Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / 1a668b39d5d2287f1fcdcf19a9d0e747b40f86ef / . / ssl / ssl_test.cc
blob: 7ab5054592f1d73f3250587f9a2ee8cf8aad9c7c [file] [log] [blame]
David Benjamin2e521212014-07-16 14:37:51 -0400[diff] [blame]1/* Copyright (c) 2014, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15#include <stdio.h>
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]16#include <string.h>
David Benjamin1269ddd2015-10-18 15:18:55 -0400[diff] [blame]17#include <time.h>
David Benjamin2e521212014-07-16 14:37:51 -0400[diff] [blame]18
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]19#include <algorithm>
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]20#include <limits>
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]21#include <string>
David Benjamin4f6acaf2015-11-21 03:00:50 -0500[diff] [blame]22#include <utility>
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]23#include <vector>
24
David Benjamin96628432017-01-19 19:05:47 -0500[diff] [blame]25#include <gtest/gtest.h>
26
David Benjamin0e7dbd52019-05-15 16:01:18 -0400[diff] [blame]27#include <openssl/aead.h>
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]28#include <openssl/base64.h>
David Benjamine9c5d722021-06-09 17:43:16 -0400[diff] [blame]29#include <openssl/bytestring.h>
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]30#include <openssl/bio.h>
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]31#include <openssl/cipher.h>
David Benjamin7a1eefd2015-10-17 23:39:22 -0400[diff] [blame]32#include <openssl/crypto.h>
Daniel McArdle00e434d2021-02-18 11:47:18 -0500[diff] [blame]33#include <openssl/curve25519.h>
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]34#include <openssl/err.h>
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]35#include <openssl/hmac.h>
David Benjaminc890ae52021-06-06 13:32:29 -0400[diff] [blame]36#include <openssl/hpke.h>
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]37#include <openssl/pem.h>
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]38#include <openssl/sha.h>
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]39#include <openssl/ssl.h>
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]40#include <openssl/rand.h>
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]41#include <openssl/x509.h>
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]42
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]43#include "internal.h"
Steven Valdezcb966542016-08-17 16:56:14 -0400[diff] [blame]44#include "../crypto/internal.h"
Sigbjorn Vik2b23d242015-06-29 15:07:26 +0200[diff] [blame]45#include "../crypto/test/test_util.h"
46
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]47#if defined(OPENSSL_WINDOWS)
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]48// Windows defines struct timeval in winsock2.h.
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]49OPENSSL_MSVC_PRAGMA(warning(push, 3))
50#include <winsock2.h>
51OPENSSL_MSVC_PRAGMA(warning(pop))
52#else
53#include <sys/time.h>
54#endif
55
David Benjamin5b33eff2018-09-22 16:52:48 -0700[diff] [blame]56#if defined(OPENSSL_THREADS)
David Benjamin6c04bd12018-07-19 18:13:09 -0400[diff] [blame]57#include <thread>
58#endif
59
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]60
Joshua Liebow-Feeser8c7c6352018-08-26 18:53:36 -0700[diff] [blame]61BSSL_NAMESPACE_BEGIN
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]62
63namespace {
64
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]65#define TRACED_CALL(code) \
66 do { \
67 SCOPED_TRACE("<- called from here"); \
68 code; \
69 if (::testing::Test::HasFatalFailure()) { \
70 return; \
71 } \
72 } while (false)
73
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]74struct VersionParam {
75 uint16_t version;
76 enum { is_tls, is_dtls } ssl_method;
77 const char name[8];
78};
79
80static const size_t kTicketKeyLen = 48;
81
82static const VersionParam kAllVersions[] = {
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]83 {TLS1_VERSION, VersionParam::is_tls, "TLS1"},
84 {TLS1_1_VERSION, VersionParam::is_tls, "TLS1_1"},
85 {TLS1_2_VERSION, VersionParam::is_tls, "TLS1_2"},
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]86 {TLS1_3_VERSION, VersionParam::is_tls, "TLS1_3"},
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]87 {DTLS1_VERSION, VersionParam::is_dtls, "DTLS1"},
88 {DTLS1_2_VERSION, VersionParam::is_dtls, "DTLS1_2"},
89};
90
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]91struct ExpectedCipher {
92 unsigned long id;
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]93 int in_group_flag;
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]94};
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]95
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]96struct CipherTest {
97 // The rule string to apply.
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]98 const char *rule;
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]99 // The list of expected ciphers, in order.
100 std::vector<ExpectedCipher> expected;
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]101 // True if this cipher list should fail in strict mode.
102 bool strict_fail;
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]103};
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]104
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]105struct CurveTest {
106 // The rule string to apply.
107 const char *rule;
108 // The list of expected curves, in order.
109 std::vector<uint16_t> expected;
110};
111
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]112template <typename T>
113class UnownedSSLExData {
114 public:
115 UnownedSSLExData() {
116 index_ = SSL_get_ex_new_index(0, nullptr, nullptr, nullptr, nullptr);
117 }
118
119 T *Get(const SSL *ssl) {
120 return index_ < 0 ? nullptr
121 : static_cast<T *>(SSL_get_ex_data(ssl, index_));
122 }
123
124 bool Set(SSL *ssl, T *t) {
125 return index_ >= 0 && SSL_set_ex_data(ssl, index_, t);
126 }
127
128 private:
129 int index_;
130};
131
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]132static const CipherTest kCipherTests[] = {
133 // Selecting individual ciphers should work.
134 {
135 "ECDHE-ECDSA-CHACHA20-POLY1305:"
136 "ECDHE-RSA-CHACHA20-POLY1305:"
137 "ECDHE-ECDSA-AES128-GCM-SHA256:"
138 "ECDHE-RSA-AES128-GCM-SHA256",
139 {
140 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]141 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]142 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
143 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
144 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]145 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]146 },
147 // + reorders selected ciphers to the end, keeping their relative order.
148 {
149 "ECDHE-ECDSA-CHACHA20-POLY1305:"
150 "ECDHE-RSA-CHACHA20-POLY1305:"
151 "ECDHE-ECDSA-AES128-GCM-SHA256:"
152 "ECDHE-RSA-AES128-GCM-SHA256:"
153 "+aRSA",
154 {
155 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]156 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
157 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]158 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
159 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]160 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]161 },
162 // ! banishes ciphers from future selections.
163 {
164 "!aRSA:"
165 "ECDHE-ECDSA-CHACHA20-POLY1305:"
166 "ECDHE-RSA-CHACHA20-POLY1305:"
167 "ECDHE-ECDSA-AES128-GCM-SHA256:"
168 "ECDHE-RSA-AES128-GCM-SHA256",
169 {
170 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]171 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
172 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]173 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]174 },
175 // Multiple masks can be ANDed in a single rule.
176 {
177 "kRSA+AESGCM+AES128",
178 {
179 {TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0},
180 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]181 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]182 },
183 // - removes selected ciphers, but preserves their order for future
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]184 // selections. Select AES_128_GCM, but order the key exchanges RSA,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]185 // ECDHE_RSA.
186 {
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]187 "ALL:-kECDHE:"
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]188 "-kRSA:-ALL:"
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]189 "AESGCM+AES128+aRSA",
190 {
191 {TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]192 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
193 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]194 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]195 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]196 // Unknown selectors are no-ops, except in strict mode.
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]197 {
198 "ECDHE-ECDSA-CHACHA20-POLY1305:"
199 "ECDHE-RSA-CHACHA20-POLY1305:"
200 "ECDHE-ECDSA-AES128-GCM-SHA256:"
201 "ECDHE-RSA-AES128-GCM-SHA256:"
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]202 "BOGUS1",
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]203 {
204 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]205 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]206 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
207 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
208 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]209 true,
210 },
211 // Unknown selectors are no-ops, except in strict mode.
212 {
213 "ECDHE-ECDSA-CHACHA20-POLY1305:"
214 "ECDHE-RSA-CHACHA20-POLY1305:"
215 "ECDHE-ECDSA-AES128-GCM-SHA256:"
216 "ECDHE-RSA-AES128-GCM-SHA256:"
217 "-BOGUS2:+BOGUS3:!BOGUS4",
218 {
219 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
220 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
221 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
222 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
223 },
224 true,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]225 },
226 // Square brackets specify equi-preference groups.
227 {
228 "[ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES128-GCM-SHA256]:"
229 "[ECDHE-RSA-CHACHA20-POLY1305]:"
230 "ECDHE-RSA-AES128-GCM-SHA256",
231 {
232 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 1},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]233 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
Adam Langley2e839242017-01-19 15:12:44 -0800[diff] [blame]234 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]235 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
236 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]237 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]238 },
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]239 // Standard names may be used instead of OpenSSL names.
240 {
241 "[TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|"
David Benjaminbf5f1922017-07-01 11:13:53 -0400[diff] [blame]242 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]:"
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]243 "[TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256]:"
244 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
245 {
246 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 1},
247 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
248 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
249 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
250 },
251 false,
252 },
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]253 // @STRENGTH performs a stable strength-sort of the selected ciphers and
254 // only the selected ciphers.
255 {
256 // To simplify things, banish all but {ECDHE_RSA,RSA} x
Matthew Braithwaite8aaa9e12016-09-07 15:09:58 -0700[diff] [blame]257 // {CHACHA20,AES_256_CBC,AES_128_CBC} x SHA1.
David Benjamin6e678ee2018-04-16 19:54:42 -0400[diff] [blame]258 "!AESGCM:!3DES:"
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]259 // Order some ciphers backwards by strength.
Matthew Braithwaite8aaa9e12016-09-07 15:09:58 -0700[diff] [blame]260 "ALL:-CHACHA20:-AES256:-AES128:-ALL:"
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]261 // Select ECDHE ones and sort them by strength. Ties should resolve
262 // based on the order above.
263 "kECDHE:@STRENGTH:-ALL:"
264 // Now bring back everything uses RSA. ECDHE_RSA should be first, sorted
265 // by strength. Then RSA, backwards by strength.
266 "aRSA",
267 {
268 {TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, 0},
269 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]270 {TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]271 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
272 {TLS1_CK_RSA_WITH_AES_256_SHA, 0},
273 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]274 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]275 },
David Benjaminbf5f1922017-07-01 11:13:53 -0400[diff] [blame]276 // Additional masks after @STRENGTH get silently discarded.
277 //
278 // TODO(davidben): Make this an error. If not silently discarded, they get
279 // interpreted as + opcodes which are very different.
280 {
281 "ECDHE-RSA-AES128-GCM-SHA256:"
282 "ECDHE-RSA-AES256-GCM-SHA384:"
283 "@STRENGTH+AES256",
284 {
285 {TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 0},
286 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
287 },
288 false,
289 },
290 {
291 "ECDHE-RSA-AES128-GCM-SHA256:"
292 "ECDHE-RSA-AES256-GCM-SHA384:"
293 "@STRENGTH+AES256:"
294 "ECDHE-RSA-CHACHA20-POLY1305",
295 {
296 {TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 0},
297 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
298 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
299 },
300 false,
301 },
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]302 // Exact ciphers may not be used in multi-part rules; they are treated
303 // as unknown aliases.
304 {
305 "ECDHE-ECDSA-AES128-GCM-SHA256:"
306 "ECDHE-RSA-AES128-GCM-SHA256:"
307 "!ECDHE-RSA-AES128-GCM-SHA256+RSA:"
308 "!ECDSA+ECDHE-ECDSA-AES128-GCM-SHA256",
309 {
310 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
311 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
312 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]313 true,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]314 },
315 // SSLv3 matches everything that existed before TLS 1.2.
316 {
David Benjamin6e678ee2018-04-16 19:54:42 -0400[diff] [blame]317 "AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256:!SSLv3",
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]318 {
David Benjamin6e678ee2018-04-16 19:54:42 -0400[diff] [blame]319 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]320 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]321 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]322 },
323 // TLSv1.2 matches everything added in TLS 1.2.
324 {
David Benjamin6e678ee2018-04-16 19:54:42 -0400[diff] [blame]325 "AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256:!TLSv1.2",
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]326 {
327 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
328 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]329 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]330 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]331 // The two directives have no intersection. But each component is valid, so
332 // even in strict mode it is accepted.
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]333 {
David Benjamin6e678ee2018-04-16 19:54:42 -0400[diff] [blame]334 "AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256:!TLSv1.2+SSLv3",
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]335 {
336 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
David Benjamin6e678ee2018-04-16 19:54:42 -0400[diff] [blame]337 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]338 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]339 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]340 },
Adam Langley22df6912017-07-25 12:27:37 -0700[diff] [blame]341 // Spaces, semi-colons and commas are separators.
342 {
David Benjamin6e678ee2018-04-16 19:54:42 -0400[diff] [blame]343 "AES128-SHA: ECDHE-RSA-AES128-GCM-SHA256 AES256-SHA ,ECDHE-ECDSA-AES128-GCM-SHA256 ; AES128-GCM-SHA256",
Adam Langley22df6912017-07-25 12:27:37 -0700[diff] [blame]344 {
345 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
David Benjamin6e678ee2018-04-16 19:54:42 -0400[diff] [blame]346 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
Adam Langley22df6912017-07-25 12:27:37 -0700[diff] [blame]347 {TLS1_CK_RSA_WITH_AES_256_SHA, 0},
David Benjamin6e678ee2018-04-16 19:54:42 -0400[diff] [blame]348 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
Adam Langley22df6912017-07-25 12:27:37 -0700[diff] [blame]349 {TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0},
350 },
351 // …but not in strict mode.
352 true,
353 },
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]354};
355
356static const char *kBadRules[] = {
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]357 // Invalid brackets.
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]358 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256",
359 "RSA]",
360 "[[RSA]]",
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]361 // Operators inside brackets.
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]362 "[+RSA]",
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]363 // Unknown directive.
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]364 "@BOGUS",
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]365 // Empty cipher lists error at SSL_CTX_set_cipher_list.
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]366 "",
367 "BOGUS",
David Benjamin32fbdf22015-04-07 01:14:06 -0400[diff] [blame]368 // COMPLEMENTOFDEFAULT is empty.
369 "COMPLEMENTOFDEFAULT",
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]370 // Invalid command.
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]371 "?BAR",
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]372 // Special operators are not allowed if groups are used.
David Benjamin37d92462014-09-20 17:54:24 -0400[diff] [blame]373 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:+FOO",
374 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:!FOO",
375 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:-FOO",
376 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:@STRENGTH",
Adam Langleyf99f2442016-10-02 09:53:38 -0700[diff] [blame]377 // Opcode supplied, but missing selector.
378 "+",
Adam Langley22df6912017-07-25 12:27:37 -0700[diff] [blame]379 // Spaces are forbidden in equal-preference groups.
380 "[AES128-SHA | AES128-SHA256]",
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]381};
382
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]383static const char *kMustNotIncludeNull[] = {
384 "ALL",
385 "DEFAULT",
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]386 "HIGH",
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]387 "FIPS",
388 "SHA",
389 "SHA1",
390 "RSA",
391 "SSLv3",
392 "TLSv1",
393 "TLSv1.2",
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]394};
395
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]396static const CurveTest kCurveTests[] = {
397 {
398 "P-256",
399 { SSL_CURVE_SECP256R1 },
400 },
401 {
Adam Langley7b935932018-11-12 13:53:42 -0800[diff] [blame]402 "P-256:CECPQ2",
403 { SSL_CURVE_SECP256R1, SSL_CURVE_CECPQ2 },
404 },
405
406 {
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]407 "P-256:P-384:P-521:X25519",
408 {
409 SSL_CURVE_SECP256R1,
410 SSL_CURVE_SECP384R1,
411 SSL_CURVE_SECP521R1,
412 SSL_CURVE_X25519,
413 },
414 },
David Benjamin6dda1662017-11-02 20:44:26 -0400[diff] [blame]415 {
416 "prime256v1:secp384r1:secp521r1:x25519",
417 {
418 SSL_CURVE_SECP256R1,
419 SSL_CURVE_SECP384R1,
420 SSL_CURVE_SECP521R1,
421 SSL_CURVE_X25519,
422 },
423 },
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]424};
425
426static const char *kBadCurvesLists[] = {
427 "",
428 ":",
429 "::",
430 "P-256::X25519",
431 "RSA:P-256",
432 "P-256:RSA",
433 "X25519:P-256:",
434 ":X25519:P-256",
435};
436
David Benjamin70dbf042017-08-08 18:51:37 -0400[diff] [blame]437static std::string CipherListToString(SSL_CTX *ctx) {
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]438 bool in_group = false;
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]439 std::string ret;
David Benjamin70dbf042017-08-08 18:51:37 -0400[diff] [blame]440 const STACK_OF(SSL_CIPHER) *ciphers = SSL_CTX_get_ciphers(ctx);
441 for (size_t i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
442 const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(ciphers, i);
443 if (!in_group && SSL_CTX_cipher_in_group(ctx, i)) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]444 ret += "\t[\n";
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]445 in_group = true;
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]446 }
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]447 ret += "\t";
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]448 if (in_group) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]449 ret += " ";
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]450 }
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]451 ret += SSL_CIPHER_get_name(cipher);
452 ret += "\n";
David Benjamin70dbf042017-08-08 18:51:37 -0400[diff] [blame]453 if (in_group && !SSL_CTX_cipher_in_group(ctx, i)) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]454 ret += "\t]\n";
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]455 in_group = false;
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]456 }
457 }
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]458 return ret;
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]459}
460
David Benjamin70dbf042017-08-08 18:51:37 -0400[diff] [blame]461static bool CipherListsEqual(SSL_CTX *ctx,
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]462 const std::vector<ExpectedCipher> &expected) {
David Benjamin70dbf042017-08-08 18:51:37 -0400[diff] [blame]463 const STACK_OF(SSL_CIPHER) *ciphers = SSL_CTX_get_ciphers(ctx);
464 if (sk_SSL_CIPHER_num(ciphers) != expected.size()) {
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]465 return false;
David Benjamin65226252015-02-05 16:49:47 -0500[diff] [blame]466 }
467
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]468 for (size_t i = 0; i < expected.size(); i++) {
David Benjamin70dbf042017-08-08 18:51:37 -0400[diff] [blame]469 const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(ciphers, i);
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]470 if (expected[i].id != SSL_CIPHER_get_id(cipher) ||
David Benjamin70dbf042017-08-08 18:51:37 -0400[diff] [blame]471 expected[i].in_group_flag != !!SSL_CTX_cipher_in_group(ctx, i)) {
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]472 return false;
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]473 }
474 }
475
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]476 return true;
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]477}
478
Daniel McArdleff746c12019-09-16 12:35:05 -0400[diff] [blame]479TEST(GrowableArrayTest, Resize) {
480 GrowableArray<size_t> array;
481 ASSERT_TRUE(array.empty());
482 EXPECT_EQ(array.size(), 0u);
483
484 ASSERT_TRUE(array.Push(42));
485 ASSERT_TRUE(!array.empty());
486 EXPECT_EQ(array.size(), 1u);
487
488 // Force a resize operation to occur
489 for (size_t i = 0; i < 16; i++) {
490 ASSERT_TRUE(array.Push(i + 1));
491 }
492
493 EXPECT_EQ(array.size(), 17u);
494
495 // Verify that expected values are still contained in array
496 for (size_t i = 0; i < array.size(); i++) {
497 EXPECT_EQ(array[i], i == 0 ? 42 : i);
498 }
499}
500
501TEST(GrowableArrayTest, MoveConstructor) {
502 GrowableArray<size_t> array;
503 for (size_t i = 0; i < 100; i++) {
504 ASSERT_TRUE(array.Push(i));
505 }
506
507 GrowableArray<size_t> array_moved(std::move(array));
508 for (size_t i = 0; i < 100; i++) {
509 EXPECT_EQ(array_moved[i], i);
510 }
511}
512
513TEST(GrowableArrayTest, GrowableArrayContainingGrowableArrays) {
514 // Representative example of a struct that contains a GrowableArray.
515 struct TagAndArray {
516 size_t tag;
517 GrowableArray<size_t> array;
518 };
519
520 GrowableArray<TagAndArray> array;
521 for (size_t i = 0; i < 100; i++) {
522 TagAndArray elem;
523 elem.tag = i;
524 for (size_t j = 0; j < i; j++) {
525 ASSERT_TRUE(elem.array.Push(j));
526 }
527 ASSERT_TRUE(array.Push(std::move(elem)));
528 }
529 EXPECT_EQ(array.size(), static_cast<size_t>(100));
530
531 GrowableArray<TagAndArray> array_moved(std::move(array));
532 EXPECT_EQ(array_moved.size(), static_cast<size_t>(100));
533 size_t count = 0;
534 for (const TagAndArray &elem : array_moved) {
535 // Test the square bracket operator returns the same value as iteration.
536 EXPECT_EQ(&elem, &array_moved[count]);
537
538 EXPECT_EQ(elem.tag, count);
539 EXPECT_EQ(elem.array.size(), count);
540 for (size_t j = 0; j < count; j++) {
541 EXPECT_EQ(elem.array[j], j);
542 }
543 count++;
544 }
545}
546
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]547TEST(SSLTest, CipherRules) {
548 for (const CipherTest &t : kCipherTests) {
549 SCOPED_TRACE(t.rule);
550 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
551 ASSERT_TRUE(ctx);
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]552
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]553 // Test lax mode.
554 ASSERT_TRUE(SSL_CTX_set_cipher_list(ctx.get(), t.rule));
David Benjamin70dbf042017-08-08 18:51:37 -0400[diff] [blame]555 EXPECT_TRUE(CipherListsEqual(ctx.get(), t.expected))
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]556 << "Cipher rule evaluated to:\n"
David Benjamin70dbf042017-08-08 18:51:37 -0400[diff] [blame]557 << CipherListToString(ctx.get());
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]558
559 // Test strict mode.
560 if (t.strict_fail) {
561 EXPECT_FALSE(SSL_CTX_set_strict_cipher_list(ctx.get(), t.rule));
562 } else {
563 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(ctx.get(), t.rule));
David Benjamin70dbf042017-08-08 18:51:37 -0400[diff] [blame]564 EXPECT_TRUE(CipherListsEqual(ctx.get(), t.expected))
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]565 << "Cipher rule evaluated to:\n"
David Benjamin70dbf042017-08-08 18:51:37 -0400[diff] [blame]566 << CipherListToString(ctx.get());
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]567 }
568 }
569
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]570 for (const char *rule : kBadRules) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]571 SCOPED_TRACE(rule);
572 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
573 ASSERT_TRUE(ctx);
574
575 EXPECT_FALSE(SSL_CTX_set_cipher_list(ctx.get(), rule));
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]576 ERR_clear_error();
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]577 }
578
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]579 for (const char *rule : kMustNotIncludeNull) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]580 SCOPED_TRACE(rule);
581 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
582 ASSERT_TRUE(ctx);
583
584 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(ctx.get(), rule));
David Benjamin70dbf042017-08-08 18:51:37 -0400[diff] [blame]585 for (const SSL_CIPHER *cipher : SSL_CTX_get_ciphers(ctx.get())) {
David Benjamine3bb51c2017-08-22 23:16:02 -0700[diff] [blame]586 EXPECT_NE(NID_undef, SSL_CIPHER_get_cipher_nid(cipher));
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]587 }
588 }
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]589}
David Benjamin2e521212014-07-16 14:37:51 -0400[diff] [blame]590
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]591TEST(SSLTest, CurveRules) {
592 for (const CurveTest &t : kCurveTests) {
593 SCOPED_TRACE(t.rule);
594 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
595 ASSERT_TRUE(ctx);
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]596
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]597 ASSERT_TRUE(SSL_CTX_set1_curves_list(ctx.get(), t.rule));
David Benjamin0ce090a2018-07-02 20:24:40 -0400[diff] [blame]598 ASSERT_EQ(t.expected.size(), ctx->supported_group_list.size());
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]599 for (size_t i = 0; i < t.expected.size(); i++) {
600 EXPECT_EQ(t.expected[i], ctx->supported_group_list[i]);
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]601 }
602 }
603
604 for (const char *rule : kBadCurvesLists) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]605 SCOPED_TRACE(rule);
606 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
607 ASSERT_TRUE(ctx);
608
609 EXPECT_FALSE(SSL_CTX_set1_curves_list(ctx.get(), rule));
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]610 ERR_clear_error();
611 }
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]612}
613
Adam Langley364f7a62016-12-12 10:51:00 -0800[diff] [blame]614// kOpenSSLSession is a serialized SSL_SESSION.
Adam Langley10f97f32016-07-12 08:09:33 -0700[diff] [blame]615static const char kOpenSSLSession[] =
Adam Langley364f7a62016-12-12 10:51:00 -0800[diff] [blame]616 "MIIFqgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
Adam Langley10f97f32016-07-12 08:09:33 -0700[diff] [blame]617 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
618 "IWoJoQYCBFRDO46iBAICASyjggR6MIIEdjCCA16gAwIBAgIIK9dUvsPWSlUwDQYJ"
619 "KoZIhvcNAQEFBQAwSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMx"
620 "JTAjBgNVBAMTHEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTQxMDA4"
621 "MTIwNzU3WhcNMTUwMTA2MDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwK"
622 "Q2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29v"
623 "Z2xlIEluYzEXMBUGA1UEAwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEB"
624 "AQUAA4IBDwAwggEKAoIBAQCcKeLrplAC+Lofy8t/wDwtB6eu72CVp0cJ4V3lknN6"
625 "huH9ct6FFk70oRIh/VBNBBz900jYy+7111Jm1b8iqOTQ9aT5C7SEhNcQFJvqzH3e"
626 "MPkb6ZSWGm1yGF7MCQTGQXF20Sk/O16FSjAynU/b3oJmOctcycWYkY0ytS/k3LBu"
627 "Id45PJaoMqjB0WypqvNeJHC3q5JjCB4RP7Nfx5jjHSrCMhw8lUMW4EaDxjaR9KDh"
628 "PLgjsk+LDIySRSRDaCQGhEOWLJZVLzLo4N6/UlctCHEllpBUSvEOyFga52qroGjg"
629 "rf3WOQ925MFwzd6AK+Ich0gDRg8sQfdLH5OuP1cfLfU1AgMBAAGjggFBMIIBPTAd"
630 "BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdv"
631 "b2dsZS5jb20waAYIKwYBBQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtp"
632 "Lmdvb2dsZS5jb20vR0lBRzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50"
633 "czEuZ29vZ2xlLmNvbS9vY3NwMB0GA1UdDgQWBBQ7a+CcxsZByOpc+xpYFcIbnUMZ"
634 "hTAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEv"
635 "MBcGA1UdIAQQMA4wDAYKKwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRw"
636 "Oi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQCa"
637 "OXCBdoqUy5bxyq+Wrh1zsyyCFim1PH5VU2+yvDSWrgDY8ibRGJmfff3r4Lud5kal"
638 "dKs9k8YlKD3ITG7P0YT/Rk8hLgfEuLcq5cc0xqmE42xJ+Eo2uzq9rYorc5emMCxf"
639 "5L0TJOXZqHQpOEcuptZQ4OjdYMfSxk5UzueUhA3ogZKRcRkdB3WeWRp+nYRhx4St"
640 "o2rt2A0MKmY9165GHUqMK9YaaXHDXqBu7Sefr1uSoAP9gyIJKeihMivsGqJ1TD6Z"
641 "cc6LMe+dN2P8cZEQHtD1y296ul4Mivqk3jatUVL8/hCwgch9A8O4PGZq9WqBfEWm"
642 "IyHh1dPtbg1lOXdYCWtjpAIEAKUDAgEUqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36S"
643 "YTcLEkXqKwOBfF9vE4KX0NxeLwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9B"
644 "sNHM362zZnY27GpTw+Kwd751CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yE"
645 "OTDKPNj3+inbMaVigtK4PLyPq+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdA"
Adam Langley364f7a62016-12-12 10:51:00 -0800[diff] [blame]646 "i4gv7Y5oliyntgMBAQA=";
Adam Langley10f97f32016-07-12 08:09:33 -0700[diff] [blame]647
648// kCustomSession is a custom serialized SSL_SESSION generated by
649// filling in missing fields from |kOpenSSLSession|. This includes
650// providing |peer_sha256|, so |peer| is not serialized.
651static const char kCustomSession[] =
David Benjamina8614602017-09-06 15:40:19 -0400[diff] [blame]652 "MIIBZAIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
Adam Langley10f97f32016-07-12 08:09:33 -0700[diff] [blame]653 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
David Benjamina8614602017-09-06 15:40:19 -0400[diff] [blame]654 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUqAcEBXdvcmxkqQUCAwGJwKqBpwSB"
655 "pBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0NxeLwjcDTpsuh3qXEaZ992r1N38"
656 "VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751CLoXFPoaMOe57dbBpXoro6Pd"
657 "3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyPq+Topyzvx9USFgRvyuoxn0Hg"
658 "b+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYGBgYGBgYGBgYGBgYGBgYGBgYG"
659 "BgYGBgYGBgYGrgMEAQevAwQBBLADBAEF";
Adam Langley10f97f32016-07-12 08:09:33 -0700[diff] [blame]660
661// kBoringSSLSession is a serialized SSL_SESSION generated from bssl client.
662static const char kBoringSSLSession[] =
663 "MIIRwQIBAQICAwMEAsAvBCDdoGxGK26mR+8lM0uq6+k9xYuxPnwAjpcF9n0Yli9R"
664 "kQQwbyshfWhdi5XQ1++7n2L1qqrcVlmHBPpr6yknT/u4pUrpQB5FZ7vqvNn8MdHf"
665 "9rWgoQYCBFXgs7uiBAICHCCjggR6MIIEdjCCA16gAwIBAgIIf+yfD7Y6UicwDQYJ"
666 "KoZIhvcNAQELBQAwSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMx"
667 "JTAjBgNVBAMTHEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTUwODEy"
668 "MTQ1MzE1WhcNMTUxMTEwMDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwK"
669 "Q2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29v"
670 "Z2xlIEluYzEXMBUGA1UEAwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEB"
671 "AQUAA4IBDwAwggEKAoIBAQC0MeG5YGQ0t+IeJeoneP/PrhEaieibeKYkbKVLNZpo"
672 "PLuBinvhkXZo3DC133NpCBpy6ZktBwamqyixAyuk/NU6OjgXqwwxfQ7di1AInLIU"
673 "792c7hFyNXSUCG7At8Ifi3YwBX9Ba6u/1d6rWTGZJrdCq3QU11RkKYyTq2KT5mce"
674 "Tv9iGKqSkSTlp8puy/9SZ/3DbU3U+BuqCFqeSlz7zjwFmk35acdCilpJlVDDN5C/"
675 "RCh8/UKc8PaL+cxlt531qoTENvYrflBno14YEZlCBZsPiFeUSILpKEj3Ccwhy0eL"
676 "EucWQ72YZU8mUzXBoXGn0zA0crFl5ci/2sTBBGZsylNBAgMBAAGjggFBMIIBPTAd"
677 "BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdv"
678 "b2dsZS5jb20waAYIKwYBBQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtp"
679 "Lmdvb2dsZS5jb20vR0lBRzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50"
680 "czEuZ29vZ2xlLmNvbS9vY3NwMB0GA1UdDgQWBBS/bzHxcE73Q4j3slC4BLbMtLjG"
681 "GjAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEv"
682 "MBcGA1UdIAQQMA4wDAYKKwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRw"
683 "Oi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQAb"
684 "qdWPZEHk0X7iKPCTHL6S3w6q1eR67goxZGFSM1lk1hjwyu7XcLJuvALVV9uY3ovE"
685 "kQZSHwT+pyOPWQhsSjO+1GyjvCvK/CAwiUmBX+bQRGaqHsRcio7xSbdVcajQ3bXd"
686 "X+s0WdbOpn6MStKAiBVloPlSxEI8pxY6x/BBCnTIk/+DMB17uZlOjG3vbAnkDkP+"
687 "n0OTucD9sHV7EVj9XUxi51nOfNBCN/s7lpUjDS/NJ4k3iwOtbCPswiot8vLO779a"
688 "f07vR03r349Iz/KTzk95rlFtX0IU+KYNxFNsanIXZ+C9FYGRXkwhHcvFb4qMUB1y"
689 "TTlM80jBMOwyjZXmjRAhpAIEAKUDAgEUqQUCAwGJwKqBpwSBpOgebbmn9NRUtMWH"
690 "+eJpqA5JLMFSMCChOsvKey3toBaCNGU7HfAEiiXNuuAdCBoK262BjQc2YYfqFzqH"
691 "zuppopXCvhohx7j/tnCNZIMgLYt/O9SXK2RYI5z8FhCCHvB4CbD5G0LGl5EFP27s"
692 "Jb6S3aTTYPkQe8yZSlxevg6NDwmTogLO9F7UUkaYmVcMQhzssEE2ZRYNwSOU6KjE"
693 "0Yj+8fAiBtbQriIEIN2L8ZlpaVrdN5KFNdvcmOxJu81P8q53X55xQyGTnGWwsgMC"
694 "ARezggvvMIIEdjCCA16gAwIBAgIIf+yfD7Y6UicwDQYJKoZIhvcNAQELBQAwSTEL"
695 "MAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2ds"
696 "ZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTUwODEyMTQ1MzE1WhcNMTUxMTEw"
697 "MDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQG"
698 "A1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UE"
699 "AwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB"
700 "AQC0MeG5YGQ0t+IeJeoneP/PrhEaieibeKYkbKVLNZpoPLuBinvhkXZo3DC133Np"
701 "CBpy6ZktBwamqyixAyuk/NU6OjgXqwwxfQ7di1AInLIU792c7hFyNXSUCG7At8If"
702 "i3YwBX9Ba6u/1d6rWTGZJrdCq3QU11RkKYyTq2KT5mceTv9iGKqSkSTlp8puy/9S"
703 "Z/3DbU3U+BuqCFqeSlz7zjwFmk35acdCilpJlVDDN5C/RCh8/UKc8PaL+cxlt531"
704 "qoTENvYrflBno14YEZlCBZsPiFeUSILpKEj3Ccwhy0eLEucWQ72YZU8mUzXBoXGn"
705 "0zA0crFl5ci/2sTBBGZsylNBAgMBAAGjggFBMIIBPTAdBgNVHSUEFjAUBggrBgEF"
706 "BQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYB"
707 "BQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lB"
708 "RzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9v"
709 "Y3NwMB0GA1UdDgQWBBS/bzHxcE73Q4j3slC4BLbMtLjGGjAMBgNVHRMBAf8EAjAA"
710 "MB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMBcGA1UdIAQQMA4wDAYK"
711 "KwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRwOi8vcGtpLmdvb2dsZS5j"
712 "b20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQAbqdWPZEHk0X7iKPCTHL6S"
713 "3w6q1eR67goxZGFSM1lk1hjwyu7XcLJuvALVV9uY3ovEkQZSHwT+pyOPWQhsSjO+"
714 "1GyjvCvK/CAwiUmBX+bQRGaqHsRcio7xSbdVcajQ3bXdX+s0WdbOpn6MStKAiBVl"
715 "oPlSxEI8pxY6x/BBCnTIk/+DMB17uZlOjG3vbAnkDkP+n0OTucD9sHV7EVj9XUxi"
716 "51nOfNBCN/s7lpUjDS/NJ4k3iwOtbCPswiot8vLO779af07vR03r349Iz/KTzk95"
717 "rlFtX0IU+KYNxFNsanIXZ+C9FYGRXkwhHcvFb4qMUB1yTTlM80jBMOwyjZXmjRAh"
718 "MIID8DCCAtigAwIBAgIDAjqDMA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT"
719 "MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i"
720 "YWwgQ0EwHhcNMTMwNDA1MTUxNTU2WhcNMTYxMjMxMjM1OTU5WjBJMQswCQYDVQQG"
721 "EwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVy"
722 "bmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB"
723 "AJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NP"
724 "VaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtv"
725 "h8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rE"
726 "ahqyzFPdFUuLH8gZYR/Nnag+YyuENWllhMgZxUYi+FOVvuOAShDGKuy6lyARxzmZ"
727 "EASg8GF6lSWMTlJ14rbtCMoU/M4iarNOz0YDl5cDfsCx3nuvRTPPuj5xt970JSXC"
728 "DTWJnZ37DhF5iR43xa+OcmkCAwEAAaOB5zCB5DAfBgNVHSMEGDAWgBTAephojYn7"
729 "qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1dvWBtrtiGrpagS8wDgYD"
730 "VR0PAQH/BAQDAgEGMC4GCCsGAQUFBwEBBCIwIDAeBggrBgEFBQcwAYYSaHR0cDov"
731 "L2cuc3ltY2QuY29tMBIGA1UdEwEB/wQIMAYBAf8CAQAwNQYDVR0fBC4wLDAqoCig"
732 "JoYkaHR0cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9iYWwuY3JsMBcGA1UdIAQQ"
733 "MA4wDAYKKwYBBAHWeQIFATANBgkqhkiG9w0BAQsFAAOCAQEAqvqpIM1qZ4PtXtR+"
734 "3h3Ef+AlBgDFJPupyC1tft6dgmUsgWM0Zj7pUsIItMsv91+ZOmqcUHqFBYx90SpI"
735 "hNMJbHzCzTWf84LuUt5oX+QAihcglvcpjZpNy6jehsgNb1aHA30DP9z6eX0hGfnI"
736 "Oi9RdozHQZJxjyXON/hKTAAj78Q1EK7gI4BzfE00LshukNYQHpmEcxpw8u1VDu4X"
737 "Bupn7jLrLN1nBz/2i8Jw3lsA5rsb0zYaImxssDVCbJAJPZPpZAkiDoUGn8JzIdPm"
738 "X4DkjYUiOnMDsWCOrmji9D6X52ASCWg23jrW4kOVWzeBkoEfu43XrVJkFleW2V40"
739 "fsg12DCCA30wggLmoAMCAQICAxK75jANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQG"
740 "EwJVUzEQMA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUg"
741 "Q2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTAyMDUyMTA0MDAwMFoXDTE4MDgyMTA0"
742 "MDAwMFowQjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUdlb1RydXN0IEluYy4xGzAZ"
743 "BgNVBAMTEkdlb1RydXN0IEdsb2JhbCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP"
744 "ADCCAQoCggEBANrMGGMw/fQXIxpWflvfPGw45HG3eJHUvKHYTPioQ7YD6U0hBwiI"
745 "2lgvZjkpvQV4i5046AW3an5xpObEYKaw74DkiSgPniXW7YPzraaRx5jJQhg1FJ2t"
746 "mEaSLk/K8YdDwRaVVy1Q74ktgHpXrfLuX2vSAI25FPgUFTXZwEaje3LIkb/JVSvN"
747 "0Jc+nCZkzN/Ogxlxyk7m1NV7qRnNVd7I7NJeOFPlXE+MLf5QIzb8ZubLjqQ5GQC3"
748 "lQI5kQsO/jgu0R0FmvZNPm8PBx2vLB6PYDni+jZTEznUXiYr2z2oFL0y6xgDKFIE"
749 "ceWrMz3hOLsHNoRinHnqFjD0X8Ar6HFr5PkCAwEAAaOB8DCB7TAfBgNVHSMEGDAW"
750 "gBRI5mj5K9KylddH2CMgEE8zmJCf1DAdBgNVHQ4EFgQUwHqYaI2J+6sFZAwRfap9"
751 "ZbjKzE4wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwOgYDVR0fBDMw"
752 "MTAvoC2gK4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20vY3Jscy9zZWN1cmVjYS5j"
753 "cmwwTgYDVR0gBEcwRTBDBgRVHSAAMDswOQYIKwYBBQUHAgEWLWh0dHBzOi8vd3d3"
754 "Lmdlb3RydXN0LmNvbS9yZXNvdXJjZXMvcmVwb3NpdG9yeTANBgkqhkiG9w0BAQUF"
755 "AAOBgQB24RJuTksWEoYwBrKBCM/wCMfHcX5m7sLt1Dsf//DwyE7WQziwuTB9GNBV"
756 "g6JqyzYRnOhIZqNtf7gT1Ef+i1pcc/yu2RsyGTirlzQUqpbS66McFAhJtrvlke+D"
757 "NusdVm/K2rxzY5Dkf3s+Iss9B+1fOHSc4wNQTqGvmO5h8oQ/Eg==";
758
759// kBadSessionExtraField is a custom serialized SSL_SESSION generated by replacing
Steven Valdez51607f12020-08-05 10:46:05 -0400[diff] [blame]760// the final (optional) element of |kCustomSession| with tag number 99.
Adam Langley10f97f32016-07-12 08:09:33 -0700[diff] [blame]761static const char kBadSessionExtraField[] =
762 "MIIBdgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
763 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
764 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
765 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
766 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
767 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
768 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
Steven Valdez51607f12020-08-05 10:46:05 -0400[diff] [blame]769 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBOMDBAEF";
Adam Langley10f97f32016-07-12 08:09:33 -0700[diff] [blame]770
771// kBadSessionVersion is a custom serialized SSL_SESSION generated by replacing
772// the version of |kCustomSession| with 2.
773static const char kBadSessionVersion[] =
774 "MIIBdgIBAgICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
775 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
776 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
777 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
778 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
779 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
780 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
781 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBLADBAEF";
782
783// kBadSessionTrailingData is a custom serialized SSL_SESSION with trailing data
784// appended.
785static const char kBadSessionTrailingData[] =
786 "MIIBdgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
787 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
788 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
789 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
790 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
791 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
792 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
793 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBLADBAEFAAAA";
794
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]795static bool DecodeBase64(std::vector<uint8_t> *out, const char *in) {
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]796 size_t len;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]797 if (!EVP_DecodedLength(&len, strlen(in))) {
798 fprintf(stderr, "EVP_DecodedLength failed\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]799 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]800 }
801
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]802 out->resize(len);
David Benjaminef14b2d2015-11-11 14:01:27 -0800[diff] [blame]803 if (!EVP_DecodeBase64(out->data(), &len, len, (const uint8_t *)in,
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]804 strlen(in))) {
805 fprintf(stderr, "EVP_DecodeBase64 failed\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]806 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]807 }
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]808 out->resize(len);
809 return true;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]810}
811
David Benjamina486c6c2019-03-28 18:32:38 -0500[diff] [blame]812TEST(SSLTest, SessionEncoding) {
813 for (const char *input_b64 : {
814 kOpenSSLSession,
815 kCustomSession,
816 kBoringSSLSession,
817 }) {
818 SCOPED_TRACE(std::string(input_b64));
819 // Decode the input.
820 std::vector<uint8_t> input;
821 ASSERT_TRUE(DecodeBase64(&input, input_b64));
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]822
David Benjamina486c6c2019-03-28 18:32:38 -0500[diff] [blame]823 // Verify the SSL_SESSION decodes.
824 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
825 ASSERT_TRUE(ssl_ctx);
826 bssl::UniquePtr<SSL_SESSION> session(
827 SSL_SESSION_from_bytes(input.data(), input.size(), ssl_ctx.get()));
828 ASSERT_TRUE(session) << "SSL_SESSION_from_bytes failed";
829
830 // Verify the SSL_SESSION encoding round-trips.
831 size_t encoded_len;
832 bssl::UniquePtr<uint8_t> encoded;
833 uint8_t *encoded_raw;
834 ASSERT_TRUE(SSL_SESSION_to_bytes(session.get(), &encoded_raw, &encoded_len))
835 << "SSL_SESSION_to_bytes failed";
836 encoded.reset(encoded_raw);
837 EXPECT_EQ(Bytes(encoded.get(), encoded_len), Bytes(input))
838 << "SSL_SESSION_to_bytes did not round-trip";
839
840 // Verify the SSL_SESSION also decodes with the legacy API.
841 const uint8_t *cptr = input.data();
842 session.reset(d2i_SSL_SESSION(NULL, &cptr, input.size()));
843 ASSERT_TRUE(session) << "d2i_SSL_SESSION failed";
844 EXPECT_EQ(cptr, input.data() + input.size());
845
846 // Verify the SSL_SESSION encoding round-trips via the legacy API.
847 int len = i2d_SSL_SESSION(session.get(), NULL);
848 ASSERT_GT(len, 0) << "i2d_SSL_SESSION failed";
849 ASSERT_EQ(static_cast<size_t>(len), input.size())
850 << "i2d_SSL_SESSION(NULL) returned invalid length";
851
852 encoded.reset((uint8_t *)OPENSSL_malloc(input.size()));
853 ASSERT_TRUE(encoded);
854
855 uint8_t *ptr = encoded.get();
856 len = i2d_SSL_SESSION(session.get(), &ptr);
857 ASSERT_GT(len, 0) << "i2d_SSL_SESSION failed";
858 ASSERT_EQ(static_cast<size_t>(len), input.size())
859 << "i2d_SSL_SESSION(NULL) returned invalid length";
860 ASSERT_EQ(ptr, encoded.get() + input.size())
861 << "i2d_SSL_SESSION did not advance ptr correctly";
862 EXPECT_EQ(Bytes(encoded.get(), encoded_len), Bytes(input))
863 << "SSL_SESSION_to_bytes did not round-trip";
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]864 }
865
David Benjamina486c6c2019-03-28 18:32:38 -0500[diff] [blame]866 for (const char *input_b64 : {
867 kBadSessionExtraField,
868 kBadSessionVersion,
869 kBadSessionTrailingData,
870 }) {
871 SCOPED_TRACE(std::string(input_b64));
872 std::vector<uint8_t> input;
873 ASSERT_TRUE(DecodeBase64(&input, input_b64));
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]874
David Benjamina486c6c2019-03-28 18:32:38 -0500[diff] [blame]875 // Verify that the SSL_SESSION fails to decode.
876 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
877 ASSERT_TRUE(ssl_ctx);
878 bssl::UniquePtr<SSL_SESSION> session(
879 SSL_SESSION_from_bytes(input.data(), input.size(), ssl_ctx.get()));
880 EXPECT_FALSE(session) << "SSL_SESSION_from_bytes unexpectedly succeeded";
881 ERR_clear_error();
David Benjamin3cac4502014-10-21 01:46:30 -0400[diff] [blame]882 }
David Benjaminf297e022015-05-28 19:55:29 -0400[diff] [blame]883}
884
David Benjamin321fcdc2017-04-24 11:42:42 -0400[diff] [blame]885static void ExpectDefaultVersion(uint16_t min_version, uint16_t max_version,
886 const SSL_METHOD *(*method)(void)) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]887 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method()));
David Benjamin321fcdc2017-04-24 11:42:42 -0400[diff] [blame]888 ASSERT_TRUE(ctx);
Nitish Sakhawalkara4af5f82019-03-25 17:26:59 -0700[diff] [blame]889 EXPECT_EQ(min_version, SSL_CTX_get_min_proto_version(ctx.get()));
890 EXPECT_EQ(max_version, SSL_CTX_get_max_proto_version(ctx.get()));
David Benjamin321fcdc2017-04-24 11:42:42 -0400[diff] [blame]891}
892
893TEST(SSLTest, DefaultVersion) {
Matthew Braithwaite58d56f42019-11-04 13:20:01 -0800[diff] [blame]894 ExpectDefaultVersion(TLS1_VERSION, TLS1_3_VERSION, &TLS_method);
David Benjamin321fcdc2017-04-24 11:42:42 -0400[diff] [blame]895 ExpectDefaultVersion(TLS1_VERSION, TLS1_VERSION, &TLSv1_method);
896 ExpectDefaultVersion(TLS1_1_VERSION, TLS1_1_VERSION, &TLSv1_1_method);
897 ExpectDefaultVersion(TLS1_2_VERSION, TLS1_2_VERSION, &TLSv1_2_method);
Nitish Sakhawalkara4af5f82019-03-25 17:26:59 -0700[diff] [blame]898 ExpectDefaultVersion(DTLS1_VERSION, DTLS1_2_VERSION, &DTLS_method);
899 ExpectDefaultVersion(DTLS1_VERSION, DTLS1_VERSION, &DTLSv1_method);
900 ExpectDefaultVersion(DTLS1_2_VERSION, DTLS1_2_VERSION, &DTLSv1_2_method);
David Benjamin82c9e902014-12-12 15:55:27 -0500[diff] [blame]901}
902
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]903TEST(SSLTest, CipherProperties) {
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]904 static const struct {
905 int id;
906 const char *standard_name;
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]907 int cipher_nid;
908 int digest_nid;
909 int kx_nid;
910 int auth_nid;
David Benjaminb1b76ae2017-09-21 17:03:34 -0400[diff] [blame]911 int prf_nid;
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]912 } kTests[] = {
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]913 {
914 SSL3_CK_RSA_DES_192_CBC3_SHA,
915 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
916 NID_des_ede3_cbc,
917 NID_sha1,
918 NID_kx_rsa,
919 NID_auth_rsa,
David Benjaminb1b76ae2017-09-21 17:03:34 -0400[diff] [blame]920 NID_md5_sha1,
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]921 },
922 {
923 TLS1_CK_RSA_WITH_AES_128_SHA,
924 "TLS_RSA_WITH_AES_128_CBC_SHA",
925 NID_aes_128_cbc,
926 NID_sha1,
927 NID_kx_rsa,
928 NID_auth_rsa,
David Benjaminb1b76ae2017-09-21 17:03:34 -0400[diff] [blame]929 NID_md5_sha1,
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]930 },
931 {
932 TLS1_CK_PSK_WITH_AES_256_CBC_SHA,
933 "TLS_PSK_WITH_AES_256_CBC_SHA",
934 NID_aes_256_cbc,
935 NID_sha1,
936 NID_kx_psk,
937 NID_auth_psk,
David Benjaminb1b76ae2017-09-21 17:03:34 -0400[diff] [blame]938 NID_md5_sha1,
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]939 },
940 {
David Benjamin6e678ee2018-04-16 19:54:42 -0400[diff] [blame]941 TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
942 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]943 NID_aes_128_cbc,
David Benjamin6e678ee2018-04-16 19:54:42 -0400[diff] [blame]944 NID_sha1,
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]945 NID_kx_ecdhe,
946 NID_auth_rsa,
David Benjamin6e678ee2018-04-16 19:54:42 -0400[diff] [blame]947 NID_md5_sha1,
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]948 },
949 {
David Benjamin6e678ee2018-04-16 19:54:42 -0400[diff] [blame]950 TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
951 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]952 NID_aes_256_cbc,
David Benjamin6e678ee2018-04-16 19:54:42 -0400[diff] [blame]953 NID_sha1,
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]954 NID_kx_ecdhe,
955 NID_auth_rsa,
David Benjamin6e678ee2018-04-16 19:54:42 -0400[diff] [blame]956 NID_md5_sha1,
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]957 },
958 {
959 TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
960 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
961 NID_aes_128_gcm,
962 NID_undef,
963 NID_kx_ecdhe,
964 NID_auth_rsa,
David Benjaminb1b76ae2017-09-21 17:03:34 -0400[diff] [blame]965 NID_sha256,
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]966 },
967 {
968 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
969 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
970 NID_aes_128_gcm,
971 NID_undef,
972 NID_kx_ecdhe,
973 NID_auth_ecdsa,
David Benjaminb1b76ae2017-09-21 17:03:34 -0400[diff] [blame]974 NID_sha256,
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]975 },
976 {
977 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
978 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
979 NID_aes_256_gcm,
980 NID_undef,
981 NID_kx_ecdhe,
982 NID_auth_ecdsa,
David Benjaminb1b76ae2017-09-21 17:03:34 -0400[diff] [blame]983 NID_sha384,
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]984 },
985 {
986 TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA,
987 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
988 NID_aes_128_cbc,
989 NID_sha1,
990 NID_kx_ecdhe,
991 NID_auth_psk,
David Benjaminb1b76ae2017-09-21 17:03:34 -0400[diff] [blame]992 NID_md5_sha1,
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]993 },
994 {
995 TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
996 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
997 NID_chacha20_poly1305,
998 NID_undef,
999 NID_kx_ecdhe,
1000 NID_auth_rsa,
David Benjaminb1b76ae2017-09-21 17:03:34 -0400[diff] [blame]1001 NID_sha256,
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]1002 },
1003 {
1004 TLS1_CK_AES_256_GCM_SHA384,
1005 "TLS_AES_256_GCM_SHA384",
1006 NID_aes_256_gcm,
1007 NID_undef,
1008 NID_kx_any,
1009 NID_auth_any,
David Benjaminb1b76ae2017-09-21 17:03:34 -0400[diff] [blame]1010 NID_sha384,
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]1011 },
1012 {
1013 TLS1_CK_AES_128_GCM_SHA256,
1014 "TLS_AES_128_GCM_SHA256",
1015 NID_aes_128_gcm,
1016 NID_undef,
1017 NID_kx_any,
1018 NID_auth_any,
David Benjaminb1b76ae2017-09-21 17:03:34 -0400[diff] [blame]1019 NID_sha256,
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]1020 },
1021 {
1022 TLS1_CK_CHACHA20_POLY1305_SHA256,
1023 "TLS_CHACHA20_POLY1305_SHA256",
1024 NID_chacha20_poly1305,
1025 NID_undef,
1026 NID_kx_any,
1027 NID_auth_any,
David Benjaminb1b76ae2017-09-21 17:03:34 -0400[diff] [blame]1028 NID_sha256,
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]1029 },
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]1030 };
David Benjamin65226252015-02-05 16:49:47 -0500[diff] [blame]1031
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]1032 for (const auto &t : kTests) {
1033 SCOPED_TRACE(t.standard_name);
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1034
1035 const SSL_CIPHER *cipher = SSL_get_cipher_by_value(t.id & 0xffff);
1036 ASSERT_TRUE(cipher);
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]1037 EXPECT_STREQ(t.standard_name, SSL_CIPHER_standard_name(cipher));
1038
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1039 bssl::UniquePtr<char> rfc_name(SSL_CIPHER_get_rfc_name(cipher));
1040 ASSERT_TRUE(rfc_name);
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]1041 EXPECT_STREQ(t.standard_name, rfc_name.get());
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]1042
1043 EXPECT_EQ(t.cipher_nid, SSL_CIPHER_get_cipher_nid(cipher));
1044 EXPECT_EQ(t.digest_nid, SSL_CIPHER_get_digest_nid(cipher));
1045 EXPECT_EQ(t.kx_nid, SSL_CIPHER_get_kx_nid(cipher));
1046 EXPECT_EQ(t.auth_nid, SSL_CIPHER_get_auth_nid(cipher));
David Benjaminb1b76ae2017-09-21 17:03:34 -0400[diff] [blame]1047 EXPECT_EQ(t.prf_nid, SSL_CIPHER_get_prf_nid(cipher));
David Benjamin65226252015-02-05 16:49:47 -0500[diff] [blame]1048 }
David Benjamin65226252015-02-05 16:49:47 -0500[diff] [blame]1049}
1050
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]1051// CreateSessionWithTicket returns a sample |SSL_SESSION| with the specified
1052// version and ticket length or nullptr on failure.
1053static bssl::UniquePtr<SSL_SESSION> CreateSessionWithTicket(uint16_t version,
1054 size_t ticket_len) {
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]1055 std::vector<uint8_t> der;
1056 if (!DecodeBase64(&der, kOpenSSLSession)) {
1057 return nullptr;
1058 }
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]1059
1060 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
1061 if (!ssl_ctx) {
1062 return nullptr;
1063 }
David Benjaminaaef8332018-06-29 16:45:49 -0400[diff] [blame]1064 // Use a garbage ticket.
1065 std::vector<uint8_t> ticket(ticket_len, 'a');
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]1066 bssl::UniquePtr<SSL_SESSION> session(
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]1067 SSL_SESSION_from_bytes(der.data(), der.size(), ssl_ctx.get()));
David Benjaminaaef8332018-06-29 16:45:49 -0400[diff] [blame]1068 if (!session ||
1069 !SSL_SESSION_set_protocol_version(session.get(), version) ||
1070 !SSL_SESSION_set_ticket(session.get(), ticket.data(), ticket.size())) {
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]1071 return nullptr;
1072 }
David Benjamin1269ddd2015-10-18 15:18:55 -0400[diff] [blame]1073 // Fix up the timeout.
David Benjamin9b63f292016-11-15 00:44:05 -0500[diff] [blame]1074#if defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE)
David Benjaminaaef8332018-06-29 16:45:49 -0400[diff] [blame]1075 SSL_SESSION_set_time(session.get(), 1234);
David Benjamin9b63f292016-11-15 00:44:05 -0500[diff] [blame]1076#else
David Benjaminaaef8332018-06-29 16:45:49 -0400[diff] [blame]1077 SSL_SESSION_set_time(session.get(), time(nullptr));
David Benjamin9b63f292016-11-15 00:44:05 -0500[diff] [blame]1078#endif
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]1079 return session;
1080}
1081
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1082static bool GetClientHello(SSL *ssl, std::vector<uint8_t> *out) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1083 bssl::UniquePtr<BIO> bio(BIO_new(BIO_s_mem()));
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1084 if (!bio) {
1085 return false;
1086 }
1087 // Do not configure a reading BIO, but record what's written to a memory BIO.
David Benjamin96a16cd2016-08-11 12:14:47 -0400[diff] [blame]1088 BIO_up_ref(bio.get());
1089 SSL_set_bio(ssl, nullptr /* rbio */, bio.get());
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1090 int ret = SSL_connect(ssl);
1091 if (ret > 0) {
1092 // SSL_connect should fail without a BIO to write to.
1093 return false;
1094 }
1095 ERR_clear_error();
1096
1097 const uint8_t *client_hello;
1098 size_t client_hello_len;
1099 if (!BIO_mem_contents(bio.get(), &client_hello, &client_hello_len)) {
1100 return false;
1101 }
1102 *out = std::vector<uint8_t>(client_hello, client_hello + client_hello_len);
1103 return true;
1104}
1105
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]1106// GetClientHelloLen creates a client SSL connection with the specified version
1107// and ticket length. It returns the length of the ClientHello, not including
1108// the record header, on success and zero on error.
1109static size_t GetClientHelloLen(uint16_t max_version, uint16_t session_version,
1110 size_t ticket_len) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1111 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]1112 bssl::UniquePtr<SSL_SESSION> session =
1113 CreateSessionWithTicket(session_version, ticket_len);
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]1114 if (!ctx || !session) {
1115 return 0;
1116 }
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]1117
1118 // Set a one-element cipher list so the baseline ClientHello is unpadded.
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1119 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
Steven Valdez2c62fe92016-10-14 12:08:12 -0400[diff] [blame]1120 if (!ssl || !SSL_set_session(ssl.get(), session.get()) ||
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]1121 !SSL_set_strict_cipher_list(ssl.get(), "ECDHE-RSA-AES128-GCM-SHA256") ||
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]1122 !SSL_set_max_proto_version(ssl.get(), max_version)) {
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]1123 return 0;
1124 }
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]1125
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1126 std::vector<uint8_t> client_hello;
1127 if (!GetClientHello(ssl.get(), &client_hello) ||
1128 client_hello.size() <= SSL3_RT_HEADER_LENGTH) {
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]1129 return 0;
1130 }
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]1131
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1132 return client_hello.size() - SSL3_RT_HEADER_LENGTH;
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]1133}
1134
David Benjamina486c6c2019-03-28 18:32:38 -0500[diff] [blame]1135TEST(SSLTest, Padding) {
1136 struct PaddingVersions {
1137 uint16_t max_version, session_version;
1138 };
1139 static const PaddingVersions kPaddingVersions[] = {
1140 // Test the padding extension at TLS 1.2.
1141 {TLS1_2_VERSION, TLS1_2_VERSION},
1142 // Test the padding extension at TLS 1.3 with a TLS 1.2 session, so there
1143 // will be no PSK binder after the padding extension.
1144 {TLS1_3_VERSION, TLS1_2_VERSION},
1145 // Test the padding extension at TLS 1.3 with a TLS 1.3 session, so there
1146 // will be a PSK binder after the padding extension.
1147 {TLS1_3_VERSION, TLS1_3_VERSION},
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]1148
David Benjamina486c6c2019-03-28 18:32:38 -0500[diff] [blame]1149 };
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]1150
David Benjamina486c6c2019-03-28 18:32:38 -0500[diff] [blame]1151 struct PaddingTest {
1152 size_t input_len, padded_len;
1153 };
1154 static const PaddingTest kPaddingTests[] = {
1155 // ClientHellos of length below 0x100 do not require padding.
1156 {0xfe, 0xfe},
1157 {0xff, 0xff},
1158 // ClientHellos of length 0x100 through 0x1fb are padded up to 0x200.
1159 {0x100, 0x200},
1160 {0x123, 0x200},
1161 {0x1fb, 0x200},
1162 // ClientHellos of length 0x1fc through 0x1ff get padded beyond 0x200. The
1163 // padding extension takes a minimum of four bytes plus one required
1164 // content
1165 // byte. (To work around yet more server bugs, we avoid empty final
1166 // extensions.)
1167 {0x1fc, 0x201},
1168 {0x1fd, 0x202},
1169 {0x1fe, 0x203},
1170 {0x1ff, 0x204},
1171 // Finally, larger ClientHellos need no padding.
1172 {0x200, 0x200},
1173 {0x201, 0x201},
1174 };
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]1175
David Benjamina486c6c2019-03-28 18:32:38 -0500[diff] [blame]1176 for (const PaddingVersions &versions : kPaddingVersions) {
1177 SCOPED_TRACE(versions.max_version);
1178 SCOPED_TRACE(versions.session_version);
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]1179
David Benjamina486c6c2019-03-28 18:32:38 -0500[diff] [blame]1180 // Sample a baseline length.
1181 size_t base_len =
1182 GetClientHelloLen(versions.max_version, versions.session_version, 1);
1183 ASSERT_NE(base_len, 0u) << "Baseline length could not be sampled";
1184
1185 for (const PaddingTest &test : kPaddingTests) {
1186 SCOPED_TRACE(test.input_len);
1187 ASSERT_LE(base_len, test.input_len) << "Baseline ClientHello too long";
1188
1189 size_t padded_len =
1190 GetClientHelloLen(versions.max_version, versions.session_version,
1191 1 + test.input_len - base_len);
1192 EXPECT_EQ(padded_len, test.padded_len)
1193 << "ClientHello was not padded to expected length";
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]1194 }
1195 }
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]1196}
1197
David Benjamin2f3958a2021-04-16 11:55:23 -0400[diff] [blame]1198static bssl::UniquePtr<X509> CertFromPEM(const char *pem) {
1199 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(pem, strlen(pem)));
1200 if (!bio) {
1201 return nullptr;
1202 }
1203 return bssl::UniquePtr<X509>(
1204 PEM_read_bio_X509(bio.get(), nullptr, nullptr, nullptr));
1205}
1206
1207static bssl::UniquePtr<EVP_PKEY> KeyFromPEM(const char *pem) {
1208 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(pem, strlen(pem)));
1209 if (!bio) {
1210 return nullptr;
1211 }
1212 return bssl::UniquePtr<EVP_PKEY>(
1213 PEM_read_bio_PrivateKey(bio.get(), nullptr, nullptr, nullptr));
1214}
1215
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1216static bssl::UniquePtr<X509> GetTestCertificate() {
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1217 static const char kCertPEM[] =
1218 "-----BEGIN CERTIFICATE-----\n"
1219 "MIICWDCCAcGgAwIBAgIJAPuwTC6rEJsMMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV\n"
1220 "BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX\n"
1221 "aWRnaXRzIFB0eSBMdGQwHhcNMTQwNDIzMjA1MDQwWhcNMTcwNDIyMjA1MDQwWjBF\n"
1222 "MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50\n"
1223 "ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\n"
1224 "gQDYK8imMuRi/03z0K1Zi0WnvfFHvwlYeyK9Na6XJYaUoIDAtB92kWdGMdAQhLci\n"
1225 "HnAjkXLI6W15OoV3gA/ElRZ1xUpxTMhjP6PyY5wqT5r6y8FxbiiFKKAnHmUcrgfV\n"
1226 "W28tQ+0rkLGMryRtrukXOgXBv7gcrmU7G1jC2a7WqmeI8QIDAQABo1AwTjAdBgNV\n"
1227 "HQ4EFgQUi3XVrMsIvg4fZbf6Vr5sp3Xaha8wHwYDVR0jBBgwFoAUi3XVrMsIvg4f\n"
1228 "Zbf6Vr5sp3Xaha8wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQA76Hht\n"
1229 "ldY9avcTGSwbwoiuIqv0jTL1fHFnzy3RHMLDh+Lpvolc5DSrSJHCP5WuK0eeJXhr\n"
1230 "T5oQpHL9z/cCDLAKCKRa4uV0fhEdOWBqyR9p8y5jJtye72t6CuFUV5iqcpF4BH4f\n"
1231 "j2VNHwsSrJwkD4QUGlUtH7vwnQmyCFxZMmWAJg==\n"
1232 "-----END CERTIFICATE-----\n";
David Benjamin2f3958a2021-04-16 11:55:23 -0400[diff] [blame]1233 return CertFromPEM(kCertPEM);
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1234}
1235
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1236static bssl::UniquePtr<EVP_PKEY> GetTestKey() {
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1237 static const char kKeyPEM[] =
1238 "-----BEGIN RSA PRIVATE KEY-----\n"
1239 "MIICXgIBAAKBgQDYK8imMuRi/03z0K1Zi0WnvfFHvwlYeyK9Na6XJYaUoIDAtB92\n"
1240 "kWdGMdAQhLciHnAjkXLI6W15OoV3gA/ElRZ1xUpxTMhjP6PyY5wqT5r6y8FxbiiF\n"
1241 "KKAnHmUcrgfVW28tQ+0rkLGMryRtrukXOgXBv7gcrmU7G1jC2a7WqmeI8QIDAQAB\n"
1242 "AoGBAIBy09Fd4DOq/Ijp8HeKuCMKTHqTW1xGHshLQ6jwVV2vWZIn9aIgmDsvkjCe\n"
1243 "i6ssZvnbjVcwzSoByhjN8ZCf/i15HECWDFFh6gt0P5z0MnChwzZmvatV/FXCT0j+\n"
1244 "WmGNB/gkehKjGXLLcjTb6dRYVJSCZhVuOLLcbWIV10gggJQBAkEA8S8sGe4ezyyZ\n"
1245 "m4e9r95g6s43kPqtj5rewTsUxt+2n4eVodD+ZUlCULWVNAFLkYRTBCASlSrm9Xhj\n"
1246 "QpmWAHJUkQJBAOVzQdFUaewLtdOJoPCtpYoY1zd22eae8TQEmpGOR11L6kbxLQsk\n"
1247 "aMly/DOnOaa82tqAGTdqDEZgSNmCeKKknmECQAvpnY8GUOVAubGR6c+W90iBuQLj\n"
1248 "LtFp/9ihd2w/PoDwrHZaoUYVcT4VSfJQog/k7kjE4MYXYWL8eEKg3WTWQNECQQDk\n"
1249 "104Wi91Umd1PzF0ijd2jXOERJU1wEKe6XLkYYNHWQAe5l4J4MWj9OdxFXAxIuuR/\n"
1250 "tfDwbqkta4xcux67//khAkEAvvRXLHTaa6VFzTaiiO8SaFsHV3lQyXOtMrBpB5jd\n"
1251 "moZWgjHvB2W9Ckn7sDqsPB+U2tyX0joDdQEyuiMECDY8oQ==\n"
1252 "-----END RSA PRIVATE KEY-----\n";
David Benjamin2f3958a2021-04-16 11:55:23 -0400[diff] [blame]1253 return KeyFromPEM(kKeyPEM);
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1254}
1255
David Benjamin9b2cdb72021-04-01 23:21:53 -0400[diff] [blame]1256static bssl::UniquePtr<SSL_CTX> CreateContextWithTestCertificate(
1257 const SSL_METHOD *method) {
1258 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
1259 bssl::UniquePtr<X509> cert = GetTestCertificate();
1260 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
1261 if (!ctx || !cert || !key ||
1262 !SSL_CTX_use_certificate(ctx.get(), cert.get()) ||
1263 !SSL_CTX_use_PrivateKey(ctx.get(), key.get())) {
1264 return nullptr;
1265 }
1266 return ctx;
1267}
1268
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1269static bssl::UniquePtr<X509> GetECDSATestCertificate() {
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]1270 static const char kCertPEM[] =
1271 "-----BEGIN CERTIFICATE-----\n"
1272 "MIIBzzCCAXagAwIBAgIJANlMBNpJfb/rMAkGByqGSM49BAEwRTELMAkGA1UEBhMC\n"
1273 "QVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdp\n"
1274 "dHMgUHR5IEx0ZDAeFw0xNDA0MjMyMzIxNTdaFw0xNDA1MjMyMzIxNTdaMEUxCzAJ\n"
1275 "BgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5l\n"
1276 "dCBXaWRnaXRzIFB0eSBMdGQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATmK2ni\n"
1277 "v2Wfl74vHg2UikzVl2u3qR4NRvvdqakendy6WgHn1peoChj5w8SjHlbifINI2xYa\n"
1278 "HPUdfvGULUvPciLBo1AwTjAdBgNVHQ4EFgQUq4TSrKuV8IJOFngHVVdf5CaNgtEw\n"
1279 "HwYDVR0jBBgwFoAUq4TSrKuV8IJOFngHVVdf5CaNgtEwDAYDVR0TBAUwAwEB/zAJ\n"
1280 "BgcqhkjOPQQBA0gAMEUCIQDyoDVeUTo2w4J5m+4nUIWOcAZ0lVfSKXQA9L4Vh13E\n"
1281 "BwIgfB55FGohg/B6dGh5XxSZmmi08cueFV7mHzJSYV51yRQ=\n"
1282 "-----END CERTIFICATE-----\n";
David Benjamin2f3958a2021-04-16 11:55:23 -0400[diff] [blame]1283 return CertFromPEM(kCertPEM);
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]1284}
1285
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1286static bssl::UniquePtr<EVP_PKEY> GetECDSATestKey() {
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]1287 static const char kKeyPEM[] =
1288 "-----BEGIN PRIVATE KEY-----\n"
1289 "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgBw8IcnrUoEqc3VnJ\n"
1290 "TYlodwi1b8ldMHcO6NHJzgqLtGqhRANCAATmK2niv2Wfl74vHg2UikzVl2u3qR4N\n"
1291 "Rvvdqakendy6WgHn1peoChj5w8SjHlbifINI2xYaHPUdfvGULUvPciLB\n"
1292 "-----END PRIVATE KEY-----\n";
David Benjamin2f3958a2021-04-16 11:55:23 -0400[diff] [blame]1293 return KeyFromPEM(kKeyPEM);
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]1294}
1295
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]1296static bssl::UniquePtr<CRYPTO_BUFFER> BufferFromPEM(const char *pem) {
1297 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(pem, strlen(pem)));
1298 char *name, *header;
1299 uint8_t *data;
1300 long data_len;
1301 if (!PEM_read_bio(bio.get(), &name, &header, &data,
1302 &data_len)) {
1303 return nullptr;
1304 }
1305 OPENSSL_free(name);
1306 OPENSSL_free(header);
1307
1308 auto ret = bssl::UniquePtr<CRYPTO_BUFFER>(
1309 CRYPTO_BUFFER_new(data, data_len, nullptr));
1310 OPENSSL_free(data);
1311 return ret;
1312}
1313
1314static bssl::UniquePtr<CRYPTO_BUFFER> GetChainTestCertificateBuffer() {
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]1315 static const char kCertPEM[] =
1316 "-----BEGIN CERTIFICATE-----\n"
1317 "MIIC0jCCAbqgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEQiBD\n"
1318 "QTAeFw0xNjAyMjgyMDI3MDNaFw0yNjAyMjUyMDI3MDNaMBgxFjAUBgNVBAMMDUNs\n"
1319 "aWVudCBDZXJ0IEEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDRvaz8\n"
1320 "CC/cshpCafJo4jLkHEoBqDLhdgFelJoAiQUyIqyWl2O7YHPnpJH+TgR7oelzNzt/\n"
1321 "kLRcH89M/TszB6zqyLTC4aqmvzKL0peD/jL2LWBucR0WXIvjA3zoRuF/x86+rYH3\n"
1322 "tHb+xs2PSs8EGL/Ev+ss+qTzTGEn26fuGNHkNw6tOwPpc+o8+wUtzf/kAthamo+c\n"
1323 "IDs2rQ+lP7+aLZTLeU/q4gcLutlzcK5imex5xy2jPkweq48kijK0kIzl1cPlA5d1\n"
1324 "z7C8jU50Pj9X9sQDJTN32j7UYRisJeeYQF8GaaN8SbrDI6zHgKzrRLyxDt/KQa9V\n"
1325 "iLeXANgZi+Xx9KgfAgMBAAGjLzAtMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYI\n"
1326 "KwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQBFEVbmYl+2RtNw\n"
1327 "rDftRDF1v2QUbcN2ouSnQDHxeDQdSgasLzT3ui8iYu0Rw2WWcZ0DV5e0ztGPhWq7\n"
1328 "AO0B120aFRMOY+4+bzu9Q2FFkQqc7/fKTvTDzIJI5wrMnFvUfzzvxh3OHWMYSs/w\n"
1329 "giq33hTKeHEq6Jyk3btCny0Ycecyc3yGXH10sizUfiHlhviCkDuESk8mFDwDDzqW\n"
1330 "ZF0IipzFbEDHoIxLlm3GQxpiLoEV4k8KYJp3R5KBLFyxM6UGPz8h72mIPCJp2RuK\n"
1331 "MYgF91UDvVzvnYm6TfseM2+ewKirC00GOrZ7rEcFvtxnKSqYf4ckqfNdSU1Y+RRC\n"
1332 "1ngWZ7Ih\n"
1333 "-----END CERTIFICATE-----\n";
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]1334 return BufferFromPEM(kCertPEM);
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]1335}
1336
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]1337static bssl::UniquePtr<X509> X509FromBuffer(
1338 bssl::UniquePtr<CRYPTO_BUFFER> buffer) {
1339 if (!buffer) {
1340 return nullptr;
1341 }
1342 const uint8_t *derp = CRYPTO_BUFFER_data(buffer.get());
1343 return bssl::UniquePtr<X509>(
1344 d2i_X509(NULL, &derp, CRYPTO_BUFFER_len(buffer.get())));
1345}
1346
1347static bssl::UniquePtr<X509> GetChainTestCertificate() {
1348 return X509FromBuffer(GetChainTestCertificateBuffer());
1349}
1350
1351static bssl::UniquePtr<CRYPTO_BUFFER> GetChainTestIntermediateBuffer() {
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]1352 static const char kCertPEM[] =
1353 "-----BEGIN CERTIFICATE-----\n"
1354 "MIICwjCCAaqgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwFDESMBAGA1UEAwwJQyBS\n"
1355 "b290IENBMB4XDTE2MDIyODIwMjcwM1oXDTI2MDIyNTIwMjcwM1owDzENMAsGA1UE\n"
1356 "AwwEQiBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALsSCYmDip2D\n"
1357 "GkjFxw7ykz26JSjELkl6ArlYjFJ3aT/SCh8qbS4gln7RH8CPBd78oFdfhIKQrwtZ\n"
1358 "3/q21ykD9BAS3qHe2YdcJfm8/kWAy5DvXk6NXU4qX334KofBAEpgdA/igEFq1P1l\n"
1359 "HAuIfZCpMRfT+i5WohVsGi8f/NgpRvVaMONLNfgw57mz1lbtFeBEISmX0kbsuJxF\n"
1360 "Qj/Bwhi5/0HAEXG8e7zN4cEx0yPRvmOATRdVb/8dW2pwOHRJq9R5M0NUkIsTSnL7\n"
1361 "6N/z8hRAHMsV3IudC5Yd7GXW1AGu9a+iKU+Q4xcZCoj0DC99tL4VKujrV1kAeqsM\n"
1362 "cz5/dKzi6+cCAwEAAaMjMCEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
1363 "AQYwDQYJKoZIhvcNAQELBQADggEBAIIeZiEeNhWWQ8Y4D+AGDwqUUeG8NjCbKrXQ\n"
1364 "BlHg5wZ8xftFaiP1Dp/UAezmx2LNazdmuwrYB8lm3FVTyaPDTKEGIPS4wJKHgqH1\n"
1365 "QPDhqNm85ey7TEtI9oYjsNim/Rb+iGkIAMXaxt58SzxbjvP0kMr1JfJIZbic9vye\n"
1366 "NwIspMFIpP3FB8ywyu0T0hWtCQgL4J47nigCHpOu58deP88fS/Nyz/fyGVWOZ76b\n"
1367 "WhWwgM3P3X95fQ3d7oFPR/bVh0YV+Cf861INwplokXgXQ3/TCQ+HNXeAMWn3JLWv\n"
1368 "XFwk8owk9dq/kQGdndGgy3KTEW4ctPX5GNhf3LJ9Q7dLji4ReQ4=\n"
1369 "-----END CERTIFICATE-----\n";
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]1370 return BufferFromPEM(kCertPEM);
1371}
1372
1373static bssl::UniquePtr<X509> GetChainTestIntermediate() {
1374 return X509FromBuffer(GetChainTestIntermediateBuffer());
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]1375}
1376
1377static bssl::UniquePtr<EVP_PKEY> GetChainTestKey() {
1378 static const char kKeyPEM[] =
1379 "-----BEGIN PRIVATE KEY-----\n"
1380 "MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDRvaz8CC/cshpC\n"
1381 "afJo4jLkHEoBqDLhdgFelJoAiQUyIqyWl2O7YHPnpJH+TgR7oelzNzt/kLRcH89M\n"
1382 "/TszB6zqyLTC4aqmvzKL0peD/jL2LWBucR0WXIvjA3zoRuF/x86+rYH3tHb+xs2P\n"
1383 "Ss8EGL/Ev+ss+qTzTGEn26fuGNHkNw6tOwPpc+o8+wUtzf/kAthamo+cIDs2rQ+l\n"
1384 "P7+aLZTLeU/q4gcLutlzcK5imex5xy2jPkweq48kijK0kIzl1cPlA5d1z7C8jU50\n"
1385 "Pj9X9sQDJTN32j7UYRisJeeYQF8GaaN8SbrDI6zHgKzrRLyxDt/KQa9ViLeXANgZ\n"
1386 "i+Xx9KgfAgMBAAECggEBAK0VjSJzkyPaamcyTVSWjo7GdaBGcK60lk657RjR+lK0\n"
1387 "YJ7pkej4oM2hdsVZFsP8Cs4E33nXLa/0pDsRov/qrp0WQm2skwqGMC1I/bZ0WRPk\n"
1388 "wHaDrBBfESWnJDX/AGpVtlyOjPmgmK6J2usMPihQUDkKdAYrVWJePrMIxt1q6BMe\n"
1389 "iczs3qriMmtY3bUc4UyUwJ5fhDLjshHvfuIpYQyI6EXZM6dZksn9LylXJnigY6QJ\n"
1390 "HxOYO0BDwOsZ8yQ8J8afLk88i0GizEkgE1z3REtQUwgWfxr1WV/ud+T6/ZhSAgH9\n"
1391 "042mQvSFZnIUSEsmCvjhWuAunfxHKCTcAoYISWfzWpkCgYEA7gpf3HHU5Tn+CgUn\n"
1392 "1X5uGpG3DmcMgfeGgs2r2f/IIg/5Ac1dfYILiybL1tN9zbyLCJfcbFpWBc9hJL6f\n"
1393 "CPc5hUiwWFJqBJewxQkC1Ae/HakHbip+IZ+Jr0842O4BAArvixk4Lb7/N2Ct9sTE\n"
1394 "NJO6RtK9lbEZ5uK61DglHy8CS2UCgYEA4ZC1o36kPAMQBggajgnucb2yuUEelk0f\n"
1395 "AEr+GI32MGE+93xMr7rAhBoqLg4AITyIfEnOSQ5HwagnIHonBbv1LV/Gf9ursx8Z\n"
1396 "YOGbvT8zzzC+SU1bkDzdjAYnFQVGIjMtKOBJ3K07++ypwX1fr4QsQ8uKL8WSOWwt\n"
1397 "Z3Bym6XiZzMCgYADnhy+2OwHX85AkLt+PyGlPbmuelpyTzS4IDAQbBa6jcuW/2wA\n"
1398 "UE2km75VUXmD+u2R/9zVuLm99NzhFhSMqlUxdV1YukfqMfP5yp1EY6m/5aW7QuIP\n"
1399 "2MDa7TVL9rIFMiVZ09RKvbBbQxjhuzPQKL6X/PPspnhiTefQ+dl2k9xREQKBgHDS\n"
1400 "fMfGNEeAEKezrfSVqxphE9/tXms3L+ZpnCaT+yu/uEr5dTIAawKoQ6i9f/sf1/Sy\n"
1401 "xedsqR+IB+oKrzIDDWMgoJybN4pkZ8E5lzhVQIjFjKgFdWLzzqyW9z1gYfABQPlN\n"
1402 "FiS20WX0vgP1vcKAjdNrHzc9zyHBpgQzDmAj3NZZAoGBAI8vKCKdH7w3aL5CNkZQ\n"
1403 "2buIeWNA2HZazVwAGG5F2TU/LmXfRKnG6dX5bkU+AkBZh56jNZy//hfFSewJB4Kk\n"
1404 "buB7ERSdaNbO21zXt9FEA3+z0RfMd/Zv2vlIWOSB5nzl/7UKti3sribK6s9ZVLfi\n"
1405 "SxpiPQ8d/hmSGwn4ksrWUsJD\n"
1406 "-----END PRIVATE KEY-----\n";
David Benjamin2f3958a2021-04-16 11:55:23 -0400[diff] [blame]1407 return KeyFromPEM(kKeyPEM);
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]1408}
1409
David Benjamin83a49932021-05-20 15:57:09 -0400[diff] [blame]1410static bool CompleteHandshakes(SSL *client, SSL *server) {
1411 // Drive both their handshakes to completion.
1412 for (;;) {
1413 int client_ret = SSL_do_handshake(client);
1414 int client_err = SSL_get_error(client, client_ret);
1415 if (client_err != SSL_ERROR_NONE &&
1416 client_err != SSL_ERROR_WANT_READ &&
1417 client_err != SSL_ERROR_WANT_WRITE &&
1418 client_err != SSL_ERROR_PENDING_TICKET) {
1419 fprintf(stderr, "Client error: %s\n", SSL_error_description(client_err));
1420 return false;
1421 }
1422
1423 int server_ret = SSL_do_handshake(server);
1424 int server_err = SSL_get_error(server, server_ret);
1425 if (server_err != SSL_ERROR_NONE &&
1426 server_err != SSL_ERROR_WANT_READ &&
1427 server_err != SSL_ERROR_WANT_WRITE &&
1428 server_err != SSL_ERROR_PENDING_TICKET) {
1429 fprintf(stderr, "Server error: %s\n", SSL_error_description(server_err));
1430 return false;
1431 }
1432
1433 if (client_ret == 1 && server_ret == 1) {
1434 break;
1435 }
1436 }
1437
1438 return true;
1439}
1440
1441static bool FlushNewSessionTickets(SSL *client, SSL *server) {
1442 // NewSessionTickets are deferred on the server to |SSL_write|, and clients do
1443 // not pick them up until |SSL_read|.
1444 for (;;) {
1445 int server_ret = SSL_write(server, nullptr, 0);
1446 int server_err = SSL_get_error(server, server_ret);
1447 // The server may either succeed (|server_ret| is zero) or block on write
1448 // (|server_ret| is -1 and |server_err| is |SSL_ERROR_WANT_WRITE|).
1449 if (server_ret > 0 ||
1450 (server_ret < 0 && server_err != SSL_ERROR_WANT_WRITE)) {
1451 fprintf(stderr, "Unexpected server result: %d %d\n", server_ret,
1452 server_err);
1453 return false;
1454 }
1455
1456 int client_ret = SSL_read(client, nullptr, 0);
1457 int client_err = SSL_get_error(client, client_ret);
1458 // The client must always block on read.
1459 if (client_ret != -1 || client_err != SSL_ERROR_WANT_READ) {
1460 fprintf(stderr, "Unexpected client result: %d %d\n", client_ret,
1461 client_err);
1462 return false;
1463 }
1464
1465 // The server flushed everything it had to write.
1466 if (server_ret == 0) {
1467 return true;
1468 }
1469 }
1470}
1471
1472// CreateClientAndServer creates a client and server |SSL| objects whose |BIO|s
1473// are paired with each other. It does not run the handshake. The caller is
1474// expected to configure the objects and drive the handshake as needed.
1475static bool CreateClientAndServer(bssl::UniquePtr<SSL> *out_client,
1476 bssl::UniquePtr<SSL> *out_server,
1477 SSL_CTX *client_ctx, SSL_CTX *server_ctx) {
1478 bssl::UniquePtr<SSL> client(SSL_new(client_ctx)), server(SSL_new(server_ctx));
1479 if (!client || !server) {
1480 return false;
1481 }
1482 SSL_set_connect_state(client.get());
1483 SSL_set_accept_state(server.get());
1484
1485 BIO *bio1, *bio2;
1486 if (!BIO_new_bio_pair(&bio1, 0, &bio2, 0)) {
1487 return false;
1488 }
1489 // SSL_set_bio takes ownership.
1490 SSL_set_bio(client.get(), bio1, bio1);
1491 SSL_set_bio(server.get(), bio2, bio2);
1492
1493 *out_client = std::move(client);
1494 *out_server = std::move(server);
1495 return true;
1496}
1497
1498struct ClientConfig {
1499 SSL_SESSION *session = nullptr;
1500 std::string servername;
1501 bool early_data = false;
1502};
1503
1504static bool ConnectClientAndServer(bssl::UniquePtr<SSL> *out_client,
1505 bssl::UniquePtr<SSL> *out_server,
1506 SSL_CTX *client_ctx, SSL_CTX *server_ctx,
1507 const ClientConfig &config = ClientConfig(),
1508 bool shed_handshake_config = true) {
1509 bssl::UniquePtr<SSL> client, server;
1510 if (!CreateClientAndServer(&client, &server, client_ctx, server_ctx)) {
1511 return false;
1512 }
1513 if (config.early_data) {
1514 SSL_set_early_data_enabled(client.get(), 1);
1515 }
1516 if (config.session) {
1517 SSL_set_session(client.get(), config.session);
1518 }
1519 if (!config.servername.empty() &&
1520 !SSL_set_tlsext_host_name(client.get(), config.servername.c_str())) {
1521 return false;
1522 }
1523
1524 SSL_set_shed_handshake_config(client.get(), shed_handshake_config);
1525 SSL_set_shed_handshake_config(server.get(), shed_handshake_config);
1526
1527 if (!CompleteHandshakes(client.get(), server.get())) {
1528 return false;
1529 }
1530
1531 *out_client = std::move(client);
1532 *out_server = std::move(server);
1533 return true;
1534}
1535
David Benjamin9734e442021-06-15 13:58:12 -0400[diff] [blame]1536static bssl::UniquePtr<SSL_SESSION> g_last_session;
1537
1538static int SaveLastSession(SSL *ssl, SSL_SESSION *session) {
1539 // Save the most recent session.
1540 g_last_session.reset(session);
1541 return 1;
1542}
1543
1544static bssl::UniquePtr<SSL_SESSION> CreateClientSession(
1545 SSL_CTX *client_ctx, SSL_CTX *server_ctx,
1546 const ClientConfig &config = ClientConfig()) {
1547 g_last_session = nullptr;
1548 SSL_CTX_sess_set_new_cb(client_ctx, SaveLastSession);
1549
1550 // Connect client and server to get a session.
1551 bssl::UniquePtr<SSL> client, server;
1552 if (!ConnectClientAndServer(&client, &server, client_ctx, server_ctx,
1553 config) ||
1554 !FlushNewSessionTickets(client.get(), server.get())) {
1555 fprintf(stderr, "Failed to connect client and server.\n");
1556 return nullptr;
1557 }
1558
1559 SSL_CTX_sess_set_new_cb(client_ctx, nullptr);
1560
1561 if (!g_last_session) {
1562 fprintf(stderr, "Client did not receive a session.\n");
1563 return nullptr;
1564 }
1565 return std::move(g_last_session);
1566}
1567
David Benjaminc79ae7a2017-08-29 16:09:44 -0400[diff] [blame]1568// Test that |SSL_get_client_CA_list| echoes back the configured parameter even
1569// before configuring as a server.
1570TEST(SSLTest, ClientCAList) {
1571 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
1572 ASSERT_TRUE(ctx);
1573 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
1574 ASSERT_TRUE(ssl);
1575
1576 bssl::UniquePtr<X509_NAME> name(X509_NAME_new());
1577 ASSERT_TRUE(name);
1578
1579 bssl::UniquePtr<X509_NAME> name_dup(X509_NAME_dup(name.get()));
1580 ASSERT_TRUE(name_dup);
1581
1582 bssl::UniquePtr<STACK_OF(X509_NAME)> stack(sk_X509_NAME_new_null());
1583 ASSERT_TRUE(stack);
David Benjamin2908dd12018-06-29 17:46:42 -0400[diff] [blame]1584 ASSERT_TRUE(PushToStack(stack.get(), std::move(name_dup)));
David Benjaminc79ae7a2017-08-29 16:09:44 -0400[diff] [blame]1585
1586 // |SSL_set_client_CA_list| takes ownership.
1587 SSL_set_client_CA_list(ssl.get(), stack.release());
1588
1589 STACK_OF(X509_NAME) *result = SSL_get_client_CA_list(ssl.get());
1590 ASSERT_TRUE(result);
1591 ASSERT_EQ(1u, sk_X509_NAME_num(result));
1592 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(result, 0), name.get()));
1593}
1594
1595TEST(SSLTest, AddClientCA) {
1596 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
1597 ASSERT_TRUE(ctx);
1598 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
1599 ASSERT_TRUE(ssl);
1600
1601 bssl::UniquePtr<X509> cert1 = GetTestCertificate();
1602 bssl::UniquePtr<X509> cert2 = GetChainTestCertificate();
1603 ASSERT_TRUE(cert1 && cert2);
1604 X509_NAME *name1 = X509_get_subject_name(cert1.get());
1605 X509_NAME *name2 = X509_get_subject_name(cert2.get());
1606
1607 EXPECT_EQ(0u, sk_X509_NAME_num(SSL_get_client_CA_list(ssl.get())));
1608
1609 ASSERT_TRUE(SSL_add_client_CA(ssl.get(), cert1.get()));
1610 ASSERT_TRUE(SSL_add_client_CA(ssl.get(), cert2.get()));
1611
1612 STACK_OF(X509_NAME) *list = SSL_get_client_CA_list(ssl.get());
1613 ASSERT_EQ(2u, sk_X509_NAME_num(list));
1614 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 0), name1));
1615 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 1), name2));
1616
1617 ASSERT_TRUE(SSL_add_client_CA(ssl.get(), cert1.get()));
1618
1619 list = SSL_get_client_CA_list(ssl.get());
1620 ASSERT_EQ(3u, sk_X509_NAME_num(list));
1621 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 0), name1));
1622 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 1), name2));
1623 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 2), name1));
1624}
1625
David Benjamin24545c52021-06-07 16:05:07 -0400[diff] [blame]1626struct ECHConfigParams {
1627 uint16_t version = TLSEXT_TYPE_encrypted_client_hello;
1628 uint16_t config_id = 1;
1629 std::string public_name = "example.com";
1630 const EVP_HPKE_KEY *key = nullptr;
1631 // kem_id, if zero, takes its value from |key|.
1632 uint16_t kem_id = 0;
1633 // public_key, if empty takes its value from |key|.
1634 std::vector<uint8_t> public_key;
1635 size_t max_name_len = 16;
1636 // cipher_suites is a list of code points which should contain pairs of KDF
1637 // and AEAD IDs.
1638 std::vector<uint16_t> cipher_suites = {EVP_HPKE_HKDF_SHA256,
1639 EVP_HPKE_AES_128_GCM};
1640 std::vector<uint8_t> extensions;
1641};
Daniel McArdle00e434d2021-02-18 11:47:18 -0500[diff] [blame]1642
David Benjamin24545c52021-06-07 16:05:07 -0400[diff] [blame]1643// MakeECHConfig serializes an ECHConfig from |params| and writes it to
1644// |*out|.
1645bool MakeECHConfig(std::vector<uint8_t> *out,
1646 const ECHConfigParams &params) {
1647 uint16_t kem_id = params.kem_id == 0
1648 ? EVP_HPKE_KEM_id(EVP_HPKE_KEY_kem(params.key))
1649 : params.kem_id;
1650 std::vector<uint8_t> public_key = params.public_key;
1651 if (public_key.empty()) {
1652 public_key.resize(EVP_HPKE_MAX_PUBLIC_KEY_LENGTH);
1653 size_t len;
1654 if (!EVP_HPKE_KEY_public_key(params.key, public_key.data(), &len,
1655 public_key.size())) {
1656 return false;
1657 }
1658 public_key.resize(len);
1659 }
Daniel McArdle00e434d2021-02-18 11:47:18 -0500[diff] [blame]1660
Daniel McArdle00e434d2021-02-18 11:47:18 -0500[diff] [blame]1661 bssl::ScopedCBB cbb;
1662 CBB contents, child;
Daniel McArdle00e434d2021-02-18 11:47:18 -0500[diff] [blame]1663 if (!CBB_init(cbb.get(), 64) ||
David Benjamin24545c52021-06-07 16:05:07 -0400[diff] [blame]1664 !CBB_add_u16(cbb.get(), params.version) ||
Daniel McArdle00e434d2021-02-18 11:47:18 -0500[diff] [blame]1665 !CBB_add_u16_length_prefixed(cbb.get(), &contents) ||
David Benjamin24545c52021-06-07 16:05:07 -0400[diff] [blame]1666 !CBB_add_u8(&contents, params.config_id) ||
Steven Valdez94a63a52021-04-29 10:52:42 -0400[diff] [blame]1667 !CBB_add_u16(&contents, kem_id) ||
Daniel McArdle00e434d2021-02-18 11:47:18 -0500[diff] [blame]1668 !CBB_add_u16_length_prefixed(&contents, &child) ||
1669 !CBB_add_bytes(&child, public_key.data(), public_key.size()) ||
Daniel McArdle00e434d2021-02-18 11:47:18 -0500[diff] [blame]1670 !CBB_add_u16_length_prefixed(&contents, &child)) {
1671 return false;
1672 }
David Benjamin24545c52021-06-07 16:05:07 -0400[diff] [blame]1673 for (uint16_t cipher_suite : params.cipher_suites) {
Daniel McArdle00e434d2021-02-18 11:47:18 -0500[diff] [blame]1674 if (!CBB_add_u16(&child, cipher_suite)) {
1675 return false;
1676 }
1677 }
David Benjamin18b68362021-06-18 23:13:46 -0400[diff] [blame]1678 if (!CBB_add_u8(&contents, params.max_name_len) ||
1679 !CBB_add_u8_length_prefixed(&contents, &child) ||
David Benjamin24545c52021-06-07 16:05:07 -0400[diff] [blame]1680 !CBB_add_bytes(
1681 &child, reinterpret_cast<const uint8_t *>(params.public_name.data()),
1682 params.public_name.size()) ||
Steven Valdez94a63a52021-04-29 10:52:42 -0400[diff] [blame]1683 !CBB_add_u16_length_prefixed(&contents, &child) ||
David Benjamin24545c52021-06-07 16:05:07 -0400[diff] [blame]1684 !CBB_add_bytes(&child, params.extensions.data(),
1685 params.extensions.size()) ||
Daniel McArdle00e434d2021-02-18 11:47:18 -0500[diff] [blame]1686 !CBB_flush(cbb.get())) {
1687 return false;
1688 }
1689
1690 out->assign(CBB_data(cbb.get()), CBB_data(cbb.get()) + CBB_len(cbb.get()));
1691 return true;
1692}
1693
David Benjaminba423c92021-06-15 16:26:58 -0400[diff] [blame]1694static bssl::UniquePtr<SSL_ECH_KEYS> MakeTestECHKeys(uint8_t config_id = 1) {
David Benjamin83a49932021-05-20 15:57:09 -0400[diff] [blame]1695 bssl::ScopedEVP_HPKE_KEY key;
1696 uint8_t *ech_config;
1697 size_t ech_config_len;
1698 if (!EVP_HPKE_KEY_generate(key.get(), EVP_hpke_x25519_hkdf_sha256()) ||
David Benjaminba423c92021-06-15 16:26:58 -0400[diff] [blame]1699 !SSL_marshal_ech_config(&ech_config, &ech_config_len, config_id,
1700 key.get(), "public.example", 16)) {
David Benjamin83a49932021-05-20 15:57:09 -0400[diff] [blame]1701 return nullptr;
1702 }
1703 bssl::UniquePtr<uint8_t> free_ech_config(ech_config);
1704
1705 // Install a non-retry config.
1706 bssl::UniquePtr<SSL_ECH_KEYS> keys(SSL_ECH_KEYS_new());
1707 if (!keys || !SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1, ech_config,
1708 ech_config_len, key.get())) {
1709 return nullptr;
1710 }
1711 return keys;
1712}
1713
1714static bool InstallECHConfigList(SSL *client, const SSL_ECH_KEYS *keys) {
1715 uint8_t *ech_config_list;
1716 size_t ech_config_list_len;
1717 if (!SSL_ECH_KEYS_marshal_retry_configs(keys, &ech_config_list,
1718 &ech_config_list_len)) {
1719 return false;
1720 }
1721 bssl::UniquePtr<uint8_t> free_ech_config_list(ech_config_list);
1722 return SSL_set1_ech_config_list(client, ech_config_list, ech_config_list_len);
1723}
1724
David Benjamin24545c52021-06-07 16:05:07 -0400[diff] [blame]1725// Test that |SSL_marshal_ech_config| and |SSL_ECH_KEYS_marshal_retry_configs|
1726// output values as expected.
1727TEST(SSLTest, MarshalECHConfig) {
1728 static const uint8_t kPrivateKey[X25519_PRIVATE_KEY_LEN] = {
1729 0xbc, 0xb5, 0x51, 0x29, 0x31, 0x10, 0x30, 0xc9, 0xed, 0x26, 0xde,
1730 0xd4, 0xb3, 0xdf, 0x3a, 0xce, 0x06, 0x8a, 0xee, 0x17, 0xab, 0xce,
1731 0xd7, 0xdb, 0xf3, 0x11, 0xe5, 0xa8, 0xf3, 0xb1, 0x8e, 0x24};
1732 bssl::ScopedEVP_HPKE_KEY key;
1733 ASSERT_TRUE(EVP_HPKE_KEY_init(key.get(), EVP_hpke_x25519_hkdf_sha256(),
1734 kPrivateKey, sizeof(kPrivateKey)));
Daniel McArdle00e434d2021-02-18 11:47:18 -0500[diff] [blame]1735
David Benjamin24545c52021-06-07 16:05:07 -0400[diff] [blame]1736 static const uint8_t kECHConfig[] = {
1737 // version
David Benjamin18b68362021-06-18 23:13:46 -0400[diff] [blame]1738 0xfe, 0x0d,
David Benjamin24545c52021-06-07 16:05:07 -0400[diff] [blame]1739 // length
David Benjamin18b68362021-06-18 23:13:46 -0400[diff] [blame]1740 0x00, 0x41,
David Benjamin24545c52021-06-07 16:05:07 -0400[diff] [blame]1741 // contents.config_id
1742 0x01,
1743 // contents.kem_id
1744 0x00, 0x20,
1745 // contents.public_key
1746 0x00, 0x20, 0xa6, 0x9a, 0x41, 0x48, 0x5d, 0x32, 0x96, 0xa4, 0xe0, 0xc3,
1747 0x6a, 0xee, 0xf6, 0x63, 0x0f, 0x59, 0x32, 0x6f, 0xdc, 0xff, 0x81, 0x29,
1748 0x59, 0xa5, 0x85, 0xd3, 0x9b, 0x3b, 0xde, 0x98, 0x55, 0x5c,
1749 // contents.cipher_suites
1750 0x00, 0x08, 0x00, 0x01, 0x00, 0x01, 0x00, 0x01, 0x00, 0x03,
1751 // contents.maximum_name_length
David Benjamin18b68362021-06-18 23:13:46 -0400[diff] [blame]1752 0x10,
David Benjamin24545c52021-06-07 16:05:07 -0400[diff] [blame]1753 // contents.public_name
David Benjamin18b68362021-06-18 23:13:46 -0400[diff] [blame]1754 0x0e, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x2e, 0x65, 0x78, 0x61, 0x6d,
1755 0x70, 0x6c, 0x65,
David Benjamin24545c52021-06-07 16:05:07 -0400[diff] [blame]1756 // contents.extensions
1757 0x00, 0x00};
1758 uint8_t *ech_config;
1759 size_t ech_config_len;
1760 ASSERT_TRUE(SSL_marshal_ech_config(&ech_config, &ech_config_len,
1761 /*config_id=*/1, key.get(),
1762 "public.example", 16));
1763 bssl::UniquePtr<uint8_t> free_ech_config(ech_config);
1764 EXPECT_EQ(Bytes(kECHConfig), Bytes(ech_config, ech_config_len));
1765
1766 // Generate a second ECHConfig.
1767 bssl::ScopedEVP_HPKE_KEY key2;
1768 ASSERT_TRUE(EVP_HPKE_KEY_generate(key2.get(), EVP_hpke_x25519_hkdf_sha256()));
1769 uint8_t *ech_config2;
1770 size_t ech_config2_len;
1771 ASSERT_TRUE(SSL_marshal_ech_config(&ech_config2, &ech_config2_len,
1772 /*config_id=*/2, key2.get(),
1773 "public.example", 16));
1774 bssl::UniquePtr<uint8_t> free_ech_config2(ech_config2);
1775
1776 // Install both ECHConfigs in an |SSL_ECH_KEYS|.
David Benjaminc3b373b2021-06-06 13:04:26 -0400[diff] [blame]1777 bssl::UniquePtr<SSL_ECH_KEYS> keys(SSL_ECH_KEYS_new());
1778 ASSERT_TRUE(keys);
David Benjamin24545c52021-06-07 16:05:07 -0400[diff] [blame]1779 ASSERT_TRUE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1, ech_config,
1780 ech_config_len, key.get()));
1781 ASSERT_TRUE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1, ech_config2,
1782 ech_config2_len, key2.get()));
1783
1784 // The ECHConfigList should be correctly serialized.
1785 uint8_t *ech_config_list;
1786 size_t ech_config_list_len;
1787 ASSERT_TRUE(SSL_ECH_KEYS_marshal_retry_configs(keys.get(), &ech_config_list,
1788 &ech_config_list_len));
1789 bssl::UniquePtr<uint8_t> free_ech_config_list(ech_config_list);
1790
1791 // ECHConfigList is just the concatenation with a length prefix.
1792 size_t len = ech_config_len + ech_config2_len;
1793 std::vector<uint8_t> expected = {uint8_t(len >> 8), uint8_t(len)};
1794 expected.insert(expected.end(), ech_config, ech_config + ech_config_len);
1795 expected.insert(expected.end(), ech_config2, ech_config2 + ech_config2_len);
1796 EXPECT_EQ(Bytes(expected), Bytes(ech_config_list, ech_config_list_len));
David Benjamin24545c52021-06-07 16:05:07 -0400[diff] [blame]1797}
1798
1799TEST(SSLTest, ECHHasDuplicateConfigID) {
1800 const struct {
1801 std::vector<uint8_t> ids;
1802 bool has_duplicate;
1803 } kTests[] = {
1804 {{}, false},
1805 {{1}, false},
1806 {{1, 2, 3, 255}, false},
1807 {{1, 2, 3, 1}, true},
1808 };
1809 for (const auto &test : kTests) {
1810 bssl::UniquePtr<SSL_ECH_KEYS> keys(SSL_ECH_KEYS_new());
1811 ASSERT_TRUE(keys);
1812 for (const uint8_t id : test.ids) {
1813 bssl::ScopedEVP_HPKE_KEY key;
1814 ASSERT_TRUE(
1815 EVP_HPKE_KEY_generate(key.get(), EVP_hpke_x25519_hkdf_sha256()));
1816 uint8_t *ech_config;
1817 size_t ech_config_len;
1818 ASSERT_TRUE(SSL_marshal_ech_config(&ech_config, &ech_config_len, id,
1819 key.get(), "public.example", 16));
1820 bssl::UniquePtr<uint8_t> free_ech_config(ech_config);
1821 ASSERT_TRUE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
1822 ech_config, ech_config_len, key.get()));
1823 }
1824
1825 EXPECT_EQ(test.has_duplicate ? 1 : 0,
1826 SSL_ECH_KEYS_has_duplicate_config_id(keys.get()));
1827 }
1828}
1829
1830// Test that |SSL_ECH_KEYS_add| checks consistency between the public and
1831// private key.
1832TEST(SSLTest, ECHKeyConsistency) {
1833 bssl::UniquePtr<SSL_ECH_KEYS> keys(SSL_ECH_KEYS_new());
1834 ASSERT_TRUE(keys);
1835 bssl::ScopedEVP_HPKE_KEY key;
1836 ASSERT_TRUE(EVP_HPKE_KEY_generate(key.get(), EVP_hpke_x25519_hkdf_sha256()));
1837 uint8_t public_key[EVP_HPKE_MAX_PUBLIC_KEY_LENGTH];
1838 size_t public_key_len;
1839 ASSERT_TRUE(EVP_HPKE_KEY_public_key(key.get(), public_key, &public_key_len,
1840 sizeof(public_key)));
1841
1842 // Adding an ECHConfig with the matching public key succeeds.
1843 ECHConfigParams params;
1844 params.key = key.get();
1845 std::vector<uint8_t> ech_config;
1846 ASSERT_TRUE(MakeECHConfig(&ech_config, params));
1847 EXPECT_TRUE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
1848 ech_config.data(), ech_config.size(),
1849 key.get()));
Daniel McArdle00e434d2021-02-18 11:47:18 -0500[diff] [blame]1850
David Benjaminc890ae52021-06-06 13:32:29 -0400[diff] [blame]1851 // Adding an ECHConfig with the wrong public key is an error.
1852 bssl::ScopedEVP_HPKE_KEY wrong_key;
1853 ASSERT_TRUE(
1854 EVP_HPKE_KEY_generate(wrong_key.get(), EVP_hpke_x25519_hkdf_sha256()));
David Benjamin24545c52021-06-07 16:05:07 -0400[diff] [blame]1855 EXPECT_FALSE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
1856 ech_config.data(), ech_config.size(),
1857 wrong_key.get()));
1858
1859 // Adding an ECHConfig with a truncated public key is an error.
1860 ECHConfigParams truncated;
1861 truncated.key = key.get();
1862 truncated.public_key.assign(public_key, public_key + public_key_len - 1);
1863 ASSERT_TRUE(MakeECHConfig(&ech_config, truncated));
1864 EXPECT_FALSE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
1865 ech_config.data(), ech_config.size(), key.get()));
Daniel McArdle00e434d2021-02-18 11:47:18 -0500[diff] [blame]1866
David Benjaminc890ae52021-06-06 13:32:29 -0400[diff] [blame]1867 // Adding an ECHConfig with the right public key, but wrong KEM ID, is an
1868 // error.
David Benjamin24545c52021-06-07 16:05:07 -0400[diff] [blame]1869 ECHConfigParams wrong_kem;
1870 wrong_kem.key = key.get();
1871 wrong_kem.kem_id = 0x0010; // DHKEM(P-256, HKDF-SHA256)
1872 ASSERT_TRUE(MakeECHConfig(&ech_config, wrong_kem));
David Benjaminc890ae52021-06-06 13:32:29 -0400[diff] [blame]1873 EXPECT_FALSE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
1874 ech_config.data(), ech_config.size(),
1875 key.get()));
Daniel McArdle00e434d2021-02-18 11:47:18 -0500[diff] [blame]1876}
1877
David Benjaminc3b373b2021-06-06 13:04:26 -0400[diff] [blame]1878// Test that |SSL_CTX_set1_ech_keys| fails when the config list
Daniel McArdle00e434d2021-02-18 11:47:18 -0500[diff] [blame]1879// has no retry configs.
1880TEST(SSLTest, ECHServerConfigsWithoutRetryConfigs) {
David Benjamin24545c52021-06-07 16:05:07 -0400[diff] [blame]1881 bssl::ScopedEVP_HPKE_KEY key;
1882 ASSERT_TRUE(EVP_HPKE_KEY_generate(key.get(), EVP_hpke_x25519_hkdf_sha256()));
1883 uint8_t *ech_config;
1884 size_t ech_config_len;
1885 ASSERT_TRUE(SSL_marshal_ech_config(&ech_config, &ech_config_len,
1886 /*config_id=*/1, key.get(),
1887 "public.example", 16));
1888 bssl::UniquePtr<uint8_t> free_ech_config(ech_config);
Daniel McArdle00e434d2021-02-18 11:47:18 -0500[diff] [blame]1889
David Benjamin24545c52021-06-07 16:05:07 -0400[diff] [blame]1890 // Install a non-retry config.
David Benjaminc3b373b2021-06-06 13:04:26 -0400[diff] [blame]1891 bssl::UniquePtr<SSL_ECH_KEYS> keys(SSL_ECH_KEYS_new());
1892 ASSERT_TRUE(keys);
David Benjamin24545c52021-06-07 16:05:07 -0400[diff] [blame]1893 ASSERT_TRUE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/0, ech_config,
1894 ech_config_len, key.get()));
Daniel McArdle00e434d2021-02-18 11:47:18 -0500[diff] [blame]1895
David Benjamin24545c52021-06-07 16:05:07 -0400[diff] [blame]1896 // |keys| has no retry configs.
1897 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
1898 ASSERT_TRUE(ctx);
1899 EXPECT_FALSE(SSL_CTX_set1_ech_keys(ctx.get(), keys.get()));
Daniel McArdle00e434d2021-02-18 11:47:18 -0500[diff] [blame]1900
1901 // Add the same ECHConfig to the list, but this time mark it as a retry
1902 // config.
David Benjamin24545c52021-06-07 16:05:07 -0400[diff] [blame]1903 ASSERT_TRUE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1, ech_config,
1904 ech_config_len, key.get()));
1905 EXPECT_TRUE(SSL_CTX_set1_ech_keys(ctx.get(), keys.get()));
Daniel McArdle00e434d2021-02-18 11:47:18 -0500[diff] [blame]1906}
1907
1908// Test that the server APIs reject ECHConfigs with unsupported features.
1909TEST(SSLTest, UnsupportedECHConfig) {
David Benjaminc3b373b2021-06-06 13:04:26 -0400[diff] [blame]1910 bssl::UniquePtr<SSL_ECH_KEYS> keys(SSL_ECH_KEYS_new());
1911 ASSERT_TRUE(keys);
David Benjaminc890ae52021-06-06 13:32:29 -0400[diff] [blame]1912 bssl::ScopedEVP_HPKE_KEY key;
David Benjamin24545c52021-06-07 16:05:07 -0400[diff] [blame]1913 ASSERT_TRUE(EVP_HPKE_KEY_generate(key.get(), EVP_hpke_x25519_hkdf_sha256()));
Daniel McArdle00e434d2021-02-18 11:47:18 -0500[diff] [blame]1914
1915 // Unsupported versions are rejected.
David Benjamin24545c52021-06-07 16:05:07 -0400[diff] [blame]1916 ECHConfigParams unsupported_version;
1917 unsupported_version.version = 0xffff;
1918 unsupported_version.key = key.get();
Daniel McArdle00e434d2021-02-18 11:47:18 -0500[diff] [blame]1919 std::vector<uint8_t> ech_config;
David Benjamin24545c52021-06-07 16:05:07 -0400[diff] [blame]1920 ASSERT_TRUE(MakeECHConfig(&ech_config, unsupported_version));
David Benjaminc3b373b2021-06-06 13:04:26 -0400[diff] [blame]1921 EXPECT_FALSE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
1922 ech_config.data(), ech_config.size(),
David Benjaminc890ae52021-06-06 13:32:29 -0400[diff] [blame]1923 key.get()));
Daniel McArdle00e434d2021-02-18 11:47:18 -0500[diff] [blame]1924
David Benjamin24545c52021-06-07 16:05:07 -0400[diff] [blame]1925 // Unsupported cipher suites are rejected. (We only support HKDF-SHA256.)
1926 ECHConfigParams unsupported_kdf;
1927 unsupported_kdf.key = key.get();
1928 unsupported_kdf.cipher_suites = {0x002 /* HKDF-SHA384 */,
1929 EVP_HPKE_AES_128_GCM};
1930 ASSERT_TRUE(MakeECHConfig(&ech_config, unsupported_kdf));
1931 EXPECT_FALSE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
1932 ech_config.data(), ech_config.size(),
1933 key.get()));
1934 ECHConfigParams unsupported_aead;
1935 unsupported_aead.key = key.get();
1936 unsupported_aead.cipher_suites = {EVP_HPKE_HKDF_SHA256, 0xffff};
1937 ASSERT_TRUE(MakeECHConfig(&ech_config, unsupported_aead));
1938 EXPECT_FALSE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
1939 ech_config.data(), ech_config.size(),
1940 key.get()));
1941
1942
Daniel McArdle00e434d2021-02-18 11:47:18 -0500[diff] [blame]1943 // Unsupported extensions are rejected.
David Benjamin24545c52021-06-07 16:05:07 -0400[diff] [blame]1944 ECHConfigParams extensions;
1945 extensions.key = key.get();
1946 extensions.extensions = {0x00, 0x01, 0x00, 0x00};
1947 ASSERT_TRUE(MakeECHConfig(&ech_config, extensions));
David Benjaminc3b373b2021-06-06 13:04:26 -0400[diff] [blame]1948 EXPECT_FALSE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
1949 ech_config.data(), ech_config.size(),
David Benjaminc890ae52021-06-06 13:32:29 -0400[diff] [blame]1950 key.get()));
David Benjamin9cbe7372021-06-15 18:09:10 -0400[diff] [blame]1951
1952 // Invalid public names are rejected.
1953 ECHConfigParams invalid_public_name;
1954 invalid_public_name.key = key.get();
1955 invalid_public_name.public_name = "dns_names_have_no_underscores.example";
1956 ASSERT_TRUE(MakeECHConfig(&ech_config, invalid_public_name));
1957 EXPECT_FALSE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
1958 ech_config.data(), ech_config.size(),
1959 key.get()));
Daniel McArdle00e434d2021-02-18 11:47:18 -0500[diff] [blame]1960}
1961
David Benjamin83a49932021-05-20 15:57:09 -0400[diff] [blame]1962// Test that |SSL_get_client_random| reports the correct value on both client
1963// and server in ECH. The client sends two different random values. When ECH is
1964// accepted, we should report the inner one.
1965TEST(SSLTest, ECHClientRandomsMatch) {
1966 bssl::UniquePtr<SSL_CTX> server_ctx =
1967 CreateContextWithTestCertificate(TLS_method());
1968 bssl::UniquePtr<SSL_ECH_KEYS> keys = MakeTestECHKeys();
1969 ASSERT_TRUE(keys);
1970 ASSERT_TRUE(SSL_CTX_set1_ech_keys(server_ctx.get(), keys.get()));
1971
1972 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
1973 ASSERT_TRUE(client_ctx);
1974 bssl::UniquePtr<SSL> client, server;
1975 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
1976 server_ctx.get()));
1977 ASSERT_TRUE(InstallECHConfigList(client.get(), keys.get()));
1978 ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
1979
1980 EXPECT_TRUE(SSL_ech_accepted(client.get()));
1981 EXPECT_TRUE(SSL_ech_accepted(server.get()));
1982
1983 // An ECH server will fairly naturally record the inner ClientHello random,
1984 // but an ECH client may forget to update the random once ClientHelloInner is
1985 // selected.
1986 uint8_t client_random1[SSL3_RANDOM_SIZE];
1987 uint8_t client_random2[SSL3_RANDOM_SIZE];
1988 ASSERT_EQ(sizeof(client_random1),
1989 SSL_get_client_random(client.get(), client_random1,
1990 sizeof(client_random1)));
1991 ASSERT_EQ(sizeof(client_random2),
1992 SSL_get_client_random(server.get(), client_random2,
1993 sizeof(client_random2)));
1994 EXPECT_EQ(Bytes(client_random1), Bytes(client_random2));
1995}
1996
1997// GetECHLength sets |*out_client_hello_len| and |*out_ech_len| to the lengths
1998// of the ClientHello and ECH extension, respectively, when a client created
1999// from |ctx| constructs a ClientHello with name |name| and an ECHConfig with
2000// maximum name length |max_name_len|.
2001static bool GetECHLength(SSL_CTX *ctx, size_t *out_client_hello_len,
2002 size_t *out_ech_len, size_t max_name_len,
2003 const char *name) {
2004 bssl::ScopedEVP_HPKE_KEY key;
2005 uint8_t *ech_config;
2006 size_t ech_config_len;
2007 if (!EVP_HPKE_KEY_generate(key.get(), EVP_hpke_x25519_hkdf_sha256()) ||
2008 !SSL_marshal_ech_config(&ech_config, &ech_config_len,
2009 /*config_id=*/1, key.get(), "public.example",
2010 max_name_len)) {
2011 return false;
2012 }
2013 bssl::UniquePtr<uint8_t> free_ech_config(ech_config);
2014
2015 bssl::UniquePtr<SSL_ECH_KEYS> keys(SSL_ECH_KEYS_new());
2016 if (!keys || !SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1, ech_config,
2017 ech_config_len, key.get())) {
2018 return false;
2019 }
2020
2021 bssl::UniquePtr<SSL> ssl(SSL_new(ctx));
2022 if (!ssl || !InstallECHConfigList(ssl.get(), keys.get()) ||
2023 (name != nullptr && !SSL_set_tlsext_host_name(ssl.get(), name))) {
2024 return false;
2025 }
2026 SSL_set_connect_state(ssl.get());
2027
2028 std::vector<uint8_t> client_hello;
2029 SSL_CLIENT_HELLO parsed;
2030 const uint8_t *unused;
2031 if (!GetClientHello(ssl.get(), &client_hello) ||
2032 !ssl_client_hello_init(
2033 ssl.get(), &parsed,
2034 // Skip record and handshake headers. This assumes the ClientHello
2035 // fits in one record.
2036 MakeConstSpan(client_hello)
2037 .subspan(SSL3_RT_HEADER_LENGTH + SSL3_HM_HEADER_LENGTH)) ||
2038 !SSL_early_callback_ctx_extension_get(
2039 &parsed, TLSEXT_TYPE_encrypted_client_hello, &unused, out_ech_len)) {
2040 return false;
2041 }
2042 *out_client_hello_len = client_hello.size();
2043 return true;
2044}
2045
2046TEST(SSLTest, ECHPadding) {
2047 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
2048 ASSERT_TRUE(ctx);
2049
2050 // Sample lengths with max_name_len = 128 as baseline.
2051 size_t client_hello_len_baseline, ech_len_baseline;
2052 ASSERT_TRUE(GetECHLength(ctx.get(), &client_hello_len_baseline,
2053 &ech_len_baseline, 128, "example.com"));
2054
2055 // Check that all name lengths under the server's maximum look the same.
2056 for (size_t name_len : {1, 2, 32, 64, 127, 128}) {
2057 SCOPED_TRACE(name_len);
2058 size_t client_hello_len, ech_len;
2059 ASSERT_TRUE(GetECHLength(ctx.get(), &client_hello_len, &ech_len, 128,
2060 std::string(name_len, 'a').c_str()));
2061 EXPECT_EQ(client_hello_len, client_hello_len_baseline);
2062 EXPECT_EQ(ech_len, ech_len_baseline);
2063 }
2064
2065 // When sending no SNI, we must still pad as if we are sending one.
2066 size_t client_hello_len, ech_len;
2067 ASSERT_TRUE(
2068 GetECHLength(ctx.get(), &client_hello_len, &ech_len, 128, nullptr));
2069 EXPECT_EQ(client_hello_len, client_hello_len_baseline);
2070 EXPECT_EQ(ech_len, ech_len_baseline);
2071
David Benjamin18b68362021-06-18 23:13:46 -0400[diff] [blame]2072 // Name lengths above the maximum do not get named-based padding, but the
2073 // overall input is padded to a multiple of 32.
2074 size_t client_hello_len_baseline2, ech_len_baseline2;
2075 ASSERT_TRUE(GetECHLength(ctx.get(), &client_hello_len_baseline2,
2076 &ech_len_baseline2, 128,
2077 std::string(128 + 32, 'a').c_str()));
2078 EXPECT_EQ(ech_len_baseline2, ech_len_baseline + 32);
2079 // The ClientHello lengths may match if we are still under the threshold for
2080 // padding extension.
2081 EXPECT_GE(client_hello_len_baseline2, client_hello_len_baseline);
David Benjamin83a49932021-05-20 15:57:09 -0400[diff] [blame]2082
David Benjamin18b68362021-06-18 23:13:46 -0400[diff] [blame]2083 for (size_t name_len = 128 + 1; name_len < 128 + 32; name_len++) {
David Benjamin83a49932021-05-20 15:57:09 -0400[diff] [blame]2084 SCOPED_TRACE(name_len);
2085 ASSERT_TRUE(GetECHLength(ctx.get(), &client_hello_len, &ech_len, 128,
2086 std::string(name_len, 'a').c_str()));
David Benjamin18b68362021-06-18 23:13:46 -0400[diff] [blame]2087 EXPECT_TRUE(ech_len == ech_len_baseline || ech_len == ech_len_baseline2)
2088 << ech_len;
2089 EXPECT_TRUE(client_hello_len == client_hello_len_baseline ||
2090 client_hello_len == client_hello_len_baseline2)
2091 << client_hello_len;
David Benjamin83a49932021-05-20 15:57:09 -0400[diff] [blame]2092 }
2093}
2094
David Benjamin9cbe7372021-06-15 18:09:10 -0400[diff] [blame]2095TEST(SSLTest, ECHPublicName) {
2096 auto str_to_span = [](const char *str) -> Span<const uint8_t> {
2097 return MakeConstSpan(reinterpret_cast<const uint8_t *>(str), strlen(str));
2098 };
2099
2100 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("")));
2101 EXPECT_TRUE(ssl_is_valid_ech_public_name(str_to_span("example.com")));
2102 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span(".example.com")));
2103 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("example.com.")));
2104 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("example..com")));
2105 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("www.-example.com")));
2106 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("www.example-.com")));
2107 EXPECT_FALSE(
2108 ssl_is_valid_ech_public_name(str_to_span("no_underscores.example")));
2109 EXPECT_FALSE(ssl_is_valid_ech_public_name(
2110 str_to_span("invalid_chars.\x01.example")));
2111 EXPECT_FALSE(ssl_is_valid_ech_public_name(
2112 str_to_span("invalid_chars.\xff.example")));
2113 static const uint8_t kWithNUL[] = {'t', 'e', 's', 't', 0};
2114 EXPECT_FALSE(ssl_is_valid_ech_public_name(kWithNUL));
2115
2116 // Test an LDH label with every character and the maximum length.
2117 EXPECT_TRUE(ssl_is_valid_ech_public_name(str_to_span(
2118 "abcdefhijklmnopqrstuvwxyz-ABCDEFGHIJKLMNOPQRSTUVWXYZ-0123456789")));
2119 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span(
2120 "abcdefhijklmnopqrstuvwxyz-ABCDEFGHIJKLMNOPQRSTUVWXYZ-01234567899")));
2121
David Benjamin1a668b32021-09-02 23:00:28 -0400[diff] [blame^]2122 // Inputs with trailing numeric components are rejected.
David Benjamin9cbe7372021-06-15 18:09:10 -0400[diff] [blame]2123 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("127.0.0.1")));
David Benjamin1a668b32021-09-02 23:00:28 -0400[diff] [blame^]2124 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("example.1")));
2125 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("example.01")));
2126 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("example.0x01")));
2127 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("example.0X01")));
2128 // Leading zeros and values that overflow |uint32_t| are still rejected.
2129 EXPECT_FALSE(ssl_is_valid_ech_public_name(
2130 str_to_span("example.123456789000000000000000")));
2131 EXPECT_FALSE(ssl_is_valid_ech_public_name(
2132 str_to_span("example.012345678900000000000000")));
2133 EXPECT_FALSE(ssl_is_valid_ech_public_name(
2134 str_to_span("example.0x123456789abcdefABCDEF0")));
2135 EXPECT_FALSE(ssl_is_valid_ech_public_name(
2136 str_to_span("example.0x0123456789abcdefABCDEF")));
2137 // Adding a non-digit or non-hex character makes it a valid DNS name again.
2138 // Single-component numbers are rejected.
David Benjamin9cbe7372021-06-15 18:09:10 -0400[diff] [blame]2139 EXPECT_TRUE(ssl_is_valid_ech_public_name(
David Benjamin1a668b32021-09-02 23:00:28 -0400[diff] [blame^]2140 str_to_span("example.1234567890a")));
2141 EXPECT_TRUE(ssl_is_valid_ech_public_name(
2142 str_to_span("example.01234567890a")));
2143 EXPECT_TRUE(ssl_is_valid_ech_public_name(
2144 str_to_span("example.0x123456789abcdefg")));
2145 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("1")));
2146 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("01")));
2147 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("0x01")));
2148 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("0X01")));
2149 // Numbers with trailing dots are rejected. (They are already rejected by the
2150 // LDH label rules, but the WHATWG URL parser additionally rejects them.)
2151 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("1.")));
2152 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("01.")));
2153 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("0x01.")));
2154 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("0X01.")));
David Benjamin9cbe7372021-06-15 18:09:10 -0400[diff] [blame]2155}
2156
David Benjaminba423c92021-06-15 16:26:58 -0400[diff] [blame]2157// When using the built-in verifier, test that |SSL_get0_ech_name_override| is
2158// applied automatically.
2159TEST(SSLTest, ECHBuiltinVerifier) {
2160 // These test certificates generated with the following Go program.
2161 /* clang-format off
2162func main() {
2163 notBefore := time.Date(2000, time.January, 1, 0, 0, 0, 0, time.UTC)
2164 notAfter := time.Date(2099, time.January, 1, 0, 0, 0, 0, time.UTC)
2165 rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
2166 rootTemplate := &x509.Certificate{
2167 SerialNumber: big.NewInt(1),
2168 Subject: pkix.Name{CommonName: "Test CA"},
2169 NotBefore: notBefore,
2170 NotAfter: notAfter,
2171 BasicConstraintsValid: true,
2172 IsCA: true,
2173 }
2174 rootDER, _ := x509.CreateCertificate(rand.Reader, rootTemplate, rootTemplate, &rootKey.PublicKey, rootKey)
2175 root, _ := x509.ParseCertificate(rootDER)
2176 pem.Encode(os.Stdout, &pem.Block{Type: "CERTIFICATE", Bytes: rootDER})
2177 leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
2178 leafKeyDER, _ := x509.MarshalPKCS8PrivateKey(leafKey)
2179 pem.Encode(os.Stdout, &pem.Block{Type: "PRIVATE KEY", Bytes: leafKeyDER})
2180 for i, name := range []string{"public.example", "secret.example"} {
2181 leafTemplate := &x509.Certificate{
2182 SerialNumber: big.NewInt(int64(i) + 2),
2183 Subject: pkix.Name{CommonName: name},
2184 NotBefore: notBefore,
2185 NotAfter: notAfter,
2186 BasicConstraintsValid: true,
2187 DNSNames: []string{name},
2188 }
2189 leafDER, _ := x509.CreateCertificate(rand.Reader, leafTemplate, root, &leafKey.PublicKey, rootKey)
2190 pem.Encode(os.Stdout, &pem.Block{Type: "CERTIFICATE", Bytes: leafDER})
2191 }
2192}
2193clang-format on */
2194 bssl::UniquePtr<X509> root = CertFromPEM(R"(
2195-----BEGIN CERTIFICATE-----
2196MIIBRzCB7aADAgECAgEBMAoGCCqGSM49BAMCMBIxEDAOBgNVBAMTB1Rlc3QgQ0Ew
2197IBcNMDAwMTAxMDAwMDAwWhgPMjA5OTAxMDEwMDAwMDBaMBIxEDAOBgNVBAMTB1Rl
2198c3QgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAT5JUjrI1DAxSpEl88UkmJw
2199tAJqxo/YrSFo9V3MkcNkfTixi5p6MUtO8DazhEgekBcd2+tBAWtl7dy0qpvTqx92
2200ozIwMDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTw6ftkexAI6o4r5FntJIfL
2201GU5F4zAKBggqhkjOPQQDAgNJADBGAiEAiiNowddQeHZaZFIygwe6RW5/WG4sUXWC
2202dkyl9CQzRaYCIQCFS1EvwZbZtMny27fYm1eeYciY0TkJTEi34H1KwyzzIA==
2203-----END CERTIFICATE-----
2204)");
2205 ASSERT_TRUE(root);
2206 bssl::UniquePtr<EVP_PKEY> leaf_key = KeyFromPEM(R"(
2207-----BEGIN PRIVATE KEY-----
2208MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgj5WKHwHnziiyPauf
22097QukxTwtTyGZkk8qNdms4puJfxqhRANCAARNrkhxabALDlJrHtvkuDwvCWUF/oVC
2210hr6PDITHi1lDlJzvVT4aXBH87sH2n2UV5zpx13NHkq1bIC8eRT8eOIe0
2211-----END PRIVATE KEY-----
2212)");
2213 ASSERT_TRUE(leaf_key);
2214 bssl::UniquePtr<X509> leaf_public = CertFromPEM(R"(
2215-----BEGIN CERTIFICATE-----
2216MIIBaDCCAQ6gAwIBAgIBAjAKBggqhkjOPQQDAjASMRAwDgYDVQQDEwdUZXN0IENB
2217MCAXDTAwMDEwMTAwMDAwMFoYDzIwOTkwMTAxMDAwMDAwWjAZMRcwFQYDVQQDEw5w
2218dWJsaWMuZXhhbXBsZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE2uSHFpsAsO
2219Umse2+S4PC8JZQX+hUKGvo8MhMeLWUOUnO9VPhpcEfzuwfafZRXnOnHXc0eSrVsg
2220Lx5FPx44h7SjTDBKMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAU8On7ZHsQCOqO
2221K+RZ7SSHyxlOReMwGQYDVR0RBBIwEIIOcHVibGljLmV4YW1wbGUwCgYIKoZIzj0E
2222AwIDSAAwRQIhANqZRhDR/+QL05hsWXMYEwaiHifd9iakKoFEhKFchcF3AiBRAeXw
2223wRGGT6+iPmTYM6N5/IDyAb5B9Ke38O6lLEsUwA==
2224-----END CERTIFICATE-----
2225)");
2226 ASSERT_TRUE(leaf_public);
2227 bssl::UniquePtr<X509> leaf_secret = CertFromPEM(R"(
2228-----BEGIN CERTIFICATE-----
2229MIIBaTCCAQ6gAwIBAgIBAzAKBggqhkjOPQQDAjASMRAwDgYDVQQDEwdUZXN0IENB
2230MCAXDTAwMDEwMTAwMDAwMFoYDzIwOTkwMTAxMDAwMDAwWjAZMRcwFQYDVQQDEw5z
2231ZWNyZXQuZXhhbXBsZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE2uSHFpsAsO
2232Umse2+S4PC8JZQX+hUKGvo8MhMeLWUOUnO9VPhpcEfzuwfafZRXnOnHXc0eSrVsg
2233Lx5FPx44h7SjTDBKMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAU8On7ZHsQCOqO
2234K+RZ7SSHyxlOReMwGQYDVR0RBBIwEIIOc2VjcmV0LmV4YW1wbGUwCgYIKoZIzj0E
2235AwIDSQAwRgIhAPQdIz1xCFkc9WuSkxOxJDpywZiEp9SnKcxJ9nwrlRp3AiEA+O3+
2236XRqE7XFhHL+7TNC2a9OOAjQsEF137YPWo+rhgko=
2237-----END CERTIFICATE-----
2238)");
2239 ASSERT_TRUE(leaf_secret);
2240
2241 // Use different config IDs so that fuzzer mode, which breaks trial
2242 // decryption, will observe the key mismatch.
2243 bssl::UniquePtr<SSL_ECH_KEYS> keys = MakeTestECHKeys(/*config_id=*/1);
2244 ASSERT_TRUE(keys);
2245 bssl::UniquePtr<SSL_ECH_KEYS> wrong_keys = MakeTestECHKeys(/*config_id=*/2);
2246 ASSERT_TRUE(wrong_keys);
2247 bssl::UniquePtr<SSL_CTX> server_ctx =
2248 CreateContextWithTestCertificate(TLS_method());
2249 ASSERT_TRUE(server_ctx);
2250 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
2251 ASSERT_TRUE(client_ctx);
2252
2253 // Configure the client to verify certificates and expect the secret name.
2254 // This is the name the client is trying to connect to. If ECH is rejected,
2255 // BoringSSL will internally override this setting with the public name.
2256 bssl::UniquePtr<X509_STORE> store(X509_STORE_new());
2257 ASSERT_TRUE(store);
2258 ASSERT_TRUE(X509_STORE_add_cert(store.get(), root.get()));
2259 SSL_CTX_set_cert_store(client_ctx.get(), store.release());
2260 SSL_CTX_set_verify(client_ctx.get(), SSL_VERIFY_PEER, nullptr);
2261 static const char kSecretName[] = "secret.example";
2262 ASSERT_TRUE(X509_VERIFY_PARAM_set1_host(SSL_CTX_get0_param(client_ctx.get()),
2263 kSecretName, strlen(kSecretName)));
2264
2265 // For simplicity, we only run through a pair of representative scenarios here
2266 // and rely on runner.go to verify that |SSL_get0_ech_name_override| behaves
2267 // correctly.
2268 for (bool accept_ech : {false, true}) {
2269 SCOPED_TRACE(accept_ech);
2270 for (bool use_leaf_secret : {false, true}) {
2271 SCOPED_TRACE(use_leaf_secret);
2272
2273 // The server will reject ECH when configured with the wrong keys.
2274 ASSERT_TRUE(SSL_CTX_set1_ech_keys(
2275 server_ctx.get(), accept_ech ? keys.get() : wrong_keys.get()));
2276
2277 bssl::UniquePtr<SSL> client, server;
2278 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
2279 server_ctx.get()));
2280 ASSERT_TRUE(InstallECHConfigList(client.get(), keys.get()));
2281
2282 // Configure the server with the selected certificate.
2283 ASSERT_TRUE(SSL_use_certificate(server.get(), use_leaf_secret
2284 ? leaf_secret.get()
2285 : leaf_public.get()));
2286 ASSERT_TRUE(SSL_use_PrivateKey(server.get(), leaf_key.get()));
2287
2288 // The handshake may fail due to name mismatch or ECH reject. We check
2289 // |SSL_get_verify_result| to confirm the handshake got far enough.
2290 CompleteHandshakes(client.get(), server.get());
2291 EXPECT_EQ(accept_ech == use_leaf_secret ? X509_V_OK
2292 : X509_V_ERR_HOSTNAME_MISMATCH,
2293 SSL_get_verify_result(client.get()));
2294 }
2295 }
2296}
2297
David Benjamin83a49932021-05-20 15:57:09 -0400[diff] [blame]2298#if defined(OPENSSL_THREADS)
2299// Test that the server ECH config can be swapped out while the |SSL_CTX| is
2300// in use on other threads. This test is intended to be run with TSan.
2301TEST(SSLTest, ECHThreads) {
2302 // Generate a pair of ECHConfigs.
2303 bssl::ScopedEVP_HPKE_KEY key1;
2304 ASSERT_TRUE(EVP_HPKE_KEY_generate(key1.get(), EVP_hpke_x25519_hkdf_sha256()));
2305 uint8_t *ech_config1;
2306 size_t ech_config1_len;
2307 ASSERT_TRUE(SSL_marshal_ech_config(&ech_config1, &ech_config1_len,
2308 /*config_id=*/1, key1.get(),
2309 "public.example", 16));
2310 bssl::UniquePtr<uint8_t> free_ech_config1(ech_config1);
2311 bssl::ScopedEVP_HPKE_KEY key2;
2312 ASSERT_TRUE(EVP_HPKE_KEY_generate(key2.get(), EVP_hpke_x25519_hkdf_sha256()));
2313 uint8_t *ech_config2;
2314 size_t ech_config2_len;
2315 ASSERT_TRUE(SSL_marshal_ech_config(&ech_config2, &ech_config2_len,
2316 /*config_id=*/2, key2.get(),
2317 "public.example", 16));
2318 bssl::UniquePtr<uint8_t> free_ech_config2(ech_config2);
2319
2320 // |keys1| contains the first config. |keys12| contains both.
2321 bssl::UniquePtr<SSL_ECH_KEYS> keys1(SSL_ECH_KEYS_new());
2322 ASSERT_TRUE(keys1);
2323 ASSERT_TRUE(SSL_ECH_KEYS_add(keys1.get(), /*is_retry_config=*/1, ech_config1,
2324 ech_config1_len, key1.get()));
2325 bssl::UniquePtr<SSL_ECH_KEYS> keys12(SSL_ECH_KEYS_new());
2326 ASSERT_TRUE(keys12);
2327 ASSERT_TRUE(SSL_ECH_KEYS_add(keys12.get(), /*is_retry_config=*/1, ech_config2,
2328 ech_config2_len, key2.get()));
2329 ASSERT_TRUE(SSL_ECH_KEYS_add(keys12.get(), /*is_retry_config=*/0, ech_config1,
2330 ech_config1_len, key1.get()));
2331
2332 bssl::UniquePtr<SSL_CTX> server_ctx =
2333 CreateContextWithTestCertificate(TLS_method());
2334 ASSERT_TRUE(SSL_CTX_set1_ech_keys(server_ctx.get(), keys1.get()));
2335
2336 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
2337 ASSERT_TRUE(client_ctx);
2338 bssl::UniquePtr<SSL> client, server;
2339 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
2340 server_ctx.get()));
2341 ASSERT_TRUE(InstallECHConfigList(client.get(), keys1.get()));
2342
2343 // In parallel, complete the connection and reconfigure the ECHConfig. Note
2344 // |keys12| supports all the keys in |keys1|, so the handshake should complete
2345 // the same whichever the server uses.
2346 std::vector<std::thread> threads;
2347 threads.emplace_back([&] {
2348 ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
2349 EXPECT_TRUE(SSL_ech_accepted(client.get()));
2350 EXPECT_TRUE(SSL_ech_accepted(server.get()));
2351 });
2352 threads.emplace_back([&] {
2353 EXPECT_TRUE(SSL_CTX_set1_ech_keys(server_ctx.get(), keys12.get()));
2354 });
2355 for (auto &thread : threads) {
2356 thread.join();
2357 }
2358}
2359#endif // OPENSSL_THREADS
2360
David Benjaminc79ae7a2017-08-29 16:09:44 -0400[diff] [blame]2361static void AppendSession(SSL_SESSION *session, void *arg) {
2362 std::vector<SSL_SESSION*> *out =
2363 reinterpret_cast<std::vector<SSL_SESSION*>*>(arg);
2364 out->push_back(session);
2365}
2366
2367// CacheEquals returns true if |ctx|'s session cache consists of |expected|, in
2368// order.
2369static bool CacheEquals(SSL_CTX *ctx,
2370 const std::vector<SSL_SESSION*> &expected) {
2371 // Check the linked list.
2372 SSL_SESSION *ptr = ctx->session_cache_head;
2373 for (SSL_SESSION *session : expected) {
2374 if (ptr != session) {
2375 return false;
2376 }
2377 // TODO(davidben): This is an absurd way to denote the end of the list.
2378 if (ptr->next ==
2379 reinterpret_cast<SSL_SESSION *>(&ctx->session_cache_tail)) {
2380 ptr = nullptr;
2381 } else {
2382 ptr = ptr->next;
2383 }
2384 }
2385 if (ptr != nullptr) {
2386 return false;
2387 }
2388
2389 // Check the hash table.
2390 std::vector<SSL_SESSION*> actual, expected_copy;
David Benjamin9eaa3bd2017-09-27 17:03:54 -0400[diff] [blame]2391 lh_SSL_SESSION_doall_arg(ctx->sessions, AppendSession, &actual);
David Benjaminc79ae7a2017-08-29 16:09:44 -0400[diff] [blame]2392 expected_copy = expected;
2393
2394 std::sort(actual.begin(), actual.end());
2395 std::sort(expected_copy.begin(), expected_copy.end());
2396
2397 return actual == expected_copy;
2398}
2399
2400static bssl::UniquePtr<SSL_SESSION> CreateTestSession(uint32_t number) {
2401 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
2402 if (!ssl_ctx) {
2403 return nullptr;
2404 }
2405 bssl::UniquePtr<SSL_SESSION> ret(SSL_SESSION_new(ssl_ctx.get()));
2406 if (!ret) {
2407 return nullptr;
2408 }
2409
David Benjaminaaef8332018-06-29 16:45:49 -0400[diff] [blame]2410 uint8_t id[SSL3_SSL_SESSION_ID_LENGTH] = {0};
2411 OPENSSL_memcpy(id, &number, sizeof(number));
2412 if (!SSL_SESSION_set1_id(ret.get(), id, sizeof(id))) {
2413 return nullptr;
2414 }
David Benjaminc79ae7a2017-08-29 16:09:44 -0400[diff] [blame]2415 return ret;
2416}
2417
2418// Test that the internal session cache behaves as expected.
2419TEST(SSLTest, InternalSessionCache) {
2420 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
2421 ASSERT_TRUE(ctx);
2422
2423 // Prepare 10 test sessions.
2424 std::vector<bssl::UniquePtr<SSL_SESSION>> sessions;
2425 for (int i = 0; i < 10; i++) {
2426 bssl::UniquePtr<SSL_SESSION> session = CreateTestSession(i);
2427 ASSERT_TRUE(session);
2428 sessions.push_back(std::move(session));
2429 }
2430
2431 SSL_CTX_sess_set_cache_size(ctx.get(), 5);
2432
2433 // Insert all the test sessions.
2434 for (const auto &session : sessions) {
2435 ASSERT_TRUE(SSL_CTX_add_session(ctx.get(), session.get()));
2436 }
2437
2438 // Only the last five should be in the list.
2439 ASSERT_TRUE(CacheEquals(
2440 ctx.get(), {sessions[9].get(), sessions[8].get(), sessions[7].get(),
2441 sessions[6].get(), sessions[5].get()}));
2442
2443 // Inserting an element already in the cache should fail and leave the cache
2444 // unchanged.
2445 ASSERT_FALSE(SSL_CTX_add_session(ctx.get(), sessions[7].get()));
2446 ASSERT_TRUE(CacheEquals(
2447 ctx.get(), {sessions[9].get(), sessions[8].get(), sessions[7].get(),
2448 sessions[6].get(), sessions[5].get()}));
2449
2450 // Although collisions should be impossible (256-bit session IDs), the cache
2451 // must handle them gracefully.
2452 bssl::UniquePtr<SSL_SESSION> collision(CreateTestSession(7));
2453 ASSERT_TRUE(collision);
2454 ASSERT_TRUE(SSL_CTX_add_session(ctx.get(), collision.get()));
2455 ASSERT_TRUE(CacheEquals(
2456 ctx.get(), {collision.get(), sessions[9].get(), sessions[8].get(),
2457 sessions[6].get(), sessions[5].get()}));
2458
2459 // Removing sessions behaves correctly.
2460 ASSERT_TRUE(SSL_CTX_remove_session(ctx.get(), sessions[6].get()));
2461 ASSERT_TRUE(CacheEquals(ctx.get(), {collision.get(), sessions[9].get(),
2462 sessions[8].get(), sessions[5].get()}));
2463
2464 // Removing sessions requires an exact match.
2465 ASSERT_FALSE(SSL_CTX_remove_session(ctx.get(), sessions[0].get()));
2466 ASSERT_FALSE(SSL_CTX_remove_session(ctx.get(), sessions[7].get()));
2467
2468 // The cache remains unchanged.
2469 ASSERT_TRUE(CacheEquals(ctx.get(), {collision.get(), sessions[9].get(),
2470 sessions[8].get(), sessions[5].get()}));
2471}
2472
2473static uint16_t EpochFromSequence(uint64_t seq) {
2474 return static_cast<uint16_t>(seq >> 48);
2475}
2476
David Benjamin71dfad42017-07-16 17:27:39 -0400[diff] [blame]2477static const uint8_t kTestName[] = {
2478 0x30, 0x45, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
2479 0x02, 0x41, 0x55, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
2480 0x0c, 0x0a, 0x53, 0x6f, 0x6d, 0x65, 0x2d, 0x53, 0x74, 0x61, 0x74, 0x65,
2481 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x18, 0x49,
2482 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x20, 0x57, 0x69, 0x64, 0x67,
2483 0x69, 0x74, 0x73, 0x20, 0x50, 0x74, 0x79, 0x20, 0x4c, 0x74, 0x64,
2484};
2485
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]2486// SSLVersionTest executes its test cases under all available protocol versions.
2487// Test cases call |Connect| to create a connection using context objects with
2488// the protocol version fixed to the current version under test.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2489class SSLVersionTest : public ::testing::TestWithParam<VersionParam> {
2490 protected:
2491 SSLVersionTest() : cert_(GetTestCertificate()), key_(GetTestKey()) {}
2492
2493 void SetUp() { ResetContexts(); }
2494
2495 bssl::UniquePtr<SSL_CTX> CreateContext() const {
2496 const SSL_METHOD *method = is_dtls() ? DTLS_method() : TLS_method();
2497 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method));
2498 if (!ctx || !SSL_CTX_set_min_proto_version(ctx.get(), version()) ||
2499 !SSL_CTX_set_max_proto_version(ctx.get(), version())) {
2500 return nullptr;
2501 }
2502 return ctx;
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2503 }
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]2504
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2505 void ResetContexts() {
2506 ASSERT_TRUE(cert_);
2507 ASSERT_TRUE(key_);
2508 client_ctx_ = CreateContext();
2509 ASSERT_TRUE(client_ctx_);
2510 server_ctx_ = CreateContext();
2511 ASSERT_TRUE(server_ctx_);
2512 // Set up a server cert. Client certs can be set up explicitly.
2513 ASSERT_TRUE(UseCertAndKey(server_ctx_.get()));
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2514 }
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]2515
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2516 bool UseCertAndKey(SSL_CTX *ctx) const {
2517 return SSL_CTX_use_certificate(ctx, cert_.get()) &&
2518 SSL_CTX_use_PrivateKey(ctx, key_.get());
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2519 }
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]2520
David Benjamina8614602017-09-06 15:40:19 -0400[diff] [blame]2521 bool Connect(const ClientConfig &config = ClientConfig()) {
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2522 return ConnectClientAndServer(&client_, &server_, client_ctx_.get(),
David Benjamin9b2cdb72021-04-01 23:21:53 -0400[diff] [blame]2523 server_ctx_.get(), config,
Matthew Braithwaiteb7bc80a2018-04-13 15:51:30 -0700[diff] [blame]2524 shed_handshake_config_);
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2525 }
2526
2527 uint16_t version() const { return GetParam().version; }
2528
2529 bool is_dtls() const {
2530 return GetParam().ssl_method == VersionParam::is_dtls;
2531 }
2532
Matthew Braithwaiteb7bc80a2018-04-13 15:51:30 -0700[diff] [blame]2533 bool shed_handshake_config_ = true;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2534 bssl::UniquePtr<SSL> client_, server_;
2535 bssl::UniquePtr<SSL_CTX> server_ctx_, client_ctx_;
2536 bssl::UniquePtr<X509> cert_;
2537 bssl::UniquePtr<EVP_PKEY> key_;
2538};
2539
David Benjaminbe7006a2019-04-09 18:05:02 -0500[diff] [blame]2540INSTANTIATE_TEST_SUITE_P(WithVersion, SSLVersionTest,
2541 testing::ValuesIn(kAllVersions),
2542 [](const testing::TestParamInfo<VersionParam> &i) {
2543 return i.param.name;
2544 });
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2545
2546TEST_P(SSLVersionTest, SequenceNumber) {
2547 ASSERT_TRUE(Connect());
2548
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2549 // Drain any post-handshake messages to ensure there are no unread records
2550 // on either end.
Steven Valdez777a2392019-02-21 11:30:47 -0500[diff] [blame]2551 ASSERT_TRUE(FlushNewSessionTickets(client_.get(), server_.get()));
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]2552
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2553 uint64_t client_read_seq = SSL_get_read_sequence(client_.get());
2554 uint64_t client_write_seq = SSL_get_write_sequence(client_.get());
2555 uint64_t server_read_seq = SSL_get_read_sequence(server_.get());
2556 uint64_t server_write_seq = SSL_get_write_sequence(server_.get());
Steven Valdez2c62fe92016-10-14 12:08:12 -0400[diff] [blame]2557
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2558 if (is_dtls()) {
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2559 // Both client and server must be at epoch 1.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2560 EXPECT_EQ(EpochFromSequence(client_read_seq), 1);
2561 EXPECT_EQ(EpochFromSequence(client_write_seq), 1);
2562 EXPECT_EQ(EpochFromSequence(server_read_seq), 1);
2563 EXPECT_EQ(EpochFromSequence(server_write_seq), 1);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2564
2565 // The next record to be written should exceed the largest received.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2566 EXPECT_GT(client_write_seq, server_read_seq);
2567 EXPECT_GT(server_write_seq, client_read_seq);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2568 } else {
2569 // The next record to be written should equal the next to be received.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2570 EXPECT_EQ(client_write_seq, server_read_seq);
2571 EXPECT_EQ(server_write_seq, client_read_seq);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2572 }
2573
2574 // Send a record from client to server.
Steven Valdez777a2392019-02-21 11:30:47 -0500[diff] [blame]2575 uint8_t byte = 0;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2576 EXPECT_EQ(SSL_write(client_.get(), &byte, 1), 1);
2577 EXPECT_EQ(SSL_read(server_.get(), &byte, 1), 1);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2578
2579 // The client write and server read sequence numbers should have
2580 // incremented.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2581 EXPECT_EQ(client_write_seq + 1, SSL_get_write_sequence(client_.get()));
2582 EXPECT_EQ(server_read_seq + 1, SSL_get_read_sequence(server_.get()));
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]2583}
2584
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2585TEST_P(SSLVersionTest, OneSidedShutdown) {
David Benjamin68f37b72016-11-18 15:14:42 +0900[diff] [blame]2586 // SSL_shutdown is a no-op in DTLS.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2587 if (is_dtls()) {
2588 return;
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]2589 }
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2590 ASSERT_TRUE(Connect());
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]2591
David Benjamin9734e442021-06-15 13:58:12 -0400[diff] [blame]2592 // Shut down half the connection. |SSL_shutdown| will return 0 to signal only
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]2593 // one side has shut down.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2594 ASSERT_EQ(SSL_shutdown(client_.get()), 0);
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]2595
2596 // Reading from the server should consume the EOF.
2597 uint8_t byte;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2598 ASSERT_EQ(SSL_read(server_.get(), &byte, 1), 0);
2599 ASSERT_EQ(SSL_get_error(server_.get(), 0), SSL_ERROR_ZERO_RETURN);
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]2600
2601 // However, the server may continue to write data and then shut down the
2602 // connection.
2603 byte = 42;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2604 ASSERT_EQ(SSL_write(server_.get(), &byte, 1), 1);
2605 ASSERT_EQ(SSL_read(client_.get(), &byte, 1), 1);
2606 ASSERT_EQ(byte, 42);
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]2607
2608 // The server may then shutdown the connection.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2609 EXPECT_EQ(SSL_shutdown(server_.get()), 1);
2610 EXPECT_EQ(SSL_shutdown(client_.get()), 1);
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]2611}
David Benjamin68f37b72016-11-18 15:14:42 +0900[diff] [blame]2612
David Benjamin9734e442021-06-15 13:58:12 -0400[diff] [blame]2613// Test that, after calling |SSL_shutdown|, |SSL_write| fails.
2614TEST_P(SSLVersionTest, WriteAfterShutdown) {
2615 ASSERT_TRUE(Connect());
2616
2617 for (SSL *ssl : {client_.get(), server_.get()}) {
2618 SCOPED_TRACE(SSL_is_server(ssl) ? "server" : "client");
2619
2620 bssl::UniquePtr<BIO> mem(BIO_new(BIO_s_mem()));
2621 ASSERT_TRUE(mem);
2622 SSL_set0_wbio(ssl, bssl::UpRef(mem).release());
2623
2624 // Shut down half the connection. |SSL_shutdown| will return 0 to signal
2625 // only one side has shut down.
2626 ASSERT_EQ(SSL_shutdown(ssl), 0);
2627
2628 // |ssl| should have written an alert to the transport.
2629 const uint8_t *unused;
2630 size_t len;
2631 ASSERT_TRUE(BIO_mem_contents(mem.get(), &unused, &len));
2632 EXPECT_NE(0u, len);
2633 EXPECT_TRUE(BIO_reset(mem.get()));
2634
2635 // Writing should fail.
2636 EXPECT_EQ(-1, SSL_write(ssl, "a", 1));
2637
2638 // Nothing should be written to the transport.
2639 ASSERT_TRUE(BIO_mem_contents(mem.get(), &unused, &len));
2640 EXPECT_EQ(0u, len);
2641 }
2642}
2643
2644// Test that, after sending a fatal alert in a failed |SSL_read|, |SSL_write|
2645// fails.
2646TEST_P(SSLVersionTest, WriteAfterReadSentFatalAlert) {
2647 // Decryption failures are not fatal in DTLS.
2648 if (is_dtls()) {
2649 return;
2650 }
2651
2652 ASSERT_TRUE(Connect());
2653
2654 // Save the write |BIO|s as the test will overwrite them.
2655 bssl::UniquePtr<BIO> client_wbio = bssl::UpRef(SSL_get_wbio(client_.get()));
2656 bssl::UniquePtr<BIO> server_wbio = bssl::UpRef(SSL_get_wbio(server_.get()));
2657
2658 for (bool test_server : {false, true}) {
2659 SCOPED_TRACE(test_server ? "server" : "client");
2660 SSL *ssl = test_server ? server_.get() : client_.get();
2661 BIO *other_wbio = test_server ? client_wbio.get() : server_wbio.get();
2662
2663 bssl::UniquePtr<BIO> mem(BIO_new(BIO_s_mem()));
2664 ASSERT_TRUE(mem);
2665 SSL_set0_wbio(ssl, bssl::UpRef(mem).release());
2666
2667 // Read an invalid record from the peer.
2668 static const uint8_t kInvalidRecord[] = "invalid record";
2669 EXPECT_EQ(int{sizeof(kInvalidRecord)},
2670 BIO_write(other_wbio, kInvalidRecord, sizeof(kInvalidRecord)));
2671 char buf[256];
2672 EXPECT_EQ(-1, SSL_read(ssl, buf, sizeof(buf)));
2673
2674 // |ssl| should have written an alert to the transport.
2675 const uint8_t *unused;
2676 size_t len;
2677 ASSERT_TRUE(BIO_mem_contents(mem.get(), &unused, &len));
2678 EXPECT_NE(0u, len);
2679 EXPECT_TRUE(BIO_reset(mem.get()));
2680
2681 // Writing should fail.
2682 EXPECT_EQ(-1, SSL_write(ssl, "a", 1));
2683
2684 // Nothing should be written to the transport.
2685 ASSERT_TRUE(BIO_mem_contents(mem.get(), &unused, &len));
2686 EXPECT_EQ(0u, len);
2687 }
2688}
2689
2690// Test that, after sending a fatal alert from the handshake, |SSL_write| fails.
2691TEST_P(SSLVersionTest, WriteAfterHandshakeSentFatalAlert) {
2692 for (bool test_server : {false, true}) {
2693 SCOPED_TRACE(test_server ? "server" : "client");
2694
2695 bssl::UniquePtr<SSL> ssl(
2696 SSL_new(test_server ? server_ctx_.get() : client_ctx_.get()));
2697 ASSERT_TRUE(ssl);
2698 if (test_server) {
2699 SSL_set_accept_state(ssl.get());
2700 } else {
2701 SSL_set_connect_state(ssl.get());
2702 }
2703
2704 std::vector<uint8_t> invalid;
2705 if (is_dtls()) {
2706 // In DTLS, invalid records are discarded. To cause the handshake to fail,
2707 // use a valid handshake record with invalid contents.
2708 invalid.push_back(SSL3_RT_HANDSHAKE);
2709 invalid.push_back(DTLS1_VERSION >> 8);
2710 invalid.push_back(DTLS1_VERSION & 0xff);
2711 // epoch and sequence_number
2712 for (int i = 0; i < 8; i++) {
2713 invalid.push_back(0);
2714 }
2715 // A one-byte fragment is invalid.
2716 invalid.push_back(0);
2717 invalid.push_back(1);
2718 // Arbitrary contents.
2719 invalid.push_back(0);
2720 } else {
2721 invalid = {'i', 'n', 'v', 'a', 'l', 'i', 'd'};
2722 }
2723 bssl::UniquePtr<BIO> rbio(
2724 BIO_new_mem_buf(invalid.data(), invalid.size()));
2725 ASSERT_TRUE(rbio);
2726 SSL_set0_rbio(ssl.get(), rbio.release());
2727
2728 bssl::UniquePtr<BIO> mem(BIO_new(BIO_s_mem()));
2729 ASSERT_TRUE(mem);
2730 SSL_set0_wbio(ssl.get(), bssl::UpRef(mem).release());
2731
2732 // The handshake should fail.
2733 EXPECT_EQ(-1, SSL_do_handshake(ssl.get()));
2734 EXPECT_EQ(SSL_ERROR_SSL, SSL_get_error(ssl.get(), -1));
2735 uint32_t err = ERR_get_error();
2736
2737 // |ssl| should have written an alert (and, in the client's case, a
2738 // ClientHello) to the transport.
2739 const uint8_t *unused;
2740 size_t len;
2741 ASSERT_TRUE(BIO_mem_contents(mem.get(), &unused, &len));
2742 EXPECT_NE(0u, len);
2743 EXPECT_TRUE(BIO_reset(mem.get()));
2744
2745 // Writing should fail, with the same error as the handshake.
2746 EXPECT_EQ(-1, SSL_write(ssl.get(), "a", 1));
2747 EXPECT_EQ(SSL_ERROR_SSL, SSL_get_error(ssl.get(), -1));
2748 EXPECT_EQ(err, ERR_get_error());
2749
2750 // Nothing should be written to the transport.
2751 ASSERT_TRUE(BIO_mem_contents(mem.get(), &unused, &len));
2752 EXPECT_EQ(0u, len);
2753 }
2754}
2755
2756// Test that, after seeing TLS 1.2 in response to early data, |SSL_write|
2757// continues to report |SSL_R_WRONG_VERSION_ON_EARLY_DATA|. See
2758// https://crbug.com/1078515.
2759TEST(SSLTest, WriteAfterWrongVersionOnEarlyData) {
2760 // Set up some 0-RTT-enabled contexts.
2761 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
2762 bssl::UniquePtr<SSL_CTX> server_ctx =
2763 CreateContextWithTestCertificate(TLS_method());
2764 ASSERT_TRUE(client_ctx);
2765 ASSERT_TRUE(server_ctx);
2766 SSL_CTX_set_early_data_enabled(client_ctx.get(), 1);
2767 SSL_CTX_set_early_data_enabled(server_ctx.get(), 1);
2768 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
2769 SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH);
2770
2771 // Get an early-data-capable session.
2772 bssl::UniquePtr<SSL_SESSION> session =
2773 CreateClientSession(client_ctx.get(), server_ctx.get());
2774 ASSERT_TRUE(session);
2775 EXPECT_TRUE(SSL_SESSION_early_data_capable(session.get()));
2776
2777 // Offer the session to the server, but now the server speaks TLS 1.2.
2778 bssl::UniquePtr<SSL> client, server;
2779 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
2780 server_ctx.get()));
2781 SSL_set_session(client.get(), session.get());
2782 EXPECT_TRUE(SSL_set_max_proto_version(server.get(), TLS1_2_VERSION));
2783
2784 // The client handshake initially succeeds in the early data state.
2785 EXPECT_EQ(1, SSL_do_handshake(client.get()));
2786 EXPECT_TRUE(SSL_in_early_data(client.get()));
2787
2788 // The server processes the ClientHello and negotiates TLS 1.2.
2789 EXPECT_EQ(-1, SSL_do_handshake(server.get()));
2790 EXPECT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(server.get(), -1));
2791 EXPECT_EQ(TLS1_2_VERSION, SSL_version(server.get()));
2792
2793 // Capture the client's output.
2794 bssl::UniquePtr<BIO> mem(BIO_new(BIO_s_mem()));
2795 ASSERT_TRUE(mem);
2796 SSL_set0_wbio(client.get(), bssl::UpRef(mem).release());
2797
2798 // The client processes the ServerHello and fails.
2799 EXPECT_EQ(-1, SSL_do_handshake(client.get()));
2800 EXPECT_EQ(SSL_ERROR_SSL, SSL_get_error(client.get(), -1));
2801 uint32_t err = ERR_get_error();
2802 EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err));
2803 EXPECT_EQ(SSL_R_WRONG_VERSION_ON_EARLY_DATA, ERR_GET_REASON(err));
2804
2805 // The client should have written an alert to the transport.
2806 const uint8_t *unused;
2807 size_t len;
2808 ASSERT_TRUE(BIO_mem_contents(mem.get(), &unused, &len));
2809 EXPECT_NE(0u, len);
2810 EXPECT_TRUE(BIO_reset(mem.get()));
2811
2812 // Writing should fail, with the same error as the handshake.
2813 EXPECT_EQ(-1, SSL_write(client.get(), "a", 1));
2814 EXPECT_EQ(SSL_ERROR_SSL, SSL_get_error(client.get(), -1));
2815 err = ERR_get_error();
2816 EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err));
2817 EXPECT_EQ(SSL_R_WRONG_VERSION_ON_EARLY_DATA, ERR_GET_REASON(err));
2818
2819 // Nothing should be written to the transport.
2820 ASSERT_TRUE(BIO_mem_contents(mem.get(), &unused, &len));
2821 EXPECT_EQ(0u, len);
2822}
2823
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2824TEST(SSLTest, SessionDuplication) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2825 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
David Benjamin9b2cdb72021-04-01 23:21:53 -0400[diff] [blame]2826 bssl::UniquePtr<SSL_CTX> server_ctx =
2827 CreateContextWithTestCertificate(TLS_method());
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2828 ASSERT_TRUE(client_ctx);
2829 ASSERT_TRUE(server_ctx);
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]2830
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2831 bssl::UniquePtr<SSL> client, server;
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2832 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
David Benjamina8614602017-09-06 15:40:19 -0400[diff] [blame]2833 server_ctx.get()));
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]2834
2835 SSL_SESSION *session0 = SSL_get_session(client.get());
David Benjamin31b0c9b2017-07-20 14:49:15 -0400[diff] [blame]2836 bssl::UniquePtr<SSL_SESSION> session1 =
2837 bssl::SSL_SESSION_dup(session0, SSL_SESSION_DUP_ALL);
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2838 ASSERT_TRUE(session1);
David Benjamin4501bd52016-08-01 13:39:41 -0400[diff] [blame]2839
David Benjamina3a71e92018-06-29 13:24:45 -0400[diff] [blame]2840 session1->not_resumable = false;
Steven Valdez84b5c002016-08-25 16:30:58 -0400[diff] [blame]2841
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]2842 uint8_t *s0_bytes, *s1_bytes;
2843 size_t s0_len, s1_len;
2844
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2845 ASSERT_TRUE(SSL_SESSION_to_bytes(session0, &s0_bytes, &s0_len));
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2846 bssl::UniquePtr<uint8_t> free_s0(s0_bytes);
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]2847
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2848 ASSERT_TRUE(SSL_SESSION_to_bytes(session1.get(), &s1_bytes, &s1_len));
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2849 bssl::UniquePtr<uint8_t> free_s1(s1_bytes);
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]2850
David Benjamin7d7554b2017-02-04 11:48:59 -0500[diff] [blame]2851 EXPECT_EQ(Bytes(s0_bytes, s0_len), Bytes(s1_bytes, s1_len));
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]2852}
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]2853
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2854static void ExpectFDs(const SSL *ssl, int rfd, int wfd) {
David Benjaminca743582017-06-15 17:51:35 -0400[diff] [blame]2855 EXPECT_EQ(rfd, SSL_get_fd(ssl));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2856 EXPECT_EQ(rfd, SSL_get_rfd(ssl));
2857 EXPECT_EQ(wfd, SSL_get_wfd(ssl));
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]2858
2859 // The wrapper BIOs are always equal when fds are equal, even if set
2860 // individually.
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2861 if (rfd == wfd) {
2862 EXPECT_EQ(SSL_get_rbio(ssl), SSL_get_wbio(ssl));
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]2863 }
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]2864}
2865
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2866TEST(SSLTest, SetFD) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2867 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2868 ASSERT_TRUE(ctx);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]2869
2870 // Test setting different read and write FDs.
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2871 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2872 ASSERT_TRUE(ssl);
2873 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
2874 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 2));
2875 ExpectFDs(ssl.get(), 1, 2);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]2876
2877 // Test setting the same FD.
2878 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2879 ASSERT_TRUE(ssl);
2880 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
2881 ExpectFDs(ssl.get(), 1, 1);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]2882
2883 // Test setting the same FD one side at a time.
2884 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2885 ASSERT_TRUE(ssl);
2886 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
2887 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 1));
2888 ExpectFDs(ssl.get(), 1, 1);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]2889
2890 // Test setting the same FD in the other order.
2891 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2892 ASSERT_TRUE(ssl);
2893 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 1));
2894 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
2895 ExpectFDs(ssl.get(), 1, 1);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]2896
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]2897 // Test changing the read FD partway through.
2898 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2899 ASSERT_TRUE(ssl);
2900 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
2901 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 2));
2902 ExpectFDs(ssl.get(), 2, 1);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]2903
2904 // Test changing the write FD partway through.
2905 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2906 ASSERT_TRUE(ssl);
2907 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
2908 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 2));
2909 ExpectFDs(ssl.get(), 1, 2);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]2910
2911 // Test a no-op change to the read FD partway through.
2912 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2913 ASSERT_TRUE(ssl);
2914 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
2915 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
2916 ExpectFDs(ssl.get(), 1, 1);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]2917
2918 // Test a no-op change to the write FD partway through.
2919 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2920 ASSERT_TRUE(ssl);
2921 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
2922 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 1));
2923 ExpectFDs(ssl.get(), 1, 1);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]2924
2925 // ASan builds will implicitly test that the internal |BIO| reference-counting
2926 // is correct.
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]2927}
2928
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2929TEST(SSLTest, SetBIO) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2930 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2931 ASSERT_TRUE(ctx);
David Benjamin4501bd52016-08-01 13:39:41 -0400[diff] [blame]2932
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2933 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
2934 bssl::UniquePtr<BIO> bio1(BIO_new(BIO_s_mem())), bio2(BIO_new(BIO_s_mem())),
David Benjamin4501bd52016-08-01 13:39:41 -0400[diff] [blame]2935 bio3(BIO_new(BIO_s_mem()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2936 ASSERT_TRUE(ssl);
2937 ASSERT_TRUE(bio1);
2938 ASSERT_TRUE(bio2);
2939 ASSERT_TRUE(bio3);
David Benjamin4501bd52016-08-01 13:39:41 -0400[diff] [blame]2940
2941 // SSL_set_bio takes one reference when the parameters are the same.
2942 BIO_up_ref(bio1.get());
2943 SSL_set_bio(ssl.get(), bio1.get(), bio1.get());
2944
2945 // Repeating the call does nothing.
2946 SSL_set_bio(ssl.get(), bio1.get(), bio1.get());
2947
2948 // It takes one reference each when the parameters are different.
2949 BIO_up_ref(bio2.get());
2950 BIO_up_ref(bio3.get());
2951 SSL_set_bio(ssl.get(), bio2.get(), bio3.get());
2952
2953 // Repeating the call does nothing.
2954 SSL_set_bio(ssl.get(), bio2.get(), bio3.get());
2955
2956 // It takes one reference when changing only wbio.
2957 BIO_up_ref(bio1.get());
2958 SSL_set_bio(ssl.get(), bio2.get(), bio1.get());
2959
2960 // It takes one reference when changing only rbio and the two are different.
2961 BIO_up_ref(bio3.get());
2962 SSL_set_bio(ssl.get(), bio3.get(), bio1.get());
2963
2964 // If setting wbio to rbio, it takes no additional references.
2965 SSL_set_bio(ssl.get(), bio3.get(), bio3.get());
2966
2967 // From there, wbio may be switched to something else.
2968 BIO_up_ref(bio1.get());
2969 SSL_set_bio(ssl.get(), bio3.get(), bio1.get());
2970
2971 // If setting rbio to wbio, it takes no additional references.
2972 SSL_set_bio(ssl.get(), bio1.get(), bio1.get());
2973
2974 // From there, rbio may be switched to something else, but, for historical
2975 // reasons, it takes a reference to both parameters.
2976 BIO_up_ref(bio1.get());
2977 BIO_up_ref(bio2.get());
2978 SSL_set_bio(ssl.get(), bio2.get(), bio1.get());
2979
2980 // ASAN builds will implicitly test that the internal |BIO| reference-counting
2981 // is correct.
David Benjamin4501bd52016-08-01 13:39:41 -0400[diff] [blame]2982}
2983
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]2984static int VerifySucceed(X509_STORE_CTX *store_ctx, void *arg) { return 1; }
2985
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2986TEST_P(SSLVersionTest, GetPeerCertificate) {
2987 ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]2988
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2989 // Configure both client and server to accept any certificate.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2990 SSL_CTX_set_verify(client_ctx_.get(),
2991 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
2992 nullptr);
2993 SSL_CTX_set_cert_verify_callback(client_ctx_.get(), VerifySucceed, NULL);
2994 SSL_CTX_set_verify(server_ctx_.get(),
2995 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
2996 nullptr);
2997 SSL_CTX_set_cert_verify_callback(server_ctx_.get(), VerifySucceed, NULL);
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]2998
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2999 ASSERT_TRUE(Connect());
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]3000
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3001 // Client and server should both see the leaf certificate.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3002 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(server_.get()));
3003 ASSERT_TRUE(peer);
3004 ASSERT_EQ(X509_cmp(cert_.get(), peer.get()), 0);
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]3005
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3006 peer.reset(SSL_get_peer_certificate(client_.get()));
3007 ASSERT_TRUE(peer);
3008 ASSERT_EQ(X509_cmp(cert_.get(), peer.get()), 0);
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]3009
David Benjamine664a532017-07-20 20:19:36 -0400[diff] [blame]3010 // However, for historical reasons, the X509 chain includes the leaf on the
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3011 // client, but does not on the server.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3012 EXPECT_EQ(sk_X509_num(SSL_get_peer_cert_chain(client_.get())), 1u);
3013 EXPECT_EQ(sk_CRYPTO_BUFFER_num(SSL_get0_peer_certificates(client_.get())),
3014 1u);
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]3015
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3016 EXPECT_EQ(sk_X509_num(SSL_get_peer_cert_chain(server_.get())), 0u);
3017 EXPECT_EQ(sk_CRYPTO_BUFFER_num(SSL_get0_peer_certificates(server_.get())),
3018 1u);
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]3019}
3020
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3021TEST_P(SSLVersionTest, NoPeerCertificate) {
3022 SSL_CTX_set_verify(server_ctx_.get(), SSL_VERIFY_PEER, nullptr);
3023 SSL_CTX_set_cert_verify_callback(server_ctx_.get(), VerifySucceed, NULL);
3024 SSL_CTX_set_cert_verify_callback(client_ctx_.get(), VerifySucceed, NULL);
David Benjamine664a532017-07-20 20:19:36 -0400[diff] [blame]3025
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3026 ASSERT_TRUE(Connect());
David Benjamine664a532017-07-20 20:19:36 -0400[diff] [blame]3027
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3028 // Server should not see a peer certificate.
3029 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(server_.get()));
3030 ASSERT_FALSE(peer);
3031 ASSERT_FALSE(SSL_get0_peer_certificates(server_.get()));
David Benjamine664a532017-07-20 20:19:36 -0400[diff] [blame]3032}
3033
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3034TEST_P(SSLVersionTest, RetainOnlySHA256OfCerts) {
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]3035 uint8_t *cert_der = NULL;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3036 int cert_der_len = i2d_X509(cert_.get(), &cert_der);
3037 ASSERT_GE(cert_der_len, 0);
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]3038 bssl::UniquePtr<uint8_t> free_cert_der(cert_der);
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]3039
3040 uint8_t cert_sha256[SHA256_DIGEST_LENGTH];
3041 SHA256(cert_der, cert_der_len, cert_sha256);
3042
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3043 ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
3044
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3045 // Configure both client and server to accept any certificate, but the
3046 // server must retain only the SHA-256 of the peer.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3047 SSL_CTX_set_verify(client_ctx_.get(),
3048 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
3049 nullptr);
3050 SSL_CTX_set_verify(server_ctx_.get(),
3051 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
3052 nullptr);
3053 SSL_CTX_set_cert_verify_callback(client_ctx_.get(), VerifySucceed, NULL);
3054 SSL_CTX_set_cert_verify_callback(server_ctx_.get(), VerifySucceed, NULL);
3055 SSL_CTX_set_retain_only_sha256_of_client_certs(server_ctx_.get(), 1);
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]3056
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3057 ASSERT_TRUE(Connect());
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]3058
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3059 // The peer certificate has been dropped.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3060 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(server_.get()));
3061 EXPECT_FALSE(peer);
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]3062
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3063 SSL_SESSION *session = SSL_get_session(server_.get());
David Benjamin02de7bd2018-05-08 18:13:54 -0400[diff] [blame]3064 EXPECT_TRUE(SSL_SESSION_has_peer_sha256(session));
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]3065
David Benjamin02de7bd2018-05-08 18:13:54 -0400[diff] [blame]3066 const uint8_t *peer_sha256;
3067 size_t peer_sha256_len;
3068 SSL_SESSION_get0_peer_sha256(session, &peer_sha256, &peer_sha256_len);
3069 EXPECT_EQ(Bytes(cert_sha256), Bytes(peer_sha256, peer_sha256_len));
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]3070}
3071
David Benjamin737d2df2017-09-25 15:05:19 -0400[diff] [blame]3072// Tests that our ClientHellos do not change unexpectedly. These are purely
3073// change detection tests. If they fail as part of an intentional ClientHello
3074// change, update the test vector.
3075TEST(SSLTest, ClientHello) {
3076 struct {
3077 uint16_t max_version;
3078 std::vector<uint8_t> expected;
3079 } kTests[] = {
David Benjamin737d2df2017-09-25 15:05:19 -0400[diff] [blame]3080 {TLS1_VERSION,
3081 {0x16, 0x03, 0x01, 0x00, 0x5a, 0x01, 0x00, 0x00, 0x56, 0x03, 0x01, 0x00,
3082 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3083 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3084 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0e, 0xc0, 0x09,
3085 0xc0, 0x13, 0xc0, 0x0a, 0xc0, 0x14, 0x00, 0x2f, 0x00, 0x35, 0x00, 0x0a,
Adam Langleyd6680952018-08-23 08:01:23 -0700[diff] [blame]3086 0x01, 0x00, 0x00, 0x1f, 0x00, 0x17, 0x00, 0x00, 0xff, 0x01, 0x00, 0x01,
3087 0x00, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00,
3088 0x18, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00}},
David Benjamin737d2df2017-09-25 15:05:19 -0400[diff] [blame]3089 {TLS1_1_VERSION,
3090 {0x16, 0x03, 0x01, 0x00, 0x5a, 0x01, 0x00, 0x00, 0x56, 0x03, 0x02, 0x00,
3091 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3092 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3093 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0e, 0xc0, 0x09,
3094 0xc0, 0x13, 0xc0, 0x0a, 0xc0, 0x14, 0x00, 0x2f, 0x00, 0x35, 0x00, 0x0a,
Adam Langleyd6680952018-08-23 08:01:23 -0700[diff] [blame]3095 0x01, 0x00, 0x00, 0x1f, 0x00, 0x17, 0x00, 0x00, 0xff, 0x01, 0x00, 0x01,
3096 0x00, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00,
3097 0x18, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00}},
David Benjamin737d2df2017-09-25 15:05:19 -0400[diff] [blame]3098 {TLS1_2_VERSION,
David Benjamin6e678ee2018-04-16 19:54:42 -0400[diff] [blame]3099 {0x16, 0x03, 0x01, 0x00, 0x82, 0x01, 0x00, 0x00, 0x7e, 0x03, 0x03, 0x00,
David Benjamin737d2df2017-09-25 15:05:19 -0400[diff] [blame]3100 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3101 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
David Benjamin6e678ee2018-04-16 19:54:42 -0400[diff] [blame]3102 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1e, 0xcc, 0xa9,
David Benjamin737d2df2017-09-25 15:05:19 -0400[diff] [blame]3103 0xcc, 0xa8, 0xc0, 0x2b, 0xc0, 0x2f, 0xc0, 0x2c, 0xc0, 0x30, 0xc0, 0x09,
David Benjamin6e678ee2018-04-16 19:54:42 -0400[diff] [blame]3104 0xc0, 0x13, 0xc0, 0x0a, 0xc0, 0x14, 0x00, 0x9c, 0x00, 0x9d, 0x00, 0x2f,
Adam Langleyd6680952018-08-23 08:01:23 -0700[diff] [blame]3105 0x00, 0x35, 0x00, 0x0a, 0x01, 0x00, 0x00, 0x37, 0x00, 0x17, 0x00, 0x00,
3106 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00,
3107 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00,
3108 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x14, 0x00, 0x12, 0x04, 0x03, 0x08,
3109 0x04, 0x04, 0x01, 0x05, 0x03, 0x08, 0x05, 0x05, 0x01, 0x08, 0x06, 0x06,
3110 0x01, 0x02, 0x01}},
David Benjamin737d2df2017-09-25 15:05:19 -0400[diff] [blame]3111 // TODO(davidben): Add a change detector for TLS 1.3 once the spec and our
3112 // implementation has settled enough that it won't change.
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]3113 };
David Benjamin737d2df2017-09-25 15:05:19 -0400[diff] [blame]3114
3115 for (const auto &t : kTests) {
3116 SCOPED_TRACE(t.max_version);
3117
3118 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
3119 ASSERT_TRUE(ctx);
3120 // Our default cipher list varies by CPU capabilities, so manually place the
3121 // ChaCha20 ciphers in front.
3122 const char *cipher_list = "CHACHA20:ALL";
David Benjamin737d2df2017-09-25 15:05:19 -0400[diff] [blame]3123 ASSERT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), t.max_version));
3124 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(ctx.get(), cipher_list));
3125
3126 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
3127 ASSERT_TRUE(ssl);
3128 std::vector<uint8_t> client_hello;
3129 ASSERT_TRUE(GetClientHello(ssl.get(), &client_hello));
3130
3131 // Zero the client_random.
3132 constexpr size_t kRandomOffset = 1 + 2 + 2 + // record header
3133 1 + 3 + // handshake message header
3134 2; // client_version
3135 ASSERT_GE(client_hello.size(), kRandomOffset + SSL3_RANDOM_SIZE);
3136 OPENSSL_memset(client_hello.data() + kRandomOffset, 0, SSL3_RANDOM_SIZE);
3137
3138 if (client_hello != t.expected) {
3139 ADD_FAILURE() << "ClientHellos did not match.";
3140 // Print the value manually so it is easier to update the test vector.
3141 for (size_t i = 0; i < client_hello.size(); i += 12) {
3142 printf(" %c", i == 0 ? '{' : ' ');
3143 for (size_t j = i; j < client_hello.size() && j < i + 12; j++) {
3144 if (j > i) {
3145 printf(" ");
3146 }
3147 printf("0x%02x", client_hello[j]);
3148 if (j < client_hello.size() - 1) {
3149 printf(",");
3150 }
3151 }
3152 if (i + 12 >= client_hello.size()) {
Adam Langleyd6680952018-08-23 08:01:23 -0700[diff] [blame]3153 printf("}},");
David Benjamin737d2df2017-09-25 15:05:19 -0400[diff] [blame]3154 }
3155 printf("\n");
3156 }
3157 }
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]3158 }
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]3159}
3160
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3161static void ExpectSessionReused(SSL_CTX *client_ctx, SSL_CTX *server_ctx,
3162 SSL_SESSION *session, bool want_reused) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]3163 bssl::UniquePtr<SSL> client, server;
David Benjamina8614602017-09-06 15:40:19 -0400[diff] [blame]3164 ClientConfig config;
3165 config.session = session;
3166 EXPECT_TRUE(
3167 ConnectClientAndServer(&client, &server, client_ctx, server_ctx, config));
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]3168
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3169 EXPECT_EQ(SSL_session_reused(client.get()), SSL_session_reused(server.get()));
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]3170
3171 bool was_reused = !!SSL_session_reused(client.get());
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3172 EXPECT_EQ(was_reused, want_reused);
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]3173}
3174
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]3175static bssl::UniquePtr<SSL_SESSION> ExpectSessionRenewed(SSL_CTX *client_ctx,
3176 SSL_CTX *server_ctx,
3177 SSL_SESSION *session) {
3178 g_last_session = nullptr;
3179 SSL_CTX_sess_set_new_cb(client_ctx, SaveLastSession);
3180
3181 bssl::UniquePtr<SSL> client, server;
David Benjamina8614602017-09-06 15:40:19 -0400[diff] [blame]3182 ClientConfig config;
3183 config.session = session;
3184 if (!ConnectClientAndServer(&client, &server, client_ctx, server_ctx,
Steven Valdez777a2392019-02-21 11:30:47 -0500[diff] [blame]3185 config) ||
3186 !FlushNewSessionTickets(client.get(), server.get())) {
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]3187 fprintf(stderr, "Failed to connect client and server.\n");
3188 return nullptr;
3189 }
3190
3191 if (SSL_session_reused(client.get()) != SSL_session_reused(server.get())) {
3192 fprintf(stderr, "Client and server were inconsistent.\n");
3193 return nullptr;
3194 }
3195
3196 if (!SSL_session_reused(client.get())) {
3197 fprintf(stderr, "Session was not reused.\n");
3198 return nullptr;
3199 }
3200
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]3201 SSL_CTX_sess_set_new_cb(client_ctx, nullptr);
3202
3203 if (!g_last_session) {
3204 fprintf(stderr, "Client did not receive a renewed session.\n");
3205 return nullptr;
3206 }
3207 return std::move(g_last_session);
3208}
3209
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3210static void ExpectTicketKeyChanged(SSL_CTX *ctx, uint8_t *inout_key,
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]3211 bool changed) {
3212 uint8_t new_key[kTicketKeyLen];
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]3213 // May return 0, 1 or 48.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3214 ASSERT_EQ(SSL_CTX_get_tlsext_ticket_keys(ctx, new_key, kTicketKeyLen), 1);
3215 if (changed) {
3216 ASSERT_NE(Bytes(inout_key, kTicketKeyLen), Bytes(new_key));
3217 } else {
3218 ASSERT_EQ(Bytes(inout_key, kTicketKeyLen), Bytes(new_key));
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]3219 }
3220 OPENSSL_memcpy(inout_key, new_key, kTicketKeyLen);
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]3221}
3222
David Benjamina933c382016-10-28 00:10:03 -0400[diff] [blame]3223static int SwitchSessionIDContextSNI(SSL *ssl, int *out_alert, void *arg) {
3224 static const uint8_t kContext[] = {3};
3225
3226 if (!SSL_set_session_id_context(ssl, kContext, sizeof(kContext))) {
3227 return SSL_TLSEXT_ERR_ALERT_FATAL;
3228 }
3229
3230 return SSL_TLSEXT_ERR_OK;
3231}
3232
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3233TEST_P(SSLVersionTest, SessionIDContext) {
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]3234 static const uint8_t kContext1[] = {1};
3235 static const uint8_t kContext2[] = {2};
3236
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3237 ASSERT_TRUE(SSL_CTX_set_session_id_context(server_ctx_.get(), kContext1,
3238 sizeof(kContext1)));
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]3239
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3240 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
3241 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]3242
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3243 bssl::UniquePtr<SSL_SESSION> session =
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3244 CreateClientSession(client_ctx_.get(), server_ctx_.get());
3245 ASSERT_TRUE(session);
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]3246
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3247 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3248 session.get(),
3249 true /* expect session reused */));
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]3250
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3251 // Change the session ID context.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3252 ASSERT_TRUE(SSL_CTX_set_session_id_context(server_ctx_.get(), kContext2,
3253 sizeof(kContext2)));
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]3254
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3255 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3256 session.get(),
3257 false /* expect session not reused */));
David Benjamina933c382016-10-28 00:10:03 -0400[diff] [blame]3258
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3259 // Change the session ID context back and install an SNI callback to switch
3260 // it.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3261 ASSERT_TRUE(SSL_CTX_set_session_id_context(server_ctx_.get(), kContext1,
3262 sizeof(kContext1)));
David Benjamina933c382016-10-28 00:10:03 -0400[diff] [blame]3263
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3264 SSL_CTX_set_tlsext_servername_callback(server_ctx_.get(),
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3265 SwitchSessionIDContextSNI);
David Benjamina933c382016-10-28 00:10:03 -0400[diff] [blame]3266
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3267 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3268 session.get(),
3269 false /* expect session not reused */));
David Benjamina933c382016-10-28 00:10:03 -0400[diff] [blame]3270
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3271 // Switch the session ID context with the early callback instead.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3272 SSL_CTX_set_tlsext_servername_callback(server_ctx_.get(), nullptr);
Alessandro Ghedini57e81e62017-03-14 23:36:00 +0000[diff] [blame]3273 SSL_CTX_set_select_certificate_cb(
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3274 server_ctx_.get(),
Alessandro Ghedini57e81e62017-03-14 23:36:00 +0000[diff] [blame]3275 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
3276 static const uint8_t kContext[] = {3};
3277
3278 if (!SSL_set_session_id_context(client_hello->ssl, kContext,
3279 sizeof(kContext))) {
3280 return ssl_select_cert_error;
3281 }
3282
3283 return ssl_select_cert_success;
3284 });
David Benjamina933c382016-10-28 00:10:03 -0400[diff] [blame]3285
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3286 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3287 session.get(),
3288 false /* expect session not reused */));
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]3289}
3290
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]3291static timeval g_current_time;
3292
3293static void CurrentTimeCallback(const SSL *ssl, timeval *out_clock) {
3294 *out_clock = g_current_time;
3295}
3296
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]3297static void FrozenTimeCallback(const SSL *ssl, timeval *out_clock) {
3298 out_clock->tv_sec = 1000;
3299 out_clock->tv_usec = 0;
3300}
3301
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]3302static int RenewTicketCallback(SSL *ssl, uint8_t *key_name, uint8_t *iv,
3303 EVP_CIPHER_CTX *ctx, HMAC_CTX *hmac_ctx,
3304 int encrypt) {
3305 static const uint8_t kZeros[16] = {0};
3306
3307 if (encrypt) {
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]3308 OPENSSL_memcpy(key_name, kZeros, sizeof(kZeros));
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]3309 RAND_bytes(iv, 16);
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]3310 } else if (OPENSSL_memcmp(key_name, kZeros, 16) != 0) {
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]3311 return 0;
3312 }
3313
3314 if (!HMAC_Init_ex(hmac_ctx, kZeros, sizeof(kZeros), EVP_sha256(), NULL) ||
3315 !EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, kZeros, iv, encrypt)) {
3316 return -1;
3317 }
3318
3319 // Returning two from the callback in decrypt mode renews the
3320 // session in TLS 1.2 and below.
3321 return encrypt ? 1 : 2;
3322}
3323
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]3324static bool GetServerTicketTime(long *out, const SSL_SESSION *session) {
David Benjaminaaef8332018-06-29 16:45:49 -0400[diff] [blame]3325 const uint8_t *ticket;
3326 size_t ticket_len;
3327 SSL_SESSION_get0_ticket(session, &ticket, &ticket_len);
3328 if (ticket_len < 16 + 16 + SHA256_DIGEST_LENGTH) {
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]3329 return false;
3330 }
3331
David Benjaminaaef8332018-06-29 16:45:49 -0400[diff] [blame]3332 const uint8_t *ciphertext = ticket + 16 + 16;
3333 size_t len = ticket_len - 16 - 16 - SHA256_DIGEST_LENGTH;
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]3334 std::unique_ptr<uint8_t[]> plaintext(new uint8_t[len]);
3335
David Benjamin9b63f292016-11-15 00:44:05 -0500[diff] [blame]3336#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
3337 // Fuzzer-mode tickets are unencrypted.
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]3338 OPENSSL_memcpy(plaintext.get(), ciphertext, len);
David Benjamin9b63f292016-11-15 00:44:05 -0500[diff] [blame]3339#else
3340 static const uint8_t kZeros[16] = {0};
David Benjaminaaef8332018-06-29 16:45:49 -0400[diff] [blame]3341 const uint8_t *iv = ticket + 16;
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]3342 bssl::ScopedEVP_CIPHER_CTX ctx;
3343 int len1, len2;
3344 if (!EVP_DecryptInit_ex(ctx.get(), EVP_aes_128_cbc(), nullptr, kZeros, iv) ||
3345 !EVP_DecryptUpdate(ctx.get(), plaintext.get(), &len1, ciphertext, len) ||
3346 !EVP_DecryptFinal_ex(ctx.get(), plaintext.get() + len1, &len2)) {
3347 return false;
3348 }
3349
3350 len = static_cast<size_t>(len1 + len2);
David Benjamin9b63f292016-11-15 00:44:05 -0500[diff] [blame]3351#endif
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]3352
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]3353 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
3354 if (!ssl_ctx) {
3355 return false;
3356 }
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]3357 bssl::UniquePtr<SSL_SESSION> server_session(
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]3358 SSL_SESSION_from_bytes(plaintext.get(), len, ssl_ctx.get()));
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]3359 if (!server_session) {
3360 return false;
3361 }
3362
David Benjaminaaef8332018-06-29 16:45:49 -0400[diff] [blame]3363 *out = SSL_SESSION_get_time(server_session.get());
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]3364 return true;
3365}
3366
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3367TEST_P(SSLVersionTest, SessionTimeout) {
3368 for (bool server_test : {false, true}) {
3369 SCOPED_TRACE(server_test);
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]3370
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3371 ResetContexts();
3372 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
3373 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
3374
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]3375 static const time_t kStartTime = 1000;
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3376 g_current_time.tv_sec = kStartTime;
David Benjamin1b22f852016-10-27 16:36:32 -0400[diff] [blame]3377
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]3378 // We are willing to use a longer lifetime for TLS 1.3 sessions as
3379 // resumptions still perform ECDHE.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3380 const time_t timeout = version() == TLS1_3_VERSION
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]3381 ? SSL_DEFAULT_SESSION_PSK_DHE_TIMEOUT
3382 : SSL_DEFAULT_SESSION_TIMEOUT;
3383
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]3384 // Both client and server must enforce session timeouts. We configure the
3385 // other side with a frozen clock so it never expires tickets.
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3386 if (server_test) {
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3387 SSL_CTX_set_current_time_cb(client_ctx_.get(), FrozenTimeCallback);
3388 SSL_CTX_set_current_time_cb(server_ctx_.get(), CurrentTimeCallback);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3389 } else {
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3390 SSL_CTX_set_current_time_cb(client_ctx_.get(), CurrentTimeCallback);
3391 SSL_CTX_set_current_time_cb(server_ctx_.get(), FrozenTimeCallback);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3392 }
3393
3394 // Configure a ticket callback which renews tickets.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3395 SSL_CTX_set_tlsext_ticket_key_cb(server_ctx_.get(), RenewTicketCallback);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3396
3397 bssl::UniquePtr<SSL_SESSION> session =
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3398 CreateClientSession(client_ctx_.get(), server_ctx_.get());
3399 ASSERT_TRUE(session);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3400
3401 // Advance the clock just behind the timeout.
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]3402 g_current_time.tv_sec += timeout - 1;
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3403
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3404 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3405 session.get(),
3406 true /* expect session reused */));
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3407
3408 // Advance the clock one more second.
3409 g_current_time.tv_sec++;
3410
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3411 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3412 session.get(),
3413 false /* expect session not reused */));
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3414
3415 // Rewind the clock to before the session was minted.
3416 g_current_time.tv_sec = kStartTime - 1;
3417
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3418 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3419 session.get(),
3420 false /* expect session not reused */));
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3421
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3422 // Renew the session 10 seconds before expiration.
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]3423 time_t new_start_time = kStartTime + timeout - 10;
3424 g_current_time.tv_sec = new_start_time;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3425 bssl::UniquePtr<SSL_SESSION> new_session = ExpectSessionRenewed(
3426 client_ctx_.get(), server_ctx_.get(), session.get());
3427 ASSERT_TRUE(new_session);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3428
3429 // This new session is not the same object as before.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3430 EXPECT_NE(session.get(), new_session.get());
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3431
3432 // Check the sessions have timestamps measured from issuance.
3433 long session_time = 0;
3434 if (server_test) {
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3435 ASSERT_TRUE(GetServerTicketTime(&session_time, new_session.get()));
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3436 } else {
David Benjaminaaef8332018-06-29 16:45:49 -0400[diff] [blame]3437 session_time = SSL_SESSION_get_time(new_session.get());
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3438 }
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]3439
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3440 ASSERT_EQ(session_time, g_current_time.tv_sec);
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]3441
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3442 if (version() == TLS1_3_VERSION) {
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]3443 // Renewal incorporates fresh key material in TLS 1.3, so we extend the
3444 // lifetime TLS 1.3.
3445 g_current_time.tv_sec = new_start_time + timeout - 1;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3446 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3447 new_session.get(),
3448 true /* expect session reused */));
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]3449
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]3450 // The new session expires after the new timeout.
3451 g_current_time.tv_sec = new_start_time + timeout + 1;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3452 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3453 new_session.get(),
3454 false /* expect session ot reused */));
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]3455
3456 // Renew the session until it begins just past the auth timeout.
3457 time_t auth_end_time = kStartTime + SSL_DEFAULT_SESSION_AUTH_TIMEOUT;
3458 while (new_start_time < auth_end_time - 1000) {
3459 // Get as close as possible to target start time.
3460 new_start_time =
3461 std::min(auth_end_time - 1000, new_start_time + timeout - 1);
3462 g_current_time.tv_sec = new_start_time;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3463 new_session = ExpectSessionRenewed(client_ctx_.get(), server_ctx_.get(),
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]3464 new_session.get());
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3465 ASSERT_TRUE(new_session);
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]3466 }
3467
3468 // Now the session's lifetime is bound by the auth timeout.
3469 g_current_time.tv_sec = auth_end_time - 1;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3470 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3471 new_session.get(),
3472 true /* expect session reused */));
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]3473
3474 g_current_time.tv_sec = auth_end_time + 1;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3475 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3476 new_session.get(),
3477 false /* expect session ot reused */));
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]3478 } else {
3479 // The new session is usable just before the old expiration.
3480 g_current_time.tv_sec = kStartTime + timeout - 1;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3481 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3482 new_session.get(),
3483 true /* expect session reused */));
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]3484
3485 // Renewal does not extend the lifetime, so it is not usable beyond the
3486 // old expiration.
3487 g_current_time.tv_sec = kStartTime + timeout + 1;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3488 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3489 new_session.get(),
3490 false /* expect session not reused */));
David Benjamin1b22f852016-10-27 16:36:32 -0400[diff] [blame]3491 }
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]3492 }
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]3493}
3494
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3495TEST_P(SSLVersionTest, DefaultTicketKeyInitialization) {
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]3496 static const uint8_t kZeroKey[kTicketKeyLen] = {};
3497 uint8_t ticket_key[kTicketKeyLen];
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3498 ASSERT_EQ(1, SSL_CTX_get_tlsext_ticket_keys(server_ctx_.get(), ticket_key,
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]3499 kTicketKeyLen));
3500 ASSERT_NE(0, OPENSSL_memcmp(ticket_key, kZeroKey, kTicketKeyLen));
3501}
3502
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3503TEST_P(SSLVersionTest, DefaultTicketKeyRotation) {
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]3504 static const time_t kStartTime = 1001;
3505 g_current_time.tv_sec = kStartTime;
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]3506
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]3507 // We use session reuse as a proxy for ticket decryption success, hence
3508 // disable session timeouts.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3509 SSL_CTX_set_timeout(server_ctx_.get(), std::numeric_limits<uint32_t>::max());
3510 SSL_CTX_set_session_psk_dhe_timeout(server_ctx_.get(),
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]3511 std::numeric_limits<uint32_t>::max());
3512
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3513 SSL_CTX_set_current_time_cb(client_ctx_.get(), FrozenTimeCallback);
3514 SSL_CTX_set_current_time_cb(server_ctx_.get(), CurrentTimeCallback);
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]3515
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3516 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
3517 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_OFF);
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]3518
David Benjamin1f0d54b2018-08-09 16:19:13 -0500[diff] [blame]3519 // Initialize ticket_key with the current key and check that it was
3520 // initialized to something, not all zeros.
3521 uint8_t ticket_key[kTicketKeyLen] = {0};
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3522 TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
3523 true /* changed */));
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]3524
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]3525 // Verify ticket resumption actually works.
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]3526 bssl::UniquePtr<SSL> client, server;
3527 bssl::UniquePtr<SSL_SESSION> session =
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3528 CreateClientSession(client_ctx_.get(), server_ctx_.get());
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]3529 ASSERT_TRUE(session);
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3530 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]3531 session.get(), true /* reused */));
3532
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]3533 // Advance time to just before key rotation.
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]3534 g_current_time.tv_sec += SSL_DEFAULT_TICKET_KEY_ROTATION_INTERVAL - 1;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3535 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]3536 session.get(), true /* reused */));
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3537 TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]3538 false /* NOT changed */));
3539
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]3540 // Force key rotation.
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]3541 g_current_time.tv_sec += 1;
3542 bssl::UniquePtr<SSL_SESSION> new_session =
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3543 CreateClientSession(client_ctx_.get(), server_ctx_.get());
3544 TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
3545 true /* changed */));
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]3546
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]3547 // Resumption with both old and new ticket should work.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3548 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]3549 session.get(), true /* reused */));
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3550 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]3551 new_session.get(), true /* reused */));
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3552 TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]3553 false /* NOT changed */));
3554
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]3555 // Force key rotation again. Resumption with the old ticket now fails.
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]3556 g_current_time.tv_sec += SSL_DEFAULT_TICKET_KEY_ROTATION_INTERVAL;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3557 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]3558 session.get(), false /* NOT reused */));
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3559 TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
3560 true /* changed */));
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]3561
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]3562 // But resumption with the newer session still works.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3563 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]3564 new_session.get(), true /* reused */));
3565}
3566
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]3567static int SwitchContext(SSL *ssl, int *out_alert, void *arg) {
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3568 SSL_CTX *ctx = reinterpret_cast<SSL_CTX *>(arg);
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]3569 SSL_set_SSL_CTX(ssl, ctx);
3570 return SSL_TLSEXT_ERR_OK;
3571}
3572
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3573TEST_P(SSLVersionTest, SNICallback) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]3574 bssl::UniquePtr<X509> cert2 = GetECDSATestCertificate();
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3575 ASSERT_TRUE(cert2);
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]3576 bssl::UniquePtr<EVP_PKEY> key2 = GetECDSATestKey();
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3577 ASSERT_TRUE(key2);
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]3578
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3579 // Test that switching the |SSL_CTX| at the SNI callback behaves correctly.
3580 static const uint16_t kECDSAWithSHA256 = SSL_SIGN_ECDSA_SECP256R1_SHA256;
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]3581
David Benjamin83a32122017-02-14 18:34:54 -0500[diff] [blame]3582 static const uint8_t kSCTList[] = {0, 6, 0, 4, 5, 6, 7, 8};
3583 static const uint8_t kOCSPResponse[] = {1, 2, 3, 4};
3584
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3585 bssl::UniquePtr<SSL_CTX> server_ctx2 = CreateContext();
3586 ASSERT_TRUE(server_ctx2);
3587 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx2.get(), cert2.get()));
3588 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx2.get(), key2.get()));
3589 ASSERT_TRUE(SSL_CTX_set_signed_cert_timestamp_list(
3590 server_ctx2.get(), kSCTList, sizeof(kSCTList)));
3591 ASSERT_TRUE(SSL_CTX_set_ocsp_response(server_ctx2.get(), kOCSPResponse,
3592 sizeof(kOCSPResponse)));
3593 // Historically signing preferences would be lost in some cases with the
3594 // SNI callback, which triggers the TLS 1.2 SHA-1 default. To ensure
3595 // this doesn't happen when |version| is TLS 1.2, configure the private
3596 // key to only sign SHA-256.
3597 ASSERT_TRUE(SSL_CTX_set_signing_algorithm_prefs(server_ctx2.get(),
3598 &kECDSAWithSHA256, 1));
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]3599
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3600 SSL_CTX_set_tlsext_servername_callback(server_ctx_.get(), SwitchContext);
3601 SSL_CTX_set_tlsext_servername_arg(server_ctx_.get(), server_ctx2.get());
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]3602
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3603 SSL_CTX_enable_signed_cert_timestamps(client_ctx_.get());
3604 SSL_CTX_enable_ocsp_stapling(client_ctx_.get());
David Benjamin83a32122017-02-14 18:34:54 -0500[diff] [blame]3605
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3606 ASSERT_TRUE(Connect());
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]3607
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3608 // The client should have received |cert2|.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3609 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(client_.get()));
3610 ASSERT_TRUE(peer);
3611 EXPECT_EQ(X509_cmp(peer.get(), cert2.get()), 0);
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]3612
David Benjamin83a32122017-02-14 18:34:54 -0500[diff] [blame]3613 // The client should have received |server_ctx2|'s SCT list.
3614 const uint8_t *data;
3615 size_t len;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3616 SSL_get0_signed_cert_timestamp_list(client_.get(), &data, &len);
3617 EXPECT_EQ(Bytes(kSCTList), Bytes(data, len));
David Benjamin83a32122017-02-14 18:34:54 -0500[diff] [blame]3618
3619 // The client should have received |server_ctx2|'s OCSP response.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3620 SSL_get0_ocsp_response(client_.get(), &data, &len);
3621 EXPECT_EQ(Bytes(kOCSPResponse), Bytes(data, len));
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]3622}
3623
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]3624// Test that the early callback can swap the maximum version.
3625TEST(SSLTest, EarlyCallbackVersionSwitch) {
David Benjamin9b2cdb72021-04-01 23:21:53 -0400[diff] [blame]3626 bssl::UniquePtr<SSL_CTX> server_ctx =
3627 CreateContextWithTestCertificate(TLS_method());
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]3628 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]3629 ASSERT_TRUE(server_ctx);
3630 ASSERT_TRUE(client_ctx);
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]3631 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION));
3632 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
David Benjamin99620572016-08-30 00:35:36 -0400[diff] [blame]3633
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]3634 SSL_CTX_set_select_certificate_cb(
Alessandro Ghedini57e81e62017-03-14 23:36:00 +0000[diff] [blame]3635 server_ctx.get(),
3636 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]3637 if (!SSL_set_max_proto_version(client_hello->ssl, TLS1_2_VERSION)) {
Alessandro Ghedini57e81e62017-03-14 23:36:00 +0000[diff] [blame]3638 return ssl_select_cert_error;
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]3639 }
3640
Alessandro Ghedini57e81e62017-03-14 23:36:00 +0000[diff] [blame]3641 return ssl_select_cert_success;
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]3642 });
David Benjamin99620572016-08-30 00:35:36 -0400[diff] [blame]3643
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]3644 bssl::UniquePtr<SSL> client, server;
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]3645 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
David Benjamina8614602017-09-06 15:40:19 -0400[diff] [blame]3646 server_ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]3647 EXPECT_EQ(TLS1_2_VERSION, SSL_version(client.get()));
David Benjamin99620572016-08-30 00:35:36 -0400[diff] [blame]3648}
3649
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]3650TEST(SSLTest, SetVersion) {
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]3651 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]3652 ASSERT_TRUE(ctx);
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]3653
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]3654 // Set valid TLS versions.
3655 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_VERSION));
3656 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_1_VERSION));
3657 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_VERSION));
3658 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_1_VERSION));
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]3659
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]3660 // Invalid TLS versions are rejected.
3661 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), DTLS1_VERSION));
3662 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0x0200));
3663 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0x1234));
3664 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), DTLS1_VERSION));
3665 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x0200));
3666 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x1234));
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]3667
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]3668 // Zero is the default version.
3669 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), 0));
Matthew Braithwaite58d56f42019-11-04 13:20:01 -0800[diff] [blame]3670 EXPECT_EQ(TLS1_3_VERSION, SSL_CTX_get_max_proto_version(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]3671 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), 0));
Nitish Sakhawalkara4af5f82019-03-25 17:26:59 -0700[diff] [blame]3672 EXPECT_EQ(TLS1_VERSION, SSL_CTX_get_min_proto_version(ctx.get()));
David Benjamin3cfeb952017-03-01 16:48:38 -0500[diff] [blame]3673
David Benjamin9bb15f52018-06-26 00:07:40 -0400[diff] [blame]3674 // TLS 1.3 is available, but not by default.
David Benjamin3cfeb952017-03-01 16:48:38 -0500[diff] [blame]3675 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_3_VERSION));
Nitish Sakhawalkara4af5f82019-03-25 17:26:59 -0700[diff] [blame]3676 EXPECT_EQ(TLS1_3_VERSION, SSL_CTX_get_max_proto_version(ctx.get()));
David Benjamine34bcc92016-09-21 16:53:09 -0400[diff] [blame]3677
David Benjamin9bb15f52018-06-26 00:07:40 -0400[diff] [blame]3678 // SSL 3.0 is not available.
3679 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), SSL3_VERSION));
3680
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]3681 ctx.reset(SSL_CTX_new(DTLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]3682 ASSERT_TRUE(ctx);
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]3683
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]3684 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), DTLS1_VERSION));
3685 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), DTLS1_2_VERSION));
3686 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), DTLS1_VERSION));
3687 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), DTLS1_2_VERSION));
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]3688
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]3689 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_VERSION));
3690 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0xfefe /* DTLS 1.1 */));
3691 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0xfffe /* DTLS 0.1 */));
3692 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0x1234));
3693 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_VERSION));
3694 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0xfefe /* DTLS 1.1 */));
3695 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0xfffe /* DTLS 0.1 */));
3696 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x1234));
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]3697
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]3698 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), 0));
Nitish Sakhawalkara4af5f82019-03-25 17:26:59 -0700[diff] [blame]3699 EXPECT_EQ(DTLS1_2_VERSION, SSL_CTX_get_max_proto_version(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]3700 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), 0));
Nitish Sakhawalkara4af5f82019-03-25 17:26:59 -0700[diff] [blame]3701 EXPECT_EQ(DTLS1_VERSION, SSL_CTX_get_min_proto_version(ctx.get()));
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]3702}
3703
David Benjamin458334a2016-12-15 13:53:25 -0500[diff] [blame]3704static const char *GetVersionName(uint16_t version) {
3705 switch (version) {
David Benjamin458334a2016-12-15 13:53:25 -0500[diff] [blame]3706 case TLS1_VERSION:
3707 return "TLSv1";
3708 case TLS1_1_VERSION:
3709 return "TLSv1.1";
3710 case TLS1_2_VERSION:
3711 return "TLSv1.2";
3712 case TLS1_3_VERSION:
3713 return "TLSv1.3";
3714 case DTLS1_VERSION:
3715 return "DTLSv1";
3716 case DTLS1_2_VERSION:
3717 return "DTLSv1.2";
3718 default:
3719 return "???";
3720 }
3721}
3722
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3723TEST_P(SSLVersionTest, Version) {
3724 ASSERT_TRUE(Connect());
David Benjamincb18ac22016-09-27 14:09:15 -0400[diff] [blame]3725
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3726 EXPECT_EQ(SSL_version(client_.get()), version());
3727 EXPECT_EQ(SSL_version(server_.get()), version());
David Benjamincb18ac22016-09-27 14:09:15 -0400[diff] [blame]3728
David Benjamin458334a2016-12-15 13:53:25 -0500[diff] [blame]3729 // Test the version name is reported as expected.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3730 const char *version_name = GetVersionName(version());
3731 EXPECT_EQ(strcmp(version_name, SSL_get_version(client_.get())), 0);
3732 EXPECT_EQ(strcmp(version_name, SSL_get_version(server_.get())), 0);
David Benjamin458334a2016-12-15 13:53:25 -0500[diff] [blame]3733
3734 // Test SSL_SESSION reports the same name.
3735 const char *client_name =
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3736 SSL_SESSION_get_version(SSL_get_session(client_.get()));
David Benjamin458334a2016-12-15 13:53:25 -0500[diff] [blame]3737 const char *server_name =
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3738 SSL_SESSION_get_version(SSL_get_session(server_.get()));
3739 EXPECT_EQ(strcmp(version_name, client_name), 0);
3740 EXPECT_EQ(strcmp(version_name, server_name), 0);
David Benjamincb18ac22016-09-27 14:09:15 -0400[diff] [blame]3741}
3742
David Benjamin9ef31f02016-10-31 18:01:13 -0400[diff] [blame]3743// Tests that that |SSL_get_pending_cipher| is available during the ALPN
3744// selection callback.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3745TEST_P(SSLVersionTest, ALPNCipherAvailable) {
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3746 ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
3747
David Benjamin9ef31f02016-10-31 18:01:13 -0400[diff] [blame]3748 static const uint8_t kALPNProtos[] = {0x03, 'f', 'o', 'o'};
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3749 ASSERT_EQ(SSL_CTX_set_alpn_protos(client_ctx_.get(), kALPNProtos,
3750 sizeof(kALPNProtos)),
3751 0);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3752
3753 // The ALPN callback does not fail the handshake on error, so have the
3754 // callback write a boolean.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3755 std::pair<uint16_t, bool> callback_state(version(), false);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3756 SSL_CTX_set_alpn_select_cb(
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3757 server_ctx_.get(),
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3758 [](SSL *ssl, const uint8_t **out, uint8_t *out_len, const uint8_t *in,
3759 unsigned in_len, void *arg) -> int {
3760 auto state = reinterpret_cast<std::pair<uint16_t, bool> *>(arg);
3761 if (SSL_get_pending_cipher(ssl) != nullptr &&
3762 SSL_version(ssl) == state->first) {
3763 state->second = true;
3764 }
3765 return SSL_TLSEXT_ERR_NOACK;
3766 },
3767 &callback_state);
3768
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3769 ASSERT_TRUE(Connect());
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3770
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3771 ASSERT_TRUE(callback_state.second);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3772}
3773
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3774TEST_P(SSLVersionTest, SSLClearSessionResumption) {
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]3775 // Skip this for TLS 1.3. TLS 1.3's ticket mechanism is incompatible with this
3776 // API pattern.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3777 if (version() == TLS1_3_VERSION) {
3778 return;
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]3779 }
3780
Matthew Braithwaiteb7bc80a2018-04-13 15:51:30 -0700[diff] [blame]3781 shed_handshake_config_ = false;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3782 ASSERT_TRUE(Connect());
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]3783
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3784 EXPECT_FALSE(SSL_session_reused(client_.get()));
3785 EXPECT_FALSE(SSL_session_reused(server_.get()));
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]3786
3787 // Reset everything.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3788 ASSERT_TRUE(SSL_clear(client_.get()));
3789 ASSERT_TRUE(SSL_clear(server_.get()));
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]3790
3791 // Attempt to connect a second time.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3792 ASSERT_TRUE(CompleteHandshakes(client_.get(), server_.get()));
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]3793
3794 // |SSL_clear| should implicitly offer the previous session to the server.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3795 EXPECT_TRUE(SSL_session_reused(client_.get()));
3796 EXPECT_TRUE(SSL_session_reused(server_.get()));
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]3797}
3798
Matthew Braithwaiteb7bc80a2018-04-13 15:51:30 -0700[diff] [blame]3799TEST_P(SSLVersionTest, SSLClearFailsWithShedding) {
3800 shed_handshake_config_ = false;
3801 ASSERT_TRUE(Connect());
3802 ASSERT_TRUE(CompleteHandshakes(client_.get(), server_.get()));
3803
3804 // Reset everything.
3805 ASSERT_TRUE(SSL_clear(client_.get()));
3806 ASSERT_TRUE(SSL_clear(server_.get()));
3807
3808 // Now enable shedding, and connect a second time.
3809 shed_handshake_config_ = true;
3810 ASSERT_TRUE(Connect());
3811 ASSERT_TRUE(CompleteHandshakes(client_.get(), server_.get()));
3812
3813 // |SSL_clear| should now fail.
3814 ASSERT_FALSE(SSL_clear(client_.get()));
3815 ASSERT_FALSE(SSL_clear(server_.get()));
3816}
3817
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3818static bool ChainsEqual(STACK_OF(X509) * chain,
3819 const std::vector<X509 *> &expected) {
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]3820 if (sk_X509_num(chain) != expected.size()) {
3821 return false;
3822 }
3823
3824 for (size_t i = 0; i < expected.size(); i++) {
3825 if (X509_cmp(sk_X509_value(chain, i), expected[i]) != 0) {
3826 return false;
3827 }
3828 }
3829
3830 return true;
3831}
3832
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3833TEST_P(SSLVersionTest, AutoChain) {
3834 cert_ = GetChainTestCertificate();
3835 ASSERT_TRUE(cert_);
3836 key_ = GetChainTestKey();
3837 ASSERT_TRUE(key_);
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]3838 bssl::UniquePtr<X509> intermediate = GetChainTestIntermediate();
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3839 ASSERT_TRUE(intermediate);
3840
3841 ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
3842 ASSERT_TRUE(UseCertAndKey(server_ctx_.get()));
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]3843
3844 // Configure both client and server to accept any certificate. Add
3845 // |intermediate| to the cert store.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3846 ASSERT_TRUE(X509_STORE_add_cert(SSL_CTX_get_cert_store(client_ctx_.get()),
3847 intermediate.get()));
3848 ASSERT_TRUE(X509_STORE_add_cert(SSL_CTX_get_cert_store(server_ctx_.get()),
3849 intermediate.get()));
3850 SSL_CTX_set_verify(client_ctx_.get(),
3851 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
3852 nullptr);
3853 SSL_CTX_set_verify(server_ctx_.get(),
3854 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
3855 nullptr);
3856 SSL_CTX_set_cert_verify_callback(client_ctx_.get(), VerifySucceed, NULL);
3857 SSL_CTX_set_cert_verify_callback(server_ctx_.get(), VerifySucceed, NULL);
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]3858
3859 // By default, the client and server should each only send the leaf.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3860 ASSERT_TRUE(Connect());
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]3861
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3862 EXPECT_TRUE(
3863 ChainsEqual(SSL_get_peer_full_cert_chain(client_.get()), {cert_.get()}));
3864 EXPECT_TRUE(
3865 ChainsEqual(SSL_get_peer_full_cert_chain(server_.get()), {cert_.get()}));
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]3866
3867 // If auto-chaining is enabled, then the intermediate is sent.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3868 SSL_CTX_clear_mode(client_ctx_.get(), SSL_MODE_NO_AUTO_CHAIN);
3869 SSL_CTX_clear_mode(server_ctx_.get(), SSL_MODE_NO_AUTO_CHAIN);
3870 ASSERT_TRUE(Connect());
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]3871
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3872 EXPECT_TRUE(ChainsEqual(SSL_get_peer_full_cert_chain(client_.get()),
3873 {cert_.get(), intermediate.get()}));
3874 EXPECT_TRUE(ChainsEqual(SSL_get_peer_full_cert_chain(server_.get()),
3875 {cert_.get(), intermediate.get()}));
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]3876
3877 // Auto-chaining does not override explicitly-configured intermediates.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3878 ASSERT_TRUE(SSL_CTX_add1_chain_cert(client_ctx_.get(), cert_.get()));
3879 ASSERT_TRUE(SSL_CTX_add1_chain_cert(server_ctx_.get(), cert_.get()));
3880 ASSERT_TRUE(Connect());
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]3881
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3882 EXPECT_TRUE(ChainsEqual(SSL_get_peer_full_cert_chain(client_.get()),
3883 {cert_.get(), cert_.get()}));
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]3884
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3885 EXPECT_TRUE(ChainsEqual(SSL_get_peer_full_cert_chain(server_.get()),
3886 {cert_.get(), cert_.get()}));
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]3887}
3888
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]3889static bool ExpectBadWriteRetry() {
3890 int err = ERR_get_error();
3891 if (ERR_GET_LIB(err) != ERR_LIB_SSL ||
3892 ERR_GET_REASON(err) != SSL_R_BAD_WRITE_RETRY) {
3893 char buf[ERR_ERROR_STRING_BUF_LEN];
3894 ERR_error_string_n(err, buf, sizeof(buf));
3895 fprintf(stderr, "Wanted SSL_R_BAD_WRITE_RETRY, got: %s.\n", buf);
3896 return false;
3897 }
3898
3899 if (ERR_peek_error() != 0) {
3900 fprintf(stderr, "Unexpected error following SSL_R_BAD_WRITE_RETRY.\n");
3901 return false;
3902 }
3903
3904 return true;
3905}
3906
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3907TEST_P(SSLVersionTest, SSLWriteRetry) {
3908 if (is_dtls()) {
3909 return;
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]3910 }
3911
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3912 for (bool enable_partial_write : {false, true}) {
3913 SCOPED_TRACE(enable_partial_write);
3914
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]3915 // Connect a client and server.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3916 ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
3917
3918 ASSERT_TRUE(Connect());
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]3919
3920 if (enable_partial_write) {
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3921 SSL_set_mode(client_.get(), SSL_MODE_ENABLE_PARTIAL_WRITE);
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]3922 }
3923
3924 // Write without reading until the buffer is full and we have an unfinished
3925 // write. Keep a count so we may reread it again later. "hello!" will be
3926 // written in two chunks, "hello" and "!".
3927 char data[] = "hello!";
3928 static const int kChunkLen = 5; // The length of "hello".
3929 unsigned count = 0;
3930 for (;;) {
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3931 int ret = SSL_write(client_.get(), data, kChunkLen);
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]3932 if (ret <= 0) {
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3933 ASSERT_EQ(SSL_get_error(client_.get(), ret), SSL_ERROR_WANT_WRITE);
3934 break;
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]3935 }
3936
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3937 ASSERT_EQ(ret, 5);
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]3938
3939 count++;
3940 }
3941
3942 // Retrying with the same parameters is legal.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3943 ASSERT_EQ(
3944 SSL_get_error(client_.get(), SSL_write(client_.get(), data, kChunkLen)),
3945 SSL_ERROR_WANT_WRITE);
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]3946
3947 // Retrying with the same buffer but shorter length is not legal.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3948 ASSERT_EQ(SSL_get_error(client_.get(),
3949 SSL_write(client_.get(), data, kChunkLen - 1)),
3950 SSL_ERROR_SSL);
3951 ASSERT_TRUE(ExpectBadWriteRetry());
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]3952
3953 // Retrying with a different buffer pointer is not legal.
3954 char data2[] = "hello";
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3955 ASSERT_EQ(SSL_get_error(client_.get(),
3956 SSL_write(client_.get(), data2, kChunkLen)),
3957 SSL_ERROR_SSL);
3958 ASSERT_TRUE(ExpectBadWriteRetry());
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]3959
3960 // With |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER|, the buffer may move.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3961 SSL_set_mode(client_.get(), SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
3962 ASSERT_EQ(SSL_get_error(client_.get(),
3963 SSL_write(client_.get(), data2, kChunkLen)),
3964 SSL_ERROR_WANT_WRITE);
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]3965
3966 // |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER| does not disable length checks.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3967 ASSERT_EQ(SSL_get_error(client_.get(),
3968 SSL_write(client_.get(), data2, kChunkLen - 1)),
3969 SSL_ERROR_SSL);
3970 ASSERT_TRUE(ExpectBadWriteRetry());
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]3971
3972 // Retrying with a larger buffer is legal.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3973 ASSERT_EQ(SSL_get_error(client_.get(),
3974 SSL_write(client_.get(), data, kChunkLen + 1)),
3975 SSL_ERROR_WANT_WRITE);
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]3976
3977 // Drain the buffer.
3978 char buf[20];
3979 for (unsigned i = 0; i < count; i++) {
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3980 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen);
3981 ASSERT_EQ(OPENSSL_memcmp(buf, "hello", kChunkLen), 0);
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]3982 }
3983
3984 // Now that there is space, a retry with a larger buffer should flush the
3985 // pending record, skip over that many bytes of input (on assumption they
3986 // are the same), and write the remainder. If SSL_MODE_ENABLE_PARTIAL_WRITE
3987 // is set, this will complete in two steps.
3988 char data3[] = "_____!";
3989 if (enable_partial_write) {
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3990 ASSERT_EQ(SSL_write(client_.get(), data3, kChunkLen + 1), kChunkLen);
3991 ASSERT_EQ(SSL_write(client_.get(), data3 + kChunkLen, 1), 1);
3992 } else {
3993 ASSERT_EQ(SSL_write(client_.get(), data3, kChunkLen + 1), kChunkLen + 1);
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]3994 }
3995
3996 // Check the last write was correct. The data will be spread over two
3997 // records, so SSL_read returns twice.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3998 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen);
3999 ASSERT_EQ(OPENSSL_memcmp(buf, "hello", kChunkLen), 0);
4000 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), 1);
4001 ASSERT_EQ(buf[0], '!');
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]4002 }
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]4003}
4004
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]4005TEST_P(SSLVersionTest, RecordCallback) {
4006 for (bool test_server : {true, false}) {
4007 SCOPED_TRACE(test_server);
4008 ResetContexts();
David Benjamin5df5be12017-06-22 19:43:11 -0400[diff] [blame]4009
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]4010 bool read_seen = false;
4011 bool write_seen = false;
4012 auto cb = [&](int is_write, int cb_version, int cb_type, const void *buf,
4013 size_t len, SSL *ssl) {
4014 if (cb_type != SSL3_RT_HEADER) {
4015 return;
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]4016 }
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]4017
4018 // The callback does not report a version for records.
4019 EXPECT_EQ(0, cb_version);
4020
4021 if (is_write) {
4022 write_seen = true;
4023 } else {
4024 read_seen = true;
4025 }
4026
4027 // Sanity-check that the record header is plausible.
4028 CBS cbs;
4029 CBS_init(&cbs, reinterpret_cast<const uint8_t *>(buf), len);
4030 uint8_t type;
4031 uint16_t record_version, length;
4032 ASSERT_TRUE(CBS_get_u8(&cbs, &type));
4033 ASSERT_TRUE(CBS_get_u16(&cbs, &record_version));
Steven Valdez64cc1212017-12-04 11:15:37 -0500[diff] [blame]4034 EXPECT_EQ(record_version & 0xff00, version() & 0xff00);
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]4035 if (is_dtls()) {
4036 uint16_t epoch;
4037 ASSERT_TRUE(CBS_get_u16(&cbs, &epoch));
4038 EXPECT_TRUE(epoch == 0 || epoch == 1) << "Invalid epoch: " << epoch;
4039 ASSERT_TRUE(CBS_skip(&cbs, 6));
4040 }
4041 ASSERT_TRUE(CBS_get_u16(&cbs, &length));
4042 EXPECT_EQ(0u, CBS_len(&cbs));
4043 };
4044 using CallbackType = decltype(cb);
4045 SSL_CTX *ctx = test_server ? server_ctx_.get() : client_ctx_.get();
4046 SSL_CTX_set_msg_callback(
4047 ctx, [](int is_write, int cb_version, int cb_type, const void *buf,
4048 size_t len, SSL *ssl, void *arg) {
4049 CallbackType *cb_ptr = reinterpret_cast<CallbackType *>(arg);
4050 (*cb_ptr)(is_write, cb_version, cb_type, buf, len, ssl);
4051 });
4052 SSL_CTX_set_msg_callback_arg(ctx, &cb);
4053
4054 ASSERT_TRUE(Connect());
4055
4056 EXPECT_TRUE(read_seen);
4057 EXPECT_TRUE(write_seen);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]4058 }
David Benjamin9ef31f02016-10-31 18:01:13 -0400[diff] [blame]4059}
4060
David Benjamina8614602017-09-06 15:40:19 -0400[diff] [blame]4061TEST_P(SSLVersionTest, GetServerName) {
David Benjamina8614602017-09-06 15:40:19 -0400[diff] [blame]4062 ClientConfig config;
4063 config.servername = "host1";
4064
4065 SSL_CTX_set_tlsext_servername_callback(
4066 server_ctx_.get(), [](SSL *ssl, int *out_alert, void *arg) -> int {
4067 // During the handshake, |SSL_get_servername| must match |config|.
4068 ClientConfig *config_p = reinterpret_cast<ClientConfig *>(arg);
4069 EXPECT_STREQ(config_p->servername.c_str(),
4070 SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name));
4071 return SSL_TLSEXT_ERR_OK;
4072 });
4073 SSL_CTX_set_tlsext_servername_arg(server_ctx_.get(), &config);
4074
4075 ASSERT_TRUE(Connect(config));
4076 // After the handshake, it must also be available.
4077 EXPECT_STREQ(config.servername.c_str(),
4078 SSL_get_servername(server_.get(), TLSEXT_NAMETYPE_host_name));
4079
4080 // Establish a session under host1.
4081 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
4082 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
4083 bssl::UniquePtr<SSL_SESSION> session =
4084 CreateClientSession(client_ctx_.get(), server_ctx_.get(), config);
4085
4086 // If the client resumes a session with a different name, |SSL_get_servername|
4087 // must return the new name.
4088 ASSERT_TRUE(session);
4089 config.session = session.get();
4090 config.servername = "host2";
4091 ASSERT_TRUE(Connect(config));
4092 EXPECT_STREQ(config.servername.c_str(),
4093 SSL_get_servername(server_.get(), TLSEXT_NAMETYPE_host_name));
4094}
4095
David Benjamin3d8f0802017-09-06 16:12:52 -0400[diff] [blame]4096// Test that session cache mode bits are honored in the client session callback.
4097TEST_P(SSLVersionTest, ClientSessionCacheMode) {
4098 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_OFF);
4099 EXPECT_FALSE(CreateClientSession(client_ctx_.get(), server_ctx_.get()));
4100
4101 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_CLIENT);
4102 EXPECT_TRUE(CreateClientSession(client_ctx_.get(), server_ctx_.get()));
4103
4104 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_SERVER);
4105 EXPECT_FALSE(CreateClientSession(client_ctx_.get(), server_ctx_.get()));
4106}
4107
Steven Valdez777a2392019-02-21 11:30:47 -0500[diff] [blame]4108// Test that all versions survive tiny write buffers. In particular, TLS 1.3
4109// NewSessionTickets are written post-handshake. Servers that block
4110// |SSL_do_handshake| on writing them will deadlock if clients are not draining
4111// the buffer. Test that we do not do this.
4112TEST_P(SSLVersionTest, SmallBuffer) {
4113 // DTLS is a datagram protocol and requires packet-sized buffers.
4114 if (is_dtls()) {
4115 return;
4116 }
4117
4118 // Test both flushing NewSessionTickets with a zero-sized write and
4119 // non-zero-sized write.
4120 for (bool use_zero_write : {false, true}) {
4121 SCOPED_TRACE(use_zero_write);
4122
4123 g_last_session = nullptr;
4124 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
4125 SSL_CTX_sess_set_new_cb(client_ctx_.get(), SaveLastSession);
4126
4127 bssl::UniquePtr<SSL> client(SSL_new(client_ctx_.get())),
4128 server(SSL_new(server_ctx_.get()));
4129 ASSERT_TRUE(client);
4130 ASSERT_TRUE(server);
4131 SSL_set_connect_state(client.get());
4132 SSL_set_accept_state(server.get());
4133
4134 // Use a tiny buffer.
4135 BIO *bio1, *bio2;
4136 ASSERT_TRUE(BIO_new_bio_pair(&bio1, 1, &bio2, 1));
4137
4138 // SSL_set_bio takes ownership.
4139 SSL_set_bio(client.get(), bio1, bio1);
4140 SSL_set_bio(server.get(), bio2, bio2);
4141
4142 ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
4143 if (version() >= TLS1_3_VERSION) {
4144 // The post-handshake ticket should not have been processed yet.
4145 EXPECT_FALSE(g_last_session);
4146 }
4147
4148 if (use_zero_write) {
4149 ASSERT_TRUE(FlushNewSessionTickets(client.get(), server.get()));
4150 EXPECT_TRUE(g_last_session);
4151 }
4152
4153 // Send some data from server to client. If |use_zero_write| is false, this
4154 // will also flush the NewSessionTickets.
4155 static const char kMessage[] = "hello world";
4156 char buf[sizeof(kMessage)];
4157 for (;;) {
4158 int server_ret = SSL_write(server.get(), kMessage, sizeof(kMessage));
4159 int server_err = SSL_get_error(server.get(), server_ret);
4160 int client_ret = SSL_read(client.get(), buf, sizeof(buf));
4161 int client_err = SSL_get_error(client.get(), client_ret);
4162
4163 // The server will write a single record, so every iteration should see
4164 // |SSL_ERROR_WANT_WRITE| and |SSL_ERROR_WANT_READ|, until the final
4165 // iteration, where both will complete.
4166 if (server_ret > 0) {
4167 EXPECT_EQ(server_ret, static_cast<int>(sizeof(kMessage)));
4168 EXPECT_EQ(client_ret, static_cast<int>(sizeof(kMessage)));
4169 EXPECT_EQ(Bytes(buf), Bytes(kMessage));
4170 break;
4171 }
4172
4173 ASSERT_EQ(server_ret, -1);
4174 ASSERT_EQ(server_err, SSL_ERROR_WANT_WRITE);
4175 ASSERT_EQ(client_ret, -1);
4176 ASSERT_EQ(client_err, SSL_ERROR_WANT_READ);
4177 }
4178
4179 // The NewSessionTickets should have been flushed and processed.
4180 EXPECT_TRUE(g_last_session);
4181 }
4182}
4183
Adam Langleye1e78132017-01-31 15:24:31 -0800[diff] [blame]4184TEST(SSLTest, AddChainCertHack) {
4185 // Ensure that we don't accidently break the hack that we have in place to
4186 // keep curl and serf happy when they use an |X509| even after transfering
4187 // ownership.
4188
4189 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
4190 ASSERT_TRUE(ctx);
4191 X509 *cert = GetTestCertificate().release();
4192 ASSERT_TRUE(cert);
4193 SSL_CTX_add0_chain_cert(ctx.get(), cert);
4194
4195 // This should not trigger a use-after-free.
4196 X509_cmp(cert, cert);
4197}
4198
David Benjaminb2ff2622017-02-03 17:06:18 -0500[diff] [blame]4199TEST(SSLTest, GetCertificate) {
4200 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
4201 ASSERT_TRUE(ctx);
4202 bssl::UniquePtr<X509> cert = GetTestCertificate();
4203 ASSERT_TRUE(cert);
4204 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), cert.get()));
4205 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
4206 ASSERT_TRUE(ssl);
4207
4208 X509 *cert2 = SSL_CTX_get0_certificate(ctx.get());
4209 ASSERT_TRUE(cert2);
4210 X509 *cert3 = SSL_get_certificate(ssl.get());
4211 ASSERT_TRUE(cert3);
4212
4213 // The old and new certificates must be identical.
4214 EXPECT_EQ(0, X509_cmp(cert.get(), cert2));
4215 EXPECT_EQ(0, X509_cmp(cert.get(), cert3));
4216
4217 uint8_t *der = nullptr;
4218 long der_len = i2d_X509(cert.get(), &der);
4219 ASSERT_LT(0, der_len);
4220 bssl::UniquePtr<uint8_t> free_der(der);
4221
4222 uint8_t *der2 = nullptr;
4223 long der2_len = i2d_X509(cert2, &der2);
4224 ASSERT_LT(0, der2_len);
4225 bssl::UniquePtr<uint8_t> free_der2(der2);
4226
4227 uint8_t *der3 = nullptr;
4228 long der3_len = i2d_X509(cert3, &der3);
4229 ASSERT_LT(0, der3_len);
4230 bssl::UniquePtr<uint8_t> free_der3(der3);
4231
4232 // They must also encode identically.
David Benjamin7d7554b2017-02-04 11:48:59 -0500[diff] [blame]4233 EXPECT_EQ(Bytes(der, der_len), Bytes(der2, der2_len));
4234 EXPECT_EQ(Bytes(der, der_len), Bytes(der3, der3_len));
David Benjaminb2ff2622017-02-03 17:06:18 -0500[diff] [blame]4235}
4236
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]4237TEST(SSLTest, SetChainAndKeyMismatch) {
4238 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_with_buffers_method()));
4239 ASSERT_TRUE(ctx);
4240
4241 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
4242 ASSERT_TRUE(key);
4243 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
4244 ASSERT_TRUE(leaf);
4245 std::vector<CRYPTO_BUFFER*> chain = {
4246 leaf.get(),
4247 };
4248
4249 // Should fail because |GetTestKey| doesn't match the chain-test certificate.
4250 ASSERT_FALSE(SSL_CTX_set_chain_and_key(ctx.get(), &chain[0], chain.size(),
4251 key.get(), nullptr));
4252 ERR_clear_error();
4253}
4254
4255TEST(SSLTest, SetChainAndKey) {
4256 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method()));
4257 ASSERT_TRUE(client_ctx);
4258 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_with_buffers_method()));
4259 ASSERT_TRUE(server_ctx);
4260
Adam Langley964256d2020-03-19 11:57:12 -0700[diff] [blame]4261 ASSERT_EQ(nullptr, SSL_CTX_get0_chain(server_ctx.get()));
4262
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]4263 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
4264 ASSERT_TRUE(key);
4265 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
4266 ASSERT_TRUE(leaf);
4267 bssl::UniquePtr<CRYPTO_BUFFER> intermediate =
4268 GetChainTestIntermediateBuffer();
4269 ASSERT_TRUE(intermediate);
4270 std::vector<CRYPTO_BUFFER*> chain = {
4271 leaf.get(), intermediate.get(),
4272 };
4273 ASSERT_TRUE(SSL_CTX_set_chain_and_key(server_ctx.get(), &chain[0],
4274 chain.size(), key.get(), nullptr));
4275
Adam Langley964256d2020-03-19 11:57:12 -0700[diff] [blame]4276 ASSERT_EQ(chain.size(),
4277 sk_CRYPTO_BUFFER_num(SSL_CTX_get0_chain(server_ctx.get())));
4278
David Benjamin3a1dd462017-07-11 16:13:10 -0400[diff] [blame]4279 SSL_CTX_set_custom_verify(
4280 client_ctx.get(), SSL_VERIFY_PEER,
4281 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
4282 return ssl_verify_ok;
4283 });
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]4284
4285 bssl::UniquePtr<SSL> client, server;
4286 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
David Benjamina8614602017-09-06 15:40:19 -0400[diff] [blame]4287 server_ctx.get()));
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]4288}
4289
Matthew Braithwaite5301c102018-01-23 12:08:55 -0800[diff] [blame]4290TEST(SSLTest, BuffersFailWithoutCustomVerify) {
4291 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method()));
4292 ASSERT_TRUE(client_ctx);
4293 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_with_buffers_method()));
4294 ASSERT_TRUE(server_ctx);
4295
4296 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
4297 ASSERT_TRUE(key);
4298 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
4299 ASSERT_TRUE(leaf);
4300 std::vector<CRYPTO_BUFFER*> chain = { leaf.get() };
4301 ASSERT_TRUE(SSL_CTX_set_chain_and_key(server_ctx.get(), &chain[0],
4302 chain.size(), key.get(), nullptr));
4303
4304 // Without SSL_CTX_set_custom_verify(), i.e. with everything in the default
4305 // configuration, certificate verification should fail.
4306 bssl::UniquePtr<SSL> client, server;
4307 ASSERT_FALSE(ConnectClientAndServer(&client, &server, client_ctx.get(),
4308 server_ctx.get()));
4309
4310 // Whereas with a verifier, the connection should succeed.
4311 SSL_CTX_set_custom_verify(
4312 client_ctx.get(), SSL_VERIFY_PEER,
4313 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
4314 return ssl_verify_ok;
4315 });
4316 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
4317 server_ctx.get()));
4318}
4319
4320TEST(SSLTest, CustomVerify) {
4321 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method()));
4322 ASSERT_TRUE(client_ctx);
4323 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_with_buffers_method()));
4324 ASSERT_TRUE(server_ctx);
4325
4326 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
4327 ASSERT_TRUE(key);
4328 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
4329 ASSERT_TRUE(leaf);
4330 std::vector<CRYPTO_BUFFER*> chain = { leaf.get() };
4331 ASSERT_TRUE(SSL_CTX_set_chain_and_key(server_ctx.get(), &chain[0],
4332 chain.size(), key.get(), nullptr));
4333
4334 SSL_CTX_set_custom_verify(
4335 client_ctx.get(), SSL_VERIFY_PEER,
4336 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
4337 return ssl_verify_ok;
4338 });
4339
4340 bssl::UniquePtr<SSL> client, server;
4341 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
4342 server_ctx.get()));
4343
4344 // With SSL_VERIFY_PEER, ssl_verify_invalid should result in a dropped
4345 // connection.
4346 SSL_CTX_set_custom_verify(
4347 client_ctx.get(), SSL_VERIFY_PEER,
4348 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
4349 return ssl_verify_invalid;
4350 });
4351
4352 ASSERT_FALSE(ConnectClientAndServer(&client, &server, client_ctx.get(),
4353 server_ctx.get()));
4354
4355 // But with SSL_VERIFY_NONE, ssl_verify_invalid should not cause a dropped
4356 // connection.
4357 SSL_CTX_set_custom_verify(
4358 client_ctx.get(), SSL_VERIFY_NONE,
4359 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
4360 return ssl_verify_invalid;
4361 });
4362
4363 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
4364 server_ctx.get()));
4365}
4366
David Benjamin71dfad42017-07-16 17:27:39 -0400[diff] [blame]4367TEST(SSLTest, ClientCABuffers) {
4368 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method()));
4369 ASSERT_TRUE(client_ctx);
4370 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_with_buffers_method()));
4371 ASSERT_TRUE(server_ctx);
4372
4373 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
4374 ASSERT_TRUE(key);
4375 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
4376 ASSERT_TRUE(leaf);
4377 bssl::UniquePtr<CRYPTO_BUFFER> intermediate =
4378 GetChainTestIntermediateBuffer();
4379 ASSERT_TRUE(intermediate);
4380 std::vector<CRYPTO_BUFFER *> chain = {
4381 leaf.get(),
4382 intermediate.get(),
4383 };
4384 ASSERT_TRUE(SSL_CTX_set_chain_and_key(server_ctx.get(), &chain[0],
4385 chain.size(), key.get(), nullptr));
4386
4387 bssl::UniquePtr<CRYPTO_BUFFER> ca_name(
4388 CRYPTO_BUFFER_new(kTestName, sizeof(kTestName), nullptr));
4389 ASSERT_TRUE(ca_name);
4390 bssl::UniquePtr<STACK_OF(CRYPTO_BUFFER)> ca_names(
4391 sk_CRYPTO_BUFFER_new_null());
4392 ASSERT_TRUE(ca_names);
David Benjamin2908dd12018-06-29 17:46:42 -0400[diff] [blame]4393 ASSERT_TRUE(PushToStack(ca_names.get(), std::move(ca_name)));
David Benjamin71dfad42017-07-16 17:27:39 -0400[diff] [blame]4394 SSL_CTX_set0_client_CAs(server_ctx.get(), ca_names.release());
4395
4396 // Configure client and server to accept all certificates.
4397 SSL_CTX_set_custom_verify(
4398 client_ctx.get(), SSL_VERIFY_PEER,
4399 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
4400 return ssl_verify_ok;
4401 });
4402 SSL_CTX_set_custom_verify(
4403 server_ctx.get(), SSL_VERIFY_PEER,
4404 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
4405 return ssl_verify_ok;
4406 });
4407
4408 bool cert_cb_called = false;
4409 SSL_CTX_set_cert_cb(
4410 client_ctx.get(),
4411 [](SSL *ssl, void *arg) -> int {
David Benjamin5f001d12018-05-08 16:46:48 -0400[diff] [blame]4412 const STACK_OF(CRYPTO_BUFFER) *peer_names =
David Benjamin71dfad42017-07-16 17:27:39 -0400[diff] [blame]4413 SSL_get0_server_requested_CAs(ssl);
4414 EXPECT_EQ(1u, sk_CRYPTO_BUFFER_num(peer_names));
4415 CRYPTO_BUFFER *peer_name = sk_CRYPTO_BUFFER_value(peer_names, 0);
4416 EXPECT_EQ(Bytes(kTestName), Bytes(CRYPTO_BUFFER_data(peer_name),
4417 CRYPTO_BUFFER_len(peer_name)));
4418 *reinterpret_cast<bool *>(arg) = true;
4419 return 1;
4420 },
4421 &cert_cb_called);
4422
4423 bssl::UniquePtr<SSL> client, server;
4424 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
David Benjamina8614602017-09-06 15:40:19 -0400[diff] [blame]4425 server_ctx.get()));
David Benjamin71dfad42017-07-16 17:27:39 -0400[diff] [blame]4426 EXPECT_TRUE(cert_cb_called);
4427}
4428
David Benjamin91222b82017-03-09 20:10:56 -0500[diff] [blame]4429// Configuring the empty cipher list, though an error, should still modify the
4430// configuration.
4431TEST(SSLTest, EmptyCipherList) {
4432 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
4433 ASSERT_TRUE(ctx);
4434
4435 // Initially, the cipher list is not empty.
4436 EXPECT_NE(0u, sk_SSL_CIPHER_num(SSL_CTX_get_ciphers(ctx.get())));
4437
4438 // Configuring the empty cipher list fails.
4439 EXPECT_FALSE(SSL_CTX_set_cipher_list(ctx.get(), ""));
4440 ERR_clear_error();
4441
4442 // But the cipher list is still updated to empty.
4443 EXPECT_EQ(0u, sk_SSL_CIPHER_num(SSL_CTX_get_ciphers(ctx.get())));
4444}
4445
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]4446// ssl_test_ticket_aead_failure_mode enumerates the possible ways in which the
4447// test |SSL_TICKET_AEAD_METHOD| can fail.
4448enum ssl_test_ticket_aead_failure_mode {
4449 ssl_test_ticket_aead_ok = 0,
4450 ssl_test_ticket_aead_seal_fail,
4451 ssl_test_ticket_aead_open_soft_fail,
4452 ssl_test_ticket_aead_open_hard_fail,
4453};
4454
4455struct ssl_test_ticket_aead_state {
4456 unsigned retry_count;
4457 ssl_test_ticket_aead_failure_mode failure_mode;
4458};
4459
4460static int ssl_test_ticket_aead_ex_index_dup(CRYPTO_EX_DATA *to,
4461 const CRYPTO_EX_DATA *from,
4462 void **from_d, int index,
4463 long argl, void *argp) {
4464 abort();
4465}
4466
4467static void ssl_test_ticket_aead_ex_index_free(void *parent, void *ptr,
4468 CRYPTO_EX_DATA *ad, int index,
4469 long argl, void *argp) {
4470 auto state = reinterpret_cast<ssl_test_ticket_aead_state*>(ptr);
4471 if (state == nullptr) {
4472 return;
4473 }
4474
4475 OPENSSL_free(state);
4476}
4477
4478static CRYPTO_once_t g_ssl_test_ticket_aead_ex_index_once = CRYPTO_ONCE_INIT;
4479static int g_ssl_test_ticket_aead_ex_index;
4480
4481static int ssl_test_ticket_aead_get_ex_index() {
4482 CRYPTO_once(&g_ssl_test_ticket_aead_ex_index_once, [] {
4483 g_ssl_test_ticket_aead_ex_index = SSL_get_ex_new_index(
4484 0, nullptr, nullptr, ssl_test_ticket_aead_ex_index_dup,
4485 ssl_test_ticket_aead_ex_index_free);
4486 });
4487 return g_ssl_test_ticket_aead_ex_index;
4488}
4489
4490static size_t ssl_test_ticket_aead_max_overhead(SSL *ssl) {
4491 return 1;
4492}
4493
4494static int ssl_test_ticket_aead_seal(SSL *ssl, uint8_t *out, size_t *out_len,
4495 size_t max_out_len, const uint8_t *in,
4496 size_t in_len) {
4497 auto state = reinterpret_cast<ssl_test_ticket_aead_state *>(
4498 SSL_get_ex_data(ssl, ssl_test_ticket_aead_get_ex_index()));
4499
4500 if (state->failure_mode == ssl_test_ticket_aead_seal_fail ||
4501 max_out_len < in_len + 1) {
4502 return 0;
4503 }
4504
4505 OPENSSL_memmove(out, in, in_len);
4506 out[in_len] = 0xff;
4507 *out_len = in_len + 1;
4508
4509 return 1;
4510}
4511
4512static ssl_ticket_aead_result_t ssl_test_ticket_aead_open(
4513 SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out_len,
4514 const uint8_t *in, size_t in_len) {
4515 auto state = reinterpret_cast<ssl_test_ticket_aead_state *>(
4516 SSL_get_ex_data(ssl, ssl_test_ticket_aead_get_ex_index()));
4517
4518 if (state->retry_count > 0) {
4519 state->retry_count--;
4520 return ssl_ticket_aead_retry;
4521 }
4522
4523 switch (state->failure_mode) {
4524 case ssl_test_ticket_aead_ok:
4525 break;
4526 case ssl_test_ticket_aead_seal_fail:
4527 // If |seal| failed then there shouldn't be any ticket to try and
4528 // decrypt.
4529 abort();
4530 break;
4531 case ssl_test_ticket_aead_open_soft_fail:
4532 return ssl_ticket_aead_ignore_ticket;
4533 case ssl_test_ticket_aead_open_hard_fail:
4534 return ssl_ticket_aead_error;
4535 }
4536
4537 if (in_len == 0 || in[in_len - 1] != 0xff) {
4538 return ssl_ticket_aead_ignore_ticket;
4539 }
4540
4541 if (max_out_len < in_len - 1) {
4542 return ssl_ticket_aead_error;
4543 }
4544
4545 OPENSSL_memmove(out, in, in_len - 1);
4546 *out_len = in_len - 1;
4547 return ssl_ticket_aead_success;
4548}
4549
4550static const SSL_TICKET_AEAD_METHOD kSSLTestTicketMethod = {
4551 ssl_test_ticket_aead_max_overhead,
4552 ssl_test_ticket_aead_seal,
4553 ssl_test_ticket_aead_open,
4554};
4555
4556static void ConnectClientAndServerWithTicketMethod(
4557 bssl::UniquePtr<SSL> *out_client, bssl::UniquePtr<SSL> *out_server,
4558 SSL_CTX *client_ctx, SSL_CTX *server_ctx, unsigned retry_count,
4559 ssl_test_ticket_aead_failure_mode failure_mode, SSL_SESSION *session) {
4560 bssl::UniquePtr<SSL> client(SSL_new(client_ctx)), server(SSL_new(server_ctx));
4561 ASSERT_TRUE(client);
4562 ASSERT_TRUE(server);
4563 SSL_set_connect_state(client.get());
4564 SSL_set_accept_state(server.get());
4565
4566 auto state = reinterpret_cast<ssl_test_ticket_aead_state *>(
4567 OPENSSL_malloc(sizeof(ssl_test_ticket_aead_state)));
4568 ASSERT_TRUE(state);
4569 OPENSSL_memset(state, 0, sizeof(ssl_test_ticket_aead_state));
4570 state->retry_count = retry_count;
4571 state->failure_mode = failure_mode;
4572
4573 ASSERT_TRUE(SSL_set_ex_data(server.get(), ssl_test_ticket_aead_get_ex_index(),
4574 state));
4575
4576 SSL_set_session(client.get(), session);
4577
4578 BIO *bio1, *bio2;
4579 ASSERT_TRUE(BIO_new_bio_pair(&bio1, 0, &bio2, 0));
4580
4581 // SSL_set_bio takes ownership.
4582 SSL_set_bio(client.get(), bio1, bio1);
4583 SSL_set_bio(server.get(), bio2, bio2);
4584
4585 if (CompleteHandshakes(client.get(), server.get())) {
4586 *out_client = std::move(client);
4587 *out_server = std::move(server);
4588 } else {
4589 out_client->reset();
4590 out_server->reset();
4591 }
4592}
4593
David Benjaminc9775322018-04-13 16:39:12 -0400[diff] [blame]4594using TicketAEADMethodParam =
4595 testing::tuple<uint16_t, unsigned, ssl_test_ticket_aead_failure_mode>;
4596
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]4597class TicketAEADMethodTest
David Benjaminc9775322018-04-13 16:39:12 -0400[diff] [blame]4598 : public ::testing::TestWithParam<TicketAEADMethodParam> {};
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]4599
4600TEST_P(TicketAEADMethodTest, Resume) {
David Benjamin9b2cdb72021-04-01 23:21:53 -0400[diff] [blame]4601 bssl::UniquePtr<SSL_CTX> server_ctx =
4602 CreateContextWithTestCertificate(TLS_method());
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]4603 ASSERT_TRUE(server_ctx);
4604 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
4605 ASSERT_TRUE(client_ctx);
4606
4607 const uint16_t version = testing::get<0>(GetParam());
4608 const unsigned retry_count = testing::get<1>(GetParam());
4609 const ssl_test_ticket_aead_failure_mode failure_mode =
4610 testing::get<2>(GetParam());
4611
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]4612 ASSERT_TRUE(SSL_CTX_set_min_proto_version(client_ctx.get(), version));
4613 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), version));
4614 ASSERT_TRUE(SSL_CTX_set_min_proto_version(server_ctx.get(), version));
4615 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), version));
4616
4617 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
4618 SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH);
4619 SSL_CTX_set_current_time_cb(client_ctx.get(), FrozenTimeCallback);
4620 SSL_CTX_set_current_time_cb(server_ctx.get(), FrozenTimeCallback);
David Benjamin707af292017-03-10 17:47:18 -0500[diff] [blame]4621 SSL_CTX_sess_set_new_cb(client_ctx.get(), SaveLastSession);
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]4622
4623 SSL_CTX_set_ticket_aead_method(server_ctx.get(), &kSSLTestTicketMethod);
4624
4625 bssl::UniquePtr<SSL> client, server;
4626 ConnectClientAndServerWithTicketMethod(&client, &server, client_ctx.get(),
4627 server_ctx.get(), retry_count,
4628 failure_mode, nullptr);
4629 switch (failure_mode) {
4630 case ssl_test_ticket_aead_ok:
4631 case ssl_test_ticket_aead_open_hard_fail:
4632 case ssl_test_ticket_aead_open_soft_fail:
4633 ASSERT_TRUE(client);
4634 break;
4635 case ssl_test_ticket_aead_seal_fail:
4636 EXPECT_FALSE(client);
4637 return;
4638 }
4639 EXPECT_FALSE(SSL_session_reused(client.get()));
4640 EXPECT_FALSE(SSL_session_reused(server.get()));
4641
Steven Valdez777a2392019-02-21 11:30:47 -0500[diff] [blame]4642 ASSERT_TRUE(FlushNewSessionTickets(client.get(), server.get()));
David Benjamin707af292017-03-10 17:47:18 -0500[diff] [blame]4643 bssl::UniquePtr<SSL_SESSION> session = std::move(g_last_session);
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]4644 ConnectClientAndServerWithTicketMethod(&client, &server, client_ctx.get(),
4645 server_ctx.get(), retry_count,
David Benjamin707af292017-03-10 17:47:18 -0500[diff] [blame]4646 failure_mode, session.get());
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]4647 switch (failure_mode) {
4648 case ssl_test_ticket_aead_ok:
4649 ASSERT_TRUE(client);
4650 EXPECT_TRUE(SSL_session_reused(client.get()));
4651 EXPECT_TRUE(SSL_session_reused(server.get()));
4652 break;
4653 case ssl_test_ticket_aead_seal_fail:
4654 abort();
4655 break;
4656 case ssl_test_ticket_aead_open_hard_fail:
4657 EXPECT_FALSE(client);
4658 break;
4659 case ssl_test_ticket_aead_open_soft_fail:
4660 ASSERT_TRUE(client);
4661 EXPECT_FALSE(SSL_session_reused(client.get()));
4662 EXPECT_FALSE(SSL_session_reused(server.get()));
4663 }
4664}
4665
David Benjaminc9775322018-04-13 16:39:12 -0400[diff] [blame]4666std::string TicketAEADMethodParamToString(
4667 const testing::TestParamInfo<TicketAEADMethodParam> &params) {
4668 std::string ret = GetVersionName(std::get<0>(params.param));
4669 // GTest only allows alphanumeric characters and '_' in the parameter
4670 // string. Additionally filter out the 'v' to get "TLS13" over "TLSv13".
4671 for (auto it = ret.begin(); it != ret.end();) {
4672 if (*it == '.' || *it == 'v') {
4673 it = ret.erase(it);
4674 } else {
4675 ++it;
4676 }
4677 }
4678 char retry_count[256];
4679 snprintf(retry_count, sizeof(retry_count), "%d", std::get<1>(params.param));
4680 ret += "_";
4681 ret += retry_count;
4682 ret += "Retries_";
4683 switch (std::get<2>(params.param)) {
4684 case ssl_test_ticket_aead_ok:
4685 ret += "OK";
4686 break;
4687 case ssl_test_ticket_aead_seal_fail:
4688 ret += "SealFail";
4689 break;
4690 case ssl_test_ticket_aead_open_soft_fail:
4691 ret += "OpenSoftFail";
4692 break;
4693 case ssl_test_ticket_aead_open_hard_fail:
4694 ret += "OpenHardFail";
4695 break;
4696 }
4697 return ret;
4698}
4699
David Benjaminbe7006a2019-04-09 18:05:02 -0500[diff] [blame]4700INSTANTIATE_TEST_SUITE_P(
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]4701 TicketAEADMethodTests, TicketAEADMethodTest,
David Benjaminc9775322018-04-13 16:39:12 -0400[diff] [blame]4702 testing::Combine(testing::Values(TLS1_2_VERSION, TLS1_3_VERSION),
4703 testing::Values(0, 1, 2),
4704 testing::Values(ssl_test_ticket_aead_ok,
4705 ssl_test_ticket_aead_seal_fail,
4706 ssl_test_ticket_aead_open_soft_fail,
4707 ssl_test_ticket_aead_open_hard_fail)),
4708 TicketAEADMethodParamToString);
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]4709
David Benjaminca743582017-06-15 17:51:35 -0400[diff] [blame]4710TEST(SSLTest, SelectNextProto) {
4711 uint8_t *result;
4712 uint8_t result_len;
4713
4714 // If there is an overlap, it should be returned.
4715 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
4716 SSL_select_next_proto(&result, &result_len,
4717 (const uint8_t *)"\1a\2bb\3ccc", 9,
4718 (const uint8_t *)"\1x\1y\1a\1z", 8));
4719 EXPECT_EQ(Bytes("a"), Bytes(result, result_len));
4720
4721 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
4722 SSL_select_next_proto(&result, &result_len,
4723 (const uint8_t *)"\1a\2bb\3ccc", 9,
4724 (const uint8_t *)"\1x\1y\2bb\1z", 9));
4725 EXPECT_EQ(Bytes("bb"), Bytes(result, result_len));
4726
4727 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
4728 SSL_select_next_proto(&result, &result_len,
4729 (const uint8_t *)"\1a\2bb\3ccc", 9,
4730 (const uint8_t *)"\1x\1y\3ccc\1z", 10));
4731 EXPECT_EQ(Bytes("ccc"), Bytes(result, result_len));
4732
4733 // Peer preference order takes precedence over local.
4734 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
4735 SSL_select_next_proto(&result, &result_len,
4736 (const uint8_t *)"\1a\2bb\3ccc", 9,
4737 (const uint8_t *)"\3ccc\2bb\1a", 9));
4738 EXPECT_EQ(Bytes("a"), Bytes(result, result_len));
4739
4740 // If there is no overlap, return the first local protocol.
4741 EXPECT_EQ(OPENSSL_NPN_NO_OVERLAP,
4742 SSL_select_next_proto(&result, &result_len,
4743 (const uint8_t *)"\1a\2bb\3ccc", 9,
4744 (const uint8_t *)"\1x\2yy\3zzz", 9));
4745 EXPECT_EQ(Bytes("x"), Bytes(result, result_len));
4746
4747 EXPECT_EQ(OPENSSL_NPN_NO_OVERLAP,
4748 SSL_select_next_proto(&result, &result_len, nullptr, 0,
4749 (const uint8_t *)"\1x\2yy\3zzz", 9));
4750 EXPECT_EQ(Bytes("x"), Bytes(result, result_len));
4751}
4752
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]4753TEST(SSLTest, SealRecord) {
Matthew Braithwaite58d56f42019-11-04 13:20:01 -0800[diff] [blame]4754 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLSv1_2_method())),
David Benjamin9b2cdb72021-04-01 23:21:53 -0400[diff] [blame]4755 server_ctx(CreateContextWithTestCertificate(TLSv1_2_method()));
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]4756 ASSERT_TRUE(client_ctx);
4757 ASSERT_TRUE(server_ctx);
4758
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]4759 bssl::UniquePtr<SSL> client, server;
4760 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
David Benjamina8614602017-09-06 15:40:19 -0400[diff] [blame]4761 server_ctx.get()));
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]4762
4763 const std::vector<uint8_t> record = {1, 2, 3, 4, 5};
4764 std::vector<uint8_t> prefix(
4765 bssl::SealRecordPrefixLen(client.get(), record.size())),
Martin Kreichgauerabbf3652017-07-21 16:27:54 -0700[diff] [blame]4766 body(record.size()),
4767 suffix(bssl::SealRecordSuffixLen(client.get(), record.size()));
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]4768 ASSERT_TRUE(bssl::SealRecord(client.get(), bssl::MakeSpan(prefix),
4769 bssl::MakeSpan(body), bssl::MakeSpan(suffix),
Martin Kreichgauerabbf3652017-07-21 16:27:54 -0700[diff] [blame]4770 record));
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]4771
4772 std::vector<uint8_t> sealed;
4773 sealed.insert(sealed.end(), prefix.begin(), prefix.end());
4774 sealed.insert(sealed.end(), body.begin(), body.end());
4775 sealed.insert(sealed.end(), suffix.begin(), suffix.end());
4776 std::vector<uint8_t> sealed_copy = sealed;
4777
4778 bssl::Span<uint8_t> plaintext;
4779 size_t record_len;
4780 uint8_t alert = 255;
4781 EXPECT_EQ(bssl::OpenRecord(server.get(), &plaintext, &record_len, &alert,
4782 bssl::MakeSpan(sealed)),
4783 bssl::OpenRecordResult::kOK);
4784 EXPECT_EQ(record_len, sealed.size());
4785 EXPECT_EQ(plaintext, record);
4786 EXPECT_EQ(255, alert);
4787}
4788
4789TEST(SSLTest, SealRecordInPlace) {
Matthew Braithwaite58d56f42019-11-04 13:20:01 -0800[diff] [blame]4790 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLSv1_2_method())),
David Benjamin9b2cdb72021-04-01 23:21:53 -0400[diff] [blame]4791 server_ctx(CreateContextWithTestCertificate(TLSv1_2_method()));
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]4792 ASSERT_TRUE(client_ctx);
4793 ASSERT_TRUE(server_ctx);
4794
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]4795 bssl::UniquePtr<SSL> client, server;
4796 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
David Benjamina8614602017-09-06 15:40:19 -0400[diff] [blame]4797 server_ctx.get()));
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]4798
4799 const std::vector<uint8_t> plaintext = {1, 2, 3, 4, 5};
4800 std::vector<uint8_t> record = plaintext;
4801 std::vector<uint8_t> prefix(
4802 bssl::SealRecordPrefixLen(client.get(), record.size())),
Martin Kreichgauerabbf3652017-07-21 16:27:54 -0700[diff] [blame]4803 suffix(bssl::SealRecordSuffixLen(client.get(), record.size()));
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]4804 ASSERT_TRUE(bssl::SealRecord(client.get(), bssl::MakeSpan(prefix),
4805 bssl::MakeSpan(record), bssl::MakeSpan(suffix),
Martin Kreichgauerabbf3652017-07-21 16:27:54 -0700[diff] [blame]4806 record));
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]4807 record.insert(record.begin(), prefix.begin(), prefix.end());
4808 record.insert(record.end(), suffix.begin(), suffix.end());
4809
4810 bssl::Span<uint8_t> result;
4811 size_t record_len;
4812 uint8_t alert;
4813 EXPECT_EQ(bssl::OpenRecord(server.get(), &result, &record_len, &alert,
4814 bssl::MakeSpan(record)),
4815 bssl::OpenRecordResult::kOK);
4816 EXPECT_EQ(record_len, record.size());
4817 EXPECT_EQ(plaintext, result);
4818}
4819
4820TEST(SSLTest, SealRecordTrailingData) {
Matthew Braithwaite58d56f42019-11-04 13:20:01 -0800[diff] [blame]4821 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLSv1_2_method())),
David Benjamin9b2cdb72021-04-01 23:21:53 -0400[diff] [blame]4822 server_ctx(CreateContextWithTestCertificate(TLSv1_2_method()));
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]4823 ASSERT_TRUE(client_ctx);
4824 ASSERT_TRUE(server_ctx);
4825
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]4826 bssl::UniquePtr<SSL> client, server;
4827 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
David Benjamina8614602017-09-06 15:40:19 -0400[diff] [blame]4828 server_ctx.get()));
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]4829
4830 const std::vector<uint8_t> plaintext = {1, 2, 3, 4, 5};
4831 std::vector<uint8_t> record = plaintext;
4832 std::vector<uint8_t> prefix(
4833 bssl::SealRecordPrefixLen(client.get(), record.size())),
Martin Kreichgauerabbf3652017-07-21 16:27:54 -0700[diff] [blame]4834 suffix(bssl::SealRecordSuffixLen(client.get(), record.size()));
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]4835 ASSERT_TRUE(bssl::SealRecord(client.get(), bssl::MakeSpan(prefix),
4836 bssl::MakeSpan(record), bssl::MakeSpan(suffix),
Martin Kreichgauerabbf3652017-07-21 16:27:54 -0700[diff] [blame]4837 record));
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]4838 record.insert(record.begin(), prefix.begin(), prefix.end());
4839 record.insert(record.end(), suffix.begin(), suffix.end());
4840 record.insert(record.end(), {5, 4, 3, 2, 1});
4841
4842 bssl::Span<uint8_t> result;
4843 size_t record_len;
4844 uint8_t alert;
4845 EXPECT_EQ(bssl::OpenRecord(server.get(), &result, &record_len, &alert,
4846 bssl::MakeSpan(record)),
4847 bssl::OpenRecordResult::kOK);
4848 EXPECT_EQ(record_len, record.size() - 5);
4849 EXPECT_EQ(plaintext, result);
4850}
4851
4852TEST(SSLTest, SealRecordInvalidSpanSize) {
Matthew Braithwaite58d56f42019-11-04 13:20:01 -0800[diff] [blame]4853 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLSv1_2_method())),
David Benjamin9b2cdb72021-04-01 23:21:53 -0400[diff] [blame]4854 server_ctx(CreateContextWithTestCertificate(TLSv1_2_method()));
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]4855 ASSERT_TRUE(client_ctx);
4856 ASSERT_TRUE(server_ctx);
4857
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]4858 bssl::UniquePtr<SSL> client, server;
4859 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
David Benjamina8614602017-09-06 15:40:19 -0400[diff] [blame]4860 server_ctx.get()));
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]4861
4862 std::vector<uint8_t> record = {1, 2, 3, 4, 5};
4863 std::vector<uint8_t> prefix(
4864 bssl::SealRecordPrefixLen(client.get(), record.size())),
Martin Kreichgauerabbf3652017-07-21 16:27:54 -0700[diff] [blame]4865 body(record.size()),
4866 suffix(bssl::SealRecordSuffixLen(client.get(), record.size()));
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]4867
4868 auto expect_err = []() {
4869 int err = ERR_get_error();
4870 EXPECT_EQ(ERR_GET_LIB(err), ERR_LIB_SSL);
4871 EXPECT_EQ(ERR_GET_REASON(err), SSL_R_BUFFER_TOO_SMALL);
4872 ERR_clear_error();
4873 };
4874 EXPECT_FALSE(bssl::SealRecord(
4875 client.get(), bssl::MakeSpan(prefix.data(), prefix.size() - 1),
Martin Kreichgauerabbf3652017-07-21 16:27:54 -0700[diff] [blame]4876 bssl::MakeSpan(record), bssl::MakeSpan(suffix), record));
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]4877 expect_err();
4878 EXPECT_FALSE(bssl::SealRecord(
4879 client.get(), bssl::MakeSpan(prefix.data(), prefix.size() + 1),
Martin Kreichgauerabbf3652017-07-21 16:27:54 -0700[diff] [blame]4880 bssl::MakeSpan(record), bssl::MakeSpan(suffix), record));
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]4881 expect_err();
4882
4883 EXPECT_FALSE(
4884 bssl::SealRecord(client.get(), bssl::MakeSpan(prefix),
4885 bssl::MakeSpan(record.data(), record.size() - 1),
Martin Kreichgauerabbf3652017-07-21 16:27:54 -0700[diff] [blame]4886 bssl::MakeSpan(suffix), record));
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]4887 expect_err();
4888 EXPECT_FALSE(
4889 bssl::SealRecord(client.get(), bssl::MakeSpan(prefix),
4890 bssl::MakeSpan(record.data(), record.size() + 1),
Martin Kreichgauerabbf3652017-07-21 16:27:54 -0700[diff] [blame]4891 bssl::MakeSpan(suffix), record));
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]4892 expect_err();
4893
4894 EXPECT_FALSE(bssl::SealRecord(
4895 client.get(), bssl::MakeSpan(prefix), bssl::MakeSpan(record),
Martin Kreichgauerabbf3652017-07-21 16:27:54 -0700[diff] [blame]4896 bssl::MakeSpan(suffix.data(), suffix.size() - 1), record));
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]4897 expect_err();
4898 EXPECT_FALSE(bssl::SealRecord(
4899 client.get(), bssl::MakeSpan(prefix), bssl::MakeSpan(record),
Martin Kreichgauerabbf3652017-07-21 16:27:54 -0700[diff] [blame]4900 bssl::MakeSpan(suffix.data(), suffix.size() + 1), record));
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]4901 expect_err();
4902}
4903
David Benjamin617b8182017-08-29 15:33:10 -0400[diff] [blame]4904// The client should gracefully handle no suitable ciphers being enabled.
4905TEST(SSLTest, NoCiphersAvailable) {
4906 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
4907 ASSERT_TRUE(ctx);
4908
4909 // Configure |client_ctx| with a cipher list that does not intersect with its
4910 // version configuration.
4911 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(
4912 ctx.get(), "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"));
4913 ASSERT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_1_VERSION));
4914
4915 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
4916 ASSERT_TRUE(ssl);
4917 SSL_set_connect_state(ssl.get());
4918
4919 UniquePtr<BIO> rbio(BIO_new(BIO_s_mem())), wbio(BIO_new(BIO_s_mem()));
4920 ASSERT_TRUE(rbio);
4921 ASSERT_TRUE(wbio);
4922 SSL_set0_rbio(ssl.get(), rbio.release());
4923 SSL_set0_wbio(ssl.get(), wbio.release());
4924
4925 int ret = SSL_do_handshake(ssl.get());
4926 EXPECT_EQ(-1, ret);
4927 EXPECT_EQ(SSL_ERROR_SSL, SSL_get_error(ssl.get(), ret));
4928 uint32_t err = ERR_get_error();
4929 EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err));
4930 EXPECT_EQ(SSL_R_NO_CIPHERS_AVAILABLE, ERR_GET_REASON(err));
4931}
4932
David Benjamina4bafd32017-10-03 15:06:29 -0400[diff] [blame]4933TEST_P(SSLVersionTest, SessionVersion) {
4934 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
4935 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
4936
4937 bssl::UniquePtr<SSL_SESSION> session =
4938 CreateClientSession(client_ctx_.get(), server_ctx_.get());
4939 ASSERT_TRUE(session);
4940 EXPECT_EQ(version(), SSL_SESSION_get_protocol_version(session.get()));
4941
4942 // Sessions in TLS 1.3 and later should be single-use.
4943 EXPECT_EQ(version() == TLS1_3_VERSION,
4944 !!SSL_SESSION_should_be_single_use(session.get()));
4945
4946 // Making fake sessions for testing works.
4947 session.reset(SSL_SESSION_new(client_ctx_.get()));
4948 ASSERT_TRUE(session);
4949 ASSERT_TRUE(SSL_SESSION_set_protocol_version(session.get(), version()));
4950 EXPECT_EQ(version(), SSL_SESSION_get_protocol_version(session.get()));
4951}
4952
David Benjaminfdb7a352017-10-12 17:34:18 -0400[diff] [blame]4953TEST_P(SSLVersionTest, SSLPending) {
4954 UniquePtr<SSL> ssl(SSL_new(client_ctx_.get()));
4955 ASSERT_TRUE(ssl);
4956 EXPECT_EQ(0, SSL_pending(ssl.get()));
4957
4958 ASSERT_TRUE(Connect());
4959 EXPECT_EQ(0, SSL_pending(client_.get()));
4960
4961 ASSERT_EQ(5, SSL_write(server_.get(), "hello", 5));
4962 ASSERT_EQ(5, SSL_write(server_.get(), "world", 5));
4963 EXPECT_EQ(0, SSL_pending(client_.get()));
4964
4965 char buf[10];
4966 ASSERT_EQ(1, SSL_peek(client_.get(), buf, 1));
4967 EXPECT_EQ(5, SSL_pending(client_.get()));
4968
4969 ASSERT_EQ(1, SSL_read(client_.get(), buf, 1));
4970 EXPECT_EQ(4, SSL_pending(client_.get()));
4971
4972 ASSERT_EQ(4, SSL_read(client_.get(), buf, 10));
4973 EXPECT_EQ(0, SSL_pending(client_.get()));
4974
4975 ASSERT_EQ(2, SSL_read(client_.get(), buf, 2));
4976 EXPECT_EQ(3, SSL_pending(client_.get()));
4977}
4978
David Benjamina031b612017-10-11 20:48:25 -0400[diff] [blame]4979// Test that post-handshake tickets consumed by |SSL_shutdown| are ignored.
4980TEST(SSLTest, ShutdownIgnoresTickets) {
David Benjamin9b2cdb72021-04-01 23:21:53 -0400[diff] [blame]4981 bssl::UniquePtr<SSL_CTX> ctx(CreateContextWithTestCertificate(TLS_method()));
David Benjamina031b612017-10-11 20:48:25 -0400[diff] [blame]4982 ASSERT_TRUE(ctx);
4983 ASSERT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_3_VERSION));
4984 ASSERT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_3_VERSION));
4985
David Benjamina031b612017-10-11 20:48:25 -0400[diff] [blame]4986 SSL_CTX_set_session_cache_mode(ctx.get(), SSL_SESS_CACHE_BOTH);
4987
4988 bssl::UniquePtr<SSL> client, server;
4989 ASSERT_TRUE(ConnectClientAndServer(&client, &server, ctx.get(), ctx.get()));
4990
4991 SSL_CTX_sess_set_new_cb(ctx.get(), [](SSL *ssl, SSL_SESSION *session) -> int {
4992 ADD_FAILURE() << "New session callback called during SSL_shutdown";
4993 return 0;
4994 });
4995
4996 // Send close_notify.
4997 EXPECT_EQ(0, SSL_shutdown(server.get()));
4998 EXPECT_EQ(0, SSL_shutdown(client.get()));
4999
5000 // Receive close_notify.
5001 EXPECT_EQ(1, SSL_shutdown(server.get()));
5002 EXPECT_EQ(1, SSL_shutdown(client.get()));
5003}
5004
David Benjamin6cc352e2017-11-02 17:21:39 -0400[diff] [blame]5005TEST(SSLTest, SignatureAlgorithmProperties) {
5006 EXPECT_EQ(EVP_PKEY_NONE, SSL_get_signature_algorithm_key_type(0x1234));
5007 EXPECT_EQ(nullptr, SSL_get_signature_algorithm_digest(0x1234));
5008 EXPECT_FALSE(SSL_is_signature_algorithm_rsa_pss(0x1234));
5009
5010 EXPECT_EQ(EVP_PKEY_RSA,
5011 SSL_get_signature_algorithm_key_type(SSL_SIGN_RSA_PKCS1_MD5_SHA1));
5012 EXPECT_EQ(EVP_md5_sha1(),
5013 SSL_get_signature_algorithm_digest(SSL_SIGN_RSA_PKCS1_MD5_SHA1));
5014 EXPECT_FALSE(SSL_is_signature_algorithm_rsa_pss(SSL_SIGN_RSA_PKCS1_MD5_SHA1));
5015
5016 EXPECT_EQ(EVP_PKEY_EC, SSL_get_signature_algorithm_key_type(
5017 SSL_SIGN_ECDSA_SECP256R1_SHA256));
5018 EXPECT_EQ(EVP_sha256(), SSL_get_signature_algorithm_digest(
5019 SSL_SIGN_ECDSA_SECP256R1_SHA256));
5020 EXPECT_FALSE(
5021 SSL_is_signature_algorithm_rsa_pss(SSL_SIGN_ECDSA_SECP256R1_SHA256));
5022
5023 EXPECT_EQ(EVP_PKEY_RSA,
David Benjamin6879e192018-04-13 16:01:02 -0400[diff] [blame]5024 SSL_get_signature_algorithm_key_type(SSL_SIGN_RSA_PSS_RSAE_SHA384));
David Benjamin6cc352e2017-11-02 17:21:39 -0400[diff] [blame]5025 EXPECT_EQ(EVP_sha384(),
David Benjamin6879e192018-04-13 16:01:02 -0400[diff] [blame]5026 SSL_get_signature_algorithm_digest(SSL_SIGN_RSA_PSS_RSAE_SHA384));
5027 EXPECT_TRUE(SSL_is_signature_algorithm_rsa_pss(SSL_SIGN_RSA_PSS_RSAE_SHA384));
David Benjamin6cc352e2017-11-02 17:21:39 -0400[diff] [blame]5028}
5029
Adam Langley85967952018-07-03 08:04:58 -0700[diff] [blame]5030static int XORCompressFunc(SSL *ssl, CBB *out, const uint8_t *in,
5031 size_t in_len) {
5032 for (size_t i = 0; i < in_len; i++) {
Adam Langley0080d832018-06-07 16:39:49 -0700[diff] [blame]5033 if (!CBB_add_u8(out, in[i] ^ 0x55)) {
Adam Langley85967952018-07-03 08:04:58 -0700[diff] [blame]5034 return 0;
Adam Langley0080d832018-06-07 16:39:49 -0700[diff] [blame]5035 }
5036 }
5037
5038 SSL_set_app_data(ssl, XORCompressFunc);
5039
Adam Langley85967952018-07-03 08:04:58 -0700[diff] [blame]5040 return 1;
Adam Langley0080d832018-06-07 16:39:49 -0700[diff] [blame]5041}
5042
Adam Langley85967952018-07-03 08:04:58 -0700[diff] [blame]5043static int XORDecompressFunc(SSL *ssl, CRYPTO_BUFFER **out,
5044 size_t uncompressed_len, const uint8_t *in,
5045 size_t in_len) {
5046 if (in_len != uncompressed_len) {
5047 return 0;
Adam Langley0080d832018-06-07 16:39:49 -0700[diff] [blame]5048 }
5049
5050 uint8_t *data;
Adam Langley85967952018-07-03 08:04:58 -0700[diff] [blame]5051 *out = CRYPTO_BUFFER_alloc(&data, uncompressed_len);
5052 if (*out == nullptr) {
5053 return 0;
Adam Langley0080d832018-06-07 16:39:49 -0700[diff] [blame]5054 }
5055
Adam Langley85967952018-07-03 08:04:58 -0700[diff] [blame]5056 for (size_t i = 0; i < in_len; i++) {
Adam Langley0080d832018-06-07 16:39:49 -0700[diff] [blame]5057 data[i] = in[i] ^ 0x55;
5058 }
5059
5060 SSL_set_app_data(ssl, XORDecompressFunc);
5061
Adam Langley85967952018-07-03 08:04:58 -0700[diff] [blame]5062 return 1;
Adam Langley0080d832018-06-07 16:39:49 -0700[diff] [blame]5063}
5064
5065TEST(SSLTest, CertCompression) {
5066 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
David Benjamin9b2cdb72021-04-01 23:21:53 -0400[diff] [blame]5067 bssl::UniquePtr<SSL_CTX> server_ctx(
5068 CreateContextWithTestCertificate(TLS_method()));
Adam Langley0080d832018-06-07 16:39:49 -0700[diff] [blame]5069 ASSERT_TRUE(client_ctx);
5070 ASSERT_TRUE(server_ctx);
5071
Adam Langley0080d832018-06-07 16:39:49 -0700[diff] [blame]5072 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION));
5073 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
5074 ASSERT_TRUE(SSL_CTX_add_cert_compression_alg(
5075 client_ctx.get(), 0x1234, XORCompressFunc, XORDecompressFunc));
5076 ASSERT_TRUE(SSL_CTX_add_cert_compression_alg(
5077 server_ctx.get(), 0x1234, XORCompressFunc, XORDecompressFunc));
5078
5079 bssl::UniquePtr<SSL> client, server;
5080 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
5081 server_ctx.get()));
5082
5083 EXPECT_TRUE(SSL_get_app_data(client.get()) == XORDecompressFunc);
5084 EXPECT_TRUE(SSL_get_app_data(server.get()) == XORCompressFunc);
5085}
5086
Adam Langleyddb57cf2018-01-26 09:17:53 -0800[diff] [blame]5087void MoveBIOs(SSL *dest, SSL *src) {
5088 BIO *rbio = SSL_get_rbio(src);
5089 BIO_up_ref(rbio);
5090 SSL_set0_rbio(dest, rbio);
5091
5092 BIO *wbio = SSL_get_wbio(src);
5093 BIO_up_ref(wbio);
5094 SSL_set0_wbio(dest, wbio);
5095
5096 SSL_set0_rbio(src, nullptr);
5097 SSL_set0_wbio(src, nullptr);
5098}
5099
5100TEST(SSLTest, Handoff) {
5101 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
5102 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
David Benjamin9b2cdb72021-04-01 23:21:53 -0400[diff] [blame]5103 bssl::UniquePtr<SSL_CTX> handshaker_ctx(
5104 CreateContextWithTestCertificate(TLS_method()));
Adam Langleyddb57cf2018-01-26 09:17:53 -0800[diff] [blame]5105 ASSERT_TRUE(client_ctx);
5106 ASSERT_TRUE(server_ctx);
5107 ASSERT_TRUE(handshaker_ctx);
5108
Matthew Braithwaite134fb892019-11-26 17:56:11 -0800[diff] [blame]5109 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_CLIENT);
5110 SSL_CTX_sess_set_new_cb(client_ctx.get(), SaveLastSession);
Adam Langleyddb57cf2018-01-26 09:17:53 -0800[diff] [blame]5111 SSL_CTX_set_handoff_mode(server_ctx.get(), 1);
Matthew Braithwaite134fb892019-11-26 17:56:11 -0800[diff] [blame]5112 uint8_t keys[48];
David Benjamin243b5cc2019-12-04 11:23:50 -0500[diff] [blame]5113 SSL_CTX_get_tlsext_ticket_keys(server_ctx.get(), &keys, sizeof(keys));
Matthew Braithwaite134fb892019-11-26 17:56:11 -0800[diff] [blame]5114 SSL_CTX_set_tlsext_ticket_keys(handshaker_ctx.get(), &keys, sizeof(keys));
Adam Langleyddb57cf2018-01-26 09:17:53 -0800[diff] [blame]5115
Matthew Braithwaite4f3e8212020-01-08 16:56:48 -0800[diff] [blame]5116 for (bool early_data : {false, true}) {
5117 SCOPED_TRACE(early_data);
5118 for (bool is_resume : {false, true}) {
5119 SCOPED_TRACE(is_resume);
5120 bssl::UniquePtr<SSL> client, server;
David Benjamin9b2cdb72021-04-01 23:21:53 -0400[diff] [blame]5121 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
5122 server_ctx.get()));
5123 SSL_set_early_data_enabled(client.get(), early_data);
Matthew Braithwaite4f3e8212020-01-08 16:56:48 -0800[diff] [blame]5124 if (is_resume) {
5125 ASSERT_TRUE(g_last_session);
David Benjamin9b2cdb72021-04-01 23:21:53 -0400[diff] [blame]5126 SSL_set_session(client.get(), g_last_session.get());
5127 if (early_data) {
5128 EXPECT_GT(g_last_session->ticket_max_early_data, 0u);
5129 }
Matthew Braithwaite4f3e8212020-01-08 16:56:48 -0800[diff] [blame]5130 }
David Benjamin9b2cdb72021-04-01 23:21:53 -0400[diff] [blame]5131
Matthew Braithwaite4f3e8212020-01-08 16:56:48 -0800[diff] [blame]5132
5133 int client_ret = SSL_do_handshake(client.get());
5134 int client_err = SSL_get_error(client.get(), client_ret);
5135
5136 uint8_t byte_written;
David Benjamin9b2cdb72021-04-01 23:21:53 -0400[diff] [blame]5137 if (early_data && is_resume) {
Matthew Braithwaite4f3e8212020-01-08 16:56:48 -0800[diff] [blame]5138 ASSERT_EQ(client_err, 0);
5139 EXPECT_TRUE(SSL_in_early_data(client.get()));
5140 // Attempt to write early data.
5141 byte_written = 43;
5142 EXPECT_EQ(SSL_write(client.get(), &byte_written, 1), 1);
5143 } else {
5144 ASSERT_EQ(client_err, SSL_ERROR_WANT_READ);
5145 }
5146
5147 int server_ret = SSL_do_handshake(server.get());
5148 int server_err = SSL_get_error(server.get(), server_ret);
5149 ASSERT_EQ(server_err, SSL_ERROR_HANDOFF);
5150
5151 ScopedCBB cbb;
5152 Array<uint8_t> handoff;
5153 SSL_CLIENT_HELLO hello;
5154 ASSERT_TRUE(CBB_init(cbb.get(), 256));
5155 ASSERT_TRUE(SSL_serialize_handoff(server.get(), cbb.get(), &hello));
5156 ASSERT_TRUE(CBBFinishArray(cbb.get(), &handoff));
5157
5158 bssl::UniquePtr<SSL> handshaker(SSL_new(handshaker_ctx.get()));
5159 // Note split handshakes determines 0-RTT support, for both the current
5160 // handshake and newly-issued tickets, entirely by |handshaker|. There is
5161 // no need to call |SSL_set_early_data_enabled| on |server|.
5162 SSL_set_early_data_enabled(handshaker.get(), 1);
5163 ASSERT_TRUE(SSL_apply_handoff(handshaker.get(), handoff));
5164
5165 MoveBIOs(handshaker.get(), server.get());
5166
5167 int handshake_ret = SSL_do_handshake(handshaker.get());
5168 int handshake_err = SSL_get_error(handshaker.get(), handshake_ret);
5169 ASSERT_EQ(handshake_err, SSL_ERROR_HANDBACK);
5170
5171 // Double-check that additional calls to |SSL_do_handshake| continue
Adam Langley472d91c2020-02-18 12:12:35 -0800[diff] [blame]5172 // to get |SSL_ERROR_HANDBACK|.
Matthew Braithwaite4f3e8212020-01-08 16:56:48 -0800[diff] [blame]5173 handshake_ret = SSL_do_handshake(handshaker.get());
5174 handshake_err = SSL_get_error(handshaker.get(), handshake_ret);
5175 ASSERT_EQ(handshake_err, SSL_ERROR_HANDBACK);
5176
5177 ScopedCBB cbb_handback;
5178 Array<uint8_t> handback;
5179 ASSERT_TRUE(CBB_init(cbb_handback.get(), 1024));
5180 ASSERT_TRUE(SSL_serialize_handback(handshaker.get(), cbb_handback.get()));
5181 ASSERT_TRUE(CBBFinishArray(cbb_handback.get(), &handback));
5182
5183 bssl::UniquePtr<SSL> server2(SSL_new(server_ctx.get()));
5184 ASSERT_TRUE(SSL_apply_handback(server2.get(), handback));
5185
5186 MoveBIOs(server2.get(), handshaker.get());
5187 ASSERT_TRUE(CompleteHandshakes(client.get(), server2.get()));
5188 EXPECT_EQ(is_resume, SSL_session_reused(client.get()));
5189
David Benjamin9b2cdb72021-04-01 23:21:53 -0400[diff] [blame]5190 if (early_data && is_resume) {
Matthew Braithwaite4f3e8212020-01-08 16:56:48 -0800[diff] [blame]5191 // In this case, one byte of early data has already been written above.
5192 EXPECT_TRUE(SSL_early_data_accepted(client.get()));
5193 } else {
5194 byte_written = 42;
5195 EXPECT_EQ(SSL_write(client.get(), &byte_written, 1), 1);
5196 }
5197 uint8_t byte;
5198 EXPECT_EQ(SSL_read(server2.get(), &byte, 1), 1);
5199 EXPECT_EQ(byte_written, byte);
5200
5201 byte = 44;
5202 EXPECT_EQ(SSL_write(server2.get(), &byte, 1), 1);
5203 EXPECT_EQ(SSL_read(client.get(), &byte, 1), 1);
5204 EXPECT_EQ(44, byte);
Matthew Braithwaite134fb892019-11-26 17:56:11 -0800[diff] [blame]5205 }
Matthew Braithwaite134fb892019-11-26 17:56:11 -0800[diff] [blame]5206 }
Adam Langleyddb57cf2018-01-26 09:17:53 -0800[diff] [blame]5207}
5208
5209TEST(SSLTest, HandoffDeclined) {
5210 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
David Benjamin9b2cdb72021-04-01 23:21:53 -0400[diff] [blame]5211 bssl::UniquePtr<SSL_CTX> server_ctx(
5212 CreateContextWithTestCertificate(TLS_method()));
Adam Langleyddb57cf2018-01-26 09:17:53 -0800[diff] [blame]5213 ASSERT_TRUE(client_ctx);
5214 ASSERT_TRUE(server_ctx);
5215
5216 SSL_CTX_set_handoff_mode(server_ctx.get(), 1);
5217 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_2_VERSION));
5218
Adam Langleyddb57cf2018-01-26 09:17:53 -0800[diff] [blame]5219 bssl::UniquePtr<SSL> client, server;
David Benjamin9b2cdb72021-04-01 23:21:53 -0400[diff] [blame]5220 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
5221 server_ctx.get()));
Adam Langleyddb57cf2018-01-26 09:17:53 -0800[diff] [blame]5222
5223 int client_ret = SSL_do_handshake(client.get());
5224 int client_err = SSL_get_error(client.get(), client_ret);
5225 ASSERT_EQ(client_err, SSL_ERROR_WANT_READ);
5226
5227 int server_ret = SSL_do_handshake(server.get());
5228 int server_err = SSL_get_error(server.get(), server_ret);
5229 ASSERT_EQ(server_err, SSL_ERROR_HANDOFF);
5230
5231 ScopedCBB cbb;
Adam Langleyc9827e02019-04-12 14:46:50 -0700[diff] [blame]5232 SSL_CLIENT_HELLO hello;
Adam Langleyddb57cf2018-01-26 09:17:53 -0800[diff] [blame]5233 ASSERT_TRUE(CBB_init(cbb.get(), 256));
Adam Langleyc9827e02019-04-12 14:46:50 -0700[diff] [blame]5234 ASSERT_TRUE(SSL_serialize_handoff(server.get(), cbb.get(), &hello));
Adam Langleyddb57cf2018-01-26 09:17:53 -0800[diff] [blame]5235
5236 ASSERT_TRUE(SSL_decline_handoff(server.get()));
5237
5238 ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
5239
5240 uint8_t byte = 42;
5241 EXPECT_EQ(SSL_write(client.get(), &byte, 1), 1);
5242 EXPECT_EQ(SSL_read(server.get(), &byte, 1), 1);
5243 EXPECT_EQ(42, byte);
5244
5245 byte = 43;
5246 EXPECT_EQ(SSL_write(server.get(), &byte, 1), 1);
5247 EXPECT_EQ(SSL_read(client.get(), &byte, 1), 1);
5248 EXPECT_EQ(43, byte);
5249}
5250
Adam Langley826ce152018-08-03 10:31:21 -0700[diff] [blame]5251static std::string SigAlgsToString(Span<const uint16_t> sigalgs) {
5252 std::string ret = "{";
5253
5254 for (uint16_t v : sigalgs) {
5255 if (ret.size() > 1) {
5256 ret += ", ";
5257 }
5258
5259 char buf[8];
5260 snprintf(buf, sizeof(buf) - 1, "0x%02x", v);
5261 buf[sizeof(buf)-1] = 0;
5262 ret += std::string(buf);
5263 }
5264
5265 ret += "}";
5266 return ret;
5267}
5268
5269void ExpectSigAlgsEqual(Span<const uint16_t> expected,
5270 Span<const uint16_t> actual) {
5271 bool matches = false;
5272 if (expected.size() == actual.size()) {
5273 matches = true;
5274
5275 for (size_t i = 0; i < expected.size(); i++) {
5276 if (expected[i] != actual[i]) {
5277 matches = false;
5278 break;
5279 }
5280 }
5281 }
5282
5283 if (!matches) {
5284 ADD_FAILURE() << "expected: " << SigAlgsToString(expected)
5285 << " got: " << SigAlgsToString(actual);
5286 }
5287}
5288
5289TEST(SSLTest, SigAlgs) {
5290 static const struct {
5291 std::vector<int> input;
5292 bool ok;
5293 std::vector<uint16_t> expected;
5294 } kTests[] = {
5295 {{}, true, {}},
5296 {{1}, false, {}},
5297 {{1, 2, 3}, false, {}},
5298 {{NID_sha256, EVP_PKEY_ED25519}, false, {}},
5299 {{NID_sha256, EVP_PKEY_RSA, NID_sha256, EVP_PKEY_RSA}, false, {}},
5300
5301 {{NID_sha256, EVP_PKEY_RSA}, true, {SSL_SIGN_RSA_PKCS1_SHA256}},
5302 {{NID_sha512, EVP_PKEY_RSA}, true, {SSL_SIGN_RSA_PKCS1_SHA512}},
5303 {{NID_sha256, EVP_PKEY_RSA_PSS}, true, {SSL_SIGN_RSA_PSS_RSAE_SHA256}},
5304 {{NID_undef, EVP_PKEY_ED25519}, true, {SSL_SIGN_ED25519}},
5305 {{NID_undef, EVP_PKEY_ED25519, NID_sha384, EVP_PKEY_EC},
5306 true,
5307 {SSL_SIGN_ED25519, SSL_SIGN_ECDSA_SECP384R1_SHA384}},
5308 };
5309
5310 UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
5311
5312 unsigned n = 1;
5313 for (const auto &test : kTests) {
5314 SCOPED_TRACE(n++);
5315
5316 const bool ok =
5317 SSL_CTX_set1_sigalgs(ctx.get(), test.input.data(), test.input.size());
5318 EXPECT_EQ(ok, test.ok);
5319
5320 if (!ok) {
5321 ERR_clear_error();
5322 }
5323
5324 if (!test.ok) {
5325 continue;
5326 }
5327
5328 ExpectSigAlgsEqual(test.expected, ctx->cert->sigalgs);
5329 }
5330}
5331
5332TEST(SSLTest, SigAlgsList) {
5333 static const struct {
5334 const char *input;
5335 bool ok;
5336 std::vector<uint16_t> expected;
5337 } kTests[] = {
5338 {"", false, {}},
5339 {":", false, {}},
5340 {"+", false, {}},
5341 {"RSA", false, {}},
5342 {"RSA+", false, {}},
5343 {"RSA+SHA256:", false, {}},
5344 {":RSA+SHA256:", false, {}},
5345 {":RSA+SHA256+:", false, {}},
5346 {"!", false, {}},
5347 {"\x01", false, {}},
5348 {"RSA+SHA256:RSA+SHA384:RSA+SHA256", false, {}},
5349 {"RSA-PSS+SHA256:rsa_pss_rsae_sha256", false, {}},
5350
5351 {"RSA+SHA256", true, {SSL_SIGN_RSA_PKCS1_SHA256}},
5352 {"RSA+SHA256:ed25519",
5353 true,
5354 {SSL_SIGN_RSA_PKCS1_SHA256, SSL_SIGN_ED25519}},
5355 {"ECDSA+SHA256:RSA+SHA512",
5356 true,
5357 {SSL_SIGN_ECDSA_SECP256R1_SHA256, SSL_SIGN_RSA_PKCS1_SHA512}},
5358 {"ecdsa_secp256r1_sha256:rsa_pss_rsae_sha256",
5359 true,
5360 {SSL_SIGN_ECDSA_SECP256R1_SHA256, SSL_SIGN_RSA_PSS_RSAE_SHA256}},
5361 {"RSA-PSS+SHA256", true, {SSL_SIGN_RSA_PSS_RSAE_SHA256}},
5362 {"PSS+SHA256", true, {SSL_SIGN_RSA_PSS_RSAE_SHA256}},
5363 };
5364
5365 UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
5366
5367 unsigned n = 1;
5368 for (const auto &test : kTests) {
5369 SCOPED_TRACE(n++);
5370
5371 const bool ok = SSL_CTX_set1_sigalgs_list(ctx.get(), test.input);
5372 EXPECT_EQ(ok, test.ok);
5373
5374 if (!ok) {
5375 if (test.ok) {
5376 ERR_print_errors_fp(stderr);
5377 }
5378 ERR_clear_error();
5379 }
5380
5381 if (!test.ok) {
5382 continue;
5383 }
5384
5385 ExpectSigAlgsEqual(test.expected, ctx->cert->sigalgs);
5386 }
5387}
5388
Matthew Braithwaited2ed3822018-07-10 16:27:22 -0700[diff] [blame]5389TEST(SSLTest, ApplyHandoffRemovesUnsupportedCiphers) {
5390 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
5391 bssl::UniquePtr<SSL> server(SSL_new(server_ctx.get()));
5392
5393 // handoff is a handoff message that has been artificially modified to pretend
5394 // that only cipher 0x0A is supported. When it is applied to |server|, all
5395 // ciphers but that one should be removed.
Matthew Braithwaitec65eb2c2018-11-02 17:29:35 -0700[diff] [blame]5396 //
5397 // To make a new one of these, try sticking this in the |Handoff| test above:
5398 //
5399 // hexdump(stderr, "", handoff.data(), handoff.size());
5400 // sed -e 's/\(..\)/0x\1, /g'
5401 //
5402 // and modify serialize_features() to emit only cipher 0x0A.
5403
Matthew Braithwaited2ed3822018-07-10 16:27:22 -0700[diff] [blame]5404 uint8_t handoff[] = {
Matthew Braithwaitec65eb2c2018-11-02 17:29:35 -0700[diff] [blame]5405 0x30, 0x81, 0x9a, 0x02, 0x01, 0x00, 0x04, 0x00, 0x04, 0x81, 0x82, 0x01,
5406 0x00, 0x00, 0x7e, 0x03, 0x03, 0x30, 0x8e, 0x8f, 0x79, 0xd2, 0x87, 0x39,
5407 0xc2, 0x23, 0x23, 0x13, 0xca, 0x3c, 0x80, 0x44, 0xfd, 0x80, 0x83, 0x62,
5408 0x3c, 0xcc, 0xf8, 0x76, 0xd3, 0x62, 0xbb, 0x54, 0xe3, 0xc4, 0x39, 0x24,
5409 0xa5, 0x00, 0x00, 0x1e, 0xc0, 0x2b, 0xc0, 0x2f, 0xc0, 0x2c, 0xc0, 0x30,
Matthew Braithwaited2ed3822018-07-10 16:27:22 -0700[diff] [blame]5410 0xcc, 0xa9, 0xcc, 0xa8, 0xc0, 0x09, 0xc0, 0x13, 0xc0, 0x0a, 0xc0, 0x14,
5411 0x00, 0x9c, 0x00, 0x9d, 0x00, 0x2f, 0x00, 0x35, 0x00, 0x0a, 0x01, 0x00,
Matthew Braithwaitec65eb2c2018-11-02 17:29:35 -0700[diff] [blame]5412 0x00, 0x37, 0x00, 0x17, 0x00, 0x00, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00,
5413 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00,
5414 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00,
5415 0x14, 0x00, 0x12, 0x04, 0x03, 0x08, 0x04, 0x04, 0x01, 0x05, 0x03, 0x08,
5416 0x05, 0x05, 0x01, 0x08, 0x06, 0x06, 0x01, 0x02, 0x01, 0x04, 0x02, 0x00,
5417 0x0a, 0x04, 0x0a, 0x00, 0x15, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x00,
5418 0x1d,
Matthew Braithwaited2ed3822018-07-10 16:27:22 -0700[diff] [blame]5419 };
5420
5421 EXPECT_EQ(20u, sk_SSL_CIPHER_num(SSL_get_ciphers(server.get())));
5422 ASSERT_TRUE(
5423 SSL_apply_handoff(server.get(), {handoff, OPENSSL_ARRAY_SIZE(handoff)}));
5424 EXPECT_EQ(1u, sk_SSL_CIPHER_num(SSL_get_ciphers(server.get())));
5425}
5426
Matthew Braithwaitec65eb2c2018-11-02 17:29:35 -0700[diff] [blame]5427TEST(SSLTest, ApplyHandoffRemovesUnsupportedCurves) {
5428 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
5429 bssl::UniquePtr<SSL> server(SSL_new(server_ctx.get()));
5430
5431 // handoff is a handoff message that has been artificially modified to pretend
5432 // that only one curve is supported. When it is applied to |server|, all
5433 // curves but that one should be removed.
5434 //
5435 // See |ApplyHandoffRemovesUnsupportedCiphers| for how to make a new one of
5436 // these.
5437 uint8_t handoff[] = {
5438 0x30, 0x81, 0xc0, 0x02, 0x01, 0x00, 0x04, 0x00, 0x04, 0x81, 0x82, 0x01,
5439 0x00, 0x00, 0x7e, 0x03, 0x03, 0x98, 0x30, 0xce, 0xd9, 0xb0, 0xdf, 0x5f,
5440 0x82, 0x05, 0x4a, 0x43, 0x67, 0x7e, 0xdb, 0x6a, 0x4f, 0x21, 0x18, 0x4e,
5441 0x0d, 0x94, 0x63, 0x18, 0x8b, 0x54, 0x89, 0xdb, 0x8b, 0x1d, 0x84, 0xbc,
5442 0x09, 0x00, 0x00, 0x1e, 0xc0, 0x2b, 0xc0, 0x2f, 0xc0, 0x2c, 0xc0, 0x30,
5443 0xcc, 0xa9, 0xcc, 0xa8, 0xc0, 0x09, 0xc0, 0x13, 0xc0, 0x0a, 0xc0, 0x14,
5444 0x00, 0x9c, 0x00, 0x9d, 0x00, 0x2f, 0x00, 0x35, 0x00, 0x0a, 0x01, 0x00,
5445 0x00, 0x37, 0x00, 0x17, 0x00, 0x00, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00,
5446 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00,
5447 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00,
5448 0x14, 0x00, 0x12, 0x04, 0x03, 0x08, 0x04, 0x04, 0x01, 0x05, 0x03, 0x08,
5449 0x05, 0x05, 0x01, 0x08, 0x06, 0x06, 0x01, 0x02, 0x01, 0x04, 0x30, 0x00,
5450 0x02, 0x00, 0x0a, 0x00, 0x2f, 0x00, 0x35, 0x00, 0x8c, 0x00, 0x8d, 0x00,
5451 0x9c, 0x00, 0x9d, 0x13, 0x01, 0x13, 0x02, 0x13, 0x03, 0xc0, 0x09, 0xc0,
5452 0x0a, 0xc0, 0x13, 0xc0, 0x14, 0xc0, 0x2b, 0xc0, 0x2c, 0xc0, 0x2f, 0xc0,
5453 0x30, 0xc0, 0x35, 0xc0, 0x36, 0xcc, 0xa8, 0xcc, 0xa9, 0xcc, 0xac, 0x04,
5454 0x02, 0x00, 0x17,
5455 };
5456
5457 // The zero length means that the default list of groups is used.
5458 EXPECT_EQ(0u, server->config->supported_group_list.size());
5459 ASSERT_TRUE(
5460 SSL_apply_handoff(server.get(), {handoff, OPENSSL_ARRAY_SIZE(handoff)}));
5461 EXPECT_EQ(1u, server->config->supported_group_list.size());
5462}
5463
Adam Langleyba9ad662018-12-17 13:59:38 -0800[diff] [blame]5464TEST(SSLTest, ZeroSizedWiteFlushesHandshakeMessages) {
5465 // If there are pending handshake mesages, an |SSL_write| of zero bytes should
5466 // flush them.
David Benjamin9b2cdb72021-04-01 23:21:53 -0400[diff] [blame]5467 bssl::UniquePtr<SSL_CTX> server_ctx(
5468 CreateContextWithTestCertificate(TLS_method()));
Adam Langleyba9ad662018-12-17 13:59:38 -0800[diff] [blame]5469 EXPECT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
5470 EXPECT_TRUE(SSL_CTX_set_min_proto_version(server_ctx.get(), TLS1_3_VERSION));
Adam Langleyba9ad662018-12-17 13:59:38 -0800[diff] [blame]5471
5472 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
5473 EXPECT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION));
5474 EXPECT_TRUE(SSL_CTX_set_min_proto_version(client_ctx.get(), TLS1_3_VERSION));
5475
5476 bssl::UniquePtr<SSL> client, server;
5477 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
5478 server_ctx.get()));
5479
5480 BIO *client_wbio = SSL_get_wbio(client.get());
5481 EXPECT_EQ(0u, BIO_wpending(client_wbio));
5482 EXPECT_TRUE(SSL_key_update(client.get(), SSL_KEY_UPDATE_NOT_REQUESTED));
5483 EXPECT_EQ(0u, BIO_wpending(client_wbio));
5484 EXPECT_EQ(0, SSL_write(client.get(), nullptr, 0));
5485 EXPECT_NE(0u, BIO_wpending(client_wbio));
5486}
5487
David Benjamin5869eb32018-07-17 00:59:45 -0400[diff] [blame]5488TEST_P(SSLVersionTest, VerifyBeforeCertRequest) {
5489 // Configure the server to request client certificates.
5490 SSL_CTX_set_custom_verify(
5491 server_ctx_.get(), SSL_VERIFY_PEER,
5492 [](SSL *ssl, uint8_t *out_alert) { return ssl_verify_ok; });
5493
5494 // Configure the client to reject the server certificate.
5495 SSL_CTX_set_custom_verify(
5496 client_ctx_.get(), SSL_VERIFY_PEER,
5497 [](SSL *ssl, uint8_t *out_alert) { return ssl_verify_invalid; });
5498
5499 // cert_cb should not be called. Verification should fail first.
5500 SSL_CTX_set_cert_cb(client_ctx_.get(),
5501 [](SSL *ssl, void *arg) {
5502 ADD_FAILURE() << "cert_cb unexpectedly called";
5503 return 0;
5504 },
5505 nullptr);
5506
5507 bssl::UniquePtr<SSL> client, server;
5508 EXPECT_FALSE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
5509 server_ctx_.get()));
5510}
5511
David Benjamin492c9aa2018-08-31 16:35:22 -0500[diff] [blame]5512// Test that ticket-based sessions on the client get fake session IDs.
5513TEST_P(SSLVersionTest, FakeIDsForTickets) {
5514 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
5515 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
5516
5517 bssl::UniquePtr<SSL_SESSION> session =
5518 CreateClientSession(client_ctx_.get(), server_ctx_.get());
5519 ASSERT_TRUE(session);
5520
5521 EXPECT_TRUE(SSL_SESSION_has_ticket(session.get()));
5522 unsigned session_id_length;
5523 SSL_SESSION_get_id(session.get(), &session_id_length);
5524 EXPECT_NE(session_id_length, 0u);
5525}
5526
David Benjamin6c04bd12018-07-19 18:13:09 -0400[diff] [blame]5527// These tests test multi-threaded behavior. They are intended to run with
5528// ThreadSanitizer.
David Benjamin5b33eff2018-09-22 16:52:48 -0700[diff] [blame]5529#if defined(OPENSSL_THREADS)
David Benjamin6c04bd12018-07-19 18:13:09 -0400[diff] [blame]5530TEST_P(SSLVersionTest, SessionCacheThreads) {
5531 SSL_CTX_set_options(server_ctx_.get(), SSL_OP_NO_TICKET);
5532 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
5533 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
5534
5535 if (version() == TLS1_3_VERSION) {
5536 // Our TLS 1.3 implementation does not support stateful resumption.
5537 ASSERT_FALSE(CreateClientSession(client_ctx_.get(), server_ctx_.get()));
5538 return;
5539 }
5540
5541 // Establish two client sessions to test with.
5542 bssl::UniquePtr<SSL_SESSION> session1 =
5543 CreateClientSession(client_ctx_.get(), server_ctx_.get());
5544 ASSERT_TRUE(session1);
5545 bssl::UniquePtr<SSL_SESSION> session2 =
5546 CreateClientSession(client_ctx_.get(), server_ctx_.get());
5547 ASSERT_TRUE(session2);
5548
5549 auto connect_with_session = [&](SSL_SESSION *session) {
5550 ClientConfig config;
5551 config.session = session;
5552 UniquePtr<SSL> client, server;
5553 EXPECT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
5554 server_ctx_.get(), config));
5555 };
5556
5557 // Resume sessions in parallel with establishing new ones.
5558 {
5559 std::vector<std::thread> threads;
5560 threads.emplace_back([&] { connect_with_session(nullptr); });
5561 threads.emplace_back([&] { connect_with_session(nullptr); });
5562 threads.emplace_back([&] { connect_with_session(session1.get()); });
5563 threads.emplace_back([&] { connect_with_session(session1.get()); });
5564 threads.emplace_back([&] { connect_with_session(session2.get()); });
5565 threads.emplace_back([&] { connect_with_session(session2.get()); });
5566 for (auto &thread : threads) {
5567 thread.join();
5568 }
5569 }
5570
David Benjamina10017c2021-06-16 16:00:13 -0400[diff] [blame]5571 // Hit the maximum session cache size across multiple threads, to test the
5572 // size enforcement logic.
David Benjamin6c04bd12018-07-19 18:13:09 -0400[diff] [blame]5573 size_t limit = SSL_CTX_sess_number(server_ctx_.get()) + 2;
5574 SSL_CTX_sess_set_cache_size(server_ctx_.get(), limit);
5575 {
5576 std::vector<std::thread> threads;
5577 for (int i = 0; i < 4; i++) {
5578 threads.emplace_back([&]() {
5579 connect_with_session(nullptr);
5580 EXPECT_LE(SSL_CTX_sess_number(server_ctx_.get()), limit);
5581 });
5582 }
5583 for (auto &thread : threads) {
5584 thread.join();
5585 }
5586 EXPECT_EQ(SSL_CTX_sess_number(server_ctx_.get()), limit);
5587 }
David Benjamina10017c2021-06-16 16:00:13 -0400[diff] [blame]5588
5589 // Reset the session cache, this time with a mock clock.
5590 ASSERT_NO_FATAL_FAILURE(ResetContexts());
5591 SSL_CTX_set_options(server_ctx_.get(), SSL_OP_NO_TICKET);
5592 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
5593 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
5594 SSL_CTX_set_current_time_cb(server_ctx_.get(), CurrentTimeCallback);
5595
5596 // Make some sessions at an arbitrary start time. Then expire them.
5597 g_current_time.tv_sec = 1000;
5598 bssl::UniquePtr<SSL_SESSION> expired_session1 =
5599 CreateClientSession(client_ctx_.get(), server_ctx_.get());
5600 ASSERT_TRUE(expired_session1);
5601 bssl::UniquePtr<SSL_SESSION> expired_session2 =
5602 CreateClientSession(client_ctx_.get(), server_ctx_.get());
5603 ASSERT_TRUE(expired_session2);
5604 g_current_time.tv_sec += 100 * SSL_DEFAULT_SESSION_TIMEOUT;
5605
5606 session1 = CreateClientSession(client_ctx_.get(), server_ctx_.get());
5607 ASSERT_TRUE(session1);
5608
5609 // Every 256 connections, we flush stale sessions from the session cache. Test
5610 // this logic is correctly synchronized with other connection attempts.
5611 static const int kNumConnections = 256;
5612 {
5613 std::vector<std::thread> threads;
5614 threads.emplace_back([&] {
5615 for (int i = 0; i < kNumConnections; i++) {
5616 connect_with_session(nullptr);
5617 }
5618 });
5619 threads.emplace_back([&] {
5620 for (int i = 0; i < kNumConnections; i++) {
5621 connect_with_session(nullptr);
5622 }
5623 });
5624 threads.emplace_back([&] {
5625 // Never connect with |expired_session2|. The session cache eagerly
5626 // removes expired sessions when it sees them. Leaving |expired_session2|
5627 // untouched ensures it is instead cleared by periodic flushing.
5628 for (int i = 0; i < kNumConnections; i++) {
5629 connect_with_session(expired_session1.get());
5630 }
5631 });
5632 threads.emplace_back([&] {
5633 for (int i = 0; i < kNumConnections; i++) {
5634 connect_with_session(session1.get());
5635 }
5636 });
5637 for (auto &thread : threads) {
5638 thread.join();
5639 }
5640 }
David Benjamin6c04bd12018-07-19 18:13:09 -0400[diff] [blame]5641}
5642
5643TEST_P(SSLVersionTest, SessionTicketThreads) {
5644 for (bool renew_ticket : {false, true}) {
5645 SCOPED_TRACE(renew_ticket);
5646 ResetContexts();
5647 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
5648 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
5649 if (renew_ticket) {
5650 SSL_CTX_set_tlsext_ticket_key_cb(server_ctx_.get(), RenewTicketCallback);
5651 }
5652
5653 // Establish two client sessions to test with.
5654 bssl::UniquePtr<SSL_SESSION> session1 =
5655 CreateClientSession(client_ctx_.get(), server_ctx_.get());
5656 ASSERT_TRUE(session1);
5657 bssl::UniquePtr<SSL_SESSION> session2 =
5658 CreateClientSession(client_ctx_.get(), server_ctx_.get());
5659 ASSERT_TRUE(session2);
5660
5661 auto connect_with_session = [&](SSL_SESSION *session) {
5662 ClientConfig config;
5663 config.session = session;
5664 UniquePtr<SSL> client, server;
5665 EXPECT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
5666 server_ctx_.get(), config));
5667 };
5668
5669 // Resume sessions in parallel with establishing new ones.
5670 {
5671 std::vector<std::thread> threads;
5672 threads.emplace_back([&] { connect_with_session(nullptr); });
5673 threads.emplace_back([&] { connect_with_session(nullptr); });
5674 threads.emplace_back([&] { connect_with_session(session1.get()); });
5675 threads.emplace_back([&] { connect_with_session(session1.get()); });
5676 threads.emplace_back([&] { connect_with_session(session2.get()); });
5677 threads.emplace_back([&] { connect_with_session(session2.get()); });
5678 for (auto &thread : threads) {
5679 thread.join();
5680 }
5681 }
5682 }
5683}
5684
5685// SSL_CTX_get0_certificate needs to lock internally. Test this works.
5686TEST(SSLTest, GetCertificateThreads) {
5687 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
5688 ASSERT_TRUE(ctx);
5689 bssl::UniquePtr<X509> cert = GetTestCertificate();
5690 ASSERT_TRUE(cert);
5691 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), cert.get()));
5692
5693 // Existing code expects |SSL_CTX_get0_certificate| to be callable from two
5694 // threads concurrently. It originally was an immutable operation. Now we
5695 // implement it with a thread-safe cache, so it is worth testing.
5696 X509 *cert2_thread;
5697 std::thread thread(
5698 [&] { cert2_thread = SSL_CTX_get0_certificate(ctx.get()); });
5699 X509 *cert2 = SSL_CTX_get0_certificate(ctx.get());
5700 thread.join();
5701
5702 EXPECT_EQ(cert2, cert2_thread);
5703 EXPECT_EQ(0, X509_cmp(cert.get(), cert2));
5704}
David Benjamin4cce9552018-12-13 12:20:54 -0600[diff] [blame]5705
5706// Functions which access properties on the negotiated session are thread-safe
5707// where needed. Prior to TLS 1.3, clients resuming sessions and servers
5708// performing stateful resumption will share an underlying SSL_SESSION object,
5709// potentially across threads.
5710TEST_P(SSLVersionTest, SessionPropertiesThreads) {
5711 if (version() == TLS1_3_VERSION) {
5712 // Our TLS 1.3 implementation does not support stateful resumption.
5713 ASSERT_FALSE(CreateClientSession(client_ctx_.get(), server_ctx_.get()));
5714 return;
5715 }
5716
5717 SSL_CTX_set_options(server_ctx_.get(), SSL_OP_NO_TICKET);
5718 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
5719 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
5720
5721 ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
5722 ASSERT_TRUE(UseCertAndKey(server_ctx_.get()));
5723
5724 // Configure mutual authentication, so we have more session state.
5725 SSL_CTX_set_custom_verify(
5726 client_ctx_.get(), SSL_VERIFY_PEER,
5727 [](SSL *ssl, uint8_t *out_alert) { return ssl_verify_ok; });
5728 SSL_CTX_set_custom_verify(
5729 server_ctx_.get(), SSL_VERIFY_PEER,
5730 [](SSL *ssl, uint8_t *out_alert) { return ssl_verify_ok; });
5731
5732 // Establish a client session to test with.
5733 bssl::UniquePtr<SSL_SESSION> session =
5734 CreateClientSession(client_ctx_.get(), server_ctx_.get());
5735 ASSERT_TRUE(session);
5736
5737 // Resume with it twice.
5738 UniquePtr<SSL> ssls[4];
5739 ClientConfig config;
5740 config.session = session.get();
5741 ASSERT_TRUE(ConnectClientAndServer(&ssls[0], &ssls[1], client_ctx_.get(),
5742 server_ctx_.get(), config));
5743 ASSERT_TRUE(ConnectClientAndServer(&ssls[2], &ssls[3], client_ctx_.get(),
5744 server_ctx_.get(), config));
5745
5746 // Read properties in parallel.
5747 auto read_properties = [](const SSL *ssl) {
5748 EXPECT_TRUE(SSL_get_peer_cert_chain(ssl));
5749 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(ssl));
5750 EXPECT_TRUE(peer);
5751 EXPECT_TRUE(SSL_get_current_cipher(ssl));
5752 EXPECT_TRUE(SSL_get_curve_id(ssl));
5753 };
5754
5755 std::vector<std::thread> threads;
5756 for (const auto &ssl_ptr : ssls) {
5757 const SSL *ssl = ssl_ptr.get();
5758 threads.emplace_back([=] { read_properties(ssl); });
5759 }
5760 for (auto &thread : threads) {
5761 thread.join();
5762 }
5763}
David Benjamina486c6c2019-03-28 18:32:38 -0500[diff] [blame]5764#endif // OPENSSL_THREADS
David Benjamin6c04bd12018-07-19 18:13:09 -0400[diff] [blame]5765
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5766constexpr size_t kNumQUICLevels = 4;
5767static_assert(ssl_encryption_initial < kNumQUICLevels,
5768 "kNumQUICLevels is wrong");
5769static_assert(ssl_encryption_early_data < kNumQUICLevels,
5770 "kNumQUICLevels is wrong");
5771static_assert(ssl_encryption_handshake < kNumQUICLevels,
5772 "kNumQUICLevels is wrong");
5773static_assert(ssl_encryption_application < kNumQUICLevels,
5774 "kNumQUICLevels is wrong");
5775
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]5776const char *LevelToString(ssl_encryption_level_t level) {
5777 switch (level) {
5778 case ssl_encryption_initial:
5779 return "initial";
5780 case ssl_encryption_early_data:
5781 return "early data";
5782 case ssl_encryption_handshake:
5783 return "handshake";
5784 case ssl_encryption_application:
5785 return "application";
5786 }
5787 return "<unknown>";
5788}
5789
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5790class MockQUICTransport {
5791 public:
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5792 enum class Role { kClient, kServer };
5793
5794 explicit MockQUICTransport(Role role) : role_(role) {
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5795 // The caller is expected to configure initial secrets.
5796 levels_[ssl_encryption_initial].write_secret = {1};
5797 levels_[ssl_encryption_initial].read_secret = {1};
5798 }
5799
5800 void set_peer(MockQUICTransport *peer) { peer_ = peer; }
5801
5802 bool has_alert() const { return has_alert_; }
5803 ssl_encryption_level_t alert_level() const { return alert_level_; }
5804 uint8_t alert() const { return alert_; }
5805
5806 bool PeerSecretsMatch(ssl_encryption_level_t level) const {
5807 return levels_[level].write_secret == peer_->levels_[level].read_secret &&
Steven Valdez384d0ea2018-11-06 10:45:36 -0500[diff] [blame]5808 levels_[level].read_secret == peer_->levels_[level].write_secret &&
5809 levels_[level].cipher == peer_->levels_[level].cipher;
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5810 }
5811
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]5812 bool HasReadSecret(ssl_encryption_level_t level) const {
5813 return !levels_[level].read_secret.empty();
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5814 }
5815
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]5816 bool HasWriteSecret(ssl_encryption_level_t level) const {
5817 return !levels_[level].write_secret.empty();
5818 }
5819
David Benjamin5298ef92020-03-13 12:17:30 -0400[diff] [blame]5820 void AllowOutOfOrderWrites() { allow_out_of_order_writes_ = true; }
5821
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]5822 bool SetReadSecret(ssl_encryption_level_t level, const SSL_CIPHER *cipher,
5823 Span<const uint8_t> secret) {
5824 if (HasReadSecret(level)) {
5825 ADD_FAILURE() << LevelToString(level) << " read secret configured twice";
5826 return false;
5827 }
5828
5829 if (role_ == Role::kClient && level == ssl_encryption_early_data) {
5830 ADD_FAILURE() << "Unexpected early data read secret";
5831 return false;
5832 }
5833
5834 ssl_encryption_level_t ack_level =
5835 level == ssl_encryption_early_data ? ssl_encryption_application : level;
5836 if (!HasWriteSecret(ack_level)) {
5837 ADD_FAILURE() << LevelToString(level)
5838 << " read secret configured before ACK write secret";
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5839 return false;
5840 }
Steven Valdez384d0ea2018-11-06 10:45:36 -0500[diff] [blame]5841
5842 if (cipher == nullptr) {
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]5843 ADD_FAILURE() << "Unexpected null cipher";
Steven Valdez384d0ea2018-11-06 10:45:36 -0500[diff] [blame]5844 return false;
5845 }
5846
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]5847 if (level != ssl_encryption_early_data &&
5848 SSL_CIPHER_get_id(cipher) != levels_[level].cipher) {
5849 ADD_FAILURE() << "Cipher suite inconsistent";
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5850 return false;
5851 }
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5852
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]5853 levels_[level].read_secret.assign(secret.begin(), secret.end());
5854 levels_[level].cipher = SSL_CIPHER_get_id(cipher);
5855 return true;
5856 }
5857
5858 bool SetWriteSecret(ssl_encryption_level_t level, const SSL_CIPHER *cipher,
5859 Span<const uint8_t> secret) {
5860 if (HasWriteSecret(level)) {
5861 ADD_FAILURE() << LevelToString(level) << " write secret configured twice";
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5862 return false;
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5863 }
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5864
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]5865 if (role_ == Role::kServer && level == ssl_encryption_early_data) {
5866 ADD_FAILURE() << "Unexpected early data write secret";
5867 return false;
5868 }
5869
5870 if (cipher == nullptr) {
5871 ADD_FAILURE() << "Unexpected null cipher";
5872 return false;
5873 }
5874
5875 levels_[level].write_secret.assign(secret.begin(), secret.end());
Steven Valdez384d0ea2018-11-06 10:45:36 -0500[diff] [blame]5876 levels_[level].cipher = SSL_CIPHER_get_id(cipher);
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5877 return true;
5878 }
5879
5880 bool WriteHandshakeData(ssl_encryption_level_t level,
5881 Span<const uint8_t> data) {
5882 if (levels_[level].write_secret.empty()) {
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]5883 ADD_FAILURE() << LevelToString(level)
5884 << " write secret not yet configured";
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5885 return false;
5886 }
David Benjamin5298ef92020-03-13 12:17:30 -0400[diff] [blame]5887
5888 // Although the levels are conceptually separate, BoringSSL finishes writing
5889 // data from a previous level before installing keys for the next level.
5890 if (!allow_out_of_order_writes_) {
5891 switch (level) {
5892 case ssl_encryption_early_data:
5893 ADD_FAILURE() << "unexpected handshake data at early data level";
5894 return false;
5895 case ssl_encryption_initial:
5896 if (!levels_[ssl_encryption_handshake].write_secret.empty()) {
5897 ADD_FAILURE()
5898 << LevelToString(level)
5899 << " handshake data written after handshake keys installed";
5900 return false;
5901 }
5902 OPENSSL_FALLTHROUGH;
5903 case ssl_encryption_handshake:
5904 if (!levels_[ssl_encryption_application].write_secret.empty()) {
5905 ADD_FAILURE()
5906 << LevelToString(level)
5907 << " handshake data written after application keys installed";
5908 return false;
5909 }
5910 OPENSSL_FALLTHROUGH;
5911 case ssl_encryption_application:
5912 break;
5913 }
5914 }
5915
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5916 levels_[level].write_data.insert(levels_[level].write_data.end(),
5917 data.begin(), data.end());
5918 return true;
5919 }
5920
5921 bool SendAlert(ssl_encryption_level_t level, uint8_t alert_value) {
5922 if (has_alert_) {
5923 ADD_FAILURE() << "duplicate alert sent";
5924 return false;
5925 }
5926
5927 if (levels_[level].write_secret.empty()) {
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]5928 ADD_FAILURE() << LevelToString(level)
5929 << " write secret not yet configured";
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5930 return false;
5931 }
5932
5933 has_alert_ = true;
5934 alert_level_ = level;
5935 alert_ = alert_value;
5936 return true;
5937 }
5938
5939 bool ReadHandshakeData(std::vector<uint8_t> *out,
5940 ssl_encryption_level_t level,
5941 size_t num = std::numeric_limits<size_t>::max()) {
5942 if (levels_[level].read_secret.empty()) {
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5943 ADD_FAILURE() << "data read before keys configured in level " << level;
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5944 return false;
5945 }
5946 // The peer may not have configured any keys yet.
5947 if (peer_->levels_[level].write_secret.empty()) {
David Benjamind0b97942019-08-21 12:54:20 -0400[diff] [blame]5948 out->clear();
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5949 return true;
5950 }
5951 // Check the peer computed the same key.
5952 if (peer_->levels_[level].write_secret != levels_[level].read_secret) {
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5953 ADD_FAILURE() << "peer write key does not match read key in level "
5954 << level;
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5955 return false;
5956 }
Steven Valdez384d0ea2018-11-06 10:45:36 -0500[diff] [blame]5957 if (peer_->levels_[level].cipher != levels_[level].cipher) {
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5958 ADD_FAILURE() << "peer cipher does not match in level " << level;
Steven Valdez384d0ea2018-11-06 10:45:36 -0500[diff] [blame]5959 return false;
5960 }
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5961 std::vector<uint8_t> *peer_data = &peer_->levels_[level].write_data;
5962 num = std::min(num, peer_data->size());
5963 out->assign(peer_data->begin(), peer_data->begin() + num);
5964 peer_data->erase(peer_data->begin(), peer_data->begin() + num);
5965 return true;
5966 }
5967
5968 private:
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5969 Role role_;
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5970 MockQUICTransport *peer_ = nullptr;
5971
David Benjamin5298ef92020-03-13 12:17:30 -0400[diff] [blame]5972 bool allow_out_of_order_writes_ = false;
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5973 bool has_alert_ = false;
5974 ssl_encryption_level_t alert_level_ = ssl_encryption_initial;
5975 uint8_t alert_ = 0;
5976
5977 struct Level {
5978 std::vector<uint8_t> write_data;
5979 std::vector<uint8_t> write_secret;
5980 std::vector<uint8_t> read_secret;
Steven Valdez384d0ea2018-11-06 10:45:36 -0500[diff] [blame]5981 uint32_t cipher = 0;
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5982 };
5983 Level levels_[kNumQUICLevels];
5984};
5985
5986class MockQUICTransportPair {
5987 public:
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5988 MockQUICTransportPair()
5989 : client_(MockQUICTransport::Role::kClient),
5990 server_(MockQUICTransport::Role::kServer) {
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5991 client_.set_peer(&server_);
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5992 server_.set_peer(&client_);
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5993 }
5994
5995 ~MockQUICTransportPair() {
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5996 client_.set_peer(nullptr);
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5997 server_.set_peer(nullptr);
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5998 }
5999
6000 MockQUICTransport *client() { return &client_; }
6001 MockQUICTransport *server() { return &server_; }
6002
6003 bool SecretsMatch(ssl_encryption_level_t level) const {
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]6004 // We only need to check |HasReadSecret| and |HasWriteSecret| on |client_|.
6005 // |PeerSecretsMatch| checks that |server_| is analogously configured.
6006 return client_.PeerSecretsMatch(level) &&
6007 client_.HasWriteSecret(level) &&
6008 (level == ssl_encryption_early_data || client_.HasReadSecret(level));
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6009 }
6010
6011 private:
6012 MockQUICTransport client_;
6013 MockQUICTransport server_;
6014};
6015
6016class QUICMethodTest : public testing::Test {
6017 protected:
6018 void SetUp() override {
6019 client_ctx_.reset(SSL_CTX_new(TLS_method()));
David Benjamin9b2cdb72021-04-01 23:21:53 -0400[diff] [blame]6020 server_ctx_ = CreateContextWithTestCertificate(TLS_method());
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6021 ASSERT_TRUE(client_ctx_);
6022 ASSERT_TRUE(server_ctx_);
6023
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6024 SSL_CTX_set_min_proto_version(server_ctx_.get(), TLS1_3_VERSION);
6025 SSL_CTX_set_max_proto_version(server_ctx_.get(), TLS1_3_VERSION);
6026 SSL_CTX_set_min_proto_version(client_ctx_.get(), TLS1_3_VERSION);
6027 SSL_CTX_set_max_proto_version(client_ctx_.get(), TLS1_3_VERSION);
Nick Harper74161f42020-07-24 15:35:27 -0700[diff] [blame]6028
6029 static const uint8_t kALPNProtos[] = {0x03, 'f', 'o', 'o'};
6030 ASSERT_EQ(SSL_CTX_set_alpn_protos(client_ctx_.get(), kALPNProtos,
6031 sizeof(kALPNProtos)),
6032 0);
6033 SSL_CTX_set_alpn_select_cb(
6034 server_ctx_.get(),
6035 [](SSL *ssl, const uint8_t **out, uint8_t *out_len, const uint8_t *in,
6036 unsigned in_len, void *arg) -> int {
6037 return SSL_select_next_proto(
6038 const_cast<uint8_t **>(out), out_len, in, in_len,
6039 kALPNProtos, sizeof(kALPNProtos)) == OPENSSL_NPN_NEGOTIATED
6040 ? SSL_TLSEXT_ERR_OK
6041 : SSL_TLSEXT_ERR_NOACK;
6042 },
6043 nullptr);
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6044 }
6045
6046 static MockQUICTransport *TransportFromSSL(const SSL *ssl) {
6047 return ex_data_.Get(ssl);
6048 }
6049
6050 static bool ProvideHandshakeData(
6051 SSL *ssl, size_t num = std::numeric_limits<size_t>::max()) {
6052 MockQUICTransport *transport = TransportFromSSL(ssl);
6053 ssl_encryption_level_t level = SSL_quic_read_level(ssl);
6054 std::vector<uint8_t> data;
6055 return transport->ReadHandshakeData(&data, level, num) &&
6056 SSL_provide_quic_data(ssl, level, data.data(), data.size());
6057 }
6058
David Benjamin5298ef92020-03-13 12:17:30 -0400[diff] [blame]6059 void AllowOutOfOrderWrites() {
6060 allow_out_of_order_writes_ = true;
6061 }
6062
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6063 bool CreateClientAndServer() {
6064 client_.reset(SSL_new(client_ctx_.get()));
6065 server_.reset(SSL_new(server_ctx_.get()));
6066 if (!client_ || !server_) {
6067 return false;
6068 }
6069
6070 SSL_set_connect_state(client_.get());
6071 SSL_set_accept_state(server_.get());
6072
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6073 transport_.reset(new MockQUICTransportPair);
6074 ex_data_.Set(client_.get(), transport_->client());
6075 ex_data_.Set(server_.get(), transport_->server());
David Benjamin5298ef92020-03-13 12:17:30 -0400[diff] [blame]6076 if (allow_out_of_order_writes_) {
6077 transport_->client()->AllowOutOfOrderWrites();
6078 transport_->server()->AllowOutOfOrderWrites();
6079 }
Nick Harper7c522992020-04-30 14:15:49 -0700[diff] [blame]6080 static const uint8_t client_transport_params[] = {0};
6081 if (!SSL_set_quic_transport_params(client_.get(), client_transport_params,
6082 sizeof(client_transport_params)) ||
6083 !SSL_set_quic_transport_params(server_.get(),
6084 server_transport_params_.data(),
6085 server_transport_params_.size()) ||
6086 !SSL_set_quic_early_data_context(
6087 server_.get(), server_quic_early_data_context_.data(),
6088 server_quic_early_data_context_.size())) {
Nick Harper72cff812020-03-26 18:06:16 -0700[diff] [blame]6089 return false;
6090 }
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6091 return true;
6092 }
6093
Nick Harper72cff812020-03-26 18:06:16 -0700[diff] [blame]6094 enum class ExpectedError {
6095 kNoError,
6096 kClientError,
6097 kServerError,
6098 };
6099
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6100 // CompleteHandshakesForQUIC runs |SSL_do_handshake| on |client_| and
6101 // |server_| until each completes once. It returns true on success and false
6102 // on failure.
6103 bool CompleteHandshakesForQUIC() {
Nick Harper72cff812020-03-26 18:06:16 -0700[diff] [blame]6104 return RunQUICHandshakesAndExpectError(ExpectedError::kNoError);
6105 }
6106
6107 // Runs |SSL_do_handshake| on |client_| and |server_| until each completes
6108 // once. If |expect_client_error| is true, it will return true only if the
6109 // client handshake failed. Otherwise, it returns true if both handshakes
6110 // succeed and false otherwise.
6111 bool RunQUICHandshakesAndExpectError(ExpectedError expected_error) {
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6112 bool client_done = false, server_done = false;
6113 while (!client_done || !server_done) {
6114 if (!client_done) {
6115 if (!ProvideHandshakeData(client_.get())) {
6116 ADD_FAILURE() << "ProvideHandshakeData(client_) failed";
6117 return false;
6118 }
6119 int client_ret = SSL_do_handshake(client_.get());
David Benjamin2fb729d2020-02-20 17:37:33 -0500[diff] [blame]6120 int client_err = SSL_get_error(client_.get(), client_ret);
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6121 if (client_ret == 1) {
6122 client_done = true;
David Benjamin2fb729d2020-02-20 17:37:33 -0500[diff] [blame]6123 } else if (client_ret != -1 || client_err != SSL_ERROR_WANT_READ) {
Nick Harper72cff812020-03-26 18:06:16 -0700[diff] [blame]6124 if (expected_error == ExpectedError::kClientError) {
6125 return true;
6126 }
David Benjamin2fb729d2020-02-20 17:37:33 -0500[diff] [blame]6127 ADD_FAILURE() << "Unexpected client output: " << client_ret << " "
6128 << client_err;
6129 return false;
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6130 }
6131 }
6132
6133 if (!server_done) {
6134 if (!ProvideHandshakeData(server_.get())) {
6135 ADD_FAILURE() << "ProvideHandshakeData(server_) failed";
6136 return false;
6137 }
6138 int server_ret = SSL_do_handshake(server_.get());
David Benjamin2fb729d2020-02-20 17:37:33 -0500[diff] [blame]6139 int server_err = SSL_get_error(server_.get(), server_ret);
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6140 if (server_ret == 1) {
6141 server_done = true;
David Benjamin2fb729d2020-02-20 17:37:33 -0500[diff] [blame]6142 } else if (server_ret != -1 || server_err != SSL_ERROR_WANT_READ) {
Nick Harper72cff812020-03-26 18:06:16 -0700[diff] [blame]6143 if (expected_error == ExpectedError::kServerError) {
6144 return true;
6145 }
David Benjamin2fb729d2020-02-20 17:37:33 -0500[diff] [blame]6146 ADD_FAILURE() << "Unexpected server output: " << server_ret << " "
6147 << server_err;
6148 return false;
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6149 }
6150 }
6151 }
Nick Harper72cff812020-03-26 18:06:16 -0700[diff] [blame]6152 return expected_error == ExpectedError::kNoError;
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6153 }
6154
6155 bssl::UniquePtr<SSL_SESSION> CreateClientSessionForQUIC() {
6156 g_last_session = nullptr;
6157 SSL_CTX_sess_set_new_cb(client_ctx_.get(), SaveLastSession);
6158 if (!CreateClientAndServer() ||
6159 !CompleteHandshakesForQUIC()) {
6160 return nullptr;
Steven Valdeze6eef1c2018-11-09 13:32:34 -0500[diff] [blame]6161 }
6162
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6163 // The server sent NewSessionTicket messages in the handshake.
6164 if (!ProvideHandshakeData(client_.get()) ||
6165 !SSL_process_quic_post_handshake(client_.get())) {
6166 return nullptr;
6167 }
Steven Valdeze6eef1c2018-11-09 13:32:34 -0500[diff] [blame]6168
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6169 return std::move(g_last_session);
6170 }
6171
6172 void ExpectHandshakeSuccess() {
6173 EXPECT_TRUE(transport_->SecretsMatch(ssl_encryption_application));
6174 EXPECT_EQ(ssl_encryption_application, SSL_quic_read_level(client_.get()));
6175 EXPECT_EQ(ssl_encryption_application, SSL_quic_write_level(client_.get()));
6176 EXPECT_EQ(ssl_encryption_application, SSL_quic_read_level(server_.get()));
6177 EXPECT_EQ(ssl_encryption_application, SSL_quic_write_level(server_.get()));
6178 EXPECT_FALSE(transport_->client()->has_alert());
6179 EXPECT_FALSE(transport_->server()->has_alert());
6180
6181 // SSL_do_handshake is now idempotent.
6182 EXPECT_EQ(SSL_do_handshake(client_.get()), 1);
6183 EXPECT_EQ(SSL_do_handshake(server_.get()), 1);
Steven Valdeze6eef1c2018-11-09 13:32:34 -0500[diff] [blame]6184 }
6185
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]6186 // Returns a default SSL_QUIC_METHOD. Individual methods may be overwritten by
6187 // the test.
6188 SSL_QUIC_METHOD DefaultQUICMethod() {
6189 return SSL_QUIC_METHOD{
6190 SetReadSecretCallback, SetWriteSecretCallback, AddHandshakeDataCallback,
6191 FlushFlightCallback, SendAlertCallback,
6192 };
6193 }
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6194
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]6195 static int SetReadSecretCallback(SSL *ssl, ssl_encryption_level_t level,
6196 const SSL_CIPHER *cipher,
6197 const uint8_t *secret, size_t secret_len) {
6198 return TransportFromSSL(ssl)->SetReadSecret(
6199 level, cipher, MakeConstSpan(secret, secret_len));
6200 }
6201
6202 static int SetWriteSecretCallback(SSL *ssl, ssl_encryption_level_t level,
6203 const SSL_CIPHER *cipher,
6204 const uint8_t *secret, size_t secret_len) {
6205 return TransportFromSSL(ssl)->SetWriteSecret(
6206 level, cipher, MakeConstSpan(secret, secret_len));
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6207 }
6208
David Benjamincc9d9352018-10-30 19:45:22 -0500[diff] [blame]6209 static int AddHandshakeDataCallback(SSL *ssl,
6210 enum ssl_encryption_level_t level,
6211 const uint8_t *data, size_t len) {
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6212 EXPECT_EQ(level, SSL_quic_write_level(ssl));
6213 return TransportFromSSL(ssl)->WriteHandshakeData(level,
6214 MakeConstSpan(data, len));
6215 }
6216
6217 static int FlushFlightCallback(SSL *ssl) { return 1; }
6218
6219 static int SendAlertCallback(SSL *ssl, ssl_encryption_level_t level,
6220 uint8_t alert) {
6221 EXPECT_EQ(level, SSL_quic_write_level(ssl));
6222 return TransportFromSSL(ssl)->SendAlert(level, alert);
6223 }
6224
6225 bssl::UniquePtr<SSL_CTX> client_ctx_;
6226 bssl::UniquePtr<SSL_CTX> server_ctx_;
6227
6228 static UnownedSSLExData<MockQUICTransport> ex_data_;
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6229 std::unique_ptr<MockQUICTransportPair> transport_;
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6230
6231 bssl::UniquePtr<SSL> client_;
6232 bssl::UniquePtr<SSL> server_;
David Benjamin5298ef92020-03-13 12:17:30 -0400[diff] [blame]6233
Nick Harper7c522992020-04-30 14:15:49 -0700[diff] [blame]6234 std::vector<uint8_t> server_transport_params_ = {1};
6235 std::vector<uint8_t> server_quic_early_data_context_ = {2};
6236
David Benjamin5298ef92020-03-13 12:17:30 -0400[diff] [blame]6237 bool allow_out_of_order_writes_ = false;
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6238};
6239
6240UnownedSSLExData<MockQUICTransport> QUICMethodTest::ex_data_;
6241
David Benjaminfd863b62019-07-25 13:51:32 -0400[diff] [blame]6242// Test a full handshake and resumption work.
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6243TEST_F(QUICMethodTest, Basic) {
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]6244 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6245
Steven Valdeze6eef1c2018-11-09 13:32:34 -0500[diff] [blame]6246 g_last_session = nullptr;
6247
6248 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6249 SSL_CTX_sess_set_new_cb(client_ctx_.get(), SaveLastSession);
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6250 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6251 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6252
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6253 ASSERT_TRUE(CreateClientAndServer());
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6254 ASSERT_TRUE(CompleteHandshakesForQUIC());
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6255
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6256 ExpectHandshakeSuccess();
6257 EXPECT_FALSE(SSL_session_reused(client_.get()));
6258 EXPECT_FALSE(SSL_session_reused(server_.get()));
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6259
6260 // The server sent NewSessionTicket messages in the handshake.
Steven Valdeze6eef1c2018-11-09 13:32:34 -0500[diff] [blame]6261 EXPECT_FALSE(g_last_session);
6262 ASSERT_TRUE(ProvideHandshakeData(client_.get()));
6263 EXPECT_EQ(SSL_process_quic_post_handshake(client_.get()), 1);
6264 EXPECT_TRUE(g_last_session);
6265
6266 // Create a second connection to verify resumption works.
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6267 ASSERT_TRUE(CreateClientAndServer());
Steven Valdeze6eef1c2018-11-09 13:32:34 -0500[diff] [blame]6268 bssl::UniquePtr<SSL_SESSION> session = std::move(g_last_session);
6269 SSL_set_session(client_.get(), session.get());
6270
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6271 ASSERT_TRUE(CompleteHandshakesForQUIC());
Steven Valdeze6eef1c2018-11-09 13:32:34 -0500[diff] [blame]6272
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6273 ExpectHandshakeSuccess();
Steven Valdeze6eef1c2018-11-09 13:32:34 -0500[diff] [blame]6274 EXPECT_TRUE(SSL_session_reused(client_.get()));
6275 EXPECT_TRUE(SSL_session_reused(server_.get()));
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6276}
6277
David Benjaminfd863b62019-07-25 13:51:32 -0400[diff] [blame]6278// Test that HelloRetryRequest in QUIC works.
6279TEST_F(QUICMethodTest, HelloRetryRequest) {
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]6280 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
David Benjaminfd863b62019-07-25 13:51:32 -0400[diff] [blame]6281
6282 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6283 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6284
6285 // BoringSSL predicts the most preferred curve, so using different preferences
6286 // will trigger HelloRetryRequest.
6287 static const int kClientPrefs[] = {NID_X25519, NID_X9_62_prime256v1};
6288 ASSERT_TRUE(SSL_CTX_set1_curves(client_ctx_.get(), kClientPrefs,
6289 OPENSSL_ARRAY_SIZE(kClientPrefs)));
6290 static const int kServerPrefs[] = {NID_X9_62_prime256v1, NID_X25519};
6291 ASSERT_TRUE(SSL_CTX_set1_curves(server_ctx_.get(), kServerPrefs,
6292 OPENSSL_ARRAY_SIZE(kServerPrefs)));
6293
6294 ASSERT_TRUE(CreateClientAndServer());
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6295 ASSERT_TRUE(CompleteHandshakesForQUIC());
6296 ExpectHandshakeSuccess();
6297}
David Benjaminfd863b62019-07-25 13:51:32 -0400[diff] [blame]6298
Nick Harpere32549e2020-05-06 14:27:11 -0700[diff] [blame]6299// Test that the client does not send a legacy_session_id in the ClientHello.
6300TEST_F(QUICMethodTest, NoLegacySessionId) {
6301 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6302
6303 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6304 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6305 // Check that the session ID length is 0 in an early callback.
6306 SSL_CTX_set_select_certificate_cb(
6307 server_ctx_.get(),
6308 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
6309 EXPECT_EQ(client_hello->session_id_len, 0u);
6310 return ssl_select_cert_success;
6311 });
6312
6313 ASSERT_TRUE(CreateClientAndServer());
6314 ASSERT_TRUE(CompleteHandshakesForQUIC());
6315
6316 ExpectHandshakeSuccess();
6317}
6318
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]6319// Test that, even in a 1-RTT handshake, the server installs keys at the right
6320// time. Half-RTT keys are available early, but 1-RTT read keys are deferred.
6321TEST_F(QUICMethodTest, HalfRTTKeys) {
6322 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6323
6324 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6325 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6326 ASSERT_TRUE(CreateClientAndServer());
6327
6328 // The client sends ClientHello.
6329 ASSERT_EQ(SSL_do_handshake(client_.get()), -1);
6330 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(client_.get(), -1));
6331
6332 // The server reads ClientHello and sends ServerHello..Finished.
6333 ASSERT_TRUE(ProvideHandshakeData(server_.get()));
6334 ASSERT_EQ(SSL_do_handshake(server_.get()), -1);
6335 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(server_.get(), -1));
6336
6337 // At this point, the server has half-RTT write keys, but it cannot access
6338 // 1-RTT read keys until client Finished.
6339 EXPECT_TRUE(transport_->server()->HasWriteSecret(ssl_encryption_application));
6340 EXPECT_FALSE(transport_->server()->HasReadSecret(ssl_encryption_application));
6341
6342 // Finish up the client and server handshakes.
6343 ASSERT_TRUE(CompleteHandshakesForQUIC());
6344
6345 // Both sides can now exchange 1-RTT data.
6346 ExpectHandshakeSuccess();
6347}
6348
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6349TEST_F(QUICMethodTest, ZeroRTTAccept) {
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]6350 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6351
6352 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6353 SSL_CTX_set_early_data_enabled(client_ctx_.get(), 1);
6354 SSL_CTX_set_early_data_enabled(server_ctx_.get(), 1);
6355 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6356 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6357
6358 bssl::UniquePtr<SSL_SESSION> session = CreateClientSessionForQUIC();
6359 ASSERT_TRUE(session);
6360
6361 ASSERT_TRUE(CreateClientAndServer());
6362 SSL_set_session(client_.get(), session.get());
6363
6364 // The client handshake should return immediately into the early data state.
6365 ASSERT_EQ(SSL_do_handshake(client_.get()), 1);
6366 EXPECT_TRUE(SSL_in_early_data(client_.get()));
6367 // The transport should have keys for sending 0-RTT data.
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]6368 EXPECT_TRUE(transport_->client()->HasWriteSecret(ssl_encryption_early_data));
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6369
6370 // The server will consume the ClientHello and also enter the early data
6371 // state.
6372 ASSERT_TRUE(ProvideHandshakeData(server_.get()));
6373 ASSERT_EQ(SSL_do_handshake(server_.get()), 1);
6374 EXPECT_TRUE(SSL_in_early_data(server_.get()));
6375 EXPECT_TRUE(transport_->SecretsMatch(ssl_encryption_early_data));
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]6376 // At this point, the server has half-RTT write keys, but it cannot access
6377 // 1-RTT read keys until client Finished.
6378 EXPECT_TRUE(transport_->server()->HasWriteSecret(ssl_encryption_application));
6379 EXPECT_FALSE(transport_->server()->HasReadSecret(ssl_encryption_application));
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6380
6381 // Finish up the client and server handshakes.
6382 ASSERT_TRUE(CompleteHandshakesForQUIC());
6383
6384 // Both sides can now exchange 1-RTT data.
6385 ExpectHandshakeSuccess();
6386 EXPECT_TRUE(SSL_session_reused(client_.get()));
6387 EXPECT_TRUE(SSL_session_reused(server_.get()));
6388 EXPECT_FALSE(SSL_in_early_data(client_.get()));
6389 EXPECT_FALSE(SSL_in_early_data(server_.get()));
6390 EXPECT_TRUE(SSL_early_data_accepted(client_.get()));
6391 EXPECT_TRUE(SSL_early_data_accepted(server_.get()));
Nick Harper5e086952020-09-30 13:59:14 -0700[diff] [blame]6392
6393 // Finish handling post-handshake messages after the first 0-RTT resumption.
6394 EXPECT_TRUE(ProvideHandshakeData(client_.get()));
6395 EXPECT_TRUE(SSL_process_quic_post_handshake(client_.get()));
6396
6397 // Perform a second 0-RTT resumption attempt, and confirm that 0-RTT is
6398 // accepted again.
6399 ASSERT_TRUE(CreateClientAndServer());
6400 SSL_set_session(client_.get(), g_last_session.get());
6401
6402 // The client handshake should return immediately into the early data state.
6403 ASSERT_EQ(SSL_do_handshake(client_.get()), 1);
6404 EXPECT_TRUE(SSL_in_early_data(client_.get()));
6405 // The transport should have keys for sending 0-RTT data.
6406 EXPECT_TRUE(transport_->client()->HasWriteSecret(ssl_encryption_early_data));
6407
6408 // The server will consume the ClientHello and also enter the early data
6409 // state.
6410 ASSERT_TRUE(ProvideHandshakeData(server_.get()));
6411 ASSERT_EQ(SSL_do_handshake(server_.get()), 1);
6412 EXPECT_TRUE(SSL_in_early_data(server_.get()));
6413 EXPECT_TRUE(transport_->SecretsMatch(ssl_encryption_early_data));
6414 // At this point, the server has half-RTT write keys, but it cannot access
6415 // 1-RTT read keys until client Finished.
6416 EXPECT_TRUE(transport_->server()->HasWriteSecret(ssl_encryption_application));
6417 EXPECT_FALSE(transport_->server()->HasReadSecret(ssl_encryption_application));
6418
6419 // Finish up the client and server handshakes.
6420 ASSERT_TRUE(CompleteHandshakesForQUIC());
6421
6422 // Both sides can now exchange 1-RTT data.
6423 ExpectHandshakeSuccess();
6424 EXPECT_TRUE(SSL_session_reused(client_.get()));
6425 EXPECT_TRUE(SSL_session_reused(server_.get()));
6426 EXPECT_FALSE(SSL_in_early_data(client_.get()));
6427 EXPECT_FALSE(SSL_in_early_data(server_.get()));
6428 EXPECT_TRUE(SSL_early_data_accepted(client_.get()));
6429 EXPECT_TRUE(SSL_early_data_accepted(server_.get()));
6430 EXPECT_EQ(SSL_get_early_data_reason(client_.get()), ssl_early_data_accepted);
6431 EXPECT_EQ(SSL_get_early_data_reason(server_.get()), ssl_early_data_accepted);
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6432}
6433
Nick Harper7c522992020-04-30 14:15:49 -0700[diff] [blame]6434TEST_F(QUICMethodTest, ZeroRTTRejectMismatchedParameters) {
6435 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6436
6437 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6438 SSL_CTX_set_early_data_enabled(client_ctx_.get(), 1);
6439 SSL_CTX_set_early_data_enabled(server_ctx_.get(), 1);
6440 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6441 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6442
6443
6444 bssl::UniquePtr<SSL_SESSION> session = CreateClientSessionForQUIC();
6445 ASSERT_TRUE(session);
6446
Nick Harper85194322020-05-20 16:59:29 -0700[diff] [blame]6447 ASSERT_TRUE(CreateClientAndServer());
6448 static const uint8_t new_context[] = {4};
6449 ASSERT_TRUE(SSL_set_quic_early_data_context(server_.get(), new_context,
6450 sizeof(new_context)));
6451 SSL_set_session(client_.get(), session.get());
Nick Harper7c522992020-04-30 14:15:49 -0700[diff] [blame]6452
Nick Harper85194322020-05-20 16:59:29 -0700[diff] [blame]6453 // The client handshake should return immediately into the early data
6454 // state.
6455 ASSERT_EQ(SSL_do_handshake(client_.get()), 1);
6456 EXPECT_TRUE(SSL_in_early_data(client_.get()));
6457 // The transport should have keys for sending 0-RTT data.
6458 EXPECT_TRUE(transport_->client()->HasWriteSecret(ssl_encryption_early_data));
Nick Harper7c522992020-04-30 14:15:49 -0700[diff] [blame]6459
Nick Harper85194322020-05-20 16:59:29 -0700[diff] [blame]6460 // The server will consume the ClientHello, but it will not accept 0-RTT.
6461 ASSERT_TRUE(ProvideHandshakeData(server_.get()));
6462 ASSERT_EQ(SSL_do_handshake(server_.get()), -1);
6463 EXPECT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(server_.get(), -1));
6464 EXPECT_FALSE(SSL_in_early_data(server_.get()));
6465 EXPECT_FALSE(transport_->server()->HasReadSecret(ssl_encryption_early_data));
Nick Harper7c522992020-04-30 14:15:49 -0700[diff] [blame]6466
Nick Harper85194322020-05-20 16:59:29 -0700[diff] [blame]6467 // The client consumes the server response and signals 0-RTT rejection.
6468 for (;;) {
6469 ASSERT_TRUE(ProvideHandshakeData(client_.get()));
6470 ASSERT_EQ(-1, SSL_do_handshake(client_.get()));
6471 int err = SSL_get_error(client_.get(), -1);
6472 if (err == SSL_ERROR_EARLY_DATA_REJECTED) {
6473 break;
Nick Harper7c522992020-04-30 14:15:49 -0700[diff] [blame]6474 }
Nick Harper85194322020-05-20 16:59:29 -0700[diff] [blame]6475 ASSERT_EQ(SSL_ERROR_WANT_READ, err);
Nick Harper7c522992020-04-30 14:15:49 -0700[diff] [blame]6476 }
Nick Harper85194322020-05-20 16:59:29 -0700[diff] [blame]6477
6478 // As in TLS over TCP, 0-RTT rejection is sticky.
6479 ASSERT_EQ(-1, SSL_do_handshake(client_.get()));
6480 ASSERT_EQ(SSL_ERROR_EARLY_DATA_REJECTED, SSL_get_error(client_.get(), -1));
6481
6482 // Finish up the client and server handshakes.
6483 SSL_reset_early_data_reject(client_.get());
6484 ASSERT_TRUE(CompleteHandshakesForQUIC());
6485
6486 // Both sides can now exchange 1-RTT data.
6487 ExpectHandshakeSuccess();
6488 EXPECT_TRUE(SSL_session_reused(client_.get()));
6489 EXPECT_TRUE(SSL_session_reused(server_.get()));
6490 EXPECT_FALSE(SSL_in_early_data(client_.get()));
6491 EXPECT_FALSE(SSL_in_early_data(server_.get()));
6492 EXPECT_FALSE(SSL_early_data_accepted(client_.get()));
6493 EXPECT_FALSE(SSL_early_data_accepted(server_.get()));
6494}
6495
6496TEST_F(QUICMethodTest, NoZeroRTTTicketWithoutEarlyDataContext) {
6497 server_quic_early_data_context_ = {};
6498 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6499
6500 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6501 SSL_CTX_set_early_data_enabled(client_ctx_.get(), 1);
6502 SSL_CTX_set_early_data_enabled(server_ctx_.get(), 1);
6503 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6504 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6505
6506 bssl::UniquePtr<SSL_SESSION> session = CreateClientSessionForQUIC();
6507 ASSERT_TRUE(session);
6508 EXPECT_FALSE(SSL_SESSION_early_data_capable(session.get()));
Nick Harper7c522992020-04-30 14:15:49 -0700[diff] [blame]6509}
6510
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6511TEST_F(QUICMethodTest, ZeroRTTReject) {
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]6512 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6513
6514 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6515 SSL_CTX_set_early_data_enabled(client_ctx_.get(), 1);
6516 SSL_CTX_set_early_data_enabled(server_ctx_.get(), 1);
6517 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6518 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6519
6520 bssl::UniquePtr<SSL_SESSION> session = CreateClientSessionForQUIC();
6521 ASSERT_TRUE(session);
6522
6523 for (bool reject_hrr : {false, true}) {
6524 SCOPED_TRACE(reject_hrr);
6525
6526 ASSERT_TRUE(CreateClientAndServer());
6527 if (reject_hrr) {
6528 // Configure the server to prefer P-256, which will reject 0-RTT via
6529 // HelloRetryRequest.
6530 int p256 = NID_X9_62_prime256v1;
6531 ASSERT_TRUE(SSL_set1_curves(server_.get(), &p256, 1));
6532 } else {
6533 // Disable 0-RTT on the server, so it will reject it.
6534 SSL_set_early_data_enabled(server_.get(), 0);
David Benjaminfd863b62019-07-25 13:51:32 -0400[diff] [blame]6535 }
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6536 SSL_set_session(client_.get(), session.get());
David Benjaminfd863b62019-07-25 13:51:32 -0400[diff] [blame]6537
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6538 // The client handshake should return immediately into the early data state.
6539 ASSERT_EQ(SSL_do_handshake(client_.get()), 1);
6540 EXPECT_TRUE(SSL_in_early_data(client_.get()));
6541 // The transport should have keys for sending 0-RTT data.
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]6542 EXPECT_TRUE(
6543 transport_->client()->HasWriteSecret(ssl_encryption_early_data));
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6544
6545 // The server will consume the ClientHello, but it will not accept 0-RTT.
David Benjaminfd863b62019-07-25 13:51:32 -0400[diff] [blame]6546 ASSERT_TRUE(ProvideHandshakeData(server_.get()));
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6547 ASSERT_EQ(SSL_do_handshake(server_.get()), -1);
6548 EXPECT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(server_.get(), -1));
6549 EXPECT_FALSE(SSL_in_early_data(server_.get()));
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]6550 EXPECT_FALSE(
6551 transport_->server()->HasReadSecret(ssl_encryption_early_data));
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6552
6553 // The client consumes the server response and signals 0-RTT rejection.
6554 for (;;) {
6555 ASSERT_TRUE(ProvideHandshakeData(client_.get()));
6556 ASSERT_EQ(-1, SSL_do_handshake(client_.get()));
6557 int err = SSL_get_error(client_.get(), -1);
6558 if (err == SSL_ERROR_EARLY_DATA_REJECTED) {
6559 break;
6560 }
6561 ASSERT_EQ(SSL_ERROR_WANT_READ, err);
David Benjaminfd863b62019-07-25 13:51:32 -0400[diff] [blame]6562 }
6563
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6564 // As in TLS over TCP, 0-RTT rejection is sticky.
6565 ASSERT_EQ(-1, SSL_do_handshake(client_.get()));
6566 ASSERT_EQ(SSL_ERROR_EARLY_DATA_REJECTED, SSL_get_error(client_.get(), -1));
6567
6568 // Finish up the client and server handshakes.
6569 SSL_reset_early_data_reject(client_.get());
6570 ASSERT_TRUE(CompleteHandshakesForQUIC());
6571
6572 // Both sides can now exchange 1-RTT data.
6573 ExpectHandshakeSuccess();
6574 EXPECT_TRUE(SSL_session_reused(client_.get()));
6575 EXPECT_TRUE(SSL_session_reused(server_.get()));
6576 EXPECT_FALSE(SSL_in_early_data(client_.get()));
6577 EXPECT_FALSE(SSL_in_early_data(server_.get()));
6578 EXPECT_FALSE(SSL_early_data_accepted(client_.get()));
6579 EXPECT_FALSE(SSL_early_data_accepted(server_.get()));
David Benjaminfd863b62019-07-25 13:51:32 -0400[diff] [blame]6580 }
David Benjaminfd863b62019-07-25 13:51:32 -0400[diff] [blame]6581}
6582
David Benjaminee0716f2019-11-19 14:16:28 +0800[diff] [blame]6583TEST_F(QUICMethodTest, NoZeroRTTKeysBeforeReverify) {
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]6584 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
David Benjaminee0716f2019-11-19 14:16:28 +0800[diff] [blame]6585
6586 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6587 SSL_CTX_set_early_data_enabled(client_ctx_.get(), 1);
6588 SSL_CTX_set_reverify_on_resume(client_ctx_.get(), 1);
6589 SSL_CTX_set_early_data_enabled(server_ctx_.get(), 1);
6590 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6591 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6592
6593 bssl::UniquePtr<SSL_SESSION> session = CreateClientSessionForQUIC();
6594 ASSERT_TRUE(session);
6595
6596 ASSERT_TRUE(CreateClientAndServer());
6597 SSL_set_session(client_.get(), session.get());
6598
6599 // Configure the certificate (re)verification to never complete. The client
6600 // handshake should pause.
6601 SSL_set_custom_verify(
6602 client_.get(), SSL_VERIFY_PEER,
6603 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
6604 return ssl_verify_retry;
6605 });
6606 ASSERT_EQ(SSL_do_handshake(client_.get()), -1);
6607 ASSERT_EQ(SSL_get_error(client_.get(), -1),
6608 SSL_ERROR_WANT_CERTIFICATE_VERIFY);
6609
6610 // The early data keys have not yet been released.
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]6611 EXPECT_FALSE(transport_->client()->HasWriteSecret(ssl_encryption_early_data));
David Benjaminee0716f2019-11-19 14:16:28 +0800[diff] [blame]6612
6613 // After the verification completes, the handshake progresses to the 0-RTT
6614 // point and releases keys.
6615 SSL_set_custom_verify(
6616 client_.get(), SSL_VERIFY_PEER,
6617 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
6618 return ssl_verify_ok;
6619 });
6620 ASSERT_EQ(SSL_do_handshake(client_.get()), 1);
6621 EXPECT_TRUE(SSL_in_early_data(client_.get()));
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]6622 EXPECT_TRUE(transport_->client()->HasWriteSecret(ssl_encryption_early_data));
David Benjaminee0716f2019-11-19 14:16:28 +0800[diff] [blame]6623}
6624
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6625// Test only releasing data to QUIC one byte at a time on request, to maximize
6626// state machine pauses. Additionally, test that existing asynchronous callbacks
6627// still work.
6628TEST_F(QUICMethodTest, Async) {
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]6629 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6630
6631 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6632 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6633 ASSERT_TRUE(CreateClientAndServer());
6634
6635 // Install an asynchronous certificate callback.
6636 bool cert_cb_ok = false;
6637 SSL_set_cert_cb(server_.get(),
6638 [](SSL *, void *arg) -> int {
6639 return *static_cast<bool *>(arg) ? 1 : -1;
6640 },
6641 &cert_cb_ok);
6642
6643 for (;;) {
6644 int client_ret = SSL_do_handshake(client_.get());
6645 if (client_ret != 1) {
6646 ASSERT_EQ(client_ret, -1);
6647 ASSERT_EQ(SSL_get_error(client_.get(), client_ret), SSL_ERROR_WANT_READ);
6648 ASSERT_TRUE(ProvideHandshakeData(client_.get(), 1));
6649 }
6650
6651 int server_ret = SSL_do_handshake(server_.get());
6652 if (server_ret != 1) {
6653 ASSERT_EQ(server_ret, -1);
6654 int ssl_err = SSL_get_error(server_.get(), server_ret);
6655 switch (ssl_err) {
6656 case SSL_ERROR_WANT_READ:
6657 ASSERT_TRUE(ProvideHandshakeData(server_.get(), 1));
6658 break;
6659 case SSL_ERROR_WANT_X509_LOOKUP:
6660 ASSERT_FALSE(cert_cb_ok);
6661 cert_cb_ok = true;
6662 break;
6663 default:
6664 FAIL() << "Unexpected SSL_get_error result: " << ssl_err;
6665 }
6666 }
6667
6668 if (client_ret == 1 && server_ret == 1) {
6669 break;
6670 }
6671 }
6672
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6673 ExpectHandshakeSuccess();
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6674}
6675
6676// Test buffering write data until explicit flushes.
6677TEST_F(QUICMethodTest, Buffered) {
David Benjamin5298ef92020-03-13 12:17:30 -0400[diff] [blame]6678 AllowOutOfOrderWrites();
6679
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6680 struct BufferedFlight {
6681 std::vector<uint8_t> data[kNumQUICLevels];
6682 };
6683 static UnownedSSLExData<BufferedFlight> buffered_flights;
6684
David Benjamincc9d9352018-10-30 19:45:22 -0500[diff] [blame]6685 auto add_handshake_data = [](SSL *ssl, enum ssl_encryption_level_t level,
6686 const uint8_t *data, size_t len) -> int {
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6687 BufferedFlight *flight = buffered_flights.Get(ssl);
6688 flight->data[level].insert(flight->data[level].end(), data, data + len);
6689 return 1;
6690 };
6691
6692 auto flush_flight = [](SSL *ssl) -> int {
6693 BufferedFlight *flight = buffered_flights.Get(ssl);
6694 for (size_t level = 0; level < kNumQUICLevels; level++) {
6695 if (!flight->data[level].empty()) {
6696 if (!TransportFromSSL(ssl)->WriteHandshakeData(
6697 static_cast<ssl_encryption_level_t>(level),
6698 flight->data[level])) {
6699 return 0;
6700 }
6701 flight->data[level].clear();
6702 }
6703 }
6704 return 1;
6705 };
6706
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]6707 SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6708 quic_method.add_handshake_data = add_handshake_data;
6709 quic_method.flush_flight = flush_flight;
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6710
6711 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6712 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6713 ASSERT_TRUE(CreateClientAndServer());
6714
6715 BufferedFlight client_flight, server_flight;
6716 buffered_flights.Set(client_.get(), &client_flight);
6717 buffered_flights.Set(server_.get(), &server_flight);
6718
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6719 ASSERT_TRUE(CompleteHandshakesForQUIC());
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6720
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6721 ExpectHandshakeSuccess();
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6722}
6723
6724// Test that excess data at one level is rejected. That is, if a single
6725// |SSL_provide_quic_data| call included both ServerHello and
6726// EncryptedExtensions in a single chunk, BoringSSL notices and rejects this on
6727// key change.
6728TEST_F(QUICMethodTest, ExcessProvidedData) {
David Benjamin5298ef92020-03-13 12:17:30 -0400[diff] [blame]6729 AllowOutOfOrderWrites();
6730
David Benjamincc9d9352018-10-30 19:45:22 -0500[diff] [blame]6731 auto add_handshake_data = [](SSL *ssl, enum ssl_encryption_level_t level,
6732 const uint8_t *data, size_t len) -> int {
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6733 // Switch everything to the initial level.
6734 return TransportFromSSL(ssl)->WriteHandshakeData(ssl_encryption_initial,
6735 MakeConstSpan(data, len));
6736 };
6737
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]6738 SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6739 quic_method.add_handshake_data = add_handshake_data;
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6740
6741 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6742 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6743 ASSERT_TRUE(CreateClientAndServer());
6744
6745 // Send the ClientHello and ServerHello through Finished.
6746 ASSERT_EQ(SSL_do_handshake(client_.get()), -1);
6747 ASSERT_EQ(SSL_get_error(client_.get(), -1), SSL_ERROR_WANT_READ);
6748 ASSERT_TRUE(ProvideHandshakeData(server_.get()));
6749 ASSERT_EQ(SSL_do_handshake(server_.get()), -1);
6750 ASSERT_EQ(SSL_get_error(server_.get(), -1), SSL_ERROR_WANT_READ);
6751
6752 // The client is still waiting for the ServerHello at initial
6753 // encryption.
6754 ASSERT_EQ(ssl_encryption_initial, SSL_quic_read_level(client_.get()));
6755
David Benjamincc9d9352018-10-30 19:45:22 -0500[diff] [blame]6756 // |add_handshake_data| incorrectly wrote everything at the initial level, so
6757 // this queues up ServerHello through Finished in one chunk.
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6758 ASSERT_TRUE(ProvideHandshakeData(client_.get()));
6759
6760 // The client reads ServerHello successfully, but then rejects the buffered
6761 // EncryptedExtensions on key change.
6762 ASSERT_EQ(SSL_do_handshake(client_.get()), -1);
6763 ASSERT_EQ(SSL_get_error(client_.get(), -1), SSL_ERROR_SSL);
6764 uint32_t err = ERR_get_error();
6765 EXPECT_EQ(ERR_GET_LIB(err), ERR_LIB_SSL);
David Benjaminf9cc26f2020-02-09 16:49:31 -0500[diff] [blame]6766 EXPECT_EQ(ERR_GET_REASON(err), SSL_R_EXCESS_HANDSHAKE_DATA);
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6767
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]6768 // The client sends an alert in response to this. The alert is sent at
6769 // handshake level because we install write secrets before read secrets and
6770 // the error is discovered when installing the read secret. (How to send
6771 // alerts on protocol syntax errors near key changes is ambiguous in general.)
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6772 ASSERT_TRUE(transport_->client()->has_alert());
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]6773 EXPECT_EQ(transport_->client()->alert_level(), ssl_encryption_handshake);
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6774 EXPECT_EQ(transport_->client()->alert(), SSL_AD_UNEXPECTED_MESSAGE);
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6775
David Benjamin5298ef92020-03-13 12:17:30 -0400[diff] [blame]6776 // Sanity-check handshake secrets. The error is discovered while setting the
6777 // read secret, so only the write secret has been installed.
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]6778 EXPECT_TRUE(transport_->client()->HasWriteSecret(ssl_encryption_handshake));
David Benjamin5298ef92020-03-13 12:17:30 -0400[diff] [blame]6779 EXPECT_FALSE(transport_->client()->HasReadSecret(ssl_encryption_handshake));
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6780}
6781
6782// Test that |SSL_provide_quic_data| will reject data at the wrong level.
6783TEST_F(QUICMethodTest, ProvideWrongLevel) {
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]6784 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6785
6786 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6787 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6788 ASSERT_TRUE(CreateClientAndServer());
6789
6790 // Send the ClientHello and ServerHello through Finished.
6791 ASSERT_EQ(SSL_do_handshake(client_.get()), -1);
6792 ASSERT_EQ(SSL_get_error(client_.get(), -1), SSL_ERROR_WANT_READ);
6793 ASSERT_TRUE(ProvideHandshakeData(server_.get()));
6794 ASSERT_EQ(SSL_do_handshake(server_.get()), -1);
6795 ASSERT_EQ(SSL_get_error(server_.get(), -1), SSL_ERROR_WANT_READ);
6796
6797 // The client is still waiting for the ServerHello at initial
6798 // encryption.
6799 ASSERT_EQ(ssl_encryption_initial, SSL_quic_read_level(client_.get()));
6800
6801 // Data cannot be provided at the next level.
6802 std::vector<uint8_t> data;
6803 ASSERT_TRUE(
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6804 transport_->client()->ReadHandshakeData(&data, ssl_encryption_initial));
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6805 ASSERT_FALSE(SSL_provide_quic_data(client_.get(), ssl_encryption_handshake,
6806 data.data(), data.size()));
6807 ERR_clear_error();
6808
6809 // Progress to EncryptedExtensions.
6810 ASSERT_TRUE(SSL_provide_quic_data(client_.get(), ssl_encryption_initial,
6811 data.data(), data.size()));
6812 ASSERT_EQ(SSL_do_handshake(client_.get()), -1);
6813 ASSERT_EQ(SSL_get_error(client_.get(), -1), SSL_ERROR_WANT_READ);
6814 ASSERT_EQ(ssl_encryption_handshake, SSL_quic_read_level(client_.get()));
6815
6816 // Data cannot be provided at the previous level.
6817 ASSERT_TRUE(
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6818 transport_->client()->ReadHandshakeData(&data, ssl_encryption_handshake));
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6819 ASSERT_FALSE(SSL_provide_quic_data(client_.get(), ssl_encryption_initial,
6820 data.data(), data.size()));
6821}
6822
6823TEST_F(QUICMethodTest, TooMuchData) {
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]6824 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6825
6826 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6827 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6828 ASSERT_TRUE(CreateClientAndServer());
6829
6830 size_t limit =
6831 SSL_quic_max_handshake_flight_len(client_.get(), ssl_encryption_initial);
6832 uint8_t b = 0;
6833 for (size_t i = 0; i < limit; i++) {
6834 ASSERT_TRUE(
6835 SSL_provide_quic_data(client_.get(), ssl_encryption_initial, &b, 1));
6836 }
6837
6838 EXPECT_FALSE(
6839 SSL_provide_quic_data(client_.get(), ssl_encryption_initial, &b, 1));
6840}
6841
Steven Valdeze6eef1c2018-11-09 13:32:34 -0500[diff] [blame]6842// Provide invalid post-handshake data.
6843TEST_F(QUICMethodTest, BadPostHandshake) {
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]6844 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
Steven Valdeze6eef1c2018-11-09 13:32:34 -0500[diff] [blame]6845
6846 g_last_session = nullptr;
6847
6848 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6849 SSL_CTX_sess_set_new_cb(client_ctx_.get(), SaveLastSession);
6850 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6851 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6852 ASSERT_TRUE(CreateClientAndServer());
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6853 ASSERT_TRUE(CompleteHandshakesForQUIC());
Steven Valdeze6eef1c2018-11-09 13:32:34 -0500[diff] [blame]6854
6855 EXPECT_EQ(SSL_do_handshake(client_.get()), 1);
6856 EXPECT_EQ(SSL_do_handshake(server_.get()), 1);
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6857 EXPECT_TRUE(transport_->SecretsMatch(ssl_encryption_application));
6858 EXPECT_FALSE(transport_->client()->has_alert());
6859 EXPECT_FALSE(transport_->server()->has_alert());
Steven Valdeze6eef1c2018-11-09 13:32:34 -0500[diff] [blame]6860
6861 // Junk sent as part of post-handshake data should cause an error.
6862 uint8_t kJunk[] = {0x17, 0x0, 0x0, 0x4, 0xB, 0xE, 0xE, 0xF};
6863 ASSERT_TRUE(SSL_provide_quic_data(client_.get(), ssl_encryption_application,
6864 kJunk, sizeof(kJunk)));
6865 EXPECT_EQ(SSL_process_quic_post_handshake(client_.get()), 0);
6866}
6867
Nick Harper80ddfc72020-03-11 18:26:31 -0700[diff] [blame]6868static void ExpectReceivedTransportParamsEqual(const SSL *ssl,
6869 Span<const uint8_t> expected) {
6870 const uint8_t *received;
6871 size_t received_len;
6872 SSL_get_peer_quic_transport_params(ssl, &received, &received_len);
6873 ASSERT_EQ(received_len, expected.size());
6874 EXPECT_EQ(Bytes(received, received_len), Bytes(expected));
6875}
6876
6877TEST_F(QUICMethodTest, SetTransportParameters) {
6878 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6879 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6880 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6881
6882 ASSERT_TRUE(CreateClientAndServer());
6883 uint8_t kClientParams[] = {1, 2, 3, 4};
6884 uint8_t kServerParams[] = {5, 6, 7};
6885 ASSERT_TRUE(SSL_set_quic_transport_params(client_.get(), kClientParams,
6886 sizeof(kClientParams)));
6887 ASSERT_TRUE(SSL_set_quic_transport_params(server_.get(), kServerParams,
6888 sizeof(kServerParams)));
6889
6890 ASSERT_TRUE(CompleteHandshakesForQUIC());
6891 ExpectReceivedTransportParamsEqual(client_.get(), kServerParams);
6892 ExpectReceivedTransportParamsEqual(server_.get(), kClientParams);
6893}
6894
6895TEST_F(QUICMethodTest, SetTransportParamsInCallback) {
6896 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6897 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6898 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6899
6900 ASSERT_TRUE(CreateClientAndServer());
6901 uint8_t kClientParams[] = {1, 2, 3, 4};
6902 static uint8_t kServerParams[] = {5, 6, 7};
6903 ASSERT_TRUE(SSL_set_quic_transport_params(client_.get(), kClientParams,
6904 sizeof(kClientParams)));
6905 SSL_CTX_set_tlsext_servername_callback(
6906 server_ctx_.get(), [](SSL *ssl, int *out_alert, void *arg) -> int {
6907 EXPECT_TRUE(SSL_set_quic_transport_params(ssl, kServerParams,
6908 sizeof(kServerParams)));
6909 return SSL_TLSEXT_ERR_OK;
6910 });
6911
6912 ASSERT_TRUE(CompleteHandshakesForQUIC());
6913 ExpectReceivedTransportParamsEqual(client_.get(), kServerParams);
6914 ExpectReceivedTransportParamsEqual(server_.get(), kClientParams);
6915}
6916
Nick Harper6bfd25c2020-03-30 17:15:19 -0700[diff] [blame]6917TEST_F(QUICMethodTest, ForbidCrossProtocolResumptionClient) {
6918 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6919
6920 g_last_session = nullptr;
6921
6922 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6923 SSL_CTX_sess_set_new_cb(client_ctx_.get(), SaveLastSession);
6924 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6925 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6926
6927 ASSERT_TRUE(CreateClientAndServer());
6928 ASSERT_TRUE(CompleteHandshakesForQUIC());
6929
6930 ExpectHandshakeSuccess();
6931 EXPECT_FALSE(SSL_session_reused(client_.get()));
6932 EXPECT_FALSE(SSL_session_reused(server_.get()));
6933
6934 // The server sent NewSessionTicket messages in the handshake.
6935 EXPECT_FALSE(g_last_session);
6936 ASSERT_TRUE(ProvideHandshakeData(client_.get()));
6937 EXPECT_EQ(SSL_process_quic_post_handshake(client_.get()), 1);
6938 EXPECT_TRUE(g_last_session);
6939
6940 // Pretend that g_last_session came from a TLS-over-TCP connection.
6941 g_last_session.get()->is_quic = false;
6942
6943 // Create a second connection and verify that resumption does not occur with
6944 // a session from a non-QUIC connection. This tests that the client does not
6945 // offer over QUIC a session believed to be received over TCP. The server
6946 // believes this is a QUIC session, so if the client offered the session, the
6947 // server would have resumed it.
6948 ASSERT_TRUE(CreateClientAndServer());
6949 bssl::UniquePtr<SSL_SESSION> session = std::move(g_last_session);
6950 SSL_set_session(client_.get(), session.get());
6951
6952 ASSERT_TRUE(CompleteHandshakesForQUIC());
6953 ExpectHandshakeSuccess();
6954 EXPECT_FALSE(SSL_session_reused(client_.get()));
6955 EXPECT_FALSE(SSL_session_reused(server_.get()));
6956}
6957
6958TEST_F(QUICMethodTest, ForbidCrossProtocolResumptionServer) {
6959 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6960
6961 g_last_session = nullptr;
6962
6963 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6964 SSL_CTX_sess_set_new_cb(client_ctx_.get(), SaveLastSession);
6965 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6966 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6967
6968 ASSERT_TRUE(CreateClientAndServer());
6969 ASSERT_TRUE(CompleteHandshakesForQUIC());
6970
6971 ExpectHandshakeSuccess();
6972 EXPECT_FALSE(SSL_session_reused(client_.get()));
6973 EXPECT_FALSE(SSL_session_reused(server_.get()));
6974
6975 // The server sent NewSessionTicket messages in the handshake.
6976 EXPECT_FALSE(g_last_session);
6977 ASSERT_TRUE(ProvideHandshakeData(client_.get()));
6978 EXPECT_EQ(SSL_process_quic_post_handshake(client_.get()), 1);
6979 EXPECT_TRUE(g_last_session);
6980
6981 // Attempt a resumption with g_last_session using TLS_method.
6982 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
6983 ASSERT_TRUE(client_ctx);
6984
6985 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), nullptr));
6986
6987 bssl::UniquePtr<SSL> client(SSL_new(client_ctx.get())),
6988 server(SSL_new(server_ctx_.get()));
6989 ASSERT_TRUE(client);
6990 ASSERT_TRUE(server);
6991 SSL_set_connect_state(client.get());
6992 SSL_set_accept_state(server.get());
6993
6994 // The TLS-over-TCP client will refuse to resume with a quic session, so
6995 // mark is_quic = false to bypass the client check to test the server check.
6996 g_last_session.get()->is_quic = false;
6997 SSL_set_session(client.get(), g_last_session.get());
6998
6999 BIO *bio1, *bio2;
7000 ASSERT_TRUE(BIO_new_bio_pair(&bio1, 0, &bio2, 0));
7001
7002 // SSL_set_bio takes ownership.
7003 SSL_set_bio(client.get(), bio1, bio1);
7004 SSL_set_bio(server.get(), bio2, bio2);
7005 ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
7006
7007 EXPECT_FALSE(SSL_session_reused(client.get()));
7008 EXPECT_FALSE(SSL_session_reused(server.get()));
7009}
7010
Nick Harper72cff812020-03-26 18:06:16 -0700[diff] [blame]7011TEST_F(QUICMethodTest, ClientRejectsMissingTransportParams) {
7012 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7013 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7014 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7015
7016 ASSERT_TRUE(CreateClientAndServer());
7017 ASSERT_TRUE(SSL_set_quic_transport_params(server_.get(), nullptr, 0));
7018 ASSERT_TRUE(RunQUICHandshakesAndExpectError(ExpectedError::kServerError));
7019}
7020
7021TEST_F(QUICMethodTest, ServerRejectsMissingTransportParams) {
7022 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7023 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7024 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7025
7026 ASSERT_TRUE(CreateClientAndServer());
7027 ASSERT_TRUE(SSL_set_quic_transport_params(client_.get(), nullptr, 0));
7028 ASSERT_TRUE(RunQUICHandshakesAndExpectError(ExpectedError::kClientError));
7029}
7030
David Schinazi3d8b8c32021-01-14 11:25:49 -0800[diff] [blame]7031TEST_F(QUICMethodTest, QuicLegacyCodepointEnabled) {
7032 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7033 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7034 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7035
7036 ASSERT_TRUE(CreateClientAndServer());
7037 uint8_t kClientParams[] = {1, 2, 3, 4};
7038 uint8_t kServerParams[] = {5, 6, 7};
7039 SSL_set_quic_use_legacy_codepoint(client_.get(), 1);
7040 SSL_set_quic_use_legacy_codepoint(server_.get(), 1);
7041 ASSERT_TRUE(SSL_set_quic_transport_params(client_.get(), kClientParams,
7042 sizeof(kClientParams)));
7043 ASSERT_TRUE(SSL_set_quic_transport_params(server_.get(), kServerParams,
7044 sizeof(kServerParams)));
7045
7046 ASSERT_TRUE(CompleteHandshakesForQUIC());
7047 ExpectReceivedTransportParamsEqual(client_.get(), kServerParams);
7048 ExpectReceivedTransportParamsEqual(server_.get(), kClientParams);
7049}
7050
7051TEST_F(QUICMethodTest, QuicLegacyCodepointDisabled) {
7052 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7053 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7054 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7055
7056 ASSERT_TRUE(CreateClientAndServer());
7057 uint8_t kClientParams[] = {1, 2, 3, 4};
7058 uint8_t kServerParams[] = {5, 6, 7};
7059 SSL_set_quic_use_legacy_codepoint(client_.get(), 0);
7060 SSL_set_quic_use_legacy_codepoint(server_.get(), 0);
7061 ASSERT_TRUE(SSL_set_quic_transport_params(client_.get(), kClientParams,
7062 sizeof(kClientParams)));
7063 ASSERT_TRUE(SSL_set_quic_transport_params(server_.get(), kServerParams,
7064 sizeof(kServerParams)));
7065
7066 ASSERT_TRUE(CompleteHandshakesForQUIC());
7067 ExpectReceivedTransportParamsEqual(client_.get(), kServerParams);
7068 ExpectReceivedTransportParamsEqual(server_.get(), kClientParams);
7069}
7070
7071TEST_F(QUICMethodTest, QuicLegacyCodepointClientOnly) {
7072 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7073 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7074 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7075
7076 ASSERT_TRUE(CreateClientAndServer());
7077 uint8_t kClientParams[] = {1, 2, 3, 4};
7078 uint8_t kServerParams[] = {5, 6, 7};
7079 SSL_set_quic_use_legacy_codepoint(client_.get(), 1);
7080 SSL_set_quic_use_legacy_codepoint(server_.get(), 0);
7081 ASSERT_TRUE(SSL_set_quic_transport_params(client_.get(), kClientParams,
7082 sizeof(kClientParams)));
7083 ASSERT_TRUE(SSL_set_quic_transport_params(server_.get(), kServerParams,
7084 sizeof(kServerParams)));
7085
7086 ASSERT_TRUE(RunQUICHandshakesAndExpectError(ExpectedError::kServerError));
7087}
7088
7089TEST_F(QUICMethodTest, QuicLegacyCodepointServerOnly) {
7090 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7091 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7092 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7093
7094 ASSERT_TRUE(CreateClientAndServer());
7095 uint8_t kClientParams[] = {1, 2, 3, 4};
7096 uint8_t kServerParams[] = {5, 6, 7};
7097 SSL_set_quic_use_legacy_codepoint(client_.get(), 0);
7098 SSL_set_quic_use_legacy_codepoint(server_.get(), 1);
7099 ASSERT_TRUE(SSL_set_quic_transport_params(client_.get(), kClientParams,
7100 sizeof(kClientParams)));
7101 ASSERT_TRUE(SSL_set_quic_transport_params(server_.get(), kServerParams,
7102 sizeof(kServerParams)));
7103
7104 ASSERT_TRUE(RunQUICHandshakesAndExpectError(ExpectedError::kServerError));
7105}
7106
David Benjaminc47bfce2021-01-20 17:10:32 -0500[diff] [blame]7107// Test that the default QUIC code point is consistent with
7108// |TLSEXT_TYPE_quic_transport_parameters|. This test ensures we remember to
7109// update the two values together.
7110TEST_F(QUICMethodTest, QuicCodePointDefault) {
7111 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7112 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7113 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7114 SSL_CTX_set_select_certificate_cb(
7115 server_ctx_.get(),
7116 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
7117 const uint8_t *data;
7118 size_t len;
7119 if (!SSL_early_callback_ctx_extension_get(
7120 client_hello, TLSEXT_TYPE_quic_transport_parameters, &data,
7121 &len)) {
7122 ADD_FAILURE() << "Could not find quic_transport_parameters extension";
7123 return ssl_select_cert_error;
7124 }
7125 return ssl_select_cert_success;
7126 });
7127
7128 ASSERT_TRUE(CreateClientAndServer());
7129 ASSERT_TRUE(CompleteHandshakesForQUIC());
7130}
7131
Adam Langley7540cc22019-04-18 09:56:13 -0700[diff] [blame]7132extern "C" {
7133int BORINGSSL_enum_c_type_test(void);
7134}
7135
7136TEST(SSLTest, EnumTypes) {
7137 EXPECT_EQ(sizeof(int), sizeof(ssl_private_key_result_t));
7138 EXPECT_EQ(1, BORINGSSL_enum_c_type_test());
7139}
7140
David Benjaminb29e1e12019-05-06 14:44:46 -0500[diff] [blame]7141TEST_P(SSLVersionTest, DoubleSSLError) {
7142 // Connect the inner SSL connections.
7143 ASSERT_TRUE(Connect());
7144
7145 // Make a pair of |BIO|s which wrap |client_| and |server_|.
7146 UniquePtr<BIO_METHOD> bio_method(BIO_meth_new(0, nullptr));
7147 ASSERT_TRUE(bio_method);
7148 ASSERT_TRUE(BIO_meth_set_read(
7149 bio_method.get(), [](BIO *bio, char *out, int len) -> int {
7150 SSL *ssl = static_cast<SSL *>(BIO_get_data(bio));
7151 int ret = SSL_read(ssl, out, len);
7152 int ssl_ret = SSL_get_error(ssl, ret);
7153 if (ssl_ret == SSL_ERROR_WANT_READ) {
7154 BIO_set_retry_read(bio);
7155 }
7156 return ret;
7157 }));
7158 ASSERT_TRUE(BIO_meth_set_write(
7159 bio_method.get(), [](BIO *bio, const char *in, int len) -> int {
7160 SSL *ssl = static_cast<SSL *>(BIO_get_data(bio));
7161 int ret = SSL_write(ssl, in, len);
7162 int ssl_ret = SSL_get_error(ssl, ret);
7163 if (ssl_ret == SSL_ERROR_WANT_WRITE) {
7164 BIO_set_retry_write(bio);
7165 }
7166 return ret;
7167 }));
7168 ASSERT_TRUE(BIO_meth_set_ctrl(
7169 bio_method.get(), [](BIO *bio, int cmd, long larg, void *parg) -> long {
7170 // |SSL| objects require |BIO_flush| support.
7171 if (cmd == BIO_CTRL_FLUSH) {
7172 return 1;
7173 }
7174 return 0;
7175 }));
7176
7177 UniquePtr<BIO> client_bio(BIO_new(bio_method.get()));
7178 ASSERT_TRUE(client_bio);
7179 BIO_set_data(client_bio.get(), client_.get());
7180 BIO_set_init(client_bio.get(), 1);
7181
7182 UniquePtr<BIO> server_bio(BIO_new(bio_method.get()));
7183 ASSERT_TRUE(server_bio);
7184 BIO_set_data(server_bio.get(), server_.get());
7185 BIO_set_init(server_bio.get(), 1);
7186
7187 // Wrap the inner connections in another layer of SSL.
7188 UniquePtr<SSL> client_outer(SSL_new(client_ctx_.get()));
7189 ASSERT_TRUE(client_outer);
7190 SSL_set_connect_state(client_outer.get());
7191 SSL_set_bio(client_outer.get(), client_bio.get(), client_bio.get());
7192 client_bio.release(); // |SSL_set_bio| takes ownership.
7193
7194 UniquePtr<SSL> server_outer(SSL_new(server_ctx_.get()));
7195 ASSERT_TRUE(server_outer);
7196 SSL_set_accept_state(server_outer.get());
7197 SSL_set_bio(server_outer.get(), server_bio.get(), server_bio.get());
7198 server_bio.release(); // |SSL_set_bio| takes ownership.
7199
7200 // Configure |client_outer| to reject the server certificate.
7201 SSL_set_custom_verify(
7202 client_outer.get(), SSL_VERIFY_PEER,
7203 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
7204 return ssl_verify_invalid;
7205 });
7206
7207 for (;;) {
7208 int client_ret = SSL_do_handshake(client_outer.get());
7209 int client_err = SSL_get_error(client_outer.get(), client_ret);
7210 if (client_err != SSL_ERROR_WANT_READ &&
7211 client_err != SSL_ERROR_WANT_WRITE) {
7212 // The client handshake should terminate on a certificate verification
7213 // error.
7214 EXPECT_EQ(SSL_ERROR_SSL, client_err);
7215 uint32_t err = ERR_peek_error();
7216 EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err));
7217 EXPECT_EQ(SSL_R_CERTIFICATE_VERIFY_FAILED, ERR_GET_REASON(err));
7218 break;
7219 }
7220
7221 // Run the server handshake and continue.
7222 int server_ret = SSL_do_handshake(server_outer.get());
7223 int server_err = SSL_get_error(server_outer.get(), server_ret);
7224 ASSERT_TRUE(server_err == SSL_ERROR_NONE ||
7225 server_err == SSL_ERROR_WANT_READ ||
7226 server_err == SSL_ERROR_WANT_WRITE);
7227 }
7228}
7229
David Benjamin1b819472020-06-09 14:01:02 -0400[diff] [blame]7230TEST_P(SSLVersionTest, SameKeyResume) {
7231 uint8_t key[48];
7232 RAND_bytes(key, sizeof(key));
7233
7234 bssl::UniquePtr<SSL_CTX> server_ctx2 = CreateContext();
7235 ASSERT_TRUE(server_ctx2);
7236 ASSERT_TRUE(UseCertAndKey(server_ctx2.get()));
7237 ASSERT_TRUE(
7238 SSL_CTX_set_tlsext_ticket_keys(server_ctx_.get(), key, sizeof(key)));
7239 ASSERT_TRUE(
7240 SSL_CTX_set_tlsext_ticket_keys(server_ctx2.get(), key, sizeof(key)));
7241
7242 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
7243 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
7244 SSL_CTX_set_session_cache_mode(server_ctx2.get(), SSL_SESS_CACHE_BOTH);
7245
7246 // Establish a session for |server_ctx_|.
7247 bssl::UniquePtr<SSL_SESSION> session =
7248 CreateClientSession(client_ctx_.get(), server_ctx_.get());
7249 ASSERT_TRUE(session);
7250 ClientConfig config;
7251 config.session = session.get();
7252
7253 // Resuming with |server_ctx_| again works.
7254 bssl::UniquePtr<SSL> client, server;
7255 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
7256 server_ctx_.get(), config));
7257 EXPECT_TRUE(SSL_session_reused(client.get()));
7258 EXPECT_TRUE(SSL_session_reused(server.get()));
7259
7260 // Resuming with |server_ctx2| also works.
7261 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
7262 server_ctx2.get(), config));
7263 EXPECT_TRUE(SSL_session_reused(client.get()));
7264 EXPECT_TRUE(SSL_session_reused(server.get()));
7265}
7266
7267TEST_P(SSLVersionTest, DifferentKeyNoResume) {
7268 uint8_t key1[48], key2[48];
7269 RAND_bytes(key1, sizeof(key1));
7270 RAND_bytes(key2, sizeof(key2));
7271
7272 bssl::UniquePtr<SSL_CTX> server_ctx2 = CreateContext();
7273 ASSERT_TRUE(server_ctx2);
7274 ASSERT_TRUE(UseCertAndKey(server_ctx2.get()));
7275 ASSERT_TRUE(
7276 SSL_CTX_set_tlsext_ticket_keys(server_ctx_.get(), key1, sizeof(key1)));
7277 ASSERT_TRUE(
7278 SSL_CTX_set_tlsext_ticket_keys(server_ctx2.get(), key2, sizeof(key2)));
7279
7280 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
7281 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
7282 SSL_CTX_set_session_cache_mode(server_ctx2.get(), SSL_SESS_CACHE_BOTH);
7283
7284 // Establish a session for |server_ctx_|.
7285 bssl::UniquePtr<SSL_SESSION> session =
7286 CreateClientSession(client_ctx_.get(), server_ctx_.get());
7287 ASSERT_TRUE(session);
7288 ClientConfig config;
7289 config.session = session.get();
7290
7291 // Resuming with |server_ctx_| again works.
7292 bssl::UniquePtr<SSL> client, server;
7293 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
7294 server_ctx_.get(), config));
7295 EXPECT_TRUE(SSL_session_reused(client.get()));
7296 EXPECT_TRUE(SSL_session_reused(server.get()));
7297
7298 // Resuming with |server_ctx2| does not work.
7299 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
7300 server_ctx2.get(), config));
7301 EXPECT_FALSE(SSL_session_reused(client.get()));
7302 EXPECT_FALSE(SSL_session_reused(server.get()));
7303}
7304
7305TEST_P(SSLVersionTest, UnrelatedServerNoResume) {
7306 bssl::UniquePtr<SSL_CTX> server_ctx2 = CreateContext();
7307 ASSERT_TRUE(server_ctx2);
7308 ASSERT_TRUE(UseCertAndKey(server_ctx2.get()));
7309
7310 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
7311 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
7312 SSL_CTX_set_session_cache_mode(server_ctx2.get(), SSL_SESS_CACHE_BOTH);
7313
7314 // Establish a session for |server_ctx_|.
7315 bssl::UniquePtr<SSL_SESSION> session =
7316 CreateClientSession(client_ctx_.get(), server_ctx_.get());
7317 ASSERT_TRUE(session);
7318 ClientConfig config;
7319 config.session = session.get();
7320
7321 // Resuming with |server_ctx_| again works.
7322 bssl::UniquePtr<SSL> client, server;
7323 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
7324 server_ctx_.get(), config));
7325 EXPECT_TRUE(SSL_session_reused(client.get()));
7326 EXPECT_TRUE(SSL_session_reused(server.get()));
7327
7328 // Resuming with |server_ctx2| does not work.
7329 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
7330 server_ctx2.get(), config));
7331 EXPECT_FALSE(SSL_session_reused(client.get()));
7332 EXPECT_FALSE(SSL_session_reused(server.get()));
7333}
7334
Adam Langley47cefed2021-05-26 13:36:40 -0700[diff] [blame]7335Span<const uint8_t> SessionIDOf(const SSL* ssl) {
7336 const SSL_SESSION *session = SSL_get_session(ssl);
7337 unsigned len;
7338 const uint8_t *data = SSL_SESSION_get_id(session, &len);
7339 return MakeConstSpan(data, len);
7340}
7341
7342TEST_P(SSLVersionTest, TicketSessionIDsMatch) {
7343 // This checks that the session IDs at client and server match after a ticket
7344 // resumption. It's unclear whether this should be true, but Envoy depends
7345 // on it in their tests so this will give an early signal if we break it.
7346 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
7347 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
7348
7349 bssl::UniquePtr<SSL_SESSION> session =
7350 CreateClientSession(client_ctx_.get(), server_ctx_.get());
7351
7352 bssl::UniquePtr<SSL> client, server;
7353 ClientConfig config;
7354 config.session = session.get();
7355 EXPECT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
7356 server_ctx_.get(), config));
7357 EXPECT_TRUE(SSL_session_reused(client.get()));
7358 EXPECT_TRUE(SSL_session_reused(server.get()));
7359
7360 EXPECT_EQ(Bytes(SessionIDOf(client.get())), Bytes(SessionIDOf(server.get())));
7361}
7362
David Benjamin0e7dbd52019-05-15 16:01:18 -0400[diff] [blame]7363TEST(SSLTest, WriteWhileExplicitRenegotiate) {
David Benjamin9b2cdb72021-04-01 23:21:53 -0400[diff] [blame]7364 bssl::UniquePtr<SSL_CTX> ctx(CreateContextWithTestCertificate(TLS_method()));
David Benjamin0e7dbd52019-05-15 16:01:18 -0400[diff] [blame]7365 ASSERT_TRUE(ctx);
7366
David Benjamin0e7dbd52019-05-15 16:01:18 -0400[diff] [blame]7367 ASSERT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_2_VERSION));
7368 ASSERT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_2_VERSION));
7369 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(
7370 ctx.get(), "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"));
7371
7372 bssl::UniquePtr<SSL> client, server;
David Benjamin9b2cdb72021-04-01 23:21:53 -0400[diff] [blame]7373 ASSERT_TRUE(CreateClientAndServer(&client, &server, ctx.get(), ctx.get()));
David Benjamin0e7dbd52019-05-15 16:01:18 -0400[diff] [blame]7374 SSL_set_renegotiate_mode(client.get(), ssl_renegotiate_explicit);
David Benjamin9b2cdb72021-04-01 23:21:53 -0400[diff] [blame]7375 ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
David Benjamin0e7dbd52019-05-15 16:01:18 -0400[diff] [blame]7376
7377 static const uint8_t kInput[] = {'h', 'e', 'l', 'l', 'o'};
7378
7379 // Write "hello" until the buffer is full, so |client| has a pending write.
7380 size_t num_writes = 0;
7381 for (;;) {
7382 int ret = SSL_write(client.get(), kInput, sizeof(kInput));
7383 if (ret != int(sizeof(kInput))) {
7384 ASSERT_EQ(-1, ret);
7385 ASSERT_EQ(SSL_ERROR_WANT_WRITE, SSL_get_error(client.get(), ret));
7386 break;
7387 }
7388 num_writes++;
7389 }
7390
7391 // Encrypt a HelloRequest.
7392 uint8_t in[] = {SSL3_MT_HELLO_REQUEST, 0, 0, 0};
7393#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
7394 // Fuzzer-mode records are unencrypted.
7395 uint8_t record[5 + sizeof(in)];
7396 record[0] = SSL3_RT_HANDSHAKE;
7397 record[1] = 3;
7398 record[2] = 3; // TLS 1.2
7399 record[3] = 0;
7400 record[4] = sizeof(record) - 5;
7401 memcpy(record + 5, in, sizeof(in));
7402#else
7403 // Extract key material from |server|.
7404 static const size_t kKeyLen = 32;
7405 static const size_t kNonceLen = 12;
7406 ASSERT_EQ(2u * (kKeyLen + kNonceLen), SSL_get_key_block_len(server.get()));
7407 uint8_t key_block[2u * (kKeyLen + kNonceLen)];
7408 ASSERT_TRUE(
7409 SSL_generate_key_block(server.get(), key_block, sizeof(key_block)));
7410 Span<uint8_t> key = MakeSpan(key_block + kKeyLen, kKeyLen);
7411 Span<uint8_t> nonce =
7412 MakeSpan(key_block + kKeyLen + kKeyLen + kNonceLen, kNonceLen);
7413
7414 uint8_t ad[13];
7415 uint64_t seq = SSL_get_write_sequence(server.get());
7416 for (size_t i = 0; i < 8; i++) {
7417 // The nonce is XORed with the sequence number.
7418 nonce[11 - i] ^= uint8_t(seq);
7419 ad[7 - i] = uint8_t(seq);
7420 seq >>= 8;
7421 }
7422
7423 ad[8] = SSL3_RT_HANDSHAKE;
7424 ad[9] = 3;
7425 ad[10] = 3; // TLS 1.2
7426 ad[11] = 0;
7427 ad[12] = sizeof(in);
7428
7429 uint8_t record[5 + sizeof(in) + 16];
7430 record[0] = SSL3_RT_HANDSHAKE;
7431 record[1] = 3;
7432 record[2] = 3; // TLS 1.2
7433 record[3] = 0;
7434 record[4] = sizeof(record) - 5;
7435
7436 ScopedEVP_AEAD_CTX aead;
7437 ASSERT_TRUE(EVP_AEAD_CTX_init(aead.get(), EVP_aead_chacha20_poly1305(),
7438 key.data(), key.size(),
7439 EVP_AEAD_DEFAULT_TAG_LENGTH, nullptr));
7440 size_t len;
7441 ASSERT_TRUE(EVP_AEAD_CTX_seal(aead.get(), record + 5, &len,
7442 sizeof(record) - 5, nonce.data(), nonce.size(),
7443 in, sizeof(in), ad, sizeof(ad)));
7444 ASSERT_EQ(sizeof(record) - 5, len);
7445#endif // BORINGSSL_UNSAFE_FUZZER_MODE
7446
7447 ASSERT_EQ(int(sizeof(record)),
7448 BIO_write(SSL_get_wbio(server.get()), record, sizeof(record)));
7449
7450 // |SSL_read| should pick up the HelloRequest.
7451 uint8_t byte;
7452 ASSERT_EQ(-1, SSL_read(client.get(), &byte, 1));
7453 ASSERT_EQ(SSL_ERROR_WANT_RENEGOTIATE, SSL_get_error(client.get(), -1));
7454
7455 // Drain the data from the |client|.
7456 uint8_t buf[sizeof(kInput)];
7457 for (size_t i = 0; i < num_writes; i++) {
7458 ASSERT_EQ(int(sizeof(buf)), SSL_read(server.get(), buf, sizeof(buf)));
7459 EXPECT_EQ(Bytes(buf), Bytes(kInput));
7460 }
7461
7462 // |client| should be able to finish the pending write and continue to write,
7463 // despite the paused HelloRequest.
7464 ASSERT_EQ(int(sizeof(kInput)),
7465 SSL_write(client.get(), kInput, sizeof(kInput)));
7466 ASSERT_EQ(int(sizeof(buf)), SSL_read(server.get(), buf, sizeof(buf)));
7467 EXPECT_EQ(Bytes(buf), Bytes(kInput));
7468
7469 ASSERT_EQ(int(sizeof(kInput)),
7470 SSL_write(client.get(), kInput, sizeof(kInput)));
7471 ASSERT_EQ(int(sizeof(buf)), SSL_read(server.get(), buf, sizeof(buf)));
7472 EXPECT_EQ(Bytes(buf), Bytes(kInput));
7473
7474 // |SSL_read| is stuck until we acknowledge the HelloRequest.
7475 ASSERT_EQ(-1, SSL_read(client.get(), &byte, 1));
7476 ASSERT_EQ(SSL_ERROR_WANT_RENEGOTIATE, SSL_get_error(client.get(), -1));
7477
7478 ASSERT_TRUE(SSL_renegotiate(client.get()));
7479 ASSERT_EQ(-1, SSL_read(client.get(), &byte, 1));
7480 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(client.get(), -1));
7481
7482 // We never renegotiate as a server.
7483 ASSERT_EQ(-1, SSL_read(server.get(), buf, sizeof(buf)));
7484 ASSERT_EQ(SSL_ERROR_SSL, SSL_get_error(server.get(), -1));
7485 uint32_t err = ERR_get_error();
7486 EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err));
7487 EXPECT_EQ(SSL_R_NO_RENEGOTIATION, ERR_GET_REASON(err));
7488}
7489
David Benjaminf9e0cda2020-03-23 18:29:09 -0400[diff] [blame]7490
7491TEST(SSLTest, CopyWithoutEarlyData) {
7492 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
David Benjamin9b2cdb72021-04-01 23:21:53 -0400[diff] [blame]7493 bssl::UniquePtr<SSL_CTX> server_ctx(
7494 CreateContextWithTestCertificate(TLS_method()));
David Benjaminf9e0cda2020-03-23 18:29:09 -0400[diff] [blame]7495 ASSERT_TRUE(client_ctx);
7496 ASSERT_TRUE(server_ctx);
7497
David Benjaminf9e0cda2020-03-23 18:29:09 -0400[diff] [blame]7498 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
7499 SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH);
7500 SSL_CTX_set_early_data_enabled(client_ctx.get(), 1);
7501 SSL_CTX_set_early_data_enabled(server_ctx.get(), 1);
7502
7503 bssl::UniquePtr<SSL_SESSION> session =
7504 CreateClientSession(client_ctx.get(), server_ctx.get());
7505 ASSERT_TRUE(session);
7506
7507 // The client should attempt early data with |session|.
David Benjaminf9e0cda2020-03-23 18:29:09 -0400[diff] [blame]7508 bssl::UniquePtr<SSL> client, server;
David Benjamin9b2cdb72021-04-01 23:21:53 -0400[diff] [blame]7509 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
7510 server_ctx.get()));
7511 SSL_set_session(client.get(), session.get());
7512 SSL_set_early_data_enabled(client.get(), 1);
David Benjaminf9e0cda2020-03-23 18:29:09 -0400[diff] [blame]7513 ASSERT_EQ(1, SSL_do_handshake(client.get()));
7514 EXPECT_TRUE(SSL_in_early_data(client.get()));
7515
7516 // |SSL_SESSION_copy_without_early_data| should disable early data but
7517 // still resume the session.
7518 bssl::UniquePtr<SSL_SESSION> session2(
7519 SSL_SESSION_copy_without_early_data(session.get()));
7520 ASSERT_TRUE(session2);
7521 EXPECT_NE(session.get(), session2.get());
David Benjamin9b2cdb72021-04-01 23:21:53 -0400[diff] [blame]7522 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
7523 server_ctx.get()));
7524 SSL_set_session(client.get(), session2.get());
7525 SSL_set_early_data_enabled(client.get(), 1);
7526 EXPECT_TRUE(CompleteHandshakes(client.get(), server.get()));
David Benjaminf9e0cda2020-03-23 18:29:09 -0400[diff] [blame]7527 EXPECT_TRUE(SSL_session_reused(client.get()));
7528 EXPECT_EQ(ssl_early_data_unsupported_for_session,
7529 SSL_get_early_data_reason(client.get()));
7530
7531 // |SSL_SESSION_copy_without_early_data| should be a reference count increase
7532 // when passed an early-data-incapable session.
7533 bssl::UniquePtr<SSL_SESSION> session3(
7534 SSL_SESSION_copy_without_early_data(session2.get()));
7535 EXPECT_EQ(session2.get(), session3.get());
7536}
7537
Adam Langley53a17f52020-05-26 14:44:07 -0700[diff] [blame]7538TEST(SSLTest, ProcessTLS13NewSessionTicket) {
7539 // Configure client and server to negotiate TLS 1.3 only.
Adam Langley53a17f52020-05-26 14:44:07 -0700[diff] [blame]7540 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
David Benjamin9b2cdb72021-04-01 23:21:53 -0400[diff] [blame]7541 bssl::UniquePtr<SSL_CTX> server_ctx(
7542 CreateContextWithTestCertificate(TLS_method()));
Adam Langley53a17f52020-05-26 14:44:07 -0700[diff] [blame]7543 ASSERT_TRUE(client_ctx);
7544 ASSERT_TRUE(server_ctx);
7545 ASSERT_TRUE(SSL_CTX_set_min_proto_version(client_ctx.get(), TLS1_3_VERSION));
7546 ASSERT_TRUE(SSL_CTX_set_min_proto_version(server_ctx.get(), TLS1_3_VERSION));
7547 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION));
7548 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
Adam Langley53a17f52020-05-26 14:44:07 -0700[diff] [blame]7549
7550 bssl::UniquePtr<SSL> client, server;
7551 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
7552 server_ctx.get()));
7553 EXPECT_EQ(TLS1_3_VERSION, SSL_version(client.get()));
7554
7555 // Process a TLS 1.3 NewSessionTicket.
7556 static const uint8_t kTicket[] = {
7557 0x04, 0x00, 0x00, 0xb2, 0x00, 0x02, 0xa3, 0x00, 0x04, 0x03, 0x02, 0x01,
7558 0x01, 0x00, 0x00, 0xa0, 0x01, 0x06, 0x09, 0x11, 0x16, 0x19, 0x21, 0x26,
7559 0x29, 0x31, 0x36, 0x39, 0x41, 0x46, 0x49, 0x51, 0x03, 0x06, 0x09, 0x13,
7560 0x16, 0x19, 0x23, 0x26, 0x29, 0x33, 0x36, 0x39, 0x43, 0x46, 0x49, 0x53,
7561 0xf7, 0x00, 0x29, 0xec, 0xf2, 0xc4, 0xa4, 0x41, 0xfc, 0x30, 0x17, 0x2e,
7562 0x9f, 0x7c, 0xa8, 0xaf, 0x75, 0x70, 0xf0, 0x1f, 0xc7, 0x98, 0xf7, 0xcf,
7563 0x5a, 0x5a, 0x6b, 0x5b, 0xfe, 0xf1, 0xe7, 0x3a, 0xe8, 0xf7, 0x6c, 0xd2,
7564 0xa8, 0xa6, 0x92, 0x5b, 0x96, 0x8d, 0xde, 0xdb, 0xd3, 0x20, 0x6a, 0xcb,
7565 0x69, 0x06, 0xf4, 0x91, 0x85, 0x2e, 0xe6, 0x5e, 0x0c, 0x59, 0xf2, 0x9e,
7566 0x9b, 0x79, 0x91, 0x24, 0x7e, 0x4a, 0x32, 0x3d, 0xbe, 0x4b, 0x80, 0x70,
7567 0xaf, 0xd0, 0x1d, 0xe2, 0xca, 0x05, 0x35, 0x09, 0x09, 0x05, 0x0f, 0xbb,
7568 0xc4, 0xae, 0xd7, 0xc4, 0xed, 0xd7, 0xae, 0x35, 0xc8, 0x73, 0x63, 0x78,
7569 0x64, 0xc9, 0x7a, 0x1f, 0xed, 0x7a, 0x9a, 0x47, 0x44, 0xfd, 0x50, 0xf7,
7570 0xb7, 0xe0, 0x64, 0xa9, 0x02, 0xc1, 0x5c, 0x23, 0x18, 0x3f, 0xc4, 0xcf,
7571 0x72, 0x02, 0x59, 0x2d, 0xe1, 0xaa, 0x61, 0x72, 0x00, 0x04, 0x5a, 0x5a,
7572 0x00, 0x00,
7573 };
7574 bssl::UniquePtr<SSL_SESSION> session(SSL_process_tls13_new_session_ticket(
7575 client.get(), kTicket, sizeof(kTicket)));
7576 ASSERT_TRUE(session);
7577 ASSERT_TRUE(SSL_SESSION_has_ticket(session.get()));
7578
7579 uint8_t *session_buf = nullptr;
7580 size_t session_length = 0;
7581 ASSERT_TRUE(
7582 SSL_SESSION_to_bytes(session.get(), &session_buf, &session_length));
7583 bssl::UniquePtr<uint8_t> session_buf_free(session_buf);
7584 ASSERT_TRUE(session_buf);
7585 ASSERT_GT(session_length, 0u);
7586
7587 // Servers cannot call |SSL_process_tls13_new_session_ticket|.
7588 ASSERT_FALSE(SSL_process_tls13_new_session_ticket(server.get(), kTicket,
7589 sizeof(kTicket)));
7590
7591 // Clients cannot call |SSL_process_tls13_new_session_ticket| before the
7592 // handshake completes.
7593 bssl::UniquePtr<SSL> client2(SSL_new(client_ctx.get()));
7594 ASSERT_TRUE(client2);
7595 SSL_set_connect_state(client2.get());
7596 ASSERT_FALSE(SSL_process_tls13_new_session_ticket(client2.get(), kTicket,
7597 sizeof(kTicket)));
7598}
7599
David Benjamin3989c992020-10-09 14:12:06 -0400[diff] [blame]7600TEST(SSLTest, BIO) {
7601 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
David Benjamin9b2cdb72021-04-01 23:21:53 -0400[diff] [blame]7602 bssl::UniquePtr<SSL_CTX> server_ctx(
7603 CreateContextWithTestCertificate(TLS_method()));
David Benjamin3989c992020-10-09 14:12:06 -0400[diff] [blame]7604 ASSERT_TRUE(client_ctx);
7605 ASSERT_TRUE(server_ctx);
7606
David Benjamin3989c992020-10-09 14:12:06 -0400[diff] [blame]7607 for (bool take_ownership : {true, false}) {
7608 // For simplicity, get the handshake out of the way first.
7609 bssl::UniquePtr<SSL> client, server;
7610 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
7611 server_ctx.get()));
7612
7613 // Wrap |client| in an SSL BIO.
7614 bssl::UniquePtr<BIO> client_bio(BIO_new(BIO_f_ssl()));
7615 ASSERT_TRUE(client_bio);
7616 ASSERT_EQ(1, BIO_set_ssl(client_bio.get(), client.get(), take_ownership));
7617 if (take_ownership) {
7618 client.release();
7619 }
7620
7621 // Flushing the BIO should not crash.
7622 EXPECT_EQ(1, BIO_flush(client_bio.get()));
7623
7624 // Exchange some data.
7625 EXPECT_EQ(5, BIO_write(client_bio.get(), "hello", 5));
7626 uint8_t buf[5];
7627 ASSERT_EQ(5, SSL_read(server.get(), buf, sizeof(buf)));
7628 EXPECT_EQ(Bytes("hello"), Bytes(buf));
7629
7630 EXPECT_EQ(5, SSL_write(server.get(), "world", 5));
7631 ASSERT_EQ(5, BIO_read(client_bio.get(), buf, sizeof(buf)));
7632 EXPECT_EQ(Bytes("world"), Bytes(buf));
7633
7634 // |BIO_should_read| should work.
7635 EXPECT_EQ(-1, BIO_read(client_bio.get(), buf, sizeof(buf)));
7636 EXPECT_TRUE(BIO_should_read(client_bio.get()));
7637
7638 // Writing data should eventually exceed the buffer size and fail, reporting
7639 // |BIO_should_write|.
7640 int ret;
7641 for (int i = 0; i < 1024; i++) {
7642 std::vector<uint8_t> buffer(1024);
7643 ret = BIO_write(client_bio.get(), buffer.data(), buffer.size());
7644 if (ret <= 0) {
7645 break;
7646 }
7647 }
7648 EXPECT_EQ(-1, ret);
7649 EXPECT_TRUE(BIO_should_write(client_bio.get()));
7650 }
7651}
7652
David Benjamin12a3e7e2021-04-13 11:47:36 -0400[diff] [blame]7653TEST(SSLTest, ALPNConfig) {
7654 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
7655 ASSERT_TRUE(ctx);
7656 bssl::UniquePtr<X509> cert = GetTestCertificate();
7657 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
7658 ASSERT_TRUE(cert);
7659 ASSERT_TRUE(key);
7660 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), cert.get()));
7661 ASSERT_TRUE(SSL_CTX_use_PrivateKey(ctx.get(), key.get()));
7662
7663 // Set up some machinery to check the configured ALPN against what is actually
7664 // sent over the wire. Note that the ALPN callback is only called when the
7665 // client offers ALPN.
7666 std::vector<uint8_t> observed_alpn;
7667 SSL_CTX_set_alpn_select_cb(
7668 ctx.get(),
7669 [](SSL *ssl, const uint8_t **out, uint8_t *out_len, const uint8_t *in,
7670 unsigned in_len, void *arg) -> int {
7671 std::vector<uint8_t> *observed_alpn_ptr =
7672 static_cast<std::vector<uint8_t> *>(arg);
7673 observed_alpn_ptr->assign(in, in + in_len);
7674 return SSL_TLSEXT_ERR_NOACK;
7675 },
7676 &observed_alpn);
7677 auto check_alpn_proto = [&](Span<const uint8_t> expected) {
7678 observed_alpn.clear();
7679 bssl::UniquePtr<SSL> client, server;
7680 EXPECT_TRUE(ConnectClientAndServer(&client, &server, ctx.get(), ctx.get()));
7681 EXPECT_EQ(Bytes(expected), Bytes(observed_alpn));
7682 };
7683
7684 // Note that |SSL_CTX_set_alpn_protos|'s return value is reversed.
7685 static const uint8_t kValidList[] = {0x03, 'f', 'o', 'o',
7686 0x03, 'b', 'a', 'r'};
7687 EXPECT_EQ(0,
7688 SSL_CTX_set_alpn_protos(ctx.get(), kValidList, sizeof(kValidList)));
7689 check_alpn_proto(kValidList);
7690
7691 // Invalid lists are rejected.
7692 static const uint8_t kInvalidList[] = {0x04, 'f', 'o', 'o'};
7693 EXPECT_EQ(1, SSL_CTX_set_alpn_protos(ctx.get(), kInvalidList,
7694 sizeof(kInvalidList)));
7695
7696 // Empty lists are valid and are interpreted as disabling ALPN.
7697 EXPECT_EQ(0, SSL_CTX_set_alpn_protos(ctx.get(), nullptr, 0));
7698 check_alpn_proto({});
7699}
7700
David Benjamin2f3958a2021-04-16 11:55:23 -0400[diff] [blame]7701// Test that the key usage checker can correctly handle issuerUID and
7702// subjectUID. See https://crbug.com/1199744.
7703TEST(SSLTest, KeyUsageWithUIDs) {
7704 static const char kGoodKeyUsage[] = R"(
7705-----BEGIN CERTIFICATE-----
7706MIIB7DCCAZOgAwIBAgIJANlMBNpJfb/rMAoGCCqGSM49BAMCMEUxCzAJBgNVBAYT
7707AkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRn
7708aXRzIFB0eSBMdGQwHhcNMTQwNDIzMjMyMTU3WhcNMTQwNTIzMjMyMTU3WjBFMQsw
7709CQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJu
7710ZXQgV2lkZ2l0cyBQdHkgTHRkMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE5itp
77114r9ln5e+Lx4NlIpM1Zdrt6keDUb73ampHp3culoB59aXqAoY+cPEox5W4nyDSNsW
7712Ghz1HX7xlC1Lz3IiwYEEABI0VoIEABI0VqNgMF4wHQYDVR0OBBYEFKuE0qyrlfCC
7713ThZ4B1VXX+QmjYLRMB8GA1UdIwQYMBaAFKuE0qyrlfCCThZ4B1VXX+QmjYLRMA4G
7714A1UdDwEB/wQEAwIHgDAMBgNVHRMEBTADAQH/MAoGCCqGSM49BAMCA0cAMEQCIEWJ
771534EcqW5MHwLIA1hZ2Tj/jV2QjN02KLxis9mFsqDKAiAMlMTkzsM51vVs9Ohqa+Rc
77164Z7qDhjIhiF4dM0uEDYRVA==
7717-----END CERTIFICATE-----
7718)";
7719 static const char kBadKeyUsage[] = R"(
7720-----BEGIN CERTIFICATE-----
7721MIIB7jCCAZOgAwIBAgIJANlMBNpJfb/rMAoGCCqGSM49BAMCMEUxCzAJBgNVBAYT
7722AkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRn
7723aXRzIFB0eSBMdGQwHhcNMTQwNDIzMjMyMTU3WhcNMTQwNTIzMjMyMTU3WjBFMQsw
7724CQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJu
7725ZXQgV2lkZ2l0cyBQdHkgTHRkMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE5itp
77264r9ln5e+Lx4NlIpM1Zdrt6keDUb73ampHp3culoB59aXqAoY+cPEox5W4nyDSNsW
7727Ghz1HX7xlC1Lz3IiwYEEABI0VoIEABI0VqNgMF4wHQYDVR0OBBYEFKuE0qyrlfCC
7728ThZ4B1VXX+QmjYLRMB8GA1UdIwQYMBaAFKuE0qyrlfCCThZ4B1VXX+QmjYLRMA4G
7729A1UdDwEB/wQEAwIDCDAMBgNVHRMEBTADAQH/MAoGCCqGSM49BAMCA0kAMEYCIQC6
7730taYBUDu2gcZC6EMk79FBHArYI0ucF+kzvETegZCbBAIhANtObFec5gtso/47moPD
7731RHrQbWsFUakETXL9QMlegh5t
7732-----END CERTIFICATE-----
7733)";
7734
7735 bssl::UniquePtr<X509> good = CertFromPEM(kGoodKeyUsage);
7736 ASSERT_TRUE(good);
7737 bssl::UniquePtr<X509> bad = CertFromPEM(kBadKeyUsage);
7738 ASSERT_TRUE(bad);
7739
7740 // We check key usage when configuring EC certificates to distinguish ECDSA
7741 // and ECDH.
7742 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
7743 ASSERT_TRUE(ctx);
7744 EXPECT_TRUE(SSL_CTX_use_certificate(ctx.get(), good.get()));
7745 EXPECT_FALSE(SSL_CTX_use_certificate(ctx.get(), bad.get()));
7746}
7747
David Benjamin9b2cdb72021-04-01 23:21:53 -0400[diff] [blame]7748// Test that |SSL_can_release_private_key| reports true as early as expected.
7749// The internal asserts in the library check we do not report true too early.
7750TEST(SSLTest, CanReleasePrivateKey) {
7751 bssl::UniquePtr<SSL_CTX> client_ctx =
7752 CreateContextWithTestCertificate(TLS_method());
7753 ASSERT_TRUE(client_ctx);
7754 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
7755
7756 // Note this assumes the transport buffer is large enough to fit the client
7757 // and server first flights. We check this with |SSL_ERROR_WANT_READ|. If the
7758 // transport buffer was too small it would return |SSL_ERROR_WANT_WRITE|.
7759 auto check_first_server_round_trip = [&](SSL *client, SSL *server) {
7760 // Write the ClientHello.
7761 ASSERT_EQ(-1, SSL_do_handshake(client));
7762 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(client, -1));
7763
7764 // Consume the ClientHello and write the server flight.
7765 ASSERT_EQ(-1, SSL_do_handshake(server));
7766 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(server, -1));
7767
7768 EXPECT_TRUE(SSL_can_release_private_key(server));
7769 };
7770
7771 {
7772 SCOPED_TRACE("TLS 1.2 ECDHE");
7773 bssl::UniquePtr<SSL_CTX> server_ctx(
7774 CreateContextWithTestCertificate(TLS_method()));
7775 ASSERT_TRUE(server_ctx);
7776 ASSERT_TRUE(
7777 SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_2_VERSION));
7778 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(
7779 server_ctx.get(), "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"));
7780 // Configure the server to request client certificates, so we can also test
7781 // the client half.
7782 SSL_CTX_set_custom_verify(
7783 server_ctx.get(), SSL_VERIFY_PEER,
7784 [](SSL *ssl, uint8_t *out_alert) { return ssl_verify_ok; });
7785 bssl::UniquePtr<SSL> client, server;
7786 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
7787 server_ctx.get()));
7788 check_first_server_round_trip(client.get(), server.get());
7789
7790 // Consume the server flight and write the client response. The client still
7791 // has a Finished message to consume but can also release its key early.
7792 ASSERT_EQ(-1, SSL_do_handshake(client.get()));
7793 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(client.get(), -1));
7794 EXPECT_TRUE(SSL_can_release_private_key(client.get()));
7795
7796 // However, a client that has not disabled renegotiation can never release
7797 // the key.
7798 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
7799 server_ctx.get()));
7800 SSL_set_renegotiate_mode(client.get(), ssl_renegotiate_freely);
7801 check_first_server_round_trip(client.get(), server.get());
7802 ASSERT_EQ(-1, SSL_do_handshake(client.get()));
7803 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(client.get(), -1));
7804 EXPECT_FALSE(SSL_can_release_private_key(client.get()));
7805 }
7806
7807 {
7808 SCOPED_TRACE("TLS 1.2 resumption");
7809 bssl::UniquePtr<SSL_CTX> server_ctx(
7810 CreateContextWithTestCertificate(TLS_method()));
7811 ASSERT_TRUE(server_ctx);
7812 ASSERT_TRUE(
7813 SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_2_VERSION));
7814 bssl::UniquePtr<SSL_SESSION> session =
7815 CreateClientSession(client_ctx.get(), server_ctx.get());
7816 ASSERT_TRUE(session);
7817 bssl::UniquePtr<SSL> client, server;
7818 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
7819 server_ctx.get()));
7820 SSL_set_session(client.get(), session.get());
7821 check_first_server_round_trip(client.get(), server.get());
7822 }
7823
7824 {
7825 SCOPED_TRACE("TLS 1.3 1-RTT");
7826 bssl::UniquePtr<SSL_CTX> server_ctx(
7827 CreateContextWithTestCertificate(TLS_method()));
7828 ASSERT_TRUE(server_ctx);
7829 ASSERT_TRUE(
7830 SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
7831 bssl::UniquePtr<SSL> client, server;
7832 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
7833 server_ctx.get()));
7834 check_first_server_round_trip(client.get(), server.get());
7835 }
7836
7837 {
7838 SCOPED_TRACE("TLS 1.3 resumption");
7839 bssl::UniquePtr<SSL_CTX> server_ctx(
7840 CreateContextWithTestCertificate(TLS_method()));
7841 ASSERT_TRUE(server_ctx);
7842 ASSERT_TRUE(
7843 SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
7844 bssl::UniquePtr<SSL_SESSION> session =
7845 CreateClientSession(client_ctx.get(), server_ctx.get());
7846 ASSERT_TRUE(session);
7847 bssl::UniquePtr<SSL> client, server;
7848 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
7849 server_ctx.get()));
7850 SSL_set_session(client.get(), session.get());
7851 check_first_server_round_trip(client.get(), server.get());
7852 }
7853}
7854
David Benjamine9c5d722021-06-09 17:43:16 -0400[diff] [blame]7855// GetExtensionOrder sets |*out| to the list of extensions a client attached to
7856// |ctx| will send in the ClientHello. If |ech_keys| is non-null, the client
7857// will offer ECH with the public component. If |decrypt_ech| is true, |*out|
7858// will be set to the ClientHelloInner's extensions, rather than
7859// ClientHelloOuter.
7860static bool GetExtensionOrder(SSL_CTX *client_ctx, std::vector<uint16_t> *out,
7861 SSL_ECH_KEYS *ech_keys, bool decrypt_ech) {
7862 struct AppData {
7863 std::vector<uint16_t> *out;
7864 bool decrypt_ech;
7865 bool callback_done = false;
7866 };
7867 AppData app_data;
7868 app_data.out = out;
7869 app_data.decrypt_ech = decrypt_ech;
7870
7871 bssl::UniquePtr<SSL_CTX> server_ctx =
7872 CreateContextWithTestCertificate(TLS_method());
7873 if (!server_ctx || //
7874 !SSL_CTX_set_app_data(server_ctx.get(), &app_data) ||
7875 (decrypt_ech && !SSL_CTX_set1_ech_keys(server_ctx.get(), ech_keys))) {
7876 return false;
7877 }
7878
7879 // Configure the server to record the ClientHello extension order. We use a
7880 // server rather than |GetClientHello| so it can decrypt ClientHelloInner.
7881 SSL_CTX_set_select_certificate_cb(
7882 server_ctx.get(),
7883 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
7884 AppData *app_data_ptr = static_cast<AppData *>(
7885 SSL_CTX_get_app_data(SSL_get_SSL_CTX(client_hello->ssl)));
7886 EXPECT_EQ(app_data_ptr->decrypt_ech ? 1 : 0,
7887 SSL_ech_accepted(client_hello->ssl));
7888
7889 app_data_ptr->out->clear();
7890 CBS extensions;
7891 CBS_init(&extensions, client_hello->extensions,
7892 client_hello->extensions_len);
7893 while (CBS_len(&extensions)) {
7894 uint16_t type;
7895 CBS body;
7896 if (!CBS_get_u16(&extensions, &type) ||
7897 !CBS_get_u16_length_prefixed(&extensions, &body)) {
7898 return ssl_select_cert_error;
7899 }
7900 app_data_ptr->out->push_back(type);
7901 }
7902
7903 // Don't bother completing the handshake.
7904 app_data_ptr->callback_done = true;
7905 return ssl_select_cert_error;
7906 });
7907
7908 bssl::UniquePtr<SSL> client, server;
7909 if (!CreateClientAndServer(&client, &server, client_ctx, server_ctx.get()) ||
7910 (ech_keys != nullptr && !InstallECHConfigList(client.get(), ech_keys))) {
7911 return false;
7912 }
7913
7914 // Run the handshake far enough to process the ClientHello.
7915 SSL_do_handshake(client.get());
7916 SSL_do_handshake(server.get());
7917 return app_data.callback_done;
7918}
7919
7920// Test that, when extension permutation is enabled, the ClientHello extension
7921// order changes, both with and without ECH, and in both ClientHelloInner and
7922// ClientHelloOuter.
7923TEST(SSLTest, PermuteExtensions) {
7924 bssl::UniquePtr<SSL_ECH_KEYS> keys = MakeTestECHKeys();
7925 ASSERT_TRUE(keys);
7926 for (bool offer_ech : {false, true}) {
7927 SCOPED_TRACE(offer_ech);
7928 SSL_ECH_KEYS *maybe_keys = offer_ech ? keys.get() : nullptr;
7929 for (bool decrypt_ech : {false, true}) {
7930 SCOPED_TRACE(decrypt_ech);
7931 if (!offer_ech && decrypt_ech) {
7932 continue;
7933 }
7934
7935 // When extension permutation is disabled, the order should be consistent.
7936 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
7937 ASSERT_TRUE(ctx);
7938 std::vector<uint16_t> order1, order2;
7939 ASSERT_TRUE(
7940 GetExtensionOrder(ctx.get(), &order1, maybe_keys, decrypt_ech));
7941 ASSERT_TRUE(
7942 GetExtensionOrder(ctx.get(), &order2, maybe_keys, decrypt_ech));
7943 EXPECT_EQ(order1, order2);
7944
7945 ctx.reset(SSL_CTX_new(TLS_method()));
7946 ASSERT_TRUE(ctx);
7947 SSL_CTX_set_permute_extensions(ctx.get(), 1);
7948
7949 // When extension permutation is enabled, each ClientHello should have a
7950 // different order.
7951 //
7952 // This test is inherently flaky, so we run it multiple times. We send at
7953 // least five extensions by default from TLS 1.3: supported_versions,
7954 // key_share, supported_groups, psk_key_exchange_modes, and
7955 // signature_algorithms. That means the probability of a false negative is
7956 // at most 1/120. Repeating the test 14 times lowers false negative rate
7957 // to under 2^-96.
7958 ASSERT_TRUE(
7959 GetExtensionOrder(ctx.get(), &order1, maybe_keys, decrypt_ech));
7960 EXPECT_GE(order1.size(), 5u);
7961 static const int kNumIterations = 14;
7962 bool passed = false;
7963 for (int i = 0; i < kNumIterations; i++) {
7964 ASSERT_TRUE(
7965 GetExtensionOrder(ctx.get(), &order2, maybe_keys, decrypt_ech));
7966 if (order1 != order2) {
7967 passed = true;
7968 break;
7969 }
7970 }
7971 EXPECT_TRUE(passed) << "Extensions were not permuted";
7972 }
7973 }
7974}
7975
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]7976} // namespace
Joshua Liebow-Feeser8c7c6352018-08-26 18:53:36 -0700[diff] [blame]7977BSSL_NAMESPACE_END