Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / 353577cdc798444e1add6215c8e12c10234088ac / . / ssl / ssl_test.cc
blob: 7737e756d4b060a3e851f74297743a188cb6b9b4 [file] [log] [blame]
David Benjamin2e521212014-07-16 14:37:51 -0400[diff] [blame]1/* Copyright (c) 2014, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15#include <stdio.h>
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]16#include <string.h>
David Benjamin1269ddd2015-10-18 15:18:55 -0400[diff] [blame]17#include <time.h>
David Benjamin2e521212014-07-16 14:37:51 -0400[diff] [blame]18
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]19#include <algorithm>
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]20#include <string>
David Benjamin4f6acaf2015-11-21 03:00:50 -0500[diff] [blame]21#include <utility>
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]22#include <vector>
23
David Benjamin96628432017-01-19 19:05:47 -0500[diff] [blame]24#include <gtest/gtest.h>
25
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]26#include <openssl/base64.h>
27#include <openssl/bio.h>
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]28#include <openssl/cipher.h>
David Benjamin7a1eefd2015-10-17 23:39:22 -0400[diff] [blame]29#include <openssl/crypto.h>
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]30#include <openssl/err.h>
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]31#include <openssl/hmac.h>
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]32#include <openssl/pem.h>
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]33#include <openssl/sha.h>
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]34#include <openssl/ssl.h>
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]35#include <openssl/rand.h>
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]36#include <openssl/x509.h>
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]37
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]38#include "internal.h"
Steven Valdezcb966542016-08-17 16:56:14 -0400[diff] [blame]39#include "../crypto/internal.h"
Sigbjorn Vik2b23d242015-06-29 15:07:26 +0200[diff] [blame]40#include "../crypto/test/test_util.h"
41
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]42#if defined(OPENSSL_WINDOWS)
43/* Windows defines struct timeval in winsock2.h. */
44OPENSSL_MSVC_PRAGMA(warning(push, 3))
45#include <winsock2.h>
46OPENSSL_MSVC_PRAGMA(warning(pop))
47#else
48#include <sys/time.h>
49#endif
50
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]51
52struct ExpectedCipher {
53 unsigned long id;
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]54 int in_group_flag;
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]55};
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]56
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]57struct CipherTest {
58 // The rule string to apply.
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]59 const char *rule;
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]60 // The list of expected ciphers, in order.
61 std::vector<ExpectedCipher> expected;
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]62 // True if this cipher list should fail in strict mode.
63 bool strict_fail;
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]64};
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]65
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]66struct CurveTest {
67 // The rule string to apply.
68 const char *rule;
69 // The list of expected curves, in order.
70 std::vector<uint16_t> expected;
71};
72
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]73static const CipherTest kCipherTests[] = {
74 // Selecting individual ciphers should work.
75 {
76 "ECDHE-ECDSA-CHACHA20-POLY1305:"
77 "ECDHE-RSA-CHACHA20-POLY1305:"
78 "ECDHE-ECDSA-AES128-GCM-SHA256:"
79 "ECDHE-RSA-AES128-GCM-SHA256",
80 {
81 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]82 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]83 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
84 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
85 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]86 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]87 },
88 // + reorders selected ciphers to the end, keeping their relative order.
89 {
90 "ECDHE-ECDSA-CHACHA20-POLY1305:"
91 "ECDHE-RSA-CHACHA20-POLY1305:"
92 "ECDHE-ECDSA-AES128-GCM-SHA256:"
93 "ECDHE-RSA-AES128-GCM-SHA256:"
94 "+aRSA",
95 {
96 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]97 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
98 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]99 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
100 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]101 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]102 },
103 // ! banishes ciphers from future selections.
104 {
105 "!aRSA:"
106 "ECDHE-ECDSA-CHACHA20-POLY1305:"
107 "ECDHE-RSA-CHACHA20-POLY1305:"
108 "ECDHE-ECDSA-AES128-GCM-SHA256:"
109 "ECDHE-RSA-AES128-GCM-SHA256",
110 {
111 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]112 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
113 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]114 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]115 },
116 // Multiple masks can be ANDed in a single rule.
117 {
118 "kRSA+AESGCM+AES128",
119 {
120 {TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0},
121 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]122 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]123 },
124 // - removes selected ciphers, but preserves their order for future
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]125 // selections. Select AES_128_GCM, but order the key exchanges RSA,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]126 // ECDHE_RSA.
127 {
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]128 "ALL:-kECDHE:"
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]129 "-kRSA:-ALL:"
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]130 "AESGCM+AES128+aRSA",
131 {
132 {TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]133 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
134 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]135 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]136 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]137 // Unknown selectors are no-ops, except in strict mode.
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]138 {
139 "ECDHE-ECDSA-CHACHA20-POLY1305:"
140 "ECDHE-RSA-CHACHA20-POLY1305:"
141 "ECDHE-ECDSA-AES128-GCM-SHA256:"
142 "ECDHE-RSA-AES128-GCM-SHA256:"
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]143 "BOGUS1",
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]144 {
145 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]146 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]147 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
148 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
149 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]150 true,
151 },
152 // Unknown selectors are no-ops, except in strict mode.
153 {
154 "ECDHE-ECDSA-CHACHA20-POLY1305:"
155 "ECDHE-RSA-CHACHA20-POLY1305:"
156 "ECDHE-ECDSA-AES128-GCM-SHA256:"
157 "ECDHE-RSA-AES128-GCM-SHA256:"
158 "-BOGUS2:+BOGUS3:!BOGUS4",
159 {
160 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
161 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
162 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
163 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
164 },
165 true,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]166 },
167 // Square brackets specify equi-preference groups.
168 {
169 "[ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES128-GCM-SHA256]:"
170 "[ECDHE-RSA-CHACHA20-POLY1305]:"
171 "ECDHE-RSA-AES128-GCM-SHA256",
172 {
173 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 1},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]174 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
Adam Langley2e839242017-01-19 15:12:44 -0800[diff] [blame]175 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]176 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
177 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]178 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]179 },
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]180 // Standard names may be used instead of OpenSSL names.
181 {
182 "[TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|"
183 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]:"
184 "[TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256]:"
185 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
186 {
187 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 1},
188 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
189 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
190 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
191 },
192 false,
193 },
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]194 // @STRENGTH performs a stable strength-sort of the selected ciphers and
195 // only the selected ciphers.
196 {
197 // To simplify things, banish all but {ECDHE_RSA,RSA} x
Matthew Braithwaite8aaa9e12016-09-07 15:09:58 -0700[diff] [blame]198 // {CHACHA20,AES_256_CBC,AES_128_CBC} x SHA1.
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]199 "!AESGCM:!3DES:!SHA256:!SHA384:"
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]200 // Order some ciphers backwards by strength.
Matthew Braithwaite8aaa9e12016-09-07 15:09:58 -0700[diff] [blame]201 "ALL:-CHACHA20:-AES256:-AES128:-ALL:"
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]202 // Select ECDHE ones and sort them by strength. Ties should resolve
203 // based on the order above.
204 "kECDHE:@STRENGTH:-ALL:"
205 // Now bring back everything uses RSA. ECDHE_RSA should be first, sorted
206 // by strength. Then RSA, backwards by strength.
207 "aRSA",
208 {
209 {TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, 0},
210 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]211 {TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]212 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
213 {TLS1_CK_RSA_WITH_AES_256_SHA, 0},
214 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]215 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]216 },
217 // Exact ciphers may not be used in multi-part rules; they are treated
218 // as unknown aliases.
219 {
220 "ECDHE-ECDSA-AES128-GCM-SHA256:"
221 "ECDHE-RSA-AES128-GCM-SHA256:"
222 "!ECDHE-RSA-AES128-GCM-SHA256+RSA:"
223 "!ECDSA+ECDHE-ECDSA-AES128-GCM-SHA256",
224 {
225 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
226 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
227 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]228 true,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]229 },
230 // SSLv3 matches everything that existed before TLS 1.2.
231 {
232 "AES128-SHA:AES128-SHA256:!SSLv3",
233 {
234 {TLS1_CK_RSA_WITH_AES_128_SHA256, 0},
235 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]236 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]237 },
238 // TLSv1.2 matches everything added in TLS 1.2.
239 {
240 "AES128-SHA:AES128-SHA256:!TLSv1.2",
241 {
242 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
243 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]244 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]245 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]246 // The two directives have no intersection. But each component is valid, so
247 // even in strict mode it is accepted.
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]248 {
249 "AES128-SHA:AES128-SHA256:!TLSv1.2+SSLv3",
250 {
251 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
252 {TLS1_CK_RSA_WITH_AES_128_SHA256, 0},
253 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]254 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]255 },
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]256};
257
258static const char *kBadRules[] = {
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]259 // Invalid brackets.
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]260 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256",
261 "RSA]",
262 "[[RSA]]",
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]263 // Operators inside brackets.
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]264 "[+RSA]",
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]265 // Unknown directive.
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]266 "@BOGUS",
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]267 // Empty cipher lists error at SSL_CTX_set_cipher_list.
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]268 "",
269 "BOGUS",
David Benjamin32fbdf22015-04-07 01:14:06 -0400[diff] [blame]270 // COMPLEMENTOFDEFAULT is empty.
271 "COMPLEMENTOFDEFAULT",
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]272 // Invalid command.
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]273 "?BAR",
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]274 // Special operators are not allowed if groups are used.
David Benjamin37d92462014-09-20 17:54:24 -0400[diff] [blame]275 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:+FOO",
276 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:!FOO",
277 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:-FOO",
278 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:@STRENGTH",
Adam Langleyf99f2442016-10-02 09:53:38 -0700[diff] [blame]279 // Opcode supplied, but missing selector.
280 "+",
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]281};
282
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]283static const char *kMustNotIncludeNull[] = {
284 "ALL",
285 "DEFAULT",
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]286 "HIGH",
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]287 "FIPS",
288 "SHA",
289 "SHA1",
290 "RSA",
291 "SSLv3",
292 "TLSv1",
293 "TLSv1.2",
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]294};
295
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]296static const CurveTest kCurveTests[] = {
297 {
298 "P-256",
299 { SSL_CURVE_SECP256R1 },
300 },
301 {
302 "P-256:P-384:P-521:X25519",
303 {
304 SSL_CURVE_SECP256R1,
305 SSL_CURVE_SECP384R1,
306 SSL_CURVE_SECP521R1,
307 SSL_CURVE_X25519,
308 },
309 },
310};
311
312static const char *kBadCurvesLists[] = {
313 "",
314 ":",
315 "::",
316 "P-256::X25519",
317 "RSA:P-256",
318 "P-256:RSA",
319 "X25519:P-256:",
320 ":X25519:P-256",
321};
322
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]323static std::string CipherListToString(ssl_cipher_preference_list_st *list) {
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]324 bool in_group = false;
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]325 std::string ret;
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]326 for (size_t i = 0; i < sk_SSL_CIPHER_num(list->ciphers); i++) {
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]327 const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(list->ciphers, i);
328 if (!in_group && list->in_group_flags[i]) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]329 ret += "\t[\n";
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]330 in_group = true;
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]331 }
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]332 ret += "\t";
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]333 if (in_group) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]334 ret += " ";
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]335 }
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]336 ret += SSL_CIPHER_get_name(cipher);
337 ret += "\n";
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]338 if (in_group && !list->in_group_flags[i]) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]339 ret += "\t]\n";
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]340 in_group = false;
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]341 }
342 }
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]343 return ret;
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]344}
345
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]346static bool CipherListsEqual(ssl_cipher_preference_list_st *list,
347 const std::vector<ExpectedCipher> &expected) {
348 if (sk_SSL_CIPHER_num(list->ciphers) != expected.size()) {
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]349 return false;
David Benjamin65226252015-02-05 16:49:47 -0500[diff] [blame]350 }
351
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]352 for (size_t i = 0; i < expected.size(); i++) {
353 const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(list->ciphers, i);
354 if (expected[i].id != SSL_CIPHER_get_id(cipher) ||
355 expected[i].in_group_flag != list->in_group_flags[i]) {
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]356 return false;
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]357 }
358 }
359
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]360 return true;
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]361}
362
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]363TEST(SSLTest, CipherRules) {
364 for (const CipherTest &t : kCipherTests) {
365 SCOPED_TRACE(t.rule);
366 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
367 ASSERT_TRUE(ctx);
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]368
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]369 // Test lax mode.
370 ASSERT_TRUE(SSL_CTX_set_cipher_list(ctx.get(), t.rule));
371 EXPECT_TRUE(CipherListsEqual(ctx->cipher_list, t.expected))
372 << "Cipher rule evaluated to:\n"
373 << CipherListToString(ctx->cipher_list);
374
375 // Test strict mode.
376 if (t.strict_fail) {
377 EXPECT_FALSE(SSL_CTX_set_strict_cipher_list(ctx.get(), t.rule));
378 } else {
379 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(ctx.get(), t.rule));
380 EXPECT_TRUE(CipherListsEqual(ctx->cipher_list, t.expected))
381 << "Cipher rule evaluated to:\n"
382 << CipherListToString(ctx->cipher_list);
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]383 }
384 }
385
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]386 for (const char *rule : kBadRules) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]387 SCOPED_TRACE(rule);
388 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
389 ASSERT_TRUE(ctx);
390
391 EXPECT_FALSE(SSL_CTX_set_cipher_list(ctx.get(), rule));
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]392 ERR_clear_error();
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]393 }
394
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]395 for (const char *rule : kMustNotIncludeNull) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]396 SCOPED_TRACE(rule);
397 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
398 ASSERT_TRUE(ctx);
399
400 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(ctx.get(), rule));
401 for (size_t i = 0; i < sk_SSL_CIPHER_num(ctx->cipher_list->ciphers); i++) {
402 EXPECT_FALSE(SSL_CIPHER_is_NULL(
403 sk_SSL_CIPHER_value(ctx->cipher_list->ciphers, i)));
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]404 }
405 }
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]406}
David Benjamin2e521212014-07-16 14:37:51 -0400[diff] [blame]407
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]408TEST(SSLTest, CurveRules) {
409 for (const CurveTest &t : kCurveTests) {
410 SCOPED_TRACE(t.rule);
411 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
412 ASSERT_TRUE(ctx);
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]413
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]414 ASSERT_TRUE(SSL_CTX_set1_curves_list(ctx.get(), t.rule));
415 ASSERT_EQ(t.expected.size(), ctx->supported_group_list_len);
416 for (size_t i = 0; i < t.expected.size(); i++) {
417 EXPECT_EQ(t.expected[i], ctx->supported_group_list[i]);
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]418 }
419 }
420
421 for (const char *rule : kBadCurvesLists) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]422 SCOPED_TRACE(rule);
423 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
424 ASSERT_TRUE(ctx);
425
426 EXPECT_FALSE(SSL_CTX_set1_curves_list(ctx.get(), rule));
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]427 ERR_clear_error();
428 }
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]429}
430
Adam Langley364f7a62016-12-12 10:51:00 -0800[diff] [blame]431// kOpenSSLSession is a serialized SSL_SESSION.
Adam Langley10f97f32016-07-12 08:09:33 -0700[diff] [blame]432static const char kOpenSSLSession[] =
Adam Langley364f7a62016-12-12 10:51:00 -0800[diff] [blame]433 "MIIFqgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
Adam Langley10f97f32016-07-12 08:09:33 -0700[diff] [blame]434 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
435 "IWoJoQYCBFRDO46iBAICASyjggR6MIIEdjCCA16gAwIBAgIIK9dUvsPWSlUwDQYJ"
436 "KoZIhvcNAQEFBQAwSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMx"
437 "JTAjBgNVBAMTHEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTQxMDA4"
438 "MTIwNzU3WhcNMTUwMTA2MDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwK"
439 "Q2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29v"
440 "Z2xlIEluYzEXMBUGA1UEAwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEB"
441 "AQUAA4IBDwAwggEKAoIBAQCcKeLrplAC+Lofy8t/wDwtB6eu72CVp0cJ4V3lknN6"
442 "huH9ct6FFk70oRIh/VBNBBz900jYy+7111Jm1b8iqOTQ9aT5C7SEhNcQFJvqzH3e"
443 "MPkb6ZSWGm1yGF7MCQTGQXF20Sk/O16FSjAynU/b3oJmOctcycWYkY0ytS/k3LBu"
444 "Id45PJaoMqjB0WypqvNeJHC3q5JjCB4RP7Nfx5jjHSrCMhw8lUMW4EaDxjaR9KDh"
445 "PLgjsk+LDIySRSRDaCQGhEOWLJZVLzLo4N6/UlctCHEllpBUSvEOyFga52qroGjg"
446 "rf3WOQ925MFwzd6AK+Ich0gDRg8sQfdLH5OuP1cfLfU1AgMBAAGjggFBMIIBPTAd"
447 "BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdv"
448 "b2dsZS5jb20waAYIKwYBBQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtp"
449 "Lmdvb2dsZS5jb20vR0lBRzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50"
450 "czEuZ29vZ2xlLmNvbS9vY3NwMB0GA1UdDgQWBBQ7a+CcxsZByOpc+xpYFcIbnUMZ"
451 "hTAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEv"
452 "MBcGA1UdIAQQMA4wDAYKKwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRw"
453 "Oi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQCa"
454 "OXCBdoqUy5bxyq+Wrh1zsyyCFim1PH5VU2+yvDSWrgDY8ibRGJmfff3r4Lud5kal"
455 "dKs9k8YlKD3ITG7P0YT/Rk8hLgfEuLcq5cc0xqmE42xJ+Eo2uzq9rYorc5emMCxf"
456 "5L0TJOXZqHQpOEcuptZQ4OjdYMfSxk5UzueUhA3ogZKRcRkdB3WeWRp+nYRhx4St"
457 "o2rt2A0MKmY9165GHUqMK9YaaXHDXqBu7Sefr1uSoAP9gyIJKeihMivsGqJ1TD6Z"
458 "cc6LMe+dN2P8cZEQHtD1y296ul4Mivqk3jatUVL8/hCwgch9A8O4PGZq9WqBfEWm"
459 "IyHh1dPtbg1lOXdYCWtjpAIEAKUDAgEUqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36S"
460 "YTcLEkXqKwOBfF9vE4KX0NxeLwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9B"
461 "sNHM362zZnY27GpTw+Kwd751CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yE"
462 "OTDKPNj3+inbMaVigtK4PLyPq+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdA"
Adam Langley364f7a62016-12-12 10:51:00 -0800[diff] [blame]463 "i4gv7Y5oliyntgMBAQA=";
Adam Langley10f97f32016-07-12 08:09:33 -0700[diff] [blame]464
465// kCustomSession is a custom serialized SSL_SESSION generated by
466// filling in missing fields from |kOpenSSLSession|. This includes
467// providing |peer_sha256|, so |peer| is not serialized.
468static const char kCustomSession[] =
469 "MIIBdgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
470 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
471 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
472 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
473 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
474 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
475 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
476 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBLADBAEF";
477
478// kBoringSSLSession is a serialized SSL_SESSION generated from bssl client.
479static const char kBoringSSLSession[] =
480 "MIIRwQIBAQICAwMEAsAvBCDdoGxGK26mR+8lM0uq6+k9xYuxPnwAjpcF9n0Yli9R"
481 "kQQwbyshfWhdi5XQ1++7n2L1qqrcVlmHBPpr6yknT/u4pUrpQB5FZ7vqvNn8MdHf"
482 "9rWgoQYCBFXgs7uiBAICHCCjggR6MIIEdjCCA16gAwIBAgIIf+yfD7Y6UicwDQYJ"
483 "KoZIhvcNAQELBQAwSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMx"
484 "JTAjBgNVBAMTHEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTUwODEy"
485 "MTQ1MzE1WhcNMTUxMTEwMDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwK"
486 "Q2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29v"
487 "Z2xlIEluYzEXMBUGA1UEAwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEB"
488 "AQUAA4IBDwAwggEKAoIBAQC0MeG5YGQ0t+IeJeoneP/PrhEaieibeKYkbKVLNZpo"
489 "PLuBinvhkXZo3DC133NpCBpy6ZktBwamqyixAyuk/NU6OjgXqwwxfQ7di1AInLIU"
490 "792c7hFyNXSUCG7At8Ifi3YwBX9Ba6u/1d6rWTGZJrdCq3QU11RkKYyTq2KT5mce"
491 "Tv9iGKqSkSTlp8puy/9SZ/3DbU3U+BuqCFqeSlz7zjwFmk35acdCilpJlVDDN5C/"
492 "RCh8/UKc8PaL+cxlt531qoTENvYrflBno14YEZlCBZsPiFeUSILpKEj3Ccwhy0eL"
493 "EucWQ72YZU8mUzXBoXGn0zA0crFl5ci/2sTBBGZsylNBAgMBAAGjggFBMIIBPTAd"
494 "BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdv"
495 "b2dsZS5jb20waAYIKwYBBQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtp"
496 "Lmdvb2dsZS5jb20vR0lBRzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50"
497 "czEuZ29vZ2xlLmNvbS9vY3NwMB0GA1UdDgQWBBS/bzHxcE73Q4j3slC4BLbMtLjG"
498 "GjAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEv"
499 "MBcGA1UdIAQQMA4wDAYKKwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRw"
500 "Oi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQAb"
501 "qdWPZEHk0X7iKPCTHL6S3w6q1eR67goxZGFSM1lk1hjwyu7XcLJuvALVV9uY3ovE"
502 "kQZSHwT+pyOPWQhsSjO+1GyjvCvK/CAwiUmBX+bQRGaqHsRcio7xSbdVcajQ3bXd"
503 "X+s0WdbOpn6MStKAiBVloPlSxEI8pxY6x/BBCnTIk/+DMB17uZlOjG3vbAnkDkP+"
504 "n0OTucD9sHV7EVj9XUxi51nOfNBCN/s7lpUjDS/NJ4k3iwOtbCPswiot8vLO779a"
505 "f07vR03r349Iz/KTzk95rlFtX0IU+KYNxFNsanIXZ+C9FYGRXkwhHcvFb4qMUB1y"
506 "TTlM80jBMOwyjZXmjRAhpAIEAKUDAgEUqQUCAwGJwKqBpwSBpOgebbmn9NRUtMWH"
507 "+eJpqA5JLMFSMCChOsvKey3toBaCNGU7HfAEiiXNuuAdCBoK262BjQc2YYfqFzqH"
508 "zuppopXCvhohx7j/tnCNZIMgLYt/O9SXK2RYI5z8FhCCHvB4CbD5G0LGl5EFP27s"
509 "Jb6S3aTTYPkQe8yZSlxevg6NDwmTogLO9F7UUkaYmVcMQhzssEE2ZRYNwSOU6KjE"
510 "0Yj+8fAiBtbQriIEIN2L8ZlpaVrdN5KFNdvcmOxJu81P8q53X55xQyGTnGWwsgMC"
511 "ARezggvvMIIEdjCCA16gAwIBAgIIf+yfD7Y6UicwDQYJKoZIhvcNAQELBQAwSTEL"
512 "MAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2ds"
513 "ZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTUwODEyMTQ1MzE1WhcNMTUxMTEw"
514 "MDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQG"
515 "A1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UE"
516 "AwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB"
517 "AQC0MeG5YGQ0t+IeJeoneP/PrhEaieibeKYkbKVLNZpoPLuBinvhkXZo3DC133Np"
518 "CBpy6ZktBwamqyixAyuk/NU6OjgXqwwxfQ7di1AInLIU792c7hFyNXSUCG7At8If"
519 "i3YwBX9Ba6u/1d6rWTGZJrdCq3QU11RkKYyTq2KT5mceTv9iGKqSkSTlp8puy/9S"
520 "Z/3DbU3U+BuqCFqeSlz7zjwFmk35acdCilpJlVDDN5C/RCh8/UKc8PaL+cxlt531"
521 "qoTENvYrflBno14YEZlCBZsPiFeUSILpKEj3Ccwhy0eLEucWQ72YZU8mUzXBoXGn"
522 "0zA0crFl5ci/2sTBBGZsylNBAgMBAAGjggFBMIIBPTAdBgNVHSUEFjAUBggrBgEF"
523 "BQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYB"
524 "BQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lB"
525 "RzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9v"
526 "Y3NwMB0GA1UdDgQWBBS/bzHxcE73Q4j3slC4BLbMtLjGGjAMBgNVHRMBAf8EAjAA"
527 "MB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMBcGA1UdIAQQMA4wDAYK"
528 "KwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRwOi8vcGtpLmdvb2dsZS5j"
529 "b20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQAbqdWPZEHk0X7iKPCTHL6S"
530 "3w6q1eR67goxZGFSM1lk1hjwyu7XcLJuvALVV9uY3ovEkQZSHwT+pyOPWQhsSjO+"
531 "1GyjvCvK/CAwiUmBX+bQRGaqHsRcio7xSbdVcajQ3bXdX+s0WdbOpn6MStKAiBVl"
532 "oPlSxEI8pxY6x/BBCnTIk/+DMB17uZlOjG3vbAnkDkP+n0OTucD9sHV7EVj9XUxi"
533 "51nOfNBCN/s7lpUjDS/NJ4k3iwOtbCPswiot8vLO779af07vR03r349Iz/KTzk95"
534 "rlFtX0IU+KYNxFNsanIXZ+C9FYGRXkwhHcvFb4qMUB1yTTlM80jBMOwyjZXmjRAh"
535 "MIID8DCCAtigAwIBAgIDAjqDMA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT"
536 "MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i"
537 "YWwgQ0EwHhcNMTMwNDA1MTUxNTU2WhcNMTYxMjMxMjM1OTU5WjBJMQswCQYDVQQG"
538 "EwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVy"
539 "bmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB"
540 "AJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NP"
541 "VaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtv"
542 "h8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rE"
543 "ahqyzFPdFUuLH8gZYR/Nnag+YyuENWllhMgZxUYi+FOVvuOAShDGKuy6lyARxzmZ"
544 "EASg8GF6lSWMTlJ14rbtCMoU/M4iarNOz0YDl5cDfsCx3nuvRTPPuj5xt970JSXC"
545 "DTWJnZ37DhF5iR43xa+OcmkCAwEAAaOB5zCB5DAfBgNVHSMEGDAWgBTAephojYn7"
546 "qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1dvWBtrtiGrpagS8wDgYD"
547 "VR0PAQH/BAQDAgEGMC4GCCsGAQUFBwEBBCIwIDAeBggrBgEFBQcwAYYSaHR0cDov"
548 "L2cuc3ltY2QuY29tMBIGA1UdEwEB/wQIMAYBAf8CAQAwNQYDVR0fBC4wLDAqoCig"
549 "JoYkaHR0cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9iYWwuY3JsMBcGA1UdIAQQ"
550 "MA4wDAYKKwYBBAHWeQIFATANBgkqhkiG9w0BAQsFAAOCAQEAqvqpIM1qZ4PtXtR+"
551 "3h3Ef+AlBgDFJPupyC1tft6dgmUsgWM0Zj7pUsIItMsv91+ZOmqcUHqFBYx90SpI"
552 "hNMJbHzCzTWf84LuUt5oX+QAihcglvcpjZpNy6jehsgNb1aHA30DP9z6eX0hGfnI"
553 "Oi9RdozHQZJxjyXON/hKTAAj78Q1EK7gI4BzfE00LshukNYQHpmEcxpw8u1VDu4X"
554 "Bupn7jLrLN1nBz/2i8Jw3lsA5rsb0zYaImxssDVCbJAJPZPpZAkiDoUGn8JzIdPm"
555 "X4DkjYUiOnMDsWCOrmji9D6X52ASCWg23jrW4kOVWzeBkoEfu43XrVJkFleW2V40"
556 "fsg12DCCA30wggLmoAMCAQICAxK75jANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQG"
557 "EwJVUzEQMA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUg"
558 "Q2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTAyMDUyMTA0MDAwMFoXDTE4MDgyMTA0"
559 "MDAwMFowQjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUdlb1RydXN0IEluYy4xGzAZ"
560 "BgNVBAMTEkdlb1RydXN0IEdsb2JhbCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP"
561 "ADCCAQoCggEBANrMGGMw/fQXIxpWflvfPGw45HG3eJHUvKHYTPioQ7YD6U0hBwiI"
562 "2lgvZjkpvQV4i5046AW3an5xpObEYKaw74DkiSgPniXW7YPzraaRx5jJQhg1FJ2t"
563 "mEaSLk/K8YdDwRaVVy1Q74ktgHpXrfLuX2vSAI25FPgUFTXZwEaje3LIkb/JVSvN"
564 "0Jc+nCZkzN/Ogxlxyk7m1NV7qRnNVd7I7NJeOFPlXE+MLf5QIzb8ZubLjqQ5GQC3"
565 "lQI5kQsO/jgu0R0FmvZNPm8PBx2vLB6PYDni+jZTEznUXiYr2z2oFL0y6xgDKFIE"
566 "ceWrMz3hOLsHNoRinHnqFjD0X8Ar6HFr5PkCAwEAAaOB8DCB7TAfBgNVHSMEGDAW"
567 "gBRI5mj5K9KylddH2CMgEE8zmJCf1DAdBgNVHQ4EFgQUwHqYaI2J+6sFZAwRfap9"
568 "ZbjKzE4wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwOgYDVR0fBDMw"
569 "MTAvoC2gK4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20vY3Jscy9zZWN1cmVjYS5j"
570 "cmwwTgYDVR0gBEcwRTBDBgRVHSAAMDswOQYIKwYBBQUHAgEWLWh0dHBzOi8vd3d3"
571 "Lmdlb3RydXN0LmNvbS9yZXNvdXJjZXMvcmVwb3NpdG9yeTANBgkqhkiG9w0BAQUF"
572 "AAOBgQB24RJuTksWEoYwBrKBCM/wCMfHcX5m7sLt1Dsf//DwyE7WQziwuTB9GNBV"
573 "g6JqyzYRnOhIZqNtf7gT1Ef+i1pcc/yu2RsyGTirlzQUqpbS66McFAhJtrvlke+D"
574 "NusdVm/K2rxzY5Dkf3s+Iss9B+1fOHSc4wNQTqGvmO5h8oQ/Eg==";
575
576// kBadSessionExtraField is a custom serialized SSL_SESSION generated by replacing
577// the final (optional) element of |kCustomSession| with tag number 30.
578static const char kBadSessionExtraField[] =
579 "MIIBdgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
580 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
581 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
582 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
583 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
584 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
585 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
586 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBL4DBAEF";
587
588// kBadSessionVersion is a custom serialized SSL_SESSION generated by replacing
589// the version of |kCustomSession| with 2.
590static const char kBadSessionVersion[] =
591 "MIIBdgIBAgICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
592 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
593 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
594 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
595 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
596 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
597 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
598 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBLADBAEF";
599
600// kBadSessionTrailingData is a custom serialized SSL_SESSION with trailing data
601// appended.
602static const char kBadSessionTrailingData[] =
603 "MIIBdgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
604 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
605 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
606 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
607 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
608 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
609 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
610 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBLADBAEFAAAA";
611
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]612static bool DecodeBase64(std::vector<uint8_t> *out, const char *in) {
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]613 size_t len;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]614 if (!EVP_DecodedLength(&len, strlen(in))) {
615 fprintf(stderr, "EVP_DecodedLength failed\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]616 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]617 }
618
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]619 out->resize(len);
David Benjaminef14b2d2015-11-11 14:01:27 -0800[diff] [blame]620 if (!EVP_DecodeBase64(out->data(), &len, len, (const uint8_t *)in,
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]621 strlen(in))) {
622 fprintf(stderr, "EVP_DecodeBase64 failed\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]623 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]624 }
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]625 out->resize(len);
626 return true;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]627}
628
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]629static bool TestSSL_SESSIONEncoding(const char *input_b64) {
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]630 const uint8_t *cptr;
631 uint8_t *ptr;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]632
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]633 // Decode the input.
634 std::vector<uint8_t> input;
635 if (!DecodeBase64(&input, input_b64)) {
636 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]637 }
638
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]639 // Verify the SSL_SESSION decodes.
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]640 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
641 if (!ssl_ctx) {
642 return false;
643 }
644 bssl::UniquePtr<SSL_SESSION> session(
645 SSL_SESSION_from_bytes(input.data(), input.size(), ssl_ctx.get()));
David Benjaminfd67aa82015-06-15 19:41:48 -0400[diff] [blame]646 if (!session) {
647 fprintf(stderr, "SSL_SESSION_from_bytes failed\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]648 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]649 }
650
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]651 // Verify the SSL_SESSION encoding round-trips.
652 size_t encoded_len;
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]653 bssl::UniquePtr<uint8_t> encoded;
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]654 uint8_t *encoded_raw;
655 if (!SSL_SESSION_to_bytes(session.get(), &encoded_raw, &encoded_len)) {
David Benjamin3cac4502014-10-21 01:46:30 -0400[diff] [blame]656 fprintf(stderr, "SSL_SESSION_to_bytes failed\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]657 return false;
David Benjamin3cac4502014-10-21 01:46:30 -0400[diff] [blame]658 }
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]659 encoded.reset(encoded_raw);
660 if (encoded_len != input.size() ||
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]661 OPENSSL_memcmp(input.data(), encoded.get(), input.size()) != 0) {
David Benjamin3cac4502014-10-21 01:46:30 -0400[diff] [blame]662 fprintf(stderr, "SSL_SESSION_to_bytes did not round-trip\n");
Sigbjorn Vik2b23d242015-06-29 15:07:26 +0200[diff] [blame]663 hexdump(stderr, "Before: ", input.data(), input.size());
664 hexdump(stderr, "After: ", encoded_raw, encoded_len);
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]665 return false;
David Benjamin3cac4502014-10-21 01:46:30 -0400[diff] [blame]666 }
David Benjamin3cac4502014-10-21 01:46:30 -0400[diff] [blame]667
David Benjaminfd67aa82015-06-15 19:41:48 -0400[diff] [blame]668 // Verify the SSL_SESSION also decodes with the legacy API.
David Benjaminef14b2d2015-11-11 14:01:27 -0800[diff] [blame]669 cptr = input.data();
David Benjaminfd67aa82015-06-15 19:41:48 -0400[diff] [blame]670 session.reset(d2i_SSL_SESSION(NULL, &cptr, input.size()));
David Benjaminef14b2d2015-11-11 14:01:27 -0800[diff] [blame]671 if (!session || cptr != input.data() + input.size()) {
David Benjaminfd67aa82015-06-15 19:41:48 -0400[diff] [blame]672 fprintf(stderr, "d2i_SSL_SESSION failed\n");
673 return false;
674 }
675
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]676 // Verify the SSL_SESSION encoding round-trips via the legacy API.
677 int len = i2d_SSL_SESSION(session.get(), NULL);
678 if (len < 0 || (size_t)len != input.size()) {
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]679 fprintf(stderr, "i2d_SSL_SESSION(NULL) returned invalid length\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]680 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]681 }
682
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]683 encoded.reset((uint8_t *)OPENSSL_malloc(input.size()));
684 if (!encoded) {
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]685 fprintf(stderr, "malloc failed\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]686 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]687 }
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]688
689 ptr = encoded.get();
690 len = i2d_SSL_SESSION(session.get(), &ptr);
691 if (len < 0 || (size_t)len != input.size()) {
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]692 fprintf(stderr, "i2d_SSL_SESSION returned invalid length\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]693 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]694 }
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]695 if (ptr != encoded.get() + input.size()) {
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]696 fprintf(stderr, "i2d_SSL_SESSION did not advance ptr correctly\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]697 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]698 }
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]699 if (OPENSSL_memcmp(input.data(), encoded.get(), input.size()) != 0) {
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]700 fprintf(stderr, "i2d_SSL_SESSION did not round-trip\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]701 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]702 }
703
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]704 return true;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]705}
706
David Benjaminf297e022015-05-28 19:55:29 -0400[diff] [blame]707static bool TestBadSSL_SESSIONEncoding(const char *input_b64) {
708 std::vector<uint8_t> input;
709 if (!DecodeBase64(&input, input_b64)) {
710 return false;
711 }
712
713 // Verify that the SSL_SESSION fails to decode.
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]714 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
715 if (!ssl_ctx) {
716 return false;
717 }
718 bssl::UniquePtr<SSL_SESSION> session(
719 SSL_SESSION_from_bytes(input.data(), input.size(), ssl_ctx.get()));
David Benjaminf297e022015-05-28 19:55:29 -0400[diff] [blame]720 if (session) {
David Benjaminfd67aa82015-06-15 19:41:48 -0400[diff] [blame]721 fprintf(stderr, "SSL_SESSION_from_bytes unexpectedly succeeded\n");
David Benjaminf297e022015-05-28 19:55:29 -0400[diff] [blame]722 return false;
723 }
724 ERR_clear_error();
725 return true;
726}
727
David Benjamin321fcdc2017-04-24 11:42:42 -0400[diff] [blame]728static void ExpectDefaultVersion(uint16_t min_version, uint16_t max_version,
729 const SSL_METHOD *(*method)(void)) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]730 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method()));
David Benjamin321fcdc2017-04-24 11:42:42 -0400[diff] [blame]731 ASSERT_TRUE(ctx);
David Benjaminfc08dfc2017-06-20 14:39:32 -0400[diff] [blame]732 EXPECT_EQ(min_version, ctx->conf_min_version);
733 EXPECT_EQ(max_version, ctx->conf_max_version);
David Benjamin321fcdc2017-04-24 11:42:42 -0400[diff] [blame]734}
735
736TEST(SSLTest, DefaultVersion) {
737 // TODO(svaldez): Update this when TLS 1.3 is enabled by default.
738 ExpectDefaultVersion(TLS1_VERSION, TLS1_2_VERSION, &TLS_method);
739 ExpectDefaultVersion(TLS1_VERSION, TLS1_VERSION, &TLSv1_method);
740 ExpectDefaultVersion(TLS1_1_VERSION, TLS1_1_VERSION, &TLSv1_1_method);
741 ExpectDefaultVersion(TLS1_2_VERSION, TLS1_2_VERSION, &TLSv1_2_method);
742 ExpectDefaultVersion(TLS1_1_VERSION, TLS1_2_VERSION, &DTLS_method);
743 ExpectDefaultVersion(TLS1_1_VERSION, TLS1_1_VERSION, &DTLSv1_method);
744 ExpectDefaultVersion(TLS1_2_VERSION, TLS1_2_VERSION, &DTLSv1_2_method);
David Benjamin82c9e902014-12-12 15:55:27 -0500[diff] [blame]745}
746
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]747TEST(SSLTest, CipherGetStandardName) {
748 static const struct {
749 int id;
750 const char *standard_name;
751 } kTests[] = {
752 {SSL3_CK_RSA_DES_192_CBC3_SHA, "TLS_RSA_WITH_3DES_EDE_CBC_SHA"},
753 {TLS1_CK_RSA_WITH_AES_128_SHA, "TLS_RSA_WITH_AES_128_CBC_SHA"},
754 {TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
755 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"},
756 {TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
757 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"},
758 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
759 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"},
760 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
761 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"},
762 {TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
763 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"},
764 {TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA,
765 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA"},
766 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
767 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"},
768 {TLS1_CK_AES_256_GCM_SHA384, "TLS_AES_256_GCM_SHA384"},
769 {TLS1_CK_AES_128_GCM_SHA256, "TLS_AES_128_GCM_SHA256"},
770 {TLS1_CK_CHACHA20_POLY1305_SHA256, "TLS_CHACHA20_POLY1305_SHA256"},
771 };
David Benjamin65226252015-02-05 16:49:47 -0500[diff] [blame]772
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]773 for (const auto &t : kTests) {
774 SCOPED_TRACE(t.standard_name);
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]775
776 const SSL_CIPHER *cipher = SSL_get_cipher_by_value(t.id & 0xffff);
777 ASSERT_TRUE(cipher);
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]778 EXPECT_STREQ(t.standard_name, SSL_CIPHER_standard_name(cipher));
779
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]780 bssl::UniquePtr<char> rfc_name(SSL_CIPHER_get_rfc_name(cipher));
781 ASSERT_TRUE(rfc_name);
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]782 EXPECT_STREQ(t.standard_name, rfc_name.get());
David Benjamin65226252015-02-05 16:49:47 -0500[diff] [blame]783 }
David Benjamin65226252015-02-05 16:49:47 -0500[diff] [blame]784}
785
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]786// CreateSessionWithTicket returns a sample |SSL_SESSION| with the specified
787// version and ticket length or nullptr on failure.
788static bssl::UniquePtr<SSL_SESSION> CreateSessionWithTicket(uint16_t version,
789 size_t ticket_len) {
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]790 std::vector<uint8_t> der;
791 if (!DecodeBase64(&der, kOpenSSLSession)) {
792 return nullptr;
793 }
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]794
795 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
796 if (!ssl_ctx) {
797 return nullptr;
798 }
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]799 bssl::UniquePtr<SSL_SESSION> session(
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]800 SSL_SESSION_from_bytes(der.data(), der.size(), ssl_ctx.get()));
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]801 if (!session) {
802 return nullptr;
803 }
804
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]805 session->ssl_version = version;
806
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]807 // Swap out the ticket for a garbage one.
808 OPENSSL_free(session->tlsext_tick);
809 session->tlsext_tick = reinterpret_cast<uint8_t*>(OPENSSL_malloc(ticket_len));
810 if (session->tlsext_tick == nullptr) {
811 return nullptr;
812 }
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]813 OPENSSL_memset(session->tlsext_tick, 'a', ticket_len);
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]814 session->tlsext_ticklen = ticket_len;
David Benjamin1269ddd2015-10-18 15:18:55 -0400[diff] [blame]815
816 // Fix up the timeout.
David Benjamin9b63f292016-11-15 00:44:05 -0500[diff] [blame]817#if defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE)
818 session->time = 1234;
819#else
David Benjamin1269ddd2015-10-18 15:18:55 -0400[diff] [blame]820 session->time = time(NULL);
David Benjamin9b63f292016-11-15 00:44:05 -0500[diff] [blame]821#endif
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]822 return session;
823}
824
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]825static bool GetClientHello(SSL *ssl, std::vector<uint8_t> *out) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]826 bssl::UniquePtr<BIO> bio(BIO_new(BIO_s_mem()));
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]827 if (!bio) {
828 return false;
829 }
830 // Do not configure a reading BIO, but record what's written to a memory BIO.
David Benjamin96a16cd2016-08-11 12:14:47 -0400[diff] [blame]831 BIO_up_ref(bio.get());
832 SSL_set_bio(ssl, nullptr /* rbio */, bio.get());
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]833 int ret = SSL_connect(ssl);
834 if (ret > 0) {
835 // SSL_connect should fail without a BIO to write to.
836 return false;
837 }
838 ERR_clear_error();
839
840 const uint8_t *client_hello;
841 size_t client_hello_len;
842 if (!BIO_mem_contents(bio.get(), &client_hello, &client_hello_len)) {
843 return false;
844 }
845 *out = std::vector<uint8_t>(client_hello, client_hello + client_hello_len);
846 return true;
847}
848
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]849// GetClientHelloLen creates a client SSL connection with the specified version
850// and ticket length. It returns the length of the ClientHello, not including
851// the record header, on success and zero on error.
852static size_t GetClientHelloLen(uint16_t max_version, uint16_t session_version,
853 size_t ticket_len) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]854 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]855 bssl::UniquePtr<SSL_SESSION> session =
856 CreateSessionWithTicket(session_version, ticket_len);
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]857 if (!ctx || !session) {
858 return 0;
859 }
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]860
861 // Set a one-element cipher list so the baseline ClientHello is unpadded.
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]862 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
Steven Valdez2c62fe92016-10-14 12:08:12 -0400[diff] [blame]863 if (!ssl || !SSL_set_session(ssl.get(), session.get()) ||
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]864 !SSL_set_strict_cipher_list(ssl.get(), "ECDHE-RSA-AES128-GCM-SHA256") ||
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]865 !SSL_set_max_proto_version(ssl.get(), max_version)) {
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]866 return 0;
867 }
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]868
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]869 std::vector<uint8_t> client_hello;
870 if (!GetClientHello(ssl.get(), &client_hello) ||
871 client_hello.size() <= SSL3_RT_HEADER_LENGTH) {
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]872 return 0;
873 }
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]874
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]875 return client_hello.size() - SSL3_RT_HEADER_LENGTH;
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]876}
877
878struct PaddingTest {
879 size_t input_len, padded_len;
880};
881
882static const PaddingTest kPaddingTests[] = {
883 // ClientHellos of length below 0x100 do not require padding.
884 {0xfe, 0xfe},
885 {0xff, 0xff},
886 // ClientHellos of length 0x100 through 0x1fb are padded up to 0x200.
887 {0x100, 0x200},
888 {0x123, 0x200},
889 {0x1fb, 0x200},
890 // ClientHellos of length 0x1fc through 0x1ff get padded beyond 0x200. The
891 // padding extension takes a minimum of four bytes plus one required content
892 // byte. (To work around yet more server bugs, we avoid empty final
893 // extensions.)
894 {0x1fc, 0x201},
895 {0x1fd, 0x202},
896 {0x1fe, 0x203},
897 {0x1ff, 0x204},
898 // Finally, larger ClientHellos need no padding.
899 {0x200, 0x200},
900 {0x201, 0x201},
901};
902
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]903static bool TestPaddingExtension(uint16_t max_version,
904 uint16_t session_version) {
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]905 // Sample a baseline length.
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]906 size_t base_len = GetClientHelloLen(max_version, session_version, 1);
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]907 if (base_len == 0) {
908 return false;
909 }
910
911 for (const PaddingTest &test : kPaddingTests) {
912 if (base_len > test.input_len) {
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]913 fprintf(stderr,
914 "Baseline ClientHello too long (max_version = %04x, "
915 "session_version = %04x).\n",
916 max_version, session_version);
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]917 return false;
918 }
919
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]920 size_t padded_len = GetClientHelloLen(max_version, session_version,
921 1 + test.input_len - base_len);
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]922 if (padded_len != test.padded_len) {
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]923 fprintf(stderr,
924 "%u-byte ClientHello padded to %u bytes, not %u (max_version = "
925 "%04x, session_version = %04x).\n",
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]926 static_cast<unsigned>(test.input_len),
927 static_cast<unsigned>(padded_len),
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]928 static_cast<unsigned>(test.padded_len), max_version,
929 session_version);
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]930 return false;
931 }
932 }
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]933
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]934 return true;
935}
936
David Benjamin1d128f32015-09-08 17:41:40 -0400[diff] [blame]937// Test that |SSL_get_client_CA_list| echoes back the configured parameter even
938// before configuring as a server.
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]939TEST(SSLTest, ClientCAList) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]940 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]941 ASSERT_TRUE(ctx);
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]942 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]943 ASSERT_TRUE(ssl);
David Benjamin1d128f32015-09-08 17:41:40 -0400[diff] [blame]944
Adam Langley34b4c822017-02-02 10:57:17 -0800[diff] [blame]945 bssl::UniquePtr<X509_NAME> name(X509_NAME_new());
946 ASSERT_TRUE(name);
David Benjamin1d128f32015-09-08 17:41:40 -0400[diff] [blame]947
Adam Langley34b4c822017-02-02 10:57:17 -0800[diff] [blame]948 bssl::UniquePtr<X509_NAME> name_dup(X509_NAME_dup(name.get()));
949 ASSERT_TRUE(name_dup);
950
951 bssl::UniquePtr<STACK_OF(X509_NAME)> stack(sk_X509_NAME_new_null());
952 ASSERT_TRUE(stack);
953
954 ASSERT_TRUE(sk_X509_NAME_push(stack.get(), name_dup.get()));
955 name_dup.release();
956
957 // |SSL_set_client_CA_list| takes ownership.
958 SSL_set_client_CA_list(ssl.get(), stack.release());
959
960 STACK_OF(X509_NAME) *result = SSL_get_client_CA_list(ssl.get());
961 ASSERT_TRUE(result);
962 ASSERT_EQ(1u, sk_X509_NAME_num(result));
963 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(result, 0), name.get()));
David Benjamin1d128f32015-09-08 17:41:40 -0400[diff] [blame]964}
965
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]966static void AppendSession(SSL_SESSION *session, void *arg) {
967 std::vector<SSL_SESSION*> *out =
968 reinterpret_cast<std::vector<SSL_SESSION*>*>(arg);
969 out->push_back(session);
970}
971
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]972// CacheEquals returns true if |ctx|'s session cache consists of |expected|, in
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]973// order.
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]974static bool CacheEquals(SSL_CTX *ctx,
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]975 const std::vector<SSL_SESSION*> &expected) {
976 // Check the linked list.
977 SSL_SESSION *ptr = ctx->session_cache_head;
978 for (SSL_SESSION *session : expected) {
979 if (ptr != session) {
980 return false;
981 }
982 // TODO(davidben): This is an absurd way to denote the end of the list.
983 if (ptr->next ==
984 reinterpret_cast<SSL_SESSION *>(&ctx->session_cache_tail)) {
985 ptr = nullptr;
986 } else {
987 ptr = ptr->next;
988 }
989 }
990 if (ptr != nullptr) {
991 return false;
992 }
993
994 // Check the hash table.
995 std::vector<SSL_SESSION*> actual, expected_copy;
996 lh_SSL_SESSION_doall_arg(SSL_CTX_sessions(ctx), AppendSession, &actual);
997 expected_copy = expected;
998
999 std::sort(actual.begin(), actual.end());
1000 std::sort(expected_copy.begin(), expected_copy.end());
1001
1002 return actual == expected_copy;
1003}
1004
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1005static bssl::UniquePtr<SSL_SESSION> CreateTestSession(uint32_t number) {
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]1006 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
1007 if (!ssl_ctx) {
1008 return nullptr;
1009 }
1010 bssl::UniquePtr<SSL_SESSION> ret(SSL_SESSION_new(ssl_ctx.get()));
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1011 if (!ret) {
1012 return nullptr;
1013 }
1014
1015 ret->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]1016 OPENSSL_memset(ret->session_id, 0, ret->session_id_length);
1017 OPENSSL_memcpy(ret->session_id, &number, sizeof(number));
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1018 return ret;
1019}
1020
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1021// Test that the internal session cache behaves as expected.
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1022TEST(SSLTest, InternalSessionCache) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1023 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1024 ASSERT_TRUE(ctx);
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1025
1026 // Prepare 10 test sessions.
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1027 std::vector<bssl::UniquePtr<SSL_SESSION>> sessions;
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1028 for (int i = 0; i < 10; i++) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1029 bssl::UniquePtr<SSL_SESSION> session = CreateTestSession(i);
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1030 ASSERT_TRUE(session);
David Benjamin4f6acaf2015-11-21 03:00:50 -0500[diff] [blame]1031 sessions.push_back(std::move(session));
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1032 }
1033
1034 SSL_CTX_sess_set_cache_size(ctx.get(), 5);
1035
1036 // Insert all the test sessions.
David Benjamin4f6acaf2015-11-21 03:00:50 -0500[diff] [blame]1037 for (const auto &session : sessions) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1038 ASSERT_TRUE(SSL_CTX_add_session(ctx.get(), session.get()));
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1039 }
1040
1041 // Only the last five should be in the list.
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1042 ASSERT_TRUE(CacheEquals(
1043 ctx.get(), {sessions[9].get(), sessions[8].get(), sessions[7].get(),
1044 sessions[6].get(), sessions[5].get()}));
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1045
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1046 // Inserting an element already in the cache should fail and leave the cache
1047 // unchanged.
1048 ASSERT_FALSE(SSL_CTX_add_session(ctx.get(), sessions[7].get()));
1049 ASSERT_TRUE(CacheEquals(
1050 ctx.get(), {sessions[9].get(), sessions[8].get(), sessions[7].get(),
1051 sessions[6].get(), sessions[5].get()}));
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1052
1053 // Although collisions should be impossible (256-bit session IDs), the cache
1054 // must handle them gracefully.
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1055 bssl::UniquePtr<SSL_SESSION> collision(CreateTestSession(7));
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1056 ASSERT_TRUE(collision);
1057 ASSERT_TRUE(SSL_CTX_add_session(ctx.get(), collision.get()));
1058 ASSERT_TRUE(CacheEquals(
1059 ctx.get(), {collision.get(), sessions[9].get(), sessions[8].get(),
1060 sessions[6].get(), sessions[5].get()}));
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1061
1062 // Removing sessions behaves correctly.
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1063 ASSERT_TRUE(SSL_CTX_remove_session(ctx.get(), sessions[6].get()));
1064 ASSERT_TRUE(CacheEquals(ctx.get(), {collision.get(), sessions[9].get(),
1065 sessions[8].get(), sessions[5].get()}));
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1066
1067 // Removing sessions requires an exact match.
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1068 ASSERT_FALSE(SSL_CTX_remove_session(ctx.get(), sessions[0].get()));
1069 ASSERT_FALSE(SSL_CTX_remove_session(ctx.get(), sessions[7].get()));
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1070
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1071 // The cache remains unchanged.
1072 ASSERT_TRUE(CacheEquals(ctx.get(), {collision.get(), sessions[9].get(),
1073 sessions[8].get(), sessions[5].get()}));
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1074}
1075
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1076static uint16_t EpochFromSequence(uint64_t seq) {
1077 return static_cast<uint16_t>(seq >> 48);
1078}
1079
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1080static bssl::UniquePtr<X509> GetTestCertificate() {
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1081 static const char kCertPEM[] =
1082 "-----BEGIN CERTIFICATE-----\n"
1083 "MIICWDCCAcGgAwIBAgIJAPuwTC6rEJsMMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV\n"
1084 "BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX\n"
1085 "aWRnaXRzIFB0eSBMdGQwHhcNMTQwNDIzMjA1MDQwWhcNMTcwNDIyMjA1MDQwWjBF\n"
1086 "MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50\n"
1087 "ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\n"
1088 "gQDYK8imMuRi/03z0K1Zi0WnvfFHvwlYeyK9Na6XJYaUoIDAtB92kWdGMdAQhLci\n"
1089 "HnAjkXLI6W15OoV3gA/ElRZ1xUpxTMhjP6PyY5wqT5r6y8FxbiiFKKAnHmUcrgfV\n"
1090 "W28tQ+0rkLGMryRtrukXOgXBv7gcrmU7G1jC2a7WqmeI8QIDAQABo1AwTjAdBgNV\n"
1091 "HQ4EFgQUi3XVrMsIvg4fZbf6Vr5sp3Xaha8wHwYDVR0jBBgwFoAUi3XVrMsIvg4f\n"
1092 "Zbf6Vr5sp3Xaha8wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQA76Hht\n"
1093 "ldY9avcTGSwbwoiuIqv0jTL1fHFnzy3RHMLDh+Lpvolc5DSrSJHCP5WuK0eeJXhr\n"
1094 "T5oQpHL9z/cCDLAKCKRa4uV0fhEdOWBqyR9p8y5jJtye72t6CuFUV5iqcpF4BH4f\n"
1095 "j2VNHwsSrJwkD4QUGlUtH7vwnQmyCFxZMmWAJg==\n"
1096 "-----END CERTIFICATE-----\n";
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1097 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(kCertPEM, strlen(kCertPEM)));
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]1098 return bssl::UniquePtr<X509>(
1099 PEM_read_bio_X509(bio.get(), nullptr, nullptr, nullptr));
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1100}
1101
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1102static bssl::UniquePtr<EVP_PKEY> GetTestKey() {
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1103 static const char kKeyPEM[] =
1104 "-----BEGIN RSA PRIVATE KEY-----\n"
1105 "MIICXgIBAAKBgQDYK8imMuRi/03z0K1Zi0WnvfFHvwlYeyK9Na6XJYaUoIDAtB92\n"
1106 "kWdGMdAQhLciHnAjkXLI6W15OoV3gA/ElRZ1xUpxTMhjP6PyY5wqT5r6y8FxbiiF\n"
1107 "KKAnHmUcrgfVW28tQ+0rkLGMryRtrukXOgXBv7gcrmU7G1jC2a7WqmeI8QIDAQAB\n"
1108 "AoGBAIBy09Fd4DOq/Ijp8HeKuCMKTHqTW1xGHshLQ6jwVV2vWZIn9aIgmDsvkjCe\n"
1109 "i6ssZvnbjVcwzSoByhjN8ZCf/i15HECWDFFh6gt0P5z0MnChwzZmvatV/FXCT0j+\n"
1110 "WmGNB/gkehKjGXLLcjTb6dRYVJSCZhVuOLLcbWIV10gggJQBAkEA8S8sGe4ezyyZ\n"
1111 "m4e9r95g6s43kPqtj5rewTsUxt+2n4eVodD+ZUlCULWVNAFLkYRTBCASlSrm9Xhj\n"
1112 "QpmWAHJUkQJBAOVzQdFUaewLtdOJoPCtpYoY1zd22eae8TQEmpGOR11L6kbxLQsk\n"
1113 "aMly/DOnOaa82tqAGTdqDEZgSNmCeKKknmECQAvpnY8GUOVAubGR6c+W90iBuQLj\n"
1114 "LtFp/9ihd2w/PoDwrHZaoUYVcT4VSfJQog/k7kjE4MYXYWL8eEKg3WTWQNECQQDk\n"
1115 "104Wi91Umd1PzF0ijd2jXOERJU1wEKe6XLkYYNHWQAe5l4J4MWj9OdxFXAxIuuR/\n"
1116 "tfDwbqkta4xcux67//khAkEAvvRXLHTaa6VFzTaiiO8SaFsHV3lQyXOtMrBpB5jd\n"
1117 "moZWgjHvB2W9Ckn7sDqsPB+U2tyX0joDdQEyuiMECDY8oQ==\n"
1118 "-----END RSA PRIVATE KEY-----\n";
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1119 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(kKeyPEM, strlen(kKeyPEM)));
1120 return bssl::UniquePtr<EVP_PKEY>(
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1121 PEM_read_bio_PrivateKey(bio.get(), nullptr, nullptr, nullptr));
1122}
1123
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1124static bssl::UniquePtr<X509> GetECDSATestCertificate() {
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]1125 static const char kCertPEM[] =
1126 "-----BEGIN CERTIFICATE-----\n"
1127 "MIIBzzCCAXagAwIBAgIJANlMBNpJfb/rMAkGByqGSM49BAEwRTELMAkGA1UEBhMC\n"
1128 "QVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdp\n"
1129 "dHMgUHR5IEx0ZDAeFw0xNDA0MjMyMzIxNTdaFw0xNDA1MjMyMzIxNTdaMEUxCzAJ\n"
1130 "BgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5l\n"
1131 "dCBXaWRnaXRzIFB0eSBMdGQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATmK2ni\n"
1132 "v2Wfl74vHg2UikzVl2u3qR4NRvvdqakendy6WgHn1peoChj5w8SjHlbifINI2xYa\n"
1133 "HPUdfvGULUvPciLBo1AwTjAdBgNVHQ4EFgQUq4TSrKuV8IJOFngHVVdf5CaNgtEw\n"
1134 "HwYDVR0jBBgwFoAUq4TSrKuV8IJOFngHVVdf5CaNgtEwDAYDVR0TBAUwAwEB/zAJ\n"
1135 "BgcqhkjOPQQBA0gAMEUCIQDyoDVeUTo2w4J5m+4nUIWOcAZ0lVfSKXQA9L4Vh13E\n"
1136 "BwIgfB55FGohg/B6dGh5XxSZmmi08cueFV7mHzJSYV51yRQ=\n"
1137 "-----END CERTIFICATE-----\n";
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1138 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(kCertPEM, strlen(kCertPEM)));
1139 return bssl::UniquePtr<X509>(PEM_read_bio_X509(bio.get(), nullptr, nullptr, nullptr));
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]1140}
1141
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1142static bssl::UniquePtr<EVP_PKEY> GetECDSATestKey() {
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]1143 static const char kKeyPEM[] =
1144 "-----BEGIN PRIVATE KEY-----\n"
1145 "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgBw8IcnrUoEqc3VnJ\n"
1146 "TYlodwi1b8ldMHcO6NHJzgqLtGqhRANCAATmK2niv2Wfl74vHg2UikzVl2u3qR4N\n"
1147 "Rvvdqakendy6WgHn1peoChj5w8SjHlbifINI2xYaHPUdfvGULUvPciLB\n"
1148 "-----END PRIVATE KEY-----\n";
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1149 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(kKeyPEM, strlen(kKeyPEM)));
1150 return bssl::UniquePtr<EVP_PKEY>(
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]1151 PEM_read_bio_PrivateKey(bio.get(), nullptr, nullptr, nullptr));
1152}
1153
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]1154static bssl::UniquePtr<CRYPTO_BUFFER> BufferFromPEM(const char *pem) {
1155 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(pem, strlen(pem)));
1156 char *name, *header;
1157 uint8_t *data;
1158 long data_len;
1159 if (!PEM_read_bio(bio.get(), &name, &header, &data,
1160 &data_len)) {
1161 return nullptr;
1162 }
1163 OPENSSL_free(name);
1164 OPENSSL_free(header);
1165
1166 auto ret = bssl::UniquePtr<CRYPTO_BUFFER>(
1167 CRYPTO_BUFFER_new(data, data_len, nullptr));
1168 OPENSSL_free(data);
1169 return ret;
1170}
1171
1172static bssl::UniquePtr<CRYPTO_BUFFER> GetChainTestCertificateBuffer() {
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]1173 static const char kCertPEM[] =
1174 "-----BEGIN CERTIFICATE-----\n"
1175 "MIIC0jCCAbqgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEQiBD\n"
1176 "QTAeFw0xNjAyMjgyMDI3MDNaFw0yNjAyMjUyMDI3MDNaMBgxFjAUBgNVBAMMDUNs\n"
1177 "aWVudCBDZXJ0IEEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDRvaz8\n"
1178 "CC/cshpCafJo4jLkHEoBqDLhdgFelJoAiQUyIqyWl2O7YHPnpJH+TgR7oelzNzt/\n"
1179 "kLRcH89M/TszB6zqyLTC4aqmvzKL0peD/jL2LWBucR0WXIvjA3zoRuF/x86+rYH3\n"
1180 "tHb+xs2PSs8EGL/Ev+ss+qTzTGEn26fuGNHkNw6tOwPpc+o8+wUtzf/kAthamo+c\n"
1181 "IDs2rQ+lP7+aLZTLeU/q4gcLutlzcK5imex5xy2jPkweq48kijK0kIzl1cPlA5d1\n"
1182 "z7C8jU50Pj9X9sQDJTN32j7UYRisJeeYQF8GaaN8SbrDI6zHgKzrRLyxDt/KQa9V\n"
1183 "iLeXANgZi+Xx9KgfAgMBAAGjLzAtMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYI\n"
1184 "KwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQBFEVbmYl+2RtNw\n"
1185 "rDftRDF1v2QUbcN2ouSnQDHxeDQdSgasLzT3ui8iYu0Rw2WWcZ0DV5e0ztGPhWq7\n"
1186 "AO0B120aFRMOY+4+bzu9Q2FFkQqc7/fKTvTDzIJI5wrMnFvUfzzvxh3OHWMYSs/w\n"
1187 "giq33hTKeHEq6Jyk3btCny0Ycecyc3yGXH10sizUfiHlhviCkDuESk8mFDwDDzqW\n"
1188 "ZF0IipzFbEDHoIxLlm3GQxpiLoEV4k8KYJp3R5KBLFyxM6UGPz8h72mIPCJp2RuK\n"
1189 "MYgF91UDvVzvnYm6TfseM2+ewKirC00GOrZ7rEcFvtxnKSqYf4ckqfNdSU1Y+RRC\n"
1190 "1ngWZ7Ih\n"
1191 "-----END CERTIFICATE-----\n";
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]1192 return BufferFromPEM(kCertPEM);
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]1193}
1194
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]1195static bssl::UniquePtr<X509> X509FromBuffer(
1196 bssl::UniquePtr<CRYPTO_BUFFER> buffer) {
1197 if (!buffer) {
1198 return nullptr;
1199 }
1200 const uint8_t *derp = CRYPTO_BUFFER_data(buffer.get());
1201 return bssl::UniquePtr<X509>(
1202 d2i_X509(NULL, &derp, CRYPTO_BUFFER_len(buffer.get())));
1203}
1204
1205static bssl::UniquePtr<X509> GetChainTestCertificate() {
1206 return X509FromBuffer(GetChainTestCertificateBuffer());
1207}
1208
1209static bssl::UniquePtr<CRYPTO_BUFFER> GetChainTestIntermediateBuffer() {
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]1210 static const char kCertPEM[] =
1211 "-----BEGIN CERTIFICATE-----\n"
1212 "MIICwjCCAaqgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwFDESMBAGA1UEAwwJQyBS\n"
1213 "b290IENBMB4XDTE2MDIyODIwMjcwM1oXDTI2MDIyNTIwMjcwM1owDzENMAsGA1UE\n"
1214 "AwwEQiBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALsSCYmDip2D\n"
1215 "GkjFxw7ykz26JSjELkl6ArlYjFJ3aT/SCh8qbS4gln7RH8CPBd78oFdfhIKQrwtZ\n"
1216 "3/q21ykD9BAS3qHe2YdcJfm8/kWAy5DvXk6NXU4qX334KofBAEpgdA/igEFq1P1l\n"
1217 "HAuIfZCpMRfT+i5WohVsGi8f/NgpRvVaMONLNfgw57mz1lbtFeBEISmX0kbsuJxF\n"
1218 "Qj/Bwhi5/0HAEXG8e7zN4cEx0yPRvmOATRdVb/8dW2pwOHRJq9R5M0NUkIsTSnL7\n"
1219 "6N/z8hRAHMsV3IudC5Yd7GXW1AGu9a+iKU+Q4xcZCoj0DC99tL4VKujrV1kAeqsM\n"
1220 "cz5/dKzi6+cCAwEAAaMjMCEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
1221 "AQYwDQYJKoZIhvcNAQELBQADggEBAIIeZiEeNhWWQ8Y4D+AGDwqUUeG8NjCbKrXQ\n"
1222 "BlHg5wZ8xftFaiP1Dp/UAezmx2LNazdmuwrYB8lm3FVTyaPDTKEGIPS4wJKHgqH1\n"
1223 "QPDhqNm85ey7TEtI9oYjsNim/Rb+iGkIAMXaxt58SzxbjvP0kMr1JfJIZbic9vye\n"
1224 "NwIspMFIpP3FB8ywyu0T0hWtCQgL4J47nigCHpOu58deP88fS/Nyz/fyGVWOZ76b\n"
1225 "WhWwgM3P3X95fQ3d7oFPR/bVh0YV+Cf861INwplokXgXQ3/TCQ+HNXeAMWn3JLWv\n"
1226 "XFwk8owk9dq/kQGdndGgy3KTEW4ctPX5GNhf3LJ9Q7dLji4ReQ4=\n"
1227 "-----END CERTIFICATE-----\n";
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]1228 return BufferFromPEM(kCertPEM);
1229}
1230
1231static bssl::UniquePtr<X509> GetChainTestIntermediate() {
1232 return X509FromBuffer(GetChainTestIntermediateBuffer());
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]1233}
1234
1235static bssl::UniquePtr<EVP_PKEY> GetChainTestKey() {
1236 static const char kKeyPEM[] =
1237 "-----BEGIN PRIVATE KEY-----\n"
1238 "MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDRvaz8CC/cshpC\n"
1239 "afJo4jLkHEoBqDLhdgFelJoAiQUyIqyWl2O7YHPnpJH+TgR7oelzNzt/kLRcH89M\n"
1240 "/TszB6zqyLTC4aqmvzKL0peD/jL2LWBucR0WXIvjA3zoRuF/x86+rYH3tHb+xs2P\n"
1241 "Ss8EGL/Ev+ss+qTzTGEn26fuGNHkNw6tOwPpc+o8+wUtzf/kAthamo+cIDs2rQ+l\n"
1242 "P7+aLZTLeU/q4gcLutlzcK5imex5xy2jPkweq48kijK0kIzl1cPlA5d1z7C8jU50\n"
1243 "Pj9X9sQDJTN32j7UYRisJeeYQF8GaaN8SbrDI6zHgKzrRLyxDt/KQa9ViLeXANgZ\n"
1244 "i+Xx9KgfAgMBAAECggEBAK0VjSJzkyPaamcyTVSWjo7GdaBGcK60lk657RjR+lK0\n"
1245 "YJ7pkej4oM2hdsVZFsP8Cs4E33nXLa/0pDsRov/qrp0WQm2skwqGMC1I/bZ0WRPk\n"
1246 "wHaDrBBfESWnJDX/AGpVtlyOjPmgmK6J2usMPihQUDkKdAYrVWJePrMIxt1q6BMe\n"
1247 "iczs3qriMmtY3bUc4UyUwJ5fhDLjshHvfuIpYQyI6EXZM6dZksn9LylXJnigY6QJ\n"
1248 "HxOYO0BDwOsZ8yQ8J8afLk88i0GizEkgE1z3REtQUwgWfxr1WV/ud+T6/ZhSAgH9\n"
1249 "042mQvSFZnIUSEsmCvjhWuAunfxHKCTcAoYISWfzWpkCgYEA7gpf3HHU5Tn+CgUn\n"
1250 "1X5uGpG3DmcMgfeGgs2r2f/IIg/5Ac1dfYILiybL1tN9zbyLCJfcbFpWBc9hJL6f\n"
1251 "CPc5hUiwWFJqBJewxQkC1Ae/HakHbip+IZ+Jr0842O4BAArvixk4Lb7/N2Ct9sTE\n"
1252 "NJO6RtK9lbEZ5uK61DglHy8CS2UCgYEA4ZC1o36kPAMQBggajgnucb2yuUEelk0f\n"
1253 "AEr+GI32MGE+93xMr7rAhBoqLg4AITyIfEnOSQ5HwagnIHonBbv1LV/Gf9ursx8Z\n"
1254 "YOGbvT8zzzC+SU1bkDzdjAYnFQVGIjMtKOBJ3K07++ypwX1fr4QsQ8uKL8WSOWwt\n"
1255 "Z3Bym6XiZzMCgYADnhy+2OwHX85AkLt+PyGlPbmuelpyTzS4IDAQbBa6jcuW/2wA\n"
1256 "UE2km75VUXmD+u2R/9zVuLm99NzhFhSMqlUxdV1YukfqMfP5yp1EY6m/5aW7QuIP\n"
1257 "2MDa7TVL9rIFMiVZ09RKvbBbQxjhuzPQKL6X/PPspnhiTefQ+dl2k9xREQKBgHDS\n"
1258 "fMfGNEeAEKezrfSVqxphE9/tXms3L+ZpnCaT+yu/uEr5dTIAawKoQ6i9f/sf1/Sy\n"
1259 "xedsqR+IB+oKrzIDDWMgoJybN4pkZ8E5lzhVQIjFjKgFdWLzzqyW9z1gYfABQPlN\n"
1260 "FiS20WX0vgP1vcKAjdNrHzc9zyHBpgQzDmAj3NZZAoGBAI8vKCKdH7w3aL5CNkZQ\n"
1261 "2buIeWNA2HZazVwAGG5F2TU/LmXfRKnG6dX5bkU+AkBZh56jNZy//hfFSewJB4Kk\n"
1262 "buB7ERSdaNbO21zXt9FEA3+z0RfMd/Zv2vlIWOSB5nzl/7UKti3sribK6s9ZVLfi\n"
1263 "SxpiPQ8d/hmSGwn4ksrWUsJD\n"
1264 "-----END PRIVATE KEY-----\n";
1265 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(kKeyPEM, strlen(kKeyPEM)));
1266 return bssl::UniquePtr<EVP_PKEY>(
1267 PEM_read_bio_PrivateKey(bio.get(), nullptr, nullptr, nullptr));
1268}
1269
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]1270static bool CompleteHandshakes(SSL *client, SSL *server) {
1271 // Drive both their handshakes to completion.
1272 for (;;) {
1273 int client_ret = SSL_do_handshake(client);
1274 int client_err = SSL_get_error(client, client_ret);
1275 if (client_err != SSL_ERROR_NONE &&
1276 client_err != SSL_ERROR_WANT_READ &&
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]1277 client_err != SSL_ERROR_WANT_WRITE &&
1278 client_err != SSL_ERROR_PENDING_TICKET) {
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]1279 fprintf(stderr, "Client error: %d\n", client_err);
1280 return false;
1281 }
1282
1283 int server_ret = SSL_do_handshake(server);
1284 int server_err = SSL_get_error(server, server_ret);
1285 if (server_err != SSL_ERROR_NONE &&
1286 server_err != SSL_ERROR_WANT_READ &&
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]1287 server_err != SSL_ERROR_WANT_WRITE &&
1288 server_err != SSL_ERROR_PENDING_TICKET) {
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]1289 fprintf(stderr, "Server error: %d\n", server_err);
1290 return false;
1291 }
1292
1293 if (client_ret == 1 && server_ret == 1) {
1294 break;
1295 }
1296 }
1297
1298 return true;
1299}
1300
1301static bool ConnectClientAndServer(bssl::UniquePtr<SSL> *out_client,
1302 bssl::UniquePtr<SSL> *out_server,
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]1303 SSL_CTX *client_ctx, SSL_CTX *server_ctx,
1304 SSL_SESSION *session) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1305 bssl::UniquePtr<SSL> client(SSL_new(client_ctx)), server(SSL_new(server_ctx));
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1306 if (!client || !server) {
1307 return false;
1308 }
1309 SSL_set_connect_state(client.get());
1310 SSL_set_accept_state(server.get());
1311
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]1312 SSL_set_session(client.get(), session);
1313
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1314 BIO *bio1, *bio2;
1315 if (!BIO_new_bio_pair(&bio1, 0, &bio2, 0)) {
1316 return false;
1317 }
1318 // SSL_set_bio takes ownership.
1319 SSL_set_bio(client.get(), bio1, bio1);
1320 SSL_set_bio(server.get(), bio2, bio2);
1321
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]1322 if (!CompleteHandshakes(client.get(), server.get())) {
1323 return false;
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1324 }
1325
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1326 *out_client = std::move(client);
1327 *out_server = std::move(server);
1328 return true;
1329}
1330
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1331static bool TestSequenceNumber(bool is_dtls, const SSL_METHOD *method,
1332 uint16_t version) {
1333 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method));
1334 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method));
1335 if (!server_ctx || !client_ctx ||
1336 !SSL_CTX_set_min_proto_version(client_ctx.get(), version) ||
1337 !SSL_CTX_set_max_proto_version(client_ctx.get(), version) ||
1338 !SSL_CTX_set_min_proto_version(server_ctx.get(), version) ||
1339 !SSL_CTX_set_max_proto_version(server_ctx.get(), version)) {
1340 return false;
1341 }
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1342
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1343 bssl::UniquePtr<X509> cert = GetTestCertificate();
1344 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
1345 if (!cert || !key || !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) ||
1346 !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get())) {
1347 return false;
1348 }
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1349
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1350 bssl::UniquePtr<SSL> client, server;
1351 if (!ConnectClientAndServer(&client, &server, client_ctx.get(),
1352 server_ctx.get(), nullptr /* no session */)) {
1353 return false;
1354 }
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1355
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1356 // Drain any post-handshake messages to ensure there are no unread records
1357 // on either end.
1358 uint8_t byte = 0;
1359 if (SSL_read(client.get(), &byte, 1) > 0 ||
1360 SSL_read(server.get(), &byte, 1) > 0) {
1361 fprintf(stderr, "Received unexpected data.\n");
1362 return false;
1363 }
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1364
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1365 uint64_t client_read_seq = SSL_get_read_sequence(client.get());
1366 uint64_t client_write_seq = SSL_get_write_sequence(client.get());
1367 uint64_t server_read_seq = SSL_get_read_sequence(server.get());
1368 uint64_t server_write_seq = SSL_get_write_sequence(server.get());
Steven Valdez2c62fe92016-10-14 12:08:12 -0400[diff] [blame]1369
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1370 if (is_dtls) {
1371 // Both client and server must be at epoch 1.
1372 if (EpochFromSequence(client_read_seq) != 1 ||
1373 EpochFromSequence(client_write_seq) != 1 ||
1374 EpochFromSequence(server_read_seq) != 1 ||
1375 EpochFromSequence(server_write_seq) != 1) {
1376 fprintf(stderr, "Bad epochs.\n");
1377 return false;
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1378 }
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1379
1380 // The next record to be written should exceed the largest received.
1381 if (client_write_seq <= server_read_seq ||
1382 server_write_seq <= client_read_seq) {
1383 fprintf(stderr, "Inconsistent sequence numbers.\n");
1384 return false;
1385 }
1386 } else {
1387 // The next record to be written should equal the next to be received.
1388 if (client_write_seq != server_read_seq ||
1389 server_write_seq != client_read_seq) {
1390 fprintf(stderr, "Inconsistent sequence numbers.\n");
1391 return false;
1392 }
1393 }
1394
1395 // Send a record from client to server.
1396 if (SSL_write(client.get(), &byte, 1) != 1 ||
1397 SSL_read(server.get(), &byte, 1) != 1) {
1398 fprintf(stderr, "Could not send byte.\n");
1399 return false;
1400 }
1401
1402 // The client write and server read sequence numbers should have
1403 // incremented.
1404 if (client_write_seq + 1 != SSL_get_write_sequence(client.get()) ||
1405 server_read_seq + 1 != SSL_get_read_sequence(server.get())) {
1406 fprintf(stderr, "Sequence numbers did not increment.\n");
1407 return false;
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1408 }
1409
1410 return true;
1411}
1412
David Benjamin68f37b72016-11-18 15:14:42 +0900[diff] [blame]1413static bool TestOneSidedShutdown(bool is_dtls, const SSL_METHOD *method,
1414 uint16_t version) {
1415 // SSL_shutdown is a no-op in DTLS.
1416 if (is_dtls) {
1417 return true;
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1418 }
1419
David Benjamin68f37b72016-11-18 15:14:42 +0900[diff] [blame]1420 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method));
1421 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method));
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1422 bssl::UniquePtr<X509> cert = GetTestCertificate();
1423 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
David Benjamin68f37b72016-11-18 15:14:42 +0900[diff] [blame]1424 if (!client_ctx || !server_ctx || !cert || !key ||
1425 !SSL_CTX_set_min_proto_version(server_ctx.get(), version) ||
1426 !SSL_CTX_set_max_proto_version(server_ctx.get(), version) ||
1427 !SSL_CTX_set_min_proto_version(client_ctx.get(), version) ||
1428 !SSL_CTX_set_max_proto_version(client_ctx.get(), version) ||
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1429 !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) ||
1430 !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get())) {
1431 return false;
1432 }
1433
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1434 bssl::UniquePtr<SSL> client, server;
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1435 if (!ConnectClientAndServer(&client, &server, client_ctx.get(),
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]1436 server_ctx.get(), nullptr /* no session */)) {
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1437 return false;
1438 }
1439
1440 // Shut down half the connection. SSL_shutdown will return 0 to signal only
1441 // one side has shut down.
1442 if (SSL_shutdown(client.get()) != 0) {
1443 fprintf(stderr, "Could not shutdown.\n");
1444 return false;
1445 }
1446
1447 // Reading from the server should consume the EOF.
1448 uint8_t byte;
1449 if (SSL_read(server.get(), &byte, 1) != 0 ||
1450 SSL_get_error(server.get(), 0) != SSL_ERROR_ZERO_RETURN) {
1451 fprintf(stderr, "Connection was not shut down cleanly.\n");
1452 return false;
1453 }
1454
1455 // However, the server may continue to write data and then shut down the
1456 // connection.
1457 byte = 42;
1458 if (SSL_write(server.get(), &byte, 1) != 1 ||
1459 SSL_read(client.get(), &byte, 1) != 1 ||
1460 byte != 42) {
1461 fprintf(stderr, "Could not send byte.\n");
1462 return false;
1463 }
1464
1465 // The server may then shutdown the connection.
1466 if (SSL_shutdown(server.get()) != 1 ||
1467 SSL_shutdown(client.get()) != 1) {
1468 fprintf(stderr, "Could not complete shutdown.\n");
1469 return false;
1470 }
1471
1472 return true;
1473}
David Benjamin68f37b72016-11-18 15:14:42 +0900[diff] [blame]1474
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1475TEST(SSLTest, SessionDuplication) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1476 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
1477 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1478 ASSERT_TRUE(client_ctx);
1479 ASSERT_TRUE(server_ctx);
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]1480
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1481 bssl::UniquePtr<X509> cert = GetTestCertificate();
1482 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1483 ASSERT_TRUE(cert);
1484 ASSERT_TRUE(key);
1485 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
1486 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]1487
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1488 bssl::UniquePtr<SSL> client, server;
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1489 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
1490 server_ctx.get(),
1491 nullptr /* no session */));
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]1492
1493 SSL_SESSION *session0 = SSL_get_session(client.get());
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1494 bssl::UniquePtr<SSL_SESSION> session1(
1495 SSL_SESSION_dup(session0, SSL_SESSION_DUP_ALL));
1496 ASSERT_TRUE(session1);
David Benjamin4501bd52016-08-01 13:39:41 -0400[diff] [blame]1497
Steven Valdez84b5c002016-08-25 16:30:58 -0400[diff] [blame]1498 session1->not_resumable = 0;
1499
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]1500 uint8_t *s0_bytes, *s1_bytes;
1501 size_t s0_len, s1_len;
1502
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1503 ASSERT_TRUE(SSL_SESSION_to_bytes(session0, &s0_bytes, &s0_len));
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1504 bssl::UniquePtr<uint8_t> free_s0(s0_bytes);
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]1505
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1506 ASSERT_TRUE(SSL_SESSION_to_bytes(session1.get(), &s1_bytes, &s1_len));
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1507 bssl::UniquePtr<uint8_t> free_s1(s1_bytes);
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]1508
David Benjamin7d7554b2017-02-04 11:48:59 -0500[diff] [blame]1509 EXPECT_EQ(Bytes(s0_bytes, s0_len), Bytes(s1_bytes, s1_len));
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]1510}
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1511
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1512static void ExpectFDs(const SSL *ssl, int rfd, int wfd) {
David Benjaminca743582017-06-15 17:51:35 -0400[diff] [blame]1513 EXPECT_EQ(rfd, SSL_get_fd(ssl));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1514 EXPECT_EQ(rfd, SSL_get_rfd(ssl));
1515 EXPECT_EQ(wfd, SSL_get_wfd(ssl));
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1516
1517 // The wrapper BIOs are always equal when fds are equal, even if set
1518 // individually.
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1519 if (rfd == wfd) {
1520 EXPECT_EQ(SSL_get_rbio(ssl), SSL_get_wbio(ssl));
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1521 }
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1522}
1523
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1524TEST(SSLTest, SetFD) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1525 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1526 ASSERT_TRUE(ctx);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1527
1528 // Test setting different read and write FDs.
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1529 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1530 ASSERT_TRUE(ssl);
1531 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
1532 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 2));
1533 ExpectFDs(ssl.get(), 1, 2);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1534
1535 // Test setting the same FD.
1536 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1537 ASSERT_TRUE(ssl);
1538 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
1539 ExpectFDs(ssl.get(), 1, 1);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1540
1541 // Test setting the same FD one side at a time.
1542 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1543 ASSERT_TRUE(ssl);
1544 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
1545 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 1));
1546 ExpectFDs(ssl.get(), 1, 1);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1547
1548 // Test setting the same FD in the other order.
1549 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1550 ASSERT_TRUE(ssl);
1551 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 1));
1552 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
1553 ExpectFDs(ssl.get(), 1, 1);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1554
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1555 // Test changing the read FD partway through.
1556 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1557 ASSERT_TRUE(ssl);
1558 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
1559 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 2));
1560 ExpectFDs(ssl.get(), 2, 1);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1561
1562 // Test changing the write FD partway through.
1563 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1564 ASSERT_TRUE(ssl);
1565 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
1566 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 2));
1567 ExpectFDs(ssl.get(), 1, 2);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1568
1569 // Test a no-op change to the read FD partway through.
1570 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1571 ASSERT_TRUE(ssl);
1572 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
1573 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
1574 ExpectFDs(ssl.get(), 1, 1);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1575
1576 // Test a no-op change to the write FD partway through.
1577 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1578 ASSERT_TRUE(ssl);
1579 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
1580 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 1));
1581 ExpectFDs(ssl.get(), 1, 1);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1582
1583 // ASan builds will implicitly test that the internal |BIO| reference-counting
1584 // is correct.
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1585}
1586
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1587TEST(SSLTest, SetBIO) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1588 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1589 ASSERT_TRUE(ctx);
David Benjamin4501bd52016-08-01 13:39:41 -0400[diff] [blame]1590
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1591 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
1592 bssl::UniquePtr<BIO> bio1(BIO_new(BIO_s_mem())), bio2(BIO_new(BIO_s_mem())),
David Benjamin4501bd52016-08-01 13:39:41 -0400[diff] [blame]1593 bio3(BIO_new(BIO_s_mem()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1594 ASSERT_TRUE(ssl);
1595 ASSERT_TRUE(bio1);
1596 ASSERT_TRUE(bio2);
1597 ASSERT_TRUE(bio3);
David Benjamin4501bd52016-08-01 13:39:41 -0400[diff] [blame]1598
1599 // SSL_set_bio takes one reference when the parameters are the same.
1600 BIO_up_ref(bio1.get());
1601 SSL_set_bio(ssl.get(), bio1.get(), bio1.get());
1602
1603 // Repeating the call does nothing.
1604 SSL_set_bio(ssl.get(), bio1.get(), bio1.get());
1605
1606 // It takes one reference each when the parameters are different.
1607 BIO_up_ref(bio2.get());
1608 BIO_up_ref(bio3.get());
1609 SSL_set_bio(ssl.get(), bio2.get(), bio3.get());
1610
1611 // Repeating the call does nothing.
1612 SSL_set_bio(ssl.get(), bio2.get(), bio3.get());
1613
1614 // It takes one reference when changing only wbio.
1615 BIO_up_ref(bio1.get());
1616 SSL_set_bio(ssl.get(), bio2.get(), bio1.get());
1617
1618 // It takes one reference when changing only rbio and the two are different.
1619 BIO_up_ref(bio3.get());
1620 SSL_set_bio(ssl.get(), bio3.get(), bio1.get());
1621
1622 // If setting wbio to rbio, it takes no additional references.
1623 SSL_set_bio(ssl.get(), bio3.get(), bio3.get());
1624
1625 // From there, wbio may be switched to something else.
1626 BIO_up_ref(bio1.get());
1627 SSL_set_bio(ssl.get(), bio3.get(), bio1.get());
1628
1629 // If setting rbio to wbio, it takes no additional references.
1630 SSL_set_bio(ssl.get(), bio1.get(), bio1.get());
1631
1632 // From there, rbio may be switched to something else, but, for historical
1633 // reasons, it takes a reference to both parameters.
1634 BIO_up_ref(bio1.get());
1635 BIO_up_ref(bio2.get());
1636 SSL_set_bio(ssl.get(), bio2.get(), bio1.get());
1637
1638 // ASAN builds will implicitly test that the internal |BIO| reference-counting
1639 // is correct.
David Benjamin4501bd52016-08-01 13:39:41 -0400[diff] [blame]1640}
1641
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]1642static int VerifySucceed(X509_STORE_CTX *store_ctx, void *arg) { return 1; }
1643
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1644static bool TestGetPeerCertificate(bool is_dtls, const SSL_METHOD *method,
1645 uint16_t version) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1646 bssl::UniquePtr<X509> cert = GetTestCertificate();
1647 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]1648 if (!cert || !key) {
1649 return false;
1650 }
1651
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1652 // Configure both client and server to accept any certificate.
1653 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method));
1654 if (!ctx ||
1655 !SSL_CTX_use_certificate(ctx.get(), cert.get()) ||
1656 !SSL_CTX_use_PrivateKey(ctx.get(), key.get()) ||
1657 !SSL_CTX_set_min_proto_version(ctx.get(), version) ||
1658 !SSL_CTX_set_max_proto_version(ctx.get(), version)) {
1659 return false;
1660 }
1661 SSL_CTX_set_verify(
1662 ctx.get(), SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nullptr);
1663 SSL_CTX_set_cert_verify_callback(ctx.get(), VerifySucceed, NULL);
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]1664
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1665 bssl::UniquePtr<SSL> client, server;
1666 if (!ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
1667 nullptr /* no session */)) {
1668 return false;
1669 }
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]1670
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1671 // Client and server should both see the leaf certificate.
1672 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(server.get()));
1673 if (!peer || X509_cmp(cert.get(), peer.get()) != 0) {
1674 fprintf(stderr, "Server peer certificate did not match.\n");
1675 return false;
1676 }
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]1677
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1678 peer.reset(SSL_get_peer_certificate(client.get()));
1679 if (!peer || X509_cmp(cert.get(), peer.get()) != 0) {
1680 fprintf(stderr, "Client peer certificate did not match.\n");
1681 return false;
1682 }
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]1683
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1684 // However, for historical reasons, the chain includes the leaf on the
1685 // client, but does not on the server.
1686 if (sk_X509_num(SSL_get_peer_cert_chain(client.get())) != 1) {
1687 fprintf(stderr, "Client peer chain was incorrect.\n");
1688 return false;
1689 }
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]1690
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1691 if (sk_X509_num(SSL_get_peer_cert_chain(server.get())) != 0) {
1692 fprintf(stderr, "Server peer chain was incorrect.\n");
1693 return false;
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]1694 }
1695
1696 return true;
1697}
1698
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1699static bool TestRetainOnlySHA256OfCerts(bool is_dtls, const SSL_METHOD *method,
1700 uint16_t version) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1701 bssl::UniquePtr<X509> cert = GetTestCertificate();
1702 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]1703 if (!cert || !key) {
1704 return false;
1705 }
1706
1707 uint8_t *cert_der = NULL;
1708 int cert_der_len = i2d_X509(cert.get(), &cert_der);
1709 if (cert_der_len < 0) {
1710 return false;
1711 }
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1712 bssl::UniquePtr<uint8_t> free_cert_der(cert_der);
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]1713
1714 uint8_t cert_sha256[SHA256_DIGEST_LENGTH];
1715 SHA256(cert_der, cert_der_len, cert_sha256);
1716
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1717 // Configure both client and server to accept any certificate, but the
1718 // server must retain only the SHA-256 of the peer.
1719 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method));
1720 if (!ctx ||
1721 !SSL_CTX_use_certificate(ctx.get(), cert.get()) ||
1722 !SSL_CTX_use_PrivateKey(ctx.get(), key.get()) ||
1723 !SSL_CTX_set_min_proto_version(ctx.get(), version) ||
1724 !SSL_CTX_set_max_proto_version(ctx.get(), version)) {
1725 return false;
1726 }
1727 SSL_CTX_set_verify(
1728 ctx.get(), SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nullptr);
1729 SSL_CTX_set_cert_verify_callback(ctx.get(), VerifySucceed, NULL);
1730 SSL_CTX_set_retain_only_sha256_of_client_certs(ctx.get(), 1);
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]1731
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1732 bssl::UniquePtr<SSL> client, server;
1733 if (!ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
1734 nullptr /* no session */)) {
1735 return false;
1736 }
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]1737
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1738 // The peer certificate has been dropped.
1739 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(server.get()));
1740 if (peer) {
1741 fprintf(stderr, "Peer certificate was retained.\n");
1742 return false;
1743 }
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]1744
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1745 SSL_SESSION *session = SSL_get_session(server.get());
1746 if (!session->peer_sha256_valid) {
1747 fprintf(stderr, "peer_sha256_valid was not set.\n");
1748 return false;
1749 }
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]1750
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]1751 if (OPENSSL_memcmp(cert_sha256, session->peer_sha256, SHA256_DIGEST_LENGTH) !=
1752 0) {
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1753 fprintf(stderr, "peer_sha256 did not match.\n");
1754 return false;
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]1755 }
1756
1757 return true;
1758}
1759
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1760static bool ClientHelloMatches(uint16_t version, const uint8_t *expected,
1761 size_t expected_len) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1762 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1763 // Our default cipher list varies by CPU capabilities, so manually place the
1764 // ChaCha20 ciphers in front.
Matthew Braithwaite7e06de52017-04-10 15:52:14 -0700[diff] [blame]1765 const char* cipher_list = "CHACHA20:ALL";
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]1766 if (!ctx ||
David Benjamin3cfeb952017-03-01 16:48:38 -0500[diff] [blame]1767 // SSLv3 is off by default.
1768 !SSL_CTX_set_min_proto_version(ctx.get(), SSL3_VERSION) ||
David Benjamine4706902016-09-20 15:12:23 -0400[diff] [blame]1769 !SSL_CTX_set_max_proto_version(ctx.get(), version) ||
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1770 !SSL_CTX_set_strict_cipher_list(ctx.get(), cipher_list)) {
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1771 return false;
1772 }
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]1773
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1774 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1775 if (!ssl) {
1776 return false;
1777 }
1778 std::vector<uint8_t> client_hello;
1779 if (!GetClientHello(ssl.get(), &client_hello)) {
1780 return false;
1781 }
1782
1783 // Zero the client_random.
1784 constexpr size_t kRandomOffset = 1 + 2 + 2 + // record header
1785 1 + 3 + // handshake message header
1786 2; // client_version
1787 if (client_hello.size() < kRandomOffset + SSL3_RANDOM_SIZE) {
1788 fprintf(stderr, "ClientHello for version %04x too short.\n", version);
1789 return false;
1790 }
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]1791 OPENSSL_memset(client_hello.data() + kRandomOffset, 0, SSL3_RANDOM_SIZE);
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1792
1793 if (client_hello.size() != expected_len ||
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]1794 OPENSSL_memcmp(client_hello.data(), expected, expected_len) != 0) {
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1795 fprintf(stderr, "ClientHello for version %04x did not match:\n", version);
1796 fprintf(stderr, "Got:\n\t");
1797 for (size_t i = 0; i < client_hello.size(); i++) {
1798 fprintf(stderr, "0x%02x, ", client_hello[i]);
1799 }
1800 fprintf(stderr, "\nWanted:\n\t");
1801 for (size_t i = 0; i < expected_len; i++) {
1802 fprintf(stderr, "0x%02x, ", expected[i]);
1803 }
1804 fprintf(stderr, "\n");
1805 return false;
1806 }
1807
1808 return true;
1809}
1810
1811// Tests that our ClientHellos do not change unexpectedly.
1812static bool TestClientHello() {
1813 static const uint8_t kSSL3ClientHello[] = {
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1814 0x16,
1815 0x03, 0x00,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1816 0x00, 0x3b,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1817 0x01,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1818 0x00, 0x00, 0x37,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1819 0x03, 0x00,
1820 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1821 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1822 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1823 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1824 0x00,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1825 0x00, 0x10,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1826 0xc0, 0x09,
1827 0xc0, 0x13,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1828 0xc0, 0x0a,
1829 0xc0, 0x14,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1830 0x00, 0x2f,
1831 0x00, 0x35,
1832 0x00, 0x0a,
1833 0x00, 0xff, 0x01, 0x00,
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1834 };
1835 if (!ClientHelloMatches(SSL3_VERSION, kSSL3ClientHello,
1836 sizeof(kSSL3ClientHello))) {
1837 return false;
1838 }
1839
1840 static const uint8_t kTLS1ClientHello[] = {
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1841 0x16,
1842 0x03, 0x01,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1843 0x00, 0x5a,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1844 0x01,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1845 0x00, 0x00, 0x56,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1846 0x03, 0x01,
1847 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1848 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1849 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1850 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1851 0x00,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1852 0x00, 0x0e,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1853 0xc0, 0x09,
1854 0xc0, 0x13,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1855 0xc0, 0x0a,
1856 0xc0, 0x14,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1857 0x00, 0x2f,
1858 0x00, 0x35,
1859 0x00, 0x0a,
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1860 0x01, 0x00, 0x00, 0x1f, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x17, 0x00,
1861 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00,
1862 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18,
1863 };
1864 if (!ClientHelloMatches(TLS1_VERSION, kTLS1ClientHello,
1865 sizeof(kTLS1ClientHello))) {
1866 return false;
1867 }
1868
1869 static const uint8_t kTLS11ClientHello[] = {
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1870 0x16,
1871 0x03, 0x01,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1872 0x00, 0x5a,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1873 0x01,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1874 0x00, 0x00, 0x56,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1875 0x03, 0x02,
1876 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1877 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1878 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1879 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1880 0x00,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1881 0x00, 0x0e,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1882 0xc0, 0x09,
1883 0xc0, 0x13,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1884 0xc0, 0x0a,
1885 0xc0, 0x14,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1886 0x00, 0x2f,
1887 0x00, 0x35,
1888 0x00, 0x0a,
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1889 0x01, 0x00, 0x00, 0x1f, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x17, 0x00,
1890 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00,
1891 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18,
1892 };
1893 if (!ClientHelloMatches(TLS1_1_VERSION, kTLS11ClientHello,
1894 sizeof(kTLS11ClientHello))) {
1895 return false;
1896 }
1897
David Benjamin3b584332017-01-24 22:47:18 -0500[diff] [blame]1898 // kTLS12ClientHello assumes RSA-PSS, which is disabled for Android system
1899 // builds.
1900#if defined(BORINGSSL_ANDROID_SYSTEM)
1901 return true;
1902#endif
1903
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1904 static const uint8_t kTLS12ClientHello[] = {
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1905 0x16,
1906 0x03, 0x01,
1907 0x00, 0x8e,
1908 0x01,
1909 0x00, 0x00, 0x8a,
1910 0x03, 0x03,
David Benjamin57e929f2016-08-30 00:30:38 -0400[diff] [blame]1911 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1912 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1913 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1914 0x00, 0x2a,
1915 0xcc, 0xa9,
1916 0xcc, 0xa8,
1917 0xc0, 0x2b,
1918 0xc0, 0x2f,
1919 0xc0, 0x2c,
1920 0xc0, 0x30,
1921 0xc0, 0x09,
1922 0xc0, 0x23,
1923 0xc0, 0x13,
1924 0xc0, 0x27,
1925 0xc0, 0x0a,
1926 0xc0, 0x24,
1927 0xc0, 0x14,
1928 0xc0, 0x28,
1929 0x00, 0x9c,
1930 0x00, 0x9d,
1931 0x00, 0x2f,
1932 0x00, 0x3c,
1933 0x00, 0x35,
1934 0x00, 0x3d,
1935 0x00, 0x0a,
1936 0x01, 0x00, 0x00, 0x37, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x17, 0x00,
1937 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x14, 0x00, 0x12, 0x04,
1938 0x03, 0x08, 0x04, 0x04, 0x01, 0x05, 0x03, 0x08, 0x05, 0x05, 0x01, 0x08,
1939 0x06, 0x06, 0x01, 0x02, 0x01, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00,
1940 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18,
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1941 };
1942 if (!ClientHelloMatches(TLS1_2_VERSION, kTLS12ClientHello,
1943 sizeof(kTLS12ClientHello))) {
1944 return false;
1945 }
1946
1947 // TODO(davidben): Add a change detector for TLS 1.3 once the spec and our
1948 // implementation has settled enough that it won't change.
1949
1950 return true;
1951}
1952
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1953static bssl::UniquePtr<SSL_SESSION> g_last_session;
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]1954
1955static int SaveLastSession(SSL *ssl, SSL_SESSION *session) {
1956 // Save the most recent session.
1957 g_last_session.reset(session);
1958 return 1;
1959}
1960
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1961static bssl::UniquePtr<SSL_SESSION> CreateClientSession(SSL_CTX *client_ctx,
Steven Valdeze831a812017-03-09 14:56:07 -0500[diff] [blame]1962 SSL_CTX *server_ctx) {
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]1963 g_last_session = nullptr;
1964 SSL_CTX_sess_set_new_cb(client_ctx, SaveLastSession);
1965
1966 // Connect client and server to get a session.
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1967 bssl::UniquePtr<SSL> client, server;
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]1968 if (!ConnectClientAndServer(&client, &server, client_ctx, server_ctx,
1969 nullptr /* no session */)) {
1970 fprintf(stderr, "Failed to connect client and server.\n");
1971 return nullptr;
1972 }
1973
1974 // Run the read loop to account for post-handshake tickets in TLS 1.3.
1975 SSL_read(client.get(), nullptr, 0);
1976
1977 SSL_CTX_sess_set_new_cb(client_ctx, nullptr);
1978
1979 if (!g_last_session) {
1980 fprintf(stderr, "Client did not receive a session.\n");
1981 return nullptr;
1982 }
1983 return std::move(g_last_session);
1984}
1985
1986static bool ExpectSessionReused(SSL_CTX *client_ctx, SSL_CTX *server_ctx,
1987 SSL_SESSION *session,
1988 bool reused) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1989 bssl::UniquePtr<SSL> client, server;
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]1990 if (!ConnectClientAndServer(&client, &server, client_ctx,
1991 server_ctx, session)) {
1992 fprintf(stderr, "Failed to connect client and server.\n");
1993 return false;
1994 }
1995
1996 if (SSL_session_reused(client.get()) != SSL_session_reused(server.get())) {
1997 fprintf(stderr, "Client and server were inconsistent.\n");
1998 return false;
1999 }
2000
2001 bool was_reused = !!SSL_session_reused(client.get());
2002 if (was_reused != reused) {
2003 fprintf(stderr, "Session was%s reused, but we expected the opposite.\n",
2004 was_reused ? "" : " not");
2005 return false;
2006 }
2007
2008 return true;
2009}
2010
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]2011static bssl::UniquePtr<SSL_SESSION> ExpectSessionRenewed(SSL_CTX *client_ctx,
2012 SSL_CTX *server_ctx,
2013 SSL_SESSION *session) {
2014 g_last_session = nullptr;
2015 SSL_CTX_sess_set_new_cb(client_ctx, SaveLastSession);
2016
2017 bssl::UniquePtr<SSL> client, server;
2018 if (!ConnectClientAndServer(&client, &server, client_ctx,
2019 server_ctx, session)) {
2020 fprintf(stderr, "Failed to connect client and server.\n");
2021 return nullptr;
2022 }
2023
2024 if (SSL_session_reused(client.get()) != SSL_session_reused(server.get())) {
2025 fprintf(stderr, "Client and server were inconsistent.\n");
2026 return nullptr;
2027 }
2028
2029 if (!SSL_session_reused(client.get())) {
2030 fprintf(stderr, "Session was not reused.\n");
2031 return nullptr;
2032 }
2033
2034 // Run the read loop to account for post-handshake tickets in TLS 1.3.
2035 SSL_read(client.get(), nullptr, 0);
2036
2037 SSL_CTX_sess_set_new_cb(client_ctx, nullptr);
2038
2039 if (!g_last_session) {
2040 fprintf(stderr, "Client did not receive a renewed session.\n");
2041 return nullptr;
2042 }
2043 return std::move(g_last_session);
2044}
2045
David Benjamina933c382016-10-28 00:10:03 -0400[diff] [blame]2046static int SwitchSessionIDContextSNI(SSL *ssl, int *out_alert, void *arg) {
2047 static const uint8_t kContext[] = {3};
2048
2049 if (!SSL_set_session_id_context(ssl, kContext, sizeof(kContext))) {
2050 return SSL_TLSEXT_ERR_ALERT_FATAL;
2051 }
2052
2053 return SSL_TLSEXT_ERR_OK;
2054}
2055
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2056static bool TestSessionIDContext(bool is_dtls, const SSL_METHOD *method,
2057 uint16_t version) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2058 bssl::UniquePtr<X509> cert = GetTestCertificate();
2059 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2060 if (!cert || !key) {
2061 return false;
2062 }
2063
2064 static const uint8_t kContext1[] = {1};
2065 static const uint8_t kContext2[] = {2};
2066
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2067 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method));
2068 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method));
2069 if (!server_ctx || !client_ctx ||
2070 !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) ||
2071 !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()) ||
2072 !SSL_CTX_set_session_id_context(server_ctx.get(), kContext1,
2073 sizeof(kContext1)) ||
2074 !SSL_CTX_set_min_proto_version(client_ctx.get(), version) ||
2075 !SSL_CTX_set_max_proto_version(client_ctx.get(), version) ||
2076 !SSL_CTX_set_min_proto_version(server_ctx.get(), version) ||
2077 !SSL_CTX_set_max_proto_version(server_ctx.get(), version)) {
2078 return false;
2079 }
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2080
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2081 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
2082 SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH);
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2083
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2084 bssl::UniquePtr<SSL_SESSION> session =
2085 CreateClientSession(client_ctx.get(), server_ctx.get());
2086 if (!session) {
2087 fprintf(stderr, "Error getting session.\n");
2088 return false;
2089 }
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2090
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2091 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(),
2092 true /* expect session reused */)) {
2093 fprintf(stderr, "Error resuming session.\n");
2094 return false;
2095 }
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2096
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2097 // Change the session ID context.
2098 if (!SSL_CTX_set_session_id_context(server_ctx.get(), kContext2,
2099 sizeof(kContext2))) {
2100 return false;
2101 }
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2102
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2103 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(),
2104 false /* expect session not reused */)) {
2105 fprintf(stderr, "Error connecting with a different context.\n");
2106 return false;
2107 }
David Benjamina933c382016-10-28 00:10:03 -0400[diff] [blame]2108
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2109 // Change the session ID context back and install an SNI callback to switch
2110 // it.
2111 if (!SSL_CTX_set_session_id_context(server_ctx.get(), kContext1,
2112 sizeof(kContext1))) {
2113 return false;
2114 }
David Benjamina933c382016-10-28 00:10:03 -0400[diff] [blame]2115
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2116 SSL_CTX_set_tlsext_servername_callback(server_ctx.get(),
2117 SwitchSessionIDContextSNI);
David Benjamina933c382016-10-28 00:10:03 -0400[diff] [blame]2118
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2119 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(),
2120 false /* expect session not reused */)) {
2121 fprintf(stderr, "Error connecting with a context switch on SNI callback.\n");
2122 return false;
2123 }
David Benjamina933c382016-10-28 00:10:03 -0400[diff] [blame]2124
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2125 // Switch the session ID context with the early callback instead.
2126 SSL_CTX_set_tlsext_servername_callback(server_ctx.get(), nullptr);
Alessandro Ghedini57e81e62017-03-14 23:36:00 +0000[diff] [blame]2127 SSL_CTX_set_select_certificate_cb(
2128 server_ctx.get(),
2129 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
2130 static const uint8_t kContext[] = {3};
2131
2132 if (!SSL_set_session_id_context(client_hello->ssl, kContext,
2133 sizeof(kContext))) {
2134 return ssl_select_cert_error;
2135 }
2136
2137 return ssl_select_cert_success;
2138 });
David Benjamina933c382016-10-28 00:10:03 -0400[diff] [blame]2139
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2140 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(),
2141 false /* expect session not reused */)) {
2142 fprintf(stderr,
2143 "Error connecting with a context switch on early callback.\n");
2144 return false;
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2145 }
2146
2147 return true;
2148}
2149
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]2150static timeval g_current_time;
2151
2152static void CurrentTimeCallback(const SSL *ssl, timeval *out_clock) {
2153 *out_clock = g_current_time;
2154}
2155
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2156static void FrozenTimeCallback(const SSL *ssl, timeval *out_clock) {
2157 out_clock->tv_sec = 1000;
2158 out_clock->tv_usec = 0;
2159}
2160
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]2161static int RenewTicketCallback(SSL *ssl, uint8_t *key_name, uint8_t *iv,
2162 EVP_CIPHER_CTX *ctx, HMAC_CTX *hmac_ctx,
2163 int encrypt) {
2164 static const uint8_t kZeros[16] = {0};
2165
2166 if (encrypt) {
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]2167 OPENSSL_memcpy(key_name, kZeros, sizeof(kZeros));
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]2168 RAND_bytes(iv, 16);
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]2169 } else if (OPENSSL_memcmp(key_name, kZeros, 16) != 0) {
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]2170 return 0;
2171 }
2172
2173 if (!HMAC_Init_ex(hmac_ctx, kZeros, sizeof(kZeros), EVP_sha256(), NULL) ||
2174 !EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, kZeros, iv, encrypt)) {
2175 return -1;
2176 }
2177
2178 // Returning two from the callback in decrypt mode renews the
2179 // session in TLS 1.2 and below.
2180 return encrypt ? 1 : 2;
2181}
2182
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]2183static bool GetServerTicketTime(long *out, const SSL_SESSION *session) {
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]2184 if (session->tlsext_ticklen < 16 + 16 + SHA256_DIGEST_LENGTH) {
2185 return false;
2186 }
2187
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]2188 const uint8_t *ciphertext = session->tlsext_tick + 16 + 16;
2189 size_t len = session->tlsext_ticklen - 16 - 16 - SHA256_DIGEST_LENGTH;
2190 std::unique_ptr<uint8_t[]> plaintext(new uint8_t[len]);
2191
David Benjamin9b63f292016-11-15 00:44:05 -0500[diff] [blame]2192#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
2193 // Fuzzer-mode tickets are unencrypted.
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]2194 OPENSSL_memcpy(plaintext.get(), ciphertext, len);
David Benjamin9b63f292016-11-15 00:44:05 -0500[diff] [blame]2195#else
2196 static const uint8_t kZeros[16] = {0};
2197 const uint8_t *iv = session->tlsext_tick + 16;
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]2198 bssl::ScopedEVP_CIPHER_CTX ctx;
2199 int len1, len2;
2200 if (!EVP_DecryptInit_ex(ctx.get(), EVP_aes_128_cbc(), nullptr, kZeros, iv) ||
2201 !EVP_DecryptUpdate(ctx.get(), plaintext.get(), &len1, ciphertext, len) ||
2202 !EVP_DecryptFinal_ex(ctx.get(), plaintext.get() + len1, &len2)) {
2203 return false;
2204 }
2205
2206 len = static_cast<size_t>(len1 + len2);
David Benjamin9b63f292016-11-15 00:44:05 -0500[diff] [blame]2207#endif
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]2208
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]2209 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
2210 if (!ssl_ctx) {
2211 return false;
2212 }
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]2213 bssl::UniquePtr<SSL_SESSION> server_session(
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]2214 SSL_SESSION_from_bytes(plaintext.get(), len, ssl_ctx.get()));
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]2215 if (!server_session) {
2216 return false;
2217 }
2218
2219 *out = server_session->time;
2220 return true;
2221}
2222
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2223static bool TestSessionTimeout(bool is_dtls, const SSL_METHOD *method,
2224 uint16_t version) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2225 bssl::UniquePtr<X509> cert = GetTestCertificate();
2226 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]2227 if (!cert || !key) {
2228 return false;
2229 }
2230
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2231 for (bool server_test : std::vector<bool>{false, true}) {
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2232 static const time_t kStartTime = 1000;
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2233 g_current_time.tv_sec = kStartTime;
David Benjamin1b22f852016-10-27 16:36:32 -0400[diff] [blame]2234
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2235 // We are willing to use a longer lifetime for TLS 1.3 sessions as
2236 // resumptions still perform ECDHE.
2237 const time_t timeout = version == TLS1_3_VERSION
2238 ? SSL_DEFAULT_SESSION_PSK_DHE_TIMEOUT
2239 : SSL_DEFAULT_SESSION_TIMEOUT;
2240
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2241 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method));
2242 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method));
2243 if (!server_ctx || !client_ctx ||
2244 !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) ||
2245 !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()) ||
2246 !SSL_CTX_set_min_proto_version(client_ctx.get(), version) ||
2247 !SSL_CTX_set_max_proto_version(client_ctx.get(), version) ||
2248 !SSL_CTX_set_min_proto_version(server_ctx.get(), version) ||
2249 !SSL_CTX_set_max_proto_version(server_ctx.get(), version)) {
2250 return false;
2251 }
2252
2253 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
2254 SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH);
2255
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2256 // Both client and server must enforce session timeouts. We configure the
2257 // other side with a frozen clock so it never expires tickets.
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2258 if (server_test) {
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2259 SSL_CTX_set_current_time_cb(client_ctx.get(), FrozenTimeCallback);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2260 SSL_CTX_set_current_time_cb(server_ctx.get(), CurrentTimeCallback);
2261 } else {
2262 SSL_CTX_set_current_time_cb(client_ctx.get(), CurrentTimeCallback);
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2263 SSL_CTX_set_current_time_cb(server_ctx.get(), FrozenTimeCallback);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2264 }
2265
2266 // Configure a ticket callback which renews tickets.
2267 SSL_CTX_set_tlsext_ticket_key_cb(server_ctx.get(), RenewTicketCallback);
2268
2269 bssl::UniquePtr<SSL_SESSION> session =
2270 CreateClientSession(client_ctx.get(), server_ctx.get());
2271 if (!session) {
2272 fprintf(stderr, "Error getting session.\n");
2273 return false;
2274 }
2275
2276 // Advance the clock just behind the timeout.
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2277 g_current_time.tv_sec += timeout - 1;
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2278
2279 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(),
2280 true /* expect session reused */)) {
2281 fprintf(stderr, "Error resuming session.\n");
2282 return false;
2283 }
2284
2285 // Advance the clock one more second.
2286 g_current_time.tv_sec++;
2287
2288 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(),
2289 false /* expect session not reused */)) {
2290 fprintf(stderr, "Error resuming session.\n");
2291 return false;
2292 }
2293
2294 // Rewind the clock to before the session was minted.
2295 g_current_time.tv_sec = kStartTime - 1;
2296
2297 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(),
2298 false /* expect session not reused */)) {
2299 fprintf(stderr, "Error resuming session.\n");
2300 return false;
2301 }
2302
2303 // SSL 3.0 cannot renew sessions.
2304 if (version == SSL3_VERSION) {
2305 continue;
2306 }
2307
2308 // Renew the session 10 seconds before expiration.
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2309 time_t new_start_time = kStartTime + timeout - 10;
2310 g_current_time.tv_sec = new_start_time;
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2311 bssl::UniquePtr<SSL_SESSION> new_session =
2312 ExpectSessionRenewed(client_ctx.get(), server_ctx.get(), session.get());
2313 if (!new_session) {
2314 fprintf(stderr, "Error renewing session.\n");
2315 return false;
2316 }
2317
2318 // This new session is not the same object as before.
2319 if (session.get() == new_session.get()) {
2320 fprintf(stderr, "New and old sessions alias.\n");
2321 return false;
2322 }
2323
2324 // Check the sessions have timestamps measured from issuance.
2325 long session_time = 0;
2326 if (server_test) {
2327 if (!GetServerTicketTime(&session_time, new_session.get())) {
2328 fprintf(stderr, "Failed to decode session ticket.\n");
David Benjaminb2e2e322016-11-01 17:32:54 -0400[diff] [blame]2329 return false;
2330 }
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2331 } else {
2332 session_time = new_session->time;
2333 }
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]2334
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2335 if (session_time != g_current_time.tv_sec) {
2336 fprintf(stderr, "New session is not measured from issuance.\n");
2337 return false;
2338 }
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]2339
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2340 if (version == TLS1_3_VERSION) {
2341 // Renewal incorporates fresh key material in TLS 1.3, so we extend the
2342 // lifetime TLS 1.3.
2343 g_current_time.tv_sec = new_start_time + timeout - 1;
2344 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(),
2345 new_session.get(),
2346 true /* expect session reused */)) {
2347 fprintf(stderr, "Error resuming renewed session.\n");
2348 return false;
2349 }
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]2350
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2351 // The new session expires after the new timeout.
2352 g_current_time.tv_sec = new_start_time + timeout + 1;
2353 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(),
2354 new_session.get(),
2355 false /* expect session ot reused */)) {
2356 fprintf(stderr, "Renewed session's lifetime is too long.\n");
2357 return false;
2358 }
2359
2360 // Renew the session until it begins just past the auth timeout.
2361 time_t auth_end_time = kStartTime + SSL_DEFAULT_SESSION_AUTH_TIMEOUT;
2362 while (new_start_time < auth_end_time - 1000) {
2363 // Get as close as possible to target start time.
2364 new_start_time =
2365 std::min(auth_end_time - 1000, new_start_time + timeout - 1);
2366 g_current_time.tv_sec = new_start_time;
2367 new_session = ExpectSessionRenewed(client_ctx.get(), server_ctx.get(),
2368 new_session.get());
2369 if (!new_session) {
2370 fprintf(stderr, "Error renewing session.\n");
2371 return false;
2372 }
2373 }
2374
2375 // Now the session's lifetime is bound by the auth timeout.
2376 g_current_time.tv_sec = auth_end_time - 1;
2377 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(),
2378 new_session.get(),
2379 true /* expect session reused */)) {
2380 fprintf(stderr, "Error resuming renewed session.\n");
2381 return false;
2382 }
2383
2384 g_current_time.tv_sec = auth_end_time + 1;
2385 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(),
2386 new_session.get(),
2387 false /* expect session ot reused */)) {
2388 fprintf(stderr, "Renewed session's lifetime is too long.\n");
2389 return false;
2390 }
2391 } else {
2392 // The new session is usable just before the old expiration.
2393 g_current_time.tv_sec = kStartTime + timeout - 1;
2394 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(),
2395 new_session.get(),
2396 true /* expect session reused */)) {
2397 fprintf(stderr, "Error resuming renewed session.\n");
2398 return false;
2399 }
2400
2401 // Renewal does not extend the lifetime, so it is not usable beyond the
2402 // old expiration.
2403 g_current_time.tv_sec = kStartTime + timeout + 1;
2404 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(),
2405 new_session.get(),
2406 false /* expect session not reused */)) {
2407 fprintf(stderr, "Renewed session's lifetime is too long.\n");
2408 return false;
2409 }
David Benjamin1b22f852016-10-27 16:36:32 -0400[diff] [blame]2410 }
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]2411 }
2412
2413 return true;
2414}
2415
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2416static int SwitchContext(SSL *ssl, int *out_alert, void *arg) {
2417 SSL_CTX *ctx = reinterpret_cast<SSL_CTX*>(arg);
2418 SSL_set_SSL_CTX(ssl, ctx);
2419 return SSL_TLSEXT_ERR_OK;
2420}
2421
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2422static bool TestSNICallback(bool is_dtls, const SSL_METHOD *method,
2423 uint16_t version) {
2424 // SSL 3.0 lacks extensions.
2425 if (version == SSL3_VERSION) {
2426 return true;
2427 }
2428
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2429 bssl::UniquePtr<X509> cert = GetTestCertificate();
2430 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
2431 bssl::UniquePtr<X509> cert2 = GetECDSATestCertificate();
2432 bssl::UniquePtr<EVP_PKEY> key2 = GetECDSATestKey();
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2433 if (!cert || !key || !cert2 || !key2) {
2434 return false;
2435 }
2436
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2437 // Test that switching the |SSL_CTX| at the SNI callback behaves correctly.
2438 static const uint16_t kECDSAWithSHA256 = SSL_SIGN_ECDSA_SECP256R1_SHA256;
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2439
David Benjamin83a32122017-02-14 18:34:54 -0500[diff] [blame]2440 static const uint8_t kSCTList[] = {0, 6, 0, 4, 5, 6, 7, 8};
2441 static const uint8_t kOCSPResponse[] = {1, 2, 3, 4};
2442
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2443 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method));
2444 bssl::UniquePtr<SSL_CTX> server_ctx2(SSL_CTX_new(method));
2445 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method));
2446 if (!server_ctx || !server_ctx2 || !client_ctx ||
2447 !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) ||
2448 !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()) ||
2449 !SSL_CTX_use_certificate(server_ctx2.get(), cert2.get()) ||
2450 !SSL_CTX_use_PrivateKey(server_ctx2.get(), key2.get()) ||
David Benjamin83a32122017-02-14 18:34:54 -0500[diff] [blame]2451 !SSL_CTX_set_signed_cert_timestamp_list(server_ctx2.get(), kSCTList,
2452 sizeof(kSCTList)) ||
2453 !SSL_CTX_set_ocsp_response(server_ctx2.get(), kOCSPResponse,
2454 sizeof(kOCSPResponse)) ||
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2455 // Historically signing preferences would be lost in some cases with the
2456 // SNI callback, which triggers the TLS 1.2 SHA-1 default. To ensure
2457 // this doesn't happen when |version| is TLS 1.2, configure the private
2458 // key to only sign SHA-256.
2459 !SSL_CTX_set_signing_algorithm_prefs(server_ctx2.get(), &kECDSAWithSHA256,
2460 1) ||
2461 !SSL_CTX_set_min_proto_version(client_ctx.get(), version) ||
2462 !SSL_CTX_set_max_proto_version(client_ctx.get(), version) ||
2463 !SSL_CTX_set_min_proto_version(server_ctx.get(), version) ||
2464 !SSL_CTX_set_max_proto_version(server_ctx.get(), version) ||
2465 !SSL_CTX_set_min_proto_version(server_ctx2.get(), version) ||
2466 !SSL_CTX_set_max_proto_version(server_ctx2.get(), version)) {
2467 return false;
2468 }
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2469
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2470 SSL_CTX_set_tlsext_servername_callback(server_ctx.get(), SwitchContext);
2471 SSL_CTX_set_tlsext_servername_arg(server_ctx.get(), server_ctx2.get());
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2472
David Benjamin83a32122017-02-14 18:34:54 -0500[diff] [blame]2473 SSL_CTX_enable_signed_cert_timestamps(client_ctx.get());
2474 SSL_CTX_enable_ocsp_stapling(client_ctx.get());
2475
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2476 bssl::UniquePtr<SSL> client, server;
2477 if (!ConnectClientAndServer(&client, &server, client_ctx.get(),
2478 server_ctx.get(), nullptr)) {
2479 fprintf(stderr, "Handshake failed.\n");
2480 return false;
2481 }
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2482
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2483 // The client should have received |cert2|.
2484 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(client.get()));
2485 if (!peer || X509_cmp(peer.get(), cert2.get()) != 0) {
2486 fprintf(stderr, "Incorrect certificate received.\n");
2487 return false;
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2488 }
2489
David Benjamin83a32122017-02-14 18:34:54 -0500[diff] [blame]2490 // The client should have received |server_ctx2|'s SCT list.
2491 const uint8_t *data;
2492 size_t len;
2493 SSL_get0_signed_cert_timestamp_list(client.get(), &data, &len);
2494 if (Bytes(kSCTList) != Bytes(data, len)) {
2495 fprintf(stderr, "Incorrect SCT list received.\n");
2496 return false;
2497 }
2498
2499 // The client should have received |server_ctx2|'s OCSP response.
2500 SSL_get0_ocsp_response(client.get(), &data, &len);
2501 if (Bytes(kOCSPResponse) != Bytes(data, len)) {
2502 fprintf(stderr, "Incorrect OCSP response received.\n");
2503 return false;
2504 }
2505
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2506 return true;
2507}
2508
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2509// Test that the early callback can swap the maximum version.
2510TEST(SSLTest, EarlyCallbackVersionSwitch) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2511 bssl::UniquePtr<X509> cert = GetTestCertificate();
2512 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
2513 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
2514 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2515 ASSERT_TRUE(cert);
2516 ASSERT_TRUE(key);
2517 ASSERT_TRUE(server_ctx);
2518 ASSERT_TRUE(client_ctx);
2519 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
2520 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
2521 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION));
2522 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
David Benjamin99620572016-08-30 00:35:36 -0400[diff] [blame]2523
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2524 SSL_CTX_set_select_certificate_cb(
Alessandro Ghedini57e81e62017-03-14 23:36:00 +0000[diff] [blame]2525 server_ctx.get(),
2526 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2527 if (!SSL_set_max_proto_version(client_hello->ssl, TLS1_2_VERSION)) {
Alessandro Ghedini57e81e62017-03-14 23:36:00 +0000[diff] [blame]2528 return ssl_select_cert_error;
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2529 }
2530
Alessandro Ghedini57e81e62017-03-14 23:36:00 +0000[diff] [blame]2531 return ssl_select_cert_success;
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2532 });
David Benjamin99620572016-08-30 00:35:36 -0400[diff] [blame]2533
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2534 bssl::UniquePtr<SSL> client, server;
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2535 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
2536 server_ctx.get(), nullptr));
2537 EXPECT_EQ(TLS1_2_VERSION, SSL_version(client.get()));
David Benjamin99620572016-08-30 00:35:36 -0400[diff] [blame]2538}
2539
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2540TEST(SSLTest, SetVersion) {
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2541 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2542 ASSERT_TRUE(ctx);
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2543
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2544 // Set valid TLS versions.
2545 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_VERSION));
2546 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_1_VERSION));
2547 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_VERSION));
2548 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_1_VERSION));
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2549
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2550 // Invalid TLS versions are rejected.
2551 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), DTLS1_VERSION));
2552 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0x0200));
2553 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0x1234));
2554 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), DTLS1_VERSION));
2555 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x0200));
2556 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x1234));
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2557
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2558 // Zero is the default version.
2559 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), 0));
David Benjaminfc08dfc2017-06-20 14:39:32 -0400[diff] [blame]2560 EXPECT_EQ(TLS1_2_VERSION, ctx->conf_max_version);
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2561 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), 0));
David Benjaminfc08dfc2017-06-20 14:39:32 -0400[diff] [blame]2562 EXPECT_EQ(TLS1_VERSION, ctx->conf_min_version);
David Benjamin3cfeb952017-03-01 16:48:38 -0500[diff] [blame]2563
2564 // SSL 3.0 and TLS 1.3 are available, but not by default.
2565 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), SSL3_VERSION));
David Benjaminfc08dfc2017-06-20 14:39:32 -0400[diff] [blame]2566 EXPECT_EQ(SSL3_VERSION, ctx->conf_min_version);
David Benjamin3cfeb952017-03-01 16:48:38 -0500[diff] [blame]2567 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_3_VERSION));
David Benjaminfc08dfc2017-06-20 14:39:32 -0400[diff] [blame]2568 EXPECT_EQ(TLS1_3_VERSION, ctx->conf_max_version);
David Benjamine34bcc92016-09-21 16:53:09 -0400[diff] [blame]2569
David Benjamin353577c2017-06-29 15:54:58 -0400[diff] [blame^]2570 // TLS1_3_DRAFT_VERSION is not an API-level version.
2571 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_3_DRAFT_VERSION));
2572 ERR_clear_error();
2573
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2574 ctx.reset(SSL_CTX_new(DTLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2575 ASSERT_TRUE(ctx);
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2576
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2577 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), DTLS1_VERSION));
2578 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), DTLS1_2_VERSION));
2579 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), DTLS1_VERSION));
2580 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), DTLS1_2_VERSION));
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2581
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2582 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_VERSION));
2583 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0xfefe /* DTLS 1.1 */));
2584 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0xfffe /* DTLS 0.1 */));
2585 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0x1234));
2586 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_VERSION));
2587 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0xfefe /* DTLS 1.1 */));
2588 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0xfffe /* DTLS 0.1 */));
2589 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x1234));
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2590
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2591 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), 0));
David Benjaminfc08dfc2017-06-20 14:39:32 -0400[diff] [blame]2592 EXPECT_EQ(TLS1_2_VERSION, ctx->conf_max_version);
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2593 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), 0));
David Benjaminfc08dfc2017-06-20 14:39:32 -0400[diff] [blame]2594 EXPECT_EQ(TLS1_1_VERSION, ctx->conf_min_version);
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2595}
2596
David Benjamin458334a2016-12-15 13:53:25 -0500[diff] [blame]2597static const char *GetVersionName(uint16_t version) {
2598 switch (version) {
2599 case SSL3_VERSION:
2600 return "SSLv3";
2601 case TLS1_VERSION:
2602 return "TLSv1";
2603 case TLS1_1_VERSION:
2604 return "TLSv1.1";
2605 case TLS1_2_VERSION:
2606 return "TLSv1.2";
2607 case TLS1_3_VERSION:
2608 return "TLSv1.3";
2609 case DTLS1_VERSION:
2610 return "DTLSv1";
2611 case DTLS1_2_VERSION:
2612 return "DTLSv1.2";
2613 default:
2614 return "???";
2615 }
2616}
2617
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2618static bool TestVersion(bool is_dtls, const SSL_METHOD *method,
2619 uint16_t version) {
David Benjamincb18ac22016-09-27 14:09:15 -0400[diff] [blame]2620 bssl::UniquePtr<X509> cert = GetTestCertificate();
2621 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
2622 if (!cert || !key) {
2623 return false;
2624 }
2625
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2626 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method));
2627 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method));
2628 bssl::UniquePtr<SSL> client, server;
2629 if (!server_ctx || !client_ctx ||
2630 !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) ||
2631 !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()) ||
2632 !SSL_CTX_set_min_proto_version(client_ctx.get(), version) ||
2633 !SSL_CTX_set_max_proto_version(client_ctx.get(), version) ||
2634 !SSL_CTX_set_min_proto_version(server_ctx.get(), version) ||
2635 !SSL_CTX_set_max_proto_version(server_ctx.get(), version) ||
2636 !ConnectClientAndServer(&client, &server, client_ctx.get(),
2637 server_ctx.get(), nullptr /* no session */)) {
2638 fprintf(stderr, "Failed to connect.\n");
2639 return false;
2640 }
David Benjamincb18ac22016-09-27 14:09:15 -0400[diff] [blame]2641
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2642 if (SSL_version(client.get()) != version ||
2643 SSL_version(server.get()) != version) {
2644 fprintf(stderr, "Version mismatch. Got %04x and %04x, wanted %04x.\n",
2645 SSL_version(client.get()), SSL_version(server.get()), version);
2646 return false;
David Benjamincb18ac22016-09-27 14:09:15 -0400[diff] [blame]2647 }
2648
David Benjamin458334a2016-12-15 13:53:25 -0500[diff] [blame]2649 // Test the version name is reported as expected.
2650 const char *version_name = GetVersionName(version);
2651 if (strcmp(version_name, SSL_get_version(client.get())) != 0 ||
2652 strcmp(version_name, SSL_get_version(server.get())) != 0) {
2653 fprintf(stderr, "Version name mismatch. Got '%s' and '%s', wanted '%s'.\n",
2654 SSL_get_version(client.get()), SSL_get_version(server.get()),
2655 version_name);
2656 return false;
2657 }
2658
2659 // Test SSL_SESSION reports the same name.
2660 const char *client_name =
2661 SSL_SESSION_get_version(SSL_get_session(client.get()));
2662 const char *server_name =
2663 SSL_SESSION_get_version(SSL_get_session(server.get()));
2664 if (strcmp(version_name, client_name) != 0 ||
2665 strcmp(version_name, server_name) != 0) {
2666 fprintf(stderr,
2667 "Session version name mismatch. Got '%s' and '%s', wanted '%s'.\n",
2668 client_name, server_name, version_name);
2669 return false;
2670 }
2671
David Benjamincb18ac22016-09-27 14:09:15 -0400[diff] [blame]2672 return true;
2673}
2674
David Benjamin9ef31f02016-10-31 18:01:13 -0400[diff] [blame]2675// Tests that that |SSL_get_pending_cipher| is available during the ALPN
2676// selection callback.
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2677static bool TestALPNCipherAvailable(bool is_dtls, const SSL_METHOD *method,
2678 uint16_t version) {
2679 // SSL 3.0 lacks extensions.
2680 if (version == SSL3_VERSION) {
2681 return true;
2682 }
2683
David Benjamin9ef31f02016-10-31 18:01:13 -0400[diff] [blame]2684 static const uint8_t kALPNProtos[] = {0x03, 'f', 'o', 'o'};
2685
2686 bssl::UniquePtr<X509> cert = GetTestCertificate();
2687 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
2688 if (!cert || !key) {
2689 return false;
2690 }
2691
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2692 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method));
2693 if (!ctx || !SSL_CTX_use_certificate(ctx.get(), cert.get()) ||
2694 !SSL_CTX_use_PrivateKey(ctx.get(), key.get()) ||
2695 !SSL_CTX_set_min_proto_version(ctx.get(), version) ||
2696 !SSL_CTX_set_max_proto_version(ctx.get(), version) ||
2697 SSL_CTX_set_alpn_protos(ctx.get(), kALPNProtos, sizeof(kALPNProtos)) !=
2698 0) {
2699 return false;
2700 }
2701
2702 // The ALPN callback does not fail the handshake on error, so have the
2703 // callback write a boolean.
2704 std::pair<uint16_t, bool> callback_state(version, false);
2705 SSL_CTX_set_alpn_select_cb(
2706 ctx.get(),
2707 [](SSL *ssl, const uint8_t **out, uint8_t *out_len, const uint8_t *in,
2708 unsigned in_len, void *arg) -> int {
2709 auto state = reinterpret_cast<std::pair<uint16_t, bool> *>(arg);
2710 if (SSL_get_pending_cipher(ssl) != nullptr &&
2711 SSL_version(ssl) == state->first) {
2712 state->second = true;
2713 }
2714 return SSL_TLSEXT_ERR_NOACK;
2715 },
2716 &callback_state);
2717
2718 bssl::UniquePtr<SSL> client, server;
2719 if (!ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
2720 nullptr /* no session */)) {
2721 return false;
2722 }
2723
2724 if (!callback_state.second) {
2725 fprintf(stderr, "The pending cipher was not known in the ALPN callback.\n");
2726 return false;
2727 }
2728
2729 return true;
2730}
2731
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]2732static bool TestSSLClearSessionResumption(bool is_dtls,
2733 const SSL_METHOD *method,
2734 uint16_t version) {
2735 // Skip this for TLS 1.3. TLS 1.3's ticket mechanism is incompatible with this
2736 // API pattern.
2737 if (version == TLS1_3_VERSION) {
2738 return true;
2739 }
2740
2741 bssl::UniquePtr<X509> cert = GetTestCertificate();
2742 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
2743 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method));
2744 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method));
2745 if (!cert || !key || !server_ctx || !client_ctx ||
2746 !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) ||
2747 !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()) ||
2748 !SSL_CTX_set_min_proto_version(client_ctx.get(), version) ||
2749 !SSL_CTX_set_max_proto_version(client_ctx.get(), version) ||
2750 !SSL_CTX_set_min_proto_version(server_ctx.get(), version) ||
2751 !SSL_CTX_set_max_proto_version(server_ctx.get(), version)) {
2752 return false;
2753 }
2754
2755 // Connect a client and a server.
2756 bssl::UniquePtr<SSL> client, server;
2757 if (!ConnectClientAndServer(&client, &server, client_ctx.get(),
2758 server_ctx.get(), nullptr /* no session */)) {
2759 return false;
2760 }
2761
2762 if (SSL_session_reused(client.get()) ||
2763 SSL_session_reused(server.get())) {
2764 fprintf(stderr, "Session unexpectedly reused.\n");
2765 return false;
2766 }
2767
2768 // Reset everything.
2769 if (!SSL_clear(client.get()) ||
2770 !SSL_clear(server.get())) {
2771 fprintf(stderr, "SSL_clear failed.\n");
2772 return false;
2773 }
2774
2775 // Attempt to connect a second time.
2776 if (!CompleteHandshakes(client.get(), server.get())) {
2777 fprintf(stderr, "Could not reuse SSL objects.\n");
2778 return false;
2779 }
2780
2781 // |SSL_clear| should implicitly offer the previous session to the server.
2782 if (!SSL_session_reused(client.get()) ||
2783 !SSL_session_reused(server.get())) {
2784 fprintf(stderr, "Session was not reused in second try.\n");
2785 return false;
2786 }
2787
2788 return true;
2789}
2790
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]2791static bool ChainsEqual(STACK_OF(X509) *chain,
2792 const std::vector<X509 *> &expected) {
2793 if (sk_X509_num(chain) != expected.size()) {
2794 return false;
2795 }
2796
2797 for (size_t i = 0; i < expected.size(); i++) {
2798 if (X509_cmp(sk_X509_value(chain, i), expected[i]) != 0) {
2799 return false;
2800 }
2801 }
2802
2803 return true;
2804}
2805
2806static bool TestAutoChain(bool is_dtls, const SSL_METHOD *method,
2807 uint16_t version) {
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]2808 bssl::UniquePtr<X509> cert = GetChainTestCertificate();
2809 bssl::UniquePtr<X509> intermediate = GetChainTestIntermediate();
2810 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
2811 if (!cert || !intermediate || !key) {
2812 return false;
2813 }
2814
2815 // Configure both client and server to accept any certificate. Add
2816 // |intermediate| to the cert store.
2817 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method));
2818 if (!ctx ||
2819 !SSL_CTX_use_certificate(ctx.get(), cert.get()) ||
2820 !SSL_CTX_use_PrivateKey(ctx.get(), key.get()) ||
2821 !SSL_CTX_set_min_proto_version(ctx.get(), version) ||
2822 !SSL_CTX_set_max_proto_version(ctx.get(), version) ||
2823 !X509_STORE_add_cert(SSL_CTX_get_cert_store(ctx.get()),
2824 intermediate.get())) {
2825 return false;
2826 }
2827 SSL_CTX_set_verify(
2828 ctx.get(), SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nullptr);
2829 SSL_CTX_set_cert_verify_callback(ctx.get(), VerifySucceed, NULL);
2830
2831 // By default, the client and server should each only send the leaf.
2832 bssl::UniquePtr<SSL> client, server;
2833 if (!ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
2834 nullptr /* no session */)) {
2835 return false;
2836 }
2837
2838 if (!ChainsEqual(SSL_get_peer_full_cert_chain(client.get()), {cert.get()})) {
2839 fprintf(stderr, "Client-received chain did not match.\n");
2840 return false;
2841 }
2842
2843 if (!ChainsEqual(SSL_get_peer_full_cert_chain(server.get()), {cert.get()})) {
2844 fprintf(stderr, "Server-received chain did not match.\n");
2845 return false;
2846 }
2847
2848 // If auto-chaining is enabled, then the intermediate is sent.
2849 SSL_CTX_clear_mode(ctx.get(), SSL_MODE_NO_AUTO_CHAIN);
2850 if (!ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
2851 nullptr /* no session */)) {
2852 return false;
2853 }
2854
2855 if (!ChainsEqual(SSL_get_peer_full_cert_chain(client.get()),
2856 {cert.get(), intermediate.get()})) {
2857 fprintf(stderr, "Client-received chain did not match (auto-chaining).\n");
2858 return false;
2859 }
2860
2861 if (!ChainsEqual(SSL_get_peer_full_cert_chain(server.get()),
2862 {cert.get(), intermediate.get()})) {
2863 fprintf(stderr, "Server-received chain did not match (auto-chaining).\n");
2864 return false;
2865 }
2866
2867 // Auto-chaining does not override explicitly-configured intermediates.
2868 if (!SSL_CTX_add1_chain_cert(ctx.get(), cert.get()) ||
2869 !ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
2870 nullptr /* no session */)) {
2871 return false;
2872 }
2873
2874 if (!ChainsEqual(SSL_get_peer_full_cert_chain(client.get()),
2875 {cert.get(), cert.get()})) {
2876 fprintf(stderr,
2877 "Client-received chain did not match (auto-chaining, explicit "
2878 "intermediate).\n");
2879 return false;
2880 }
2881
2882 if (!ChainsEqual(SSL_get_peer_full_cert_chain(server.get()),
2883 {cert.get(), cert.get()})) {
2884 fprintf(stderr,
2885 "Server-received chain did not match (auto-chaining, explicit "
2886 "intermediate).\n");
2887 return false;
2888 }
2889
2890 return true;
2891}
2892
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]2893static bool ExpectBadWriteRetry() {
2894 int err = ERR_get_error();
2895 if (ERR_GET_LIB(err) != ERR_LIB_SSL ||
2896 ERR_GET_REASON(err) != SSL_R_BAD_WRITE_RETRY) {
2897 char buf[ERR_ERROR_STRING_BUF_LEN];
2898 ERR_error_string_n(err, buf, sizeof(buf));
2899 fprintf(stderr, "Wanted SSL_R_BAD_WRITE_RETRY, got: %s.\n", buf);
2900 return false;
2901 }
2902
2903 if (ERR_peek_error() != 0) {
2904 fprintf(stderr, "Unexpected error following SSL_R_BAD_WRITE_RETRY.\n");
2905 return false;
2906 }
2907
2908 return true;
2909}
2910
2911static bool TestSSLWriteRetry(bool is_dtls, const SSL_METHOD *method,
2912 uint16_t version) {
2913 if (is_dtls) {
2914 return true;
2915 }
2916
2917 for (bool enable_partial_write : std::vector<bool>{false, true}) {
2918 // Connect a client and server.
2919 bssl::UniquePtr<X509> cert = GetTestCertificate();
2920 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
2921 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method));
2922 bssl::UniquePtr<SSL> client, server;
2923 if (!cert || !key || !ctx ||
2924 !SSL_CTX_use_certificate(ctx.get(), cert.get()) ||
2925 !SSL_CTX_use_PrivateKey(ctx.get(), key.get()) ||
2926 !SSL_CTX_set_min_proto_version(ctx.get(), version) ||
2927 !SSL_CTX_set_max_proto_version(ctx.get(), version) ||
2928 !ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
2929 nullptr /* no session */)) {
2930 return false;
2931 }
2932
2933 if (enable_partial_write) {
2934 SSL_set_mode(client.get(), SSL_MODE_ENABLE_PARTIAL_WRITE);
2935 }
2936
2937 // Write without reading until the buffer is full and we have an unfinished
2938 // write. Keep a count so we may reread it again later. "hello!" will be
2939 // written in two chunks, "hello" and "!".
2940 char data[] = "hello!";
2941 static const int kChunkLen = 5; // The length of "hello".
2942 unsigned count = 0;
2943 for (;;) {
2944 int ret = SSL_write(client.get(), data, kChunkLen);
2945 if (ret <= 0) {
2946 int err = SSL_get_error(client.get(), ret);
2947 if (SSL_get_error(client.get(), ret) == SSL_ERROR_WANT_WRITE) {
2948 break;
2949 }
2950 fprintf(stderr, "SSL_write failed in unexpected way: %d\n", err);
2951 return false;
2952 }
2953
2954 if (ret != 5) {
2955 fprintf(stderr, "SSL_write wrote %d bytes, expected 5.\n", ret);
2956 return false;
2957 }
2958
2959 count++;
2960 }
2961
2962 // Retrying with the same parameters is legal.
2963 if (SSL_get_error(client.get(), SSL_write(client.get(), data, kChunkLen)) !=
2964 SSL_ERROR_WANT_WRITE) {
2965 fprintf(stderr, "SSL_write retry unexpectedly failed.\n");
2966 return false;
2967 }
2968
2969 // Retrying with the same buffer but shorter length is not legal.
2970 if (SSL_get_error(client.get(),
2971 SSL_write(client.get(), data, kChunkLen - 1)) !=
2972 SSL_ERROR_SSL ||
2973 !ExpectBadWriteRetry()) {
2974 fprintf(stderr, "SSL_write retry did not fail as expected.\n");
2975 return false;
2976 }
2977
2978 // Retrying with a different buffer pointer is not legal.
2979 char data2[] = "hello";
2980 if (SSL_get_error(client.get(), SSL_write(client.get(), data2,
2981 kChunkLen)) != SSL_ERROR_SSL ||
2982 !ExpectBadWriteRetry()) {
2983 fprintf(stderr, "SSL_write retry did not fail as expected.\n");
2984 return false;
2985 }
2986
2987 // With |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER|, the buffer may move.
2988 SSL_set_mode(client.get(), SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
2989 if (SSL_get_error(client.get(),
2990 SSL_write(client.get(), data2, kChunkLen)) !=
2991 SSL_ERROR_WANT_WRITE) {
2992 fprintf(stderr, "SSL_write retry unexpectedly failed.\n");
2993 return false;
2994 }
2995
2996 // |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER| does not disable length checks.
2997 if (SSL_get_error(client.get(),
2998 SSL_write(client.get(), data2, kChunkLen - 1)) !=
2999 SSL_ERROR_SSL ||
3000 !ExpectBadWriteRetry()) {
3001 fprintf(stderr, "SSL_write retry did not fail as expected.\n");
3002 return false;
3003 }
3004
3005 // Retrying with a larger buffer is legal.
3006 if (SSL_get_error(client.get(),
3007 SSL_write(client.get(), data, kChunkLen + 1)) !=
3008 SSL_ERROR_WANT_WRITE) {
3009 fprintf(stderr, "SSL_write retry unexpectedly failed.\n");
3010 return false;
3011 }
3012
3013 // Drain the buffer.
3014 char buf[20];
3015 for (unsigned i = 0; i < count; i++) {
3016 if (SSL_read(server.get(), buf, sizeof(buf)) != kChunkLen ||
3017 OPENSSL_memcmp(buf, "hello", kChunkLen) != 0) {
3018 fprintf(stderr, "Failed to read initial records.\n");
3019 return false;
3020 }
3021 }
3022
3023 // Now that there is space, a retry with a larger buffer should flush the
3024 // pending record, skip over that many bytes of input (on assumption they
3025 // are the same), and write the remainder. If SSL_MODE_ENABLE_PARTIAL_WRITE
3026 // is set, this will complete in two steps.
3027 char data3[] = "_____!";
3028 if (enable_partial_write) {
3029 if (SSL_write(client.get(), data3, kChunkLen + 1) != kChunkLen ||
3030 SSL_write(client.get(), data3 + kChunkLen, 1) != 1) {
3031 fprintf(stderr, "SSL_write retry failed.\n");
3032 return false;
3033 }
3034 } else if (SSL_write(client.get(), data3, kChunkLen + 1) != kChunkLen + 1) {
3035 fprintf(stderr, "SSL_write retry failed.\n");
3036 return false;
3037 }
3038
3039 // Check the last write was correct. The data will be spread over two
3040 // records, so SSL_read returns twice.
3041 if (SSL_read(server.get(), buf, sizeof(buf)) != kChunkLen ||
3042 OPENSSL_memcmp(buf, "hello", kChunkLen) != 0 ||
3043 SSL_read(server.get(), buf, sizeof(buf)) != 1 ||
3044 buf[0] != '!') {
3045 fprintf(stderr, "Failed to read write retry.\n");
3046 return false;
3047 }
3048 }
3049
3050 return true;
3051}
3052
David Benjamin5df5be12017-06-22 19:43:11 -0400[diff] [blame]3053static bool TestRecordCallback(bool is_dtls, const SSL_METHOD *method,
3054 uint16_t version) {
3055 bssl::UniquePtr<X509> cert = GetChainTestCertificate();
3056 bssl::UniquePtr<X509> intermediate = GetChainTestIntermediate();
3057 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
3058 if (!cert || !intermediate || !key) {
3059 return false;
3060 }
3061
3062 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method));
3063 if (!ctx ||
3064 !SSL_CTX_use_certificate(ctx.get(), cert.get()) ||
3065 !SSL_CTX_use_PrivateKey(ctx.get(), key.get()) ||
3066 !SSL_CTX_set_min_proto_version(ctx.get(), version) ||
3067 !SSL_CTX_set_max_proto_version(ctx.get(), version)) {
3068 return false;
3069 }
3070
3071 bool read_seen = false;
3072 bool write_seen = false;
3073 auto cb = [&](int is_write, int cb_version, int cb_type, const void *buf,
3074 size_t len, SSL *ssl) {
3075 if (cb_type != SSL3_RT_HEADER) {
3076 return;
3077 }
3078
3079 // The callback does not report a version for records.
3080 EXPECT_EQ(0, cb_version);
3081
3082 if (is_write) {
3083 write_seen = true;
3084 } else {
3085 read_seen = true;
3086 }
3087
3088 // Sanity-check that the record header is plausible.
3089 CBS cbs;
3090 CBS_init(&cbs, reinterpret_cast<const uint8_t *>(buf), len);
3091 uint8_t type;
3092 uint16_t record_version, length;
3093 ASSERT_TRUE(CBS_get_u8(&cbs, &type));
3094 ASSERT_TRUE(CBS_get_u16(&cbs, &record_version));
3095 EXPECT_TRUE(record_version == version ||
3096 record_version == (is_dtls ? DTLS1_VERSION : TLS1_VERSION))
3097 << "Invalid record version: " << record_version;
3098 if (is_dtls) {
3099 uint16_t epoch;
3100 ASSERT_TRUE(CBS_get_u16(&cbs, &epoch));
3101 EXPECT_TRUE(epoch == 0 || epoch == 1) << "Invalid epoch: " << epoch;
3102 ASSERT_TRUE(CBS_skip(&cbs, 6));
3103 }
3104 ASSERT_TRUE(CBS_get_u16(&cbs, &length));
3105 EXPECT_EQ(0u, CBS_len(&cbs));
3106 };
3107 using CallbackType = decltype(cb);
3108 SSL_CTX_set_msg_callback(
3109 ctx.get(), [](int is_write, int cb_version, int cb_type, const void *buf,
3110 size_t len, SSL *ssl, void *arg) {
3111 CallbackType *cb_ptr = reinterpret_cast<CallbackType *>(arg);
3112 (*cb_ptr)(is_write, cb_version, cb_type, buf, len, ssl);
3113 });
3114 SSL_CTX_set_msg_callback_arg(ctx.get(), &cb);
3115
3116 bssl::UniquePtr<SSL> client, server;
3117 if (!ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
3118 nullptr /* no session */)) {
3119 return false;
3120 }
3121
3122 EXPECT_TRUE(read_seen);
3123 EXPECT_TRUE(write_seen);
3124 return true;
3125}
3126
3127
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3128static bool ForEachVersion(bool (*test_func)(bool is_dtls,
3129 const SSL_METHOD *method,
3130 uint16_t version)) {
3131 static uint16_t kTLSVersions[] = {
David Benjamin3b584332017-01-24 22:47:18 -0500[diff] [blame]3132 SSL3_VERSION,
3133 TLS1_VERSION,
3134 TLS1_1_VERSION,
3135 TLS1_2_VERSION,
3136// TLS 1.3 requires RSA-PSS, which is disabled for Android system builds.
3137#if !defined(BORINGSSL_ANDROID_SYSTEM)
3138 TLS1_3_VERSION,
3139#endif
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3140 };
3141
3142 static uint16_t kDTLSVersions[] = {
3143 DTLS1_VERSION, DTLS1_2_VERSION,
3144 };
3145
David Benjamin9ef31f02016-10-31 18:01:13 -0400[diff] [blame]3146 for (uint16_t version : kTLSVersions) {
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3147 if (!test_func(false, TLS_method(), version)) {
3148 fprintf(stderr, "Test failed at TLS version %04x.\n", version);
David Benjamin9ef31f02016-10-31 18:01:13 -0400[diff] [blame]3149 return false;
3150 }
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3151 }
David Benjamin9ef31f02016-10-31 18:01:13 -0400[diff] [blame]3152
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3153 for (uint16_t version : kDTLSVersions) {
3154 if (!test_func(true, DTLS_method(), version)) {
3155 fprintf(stderr, "Test failed at DTLS version %04x.\n", version);
David Benjamin9ef31f02016-10-31 18:01:13 -0400[diff] [blame]3156 return false;
3157 }
3158 }
3159
3160 return true;
3161}
3162
Adam Langleye1e78132017-01-31 15:24:31 -0800[diff] [blame]3163TEST(SSLTest, AddChainCertHack) {
3164 // Ensure that we don't accidently break the hack that we have in place to
3165 // keep curl and serf happy when they use an |X509| even after transfering
3166 // ownership.
3167
3168 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
3169 ASSERT_TRUE(ctx);
3170 X509 *cert = GetTestCertificate().release();
3171 ASSERT_TRUE(cert);
3172 SSL_CTX_add0_chain_cert(ctx.get(), cert);
3173
3174 // This should not trigger a use-after-free.
3175 X509_cmp(cert, cert);
3176}
3177
David Benjaminb2ff2622017-02-03 17:06:18 -0500[diff] [blame]3178TEST(SSLTest, GetCertificate) {
3179 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
3180 ASSERT_TRUE(ctx);
3181 bssl::UniquePtr<X509> cert = GetTestCertificate();
3182 ASSERT_TRUE(cert);
3183 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), cert.get()));
3184 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
3185 ASSERT_TRUE(ssl);
3186
3187 X509 *cert2 = SSL_CTX_get0_certificate(ctx.get());
3188 ASSERT_TRUE(cert2);
3189 X509 *cert3 = SSL_get_certificate(ssl.get());
3190 ASSERT_TRUE(cert3);
3191
3192 // The old and new certificates must be identical.
3193 EXPECT_EQ(0, X509_cmp(cert.get(), cert2));
3194 EXPECT_EQ(0, X509_cmp(cert.get(), cert3));
3195
3196 uint8_t *der = nullptr;
3197 long der_len = i2d_X509(cert.get(), &der);
3198 ASSERT_LT(0, der_len);
3199 bssl::UniquePtr<uint8_t> free_der(der);
3200
3201 uint8_t *der2 = nullptr;
3202 long der2_len = i2d_X509(cert2, &der2);
3203 ASSERT_LT(0, der2_len);
3204 bssl::UniquePtr<uint8_t> free_der2(der2);
3205
3206 uint8_t *der3 = nullptr;
3207 long der3_len = i2d_X509(cert3, &der3);
3208 ASSERT_LT(0, der3_len);
3209 bssl::UniquePtr<uint8_t> free_der3(der3);
3210
3211 // They must also encode identically.
David Benjamin7d7554b2017-02-04 11:48:59 -0500[diff] [blame]3212 EXPECT_EQ(Bytes(der, der_len), Bytes(der2, der2_len));
3213 EXPECT_EQ(Bytes(der, der_len), Bytes(der3, der3_len));
David Benjaminb2ff2622017-02-03 17:06:18 -0500[diff] [blame]3214}
3215
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]3216TEST(SSLTest, SetChainAndKeyMismatch) {
3217 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_with_buffers_method()));
3218 ASSERT_TRUE(ctx);
3219
3220 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
3221 ASSERT_TRUE(key);
3222 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
3223 ASSERT_TRUE(leaf);
3224 std::vector<CRYPTO_BUFFER*> chain = {
3225 leaf.get(),
3226 };
3227
3228 // Should fail because |GetTestKey| doesn't match the chain-test certificate.
3229 ASSERT_FALSE(SSL_CTX_set_chain_and_key(ctx.get(), &chain[0], chain.size(),
3230 key.get(), nullptr));
3231 ERR_clear_error();
3232}
3233
3234TEST(SSLTest, SetChainAndKey) {
3235 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method()));
3236 ASSERT_TRUE(client_ctx);
3237 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_with_buffers_method()));
3238 ASSERT_TRUE(server_ctx);
3239
3240 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
3241 ASSERT_TRUE(key);
3242 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
3243 ASSERT_TRUE(leaf);
3244 bssl::UniquePtr<CRYPTO_BUFFER> intermediate =
3245 GetChainTestIntermediateBuffer();
3246 ASSERT_TRUE(intermediate);
3247 std::vector<CRYPTO_BUFFER*> chain = {
3248 leaf.get(), intermediate.get(),
3249 };
3250 ASSERT_TRUE(SSL_CTX_set_chain_and_key(server_ctx.get(), &chain[0],
3251 chain.size(), key.get(), nullptr));
3252
3253 SSL_CTX_i_promise_to_verify_certs_after_the_handshake(client_ctx.get());
3254
3255 bssl::UniquePtr<SSL> client, server;
3256 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
3257 server_ctx.get(),
3258 nullptr /* no session */));
3259}
3260
David Benjamin91222b82017-03-09 20:10:56 -0500[diff] [blame]3261// Configuring the empty cipher list, though an error, should still modify the
3262// configuration.
3263TEST(SSLTest, EmptyCipherList) {
3264 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
3265 ASSERT_TRUE(ctx);
3266
3267 // Initially, the cipher list is not empty.
3268 EXPECT_NE(0u, sk_SSL_CIPHER_num(SSL_CTX_get_ciphers(ctx.get())));
3269
3270 // Configuring the empty cipher list fails.
3271 EXPECT_FALSE(SSL_CTX_set_cipher_list(ctx.get(), ""));
3272 ERR_clear_error();
3273
3274 // But the cipher list is still updated to empty.
3275 EXPECT_EQ(0u, sk_SSL_CIPHER_num(SSL_CTX_get_ciphers(ctx.get())));
3276}
3277
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]3278// ssl_test_ticket_aead_failure_mode enumerates the possible ways in which the
3279// test |SSL_TICKET_AEAD_METHOD| can fail.
3280enum ssl_test_ticket_aead_failure_mode {
3281 ssl_test_ticket_aead_ok = 0,
3282 ssl_test_ticket_aead_seal_fail,
3283 ssl_test_ticket_aead_open_soft_fail,
3284 ssl_test_ticket_aead_open_hard_fail,
3285};
3286
3287struct ssl_test_ticket_aead_state {
3288 unsigned retry_count;
3289 ssl_test_ticket_aead_failure_mode failure_mode;
3290};
3291
3292static int ssl_test_ticket_aead_ex_index_dup(CRYPTO_EX_DATA *to,
3293 const CRYPTO_EX_DATA *from,
3294 void **from_d, int index,
3295 long argl, void *argp) {
3296 abort();
3297}
3298
3299static void ssl_test_ticket_aead_ex_index_free(void *parent, void *ptr,
3300 CRYPTO_EX_DATA *ad, int index,
3301 long argl, void *argp) {
3302 auto state = reinterpret_cast<ssl_test_ticket_aead_state*>(ptr);
3303 if (state == nullptr) {
3304 return;
3305 }
3306
3307 OPENSSL_free(state);
3308}
3309
3310static CRYPTO_once_t g_ssl_test_ticket_aead_ex_index_once = CRYPTO_ONCE_INIT;
3311static int g_ssl_test_ticket_aead_ex_index;
3312
3313static int ssl_test_ticket_aead_get_ex_index() {
3314 CRYPTO_once(&g_ssl_test_ticket_aead_ex_index_once, [] {
3315 g_ssl_test_ticket_aead_ex_index = SSL_get_ex_new_index(
3316 0, nullptr, nullptr, ssl_test_ticket_aead_ex_index_dup,
3317 ssl_test_ticket_aead_ex_index_free);
3318 });
3319 return g_ssl_test_ticket_aead_ex_index;
3320}
3321
3322static size_t ssl_test_ticket_aead_max_overhead(SSL *ssl) {
3323 return 1;
3324}
3325
3326static int ssl_test_ticket_aead_seal(SSL *ssl, uint8_t *out, size_t *out_len,
3327 size_t max_out_len, const uint8_t *in,
3328 size_t in_len) {
3329 auto state = reinterpret_cast<ssl_test_ticket_aead_state *>(
3330 SSL_get_ex_data(ssl, ssl_test_ticket_aead_get_ex_index()));
3331
3332 if (state->failure_mode == ssl_test_ticket_aead_seal_fail ||
3333 max_out_len < in_len + 1) {
3334 return 0;
3335 }
3336
3337 OPENSSL_memmove(out, in, in_len);
3338 out[in_len] = 0xff;
3339 *out_len = in_len + 1;
3340
3341 return 1;
3342}
3343
3344static ssl_ticket_aead_result_t ssl_test_ticket_aead_open(
3345 SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out_len,
3346 const uint8_t *in, size_t in_len) {
3347 auto state = reinterpret_cast<ssl_test_ticket_aead_state *>(
3348 SSL_get_ex_data(ssl, ssl_test_ticket_aead_get_ex_index()));
3349
3350 if (state->retry_count > 0) {
3351 state->retry_count--;
3352 return ssl_ticket_aead_retry;
3353 }
3354
3355 switch (state->failure_mode) {
3356 case ssl_test_ticket_aead_ok:
3357 break;
3358 case ssl_test_ticket_aead_seal_fail:
3359 // If |seal| failed then there shouldn't be any ticket to try and
3360 // decrypt.
3361 abort();
3362 break;
3363 case ssl_test_ticket_aead_open_soft_fail:
3364 return ssl_ticket_aead_ignore_ticket;
3365 case ssl_test_ticket_aead_open_hard_fail:
3366 return ssl_ticket_aead_error;
3367 }
3368
3369 if (in_len == 0 || in[in_len - 1] != 0xff) {
3370 return ssl_ticket_aead_ignore_ticket;
3371 }
3372
3373 if (max_out_len < in_len - 1) {
3374 return ssl_ticket_aead_error;
3375 }
3376
3377 OPENSSL_memmove(out, in, in_len - 1);
3378 *out_len = in_len - 1;
3379 return ssl_ticket_aead_success;
3380}
3381
3382static const SSL_TICKET_AEAD_METHOD kSSLTestTicketMethod = {
3383 ssl_test_ticket_aead_max_overhead,
3384 ssl_test_ticket_aead_seal,
3385 ssl_test_ticket_aead_open,
3386};
3387
3388static void ConnectClientAndServerWithTicketMethod(
3389 bssl::UniquePtr<SSL> *out_client, bssl::UniquePtr<SSL> *out_server,
3390 SSL_CTX *client_ctx, SSL_CTX *server_ctx, unsigned retry_count,
3391 ssl_test_ticket_aead_failure_mode failure_mode, SSL_SESSION *session) {
3392 bssl::UniquePtr<SSL> client(SSL_new(client_ctx)), server(SSL_new(server_ctx));
3393 ASSERT_TRUE(client);
3394 ASSERT_TRUE(server);
3395 SSL_set_connect_state(client.get());
3396 SSL_set_accept_state(server.get());
3397
3398 auto state = reinterpret_cast<ssl_test_ticket_aead_state *>(
3399 OPENSSL_malloc(sizeof(ssl_test_ticket_aead_state)));
3400 ASSERT_TRUE(state);
3401 OPENSSL_memset(state, 0, sizeof(ssl_test_ticket_aead_state));
3402 state->retry_count = retry_count;
3403 state->failure_mode = failure_mode;
3404
3405 ASSERT_TRUE(SSL_set_ex_data(server.get(), ssl_test_ticket_aead_get_ex_index(),
3406 state));
3407
3408 SSL_set_session(client.get(), session);
3409
3410 BIO *bio1, *bio2;
3411 ASSERT_TRUE(BIO_new_bio_pair(&bio1, 0, &bio2, 0));
3412
3413 // SSL_set_bio takes ownership.
3414 SSL_set_bio(client.get(), bio1, bio1);
3415 SSL_set_bio(server.get(), bio2, bio2);
3416
3417 if (CompleteHandshakes(client.get(), server.get())) {
3418 *out_client = std::move(client);
3419 *out_server = std::move(server);
3420 } else {
3421 out_client->reset();
3422 out_server->reset();
3423 }
3424}
3425
3426class TicketAEADMethodTest
3427 : public ::testing::TestWithParam<testing::tuple<
3428 uint16_t, unsigned, ssl_test_ticket_aead_failure_mode>> {};
3429
3430TEST_P(TicketAEADMethodTest, Resume) {
3431 bssl::UniquePtr<X509> cert = GetTestCertificate();
3432 ASSERT_TRUE(cert);
3433 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
3434 ASSERT_TRUE(key);
3435
3436 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
3437 ASSERT_TRUE(server_ctx);
3438 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
3439 ASSERT_TRUE(client_ctx);
3440
3441 const uint16_t version = testing::get<0>(GetParam());
3442 const unsigned retry_count = testing::get<1>(GetParam());
3443 const ssl_test_ticket_aead_failure_mode failure_mode =
3444 testing::get<2>(GetParam());
3445
3446 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
3447 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
3448 ASSERT_TRUE(SSL_CTX_set_min_proto_version(client_ctx.get(), version));
3449 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), version));
3450 ASSERT_TRUE(SSL_CTX_set_min_proto_version(server_ctx.get(), version));
3451 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), version));
3452
3453 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
3454 SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH);
3455 SSL_CTX_set_current_time_cb(client_ctx.get(), FrozenTimeCallback);
3456 SSL_CTX_set_current_time_cb(server_ctx.get(), FrozenTimeCallback);
David Benjamin707af292017-03-10 17:47:18 -0500[diff] [blame]3457 SSL_CTX_sess_set_new_cb(client_ctx.get(), SaveLastSession);
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]3458
3459 SSL_CTX_set_ticket_aead_method(server_ctx.get(), &kSSLTestTicketMethod);
3460
3461 bssl::UniquePtr<SSL> client, server;
3462 ConnectClientAndServerWithTicketMethod(&client, &server, client_ctx.get(),
3463 server_ctx.get(), retry_count,
3464 failure_mode, nullptr);
3465 switch (failure_mode) {
3466 case ssl_test_ticket_aead_ok:
3467 case ssl_test_ticket_aead_open_hard_fail:
3468 case ssl_test_ticket_aead_open_soft_fail:
3469 ASSERT_TRUE(client);
3470 break;
3471 case ssl_test_ticket_aead_seal_fail:
3472 EXPECT_FALSE(client);
3473 return;
3474 }
3475 EXPECT_FALSE(SSL_session_reused(client.get()));
3476 EXPECT_FALSE(SSL_session_reused(server.get()));
3477
David Benjamin707af292017-03-10 17:47:18 -0500[diff] [blame]3478 // Run the read loop to account for post-handshake tickets in TLS 1.3.
3479 SSL_read(client.get(), nullptr, 0);
3480
3481 bssl::UniquePtr<SSL_SESSION> session = std::move(g_last_session);
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]3482 ConnectClientAndServerWithTicketMethod(&client, &server, client_ctx.get(),
3483 server_ctx.get(), retry_count,
David Benjamin707af292017-03-10 17:47:18 -0500[diff] [blame]3484 failure_mode, session.get());
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]3485 switch (failure_mode) {
3486 case ssl_test_ticket_aead_ok:
3487 ASSERT_TRUE(client);
3488 EXPECT_TRUE(SSL_session_reused(client.get()));
3489 EXPECT_TRUE(SSL_session_reused(server.get()));
3490 break;
3491 case ssl_test_ticket_aead_seal_fail:
3492 abort();
3493 break;
3494 case ssl_test_ticket_aead_open_hard_fail:
3495 EXPECT_FALSE(client);
3496 break;
3497 case ssl_test_ticket_aead_open_soft_fail:
3498 ASSERT_TRUE(client);
3499 EXPECT_FALSE(SSL_session_reused(client.get()));
3500 EXPECT_FALSE(SSL_session_reused(server.get()));
3501 }
3502}
3503
3504INSTANTIATE_TEST_CASE_P(
3505 TicketAEADMethodTests, TicketAEADMethodTest,
3506 testing::Combine(
David Benjamin707af292017-03-10 17:47:18 -0500[diff] [blame]3507 testing::Values(TLS1_2_VERSION, TLS1_3_VERSION),
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]3508 testing::Values(0, 1, 2),
3509 testing::Values(ssl_test_ticket_aead_ok,
3510 ssl_test_ticket_aead_seal_fail,
3511 ssl_test_ticket_aead_open_soft_fail,
3512 ssl_test_ticket_aead_open_hard_fail)));
3513
David Benjamin3cfeb952017-03-01 16:48:38 -0500[diff] [blame]3514TEST(SSLTest, SSL3Method) {
3515 bssl::UniquePtr<X509> cert = GetTestCertificate();
3516 ASSERT_TRUE(cert);
3517
3518 // For compatibility, SSLv3_method should work up to SSL_CTX_new and SSL_new.
3519 bssl::UniquePtr<SSL_CTX> ssl3_ctx(SSL_CTX_new(SSLv3_method()));
3520 ASSERT_TRUE(ssl3_ctx);
3521 ASSERT_TRUE(SSL_CTX_use_certificate(ssl3_ctx.get(), cert.get()));
3522 bssl::UniquePtr<SSL> ssl(SSL_new(ssl3_ctx.get()));
3523 EXPECT_TRUE(ssl);
3524
3525 // Create a normal TLS context to test against.
3526 bssl::UniquePtr<SSL_CTX> tls_ctx(SSL_CTX_new(TLS_method()));
3527 ASSERT_TRUE(tls_ctx);
3528 ASSERT_TRUE(SSL_CTX_use_certificate(tls_ctx.get(), cert.get()));
3529
3530 // However, handshaking an SSLv3_method server should fail to resolve the
3531 // version range. Explicit calls to SSL_CTX_set_min_proto_version are the only
3532 // way to enable SSL 3.0.
3533 bssl::UniquePtr<SSL> client, server;
3534 EXPECT_FALSE(ConnectClientAndServer(&client, &server, tls_ctx.get(),
3535 ssl3_ctx.get(),
3536 nullptr /* no session */));
3537 uint32_t err = ERR_get_error();
3538 EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err));
3539 EXPECT_EQ(SSL_R_NO_SUPPORTED_VERSIONS_ENABLED, ERR_GET_REASON(err));
3540
3541 // Likewise for SSLv3_method clients.
3542 EXPECT_FALSE(ConnectClientAndServer(&client, &server, ssl3_ctx.get(),
3543 tls_ctx.get(),
3544 nullptr /* no session */));
3545 err = ERR_get_error();
3546 EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err));
3547 EXPECT_EQ(SSL_R_NO_SUPPORTED_VERSIONS_ENABLED, ERR_GET_REASON(err));
3548}
3549
David Benjaminca743582017-06-15 17:51:35 -0400[diff] [blame]3550TEST(SSLTest, SelectNextProto) {
3551 uint8_t *result;
3552 uint8_t result_len;
3553
3554 // If there is an overlap, it should be returned.
3555 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
3556 SSL_select_next_proto(&result, &result_len,
3557 (const uint8_t *)"\1a\2bb\3ccc", 9,
3558 (const uint8_t *)"\1x\1y\1a\1z", 8));
3559 EXPECT_EQ(Bytes("a"), Bytes(result, result_len));
3560
3561 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
3562 SSL_select_next_proto(&result, &result_len,
3563 (const uint8_t *)"\1a\2bb\3ccc", 9,
3564 (const uint8_t *)"\1x\1y\2bb\1z", 9));
3565 EXPECT_EQ(Bytes("bb"), Bytes(result, result_len));
3566
3567 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
3568 SSL_select_next_proto(&result, &result_len,
3569 (const uint8_t *)"\1a\2bb\3ccc", 9,
3570 (const uint8_t *)"\1x\1y\3ccc\1z", 10));
3571 EXPECT_EQ(Bytes("ccc"), Bytes(result, result_len));
3572
3573 // Peer preference order takes precedence over local.
3574 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
3575 SSL_select_next_proto(&result, &result_len,
3576 (const uint8_t *)"\1a\2bb\3ccc", 9,
3577 (const uint8_t *)"\3ccc\2bb\1a", 9));
3578 EXPECT_EQ(Bytes("a"), Bytes(result, result_len));
3579
3580 // If there is no overlap, return the first local protocol.
3581 EXPECT_EQ(OPENSSL_NPN_NO_OVERLAP,
3582 SSL_select_next_proto(&result, &result_len,
3583 (const uint8_t *)"\1a\2bb\3ccc", 9,
3584 (const uint8_t *)"\1x\2yy\3zzz", 9));
3585 EXPECT_EQ(Bytes("x"), Bytes(result, result_len));
3586
3587 EXPECT_EQ(OPENSSL_NPN_NO_OVERLAP,
3588 SSL_select_next_proto(&result, &result_len, nullptr, 0,
3589 (const uint8_t *)"\1x\2yy\3zzz", 9));
3590 EXPECT_EQ(Bytes("x"), Bytes(result, result_len));
3591}
3592
David Benjamin96628432017-01-19 19:05:47 -0500[diff] [blame]3593// TODO(davidben): Convert this file to GTest properly.
3594TEST(SSLTest, AllTests) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]3595 if (!TestSSL_SESSIONEncoding(kOpenSSLSession) ||
Adam Langley10f97f32016-07-12 08:09:33 -0700[diff] [blame]3596 !TestSSL_SESSIONEncoding(kCustomSession) ||
3597 !TestSSL_SESSIONEncoding(kBoringSSLSession) ||
3598 !TestBadSSL_SESSIONEncoding(kBadSessionExtraField) ||
3599 !TestBadSSL_SESSIONEncoding(kBadSessionVersion) ||
3600 !TestBadSSL_SESSIONEncoding(kBadSessionTrailingData) ||
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]3601 // Test the padding extension at TLS 1.2.
3602 !TestPaddingExtension(TLS1_2_VERSION, TLS1_2_VERSION) ||
3603 // Test the padding extension at TLS 1.3 with a TLS 1.2 session, so there
3604 // will be no PSK binder after the padding extension.
3605 !TestPaddingExtension(TLS1_3_VERSION, TLS1_2_VERSION) ||
3606 // Test the padding extension at TLS 1.3 with a TLS 1.3 session, so there
3607 // will be a PSK binder after the padding extension.
3608 !TestPaddingExtension(TLS1_3_VERSION, TLS1_3_DRAFT_VERSION) ||
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3609 !ForEachVersion(TestSequenceNumber) ||
David Benjamin68f37b72016-11-18 15:14:42 +0900[diff] [blame]3610 !ForEachVersion(TestOneSidedShutdown) ||
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3611 !ForEachVersion(TestGetPeerCertificate) ||
3612 !ForEachVersion(TestRetainOnlySHA256OfCerts) ||
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]3613 !TestClientHello() ||
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3614 !ForEachVersion(TestSessionIDContext) ||
3615 !ForEachVersion(TestSessionTimeout) ||
3616 !ForEachVersion(TestSNICallback) ||
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3617 !ForEachVersion(TestVersion) ||
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]3618 !ForEachVersion(TestALPNCipherAvailable) ||
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]3619 !ForEachVersion(TestSSLClearSessionResumption) ||
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]3620 !ForEachVersion(TestAutoChain) ||
David Benjamin5df5be12017-06-22 19:43:11 -0400[diff] [blame]3621 !ForEachVersion(TestSSLWriteRetry) ||
3622 !ForEachVersion(TestRecordCallback)) {
David Benjamin96628432017-01-19 19:05:47 -0500[diff] [blame]3623 ADD_FAILURE() << "Tests failed";
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]3624 }
David Benjamin2e521212014-07-16 14:37:51 -0400[diff] [blame]3625}