Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / 6fff386492d9f316f5f780ff9d0ddaf1700f98a9 / . / ssl / ssl_test.cc
blob: 31899a5294e45782002fe199c293561ce3b5acb8 [file] [log] [blame]
David Benjamin2e521212014-07-16 14:37:51 -0400[diff] [blame]1/* Copyright (c) 2014, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15#include <stdio.h>
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]16#include <string.h>
David Benjamin1269ddd2015-10-18 15:18:55 -0400[diff] [blame]17#include <time.h>
David Benjamin2e521212014-07-16 14:37:51 -0400[diff] [blame]18
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]19#include <algorithm>
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]20#include <string>
David Benjamin4f6acaf2015-11-21 03:00:50 -0500[diff] [blame]21#include <utility>
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]22#include <vector>
23
David Benjamin96628432017-01-19 19:05:47 -0500[diff] [blame]24#include <gtest/gtest.h>
25
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]26#include <openssl/base64.h>
27#include <openssl/bio.h>
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]28#include <openssl/cipher.h>
David Benjamin7a1eefd2015-10-17 23:39:22 -0400[diff] [blame]29#include <openssl/crypto.h>
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]30#include <openssl/err.h>
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]31#include <openssl/hmac.h>
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]32#include <openssl/pem.h>
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]33#include <openssl/sha.h>
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]34#include <openssl/ssl.h>
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]35#include <openssl/rand.h>
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]36#include <openssl/x509.h>
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]37
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]38#include "internal.h"
Steven Valdezcb966542016-08-17 16:56:14 -0400[diff] [blame]39#include "../crypto/internal.h"
Sigbjorn Vik2b23d242015-06-29 15:07:26 +0200[diff] [blame]40#include "../crypto/test/test_util.h"
41
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]42#if defined(OPENSSL_WINDOWS)
43/* Windows defines struct timeval in winsock2.h. */
44OPENSSL_MSVC_PRAGMA(warning(push, 3))
45#include <winsock2.h>
46OPENSSL_MSVC_PRAGMA(warning(pop))
47#else
48#include <sys/time.h>
49#endif
50
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]51
52struct ExpectedCipher {
53 unsigned long id;
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]54 int in_group_flag;
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]55};
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]56
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]57struct CipherTest {
58 // The rule string to apply.
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]59 const char *rule;
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]60 // The list of expected ciphers, in order.
61 std::vector<ExpectedCipher> expected;
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]62 // True if this cipher list should fail in strict mode.
63 bool strict_fail;
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]64};
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]65
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]66struct CurveTest {
67 // The rule string to apply.
68 const char *rule;
69 // The list of expected curves, in order.
70 std::vector<uint16_t> expected;
71};
72
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]73static const CipherTest kCipherTests[] = {
74 // Selecting individual ciphers should work.
75 {
76 "ECDHE-ECDSA-CHACHA20-POLY1305:"
77 "ECDHE-RSA-CHACHA20-POLY1305:"
78 "ECDHE-ECDSA-AES128-GCM-SHA256:"
79 "ECDHE-RSA-AES128-GCM-SHA256",
80 {
81 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]82 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]83 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
84 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
85 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]86 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]87 },
88 // + reorders selected ciphers to the end, keeping their relative order.
89 {
90 "ECDHE-ECDSA-CHACHA20-POLY1305:"
91 "ECDHE-RSA-CHACHA20-POLY1305:"
92 "ECDHE-ECDSA-AES128-GCM-SHA256:"
93 "ECDHE-RSA-AES128-GCM-SHA256:"
94 "+aRSA",
95 {
96 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]97 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
98 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]99 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
100 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]101 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]102 },
103 // ! banishes ciphers from future selections.
104 {
105 "!aRSA:"
106 "ECDHE-ECDSA-CHACHA20-POLY1305:"
107 "ECDHE-RSA-CHACHA20-POLY1305:"
108 "ECDHE-ECDSA-AES128-GCM-SHA256:"
109 "ECDHE-RSA-AES128-GCM-SHA256",
110 {
111 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]112 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
113 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]114 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]115 },
116 // Multiple masks can be ANDed in a single rule.
117 {
118 "kRSA+AESGCM+AES128",
119 {
120 {TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0},
121 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]122 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]123 },
124 // - removes selected ciphers, but preserves their order for future
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]125 // selections. Select AES_128_GCM, but order the key exchanges RSA,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]126 // ECDHE_RSA.
127 {
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]128 "ALL:-kECDHE:"
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]129 "-kRSA:-ALL:"
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]130 "AESGCM+AES128+aRSA",
131 {
132 {TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]133 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
134 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]135 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]136 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]137 // Unknown selectors are no-ops, except in strict mode.
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]138 {
139 "ECDHE-ECDSA-CHACHA20-POLY1305:"
140 "ECDHE-RSA-CHACHA20-POLY1305:"
141 "ECDHE-ECDSA-AES128-GCM-SHA256:"
142 "ECDHE-RSA-AES128-GCM-SHA256:"
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]143 "BOGUS1",
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]144 {
145 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]146 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]147 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
148 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
149 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]150 true,
151 },
152 // Unknown selectors are no-ops, except in strict mode.
153 {
154 "ECDHE-ECDSA-CHACHA20-POLY1305:"
155 "ECDHE-RSA-CHACHA20-POLY1305:"
156 "ECDHE-ECDSA-AES128-GCM-SHA256:"
157 "ECDHE-RSA-AES128-GCM-SHA256:"
158 "-BOGUS2:+BOGUS3:!BOGUS4",
159 {
160 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
161 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
162 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
163 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
164 },
165 true,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]166 },
167 // Square brackets specify equi-preference groups.
168 {
169 "[ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES128-GCM-SHA256]:"
170 "[ECDHE-RSA-CHACHA20-POLY1305]:"
171 "ECDHE-RSA-AES128-GCM-SHA256",
172 {
173 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 1},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]174 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
Adam Langley2e839242017-01-19 15:12:44 -0800[diff] [blame]175 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]176 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
177 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]178 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]179 },
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame^]180 // Standard names may be used instead of OpenSSL names.
181 {
182 "[TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|"
183 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]:"
184 "[TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256]:"
185 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
186 {
187 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 1},
188 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
189 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
190 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
191 },
192 false,
193 },
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]194 // @STRENGTH performs a stable strength-sort of the selected ciphers and
195 // only the selected ciphers.
196 {
197 // To simplify things, banish all but {ECDHE_RSA,RSA} x
Matthew Braithwaite8aaa9e12016-09-07 15:09:58 -0700[diff] [blame]198 // {CHACHA20,AES_256_CBC,AES_128_CBC} x SHA1.
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]199 "!AESGCM:!3DES:!SHA256:!SHA384:"
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]200 // Order some ciphers backwards by strength.
Matthew Braithwaite8aaa9e12016-09-07 15:09:58 -0700[diff] [blame]201 "ALL:-CHACHA20:-AES256:-AES128:-ALL:"
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]202 // Select ECDHE ones and sort them by strength. Ties should resolve
203 // based on the order above.
204 "kECDHE:@STRENGTH:-ALL:"
205 // Now bring back everything uses RSA. ECDHE_RSA should be first, sorted
206 // by strength. Then RSA, backwards by strength.
207 "aRSA",
208 {
209 {TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, 0},
210 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]211 {TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]212 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
213 {TLS1_CK_RSA_WITH_AES_256_SHA, 0},
214 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]215 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]216 },
217 // Exact ciphers may not be used in multi-part rules; they are treated
218 // as unknown aliases.
219 {
220 "ECDHE-ECDSA-AES128-GCM-SHA256:"
221 "ECDHE-RSA-AES128-GCM-SHA256:"
222 "!ECDHE-RSA-AES128-GCM-SHA256+RSA:"
223 "!ECDSA+ECDHE-ECDSA-AES128-GCM-SHA256",
224 {
225 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
226 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
227 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]228 true,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]229 },
230 // SSLv3 matches everything that existed before TLS 1.2.
231 {
232 "AES128-SHA:AES128-SHA256:!SSLv3",
233 {
234 {TLS1_CK_RSA_WITH_AES_128_SHA256, 0},
235 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]236 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]237 },
238 // TLSv1.2 matches everything added in TLS 1.2.
239 {
240 "AES128-SHA:AES128-SHA256:!TLSv1.2",
241 {
242 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
243 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]244 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]245 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]246 // The two directives have no intersection. But each component is valid, so
247 // even in strict mode it is accepted.
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]248 {
249 "AES128-SHA:AES128-SHA256:!TLSv1.2+SSLv3",
250 {
251 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
252 {TLS1_CK_RSA_WITH_AES_128_SHA256, 0},
253 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]254 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]255 },
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]256};
257
258static const char *kBadRules[] = {
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]259 // Invalid brackets.
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]260 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256",
261 "RSA]",
262 "[[RSA]]",
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]263 // Operators inside brackets.
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]264 "[+RSA]",
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]265 // Unknown directive.
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]266 "@BOGUS",
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]267 // Empty cipher lists error at SSL_CTX_set_cipher_list.
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]268 "",
269 "BOGUS",
David Benjamin32fbdf22015-04-07 01:14:06 -0400[diff] [blame]270 // COMPLEMENTOFDEFAULT is empty.
271 "COMPLEMENTOFDEFAULT",
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]272 // Invalid command.
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]273 "?BAR",
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]274 // Special operators are not allowed if groups are used.
David Benjamin37d92462014-09-20 17:54:24 -0400[diff] [blame]275 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:+FOO",
276 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:!FOO",
277 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:-FOO",
278 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:@STRENGTH",
Adam Langleyf99f2442016-10-02 09:53:38 -0700[diff] [blame]279 // Opcode supplied, but missing selector.
280 "+",
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]281};
282
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]283static const char *kMustNotIncludeNull[] = {
284 "ALL",
285 "DEFAULT",
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]286 "HIGH",
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]287 "FIPS",
288 "SHA",
289 "SHA1",
290 "RSA",
291 "SSLv3",
292 "TLSv1",
293 "TLSv1.2",
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]294};
295
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]296static const CurveTest kCurveTests[] = {
297 {
298 "P-256",
299 { SSL_CURVE_SECP256R1 },
300 },
301 {
302 "P-256:P-384:P-521:X25519",
303 {
304 SSL_CURVE_SECP256R1,
305 SSL_CURVE_SECP384R1,
306 SSL_CURVE_SECP521R1,
307 SSL_CURVE_X25519,
308 },
309 },
310};
311
312static const char *kBadCurvesLists[] = {
313 "",
314 ":",
315 "::",
316 "P-256::X25519",
317 "RSA:P-256",
318 "P-256:RSA",
319 "X25519:P-256:",
320 ":X25519:P-256",
321};
322
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]323static std::string CipherListToString(ssl_cipher_preference_list_st *list) {
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]324 bool in_group = false;
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]325 std::string ret;
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]326 for (size_t i = 0; i < sk_SSL_CIPHER_num(list->ciphers); i++) {
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]327 const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(list->ciphers, i);
328 if (!in_group && list->in_group_flags[i]) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]329 ret += "\t[\n";
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]330 in_group = true;
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]331 }
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]332 ret += "\t";
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]333 if (in_group) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]334 ret += " ";
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]335 }
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]336 ret += SSL_CIPHER_get_name(cipher);
337 ret += "\n";
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]338 if (in_group && !list->in_group_flags[i]) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]339 ret += "\t]\n";
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]340 in_group = false;
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]341 }
342 }
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]343 return ret;
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]344}
345
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]346static bool CipherListsEqual(ssl_cipher_preference_list_st *list,
347 const std::vector<ExpectedCipher> &expected) {
348 if (sk_SSL_CIPHER_num(list->ciphers) != expected.size()) {
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]349 return false;
David Benjamin65226252015-02-05 16:49:47 -0500[diff] [blame]350 }
351
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]352 for (size_t i = 0; i < expected.size(); i++) {
353 const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(list->ciphers, i);
354 if (expected[i].id != SSL_CIPHER_get_id(cipher) ||
355 expected[i].in_group_flag != list->in_group_flags[i]) {
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]356 return false;
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]357 }
358 }
359
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]360 return true;
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]361}
362
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]363TEST(SSLTest, CipherRules) {
364 for (const CipherTest &t : kCipherTests) {
365 SCOPED_TRACE(t.rule);
366 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
367 ASSERT_TRUE(ctx);
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]368
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]369 // Test lax mode.
370 ASSERT_TRUE(SSL_CTX_set_cipher_list(ctx.get(), t.rule));
371 EXPECT_TRUE(CipherListsEqual(ctx->cipher_list, t.expected))
372 << "Cipher rule evaluated to:\n"
373 << CipherListToString(ctx->cipher_list);
374
375 // Test strict mode.
376 if (t.strict_fail) {
377 EXPECT_FALSE(SSL_CTX_set_strict_cipher_list(ctx.get(), t.rule));
378 } else {
379 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(ctx.get(), t.rule));
380 EXPECT_TRUE(CipherListsEqual(ctx->cipher_list, t.expected))
381 << "Cipher rule evaluated to:\n"
382 << CipherListToString(ctx->cipher_list);
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]383 }
384 }
385
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]386 for (const char *rule : kBadRules) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]387 SCOPED_TRACE(rule);
388 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
389 ASSERT_TRUE(ctx);
390
391 EXPECT_FALSE(SSL_CTX_set_cipher_list(ctx.get(), rule));
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]392 ERR_clear_error();
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]393 }
394
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]395 for (const char *rule : kMustNotIncludeNull) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]396 SCOPED_TRACE(rule);
397 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
398 ASSERT_TRUE(ctx);
399
400 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(ctx.get(), rule));
401 for (size_t i = 0; i < sk_SSL_CIPHER_num(ctx->cipher_list->ciphers); i++) {
402 EXPECT_FALSE(SSL_CIPHER_is_NULL(
403 sk_SSL_CIPHER_value(ctx->cipher_list->ciphers, i)));
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]404 }
405 }
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]406}
David Benjamin2e521212014-07-16 14:37:51 -0400[diff] [blame]407
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]408TEST(SSLTest, CurveRules) {
409 for (const CurveTest &t : kCurveTests) {
410 SCOPED_TRACE(t.rule);
411 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
412 ASSERT_TRUE(ctx);
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]413
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]414 ASSERT_TRUE(SSL_CTX_set1_curves_list(ctx.get(), t.rule));
415 ASSERT_EQ(t.expected.size(), ctx->supported_group_list_len);
416 for (size_t i = 0; i < t.expected.size(); i++) {
417 EXPECT_EQ(t.expected[i], ctx->supported_group_list[i]);
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]418 }
419 }
420
421 for (const char *rule : kBadCurvesLists) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]422 SCOPED_TRACE(rule);
423 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
424 ASSERT_TRUE(ctx);
425
426 EXPECT_FALSE(SSL_CTX_set1_curves_list(ctx.get(), rule));
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]427 ERR_clear_error();
428 }
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]429}
430
Adam Langley364f7a62016-12-12 10:51:00 -0800[diff] [blame]431// kOpenSSLSession is a serialized SSL_SESSION.
Adam Langley10f97f32016-07-12 08:09:33 -0700[diff] [blame]432static const char kOpenSSLSession[] =
Adam Langley364f7a62016-12-12 10:51:00 -0800[diff] [blame]433 "MIIFqgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
Adam Langley10f97f32016-07-12 08:09:33 -0700[diff] [blame]434 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
435 "IWoJoQYCBFRDO46iBAICASyjggR6MIIEdjCCA16gAwIBAgIIK9dUvsPWSlUwDQYJ"
436 "KoZIhvcNAQEFBQAwSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMx"
437 "JTAjBgNVBAMTHEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTQxMDA4"
438 "MTIwNzU3WhcNMTUwMTA2MDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwK"
439 "Q2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29v"
440 "Z2xlIEluYzEXMBUGA1UEAwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEB"
441 "AQUAA4IBDwAwggEKAoIBAQCcKeLrplAC+Lofy8t/wDwtB6eu72CVp0cJ4V3lknN6"
442 "huH9ct6FFk70oRIh/VBNBBz900jYy+7111Jm1b8iqOTQ9aT5C7SEhNcQFJvqzH3e"
443 "MPkb6ZSWGm1yGF7MCQTGQXF20Sk/O16FSjAynU/b3oJmOctcycWYkY0ytS/k3LBu"
444 "Id45PJaoMqjB0WypqvNeJHC3q5JjCB4RP7Nfx5jjHSrCMhw8lUMW4EaDxjaR9KDh"
445 "PLgjsk+LDIySRSRDaCQGhEOWLJZVLzLo4N6/UlctCHEllpBUSvEOyFga52qroGjg"
446 "rf3WOQ925MFwzd6AK+Ich0gDRg8sQfdLH5OuP1cfLfU1AgMBAAGjggFBMIIBPTAd"
447 "BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdv"
448 "b2dsZS5jb20waAYIKwYBBQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtp"
449 "Lmdvb2dsZS5jb20vR0lBRzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50"
450 "czEuZ29vZ2xlLmNvbS9vY3NwMB0GA1UdDgQWBBQ7a+CcxsZByOpc+xpYFcIbnUMZ"
451 "hTAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEv"
452 "MBcGA1UdIAQQMA4wDAYKKwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRw"
453 "Oi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQCa"
454 "OXCBdoqUy5bxyq+Wrh1zsyyCFim1PH5VU2+yvDSWrgDY8ibRGJmfff3r4Lud5kal"
455 "dKs9k8YlKD3ITG7P0YT/Rk8hLgfEuLcq5cc0xqmE42xJ+Eo2uzq9rYorc5emMCxf"
456 "5L0TJOXZqHQpOEcuptZQ4OjdYMfSxk5UzueUhA3ogZKRcRkdB3WeWRp+nYRhx4St"
457 "o2rt2A0MKmY9165GHUqMK9YaaXHDXqBu7Sefr1uSoAP9gyIJKeihMivsGqJ1TD6Z"
458 "cc6LMe+dN2P8cZEQHtD1y296ul4Mivqk3jatUVL8/hCwgch9A8O4PGZq9WqBfEWm"
459 "IyHh1dPtbg1lOXdYCWtjpAIEAKUDAgEUqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36S"
460 "YTcLEkXqKwOBfF9vE4KX0NxeLwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9B"
461 "sNHM362zZnY27GpTw+Kwd751CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yE"
462 "OTDKPNj3+inbMaVigtK4PLyPq+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdA"
Adam Langley364f7a62016-12-12 10:51:00 -0800[diff] [blame]463 "i4gv7Y5oliyntgMBAQA=";
Adam Langley10f97f32016-07-12 08:09:33 -0700[diff] [blame]464
465// kCustomSession is a custom serialized SSL_SESSION generated by
466// filling in missing fields from |kOpenSSLSession|. This includes
467// providing |peer_sha256|, so |peer| is not serialized.
468static const char kCustomSession[] =
469 "MIIBdgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
470 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
471 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
472 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
473 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
474 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
475 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
476 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBLADBAEF";
477
478// kBoringSSLSession is a serialized SSL_SESSION generated from bssl client.
479static const char kBoringSSLSession[] =
480 "MIIRwQIBAQICAwMEAsAvBCDdoGxGK26mR+8lM0uq6+k9xYuxPnwAjpcF9n0Yli9R"
481 "kQQwbyshfWhdi5XQ1++7n2L1qqrcVlmHBPpr6yknT/u4pUrpQB5FZ7vqvNn8MdHf"
482 "9rWgoQYCBFXgs7uiBAICHCCjggR6MIIEdjCCA16gAwIBAgIIf+yfD7Y6UicwDQYJ"
483 "KoZIhvcNAQELBQAwSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMx"
484 "JTAjBgNVBAMTHEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTUwODEy"
485 "MTQ1MzE1WhcNMTUxMTEwMDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwK"
486 "Q2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29v"
487 "Z2xlIEluYzEXMBUGA1UEAwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEB"
488 "AQUAA4IBDwAwggEKAoIBAQC0MeG5YGQ0t+IeJeoneP/PrhEaieibeKYkbKVLNZpo"
489 "PLuBinvhkXZo3DC133NpCBpy6ZktBwamqyixAyuk/NU6OjgXqwwxfQ7di1AInLIU"
490 "792c7hFyNXSUCG7At8Ifi3YwBX9Ba6u/1d6rWTGZJrdCq3QU11RkKYyTq2KT5mce"
491 "Tv9iGKqSkSTlp8puy/9SZ/3DbU3U+BuqCFqeSlz7zjwFmk35acdCilpJlVDDN5C/"
492 "RCh8/UKc8PaL+cxlt531qoTENvYrflBno14YEZlCBZsPiFeUSILpKEj3Ccwhy0eL"
493 "EucWQ72YZU8mUzXBoXGn0zA0crFl5ci/2sTBBGZsylNBAgMBAAGjggFBMIIBPTAd"
494 "BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdv"
495 "b2dsZS5jb20waAYIKwYBBQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtp"
496 "Lmdvb2dsZS5jb20vR0lBRzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50"
497 "czEuZ29vZ2xlLmNvbS9vY3NwMB0GA1UdDgQWBBS/bzHxcE73Q4j3slC4BLbMtLjG"
498 "GjAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEv"
499 "MBcGA1UdIAQQMA4wDAYKKwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRw"
500 "Oi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQAb"
501 "qdWPZEHk0X7iKPCTHL6S3w6q1eR67goxZGFSM1lk1hjwyu7XcLJuvALVV9uY3ovE"
502 "kQZSHwT+pyOPWQhsSjO+1GyjvCvK/CAwiUmBX+bQRGaqHsRcio7xSbdVcajQ3bXd"
503 "X+s0WdbOpn6MStKAiBVloPlSxEI8pxY6x/BBCnTIk/+DMB17uZlOjG3vbAnkDkP+"
504 "n0OTucD9sHV7EVj9XUxi51nOfNBCN/s7lpUjDS/NJ4k3iwOtbCPswiot8vLO779a"
505 "f07vR03r349Iz/KTzk95rlFtX0IU+KYNxFNsanIXZ+C9FYGRXkwhHcvFb4qMUB1y"
506 "TTlM80jBMOwyjZXmjRAhpAIEAKUDAgEUqQUCAwGJwKqBpwSBpOgebbmn9NRUtMWH"
507 "+eJpqA5JLMFSMCChOsvKey3toBaCNGU7HfAEiiXNuuAdCBoK262BjQc2YYfqFzqH"
508 "zuppopXCvhohx7j/tnCNZIMgLYt/O9SXK2RYI5z8FhCCHvB4CbD5G0LGl5EFP27s"
509 "Jb6S3aTTYPkQe8yZSlxevg6NDwmTogLO9F7UUkaYmVcMQhzssEE2ZRYNwSOU6KjE"
510 "0Yj+8fAiBtbQriIEIN2L8ZlpaVrdN5KFNdvcmOxJu81P8q53X55xQyGTnGWwsgMC"
511 "ARezggvvMIIEdjCCA16gAwIBAgIIf+yfD7Y6UicwDQYJKoZIhvcNAQELBQAwSTEL"
512 "MAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2ds"
513 "ZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTUwODEyMTQ1MzE1WhcNMTUxMTEw"
514 "MDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQG"
515 "A1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UE"
516 "AwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB"
517 "AQC0MeG5YGQ0t+IeJeoneP/PrhEaieibeKYkbKVLNZpoPLuBinvhkXZo3DC133Np"
518 "CBpy6ZktBwamqyixAyuk/NU6OjgXqwwxfQ7di1AInLIU792c7hFyNXSUCG7At8If"
519 "i3YwBX9Ba6u/1d6rWTGZJrdCq3QU11RkKYyTq2KT5mceTv9iGKqSkSTlp8puy/9S"
520 "Z/3DbU3U+BuqCFqeSlz7zjwFmk35acdCilpJlVDDN5C/RCh8/UKc8PaL+cxlt531"
521 "qoTENvYrflBno14YEZlCBZsPiFeUSILpKEj3Ccwhy0eLEucWQ72YZU8mUzXBoXGn"
522 "0zA0crFl5ci/2sTBBGZsylNBAgMBAAGjggFBMIIBPTAdBgNVHSUEFjAUBggrBgEF"
523 "BQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYB"
524 "BQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lB"
525 "RzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9v"
526 "Y3NwMB0GA1UdDgQWBBS/bzHxcE73Q4j3slC4BLbMtLjGGjAMBgNVHRMBAf8EAjAA"
527 "MB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMBcGA1UdIAQQMA4wDAYK"
528 "KwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRwOi8vcGtpLmdvb2dsZS5j"
529 "b20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQAbqdWPZEHk0X7iKPCTHL6S"
530 "3w6q1eR67goxZGFSM1lk1hjwyu7XcLJuvALVV9uY3ovEkQZSHwT+pyOPWQhsSjO+"
531 "1GyjvCvK/CAwiUmBX+bQRGaqHsRcio7xSbdVcajQ3bXdX+s0WdbOpn6MStKAiBVl"
532 "oPlSxEI8pxY6x/BBCnTIk/+DMB17uZlOjG3vbAnkDkP+n0OTucD9sHV7EVj9XUxi"
533 "51nOfNBCN/s7lpUjDS/NJ4k3iwOtbCPswiot8vLO779af07vR03r349Iz/KTzk95"
534 "rlFtX0IU+KYNxFNsanIXZ+C9FYGRXkwhHcvFb4qMUB1yTTlM80jBMOwyjZXmjRAh"
535 "MIID8DCCAtigAwIBAgIDAjqDMA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT"
536 "MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i"
537 "YWwgQ0EwHhcNMTMwNDA1MTUxNTU2WhcNMTYxMjMxMjM1OTU5WjBJMQswCQYDVQQG"
538 "EwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVy"
539 "bmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB"
540 "AJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NP"
541 "VaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtv"
542 "h8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rE"
543 "ahqyzFPdFUuLH8gZYR/Nnag+YyuENWllhMgZxUYi+FOVvuOAShDGKuy6lyARxzmZ"
544 "EASg8GF6lSWMTlJ14rbtCMoU/M4iarNOz0YDl5cDfsCx3nuvRTPPuj5xt970JSXC"
545 "DTWJnZ37DhF5iR43xa+OcmkCAwEAAaOB5zCB5DAfBgNVHSMEGDAWgBTAephojYn7"
546 "qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1dvWBtrtiGrpagS8wDgYD"
547 "VR0PAQH/BAQDAgEGMC4GCCsGAQUFBwEBBCIwIDAeBggrBgEFBQcwAYYSaHR0cDov"
548 "L2cuc3ltY2QuY29tMBIGA1UdEwEB/wQIMAYBAf8CAQAwNQYDVR0fBC4wLDAqoCig"
549 "JoYkaHR0cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9iYWwuY3JsMBcGA1UdIAQQ"
550 "MA4wDAYKKwYBBAHWeQIFATANBgkqhkiG9w0BAQsFAAOCAQEAqvqpIM1qZ4PtXtR+"
551 "3h3Ef+AlBgDFJPupyC1tft6dgmUsgWM0Zj7pUsIItMsv91+ZOmqcUHqFBYx90SpI"
552 "hNMJbHzCzTWf84LuUt5oX+QAihcglvcpjZpNy6jehsgNb1aHA30DP9z6eX0hGfnI"
553 "Oi9RdozHQZJxjyXON/hKTAAj78Q1EK7gI4BzfE00LshukNYQHpmEcxpw8u1VDu4X"
554 "Bupn7jLrLN1nBz/2i8Jw3lsA5rsb0zYaImxssDVCbJAJPZPpZAkiDoUGn8JzIdPm"
555 "X4DkjYUiOnMDsWCOrmji9D6X52ASCWg23jrW4kOVWzeBkoEfu43XrVJkFleW2V40"
556 "fsg12DCCA30wggLmoAMCAQICAxK75jANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQG"
557 "EwJVUzEQMA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUg"
558 "Q2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTAyMDUyMTA0MDAwMFoXDTE4MDgyMTA0"
559 "MDAwMFowQjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUdlb1RydXN0IEluYy4xGzAZ"
560 "BgNVBAMTEkdlb1RydXN0IEdsb2JhbCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP"
561 "ADCCAQoCggEBANrMGGMw/fQXIxpWflvfPGw45HG3eJHUvKHYTPioQ7YD6U0hBwiI"
562 "2lgvZjkpvQV4i5046AW3an5xpObEYKaw74DkiSgPniXW7YPzraaRx5jJQhg1FJ2t"
563 "mEaSLk/K8YdDwRaVVy1Q74ktgHpXrfLuX2vSAI25FPgUFTXZwEaje3LIkb/JVSvN"
564 "0Jc+nCZkzN/Ogxlxyk7m1NV7qRnNVd7I7NJeOFPlXE+MLf5QIzb8ZubLjqQ5GQC3"
565 "lQI5kQsO/jgu0R0FmvZNPm8PBx2vLB6PYDni+jZTEznUXiYr2z2oFL0y6xgDKFIE"
566 "ceWrMz3hOLsHNoRinHnqFjD0X8Ar6HFr5PkCAwEAAaOB8DCB7TAfBgNVHSMEGDAW"
567 "gBRI5mj5K9KylddH2CMgEE8zmJCf1DAdBgNVHQ4EFgQUwHqYaI2J+6sFZAwRfap9"
568 "ZbjKzE4wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwOgYDVR0fBDMw"
569 "MTAvoC2gK4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20vY3Jscy9zZWN1cmVjYS5j"
570 "cmwwTgYDVR0gBEcwRTBDBgRVHSAAMDswOQYIKwYBBQUHAgEWLWh0dHBzOi8vd3d3"
571 "Lmdlb3RydXN0LmNvbS9yZXNvdXJjZXMvcmVwb3NpdG9yeTANBgkqhkiG9w0BAQUF"
572 "AAOBgQB24RJuTksWEoYwBrKBCM/wCMfHcX5m7sLt1Dsf//DwyE7WQziwuTB9GNBV"
573 "g6JqyzYRnOhIZqNtf7gT1Ef+i1pcc/yu2RsyGTirlzQUqpbS66McFAhJtrvlke+D"
574 "NusdVm/K2rxzY5Dkf3s+Iss9B+1fOHSc4wNQTqGvmO5h8oQ/Eg==";
575
576// kBadSessionExtraField is a custom serialized SSL_SESSION generated by replacing
577// the final (optional) element of |kCustomSession| with tag number 30.
578static const char kBadSessionExtraField[] =
579 "MIIBdgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
580 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
581 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
582 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
583 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
584 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
585 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
586 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBL4DBAEF";
587
588// kBadSessionVersion is a custom serialized SSL_SESSION generated by replacing
589// the version of |kCustomSession| with 2.
590static const char kBadSessionVersion[] =
591 "MIIBdgIBAgICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
592 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
593 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
594 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
595 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
596 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
597 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
598 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBLADBAEF";
599
600// kBadSessionTrailingData is a custom serialized SSL_SESSION with trailing data
601// appended.
602static const char kBadSessionTrailingData[] =
603 "MIIBdgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
604 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
605 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
606 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
607 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
608 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
609 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
610 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBLADBAEFAAAA";
611
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]612static bool DecodeBase64(std::vector<uint8_t> *out, const char *in) {
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]613 size_t len;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]614 if (!EVP_DecodedLength(&len, strlen(in))) {
615 fprintf(stderr, "EVP_DecodedLength failed\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]616 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]617 }
618
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]619 out->resize(len);
David Benjaminef14b2d2015-11-11 14:01:27 -0800[diff] [blame]620 if (!EVP_DecodeBase64(out->data(), &len, len, (const uint8_t *)in,
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]621 strlen(in))) {
622 fprintf(stderr, "EVP_DecodeBase64 failed\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]623 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]624 }
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]625 out->resize(len);
626 return true;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]627}
628
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]629static bool TestSSL_SESSIONEncoding(const char *input_b64) {
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]630 const uint8_t *cptr;
631 uint8_t *ptr;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]632
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]633 // Decode the input.
634 std::vector<uint8_t> input;
635 if (!DecodeBase64(&input, input_b64)) {
636 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]637 }
638
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]639 // Verify the SSL_SESSION decodes.
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]640 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
641 if (!ssl_ctx) {
642 return false;
643 }
644 bssl::UniquePtr<SSL_SESSION> session(
645 SSL_SESSION_from_bytes(input.data(), input.size(), ssl_ctx.get()));
David Benjaminfd67aa82015-06-15 19:41:48 -0400[diff] [blame]646 if (!session) {
647 fprintf(stderr, "SSL_SESSION_from_bytes failed\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]648 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]649 }
650
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]651 // Verify the SSL_SESSION encoding round-trips.
652 size_t encoded_len;
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]653 bssl::UniquePtr<uint8_t> encoded;
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]654 uint8_t *encoded_raw;
655 if (!SSL_SESSION_to_bytes(session.get(), &encoded_raw, &encoded_len)) {
David Benjamin3cac4502014-10-21 01:46:30 -0400[diff] [blame]656 fprintf(stderr, "SSL_SESSION_to_bytes failed\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]657 return false;
David Benjamin3cac4502014-10-21 01:46:30 -0400[diff] [blame]658 }
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]659 encoded.reset(encoded_raw);
660 if (encoded_len != input.size() ||
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]661 OPENSSL_memcmp(input.data(), encoded.get(), input.size()) != 0) {
David Benjamin3cac4502014-10-21 01:46:30 -0400[diff] [blame]662 fprintf(stderr, "SSL_SESSION_to_bytes did not round-trip\n");
Sigbjorn Vik2b23d242015-06-29 15:07:26 +0200[diff] [blame]663 hexdump(stderr, "Before: ", input.data(), input.size());
664 hexdump(stderr, "After: ", encoded_raw, encoded_len);
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]665 return false;
David Benjamin3cac4502014-10-21 01:46:30 -0400[diff] [blame]666 }
David Benjamin3cac4502014-10-21 01:46:30 -0400[diff] [blame]667
David Benjaminfd67aa82015-06-15 19:41:48 -0400[diff] [blame]668 // Verify the SSL_SESSION also decodes with the legacy API.
David Benjaminef14b2d2015-11-11 14:01:27 -0800[diff] [blame]669 cptr = input.data();
David Benjaminfd67aa82015-06-15 19:41:48 -0400[diff] [blame]670 session.reset(d2i_SSL_SESSION(NULL, &cptr, input.size()));
David Benjaminef14b2d2015-11-11 14:01:27 -0800[diff] [blame]671 if (!session || cptr != input.data() + input.size()) {
David Benjaminfd67aa82015-06-15 19:41:48 -0400[diff] [blame]672 fprintf(stderr, "d2i_SSL_SESSION failed\n");
673 return false;
674 }
675
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]676 // Verify the SSL_SESSION encoding round-trips via the legacy API.
677 int len = i2d_SSL_SESSION(session.get(), NULL);
678 if (len < 0 || (size_t)len != input.size()) {
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]679 fprintf(stderr, "i2d_SSL_SESSION(NULL) returned invalid length\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]680 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]681 }
682
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]683 encoded.reset((uint8_t *)OPENSSL_malloc(input.size()));
684 if (!encoded) {
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]685 fprintf(stderr, "malloc failed\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]686 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]687 }
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]688
689 ptr = encoded.get();
690 len = i2d_SSL_SESSION(session.get(), &ptr);
691 if (len < 0 || (size_t)len != input.size()) {
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]692 fprintf(stderr, "i2d_SSL_SESSION returned invalid length\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]693 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]694 }
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]695 if (ptr != encoded.get() + input.size()) {
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]696 fprintf(stderr, "i2d_SSL_SESSION did not advance ptr correctly\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]697 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]698 }
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]699 if (OPENSSL_memcmp(input.data(), encoded.get(), input.size()) != 0) {
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]700 fprintf(stderr, "i2d_SSL_SESSION did not round-trip\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]701 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]702 }
703
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]704 return true;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]705}
706
David Benjaminf297e022015-05-28 19:55:29 -0400[diff] [blame]707static bool TestBadSSL_SESSIONEncoding(const char *input_b64) {
708 std::vector<uint8_t> input;
709 if (!DecodeBase64(&input, input_b64)) {
710 return false;
711 }
712
713 // Verify that the SSL_SESSION fails to decode.
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]714 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
715 if (!ssl_ctx) {
716 return false;
717 }
718 bssl::UniquePtr<SSL_SESSION> session(
719 SSL_SESSION_from_bytes(input.data(), input.size(), ssl_ctx.get()));
David Benjaminf297e022015-05-28 19:55:29 -0400[diff] [blame]720 if (session) {
David Benjaminfd67aa82015-06-15 19:41:48 -0400[diff] [blame]721 fprintf(stderr, "SSL_SESSION_from_bytes unexpectedly succeeded\n");
David Benjaminf297e022015-05-28 19:55:29 -0400[diff] [blame]722 return false;
723 }
724 ERR_clear_error();
725 return true;
726}
727
David Benjamin321fcdc2017-04-24 11:42:42 -0400[diff] [blame]728static void ExpectDefaultVersion(uint16_t min_version, uint16_t max_version,
729 const SSL_METHOD *(*method)(void)) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]730 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method()));
David Benjamin321fcdc2017-04-24 11:42:42 -0400[diff] [blame]731 ASSERT_TRUE(ctx);
David Benjaminfc08dfc2017-06-20 14:39:32 -0400[diff] [blame]732 EXPECT_EQ(min_version, ctx->conf_min_version);
733 EXPECT_EQ(max_version, ctx->conf_max_version);
David Benjamin321fcdc2017-04-24 11:42:42 -0400[diff] [blame]734}
735
736TEST(SSLTest, DefaultVersion) {
737 // TODO(svaldez): Update this when TLS 1.3 is enabled by default.
738 ExpectDefaultVersion(TLS1_VERSION, TLS1_2_VERSION, &TLS_method);
739 ExpectDefaultVersion(TLS1_VERSION, TLS1_VERSION, &TLSv1_method);
740 ExpectDefaultVersion(TLS1_1_VERSION, TLS1_1_VERSION, &TLSv1_1_method);
741 ExpectDefaultVersion(TLS1_2_VERSION, TLS1_2_VERSION, &TLSv1_2_method);
742 ExpectDefaultVersion(TLS1_1_VERSION, TLS1_2_VERSION, &DTLS_method);
743 ExpectDefaultVersion(TLS1_1_VERSION, TLS1_1_VERSION, &DTLSv1_method);
744 ExpectDefaultVersion(TLS1_2_VERSION, TLS1_2_VERSION, &DTLSv1_2_method);
David Benjamin82c9e902014-12-12 15:55:27 -0500[diff] [blame]745}
746
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame^]747TEST(SSLTest, CipherGetStandardName) {
748 static const struct {
749 int id;
750 const char *standard_name;
751 } kTests[] = {
752 {SSL3_CK_RSA_DES_192_CBC3_SHA, "TLS_RSA_WITH_3DES_EDE_CBC_SHA"},
753 {TLS1_CK_RSA_WITH_AES_128_SHA, "TLS_RSA_WITH_AES_128_CBC_SHA"},
754 {TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
755 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"},
756 {TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
757 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"},
758 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
759 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"},
760 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
761 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"},
762 {TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
763 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"},
764 {TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA,
765 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA"},
766 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
767 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"},
768 {TLS1_CK_AES_256_GCM_SHA384, "TLS_AES_256_GCM_SHA384"},
769 {TLS1_CK_AES_128_GCM_SHA256, "TLS_AES_128_GCM_SHA256"},
770 {TLS1_CK_CHACHA20_POLY1305_SHA256, "TLS_CHACHA20_POLY1305_SHA256"},
771 };
David Benjamin65226252015-02-05 16:49:47 -0500[diff] [blame]772
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame^]773 for (const auto &t : kTests) {
774 SCOPED_TRACE(t.standard_name);
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]775
776 const SSL_CIPHER *cipher = SSL_get_cipher_by_value(t.id & 0xffff);
777 ASSERT_TRUE(cipher);
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame^]778 EXPECT_STREQ(t.standard_name, SSL_CIPHER_standard_name(cipher));
779
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]780 bssl::UniquePtr<char> rfc_name(SSL_CIPHER_get_rfc_name(cipher));
781 ASSERT_TRUE(rfc_name);
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame^]782 EXPECT_STREQ(t.standard_name, rfc_name.get());
David Benjamin65226252015-02-05 16:49:47 -0500[diff] [blame]783 }
David Benjamin65226252015-02-05 16:49:47 -0500[diff] [blame]784}
785
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]786// CreateSessionWithTicket returns a sample |SSL_SESSION| with the specified
787// version and ticket length or nullptr on failure.
788static bssl::UniquePtr<SSL_SESSION> CreateSessionWithTicket(uint16_t version,
789 size_t ticket_len) {
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]790 std::vector<uint8_t> der;
791 if (!DecodeBase64(&der, kOpenSSLSession)) {
792 return nullptr;
793 }
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]794
795 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
796 if (!ssl_ctx) {
797 return nullptr;
798 }
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]799 bssl::UniquePtr<SSL_SESSION> session(
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]800 SSL_SESSION_from_bytes(der.data(), der.size(), ssl_ctx.get()));
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]801 if (!session) {
802 return nullptr;
803 }
804
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]805 session->ssl_version = version;
806
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]807 // Swap out the ticket for a garbage one.
808 OPENSSL_free(session->tlsext_tick);
809 session->tlsext_tick = reinterpret_cast<uint8_t*>(OPENSSL_malloc(ticket_len));
810 if (session->tlsext_tick == nullptr) {
811 return nullptr;
812 }
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]813 OPENSSL_memset(session->tlsext_tick, 'a', ticket_len);
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]814 session->tlsext_ticklen = ticket_len;
David Benjamin1269ddd2015-10-18 15:18:55 -0400[diff] [blame]815
816 // Fix up the timeout.
David Benjamin9b63f292016-11-15 00:44:05 -0500[diff] [blame]817#if defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE)
818 session->time = 1234;
819#else
David Benjamin1269ddd2015-10-18 15:18:55 -0400[diff] [blame]820 session->time = time(NULL);
David Benjamin9b63f292016-11-15 00:44:05 -0500[diff] [blame]821#endif
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]822 return session;
823}
824
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]825static bool GetClientHello(SSL *ssl, std::vector<uint8_t> *out) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]826 bssl::UniquePtr<BIO> bio(BIO_new(BIO_s_mem()));
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]827 if (!bio) {
828 return false;
829 }
830 // Do not configure a reading BIO, but record what's written to a memory BIO.
David Benjamin96a16cd2016-08-11 12:14:47 -0400[diff] [blame]831 BIO_up_ref(bio.get());
832 SSL_set_bio(ssl, nullptr /* rbio */, bio.get());
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]833 int ret = SSL_connect(ssl);
834 if (ret > 0) {
835 // SSL_connect should fail without a BIO to write to.
836 return false;
837 }
838 ERR_clear_error();
839
840 const uint8_t *client_hello;
841 size_t client_hello_len;
842 if (!BIO_mem_contents(bio.get(), &client_hello, &client_hello_len)) {
843 return false;
844 }
845 *out = std::vector<uint8_t>(client_hello, client_hello + client_hello_len);
846 return true;
847}
848
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]849// GetClientHelloLen creates a client SSL connection with the specified version
850// and ticket length. It returns the length of the ClientHello, not including
851// the record header, on success and zero on error.
852static size_t GetClientHelloLen(uint16_t max_version, uint16_t session_version,
853 size_t ticket_len) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]854 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]855 bssl::UniquePtr<SSL_SESSION> session =
856 CreateSessionWithTicket(session_version, ticket_len);
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]857 if (!ctx || !session) {
858 return 0;
859 }
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]860
861 // Set a one-element cipher list so the baseline ClientHello is unpadded.
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]862 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
Steven Valdez2c62fe92016-10-14 12:08:12 -0400[diff] [blame]863 if (!ssl || !SSL_set_session(ssl.get(), session.get()) ||
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]864 !SSL_set_strict_cipher_list(ssl.get(), "ECDHE-RSA-AES128-GCM-SHA256") ||
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]865 !SSL_set_max_proto_version(ssl.get(), max_version)) {
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]866 return 0;
867 }
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]868
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]869 std::vector<uint8_t> client_hello;
870 if (!GetClientHello(ssl.get(), &client_hello) ||
871 client_hello.size() <= SSL3_RT_HEADER_LENGTH) {
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]872 return 0;
873 }
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]874
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]875 return client_hello.size() - SSL3_RT_HEADER_LENGTH;
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]876}
877
878struct PaddingTest {
879 size_t input_len, padded_len;
880};
881
882static const PaddingTest kPaddingTests[] = {
883 // ClientHellos of length below 0x100 do not require padding.
884 {0xfe, 0xfe},
885 {0xff, 0xff},
886 // ClientHellos of length 0x100 through 0x1fb are padded up to 0x200.
887 {0x100, 0x200},
888 {0x123, 0x200},
889 {0x1fb, 0x200},
890 // ClientHellos of length 0x1fc through 0x1ff get padded beyond 0x200. The
891 // padding extension takes a minimum of four bytes plus one required content
892 // byte. (To work around yet more server bugs, we avoid empty final
893 // extensions.)
894 {0x1fc, 0x201},
895 {0x1fd, 0x202},
896 {0x1fe, 0x203},
897 {0x1ff, 0x204},
898 // Finally, larger ClientHellos need no padding.
899 {0x200, 0x200},
900 {0x201, 0x201},
901};
902
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]903static bool TestPaddingExtension(uint16_t max_version,
904 uint16_t session_version) {
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]905 // Sample a baseline length.
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]906 size_t base_len = GetClientHelloLen(max_version, session_version, 1);
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]907 if (base_len == 0) {
908 return false;
909 }
910
911 for (const PaddingTest &test : kPaddingTests) {
912 if (base_len > test.input_len) {
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]913 fprintf(stderr,
914 "Baseline ClientHello too long (max_version = %04x, "
915 "session_version = %04x).\n",
916 max_version, session_version);
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]917 return false;
918 }
919
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]920 size_t padded_len = GetClientHelloLen(max_version, session_version,
921 1 + test.input_len - base_len);
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]922 if (padded_len != test.padded_len) {
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]923 fprintf(stderr,
924 "%u-byte ClientHello padded to %u bytes, not %u (max_version = "
925 "%04x, session_version = %04x).\n",
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]926 static_cast<unsigned>(test.input_len),
927 static_cast<unsigned>(padded_len),
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]928 static_cast<unsigned>(test.padded_len), max_version,
929 session_version);
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]930 return false;
931 }
932 }
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]933
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]934 return true;
935}
936
David Benjamin1d128f32015-09-08 17:41:40 -0400[diff] [blame]937// Test that |SSL_get_client_CA_list| echoes back the configured parameter even
938// before configuring as a server.
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]939TEST(SSLTest, ClientCAList) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]940 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]941 ASSERT_TRUE(ctx);
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]942 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]943 ASSERT_TRUE(ssl);
David Benjamin1d128f32015-09-08 17:41:40 -0400[diff] [blame]944
Adam Langley34b4c822017-02-02 10:57:17 -0800[diff] [blame]945 bssl::UniquePtr<X509_NAME> name(X509_NAME_new());
946 ASSERT_TRUE(name);
David Benjamin1d128f32015-09-08 17:41:40 -0400[diff] [blame]947
Adam Langley34b4c822017-02-02 10:57:17 -0800[diff] [blame]948 bssl::UniquePtr<X509_NAME> name_dup(X509_NAME_dup(name.get()));
949 ASSERT_TRUE(name_dup);
950
951 bssl::UniquePtr<STACK_OF(X509_NAME)> stack(sk_X509_NAME_new_null());
952 ASSERT_TRUE(stack);
953
954 ASSERT_TRUE(sk_X509_NAME_push(stack.get(), name_dup.get()));
955 name_dup.release();
956
957 // |SSL_set_client_CA_list| takes ownership.
958 SSL_set_client_CA_list(ssl.get(), stack.release());
959
960 STACK_OF(X509_NAME) *result = SSL_get_client_CA_list(ssl.get());
961 ASSERT_TRUE(result);
962 ASSERT_EQ(1u, sk_X509_NAME_num(result));
963 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(result, 0), name.get()));
David Benjamin1d128f32015-09-08 17:41:40 -0400[diff] [blame]964}
965
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]966static void AppendSession(SSL_SESSION *session, void *arg) {
967 std::vector<SSL_SESSION*> *out =
968 reinterpret_cast<std::vector<SSL_SESSION*>*>(arg);
969 out->push_back(session);
970}
971
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]972// CacheEquals returns true if |ctx|'s session cache consists of |expected|, in
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]973// order.
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]974static bool CacheEquals(SSL_CTX *ctx,
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]975 const std::vector<SSL_SESSION*> &expected) {
976 // Check the linked list.
977 SSL_SESSION *ptr = ctx->session_cache_head;
978 for (SSL_SESSION *session : expected) {
979 if (ptr != session) {
980 return false;
981 }
982 // TODO(davidben): This is an absurd way to denote the end of the list.
983 if (ptr->next ==
984 reinterpret_cast<SSL_SESSION *>(&ctx->session_cache_tail)) {
985 ptr = nullptr;
986 } else {
987 ptr = ptr->next;
988 }
989 }
990 if (ptr != nullptr) {
991 return false;
992 }
993
994 // Check the hash table.
995 std::vector<SSL_SESSION*> actual, expected_copy;
996 lh_SSL_SESSION_doall_arg(SSL_CTX_sessions(ctx), AppendSession, &actual);
997 expected_copy = expected;
998
999 std::sort(actual.begin(), actual.end());
1000 std::sort(expected_copy.begin(), expected_copy.end());
1001
1002 return actual == expected_copy;
1003}
1004
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1005static bssl::UniquePtr<SSL_SESSION> CreateTestSession(uint32_t number) {
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]1006 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
1007 if (!ssl_ctx) {
1008 return nullptr;
1009 }
1010 bssl::UniquePtr<SSL_SESSION> ret(SSL_SESSION_new(ssl_ctx.get()));
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1011 if (!ret) {
1012 return nullptr;
1013 }
1014
1015 ret->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]1016 OPENSSL_memset(ret->session_id, 0, ret->session_id_length);
1017 OPENSSL_memcpy(ret->session_id, &number, sizeof(number));
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1018 return ret;
1019}
1020
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1021// Test that the internal session cache behaves as expected.
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1022TEST(SSLTest, InternalSessionCache) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1023 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1024 ASSERT_TRUE(ctx);
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1025
1026 // Prepare 10 test sessions.
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1027 std::vector<bssl::UniquePtr<SSL_SESSION>> sessions;
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1028 for (int i = 0; i < 10; i++) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1029 bssl::UniquePtr<SSL_SESSION> session = CreateTestSession(i);
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1030 ASSERT_TRUE(session);
David Benjamin4f6acaf2015-11-21 03:00:50 -0500[diff] [blame]1031 sessions.push_back(std::move(session));
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1032 }
1033
1034 SSL_CTX_sess_set_cache_size(ctx.get(), 5);
1035
1036 // Insert all the test sessions.
David Benjamin4f6acaf2015-11-21 03:00:50 -0500[diff] [blame]1037 for (const auto &session : sessions) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1038 ASSERT_TRUE(SSL_CTX_add_session(ctx.get(), session.get()));
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1039 }
1040
1041 // Only the last five should be in the list.
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1042 ASSERT_TRUE(CacheEquals(
1043 ctx.get(), {sessions[9].get(), sessions[8].get(), sessions[7].get(),
1044 sessions[6].get(), sessions[5].get()}));
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1045
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1046 // Inserting an element already in the cache should fail and leave the cache
1047 // unchanged.
1048 ASSERT_FALSE(SSL_CTX_add_session(ctx.get(), sessions[7].get()));
1049 ASSERT_TRUE(CacheEquals(
1050 ctx.get(), {sessions[9].get(), sessions[8].get(), sessions[7].get(),
1051 sessions[6].get(), sessions[5].get()}));
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1052
1053 // Although collisions should be impossible (256-bit session IDs), the cache
1054 // must handle them gracefully.
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1055 bssl::UniquePtr<SSL_SESSION> collision(CreateTestSession(7));
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1056 ASSERT_TRUE(collision);
1057 ASSERT_TRUE(SSL_CTX_add_session(ctx.get(), collision.get()));
1058 ASSERT_TRUE(CacheEquals(
1059 ctx.get(), {collision.get(), sessions[9].get(), sessions[8].get(),
1060 sessions[6].get(), sessions[5].get()}));
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1061
1062 // Removing sessions behaves correctly.
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1063 ASSERT_TRUE(SSL_CTX_remove_session(ctx.get(), sessions[6].get()));
1064 ASSERT_TRUE(CacheEquals(ctx.get(), {collision.get(), sessions[9].get(),
1065 sessions[8].get(), sessions[5].get()}));
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1066
1067 // Removing sessions requires an exact match.
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1068 ASSERT_FALSE(SSL_CTX_remove_session(ctx.get(), sessions[0].get()));
1069 ASSERT_FALSE(SSL_CTX_remove_session(ctx.get(), sessions[7].get()));
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1070
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1071 // The cache remains unchanged.
1072 ASSERT_TRUE(CacheEquals(ctx.get(), {collision.get(), sessions[9].get(),
1073 sessions[8].get(), sessions[5].get()}));
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1074}
1075
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1076static uint16_t EpochFromSequence(uint64_t seq) {
1077 return static_cast<uint16_t>(seq >> 48);
1078}
1079
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1080static bssl::UniquePtr<X509> GetTestCertificate() {
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1081 static const char kCertPEM[] =
1082 "-----BEGIN CERTIFICATE-----\n"
1083 "MIICWDCCAcGgAwIBAgIJAPuwTC6rEJsMMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV\n"
1084 "BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX\n"
1085 "aWRnaXRzIFB0eSBMdGQwHhcNMTQwNDIzMjA1MDQwWhcNMTcwNDIyMjA1MDQwWjBF\n"
1086 "MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50\n"
1087 "ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\n"
1088 "gQDYK8imMuRi/03z0K1Zi0WnvfFHvwlYeyK9Na6XJYaUoIDAtB92kWdGMdAQhLci\n"
1089 "HnAjkXLI6W15OoV3gA/ElRZ1xUpxTMhjP6PyY5wqT5r6y8FxbiiFKKAnHmUcrgfV\n"
1090 "W28tQ+0rkLGMryRtrukXOgXBv7gcrmU7G1jC2a7WqmeI8QIDAQABo1AwTjAdBgNV\n"
1091 "HQ4EFgQUi3XVrMsIvg4fZbf6Vr5sp3Xaha8wHwYDVR0jBBgwFoAUi3XVrMsIvg4f\n"
1092 "Zbf6Vr5sp3Xaha8wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQA76Hht\n"
1093 "ldY9avcTGSwbwoiuIqv0jTL1fHFnzy3RHMLDh+Lpvolc5DSrSJHCP5WuK0eeJXhr\n"
1094 "T5oQpHL9z/cCDLAKCKRa4uV0fhEdOWBqyR9p8y5jJtye72t6CuFUV5iqcpF4BH4f\n"
1095 "j2VNHwsSrJwkD4QUGlUtH7vwnQmyCFxZMmWAJg==\n"
1096 "-----END CERTIFICATE-----\n";
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1097 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(kCertPEM, strlen(kCertPEM)));
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]1098 return bssl::UniquePtr<X509>(
1099 PEM_read_bio_X509(bio.get(), nullptr, nullptr, nullptr));
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1100}
1101
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1102static bssl::UniquePtr<EVP_PKEY> GetTestKey() {
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1103 static const char kKeyPEM[] =
1104 "-----BEGIN RSA PRIVATE KEY-----\n"
1105 "MIICXgIBAAKBgQDYK8imMuRi/03z0K1Zi0WnvfFHvwlYeyK9Na6XJYaUoIDAtB92\n"
1106 "kWdGMdAQhLciHnAjkXLI6W15OoV3gA/ElRZ1xUpxTMhjP6PyY5wqT5r6y8FxbiiF\n"
1107 "KKAnHmUcrgfVW28tQ+0rkLGMryRtrukXOgXBv7gcrmU7G1jC2a7WqmeI8QIDAQAB\n"
1108 "AoGBAIBy09Fd4DOq/Ijp8HeKuCMKTHqTW1xGHshLQ6jwVV2vWZIn9aIgmDsvkjCe\n"
1109 "i6ssZvnbjVcwzSoByhjN8ZCf/i15HECWDFFh6gt0P5z0MnChwzZmvatV/FXCT0j+\n"
1110 "WmGNB/gkehKjGXLLcjTb6dRYVJSCZhVuOLLcbWIV10gggJQBAkEA8S8sGe4ezyyZ\n"
1111 "m4e9r95g6s43kPqtj5rewTsUxt+2n4eVodD+ZUlCULWVNAFLkYRTBCASlSrm9Xhj\n"
1112 "QpmWAHJUkQJBAOVzQdFUaewLtdOJoPCtpYoY1zd22eae8TQEmpGOR11L6kbxLQsk\n"
1113 "aMly/DOnOaa82tqAGTdqDEZgSNmCeKKknmECQAvpnY8GUOVAubGR6c+W90iBuQLj\n"
1114 "LtFp/9ihd2w/PoDwrHZaoUYVcT4VSfJQog/k7kjE4MYXYWL8eEKg3WTWQNECQQDk\n"
1115 "104Wi91Umd1PzF0ijd2jXOERJU1wEKe6XLkYYNHWQAe5l4J4MWj9OdxFXAxIuuR/\n"
1116 "tfDwbqkta4xcux67//khAkEAvvRXLHTaa6VFzTaiiO8SaFsHV3lQyXOtMrBpB5jd\n"
1117 "moZWgjHvB2W9Ckn7sDqsPB+U2tyX0joDdQEyuiMECDY8oQ==\n"
1118 "-----END RSA PRIVATE KEY-----\n";
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1119 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(kKeyPEM, strlen(kKeyPEM)));
1120 return bssl::UniquePtr<EVP_PKEY>(
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1121 PEM_read_bio_PrivateKey(bio.get(), nullptr, nullptr, nullptr));
1122}
1123
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1124static bssl::UniquePtr<X509> GetECDSATestCertificate() {
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]1125 static const char kCertPEM[] =
1126 "-----BEGIN CERTIFICATE-----\n"
1127 "MIIBzzCCAXagAwIBAgIJANlMBNpJfb/rMAkGByqGSM49BAEwRTELMAkGA1UEBhMC\n"
1128 "QVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdp\n"
1129 "dHMgUHR5IEx0ZDAeFw0xNDA0MjMyMzIxNTdaFw0xNDA1MjMyMzIxNTdaMEUxCzAJ\n"
1130 "BgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5l\n"
1131 "dCBXaWRnaXRzIFB0eSBMdGQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATmK2ni\n"
1132 "v2Wfl74vHg2UikzVl2u3qR4NRvvdqakendy6WgHn1peoChj5w8SjHlbifINI2xYa\n"
1133 "HPUdfvGULUvPciLBo1AwTjAdBgNVHQ4EFgQUq4TSrKuV8IJOFngHVVdf5CaNgtEw\n"
1134 "HwYDVR0jBBgwFoAUq4TSrKuV8IJOFngHVVdf5CaNgtEwDAYDVR0TBAUwAwEB/zAJ\n"
1135 "BgcqhkjOPQQBA0gAMEUCIQDyoDVeUTo2w4J5m+4nUIWOcAZ0lVfSKXQA9L4Vh13E\n"
1136 "BwIgfB55FGohg/B6dGh5XxSZmmi08cueFV7mHzJSYV51yRQ=\n"
1137 "-----END CERTIFICATE-----\n";
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1138 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(kCertPEM, strlen(kCertPEM)));
1139 return bssl::UniquePtr<X509>(PEM_read_bio_X509(bio.get(), nullptr, nullptr, nullptr));
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]1140}
1141
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1142static bssl::UniquePtr<EVP_PKEY> GetECDSATestKey() {
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]1143 static const char kKeyPEM[] =
1144 "-----BEGIN PRIVATE KEY-----\n"
1145 "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgBw8IcnrUoEqc3VnJ\n"
1146 "TYlodwi1b8ldMHcO6NHJzgqLtGqhRANCAATmK2niv2Wfl74vHg2UikzVl2u3qR4N\n"
1147 "Rvvdqakendy6WgHn1peoChj5w8SjHlbifINI2xYaHPUdfvGULUvPciLB\n"
1148 "-----END PRIVATE KEY-----\n";
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1149 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(kKeyPEM, strlen(kKeyPEM)));
1150 return bssl::UniquePtr<EVP_PKEY>(
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]1151 PEM_read_bio_PrivateKey(bio.get(), nullptr, nullptr, nullptr));
1152}
1153
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]1154static bssl::UniquePtr<CRYPTO_BUFFER> BufferFromPEM(const char *pem) {
1155 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(pem, strlen(pem)));
1156 char *name, *header;
1157 uint8_t *data;
1158 long data_len;
1159 if (!PEM_read_bio(bio.get(), &name, &header, &data,
1160 &data_len)) {
1161 return nullptr;
1162 }
1163 OPENSSL_free(name);
1164 OPENSSL_free(header);
1165
1166 auto ret = bssl::UniquePtr<CRYPTO_BUFFER>(
1167 CRYPTO_BUFFER_new(data, data_len, nullptr));
1168 OPENSSL_free(data);
1169 return ret;
1170}
1171
1172static bssl::UniquePtr<CRYPTO_BUFFER> GetChainTestCertificateBuffer() {
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]1173 static const char kCertPEM[] =
1174 "-----BEGIN CERTIFICATE-----\n"
1175 "MIIC0jCCAbqgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEQiBD\n"
1176 "QTAeFw0xNjAyMjgyMDI3MDNaFw0yNjAyMjUyMDI3MDNaMBgxFjAUBgNVBAMMDUNs\n"
1177 "aWVudCBDZXJ0IEEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDRvaz8\n"
1178 "CC/cshpCafJo4jLkHEoBqDLhdgFelJoAiQUyIqyWl2O7YHPnpJH+TgR7oelzNzt/\n"
1179 "kLRcH89M/TszB6zqyLTC4aqmvzKL0peD/jL2LWBucR0WXIvjA3zoRuF/x86+rYH3\n"
1180 "tHb+xs2PSs8EGL/Ev+ss+qTzTGEn26fuGNHkNw6tOwPpc+o8+wUtzf/kAthamo+c\n"
1181 "IDs2rQ+lP7+aLZTLeU/q4gcLutlzcK5imex5xy2jPkweq48kijK0kIzl1cPlA5d1\n"
1182 "z7C8jU50Pj9X9sQDJTN32j7UYRisJeeYQF8GaaN8SbrDI6zHgKzrRLyxDt/KQa9V\n"
1183 "iLeXANgZi+Xx9KgfAgMBAAGjLzAtMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYI\n"
1184 "KwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQBFEVbmYl+2RtNw\n"
1185 "rDftRDF1v2QUbcN2ouSnQDHxeDQdSgasLzT3ui8iYu0Rw2WWcZ0DV5e0ztGPhWq7\n"
1186 "AO0B120aFRMOY+4+bzu9Q2FFkQqc7/fKTvTDzIJI5wrMnFvUfzzvxh3OHWMYSs/w\n"
1187 "giq33hTKeHEq6Jyk3btCny0Ycecyc3yGXH10sizUfiHlhviCkDuESk8mFDwDDzqW\n"
1188 "ZF0IipzFbEDHoIxLlm3GQxpiLoEV4k8KYJp3R5KBLFyxM6UGPz8h72mIPCJp2RuK\n"
1189 "MYgF91UDvVzvnYm6TfseM2+ewKirC00GOrZ7rEcFvtxnKSqYf4ckqfNdSU1Y+RRC\n"
1190 "1ngWZ7Ih\n"
1191 "-----END CERTIFICATE-----\n";
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]1192 return BufferFromPEM(kCertPEM);
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]1193}
1194
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]1195static bssl::UniquePtr<X509> X509FromBuffer(
1196 bssl::UniquePtr<CRYPTO_BUFFER> buffer) {
1197 if (!buffer) {
1198 return nullptr;
1199 }
1200 const uint8_t *derp = CRYPTO_BUFFER_data(buffer.get());
1201 return bssl::UniquePtr<X509>(
1202 d2i_X509(NULL, &derp, CRYPTO_BUFFER_len(buffer.get())));
1203}
1204
1205static bssl::UniquePtr<X509> GetChainTestCertificate() {
1206 return X509FromBuffer(GetChainTestCertificateBuffer());
1207}
1208
1209static bssl::UniquePtr<CRYPTO_BUFFER> GetChainTestIntermediateBuffer() {
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]1210 static const char kCertPEM[] =
1211 "-----BEGIN CERTIFICATE-----\n"
1212 "MIICwjCCAaqgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwFDESMBAGA1UEAwwJQyBS\n"
1213 "b290IENBMB4XDTE2MDIyODIwMjcwM1oXDTI2MDIyNTIwMjcwM1owDzENMAsGA1UE\n"
1214 "AwwEQiBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALsSCYmDip2D\n"
1215 "GkjFxw7ykz26JSjELkl6ArlYjFJ3aT/SCh8qbS4gln7RH8CPBd78oFdfhIKQrwtZ\n"
1216 "3/q21ykD9BAS3qHe2YdcJfm8/kWAy5DvXk6NXU4qX334KofBAEpgdA/igEFq1P1l\n"
1217 "HAuIfZCpMRfT+i5WohVsGi8f/NgpRvVaMONLNfgw57mz1lbtFeBEISmX0kbsuJxF\n"
1218 "Qj/Bwhi5/0HAEXG8e7zN4cEx0yPRvmOATRdVb/8dW2pwOHRJq9R5M0NUkIsTSnL7\n"
1219 "6N/z8hRAHMsV3IudC5Yd7GXW1AGu9a+iKU+Q4xcZCoj0DC99tL4VKujrV1kAeqsM\n"
1220 "cz5/dKzi6+cCAwEAAaMjMCEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
1221 "AQYwDQYJKoZIhvcNAQELBQADggEBAIIeZiEeNhWWQ8Y4D+AGDwqUUeG8NjCbKrXQ\n"
1222 "BlHg5wZ8xftFaiP1Dp/UAezmx2LNazdmuwrYB8lm3FVTyaPDTKEGIPS4wJKHgqH1\n"
1223 "QPDhqNm85ey7TEtI9oYjsNim/Rb+iGkIAMXaxt58SzxbjvP0kMr1JfJIZbic9vye\n"
1224 "NwIspMFIpP3FB8ywyu0T0hWtCQgL4J47nigCHpOu58deP88fS/Nyz/fyGVWOZ76b\n"
1225 "WhWwgM3P3X95fQ3d7oFPR/bVh0YV+Cf861INwplokXgXQ3/TCQ+HNXeAMWn3JLWv\n"
1226 "XFwk8owk9dq/kQGdndGgy3KTEW4ctPX5GNhf3LJ9Q7dLji4ReQ4=\n"
1227 "-----END CERTIFICATE-----\n";
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]1228 return BufferFromPEM(kCertPEM);
1229}
1230
1231static bssl::UniquePtr<X509> GetChainTestIntermediate() {
1232 return X509FromBuffer(GetChainTestIntermediateBuffer());
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]1233}
1234
1235static bssl::UniquePtr<EVP_PKEY> GetChainTestKey() {
1236 static const char kKeyPEM[] =
1237 "-----BEGIN PRIVATE KEY-----\n"
1238 "MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDRvaz8CC/cshpC\n"
1239 "afJo4jLkHEoBqDLhdgFelJoAiQUyIqyWl2O7YHPnpJH+TgR7oelzNzt/kLRcH89M\n"
1240 "/TszB6zqyLTC4aqmvzKL0peD/jL2LWBucR0WXIvjA3zoRuF/x86+rYH3tHb+xs2P\n"
1241 "Ss8EGL/Ev+ss+qTzTGEn26fuGNHkNw6tOwPpc+o8+wUtzf/kAthamo+cIDs2rQ+l\n"
1242 "P7+aLZTLeU/q4gcLutlzcK5imex5xy2jPkweq48kijK0kIzl1cPlA5d1z7C8jU50\n"
1243 "Pj9X9sQDJTN32j7UYRisJeeYQF8GaaN8SbrDI6zHgKzrRLyxDt/KQa9ViLeXANgZ\n"
1244 "i+Xx9KgfAgMBAAECggEBAK0VjSJzkyPaamcyTVSWjo7GdaBGcK60lk657RjR+lK0\n"
1245 "YJ7pkej4oM2hdsVZFsP8Cs4E33nXLa/0pDsRov/qrp0WQm2skwqGMC1I/bZ0WRPk\n"
1246 "wHaDrBBfESWnJDX/AGpVtlyOjPmgmK6J2usMPihQUDkKdAYrVWJePrMIxt1q6BMe\n"
1247 "iczs3qriMmtY3bUc4UyUwJ5fhDLjshHvfuIpYQyI6EXZM6dZksn9LylXJnigY6QJ\n"
1248 "HxOYO0BDwOsZ8yQ8J8afLk88i0GizEkgE1z3REtQUwgWfxr1WV/ud+T6/ZhSAgH9\n"
1249 "042mQvSFZnIUSEsmCvjhWuAunfxHKCTcAoYISWfzWpkCgYEA7gpf3HHU5Tn+CgUn\n"
1250 "1X5uGpG3DmcMgfeGgs2r2f/IIg/5Ac1dfYILiybL1tN9zbyLCJfcbFpWBc9hJL6f\n"
1251 "CPc5hUiwWFJqBJewxQkC1Ae/HakHbip+IZ+Jr0842O4BAArvixk4Lb7/N2Ct9sTE\n"
1252 "NJO6RtK9lbEZ5uK61DglHy8CS2UCgYEA4ZC1o36kPAMQBggajgnucb2yuUEelk0f\n"
1253 "AEr+GI32MGE+93xMr7rAhBoqLg4AITyIfEnOSQ5HwagnIHonBbv1LV/Gf9ursx8Z\n"
1254 "YOGbvT8zzzC+SU1bkDzdjAYnFQVGIjMtKOBJ3K07++ypwX1fr4QsQ8uKL8WSOWwt\n"
1255 "Z3Bym6XiZzMCgYADnhy+2OwHX85AkLt+PyGlPbmuelpyTzS4IDAQbBa6jcuW/2wA\n"
1256 "UE2km75VUXmD+u2R/9zVuLm99NzhFhSMqlUxdV1YukfqMfP5yp1EY6m/5aW7QuIP\n"
1257 "2MDa7TVL9rIFMiVZ09RKvbBbQxjhuzPQKL6X/PPspnhiTefQ+dl2k9xREQKBgHDS\n"
1258 "fMfGNEeAEKezrfSVqxphE9/tXms3L+ZpnCaT+yu/uEr5dTIAawKoQ6i9f/sf1/Sy\n"
1259 "xedsqR+IB+oKrzIDDWMgoJybN4pkZ8E5lzhVQIjFjKgFdWLzzqyW9z1gYfABQPlN\n"
1260 "FiS20WX0vgP1vcKAjdNrHzc9zyHBpgQzDmAj3NZZAoGBAI8vKCKdH7w3aL5CNkZQ\n"
1261 "2buIeWNA2HZazVwAGG5F2TU/LmXfRKnG6dX5bkU+AkBZh56jNZy//hfFSewJB4Kk\n"
1262 "buB7ERSdaNbO21zXt9FEA3+z0RfMd/Zv2vlIWOSB5nzl/7UKti3sribK6s9ZVLfi\n"
1263 "SxpiPQ8d/hmSGwn4ksrWUsJD\n"
1264 "-----END PRIVATE KEY-----\n";
1265 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(kKeyPEM, strlen(kKeyPEM)));
1266 return bssl::UniquePtr<EVP_PKEY>(
1267 PEM_read_bio_PrivateKey(bio.get(), nullptr, nullptr, nullptr));
1268}
1269
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]1270static bool CompleteHandshakes(SSL *client, SSL *server) {
1271 // Drive both their handshakes to completion.
1272 for (;;) {
1273 int client_ret = SSL_do_handshake(client);
1274 int client_err = SSL_get_error(client, client_ret);
1275 if (client_err != SSL_ERROR_NONE &&
1276 client_err != SSL_ERROR_WANT_READ &&
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]1277 client_err != SSL_ERROR_WANT_WRITE &&
1278 client_err != SSL_ERROR_PENDING_TICKET) {
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]1279 fprintf(stderr, "Client error: %d\n", client_err);
1280 return false;
1281 }
1282
1283 int server_ret = SSL_do_handshake(server);
1284 int server_err = SSL_get_error(server, server_ret);
1285 if (server_err != SSL_ERROR_NONE &&
1286 server_err != SSL_ERROR_WANT_READ &&
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]1287 server_err != SSL_ERROR_WANT_WRITE &&
1288 server_err != SSL_ERROR_PENDING_TICKET) {
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]1289 fprintf(stderr, "Server error: %d\n", server_err);
1290 return false;
1291 }
1292
1293 if (client_ret == 1 && server_ret == 1) {
1294 break;
1295 }
1296 }
1297
1298 return true;
1299}
1300
1301static bool ConnectClientAndServer(bssl::UniquePtr<SSL> *out_client,
1302 bssl::UniquePtr<SSL> *out_server,
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]1303 SSL_CTX *client_ctx, SSL_CTX *server_ctx,
1304 SSL_SESSION *session) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1305 bssl::UniquePtr<SSL> client(SSL_new(client_ctx)), server(SSL_new(server_ctx));
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1306 if (!client || !server) {
1307 return false;
1308 }
1309 SSL_set_connect_state(client.get());
1310 SSL_set_accept_state(server.get());
1311
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]1312 SSL_set_session(client.get(), session);
1313
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1314 BIO *bio1, *bio2;
1315 if (!BIO_new_bio_pair(&bio1, 0, &bio2, 0)) {
1316 return false;
1317 }
1318 // SSL_set_bio takes ownership.
1319 SSL_set_bio(client.get(), bio1, bio1);
1320 SSL_set_bio(server.get(), bio2, bio2);
1321
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]1322 if (!CompleteHandshakes(client.get(), server.get())) {
1323 return false;
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1324 }
1325
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1326 *out_client = std::move(client);
1327 *out_server = std::move(server);
1328 return true;
1329}
1330
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1331static bool TestSequenceNumber(bool is_dtls, const SSL_METHOD *method,
1332 uint16_t version) {
1333 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method));
1334 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method));
1335 if (!server_ctx || !client_ctx ||
1336 !SSL_CTX_set_min_proto_version(client_ctx.get(), version) ||
1337 !SSL_CTX_set_max_proto_version(client_ctx.get(), version) ||
1338 !SSL_CTX_set_min_proto_version(server_ctx.get(), version) ||
1339 !SSL_CTX_set_max_proto_version(server_ctx.get(), version)) {
1340 return false;
1341 }
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1342
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1343 bssl::UniquePtr<X509> cert = GetTestCertificate();
1344 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
1345 if (!cert || !key || !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) ||
1346 !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get())) {
1347 return false;
1348 }
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1349
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1350 bssl::UniquePtr<SSL> client, server;
1351 if (!ConnectClientAndServer(&client, &server, client_ctx.get(),
1352 server_ctx.get(), nullptr /* no session */)) {
1353 return false;
1354 }
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1355
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1356 // Drain any post-handshake messages to ensure there are no unread records
1357 // on either end.
1358 uint8_t byte = 0;
1359 if (SSL_read(client.get(), &byte, 1) > 0 ||
1360 SSL_read(server.get(), &byte, 1) > 0) {
1361 fprintf(stderr, "Received unexpected data.\n");
1362 return false;
1363 }
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1364
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1365 uint64_t client_read_seq = SSL_get_read_sequence(client.get());
1366 uint64_t client_write_seq = SSL_get_write_sequence(client.get());
1367 uint64_t server_read_seq = SSL_get_read_sequence(server.get());
1368 uint64_t server_write_seq = SSL_get_write_sequence(server.get());
Steven Valdez2c62fe92016-10-14 12:08:12 -0400[diff] [blame]1369
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1370 if (is_dtls) {
1371 // Both client and server must be at epoch 1.
1372 if (EpochFromSequence(client_read_seq) != 1 ||
1373 EpochFromSequence(client_write_seq) != 1 ||
1374 EpochFromSequence(server_read_seq) != 1 ||
1375 EpochFromSequence(server_write_seq) != 1) {
1376 fprintf(stderr, "Bad epochs.\n");
1377 return false;
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1378 }
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1379
1380 // The next record to be written should exceed the largest received.
1381 if (client_write_seq <= server_read_seq ||
1382 server_write_seq <= client_read_seq) {
1383 fprintf(stderr, "Inconsistent sequence numbers.\n");
1384 return false;
1385 }
1386 } else {
1387 // The next record to be written should equal the next to be received.
1388 if (client_write_seq != server_read_seq ||
1389 server_write_seq != client_read_seq) {
1390 fprintf(stderr, "Inconsistent sequence numbers.\n");
1391 return false;
1392 }
1393 }
1394
1395 // Send a record from client to server.
1396 if (SSL_write(client.get(), &byte, 1) != 1 ||
1397 SSL_read(server.get(), &byte, 1) != 1) {
1398 fprintf(stderr, "Could not send byte.\n");
1399 return false;
1400 }
1401
1402 // The client write and server read sequence numbers should have
1403 // incremented.
1404 if (client_write_seq + 1 != SSL_get_write_sequence(client.get()) ||
1405 server_read_seq + 1 != SSL_get_read_sequence(server.get())) {
1406 fprintf(stderr, "Sequence numbers did not increment.\n");
1407 return false;
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1408 }
1409
1410 return true;
1411}
1412
David Benjamin68f37b72016-11-18 15:14:42 +0900[diff] [blame]1413static bool TestOneSidedShutdown(bool is_dtls, const SSL_METHOD *method,
1414 uint16_t version) {
1415 // SSL_shutdown is a no-op in DTLS.
1416 if (is_dtls) {
1417 return true;
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1418 }
1419
David Benjamin68f37b72016-11-18 15:14:42 +0900[diff] [blame]1420 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method));
1421 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method));
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1422 bssl::UniquePtr<X509> cert = GetTestCertificate();
1423 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
David Benjamin68f37b72016-11-18 15:14:42 +0900[diff] [blame]1424 if (!client_ctx || !server_ctx || !cert || !key ||
1425 !SSL_CTX_set_min_proto_version(server_ctx.get(), version) ||
1426 !SSL_CTX_set_max_proto_version(server_ctx.get(), version) ||
1427 !SSL_CTX_set_min_proto_version(client_ctx.get(), version) ||
1428 !SSL_CTX_set_max_proto_version(client_ctx.get(), version) ||
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1429 !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) ||
1430 !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get())) {
1431 return false;
1432 }
1433
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1434 bssl::UniquePtr<SSL> client, server;
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1435 if (!ConnectClientAndServer(&client, &server, client_ctx.get(),
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]1436 server_ctx.get(), nullptr /* no session */)) {
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1437 return false;
1438 }
1439
1440 // Shut down half the connection. SSL_shutdown will return 0 to signal only
1441 // one side has shut down.
1442 if (SSL_shutdown(client.get()) != 0) {
1443 fprintf(stderr, "Could not shutdown.\n");
1444 return false;
1445 }
1446
1447 // Reading from the server should consume the EOF.
1448 uint8_t byte;
1449 if (SSL_read(server.get(), &byte, 1) != 0 ||
1450 SSL_get_error(server.get(), 0) != SSL_ERROR_ZERO_RETURN) {
1451 fprintf(stderr, "Connection was not shut down cleanly.\n");
1452 return false;
1453 }
1454
1455 // However, the server may continue to write data and then shut down the
1456 // connection.
1457 byte = 42;
1458 if (SSL_write(server.get(), &byte, 1) != 1 ||
1459 SSL_read(client.get(), &byte, 1) != 1 ||
1460 byte != 42) {
1461 fprintf(stderr, "Could not send byte.\n");
1462 return false;
1463 }
1464
1465 // The server may then shutdown the connection.
1466 if (SSL_shutdown(server.get()) != 1 ||
1467 SSL_shutdown(client.get()) != 1) {
1468 fprintf(stderr, "Could not complete shutdown.\n");
1469 return false;
1470 }
1471
1472 return true;
1473}
David Benjamin68f37b72016-11-18 15:14:42 +0900[diff] [blame]1474
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1475TEST(SSLTest, SessionDuplication) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1476 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
1477 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1478 ASSERT_TRUE(client_ctx);
1479 ASSERT_TRUE(server_ctx);
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]1480
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1481 bssl::UniquePtr<X509> cert = GetTestCertificate();
1482 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1483 ASSERT_TRUE(cert);
1484 ASSERT_TRUE(key);
1485 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
1486 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]1487
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1488 bssl::UniquePtr<SSL> client, server;
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1489 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
1490 server_ctx.get(),
1491 nullptr /* no session */));
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]1492
1493 SSL_SESSION *session0 = SSL_get_session(client.get());
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1494 bssl::UniquePtr<SSL_SESSION> session1(
1495 SSL_SESSION_dup(session0, SSL_SESSION_DUP_ALL));
1496 ASSERT_TRUE(session1);
David Benjamin4501bd52016-08-01 13:39:41 -0400[diff] [blame]1497
Steven Valdez84b5c002016-08-25 16:30:58 -0400[diff] [blame]1498 session1->not_resumable = 0;
1499
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]1500 uint8_t *s0_bytes, *s1_bytes;
1501 size_t s0_len, s1_len;
1502
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1503 ASSERT_TRUE(SSL_SESSION_to_bytes(session0, &s0_bytes, &s0_len));
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1504 bssl::UniquePtr<uint8_t> free_s0(s0_bytes);
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]1505
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1506 ASSERT_TRUE(SSL_SESSION_to_bytes(session1.get(), &s1_bytes, &s1_len));
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1507 bssl::UniquePtr<uint8_t> free_s1(s1_bytes);
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]1508
David Benjamin7d7554b2017-02-04 11:48:59 -0500[diff] [blame]1509 EXPECT_EQ(Bytes(s0_bytes, s0_len), Bytes(s1_bytes, s1_len));
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]1510}
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1511
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1512static void ExpectFDs(const SSL *ssl, int rfd, int wfd) {
David Benjaminca743582017-06-15 17:51:35 -0400[diff] [blame]1513 EXPECT_EQ(rfd, SSL_get_fd(ssl));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1514 EXPECT_EQ(rfd, SSL_get_rfd(ssl));
1515 EXPECT_EQ(wfd, SSL_get_wfd(ssl));
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1516
1517 // The wrapper BIOs are always equal when fds are equal, even if set
1518 // individually.
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1519 if (rfd == wfd) {
1520 EXPECT_EQ(SSL_get_rbio(ssl), SSL_get_wbio(ssl));
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1521 }
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1522}
1523
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1524TEST(SSLTest, SetFD) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1525 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1526 ASSERT_TRUE(ctx);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1527
1528 // Test setting different read and write FDs.
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1529 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1530 ASSERT_TRUE(ssl);
1531 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
1532 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 2));
1533 ExpectFDs(ssl.get(), 1, 2);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1534
1535 // Test setting the same FD.
1536 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1537 ASSERT_TRUE(ssl);
1538 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
1539 ExpectFDs(ssl.get(), 1, 1);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1540
1541 // Test setting the same FD one side at a time.
1542 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1543 ASSERT_TRUE(ssl);
1544 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
1545 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 1));
1546 ExpectFDs(ssl.get(), 1, 1);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1547
1548 // Test setting the same FD in the other order.
1549 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1550 ASSERT_TRUE(ssl);
1551 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 1));
1552 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
1553 ExpectFDs(ssl.get(), 1, 1);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1554
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1555 // Test changing the read FD partway through.
1556 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1557 ASSERT_TRUE(ssl);
1558 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
1559 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 2));
1560 ExpectFDs(ssl.get(), 2, 1);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1561
1562 // Test changing the write FD partway through.
1563 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1564 ASSERT_TRUE(ssl);
1565 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
1566 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 2));
1567 ExpectFDs(ssl.get(), 1, 2);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1568
1569 // Test a no-op change to the read FD partway through.
1570 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1571 ASSERT_TRUE(ssl);
1572 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
1573 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
1574 ExpectFDs(ssl.get(), 1, 1);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1575
1576 // Test a no-op change to the write FD partway through.
1577 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1578 ASSERT_TRUE(ssl);
1579 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
1580 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 1));
1581 ExpectFDs(ssl.get(), 1, 1);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1582
1583 // ASan builds will implicitly test that the internal |BIO| reference-counting
1584 // is correct.
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1585}
1586
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1587TEST(SSLTest, SetBIO) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1588 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1589 ASSERT_TRUE(ctx);
David Benjamin4501bd52016-08-01 13:39:41 -0400[diff] [blame]1590
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1591 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
1592 bssl::UniquePtr<BIO> bio1(BIO_new(BIO_s_mem())), bio2(BIO_new(BIO_s_mem())),
David Benjamin4501bd52016-08-01 13:39:41 -0400[diff] [blame]1593 bio3(BIO_new(BIO_s_mem()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1594 ASSERT_TRUE(ssl);
1595 ASSERT_TRUE(bio1);
1596 ASSERT_TRUE(bio2);
1597 ASSERT_TRUE(bio3);
David Benjamin4501bd52016-08-01 13:39:41 -0400[diff] [blame]1598
1599 // SSL_set_bio takes one reference when the parameters are the same.
1600 BIO_up_ref(bio1.get());
1601 SSL_set_bio(ssl.get(), bio1.get(), bio1.get());
1602
1603 // Repeating the call does nothing.
1604 SSL_set_bio(ssl.get(), bio1.get(), bio1.get());
1605
1606 // It takes one reference each when the parameters are different.
1607 BIO_up_ref(bio2.get());
1608 BIO_up_ref(bio3.get());
1609 SSL_set_bio(ssl.get(), bio2.get(), bio3.get());
1610
1611 // Repeating the call does nothing.
1612 SSL_set_bio(ssl.get(), bio2.get(), bio3.get());
1613
1614 // It takes one reference when changing only wbio.
1615 BIO_up_ref(bio1.get());
1616 SSL_set_bio(ssl.get(), bio2.get(), bio1.get());
1617
1618 // It takes one reference when changing only rbio and the two are different.
1619 BIO_up_ref(bio3.get());
1620 SSL_set_bio(ssl.get(), bio3.get(), bio1.get());
1621
1622 // If setting wbio to rbio, it takes no additional references.
1623 SSL_set_bio(ssl.get(), bio3.get(), bio3.get());
1624
1625 // From there, wbio may be switched to something else.
1626 BIO_up_ref(bio1.get());
1627 SSL_set_bio(ssl.get(), bio3.get(), bio1.get());
1628
1629 // If setting rbio to wbio, it takes no additional references.
1630 SSL_set_bio(ssl.get(), bio1.get(), bio1.get());
1631
1632 // From there, rbio may be switched to something else, but, for historical
1633 // reasons, it takes a reference to both parameters.
1634 BIO_up_ref(bio1.get());
1635 BIO_up_ref(bio2.get());
1636 SSL_set_bio(ssl.get(), bio2.get(), bio1.get());
1637
1638 // ASAN builds will implicitly test that the internal |BIO| reference-counting
1639 // is correct.
David Benjamin4501bd52016-08-01 13:39:41 -0400[diff] [blame]1640}
1641
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]1642static int VerifySucceed(X509_STORE_CTX *store_ctx, void *arg) { return 1; }
1643
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1644static bool TestGetPeerCertificate(bool is_dtls, const SSL_METHOD *method,
1645 uint16_t version) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1646 bssl::UniquePtr<X509> cert = GetTestCertificate();
1647 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]1648 if (!cert || !key) {
1649 return false;
1650 }
1651
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1652 // Configure both client and server to accept any certificate.
1653 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method));
1654 if (!ctx ||
1655 !SSL_CTX_use_certificate(ctx.get(), cert.get()) ||
1656 !SSL_CTX_use_PrivateKey(ctx.get(), key.get()) ||
1657 !SSL_CTX_set_min_proto_version(ctx.get(), version) ||
1658 !SSL_CTX_set_max_proto_version(ctx.get(), version)) {
1659 return false;
1660 }
1661 SSL_CTX_set_verify(
1662 ctx.get(), SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nullptr);
1663 SSL_CTX_set_cert_verify_callback(ctx.get(), VerifySucceed, NULL);
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]1664
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1665 bssl::UniquePtr<SSL> client, server;
1666 if (!ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
1667 nullptr /* no session */)) {
1668 return false;
1669 }
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]1670
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1671 // Client and server should both see the leaf certificate.
1672 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(server.get()));
1673 if (!peer || X509_cmp(cert.get(), peer.get()) != 0) {
1674 fprintf(stderr, "Server peer certificate did not match.\n");
1675 return false;
1676 }
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]1677
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1678 peer.reset(SSL_get_peer_certificate(client.get()));
1679 if (!peer || X509_cmp(cert.get(), peer.get()) != 0) {
1680 fprintf(stderr, "Client peer certificate did not match.\n");
1681 return false;
1682 }
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]1683
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1684 // However, for historical reasons, the chain includes the leaf on the
1685 // client, but does not on the server.
1686 if (sk_X509_num(SSL_get_peer_cert_chain(client.get())) != 1) {
1687 fprintf(stderr, "Client peer chain was incorrect.\n");
1688 return false;
1689 }
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]1690
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1691 if (sk_X509_num(SSL_get_peer_cert_chain(server.get())) != 0) {
1692 fprintf(stderr, "Server peer chain was incorrect.\n");
1693 return false;
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]1694 }
1695
1696 return true;
1697}
1698
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1699static bool TestRetainOnlySHA256OfCerts(bool is_dtls, const SSL_METHOD *method,
1700 uint16_t version) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1701 bssl::UniquePtr<X509> cert = GetTestCertificate();
1702 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]1703 if (!cert || !key) {
1704 return false;
1705 }
1706
1707 uint8_t *cert_der = NULL;
1708 int cert_der_len = i2d_X509(cert.get(), &cert_der);
1709 if (cert_der_len < 0) {
1710 return false;
1711 }
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1712 bssl::UniquePtr<uint8_t> free_cert_der(cert_der);
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]1713
1714 uint8_t cert_sha256[SHA256_DIGEST_LENGTH];
1715 SHA256(cert_der, cert_der_len, cert_sha256);
1716
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1717 // Configure both client and server to accept any certificate, but the
1718 // server must retain only the SHA-256 of the peer.
1719 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method));
1720 if (!ctx ||
1721 !SSL_CTX_use_certificate(ctx.get(), cert.get()) ||
1722 !SSL_CTX_use_PrivateKey(ctx.get(), key.get()) ||
1723 !SSL_CTX_set_min_proto_version(ctx.get(), version) ||
1724 !SSL_CTX_set_max_proto_version(ctx.get(), version)) {
1725 return false;
1726 }
1727 SSL_CTX_set_verify(
1728 ctx.get(), SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nullptr);
1729 SSL_CTX_set_cert_verify_callback(ctx.get(), VerifySucceed, NULL);
1730 SSL_CTX_set_retain_only_sha256_of_client_certs(ctx.get(), 1);
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]1731
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1732 bssl::UniquePtr<SSL> client, server;
1733 if (!ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
1734 nullptr /* no session */)) {
1735 return false;
1736 }
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]1737
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1738 // The peer certificate has been dropped.
1739 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(server.get()));
1740 if (peer) {
1741 fprintf(stderr, "Peer certificate was retained.\n");
1742 return false;
1743 }
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]1744
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1745 SSL_SESSION *session = SSL_get_session(server.get());
1746 if (!session->peer_sha256_valid) {
1747 fprintf(stderr, "peer_sha256_valid was not set.\n");
1748 return false;
1749 }
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]1750
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]1751 if (OPENSSL_memcmp(cert_sha256, session->peer_sha256, SHA256_DIGEST_LENGTH) !=
1752 0) {
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1753 fprintf(stderr, "peer_sha256 did not match.\n");
1754 return false;
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]1755 }
1756
1757 return true;
1758}
1759
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1760static bool ClientHelloMatches(uint16_t version, const uint8_t *expected,
1761 size_t expected_len) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1762 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1763 // Our default cipher list varies by CPU capabilities, so manually place the
1764 // ChaCha20 ciphers in front.
Matthew Braithwaite7e06de52017-04-10 15:52:14 -0700[diff] [blame]1765 const char* cipher_list = "CHACHA20:ALL";
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]1766 if (!ctx ||
David Benjamin3cfeb952017-03-01 16:48:38 -0500[diff] [blame]1767 // SSLv3 is off by default.
1768 !SSL_CTX_set_min_proto_version(ctx.get(), SSL3_VERSION) ||
David Benjamine4706902016-09-20 15:12:23 -0400[diff] [blame]1769 !SSL_CTX_set_max_proto_version(ctx.get(), version) ||
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1770 !SSL_CTX_set_strict_cipher_list(ctx.get(), cipher_list)) {
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1771 return false;
1772 }
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]1773
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1774 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1775 if (!ssl) {
1776 return false;
1777 }
1778 std::vector<uint8_t> client_hello;
1779 if (!GetClientHello(ssl.get(), &client_hello)) {
1780 return false;
1781 }
1782
1783 // Zero the client_random.
1784 constexpr size_t kRandomOffset = 1 + 2 + 2 + // record header
1785 1 + 3 + // handshake message header
1786 2; // client_version
1787 if (client_hello.size() < kRandomOffset + SSL3_RANDOM_SIZE) {
1788 fprintf(stderr, "ClientHello for version %04x too short.\n", version);
1789 return false;
1790 }
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]1791 OPENSSL_memset(client_hello.data() + kRandomOffset, 0, SSL3_RANDOM_SIZE);
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1792
1793 if (client_hello.size() != expected_len ||
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]1794 OPENSSL_memcmp(client_hello.data(), expected, expected_len) != 0) {
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1795 fprintf(stderr, "ClientHello for version %04x did not match:\n", version);
1796 fprintf(stderr, "Got:\n\t");
1797 for (size_t i = 0; i < client_hello.size(); i++) {
1798 fprintf(stderr, "0x%02x, ", client_hello[i]);
1799 }
1800 fprintf(stderr, "\nWanted:\n\t");
1801 for (size_t i = 0; i < expected_len; i++) {
1802 fprintf(stderr, "0x%02x, ", expected[i]);
1803 }
1804 fprintf(stderr, "\n");
1805 return false;
1806 }
1807
1808 return true;
1809}
1810
1811// Tests that our ClientHellos do not change unexpectedly.
1812static bool TestClientHello() {
1813 static const uint8_t kSSL3ClientHello[] = {
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1814 0x16,
1815 0x03, 0x00,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1816 0x00, 0x3b,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1817 0x01,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1818 0x00, 0x00, 0x37,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1819 0x03, 0x00,
1820 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1821 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1822 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1823 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1824 0x00,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1825 0x00, 0x10,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1826 0xc0, 0x09,
1827 0xc0, 0x13,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1828 0xc0, 0x0a,
1829 0xc0, 0x14,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1830 0x00, 0x2f,
1831 0x00, 0x35,
1832 0x00, 0x0a,
1833 0x00, 0xff, 0x01, 0x00,
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1834 };
1835 if (!ClientHelloMatches(SSL3_VERSION, kSSL3ClientHello,
1836 sizeof(kSSL3ClientHello))) {
1837 return false;
1838 }
1839
1840 static const uint8_t kTLS1ClientHello[] = {
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1841 0x16,
1842 0x03, 0x01,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1843 0x00, 0x5a,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1844 0x01,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1845 0x00, 0x00, 0x56,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1846 0x03, 0x01,
1847 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1848 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1849 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1850 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1851 0x00,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1852 0x00, 0x0e,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1853 0xc0, 0x09,
1854 0xc0, 0x13,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1855 0xc0, 0x0a,
1856 0xc0, 0x14,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1857 0x00, 0x2f,
1858 0x00, 0x35,
1859 0x00, 0x0a,
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1860 0x01, 0x00, 0x00, 0x1f, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x17, 0x00,
1861 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00,
1862 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18,
1863 };
1864 if (!ClientHelloMatches(TLS1_VERSION, kTLS1ClientHello,
1865 sizeof(kTLS1ClientHello))) {
1866 return false;
1867 }
1868
1869 static const uint8_t kTLS11ClientHello[] = {
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1870 0x16,
1871 0x03, 0x01,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1872 0x00, 0x5a,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1873 0x01,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1874 0x00, 0x00, 0x56,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1875 0x03, 0x02,
1876 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1877 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1878 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1879 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1880 0x00,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1881 0x00, 0x0e,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1882 0xc0, 0x09,
1883 0xc0, 0x13,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1884 0xc0, 0x0a,
1885 0xc0, 0x14,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1886 0x00, 0x2f,
1887 0x00, 0x35,
1888 0x00, 0x0a,
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1889 0x01, 0x00, 0x00, 0x1f, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x17, 0x00,
1890 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00,
1891 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18,
1892 };
1893 if (!ClientHelloMatches(TLS1_1_VERSION, kTLS11ClientHello,
1894 sizeof(kTLS11ClientHello))) {
1895 return false;
1896 }
1897
David Benjamin3b584332017-01-24 22:47:18 -0500[diff] [blame]1898 // kTLS12ClientHello assumes RSA-PSS, which is disabled for Android system
1899 // builds.
1900#if defined(BORINGSSL_ANDROID_SYSTEM)
1901 return true;
1902#endif
1903
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1904 static const uint8_t kTLS12ClientHello[] = {
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1905 0x16,
1906 0x03, 0x01,
1907 0x00, 0x8e,
1908 0x01,
1909 0x00, 0x00, 0x8a,
1910 0x03, 0x03,
David Benjamin57e929f2016-08-30 00:30:38 -0400[diff] [blame]1911 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1912 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1913 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1914 0x00, 0x2a,
1915 0xcc, 0xa9,
1916 0xcc, 0xa8,
1917 0xc0, 0x2b,
1918 0xc0, 0x2f,
1919 0xc0, 0x2c,
1920 0xc0, 0x30,
1921 0xc0, 0x09,
1922 0xc0, 0x23,
1923 0xc0, 0x13,
1924 0xc0, 0x27,
1925 0xc0, 0x0a,
1926 0xc0, 0x24,
1927 0xc0, 0x14,
1928 0xc0, 0x28,
1929 0x00, 0x9c,
1930 0x00, 0x9d,
1931 0x00, 0x2f,
1932 0x00, 0x3c,
1933 0x00, 0x35,
1934 0x00, 0x3d,
1935 0x00, 0x0a,
1936 0x01, 0x00, 0x00, 0x37, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x17, 0x00,
1937 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x14, 0x00, 0x12, 0x04,
1938 0x03, 0x08, 0x04, 0x04, 0x01, 0x05, 0x03, 0x08, 0x05, 0x05, 0x01, 0x08,
1939 0x06, 0x06, 0x01, 0x02, 0x01, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00,
1940 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18,
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1941 };
1942 if (!ClientHelloMatches(TLS1_2_VERSION, kTLS12ClientHello,
1943 sizeof(kTLS12ClientHello))) {
1944 return false;
1945 }
1946
1947 // TODO(davidben): Add a change detector for TLS 1.3 once the spec and our
1948 // implementation has settled enough that it won't change.
1949
1950 return true;
1951}
1952
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1953static bssl::UniquePtr<SSL_SESSION> g_last_session;
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]1954
1955static int SaveLastSession(SSL *ssl, SSL_SESSION *session) {
1956 // Save the most recent session.
1957 g_last_session.reset(session);
1958 return 1;
1959}
1960
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1961static bssl::UniquePtr<SSL_SESSION> CreateClientSession(SSL_CTX *client_ctx,
Steven Valdeze831a812017-03-09 14:56:07 -0500[diff] [blame]1962 SSL_CTX *server_ctx) {
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]1963 g_last_session = nullptr;
1964 SSL_CTX_sess_set_new_cb(client_ctx, SaveLastSession);
1965
1966 // Connect client and server to get a session.
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1967 bssl::UniquePtr<SSL> client, server;
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]1968 if (!ConnectClientAndServer(&client, &server, client_ctx, server_ctx,
1969 nullptr /* no session */)) {
1970 fprintf(stderr, "Failed to connect client and server.\n");
1971 return nullptr;
1972 }
1973
1974 // Run the read loop to account for post-handshake tickets in TLS 1.3.
1975 SSL_read(client.get(), nullptr, 0);
1976
1977 SSL_CTX_sess_set_new_cb(client_ctx, nullptr);
1978
1979 if (!g_last_session) {
1980 fprintf(stderr, "Client did not receive a session.\n");
1981 return nullptr;
1982 }
1983 return std::move(g_last_session);
1984}
1985
1986static bool ExpectSessionReused(SSL_CTX *client_ctx, SSL_CTX *server_ctx,
1987 SSL_SESSION *session,
1988 bool reused) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1989 bssl::UniquePtr<SSL> client, server;
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]1990 if (!ConnectClientAndServer(&client, &server, client_ctx,
1991 server_ctx, session)) {
1992 fprintf(stderr, "Failed to connect client and server.\n");
1993 return false;
1994 }
1995
1996 if (SSL_session_reused(client.get()) != SSL_session_reused(server.get())) {
1997 fprintf(stderr, "Client and server were inconsistent.\n");
1998 return false;
1999 }
2000
2001 bool was_reused = !!SSL_session_reused(client.get());
2002 if (was_reused != reused) {
2003 fprintf(stderr, "Session was%s reused, but we expected the opposite.\n",
2004 was_reused ? "" : " not");
2005 return false;
2006 }
2007
2008 return true;
2009}
2010
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]2011static bssl::UniquePtr<SSL_SESSION> ExpectSessionRenewed(SSL_CTX *client_ctx,
2012 SSL_CTX *server_ctx,
2013 SSL_SESSION *session) {
2014 g_last_session = nullptr;
2015 SSL_CTX_sess_set_new_cb(client_ctx, SaveLastSession);
2016
2017 bssl::UniquePtr<SSL> client, server;
2018 if (!ConnectClientAndServer(&client, &server, client_ctx,
2019 server_ctx, session)) {
2020 fprintf(stderr, "Failed to connect client and server.\n");
2021 return nullptr;
2022 }
2023
2024 if (SSL_session_reused(client.get()) != SSL_session_reused(server.get())) {
2025 fprintf(stderr, "Client and server were inconsistent.\n");
2026 return nullptr;
2027 }
2028
2029 if (!SSL_session_reused(client.get())) {
2030 fprintf(stderr, "Session was not reused.\n");
2031 return nullptr;
2032 }
2033
2034 // Run the read loop to account for post-handshake tickets in TLS 1.3.
2035 SSL_read(client.get(), nullptr, 0);
2036
2037 SSL_CTX_sess_set_new_cb(client_ctx, nullptr);
2038
2039 if (!g_last_session) {
2040 fprintf(stderr, "Client did not receive a renewed session.\n");
2041 return nullptr;
2042 }
2043 return std::move(g_last_session);
2044}
2045
David Benjamina933c382016-10-28 00:10:03 -0400[diff] [blame]2046static int SwitchSessionIDContextSNI(SSL *ssl, int *out_alert, void *arg) {
2047 static const uint8_t kContext[] = {3};
2048
2049 if (!SSL_set_session_id_context(ssl, kContext, sizeof(kContext))) {
2050 return SSL_TLSEXT_ERR_ALERT_FATAL;
2051 }
2052
2053 return SSL_TLSEXT_ERR_OK;
2054}
2055
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2056static bool TestSessionIDContext(bool is_dtls, const SSL_METHOD *method,
2057 uint16_t version) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2058 bssl::UniquePtr<X509> cert = GetTestCertificate();
2059 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2060 if (!cert || !key) {
2061 return false;
2062 }
2063
2064 static const uint8_t kContext1[] = {1};
2065 static const uint8_t kContext2[] = {2};
2066
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2067 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method));
2068 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method));
2069 if (!server_ctx || !client_ctx ||
2070 !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) ||
2071 !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()) ||
2072 !SSL_CTX_set_session_id_context(server_ctx.get(), kContext1,
2073 sizeof(kContext1)) ||
2074 !SSL_CTX_set_min_proto_version(client_ctx.get(), version) ||
2075 !SSL_CTX_set_max_proto_version(client_ctx.get(), version) ||
2076 !SSL_CTX_set_min_proto_version(server_ctx.get(), version) ||
2077 !SSL_CTX_set_max_proto_version(server_ctx.get(), version)) {
2078 return false;
2079 }
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2080
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2081 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
2082 SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH);
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2083
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2084 bssl::UniquePtr<SSL_SESSION> session =
2085 CreateClientSession(client_ctx.get(), server_ctx.get());
2086 if (!session) {
2087 fprintf(stderr, "Error getting session.\n");
2088 return false;
2089 }
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2090
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2091 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(),
2092 true /* expect session reused */)) {
2093 fprintf(stderr, "Error resuming session.\n");
2094 return false;
2095 }
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2096
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2097 // Change the session ID context.
2098 if (!SSL_CTX_set_session_id_context(server_ctx.get(), kContext2,
2099 sizeof(kContext2))) {
2100 return false;
2101 }
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2102
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2103 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(),
2104 false /* expect session not reused */)) {
2105 fprintf(stderr, "Error connecting with a different context.\n");
2106 return false;
2107 }
David Benjamina933c382016-10-28 00:10:03 -0400[diff] [blame]2108
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2109 // Change the session ID context back and install an SNI callback to switch
2110 // it.
2111 if (!SSL_CTX_set_session_id_context(server_ctx.get(), kContext1,
2112 sizeof(kContext1))) {
2113 return false;
2114 }
David Benjamina933c382016-10-28 00:10:03 -0400[diff] [blame]2115
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2116 SSL_CTX_set_tlsext_servername_callback(server_ctx.get(),
2117 SwitchSessionIDContextSNI);
David Benjamina933c382016-10-28 00:10:03 -0400[diff] [blame]2118
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2119 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(),
2120 false /* expect session not reused */)) {
2121 fprintf(stderr, "Error connecting with a context switch on SNI callback.\n");
2122 return false;
2123 }
David Benjamina933c382016-10-28 00:10:03 -0400[diff] [blame]2124
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2125 // Switch the session ID context with the early callback instead.
2126 SSL_CTX_set_tlsext_servername_callback(server_ctx.get(), nullptr);
Alessandro Ghedini57e81e62017-03-14 23:36:00 +0000[diff] [blame]2127 SSL_CTX_set_select_certificate_cb(
2128 server_ctx.get(),
2129 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
2130 static const uint8_t kContext[] = {3};
2131
2132 if (!SSL_set_session_id_context(client_hello->ssl, kContext,
2133 sizeof(kContext))) {
2134 return ssl_select_cert_error;
2135 }
2136
2137 return ssl_select_cert_success;
2138 });
David Benjamina933c382016-10-28 00:10:03 -0400[diff] [blame]2139
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2140 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(),
2141 false /* expect session not reused */)) {
2142 fprintf(stderr,
2143 "Error connecting with a context switch on early callback.\n");
2144 return false;
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2145 }
2146
2147 return true;
2148}
2149
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]2150static timeval g_current_time;
2151
2152static void CurrentTimeCallback(const SSL *ssl, timeval *out_clock) {
2153 *out_clock = g_current_time;
2154}
2155
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2156static void FrozenTimeCallback(const SSL *ssl, timeval *out_clock) {
2157 out_clock->tv_sec = 1000;
2158 out_clock->tv_usec = 0;
2159}
2160
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]2161static int RenewTicketCallback(SSL *ssl, uint8_t *key_name, uint8_t *iv,
2162 EVP_CIPHER_CTX *ctx, HMAC_CTX *hmac_ctx,
2163 int encrypt) {
2164 static const uint8_t kZeros[16] = {0};
2165
2166 if (encrypt) {
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]2167 OPENSSL_memcpy(key_name, kZeros, sizeof(kZeros));
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]2168 RAND_bytes(iv, 16);
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]2169 } else if (OPENSSL_memcmp(key_name, kZeros, 16) != 0) {
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]2170 return 0;
2171 }
2172
2173 if (!HMAC_Init_ex(hmac_ctx, kZeros, sizeof(kZeros), EVP_sha256(), NULL) ||
2174 !EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, kZeros, iv, encrypt)) {
2175 return -1;
2176 }
2177
2178 // Returning two from the callback in decrypt mode renews the
2179 // session in TLS 1.2 and below.
2180 return encrypt ? 1 : 2;
2181}
2182
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]2183static bool GetServerTicketTime(long *out, const SSL_SESSION *session) {
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]2184 if (session->tlsext_ticklen < 16 + 16 + SHA256_DIGEST_LENGTH) {
2185 return false;
2186 }
2187
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]2188 const uint8_t *ciphertext = session->tlsext_tick + 16 + 16;
2189 size_t len = session->tlsext_ticklen - 16 - 16 - SHA256_DIGEST_LENGTH;
2190 std::unique_ptr<uint8_t[]> plaintext(new uint8_t[len]);
2191
David Benjamin9b63f292016-11-15 00:44:05 -0500[diff] [blame]2192#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
2193 // Fuzzer-mode tickets are unencrypted.
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]2194 OPENSSL_memcpy(plaintext.get(), ciphertext, len);
David Benjamin9b63f292016-11-15 00:44:05 -0500[diff] [blame]2195#else
2196 static const uint8_t kZeros[16] = {0};
2197 const uint8_t *iv = session->tlsext_tick + 16;
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]2198 bssl::ScopedEVP_CIPHER_CTX ctx;
2199 int len1, len2;
2200 if (!EVP_DecryptInit_ex(ctx.get(), EVP_aes_128_cbc(), nullptr, kZeros, iv) ||
2201 !EVP_DecryptUpdate(ctx.get(), plaintext.get(), &len1, ciphertext, len) ||
2202 !EVP_DecryptFinal_ex(ctx.get(), plaintext.get() + len1, &len2)) {
2203 return false;
2204 }
2205
2206 len = static_cast<size_t>(len1 + len2);
David Benjamin9b63f292016-11-15 00:44:05 -0500[diff] [blame]2207#endif
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]2208
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]2209 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
2210 if (!ssl_ctx) {
2211 return false;
2212 }
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]2213 bssl::UniquePtr<SSL_SESSION> server_session(
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]2214 SSL_SESSION_from_bytes(plaintext.get(), len, ssl_ctx.get()));
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]2215 if (!server_session) {
2216 return false;
2217 }
2218
2219 *out = server_session->time;
2220 return true;
2221}
2222
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2223static bool TestSessionTimeout(bool is_dtls, const SSL_METHOD *method,
2224 uint16_t version) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2225 bssl::UniquePtr<X509> cert = GetTestCertificate();
2226 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]2227 if (!cert || !key) {
2228 return false;
2229 }
2230
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2231 for (bool server_test : std::vector<bool>{false, true}) {
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2232 static const time_t kStartTime = 1000;
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2233 g_current_time.tv_sec = kStartTime;
David Benjamin1b22f852016-10-27 16:36:32 -0400[diff] [blame]2234
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2235 // We are willing to use a longer lifetime for TLS 1.3 sessions as
2236 // resumptions still perform ECDHE.
2237 const time_t timeout = version == TLS1_3_VERSION
2238 ? SSL_DEFAULT_SESSION_PSK_DHE_TIMEOUT
2239 : SSL_DEFAULT_SESSION_TIMEOUT;
2240
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2241 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method));
2242 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method));
2243 if (!server_ctx || !client_ctx ||
2244 !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) ||
2245 !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()) ||
2246 !SSL_CTX_set_min_proto_version(client_ctx.get(), version) ||
2247 !SSL_CTX_set_max_proto_version(client_ctx.get(), version) ||
2248 !SSL_CTX_set_min_proto_version(server_ctx.get(), version) ||
2249 !SSL_CTX_set_max_proto_version(server_ctx.get(), version)) {
2250 return false;
2251 }
2252
2253 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
2254 SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH);
2255
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2256 // Both client and server must enforce session timeouts. We configure the
2257 // other side with a frozen clock so it never expires tickets.
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2258 if (server_test) {
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2259 SSL_CTX_set_current_time_cb(client_ctx.get(), FrozenTimeCallback);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2260 SSL_CTX_set_current_time_cb(server_ctx.get(), CurrentTimeCallback);
2261 } else {
2262 SSL_CTX_set_current_time_cb(client_ctx.get(), CurrentTimeCallback);
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2263 SSL_CTX_set_current_time_cb(server_ctx.get(), FrozenTimeCallback);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2264 }
2265
2266 // Configure a ticket callback which renews tickets.
2267 SSL_CTX_set_tlsext_ticket_key_cb(server_ctx.get(), RenewTicketCallback);
2268
2269 bssl::UniquePtr<SSL_SESSION> session =
2270 CreateClientSession(client_ctx.get(), server_ctx.get());
2271 if (!session) {
2272 fprintf(stderr, "Error getting session.\n");
2273 return false;
2274 }
2275
2276 // Advance the clock just behind the timeout.
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2277 g_current_time.tv_sec += timeout - 1;
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2278
2279 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(),
2280 true /* expect session reused */)) {
2281 fprintf(stderr, "Error resuming session.\n");
2282 return false;
2283 }
2284
2285 // Advance the clock one more second.
2286 g_current_time.tv_sec++;
2287
2288 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(),
2289 false /* expect session not reused */)) {
2290 fprintf(stderr, "Error resuming session.\n");
2291 return false;
2292 }
2293
2294 // Rewind the clock to before the session was minted.
2295 g_current_time.tv_sec = kStartTime - 1;
2296
2297 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(),
2298 false /* expect session not reused */)) {
2299 fprintf(stderr, "Error resuming session.\n");
2300 return false;
2301 }
2302
2303 // SSL 3.0 cannot renew sessions.
2304 if (version == SSL3_VERSION) {
2305 continue;
2306 }
2307
2308 // Renew the session 10 seconds before expiration.
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2309 time_t new_start_time = kStartTime + timeout - 10;
2310 g_current_time.tv_sec = new_start_time;
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2311 bssl::UniquePtr<SSL_SESSION> new_session =
2312 ExpectSessionRenewed(client_ctx.get(), server_ctx.get(), session.get());
2313 if (!new_session) {
2314 fprintf(stderr, "Error renewing session.\n");
2315 return false;
2316 }
2317
2318 // This new session is not the same object as before.
2319 if (session.get() == new_session.get()) {
2320 fprintf(stderr, "New and old sessions alias.\n");
2321 return false;
2322 }
2323
2324 // Check the sessions have timestamps measured from issuance.
2325 long session_time = 0;
2326 if (server_test) {
2327 if (!GetServerTicketTime(&session_time, new_session.get())) {
2328 fprintf(stderr, "Failed to decode session ticket.\n");
David Benjaminb2e2e322016-11-01 17:32:54 -0400[diff] [blame]2329 return false;
2330 }
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2331 } else {
2332 session_time = new_session->time;
2333 }
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]2334
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2335 if (session_time != g_current_time.tv_sec) {
2336 fprintf(stderr, "New session is not measured from issuance.\n");
2337 return false;
2338 }
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]2339
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2340 if (version == TLS1_3_VERSION) {
2341 // Renewal incorporates fresh key material in TLS 1.3, so we extend the
2342 // lifetime TLS 1.3.
2343 g_current_time.tv_sec = new_start_time + timeout - 1;
2344 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(),
2345 new_session.get(),
2346 true /* expect session reused */)) {
2347 fprintf(stderr, "Error resuming renewed session.\n");
2348 return false;
2349 }
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]2350
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2351 // The new session expires after the new timeout.
2352 g_current_time.tv_sec = new_start_time + timeout + 1;
2353 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(),
2354 new_session.get(),
2355 false /* expect session ot reused */)) {
2356 fprintf(stderr, "Renewed session's lifetime is too long.\n");
2357 return false;
2358 }
2359
2360 // Renew the session until it begins just past the auth timeout.
2361 time_t auth_end_time = kStartTime + SSL_DEFAULT_SESSION_AUTH_TIMEOUT;
2362 while (new_start_time < auth_end_time - 1000) {
2363 // Get as close as possible to target start time.
2364 new_start_time =
2365 std::min(auth_end_time - 1000, new_start_time + timeout - 1);
2366 g_current_time.tv_sec = new_start_time;
2367 new_session = ExpectSessionRenewed(client_ctx.get(), server_ctx.get(),
2368 new_session.get());
2369 if (!new_session) {
2370 fprintf(stderr, "Error renewing session.\n");
2371 return false;
2372 }
2373 }
2374
2375 // Now the session's lifetime is bound by the auth timeout.
2376 g_current_time.tv_sec = auth_end_time - 1;
2377 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(),
2378 new_session.get(),
2379 true /* expect session reused */)) {
2380 fprintf(stderr, "Error resuming renewed session.\n");
2381 return false;
2382 }
2383
2384 g_current_time.tv_sec = auth_end_time + 1;
2385 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(),
2386 new_session.get(),
2387 false /* expect session ot reused */)) {
2388 fprintf(stderr, "Renewed session's lifetime is too long.\n");
2389 return false;
2390 }
2391 } else {
2392 // The new session is usable just before the old expiration.
2393 g_current_time.tv_sec = kStartTime + timeout - 1;
2394 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(),
2395 new_session.get(),
2396 true /* expect session reused */)) {
2397 fprintf(stderr, "Error resuming renewed session.\n");
2398 return false;
2399 }
2400
2401 // Renewal does not extend the lifetime, so it is not usable beyond the
2402 // old expiration.
2403 g_current_time.tv_sec = kStartTime + timeout + 1;
2404 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(),
2405 new_session.get(),
2406 false /* expect session not reused */)) {
2407 fprintf(stderr, "Renewed session's lifetime is too long.\n");
2408 return false;
2409 }
David Benjamin1b22f852016-10-27 16:36:32 -0400[diff] [blame]2410 }
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]2411 }
2412
2413 return true;
2414}
2415
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2416static int SwitchContext(SSL *ssl, int *out_alert, void *arg) {
2417 SSL_CTX *ctx = reinterpret_cast<SSL_CTX*>(arg);
2418 SSL_set_SSL_CTX(ssl, ctx);
2419 return SSL_TLSEXT_ERR_OK;
2420}
2421
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2422static bool TestSNICallback(bool is_dtls, const SSL_METHOD *method,
2423 uint16_t version) {
2424 // SSL 3.0 lacks extensions.
2425 if (version == SSL3_VERSION) {
2426 return true;
2427 }
2428
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2429 bssl::UniquePtr<X509> cert = GetTestCertificate();
2430 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
2431 bssl::UniquePtr<X509> cert2 = GetECDSATestCertificate();
2432 bssl::UniquePtr<EVP_PKEY> key2 = GetECDSATestKey();
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2433 if (!cert || !key || !cert2 || !key2) {
2434 return false;
2435 }
2436
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2437 // Test that switching the |SSL_CTX| at the SNI callback behaves correctly.
2438 static const uint16_t kECDSAWithSHA256 = SSL_SIGN_ECDSA_SECP256R1_SHA256;
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2439
David Benjamin83a32122017-02-14 18:34:54 -0500[diff] [blame]2440 static const uint8_t kSCTList[] = {0, 6, 0, 4, 5, 6, 7, 8};
2441 static const uint8_t kOCSPResponse[] = {1, 2, 3, 4};
2442
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2443 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method));
2444 bssl::UniquePtr<SSL_CTX> server_ctx2(SSL_CTX_new(method));
2445 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method));
2446 if (!server_ctx || !server_ctx2 || !client_ctx ||
2447 !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) ||
2448 !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()) ||
2449 !SSL_CTX_use_certificate(server_ctx2.get(), cert2.get()) ||
2450 !SSL_CTX_use_PrivateKey(server_ctx2.get(), key2.get()) ||
David Benjamin83a32122017-02-14 18:34:54 -0500[diff] [blame]2451 !SSL_CTX_set_signed_cert_timestamp_list(server_ctx2.get(), kSCTList,
2452 sizeof(kSCTList)) ||
2453 !SSL_CTX_set_ocsp_response(server_ctx2.get(), kOCSPResponse,
2454 sizeof(kOCSPResponse)) ||
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2455 // Historically signing preferences would be lost in some cases with the
2456 // SNI callback, which triggers the TLS 1.2 SHA-1 default. To ensure
2457 // this doesn't happen when |version| is TLS 1.2, configure the private
2458 // key to only sign SHA-256.
2459 !SSL_CTX_set_signing_algorithm_prefs(server_ctx2.get(), &kECDSAWithSHA256,
2460 1) ||
2461 !SSL_CTX_set_min_proto_version(client_ctx.get(), version) ||
2462 !SSL_CTX_set_max_proto_version(client_ctx.get(), version) ||
2463 !SSL_CTX_set_min_proto_version(server_ctx.get(), version) ||
2464 !SSL_CTX_set_max_proto_version(server_ctx.get(), version) ||
2465 !SSL_CTX_set_min_proto_version(server_ctx2.get(), version) ||
2466 !SSL_CTX_set_max_proto_version(server_ctx2.get(), version)) {
2467 return false;
2468 }
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2469
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2470 SSL_CTX_set_tlsext_servername_callback(server_ctx.get(), SwitchContext);
2471 SSL_CTX_set_tlsext_servername_arg(server_ctx.get(), server_ctx2.get());
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2472
David Benjamin83a32122017-02-14 18:34:54 -0500[diff] [blame]2473 SSL_CTX_enable_signed_cert_timestamps(client_ctx.get());
2474 SSL_CTX_enable_ocsp_stapling(client_ctx.get());
2475
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2476 bssl::UniquePtr<SSL> client, server;
2477 if (!ConnectClientAndServer(&client, &server, client_ctx.get(),
2478 server_ctx.get(), nullptr)) {
2479 fprintf(stderr, "Handshake failed.\n");
2480 return false;
2481 }
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2482
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2483 // The client should have received |cert2|.
2484 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(client.get()));
2485 if (!peer || X509_cmp(peer.get(), cert2.get()) != 0) {
2486 fprintf(stderr, "Incorrect certificate received.\n");
2487 return false;
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2488 }
2489
David Benjamin83a32122017-02-14 18:34:54 -0500[diff] [blame]2490 // The client should have received |server_ctx2|'s SCT list.
2491 const uint8_t *data;
2492 size_t len;
2493 SSL_get0_signed_cert_timestamp_list(client.get(), &data, &len);
2494 if (Bytes(kSCTList) != Bytes(data, len)) {
2495 fprintf(stderr, "Incorrect SCT list received.\n");
2496 return false;
2497 }
2498
2499 // The client should have received |server_ctx2|'s OCSP response.
2500 SSL_get0_ocsp_response(client.get(), &data, &len);
2501 if (Bytes(kOCSPResponse) != Bytes(data, len)) {
2502 fprintf(stderr, "Incorrect OCSP response received.\n");
2503 return false;
2504 }
2505
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2506 return true;
2507}
2508
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2509// Test that the early callback can swap the maximum version.
2510TEST(SSLTest, EarlyCallbackVersionSwitch) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2511 bssl::UniquePtr<X509> cert = GetTestCertificate();
2512 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
2513 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
2514 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2515 ASSERT_TRUE(cert);
2516 ASSERT_TRUE(key);
2517 ASSERT_TRUE(server_ctx);
2518 ASSERT_TRUE(client_ctx);
2519 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
2520 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
2521 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION));
2522 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
David Benjamin99620572016-08-30 00:35:36 -0400[diff] [blame]2523
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2524 SSL_CTX_set_select_certificate_cb(
Alessandro Ghedini57e81e62017-03-14 23:36:00 +0000[diff] [blame]2525 server_ctx.get(),
2526 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2527 if (!SSL_set_max_proto_version(client_hello->ssl, TLS1_2_VERSION)) {
Alessandro Ghedini57e81e62017-03-14 23:36:00 +0000[diff] [blame]2528 return ssl_select_cert_error;
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2529 }
2530
Alessandro Ghedini57e81e62017-03-14 23:36:00 +0000[diff] [blame]2531 return ssl_select_cert_success;
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2532 });
David Benjamin99620572016-08-30 00:35:36 -0400[diff] [blame]2533
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2534 bssl::UniquePtr<SSL> client, server;
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2535 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
2536 server_ctx.get(), nullptr));
2537 EXPECT_EQ(TLS1_2_VERSION, SSL_version(client.get()));
David Benjamin99620572016-08-30 00:35:36 -0400[diff] [blame]2538}
2539
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2540TEST(SSLTest, SetVersion) {
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2541 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2542 ASSERT_TRUE(ctx);
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2543
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2544 // Set valid TLS versions.
2545 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_VERSION));
2546 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_1_VERSION));
2547 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_VERSION));
2548 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_1_VERSION));
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2549
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2550 // Invalid TLS versions are rejected.
2551 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), DTLS1_VERSION));
2552 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0x0200));
2553 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0x1234));
2554 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), DTLS1_VERSION));
2555 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x0200));
2556 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x1234));
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2557
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2558 // Zero is the default version.
2559 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), 0));
David Benjaminfc08dfc2017-06-20 14:39:32 -0400[diff] [blame]2560 EXPECT_EQ(TLS1_2_VERSION, ctx->conf_max_version);
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2561 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), 0));
David Benjaminfc08dfc2017-06-20 14:39:32 -0400[diff] [blame]2562 EXPECT_EQ(TLS1_VERSION, ctx->conf_min_version);
David Benjamin3cfeb952017-03-01 16:48:38 -0500[diff] [blame]2563
2564 // SSL 3.0 and TLS 1.3 are available, but not by default.
2565 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), SSL3_VERSION));
David Benjaminfc08dfc2017-06-20 14:39:32 -0400[diff] [blame]2566 EXPECT_EQ(SSL3_VERSION, ctx->conf_min_version);
David Benjamin3cfeb952017-03-01 16:48:38 -0500[diff] [blame]2567 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_3_VERSION));
David Benjaminfc08dfc2017-06-20 14:39:32 -0400[diff] [blame]2568 EXPECT_EQ(TLS1_3_VERSION, ctx->conf_max_version);
David Benjamine34bcc92016-09-21 16:53:09 -0400[diff] [blame]2569
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2570 ctx.reset(SSL_CTX_new(DTLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2571 ASSERT_TRUE(ctx);
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2572
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2573 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), DTLS1_VERSION));
2574 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), DTLS1_2_VERSION));
2575 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), DTLS1_VERSION));
2576 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), DTLS1_2_VERSION));
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2577
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2578 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_VERSION));
2579 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0xfefe /* DTLS 1.1 */));
2580 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0xfffe /* DTLS 0.1 */));
2581 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0x1234));
2582 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_VERSION));
2583 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0xfefe /* DTLS 1.1 */));
2584 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0xfffe /* DTLS 0.1 */));
2585 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x1234));
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2586
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2587 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), 0));
David Benjaminfc08dfc2017-06-20 14:39:32 -0400[diff] [blame]2588 EXPECT_EQ(TLS1_2_VERSION, ctx->conf_max_version);
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2589 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), 0));
David Benjaminfc08dfc2017-06-20 14:39:32 -0400[diff] [blame]2590 EXPECT_EQ(TLS1_1_VERSION, ctx->conf_min_version);
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2591}
2592
David Benjamin458334a2016-12-15 13:53:25 -0500[diff] [blame]2593static const char *GetVersionName(uint16_t version) {
2594 switch (version) {
2595 case SSL3_VERSION:
2596 return "SSLv3";
2597 case TLS1_VERSION:
2598 return "TLSv1";
2599 case TLS1_1_VERSION:
2600 return "TLSv1.1";
2601 case TLS1_2_VERSION:
2602 return "TLSv1.2";
2603 case TLS1_3_VERSION:
2604 return "TLSv1.3";
2605 case DTLS1_VERSION:
2606 return "DTLSv1";
2607 case DTLS1_2_VERSION:
2608 return "DTLSv1.2";
2609 default:
2610 return "???";
2611 }
2612}
2613
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2614static bool TestVersion(bool is_dtls, const SSL_METHOD *method,
2615 uint16_t version) {
David Benjamincb18ac22016-09-27 14:09:15 -0400[diff] [blame]2616 bssl::UniquePtr<X509> cert = GetTestCertificate();
2617 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
2618 if (!cert || !key) {
2619 return false;
2620 }
2621
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2622 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method));
2623 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method));
2624 bssl::UniquePtr<SSL> client, server;
2625 if (!server_ctx || !client_ctx ||
2626 !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) ||
2627 !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()) ||
2628 !SSL_CTX_set_min_proto_version(client_ctx.get(), version) ||
2629 !SSL_CTX_set_max_proto_version(client_ctx.get(), version) ||
2630 !SSL_CTX_set_min_proto_version(server_ctx.get(), version) ||
2631 !SSL_CTX_set_max_proto_version(server_ctx.get(), version) ||
2632 !ConnectClientAndServer(&client, &server, client_ctx.get(),
2633 server_ctx.get(), nullptr /* no session */)) {
2634 fprintf(stderr, "Failed to connect.\n");
2635 return false;
2636 }
David Benjamincb18ac22016-09-27 14:09:15 -0400[diff] [blame]2637
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2638 if (SSL_version(client.get()) != version ||
2639 SSL_version(server.get()) != version) {
2640 fprintf(stderr, "Version mismatch. Got %04x and %04x, wanted %04x.\n",
2641 SSL_version(client.get()), SSL_version(server.get()), version);
2642 return false;
David Benjamincb18ac22016-09-27 14:09:15 -0400[diff] [blame]2643 }
2644
David Benjamin458334a2016-12-15 13:53:25 -0500[diff] [blame]2645 // Test the version name is reported as expected.
2646 const char *version_name = GetVersionName(version);
2647 if (strcmp(version_name, SSL_get_version(client.get())) != 0 ||
2648 strcmp(version_name, SSL_get_version(server.get())) != 0) {
2649 fprintf(stderr, "Version name mismatch. Got '%s' and '%s', wanted '%s'.\n",
2650 SSL_get_version(client.get()), SSL_get_version(server.get()),
2651 version_name);
2652 return false;
2653 }
2654
2655 // Test SSL_SESSION reports the same name.
2656 const char *client_name =
2657 SSL_SESSION_get_version(SSL_get_session(client.get()));
2658 const char *server_name =
2659 SSL_SESSION_get_version(SSL_get_session(server.get()));
2660 if (strcmp(version_name, client_name) != 0 ||
2661 strcmp(version_name, server_name) != 0) {
2662 fprintf(stderr,
2663 "Session version name mismatch. Got '%s' and '%s', wanted '%s'.\n",
2664 client_name, server_name, version_name);
2665 return false;
2666 }
2667
David Benjamincb18ac22016-09-27 14:09:15 -0400[diff] [blame]2668 return true;
2669}
2670
David Benjamin9ef31f02016-10-31 18:01:13 -0400[diff] [blame]2671// Tests that that |SSL_get_pending_cipher| is available during the ALPN
2672// selection callback.
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2673static bool TestALPNCipherAvailable(bool is_dtls, const SSL_METHOD *method,
2674 uint16_t version) {
2675 // SSL 3.0 lacks extensions.
2676 if (version == SSL3_VERSION) {
2677 return true;
2678 }
2679
David Benjamin9ef31f02016-10-31 18:01:13 -0400[diff] [blame]2680 static const uint8_t kALPNProtos[] = {0x03, 'f', 'o', 'o'};
2681
2682 bssl::UniquePtr<X509> cert = GetTestCertificate();
2683 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
2684 if (!cert || !key) {
2685 return false;
2686 }
2687
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2688 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method));
2689 if (!ctx || !SSL_CTX_use_certificate(ctx.get(), cert.get()) ||
2690 !SSL_CTX_use_PrivateKey(ctx.get(), key.get()) ||
2691 !SSL_CTX_set_min_proto_version(ctx.get(), version) ||
2692 !SSL_CTX_set_max_proto_version(ctx.get(), version) ||
2693 SSL_CTX_set_alpn_protos(ctx.get(), kALPNProtos, sizeof(kALPNProtos)) !=
2694 0) {
2695 return false;
2696 }
2697
2698 // The ALPN callback does not fail the handshake on error, so have the
2699 // callback write a boolean.
2700 std::pair<uint16_t, bool> callback_state(version, false);
2701 SSL_CTX_set_alpn_select_cb(
2702 ctx.get(),
2703 [](SSL *ssl, const uint8_t **out, uint8_t *out_len, const uint8_t *in,
2704 unsigned in_len, void *arg) -> int {
2705 auto state = reinterpret_cast<std::pair<uint16_t, bool> *>(arg);
2706 if (SSL_get_pending_cipher(ssl) != nullptr &&
2707 SSL_version(ssl) == state->first) {
2708 state->second = true;
2709 }
2710 return SSL_TLSEXT_ERR_NOACK;
2711 },
2712 &callback_state);
2713
2714 bssl::UniquePtr<SSL> client, server;
2715 if (!ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
2716 nullptr /* no session */)) {
2717 return false;
2718 }
2719
2720 if (!callback_state.second) {
2721 fprintf(stderr, "The pending cipher was not known in the ALPN callback.\n");
2722 return false;
2723 }
2724
2725 return true;
2726}
2727
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]2728static bool TestSSLClearSessionResumption(bool is_dtls,
2729 const SSL_METHOD *method,
2730 uint16_t version) {
2731 // Skip this for TLS 1.3. TLS 1.3's ticket mechanism is incompatible with this
2732 // API pattern.
2733 if (version == TLS1_3_VERSION) {
2734 return true;
2735 }
2736
2737 bssl::UniquePtr<X509> cert = GetTestCertificate();
2738 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
2739 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method));
2740 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method));
2741 if (!cert || !key || !server_ctx || !client_ctx ||
2742 !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) ||
2743 !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()) ||
2744 !SSL_CTX_set_min_proto_version(client_ctx.get(), version) ||
2745 !SSL_CTX_set_max_proto_version(client_ctx.get(), version) ||
2746 !SSL_CTX_set_min_proto_version(server_ctx.get(), version) ||
2747 !SSL_CTX_set_max_proto_version(server_ctx.get(), version)) {
2748 return false;
2749 }
2750
2751 // Connect a client and a server.
2752 bssl::UniquePtr<SSL> client, server;
2753 if (!ConnectClientAndServer(&client, &server, client_ctx.get(),
2754 server_ctx.get(), nullptr /* no session */)) {
2755 return false;
2756 }
2757
2758 if (SSL_session_reused(client.get()) ||
2759 SSL_session_reused(server.get())) {
2760 fprintf(stderr, "Session unexpectedly reused.\n");
2761 return false;
2762 }
2763
2764 // Reset everything.
2765 if (!SSL_clear(client.get()) ||
2766 !SSL_clear(server.get())) {
2767 fprintf(stderr, "SSL_clear failed.\n");
2768 return false;
2769 }
2770
2771 // Attempt to connect a second time.
2772 if (!CompleteHandshakes(client.get(), server.get())) {
2773 fprintf(stderr, "Could not reuse SSL objects.\n");
2774 return false;
2775 }
2776
2777 // |SSL_clear| should implicitly offer the previous session to the server.
2778 if (!SSL_session_reused(client.get()) ||
2779 !SSL_session_reused(server.get())) {
2780 fprintf(stderr, "Session was not reused in second try.\n");
2781 return false;
2782 }
2783
2784 return true;
2785}
2786
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]2787static bool ChainsEqual(STACK_OF(X509) *chain,
2788 const std::vector<X509 *> &expected) {
2789 if (sk_X509_num(chain) != expected.size()) {
2790 return false;
2791 }
2792
2793 for (size_t i = 0; i < expected.size(); i++) {
2794 if (X509_cmp(sk_X509_value(chain, i), expected[i]) != 0) {
2795 return false;
2796 }
2797 }
2798
2799 return true;
2800}
2801
2802static bool TestAutoChain(bool is_dtls, const SSL_METHOD *method,
2803 uint16_t version) {
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]2804 bssl::UniquePtr<X509> cert = GetChainTestCertificate();
2805 bssl::UniquePtr<X509> intermediate = GetChainTestIntermediate();
2806 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
2807 if (!cert || !intermediate || !key) {
2808 return false;
2809 }
2810
2811 // Configure both client and server to accept any certificate. Add
2812 // |intermediate| to the cert store.
2813 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method));
2814 if (!ctx ||
2815 !SSL_CTX_use_certificate(ctx.get(), cert.get()) ||
2816 !SSL_CTX_use_PrivateKey(ctx.get(), key.get()) ||
2817 !SSL_CTX_set_min_proto_version(ctx.get(), version) ||
2818 !SSL_CTX_set_max_proto_version(ctx.get(), version) ||
2819 !X509_STORE_add_cert(SSL_CTX_get_cert_store(ctx.get()),
2820 intermediate.get())) {
2821 return false;
2822 }
2823 SSL_CTX_set_verify(
2824 ctx.get(), SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nullptr);
2825 SSL_CTX_set_cert_verify_callback(ctx.get(), VerifySucceed, NULL);
2826
2827 // By default, the client and server should each only send the leaf.
2828 bssl::UniquePtr<SSL> client, server;
2829 if (!ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
2830 nullptr /* no session */)) {
2831 return false;
2832 }
2833
2834 if (!ChainsEqual(SSL_get_peer_full_cert_chain(client.get()), {cert.get()})) {
2835 fprintf(stderr, "Client-received chain did not match.\n");
2836 return false;
2837 }
2838
2839 if (!ChainsEqual(SSL_get_peer_full_cert_chain(server.get()), {cert.get()})) {
2840 fprintf(stderr, "Server-received chain did not match.\n");
2841 return false;
2842 }
2843
2844 // If auto-chaining is enabled, then the intermediate is sent.
2845 SSL_CTX_clear_mode(ctx.get(), SSL_MODE_NO_AUTO_CHAIN);
2846 if (!ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
2847 nullptr /* no session */)) {
2848 return false;
2849 }
2850
2851 if (!ChainsEqual(SSL_get_peer_full_cert_chain(client.get()),
2852 {cert.get(), intermediate.get()})) {
2853 fprintf(stderr, "Client-received chain did not match (auto-chaining).\n");
2854 return false;
2855 }
2856
2857 if (!ChainsEqual(SSL_get_peer_full_cert_chain(server.get()),
2858 {cert.get(), intermediate.get()})) {
2859 fprintf(stderr, "Server-received chain did not match (auto-chaining).\n");
2860 return false;
2861 }
2862
2863 // Auto-chaining does not override explicitly-configured intermediates.
2864 if (!SSL_CTX_add1_chain_cert(ctx.get(), cert.get()) ||
2865 !ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
2866 nullptr /* no session */)) {
2867 return false;
2868 }
2869
2870 if (!ChainsEqual(SSL_get_peer_full_cert_chain(client.get()),
2871 {cert.get(), cert.get()})) {
2872 fprintf(stderr,
2873 "Client-received chain did not match (auto-chaining, explicit "
2874 "intermediate).\n");
2875 return false;
2876 }
2877
2878 if (!ChainsEqual(SSL_get_peer_full_cert_chain(server.get()),
2879 {cert.get(), cert.get()})) {
2880 fprintf(stderr,
2881 "Server-received chain did not match (auto-chaining, explicit "
2882 "intermediate).\n");
2883 return false;
2884 }
2885
2886 return true;
2887}
2888
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]2889static bool ExpectBadWriteRetry() {
2890 int err = ERR_get_error();
2891 if (ERR_GET_LIB(err) != ERR_LIB_SSL ||
2892 ERR_GET_REASON(err) != SSL_R_BAD_WRITE_RETRY) {
2893 char buf[ERR_ERROR_STRING_BUF_LEN];
2894 ERR_error_string_n(err, buf, sizeof(buf));
2895 fprintf(stderr, "Wanted SSL_R_BAD_WRITE_RETRY, got: %s.\n", buf);
2896 return false;
2897 }
2898
2899 if (ERR_peek_error() != 0) {
2900 fprintf(stderr, "Unexpected error following SSL_R_BAD_WRITE_RETRY.\n");
2901 return false;
2902 }
2903
2904 return true;
2905}
2906
2907static bool TestSSLWriteRetry(bool is_dtls, const SSL_METHOD *method,
2908 uint16_t version) {
2909 if (is_dtls) {
2910 return true;
2911 }
2912
2913 for (bool enable_partial_write : std::vector<bool>{false, true}) {
2914 // Connect a client and server.
2915 bssl::UniquePtr<X509> cert = GetTestCertificate();
2916 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
2917 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method));
2918 bssl::UniquePtr<SSL> client, server;
2919 if (!cert || !key || !ctx ||
2920 !SSL_CTX_use_certificate(ctx.get(), cert.get()) ||
2921 !SSL_CTX_use_PrivateKey(ctx.get(), key.get()) ||
2922 !SSL_CTX_set_min_proto_version(ctx.get(), version) ||
2923 !SSL_CTX_set_max_proto_version(ctx.get(), version) ||
2924 !ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
2925 nullptr /* no session */)) {
2926 return false;
2927 }
2928
2929 if (enable_partial_write) {
2930 SSL_set_mode(client.get(), SSL_MODE_ENABLE_PARTIAL_WRITE);
2931 }
2932
2933 // Write without reading until the buffer is full and we have an unfinished
2934 // write. Keep a count so we may reread it again later. "hello!" will be
2935 // written in two chunks, "hello" and "!".
2936 char data[] = "hello!";
2937 static const int kChunkLen = 5; // The length of "hello".
2938 unsigned count = 0;
2939 for (;;) {
2940 int ret = SSL_write(client.get(), data, kChunkLen);
2941 if (ret <= 0) {
2942 int err = SSL_get_error(client.get(), ret);
2943 if (SSL_get_error(client.get(), ret) == SSL_ERROR_WANT_WRITE) {
2944 break;
2945 }
2946 fprintf(stderr, "SSL_write failed in unexpected way: %d\n", err);
2947 return false;
2948 }
2949
2950 if (ret != 5) {
2951 fprintf(stderr, "SSL_write wrote %d bytes, expected 5.\n", ret);
2952 return false;
2953 }
2954
2955 count++;
2956 }
2957
2958 // Retrying with the same parameters is legal.
2959 if (SSL_get_error(client.get(), SSL_write(client.get(), data, kChunkLen)) !=
2960 SSL_ERROR_WANT_WRITE) {
2961 fprintf(stderr, "SSL_write retry unexpectedly failed.\n");
2962 return false;
2963 }
2964
2965 // Retrying with the same buffer but shorter length is not legal.
2966 if (SSL_get_error(client.get(),
2967 SSL_write(client.get(), data, kChunkLen - 1)) !=
2968 SSL_ERROR_SSL ||
2969 !ExpectBadWriteRetry()) {
2970 fprintf(stderr, "SSL_write retry did not fail as expected.\n");
2971 return false;
2972 }
2973
2974 // Retrying with a different buffer pointer is not legal.
2975 char data2[] = "hello";
2976 if (SSL_get_error(client.get(), SSL_write(client.get(), data2,
2977 kChunkLen)) != SSL_ERROR_SSL ||
2978 !ExpectBadWriteRetry()) {
2979 fprintf(stderr, "SSL_write retry did not fail as expected.\n");
2980 return false;
2981 }
2982
2983 // With |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER|, the buffer may move.
2984 SSL_set_mode(client.get(), SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
2985 if (SSL_get_error(client.get(),
2986 SSL_write(client.get(), data2, kChunkLen)) !=
2987 SSL_ERROR_WANT_WRITE) {
2988 fprintf(stderr, "SSL_write retry unexpectedly failed.\n");
2989 return false;
2990 }
2991
2992 // |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER| does not disable length checks.
2993 if (SSL_get_error(client.get(),
2994 SSL_write(client.get(), data2, kChunkLen - 1)) !=
2995 SSL_ERROR_SSL ||
2996 !ExpectBadWriteRetry()) {
2997 fprintf(stderr, "SSL_write retry did not fail as expected.\n");
2998 return false;
2999 }
3000
3001 // Retrying with a larger buffer is legal.
3002 if (SSL_get_error(client.get(),
3003 SSL_write(client.get(), data, kChunkLen + 1)) !=
3004 SSL_ERROR_WANT_WRITE) {
3005 fprintf(stderr, "SSL_write retry unexpectedly failed.\n");
3006 return false;
3007 }
3008
3009 // Drain the buffer.
3010 char buf[20];
3011 for (unsigned i = 0; i < count; i++) {
3012 if (SSL_read(server.get(), buf, sizeof(buf)) != kChunkLen ||
3013 OPENSSL_memcmp(buf, "hello", kChunkLen) != 0) {
3014 fprintf(stderr, "Failed to read initial records.\n");
3015 return false;
3016 }
3017 }
3018
3019 // Now that there is space, a retry with a larger buffer should flush the
3020 // pending record, skip over that many bytes of input (on assumption they
3021 // are the same), and write the remainder. If SSL_MODE_ENABLE_PARTIAL_WRITE
3022 // is set, this will complete in two steps.
3023 char data3[] = "_____!";
3024 if (enable_partial_write) {
3025 if (SSL_write(client.get(), data3, kChunkLen + 1) != kChunkLen ||
3026 SSL_write(client.get(), data3 + kChunkLen, 1) != 1) {
3027 fprintf(stderr, "SSL_write retry failed.\n");
3028 return false;
3029 }
3030 } else if (SSL_write(client.get(), data3, kChunkLen + 1) != kChunkLen + 1) {
3031 fprintf(stderr, "SSL_write retry failed.\n");
3032 return false;
3033 }
3034
3035 // Check the last write was correct. The data will be spread over two
3036 // records, so SSL_read returns twice.
3037 if (SSL_read(server.get(), buf, sizeof(buf)) != kChunkLen ||
3038 OPENSSL_memcmp(buf, "hello", kChunkLen) != 0 ||
3039 SSL_read(server.get(), buf, sizeof(buf)) != 1 ||
3040 buf[0] != '!') {
3041 fprintf(stderr, "Failed to read write retry.\n");
3042 return false;
3043 }
3044 }
3045
3046 return true;
3047}
3048
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3049static bool ForEachVersion(bool (*test_func)(bool is_dtls,
3050 const SSL_METHOD *method,
3051 uint16_t version)) {
3052 static uint16_t kTLSVersions[] = {
David Benjamin3b584332017-01-24 22:47:18 -0500[diff] [blame]3053 SSL3_VERSION,
3054 TLS1_VERSION,
3055 TLS1_1_VERSION,
3056 TLS1_2_VERSION,
3057// TLS 1.3 requires RSA-PSS, which is disabled for Android system builds.
3058#if !defined(BORINGSSL_ANDROID_SYSTEM)
3059 TLS1_3_VERSION,
3060#endif
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3061 };
3062
3063 static uint16_t kDTLSVersions[] = {
3064 DTLS1_VERSION, DTLS1_2_VERSION,
3065 };
3066
David Benjamin9ef31f02016-10-31 18:01:13 -0400[diff] [blame]3067 for (uint16_t version : kTLSVersions) {
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3068 if (!test_func(false, TLS_method(), version)) {
3069 fprintf(stderr, "Test failed at TLS version %04x.\n", version);
David Benjamin9ef31f02016-10-31 18:01:13 -0400[diff] [blame]3070 return false;
3071 }
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3072 }
David Benjamin9ef31f02016-10-31 18:01:13 -0400[diff] [blame]3073
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3074 for (uint16_t version : kDTLSVersions) {
3075 if (!test_func(true, DTLS_method(), version)) {
3076 fprintf(stderr, "Test failed at DTLS version %04x.\n", version);
David Benjamin9ef31f02016-10-31 18:01:13 -0400[diff] [blame]3077 return false;
3078 }
3079 }
3080
3081 return true;
3082}
3083
Adam Langleye1e78132017-01-31 15:24:31 -0800[diff] [blame]3084TEST(SSLTest, AddChainCertHack) {
3085 // Ensure that we don't accidently break the hack that we have in place to
3086 // keep curl and serf happy when they use an |X509| even after transfering
3087 // ownership.
3088
3089 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
3090 ASSERT_TRUE(ctx);
3091 X509 *cert = GetTestCertificate().release();
3092 ASSERT_TRUE(cert);
3093 SSL_CTX_add0_chain_cert(ctx.get(), cert);
3094
3095 // This should not trigger a use-after-free.
3096 X509_cmp(cert, cert);
3097}
3098
David Benjaminb2ff2622017-02-03 17:06:18 -0500[diff] [blame]3099TEST(SSLTest, GetCertificate) {
3100 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
3101 ASSERT_TRUE(ctx);
3102 bssl::UniquePtr<X509> cert = GetTestCertificate();
3103 ASSERT_TRUE(cert);
3104 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), cert.get()));
3105 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
3106 ASSERT_TRUE(ssl);
3107
3108 X509 *cert2 = SSL_CTX_get0_certificate(ctx.get());
3109 ASSERT_TRUE(cert2);
3110 X509 *cert3 = SSL_get_certificate(ssl.get());
3111 ASSERT_TRUE(cert3);
3112
3113 // The old and new certificates must be identical.
3114 EXPECT_EQ(0, X509_cmp(cert.get(), cert2));
3115 EXPECT_EQ(0, X509_cmp(cert.get(), cert3));
3116
3117 uint8_t *der = nullptr;
3118 long der_len = i2d_X509(cert.get(), &der);
3119 ASSERT_LT(0, der_len);
3120 bssl::UniquePtr<uint8_t> free_der(der);
3121
3122 uint8_t *der2 = nullptr;
3123 long der2_len = i2d_X509(cert2, &der2);
3124 ASSERT_LT(0, der2_len);
3125 bssl::UniquePtr<uint8_t> free_der2(der2);
3126
3127 uint8_t *der3 = nullptr;
3128 long der3_len = i2d_X509(cert3, &der3);
3129 ASSERT_LT(0, der3_len);
3130 bssl::UniquePtr<uint8_t> free_der3(der3);
3131
3132 // They must also encode identically.
David Benjamin7d7554b2017-02-04 11:48:59 -0500[diff] [blame]3133 EXPECT_EQ(Bytes(der, der_len), Bytes(der2, der2_len));
3134 EXPECT_EQ(Bytes(der, der_len), Bytes(der3, der3_len));
David Benjaminb2ff2622017-02-03 17:06:18 -0500[diff] [blame]3135}
3136
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]3137TEST(SSLTest, SetChainAndKeyMismatch) {
3138 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_with_buffers_method()));
3139 ASSERT_TRUE(ctx);
3140
3141 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
3142 ASSERT_TRUE(key);
3143 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
3144 ASSERT_TRUE(leaf);
3145 std::vector<CRYPTO_BUFFER*> chain = {
3146 leaf.get(),
3147 };
3148
3149 // Should fail because |GetTestKey| doesn't match the chain-test certificate.
3150 ASSERT_FALSE(SSL_CTX_set_chain_and_key(ctx.get(), &chain[0], chain.size(),
3151 key.get(), nullptr));
3152 ERR_clear_error();
3153}
3154
3155TEST(SSLTest, SetChainAndKey) {
3156 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method()));
3157 ASSERT_TRUE(client_ctx);
3158 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_with_buffers_method()));
3159 ASSERT_TRUE(server_ctx);
3160
3161 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
3162 ASSERT_TRUE(key);
3163 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
3164 ASSERT_TRUE(leaf);
3165 bssl::UniquePtr<CRYPTO_BUFFER> intermediate =
3166 GetChainTestIntermediateBuffer();
3167 ASSERT_TRUE(intermediate);
3168 std::vector<CRYPTO_BUFFER*> chain = {
3169 leaf.get(), intermediate.get(),
3170 };
3171 ASSERT_TRUE(SSL_CTX_set_chain_and_key(server_ctx.get(), &chain[0],
3172 chain.size(), key.get(), nullptr));
3173
3174 SSL_CTX_i_promise_to_verify_certs_after_the_handshake(client_ctx.get());
3175
3176 bssl::UniquePtr<SSL> client, server;
3177 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
3178 server_ctx.get(),
3179 nullptr /* no session */));
3180}
3181
David Benjamin91222b82017-03-09 20:10:56 -0500[diff] [blame]3182// Configuring the empty cipher list, though an error, should still modify the
3183// configuration.
3184TEST(SSLTest, EmptyCipherList) {
3185 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
3186 ASSERT_TRUE(ctx);
3187
3188 // Initially, the cipher list is not empty.
3189 EXPECT_NE(0u, sk_SSL_CIPHER_num(SSL_CTX_get_ciphers(ctx.get())));
3190
3191 // Configuring the empty cipher list fails.
3192 EXPECT_FALSE(SSL_CTX_set_cipher_list(ctx.get(), ""));
3193 ERR_clear_error();
3194
3195 // But the cipher list is still updated to empty.
3196 EXPECT_EQ(0u, sk_SSL_CIPHER_num(SSL_CTX_get_ciphers(ctx.get())));
3197}
3198
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]3199// ssl_test_ticket_aead_failure_mode enumerates the possible ways in which the
3200// test |SSL_TICKET_AEAD_METHOD| can fail.
3201enum ssl_test_ticket_aead_failure_mode {
3202 ssl_test_ticket_aead_ok = 0,
3203 ssl_test_ticket_aead_seal_fail,
3204 ssl_test_ticket_aead_open_soft_fail,
3205 ssl_test_ticket_aead_open_hard_fail,
3206};
3207
3208struct ssl_test_ticket_aead_state {
3209 unsigned retry_count;
3210 ssl_test_ticket_aead_failure_mode failure_mode;
3211};
3212
3213static int ssl_test_ticket_aead_ex_index_dup(CRYPTO_EX_DATA *to,
3214 const CRYPTO_EX_DATA *from,
3215 void **from_d, int index,
3216 long argl, void *argp) {
3217 abort();
3218}
3219
3220static void ssl_test_ticket_aead_ex_index_free(void *parent, void *ptr,
3221 CRYPTO_EX_DATA *ad, int index,
3222 long argl, void *argp) {
3223 auto state = reinterpret_cast<ssl_test_ticket_aead_state*>(ptr);
3224 if (state == nullptr) {
3225 return;
3226 }
3227
3228 OPENSSL_free(state);
3229}
3230
3231static CRYPTO_once_t g_ssl_test_ticket_aead_ex_index_once = CRYPTO_ONCE_INIT;
3232static int g_ssl_test_ticket_aead_ex_index;
3233
3234static int ssl_test_ticket_aead_get_ex_index() {
3235 CRYPTO_once(&g_ssl_test_ticket_aead_ex_index_once, [] {
3236 g_ssl_test_ticket_aead_ex_index = SSL_get_ex_new_index(
3237 0, nullptr, nullptr, ssl_test_ticket_aead_ex_index_dup,
3238 ssl_test_ticket_aead_ex_index_free);
3239 });
3240 return g_ssl_test_ticket_aead_ex_index;
3241}
3242
3243static size_t ssl_test_ticket_aead_max_overhead(SSL *ssl) {
3244 return 1;
3245}
3246
3247static int ssl_test_ticket_aead_seal(SSL *ssl, uint8_t *out, size_t *out_len,
3248 size_t max_out_len, const uint8_t *in,
3249 size_t in_len) {
3250 auto state = reinterpret_cast<ssl_test_ticket_aead_state *>(
3251 SSL_get_ex_data(ssl, ssl_test_ticket_aead_get_ex_index()));
3252
3253 if (state->failure_mode == ssl_test_ticket_aead_seal_fail ||
3254 max_out_len < in_len + 1) {
3255 return 0;
3256 }
3257
3258 OPENSSL_memmove(out, in, in_len);
3259 out[in_len] = 0xff;
3260 *out_len = in_len + 1;
3261
3262 return 1;
3263}
3264
3265static ssl_ticket_aead_result_t ssl_test_ticket_aead_open(
3266 SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out_len,
3267 const uint8_t *in, size_t in_len) {
3268 auto state = reinterpret_cast<ssl_test_ticket_aead_state *>(
3269 SSL_get_ex_data(ssl, ssl_test_ticket_aead_get_ex_index()));
3270
3271 if (state->retry_count > 0) {
3272 state->retry_count--;
3273 return ssl_ticket_aead_retry;
3274 }
3275
3276 switch (state->failure_mode) {
3277 case ssl_test_ticket_aead_ok:
3278 break;
3279 case ssl_test_ticket_aead_seal_fail:
3280 // If |seal| failed then there shouldn't be any ticket to try and
3281 // decrypt.
3282 abort();
3283 break;
3284 case ssl_test_ticket_aead_open_soft_fail:
3285 return ssl_ticket_aead_ignore_ticket;
3286 case ssl_test_ticket_aead_open_hard_fail:
3287 return ssl_ticket_aead_error;
3288 }
3289
3290 if (in_len == 0 || in[in_len - 1] != 0xff) {
3291 return ssl_ticket_aead_ignore_ticket;
3292 }
3293
3294 if (max_out_len < in_len - 1) {
3295 return ssl_ticket_aead_error;
3296 }
3297
3298 OPENSSL_memmove(out, in, in_len - 1);
3299 *out_len = in_len - 1;
3300 return ssl_ticket_aead_success;
3301}
3302
3303static const SSL_TICKET_AEAD_METHOD kSSLTestTicketMethod = {
3304 ssl_test_ticket_aead_max_overhead,
3305 ssl_test_ticket_aead_seal,
3306 ssl_test_ticket_aead_open,
3307};
3308
3309static void ConnectClientAndServerWithTicketMethod(
3310 bssl::UniquePtr<SSL> *out_client, bssl::UniquePtr<SSL> *out_server,
3311 SSL_CTX *client_ctx, SSL_CTX *server_ctx, unsigned retry_count,
3312 ssl_test_ticket_aead_failure_mode failure_mode, SSL_SESSION *session) {
3313 bssl::UniquePtr<SSL> client(SSL_new(client_ctx)), server(SSL_new(server_ctx));
3314 ASSERT_TRUE(client);
3315 ASSERT_TRUE(server);
3316 SSL_set_connect_state(client.get());
3317 SSL_set_accept_state(server.get());
3318
3319 auto state = reinterpret_cast<ssl_test_ticket_aead_state *>(
3320 OPENSSL_malloc(sizeof(ssl_test_ticket_aead_state)));
3321 ASSERT_TRUE(state);
3322 OPENSSL_memset(state, 0, sizeof(ssl_test_ticket_aead_state));
3323 state->retry_count = retry_count;
3324 state->failure_mode = failure_mode;
3325
3326 ASSERT_TRUE(SSL_set_ex_data(server.get(), ssl_test_ticket_aead_get_ex_index(),
3327 state));
3328
3329 SSL_set_session(client.get(), session);
3330
3331 BIO *bio1, *bio2;
3332 ASSERT_TRUE(BIO_new_bio_pair(&bio1, 0, &bio2, 0));
3333
3334 // SSL_set_bio takes ownership.
3335 SSL_set_bio(client.get(), bio1, bio1);
3336 SSL_set_bio(server.get(), bio2, bio2);
3337
3338 if (CompleteHandshakes(client.get(), server.get())) {
3339 *out_client = std::move(client);
3340 *out_server = std::move(server);
3341 } else {
3342 out_client->reset();
3343 out_server->reset();
3344 }
3345}
3346
3347class TicketAEADMethodTest
3348 : public ::testing::TestWithParam<testing::tuple<
3349 uint16_t, unsigned, ssl_test_ticket_aead_failure_mode>> {};
3350
3351TEST_P(TicketAEADMethodTest, Resume) {
3352 bssl::UniquePtr<X509> cert = GetTestCertificate();
3353 ASSERT_TRUE(cert);
3354 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
3355 ASSERT_TRUE(key);
3356
3357 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
3358 ASSERT_TRUE(server_ctx);
3359 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
3360 ASSERT_TRUE(client_ctx);
3361
3362 const uint16_t version = testing::get<0>(GetParam());
3363 const unsigned retry_count = testing::get<1>(GetParam());
3364 const ssl_test_ticket_aead_failure_mode failure_mode =
3365 testing::get<2>(GetParam());
3366
3367 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
3368 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
3369 ASSERT_TRUE(SSL_CTX_set_min_proto_version(client_ctx.get(), version));
3370 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), version));
3371 ASSERT_TRUE(SSL_CTX_set_min_proto_version(server_ctx.get(), version));
3372 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), version));
3373
3374 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
3375 SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH);
3376 SSL_CTX_set_current_time_cb(client_ctx.get(), FrozenTimeCallback);
3377 SSL_CTX_set_current_time_cb(server_ctx.get(), FrozenTimeCallback);
David Benjamin707af292017-03-10 17:47:18 -0500[diff] [blame]3378 SSL_CTX_sess_set_new_cb(client_ctx.get(), SaveLastSession);
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]3379
3380 SSL_CTX_set_ticket_aead_method(server_ctx.get(), &kSSLTestTicketMethod);
3381
3382 bssl::UniquePtr<SSL> client, server;
3383 ConnectClientAndServerWithTicketMethod(&client, &server, client_ctx.get(),
3384 server_ctx.get(), retry_count,
3385 failure_mode, nullptr);
3386 switch (failure_mode) {
3387 case ssl_test_ticket_aead_ok:
3388 case ssl_test_ticket_aead_open_hard_fail:
3389 case ssl_test_ticket_aead_open_soft_fail:
3390 ASSERT_TRUE(client);
3391 break;
3392 case ssl_test_ticket_aead_seal_fail:
3393 EXPECT_FALSE(client);
3394 return;
3395 }
3396 EXPECT_FALSE(SSL_session_reused(client.get()));
3397 EXPECT_FALSE(SSL_session_reused(server.get()));
3398
David Benjamin707af292017-03-10 17:47:18 -0500[diff] [blame]3399 // Run the read loop to account for post-handshake tickets in TLS 1.3.
3400 SSL_read(client.get(), nullptr, 0);
3401
3402 bssl::UniquePtr<SSL_SESSION> session = std::move(g_last_session);
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]3403 ConnectClientAndServerWithTicketMethod(&client, &server, client_ctx.get(),
3404 server_ctx.get(), retry_count,
David Benjamin707af292017-03-10 17:47:18 -0500[diff] [blame]3405 failure_mode, session.get());
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]3406 switch (failure_mode) {
3407 case ssl_test_ticket_aead_ok:
3408 ASSERT_TRUE(client);
3409 EXPECT_TRUE(SSL_session_reused(client.get()));
3410 EXPECT_TRUE(SSL_session_reused(server.get()));
3411 break;
3412 case ssl_test_ticket_aead_seal_fail:
3413 abort();
3414 break;
3415 case ssl_test_ticket_aead_open_hard_fail:
3416 EXPECT_FALSE(client);
3417 break;
3418 case ssl_test_ticket_aead_open_soft_fail:
3419 ASSERT_TRUE(client);
3420 EXPECT_FALSE(SSL_session_reused(client.get()));
3421 EXPECT_FALSE(SSL_session_reused(server.get()));
3422 }
3423}
3424
3425INSTANTIATE_TEST_CASE_P(
3426 TicketAEADMethodTests, TicketAEADMethodTest,
3427 testing::Combine(
David Benjamin707af292017-03-10 17:47:18 -0500[diff] [blame]3428 testing::Values(TLS1_2_VERSION, TLS1_3_VERSION),
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]3429 testing::Values(0, 1, 2),
3430 testing::Values(ssl_test_ticket_aead_ok,
3431 ssl_test_ticket_aead_seal_fail,
3432 ssl_test_ticket_aead_open_soft_fail,
3433 ssl_test_ticket_aead_open_hard_fail)));
3434
David Benjamin3cfeb952017-03-01 16:48:38 -0500[diff] [blame]3435TEST(SSLTest, SSL3Method) {
3436 bssl::UniquePtr<X509> cert = GetTestCertificate();
3437 ASSERT_TRUE(cert);
3438
3439 // For compatibility, SSLv3_method should work up to SSL_CTX_new and SSL_new.
3440 bssl::UniquePtr<SSL_CTX> ssl3_ctx(SSL_CTX_new(SSLv3_method()));
3441 ASSERT_TRUE(ssl3_ctx);
3442 ASSERT_TRUE(SSL_CTX_use_certificate(ssl3_ctx.get(), cert.get()));
3443 bssl::UniquePtr<SSL> ssl(SSL_new(ssl3_ctx.get()));
3444 EXPECT_TRUE(ssl);
3445
3446 // Create a normal TLS context to test against.
3447 bssl::UniquePtr<SSL_CTX> tls_ctx(SSL_CTX_new(TLS_method()));
3448 ASSERT_TRUE(tls_ctx);
3449 ASSERT_TRUE(SSL_CTX_use_certificate(tls_ctx.get(), cert.get()));
3450
3451 // However, handshaking an SSLv3_method server should fail to resolve the
3452 // version range. Explicit calls to SSL_CTX_set_min_proto_version are the only
3453 // way to enable SSL 3.0.
3454 bssl::UniquePtr<SSL> client, server;
3455 EXPECT_FALSE(ConnectClientAndServer(&client, &server, tls_ctx.get(),
3456 ssl3_ctx.get(),
3457 nullptr /* no session */));
3458 uint32_t err = ERR_get_error();
3459 EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err));
3460 EXPECT_EQ(SSL_R_NO_SUPPORTED_VERSIONS_ENABLED, ERR_GET_REASON(err));
3461
3462 // Likewise for SSLv3_method clients.
3463 EXPECT_FALSE(ConnectClientAndServer(&client, &server, ssl3_ctx.get(),
3464 tls_ctx.get(),
3465 nullptr /* no session */));
3466 err = ERR_get_error();
3467 EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err));
3468 EXPECT_EQ(SSL_R_NO_SUPPORTED_VERSIONS_ENABLED, ERR_GET_REASON(err));
3469}
3470
David Benjaminca743582017-06-15 17:51:35 -0400[diff] [blame]3471TEST(SSLTest, SelectNextProto) {
3472 uint8_t *result;
3473 uint8_t result_len;
3474
3475 // If there is an overlap, it should be returned.
3476 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
3477 SSL_select_next_proto(&result, &result_len,
3478 (const uint8_t *)"\1a\2bb\3ccc", 9,
3479 (const uint8_t *)"\1x\1y\1a\1z", 8));
3480 EXPECT_EQ(Bytes("a"), Bytes(result, result_len));
3481
3482 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
3483 SSL_select_next_proto(&result, &result_len,
3484 (const uint8_t *)"\1a\2bb\3ccc", 9,
3485 (const uint8_t *)"\1x\1y\2bb\1z", 9));
3486 EXPECT_EQ(Bytes("bb"), Bytes(result, result_len));
3487
3488 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
3489 SSL_select_next_proto(&result, &result_len,
3490 (const uint8_t *)"\1a\2bb\3ccc", 9,
3491 (const uint8_t *)"\1x\1y\3ccc\1z", 10));
3492 EXPECT_EQ(Bytes("ccc"), Bytes(result, result_len));
3493
3494 // Peer preference order takes precedence over local.
3495 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
3496 SSL_select_next_proto(&result, &result_len,
3497 (const uint8_t *)"\1a\2bb\3ccc", 9,
3498 (const uint8_t *)"\3ccc\2bb\1a", 9));
3499 EXPECT_EQ(Bytes("a"), Bytes(result, result_len));
3500
3501 // If there is no overlap, return the first local protocol.
3502 EXPECT_EQ(OPENSSL_NPN_NO_OVERLAP,
3503 SSL_select_next_proto(&result, &result_len,
3504 (const uint8_t *)"\1a\2bb\3ccc", 9,
3505 (const uint8_t *)"\1x\2yy\3zzz", 9));
3506 EXPECT_EQ(Bytes("x"), Bytes(result, result_len));
3507
3508 EXPECT_EQ(OPENSSL_NPN_NO_OVERLAP,
3509 SSL_select_next_proto(&result, &result_len, nullptr, 0,
3510 (const uint8_t *)"\1x\2yy\3zzz", 9));
3511 EXPECT_EQ(Bytes("x"), Bytes(result, result_len));
3512}
3513
David Benjamin96628432017-01-19 19:05:47 -0500[diff] [blame]3514// TODO(davidben): Convert this file to GTest properly.
3515TEST(SSLTest, AllTests) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]3516 if (!TestSSL_SESSIONEncoding(kOpenSSLSession) ||
Adam Langley10f97f32016-07-12 08:09:33 -0700[diff] [blame]3517 !TestSSL_SESSIONEncoding(kCustomSession) ||
3518 !TestSSL_SESSIONEncoding(kBoringSSLSession) ||
3519 !TestBadSSL_SESSIONEncoding(kBadSessionExtraField) ||
3520 !TestBadSSL_SESSIONEncoding(kBadSessionVersion) ||
3521 !TestBadSSL_SESSIONEncoding(kBadSessionTrailingData) ||
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]3522 // Test the padding extension at TLS 1.2.
3523 !TestPaddingExtension(TLS1_2_VERSION, TLS1_2_VERSION) ||
3524 // Test the padding extension at TLS 1.3 with a TLS 1.2 session, so there
3525 // will be no PSK binder after the padding extension.
3526 !TestPaddingExtension(TLS1_3_VERSION, TLS1_2_VERSION) ||
3527 // Test the padding extension at TLS 1.3 with a TLS 1.3 session, so there
3528 // will be a PSK binder after the padding extension.
3529 !TestPaddingExtension(TLS1_3_VERSION, TLS1_3_DRAFT_VERSION) ||
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3530 !ForEachVersion(TestSequenceNumber) ||
David Benjamin68f37b72016-11-18 15:14:42 +0900[diff] [blame]3531 !ForEachVersion(TestOneSidedShutdown) ||
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3532 !ForEachVersion(TestGetPeerCertificate) ||
3533 !ForEachVersion(TestRetainOnlySHA256OfCerts) ||
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]3534 !TestClientHello() ||
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3535 !ForEachVersion(TestSessionIDContext) ||
3536 !ForEachVersion(TestSessionTimeout) ||
3537 !ForEachVersion(TestSNICallback) ||
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3538 !ForEachVersion(TestVersion) ||
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]3539 !ForEachVersion(TestALPNCipherAvailable) ||
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]3540 !ForEachVersion(TestSSLClearSessionResumption) ||
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]3541 !ForEachVersion(TestAutoChain) ||
3542 !ForEachVersion(TestSSLWriteRetry)) {
David Benjamin96628432017-01-19 19:05:47 -0500[diff] [blame]3543 ADD_FAILURE() << "Tests failed";
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]3544 }
David Benjamin2e521212014-07-16 14:37:51 -0400[diff] [blame]3545}