Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / 71dfad4d108a520ef85922c13cb95395fba0ddef / . / ssl / ssl_test.cc
blob: bf546da43541b944ab3c14032d7c81886910edf7 [file] [log] [blame]
David Benjamin2e521212014-07-16 14:37:51 -0400[diff] [blame]1/* Copyright (c) 2014, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15#include <stdio.h>
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]16#include <string.h>
David Benjamin1269ddd2015-10-18 15:18:55 -0400[diff] [blame]17#include <time.h>
David Benjamin2e521212014-07-16 14:37:51 -0400[diff] [blame]18
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]19#include <algorithm>
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]20#include <string>
David Benjamin4f6acaf2015-11-21 03:00:50 -0500[diff] [blame]21#include <utility>
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]22#include <vector>
23
David Benjamin96628432017-01-19 19:05:47 -0500[diff] [blame]24#include <gtest/gtest.h>
25
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]26#include <openssl/base64.h>
27#include <openssl/bio.h>
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]28#include <openssl/cipher.h>
David Benjamin7a1eefd2015-10-17 23:39:22 -0400[diff] [blame]29#include <openssl/crypto.h>
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]30#include <openssl/err.h>
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]31#include <openssl/hmac.h>
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]32#include <openssl/pem.h>
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]33#include <openssl/sha.h>
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]34#include <openssl/ssl.h>
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]35#include <openssl/rand.h>
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]36#include <openssl/x509.h>
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]37
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]38#include "internal.h"
Steven Valdezcb966542016-08-17 16:56:14 -0400[diff] [blame]39#include "../crypto/internal.h"
Sigbjorn Vik2b23d242015-06-29 15:07:26 +0200[diff] [blame]40#include "../crypto/test/test_util.h"
41
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]42#if defined(OPENSSL_WINDOWS)
43/* Windows defines struct timeval in winsock2.h. */
44OPENSSL_MSVC_PRAGMA(warning(push, 3))
45#include <winsock2.h>
46OPENSSL_MSVC_PRAGMA(warning(pop))
47#else
48#include <sys/time.h>
49#endif
50
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]51
52struct ExpectedCipher {
53 unsigned long id;
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]54 int in_group_flag;
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]55};
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]56
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]57struct CipherTest {
58 // The rule string to apply.
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]59 const char *rule;
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]60 // The list of expected ciphers, in order.
61 std::vector<ExpectedCipher> expected;
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]62 // True if this cipher list should fail in strict mode.
63 bool strict_fail;
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]64};
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]65
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]66struct CurveTest {
67 // The rule string to apply.
68 const char *rule;
69 // The list of expected curves, in order.
70 std::vector<uint16_t> expected;
71};
72
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]73static const CipherTest kCipherTests[] = {
74 // Selecting individual ciphers should work.
75 {
76 "ECDHE-ECDSA-CHACHA20-POLY1305:"
77 "ECDHE-RSA-CHACHA20-POLY1305:"
78 "ECDHE-ECDSA-AES128-GCM-SHA256:"
79 "ECDHE-RSA-AES128-GCM-SHA256",
80 {
81 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]82 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]83 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
84 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
85 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]86 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]87 },
88 // + reorders selected ciphers to the end, keeping their relative order.
89 {
90 "ECDHE-ECDSA-CHACHA20-POLY1305:"
91 "ECDHE-RSA-CHACHA20-POLY1305:"
92 "ECDHE-ECDSA-AES128-GCM-SHA256:"
93 "ECDHE-RSA-AES128-GCM-SHA256:"
94 "+aRSA",
95 {
96 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]97 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
98 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]99 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
100 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]101 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]102 },
103 // ! banishes ciphers from future selections.
104 {
105 "!aRSA:"
106 "ECDHE-ECDSA-CHACHA20-POLY1305:"
107 "ECDHE-RSA-CHACHA20-POLY1305:"
108 "ECDHE-ECDSA-AES128-GCM-SHA256:"
109 "ECDHE-RSA-AES128-GCM-SHA256",
110 {
111 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]112 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
113 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]114 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]115 },
116 // Multiple masks can be ANDed in a single rule.
117 {
118 "kRSA+AESGCM+AES128",
119 {
120 {TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0},
121 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]122 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]123 },
124 // - removes selected ciphers, but preserves their order for future
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]125 // selections. Select AES_128_GCM, but order the key exchanges RSA,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]126 // ECDHE_RSA.
127 {
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]128 "ALL:-kECDHE:"
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]129 "-kRSA:-ALL:"
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]130 "AESGCM+AES128+aRSA",
131 {
132 {TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]133 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
134 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]135 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]136 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]137 // Unknown selectors are no-ops, except in strict mode.
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]138 {
139 "ECDHE-ECDSA-CHACHA20-POLY1305:"
140 "ECDHE-RSA-CHACHA20-POLY1305:"
141 "ECDHE-ECDSA-AES128-GCM-SHA256:"
142 "ECDHE-RSA-AES128-GCM-SHA256:"
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]143 "BOGUS1",
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]144 {
145 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]146 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]147 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
148 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
149 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]150 true,
151 },
152 // Unknown selectors are no-ops, except in strict mode.
153 {
154 "ECDHE-ECDSA-CHACHA20-POLY1305:"
155 "ECDHE-RSA-CHACHA20-POLY1305:"
156 "ECDHE-ECDSA-AES128-GCM-SHA256:"
157 "ECDHE-RSA-AES128-GCM-SHA256:"
158 "-BOGUS2:+BOGUS3:!BOGUS4",
159 {
160 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
161 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
162 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
163 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
164 },
165 true,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]166 },
167 // Square brackets specify equi-preference groups.
168 {
169 "[ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES128-GCM-SHA256]:"
170 "[ECDHE-RSA-CHACHA20-POLY1305]:"
171 "ECDHE-RSA-AES128-GCM-SHA256",
172 {
173 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 1},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]174 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
Adam Langley2e839242017-01-19 15:12:44 -0800[diff] [blame]175 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]176 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
177 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]178 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]179 },
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]180 // Standard names may be used instead of OpenSSL names.
181 {
182 "[TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|"
David Benjaminbf5f1922017-07-01 11:13:53 -0400[diff] [blame]183 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]:"
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]184 "[TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256]:"
185 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
186 {
187 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 1},
188 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
189 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
190 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
191 },
192 false,
193 },
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]194 // @STRENGTH performs a stable strength-sort of the selected ciphers and
195 // only the selected ciphers.
196 {
197 // To simplify things, banish all but {ECDHE_RSA,RSA} x
Matthew Braithwaite8aaa9e12016-09-07 15:09:58 -0700[diff] [blame]198 // {CHACHA20,AES_256_CBC,AES_128_CBC} x SHA1.
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]199 "!AESGCM:!3DES:!SHA256:!SHA384:"
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]200 // Order some ciphers backwards by strength.
Matthew Braithwaite8aaa9e12016-09-07 15:09:58 -0700[diff] [blame]201 "ALL:-CHACHA20:-AES256:-AES128:-ALL:"
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]202 // Select ECDHE ones and sort them by strength. Ties should resolve
203 // based on the order above.
204 "kECDHE:@STRENGTH:-ALL:"
205 // Now bring back everything uses RSA. ECDHE_RSA should be first, sorted
206 // by strength. Then RSA, backwards by strength.
207 "aRSA",
208 {
209 {TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, 0},
210 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]211 {TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]212 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
213 {TLS1_CK_RSA_WITH_AES_256_SHA, 0},
214 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]215 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]216 },
David Benjaminbf5f1922017-07-01 11:13:53 -0400[diff] [blame]217 // Additional masks after @STRENGTH get silently discarded.
218 //
219 // TODO(davidben): Make this an error. If not silently discarded, they get
220 // interpreted as + opcodes which are very different.
221 {
222 "ECDHE-RSA-AES128-GCM-SHA256:"
223 "ECDHE-RSA-AES256-GCM-SHA384:"
224 "@STRENGTH+AES256",
225 {
226 {TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 0},
227 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
228 },
229 false,
230 },
231 {
232 "ECDHE-RSA-AES128-GCM-SHA256:"
233 "ECDHE-RSA-AES256-GCM-SHA384:"
234 "@STRENGTH+AES256:"
235 "ECDHE-RSA-CHACHA20-POLY1305",
236 {
237 {TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 0},
238 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
239 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
240 },
241 false,
242 },
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]243 // Exact ciphers may not be used in multi-part rules; they are treated
244 // as unknown aliases.
245 {
246 "ECDHE-ECDSA-AES128-GCM-SHA256:"
247 "ECDHE-RSA-AES128-GCM-SHA256:"
248 "!ECDHE-RSA-AES128-GCM-SHA256+RSA:"
249 "!ECDSA+ECDHE-ECDSA-AES128-GCM-SHA256",
250 {
251 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
252 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
253 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]254 true,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]255 },
256 // SSLv3 matches everything that existed before TLS 1.2.
257 {
258 "AES128-SHA:AES128-SHA256:!SSLv3",
259 {
260 {TLS1_CK_RSA_WITH_AES_128_SHA256, 0},
261 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]262 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]263 },
264 // TLSv1.2 matches everything added in TLS 1.2.
265 {
266 "AES128-SHA:AES128-SHA256:!TLSv1.2",
267 {
268 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
269 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]270 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]271 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]272 // The two directives have no intersection. But each component is valid, so
273 // even in strict mode it is accepted.
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]274 {
275 "AES128-SHA:AES128-SHA256:!TLSv1.2+SSLv3",
276 {
277 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
278 {TLS1_CK_RSA_WITH_AES_128_SHA256, 0},
279 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]280 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]281 },
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]282};
283
284static const char *kBadRules[] = {
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]285 // Invalid brackets.
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]286 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256",
287 "RSA]",
288 "[[RSA]]",
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]289 // Operators inside brackets.
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]290 "[+RSA]",
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]291 // Unknown directive.
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]292 "@BOGUS",
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]293 // Empty cipher lists error at SSL_CTX_set_cipher_list.
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]294 "",
295 "BOGUS",
David Benjamin32fbdf22015-04-07 01:14:06 -0400[diff] [blame]296 // COMPLEMENTOFDEFAULT is empty.
297 "COMPLEMENTOFDEFAULT",
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]298 // Invalid command.
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]299 "?BAR",
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]300 // Special operators are not allowed if groups are used.
David Benjamin37d92462014-09-20 17:54:24 -0400[diff] [blame]301 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:+FOO",
302 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:!FOO",
303 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:-FOO",
304 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:@STRENGTH",
Adam Langleyf99f2442016-10-02 09:53:38 -0700[diff] [blame]305 // Opcode supplied, but missing selector.
306 "+",
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]307};
308
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]309static const char *kMustNotIncludeNull[] = {
310 "ALL",
311 "DEFAULT",
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]312 "HIGH",
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]313 "FIPS",
314 "SHA",
315 "SHA1",
316 "RSA",
317 "SSLv3",
318 "TLSv1",
319 "TLSv1.2",
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]320};
321
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]322static const CurveTest kCurveTests[] = {
323 {
324 "P-256",
325 { SSL_CURVE_SECP256R1 },
326 },
327 {
328 "P-256:P-384:P-521:X25519",
329 {
330 SSL_CURVE_SECP256R1,
331 SSL_CURVE_SECP384R1,
332 SSL_CURVE_SECP521R1,
333 SSL_CURVE_X25519,
334 },
335 },
336};
337
338static const char *kBadCurvesLists[] = {
339 "",
340 ":",
341 "::",
342 "P-256::X25519",
343 "RSA:P-256",
344 "P-256:RSA",
345 "X25519:P-256:",
346 ":X25519:P-256",
347};
348
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]349static std::string CipherListToString(ssl_cipher_preference_list_st *list) {
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]350 bool in_group = false;
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]351 std::string ret;
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]352 for (size_t i = 0; i < sk_SSL_CIPHER_num(list->ciphers); i++) {
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]353 const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(list->ciphers, i);
354 if (!in_group && list->in_group_flags[i]) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]355 ret += "\t[\n";
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]356 in_group = true;
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]357 }
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]358 ret += "\t";
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]359 if (in_group) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]360 ret += " ";
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]361 }
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]362 ret += SSL_CIPHER_get_name(cipher);
363 ret += "\n";
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]364 if (in_group && !list->in_group_flags[i]) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]365 ret += "\t]\n";
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]366 in_group = false;
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]367 }
368 }
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]369 return ret;
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]370}
371
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]372static bool CipherListsEqual(ssl_cipher_preference_list_st *list,
373 const std::vector<ExpectedCipher> &expected) {
374 if (sk_SSL_CIPHER_num(list->ciphers) != expected.size()) {
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]375 return false;
David Benjamin65226252015-02-05 16:49:47 -0500[diff] [blame]376 }
377
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]378 for (size_t i = 0; i < expected.size(); i++) {
379 const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(list->ciphers, i);
380 if (expected[i].id != SSL_CIPHER_get_id(cipher) ||
381 expected[i].in_group_flag != list->in_group_flags[i]) {
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]382 return false;
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]383 }
384 }
385
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]386 return true;
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]387}
388
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]389TEST(SSLTest, CipherRules) {
390 for (const CipherTest &t : kCipherTests) {
391 SCOPED_TRACE(t.rule);
392 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
393 ASSERT_TRUE(ctx);
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]394
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]395 // Test lax mode.
396 ASSERT_TRUE(SSL_CTX_set_cipher_list(ctx.get(), t.rule));
397 EXPECT_TRUE(CipherListsEqual(ctx->cipher_list, t.expected))
398 << "Cipher rule evaluated to:\n"
399 << CipherListToString(ctx->cipher_list);
400
401 // Test strict mode.
402 if (t.strict_fail) {
403 EXPECT_FALSE(SSL_CTX_set_strict_cipher_list(ctx.get(), t.rule));
404 } else {
405 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(ctx.get(), t.rule));
406 EXPECT_TRUE(CipherListsEqual(ctx->cipher_list, t.expected))
407 << "Cipher rule evaluated to:\n"
408 << CipherListToString(ctx->cipher_list);
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]409 }
410 }
411
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]412 for (const char *rule : kBadRules) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]413 SCOPED_TRACE(rule);
414 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
415 ASSERT_TRUE(ctx);
416
417 EXPECT_FALSE(SSL_CTX_set_cipher_list(ctx.get(), rule));
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]418 ERR_clear_error();
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]419 }
420
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]421 for (const char *rule : kMustNotIncludeNull) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]422 SCOPED_TRACE(rule);
423 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
424 ASSERT_TRUE(ctx);
425
426 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(ctx.get(), rule));
427 for (size_t i = 0; i < sk_SSL_CIPHER_num(ctx->cipher_list->ciphers); i++) {
428 EXPECT_FALSE(SSL_CIPHER_is_NULL(
429 sk_SSL_CIPHER_value(ctx->cipher_list->ciphers, i)));
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]430 }
431 }
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]432}
David Benjamin2e521212014-07-16 14:37:51 -0400[diff] [blame]433
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]434TEST(SSLTest, CurveRules) {
435 for (const CurveTest &t : kCurveTests) {
436 SCOPED_TRACE(t.rule);
437 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
438 ASSERT_TRUE(ctx);
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]439
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]440 ASSERT_TRUE(SSL_CTX_set1_curves_list(ctx.get(), t.rule));
441 ASSERT_EQ(t.expected.size(), ctx->supported_group_list_len);
442 for (size_t i = 0; i < t.expected.size(); i++) {
443 EXPECT_EQ(t.expected[i], ctx->supported_group_list[i]);
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]444 }
445 }
446
447 for (const char *rule : kBadCurvesLists) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]448 SCOPED_TRACE(rule);
449 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
450 ASSERT_TRUE(ctx);
451
452 EXPECT_FALSE(SSL_CTX_set1_curves_list(ctx.get(), rule));
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]453 ERR_clear_error();
454 }
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]455}
456
Adam Langley364f7a62016-12-12 10:51:00 -0800[diff] [blame]457// kOpenSSLSession is a serialized SSL_SESSION.
Adam Langley10f97f32016-07-12 08:09:33 -0700[diff] [blame]458static const char kOpenSSLSession[] =
Adam Langley364f7a62016-12-12 10:51:00 -0800[diff] [blame]459 "MIIFqgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
Adam Langley10f97f32016-07-12 08:09:33 -0700[diff] [blame]460 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
461 "IWoJoQYCBFRDO46iBAICASyjggR6MIIEdjCCA16gAwIBAgIIK9dUvsPWSlUwDQYJ"
462 "KoZIhvcNAQEFBQAwSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMx"
463 "JTAjBgNVBAMTHEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTQxMDA4"
464 "MTIwNzU3WhcNMTUwMTA2MDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwK"
465 "Q2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29v"
466 "Z2xlIEluYzEXMBUGA1UEAwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEB"
467 "AQUAA4IBDwAwggEKAoIBAQCcKeLrplAC+Lofy8t/wDwtB6eu72CVp0cJ4V3lknN6"
468 "huH9ct6FFk70oRIh/VBNBBz900jYy+7111Jm1b8iqOTQ9aT5C7SEhNcQFJvqzH3e"
469 "MPkb6ZSWGm1yGF7MCQTGQXF20Sk/O16FSjAynU/b3oJmOctcycWYkY0ytS/k3LBu"
470 "Id45PJaoMqjB0WypqvNeJHC3q5JjCB4RP7Nfx5jjHSrCMhw8lUMW4EaDxjaR9KDh"
471 "PLgjsk+LDIySRSRDaCQGhEOWLJZVLzLo4N6/UlctCHEllpBUSvEOyFga52qroGjg"
472 "rf3WOQ925MFwzd6AK+Ich0gDRg8sQfdLH5OuP1cfLfU1AgMBAAGjggFBMIIBPTAd"
473 "BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdv"
474 "b2dsZS5jb20waAYIKwYBBQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtp"
475 "Lmdvb2dsZS5jb20vR0lBRzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50"
476 "czEuZ29vZ2xlLmNvbS9vY3NwMB0GA1UdDgQWBBQ7a+CcxsZByOpc+xpYFcIbnUMZ"
477 "hTAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEv"
478 "MBcGA1UdIAQQMA4wDAYKKwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRw"
479 "Oi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQCa"
480 "OXCBdoqUy5bxyq+Wrh1zsyyCFim1PH5VU2+yvDSWrgDY8ibRGJmfff3r4Lud5kal"
481 "dKs9k8YlKD3ITG7P0YT/Rk8hLgfEuLcq5cc0xqmE42xJ+Eo2uzq9rYorc5emMCxf"
482 "5L0TJOXZqHQpOEcuptZQ4OjdYMfSxk5UzueUhA3ogZKRcRkdB3WeWRp+nYRhx4St"
483 "o2rt2A0MKmY9165GHUqMK9YaaXHDXqBu7Sefr1uSoAP9gyIJKeihMivsGqJ1TD6Z"
484 "cc6LMe+dN2P8cZEQHtD1y296ul4Mivqk3jatUVL8/hCwgch9A8O4PGZq9WqBfEWm"
485 "IyHh1dPtbg1lOXdYCWtjpAIEAKUDAgEUqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36S"
486 "YTcLEkXqKwOBfF9vE4KX0NxeLwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9B"
487 "sNHM362zZnY27GpTw+Kwd751CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yE"
488 "OTDKPNj3+inbMaVigtK4PLyPq+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdA"
Adam Langley364f7a62016-12-12 10:51:00 -0800[diff] [blame]489 "i4gv7Y5oliyntgMBAQA=";
Adam Langley10f97f32016-07-12 08:09:33 -0700[diff] [blame]490
491// kCustomSession is a custom serialized SSL_SESSION generated by
492// filling in missing fields from |kOpenSSLSession|. This includes
493// providing |peer_sha256|, so |peer| is not serialized.
494static const char kCustomSession[] =
495 "MIIBdgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
496 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
497 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
498 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
499 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
500 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
501 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
502 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBLADBAEF";
503
504// kBoringSSLSession is a serialized SSL_SESSION generated from bssl client.
505static const char kBoringSSLSession[] =
506 "MIIRwQIBAQICAwMEAsAvBCDdoGxGK26mR+8lM0uq6+k9xYuxPnwAjpcF9n0Yli9R"
507 "kQQwbyshfWhdi5XQ1++7n2L1qqrcVlmHBPpr6yknT/u4pUrpQB5FZ7vqvNn8MdHf"
508 "9rWgoQYCBFXgs7uiBAICHCCjggR6MIIEdjCCA16gAwIBAgIIf+yfD7Y6UicwDQYJ"
509 "KoZIhvcNAQELBQAwSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMx"
510 "JTAjBgNVBAMTHEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTUwODEy"
511 "MTQ1MzE1WhcNMTUxMTEwMDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwK"
512 "Q2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29v"
513 "Z2xlIEluYzEXMBUGA1UEAwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEB"
514 "AQUAA4IBDwAwggEKAoIBAQC0MeG5YGQ0t+IeJeoneP/PrhEaieibeKYkbKVLNZpo"
515 "PLuBinvhkXZo3DC133NpCBpy6ZktBwamqyixAyuk/NU6OjgXqwwxfQ7di1AInLIU"
516 "792c7hFyNXSUCG7At8Ifi3YwBX9Ba6u/1d6rWTGZJrdCq3QU11RkKYyTq2KT5mce"
517 "Tv9iGKqSkSTlp8puy/9SZ/3DbU3U+BuqCFqeSlz7zjwFmk35acdCilpJlVDDN5C/"
518 "RCh8/UKc8PaL+cxlt531qoTENvYrflBno14YEZlCBZsPiFeUSILpKEj3Ccwhy0eL"
519 "EucWQ72YZU8mUzXBoXGn0zA0crFl5ci/2sTBBGZsylNBAgMBAAGjggFBMIIBPTAd"
520 "BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdv"
521 "b2dsZS5jb20waAYIKwYBBQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtp"
522 "Lmdvb2dsZS5jb20vR0lBRzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50"
523 "czEuZ29vZ2xlLmNvbS9vY3NwMB0GA1UdDgQWBBS/bzHxcE73Q4j3slC4BLbMtLjG"
524 "GjAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEv"
525 "MBcGA1UdIAQQMA4wDAYKKwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRw"
526 "Oi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQAb"
527 "qdWPZEHk0X7iKPCTHL6S3w6q1eR67goxZGFSM1lk1hjwyu7XcLJuvALVV9uY3ovE"
528 "kQZSHwT+pyOPWQhsSjO+1GyjvCvK/CAwiUmBX+bQRGaqHsRcio7xSbdVcajQ3bXd"
529 "X+s0WdbOpn6MStKAiBVloPlSxEI8pxY6x/BBCnTIk/+DMB17uZlOjG3vbAnkDkP+"
530 "n0OTucD9sHV7EVj9XUxi51nOfNBCN/s7lpUjDS/NJ4k3iwOtbCPswiot8vLO779a"
531 "f07vR03r349Iz/KTzk95rlFtX0IU+KYNxFNsanIXZ+C9FYGRXkwhHcvFb4qMUB1y"
532 "TTlM80jBMOwyjZXmjRAhpAIEAKUDAgEUqQUCAwGJwKqBpwSBpOgebbmn9NRUtMWH"
533 "+eJpqA5JLMFSMCChOsvKey3toBaCNGU7HfAEiiXNuuAdCBoK262BjQc2YYfqFzqH"
534 "zuppopXCvhohx7j/tnCNZIMgLYt/O9SXK2RYI5z8FhCCHvB4CbD5G0LGl5EFP27s"
535 "Jb6S3aTTYPkQe8yZSlxevg6NDwmTogLO9F7UUkaYmVcMQhzssEE2ZRYNwSOU6KjE"
536 "0Yj+8fAiBtbQriIEIN2L8ZlpaVrdN5KFNdvcmOxJu81P8q53X55xQyGTnGWwsgMC"
537 "ARezggvvMIIEdjCCA16gAwIBAgIIf+yfD7Y6UicwDQYJKoZIhvcNAQELBQAwSTEL"
538 "MAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2ds"
539 "ZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTUwODEyMTQ1MzE1WhcNMTUxMTEw"
540 "MDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQG"
541 "A1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UE"
542 "AwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB"
543 "AQC0MeG5YGQ0t+IeJeoneP/PrhEaieibeKYkbKVLNZpoPLuBinvhkXZo3DC133Np"
544 "CBpy6ZktBwamqyixAyuk/NU6OjgXqwwxfQ7di1AInLIU792c7hFyNXSUCG7At8If"
545 "i3YwBX9Ba6u/1d6rWTGZJrdCq3QU11RkKYyTq2KT5mceTv9iGKqSkSTlp8puy/9S"
546 "Z/3DbU3U+BuqCFqeSlz7zjwFmk35acdCilpJlVDDN5C/RCh8/UKc8PaL+cxlt531"
547 "qoTENvYrflBno14YEZlCBZsPiFeUSILpKEj3Ccwhy0eLEucWQ72YZU8mUzXBoXGn"
548 "0zA0crFl5ci/2sTBBGZsylNBAgMBAAGjggFBMIIBPTAdBgNVHSUEFjAUBggrBgEF"
549 "BQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYB"
550 "BQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lB"
551 "RzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9v"
552 "Y3NwMB0GA1UdDgQWBBS/bzHxcE73Q4j3slC4BLbMtLjGGjAMBgNVHRMBAf8EAjAA"
553 "MB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMBcGA1UdIAQQMA4wDAYK"
554 "KwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRwOi8vcGtpLmdvb2dsZS5j"
555 "b20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQAbqdWPZEHk0X7iKPCTHL6S"
556 "3w6q1eR67goxZGFSM1lk1hjwyu7XcLJuvALVV9uY3ovEkQZSHwT+pyOPWQhsSjO+"
557 "1GyjvCvK/CAwiUmBX+bQRGaqHsRcio7xSbdVcajQ3bXdX+s0WdbOpn6MStKAiBVl"
558 "oPlSxEI8pxY6x/BBCnTIk/+DMB17uZlOjG3vbAnkDkP+n0OTucD9sHV7EVj9XUxi"
559 "51nOfNBCN/s7lpUjDS/NJ4k3iwOtbCPswiot8vLO779af07vR03r349Iz/KTzk95"
560 "rlFtX0IU+KYNxFNsanIXZ+C9FYGRXkwhHcvFb4qMUB1yTTlM80jBMOwyjZXmjRAh"
561 "MIID8DCCAtigAwIBAgIDAjqDMA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT"
562 "MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i"
563 "YWwgQ0EwHhcNMTMwNDA1MTUxNTU2WhcNMTYxMjMxMjM1OTU5WjBJMQswCQYDVQQG"
564 "EwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVy"
565 "bmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB"
566 "AJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NP"
567 "VaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtv"
568 "h8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rE"
569 "ahqyzFPdFUuLH8gZYR/Nnag+YyuENWllhMgZxUYi+FOVvuOAShDGKuy6lyARxzmZ"
570 "EASg8GF6lSWMTlJ14rbtCMoU/M4iarNOz0YDl5cDfsCx3nuvRTPPuj5xt970JSXC"
571 "DTWJnZ37DhF5iR43xa+OcmkCAwEAAaOB5zCB5DAfBgNVHSMEGDAWgBTAephojYn7"
572 "qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1dvWBtrtiGrpagS8wDgYD"
573 "VR0PAQH/BAQDAgEGMC4GCCsGAQUFBwEBBCIwIDAeBggrBgEFBQcwAYYSaHR0cDov"
574 "L2cuc3ltY2QuY29tMBIGA1UdEwEB/wQIMAYBAf8CAQAwNQYDVR0fBC4wLDAqoCig"
575 "JoYkaHR0cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9iYWwuY3JsMBcGA1UdIAQQ"
576 "MA4wDAYKKwYBBAHWeQIFATANBgkqhkiG9w0BAQsFAAOCAQEAqvqpIM1qZ4PtXtR+"
577 "3h3Ef+AlBgDFJPupyC1tft6dgmUsgWM0Zj7pUsIItMsv91+ZOmqcUHqFBYx90SpI"
578 "hNMJbHzCzTWf84LuUt5oX+QAihcglvcpjZpNy6jehsgNb1aHA30DP9z6eX0hGfnI"
579 "Oi9RdozHQZJxjyXON/hKTAAj78Q1EK7gI4BzfE00LshukNYQHpmEcxpw8u1VDu4X"
580 "Bupn7jLrLN1nBz/2i8Jw3lsA5rsb0zYaImxssDVCbJAJPZPpZAkiDoUGn8JzIdPm"
581 "X4DkjYUiOnMDsWCOrmji9D6X52ASCWg23jrW4kOVWzeBkoEfu43XrVJkFleW2V40"
582 "fsg12DCCA30wggLmoAMCAQICAxK75jANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQG"
583 "EwJVUzEQMA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUg"
584 "Q2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTAyMDUyMTA0MDAwMFoXDTE4MDgyMTA0"
585 "MDAwMFowQjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUdlb1RydXN0IEluYy4xGzAZ"
586 "BgNVBAMTEkdlb1RydXN0IEdsb2JhbCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP"
587 "ADCCAQoCggEBANrMGGMw/fQXIxpWflvfPGw45HG3eJHUvKHYTPioQ7YD6U0hBwiI"
588 "2lgvZjkpvQV4i5046AW3an5xpObEYKaw74DkiSgPniXW7YPzraaRx5jJQhg1FJ2t"
589 "mEaSLk/K8YdDwRaVVy1Q74ktgHpXrfLuX2vSAI25FPgUFTXZwEaje3LIkb/JVSvN"
590 "0Jc+nCZkzN/Ogxlxyk7m1NV7qRnNVd7I7NJeOFPlXE+MLf5QIzb8ZubLjqQ5GQC3"
591 "lQI5kQsO/jgu0R0FmvZNPm8PBx2vLB6PYDni+jZTEznUXiYr2z2oFL0y6xgDKFIE"
592 "ceWrMz3hOLsHNoRinHnqFjD0X8Ar6HFr5PkCAwEAAaOB8DCB7TAfBgNVHSMEGDAW"
593 "gBRI5mj5K9KylddH2CMgEE8zmJCf1DAdBgNVHQ4EFgQUwHqYaI2J+6sFZAwRfap9"
594 "ZbjKzE4wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwOgYDVR0fBDMw"
595 "MTAvoC2gK4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20vY3Jscy9zZWN1cmVjYS5j"
596 "cmwwTgYDVR0gBEcwRTBDBgRVHSAAMDswOQYIKwYBBQUHAgEWLWh0dHBzOi8vd3d3"
597 "Lmdlb3RydXN0LmNvbS9yZXNvdXJjZXMvcmVwb3NpdG9yeTANBgkqhkiG9w0BAQUF"
598 "AAOBgQB24RJuTksWEoYwBrKBCM/wCMfHcX5m7sLt1Dsf//DwyE7WQziwuTB9GNBV"
599 "g6JqyzYRnOhIZqNtf7gT1Ef+i1pcc/yu2RsyGTirlzQUqpbS66McFAhJtrvlke+D"
600 "NusdVm/K2rxzY5Dkf3s+Iss9B+1fOHSc4wNQTqGvmO5h8oQ/Eg==";
601
602// kBadSessionExtraField is a custom serialized SSL_SESSION generated by replacing
603// the final (optional) element of |kCustomSession| with tag number 30.
604static const char kBadSessionExtraField[] =
605 "MIIBdgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
606 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
607 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
608 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
609 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
610 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
611 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
612 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBL4DBAEF";
613
614// kBadSessionVersion is a custom serialized SSL_SESSION generated by replacing
615// the version of |kCustomSession| with 2.
616static const char kBadSessionVersion[] =
617 "MIIBdgIBAgICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
618 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
619 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
620 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
621 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
622 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
623 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
624 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBLADBAEF";
625
626// kBadSessionTrailingData is a custom serialized SSL_SESSION with trailing data
627// appended.
628static const char kBadSessionTrailingData[] =
629 "MIIBdgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
630 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
631 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
632 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
633 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
634 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
635 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
636 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBLADBAEFAAAA";
637
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]638static bool DecodeBase64(std::vector<uint8_t> *out, const char *in) {
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]639 size_t len;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]640 if (!EVP_DecodedLength(&len, strlen(in))) {
641 fprintf(stderr, "EVP_DecodedLength failed\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]642 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]643 }
644
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]645 out->resize(len);
David Benjaminef14b2d2015-11-11 14:01:27 -0800[diff] [blame]646 if (!EVP_DecodeBase64(out->data(), &len, len, (const uint8_t *)in,
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]647 strlen(in))) {
648 fprintf(stderr, "EVP_DecodeBase64 failed\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]649 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]650 }
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]651 out->resize(len);
652 return true;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]653}
654
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]655static bool TestSSL_SESSIONEncoding(const char *input_b64) {
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]656 const uint8_t *cptr;
657 uint8_t *ptr;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]658
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]659 // Decode the input.
660 std::vector<uint8_t> input;
661 if (!DecodeBase64(&input, input_b64)) {
662 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]663 }
664
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]665 // Verify the SSL_SESSION decodes.
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]666 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
667 if (!ssl_ctx) {
668 return false;
669 }
670 bssl::UniquePtr<SSL_SESSION> session(
671 SSL_SESSION_from_bytes(input.data(), input.size(), ssl_ctx.get()));
David Benjaminfd67aa82015-06-15 19:41:48 -0400[diff] [blame]672 if (!session) {
673 fprintf(stderr, "SSL_SESSION_from_bytes failed\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]674 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]675 }
676
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]677 // Verify the SSL_SESSION encoding round-trips.
678 size_t encoded_len;
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]679 bssl::UniquePtr<uint8_t> encoded;
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]680 uint8_t *encoded_raw;
681 if (!SSL_SESSION_to_bytes(session.get(), &encoded_raw, &encoded_len)) {
David Benjamin3cac4502014-10-21 01:46:30 -0400[diff] [blame]682 fprintf(stderr, "SSL_SESSION_to_bytes failed\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]683 return false;
David Benjamin3cac4502014-10-21 01:46:30 -0400[diff] [blame]684 }
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]685 encoded.reset(encoded_raw);
686 if (encoded_len != input.size() ||
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]687 OPENSSL_memcmp(input.data(), encoded.get(), input.size()) != 0) {
David Benjamin3cac4502014-10-21 01:46:30 -0400[diff] [blame]688 fprintf(stderr, "SSL_SESSION_to_bytes did not round-trip\n");
Sigbjorn Vik2b23d242015-06-29 15:07:26 +0200[diff] [blame]689 hexdump(stderr, "Before: ", input.data(), input.size());
690 hexdump(stderr, "After: ", encoded_raw, encoded_len);
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]691 return false;
David Benjamin3cac4502014-10-21 01:46:30 -0400[diff] [blame]692 }
David Benjamin3cac4502014-10-21 01:46:30 -0400[diff] [blame]693
David Benjaminfd67aa82015-06-15 19:41:48 -0400[diff] [blame]694 // Verify the SSL_SESSION also decodes with the legacy API.
David Benjaminef14b2d2015-11-11 14:01:27 -0800[diff] [blame]695 cptr = input.data();
David Benjaminfd67aa82015-06-15 19:41:48 -0400[diff] [blame]696 session.reset(d2i_SSL_SESSION(NULL, &cptr, input.size()));
David Benjaminef14b2d2015-11-11 14:01:27 -0800[diff] [blame]697 if (!session || cptr != input.data() + input.size()) {
David Benjaminfd67aa82015-06-15 19:41:48 -0400[diff] [blame]698 fprintf(stderr, "d2i_SSL_SESSION failed\n");
699 return false;
700 }
701
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]702 // Verify the SSL_SESSION encoding round-trips via the legacy API.
703 int len = i2d_SSL_SESSION(session.get(), NULL);
704 if (len < 0 || (size_t)len != input.size()) {
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]705 fprintf(stderr, "i2d_SSL_SESSION(NULL) returned invalid length\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]706 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]707 }
708
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]709 encoded.reset((uint8_t *)OPENSSL_malloc(input.size()));
710 if (!encoded) {
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]711 fprintf(stderr, "malloc failed\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]712 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]713 }
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]714
715 ptr = encoded.get();
716 len = i2d_SSL_SESSION(session.get(), &ptr);
717 if (len < 0 || (size_t)len != input.size()) {
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]718 fprintf(stderr, "i2d_SSL_SESSION returned invalid length\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]719 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]720 }
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]721 if (ptr != encoded.get() + input.size()) {
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]722 fprintf(stderr, "i2d_SSL_SESSION did not advance ptr correctly\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]723 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]724 }
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]725 if (OPENSSL_memcmp(input.data(), encoded.get(), input.size()) != 0) {
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]726 fprintf(stderr, "i2d_SSL_SESSION did not round-trip\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]727 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]728 }
729
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]730 return true;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]731}
732
David Benjaminf297e022015-05-28 19:55:29 -0400[diff] [blame]733static bool TestBadSSL_SESSIONEncoding(const char *input_b64) {
734 std::vector<uint8_t> input;
735 if (!DecodeBase64(&input, input_b64)) {
736 return false;
737 }
738
739 // Verify that the SSL_SESSION fails to decode.
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]740 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
741 if (!ssl_ctx) {
742 return false;
743 }
744 bssl::UniquePtr<SSL_SESSION> session(
745 SSL_SESSION_from_bytes(input.data(), input.size(), ssl_ctx.get()));
David Benjaminf297e022015-05-28 19:55:29 -0400[diff] [blame]746 if (session) {
David Benjaminfd67aa82015-06-15 19:41:48 -0400[diff] [blame]747 fprintf(stderr, "SSL_SESSION_from_bytes unexpectedly succeeded\n");
David Benjaminf297e022015-05-28 19:55:29 -0400[diff] [blame]748 return false;
749 }
750 ERR_clear_error();
751 return true;
752}
753
David Benjamin321fcdc2017-04-24 11:42:42 -0400[diff] [blame]754static void ExpectDefaultVersion(uint16_t min_version, uint16_t max_version,
755 const SSL_METHOD *(*method)(void)) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]756 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method()));
David Benjamin321fcdc2017-04-24 11:42:42 -0400[diff] [blame]757 ASSERT_TRUE(ctx);
David Benjaminfc08dfc2017-06-20 14:39:32 -0400[diff] [blame]758 EXPECT_EQ(min_version, ctx->conf_min_version);
759 EXPECT_EQ(max_version, ctx->conf_max_version);
David Benjamin321fcdc2017-04-24 11:42:42 -0400[diff] [blame]760}
761
762TEST(SSLTest, DefaultVersion) {
763 // TODO(svaldez): Update this when TLS 1.3 is enabled by default.
764 ExpectDefaultVersion(TLS1_VERSION, TLS1_2_VERSION, &TLS_method);
765 ExpectDefaultVersion(TLS1_VERSION, TLS1_VERSION, &TLSv1_method);
766 ExpectDefaultVersion(TLS1_1_VERSION, TLS1_1_VERSION, &TLSv1_1_method);
767 ExpectDefaultVersion(TLS1_2_VERSION, TLS1_2_VERSION, &TLSv1_2_method);
768 ExpectDefaultVersion(TLS1_1_VERSION, TLS1_2_VERSION, &DTLS_method);
769 ExpectDefaultVersion(TLS1_1_VERSION, TLS1_1_VERSION, &DTLSv1_method);
770 ExpectDefaultVersion(TLS1_2_VERSION, TLS1_2_VERSION, &DTLSv1_2_method);
David Benjamin82c9e902014-12-12 15:55:27 -0500[diff] [blame]771}
772
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]773TEST(SSLTest, CipherGetStandardName) {
774 static const struct {
775 int id;
776 const char *standard_name;
777 } kTests[] = {
778 {SSL3_CK_RSA_DES_192_CBC3_SHA, "TLS_RSA_WITH_3DES_EDE_CBC_SHA"},
779 {TLS1_CK_RSA_WITH_AES_128_SHA, "TLS_RSA_WITH_AES_128_CBC_SHA"},
780 {TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
781 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"},
782 {TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
783 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"},
784 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
785 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"},
786 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
787 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"},
788 {TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
789 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"},
790 {TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA,
791 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA"},
792 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
793 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"},
794 {TLS1_CK_AES_256_GCM_SHA384, "TLS_AES_256_GCM_SHA384"},
795 {TLS1_CK_AES_128_GCM_SHA256, "TLS_AES_128_GCM_SHA256"},
796 {TLS1_CK_CHACHA20_POLY1305_SHA256, "TLS_CHACHA20_POLY1305_SHA256"},
797 };
David Benjamin65226252015-02-05 16:49:47 -0500[diff] [blame]798
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]799 for (const auto &t : kTests) {
800 SCOPED_TRACE(t.standard_name);
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]801
802 const SSL_CIPHER *cipher = SSL_get_cipher_by_value(t.id & 0xffff);
803 ASSERT_TRUE(cipher);
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]804 EXPECT_STREQ(t.standard_name, SSL_CIPHER_standard_name(cipher));
805
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]806 bssl::UniquePtr<char> rfc_name(SSL_CIPHER_get_rfc_name(cipher));
807 ASSERT_TRUE(rfc_name);
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]808 EXPECT_STREQ(t.standard_name, rfc_name.get());
David Benjamin65226252015-02-05 16:49:47 -0500[diff] [blame]809 }
David Benjamin65226252015-02-05 16:49:47 -0500[diff] [blame]810}
811
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]812// CreateSessionWithTicket returns a sample |SSL_SESSION| with the specified
813// version and ticket length or nullptr on failure.
814static bssl::UniquePtr<SSL_SESSION> CreateSessionWithTicket(uint16_t version,
815 size_t ticket_len) {
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]816 std::vector<uint8_t> der;
817 if (!DecodeBase64(&der, kOpenSSLSession)) {
818 return nullptr;
819 }
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]820
821 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
822 if (!ssl_ctx) {
823 return nullptr;
824 }
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]825 bssl::UniquePtr<SSL_SESSION> session(
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]826 SSL_SESSION_from_bytes(der.data(), der.size(), ssl_ctx.get()));
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]827 if (!session) {
828 return nullptr;
829 }
830
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]831 session->ssl_version = version;
832
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]833 // Swap out the ticket for a garbage one.
834 OPENSSL_free(session->tlsext_tick);
835 session->tlsext_tick = reinterpret_cast<uint8_t*>(OPENSSL_malloc(ticket_len));
836 if (session->tlsext_tick == nullptr) {
837 return nullptr;
838 }
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]839 OPENSSL_memset(session->tlsext_tick, 'a', ticket_len);
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]840 session->tlsext_ticklen = ticket_len;
David Benjamin1269ddd2015-10-18 15:18:55 -0400[diff] [blame]841
842 // Fix up the timeout.
David Benjamin9b63f292016-11-15 00:44:05 -0500[diff] [blame]843#if defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE)
844 session->time = 1234;
845#else
David Benjamin1269ddd2015-10-18 15:18:55 -0400[diff] [blame]846 session->time = time(NULL);
David Benjamin9b63f292016-11-15 00:44:05 -0500[diff] [blame]847#endif
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]848 return session;
849}
850
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]851static bool GetClientHello(SSL *ssl, std::vector<uint8_t> *out) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]852 bssl::UniquePtr<BIO> bio(BIO_new(BIO_s_mem()));
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]853 if (!bio) {
854 return false;
855 }
856 // Do not configure a reading BIO, but record what's written to a memory BIO.
David Benjamin96a16cd2016-08-11 12:14:47 -0400[diff] [blame]857 BIO_up_ref(bio.get());
858 SSL_set_bio(ssl, nullptr /* rbio */, bio.get());
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]859 int ret = SSL_connect(ssl);
860 if (ret > 0) {
861 // SSL_connect should fail without a BIO to write to.
862 return false;
863 }
864 ERR_clear_error();
865
866 const uint8_t *client_hello;
867 size_t client_hello_len;
868 if (!BIO_mem_contents(bio.get(), &client_hello, &client_hello_len)) {
869 return false;
870 }
871 *out = std::vector<uint8_t>(client_hello, client_hello + client_hello_len);
872 return true;
873}
874
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]875// GetClientHelloLen creates a client SSL connection with the specified version
876// and ticket length. It returns the length of the ClientHello, not including
877// the record header, on success and zero on error.
878static size_t GetClientHelloLen(uint16_t max_version, uint16_t session_version,
879 size_t ticket_len) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]880 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]881 bssl::UniquePtr<SSL_SESSION> session =
882 CreateSessionWithTicket(session_version, ticket_len);
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]883 if (!ctx || !session) {
884 return 0;
885 }
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]886
887 // Set a one-element cipher list so the baseline ClientHello is unpadded.
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]888 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
Steven Valdez2c62fe92016-10-14 12:08:12 -0400[diff] [blame]889 if (!ssl || !SSL_set_session(ssl.get(), session.get()) ||
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]890 !SSL_set_strict_cipher_list(ssl.get(), "ECDHE-RSA-AES128-GCM-SHA256") ||
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]891 !SSL_set_max_proto_version(ssl.get(), max_version)) {
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]892 return 0;
893 }
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]894
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]895 std::vector<uint8_t> client_hello;
896 if (!GetClientHello(ssl.get(), &client_hello) ||
897 client_hello.size() <= SSL3_RT_HEADER_LENGTH) {
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]898 return 0;
899 }
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]900
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]901 return client_hello.size() - SSL3_RT_HEADER_LENGTH;
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]902}
903
904struct PaddingTest {
905 size_t input_len, padded_len;
906};
907
908static const PaddingTest kPaddingTests[] = {
909 // ClientHellos of length below 0x100 do not require padding.
910 {0xfe, 0xfe},
911 {0xff, 0xff},
912 // ClientHellos of length 0x100 through 0x1fb are padded up to 0x200.
913 {0x100, 0x200},
914 {0x123, 0x200},
915 {0x1fb, 0x200},
916 // ClientHellos of length 0x1fc through 0x1ff get padded beyond 0x200. The
917 // padding extension takes a minimum of four bytes plus one required content
918 // byte. (To work around yet more server bugs, we avoid empty final
919 // extensions.)
920 {0x1fc, 0x201},
921 {0x1fd, 0x202},
922 {0x1fe, 0x203},
923 {0x1ff, 0x204},
924 // Finally, larger ClientHellos need no padding.
925 {0x200, 0x200},
926 {0x201, 0x201},
927};
928
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]929static bool TestPaddingExtension(uint16_t max_version,
930 uint16_t session_version) {
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]931 // Sample a baseline length.
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]932 size_t base_len = GetClientHelloLen(max_version, session_version, 1);
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]933 if (base_len == 0) {
934 return false;
935 }
936
937 for (const PaddingTest &test : kPaddingTests) {
938 if (base_len > test.input_len) {
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]939 fprintf(stderr,
940 "Baseline ClientHello too long (max_version = %04x, "
941 "session_version = %04x).\n",
942 max_version, session_version);
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]943 return false;
944 }
945
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]946 size_t padded_len = GetClientHelloLen(max_version, session_version,
947 1 + test.input_len - base_len);
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]948 if (padded_len != test.padded_len) {
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]949 fprintf(stderr,
950 "%u-byte ClientHello padded to %u bytes, not %u (max_version = "
951 "%04x, session_version = %04x).\n",
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]952 static_cast<unsigned>(test.input_len),
953 static_cast<unsigned>(padded_len),
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]954 static_cast<unsigned>(test.padded_len), max_version,
955 session_version);
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]956 return false;
957 }
958 }
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]959
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]960 return true;
961}
962
David Benjamin1d128f32015-09-08 17:41:40 -0400[diff] [blame]963// Test that |SSL_get_client_CA_list| echoes back the configured parameter even
964// before configuring as a server.
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]965TEST(SSLTest, ClientCAList) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]966 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]967 ASSERT_TRUE(ctx);
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]968 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]969 ASSERT_TRUE(ssl);
David Benjamin1d128f32015-09-08 17:41:40 -0400[diff] [blame]970
Adam Langley34b4c822017-02-02 10:57:17 -0800[diff] [blame]971 bssl::UniquePtr<X509_NAME> name(X509_NAME_new());
972 ASSERT_TRUE(name);
David Benjamin1d128f32015-09-08 17:41:40 -0400[diff] [blame]973
Adam Langley34b4c822017-02-02 10:57:17 -0800[diff] [blame]974 bssl::UniquePtr<X509_NAME> name_dup(X509_NAME_dup(name.get()));
975 ASSERT_TRUE(name_dup);
976
977 bssl::UniquePtr<STACK_OF(X509_NAME)> stack(sk_X509_NAME_new_null());
978 ASSERT_TRUE(stack);
979
980 ASSERT_TRUE(sk_X509_NAME_push(stack.get(), name_dup.get()));
981 name_dup.release();
982
983 // |SSL_set_client_CA_list| takes ownership.
984 SSL_set_client_CA_list(ssl.get(), stack.release());
985
986 STACK_OF(X509_NAME) *result = SSL_get_client_CA_list(ssl.get());
987 ASSERT_TRUE(result);
988 ASSERT_EQ(1u, sk_X509_NAME_num(result));
989 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(result, 0), name.get()));
David Benjamin1d128f32015-09-08 17:41:40 -0400[diff] [blame]990}
991
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]992static void AppendSession(SSL_SESSION *session, void *arg) {
993 std::vector<SSL_SESSION*> *out =
994 reinterpret_cast<std::vector<SSL_SESSION*>*>(arg);
995 out->push_back(session);
996}
997
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]998// CacheEquals returns true if |ctx|'s session cache consists of |expected|, in
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]999// order.
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1000static bool CacheEquals(SSL_CTX *ctx,
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1001 const std::vector<SSL_SESSION*> &expected) {
1002 // Check the linked list.
1003 SSL_SESSION *ptr = ctx->session_cache_head;
1004 for (SSL_SESSION *session : expected) {
1005 if (ptr != session) {
1006 return false;
1007 }
1008 // TODO(davidben): This is an absurd way to denote the end of the list.
1009 if (ptr->next ==
1010 reinterpret_cast<SSL_SESSION *>(&ctx->session_cache_tail)) {
1011 ptr = nullptr;
1012 } else {
1013 ptr = ptr->next;
1014 }
1015 }
1016 if (ptr != nullptr) {
1017 return false;
1018 }
1019
1020 // Check the hash table.
1021 std::vector<SSL_SESSION*> actual, expected_copy;
1022 lh_SSL_SESSION_doall_arg(SSL_CTX_sessions(ctx), AppendSession, &actual);
1023 expected_copy = expected;
1024
1025 std::sort(actual.begin(), actual.end());
1026 std::sort(expected_copy.begin(), expected_copy.end());
1027
1028 return actual == expected_copy;
1029}
1030
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1031static bssl::UniquePtr<SSL_SESSION> CreateTestSession(uint32_t number) {
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]1032 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
1033 if (!ssl_ctx) {
1034 return nullptr;
1035 }
1036 bssl::UniquePtr<SSL_SESSION> ret(SSL_SESSION_new(ssl_ctx.get()));
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1037 if (!ret) {
1038 return nullptr;
1039 }
1040
1041 ret->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]1042 OPENSSL_memset(ret->session_id, 0, ret->session_id_length);
1043 OPENSSL_memcpy(ret->session_id, &number, sizeof(number));
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1044 return ret;
1045}
1046
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1047// Test that the internal session cache behaves as expected.
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1048TEST(SSLTest, InternalSessionCache) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1049 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1050 ASSERT_TRUE(ctx);
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1051
1052 // Prepare 10 test sessions.
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1053 std::vector<bssl::UniquePtr<SSL_SESSION>> sessions;
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1054 for (int i = 0; i < 10; i++) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1055 bssl::UniquePtr<SSL_SESSION> session = CreateTestSession(i);
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1056 ASSERT_TRUE(session);
David Benjamin4f6acaf2015-11-21 03:00:50 -0500[diff] [blame]1057 sessions.push_back(std::move(session));
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1058 }
1059
1060 SSL_CTX_sess_set_cache_size(ctx.get(), 5);
1061
1062 // Insert all the test sessions.
David Benjamin4f6acaf2015-11-21 03:00:50 -0500[diff] [blame]1063 for (const auto &session : sessions) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1064 ASSERT_TRUE(SSL_CTX_add_session(ctx.get(), session.get()));
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1065 }
1066
1067 // Only the last five should be in the list.
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1068 ASSERT_TRUE(CacheEquals(
1069 ctx.get(), {sessions[9].get(), sessions[8].get(), sessions[7].get(),
1070 sessions[6].get(), sessions[5].get()}));
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1071
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1072 // Inserting an element already in the cache should fail and leave the cache
1073 // unchanged.
1074 ASSERT_FALSE(SSL_CTX_add_session(ctx.get(), sessions[7].get()));
1075 ASSERT_TRUE(CacheEquals(
1076 ctx.get(), {sessions[9].get(), sessions[8].get(), sessions[7].get(),
1077 sessions[6].get(), sessions[5].get()}));
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1078
1079 // Although collisions should be impossible (256-bit session IDs), the cache
1080 // must handle them gracefully.
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1081 bssl::UniquePtr<SSL_SESSION> collision(CreateTestSession(7));
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1082 ASSERT_TRUE(collision);
1083 ASSERT_TRUE(SSL_CTX_add_session(ctx.get(), collision.get()));
1084 ASSERT_TRUE(CacheEquals(
1085 ctx.get(), {collision.get(), sessions[9].get(), sessions[8].get(),
1086 sessions[6].get(), sessions[5].get()}));
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1087
1088 // Removing sessions behaves correctly.
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1089 ASSERT_TRUE(SSL_CTX_remove_session(ctx.get(), sessions[6].get()));
1090 ASSERT_TRUE(CacheEquals(ctx.get(), {collision.get(), sessions[9].get(),
1091 sessions[8].get(), sessions[5].get()}));
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1092
1093 // Removing sessions requires an exact match.
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1094 ASSERT_FALSE(SSL_CTX_remove_session(ctx.get(), sessions[0].get()));
1095 ASSERT_FALSE(SSL_CTX_remove_session(ctx.get(), sessions[7].get()));
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1096
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1097 // The cache remains unchanged.
1098 ASSERT_TRUE(CacheEquals(ctx.get(), {collision.get(), sessions[9].get(),
1099 sessions[8].get(), sessions[5].get()}));
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1100}
1101
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1102static uint16_t EpochFromSequence(uint64_t seq) {
1103 return static_cast<uint16_t>(seq >> 48);
1104}
1105
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1106static bssl::UniquePtr<X509> GetTestCertificate() {
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1107 static const char kCertPEM[] =
1108 "-----BEGIN CERTIFICATE-----\n"
1109 "MIICWDCCAcGgAwIBAgIJAPuwTC6rEJsMMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV\n"
1110 "BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX\n"
1111 "aWRnaXRzIFB0eSBMdGQwHhcNMTQwNDIzMjA1MDQwWhcNMTcwNDIyMjA1MDQwWjBF\n"
1112 "MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50\n"
1113 "ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\n"
1114 "gQDYK8imMuRi/03z0K1Zi0WnvfFHvwlYeyK9Na6XJYaUoIDAtB92kWdGMdAQhLci\n"
1115 "HnAjkXLI6W15OoV3gA/ElRZ1xUpxTMhjP6PyY5wqT5r6y8FxbiiFKKAnHmUcrgfV\n"
1116 "W28tQ+0rkLGMryRtrukXOgXBv7gcrmU7G1jC2a7WqmeI8QIDAQABo1AwTjAdBgNV\n"
1117 "HQ4EFgQUi3XVrMsIvg4fZbf6Vr5sp3Xaha8wHwYDVR0jBBgwFoAUi3XVrMsIvg4f\n"
1118 "Zbf6Vr5sp3Xaha8wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQA76Hht\n"
1119 "ldY9avcTGSwbwoiuIqv0jTL1fHFnzy3RHMLDh+Lpvolc5DSrSJHCP5WuK0eeJXhr\n"
1120 "T5oQpHL9z/cCDLAKCKRa4uV0fhEdOWBqyR9p8y5jJtye72t6CuFUV5iqcpF4BH4f\n"
1121 "j2VNHwsSrJwkD4QUGlUtH7vwnQmyCFxZMmWAJg==\n"
1122 "-----END CERTIFICATE-----\n";
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1123 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(kCertPEM, strlen(kCertPEM)));
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]1124 return bssl::UniquePtr<X509>(
1125 PEM_read_bio_X509(bio.get(), nullptr, nullptr, nullptr));
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1126}
1127
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1128static bssl::UniquePtr<EVP_PKEY> GetTestKey() {
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1129 static const char kKeyPEM[] =
1130 "-----BEGIN RSA PRIVATE KEY-----\n"
1131 "MIICXgIBAAKBgQDYK8imMuRi/03z0K1Zi0WnvfFHvwlYeyK9Na6XJYaUoIDAtB92\n"
1132 "kWdGMdAQhLciHnAjkXLI6W15OoV3gA/ElRZ1xUpxTMhjP6PyY5wqT5r6y8FxbiiF\n"
1133 "KKAnHmUcrgfVW28tQ+0rkLGMryRtrukXOgXBv7gcrmU7G1jC2a7WqmeI8QIDAQAB\n"
1134 "AoGBAIBy09Fd4DOq/Ijp8HeKuCMKTHqTW1xGHshLQ6jwVV2vWZIn9aIgmDsvkjCe\n"
1135 "i6ssZvnbjVcwzSoByhjN8ZCf/i15HECWDFFh6gt0P5z0MnChwzZmvatV/FXCT0j+\n"
1136 "WmGNB/gkehKjGXLLcjTb6dRYVJSCZhVuOLLcbWIV10gggJQBAkEA8S8sGe4ezyyZ\n"
1137 "m4e9r95g6s43kPqtj5rewTsUxt+2n4eVodD+ZUlCULWVNAFLkYRTBCASlSrm9Xhj\n"
1138 "QpmWAHJUkQJBAOVzQdFUaewLtdOJoPCtpYoY1zd22eae8TQEmpGOR11L6kbxLQsk\n"
1139 "aMly/DOnOaa82tqAGTdqDEZgSNmCeKKknmECQAvpnY8GUOVAubGR6c+W90iBuQLj\n"
1140 "LtFp/9ihd2w/PoDwrHZaoUYVcT4VSfJQog/k7kjE4MYXYWL8eEKg3WTWQNECQQDk\n"
1141 "104Wi91Umd1PzF0ijd2jXOERJU1wEKe6XLkYYNHWQAe5l4J4MWj9OdxFXAxIuuR/\n"
1142 "tfDwbqkta4xcux67//khAkEAvvRXLHTaa6VFzTaiiO8SaFsHV3lQyXOtMrBpB5jd\n"
1143 "moZWgjHvB2W9Ckn7sDqsPB+U2tyX0joDdQEyuiMECDY8oQ==\n"
1144 "-----END RSA PRIVATE KEY-----\n";
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1145 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(kKeyPEM, strlen(kKeyPEM)));
1146 return bssl::UniquePtr<EVP_PKEY>(
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1147 PEM_read_bio_PrivateKey(bio.get(), nullptr, nullptr, nullptr));
1148}
1149
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1150static bssl::UniquePtr<X509> GetECDSATestCertificate() {
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]1151 static const char kCertPEM[] =
1152 "-----BEGIN CERTIFICATE-----\n"
1153 "MIIBzzCCAXagAwIBAgIJANlMBNpJfb/rMAkGByqGSM49BAEwRTELMAkGA1UEBhMC\n"
1154 "QVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdp\n"
1155 "dHMgUHR5IEx0ZDAeFw0xNDA0MjMyMzIxNTdaFw0xNDA1MjMyMzIxNTdaMEUxCzAJ\n"
1156 "BgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5l\n"
1157 "dCBXaWRnaXRzIFB0eSBMdGQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATmK2ni\n"
1158 "v2Wfl74vHg2UikzVl2u3qR4NRvvdqakendy6WgHn1peoChj5w8SjHlbifINI2xYa\n"
1159 "HPUdfvGULUvPciLBo1AwTjAdBgNVHQ4EFgQUq4TSrKuV8IJOFngHVVdf5CaNgtEw\n"
1160 "HwYDVR0jBBgwFoAUq4TSrKuV8IJOFngHVVdf5CaNgtEwDAYDVR0TBAUwAwEB/zAJ\n"
1161 "BgcqhkjOPQQBA0gAMEUCIQDyoDVeUTo2w4J5m+4nUIWOcAZ0lVfSKXQA9L4Vh13E\n"
1162 "BwIgfB55FGohg/B6dGh5XxSZmmi08cueFV7mHzJSYV51yRQ=\n"
1163 "-----END CERTIFICATE-----\n";
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1164 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(kCertPEM, strlen(kCertPEM)));
1165 return bssl::UniquePtr<X509>(PEM_read_bio_X509(bio.get(), nullptr, nullptr, nullptr));
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]1166}
1167
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1168static bssl::UniquePtr<EVP_PKEY> GetECDSATestKey() {
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]1169 static const char kKeyPEM[] =
1170 "-----BEGIN PRIVATE KEY-----\n"
1171 "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgBw8IcnrUoEqc3VnJ\n"
1172 "TYlodwi1b8ldMHcO6NHJzgqLtGqhRANCAATmK2niv2Wfl74vHg2UikzVl2u3qR4N\n"
1173 "Rvvdqakendy6WgHn1peoChj5w8SjHlbifINI2xYaHPUdfvGULUvPciLB\n"
1174 "-----END PRIVATE KEY-----\n";
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1175 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(kKeyPEM, strlen(kKeyPEM)));
1176 return bssl::UniquePtr<EVP_PKEY>(
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]1177 PEM_read_bio_PrivateKey(bio.get(), nullptr, nullptr, nullptr));
1178}
1179
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]1180static bssl::UniquePtr<CRYPTO_BUFFER> BufferFromPEM(const char *pem) {
1181 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(pem, strlen(pem)));
1182 char *name, *header;
1183 uint8_t *data;
1184 long data_len;
1185 if (!PEM_read_bio(bio.get(), &name, &header, &data,
1186 &data_len)) {
1187 return nullptr;
1188 }
1189 OPENSSL_free(name);
1190 OPENSSL_free(header);
1191
1192 auto ret = bssl::UniquePtr<CRYPTO_BUFFER>(
1193 CRYPTO_BUFFER_new(data, data_len, nullptr));
1194 OPENSSL_free(data);
1195 return ret;
1196}
1197
1198static bssl::UniquePtr<CRYPTO_BUFFER> GetChainTestCertificateBuffer() {
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]1199 static const char kCertPEM[] =
1200 "-----BEGIN CERTIFICATE-----\n"
1201 "MIIC0jCCAbqgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEQiBD\n"
1202 "QTAeFw0xNjAyMjgyMDI3MDNaFw0yNjAyMjUyMDI3MDNaMBgxFjAUBgNVBAMMDUNs\n"
1203 "aWVudCBDZXJ0IEEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDRvaz8\n"
1204 "CC/cshpCafJo4jLkHEoBqDLhdgFelJoAiQUyIqyWl2O7YHPnpJH+TgR7oelzNzt/\n"
1205 "kLRcH89M/TszB6zqyLTC4aqmvzKL0peD/jL2LWBucR0WXIvjA3zoRuF/x86+rYH3\n"
1206 "tHb+xs2PSs8EGL/Ev+ss+qTzTGEn26fuGNHkNw6tOwPpc+o8+wUtzf/kAthamo+c\n"
1207 "IDs2rQ+lP7+aLZTLeU/q4gcLutlzcK5imex5xy2jPkweq48kijK0kIzl1cPlA5d1\n"
1208 "z7C8jU50Pj9X9sQDJTN32j7UYRisJeeYQF8GaaN8SbrDI6zHgKzrRLyxDt/KQa9V\n"
1209 "iLeXANgZi+Xx9KgfAgMBAAGjLzAtMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYI\n"
1210 "KwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQBFEVbmYl+2RtNw\n"
1211 "rDftRDF1v2QUbcN2ouSnQDHxeDQdSgasLzT3ui8iYu0Rw2WWcZ0DV5e0ztGPhWq7\n"
1212 "AO0B120aFRMOY+4+bzu9Q2FFkQqc7/fKTvTDzIJI5wrMnFvUfzzvxh3OHWMYSs/w\n"
1213 "giq33hTKeHEq6Jyk3btCny0Ycecyc3yGXH10sizUfiHlhviCkDuESk8mFDwDDzqW\n"
1214 "ZF0IipzFbEDHoIxLlm3GQxpiLoEV4k8KYJp3R5KBLFyxM6UGPz8h72mIPCJp2RuK\n"
1215 "MYgF91UDvVzvnYm6TfseM2+ewKirC00GOrZ7rEcFvtxnKSqYf4ckqfNdSU1Y+RRC\n"
1216 "1ngWZ7Ih\n"
1217 "-----END CERTIFICATE-----\n";
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]1218 return BufferFromPEM(kCertPEM);
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]1219}
1220
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]1221static bssl::UniquePtr<X509> X509FromBuffer(
1222 bssl::UniquePtr<CRYPTO_BUFFER> buffer) {
1223 if (!buffer) {
1224 return nullptr;
1225 }
1226 const uint8_t *derp = CRYPTO_BUFFER_data(buffer.get());
1227 return bssl::UniquePtr<X509>(
1228 d2i_X509(NULL, &derp, CRYPTO_BUFFER_len(buffer.get())));
1229}
1230
1231static bssl::UniquePtr<X509> GetChainTestCertificate() {
1232 return X509FromBuffer(GetChainTestCertificateBuffer());
1233}
1234
1235static bssl::UniquePtr<CRYPTO_BUFFER> GetChainTestIntermediateBuffer() {
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]1236 static const char kCertPEM[] =
1237 "-----BEGIN CERTIFICATE-----\n"
1238 "MIICwjCCAaqgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwFDESMBAGA1UEAwwJQyBS\n"
1239 "b290IENBMB4XDTE2MDIyODIwMjcwM1oXDTI2MDIyNTIwMjcwM1owDzENMAsGA1UE\n"
1240 "AwwEQiBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALsSCYmDip2D\n"
1241 "GkjFxw7ykz26JSjELkl6ArlYjFJ3aT/SCh8qbS4gln7RH8CPBd78oFdfhIKQrwtZ\n"
1242 "3/q21ykD9BAS3qHe2YdcJfm8/kWAy5DvXk6NXU4qX334KofBAEpgdA/igEFq1P1l\n"
1243 "HAuIfZCpMRfT+i5WohVsGi8f/NgpRvVaMONLNfgw57mz1lbtFeBEISmX0kbsuJxF\n"
1244 "Qj/Bwhi5/0HAEXG8e7zN4cEx0yPRvmOATRdVb/8dW2pwOHRJq9R5M0NUkIsTSnL7\n"
1245 "6N/z8hRAHMsV3IudC5Yd7GXW1AGu9a+iKU+Q4xcZCoj0DC99tL4VKujrV1kAeqsM\n"
1246 "cz5/dKzi6+cCAwEAAaMjMCEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
1247 "AQYwDQYJKoZIhvcNAQELBQADggEBAIIeZiEeNhWWQ8Y4D+AGDwqUUeG8NjCbKrXQ\n"
1248 "BlHg5wZ8xftFaiP1Dp/UAezmx2LNazdmuwrYB8lm3FVTyaPDTKEGIPS4wJKHgqH1\n"
1249 "QPDhqNm85ey7TEtI9oYjsNim/Rb+iGkIAMXaxt58SzxbjvP0kMr1JfJIZbic9vye\n"
1250 "NwIspMFIpP3FB8ywyu0T0hWtCQgL4J47nigCHpOu58deP88fS/Nyz/fyGVWOZ76b\n"
1251 "WhWwgM3P3X95fQ3d7oFPR/bVh0YV+Cf861INwplokXgXQ3/TCQ+HNXeAMWn3JLWv\n"
1252 "XFwk8owk9dq/kQGdndGgy3KTEW4ctPX5GNhf3LJ9Q7dLji4ReQ4=\n"
1253 "-----END CERTIFICATE-----\n";
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]1254 return BufferFromPEM(kCertPEM);
1255}
1256
1257static bssl::UniquePtr<X509> GetChainTestIntermediate() {
1258 return X509FromBuffer(GetChainTestIntermediateBuffer());
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]1259}
1260
1261static bssl::UniquePtr<EVP_PKEY> GetChainTestKey() {
1262 static const char kKeyPEM[] =
1263 "-----BEGIN PRIVATE KEY-----\n"
1264 "MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDRvaz8CC/cshpC\n"
1265 "afJo4jLkHEoBqDLhdgFelJoAiQUyIqyWl2O7YHPnpJH+TgR7oelzNzt/kLRcH89M\n"
1266 "/TszB6zqyLTC4aqmvzKL0peD/jL2LWBucR0WXIvjA3zoRuF/x86+rYH3tHb+xs2P\n"
1267 "Ss8EGL/Ev+ss+qTzTGEn26fuGNHkNw6tOwPpc+o8+wUtzf/kAthamo+cIDs2rQ+l\n"
1268 "P7+aLZTLeU/q4gcLutlzcK5imex5xy2jPkweq48kijK0kIzl1cPlA5d1z7C8jU50\n"
1269 "Pj9X9sQDJTN32j7UYRisJeeYQF8GaaN8SbrDI6zHgKzrRLyxDt/KQa9ViLeXANgZ\n"
1270 "i+Xx9KgfAgMBAAECggEBAK0VjSJzkyPaamcyTVSWjo7GdaBGcK60lk657RjR+lK0\n"
1271 "YJ7pkej4oM2hdsVZFsP8Cs4E33nXLa/0pDsRov/qrp0WQm2skwqGMC1I/bZ0WRPk\n"
1272 "wHaDrBBfESWnJDX/AGpVtlyOjPmgmK6J2usMPihQUDkKdAYrVWJePrMIxt1q6BMe\n"
1273 "iczs3qriMmtY3bUc4UyUwJ5fhDLjshHvfuIpYQyI6EXZM6dZksn9LylXJnigY6QJ\n"
1274 "HxOYO0BDwOsZ8yQ8J8afLk88i0GizEkgE1z3REtQUwgWfxr1WV/ud+T6/ZhSAgH9\n"
1275 "042mQvSFZnIUSEsmCvjhWuAunfxHKCTcAoYISWfzWpkCgYEA7gpf3HHU5Tn+CgUn\n"
1276 "1X5uGpG3DmcMgfeGgs2r2f/IIg/5Ac1dfYILiybL1tN9zbyLCJfcbFpWBc9hJL6f\n"
1277 "CPc5hUiwWFJqBJewxQkC1Ae/HakHbip+IZ+Jr0842O4BAArvixk4Lb7/N2Ct9sTE\n"
1278 "NJO6RtK9lbEZ5uK61DglHy8CS2UCgYEA4ZC1o36kPAMQBggajgnucb2yuUEelk0f\n"
1279 "AEr+GI32MGE+93xMr7rAhBoqLg4AITyIfEnOSQ5HwagnIHonBbv1LV/Gf9ursx8Z\n"
1280 "YOGbvT8zzzC+SU1bkDzdjAYnFQVGIjMtKOBJ3K07++ypwX1fr4QsQ8uKL8WSOWwt\n"
1281 "Z3Bym6XiZzMCgYADnhy+2OwHX85AkLt+PyGlPbmuelpyTzS4IDAQbBa6jcuW/2wA\n"
1282 "UE2km75VUXmD+u2R/9zVuLm99NzhFhSMqlUxdV1YukfqMfP5yp1EY6m/5aW7QuIP\n"
1283 "2MDa7TVL9rIFMiVZ09RKvbBbQxjhuzPQKL6X/PPspnhiTefQ+dl2k9xREQKBgHDS\n"
1284 "fMfGNEeAEKezrfSVqxphE9/tXms3L+ZpnCaT+yu/uEr5dTIAawKoQ6i9f/sf1/Sy\n"
1285 "xedsqR+IB+oKrzIDDWMgoJybN4pkZ8E5lzhVQIjFjKgFdWLzzqyW9z1gYfABQPlN\n"
1286 "FiS20WX0vgP1vcKAjdNrHzc9zyHBpgQzDmAj3NZZAoGBAI8vKCKdH7w3aL5CNkZQ\n"
1287 "2buIeWNA2HZazVwAGG5F2TU/LmXfRKnG6dX5bkU+AkBZh56jNZy//hfFSewJB4Kk\n"
1288 "buB7ERSdaNbO21zXt9FEA3+z0RfMd/Zv2vlIWOSB5nzl/7UKti3sribK6s9ZVLfi\n"
1289 "SxpiPQ8d/hmSGwn4ksrWUsJD\n"
1290 "-----END PRIVATE KEY-----\n";
1291 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(kKeyPEM, strlen(kKeyPEM)));
1292 return bssl::UniquePtr<EVP_PKEY>(
1293 PEM_read_bio_PrivateKey(bio.get(), nullptr, nullptr, nullptr));
1294}
1295
David Benjamin71dfad42017-07-16 17:27:39 -0400[diff] [blame^]1296static const uint8_t kTestName[] = {
1297 0x30, 0x45, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
1298 0x02, 0x41, 0x55, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
1299 0x0c, 0x0a, 0x53, 0x6f, 0x6d, 0x65, 0x2d, 0x53, 0x74, 0x61, 0x74, 0x65,
1300 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x18, 0x49,
1301 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x20, 0x57, 0x69, 0x64, 0x67,
1302 0x69, 0x74, 0x73, 0x20, 0x50, 0x74, 0x79, 0x20, 0x4c, 0x74, 0x64,
1303};
1304
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]1305static bool CompleteHandshakes(SSL *client, SSL *server) {
1306 // Drive both their handshakes to completion.
1307 for (;;) {
1308 int client_ret = SSL_do_handshake(client);
1309 int client_err = SSL_get_error(client, client_ret);
1310 if (client_err != SSL_ERROR_NONE &&
1311 client_err != SSL_ERROR_WANT_READ &&
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]1312 client_err != SSL_ERROR_WANT_WRITE &&
1313 client_err != SSL_ERROR_PENDING_TICKET) {
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]1314 fprintf(stderr, "Client error: %d\n", client_err);
1315 return false;
1316 }
1317
1318 int server_ret = SSL_do_handshake(server);
1319 int server_err = SSL_get_error(server, server_ret);
1320 if (server_err != SSL_ERROR_NONE &&
1321 server_err != SSL_ERROR_WANT_READ &&
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]1322 server_err != SSL_ERROR_WANT_WRITE &&
1323 server_err != SSL_ERROR_PENDING_TICKET) {
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]1324 fprintf(stderr, "Server error: %d\n", server_err);
1325 return false;
1326 }
1327
1328 if (client_ret == 1 && server_ret == 1) {
1329 break;
1330 }
1331 }
1332
1333 return true;
1334}
1335
1336static bool ConnectClientAndServer(bssl::UniquePtr<SSL> *out_client,
1337 bssl::UniquePtr<SSL> *out_server,
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]1338 SSL_CTX *client_ctx, SSL_CTX *server_ctx,
1339 SSL_SESSION *session) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1340 bssl::UniquePtr<SSL> client(SSL_new(client_ctx)), server(SSL_new(server_ctx));
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1341 if (!client || !server) {
1342 return false;
1343 }
1344 SSL_set_connect_state(client.get());
1345 SSL_set_accept_state(server.get());
1346
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]1347 SSL_set_session(client.get(), session);
1348
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1349 BIO *bio1, *bio2;
1350 if (!BIO_new_bio_pair(&bio1, 0, &bio2, 0)) {
1351 return false;
1352 }
1353 // SSL_set_bio takes ownership.
1354 SSL_set_bio(client.get(), bio1, bio1);
1355 SSL_set_bio(server.get(), bio2, bio2);
1356
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]1357 if (!CompleteHandshakes(client.get(), server.get())) {
1358 return false;
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1359 }
1360
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1361 *out_client = std::move(client);
1362 *out_server = std::move(server);
1363 return true;
1364}
1365
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1366static bool TestSequenceNumber(bool is_dtls, const SSL_METHOD *method,
1367 uint16_t version) {
1368 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method));
1369 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method));
1370 if (!server_ctx || !client_ctx ||
1371 !SSL_CTX_set_min_proto_version(client_ctx.get(), version) ||
1372 !SSL_CTX_set_max_proto_version(client_ctx.get(), version) ||
1373 !SSL_CTX_set_min_proto_version(server_ctx.get(), version) ||
1374 !SSL_CTX_set_max_proto_version(server_ctx.get(), version)) {
1375 return false;
1376 }
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1377
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1378 bssl::UniquePtr<X509> cert = GetTestCertificate();
1379 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
1380 if (!cert || !key || !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) ||
1381 !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get())) {
1382 return false;
1383 }
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1384
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1385 bssl::UniquePtr<SSL> client, server;
1386 if (!ConnectClientAndServer(&client, &server, client_ctx.get(),
1387 server_ctx.get(), nullptr /* no session */)) {
1388 return false;
1389 }
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1390
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1391 // Drain any post-handshake messages to ensure there are no unread records
1392 // on either end.
1393 uint8_t byte = 0;
1394 if (SSL_read(client.get(), &byte, 1) > 0 ||
1395 SSL_read(server.get(), &byte, 1) > 0) {
1396 fprintf(stderr, "Received unexpected data.\n");
1397 return false;
1398 }
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1399
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1400 uint64_t client_read_seq = SSL_get_read_sequence(client.get());
1401 uint64_t client_write_seq = SSL_get_write_sequence(client.get());
1402 uint64_t server_read_seq = SSL_get_read_sequence(server.get());
1403 uint64_t server_write_seq = SSL_get_write_sequence(server.get());
Steven Valdez2c62fe92016-10-14 12:08:12 -0400[diff] [blame]1404
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1405 if (is_dtls) {
1406 // Both client and server must be at epoch 1.
1407 if (EpochFromSequence(client_read_seq) != 1 ||
1408 EpochFromSequence(client_write_seq) != 1 ||
1409 EpochFromSequence(server_read_seq) != 1 ||
1410 EpochFromSequence(server_write_seq) != 1) {
1411 fprintf(stderr, "Bad epochs.\n");
1412 return false;
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1413 }
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1414
1415 // The next record to be written should exceed the largest received.
1416 if (client_write_seq <= server_read_seq ||
1417 server_write_seq <= client_read_seq) {
1418 fprintf(stderr, "Inconsistent sequence numbers.\n");
1419 return false;
1420 }
1421 } else {
1422 // The next record to be written should equal the next to be received.
1423 if (client_write_seq != server_read_seq ||
1424 server_write_seq != client_read_seq) {
1425 fprintf(stderr, "Inconsistent sequence numbers.\n");
1426 return false;
1427 }
1428 }
1429
1430 // Send a record from client to server.
1431 if (SSL_write(client.get(), &byte, 1) != 1 ||
1432 SSL_read(server.get(), &byte, 1) != 1) {
1433 fprintf(stderr, "Could not send byte.\n");
1434 return false;
1435 }
1436
1437 // The client write and server read sequence numbers should have
1438 // incremented.
1439 if (client_write_seq + 1 != SSL_get_write_sequence(client.get()) ||
1440 server_read_seq + 1 != SSL_get_read_sequence(server.get())) {
1441 fprintf(stderr, "Sequence numbers did not increment.\n");
1442 return false;
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1443 }
1444
1445 return true;
1446}
1447
David Benjamin68f37b72016-11-18 15:14:42 +0900[diff] [blame]1448static bool TestOneSidedShutdown(bool is_dtls, const SSL_METHOD *method,
1449 uint16_t version) {
1450 // SSL_shutdown is a no-op in DTLS.
1451 if (is_dtls) {
1452 return true;
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1453 }
1454
David Benjamin68f37b72016-11-18 15:14:42 +0900[diff] [blame]1455 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method));
1456 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method));
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1457 bssl::UniquePtr<X509> cert = GetTestCertificate();
1458 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
David Benjamin68f37b72016-11-18 15:14:42 +0900[diff] [blame]1459 if (!client_ctx || !server_ctx || !cert || !key ||
1460 !SSL_CTX_set_min_proto_version(server_ctx.get(), version) ||
1461 !SSL_CTX_set_max_proto_version(server_ctx.get(), version) ||
1462 !SSL_CTX_set_min_proto_version(client_ctx.get(), version) ||
1463 !SSL_CTX_set_max_proto_version(client_ctx.get(), version) ||
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1464 !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) ||
1465 !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get())) {
1466 return false;
1467 }
1468
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1469 bssl::UniquePtr<SSL> client, server;
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1470 if (!ConnectClientAndServer(&client, &server, client_ctx.get(),
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]1471 server_ctx.get(), nullptr /* no session */)) {
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1472 return false;
1473 }
1474
1475 // Shut down half the connection. SSL_shutdown will return 0 to signal only
1476 // one side has shut down.
1477 if (SSL_shutdown(client.get()) != 0) {
1478 fprintf(stderr, "Could not shutdown.\n");
1479 return false;
1480 }
1481
1482 // Reading from the server should consume the EOF.
1483 uint8_t byte;
1484 if (SSL_read(server.get(), &byte, 1) != 0 ||
1485 SSL_get_error(server.get(), 0) != SSL_ERROR_ZERO_RETURN) {
1486 fprintf(stderr, "Connection was not shut down cleanly.\n");
1487 return false;
1488 }
1489
1490 // However, the server may continue to write data and then shut down the
1491 // connection.
1492 byte = 42;
1493 if (SSL_write(server.get(), &byte, 1) != 1 ||
1494 SSL_read(client.get(), &byte, 1) != 1 ||
1495 byte != 42) {
1496 fprintf(stderr, "Could not send byte.\n");
1497 return false;
1498 }
1499
1500 // The server may then shutdown the connection.
1501 if (SSL_shutdown(server.get()) != 1 ||
1502 SSL_shutdown(client.get()) != 1) {
1503 fprintf(stderr, "Could not complete shutdown.\n");
1504 return false;
1505 }
1506
1507 return true;
1508}
David Benjamin68f37b72016-11-18 15:14:42 +0900[diff] [blame]1509
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1510TEST(SSLTest, SessionDuplication) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1511 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
1512 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1513 ASSERT_TRUE(client_ctx);
1514 ASSERT_TRUE(server_ctx);
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]1515
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1516 bssl::UniquePtr<X509> cert = GetTestCertificate();
1517 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1518 ASSERT_TRUE(cert);
1519 ASSERT_TRUE(key);
1520 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
1521 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]1522
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1523 bssl::UniquePtr<SSL> client, server;
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1524 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
1525 server_ctx.get(),
1526 nullptr /* no session */));
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]1527
1528 SSL_SESSION *session0 = SSL_get_session(client.get());
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1529 bssl::UniquePtr<SSL_SESSION> session1(
1530 SSL_SESSION_dup(session0, SSL_SESSION_DUP_ALL));
1531 ASSERT_TRUE(session1);
David Benjamin4501bd52016-08-01 13:39:41 -0400[diff] [blame]1532
Steven Valdez84b5c002016-08-25 16:30:58 -0400[diff] [blame]1533 session1->not_resumable = 0;
1534
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]1535 uint8_t *s0_bytes, *s1_bytes;
1536 size_t s0_len, s1_len;
1537
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1538 ASSERT_TRUE(SSL_SESSION_to_bytes(session0, &s0_bytes, &s0_len));
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1539 bssl::UniquePtr<uint8_t> free_s0(s0_bytes);
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]1540
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1541 ASSERT_TRUE(SSL_SESSION_to_bytes(session1.get(), &s1_bytes, &s1_len));
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1542 bssl::UniquePtr<uint8_t> free_s1(s1_bytes);
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]1543
David Benjamin7d7554b2017-02-04 11:48:59 -0500[diff] [blame]1544 EXPECT_EQ(Bytes(s0_bytes, s0_len), Bytes(s1_bytes, s1_len));
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]1545}
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1546
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1547static void ExpectFDs(const SSL *ssl, int rfd, int wfd) {
David Benjaminca743582017-06-15 17:51:35 -0400[diff] [blame]1548 EXPECT_EQ(rfd, SSL_get_fd(ssl));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1549 EXPECT_EQ(rfd, SSL_get_rfd(ssl));
1550 EXPECT_EQ(wfd, SSL_get_wfd(ssl));
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1551
1552 // The wrapper BIOs are always equal when fds are equal, even if set
1553 // individually.
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1554 if (rfd == wfd) {
1555 EXPECT_EQ(SSL_get_rbio(ssl), SSL_get_wbio(ssl));
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1556 }
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1557}
1558
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1559TEST(SSLTest, SetFD) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1560 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1561 ASSERT_TRUE(ctx);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1562
1563 // Test setting different read and write FDs.
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1564 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1565 ASSERT_TRUE(ssl);
1566 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
1567 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 2));
1568 ExpectFDs(ssl.get(), 1, 2);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1569
1570 // Test setting the same FD.
1571 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1572 ASSERT_TRUE(ssl);
1573 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
1574 ExpectFDs(ssl.get(), 1, 1);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1575
1576 // Test setting the same FD one side at a time.
1577 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1578 ASSERT_TRUE(ssl);
1579 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
1580 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 1));
1581 ExpectFDs(ssl.get(), 1, 1);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1582
1583 // Test setting the same FD in the other order.
1584 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1585 ASSERT_TRUE(ssl);
1586 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 1));
1587 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
1588 ExpectFDs(ssl.get(), 1, 1);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1589
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1590 // Test changing the read FD partway through.
1591 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1592 ASSERT_TRUE(ssl);
1593 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
1594 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 2));
1595 ExpectFDs(ssl.get(), 2, 1);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1596
1597 // Test changing the write FD partway through.
1598 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1599 ASSERT_TRUE(ssl);
1600 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
1601 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 2));
1602 ExpectFDs(ssl.get(), 1, 2);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1603
1604 // Test a no-op change to the read FD partway through.
1605 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1606 ASSERT_TRUE(ssl);
1607 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
1608 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
1609 ExpectFDs(ssl.get(), 1, 1);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1610
1611 // Test a no-op change to the write FD partway through.
1612 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1613 ASSERT_TRUE(ssl);
1614 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
1615 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 1));
1616 ExpectFDs(ssl.get(), 1, 1);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1617
1618 // ASan builds will implicitly test that the internal |BIO| reference-counting
1619 // is correct.
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1620}
1621
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1622TEST(SSLTest, SetBIO) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1623 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1624 ASSERT_TRUE(ctx);
David Benjamin4501bd52016-08-01 13:39:41 -0400[diff] [blame]1625
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1626 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
1627 bssl::UniquePtr<BIO> bio1(BIO_new(BIO_s_mem())), bio2(BIO_new(BIO_s_mem())),
David Benjamin4501bd52016-08-01 13:39:41 -0400[diff] [blame]1628 bio3(BIO_new(BIO_s_mem()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1629 ASSERT_TRUE(ssl);
1630 ASSERT_TRUE(bio1);
1631 ASSERT_TRUE(bio2);
1632 ASSERT_TRUE(bio3);
David Benjamin4501bd52016-08-01 13:39:41 -0400[diff] [blame]1633
1634 // SSL_set_bio takes one reference when the parameters are the same.
1635 BIO_up_ref(bio1.get());
1636 SSL_set_bio(ssl.get(), bio1.get(), bio1.get());
1637
1638 // Repeating the call does nothing.
1639 SSL_set_bio(ssl.get(), bio1.get(), bio1.get());
1640
1641 // It takes one reference each when the parameters are different.
1642 BIO_up_ref(bio2.get());
1643 BIO_up_ref(bio3.get());
1644 SSL_set_bio(ssl.get(), bio2.get(), bio3.get());
1645
1646 // Repeating the call does nothing.
1647 SSL_set_bio(ssl.get(), bio2.get(), bio3.get());
1648
1649 // It takes one reference when changing only wbio.
1650 BIO_up_ref(bio1.get());
1651 SSL_set_bio(ssl.get(), bio2.get(), bio1.get());
1652
1653 // It takes one reference when changing only rbio and the two are different.
1654 BIO_up_ref(bio3.get());
1655 SSL_set_bio(ssl.get(), bio3.get(), bio1.get());
1656
1657 // If setting wbio to rbio, it takes no additional references.
1658 SSL_set_bio(ssl.get(), bio3.get(), bio3.get());
1659
1660 // From there, wbio may be switched to something else.
1661 BIO_up_ref(bio1.get());
1662 SSL_set_bio(ssl.get(), bio3.get(), bio1.get());
1663
1664 // If setting rbio to wbio, it takes no additional references.
1665 SSL_set_bio(ssl.get(), bio1.get(), bio1.get());
1666
1667 // From there, rbio may be switched to something else, but, for historical
1668 // reasons, it takes a reference to both parameters.
1669 BIO_up_ref(bio1.get());
1670 BIO_up_ref(bio2.get());
1671 SSL_set_bio(ssl.get(), bio2.get(), bio1.get());
1672
1673 // ASAN builds will implicitly test that the internal |BIO| reference-counting
1674 // is correct.
David Benjamin4501bd52016-08-01 13:39:41 -0400[diff] [blame]1675}
1676
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]1677static int VerifySucceed(X509_STORE_CTX *store_ctx, void *arg) { return 1; }
1678
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1679static bool TestGetPeerCertificate(bool is_dtls, const SSL_METHOD *method,
1680 uint16_t version) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1681 bssl::UniquePtr<X509> cert = GetTestCertificate();
1682 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]1683 if (!cert || !key) {
1684 return false;
1685 }
1686
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1687 // Configure both client and server to accept any certificate.
1688 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method));
1689 if (!ctx ||
1690 !SSL_CTX_use_certificate(ctx.get(), cert.get()) ||
1691 !SSL_CTX_use_PrivateKey(ctx.get(), key.get()) ||
1692 !SSL_CTX_set_min_proto_version(ctx.get(), version) ||
1693 !SSL_CTX_set_max_proto_version(ctx.get(), version)) {
1694 return false;
1695 }
1696 SSL_CTX_set_verify(
1697 ctx.get(), SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nullptr);
1698 SSL_CTX_set_cert_verify_callback(ctx.get(), VerifySucceed, NULL);
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]1699
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1700 bssl::UniquePtr<SSL> client, server;
1701 if (!ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
1702 nullptr /* no session */)) {
1703 return false;
1704 }
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]1705
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1706 // Client and server should both see the leaf certificate.
1707 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(server.get()));
1708 if (!peer || X509_cmp(cert.get(), peer.get()) != 0) {
1709 fprintf(stderr, "Server peer certificate did not match.\n");
1710 return false;
1711 }
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]1712
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1713 peer.reset(SSL_get_peer_certificate(client.get()));
1714 if (!peer || X509_cmp(cert.get(), peer.get()) != 0) {
1715 fprintf(stderr, "Client peer certificate did not match.\n");
1716 return false;
1717 }
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]1718
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1719 // However, for historical reasons, the chain includes the leaf on the
1720 // client, but does not on the server.
1721 if (sk_X509_num(SSL_get_peer_cert_chain(client.get())) != 1) {
1722 fprintf(stderr, "Client peer chain was incorrect.\n");
1723 return false;
1724 }
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]1725
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1726 if (sk_X509_num(SSL_get_peer_cert_chain(server.get())) != 0) {
1727 fprintf(stderr, "Server peer chain was incorrect.\n");
1728 return false;
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]1729 }
1730
1731 return true;
1732}
1733
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1734static bool TestRetainOnlySHA256OfCerts(bool is_dtls, const SSL_METHOD *method,
1735 uint16_t version) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1736 bssl::UniquePtr<X509> cert = GetTestCertificate();
1737 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]1738 if (!cert || !key) {
1739 return false;
1740 }
1741
1742 uint8_t *cert_der = NULL;
1743 int cert_der_len = i2d_X509(cert.get(), &cert_der);
1744 if (cert_der_len < 0) {
1745 return false;
1746 }
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1747 bssl::UniquePtr<uint8_t> free_cert_der(cert_der);
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]1748
1749 uint8_t cert_sha256[SHA256_DIGEST_LENGTH];
1750 SHA256(cert_der, cert_der_len, cert_sha256);
1751
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1752 // Configure both client and server to accept any certificate, but the
1753 // server must retain only the SHA-256 of the peer.
1754 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method));
1755 if (!ctx ||
1756 !SSL_CTX_use_certificate(ctx.get(), cert.get()) ||
1757 !SSL_CTX_use_PrivateKey(ctx.get(), key.get()) ||
1758 !SSL_CTX_set_min_proto_version(ctx.get(), version) ||
1759 !SSL_CTX_set_max_proto_version(ctx.get(), version)) {
1760 return false;
1761 }
1762 SSL_CTX_set_verify(
1763 ctx.get(), SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nullptr);
1764 SSL_CTX_set_cert_verify_callback(ctx.get(), VerifySucceed, NULL);
1765 SSL_CTX_set_retain_only_sha256_of_client_certs(ctx.get(), 1);
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]1766
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1767 bssl::UniquePtr<SSL> client, server;
1768 if (!ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
1769 nullptr /* no session */)) {
1770 return false;
1771 }
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]1772
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1773 // The peer certificate has been dropped.
1774 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(server.get()));
1775 if (peer) {
1776 fprintf(stderr, "Peer certificate was retained.\n");
1777 return false;
1778 }
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]1779
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1780 SSL_SESSION *session = SSL_get_session(server.get());
1781 if (!session->peer_sha256_valid) {
1782 fprintf(stderr, "peer_sha256_valid was not set.\n");
1783 return false;
1784 }
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]1785
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]1786 if (OPENSSL_memcmp(cert_sha256, session->peer_sha256, SHA256_DIGEST_LENGTH) !=
1787 0) {
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1788 fprintf(stderr, "peer_sha256 did not match.\n");
1789 return false;
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]1790 }
1791
1792 return true;
1793}
1794
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1795static bool ClientHelloMatches(uint16_t version, const uint8_t *expected,
1796 size_t expected_len) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1797 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1798 // Our default cipher list varies by CPU capabilities, so manually place the
1799 // ChaCha20 ciphers in front.
Matthew Braithwaite7e06de52017-04-10 15:52:14 -0700[diff] [blame]1800 const char* cipher_list = "CHACHA20:ALL";
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]1801 if (!ctx ||
David Benjamin3cfeb952017-03-01 16:48:38 -0500[diff] [blame]1802 // SSLv3 is off by default.
1803 !SSL_CTX_set_min_proto_version(ctx.get(), SSL3_VERSION) ||
David Benjamine4706902016-09-20 15:12:23 -0400[diff] [blame]1804 !SSL_CTX_set_max_proto_version(ctx.get(), version) ||
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1805 !SSL_CTX_set_strict_cipher_list(ctx.get(), cipher_list)) {
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1806 return false;
1807 }
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]1808
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1809 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1810 if (!ssl) {
1811 return false;
1812 }
1813 std::vector<uint8_t> client_hello;
1814 if (!GetClientHello(ssl.get(), &client_hello)) {
1815 return false;
1816 }
1817
1818 // Zero the client_random.
1819 constexpr size_t kRandomOffset = 1 + 2 + 2 + // record header
1820 1 + 3 + // handshake message header
1821 2; // client_version
1822 if (client_hello.size() < kRandomOffset + SSL3_RANDOM_SIZE) {
1823 fprintf(stderr, "ClientHello for version %04x too short.\n", version);
1824 return false;
1825 }
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]1826 OPENSSL_memset(client_hello.data() + kRandomOffset, 0, SSL3_RANDOM_SIZE);
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1827
1828 if (client_hello.size() != expected_len ||
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]1829 OPENSSL_memcmp(client_hello.data(), expected, expected_len) != 0) {
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1830 fprintf(stderr, "ClientHello for version %04x did not match:\n", version);
1831 fprintf(stderr, "Got:\n\t");
1832 for (size_t i = 0; i < client_hello.size(); i++) {
1833 fprintf(stderr, "0x%02x, ", client_hello[i]);
1834 }
1835 fprintf(stderr, "\nWanted:\n\t");
1836 for (size_t i = 0; i < expected_len; i++) {
1837 fprintf(stderr, "0x%02x, ", expected[i]);
1838 }
1839 fprintf(stderr, "\n");
1840 return false;
1841 }
1842
1843 return true;
1844}
1845
1846// Tests that our ClientHellos do not change unexpectedly.
1847static bool TestClientHello() {
1848 static const uint8_t kSSL3ClientHello[] = {
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1849 0x16,
1850 0x03, 0x00,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1851 0x00, 0x3b,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1852 0x01,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1853 0x00, 0x00, 0x37,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1854 0x03, 0x00,
1855 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1856 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1857 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1858 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1859 0x00,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1860 0x00, 0x10,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1861 0xc0, 0x09,
1862 0xc0, 0x13,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1863 0xc0, 0x0a,
1864 0xc0, 0x14,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1865 0x00, 0x2f,
1866 0x00, 0x35,
1867 0x00, 0x0a,
1868 0x00, 0xff, 0x01, 0x00,
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1869 };
1870 if (!ClientHelloMatches(SSL3_VERSION, kSSL3ClientHello,
1871 sizeof(kSSL3ClientHello))) {
1872 return false;
1873 }
1874
1875 static const uint8_t kTLS1ClientHello[] = {
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1876 0x16,
1877 0x03, 0x01,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1878 0x00, 0x5a,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1879 0x01,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1880 0x00, 0x00, 0x56,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1881 0x03, 0x01,
1882 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1883 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1884 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1885 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1886 0x00,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1887 0x00, 0x0e,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1888 0xc0, 0x09,
1889 0xc0, 0x13,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1890 0xc0, 0x0a,
1891 0xc0, 0x14,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1892 0x00, 0x2f,
1893 0x00, 0x35,
1894 0x00, 0x0a,
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1895 0x01, 0x00, 0x00, 0x1f, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x17, 0x00,
1896 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00,
1897 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18,
1898 };
1899 if (!ClientHelloMatches(TLS1_VERSION, kTLS1ClientHello,
1900 sizeof(kTLS1ClientHello))) {
1901 return false;
1902 }
1903
1904 static const uint8_t kTLS11ClientHello[] = {
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1905 0x16,
1906 0x03, 0x01,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1907 0x00, 0x5a,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1908 0x01,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1909 0x00, 0x00, 0x56,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1910 0x03, 0x02,
1911 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1912 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1913 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1914 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1915 0x00,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1916 0x00, 0x0e,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1917 0xc0, 0x09,
1918 0xc0, 0x13,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1919 0xc0, 0x0a,
1920 0xc0, 0x14,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1921 0x00, 0x2f,
1922 0x00, 0x35,
1923 0x00, 0x0a,
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1924 0x01, 0x00, 0x00, 0x1f, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x17, 0x00,
1925 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00,
1926 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18,
1927 };
1928 if (!ClientHelloMatches(TLS1_1_VERSION, kTLS11ClientHello,
1929 sizeof(kTLS11ClientHello))) {
1930 return false;
1931 }
1932
David Benjamin3b584332017-01-24 22:47:18 -0500[diff] [blame]1933 // kTLS12ClientHello assumes RSA-PSS, which is disabled for Android system
1934 // builds.
1935#if defined(BORINGSSL_ANDROID_SYSTEM)
1936 return true;
1937#endif
1938
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1939 static const uint8_t kTLS12ClientHello[] = {
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1940 0x16,
1941 0x03, 0x01,
1942 0x00, 0x8e,
1943 0x01,
1944 0x00, 0x00, 0x8a,
1945 0x03, 0x03,
David Benjamin57e929f2016-08-30 00:30:38 -0400[diff] [blame]1946 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1947 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1948 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1949 0x00, 0x2a,
1950 0xcc, 0xa9,
1951 0xcc, 0xa8,
1952 0xc0, 0x2b,
1953 0xc0, 0x2f,
1954 0xc0, 0x2c,
1955 0xc0, 0x30,
1956 0xc0, 0x09,
1957 0xc0, 0x23,
1958 0xc0, 0x13,
1959 0xc0, 0x27,
1960 0xc0, 0x0a,
1961 0xc0, 0x24,
1962 0xc0, 0x14,
1963 0xc0, 0x28,
1964 0x00, 0x9c,
1965 0x00, 0x9d,
1966 0x00, 0x2f,
1967 0x00, 0x3c,
1968 0x00, 0x35,
1969 0x00, 0x3d,
1970 0x00, 0x0a,
1971 0x01, 0x00, 0x00, 0x37, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x17, 0x00,
1972 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x14, 0x00, 0x12, 0x04,
1973 0x03, 0x08, 0x04, 0x04, 0x01, 0x05, 0x03, 0x08, 0x05, 0x05, 0x01, 0x08,
1974 0x06, 0x06, 0x01, 0x02, 0x01, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00,
1975 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18,
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1976 };
1977 if (!ClientHelloMatches(TLS1_2_VERSION, kTLS12ClientHello,
1978 sizeof(kTLS12ClientHello))) {
1979 return false;
1980 }
1981
1982 // TODO(davidben): Add a change detector for TLS 1.3 once the spec and our
1983 // implementation has settled enough that it won't change.
1984
1985 return true;
1986}
1987
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1988static bssl::UniquePtr<SSL_SESSION> g_last_session;
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]1989
1990static int SaveLastSession(SSL *ssl, SSL_SESSION *session) {
1991 // Save the most recent session.
1992 g_last_session.reset(session);
1993 return 1;
1994}
1995
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1996static bssl::UniquePtr<SSL_SESSION> CreateClientSession(SSL_CTX *client_ctx,
Steven Valdeze831a812017-03-09 14:56:07 -0500[diff] [blame]1997 SSL_CTX *server_ctx) {
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]1998 g_last_session = nullptr;
1999 SSL_CTX_sess_set_new_cb(client_ctx, SaveLastSession);
2000
2001 // Connect client and server to get a session.
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2002 bssl::UniquePtr<SSL> client, server;
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2003 if (!ConnectClientAndServer(&client, &server, client_ctx, server_ctx,
2004 nullptr /* no session */)) {
2005 fprintf(stderr, "Failed to connect client and server.\n");
2006 return nullptr;
2007 }
2008
2009 // Run the read loop to account for post-handshake tickets in TLS 1.3.
2010 SSL_read(client.get(), nullptr, 0);
2011
2012 SSL_CTX_sess_set_new_cb(client_ctx, nullptr);
2013
2014 if (!g_last_session) {
2015 fprintf(stderr, "Client did not receive a session.\n");
2016 return nullptr;
2017 }
2018 return std::move(g_last_session);
2019}
2020
2021static bool ExpectSessionReused(SSL_CTX *client_ctx, SSL_CTX *server_ctx,
2022 SSL_SESSION *session,
2023 bool reused) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2024 bssl::UniquePtr<SSL> client, server;
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2025 if (!ConnectClientAndServer(&client, &server, client_ctx,
2026 server_ctx, session)) {
2027 fprintf(stderr, "Failed to connect client and server.\n");
2028 return false;
2029 }
2030
2031 if (SSL_session_reused(client.get()) != SSL_session_reused(server.get())) {
2032 fprintf(stderr, "Client and server were inconsistent.\n");
2033 return false;
2034 }
2035
2036 bool was_reused = !!SSL_session_reused(client.get());
2037 if (was_reused != reused) {
2038 fprintf(stderr, "Session was%s reused, but we expected the opposite.\n",
2039 was_reused ? "" : " not");
2040 return false;
2041 }
2042
2043 return true;
2044}
2045
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]2046static bssl::UniquePtr<SSL_SESSION> ExpectSessionRenewed(SSL_CTX *client_ctx,
2047 SSL_CTX *server_ctx,
2048 SSL_SESSION *session) {
2049 g_last_session = nullptr;
2050 SSL_CTX_sess_set_new_cb(client_ctx, SaveLastSession);
2051
2052 bssl::UniquePtr<SSL> client, server;
2053 if (!ConnectClientAndServer(&client, &server, client_ctx,
2054 server_ctx, session)) {
2055 fprintf(stderr, "Failed to connect client and server.\n");
2056 return nullptr;
2057 }
2058
2059 if (SSL_session_reused(client.get()) != SSL_session_reused(server.get())) {
2060 fprintf(stderr, "Client and server were inconsistent.\n");
2061 return nullptr;
2062 }
2063
2064 if (!SSL_session_reused(client.get())) {
2065 fprintf(stderr, "Session was not reused.\n");
2066 return nullptr;
2067 }
2068
2069 // Run the read loop to account for post-handshake tickets in TLS 1.3.
2070 SSL_read(client.get(), nullptr, 0);
2071
2072 SSL_CTX_sess_set_new_cb(client_ctx, nullptr);
2073
2074 if (!g_last_session) {
2075 fprintf(stderr, "Client did not receive a renewed session.\n");
2076 return nullptr;
2077 }
2078 return std::move(g_last_session);
2079}
2080
David Benjamina933c382016-10-28 00:10:03 -0400[diff] [blame]2081static int SwitchSessionIDContextSNI(SSL *ssl, int *out_alert, void *arg) {
2082 static const uint8_t kContext[] = {3};
2083
2084 if (!SSL_set_session_id_context(ssl, kContext, sizeof(kContext))) {
2085 return SSL_TLSEXT_ERR_ALERT_FATAL;
2086 }
2087
2088 return SSL_TLSEXT_ERR_OK;
2089}
2090
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2091static bool TestSessionIDContext(bool is_dtls, const SSL_METHOD *method,
2092 uint16_t version) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2093 bssl::UniquePtr<X509> cert = GetTestCertificate();
2094 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2095 if (!cert || !key) {
2096 return false;
2097 }
2098
2099 static const uint8_t kContext1[] = {1};
2100 static const uint8_t kContext2[] = {2};
2101
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2102 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method));
2103 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method));
2104 if (!server_ctx || !client_ctx ||
2105 !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) ||
2106 !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()) ||
2107 !SSL_CTX_set_session_id_context(server_ctx.get(), kContext1,
2108 sizeof(kContext1)) ||
2109 !SSL_CTX_set_min_proto_version(client_ctx.get(), version) ||
2110 !SSL_CTX_set_max_proto_version(client_ctx.get(), version) ||
2111 !SSL_CTX_set_min_proto_version(server_ctx.get(), version) ||
2112 !SSL_CTX_set_max_proto_version(server_ctx.get(), version)) {
2113 return false;
2114 }
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2115
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2116 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
2117 SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH);
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2118
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2119 bssl::UniquePtr<SSL_SESSION> session =
2120 CreateClientSession(client_ctx.get(), server_ctx.get());
2121 if (!session) {
2122 fprintf(stderr, "Error getting session.\n");
2123 return false;
2124 }
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2125
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2126 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(),
2127 true /* expect session reused */)) {
2128 fprintf(stderr, "Error resuming session.\n");
2129 return false;
2130 }
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2131
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2132 // Change the session ID context.
2133 if (!SSL_CTX_set_session_id_context(server_ctx.get(), kContext2,
2134 sizeof(kContext2))) {
2135 return false;
2136 }
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2137
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2138 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(),
2139 false /* expect session not reused */)) {
2140 fprintf(stderr, "Error connecting with a different context.\n");
2141 return false;
2142 }
David Benjamina933c382016-10-28 00:10:03 -0400[diff] [blame]2143
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2144 // Change the session ID context back and install an SNI callback to switch
2145 // it.
2146 if (!SSL_CTX_set_session_id_context(server_ctx.get(), kContext1,
2147 sizeof(kContext1))) {
2148 return false;
2149 }
David Benjamina933c382016-10-28 00:10:03 -0400[diff] [blame]2150
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2151 SSL_CTX_set_tlsext_servername_callback(server_ctx.get(),
2152 SwitchSessionIDContextSNI);
David Benjamina933c382016-10-28 00:10:03 -0400[diff] [blame]2153
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2154 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(),
2155 false /* expect session not reused */)) {
2156 fprintf(stderr, "Error connecting with a context switch on SNI callback.\n");
2157 return false;
2158 }
David Benjamina933c382016-10-28 00:10:03 -0400[diff] [blame]2159
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2160 // Switch the session ID context with the early callback instead.
2161 SSL_CTX_set_tlsext_servername_callback(server_ctx.get(), nullptr);
Alessandro Ghedini57e81e62017-03-14 23:36:00 +0000[diff] [blame]2162 SSL_CTX_set_select_certificate_cb(
2163 server_ctx.get(),
2164 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
2165 static const uint8_t kContext[] = {3};
2166
2167 if (!SSL_set_session_id_context(client_hello->ssl, kContext,
2168 sizeof(kContext))) {
2169 return ssl_select_cert_error;
2170 }
2171
2172 return ssl_select_cert_success;
2173 });
David Benjamina933c382016-10-28 00:10:03 -0400[diff] [blame]2174
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2175 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(),
2176 false /* expect session not reused */)) {
2177 fprintf(stderr,
2178 "Error connecting with a context switch on early callback.\n");
2179 return false;
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2180 }
2181
2182 return true;
2183}
2184
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]2185static timeval g_current_time;
2186
2187static void CurrentTimeCallback(const SSL *ssl, timeval *out_clock) {
2188 *out_clock = g_current_time;
2189}
2190
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2191static void FrozenTimeCallback(const SSL *ssl, timeval *out_clock) {
2192 out_clock->tv_sec = 1000;
2193 out_clock->tv_usec = 0;
2194}
2195
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]2196static int RenewTicketCallback(SSL *ssl, uint8_t *key_name, uint8_t *iv,
2197 EVP_CIPHER_CTX *ctx, HMAC_CTX *hmac_ctx,
2198 int encrypt) {
2199 static const uint8_t kZeros[16] = {0};
2200
2201 if (encrypt) {
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]2202 OPENSSL_memcpy(key_name, kZeros, sizeof(kZeros));
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]2203 RAND_bytes(iv, 16);
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]2204 } else if (OPENSSL_memcmp(key_name, kZeros, 16) != 0) {
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]2205 return 0;
2206 }
2207
2208 if (!HMAC_Init_ex(hmac_ctx, kZeros, sizeof(kZeros), EVP_sha256(), NULL) ||
2209 !EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, kZeros, iv, encrypt)) {
2210 return -1;
2211 }
2212
2213 // Returning two from the callback in decrypt mode renews the
2214 // session in TLS 1.2 and below.
2215 return encrypt ? 1 : 2;
2216}
2217
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]2218static bool GetServerTicketTime(long *out, const SSL_SESSION *session) {
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]2219 if (session->tlsext_ticklen < 16 + 16 + SHA256_DIGEST_LENGTH) {
2220 return false;
2221 }
2222
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]2223 const uint8_t *ciphertext = session->tlsext_tick + 16 + 16;
2224 size_t len = session->tlsext_ticklen - 16 - 16 - SHA256_DIGEST_LENGTH;
2225 std::unique_ptr<uint8_t[]> plaintext(new uint8_t[len]);
2226
David Benjamin9b63f292016-11-15 00:44:05 -0500[diff] [blame]2227#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
2228 // Fuzzer-mode tickets are unencrypted.
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]2229 OPENSSL_memcpy(plaintext.get(), ciphertext, len);
David Benjamin9b63f292016-11-15 00:44:05 -0500[diff] [blame]2230#else
2231 static const uint8_t kZeros[16] = {0};
2232 const uint8_t *iv = session->tlsext_tick + 16;
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]2233 bssl::ScopedEVP_CIPHER_CTX ctx;
2234 int len1, len2;
2235 if (!EVP_DecryptInit_ex(ctx.get(), EVP_aes_128_cbc(), nullptr, kZeros, iv) ||
2236 !EVP_DecryptUpdate(ctx.get(), plaintext.get(), &len1, ciphertext, len) ||
2237 !EVP_DecryptFinal_ex(ctx.get(), plaintext.get() + len1, &len2)) {
2238 return false;
2239 }
2240
2241 len = static_cast<size_t>(len1 + len2);
David Benjamin9b63f292016-11-15 00:44:05 -0500[diff] [blame]2242#endif
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]2243
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]2244 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
2245 if (!ssl_ctx) {
2246 return false;
2247 }
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]2248 bssl::UniquePtr<SSL_SESSION> server_session(
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]2249 SSL_SESSION_from_bytes(plaintext.get(), len, ssl_ctx.get()));
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]2250 if (!server_session) {
2251 return false;
2252 }
2253
2254 *out = server_session->time;
2255 return true;
2256}
2257
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2258static bool TestSessionTimeout(bool is_dtls, const SSL_METHOD *method,
2259 uint16_t version) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2260 bssl::UniquePtr<X509> cert = GetTestCertificate();
2261 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]2262 if (!cert || !key) {
2263 return false;
2264 }
2265
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2266 for (bool server_test : std::vector<bool>{false, true}) {
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2267 static const time_t kStartTime = 1000;
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2268 g_current_time.tv_sec = kStartTime;
David Benjamin1b22f852016-10-27 16:36:32 -0400[diff] [blame]2269
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2270 // We are willing to use a longer lifetime for TLS 1.3 sessions as
2271 // resumptions still perform ECDHE.
2272 const time_t timeout = version == TLS1_3_VERSION
2273 ? SSL_DEFAULT_SESSION_PSK_DHE_TIMEOUT
2274 : SSL_DEFAULT_SESSION_TIMEOUT;
2275
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2276 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method));
2277 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method));
2278 if (!server_ctx || !client_ctx ||
2279 !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) ||
2280 !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()) ||
2281 !SSL_CTX_set_min_proto_version(client_ctx.get(), version) ||
2282 !SSL_CTX_set_max_proto_version(client_ctx.get(), version) ||
2283 !SSL_CTX_set_min_proto_version(server_ctx.get(), version) ||
2284 !SSL_CTX_set_max_proto_version(server_ctx.get(), version)) {
2285 return false;
2286 }
2287
2288 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
2289 SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH);
2290
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2291 // Both client and server must enforce session timeouts. We configure the
2292 // other side with a frozen clock so it never expires tickets.
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2293 if (server_test) {
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2294 SSL_CTX_set_current_time_cb(client_ctx.get(), FrozenTimeCallback);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2295 SSL_CTX_set_current_time_cb(server_ctx.get(), CurrentTimeCallback);
2296 } else {
2297 SSL_CTX_set_current_time_cb(client_ctx.get(), CurrentTimeCallback);
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2298 SSL_CTX_set_current_time_cb(server_ctx.get(), FrozenTimeCallback);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2299 }
2300
2301 // Configure a ticket callback which renews tickets.
2302 SSL_CTX_set_tlsext_ticket_key_cb(server_ctx.get(), RenewTicketCallback);
2303
2304 bssl::UniquePtr<SSL_SESSION> session =
2305 CreateClientSession(client_ctx.get(), server_ctx.get());
2306 if (!session) {
2307 fprintf(stderr, "Error getting session.\n");
2308 return false;
2309 }
2310
2311 // Advance the clock just behind the timeout.
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2312 g_current_time.tv_sec += timeout - 1;
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2313
2314 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(),
2315 true /* expect session reused */)) {
2316 fprintf(stderr, "Error resuming session.\n");
2317 return false;
2318 }
2319
2320 // Advance the clock one more second.
2321 g_current_time.tv_sec++;
2322
2323 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(),
2324 false /* expect session not reused */)) {
2325 fprintf(stderr, "Error resuming session.\n");
2326 return false;
2327 }
2328
2329 // Rewind the clock to before the session was minted.
2330 g_current_time.tv_sec = kStartTime - 1;
2331
2332 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(),
2333 false /* expect session not reused */)) {
2334 fprintf(stderr, "Error resuming session.\n");
2335 return false;
2336 }
2337
2338 // SSL 3.0 cannot renew sessions.
2339 if (version == SSL3_VERSION) {
2340 continue;
2341 }
2342
2343 // Renew the session 10 seconds before expiration.
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2344 time_t new_start_time = kStartTime + timeout - 10;
2345 g_current_time.tv_sec = new_start_time;
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2346 bssl::UniquePtr<SSL_SESSION> new_session =
2347 ExpectSessionRenewed(client_ctx.get(), server_ctx.get(), session.get());
2348 if (!new_session) {
2349 fprintf(stderr, "Error renewing session.\n");
2350 return false;
2351 }
2352
2353 // This new session is not the same object as before.
2354 if (session.get() == new_session.get()) {
2355 fprintf(stderr, "New and old sessions alias.\n");
2356 return false;
2357 }
2358
2359 // Check the sessions have timestamps measured from issuance.
2360 long session_time = 0;
2361 if (server_test) {
2362 if (!GetServerTicketTime(&session_time, new_session.get())) {
2363 fprintf(stderr, "Failed to decode session ticket.\n");
David Benjaminb2e2e322016-11-01 17:32:54 -0400[diff] [blame]2364 return false;
2365 }
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2366 } else {
2367 session_time = new_session->time;
2368 }
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]2369
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2370 if (session_time != g_current_time.tv_sec) {
2371 fprintf(stderr, "New session is not measured from issuance.\n");
2372 return false;
2373 }
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]2374
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2375 if (version == TLS1_3_VERSION) {
2376 // Renewal incorporates fresh key material in TLS 1.3, so we extend the
2377 // lifetime TLS 1.3.
2378 g_current_time.tv_sec = new_start_time + timeout - 1;
2379 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(),
2380 new_session.get(),
2381 true /* expect session reused */)) {
2382 fprintf(stderr, "Error resuming renewed session.\n");
2383 return false;
2384 }
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]2385
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2386 // The new session expires after the new timeout.
2387 g_current_time.tv_sec = new_start_time + timeout + 1;
2388 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(),
2389 new_session.get(),
2390 false /* expect session ot reused */)) {
2391 fprintf(stderr, "Renewed session's lifetime is too long.\n");
2392 return false;
2393 }
2394
2395 // Renew the session until it begins just past the auth timeout.
2396 time_t auth_end_time = kStartTime + SSL_DEFAULT_SESSION_AUTH_TIMEOUT;
2397 while (new_start_time < auth_end_time - 1000) {
2398 // Get as close as possible to target start time.
2399 new_start_time =
2400 std::min(auth_end_time - 1000, new_start_time + timeout - 1);
2401 g_current_time.tv_sec = new_start_time;
2402 new_session = ExpectSessionRenewed(client_ctx.get(), server_ctx.get(),
2403 new_session.get());
2404 if (!new_session) {
2405 fprintf(stderr, "Error renewing session.\n");
2406 return false;
2407 }
2408 }
2409
2410 // Now the session's lifetime is bound by the auth timeout.
2411 g_current_time.tv_sec = auth_end_time - 1;
2412 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(),
2413 new_session.get(),
2414 true /* expect session reused */)) {
2415 fprintf(stderr, "Error resuming renewed session.\n");
2416 return false;
2417 }
2418
2419 g_current_time.tv_sec = auth_end_time + 1;
2420 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(),
2421 new_session.get(),
2422 false /* expect session ot reused */)) {
2423 fprintf(stderr, "Renewed session's lifetime is too long.\n");
2424 return false;
2425 }
2426 } else {
2427 // The new session is usable just before the old expiration.
2428 g_current_time.tv_sec = kStartTime + timeout - 1;
2429 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(),
2430 new_session.get(),
2431 true /* expect session reused */)) {
2432 fprintf(stderr, "Error resuming renewed session.\n");
2433 return false;
2434 }
2435
2436 // Renewal does not extend the lifetime, so it is not usable beyond the
2437 // old expiration.
2438 g_current_time.tv_sec = kStartTime + timeout + 1;
2439 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(),
2440 new_session.get(),
2441 false /* expect session not reused */)) {
2442 fprintf(stderr, "Renewed session's lifetime is too long.\n");
2443 return false;
2444 }
David Benjamin1b22f852016-10-27 16:36:32 -0400[diff] [blame]2445 }
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]2446 }
2447
2448 return true;
2449}
2450
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2451static int SwitchContext(SSL *ssl, int *out_alert, void *arg) {
2452 SSL_CTX *ctx = reinterpret_cast<SSL_CTX*>(arg);
2453 SSL_set_SSL_CTX(ssl, ctx);
2454 return SSL_TLSEXT_ERR_OK;
2455}
2456
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2457static bool TestSNICallback(bool is_dtls, const SSL_METHOD *method,
2458 uint16_t version) {
2459 // SSL 3.0 lacks extensions.
2460 if (version == SSL3_VERSION) {
2461 return true;
2462 }
2463
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2464 bssl::UniquePtr<X509> cert = GetTestCertificate();
2465 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
2466 bssl::UniquePtr<X509> cert2 = GetECDSATestCertificate();
2467 bssl::UniquePtr<EVP_PKEY> key2 = GetECDSATestKey();
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2468 if (!cert || !key || !cert2 || !key2) {
2469 return false;
2470 }
2471
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2472 // Test that switching the |SSL_CTX| at the SNI callback behaves correctly.
2473 static const uint16_t kECDSAWithSHA256 = SSL_SIGN_ECDSA_SECP256R1_SHA256;
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2474
David Benjamin83a32122017-02-14 18:34:54 -0500[diff] [blame]2475 static const uint8_t kSCTList[] = {0, 6, 0, 4, 5, 6, 7, 8};
2476 static const uint8_t kOCSPResponse[] = {1, 2, 3, 4};
2477
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2478 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method));
2479 bssl::UniquePtr<SSL_CTX> server_ctx2(SSL_CTX_new(method));
2480 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method));
2481 if (!server_ctx || !server_ctx2 || !client_ctx ||
2482 !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) ||
2483 !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()) ||
2484 !SSL_CTX_use_certificate(server_ctx2.get(), cert2.get()) ||
2485 !SSL_CTX_use_PrivateKey(server_ctx2.get(), key2.get()) ||
David Benjamin83a32122017-02-14 18:34:54 -0500[diff] [blame]2486 !SSL_CTX_set_signed_cert_timestamp_list(server_ctx2.get(), kSCTList,
2487 sizeof(kSCTList)) ||
2488 !SSL_CTX_set_ocsp_response(server_ctx2.get(), kOCSPResponse,
2489 sizeof(kOCSPResponse)) ||
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2490 // Historically signing preferences would be lost in some cases with the
2491 // SNI callback, which triggers the TLS 1.2 SHA-1 default. To ensure
2492 // this doesn't happen when |version| is TLS 1.2, configure the private
2493 // key to only sign SHA-256.
2494 !SSL_CTX_set_signing_algorithm_prefs(server_ctx2.get(), &kECDSAWithSHA256,
2495 1) ||
2496 !SSL_CTX_set_min_proto_version(client_ctx.get(), version) ||
2497 !SSL_CTX_set_max_proto_version(client_ctx.get(), version) ||
2498 !SSL_CTX_set_min_proto_version(server_ctx.get(), version) ||
2499 !SSL_CTX_set_max_proto_version(server_ctx.get(), version) ||
2500 !SSL_CTX_set_min_proto_version(server_ctx2.get(), version) ||
2501 !SSL_CTX_set_max_proto_version(server_ctx2.get(), version)) {
2502 return false;
2503 }
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2504
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2505 SSL_CTX_set_tlsext_servername_callback(server_ctx.get(), SwitchContext);
2506 SSL_CTX_set_tlsext_servername_arg(server_ctx.get(), server_ctx2.get());
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2507
David Benjamin83a32122017-02-14 18:34:54 -0500[diff] [blame]2508 SSL_CTX_enable_signed_cert_timestamps(client_ctx.get());
2509 SSL_CTX_enable_ocsp_stapling(client_ctx.get());
2510
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2511 bssl::UniquePtr<SSL> client, server;
2512 if (!ConnectClientAndServer(&client, &server, client_ctx.get(),
2513 server_ctx.get(), nullptr)) {
2514 fprintf(stderr, "Handshake failed.\n");
2515 return false;
2516 }
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2517
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2518 // The client should have received |cert2|.
2519 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(client.get()));
2520 if (!peer || X509_cmp(peer.get(), cert2.get()) != 0) {
2521 fprintf(stderr, "Incorrect certificate received.\n");
2522 return false;
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2523 }
2524
David Benjamin83a32122017-02-14 18:34:54 -0500[diff] [blame]2525 // The client should have received |server_ctx2|'s SCT list.
2526 const uint8_t *data;
2527 size_t len;
2528 SSL_get0_signed_cert_timestamp_list(client.get(), &data, &len);
2529 if (Bytes(kSCTList) != Bytes(data, len)) {
2530 fprintf(stderr, "Incorrect SCT list received.\n");
2531 return false;
2532 }
2533
2534 // The client should have received |server_ctx2|'s OCSP response.
2535 SSL_get0_ocsp_response(client.get(), &data, &len);
2536 if (Bytes(kOCSPResponse) != Bytes(data, len)) {
2537 fprintf(stderr, "Incorrect OCSP response received.\n");
2538 return false;
2539 }
2540
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2541 return true;
2542}
2543
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2544// Test that the early callback can swap the maximum version.
2545TEST(SSLTest, EarlyCallbackVersionSwitch) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2546 bssl::UniquePtr<X509> cert = GetTestCertificate();
2547 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
2548 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
2549 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2550 ASSERT_TRUE(cert);
2551 ASSERT_TRUE(key);
2552 ASSERT_TRUE(server_ctx);
2553 ASSERT_TRUE(client_ctx);
2554 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
2555 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
2556 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION));
2557 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
David Benjamin99620572016-08-30 00:35:36 -0400[diff] [blame]2558
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2559 SSL_CTX_set_select_certificate_cb(
Alessandro Ghedini57e81e62017-03-14 23:36:00 +0000[diff] [blame]2560 server_ctx.get(),
2561 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2562 if (!SSL_set_max_proto_version(client_hello->ssl, TLS1_2_VERSION)) {
Alessandro Ghedini57e81e62017-03-14 23:36:00 +0000[diff] [blame]2563 return ssl_select_cert_error;
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2564 }
2565
Alessandro Ghedini57e81e62017-03-14 23:36:00 +0000[diff] [blame]2566 return ssl_select_cert_success;
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2567 });
David Benjamin99620572016-08-30 00:35:36 -0400[diff] [blame]2568
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2569 bssl::UniquePtr<SSL> client, server;
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2570 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
2571 server_ctx.get(), nullptr));
2572 EXPECT_EQ(TLS1_2_VERSION, SSL_version(client.get()));
David Benjamin99620572016-08-30 00:35:36 -0400[diff] [blame]2573}
2574
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2575TEST(SSLTest, SetVersion) {
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2576 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2577 ASSERT_TRUE(ctx);
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2578
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2579 // Set valid TLS versions.
2580 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_VERSION));
2581 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_1_VERSION));
2582 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_VERSION));
2583 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_1_VERSION));
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2584
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2585 // Invalid TLS versions are rejected.
2586 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), DTLS1_VERSION));
2587 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0x0200));
2588 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0x1234));
2589 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), DTLS1_VERSION));
2590 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x0200));
2591 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x1234));
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2592
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2593 // Zero is the default version.
2594 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), 0));
David Benjaminfc08dfc2017-06-20 14:39:32 -0400[diff] [blame]2595 EXPECT_EQ(TLS1_2_VERSION, ctx->conf_max_version);
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2596 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), 0));
David Benjaminfc08dfc2017-06-20 14:39:32 -0400[diff] [blame]2597 EXPECT_EQ(TLS1_VERSION, ctx->conf_min_version);
David Benjamin3cfeb952017-03-01 16:48:38 -0500[diff] [blame]2598
2599 // SSL 3.0 and TLS 1.3 are available, but not by default.
2600 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), SSL3_VERSION));
David Benjaminfc08dfc2017-06-20 14:39:32 -0400[diff] [blame]2601 EXPECT_EQ(SSL3_VERSION, ctx->conf_min_version);
David Benjamin3cfeb952017-03-01 16:48:38 -0500[diff] [blame]2602 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_3_VERSION));
David Benjaminfc08dfc2017-06-20 14:39:32 -0400[diff] [blame]2603 EXPECT_EQ(TLS1_3_VERSION, ctx->conf_max_version);
David Benjamine34bcc92016-09-21 16:53:09 -0400[diff] [blame]2604
David Benjamin353577c2017-06-29 15:54:58 -0400[diff] [blame]2605 // TLS1_3_DRAFT_VERSION is not an API-level version.
2606 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_3_DRAFT_VERSION));
2607 ERR_clear_error();
2608
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2609 ctx.reset(SSL_CTX_new(DTLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2610 ASSERT_TRUE(ctx);
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2611
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2612 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), DTLS1_VERSION));
2613 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), DTLS1_2_VERSION));
2614 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), DTLS1_VERSION));
2615 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), DTLS1_2_VERSION));
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2616
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2617 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_VERSION));
2618 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0xfefe /* DTLS 1.1 */));
2619 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0xfffe /* DTLS 0.1 */));
2620 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0x1234));
2621 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_VERSION));
2622 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0xfefe /* DTLS 1.1 */));
2623 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0xfffe /* DTLS 0.1 */));
2624 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x1234));
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2625
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2626 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), 0));
David Benjaminfc08dfc2017-06-20 14:39:32 -0400[diff] [blame]2627 EXPECT_EQ(TLS1_2_VERSION, ctx->conf_max_version);
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2628 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), 0));
David Benjaminfc08dfc2017-06-20 14:39:32 -0400[diff] [blame]2629 EXPECT_EQ(TLS1_1_VERSION, ctx->conf_min_version);
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2630}
2631
David Benjamin458334a2016-12-15 13:53:25 -0500[diff] [blame]2632static const char *GetVersionName(uint16_t version) {
2633 switch (version) {
2634 case SSL3_VERSION:
2635 return "SSLv3";
2636 case TLS1_VERSION:
2637 return "TLSv1";
2638 case TLS1_1_VERSION:
2639 return "TLSv1.1";
2640 case TLS1_2_VERSION:
2641 return "TLSv1.2";
2642 case TLS1_3_VERSION:
2643 return "TLSv1.3";
2644 case DTLS1_VERSION:
2645 return "DTLSv1";
2646 case DTLS1_2_VERSION:
2647 return "DTLSv1.2";
2648 default:
2649 return "???";
2650 }
2651}
2652
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2653static bool TestVersion(bool is_dtls, const SSL_METHOD *method,
2654 uint16_t version) {
David Benjamincb18ac22016-09-27 14:09:15 -0400[diff] [blame]2655 bssl::UniquePtr<X509> cert = GetTestCertificate();
2656 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
2657 if (!cert || !key) {
2658 return false;
2659 }
2660
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2661 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method));
2662 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method));
2663 bssl::UniquePtr<SSL> client, server;
2664 if (!server_ctx || !client_ctx ||
2665 !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) ||
2666 !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()) ||
2667 !SSL_CTX_set_min_proto_version(client_ctx.get(), version) ||
2668 !SSL_CTX_set_max_proto_version(client_ctx.get(), version) ||
2669 !SSL_CTX_set_min_proto_version(server_ctx.get(), version) ||
2670 !SSL_CTX_set_max_proto_version(server_ctx.get(), version) ||
2671 !ConnectClientAndServer(&client, &server, client_ctx.get(),
2672 server_ctx.get(), nullptr /* no session */)) {
2673 fprintf(stderr, "Failed to connect.\n");
2674 return false;
2675 }
David Benjamincb18ac22016-09-27 14:09:15 -0400[diff] [blame]2676
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2677 if (SSL_version(client.get()) != version ||
2678 SSL_version(server.get()) != version) {
2679 fprintf(stderr, "Version mismatch. Got %04x and %04x, wanted %04x.\n",
2680 SSL_version(client.get()), SSL_version(server.get()), version);
2681 return false;
David Benjamincb18ac22016-09-27 14:09:15 -0400[diff] [blame]2682 }
2683
David Benjamin458334a2016-12-15 13:53:25 -0500[diff] [blame]2684 // Test the version name is reported as expected.
2685 const char *version_name = GetVersionName(version);
2686 if (strcmp(version_name, SSL_get_version(client.get())) != 0 ||
2687 strcmp(version_name, SSL_get_version(server.get())) != 0) {
2688 fprintf(stderr, "Version name mismatch. Got '%s' and '%s', wanted '%s'.\n",
2689 SSL_get_version(client.get()), SSL_get_version(server.get()),
2690 version_name);
2691 return false;
2692 }
2693
2694 // Test SSL_SESSION reports the same name.
2695 const char *client_name =
2696 SSL_SESSION_get_version(SSL_get_session(client.get()));
2697 const char *server_name =
2698 SSL_SESSION_get_version(SSL_get_session(server.get()));
2699 if (strcmp(version_name, client_name) != 0 ||
2700 strcmp(version_name, server_name) != 0) {
2701 fprintf(stderr,
2702 "Session version name mismatch. Got '%s' and '%s', wanted '%s'.\n",
2703 client_name, server_name, version_name);
2704 return false;
2705 }
2706
David Benjamincb18ac22016-09-27 14:09:15 -0400[diff] [blame]2707 return true;
2708}
2709
David Benjamin9ef31f02016-10-31 18:01:13 -0400[diff] [blame]2710// Tests that that |SSL_get_pending_cipher| is available during the ALPN
2711// selection callback.
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2712static bool TestALPNCipherAvailable(bool is_dtls, const SSL_METHOD *method,
2713 uint16_t version) {
2714 // SSL 3.0 lacks extensions.
2715 if (version == SSL3_VERSION) {
2716 return true;
2717 }
2718
David Benjamin9ef31f02016-10-31 18:01:13 -0400[diff] [blame]2719 static const uint8_t kALPNProtos[] = {0x03, 'f', 'o', 'o'};
2720
2721 bssl::UniquePtr<X509> cert = GetTestCertificate();
2722 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
2723 if (!cert || !key) {
2724 return false;
2725 }
2726
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2727 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method));
2728 if (!ctx || !SSL_CTX_use_certificate(ctx.get(), cert.get()) ||
2729 !SSL_CTX_use_PrivateKey(ctx.get(), key.get()) ||
2730 !SSL_CTX_set_min_proto_version(ctx.get(), version) ||
2731 !SSL_CTX_set_max_proto_version(ctx.get(), version) ||
2732 SSL_CTX_set_alpn_protos(ctx.get(), kALPNProtos, sizeof(kALPNProtos)) !=
2733 0) {
2734 return false;
2735 }
2736
2737 // The ALPN callback does not fail the handshake on error, so have the
2738 // callback write a boolean.
2739 std::pair<uint16_t, bool> callback_state(version, false);
2740 SSL_CTX_set_alpn_select_cb(
2741 ctx.get(),
2742 [](SSL *ssl, const uint8_t **out, uint8_t *out_len, const uint8_t *in,
2743 unsigned in_len, void *arg) -> int {
2744 auto state = reinterpret_cast<std::pair<uint16_t, bool> *>(arg);
2745 if (SSL_get_pending_cipher(ssl) != nullptr &&
2746 SSL_version(ssl) == state->first) {
2747 state->second = true;
2748 }
2749 return SSL_TLSEXT_ERR_NOACK;
2750 },
2751 &callback_state);
2752
2753 bssl::UniquePtr<SSL> client, server;
2754 if (!ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
2755 nullptr /* no session */)) {
2756 return false;
2757 }
2758
2759 if (!callback_state.second) {
2760 fprintf(stderr, "The pending cipher was not known in the ALPN callback.\n");
2761 return false;
2762 }
2763
2764 return true;
2765}
2766
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]2767static bool TestSSLClearSessionResumption(bool is_dtls,
2768 const SSL_METHOD *method,
2769 uint16_t version) {
2770 // Skip this for TLS 1.3. TLS 1.3's ticket mechanism is incompatible with this
2771 // API pattern.
2772 if (version == TLS1_3_VERSION) {
2773 return true;
2774 }
2775
2776 bssl::UniquePtr<X509> cert = GetTestCertificate();
2777 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
2778 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method));
2779 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method));
2780 if (!cert || !key || !server_ctx || !client_ctx ||
2781 !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) ||
2782 !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()) ||
2783 !SSL_CTX_set_min_proto_version(client_ctx.get(), version) ||
2784 !SSL_CTX_set_max_proto_version(client_ctx.get(), version) ||
2785 !SSL_CTX_set_min_proto_version(server_ctx.get(), version) ||
2786 !SSL_CTX_set_max_proto_version(server_ctx.get(), version)) {
2787 return false;
2788 }
2789
2790 // Connect a client and a server.
2791 bssl::UniquePtr<SSL> client, server;
2792 if (!ConnectClientAndServer(&client, &server, client_ctx.get(),
2793 server_ctx.get(), nullptr /* no session */)) {
2794 return false;
2795 }
2796
2797 if (SSL_session_reused(client.get()) ||
2798 SSL_session_reused(server.get())) {
2799 fprintf(stderr, "Session unexpectedly reused.\n");
2800 return false;
2801 }
2802
2803 // Reset everything.
2804 if (!SSL_clear(client.get()) ||
2805 !SSL_clear(server.get())) {
2806 fprintf(stderr, "SSL_clear failed.\n");
2807 return false;
2808 }
2809
2810 // Attempt to connect a second time.
2811 if (!CompleteHandshakes(client.get(), server.get())) {
2812 fprintf(stderr, "Could not reuse SSL objects.\n");
2813 return false;
2814 }
2815
2816 // |SSL_clear| should implicitly offer the previous session to the server.
2817 if (!SSL_session_reused(client.get()) ||
2818 !SSL_session_reused(server.get())) {
2819 fprintf(stderr, "Session was not reused in second try.\n");
2820 return false;
2821 }
2822
2823 return true;
2824}
2825
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]2826static bool ChainsEqual(STACK_OF(X509) *chain,
2827 const std::vector<X509 *> &expected) {
2828 if (sk_X509_num(chain) != expected.size()) {
2829 return false;
2830 }
2831
2832 for (size_t i = 0; i < expected.size(); i++) {
2833 if (X509_cmp(sk_X509_value(chain, i), expected[i]) != 0) {
2834 return false;
2835 }
2836 }
2837
2838 return true;
2839}
2840
2841static bool TestAutoChain(bool is_dtls, const SSL_METHOD *method,
2842 uint16_t version) {
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]2843 bssl::UniquePtr<X509> cert = GetChainTestCertificate();
2844 bssl::UniquePtr<X509> intermediate = GetChainTestIntermediate();
2845 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
2846 if (!cert || !intermediate || !key) {
2847 return false;
2848 }
2849
2850 // Configure both client and server to accept any certificate. Add
2851 // |intermediate| to the cert store.
2852 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method));
2853 if (!ctx ||
2854 !SSL_CTX_use_certificate(ctx.get(), cert.get()) ||
2855 !SSL_CTX_use_PrivateKey(ctx.get(), key.get()) ||
2856 !SSL_CTX_set_min_proto_version(ctx.get(), version) ||
2857 !SSL_CTX_set_max_proto_version(ctx.get(), version) ||
2858 !X509_STORE_add_cert(SSL_CTX_get_cert_store(ctx.get()),
2859 intermediate.get())) {
2860 return false;
2861 }
2862 SSL_CTX_set_verify(
2863 ctx.get(), SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nullptr);
2864 SSL_CTX_set_cert_verify_callback(ctx.get(), VerifySucceed, NULL);
2865
2866 // By default, the client and server should each only send the leaf.
2867 bssl::UniquePtr<SSL> client, server;
2868 if (!ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
2869 nullptr /* no session */)) {
2870 return false;
2871 }
2872
2873 if (!ChainsEqual(SSL_get_peer_full_cert_chain(client.get()), {cert.get()})) {
2874 fprintf(stderr, "Client-received chain did not match.\n");
2875 return false;
2876 }
2877
2878 if (!ChainsEqual(SSL_get_peer_full_cert_chain(server.get()), {cert.get()})) {
2879 fprintf(stderr, "Server-received chain did not match.\n");
2880 return false;
2881 }
2882
2883 // If auto-chaining is enabled, then the intermediate is sent.
2884 SSL_CTX_clear_mode(ctx.get(), SSL_MODE_NO_AUTO_CHAIN);
2885 if (!ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
2886 nullptr /* no session */)) {
2887 return false;
2888 }
2889
2890 if (!ChainsEqual(SSL_get_peer_full_cert_chain(client.get()),
2891 {cert.get(), intermediate.get()})) {
2892 fprintf(stderr, "Client-received chain did not match (auto-chaining).\n");
2893 return false;
2894 }
2895
2896 if (!ChainsEqual(SSL_get_peer_full_cert_chain(server.get()),
2897 {cert.get(), intermediate.get()})) {
2898 fprintf(stderr, "Server-received chain did not match (auto-chaining).\n");
2899 return false;
2900 }
2901
2902 // Auto-chaining does not override explicitly-configured intermediates.
2903 if (!SSL_CTX_add1_chain_cert(ctx.get(), cert.get()) ||
2904 !ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
2905 nullptr /* no session */)) {
2906 return false;
2907 }
2908
2909 if (!ChainsEqual(SSL_get_peer_full_cert_chain(client.get()),
2910 {cert.get(), cert.get()})) {
2911 fprintf(stderr,
2912 "Client-received chain did not match (auto-chaining, explicit "
2913 "intermediate).\n");
2914 return false;
2915 }
2916
2917 if (!ChainsEqual(SSL_get_peer_full_cert_chain(server.get()),
2918 {cert.get(), cert.get()})) {
2919 fprintf(stderr,
2920 "Server-received chain did not match (auto-chaining, explicit "
2921 "intermediate).\n");
2922 return false;
2923 }
2924
2925 return true;
2926}
2927
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]2928static bool ExpectBadWriteRetry() {
2929 int err = ERR_get_error();
2930 if (ERR_GET_LIB(err) != ERR_LIB_SSL ||
2931 ERR_GET_REASON(err) != SSL_R_BAD_WRITE_RETRY) {
2932 char buf[ERR_ERROR_STRING_BUF_LEN];
2933 ERR_error_string_n(err, buf, sizeof(buf));
2934 fprintf(stderr, "Wanted SSL_R_BAD_WRITE_RETRY, got: %s.\n", buf);
2935 return false;
2936 }
2937
2938 if (ERR_peek_error() != 0) {
2939 fprintf(stderr, "Unexpected error following SSL_R_BAD_WRITE_RETRY.\n");
2940 return false;
2941 }
2942
2943 return true;
2944}
2945
2946static bool TestSSLWriteRetry(bool is_dtls, const SSL_METHOD *method,
2947 uint16_t version) {
2948 if (is_dtls) {
2949 return true;
2950 }
2951
2952 for (bool enable_partial_write : std::vector<bool>{false, true}) {
2953 // Connect a client and server.
2954 bssl::UniquePtr<X509> cert = GetTestCertificate();
2955 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
2956 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method));
2957 bssl::UniquePtr<SSL> client, server;
2958 if (!cert || !key || !ctx ||
2959 !SSL_CTX_use_certificate(ctx.get(), cert.get()) ||
2960 !SSL_CTX_use_PrivateKey(ctx.get(), key.get()) ||
2961 !SSL_CTX_set_min_proto_version(ctx.get(), version) ||
2962 !SSL_CTX_set_max_proto_version(ctx.get(), version) ||
2963 !ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
2964 nullptr /* no session */)) {
2965 return false;
2966 }
2967
2968 if (enable_partial_write) {
2969 SSL_set_mode(client.get(), SSL_MODE_ENABLE_PARTIAL_WRITE);
2970 }
2971
2972 // Write without reading until the buffer is full and we have an unfinished
2973 // write. Keep a count so we may reread it again later. "hello!" will be
2974 // written in two chunks, "hello" and "!".
2975 char data[] = "hello!";
2976 static const int kChunkLen = 5; // The length of "hello".
2977 unsigned count = 0;
2978 for (;;) {
2979 int ret = SSL_write(client.get(), data, kChunkLen);
2980 if (ret <= 0) {
2981 int err = SSL_get_error(client.get(), ret);
2982 if (SSL_get_error(client.get(), ret) == SSL_ERROR_WANT_WRITE) {
2983 break;
2984 }
2985 fprintf(stderr, "SSL_write failed in unexpected way: %d\n", err);
2986 return false;
2987 }
2988
2989 if (ret != 5) {
2990 fprintf(stderr, "SSL_write wrote %d bytes, expected 5.\n", ret);
2991 return false;
2992 }
2993
2994 count++;
2995 }
2996
2997 // Retrying with the same parameters is legal.
2998 if (SSL_get_error(client.get(), SSL_write(client.get(), data, kChunkLen)) !=
2999 SSL_ERROR_WANT_WRITE) {
3000 fprintf(stderr, "SSL_write retry unexpectedly failed.\n");
3001 return false;
3002 }
3003
3004 // Retrying with the same buffer but shorter length is not legal.
3005 if (SSL_get_error(client.get(),
3006 SSL_write(client.get(), data, kChunkLen - 1)) !=
3007 SSL_ERROR_SSL ||
3008 !ExpectBadWriteRetry()) {
3009 fprintf(stderr, "SSL_write retry did not fail as expected.\n");
3010 return false;
3011 }
3012
3013 // Retrying with a different buffer pointer is not legal.
3014 char data2[] = "hello";
3015 if (SSL_get_error(client.get(), SSL_write(client.get(), data2,
3016 kChunkLen)) != SSL_ERROR_SSL ||
3017 !ExpectBadWriteRetry()) {
3018 fprintf(stderr, "SSL_write retry did not fail as expected.\n");
3019 return false;
3020 }
3021
3022 // With |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER|, the buffer may move.
3023 SSL_set_mode(client.get(), SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
3024 if (SSL_get_error(client.get(),
3025 SSL_write(client.get(), data2, kChunkLen)) !=
3026 SSL_ERROR_WANT_WRITE) {
3027 fprintf(stderr, "SSL_write retry unexpectedly failed.\n");
3028 return false;
3029 }
3030
3031 // |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER| does not disable length checks.
3032 if (SSL_get_error(client.get(),
3033 SSL_write(client.get(), data2, kChunkLen - 1)) !=
3034 SSL_ERROR_SSL ||
3035 !ExpectBadWriteRetry()) {
3036 fprintf(stderr, "SSL_write retry did not fail as expected.\n");
3037 return false;
3038 }
3039
3040 // Retrying with a larger buffer is legal.
3041 if (SSL_get_error(client.get(),
3042 SSL_write(client.get(), data, kChunkLen + 1)) !=
3043 SSL_ERROR_WANT_WRITE) {
3044 fprintf(stderr, "SSL_write retry unexpectedly failed.\n");
3045 return false;
3046 }
3047
3048 // Drain the buffer.
3049 char buf[20];
3050 for (unsigned i = 0; i < count; i++) {
3051 if (SSL_read(server.get(), buf, sizeof(buf)) != kChunkLen ||
3052 OPENSSL_memcmp(buf, "hello", kChunkLen) != 0) {
3053 fprintf(stderr, "Failed to read initial records.\n");
3054 return false;
3055 }
3056 }
3057
3058 // Now that there is space, a retry with a larger buffer should flush the
3059 // pending record, skip over that many bytes of input (on assumption they
3060 // are the same), and write the remainder. If SSL_MODE_ENABLE_PARTIAL_WRITE
3061 // is set, this will complete in two steps.
3062 char data3[] = "_____!";
3063 if (enable_partial_write) {
3064 if (SSL_write(client.get(), data3, kChunkLen + 1) != kChunkLen ||
3065 SSL_write(client.get(), data3 + kChunkLen, 1) != 1) {
3066 fprintf(stderr, "SSL_write retry failed.\n");
3067 return false;
3068 }
3069 } else if (SSL_write(client.get(), data3, kChunkLen + 1) != kChunkLen + 1) {
3070 fprintf(stderr, "SSL_write retry failed.\n");
3071 return false;
3072 }
3073
3074 // Check the last write was correct. The data will be spread over two
3075 // records, so SSL_read returns twice.
3076 if (SSL_read(server.get(), buf, sizeof(buf)) != kChunkLen ||
3077 OPENSSL_memcmp(buf, "hello", kChunkLen) != 0 ||
3078 SSL_read(server.get(), buf, sizeof(buf)) != 1 ||
3079 buf[0] != '!') {
3080 fprintf(stderr, "Failed to read write retry.\n");
3081 return false;
3082 }
3083 }
3084
3085 return true;
3086}
3087
David Benjamin5df5be12017-06-22 19:43:11 -0400[diff] [blame]3088static bool TestRecordCallback(bool is_dtls, const SSL_METHOD *method,
3089 uint16_t version) {
3090 bssl::UniquePtr<X509> cert = GetChainTestCertificate();
3091 bssl::UniquePtr<X509> intermediate = GetChainTestIntermediate();
3092 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
3093 if (!cert || !intermediate || !key) {
3094 return false;
3095 }
3096
3097 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method));
3098 if (!ctx ||
3099 !SSL_CTX_use_certificate(ctx.get(), cert.get()) ||
3100 !SSL_CTX_use_PrivateKey(ctx.get(), key.get()) ||
3101 !SSL_CTX_set_min_proto_version(ctx.get(), version) ||
3102 !SSL_CTX_set_max_proto_version(ctx.get(), version)) {
3103 return false;
3104 }
3105
3106 bool read_seen = false;
3107 bool write_seen = false;
3108 auto cb = [&](int is_write, int cb_version, int cb_type, const void *buf,
3109 size_t len, SSL *ssl) {
3110 if (cb_type != SSL3_RT_HEADER) {
3111 return;
3112 }
3113
3114 // The callback does not report a version for records.
3115 EXPECT_EQ(0, cb_version);
3116
3117 if (is_write) {
3118 write_seen = true;
3119 } else {
3120 read_seen = true;
3121 }
3122
3123 // Sanity-check that the record header is plausible.
3124 CBS cbs;
3125 CBS_init(&cbs, reinterpret_cast<const uint8_t *>(buf), len);
3126 uint8_t type;
3127 uint16_t record_version, length;
3128 ASSERT_TRUE(CBS_get_u8(&cbs, &type));
3129 ASSERT_TRUE(CBS_get_u16(&cbs, &record_version));
3130 EXPECT_TRUE(record_version == version ||
3131 record_version == (is_dtls ? DTLS1_VERSION : TLS1_VERSION))
3132 << "Invalid record version: " << record_version;
3133 if (is_dtls) {
3134 uint16_t epoch;
3135 ASSERT_TRUE(CBS_get_u16(&cbs, &epoch));
3136 EXPECT_TRUE(epoch == 0 || epoch == 1) << "Invalid epoch: " << epoch;
3137 ASSERT_TRUE(CBS_skip(&cbs, 6));
3138 }
3139 ASSERT_TRUE(CBS_get_u16(&cbs, &length));
3140 EXPECT_EQ(0u, CBS_len(&cbs));
3141 };
3142 using CallbackType = decltype(cb);
3143 SSL_CTX_set_msg_callback(
3144 ctx.get(), [](int is_write, int cb_version, int cb_type, const void *buf,
3145 size_t len, SSL *ssl, void *arg) {
3146 CallbackType *cb_ptr = reinterpret_cast<CallbackType *>(arg);
3147 (*cb_ptr)(is_write, cb_version, cb_type, buf, len, ssl);
3148 });
3149 SSL_CTX_set_msg_callback_arg(ctx.get(), &cb);
3150
3151 bssl::UniquePtr<SSL> client, server;
3152 if (!ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
3153 nullptr /* no session */)) {
3154 return false;
3155 }
3156
3157 EXPECT_TRUE(read_seen);
3158 EXPECT_TRUE(write_seen);
3159 return true;
3160}
3161
3162
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3163static bool ForEachVersion(bool (*test_func)(bool is_dtls,
3164 const SSL_METHOD *method,
3165 uint16_t version)) {
3166 static uint16_t kTLSVersions[] = {
David Benjamin3b584332017-01-24 22:47:18 -0500[diff] [blame]3167 SSL3_VERSION,
3168 TLS1_VERSION,
3169 TLS1_1_VERSION,
3170 TLS1_2_VERSION,
3171// TLS 1.3 requires RSA-PSS, which is disabled for Android system builds.
3172#if !defined(BORINGSSL_ANDROID_SYSTEM)
3173 TLS1_3_VERSION,
3174#endif
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3175 };
3176
3177 static uint16_t kDTLSVersions[] = {
3178 DTLS1_VERSION, DTLS1_2_VERSION,
3179 };
3180
David Benjamin9ef31f02016-10-31 18:01:13 -0400[diff] [blame]3181 for (uint16_t version : kTLSVersions) {
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3182 if (!test_func(false, TLS_method(), version)) {
3183 fprintf(stderr, "Test failed at TLS version %04x.\n", version);
David Benjamin9ef31f02016-10-31 18:01:13 -0400[diff] [blame]3184 return false;
3185 }
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3186 }
David Benjamin9ef31f02016-10-31 18:01:13 -0400[diff] [blame]3187
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3188 for (uint16_t version : kDTLSVersions) {
3189 if (!test_func(true, DTLS_method(), version)) {
3190 fprintf(stderr, "Test failed at DTLS version %04x.\n", version);
David Benjamin9ef31f02016-10-31 18:01:13 -0400[diff] [blame]3191 return false;
3192 }
3193 }
3194
3195 return true;
3196}
3197
Adam Langleye1e78132017-01-31 15:24:31 -0800[diff] [blame]3198TEST(SSLTest, AddChainCertHack) {
3199 // Ensure that we don't accidently break the hack that we have in place to
3200 // keep curl and serf happy when they use an |X509| even after transfering
3201 // ownership.
3202
3203 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
3204 ASSERT_TRUE(ctx);
3205 X509 *cert = GetTestCertificate().release();
3206 ASSERT_TRUE(cert);
3207 SSL_CTX_add0_chain_cert(ctx.get(), cert);
3208
3209 // This should not trigger a use-after-free.
3210 X509_cmp(cert, cert);
3211}
3212
David Benjaminb2ff2622017-02-03 17:06:18 -0500[diff] [blame]3213TEST(SSLTest, GetCertificate) {
3214 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
3215 ASSERT_TRUE(ctx);
3216 bssl::UniquePtr<X509> cert = GetTestCertificate();
3217 ASSERT_TRUE(cert);
3218 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), cert.get()));
3219 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
3220 ASSERT_TRUE(ssl);
3221
3222 X509 *cert2 = SSL_CTX_get0_certificate(ctx.get());
3223 ASSERT_TRUE(cert2);
3224 X509 *cert3 = SSL_get_certificate(ssl.get());
3225 ASSERT_TRUE(cert3);
3226
3227 // The old and new certificates must be identical.
3228 EXPECT_EQ(0, X509_cmp(cert.get(), cert2));
3229 EXPECT_EQ(0, X509_cmp(cert.get(), cert3));
3230
3231 uint8_t *der = nullptr;
3232 long der_len = i2d_X509(cert.get(), &der);
3233 ASSERT_LT(0, der_len);
3234 bssl::UniquePtr<uint8_t> free_der(der);
3235
3236 uint8_t *der2 = nullptr;
3237 long der2_len = i2d_X509(cert2, &der2);
3238 ASSERT_LT(0, der2_len);
3239 bssl::UniquePtr<uint8_t> free_der2(der2);
3240
3241 uint8_t *der3 = nullptr;
3242 long der3_len = i2d_X509(cert3, &der3);
3243 ASSERT_LT(0, der3_len);
3244 bssl::UniquePtr<uint8_t> free_der3(der3);
3245
3246 // They must also encode identically.
David Benjamin7d7554b2017-02-04 11:48:59 -0500[diff] [blame]3247 EXPECT_EQ(Bytes(der, der_len), Bytes(der2, der2_len));
3248 EXPECT_EQ(Bytes(der, der_len), Bytes(der3, der3_len));
David Benjaminb2ff2622017-02-03 17:06:18 -0500[diff] [blame]3249}
3250
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]3251TEST(SSLTest, SetChainAndKeyMismatch) {
3252 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_with_buffers_method()));
3253 ASSERT_TRUE(ctx);
3254
3255 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
3256 ASSERT_TRUE(key);
3257 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
3258 ASSERT_TRUE(leaf);
3259 std::vector<CRYPTO_BUFFER*> chain = {
3260 leaf.get(),
3261 };
3262
3263 // Should fail because |GetTestKey| doesn't match the chain-test certificate.
3264 ASSERT_FALSE(SSL_CTX_set_chain_and_key(ctx.get(), &chain[0], chain.size(),
3265 key.get(), nullptr));
3266 ERR_clear_error();
3267}
3268
3269TEST(SSLTest, SetChainAndKey) {
3270 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method()));
3271 ASSERT_TRUE(client_ctx);
3272 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_with_buffers_method()));
3273 ASSERT_TRUE(server_ctx);
3274
3275 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
3276 ASSERT_TRUE(key);
3277 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
3278 ASSERT_TRUE(leaf);
3279 bssl::UniquePtr<CRYPTO_BUFFER> intermediate =
3280 GetChainTestIntermediateBuffer();
3281 ASSERT_TRUE(intermediate);
3282 std::vector<CRYPTO_BUFFER*> chain = {
3283 leaf.get(), intermediate.get(),
3284 };
3285 ASSERT_TRUE(SSL_CTX_set_chain_and_key(server_ctx.get(), &chain[0],
3286 chain.size(), key.get(), nullptr));
3287
David Benjamin3a1dd462017-07-11 16:13:10 -0400[diff] [blame]3288 SSL_CTX_set_custom_verify(
3289 client_ctx.get(), SSL_VERIFY_PEER,
3290 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
3291 return ssl_verify_ok;
3292 });
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]3293
3294 bssl::UniquePtr<SSL> client, server;
3295 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
3296 server_ctx.get(),
3297 nullptr /* no session */));
3298}
3299
David Benjamin71dfad42017-07-16 17:27:39 -0400[diff] [blame^]3300TEST(SSLTest, ClientCABuffers) {
3301 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method()));
3302 ASSERT_TRUE(client_ctx);
3303 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_with_buffers_method()));
3304 ASSERT_TRUE(server_ctx);
3305
3306 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
3307 ASSERT_TRUE(key);
3308 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
3309 ASSERT_TRUE(leaf);
3310 bssl::UniquePtr<CRYPTO_BUFFER> intermediate =
3311 GetChainTestIntermediateBuffer();
3312 ASSERT_TRUE(intermediate);
3313 std::vector<CRYPTO_BUFFER *> chain = {
3314 leaf.get(),
3315 intermediate.get(),
3316 };
3317 ASSERT_TRUE(SSL_CTX_set_chain_and_key(server_ctx.get(), &chain[0],
3318 chain.size(), key.get(), nullptr));
3319
3320 bssl::UniquePtr<CRYPTO_BUFFER> ca_name(
3321 CRYPTO_BUFFER_new(kTestName, sizeof(kTestName), nullptr));
3322 ASSERT_TRUE(ca_name);
3323 bssl::UniquePtr<STACK_OF(CRYPTO_BUFFER)> ca_names(
3324 sk_CRYPTO_BUFFER_new_null());
3325 ASSERT_TRUE(ca_names);
3326 ASSERT_TRUE(sk_CRYPTO_BUFFER_push(ca_names.get(), ca_name.get()));
3327 ca_name.release();
3328 SSL_CTX_set0_client_CAs(server_ctx.get(), ca_names.release());
3329
3330 // Configure client and server to accept all certificates.
3331 SSL_CTX_set_custom_verify(
3332 client_ctx.get(), SSL_VERIFY_PEER,
3333 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
3334 return ssl_verify_ok;
3335 });
3336 SSL_CTX_set_custom_verify(
3337 server_ctx.get(), SSL_VERIFY_PEER,
3338 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
3339 return ssl_verify_ok;
3340 });
3341
3342 bool cert_cb_called = false;
3343 SSL_CTX_set_cert_cb(
3344 client_ctx.get(),
3345 [](SSL *ssl, void *arg) -> int {
3346 STACK_OF(CRYPTO_BUFFER) *peer_names =
3347 SSL_get0_server_requested_CAs(ssl);
3348 EXPECT_EQ(1u, sk_CRYPTO_BUFFER_num(peer_names));
3349 CRYPTO_BUFFER *peer_name = sk_CRYPTO_BUFFER_value(peer_names, 0);
3350 EXPECT_EQ(Bytes(kTestName), Bytes(CRYPTO_BUFFER_data(peer_name),
3351 CRYPTO_BUFFER_len(peer_name)));
3352 *reinterpret_cast<bool *>(arg) = true;
3353 return 1;
3354 },
3355 &cert_cb_called);
3356
3357 bssl::UniquePtr<SSL> client, server;
3358 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
3359 server_ctx.get(),
3360 nullptr /* no session */));
3361 EXPECT_TRUE(cert_cb_called);
3362}
3363
David Benjamin91222b82017-03-09 20:10:56 -0500[diff] [blame]3364// Configuring the empty cipher list, though an error, should still modify the
3365// configuration.
3366TEST(SSLTest, EmptyCipherList) {
3367 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
3368 ASSERT_TRUE(ctx);
3369
3370 // Initially, the cipher list is not empty.
3371 EXPECT_NE(0u, sk_SSL_CIPHER_num(SSL_CTX_get_ciphers(ctx.get())));
3372
3373 // Configuring the empty cipher list fails.
3374 EXPECT_FALSE(SSL_CTX_set_cipher_list(ctx.get(), ""));
3375 ERR_clear_error();
3376
3377 // But the cipher list is still updated to empty.
3378 EXPECT_EQ(0u, sk_SSL_CIPHER_num(SSL_CTX_get_ciphers(ctx.get())));
3379}
3380
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]3381// ssl_test_ticket_aead_failure_mode enumerates the possible ways in which the
3382// test |SSL_TICKET_AEAD_METHOD| can fail.
3383enum ssl_test_ticket_aead_failure_mode {
3384 ssl_test_ticket_aead_ok = 0,
3385 ssl_test_ticket_aead_seal_fail,
3386 ssl_test_ticket_aead_open_soft_fail,
3387 ssl_test_ticket_aead_open_hard_fail,
3388};
3389
3390struct ssl_test_ticket_aead_state {
3391 unsigned retry_count;
3392 ssl_test_ticket_aead_failure_mode failure_mode;
3393};
3394
3395static int ssl_test_ticket_aead_ex_index_dup(CRYPTO_EX_DATA *to,
3396 const CRYPTO_EX_DATA *from,
3397 void **from_d, int index,
3398 long argl, void *argp) {
3399 abort();
3400}
3401
3402static void ssl_test_ticket_aead_ex_index_free(void *parent, void *ptr,
3403 CRYPTO_EX_DATA *ad, int index,
3404 long argl, void *argp) {
3405 auto state = reinterpret_cast<ssl_test_ticket_aead_state*>(ptr);
3406 if (state == nullptr) {
3407 return;
3408 }
3409
3410 OPENSSL_free(state);
3411}
3412
3413static CRYPTO_once_t g_ssl_test_ticket_aead_ex_index_once = CRYPTO_ONCE_INIT;
3414static int g_ssl_test_ticket_aead_ex_index;
3415
3416static int ssl_test_ticket_aead_get_ex_index() {
3417 CRYPTO_once(&g_ssl_test_ticket_aead_ex_index_once, [] {
3418 g_ssl_test_ticket_aead_ex_index = SSL_get_ex_new_index(
3419 0, nullptr, nullptr, ssl_test_ticket_aead_ex_index_dup,
3420 ssl_test_ticket_aead_ex_index_free);
3421 });
3422 return g_ssl_test_ticket_aead_ex_index;
3423}
3424
3425static size_t ssl_test_ticket_aead_max_overhead(SSL *ssl) {
3426 return 1;
3427}
3428
3429static int ssl_test_ticket_aead_seal(SSL *ssl, uint8_t *out, size_t *out_len,
3430 size_t max_out_len, const uint8_t *in,
3431 size_t in_len) {
3432 auto state = reinterpret_cast<ssl_test_ticket_aead_state *>(
3433 SSL_get_ex_data(ssl, ssl_test_ticket_aead_get_ex_index()));
3434
3435 if (state->failure_mode == ssl_test_ticket_aead_seal_fail ||
3436 max_out_len < in_len + 1) {
3437 return 0;
3438 }
3439
3440 OPENSSL_memmove(out, in, in_len);
3441 out[in_len] = 0xff;
3442 *out_len = in_len + 1;
3443
3444 return 1;
3445}
3446
3447static ssl_ticket_aead_result_t ssl_test_ticket_aead_open(
3448 SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out_len,
3449 const uint8_t *in, size_t in_len) {
3450 auto state = reinterpret_cast<ssl_test_ticket_aead_state *>(
3451 SSL_get_ex_data(ssl, ssl_test_ticket_aead_get_ex_index()));
3452
3453 if (state->retry_count > 0) {
3454 state->retry_count--;
3455 return ssl_ticket_aead_retry;
3456 }
3457
3458 switch (state->failure_mode) {
3459 case ssl_test_ticket_aead_ok:
3460 break;
3461 case ssl_test_ticket_aead_seal_fail:
3462 // If |seal| failed then there shouldn't be any ticket to try and
3463 // decrypt.
3464 abort();
3465 break;
3466 case ssl_test_ticket_aead_open_soft_fail:
3467 return ssl_ticket_aead_ignore_ticket;
3468 case ssl_test_ticket_aead_open_hard_fail:
3469 return ssl_ticket_aead_error;
3470 }
3471
3472 if (in_len == 0 || in[in_len - 1] != 0xff) {
3473 return ssl_ticket_aead_ignore_ticket;
3474 }
3475
3476 if (max_out_len < in_len - 1) {
3477 return ssl_ticket_aead_error;
3478 }
3479
3480 OPENSSL_memmove(out, in, in_len - 1);
3481 *out_len = in_len - 1;
3482 return ssl_ticket_aead_success;
3483}
3484
3485static const SSL_TICKET_AEAD_METHOD kSSLTestTicketMethod = {
3486 ssl_test_ticket_aead_max_overhead,
3487 ssl_test_ticket_aead_seal,
3488 ssl_test_ticket_aead_open,
3489};
3490
3491static void ConnectClientAndServerWithTicketMethod(
3492 bssl::UniquePtr<SSL> *out_client, bssl::UniquePtr<SSL> *out_server,
3493 SSL_CTX *client_ctx, SSL_CTX *server_ctx, unsigned retry_count,
3494 ssl_test_ticket_aead_failure_mode failure_mode, SSL_SESSION *session) {
3495 bssl::UniquePtr<SSL> client(SSL_new(client_ctx)), server(SSL_new(server_ctx));
3496 ASSERT_TRUE(client);
3497 ASSERT_TRUE(server);
3498 SSL_set_connect_state(client.get());
3499 SSL_set_accept_state(server.get());
3500
3501 auto state = reinterpret_cast<ssl_test_ticket_aead_state *>(
3502 OPENSSL_malloc(sizeof(ssl_test_ticket_aead_state)));
3503 ASSERT_TRUE(state);
3504 OPENSSL_memset(state, 0, sizeof(ssl_test_ticket_aead_state));
3505 state->retry_count = retry_count;
3506 state->failure_mode = failure_mode;
3507
3508 ASSERT_TRUE(SSL_set_ex_data(server.get(), ssl_test_ticket_aead_get_ex_index(),
3509 state));
3510
3511 SSL_set_session(client.get(), session);
3512
3513 BIO *bio1, *bio2;
3514 ASSERT_TRUE(BIO_new_bio_pair(&bio1, 0, &bio2, 0));
3515
3516 // SSL_set_bio takes ownership.
3517 SSL_set_bio(client.get(), bio1, bio1);
3518 SSL_set_bio(server.get(), bio2, bio2);
3519
3520 if (CompleteHandshakes(client.get(), server.get())) {
3521 *out_client = std::move(client);
3522 *out_server = std::move(server);
3523 } else {
3524 out_client->reset();
3525 out_server->reset();
3526 }
3527}
3528
3529class TicketAEADMethodTest
3530 : public ::testing::TestWithParam<testing::tuple<
3531 uint16_t, unsigned, ssl_test_ticket_aead_failure_mode>> {};
3532
3533TEST_P(TicketAEADMethodTest, Resume) {
3534 bssl::UniquePtr<X509> cert = GetTestCertificate();
3535 ASSERT_TRUE(cert);
3536 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
3537 ASSERT_TRUE(key);
3538
3539 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
3540 ASSERT_TRUE(server_ctx);
3541 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
3542 ASSERT_TRUE(client_ctx);
3543
3544 const uint16_t version = testing::get<0>(GetParam());
3545 const unsigned retry_count = testing::get<1>(GetParam());
3546 const ssl_test_ticket_aead_failure_mode failure_mode =
3547 testing::get<2>(GetParam());
3548
3549 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
3550 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
3551 ASSERT_TRUE(SSL_CTX_set_min_proto_version(client_ctx.get(), version));
3552 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), version));
3553 ASSERT_TRUE(SSL_CTX_set_min_proto_version(server_ctx.get(), version));
3554 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), version));
3555
3556 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
3557 SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH);
3558 SSL_CTX_set_current_time_cb(client_ctx.get(), FrozenTimeCallback);
3559 SSL_CTX_set_current_time_cb(server_ctx.get(), FrozenTimeCallback);
David Benjamin707af292017-03-10 17:47:18 -0500[diff] [blame]3560 SSL_CTX_sess_set_new_cb(client_ctx.get(), SaveLastSession);
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]3561
3562 SSL_CTX_set_ticket_aead_method(server_ctx.get(), &kSSLTestTicketMethod);
3563
3564 bssl::UniquePtr<SSL> client, server;
3565 ConnectClientAndServerWithTicketMethod(&client, &server, client_ctx.get(),
3566 server_ctx.get(), retry_count,
3567 failure_mode, nullptr);
3568 switch (failure_mode) {
3569 case ssl_test_ticket_aead_ok:
3570 case ssl_test_ticket_aead_open_hard_fail:
3571 case ssl_test_ticket_aead_open_soft_fail:
3572 ASSERT_TRUE(client);
3573 break;
3574 case ssl_test_ticket_aead_seal_fail:
3575 EXPECT_FALSE(client);
3576 return;
3577 }
3578 EXPECT_FALSE(SSL_session_reused(client.get()));
3579 EXPECT_FALSE(SSL_session_reused(server.get()));
3580
David Benjamin707af292017-03-10 17:47:18 -0500[diff] [blame]3581 // Run the read loop to account for post-handshake tickets in TLS 1.3.
3582 SSL_read(client.get(), nullptr, 0);
3583
3584 bssl::UniquePtr<SSL_SESSION> session = std::move(g_last_session);
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]3585 ConnectClientAndServerWithTicketMethod(&client, &server, client_ctx.get(),
3586 server_ctx.get(), retry_count,
David Benjamin707af292017-03-10 17:47:18 -0500[diff] [blame]3587 failure_mode, session.get());
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]3588 switch (failure_mode) {
3589 case ssl_test_ticket_aead_ok:
3590 ASSERT_TRUE(client);
3591 EXPECT_TRUE(SSL_session_reused(client.get()));
3592 EXPECT_TRUE(SSL_session_reused(server.get()));
3593 break;
3594 case ssl_test_ticket_aead_seal_fail:
3595 abort();
3596 break;
3597 case ssl_test_ticket_aead_open_hard_fail:
3598 EXPECT_FALSE(client);
3599 break;
3600 case ssl_test_ticket_aead_open_soft_fail:
3601 ASSERT_TRUE(client);
3602 EXPECT_FALSE(SSL_session_reused(client.get()));
3603 EXPECT_FALSE(SSL_session_reused(server.get()));
3604 }
3605}
3606
3607INSTANTIATE_TEST_CASE_P(
3608 TicketAEADMethodTests, TicketAEADMethodTest,
3609 testing::Combine(
David Benjamin707af292017-03-10 17:47:18 -0500[diff] [blame]3610 testing::Values(TLS1_2_VERSION, TLS1_3_VERSION),
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]3611 testing::Values(0, 1, 2),
3612 testing::Values(ssl_test_ticket_aead_ok,
3613 ssl_test_ticket_aead_seal_fail,
3614 ssl_test_ticket_aead_open_soft_fail,
3615 ssl_test_ticket_aead_open_hard_fail)));
3616
David Benjamin3cfeb952017-03-01 16:48:38 -0500[diff] [blame]3617TEST(SSLTest, SSL3Method) {
3618 bssl::UniquePtr<X509> cert = GetTestCertificate();
3619 ASSERT_TRUE(cert);
3620
3621 // For compatibility, SSLv3_method should work up to SSL_CTX_new and SSL_new.
3622 bssl::UniquePtr<SSL_CTX> ssl3_ctx(SSL_CTX_new(SSLv3_method()));
3623 ASSERT_TRUE(ssl3_ctx);
3624 ASSERT_TRUE(SSL_CTX_use_certificate(ssl3_ctx.get(), cert.get()));
3625 bssl::UniquePtr<SSL> ssl(SSL_new(ssl3_ctx.get()));
3626 EXPECT_TRUE(ssl);
3627
3628 // Create a normal TLS context to test against.
3629 bssl::UniquePtr<SSL_CTX> tls_ctx(SSL_CTX_new(TLS_method()));
3630 ASSERT_TRUE(tls_ctx);
3631 ASSERT_TRUE(SSL_CTX_use_certificate(tls_ctx.get(), cert.get()));
3632
3633 // However, handshaking an SSLv3_method server should fail to resolve the
3634 // version range. Explicit calls to SSL_CTX_set_min_proto_version are the only
3635 // way to enable SSL 3.0.
3636 bssl::UniquePtr<SSL> client, server;
3637 EXPECT_FALSE(ConnectClientAndServer(&client, &server, tls_ctx.get(),
3638 ssl3_ctx.get(),
3639 nullptr /* no session */));
3640 uint32_t err = ERR_get_error();
3641 EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err));
3642 EXPECT_EQ(SSL_R_NO_SUPPORTED_VERSIONS_ENABLED, ERR_GET_REASON(err));
3643
3644 // Likewise for SSLv3_method clients.
3645 EXPECT_FALSE(ConnectClientAndServer(&client, &server, ssl3_ctx.get(),
3646 tls_ctx.get(),
3647 nullptr /* no session */));
3648 err = ERR_get_error();
3649 EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err));
3650 EXPECT_EQ(SSL_R_NO_SUPPORTED_VERSIONS_ENABLED, ERR_GET_REASON(err));
3651}
3652
David Benjaminca743582017-06-15 17:51:35 -0400[diff] [blame]3653TEST(SSLTest, SelectNextProto) {
3654 uint8_t *result;
3655 uint8_t result_len;
3656
3657 // If there is an overlap, it should be returned.
3658 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
3659 SSL_select_next_proto(&result, &result_len,
3660 (const uint8_t *)"\1a\2bb\3ccc", 9,
3661 (const uint8_t *)"\1x\1y\1a\1z", 8));
3662 EXPECT_EQ(Bytes("a"), Bytes(result, result_len));
3663
3664 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
3665 SSL_select_next_proto(&result, &result_len,
3666 (const uint8_t *)"\1a\2bb\3ccc", 9,
3667 (const uint8_t *)"\1x\1y\2bb\1z", 9));
3668 EXPECT_EQ(Bytes("bb"), Bytes(result, result_len));
3669
3670 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
3671 SSL_select_next_proto(&result, &result_len,
3672 (const uint8_t *)"\1a\2bb\3ccc", 9,
3673 (const uint8_t *)"\1x\1y\3ccc\1z", 10));
3674 EXPECT_EQ(Bytes("ccc"), Bytes(result, result_len));
3675
3676 // Peer preference order takes precedence over local.
3677 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
3678 SSL_select_next_proto(&result, &result_len,
3679 (const uint8_t *)"\1a\2bb\3ccc", 9,
3680 (const uint8_t *)"\3ccc\2bb\1a", 9));
3681 EXPECT_EQ(Bytes("a"), Bytes(result, result_len));
3682
3683 // If there is no overlap, return the first local protocol.
3684 EXPECT_EQ(OPENSSL_NPN_NO_OVERLAP,
3685 SSL_select_next_proto(&result, &result_len,
3686 (const uint8_t *)"\1a\2bb\3ccc", 9,
3687 (const uint8_t *)"\1x\2yy\3zzz", 9));
3688 EXPECT_EQ(Bytes("x"), Bytes(result, result_len));
3689
3690 EXPECT_EQ(OPENSSL_NPN_NO_OVERLAP,
3691 SSL_select_next_proto(&result, &result_len, nullptr, 0,
3692 (const uint8_t *)"\1x\2yy\3zzz", 9));
3693 EXPECT_EQ(Bytes("x"), Bytes(result, result_len));
3694}
3695
David Benjamin96628432017-01-19 19:05:47 -0500[diff] [blame]3696// TODO(davidben): Convert this file to GTest properly.
3697TEST(SSLTest, AllTests) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]3698 if (!TestSSL_SESSIONEncoding(kOpenSSLSession) ||
Adam Langley10f97f32016-07-12 08:09:33 -0700[diff] [blame]3699 !TestSSL_SESSIONEncoding(kCustomSession) ||
3700 !TestSSL_SESSIONEncoding(kBoringSSLSession) ||
3701 !TestBadSSL_SESSIONEncoding(kBadSessionExtraField) ||
3702 !TestBadSSL_SESSIONEncoding(kBadSessionVersion) ||
3703 !TestBadSSL_SESSIONEncoding(kBadSessionTrailingData) ||
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]3704 // Test the padding extension at TLS 1.2.
3705 !TestPaddingExtension(TLS1_2_VERSION, TLS1_2_VERSION) ||
3706 // Test the padding extension at TLS 1.3 with a TLS 1.2 session, so there
3707 // will be no PSK binder after the padding extension.
3708 !TestPaddingExtension(TLS1_3_VERSION, TLS1_2_VERSION) ||
3709 // Test the padding extension at TLS 1.3 with a TLS 1.3 session, so there
3710 // will be a PSK binder after the padding extension.
3711 !TestPaddingExtension(TLS1_3_VERSION, TLS1_3_DRAFT_VERSION) ||
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3712 !ForEachVersion(TestSequenceNumber) ||
David Benjamin68f37b72016-11-18 15:14:42 +0900[diff] [blame]3713 !ForEachVersion(TestOneSidedShutdown) ||
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3714 !ForEachVersion(TestGetPeerCertificate) ||
3715 !ForEachVersion(TestRetainOnlySHA256OfCerts) ||
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]3716 !TestClientHello() ||
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3717 !ForEachVersion(TestSessionIDContext) ||
3718 !ForEachVersion(TestSessionTimeout) ||
3719 !ForEachVersion(TestSNICallback) ||
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3720 !ForEachVersion(TestVersion) ||
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]3721 !ForEachVersion(TestALPNCipherAvailable) ||
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]3722 !ForEachVersion(TestSSLClearSessionResumption) ||
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]3723 !ForEachVersion(TestAutoChain) ||
David Benjamin5df5be12017-06-22 19:43:11 -0400[diff] [blame]3724 !ForEachVersion(TestSSLWriteRetry) ||
3725 !ForEachVersion(TestRecordCallback)) {
David Benjamin96628432017-01-19 19:05:47 -0500[diff] [blame]3726 ADD_FAILURE() << "Tests failed";
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]3727 }
David Benjamin2e521212014-07-16 14:37:51 -0400[diff] [blame]3728}