Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / 86e95b852eb4a1e43116cb6951b450b78bd52b4b / . / ssl / ssl_test.cc
blob: 38cac4b955126f8acd8f1ac057003f69247e1c43 [file] [log] [blame]
David Benjamin2e521212014-07-16 14:37:51 -0400[diff] [blame]1/* Copyright (c) 2014, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
David Benjamin86e95b82017-07-18 16:34:25 -0400[diff] [blame^]15#define BORINGSSL_INTERNAL_CXX_TYPES
16
David Benjamin2e521212014-07-16 14:37:51 -0400[diff] [blame]17#include <stdio.h>
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]18#include <string.h>
David Benjamin1269ddd2015-10-18 15:18:55 -0400[diff] [blame]19#include <time.h>
David Benjamin2e521212014-07-16 14:37:51 -0400[diff] [blame]20
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]21#include <algorithm>
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]22#include <string>
David Benjamin4f6acaf2015-11-21 03:00:50 -0500[diff] [blame]23#include <utility>
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]24#include <vector>
25
David Benjamin96628432017-01-19 19:05:47 -0500[diff] [blame]26#include <gtest/gtest.h>
27
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]28#include <openssl/base64.h>
29#include <openssl/bio.h>
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]30#include <openssl/cipher.h>
David Benjamin7a1eefd2015-10-17 23:39:22 -0400[diff] [blame]31#include <openssl/crypto.h>
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]32#include <openssl/err.h>
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]33#include <openssl/hmac.h>
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]34#include <openssl/pem.h>
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]35#include <openssl/sha.h>
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]36#include <openssl/ssl.h>
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]37#include <openssl/rand.h>
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]38#include <openssl/x509.h>
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]39
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]40#include "internal.h"
Steven Valdezcb966542016-08-17 16:56:14 -0400[diff] [blame]41#include "../crypto/internal.h"
Sigbjorn Vik2b23d242015-06-29 15:07:26 +0200[diff] [blame]42#include "../crypto/test/test_util.h"
43
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]44#if defined(OPENSSL_WINDOWS)
45/* Windows defines struct timeval in winsock2.h. */
46OPENSSL_MSVC_PRAGMA(warning(push, 3))
47#include <winsock2.h>
48OPENSSL_MSVC_PRAGMA(warning(pop))
49#else
50#include <sys/time.h>
51#endif
52
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]53
54struct ExpectedCipher {
55 unsigned long id;
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]56 int in_group_flag;
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]57};
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]58
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]59struct CipherTest {
60 // The rule string to apply.
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]61 const char *rule;
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]62 // The list of expected ciphers, in order.
63 std::vector<ExpectedCipher> expected;
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]64 // True if this cipher list should fail in strict mode.
65 bool strict_fail;
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]66};
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]67
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]68struct CurveTest {
69 // The rule string to apply.
70 const char *rule;
71 // The list of expected curves, in order.
72 std::vector<uint16_t> expected;
73};
74
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]75static const CipherTest kCipherTests[] = {
76 // Selecting individual ciphers should work.
77 {
78 "ECDHE-ECDSA-CHACHA20-POLY1305:"
79 "ECDHE-RSA-CHACHA20-POLY1305:"
80 "ECDHE-ECDSA-AES128-GCM-SHA256:"
81 "ECDHE-RSA-AES128-GCM-SHA256",
82 {
83 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]84 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]85 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
86 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
87 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]88 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]89 },
90 // + reorders selected ciphers to the end, keeping their relative order.
91 {
92 "ECDHE-ECDSA-CHACHA20-POLY1305:"
93 "ECDHE-RSA-CHACHA20-POLY1305:"
94 "ECDHE-ECDSA-AES128-GCM-SHA256:"
95 "ECDHE-RSA-AES128-GCM-SHA256:"
96 "+aRSA",
97 {
98 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]99 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
100 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]101 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
102 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]103 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]104 },
105 // ! banishes ciphers from future selections.
106 {
107 "!aRSA:"
108 "ECDHE-ECDSA-CHACHA20-POLY1305:"
109 "ECDHE-RSA-CHACHA20-POLY1305:"
110 "ECDHE-ECDSA-AES128-GCM-SHA256:"
111 "ECDHE-RSA-AES128-GCM-SHA256",
112 {
113 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]114 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
115 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]116 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]117 },
118 // Multiple masks can be ANDed in a single rule.
119 {
120 "kRSA+AESGCM+AES128",
121 {
122 {TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0},
123 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]124 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]125 },
126 // - removes selected ciphers, but preserves their order for future
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]127 // selections. Select AES_128_GCM, but order the key exchanges RSA,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]128 // ECDHE_RSA.
129 {
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]130 "ALL:-kECDHE:"
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]131 "-kRSA:-ALL:"
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]132 "AESGCM+AES128+aRSA",
133 {
134 {TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]135 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
136 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]137 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]138 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]139 // Unknown selectors are no-ops, except in strict mode.
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]140 {
141 "ECDHE-ECDSA-CHACHA20-POLY1305:"
142 "ECDHE-RSA-CHACHA20-POLY1305:"
143 "ECDHE-ECDSA-AES128-GCM-SHA256:"
144 "ECDHE-RSA-AES128-GCM-SHA256:"
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]145 "BOGUS1",
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]146 {
147 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]148 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]149 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
150 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
151 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]152 true,
153 },
154 // Unknown selectors are no-ops, except in strict mode.
155 {
156 "ECDHE-ECDSA-CHACHA20-POLY1305:"
157 "ECDHE-RSA-CHACHA20-POLY1305:"
158 "ECDHE-ECDSA-AES128-GCM-SHA256:"
159 "ECDHE-RSA-AES128-GCM-SHA256:"
160 "-BOGUS2:+BOGUS3:!BOGUS4",
161 {
162 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
163 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
164 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
165 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
166 },
167 true,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]168 },
169 // Square brackets specify equi-preference groups.
170 {
171 "[ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES128-GCM-SHA256]:"
172 "[ECDHE-RSA-CHACHA20-POLY1305]:"
173 "ECDHE-RSA-AES128-GCM-SHA256",
174 {
175 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 1},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]176 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
Adam Langley2e839242017-01-19 15:12:44 -0800[diff] [blame]177 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]178 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
179 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]180 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]181 },
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]182 // Standard names may be used instead of OpenSSL names.
183 {
184 "[TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|"
David Benjaminbf5f1922017-07-01 11:13:53 -0400[diff] [blame]185 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]:"
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]186 "[TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256]:"
187 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
188 {
189 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 1},
190 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
191 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
192 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
193 },
194 false,
195 },
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]196 // @STRENGTH performs a stable strength-sort of the selected ciphers and
197 // only the selected ciphers.
198 {
199 // To simplify things, banish all but {ECDHE_RSA,RSA} x
Matthew Braithwaite8aaa9e12016-09-07 15:09:58 -0700[diff] [blame]200 // {CHACHA20,AES_256_CBC,AES_128_CBC} x SHA1.
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]201 "!AESGCM:!3DES:!SHA256:!SHA384:"
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]202 // Order some ciphers backwards by strength.
Matthew Braithwaite8aaa9e12016-09-07 15:09:58 -0700[diff] [blame]203 "ALL:-CHACHA20:-AES256:-AES128:-ALL:"
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]204 // Select ECDHE ones and sort them by strength. Ties should resolve
205 // based on the order above.
206 "kECDHE:@STRENGTH:-ALL:"
207 // Now bring back everything uses RSA. ECDHE_RSA should be first, sorted
208 // by strength. Then RSA, backwards by strength.
209 "aRSA",
210 {
211 {TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, 0},
212 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]213 {TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]214 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
215 {TLS1_CK_RSA_WITH_AES_256_SHA, 0},
216 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]217 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]218 },
David Benjaminbf5f1922017-07-01 11:13:53 -0400[diff] [blame]219 // Additional masks after @STRENGTH get silently discarded.
220 //
221 // TODO(davidben): Make this an error. If not silently discarded, they get
222 // interpreted as + opcodes which are very different.
223 {
224 "ECDHE-RSA-AES128-GCM-SHA256:"
225 "ECDHE-RSA-AES256-GCM-SHA384:"
226 "@STRENGTH+AES256",
227 {
228 {TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 0},
229 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
230 },
231 false,
232 },
233 {
234 "ECDHE-RSA-AES128-GCM-SHA256:"
235 "ECDHE-RSA-AES256-GCM-SHA384:"
236 "@STRENGTH+AES256:"
237 "ECDHE-RSA-CHACHA20-POLY1305",
238 {
239 {TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 0},
240 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
241 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
242 },
243 false,
244 },
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]245 // Exact ciphers may not be used in multi-part rules; they are treated
246 // as unknown aliases.
247 {
248 "ECDHE-ECDSA-AES128-GCM-SHA256:"
249 "ECDHE-RSA-AES128-GCM-SHA256:"
250 "!ECDHE-RSA-AES128-GCM-SHA256+RSA:"
251 "!ECDSA+ECDHE-ECDSA-AES128-GCM-SHA256",
252 {
253 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
254 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
255 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]256 true,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]257 },
258 // SSLv3 matches everything that existed before TLS 1.2.
259 {
260 "AES128-SHA:AES128-SHA256:!SSLv3",
261 {
262 {TLS1_CK_RSA_WITH_AES_128_SHA256, 0},
263 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]264 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]265 },
266 // TLSv1.2 matches everything added in TLS 1.2.
267 {
268 "AES128-SHA:AES128-SHA256:!TLSv1.2",
269 {
270 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
271 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]272 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]273 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]274 // The two directives have no intersection. But each component is valid, so
275 // even in strict mode it is accepted.
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]276 {
277 "AES128-SHA:AES128-SHA256:!TLSv1.2+SSLv3",
278 {
279 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
280 {TLS1_CK_RSA_WITH_AES_128_SHA256, 0},
281 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]282 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]283 },
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]284};
285
286static const char *kBadRules[] = {
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]287 // Invalid brackets.
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]288 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256",
289 "RSA]",
290 "[[RSA]]",
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]291 // Operators inside brackets.
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]292 "[+RSA]",
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]293 // Unknown directive.
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]294 "@BOGUS",
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]295 // Empty cipher lists error at SSL_CTX_set_cipher_list.
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]296 "",
297 "BOGUS",
David Benjamin32fbdf22015-04-07 01:14:06 -0400[diff] [blame]298 // COMPLEMENTOFDEFAULT is empty.
299 "COMPLEMENTOFDEFAULT",
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]300 // Invalid command.
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]301 "?BAR",
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]302 // Special operators are not allowed if groups are used.
David Benjamin37d92462014-09-20 17:54:24 -0400[diff] [blame]303 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:+FOO",
304 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:!FOO",
305 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:-FOO",
306 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:@STRENGTH",
Adam Langleyf99f2442016-10-02 09:53:38 -0700[diff] [blame]307 // Opcode supplied, but missing selector.
308 "+",
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]309};
310
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]311static const char *kMustNotIncludeNull[] = {
312 "ALL",
313 "DEFAULT",
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]314 "HIGH",
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]315 "FIPS",
316 "SHA",
317 "SHA1",
318 "RSA",
319 "SSLv3",
320 "TLSv1",
321 "TLSv1.2",
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]322};
323
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]324static const CurveTest kCurveTests[] = {
325 {
326 "P-256",
327 { SSL_CURVE_SECP256R1 },
328 },
329 {
330 "P-256:P-384:P-521:X25519",
331 {
332 SSL_CURVE_SECP256R1,
333 SSL_CURVE_SECP384R1,
334 SSL_CURVE_SECP521R1,
335 SSL_CURVE_X25519,
336 },
337 },
338};
339
340static const char *kBadCurvesLists[] = {
341 "",
342 ":",
343 "::",
344 "P-256::X25519",
345 "RSA:P-256",
346 "P-256:RSA",
347 "X25519:P-256:",
348 ":X25519:P-256",
349};
350
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]351static std::string CipherListToString(ssl_cipher_preference_list_st *list) {
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]352 bool in_group = false;
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]353 std::string ret;
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]354 for (size_t i = 0; i < sk_SSL_CIPHER_num(list->ciphers); i++) {
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]355 const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(list->ciphers, i);
356 if (!in_group && list->in_group_flags[i]) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]357 ret += "\t[\n";
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]358 in_group = true;
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]359 }
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]360 ret += "\t";
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]361 if (in_group) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]362 ret += " ";
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]363 }
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]364 ret += SSL_CIPHER_get_name(cipher);
365 ret += "\n";
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]366 if (in_group && !list->in_group_flags[i]) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]367 ret += "\t]\n";
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]368 in_group = false;
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]369 }
370 }
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]371 return ret;
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]372}
373
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]374static bool CipherListsEqual(ssl_cipher_preference_list_st *list,
375 const std::vector<ExpectedCipher> &expected) {
376 if (sk_SSL_CIPHER_num(list->ciphers) != expected.size()) {
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]377 return false;
David Benjamin65226252015-02-05 16:49:47 -0500[diff] [blame]378 }
379
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]380 for (size_t i = 0; i < expected.size(); i++) {
381 const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(list->ciphers, i);
382 if (expected[i].id != SSL_CIPHER_get_id(cipher) ||
383 expected[i].in_group_flag != list->in_group_flags[i]) {
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]384 return false;
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]385 }
386 }
387
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]388 return true;
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]389}
390
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]391TEST(SSLTest, CipherRules) {
392 for (const CipherTest &t : kCipherTests) {
393 SCOPED_TRACE(t.rule);
394 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
395 ASSERT_TRUE(ctx);
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]396
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]397 // Test lax mode.
398 ASSERT_TRUE(SSL_CTX_set_cipher_list(ctx.get(), t.rule));
399 EXPECT_TRUE(CipherListsEqual(ctx->cipher_list, t.expected))
400 << "Cipher rule evaluated to:\n"
401 << CipherListToString(ctx->cipher_list);
402
403 // Test strict mode.
404 if (t.strict_fail) {
405 EXPECT_FALSE(SSL_CTX_set_strict_cipher_list(ctx.get(), t.rule));
406 } else {
407 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(ctx.get(), t.rule));
408 EXPECT_TRUE(CipherListsEqual(ctx->cipher_list, t.expected))
409 << "Cipher rule evaluated to:\n"
410 << CipherListToString(ctx->cipher_list);
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]411 }
412 }
413
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]414 for (const char *rule : kBadRules) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]415 SCOPED_TRACE(rule);
416 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
417 ASSERT_TRUE(ctx);
418
419 EXPECT_FALSE(SSL_CTX_set_cipher_list(ctx.get(), rule));
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]420 ERR_clear_error();
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]421 }
422
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]423 for (const char *rule : kMustNotIncludeNull) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]424 SCOPED_TRACE(rule);
425 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
426 ASSERT_TRUE(ctx);
427
428 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(ctx.get(), rule));
429 for (size_t i = 0; i < sk_SSL_CIPHER_num(ctx->cipher_list->ciphers); i++) {
430 EXPECT_FALSE(SSL_CIPHER_is_NULL(
431 sk_SSL_CIPHER_value(ctx->cipher_list->ciphers, i)));
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]432 }
433 }
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]434}
David Benjamin2e521212014-07-16 14:37:51 -0400[diff] [blame]435
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]436TEST(SSLTest, CurveRules) {
437 for (const CurveTest &t : kCurveTests) {
438 SCOPED_TRACE(t.rule);
439 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
440 ASSERT_TRUE(ctx);
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]441
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]442 ASSERT_TRUE(SSL_CTX_set1_curves_list(ctx.get(), t.rule));
443 ASSERT_EQ(t.expected.size(), ctx->supported_group_list_len);
444 for (size_t i = 0; i < t.expected.size(); i++) {
445 EXPECT_EQ(t.expected[i], ctx->supported_group_list[i]);
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]446 }
447 }
448
449 for (const char *rule : kBadCurvesLists) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]450 SCOPED_TRACE(rule);
451 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
452 ASSERT_TRUE(ctx);
453
454 EXPECT_FALSE(SSL_CTX_set1_curves_list(ctx.get(), rule));
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]455 ERR_clear_error();
456 }
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]457}
458
Adam Langley364f7a62016-12-12 10:51:00 -0800[diff] [blame]459// kOpenSSLSession is a serialized SSL_SESSION.
Adam Langley10f97f32016-07-12 08:09:33 -0700[diff] [blame]460static const char kOpenSSLSession[] =
Adam Langley364f7a62016-12-12 10:51:00 -0800[diff] [blame]461 "MIIFqgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
Adam Langley10f97f32016-07-12 08:09:33 -0700[diff] [blame]462 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
463 "IWoJoQYCBFRDO46iBAICASyjggR6MIIEdjCCA16gAwIBAgIIK9dUvsPWSlUwDQYJ"
464 "KoZIhvcNAQEFBQAwSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMx"
465 "JTAjBgNVBAMTHEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTQxMDA4"
466 "MTIwNzU3WhcNMTUwMTA2MDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwK"
467 "Q2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29v"
468 "Z2xlIEluYzEXMBUGA1UEAwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEB"
469 "AQUAA4IBDwAwggEKAoIBAQCcKeLrplAC+Lofy8t/wDwtB6eu72CVp0cJ4V3lknN6"
470 "huH9ct6FFk70oRIh/VBNBBz900jYy+7111Jm1b8iqOTQ9aT5C7SEhNcQFJvqzH3e"
471 "MPkb6ZSWGm1yGF7MCQTGQXF20Sk/O16FSjAynU/b3oJmOctcycWYkY0ytS/k3LBu"
472 "Id45PJaoMqjB0WypqvNeJHC3q5JjCB4RP7Nfx5jjHSrCMhw8lUMW4EaDxjaR9KDh"
473 "PLgjsk+LDIySRSRDaCQGhEOWLJZVLzLo4N6/UlctCHEllpBUSvEOyFga52qroGjg"
474 "rf3WOQ925MFwzd6AK+Ich0gDRg8sQfdLH5OuP1cfLfU1AgMBAAGjggFBMIIBPTAd"
475 "BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdv"
476 "b2dsZS5jb20waAYIKwYBBQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtp"
477 "Lmdvb2dsZS5jb20vR0lBRzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50"
478 "czEuZ29vZ2xlLmNvbS9vY3NwMB0GA1UdDgQWBBQ7a+CcxsZByOpc+xpYFcIbnUMZ"
479 "hTAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEv"
480 "MBcGA1UdIAQQMA4wDAYKKwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRw"
481 "Oi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQCa"
482 "OXCBdoqUy5bxyq+Wrh1zsyyCFim1PH5VU2+yvDSWrgDY8ibRGJmfff3r4Lud5kal"
483 "dKs9k8YlKD3ITG7P0YT/Rk8hLgfEuLcq5cc0xqmE42xJ+Eo2uzq9rYorc5emMCxf"
484 "5L0TJOXZqHQpOEcuptZQ4OjdYMfSxk5UzueUhA3ogZKRcRkdB3WeWRp+nYRhx4St"
485 "o2rt2A0MKmY9165GHUqMK9YaaXHDXqBu7Sefr1uSoAP9gyIJKeihMivsGqJ1TD6Z"
486 "cc6LMe+dN2P8cZEQHtD1y296ul4Mivqk3jatUVL8/hCwgch9A8O4PGZq9WqBfEWm"
487 "IyHh1dPtbg1lOXdYCWtjpAIEAKUDAgEUqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36S"
488 "YTcLEkXqKwOBfF9vE4KX0NxeLwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9B"
489 "sNHM362zZnY27GpTw+Kwd751CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yE"
490 "OTDKPNj3+inbMaVigtK4PLyPq+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdA"
Adam Langley364f7a62016-12-12 10:51:00 -0800[diff] [blame]491 "i4gv7Y5oliyntgMBAQA=";
Adam Langley10f97f32016-07-12 08:09:33 -0700[diff] [blame]492
493// kCustomSession is a custom serialized SSL_SESSION generated by
494// filling in missing fields from |kOpenSSLSession|. This includes
495// providing |peer_sha256|, so |peer| is not serialized.
496static const char kCustomSession[] =
497 "MIIBdgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
498 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
499 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
500 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
501 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
502 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
503 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
504 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBLADBAEF";
505
506// kBoringSSLSession is a serialized SSL_SESSION generated from bssl client.
507static const char kBoringSSLSession[] =
508 "MIIRwQIBAQICAwMEAsAvBCDdoGxGK26mR+8lM0uq6+k9xYuxPnwAjpcF9n0Yli9R"
509 "kQQwbyshfWhdi5XQ1++7n2L1qqrcVlmHBPpr6yknT/u4pUrpQB5FZ7vqvNn8MdHf"
510 "9rWgoQYCBFXgs7uiBAICHCCjggR6MIIEdjCCA16gAwIBAgIIf+yfD7Y6UicwDQYJ"
511 "KoZIhvcNAQELBQAwSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMx"
512 "JTAjBgNVBAMTHEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTUwODEy"
513 "MTQ1MzE1WhcNMTUxMTEwMDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwK"
514 "Q2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29v"
515 "Z2xlIEluYzEXMBUGA1UEAwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEB"
516 "AQUAA4IBDwAwggEKAoIBAQC0MeG5YGQ0t+IeJeoneP/PrhEaieibeKYkbKVLNZpo"
517 "PLuBinvhkXZo3DC133NpCBpy6ZktBwamqyixAyuk/NU6OjgXqwwxfQ7di1AInLIU"
518 "792c7hFyNXSUCG7At8Ifi3YwBX9Ba6u/1d6rWTGZJrdCq3QU11RkKYyTq2KT5mce"
519 "Tv9iGKqSkSTlp8puy/9SZ/3DbU3U+BuqCFqeSlz7zjwFmk35acdCilpJlVDDN5C/"
520 "RCh8/UKc8PaL+cxlt531qoTENvYrflBno14YEZlCBZsPiFeUSILpKEj3Ccwhy0eL"
521 "EucWQ72YZU8mUzXBoXGn0zA0crFl5ci/2sTBBGZsylNBAgMBAAGjggFBMIIBPTAd"
522 "BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdv"
523 "b2dsZS5jb20waAYIKwYBBQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtp"
524 "Lmdvb2dsZS5jb20vR0lBRzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50"
525 "czEuZ29vZ2xlLmNvbS9vY3NwMB0GA1UdDgQWBBS/bzHxcE73Q4j3slC4BLbMtLjG"
526 "GjAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEv"
527 "MBcGA1UdIAQQMA4wDAYKKwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRw"
528 "Oi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQAb"
529 "qdWPZEHk0X7iKPCTHL6S3w6q1eR67goxZGFSM1lk1hjwyu7XcLJuvALVV9uY3ovE"
530 "kQZSHwT+pyOPWQhsSjO+1GyjvCvK/CAwiUmBX+bQRGaqHsRcio7xSbdVcajQ3bXd"
531 "X+s0WdbOpn6MStKAiBVloPlSxEI8pxY6x/BBCnTIk/+DMB17uZlOjG3vbAnkDkP+"
532 "n0OTucD9sHV7EVj9XUxi51nOfNBCN/s7lpUjDS/NJ4k3iwOtbCPswiot8vLO779a"
533 "f07vR03r349Iz/KTzk95rlFtX0IU+KYNxFNsanIXZ+C9FYGRXkwhHcvFb4qMUB1y"
534 "TTlM80jBMOwyjZXmjRAhpAIEAKUDAgEUqQUCAwGJwKqBpwSBpOgebbmn9NRUtMWH"
535 "+eJpqA5JLMFSMCChOsvKey3toBaCNGU7HfAEiiXNuuAdCBoK262BjQc2YYfqFzqH"
536 "zuppopXCvhohx7j/tnCNZIMgLYt/O9SXK2RYI5z8FhCCHvB4CbD5G0LGl5EFP27s"
537 "Jb6S3aTTYPkQe8yZSlxevg6NDwmTogLO9F7UUkaYmVcMQhzssEE2ZRYNwSOU6KjE"
538 "0Yj+8fAiBtbQriIEIN2L8ZlpaVrdN5KFNdvcmOxJu81P8q53X55xQyGTnGWwsgMC"
539 "ARezggvvMIIEdjCCA16gAwIBAgIIf+yfD7Y6UicwDQYJKoZIhvcNAQELBQAwSTEL"
540 "MAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2ds"
541 "ZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTUwODEyMTQ1MzE1WhcNMTUxMTEw"
542 "MDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQG"
543 "A1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UE"
544 "AwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB"
545 "AQC0MeG5YGQ0t+IeJeoneP/PrhEaieibeKYkbKVLNZpoPLuBinvhkXZo3DC133Np"
546 "CBpy6ZktBwamqyixAyuk/NU6OjgXqwwxfQ7di1AInLIU792c7hFyNXSUCG7At8If"
547 "i3YwBX9Ba6u/1d6rWTGZJrdCq3QU11RkKYyTq2KT5mceTv9iGKqSkSTlp8puy/9S"
548 "Z/3DbU3U+BuqCFqeSlz7zjwFmk35acdCilpJlVDDN5C/RCh8/UKc8PaL+cxlt531"
549 "qoTENvYrflBno14YEZlCBZsPiFeUSILpKEj3Ccwhy0eLEucWQ72YZU8mUzXBoXGn"
550 "0zA0crFl5ci/2sTBBGZsylNBAgMBAAGjggFBMIIBPTAdBgNVHSUEFjAUBggrBgEF"
551 "BQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYB"
552 "BQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lB"
553 "RzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9v"
554 "Y3NwMB0GA1UdDgQWBBS/bzHxcE73Q4j3slC4BLbMtLjGGjAMBgNVHRMBAf8EAjAA"
555 "MB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMBcGA1UdIAQQMA4wDAYK"
556 "KwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRwOi8vcGtpLmdvb2dsZS5j"
557 "b20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQAbqdWPZEHk0X7iKPCTHL6S"
558 "3w6q1eR67goxZGFSM1lk1hjwyu7XcLJuvALVV9uY3ovEkQZSHwT+pyOPWQhsSjO+"
559 "1GyjvCvK/CAwiUmBX+bQRGaqHsRcio7xSbdVcajQ3bXdX+s0WdbOpn6MStKAiBVl"
560 "oPlSxEI8pxY6x/BBCnTIk/+DMB17uZlOjG3vbAnkDkP+n0OTucD9sHV7EVj9XUxi"
561 "51nOfNBCN/s7lpUjDS/NJ4k3iwOtbCPswiot8vLO779af07vR03r349Iz/KTzk95"
562 "rlFtX0IU+KYNxFNsanIXZ+C9FYGRXkwhHcvFb4qMUB1yTTlM80jBMOwyjZXmjRAh"
563 "MIID8DCCAtigAwIBAgIDAjqDMA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT"
564 "MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i"
565 "YWwgQ0EwHhcNMTMwNDA1MTUxNTU2WhcNMTYxMjMxMjM1OTU5WjBJMQswCQYDVQQG"
566 "EwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVy"
567 "bmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB"
568 "AJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NP"
569 "VaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtv"
570 "h8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rE"
571 "ahqyzFPdFUuLH8gZYR/Nnag+YyuENWllhMgZxUYi+FOVvuOAShDGKuy6lyARxzmZ"
572 "EASg8GF6lSWMTlJ14rbtCMoU/M4iarNOz0YDl5cDfsCx3nuvRTPPuj5xt970JSXC"
573 "DTWJnZ37DhF5iR43xa+OcmkCAwEAAaOB5zCB5DAfBgNVHSMEGDAWgBTAephojYn7"
574 "qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1dvWBtrtiGrpagS8wDgYD"
575 "VR0PAQH/BAQDAgEGMC4GCCsGAQUFBwEBBCIwIDAeBggrBgEFBQcwAYYSaHR0cDov"
576 "L2cuc3ltY2QuY29tMBIGA1UdEwEB/wQIMAYBAf8CAQAwNQYDVR0fBC4wLDAqoCig"
577 "JoYkaHR0cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9iYWwuY3JsMBcGA1UdIAQQ"
578 "MA4wDAYKKwYBBAHWeQIFATANBgkqhkiG9w0BAQsFAAOCAQEAqvqpIM1qZ4PtXtR+"
579 "3h3Ef+AlBgDFJPupyC1tft6dgmUsgWM0Zj7pUsIItMsv91+ZOmqcUHqFBYx90SpI"
580 "hNMJbHzCzTWf84LuUt5oX+QAihcglvcpjZpNy6jehsgNb1aHA30DP9z6eX0hGfnI"
581 "Oi9RdozHQZJxjyXON/hKTAAj78Q1EK7gI4BzfE00LshukNYQHpmEcxpw8u1VDu4X"
582 "Bupn7jLrLN1nBz/2i8Jw3lsA5rsb0zYaImxssDVCbJAJPZPpZAkiDoUGn8JzIdPm"
583 "X4DkjYUiOnMDsWCOrmji9D6X52ASCWg23jrW4kOVWzeBkoEfu43XrVJkFleW2V40"
584 "fsg12DCCA30wggLmoAMCAQICAxK75jANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQG"
585 "EwJVUzEQMA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUg"
586 "Q2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTAyMDUyMTA0MDAwMFoXDTE4MDgyMTA0"
587 "MDAwMFowQjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUdlb1RydXN0IEluYy4xGzAZ"
588 "BgNVBAMTEkdlb1RydXN0IEdsb2JhbCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP"
589 "ADCCAQoCggEBANrMGGMw/fQXIxpWflvfPGw45HG3eJHUvKHYTPioQ7YD6U0hBwiI"
590 "2lgvZjkpvQV4i5046AW3an5xpObEYKaw74DkiSgPniXW7YPzraaRx5jJQhg1FJ2t"
591 "mEaSLk/K8YdDwRaVVy1Q74ktgHpXrfLuX2vSAI25FPgUFTXZwEaje3LIkb/JVSvN"
592 "0Jc+nCZkzN/Ogxlxyk7m1NV7qRnNVd7I7NJeOFPlXE+MLf5QIzb8ZubLjqQ5GQC3"
593 "lQI5kQsO/jgu0R0FmvZNPm8PBx2vLB6PYDni+jZTEznUXiYr2z2oFL0y6xgDKFIE"
594 "ceWrMz3hOLsHNoRinHnqFjD0X8Ar6HFr5PkCAwEAAaOB8DCB7TAfBgNVHSMEGDAW"
595 "gBRI5mj5K9KylddH2CMgEE8zmJCf1DAdBgNVHQ4EFgQUwHqYaI2J+6sFZAwRfap9"
596 "ZbjKzE4wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwOgYDVR0fBDMw"
597 "MTAvoC2gK4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20vY3Jscy9zZWN1cmVjYS5j"
598 "cmwwTgYDVR0gBEcwRTBDBgRVHSAAMDswOQYIKwYBBQUHAgEWLWh0dHBzOi8vd3d3"
599 "Lmdlb3RydXN0LmNvbS9yZXNvdXJjZXMvcmVwb3NpdG9yeTANBgkqhkiG9w0BAQUF"
600 "AAOBgQB24RJuTksWEoYwBrKBCM/wCMfHcX5m7sLt1Dsf//DwyE7WQziwuTB9GNBV"
601 "g6JqyzYRnOhIZqNtf7gT1Ef+i1pcc/yu2RsyGTirlzQUqpbS66McFAhJtrvlke+D"
602 "NusdVm/K2rxzY5Dkf3s+Iss9B+1fOHSc4wNQTqGvmO5h8oQ/Eg==";
603
604// kBadSessionExtraField is a custom serialized SSL_SESSION generated by replacing
605// the final (optional) element of |kCustomSession| with tag number 30.
606static const char kBadSessionExtraField[] =
607 "MIIBdgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
608 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
609 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
610 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
611 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
612 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
613 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
614 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBL4DBAEF";
615
616// kBadSessionVersion is a custom serialized SSL_SESSION generated by replacing
617// the version of |kCustomSession| with 2.
618static const char kBadSessionVersion[] =
619 "MIIBdgIBAgICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
620 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
621 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
622 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
623 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
624 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
625 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
626 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBLADBAEF";
627
628// kBadSessionTrailingData is a custom serialized SSL_SESSION with trailing data
629// appended.
630static const char kBadSessionTrailingData[] =
631 "MIIBdgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
632 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
633 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
634 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
635 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
636 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
637 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
638 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBLADBAEFAAAA";
639
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]640static bool DecodeBase64(std::vector<uint8_t> *out, const char *in) {
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]641 size_t len;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]642 if (!EVP_DecodedLength(&len, strlen(in))) {
643 fprintf(stderr, "EVP_DecodedLength failed\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]644 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]645 }
646
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]647 out->resize(len);
David Benjaminef14b2d2015-11-11 14:01:27 -0800[diff] [blame]648 if (!EVP_DecodeBase64(out->data(), &len, len, (const uint8_t *)in,
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]649 strlen(in))) {
650 fprintf(stderr, "EVP_DecodeBase64 failed\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]651 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]652 }
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]653 out->resize(len);
654 return true;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]655}
656
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]657static bool TestSSL_SESSIONEncoding(const char *input_b64) {
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]658 const uint8_t *cptr;
659 uint8_t *ptr;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]660
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]661 // Decode the input.
662 std::vector<uint8_t> input;
663 if (!DecodeBase64(&input, input_b64)) {
664 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]665 }
666
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]667 // Verify the SSL_SESSION decodes.
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]668 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
669 if (!ssl_ctx) {
670 return false;
671 }
672 bssl::UniquePtr<SSL_SESSION> session(
673 SSL_SESSION_from_bytes(input.data(), input.size(), ssl_ctx.get()));
David Benjaminfd67aa82015-06-15 19:41:48 -0400[diff] [blame]674 if (!session) {
675 fprintf(stderr, "SSL_SESSION_from_bytes failed\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]676 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]677 }
678
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]679 // Verify the SSL_SESSION encoding round-trips.
680 size_t encoded_len;
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]681 bssl::UniquePtr<uint8_t> encoded;
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]682 uint8_t *encoded_raw;
683 if (!SSL_SESSION_to_bytes(session.get(), &encoded_raw, &encoded_len)) {
David Benjamin3cac4502014-10-21 01:46:30 -0400[diff] [blame]684 fprintf(stderr, "SSL_SESSION_to_bytes failed\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]685 return false;
David Benjamin3cac4502014-10-21 01:46:30 -0400[diff] [blame]686 }
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]687 encoded.reset(encoded_raw);
688 if (encoded_len != input.size() ||
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]689 OPENSSL_memcmp(input.data(), encoded.get(), input.size()) != 0) {
David Benjamin3cac4502014-10-21 01:46:30 -0400[diff] [blame]690 fprintf(stderr, "SSL_SESSION_to_bytes did not round-trip\n");
Sigbjorn Vik2b23d242015-06-29 15:07:26 +0200[diff] [blame]691 hexdump(stderr, "Before: ", input.data(), input.size());
692 hexdump(stderr, "After: ", encoded_raw, encoded_len);
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]693 return false;
David Benjamin3cac4502014-10-21 01:46:30 -0400[diff] [blame]694 }
David Benjamin3cac4502014-10-21 01:46:30 -0400[diff] [blame]695
David Benjaminfd67aa82015-06-15 19:41:48 -0400[diff] [blame]696 // Verify the SSL_SESSION also decodes with the legacy API.
David Benjaminef14b2d2015-11-11 14:01:27 -0800[diff] [blame]697 cptr = input.data();
David Benjaminfd67aa82015-06-15 19:41:48 -0400[diff] [blame]698 session.reset(d2i_SSL_SESSION(NULL, &cptr, input.size()));
David Benjaminef14b2d2015-11-11 14:01:27 -0800[diff] [blame]699 if (!session || cptr != input.data() + input.size()) {
David Benjaminfd67aa82015-06-15 19:41:48 -0400[diff] [blame]700 fprintf(stderr, "d2i_SSL_SESSION failed\n");
701 return false;
702 }
703
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]704 // Verify the SSL_SESSION encoding round-trips via the legacy API.
705 int len = i2d_SSL_SESSION(session.get(), NULL);
706 if (len < 0 || (size_t)len != input.size()) {
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]707 fprintf(stderr, "i2d_SSL_SESSION(NULL) returned invalid length\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]708 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]709 }
710
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]711 encoded.reset((uint8_t *)OPENSSL_malloc(input.size()));
712 if (!encoded) {
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]713 fprintf(stderr, "malloc failed\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]714 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]715 }
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]716
717 ptr = encoded.get();
718 len = i2d_SSL_SESSION(session.get(), &ptr);
719 if (len < 0 || (size_t)len != input.size()) {
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]720 fprintf(stderr, "i2d_SSL_SESSION returned invalid length\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]721 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]722 }
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]723 if (ptr != encoded.get() + input.size()) {
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]724 fprintf(stderr, "i2d_SSL_SESSION did not advance ptr correctly\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]725 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]726 }
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]727 if (OPENSSL_memcmp(input.data(), encoded.get(), input.size()) != 0) {
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]728 fprintf(stderr, "i2d_SSL_SESSION did not round-trip\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]729 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]730 }
731
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]732 return true;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]733}
734
David Benjaminf297e022015-05-28 19:55:29 -0400[diff] [blame]735static bool TestBadSSL_SESSIONEncoding(const char *input_b64) {
736 std::vector<uint8_t> input;
737 if (!DecodeBase64(&input, input_b64)) {
738 return false;
739 }
740
741 // Verify that the SSL_SESSION fails to decode.
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]742 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
743 if (!ssl_ctx) {
744 return false;
745 }
746 bssl::UniquePtr<SSL_SESSION> session(
747 SSL_SESSION_from_bytes(input.data(), input.size(), ssl_ctx.get()));
David Benjaminf297e022015-05-28 19:55:29 -0400[diff] [blame]748 if (session) {
David Benjaminfd67aa82015-06-15 19:41:48 -0400[diff] [blame]749 fprintf(stderr, "SSL_SESSION_from_bytes unexpectedly succeeded\n");
David Benjaminf297e022015-05-28 19:55:29 -0400[diff] [blame]750 return false;
751 }
752 ERR_clear_error();
753 return true;
754}
755
David Benjamin321fcdc2017-04-24 11:42:42 -0400[diff] [blame]756static void ExpectDefaultVersion(uint16_t min_version, uint16_t max_version,
757 const SSL_METHOD *(*method)(void)) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]758 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method()));
David Benjamin321fcdc2017-04-24 11:42:42 -0400[diff] [blame]759 ASSERT_TRUE(ctx);
David Benjaminfc08dfc2017-06-20 14:39:32 -0400[diff] [blame]760 EXPECT_EQ(min_version, ctx->conf_min_version);
761 EXPECT_EQ(max_version, ctx->conf_max_version);
David Benjamin321fcdc2017-04-24 11:42:42 -0400[diff] [blame]762}
763
764TEST(SSLTest, DefaultVersion) {
765 // TODO(svaldez): Update this when TLS 1.3 is enabled by default.
766 ExpectDefaultVersion(TLS1_VERSION, TLS1_2_VERSION, &TLS_method);
767 ExpectDefaultVersion(TLS1_VERSION, TLS1_VERSION, &TLSv1_method);
768 ExpectDefaultVersion(TLS1_1_VERSION, TLS1_1_VERSION, &TLSv1_1_method);
769 ExpectDefaultVersion(TLS1_2_VERSION, TLS1_2_VERSION, &TLSv1_2_method);
770 ExpectDefaultVersion(TLS1_1_VERSION, TLS1_2_VERSION, &DTLS_method);
771 ExpectDefaultVersion(TLS1_1_VERSION, TLS1_1_VERSION, &DTLSv1_method);
772 ExpectDefaultVersion(TLS1_2_VERSION, TLS1_2_VERSION, &DTLSv1_2_method);
David Benjamin82c9e902014-12-12 15:55:27 -0500[diff] [blame]773}
774
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]775TEST(SSLTest, CipherGetStandardName) {
776 static const struct {
777 int id;
778 const char *standard_name;
779 } kTests[] = {
780 {SSL3_CK_RSA_DES_192_CBC3_SHA, "TLS_RSA_WITH_3DES_EDE_CBC_SHA"},
781 {TLS1_CK_RSA_WITH_AES_128_SHA, "TLS_RSA_WITH_AES_128_CBC_SHA"},
782 {TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
783 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"},
784 {TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
785 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"},
786 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
787 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"},
788 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
789 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"},
790 {TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
791 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"},
792 {TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA,
793 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA"},
794 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
795 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"},
796 {TLS1_CK_AES_256_GCM_SHA384, "TLS_AES_256_GCM_SHA384"},
797 {TLS1_CK_AES_128_GCM_SHA256, "TLS_AES_128_GCM_SHA256"},
798 {TLS1_CK_CHACHA20_POLY1305_SHA256, "TLS_CHACHA20_POLY1305_SHA256"},
799 };
David Benjamin65226252015-02-05 16:49:47 -0500[diff] [blame]800
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]801 for (const auto &t : kTests) {
802 SCOPED_TRACE(t.standard_name);
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]803
804 const SSL_CIPHER *cipher = SSL_get_cipher_by_value(t.id & 0xffff);
805 ASSERT_TRUE(cipher);
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]806 EXPECT_STREQ(t.standard_name, SSL_CIPHER_standard_name(cipher));
807
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]808 bssl::UniquePtr<char> rfc_name(SSL_CIPHER_get_rfc_name(cipher));
809 ASSERT_TRUE(rfc_name);
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]810 EXPECT_STREQ(t.standard_name, rfc_name.get());
David Benjamin65226252015-02-05 16:49:47 -0500[diff] [blame]811 }
David Benjamin65226252015-02-05 16:49:47 -0500[diff] [blame]812}
813
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]814// CreateSessionWithTicket returns a sample |SSL_SESSION| with the specified
815// version and ticket length or nullptr on failure.
816static bssl::UniquePtr<SSL_SESSION> CreateSessionWithTicket(uint16_t version,
817 size_t ticket_len) {
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]818 std::vector<uint8_t> der;
819 if (!DecodeBase64(&der, kOpenSSLSession)) {
820 return nullptr;
821 }
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]822
823 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
824 if (!ssl_ctx) {
825 return nullptr;
826 }
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]827 bssl::UniquePtr<SSL_SESSION> session(
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]828 SSL_SESSION_from_bytes(der.data(), der.size(), ssl_ctx.get()));
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]829 if (!session) {
830 return nullptr;
831 }
832
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]833 session->ssl_version = version;
834
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]835 // Swap out the ticket for a garbage one.
836 OPENSSL_free(session->tlsext_tick);
837 session->tlsext_tick = reinterpret_cast<uint8_t*>(OPENSSL_malloc(ticket_len));
838 if (session->tlsext_tick == nullptr) {
839 return nullptr;
840 }
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]841 OPENSSL_memset(session->tlsext_tick, 'a', ticket_len);
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]842 session->tlsext_ticklen = ticket_len;
David Benjamin1269ddd2015-10-18 15:18:55 -0400[diff] [blame]843
844 // Fix up the timeout.
David Benjamin9b63f292016-11-15 00:44:05 -0500[diff] [blame]845#if defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE)
846 session->time = 1234;
847#else
David Benjamin1269ddd2015-10-18 15:18:55 -0400[diff] [blame]848 session->time = time(NULL);
David Benjamin9b63f292016-11-15 00:44:05 -0500[diff] [blame]849#endif
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]850 return session;
851}
852
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]853static bool GetClientHello(SSL *ssl, std::vector<uint8_t> *out) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]854 bssl::UniquePtr<BIO> bio(BIO_new(BIO_s_mem()));
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]855 if (!bio) {
856 return false;
857 }
858 // Do not configure a reading BIO, but record what's written to a memory BIO.
David Benjamin96a16cd2016-08-11 12:14:47 -0400[diff] [blame]859 BIO_up_ref(bio.get());
860 SSL_set_bio(ssl, nullptr /* rbio */, bio.get());
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]861 int ret = SSL_connect(ssl);
862 if (ret > 0) {
863 // SSL_connect should fail without a BIO to write to.
864 return false;
865 }
866 ERR_clear_error();
867
868 const uint8_t *client_hello;
869 size_t client_hello_len;
870 if (!BIO_mem_contents(bio.get(), &client_hello, &client_hello_len)) {
871 return false;
872 }
873 *out = std::vector<uint8_t>(client_hello, client_hello + client_hello_len);
874 return true;
875}
876
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]877// GetClientHelloLen creates a client SSL connection with the specified version
878// and ticket length. It returns the length of the ClientHello, not including
879// the record header, on success and zero on error.
880static size_t GetClientHelloLen(uint16_t max_version, uint16_t session_version,
881 size_t ticket_len) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]882 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]883 bssl::UniquePtr<SSL_SESSION> session =
884 CreateSessionWithTicket(session_version, ticket_len);
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]885 if (!ctx || !session) {
886 return 0;
887 }
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]888
889 // Set a one-element cipher list so the baseline ClientHello is unpadded.
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]890 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
Steven Valdez2c62fe92016-10-14 12:08:12 -0400[diff] [blame]891 if (!ssl || !SSL_set_session(ssl.get(), session.get()) ||
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]892 !SSL_set_strict_cipher_list(ssl.get(), "ECDHE-RSA-AES128-GCM-SHA256") ||
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]893 !SSL_set_max_proto_version(ssl.get(), max_version)) {
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]894 return 0;
895 }
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]896
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]897 std::vector<uint8_t> client_hello;
898 if (!GetClientHello(ssl.get(), &client_hello) ||
899 client_hello.size() <= SSL3_RT_HEADER_LENGTH) {
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]900 return 0;
901 }
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]902
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]903 return client_hello.size() - SSL3_RT_HEADER_LENGTH;
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]904}
905
906struct PaddingTest {
907 size_t input_len, padded_len;
908};
909
910static const PaddingTest kPaddingTests[] = {
911 // ClientHellos of length below 0x100 do not require padding.
912 {0xfe, 0xfe},
913 {0xff, 0xff},
914 // ClientHellos of length 0x100 through 0x1fb are padded up to 0x200.
915 {0x100, 0x200},
916 {0x123, 0x200},
917 {0x1fb, 0x200},
918 // ClientHellos of length 0x1fc through 0x1ff get padded beyond 0x200. The
919 // padding extension takes a minimum of four bytes plus one required content
920 // byte. (To work around yet more server bugs, we avoid empty final
921 // extensions.)
922 {0x1fc, 0x201},
923 {0x1fd, 0x202},
924 {0x1fe, 0x203},
925 {0x1ff, 0x204},
926 // Finally, larger ClientHellos need no padding.
927 {0x200, 0x200},
928 {0x201, 0x201},
929};
930
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]931static bool TestPaddingExtension(uint16_t max_version,
932 uint16_t session_version) {
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]933 // Sample a baseline length.
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]934 size_t base_len = GetClientHelloLen(max_version, session_version, 1);
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]935 if (base_len == 0) {
936 return false;
937 }
938
939 for (const PaddingTest &test : kPaddingTests) {
940 if (base_len > test.input_len) {
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]941 fprintf(stderr,
942 "Baseline ClientHello too long (max_version = %04x, "
943 "session_version = %04x).\n",
944 max_version, session_version);
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]945 return false;
946 }
947
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]948 size_t padded_len = GetClientHelloLen(max_version, session_version,
949 1 + test.input_len - base_len);
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]950 if (padded_len != test.padded_len) {
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]951 fprintf(stderr,
952 "%u-byte ClientHello padded to %u bytes, not %u (max_version = "
953 "%04x, session_version = %04x).\n",
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]954 static_cast<unsigned>(test.input_len),
955 static_cast<unsigned>(padded_len),
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]956 static_cast<unsigned>(test.padded_len), max_version,
957 session_version);
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]958 return false;
959 }
960 }
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]961
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]962 return true;
963}
964
David Benjamin1d128f32015-09-08 17:41:40 -0400[diff] [blame]965// Test that |SSL_get_client_CA_list| echoes back the configured parameter even
966// before configuring as a server.
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]967TEST(SSLTest, ClientCAList) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]968 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]969 ASSERT_TRUE(ctx);
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]970 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]971 ASSERT_TRUE(ssl);
David Benjamin1d128f32015-09-08 17:41:40 -0400[diff] [blame]972
Adam Langley34b4c822017-02-02 10:57:17 -0800[diff] [blame]973 bssl::UniquePtr<X509_NAME> name(X509_NAME_new());
974 ASSERT_TRUE(name);
David Benjamin1d128f32015-09-08 17:41:40 -0400[diff] [blame]975
Adam Langley34b4c822017-02-02 10:57:17 -0800[diff] [blame]976 bssl::UniquePtr<X509_NAME> name_dup(X509_NAME_dup(name.get()));
977 ASSERT_TRUE(name_dup);
978
979 bssl::UniquePtr<STACK_OF(X509_NAME)> stack(sk_X509_NAME_new_null());
980 ASSERT_TRUE(stack);
981
982 ASSERT_TRUE(sk_X509_NAME_push(stack.get(), name_dup.get()));
983 name_dup.release();
984
985 // |SSL_set_client_CA_list| takes ownership.
986 SSL_set_client_CA_list(ssl.get(), stack.release());
987
988 STACK_OF(X509_NAME) *result = SSL_get_client_CA_list(ssl.get());
989 ASSERT_TRUE(result);
990 ASSERT_EQ(1u, sk_X509_NAME_num(result));
991 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(result, 0), name.get()));
David Benjamin1d128f32015-09-08 17:41:40 -0400[diff] [blame]992}
993
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]994static void AppendSession(SSL_SESSION *session, void *arg) {
995 std::vector<SSL_SESSION*> *out =
996 reinterpret_cast<std::vector<SSL_SESSION*>*>(arg);
997 out->push_back(session);
998}
999
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1000// CacheEquals returns true if |ctx|'s session cache consists of |expected|, in
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1001// order.
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1002static bool CacheEquals(SSL_CTX *ctx,
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1003 const std::vector<SSL_SESSION*> &expected) {
1004 // Check the linked list.
1005 SSL_SESSION *ptr = ctx->session_cache_head;
1006 for (SSL_SESSION *session : expected) {
1007 if (ptr != session) {
1008 return false;
1009 }
1010 // TODO(davidben): This is an absurd way to denote the end of the list.
1011 if (ptr->next ==
1012 reinterpret_cast<SSL_SESSION *>(&ctx->session_cache_tail)) {
1013 ptr = nullptr;
1014 } else {
1015 ptr = ptr->next;
1016 }
1017 }
1018 if (ptr != nullptr) {
1019 return false;
1020 }
1021
1022 // Check the hash table.
1023 std::vector<SSL_SESSION*> actual, expected_copy;
1024 lh_SSL_SESSION_doall_arg(SSL_CTX_sessions(ctx), AppendSession, &actual);
1025 expected_copy = expected;
1026
1027 std::sort(actual.begin(), actual.end());
1028 std::sort(expected_copy.begin(), expected_copy.end());
1029
1030 return actual == expected_copy;
1031}
1032
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1033static bssl::UniquePtr<SSL_SESSION> CreateTestSession(uint32_t number) {
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]1034 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
1035 if (!ssl_ctx) {
1036 return nullptr;
1037 }
1038 bssl::UniquePtr<SSL_SESSION> ret(SSL_SESSION_new(ssl_ctx.get()));
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1039 if (!ret) {
1040 return nullptr;
1041 }
1042
1043 ret->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]1044 OPENSSL_memset(ret->session_id, 0, ret->session_id_length);
1045 OPENSSL_memcpy(ret->session_id, &number, sizeof(number));
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1046 return ret;
1047}
1048
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1049// Test that the internal session cache behaves as expected.
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1050TEST(SSLTest, InternalSessionCache) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1051 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1052 ASSERT_TRUE(ctx);
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1053
1054 // Prepare 10 test sessions.
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1055 std::vector<bssl::UniquePtr<SSL_SESSION>> sessions;
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1056 for (int i = 0; i < 10; i++) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1057 bssl::UniquePtr<SSL_SESSION> session = CreateTestSession(i);
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1058 ASSERT_TRUE(session);
David Benjamin4f6acaf2015-11-21 03:00:50 -0500[diff] [blame]1059 sessions.push_back(std::move(session));
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1060 }
1061
1062 SSL_CTX_sess_set_cache_size(ctx.get(), 5);
1063
1064 // Insert all the test sessions.
David Benjamin4f6acaf2015-11-21 03:00:50 -0500[diff] [blame]1065 for (const auto &session : sessions) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1066 ASSERT_TRUE(SSL_CTX_add_session(ctx.get(), session.get()));
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1067 }
1068
1069 // Only the last five should be in the list.
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1070 ASSERT_TRUE(CacheEquals(
1071 ctx.get(), {sessions[9].get(), sessions[8].get(), sessions[7].get(),
1072 sessions[6].get(), sessions[5].get()}));
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1073
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1074 // Inserting an element already in the cache should fail and leave the cache
1075 // unchanged.
1076 ASSERT_FALSE(SSL_CTX_add_session(ctx.get(), sessions[7].get()));
1077 ASSERT_TRUE(CacheEquals(
1078 ctx.get(), {sessions[9].get(), sessions[8].get(), sessions[7].get(),
1079 sessions[6].get(), sessions[5].get()}));
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1080
1081 // Although collisions should be impossible (256-bit session IDs), the cache
1082 // must handle them gracefully.
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1083 bssl::UniquePtr<SSL_SESSION> collision(CreateTestSession(7));
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1084 ASSERT_TRUE(collision);
1085 ASSERT_TRUE(SSL_CTX_add_session(ctx.get(), collision.get()));
1086 ASSERT_TRUE(CacheEquals(
1087 ctx.get(), {collision.get(), sessions[9].get(), sessions[8].get(),
1088 sessions[6].get(), sessions[5].get()}));
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1089
1090 // Removing sessions behaves correctly.
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1091 ASSERT_TRUE(SSL_CTX_remove_session(ctx.get(), sessions[6].get()));
1092 ASSERT_TRUE(CacheEquals(ctx.get(), {collision.get(), sessions[9].get(),
1093 sessions[8].get(), sessions[5].get()}));
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1094
1095 // Removing sessions requires an exact match.
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1096 ASSERT_FALSE(SSL_CTX_remove_session(ctx.get(), sessions[0].get()));
1097 ASSERT_FALSE(SSL_CTX_remove_session(ctx.get(), sessions[7].get()));
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1098
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1099 // The cache remains unchanged.
1100 ASSERT_TRUE(CacheEquals(ctx.get(), {collision.get(), sessions[9].get(),
1101 sessions[8].get(), sessions[5].get()}));
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1102}
1103
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1104static uint16_t EpochFromSequence(uint64_t seq) {
1105 return static_cast<uint16_t>(seq >> 48);
1106}
1107
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1108static bssl::UniquePtr<X509> GetTestCertificate() {
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1109 static const char kCertPEM[] =
1110 "-----BEGIN CERTIFICATE-----\n"
1111 "MIICWDCCAcGgAwIBAgIJAPuwTC6rEJsMMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV\n"
1112 "BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX\n"
1113 "aWRnaXRzIFB0eSBMdGQwHhcNMTQwNDIzMjA1MDQwWhcNMTcwNDIyMjA1MDQwWjBF\n"
1114 "MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50\n"
1115 "ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\n"
1116 "gQDYK8imMuRi/03z0K1Zi0WnvfFHvwlYeyK9Na6XJYaUoIDAtB92kWdGMdAQhLci\n"
1117 "HnAjkXLI6W15OoV3gA/ElRZ1xUpxTMhjP6PyY5wqT5r6y8FxbiiFKKAnHmUcrgfV\n"
1118 "W28tQ+0rkLGMryRtrukXOgXBv7gcrmU7G1jC2a7WqmeI8QIDAQABo1AwTjAdBgNV\n"
1119 "HQ4EFgQUi3XVrMsIvg4fZbf6Vr5sp3Xaha8wHwYDVR0jBBgwFoAUi3XVrMsIvg4f\n"
1120 "Zbf6Vr5sp3Xaha8wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQA76Hht\n"
1121 "ldY9avcTGSwbwoiuIqv0jTL1fHFnzy3RHMLDh+Lpvolc5DSrSJHCP5WuK0eeJXhr\n"
1122 "T5oQpHL9z/cCDLAKCKRa4uV0fhEdOWBqyR9p8y5jJtye72t6CuFUV5iqcpF4BH4f\n"
1123 "j2VNHwsSrJwkD4QUGlUtH7vwnQmyCFxZMmWAJg==\n"
1124 "-----END CERTIFICATE-----\n";
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1125 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(kCertPEM, strlen(kCertPEM)));
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]1126 return bssl::UniquePtr<X509>(
1127 PEM_read_bio_X509(bio.get(), nullptr, nullptr, nullptr));
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1128}
1129
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1130static bssl::UniquePtr<EVP_PKEY> GetTestKey() {
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1131 static const char kKeyPEM[] =
1132 "-----BEGIN RSA PRIVATE KEY-----\n"
1133 "MIICXgIBAAKBgQDYK8imMuRi/03z0K1Zi0WnvfFHvwlYeyK9Na6XJYaUoIDAtB92\n"
1134 "kWdGMdAQhLciHnAjkXLI6W15OoV3gA/ElRZ1xUpxTMhjP6PyY5wqT5r6y8FxbiiF\n"
1135 "KKAnHmUcrgfVW28tQ+0rkLGMryRtrukXOgXBv7gcrmU7G1jC2a7WqmeI8QIDAQAB\n"
1136 "AoGBAIBy09Fd4DOq/Ijp8HeKuCMKTHqTW1xGHshLQ6jwVV2vWZIn9aIgmDsvkjCe\n"
1137 "i6ssZvnbjVcwzSoByhjN8ZCf/i15HECWDFFh6gt0P5z0MnChwzZmvatV/FXCT0j+\n"
1138 "WmGNB/gkehKjGXLLcjTb6dRYVJSCZhVuOLLcbWIV10gggJQBAkEA8S8sGe4ezyyZ\n"
1139 "m4e9r95g6s43kPqtj5rewTsUxt+2n4eVodD+ZUlCULWVNAFLkYRTBCASlSrm9Xhj\n"
1140 "QpmWAHJUkQJBAOVzQdFUaewLtdOJoPCtpYoY1zd22eae8TQEmpGOR11L6kbxLQsk\n"
1141 "aMly/DOnOaa82tqAGTdqDEZgSNmCeKKknmECQAvpnY8GUOVAubGR6c+W90iBuQLj\n"
1142 "LtFp/9ihd2w/PoDwrHZaoUYVcT4VSfJQog/k7kjE4MYXYWL8eEKg3WTWQNECQQDk\n"
1143 "104Wi91Umd1PzF0ijd2jXOERJU1wEKe6XLkYYNHWQAe5l4J4MWj9OdxFXAxIuuR/\n"
1144 "tfDwbqkta4xcux67//khAkEAvvRXLHTaa6VFzTaiiO8SaFsHV3lQyXOtMrBpB5jd\n"
1145 "moZWgjHvB2W9Ckn7sDqsPB+U2tyX0joDdQEyuiMECDY8oQ==\n"
1146 "-----END RSA PRIVATE KEY-----\n";
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1147 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(kKeyPEM, strlen(kKeyPEM)));
1148 return bssl::UniquePtr<EVP_PKEY>(
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1149 PEM_read_bio_PrivateKey(bio.get(), nullptr, nullptr, nullptr));
1150}
1151
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1152static bssl::UniquePtr<X509> GetECDSATestCertificate() {
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]1153 static const char kCertPEM[] =
1154 "-----BEGIN CERTIFICATE-----\n"
1155 "MIIBzzCCAXagAwIBAgIJANlMBNpJfb/rMAkGByqGSM49BAEwRTELMAkGA1UEBhMC\n"
1156 "QVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdp\n"
1157 "dHMgUHR5IEx0ZDAeFw0xNDA0MjMyMzIxNTdaFw0xNDA1MjMyMzIxNTdaMEUxCzAJ\n"
1158 "BgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5l\n"
1159 "dCBXaWRnaXRzIFB0eSBMdGQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATmK2ni\n"
1160 "v2Wfl74vHg2UikzVl2u3qR4NRvvdqakendy6WgHn1peoChj5w8SjHlbifINI2xYa\n"
1161 "HPUdfvGULUvPciLBo1AwTjAdBgNVHQ4EFgQUq4TSrKuV8IJOFngHVVdf5CaNgtEw\n"
1162 "HwYDVR0jBBgwFoAUq4TSrKuV8IJOFngHVVdf5CaNgtEwDAYDVR0TBAUwAwEB/zAJ\n"
1163 "BgcqhkjOPQQBA0gAMEUCIQDyoDVeUTo2w4J5m+4nUIWOcAZ0lVfSKXQA9L4Vh13E\n"
1164 "BwIgfB55FGohg/B6dGh5XxSZmmi08cueFV7mHzJSYV51yRQ=\n"
1165 "-----END CERTIFICATE-----\n";
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1166 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(kCertPEM, strlen(kCertPEM)));
1167 return bssl::UniquePtr<X509>(PEM_read_bio_X509(bio.get(), nullptr, nullptr, nullptr));
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]1168}
1169
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1170static bssl::UniquePtr<EVP_PKEY> GetECDSATestKey() {
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]1171 static const char kKeyPEM[] =
1172 "-----BEGIN PRIVATE KEY-----\n"
1173 "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgBw8IcnrUoEqc3VnJ\n"
1174 "TYlodwi1b8ldMHcO6NHJzgqLtGqhRANCAATmK2niv2Wfl74vHg2UikzVl2u3qR4N\n"
1175 "Rvvdqakendy6WgHn1peoChj5w8SjHlbifINI2xYaHPUdfvGULUvPciLB\n"
1176 "-----END PRIVATE KEY-----\n";
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1177 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(kKeyPEM, strlen(kKeyPEM)));
1178 return bssl::UniquePtr<EVP_PKEY>(
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]1179 PEM_read_bio_PrivateKey(bio.get(), nullptr, nullptr, nullptr));
1180}
1181
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]1182static bssl::UniquePtr<CRYPTO_BUFFER> BufferFromPEM(const char *pem) {
1183 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(pem, strlen(pem)));
1184 char *name, *header;
1185 uint8_t *data;
1186 long data_len;
1187 if (!PEM_read_bio(bio.get(), &name, &header, &data,
1188 &data_len)) {
1189 return nullptr;
1190 }
1191 OPENSSL_free(name);
1192 OPENSSL_free(header);
1193
1194 auto ret = bssl::UniquePtr<CRYPTO_BUFFER>(
1195 CRYPTO_BUFFER_new(data, data_len, nullptr));
1196 OPENSSL_free(data);
1197 return ret;
1198}
1199
1200static bssl::UniquePtr<CRYPTO_BUFFER> GetChainTestCertificateBuffer() {
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]1201 static const char kCertPEM[] =
1202 "-----BEGIN CERTIFICATE-----\n"
1203 "MIIC0jCCAbqgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEQiBD\n"
1204 "QTAeFw0xNjAyMjgyMDI3MDNaFw0yNjAyMjUyMDI3MDNaMBgxFjAUBgNVBAMMDUNs\n"
1205 "aWVudCBDZXJ0IEEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDRvaz8\n"
1206 "CC/cshpCafJo4jLkHEoBqDLhdgFelJoAiQUyIqyWl2O7YHPnpJH+TgR7oelzNzt/\n"
1207 "kLRcH89M/TszB6zqyLTC4aqmvzKL0peD/jL2LWBucR0WXIvjA3zoRuF/x86+rYH3\n"
1208 "tHb+xs2PSs8EGL/Ev+ss+qTzTGEn26fuGNHkNw6tOwPpc+o8+wUtzf/kAthamo+c\n"
1209 "IDs2rQ+lP7+aLZTLeU/q4gcLutlzcK5imex5xy2jPkweq48kijK0kIzl1cPlA5d1\n"
1210 "z7C8jU50Pj9X9sQDJTN32j7UYRisJeeYQF8GaaN8SbrDI6zHgKzrRLyxDt/KQa9V\n"
1211 "iLeXANgZi+Xx9KgfAgMBAAGjLzAtMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYI\n"
1212 "KwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQBFEVbmYl+2RtNw\n"
1213 "rDftRDF1v2QUbcN2ouSnQDHxeDQdSgasLzT3ui8iYu0Rw2WWcZ0DV5e0ztGPhWq7\n"
1214 "AO0B120aFRMOY+4+bzu9Q2FFkQqc7/fKTvTDzIJI5wrMnFvUfzzvxh3OHWMYSs/w\n"
1215 "giq33hTKeHEq6Jyk3btCny0Ycecyc3yGXH10sizUfiHlhviCkDuESk8mFDwDDzqW\n"
1216 "ZF0IipzFbEDHoIxLlm3GQxpiLoEV4k8KYJp3R5KBLFyxM6UGPz8h72mIPCJp2RuK\n"
1217 "MYgF91UDvVzvnYm6TfseM2+ewKirC00GOrZ7rEcFvtxnKSqYf4ckqfNdSU1Y+RRC\n"
1218 "1ngWZ7Ih\n"
1219 "-----END CERTIFICATE-----\n";
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]1220 return BufferFromPEM(kCertPEM);
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]1221}
1222
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]1223static bssl::UniquePtr<X509> X509FromBuffer(
1224 bssl::UniquePtr<CRYPTO_BUFFER> buffer) {
1225 if (!buffer) {
1226 return nullptr;
1227 }
1228 const uint8_t *derp = CRYPTO_BUFFER_data(buffer.get());
1229 return bssl::UniquePtr<X509>(
1230 d2i_X509(NULL, &derp, CRYPTO_BUFFER_len(buffer.get())));
1231}
1232
1233static bssl::UniquePtr<X509> GetChainTestCertificate() {
1234 return X509FromBuffer(GetChainTestCertificateBuffer());
1235}
1236
1237static bssl::UniquePtr<CRYPTO_BUFFER> GetChainTestIntermediateBuffer() {
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]1238 static const char kCertPEM[] =
1239 "-----BEGIN CERTIFICATE-----\n"
1240 "MIICwjCCAaqgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwFDESMBAGA1UEAwwJQyBS\n"
1241 "b290IENBMB4XDTE2MDIyODIwMjcwM1oXDTI2MDIyNTIwMjcwM1owDzENMAsGA1UE\n"
1242 "AwwEQiBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALsSCYmDip2D\n"
1243 "GkjFxw7ykz26JSjELkl6ArlYjFJ3aT/SCh8qbS4gln7RH8CPBd78oFdfhIKQrwtZ\n"
1244 "3/q21ykD9BAS3qHe2YdcJfm8/kWAy5DvXk6NXU4qX334KofBAEpgdA/igEFq1P1l\n"
1245 "HAuIfZCpMRfT+i5WohVsGi8f/NgpRvVaMONLNfgw57mz1lbtFeBEISmX0kbsuJxF\n"
1246 "Qj/Bwhi5/0HAEXG8e7zN4cEx0yPRvmOATRdVb/8dW2pwOHRJq9R5M0NUkIsTSnL7\n"
1247 "6N/z8hRAHMsV3IudC5Yd7GXW1AGu9a+iKU+Q4xcZCoj0DC99tL4VKujrV1kAeqsM\n"
1248 "cz5/dKzi6+cCAwEAAaMjMCEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
1249 "AQYwDQYJKoZIhvcNAQELBQADggEBAIIeZiEeNhWWQ8Y4D+AGDwqUUeG8NjCbKrXQ\n"
1250 "BlHg5wZ8xftFaiP1Dp/UAezmx2LNazdmuwrYB8lm3FVTyaPDTKEGIPS4wJKHgqH1\n"
1251 "QPDhqNm85ey7TEtI9oYjsNim/Rb+iGkIAMXaxt58SzxbjvP0kMr1JfJIZbic9vye\n"
1252 "NwIspMFIpP3FB8ywyu0T0hWtCQgL4J47nigCHpOu58deP88fS/Nyz/fyGVWOZ76b\n"
1253 "WhWwgM3P3X95fQ3d7oFPR/bVh0YV+Cf861INwplokXgXQ3/TCQ+HNXeAMWn3JLWv\n"
1254 "XFwk8owk9dq/kQGdndGgy3KTEW4ctPX5GNhf3LJ9Q7dLji4ReQ4=\n"
1255 "-----END CERTIFICATE-----\n";
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]1256 return BufferFromPEM(kCertPEM);
1257}
1258
1259static bssl::UniquePtr<X509> GetChainTestIntermediate() {
1260 return X509FromBuffer(GetChainTestIntermediateBuffer());
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]1261}
1262
1263static bssl::UniquePtr<EVP_PKEY> GetChainTestKey() {
1264 static const char kKeyPEM[] =
1265 "-----BEGIN PRIVATE KEY-----\n"
1266 "MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDRvaz8CC/cshpC\n"
1267 "afJo4jLkHEoBqDLhdgFelJoAiQUyIqyWl2O7YHPnpJH+TgR7oelzNzt/kLRcH89M\n"
1268 "/TszB6zqyLTC4aqmvzKL0peD/jL2LWBucR0WXIvjA3zoRuF/x86+rYH3tHb+xs2P\n"
1269 "Ss8EGL/Ev+ss+qTzTGEn26fuGNHkNw6tOwPpc+o8+wUtzf/kAthamo+cIDs2rQ+l\n"
1270 "P7+aLZTLeU/q4gcLutlzcK5imex5xy2jPkweq48kijK0kIzl1cPlA5d1z7C8jU50\n"
1271 "Pj9X9sQDJTN32j7UYRisJeeYQF8GaaN8SbrDI6zHgKzrRLyxDt/KQa9ViLeXANgZ\n"
1272 "i+Xx9KgfAgMBAAECggEBAK0VjSJzkyPaamcyTVSWjo7GdaBGcK60lk657RjR+lK0\n"
1273 "YJ7pkej4oM2hdsVZFsP8Cs4E33nXLa/0pDsRov/qrp0WQm2skwqGMC1I/bZ0WRPk\n"
1274 "wHaDrBBfESWnJDX/AGpVtlyOjPmgmK6J2usMPihQUDkKdAYrVWJePrMIxt1q6BMe\n"
1275 "iczs3qriMmtY3bUc4UyUwJ5fhDLjshHvfuIpYQyI6EXZM6dZksn9LylXJnigY6QJ\n"
1276 "HxOYO0BDwOsZ8yQ8J8afLk88i0GizEkgE1z3REtQUwgWfxr1WV/ud+T6/ZhSAgH9\n"
1277 "042mQvSFZnIUSEsmCvjhWuAunfxHKCTcAoYISWfzWpkCgYEA7gpf3HHU5Tn+CgUn\n"
1278 "1X5uGpG3DmcMgfeGgs2r2f/IIg/5Ac1dfYILiybL1tN9zbyLCJfcbFpWBc9hJL6f\n"
1279 "CPc5hUiwWFJqBJewxQkC1Ae/HakHbip+IZ+Jr0842O4BAArvixk4Lb7/N2Ct9sTE\n"
1280 "NJO6RtK9lbEZ5uK61DglHy8CS2UCgYEA4ZC1o36kPAMQBggajgnucb2yuUEelk0f\n"
1281 "AEr+GI32MGE+93xMr7rAhBoqLg4AITyIfEnOSQ5HwagnIHonBbv1LV/Gf9ursx8Z\n"
1282 "YOGbvT8zzzC+SU1bkDzdjAYnFQVGIjMtKOBJ3K07++ypwX1fr4QsQ8uKL8WSOWwt\n"
1283 "Z3Bym6XiZzMCgYADnhy+2OwHX85AkLt+PyGlPbmuelpyTzS4IDAQbBa6jcuW/2wA\n"
1284 "UE2km75VUXmD+u2R/9zVuLm99NzhFhSMqlUxdV1YukfqMfP5yp1EY6m/5aW7QuIP\n"
1285 "2MDa7TVL9rIFMiVZ09RKvbBbQxjhuzPQKL6X/PPspnhiTefQ+dl2k9xREQKBgHDS\n"
1286 "fMfGNEeAEKezrfSVqxphE9/tXms3L+ZpnCaT+yu/uEr5dTIAawKoQ6i9f/sf1/Sy\n"
1287 "xedsqR+IB+oKrzIDDWMgoJybN4pkZ8E5lzhVQIjFjKgFdWLzzqyW9z1gYfABQPlN\n"
1288 "FiS20WX0vgP1vcKAjdNrHzc9zyHBpgQzDmAj3NZZAoGBAI8vKCKdH7w3aL5CNkZQ\n"
1289 "2buIeWNA2HZazVwAGG5F2TU/LmXfRKnG6dX5bkU+AkBZh56jNZy//hfFSewJB4Kk\n"
1290 "buB7ERSdaNbO21zXt9FEA3+z0RfMd/Zv2vlIWOSB5nzl/7UKti3sribK6s9ZVLfi\n"
1291 "SxpiPQ8d/hmSGwn4ksrWUsJD\n"
1292 "-----END PRIVATE KEY-----\n";
1293 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(kKeyPEM, strlen(kKeyPEM)));
1294 return bssl::UniquePtr<EVP_PKEY>(
1295 PEM_read_bio_PrivateKey(bio.get(), nullptr, nullptr, nullptr));
1296}
1297
David Benjamin71dfad42017-07-16 17:27:39 -0400[diff] [blame]1298static const uint8_t kTestName[] = {
1299 0x30, 0x45, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
1300 0x02, 0x41, 0x55, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
1301 0x0c, 0x0a, 0x53, 0x6f, 0x6d, 0x65, 0x2d, 0x53, 0x74, 0x61, 0x74, 0x65,
1302 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x18, 0x49,
1303 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x20, 0x57, 0x69, 0x64, 0x67,
1304 0x69, 0x74, 0x73, 0x20, 0x50, 0x74, 0x79, 0x20, 0x4c, 0x74, 0x64,
1305};
1306
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]1307static bool CompleteHandshakes(SSL *client, SSL *server) {
1308 // Drive both their handshakes to completion.
1309 for (;;) {
1310 int client_ret = SSL_do_handshake(client);
1311 int client_err = SSL_get_error(client, client_ret);
1312 if (client_err != SSL_ERROR_NONE &&
1313 client_err != SSL_ERROR_WANT_READ &&
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]1314 client_err != SSL_ERROR_WANT_WRITE &&
1315 client_err != SSL_ERROR_PENDING_TICKET) {
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]1316 fprintf(stderr, "Client error: %d\n", client_err);
1317 return false;
1318 }
1319
1320 int server_ret = SSL_do_handshake(server);
1321 int server_err = SSL_get_error(server, server_ret);
1322 if (server_err != SSL_ERROR_NONE &&
1323 server_err != SSL_ERROR_WANT_READ &&
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]1324 server_err != SSL_ERROR_WANT_WRITE &&
1325 server_err != SSL_ERROR_PENDING_TICKET) {
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]1326 fprintf(stderr, "Server error: %d\n", server_err);
1327 return false;
1328 }
1329
1330 if (client_ret == 1 && server_ret == 1) {
1331 break;
1332 }
1333 }
1334
1335 return true;
1336}
1337
1338static bool ConnectClientAndServer(bssl::UniquePtr<SSL> *out_client,
1339 bssl::UniquePtr<SSL> *out_server,
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]1340 SSL_CTX *client_ctx, SSL_CTX *server_ctx,
1341 SSL_SESSION *session) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1342 bssl::UniquePtr<SSL> client(SSL_new(client_ctx)), server(SSL_new(server_ctx));
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1343 if (!client || !server) {
1344 return false;
1345 }
1346 SSL_set_connect_state(client.get());
1347 SSL_set_accept_state(server.get());
1348
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]1349 SSL_set_session(client.get(), session);
1350
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1351 BIO *bio1, *bio2;
1352 if (!BIO_new_bio_pair(&bio1, 0, &bio2, 0)) {
1353 return false;
1354 }
1355 // SSL_set_bio takes ownership.
1356 SSL_set_bio(client.get(), bio1, bio1);
1357 SSL_set_bio(server.get(), bio2, bio2);
1358
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]1359 if (!CompleteHandshakes(client.get(), server.get())) {
1360 return false;
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1361 }
1362
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1363 *out_client = std::move(client);
1364 *out_server = std::move(server);
1365 return true;
1366}
1367
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1368static bool TestSequenceNumber(bool is_dtls, const SSL_METHOD *method,
1369 uint16_t version) {
1370 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method));
1371 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method));
1372 if (!server_ctx || !client_ctx ||
1373 !SSL_CTX_set_min_proto_version(client_ctx.get(), version) ||
1374 !SSL_CTX_set_max_proto_version(client_ctx.get(), version) ||
1375 !SSL_CTX_set_min_proto_version(server_ctx.get(), version) ||
1376 !SSL_CTX_set_max_proto_version(server_ctx.get(), version)) {
1377 return false;
1378 }
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1379
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1380 bssl::UniquePtr<X509> cert = GetTestCertificate();
1381 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
1382 if (!cert || !key || !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) ||
1383 !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get())) {
1384 return false;
1385 }
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1386
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1387 bssl::UniquePtr<SSL> client, server;
1388 if (!ConnectClientAndServer(&client, &server, client_ctx.get(),
1389 server_ctx.get(), nullptr /* no session */)) {
1390 return false;
1391 }
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1392
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1393 // Drain any post-handshake messages to ensure there are no unread records
1394 // on either end.
1395 uint8_t byte = 0;
1396 if (SSL_read(client.get(), &byte, 1) > 0 ||
1397 SSL_read(server.get(), &byte, 1) > 0) {
1398 fprintf(stderr, "Received unexpected data.\n");
1399 return false;
1400 }
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1401
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1402 uint64_t client_read_seq = SSL_get_read_sequence(client.get());
1403 uint64_t client_write_seq = SSL_get_write_sequence(client.get());
1404 uint64_t server_read_seq = SSL_get_read_sequence(server.get());
1405 uint64_t server_write_seq = SSL_get_write_sequence(server.get());
Steven Valdez2c62fe92016-10-14 12:08:12 -0400[diff] [blame]1406
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1407 if (is_dtls) {
1408 // Both client and server must be at epoch 1.
1409 if (EpochFromSequence(client_read_seq) != 1 ||
1410 EpochFromSequence(client_write_seq) != 1 ||
1411 EpochFromSequence(server_read_seq) != 1 ||
1412 EpochFromSequence(server_write_seq) != 1) {
1413 fprintf(stderr, "Bad epochs.\n");
1414 return false;
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1415 }
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1416
1417 // The next record to be written should exceed the largest received.
1418 if (client_write_seq <= server_read_seq ||
1419 server_write_seq <= client_read_seq) {
1420 fprintf(stderr, "Inconsistent sequence numbers.\n");
1421 return false;
1422 }
1423 } else {
1424 // The next record to be written should equal the next to be received.
1425 if (client_write_seq != server_read_seq ||
1426 server_write_seq != client_read_seq) {
1427 fprintf(stderr, "Inconsistent sequence numbers.\n");
1428 return false;
1429 }
1430 }
1431
1432 // Send a record from client to server.
1433 if (SSL_write(client.get(), &byte, 1) != 1 ||
1434 SSL_read(server.get(), &byte, 1) != 1) {
1435 fprintf(stderr, "Could not send byte.\n");
1436 return false;
1437 }
1438
1439 // The client write and server read sequence numbers should have
1440 // incremented.
1441 if (client_write_seq + 1 != SSL_get_write_sequence(client.get()) ||
1442 server_read_seq + 1 != SSL_get_read_sequence(server.get())) {
1443 fprintf(stderr, "Sequence numbers did not increment.\n");
1444 return false;
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1445 }
1446
1447 return true;
1448}
1449
David Benjamin68f37b72016-11-18 15:14:42 +0900[diff] [blame]1450static bool TestOneSidedShutdown(bool is_dtls, const SSL_METHOD *method,
1451 uint16_t version) {
1452 // SSL_shutdown is a no-op in DTLS.
1453 if (is_dtls) {
1454 return true;
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1455 }
1456
David Benjamin68f37b72016-11-18 15:14:42 +0900[diff] [blame]1457 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method));
1458 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method));
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1459 bssl::UniquePtr<X509> cert = GetTestCertificate();
1460 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
David Benjamin68f37b72016-11-18 15:14:42 +0900[diff] [blame]1461 if (!client_ctx || !server_ctx || !cert || !key ||
1462 !SSL_CTX_set_min_proto_version(server_ctx.get(), version) ||
1463 !SSL_CTX_set_max_proto_version(server_ctx.get(), version) ||
1464 !SSL_CTX_set_min_proto_version(client_ctx.get(), version) ||
1465 !SSL_CTX_set_max_proto_version(client_ctx.get(), version) ||
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1466 !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) ||
1467 !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get())) {
1468 return false;
1469 }
1470
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1471 bssl::UniquePtr<SSL> client, server;
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1472 if (!ConnectClientAndServer(&client, &server, client_ctx.get(),
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]1473 server_ctx.get(), nullptr /* no session */)) {
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1474 return false;
1475 }
1476
1477 // Shut down half the connection. SSL_shutdown will return 0 to signal only
1478 // one side has shut down.
1479 if (SSL_shutdown(client.get()) != 0) {
1480 fprintf(stderr, "Could not shutdown.\n");
1481 return false;
1482 }
1483
1484 // Reading from the server should consume the EOF.
1485 uint8_t byte;
1486 if (SSL_read(server.get(), &byte, 1) != 0 ||
1487 SSL_get_error(server.get(), 0) != SSL_ERROR_ZERO_RETURN) {
1488 fprintf(stderr, "Connection was not shut down cleanly.\n");
1489 return false;
1490 }
1491
1492 // However, the server may continue to write data and then shut down the
1493 // connection.
1494 byte = 42;
1495 if (SSL_write(server.get(), &byte, 1) != 1 ||
1496 SSL_read(client.get(), &byte, 1) != 1 ||
1497 byte != 42) {
1498 fprintf(stderr, "Could not send byte.\n");
1499 return false;
1500 }
1501
1502 // The server may then shutdown the connection.
1503 if (SSL_shutdown(server.get()) != 1 ||
1504 SSL_shutdown(client.get()) != 1) {
1505 fprintf(stderr, "Could not complete shutdown.\n");
1506 return false;
1507 }
1508
1509 return true;
1510}
David Benjamin68f37b72016-11-18 15:14:42 +0900[diff] [blame]1511
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1512TEST(SSLTest, SessionDuplication) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1513 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
1514 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1515 ASSERT_TRUE(client_ctx);
1516 ASSERT_TRUE(server_ctx);
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]1517
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1518 bssl::UniquePtr<X509> cert = GetTestCertificate();
1519 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1520 ASSERT_TRUE(cert);
1521 ASSERT_TRUE(key);
1522 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
1523 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]1524
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1525 bssl::UniquePtr<SSL> client, server;
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1526 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
1527 server_ctx.get(),
1528 nullptr /* no session */));
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]1529
1530 SSL_SESSION *session0 = SSL_get_session(client.get());
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1531 bssl::UniquePtr<SSL_SESSION> session1(
David Benjamin86e95b82017-07-18 16:34:25 -0400[diff] [blame^]1532 bssl::SSL_SESSION_dup(session0, SSL_SESSION_DUP_ALL));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1533 ASSERT_TRUE(session1);
David Benjamin4501bd52016-08-01 13:39:41 -0400[diff] [blame]1534
Steven Valdez84b5c002016-08-25 16:30:58 -0400[diff] [blame]1535 session1->not_resumable = 0;
1536
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]1537 uint8_t *s0_bytes, *s1_bytes;
1538 size_t s0_len, s1_len;
1539
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1540 ASSERT_TRUE(SSL_SESSION_to_bytes(session0, &s0_bytes, &s0_len));
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1541 bssl::UniquePtr<uint8_t> free_s0(s0_bytes);
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]1542
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1543 ASSERT_TRUE(SSL_SESSION_to_bytes(session1.get(), &s1_bytes, &s1_len));
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1544 bssl::UniquePtr<uint8_t> free_s1(s1_bytes);
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]1545
David Benjamin7d7554b2017-02-04 11:48:59 -0500[diff] [blame]1546 EXPECT_EQ(Bytes(s0_bytes, s0_len), Bytes(s1_bytes, s1_len));
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]1547}
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1548
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1549static void ExpectFDs(const SSL *ssl, int rfd, int wfd) {
David Benjaminca743582017-06-15 17:51:35 -0400[diff] [blame]1550 EXPECT_EQ(rfd, SSL_get_fd(ssl));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1551 EXPECT_EQ(rfd, SSL_get_rfd(ssl));
1552 EXPECT_EQ(wfd, SSL_get_wfd(ssl));
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1553
1554 // The wrapper BIOs are always equal when fds are equal, even if set
1555 // individually.
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1556 if (rfd == wfd) {
1557 EXPECT_EQ(SSL_get_rbio(ssl), SSL_get_wbio(ssl));
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1558 }
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1559}
1560
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1561TEST(SSLTest, SetFD) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1562 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1563 ASSERT_TRUE(ctx);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1564
1565 // Test setting different read and write FDs.
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1566 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1567 ASSERT_TRUE(ssl);
1568 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
1569 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 2));
1570 ExpectFDs(ssl.get(), 1, 2);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1571
1572 // Test setting the same FD.
1573 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1574 ASSERT_TRUE(ssl);
1575 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
1576 ExpectFDs(ssl.get(), 1, 1);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1577
1578 // Test setting the same FD one side at a time.
1579 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1580 ASSERT_TRUE(ssl);
1581 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
1582 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 1));
1583 ExpectFDs(ssl.get(), 1, 1);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1584
1585 // Test setting the same FD in the other order.
1586 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1587 ASSERT_TRUE(ssl);
1588 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 1));
1589 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
1590 ExpectFDs(ssl.get(), 1, 1);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1591
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1592 // Test changing the read FD partway through.
1593 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1594 ASSERT_TRUE(ssl);
1595 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
1596 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 2));
1597 ExpectFDs(ssl.get(), 2, 1);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1598
1599 // Test changing the write FD partway through.
1600 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1601 ASSERT_TRUE(ssl);
1602 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
1603 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 2));
1604 ExpectFDs(ssl.get(), 1, 2);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1605
1606 // Test a no-op change to the read FD partway through.
1607 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1608 ASSERT_TRUE(ssl);
1609 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
1610 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
1611 ExpectFDs(ssl.get(), 1, 1);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1612
1613 // Test a no-op change to the write FD partway through.
1614 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1615 ASSERT_TRUE(ssl);
1616 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
1617 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 1));
1618 ExpectFDs(ssl.get(), 1, 1);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1619
1620 // ASan builds will implicitly test that the internal |BIO| reference-counting
1621 // is correct.
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1622}
1623
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1624TEST(SSLTest, SetBIO) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1625 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1626 ASSERT_TRUE(ctx);
David Benjamin4501bd52016-08-01 13:39:41 -0400[diff] [blame]1627
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1628 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
1629 bssl::UniquePtr<BIO> bio1(BIO_new(BIO_s_mem())), bio2(BIO_new(BIO_s_mem())),
David Benjamin4501bd52016-08-01 13:39:41 -0400[diff] [blame]1630 bio3(BIO_new(BIO_s_mem()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1631 ASSERT_TRUE(ssl);
1632 ASSERT_TRUE(bio1);
1633 ASSERT_TRUE(bio2);
1634 ASSERT_TRUE(bio3);
David Benjamin4501bd52016-08-01 13:39:41 -0400[diff] [blame]1635
1636 // SSL_set_bio takes one reference when the parameters are the same.
1637 BIO_up_ref(bio1.get());
1638 SSL_set_bio(ssl.get(), bio1.get(), bio1.get());
1639
1640 // Repeating the call does nothing.
1641 SSL_set_bio(ssl.get(), bio1.get(), bio1.get());
1642
1643 // It takes one reference each when the parameters are different.
1644 BIO_up_ref(bio2.get());
1645 BIO_up_ref(bio3.get());
1646 SSL_set_bio(ssl.get(), bio2.get(), bio3.get());
1647
1648 // Repeating the call does nothing.
1649 SSL_set_bio(ssl.get(), bio2.get(), bio3.get());
1650
1651 // It takes one reference when changing only wbio.
1652 BIO_up_ref(bio1.get());
1653 SSL_set_bio(ssl.get(), bio2.get(), bio1.get());
1654
1655 // It takes one reference when changing only rbio and the two are different.
1656 BIO_up_ref(bio3.get());
1657 SSL_set_bio(ssl.get(), bio3.get(), bio1.get());
1658
1659 // If setting wbio to rbio, it takes no additional references.
1660 SSL_set_bio(ssl.get(), bio3.get(), bio3.get());
1661
1662 // From there, wbio may be switched to something else.
1663 BIO_up_ref(bio1.get());
1664 SSL_set_bio(ssl.get(), bio3.get(), bio1.get());
1665
1666 // If setting rbio to wbio, it takes no additional references.
1667 SSL_set_bio(ssl.get(), bio1.get(), bio1.get());
1668
1669 // From there, rbio may be switched to something else, but, for historical
1670 // reasons, it takes a reference to both parameters.
1671 BIO_up_ref(bio1.get());
1672 BIO_up_ref(bio2.get());
1673 SSL_set_bio(ssl.get(), bio2.get(), bio1.get());
1674
1675 // ASAN builds will implicitly test that the internal |BIO| reference-counting
1676 // is correct.
David Benjamin4501bd52016-08-01 13:39:41 -0400[diff] [blame]1677}
1678
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]1679static int VerifySucceed(X509_STORE_CTX *store_ctx, void *arg) { return 1; }
1680
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1681static bool TestGetPeerCertificate(bool is_dtls, const SSL_METHOD *method,
1682 uint16_t version) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1683 bssl::UniquePtr<X509> cert = GetTestCertificate();
1684 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]1685 if (!cert || !key) {
1686 return false;
1687 }
1688
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1689 // Configure both client and server to accept any certificate.
1690 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method));
1691 if (!ctx ||
1692 !SSL_CTX_use_certificate(ctx.get(), cert.get()) ||
1693 !SSL_CTX_use_PrivateKey(ctx.get(), key.get()) ||
1694 !SSL_CTX_set_min_proto_version(ctx.get(), version) ||
1695 !SSL_CTX_set_max_proto_version(ctx.get(), version)) {
1696 return false;
1697 }
1698 SSL_CTX_set_verify(
1699 ctx.get(), SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nullptr);
1700 SSL_CTX_set_cert_verify_callback(ctx.get(), VerifySucceed, NULL);
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]1701
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1702 bssl::UniquePtr<SSL> client, server;
1703 if (!ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
1704 nullptr /* no session */)) {
1705 return false;
1706 }
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]1707
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1708 // Client and server should both see the leaf certificate.
1709 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(server.get()));
1710 if (!peer || X509_cmp(cert.get(), peer.get()) != 0) {
1711 fprintf(stderr, "Server peer certificate did not match.\n");
1712 return false;
1713 }
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]1714
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1715 peer.reset(SSL_get_peer_certificate(client.get()));
1716 if (!peer || X509_cmp(cert.get(), peer.get()) != 0) {
1717 fprintf(stderr, "Client peer certificate did not match.\n");
1718 return false;
1719 }
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]1720
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1721 // However, for historical reasons, the chain includes the leaf on the
1722 // client, but does not on the server.
1723 if (sk_X509_num(SSL_get_peer_cert_chain(client.get())) != 1) {
1724 fprintf(stderr, "Client peer chain was incorrect.\n");
1725 return false;
1726 }
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]1727
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1728 if (sk_X509_num(SSL_get_peer_cert_chain(server.get())) != 0) {
1729 fprintf(stderr, "Server peer chain was incorrect.\n");
1730 return false;
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]1731 }
1732
1733 return true;
1734}
1735
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1736static bool TestRetainOnlySHA256OfCerts(bool is_dtls, const SSL_METHOD *method,
1737 uint16_t version) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1738 bssl::UniquePtr<X509> cert = GetTestCertificate();
1739 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]1740 if (!cert || !key) {
1741 return false;
1742 }
1743
1744 uint8_t *cert_der = NULL;
1745 int cert_der_len = i2d_X509(cert.get(), &cert_der);
1746 if (cert_der_len < 0) {
1747 return false;
1748 }
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1749 bssl::UniquePtr<uint8_t> free_cert_der(cert_der);
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]1750
1751 uint8_t cert_sha256[SHA256_DIGEST_LENGTH];
1752 SHA256(cert_der, cert_der_len, cert_sha256);
1753
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1754 // Configure both client and server to accept any certificate, but the
1755 // server must retain only the SHA-256 of the peer.
1756 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method));
1757 if (!ctx ||
1758 !SSL_CTX_use_certificate(ctx.get(), cert.get()) ||
1759 !SSL_CTX_use_PrivateKey(ctx.get(), key.get()) ||
1760 !SSL_CTX_set_min_proto_version(ctx.get(), version) ||
1761 !SSL_CTX_set_max_proto_version(ctx.get(), version)) {
1762 return false;
1763 }
1764 SSL_CTX_set_verify(
1765 ctx.get(), SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nullptr);
1766 SSL_CTX_set_cert_verify_callback(ctx.get(), VerifySucceed, NULL);
1767 SSL_CTX_set_retain_only_sha256_of_client_certs(ctx.get(), 1);
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]1768
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1769 bssl::UniquePtr<SSL> client, server;
1770 if (!ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
1771 nullptr /* no session */)) {
1772 return false;
1773 }
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]1774
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1775 // The peer certificate has been dropped.
1776 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(server.get()));
1777 if (peer) {
1778 fprintf(stderr, "Peer certificate was retained.\n");
1779 return false;
1780 }
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]1781
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1782 SSL_SESSION *session = SSL_get_session(server.get());
1783 if (!session->peer_sha256_valid) {
1784 fprintf(stderr, "peer_sha256_valid was not set.\n");
1785 return false;
1786 }
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]1787
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]1788 if (OPENSSL_memcmp(cert_sha256, session->peer_sha256, SHA256_DIGEST_LENGTH) !=
1789 0) {
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1790 fprintf(stderr, "peer_sha256 did not match.\n");
1791 return false;
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]1792 }
1793
1794 return true;
1795}
1796
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1797static bool ClientHelloMatches(uint16_t version, const uint8_t *expected,
1798 size_t expected_len) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1799 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1800 // Our default cipher list varies by CPU capabilities, so manually place the
1801 // ChaCha20 ciphers in front.
Matthew Braithwaite7e06de52017-04-10 15:52:14 -0700[diff] [blame]1802 const char* cipher_list = "CHACHA20:ALL";
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]1803 if (!ctx ||
David Benjamin3cfeb952017-03-01 16:48:38 -0500[diff] [blame]1804 // SSLv3 is off by default.
1805 !SSL_CTX_set_min_proto_version(ctx.get(), SSL3_VERSION) ||
David Benjamine4706902016-09-20 15:12:23 -0400[diff] [blame]1806 !SSL_CTX_set_max_proto_version(ctx.get(), version) ||
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1807 !SSL_CTX_set_strict_cipher_list(ctx.get(), cipher_list)) {
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1808 return false;
1809 }
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]1810
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1811 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1812 if (!ssl) {
1813 return false;
1814 }
1815 std::vector<uint8_t> client_hello;
1816 if (!GetClientHello(ssl.get(), &client_hello)) {
1817 return false;
1818 }
1819
1820 // Zero the client_random.
1821 constexpr size_t kRandomOffset = 1 + 2 + 2 + // record header
1822 1 + 3 + // handshake message header
1823 2; // client_version
1824 if (client_hello.size() < kRandomOffset + SSL3_RANDOM_SIZE) {
1825 fprintf(stderr, "ClientHello for version %04x too short.\n", version);
1826 return false;
1827 }
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]1828 OPENSSL_memset(client_hello.data() + kRandomOffset, 0, SSL3_RANDOM_SIZE);
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1829
1830 if (client_hello.size() != expected_len ||
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]1831 OPENSSL_memcmp(client_hello.data(), expected, expected_len) != 0) {
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1832 fprintf(stderr, "ClientHello for version %04x did not match:\n", version);
1833 fprintf(stderr, "Got:\n\t");
1834 for (size_t i = 0; i < client_hello.size(); i++) {
1835 fprintf(stderr, "0x%02x, ", client_hello[i]);
1836 }
1837 fprintf(stderr, "\nWanted:\n\t");
1838 for (size_t i = 0; i < expected_len; i++) {
1839 fprintf(stderr, "0x%02x, ", expected[i]);
1840 }
1841 fprintf(stderr, "\n");
1842 return false;
1843 }
1844
1845 return true;
1846}
1847
1848// Tests that our ClientHellos do not change unexpectedly.
1849static bool TestClientHello() {
1850 static const uint8_t kSSL3ClientHello[] = {
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1851 0x16,
1852 0x03, 0x00,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1853 0x00, 0x3b,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1854 0x01,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1855 0x00, 0x00, 0x37,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1856 0x03, 0x00,
1857 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1858 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1859 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1860 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1861 0x00,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1862 0x00, 0x10,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1863 0xc0, 0x09,
1864 0xc0, 0x13,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1865 0xc0, 0x0a,
1866 0xc0, 0x14,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1867 0x00, 0x2f,
1868 0x00, 0x35,
1869 0x00, 0x0a,
1870 0x00, 0xff, 0x01, 0x00,
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1871 };
1872 if (!ClientHelloMatches(SSL3_VERSION, kSSL3ClientHello,
1873 sizeof(kSSL3ClientHello))) {
1874 return false;
1875 }
1876
1877 static const uint8_t kTLS1ClientHello[] = {
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1878 0x16,
1879 0x03, 0x01,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1880 0x00, 0x5a,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1881 0x01,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1882 0x00, 0x00, 0x56,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1883 0x03, 0x01,
1884 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1885 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1886 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1887 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1888 0x00,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1889 0x00, 0x0e,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1890 0xc0, 0x09,
1891 0xc0, 0x13,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1892 0xc0, 0x0a,
1893 0xc0, 0x14,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1894 0x00, 0x2f,
1895 0x00, 0x35,
1896 0x00, 0x0a,
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1897 0x01, 0x00, 0x00, 0x1f, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x17, 0x00,
1898 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00,
1899 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18,
1900 };
1901 if (!ClientHelloMatches(TLS1_VERSION, kTLS1ClientHello,
1902 sizeof(kTLS1ClientHello))) {
1903 return false;
1904 }
1905
1906 static const uint8_t kTLS11ClientHello[] = {
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1907 0x16,
1908 0x03, 0x01,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1909 0x00, 0x5a,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1910 0x01,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1911 0x00, 0x00, 0x56,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1912 0x03, 0x02,
1913 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1914 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1915 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1916 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1917 0x00,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1918 0x00, 0x0e,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1919 0xc0, 0x09,
1920 0xc0, 0x13,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1921 0xc0, 0x0a,
1922 0xc0, 0x14,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1923 0x00, 0x2f,
1924 0x00, 0x35,
1925 0x00, 0x0a,
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1926 0x01, 0x00, 0x00, 0x1f, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x17, 0x00,
1927 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00,
1928 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18,
1929 };
1930 if (!ClientHelloMatches(TLS1_1_VERSION, kTLS11ClientHello,
1931 sizeof(kTLS11ClientHello))) {
1932 return false;
1933 }
1934
David Benjamin3b584332017-01-24 22:47:18 -0500[diff] [blame]1935 // kTLS12ClientHello assumes RSA-PSS, which is disabled for Android system
1936 // builds.
1937#if defined(BORINGSSL_ANDROID_SYSTEM)
1938 return true;
1939#endif
1940
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1941 static const uint8_t kTLS12ClientHello[] = {
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1942 0x16,
1943 0x03, 0x01,
1944 0x00, 0x8e,
1945 0x01,
1946 0x00, 0x00, 0x8a,
1947 0x03, 0x03,
David Benjamin57e929f2016-08-30 00:30:38 -0400[diff] [blame]1948 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1949 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1950 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1951 0x00, 0x2a,
1952 0xcc, 0xa9,
1953 0xcc, 0xa8,
1954 0xc0, 0x2b,
1955 0xc0, 0x2f,
1956 0xc0, 0x2c,
1957 0xc0, 0x30,
1958 0xc0, 0x09,
1959 0xc0, 0x23,
1960 0xc0, 0x13,
1961 0xc0, 0x27,
1962 0xc0, 0x0a,
1963 0xc0, 0x24,
1964 0xc0, 0x14,
1965 0xc0, 0x28,
1966 0x00, 0x9c,
1967 0x00, 0x9d,
1968 0x00, 0x2f,
1969 0x00, 0x3c,
1970 0x00, 0x35,
1971 0x00, 0x3d,
1972 0x00, 0x0a,
1973 0x01, 0x00, 0x00, 0x37, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x17, 0x00,
1974 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x14, 0x00, 0x12, 0x04,
1975 0x03, 0x08, 0x04, 0x04, 0x01, 0x05, 0x03, 0x08, 0x05, 0x05, 0x01, 0x08,
1976 0x06, 0x06, 0x01, 0x02, 0x01, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00,
1977 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18,
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1978 };
1979 if (!ClientHelloMatches(TLS1_2_VERSION, kTLS12ClientHello,
1980 sizeof(kTLS12ClientHello))) {
1981 return false;
1982 }
1983
1984 // TODO(davidben): Add a change detector for TLS 1.3 once the spec and our
1985 // implementation has settled enough that it won't change.
1986
1987 return true;
1988}
1989
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1990static bssl::UniquePtr<SSL_SESSION> g_last_session;
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]1991
1992static int SaveLastSession(SSL *ssl, SSL_SESSION *session) {
1993 // Save the most recent session.
1994 g_last_session.reset(session);
1995 return 1;
1996}
1997
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1998static bssl::UniquePtr<SSL_SESSION> CreateClientSession(SSL_CTX *client_ctx,
Steven Valdeze831a812017-03-09 14:56:07 -0500[diff] [blame]1999 SSL_CTX *server_ctx) {
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2000 g_last_session = nullptr;
2001 SSL_CTX_sess_set_new_cb(client_ctx, SaveLastSession);
2002
2003 // Connect client and server to get a session.
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2004 bssl::UniquePtr<SSL> client, server;
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2005 if (!ConnectClientAndServer(&client, &server, client_ctx, server_ctx,
2006 nullptr /* no session */)) {
2007 fprintf(stderr, "Failed to connect client and server.\n");
2008 return nullptr;
2009 }
2010
2011 // Run the read loop to account for post-handshake tickets in TLS 1.3.
2012 SSL_read(client.get(), nullptr, 0);
2013
2014 SSL_CTX_sess_set_new_cb(client_ctx, nullptr);
2015
2016 if (!g_last_session) {
2017 fprintf(stderr, "Client did not receive a session.\n");
2018 return nullptr;
2019 }
2020 return std::move(g_last_session);
2021}
2022
2023static bool ExpectSessionReused(SSL_CTX *client_ctx, SSL_CTX *server_ctx,
2024 SSL_SESSION *session,
2025 bool reused) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2026 bssl::UniquePtr<SSL> client, server;
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2027 if (!ConnectClientAndServer(&client, &server, client_ctx,
2028 server_ctx, session)) {
2029 fprintf(stderr, "Failed to connect client and server.\n");
2030 return false;
2031 }
2032
2033 if (SSL_session_reused(client.get()) != SSL_session_reused(server.get())) {
2034 fprintf(stderr, "Client and server were inconsistent.\n");
2035 return false;
2036 }
2037
2038 bool was_reused = !!SSL_session_reused(client.get());
2039 if (was_reused != reused) {
2040 fprintf(stderr, "Session was%s reused, but we expected the opposite.\n",
2041 was_reused ? "" : " not");
2042 return false;
2043 }
2044
2045 return true;
2046}
2047
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]2048static bssl::UniquePtr<SSL_SESSION> ExpectSessionRenewed(SSL_CTX *client_ctx,
2049 SSL_CTX *server_ctx,
2050 SSL_SESSION *session) {
2051 g_last_session = nullptr;
2052 SSL_CTX_sess_set_new_cb(client_ctx, SaveLastSession);
2053
2054 bssl::UniquePtr<SSL> client, server;
2055 if (!ConnectClientAndServer(&client, &server, client_ctx,
2056 server_ctx, session)) {
2057 fprintf(stderr, "Failed to connect client and server.\n");
2058 return nullptr;
2059 }
2060
2061 if (SSL_session_reused(client.get()) != SSL_session_reused(server.get())) {
2062 fprintf(stderr, "Client and server were inconsistent.\n");
2063 return nullptr;
2064 }
2065
2066 if (!SSL_session_reused(client.get())) {
2067 fprintf(stderr, "Session was not reused.\n");
2068 return nullptr;
2069 }
2070
2071 // Run the read loop to account for post-handshake tickets in TLS 1.3.
2072 SSL_read(client.get(), nullptr, 0);
2073
2074 SSL_CTX_sess_set_new_cb(client_ctx, nullptr);
2075
2076 if (!g_last_session) {
2077 fprintf(stderr, "Client did not receive a renewed session.\n");
2078 return nullptr;
2079 }
2080 return std::move(g_last_session);
2081}
2082
David Benjamina933c382016-10-28 00:10:03 -0400[diff] [blame]2083static int SwitchSessionIDContextSNI(SSL *ssl, int *out_alert, void *arg) {
2084 static const uint8_t kContext[] = {3};
2085
2086 if (!SSL_set_session_id_context(ssl, kContext, sizeof(kContext))) {
2087 return SSL_TLSEXT_ERR_ALERT_FATAL;
2088 }
2089
2090 return SSL_TLSEXT_ERR_OK;
2091}
2092
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2093static bool TestSessionIDContext(bool is_dtls, const SSL_METHOD *method,
2094 uint16_t version) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2095 bssl::UniquePtr<X509> cert = GetTestCertificate();
2096 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2097 if (!cert || !key) {
2098 return false;
2099 }
2100
2101 static const uint8_t kContext1[] = {1};
2102 static const uint8_t kContext2[] = {2};
2103
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2104 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method));
2105 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method));
2106 if (!server_ctx || !client_ctx ||
2107 !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) ||
2108 !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()) ||
2109 !SSL_CTX_set_session_id_context(server_ctx.get(), kContext1,
2110 sizeof(kContext1)) ||
2111 !SSL_CTX_set_min_proto_version(client_ctx.get(), version) ||
2112 !SSL_CTX_set_max_proto_version(client_ctx.get(), version) ||
2113 !SSL_CTX_set_min_proto_version(server_ctx.get(), version) ||
2114 !SSL_CTX_set_max_proto_version(server_ctx.get(), version)) {
2115 return false;
2116 }
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2117
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2118 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
2119 SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH);
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2120
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2121 bssl::UniquePtr<SSL_SESSION> session =
2122 CreateClientSession(client_ctx.get(), server_ctx.get());
2123 if (!session) {
2124 fprintf(stderr, "Error getting session.\n");
2125 return false;
2126 }
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2127
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2128 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(),
2129 true /* expect session reused */)) {
2130 fprintf(stderr, "Error resuming session.\n");
2131 return false;
2132 }
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2133
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2134 // Change the session ID context.
2135 if (!SSL_CTX_set_session_id_context(server_ctx.get(), kContext2,
2136 sizeof(kContext2))) {
2137 return false;
2138 }
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2139
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2140 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(),
2141 false /* expect session not reused */)) {
2142 fprintf(stderr, "Error connecting with a different context.\n");
2143 return false;
2144 }
David Benjamina933c382016-10-28 00:10:03 -0400[diff] [blame]2145
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2146 // Change the session ID context back and install an SNI callback to switch
2147 // it.
2148 if (!SSL_CTX_set_session_id_context(server_ctx.get(), kContext1,
2149 sizeof(kContext1))) {
2150 return false;
2151 }
David Benjamina933c382016-10-28 00:10:03 -0400[diff] [blame]2152
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2153 SSL_CTX_set_tlsext_servername_callback(server_ctx.get(),
2154 SwitchSessionIDContextSNI);
David Benjamina933c382016-10-28 00:10:03 -0400[diff] [blame]2155
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2156 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(),
2157 false /* expect session not reused */)) {
2158 fprintf(stderr, "Error connecting with a context switch on SNI callback.\n");
2159 return false;
2160 }
David Benjamina933c382016-10-28 00:10:03 -0400[diff] [blame]2161
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2162 // Switch the session ID context with the early callback instead.
2163 SSL_CTX_set_tlsext_servername_callback(server_ctx.get(), nullptr);
Alessandro Ghedini57e81e62017-03-14 23:36:00 +0000[diff] [blame]2164 SSL_CTX_set_select_certificate_cb(
2165 server_ctx.get(),
2166 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
2167 static const uint8_t kContext[] = {3};
2168
2169 if (!SSL_set_session_id_context(client_hello->ssl, kContext,
2170 sizeof(kContext))) {
2171 return ssl_select_cert_error;
2172 }
2173
2174 return ssl_select_cert_success;
2175 });
David Benjamina933c382016-10-28 00:10:03 -0400[diff] [blame]2176
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2177 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(),
2178 false /* expect session not reused */)) {
2179 fprintf(stderr,
2180 "Error connecting with a context switch on early callback.\n");
2181 return false;
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2182 }
2183
2184 return true;
2185}
2186
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]2187static timeval g_current_time;
2188
2189static void CurrentTimeCallback(const SSL *ssl, timeval *out_clock) {
2190 *out_clock = g_current_time;
2191}
2192
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2193static void FrozenTimeCallback(const SSL *ssl, timeval *out_clock) {
2194 out_clock->tv_sec = 1000;
2195 out_clock->tv_usec = 0;
2196}
2197
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]2198static int RenewTicketCallback(SSL *ssl, uint8_t *key_name, uint8_t *iv,
2199 EVP_CIPHER_CTX *ctx, HMAC_CTX *hmac_ctx,
2200 int encrypt) {
2201 static const uint8_t kZeros[16] = {0};
2202
2203 if (encrypt) {
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]2204 OPENSSL_memcpy(key_name, kZeros, sizeof(kZeros));
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]2205 RAND_bytes(iv, 16);
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]2206 } else if (OPENSSL_memcmp(key_name, kZeros, 16) != 0) {
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]2207 return 0;
2208 }
2209
2210 if (!HMAC_Init_ex(hmac_ctx, kZeros, sizeof(kZeros), EVP_sha256(), NULL) ||
2211 !EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, kZeros, iv, encrypt)) {
2212 return -1;
2213 }
2214
2215 // Returning two from the callback in decrypt mode renews the
2216 // session in TLS 1.2 and below.
2217 return encrypt ? 1 : 2;
2218}
2219
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]2220static bool GetServerTicketTime(long *out, const SSL_SESSION *session) {
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]2221 if (session->tlsext_ticklen < 16 + 16 + SHA256_DIGEST_LENGTH) {
2222 return false;
2223 }
2224
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]2225 const uint8_t *ciphertext = session->tlsext_tick + 16 + 16;
2226 size_t len = session->tlsext_ticklen - 16 - 16 - SHA256_DIGEST_LENGTH;
2227 std::unique_ptr<uint8_t[]> plaintext(new uint8_t[len]);
2228
David Benjamin9b63f292016-11-15 00:44:05 -0500[diff] [blame]2229#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
2230 // Fuzzer-mode tickets are unencrypted.
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]2231 OPENSSL_memcpy(plaintext.get(), ciphertext, len);
David Benjamin9b63f292016-11-15 00:44:05 -0500[diff] [blame]2232#else
2233 static const uint8_t kZeros[16] = {0};
2234 const uint8_t *iv = session->tlsext_tick + 16;
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]2235 bssl::ScopedEVP_CIPHER_CTX ctx;
2236 int len1, len2;
2237 if (!EVP_DecryptInit_ex(ctx.get(), EVP_aes_128_cbc(), nullptr, kZeros, iv) ||
2238 !EVP_DecryptUpdate(ctx.get(), plaintext.get(), &len1, ciphertext, len) ||
2239 !EVP_DecryptFinal_ex(ctx.get(), plaintext.get() + len1, &len2)) {
2240 return false;
2241 }
2242
2243 len = static_cast<size_t>(len1 + len2);
David Benjamin9b63f292016-11-15 00:44:05 -0500[diff] [blame]2244#endif
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]2245
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]2246 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
2247 if (!ssl_ctx) {
2248 return false;
2249 }
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]2250 bssl::UniquePtr<SSL_SESSION> server_session(
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]2251 SSL_SESSION_from_bytes(plaintext.get(), len, ssl_ctx.get()));
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]2252 if (!server_session) {
2253 return false;
2254 }
2255
2256 *out = server_session->time;
2257 return true;
2258}
2259
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2260static bool TestSessionTimeout(bool is_dtls, const SSL_METHOD *method,
2261 uint16_t version) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2262 bssl::UniquePtr<X509> cert = GetTestCertificate();
2263 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]2264 if (!cert || !key) {
2265 return false;
2266 }
2267
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2268 for (bool server_test : std::vector<bool>{false, true}) {
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2269 static const time_t kStartTime = 1000;
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2270 g_current_time.tv_sec = kStartTime;
David Benjamin1b22f852016-10-27 16:36:32 -0400[diff] [blame]2271
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2272 // We are willing to use a longer lifetime for TLS 1.3 sessions as
2273 // resumptions still perform ECDHE.
2274 const time_t timeout = version == TLS1_3_VERSION
2275 ? SSL_DEFAULT_SESSION_PSK_DHE_TIMEOUT
2276 : SSL_DEFAULT_SESSION_TIMEOUT;
2277
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2278 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method));
2279 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method));
2280 if (!server_ctx || !client_ctx ||
2281 !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) ||
2282 !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()) ||
2283 !SSL_CTX_set_min_proto_version(client_ctx.get(), version) ||
2284 !SSL_CTX_set_max_proto_version(client_ctx.get(), version) ||
2285 !SSL_CTX_set_min_proto_version(server_ctx.get(), version) ||
2286 !SSL_CTX_set_max_proto_version(server_ctx.get(), version)) {
2287 return false;
2288 }
2289
2290 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
2291 SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH);
2292
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2293 // Both client and server must enforce session timeouts. We configure the
2294 // other side with a frozen clock so it never expires tickets.
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2295 if (server_test) {
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2296 SSL_CTX_set_current_time_cb(client_ctx.get(), FrozenTimeCallback);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2297 SSL_CTX_set_current_time_cb(server_ctx.get(), CurrentTimeCallback);
2298 } else {
2299 SSL_CTX_set_current_time_cb(client_ctx.get(), CurrentTimeCallback);
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2300 SSL_CTX_set_current_time_cb(server_ctx.get(), FrozenTimeCallback);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2301 }
2302
2303 // Configure a ticket callback which renews tickets.
2304 SSL_CTX_set_tlsext_ticket_key_cb(server_ctx.get(), RenewTicketCallback);
2305
2306 bssl::UniquePtr<SSL_SESSION> session =
2307 CreateClientSession(client_ctx.get(), server_ctx.get());
2308 if (!session) {
2309 fprintf(stderr, "Error getting session.\n");
2310 return false;
2311 }
2312
2313 // Advance the clock just behind the timeout.
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2314 g_current_time.tv_sec += timeout - 1;
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2315
2316 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(),
2317 true /* expect session reused */)) {
2318 fprintf(stderr, "Error resuming session.\n");
2319 return false;
2320 }
2321
2322 // Advance the clock one more second.
2323 g_current_time.tv_sec++;
2324
2325 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(),
2326 false /* expect session not reused */)) {
2327 fprintf(stderr, "Error resuming session.\n");
2328 return false;
2329 }
2330
2331 // Rewind the clock to before the session was minted.
2332 g_current_time.tv_sec = kStartTime - 1;
2333
2334 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(),
2335 false /* expect session not reused */)) {
2336 fprintf(stderr, "Error resuming session.\n");
2337 return false;
2338 }
2339
2340 // SSL 3.0 cannot renew sessions.
2341 if (version == SSL3_VERSION) {
2342 continue;
2343 }
2344
2345 // Renew the session 10 seconds before expiration.
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2346 time_t new_start_time = kStartTime + timeout - 10;
2347 g_current_time.tv_sec = new_start_time;
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2348 bssl::UniquePtr<SSL_SESSION> new_session =
2349 ExpectSessionRenewed(client_ctx.get(), server_ctx.get(), session.get());
2350 if (!new_session) {
2351 fprintf(stderr, "Error renewing session.\n");
2352 return false;
2353 }
2354
2355 // This new session is not the same object as before.
2356 if (session.get() == new_session.get()) {
2357 fprintf(stderr, "New and old sessions alias.\n");
2358 return false;
2359 }
2360
2361 // Check the sessions have timestamps measured from issuance.
2362 long session_time = 0;
2363 if (server_test) {
2364 if (!GetServerTicketTime(&session_time, new_session.get())) {
2365 fprintf(stderr, "Failed to decode session ticket.\n");
David Benjaminb2e2e322016-11-01 17:32:54 -0400[diff] [blame]2366 return false;
2367 }
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2368 } else {
2369 session_time = new_session->time;
2370 }
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]2371
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2372 if (session_time != g_current_time.tv_sec) {
2373 fprintf(stderr, "New session is not measured from issuance.\n");
2374 return false;
2375 }
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]2376
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2377 if (version == TLS1_3_VERSION) {
2378 // Renewal incorporates fresh key material in TLS 1.3, so we extend the
2379 // lifetime TLS 1.3.
2380 g_current_time.tv_sec = new_start_time + timeout - 1;
2381 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(),
2382 new_session.get(),
2383 true /* expect session reused */)) {
2384 fprintf(stderr, "Error resuming renewed session.\n");
2385 return false;
2386 }
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]2387
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2388 // The new session expires after the new timeout.
2389 g_current_time.tv_sec = new_start_time + timeout + 1;
2390 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(),
2391 new_session.get(),
2392 false /* expect session ot reused */)) {
2393 fprintf(stderr, "Renewed session's lifetime is too long.\n");
2394 return false;
2395 }
2396
2397 // Renew the session until it begins just past the auth timeout.
2398 time_t auth_end_time = kStartTime + SSL_DEFAULT_SESSION_AUTH_TIMEOUT;
2399 while (new_start_time < auth_end_time - 1000) {
2400 // Get as close as possible to target start time.
2401 new_start_time =
2402 std::min(auth_end_time - 1000, new_start_time + timeout - 1);
2403 g_current_time.tv_sec = new_start_time;
2404 new_session = ExpectSessionRenewed(client_ctx.get(), server_ctx.get(),
2405 new_session.get());
2406 if (!new_session) {
2407 fprintf(stderr, "Error renewing session.\n");
2408 return false;
2409 }
2410 }
2411
2412 // Now the session's lifetime is bound by the auth timeout.
2413 g_current_time.tv_sec = auth_end_time - 1;
2414 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(),
2415 new_session.get(),
2416 true /* expect session reused */)) {
2417 fprintf(stderr, "Error resuming renewed session.\n");
2418 return false;
2419 }
2420
2421 g_current_time.tv_sec = auth_end_time + 1;
2422 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(),
2423 new_session.get(),
2424 false /* expect session ot reused */)) {
2425 fprintf(stderr, "Renewed session's lifetime is too long.\n");
2426 return false;
2427 }
2428 } else {
2429 // The new session is usable just before the old expiration.
2430 g_current_time.tv_sec = kStartTime + timeout - 1;
2431 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(),
2432 new_session.get(),
2433 true /* expect session reused */)) {
2434 fprintf(stderr, "Error resuming renewed session.\n");
2435 return false;
2436 }
2437
2438 // Renewal does not extend the lifetime, so it is not usable beyond the
2439 // old expiration.
2440 g_current_time.tv_sec = kStartTime + timeout + 1;
2441 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(),
2442 new_session.get(),
2443 false /* expect session not reused */)) {
2444 fprintf(stderr, "Renewed session's lifetime is too long.\n");
2445 return false;
2446 }
David Benjamin1b22f852016-10-27 16:36:32 -0400[diff] [blame]2447 }
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]2448 }
2449
2450 return true;
2451}
2452
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2453static int SwitchContext(SSL *ssl, int *out_alert, void *arg) {
2454 SSL_CTX *ctx = reinterpret_cast<SSL_CTX*>(arg);
2455 SSL_set_SSL_CTX(ssl, ctx);
2456 return SSL_TLSEXT_ERR_OK;
2457}
2458
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2459static bool TestSNICallback(bool is_dtls, const SSL_METHOD *method,
2460 uint16_t version) {
2461 // SSL 3.0 lacks extensions.
2462 if (version == SSL3_VERSION) {
2463 return true;
2464 }
2465
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2466 bssl::UniquePtr<X509> cert = GetTestCertificate();
2467 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
2468 bssl::UniquePtr<X509> cert2 = GetECDSATestCertificate();
2469 bssl::UniquePtr<EVP_PKEY> key2 = GetECDSATestKey();
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2470 if (!cert || !key || !cert2 || !key2) {
2471 return false;
2472 }
2473
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2474 // Test that switching the |SSL_CTX| at the SNI callback behaves correctly.
2475 static const uint16_t kECDSAWithSHA256 = SSL_SIGN_ECDSA_SECP256R1_SHA256;
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2476
David Benjamin83a32122017-02-14 18:34:54 -0500[diff] [blame]2477 static const uint8_t kSCTList[] = {0, 6, 0, 4, 5, 6, 7, 8};
2478 static const uint8_t kOCSPResponse[] = {1, 2, 3, 4};
2479
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2480 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method));
2481 bssl::UniquePtr<SSL_CTX> server_ctx2(SSL_CTX_new(method));
2482 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method));
2483 if (!server_ctx || !server_ctx2 || !client_ctx ||
2484 !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) ||
2485 !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()) ||
2486 !SSL_CTX_use_certificate(server_ctx2.get(), cert2.get()) ||
2487 !SSL_CTX_use_PrivateKey(server_ctx2.get(), key2.get()) ||
David Benjamin83a32122017-02-14 18:34:54 -0500[diff] [blame]2488 !SSL_CTX_set_signed_cert_timestamp_list(server_ctx2.get(), kSCTList,
2489 sizeof(kSCTList)) ||
2490 !SSL_CTX_set_ocsp_response(server_ctx2.get(), kOCSPResponse,
2491 sizeof(kOCSPResponse)) ||
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2492 // Historically signing preferences would be lost in some cases with the
2493 // SNI callback, which triggers the TLS 1.2 SHA-1 default. To ensure
2494 // this doesn't happen when |version| is TLS 1.2, configure the private
2495 // key to only sign SHA-256.
2496 !SSL_CTX_set_signing_algorithm_prefs(server_ctx2.get(), &kECDSAWithSHA256,
2497 1) ||
2498 !SSL_CTX_set_min_proto_version(client_ctx.get(), version) ||
2499 !SSL_CTX_set_max_proto_version(client_ctx.get(), version) ||
2500 !SSL_CTX_set_min_proto_version(server_ctx.get(), version) ||
2501 !SSL_CTX_set_max_proto_version(server_ctx.get(), version) ||
2502 !SSL_CTX_set_min_proto_version(server_ctx2.get(), version) ||
2503 !SSL_CTX_set_max_proto_version(server_ctx2.get(), version)) {
2504 return false;
2505 }
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2506
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2507 SSL_CTX_set_tlsext_servername_callback(server_ctx.get(), SwitchContext);
2508 SSL_CTX_set_tlsext_servername_arg(server_ctx.get(), server_ctx2.get());
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2509
David Benjamin83a32122017-02-14 18:34:54 -0500[diff] [blame]2510 SSL_CTX_enable_signed_cert_timestamps(client_ctx.get());
2511 SSL_CTX_enable_ocsp_stapling(client_ctx.get());
2512
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2513 bssl::UniquePtr<SSL> client, server;
2514 if (!ConnectClientAndServer(&client, &server, client_ctx.get(),
2515 server_ctx.get(), nullptr)) {
2516 fprintf(stderr, "Handshake failed.\n");
2517 return false;
2518 }
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2519
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2520 // The client should have received |cert2|.
2521 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(client.get()));
2522 if (!peer || X509_cmp(peer.get(), cert2.get()) != 0) {
2523 fprintf(stderr, "Incorrect certificate received.\n");
2524 return false;
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2525 }
2526
David Benjamin83a32122017-02-14 18:34:54 -0500[diff] [blame]2527 // The client should have received |server_ctx2|'s SCT list.
2528 const uint8_t *data;
2529 size_t len;
2530 SSL_get0_signed_cert_timestamp_list(client.get(), &data, &len);
2531 if (Bytes(kSCTList) != Bytes(data, len)) {
2532 fprintf(stderr, "Incorrect SCT list received.\n");
2533 return false;
2534 }
2535
2536 // The client should have received |server_ctx2|'s OCSP response.
2537 SSL_get0_ocsp_response(client.get(), &data, &len);
2538 if (Bytes(kOCSPResponse) != Bytes(data, len)) {
2539 fprintf(stderr, "Incorrect OCSP response received.\n");
2540 return false;
2541 }
2542
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2543 return true;
2544}
2545
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2546// Test that the early callback can swap the maximum version.
2547TEST(SSLTest, EarlyCallbackVersionSwitch) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2548 bssl::UniquePtr<X509> cert = GetTestCertificate();
2549 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
2550 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
2551 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2552 ASSERT_TRUE(cert);
2553 ASSERT_TRUE(key);
2554 ASSERT_TRUE(server_ctx);
2555 ASSERT_TRUE(client_ctx);
2556 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
2557 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
2558 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION));
2559 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
David Benjamin99620572016-08-30 00:35:36 -0400[diff] [blame]2560
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2561 SSL_CTX_set_select_certificate_cb(
Alessandro Ghedini57e81e62017-03-14 23:36:00 +0000[diff] [blame]2562 server_ctx.get(),
2563 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2564 if (!SSL_set_max_proto_version(client_hello->ssl, TLS1_2_VERSION)) {
Alessandro Ghedini57e81e62017-03-14 23:36:00 +0000[diff] [blame]2565 return ssl_select_cert_error;
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2566 }
2567
Alessandro Ghedini57e81e62017-03-14 23:36:00 +0000[diff] [blame]2568 return ssl_select_cert_success;
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2569 });
David Benjamin99620572016-08-30 00:35:36 -0400[diff] [blame]2570
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2571 bssl::UniquePtr<SSL> client, server;
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2572 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
2573 server_ctx.get(), nullptr));
2574 EXPECT_EQ(TLS1_2_VERSION, SSL_version(client.get()));
David Benjamin99620572016-08-30 00:35:36 -0400[diff] [blame]2575}
2576
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2577TEST(SSLTest, SetVersion) {
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2578 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2579 ASSERT_TRUE(ctx);
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2580
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2581 // Set valid TLS versions.
2582 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_VERSION));
2583 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_1_VERSION));
2584 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_VERSION));
2585 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_1_VERSION));
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2586
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2587 // Invalid TLS versions are rejected.
2588 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), DTLS1_VERSION));
2589 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0x0200));
2590 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0x1234));
2591 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), DTLS1_VERSION));
2592 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x0200));
2593 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x1234));
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2594
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2595 // Zero is the default version.
2596 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), 0));
David Benjaminfc08dfc2017-06-20 14:39:32 -0400[diff] [blame]2597 EXPECT_EQ(TLS1_2_VERSION, ctx->conf_max_version);
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2598 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), 0));
David Benjaminfc08dfc2017-06-20 14:39:32 -0400[diff] [blame]2599 EXPECT_EQ(TLS1_VERSION, ctx->conf_min_version);
David Benjamin3cfeb952017-03-01 16:48:38 -0500[diff] [blame]2600
2601 // SSL 3.0 and TLS 1.3 are available, but not by default.
2602 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), SSL3_VERSION));
David Benjaminfc08dfc2017-06-20 14:39:32 -0400[diff] [blame]2603 EXPECT_EQ(SSL3_VERSION, ctx->conf_min_version);
David Benjamin3cfeb952017-03-01 16:48:38 -0500[diff] [blame]2604 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_3_VERSION));
David Benjaminfc08dfc2017-06-20 14:39:32 -0400[diff] [blame]2605 EXPECT_EQ(TLS1_3_VERSION, ctx->conf_max_version);
David Benjamine34bcc92016-09-21 16:53:09 -0400[diff] [blame]2606
David Benjamin353577c2017-06-29 15:54:58 -0400[diff] [blame]2607 // TLS1_3_DRAFT_VERSION is not an API-level version.
2608 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_3_DRAFT_VERSION));
2609 ERR_clear_error();
2610
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2611 ctx.reset(SSL_CTX_new(DTLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2612 ASSERT_TRUE(ctx);
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2613
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2614 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), DTLS1_VERSION));
2615 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), DTLS1_2_VERSION));
2616 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), DTLS1_VERSION));
2617 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), DTLS1_2_VERSION));
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2618
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2619 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_VERSION));
2620 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0xfefe /* DTLS 1.1 */));
2621 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0xfffe /* DTLS 0.1 */));
2622 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0x1234));
2623 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_VERSION));
2624 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0xfefe /* DTLS 1.1 */));
2625 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0xfffe /* DTLS 0.1 */));
2626 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x1234));
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2627
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2628 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), 0));
David Benjaminfc08dfc2017-06-20 14:39:32 -0400[diff] [blame]2629 EXPECT_EQ(TLS1_2_VERSION, ctx->conf_max_version);
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2630 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), 0));
David Benjaminfc08dfc2017-06-20 14:39:32 -0400[diff] [blame]2631 EXPECT_EQ(TLS1_1_VERSION, ctx->conf_min_version);
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2632}
2633
David Benjamin458334a2016-12-15 13:53:25 -0500[diff] [blame]2634static const char *GetVersionName(uint16_t version) {
2635 switch (version) {
2636 case SSL3_VERSION:
2637 return "SSLv3";
2638 case TLS1_VERSION:
2639 return "TLSv1";
2640 case TLS1_1_VERSION:
2641 return "TLSv1.1";
2642 case TLS1_2_VERSION:
2643 return "TLSv1.2";
2644 case TLS1_3_VERSION:
2645 return "TLSv1.3";
2646 case DTLS1_VERSION:
2647 return "DTLSv1";
2648 case DTLS1_2_VERSION:
2649 return "DTLSv1.2";
2650 default:
2651 return "???";
2652 }
2653}
2654
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2655static bool TestVersion(bool is_dtls, const SSL_METHOD *method,
2656 uint16_t version) {
David Benjamincb18ac22016-09-27 14:09:15 -0400[diff] [blame]2657 bssl::UniquePtr<X509> cert = GetTestCertificate();
2658 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
2659 if (!cert || !key) {
2660 return false;
2661 }
2662
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2663 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method));
2664 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method));
2665 bssl::UniquePtr<SSL> client, server;
2666 if (!server_ctx || !client_ctx ||
2667 !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) ||
2668 !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()) ||
2669 !SSL_CTX_set_min_proto_version(client_ctx.get(), version) ||
2670 !SSL_CTX_set_max_proto_version(client_ctx.get(), version) ||
2671 !SSL_CTX_set_min_proto_version(server_ctx.get(), version) ||
2672 !SSL_CTX_set_max_proto_version(server_ctx.get(), version) ||
2673 !ConnectClientAndServer(&client, &server, client_ctx.get(),
2674 server_ctx.get(), nullptr /* no session */)) {
2675 fprintf(stderr, "Failed to connect.\n");
2676 return false;
2677 }
David Benjamincb18ac22016-09-27 14:09:15 -0400[diff] [blame]2678
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2679 if (SSL_version(client.get()) != version ||
2680 SSL_version(server.get()) != version) {
2681 fprintf(stderr, "Version mismatch. Got %04x and %04x, wanted %04x.\n",
2682 SSL_version(client.get()), SSL_version(server.get()), version);
2683 return false;
David Benjamincb18ac22016-09-27 14:09:15 -0400[diff] [blame]2684 }
2685
David Benjamin458334a2016-12-15 13:53:25 -0500[diff] [blame]2686 // Test the version name is reported as expected.
2687 const char *version_name = GetVersionName(version);
2688 if (strcmp(version_name, SSL_get_version(client.get())) != 0 ||
2689 strcmp(version_name, SSL_get_version(server.get())) != 0) {
2690 fprintf(stderr, "Version name mismatch. Got '%s' and '%s', wanted '%s'.\n",
2691 SSL_get_version(client.get()), SSL_get_version(server.get()),
2692 version_name);
2693 return false;
2694 }
2695
2696 // Test SSL_SESSION reports the same name.
2697 const char *client_name =
2698 SSL_SESSION_get_version(SSL_get_session(client.get()));
2699 const char *server_name =
2700 SSL_SESSION_get_version(SSL_get_session(server.get()));
2701 if (strcmp(version_name, client_name) != 0 ||
2702 strcmp(version_name, server_name) != 0) {
2703 fprintf(stderr,
2704 "Session version name mismatch. Got '%s' and '%s', wanted '%s'.\n",
2705 client_name, server_name, version_name);
2706 return false;
2707 }
2708
David Benjamincb18ac22016-09-27 14:09:15 -0400[diff] [blame]2709 return true;
2710}
2711
David Benjamin9ef31f02016-10-31 18:01:13 -0400[diff] [blame]2712// Tests that that |SSL_get_pending_cipher| is available during the ALPN
2713// selection callback.
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2714static bool TestALPNCipherAvailable(bool is_dtls, const SSL_METHOD *method,
2715 uint16_t version) {
2716 // SSL 3.0 lacks extensions.
2717 if (version == SSL3_VERSION) {
2718 return true;
2719 }
2720
David Benjamin9ef31f02016-10-31 18:01:13 -0400[diff] [blame]2721 static const uint8_t kALPNProtos[] = {0x03, 'f', 'o', 'o'};
2722
2723 bssl::UniquePtr<X509> cert = GetTestCertificate();
2724 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
2725 if (!cert || !key) {
2726 return false;
2727 }
2728
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2729 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method));
2730 if (!ctx || !SSL_CTX_use_certificate(ctx.get(), cert.get()) ||
2731 !SSL_CTX_use_PrivateKey(ctx.get(), key.get()) ||
2732 !SSL_CTX_set_min_proto_version(ctx.get(), version) ||
2733 !SSL_CTX_set_max_proto_version(ctx.get(), version) ||
2734 SSL_CTX_set_alpn_protos(ctx.get(), kALPNProtos, sizeof(kALPNProtos)) !=
2735 0) {
2736 return false;
2737 }
2738
2739 // The ALPN callback does not fail the handshake on error, so have the
2740 // callback write a boolean.
2741 std::pair<uint16_t, bool> callback_state(version, false);
2742 SSL_CTX_set_alpn_select_cb(
2743 ctx.get(),
2744 [](SSL *ssl, const uint8_t **out, uint8_t *out_len, const uint8_t *in,
2745 unsigned in_len, void *arg) -> int {
2746 auto state = reinterpret_cast<std::pair<uint16_t, bool> *>(arg);
2747 if (SSL_get_pending_cipher(ssl) != nullptr &&
2748 SSL_version(ssl) == state->first) {
2749 state->second = true;
2750 }
2751 return SSL_TLSEXT_ERR_NOACK;
2752 },
2753 &callback_state);
2754
2755 bssl::UniquePtr<SSL> client, server;
2756 if (!ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
2757 nullptr /* no session */)) {
2758 return false;
2759 }
2760
2761 if (!callback_state.second) {
2762 fprintf(stderr, "The pending cipher was not known in the ALPN callback.\n");
2763 return false;
2764 }
2765
2766 return true;
2767}
2768
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]2769static bool TestSSLClearSessionResumption(bool is_dtls,
2770 const SSL_METHOD *method,
2771 uint16_t version) {
2772 // Skip this for TLS 1.3. TLS 1.3's ticket mechanism is incompatible with this
2773 // API pattern.
2774 if (version == TLS1_3_VERSION) {
2775 return true;
2776 }
2777
2778 bssl::UniquePtr<X509> cert = GetTestCertificate();
2779 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
2780 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method));
2781 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method));
2782 if (!cert || !key || !server_ctx || !client_ctx ||
2783 !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) ||
2784 !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()) ||
2785 !SSL_CTX_set_min_proto_version(client_ctx.get(), version) ||
2786 !SSL_CTX_set_max_proto_version(client_ctx.get(), version) ||
2787 !SSL_CTX_set_min_proto_version(server_ctx.get(), version) ||
2788 !SSL_CTX_set_max_proto_version(server_ctx.get(), version)) {
2789 return false;
2790 }
2791
2792 // Connect a client and a server.
2793 bssl::UniquePtr<SSL> client, server;
2794 if (!ConnectClientAndServer(&client, &server, client_ctx.get(),
2795 server_ctx.get(), nullptr /* no session */)) {
2796 return false;
2797 }
2798
2799 if (SSL_session_reused(client.get()) ||
2800 SSL_session_reused(server.get())) {
2801 fprintf(stderr, "Session unexpectedly reused.\n");
2802 return false;
2803 }
2804
2805 // Reset everything.
2806 if (!SSL_clear(client.get()) ||
2807 !SSL_clear(server.get())) {
2808 fprintf(stderr, "SSL_clear failed.\n");
2809 return false;
2810 }
2811
2812 // Attempt to connect a second time.
2813 if (!CompleteHandshakes(client.get(), server.get())) {
2814 fprintf(stderr, "Could not reuse SSL objects.\n");
2815 return false;
2816 }
2817
2818 // |SSL_clear| should implicitly offer the previous session to the server.
2819 if (!SSL_session_reused(client.get()) ||
2820 !SSL_session_reused(server.get())) {
2821 fprintf(stderr, "Session was not reused in second try.\n");
2822 return false;
2823 }
2824
2825 return true;
2826}
2827
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]2828static bool ChainsEqual(STACK_OF(X509) *chain,
2829 const std::vector<X509 *> &expected) {
2830 if (sk_X509_num(chain) != expected.size()) {
2831 return false;
2832 }
2833
2834 for (size_t i = 0; i < expected.size(); i++) {
2835 if (X509_cmp(sk_X509_value(chain, i), expected[i]) != 0) {
2836 return false;
2837 }
2838 }
2839
2840 return true;
2841}
2842
2843static bool TestAutoChain(bool is_dtls, const SSL_METHOD *method,
2844 uint16_t version) {
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]2845 bssl::UniquePtr<X509> cert = GetChainTestCertificate();
2846 bssl::UniquePtr<X509> intermediate = GetChainTestIntermediate();
2847 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
2848 if (!cert || !intermediate || !key) {
2849 return false;
2850 }
2851
2852 // Configure both client and server to accept any certificate. Add
2853 // |intermediate| to the cert store.
2854 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method));
2855 if (!ctx ||
2856 !SSL_CTX_use_certificate(ctx.get(), cert.get()) ||
2857 !SSL_CTX_use_PrivateKey(ctx.get(), key.get()) ||
2858 !SSL_CTX_set_min_proto_version(ctx.get(), version) ||
2859 !SSL_CTX_set_max_proto_version(ctx.get(), version) ||
2860 !X509_STORE_add_cert(SSL_CTX_get_cert_store(ctx.get()),
2861 intermediate.get())) {
2862 return false;
2863 }
2864 SSL_CTX_set_verify(
2865 ctx.get(), SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nullptr);
2866 SSL_CTX_set_cert_verify_callback(ctx.get(), VerifySucceed, NULL);
2867
2868 // By default, the client and server should each only send the leaf.
2869 bssl::UniquePtr<SSL> client, server;
2870 if (!ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
2871 nullptr /* no session */)) {
2872 return false;
2873 }
2874
2875 if (!ChainsEqual(SSL_get_peer_full_cert_chain(client.get()), {cert.get()})) {
2876 fprintf(stderr, "Client-received chain did not match.\n");
2877 return false;
2878 }
2879
2880 if (!ChainsEqual(SSL_get_peer_full_cert_chain(server.get()), {cert.get()})) {
2881 fprintf(stderr, "Server-received chain did not match.\n");
2882 return false;
2883 }
2884
2885 // If auto-chaining is enabled, then the intermediate is sent.
2886 SSL_CTX_clear_mode(ctx.get(), SSL_MODE_NO_AUTO_CHAIN);
2887 if (!ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
2888 nullptr /* no session */)) {
2889 return false;
2890 }
2891
2892 if (!ChainsEqual(SSL_get_peer_full_cert_chain(client.get()),
2893 {cert.get(), intermediate.get()})) {
2894 fprintf(stderr, "Client-received chain did not match (auto-chaining).\n");
2895 return false;
2896 }
2897
2898 if (!ChainsEqual(SSL_get_peer_full_cert_chain(server.get()),
2899 {cert.get(), intermediate.get()})) {
2900 fprintf(stderr, "Server-received chain did not match (auto-chaining).\n");
2901 return false;
2902 }
2903
2904 // Auto-chaining does not override explicitly-configured intermediates.
2905 if (!SSL_CTX_add1_chain_cert(ctx.get(), cert.get()) ||
2906 !ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
2907 nullptr /* no session */)) {
2908 return false;
2909 }
2910
2911 if (!ChainsEqual(SSL_get_peer_full_cert_chain(client.get()),
2912 {cert.get(), cert.get()})) {
2913 fprintf(stderr,
2914 "Client-received chain did not match (auto-chaining, explicit "
2915 "intermediate).\n");
2916 return false;
2917 }
2918
2919 if (!ChainsEqual(SSL_get_peer_full_cert_chain(server.get()),
2920 {cert.get(), cert.get()})) {
2921 fprintf(stderr,
2922 "Server-received chain did not match (auto-chaining, explicit "
2923 "intermediate).\n");
2924 return false;
2925 }
2926
2927 return true;
2928}
2929
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]2930static bool ExpectBadWriteRetry() {
2931 int err = ERR_get_error();
2932 if (ERR_GET_LIB(err) != ERR_LIB_SSL ||
2933 ERR_GET_REASON(err) != SSL_R_BAD_WRITE_RETRY) {
2934 char buf[ERR_ERROR_STRING_BUF_LEN];
2935 ERR_error_string_n(err, buf, sizeof(buf));
2936 fprintf(stderr, "Wanted SSL_R_BAD_WRITE_RETRY, got: %s.\n", buf);
2937 return false;
2938 }
2939
2940 if (ERR_peek_error() != 0) {
2941 fprintf(stderr, "Unexpected error following SSL_R_BAD_WRITE_RETRY.\n");
2942 return false;
2943 }
2944
2945 return true;
2946}
2947
2948static bool TestSSLWriteRetry(bool is_dtls, const SSL_METHOD *method,
2949 uint16_t version) {
2950 if (is_dtls) {
2951 return true;
2952 }
2953
2954 for (bool enable_partial_write : std::vector<bool>{false, true}) {
2955 // Connect a client and server.
2956 bssl::UniquePtr<X509> cert = GetTestCertificate();
2957 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
2958 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method));
2959 bssl::UniquePtr<SSL> client, server;
2960 if (!cert || !key || !ctx ||
2961 !SSL_CTX_use_certificate(ctx.get(), cert.get()) ||
2962 !SSL_CTX_use_PrivateKey(ctx.get(), key.get()) ||
2963 !SSL_CTX_set_min_proto_version(ctx.get(), version) ||
2964 !SSL_CTX_set_max_proto_version(ctx.get(), version) ||
2965 !ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
2966 nullptr /* no session */)) {
2967 return false;
2968 }
2969
2970 if (enable_partial_write) {
2971 SSL_set_mode(client.get(), SSL_MODE_ENABLE_PARTIAL_WRITE);
2972 }
2973
2974 // Write without reading until the buffer is full and we have an unfinished
2975 // write. Keep a count so we may reread it again later. "hello!" will be
2976 // written in two chunks, "hello" and "!".
2977 char data[] = "hello!";
2978 static const int kChunkLen = 5; // The length of "hello".
2979 unsigned count = 0;
2980 for (;;) {
2981 int ret = SSL_write(client.get(), data, kChunkLen);
2982 if (ret <= 0) {
2983 int err = SSL_get_error(client.get(), ret);
2984 if (SSL_get_error(client.get(), ret) == SSL_ERROR_WANT_WRITE) {
2985 break;
2986 }
2987 fprintf(stderr, "SSL_write failed in unexpected way: %d\n", err);
2988 return false;
2989 }
2990
2991 if (ret != 5) {
2992 fprintf(stderr, "SSL_write wrote %d bytes, expected 5.\n", ret);
2993 return false;
2994 }
2995
2996 count++;
2997 }
2998
2999 // Retrying with the same parameters is legal.
3000 if (SSL_get_error(client.get(), SSL_write(client.get(), data, kChunkLen)) !=
3001 SSL_ERROR_WANT_WRITE) {
3002 fprintf(stderr, "SSL_write retry unexpectedly failed.\n");
3003 return false;
3004 }
3005
3006 // Retrying with the same buffer but shorter length is not legal.
3007 if (SSL_get_error(client.get(),
3008 SSL_write(client.get(), data, kChunkLen - 1)) !=
3009 SSL_ERROR_SSL ||
3010 !ExpectBadWriteRetry()) {
3011 fprintf(stderr, "SSL_write retry did not fail as expected.\n");
3012 return false;
3013 }
3014
3015 // Retrying with a different buffer pointer is not legal.
3016 char data2[] = "hello";
3017 if (SSL_get_error(client.get(), SSL_write(client.get(), data2,
3018 kChunkLen)) != SSL_ERROR_SSL ||
3019 !ExpectBadWriteRetry()) {
3020 fprintf(stderr, "SSL_write retry did not fail as expected.\n");
3021 return false;
3022 }
3023
3024 // With |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER|, the buffer may move.
3025 SSL_set_mode(client.get(), SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
3026 if (SSL_get_error(client.get(),
3027 SSL_write(client.get(), data2, kChunkLen)) !=
3028 SSL_ERROR_WANT_WRITE) {
3029 fprintf(stderr, "SSL_write retry unexpectedly failed.\n");
3030 return false;
3031 }
3032
3033 // |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER| does not disable length checks.
3034 if (SSL_get_error(client.get(),
3035 SSL_write(client.get(), data2, kChunkLen - 1)) !=
3036 SSL_ERROR_SSL ||
3037 !ExpectBadWriteRetry()) {
3038 fprintf(stderr, "SSL_write retry did not fail as expected.\n");
3039 return false;
3040 }
3041
3042 // Retrying with a larger buffer is legal.
3043 if (SSL_get_error(client.get(),
3044 SSL_write(client.get(), data, kChunkLen + 1)) !=
3045 SSL_ERROR_WANT_WRITE) {
3046 fprintf(stderr, "SSL_write retry unexpectedly failed.\n");
3047 return false;
3048 }
3049
3050 // Drain the buffer.
3051 char buf[20];
3052 for (unsigned i = 0; i < count; i++) {
3053 if (SSL_read(server.get(), buf, sizeof(buf)) != kChunkLen ||
3054 OPENSSL_memcmp(buf, "hello", kChunkLen) != 0) {
3055 fprintf(stderr, "Failed to read initial records.\n");
3056 return false;
3057 }
3058 }
3059
3060 // Now that there is space, a retry with a larger buffer should flush the
3061 // pending record, skip over that many bytes of input (on assumption they
3062 // are the same), and write the remainder. If SSL_MODE_ENABLE_PARTIAL_WRITE
3063 // is set, this will complete in two steps.
3064 char data3[] = "_____!";
3065 if (enable_partial_write) {
3066 if (SSL_write(client.get(), data3, kChunkLen + 1) != kChunkLen ||
3067 SSL_write(client.get(), data3 + kChunkLen, 1) != 1) {
3068 fprintf(stderr, "SSL_write retry failed.\n");
3069 return false;
3070 }
3071 } else if (SSL_write(client.get(), data3, kChunkLen + 1) != kChunkLen + 1) {
3072 fprintf(stderr, "SSL_write retry failed.\n");
3073 return false;
3074 }
3075
3076 // Check the last write was correct. The data will be spread over two
3077 // records, so SSL_read returns twice.
3078 if (SSL_read(server.get(), buf, sizeof(buf)) != kChunkLen ||
3079 OPENSSL_memcmp(buf, "hello", kChunkLen) != 0 ||
3080 SSL_read(server.get(), buf, sizeof(buf)) != 1 ||
3081 buf[0] != '!') {
3082 fprintf(stderr, "Failed to read write retry.\n");
3083 return false;
3084 }
3085 }
3086
3087 return true;
3088}
3089
David Benjamin5df5be12017-06-22 19:43:11 -0400[diff] [blame]3090static bool TestRecordCallback(bool is_dtls, const SSL_METHOD *method,
3091 uint16_t version) {
3092 bssl::UniquePtr<X509> cert = GetChainTestCertificate();
3093 bssl::UniquePtr<X509> intermediate = GetChainTestIntermediate();
3094 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
3095 if (!cert || !intermediate || !key) {
3096 return false;
3097 }
3098
3099 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method));
3100 if (!ctx ||
3101 !SSL_CTX_use_certificate(ctx.get(), cert.get()) ||
3102 !SSL_CTX_use_PrivateKey(ctx.get(), key.get()) ||
3103 !SSL_CTX_set_min_proto_version(ctx.get(), version) ||
3104 !SSL_CTX_set_max_proto_version(ctx.get(), version)) {
3105 return false;
3106 }
3107
3108 bool read_seen = false;
3109 bool write_seen = false;
3110 auto cb = [&](int is_write, int cb_version, int cb_type, const void *buf,
3111 size_t len, SSL *ssl) {
3112 if (cb_type != SSL3_RT_HEADER) {
3113 return;
3114 }
3115
3116 // The callback does not report a version for records.
3117 EXPECT_EQ(0, cb_version);
3118
3119 if (is_write) {
3120 write_seen = true;
3121 } else {
3122 read_seen = true;
3123 }
3124
3125 // Sanity-check that the record header is plausible.
3126 CBS cbs;
3127 CBS_init(&cbs, reinterpret_cast<const uint8_t *>(buf), len);
3128 uint8_t type;
3129 uint16_t record_version, length;
3130 ASSERT_TRUE(CBS_get_u8(&cbs, &type));
3131 ASSERT_TRUE(CBS_get_u16(&cbs, &record_version));
3132 EXPECT_TRUE(record_version == version ||
3133 record_version == (is_dtls ? DTLS1_VERSION : TLS1_VERSION))
3134 << "Invalid record version: " << record_version;
3135 if (is_dtls) {
3136 uint16_t epoch;
3137 ASSERT_TRUE(CBS_get_u16(&cbs, &epoch));
3138 EXPECT_TRUE(epoch == 0 || epoch == 1) << "Invalid epoch: " << epoch;
3139 ASSERT_TRUE(CBS_skip(&cbs, 6));
3140 }
3141 ASSERT_TRUE(CBS_get_u16(&cbs, &length));
3142 EXPECT_EQ(0u, CBS_len(&cbs));
3143 };
3144 using CallbackType = decltype(cb);
3145 SSL_CTX_set_msg_callback(
3146 ctx.get(), [](int is_write, int cb_version, int cb_type, const void *buf,
3147 size_t len, SSL *ssl, void *arg) {
3148 CallbackType *cb_ptr = reinterpret_cast<CallbackType *>(arg);
3149 (*cb_ptr)(is_write, cb_version, cb_type, buf, len, ssl);
3150 });
3151 SSL_CTX_set_msg_callback_arg(ctx.get(), &cb);
3152
3153 bssl::UniquePtr<SSL> client, server;
3154 if (!ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
3155 nullptr /* no session */)) {
3156 return false;
3157 }
3158
3159 EXPECT_TRUE(read_seen);
3160 EXPECT_TRUE(write_seen);
3161 return true;
3162}
3163
3164
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3165static bool ForEachVersion(bool (*test_func)(bool is_dtls,
3166 const SSL_METHOD *method,
3167 uint16_t version)) {
3168 static uint16_t kTLSVersions[] = {
David Benjamin3b584332017-01-24 22:47:18 -0500[diff] [blame]3169 SSL3_VERSION,
3170 TLS1_VERSION,
3171 TLS1_1_VERSION,
3172 TLS1_2_VERSION,
3173// TLS 1.3 requires RSA-PSS, which is disabled for Android system builds.
3174#if !defined(BORINGSSL_ANDROID_SYSTEM)
3175 TLS1_3_VERSION,
3176#endif
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3177 };
3178
3179 static uint16_t kDTLSVersions[] = {
3180 DTLS1_VERSION, DTLS1_2_VERSION,
3181 };
3182
David Benjamin9ef31f02016-10-31 18:01:13 -0400[diff] [blame]3183 for (uint16_t version : kTLSVersions) {
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3184 if (!test_func(false, TLS_method(), version)) {
3185 fprintf(stderr, "Test failed at TLS version %04x.\n", version);
David Benjamin9ef31f02016-10-31 18:01:13 -0400[diff] [blame]3186 return false;
3187 }
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3188 }
David Benjamin9ef31f02016-10-31 18:01:13 -0400[diff] [blame]3189
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3190 for (uint16_t version : kDTLSVersions) {
3191 if (!test_func(true, DTLS_method(), version)) {
3192 fprintf(stderr, "Test failed at DTLS version %04x.\n", version);
David Benjamin9ef31f02016-10-31 18:01:13 -0400[diff] [blame]3193 return false;
3194 }
3195 }
3196
3197 return true;
3198}
3199
Adam Langleye1e78132017-01-31 15:24:31 -0800[diff] [blame]3200TEST(SSLTest, AddChainCertHack) {
3201 // Ensure that we don't accidently break the hack that we have in place to
3202 // keep curl and serf happy when they use an |X509| even after transfering
3203 // ownership.
3204
3205 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
3206 ASSERT_TRUE(ctx);
3207 X509 *cert = GetTestCertificate().release();
3208 ASSERT_TRUE(cert);
3209 SSL_CTX_add0_chain_cert(ctx.get(), cert);
3210
3211 // This should not trigger a use-after-free.
3212 X509_cmp(cert, cert);
3213}
3214
David Benjaminb2ff2622017-02-03 17:06:18 -0500[diff] [blame]3215TEST(SSLTest, GetCertificate) {
3216 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
3217 ASSERT_TRUE(ctx);
3218 bssl::UniquePtr<X509> cert = GetTestCertificate();
3219 ASSERT_TRUE(cert);
3220 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), cert.get()));
3221 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
3222 ASSERT_TRUE(ssl);
3223
3224 X509 *cert2 = SSL_CTX_get0_certificate(ctx.get());
3225 ASSERT_TRUE(cert2);
3226 X509 *cert3 = SSL_get_certificate(ssl.get());
3227 ASSERT_TRUE(cert3);
3228
3229 // The old and new certificates must be identical.
3230 EXPECT_EQ(0, X509_cmp(cert.get(), cert2));
3231 EXPECT_EQ(0, X509_cmp(cert.get(), cert3));
3232
3233 uint8_t *der = nullptr;
3234 long der_len = i2d_X509(cert.get(), &der);
3235 ASSERT_LT(0, der_len);
3236 bssl::UniquePtr<uint8_t> free_der(der);
3237
3238 uint8_t *der2 = nullptr;
3239 long der2_len = i2d_X509(cert2, &der2);
3240 ASSERT_LT(0, der2_len);
3241 bssl::UniquePtr<uint8_t> free_der2(der2);
3242
3243 uint8_t *der3 = nullptr;
3244 long der3_len = i2d_X509(cert3, &der3);
3245 ASSERT_LT(0, der3_len);
3246 bssl::UniquePtr<uint8_t> free_der3(der3);
3247
3248 // They must also encode identically.
David Benjamin7d7554b2017-02-04 11:48:59 -0500[diff] [blame]3249 EXPECT_EQ(Bytes(der, der_len), Bytes(der2, der2_len));
3250 EXPECT_EQ(Bytes(der, der_len), Bytes(der3, der3_len));
David Benjaminb2ff2622017-02-03 17:06:18 -0500[diff] [blame]3251}
3252
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]3253TEST(SSLTest, SetChainAndKeyMismatch) {
3254 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_with_buffers_method()));
3255 ASSERT_TRUE(ctx);
3256
3257 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
3258 ASSERT_TRUE(key);
3259 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
3260 ASSERT_TRUE(leaf);
3261 std::vector<CRYPTO_BUFFER*> chain = {
3262 leaf.get(),
3263 };
3264
3265 // Should fail because |GetTestKey| doesn't match the chain-test certificate.
3266 ASSERT_FALSE(SSL_CTX_set_chain_and_key(ctx.get(), &chain[0], chain.size(),
3267 key.get(), nullptr));
3268 ERR_clear_error();
3269}
3270
3271TEST(SSLTest, SetChainAndKey) {
3272 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method()));
3273 ASSERT_TRUE(client_ctx);
3274 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_with_buffers_method()));
3275 ASSERT_TRUE(server_ctx);
3276
3277 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
3278 ASSERT_TRUE(key);
3279 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
3280 ASSERT_TRUE(leaf);
3281 bssl::UniquePtr<CRYPTO_BUFFER> intermediate =
3282 GetChainTestIntermediateBuffer();
3283 ASSERT_TRUE(intermediate);
3284 std::vector<CRYPTO_BUFFER*> chain = {
3285 leaf.get(), intermediate.get(),
3286 };
3287 ASSERT_TRUE(SSL_CTX_set_chain_and_key(server_ctx.get(), &chain[0],
3288 chain.size(), key.get(), nullptr));
3289
David Benjamin3a1dd462017-07-11 16:13:10 -0400[diff] [blame]3290 SSL_CTX_set_custom_verify(
3291 client_ctx.get(), SSL_VERIFY_PEER,
3292 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
3293 return ssl_verify_ok;
3294 });
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]3295
3296 bssl::UniquePtr<SSL> client, server;
3297 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
3298 server_ctx.get(),
3299 nullptr /* no session */));
3300}
3301
David Benjamin71dfad42017-07-16 17:27:39 -0400[diff] [blame]3302TEST(SSLTest, ClientCABuffers) {
3303 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method()));
3304 ASSERT_TRUE(client_ctx);
3305 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_with_buffers_method()));
3306 ASSERT_TRUE(server_ctx);
3307
3308 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
3309 ASSERT_TRUE(key);
3310 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
3311 ASSERT_TRUE(leaf);
3312 bssl::UniquePtr<CRYPTO_BUFFER> intermediate =
3313 GetChainTestIntermediateBuffer();
3314 ASSERT_TRUE(intermediate);
3315 std::vector<CRYPTO_BUFFER *> chain = {
3316 leaf.get(),
3317 intermediate.get(),
3318 };
3319 ASSERT_TRUE(SSL_CTX_set_chain_and_key(server_ctx.get(), &chain[0],
3320 chain.size(), key.get(), nullptr));
3321
3322 bssl::UniquePtr<CRYPTO_BUFFER> ca_name(
3323 CRYPTO_BUFFER_new(kTestName, sizeof(kTestName), nullptr));
3324 ASSERT_TRUE(ca_name);
3325 bssl::UniquePtr<STACK_OF(CRYPTO_BUFFER)> ca_names(
3326 sk_CRYPTO_BUFFER_new_null());
3327 ASSERT_TRUE(ca_names);
3328 ASSERT_TRUE(sk_CRYPTO_BUFFER_push(ca_names.get(), ca_name.get()));
3329 ca_name.release();
3330 SSL_CTX_set0_client_CAs(server_ctx.get(), ca_names.release());
3331
3332 // Configure client and server to accept all certificates.
3333 SSL_CTX_set_custom_verify(
3334 client_ctx.get(), SSL_VERIFY_PEER,
3335 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
3336 return ssl_verify_ok;
3337 });
3338 SSL_CTX_set_custom_verify(
3339 server_ctx.get(), SSL_VERIFY_PEER,
3340 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
3341 return ssl_verify_ok;
3342 });
3343
3344 bool cert_cb_called = false;
3345 SSL_CTX_set_cert_cb(
3346 client_ctx.get(),
3347 [](SSL *ssl, void *arg) -> int {
3348 STACK_OF(CRYPTO_BUFFER) *peer_names =
3349 SSL_get0_server_requested_CAs(ssl);
3350 EXPECT_EQ(1u, sk_CRYPTO_BUFFER_num(peer_names));
3351 CRYPTO_BUFFER *peer_name = sk_CRYPTO_BUFFER_value(peer_names, 0);
3352 EXPECT_EQ(Bytes(kTestName), Bytes(CRYPTO_BUFFER_data(peer_name),
3353 CRYPTO_BUFFER_len(peer_name)));
3354 *reinterpret_cast<bool *>(arg) = true;
3355 return 1;
3356 },
3357 &cert_cb_called);
3358
3359 bssl::UniquePtr<SSL> client, server;
3360 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
3361 server_ctx.get(),
3362 nullptr /* no session */));
3363 EXPECT_TRUE(cert_cb_called);
3364}
3365
David Benjamin91222b82017-03-09 20:10:56 -0500[diff] [blame]3366// Configuring the empty cipher list, though an error, should still modify the
3367// configuration.
3368TEST(SSLTest, EmptyCipherList) {
3369 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
3370 ASSERT_TRUE(ctx);
3371
3372 // Initially, the cipher list is not empty.
3373 EXPECT_NE(0u, sk_SSL_CIPHER_num(SSL_CTX_get_ciphers(ctx.get())));
3374
3375 // Configuring the empty cipher list fails.
3376 EXPECT_FALSE(SSL_CTX_set_cipher_list(ctx.get(), ""));
3377 ERR_clear_error();
3378
3379 // But the cipher list is still updated to empty.
3380 EXPECT_EQ(0u, sk_SSL_CIPHER_num(SSL_CTX_get_ciphers(ctx.get())));
3381}
3382
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]3383// ssl_test_ticket_aead_failure_mode enumerates the possible ways in which the
3384// test |SSL_TICKET_AEAD_METHOD| can fail.
3385enum ssl_test_ticket_aead_failure_mode {
3386 ssl_test_ticket_aead_ok = 0,
3387 ssl_test_ticket_aead_seal_fail,
3388 ssl_test_ticket_aead_open_soft_fail,
3389 ssl_test_ticket_aead_open_hard_fail,
3390};
3391
3392struct ssl_test_ticket_aead_state {
3393 unsigned retry_count;
3394 ssl_test_ticket_aead_failure_mode failure_mode;
3395};
3396
3397static int ssl_test_ticket_aead_ex_index_dup(CRYPTO_EX_DATA *to,
3398 const CRYPTO_EX_DATA *from,
3399 void **from_d, int index,
3400 long argl, void *argp) {
3401 abort();
3402}
3403
3404static void ssl_test_ticket_aead_ex_index_free(void *parent, void *ptr,
3405 CRYPTO_EX_DATA *ad, int index,
3406 long argl, void *argp) {
3407 auto state = reinterpret_cast<ssl_test_ticket_aead_state*>(ptr);
3408 if (state == nullptr) {
3409 return;
3410 }
3411
3412 OPENSSL_free(state);
3413}
3414
3415static CRYPTO_once_t g_ssl_test_ticket_aead_ex_index_once = CRYPTO_ONCE_INIT;
3416static int g_ssl_test_ticket_aead_ex_index;
3417
3418static int ssl_test_ticket_aead_get_ex_index() {
3419 CRYPTO_once(&g_ssl_test_ticket_aead_ex_index_once, [] {
3420 g_ssl_test_ticket_aead_ex_index = SSL_get_ex_new_index(
3421 0, nullptr, nullptr, ssl_test_ticket_aead_ex_index_dup,
3422 ssl_test_ticket_aead_ex_index_free);
3423 });
3424 return g_ssl_test_ticket_aead_ex_index;
3425}
3426
3427static size_t ssl_test_ticket_aead_max_overhead(SSL *ssl) {
3428 return 1;
3429}
3430
3431static int ssl_test_ticket_aead_seal(SSL *ssl, uint8_t *out, size_t *out_len,
3432 size_t max_out_len, const uint8_t *in,
3433 size_t in_len) {
3434 auto state = reinterpret_cast<ssl_test_ticket_aead_state *>(
3435 SSL_get_ex_data(ssl, ssl_test_ticket_aead_get_ex_index()));
3436
3437 if (state->failure_mode == ssl_test_ticket_aead_seal_fail ||
3438 max_out_len < in_len + 1) {
3439 return 0;
3440 }
3441
3442 OPENSSL_memmove(out, in, in_len);
3443 out[in_len] = 0xff;
3444 *out_len = in_len + 1;
3445
3446 return 1;
3447}
3448
3449static ssl_ticket_aead_result_t ssl_test_ticket_aead_open(
3450 SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out_len,
3451 const uint8_t *in, size_t in_len) {
3452 auto state = reinterpret_cast<ssl_test_ticket_aead_state *>(
3453 SSL_get_ex_data(ssl, ssl_test_ticket_aead_get_ex_index()));
3454
3455 if (state->retry_count > 0) {
3456 state->retry_count--;
3457 return ssl_ticket_aead_retry;
3458 }
3459
3460 switch (state->failure_mode) {
3461 case ssl_test_ticket_aead_ok:
3462 break;
3463 case ssl_test_ticket_aead_seal_fail:
3464 // If |seal| failed then there shouldn't be any ticket to try and
3465 // decrypt.
3466 abort();
3467 break;
3468 case ssl_test_ticket_aead_open_soft_fail:
3469 return ssl_ticket_aead_ignore_ticket;
3470 case ssl_test_ticket_aead_open_hard_fail:
3471 return ssl_ticket_aead_error;
3472 }
3473
3474 if (in_len == 0 || in[in_len - 1] != 0xff) {
3475 return ssl_ticket_aead_ignore_ticket;
3476 }
3477
3478 if (max_out_len < in_len - 1) {
3479 return ssl_ticket_aead_error;
3480 }
3481
3482 OPENSSL_memmove(out, in, in_len - 1);
3483 *out_len = in_len - 1;
3484 return ssl_ticket_aead_success;
3485}
3486
3487static const SSL_TICKET_AEAD_METHOD kSSLTestTicketMethod = {
3488 ssl_test_ticket_aead_max_overhead,
3489 ssl_test_ticket_aead_seal,
3490 ssl_test_ticket_aead_open,
3491};
3492
3493static void ConnectClientAndServerWithTicketMethod(
3494 bssl::UniquePtr<SSL> *out_client, bssl::UniquePtr<SSL> *out_server,
3495 SSL_CTX *client_ctx, SSL_CTX *server_ctx, unsigned retry_count,
3496 ssl_test_ticket_aead_failure_mode failure_mode, SSL_SESSION *session) {
3497 bssl::UniquePtr<SSL> client(SSL_new(client_ctx)), server(SSL_new(server_ctx));
3498 ASSERT_TRUE(client);
3499 ASSERT_TRUE(server);
3500 SSL_set_connect_state(client.get());
3501 SSL_set_accept_state(server.get());
3502
3503 auto state = reinterpret_cast<ssl_test_ticket_aead_state *>(
3504 OPENSSL_malloc(sizeof(ssl_test_ticket_aead_state)));
3505 ASSERT_TRUE(state);
3506 OPENSSL_memset(state, 0, sizeof(ssl_test_ticket_aead_state));
3507 state->retry_count = retry_count;
3508 state->failure_mode = failure_mode;
3509
3510 ASSERT_TRUE(SSL_set_ex_data(server.get(), ssl_test_ticket_aead_get_ex_index(),
3511 state));
3512
3513 SSL_set_session(client.get(), session);
3514
3515 BIO *bio1, *bio2;
3516 ASSERT_TRUE(BIO_new_bio_pair(&bio1, 0, &bio2, 0));
3517
3518 // SSL_set_bio takes ownership.
3519 SSL_set_bio(client.get(), bio1, bio1);
3520 SSL_set_bio(server.get(), bio2, bio2);
3521
3522 if (CompleteHandshakes(client.get(), server.get())) {
3523 *out_client = std::move(client);
3524 *out_server = std::move(server);
3525 } else {
3526 out_client->reset();
3527 out_server->reset();
3528 }
3529}
3530
3531class TicketAEADMethodTest
3532 : public ::testing::TestWithParam<testing::tuple<
3533 uint16_t, unsigned, ssl_test_ticket_aead_failure_mode>> {};
3534
3535TEST_P(TicketAEADMethodTest, Resume) {
3536 bssl::UniquePtr<X509> cert = GetTestCertificate();
3537 ASSERT_TRUE(cert);
3538 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
3539 ASSERT_TRUE(key);
3540
3541 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
3542 ASSERT_TRUE(server_ctx);
3543 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
3544 ASSERT_TRUE(client_ctx);
3545
3546 const uint16_t version = testing::get<0>(GetParam());
3547 const unsigned retry_count = testing::get<1>(GetParam());
3548 const ssl_test_ticket_aead_failure_mode failure_mode =
3549 testing::get<2>(GetParam());
3550
3551 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
3552 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
3553 ASSERT_TRUE(SSL_CTX_set_min_proto_version(client_ctx.get(), version));
3554 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), version));
3555 ASSERT_TRUE(SSL_CTX_set_min_proto_version(server_ctx.get(), version));
3556 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), version));
3557
3558 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
3559 SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH);
3560 SSL_CTX_set_current_time_cb(client_ctx.get(), FrozenTimeCallback);
3561 SSL_CTX_set_current_time_cb(server_ctx.get(), FrozenTimeCallback);
David Benjamin707af292017-03-10 17:47:18 -0500[diff] [blame]3562 SSL_CTX_sess_set_new_cb(client_ctx.get(), SaveLastSession);
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]3563
3564 SSL_CTX_set_ticket_aead_method(server_ctx.get(), &kSSLTestTicketMethod);
3565
3566 bssl::UniquePtr<SSL> client, server;
3567 ConnectClientAndServerWithTicketMethod(&client, &server, client_ctx.get(),
3568 server_ctx.get(), retry_count,
3569 failure_mode, nullptr);
3570 switch (failure_mode) {
3571 case ssl_test_ticket_aead_ok:
3572 case ssl_test_ticket_aead_open_hard_fail:
3573 case ssl_test_ticket_aead_open_soft_fail:
3574 ASSERT_TRUE(client);
3575 break;
3576 case ssl_test_ticket_aead_seal_fail:
3577 EXPECT_FALSE(client);
3578 return;
3579 }
3580 EXPECT_FALSE(SSL_session_reused(client.get()));
3581 EXPECT_FALSE(SSL_session_reused(server.get()));
3582
David Benjamin707af292017-03-10 17:47:18 -0500[diff] [blame]3583 // Run the read loop to account for post-handshake tickets in TLS 1.3.
3584 SSL_read(client.get(), nullptr, 0);
3585
3586 bssl::UniquePtr<SSL_SESSION> session = std::move(g_last_session);
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]3587 ConnectClientAndServerWithTicketMethod(&client, &server, client_ctx.get(),
3588 server_ctx.get(), retry_count,
David Benjamin707af292017-03-10 17:47:18 -0500[diff] [blame]3589 failure_mode, session.get());
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]3590 switch (failure_mode) {
3591 case ssl_test_ticket_aead_ok:
3592 ASSERT_TRUE(client);
3593 EXPECT_TRUE(SSL_session_reused(client.get()));
3594 EXPECT_TRUE(SSL_session_reused(server.get()));
3595 break;
3596 case ssl_test_ticket_aead_seal_fail:
3597 abort();
3598 break;
3599 case ssl_test_ticket_aead_open_hard_fail:
3600 EXPECT_FALSE(client);
3601 break;
3602 case ssl_test_ticket_aead_open_soft_fail:
3603 ASSERT_TRUE(client);
3604 EXPECT_FALSE(SSL_session_reused(client.get()));
3605 EXPECT_FALSE(SSL_session_reused(server.get()));
3606 }
3607}
3608
3609INSTANTIATE_TEST_CASE_P(
3610 TicketAEADMethodTests, TicketAEADMethodTest,
3611 testing::Combine(
David Benjamin707af292017-03-10 17:47:18 -0500[diff] [blame]3612 testing::Values(TLS1_2_VERSION, TLS1_3_VERSION),
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]3613 testing::Values(0, 1, 2),
3614 testing::Values(ssl_test_ticket_aead_ok,
3615 ssl_test_ticket_aead_seal_fail,
3616 ssl_test_ticket_aead_open_soft_fail,
3617 ssl_test_ticket_aead_open_hard_fail)));
3618
David Benjamin3cfeb952017-03-01 16:48:38 -0500[diff] [blame]3619TEST(SSLTest, SSL3Method) {
3620 bssl::UniquePtr<X509> cert = GetTestCertificate();
3621 ASSERT_TRUE(cert);
3622
3623 // For compatibility, SSLv3_method should work up to SSL_CTX_new and SSL_new.
3624 bssl::UniquePtr<SSL_CTX> ssl3_ctx(SSL_CTX_new(SSLv3_method()));
3625 ASSERT_TRUE(ssl3_ctx);
3626 ASSERT_TRUE(SSL_CTX_use_certificate(ssl3_ctx.get(), cert.get()));
3627 bssl::UniquePtr<SSL> ssl(SSL_new(ssl3_ctx.get()));
3628 EXPECT_TRUE(ssl);
3629
3630 // Create a normal TLS context to test against.
3631 bssl::UniquePtr<SSL_CTX> tls_ctx(SSL_CTX_new(TLS_method()));
3632 ASSERT_TRUE(tls_ctx);
3633 ASSERT_TRUE(SSL_CTX_use_certificate(tls_ctx.get(), cert.get()));
3634
3635 // However, handshaking an SSLv3_method server should fail to resolve the
3636 // version range. Explicit calls to SSL_CTX_set_min_proto_version are the only
3637 // way to enable SSL 3.0.
3638 bssl::UniquePtr<SSL> client, server;
3639 EXPECT_FALSE(ConnectClientAndServer(&client, &server, tls_ctx.get(),
3640 ssl3_ctx.get(),
3641 nullptr /* no session */));
3642 uint32_t err = ERR_get_error();
3643 EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err));
3644 EXPECT_EQ(SSL_R_NO_SUPPORTED_VERSIONS_ENABLED, ERR_GET_REASON(err));
3645
3646 // Likewise for SSLv3_method clients.
3647 EXPECT_FALSE(ConnectClientAndServer(&client, &server, ssl3_ctx.get(),
3648 tls_ctx.get(),
3649 nullptr /* no session */));
3650 err = ERR_get_error();
3651 EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err));
3652 EXPECT_EQ(SSL_R_NO_SUPPORTED_VERSIONS_ENABLED, ERR_GET_REASON(err));
3653}
3654
David Benjaminca743582017-06-15 17:51:35 -0400[diff] [blame]3655TEST(SSLTest, SelectNextProto) {
3656 uint8_t *result;
3657 uint8_t result_len;
3658
3659 // If there is an overlap, it should be returned.
3660 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
3661 SSL_select_next_proto(&result, &result_len,
3662 (const uint8_t *)"\1a\2bb\3ccc", 9,
3663 (const uint8_t *)"\1x\1y\1a\1z", 8));
3664 EXPECT_EQ(Bytes("a"), Bytes(result, result_len));
3665
3666 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
3667 SSL_select_next_proto(&result, &result_len,
3668 (const uint8_t *)"\1a\2bb\3ccc", 9,
3669 (const uint8_t *)"\1x\1y\2bb\1z", 9));
3670 EXPECT_EQ(Bytes("bb"), Bytes(result, result_len));
3671
3672 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
3673 SSL_select_next_proto(&result, &result_len,
3674 (const uint8_t *)"\1a\2bb\3ccc", 9,
3675 (const uint8_t *)"\1x\1y\3ccc\1z", 10));
3676 EXPECT_EQ(Bytes("ccc"), Bytes(result, result_len));
3677
3678 // Peer preference order takes precedence over local.
3679 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
3680 SSL_select_next_proto(&result, &result_len,
3681 (const uint8_t *)"\1a\2bb\3ccc", 9,
3682 (const uint8_t *)"\3ccc\2bb\1a", 9));
3683 EXPECT_EQ(Bytes("a"), Bytes(result, result_len));
3684
3685 // If there is no overlap, return the first local protocol.
3686 EXPECT_EQ(OPENSSL_NPN_NO_OVERLAP,
3687 SSL_select_next_proto(&result, &result_len,
3688 (const uint8_t *)"\1a\2bb\3ccc", 9,
3689 (const uint8_t *)"\1x\2yy\3zzz", 9));
3690 EXPECT_EQ(Bytes("x"), Bytes(result, result_len));
3691
3692 EXPECT_EQ(OPENSSL_NPN_NO_OVERLAP,
3693 SSL_select_next_proto(&result, &result_len, nullptr, 0,
3694 (const uint8_t *)"\1x\2yy\3zzz", 9));
3695 EXPECT_EQ(Bytes("x"), Bytes(result, result_len));
3696}
3697
David Benjamin96628432017-01-19 19:05:47 -0500[diff] [blame]3698// TODO(davidben): Convert this file to GTest properly.
3699TEST(SSLTest, AllTests) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]3700 if (!TestSSL_SESSIONEncoding(kOpenSSLSession) ||
Adam Langley10f97f32016-07-12 08:09:33 -0700[diff] [blame]3701 !TestSSL_SESSIONEncoding(kCustomSession) ||
3702 !TestSSL_SESSIONEncoding(kBoringSSLSession) ||
3703 !TestBadSSL_SESSIONEncoding(kBadSessionExtraField) ||
3704 !TestBadSSL_SESSIONEncoding(kBadSessionVersion) ||
3705 !TestBadSSL_SESSIONEncoding(kBadSessionTrailingData) ||
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]3706 // Test the padding extension at TLS 1.2.
3707 !TestPaddingExtension(TLS1_2_VERSION, TLS1_2_VERSION) ||
3708 // Test the padding extension at TLS 1.3 with a TLS 1.2 session, so there
3709 // will be no PSK binder after the padding extension.
3710 !TestPaddingExtension(TLS1_3_VERSION, TLS1_2_VERSION) ||
3711 // Test the padding extension at TLS 1.3 with a TLS 1.3 session, so there
3712 // will be a PSK binder after the padding extension.
3713 !TestPaddingExtension(TLS1_3_VERSION, TLS1_3_DRAFT_VERSION) ||
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3714 !ForEachVersion(TestSequenceNumber) ||
David Benjamin68f37b72016-11-18 15:14:42 +0900[diff] [blame]3715 !ForEachVersion(TestOneSidedShutdown) ||
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3716 !ForEachVersion(TestGetPeerCertificate) ||
3717 !ForEachVersion(TestRetainOnlySHA256OfCerts) ||
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]3718 !TestClientHello() ||
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3719 !ForEachVersion(TestSessionIDContext) ||
3720 !ForEachVersion(TestSessionTimeout) ||
3721 !ForEachVersion(TestSNICallback) ||
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3722 !ForEachVersion(TestVersion) ||
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]3723 !ForEachVersion(TestALPNCipherAvailable) ||
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]3724 !ForEachVersion(TestSSLClearSessionResumption) ||
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]3725 !ForEachVersion(TestAutoChain) ||
David Benjamin5df5be12017-06-22 19:43:11 -0400[diff] [blame]3726 !ForEachVersion(TestSSLWriteRetry) ||
3727 !ForEachVersion(TestRecordCallback)) {
David Benjamin96628432017-01-19 19:05:47 -0500[diff] [blame]3728 ADD_FAILURE() << "Tests failed";
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]3729 }
David Benjamin2e521212014-07-16 14:37:51 -0400[diff] [blame]3730}