Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / fe049e4d186f253140e3d4a2570bba93386b75d8 / . / ssl / ssl_test.cc
blob: 3cc5abb296c5e8292f8a4675cbad39d1508fb43e [file] [log] [blame]
David Benjamin2e521212014-07-16 14:37:51 -0400[diff] [blame]1/* Copyright (c) 2014, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15#include <stdio.h>
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]16#include <string.h>
David Benjamin1269ddd2015-10-18 15:18:55 -0400[diff] [blame]17#include <time.h>
David Benjamin2e521212014-07-16 14:37:51 -0400[diff] [blame]18
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]19#include <algorithm>
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]20#include <limits>
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]21#include <string>
David Benjamin4f6acaf2015-11-21 03:00:50 -0500[diff] [blame]22#include <utility>
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]23#include <vector>
24
David Benjamin96628432017-01-19 19:05:47 -0500[diff] [blame]25#include <gtest/gtest.h>
26
David Benjamin0e7dbd52019-05-15 16:01:18 -0400[diff] [blame]27#include <openssl/aead.h>
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]28#include <openssl/base64.h>
29#include <openssl/bio.h>
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]30#include <openssl/cipher.h>
David Benjamin7a1eefd2015-10-17 23:39:22 -0400[diff] [blame]31#include <openssl/crypto.h>
Daniel McArdle00e434d2021-02-18 11:47:18 -0500[diff] [blame]32#include <openssl/curve25519.h>
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]33#include <openssl/err.h>
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]34#include <openssl/hmac.h>
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]35#include <openssl/pem.h>
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]36#include <openssl/sha.h>
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]37#include <openssl/ssl.h>
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]38#include <openssl/rand.h>
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]39#include <openssl/x509.h>
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]40
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]41#include "internal.h"
Steven Valdezcb966542016-08-17 16:56:14 -0400[diff] [blame]42#include "../crypto/internal.h"
Sigbjorn Vik2b23d242015-06-29 15:07:26 +0200[diff] [blame]43#include "../crypto/test/test_util.h"
44
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]45#if defined(OPENSSL_WINDOWS)
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]46// Windows defines struct timeval in winsock2.h.
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]47OPENSSL_MSVC_PRAGMA(warning(push, 3))
48#include <winsock2.h>
49OPENSSL_MSVC_PRAGMA(warning(pop))
50#else
51#include <sys/time.h>
52#endif
53
David Benjamin5b33eff2018-09-22 16:52:48 -0700[diff] [blame]54#if defined(OPENSSL_THREADS)
David Benjamin6c04bd12018-07-19 18:13:09 -0400[diff] [blame]55#include <thread>
56#endif
57
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]58
Joshua Liebow-Feeser8c7c6352018-08-26 18:53:36 -0700[diff] [blame]59BSSL_NAMESPACE_BEGIN
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]60
61namespace {
62
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]63#define TRACED_CALL(code) \
64 do { \
65 SCOPED_TRACE("<- called from here"); \
66 code; \
67 if (::testing::Test::HasFatalFailure()) { \
68 return; \
69 } \
70 } while (false)
71
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]72struct VersionParam {
73 uint16_t version;
74 enum { is_tls, is_dtls } ssl_method;
75 const char name[8];
76};
77
78static const size_t kTicketKeyLen = 48;
79
80static const VersionParam kAllVersions[] = {
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]81 {TLS1_VERSION, VersionParam::is_tls, "TLS1"},
82 {TLS1_1_VERSION, VersionParam::is_tls, "TLS1_1"},
83 {TLS1_2_VERSION, VersionParam::is_tls, "TLS1_2"},
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]84 {TLS1_3_VERSION, VersionParam::is_tls, "TLS1_3"},
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]85 {DTLS1_VERSION, VersionParam::is_dtls, "DTLS1"},
86 {DTLS1_2_VERSION, VersionParam::is_dtls, "DTLS1_2"},
87};
88
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]89struct ExpectedCipher {
90 unsigned long id;
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]91 int in_group_flag;
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]92};
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]93
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]94struct CipherTest {
95 // The rule string to apply.
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]96 const char *rule;
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]97 // The list of expected ciphers, in order.
98 std::vector<ExpectedCipher> expected;
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]99 // True if this cipher list should fail in strict mode.
100 bool strict_fail;
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]101};
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]102
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]103struct CurveTest {
104 // The rule string to apply.
105 const char *rule;
106 // The list of expected curves, in order.
107 std::vector<uint16_t> expected;
108};
109
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]110template <typename T>
111class UnownedSSLExData {
112 public:
113 UnownedSSLExData() {
114 index_ = SSL_get_ex_new_index(0, nullptr, nullptr, nullptr, nullptr);
115 }
116
117 T *Get(const SSL *ssl) {
118 return index_ < 0 ? nullptr
119 : static_cast<T *>(SSL_get_ex_data(ssl, index_));
120 }
121
122 bool Set(SSL *ssl, T *t) {
123 return index_ >= 0 && SSL_set_ex_data(ssl, index_, t);
124 }
125
126 private:
127 int index_;
128};
129
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]130static const CipherTest kCipherTests[] = {
131 // Selecting individual ciphers should work.
132 {
133 "ECDHE-ECDSA-CHACHA20-POLY1305:"
134 "ECDHE-RSA-CHACHA20-POLY1305:"
135 "ECDHE-ECDSA-AES128-GCM-SHA256:"
136 "ECDHE-RSA-AES128-GCM-SHA256",
137 {
138 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]139 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]140 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
141 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
142 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]143 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]144 },
145 // + reorders selected ciphers to the end, keeping their relative order.
146 {
147 "ECDHE-ECDSA-CHACHA20-POLY1305:"
148 "ECDHE-RSA-CHACHA20-POLY1305:"
149 "ECDHE-ECDSA-AES128-GCM-SHA256:"
150 "ECDHE-RSA-AES128-GCM-SHA256:"
151 "+aRSA",
152 {
153 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]154 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
155 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]156 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
157 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]158 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]159 },
160 // ! banishes ciphers from future selections.
161 {
162 "!aRSA:"
163 "ECDHE-ECDSA-CHACHA20-POLY1305:"
164 "ECDHE-RSA-CHACHA20-POLY1305:"
165 "ECDHE-ECDSA-AES128-GCM-SHA256:"
166 "ECDHE-RSA-AES128-GCM-SHA256",
167 {
168 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]169 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
170 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]171 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]172 },
173 // Multiple masks can be ANDed in a single rule.
174 {
175 "kRSA+AESGCM+AES128",
176 {
177 {TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0},
178 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]179 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]180 },
181 // - removes selected ciphers, but preserves their order for future
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]182 // selections. Select AES_128_GCM, but order the key exchanges RSA,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]183 // ECDHE_RSA.
184 {
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]185 "ALL:-kECDHE:"
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]186 "-kRSA:-ALL:"
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]187 "AESGCM+AES128+aRSA",
188 {
189 {TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]190 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
191 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]192 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]193 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]194 // Unknown selectors are no-ops, except in strict mode.
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]195 {
196 "ECDHE-ECDSA-CHACHA20-POLY1305:"
197 "ECDHE-RSA-CHACHA20-POLY1305:"
198 "ECDHE-ECDSA-AES128-GCM-SHA256:"
199 "ECDHE-RSA-AES128-GCM-SHA256:"
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]200 "BOGUS1",
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]201 {
202 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]203 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]204 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
205 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
206 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]207 true,
208 },
209 // Unknown selectors are no-ops, except in strict mode.
210 {
211 "ECDHE-ECDSA-CHACHA20-POLY1305:"
212 "ECDHE-RSA-CHACHA20-POLY1305:"
213 "ECDHE-ECDSA-AES128-GCM-SHA256:"
214 "ECDHE-RSA-AES128-GCM-SHA256:"
215 "-BOGUS2:+BOGUS3:!BOGUS4",
216 {
217 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
218 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
219 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
220 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
221 },
222 true,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]223 },
224 // Square brackets specify equi-preference groups.
225 {
226 "[ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES128-GCM-SHA256]:"
227 "[ECDHE-RSA-CHACHA20-POLY1305]:"
228 "ECDHE-RSA-AES128-GCM-SHA256",
229 {
230 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 1},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]231 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
Adam Langley2e839242017-01-19 15:12:44 -0800[diff] [blame]232 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]233 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
234 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]235 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]236 },
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]237 // Standard names may be used instead of OpenSSL names.
238 {
239 "[TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|"
David Benjaminbf5f1922017-07-01 11:13:53 -0400[diff] [blame]240 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]:"
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]241 "[TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256]:"
242 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
243 {
244 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 1},
245 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
246 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
247 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
248 },
249 false,
250 },
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]251 // @STRENGTH performs a stable strength-sort of the selected ciphers and
252 // only the selected ciphers.
253 {
254 // To simplify things, banish all but {ECDHE_RSA,RSA} x
Matthew Braithwaite8aaa9e12016-09-07 15:09:58 -0700[diff] [blame]255 // {CHACHA20,AES_256_CBC,AES_128_CBC} x SHA1.
David Benjamin6e678ee2018-04-16 19:54:42 -0400[diff] [blame]256 "!AESGCM:!3DES:"
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]257 // Order some ciphers backwards by strength.
Matthew Braithwaite8aaa9e12016-09-07 15:09:58 -0700[diff] [blame]258 "ALL:-CHACHA20:-AES256:-AES128:-ALL:"
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]259 // Select ECDHE ones and sort them by strength. Ties should resolve
260 // based on the order above.
261 "kECDHE:@STRENGTH:-ALL:"
262 // Now bring back everything uses RSA. ECDHE_RSA should be first, sorted
263 // by strength. Then RSA, backwards by strength.
264 "aRSA",
265 {
266 {TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, 0},
267 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]268 {TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]269 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
270 {TLS1_CK_RSA_WITH_AES_256_SHA, 0},
271 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]272 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]273 },
David Benjaminbf5f1922017-07-01 11:13:53 -0400[diff] [blame]274 // Additional masks after @STRENGTH get silently discarded.
275 //
276 // TODO(davidben): Make this an error. If not silently discarded, they get
277 // interpreted as + opcodes which are very different.
278 {
279 "ECDHE-RSA-AES128-GCM-SHA256:"
280 "ECDHE-RSA-AES256-GCM-SHA384:"
281 "@STRENGTH+AES256",
282 {
283 {TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 0},
284 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
285 },
286 false,
287 },
288 {
289 "ECDHE-RSA-AES128-GCM-SHA256:"
290 "ECDHE-RSA-AES256-GCM-SHA384:"
291 "@STRENGTH+AES256:"
292 "ECDHE-RSA-CHACHA20-POLY1305",
293 {
294 {TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 0},
295 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
296 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
297 },
298 false,
299 },
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]300 // Exact ciphers may not be used in multi-part rules; they are treated
301 // as unknown aliases.
302 {
303 "ECDHE-ECDSA-AES128-GCM-SHA256:"
304 "ECDHE-RSA-AES128-GCM-SHA256:"
305 "!ECDHE-RSA-AES128-GCM-SHA256+RSA:"
306 "!ECDSA+ECDHE-ECDSA-AES128-GCM-SHA256",
307 {
308 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
309 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
310 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]311 true,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]312 },
313 // SSLv3 matches everything that existed before TLS 1.2.
314 {
David Benjamin6e678ee2018-04-16 19:54:42 -0400[diff] [blame]315 "AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256:!SSLv3",
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]316 {
David Benjamin6e678ee2018-04-16 19:54:42 -0400[diff] [blame]317 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]318 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]319 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]320 },
321 // TLSv1.2 matches everything added in TLS 1.2.
322 {
David Benjamin6e678ee2018-04-16 19:54:42 -0400[diff] [blame]323 "AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256:!TLSv1.2",
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]324 {
325 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
326 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]327 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]328 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]329 // The two directives have no intersection. But each component is valid, so
330 // even in strict mode it is accepted.
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]331 {
David Benjamin6e678ee2018-04-16 19:54:42 -0400[diff] [blame]332 "AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256:!TLSv1.2+SSLv3",
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]333 {
334 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
David Benjamin6e678ee2018-04-16 19:54:42 -0400[diff] [blame]335 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]336 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]337 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]338 },
Adam Langley22df6912017-07-25 12:27:37 -0700[diff] [blame]339 // Spaces, semi-colons and commas are separators.
340 {
David Benjamin6e678ee2018-04-16 19:54:42 -0400[diff] [blame]341 "AES128-SHA: ECDHE-RSA-AES128-GCM-SHA256 AES256-SHA ,ECDHE-ECDSA-AES128-GCM-SHA256 ; AES128-GCM-SHA256",
Adam Langley22df6912017-07-25 12:27:37 -0700[diff] [blame]342 {
343 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
David Benjamin6e678ee2018-04-16 19:54:42 -0400[diff] [blame]344 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
Adam Langley22df6912017-07-25 12:27:37 -0700[diff] [blame]345 {TLS1_CK_RSA_WITH_AES_256_SHA, 0},
David Benjamin6e678ee2018-04-16 19:54:42 -0400[diff] [blame]346 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
Adam Langley22df6912017-07-25 12:27:37 -0700[diff] [blame]347 {TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0},
348 },
349 // …but not in strict mode.
350 true,
351 },
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]352};
353
354static const char *kBadRules[] = {
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]355 // Invalid brackets.
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]356 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256",
357 "RSA]",
358 "[[RSA]]",
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]359 // Operators inside brackets.
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]360 "[+RSA]",
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]361 // Unknown directive.
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]362 "@BOGUS",
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]363 // Empty cipher lists error at SSL_CTX_set_cipher_list.
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]364 "",
365 "BOGUS",
David Benjamin32fbdf22015-04-07 01:14:06 -0400[diff] [blame]366 // COMPLEMENTOFDEFAULT is empty.
367 "COMPLEMENTOFDEFAULT",
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]368 // Invalid command.
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]369 "?BAR",
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]370 // Special operators are not allowed if groups are used.
David Benjamin37d92462014-09-20 17:54:24 -0400[diff] [blame]371 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:+FOO",
372 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:!FOO",
373 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:-FOO",
374 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:@STRENGTH",
Adam Langleyf99f2442016-10-02 09:53:38 -0700[diff] [blame]375 // Opcode supplied, but missing selector.
376 "+",
Adam Langley22df6912017-07-25 12:27:37 -0700[diff] [blame]377 // Spaces are forbidden in equal-preference groups.
378 "[AES128-SHA | AES128-SHA256]",
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]379};
380
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]381static const char *kMustNotIncludeNull[] = {
382 "ALL",
383 "DEFAULT",
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]384 "HIGH",
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]385 "FIPS",
386 "SHA",
387 "SHA1",
388 "RSA",
389 "SSLv3",
390 "TLSv1",
391 "TLSv1.2",
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]392};
393
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]394static const CurveTest kCurveTests[] = {
395 {
396 "P-256",
397 { SSL_CURVE_SECP256R1 },
398 },
399 {
Adam Langley7b935932018-11-12 13:53:42 -0800[diff] [blame]400 "P-256:CECPQ2",
401 { SSL_CURVE_SECP256R1, SSL_CURVE_CECPQ2 },
402 },
403
404 {
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]405 "P-256:P-384:P-521:X25519",
406 {
407 SSL_CURVE_SECP256R1,
408 SSL_CURVE_SECP384R1,
409 SSL_CURVE_SECP521R1,
410 SSL_CURVE_X25519,
411 },
412 },
David Benjamin6dda1662017-11-02 20:44:26 -0400[diff] [blame]413 {
414 "prime256v1:secp384r1:secp521r1:x25519",
415 {
416 SSL_CURVE_SECP256R1,
417 SSL_CURVE_SECP384R1,
418 SSL_CURVE_SECP521R1,
419 SSL_CURVE_X25519,
420 },
421 },
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]422};
423
424static const char *kBadCurvesLists[] = {
425 "",
426 ":",
427 "::",
428 "P-256::X25519",
429 "RSA:P-256",
430 "P-256:RSA",
431 "X25519:P-256:",
432 ":X25519:P-256",
433};
434
David Benjamin70dbf042017-08-08 18:51:37 -0400[diff] [blame]435static std::string CipherListToString(SSL_CTX *ctx) {
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]436 bool in_group = false;
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]437 std::string ret;
David Benjamin70dbf042017-08-08 18:51:37 -0400[diff] [blame]438 const STACK_OF(SSL_CIPHER) *ciphers = SSL_CTX_get_ciphers(ctx);
439 for (size_t i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
440 const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(ciphers, i);
441 if (!in_group && SSL_CTX_cipher_in_group(ctx, i)) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]442 ret += "\t[\n";
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]443 in_group = true;
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]444 }
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]445 ret += "\t";
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]446 if (in_group) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]447 ret += " ";
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]448 }
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]449 ret += SSL_CIPHER_get_name(cipher);
450 ret += "\n";
David Benjamin70dbf042017-08-08 18:51:37 -0400[diff] [blame]451 if (in_group && !SSL_CTX_cipher_in_group(ctx, i)) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]452 ret += "\t]\n";
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]453 in_group = false;
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]454 }
455 }
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]456 return ret;
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]457}
458
David Benjamin70dbf042017-08-08 18:51:37 -0400[diff] [blame]459static bool CipherListsEqual(SSL_CTX *ctx,
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]460 const std::vector<ExpectedCipher> &expected) {
David Benjamin70dbf042017-08-08 18:51:37 -0400[diff] [blame]461 const STACK_OF(SSL_CIPHER) *ciphers = SSL_CTX_get_ciphers(ctx);
462 if (sk_SSL_CIPHER_num(ciphers) != expected.size()) {
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]463 return false;
David Benjamin65226252015-02-05 16:49:47 -0500[diff] [blame]464 }
465
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]466 for (size_t i = 0; i < expected.size(); i++) {
David Benjamin70dbf042017-08-08 18:51:37 -0400[diff] [blame]467 const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(ciphers, i);
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]468 if (expected[i].id != SSL_CIPHER_get_id(cipher) ||
David Benjamin70dbf042017-08-08 18:51:37 -0400[diff] [blame]469 expected[i].in_group_flag != !!SSL_CTX_cipher_in_group(ctx, i)) {
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]470 return false;
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]471 }
472 }
473
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]474 return true;
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]475}
476
Daniel McArdleff746c12019-09-16 12:35:05 -0400[diff] [blame]477TEST(GrowableArrayTest, Resize) {
478 GrowableArray<size_t> array;
479 ASSERT_TRUE(array.empty());
480 EXPECT_EQ(array.size(), 0u);
481
482 ASSERT_TRUE(array.Push(42));
483 ASSERT_TRUE(!array.empty());
484 EXPECT_EQ(array.size(), 1u);
485
486 // Force a resize operation to occur
487 for (size_t i = 0; i < 16; i++) {
488 ASSERT_TRUE(array.Push(i + 1));
489 }
490
491 EXPECT_EQ(array.size(), 17u);
492
493 // Verify that expected values are still contained in array
494 for (size_t i = 0; i < array.size(); i++) {
495 EXPECT_EQ(array[i], i == 0 ? 42 : i);
496 }
497}
498
499TEST(GrowableArrayTest, MoveConstructor) {
500 GrowableArray<size_t> array;
501 for (size_t i = 0; i < 100; i++) {
502 ASSERT_TRUE(array.Push(i));
503 }
504
505 GrowableArray<size_t> array_moved(std::move(array));
506 for (size_t i = 0; i < 100; i++) {
507 EXPECT_EQ(array_moved[i], i);
508 }
509}
510
511TEST(GrowableArrayTest, GrowableArrayContainingGrowableArrays) {
512 // Representative example of a struct that contains a GrowableArray.
513 struct TagAndArray {
514 size_t tag;
515 GrowableArray<size_t> array;
516 };
517
518 GrowableArray<TagAndArray> array;
519 for (size_t i = 0; i < 100; i++) {
520 TagAndArray elem;
521 elem.tag = i;
522 for (size_t j = 0; j < i; j++) {
523 ASSERT_TRUE(elem.array.Push(j));
524 }
525 ASSERT_TRUE(array.Push(std::move(elem)));
526 }
527 EXPECT_EQ(array.size(), static_cast<size_t>(100));
528
529 GrowableArray<TagAndArray> array_moved(std::move(array));
530 EXPECT_EQ(array_moved.size(), static_cast<size_t>(100));
531 size_t count = 0;
532 for (const TagAndArray &elem : array_moved) {
533 // Test the square bracket operator returns the same value as iteration.
534 EXPECT_EQ(&elem, &array_moved[count]);
535
536 EXPECT_EQ(elem.tag, count);
537 EXPECT_EQ(elem.array.size(), count);
538 for (size_t j = 0; j < count; j++) {
539 EXPECT_EQ(elem.array[j], j);
540 }
541 count++;
542 }
543}
544
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]545TEST(SSLTest, CipherRules) {
546 for (const CipherTest &t : kCipherTests) {
547 SCOPED_TRACE(t.rule);
548 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
549 ASSERT_TRUE(ctx);
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]550
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]551 // Test lax mode.
552 ASSERT_TRUE(SSL_CTX_set_cipher_list(ctx.get(), t.rule));
David Benjamin70dbf042017-08-08 18:51:37 -0400[diff] [blame]553 EXPECT_TRUE(CipherListsEqual(ctx.get(), t.expected))
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]554 << "Cipher rule evaluated to:\n"
David Benjamin70dbf042017-08-08 18:51:37 -0400[diff] [blame]555 << CipherListToString(ctx.get());
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]556
557 // Test strict mode.
558 if (t.strict_fail) {
559 EXPECT_FALSE(SSL_CTX_set_strict_cipher_list(ctx.get(), t.rule));
560 } else {
561 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(ctx.get(), t.rule));
David Benjamin70dbf042017-08-08 18:51:37 -0400[diff] [blame]562 EXPECT_TRUE(CipherListsEqual(ctx.get(), t.expected))
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]563 << "Cipher rule evaluated to:\n"
David Benjamin70dbf042017-08-08 18:51:37 -0400[diff] [blame]564 << CipherListToString(ctx.get());
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]565 }
566 }
567
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]568 for (const char *rule : kBadRules) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]569 SCOPED_TRACE(rule);
570 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
571 ASSERT_TRUE(ctx);
572
573 EXPECT_FALSE(SSL_CTX_set_cipher_list(ctx.get(), rule));
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]574 ERR_clear_error();
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]575 }
576
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]577 for (const char *rule : kMustNotIncludeNull) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]578 SCOPED_TRACE(rule);
579 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
580 ASSERT_TRUE(ctx);
581
582 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(ctx.get(), rule));
David Benjamin70dbf042017-08-08 18:51:37 -0400[diff] [blame]583 for (const SSL_CIPHER *cipher : SSL_CTX_get_ciphers(ctx.get())) {
David Benjamine3bb51c2017-08-22 23:16:02 -0700[diff] [blame]584 EXPECT_NE(NID_undef, SSL_CIPHER_get_cipher_nid(cipher));
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]585 }
586 }
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]587}
David Benjamin2e521212014-07-16 14:37:51 -0400[diff] [blame]588
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]589TEST(SSLTest, CurveRules) {
590 for (const CurveTest &t : kCurveTests) {
591 SCOPED_TRACE(t.rule);
592 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
593 ASSERT_TRUE(ctx);
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]594
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]595 ASSERT_TRUE(SSL_CTX_set1_curves_list(ctx.get(), t.rule));
David Benjamin0ce090a2018-07-02 20:24:40 -0400[diff] [blame]596 ASSERT_EQ(t.expected.size(), ctx->supported_group_list.size());
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]597 for (size_t i = 0; i < t.expected.size(); i++) {
598 EXPECT_EQ(t.expected[i], ctx->supported_group_list[i]);
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]599 }
600 }
601
602 for (const char *rule : kBadCurvesLists) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]603 SCOPED_TRACE(rule);
604 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
605 ASSERT_TRUE(ctx);
606
607 EXPECT_FALSE(SSL_CTX_set1_curves_list(ctx.get(), rule));
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]608 ERR_clear_error();
609 }
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]610}
611
Adam Langley364f7a62016-12-12 10:51:00 -0800[diff] [blame]612// kOpenSSLSession is a serialized SSL_SESSION.
Adam Langley10f97f32016-07-12 08:09:33 -0700[diff] [blame]613static const char kOpenSSLSession[] =
Adam Langley364f7a62016-12-12 10:51:00 -0800[diff] [blame]614 "MIIFqgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
Adam Langley10f97f32016-07-12 08:09:33 -0700[diff] [blame]615 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
616 "IWoJoQYCBFRDO46iBAICASyjggR6MIIEdjCCA16gAwIBAgIIK9dUvsPWSlUwDQYJ"
617 "KoZIhvcNAQEFBQAwSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMx"
618 "JTAjBgNVBAMTHEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTQxMDA4"
619 "MTIwNzU3WhcNMTUwMTA2MDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwK"
620 "Q2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29v"
621 "Z2xlIEluYzEXMBUGA1UEAwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEB"
622 "AQUAA4IBDwAwggEKAoIBAQCcKeLrplAC+Lofy8t/wDwtB6eu72CVp0cJ4V3lknN6"
623 "huH9ct6FFk70oRIh/VBNBBz900jYy+7111Jm1b8iqOTQ9aT5C7SEhNcQFJvqzH3e"
624 "MPkb6ZSWGm1yGF7MCQTGQXF20Sk/O16FSjAynU/b3oJmOctcycWYkY0ytS/k3LBu"
625 "Id45PJaoMqjB0WypqvNeJHC3q5JjCB4RP7Nfx5jjHSrCMhw8lUMW4EaDxjaR9KDh"
626 "PLgjsk+LDIySRSRDaCQGhEOWLJZVLzLo4N6/UlctCHEllpBUSvEOyFga52qroGjg"
627 "rf3WOQ925MFwzd6AK+Ich0gDRg8sQfdLH5OuP1cfLfU1AgMBAAGjggFBMIIBPTAd"
628 "BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdv"
629 "b2dsZS5jb20waAYIKwYBBQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtp"
630 "Lmdvb2dsZS5jb20vR0lBRzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50"
631 "czEuZ29vZ2xlLmNvbS9vY3NwMB0GA1UdDgQWBBQ7a+CcxsZByOpc+xpYFcIbnUMZ"
632 "hTAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEv"
633 "MBcGA1UdIAQQMA4wDAYKKwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRw"
634 "Oi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQCa"
635 "OXCBdoqUy5bxyq+Wrh1zsyyCFim1PH5VU2+yvDSWrgDY8ibRGJmfff3r4Lud5kal"
636 "dKs9k8YlKD3ITG7P0YT/Rk8hLgfEuLcq5cc0xqmE42xJ+Eo2uzq9rYorc5emMCxf"
637 "5L0TJOXZqHQpOEcuptZQ4OjdYMfSxk5UzueUhA3ogZKRcRkdB3WeWRp+nYRhx4St"
638 "o2rt2A0MKmY9165GHUqMK9YaaXHDXqBu7Sefr1uSoAP9gyIJKeihMivsGqJ1TD6Z"
639 "cc6LMe+dN2P8cZEQHtD1y296ul4Mivqk3jatUVL8/hCwgch9A8O4PGZq9WqBfEWm"
640 "IyHh1dPtbg1lOXdYCWtjpAIEAKUDAgEUqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36S"
641 "YTcLEkXqKwOBfF9vE4KX0NxeLwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9B"
642 "sNHM362zZnY27GpTw+Kwd751CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yE"
643 "OTDKPNj3+inbMaVigtK4PLyPq+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdA"
Adam Langley364f7a62016-12-12 10:51:00 -0800[diff] [blame]644 "i4gv7Y5oliyntgMBAQA=";
Adam Langley10f97f32016-07-12 08:09:33 -0700[diff] [blame]645
646// kCustomSession is a custom serialized SSL_SESSION generated by
647// filling in missing fields from |kOpenSSLSession|. This includes
648// providing |peer_sha256|, so |peer| is not serialized.
649static const char kCustomSession[] =
David Benjamina8614602017-09-06 15:40:19 -0400[diff] [blame]650 "MIIBZAIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
Adam Langley10f97f32016-07-12 08:09:33 -0700[diff] [blame]651 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
David Benjamina8614602017-09-06 15:40:19 -0400[diff] [blame]652 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUqAcEBXdvcmxkqQUCAwGJwKqBpwSB"
653 "pBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0NxeLwjcDTpsuh3qXEaZ992r1N38"
654 "VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751CLoXFPoaMOe57dbBpXoro6Pd"
655 "3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyPq+Topyzvx9USFgRvyuoxn0Hg"
656 "b+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYGBgYGBgYGBgYGBgYGBgYGBgYG"
657 "BgYGBgYGBgYGrgMEAQevAwQBBLADBAEF";
Adam Langley10f97f32016-07-12 08:09:33 -0700[diff] [blame]658
659// kBoringSSLSession is a serialized SSL_SESSION generated from bssl client.
660static const char kBoringSSLSession[] =
661 "MIIRwQIBAQICAwMEAsAvBCDdoGxGK26mR+8lM0uq6+k9xYuxPnwAjpcF9n0Yli9R"
662 "kQQwbyshfWhdi5XQ1++7n2L1qqrcVlmHBPpr6yknT/u4pUrpQB5FZ7vqvNn8MdHf"
663 "9rWgoQYCBFXgs7uiBAICHCCjggR6MIIEdjCCA16gAwIBAgIIf+yfD7Y6UicwDQYJ"
664 "KoZIhvcNAQELBQAwSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMx"
665 "JTAjBgNVBAMTHEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTUwODEy"
666 "MTQ1MzE1WhcNMTUxMTEwMDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwK"
667 "Q2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29v"
668 "Z2xlIEluYzEXMBUGA1UEAwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEB"
669 "AQUAA4IBDwAwggEKAoIBAQC0MeG5YGQ0t+IeJeoneP/PrhEaieibeKYkbKVLNZpo"
670 "PLuBinvhkXZo3DC133NpCBpy6ZktBwamqyixAyuk/NU6OjgXqwwxfQ7di1AInLIU"
671 "792c7hFyNXSUCG7At8Ifi3YwBX9Ba6u/1d6rWTGZJrdCq3QU11RkKYyTq2KT5mce"
672 "Tv9iGKqSkSTlp8puy/9SZ/3DbU3U+BuqCFqeSlz7zjwFmk35acdCilpJlVDDN5C/"
673 "RCh8/UKc8PaL+cxlt531qoTENvYrflBno14YEZlCBZsPiFeUSILpKEj3Ccwhy0eL"
674 "EucWQ72YZU8mUzXBoXGn0zA0crFl5ci/2sTBBGZsylNBAgMBAAGjggFBMIIBPTAd"
675 "BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdv"
676 "b2dsZS5jb20waAYIKwYBBQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtp"
677 "Lmdvb2dsZS5jb20vR0lBRzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50"
678 "czEuZ29vZ2xlLmNvbS9vY3NwMB0GA1UdDgQWBBS/bzHxcE73Q4j3slC4BLbMtLjG"
679 "GjAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEv"
680 "MBcGA1UdIAQQMA4wDAYKKwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRw"
681 "Oi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQAb"
682 "qdWPZEHk0X7iKPCTHL6S3w6q1eR67goxZGFSM1lk1hjwyu7XcLJuvALVV9uY3ovE"
683 "kQZSHwT+pyOPWQhsSjO+1GyjvCvK/CAwiUmBX+bQRGaqHsRcio7xSbdVcajQ3bXd"
684 "X+s0WdbOpn6MStKAiBVloPlSxEI8pxY6x/BBCnTIk/+DMB17uZlOjG3vbAnkDkP+"
685 "n0OTucD9sHV7EVj9XUxi51nOfNBCN/s7lpUjDS/NJ4k3iwOtbCPswiot8vLO779a"
686 "f07vR03r349Iz/KTzk95rlFtX0IU+KYNxFNsanIXZ+C9FYGRXkwhHcvFb4qMUB1y"
687 "TTlM80jBMOwyjZXmjRAhpAIEAKUDAgEUqQUCAwGJwKqBpwSBpOgebbmn9NRUtMWH"
688 "+eJpqA5JLMFSMCChOsvKey3toBaCNGU7HfAEiiXNuuAdCBoK262BjQc2YYfqFzqH"
689 "zuppopXCvhohx7j/tnCNZIMgLYt/O9SXK2RYI5z8FhCCHvB4CbD5G0LGl5EFP27s"
690 "Jb6S3aTTYPkQe8yZSlxevg6NDwmTogLO9F7UUkaYmVcMQhzssEE2ZRYNwSOU6KjE"
691 "0Yj+8fAiBtbQriIEIN2L8ZlpaVrdN5KFNdvcmOxJu81P8q53X55xQyGTnGWwsgMC"
692 "ARezggvvMIIEdjCCA16gAwIBAgIIf+yfD7Y6UicwDQYJKoZIhvcNAQELBQAwSTEL"
693 "MAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2ds"
694 "ZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTUwODEyMTQ1MzE1WhcNMTUxMTEw"
695 "MDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQG"
696 "A1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UE"
697 "AwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB"
698 "AQC0MeG5YGQ0t+IeJeoneP/PrhEaieibeKYkbKVLNZpoPLuBinvhkXZo3DC133Np"
699 "CBpy6ZktBwamqyixAyuk/NU6OjgXqwwxfQ7di1AInLIU792c7hFyNXSUCG7At8If"
700 "i3YwBX9Ba6u/1d6rWTGZJrdCq3QU11RkKYyTq2KT5mceTv9iGKqSkSTlp8puy/9S"
701 "Z/3DbU3U+BuqCFqeSlz7zjwFmk35acdCilpJlVDDN5C/RCh8/UKc8PaL+cxlt531"
702 "qoTENvYrflBno14YEZlCBZsPiFeUSILpKEj3Ccwhy0eLEucWQ72YZU8mUzXBoXGn"
703 "0zA0crFl5ci/2sTBBGZsylNBAgMBAAGjggFBMIIBPTAdBgNVHSUEFjAUBggrBgEF"
704 "BQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYB"
705 "BQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lB"
706 "RzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9v"
707 "Y3NwMB0GA1UdDgQWBBS/bzHxcE73Q4j3slC4BLbMtLjGGjAMBgNVHRMBAf8EAjAA"
708 "MB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMBcGA1UdIAQQMA4wDAYK"
709 "KwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRwOi8vcGtpLmdvb2dsZS5j"
710 "b20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQAbqdWPZEHk0X7iKPCTHL6S"
711 "3w6q1eR67goxZGFSM1lk1hjwyu7XcLJuvALVV9uY3ovEkQZSHwT+pyOPWQhsSjO+"
712 "1GyjvCvK/CAwiUmBX+bQRGaqHsRcio7xSbdVcajQ3bXdX+s0WdbOpn6MStKAiBVl"
713 "oPlSxEI8pxY6x/BBCnTIk/+DMB17uZlOjG3vbAnkDkP+n0OTucD9sHV7EVj9XUxi"
714 "51nOfNBCN/s7lpUjDS/NJ4k3iwOtbCPswiot8vLO779af07vR03r349Iz/KTzk95"
715 "rlFtX0IU+KYNxFNsanIXZ+C9FYGRXkwhHcvFb4qMUB1yTTlM80jBMOwyjZXmjRAh"
716 "MIID8DCCAtigAwIBAgIDAjqDMA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT"
717 "MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i"
718 "YWwgQ0EwHhcNMTMwNDA1MTUxNTU2WhcNMTYxMjMxMjM1OTU5WjBJMQswCQYDVQQG"
719 "EwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVy"
720 "bmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB"
721 "AJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NP"
722 "VaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtv"
723 "h8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rE"
724 "ahqyzFPdFUuLH8gZYR/Nnag+YyuENWllhMgZxUYi+FOVvuOAShDGKuy6lyARxzmZ"
725 "EASg8GF6lSWMTlJ14rbtCMoU/M4iarNOz0YDl5cDfsCx3nuvRTPPuj5xt970JSXC"
726 "DTWJnZ37DhF5iR43xa+OcmkCAwEAAaOB5zCB5DAfBgNVHSMEGDAWgBTAephojYn7"
727 "qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1dvWBtrtiGrpagS8wDgYD"
728 "VR0PAQH/BAQDAgEGMC4GCCsGAQUFBwEBBCIwIDAeBggrBgEFBQcwAYYSaHR0cDov"
729 "L2cuc3ltY2QuY29tMBIGA1UdEwEB/wQIMAYBAf8CAQAwNQYDVR0fBC4wLDAqoCig"
730 "JoYkaHR0cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9iYWwuY3JsMBcGA1UdIAQQ"
731 "MA4wDAYKKwYBBAHWeQIFATANBgkqhkiG9w0BAQsFAAOCAQEAqvqpIM1qZ4PtXtR+"
732 "3h3Ef+AlBgDFJPupyC1tft6dgmUsgWM0Zj7pUsIItMsv91+ZOmqcUHqFBYx90SpI"
733 "hNMJbHzCzTWf84LuUt5oX+QAihcglvcpjZpNy6jehsgNb1aHA30DP9z6eX0hGfnI"
734 "Oi9RdozHQZJxjyXON/hKTAAj78Q1EK7gI4BzfE00LshukNYQHpmEcxpw8u1VDu4X"
735 "Bupn7jLrLN1nBz/2i8Jw3lsA5rsb0zYaImxssDVCbJAJPZPpZAkiDoUGn8JzIdPm"
736 "X4DkjYUiOnMDsWCOrmji9D6X52ASCWg23jrW4kOVWzeBkoEfu43XrVJkFleW2V40"
737 "fsg12DCCA30wggLmoAMCAQICAxK75jANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQG"
738 "EwJVUzEQMA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUg"
739 "Q2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTAyMDUyMTA0MDAwMFoXDTE4MDgyMTA0"
740 "MDAwMFowQjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUdlb1RydXN0IEluYy4xGzAZ"
741 "BgNVBAMTEkdlb1RydXN0IEdsb2JhbCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP"
742 "ADCCAQoCggEBANrMGGMw/fQXIxpWflvfPGw45HG3eJHUvKHYTPioQ7YD6U0hBwiI"
743 "2lgvZjkpvQV4i5046AW3an5xpObEYKaw74DkiSgPniXW7YPzraaRx5jJQhg1FJ2t"
744 "mEaSLk/K8YdDwRaVVy1Q74ktgHpXrfLuX2vSAI25FPgUFTXZwEaje3LIkb/JVSvN"
745 "0Jc+nCZkzN/Ogxlxyk7m1NV7qRnNVd7I7NJeOFPlXE+MLf5QIzb8ZubLjqQ5GQC3"
746 "lQI5kQsO/jgu0R0FmvZNPm8PBx2vLB6PYDni+jZTEznUXiYr2z2oFL0y6xgDKFIE"
747 "ceWrMz3hOLsHNoRinHnqFjD0X8Ar6HFr5PkCAwEAAaOB8DCB7TAfBgNVHSMEGDAW"
748 "gBRI5mj5K9KylddH2CMgEE8zmJCf1DAdBgNVHQ4EFgQUwHqYaI2J+6sFZAwRfap9"
749 "ZbjKzE4wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwOgYDVR0fBDMw"
750 "MTAvoC2gK4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20vY3Jscy9zZWN1cmVjYS5j"
751 "cmwwTgYDVR0gBEcwRTBDBgRVHSAAMDswOQYIKwYBBQUHAgEWLWh0dHBzOi8vd3d3"
752 "Lmdlb3RydXN0LmNvbS9yZXNvdXJjZXMvcmVwb3NpdG9yeTANBgkqhkiG9w0BAQUF"
753 "AAOBgQB24RJuTksWEoYwBrKBCM/wCMfHcX5m7sLt1Dsf//DwyE7WQziwuTB9GNBV"
754 "g6JqyzYRnOhIZqNtf7gT1Ef+i1pcc/yu2RsyGTirlzQUqpbS66McFAhJtrvlke+D"
755 "NusdVm/K2rxzY5Dkf3s+Iss9B+1fOHSc4wNQTqGvmO5h8oQ/Eg==";
756
757// kBadSessionExtraField is a custom serialized SSL_SESSION generated by replacing
Steven Valdez51607f12020-08-05 10:46:05 -0400[diff] [blame]758// the final (optional) element of |kCustomSession| with tag number 99.
Adam Langley10f97f32016-07-12 08:09:33 -0700[diff] [blame]759static const char kBadSessionExtraField[] =
760 "MIIBdgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
761 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
762 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
763 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
764 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
765 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
766 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
Steven Valdez51607f12020-08-05 10:46:05 -0400[diff] [blame]767 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBOMDBAEF";
Adam Langley10f97f32016-07-12 08:09:33 -0700[diff] [blame]768
769// kBadSessionVersion is a custom serialized SSL_SESSION generated by replacing
770// the version of |kCustomSession| with 2.
771static const char kBadSessionVersion[] =
772 "MIIBdgIBAgICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
773 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
774 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
775 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
776 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
777 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
778 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
779 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBLADBAEF";
780
781// kBadSessionTrailingData is a custom serialized SSL_SESSION with trailing data
782// appended.
783static const char kBadSessionTrailingData[] =
784 "MIIBdgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
785 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
786 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
787 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
788 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
789 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
790 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
791 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBLADBAEFAAAA";
792
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]793static bool DecodeBase64(std::vector<uint8_t> *out, const char *in) {
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]794 size_t len;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]795 if (!EVP_DecodedLength(&len, strlen(in))) {
796 fprintf(stderr, "EVP_DecodedLength failed\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]797 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]798 }
799
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]800 out->resize(len);
David Benjaminef14b2d2015-11-11 14:01:27 -0800[diff] [blame]801 if (!EVP_DecodeBase64(out->data(), &len, len, (const uint8_t *)in,
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]802 strlen(in))) {
803 fprintf(stderr, "EVP_DecodeBase64 failed\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]804 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]805 }
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]806 out->resize(len);
807 return true;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]808}
809
David Benjamina486c6c2019-03-28 18:32:38 -0500[diff] [blame]810TEST(SSLTest, SessionEncoding) {
811 for (const char *input_b64 : {
812 kOpenSSLSession,
813 kCustomSession,
814 kBoringSSLSession,
815 }) {
816 SCOPED_TRACE(std::string(input_b64));
817 // Decode the input.
818 std::vector<uint8_t> input;
819 ASSERT_TRUE(DecodeBase64(&input, input_b64));
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]820
David Benjamina486c6c2019-03-28 18:32:38 -0500[diff] [blame]821 // Verify the SSL_SESSION decodes.
822 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
823 ASSERT_TRUE(ssl_ctx);
824 bssl::UniquePtr<SSL_SESSION> session(
825 SSL_SESSION_from_bytes(input.data(), input.size(), ssl_ctx.get()));
826 ASSERT_TRUE(session) << "SSL_SESSION_from_bytes failed";
827
828 // Verify the SSL_SESSION encoding round-trips.
829 size_t encoded_len;
830 bssl::UniquePtr<uint8_t> encoded;
831 uint8_t *encoded_raw;
832 ASSERT_TRUE(SSL_SESSION_to_bytes(session.get(), &encoded_raw, &encoded_len))
833 << "SSL_SESSION_to_bytes failed";
834 encoded.reset(encoded_raw);
835 EXPECT_EQ(Bytes(encoded.get(), encoded_len), Bytes(input))
836 << "SSL_SESSION_to_bytes did not round-trip";
837
838 // Verify the SSL_SESSION also decodes with the legacy API.
839 const uint8_t *cptr = input.data();
840 session.reset(d2i_SSL_SESSION(NULL, &cptr, input.size()));
841 ASSERT_TRUE(session) << "d2i_SSL_SESSION failed";
842 EXPECT_EQ(cptr, input.data() + input.size());
843
844 // Verify the SSL_SESSION encoding round-trips via the legacy API.
845 int len = i2d_SSL_SESSION(session.get(), NULL);
846 ASSERT_GT(len, 0) << "i2d_SSL_SESSION failed";
847 ASSERT_EQ(static_cast<size_t>(len), input.size())
848 << "i2d_SSL_SESSION(NULL) returned invalid length";
849
850 encoded.reset((uint8_t *)OPENSSL_malloc(input.size()));
851 ASSERT_TRUE(encoded);
852
853 uint8_t *ptr = encoded.get();
854 len = i2d_SSL_SESSION(session.get(), &ptr);
855 ASSERT_GT(len, 0) << "i2d_SSL_SESSION failed";
856 ASSERT_EQ(static_cast<size_t>(len), input.size())
857 << "i2d_SSL_SESSION(NULL) returned invalid length";
858 ASSERT_EQ(ptr, encoded.get() + input.size())
859 << "i2d_SSL_SESSION did not advance ptr correctly";
860 EXPECT_EQ(Bytes(encoded.get(), encoded_len), Bytes(input))
861 << "SSL_SESSION_to_bytes did not round-trip";
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]862 }
863
David Benjamina486c6c2019-03-28 18:32:38 -0500[diff] [blame]864 for (const char *input_b64 : {
865 kBadSessionExtraField,
866 kBadSessionVersion,
867 kBadSessionTrailingData,
868 }) {
869 SCOPED_TRACE(std::string(input_b64));
870 std::vector<uint8_t> input;
871 ASSERT_TRUE(DecodeBase64(&input, input_b64));
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]872
David Benjamina486c6c2019-03-28 18:32:38 -0500[diff] [blame]873 // Verify that the SSL_SESSION fails to decode.
874 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
875 ASSERT_TRUE(ssl_ctx);
876 bssl::UniquePtr<SSL_SESSION> session(
877 SSL_SESSION_from_bytes(input.data(), input.size(), ssl_ctx.get()));
878 EXPECT_FALSE(session) << "SSL_SESSION_from_bytes unexpectedly succeeded";
879 ERR_clear_error();
David Benjamin3cac4502014-10-21 01:46:30 -0400[diff] [blame]880 }
David Benjaminf297e022015-05-28 19:55:29 -0400[diff] [blame]881}
882
David Benjamin321fcdc2017-04-24 11:42:42 -0400[diff] [blame]883static void ExpectDefaultVersion(uint16_t min_version, uint16_t max_version,
884 const SSL_METHOD *(*method)(void)) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]885 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method()));
David Benjamin321fcdc2017-04-24 11:42:42 -0400[diff] [blame]886 ASSERT_TRUE(ctx);
Nitish Sakhawalkara4af5f82019-03-25 17:26:59 -0700[diff] [blame]887 EXPECT_EQ(min_version, SSL_CTX_get_min_proto_version(ctx.get()));
888 EXPECT_EQ(max_version, SSL_CTX_get_max_proto_version(ctx.get()));
David Benjamin321fcdc2017-04-24 11:42:42 -0400[diff] [blame]889}
890
891TEST(SSLTest, DefaultVersion) {
Matthew Braithwaite58d56f42019-11-04 13:20:01 -0800[diff] [blame]892 ExpectDefaultVersion(TLS1_VERSION, TLS1_3_VERSION, &TLS_method);
David Benjamin321fcdc2017-04-24 11:42:42 -0400[diff] [blame]893 ExpectDefaultVersion(TLS1_VERSION, TLS1_VERSION, &TLSv1_method);
894 ExpectDefaultVersion(TLS1_1_VERSION, TLS1_1_VERSION, &TLSv1_1_method);
895 ExpectDefaultVersion(TLS1_2_VERSION, TLS1_2_VERSION, &TLSv1_2_method);
Nitish Sakhawalkara4af5f82019-03-25 17:26:59 -0700[diff] [blame]896 ExpectDefaultVersion(DTLS1_VERSION, DTLS1_2_VERSION, &DTLS_method);
897 ExpectDefaultVersion(DTLS1_VERSION, DTLS1_VERSION, &DTLSv1_method);
898 ExpectDefaultVersion(DTLS1_2_VERSION, DTLS1_2_VERSION, &DTLSv1_2_method);
David Benjamin82c9e902014-12-12 15:55:27 -0500[diff] [blame]899}
900
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]901TEST(SSLTest, CipherProperties) {
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]902 static const struct {
903 int id;
904 const char *standard_name;
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]905 int cipher_nid;
906 int digest_nid;
907 int kx_nid;
908 int auth_nid;
David Benjaminb1b76ae2017-09-21 17:03:34 -0400[diff] [blame]909 int prf_nid;
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]910 } kTests[] = {
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]911 {
912 SSL3_CK_RSA_DES_192_CBC3_SHA,
913 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
914 NID_des_ede3_cbc,
915 NID_sha1,
916 NID_kx_rsa,
917 NID_auth_rsa,
David Benjaminb1b76ae2017-09-21 17:03:34 -0400[diff] [blame]918 NID_md5_sha1,
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]919 },
920 {
921 TLS1_CK_RSA_WITH_AES_128_SHA,
922 "TLS_RSA_WITH_AES_128_CBC_SHA",
923 NID_aes_128_cbc,
924 NID_sha1,
925 NID_kx_rsa,
926 NID_auth_rsa,
David Benjaminb1b76ae2017-09-21 17:03:34 -0400[diff] [blame]927 NID_md5_sha1,
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]928 },
929 {
930 TLS1_CK_PSK_WITH_AES_256_CBC_SHA,
931 "TLS_PSK_WITH_AES_256_CBC_SHA",
932 NID_aes_256_cbc,
933 NID_sha1,
934 NID_kx_psk,
935 NID_auth_psk,
David Benjaminb1b76ae2017-09-21 17:03:34 -0400[diff] [blame]936 NID_md5_sha1,
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]937 },
938 {
David Benjamin6e678ee2018-04-16 19:54:42 -0400[diff] [blame]939 TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
940 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]941 NID_aes_128_cbc,
David Benjamin6e678ee2018-04-16 19:54:42 -0400[diff] [blame]942 NID_sha1,
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]943 NID_kx_ecdhe,
944 NID_auth_rsa,
David Benjamin6e678ee2018-04-16 19:54:42 -0400[diff] [blame]945 NID_md5_sha1,
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]946 },
947 {
David Benjamin6e678ee2018-04-16 19:54:42 -0400[diff] [blame]948 TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
949 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]950 NID_aes_256_cbc,
David Benjamin6e678ee2018-04-16 19:54:42 -0400[diff] [blame]951 NID_sha1,
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]952 NID_kx_ecdhe,
953 NID_auth_rsa,
David Benjamin6e678ee2018-04-16 19:54:42 -0400[diff] [blame]954 NID_md5_sha1,
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]955 },
956 {
957 TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
958 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
959 NID_aes_128_gcm,
960 NID_undef,
961 NID_kx_ecdhe,
962 NID_auth_rsa,
David Benjaminb1b76ae2017-09-21 17:03:34 -0400[diff] [blame]963 NID_sha256,
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]964 },
965 {
966 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
967 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
968 NID_aes_128_gcm,
969 NID_undef,
970 NID_kx_ecdhe,
971 NID_auth_ecdsa,
David Benjaminb1b76ae2017-09-21 17:03:34 -0400[diff] [blame]972 NID_sha256,
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]973 },
974 {
975 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
976 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
977 NID_aes_256_gcm,
978 NID_undef,
979 NID_kx_ecdhe,
980 NID_auth_ecdsa,
David Benjaminb1b76ae2017-09-21 17:03:34 -0400[diff] [blame]981 NID_sha384,
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]982 },
983 {
984 TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA,
985 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
986 NID_aes_128_cbc,
987 NID_sha1,
988 NID_kx_ecdhe,
989 NID_auth_psk,
David Benjaminb1b76ae2017-09-21 17:03:34 -0400[diff] [blame]990 NID_md5_sha1,
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]991 },
992 {
993 TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
994 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
995 NID_chacha20_poly1305,
996 NID_undef,
997 NID_kx_ecdhe,
998 NID_auth_rsa,
David Benjaminb1b76ae2017-09-21 17:03:34 -0400[diff] [blame]999 NID_sha256,
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]1000 },
1001 {
1002 TLS1_CK_AES_256_GCM_SHA384,
1003 "TLS_AES_256_GCM_SHA384",
1004 NID_aes_256_gcm,
1005 NID_undef,
1006 NID_kx_any,
1007 NID_auth_any,
David Benjaminb1b76ae2017-09-21 17:03:34 -0400[diff] [blame]1008 NID_sha384,
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]1009 },
1010 {
1011 TLS1_CK_AES_128_GCM_SHA256,
1012 "TLS_AES_128_GCM_SHA256",
1013 NID_aes_128_gcm,
1014 NID_undef,
1015 NID_kx_any,
1016 NID_auth_any,
David Benjaminb1b76ae2017-09-21 17:03:34 -0400[diff] [blame]1017 NID_sha256,
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]1018 },
1019 {
1020 TLS1_CK_CHACHA20_POLY1305_SHA256,
1021 "TLS_CHACHA20_POLY1305_SHA256",
1022 NID_chacha20_poly1305,
1023 NID_undef,
1024 NID_kx_any,
1025 NID_auth_any,
David Benjaminb1b76ae2017-09-21 17:03:34 -0400[diff] [blame]1026 NID_sha256,
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]1027 },
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]1028 };
David Benjamin65226252015-02-05 16:49:47 -0500[diff] [blame]1029
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]1030 for (const auto &t : kTests) {
1031 SCOPED_TRACE(t.standard_name);
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1032
1033 const SSL_CIPHER *cipher = SSL_get_cipher_by_value(t.id & 0xffff);
1034 ASSERT_TRUE(cipher);
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]1035 EXPECT_STREQ(t.standard_name, SSL_CIPHER_standard_name(cipher));
1036
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1037 bssl::UniquePtr<char> rfc_name(SSL_CIPHER_get_rfc_name(cipher));
1038 ASSERT_TRUE(rfc_name);
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]1039 EXPECT_STREQ(t.standard_name, rfc_name.get());
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]1040
1041 EXPECT_EQ(t.cipher_nid, SSL_CIPHER_get_cipher_nid(cipher));
1042 EXPECT_EQ(t.digest_nid, SSL_CIPHER_get_digest_nid(cipher));
1043 EXPECT_EQ(t.kx_nid, SSL_CIPHER_get_kx_nid(cipher));
1044 EXPECT_EQ(t.auth_nid, SSL_CIPHER_get_auth_nid(cipher));
David Benjaminb1b76ae2017-09-21 17:03:34 -0400[diff] [blame]1045 EXPECT_EQ(t.prf_nid, SSL_CIPHER_get_prf_nid(cipher));
David Benjamin65226252015-02-05 16:49:47 -0500[diff] [blame]1046 }
David Benjamin65226252015-02-05 16:49:47 -0500[diff] [blame]1047}
1048
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]1049// CreateSessionWithTicket returns a sample |SSL_SESSION| with the specified
1050// version and ticket length or nullptr on failure.
1051static bssl::UniquePtr<SSL_SESSION> CreateSessionWithTicket(uint16_t version,
1052 size_t ticket_len) {
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]1053 std::vector<uint8_t> der;
1054 if (!DecodeBase64(&der, kOpenSSLSession)) {
1055 return nullptr;
1056 }
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]1057
1058 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
1059 if (!ssl_ctx) {
1060 return nullptr;
1061 }
David Benjaminaaef8332018-06-29 16:45:49 -0400[diff] [blame]1062 // Use a garbage ticket.
1063 std::vector<uint8_t> ticket(ticket_len, 'a');
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]1064 bssl::UniquePtr<SSL_SESSION> session(
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]1065 SSL_SESSION_from_bytes(der.data(), der.size(), ssl_ctx.get()));
David Benjaminaaef8332018-06-29 16:45:49 -0400[diff] [blame]1066 if (!session ||
1067 !SSL_SESSION_set_protocol_version(session.get(), version) ||
1068 !SSL_SESSION_set_ticket(session.get(), ticket.data(), ticket.size())) {
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]1069 return nullptr;
1070 }
David Benjamin1269ddd2015-10-18 15:18:55 -0400[diff] [blame]1071 // Fix up the timeout.
David Benjamin9b63f292016-11-15 00:44:05 -0500[diff] [blame]1072#if defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE)
David Benjaminaaef8332018-06-29 16:45:49 -0400[diff] [blame]1073 SSL_SESSION_set_time(session.get(), 1234);
David Benjamin9b63f292016-11-15 00:44:05 -0500[diff] [blame]1074#else
David Benjaminaaef8332018-06-29 16:45:49 -0400[diff] [blame]1075 SSL_SESSION_set_time(session.get(), time(nullptr));
David Benjamin9b63f292016-11-15 00:44:05 -0500[diff] [blame]1076#endif
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]1077 return session;
1078}
1079
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1080static bool GetClientHello(SSL *ssl, std::vector<uint8_t> *out) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1081 bssl::UniquePtr<BIO> bio(BIO_new(BIO_s_mem()));
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1082 if (!bio) {
1083 return false;
1084 }
1085 // Do not configure a reading BIO, but record what's written to a memory BIO.
David Benjamin96a16cd2016-08-11 12:14:47 -0400[diff] [blame]1086 BIO_up_ref(bio.get());
1087 SSL_set_bio(ssl, nullptr /* rbio */, bio.get());
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1088 int ret = SSL_connect(ssl);
1089 if (ret > 0) {
1090 // SSL_connect should fail without a BIO to write to.
1091 return false;
1092 }
1093 ERR_clear_error();
1094
1095 const uint8_t *client_hello;
1096 size_t client_hello_len;
1097 if (!BIO_mem_contents(bio.get(), &client_hello, &client_hello_len)) {
1098 return false;
1099 }
1100 *out = std::vector<uint8_t>(client_hello, client_hello + client_hello_len);
1101 return true;
1102}
1103
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]1104// GetClientHelloLen creates a client SSL connection with the specified version
1105// and ticket length. It returns the length of the ClientHello, not including
1106// the record header, on success and zero on error.
1107static size_t GetClientHelloLen(uint16_t max_version, uint16_t session_version,
1108 size_t ticket_len) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1109 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]1110 bssl::UniquePtr<SSL_SESSION> session =
1111 CreateSessionWithTicket(session_version, ticket_len);
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]1112 if (!ctx || !session) {
1113 return 0;
1114 }
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]1115
1116 // Set a one-element cipher list so the baseline ClientHello is unpadded.
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1117 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
Steven Valdez2c62fe92016-10-14 12:08:12 -0400[diff] [blame]1118 if (!ssl || !SSL_set_session(ssl.get(), session.get()) ||
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]1119 !SSL_set_strict_cipher_list(ssl.get(), "ECDHE-RSA-AES128-GCM-SHA256") ||
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]1120 !SSL_set_max_proto_version(ssl.get(), max_version)) {
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]1121 return 0;
1122 }
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]1123
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1124 std::vector<uint8_t> client_hello;
1125 if (!GetClientHello(ssl.get(), &client_hello) ||
1126 client_hello.size() <= SSL3_RT_HEADER_LENGTH) {
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]1127 return 0;
1128 }
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]1129
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1130 return client_hello.size() - SSL3_RT_HEADER_LENGTH;
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]1131}
1132
David Benjamina486c6c2019-03-28 18:32:38 -0500[diff] [blame]1133TEST(SSLTest, Padding) {
1134 struct PaddingVersions {
1135 uint16_t max_version, session_version;
1136 };
1137 static const PaddingVersions kPaddingVersions[] = {
1138 // Test the padding extension at TLS 1.2.
1139 {TLS1_2_VERSION, TLS1_2_VERSION},
1140 // Test the padding extension at TLS 1.3 with a TLS 1.2 session, so there
1141 // will be no PSK binder after the padding extension.
1142 {TLS1_3_VERSION, TLS1_2_VERSION},
1143 // Test the padding extension at TLS 1.3 with a TLS 1.3 session, so there
1144 // will be a PSK binder after the padding extension.
1145 {TLS1_3_VERSION, TLS1_3_VERSION},
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]1146
David Benjamina486c6c2019-03-28 18:32:38 -0500[diff] [blame]1147 };
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]1148
David Benjamina486c6c2019-03-28 18:32:38 -0500[diff] [blame]1149 struct PaddingTest {
1150 size_t input_len, padded_len;
1151 };
1152 static const PaddingTest kPaddingTests[] = {
1153 // ClientHellos of length below 0x100 do not require padding.
1154 {0xfe, 0xfe},
1155 {0xff, 0xff},
1156 // ClientHellos of length 0x100 through 0x1fb are padded up to 0x200.
1157 {0x100, 0x200},
1158 {0x123, 0x200},
1159 {0x1fb, 0x200},
1160 // ClientHellos of length 0x1fc through 0x1ff get padded beyond 0x200. The
1161 // padding extension takes a minimum of four bytes plus one required
1162 // content
1163 // byte. (To work around yet more server bugs, we avoid empty final
1164 // extensions.)
1165 {0x1fc, 0x201},
1166 {0x1fd, 0x202},
1167 {0x1fe, 0x203},
1168 {0x1ff, 0x204},
1169 // Finally, larger ClientHellos need no padding.
1170 {0x200, 0x200},
1171 {0x201, 0x201},
1172 };
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]1173
David Benjamina486c6c2019-03-28 18:32:38 -0500[diff] [blame]1174 for (const PaddingVersions &versions : kPaddingVersions) {
1175 SCOPED_TRACE(versions.max_version);
1176 SCOPED_TRACE(versions.session_version);
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]1177
David Benjamina486c6c2019-03-28 18:32:38 -0500[diff] [blame]1178 // Sample a baseline length.
1179 size_t base_len =
1180 GetClientHelloLen(versions.max_version, versions.session_version, 1);
1181 ASSERT_NE(base_len, 0u) << "Baseline length could not be sampled";
1182
1183 for (const PaddingTest &test : kPaddingTests) {
1184 SCOPED_TRACE(test.input_len);
1185 ASSERT_LE(base_len, test.input_len) << "Baseline ClientHello too long";
1186
1187 size_t padded_len =
1188 GetClientHelloLen(versions.max_version, versions.session_version,
1189 1 + test.input_len - base_len);
1190 EXPECT_EQ(padded_len, test.padded_len)
1191 << "ClientHello was not padded to expected length";
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]1192 }
1193 }
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]1194}
1195
David Benjamin2f3958a2021-04-16 11:55:23 -0400[diff] [blame]1196static bssl::UniquePtr<X509> CertFromPEM(const char *pem) {
1197 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(pem, strlen(pem)));
1198 if (!bio) {
1199 return nullptr;
1200 }
1201 return bssl::UniquePtr<X509>(
1202 PEM_read_bio_X509(bio.get(), nullptr, nullptr, nullptr));
1203}
1204
1205static bssl::UniquePtr<EVP_PKEY> KeyFromPEM(const char *pem) {
1206 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(pem, strlen(pem)));
1207 if (!bio) {
1208 return nullptr;
1209 }
1210 return bssl::UniquePtr<EVP_PKEY>(
1211 PEM_read_bio_PrivateKey(bio.get(), nullptr, nullptr, nullptr));
1212}
1213
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1214static bssl::UniquePtr<X509> GetTestCertificate() {
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1215 static const char kCertPEM[] =
1216 "-----BEGIN CERTIFICATE-----\n"
1217 "MIICWDCCAcGgAwIBAgIJAPuwTC6rEJsMMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV\n"
1218 "BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX\n"
1219 "aWRnaXRzIFB0eSBMdGQwHhcNMTQwNDIzMjA1MDQwWhcNMTcwNDIyMjA1MDQwWjBF\n"
1220 "MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50\n"
1221 "ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\n"
1222 "gQDYK8imMuRi/03z0K1Zi0WnvfFHvwlYeyK9Na6XJYaUoIDAtB92kWdGMdAQhLci\n"
1223 "HnAjkXLI6W15OoV3gA/ElRZ1xUpxTMhjP6PyY5wqT5r6y8FxbiiFKKAnHmUcrgfV\n"
1224 "W28tQ+0rkLGMryRtrukXOgXBv7gcrmU7G1jC2a7WqmeI8QIDAQABo1AwTjAdBgNV\n"
1225 "HQ4EFgQUi3XVrMsIvg4fZbf6Vr5sp3Xaha8wHwYDVR0jBBgwFoAUi3XVrMsIvg4f\n"
1226 "Zbf6Vr5sp3Xaha8wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQA76Hht\n"
1227 "ldY9avcTGSwbwoiuIqv0jTL1fHFnzy3RHMLDh+Lpvolc5DSrSJHCP5WuK0eeJXhr\n"
1228 "T5oQpHL9z/cCDLAKCKRa4uV0fhEdOWBqyR9p8y5jJtye72t6CuFUV5iqcpF4BH4f\n"
1229 "j2VNHwsSrJwkD4QUGlUtH7vwnQmyCFxZMmWAJg==\n"
1230 "-----END CERTIFICATE-----\n";
David Benjamin2f3958a2021-04-16 11:55:23 -0400[diff] [blame]1231 return CertFromPEM(kCertPEM);
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1232}
1233
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1234static bssl::UniquePtr<EVP_PKEY> GetTestKey() {
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1235 static const char kKeyPEM[] =
1236 "-----BEGIN RSA PRIVATE KEY-----\n"
1237 "MIICXgIBAAKBgQDYK8imMuRi/03z0K1Zi0WnvfFHvwlYeyK9Na6XJYaUoIDAtB92\n"
1238 "kWdGMdAQhLciHnAjkXLI6W15OoV3gA/ElRZ1xUpxTMhjP6PyY5wqT5r6y8FxbiiF\n"
1239 "KKAnHmUcrgfVW28tQ+0rkLGMryRtrukXOgXBv7gcrmU7G1jC2a7WqmeI8QIDAQAB\n"
1240 "AoGBAIBy09Fd4DOq/Ijp8HeKuCMKTHqTW1xGHshLQ6jwVV2vWZIn9aIgmDsvkjCe\n"
1241 "i6ssZvnbjVcwzSoByhjN8ZCf/i15HECWDFFh6gt0P5z0MnChwzZmvatV/FXCT0j+\n"
1242 "WmGNB/gkehKjGXLLcjTb6dRYVJSCZhVuOLLcbWIV10gggJQBAkEA8S8sGe4ezyyZ\n"
1243 "m4e9r95g6s43kPqtj5rewTsUxt+2n4eVodD+ZUlCULWVNAFLkYRTBCASlSrm9Xhj\n"
1244 "QpmWAHJUkQJBAOVzQdFUaewLtdOJoPCtpYoY1zd22eae8TQEmpGOR11L6kbxLQsk\n"
1245 "aMly/DOnOaa82tqAGTdqDEZgSNmCeKKknmECQAvpnY8GUOVAubGR6c+W90iBuQLj\n"
1246 "LtFp/9ihd2w/PoDwrHZaoUYVcT4VSfJQog/k7kjE4MYXYWL8eEKg3WTWQNECQQDk\n"
1247 "104Wi91Umd1PzF0ijd2jXOERJU1wEKe6XLkYYNHWQAe5l4J4MWj9OdxFXAxIuuR/\n"
1248 "tfDwbqkta4xcux67//khAkEAvvRXLHTaa6VFzTaiiO8SaFsHV3lQyXOtMrBpB5jd\n"
1249 "moZWgjHvB2W9Ckn7sDqsPB+U2tyX0joDdQEyuiMECDY8oQ==\n"
1250 "-----END RSA PRIVATE KEY-----\n";
David Benjamin2f3958a2021-04-16 11:55:23 -0400[diff] [blame]1251 return KeyFromPEM(kKeyPEM);
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1252}
1253
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1254static bssl::UniquePtr<X509> GetECDSATestCertificate() {
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]1255 static const char kCertPEM[] =
1256 "-----BEGIN CERTIFICATE-----\n"
1257 "MIIBzzCCAXagAwIBAgIJANlMBNpJfb/rMAkGByqGSM49BAEwRTELMAkGA1UEBhMC\n"
1258 "QVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdp\n"
1259 "dHMgUHR5IEx0ZDAeFw0xNDA0MjMyMzIxNTdaFw0xNDA1MjMyMzIxNTdaMEUxCzAJ\n"
1260 "BgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5l\n"
1261 "dCBXaWRnaXRzIFB0eSBMdGQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATmK2ni\n"
1262 "v2Wfl74vHg2UikzVl2u3qR4NRvvdqakendy6WgHn1peoChj5w8SjHlbifINI2xYa\n"
1263 "HPUdfvGULUvPciLBo1AwTjAdBgNVHQ4EFgQUq4TSrKuV8IJOFngHVVdf5CaNgtEw\n"
1264 "HwYDVR0jBBgwFoAUq4TSrKuV8IJOFngHVVdf5CaNgtEwDAYDVR0TBAUwAwEB/zAJ\n"
1265 "BgcqhkjOPQQBA0gAMEUCIQDyoDVeUTo2w4J5m+4nUIWOcAZ0lVfSKXQA9L4Vh13E\n"
1266 "BwIgfB55FGohg/B6dGh5XxSZmmi08cueFV7mHzJSYV51yRQ=\n"
1267 "-----END CERTIFICATE-----\n";
David Benjamin2f3958a2021-04-16 11:55:23 -0400[diff] [blame]1268 return CertFromPEM(kCertPEM);
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]1269}
1270
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1271static bssl::UniquePtr<EVP_PKEY> GetECDSATestKey() {
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]1272 static const char kKeyPEM[] =
1273 "-----BEGIN PRIVATE KEY-----\n"
1274 "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgBw8IcnrUoEqc3VnJ\n"
1275 "TYlodwi1b8ldMHcO6NHJzgqLtGqhRANCAATmK2niv2Wfl74vHg2UikzVl2u3qR4N\n"
1276 "Rvvdqakendy6WgHn1peoChj5w8SjHlbifINI2xYaHPUdfvGULUvPciLB\n"
1277 "-----END PRIVATE KEY-----\n";
David Benjamin2f3958a2021-04-16 11:55:23 -0400[diff] [blame]1278 return KeyFromPEM(kKeyPEM);
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]1279}
1280
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]1281static bssl::UniquePtr<CRYPTO_BUFFER> BufferFromPEM(const char *pem) {
1282 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(pem, strlen(pem)));
1283 char *name, *header;
1284 uint8_t *data;
1285 long data_len;
1286 if (!PEM_read_bio(bio.get(), &name, &header, &data,
1287 &data_len)) {
1288 return nullptr;
1289 }
1290 OPENSSL_free(name);
1291 OPENSSL_free(header);
1292
1293 auto ret = bssl::UniquePtr<CRYPTO_BUFFER>(
1294 CRYPTO_BUFFER_new(data, data_len, nullptr));
1295 OPENSSL_free(data);
1296 return ret;
1297}
1298
1299static bssl::UniquePtr<CRYPTO_BUFFER> GetChainTestCertificateBuffer() {
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]1300 static const char kCertPEM[] =
1301 "-----BEGIN CERTIFICATE-----\n"
1302 "MIIC0jCCAbqgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEQiBD\n"
1303 "QTAeFw0xNjAyMjgyMDI3MDNaFw0yNjAyMjUyMDI3MDNaMBgxFjAUBgNVBAMMDUNs\n"
1304 "aWVudCBDZXJ0IEEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDRvaz8\n"
1305 "CC/cshpCafJo4jLkHEoBqDLhdgFelJoAiQUyIqyWl2O7YHPnpJH+TgR7oelzNzt/\n"
1306 "kLRcH89M/TszB6zqyLTC4aqmvzKL0peD/jL2LWBucR0WXIvjA3zoRuF/x86+rYH3\n"
1307 "tHb+xs2PSs8EGL/Ev+ss+qTzTGEn26fuGNHkNw6tOwPpc+o8+wUtzf/kAthamo+c\n"
1308 "IDs2rQ+lP7+aLZTLeU/q4gcLutlzcK5imex5xy2jPkweq48kijK0kIzl1cPlA5d1\n"
1309 "z7C8jU50Pj9X9sQDJTN32j7UYRisJeeYQF8GaaN8SbrDI6zHgKzrRLyxDt/KQa9V\n"
1310 "iLeXANgZi+Xx9KgfAgMBAAGjLzAtMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYI\n"
1311 "KwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQBFEVbmYl+2RtNw\n"
1312 "rDftRDF1v2QUbcN2ouSnQDHxeDQdSgasLzT3ui8iYu0Rw2WWcZ0DV5e0ztGPhWq7\n"
1313 "AO0B120aFRMOY+4+bzu9Q2FFkQqc7/fKTvTDzIJI5wrMnFvUfzzvxh3OHWMYSs/w\n"
1314 "giq33hTKeHEq6Jyk3btCny0Ycecyc3yGXH10sizUfiHlhviCkDuESk8mFDwDDzqW\n"
1315 "ZF0IipzFbEDHoIxLlm3GQxpiLoEV4k8KYJp3R5KBLFyxM6UGPz8h72mIPCJp2RuK\n"
1316 "MYgF91UDvVzvnYm6TfseM2+ewKirC00GOrZ7rEcFvtxnKSqYf4ckqfNdSU1Y+RRC\n"
1317 "1ngWZ7Ih\n"
1318 "-----END CERTIFICATE-----\n";
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]1319 return BufferFromPEM(kCertPEM);
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]1320}
1321
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]1322static bssl::UniquePtr<X509> X509FromBuffer(
1323 bssl::UniquePtr<CRYPTO_BUFFER> buffer) {
1324 if (!buffer) {
1325 return nullptr;
1326 }
1327 const uint8_t *derp = CRYPTO_BUFFER_data(buffer.get());
1328 return bssl::UniquePtr<X509>(
1329 d2i_X509(NULL, &derp, CRYPTO_BUFFER_len(buffer.get())));
1330}
1331
1332static bssl::UniquePtr<X509> GetChainTestCertificate() {
1333 return X509FromBuffer(GetChainTestCertificateBuffer());
1334}
1335
1336static bssl::UniquePtr<CRYPTO_BUFFER> GetChainTestIntermediateBuffer() {
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]1337 static const char kCertPEM[] =
1338 "-----BEGIN CERTIFICATE-----\n"
1339 "MIICwjCCAaqgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwFDESMBAGA1UEAwwJQyBS\n"
1340 "b290IENBMB4XDTE2MDIyODIwMjcwM1oXDTI2MDIyNTIwMjcwM1owDzENMAsGA1UE\n"
1341 "AwwEQiBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALsSCYmDip2D\n"
1342 "GkjFxw7ykz26JSjELkl6ArlYjFJ3aT/SCh8qbS4gln7RH8CPBd78oFdfhIKQrwtZ\n"
1343 "3/q21ykD9BAS3qHe2YdcJfm8/kWAy5DvXk6NXU4qX334KofBAEpgdA/igEFq1P1l\n"
1344 "HAuIfZCpMRfT+i5WohVsGi8f/NgpRvVaMONLNfgw57mz1lbtFeBEISmX0kbsuJxF\n"
1345 "Qj/Bwhi5/0HAEXG8e7zN4cEx0yPRvmOATRdVb/8dW2pwOHRJq9R5M0NUkIsTSnL7\n"
1346 "6N/z8hRAHMsV3IudC5Yd7GXW1AGu9a+iKU+Q4xcZCoj0DC99tL4VKujrV1kAeqsM\n"
1347 "cz5/dKzi6+cCAwEAAaMjMCEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
1348 "AQYwDQYJKoZIhvcNAQELBQADggEBAIIeZiEeNhWWQ8Y4D+AGDwqUUeG8NjCbKrXQ\n"
1349 "BlHg5wZ8xftFaiP1Dp/UAezmx2LNazdmuwrYB8lm3FVTyaPDTKEGIPS4wJKHgqH1\n"
1350 "QPDhqNm85ey7TEtI9oYjsNim/Rb+iGkIAMXaxt58SzxbjvP0kMr1JfJIZbic9vye\n"
1351 "NwIspMFIpP3FB8ywyu0T0hWtCQgL4J47nigCHpOu58deP88fS/Nyz/fyGVWOZ76b\n"
1352 "WhWwgM3P3X95fQ3d7oFPR/bVh0YV+Cf861INwplokXgXQ3/TCQ+HNXeAMWn3JLWv\n"
1353 "XFwk8owk9dq/kQGdndGgy3KTEW4ctPX5GNhf3LJ9Q7dLji4ReQ4=\n"
1354 "-----END CERTIFICATE-----\n";
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]1355 return BufferFromPEM(kCertPEM);
1356}
1357
1358static bssl::UniquePtr<X509> GetChainTestIntermediate() {
1359 return X509FromBuffer(GetChainTestIntermediateBuffer());
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]1360}
1361
1362static bssl::UniquePtr<EVP_PKEY> GetChainTestKey() {
1363 static const char kKeyPEM[] =
1364 "-----BEGIN PRIVATE KEY-----\n"
1365 "MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDRvaz8CC/cshpC\n"
1366 "afJo4jLkHEoBqDLhdgFelJoAiQUyIqyWl2O7YHPnpJH+TgR7oelzNzt/kLRcH89M\n"
1367 "/TszB6zqyLTC4aqmvzKL0peD/jL2LWBucR0WXIvjA3zoRuF/x86+rYH3tHb+xs2P\n"
1368 "Ss8EGL/Ev+ss+qTzTGEn26fuGNHkNw6tOwPpc+o8+wUtzf/kAthamo+cIDs2rQ+l\n"
1369 "P7+aLZTLeU/q4gcLutlzcK5imex5xy2jPkweq48kijK0kIzl1cPlA5d1z7C8jU50\n"
1370 "Pj9X9sQDJTN32j7UYRisJeeYQF8GaaN8SbrDI6zHgKzrRLyxDt/KQa9ViLeXANgZ\n"
1371 "i+Xx9KgfAgMBAAECggEBAK0VjSJzkyPaamcyTVSWjo7GdaBGcK60lk657RjR+lK0\n"
1372 "YJ7pkej4oM2hdsVZFsP8Cs4E33nXLa/0pDsRov/qrp0WQm2skwqGMC1I/bZ0WRPk\n"
1373 "wHaDrBBfESWnJDX/AGpVtlyOjPmgmK6J2usMPihQUDkKdAYrVWJePrMIxt1q6BMe\n"
1374 "iczs3qriMmtY3bUc4UyUwJ5fhDLjshHvfuIpYQyI6EXZM6dZksn9LylXJnigY6QJ\n"
1375 "HxOYO0BDwOsZ8yQ8J8afLk88i0GizEkgE1z3REtQUwgWfxr1WV/ud+T6/ZhSAgH9\n"
1376 "042mQvSFZnIUSEsmCvjhWuAunfxHKCTcAoYISWfzWpkCgYEA7gpf3HHU5Tn+CgUn\n"
1377 "1X5uGpG3DmcMgfeGgs2r2f/IIg/5Ac1dfYILiybL1tN9zbyLCJfcbFpWBc9hJL6f\n"
1378 "CPc5hUiwWFJqBJewxQkC1Ae/HakHbip+IZ+Jr0842O4BAArvixk4Lb7/N2Ct9sTE\n"
1379 "NJO6RtK9lbEZ5uK61DglHy8CS2UCgYEA4ZC1o36kPAMQBggajgnucb2yuUEelk0f\n"
1380 "AEr+GI32MGE+93xMr7rAhBoqLg4AITyIfEnOSQ5HwagnIHonBbv1LV/Gf9ursx8Z\n"
1381 "YOGbvT8zzzC+SU1bkDzdjAYnFQVGIjMtKOBJ3K07++ypwX1fr4QsQ8uKL8WSOWwt\n"
1382 "Z3Bym6XiZzMCgYADnhy+2OwHX85AkLt+PyGlPbmuelpyTzS4IDAQbBa6jcuW/2wA\n"
1383 "UE2km75VUXmD+u2R/9zVuLm99NzhFhSMqlUxdV1YukfqMfP5yp1EY6m/5aW7QuIP\n"
1384 "2MDa7TVL9rIFMiVZ09RKvbBbQxjhuzPQKL6X/PPspnhiTefQ+dl2k9xREQKBgHDS\n"
1385 "fMfGNEeAEKezrfSVqxphE9/tXms3L+ZpnCaT+yu/uEr5dTIAawKoQ6i9f/sf1/Sy\n"
1386 "xedsqR+IB+oKrzIDDWMgoJybN4pkZ8E5lzhVQIjFjKgFdWLzzqyW9z1gYfABQPlN\n"
1387 "FiS20WX0vgP1vcKAjdNrHzc9zyHBpgQzDmAj3NZZAoGBAI8vKCKdH7w3aL5CNkZQ\n"
1388 "2buIeWNA2HZazVwAGG5F2TU/LmXfRKnG6dX5bkU+AkBZh56jNZy//hfFSewJB4Kk\n"
1389 "buB7ERSdaNbO21zXt9FEA3+z0RfMd/Zv2vlIWOSB5nzl/7UKti3sribK6s9ZVLfi\n"
1390 "SxpiPQ8d/hmSGwn4ksrWUsJD\n"
1391 "-----END PRIVATE KEY-----\n";
David Benjamin2f3958a2021-04-16 11:55:23 -0400[diff] [blame]1392 return KeyFromPEM(kKeyPEM);
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]1393}
1394
David Benjaminc79ae7a2017-08-29 16:09:44 -0400[diff] [blame]1395// Test that |SSL_get_client_CA_list| echoes back the configured parameter even
1396// before configuring as a server.
1397TEST(SSLTest, ClientCAList) {
1398 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
1399 ASSERT_TRUE(ctx);
1400 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
1401 ASSERT_TRUE(ssl);
1402
1403 bssl::UniquePtr<X509_NAME> name(X509_NAME_new());
1404 ASSERT_TRUE(name);
1405
1406 bssl::UniquePtr<X509_NAME> name_dup(X509_NAME_dup(name.get()));
1407 ASSERT_TRUE(name_dup);
1408
1409 bssl::UniquePtr<STACK_OF(X509_NAME)> stack(sk_X509_NAME_new_null());
1410 ASSERT_TRUE(stack);
David Benjamin2908dd12018-06-29 17:46:42 -0400[diff] [blame]1411 ASSERT_TRUE(PushToStack(stack.get(), std::move(name_dup)));
David Benjaminc79ae7a2017-08-29 16:09:44 -0400[diff] [blame]1412
1413 // |SSL_set_client_CA_list| takes ownership.
1414 SSL_set_client_CA_list(ssl.get(), stack.release());
1415
1416 STACK_OF(X509_NAME) *result = SSL_get_client_CA_list(ssl.get());
1417 ASSERT_TRUE(result);
1418 ASSERT_EQ(1u, sk_X509_NAME_num(result));
1419 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(result, 0), name.get()));
1420}
1421
1422TEST(SSLTest, AddClientCA) {
1423 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
1424 ASSERT_TRUE(ctx);
1425 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
1426 ASSERT_TRUE(ssl);
1427
1428 bssl::UniquePtr<X509> cert1 = GetTestCertificate();
1429 bssl::UniquePtr<X509> cert2 = GetChainTestCertificate();
1430 ASSERT_TRUE(cert1 && cert2);
1431 X509_NAME *name1 = X509_get_subject_name(cert1.get());
1432 X509_NAME *name2 = X509_get_subject_name(cert2.get());
1433
1434 EXPECT_EQ(0u, sk_X509_NAME_num(SSL_get_client_CA_list(ssl.get())));
1435
1436 ASSERT_TRUE(SSL_add_client_CA(ssl.get(), cert1.get()));
1437 ASSERT_TRUE(SSL_add_client_CA(ssl.get(), cert2.get()));
1438
1439 STACK_OF(X509_NAME) *list = SSL_get_client_CA_list(ssl.get());
1440 ASSERT_EQ(2u, sk_X509_NAME_num(list));
1441 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 0), name1));
1442 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 1), name2));
1443
1444 ASSERT_TRUE(SSL_add_client_CA(ssl.get(), cert1.get()));
1445
1446 list = SSL_get_client_CA_list(ssl.get());
1447 ASSERT_EQ(3u, sk_X509_NAME_num(list));
1448 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 0), name1));
1449 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 1), name2));
1450 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 2), name1));
1451}
1452
Daniel McArdle00e434d2021-02-18 11:47:18 -0500[diff] [blame]1453// kECHConfig contains a serialized ECHConfig value.
1454static const uint8_t kECHConfig[] = {
1455 // version
1456 0xfe, 0x09,
1457 // length
1458 0x00, 0x42,
1459 // contents.public_name
1460 0x00, 0x0e, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x2e, 0x65, 0x78, 0x61,
1461 0x6d, 0x70, 0x6c, 0x65,
1462 // contents.public_key
1463 0x00, 0x20, 0xa6, 0x9a, 0x41, 0x48, 0x5d, 0x32, 0x96, 0xa4, 0xe0, 0xc3,
1464 0x6a, 0xee, 0xf6, 0x63, 0x0f, 0x59, 0x32, 0x6f, 0xdc, 0xff, 0x81, 0x29,
1465 0x59, 0xa5, 0x85, 0xd3, 0x9b, 0x3b, 0xde, 0x98, 0x55, 0x5c,
1466 // contents.kem_id
1467 0x00, 0x20,
1468 // contents.cipher_suites
1469 0x00, 0x08, 0x00, 0x01, 0x00, 0x01, 0x00, 0x01, 0x00, 0x03,
1470 // contents.maximum_name_length
1471 0x00, 0x10,
1472 // contents.extensions
1473 0x00, 0x00};
1474
1475// kECHConfigPublicKey is the public key encoded in |kECHConfig|.
1476static const uint8_t kECHConfigPublicKey[X25519_PUBLIC_VALUE_LEN] = {
1477 0xa6, 0x9a, 0x41, 0x48, 0x5d, 0x32, 0x96, 0xa4, 0xe0, 0xc3, 0x6a,
1478 0xee, 0xf6, 0x63, 0x0f, 0x59, 0x32, 0x6f, 0xdc, 0xff, 0x81, 0x29,
1479 0x59, 0xa5, 0x85, 0xd3, 0x9b, 0x3b, 0xde, 0x98, 0x55, 0x5c};
1480
1481// kECHConfigPrivateKey is the X25519 private key corresponding to
1482// |kECHConfigPublicKey|.
1483static const uint8_t kECHConfigPrivateKey[X25519_PRIVATE_KEY_LEN] = {
1484 0xbc, 0xb5, 0x51, 0x29, 0x31, 0x10, 0x30, 0xc9, 0xed, 0x26, 0xde,
1485 0xd4, 0xb3, 0xdf, 0x3a, 0xce, 0x06, 0x8a, 0xee, 0x17, 0xab, 0xce,
1486 0xd7, 0xdb, 0xf3, 0x11, 0xe5, 0xa8, 0xf3, 0xb1, 0x8e, 0x24};
1487
1488// MakeECHConfig serializes an ECHConfig and writes it to |*out| with the
1489// specified parameters. |cipher_suites| is a list of code points which should
1490// contain pairs of KDF and AEAD IDs.
1491bool MakeECHConfig(std::vector<uint8_t> *out, uint16_t kem_id,
1492 Span<const uint8_t> public_key,
1493 Span<const uint16_t> cipher_suites,
1494 Span<const uint8_t> extensions) {
1495 bssl::ScopedCBB cbb;
1496 CBB contents, child;
1497 static const char kPublicName[] = "example.com";
1498 if (!CBB_init(cbb.get(), 64) ||
1499 !CBB_add_u16(cbb.get(), TLSEXT_TYPE_encrypted_client_hello) ||
1500 !CBB_add_u16_length_prefixed(cbb.get(), &contents) ||
1501 !CBB_add_u16_length_prefixed(&contents, &child) ||
1502 !CBB_add_bytes(&child, reinterpret_cast<const uint8_t *>(kPublicName),
1503 strlen(kPublicName)) ||
1504 !CBB_add_u16_length_prefixed(&contents, &child) ||
1505 !CBB_add_bytes(&child, public_key.data(), public_key.size()) ||
1506 !CBB_add_u16(&contents, kem_id) ||
1507 !CBB_add_u16_length_prefixed(&contents, &child)) {
1508 return false;
1509 }
1510 for (uint16_t cipher_suite : cipher_suites) {
1511 if (!CBB_add_u16(&child, cipher_suite)) {
1512 return false;
1513 }
1514 }
1515 if (!CBB_add_u16(&contents, strlen(kPublicName)) || // maximum_name_length
1516 !CBB_add_u16_length_prefixed(&contents, &child) ||
1517 !CBB_add_bytes(&child, extensions.data(), extensions.size()) ||
1518 !CBB_flush(cbb.get())) {
1519 return false;
1520 }
1521
1522 out->assign(CBB_data(cbb.get()), CBB_data(cbb.get()) + CBB_len(cbb.get()));
1523 return true;
1524}
1525
1526TEST(SSLTest, ECHServerConfigList) {
1527 // kWrongPrivateKey is an unrelated, but valid X25519 private key.
1528 const uint8_t kWrongPrivateKey[X25519_PRIVATE_KEY_LEN] = {
1529 0xbb, 0xfe, 0x08, 0xf7, 0x31, 0xde, 0x9c, 0x8a, 0xf2, 0x06, 0x4a,
1530 0x18, 0xd7, 0x8b, 0x79, 0x31, 0xe2, 0x53, 0xdd, 0x63, 0x8f, 0x58,
1531 0x42, 0xda, 0x21, 0x0e, 0x61, 0x97, 0x29, 0xcc, 0x17, 0x71};
1532
1533 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
1534 ASSERT_TRUE(ctx);
1535
1536 bssl::UniquePtr<SSL_ECH_SERVER_CONFIG_LIST> config_list(
1537 SSL_ECH_SERVER_CONFIG_LIST_new());
1538 ASSERT_TRUE(config_list);
1539
1540 // Adding an ECHConfig with the wrong private key is an error.
1541 ASSERT_FALSE(SSL_ECH_SERVER_CONFIG_LIST_add(
1542 config_list.get(), /*is_retry_config=*/1, kECHConfig, sizeof(kECHConfig),
1543 kWrongPrivateKey, sizeof(kWrongPrivateKey)));
1544 uint32_t err = ERR_get_error();
1545 EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err));
1546 EXPECT_EQ(SSL_R_ECH_SERVER_CONFIG_AND_PRIVATE_KEY_MISMATCH,
1547 ERR_GET_REASON(err));
1548 ERR_clear_error();
1549
1550 // Adding an ECHConfig with the matching private key succeeds.
1551 ASSERT_TRUE(SSL_ECH_SERVER_CONFIG_LIST_add(
1552 config_list.get(), /*is_retry_config=*/1, kECHConfig, sizeof(kECHConfig),
1553 kECHConfigPrivateKey, sizeof(kECHConfigPrivateKey)));
1554
1555 ASSERT_TRUE(
1556 SSL_CTX_set1_ech_server_config_list(ctx.get(), config_list.get()));
1557
1558 // Build a new config list and replace the old one on |ctx|.
1559 bssl::UniquePtr<SSL_ECH_SERVER_CONFIG_LIST> next_config_list(
1560 SSL_ECH_SERVER_CONFIG_LIST_new());
1561 ASSERT_TRUE(SSL_ECH_SERVER_CONFIG_LIST_add(
1562 next_config_list.get(), /*is_retry_config=*/1, kECHConfig,
1563 sizeof(kECHConfig), kECHConfigPrivateKey, sizeof(kECHConfigPrivateKey)));
1564 ASSERT_TRUE(
1565 SSL_CTX_set1_ech_server_config_list(ctx.get(), next_config_list.get()));
1566}
1567
1568TEST(SSLTest, ECHServerConfigListTruncatedPublicKey) {
1569 std::vector<uint8_t> ech_config;
1570 ASSERT_TRUE(MakeECHConfig(
1571 &ech_config, EVP_HPKE_DHKEM_X25519_HKDF_SHA256,
1572 MakeConstSpan(kECHConfigPublicKey, sizeof(kECHConfigPublicKey) - 1),
1573 std::vector<uint16_t>{EVP_HPKE_HKDF_SHA256, EVP_HPKE_AEAD_AES_128_GCM},
1574 /*extensions=*/{}));
1575
1576 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
1577 ASSERT_TRUE(ctx);
1578
1579 bssl::UniquePtr<SSL_ECH_SERVER_CONFIG_LIST> config_list(
1580 SSL_ECH_SERVER_CONFIG_LIST_new());
1581 ASSERT_TRUE(config_list);
1582 ASSERT_FALSE(SSL_ECH_SERVER_CONFIG_LIST_add(
1583 config_list.get(), /*is_retry_config=*/1, ech_config.data(),
1584 ech_config.size(), kECHConfigPrivateKey, sizeof(kECHConfigPrivateKey)));
1585
1586 uint32_t err = ERR_peek_error();
1587 EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err));
1588 EXPECT_EQ(SSL_R_UNSUPPORTED_ECH_SERVER_CONFIG, ERR_GET_REASON(err));
1589 ERR_clear_error();
1590}
1591
1592// Test that |SSL_CTX_set1_ech_server_config_list| fails when the config list
1593// has no retry configs.
1594TEST(SSLTest, ECHServerConfigsWithoutRetryConfigs) {
1595 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
1596 ASSERT_TRUE(ctx);
1597
1598 bssl::UniquePtr<SSL_ECH_SERVER_CONFIG_LIST> config_list(
1599 SSL_ECH_SERVER_CONFIG_LIST_new());
1600 ASSERT_TRUE(config_list);
1601
1602 // Adding an ECHConfig with the matching private key succeeds.
1603 ASSERT_TRUE(SSL_ECH_SERVER_CONFIG_LIST_add(
1604 config_list.get(), /*is_retry_config=*/0, kECHConfig, sizeof(kECHConfig),
1605 kECHConfigPrivateKey, sizeof(kECHConfigPrivateKey)));
1606
1607 ASSERT_FALSE(
1608 SSL_CTX_set1_ech_server_config_list(ctx.get(), config_list.get()));
1609 uint32_t err = ERR_peek_error();
1610 EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err));
1611 EXPECT_EQ(SSL_R_ECH_SERVER_WOULD_HAVE_NO_RETRY_CONFIGS, ERR_GET_REASON(err));
1612 ERR_clear_error();
1613
1614 // Add the same ECHConfig to the list, but this time mark it as a retry
1615 // config.
1616 ASSERT_TRUE(SSL_ECH_SERVER_CONFIG_LIST_add(
1617 config_list.get(), /*is_retry_config=*/1, kECHConfig, sizeof(kECHConfig),
1618 kECHConfigPrivateKey, sizeof(kECHConfigPrivateKey)));
1619 ASSERT_TRUE(
1620 SSL_CTX_set1_ech_server_config_list(ctx.get(), config_list.get()));
1621}
1622
1623// Test that the server APIs reject ECHConfigs with unsupported features.
1624TEST(SSLTest, UnsupportedECHConfig) {
1625 bssl::UniquePtr<SSL_ECH_SERVER_CONFIG_LIST> config_list(
1626 SSL_ECH_SERVER_CONFIG_LIST_new());
1627 ASSERT_TRUE(config_list);
1628
1629 // Unsupported versions are rejected.
1630 static const uint8_t kUnsupportedVersion[] = {0xff, 0xff, 0x00, 0x00};
1631 EXPECT_FALSE(SSL_ECH_SERVER_CONFIG_LIST_add(
1632 config_list.get(), /*is_retry_config=*/1, kUnsupportedVersion,
1633 sizeof(kUnsupportedVersion), kECHConfigPrivateKey,
1634 sizeof(kECHConfigPrivateKey)));
1635
1636 // Unsupported cipher suites are rejected. (We only support HKDF-SHA256.)
1637 std::vector<uint8_t> ech_config;
1638 ASSERT_TRUE(MakeECHConfig(
1639 &ech_config, EVP_HPKE_DHKEM_X25519_HKDF_SHA256, kECHConfigPublicKey,
1640 std::vector<uint16_t>{EVP_HPKE_HKDF_SHA384, EVP_HPKE_AEAD_AES_128_GCM},
1641 /*extensions=*/{}));
1642 EXPECT_FALSE(SSL_ECH_SERVER_CONFIG_LIST_add(
1643 config_list.get(), /*is_retry_config=*/1, ech_config.data(),
1644 ech_config.size(), kECHConfigPrivateKey, sizeof(kECHConfigPrivateKey)));
1645
1646 // Unsupported KEMs are rejected.
1647 static const uint8_t kP256PublicKey[] = {
1648 0x04, 0xe6, 0x2b, 0x69, 0xe2, 0xbf, 0x65, 0x9f, 0x97, 0xbe, 0x2f,
1649 0x1e, 0x0d, 0x94, 0x8a, 0x4c, 0xd5, 0x97, 0x6b, 0xb7, 0xa9, 0x1e,
1650 0x0d, 0x46, 0xfb, 0xdd, 0xa9, 0xa9, 0x1e, 0x9d, 0xdc, 0xba, 0x5a,
1651 0x01, 0xe7, 0xd6, 0x97, 0xa8, 0x0a, 0x18, 0xf9, 0xc3, 0xc4, 0xa3,
1652 0x1e, 0x56, 0xe2, 0x7c, 0x83, 0x48, 0xdb, 0x16, 0x1a, 0x1c, 0xf5,
1653 0x1d, 0x7e, 0xf1, 0x94, 0x2d, 0x4b, 0xcf, 0x72, 0x22, 0xc1};
1654 static const uint8_t kP256PrivateKey[] = {
1655 0x07, 0x0f, 0x08, 0x72, 0x7a, 0xd4, 0xa0, 0x4a, 0x9c, 0xdd, 0x59,
1656 0xc9, 0x4d, 0x89, 0x68, 0x77, 0x08, 0xb5, 0x6f, 0xc9, 0x5d, 0x30,
1657 0x77, 0x0e, 0xe8, 0xd1, 0xc9, 0xce, 0x0a, 0x8b, 0xb4, 0x6a};
1658 ASSERT_TRUE(MakeECHConfig(
1659 &ech_config, 0x0010 /* DHKEM(P-256, HKDF-SHA256) */, kP256PublicKey,
1660 std::vector<uint16_t>{EVP_HPKE_HKDF_SHA256, EVP_HPKE_AEAD_AES_128_GCM},
1661 /*extensions=*/{}));
1662 EXPECT_FALSE(SSL_ECH_SERVER_CONFIG_LIST_add(
1663 config_list.get(), /*is_retry_config=*/1, ech_config.data(),
1664 ech_config.size(), kP256PrivateKey, sizeof(kP256PrivateKey)));
1665
1666 // Unsupported extensions are rejected.
1667 static const uint8_t kExtensions[] = {0x00, 0x01, 0x00, 0x00};
1668 ASSERT_TRUE(MakeECHConfig(
1669 &ech_config, EVP_HPKE_DHKEM_X25519_HKDF_SHA256, kECHConfigPublicKey,
1670 std::vector<uint16_t>{EVP_HPKE_HKDF_SHA256, EVP_HPKE_AEAD_AES_128_GCM},
1671 kExtensions));
1672 EXPECT_FALSE(SSL_ECH_SERVER_CONFIG_LIST_add(
1673 config_list.get(), /*is_retry_config=*/1, ech_config.data(),
1674 ech_config.size(), kECHConfigPrivateKey, sizeof(kECHConfigPrivateKey)));
1675}
1676
David Benjaminc79ae7a2017-08-29 16:09:44 -0400[diff] [blame]1677static void AppendSession(SSL_SESSION *session, void *arg) {
1678 std::vector<SSL_SESSION*> *out =
1679 reinterpret_cast<std::vector<SSL_SESSION*>*>(arg);
1680 out->push_back(session);
1681}
1682
1683// CacheEquals returns true if |ctx|'s session cache consists of |expected|, in
1684// order.
1685static bool CacheEquals(SSL_CTX *ctx,
1686 const std::vector<SSL_SESSION*> &expected) {
1687 // Check the linked list.
1688 SSL_SESSION *ptr = ctx->session_cache_head;
1689 for (SSL_SESSION *session : expected) {
1690 if (ptr != session) {
1691 return false;
1692 }
1693 // TODO(davidben): This is an absurd way to denote the end of the list.
1694 if (ptr->next ==
1695 reinterpret_cast<SSL_SESSION *>(&ctx->session_cache_tail)) {
1696 ptr = nullptr;
1697 } else {
1698 ptr = ptr->next;
1699 }
1700 }
1701 if (ptr != nullptr) {
1702 return false;
1703 }
1704
1705 // Check the hash table.
1706 std::vector<SSL_SESSION*> actual, expected_copy;
David Benjamin9eaa3bd2017-09-27 17:03:54 -0400[diff] [blame]1707 lh_SSL_SESSION_doall_arg(ctx->sessions, AppendSession, &actual);
David Benjaminc79ae7a2017-08-29 16:09:44 -0400[diff] [blame]1708 expected_copy = expected;
1709
1710 std::sort(actual.begin(), actual.end());
1711 std::sort(expected_copy.begin(), expected_copy.end());
1712
1713 return actual == expected_copy;
1714}
1715
1716static bssl::UniquePtr<SSL_SESSION> CreateTestSession(uint32_t number) {
1717 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
1718 if (!ssl_ctx) {
1719 return nullptr;
1720 }
1721 bssl::UniquePtr<SSL_SESSION> ret(SSL_SESSION_new(ssl_ctx.get()));
1722 if (!ret) {
1723 return nullptr;
1724 }
1725
David Benjaminaaef8332018-06-29 16:45:49 -0400[diff] [blame]1726 uint8_t id[SSL3_SSL_SESSION_ID_LENGTH] = {0};
1727 OPENSSL_memcpy(id, &number, sizeof(number));
1728 if (!SSL_SESSION_set1_id(ret.get(), id, sizeof(id))) {
1729 return nullptr;
1730 }
David Benjaminc79ae7a2017-08-29 16:09:44 -0400[diff] [blame]1731 return ret;
1732}
1733
1734// Test that the internal session cache behaves as expected.
1735TEST(SSLTest, InternalSessionCache) {
1736 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
1737 ASSERT_TRUE(ctx);
1738
1739 // Prepare 10 test sessions.
1740 std::vector<bssl::UniquePtr<SSL_SESSION>> sessions;
1741 for (int i = 0; i < 10; i++) {
1742 bssl::UniquePtr<SSL_SESSION> session = CreateTestSession(i);
1743 ASSERT_TRUE(session);
1744 sessions.push_back(std::move(session));
1745 }
1746
1747 SSL_CTX_sess_set_cache_size(ctx.get(), 5);
1748
1749 // Insert all the test sessions.
1750 for (const auto &session : sessions) {
1751 ASSERT_TRUE(SSL_CTX_add_session(ctx.get(), session.get()));
1752 }
1753
1754 // Only the last five should be in the list.
1755 ASSERT_TRUE(CacheEquals(
1756 ctx.get(), {sessions[9].get(), sessions[8].get(), sessions[7].get(),
1757 sessions[6].get(), sessions[5].get()}));
1758
1759 // Inserting an element already in the cache should fail and leave the cache
1760 // unchanged.
1761 ASSERT_FALSE(SSL_CTX_add_session(ctx.get(), sessions[7].get()));
1762 ASSERT_TRUE(CacheEquals(
1763 ctx.get(), {sessions[9].get(), sessions[8].get(), sessions[7].get(),
1764 sessions[6].get(), sessions[5].get()}));
1765
1766 // Although collisions should be impossible (256-bit session IDs), the cache
1767 // must handle them gracefully.
1768 bssl::UniquePtr<SSL_SESSION> collision(CreateTestSession(7));
1769 ASSERT_TRUE(collision);
1770 ASSERT_TRUE(SSL_CTX_add_session(ctx.get(), collision.get()));
1771 ASSERT_TRUE(CacheEquals(
1772 ctx.get(), {collision.get(), sessions[9].get(), sessions[8].get(),
1773 sessions[6].get(), sessions[5].get()}));
1774
1775 // Removing sessions behaves correctly.
1776 ASSERT_TRUE(SSL_CTX_remove_session(ctx.get(), sessions[6].get()));
1777 ASSERT_TRUE(CacheEquals(ctx.get(), {collision.get(), sessions[9].get(),
1778 sessions[8].get(), sessions[5].get()}));
1779
1780 // Removing sessions requires an exact match.
1781 ASSERT_FALSE(SSL_CTX_remove_session(ctx.get(), sessions[0].get()));
1782 ASSERT_FALSE(SSL_CTX_remove_session(ctx.get(), sessions[7].get()));
1783
1784 // The cache remains unchanged.
1785 ASSERT_TRUE(CacheEquals(ctx.get(), {collision.get(), sessions[9].get(),
1786 sessions[8].get(), sessions[5].get()}));
1787}
1788
1789static uint16_t EpochFromSequence(uint64_t seq) {
1790 return static_cast<uint16_t>(seq >> 48);
1791}
1792
David Benjamin71dfad42017-07-16 17:27:39 -0400[diff] [blame]1793static const uint8_t kTestName[] = {
1794 0x30, 0x45, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
1795 0x02, 0x41, 0x55, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
1796 0x0c, 0x0a, 0x53, 0x6f, 0x6d, 0x65, 0x2d, 0x53, 0x74, 0x61, 0x74, 0x65,
1797 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x18, 0x49,
1798 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x20, 0x57, 0x69, 0x64, 0x67,
1799 0x69, 0x74, 0x73, 0x20, 0x50, 0x74, 0x79, 0x20, 0x4c, 0x74, 0x64,
1800};
1801
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]1802static bool CompleteHandshakes(SSL *client, SSL *server) {
1803 // Drive both their handshakes to completion.
1804 for (;;) {
1805 int client_ret = SSL_do_handshake(client);
1806 int client_err = SSL_get_error(client, client_ret);
1807 if (client_err != SSL_ERROR_NONE &&
1808 client_err != SSL_ERROR_WANT_READ &&
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]1809 client_err != SSL_ERROR_WANT_WRITE &&
1810 client_err != SSL_ERROR_PENDING_TICKET) {
Matthew Braithwaite4f3e8212020-01-08 16:56:48 -0800[diff] [blame]1811 fprintf(stderr, "Client error: %s\n", SSL_error_description(client_err));
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]1812 return false;
1813 }
1814
1815 int server_ret = SSL_do_handshake(server);
1816 int server_err = SSL_get_error(server, server_ret);
1817 if (server_err != SSL_ERROR_NONE &&
1818 server_err != SSL_ERROR_WANT_READ &&
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]1819 server_err != SSL_ERROR_WANT_WRITE &&
1820 server_err != SSL_ERROR_PENDING_TICKET) {
Matthew Braithwaite4f3e8212020-01-08 16:56:48 -0800[diff] [blame]1821 fprintf(stderr, "Server error: %s\n", SSL_error_description(server_err));
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]1822 return false;
1823 }
1824
1825 if (client_ret == 1 && server_ret == 1) {
1826 break;
1827 }
1828 }
1829
1830 return true;
1831}
1832
Steven Valdez777a2392019-02-21 11:30:47 -0500[diff] [blame]1833static bool FlushNewSessionTickets(SSL *client, SSL *server) {
1834 // NewSessionTickets are deferred on the server to |SSL_write|, and clients do
1835 // not pick them up until |SSL_read|.
1836 for (;;) {
1837 int server_ret = SSL_write(server, nullptr, 0);
1838 int server_err = SSL_get_error(server, server_ret);
1839 // The server may either succeed (|server_ret| is zero) or block on write
1840 // (|server_ret| is -1 and |server_err| is |SSL_ERROR_WANT_WRITE|).
1841 if (server_ret > 0 ||
1842 (server_ret < 0 && server_err != SSL_ERROR_WANT_WRITE)) {
1843 fprintf(stderr, "Unexpected server result: %d %d\n", server_ret,
1844 server_err);
1845 return false;
1846 }
1847
1848 int client_ret = SSL_read(client, nullptr, 0);
1849 int client_err = SSL_get_error(client, client_ret);
1850 // The client must always block on read.
1851 if (client_ret != -1 || client_err != SSL_ERROR_WANT_READ) {
1852 fprintf(stderr, "Unexpected client result: %d %d\n", client_ret,
1853 client_err);
1854 return false;
1855 }
1856
1857 // The server flushed everything it had to write.
1858 if (server_ret == 0) {
1859 return true;
1860 }
1861 }
1862}
1863
David Benjamina8614602017-09-06 15:40:19 -0400[diff] [blame]1864struct ClientConfig {
1865 SSL_SESSION *session = nullptr;
1866 std::string servername;
Matthew Braithwaite4f3e8212020-01-08 16:56:48 -0800[diff] [blame]1867 bool early_data = false;
David Benjamina8614602017-09-06 15:40:19 -0400[diff] [blame]1868};
1869
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]1870static bool ConnectClientAndServer(bssl::UniquePtr<SSL> *out_client,
1871 bssl::UniquePtr<SSL> *out_server,
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]1872 SSL_CTX *client_ctx, SSL_CTX *server_ctx,
Adam Langleyddb57cf2018-01-26 09:17:53 -0800[diff] [blame]1873 const ClientConfig &config = ClientConfig(),
Matthew Braithwaiteb7bc80a2018-04-13 15:51:30 -0700[diff] [blame]1874 bool do_handshake = true,
1875 bool shed_handshake_config = true) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1876 bssl::UniquePtr<SSL> client(SSL_new(client_ctx)), server(SSL_new(server_ctx));
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1877 if (!client || !server) {
1878 return false;
1879 }
Matthew Braithwaite4f3e8212020-01-08 16:56:48 -0800[diff] [blame]1880 if (config.early_data) {
1881 SSL_set_early_data_enabled(client.get(), 1);
1882 }
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1883 SSL_set_connect_state(client.get());
1884 SSL_set_accept_state(server.get());
1885
David Benjamina8614602017-09-06 15:40:19 -0400[diff] [blame]1886 if (config.session) {
1887 SSL_set_session(client.get(), config.session);
1888 }
1889 if (!config.servername.empty() &&
1890 !SSL_set_tlsext_host_name(client.get(), config.servername.c_str())) {
1891 return false;
1892 }
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]1893
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1894 BIO *bio1, *bio2;
1895 if (!BIO_new_bio_pair(&bio1, 0, &bio2, 0)) {
1896 return false;
1897 }
1898 // SSL_set_bio takes ownership.
1899 SSL_set_bio(client.get(), bio1, bio1);
1900 SSL_set_bio(server.get(), bio2, bio2);
1901
Matthew Braithwaiteb7bc80a2018-04-13 15:51:30 -0700[diff] [blame]1902 SSL_set_shed_handshake_config(client.get(), shed_handshake_config);
1903 SSL_set_shed_handshake_config(server.get(), shed_handshake_config);
1904
Adam Langleyddb57cf2018-01-26 09:17:53 -0800[diff] [blame]1905 if (do_handshake && !CompleteHandshakes(client.get(), server.get())) {
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]1906 return false;
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1907 }
1908
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1909 *out_client = std::move(client);
1910 *out_server = std::move(server);
1911 return true;
1912}
1913
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]1914// SSLVersionTest executes its test cases under all available protocol versions.
1915// Test cases call |Connect| to create a connection using context objects with
1916// the protocol version fixed to the current version under test.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]1917class SSLVersionTest : public ::testing::TestWithParam<VersionParam> {
1918 protected:
1919 SSLVersionTest() : cert_(GetTestCertificate()), key_(GetTestKey()) {}
1920
1921 void SetUp() { ResetContexts(); }
1922
1923 bssl::UniquePtr<SSL_CTX> CreateContext() const {
1924 const SSL_METHOD *method = is_dtls() ? DTLS_method() : TLS_method();
1925 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method));
1926 if (!ctx || !SSL_CTX_set_min_proto_version(ctx.get(), version()) ||
1927 !SSL_CTX_set_max_proto_version(ctx.get(), version())) {
1928 return nullptr;
1929 }
1930 return ctx;
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1931 }
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1932
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]1933 void ResetContexts() {
1934 ASSERT_TRUE(cert_);
1935 ASSERT_TRUE(key_);
1936 client_ctx_ = CreateContext();
1937 ASSERT_TRUE(client_ctx_);
1938 server_ctx_ = CreateContext();
1939 ASSERT_TRUE(server_ctx_);
1940 // Set up a server cert. Client certs can be set up explicitly.
1941 ASSERT_TRUE(UseCertAndKey(server_ctx_.get()));
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1942 }
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1943
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]1944 bool UseCertAndKey(SSL_CTX *ctx) const {
1945 return SSL_CTX_use_certificate(ctx, cert_.get()) &&
1946 SSL_CTX_use_PrivateKey(ctx, key_.get());
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1947 }
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1948
David Benjamina8614602017-09-06 15:40:19 -0400[diff] [blame]1949 bool Connect(const ClientConfig &config = ClientConfig()) {
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]1950 return ConnectClientAndServer(&client_, &server_, client_ctx_.get(),
Matthew Braithwaiteb7bc80a2018-04-13 15:51:30 -0700[diff] [blame]1951 server_ctx_.get(), config, true,
1952 shed_handshake_config_);
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]1953 }
1954
1955 uint16_t version() const { return GetParam().version; }
1956
1957 bool is_dtls() const {
1958 return GetParam().ssl_method == VersionParam::is_dtls;
1959 }
1960
Matthew Braithwaiteb7bc80a2018-04-13 15:51:30 -0700[diff] [blame]1961 bool shed_handshake_config_ = true;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]1962 bssl::UniquePtr<SSL> client_, server_;
1963 bssl::UniquePtr<SSL_CTX> server_ctx_, client_ctx_;
1964 bssl::UniquePtr<X509> cert_;
1965 bssl::UniquePtr<EVP_PKEY> key_;
1966};
1967
David Benjaminbe7006a2019-04-09 18:05:02 -0500[diff] [blame]1968INSTANTIATE_TEST_SUITE_P(WithVersion, SSLVersionTest,
1969 testing::ValuesIn(kAllVersions),
1970 [](const testing::TestParamInfo<VersionParam> &i) {
1971 return i.param.name;
1972 });
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]1973
1974TEST_P(SSLVersionTest, SequenceNumber) {
1975 ASSERT_TRUE(Connect());
1976
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1977 // Drain any post-handshake messages to ensure there are no unread records
1978 // on either end.
Steven Valdez777a2392019-02-21 11:30:47 -0500[diff] [blame]1979 ASSERT_TRUE(FlushNewSessionTickets(client_.get(), server_.get()));
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1980
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]1981 uint64_t client_read_seq = SSL_get_read_sequence(client_.get());
1982 uint64_t client_write_seq = SSL_get_write_sequence(client_.get());
1983 uint64_t server_read_seq = SSL_get_read_sequence(server_.get());
1984 uint64_t server_write_seq = SSL_get_write_sequence(server_.get());
Steven Valdez2c62fe92016-10-14 12:08:12 -0400[diff] [blame]1985
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]1986 if (is_dtls()) {
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1987 // Both client and server must be at epoch 1.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]1988 EXPECT_EQ(EpochFromSequence(client_read_seq), 1);
1989 EXPECT_EQ(EpochFromSequence(client_write_seq), 1);
1990 EXPECT_EQ(EpochFromSequence(server_read_seq), 1);
1991 EXPECT_EQ(EpochFromSequence(server_write_seq), 1);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1992
1993 // The next record to be written should exceed the largest received.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]1994 EXPECT_GT(client_write_seq, server_read_seq);
1995 EXPECT_GT(server_write_seq, client_read_seq);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1996 } else {
1997 // The next record to be written should equal the next to be received.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]1998 EXPECT_EQ(client_write_seq, server_read_seq);
1999 EXPECT_EQ(server_write_seq, client_read_seq);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2000 }
2001
2002 // Send a record from client to server.
Steven Valdez777a2392019-02-21 11:30:47 -0500[diff] [blame]2003 uint8_t byte = 0;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2004 EXPECT_EQ(SSL_write(client_.get(), &byte, 1), 1);
2005 EXPECT_EQ(SSL_read(server_.get(), &byte, 1), 1);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2006
2007 // The client write and server read sequence numbers should have
2008 // incremented.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2009 EXPECT_EQ(client_write_seq + 1, SSL_get_write_sequence(client_.get()));
2010 EXPECT_EQ(server_read_seq + 1, SSL_get_read_sequence(server_.get()));
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]2011}
2012
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2013TEST_P(SSLVersionTest, OneSidedShutdown) {
David Benjamin68f37b72016-11-18 15:14:42 +0900[diff] [blame]2014 // SSL_shutdown is a no-op in DTLS.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2015 if (is_dtls()) {
2016 return;
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]2017 }
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2018 ASSERT_TRUE(Connect());
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]2019
2020 // Shut down half the connection. SSL_shutdown will return 0 to signal only
2021 // one side has shut down.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2022 ASSERT_EQ(SSL_shutdown(client_.get()), 0);
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]2023
2024 // Reading from the server should consume the EOF.
2025 uint8_t byte;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2026 ASSERT_EQ(SSL_read(server_.get(), &byte, 1), 0);
2027 ASSERT_EQ(SSL_get_error(server_.get(), 0), SSL_ERROR_ZERO_RETURN);
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]2028
2029 // However, the server may continue to write data and then shut down the
2030 // connection.
2031 byte = 42;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2032 ASSERT_EQ(SSL_write(server_.get(), &byte, 1), 1);
2033 ASSERT_EQ(SSL_read(client_.get(), &byte, 1), 1);
2034 ASSERT_EQ(byte, 42);
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]2035
2036 // The server may then shutdown the connection.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2037 EXPECT_EQ(SSL_shutdown(server_.get()), 1);
2038 EXPECT_EQ(SSL_shutdown(client_.get()), 1);
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]2039}
David Benjamin68f37b72016-11-18 15:14:42 +0900[diff] [blame]2040
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2041TEST(SSLTest, SessionDuplication) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2042 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
2043 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2044 ASSERT_TRUE(client_ctx);
2045 ASSERT_TRUE(server_ctx);
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]2046
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2047 bssl::UniquePtr<X509> cert = GetTestCertificate();
2048 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2049 ASSERT_TRUE(cert);
2050 ASSERT_TRUE(key);
2051 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
2052 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]2053
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2054 bssl::UniquePtr<SSL> client, server;
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2055 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
David Benjamina8614602017-09-06 15:40:19 -0400[diff] [blame]2056 server_ctx.get()));
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]2057
2058 SSL_SESSION *session0 = SSL_get_session(client.get());
David Benjamin31b0c9b2017-07-20 14:49:15 -0400[diff] [blame]2059 bssl::UniquePtr<SSL_SESSION> session1 =
2060 bssl::SSL_SESSION_dup(session0, SSL_SESSION_DUP_ALL);
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2061 ASSERT_TRUE(session1);
David Benjamin4501bd52016-08-01 13:39:41 -0400[diff] [blame]2062
David Benjamina3a71e92018-06-29 13:24:45 -0400[diff] [blame]2063 session1->not_resumable = false;
Steven Valdez84b5c002016-08-25 16:30:58 -0400[diff] [blame]2064
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]2065 uint8_t *s0_bytes, *s1_bytes;
2066 size_t s0_len, s1_len;
2067
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2068 ASSERT_TRUE(SSL_SESSION_to_bytes(session0, &s0_bytes, &s0_len));
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2069 bssl::UniquePtr<uint8_t> free_s0(s0_bytes);
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]2070
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2071 ASSERT_TRUE(SSL_SESSION_to_bytes(session1.get(), &s1_bytes, &s1_len));
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2072 bssl::UniquePtr<uint8_t> free_s1(s1_bytes);
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]2073
David Benjamin7d7554b2017-02-04 11:48:59 -0500[diff] [blame]2074 EXPECT_EQ(Bytes(s0_bytes, s0_len), Bytes(s1_bytes, s1_len));
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]2075}
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]2076
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2077static void ExpectFDs(const SSL *ssl, int rfd, int wfd) {
David Benjaminca743582017-06-15 17:51:35 -0400[diff] [blame]2078 EXPECT_EQ(rfd, SSL_get_fd(ssl));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2079 EXPECT_EQ(rfd, SSL_get_rfd(ssl));
2080 EXPECT_EQ(wfd, SSL_get_wfd(ssl));
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]2081
2082 // The wrapper BIOs are always equal when fds are equal, even if set
2083 // individually.
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2084 if (rfd == wfd) {
2085 EXPECT_EQ(SSL_get_rbio(ssl), SSL_get_wbio(ssl));
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]2086 }
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]2087}
2088
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2089TEST(SSLTest, SetFD) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2090 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2091 ASSERT_TRUE(ctx);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]2092
2093 // Test setting different read and write FDs.
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2094 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2095 ASSERT_TRUE(ssl);
2096 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
2097 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 2));
2098 ExpectFDs(ssl.get(), 1, 2);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]2099
2100 // Test setting the same FD.
2101 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2102 ASSERT_TRUE(ssl);
2103 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
2104 ExpectFDs(ssl.get(), 1, 1);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]2105
2106 // Test setting the same FD one side at a time.
2107 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2108 ASSERT_TRUE(ssl);
2109 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
2110 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 1));
2111 ExpectFDs(ssl.get(), 1, 1);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]2112
2113 // Test setting the same FD in the other order.
2114 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2115 ASSERT_TRUE(ssl);
2116 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 1));
2117 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
2118 ExpectFDs(ssl.get(), 1, 1);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]2119
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]2120 // Test changing the read FD partway through.
2121 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2122 ASSERT_TRUE(ssl);
2123 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
2124 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 2));
2125 ExpectFDs(ssl.get(), 2, 1);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]2126
2127 // Test changing the write FD partway through.
2128 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2129 ASSERT_TRUE(ssl);
2130 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
2131 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 2));
2132 ExpectFDs(ssl.get(), 1, 2);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]2133
2134 // Test a no-op change to the read FD partway through.
2135 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2136 ASSERT_TRUE(ssl);
2137 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
2138 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
2139 ExpectFDs(ssl.get(), 1, 1);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]2140
2141 // Test a no-op change to the write FD partway through.
2142 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2143 ASSERT_TRUE(ssl);
2144 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
2145 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 1));
2146 ExpectFDs(ssl.get(), 1, 1);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]2147
2148 // ASan builds will implicitly test that the internal |BIO| reference-counting
2149 // is correct.
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]2150}
2151
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2152TEST(SSLTest, SetBIO) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2153 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2154 ASSERT_TRUE(ctx);
David Benjamin4501bd52016-08-01 13:39:41 -0400[diff] [blame]2155
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2156 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
2157 bssl::UniquePtr<BIO> bio1(BIO_new(BIO_s_mem())), bio2(BIO_new(BIO_s_mem())),
David Benjamin4501bd52016-08-01 13:39:41 -0400[diff] [blame]2158 bio3(BIO_new(BIO_s_mem()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2159 ASSERT_TRUE(ssl);
2160 ASSERT_TRUE(bio1);
2161 ASSERT_TRUE(bio2);
2162 ASSERT_TRUE(bio3);
David Benjamin4501bd52016-08-01 13:39:41 -0400[diff] [blame]2163
2164 // SSL_set_bio takes one reference when the parameters are the same.
2165 BIO_up_ref(bio1.get());
2166 SSL_set_bio(ssl.get(), bio1.get(), bio1.get());
2167
2168 // Repeating the call does nothing.
2169 SSL_set_bio(ssl.get(), bio1.get(), bio1.get());
2170
2171 // It takes one reference each when the parameters are different.
2172 BIO_up_ref(bio2.get());
2173 BIO_up_ref(bio3.get());
2174 SSL_set_bio(ssl.get(), bio2.get(), bio3.get());
2175
2176 // Repeating the call does nothing.
2177 SSL_set_bio(ssl.get(), bio2.get(), bio3.get());
2178
2179 // It takes one reference when changing only wbio.
2180 BIO_up_ref(bio1.get());
2181 SSL_set_bio(ssl.get(), bio2.get(), bio1.get());
2182
2183 // It takes one reference when changing only rbio and the two are different.
2184 BIO_up_ref(bio3.get());
2185 SSL_set_bio(ssl.get(), bio3.get(), bio1.get());
2186
2187 // If setting wbio to rbio, it takes no additional references.
2188 SSL_set_bio(ssl.get(), bio3.get(), bio3.get());
2189
2190 // From there, wbio may be switched to something else.
2191 BIO_up_ref(bio1.get());
2192 SSL_set_bio(ssl.get(), bio3.get(), bio1.get());
2193
2194 // If setting rbio to wbio, it takes no additional references.
2195 SSL_set_bio(ssl.get(), bio1.get(), bio1.get());
2196
2197 // From there, rbio may be switched to something else, but, for historical
2198 // reasons, it takes a reference to both parameters.
2199 BIO_up_ref(bio1.get());
2200 BIO_up_ref(bio2.get());
2201 SSL_set_bio(ssl.get(), bio2.get(), bio1.get());
2202
2203 // ASAN builds will implicitly test that the internal |BIO| reference-counting
2204 // is correct.
David Benjamin4501bd52016-08-01 13:39:41 -0400[diff] [blame]2205}
2206
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]2207static int VerifySucceed(X509_STORE_CTX *store_ctx, void *arg) { return 1; }
2208
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2209TEST_P(SSLVersionTest, GetPeerCertificate) {
2210 ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]2211
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2212 // Configure both client and server to accept any certificate.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2213 SSL_CTX_set_verify(client_ctx_.get(),
2214 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
2215 nullptr);
2216 SSL_CTX_set_cert_verify_callback(client_ctx_.get(), VerifySucceed, NULL);
2217 SSL_CTX_set_verify(server_ctx_.get(),
2218 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
2219 nullptr);
2220 SSL_CTX_set_cert_verify_callback(server_ctx_.get(), VerifySucceed, NULL);
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]2221
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2222 ASSERT_TRUE(Connect());
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]2223
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2224 // Client and server should both see the leaf certificate.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2225 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(server_.get()));
2226 ASSERT_TRUE(peer);
2227 ASSERT_EQ(X509_cmp(cert_.get(), peer.get()), 0);
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]2228
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2229 peer.reset(SSL_get_peer_certificate(client_.get()));
2230 ASSERT_TRUE(peer);
2231 ASSERT_EQ(X509_cmp(cert_.get(), peer.get()), 0);
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]2232
David Benjamine664a532017-07-20 20:19:36 -0400[diff] [blame]2233 // However, for historical reasons, the X509 chain includes the leaf on the
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2234 // client, but does not on the server.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2235 EXPECT_EQ(sk_X509_num(SSL_get_peer_cert_chain(client_.get())), 1u);
2236 EXPECT_EQ(sk_CRYPTO_BUFFER_num(SSL_get0_peer_certificates(client_.get())),
2237 1u);
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]2238
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2239 EXPECT_EQ(sk_X509_num(SSL_get_peer_cert_chain(server_.get())), 0u);
2240 EXPECT_EQ(sk_CRYPTO_BUFFER_num(SSL_get0_peer_certificates(server_.get())),
2241 1u);
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]2242}
2243
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2244TEST_P(SSLVersionTest, NoPeerCertificate) {
2245 SSL_CTX_set_verify(server_ctx_.get(), SSL_VERIFY_PEER, nullptr);
2246 SSL_CTX_set_cert_verify_callback(server_ctx_.get(), VerifySucceed, NULL);
2247 SSL_CTX_set_cert_verify_callback(client_ctx_.get(), VerifySucceed, NULL);
David Benjamine664a532017-07-20 20:19:36 -0400[diff] [blame]2248
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2249 ASSERT_TRUE(Connect());
David Benjamine664a532017-07-20 20:19:36 -0400[diff] [blame]2250
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2251 // Server should not see a peer certificate.
2252 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(server_.get()));
2253 ASSERT_FALSE(peer);
2254 ASSERT_FALSE(SSL_get0_peer_certificates(server_.get()));
David Benjamine664a532017-07-20 20:19:36 -0400[diff] [blame]2255}
2256
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2257TEST_P(SSLVersionTest, RetainOnlySHA256OfCerts) {
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]2258 uint8_t *cert_der = NULL;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2259 int cert_der_len = i2d_X509(cert_.get(), &cert_der);
2260 ASSERT_GE(cert_der_len, 0);
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2261 bssl::UniquePtr<uint8_t> free_cert_der(cert_der);
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]2262
2263 uint8_t cert_sha256[SHA256_DIGEST_LENGTH];
2264 SHA256(cert_der, cert_der_len, cert_sha256);
2265
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2266 ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
2267
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2268 // Configure both client and server to accept any certificate, but the
2269 // server must retain only the SHA-256 of the peer.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2270 SSL_CTX_set_verify(client_ctx_.get(),
2271 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
2272 nullptr);
2273 SSL_CTX_set_verify(server_ctx_.get(),
2274 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
2275 nullptr);
2276 SSL_CTX_set_cert_verify_callback(client_ctx_.get(), VerifySucceed, NULL);
2277 SSL_CTX_set_cert_verify_callback(server_ctx_.get(), VerifySucceed, NULL);
2278 SSL_CTX_set_retain_only_sha256_of_client_certs(server_ctx_.get(), 1);
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]2279
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2280 ASSERT_TRUE(Connect());
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]2281
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2282 // The peer certificate has been dropped.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2283 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(server_.get()));
2284 EXPECT_FALSE(peer);
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]2285
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2286 SSL_SESSION *session = SSL_get_session(server_.get());
David Benjamin02de7bd2018-05-08 18:13:54 -0400[diff] [blame]2287 EXPECT_TRUE(SSL_SESSION_has_peer_sha256(session));
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]2288
David Benjamin02de7bd2018-05-08 18:13:54 -0400[diff] [blame]2289 const uint8_t *peer_sha256;
2290 size_t peer_sha256_len;
2291 SSL_SESSION_get0_peer_sha256(session, &peer_sha256, &peer_sha256_len);
2292 EXPECT_EQ(Bytes(cert_sha256), Bytes(peer_sha256, peer_sha256_len));
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]2293}
2294
David Benjamin737d2df2017-09-25 15:05:19 -0400[diff] [blame]2295// Tests that our ClientHellos do not change unexpectedly. These are purely
2296// change detection tests. If they fail as part of an intentional ClientHello
2297// change, update the test vector.
2298TEST(SSLTest, ClientHello) {
2299 struct {
2300 uint16_t max_version;
2301 std::vector<uint8_t> expected;
2302 } kTests[] = {
David Benjamin737d2df2017-09-25 15:05:19 -0400[diff] [blame]2303 {TLS1_VERSION,
2304 {0x16, 0x03, 0x01, 0x00, 0x5a, 0x01, 0x00, 0x00, 0x56, 0x03, 0x01, 0x00,
2305 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2306 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2307 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0e, 0xc0, 0x09,
2308 0xc0, 0x13, 0xc0, 0x0a, 0xc0, 0x14, 0x00, 0x2f, 0x00, 0x35, 0x00, 0x0a,
Adam Langleyd6680952018-08-23 08:01:23 -0700[diff] [blame]2309 0x01, 0x00, 0x00, 0x1f, 0x00, 0x17, 0x00, 0x00, 0xff, 0x01, 0x00, 0x01,
2310 0x00, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00,
2311 0x18, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00}},
David Benjamin737d2df2017-09-25 15:05:19 -0400[diff] [blame]2312 {TLS1_1_VERSION,
2313 {0x16, 0x03, 0x01, 0x00, 0x5a, 0x01, 0x00, 0x00, 0x56, 0x03, 0x02, 0x00,
2314 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2315 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2316 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0e, 0xc0, 0x09,
2317 0xc0, 0x13, 0xc0, 0x0a, 0xc0, 0x14, 0x00, 0x2f, 0x00, 0x35, 0x00, 0x0a,
Adam Langleyd6680952018-08-23 08:01:23 -0700[diff] [blame]2318 0x01, 0x00, 0x00, 0x1f, 0x00, 0x17, 0x00, 0x00, 0xff, 0x01, 0x00, 0x01,
2319 0x00, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00,
2320 0x18, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00}},
David Benjamin737d2df2017-09-25 15:05:19 -0400[diff] [blame]2321 {TLS1_2_VERSION,
David Benjamin6e678ee2018-04-16 19:54:42 -0400[diff] [blame]2322 {0x16, 0x03, 0x01, 0x00, 0x82, 0x01, 0x00, 0x00, 0x7e, 0x03, 0x03, 0x00,
David Benjamin737d2df2017-09-25 15:05:19 -0400[diff] [blame]2323 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2324 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
David Benjamin6e678ee2018-04-16 19:54:42 -0400[diff] [blame]2325 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1e, 0xcc, 0xa9,
David Benjamin737d2df2017-09-25 15:05:19 -0400[diff] [blame]2326 0xcc, 0xa8, 0xc0, 0x2b, 0xc0, 0x2f, 0xc0, 0x2c, 0xc0, 0x30, 0xc0, 0x09,
David Benjamin6e678ee2018-04-16 19:54:42 -0400[diff] [blame]2327 0xc0, 0x13, 0xc0, 0x0a, 0xc0, 0x14, 0x00, 0x9c, 0x00, 0x9d, 0x00, 0x2f,
Adam Langleyd6680952018-08-23 08:01:23 -0700[diff] [blame]2328 0x00, 0x35, 0x00, 0x0a, 0x01, 0x00, 0x00, 0x37, 0x00, 0x17, 0x00, 0x00,
2329 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00,
2330 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00,
2331 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x14, 0x00, 0x12, 0x04, 0x03, 0x08,
2332 0x04, 0x04, 0x01, 0x05, 0x03, 0x08, 0x05, 0x05, 0x01, 0x08, 0x06, 0x06,
2333 0x01, 0x02, 0x01}},
David Benjamin737d2df2017-09-25 15:05:19 -0400[diff] [blame]2334 // TODO(davidben): Add a change detector for TLS 1.3 once the spec and our
2335 // implementation has settled enough that it won't change.
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]2336 };
David Benjamin737d2df2017-09-25 15:05:19 -0400[diff] [blame]2337
2338 for (const auto &t : kTests) {
2339 SCOPED_TRACE(t.max_version);
2340
2341 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
2342 ASSERT_TRUE(ctx);
2343 // Our default cipher list varies by CPU capabilities, so manually place the
2344 // ChaCha20 ciphers in front.
2345 const char *cipher_list = "CHACHA20:ALL";
David Benjamin737d2df2017-09-25 15:05:19 -0400[diff] [blame]2346 ASSERT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), t.max_version));
2347 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(ctx.get(), cipher_list));
2348
2349 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
2350 ASSERT_TRUE(ssl);
2351 std::vector<uint8_t> client_hello;
2352 ASSERT_TRUE(GetClientHello(ssl.get(), &client_hello));
2353
2354 // Zero the client_random.
2355 constexpr size_t kRandomOffset = 1 + 2 + 2 + // record header
2356 1 + 3 + // handshake message header
2357 2; // client_version
2358 ASSERT_GE(client_hello.size(), kRandomOffset + SSL3_RANDOM_SIZE);
2359 OPENSSL_memset(client_hello.data() + kRandomOffset, 0, SSL3_RANDOM_SIZE);
2360
2361 if (client_hello != t.expected) {
2362 ADD_FAILURE() << "ClientHellos did not match.";
2363 // Print the value manually so it is easier to update the test vector.
2364 for (size_t i = 0; i < client_hello.size(); i += 12) {
2365 printf(" %c", i == 0 ? '{' : ' ');
2366 for (size_t j = i; j < client_hello.size() && j < i + 12; j++) {
2367 if (j > i) {
2368 printf(" ");
2369 }
2370 printf("0x%02x", client_hello[j]);
2371 if (j < client_hello.size() - 1) {
2372 printf(",");
2373 }
2374 }
2375 if (i + 12 >= client_hello.size()) {
Adam Langleyd6680952018-08-23 08:01:23 -0700[diff] [blame]2376 printf("}},");
David Benjamin737d2df2017-09-25 15:05:19 -0400[diff] [blame]2377 }
2378 printf("\n");
2379 }
2380 }
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]2381 }
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]2382}
2383
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2384static bssl::UniquePtr<SSL_SESSION> g_last_session;
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2385
2386static int SaveLastSession(SSL *ssl, SSL_SESSION *session) {
2387 // Save the most recent session.
2388 g_last_session.reset(session);
2389 return 1;
2390}
2391
David Benjamina8614602017-09-06 15:40:19 -0400[diff] [blame]2392static bssl::UniquePtr<SSL_SESSION> CreateClientSession(
2393 SSL_CTX *client_ctx, SSL_CTX *server_ctx,
2394 const ClientConfig &config = ClientConfig()) {
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2395 g_last_session = nullptr;
2396 SSL_CTX_sess_set_new_cb(client_ctx, SaveLastSession);
2397
2398 // Connect client and server to get a session.
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2399 bssl::UniquePtr<SSL> client, server;
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2400 if (!ConnectClientAndServer(&client, &server, client_ctx, server_ctx,
Steven Valdez777a2392019-02-21 11:30:47 -0500[diff] [blame]2401 config) ||
2402 !FlushNewSessionTickets(client.get(), server.get())) {
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2403 fprintf(stderr, "Failed to connect client and server.\n");
2404 return nullptr;
2405 }
2406
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2407 SSL_CTX_sess_set_new_cb(client_ctx, nullptr);
2408
2409 if (!g_last_session) {
2410 fprintf(stderr, "Client did not receive a session.\n");
2411 return nullptr;
2412 }
2413 return std::move(g_last_session);
2414}
2415
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2416static void ExpectSessionReused(SSL_CTX *client_ctx, SSL_CTX *server_ctx,
2417 SSL_SESSION *session, bool want_reused) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2418 bssl::UniquePtr<SSL> client, server;
David Benjamina8614602017-09-06 15:40:19 -0400[diff] [blame]2419 ClientConfig config;
2420 config.session = session;
2421 EXPECT_TRUE(
2422 ConnectClientAndServer(&client, &server, client_ctx, server_ctx, config));
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2423
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2424 EXPECT_EQ(SSL_session_reused(client.get()), SSL_session_reused(server.get()));
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2425
2426 bool was_reused = !!SSL_session_reused(client.get());
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2427 EXPECT_EQ(was_reused, want_reused);
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2428}
2429
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]2430static bssl::UniquePtr<SSL_SESSION> ExpectSessionRenewed(SSL_CTX *client_ctx,
2431 SSL_CTX *server_ctx,
2432 SSL_SESSION *session) {
2433 g_last_session = nullptr;
2434 SSL_CTX_sess_set_new_cb(client_ctx, SaveLastSession);
2435
2436 bssl::UniquePtr<SSL> client, server;
David Benjamina8614602017-09-06 15:40:19 -0400[diff] [blame]2437 ClientConfig config;
2438 config.session = session;
2439 if (!ConnectClientAndServer(&client, &server, client_ctx, server_ctx,
Steven Valdez777a2392019-02-21 11:30:47 -0500[diff] [blame]2440 config) ||
2441 !FlushNewSessionTickets(client.get(), server.get())) {
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]2442 fprintf(stderr, "Failed to connect client and server.\n");
2443 return nullptr;
2444 }
2445
2446 if (SSL_session_reused(client.get()) != SSL_session_reused(server.get())) {
2447 fprintf(stderr, "Client and server were inconsistent.\n");
2448 return nullptr;
2449 }
2450
2451 if (!SSL_session_reused(client.get())) {
2452 fprintf(stderr, "Session was not reused.\n");
2453 return nullptr;
2454 }
2455
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]2456 SSL_CTX_sess_set_new_cb(client_ctx, nullptr);
2457
2458 if (!g_last_session) {
2459 fprintf(stderr, "Client did not receive a renewed session.\n");
2460 return nullptr;
2461 }
2462 return std::move(g_last_session);
2463}
2464
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2465static void ExpectTicketKeyChanged(SSL_CTX *ctx, uint8_t *inout_key,
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]2466 bool changed) {
2467 uint8_t new_key[kTicketKeyLen];
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]2468 // May return 0, 1 or 48.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2469 ASSERT_EQ(SSL_CTX_get_tlsext_ticket_keys(ctx, new_key, kTicketKeyLen), 1);
2470 if (changed) {
2471 ASSERT_NE(Bytes(inout_key, kTicketKeyLen), Bytes(new_key));
2472 } else {
2473 ASSERT_EQ(Bytes(inout_key, kTicketKeyLen), Bytes(new_key));
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]2474 }
2475 OPENSSL_memcpy(inout_key, new_key, kTicketKeyLen);
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]2476}
2477
David Benjamina933c382016-10-28 00:10:03 -0400[diff] [blame]2478static int SwitchSessionIDContextSNI(SSL *ssl, int *out_alert, void *arg) {
2479 static const uint8_t kContext[] = {3};
2480
2481 if (!SSL_set_session_id_context(ssl, kContext, sizeof(kContext))) {
2482 return SSL_TLSEXT_ERR_ALERT_FATAL;
2483 }
2484
2485 return SSL_TLSEXT_ERR_OK;
2486}
2487
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2488TEST_P(SSLVersionTest, SessionIDContext) {
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2489 static const uint8_t kContext1[] = {1};
2490 static const uint8_t kContext2[] = {2};
2491
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2492 ASSERT_TRUE(SSL_CTX_set_session_id_context(server_ctx_.get(), kContext1,
2493 sizeof(kContext1)));
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2494
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2495 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
2496 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2497
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2498 bssl::UniquePtr<SSL_SESSION> session =
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2499 CreateClientSession(client_ctx_.get(), server_ctx_.get());
2500 ASSERT_TRUE(session);
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2501
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2502 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2503 session.get(),
2504 true /* expect session reused */));
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2505
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2506 // Change the session ID context.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2507 ASSERT_TRUE(SSL_CTX_set_session_id_context(server_ctx_.get(), kContext2,
2508 sizeof(kContext2)));
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2509
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2510 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2511 session.get(),
2512 false /* expect session not reused */));
David Benjamina933c382016-10-28 00:10:03 -0400[diff] [blame]2513
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2514 // Change the session ID context back and install an SNI callback to switch
2515 // it.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2516 ASSERT_TRUE(SSL_CTX_set_session_id_context(server_ctx_.get(), kContext1,
2517 sizeof(kContext1)));
David Benjamina933c382016-10-28 00:10:03 -0400[diff] [blame]2518
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2519 SSL_CTX_set_tlsext_servername_callback(server_ctx_.get(),
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2520 SwitchSessionIDContextSNI);
David Benjamina933c382016-10-28 00:10:03 -0400[diff] [blame]2521
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2522 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2523 session.get(),
2524 false /* expect session not reused */));
David Benjamina933c382016-10-28 00:10:03 -0400[diff] [blame]2525
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2526 // Switch the session ID context with the early callback instead.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2527 SSL_CTX_set_tlsext_servername_callback(server_ctx_.get(), nullptr);
Alessandro Ghedini57e81e62017-03-14 23:36:00 +0000[diff] [blame]2528 SSL_CTX_set_select_certificate_cb(
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2529 server_ctx_.get(),
Alessandro Ghedini57e81e62017-03-14 23:36:00 +0000[diff] [blame]2530 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
2531 static const uint8_t kContext[] = {3};
2532
2533 if (!SSL_set_session_id_context(client_hello->ssl, kContext,
2534 sizeof(kContext))) {
2535 return ssl_select_cert_error;
2536 }
2537
2538 return ssl_select_cert_success;
2539 });
David Benjamina933c382016-10-28 00:10:03 -0400[diff] [blame]2540
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2541 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2542 session.get(),
2543 false /* expect session not reused */));
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2544}
2545
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]2546static timeval g_current_time;
2547
2548static void CurrentTimeCallback(const SSL *ssl, timeval *out_clock) {
2549 *out_clock = g_current_time;
2550}
2551
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2552static void FrozenTimeCallback(const SSL *ssl, timeval *out_clock) {
2553 out_clock->tv_sec = 1000;
2554 out_clock->tv_usec = 0;
2555}
2556
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]2557static int RenewTicketCallback(SSL *ssl, uint8_t *key_name, uint8_t *iv,
2558 EVP_CIPHER_CTX *ctx, HMAC_CTX *hmac_ctx,
2559 int encrypt) {
2560 static const uint8_t kZeros[16] = {0};
2561
2562 if (encrypt) {
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]2563 OPENSSL_memcpy(key_name, kZeros, sizeof(kZeros));
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]2564 RAND_bytes(iv, 16);
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]2565 } else if (OPENSSL_memcmp(key_name, kZeros, 16) != 0) {
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]2566 return 0;
2567 }
2568
2569 if (!HMAC_Init_ex(hmac_ctx, kZeros, sizeof(kZeros), EVP_sha256(), NULL) ||
2570 !EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, kZeros, iv, encrypt)) {
2571 return -1;
2572 }
2573
2574 // Returning two from the callback in decrypt mode renews the
2575 // session in TLS 1.2 and below.
2576 return encrypt ? 1 : 2;
2577}
2578
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]2579static bool GetServerTicketTime(long *out, const SSL_SESSION *session) {
David Benjaminaaef8332018-06-29 16:45:49 -0400[diff] [blame]2580 const uint8_t *ticket;
2581 size_t ticket_len;
2582 SSL_SESSION_get0_ticket(session, &ticket, &ticket_len);
2583 if (ticket_len < 16 + 16 + SHA256_DIGEST_LENGTH) {
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]2584 return false;
2585 }
2586
David Benjaminaaef8332018-06-29 16:45:49 -0400[diff] [blame]2587 const uint8_t *ciphertext = ticket + 16 + 16;
2588 size_t len = ticket_len - 16 - 16 - SHA256_DIGEST_LENGTH;
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]2589 std::unique_ptr<uint8_t[]> plaintext(new uint8_t[len]);
2590
David Benjamin9b63f292016-11-15 00:44:05 -0500[diff] [blame]2591#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
2592 // Fuzzer-mode tickets are unencrypted.
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]2593 OPENSSL_memcpy(plaintext.get(), ciphertext, len);
David Benjamin9b63f292016-11-15 00:44:05 -0500[diff] [blame]2594#else
2595 static const uint8_t kZeros[16] = {0};
David Benjaminaaef8332018-06-29 16:45:49 -0400[diff] [blame]2596 const uint8_t *iv = ticket + 16;
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]2597 bssl::ScopedEVP_CIPHER_CTX ctx;
2598 int len1, len2;
2599 if (!EVP_DecryptInit_ex(ctx.get(), EVP_aes_128_cbc(), nullptr, kZeros, iv) ||
2600 !EVP_DecryptUpdate(ctx.get(), plaintext.get(), &len1, ciphertext, len) ||
2601 !EVP_DecryptFinal_ex(ctx.get(), plaintext.get() + len1, &len2)) {
2602 return false;
2603 }
2604
2605 len = static_cast<size_t>(len1 + len2);
David Benjamin9b63f292016-11-15 00:44:05 -0500[diff] [blame]2606#endif
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]2607
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]2608 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
2609 if (!ssl_ctx) {
2610 return false;
2611 }
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]2612 bssl::UniquePtr<SSL_SESSION> server_session(
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]2613 SSL_SESSION_from_bytes(plaintext.get(), len, ssl_ctx.get()));
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]2614 if (!server_session) {
2615 return false;
2616 }
2617
David Benjaminaaef8332018-06-29 16:45:49 -0400[diff] [blame]2618 *out = SSL_SESSION_get_time(server_session.get());
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]2619 return true;
2620}
2621
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2622TEST_P(SSLVersionTest, SessionTimeout) {
2623 for (bool server_test : {false, true}) {
2624 SCOPED_TRACE(server_test);
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]2625
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2626 ResetContexts();
2627 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
2628 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
2629
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2630 static const time_t kStartTime = 1000;
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2631 g_current_time.tv_sec = kStartTime;
David Benjamin1b22f852016-10-27 16:36:32 -0400[diff] [blame]2632
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2633 // We are willing to use a longer lifetime for TLS 1.3 sessions as
2634 // resumptions still perform ECDHE.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2635 const time_t timeout = version() == TLS1_3_VERSION
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2636 ? SSL_DEFAULT_SESSION_PSK_DHE_TIMEOUT
2637 : SSL_DEFAULT_SESSION_TIMEOUT;
2638
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2639 // Both client and server must enforce session timeouts. We configure the
2640 // other side with a frozen clock so it never expires tickets.
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2641 if (server_test) {
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2642 SSL_CTX_set_current_time_cb(client_ctx_.get(), FrozenTimeCallback);
2643 SSL_CTX_set_current_time_cb(server_ctx_.get(), CurrentTimeCallback);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2644 } else {
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2645 SSL_CTX_set_current_time_cb(client_ctx_.get(), CurrentTimeCallback);
2646 SSL_CTX_set_current_time_cb(server_ctx_.get(), FrozenTimeCallback);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2647 }
2648
2649 // Configure a ticket callback which renews tickets.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2650 SSL_CTX_set_tlsext_ticket_key_cb(server_ctx_.get(), RenewTicketCallback);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2651
2652 bssl::UniquePtr<SSL_SESSION> session =
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2653 CreateClientSession(client_ctx_.get(), server_ctx_.get());
2654 ASSERT_TRUE(session);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2655
2656 // Advance the clock just behind the timeout.
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2657 g_current_time.tv_sec += timeout - 1;
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2658
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2659 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2660 session.get(),
2661 true /* expect session reused */));
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2662
2663 // Advance the clock one more second.
2664 g_current_time.tv_sec++;
2665
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2666 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2667 session.get(),
2668 false /* expect session not reused */));
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2669
2670 // Rewind the clock to before the session was minted.
2671 g_current_time.tv_sec = kStartTime - 1;
2672
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2673 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2674 session.get(),
2675 false /* expect session not reused */));
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2676
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2677 // Renew the session 10 seconds before expiration.
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2678 time_t new_start_time = kStartTime + timeout - 10;
2679 g_current_time.tv_sec = new_start_time;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2680 bssl::UniquePtr<SSL_SESSION> new_session = ExpectSessionRenewed(
2681 client_ctx_.get(), server_ctx_.get(), session.get());
2682 ASSERT_TRUE(new_session);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2683
2684 // This new session is not the same object as before.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2685 EXPECT_NE(session.get(), new_session.get());
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2686
2687 // Check the sessions have timestamps measured from issuance.
2688 long session_time = 0;
2689 if (server_test) {
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2690 ASSERT_TRUE(GetServerTicketTime(&session_time, new_session.get()));
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2691 } else {
David Benjaminaaef8332018-06-29 16:45:49 -0400[diff] [blame]2692 session_time = SSL_SESSION_get_time(new_session.get());
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2693 }
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]2694
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2695 ASSERT_EQ(session_time, g_current_time.tv_sec);
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]2696
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2697 if (version() == TLS1_3_VERSION) {
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2698 // Renewal incorporates fresh key material in TLS 1.3, so we extend the
2699 // lifetime TLS 1.3.
2700 g_current_time.tv_sec = new_start_time + timeout - 1;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2701 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2702 new_session.get(),
2703 true /* expect session reused */));
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]2704
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2705 // The new session expires after the new timeout.
2706 g_current_time.tv_sec = new_start_time + timeout + 1;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2707 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2708 new_session.get(),
2709 false /* expect session ot reused */));
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2710
2711 // Renew the session until it begins just past the auth timeout.
2712 time_t auth_end_time = kStartTime + SSL_DEFAULT_SESSION_AUTH_TIMEOUT;
2713 while (new_start_time < auth_end_time - 1000) {
2714 // Get as close as possible to target start time.
2715 new_start_time =
2716 std::min(auth_end_time - 1000, new_start_time + timeout - 1);
2717 g_current_time.tv_sec = new_start_time;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2718 new_session = ExpectSessionRenewed(client_ctx_.get(), server_ctx_.get(),
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2719 new_session.get());
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2720 ASSERT_TRUE(new_session);
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2721 }
2722
2723 // Now the session's lifetime is bound by the auth timeout.
2724 g_current_time.tv_sec = auth_end_time - 1;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2725 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2726 new_session.get(),
2727 true /* expect session reused */));
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2728
2729 g_current_time.tv_sec = auth_end_time + 1;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2730 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2731 new_session.get(),
2732 false /* expect session ot reused */));
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2733 } else {
2734 // The new session is usable just before the old expiration.
2735 g_current_time.tv_sec = kStartTime + timeout - 1;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2736 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2737 new_session.get(),
2738 true /* expect session reused */));
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2739
2740 // Renewal does not extend the lifetime, so it is not usable beyond the
2741 // old expiration.
2742 g_current_time.tv_sec = kStartTime + timeout + 1;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2743 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2744 new_session.get(),
2745 false /* expect session not reused */));
David Benjamin1b22f852016-10-27 16:36:32 -0400[diff] [blame]2746 }
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]2747 }
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]2748}
2749
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2750TEST_P(SSLVersionTest, DefaultTicketKeyInitialization) {
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]2751 static const uint8_t kZeroKey[kTicketKeyLen] = {};
2752 uint8_t ticket_key[kTicketKeyLen];
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2753 ASSERT_EQ(1, SSL_CTX_get_tlsext_ticket_keys(server_ctx_.get(), ticket_key,
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]2754 kTicketKeyLen));
2755 ASSERT_NE(0, OPENSSL_memcmp(ticket_key, kZeroKey, kTicketKeyLen));
2756}
2757
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2758TEST_P(SSLVersionTest, DefaultTicketKeyRotation) {
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]2759 static const time_t kStartTime = 1001;
2760 g_current_time.tv_sec = kStartTime;
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]2761
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]2762 // We use session reuse as a proxy for ticket decryption success, hence
2763 // disable session timeouts.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2764 SSL_CTX_set_timeout(server_ctx_.get(), std::numeric_limits<uint32_t>::max());
2765 SSL_CTX_set_session_psk_dhe_timeout(server_ctx_.get(),
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]2766 std::numeric_limits<uint32_t>::max());
2767
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2768 SSL_CTX_set_current_time_cb(client_ctx_.get(), FrozenTimeCallback);
2769 SSL_CTX_set_current_time_cb(server_ctx_.get(), CurrentTimeCallback);
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]2770
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2771 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
2772 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_OFF);
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]2773
David Benjamin1f0d54b2018-08-09 16:19:13 -0500[diff] [blame]2774 // Initialize ticket_key with the current key and check that it was
2775 // initialized to something, not all zeros.
2776 uint8_t ticket_key[kTicketKeyLen] = {0};
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2777 TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
2778 true /* changed */));
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]2779
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]2780 // Verify ticket resumption actually works.
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]2781 bssl::UniquePtr<SSL> client, server;
2782 bssl::UniquePtr<SSL_SESSION> session =
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2783 CreateClientSession(client_ctx_.get(), server_ctx_.get());
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]2784 ASSERT_TRUE(session);
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2785 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]2786 session.get(), true /* reused */));
2787
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]2788 // Advance time to just before key rotation.
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]2789 g_current_time.tv_sec += SSL_DEFAULT_TICKET_KEY_ROTATION_INTERVAL - 1;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2790 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]2791 session.get(), true /* reused */));
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2792 TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]2793 false /* NOT changed */));
2794
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]2795 // Force key rotation.
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]2796 g_current_time.tv_sec += 1;
2797 bssl::UniquePtr<SSL_SESSION> new_session =
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2798 CreateClientSession(client_ctx_.get(), server_ctx_.get());
2799 TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
2800 true /* changed */));
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]2801
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]2802 // Resumption with both old and new ticket should work.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2803 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]2804 session.get(), true /* reused */));
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2805 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]2806 new_session.get(), true /* reused */));
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2807 TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]2808 false /* NOT changed */));
2809
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]2810 // Force key rotation again. Resumption with the old ticket now fails.
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]2811 g_current_time.tv_sec += SSL_DEFAULT_TICKET_KEY_ROTATION_INTERVAL;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2812 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]2813 session.get(), false /* NOT reused */));
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2814 TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
2815 true /* changed */));
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]2816
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]2817 // But resumption with the newer session still works.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2818 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]2819 new_session.get(), true /* reused */));
2820}
2821
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2822static int SwitchContext(SSL *ssl, int *out_alert, void *arg) {
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2823 SSL_CTX *ctx = reinterpret_cast<SSL_CTX *>(arg);
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2824 SSL_set_SSL_CTX(ssl, ctx);
2825 return SSL_TLSEXT_ERR_OK;
2826}
2827
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2828TEST_P(SSLVersionTest, SNICallback) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2829 bssl::UniquePtr<X509> cert2 = GetECDSATestCertificate();
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2830 ASSERT_TRUE(cert2);
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2831 bssl::UniquePtr<EVP_PKEY> key2 = GetECDSATestKey();
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2832 ASSERT_TRUE(key2);
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2833
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2834 // Test that switching the |SSL_CTX| at the SNI callback behaves correctly.
2835 static const uint16_t kECDSAWithSHA256 = SSL_SIGN_ECDSA_SECP256R1_SHA256;
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2836
David Benjamin83a32122017-02-14 18:34:54 -0500[diff] [blame]2837 static const uint8_t kSCTList[] = {0, 6, 0, 4, 5, 6, 7, 8};
2838 static const uint8_t kOCSPResponse[] = {1, 2, 3, 4};
2839
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2840 bssl::UniquePtr<SSL_CTX> server_ctx2 = CreateContext();
2841 ASSERT_TRUE(server_ctx2);
2842 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx2.get(), cert2.get()));
2843 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx2.get(), key2.get()));
2844 ASSERT_TRUE(SSL_CTX_set_signed_cert_timestamp_list(
2845 server_ctx2.get(), kSCTList, sizeof(kSCTList)));
2846 ASSERT_TRUE(SSL_CTX_set_ocsp_response(server_ctx2.get(), kOCSPResponse,
2847 sizeof(kOCSPResponse)));
2848 // Historically signing preferences would be lost in some cases with the
2849 // SNI callback, which triggers the TLS 1.2 SHA-1 default. To ensure
2850 // this doesn't happen when |version| is TLS 1.2, configure the private
2851 // key to only sign SHA-256.
2852 ASSERT_TRUE(SSL_CTX_set_signing_algorithm_prefs(server_ctx2.get(),
2853 &kECDSAWithSHA256, 1));
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2854
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2855 SSL_CTX_set_tlsext_servername_callback(server_ctx_.get(), SwitchContext);
2856 SSL_CTX_set_tlsext_servername_arg(server_ctx_.get(), server_ctx2.get());
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2857
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2858 SSL_CTX_enable_signed_cert_timestamps(client_ctx_.get());
2859 SSL_CTX_enable_ocsp_stapling(client_ctx_.get());
David Benjamin83a32122017-02-14 18:34:54 -0500[diff] [blame]2860
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2861 ASSERT_TRUE(Connect());
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2862
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2863 // The client should have received |cert2|.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2864 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(client_.get()));
2865 ASSERT_TRUE(peer);
2866 EXPECT_EQ(X509_cmp(peer.get(), cert2.get()), 0);
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2867
David Benjamin83a32122017-02-14 18:34:54 -0500[diff] [blame]2868 // The client should have received |server_ctx2|'s SCT list.
2869 const uint8_t *data;
2870 size_t len;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2871 SSL_get0_signed_cert_timestamp_list(client_.get(), &data, &len);
2872 EXPECT_EQ(Bytes(kSCTList), Bytes(data, len));
David Benjamin83a32122017-02-14 18:34:54 -0500[diff] [blame]2873
2874 // The client should have received |server_ctx2|'s OCSP response.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2875 SSL_get0_ocsp_response(client_.get(), &data, &len);
2876 EXPECT_EQ(Bytes(kOCSPResponse), Bytes(data, len));
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2877}
2878
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2879// Test that the early callback can swap the maximum version.
2880TEST(SSLTest, EarlyCallbackVersionSwitch) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2881 bssl::UniquePtr<X509> cert = GetTestCertificate();
2882 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
2883 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
2884 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2885 ASSERT_TRUE(cert);
2886 ASSERT_TRUE(key);
2887 ASSERT_TRUE(server_ctx);
2888 ASSERT_TRUE(client_ctx);
2889 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
2890 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
2891 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION));
2892 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
David Benjamin99620572016-08-30 00:35:36 -0400[diff] [blame]2893
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2894 SSL_CTX_set_select_certificate_cb(
Alessandro Ghedini57e81e62017-03-14 23:36:00 +0000[diff] [blame]2895 server_ctx.get(),
2896 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2897 if (!SSL_set_max_proto_version(client_hello->ssl, TLS1_2_VERSION)) {
Alessandro Ghedini57e81e62017-03-14 23:36:00 +0000[diff] [blame]2898 return ssl_select_cert_error;
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2899 }
2900
Alessandro Ghedini57e81e62017-03-14 23:36:00 +0000[diff] [blame]2901 return ssl_select_cert_success;
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2902 });
David Benjamin99620572016-08-30 00:35:36 -0400[diff] [blame]2903
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2904 bssl::UniquePtr<SSL> client, server;
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2905 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
David Benjamina8614602017-09-06 15:40:19 -0400[diff] [blame]2906 server_ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2907 EXPECT_EQ(TLS1_2_VERSION, SSL_version(client.get()));
David Benjamin99620572016-08-30 00:35:36 -0400[diff] [blame]2908}
2909
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2910TEST(SSLTest, SetVersion) {
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2911 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2912 ASSERT_TRUE(ctx);
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2913
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2914 // Set valid TLS versions.
2915 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_VERSION));
2916 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_1_VERSION));
2917 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_VERSION));
2918 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_1_VERSION));
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2919
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2920 // Invalid TLS versions are rejected.
2921 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), DTLS1_VERSION));
2922 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0x0200));
2923 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0x1234));
2924 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), DTLS1_VERSION));
2925 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x0200));
2926 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x1234));
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2927
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2928 // Zero is the default version.
2929 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), 0));
Matthew Braithwaite58d56f42019-11-04 13:20:01 -0800[diff] [blame]2930 EXPECT_EQ(TLS1_3_VERSION, SSL_CTX_get_max_proto_version(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2931 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), 0));
Nitish Sakhawalkara4af5f82019-03-25 17:26:59 -0700[diff] [blame]2932 EXPECT_EQ(TLS1_VERSION, SSL_CTX_get_min_proto_version(ctx.get()));
David Benjamin3cfeb952017-03-01 16:48:38 -0500[diff] [blame]2933
David Benjamin9bb15f52018-06-26 00:07:40 -0400[diff] [blame]2934 // TLS 1.3 is available, but not by default.
David Benjamin3cfeb952017-03-01 16:48:38 -0500[diff] [blame]2935 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_3_VERSION));
Nitish Sakhawalkara4af5f82019-03-25 17:26:59 -0700[diff] [blame]2936 EXPECT_EQ(TLS1_3_VERSION, SSL_CTX_get_max_proto_version(ctx.get()));
David Benjamine34bcc92016-09-21 16:53:09 -0400[diff] [blame]2937
David Benjamin9bb15f52018-06-26 00:07:40 -0400[diff] [blame]2938 // SSL 3.0 is not available.
2939 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), SSL3_VERSION));
2940
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2941 ctx.reset(SSL_CTX_new(DTLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2942 ASSERT_TRUE(ctx);
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2943
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2944 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), DTLS1_VERSION));
2945 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), DTLS1_2_VERSION));
2946 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), DTLS1_VERSION));
2947 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), DTLS1_2_VERSION));
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2948
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2949 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_VERSION));
2950 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0xfefe /* DTLS 1.1 */));
2951 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0xfffe /* DTLS 0.1 */));
2952 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0x1234));
2953 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_VERSION));
2954 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0xfefe /* DTLS 1.1 */));
2955 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0xfffe /* DTLS 0.1 */));
2956 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x1234));
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2957
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2958 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), 0));
Nitish Sakhawalkara4af5f82019-03-25 17:26:59 -0700[diff] [blame]2959 EXPECT_EQ(DTLS1_2_VERSION, SSL_CTX_get_max_proto_version(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2960 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), 0));
Nitish Sakhawalkara4af5f82019-03-25 17:26:59 -0700[diff] [blame]2961 EXPECT_EQ(DTLS1_VERSION, SSL_CTX_get_min_proto_version(ctx.get()));
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2962}
2963
David Benjamin458334a2016-12-15 13:53:25 -0500[diff] [blame]2964static const char *GetVersionName(uint16_t version) {
2965 switch (version) {
David Benjamin458334a2016-12-15 13:53:25 -0500[diff] [blame]2966 case TLS1_VERSION:
2967 return "TLSv1";
2968 case TLS1_1_VERSION:
2969 return "TLSv1.1";
2970 case TLS1_2_VERSION:
2971 return "TLSv1.2";
2972 case TLS1_3_VERSION:
2973 return "TLSv1.3";
2974 case DTLS1_VERSION:
2975 return "DTLSv1";
2976 case DTLS1_2_VERSION:
2977 return "DTLSv1.2";
2978 default:
2979 return "???";
2980 }
2981}
2982
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2983TEST_P(SSLVersionTest, Version) {
2984 ASSERT_TRUE(Connect());
David Benjamincb18ac22016-09-27 14:09:15 -0400[diff] [blame]2985
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2986 EXPECT_EQ(SSL_version(client_.get()), version());
2987 EXPECT_EQ(SSL_version(server_.get()), version());
David Benjamincb18ac22016-09-27 14:09:15 -0400[diff] [blame]2988
David Benjamin458334a2016-12-15 13:53:25 -0500[diff] [blame]2989 // Test the version name is reported as expected.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2990 const char *version_name = GetVersionName(version());
2991 EXPECT_EQ(strcmp(version_name, SSL_get_version(client_.get())), 0);
2992 EXPECT_EQ(strcmp(version_name, SSL_get_version(server_.get())), 0);
David Benjamin458334a2016-12-15 13:53:25 -0500[diff] [blame]2993
2994 // Test SSL_SESSION reports the same name.
2995 const char *client_name =
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2996 SSL_SESSION_get_version(SSL_get_session(client_.get()));
David Benjamin458334a2016-12-15 13:53:25 -0500[diff] [blame]2997 const char *server_name =
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2998 SSL_SESSION_get_version(SSL_get_session(server_.get()));
2999 EXPECT_EQ(strcmp(version_name, client_name), 0);
3000 EXPECT_EQ(strcmp(version_name, server_name), 0);
David Benjamincb18ac22016-09-27 14:09:15 -0400[diff] [blame]3001}
3002
David Benjamin9ef31f02016-10-31 18:01:13 -0400[diff] [blame]3003// Tests that that |SSL_get_pending_cipher| is available during the ALPN
3004// selection callback.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3005TEST_P(SSLVersionTest, ALPNCipherAvailable) {
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3006 ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
3007
David Benjamin9ef31f02016-10-31 18:01:13 -0400[diff] [blame]3008 static const uint8_t kALPNProtos[] = {0x03, 'f', 'o', 'o'};
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3009 ASSERT_EQ(SSL_CTX_set_alpn_protos(client_ctx_.get(), kALPNProtos,
3010 sizeof(kALPNProtos)),
3011 0);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3012
3013 // The ALPN callback does not fail the handshake on error, so have the
3014 // callback write a boolean.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3015 std::pair<uint16_t, bool> callback_state(version(), false);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3016 SSL_CTX_set_alpn_select_cb(
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3017 server_ctx_.get(),
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3018 [](SSL *ssl, const uint8_t **out, uint8_t *out_len, const uint8_t *in,
3019 unsigned in_len, void *arg) -> int {
3020 auto state = reinterpret_cast<std::pair<uint16_t, bool> *>(arg);
3021 if (SSL_get_pending_cipher(ssl) != nullptr &&
3022 SSL_version(ssl) == state->first) {
3023 state->second = true;
3024 }
3025 return SSL_TLSEXT_ERR_NOACK;
3026 },
3027 &callback_state);
3028
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3029 ASSERT_TRUE(Connect());
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3030
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3031 ASSERT_TRUE(callback_state.second);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3032}
3033
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3034TEST_P(SSLVersionTest, SSLClearSessionResumption) {
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]3035 // Skip this for TLS 1.3. TLS 1.3's ticket mechanism is incompatible with this
3036 // API pattern.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3037 if (version() == TLS1_3_VERSION) {
3038 return;
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]3039 }
3040
Matthew Braithwaiteb7bc80a2018-04-13 15:51:30 -0700[diff] [blame]3041 shed_handshake_config_ = false;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3042 ASSERT_TRUE(Connect());
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]3043
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3044 EXPECT_FALSE(SSL_session_reused(client_.get()));
3045 EXPECT_FALSE(SSL_session_reused(server_.get()));
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]3046
3047 // Reset everything.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3048 ASSERT_TRUE(SSL_clear(client_.get()));
3049 ASSERT_TRUE(SSL_clear(server_.get()));
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]3050
3051 // Attempt to connect a second time.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3052 ASSERT_TRUE(CompleteHandshakes(client_.get(), server_.get()));
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]3053
3054 // |SSL_clear| should implicitly offer the previous session to the server.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3055 EXPECT_TRUE(SSL_session_reused(client_.get()));
3056 EXPECT_TRUE(SSL_session_reused(server_.get()));
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]3057}
3058
Matthew Braithwaiteb7bc80a2018-04-13 15:51:30 -0700[diff] [blame]3059TEST_P(SSLVersionTest, SSLClearFailsWithShedding) {
3060 shed_handshake_config_ = false;
3061 ASSERT_TRUE(Connect());
3062 ASSERT_TRUE(CompleteHandshakes(client_.get(), server_.get()));
3063
3064 // Reset everything.
3065 ASSERT_TRUE(SSL_clear(client_.get()));
3066 ASSERT_TRUE(SSL_clear(server_.get()));
3067
3068 // Now enable shedding, and connect a second time.
3069 shed_handshake_config_ = true;
3070 ASSERT_TRUE(Connect());
3071 ASSERT_TRUE(CompleteHandshakes(client_.get(), server_.get()));
3072
3073 // |SSL_clear| should now fail.
3074 ASSERT_FALSE(SSL_clear(client_.get()));
3075 ASSERT_FALSE(SSL_clear(server_.get()));
3076}
3077
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3078static bool ChainsEqual(STACK_OF(X509) * chain,
3079 const std::vector<X509 *> &expected) {
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]3080 if (sk_X509_num(chain) != expected.size()) {
3081 return false;
3082 }
3083
3084 for (size_t i = 0; i < expected.size(); i++) {
3085 if (X509_cmp(sk_X509_value(chain, i), expected[i]) != 0) {
3086 return false;
3087 }
3088 }
3089
3090 return true;
3091}
3092
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3093TEST_P(SSLVersionTest, AutoChain) {
3094 cert_ = GetChainTestCertificate();
3095 ASSERT_TRUE(cert_);
3096 key_ = GetChainTestKey();
3097 ASSERT_TRUE(key_);
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]3098 bssl::UniquePtr<X509> intermediate = GetChainTestIntermediate();
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3099 ASSERT_TRUE(intermediate);
3100
3101 ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
3102 ASSERT_TRUE(UseCertAndKey(server_ctx_.get()));
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]3103
3104 // Configure both client and server to accept any certificate. Add
3105 // |intermediate| to the cert store.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3106 ASSERT_TRUE(X509_STORE_add_cert(SSL_CTX_get_cert_store(client_ctx_.get()),
3107 intermediate.get()));
3108 ASSERT_TRUE(X509_STORE_add_cert(SSL_CTX_get_cert_store(server_ctx_.get()),
3109 intermediate.get()));
3110 SSL_CTX_set_verify(client_ctx_.get(),
3111 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
3112 nullptr);
3113 SSL_CTX_set_verify(server_ctx_.get(),
3114 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
3115 nullptr);
3116 SSL_CTX_set_cert_verify_callback(client_ctx_.get(), VerifySucceed, NULL);
3117 SSL_CTX_set_cert_verify_callback(server_ctx_.get(), VerifySucceed, NULL);
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]3118
3119 // By default, the client and server should each only send the leaf.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3120 ASSERT_TRUE(Connect());
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]3121
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3122 EXPECT_TRUE(
3123 ChainsEqual(SSL_get_peer_full_cert_chain(client_.get()), {cert_.get()}));
3124 EXPECT_TRUE(
3125 ChainsEqual(SSL_get_peer_full_cert_chain(server_.get()), {cert_.get()}));
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]3126
3127 // If auto-chaining is enabled, then the intermediate is sent.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3128 SSL_CTX_clear_mode(client_ctx_.get(), SSL_MODE_NO_AUTO_CHAIN);
3129 SSL_CTX_clear_mode(server_ctx_.get(), SSL_MODE_NO_AUTO_CHAIN);
3130 ASSERT_TRUE(Connect());
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]3131
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3132 EXPECT_TRUE(ChainsEqual(SSL_get_peer_full_cert_chain(client_.get()),
3133 {cert_.get(), intermediate.get()}));
3134 EXPECT_TRUE(ChainsEqual(SSL_get_peer_full_cert_chain(server_.get()),
3135 {cert_.get(), intermediate.get()}));
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]3136
3137 // Auto-chaining does not override explicitly-configured intermediates.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3138 ASSERT_TRUE(SSL_CTX_add1_chain_cert(client_ctx_.get(), cert_.get()));
3139 ASSERT_TRUE(SSL_CTX_add1_chain_cert(server_ctx_.get(), cert_.get()));
3140 ASSERT_TRUE(Connect());
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]3141
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3142 EXPECT_TRUE(ChainsEqual(SSL_get_peer_full_cert_chain(client_.get()),
3143 {cert_.get(), cert_.get()}));
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]3144
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3145 EXPECT_TRUE(ChainsEqual(SSL_get_peer_full_cert_chain(server_.get()),
3146 {cert_.get(), cert_.get()}));
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]3147}
3148
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]3149static bool ExpectBadWriteRetry() {
3150 int err = ERR_get_error();
3151 if (ERR_GET_LIB(err) != ERR_LIB_SSL ||
3152 ERR_GET_REASON(err) != SSL_R_BAD_WRITE_RETRY) {
3153 char buf[ERR_ERROR_STRING_BUF_LEN];
3154 ERR_error_string_n(err, buf, sizeof(buf));
3155 fprintf(stderr, "Wanted SSL_R_BAD_WRITE_RETRY, got: %s.\n", buf);
3156 return false;
3157 }
3158
3159 if (ERR_peek_error() != 0) {
3160 fprintf(stderr, "Unexpected error following SSL_R_BAD_WRITE_RETRY.\n");
3161 return false;
3162 }
3163
3164 return true;
3165}
3166
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3167TEST_P(SSLVersionTest, SSLWriteRetry) {
3168 if (is_dtls()) {
3169 return;
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]3170 }
3171
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3172 for (bool enable_partial_write : {false, true}) {
3173 SCOPED_TRACE(enable_partial_write);
3174
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]3175 // Connect a client and server.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3176 ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
3177
3178 ASSERT_TRUE(Connect());
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]3179
3180 if (enable_partial_write) {
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3181 SSL_set_mode(client_.get(), SSL_MODE_ENABLE_PARTIAL_WRITE);
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]3182 }
3183
3184 // Write without reading until the buffer is full and we have an unfinished
3185 // write. Keep a count so we may reread it again later. "hello!" will be
3186 // written in two chunks, "hello" and "!".
3187 char data[] = "hello!";
3188 static const int kChunkLen = 5; // The length of "hello".
3189 unsigned count = 0;
3190 for (;;) {
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3191 int ret = SSL_write(client_.get(), data, kChunkLen);
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]3192 if (ret <= 0) {
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3193 ASSERT_EQ(SSL_get_error(client_.get(), ret), SSL_ERROR_WANT_WRITE);
3194 break;
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]3195 }
3196
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3197 ASSERT_EQ(ret, 5);
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]3198
3199 count++;
3200 }
3201
3202 // Retrying with the same parameters is legal.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3203 ASSERT_EQ(
3204 SSL_get_error(client_.get(), SSL_write(client_.get(), data, kChunkLen)),
3205 SSL_ERROR_WANT_WRITE);
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]3206
3207 // Retrying with the same buffer but shorter length is not legal.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3208 ASSERT_EQ(SSL_get_error(client_.get(),
3209 SSL_write(client_.get(), data, kChunkLen - 1)),
3210 SSL_ERROR_SSL);
3211 ASSERT_TRUE(ExpectBadWriteRetry());
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]3212
3213 // Retrying with a different buffer pointer is not legal.
3214 char data2[] = "hello";
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3215 ASSERT_EQ(SSL_get_error(client_.get(),
3216 SSL_write(client_.get(), data2, kChunkLen)),
3217 SSL_ERROR_SSL);
3218 ASSERT_TRUE(ExpectBadWriteRetry());
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]3219
3220 // With |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER|, the buffer may move.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3221 SSL_set_mode(client_.get(), SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
3222 ASSERT_EQ(SSL_get_error(client_.get(),
3223 SSL_write(client_.get(), data2, kChunkLen)),
3224 SSL_ERROR_WANT_WRITE);
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]3225
3226 // |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER| does not disable length checks.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3227 ASSERT_EQ(SSL_get_error(client_.get(),
3228 SSL_write(client_.get(), data2, kChunkLen - 1)),
3229 SSL_ERROR_SSL);
3230 ASSERT_TRUE(ExpectBadWriteRetry());
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]3231
3232 // Retrying with a larger buffer is legal.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3233 ASSERT_EQ(SSL_get_error(client_.get(),
3234 SSL_write(client_.get(), data, kChunkLen + 1)),
3235 SSL_ERROR_WANT_WRITE);
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]3236
3237 // Drain the buffer.
3238 char buf[20];
3239 for (unsigned i = 0; i < count; i++) {
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3240 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen);
3241 ASSERT_EQ(OPENSSL_memcmp(buf, "hello", kChunkLen), 0);
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]3242 }
3243
3244 // Now that there is space, a retry with a larger buffer should flush the
3245 // pending record, skip over that many bytes of input (on assumption they
3246 // are the same), and write the remainder. If SSL_MODE_ENABLE_PARTIAL_WRITE
3247 // is set, this will complete in two steps.
3248 char data3[] = "_____!";
3249 if (enable_partial_write) {
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3250 ASSERT_EQ(SSL_write(client_.get(), data3, kChunkLen + 1), kChunkLen);
3251 ASSERT_EQ(SSL_write(client_.get(), data3 + kChunkLen, 1), 1);
3252 } else {
3253 ASSERT_EQ(SSL_write(client_.get(), data3, kChunkLen + 1), kChunkLen + 1);
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]3254 }
3255
3256 // Check the last write was correct. The data will be spread over two
3257 // records, so SSL_read returns twice.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3258 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen);
3259 ASSERT_EQ(OPENSSL_memcmp(buf, "hello", kChunkLen), 0);
3260 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), 1);
3261 ASSERT_EQ(buf[0], '!');
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]3262 }
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]3263}
3264
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3265TEST_P(SSLVersionTest, RecordCallback) {
3266 for (bool test_server : {true, false}) {
3267 SCOPED_TRACE(test_server);
3268 ResetContexts();
David Benjamin5df5be12017-06-22 19:43:11 -0400[diff] [blame]3269
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3270 bool read_seen = false;
3271 bool write_seen = false;
3272 auto cb = [&](int is_write, int cb_version, int cb_type, const void *buf,
3273 size_t len, SSL *ssl) {
3274 if (cb_type != SSL3_RT_HEADER) {
3275 return;
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]3276 }
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3277
3278 // The callback does not report a version for records.
3279 EXPECT_EQ(0, cb_version);
3280
3281 if (is_write) {
3282 write_seen = true;
3283 } else {
3284 read_seen = true;
3285 }
3286
3287 // Sanity-check that the record header is plausible.
3288 CBS cbs;
3289 CBS_init(&cbs, reinterpret_cast<const uint8_t *>(buf), len);
3290 uint8_t type;
3291 uint16_t record_version, length;
3292 ASSERT_TRUE(CBS_get_u8(&cbs, &type));
3293 ASSERT_TRUE(CBS_get_u16(&cbs, &record_version));
Steven Valdez64cc1212017-12-04 11:15:37 -0500[diff] [blame]3294 EXPECT_EQ(record_version & 0xff00, version() & 0xff00);
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3295 if (is_dtls()) {
3296 uint16_t epoch;
3297 ASSERT_TRUE(CBS_get_u16(&cbs, &epoch));
3298 EXPECT_TRUE(epoch == 0 || epoch == 1) << "Invalid epoch: " << epoch;
3299 ASSERT_TRUE(CBS_skip(&cbs, 6));
3300 }
3301 ASSERT_TRUE(CBS_get_u16(&cbs, &length));
3302 EXPECT_EQ(0u, CBS_len(&cbs));
3303 };
3304 using CallbackType = decltype(cb);
3305 SSL_CTX *ctx = test_server ? server_ctx_.get() : client_ctx_.get();
3306 SSL_CTX_set_msg_callback(
3307 ctx, [](int is_write, int cb_version, int cb_type, const void *buf,
3308 size_t len, SSL *ssl, void *arg) {
3309 CallbackType *cb_ptr = reinterpret_cast<CallbackType *>(arg);
3310 (*cb_ptr)(is_write, cb_version, cb_type, buf, len, ssl);
3311 });
3312 SSL_CTX_set_msg_callback_arg(ctx, &cb);
3313
3314 ASSERT_TRUE(Connect());
3315
3316 EXPECT_TRUE(read_seen);
3317 EXPECT_TRUE(write_seen);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3318 }
David Benjamin9ef31f02016-10-31 18:01:13 -0400[diff] [blame]3319}
3320
David Benjamina8614602017-09-06 15:40:19 -0400[diff] [blame]3321TEST_P(SSLVersionTest, GetServerName) {
David Benjamina8614602017-09-06 15:40:19 -0400[diff] [blame]3322 ClientConfig config;
3323 config.servername = "host1";
3324
3325 SSL_CTX_set_tlsext_servername_callback(
3326 server_ctx_.get(), [](SSL *ssl, int *out_alert, void *arg) -> int {
3327 // During the handshake, |SSL_get_servername| must match |config|.
3328 ClientConfig *config_p = reinterpret_cast<ClientConfig *>(arg);
3329 EXPECT_STREQ(config_p->servername.c_str(),
3330 SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name));
3331 return SSL_TLSEXT_ERR_OK;
3332 });
3333 SSL_CTX_set_tlsext_servername_arg(server_ctx_.get(), &config);
3334
3335 ASSERT_TRUE(Connect(config));
3336 // After the handshake, it must also be available.
3337 EXPECT_STREQ(config.servername.c_str(),
3338 SSL_get_servername(server_.get(), TLSEXT_NAMETYPE_host_name));
3339
3340 // Establish a session under host1.
3341 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
3342 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
3343 bssl::UniquePtr<SSL_SESSION> session =
3344 CreateClientSession(client_ctx_.get(), server_ctx_.get(), config);
3345
3346 // If the client resumes a session with a different name, |SSL_get_servername|
3347 // must return the new name.
3348 ASSERT_TRUE(session);
3349 config.session = session.get();
3350 config.servername = "host2";
3351 ASSERT_TRUE(Connect(config));
3352 EXPECT_STREQ(config.servername.c_str(),
3353 SSL_get_servername(server_.get(), TLSEXT_NAMETYPE_host_name));
3354}
3355
David Benjamin3d8f0802017-09-06 16:12:52 -0400[diff] [blame]3356// Test that session cache mode bits are honored in the client session callback.
3357TEST_P(SSLVersionTest, ClientSessionCacheMode) {
3358 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_OFF);
3359 EXPECT_FALSE(CreateClientSession(client_ctx_.get(), server_ctx_.get()));
3360
3361 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_CLIENT);
3362 EXPECT_TRUE(CreateClientSession(client_ctx_.get(), server_ctx_.get()));
3363
3364 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_SERVER);
3365 EXPECT_FALSE(CreateClientSession(client_ctx_.get(), server_ctx_.get()));
3366}
3367
Steven Valdez777a2392019-02-21 11:30:47 -0500[diff] [blame]3368// Test that all versions survive tiny write buffers. In particular, TLS 1.3
3369// NewSessionTickets are written post-handshake. Servers that block
3370// |SSL_do_handshake| on writing them will deadlock if clients are not draining
3371// the buffer. Test that we do not do this.
3372TEST_P(SSLVersionTest, SmallBuffer) {
3373 // DTLS is a datagram protocol and requires packet-sized buffers.
3374 if (is_dtls()) {
3375 return;
3376 }
3377
3378 // Test both flushing NewSessionTickets with a zero-sized write and
3379 // non-zero-sized write.
3380 for (bool use_zero_write : {false, true}) {
3381 SCOPED_TRACE(use_zero_write);
3382
3383 g_last_session = nullptr;
3384 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
3385 SSL_CTX_sess_set_new_cb(client_ctx_.get(), SaveLastSession);
3386
3387 bssl::UniquePtr<SSL> client(SSL_new(client_ctx_.get())),
3388 server(SSL_new(server_ctx_.get()));
3389 ASSERT_TRUE(client);
3390 ASSERT_TRUE(server);
3391 SSL_set_connect_state(client.get());
3392 SSL_set_accept_state(server.get());
3393
3394 // Use a tiny buffer.
3395 BIO *bio1, *bio2;
3396 ASSERT_TRUE(BIO_new_bio_pair(&bio1, 1, &bio2, 1));
3397
3398 // SSL_set_bio takes ownership.
3399 SSL_set_bio(client.get(), bio1, bio1);
3400 SSL_set_bio(server.get(), bio2, bio2);
3401
3402 ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
3403 if (version() >= TLS1_3_VERSION) {
3404 // The post-handshake ticket should not have been processed yet.
3405 EXPECT_FALSE(g_last_session);
3406 }
3407
3408 if (use_zero_write) {
3409 ASSERT_TRUE(FlushNewSessionTickets(client.get(), server.get()));
3410 EXPECT_TRUE(g_last_session);
3411 }
3412
3413 // Send some data from server to client. If |use_zero_write| is false, this
3414 // will also flush the NewSessionTickets.
3415 static const char kMessage[] = "hello world";
3416 char buf[sizeof(kMessage)];
3417 for (;;) {
3418 int server_ret = SSL_write(server.get(), kMessage, sizeof(kMessage));
3419 int server_err = SSL_get_error(server.get(), server_ret);
3420 int client_ret = SSL_read(client.get(), buf, sizeof(buf));
3421 int client_err = SSL_get_error(client.get(), client_ret);
3422
3423 // The server will write a single record, so every iteration should see
3424 // |SSL_ERROR_WANT_WRITE| and |SSL_ERROR_WANT_READ|, until the final
3425 // iteration, where both will complete.
3426 if (server_ret > 0) {
3427 EXPECT_EQ(server_ret, static_cast<int>(sizeof(kMessage)));
3428 EXPECT_EQ(client_ret, static_cast<int>(sizeof(kMessage)));
3429 EXPECT_EQ(Bytes(buf), Bytes(kMessage));
3430 break;
3431 }
3432
3433 ASSERT_EQ(server_ret, -1);
3434 ASSERT_EQ(server_err, SSL_ERROR_WANT_WRITE);
3435 ASSERT_EQ(client_ret, -1);
3436 ASSERT_EQ(client_err, SSL_ERROR_WANT_READ);
3437 }
3438
3439 // The NewSessionTickets should have been flushed and processed.
3440 EXPECT_TRUE(g_last_session);
3441 }
3442}
3443
Adam Langleye1e78132017-01-31 15:24:31 -0800[diff] [blame]3444TEST(SSLTest, AddChainCertHack) {
3445 // Ensure that we don't accidently break the hack that we have in place to
3446 // keep curl and serf happy when they use an |X509| even after transfering
3447 // ownership.
3448
3449 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
3450 ASSERT_TRUE(ctx);
3451 X509 *cert = GetTestCertificate().release();
3452 ASSERT_TRUE(cert);
3453 SSL_CTX_add0_chain_cert(ctx.get(), cert);
3454
3455 // This should not trigger a use-after-free.
3456 X509_cmp(cert, cert);
3457}
3458
David Benjaminb2ff2622017-02-03 17:06:18 -0500[diff] [blame]3459TEST(SSLTest, GetCertificate) {
3460 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
3461 ASSERT_TRUE(ctx);
3462 bssl::UniquePtr<X509> cert = GetTestCertificate();
3463 ASSERT_TRUE(cert);
3464 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), cert.get()));
3465 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
3466 ASSERT_TRUE(ssl);
3467
3468 X509 *cert2 = SSL_CTX_get0_certificate(ctx.get());
3469 ASSERT_TRUE(cert2);
3470 X509 *cert3 = SSL_get_certificate(ssl.get());
3471 ASSERT_TRUE(cert3);
3472
3473 // The old and new certificates must be identical.
3474 EXPECT_EQ(0, X509_cmp(cert.get(), cert2));
3475 EXPECT_EQ(0, X509_cmp(cert.get(), cert3));
3476
3477 uint8_t *der = nullptr;
3478 long der_len = i2d_X509(cert.get(), &der);
3479 ASSERT_LT(0, der_len);
3480 bssl::UniquePtr<uint8_t> free_der(der);
3481
3482 uint8_t *der2 = nullptr;
3483 long der2_len = i2d_X509(cert2, &der2);
3484 ASSERT_LT(0, der2_len);
3485 bssl::UniquePtr<uint8_t> free_der2(der2);
3486
3487 uint8_t *der3 = nullptr;
3488 long der3_len = i2d_X509(cert3, &der3);
3489 ASSERT_LT(0, der3_len);
3490 bssl::UniquePtr<uint8_t> free_der3(der3);
3491
3492 // They must also encode identically.
David Benjamin7d7554b2017-02-04 11:48:59 -0500[diff] [blame]3493 EXPECT_EQ(Bytes(der, der_len), Bytes(der2, der2_len));
3494 EXPECT_EQ(Bytes(der, der_len), Bytes(der3, der3_len));
David Benjaminb2ff2622017-02-03 17:06:18 -0500[diff] [blame]3495}
3496
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]3497TEST(SSLTest, SetChainAndKeyMismatch) {
3498 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_with_buffers_method()));
3499 ASSERT_TRUE(ctx);
3500
3501 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
3502 ASSERT_TRUE(key);
3503 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
3504 ASSERT_TRUE(leaf);
3505 std::vector<CRYPTO_BUFFER*> chain = {
3506 leaf.get(),
3507 };
3508
3509 // Should fail because |GetTestKey| doesn't match the chain-test certificate.
3510 ASSERT_FALSE(SSL_CTX_set_chain_and_key(ctx.get(), &chain[0], chain.size(),
3511 key.get(), nullptr));
3512 ERR_clear_error();
3513}
3514
3515TEST(SSLTest, SetChainAndKey) {
3516 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method()));
3517 ASSERT_TRUE(client_ctx);
3518 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_with_buffers_method()));
3519 ASSERT_TRUE(server_ctx);
3520
Adam Langley964256d2020-03-19 11:57:12 -0700[diff] [blame]3521 ASSERT_EQ(nullptr, SSL_CTX_get0_chain(server_ctx.get()));
3522
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]3523 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
3524 ASSERT_TRUE(key);
3525 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
3526 ASSERT_TRUE(leaf);
3527 bssl::UniquePtr<CRYPTO_BUFFER> intermediate =
3528 GetChainTestIntermediateBuffer();
3529 ASSERT_TRUE(intermediate);
3530 std::vector<CRYPTO_BUFFER*> chain = {
3531 leaf.get(), intermediate.get(),
3532 };
3533 ASSERT_TRUE(SSL_CTX_set_chain_and_key(server_ctx.get(), &chain[0],
3534 chain.size(), key.get(), nullptr));
3535
Adam Langley964256d2020-03-19 11:57:12 -0700[diff] [blame]3536 ASSERT_EQ(chain.size(),
3537 sk_CRYPTO_BUFFER_num(SSL_CTX_get0_chain(server_ctx.get())));
3538
David Benjamin3a1dd462017-07-11 16:13:10 -0400[diff] [blame]3539 SSL_CTX_set_custom_verify(
3540 client_ctx.get(), SSL_VERIFY_PEER,
3541 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
3542 return ssl_verify_ok;
3543 });
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]3544
3545 bssl::UniquePtr<SSL> client, server;
3546 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
David Benjamina8614602017-09-06 15:40:19 -0400[diff] [blame]3547 server_ctx.get()));
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]3548}
3549
Matthew Braithwaite5301c102018-01-23 12:08:55 -0800[diff] [blame]3550TEST(SSLTest, BuffersFailWithoutCustomVerify) {
3551 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method()));
3552 ASSERT_TRUE(client_ctx);
3553 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_with_buffers_method()));
3554 ASSERT_TRUE(server_ctx);
3555
3556 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
3557 ASSERT_TRUE(key);
3558 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
3559 ASSERT_TRUE(leaf);
3560 std::vector<CRYPTO_BUFFER*> chain = { leaf.get() };
3561 ASSERT_TRUE(SSL_CTX_set_chain_and_key(server_ctx.get(), &chain[0],
3562 chain.size(), key.get(), nullptr));
3563
3564 // Without SSL_CTX_set_custom_verify(), i.e. with everything in the default
3565 // configuration, certificate verification should fail.
3566 bssl::UniquePtr<SSL> client, server;
3567 ASSERT_FALSE(ConnectClientAndServer(&client, &server, client_ctx.get(),
3568 server_ctx.get()));
3569
3570 // Whereas with a verifier, the connection should succeed.
3571 SSL_CTX_set_custom_verify(
3572 client_ctx.get(), SSL_VERIFY_PEER,
3573 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
3574 return ssl_verify_ok;
3575 });
3576 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
3577 server_ctx.get()));
3578}
3579
3580TEST(SSLTest, CustomVerify) {
3581 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method()));
3582 ASSERT_TRUE(client_ctx);
3583 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_with_buffers_method()));
3584 ASSERT_TRUE(server_ctx);
3585
3586 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
3587 ASSERT_TRUE(key);
3588 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
3589 ASSERT_TRUE(leaf);
3590 std::vector<CRYPTO_BUFFER*> chain = { leaf.get() };
3591 ASSERT_TRUE(SSL_CTX_set_chain_and_key(server_ctx.get(), &chain[0],
3592 chain.size(), key.get(), nullptr));
3593
3594 SSL_CTX_set_custom_verify(
3595 client_ctx.get(), SSL_VERIFY_PEER,
3596 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
3597 return ssl_verify_ok;
3598 });
3599
3600 bssl::UniquePtr<SSL> client, server;
3601 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
3602 server_ctx.get()));
3603
3604 // With SSL_VERIFY_PEER, ssl_verify_invalid should result in a dropped
3605 // connection.
3606 SSL_CTX_set_custom_verify(
3607 client_ctx.get(), SSL_VERIFY_PEER,
3608 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
3609 return ssl_verify_invalid;
3610 });
3611
3612 ASSERT_FALSE(ConnectClientAndServer(&client, &server, client_ctx.get(),
3613 server_ctx.get()));
3614
3615 // But with SSL_VERIFY_NONE, ssl_verify_invalid should not cause a dropped
3616 // connection.
3617 SSL_CTX_set_custom_verify(
3618 client_ctx.get(), SSL_VERIFY_NONE,
3619 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
3620 return ssl_verify_invalid;
3621 });
3622
3623 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
3624 server_ctx.get()));
3625}
3626
David Benjamin71dfad42017-07-16 17:27:39 -0400[diff] [blame]3627TEST(SSLTest, ClientCABuffers) {
3628 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method()));
3629 ASSERT_TRUE(client_ctx);
3630 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_with_buffers_method()));
3631 ASSERT_TRUE(server_ctx);
3632
3633 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
3634 ASSERT_TRUE(key);
3635 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
3636 ASSERT_TRUE(leaf);
3637 bssl::UniquePtr<CRYPTO_BUFFER> intermediate =
3638 GetChainTestIntermediateBuffer();
3639 ASSERT_TRUE(intermediate);
3640 std::vector<CRYPTO_BUFFER *> chain = {
3641 leaf.get(),
3642 intermediate.get(),
3643 };
3644 ASSERT_TRUE(SSL_CTX_set_chain_and_key(server_ctx.get(), &chain[0],
3645 chain.size(), key.get(), nullptr));
3646
3647 bssl::UniquePtr<CRYPTO_BUFFER> ca_name(
3648 CRYPTO_BUFFER_new(kTestName, sizeof(kTestName), nullptr));
3649 ASSERT_TRUE(ca_name);
3650 bssl::UniquePtr<STACK_OF(CRYPTO_BUFFER)> ca_names(
3651 sk_CRYPTO_BUFFER_new_null());
3652 ASSERT_TRUE(ca_names);
David Benjamin2908dd12018-06-29 17:46:42 -0400[diff] [blame]3653 ASSERT_TRUE(PushToStack(ca_names.get(), std::move(ca_name)));
David Benjamin71dfad42017-07-16 17:27:39 -0400[diff] [blame]3654 SSL_CTX_set0_client_CAs(server_ctx.get(), ca_names.release());
3655
3656 // Configure client and server to accept all certificates.
3657 SSL_CTX_set_custom_verify(
3658 client_ctx.get(), SSL_VERIFY_PEER,
3659 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
3660 return ssl_verify_ok;
3661 });
3662 SSL_CTX_set_custom_verify(
3663 server_ctx.get(), SSL_VERIFY_PEER,
3664 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
3665 return ssl_verify_ok;
3666 });
3667
3668 bool cert_cb_called = false;
3669 SSL_CTX_set_cert_cb(
3670 client_ctx.get(),
3671 [](SSL *ssl, void *arg) -> int {
David Benjamin5f001d12018-05-08 16:46:48 -0400[diff] [blame]3672 const STACK_OF(CRYPTO_BUFFER) *peer_names =
David Benjamin71dfad42017-07-16 17:27:39 -0400[diff] [blame]3673 SSL_get0_server_requested_CAs(ssl);
3674 EXPECT_EQ(1u, sk_CRYPTO_BUFFER_num(peer_names));
3675 CRYPTO_BUFFER *peer_name = sk_CRYPTO_BUFFER_value(peer_names, 0);
3676 EXPECT_EQ(Bytes(kTestName), Bytes(CRYPTO_BUFFER_data(peer_name),
3677 CRYPTO_BUFFER_len(peer_name)));
3678 *reinterpret_cast<bool *>(arg) = true;
3679 return 1;
3680 },
3681 &cert_cb_called);
3682
3683 bssl::UniquePtr<SSL> client, server;
3684 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
David Benjamina8614602017-09-06 15:40:19 -0400[diff] [blame]3685 server_ctx.get()));
David Benjamin71dfad42017-07-16 17:27:39 -0400[diff] [blame]3686 EXPECT_TRUE(cert_cb_called);
3687}
3688
David Benjamin91222b82017-03-09 20:10:56 -0500[diff] [blame]3689// Configuring the empty cipher list, though an error, should still modify the
3690// configuration.
3691TEST(SSLTest, EmptyCipherList) {
3692 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
3693 ASSERT_TRUE(ctx);
3694
3695 // Initially, the cipher list is not empty.
3696 EXPECT_NE(0u, sk_SSL_CIPHER_num(SSL_CTX_get_ciphers(ctx.get())));
3697
3698 // Configuring the empty cipher list fails.
3699 EXPECT_FALSE(SSL_CTX_set_cipher_list(ctx.get(), ""));
3700 ERR_clear_error();
3701
3702 // But the cipher list is still updated to empty.
3703 EXPECT_EQ(0u, sk_SSL_CIPHER_num(SSL_CTX_get_ciphers(ctx.get())));
3704}
3705
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]3706// ssl_test_ticket_aead_failure_mode enumerates the possible ways in which the
3707// test |SSL_TICKET_AEAD_METHOD| can fail.
3708enum ssl_test_ticket_aead_failure_mode {
3709 ssl_test_ticket_aead_ok = 0,
3710 ssl_test_ticket_aead_seal_fail,
3711 ssl_test_ticket_aead_open_soft_fail,
3712 ssl_test_ticket_aead_open_hard_fail,
3713};
3714
3715struct ssl_test_ticket_aead_state {
3716 unsigned retry_count;
3717 ssl_test_ticket_aead_failure_mode failure_mode;
3718};
3719
3720static int ssl_test_ticket_aead_ex_index_dup(CRYPTO_EX_DATA *to,
3721 const CRYPTO_EX_DATA *from,
3722 void **from_d, int index,
3723 long argl, void *argp) {
3724 abort();
3725}
3726
3727static void ssl_test_ticket_aead_ex_index_free(void *parent, void *ptr,
3728 CRYPTO_EX_DATA *ad, int index,
3729 long argl, void *argp) {
3730 auto state = reinterpret_cast<ssl_test_ticket_aead_state*>(ptr);
3731 if (state == nullptr) {
3732 return;
3733 }
3734
3735 OPENSSL_free(state);
3736}
3737
3738static CRYPTO_once_t g_ssl_test_ticket_aead_ex_index_once = CRYPTO_ONCE_INIT;
3739static int g_ssl_test_ticket_aead_ex_index;
3740
3741static int ssl_test_ticket_aead_get_ex_index() {
3742 CRYPTO_once(&g_ssl_test_ticket_aead_ex_index_once, [] {
3743 g_ssl_test_ticket_aead_ex_index = SSL_get_ex_new_index(
3744 0, nullptr, nullptr, ssl_test_ticket_aead_ex_index_dup,
3745 ssl_test_ticket_aead_ex_index_free);
3746 });
3747 return g_ssl_test_ticket_aead_ex_index;
3748}
3749
3750static size_t ssl_test_ticket_aead_max_overhead(SSL *ssl) {
3751 return 1;
3752}
3753
3754static int ssl_test_ticket_aead_seal(SSL *ssl, uint8_t *out, size_t *out_len,
3755 size_t max_out_len, const uint8_t *in,
3756 size_t in_len) {
3757 auto state = reinterpret_cast<ssl_test_ticket_aead_state *>(
3758 SSL_get_ex_data(ssl, ssl_test_ticket_aead_get_ex_index()));
3759
3760 if (state->failure_mode == ssl_test_ticket_aead_seal_fail ||
3761 max_out_len < in_len + 1) {
3762 return 0;
3763 }
3764
3765 OPENSSL_memmove(out, in, in_len);
3766 out[in_len] = 0xff;
3767 *out_len = in_len + 1;
3768
3769 return 1;
3770}
3771
3772static ssl_ticket_aead_result_t ssl_test_ticket_aead_open(
3773 SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out_len,
3774 const uint8_t *in, size_t in_len) {
3775 auto state = reinterpret_cast<ssl_test_ticket_aead_state *>(
3776 SSL_get_ex_data(ssl, ssl_test_ticket_aead_get_ex_index()));
3777
3778 if (state->retry_count > 0) {
3779 state->retry_count--;
3780 return ssl_ticket_aead_retry;
3781 }
3782
3783 switch (state->failure_mode) {
3784 case ssl_test_ticket_aead_ok:
3785 break;
3786 case ssl_test_ticket_aead_seal_fail:
3787 // If |seal| failed then there shouldn't be any ticket to try and
3788 // decrypt.
3789 abort();
3790 break;
3791 case ssl_test_ticket_aead_open_soft_fail:
3792 return ssl_ticket_aead_ignore_ticket;
3793 case ssl_test_ticket_aead_open_hard_fail:
3794 return ssl_ticket_aead_error;
3795 }
3796
3797 if (in_len == 0 || in[in_len - 1] != 0xff) {
3798 return ssl_ticket_aead_ignore_ticket;
3799 }
3800
3801 if (max_out_len < in_len - 1) {
3802 return ssl_ticket_aead_error;
3803 }
3804
3805 OPENSSL_memmove(out, in, in_len - 1);
3806 *out_len = in_len - 1;
3807 return ssl_ticket_aead_success;
3808}
3809
3810static const SSL_TICKET_AEAD_METHOD kSSLTestTicketMethod = {
3811 ssl_test_ticket_aead_max_overhead,
3812 ssl_test_ticket_aead_seal,
3813 ssl_test_ticket_aead_open,
3814};
3815
3816static void ConnectClientAndServerWithTicketMethod(
3817 bssl::UniquePtr<SSL> *out_client, bssl::UniquePtr<SSL> *out_server,
3818 SSL_CTX *client_ctx, SSL_CTX *server_ctx, unsigned retry_count,
3819 ssl_test_ticket_aead_failure_mode failure_mode, SSL_SESSION *session) {
3820 bssl::UniquePtr<SSL> client(SSL_new(client_ctx)), server(SSL_new(server_ctx));
3821 ASSERT_TRUE(client);
3822 ASSERT_TRUE(server);
3823 SSL_set_connect_state(client.get());
3824 SSL_set_accept_state(server.get());
3825
3826 auto state = reinterpret_cast<ssl_test_ticket_aead_state *>(
3827 OPENSSL_malloc(sizeof(ssl_test_ticket_aead_state)));
3828 ASSERT_TRUE(state);
3829 OPENSSL_memset(state, 0, sizeof(ssl_test_ticket_aead_state));
3830 state->retry_count = retry_count;
3831 state->failure_mode = failure_mode;
3832
3833 ASSERT_TRUE(SSL_set_ex_data(server.get(), ssl_test_ticket_aead_get_ex_index(),
3834 state));
3835
3836 SSL_set_session(client.get(), session);
3837
3838 BIO *bio1, *bio2;
3839 ASSERT_TRUE(BIO_new_bio_pair(&bio1, 0, &bio2, 0));
3840
3841 // SSL_set_bio takes ownership.
3842 SSL_set_bio(client.get(), bio1, bio1);
3843 SSL_set_bio(server.get(), bio2, bio2);
3844
3845 if (CompleteHandshakes(client.get(), server.get())) {
3846 *out_client = std::move(client);
3847 *out_server = std::move(server);
3848 } else {
3849 out_client->reset();
3850 out_server->reset();
3851 }
3852}
3853
David Benjaminc9775322018-04-13 16:39:12 -0400[diff] [blame]3854using TicketAEADMethodParam =
3855 testing::tuple<uint16_t, unsigned, ssl_test_ticket_aead_failure_mode>;
3856
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]3857class TicketAEADMethodTest
David Benjaminc9775322018-04-13 16:39:12 -0400[diff] [blame]3858 : public ::testing::TestWithParam<TicketAEADMethodParam> {};
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]3859
3860TEST_P(TicketAEADMethodTest, Resume) {
3861 bssl::UniquePtr<X509> cert = GetTestCertificate();
3862 ASSERT_TRUE(cert);
3863 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
3864 ASSERT_TRUE(key);
3865
3866 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
3867 ASSERT_TRUE(server_ctx);
3868 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
3869 ASSERT_TRUE(client_ctx);
3870
3871 const uint16_t version = testing::get<0>(GetParam());
3872 const unsigned retry_count = testing::get<1>(GetParam());
3873 const ssl_test_ticket_aead_failure_mode failure_mode =
3874 testing::get<2>(GetParam());
3875
3876 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
3877 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
3878 ASSERT_TRUE(SSL_CTX_set_min_proto_version(client_ctx.get(), version));
3879 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), version));
3880 ASSERT_TRUE(SSL_CTX_set_min_proto_version(server_ctx.get(), version));
3881 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), version));
3882
3883 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
3884 SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH);
3885 SSL_CTX_set_current_time_cb(client_ctx.get(), FrozenTimeCallback);
3886 SSL_CTX_set_current_time_cb(server_ctx.get(), FrozenTimeCallback);
David Benjamin707af292017-03-10 17:47:18 -0500[diff] [blame]3887 SSL_CTX_sess_set_new_cb(client_ctx.get(), SaveLastSession);
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]3888
3889 SSL_CTX_set_ticket_aead_method(server_ctx.get(), &kSSLTestTicketMethod);
3890
3891 bssl::UniquePtr<SSL> client, server;
3892 ConnectClientAndServerWithTicketMethod(&client, &server, client_ctx.get(),
3893 server_ctx.get(), retry_count,
3894 failure_mode, nullptr);
3895 switch (failure_mode) {
3896 case ssl_test_ticket_aead_ok:
3897 case ssl_test_ticket_aead_open_hard_fail:
3898 case ssl_test_ticket_aead_open_soft_fail:
3899 ASSERT_TRUE(client);
3900 break;
3901 case ssl_test_ticket_aead_seal_fail:
3902 EXPECT_FALSE(client);
3903 return;
3904 }
3905 EXPECT_FALSE(SSL_session_reused(client.get()));
3906 EXPECT_FALSE(SSL_session_reused(server.get()));
3907
Steven Valdez777a2392019-02-21 11:30:47 -0500[diff] [blame]3908 ASSERT_TRUE(FlushNewSessionTickets(client.get(), server.get()));
David Benjamin707af292017-03-10 17:47:18 -0500[diff] [blame]3909 bssl::UniquePtr<SSL_SESSION> session = std::move(g_last_session);
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]3910 ConnectClientAndServerWithTicketMethod(&client, &server, client_ctx.get(),
3911 server_ctx.get(), retry_count,
David Benjamin707af292017-03-10 17:47:18 -0500[diff] [blame]3912 failure_mode, session.get());
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]3913 switch (failure_mode) {
3914 case ssl_test_ticket_aead_ok:
3915 ASSERT_TRUE(client);
3916 EXPECT_TRUE(SSL_session_reused(client.get()));
3917 EXPECT_TRUE(SSL_session_reused(server.get()));
3918 break;
3919 case ssl_test_ticket_aead_seal_fail:
3920 abort();
3921 break;
3922 case ssl_test_ticket_aead_open_hard_fail:
3923 EXPECT_FALSE(client);
3924 break;
3925 case ssl_test_ticket_aead_open_soft_fail:
3926 ASSERT_TRUE(client);
3927 EXPECT_FALSE(SSL_session_reused(client.get()));
3928 EXPECT_FALSE(SSL_session_reused(server.get()));
3929 }
3930}
3931
David Benjaminc9775322018-04-13 16:39:12 -0400[diff] [blame]3932std::string TicketAEADMethodParamToString(
3933 const testing::TestParamInfo<TicketAEADMethodParam> &params) {
3934 std::string ret = GetVersionName(std::get<0>(params.param));
3935 // GTest only allows alphanumeric characters and '_' in the parameter
3936 // string. Additionally filter out the 'v' to get "TLS13" over "TLSv13".
3937 for (auto it = ret.begin(); it != ret.end();) {
3938 if (*it == '.' || *it == 'v') {
3939 it = ret.erase(it);
3940 } else {
3941 ++it;
3942 }
3943 }
3944 char retry_count[256];
3945 snprintf(retry_count, sizeof(retry_count), "%d", std::get<1>(params.param));
3946 ret += "_";
3947 ret += retry_count;
3948 ret += "Retries_";
3949 switch (std::get<2>(params.param)) {
3950 case ssl_test_ticket_aead_ok:
3951 ret += "OK";
3952 break;
3953 case ssl_test_ticket_aead_seal_fail:
3954 ret += "SealFail";
3955 break;
3956 case ssl_test_ticket_aead_open_soft_fail:
3957 ret += "OpenSoftFail";
3958 break;
3959 case ssl_test_ticket_aead_open_hard_fail:
3960 ret += "OpenHardFail";
3961 break;
3962 }
3963 return ret;
3964}
3965
David Benjaminbe7006a2019-04-09 18:05:02 -0500[diff] [blame]3966INSTANTIATE_TEST_SUITE_P(
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]3967 TicketAEADMethodTests, TicketAEADMethodTest,
David Benjaminc9775322018-04-13 16:39:12 -0400[diff] [blame]3968 testing::Combine(testing::Values(TLS1_2_VERSION, TLS1_3_VERSION),
3969 testing::Values(0, 1, 2),
3970 testing::Values(ssl_test_ticket_aead_ok,
3971 ssl_test_ticket_aead_seal_fail,
3972 ssl_test_ticket_aead_open_soft_fail,
3973 ssl_test_ticket_aead_open_hard_fail)),
3974 TicketAEADMethodParamToString);
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]3975
David Benjaminca743582017-06-15 17:51:35 -0400[diff] [blame]3976TEST(SSLTest, SelectNextProto) {
3977 uint8_t *result;
3978 uint8_t result_len;
3979
3980 // If there is an overlap, it should be returned.
3981 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
3982 SSL_select_next_proto(&result, &result_len,
3983 (const uint8_t *)"\1a\2bb\3ccc", 9,
3984 (const uint8_t *)"\1x\1y\1a\1z", 8));
3985 EXPECT_EQ(Bytes("a"), Bytes(result, result_len));
3986
3987 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
3988 SSL_select_next_proto(&result, &result_len,
3989 (const uint8_t *)"\1a\2bb\3ccc", 9,
3990 (const uint8_t *)"\1x\1y\2bb\1z", 9));
3991 EXPECT_EQ(Bytes("bb"), Bytes(result, result_len));
3992
3993 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
3994 SSL_select_next_proto(&result, &result_len,
3995 (const uint8_t *)"\1a\2bb\3ccc", 9,
3996 (const uint8_t *)"\1x\1y\3ccc\1z", 10));
3997 EXPECT_EQ(Bytes("ccc"), Bytes(result, result_len));
3998
3999 // Peer preference order takes precedence over local.
4000 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
4001 SSL_select_next_proto(&result, &result_len,
4002 (const uint8_t *)"\1a\2bb\3ccc", 9,
4003 (const uint8_t *)"\3ccc\2bb\1a", 9));
4004 EXPECT_EQ(Bytes("a"), Bytes(result, result_len));
4005
4006 // If there is no overlap, return the first local protocol.
4007 EXPECT_EQ(OPENSSL_NPN_NO_OVERLAP,
4008 SSL_select_next_proto(&result, &result_len,
4009 (const uint8_t *)"\1a\2bb\3ccc", 9,
4010 (const uint8_t *)"\1x\2yy\3zzz", 9));
4011 EXPECT_EQ(Bytes("x"), Bytes(result, result_len));
4012
4013 EXPECT_EQ(OPENSSL_NPN_NO_OVERLAP,
4014 SSL_select_next_proto(&result, &result_len, nullptr, 0,
4015 (const uint8_t *)"\1x\2yy\3zzz", 9));
4016 EXPECT_EQ(Bytes("x"), Bytes(result, result_len));
4017}
4018
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]4019TEST(SSLTest, SealRecord) {
Matthew Braithwaite58d56f42019-11-04 13:20:01 -0800[diff] [blame]4020 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLSv1_2_method())),
4021 server_ctx(SSL_CTX_new(TLSv1_2_method()));
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]4022 ASSERT_TRUE(client_ctx);
4023 ASSERT_TRUE(server_ctx);
4024
4025 bssl::UniquePtr<X509> cert = GetTestCertificate();
4026 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
4027 ASSERT_TRUE(cert);
4028 ASSERT_TRUE(key);
4029 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
4030 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
4031
4032 bssl::UniquePtr<SSL> client, server;
4033 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
David Benjamina8614602017-09-06 15:40:19 -0400[diff] [blame]4034 server_ctx.get()));
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]4035
4036 const std::vector<uint8_t> record = {1, 2, 3, 4, 5};
4037 std::vector<uint8_t> prefix(
4038 bssl::SealRecordPrefixLen(client.get(), record.size())),
Martin Kreichgauerabbf3652017-07-21 16:27:54 -0700[diff] [blame]4039 body(record.size()),
4040 suffix(bssl::SealRecordSuffixLen(client.get(), record.size()));
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]4041 ASSERT_TRUE(bssl::SealRecord(client.get(), bssl::MakeSpan(prefix),
4042 bssl::MakeSpan(body), bssl::MakeSpan(suffix),
Martin Kreichgauerabbf3652017-07-21 16:27:54 -0700[diff] [blame]4043 record));
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]4044
4045 std::vector<uint8_t> sealed;
4046 sealed.insert(sealed.end(), prefix.begin(), prefix.end());
4047 sealed.insert(sealed.end(), body.begin(), body.end());
4048 sealed.insert(sealed.end(), suffix.begin(), suffix.end());
4049 std::vector<uint8_t> sealed_copy = sealed;
4050
4051 bssl::Span<uint8_t> plaintext;
4052 size_t record_len;
4053 uint8_t alert = 255;
4054 EXPECT_EQ(bssl::OpenRecord(server.get(), &plaintext, &record_len, &alert,
4055 bssl::MakeSpan(sealed)),
4056 bssl::OpenRecordResult::kOK);
4057 EXPECT_EQ(record_len, sealed.size());
4058 EXPECT_EQ(plaintext, record);
4059 EXPECT_EQ(255, alert);
4060}
4061
4062TEST(SSLTest, SealRecordInPlace) {
Matthew Braithwaite58d56f42019-11-04 13:20:01 -0800[diff] [blame]4063 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLSv1_2_method())),
4064 server_ctx(SSL_CTX_new(TLSv1_2_method()));
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]4065 ASSERT_TRUE(client_ctx);
4066 ASSERT_TRUE(server_ctx);
4067
4068 bssl::UniquePtr<X509> cert = GetTestCertificate();
4069 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
4070 ASSERT_TRUE(cert);
4071 ASSERT_TRUE(key);
4072 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
4073 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
4074
4075 bssl::UniquePtr<SSL> client, server;
4076 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
David Benjamina8614602017-09-06 15:40:19 -0400[diff] [blame]4077 server_ctx.get()));
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]4078
4079 const std::vector<uint8_t> plaintext = {1, 2, 3, 4, 5};
4080 std::vector<uint8_t> record = plaintext;
4081 std::vector<uint8_t> prefix(
4082 bssl::SealRecordPrefixLen(client.get(), record.size())),
Martin Kreichgauerabbf3652017-07-21 16:27:54 -0700[diff] [blame]4083 suffix(bssl::SealRecordSuffixLen(client.get(), record.size()));
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]4084 ASSERT_TRUE(bssl::SealRecord(client.get(), bssl::MakeSpan(prefix),
4085 bssl::MakeSpan(record), bssl::MakeSpan(suffix),
Martin Kreichgauerabbf3652017-07-21 16:27:54 -0700[diff] [blame]4086 record));
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]4087 record.insert(record.begin(), prefix.begin(), prefix.end());
4088 record.insert(record.end(), suffix.begin(), suffix.end());
4089
4090 bssl::Span<uint8_t> result;
4091 size_t record_len;
4092 uint8_t alert;
4093 EXPECT_EQ(bssl::OpenRecord(server.get(), &result, &record_len, &alert,
4094 bssl::MakeSpan(record)),
4095 bssl::OpenRecordResult::kOK);
4096 EXPECT_EQ(record_len, record.size());
4097 EXPECT_EQ(plaintext, result);
4098}
4099
4100TEST(SSLTest, SealRecordTrailingData) {
Matthew Braithwaite58d56f42019-11-04 13:20:01 -0800[diff] [blame]4101 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLSv1_2_method())),
4102 server_ctx(SSL_CTX_new(TLSv1_2_method()));
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]4103 ASSERT_TRUE(client_ctx);
4104 ASSERT_TRUE(server_ctx);
4105
4106 bssl::UniquePtr<X509> cert = GetTestCertificate();
4107 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
4108 ASSERT_TRUE(cert);
4109 ASSERT_TRUE(key);
4110 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
4111 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
4112
4113 bssl::UniquePtr<SSL> client, server;
4114 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
David Benjamina8614602017-09-06 15:40:19 -0400[diff] [blame]4115 server_ctx.get()));
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]4116
4117 const std::vector<uint8_t> plaintext = {1, 2, 3, 4, 5};
4118 std::vector<uint8_t> record = plaintext;
4119 std::vector<uint8_t> prefix(
4120 bssl::SealRecordPrefixLen(client.get(), record.size())),
Martin Kreichgauerabbf3652017-07-21 16:27:54 -0700[diff] [blame]4121 suffix(bssl::SealRecordSuffixLen(client.get(), record.size()));
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]4122 ASSERT_TRUE(bssl::SealRecord(client.get(), bssl::MakeSpan(prefix),
4123 bssl::MakeSpan(record), bssl::MakeSpan(suffix),
Martin Kreichgauerabbf3652017-07-21 16:27:54 -0700[diff] [blame]4124 record));
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]4125 record.insert(record.begin(), prefix.begin(), prefix.end());
4126 record.insert(record.end(), suffix.begin(), suffix.end());
4127 record.insert(record.end(), {5, 4, 3, 2, 1});
4128
4129 bssl::Span<uint8_t> result;
4130 size_t record_len;
4131 uint8_t alert;
4132 EXPECT_EQ(bssl::OpenRecord(server.get(), &result, &record_len, &alert,
4133 bssl::MakeSpan(record)),
4134 bssl::OpenRecordResult::kOK);
4135 EXPECT_EQ(record_len, record.size() - 5);
4136 EXPECT_EQ(plaintext, result);
4137}
4138
4139TEST(SSLTest, SealRecordInvalidSpanSize) {
Matthew Braithwaite58d56f42019-11-04 13:20:01 -0800[diff] [blame]4140 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLSv1_2_method())),
4141 server_ctx(SSL_CTX_new(TLSv1_2_method()));
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]4142 ASSERT_TRUE(client_ctx);
4143 ASSERT_TRUE(server_ctx);
4144
4145 bssl::UniquePtr<X509> cert = GetTestCertificate();
4146 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
4147 ASSERT_TRUE(cert);
4148 ASSERT_TRUE(key);
4149 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
4150 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
4151
4152 bssl::UniquePtr<SSL> client, server;
4153 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
David Benjamina8614602017-09-06 15:40:19 -0400[diff] [blame]4154 server_ctx.get()));
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]4155
4156 std::vector<uint8_t> record = {1, 2, 3, 4, 5};
4157 std::vector<uint8_t> prefix(
4158 bssl::SealRecordPrefixLen(client.get(), record.size())),
Martin Kreichgauerabbf3652017-07-21 16:27:54 -0700[diff] [blame]4159 body(record.size()),
4160 suffix(bssl::SealRecordSuffixLen(client.get(), record.size()));
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]4161
4162 auto expect_err = []() {
4163 int err = ERR_get_error();
4164 EXPECT_EQ(ERR_GET_LIB(err), ERR_LIB_SSL);
4165 EXPECT_EQ(ERR_GET_REASON(err), SSL_R_BUFFER_TOO_SMALL);
4166 ERR_clear_error();
4167 };
4168 EXPECT_FALSE(bssl::SealRecord(
4169 client.get(), bssl::MakeSpan(prefix.data(), prefix.size() - 1),
Martin Kreichgauerabbf3652017-07-21 16:27:54 -0700[diff] [blame]4170 bssl::MakeSpan(record), bssl::MakeSpan(suffix), record));
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]4171 expect_err();
4172 EXPECT_FALSE(bssl::SealRecord(
4173 client.get(), bssl::MakeSpan(prefix.data(), prefix.size() + 1),
Martin Kreichgauerabbf3652017-07-21 16:27:54 -0700[diff] [blame]4174 bssl::MakeSpan(record), bssl::MakeSpan(suffix), record));
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]4175 expect_err();
4176
4177 EXPECT_FALSE(
4178 bssl::SealRecord(client.get(), bssl::MakeSpan(prefix),
4179 bssl::MakeSpan(record.data(), record.size() - 1),
Martin Kreichgauerabbf3652017-07-21 16:27:54 -0700[diff] [blame]4180 bssl::MakeSpan(suffix), record));
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]4181 expect_err();
4182 EXPECT_FALSE(
4183 bssl::SealRecord(client.get(), bssl::MakeSpan(prefix),
4184 bssl::MakeSpan(record.data(), record.size() + 1),
Martin Kreichgauerabbf3652017-07-21 16:27:54 -0700[diff] [blame]4185 bssl::MakeSpan(suffix), record));
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]4186 expect_err();
4187
4188 EXPECT_FALSE(bssl::SealRecord(
4189 client.get(), bssl::MakeSpan(prefix), bssl::MakeSpan(record),
Martin Kreichgauerabbf3652017-07-21 16:27:54 -0700[diff] [blame]4190 bssl::MakeSpan(suffix.data(), suffix.size() - 1), record));
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]4191 expect_err();
4192 EXPECT_FALSE(bssl::SealRecord(
4193 client.get(), bssl::MakeSpan(prefix), bssl::MakeSpan(record),
Martin Kreichgauerabbf3652017-07-21 16:27:54 -0700[diff] [blame]4194 bssl::MakeSpan(suffix.data(), suffix.size() + 1), record));
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]4195 expect_err();
4196}
4197
David Benjamin617b8182017-08-29 15:33:10 -0400[diff] [blame]4198// The client should gracefully handle no suitable ciphers being enabled.
4199TEST(SSLTest, NoCiphersAvailable) {
4200 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
4201 ASSERT_TRUE(ctx);
4202
4203 // Configure |client_ctx| with a cipher list that does not intersect with its
4204 // version configuration.
4205 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(
4206 ctx.get(), "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"));
4207 ASSERT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_1_VERSION));
4208
4209 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
4210 ASSERT_TRUE(ssl);
4211 SSL_set_connect_state(ssl.get());
4212
4213 UniquePtr<BIO> rbio(BIO_new(BIO_s_mem())), wbio(BIO_new(BIO_s_mem()));
4214 ASSERT_TRUE(rbio);
4215 ASSERT_TRUE(wbio);
4216 SSL_set0_rbio(ssl.get(), rbio.release());
4217 SSL_set0_wbio(ssl.get(), wbio.release());
4218
4219 int ret = SSL_do_handshake(ssl.get());
4220 EXPECT_EQ(-1, ret);
4221 EXPECT_EQ(SSL_ERROR_SSL, SSL_get_error(ssl.get(), ret));
4222 uint32_t err = ERR_get_error();
4223 EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err));
4224 EXPECT_EQ(SSL_R_NO_CIPHERS_AVAILABLE, ERR_GET_REASON(err));
4225}
4226
David Benjamina4bafd32017-10-03 15:06:29 -0400[diff] [blame]4227TEST_P(SSLVersionTest, SessionVersion) {
4228 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
4229 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
4230
4231 bssl::UniquePtr<SSL_SESSION> session =
4232 CreateClientSession(client_ctx_.get(), server_ctx_.get());
4233 ASSERT_TRUE(session);
4234 EXPECT_EQ(version(), SSL_SESSION_get_protocol_version(session.get()));
4235
4236 // Sessions in TLS 1.3 and later should be single-use.
4237 EXPECT_EQ(version() == TLS1_3_VERSION,
4238 !!SSL_SESSION_should_be_single_use(session.get()));
4239
4240 // Making fake sessions for testing works.
4241 session.reset(SSL_SESSION_new(client_ctx_.get()));
4242 ASSERT_TRUE(session);
4243 ASSERT_TRUE(SSL_SESSION_set_protocol_version(session.get(), version()));
4244 EXPECT_EQ(version(), SSL_SESSION_get_protocol_version(session.get()));
4245}
4246
David Benjaminfdb7a352017-10-12 17:34:18 -0400[diff] [blame]4247TEST_P(SSLVersionTest, SSLPending) {
4248 UniquePtr<SSL> ssl(SSL_new(client_ctx_.get()));
4249 ASSERT_TRUE(ssl);
4250 EXPECT_EQ(0, SSL_pending(ssl.get()));
4251
4252 ASSERT_TRUE(Connect());
4253 EXPECT_EQ(0, SSL_pending(client_.get()));
4254
4255 ASSERT_EQ(5, SSL_write(server_.get(), "hello", 5));
4256 ASSERT_EQ(5, SSL_write(server_.get(), "world", 5));
4257 EXPECT_EQ(0, SSL_pending(client_.get()));
4258
4259 char buf[10];
4260 ASSERT_EQ(1, SSL_peek(client_.get(), buf, 1));
4261 EXPECT_EQ(5, SSL_pending(client_.get()));
4262
4263 ASSERT_EQ(1, SSL_read(client_.get(), buf, 1));
4264 EXPECT_EQ(4, SSL_pending(client_.get()));
4265
4266 ASSERT_EQ(4, SSL_read(client_.get(), buf, 10));
4267 EXPECT_EQ(0, SSL_pending(client_.get()));
4268
4269 ASSERT_EQ(2, SSL_read(client_.get(), buf, 2));
4270 EXPECT_EQ(3, SSL_pending(client_.get()));
4271}
4272
David Benjamina031b612017-10-11 20:48:25 -0400[diff] [blame]4273// Test that post-handshake tickets consumed by |SSL_shutdown| are ignored.
4274TEST(SSLTest, ShutdownIgnoresTickets) {
4275 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
4276 ASSERT_TRUE(ctx);
4277 ASSERT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_3_VERSION));
4278 ASSERT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_3_VERSION));
4279
4280 bssl::UniquePtr<X509> cert = GetTestCertificate();
4281 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
4282 ASSERT_TRUE(cert);
4283 ASSERT_TRUE(key);
4284 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), cert.get()));
4285 ASSERT_TRUE(SSL_CTX_use_PrivateKey(ctx.get(), key.get()));
4286
4287 SSL_CTX_set_session_cache_mode(ctx.get(), SSL_SESS_CACHE_BOTH);
4288
4289 bssl::UniquePtr<SSL> client, server;
4290 ASSERT_TRUE(ConnectClientAndServer(&client, &server, ctx.get(), ctx.get()));
4291
4292 SSL_CTX_sess_set_new_cb(ctx.get(), [](SSL *ssl, SSL_SESSION *session) -> int {
4293 ADD_FAILURE() << "New session callback called during SSL_shutdown";
4294 return 0;
4295 });
4296
4297 // Send close_notify.
4298 EXPECT_EQ(0, SSL_shutdown(server.get()));
4299 EXPECT_EQ(0, SSL_shutdown(client.get()));
4300
4301 // Receive close_notify.
4302 EXPECT_EQ(1, SSL_shutdown(server.get()));
4303 EXPECT_EQ(1, SSL_shutdown(client.get()));
4304}
4305
David Benjamin6cc352e2017-11-02 17:21:39 -0400[diff] [blame]4306TEST(SSLTest, SignatureAlgorithmProperties) {
4307 EXPECT_EQ(EVP_PKEY_NONE, SSL_get_signature_algorithm_key_type(0x1234));
4308 EXPECT_EQ(nullptr, SSL_get_signature_algorithm_digest(0x1234));
4309 EXPECT_FALSE(SSL_is_signature_algorithm_rsa_pss(0x1234));
4310
4311 EXPECT_EQ(EVP_PKEY_RSA,
4312 SSL_get_signature_algorithm_key_type(SSL_SIGN_RSA_PKCS1_MD5_SHA1));
4313 EXPECT_EQ(EVP_md5_sha1(),
4314 SSL_get_signature_algorithm_digest(SSL_SIGN_RSA_PKCS1_MD5_SHA1));
4315 EXPECT_FALSE(SSL_is_signature_algorithm_rsa_pss(SSL_SIGN_RSA_PKCS1_MD5_SHA1));
4316
4317 EXPECT_EQ(EVP_PKEY_EC, SSL_get_signature_algorithm_key_type(
4318 SSL_SIGN_ECDSA_SECP256R1_SHA256));
4319 EXPECT_EQ(EVP_sha256(), SSL_get_signature_algorithm_digest(
4320 SSL_SIGN_ECDSA_SECP256R1_SHA256));
4321 EXPECT_FALSE(
4322 SSL_is_signature_algorithm_rsa_pss(SSL_SIGN_ECDSA_SECP256R1_SHA256));
4323
4324 EXPECT_EQ(EVP_PKEY_RSA,
David Benjamin6879e192018-04-13 16:01:02 -0400[diff] [blame]4325 SSL_get_signature_algorithm_key_type(SSL_SIGN_RSA_PSS_RSAE_SHA384));
David Benjamin6cc352e2017-11-02 17:21:39 -0400[diff] [blame]4326 EXPECT_EQ(EVP_sha384(),
David Benjamin6879e192018-04-13 16:01:02 -0400[diff] [blame]4327 SSL_get_signature_algorithm_digest(SSL_SIGN_RSA_PSS_RSAE_SHA384));
4328 EXPECT_TRUE(SSL_is_signature_algorithm_rsa_pss(SSL_SIGN_RSA_PSS_RSAE_SHA384));
David Benjamin6cc352e2017-11-02 17:21:39 -0400[diff] [blame]4329}
4330
Adam Langley85967952018-07-03 08:04:58 -0700[diff] [blame]4331static int XORCompressFunc(SSL *ssl, CBB *out, const uint8_t *in,
4332 size_t in_len) {
4333 for (size_t i = 0; i < in_len; i++) {
Adam Langley0080d832018-06-07 16:39:49 -0700[diff] [blame]4334 if (!CBB_add_u8(out, in[i] ^ 0x55)) {
Adam Langley85967952018-07-03 08:04:58 -0700[diff] [blame]4335 return 0;
Adam Langley0080d832018-06-07 16:39:49 -0700[diff] [blame]4336 }
4337 }
4338
4339 SSL_set_app_data(ssl, XORCompressFunc);
4340
Adam Langley85967952018-07-03 08:04:58 -0700[diff] [blame]4341 return 1;
Adam Langley0080d832018-06-07 16:39:49 -0700[diff] [blame]4342}
4343
Adam Langley85967952018-07-03 08:04:58 -0700[diff] [blame]4344static int XORDecompressFunc(SSL *ssl, CRYPTO_BUFFER **out,
4345 size_t uncompressed_len, const uint8_t *in,
4346 size_t in_len) {
4347 if (in_len != uncompressed_len) {
4348 return 0;
Adam Langley0080d832018-06-07 16:39:49 -0700[diff] [blame]4349 }
4350
4351 uint8_t *data;
Adam Langley85967952018-07-03 08:04:58 -0700[diff] [blame]4352 *out = CRYPTO_BUFFER_alloc(&data, uncompressed_len);
4353 if (*out == nullptr) {
4354 return 0;
Adam Langley0080d832018-06-07 16:39:49 -0700[diff] [blame]4355 }
4356
Adam Langley85967952018-07-03 08:04:58 -0700[diff] [blame]4357 for (size_t i = 0; i < in_len; i++) {
Adam Langley0080d832018-06-07 16:39:49 -0700[diff] [blame]4358 data[i] = in[i] ^ 0x55;
4359 }
4360
4361 SSL_set_app_data(ssl, XORDecompressFunc);
4362
Adam Langley85967952018-07-03 08:04:58 -0700[diff] [blame]4363 return 1;
Adam Langley0080d832018-06-07 16:39:49 -0700[diff] [blame]4364}
4365
4366TEST(SSLTest, CertCompression) {
4367 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
4368 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
4369 ASSERT_TRUE(client_ctx);
4370 ASSERT_TRUE(server_ctx);
4371
4372 bssl::UniquePtr<X509> cert = GetTestCertificate();
4373 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
4374 ASSERT_TRUE(cert);
4375 ASSERT_TRUE(key);
4376 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
4377 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
4378
4379 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION));
4380 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
4381 ASSERT_TRUE(SSL_CTX_add_cert_compression_alg(
4382 client_ctx.get(), 0x1234, XORCompressFunc, XORDecompressFunc));
4383 ASSERT_TRUE(SSL_CTX_add_cert_compression_alg(
4384 server_ctx.get(), 0x1234, XORCompressFunc, XORDecompressFunc));
4385
4386 bssl::UniquePtr<SSL> client, server;
4387 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
4388 server_ctx.get()));
4389
4390 EXPECT_TRUE(SSL_get_app_data(client.get()) == XORDecompressFunc);
4391 EXPECT_TRUE(SSL_get_app_data(server.get()) == XORCompressFunc);
4392}
4393
Adam Langleyddb57cf2018-01-26 09:17:53 -0800[diff] [blame]4394void MoveBIOs(SSL *dest, SSL *src) {
4395 BIO *rbio = SSL_get_rbio(src);
4396 BIO_up_ref(rbio);
4397 SSL_set0_rbio(dest, rbio);
4398
4399 BIO *wbio = SSL_get_wbio(src);
4400 BIO_up_ref(wbio);
4401 SSL_set0_wbio(dest, wbio);
4402
4403 SSL_set0_rbio(src, nullptr);
4404 SSL_set0_wbio(src, nullptr);
4405}
4406
4407TEST(SSLTest, Handoff) {
4408 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
4409 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
4410 bssl::UniquePtr<SSL_CTX> handshaker_ctx(SSL_CTX_new(TLS_method()));
4411 ASSERT_TRUE(client_ctx);
4412 ASSERT_TRUE(server_ctx);
4413 ASSERT_TRUE(handshaker_ctx);
4414
Matthew Braithwaite134fb892019-11-26 17:56:11 -0800[diff] [blame]4415 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_CLIENT);
4416 SSL_CTX_sess_set_new_cb(client_ctx.get(), SaveLastSession);
Adam Langleyddb57cf2018-01-26 09:17:53 -0800[diff] [blame]4417 SSL_CTX_set_handoff_mode(server_ctx.get(), 1);
Matthew Braithwaite134fb892019-11-26 17:56:11 -0800[diff] [blame]4418 uint8_t keys[48];
David Benjamin243b5cc2019-12-04 11:23:50 -0500[diff] [blame]4419 SSL_CTX_get_tlsext_ticket_keys(server_ctx.get(), &keys, sizeof(keys));
Matthew Braithwaite134fb892019-11-26 17:56:11 -0800[diff] [blame]4420 SSL_CTX_set_tlsext_ticket_keys(handshaker_ctx.get(), &keys, sizeof(keys));
Adam Langleyddb57cf2018-01-26 09:17:53 -0800[diff] [blame]4421
4422 bssl::UniquePtr<X509> cert = GetTestCertificate();
4423 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
4424 ASSERT_TRUE(cert);
4425 ASSERT_TRUE(key);
4426 ASSERT_TRUE(SSL_CTX_use_certificate(handshaker_ctx.get(), cert.get()));
4427 ASSERT_TRUE(SSL_CTX_use_PrivateKey(handshaker_ctx.get(), key.get()));
4428
Matthew Braithwaite4f3e8212020-01-08 16:56:48 -0800[diff] [blame]4429 for (bool early_data : {false, true}) {
4430 SCOPED_TRACE(early_data);
4431 for (bool is_resume : {false, true}) {
4432 SCOPED_TRACE(is_resume);
4433 bssl::UniquePtr<SSL> client, server;
4434 auto config = ClientConfig();
4435 config.early_data = early_data;
4436 if (is_resume) {
4437 ASSERT_TRUE(g_last_session);
4438 config.session = g_last_session.get();
4439 }
4440 if (is_resume && config.early_data) {
4441 EXPECT_GT(g_last_session->ticket_max_early_data, 0u);
4442 }
4443 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
4444 server_ctx.get(), config,
4445 false /* don't handshake */));
4446
4447 int client_ret = SSL_do_handshake(client.get());
4448 int client_err = SSL_get_error(client.get(), client_ret);
4449
4450 uint8_t byte_written;
4451 if (config.early_data && is_resume) {
4452 ASSERT_EQ(client_err, 0);
4453 EXPECT_TRUE(SSL_in_early_data(client.get()));
4454 // Attempt to write early data.
4455 byte_written = 43;
4456 EXPECT_EQ(SSL_write(client.get(), &byte_written, 1), 1);
4457 } else {
4458 ASSERT_EQ(client_err, SSL_ERROR_WANT_READ);
4459 }
4460
4461 int server_ret = SSL_do_handshake(server.get());
4462 int server_err = SSL_get_error(server.get(), server_ret);
4463 ASSERT_EQ(server_err, SSL_ERROR_HANDOFF);
4464
4465 ScopedCBB cbb;
4466 Array<uint8_t> handoff;
4467 SSL_CLIENT_HELLO hello;
4468 ASSERT_TRUE(CBB_init(cbb.get(), 256));
4469 ASSERT_TRUE(SSL_serialize_handoff(server.get(), cbb.get(), &hello));
4470 ASSERT_TRUE(CBBFinishArray(cbb.get(), &handoff));
4471
4472 bssl::UniquePtr<SSL> handshaker(SSL_new(handshaker_ctx.get()));
4473 // Note split handshakes determines 0-RTT support, for both the current
4474 // handshake and newly-issued tickets, entirely by |handshaker|. There is
4475 // no need to call |SSL_set_early_data_enabled| on |server|.
4476 SSL_set_early_data_enabled(handshaker.get(), 1);
4477 ASSERT_TRUE(SSL_apply_handoff(handshaker.get(), handoff));
4478
4479 MoveBIOs(handshaker.get(), server.get());
4480
4481 int handshake_ret = SSL_do_handshake(handshaker.get());
4482 int handshake_err = SSL_get_error(handshaker.get(), handshake_ret);
4483 ASSERT_EQ(handshake_err, SSL_ERROR_HANDBACK);
4484
4485 // Double-check that additional calls to |SSL_do_handshake| continue
Adam Langley472d91c2020-02-18 12:12:35 -0800[diff] [blame]4486 // to get |SSL_ERROR_HANDBACK|.
Matthew Braithwaite4f3e8212020-01-08 16:56:48 -0800[diff] [blame]4487 handshake_ret = SSL_do_handshake(handshaker.get());
4488 handshake_err = SSL_get_error(handshaker.get(), handshake_ret);
4489 ASSERT_EQ(handshake_err, SSL_ERROR_HANDBACK);
4490
4491 ScopedCBB cbb_handback;
4492 Array<uint8_t> handback;
4493 ASSERT_TRUE(CBB_init(cbb_handback.get(), 1024));
4494 ASSERT_TRUE(SSL_serialize_handback(handshaker.get(), cbb_handback.get()));
4495 ASSERT_TRUE(CBBFinishArray(cbb_handback.get(), &handback));
4496
4497 bssl::UniquePtr<SSL> server2(SSL_new(server_ctx.get()));
4498 ASSERT_TRUE(SSL_apply_handback(server2.get(), handback));
4499
4500 MoveBIOs(server2.get(), handshaker.get());
4501 ASSERT_TRUE(CompleteHandshakes(client.get(), server2.get()));
4502 EXPECT_EQ(is_resume, SSL_session_reused(client.get()));
4503
4504 if (config.early_data && is_resume) {
4505 // In this case, one byte of early data has already been written above.
4506 EXPECT_TRUE(SSL_early_data_accepted(client.get()));
4507 } else {
4508 byte_written = 42;
4509 EXPECT_EQ(SSL_write(client.get(), &byte_written, 1), 1);
4510 }
4511 uint8_t byte;
4512 EXPECT_EQ(SSL_read(server2.get(), &byte, 1), 1);
4513 EXPECT_EQ(byte_written, byte);
4514
4515 byte = 44;
4516 EXPECT_EQ(SSL_write(server2.get(), &byte, 1), 1);
4517 EXPECT_EQ(SSL_read(client.get(), &byte, 1), 1);
4518 EXPECT_EQ(44, byte);
Matthew Braithwaite134fb892019-11-26 17:56:11 -0800[diff] [blame]4519 }
Matthew Braithwaite134fb892019-11-26 17:56:11 -0800[diff] [blame]4520 }
Adam Langleyddb57cf2018-01-26 09:17:53 -0800[diff] [blame]4521}
4522
4523TEST(SSLTest, HandoffDeclined) {
4524 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
4525 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
4526 ASSERT_TRUE(client_ctx);
4527 ASSERT_TRUE(server_ctx);
4528
4529 SSL_CTX_set_handoff_mode(server_ctx.get(), 1);
4530 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_2_VERSION));
4531
4532 bssl::UniquePtr<X509> cert = GetTestCertificate();
4533 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
4534 ASSERT_TRUE(cert);
4535 ASSERT_TRUE(key);
4536 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
4537 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
4538
4539 bssl::UniquePtr<SSL> client, server;
4540 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
4541 server_ctx.get(), ClientConfig(),
4542 false /* don't handshake */));
4543
4544 int client_ret = SSL_do_handshake(client.get());
4545 int client_err = SSL_get_error(client.get(), client_ret);
4546 ASSERT_EQ(client_err, SSL_ERROR_WANT_READ);
4547
4548 int server_ret = SSL_do_handshake(server.get());
4549 int server_err = SSL_get_error(server.get(), server_ret);
4550 ASSERT_EQ(server_err, SSL_ERROR_HANDOFF);
4551
4552 ScopedCBB cbb;
Adam Langleyc9827e02019-04-12 14:46:50 -0700[diff] [blame]4553 SSL_CLIENT_HELLO hello;
Adam Langleyddb57cf2018-01-26 09:17:53 -0800[diff] [blame]4554 ASSERT_TRUE(CBB_init(cbb.get(), 256));
Adam Langleyc9827e02019-04-12 14:46:50 -0700[diff] [blame]4555 ASSERT_TRUE(SSL_serialize_handoff(server.get(), cbb.get(), &hello));
Adam Langleyddb57cf2018-01-26 09:17:53 -0800[diff] [blame]4556
4557 ASSERT_TRUE(SSL_decline_handoff(server.get()));
4558
4559 ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
4560
4561 uint8_t byte = 42;
4562 EXPECT_EQ(SSL_write(client.get(), &byte, 1), 1);
4563 EXPECT_EQ(SSL_read(server.get(), &byte, 1), 1);
4564 EXPECT_EQ(42, byte);
4565
4566 byte = 43;
4567 EXPECT_EQ(SSL_write(server.get(), &byte, 1), 1);
4568 EXPECT_EQ(SSL_read(client.get(), &byte, 1), 1);
4569 EXPECT_EQ(43, byte);
4570}
4571
Adam Langley826ce152018-08-03 10:31:21 -0700[diff] [blame]4572static std::string SigAlgsToString(Span<const uint16_t> sigalgs) {
4573 std::string ret = "{";
4574
4575 for (uint16_t v : sigalgs) {
4576 if (ret.size() > 1) {
4577 ret += ", ";
4578 }
4579
4580 char buf[8];
4581 snprintf(buf, sizeof(buf) - 1, "0x%02x", v);
4582 buf[sizeof(buf)-1] = 0;
4583 ret += std::string(buf);
4584 }
4585
4586 ret += "}";
4587 return ret;
4588}
4589
4590void ExpectSigAlgsEqual(Span<const uint16_t> expected,
4591 Span<const uint16_t> actual) {
4592 bool matches = false;
4593 if (expected.size() == actual.size()) {
4594 matches = true;
4595
4596 for (size_t i = 0; i < expected.size(); i++) {
4597 if (expected[i] != actual[i]) {
4598 matches = false;
4599 break;
4600 }
4601 }
4602 }
4603
4604 if (!matches) {
4605 ADD_FAILURE() << "expected: " << SigAlgsToString(expected)
4606 << " got: " << SigAlgsToString(actual);
4607 }
4608}
4609
4610TEST(SSLTest, SigAlgs) {
4611 static const struct {
4612 std::vector<int> input;
4613 bool ok;
4614 std::vector<uint16_t> expected;
4615 } kTests[] = {
4616 {{}, true, {}},
4617 {{1}, false, {}},
4618 {{1, 2, 3}, false, {}},
4619 {{NID_sha256, EVP_PKEY_ED25519}, false, {}},
4620 {{NID_sha256, EVP_PKEY_RSA, NID_sha256, EVP_PKEY_RSA}, false, {}},
4621
4622 {{NID_sha256, EVP_PKEY_RSA}, true, {SSL_SIGN_RSA_PKCS1_SHA256}},
4623 {{NID_sha512, EVP_PKEY_RSA}, true, {SSL_SIGN_RSA_PKCS1_SHA512}},
4624 {{NID_sha256, EVP_PKEY_RSA_PSS}, true, {SSL_SIGN_RSA_PSS_RSAE_SHA256}},
4625 {{NID_undef, EVP_PKEY_ED25519}, true, {SSL_SIGN_ED25519}},
4626 {{NID_undef, EVP_PKEY_ED25519, NID_sha384, EVP_PKEY_EC},
4627 true,
4628 {SSL_SIGN_ED25519, SSL_SIGN_ECDSA_SECP384R1_SHA384}},
4629 };
4630
4631 UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
4632
4633 unsigned n = 1;
4634 for (const auto &test : kTests) {
4635 SCOPED_TRACE(n++);
4636
4637 const bool ok =
4638 SSL_CTX_set1_sigalgs(ctx.get(), test.input.data(), test.input.size());
4639 EXPECT_EQ(ok, test.ok);
4640
4641 if (!ok) {
4642 ERR_clear_error();
4643 }
4644
4645 if (!test.ok) {
4646 continue;
4647 }
4648
4649 ExpectSigAlgsEqual(test.expected, ctx->cert->sigalgs);
4650 }
4651}
4652
4653TEST(SSLTest, SigAlgsList) {
4654 static const struct {
4655 const char *input;
4656 bool ok;
4657 std::vector<uint16_t> expected;
4658 } kTests[] = {
4659 {"", false, {}},
4660 {":", false, {}},
4661 {"+", false, {}},
4662 {"RSA", false, {}},
4663 {"RSA+", false, {}},
4664 {"RSA+SHA256:", false, {}},
4665 {":RSA+SHA256:", false, {}},
4666 {":RSA+SHA256+:", false, {}},
4667 {"!", false, {}},
4668 {"\x01", false, {}},
4669 {"RSA+SHA256:RSA+SHA384:RSA+SHA256", false, {}},
4670 {"RSA-PSS+SHA256:rsa_pss_rsae_sha256", false, {}},
4671
4672 {"RSA+SHA256", true, {SSL_SIGN_RSA_PKCS1_SHA256}},
4673 {"RSA+SHA256:ed25519",
4674 true,
4675 {SSL_SIGN_RSA_PKCS1_SHA256, SSL_SIGN_ED25519}},
4676 {"ECDSA+SHA256:RSA+SHA512",
4677 true,
4678 {SSL_SIGN_ECDSA_SECP256R1_SHA256, SSL_SIGN_RSA_PKCS1_SHA512}},
4679 {"ecdsa_secp256r1_sha256:rsa_pss_rsae_sha256",
4680 true,
4681 {SSL_SIGN_ECDSA_SECP256R1_SHA256, SSL_SIGN_RSA_PSS_RSAE_SHA256}},
4682 {"RSA-PSS+SHA256", true, {SSL_SIGN_RSA_PSS_RSAE_SHA256}},
4683 {"PSS+SHA256", true, {SSL_SIGN_RSA_PSS_RSAE_SHA256}},
4684 };
4685
4686 UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
4687
4688 unsigned n = 1;
4689 for (const auto &test : kTests) {
4690 SCOPED_TRACE(n++);
4691
4692 const bool ok = SSL_CTX_set1_sigalgs_list(ctx.get(), test.input);
4693 EXPECT_EQ(ok, test.ok);
4694
4695 if (!ok) {
4696 if (test.ok) {
4697 ERR_print_errors_fp(stderr);
4698 }
4699 ERR_clear_error();
4700 }
4701
4702 if (!test.ok) {
4703 continue;
4704 }
4705
4706 ExpectSigAlgsEqual(test.expected, ctx->cert->sigalgs);
4707 }
4708}
4709
Matthew Braithwaited2ed3822018-07-10 16:27:22 -0700[diff] [blame]4710TEST(SSLTest, ApplyHandoffRemovesUnsupportedCiphers) {
4711 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
4712 bssl::UniquePtr<SSL> server(SSL_new(server_ctx.get()));
4713
4714 // handoff is a handoff message that has been artificially modified to pretend
4715 // that only cipher 0x0A is supported. When it is applied to |server|, all
4716 // ciphers but that one should be removed.
Matthew Braithwaitec65eb2c2018-11-02 17:29:35 -0700[diff] [blame]4717 //
4718 // To make a new one of these, try sticking this in the |Handoff| test above:
4719 //
4720 // hexdump(stderr, "", handoff.data(), handoff.size());
4721 // sed -e 's/\(..\)/0x\1, /g'
4722 //
4723 // and modify serialize_features() to emit only cipher 0x0A.
4724
Matthew Braithwaited2ed3822018-07-10 16:27:22 -0700[diff] [blame]4725 uint8_t handoff[] = {
Matthew Braithwaitec65eb2c2018-11-02 17:29:35 -0700[diff] [blame]4726 0x30, 0x81, 0x9a, 0x02, 0x01, 0x00, 0x04, 0x00, 0x04, 0x81, 0x82, 0x01,
4727 0x00, 0x00, 0x7e, 0x03, 0x03, 0x30, 0x8e, 0x8f, 0x79, 0xd2, 0x87, 0x39,
4728 0xc2, 0x23, 0x23, 0x13, 0xca, 0x3c, 0x80, 0x44, 0xfd, 0x80, 0x83, 0x62,
4729 0x3c, 0xcc, 0xf8, 0x76, 0xd3, 0x62, 0xbb, 0x54, 0xe3, 0xc4, 0x39, 0x24,
4730 0xa5, 0x00, 0x00, 0x1e, 0xc0, 0x2b, 0xc0, 0x2f, 0xc0, 0x2c, 0xc0, 0x30,
Matthew Braithwaited2ed3822018-07-10 16:27:22 -0700[diff] [blame]4731 0xcc, 0xa9, 0xcc, 0xa8, 0xc0, 0x09, 0xc0, 0x13, 0xc0, 0x0a, 0xc0, 0x14,
4732 0x00, 0x9c, 0x00, 0x9d, 0x00, 0x2f, 0x00, 0x35, 0x00, 0x0a, 0x01, 0x00,
Matthew Braithwaitec65eb2c2018-11-02 17:29:35 -0700[diff] [blame]4733 0x00, 0x37, 0x00, 0x17, 0x00, 0x00, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00,
4734 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00,
4735 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00,
4736 0x14, 0x00, 0x12, 0x04, 0x03, 0x08, 0x04, 0x04, 0x01, 0x05, 0x03, 0x08,
4737 0x05, 0x05, 0x01, 0x08, 0x06, 0x06, 0x01, 0x02, 0x01, 0x04, 0x02, 0x00,
4738 0x0a, 0x04, 0x0a, 0x00, 0x15, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x00,
4739 0x1d,
Matthew Braithwaited2ed3822018-07-10 16:27:22 -0700[diff] [blame]4740 };
4741
4742 EXPECT_EQ(20u, sk_SSL_CIPHER_num(SSL_get_ciphers(server.get())));
4743 ASSERT_TRUE(
4744 SSL_apply_handoff(server.get(), {handoff, OPENSSL_ARRAY_SIZE(handoff)}));
4745 EXPECT_EQ(1u, sk_SSL_CIPHER_num(SSL_get_ciphers(server.get())));
4746}
4747
Matthew Braithwaitec65eb2c2018-11-02 17:29:35 -0700[diff] [blame]4748TEST(SSLTest, ApplyHandoffRemovesUnsupportedCurves) {
4749 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
4750 bssl::UniquePtr<SSL> server(SSL_new(server_ctx.get()));
4751
4752 // handoff is a handoff message that has been artificially modified to pretend
4753 // that only one curve is supported. When it is applied to |server|, all
4754 // curves but that one should be removed.
4755 //
4756 // See |ApplyHandoffRemovesUnsupportedCiphers| for how to make a new one of
4757 // these.
4758 uint8_t handoff[] = {
4759 0x30, 0x81, 0xc0, 0x02, 0x01, 0x00, 0x04, 0x00, 0x04, 0x81, 0x82, 0x01,
4760 0x00, 0x00, 0x7e, 0x03, 0x03, 0x98, 0x30, 0xce, 0xd9, 0xb0, 0xdf, 0x5f,
4761 0x82, 0x05, 0x4a, 0x43, 0x67, 0x7e, 0xdb, 0x6a, 0x4f, 0x21, 0x18, 0x4e,
4762 0x0d, 0x94, 0x63, 0x18, 0x8b, 0x54, 0x89, 0xdb, 0x8b, 0x1d, 0x84, 0xbc,
4763 0x09, 0x00, 0x00, 0x1e, 0xc0, 0x2b, 0xc0, 0x2f, 0xc0, 0x2c, 0xc0, 0x30,
4764 0xcc, 0xa9, 0xcc, 0xa8, 0xc0, 0x09, 0xc0, 0x13, 0xc0, 0x0a, 0xc0, 0x14,
4765 0x00, 0x9c, 0x00, 0x9d, 0x00, 0x2f, 0x00, 0x35, 0x00, 0x0a, 0x01, 0x00,
4766 0x00, 0x37, 0x00, 0x17, 0x00, 0x00, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00,
4767 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00,
4768 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00,
4769 0x14, 0x00, 0x12, 0x04, 0x03, 0x08, 0x04, 0x04, 0x01, 0x05, 0x03, 0x08,
4770 0x05, 0x05, 0x01, 0x08, 0x06, 0x06, 0x01, 0x02, 0x01, 0x04, 0x30, 0x00,
4771 0x02, 0x00, 0x0a, 0x00, 0x2f, 0x00, 0x35, 0x00, 0x8c, 0x00, 0x8d, 0x00,
4772 0x9c, 0x00, 0x9d, 0x13, 0x01, 0x13, 0x02, 0x13, 0x03, 0xc0, 0x09, 0xc0,
4773 0x0a, 0xc0, 0x13, 0xc0, 0x14, 0xc0, 0x2b, 0xc0, 0x2c, 0xc0, 0x2f, 0xc0,
4774 0x30, 0xc0, 0x35, 0xc0, 0x36, 0xcc, 0xa8, 0xcc, 0xa9, 0xcc, 0xac, 0x04,
4775 0x02, 0x00, 0x17,
4776 };
4777
4778 // The zero length means that the default list of groups is used.
4779 EXPECT_EQ(0u, server->config->supported_group_list.size());
4780 ASSERT_TRUE(
4781 SSL_apply_handoff(server.get(), {handoff, OPENSSL_ARRAY_SIZE(handoff)}));
4782 EXPECT_EQ(1u, server->config->supported_group_list.size());
4783}
4784
Adam Langleyba9ad662018-12-17 13:59:38 -0800[diff] [blame]4785TEST(SSLTest, ZeroSizedWiteFlushesHandshakeMessages) {
4786 // If there are pending handshake mesages, an |SSL_write| of zero bytes should
4787 // flush them.
4788 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
4789 EXPECT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
4790 EXPECT_TRUE(SSL_CTX_set_min_proto_version(server_ctx.get(), TLS1_3_VERSION));
4791 bssl::UniquePtr<X509> cert = GetTestCertificate();
4792 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
4793 ASSERT_TRUE(cert);
4794 ASSERT_TRUE(key);
4795 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
4796 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
4797
4798 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
4799 EXPECT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION));
4800 EXPECT_TRUE(SSL_CTX_set_min_proto_version(client_ctx.get(), TLS1_3_VERSION));
4801
4802 bssl::UniquePtr<SSL> client, server;
4803 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
4804 server_ctx.get()));
4805
4806 BIO *client_wbio = SSL_get_wbio(client.get());
4807 EXPECT_EQ(0u, BIO_wpending(client_wbio));
4808 EXPECT_TRUE(SSL_key_update(client.get(), SSL_KEY_UPDATE_NOT_REQUESTED));
4809 EXPECT_EQ(0u, BIO_wpending(client_wbio));
4810 EXPECT_EQ(0, SSL_write(client.get(), nullptr, 0));
4811 EXPECT_NE(0u, BIO_wpending(client_wbio));
4812}
4813
David Benjamin5869eb32018-07-17 00:59:45 -0400[diff] [blame]4814TEST_P(SSLVersionTest, VerifyBeforeCertRequest) {
4815 // Configure the server to request client certificates.
4816 SSL_CTX_set_custom_verify(
4817 server_ctx_.get(), SSL_VERIFY_PEER,
4818 [](SSL *ssl, uint8_t *out_alert) { return ssl_verify_ok; });
4819
4820 // Configure the client to reject the server certificate.
4821 SSL_CTX_set_custom_verify(
4822 client_ctx_.get(), SSL_VERIFY_PEER,
4823 [](SSL *ssl, uint8_t *out_alert) { return ssl_verify_invalid; });
4824
4825 // cert_cb should not be called. Verification should fail first.
4826 SSL_CTX_set_cert_cb(client_ctx_.get(),
4827 [](SSL *ssl, void *arg) {
4828 ADD_FAILURE() << "cert_cb unexpectedly called";
4829 return 0;
4830 },
4831 nullptr);
4832
4833 bssl::UniquePtr<SSL> client, server;
4834 EXPECT_FALSE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
4835 server_ctx_.get()));
4836}
4837
David Benjamin492c9aa2018-08-31 16:35:22 -0500[diff] [blame]4838// Test that ticket-based sessions on the client get fake session IDs.
4839TEST_P(SSLVersionTest, FakeIDsForTickets) {
4840 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
4841 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
4842
4843 bssl::UniquePtr<SSL_SESSION> session =
4844 CreateClientSession(client_ctx_.get(), server_ctx_.get());
4845 ASSERT_TRUE(session);
4846
4847 EXPECT_TRUE(SSL_SESSION_has_ticket(session.get()));
4848 unsigned session_id_length;
4849 SSL_SESSION_get_id(session.get(), &session_id_length);
4850 EXPECT_NE(session_id_length, 0u);
4851}
4852
David Benjamin6c04bd12018-07-19 18:13:09 -0400[diff] [blame]4853// These tests test multi-threaded behavior. They are intended to run with
4854// ThreadSanitizer.
David Benjamin5b33eff2018-09-22 16:52:48 -0700[diff] [blame]4855#if defined(OPENSSL_THREADS)
David Benjamin6c04bd12018-07-19 18:13:09 -0400[diff] [blame]4856TEST_P(SSLVersionTest, SessionCacheThreads) {
4857 SSL_CTX_set_options(server_ctx_.get(), SSL_OP_NO_TICKET);
4858 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
4859 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
4860
4861 if (version() == TLS1_3_VERSION) {
4862 // Our TLS 1.3 implementation does not support stateful resumption.
4863 ASSERT_FALSE(CreateClientSession(client_ctx_.get(), server_ctx_.get()));
4864 return;
4865 }
4866
4867 // Establish two client sessions to test with.
4868 bssl::UniquePtr<SSL_SESSION> session1 =
4869 CreateClientSession(client_ctx_.get(), server_ctx_.get());
4870 ASSERT_TRUE(session1);
4871 bssl::UniquePtr<SSL_SESSION> session2 =
4872 CreateClientSession(client_ctx_.get(), server_ctx_.get());
4873 ASSERT_TRUE(session2);
4874
4875 auto connect_with_session = [&](SSL_SESSION *session) {
4876 ClientConfig config;
4877 config.session = session;
4878 UniquePtr<SSL> client, server;
4879 EXPECT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
4880 server_ctx_.get(), config));
4881 };
4882
4883 // Resume sessions in parallel with establishing new ones.
4884 {
4885 std::vector<std::thread> threads;
4886 threads.emplace_back([&] { connect_with_session(nullptr); });
4887 threads.emplace_back([&] { connect_with_session(nullptr); });
4888 threads.emplace_back([&] { connect_with_session(session1.get()); });
4889 threads.emplace_back([&] { connect_with_session(session1.get()); });
4890 threads.emplace_back([&] { connect_with_session(session2.get()); });
4891 threads.emplace_back([&] { connect_with_session(session2.get()); });
4892 for (auto &thread : threads) {
4893 thread.join();
4894 }
4895 }
4896
4897 // Hit the maximum session cache size across multiple threads
4898 size_t limit = SSL_CTX_sess_number(server_ctx_.get()) + 2;
4899 SSL_CTX_sess_set_cache_size(server_ctx_.get(), limit);
4900 {
4901 std::vector<std::thread> threads;
4902 for (int i = 0; i < 4; i++) {
4903 threads.emplace_back([&]() {
4904 connect_with_session(nullptr);
4905 EXPECT_LE(SSL_CTX_sess_number(server_ctx_.get()), limit);
4906 });
4907 }
4908 for (auto &thread : threads) {
4909 thread.join();
4910 }
4911 EXPECT_EQ(SSL_CTX_sess_number(server_ctx_.get()), limit);
4912 }
4913}
4914
4915TEST_P(SSLVersionTest, SessionTicketThreads) {
4916 for (bool renew_ticket : {false, true}) {
4917 SCOPED_TRACE(renew_ticket);
4918 ResetContexts();
4919 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
4920 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
4921 if (renew_ticket) {
4922 SSL_CTX_set_tlsext_ticket_key_cb(server_ctx_.get(), RenewTicketCallback);
4923 }
4924
4925 // Establish two client sessions to test with.
4926 bssl::UniquePtr<SSL_SESSION> session1 =
4927 CreateClientSession(client_ctx_.get(), server_ctx_.get());
4928 ASSERT_TRUE(session1);
4929 bssl::UniquePtr<SSL_SESSION> session2 =
4930 CreateClientSession(client_ctx_.get(), server_ctx_.get());
4931 ASSERT_TRUE(session2);
4932
4933 auto connect_with_session = [&](SSL_SESSION *session) {
4934 ClientConfig config;
4935 config.session = session;
4936 UniquePtr<SSL> client, server;
4937 EXPECT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
4938 server_ctx_.get(), config));
4939 };
4940
4941 // Resume sessions in parallel with establishing new ones.
4942 {
4943 std::vector<std::thread> threads;
4944 threads.emplace_back([&] { connect_with_session(nullptr); });
4945 threads.emplace_back([&] { connect_with_session(nullptr); });
4946 threads.emplace_back([&] { connect_with_session(session1.get()); });
4947 threads.emplace_back([&] { connect_with_session(session1.get()); });
4948 threads.emplace_back([&] { connect_with_session(session2.get()); });
4949 threads.emplace_back([&] { connect_with_session(session2.get()); });
4950 for (auto &thread : threads) {
4951 thread.join();
4952 }
4953 }
4954 }
4955}
4956
4957// SSL_CTX_get0_certificate needs to lock internally. Test this works.
4958TEST(SSLTest, GetCertificateThreads) {
4959 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
4960 ASSERT_TRUE(ctx);
4961 bssl::UniquePtr<X509> cert = GetTestCertificate();
4962 ASSERT_TRUE(cert);
4963 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), cert.get()));
4964
4965 // Existing code expects |SSL_CTX_get0_certificate| to be callable from two
4966 // threads concurrently. It originally was an immutable operation. Now we
4967 // implement it with a thread-safe cache, so it is worth testing.
4968 X509 *cert2_thread;
4969 std::thread thread(
4970 [&] { cert2_thread = SSL_CTX_get0_certificate(ctx.get()); });
4971 X509 *cert2 = SSL_CTX_get0_certificate(ctx.get());
4972 thread.join();
4973
4974 EXPECT_EQ(cert2, cert2_thread);
4975 EXPECT_EQ(0, X509_cmp(cert.get(), cert2));
4976}
David Benjamin4cce9552018-12-13 12:20:54 -0600[diff] [blame]4977
4978// Functions which access properties on the negotiated session are thread-safe
4979// where needed. Prior to TLS 1.3, clients resuming sessions and servers
4980// performing stateful resumption will share an underlying SSL_SESSION object,
4981// potentially across threads.
4982TEST_P(SSLVersionTest, SessionPropertiesThreads) {
4983 if (version() == TLS1_3_VERSION) {
4984 // Our TLS 1.3 implementation does not support stateful resumption.
4985 ASSERT_FALSE(CreateClientSession(client_ctx_.get(), server_ctx_.get()));
4986 return;
4987 }
4988
4989 SSL_CTX_set_options(server_ctx_.get(), SSL_OP_NO_TICKET);
4990 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
4991 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
4992
4993 ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
4994 ASSERT_TRUE(UseCertAndKey(server_ctx_.get()));
4995
4996 // Configure mutual authentication, so we have more session state.
4997 SSL_CTX_set_custom_verify(
4998 client_ctx_.get(), SSL_VERIFY_PEER,
4999 [](SSL *ssl, uint8_t *out_alert) { return ssl_verify_ok; });
5000 SSL_CTX_set_custom_verify(
5001 server_ctx_.get(), SSL_VERIFY_PEER,
5002 [](SSL *ssl, uint8_t *out_alert) { return ssl_verify_ok; });
5003
5004 // Establish a client session to test with.
5005 bssl::UniquePtr<SSL_SESSION> session =
5006 CreateClientSession(client_ctx_.get(), server_ctx_.get());
5007 ASSERT_TRUE(session);
5008
5009 // Resume with it twice.
5010 UniquePtr<SSL> ssls[4];
5011 ClientConfig config;
5012 config.session = session.get();
5013 ASSERT_TRUE(ConnectClientAndServer(&ssls[0], &ssls[1], client_ctx_.get(),
5014 server_ctx_.get(), config));
5015 ASSERT_TRUE(ConnectClientAndServer(&ssls[2], &ssls[3], client_ctx_.get(),
5016 server_ctx_.get(), config));
5017
5018 // Read properties in parallel.
5019 auto read_properties = [](const SSL *ssl) {
5020 EXPECT_TRUE(SSL_get_peer_cert_chain(ssl));
5021 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(ssl));
5022 EXPECT_TRUE(peer);
5023 EXPECT_TRUE(SSL_get_current_cipher(ssl));
5024 EXPECT_TRUE(SSL_get_curve_id(ssl));
5025 };
5026
5027 std::vector<std::thread> threads;
5028 for (const auto &ssl_ptr : ssls) {
5029 const SSL *ssl = ssl_ptr.get();
5030 threads.emplace_back([=] { read_properties(ssl); });
5031 }
5032 for (auto &thread : threads) {
5033 thread.join();
5034 }
5035}
David Benjamina486c6c2019-03-28 18:32:38 -0500[diff] [blame]5036#endif // OPENSSL_THREADS
David Benjamin6c04bd12018-07-19 18:13:09 -0400[diff] [blame]5037
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5038constexpr size_t kNumQUICLevels = 4;
5039static_assert(ssl_encryption_initial < kNumQUICLevels,
5040 "kNumQUICLevels is wrong");
5041static_assert(ssl_encryption_early_data < kNumQUICLevels,
5042 "kNumQUICLevels is wrong");
5043static_assert(ssl_encryption_handshake < kNumQUICLevels,
5044 "kNumQUICLevels is wrong");
5045static_assert(ssl_encryption_application < kNumQUICLevels,
5046 "kNumQUICLevels is wrong");
5047
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]5048const char *LevelToString(ssl_encryption_level_t level) {
5049 switch (level) {
5050 case ssl_encryption_initial:
5051 return "initial";
5052 case ssl_encryption_early_data:
5053 return "early data";
5054 case ssl_encryption_handshake:
5055 return "handshake";
5056 case ssl_encryption_application:
5057 return "application";
5058 }
5059 return "<unknown>";
5060}
5061
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5062class MockQUICTransport {
5063 public:
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5064 enum class Role { kClient, kServer };
5065
5066 explicit MockQUICTransport(Role role) : role_(role) {
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5067 // The caller is expected to configure initial secrets.
5068 levels_[ssl_encryption_initial].write_secret = {1};
5069 levels_[ssl_encryption_initial].read_secret = {1};
5070 }
5071
5072 void set_peer(MockQUICTransport *peer) { peer_ = peer; }
5073
5074 bool has_alert() const { return has_alert_; }
5075 ssl_encryption_level_t alert_level() const { return alert_level_; }
5076 uint8_t alert() const { return alert_; }
5077
5078 bool PeerSecretsMatch(ssl_encryption_level_t level) const {
5079 return levels_[level].write_secret == peer_->levels_[level].read_secret &&
Steven Valdez384d0ea2018-11-06 10:45:36 -0500[diff] [blame]5080 levels_[level].read_secret == peer_->levels_[level].write_secret &&
5081 levels_[level].cipher == peer_->levels_[level].cipher;
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5082 }
5083
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]5084 bool HasReadSecret(ssl_encryption_level_t level) const {
5085 return !levels_[level].read_secret.empty();
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5086 }
5087
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]5088 bool HasWriteSecret(ssl_encryption_level_t level) const {
5089 return !levels_[level].write_secret.empty();
5090 }
5091
David Benjamin5298ef92020-03-13 12:17:30 -0400[diff] [blame]5092 void AllowOutOfOrderWrites() { allow_out_of_order_writes_ = true; }
5093
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]5094 bool SetReadSecret(ssl_encryption_level_t level, const SSL_CIPHER *cipher,
5095 Span<const uint8_t> secret) {
5096 if (HasReadSecret(level)) {
5097 ADD_FAILURE() << LevelToString(level) << " read secret configured twice";
5098 return false;
5099 }
5100
5101 if (role_ == Role::kClient && level == ssl_encryption_early_data) {
5102 ADD_FAILURE() << "Unexpected early data read secret";
5103 return false;
5104 }
5105
5106 ssl_encryption_level_t ack_level =
5107 level == ssl_encryption_early_data ? ssl_encryption_application : level;
5108 if (!HasWriteSecret(ack_level)) {
5109 ADD_FAILURE() << LevelToString(level)
5110 << " read secret configured before ACK write secret";
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5111 return false;
5112 }
Steven Valdez384d0ea2018-11-06 10:45:36 -0500[diff] [blame]5113
5114 if (cipher == nullptr) {
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]5115 ADD_FAILURE() << "Unexpected null cipher";
Steven Valdez384d0ea2018-11-06 10:45:36 -0500[diff] [blame]5116 return false;
5117 }
5118
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]5119 if (level != ssl_encryption_early_data &&
5120 SSL_CIPHER_get_id(cipher) != levels_[level].cipher) {
5121 ADD_FAILURE() << "Cipher suite inconsistent";
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5122 return false;
5123 }
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5124
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]5125 levels_[level].read_secret.assign(secret.begin(), secret.end());
5126 levels_[level].cipher = SSL_CIPHER_get_id(cipher);
5127 return true;
5128 }
5129
5130 bool SetWriteSecret(ssl_encryption_level_t level, const SSL_CIPHER *cipher,
5131 Span<const uint8_t> secret) {
5132 if (HasWriteSecret(level)) {
5133 ADD_FAILURE() << LevelToString(level) << " write secret configured twice";
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5134 return false;
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5135 }
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5136
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]5137 if (role_ == Role::kServer && level == ssl_encryption_early_data) {
5138 ADD_FAILURE() << "Unexpected early data write secret";
5139 return false;
5140 }
5141
5142 if (cipher == nullptr) {
5143 ADD_FAILURE() << "Unexpected null cipher";
5144 return false;
5145 }
5146
5147 levels_[level].write_secret.assign(secret.begin(), secret.end());
Steven Valdez384d0ea2018-11-06 10:45:36 -0500[diff] [blame]5148 levels_[level].cipher = SSL_CIPHER_get_id(cipher);
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5149 return true;
5150 }
5151
5152 bool WriteHandshakeData(ssl_encryption_level_t level,
5153 Span<const uint8_t> data) {
5154 if (levels_[level].write_secret.empty()) {
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]5155 ADD_FAILURE() << LevelToString(level)
5156 << " write secret not yet configured";
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5157 return false;
5158 }
David Benjamin5298ef92020-03-13 12:17:30 -0400[diff] [blame]5159
5160 // Although the levels are conceptually separate, BoringSSL finishes writing
5161 // data from a previous level before installing keys for the next level.
5162 if (!allow_out_of_order_writes_) {
5163 switch (level) {
5164 case ssl_encryption_early_data:
5165 ADD_FAILURE() << "unexpected handshake data at early data level";
5166 return false;
5167 case ssl_encryption_initial:
5168 if (!levels_[ssl_encryption_handshake].write_secret.empty()) {
5169 ADD_FAILURE()
5170 << LevelToString(level)
5171 << " handshake data written after handshake keys installed";
5172 return false;
5173 }
5174 OPENSSL_FALLTHROUGH;
5175 case ssl_encryption_handshake:
5176 if (!levels_[ssl_encryption_application].write_secret.empty()) {
5177 ADD_FAILURE()
5178 << LevelToString(level)
5179 << " handshake data written after application keys installed";
5180 return false;
5181 }
5182 OPENSSL_FALLTHROUGH;
5183 case ssl_encryption_application:
5184 break;
5185 }
5186 }
5187
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5188 levels_[level].write_data.insert(levels_[level].write_data.end(),
5189 data.begin(), data.end());
5190 return true;
5191 }
5192
5193 bool SendAlert(ssl_encryption_level_t level, uint8_t alert_value) {
5194 if (has_alert_) {
5195 ADD_FAILURE() << "duplicate alert sent";
5196 return false;
5197 }
5198
5199 if (levels_[level].write_secret.empty()) {
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]5200 ADD_FAILURE() << LevelToString(level)
5201 << " write secret not yet configured";
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5202 return false;
5203 }
5204
5205 has_alert_ = true;
5206 alert_level_ = level;
5207 alert_ = alert_value;
5208 return true;
5209 }
5210
5211 bool ReadHandshakeData(std::vector<uint8_t> *out,
5212 ssl_encryption_level_t level,
5213 size_t num = std::numeric_limits<size_t>::max()) {
5214 if (levels_[level].read_secret.empty()) {
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5215 ADD_FAILURE() << "data read before keys configured in level " << level;
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5216 return false;
5217 }
5218 // The peer may not have configured any keys yet.
5219 if (peer_->levels_[level].write_secret.empty()) {
David Benjamind0b97942019-08-21 12:54:20 -0400[diff] [blame]5220 out->clear();
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5221 return true;
5222 }
5223 // Check the peer computed the same key.
5224 if (peer_->levels_[level].write_secret != levels_[level].read_secret) {
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5225 ADD_FAILURE() << "peer write key does not match read key in level "
5226 << level;
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5227 return false;
5228 }
Steven Valdez384d0ea2018-11-06 10:45:36 -0500[diff] [blame]5229 if (peer_->levels_[level].cipher != levels_[level].cipher) {
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5230 ADD_FAILURE() << "peer cipher does not match in level " << level;
Steven Valdez384d0ea2018-11-06 10:45:36 -0500[diff] [blame]5231 return false;
5232 }
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5233 std::vector<uint8_t> *peer_data = &peer_->levels_[level].write_data;
5234 num = std::min(num, peer_data->size());
5235 out->assign(peer_data->begin(), peer_data->begin() + num);
5236 peer_data->erase(peer_data->begin(), peer_data->begin() + num);
5237 return true;
5238 }
5239
5240 private:
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5241 Role role_;
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5242 MockQUICTransport *peer_ = nullptr;
5243
David Benjamin5298ef92020-03-13 12:17:30 -0400[diff] [blame]5244 bool allow_out_of_order_writes_ = false;
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5245 bool has_alert_ = false;
5246 ssl_encryption_level_t alert_level_ = ssl_encryption_initial;
5247 uint8_t alert_ = 0;
5248
5249 struct Level {
5250 std::vector<uint8_t> write_data;
5251 std::vector<uint8_t> write_secret;
5252 std::vector<uint8_t> read_secret;
Steven Valdez384d0ea2018-11-06 10:45:36 -0500[diff] [blame]5253 uint32_t cipher = 0;
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5254 };
5255 Level levels_[kNumQUICLevels];
5256};
5257
5258class MockQUICTransportPair {
5259 public:
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5260 MockQUICTransportPair()
5261 : client_(MockQUICTransport::Role::kClient),
5262 server_(MockQUICTransport::Role::kServer) {
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5263 client_.set_peer(&server_);
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5264 server_.set_peer(&client_);
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5265 }
5266
5267 ~MockQUICTransportPair() {
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5268 client_.set_peer(nullptr);
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5269 server_.set_peer(nullptr);
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5270 }
5271
5272 MockQUICTransport *client() { return &client_; }
5273 MockQUICTransport *server() { return &server_; }
5274
5275 bool SecretsMatch(ssl_encryption_level_t level) const {
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]5276 // We only need to check |HasReadSecret| and |HasWriteSecret| on |client_|.
5277 // |PeerSecretsMatch| checks that |server_| is analogously configured.
5278 return client_.PeerSecretsMatch(level) &&
5279 client_.HasWriteSecret(level) &&
5280 (level == ssl_encryption_early_data || client_.HasReadSecret(level));
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5281 }
5282
5283 private:
5284 MockQUICTransport client_;
5285 MockQUICTransport server_;
5286};
5287
5288class QUICMethodTest : public testing::Test {
5289 protected:
5290 void SetUp() override {
5291 client_ctx_.reset(SSL_CTX_new(TLS_method()));
5292 server_ctx_.reset(SSL_CTX_new(TLS_method()));
5293 ASSERT_TRUE(client_ctx_);
5294 ASSERT_TRUE(server_ctx_);
5295
5296 bssl::UniquePtr<X509> cert = GetTestCertificate();
5297 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
5298 ASSERT_TRUE(cert);
5299 ASSERT_TRUE(key);
5300 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx_.get(), cert.get()));
5301 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx_.get(), key.get()));
5302
5303 SSL_CTX_set_min_proto_version(server_ctx_.get(), TLS1_3_VERSION);
5304 SSL_CTX_set_max_proto_version(server_ctx_.get(), TLS1_3_VERSION);
5305 SSL_CTX_set_min_proto_version(client_ctx_.get(), TLS1_3_VERSION);
5306 SSL_CTX_set_max_proto_version(client_ctx_.get(), TLS1_3_VERSION);
Nick Harper74161f42020-07-24 15:35:27 -0700[diff] [blame]5307
5308 static const uint8_t kALPNProtos[] = {0x03, 'f', 'o', 'o'};
5309 ASSERT_EQ(SSL_CTX_set_alpn_protos(client_ctx_.get(), kALPNProtos,
5310 sizeof(kALPNProtos)),
5311 0);
5312 SSL_CTX_set_alpn_select_cb(
5313 server_ctx_.get(),
5314 [](SSL *ssl, const uint8_t **out, uint8_t *out_len, const uint8_t *in,
5315 unsigned in_len, void *arg) -> int {
5316 return SSL_select_next_proto(
5317 const_cast<uint8_t **>(out), out_len, in, in_len,
5318 kALPNProtos, sizeof(kALPNProtos)) == OPENSSL_NPN_NEGOTIATED
5319 ? SSL_TLSEXT_ERR_OK
5320 : SSL_TLSEXT_ERR_NOACK;
5321 },
5322 nullptr);
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5323 }
5324
5325 static MockQUICTransport *TransportFromSSL(const SSL *ssl) {
5326 return ex_data_.Get(ssl);
5327 }
5328
5329 static bool ProvideHandshakeData(
5330 SSL *ssl, size_t num = std::numeric_limits<size_t>::max()) {
5331 MockQUICTransport *transport = TransportFromSSL(ssl);
5332 ssl_encryption_level_t level = SSL_quic_read_level(ssl);
5333 std::vector<uint8_t> data;
5334 return transport->ReadHandshakeData(&data, level, num) &&
5335 SSL_provide_quic_data(ssl, level, data.data(), data.size());
5336 }
5337
David Benjamin5298ef92020-03-13 12:17:30 -0400[diff] [blame]5338 void AllowOutOfOrderWrites() {
5339 allow_out_of_order_writes_ = true;
5340 }
5341
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5342 bool CreateClientAndServer() {
5343 client_.reset(SSL_new(client_ctx_.get()));
5344 server_.reset(SSL_new(server_ctx_.get()));
5345 if (!client_ || !server_) {
5346 return false;
5347 }
5348
5349 SSL_set_connect_state(client_.get());
5350 SSL_set_accept_state(server_.get());
5351
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5352 transport_.reset(new MockQUICTransportPair);
5353 ex_data_.Set(client_.get(), transport_->client());
5354 ex_data_.Set(server_.get(), transport_->server());
David Benjamin5298ef92020-03-13 12:17:30 -0400[diff] [blame]5355 if (allow_out_of_order_writes_) {
5356 transport_->client()->AllowOutOfOrderWrites();
5357 transport_->server()->AllowOutOfOrderWrites();
5358 }
Nick Harper7c522992020-04-30 14:15:49 -0700[diff] [blame]5359 static const uint8_t client_transport_params[] = {0};
5360 if (!SSL_set_quic_transport_params(client_.get(), client_transport_params,
5361 sizeof(client_transport_params)) ||
5362 !SSL_set_quic_transport_params(server_.get(),
5363 server_transport_params_.data(),
5364 server_transport_params_.size()) ||
5365 !SSL_set_quic_early_data_context(
5366 server_.get(), server_quic_early_data_context_.data(),
5367 server_quic_early_data_context_.size())) {
Nick Harper72cff812020-03-26 18:06:16 -0700[diff] [blame]5368 return false;
5369 }
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5370 return true;
5371 }
5372
Nick Harper72cff812020-03-26 18:06:16 -0700[diff] [blame]5373 enum class ExpectedError {
5374 kNoError,
5375 kClientError,
5376 kServerError,
5377 };
5378
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5379 // CompleteHandshakesForQUIC runs |SSL_do_handshake| on |client_| and
5380 // |server_| until each completes once. It returns true on success and false
5381 // on failure.
5382 bool CompleteHandshakesForQUIC() {
Nick Harper72cff812020-03-26 18:06:16 -0700[diff] [blame]5383 return RunQUICHandshakesAndExpectError(ExpectedError::kNoError);
5384 }
5385
5386 // Runs |SSL_do_handshake| on |client_| and |server_| until each completes
5387 // once. If |expect_client_error| is true, it will return true only if the
5388 // client handshake failed. Otherwise, it returns true if both handshakes
5389 // succeed and false otherwise.
5390 bool RunQUICHandshakesAndExpectError(ExpectedError expected_error) {
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5391 bool client_done = false, server_done = false;
5392 while (!client_done || !server_done) {
5393 if (!client_done) {
5394 if (!ProvideHandshakeData(client_.get())) {
5395 ADD_FAILURE() << "ProvideHandshakeData(client_) failed";
5396 return false;
5397 }
5398 int client_ret = SSL_do_handshake(client_.get());
David Benjamin2fb729d2020-02-20 17:37:33 -0500[diff] [blame]5399 int client_err = SSL_get_error(client_.get(), client_ret);
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5400 if (client_ret == 1) {
5401 client_done = true;
David Benjamin2fb729d2020-02-20 17:37:33 -0500[diff] [blame]5402 } else if (client_ret != -1 || client_err != SSL_ERROR_WANT_READ) {
Nick Harper72cff812020-03-26 18:06:16 -0700[diff] [blame]5403 if (expected_error == ExpectedError::kClientError) {
5404 return true;
5405 }
David Benjamin2fb729d2020-02-20 17:37:33 -0500[diff] [blame]5406 ADD_FAILURE() << "Unexpected client output: " << client_ret << " "
5407 << client_err;
5408 return false;
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5409 }
5410 }
5411
5412 if (!server_done) {
5413 if (!ProvideHandshakeData(server_.get())) {
5414 ADD_FAILURE() << "ProvideHandshakeData(server_) failed";
5415 return false;
5416 }
5417 int server_ret = SSL_do_handshake(server_.get());
David Benjamin2fb729d2020-02-20 17:37:33 -0500[diff] [blame]5418 int server_err = SSL_get_error(server_.get(), server_ret);
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5419 if (server_ret == 1) {
5420 server_done = true;
David Benjamin2fb729d2020-02-20 17:37:33 -0500[diff] [blame]5421 } else if (server_ret != -1 || server_err != SSL_ERROR_WANT_READ) {
Nick Harper72cff812020-03-26 18:06:16 -0700[diff] [blame]5422 if (expected_error == ExpectedError::kServerError) {
5423 return true;
5424 }
David Benjamin2fb729d2020-02-20 17:37:33 -0500[diff] [blame]5425 ADD_FAILURE() << "Unexpected server output: " << server_ret << " "
5426 << server_err;
5427 return false;
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5428 }
5429 }
5430 }
Nick Harper72cff812020-03-26 18:06:16 -0700[diff] [blame]5431 return expected_error == ExpectedError::kNoError;
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5432 }
5433
5434 bssl::UniquePtr<SSL_SESSION> CreateClientSessionForQUIC() {
5435 g_last_session = nullptr;
5436 SSL_CTX_sess_set_new_cb(client_ctx_.get(), SaveLastSession);
5437 if (!CreateClientAndServer() ||
5438 !CompleteHandshakesForQUIC()) {
5439 return nullptr;
Steven Valdeze6eef1c2018-11-09 13:32:34 -0500[diff] [blame]5440 }
5441
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5442 // The server sent NewSessionTicket messages in the handshake.
5443 if (!ProvideHandshakeData(client_.get()) ||
5444 !SSL_process_quic_post_handshake(client_.get())) {
5445 return nullptr;
5446 }
Steven Valdeze6eef1c2018-11-09 13:32:34 -0500[diff] [blame]5447
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5448 return std::move(g_last_session);
5449 }
5450
5451 void ExpectHandshakeSuccess() {
5452 EXPECT_TRUE(transport_->SecretsMatch(ssl_encryption_application));
5453 EXPECT_EQ(ssl_encryption_application, SSL_quic_read_level(client_.get()));
5454 EXPECT_EQ(ssl_encryption_application, SSL_quic_write_level(client_.get()));
5455 EXPECT_EQ(ssl_encryption_application, SSL_quic_read_level(server_.get()));
5456 EXPECT_EQ(ssl_encryption_application, SSL_quic_write_level(server_.get()));
5457 EXPECT_FALSE(transport_->client()->has_alert());
5458 EXPECT_FALSE(transport_->server()->has_alert());
5459
5460 // SSL_do_handshake is now idempotent.
5461 EXPECT_EQ(SSL_do_handshake(client_.get()), 1);
5462 EXPECT_EQ(SSL_do_handshake(server_.get()), 1);
Steven Valdeze6eef1c2018-11-09 13:32:34 -0500[diff] [blame]5463 }
5464
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]5465 // Returns a default SSL_QUIC_METHOD. Individual methods may be overwritten by
5466 // the test.
5467 SSL_QUIC_METHOD DefaultQUICMethod() {
5468 return SSL_QUIC_METHOD{
5469 SetReadSecretCallback, SetWriteSecretCallback, AddHandshakeDataCallback,
5470 FlushFlightCallback, SendAlertCallback,
5471 };
5472 }
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5473
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]5474 static int SetReadSecretCallback(SSL *ssl, ssl_encryption_level_t level,
5475 const SSL_CIPHER *cipher,
5476 const uint8_t *secret, size_t secret_len) {
5477 return TransportFromSSL(ssl)->SetReadSecret(
5478 level, cipher, MakeConstSpan(secret, secret_len));
5479 }
5480
5481 static int SetWriteSecretCallback(SSL *ssl, ssl_encryption_level_t level,
5482 const SSL_CIPHER *cipher,
5483 const uint8_t *secret, size_t secret_len) {
5484 return TransportFromSSL(ssl)->SetWriteSecret(
5485 level, cipher, MakeConstSpan(secret, secret_len));
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5486 }
5487
David Benjamincc9d9352018-10-30 19:45:22 -0500[diff] [blame]5488 static int AddHandshakeDataCallback(SSL *ssl,
5489 enum ssl_encryption_level_t level,
5490 const uint8_t *data, size_t len) {
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5491 EXPECT_EQ(level, SSL_quic_write_level(ssl));
5492 return TransportFromSSL(ssl)->WriteHandshakeData(level,
5493 MakeConstSpan(data, len));
5494 }
5495
5496 static int FlushFlightCallback(SSL *ssl) { return 1; }
5497
5498 static int SendAlertCallback(SSL *ssl, ssl_encryption_level_t level,
5499 uint8_t alert) {
5500 EXPECT_EQ(level, SSL_quic_write_level(ssl));
5501 return TransportFromSSL(ssl)->SendAlert(level, alert);
5502 }
5503
5504 bssl::UniquePtr<SSL_CTX> client_ctx_;
5505 bssl::UniquePtr<SSL_CTX> server_ctx_;
5506
5507 static UnownedSSLExData<MockQUICTransport> ex_data_;
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5508 std::unique_ptr<MockQUICTransportPair> transport_;
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5509
5510 bssl::UniquePtr<SSL> client_;
5511 bssl::UniquePtr<SSL> server_;
David Benjamin5298ef92020-03-13 12:17:30 -0400[diff] [blame]5512
Nick Harper7c522992020-04-30 14:15:49 -0700[diff] [blame]5513 std::vector<uint8_t> server_transport_params_ = {1};
5514 std::vector<uint8_t> server_quic_early_data_context_ = {2};
5515
David Benjamin5298ef92020-03-13 12:17:30 -0400[diff] [blame]5516 bool allow_out_of_order_writes_ = false;
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5517};
5518
5519UnownedSSLExData<MockQUICTransport> QUICMethodTest::ex_data_;
5520
David Benjaminfd863b62019-07-25 13:51:32 -0400[diff] [blame]5521// Test a full handshake and resumption work.
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5522TEST_F(QUICMethodTest, Basic) {
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]5523 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5524
Steven Valdeze6eef1c2018-11-09 13:32:34 -0500[diff] [blame]5525 g_last_session = nullptr;
5526
5527 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
5528 SSL_CTX_sess_set_new_cb(client_ctx_.get(), SaveLastSession);
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5529 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
5530 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5531
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5532 ASSERT_TRUE(CreateClientAndServer());
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5533 ASSERT_TRUE(CompleteHandshakesForQUIC());
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5534
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5535 ExpectHandshakeSuccess();
5536 EXPECT_FALSE(SSL_session_reused(client_.get()));
5537 EXPECT_FALSE(SSL_session_reused(server_.get()));
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5538
5539 // The server sent NewSessionTicket messages in the handshake.
Steven Valdeze6eef1c2018-11-09 13:32:34 -0500[diff] [blame]5540 EXPECT_FALSE(g_last_session);
5541 ASSERT_TRUE(ProvideHandshakeData(client_.get()));
5542 EXPECT_EQ(SSL_process_quic_post_handshake(client_.get()), 1);
5543 EXPECT_TRUE(g_last_session);
5544
5545 // Create a second connection to verify resumption works.
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5546 ASSERT_TRUE(CreateClientAndServer());
Steven Valdeze6eef1c2018-11-09 13:32:34 -0500[diff] [blame]5547 bssl::UniquePtr<SSL_SESSION> session = std::move(g_last_session);
5548 SSL_set_session(client_.get(), session.get());
5549
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5550 ASSERT_TRUE(CompleteHandshakesForQUIC());
Steven Valdeze6eef1c2018-11-09 13:32:34 -0500[diff] [blame]5551
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5552 ExpectHandshakeSuccess();
Steven Valdeze6eef1c2018-11-09 13:32:34 -0500[diff] [blame]5553 EXPECT_TRUE(SSL_session_reused(client_.get()));
5554 EXPECT_TRUE(SSL_session_reused(server_.get()));
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5555}
5556
David Benjaminfd863b62019-07-25 13:51:32 -0400[diff] [blame]5557// Test that HelloRetryRequest in QUIC works.
5558TEST_F(QUICMethodTest, HelloRetryRequest) {
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]5559 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
David Benjaminfd863b62019-07-25 13:51:32 -0400[diff] [blame]5560
5561 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
5562 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
5563
5564 // BoringSSL predicts the most preferred curve, so using different preferences
5565 // will trigger HelloRetryRequest.
5566 static const int kClientPrefs[] = {NID_X25519, NID_X9_62_prime256v1};
5567 ASSERT_TRUE(SSL_CTX_set1_curves(client_ctx_.get(), kClientPrefs,
5568 OPENSSL_ARRAY_SIZE(kClientPrefs)));
5569 static const int kServerPrefs[] = {NID_X9_62_prime256v1, NID_X25519};
5570 ASSERT_TRUE(SSL_CTX_set1_curves(server_ctx_.get(), kServerPrefs,
5571 OPENSSL_ARRAY_SIZE(kServerPrefs)));
5572
5573 ASSERT_TRUE(CreateClientAndServer());
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5574 ASSERT_TRUE(CompleteHandshakesForQUIC());
5575 ExpectHandshakeSuccess();
5576}
David Benjaminfd863b62019-07-25 13:51:32 -0400[diff] [blame]5577
Nick Harpere32549e2020-05-06 14:27:11 -0700[diff] [blame]5578// Test that the client does not send a legacy_session_id in the ClientHello.
5579TEST_F(QUICMethodTest, NoLegacySessionId) {
5580 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
5581
5582 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
5583 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
5584 // Check that the session ID length is 0 in an early callback.
5585 SSL_CTX_set_select_certificate_cb(
5586 server_ctx_.get(),
5587 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
5588 EXPECT_EQ(client_hello->session_id_len, 0u);
5589 return ssl_select_cert_success;
5590 });
5591
5592 ASSERT_TRUE(CreateClientAndServer());
5593 ASSERT_TRUE(CompleteHandshakesForQUIC());
5594
5595 ExpectHandshakeSuccess();
5596}
5597
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]5598// Test that, even in a 1-RTT handshake, the server installs keys at the right
5599// time. Half-RTT keys are available early, but 1-RTT read keys are deferred.
5600TEST_F(QUICMethodTest, HalfRTTKeys) {
5601 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
5602
5603 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
5604 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
5605 ASSERT_TRUE(CreateClientAndServer());
5606
5607 // The client sends ClientHello.
5608 ASSERT_EQ(SSL_do_handshake(client_.get()), -1);
5609 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(client_.get(), -1));
5610
5611 // The server reads ClientHello and sends ServerHello..Finished.
5612 ASSERT_TRUE(ProvideHandshakeData(server_.get()));
5613 ASSERT_EQ(SSL_do_handshake(server_.get()), -1);
5614 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(server_.get(), -1));
5615
5616 // At this point, the server has half-RTT write keys, but it cannot access
5617 // 1-RTT read keys until client Finished.
5618 EXPECT_TRUE(transport_->server()->HasWriteSecret(ssl_encryption_application));
5619 EXPECT_FALSE(transport_->server()->HasReadSecret(ssl_encryption_application));
5620
5621 // Finish up the client and server handshakes.
5622 ASSERT_TRUE(CompleteHandshakesForQUIC());
5623
5624 // Both sides can now exchange 1-RTT data.
5625 ExpectHandshakeSuccess();
5626}
5627
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5628TEST_F(QUICMethodTest, ZeroRTTAccept) {
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]5629 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5630
5631 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
5632 SSL_CTX_set_early_data_enabled(client_ctx_.get(), 1);
5633 SSL_CTX_set_early_data_enabled(server_ctx_.get(), 1);
5634 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
5635 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
5636
5637 bssl::UniquePtr<SSL_SESSION> session = CreateClientSessionForQUIC();
5638 ASSERT_TRUE(session);
5639
5640 ASSERT_TRUE(CreateClientAndServer());
5641 SSL_set_session(client_.get(), session.get());
5642
5643 // The client handshake should return immediately into the early data state.
5644 ASSERT_EQ(SSL_do_handshake(client_.get()), 1);
5645 EXPECT_TRUE(SSL_in_early_data(client_.get()));
5646 // The transport should have keys for sending 0-RTT data.
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]5647 EXPECT_TRUE(transport_->client()->HasWriteSecret(ssl_encryption_early_data));
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5648
5649 // The server will consume the ClientHello and also enter the early data
5650 // state.
5651 ASSERT_TRUE(ProvideHandshakeData(server_.get()));
5652 ASSERT_EQ(SSL_do_handshake(server_.get()), 1);
5653 EXPECT_TRUE(SSL_in_early_data(server_.get()));
5654 EXPECT_TRUE(transport_->SecretsMatch(ssl_encryption_early_data));
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]5655 // At this point, the server has half-RTT write keys, but it cannot access
5656 // 1-RTT read keys until client Finished.
5657 EXPECT_TRUE(transport_->server()->HasWriteSecret(ssl_encryption_application));
5658 EXPECT_FALSE(transport_->server()->HasReadSecret(ssl_encryption_application));
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5659
5660 // Finish up the client and server handshakes.
5661 ASSERT_TRUE(CompleteHandshakesForQUIC());
5662
5663 // Both sides can now exchange 1-RTT data.
5664 ExpectHandshakeSuccess();
5665 EXPECT_TRUE(SSL_session_reused(client_.get()));
5666 EXPECT_TRUE(SSL_session_reused(server_.get()));
5667 EXPECT_FALSE(SSL_in_early_data(client_.get()));
5668 EXPECT_FALSE(SSL_in_early_data(server_.get()));
5669 EXPECT_TRUE(SSL_early_data_accepted(client_.get()));
5670 EXPECT_TRUE(SSL_early_data_accepted(server_.get()));
Nick Harper5e086952020-09-30 13:59:14 -0700[diff] [blame]5671
5672 // Finish handling post-handshake messages after the first 0-RTT resumption.
5673 EXPECT_TRUE(ProvideHandshakeData(client_.get()));
5674 EXPECT_TRUE(SSL_process_quic_post_handshake(client_.get()));
5675
5676 // Perform a second 0-RTT resumption attempt, and confirm that 0-RTT is
5677 // accepted again.
5678 ASSERT_TRUE(CreateClientAndServer());
5679 SSL_set_session(client_.get(), g_last_session.get());
5680
5681 // The client handshake should return immediately into the early data state.
5682 ASSERT_EQ(SSL_do_handshake(client_.get()), 1);
5683 EXPECT_TRUE(SSL_in_early_data(client_.get()));
5684 // The transport should have keys for sending 0-RTT data.
5685 EXPECT_TRUE(transport_->client()->HasWriteSecret(ssl_encryption_early_data));
5686
5687 // The server will consume the ClientHello and also enter the early data
5688 // state.
5689 ASSERT_TRUE(ProvideHandshakeData(server_.get()));
5690 ASSERT_EQ(SSL_do_handshake(server_.get()), 1);
5691 EXPECT_TRUE(SSL_in_early_data(server_.get()));
5692 EXPECT_TRUE(transport_->SecretsMatch(ssl_encryption_early_data));
5693 // At this point, the server has half-RTT write keys, but it cannot access
5694 // 1-RTT read keys until client Finished.
5695 EXPECT_TRUE(transport_->server()->HasWriteSecret(ssl_encryption_application));
5696 EXPECT_FALSE(transport_->server()->HasReadSecret(ssl_encryption_application));
5697
5698 // Finish up the client and server handshakes.
5699 ASSERT_TRUE(CompleteHandshakesForQUIC());
5700
5701 // Both sides can now exchange 1-RTT data.
5702 ExpectHandshakeSuccess();
5703 EXPECT_TRUE(SSL_session_reused(client_.get()));
5704 EXPECT_TRUE(SSL_session_reused(server_.get()));
5705 EXPECT_FALSE(SSL_in_early_data(client_.get()));
5706 EXPECT_FALSE(SSL_in_early_data(server_.get()));
5707 EXPECT_TRUE(SSL_early_data_accepted(client_.get()));
5708 EXPECT_TRUE(SSL_early_data_accepted(server_.get()));
5709 EXPECT_EQ(SSL_get_early_data_reason(client_.get()), ssl_early_data_accepted);
5710 EXPECT_EQ(SSL_get_early_data_reason(server_.get()), ssl_early_data_accepted);
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5711}
5712
Nick Harper7c522992020-04-30 14:15:49 -0700[diff] [blame]5713TEST_F(QUICMethodTest, ZeroRTTRejectMismatchedParameters) {
5714 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
5715
5716 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
5717 SSL_CTX_set_early_data_enabled(client_ctx_.get(), 1);
5718 SSL_CTX_set_early_data_enabled(server_ctx_.get(), 1);
5719 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
5720 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
5721
5722
5723 bssl::UniquePtr<SSL_SESSION> session = CreateClientSessionForQUIC();
5724 ASSERT_TRUE(session);
5725
Nick Harper85194322020-05-20 16:59:29 -0700[diff] [blame]5726 ASSERT_TRUE(CreateClientAndServer());
5727 static const uint8_t new_context[] = {4};
5728 ASSERT_TRUE(SSL_set_quic_early_data_context(server_.get(), new_context,
5729 sizeof(new_context)));
5730 SSL_set_session(client_.get(), session.get());
Nick Harper7c522992020-04-30 14:15:49 -0700[diff] [blame]5731
Nick Harper85194322020-05-20 16:59:29 -0700[diff] [blame]5732 // The client handshake should return immediately into the early data
5733 // state.
5734 ASSERT_EQ(SSL_do_handshake(client_.get()), 1);
5735 EXPECT_TRUE(SSL_in_early_data(client_.get()));
5736 // The transport should have keys for sending 0-RTT data.
5737 EXPECT_TRUE(transport_->client()->HasWriteSecret(ssl_encryption_early_data));
Nick Harper7c522992020-04-30 14:15:49 -0700[diff] [blame]5738
Nick Harper85194322020-05-20 16:59:29 -0700[diff] [blame]5739 // The server will consume the ClientHello, but it will not accept 0-RTT.
5740 ASSERT_TRUE(ProvideHandshakeData(server_.get()));
5741 ASSERT_EQ(SSL_do_handshake(server_.get()), -1);
5742 EXPECT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(server_.get(), -1));
5743 EXPECT_FALSE(SSL_in_early_data(server_.get()));
5744 EXPECT_FALSE(transport_->server()->HasReadSecret(ssl_encryption_early_data));
Nick Harper7c522992020-04-30 14:15:49 -0700[diff] [blame]5745
Nick Harper85194322020-05-20 16:59:29 -0700[diff] [blame]5746 // The client consumes the server response and signals 0-RTT rejection.
5747 for (;;) {
5748 ASSERT_TRUE(ProvideHandshakeData(client_.get()));
5749 ASSERT_EQ(-1, SSL_do_handshake(client_.get()));
5750 int err = SSL_get_error(client_.get(), -1);
5751 if (err == SSL_ERROR_EARLY_DATA_REJECTED) {
5752 break;
Nick Harper7c522992020-04-30 14:15:49 -0700[diff] [blame]5753 }
Nick Harper85194322020-05-20 16:59:29 -0700[diff] [blame]5754 ASSERT_EQ(SSL_ERROR_WANT_READ, err);
Nick Harper7c522992020-04-30 14:15:49 -0700[diff] [blame]5755 }
Nick Harper85194322020-05-20 16:59:29 -0700[diff] [blame]5756
5757 // As in TLS over TCP, 0-RTT rejection is sticky.
5758 ASSERT_EQ(-1, SSL_do_handshake(client_.get()));
5759 ASSERT_EQ(SSL_ERROR_EARLY_DATA_REJECTED, SSL_get_error(client_.get(), -1));
5760
5761 // Finish up the client and server handshakes.
5762 SSL_reset_early_data_reject(client_.get());
5763 ASSERT_TRUE(CompleteHandshakesForQUIC());
5764
5765 // Both sides can now exchange 1-RTT data.
5766 ExpectHandshakeSuccess();
5767 EXPECT_TRUE(SSL_session_reused(client_.get()));
5768 EXPECT_TRUE(SSL_session_reused(server_.get()));
5769 EXPECT_FALSE(SSL_in_early_data(client_.get()));
5770 EXPECT_FALSE(SSL_in_early_data(server_.get()));
5771 EXPECT_FALSE(SSL_early_data_accepted(client_.get()));
5772 EXPECT_FALSE(SSL_early_data_accepted(server_.get()));
5773}
5774
5775TEST_F(QUICMethodTest, NoZeroRTTTicketWithoutEarlyDataContext) {
5776 server_quic_early_data_context_ = {};
5777 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
5778
5779 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
5780 SSL_CTX_set_early_data_enabled(client_ctx_.get(), 1);
5781 SSL_CTX_set_early_data_enabled(server_ctx_.get(), 1);
5782 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
5783 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
5784
5785 bssl::UniquePtr<SSL_SESSION> session = CreateClientSessionForQUIC();
5786 ASSERT_TRUE(session);
5787 EXPECT_FALSE(SSL_SESSION_early_data_capable(session.get()));
Nick Harper7c522992020-04-30 14:15:49 -0700[diff] [blame]5788}
5789
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5790TEST_F(QUICMethodTest, ZeroRTTReject) {
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]5791 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5792
5793 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
5794 SSL_CTX_set_early_data_enabled(client_ctx_.get(), 1);
5795 SSL_CTX_set_early_data_enabled(server_ctx_.get(), 1);
5796 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
5797 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
5798
5799 bssl::UniquePtr<SSL_SESSION> session = CreateClientSessionForQUIC();
5800 ASSERT_TRUE(session);
5801
5802 for (bool reject_hrr : {false, true}) {
5803 SCOPED_TRACE(reject_hrr);
5804
5805 ASSERT_TRUE(CreateClientAndServer());
5806 if (reject_hrr) {
5807 // Configure the server to prefer P-256, which will reject 0-RTT via
5808 // HelloRetryRequest.
5809 int p256 = NID_X9_62_prime256v1;
5810 ASSERT_TRUE(SSL_set1_curves(server_.get(), &p256, 1));
5811 } else {
5812 // Disable 0-RTT on the server, so it will reject it.
5813 SSL_set_early_data_enabled(server_.get(), 0);
David Benjaminfd863b62019-07-25 13:51:32 -0400[diff] [blame]5814 }
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5815 SSL_set_session(client_.get(), session.get());
David Benjaminfd863b62019-07-25 13:51:32 -0400[diff] [blame]5816
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5817 // The client handshake should return immediately into the early data state.
5818 ASSERT_EQ(SSL_do_handshake(client_.get()), 1);
5819 EXPECT_TRUE(SSL_in_early_data(client_.get()));
5820 // The transport should have keys for sending 0-RTT data.
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]5821 EXPECT_TRUE(
5822 transport_->client()->HasWriteSecret(ssl_encryption_early_data));
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5823
5824 // The server will consume the ClientHello, but it will not accept 0-RTT.
David Benjaminfd863b62019-07-25 13:51:32 -0400[diff] [blame]5825 ASSERT_TRUE(ProvideHandshakeData(server_.get()));
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5826 ASSERT_EQ(SSL_do_handshake(server_.get()), -1);
5827 EXPECT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(server_.get(), -1));
5828 EXPECT_FALSE(SSL_in_early_data(server_.get()));
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]5829 EXPECT_FALSE(
5830 transport_->server()->HasReadSecret(ssl_encryption_early_data));
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5831
5832 // The client consumes the server response and signals 0-RTT rejection.
5833 for (;;) {
5834 ASSERT_TRUE(ProvideHandshakeData(client_.get()));
5835 ASSERT_EQ(-1, SSL_do_handshake(client_.get()));
5836 int err = SSL_get_error(client_.get(), -1);
5837 if (err == SSL_ERROR_EARLY_DATA_REJECTED) {
5838 break;
5839 }
5840 ASSERT_EQ(SSL_ERROR_WANT_READ, err);
David Benjaminfd863b62019-07-25 13:51:32 -0400[diff] [blame]5841 }
5842
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5843 // As in TLS over TCP, 0-RTT rejection is sticky.
5844 ASSERT_EQ(-1, SSL_do_handshake(client_.get()));
5845 ASSERT_EQ(SSL_ERROR_EARLY_DATA_REJECTED, SSL_get_error(client_.get(), -1));
5846
5847 // Finish up the client and server handshakes.
5848 SSL_reset_early_data_reject(client_.get());
5849 ASSERT_TRUE(CompleteHandshakesForQUIC());
5850
5851 // Both sides can now exchange 1-RTT data.
5852 ExpectHandshakeSuccess();
5853 EXPECT_TRUE(SSL_session_reused(client_.get()));
5854 EXPECT_TRUE(SSL_session_reused(server_.get()));
5855 EXPECT_FALSE(SSL_in_early_data(client_.get()));
5856 EXPECT_FALSE(SSL_in_early_data(server_.get()));
5857 EXPECT_FALSE(SSL_early_data_accepted(client_.get()));
5858 EXPECT_FALSE(SSL_early_data_accepted(server_.get()));
David Benjaminfd863b62019-07-25 13:51:32 -0400[diff] [blame]5859 }
David Benjaminfd863b62019-07-25 13:51:32 -0400[diff] [blame]5860}
5861
David Benjaminee0716f2019-11-19 14:16:28 +0800[diff] [blame]5862TEST_F(QUICMethodTest, NoZeroRTTKeysBeforeReverify) {
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]5863 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
David Benjaminee0716f2019-11-19 14:16:28 +0800[diff] [blame]5864
5865 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
5866 SSL_CTX_set_early_data_enabled(client_ctx_.get(), 1);
5867 SSL_CTX_set_reverify_on_resume(client_ctx_.get(), 1);
5868 SSL_CTX_set_early_data_enabled(server_ctx_.get(), 1);
5869 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
5870 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
5871
5872 bssl::UniquePtr<SSL_SESSION> session = CreateClientSessionForQUIC();
5873 ASSERT_TRUE(session);
5874
5875 ASSERT_TRUE(CreateClientAndServer());
5876 SSL_set_session(client_.get(), session.get());
5877
5878 // Configure the certificate (re)verification to never complete. The client
5879 // handshake should pause.
5880 SSL_set_custom_verify(
5881 client_.get(), SSL_VERIFY_PEER,
5882 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
5883 return ssl_verify_retry;
5884 });
5885 ASSERT_EQ(SSL_do_handshake(client_.get()), -1);
5886 ASSERT_EQ(SSL_get_error(client_.get(), -1),
5887 SSL_ERROR_WANT_CERTIFICATE_VERIFY);
5888
5889 // The early data keys have not yet been released.
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]5890 EXPECT_FALSE(transport_->client()->HasWriteSecret(ssl_encryption_early_data));
David Benjaminee0716f2019-11-19 14:16:28 +0800[diff] [blame]5891
5892 // After the verification completes, the handshake progresses to the 0-RTT
5893 // point and releases keys.
5894 SSL_set_custom_verify(
5895 client_.get(), SSL_VERIFY_PEER,
5896 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
5897 return ssl_verify_ok;
5898 });
5899 ASSERT_EQ(SSL_do_handshake(client_.get()), 1);
5900 EXPECT_TRUE(SSL_in_early_data(client_.get()));
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]5901 EXPECT_TRUE(transport_->client()->HasWriteSecret(ssl_encryption_early_data));
David Benjaminee0716f2019-11-19 14:16:28 +0800[diff] [blame]5902}
5903
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5904// Test only releasing data to QUIC one byte at a time on request, to maximize
5905// state machine pauses. Additionally, test that existing asynchronous callbacks
5906// still work.
5907TEST_F(QUICMethodTest, Async) {
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]5908 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5909
5910 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
5911 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
5912 ASSERT_TRUE(CreateClientAndServer());
5913
5914 // Install an asynchronous certificate callback.
5915 bool cert_cb_ok = false;
5916 SSL_set_cert_cb(server_.get(),
5917 [](SSL *, void *arg) -> int {
5918 return *static_cast<bool *>(arg) ? 1 : -1;
5919 },
5920 &cert_cb_ok);
5921
5922 for (;;) {
5923 int client_ret = SSL_do_handshake(client_.get());
5924 if (client_ret != 1) {
5925 ASSERT_EQ(client_ret, -1);
5926 ASSERT_EQ(SSL_get_error(client_.get(), client_ret), SSL_ERROR_WANT_READ);
5927 ASSERT_TRUE(ProvideHandshakeData(client_.get(), 1));
5928 }
5929
5930 int server_ret = SSL_do_handshake(server_.get());
5931 if (server_ret != 1) {
5932 ASSERT_EQ(server_ret, -1);
5933 int ssl_err = SSL_get_error(server_.get(), server_ret);
5934 switch (ssl_err) {
5935 case SSL_ERROR_WANT_READ:
5936 ASSERT_TRUE(ProvideHandshakeData(server_.get(), 1));
5937 break;
5938 case SSL_ERROR_WANT_X509_LOOKUP:
5939 ASSERT_FALSE(cert_cb_ok);
5940 cert_cb_ok = true;
5941 break;
5942 default:
5943 FAIL() << "Unexpected SSL_get_error result: " << ssl_err;
5944 }
5945 }
5946
5947 if (client_ret == 1 && server_ret == 1) {
5948 break;
5949 }
5950 }
5951
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5952 ExpectHandshakeSuccess();
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5953}
5954
5955// Test buffering write data until explicit flushes.
5956TEST_F(QUICMethodTest, Buffered) {
David Benjamin5298ef92020-03-13 12:17:30 -0400[diff] [blame]5957 AllowOutOfOrderWrites();
5958
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5959 struct BufferedFlight {
5960 std::vector<uint8_t> data[kNumQUICLevels];
5961 };
5962 static UnownedSSLExData<BufferedFlight> buffered_flights;
5963
David Benjamincc9d9352018-10-30 19:45:22 -0500[diff] [blame]5964 auto add_handshake_data = [](SSL *ssl, enum ssl_encryption_level_t level,
5965 const uint8_t *data, size_t len) -> int {
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5966 BufferedFlight *flight = buffered_flights.Get(ssl);
5967 flight->data[level].insert(flight->data[level].end(), data, data + len);
5968 return 1;
5969 };
5970
5971 auto flush_flight = [](SSL *ssl) -> int {
5972 BufferedFlight *flight = buffered_flights.Get(ssl);
5973 for (size_t level = 0; level < kNumQUICLevels; level++) {
5974 if (!flight->data[level].empty()) {
5975 if (!TransportFromSSL(ssl)->WriteHandshakeData(
5976 static_cast<ssl_encryption_level_t>(level),
5977 flight->data[level])) {
5978 return 0;
5979 }
5980 flight->data[level].clear();
5981 }
5982 }
5983 return 1;
5984 };
5985
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]5986 SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
5987 quic_method.add_handshake_data = add_handshake_data;
5988 quic_method.flush_flight = flush_flight;
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5989
5990 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
5991 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
5992 ASSERT_TRUE(CreateClientAndServer());
5993
5994 BufferedFlight client_flight, server_flight;
5995 buffered_flights.Set(client_.get(), &client_flight);
5996 buffered_flights.Set(server_.get(), &server_flight);
5997
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5998 ASSERT_TRUE(CompleteHandshakesForQUIC());
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5999
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6000 ExpectHandshakeSuccess();
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6001}
6002
6003// Test that excess data at one level is rejected. That is, if a single
6004// |SSL_provide_quic_data| call included both ServerHello and
6005// EncryptedExtensions in a single chunk, BoringSSL notices and rejects this on
6006// key change.
6007TEST_F(QUICMethodTest, ExcessProvidedData) {
David Benjamin5298ef92020-03-13 12:17:30 -0400[diff] [blame]6008 AllowOutOfOrderWrites();
6009
David Benjamincc9d9352018-10-30 19:45:22 -0500[diff] [blame]6010 auto add_handshake_data = [](SSL *ssl, enum ssl_encryption_level_t level,
6011 const uint8_t *data, size_t len) -> int {
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6012 // Switch everything to the initial level.
6013 return TransportFromSSL(ssl)->WriteHandshakeData(ssl_encryption_initial,
6014 MakeConstSpan(data, len));
6015 };
6016
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]6017 SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6018 quic_method.add_handshake_data = add_handshake_data;
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6019
6020 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6021 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6022 ASSERT_TRUE(CreateClientAndServer());
6023
6024 // Send the ClientHello and ServerHello through Finished.
6025 ASSERT_EQ(SSL_do_handshake(client_.get()), -1);
6026 ASSERT_EQ(SSL_get_error(client_.get(), -1), SSL_ERROR_WANT_READ);
6027 ASSERT_TRUE(ProvideHandshakeData(server_.get()));
6028 ASSERT_EQ(SSL_do_handshake(server_.get()), -1);
6029 ASSERT_EQ(SSL_get_error(server_.get(), -1), SSL_ERROR_WANT_READ);
6030
6031 // The client is still waiting for the ServerHello at initial
6032 // encryption.
6033 ASSERT_EQ(ssl_encryption_initial, SSL_quic_read_level(client_.get()));
6034
David Benjamincc9d9352018-10-30 19:45:22 -0500[diff] [blame]6035 // |add_handshake_data| incorrectly wrote everything at the initial level, so
6036 // this queues up ServerHello through Finished in one chunk.
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6037 ASSERT_TRUE(ProvideHandshakeData(client_.get()));
6038
6039 // The client reads ServerHello successfully, but then rejects the buffered
6040 // EncryptedExtensions on key change.
6041 ASSERT_EQ(SSL_do_handshake(client_.get()), -1);
6042 ASSERT_EQ(SSL_get_error(client_.get(), -1), SSL_ERROR_SSL);
6043 uint32_t err = ERR_get_error();
6044 EXPECT_EQ(ERR_GET_LIB(err), ERR_LIB_SSL);
David Benjaminf9cc26f2020-02-09 16:49:31 -0500[diff] [blame]6045 EXPECT_EQ(ERR_GET_REASON(err), SSL_R_EXCESS_HANDSHAKE_DATA);
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6046
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]6047 // The client sends an alert in response to this. The alert is sent at
6048 // handshake level because we install write secrets before read secrets and
6049 // the error is discovered when installing the read secret. (How to send
6050 // alerts on protocol syntax errors near key changes is ambiguous in general.)
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6051 ASSERT_TRUE(transport_->client()->has_alert());
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]6052 EXPECT_EQ(transport_->client()->alert_level(), ssl_encryption_handshake);
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6053 EXPECT_EQ(transport_->client()->alert(), SSL_AD_UNEXPECTED_MESSAGE);
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6054
David Benjamin5298ef92020-03-13 12:17:30 -0400[diff] [blame]6055 // Sanity-check handshake secrets. The error is discovered while setting the
6056 // read secret, so only the write secret has been installed.
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]6057 EXPECT_TRUE(transport_->client()->HasWriteSecret(ssl_encryption_handshake));
David Benjamin5298ef92020-03-13 12:17:30 -0400[diff] [blame]6058 EXPECT_FALSE(transport_->client()->HasReadSecret(ssl_encryption_handshake));
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6059}
6060
6061// Test that |SSL_provide_quic_data| will reject data at the wrong level.
6062TEST_F(QUICMethodTest, ProvideWrongLevel) {
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]6063 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6064
6065 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6066 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6067 ASSERT_TRUE(CreateClientAndServer());
6068
6069 // Send the ClientHello and ServerHello through Finished.
6070 ASSERT_EQ(SSL_do_handshake(client_.get()), -1);
6071 ASSERT_EQ(SSL_get_error(client_.get(), -1), SSL_ERROR_WANT_READ);
6072 ASSERT_TRUE(ProvideHandshakeData(server_.get()));
6073 ASSERT_EQ(SSL_do_handshake(server_.get()), -1);
6074 ASSERT_EQ(SSL_get_error(server_.get(), -1), SSL_ERROR_WANT_READ);
6075
6076 // The client is still waiting for the ServerHello at initial
6077 // encryption.
6078 ASSERT_EQ(ssl_encryption_initial, SSL_quic_read_level(client_.get()));
6079
6080 // Data cannot be provided at the next level.
6081 std::vector<uint8_t> data;
6082 ASSERT_TRUE(
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6083 transport_->client()->ReadHandshakeData(&data, ssl_encryption_initial));
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6084 ASSERT_FALSE(SSL_provide_quic_data(client_.get(), ssl_encryption_handshake,
6085 data.data(), data.size()));
6086 ERR_clear_error();
6087
6088 // Progress to EncryptedExtensions.
6089 ASSERT_TRUE(SSL_provide_quic_data(client_.get(), ssl_encryption_initial,
6090 data.data(), data.size()));
6091 ASSERT_EQ(SSL_do_handshake(client_.get()), -1);
6092 ASSERT_EQ(SSL_get_error(client_.get(), -1), SSL_ERROR_WANT_READ);
6093 ASSERT_EQ(ssl_encryption_handshake, SSL_quic_read_level(client_.get()));
6094
6095 // Data cannot be provided at the previous level.
6096 ASSERT_TRUE(
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6097 transport_->client()->ReadHandshakeData(&data, ssl_encryption_handshake));
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6098 ASSERT_FALSE(SSL_provide_quic_data(client_.get(), ssl_encryption_initial,
6099 data.data(), data.size()));
6100}
6101
6102TEST_F(QUICMethodTest, TooMuchData) {
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]6103 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6104
6105 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6106 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6107 ASSERT_TRUE(CreateClientAndServer());
6108
6109 size_t limit =
6110 SSL_quic_max_handshake_flight_len(client_.get(), ssl_encryption_initial);
6111 uint8_t b = 0;
6112 for (size_t i = 0; i < limit; i++) {
6113 ASSERT_TRUE(
6114 SSL_provide_quic_data(client_.get(), ssl_encryption_initial, &b, 1));
6115 }
6116
6117 EXPECT_FALSE(
6118 SSL_provide_quic_data(client_.get(), ssl_encryption_initial, &b, 1));
6119}
6120
Steven Valdeze6eef1c2018-11-09 13:32:34 -0500[diff] [blame]6121// Provide invalid post-handshake data.
6122TEST_F(QUICMethodTest, BadPostHandshake) {
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]6123 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
Steven Valdeze6eef1c2018-11-09 13:32:34 -0500[diff] [blame]6124
6125 g_last_session = nullptr;
6126
6127 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6128 SSL_CTX_sess_set_new_cb(client_ctx_.get(), SaveLastSession);
6129 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6130 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6131 ASSERT_TRUE(CreateClientAndServer());
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6132 ASSERT_TRUE(CompleteHandshakesForQUIC());
Steven Valdeze6eef1c2018-11-09 13:32:34 -0500[diff] [blame]6133
6134 EXPECT_EQ(SSL_do_handshake(client_.get()), 1);
6135 EXPECT_EQ(SSL_do_handshake(server_.get()), 1);
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6136 EXPECT_TRUE(transport_->SecretsMatch(ssl_encryption_application));
6137 EXPECT_FALSE(transport_->client()->has_alert());
6138 EXPECT_FALSE(transport_->server()->has_alert());
Steven Valdeze6eef1c2018-11-09 13:32:34 -0500[diff] [blame]6139
6140 // Junk sent as part of post-handshake data should cause an error.
6141 uint8_t kJunk[] = {0x17, 0x0, 0x0, 0x4, 0xB, 0xE, 0xE, 0xF};
6142 ASSERT_TRUE(SSL_provide_quic_data(client_.get(), ssl_encryption_application,
6143 kJunk, sizeof(kJunk)));
6144 EXPECT_EQ(SSL_process_quic_post_handshake(client_.get()), 0);
6145}
6146
Nick Harper80ddfc72020-03-11 18:26:31 -0700[diff] [blame]6147static void ExpectReceivedTransportParamsEqual(const SSL *ssl,
6148 Span<const uint8_t> expected) {
6149 const uint8_t *received;
6150 size_t received_len;
6151 SSL_get_peer_quic_transport_params(ssl, &received, &received_len);
6152 ASSERT_EQ(received_len, expected.size());
6153 EXPECT_EQ(Bytes(received, received_len), Bytes(expected));
6154}
6155
6156TEST_F(QUICMethodTest, SetTransportParameters) {
6157 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6158 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6159 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6160
6161 ASSERT_TRUE(CreateClientAndServer());
6162 uint8_t kClientParams[] = {1, 2, 3, 4};
6163 uint8_t kServerParams[] = {5, 6, 7};
6164 ASSERT_TRUE(SSL_set_quic_transport_params(client_.get(), kClientParams,
6165 sizeof(kClientParams)));
6166 ASSERT_TRUE(SSL_set_quic_transport_params(server_.get(), kServerParams,
6167 sizeof(kServerParams)));
6168
6169 ASSERT_TRUE(CompleteHandshakesForQUIC());
6170 ExpectReceivedTransportParamsEqual(client_.get(), kServerParams);
6171 ExpectReceivedTransportParamsEqual(server_.get(), kClientParams);
6172}
6173
6174TEST_F(QUICMethodTest, SetTransportParamsInCallback) {
6175 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6176 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6177 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6178
6179 ASSERT_TRUE(CreateClientAndServer());
6180 uint8_t kClientParams[] = {1, 2, 3, 4};
6181 static uint8_t kServerParams[] = {5, 6, 7};
6182 ASSERT_TRUE(SSL_set_quic_transport_params(client_.get(), kClientParams,
6183 sizeof(kClientParams)));
6184 SSL_CTX_set_tlsext_servername_callback(
6185 server_ctx_.get(), [](SSL *ssl, int *out_alert, void *arg) -> int {
6186 EXPECT_TRUE(SSL_set_quic_transport_params(ssl, kServerParams,
6187 sizeof(kServerParams)));
6188 return SSL_TLSEXT_ERR_OK;
6189 });
6190
6191 ASSERT_TRUE(CompleteHandshakesForQUIC());
6192 ExpectReceivedTransportParamsEqual(client_.get(), kServerParams);
6193 ExpectReceivedTransportParamsEqual(server_.get(), kClientParams);
6194}
6195
Nick Harper6bfd25c2020-03-30 17:15:19 -0700[diff] [blame]6196TEST_F(QUICMethodTest, ForbidCrossProtocolResumptionClient) {
6197 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6198
6199 g_last_session = nullptr;
6200
6201 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6202 SSL_CTX_sess_set_new_cb(client_ctx_.get(), SaveLastSession);
6203 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6204 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6205
6206 ASSERT_TRUE(CreateClientAndServer());
6207 ASSERT_TRUE(CompleteHandshakesForQUIC());
6208
6209 ExpectHandshakeSuccess();
6210 EXPECT_FALSE(SSL_session_reused(client_.get()));
6211 EXPECT_FALSE(SSL_session_reused(server_.get()));
6212
6213 // The server sent NewSessionTicket messages in the handshake.
6214 EXPECT_FALSE(g_last_session);
6215 ASSERT_TRUE(ProvideHandshakeData(client_.get()));
6216 EXPECT_EQ(SSL_process_quic_post_handshake(client_.get()), 1);
6217 EXPECT_TRUE(g_last_session);
6218
6219 // Pretend that g_last_session came from a TLS-over-TCP connection.
6220 g_last_session.get()->is_quic = false;
6221
6222 // Create a second connection and verify that resumption does not occur with
6223 // a session from a non-QUIC connection. This tests that the client does not
6224 // offer over QUIC a session believed to be received over TCP. The server
6225 // believes this is a QUIC session, so if the client offered the session, the
6226 // server would have resumed it.
6227 ASSERT_TRUE(CreateClientAndServer());
6228 bssl::UniquePtr<SSL_SESSION> session = std::move(g_last_session);
6229 SSL_set_session(client_.get(), session.get());
6230
6231 ASSERT_TRUE(CompleteHandshakesForQUIC());
6232 ExpectHandshakeSuccess();
6233 EXPECT_FALSE(SSL_session_reused(client_.get()));
6234 EXPECT_FALSE(SSL_session_reused(server_.get()));
6235}
6236
6237TEST_F(QUICMethodTest, ForbidCrossProtocolResumptionServer) {
6238 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6239
6240 g_last_session = nullptr;
6241
6242 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6243 SSL_CTX_sess_set_new_cb(client_ctx_.get(), SaveLastSession);
6244 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6245 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6246
6247 ASSERT_TRUE(CreateClientAndServer());
6248 ASSERT_TRUE(CompleteHandshakesForQUIC());
6249
6250 ExpectHandshakeSuccess();
6251 EXPECT_FALSE(SSL_session_reused(client_.get()));
6252 EXPECT_FALSE(SSL_session_reused(server_.get()));
6253
6254 // The server sent NewSessionTicket messages in the handshake.
6255 EXPECT_FALSE(g_last_session);
6256 ASSERT_TRUE(ProvideHandshakeData(client_.get()));
6257 EXPECT_EQ(SSL_process_quic_post_handshake(client_.get()), 1);
6258 EXPECT_TRUE(g_last_session);
6259
6260 // Attempt a resumption with g_last_session using TLS_method.
6261 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
6262 ASSERT_TRUE(client_ctx);
6263
6264 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), nullptr));
6265
6266 bssl::UniquePtr<SSL> client(SSL_new(client_ctx.get())),
6267 server(SSL_new(server_ctx_.get()));
6268 ASSERT_TRUE(client);
6269 ASSERT_TRUE(server);
6270 SSL_set_connect_state(client.get());
6271 SSL_set_accept_state(server.get());
6272
6273 // The TLS-over-TCP client will refuse to resume with a quic session, so
6274 // mark is_quic = false to bypass the client check to test the server check.
6275 g_last_session.get()->is_quic = false;
6276 SSL_set_session(client.get(), g_last_session.get());
6277
6278 BIO *bio1, *bio2;
6279 ASSERT_TRUE(BIO_new_bio_pair(&bio1, 0, &bio2, 0));
6280
6281 // SSL_set_bio takes ownership.
6282 SSL_set_bio(client.get(), bio1, bio1);
6283 SSL_set_bio(server.get(), bio2, bio2);
6284 ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
6285
6286 EXPECT_FALSE(SSL_session_reused(client.get()));
6287 EXPECT_FALSE(SSL_session_reused(server.get()));
6288}
6289
Nick Harper72cff812020-03-26 18:06:16 -0700[diff] [blame]6290TEST_F(QUICMethodTest, ClientRejectsMissingTransportParams) {
6291 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6292 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6293 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6294
6295 ASSERT_TRUE(CreateClientAndServer());
6296 ASSERT_TRUE(SSL_set_quic_transport_params(server_.get(), nullptr, 0));
6297 ASSERT_TRUE(RunQUICHandshakesAndExpectError(ExpectedError::kServerError));
6298}
6299
6300TEST_F(QUICMethodTest, ServerRejectsMissingTransportParams) {
6301 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6302 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6303 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6304
6305 ASSERT_TRUE(CreateClientAndServer());
6306 ASSERT_TRUE(SSL_set_quic_transport_params(client_.get(), nullptr, 0));
6307 ASSERT_TRUE(RunQUICHandshakesAndExpectError(ExpectedError::kClientError));
6308}
6309
David Schinazi3d8b8c32021-01-14 11:25:49 -0800[diff] [blame]6310TEST_F(QUICMethodTest, QuicLegacyCodepointEnabled) {
6311 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6312 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6313 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6314
6315 ASSERT_TRUE(CreateClientAndServer());
6316 uint8_t kClientParams[] = {1, 2, 3, 4};
6317 uint8_t kServerParams[] = {5, 6, 7};
6318 SSL_set_quic_use_legacy_codepoint(client_.get(), 1);
6319 SSL_set_quic_use_legacy_codepoint(server_.get(), 1);
6320 ASSERT_TRUE(SSL_set_quic_transport_params(client_.get(), kClientParams,
6321 sizeof(kClientParams)));
6322 ASSERT_TRUE(SSL_set_quic_transport_params(server_.get(), kServerParams,
6323 sizeof(kServerParams)));
6324
6325 ASSERT_TRUE(CompleteHandshakesForQUIC());
6326 ExpectReceivedTransportParamsEqual(client_.get(), kServerParams);
6327 ExpectReceivedTransportParamsEqual(server_.get(), kClientParams);
6328}
6329
6330TEST_F(QUICMethodTest, QuicLegacyCodepointDisabled) {
6331 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6332 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6333 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6334
6335 ASSERT_TRUE(CreateClientAndServer());
6336 uint8_t kClientParams[] = {1, 2, 3, 4};
6337 uint8_t kServerParams[] = {5, 6, 7};
6338 SSL_set_quic_use_legacy_codepoint(client_.get(), 0);
6339 SSL_set_quic_use_legacy_codepoint(server_.get(), 0);
6340 ASSERT_TRUE(SSL_set_quic_transport_params(client_.get(), kClientParams,
6341 sizeof(kClientParams)));
6342 ASSERT_TRUE(SSL_set_quic_transport_params(server_.get(), kServerParams,
6343 sizeof(kServerParams)));
6344
6345 ASSERT_TRUE(CompleteHandshakesForQUIC());
6346 ExpectReceivedTransportParamsEqual(client_.get(), kServerParams);
6347 ExpectReceivedTransportParamsEqual(server_.get(), kClientParams);
6348}
6349
6350TEST_F(QUICMethodTest, QuicLegacyCodepointClientOnly) {
6351 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6352 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6353 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6354
6355 ASSERT_TRUE(CreateClientAndServer());
6356 uint8_t kClientParams[] = {1, 2, 3, 4};
6357 uint8_t kServerParams[] = {5, 6, 7};
6358 SSL_set_quic_use_legacy_codepoint(client_.get(), 1);
6359 SSL_set_quic_use_legacy_codepoint(server_.get(), 0);
6360 ASSERT_TRUE(SSL_set_quic_transport_params(client_.get(), kClientParams,
6361 sizeof(kClientParams)));
6362 ASSERT_TRUE(SSL_set_quic_transport_params(server_.get(), kServerParams,
6363 sizeof(kServerParams)));
6364
6365 ASSERT_TRUE(RunQUICHandshakesAndExpectError(ExpectedError::kServerError));
6366}
6367
6368TEST_F(QUICMethodTest, QuicLegacyCodepointServerOnly) {
6369 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6370 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6371 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6372
6373 ASSERT_TRUE(CreateClientAndServer());
6374 uint8_t kClientParams[] = {1, 2, 3, 4};
6375 uint8_t kServerParams[] = {5, 6, 7};
6376 SSL_set_quic_use_legacy_codepoint(client_.get(), 0);
6377 SSL_set_quic_use_legacy_codepoint(server_.get(), 1);
6378 ASSERT_TRUE(SSL_set_quic_transport_params(client_.get(), kClientParams,
6379 sizeof(kClientParams)));
6380 ASSERT_TRUE(SSL_set_quic_transport_params(server_.get(), kServerParams,
6381 sizeof(kServerParams)));
6382
6383 ASSERT_TRUE(RunQUICHandshakesAndExpectError(ExpectedError::kServerError));
6384}
6385
David Benjaminc47bfce2021-01-20 17:10:32 -0500[diff] [blame]6386// Test that the default QUIC code point is consistent with
6387// |TLSEXT_TYPE_quic_transport_parameters|. This test ensures we remember to
6388// update the two values together.
6389TEST_F(QUICMethodTest, QuicCodePointDefault) {
6390 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6391 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6392 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6393 SSL_CTX_set_select_certificate_cb(
6394 server_ctx_.get(),
6395 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
6396 const uint8_t *data;
6397 size_t len;
6398 if (!SSL_early_callback_ctx_extension_get(
6399 client_hello, TLSEXT_TYPE_quic_transport_parameters, &data,
6400 &len)) {
6401 ADD_FAILURE() << "Could not find quic_transport_parameters extension";
6402 return ssl_select_cert_error;
6403 }
6404 return ssl_select_cert_success;
6405 });
6406
6407 ASSERT_TRUE(CreateClientAndServer());
6408 ASSERT_TRUE(CompleteHandshakesForQUIC());
6409}
6410
Adam Langley7540cc22019-04-18 09:56:13 -0700[diff] [blame]6411extern "C" {
6412int BORINGSSL_enum_c_type_test(void);
6413}
6414
6415TEST(SSLTest, EnumTypes) {
6416 EXPECT_EQ(sizeof(int), sizeof(ssl_private_key_result_t));
6417 EXPECT_EQ(1, BORINGSSL_enum_c_type_test());
6418}
6419
David Benjaminb29e1e12019-05-06 14:44:46 -0500[diff] [blame]6420TEST_P(SSLVersionTest, DoubleSSLError) {
6421 // Connect the inner SSL connections.
6422 ASSERT_TRUE(Connect());
6423
6424 // Make a pair of |BIO|s which wrap |client_| and |server_|.
6425 UniquePtr<BIO_METHOD> bio_method(BIO_meth_new(0, nullptr));
6426 ASSERT_TRUE(bio_method);
6427 ASSERT_TRUE(BIO_meth_set_read(
6428 bio_method.get(), [](BIO *bio, char *out, int len) -> int {
6429 SSL *ssl = static_cast<SSL *>(BIO_get_data(bio));
6430 int ret = SSL_read(ssl, out, len);
6431 int ssl_ret = SSL_get_error(ssl, ret);
6432 if (ssl_ret == SSL_ERROR_WANT_READ) {
6433 BIO_set_retry_read(bio);
6434 }
6435 return ret;
6436 }));
6437 ASSERT_TRUE(BIO_meth_set_write(
6438 bio_method.get(), [](BIO *bio, const char *in, int len) -> int {
6439 SSL *ssl = static_cast<SSL *>(BIO_get_data(bio));
6440 int ret = SSL_write(ssl, in, len);
6441 int ssl_ret = SSL_get_error(ssl, ret);
6442 if (ssl_ret == SSL_ERROR_WANT_WRITE) {
6443 BIO_set_retry_write(bio);
6444 }
6445 return ret;
6446 }));
6447 ASSERT_TRUE(BIO_meth_set_ctrl(
6448 bio_method.get(), [](BIO *bio, int cmd, long larg, void *parg) -> long {
6449 // |SSL| objects require |BIO_flush| support.
6450 if (cmd == BIO_CTRL_FLUSH) {
6451 return 1;
6452 }
6453 return 0;
6454 }));
6455
6456 UniquePtr<BIO> client_bio(BIO_new(bio_method.get()));
6457 ASSERT_TRUE(client_bio);
6458 BIO_set_data(client_bio.get(), client_.get());
6459 BIO_set_init(client_bio.get(), 1);
6460
6461 UniquePtr<BIO> server_bio(BIO_new(bio_method.get()));
6462 ASSERT_TRUE(server_bio);
6463 BIO_set_data(server_bio.get(), server_.get());
6464 BIO_set_init(server_bio.get(), 1);
6465
6466 // Wrap the inner connections in another layer of SSL.
6467 UniquePtr<SSL> client_outer(SSL_new(client_ctx_.get()));
6468 ASSERT_TRUE(client_outer);
6469 SSL_set_connect_state(client_outer.get());
6470 SSL_set_bio(client_outer.get(), client_bio.get(), client_bio.get());
6471 client_bio.release(); // |SSL_set_bio| takes ownership.
6472
6473 UniquePtr<SSL> server_outer(SSL_new(server_ctx_.get()));
6474 ASSERT_TRUE(server_outer);
6475 SSL_set_accept_state(server_outer.get());
6476 SSL_set_bio(server_outer.get(), server_bio.get(), server_bio.get());
6477 server_bio.release(); // |SSL_set_bio| takes ownership.
6478
6479 // Configure |client_outer| to reject the server certificate.
6480 SSL_set_custom_verify(
6481 client_outer.get(), SSL_VERIFY_PEER,
6482 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
6483 return ssl_verify_invalid;
6484 });
6485
6486 for (;;) {
6487 int client_ret = SSL_do_handshake(client_outer.get());
6488 int client_err = SSL_get_error(client_outer.get(), client_ret);
6489 if (client_err != SSL_ERROR_WANT_READ &&
6490 client_err != SSL_ERROR_WANT_WRITE) {
6491 // The client handshake should terminate on a certificate verification
6492 // error.
6493 EXPECT_EQ(SSL_ERROR_SSL, client_err);
6494 uint32_t err = ERR_peek_error();
6495 EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err));
6496 EXPECT_EQ(SSL_R_CERTIFICATE_VERIFY_FAILED, ERR_GET_REASON(err));
6497 break;
6498 }
6499
6500 // Run the server handshake and continue.
6501 int server_ret = SSL_do_handshake(server_outer.get());
6502 int server_err = SSL_get_error(server_outer.get(), server_ret);
6503 ASSERT_TRUE(server_err == SSL_ERROR_NONE ||
6504 server_err == SSL_ERROR_WANT_READ ||
6505 server_err == SSL_ERROR_WANT_WRITE);
6506 }
6507}
6508
David Benjamin1b819472020-06-09 14:01:02 -0400[diff] [blame]6509TEST_P(SSLVersionTest, SameKeyResume) {
6510 uint8_t key[48];
6511 RAND_bytes(key, sizeof(key));
6512
6513 bssl::UniquePtr<SSL_CTX> server_ctx2 = CreateContext();
6514 ASSERT_TRUE(server_ctx2);
6515 ASSERT_TRUE(UseCertAndKey(server_ctx2.get()));
6516 ASSERT_TRUE(
6517 SSL_CTX_set_tlsext_ticket_keys(server_ctx_.get(), key, sizeof(key)));
6518 ASSERT_TRUE(
6519 SSL_CTX_set_tlsext_ticket_keys(server_ctx2.get(), key, sizeof(key)));
6520
6521 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6522 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
6523 SSL_CTX_set_session_cache_mode(server_ctx2.get(), SSL_SESS_CACHE_BOTH);
6524
6525 // Establish a session for |server_ctx_|.
6526 bssl::UniquePtr<SSL_SESSION> session =
6527 CreateClientSession(client_ctx_.get(), server_ctx_.get());
6528 ASSERT_TRUE(session);
6529 ClientConfig config;
6530 config.session = session.get();
6531
6532 // Resuming with |server_ctx_| again works.
6533 bssl::UniquePtr<SSL> client, server;
6534 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
6535 server_ctx_.get(), config));
6536 EXPECT_TRUE(SSL_session_reused(client.get()));
6537 EXPECT_TRUE(SSL_session_reused(server.get()));
6538
6539 // Resuming with |server_ctx2| also works.
6540 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
6541 server_ctx2.get(), config));
6542 EXPECT_TRUE(SSL_session_reused(client.get()));
6543 EXPECT_TRUE(SSL_session_reused(server.get()));
6544}
6545
6546TEST_P(SSLVersionTest, DifferentKeyNoResume) {
6547 uint8_t key1[48], key2[48];
6548 RAND_bytes(key1, sizeof(key1));
6549 RAND_bytes(key2, sizeof(key2));
6550
6551 bssl::UniquePtr<SSL_CTX> server_ctx2 = CreateContext();
6552 ASSERT_TRUE(server_ctx2);
6553 ASSERT_TRUE(UseCertAndKey(server_ctx2.get()));
6554 ASSERT_TRUE(
6555 SSL_CTX_set_tlsext_ticket_keys(server_ctx_.get(), key1, sizeof(key1)));
6556 ASSERT_TRUE(
6557 SSL_CTX_set_tlsext_ticket_keys(server_ctx2.get(), key2, sizeof(key2)));
6558
6559 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6560 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
6561 SSL_CTX_set_session_cache_mode(server_ctx2.get(), SSL_SESS_CACHE_BOTH);
6562
6563 // Establish a session for |server_ctx_|.
6564 bssl::UniquePtr<SSL_SESSION> session =
6565 CreateClientSession(client_ctx_.get(), server_ctx_.get());
6566 ASSERT_TRUE(session);
6567 ClientConfig config;
6568 config.session = session.get();
6569
6570 // Resuming with |server_ctx_| again works.
6571 bssl::UniquePtr<SSL> client, server;
6572 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
6573 server_ctx_.get(), config));
6574 EXPECT_TRUE(SSL_session_reused(client.get()));
6575 EXPECT_TRUE(SSL_session_reused(server.get()));
6576
6577 // Resuming with |server_ctx2| does not work.
6578 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
6579 server_ctx2.get(), config));
6580 EXPECT_FALSE(SSL_session_reused(client.get()));
6581 EXPECT_FALSE(SSL_session_reused(server.get()));
6582}
6583
6584TEST_P(SSLVersionTest, UnrelatedServerNoResume) {
6585 bssl::UniquePtr<SSL_CTX> server_ctx2 = CreateContext();
6586 ASSERT_TRUE(server_ctx2);
6587 ASSERT_TRUE(UseCertAndKey(server_ctx2.get()));
6588
6589 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6590 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
6591 SSL_CTX_set_session_cache_mode(server_ctx2.get(), SSL_SESS_CACHE_BOTH);
6592
6593 // Establish a session for |server_ctx_|.
6594 bssl::UniquePtr<SSL_SESSION> session =
6595 CreateClientSession(client_ctx_.get(), server_ctx_.get());
6596 ASSERT_TRUE(session);
6597 ClientConfig config;
6598 config.session = session.get();
6599
6600 // Resuming with |server_ctx_| again works.
6601 bssl::UniquePtr<SSL> client, server;
6602 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
6603 server_ctx_.get(), config));
6604 EXPECT_TRUE(SSL_session_reused(client.get()));
6605 EXPECT_TRUE(SSL_session_reused(server.get()));
6606
6607 // Resuming with |server_ctx2| does not work.
6608 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
6609 server_ctx2.get(), config));
6610 EXPECT_FALSE(SSL_session_reused(client.get()));
6611 EXPECT_FALSE(SSL_session_reused(server.get()));
6612}
6613
David Benjamin0e7dbd52019-05-15 16:01:18 -0400[diff] [blame]6614TEST(SSLTest, WriteWhileExplicitRenegotiate) {
6615 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
6616 ASSERT_TRUE(ctx);
6617
6618 bssl::UniquePtr<X509> cert = GetTestCertificate();
6619 bssl::UniquePtr<EVP_PKEY> pkey = GetTestKey();
6620 ASSERT_TRUE(cert);
6621 ASSERT_TRUE(pkey);
6622 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), cert.get()));
6623 ASSERT_TRUE(SSL_CTX_use_PrivateKey(ctx.get(), pkey.get()));
6624 ASSERT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_2_VERSION));
6625 ASSERT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_2_VERSION));
6626 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(
6627 ctx.get(), "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"));
6628
6629 bssl::UniquePtr<SSL> client, server;
6630 ASSERT_TRUE(ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
6631 ClientConfig(), true /* do_handshake */,
6632 false /* don't shed handshake config */));
6633 SSL_set_renegotiate_mode(client.get(), ssl_renegotiate_explicit);
6634
6635 static const uint8_t kInput[] = {'h', 'e', 'l', 'l', 'o'};
6636
6637 // Write "hello" until the buffer is full, so |client| has a pending write.
6638 size_t num_writes = 0;
6639 for (;;) {
6640 int ret = SSL_write(client.get(), kInput, sizeof(kInput));
6641 if (ret != int(sizeof(kInput))) {
6642 ASSERT_EQ(-1, ret);
6643 ASSERT_EQ(SSL_ERROR_WANT_WRITE, SSL_get_error(client.get(), ret));
6644 break;
6645 }
6646 num_writes++;
6647 }
6648
6649 // Encrypt a HelloRequest.
6650 uint8_t in[] = {SSL3_MT_HELLO_REQUEST, 0, 0, 0};
6651#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
6652 // Fuzzer-mode records are unencrypted.
6653 uint8_t record[5 + sizeof(in)];
6654 record[0] = SSL3_RT_HANDSHAKE;
6655 record[1] = 3;
6656 record[2] = 3; // TLS 1.2
6657 record[3] = 0;
6658 record[4] = sizeof(record) - 5;
6659 memcpy(record + 5, in, sizeof(in));
6660#else
6661 // Extract key material from |server|.
6662 static const size_t kKeyLen = 32;
6663 static const size_t kNonceLen = 12;
6664 ASSERT_EQ(2u * (kKeyLen + kNonceLen), SSL_get_key_block_len(server.get()));
6665 uint8_t key_block[2u * (kKeyLen + kNonceLen)];
6666 ASSERT_TRUE(
6667 SSL_generate_key_block(server.get(), key_block, sizeof(key_block)));
6668 Span<uint8_t> key = MakeSpan(key_block + kKeyLen, kKeyLen);
6669 Span<uint8_t> nonce =
6670 MakeSpan(key_block + kKeyLen + kKeyLen + kNonceLen, kNonceLen);
6671
6672 uint8_t ad[13];
6673 uint64_t seq = SSL_get_write_sequence(server.get());
6674 for (size_t i = 0; i < 8; i++) {
6675 // The nonce is XORed with the sequence number.
6676 nonce[11 - i] ^= uint8_t(seq);
6677 ad[7 - i] = uint8_t(seq);
6678 seq >>= 8;
6679 }
6680
6681 ad[8] = SSL3_RT_HANDSHAKE;
6682 ad[9] = 3;
6683 ad[10] = 3; // TLS 1.2
6684 ad[11] = 0;
6685 ad[12] = sizeof(in);
6686
6687 uint8_t record[5 + sizeof(in) + 16];
6688 record[0] = SSL3_RT_HANDSHAKE;
6689 record[1] = 3;
6690 record[2] = 3; // TLS 1.2
6691 record[3] = 0;
6692 record[4] = sizeof(record) - 5;
6693
6694 ScopedEVP_AEAD_CTX aead;
6695 ASSERT_TRUE(EVP_AEAD_CTX_init(aead.get(), EVP_aead_chacha20_poly1305(),
6696 key.data(), key.size(),
6697 EVP_AEAD_DEFAULT_TAG_LENGTH, nullptr));
6698 size_t len;
6699 ASSERT_TRUE(EVP_AEAD_CTX_seal(aead.get(), record + 5, &len,
6700 sizeof(record) - 5, nonce.data(), nonce.size(),
6701 in, sizeof(in), ad, sizeof(ad)));
6702 ASSERT_EQ(sizeof(record) - 5, len);
6703#endif // BORINGSSL_UNSAFE_FUZZER_MODE
6704
6705 ASSERT_EQ(int(sizeof(record)),
6706 BIO_write(SSL_get_wbio(server.get()), record, sizeof(record)));
6707
6708 // |SSL_read| should pick up the HelloRequest.
6709 uint8_t byte;
6710 ASSERT_EQ(-1, SSL_read(client.get(), &byte, 1));
6711 ASSERT_EQ(SSL_ERROR_WANT_RENEGOTIATE, SSL_get_error(client.get(), -1));
6712
6713 // Drain the data from the |client|.
6714 uint8_t buf[sizeof(kInput)];
6715 for (size_t i = 0; i < num_writes; i++) {
6716 ASSERT_EQ(int(sizeof(buf)), SSL_read(server.get(), buf, sizeof(buf)));
6717 EXPECT_EQ(Bytes(buf), Bytes(kInput));
6718 }
6719
6720 // |client| should be able to finish the pending write and continue to write,
6721 // despite the paused HelloRequest.
6722 ASSERT_EQ(int(sizeof(kInput)),
6723 SSL_write(client.get(), kInput, sizeof(kInput)));
6724 ASSERT_EQ(int(sizeof(buf)), SSL_read(server.get(), buf, sizeof(buf)));
6725 EXPECT_EQ(Bytes(buf), Bytes(kInput));
6726
6727 ASSERT_EQ(int(sizeof(kInput)),
6728 SSL_write(client.get(), kInput, sizeof(kInput)));
6729 ASSERT_EQ(int(sizeof(buf)), SSL_read(server.get(), buf, sizeof(buf)));
6730 EXPECT_EQ(Bytes(buf), Bytes(kInput));
6731
6732 // |SSL_read| is stuck until we acknowledge the HelloRequest.
6733 ASSERT_EQ(-1, SSL_read(client.get(), &byte, 1));
6734 ASSERT_EQ(SSL_ERROR_WANT_RENEGOTIATE, SSL_get_error(client.get(), -1));
6735
6736 ASSERT_TRUE(SSL_renegotiate(client.get()));
6737 ASSERT_EQ(-1, SSL_read(client.get(), &byte, 1));
6738 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(client.get(), -1));
6739
6740 // We never renegotiate as a server.
6741 ASSERT_EQ(-1, SSL_read(server.get(), buf, sizeof(buf)));
6742 ASSERT_EQ(SSL_ERROR_SSL, SSL_get_error(server.get(), -1));
6743 uint32_t err = ERR_get_error();
6744 EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err));
6745 EXPECT_EQ(SSL_R_NO_RENEGOTIATION, ERR_GET_REASON(err));
6746}
6747
David Benjaminf9e0cda2020-03-23 18:29:09 -0400[diff] [blame]6748
6749TEST(SSLTest, CopyWithoutEarlyData) {
6750 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
6751 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
6752 ASSERT_TRUE(client_ctx);
6753 ASSERT_TRUE(server_ctx);
6754
6755 bssl::UniquePtr<X509> cert = GetTestCertificate();
6756 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
6757 ASSERT_TRUE(cert);
6758 ASSERT_TRUE(key);
6759 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
6760 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
6761
6762 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
6763 SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH);
6764 SSL_CTX_set_early_data_enabled(client_ctx.get(), 1);
6765 SSL_CTX_set_early_data_enabled(server_ctx.get(), 1);
6766
6767 bssl::UniquePtr<SSL_SESSION> session =
6768 CreateClientSession(client_ctx.get(), server_ctx.get());
6769 ASSERT_TRUE(session);
6770
6771 // The client should attempt early data with |session|.
6772 auto config = ClientConfig();
6773 config.early_data = true;
6774 config.session = session.get();
6775 bssl::UniquePtr<SSL> client, server;
6776 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
6777 server_ctx.get(), config,
6778 /*do_handshake=*/false));
6779 ASSERT_EQ(1, SSL_do_handshake(client.get()));
6780 EXPECT_TRUE(SSL_in_early_data(client.get()));
6781
6782 // |SSL_SESSION_copy_without_early_data| should disable early data but
6783 // still resume the session.
6784 bssl::UniquePtr<SSL_SESSION> session2(
6785 SSL_SESSION_copy_without_early_data(session.get()));
6786 ASSERT_TRUE(session2);
6787 EXPECT_NE(session.get(), session2.get());
6788 config.session = session2.get();
6789 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
6790 server_ctx.get(), config));
6791 EXPECT_TRUE(SSL_session_reused(client.get()));
6792 EXPECT_EQ(ssl_early_data_unsupported_for_session,
6793 SSL_get_early_data_reason(client.get()));
6794
6795 // |SSL_SESSION_copy_without_early_data| should be a reference count increase
6796 // when passed an early-data-incapable session.
6797 bssl::UniquePtr<SSL_SESSION> session3(
6798 SSL_SESSION_copy_without_early_data(session2.get()));
6799 EXPECT_EQ(session2.get(), session3.get());
6800}
6801
Adam Langley53a17f52020-05-26 14:44:07 -0700[diff] [blame]6802TEST(SSLTest, ProcessTLS13NewSessionTicket) {
6803 // Configure client and server to negotiate TLS 1.3 only.
6804 bssl::UniquePtr<X509> cert = GetTestCertificate();
6805 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
6806 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
6807 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
6808 ASSERT_TRUE(client_ctx);
6809 ASSERT_TRUE(server_ctx);
6810 ASSERT_TRUE(SSL_CTX_set_min_proto_version(client_ctx.get(), TLS1_3_VERSION));
6811 ASSERT_TRUE(SSL_CTX_set_min_proto_version(server_ctx.get(), TLS1_3_VERSION));
6812 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION));
6813 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
6814 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
6815 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
6816
6817 bssl::UniquePtr<SSL> client, server;
6818 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
6819 server_ctx.get()));
6820 EXPECT_EQ(TLS1_3_VERSION, SSL_version(client.get()));
6821
6822 // Process a TLS 1.3 NewSessionTicket.
6823 static const uint8_t kTicket[] = {
6824 0x04, 0x00, 0x00, 0xb2, 0x00, 0x02, 0xa3, 0x00, 0x04, 0x03, 0x02, 0x01,
6825 0x01, 0x00, 0x00, 0xa0, 0x01, 0x06, 0x09, 0x11, 0x16, 0x19, 0x21, 0x26,
6826 0x29, 0x31, 0x36, 0x39, 0x41, 0x46, 0x49, 0x51, 0x03, 0x06, 0x09, 0x13,
6827 0x16, 0x19, 0x23, 0x26, 0x29, 0x33, 0x36, 0x39, 0x43, 0x46, 0x49, 0x53,
6828 0xf7, 0x00, 0x29, 0xec, 0xf2, 0xc4, 0xa4, 0x41, 0xfc, 0x30, 0x17, 0x2e,
6829 0x9f, 0x7c, 0xa8, 0xaf, 0x75, 0x70, 0xf0, 0x1f, 0xc7, 0x98, 0xf7, 0xcf,
6830 0x5a, 0x5a, 0x6b, 0x5b, 0xfe, 0xf1, 0xe7, 0x3a, 0xe8, 0xf7, 0x6c, 0xd2,
6831 0xa8, 0xa6, 0x92, 0x5b, 0x96, 0x8d, 0xde, 0xdb, 0xd3, 0x20, 0x6a, 0xcb,
6832 0x69, 0x06, 0xf4, 0x91, 0x85, 0x2e, 0xe6, 0x5e, 0x0c, 0x59, 0xf2, 0x9e,
6833 0x9b, 0x79, 0x91, 0x24, 0x7e, 0x4a, 0x32, 0x3d, 0xbe, 0x4b, 0x80, 0x70,
6834 0xaf, 0xd0, 0x1d, 0xe2, 0xca, 0x05, 0x35, 0x09, 0x09, 0x05, 0x0f, 0xbb,
6835 0xc4, 0xae, 0xd7, 0xc4, 0xed, 0xd7, 0xae, 0x35, 0xc8, 0x73, 0x63, 0x78,
6836 0x64, 0xc9, 0x7a, 0x1f, 0xed, 0x7a, 0x9a, 0x47, 0x44, 0xfd, 0x50, 0xf7,
6837 0xb7, 0xe0, 0x64, 0xa9, 0x02, 0xc1, 0x5c, 0x23, 0x18, 0x3f, 0xc4, 0xcf,
6838 0x72, 0x02, 0x59, 0x2d, 0xe1, 0xaa, 0x61, 0x72, 0x00, 0x04, 0x5a, 0x5a,
6839 0x00, 0x00,
6840 };
6841 bssl::UniquePtr<SSL_SESSION> session(SSL_process_tls13_new_session_ticket(
6842 client.get(), kTicket, sizeof(kTicket)));
6843 ASSERT_TRUE(session);
6844 ASSERT_TRUE(SSL_SESSION_has_ticket(session.get()));
6845
6846 uint8_t *session_buf = nullptr;
6847 size_t session_length = 0;
6848 ASSERT_TRUE(
6849 SSL_SESSION_to_bytes(session.get(), &session_buf, &session_length));
6850 bssl::UniquePtr<uint8_t> session_buf_free(session_buf);
6851 ASSERT_TRUE(session_buf);
6852 ASSERT_GT(session_length, 0u);
6853
6854 // Servers cannot call |SSL_process_tls13_new_session_ticket|.
6855 ASSERT_FALSE(SSL_process_tls13_new_session_ticket(server.get(), kTicket,
6856 sizeof(kTicket)));
6857
6858 // Clients cannot call |SSL_process_tls13_new_session_ticket| before the
6859 // handshake completes.
6860 bssl::UniquePtr<SSL> client2(SSL_new(client_ctx.get()));
6861 ASSERT_TRUE(client2);
6862 SSL_set_connect_state(client2.get());
6863 ASSERT_FALSE(SSL_process_tls13_new_session_ticket(client2.get(), kTicket,
6864 sizeof(kTicket)));
6865}
6866
David Benjamin3989c992020-10-09 14:12:06 -0400[diff] [blame]6867TEST(SSLTest, BIO) {
6868 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
6869 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
6870 ASSERT_TRUE(client_ctx);
6871 ASSERT_TRUE(server_ctx);
6872
6873 bssl::UniquePtr<X509> cert = GetTestCertificate();
6874 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
6875 ASSERT_TRUE(cert);
6876 ASSERT_TRUE(key);
6877 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
6878 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
6879
6880 for (bool take_ownership : {true, false}) {
6881 // For simplicity, get the handshake out of the way first.
6882 bssl::UniquePtr<SSL> client, server;
6883 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
6884 server_ctx.get()));
6885
6886 // Wrap |client| in an SSL BIO.
6887 bssl::UniquePtr<BIO> client_bio(BIO_new(BIO_f_ssl()));
6888 ASSERT_TRUE(client_bio);
6889 ASSERT_EQ(1, BIO_set_ssl(client_bio.get(), client.get(), take_ownership));
6890 if (take_ownership) {
6891 client.release();
6892 }
6893
6894 // Flushing the BIO should not crash.
6895 EXPECT_EQ(1, BIO_flush(client_bio.get()));
6896
6897 // Exchange some data.
6898 EXPECT_EQ(5, BIO_write(client_bio.get(), "hello", 5));
6899 uint8_t buf[5];
6900 ASSERT_EQ(5, SSL_read(server.get(), buf, sizeof(buf)));
6901 EXPECT_EQ(Bytes("hello"), Bytes(buf));
6902
6903 EXPECT_EQ(5, SSL_write(server.get(), "world", 5));
6904 ASSERT_EQ(5, BIO_read(client_bio.get(), buf, sizeof(buf)));
6905 EXPECT_EQ(Bytes("world"), Bytes(buf));
6906
6907 // |BIO_should_read| should work.
6908 EXPECT_EQ(-1, BIO_read(client_bio.get(), buf, sizeof(buf)));
6909 EXPECT_TRUE(BIO_should_read(client_bio.get()));
6910
6911 // Writing data should eventually exceed the buffer size and fail, reporting
6912 // |BIO_should_write|.
6913 int ret;
6914 for (int i = 0; i < 1024; i++) {
6915 std::vector<uint8_t> buffer(1024);
6916 ret = BIO_write(client_bio.get(), buffer.data(), buffer.size());
6917 if (ret <= 0) {
6918 break;
6919 }
6920 }
6921 EXPECT_EQ(-1, ret);
6922 EXPECT_TRUE(BIO_should_write(client_bio.get()));
6923 }
6924}
6925
David Benjamin12a3e7e2021-04-13 11:47:36 -0400[diff] [blame]6926TEST(SSLTest, ALPNConfig) {
6927 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
6928 ASSERT_TRUE(ctx);
6929 bssl::UniquePtr<X509> cert = GetTestCertificate();
6930 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
6931 ASSERT_TRUE(cert);
6932 ASSERT_TRUE(key);
6933 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), cert.get()));
6934 ASSERT_TRUE(SSL_CTX_use_PrivateKey(ctx.get(), key.get()));
6935
6936 // Set up some machinery to check the configured ALPN against what is actually
6937 // sent over the wire. Note that the ALPN callback is only called when the
6938 // client offers ALPN.
6939 std::vector<uint8_t> observed_alpn;
6940 SSL_CTX_set_alpn_select_cb(
6941 ctx.get(),
6942 [](SSL *ssl, const uint8_t **out, uint8_t *out_len, const uint8_t *in,
6943 unsigned in_len, void *arg) -> int {
6944 std::vector<uint8_t> *observed_alpn_ptr =
6945 static_cast<std::vector<uint8_t> *>(arg);
6946 observed_alpn_ptr->assign(in, in + in_len);
6947 return SSL_TLSEXT_ERR_NOACK;
6948 },
6949 &observed_alpn);
6950 auto check_alpn_proto = [&](Span<const uint8_t> expected) {
6951 observed_alpn.clear();
6952 bssl::UniquePtr<SSL> client, server;
6953 EXPECT_TRUE(ConnectClientAndServer(&client, &server, ctx.get(), ctx.get()));
6954 EXPECT_EQ(Bytes(expected), Bytes(observed_alpn));
6955 };
6956
6957 // Note that |SSL_CTX_set_alpn_protos|'s return value is reversed.
6958 static const uint8_t kValidList[] = {0x03, 'f', 'o', 'o',
6959 0x03, 'b', 'a', 'r'};
6960 EXPECT_EQ(0,
6961 SSL_CTX_set_alpn_protos(ctx.get(), kValidList, sizeof(kValidList)));
6962 check_alpn_proto(kValidList);
6963
6964 // Invalid lists are rejected.
6965 static const uint8_t kInvalidList[] = {0x04, 'f', 'o', 'o'};
6966 EXPECT_EQ(1, SSL_CTX_set_alpn_protos(ctx.get(), kInvalidList,
6967 sizeof(kInvalidList)));
6968
6969 // Empty lists are valid and are interpreted as disabling ALPN.
6970 EXPECT_EQ(0, SSL_CTX_set_alpn_protos(ctx.get(), nullptr, 0));
6971 check_alpn_proto({});
6972}
6973
David Benjamin2f3958a2021-04-16 11:55:23 -0400[diff] [blame]6974// Test that the key usage checker can correctly handle issuerUID and
6975// subjectUID. See https://crbug.com/1199744.
6976TEST(SSLTest, KeyUsageWithUIDs) {
6977 static const char kGoodKeyUsage[] = R"(
6978-----BEGIN CERTIFICATE-----
6979MIIB7DCCAZOgAwIBAgIJANlMBNpJfb/rMAoGCCqGSM49BAMCMEUxCzAJBgNVBAYT
6980AkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRn
6981aXRzIFB0eSBMdGQwHhcNMTQwNDIzMjMyMTU3WhcNMTQwNTIzMjMyMTU3WjBFMQsw
6982CQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJu
6983ZXQgV2lkZ2l0cyBQdHkgTHRkMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE5itp
69844r9ln5e+Lx4NlIpM1Zdrt6keDUb73ampHp3culoB59aXqAoY+cPEox5W4nyDSNsW
6985Ghz1HX7xlC1Lz3IiwYEEABI0VoIEABI0VqNgMF4wHQYDVR0OBBYEFKuE0qyrlfCC
6986ThZ4B1VXX+QmjYLRMB8GA1UdIwQYMBaAFKuE0qyrlfCCThZ4B1VXX+QmjYLRMA4G
6987A1UdDwEB/wQEAwIHgDAMBgNVHRMEBTADAQH/MAoGCCqGSM49BAMCA0cAMEQCIEWJ
698834EcqW5MHwLIA1hZ2Tj/jV2QjN02KLxis9mFsqDKAiAMlMTkzsM51vVs9Ohqa+Rc
69894Z7qDhjIhiF4dM0uEDYRVA==
6990-----END CERTIFICATE-----
6991)";
6992 static const char kBadKeyUsage[] = R"(
6993-----BEGIN CERTIFICATE-----
6994MIIB7jCCAZOgAwIBAgIJANlMBNpJfb/rMAoGCCqGSM49BAMCMEUxCzAJBgNVBAYT
6995AkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRn
6996aXRzIFB0eSBMdGQwHhcNMTQwNDIzMjMyMTU3WhcNMTQwNTIzMjMyMTU3WjBFMQsw
6997CQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJu
6998ZXQgV2lkZ2l0cyBQdHkgTHRkMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE5itp
69994r9ln5e+Lx4NlIpM1Zdrt6keDUb73ampHp3culoB59aXqAoY+cPEox5W4nyDSNsW
7000Ghz1HX7xlC1Lz3IiwYEEABI0VoIEABI0VqNgMF4wHQYDVR0OBBYEFKuE0qyrlfCC
7001ThZ4B1VXX+QmjYLRMB8GA1UdIwQYMBaAFKuE0qyrlfCCThZ4B1VXX+QmjYLRMA4G
7002A1UdDwEB/wQEAwIDCDAMBgNVHRMEBTADAQH/MAoGCCqGSM49BAMCA0kAMEYCIQC6
7003taYBUDu2gcZC6EMk79FBHArYI0ucF+kzvETegZCbBAIhANtObFec5gtso/47moPD
7004RHrQbWsFUakETXL9QMlegh5t
7005-----END CERTIFICATE-----
7006)";
7007
7008 bssl::UniquePtr<X509> good = CertFromPEM(kGoodKeyUsage);
7009 ASSERT_TRUE(good);
7010 bssl::UniquePtr<X509> bad = CertFromPEM(kBadKeyUsage);
7011 ASSERT_TRUE(bad);
7012
7013 // We check key usage when configuring EC certificates to distinguish ECDSA
7014 // and ECDH.
7015 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
7016 ASSERT_TRUE(ctx);
7017 EXPECT_TRUE(SSL_CTX_use_certificate(ctx.get(), good.get()));
7018 EXPECT_FALSE(SSL_CTX_use_certificate(ctx.get(), bad.get()));
7019}
7020
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]7021} // namespace
Joshua Liebow-Feeser8c7c6352018-08-26 18:53:36 -0700[diff] [blame]7022BSSL_NAMESPACE_END