Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / c11ea942b7e94614655be1bc0e16eba33dc125d2 / . / ssl / ssl_test.cc
blob: dd795a6fa8855c4cdbea497018651310fd0d8117 [file] [log] [blame]
David Benjamin2e521212014-07-16 14:37:51 -0400[diff] [blame]1/* Copyright (c) 2014, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15#include <stdio.h>
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]16#include <string.h>
David Benjamin1269ddd2015-10-18 15:18:55 -0400[diff] [blame]17#include <time.h>
David Benjamin2e521212014-07-16 14:37:51 -0400[diff] [blame]18
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]19#include <algorithm>
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]20#include <string>
David Benjamin4f6acaf2015-11-21 03:00:50 -0500[diff] [blame]21#include <utility>
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]22#include <vector>
23
David Benjamin96628432017-01-19 19:05:47 -0500[diff] [blame]24#include <gtest/gtest.h>
25
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]26#include <openssl/base64.h>
27#include <openssl/bio.h>
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]28#include <openssl/cipher.h>
David Benjamin7a1eefd2015-10-17 23:39:22 -0400[diff] [blame]29#include <openssl/crypto.h>
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]30#include <openssl/err.h>
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]31#include <openssl/hmac.h>
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]32#include <openssl/pem.h>
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]33#include <openssl/sha.h>
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]34#include <openssl/ssl.h>
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]35#include <openssl/rand.h>
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]36#include <openssl/x509.h>
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]37
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]38#include "internal.h"
Steven Valdezcb966542016-08-17 16:56:14 -0400[diff] [blame]39#include "../crypto/internal.h"
Sigbjorn Vik2b23d242015-06-29 15:07:26 +0200[diff] [blame]40#include "../crypto/test/test_util.h"
41
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]42#if defined(OPENSSL_WINDOWS)
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame^]43// Windows defines struct timeval in winsock2.h.
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]44OPENSSL_MSVC_PRAGMA(warning(push, 3))
45#include <winsock2.h>
46OPENSSL_MSVC_PRAGMA(warning(pop))
47#else
48#include <sys/time.h>
49#endif
50
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]51
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]52namespace bssl {
53
54namespace {
55
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]56#define TRACED_CALL(code) \
57 do { \
58 SCOPED_TRACE("<- called from here"); \
59 code; \
60 if (::testing::Test::HasFatalFailure()) { \
61 return; \
62 } \
63 } while (false)
64
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]65struct VersionParam {
66 uint16_t version;
67 enum { is_tls, is_dtls } ssl_method;
68 const char name[8];
69};
70
71static const size_t kTicketKeyLen = 48;
72
73static const VersionParam kAllVersions[] = {
74 {SSL3_VERSION, VersionParam::is_tls, "SSL3"},
75 {TLS1_VERSION, VersionParam::is_tls, "TLS1"},
76 {TLS1_1_VERSION, VersionParam::is_tls, "TLS1_1"},
77 {TLS1_2_VERSION, VersionParam::is_tls, "TLS1_2"},
78// TLS 1.3 requires RSA-PSS, which is disabled for Android system builds.
79#if !defined(BORINGSSL_ANDROID_SYSTEM)
80 {TLS1_3_VERSION, VersionParam::is_tls, "TLS1_3"},
81#endif
82 {DTLS1_VERSION, VersionParam::is_dtls, "DTLS1"},
83 {DTLS1_2_VERSION, VersionParam::is_dtls, "DTLS1_2"},
84};
85
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]86struct ExpectedCipher {
87 unsigned long id;
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]88 int in_group_flag;
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]89};
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]90
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]91struct CipherTest {
92 // The rule string to apply.
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]93 const char *rule;
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]94 // The list of expected ciphers, in order.
95 std::vector<ExpectedCipher> expected;
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]96 // True if this cipher list should fail in strict mode.
97 bool strict_fail;
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]98};
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]99
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]100struct CurveTest {
101 // The rule string to apply.
102 const char *rule;
103 // The list of expected curves, in order.
104 std::vector<uint16_t> expected;
105};
106
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]107static const CipherTest kCipherTests[] = {
108 // Selecting individual ciphers should work.
109 {
110 "ECDHE-ECDSA-CHACHA20-POLY1305:"
111 "ECDHE-RSA-CHACHA20-POLY1305:"
112 "ECDHE-ECDSA-AES128-GCM-SHA256:"
113 "ECDHE-RSA-AES128-GCM-SHA256",
114 {
115 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]116 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]117 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
118 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
119 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]120 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]121 },
122 // + reorders selected ciphers to the end, keeping their relative order.
123 {
124 "ECDHE-ECDSA-CHACHA20-POLY1305:"
125 "ECDHE-RSA-CHACHA20-POLY1305:"
126 "ECDHE-ECDSA-AES128-GCM-SHA256:"
127 "ECDHE-RSA-AES128-GCM-SHA256:"
128 "+aRSA",
129 {
130 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]131 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
132 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]133 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
134 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]135 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]136 },
137 // ! banishes ciphers from future selections.
138 {
139 "!aRSA:"
140 "ECDHE-ECDSA-CHACHA20-POLY1305:"
141 "ECDHE-RSA-CHACHA20-POLY1305:"
142 "ECDHE-ECDSA-AES128-GCM-SHA256:"
143 "ECDHE-RSA-AES128-GCM-SHA256",
144 {
145 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]146 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
147 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]148 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]149 },
150 // Multiple masks can be ANDed in a single rule.
151 {
152 "kRSA+AESGCM+AES128",
153 {
154 {TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0},
155 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]156 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]157 },
158 // - removes selected ciphers, but preserves their order for future
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]159 // selections. Select AES_128_GCM, but order the key exchanges RSA,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]160 // ECDHE_RSA.
161 {
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]162 "ALL:-kECDHE:"
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]163 "-kRSA:-ALL:"
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]164 "AESGCM+AES128+aRSA",
165 {
166 {TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]167 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
168 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]169 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]170 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]171 // Unknown selectors are no-ops, except in strict mode.
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]172 {
173 "ECDHE-ECDSA-CHACHA20-POLY1305:"
174 "ECDHE-RSA-CHACHA20-POLY1305:"
175 "ECDHE-ECDSA-AES128-GCM-SHA256:"
176 "ECDHE-RSA-AES128-GCM-SHA256:"
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]177 "BOGUS1",
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]178 {
179 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]180 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]181 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
182 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
183 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]184 true,
185 },
186 // Unknown selectors are no-ops, except in strict mode.
187 {
188 "ECDHE-ECDSA-CHACHA20-POLY1305:"
189 "ECDHE-RSA-CHACHA20-POLY1305:"
190 "ECDHE-ECDSA-AES128-GCM-SHA256:"
191 "ECDHE-RSA-AES128-GCM-SHA256:"
192 "-BOGUS2:+BOGUS3:!BOGUS4",
193 {
194 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
195 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
196 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
197 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
198 },
199 true,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]200 },
201 // Square brackets specify equi-preference groups.
202 {
203 "[ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES128-GCM-SHA256]:"
204 "[ECDHE-RSA-CHACHA20-POLY1305]:"
205 "ECDHE-RSA-AES128-GCM-SHA256",
206 {
207 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 1},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]208 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
Adam Langley2e839242017-01-19 15:12:44 -0800[diff] [blame]209 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]210 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
211 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]212 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]213 },
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]214 // Standard names may be used instead of OpenSSL names.
215 {
216 "[TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|"
David Benjaminbf5f1922017-07-01 11:13:53 -0400[diff] [blame]217 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]:"
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]218 "[TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256]:"
219 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
220 {
221 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 1},
222 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
223 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
224 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
225 },
226 false,
227 },
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]228 // @STRENGTH performs a stable strength-sort of the selected ciphers and
229 // only the selected ciphers.
230 {
231 // To simplify things, banish all but {ECDHE_RSA,RSA} x
Matthew Braithwaite8aaa9e12016-09-07 15:09:58 -0700[diff] [blame]232 // {CHACHA20,AES_256_CBC,AES_128_CBC} x SHA1.
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]233 "!AESGCM:!3DES:!SHA256:!SHA384:"
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]234 // Order some ciphers backwards by strength.
Matthew Braithwaite8aaa9e12016-09-07 15:09:58 -0700[diff] [blame]235 "ALL:-CHACHA20:-AES256:-AES128:-ALL:"
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]236 // Select ECDHE ones and sort them by strength. Ties should resolve
237 // based on the order above.
238 "kECDHE:@STRENGTH:-ALL:"
239 // Now bring back everything uses RSA. ECDHE_RSA should be first, sorted
240 // by strength. Then RSA, backwards by strength.
241 "aRSA",
242 {
243 {TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, 0},
244 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]245 {TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]246 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
247 {TLS1_CK_RSA_WITH_AES_256_SHA, 0},
248 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]249 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]250 },
David Benjaminbf5f1922017-07-01 11:13:53 -0400[diff] [blame]251 // Additional masks after @STRENGTH get silently discarded.
252 //
253 // TODO(davidben): Make this an error. If not silently discarded, they get
254 // interpreted as + opcodes which are very different.
255 {
256 "ECDHE-RSA-AES128-GCM-SHA256:"
257 "ECDHE-RSA-AES256-GCM-SHA384:"
258 "@STRENGTH+AES256",
259 {
260 {TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 0},
261 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
262 },
263 false,
264 },
265 {
266 "ECDHE-RSA-AES128-GCM-SHA256:"
267 "ECDHE-RSA-AES256-GCM-SHA384:"
268 "@STRENGTH+AES256:"
269 "ECDHE-RSA-CHACHA20-POLY1305",
270 {
271 {TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 0},
272 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
273 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
274 },
275 false,
276 },
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]277 // Exact ciphers may not be used in multi-part rules; they are treated
278 // as unknown aliases.
279 {
280 "ECDHE-ECDSA-AES128-GCM-SHA256:"
281 "ECDHE-RSA-AES128-GCM-SHA256:"
282 "!ECDHE-RSA-AES128-GCM-SHA256+RSA:"
283 "!ECDSA+ECDHE-ECDSA-AES128-GCM-SHA256",
284 {
285 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
286 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
287 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]288 true,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]289 },
290 // SSLv3 matches everything that existed before TLS 1.2.
291 {
292 "AES128-SHA:AES128-SHA256:!SSLv3",
293 {
294 {TLS1_CK_RSA_WITH_AES_128_SHA256, 0},
295 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]296 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]297 },
298 // TLSv1.2 matches everything added in TLS 1.2.
299 {
300 "AES128-SHA:AES128-SHA256:!TLSv1.2",
301 {
302 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
303 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]304 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]305 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]306 // The two directives have no intersection. But each component is valid, so
307 // even in strict mode it is accepted.
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]308 {
309 "AES128-SHA:AES128-SHA256:!TLSv1.2+SSLv3",
310 {
311 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
312 {TLS1_CK_RSA_WITH_AES_128_SHA256, 0},
313 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]314 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]315 },
Adam Langley22df6912017-07-25 12:27:37 -0700[diff] [blame]316 // Spaces, semi-colons and commas are separators.
317 {
318 "AES128-SHA: AES128-SHA256 AES256-SHA ,AES256-SHA256 ; AES128-GCM-SHA256",
319 {
320 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
321 {TLS1_CK_RSA_WITH_AES_128_SHA256, 0},
322 {TLS1_CK_RSA_WITH_AES_256_SHA, 0},
323 {TLS1_CK_RSA_WITH_AES_256_SHA256, 0},
324 {TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0},
325 },
326 // …but not in strict mode.
327 true,
328 },
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]329};
330
331static const char *kBadRules[] = {
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]332 // Invalid brackets.
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]333 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256",
334 "RSA]",
335 "[[RSA]]",
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]336 // Operators inside brackets.
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]337 "[+RSA]",
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]338 // Unknown directive.
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]339 "@BOGUS",
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]340 // Empty cipher lists error at SSL_CTX_set_cipher_list.
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]341 "",
342 "BOGUS",
David Benjamin32fbdf22015-04-07 01:14:06 -0400[diff] [blame]343 // COMPLEMENTOFDEFAULT is empty.
344 "COMPLEMENTOFDEFAULT",
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]345 // Invalid command.
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]346 "?BAR",
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]347 // Special operators are not allowed if groups are used.
David Benjamin37d92462014-09-20 17:54:24 -0400[diff] [blame]348 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:+FOO",
349 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:!FOO",
350 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:-FOO",
351 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:@STRENGTH",
Adam Langleyf99f2442016-10-02 09:53:38 -0700[diff] [blame]352 // Opcode supplied, but missing selector.
353 "+",
Adam Langley22df6912017-07-25 12:27:37 -0700[diff] [blame]354 // Spaces are forbidden in equal-preference groups.
355 "[AES128-SHA | AES128-SHA256]",
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]356};
357
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]358static const char *kMustNotIncludeNull[] = {
359 "ALL",
360 "DEFAULT",
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]361 "HIGH",
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]362 "FIPS",
363 "SHA",
364 "SHA1",
365 "RSA",
366 "SSLv3",
367 "TLSv1",
368 "TLSv1.2",
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]369};
370
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]371static const CurveTest kCurveTests[] = {
372 {
373 "P-256",
374 { SSL_CURVE_SECP256R1 },
375 },
376 {
377 "P-256:P-384:P-521:X25519",
378 {
379 SSL_CURVE_SECP256R1,
380 SSL_CURVE_SECP384R1,
381 SSL_CURVE_SECP521R1,
382 SSL_CURVE_X25519,
383 },
384 },
385};
386
387static const char *kBadCurvesLists[] = {
388 "",
389 ":",
390 "::",
391 "P-256::X25519",
392 "RSA:P-256",
393 "P-256:RSA",
394 "X25519:P-256:",
395 ":X25519:P-256",
396};
397
David Benjamin70dbf042017-08-08 18:51:37 -0400[diff] [blame]398static std::string CipherListToString(SSL_CTX *ctx) {
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]399 bool in_group = false;
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]400 std::string ret;
David Benjamin70dbf042017-08-08 18:51:37 -0400[diff] [blame]401 const STACK_OF(SSL_CIPHER) *ciphers = SSL_CTX_get_ciphers(ctx);
402 for (size_t i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
403 const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(ciphers, i);
404 if (!in_group && SSL_CTX_cipher_in_group(ctx, i)) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]405 ret += "\t[\n";
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]406 in_group = true;
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]407 }
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]408 ret += "\t";
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]409 if (in_group) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]410 ret += " ";
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]411 }
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]412 ret += SSL_CIPHER_get_name(cipher);
413 ret += "\n";
David Benjamin70dbf042017-08-08 18:51:37 -0400[diff] [blame]414 if (in_group && !SSL_CTX_cipher_in_group(ctx, i)) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]415 ret += "\t]\n";
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]416 in_group = false;
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]417 }
418 }
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]419 return ret;
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]420}
421
David Benjamin70dbf042017-08-08 18:51:37 -0400[diff] [blame]422static bool CipherListsEqual(SSL_CTX *ctx,
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]423 const std::vector<ExpectedCipher> &expected) {
David Benjamin70dbf042017-08-08 18:51:37 -0400[diff] [blame]424 const STACK_OF(SSL_CIPHER) *ciphers = SSL_CTX_get_ciphers(ctx);
425 if (sk_SSL_CIPHER_num(ciphers) != expected.size()) {
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]426 return false;
David Benjamin65226252015-02-05 16:49:47 -0500[diff] [blame]427 }
428
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]429 for (size_t i = 0; i < expected.size(); i++) {
David Benjamin70dbf042017-08-08 18:51:37 -0400[diff] [blame]430 const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(ciphers, i);
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]431 if (expected[i].id != SSL_CIPHER_get_id(cipher) ||
David Benjamin70dbf042017-08-08 18:51:37 -0400[diff] [blame]432 expected[i].in_group_flag != !!SSL_CTX_cipher_in_group(ctx, i)) {
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]433 return false;
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]434 }
435 }
436
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]437 return true;
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]438}
439
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]440TEST(SSLTest, CipherRules) {
441 for (const CipherTest &t : kCipherTests) {
442 SCOPED_TRACE(t.rule);
443 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
444 ASSERT_TRUE(ctx);
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]445
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]446 // Test lax mode.
447 ASSERT_TRUE(SSL_CTX_set_cipher_list(ctx.get(), t.rule));
David Benjamin70dbf042017-08-08 18:51:37 -0400[diff] [blame]448 EXPECT_TRUE(CipherListsEqual(ctx.get(), t.expected))
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]449 << "Cipher rule evaluated to:\n"
David Benjamin70dbf042017-08-08 18:51:37 -0400[diff] [blame]450 << CipherListToString(ctx.get());
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]451
452 // Test strict mode.
453 if (t.strict_fail) {
454 EXPECT_FALSE(SSL_CTX_set_strict_cipher_list(ctx.get(), t.rule));
455 } else {
456 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(ctx.get(), t.rule));
David Benjamin70dbf042017-08-08 18:51:37 -0400[diff] [blame]457 EXPECT_TRUE(CipherListsEqual(ctx.get(), t.expected))
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]458 << "Cipher rule evaluated to:\n"
David Benjamin70dbf042017-08-08 18:51:37 -0400[diff] [blame]459 << CipherListToString(ctx.get());
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]460 }
461 }
462
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]463 for (const char *rule : kBadRules) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]464 SCOPED_TRACE(rule);
465 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
466 ASSERT_TRUE(ctx);
467
468 EXPECT_FALSE(SSL_CTX_set_cipher_list(ctx.get(), rule));
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]469 ERR_clear_error();
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]470 }
471
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]472 for (const char *rule : kMustNotIncludeNull) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]473 SCOPED_TRACE(rule);
474 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
475 ASSERT_TRUE(ctx);
476
477 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(ctx.get(), rule));
David Benjamin70dbf042017-08-08 18:51:37 -0400[diff] [blame]478 for (const SSL_CIPHER *cipher : SSL_CTX_get_ciphers(ctx.get())) {
David Benjamine3bb51c2017-08-22 23:16:02 -0700[diff] [blame]479 EXPECT_NE(NID_undef, SSL_CIPHER_get_cipher_nid(cipher));
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]480 }
481 }
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]482}
David Benjamin2e521212014-07-16 14:37:51 -0400[diff] [blame]483
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]484TEST(SSLTest, CurveRules) {
485 for (const CurveTest &t : kCurveTests) {
486 SCOPED_TRACE(t.rule);
487 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
488 ASSERT_TRUE(ctx);
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]489
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]490 ASSERT_TRUE(SSL_CTX_set1_curves_list(ctx.get(), t.rule));
491 ASSERT_EQ(t.expected.size(), ctx->supported_group_list_len);
492 for (size_t i = 0; i < t.expected.size(); i++) {
493 EXPECT_EQ(t.expected[i], ctx->supported_group_list[i]);
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]494 }
495 }
496
497 for (const char *rule : kBadCurvesLists) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]498 SCOPED_TRACE(rule);
499 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
500 ASSERT_TRUE(ctx);
501
502 EXPECT_FALSE(SSL_CTX_set1_curves_list(ctx.get(), rule));
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]503 ERR_clear_error();
504 }
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]505}
506
Adam Langley364f7a62016-12-12 10:51:00 -0800[diff] [blame]507// kOpenSSLSession is a serialized SSL_SESSION.
Adam Langley10f97f32016-07-12 08:09:33 -0700[diff] [blame]508static const char kOpenSSLSession[] =
Adam Langley364f7a62016-12-12 10:51:00 -0800[diff] [blame]509 "MIIFqgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
Adam Langley10f97f32016-07-12 08:09:33 -0700[diff] [blame]510 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
511 "IWoJoQYCBFRDO46iBAICASyjggR6MIIEdjCCA16gAwIBAgIIK9dUvsPWSlUwDQYJ"
512 "KoZIhvcNAQEFBQAwSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMx"
513 "JTAjBgNVBAMTHEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTQxMDA4"
514 "MTIwNzU3WhcNMTUwMTA2MDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwK"
515 "Q2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29v"
516 "Z2xlIEluYzEXMBUGA1UEAwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEB"
517 "AQUAA4IBDwAwggEKAoIBAQCcKeLrplAC+Lofy8t/wDwtB6eu72CVp0cJ4V3lknN6"
518 "huH9ct6FFk70oRIh/VBNBBz900jYy+7111Jm1b8iqOTQ9aT5C7SEhNcQFJvqzH3e"
519 "MPkb6ZSWGm1yGF7MCQTGQXF20Sk/O16FSjAynU/b3oJmOctcycWYkY0ytS/k3LBu"
520 "Id45PJaoMqjB0WypqvNeJHC3q5JjCB4RP7Nfx5jjHSrCMhw8lUMW4EaDxjaR9KDh"
521 "PLgjsk+LDIySRSRDaCQGhEOWLJZVLzLo4N6/UlctCHEllpBUSvEOyFga52qroGjg"
522 "rf3WOQ925MFwzd6AK+Ich0gDRg8sQfdLH5OuP1cfLfU1AgMBAAGjggFBMIIBPTAd"
523 "BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdv"
524 "b2dsZS5jb20waAYIKwYBBQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtp"
525 "Lmdvb2dsZS5jb20vR0lBRzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50"
526 "czEuZ29vZ2xlLmNvbS9vY3NwMB0GA1UdDgQWBBQ7a+CcxsZByOpc+xpYFcIbnUMZ"
527 "hTAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEv"
528 "MBcGA1UdIAQQMA4wDAYKKwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRw"
529 "Oi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQCa"
530 "OXCBdoqUy5bxyq+Wrh1zsyyCFim1PH5VU2+yvDSWrgDY8ibRGJmfff3r4Lud5kal"
531 "dKs9k8YlKD3ITG7P0YT/Rk8hLgfEuLcq5cc0xqmE42xJ+Eo2uzq9rYorc5emMCxf"
532 "5L0TJOXZqHQpOEcuptZQ4OjdYMfSxk5UzueUhA3ogZKRcRkdB3WeWRp+nYRhx4St"
533 "o2rt2A0MKmY9165GHUqMK9YaaXHDXqBu7Sefr1uSoAP9gyIJKeihMivsGqJ1TD6Z"
534 "cc6LMe+dN2P8cZEQHtD1y296ul4Mivqk3jatUVL8/hCwgch9A8O4PGZq9WqBfEWm"
535 "IyHh1dPtbg1lOXdYCWtjpAIEAKUDAgEUqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36S"
536 "YTcLEkXqKwOBfF9vE4KX0NxeLwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9B"
537 "sNHM362zZnY27GpTw+Kwd751CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yE"
538 "OTDKPNj3+inbMaVigtK4PLyPq+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdA"
Adam Langley364f7a62016-12-12 10:51:00 -0800[diff] [blame]539 "i4gv7Y5oliyntgMBAQA=";
Adam Langley10f97f32016-07-12 08:09:33 -0700[diff] [blame]540
541// kCustomSession is a custom serialized SSL_SESSION generated by
542// filling in missing fields from |kOpenSSLSession|. This includes
543// providing |peer_sha256|, so |peer| is not serialized.
544static const char kCustomSession[] =
545 "MIIBdgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
546 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
547 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
548 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
549 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
550 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
551 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
552 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBLADBAEF";
553
554// kBoringSSLSession is a serialized SSL_SESSION generated from bssl client.
555static const char kBoringSSLSession[] =
556 "MIIRwQIBAQICAwMEAsAvBCDdoGxGK26mR+8lM0uq6+k9xYuxPnwAjpcF9n0Yli9R"
557 "kQQwbyshfWhdi5XQ1++7n2L1qqrcVlmHBPpr6yknT/u4pUrpQB5FZ7vqvNn8MdHf"
558 "9rWgoQYCBFXgs7uiBAICHCCjggR6MIIEdjCCA16gAwIBAgIIf+yfD7Y6UicwDQYJ"
559 "KoZIhvcNAQELBQAwSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMx"
560 "JTAjBgNVBAMTHEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTUwODEy"
561 "MTQ1MzE1WhcNMTUxMTEwMDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwK"
562 "Q2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29v"
563 "Z2xlIEluYzEXMBUGA1UEAwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEB"
564 "AQUAA4IBDwAwggEKAoIBAQC0MeG5YGQ0t+IeJeoneP/PrhEaieibeKYkbKVLNZpo"
565 "PLuBinvhkXZo3DC133NpCBpy6ZktBwamqyixAyuk/NU6OjgXqwwxfQ7di1AInLIU"
566 "792c7hFyNXSUCG7At8Ifi3YwBX9Ba6u/1d6rWTGZJrdCq3QU11RkKYyTq2KT5mce"
567 "Tv9iGKqSkSTlp8puy/9SZ/3DbU3U+BuqCFqeSlz7zjwFmk35acdCilpJlVDDN5C/"
568 "RCh8/UKc8PaL+cxlt531qoTENvYrflBno14YEZlCBZsPiFeUSILpKEj3Ccwhy0eL"
569 "EucWQ72YZU8mUzXBoXGn0zA0crFl5ci/2sTBBGZsylNBAgMBAAGjggFBMIIBPTAd"
570 "BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdv"
571 "b2dsZS5jb20waAYIKwYBBQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtp"
572 "Lmdvb2dsZS5jb20vR0lBRzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50"
573 "czEuZ29vZ2xlLmNvbS9vY3NwMB0GA1UdDgQWBBS/bzHxcE73Q4j3slC4BLbMtLjG"
574 "GjAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEv"
575 "MBcGA1UdIAQQMA4wDAYKKwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRw"
576 "Oi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQAb"
577 "qdWPZEHk0X7iKPCTHL6S3w6q1eR67goxZGFSM1lk1hjwyu7XcLJuvALVV9uY3ovE"
578 "kQZSHwT+pyOPWQhsSjO+1GyjvCvK/CAwiUmBX+bQRGaqHsRcio7xSbdVcajQ3bXd"
579 "X+s0WdbOpn6MStKAiBVloPlSxEI8pxY6x/BBCnTIk/+DMB17uZlOjG3vbAnkDkP+"
580 "n0OTucD9sHV7EVj9XUxi51nOfNBCN/s7lpUjDS/NJ4k3iwOtbCPswiot8vLO779a"
581 "f07vR03r349Iz/KTzk95rlFtX0IU+KYNxFNsanIXZ+C9FYGRXkwhHcvFb4qMUB1y"
582 "TTlM80jBMOwyjZXmjRAhpAIEAKUDAgEUqQUCAwGJwKqBpwSBpOgebbmn9NRUtMWH"
583 "+eJpqA5JLMFSMCChOsvKey3toBaCNGU7HfAEiiXNuuAdCBoK262BjQc2YYfqFzqH"
584 "zuppopXCvhohx7j/tnCNZIMgLYt/O9SXK2RYI5z8FhCCHvB4CbD5G0LGl5EFP27s"
585 "Jb6S3aTTYPkQe8yZSlxevg6NDwmTogLO9F7UUkaYmVcMQhzssEE2ZRYNwSOU6KjE"
586 "0Yj+8fAiBtbQriIEIN2L8ZlpaVrdN5KFNdvcmOxJu81P8q53X55xQyGTnGWwsgMC"
587 "ARezggvvMIIEdjCCA16gAwIBAgIIf+yfD7Y6UicwDQYJKoZIhvcNAQELBQAwSTEL"
588 "MAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2ds"
589 "ZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTUwODEyMTQ1MzE1WhcNMTUxMTEw"
590 "MDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQG"
591 "A1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UE"
592 "AwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB"
593 "AQC0MeG5YGQ0t+IeJeoneP/PrhEaieibeKYkbKVLNZpoPLuBinvhkXZo3DC133Np"
594 "CBpy6ZktBwamqyixAyuk/NU6OjgXqwwxfQ7di1AInLIU792c7hFyNXSUCG7At8If"
595 "i3YwBX9Ba6u/1d6rWTGZJrdCq3QU11RkKYyTq2KT5mceTv9iGKqSkSTlp8puy/9S"
596 "Z/3DbU3U+BuqCFqeSlz7zjwFmk35acdCilpJlVDDN5C/RCh8/UKc8PaL+cxlt531"
597 "qoTENvYrflBno14YEZlCBZsPiFeUSILpKEj3Ccwhy0eLEucWQ72YZU8mUzXBoXGn"
598 "0zA0crFl5ci/2sTBBGZsylNBAgMBAAGjggFBMIIBPTAdBgNVHSUEFjAUBggrBgEF"
599 "BQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYB"
600 "BQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lB"
601 "RzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9v"
602 "Y3NwMB0GA1UdDgQWBBS/bzHxcE73Q4j3slC4BLbMtLjGGjAMBgNVHRMBAf8EAjAA"
603 "MB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMBcGA1UdIAQQMA4wDAYK"
604 "KwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRwOi8vcGtpLmdvb2dsZS5j"
605 "b20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQAbqdWPZEHk0X7iKPCTHL6S"
606 "3w6q1eR67goxZGFSM1lk1hjwyu7XcLJuvALVV9uY3ovEkQZSHwT+pyOPWQhsSjO+"
607 "1GyjvCvK/CAwiUmBX+bQRGaqHsRcio7xSbdVcajQ3bXdX+s0WdbOpn6MStKAiBVl"
608 "oPlSxEI8pxY6x/BBCnTIk/+DMB17uZlOjG3vbAnkDkP+n0OTucD9sHV7EVj9XUxi"
609 "51nOfNBCN/s7lpUjDS/NJ4k3iwOtbCPswiot8vLO779af07vR03r349Iz/KTzk95"
610 "rlFtX0IU+KYNxFNsanIXZ+C9FYGRXkwhHcvFb4qMUB1yTTlM80jBMOwyjZXmjRAh"
611 "MIID8DCCAtigAwIBAgIDAjqDMA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT"
612 "MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i"
613 "YWwgQ0EwHhcNMTMwNDA1MTUxNTU2WhcNMTYxMjMxMjM1OTU5WjBJMQswCQYDVQQG"
614 "EwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVy"
615 "bmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB"
616 "AJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NP"
617 "VaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtv"
618 "h8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rE"
619 "ahqyzFPdFUuLH8gZYR/Nnag+YyuENWllhMgZxUYi+FOVvuOAShDGKuy6lyARxzmZ"
620 "EASg8GF6lSWMTlJ14rbtCMoU/M4iarNOz0YDl5cDfsCx3nuvRTPPuj5xt970JSXC"
621 "DTWJnZ37DhF5iR43xa+OcmkCAwEAAaOB5zCB5DAfBgNVHSMEGDAWgBTAephojYn7"
622 "qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1dvWBtrtiGrpagS8wDgYD"
623 "VR0PAQH/BAQDAgEGMC4GCCsGAQUFBwEBBCIwIDAeBggrBgEFBQcwAYYSaHR0cDov"
624 "L2cuc3ltY2QuY29tMBIGA1UdEwEB/wQIMAYBAf8CAQAwNQYDVR0fBC4wLDAqoCig"
625 "JoYkaHR0cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9iYWwuY3JsMBcGA1UdIAQQ"
626 "MA4wDAYKKwYBBAHWeQIFATANBgkqhkiG9w0BAQsFAAOCAQEAqvqpIM1qZ4PtXtR+"
627 "3h3Ef+AlBgDFJPupyC1tft6dgmUsgWM0Zj7pUsIItMsv91+ZOmqcUHqFBYx90SpI"
628 "hNMJbHzCzTWf84LuUt5oX+QAihcglvcpjZpNy6jehsgNb1aHA30DP9z6eX0hGfnI"
629 "Oi9RdozHQZJxjyXON/hKTAAj78Q1EK7gI4BzfE00LshukNYQHpmEcxpw8u1VDu4X"
630 "Bupn7jLrLN1nBz/2i8Jw3lsA5rsb0zYaImxssDVCbJAJPZPpZAkiDoUGn8JzIdPm"
631 "X4DkjYUiOnMDsWCOrmji9D6X52ASCWg23jrW4kOVWzeBkoEfu43XrVJkFleW2V40"
632 "fsg12DCCA30wggLmoAMCAQICAxK75jANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQG"
633 "EwJVUzEQMA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUg"
634 "Q2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTAyMDUyMTA0MDAwMFoXDTE4MDgyMTA0"
635 "MDAwMFowQjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUdlb1RydXN0IEluYy4xGzAZ"
636 "BgNVBAMTEkdlb1RydXN0IEdsb2JhbCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP"
637 "ADCCAQoCggEBANrMGGMw/fQXIxpWflvfPGw45HG3eJHUvKHYTPioQ7YD6U0hBwiI"
638 "2lgvZjkpvQV4i5046AW3an5xpObEYKaw74DkiSgPniXW7YPzraaRx5jJQhg1FJ2t"
639 "mEaSLk/K8YdDwRaVVy1Q74ktgHpXrfLuX2vSAI25FPgUFTXZwEaje3LIkb/JVSvN"
640 "0Jc+nCZkzN/Ogxlxyk7m1NV7qRnNVd7I7NJeOFPlXE+MLf5QIzb8ZubLjqQ5GQC3"
641 "lQI5kQsO/jgu0R0FmvZNPm8PBx2vLB6PYDni+jZTEznUXiYr2z2oFL0y6xgDKFIE"
642 "ceWrMz3hOLsHNoRinHnqFjD0X8Ar6HFr5PkCAwEAAaOB8DCB7TAfBgNVHSMEGDAW"
643 "gBRI5mj5K9KylddH2CMgEE8zmJCf1DAdBgNVHQ4EFgQUwHqYaI2J+6sFZAwRfap9"
644 "ZbjKzE4wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwOgYDVR0fBDMw"
645 "MTAvoC2gK4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20vY3Jscy9zZWN1cmVjYS5j"
646 "cmwwTgYDVR0gBEcwRTBDBgRVHSAAMDswOQYIKwYBBQUHAgEWLWh0dHBzOi8vd3d3"
647 "Lmdlb3RydXN0LmNvbS9yZXNvdXJjZXMvcmVwb3NpdG9yeTANBgkqhkiG9w0BAQUF"
648 "AAOBgQB24RJuTksWEoYwBrKBCM/wCMfHcX5m7sLt1Dsf//DwyE7WQziwuTB9GNBV"
649 "g6JqyzYRnOhIZqNtf7gT1Ef+i1pcc/yu2RsyGTirlzQUqpbS66McFAhJtrvlke+D"
650 "NusdVm/K2rxzY5Dkf3s+Iss9B+1fOHSc4wNQTqGvmO5h8oQ/Eg==";
651
652// kBadSessionExtraField is a custom serialized SSL_SESSION generated by replacing
653// the final (optional) element of |kCustomSession| with tag number 30.
654static const char kBadSessionExtraField[] =
655 "MIIBdgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
656 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
657 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
658 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
659 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
660 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
661 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
662 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBL4DBAEF";
663
664// kBadSessionVersion is a custom serialized SSL_SESSION generated by replacing
665// the version of |kCustomSession| with 2.
666static const char kBadSessionVersion[] =
667 "MIIBdgIBAgICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
668 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
669 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
670 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
671 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
672 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
673 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
674 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBLADBAEF";
675
676// kBadSessionTrailingData is a custom serialized SSL_SESSION with trailing data
677// appended.
678static const char kBadSessionTrailingData[] =
679 "MIIBdgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
680 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
681 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
682 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
683 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
684 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
685 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
686 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBLADBAEFAAAA";
687
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]688static bool DecodeBase64(std::vector<uint8_t> *out, const char *in) {
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]689 size_t len;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]690 if (!EVP_DecodedLength(&len, strlen(in))) {
691 fprintf(stderr, "EVP_DecodedLength failed\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]692 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]693 }
694
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]695 out->resize(len);
David Benjaminef14b2d2015-11-11 14:01:27 -0800[diff] [blame]696 if (!EVP_DecodeBase64(out->data(), &len, len, (const uint8_t *)in,
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]697 strlen(in))) {
698 fprintf(stderr, "EVP_DecodeBase64 failed\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]699 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]700 }
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]701 out->resize(len);
702 return true;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]703}
704
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]705static bool TestSSL_SESSIONEncoding(const char *input_b64) {
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]706 const uint8_t *cptr;
707 uint8_t *ptr;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]708
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]709 // Decode the input.
710 std::vector<uint8_t> input;
711 if (!DecodeBase64(&input, input_b64)) {
712 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]713 }
714
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]715 // Verify the SSL_SESSION decodes.
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]716 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
717 if (!ssl_ctx) {
718 return false;
719 }
720 bssl::UniquePtr<SSL_SESSION> session(
721 SSL_SESSION_from_bytes(input.data(), input.size(), ssl_ctx.get()));
David Benjaminfd67aa82015-06-15 19:41:48 -0400[diff] [blame]722 if (!session) {
723 fprintf(stderr, "SSL_SESSION_from_bytes failed\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]724 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]725 }
726
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]727 // Verify the SSL_SESSION encoding round-trips.
728 size_t encoded_len;
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]729 bssl::UniquePtr<uint8_t> encoded;
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]730 uint8_t *encoded_raw;
731 if (!SSL_SESSION_to_bytes(session.get(), &encoded_raw, &encoded_len)) {
David Benjamin3cac4502014-10-21 01:46:30 -0400[diff] [blame]732 fprintf(stderr, "SSL_SESSION_to_bytes failed\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]733 return false;
David Benjamin3cac4502014-10-21 01:46:30 -0400[diff] [blame]734 }
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]735 encoded.reset(encoded_raw);
736 if (encoded_len != input.size() ||
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]737 OPENSSL_memcmp(input.data(), encoded.get(), input.size()) != 0) {
David Benjamin3cac4502014-10-21 01:46:30 -0400[diff] [blame]738 fprintf(stderr, "SSL_SESSION_to_bytes did not round-trip\n");
Sigbjorn Vik2b23d242015-06-29 15:07:26 +0200[diff] [blame]739 hexdump(stderr, "Before: ", input.data(), input.size());
740 hexdump(stderr, "After: ", encoded_raw, encoded_len);
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]741 return false;
David Benjamin3cac4502014-10-21 01:46:30 -0400[diff] [blame]742 }
David Benjamin3cac4502014-10-21 01:46:30 -0400[diff] [blame]743
David Benjaminfd67aa82015-06-15 19:41:48 -0400[diff] [blame]744 // Verify the SSL_SESSION also decodes with the legacy API.
David Benjaminef14b2d2015-11-11 14:01:27 -0800[diff] [blame]745 cptr = input.data();
David Benjaminfd67aa82015-06-15 19:41:48 -0400[diff] [blame]746 session.reset(d2i_SSL_SESSION(NULL, &cptr, input.size()));
David Benjaminef14b2d2015-11-11 14:01:27 -0800[diff] [blame]747 if (!session || cptr != input.data() + input.size()) {
David Benjaminfd67aa82015-06-15 19:41:48 -0400[diff] [blame]748 fprintf(stderr, "d2i_SSL_SESSION failed\n");
749 return false;
750 }
751
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]752 // Verify the SSL_SESSION encoding round-trips via the legacy API.
753 int len = i2d_SSL_SESSION(session.get(), NULL);
754 if (len < 0 || (size_t)len != input.size()) {
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]755 fprintf(stderr, "i2d_SSL_SESSION(NULL) returned invalid length\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]756 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]757 }
758
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]759 encoded.reset((uint8_t *)OPENSSL_malloc(input.size()));
760 if (!encoded) {
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]761 fprintf(stderr, "malloc failed\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]762 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]763 }
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]764
765 ptr = encoded.get();
766 len = i2d_SSL_SESSION(session.get(), &ptr);
767 if (len < 0 || (size_t)len != input.size()) {
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]768 fprintf(stderr, "i2d_SSL_SESSION returned invalid length\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]769 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]770 }
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]771 if (ptr != encoded.get() + input.size()) {
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]772 fprintf(stderr, "i2d_SSL_SESSION did not advance ptr correctly\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]773 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]774 }
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]775 if (OPENSSL_memcmp(input.data(), encoded.get(), input.size()) != 0) {
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]776 fprintf(stderr, "i2d_SSL_SESSION did not round-trip\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]777 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]778 }
779
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]780 return true;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]781}
782
David Benjaminf297e022015-05-28 19:55:29 -0400[diff] [blame]783static bool TestBadSSL_SESSIONEncoding(const char *input_b64) {
784 std::vector<uint8_t> input;
785 if (!DecodeBase64(&input, input_b64)) {
786 return false;
787 }
788
789 // Verify that the SSL_SESSION fails to decode.
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]790 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
791 if (!ssl_ctx) {
792 return false;
793 }
794 bssl::UniquePtr<SSL_SESSION> session(
795 SSL_SESSION_from_bytes(input.data(), input.size(), ssl_ctx.get()));
David Benjaminf297e022015-05-28 19:55:29 -0400[diff] [blame]796 if (session) {
David Benjaminfd67aa82015-06-15 19:41:48 -0400[diff] [blame]797 fprintf(stderr, "SSL_SESSION_from_bytes unexpectedly succeeded\n");
David Benjaminf297e022015-05-28 19:55:29 -0400[diff] [blame]798 return false;
799 }
800 ERR_clear_error();
801 return true;
802}
803
David Benjamin321fcdc2017-04-24 11:42:42 -0400[diff] [blame]804static void ExpectDefaultVersion(uint16_t min_version, uint16_t max_version,
805 const SSL_METHOD *(*method)(void)) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]806 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method()));
David Benjamin321fcdc2017-04-24 11:42:42 -0400[diff] [blame]807 ASSERT_TRUE(ctx);
David Benjaminfc08dfc2017-06-20 14:39:32 -0400[diff] [blame]808 EXPECT_EQ(min_version, ctx->conf_min_version);
809 EXPECT_EQ(max_version, ctx->conf_max_version);
David Benjamin321fcdc2017-04-24 11:42:42 -0400[diff] [blame]810}
811
812TEST(SSLTest, DefaultVersion) {
813 // TODO(svaldez): Update this when TLS 1.3 is enabled by default.
814 ExpectDefaultVersion(TLS1_VERSION, TLS1_2_VERSION, &TLS_method);
815 ExpectDefaultVersion(TLS1_VERSION, TLS1_VERSION, &TLSv1_method);
816 ExpectDefaultVersion(TLS1_1_VERSION, TLS1_1_VERSION, &TLSv1_1_method);
817 ExpectDefaultVersion(TLS1_2_VERSION, TLS1_2_VERSION, &TLSv1_2_method);
818 ExpectDefaultVersion(TLS1_1_VERSION, TLS1_2_VERSION, &DTLS_method);
819 ExpectDefaultVersion(TLS1_1_VERSION, TLS1_1_VERSION, &DTLSv1_method);
820 ExpectDefaultVersion(TLS1_2_VERSION, TLS1_2_VERSION, &DTLSv1_2_method);
David Benjamin82c9e902014-12-12 15:55:27 -0500[diff] [blame]821}
822
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]823TEST(SSLTest, CipherProperties) {
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]824 static const struct {
825 int id;
826 const char *standard_name;
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]827 int cipher_nid;
828 int digest_nid;
829 int kx_nid;
830 int auth_nid;
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]831 } kTests[] = {
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]832 {
833 SSL3_CK_RSA_DES_192_CBC3_SHA,
834 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
835 NID_des_ede3_cbc,
836 NID_sha1,
837 NID_kx_rsa,
838 NID_auth_rsa,
839 },
840 {
841 TLS1_CK_RSA_WITH_AES_128_SHA,
842 "TLS_RSA_WITH_AES_128_CBC_SHA",
843 NID_aes_128_cbc,
844 NID_sha1,
845 NID_kx_rsa,
846 NID_auth_rsa,
847 },
848 {
849 TLS1_CK_PSK_WITH_AES_256_CBC_SHA,
850 "TLS_PSK_WITH_AES_256_CBC_SHA",
851 NID_aes_256_cbc,
852 NID_sha1,
853 NID_kx_psk,
854 NID_auth_psk,
855 },
856 {
857 TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
858 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
859 NID_aes_128_cbc,
860 NID_sha256,
861 NID_kx_ecdhe,
862 NID_auth_rsa,
863 },
864 {
865 TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
866 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
867 NID_aes_256_cbc,
868 NID_sha384,
869 NID_kx_ecdhe,
870 NID_auth_rsa,
871 },
872 {
873 TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
874 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
875 NID_aes_128_gcm,
876 NID_undef,
877 NID_kx_ecdhe,
878 NID_auth_rsa,
879 },
880 {
881 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
882 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
883 NID_aes_128_gcm,
884 NID_undef,
885 NID_kx_ecdhe,
886 NID_auth_ecdsa,
887 },
888 {
889 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
890 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
891 NID_aes_256_gcm,
892 NID_undef,
893 NID_kx_ecdhe,
894 NID_auth_ecdsa,
895 },
896 {
897 TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA,
898 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
899 NID_aes_128_cbc,
900 NID_sha1,
901 NID_kx_ecdhe,
902 NID_auth_psk,
903 },
904 {
905 TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
906 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
907 NID_chacha20_poly1305,
908 NID_undef,
909 NID_kx_ecdhe,
910 NID_auth_rsa,
911 },
912 {
913 TLS1_CK_AES_256_GCM_SHA384,
914 "TLS_AES_256_GCM_SHA384",
915 NID_aes_256_gcm,
916 NID_undef,
917 NID_kx_any,
918 NID_auth_any,
919 },
920 {
921 TLS1_CK_AES_128_GCM_SHA256,
922 "TLS_AES_128_GCM_SHA256",
923 NID_aes_128_gcm,
924 NID_undef,
925 NID_kx_any,
926 NID_auth_any,
927 },
928 {
929 TLS1_CK_CHACHA20_POLY1305_SHA256,
930 "TLS_CHACHA20_POLY1305_SHA256",
931 NID_chacha20_poly1305,
932 NID_undef,
933 NID_kx_any,
934 NID_auth_any,
935 },
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]936 };
David Benjamin65226252015-02-05 16:49:47 -0500[diff] [blame]937
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]938 for (const auto &t : kTests) {
939 SCOPED_TRACE(t.standard_name);
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]940
941 const SSL_CIPHER *cipher = SSL_get_cipher_by_value(t.id & 0xffff);
942 ASSERT_TRUE(cipher);
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]943 EXPECT_STREQ(t.standard_name, SSL_CIPHER_standard_name(cipher));
944
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]945 bssl::UniquePtr<char> rfc_name(SSL_CIPHER_get_rfc_name(cipher));
946 ASSERT_TRUE(rfc_name);
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]947 EXPECT_STREQ(t.standard_name, rfc_name.get());
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]948
949 EXPECT_EQ(t.cipher_nid, SSL_CIPHER_get_cipher_nid(cipher));
950 EXPECT_EQ(t.digest_nid, SSL_CIPHER_get_digest_nid(cipher));
951 EXPECT_EQ(t.kx_nid, SSL_CIPHER_get_kx_nid(cipher));
952 EXPECT_EQ(t.auth_nid, SSL_CIPHER_get_auth_nid(cipher));
David Benjamin65226252015-02-05 16:49:47 -0500[diff] [blame]953 }
David Benjamin65226252015-02-05 16:49:47 -0500[diff] [blame]954}
955
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]956// CreateSessionWithTicket returns a sample |SSL_SESSION| with the specified
957// version and ticket length or nullptr on failure.
958static bssl::UniquePtr<SSL_SESSION> CreateSessionWithTicket(uint16_t version,
959 size_t ticket_len) {
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]960 std::vector<uint8_t> der;
961 if (!DecodeBase64(&der, kOpenSSLSession)) {
962 return nullptr;
963 }
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]964
965 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
966 if (!ssl_ctx) {
967 return nullptr;
968 }
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]969 bssl::UniquePtr<SSL_SESSION> session(
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]970 SSL_SESSION_from_bytes(der.data(), der.size(), ssl_ctx.get()));
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]971 if (!session) {
972 return nullptr;
973 }
974
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]975 session->ssl_version = version;
976
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]977 // Swap out the ticket for a garbage one.
978 OPENSSL_free(session->tlsext_tick);
979 session->tlsext_tick = reinterpret_cast<uint8_t*>(OPENSSL_malloc(ticket_len));
980 if (session->tlsext_tick == nullptr) {
981 return nullptr;
982 }
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]983 OPENSSL_memset(session->tlsext_tick, 'a', ticket_len);
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]984 session->tlsext_ticklen = ticket_len;
David Benjamin1269ddd2015-10-18 15:18:55 -0400[diff] [blame]985
986 // Fix up the timeout.
David Benjamin9b63f292016-11-15 00:44:05 -0500[diff] [blame]987#if defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE)
988 session->time = 1234;
989#else
David Benjamin1269ddd2015-10-18 15:18:55 -0400[diff] [blame]990 session->time = time(NULL);
David Benjamin9b63f292016-11-15 00:44:05 -0500[diff] [blame]991#endif
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]992 return session;
993}
994
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]995static bool GetClientHello(SSL *ssl, std::vector<uint8_t> *out) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]996 bssl::UniquePtr<BIO> bio(BIO_new(BIO_s_mem()));
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]997 if (!bio) {
998 return false;
999 }
1000 // Do not configure a reading BIO, but record what's written to a memory BIO.
David Benjamin96a16cd2016-08-11 12:14:47 -0400[diff] [blame]1001 BIO_up_ref(bio.get());
1002 SSL_set_bio(ssl, nullptr /* rbio */, bio.get());
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1003 int ret = SSL_connect(ssl);
1004 if (ret > 0) {
1005 // SSL_connect should fail without a BIO to write to.
1006 return false;
1007 }
1008 ERR_clear_error();
1009
1010 const uint8_t *client_hello;
1011 size_t client_hello_len;
1012 if (!BIO_mem_contents(bio.get(), &client_hello, &client_hello_len)) {
1013 return false;
1014 }
1015 *out = std::vector<uint8_t>(client_hello, client_hello + client_hello_len);
1016 return true;
1017}
1018
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]1019// GetClientHelloLen creates a client SSL connection with the specified version
1020// and ticket length. It returns the length of the ClientHello, not including
1021// the record header, on success and zero on error.
1022static size_t GetClientHelloLen(uint16_t max_version, uint16_t session_version,
1023 size_t ticket_len) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1024 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]1025 bssl::UniquePtr<SSL_SESSION> session =
1026 CreateSessionWithTicket(session_version, ticket_len);
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]1027 if (!ctx || !session) {
1028 return 0;
1029 }
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]1030
1031 // Set a one-element cipher list so the baseline ClientHello is unpadded.
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1032 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
Steven Valdez2c62fe92016-10-14 12:08:12 -0400[diff] [blame]1033 if (!ssl || !SSL_set_session(ssl.get(), session.get()) ||
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]1034 !SSL_set_strict_cipher_list(ssl.get(), "ECDHE-RSA-AES128-GCM-SHA256") ||
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]1035 !SSL_set_max_proto_version(ssl.get(), max_version)) {
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]1036 return 0;
1037 }
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]1038
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1039 std::vector<uint8_t> client_hello;
1040 if (!GetClientHello(ssl.get(), &client_hello) ||
1041 client_hello.size() <= SSL3_RT_HEADER_LENGTH) {
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]1042 return 0;
1043 }
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]1044
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1045 return client_hello.size() - SSL3_RT_HEADER_LENGTH;
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]1046}
1047
1048struct PaddingTest {
1049 size_t input_len, padded_len;
1050};
1051
1052static const PaddingTest kPaddingTests[] = {
1053 // ClientHellos of length below 0x100 do not require padding.
1054 {0xfe, 0xfe},
1055 {0xff, 0xff},
1056 // ClientHellos of length 0x100 through 0x1fb are padded up to 0x200.
1057 {0x100, 0x200},
1058 {0x123, 0x200},
1059 {0x1fb, 0x200},
1060 // ClientHellos of length 0x1fc through 0x1ff get padded beyond 0x200. The
1061 // padding extension takes a minimum of four bytes plus one required content
1062 // byte. (To work around yet more server bugs, we avoid empty final
1063 // extensions.)
1064 {0x1fc, 0x201},
1065 {0x1fd, 0x202},
1066 {0x1fe, 0x203},
1067 {0x1ff, 0x204},
1068 // Finally, larger ClientHellos need no padding.
1069 {0x200, 0x200},
1070 {0x201, 0x201},
1071};
1072
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]1073static bool TestPaddingExtension(uint16_t max_version,
1074 uint16_t session_version) {
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]1075 // Sample a baseline length.
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]1076 size_t base_len = GetClientHelloLen(max_version, session_version, 1);
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]1077 if (base_len == 0) {
1078 return false;
1079 }
1080
1081 for (const PaddingTest &test : kPaddingTests) {
1082 if (base_len > test.input_len) {
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]1083 fprintf(stderr,
1084 "Baseline ClientHello too long (max_version = %04x, "
1085 "session_version = %04x).\n",
1086 max_version, session_version);
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]1087 return false;
1088 }
1089
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]1090 size_t padded_len = GetClientHelloLen(max_version, session_version,
1091 1 + test.input_len - base_len);
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]1092 if (padded_len != test.padded_len) {
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]1093 fprintf(stderr,
1094 "%u-byte ClientHello padded to %u bytes, not %u (max_version = "
1095 "%04x, session_version = %04x).\n",
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]1096 static_cast<unsigned>(test.input_len),
1097 static_cast<unsigned>(padded_len),
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]1098 static_cast<unsigned>(test.padded_len), max_version,
1099 session_version);
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]1100 return false;
1101 }
1102 }
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]1103
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]1104 return true;
1105}
1106
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1107static bssl::UniquePtr<X509> GetTestCertificate() {
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1108 static const char kCertPEM[] =
1109 "-----BEGIN CERTIFICATE-----\n"
1110 "MIICWDCCAcGgAwIBAgIJAPuwTC6rEJsMMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV\n"
1111 "BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX\n"
1112 "aWRnaXRzIFB0eSBMdGQwHhcNMTQwNDIzMjA1MDQwWhcNMTcwNDIyMjA1MDQwWjBF\n"
1113 "MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50\n"
1114 "ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\n"
1115 "gQDYK8imMuRi/03z0K1Zi0WnvfFHvwlYeyK9Na6XJYaUoIDAtB92kWdGMdAQhLci\n"
1116 "HnAjkXLI6W15OoV3gA/ElRZ1xUpxTMhjP6PyY5wqT5r6y8FxbiiFKKAnHmUcrgfV\n"
1117 "W28tQ+0rkLGMryRtrukXOgXBv7gcrmU7G1jC2a7WqmeI8QIDAQABo1AwTjAdBgNV\n"
1118 "HQ4EFgQUi3XVrMsIvg4fZbf6Vr5sp3Xaha8wHwYDVR0jBBgwFoAUi3XVrMsIvg4f\n"
1119 "Zbf6Vr5sp3Xaha8wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQA76Hht\n"
1120 "ldY9avcTGSwbwoiuIqv0jTL1fHFnzy3RHMLDh+Lpvolc5DSrSJHCP5WuK0eeJXhr\n"
1121 "T5oQpHL9z/cCDLAKCKRa4uV0fhEdOWBqyR9p8y5jJtye72t6CuFUV5iqcpF4BH4f\n"
1122 "j2VNHwsSrJwkD4QUGlUtH7vwnQmyCFxZMmWAJg==\n"
1123 "-----END CERTIFICATE-----\n";
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1124 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(kCertPEM, strlen(kCertPEM)));
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]1125 return bssl::UniquePtr<X509>(
1126 PEM_read_bio_X509(bio.get(), nullptr, nullptr, nullptr));
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1127}
1128
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1129static bssl::UniquePtr<EVP_PKEY> GetTestKey() {
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1130 static const char kKeyPEM[] =
1131 "-----BEGIN RSA PRIVATE KEY-----\n"
1132 "MIICXgIBAAKBgQDYK8imMuRi/03z0K1Zi0WnvfFHvwlYeyK9Na6XJYaUoIDAtB92\n"
1133 "kWdGMdAQhLciHnAjkXLI6W15OoV3gA/ElRZ1xUpxTMhjP6PyY5wqT5r6y8FxbiiF\n"
1134 "KKAnHmUcrgfVW28tQ+0rkLGMryRtrukXOgXBv7gcrmU7G1jC2a7WqmeI8QIDAQAB\n"
1135 "AoGBAIBy09Fd4DOq/Ijp8HeKuCMKTHqTW1xGHshLQ6jwVV2vWZIn9aIgmDsvkjCe\n"
1136 "i6ssZvnbjVcwzSoByhjN8ZCf/i15HECWDFFh6gt0P5z0MnChwzZmvatV/FXCT0j+\n"
1137 "WmGNB/gkehKjGXLLcjTb6dRYVJSCZhVuOLLcbWIV10gggJQBAkEA8S8sGe4ezyyZ\n"
1138 "m4e9r95g6s43kPqtj5rewTsUxt+2n4eVodD+ZUlCULWVNAFLkYRTBCASlSrm9Xhj\n"
1139 "QpmWAHJUkQJBAOVzQdFUaewLtdOJoPCtpYoY1zd22eae8TQEmpGOR11L6kbxLQsk\n"
1140 "aMly/DOnOaa82tqAGTdqDEZgSNmCeKKknmECQAvpnY8GUOVAubGR6c+W90iBuQLj\n"
1141 "LtFp/9ihd2w/PoDwrHZaoUYVcT4VSfJQog/k7kjE4MYXYWL8eEKg3WTWQNECQQDk\n"
1142 "104Wi91Umd1PzF0ijd2jXOERJU1wEKe6XLkYYNHWQAe5l4J4MWj9OdxFXAxIuuR/\n"
1143 "tfDwbqkta4xcux67//khAkEAvvRXLHTaa6VFzTaiiO8SaFsHV3lQyXOtMrBpB5jd\n"
1144 "moZWgjHvB2W9Ckn7sDqsPB+U2tyX0joDdQEyuiMECDY8oQ==\n"
1145 "-----END RSA PRIVATE KEY-----\n";
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1146 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(kKeyPEM, strlen(kKeyPEM)));
1147 return bssl::UniquePtr<EVP_PKEY>(
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1148 PEM_read_bio_PrivateKey(bio.get(), nullptr, nullptr, nullptr));
1149}
1150
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1151static bssl::UniquePtr<X509> GetECDSATestCertificate() {
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]1152 static const char kCertPEM[] =
1153 "-----BEGIN CERTIFICATE-----\n"
1154 "MIIBzzCCAXagAwIBAgIJANlMBNpJfb/rMAkGByqGSM49BAEwRTELMAkGA1UEBhMC\n"
1155 "QVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdp\n"
1156 "dHMgUHR5IEx0ZDAeFw0xNDA0MjMyMzIxNTdaFw0xNDA1MjMyMzIxNTdaMEUxCzAJ\n"
1157 "BgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5l\n"
1158 "dCBXaWRnaXRzIFB0eSBMdGQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATmK2ni\n"
1159 "v2Wfl74vHg2UikzVl2u3qR4NRvvdqakendy6WgHn1peoChj5w8SjHlbifINI2xYa\n"
1160 "HPUdfvGULUvPciLBo1AwTjAdBgNVHQ4EFgQUq4TSrKuV8IJOFngHVVdf5CaNgtEw\n"
1161 "HwYDVR0jBBgwFoAUq4TSrKuV8IJOFngHVVdf5CaNgtEwDAYDVR0TBAUwAwEB/zAJ\n"
1162 "BgcqhkjOPQQBA0gAMEUCIQDyoDVeUTo2w4J5m+4nUIWOcAZ0lVfSKXQA9L4Vh13E\n"
1163 "BwIgfB55FGohg/B6dGh5XxSZmmi08cueFV7mHzJSYV51yRQ=\n"
1164 "-----END CERTIFICATE-----\n";
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1165 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(kCertPEM, strlen(kCertPEM)));
1166 return bssl::UniquePtr<X509>(PEM_read_bio_X509(bio.get(), nullptr, nullptr, nullptr));
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]1167}
1168
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1169static bssl::UniquePtr<EVP_PKEY> GetECDSATestKey() {
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]1170 static const char kKeyPEM[] =
1171 "-----BEGIN PRIVATE KEY-----\n"
1172 "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgBw8IcnrUoEqc3VnJ\n"
1173 "TYlodwi1b8ldMHcO6NHJzgqLtGqhRANCAATmK2niv2Wfl74vHg2UikzVl2u3qR4N\n"
1174 "Rvvdqakendy6WgHn1peoChj5w8SjHlbifINI2xYaHPUdfvGULUvPciLB\n"
1175 "-----END PRIVATE KEY-----\n";
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1176 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(kKeyPEM, strlen(kKeyPEM)));
1177 return bssl::UniquePtr<EVP_PKEY>(
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]1178 PEM_read_bio_PrivateKey(bio.get(), nullptr, nullptr, nullptr));
1179}
1180
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]1181static bssl::UniquePtr<CRYPTO_BUFFER> BufferFromPEM(const char *pem) {
1182 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(pem, strlen(pem)));
1183 char *name, *header;
1184 uint8_t *data;
1185 long data_len;
1186 if (!PEM_read_bio(bio.get(), &name, &header, &data,
1187 &data_len)) {
1188 return nullptr;
1189 }
1190 OPENSSL_free(name);
1191 OPENSSL_free(header);
1192
1193 auto ret = bssl::UniquePtr<CRYPTO_BUFFER>(
1194 CRYPTO_BUFFER_new(data, data_len, nullptr));
1195 OPENSSL_free(data);
1196 return ret;
1197}
1198
1199static bssl::UniquePtr<CRYPTO_BUFFER> GetChainTestCertificateBuffer() {
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]1200 static const char kCertPEM[] =
1201 "-----BEGIN CERTIFICATE-----\n"
1202 "MIIC0jCCAbqgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEQiBD\n"
1203 "QTAeFw0xNjAyMjgyMDI3MDNaFw0yNjAyMjUyMDI3MDNaMBgxFjAUBgNVBAMMDUNs\n"
1204 "aWVudCBDZXJ0IEEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDRvaz8\n"
1205 "CC/cshpCafJo4jLkHEoBqDLhdgFelJoAiQUyIqyWl2O7YHPnpJH+TgR7oelzNzt/\n"
1206 "kLRcH89M/TszB6zqyLTC4aqmvzKL0peD/jL2LWBucR0WXIvjA3zoRuF/x86+rYH3\n"
1207 "tHb+xs2PSs8EGL/Ev+ss+qTzTGEn26fuGNHkNw6tOwPpc+o8+wUtzf/kAthamo+c\n"
1208 "IDs2rQ+lP7+aLZTLeU/q4gcLutlzcK5imex5xy2jPkweq48kijK0kIzl1cPlA5d1\n"
1209 "z7C8jU50Pj9X9sQDJTN32j7UYRisJeeYQF8GaaN8SbrDI6zHgKzrRLyxDt/KQa9V\n"
1210 "iLeXANgZi+Xx9KgfAgMBAAGjLzAtMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYI\n"
1211 "KwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQBFEVbmYl+2RtNw\n"
1212 "rDftRDF1v2QUbcN2ouSnQDHxeDQdSgasLzT3ui8iYu0Rw2WWcZ0DV5e0ztGPhWq7\n"
1213 "AO0B120aFRMOY+4+bzu9Q2FFkQqc7/fKTvTDzIJI5wrMnFvUfzzvxh3OHWMYSs/w\n"
1214 "giq33hTKeHEq6Jyk3btCny0Ycecyc3yGXH10sizUfiHlhviCkDuESk8mFDwDDzqW\n"
1215 "ZF0IipzFbEDHoIxLlm3GQxpiLoEV4k8KYJp3R5KBLFyxM6UGPz8h72mIPCJp2RuK\n"
1216 "MYgF91UDvVzvnYm6TfseM2+ewKirC00GOrZ7rEcFvtxnKSqYf4ckqfNdSU1Y+RRC\n"
1217 "1ngWZ7Ih\n"
1218 "-----END CERTIFICATE-----\n";
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]1219 return BufferFromPEM(kCertPEM);
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]1220}
1221
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]1222static bssl::UniquePtr<X509> X509FromBuffer(
1223 bssl::UniquePtr<CRYPTO_BUFFER> buffer) {
1224 if (!buffer) {
1225 return nullptr;
1226 }
1227 const uint8_t *derp = CRYPTO_BUFFER_data(buffer.get());
1228 return bssl::UniquePtr<X509>(
1229 d2i_X509(NULL, &derp, CRYPTO_BUFFER_len(buffer.get())));
1230}
1231
1232static bssl::UniquePtr<X509> GetChainTestCertificate() {
1233 return X509FromBuffer(GetChainTestCertificateBuffer());
1234}
1235
1236static bssl::UniquePtr<CRYPTO_BUFFER> GetChainTestIntermediateBuffer() {
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]1237 static const char kCertPEM[] =
1238 "-----BEGIN CERTIFICATE-----\n"
1239 "MIICwjCCAaqgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwFDESMBAGA1UEAwwJQyBS\n"
1240 "b290IENBMB4XDTE2MDIyODIwMjcwM1oXDTI2MDIyNTIwMjcwM1owDzENMAsGA1UE\n"
1241 "AwwEQiBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALsSCYmDip2D\n"
1242 "GkjFxw7ykz26JSjELkl6ArlYjFJ3aT/SCh8qbS4gln7RH8CPBd78oFdfhIKQrwtZ\n"
1243 "3/q21ykD9BAS3qHe2YdcJfm8/kWAy5DvXk6NXU4qX334KofBAEpgdA/igEFq1P1l\n"
1244 "HAuIfZCpMRfT+i5WohVsGi8f/NgpRvVaMONLNfgw57mz1lbtFeBEISmX0kbsuJxF\n"
1245 "Qj/Bwhi5/0HAEXG8e7zN4cEx0yPRvmOATRdVb/8dW2pwOHRJq9R5M0NUkIsTSnL7\n"
1246 "6N/z8hRAHMsV3IudC5Yd7GXW1AGu9a+iKU+Q4xcZCoj0DC99tL4VKujrV1kAeqsM\n"
1247 "cz5/dKzi6+cCAwEAAaMjMCEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
1248 "AQYwDQYJKoZIhvcNAQELBQADggEBAIIeZiEeNhWWQ8Y4D+AGDwqUUeG8NjCbKrXQ\n"
1249 "BlHg5wZ8xftFaiP1Dp/UAezmx2LNazdmuwrYB8lm3FVTyaPDTKEGIPS4wJKHgqH1\n"
1250 "QPDhqNm85ey7TEtI9oYjsNim/Rb+iGkIAMXaxt58SzxbjvP0kMr1JfJIZbic9vye\n"
1251 "NwIspMFIpP3FB8ywyu0T0hWtCQgL4J47nigCHpOu58deP88fS/Nyz/fyGVWOZ76b\n"
1252 "WhWwgM3P3X95fQ3d7oFPR/bVh0YV+Cf861INwplokXgXQ3/TCQ+HNXeAMWn3JLWv\n"
1253 "XFwk8owk9dq/kQGdndGgy3KTEW4ctPX5GNhf3LJ9Q7dLji4ReQ4=\n"
1254 "-----END CERTIFICATE-----\n";
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]1255 return BufferFromPEM(kCertPEM);
1256}
1257
1258static bssl::UniquePtr<X509> GetChainTestIntermediate() {
1259 return X509FromBuffer(GetChainTestIntermediateBuffer());
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]1260}
1261
1262static bssl::UniquePtr<EVP_PKEY> GetChainTestKey() {
1263 static const char kKeyPEM[] =
1264 "-----BEGIN PRIVATE KEY-----\n"
1265 "MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDRvaz8CC/cshpC\n"
1266 "afJo4jLkHEoBqDLhdgFelJoAiQUyIqyWl2O7YHPnpJH+TgR7oelzNzt/kLRcH89M\n"
1267 "/TszB6zqyLTC4aqmvzKL0peD/jL2LWBucR0WXIvjA3zoRuF/x86+rYH3tHb+xs2P\n"
1268 "Ss8EGL/Ev+ss+qTzTGEn26fuGNHkNw6tOwPpc+o8+wUtzf/kAthamo+cIDs2rQ+l\n"
1269 "P7+aLZTLeU/q4gcLutlzcK5imex5xy2jPkweq48kijK0kIzl1cPlA5d1z7C8jU50\n"
1270 "Pj9X9sQDJTN32j7UYRisJeeYQF8GaaN8SbrDI6zHgKzrRLyxDt/KQa9ViLeXANgZ\n"
1271 "i+Xx9KgfAgMBAAECggEBAK0VjSJzkyPaamcyTVSWjo7GdaBGcK60lk657RjR+lK0\n"
1272 "YJ7pkej4oM2hdsVZFsP8Cs4E33nXLa/0pDsRov/qrp0WQm2skwqGMC1I/bZ0WRPk\n"
1273 "wHaDrBBfESWnJDX/AGpVtlyOjPmgmK6J2usMPihQUDkKdAYrVWJePrMIxt1q6BMe\n"
1274 "iczs3qriMmtY3bUc4UyUwJ5fhDLjshHvfuIpYQyI6EXZM6dZksn9LylXJnigY6QJ\n"
1275 "HxOYO0BDwOsZ8yQ8J8afLk88i0GizEkgE1z3REtQUwgWfxr1WV/ud+T6/ZhSAgH9\n"
1276 "042mQvSFZnIUSEsmCvjhWuAunfxHKCTcAoYISWfzWpkCgYEA7gpf3HHU5Tn+CgUn\n"
1277 "1X5uGpG3DmcMgfeGgs2r2f/IIg/5Ac1dfYILiybL1tN9zbyLCJfcbFpWBc9hJL6f\n"
1278 "CPc5hUiwWFJqBJewxQkC1Ae/HakHbip+IZ+Jr0842O4BAArvixk4Lb7/N2Ct9sTE\n"
1279 "NJO6RtK9lbEZ5uK61DglHy8CS2UCgYEA4ZC1o36kPAMQBggajgnucb2yuUEelk0f\n"
1280 "AEr+GI32MGE+93xMr7rAhBoqLg4AITyIfEnOSQ5HwagnIHonBbv1LV/Gf9ursx8Z\n"
1281 "YOGbvT8zzzC+SU1bkDzdjAYnFQVGIjMtKOBJ3K07++ypwX1fr4QsQ8uKL8WSOWwt\n"
1282 "Z3Bym6XiZzMCgYADnhy+2OwHX85AkLt+PyGlPbmuelpyTzS4IDAQbBa6jcuW/2wA\n"
1283 "UE2km75VUXmD+u2R/9zVuLm99NzhFhSMqlUxdV1YukfqMfP5yp1EY6m/5aW7QuIP\n"
1284 "2MDa7TVL9rIFMiVZ09RKvbBbQxjhuzPQKL6X/PPspnhiTefQ+dl2k9xREQKBgHDS\n"
1285 "fMfGNEeAEKezrfSVqxphE9/tXms3L+ZpnCaT+yu/uEr5dTIAawKoQ6i9f/sf1/Sy\n"
1286 "xedsqR+IB+oKrzIDDWMgoJybN4pkZ8E5lzhVQIjFjKgFdWLzzqyW9z1gYfABQPlN\n"
1287 "FiS20WX0vgP1vcKAjdNrHzc9zyHBpgQzDmAj3NZZAoGBAI8vKCKdH7w3aL5CNkZQ\n"
1288 "2buIeWNA2HZazVwAGG5F2TU/LmXfRKnG6dX5bkU+AkBZh56jNZy//hfFSewJB4Kk\n"
1289 "buB7ERSdaNbO21zXt9FEA3+z0RfMd/Zv2vlIWOSB5nzl/7UKti3sribK6s9ZVLfi\n"
1290 "SxpiPQ8d/hmSGwn4ksrWUsJD\n"
1291 "-----END PRIVATE KEY-----\n";
1292 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(kKeyPEM, strlen(kKeyPEM)));
1293 return bssl::UniquePtr<EVP_PKEY>(
1294 PEM_read_bio_PrivateKey(bio.get(), nullptr, nullptr, nullptr));
1295}
1296
David Benjaminc79ae7a2017-08-29 16:09:44 -0400[diff] [blame]1297// Test that |SSL_get_client_CA_list| echoes back the configured parameter even
1298// before configuring as a server.
1299TEST(SSLTest, ClientCAList) {
1300 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
1301 ASSERT_TRUE(ctx);
1302 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
1303 ASSERT_TRUE(ssl);
1304
1305 bssl::UniquePtr<X509_NAME> name(X509_NAME_new());
1306 ASSERT_TRUE(name);
1307
1308 bssl::UniquePtr<X509_NAME> name_dup(X509_NAME_dup(name.get()));
1309 ASSERT_TRUE(name_dup);
1310
1311 bssl::UniquePtr<STACK_OF(X509_NAME)> stack(sk_X509_NAME_new_null());
1312 ASSERT_TRUE(stack);
1313
1314 ASSERT_TRUE(sk_X509_NAME_push(stack.get(), name_dup.get()));
1315 name_dup.release();
1316
1317 // |SSL_set_client_CA_list| takes ownership.
1318 SSL_set_client_CA_list(ssl.get(), stack.release());
1319
1320 STACK_OF(X509_NAME) *result = SSL_get_client_CA_list(ssl.get());
1321 ASSERT_TRUE(result);
1322 ASSERT_EQ(1u, sk_X509_NAME_num(result));
1323 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(result, 0), name.get()));
1324}
1325
1326TEST(SSLTest, AddClientCA) {
1327 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
1328 ASSERT_TRUE(ctx);
1329 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
1330 ASSERT_TRUE(ssl);
1331
1332 bssl::UniquePtr<X509> cert1 = GetTestCertificate();
1333 bssl::UniquePtr<X509> cert2 = GetChainTestCertificate();
1334 ASSERT_TRUE(cert1 && cert2);
1335 X509_NAME *name1 = X509_get_subject_name(cert1.get());
1336 X509_NAME *name2 = X509_get_subject_name(cert2.get());
1337
1338 EXPECT_EQ(0u, sk_X509_NAME_num(SSL_get_client_CA_list(ssl.get())));
1339
1340 ASSERT_TRUE(SSL_add_client_CA(ssl.get(), cert1.get()));
1341 ASSERT_TRUE(SSL_add_client_CA(ssl.get(), cert2.get()));
1342
1343 STACK_OF(X509_NAME) *list = SSL_get_client_CA_list(ssl.get());
1344 ASSERT_EQ(2u, sk_X509_NAME_num(list));
1345 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 0), name1));
1346 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 1), name2));
1347
1348 ASSERT_TRUE(SSL_add_client_CA(ssl.get(), cert1.get()));
1349
1350 list = SSL_get_client_CA_list(ssl.get());
1351 ASSERT_EQ(3u, sk_X509_NAME_num(list));
1352 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 0), name1));
1353 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 1), name2));
1354 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 2), name1));
1355}
1356
1357static void AppendSession(SSL_SESSION *session, void *arg) {
1358 std::vector<SSL_SESSION*> *out =
1359 reinterpret_cast<std::vector<SSL_SESSION*>*>(arg);
1360 out->push_back(session);
1361}
1362
1363// CacheEquals returns true if |ctx|'s session cache consists of |expected|, in
1364// order.
1365static bool CacheEquals(SSL_CTX *ctx,
1366 const std::vector<SSL_SESSION*> &expected) {
1367 // Check the linked list.
1368 SSL_SESSION *ptr = ctx->session_cache_head;
1369 for (SSL_SESSION *session : expected) {
1370 if (ptr != session) {
1371 return false;
1372 }
1373 // TODO(davidben): This is an absurd way to denote the end of the list.
1374 if (ptr->next ==
1375 reinterpret_cast<SSL_SESSION *>(&ctx->session_cache_tail)) {
1376 ptr = nullptr;
1377 } else {
1378 ptr = ptr->next;
1379 }
1380 }
1381 if (ptr != nullptr) {
1382 return false;
1383 }
1384
1385 // Check the hash table.
1386 std::vector<SSL_SESSION*> actual, expected_copy;
1387 lh_SSL_SESSION_doall_arg(SSL_CTX_sessions(ctx), AppendSession, &actual);
1388 expected_copy = expected;
1389
1390 std::sort(actual.begin(), actual.end());
1391 std::sort(expected_copy.begin(), expected_copy.end());
1392
1393 return actual == expected_copy;
1394}
1395
1396static bssl::UniquePtr<SSL_SESSION> CreateTestSession(uint32_t number) {
1397 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
1398 if (!ssl_ctx) {
1399 return nullptr;
1400 }
1401 bssl::UniquePtr<SSL_SESSION> ret(SSL_SESSION_new(ssl_ctx.get()));
1402 if (!ret) {
1403 return nullptr;
1404 }
1405
1406 ret->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
1407 OPENSSL_memset(ret->session_id, 0, ret->session_id_length);
1408 OPENSSL_memcpy(ret->session_id, &number, sizeof(number));
1409 return ret;
1410}
1411
1412// Test that the internal session cache behaves as expected.
1413TEST(SSLTest, InternalSessionCache) {
1414 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
1415 ASSERT_TRUE(ctx);
1416
1417 // Prepare 10 test sessions.
1418 std::vector<bssl::UniquePtr<SSL_SESSION>> sessions;
1419 for (int i = 0; i < 10; i++) {
1420 bssl::UniquePtr<SSL_SESSION> session = CreateTestSession(i);
1421 ASSERT_TRUE(session);
1422 sessions.push_back(std::move(session));
1423 }
1424
1425 SSL_CTX_sess_set_cache_size(ctx.get(), 5);
1426
1427 // Insert all the test sessions.
1428 for (const auto &session : sessions) {
1429 ASSERT_TRUE(SSL_CTX_add_session(ctx.get(), session.get()));
1430 }
1431
1432 // Only the last five should be in the list.
1433 ASSERT_TRUE(CacheEquals(
1434 ctx.get(), {sessions[9].get(), sessions[8].get(), sessions[7].get(),
1435 sessions[6].get(), sessions[5].get()}));
1436
1437 // Inserting an element already in the cache should fail and leave the cache
1438 // unchanged.
1439 ASSERT_FALSE(SSL_CTX_add_session(ctx.get(), sessions[7].get()));
1440 ASSERT_TRUE(CacheEquals(
1441 ctx.get(), {sessions[9].get(), sessions[8].get(), sessions[7].get(),
1442 sessions[6].get(), sessions[5].get()}));
1443
1444 // Although collisions should be impossible (256-bit session IDs), the cache
1445 // must handle them gracefully.
1446 bssl::UniquePtr<SSL_SESSION> collision(CreateTestSession(7));
1447 ASSERT_TRUE(collision);
1448 ASSERT_TRUE(SSL_CTX_add_session(ctx.get(), collision.get()));
1449 ASSERT_TRUE(CacheEquals(
1450 ctx.get(), {collision.get(), sessions[9].get(), sessions[8].get(),
1451 sessions[6].get(), sessions[5].get()}));
1452
1453 // Removing sessions behaves correctly.
1454 ASSERT_TRUE(SSL_CTX_remove_session(ctx.get(), sessions[6].get()));
1455 ASSERT_TRUE(CacheEquals(ctx.get(), {collision.get(), sessions[9].get(),
1456 sessions[8].get(), sessions[5].get()}));
1457
1458 // Removing sessions requires an exact match.
1459 ASSERT_FALSE(SSL_CTX_remove_session(ctx.get(), sessions[0].get()));
1460 ASSERT_FALSE(SSL_CTX_remove_session(ctx.get(), sessions[7].get()));
1461
1462 // The cache remains unchanged.
1463 ASSERT_TRUE(CacheEquals(ctx.get(), {collision.get(), sessions[9].get(),
1464 sessions[8].get(), sessions[5].get()}));
1465}
1466
1467static uint16_t EpochFromSequence(uint64_t seq) {
1468 return static_cast<uint16_t>(seq >> 48);
1469}
1470
David Benjamin71dfad42017-07-16 17:27:39 -0400[diff] [blame]1471static const uint8_t kTestName[] = {
1472 0x30, 0x45, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
1473 0x02, 0x41, 0x55, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
1474 0x0c, 0x0a, 0x53, 0x6f, 0x6d, 0x65, 0x2d, 0x53, 0x74, 0x61, 0x74, 0x65,
1475 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x18, 0x49,
1476 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x20, 0x57, 0x69, 0x64, 0x67,
1477 0x69, 0x74, 0x73, 0x20, 0x50, 0x74, 0x79, 0x20, 0x4c, 0x74, 0x64,
1478};
1479
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]1480static bool CompleteHandshakes(SSL *client, SSL *server) {
1481 // Drive both their handshakes to completion.
1482 for (;;) {
1483 int client_ret = SSL_do_handshake(client);
1484 int client_err = SSL_get_error(client, client_ret);
1485 if (client_err != SSL_ERROR_NONE &&
1486 client_err != SSL_ERROR_WANT_READ &&
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]1487 client_err != SSL_ERROR_WANT_WRITE &&
1488 client_err != SSL_ERROR_PENDING_TICKET) {
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]1489 fprintf(stderr, "Client error: %d\n", client_err);
1490 return false;
1491 }
1492
1493 int server_ret = SSL_do_handshake(server);
1494 int server_err = SSL_get_error(server, server_ret);
1495 if (server_err != SSL_ERROR_NONE &&
1496 server_err != SSL_ERROR_WANT_READ &&
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]1497 server_err != SSL_ERROR_WANT_WRITE &&
1498 server_err != SSL_ERROR_PENDING_TICKET) {
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]1499 fprintf(stderr, "Server error: %d\n", server_err);
1500 return false;
1501 }
1502
1503 if (client_ret == 1 && server_ret == 1) {
1504 break;
1505 }
1506 }
1507
1508 return true;
1509}
1510
1511static bool ConnectClientAndServer(bssl::UniquePtr<SSL> *out_client,
1512 bssl::UniquePtr<SSL> *out_server,
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]1513 SSL_CTX *client_ctx, SSL_CTX *server_ctx,
1514 SSL_SESSION *session) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1515 bssl::UniquePtr<SSL> client(SSL_new(client_ctx)), server(SSL_new(server_ctx));
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1516 if (!client || !server) {
1517 return false;
1518 }
1519 SSL_set_connect_state(client.get());
1520 SSL_set_accept_state(server.get());
1521
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]1522 SSL_set_session(client.get(), session);
1523
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1524 BIO *bio1, *bio2;
1525 if (!BIO_new_bio_pair(&bio1, 0, &bio2, 0)) {
1526 return false;
1527 }
1528 // SSL_set_bio takes ownership.
1529 SSL_set_bio(client.get(), bio1, bio1);
1530 SSL_set_bio(server.get(), bio2, bio2);
1531
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]1532 if (!CompleteHandshakes(client.get(), server.get())) {
1533 return false;
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1534 }
1535
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1536 *out_client = std::move(client);
1537 *out_server = std::move(server);
1538 return true;
1539}
1540
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame^]1541// SSLVersionTest executes its test cases under all available protocol versions.
1542// Test cases call |Connect| to create a connection using context objects with
1543// the protocol version fixed to the current version under test.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]1544class SSLVersionTest : public ::testing::TestWithParam<VersionParam> {
1545 protected:
1546 SSLVersionTest() : cert_(GetTestCertificate()), key_(GetTestKey()) {}
1547
1548 void SetUp() { ResetContexts(); }
1549
1550 bssl::UniquePtr<SSL_CTX> CreateContext() const {
1551 const SSL_METHOD *method = is_dtls() ? DTLS_method() : TLS_method();
1552 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method));
1553 if (!ctx || !SSL_CTX_set_min_proto_version(ctx.get(), version()) ||
1554 !SSL_CTX_set_max_proto_version(ctx.get(), version())) {
1555 return nullptr;
1556 }
1557 return ctx;
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1558 }
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1559
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]1560 void ResetContexts() {
1561 ASSERT_TRUE(cert_);
1562 ASSERT_TRUE(key_);
1563 client_ctx_ = CreateContext();
1564 ASSERT_TRUE(client_ctx_);
1565 server_ctx_ = CreateContext();
1566 ASSERT_TRUE(server_ctx_);
1567 // Set up a server cert. Client certs can be set up explicitly.
1568 ASSERT_TRUE(UseCertAndKey(server_ctx_.get()));
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1569 }
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1570
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]1571 bool UseCertAndKey(SSL_CTX *ctx) const {
1572 return SSL_CTX_use_certificate(ctx, cert_.get()) &&
1573 SSL_CTX_use_PrivateKey(ctx, key_.get());
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1574 }
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1575
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]1576 bool Connect() {
1577 return ConnectClientAndServer(&client_, &server_, client_ctx_.get(),
1578 server_ctx_.get(), nullptr /* no session */);
1579 }
1580
1581 uint16_t version() const { return GetParam().version; }
1582
1583 bool is_dtls() const {
1584 return GetParam().ssl_method == VersionParam::is_dtls;
1585 }
1586
1587 bssl::UniquePtr<SSL> client_, server_;
1588 bssl::UniquePtr<SSL_CTX> server_ctx_, client_ctx_;
1589 bssl::UniquePtr<X509> cert_;
1590 bssl::UniquePtr<EVP_PKEY> key_;
1591};
1592
1593INSTANTIATE_TEST_CASE_P(WithVersion, SSLVersionTest,
1594 testing::ValuesIn(kAllVersions),
1595 [](const testing::TestParamInfo<VersionParam> &i) {
1596 return i.param.name;
1597 });
1598
1599TEST_P(SSLVersionTest, SequenceNumber) {
1600 ASSERT_TRUE(Connect());
1601
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1602 // Drain any post-handshake messages to ensure there are no unread records
1603 // on either end.
1604 uint8_t byte = 0;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]1605 ASSERT_LE(SSL_read(client_.get(), &byte, 1), 0);
1606 ASSERT_LE(SSL_read(server_.get(), &byte, 1), 0);
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1607
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]1608 uint64_t client_read_seq = SSL_get_read_sequence(client_.get());
1609 uint64_t client_write_seq = SSL_get_write_sequence(client_.get());
1610 uint64_t server_read_seq = SSL_get_read_sequence(server_.get());
1611 uint64_t server_write_seq = SSL_get_write_sequence(server_.get());
Steven Valdez2c62fe92016-10-14 12:08:12 -0400[diff] [blame]1612
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]1613 if (is_dtls()) {
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1614 // Both client and server must be at epoch 1.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]1615 EXPECT_EQ(EpochFromSequence(client_read_seq), 1);
1616 EXPECT_EQ(EpochFromSequence(client_write_seq), 1);
1617 EXPECT_EQ(EpochFromSequence(server_read_seq), 1);
1618 EXPECT_EQ(EpochFromSequence(server_write_seq), 1);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1619
1620 // The next record to be written should exceed the largest received.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]1621 EXPECT_GT(client_write_seq, server_read_seq);
1622 EXPECT_GT(server_write_seq, client_read_seq);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1623 } else {
1624 // The next record to be written should equal the next to be received.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]1625 EXPECT_EQ(client_write_seq, server_read_seq);
1626 EXPECT_EQ(server_write_seq, client_read_seq);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1627 }
1628
1629 // Send a record from client to server.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]1630 EXPECT_EQ(SSL_write(client_.get(), &byte, 1), 1);
1631 EXPECT_EQ(SSL_read(server_.get(), &byte, 1), 1);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1632
1633 // The client write and server read sequence numbers should have
1634 // incremented.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]1635 EXPECT_EQ(client_write_seq + 1, SSL_get_write_sequence(client_.get()));
1636 EXPECT_EQ(server_read_seq + 1, SSL_get_read_sequence(server_.get()));
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1637}
1638
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]1639TEST_P(SSLVersionTest, OneSidedShutdown) {
David Benjamin68f37b72016-11-18 15:14:42 +0900[diff] [blame]1640 // SSL_shutdown is a no-op in DTLS.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]1641 if (is_dtls()) {
1642 return;
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1643 }
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]1644 ASSERT_TRUE(Connect());
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1645
1646 // Shut down half the connection. SSL_shutdown will return 0 to signal only
1647 // one side has shut down.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]1648 ASSERT_EQ(SSL_shutdown(client_.get()), 0);
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1649
1650 // Reading from the server should consume the EOF.
1651 uint8_t byte;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]1652 ASSERT_EQ(SSL_read(server_.get(), &byte, 1), 0);
1653 ASSERT_EQ(SSL_get_error(server_.get(), 0), SSL_ERROR_ZERO_RETURN);
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1654
1655 // However, the server may continue to write data and then shut down the
1656 // connection.
1657 byte = 42;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]1658 ASSERT_EQ(SSL_write(server_.get(), &byte, 1), 1);
1659 ASSERT_EQ(SSL_read(client_.get(), &byte, 1), 1);
1660 ASSERT_EQ(byte, 42);
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1661
1662 // The server may then shutdown the connection.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]1663 EXPECT_EQ(SSL_shutdown(server_.get()), 1);
1664 EXPECT_EQ(SSL_shutdown(client_.get()), 1);
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1665}
David Benjamin68f37b72016-11-18 15:14:42 +0900[diff] [blame]1666
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1667TEST(SSLTest, SessionDuplication) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1668 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
1669 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1670 ASSERT_TRUE(client_ctx);
1671 ASSERT_TRUE(server_ctx);
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]1672
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1673 bssl::UniquePtr<X509> cert = GetTestCertificate();
1674 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1675 ASSERT_TRUE(cert);
1676 ASSERT_TRUE(key);
1677 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
1678 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]1679
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1680 bssl::UniquePtr<SSL> client, server;
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1681 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
1682 server_ctx.get(),
1683 nullptr /* no session */));
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]1684
1685 SSL_SESSION *session0 = SSL_get_session(client.get());
David Benjamin31b0c9b2017-07-20 14:49:15 -0400[diff] [blame]1686 bssl::UniquePtr<SSL_SESSION> session1 =
1687 bssl::SSL_SESSION_dup(session0, SSL_SESSION_DUP_ALL);
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1688 ASSERT_TRUE(session1);
David Benjamin4501bd52016-08-01 13:39:41 -0400[diff] [blame]1689
Steven Valdez84b5c002016-08-25 16:30:58 -0400[diff] [blame]1690 session1->not_resumable = 0;
1691
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]1692 uint8_t *s0_bytes, *s1_bytes;
1693 size_t s0_len, s1_len;
1694
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1695 ASSERT_TRUE(SSL_SESSION_to_bytes(session0, &s0_bytes, &s0_len));
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1696 bssl::UniquePtr<uint8_t> free_s0(s0_bytes);
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]1697
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1698 ASSERT_TRUE(SSL_SESSION_to_bytes(session1.get(), &s1_bytes, &s1_len));
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1699 bssl::UniquePtr<uint8_t> free_s1(s1_bytes);
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]1700
David Benjamin7d7554b2017-02-04 11:48:59 -0500[diff] [blame]1701 EXPECT_EQ(Bytes(s0_bytes, s0_len), Bytes(s1_bytes, s1_len));
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]1702}
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1703
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1704static void ExpectFDs(const SSL *ssl, int rfd, int wfd) {
David Benjaminca743582017-06-15 17:51:35 -0400[diff] [blame]1705 EXPECT_EQ(rfd, SSL_get_fd(ssl));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1706 EXPECT_EQ(rfd, SSL_get_rfd(ssl));
1707 EXPECT_EQ(wfd, SSL_get_wfd(ssl));
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1708
1709 // The wrapper BIOs are always equal when fds are equal, even if set
1710 // individually.
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1711 if (rfd == wfd) {
1712 EXPECT_EQ(SSL_get_rbio(ssl), SSL_get_wbio(ssl));
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1713 }
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1714}
1715
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1716TEST(SSLTest, SetFD) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1717 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1718 ASSERT_TRUE(ctx);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1719
1720 // Test setting different read and write FDs.
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1721 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1722 ASSERT_TRUE(ssl);
1723 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
1724 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 2));
1725 ExpectFDs(ssl.get(), 1, 2);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1726
1727 // Test setting the same FD.
1728 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1729 ASSERT_TRUE(ssl);
1730 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
1731 ExpectFDs(ssl.get(), 1, 1);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1732
1733 // Test setting the same FD one side at a time.
1734 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1735 ASSERT_TRUE(ssl);
1736 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
1737 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 1));
1738 ExpectFDs(ssl.get(), 1, 1);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1739
1740 // Test setting the same FD in the other order.
1741 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1742 ASSERT_TRUE(ssl);
1743 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 1));
1744 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
1745 ExpectFDs(ssl.get(), 1, 1);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1746
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1747 // Test changing the read FD partway through.
1748 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1749 ASSERT_TRUE(ssl);
1750 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
1751 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 2));
1752 ExpectFDs(ssl.get(), 2, 1);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1753
1754 // Test changing the write FD partway through.
1755 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1756 ASSERT_TRUE(ssl);
1757 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
1758 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 2));
1759 ExpectFDs(ssl.get(), 1, 2);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1760
1761 // Test a no-op change to the read FD partway through.
1762 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1763 ASSERT_TRUE(ssl);
1764 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
1765 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
1766 ExpectFDs(ssl.get(), 1, 1);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1767
1768 // Test a no-op change to the write FD partway through.
1769 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1770 ASSERT_TRUE(ssl);
1771 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
1772 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 1));
1773 ExpectFDs(ssl.get(), 1, 1);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1774
1775 // ASan builds will implicitly test that the internal |BIO| reference-counting
1776 // is correct.
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1777}
1778
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1779TEST(SSLTest, SetBIO) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1780 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1781 ASSERT_TRUE(ctx);
David Benjamin4501bd52016-08-01 13:39:41 -0400[diff] [blame]1782
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1783 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
1784 bssl::UniquePtr<BIO> bio1(BIO_new(BIO_s_mem())), bio2(BIO_new(BIO_s_mem())),
David Benjamin4501bd52016-08-01 13:39:41 -0400[diff] [blame]1785 bio3(BIO_new(BIO_s_mem()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1786 ASSERT_TRUE(ssl);
1787 ASSERT_TRUE(bio1);
1788 ASSERT_TRUE(bio2);
1789 ASSERT_TRUE(bio3);
David Benjamin4501bd52016-08-01 13:39:41 -0400[diff] [blame]1790
1791 // SSL_set_bio takes one reference when the parameters are the same.
1792 BIO_up_ref(bio1.get());
1793 SSL_set_bio(ssl.get(), bio1.get(), bio1.get());
1794
1795 // Repeating the call does nothing.
1796 SSL_set_bio(ssl.get(), bio1.get(), bio1.get());
1797
1798 // It takes one reference each when the parameters are different.
1799 BIO_up_ref(bio2.get());
1800 BIO_up_ref(bio3.get());
1801 SSL_set_bio(ssl.get(), bio2.get(), bio3.get());
1802
1803 // Repeating the call does nothing.
1804 SSL_set_bio(ssl.get(), bio2.get(), bio3.get());
1805
1806 // It takes one reference when changing only wbio.
1807 BIO_up_ref(bio1.get());
1808 SSL_set_bio(ssl.get(), bio2.get(), bio1.get());
1809
1810 // It takes one reference when changing only rbio and the two are different.
1811 BIO_up_ref(bio3.get());
1812 SSL_set_bio(ssl.get(), bio3.get(), bio1.get());
1813
1814 // If setting wbio to rbio, it takes no additional references.
1815 SSL_set_bio(ssl.get(), bio3.get(), bio3.get());
1816
1817 // From there, wbio may be switched to something else.
1818 BIO_up_ref(bio1.get());
1819 SSL_set_bio(ssl.get(), bio3.get(), bio1.get());
1820
1821 // If setting rbio to wbio, it takes no additional references.
1822 SSL_set_bio(ssl.get(), bio1.get(), bio1.get());
1823
1824 // From there, rbio may be switched to something else, but, for historical
1825 // reasons, it takes a reference to both parameters.
1826 BIO_up_ref(bio1.get());
1827 BIO_up_ref(bio2.get());
1828 SSL_set_bio(ssl.get(), bio2.get(), bio1.get());
1829
1830 // ASAN builds will implicitly test that the internal |BIO| reference-counting
1831 // is correct.
David Benjamin4501bd52016-08-01 13:39:41 -0400[diff] [blame]1832}
1833
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]1834static int VerifySucceed(X509_STORE_CTX *store_ctx, void *arg) { return 1; }
1835
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]1836TEST_P(SSLVersionTest, GetPeerCertificate) {
1837 ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]1838
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1839 // Configure both client and server to accept any certificate.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]1840 SSL_CTX_set_verify(client_ctx_.get(),
1841 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
1842 nullptr);
1843 SSL_CTX_set_cert_verify_callback(client_ctx_.get(), VerifySucceed, NULL);
1844 SSL_CTX_set_verify(server_ctx_.get(),
1845 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
1846 nullptr);
1847 SSL_CTX_set_cert_verify_callback(server_ctx_.get(), VerifySucceed, NULL);
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]1848
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]1849 ASSERT_TRUE(Connect());
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]1850
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1851 // Client and server should both see the leaf certificate.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]1852 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(server_.get()));
1853 ASSERT_TRUE(peer);
1854 ASSERT_EQ(X509_cmp(cert_.get(), peer.get()), 0);
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]1855
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]1856 peer.reset(SSL_get_peer_certificate(client_.get()));
1857 ASSERT_TRUE(peer);
1858 ASSERT_EQ(X509_cmp(cert_.get(), peer.get()), 0);
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]1859
David Benjamine664a532017-07-20 20:19:36 -0400[diff] [blame]1860 // However, for historical reasons, the X509 chain includes the leaf on the
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1861 // client, but does not on the server.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]1862 EXPECT_EQ(sk_X509_num(SSL_get_peer_cert_chain(client_.get())), 1u);
1863 EXPECT_EQ(sk_CRYPTO_BUFFER_num(SSL_get0_peer_certificates(client_.get())),
1864 1u);
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]1865
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]1866 EXPECT_EQ(sk_X509_num(SSL_get_peer_cert_chain(server_.get())), 0u);
1867 EXPECT_EQ(sk_CRYPTO_BUFFER_num(SSL_get0_peer_certificates(server_.get())),
1868 1u);
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]1869}
1870
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]1871TEST_P(SSLVersionTest, NoPeerCertificate) {
1872 SSL_CTX_set_verify(server_ctx_.get(), SSL_VERIFY_PEER, nullptr);
1873 SSL_CTX_set_cert_verify_callback(server_ctx_.get(), VerifySucceed, NULL);
1874 SSL_CTX_set_cert_verify_callback(client_ctx_.get(), VerifySucceed, NULL);
David Benjamine664a532017-07-20 20:19:36 -0400[diff] [blame]1875
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]1876 ASSERT_TRUE(Connect());
David Benjamine664a532017-07-20 20:19:36 -0400[diff] [blame]1877
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]1878 // Server should not see a peer certificate.
1879 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(server_.get()));
1880 ASSERT_FALSE(peer);
1881 ASSERT_FALSE(SSL_get0_peer_certificates(server_.get()));
David Benjamine664a532017-07-20 20:19:36 -0400[diff] [blame]1882}
1883
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]1884TEST_P(SSLVersionTest, RetainOnlySHA256OfCerts) {
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]1885 uint8_t *cert_der = NULL;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]1886 int cert_der_len = i2d_X509(cert_.get(), &cert_der);
1887 ASSERT_GE(cert_der_len, 0);
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1888 bssl::UniquePtr<uint8_t> free_cert_der(cert_der);
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]1889
1890 uint8_t cert_sha256[SHA256_DIGEST_LENGTH];
1891 SHA256(cert_der, cert_der_len, cert_sha256);
1892
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]1893 ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
1894
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1895 // Configure both client and server to accept any certificate, but the
1896 // server must retain only the SHA-256 of the peer.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]1897 SSL_CTX_set_verify(client_ctx_.get(),
1898 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
1899 nullptr);
1900 SSL_CTX_set_verify(server_ctx_.get(),
1901 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
1902 nullptr);
1903 SSL_CTX_set_cert_verify_callback(client_ctx_.get(), VerifySucceed, NULL);
1904 SSL_CTX_set_cert_verify_callback(server_ctx_.get(), VerifySucceed, NULL);
1905 SSL_CTX_set_retain_only_sha256_of_client_certs(server_ctx_.get(), 1);
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]1906
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]1907 ASSERT_TRUE(Connect());
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]1908
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1909 // The peer certificate has been dropped.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]1910 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(server_.get()));
1911 EXPECT_FALSE(peer);
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]1912
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]1913 SSL_SESSION *session = SSL_get_session(server_.get());
1914 EXPECT_TRUE(session->peer_sha256_valid);
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]1915
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]1916 EXPECT_EQ(Bytes(cert_sha256), Bytes(session->peer_sha256));
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]1917}
1918
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1919static bool ClientHelloMatches(uint16_t version, const uint8_t *expected,
1920 size_t expected_len) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1921 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1922 // Our default cipher list varies by CPU capabilities, so manually place the
1923 // ChaCha20 ciphers in front.
Matthew Braithwaite7e06de52017-04-10 15:52:14 -0700[diff] [blame]1924 const char* cipher_list = "CHACHA20:ALL";
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]1925 if (!ctx ||
David Benjamin3cfeb952017-03-01 16:48:38 -0500[diff] [blame]1926 // SSLv3 is off by default.
1927 !SSL_CTX_set_min_proto_version(ctx.get(), SSL3_VERSION) ||
David Benjamine4706902016-09-20 15:12:23 -0400[diff] [blame]1928 !SSL_CTX_set_max_proto_version(ctx.get(), version) ||
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1929 !SSL_CTX_set_strict_cipher_list(ctx.get(), cipher_list)) {
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1930 return false;
1931 }
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]1932
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1933 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1934 if (!ssl) {
1935 return false;
1936 }
1937 std::vector<uint8_t> client_hello;
1938 if (!GetClientHello(ssl.get(), &client_hello)) {
1939 return false;
1940 }
1941
1942 // Zero the client_random.
1943 constexpr size_t kRandomOffset = 1 + 2 + 2 + // record header
1944 1 + 3 + // handshake message header
1945 2; // client_version
1946 if (client_hello.size() < kRandomOffset + SSL3_RANDOM_SIZE) {
1947 fprintf(stderr, "ClientHello for version %04x too short.\n", version);
1948 return false;
1949 }
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]1950 OPENSSL_memset(client_hello.data() + kRandomOffset, 0, SSL3_RANDOM_SIZE);
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1951
1952 if (client_hello.size() != expected_len ||
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]1953 OPENSSL_memcmp(client_hello.data(), expected, expected_len) != 0) {
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1954 fprintf(stderr, "ClientHello for version %04x did not match:\n", version);
1955 fprintf(stderr, "Got:\n\t");
1956 for (size_t i = 0; i < client_hello.size(); i++) {
1957 fprintf(stderr, "0x%02x, ", client_hello[i]);
1958 }
1959 fprintf(stderr, "\nWanted:\n\t");
1960 for (size_t i = 0; i < expected_len; i++) {
1961 fprintf(stderr, "0x%02x, ", expected[i]);
1962 }
1963 fprintf(stderr, "\n");
1964 return false;
1965 }
1966
1967 return true;
1968}
1969
1970// Tests that our ClientHellos do not change unexpectedly.
1971static bool TestClientHello() {
1972 static const uint8_t kSSL3ClientHello[] = {
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1973 0x16,
1974 0x03, 0x00,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1975 0x00, 0x3b,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1976 0x01,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1977 0x00, 0x00, 0x37,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1978 0x03, 0x00,
1979 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1980 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1981 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1982 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1983 0x00,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1984 0x00, 0x10,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1985 0xc0, 0x09,
1986 0xc0, 0x13,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1987 0xc0, 0x0a,
1988 0xc0, 0x14,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1989 0x00, 0x2f,
1990 0x00, 0x35,
1991 0x00, 0x0a,
1992 0x00, 0xff, 0x01, 0x00,
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1993 };
1994 if (!ClientHelloMatches(SSL3_VERSION, kSSL3ClientHello,
1995 sizeof(kSSL3ClientHello))) {
1996 return false;
1997 }
1998
1999 static const uint8_t kTLS1ClientHello[] = {
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]2000 0x16,
2001 0x03, 0x01,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]2002 0x00, 0x5a,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]2003 0x01,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]2004 0x00, 0x00, 0x56,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]2005 0x03, 0x01,
2006 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2007 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2008 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2009 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2010 0x00,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]2011 0x00, 0x0e,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]2012 0xc0, 0x09,
2013 0xc0, 0x13,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]2014 0xc0, 0x0a,
2015 0xc0, 0x14,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]2016 0x00, 0x2f,
2017 0x00, 0x35,
2018 0x00, 0x0a,
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]2019 0x01, 0x00, 0x00, 0x1f, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x17, 0x00,
2020 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00,
2021 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18,
2022 };
2023 if (!ClientHelloMatches(TLS1_VERSION, kTLS1ClientHello,
2024 sizeof(kTLS1ClientHello))) {
2025 return false;
2026 }
2027
2028 static const uint8_t kTLS11ClientHello[] = {
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]2029 0x16,
2030 0x03, 0x01,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]2031 0x00, 0x5a,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]2032 0x01,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]2033 0x00, 0x00, 0x56,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]2034 0x03, 0x02,
2035 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2036 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2037 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2038 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2039 0x00,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]2040 0x00, 0x0e,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]2041 0xc0, 0x09,
2042 0xc0, 0x13,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]2043 0xc0, 0x0a,
2044 0xc0, 0x14,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]2045 0x00, 0x2f,
2046 0x00, 0x35,
2047 0x00, 0x0a,
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]2048 0x01, 0x00, 0x00, 0x1f, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x17, 0x00,
2049 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00,
2050 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18,
2051 };
2052 if (!ClientHelloMatches(TLS1_1_VERSION, kTLS11ClientHello,
2053 sizeof(kTLS11ClientHello))) {
2054 return false;
2055 }
2056
David Benjamin3b584332017-01-24 22:47:18 -0500[diff] [blame]2057 // kTLS12ClientHello assumes RSA-PSS, which is disabled for Android system
2058 // builds.
2059#if defined(BORINGSSL_ANDROID_SYSTEM)
2060 return true;
2061#endif
2062
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]2063 static const uint8_t kTLS12ClientHello[] = {
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]2064 0x16,
2065 0x03, 0x01,
2066 0x00, 0x8e,
2067 0x01,
2068 0x00, 0x00, 0x8a,
2069 0x03, 0x03,
David Benjamin57e929f2016-08-30 00:30:38 -0400[diff] [blame]2070 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2071 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]2072 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2073 0x00, 0x2a,
2074 0xcc, 0xa9,
2075 0xcc, 0xa8,
2076 0xc0, 0x2b,
2077 0xc0, 0x2f,
2078 0xc0, 0x2c,
2079 0xc0, 0x30,
2080 0xc0, 0x09,
2081 0xc0, 0x23,
2082 0xc0, 0x13,
2083 0xc0, 0x27,
2084 0xc0, 0x0a,
2085 0xc0, 0x24,
2086 0xc0, 0x14,
2087 0xc0, 0x28,
2088 0x00, 0x9c,
2089 0x00, 0x9d,
2090 0x00, 0x2f,
2091 0x00, 0x3c,
2092 0x00, 0x35,
2093 0x00, 0x3d,
2094 0x00, 0x0a,
2095 0x01, 0x00, 0x00, 0x37, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x17, 0x00,
2096 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x14, 0x00, 0x12, 0x04,
2097 0x03, 0x08, 0x04, 0x04, 0x01, 0x05, 0x03, 0x08, 0x05, 0x05, 0x01, 0x08,
2098 0x06, 0x06, 0x01, 0x02, 0x01, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00,
2099 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18,
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]2100 };
2101 if (!ClientHelloMatches(TLS1_2_VERSION, kTLS12ClientHello,
2102 sizeof(kTLS12ClientHello))) {
2103 return false;
2104 }
2105
2106 // TODO(davidben): Add a change detector for TLS 1.3 once the spec and our
2107 // implementation has settled enough that it won't change.
2108
2109 return true;
2110}
2111
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2112static bssl::UniquePtr<SSL_SESSION> g_last_session;
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2113
2114static int SaveLastSession(SSL *ssl, SSL_SESSION *session) {
2115 // Save the most recent session.
2116 g_last_session.reset(session);
2117 return 1;
2118}
2119
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2120static bssl::UniquePtr<SSL_SESSION> CreateClientSession(SSL_CTX *client_ctx,
Steven Valdeze831a812017-03-09 14:56:07 -0500[diff] [blame]2121 SSL_CTX *server_ctx) {
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2122 g_last_session = nullptr;
2123 SSL_CTX_sess_set_new_cb(client_ctx, SaveLastSession);
2124
2125 // Connect client and server to get a session.
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2126 bssl::UniquePtr<SSL> client, server;
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2127 if (!ConnectClientAndServer(&client, &server, client_ctx, server_ctx,
2128 nullptr /* no session */)) {
2129 fprintf(stderr, "Failed to connect client and server.\n");
2130 return nullptr;
2131 }
2132
2133 // Run the read loop to account for post-handshake tickets in TLS 1.3.
2134 SSL_read(client.get(), nullptr, 0);
2135
2136 SSL_CTX_sess_set_new_cb(client_ctx, nullptr);
2137
2138 if (!g_last_session) {
2139 fprintf(stderr, "Client did not receive a session.\n");
2140 return nullptr;
2141 }
2142 return std::move(g_last_session);
2143}
2144
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2145static void ExpectSessionReused(SSL_CTX *client_ctx, SSL_CTX *server_ctx,
2146 SSL_SESSION *session, bool want_reused) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2147 bssl::UniquePtr<SSL> client, server;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2148 EXPECT_TRUE(ConnectClientAndServer(&client, &server, client_ctx, server_ctx,
2149 session));
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2150
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2151 EXPECT_EQ(SSL_session_reused(client.get()), SSL_session_reused(server.get()));
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2152
2153 bool was_reused = !!SSL_session_reused(client.get());
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2154 EXPECT_EQ(was_reused, want_reused);
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2155}
2156
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]2157static bssl::UniquePtr<SSL_SESSION> ExpectSessionRenewed(SSL_CTX *client_ctx,
2158 SSL_CTX *server_ctx,
2159 SSL_SESSION *session) {
2160 g_last_session = nullptr;
2161 SSL_CTX_sess_set_new_cb(client_ctx, SaveLastSession);
2162
2163 bssl::UniquePtr<SSL> client, server;
2164 if (!ConnectClientAndServer(&client, &server, client_ctx,
2165 server_ctx, session)) {
2166 fprintf(stderr, "Failed to connect client and server.\n");
2167 return nullptr;
2168 }
2169
2170 if (SSL_session_reused(client.get()) != SSL_session_reused(server.get())) {
2171 fprintf(stderr, "Client and server were inconsistent.\n");
2172 return nullptr;
2173 }
2174
2175 if (!SSL_session_reused(client.get())) {
2176 fprintf(stderr, "Session was not reused.\n");
2177 return nullptr;
2178 }
2179
2180 // Run the read loop to account for post-handshake tickets in TLS 1.3.
2181 SSL_read(client.get(), nullptr, 0);
2182
2183 SSL_CTX_sess_set_new_cb(client_ctx, nullptr);
2184
2185 if (!g_last_session) {
2186 fprintf(stderr, "Client did not receive a renewed session.\n");
2187 return nullptr;
2188 }
2189 return std::move(g_last_session);
2190}
2191
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2192static void ExpectTicketKeyChanged(SSL_CTX *ctx, uint8_t *inout_key,
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]2193 bool changed) {
2194 uint8_t new_key[kTicketKeyLen];
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame^]2195 // May return 0, 1 or 48.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2196 ASSERT_EQ(SSL_CTX_get_tlsext_ticket_keys(ctx, new_key, kTicketKeyLen), 1);
2197 if (changed) {
2198 ASSERT_NE(Bytes(inout_key, kTicketKeyLen), Bytes(new_key));
2199 } else {
2200 ASSERT_EQ(Bytes(inout_key, kTicketKeyLen), Bytes(new_key));
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]2201 }
2202 OPENSSL_memcpy(inout_key, new_key, kTicketKeyLen);
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]2203}
2204
David Benjamina933c382016-10-28 00:10:03 -0400[diff] [blame]2205static int SwitchSessionIDContextSNI(SSL *ssl, int *out_alert, void *arg) {
2206 static const uint8_t kContext[] = {3};
2207
2208 if (!SSL_set_session_id_context(ssl, kContext, sizeof(kContext))) {
2209 return SSL_TLSEXT_ERR_ALERT_FATAL;
2210 }
2211
2212 return SSL_TLSEXT_ERR_OK;
2213}
2214
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2215TEST_P(SSLVersionTest, SessionIDContext) {
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2216 static const uint8_t kContext1[] = {1};
2217 static const uint8_t kContext2[] = {2};
2218
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2219 ASSERT_TRUE(SSL_CTX_set_session_id_context(server_ctx_.get(), kContext1,
2220 sizeof(kContext1)));
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2221
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2222 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
2223 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2224
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2225 bssl::UniquePtr<SSL_SESSION> session =
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2226 CreateClientSession(client_ctx_.get(), server_ctx_.get());
2227 ASSERT_TRUE(session);
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2228
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2229 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2230 session.get(),
2231 true /* expect session reused */));
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2232
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2233 // Change the session ID context.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2234 ASSERT_TRUE(SSL_CTX_set_session_id_context(server_ctx_.get(), kContext2,
2235 sizeof(kContext2)));
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2236
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2237 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2238 session.get(),
2239 false /* expect session not reused */));
David Benjamina933c382016-10-28 00:10:03 -0400[diff] [blame]2240
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2241 // Change the session ID context back and install an SNI callback to switch
2242 // it.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2243 ASSERT_TRUE(SSL_CTX_set_session_id_context(server_ctx_.get(), kContext1,
2244 sizeof(kContext1)));
David Benjamina933c382016-10-28 00:10:03 -0400[diff] [blame]2245
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2246 SSL_CTX_set_tlsext_servername_callback(server_ctx_.get(),
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2247 SwitchSessionIDContextSNI);
David Benjamina933c382016-10-28 00:10:03 -0400[diff] [blame]2248
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2249 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2250 session.get(),
2251 false /* expect session not reused */));
David Benjamina933c382016-10-28 00:10:03 -0400[diff] [blame]2252
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2253 // Switch the session ID context with the early callback instead.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2254 SSL_CTX_set_tlsext_servername_callback(server_ctx_.get(), nullptr);
Alessandro Ghedini57e81e62017-03-14 23:36:00 +0000[diff] [blame]2255 SSL_CTX_set_select_certificate_cb(
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2256 server_ctx_.get(),
Alessandro Ghedini57e81e62017-03-14 23:36:00 +0000[diff] [blame]2257 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
2258 static const uint8_t kContext[] = {3};
2259
2260 if (!SSL_set_session_id_context(client_hello->ssl, kContext,
2261 sizeof(kContext))) {
2262 return ssl_select_cert_error;
2263 }
2264
2265 return ssl_select_cert_success;
2266 });
David Benjamina933c382016-10-28 00:10:03 -0400[diff] [blame]2267
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2268 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2269 session.get(),
2270 false /* expect session not reused */));
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2271}
2272
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]2273static timeval g_current_time;
2274
2275static void CurrentTimeCallback(const SSL *ssl, timeval *out_clock) {
2276 *out_clock = g_current_time;
2277}
2278
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2279static void FrozenTimeCallback(const SSL *ssl, timeval *out_clock) {
2280 out_clock->tv_sec = 1000;
2281 out_clock->tv_usec = 0;
2282}
2283
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]2284static int RenewTicketCallback(SSL *ssl, uint8_t *key_name, uint8_t *iv,
2285 EVP_CIPHER_CTX *ctx, HMAC_CTX *hmac_ctx,
2286 int encrypt) {
2287 static const uint8_t kZeros[16] = {0};
2288
2289 if (encrypt) {
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]2290 OPENSSL_memcpy(key_name, kZeros, sizeof(kZeros));
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]2291 RAND_bytes(iv, 16);
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]2292 } else if (OPENSSL_memcmp(key_name, kZeros, 16) != 0) {
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]2293 return 0;
2294 }
2295
2296 if (!HMAC_Init_ex(hmac_ctx, kZeros, sizeof(kZeros), EVP_sha256(), NULL) ||
2297 !EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, kZeros, iv, encrypt)) {
2298 return -1;
2299 }
2300
2301 // Returning two from the callback in decrypt mode renews the
2302 // session in TLS 1.2 and below.
2303 return encrypt ? 1 : 2;
2304}
2305
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]2306static bool GetServerTicketTime(long *out, const SSL_SESSION *session) {
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]2307 if (session->tlsext_ticklen < 16 + 16 + SHA256_DIGEST_LENGTH) {
2308 return false;
2309 }
2310
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]2311 const uint8_t *ciphertext = session->tlsext_tick + 16 + 16;
2312 size_t len = session->tlsext_ticklen - 16 - 16 - SHA256_DIGEST_LENGTH;
2313 std::unique_ptr<uint8_t[]> plaintext(new uint8_t[len]);
2314
David Benjamin9b63f292016-11-15 00:44:05 -0500[diff] [blame]2315#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
2316 // Fuzzer-mode tickets are unencrypted.
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]2317 OPENSSL_memcpy(plaintext.get(), ciphertext, len);
David Benjamin9b63f292016-11-15 00:44:05 -0500[diff] [blame]2318#else
2319 static const uint8_t kZeros[16] = {0};
2320 const uint8_t *iv = session->tlsext_tick + 16;
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]2321 bssl::ScopedEVP_CIPHER_CTX ctx;
2322 int len1, len2;
2323 if (!EVP_DecryptInit_ex(ctx.get(), EVP_aes_128_cbc(), nullptr, kZeros, iv) ||
2324 !EVP_DecryptUpdate(ctx.get(), plaintext.get(), &len1, ciphertext, len) ||
2325 !EVP_DecryptFinal_ex(ctx.get(), plaintext.get() + len1, &len2)) {
2326 return false;
2327 }
2328
2329 len = static_cast<size_t>(len1 + len2);
David Benjamin9b63f292016-11-15 00:44:05 -0500[diff] [blame]2330#endif
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]2331
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]2332 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
2333 if (!ssl_ctx) {
2334 return false;
2335 }
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]2336 bssl::UniquePtr<SSL_SESSION> server_session(
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]2337 SSL_SESSION_from_bytes(plaintext.get(), len, ssl_ctx.get()));
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]2338 if (!server_session) {
2339 return false;
2340 }
2341
2342 *out = server_session->time;
2343 return true;
2344}
2345
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2346TEST_P(SSLVersionTest, SessionTimeout) {
2347 for (bool server_test : {false, true}) {
2348 SCOPED_TRACE(server_test);
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]2349
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2350 ResetContexts();
2351 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
2352 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
2353
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2354 static const time_t kStartTime = 1000;
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2355 g_current_time.tv_sec = kStartTime;
David Benjamin1b22f852016-10-27 16:36:32 -0400[diff] [blame]2356
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2357 // We are willing to use a longer lifetime for TLS 1.3 sessions as
2358 // resumptions still perform ECDHE.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2359 const time_t timeout = version() == TLS1_3_VERSION
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2360 ? SSL_DEFAULT_SESSION_PSK_DHE_TIMEOUT
2361 : SSL_DEFAULT_SESSION_TIMEOUT;
2362
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2363 // Both client and server must enforce session timeouts. We configure the
2364 // other side with a frozen clock so it never expires tickets.
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2365 if (server_test) {
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2366 SSL_CTX_set_current_time_cb(client_ctx_.get(), FrozenTimeCallback);
2367 SSL_CTX_set_current_time_cb(server_ctx_.get(), CurrentTimeCallback);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2368 } else {
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2369 SSL_CTX_set_current_time_cb(client_ctx_.get(), CurrentTimeCallback);
2370 SSL_CTX_set_current_time_cb(server_ctx_.get(), FrozenTimeCallback);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2371 }
2372
2373 // Configure a ticket callback which renews tickets.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2374 SSL_CTX_set_tlsext_ticket_key_cb(server_ctx_.get(), RenewTicketCallback);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2375
2376 bssl::UniquePtr<SSL_SESSION> session =
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2377 CreateClientSession(client_ctx_.get(), server_ctx_.get());
2378 ASSERT_TRUE(session);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2379
2380 // Advance the clock just behind the timeout.
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2381 g_current_time.tv_sec += timeout - 1;
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2382
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2383 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2384 session.get(),
2385 true /* expect session reused */));
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2386
2387 // Advance the clock one more second.
2388 g_current_time.tv_sec++;
2389
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2390 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2391 session.get(),
2392 false /* expect session not reused */));
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2393
2394 // Rewind the clock to before the session was minted.
2395 g_current_time.tv_sec = kStartTime - 1;
2396
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2397 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2398 session.get(),
2399 false /* expect session not reused */));
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2400
2401 // SSL 3.0 cannot renew sessions.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2402 if (version() == SSL3_VERSION) {
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2403 continue;
2404 }
2405
2406 // Renew the session 10 seconds before expiration.
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2407 time_t new_start_time = kStartTime + timeout - 10;
2408 g_current_time.tv_sec = new_start_time;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2409 bssl::UniquePtr<SSL_SESSION> new_session = ExpectSessionRenewed(
2410 client_ctx_.get(), server_ctx_.get(), session.get());
2411 ASSERT_TRUE(new_session);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2412
2413 // This new session is not the same object as before.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2414 EXPECT_NE(session.get(), new_session.get());
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2415
2416 // Check the sessions have timestamps measured from issuance.
2417 long session_time = 0;
2418 if (server_test) {
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2419 ASSERT_TRUE(GetServerTicketTime(&session_time, new_session.get()));
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2420 } else {
2421 session_time = new_session->time;
2422 }
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]2423
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2424 ASSERT_EQ(session_time, g_current_time.tv_sec);
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]2425
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2426 if (version() == TLS1_3_VERSION) {
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2427 // Renewal incorporates fresh key material in TLS 1.3, so we extend the
2428 // lifetime TLS 1.3.
2429 g_current_time.tv_sec = new_start_time + timeout - 1;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2430 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2431 new_session.get(),
2432 true /* expect session reused */));
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]2433
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2434 // The new session expires after the new timeout.
2435 g_current_time.tv_sec = new_start_time + timeout + 1;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2436 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2437 new_session.get(),
2438 false /* expect session ot reused */));
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2439
2440 // Renew the session until it begins just past the auth timeout.
2441 time_t auth_end_time = kStartTime + SSL_DEFAULT_SESSION_AUTH_TIMEOUT;
2442 while (new_start_time < auth_end_time - 1000) {
2443 // Get as close as possible to target start time.
2444 new_start_time =
2445 std::min(auth_end_time - 1000, new_start_time + timeout - 1);
2446 g_current_time.tv_sec = new_start_time;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2447 new_session = ExpectSessionRenewed(client_ctx_.get(), server_ctx_.get(),
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2448 new_session.get());
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2449 ASSERT_TRUE(new_session);
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2450 }
2451
2452 // Now the session's lifetime is bound by the auth timeout.
2453 g_current_time.tv_sec = auth_end_time - 1;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2454 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2455 new_session.get(),
2456 true /* expect session reused */));
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2457
2458 g_current_time.tv_sec = auth_end_time + 1;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2459 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2460 new_session.get(),
2461 false /* expect session ot reused */));
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2462 } else {
2463 // The new session is usable just before the old expiration.
2464 g_current_time.tv_sec = kStartTime + timeout - 1;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2465 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2466 new_session.get(),
2467 true /* expect session reused */));
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2468
2469 // Renewal does not extend the lifetime, so it is not usable beyond the
2470 // old expiration.
2471 g_current_time.tv_sec = kStartTime + timeout + 1;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2472 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2473 new_session.get(),
2474 false /* expect session not reused */));
David Benjamin1b22f852016-10-27 16:36:32 -0400[diff] [blame]2475 }
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]2476 }
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]2477}
2478
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2479TEST_P(SSLVersionTest, DefaultTicketKeyInitialization) {
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]2480 static const uint8_t kZeroKey[kTicketKeyLen] = {};
2481 uint8_t ticket_key[kTicketKeyLen];
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2482 ASSERT_EQ(1, SSL_CTX_get_tlsext_ticket_keys(server_ctx_.get(), ticket_key,
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]2483 kTicketKeyLen));
2484 ASSERT_NE(0, OPENSSL_memcmp(ticket_key, kZeroKey, kTicketKeyLen));
2485}
2486
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2487TEST_P(SSLVersionTest, DefaultTicketKeyRotation) {
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]2488 if (GetParam().version == SSL3_VERSION) {
2489 return;
2490 }
2491
2492 static const time_t kStartTime = 1001;
2493 g_current_time.tv_sec = kStartTime;
2494 uint8_t ticket_key[kTicketKeyLen];
2495
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame^]2496 // We use session reuse as a proxy for ticket decryption success, hence
2497 // disable session timeouts.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2498 SSL_CTX_set_timeout(server_ctx_.get(), std::numeric_limits<uint32_t>::max());
2499 SSL_CTX_set_session_psk_dhe_timeout(server_ctx_.get(),
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]2500 std::numeric_limits<uint32_t>::max());
2501
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2502 SSL_CTX_set_current_time_cb(client_ctx_.get(), FrozenTimeCallback);
2503 SSL_CTX_set_current_time_cb(server_ctx_.get(), CurrentTimeCallback);
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]2504
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2505 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
2506 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_OFF);
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]2507
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame^]2508 // Initialize ticket_key with the current key.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2509 TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
2510 true /* changed */));
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]2511
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame^]2512 // Verify ticket resumption actually works.
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]2513 bssl::UniquePtr<SSL> client, server;
2514 bssl::UniquePtr<SSL_SESSION> session =
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2515 CreateClientSession(client_ctx_.get(), server_ctx_.get());
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]2516 ASSERT_TRUE(session);
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2517 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]2518 session.get(), true /* reused */));
2519
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame^]2520 // Advance time to just before key rotation.
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]2521 g_current_time.tv_sec += SSL_DEFAULT_TICKET_KEY_ROTATION_INTERVAL - 1;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2522 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]2523 session.get(), true /* reused */));
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2524 TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]2525 false /* NOT changed */));
2526
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame^]2527 // Force key rotation.
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]2528 g_current_time.tv_sec += 1;
2529 bssl::UniquePtr<SSL_SESSION> new_session =
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2530 CreateClientSession(client_ctx_.get(), server_ctx_.get());
2531 TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
2532 true /* changed */));
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]2533
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame^]2534 // Resumption with both old and new ticket should work.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2535 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]2536 session.get(), true /* reused */));
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2537 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]2538 new_session.get(), true /* reused */));
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2539 TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]2540 false /* NOT changed */));
2541
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame^]2542 // Force key rotation again. Resumption with the old ticket now fails.
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]2543 g_current_time.tv_sec += SSL_DEFAULT_TICKET_KEY_ROTATION_INTERVAL;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2544 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]2545 session.get(), false /* NOT reused */));
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2546 TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
2547 true /* changed */));
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]2548
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame^]2549 // But resumption with the newer session still works.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2550 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]2551 new_session.get(), true /* reused */));
2552}
2553
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2554static int SwitchContext(SSL *ssl, int *out_alert, void *arg) {
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2555 SSL_CTX *ctx = reinterpret_cast<SSL_CTX *>(arg);
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2556 SSL_set_SSL_CTX(ssl, ctx);
2557 return SSL_TLSEXT_ERR_OK;
2558}
2559
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2560TEST_P(SSLVersionTest, SNICallback) {
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2561 // SSL 3.0 lacks extensions.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2562 if (version() == SSL3_VERSION) {
2563 return;
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2564 }
2565
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2566 bssl::UniquePtr<X509> cert2 = GetECDSATestCertificate();
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2567 ASSERT_TRUE(cert2);
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2568 bssl::UniquePtr<EVP_PKEY> key2 = GetECDSATestKey();
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2569 ASSERT_TRUE(key2);
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2570
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2571 // Test that switching the |SSL_CTX| at the SNI callback behaves correctly.
2572 static const uint16_t kECDSAWithSHA256 = SSL_SIGN_ECDSA_SECP256R1_SHA256;
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2573
David Benjamin83a32122017-02-14 18:34:54 -0500[diff] [blame]2574 static const uint8_t kSCTList[] = {0, 6, 0, 4, 5, 6, 7, 8};
2575 static const uint8_t kOCSPResponse[] = {1, 2, 3, 4};
2576
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2577 bssl::UniquePtr<SSL_CTX> server_ctx2 = CreateContext();
2578 ASSERT_TRUE(server_ctx2);
2579 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx2.get(), cert2.get()));
2580 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx2.get(), key2.get()));
2581 ASSERT_TRUE(SSL_CTX_set_signed_cert_timestamp_list(
2582 server_ctx2.get(), kSCTList, sizeof(kSCTList)));
2583 ASSERT_TRUE(SSL_CTX_set_ocsp_response(server_ctx2.get(), kOCSPResponse,
2584 sizeof(kOCSPResponse)));
2585 // Historically signing preferences would be lost in some cases with the
2586 // SNI callback, which triggers the TLS 1.2 SHA-1 default. To ensure
2587 // this doesn't happen when |version| is TLS 1.2, configure the private
2588 // key to only sign SHA-256.
2589 ASSERT_TRUE(SSL_CTX_set_signing_algorithm_prefs(server_ctx2.get(),
2590 &kECDSAWithSHA256, 1));
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2591
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2592 SSL_CTX_set_tlsext_servername_callback(server_ctx_.get(), SwitchContext);
2593 SSL_CTX_set_tlsext_servername_arg(server_ctx_.get(), server_ctx2.get());
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2594
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2595 SSL_CTX_enable_signed_cert_timestamps(client_ctx_.get());
2596 SSL_CTX_enable_ocsp_stapling(client_ctx_.get());
David Benjamin83a32122017-02-14 18:34:54 -0500[diff] [blame]2597
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2598 ASSERT_TRUE(Connect());
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2599
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2600 // The client should have received |cert2|.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2601 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(client_.get()));
2602 ASSERT_TRUE(peer);
2603 EXPECT_EQ(X509_cmp(peer.get(), cert2.get()), 0);
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2604
David Benjamin83a32122017-02-14 18:34:54 -0500[diff] [blame]2605 // The client should have received |server_ctx2|'s SCT list.
2606 const uint8_t *data;
2607 size_t len;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2608 SSL_get0_signed_cert_timestamp_list(client_.get(), &data, &len);
2609 EXPECT_EQ(Bytes(kSCTList), Bytes(data, len));
David Benjamin83a32122017-02-14 18:34:54 -0500[diff] [blame]2610
2611 // The client should have received |server_ctx2|'s OCSP response.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2612 SSL_get0_ocsp_response(client_.get(), &data, &len);
2613 EXPECT_EQ(Bytes(kOCSPResponse), Bytes(data, len));
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2614}
2615
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2616// Test that the early callback can swap the maximum version.
2617TEST(SSLTest, EarlyCallbackVersionSwitch) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2618 bssl::UniquePtr<X509> cert = GetTestCertificate();
2619 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
2620 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
2621 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2622 ASSERT_TRUE(cert);
2623 ASSERT_TRUE(key);
2624 ASSERT_TRUE(server_ctx);
2625 ASSERT_TRUE(client_ctx);
2626 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
2627 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
2628 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION));
2629 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
David Benjamin99620572016-08-30 00:35:36 -0400[diff] [blame]2630
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2631 SSL_CTX_set_select_certificate_cb(
Alessandro Ghedini57e81e62017-03-14 23:36:00 +0000[diff] [blame]2632 server_ctx.get(),
2633 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2634 if (!SSL_set_max_proto_version(client_hello->ssl, TLS1_2_VERSION)) {
Alessandro Ghedini57e81e62017-03-14 23:36:00 +0000[diff] [blame]2635 return ssl_select_cert_error;
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2636 }
2637
Alessandro Ghedini57e81e62017-03-14 23:36:00 +0000[diff] [blame]2638 return ssl_select_cert_success;
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2639 });
David Benjamin99620572016-08-30 00:35:36 -0400[diff] [blame]2640
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2641 bssl::UniquePtr<SSL> client, server;
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2642 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
2643 server_ctx.get(), nullptr));
2644 EXPECT_EQ(TLS1_2_VERSION, SSL_version(client.get()));
David Benjamin99620572016-08-30 00:35:36 -0400[diff] [blame]2645}
2646
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2647TEST(SSLTest, SetVersion) {
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2648 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2649 ASSERT_TRUE(ctx);
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2650
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2651 // Set valid TLS versions.
2652 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_VERSION));
2653 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_1_VERSION));
2654 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_VERSION));
2655 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_1_VERSION));
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2656
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2657 // Invalid TLS versions are rejected.
2658 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), DTLS1_VERSION));
2659 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0x0200));
2660 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0x1234));
2661 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), DTLS1_VERSION));
2662 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x0200));
2663 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x1234));
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2664
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2665 // Zero is the default version.
2666 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), 0));
David Benjaminfc08dfc2017-06-20 14:39:32 -0400[diff] [blame]2667 EXPECT_EQ(TLS1_2_VERSION, ctx->conf_max_version);
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2668 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), 0));
David Benjaminfc08dfc2017-06-20 14:39:32 -0400[diff] [blame]2669 EXPECT_EQ(TLS1_VERSION, ctx->conf_min_version);
David Benjamin3cfeb952017-03-01 16:48:38 -0500[diff] [blame]2670
2671 // SSL 3.0 and TLS 1.3 are available, but not by default.
2672 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), SSL3_VERSION));
David Benjaminfc08dfc2017-06-20 14:39:32 -0400[diff] [blame]2673 EXPECT_EQ(SSL3_VERSION, ctx->conf_min_version);
David Benjamin3cfeb952017-03-01 16:48:38 -0500[diff] [blame]2674 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_3_VERSION));
David Benjaminfc08dfc2017-06-20 14:39:32 -0400[diff] [blame]2675 EXPECT_EQ(TLS1_3_VERSION, ctx->conf_max_version);
David Benjamine34bcc92016-09-21 16:53:09 -0400[diff] [blame]2676
David Benjamin353577c2017-06-29 15:54:58 -0400[diff] [blame]2677 // TLS1_3_DRAFT_VERSION is not an API-level version.
2678 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_3_DRAFT_VERSION));
2679 ERR_clear_error();
2680
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2681 ctx.reset(SSL_CTX_new(DTLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2682 ASSERT_TRUE(ctx);
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2683
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2684 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), DTLS1_VERSION));
2685 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), DTLS1_2_VERSION));
2686 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), DTLS1_VERSION));
2687 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), DTLS1_2_VERSION));
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2688
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2689 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_VERSION));
2690 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0xfefe /* DTLS 1.1 */));
2691 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0xfffe /* DTLS 0.1 */));
2692 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0x1234));
2693 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_VERSION));
2694 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0xfefe /* DTLS 1.1 */));
2695 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0xfffe /* DTLS 0.1 */));
2696 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x1234));
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2697
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2698 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), 0));
David Benjaminfc08dfc2017-06-20 14:39:32 -0400[diff] [blame]2699 EXPECT_EQ(TLS1_2_VERSION, ctx->conf_max_version);
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2700 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), 0));
David Benjaminfc08dfc2017-06-20 14:39:32 -0400[diff] [blame]2701 EXPECT_EQ(TLS1_1_VERSION, ctx->conf_min_version);
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2702}
2703
David Benjamin458334a2016-12-15 13:53:25 -0500[diff] [blame]2704static const char *GetVersionName(uint16_t version) {
2705 switch (version) {
2706 case SSL3_VERSION:
2707 return "SSLv3";
2708 case TLS1_VERSION:
2709 return "TLSv1";
2710 case TLS1_1_VERSION:
2711 return "TLSv1.1";
2712 case TLS1_2_VERSION:
2713 return "TLSv1.2";
2714 case TLS1_3_VERSION:
2715 return "TLSv1.3";
2716 case DTLS1_VERSION:
2717 return "DTLSv1";
2718 case DTLS1_2_VERSION:
2719 return "DTLSv1.2";
2720 default:
2721 return "???";
2722 }
2723}
2724
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2725TEST_P(SSLVersionTest, Version) {
2726 ASSERT_TRUE(Connect());
David Benjamincb18ac22016-09-27 14:09:15 -0400[diff] [blame]2727
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2728 EXPECT_EQ(SSL_version(client_.get()), version());
2729 EXPECT_EQ(SSL_version(server_.get()), version());
David Benjamincb18ac22016-09-27 14:09:15 -0400[diff] [blame]2730
David Benjamin458334a2016-12-15 13:53:25 -0500[diff] [blame]2731 // Test the version name is reported as expected.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2732 const char *version_name = GetVersionName(version());
2733 EXPECT_EQ(strcmp(version_name, SSL_get_version(client_.get())), 0);
2734 EXPECT_EQ(strcmp(version_name, SSL_get_version(server_.get())), 0);
David Benjamin458334a2016-12-15 13:53:25 -0500[diff] [blame]2735
2736 // Test SSL_SESSION reports the same name.
2737 const char *client_name =
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2738 SSL_SESSION_get_version(SSL_get_session(client_.get()));
David Benjamin458334a2016-12-15 13:53:25 -0500[diff] [blame]2739 const char *server_name =
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2740 SSL_SESSION_get_version(SSL_get_session(server_.get()));
2741 EXPECT_EQ(strcmp(version_name, client_name), 0);
2742 EXPECT_EQ(strcmp(version_name, server_name), 0);
David Benjamincb18ac22016-09-27 14:09:15 -0400[diff] [blame]2743}
2744
David Benjamin9ef31f02016-10-31 18:01:13 -0400[diff] [blame]2745// Tests that that |SSL_get_pending_cipher| is available during the ALPN
2746// selection callback.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2747TEST_P(SSLVersionTest, ALPNCipherAvailable) {
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2748 // SSL 3.0 lacks extensions.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2749 if (version() == SSL3_VERSION) {
2750 return;
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2751 }
2752
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2753 ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
2754
David Benjamin9ef31f02016-10-31 18:01:13 -0400[diff] [blame]2755 static const uint8_t kALPNProtos[] = {0x03, 'f', 'o', 'o'};
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2756 ASSERT_EQ(SSL_CTX_set_alpn_protos(client_ctx_.get(), kALPNProtos,
2757 sizeof(kALPNProtos)),
2758 0);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2759
2760 // The ALPN callback does not fail the handshake on error, so have the
2761 // callback write a boolean.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2762 std::pair<uint16_t, bool> callback_state(version(), false);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2763 SSL_CTX_set_alpn_select_cb(
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2764 server_ctx_.get(),
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2765 [](SSL *ssl, const uint8_t **out, uint8_t *out_len, const uint8_t *in,
2766 unsigned in_len, void *arg) -> int {
2767 auto state = reinterpret_cast<std::pair<uint16_t, bool> *>(arg);
2768 if (SSL_get_pending_cipher(ssl) != nullptr &&
2769 SSL_version(ssl) == state->first) {
2770 state->second = true;
2771 }
2772 return SSL_TLSEXT_ERR_NOACK;
2773 },
2774 &callback_state);
2775
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2776 ASSERT_TRUE(Connect());
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2777
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2778 ASSERT_TRUE(callback_state.second);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2779}
2780
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2781TEST_P(SSLVersionTest, SSLClearSessionResumption) {
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]2782 // Skip this for TLS 1.3. TLS 1.3's ticket mechanism is incompatible with this
2783 // API pattern.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2784 if (version() == TLS1_3_VERSION) {
2785 return;
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]2786 }
2787
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2788 ASSERT_TRUE(Connect());
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]2789
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2790 EXPECT_FALSE(SSL_session_reused(client_.get()));
2791 EXPECT_FALSE(SSL_session_reused(server_.get()));
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]2792
2793 // Reset everything.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2794 ASSERT_TRUE(SSL_clear(client_.get()));
2795 ASSERT_TRUE(SSL_clear(server_.get()));
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]2796
2797 // Attempt to connect a second time.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2798 ASSERT_TRUE(CompleteHandshakes(client_.get(), server_.get()));
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]2799
2800 // |SSL_clear| should implicitly offer the previous session to the server.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2801 EXPECT_TRUE(SSL_session_reused(client_.get()));
2802 EXPECT_TRUE(SSL_session_reused(server_.get()));
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]2803}
2804
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2805static bool ChainsEqual(STACK_OF(X509) * chain,
2806 const std::vector<X509 *> &expected) {
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]2807 if (sk_X509_num(chain) != expected.size()) {
2808 return false;
2809 }
2810
2811 for (size_t i = 0; i < expected.size(); i++) {
2812 if (X509_cmp(sk_X509_value(chain, i), expected[i]) != 0) {
2813 return false;
2814 }
2815 }
2816
2817 return true;
2818}
2819
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2820TEST_P(SSLVersionTest, AutoChain) {
2821 cert_ = GetChainTestCertificate();
2822 ASSERT_TRUE(cert_);
2823 key_ = GetChainTestKey();
2824 ASSERT_TRUE(key_);
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]2825 bssl::UniquePtr<X509> intermediate = GetChainTestIntermediate();
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2826 ASSERT_TRUE(intermediate);
2827
2828 ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
2829 ASSERT_TRUE(UseCertAndKey(server_ctx_.get()));
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]2830
2831 // Configure both client and server to accept any certificate. Add
2832 // |intermediate| to the cert store.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2833 ASSERT_TRUE(X509_STORE_add_cert(SSL_CTX_get_cert_store(client_ctx_.get()),
2834 intermediate.get()));
2835 ASSERT_TRUE(X509_STORE_add_cert(SSL_CTX_get_cert_store(server_ctx_.get()),
2836 intermediate.get()));
2837 SSL_CTX_set_verify(client_ctx_.get(),
2838 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
2839 nullptr);
2840 SSL_CTX_set_verify(server_ctx_.get(),
2841 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
2842 nullptr);
2843 SSL_CTX_set_cert_verify_callback(client_ctx_.get(), VerifySucceed, NULL);
2844 SSL_CTX_set_cert_verify_callback(server_ctx_.get(), VerifySucceed, NULL);
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]2845
2846 // By default, the client and server should each only send the leaf.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2847 ASSERT_TRUE(Connect());
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]2848
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2849 EXPECT_TRUE(
2850 ChainsEqual(SSL_get_peer_full_cert_chain(client_.get()), {cert_.get()}));
2851 EXPECT_TRUE(
2852 ChainsEqual(SSL_get_peer_full_cert_chain(server_.get()), {cert_.get()}));
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]2853
2854 // If auto-chaining is enabled, then the intermediate is sent.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2855 SSL_CTX_clear_mode(client_ctx_.get(), SSL_MODE_NO_AUTO_CHAIN);
2856 SSL_CTX_clear_mode(server_ctx_.get(), SSL_MODE_NO_AUTO_CHAIN);
2857 ASSERT_TRUE(Connect());
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]2858
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2859 EXPECT_TRUE(ChainsEqual(SSL_get_peer_full_cert_chain(client_.get()),
2860 {cert_.get(), intermediate.get()}));
2861 EXPECT_TRUE(ChainsEqual(SSL_get_peer_full_cert_chain(server_.get()),
2862 {cert_.get(), intermediate.get()}));
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]2863
2864 // Auto-chaining does not override explicitly-configured intermediates.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2865 ASSERT_TRUE(SSL_CTX_add1_chain_cert(client_ctx_.get(), cert_.get()));
2866 ASSERT_TRUE(SSL_CTX_add1_chain_cert(server_ctx_.get(), cert_.get()));
2867 ASSERT_TRUE(Connect());
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]2868
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2869 EXPECT_TRUE(ChainsEqual(SSL_get_peer_full_cert_chain(client_.get()),
2870 {cert_.get(), cert_.get()}));
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]2871
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2872 EXPECT_TRUE(ChainsEqual(SSL_get_peer_full_cert_chain(server_.get()),
2873 {cert_.get(), cert_.get()}));
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]2874}
2875
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]2876static bool ExpectBadWriteRetry() {
2877 int err = ERR_get_error();
2878 if (ERR_GET_LIB(err) != ERR_LIB_SSL ||
2879 ERR_GET_REASON(err) != SSL_R_BAD_WRITE_RETRY) {
2880 char buf[ERR_ERROR_STRING_BUF_LEN];
2881 ERR_error_string_n(err, buf, sizeof(buf));
2882 fprintf(stderr, "Wanted SSL_R_BAD_WRITE_RETRY, got: %s.\n", buf);
2883 return false;
2884 }
2885
2886 if (ERR_peek_error() != 0) {
2887 fprintf(stderr, "Unexpected error following SSL_R_BAD_WRITE_RETRY.\n");
2888 return false;
2889 }
2890
2891 return true;
2892}
2893
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2894TEST_P(SSLVersionTest, SSLWriteRetry) {
2895 if (is_dtls()) {
2896 return;
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]2897 }
2898
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2899 for (bool enable_partial_write : {false, true}) {
2900 SCOPED_TRACE(enable_partial_write);
2901
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]2902 // Connect a client and server.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2903 ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
2904
2905 ASSERT_TRUE(Connect());
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]2906
2907 if (enable_partial_write) {
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2908 SSL_set_mode(client_.get(), SSL_MODE_ENABLE_PARTIAL_WRITE);
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]2909 }
2910
2911 // Write without reading until the buffer is full and we have an unfinished
2912 // write. Keep a count so we may reread it again later. "hello!" will be
2913 // written in two chunks, "hello" and "!".
2914 char data[] = "hello!";
2915 static const int kChunkLen = 5; // The length of "hello".
2916 unsigned count = 0;
2917 for (;;) {
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2918 int ret = SSL_write(client_.get(), data, kChunkLen);
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]2919 if (ret <= 0) {
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2920 ASSERT_EQ(SSL_get_error(client_.get(), ret), SSL_ERROR_WANT_WRITE);
2921 break;
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]2922 }
2923
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2924 ASSERT_EQ(ret, 5);
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]2925
2926 count++;
2927 }
2928
2929 // Retrying with the same parameters is legal.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2930 ASSERT_EQ(
2931 SSL_get_error(client_.get(), SSL_write(client_.get(), data, kChunkLen)),
2932 SSL_ERROR_WANT_WRITE);
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]2933
2934 // Retrying with the same buffer but shorter length is not legal.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2935 ASSERT_EQ(SSL_get_error(client_.get(),
2936 SSL_write(client_.get(), data, kChunkLen - 1)),
2937 SSL_ERROR_SSL);
2938 ASSERT_TRUE(ExpectBadWriteRetry());
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]2939
2940 // Retrying with a different buffer pointer is not legal.
2941 char data2[] = "hello";
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2942 ASSERT_EQ(SSL_get_error(client_.get(),
2943 SSL_write(client_.get(), data2, kChunkLen)),
2944 SSL_ERROR_SSL);
2945 ASSERT_TRUE(ExpectBadWriteRetry());
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]2946
2947 // With |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER|, the buffer may move.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2948 SSL_set_mode(client_.get(), SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
2949 ASSERT_EQ(SSL_get_error(client_.get(),
2950 SSL_write(client_.get(), data2, kChunkLen)),
2951 SSL_ERROR_WANT_WRITE);
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]2952
2953 // |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER| does not disable length checks.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2954 ASSERT_EQ(SSL_get_error(client_.get(),
2955 SSL_write(client_.get(), data2, kChunkLen - 1)),
2956 SSL_ERROR_SSL);
2957 ASSERT_TRUE(ExpectBadWriteRetry());
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]2958
2959 // Retrying with a larger buffer is legal.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2960 ASSERT_EQ(SSL_get_error(client_.get(),
2961 SSL_write(client_.get(), data, kChunkLen + 1)),
2962 SSL_ERROR_WANT_WRITE);
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]2963
2964 // Drain the buffer.
2965 char buf[20];
2966 for (unsigned i = 0; i < count; i++) {
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2967 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen);
2968 ASSERT_EQ(OPENSSL_memcmp(buf, "hello", kChunkLen), 0);
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]2969 }
2970
2971 // Now that there is space, a retry with a larger buffer should flush the
2972 // pending record, skip over that many bytes of input (on assumption they
2973 // are the same), and write the remainder. If SSL_MODE_ENABLE_PARTIAL_WRITE
2974 // is set, this will complete in two steps.
2975 char data3[] = "_____!";
2976 if (enable_partial_write) {
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2977 ASSERT_EQ(SSL_write(client_.get(), data3, kChunkLen + 1), kChunkLen);
2978 ASSERT_EQ(SSL_write(client_.get(), data3 + kChunkLen, 1), 1);
2979 } else {
2980 ASSERT_EQ(SSL_write(client_.get(), data3, kChunkLen + 1), kChunkLen + 1);
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]2981 }
2982
2983 // Check the last write was correct. The data will be spread over two
2984 // records, so SSL_read returns twice.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2985 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen);
2986 ASSERT_EQ(OPENSSL_memcmp(buf, "hello", kChunkLen), 0);
2987 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), 1);
2988 ASSERT_EQ(buf[0], '!');
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]2989 }
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]2990}
2991
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2992TEST_P(SSLVersionTest, RecordCallback) {
2993 for (bool test_server : {true, false}) {
2994 SCOPED_TRACE(test_server);
2995 ResetContexts();
David Benjamin5df5be12017-06-22 19:43:11 -0400[diff] [blame]2996
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2997 bool read_seen = false;
2998 bool write_seen = false;
2999 auto cb = [&](int is_write, int cb_version, int cb_type, const void *buf,
3000 size_t len, SSL *ssl) {
3001 if (cb_type != SSL3_RT_HEADER) {
3002 return;
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]3003 }
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3004
3005 // The callback does not report a version for records.
3006 EXPECT_EQ(0, cb_version);
3007
3008 if (is_write) {
3009 write_seen = true;
3010 } else {
3011 read_seen = true;
3012 }
3013
3014 // Sanity-check that the record header is plausible.
3015 CBS cbs;
3016 CBS_init(&cbs, reinterpret_cast<const uint8_t *>(buf), len);
3017 uint8_t type;
3018 uint16_t record_version, length;
3019 ASSERT_TRUE(CBS_get_u8(&cbs, &type));
3020 ASSERT_TRUE(CBS_get_u16(&cbs, &record_version));
3021 EXPECT_TRUE(record_version == version() ||
3022 record_version == (is_dtls() ? DTLS1_VERSION : TLS1_VERSION))
3023 << "Invalid record version: " << record_version;
3024 if (is_dtls()) {
3025 uint16_t epoch;
3026 ASSERT_TRUE(CBS_get_u16(&cbs, &epoch));
3027 EXPECT_TRUE(epoch == 0 || epoch == 1) << "Invalid epoch: " << epoch;
3028 ASSERT_TRUE(CBS_skip(&cbs, 6));
3029 }
3030 ASSERT_TRUE(CBS_get_u16(&cbs, &length));
3031 EXPECT_EQ(0u, CBS_len(&cbs));
3032 };
3033 using CallbackType = decltype(cb);
3034 SSL_CTX *ctx = test_server ? server_ctx_.get() : client_ctx_.get();
3035 SSL_CTX_set_msg_callback(
3036 ctx, [](int is_write, int cb_version, int cb_type, const void *buf,
3037 size_t len, SSL *ssl, void *arg) {
3038 CallbackType *cb_ptr = reinterpret_cast<CallbackType *>(arg);
3039 (*cb_ptr)(is_write, cb_version, cb_type, buf, len, ssl);
3040 });
3041 SSL_CTX_set_msg_callback_arg(ctx, &cb);
3042
3043 ASSERT_TRUE(Connect());
3044
3045 EXPECT_TRUE(read_seen);
3046 EXPECT_TRUE(write_seen);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3047 }
David Benjamin9ef31f02016-10-31 18:01:13 -0400[diff] [blame]3048}
3049
Adam Langleye1e78132017-01-31 15:24:31 -0800[diff] [blame]3050TEST(SSLTest, AddChainCertHack) {
3051 // Ensure that we don't accidently break the hack that we have in place to
3052 // keep curl and serf happy when they use an |X509| even after transfering
3053 // ownership.
3054
3055 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
3056 ASSERT_TRUE(ctx);
3057 X509 *cert = GetTestCertificate().release();
3058 ASSERT_TRUE(cert);
3059 SSL_CTX_add0_chain_cert(ctx.get(), cert);
3060
3061 // This should not trigger a use-after-free.
3062 X509_cmp(cert, cert);
3063}
3064
David Benjaminb2ff2622017-02-03 17:06:18 -0500[diff] [blame]3065TEST(SSLTest, GetCertificate) {
3066 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
3067 ASSERT_TRUE(ctx);
3068 bssl::UniquePtr<X509> cert = GetTestCertificate();
3069 ASSERT_TRUE(cert);
3070 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), cert.get()));
3071 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
3072 ASSERT_TRUE(ssl);
3073
3074 X509 *cert2 = SSL_CTX_get0_certificate(ctx.get());
3075 ASSERT_TRUE(cert2);
3076 X509 *cert3 = SSL_get_certificate(ssl.get());
3077 ASSERT_TRUE(cert3);
3078
3079 // The old and new certificates must be identical.
3080 EXPECT_EQ(0, X509_cmp(cert.get(), cert2));
3081 EXPECT_EQ(0, X509_cmp(cert.get(), cert3));
3082
3083 uint8_t *der = nullptr;
3084 long der_len = i2d_X509(cert.get(), &der);
3085 ASSERT_LT(0, der_len);
3086 bssl::UniquePtr<uint8_t> free_der(der);
3087
3088 uint8_t *der2 = nullptr;
3089 long der2_len = i2d_X509(cert2, &der2);
3090 ASSERT_LT(0, der2_len);
3091 bssl::UniquePtr<uint8_t> free_der2(der2);
3092
3093 uint8_t *der3 = nullptr;
3094 long der3_len = i2d_X509(cert3, &der3);
3095 ASSERT_LT(0, der3_len);
3096 bssl::UniquePtr<uint8_t> free_der3(der3);
3097
3098 // They must also encode identically.
David Benjamin7d7554b2017-02-04 11:48:59 -0500[diff] [blame]3099 EXPECT_EQ(Bytes(der, der_len), Bytes(der2, der2_len));
3100 EXPECT_EQ(Bytes(der, der_len), Bytes(der3, der3_len));
David Benjaminb2ff2622017-02-03 17:06:18 -0500[diff] [blame]3101}
3102
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]3103TEST(SSLTest, SetChainAndKeyMismatch) {
3104 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_with_buffers_method()));
3105 ASSERT_TRUE(ctx);
3106
3107 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
3108 ASSERT_TRUE(key);
3109 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
3110 ASSERT_TRUE(leaf);
3111 std::vector<CRYPTO_BUFFER*> chain = {
3112 leaf.get(),
3113 };
3114
3115 // Should fail because |GetTestKey| doesn't match the chain-test certificate.
3116 ASSERT_FALSE(SSL_CTX_set_chain_and_key(ctx.get(), &chain[0], chain.size(),
3117 key.get(), nullptr));
3118 ERR_clear_error();
3119}
3120
3121TEST(SSLTest, SetChainAndKey) {
3122 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method()));
3123 ASSERT_TRUE(client_ctx);
3124 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_with_buffers_method()));
3125 ASSERT_TRUE(server_ctx);
3126
3127 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
3128 ASSERT_TRUE(key);
3129 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
3130 ASSERT_TRUE(leaf);
3131 bssl::UniquePtr<CRYPTO_BUFFER> intermediate =
3132 GetChainTestIntermediateBuffer();
3133 ASSERT_TRUE(intermediate);
3134 std::vector<CRYPTO_BUFFER*> chain = {
3135 leaf.get(), intermediate.get(),
3136 };
3137 ASSERT_TRUE(SSL_CTX_set_chain_and_key(server_ctx.get(), &chain[0],
3138 chain.size(), key.get(), nullptr));
3139
David Benjamin3a1dd462017-07-11 16:13:10 -0400[diff] [blame]3140 SSL_CTX_set_custom_verify(
3141 client_ctx.get(), SSL_VERIFY_PEER,
3142 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
3143 return ssl_verify_ok;
3144 });
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]3145
3146 bssl::UniquePtr<SSL> client, server;
3147 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
3148 server_ctx.get(),
3149 nullptr /* no session */));
3150}
3151
David Benjamin71dfad42017-07-16 17:27:39 -0400[diff] [blame]3152TEST(SSLTest, ClientCABuffers) {
3153 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method()));
3154 ASSERT_TRUE(client_ctx);
3155 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_with_buffers_method()));
3156 ASSERT_TRUE(server_ctx);
3157
3158 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
3159 ASSERT_TRUE(key);
3160 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
3161 ASSERT_TRUE(leaf);
3162 bssl::UniquePtr<CRYPTO_BUFFER> intermediate =
3163 GetChainTestIntermediateBuffer();
3164 ASSERT_TRUE(intermediate);
3165 std::vector<CRYPTO_BUFFER *> chain = {
3166 leaf.get(),
3167 intermediate.get(),
3168 };
3169 ASSERT_TRUE(SSL_CTX_set_chain_and_key(server_ctx.get(), &chain[0],
3170 chain.size(), key.get(), nullptr));
3171
3172 bssl::UniquePtr<CRYPTO_BUFFER> ca_name(
3173 CRYPTO_BUFFER_new(kTestName, sizeof(kTestName), nullptr));
3174 ASSERT_TRUE(ca_name);
3175 bssl::UniquePtr<STACK_OF(CRYPTO_BUFFER)> ca_names(
3176 sk_CRYPTO_BUFFER_new_null());
3177 ASSERT_TRUE(ca_names);
3178 ASSERT_TRUE(sk_CRYPTO_BUFFER_push(ca_names.get(), ca_name.get()));
3179 ca_name.release();
3180 SSL_CTX_set0_client_CAs(server_ctx.get(), ca_names.release());
3181
3182 // Configure client and server to accept all certificates.
3183 SSL_CTX_set_custom_verify(
3184 client_ctx.get(), SSL_VERIFY_PEER,
3185 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
3186 return ssl_verify_ok;
3187 });
3188 SSL_CTX_set_custom_verify(
3189 server_ctx.get(), SSL_VERIFY_PEER,
3190 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
3191 return ssl_verify_ok;
3192 });
3193
3194 bool cert_cb_called = false;
3195 SSL_CTX_set_cert_cb(
3196 client_ctx.get(),
3197 [](SSL *ssl, void *arg) -> int {
3198 STACK_OF(CRYPTO_BUFFER) *peer_names =
3199 SSL_get0_server_requested_CAs(ssl);
3200 EXPECT_EQ(1u, sk_CRYPTO_BUFFER_num(peer_names));
3201 CRYPTO_BUFFER *peer_name = sk_CRYPTO_BUFFER_value(peer_names, 0);
3202 EXPECT_EQ(Bytes(kTestName), Bytes(CRYPTO_BUFFER_data(peer_name),
3203 CRYPTO_BUFFER_len(peer_name)));
3204 *reinterpret_cast<bool *>(arg) = true;
3205 return 1;
3206 },
3207 &cert_cb_called);
3208
3209 bssl::UniquePtr<SSL> client, server;
3210 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
3211 server_ctx.get(),
3212 nullptr /* no session */));
3213 EXPECT_TRUE(cert_cb_called);
3214}
3215
David Benjamin91222b82017-03-09 20:10:56 -0500[diff] [blame]3216// Configuring the empty cipher list, though an error, should still modify the
3217// configuration.
3218TEST(SSLTest, EmptyCipherList) {
3219 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
3220 ASSERT_TRUE(ctx);
3221
3222 // Initially, the cipher list is not empty.
3223 EXPECT_NE(0u, sk_SSL_CIPHER_num(SSL_CTX_get_ciphers(ctx.get())));
3224
3225 // Configuring the empty cipher list fails.
3226 EXPECT_FALSE(SSL_CTX_set_cipher_list(ctx.get(), ""));
3227 ERR_clear_error();
3228
3229 // But the cipher list is still updated to empty.
3230 EXPECT_EQ(0u, sk_SSL_CIPHER_num(SSL_CTX_get_ciphers(ctx.get())));
3231}
3232
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]3233// ssl_test_ticket_aead_failure_mode enumerates the possible ways in which the
3234// test |SSL_TICKET_AEAD_METHOD| can fail.
3235enum ssl_test_ticket_aead_failure_mode {
3236 ssl_test_ticket_aead_ok = 0,
3237 ssl_test_ticket_aead_seal_fail,
3238 ssl_test_ticket_aead_open_soft_fail,
3239 ssl_test_ticket_aead_open_hard_fail,
3240};
3241
3242struct ssl_test_ticket_aead_state {
3243 unsigned retry_count;
3244 ssl_test_ticket_aead_failure_mode failure_mode;
3245};
3246
3247static int ssl_test_ticket_aead_ex_index_dup(CRYPTO_EX_DATA *to,
3248 const CRYPTO_EX_DATA *from,
3249 void **from_d, int index,
3250 long argl, void *argp) {
3251 abort();
3252}
3253
3254static void ssl_test_ticket_aead_ex_index_free(void *parent, void *ptr,
3255 CRYPTO_EX_DATA *ad, int index,
3256 long argl, void *argp) {
3257 auto state = reinterpret_cast<ssl_test_ticket_aead_state*>(ptr);
3258 if (state == nullptr) {
3259 return;
3260 }
3261
3262 OPENSSL_free(state);
3263}
3264
3265static CRYPTO_once_t g_ssl_test_ticket_aead_ex_index_once = CRYPTO_ONCE_INIT;
3266static int g_ssl_test_ticket_aead_ex_index;
3267
3268static int ssl_test_ticket_aead_get_ex_index() {
3269 CRYPTO_once(&g_ssl_test_ticket_aead_ex_index_once, [] {
3270 g_ssl_test_ticket_aead_ex_index = SSL_get_ex_new_index(
3271 0, nullptr, nullptr, ssl_test_ticket_aead_ex_index_dup,
3272 ssl_test_ticket_aead_ex_index_free);
3273 });
3274 return g_ssl_test_ticket_aead_ex_index;
3275}
3276
3277static size_t ssl_test_ticket_aead_max_overhead(SSL *ssl) {
3278 return 1;
3279}
3280
3281static int ssl_test_ticket_aead_seal(SSL *ssl, uint8_t *out, size_t *out_len,
3282 size_t max_out_len, const uint8_t *in,
3283 size_t in_len) {
3284 auto state = reinterpret_cast<ssl_test_ticket_aead_state *>(
3285 SSL_get_ex_data(ssl, ssl_test_ticket_aead_get_ex_index()));
3286
3287 if (state->failure_mode == ssl_test_ticket_aead_seal_fail ||
3288 max_out_len < in_len + 1) {
3289 return 0;
3290 }
3291
3292 OPENSSL_memmove(out, in, in_len);
3293 out[in_len] = 0xff;
3294 *out_len = in_len + 1;
3295
3296 return 1;
3297}
3298
3299static ssl_ticket_aead_result_t ssl_test_ticket_aead_open(
3300 SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out_len,
3301 const uint8_t *in, size_t in_len) {
3302 auto state = reinterpret_cast<ssl_test_ticket_aead_state *>(
3303 SSL_get_ex_data(ssl, ssl_test_ticket_aead_get_ex_index()));
3304
3305 if (state->retry_count > 0) {
3306 state->retry_count--;
3307 return ssl_ticket_aead_retry;
3308 }
3309
3310 switch (state->failure_mode) {
3311 case ssl_test_ticket_aead_ok:
3312 break;
3313 case ssl_test_ticket_aead_seal_fail:
3314 // If |seal| failed then there shouldn't be any ticket to try and
3315 // decrypt.
3316 abort();
3317 break;
3318 case ssl_test_ticket_aead_open_soft_fail:
3319 return ssl_ticket_aead_ignore_ticket;
3320 case ssl_test_ticket_aead_open_hard_fail:
3321 return ssl_ticket_aead_error;
3322 }
3323
3324 if (in_len == 0 || in[in_len - 1] != 0xff) {
3325 return ssl_ticket_aead_ignore_ticket;
3326 }
3327
3328 if (max_out_len < in_len - 1) {
3329 return ssl_ticket_aead_error;
3330 }
3331
3332 OPENSSL_memmove(out, in, in_len - 1);
3333 *out_len = in_len - 1;
3334 return ssl_ticket_aead_success;
3335}
3336
3337static const SSL_TICKET_AEAD_METHOD kSSLTestTicketMethod = {
3338 ssl_test_ticket_aead_max_overhead,
3339 ssl_test_ticket_aead_seal,
3340 ssl_test_ticket_aead_open,
3341};
3342
3343static void ConnectClientAndServerWithTicketMethod(
3344 bssl::UniquePtr<SSL> *out_client, bssl::UniquePtr<SSL> *out_server,
3345 SSL_CTX *client_ctx, SSL_CTX *server_ctx, unsigned retry_count,
3346 ssl_test_ticket_aead_failure_mode failure_mode, SSL_SESSION *session) {
3347 bssl::UniquePtr<SSL> client(SSL_new(client_ctx)), server(SSL_new(server_ctx));
3348 ASSERT_TRUE(client);
3349 ASSERT_TRUE(server);
3350 SSL_set_connect_state(client.get());
3351 SSL_set_accept_state(server.get());
3352
3353 auto state = reinterpret_cast<ssl_test_ticket_aead_state *>(
3354 OPENSSL_malloc(sizeof(ssl_test_ticket_aead_state)));
3355 ASSERT_TRUE(state);
3356 OPENSSL_memset(state, 0, sizeof(ssl_test_ticket_aead_state));
3357 state->retry_count = retry_count;
3358 state->failure_mode = failure_mode;
3359
3360 ASSERT_TRUE(SSL_set_ex_data(server.get(), ssl_test_ticket_aead_get_ex_index(),
3361 state));
3362
3363 SSL_set_session(client.get(), session);
3364
3365 BIO *bio1, *bio2;
3366 ASSERT_TRUE(BIO_new_bio_pair(&bio1, 0, &bio2, 0));
3367
3368 // SSL_set_bio takes ownership.
3369 SSL_set_bio(client.get(), bio1, bio1);
3370 SSL_set_bio(server.get(), bio2, bio2);
3371
3372 if (CompleteHandshakes(client.get(), server.get())) {
3373 *out_client = std::move(client);
3374 *out_server = std::move(server);
3375 } else {
3376 out_client->reset();
3377 out_server->reset();
3378 }
3379}
3380
3381class TicketAEADMethodTest
3382 : public ::testing::TestWithParam<testing::tuple<
3383 uint16_t, unsigned, ssl_test_ticket_aead_failure_mode>> {};
3384
3385TEST_P(TicketAEADMethodTest, Resume) {
3386 bssl::UniquePtr<X509> cert = GetTestCertificate();
3387 ASSERT_TRUE(cert);
3388 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
3389 ASSERT_TRUE(key);
3390
3391 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
3392 ASSERT_TRUE(server_ctx);
3393 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
3394 ASSERT_TRUE(client_ctx);
3395
3396 const uint16_t version = testing::get<0>(GetParam());
3397 const unsigned retry_count = testing::get<1>(GetParam());
3398 const ssl_test_ticket_aead_failure_mode failure_mode =
3399 testing::get<2>(GetParam());
3400
3401 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
3402 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
3403 ASSERT_TRUE(SSL_CTX_set_min_proto_version(client_ctx.get(), version));
3404 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), version));
3405 ASSERT_TRUE(SSL_CTX_set_min_proto_version(server_ctx.get(), version));
3406 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), version));
3407
3408 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
3409 SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH);
3410 SSL_CTX_set_current_time_cb(client_ctx.get(), FrozenTimeCallback);
3411 SSL_CTX_set_current_time_cb(server_ctx.get(), FrozenTimeCallback);
David Benjamin707af292017-03-10 17:47:18 -0500[diff] [blame]3412 SSL_CTX_sess_set_new_cb(client_ctx.get(), SaveLastSession);
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]3413
3414 SSL_CTX_set_ticket_aead_method(server_ctx.get(), &kSSLTestTicketMethod);
3415
3416 bssl::UniquePtr<SSL> client, server;
3417 ConnectClientAndServerWithTicketMethod(&client, &server, client_ctx.get(),
3418 server_ctx.get(), retry_count,
3419 failure_mode, nullptr);
3420 switch (failure_mode) {
3421 case ssl_test_ticket_aead_ok:
3422 case ssl_test_ticket_aead_open_hard_fail:
3423 case ssl_test_ticket_aead_open_soft_fail:
3424 ASSERT_TRUE(client);
3425 break;
3426 case ssl_test_ticket_aead_seal_fail:
3427 EXPECT_FALSE(client);
3428 return;
3429 }
3430 EXPECT_FALSE(SSL_session_reused(client.get()));
3431 EXPECT_FALSE(SSL_session_reused(server.get()));
3432
David Benjamin707af292017-03-10 17:47:18 -0500[diff] [blame]3433 // Run the read loop to account for post-handshake tickets in TLS 1.3.
3434 SSL_read(client.get(), nullptr, 0);
3435
3436 bssl::UniquePtr<SSL_SESSION> session = std::move(g_last_session);
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]3437 ConnectClientAndServerWithTicketMethod(&client, &server, client_ctx.get(),
3438 server_ctx.get(), retry_count,
David Benjamin707af292017-03-10 17:47:18 -0500[diff] [blame]3439 failure_mode, session.get());
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]3440 switch (failure_mode) {
3441 case ssl_test_ticket_aead_ok:
3442 ASSERT_TRUE(client);
3443 EXPECT_TRUE(SSL_session_reused(client.get()));
3444 EXPECT_TRUE(SSL_session_reused(server.get()));
3445 break;
3446 case ssl_test_ticket_aead_seal_fail:
3447 abort();
3448 break;
3449 case ssl_test_ticket_aead_open_hard_fail:
3450 EXPECT_FALSE(client);
3451 break;
3452 case ssl_test_ticket_aead_open_soft_fail:
3453 ASSERT_TRUE(client);
3454 EXPECT_FALSE(SSL_session_reused(client.get()));
3455 EXPECT_FALSE(SSL_session_reused(server.get()));
3456 }
3457}
3458
3459INSTANTIATE_TEST_CASE_P(
3460 TicketAEADMethodTests, TicketAEADMethodTest,
3461 testing::Combine(
David Benjamin707af292017-03-10 17:47:18 -0500[diff] [blame]3462 testing::Values(TLS1_2_VERSION, TLS1_3_VERSION),
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]3463 testing::Values(0, 1, 2),
3464 testing::Values(ssl_test_ticket_aead_ok,
3465 ssl_test_ticket_aead_seal_fail,
3466 ssl_test_ticket_aead_open_soft_fail,
3467 ssl_test_ticket_aead_open_hard_fail)));
3468
David Benjamin3cfeb952017-03-01 16:48:38 -0500[diff] [blame]3469TEST(SSLTest, SSL3Method) {
3470 bssl::UniquePtr<X509> cert = GetTestCertificate();
3471 ASSERT_TRUE(cert);
3472
3473 // For compatibility, SSLv3_method should work up to SSL_CTX_new and SSL_new.
3474 bssl::UniquePtr<SSL_CTX> ssl3_ctx(SSL_CTX_new(SSLv3_method()));
3475 ASSERT_TRUE(ssl3_ctx);
3476 ASSERT_TRUE(SSL_CTX_use_certificate(ssl3_ctx.get(), cert.get()));
3477 bssl::UniquePtr<SSL> ssl(SSL_new(ssl3_ctx.get()));
3478 EXPECT_TRUE(ssl);
3479
3480 // Create a normal TLS context to test against.
3481 bssl::UniquePtr<SSL_CTX> tls_ctx(SSL_CTX_new(TLS_method()));
3482 ASSERT_TRUE(tls_ctx);
3483 ASSERT_TRUE(SSL_CTX_use_certificate(tls_ctx.get(), cert.get()));
3484
3485 // However, handshaking an SSLv3_method server should fail to resolve the
3486 // version range. Explicit calls to SSL_CTX_set_min_proto_version are the only
3487 // way to enable SSL 3.0.
3488 bssl::UniquePtr<SSL> client, server;
3489 EXPECT_FALSE(ConnectClientAndServer(&client, &server, tls_ctx.get(),
3490 ssl3_ctx.get(),
3491 nullptr /* no session */));
3492 uint32_t err = ERR_get_error();
3493 EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err));
3494 EXPECT_EQ(SSL_R_NO_SUPPORTED_VERSIONS_ENABLED, ERR_GET_REASON(err));
3495
3496 // Likewise for SSLv3_method clients.
3497 EXPECT_FALSE(ConnectClientAndServer(&client, &server, ssl3_ctx.get(),
3498 tls_ctx.get(),
3499 nullptr /* no session */));
3500 err = ERR_get_error();
3501 EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err));
3502 EXPECT_EQ(SSL_R_NO_SUPPORTED_VERSIONS_ENABLED, ERR_GET_REASON(err));
3503}
3504
David Benjaminca743582017-06-15 17:51:35 -0400[diff] [blame]3505TEST(SSLTest, SelectNextProto) {
3506 uint8_t *result;
3507 uint8_t result_len;
3508
3509 // If there is an overlap, it should be returned.
3510 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
3511 SSL_select_next_proto(&result, &result_len,
3512 (const uint8_t *)"\1a\2bb\3ccc", 9,
3513 (const uint8_t *)"\1x\1y\1a\1z", 8));
3514 EXPECT_EQ(Bytes("a"), Bytes(result, result_len));
3515
3516 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
3517 SSL_select_next_proto(&result, &result_len,
3518 (const uint8_t *)"\1a\2bb\3ccc", 9,
3519 (const uint8_t *)"\1x\1y\2bb\1z", 9));
3520 EXPECT_EQ(Bytes("bb"), Bytes(result, result_len));
3521
3522 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
3523 SSL_select_next_proto(&result, &result_len,
3524 (const uint8_t *)"\1a\2bb\3ccc", 9,
3525 (const uint8_t *)"\1x\1y\3ccc\1z", 10));
3526 EXPECT_EQ(Bytes("ccc"), Bytes(result, result_len));
3527
3528 // Peer preference order takes precedence over local.
3529 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
3530 SSL_select_next_proto(&result, &result_len,
3531 (const uint8_t *)"\1a\2bb\3ccc", 9,
3532 (const uint8_t *)"\3ccc\2bb\1a", 9));
3533 EXPECT_EQ(Bytes("a"), Bytes(result, result_len));
3534
3535 // If there is no overlap, return the first local protocol.
3536 EXPECT_EQ(OPENSSL_NPN_NO_OVERLAP,
3537 SSL_select_next_proto(&result, &result_len,
3538 (const uint8_t *)"\1a\2bb\3ccc", 9,
3539 (const uint8_t *)"\1x\2yy\3zzz", 9));
3540 EXPECT_EQ(Bytes("x"), Bytes(result, result_len));
3541
3542 EXPECT_EQ(OPENSSL_NPN_NO_OVERLAP,
3543 SSL_select_next_proto(&result, &result_len, nullptr, 0,
3544 (const uint8_t *)"\1x\2yy\3zzz", 9));
3545 EXPECT_EQ(Bytes("x"), Bytes(result, result_len));
3546}
3547
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]3548TEST(SSLTest, SealRecord) {
3549 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method())),
3550 server_ctx(SSL_CTX_new(TLS_method()));
3551 ASSERT_TRUE(client_ctx);
3552 ASSERT_TRUE(server_ctx);
3553
3554 bssl::UniquePtr<X509> cert = GetTestCertificate();
3555 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
3556 ASSERT_TRUE(cert);
3557 ASSERT_TRUE(key);
3558 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
3559 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
3560
3561 bssl::UniquePtr<SSL> client, server;
3562 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
3563 server_ctx.get(),
3564 nullptr /* no session */));
3565
3566 const std::vector<uint8_t> record = {1, 2, 3, 4, 5};
3567 std::vector<uint8_t> prefix(
3568 bssl::SealRecordPrefixLen(client.get(), record.size())),
Martin Kreichgauerabbf3652017-07-21 16:27:54 -0700[diff] [blame]3569 body(record.size()),
3570 suffix(bssl::SealRecordSuffixLen(client.get(), record.size()));
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]3571 ASSERT_TRUE(bssl::SealRecord(client.get(), bssl::MakeSpan(prefix),
3572 bssl::MakeSpan(body), bssl::MakeSpan(suffix),
Martin Kreichgauerabbf3652017-07-21 16:27:54 -0700[diff] [blame]3573 record));
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]3574
3575 std::vector<uint8_t> sealed;
3576 sealed.insert(sealed.end(), prefix.begin(), prefix.end());
3577 sealed.insert(sealed.end(), body.begin(), body.end());
3578 sealed.insert(sealed.end(), suffix.begin(), suffix.end());
3579 std::vector<uint8_t> sealed_copy = sealed;
3580
3581 bssl::Span<uint8_t> plaintext;
3582 size_t record_len;
3583 uint8_t alert = 255;
3584 EXPECT_EQ(bssl::OpenRecord(server.get(), &plaintext, &record_len, &alert,
3585 bssl::MakeSpan(sealed)),
3586 bssl::OpenRecordResult::kOK);
3587 EXPECT_EQ(record_len, sealed.size());
3588 EXPECT_EQ(plaintext, record);
3589 EXPECT_EQ(255, alert);
3590}
3591
3592TEST(SSLTest, SealRecordInPlace) {
3593 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method())),
3594 server_ctx(SSL_CTX_new(TLS_method()));
3595 ASSERT_TRUE(client_ctx);
3596 ASSERT_TRUE(server_ctx);
3597
3598 bssl::UniquePtr<X509> cert = GetTestCertificate();
3599 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
3600 ASSERT_TRUE(cert);
3601 ASSERT_TRUE(key);
3602 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
3603 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
3604
3605 bssl::UniquePtr<SSL> client, server;
3606 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
3607 server_ctx.get(),
3608 nullptr /* no session */));
3609
3610 const std::vector<uint8_t> plaintext = {1, 2, 3, 4, 5};
3611 std::vector<uint8_t> record = plaintext;
3612 std::vector<uint8_t> prefix(
3613 bssl::SealRecordPrefixLen(client.get(), record.size())),
Martin Kreichgauerabbf3652017-07-21 16:27:54 -0700[diff] [blame]3614 suffix(bssl::SealRecordSuffixLen(client.get(), record.size()));
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]3615 ASSERT_TRUE(bssl::SealRecord(client.get(), bssl::MakeSpan(prefix),
3616 bssl::MakeSpan(record), bssl::MakeSpan(suffix),
Martin Kreichgauerabbf3652017-07-21 16:27:54 -0700[diff] [blame]3617 record));
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]3618 record.insert(record.begin(), prefix.begin(), prefix.end());
3619 record.insert(record.end(), suffix.begin(), suffix.end());
3620
3621 bssl::Span<uint8_t> result;
3622 size_t record_len;
3623 uint8_t alert;
3624 EXPECT_EQ(bssl::OpenRecord(server.get(), &result, &record_len, &alert,
3625 bssl::MakeSpan(record)),
3626 bssl::OpenRecordResult::kOK);
3627 EXPECT_EQ(record_len, record.size());
3628 EXPECT_EQ(plaintext, result);
3629}
3630
3631TEST(SSLTest, SealRecordTrailingData) {
3632 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method())),
3633 server_ctx(SSL_CTX_new(TLS_method()));
3634 ASSERT_TRUE(client_ctx);
3635 ASSERT_TRUE(server_ctx);
3636
3637 bssl::UniquePtr<X509> cert = GetTestCertificate();
3638 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
3639 ASSERT_TRUE(cert);
3640 ASSERT_TRUE(key);
3641 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
3642 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
3643
3644 bssl::UniquePtr<SSL> client, server;
3645 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
3646 server_ctx.get(),
3647 nullptr /* no session */));
3648
3649 const std::vector<uint8_t> plaintext = {1, 2, 3, 4, 5};
3650 std::vector<uint8_t> record = plaintext;
3651 std::vector<uint8_t> prefix(
3652 bssl::SealRecordPrefixLen(client.get(), record.size())),
Martin Kreichgauerabbf3652017-07-21 16:27:54 -0700[diff] [blame]3653 suffix(bssl::SealRecordSuffixLen(client.get(), record.size()));
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]3654 ASSERT_TRUE(bssl::SealRecord(client.get(), bssl::MakeSpan(prefix),
3655 bssl::MakeSpan(record), bssl::MakeSpan(suffix),
Martin Kreichgauerabbf3652017-07-21 16:27:54 -0700[diff] [blame]3656 record));
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]3657 record.insert(record.begin(), prefix.begin(), prefix.end());
3658 record.insert(record.end(), suffix.begin(), suffix.end());
3659 record.insert(record.end(), {5, 4, 3, 2, 1});
3660
3661 bssl::Span<uint8_t> result;
3662 size_t record_len;
3663 uint8_t alert;
3664 EXPECT_EQ(bssl::OpenRecord(server.get(), &result, &record_len, &alert,
3665 bssl::MakeSpan(record)),
3666 bssl::OpenRecordResult::kOK);
3667 EXPECT_EQ(record_len, record.size() - 5);
3668 EXPECT_EQ(plaintext, result);
3669}
3670
3671TEST(SSLTest, SealRecordInvalidSpanSize) {
3672 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method())),
3673 server_ctx(SSL_CTX_new(TLS_method()));
3674 ASSERT_TRUE(client_ctx);
3675 ASSERT_TRUE(server_ctx);
3676
3677 bssl::UniquePtr<X509> cert = GetTestCertificate();
3678 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
3679 ASSERT_TRUE(cert);
3680 ASSERT_TRUE(key);
3681 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
3682 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
3683
3684 bssl::UniquePtr<SSL> client, server;
3685 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
3686 server_ctx.get(),
3687 nullptr /* no session */));
3688
3689 std::vector<uint8_t> record = {1, 2, 3, 4, 5};
3690 std::vector<uint8_t> prefix(
3691 bssl::SealRecordPrefixLen(client.get(), record.size())),
Martin Kreichgauerabbf3652017-07-21 16:27:54 -0700[diff] [blame]3692 body(record.size()),
3693 suffix(bssl::SealRecordSuffixLen(client.get(), record.size()));
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]3694
3695 auto expect_err = []() {
3696 int err = ERR_get_error();
3697 EXPECT_EQ(ERR_GET_LIB(err), ERR_LIB_SSL);
3698 EXPECT_EQ(ERR_GET_REASON(err), SSL_R_BUFFER_TOO_SMALL);
3699 ERR_clear_error();
3700 };
3701 EXPECT_FALSE(bssl::SealRecord(
3702 client.get(), bssl::MakeSpan(prefix.data(), prefix.size() - 1),
Martin Kreichgauerabbf3652017-07-21 16:27:54 -0700[diff] [blame]3703 bssl::MakeSpan(record), bssl::MakeSpan(suffix), record));
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]3704 expect_err();
3705 EXPECT_FALSE(bssl::SealRecord(
3706 client.get(), bssl::MakeSpan(prefix.data(), prefix.size() + 1),
Martin Kreichgauerabbf3652017-07-21 16:27:54 -0700[diff] [blame]3707 bssl::MakeSpan(record), bssl::MakeSpan(suffix), record));
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]3708 expect_err();
3709
3710 EXPECT_FALSE(
3711 bssl::SealRecord(client.get(), bssl::MakeSpan(prefix),
3712 bssl::MakeSpan(record.data(), record.size() - 1),
Martin Kreichgauerabbf3652017-07-21 16:27:54 -0700[diff] [blame]3713 bssl::MakeSpan(suffix), record));
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]3714 expect_err();
3715 EXPECT_FALSE(
3716 bssl::SealRecord(client.get(), bssl::MakeSpan(prefix),
3717 bssl::MakeSpan(record.data(), record.size() + 1),
Martin Kreichgauerabbf3652017-07-21 16:27:54 -0700[diff] [blame]3718 bssl::MakeSpan(suffix), record));
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]3719 expect_err();
3720
3721 EXPECT_FALSE(bssl::SealRecord(
3722 client.get(), bssl::MakeSpan(prefix), bssl::MakeSpan(record),
Martin Kreichgauerabbf3652017-07-21 16:27:54 -0700[diff] [blame]3723 bssl::MakeSpan(suffix.data(), suffix.size() - 1), record));
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]3724 expect_err();
3725 EXPECT_FALSE(bssl::SealRecord(
3726 client.get(), bssl::MakeSpan(prefix), bssl::MakeSpan(record),
Martin Kreichgauerabbf3652017-07-21 16:27:54 -0700[diff] [blame]3727 bssl::MakeSpan(suffix.data(), suffix.size() + 1), record));
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]3728 expect_err();
3729}
3730
David Benjamin617b8182017-08-29 15:33:10 -0400[diff] [blame]3731// The client should gracefully handle no suitable ciphers being enabled.
3732TEST(SSLTest, NoCiphersAvailable) {
3733 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
3734 ASSERT_TRUE(ctx);
3735
3736 // Configure |client_ctx| with a cipher list that does not intersect with its
3737 // version configuration.
3738 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(
3739 ctx.get(), "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"));
3740 ASSERT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_1_VERSION));
3741
3742 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
3743 ASSERT_TRUE(ssl);
3744 SSL_set_connect_state(ssl.get());
3745
3746 UniquePtr<BIO> rbio(BIO_new(BIO_s_mem())), wbio(BIO_new(BIO_s_mem()));
3747 ASSERT_TRUE(rbio);
3748 ASSERT_TRUE(wbio);
3749 SSL_set0_rbio(ssl.get(), rbio.release());
3750 SSL_set0_wbio(ssl.get(), wbio.release());
3751
3752 int ret = SSL_do_handshake(ssl.get());
3753 EXPECT_EQ(-1, ret);
3754 EXPECT_EQ(SSL_ERROR_SSL, SSL_get_error(ssl.get(), ret));
3755 uint32_t err = ERR_get_error();
3756 EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err));
3757 EXPECT_EQ(SSL_R_NO_CIPHERS_AVAILABLE, ERR_GET_REASON(err));
3758}
3759
David Benjamin96628432017-01-19 19:05:47 -0500[diff] [blame]3760// TODO(davidben): Convert this file to GTest properly.
3761TEST(SSLTest, AllTests) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]3762 if (!TestSSL_SESSIONEncoding(kOpenSSLSession) ||
Adam Langley10f97f32016-07-12 08:09:33 -0700[diff] [blame]3763 !TestSSL_SESSIONEncoding(kCustomSession) ||
3764 !TestSSL_SESSIONEncoding(kBoringSSLSession) ||
3765 !TestBadSSL_SESSIONEncoding(kBadSessionExtraField) ||
3766 !TestBadSSL_SESSIONEncoding(kBadSessionVersion) ||
3767 !TestBadSSL_SESSIONEncoding(kBadSessionTrailingData) ||
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]3768 // Test the padding extension at TLS 1.2.
3769 !TestPaddingExtension(TLS1_2_VERSION, TLS1_2_VERSION) ||
3770 // Test the padding extension at TLS 1.3 with a TLS 1.2 session, so there
3771 // will be no PSK binder after the padding extension.
3772 !TestPaddingExtension(TLS1_3_VERSION, TLS1_2_VERSION) ||
3773 // Test the padding extension at TLS 1.3 with a TLS 1.3 session, so there
3774 // will be a PSK binder after the padding extension.
3775 !TestPaddingExtension(TLS1_3_VERSION, TLS1_3_DRAFT_VERSION) ||
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3776 !TestClientHello()) {
David Benjamin96628432017-01-19 19:05:47 -0500[diff] [blame]3777 ADD_FAILURE() << "Tests failed";
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]3778 }
David Benjamin2e521212014-07-16 14:37:51 -0400[diff] [blame]3779}
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]3780
3781} // namespace
3782} // namespace bssl