Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / ca7435822f12e67edc834e0452913591f456449d / . / ssl / ssl_test.cc
blob: b53c93a088573120d7347371c6bd0342029c4697 [file] [log] [blame]
David Benjamin2e521212014-07-16 14:37:51 -0400[diff] [blame]1/* Copyright (c) 2014, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15#include <stdio.h>
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]16#include <string.h>
David Benjamin1269ddd2015-10-18 15:18:55 -0400[diff] [blame]17#include <time.h>
David Benjamin2e521212014-07-16 14:37:51 -0400[diff] [blame]18
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]19#include <algorithm>
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]20#include <string>
David Benjamin4f6acaf2015-11-21 03:00:50 -0500[diff] [blame]21#include <utility>
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]22#include <vector>
23
David Benjamin96628432017-01-19 19:05:47 -0500[diff] [blame]24#include <gtest/gtest.h>
25
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]26#include <openssl/base64.h>
27#include <openssl/bio.h>
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]28#include <openssl/cipher.h>
David Benjamin7a1eefd2015-10-17 23:39:22 -0400[diff] [blame]29#include <openssl/crypto.h>
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]30#include <openssl/err.h>
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]31#include <openssl/hmac.h>
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]32#include <openssl/pem.h>
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]33#include <openssl/sha.h>
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]34#include <openssl/ssl.h>
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]35#include <openssl/rand.h>
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]36#include <openssl/x509.h>
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]37
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]38#include "internal.h"
Steven Valdezcb966542016-08-17 16:56:14 -0400[diff] [blame]39#include "../crypto/internal.h"
Sigbjorn Vik2b23d242015-06-29 15:07:26 +0200[diff] [blame]40#include "../crypto/test/test_util.h"
41
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]42#if defined(OPENSSL_WINDOWS)
43/* Windows defines struct timeval in winsock2.h. */
44OPENSSL_MSVC_PRAGMA(warning(push, 3))
45#include <winsock2.h>
46OPENSSL_MSVC_PRAGMA(warning(pop))
47#else
48#include <sys/time.h>
49#endif
50
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]51
52struct ExpectedCipher {
53 unsigned long id;
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]54 int in_group_flag;
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]55};
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]56
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]57struct CipherTest {
58 // The rule string to apply.
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]59 const char *rule;
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]60 // The list of expected ciphers, in order.
61 std::vector<ExpectedCipher> expected;
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]62 // True if this cipher list should fail in strict mode.
63 bool strict_fail;
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]64};
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]65
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]66struct CurveTest {
67 // The rule string to apply.
68 const char *rule;
69 // The list of expected curves, in order.
70 std::vector<uint16_t> expected;
71};
72
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]73static const CipherTest kCipherTests[] = {
74 // Selecting individual ciphers should work.
75 {
76 "ECDHE-ECDSA-CHACHA20-POLY1305:"
77 "ECDHE-RSA-CHACHA20-POLY1305:"
78 "ECDHE-ECDSA-AES128-GCM-SHA256:"
79 "ECDHE-RSA-AES128-GCM-SHA256",
80 {
81 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]82 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]83 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
84 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
85 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]86 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]87 },
88 // + reorders selected ciphers to the end, keeping their relative order.
89 {
90 "ECDHE-ECDSA-CHACHA20-POLY1305:"
91 "ECDHE-RSA-CHACHA20-POLY1305:"
92 "ECDHE-ECDSA-AES128-GCM-SHA256:"
93 "ECDHE-RSA-AES128-GCM-SHA256:"
94 "+aRSA",
95 {
96 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]97 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
98 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]99 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
100 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]101 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]102 },
103 // ! banishes ciphers from future selections.
104 {
105 "!aRSA:"
106 "ECDHE-ECDSA-CHACHA20-POLY1305:"
107 "ECDHE-RSA-CHACHA20-POLY1305:"
108 "ECDHE-ECDSA-AES128-GCM-SHA256:"
109 "ECDHE-RSA-AES128-GCM-SHA256",
110 {
111 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]112 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
113 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]114 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]115 },
116 // Multiple masks can be ANDed in a single rule.
117 {
118 "kRSA+AESGCM+AES128",
119 {
120 {TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0},
121 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]122 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]123 },
124 // - removes selected ciphers, but preserves their order for future
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]125 // selections. Select AES_128_GCM, but order the key exchanges RSA,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]126 // ECDHE_RSA.
127 {
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]128 "ALL:-kECDHE:"
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]129 "-kRSA:-ALL:"
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]130 "AESGCM+AES128+aRSA",
131 {
132 {TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]133 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
134 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]135 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]136 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]137 // Unknown selectors are no-ops, except in strict mode.
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]138 {
139 "ECDHE-ECDSA-CHACHA20-POLY1305:"
140 "ECDHE-RSA-CHACHA20-POLY1305:"
141 "ECDHE-ECDSA-AES128-GCM-SHA256:"
142 "ECDHE-RSA-AES128-GCM-SHA256:"
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]143 "BOGUS1",
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]144 {
145 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]146 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]147 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
148 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
149 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]150 true,
151 },
152 // Unknown selectors are no-ops, except in strict mode.
153 {
154 "ECDHE-ECDSA-CHACHA20-POLY1305:"
155 "ECDHE-RSA-CHACHA20-POLY1305:"
156 "ECDHE-ECDSA-AES128-GCM-SHA256:"
157 "ECDHE-RSA-AES128-GCM-SHA256:"
158 "-BOGUS2:+BOGUS3:!BOGUS4",
159 {
160 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
161 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
162 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
163 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
164 },
165 true,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]166 },
167 // Square brackets specify equi-preference groups.
168 {
169 "[ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES128-GCM-SHA256]:"
170 "[ECDHE-RSA-CHACHA20-POLY1305]:"
171 "ECDHE-RSA-AES128-GCM-SHA256",
172 {
173 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 1},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]174 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
Adam Langley2e839242017-01-19 15:12:44 -0800[diff] [blame]175 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]176 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
177 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]178 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]179 },
180 // @STRENGTH performs a stable strength-sort of the selected ciphers and
181 // only the selected ciphers.
182 {
183 // To simplify things, banish all but {ECDHE_RSA,RSA} x
Matthew Braithwaite8aaa9e12016-09-07 15:09:58 -0700[diff] [blame]184 // {CHACHA20,AES_256_CBC,AES_128_CBC} x SHA1.
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]185 "!AESGCM:!3DES:!SHA256:!SHA384:"
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]186 // Order some ciphers backwards by strength.
Matthew Braithwaite8aaa9e12016-09-07 15:09:58 -0700[diff] [blame]187 "ALL:-CHACHA20:-AES256:-AES128:-ALL:"
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]188 // Select ECDHE ones and sort them by strength. Ties should resolve
189 // based on the order above.
190 "kECDHE:@STRENGTH:-ALL:"
191 // Now bring back everything uses RSA. ECDHE_RSA should be first, sorted
192 // by strength. Then RSA, backwards by strength.
193 "aRSA",
194 {
195 {TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, 0},
196 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]197 {TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]198 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
199 {TLS1_CK_RSA_WITH_AES_256_SHA, 0},
200 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]201 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]202 },
203 // Exact ciphers may not be used in multi-part rules; they are treated
204 // as unknown aliases.
205 {
206 "ECDHE-ECDSA-AES128-GCM-SHA256:"
207 "ECDHE-RSA-AES128-GCM-SHA256:"
208 "!ECDHE-RSA-AES128-GCM-SHA256+RSA:"
209 "!ECDSA+ECDHE-ECDSA-AES128-GCM-SHA256",
210 {
211 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
212 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
213 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]214 true,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]215 },
216 // SSLv3 matches everything that existed before TLS 1.2.
217 {
218 "AES128-SHA:AES128-SHA256:!SSLv3",
219 {
220 {TLS1_CK_RSA_WITH_AES_128_SHA256, 0},
221 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]222 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]223 },
224 // TLSv1.2 matches everything added in TLS 1.2.
225 {
226 "AES128-SHA:AES128-SHA256:!TLSv1.2",
227 {
228 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
229 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]230 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]231 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]232 // The two directives have no intersection. But each component is valid, so
233 // even in strict mode it is accepted.
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]234 {
235 "AES128-SHA:AES128-SHA256:!TLSv1.2+SSLv3",
236 {
237 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
238 {TLS1_CK_RSA_WITH_AES_128_SHA256, 0},
239 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]240 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]241 },
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]242};
243
244static const char *kBadRules[] = {
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]245 // Invalid brackets.
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]246 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256",
247 "RSA]",
248 "[[RSA]]",
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]249 // Operators inside brackets.
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]250 "[+RSA]",
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]251 // Unknown directive.
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]252 "@BOGUS",
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]253 // Empty cipher lists error at SSL_CTX_set_cipher_list.
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]254 "",
255 "BOGUS",
David Benjamin32fbdf22015-04-07 01:14:06 -0400[diff] [blame]256 // COMPLEMENTOFDEFAULT is empty.
257 "COMPLEMENTOFDEFAULT",
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]258 // Invalid command.
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]259 "?BAR",
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]260 // Special operators are not allowed if groups are used.
David Benjamin37d92462014-09-20 17:54:24 -0400[diff] [blame]261 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:+FOO",
262 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:!FOO",
263 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:-FOO",
264 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:@STRENGTH",
Adam Langleyf99f2442016-10-02 09:53:38 -0700[diff] [blame]265 // Opcode supplied, but missing selector.
266 "+",
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]267};
268
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]269static const char *kMustNotIncludeNull[] = {
270 "ALL",
271 "DEFAULT",
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]272 "HIGH",
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]273 "FIPS",
274 "SHA",
275 "SHA1",
276 "RSA",
277 "SSLv3",
278 "TLSv1",
279 "TLSv1.2",
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]280};
281
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]282static const CurveTest kCurveTests[] = {
283 {
284 "P-256",
285 { SSL_CURVE_SECP256R1 },
286 },
287 {
288 "P-256:P-384:P-521:X25519",
289 {
290 SSL_CURVE_SECP256R1,
291 SSL_CURVE_SECP384R1,
292 SSL_CURVE_SECP521R1,
293 SSL_CURVE_X25519,
294 },
295 },
296};
297
298static const char *kBadCurvesLists[] = {
299 "",
300 ":",
301 "::",
302 "P-256::X25519",
303 "RSA:P-256",
304 "P-256:RSA",
305 "X25519:P-256:",
306 ":X25519:P-256",
307};
308
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]309static std::string CipherListToString(ssl_cipher_preference_list_st *list) {
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]310 bool in_group = false;
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]311 std::string ret;
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]312 for (size_t i = 0; i < sk_SSL_CIPHER_num(list->ciphers); i++) {
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]313 const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(list->ciphers, i);
314 if (!in_group && list->in_group_flags[i]) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]315 ret += "\t[\n";
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]316 in_group = true;
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]317 }
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]318 ret += "\t";
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]319 if (in_group) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]320 ret += " ";
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]321 }
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]322 ret += SSL_CIPHER_get_name(cipher);
323 ret += "\n";
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]324 if (in_group && !list->in_group_flags[i]) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]325 ret += "\t]\n";
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]326 in_group = false;
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]327 }
328 }
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]329 return ret;
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]330}
331
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]332static bool CipherListsEqual(ssl_cipher_preference_list_st *list,
333 const std::vector<ExpectedCipher> &expected) {
334 if (sk_SSL_CIPHER_num(list->ciphers) != expected.size()) {
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]335 return false;
David Benjamin65226252015-02-05 16:49:47 -0500[diff] [blame]336 }
337
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]338 for (size_t i = 0; i < expected.size(); i++) {
339 const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(list->ciphers, i);
340 if (expected[i].id != SSL_CIPHER_get_id(cipher) ||
341 expected[i].in_group_flag != list->in_group_flags[i]) {
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]342 return false;
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]343 }
344 }
345
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]346 return true;
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]347}
348
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]349TEST(SSLTest, CipherRules) {
350 for (const CipherTest &t : kCipherTests) {
351 SCOPED_TRACE(t.rule);
352 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
353 ASSERT_TRUE(ctx);
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]354
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]355 // Test lax mode.
356 ASSERT_TRUE(SSL_CTX_set_cipher_list(ctx.get(), t.rule));
357 EXPECT_TRUE(CipherListsEqual(ctx->cipher_list, t.expected))
358 << "Cipher rule evaluated to:\n"
359 << CipherListToString(ctx->cipher_list);
360
361 // Test strict mode.
362 if (t.strict_fail) {
363 EXPECT_FALSE(SSL_CTX_set_strict_cipher_list(ctx.get(), t.rule));
364 } else {
365 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(ctx.get(), t.rule));
366 EXPECT_TRUE(CipherListsEqual(ctx->cipher_list, t.expected))
367 << "Cipher rule evaluated to:\n"
368 << CipherListToString(ctx->cipher_list);
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]369 }
370 }
371
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]372 for (const char *rule : kBadRules) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]373 SCOPED_TRACE(rule);
374 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
375 ASSERT_TRUE(ctx);
376
377 EXPECT_FALSE(SSL_CTX_set_cipher_list(ctx.get(), rule));
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]378 ERR_clear_error();
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]379 }
380
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]381 for (const char *rule : kMustNotIncludeNull) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]382 SCOPED_TRACE(rule);
383 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
384 ASSERT_TRUE(ctx);
385
386 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(ctx.get(), rule));
387 for (size_t i = 0; i < sk_SSL_CIPHER_num(ctx->cipher_list->ciphers); i++) {
388 EXPECT_FALSE(SSL_CIPHER_is_NULL(
389 sk_SSL_CIPHER_value(ctx->cipher_list->ciphers, i)));
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]390 }
391 }
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]392}
David Benjamin2e521212014-07-16 14:37:51 -0400[diff] [blame]393
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]394TEST(SSLTest, CurveRules) {
395 for (const CurveTest &t : kCurveTests) {
396 SCOPED_TRACE(t.rule);
397 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
398 ASSERT_TRUE(ctx);
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]399
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]400 ASSERT_TRUE(SSL_CTX_set1_curves_list(ctx.get(), t.rule));
401 ASSERT_EQ(t.expected.size(), ctx->supported_group_list_len);
402 for (size_t i = 0; i < t.expected.size(); i++) {
403 EXPECT_EQ(t.expected[i], ctx->supported_group_list[i]);
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]404 }
405 }
406
407 for (const char *rule : kBadCurvesLists) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]408 SCOPED_TRACE(rule);
409 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
410 ASSERT_TRUE(ctx);
411
412 EXPECT_FALSE(SSL_CTX_set1_curves_list(ctx.get(), rule));
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]413 ERR_clear_error();
414 }
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]415}
416
Adam Langley364f7a62016-12-12 10:51:00 -0800[diff] [blame]417// kOpenSSLSession is a serialized SSL_SESSION.
Adam Langley10f97f32016-07-12 08:09:33 -0700[diff] [blame]418static const char kOpenSSLSession[] =
Adam Langley364f7a62016-12-12 10:51:00 -0800[diff] [blame]419 "MIIFqgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
Adam Langley10f97f32016-07-12 08:09:33 -0700[diff] [blame]420 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
421 "IWoJoQYCBFRDO46iBAICASyjggR6MIIEdjCCA16gAwIBAgIIK9dUvsPWSlUwDQYJ"
422 "KoZIhvcNAQEFBQAwSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMx"
423 "JTAjBgNVBAMTHEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTQxMDA4"
424 "MTIwNzU3WhcNMTUwMTA2MDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwK"
425 "Q2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29v"
426 "Z2xlIEluYzEXMBUGA1UEAwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEB"
427 "AQUAA4IBDwAwggEKAoIBAQCcKeLrplAC+Lofy8t/wDwtB6eu72CVp0cJ4V3lknN6"
428 "huH9ct6FFk70oRIh/VBNBBz900jYy+7111Jm1b8iqOTQ9aT5C7SEhNcQFJvqzH3e"
429 "MPkb6ZSWGm1yGF7MCQTGQXF20Sk/O16FSjAynU/b3oJmOctcycWYkY0ytS/k3LBu"
430 "Id45PJaoMqjB0WypqvNeJHC3q5JjCB4RP7Nfx5jjHSrCMhw8lUMW4EaDxjaR9KDh"
431 "PLgjsk+LDIySRSRDaCQGhEOWLJZVLzLo4N6/UlctCHEllpBUSvEOyFga52qroGjg"
432 "rf3WOQ925MFwzd6AK+Ich0gDRg8sQfdLH5OuP1cfLfU1AgMBAAGjggFBMIIBPTAd"
433 "BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdv"
434 "b2dsZS5jb20waAYIKwYBBQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtp"
435 "Lmdvb2dsZS5jb20vR0lBRzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50"
436 "czEuZ29vZ2xlLmNvbS9vY3NwMB0GA1UdDgQWBBQ7a+CcxsZByOpc+xpYFcIbnUMZ"
437 "hTAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEv"
438 "MBcGA1UdIAQQMA4wDAYKKwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRw"
439 "Oi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQCa"
440 "OXCBdoqUy5bxyq+Wrh1zsyyCFim1PH5VU2+yvDSWrgDY8ibRGJmfff3r4Lud5kal"
441 "dKs9k8YlKD3ITG7P0YT/Rk8hLgfEuLcq5cc0xqmE42xJ+Eo2uzq9rYorc5emMCxf"
442 "5L0TJOXZqHQpOEcuptZQ4OjdYMfSxk5UzueUhA3ogZKRcRkdB3WeWRp+nYRhx4St"
443 "o2rt2A0MKmY9165GHUqMK9YaaXHDXqBu7Sefr1uSoAP9gyIJKeihMivsGqJ1TD6Z"
444 "cc6LMe+dN2P8cZEQHtD1y296ul4Mivqk3jatUVL8/hCwgch9A8O4PGZq9WqBfEWm"
445 "IyHh1dPtbg1lOXdYCWtjpAIEAKUDAgEUqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36S"
446 "YTcLEkXqKwOBfF9vE4KX0NxeLwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9B"
447 "sNHM362zZnY27GpTw+Kwd751CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yE"
448 "OTDKPNj3+inbMaVigtK4PLyPq+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdA"
Adam Langley364f7a62016-12-12 10:51:00 -0800[diff] [blame]449 "i4gv7Y5oliyntgMBAQA=";
Adam Langley10f97f32016-07-12 08:09:33 -0700[diff] [blame]450
451// kCustomSession is a custom serialized SSL_SESSION generated by
452// filling in missing fields from |kOpenSSLSession|. This includes
453// providing |peer_sha256|, so |peer| is not serialized.
454static const char kCustomSession[] =
455 "MIIBdgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
456 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
457 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
458 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
459 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
460 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
461 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
462 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBLADBAEF";
463
464// kBoringSSLSession is a serialized SSL_SESSION generated from bssl client.
465static const char kBoringSSLSession[] =
466 "MIIRwQIBAQICAwMEAsAvBCDdoGxGK26mR+8lM0uq6+k9xYuxPnwAjpcF9n0Yli9R"
467 "kQQwbyshfWhdi5XQ1++7n2L1qqrcVlmHBPpr6yknT/u4pUrpQB5FZ7vqvNn8MdHf"
468 "9rWgoQYCBFXgs7uiBAICHCCjggR6MIIEdjCCA16gAwIBAgIIf+yfD7Y6UicwDQYJ"
469 "KoZIhvcNAQELBQAwSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMx"
470 "JTAjBgNVBAMTHEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTUwODEy"
471 "MTQ1MzE1WhcNMTUxMTEwMDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwK"
472 "Q2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29v"
473 "Z2xlIEluYzEXMBUGA1UEAwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEB"
474 "AQUAA4IBDwAwggEKAoIBAQC0MeG5YGQ0t+IeJeoneP/PrhEaieibeKYkbKVLNZpo"
475 "PLuBinvhkXZo3DC133NpCBpy6ZktBwamqyixAyuk/NU6OjgXqwwxfQ7di1AInLIU"
476 "792c7hFyNXSUCG7At8Ifi3YwBX9Ba6u/1d6rWTGZJrdCq3QU11RkKYyTq2KT5mce"
477 "Tv9iGKqSkSTlp8puy/9SZ/3DbU3U+BuqCFqeSlz7zjwFmk35acdCilpJlVDDN5C/"
478 "RCh8/UKc8PaL+cxlt531qoTENvYrflBno14YEZlCBZsPiFeUSILpKEj3Ccwhy0eL"
479 "EucWQ72YZU8mUzXBoXGn0zA0crFl5ci/2sTBBGZsylNBAgMBAAGjggFBMIIBPTAd"
480 "BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdv"
481 "b2dsZS5jb20waAYIKwYBBQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtp"
482 "Lmdvb2dsZS5jb20vR0lBRzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50"
483 "czEuZ29vZ2xlLmNvbS9vY3NwMB0GA1UdDgQWBBS/bzHxcE73Q4j3slC4BLbMtLjG"
484 "GjAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEv"
485 "MBcGA1UdIAQQMA4wDAYKKwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRw"
486 "Oi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQAb"
487 "qdWPZEHk0X7iKPCTHL6S3w6q1eR67goxZGFSM1lk1hjwyu7XcLJuvALVV9uY3ovE"
488 "kQZSHwT+pyOPWQhsSjO+1GyjvCvK/CAwiUmBX+bQRGaqHsRcio7xSbdVcajQ3bXd"
489 "X+s0WdbOpn6MStKAiBVloPlSxEI8pxY6x/BBCnTIk/+DMB17uZlOjG3vbAnkDkP+"
490 "n0OTucD9sHV7EVj9XUxi51nOfNBCN/s7lpUjDS/NJ4k3iwOtbCPswiot8vLO779a"
491 "f07vR03r349Iz/KTzk95rlFtX0IU+KYNxFNsanIXZ+C9FYGRXkwhHcvFb4qMUB1y"
492 "TTlM80jBMOwyjZXmjRAhpAIEAKUDAgEUqQUCAwGJwKqBpwSBpOgebbmn9NRUtMWH"
493 "+eJpqA5JLMFSMCChOsvKey3toBaCNGU7HfAEiiXNuuAdCBoK262BjQc2YYfqFzqH"
494 "zuppopXCvhohx7j/tnCNZIMgLYt/O9SXK2RYI5z8FhCCHvB4CbD5G0LGl5EFP27s"
495 "Jb6S3aTTYPkQe8yZSlxevg6NDwmTogLO9F7UUkaYmVcMQhzssEE2ZRYNwSOU6KjE"
496 "0Yj+8fAiBtbQriIEIN2L8ZlpaVrdN5KFNdvcmOxJu81P8q53X55xQyGTnGWwsgMC"
497 "ARezggvvMIIEdjCCA16gAwIBAgIIf+yfD7Y6UicwDQYJKoZIhvcNAQELBQAwSTEL"
498 "MAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2ds"
499 "ZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTUwODEyMTQ1MzE1WhcNMTUxMTEw"
500 "MDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQG"
501 "A1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UE"
502 "AwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB"
503 "AQC0MeG5YGQ0t+IeJeoneP/PrhEaieibeKYkbKVLNZpoPLuBinvhkXZo3DC133Np"
504 "CBpy6ZktBwamqyixAyuk/NU6OjgXqwwxfQ7di1AInLIU792c7hFyNXSUCG7At8If"
505 "i3YwBX9Ba6u/1d6rWTGZJrdCq3QU11RkKYyTq2KT5mceTv9iGKqSkSTlp8puy/9S"
506 "Z/3DbU3U+BuqCFqeSlz7zjwFmk35acdCilpJlVDDN5C/RCh8/UKc8PaL+cxlt531"
507 "qoTENvYrflBno14YEZlCBZsPiFeUSILpKEj3Ccwhy0eLEucWQ72YZU8mUzXBoXGn"
508 "0zA0crFl5ci/2sTBBGZsylNBAgMBAAGjggFBMIIBPTAdBgNVHSUEFjAUBggrBgEF"
509 "BQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYB"
510 "BQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lB"
511 "RzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9v"
512 "Y3NwMB0GA1UdDgQWBBS/bzHxcE73Q4j3slC4BLbMtLjGGjAMBgNVHRMBAf8EAjAA"
513 "MB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMBcGA1UdIAQQMA4wDAYK"
514 "KwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRwOi8vcGtpLmdvb2dsZS5j"
515 "b20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQAbqdWPZEHk0X7iKPCTHL6S"
516 "3w6q1eR67goxZGFSM1lk1hjwyu7XcLJuvALVV9uY3ovEkQZSHwT+pyOPWQhsSjO+"
517 "1GyjvCvK/CAwiUmBX+bQRGaqHsRcio7xSbdVcajQ3bXdX+s0WdbOpn6MStKAiBVl"
518 "oPlSxEI8pxY6x/BBCnTIk/+DMB17uZlOjG3vbAnkDkP+n0OTucD9sHV7EVj9XUxi"
519 "51nOfNBCN/s7lpUjDS/NJ4k3iwOtbCPswiot8vLO779af07vR03r349Iz/KTzk95"
520 "rlFtX0IU+KYNxFNsanIXZ+C9FYGRXkwhHcvFb4qMUB1yTTlM80jBMOwyjZXmjRAh"
521 "MIID8DCCAtigAwIBAgIDAjqDMA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT"
522 "MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i"
523 "YWwgQ0EwHhcNMTMwNDA1MTUxNTU2WhcNMTYxMjMxMjM1OTU5WjBJMQswCQYDVQQG"
524 "EwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVy"
525 "bmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB"
526 "AJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NP"
527 "VaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtv"
528 "h8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rE"
529 "ahqyzFPdFUuLH8gZYR/Nnag+YyuENWllhMgZxUYi+FOVvuOAShDGKuy6lyARxzmZ"
530 "EASg8GF6lSWMTlJ14rbtCMoU/M4iarNOz0YDl5cDfsCx3nuvRTPPuj5xt970JSXC"
531 "DTWJnZ37DhF5iR43xa+OcmkCAwEAAaOB5zCB5DAfBgNVHSMEGDAWgBTAephojYn7"
532 "qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1dvWBtrtiGrpagS8wDgYD"
533 "VR0PAQH/BAQDAgEGMC4GCCsGAQUFBwEBBCIwIDAeBggrBgEFBQcwAYYSaHR0cDov"
534 "L2cuc3ltY2QuY29tMBIGA1UdEwEB/wQIMAYBAf8CAQAwNQYDVR0fBC4wLDAqoCig"
535 "JoYkaHR0cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9iYWwuY3JsMBcGA1UdIAQQ"
536 "MA4wDAYKKwYBBAHWeQIFATANBgkqhkiG9w0BAQsFAAOCAQEAqvqpIM1qZ4PtXtR+"
537 "3h3Ef+AlBgDFJPupyC1tft6dgmUsgWM0Zj7pUsIItMsv91+ZOmqcUHqFBYx90SpI"
538 "hNMJbHzCzTWf84LuUt5oX+QAihcglvcpjZpNy6jehsgNb1aHA30DP9z6eX0hGfnI"
539 "Oi9RdozHQZJxjyXON/hKTAAj78Q1EK7gI4BzfE00LshukNYQHpmEcxpw8u1VDu4X"
540 "Bupn7jLrLN1nBz/2i8Jw3lsA5rsb0zYaImxssDVCbJAJPZPpZAkiDoUGn8JzIdPm"
541 "X4DkjYUiOnMDsWCOrmji9D6X52ASCWg23jrW4kOVWzeBkoEfu43XrVJkFleW2V40"
542 "fsg12DCCA30wggLmoAMCAQICAxK75jANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQG"
543 "EwJVUzEQMA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUg"
544 "Q2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTAyMDUyMTA0MDAwMFoXDTE4MDgyMTA0"
545 "MDAwMFowQjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUdlb1RydXN0IEluYy4xGzAZ"
546 "BgNVBAMTEkdlb1RydXN0IEdsb2JhbCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP"
547 "ADCCAQoCggEBANrMGGMw/fQXIxpWflvfPGw45HG3eJHUvKHYTPioQ7YD6U0hBwiI"
548 "2lgvZjkpvQV4i5046AW3an5xpObEYKaw74DkiSgPniXW7YPzraaRx5jJQhg1FJ2t"
549 "mEaSLk/K8YdDwRaVVy1Q74ktgHpXrfLuX2vSAI25FPgUFTXZwEaje3LIkb/JVSvN"
550 "0Jc+nCZkzN/Ogxlxyk7m1NV7qRnNVd7I7NJeOFPlXE+MLf5QIzb8ZubLjqQ5GQC3"
551 "lQI5kQsO/jgu0R0FmvZNPm8PBx2vLB6PYDni+jZTEznUXiYr2z2oFL0y6xgDKFIE"
552 "ceWrMz3hOLsHNoRinHnqFjD0X8Ar6HFr5PkCAwEAAaOB8DCB7TAfBgNVHSMEGDAW"
553 "gBRI5mj5K9KylddH2CMgEE8zmJCf1DAdBgNVHQ4EFgQUwHqYaI2J+6sFZAwRfap9"
554 "ZbjKzE4wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwOgYDVR0fBDMw"
555 "MTAvoC2gK4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20vY3Jscy9zZWN1cmVjYS5j"
556 "cmwwTgYDVR0gBEcwRTBDBgRVHSAAMDswOQYIKwYBBQUHAgEWLWh0dHBzOi8vd3d3"
557 "Lmdlb3RydXN0LmNvbS9yZXNvdXJjZXMvcmVwb3NpdG9yeTANBgkqhkiG9w0BAQUF"
558 "AAOBgQB24RJuTksWEoYwBrKBCM/wCMfHcX5m7sLt1Dsf//DwyE7WQziwuTB9GNBV"
559 "g6JqyzYRnOhIZqNtf7gT1Ef+i1pcc/yu2RsyGTirlzQUqpbS66McFAhJtrvlke+D"
560 "NusdVm/K2rxzY5Dkf3s+Iss9B+1fOHSc4wNQTqGvmO5h8oQ/Eg==";
561
562// kBadSessionExtraField is a custom serialized SSL_SESSION generated by replacing
563// the final (optional) element of |kCustomSession| with tag number 30.
564static const char kBadSessionExtraField[] =
565 "MIIBdgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
566 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
567 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
568 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
569 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
570 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
571 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
572 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBL4DBAEF";
573
574// kBadSessionVersion is a custom serialized SSL_SESSION generated by replacing
575// the version of |kCustomSession| with 2.
576static const char kBadSessionVersion[] =
577 "MIIBdgIBAgICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
578 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
579 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
580 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
581 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
582 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
583 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
584 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBLADBAEF";
585
586// kBadSessionTrailingData is a custom serialized SSL_SESSION with trailing data
587// appended.
588static const char kBadSessionTrailingData[] =
589 "MIIBdgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
590 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
591 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
592 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
593 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
594 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
595 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
596 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBLADBAEFAAAA";
597
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]598static bool DecodeBase64(std::vector<uint8_t> *out, const char *in) {
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]599 size_t len;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]600 if (!EVP_DecodedLength(&len, strlen(in))) {
601 fprintf(stderr, "EVP_DecodedLength failed\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]602 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]603 }
604
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]605 out->resize(len);
David Benjaminef14b2d2015-11-11 14:01:27 -0800[diff] [blame]606 if (!EVP_DecodeBase64(out->data(), &len, len, (const uint8_t *)in,
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]607 strlen(in))) {
608 fprintf(stderr, "EVP_DecodeBase64 failed\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]609 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]610 }
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]611 out->resize(len);
612 return true;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]613}
614
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]615static bool TestSSL_SESSIONEncoding(const char *input_b64) {
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]616 const uint8_t *cptr;
617 uint8_t *ptr;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]618
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]619 // Decode the input.
620 std::vector<uint8_t> input;
621 if (!DecodeBase64(&input, input_b64)) {
622 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]623 }
624
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]625 // Verify the SSL_SESSION decodes.
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]626 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
627 if (!ssl_ctx) {
628 return false;
629 }
630 bssl::UniquePtr<SSL_SESSION> session(
631 SSL_SESSION_from_bytes(input.data(), input.size(), ssl_ctx.get()));
David Benjaminfd67aa82015-06-15 19:41:48 -0400[diff] [blame]632 if (!session) {
633 fprintf(stderr, "SSL_SESSION_from_bytes failed\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]634 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]635 }
636
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]637 // Verify the SSL_SESSION encoding round-trips.
638 size_t encoded_len;
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]639 bssl::UniquePtr<uint8_t> encoded;
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]640 uint8_t *encoded_raw;
641 if (!SSL_SESSION_to_bytes(session.get(), &encoded_raw, &encoded_len)) {
David Benjamin3cac4502014-10-21 01:46:30 -0400[diff] [blame]642 fprintf(stderr, "SSL_SESSION_to_bytes failed\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]643 return false;
David Benjamin3cac4502014-10-21 01:46:30 -0400[diff] [blame]644 }
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]645 encoded.reset(encoded_raw);
646 if (encoded_len != input.size() ||
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]647 OPENSSL_memcmp(input.data(), encoded.get(), input.size()) != 0) {
David Benjamin3cac4502014-10-21 01:46:30 -0400[diff] [blame]648 fprintf(stderr, "SSL_SESSION_to_bytes did not round-trip\n");
Sigbjorn Vik2b23d242015-06-29 15:07:26 +0200[diff] [blame]649 hexdump(stderr, "Before: ", input.data(), input.size());
650 hexdump(stderr, "After: ", encoded_raw, encoded_len);
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]651 return false;
David Benjamin3cac4502014-10-21 01:46:30 -0400[diff] [blame]652 }
David Benjamin3cac4502014-10-21 01:46:30 -0400[diff] [blame]653
David Benjaminfd67aa82015-06-15 19:41:48 -0400[diff] [blame]654 // Verify the SSL_SESSION also decodes with the legacy API.
David Benjaminef14b2d2015-11-11 14:01:27 -0800[diff] [blame]655 cptr = input.data();
David Benjaminfd67aa82015-06-15 19:41:48 -0400[diff] [blame]656 session.reset(d2i_SSL_SESSION(NULL, &cptr, input.size()));
David Benjaminef14b2d2015-11-11 14:01:27 -0800[diff] [blame]657 if (!session || cptr != input.data() + input.size()) {
David Benjaminfd67aa82015-06-15 19:41:48 -0400[diff] [blame]658 fprintf(stderr, "d2i_SSL_SESSION failed\n");
659 return false;
660 }
661
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]662 // Verify the SSL_SESSION encoding round-trips via the legacy API.
663 int len = i2d_SSL_SESSION(session.get(), NULL);
664 if (len < 0 || (size_t)len != input.size()) {
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]665 fprintf(stderr, "i2d_SSL_SESSION(NULL) returned invalid length\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]666 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]667 }
668
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]669 encoded.reset((uint8_t *)OPENSSL_malloc(input.size()));
670 if (!encoded) {
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]671 fprintf(stderr, "malloc failed\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]672 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]673 }
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]674
675 ptr = encoded.get();
676 len = i2d_SSL_SESSION(session.get(), &ptr);
677 if (len < 0 || (size_t)len != input.size()) {
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]678 fprintf(stderr, "i2d_SSL_SESSION returned invalid length\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]679 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]680 }
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]681 if (ptr != encoded.get() + input.size()) {
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]682 fprintf(stderr, "i2d_SSL_SESSION did not advance ptr correctly\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]683 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]684 }
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]685 if (OPENSSL_memcmp(input.data(), encoded.get(), input.size()) != 0) {
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]686 fprintf(stderr, "i2d_SSL_SESSION did not round-trip\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]687 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]688 }
689
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]690 return true;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]691}
692
David Benjaminf297e022015-05-28 19:55:29 -0400[diff] [blame]693static bool TestBadSSL_SESSIONEncoding(const char *input_b64) {
694 std::vector<uint8_t> input;
695 if (!DecodeBase64(&input, input_b64)) {
696 return false;
697 }
698
699 // Verify that the SSL_SESSION fails to decode.
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]700 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
701 if (!ssl_ctx) {
702 return false;
703 }
704 bssl::UniquePtr<SSL_SESSION> session(
705 SSL_SESSION_from_bytes(input.data(), input.size(), ssl_ctx.get()));
David Benjaminf297e022015-05-28 19:55:29 -0400[diff] [blame]706 if (session) {
David Benjaminfd67aa82015-06-15 19:41:48 -0400[diff] [blame]707 fprintf(stderr, "SSL_SESSION_from_bytes unexpectedly succeeded\n");
David Benjaminf297e022015-05-28 19:55:29 -0400[diff] [blame]708 return false;
709 }
710 ERR_clear_error();
711 return true;
712}
713
David Benjamin321fcdc2017-04-24 11:42:42 -0400[diff] [blame]714static void ExpectDefaultVersion(uint16_t min_version, uint16_t max_version,
715 const SSL_METHOD *(*method)(void)) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]716 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method()));
David Benjamin321fcdc2017-04-24 11:42:42 -0400[diff] [blame]717 ASSERT_TRUE(ctx);
718 EXPECT_EQ(min_version, ctx->min_version);
719 EXPECT_EQ(max_version, ctx->max_version);
720}
721
722TEST(SSLTest, DefaultVersion) {
723 // TODO(svaldez): Update this when TLS 1.3 is enabled by default.
724 ExpectDefaultVersion(TLS1_VERSION, TLS1_2_VERSION, &TLS_method);
725 ExpectDefaultVersion(TLS1_VERSION, TLS1_VERSION, &TLSv1_method);
726 ExpectDefaultVersion(TLS1_1_VERSION, TLS1_1_VERSION, &TLSv1_1_method);
727 ExpectDefaultVersion(TLS1_2_VERSION, TLS1_2_VERSION, &TLSv1_2_method);
728 ExpectDefaultVersion(TLS1_1_VERSION, TLS1_2_VERSION, &DTLS_method);
729 ExpectDefaultVersion(TLS1_1_VERSION, TLS1_1_VERSION, &DTLSv1_method);
730 ExpectDefaultVersion(TLS1_2_VERSION, TLS1_2_VERSION, &DTLSv1_2_method);
David Benjamin82c9e902014-12-12 15:55:27 -0500[diff] [blame]731}
732
David Benjamin65226252015-02-05 16:49:47 -0500[diff] [blame]733typedef struct {
David Benjamin2bdb35c2015-02-21 11:03:06 -0500[diff] [blame]734 int id;
David Benjamin65226252015-02-05 16:49:47 -0500[diff] [blame]735 const char *rfc_name;
736} CIPHER_RFC_NAME_TEST;
737
738static const CIPHER_RFC_NAME_TEST kCipherRFCNameTests[] = {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]739 {SSL3_CK_RSA_DES_192_CBC3_SHA, "TLS_RSA_WITH_3DES_EDE_CBC_SHA"},
740 {TLS1_CK_RSA_WITH_AES_128_SHA, "TLS_RSA_WITH_AES_128_CBC_SHA"},
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]741 {TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
742 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"},
743 {TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
744 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"},
745 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
746 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"},
747 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
748 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"},
749 {TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
750 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"},
751 {TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA,
752 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA"},
753 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
754 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"},
755 {TLS1_CK_AES_256_GCM_SHA384, "TLS_AES_256_GCM_SHA384"},
756 {TLS1_CK_AES_128_GCM_SHA256, "TLS_AES_128_GCM_SHA256"},
757 {TLS1_CK_CHACHA20_POLY1305_SHA256, "TLS_CHACHA20_POLY1305_SHA256"},
David Benjamin65226252015-02-05 16:49:47 -0500[diff] [blame]758};
759
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]760TEST(SSLTest, CipherGetRFCName) {
761 for (const CIPHER_RFC_NAME_TEST &t : kCipherRFCNameTests) {
762 SCOPED_TRACE(t.rfc_name);
763
764 const SSL_CIPHER *cipher = SSL_get_cipher_by_value(t.id & 0xffff);
765 ASSERT_TRUE(cipher);
766 bssl::UniquePtr<char> rfc_name(SSL_CIPHER_get_rfc_name(cipher));
767 ASSERT_TRUE(rfc_name);
768
769 EXPECT_STREQ(t.rfc_name, rfc_name.get());
David Benjamin65226252015-02-05 16:49:47 -0500[diff] [blame]770 }
David Benjamin65226252015-02-05 16:49:47 -0500[diff] [blame]771}
772
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]773// CreateSessionWithTicket returns a sample |SSL_SESSION| with the specified
774// version and ticket length or nullptr on failure.
775static bssl::UniquePtr<SSL_SESSION> CreateSessionWithTicket(uint16_t version,
776 size_t ticket_len) {
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]777 std::vector<uint8_t> der;
778 if (!DecodeBase64(&der, kOpenSSLSession)) {
779 return nullptr;
780 }
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]781
782 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
783 if (!ssl_ctx) {
784 return nullptr;
785 }
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]786 bssl::UniquePtr<SSL_SESSION> session(
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]787 SSL_SESSION_from_bytes(der.data(), der.size(), ssl_ctx.get()));
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]788 if (!session) {
789 return nullptr;
790 }
791
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]792 session->ssl_version = version;
793
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]794 // Swap out the ticket for a garbage one.
795 OPENSSL_free(session->tlsext_tick);
796 session->tlsext_tick = reinterpret_cast<uint8_t*>(OPENSSL_malloc(ticket_len));
797 if (session->tlsext_tick == nullptr) {
798 return nullptr;
799 }
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]800 OPENSSL_memset(session->tlsext_tick, 'a', ticket_len);
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]801 session->tlsext_ticklen = ticket_len;
David Benjamin1269ddd2015-10-18 15:18:55 -0400[diff] [blame]802
803 // Fix up the timeout.
David Benjamin9b63f292016-11-15 00:44:05 -0500[diff] [blame]804#if defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE)
805 session->time = 1234;
806#else
David Benjamin1269ddd2015-10-18 15:18:55 -0400[diff] [blame]807 session->time = time(NULL);
David Benjamin9b63f292016-11-15 00:44:05 -0500[diff] [blame]808#endif
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]809 return session;
810}
811
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]812static bool GetClientHello(SSL *ssl, std::vector<uint8_t> *out) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]813 bssl::UniquePtr<BIO> bio(BIO_new(BIO_s_mem()));
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]814 if (!bio) {
815 return false;
816 }
817 // Do not configure a reading BIO, but record what's written to a memory BIO.
David Benjamin96a16cd2016-08-11 12:14:47 -0400[diff] [blame]818 BIO_up_ref(bio.get());
819 SSL_set_bio(ssl, nullptr /* rbio */, bio.get());
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]820 int ret = SSL_connect(ssl);
821 if (ret > 0) {
822 // SSL_connect should fail without a BIO to write to.
823 return false;
824 }
825 ERR_clear_error();
826
827 const uint8_t *client_hello;
828 size_t client_hello_len;
829 if (!BIO_mem_contents(bio.get(), &client_hello, &client_hello_len)) {
830 return false;
831 }
832 *out = std::vector<uint8_t>(client_hello, client_hello + client_hello_len);
833 return true;
834}
835
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]836// GetClientHelloLen creates a client SSL connection with the specified version
837// and ticket length. It returns the length of the ClientHello, not including
838// the record header, on success and zero on error.
839static size_t GetClientHelloLen(uint16_t max_version, uint16_t session_version,
840 size_t ticket_len) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]841 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]842 bssl::UniquePtr<SSL_SESSION> session =
843 CreateSessionWithTicket(session_version, ticket_len);
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]844 if (!ctx || !session) {
845 return 0;
846 }
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]847
848 // Set a one-element cipher list so the baseline ClientHello is unpadded.
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]849 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
Steven Valdez2c62fe92016-10-14 12:08:12 -0400[diff] [blame]850 if (!ssl || !SSL_set_session(ssl.get(), session.get()) ||
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]851 !SSL_set_strict_cipher_list(ssl.get(), "ECDHE-RSA-AES128-GCM-SHA256") ||
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]852 !SSL_set_max_proto_version(ssl.get(), max_version)) {
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]853 return 0;
854 }
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]855
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]856 std::vector<uint8_t> client_hello;
857 if (!GetClientHello(ssl.get(), &client_hello) ||
858 client_hello.size() <= SSL3_RT_HEADER_LENGTH) {
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]859 return 0;
860 }
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]861
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]862 return client_hello.size() - SSL3_RT_HEADER_LENGTH;
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]863}
864
865struct PaddingTest {
866 size_t input_len, padded_len;
867};
868
869static const PaddingTest kPaddingTests[] = {
870 // ClientHellos of length below 0x100 do not require padding.
871 {0xfe, 0xfe},
872 {0xff, 0xff},
873 // ClientHellos of length 0x100 through 0x1fb are padded up to 0x200.
874 {0x100, 0x200},
875 {0x123, 0x200},
876 {0x1fb, 0x200},
877 // ClientHellos of length 0x1fc through 0x1ff get padded beyond 0x200. The
878 // padding extension takes a minimum of four bytes plus one required content
879 // byte. (To work around yet more server bugs, we avoid empty final
880 // extensions.)
881 {0x1fc, 0x201},
882 {0x1fd, 0x202},
883 {0x1fe, 0x203},
884 {0x1ff, 0x204},
885 // Finally, larger ClientHellos need no padding.
886 {0x200, 0x200},
887 {0x201, 0x201},
888};
889
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]890static bool TestPaddingExtension(uint16_t max_version,
891 uint16_t session_version) {
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]892 // Sample a baseline length.
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]893 size_t base_len = GetClientHelloLen(max_version, session_version, 1);
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]894 if (base_len == 0) {
895 return false;
896 }
897
898 for (const PaddingTest &test : kPaddingTests) {
899 if (base_len > test.input_len) {
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]900 fprintf(stderr,
901 "Baseline ClientHello too long (max_version = %04x, "
902 "session_version = %04x).\n",
903 max_version, session_version);
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]904 return false;
905 }
906
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]907 size_t padded_len = GetClientHelloLen(max_version, session_version,
908 1 + test.input_len - base_len);
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]909 if (padded_len != test.padded_len) {
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]910 fprintf(stderr,
911 "%u-byte ClientHello padded to %u bytes, not %u (max_version = "
912 "%04x, session_version = %04x).\n",
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]913 static_cast<unsigned>(test.input_len),
914 static_cast<unsigned>(padded_len),
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]915 static_cast<unsigned>(test.padded_len), max_version,
916 session_version);
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]917 return false;
918 }
919 }
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]920
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]921 return true;
922}
923
David Benjamin1d128f32015-09-08 17:41:40 -0400[diff] [blame]924// Test that |SSL_get_client_CA_list| echoes back the configured parameter even
925// before configuring as a server.
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]926TEST(SSLTest, ClientCAList) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]927 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]928 ASSERT_TRUE(ctx);
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]929 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]930 ASSERT_TRUE(ssl);
David Benjamin1d128f32015-09-08 17:41:40 -0400[diff] [blame]931
Adam Langley34b4c822017-02-02 10:57:17 -0800[diff] [blame]932 bssl::UniquePtr<X509_NAME> name(X509_NAME_new());
933 ASSERT_TRUE(name);
David Benjamin1d128f32015-09-08 17:41:40 -0400[diff] [blame]934
Adam Langley34b4c822017-02-02 10:57:17 -0800[diff] [blame]935 bssl::UniquePtr<X509_NAME> name_dup(X509_NAME_dup(name.get()));
936 ASSERT_TRUE(name_dup);
937
938 bssl::UniquePtr<STACK_OF(X509_NAME)> stack(sk_X509_NAME_new_null());
939 ASSERT_TRUE(stack);
940
941 ASSERT_TRUE(sk_X509_NAME_push(stack.get(), name_dup.get()));
942 name_dup.release();
943
944 // |SSL_set_client_CA_list| takes ownership.
945 SSL_set_client_CA_list(ssl.get(), stack.release());
946
947 STACK_OF(X509_NAME) *result = SSL_get_client_CA_list(ssl.get());
948 ASSERT_TRUE(result);
949 ASSERT_EQ(1u, sk_X509_NAME_num(result));
950 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(result, 0), name.get()));
David Benjamin1d128f32015-09-08 17:41:40 -0400[diff] [blame]951}
952
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]953static void AppendSession(SSL_SESSION *session, void *arg) {
954 std::vector<SSL_SESSION*> *out =
955 reinterpret_cast<std::vector<SSL_SESSION*>*>(arg);
956 out->push_back(session);
957}
958
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]959// CacheEquals returns true if |ctx|'s session cache consists of |expected|, in
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]960// order.
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]961static bool CacheEquals(SSL_CTX *ctx,
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]962 const std::vector<SSL_SESSION*> &expected) {
963 // Check the linked list.
964 SSL_SESSION *ptr = ctx->session_cache_head;
965 for (SSL_SESSION *session : expected) {
966 if (ptr != session) {
967 return false;
968 }
969 // TODO(davidben): This is an absurd way to denote the end of the list.
970 if (ptr->next ==
971 reinterpret_cast<SSL_SESSION *>(&ctx->session_cache_tail)) {
972 ptr = nullptr;
973 } else {
974 ptr = ptr->next;
975 }
976 }
977 if (ptr != nullptr) {
978 return false;
979 }
980
981 // Check the hash table.
982 std::vector<SSL_SESSION*> actual, expected_copy;
983 lh_SSL_SESSION_doall_arg(SSL_CTX_sessions(ctx), AppendSession, &actual);
984 expected_copy = expected;
985
986 std::sort(actual.begin(), actual.end());
987 std::sort(expected_copy.begin(), expected_copy.end());
988
989 return actual == expected_copy;
990}
991
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]992static bssl::UniquePtr<SSL_SESSION> CreateTestSession(uint32_t number) {
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]993 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
994 if (!ssl_ctx) {
995 return nullptr;
996 }
997 bssl::UniquePtr<SSL_SESSION> ret(SSL_SESSION_new(ssl_ctx.get()));
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]998 if (!ret) {
999 return nullptr;
1000 }
1001
1002 ret->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]1003 OPENSSL_memset(ret->session_id, 0, ret->session_id_length);
1004 OPENSSL_memcpy(ret->session_id, &number, sizeof(number));
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1005 return ret;
1006}
1007
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1008// Test that the internal session cache behaves as expected.
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1009TEST(SSLTest, InternalSessionCache) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1010 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1011 ASSERT_TRUE(ctx);
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1012
1013 // Prepare 10 test sessions.
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1014 std::vector<bssl::UniquePtr<SSL_SESSION>> sessions;
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1015 for (int i = 0; i < 10; i++) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1016 bssl::UniquePtr<SSL_SESSION> session = CreateTestSession(i);
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1017 ASSERT_TRUE(session);
David Benjamin4f6acaf2015-11-21 03:00:50 -0500[diff] [blame]1018 sessions.push_back(std::move(session));
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1019 }
1020
1021 SSL_CTX_sess_set_cache_size(ctx.get(), 5);
1022
1023 // Insert all the test sessions.
David Benjamin4f6acaf2015-11-21 03:00:50 -0500[diff] [blame]1024 for (const auto &session : sessions) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1025 ASSERT_TRUE(SSL_CTX_add_session(ctx.get(), session.get()));
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1026 }
1027
1028 // Only the last five should be in the list.
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1029 ASSERT_TRUE(CacheEquals(
1030 ctx.get(), {sessions[9].get(), sessions[8].get(), sessions[7].get(),
1031 sessions[6].get(), sessions[5].get()}));
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1032
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1033 // Inserting an element already in the cache should fail and leave the cache
1034 // unchanged.
1035 ASSERT_FALSE(SSL_CTX_add_session(ctx.get(), sessions[7].get()));
1036 ASSERT_TRUE(CacheEquals(
1037 ctx.get(), {sessions[9].get(), sessions[8].get(), sessions[7].get(),
1038 sessions[6].get(), sessions[5].get()}));
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1039
1040 // Although collisions should be impossible (256-bit session IDs), the cache
1041 // must handle them gracefully.
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1042 bssl::UniquePtr<SSL_SESSION> collision(CreateTestSession(7));
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1043 ASSERT_TRUE(collision);
1044 ASSERT_TRUE(SSL_CTX_add_session(ctx.get(), collision.get()));
1045 ASSERT_TRUE(CacheEquals(
1046 ctx.get(), {collision.get(), sessions[9].get(), sessions[8].get(),
1047 sessions[6].get(), sessions[5].get()}));
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1048
1049 // Removing sessions behaves correctly.
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1050 ASSERT_TRUE(SSL_CTX_remove_session(ctx.get(), sessions[6].get()));
1051 ASSERT_TRUE(CacheEquals(ctx.get(), {collision.get(), sessions[9].get(),
1052 sessions[8].get(), sessions[5].get()}));
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1053
1054 // Removing sessions requires an exact match.
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1055 ASSERT_FALSE(SSL_CTX_remove_session(ctx.get(), sessions[0].get()));
1056 ASSERT_FALSE(SSL_CTX_remove_session(ctx.get(), sessions[7].get()));
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1057
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1058 // The cache remains unchanged.
1059 ASSERT_TRUE(CacheEquals(ctx.get(), {collision.get(), sessions[9].get(),
1060 sessions[8].get(), sessions[5].get()}));
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1061}
1062
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1063static uint16_t EpochFromSequence(uint64_t seq) {
1064 return static_cast<uint16_t>(seq >> 48);
1065}
1066
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1067static bssl::UniquePtr<X509> GetTestCertificate() {
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1068 static const char kCertPEM[] =
1069 "-----BEGIN CERTIFICATE-----\n"
1070 "MIICWDCCAcGgAwIBAgIJAPuwTC6rEJsMMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV\n"
1071 "BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX\n"
1072 "aWRnaXRzIFB0eSBMdGQwHhcNMTQwNDIzMjA1MDQwWhcNMTcwNDIyMjA1MDQwWjBF\n"
1073 "MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50\n"
1074 "ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\n"
1075 "gQDYK8imMuRi/03z0K1Zi0WnvfFHvwlYeyK9Na6XJYaUoIDAtB92kWdGMdAQhLci\n"
1076 "HnAjkXLI6W15OoV3gA/ElRZ1xUpxTMhjP6PyY5wqT5r6y8FxbiiFKKAnHmUcrgfV\n"
1077 "W28tQ+0rkLGMryRtrukXOgXBv7gcrmU7G1jC2a7WqmeI8QIDAQABo1AwTjAdBgNV\n"
1078 "HQ4EFgQUi3XVrMsIvg4fZbf6Vr5sp3Xaha8wHwYDVR0jBBgwFoAUi3XVrMsIvg4f\n"
1079 "Zbf6Vr5sp3Xaha8wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQA76Hht\n"
1080 "ldY9avcTGSwbwoiuIqv0jTL1fHFnzy3RHMLDh+Lpvolc5DSrSJHCP5WuK0eeJXhr\n"
1081 "T5oQpHL9z/cCDLAKCKRa4uV0fhEdOWBqyR9p8y5jJtye72t6CuFUV5iqcpF4BH4f\n"
1082 "j2VNHwsSrJwkD4QUGlUtH7vwnQmyCFxZMmWAJg==\n"
1083 "-----END CERTIFICATE-----\n";
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1084 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(kCertPEM, strlen(kCertPEM)));
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]1085 return bssl::UniquePtr<X509>(
1086 PEM_read_bio_X509(bio.get(), nullptr, nullptr, nullptr));
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1087}
1088
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1089static bssl::UniquePtr<EVP_PKEY> GetTestKey() {
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1090 static const char kKeyPEM[] =
1091 "-----BEGIN RSA PRIVATE KEY-----\n"
1092 "MIICXgIBAAKBgQDYK8imMuRi/03z0K1Zi0WnvfFHvwlYeyK9Na6XJYaUoIDAtB92\n"
1093 "kWdGMdAQhLciHnAjkXLI6W15OoV3gA/ElRZ1xUpxTMhjP6PyY5wqT5r6y8FxbiiF\n"
1094 "KKAnHmUcrgfVW28tQ+0rkLGMryRtrukXOgXBv7gcrmU7G1jC2a7WqmeI8QIDAQAB\n"
1095 "AoGBAIBy09Fd4DOq/Ijp8HeKuCMKTHqTW1xGHshLQ6jwVV2vWZIn9aIgmDsvkjCe\n"
1096 "i6ssZvnbjVcwzSoByhjN8ZCf/i15HECWDFFh6gt0P5z0MnChwzZmvatV/FXCT0j+\n"
1097 "WmGNB/gkehKjGXLLcjTb6dRYVJSCZhVuOLLcbWIV10gggJQBAkEA8S8sGe4ezyyZ\n"
1098 "m4e9r95g6s43kPqtj5rewTsUxt+2n4eVodD+ZUlCULWVNAFLkYRTBCASlSrm9Xhj\n"
1099 "QpmWAHJUkQJBAOVzQdFUaewLtdOJoPCtpYoY1zd22eae8TQEmpGOR11L6kbxLQsk\n"
1100 "aMly/DOnOaa82tqAGTdqDEZgSNmCeKKknmECQAvpnY8GUOVAubGR6c+W90iBuQLj\n"
1101 "LtFp/9ihd2w/PoDwrHZaoUYVcT4VSfJQog/k7kjE4MYXYWL8eEKg3WTWQNECQQDk\n"
1102 "104Wi91Umd1PzF0ijd2jXOERJU1wEKe6XLkYYNHWQAe5l4J4MWj9OdxFXAxIuuR/\n"
1103 "tfDwbqkta4xcux67//khAkEAvvRXLHTaa6VFzTaiiO8SaFsHV3lQyXOtMrBpB5jd\n"
1104 "moZWgjHvB2W9Ckn7sDqsPB+U2tyX0joDdQEyuiMECDY8oQ==\n"
1105 "-----END RSA PRIVATE KEY-----\n";
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1106 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(kKeyPEM, strlen(kKeyPEM)));
1107 return bssl::UniquePtr<EVP_PKEY>(
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1108 PEM_read_bio_PrivateKey(bio.get(), nullptr, nullptr, nullptr));
1109}
1110
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1111static bssl::UniquePtr<X509> GetECDSATestCertificate() {
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]1112 static const char kCertPEM[] =
1113 "-----BEGIN CERTIFICATE-----\n"
1114 "MIIBzzCCAXagAwIBAgIJANlMBNpJfb/rMAkGByqGSM49BAEwRTELMAkGA1UEBhMC\n"
1115 "QVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdp\n"
1116 "dHMgUHR5IEx0ZDAeFw0xNDA0MjMyMzIxNTdaFw0xNDA1MjMyMzIxNTdaMEUxCzAJ\n"
1117 "BgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5l\n"
1118 "dCBXaWRnaXRzIFB0eSBMdGQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATmK2ni\n"
1119 "v2Wfl74vHg2UikzVl2u3qR4NRvvdqakendy6WgHn1peoChj5w8SjHlbifINI2xYa\n"
1120 "HPUdfvGULUvPciLBo1AwTjAdBgNVHQ4EFgQUq4TSrKuV8IJOFngHVVdf5CaNgtEw\n"
1121 "HwYDVR0jBBgwFoAUq4TSrKuV8IJOFngHVVdf5CaNgtEwDAYDVR0TBAUwAwEB/zAJ\n"
1122 "BgcqhkjOPQQBA0gAMEUCIQDyoDVeUTo2w4J5m+4nUIWOcAZ0lVfSKXQA9L4Vh13E\n"
1123 "BwIgfB55FGohg/B6dGh5XxSZmmi08cueFV7mHzJSYV51yRQ=\n"
1124 "-----END CERTIFICATE-----\n";
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1125 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(kCertPEM, strlen(kCertPEM)));
1126 return bssl::UniquePtr<X509>(PEM_read_bio_X509(bio.get(), nullptr, nullptr, nullptr));
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]1127}
1128
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1129static bssl::UniquePtr<EVP_PKEY> GetECDSATestKey() {
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]1130 static const char kKeyPEM[] =
1131 "-----BEGIN PRIVATE KEY-----\n"
1132 "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgBw8IcnrUoEqc3VnJ\n"
1133 "TYlodwi1b8ldMHcO6NHJzgqLtGqhRANCAATmK2niv2Wfl74vHg2UikzVl2u3qR4N\n"
1134 "Rvvdqakendy6WgHn1peoChj5w8SjHlbifINI2xYaHPUdfvGULUvPciLB\n"
1135 "-----END PRIVATE KEY-----\n";
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1136 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(kKeyPEM, strlen(kKeyPEM)));
1137 return bssl::UniquePtr<EVP_PKEY>(
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]1138 PEM_read_bio_PrivateKey(bio.get(), nullptr, nullptr, nullptr));
1139}
1140
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]1141static bssl::UniquePtr<CRYPTO_BUFFER> BufferFromPEM(const char *pem) {
1142 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(pem, strlen(pem)));
1143 char *name, *header;
1144 uint8_t *data;
1145 long data_len;
1146 if (!PEM_read_bio(bio.get(), &name, &header, &data,
1147 &data_len)) {
1148 return nullptr;
1149 }
1150 OPENSSL_free(name);
1151 OPENSSL_free(header);
1152
1153 auto ret = bssl::UniquePtr<CRYPTO_BUFFER>(
1154 CRYPTO_BUFFER_new(data, data_len, nullptr));
1155 OPENSSL_free(data);
1156 return ret;
1157}
1158
1159static bssl::UniquePtr<CRYPTO_BUFFER> GetChainTestCertificateBuffer() {
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]1160 static const char kCertPEM[] =
1161 "-----BEGIN CERTIFICATE-----\n"
1162 "MIIC0jCCAbqgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEQiBD\n"
1163 "QTAeFw0xNjAyMjgyMDI3MDNaFw0yNjAyMjUyMDI3MDNaMBgxFjAUBgNVBAMMDUNs\n"
1164 "aWVudCBDZXJ0IEEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDRvaz8\n"
1165 "CC/cshpCafJo4jLkHEoBqDLhdgFelJoAiQUyIqyWl2O7YHPnpJH+TgR7oelzNzt/\n"
1166 "kLRcH89M/TszB6zqyLTC4aqmvzKL0peD/jL2LWBucR0WXIvjA3zoRuF/x86+rYH3\n"
1167 "tHb+xs2PSs8EGL/Ev+ss+qTzTGEn26fuGNHkNw6tOwPpc+o8+wUtzf/kAthamo+c\n"
1168 "IDs2rQ+lP7+aLZTLeU/q4gcLutlzcK5imex5xy2jPkweq48kijK0kIzl1cPlA5d1\n"
1169 "z7C8jU50Pj9X9sQDJTN32j7UYRisJeeYQF8GaaN8SbrDI6zHgKzrRLyxDt/KQa9V\n"
1170 "iLeXANgZi+Xx9KgfAgMBAAGjLzAtMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYI\n"
1171 "KwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQBFEVbmYl+2RtNw\n"
1172 "rDftRDF1v2QUbcN2ouSnQDHxeDQdSgasLzT3ui8iYu0Rw2WWcZ0DV5e0ztGPhWq7\n"
1173 "AO0B120aFRMOY+4+bzu9Q2FFkQqc7/fKTvTDzIJI5wrMnFvUfzzvxh3OHWMYSs/w\n"
1174 "giq33hTKeHEq6Jyk3btCny0Ycecyc3yGXH10sizUfiHlhviCkDuESk8mFDwDDzqW\n"
1175 "ZF0IipzFbEDHoIxLlm3GQxpiLoEV4k8KYJp3R5KBLFyxM6UGPz8h72mIPCJp2RuK\n"
1176 "MYgF91UDvVzvnYm6TfseM2+ewKirC00GOrZ7rEcFvtxnKSqYf4ckqfNdSU1Y+RRC\n"
1177 "1ngWZ7Ih\n"
1178 "-----END CERTIFICATE-----\n";
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]1179 return BufferFromPEM(kCertPEM);
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]1180}
1181
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]1182static bssl::UniquePtr<X509> X509FromBuffer(
1183 bssl::UniquePtr<CRYPTO_BUFFER> buffer) {
1184 if (!buffer) {
1185 return nullptr;
1186 }
1187 const uint8_t *derp = CRYPTO_BUFFER_data(buffer.get());
1188 return bssl::UniquePtr<X509>(
1189 d2i_X509(NULL, &derp, CRYPTO_BUFFER_len(buffer.get())));
1190}
1191
1192static bssl::UniquePtr<X509> GetChainTestCertificate() {
1193 return X509FromBuffer(GetChainTestCertificateBuffer());
1194}
1195
1196static bssl::UniquePtr<CRYPTO_BUFFER> GetChainTestIntermediateBuffer() {
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]1197 static const char kCertPEM[] =
1198 "-----BEGIN CERTIFICATE-----\n"
1199 "MIICwjCCAaqgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwFDESMBAGA1UEAwwJQyBS\n"
1200 "b290IENBMB4XDTE2MDIyODIwMjcwM1oXDTI2MDIyNTIwMjcwM1owDzENMAsGA1UE\n"
1201 "AwwEQiBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALsSCYmDip2D\n"
1202 "GkjFxw7ykz26JSjELkl6ArlYjFJ3aT/SCh8qbS4gln7RH8CPBd78oFdfhIKQrwtZ\n"
1203 "3/q21ykD9BAS3qHe2YdcJfm8/kWAy5DvXk6NXU4qX334KofBAEpgdA/igEFq1P1l\n"
1204 "HAuIfZCpMRfT+i5WohVsGi8f/NgpRvVaMONLNfgw57mz1lbtFeBEISmX0kbsuJxF\n"
1205 "Qj/Bwhi5/0HAEXG8e7zN4cEx0yPRvmOATRdVb/8dW2pwOHRJq9R5M0NUkIsTSnL7\n"
1206 "6N/z8hRAHMsV3IudC5Yd7GXW1AGu9a+iKU+Q4xcZCoj0DC99tL4VKujrV1kAeqsM\n"
1207 "cz5/dKzi6+cCAwEAAaMjMCEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
1208 "AQYwDQYJKoZIhvcNAQELBQADggEBAIIeZiEeNhWWQ8Y4D+AGDwqUUeG8NjCbKrXQ\n"
1209 "BlHg5wZ8xftFaiP1Dp/UAezmx2LNazdmuwrYB8lm3FVTyaPDTKEGIPS4wJKHgqH1\n"
1210 "QPDhqNm85ey7TEtI9oYjsNim/Rb+iGkIAMXaxt58SzxbjvP0kMr1JfJIZbic9vye\n"
1211 "NwIspMFIpP3FB8ywyu0T0hWtCQgL4J47nigCHpOu58deP88fS/Nyz/fyGVWOZ76b\n"
1212 "WhWwgM3P3X95fQ3d7oFPR/bVh0YV+Cf861INwplokXgXQ3/TCQ+HNXeAMWn3JLWv\n"
1213 "XFwk8owk9dq/kQGdndGgy3KTEW4ctPX5GNhf3LJ9Q7dLji4ReQ4=\n"
1214 "-----END CERTIFICATE-----\n";
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]1215 return BufferFromPEM(kCertPEM);
1216}
1217
1218static bssl::UniquePtr<X509> GetChainTestIntermediate() {
1219 return X509FromBuffer(GetChainTestIntermediateBuffer());
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]1220}
1221
1222static bssl::UniquePtr<EVP_PKEY> GetChainTestKey() {
1223 static const char kKeyPEM[] =
1224 "-----BEGIN PRIVATE KEY-----\n"
1225 "MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDRvaz8CC/cshpC\n"
1226 "afJo4jLkHEoBqDLhdgFelJoAiQUyIqyWl2O7YHPnpJH+TgR7oelzNzt/kLRcH89M\n"
1227 "/TszB6zqyLTC4aqmvzKL0peD/jL2LWBucR0WXIvjA3zoRuF/x86+rYH3tHb+xs2P\n"
1228 "Ss8EGL/Ev+ss+qTzTGEn26fuGNHkNw6tOwPpc+o8+wUtzf/kAthamo+cIDs2rQ+l\n"
1229 "P7+aLZTLeU/q4gcLutlzcK5imex5xy2jPkweq48kijK0kIzl1cPlA5d1z7C8jU50\n"
1230 "Pj9X9sQDJTN32j7UYRisJeeYQF8GaaN8SbrDI6zHgKzrRLyxDt/KQa9ViLeXANgZ\n"
1231 "i+Xx9KgfAgMBAAECggEBAK0VjSJzkyPaamcyTVSWjo7GdaBGcK60lk657RjR+lK0\n"
1232 "YJ7pkej4oM2hdsVZFsP8Cs4E33nXLa/0pDsRov/qrp0WQm2skwqGMC1I/bZ0WRPk\n"
1233 "wHaDrBBfESWnJDX/AGpVtlyOjPmgmK6J2usMPihQUDkKdAYrVWJePrMIxt1q6BMe\n"
1234 "iczs3qriMmtY3bUc4UyUwJ5fhDLjshHvfuIpYQyI6EXZM6dZksn9LylXJnigY6QJ\n"
1235 "HxOYO0BDwOsZ8yQ8J8afLk88i0GizEkgE1z3REtQUwgWfxr1WV/ud+T6/ZhSAgH9\n"
1236 "042mQvSFZnIUSEsmCvjhWuAunfxHKCTcAoYISWfzWpkCgYEA7gpf3HHU5Tn+CgUn\n"
1237 "1X5uGpG3DmcMgfeGgs2r2f/IIg/5Ac1dfYILiybL1tN9zbyLCJfcbFpWBc9hJL6f\n"
1238 "CPc5hUiwWFJqBJewxQkC1Ae/HakHbip+IZ+Jr0842O4BAArvixk4Lb7/N2Ct9sTE\n"
1239 "NJO6RtK9lbEZ5uK61DglHy8CS2UCgYEA4ZC1o36kPAMQBggajgnucb2yuUEelk0f\n"
1240 "AEr+GI32MGE+93xMr7rAhBoqLg4AITyIfEnOSQ5HwagnIHonBbv1LV/Gf9ursx8Z\n"
1241 "YOGbvT8zzzC+SU1bkDzdjAYnFQVGIjMtKOBJ3K07++ypwX1fr4QsQ8uKL8WSOWwt\n"
1242 "Z3Bym6XiZzMCgYADnhy+2OwHX85AkLt+PyGlPbmuelpyTzS4IDAQbBa6jcuW/2wA\n"
1243 "UE2km75VUXmD+u2R/9zVuLm99NzhFhSMqlUxdV1YukfqMfP5yp1EY6m/5aW7QuIP\n"
1244 "2MDa7TVL9rIFMiVZ09RKvbBbQxjhuzPQKL6X/PPspnhiTefQ+dl2k9xREQKBgHDS\n"
1245 "fMfGNEeAEKezrfSVqxphE9/tXms3L+ZpnCaT+yu/uEr5dTIAawKoQ6i9f/sf1/Sy\n"
1246 "xedsqR+IB+oKrzIDDWMgoJybN4pkZ8E5lzhVQIjFjKgFdWLzzqyW9z1gYfABQPlN\n"
1247 "FiS20WX0vgP1vcKAjdNrHzc9zyHBpgQzDmAj3NZZAoGBAI8vKCKdH7w3aL5CNkZQ\n"
1248 "2buIeWNA2HZazVwAGG5F2TU/LmXfRKnG6dX5bkU+AkBZh56jNZy//hfFSewJB4Kk\n"
1249 "buB7ERSdaNbO21zXt9FEA3+z0RfMd/Zv2vlIWOSB5nzl/7UKti3sribK6s9ZVLfi\n"
1250 "SxpiPQ8d/hmSGwn4ksrWUsJD\n"
1251 "-----END PRIVATE KEY-----\n";
1252 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(kKeyPEM, strlen(kKeyPEM)));
1253 return bssl::UniquePtr<EVP_PKEY>(
1254 PEM_read_bio_PrivateKey(bio.get(), nullptr, nullptr, nullptr));
1255}
1256
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]1257static bool CompleteHandshakes(SSL *client, SSL *server) {
1258 // Drive both their handshakes to completion.
1259 for (;;) {
1260 int client_ret = SSL_do_handshake(client);
1261 int client_err = SSL_get_error(client, client_ret);
1262 if (client_err != SSL_ERROR_NONE &&
1263 client_err != SSL_ERROR_WANT_READ &&
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]1264 client_err != SSL_ERROR_WANT_WRITE &&
1265 client_err != SSL_ERROR_PENDING_TICKET) {
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]1266 fprintf(stderr, "Client error: %d\n", client_err);
1267 return false;
1268 }
1269
1270 int server_ret = SSL_do_handshake(server);
1271 int server_err = SSL_get_error(server, server_ret);
1272 if (server_err != SSL_ERROR_NONE &&
1273 server_err != SSL_ERROR_WANT_READ &&
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]1274 server_err != SSL_ERROR_WANT_WRITE &&
1275 server_err != SSL_ERROR_PENDING_TICKET) {
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]1276 fprintf(stderr, "Server error: %d\n", server_err);
1277 return false;
1278 }
1279
1280 if (client_ret == 1 && server_ret == 1) {
1281 break;
1282 }
1283 }
1284
1285 return true;
1286}
1287
1288static bool ConnectClientAndServer(bssl::UniquePtr<SSL> *out_client,
1289 bssl::UniquePtr<SSL> *out_server,
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]1290 SSL_CTX *client_ctx, SSL_CTX *server_ctx,
1291 SSL_SESSION *session) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1292 bssl::UniquePtr<SSL> client(SSL_new(client_ctx)), server(SSL_new(server_ctx));
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1293 if (!client || !server) {
1294 return false;
1295 }
1296 SSL_set_connect_state(client.get());
1297 SSL_set_accept_state(server.get());
1298
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]1299 SSL_set_session(client.get(), session);
1300
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1301 BIO *bio1, *bio2;
1302 if (!BIO_new_bio_pair(&bio1, 0, &bio2, 0)) {
1303 return false;
1304 }
1305 // SSL_set_bio takes ownership.
1306 SSL_set_bio(client.get(), bio1, bio1);
1307 SSL_set_bio(server.get(), bio2, bio2);
1308
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]1309 if (!CompleteHandshakes(client.get(), server.get())) {
1310 return false;
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1311 }
1312
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1313 *out_client = std::move(client);
1314 *out_server = std::move(server);
1315 return true;
1316}
1317
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1318static bool TestSequenceNumber(bool is_dtls, const SSL_METHOD *method,
1319 uint16_t version) {
1320 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method));
1321 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method));
1322 if (!server_ctx || !client_ctx ||
1323 !SSL_CTX_set_min_proto_version(client_ctx.get(), version) ||
1324 !SSL_CTX_set_max_proto_version(client_ctx.get(), version) ||
1325 !SSL_CTX_set_min_proto_version(server_ctx.get(), version) ||
1326 !SSL_CTX_set_max_proto_version(server_ctx.get(), version)) {
1327 return false;
1328 }
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1329
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1330 bssl::UniquePtr<X509> cert = GetTestCertificate();
1331 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
1332 if (!cert || !key || !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) ||
1333 !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get())) {
1334 return false;
1335 }
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1336
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1337 bssl::UniquePtr<SSL> client, server;
1338 if (!ConnectClientAndServer(&client, &server, client_ctx.get(),
1339 server_ctx.get(), nullptr /* no session */)) {
1340 return false;
1341 }
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1342
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1343 // Drain any post-handshake messages to ensure there are no unread records
1344 // on either end.
1345 uint8_t byte = 0;
1346 if (SSL_read(client.get(), &byte, 1) > 0 ||
1347 SSL_read(server.get(), &byte, 1) > 0) {
1348 fprintf(stderr, "Received unexpected data.\n");
1349 return false;
1350 }
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1351
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1352 uint64_t client_read_seq = SSL_get_read_sequence(client.get());
1353 uint64_t client_write_seq = SSL_get_write_sequence(client.get());
1354 uint64_t server_read_seq = SSL_get_read_sequence(server.get());
1355 uint64_t server_write_seq = SSL_get_write_sequence(server.get());
Steven Valdez2c62fe92016-10-14 12:08:12 -0400[diff] [blame]1356
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1357 if (is_dtls) {
1358 // Both client and server must be at epoch 1.
1359 if (EpochFromSequence(client_read_seq) != 1 ||
1360 EpochFromSequence(client_write_seq) != 1 ||
1361 EpochFromSequence(server_read_seq) != 1 ||
1362 EpochFromSequence(server_write_seq) != 1) {
1363 fprintf(stderr, "Bad epochs.\n");
1364 return false;
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1365 }
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1366
1367 // The next record to be written should exceed the largest received.
1368 if (client_write_seq <= server_read_seq ||
1369 server_write_seq <= client_read_seq) {
1370 fprintf(stderr, "Inconsistent sequence numbers.\n");
1371 return false;
1372 }
1373 } else {
1374 // The next record to be written should equal the next to be received.
1375 if (client_write_seq != server_read_seq ||
1376 server_write_seq != client_read_seq) {
1377 fprintf(stderr, "Inconsistent sequence numbers.\n");
1378 return false;
1379 }
1380 }
1381
1382 // Send a record from client to server.
1383 if (SSL_write(client.get(), &byte, 1) != 1 ||
1384 SSL_read(server.get(), &byte, 1) != 1) {
1385 fprintf(stderr, "Could not send byte.\n");
1386 return false;
1387 }
1388
1389 // The client write and server read sequence numbers should have
1390 // incremented.
1391 if (client_write_seq + 1 != SSL_get_write_sequence(client.get()) ||
1392 server_read_seq + 1 != SSL_get_read_sequence(server.get())) {
1393 fprintf(stderr, "Sequence numbers did not increment.\n");
1394 return false;
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1395 }
1396
1397 return true;
1398}
1399
David Benjamin68f37b72016-11-18 15:14:42 +0900[diff] [blame]1400static bool TestOneSidedShutdown(bool is_dtls, const SSL_METHOD *method,
1401 uint16_t version) {
1402 // SSL_shutdown is a no-op in DTLS.
1403 if (is_dtls) {
1404 return true;
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1405 }
1406
David Benjamin68f37b72016-11-18 15:14:42 +0900[diff] [blame]1407 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method));
1408 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method));
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1409 bssl::UniquePtr<X509> cert = GetTestCertificate();
1410 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
David Benjamin68f37b72016-11-18 15:14:42 +0900[diff] [blame]1411 if (!client_ctx || !server_ctx || !cert || !key ||
1412 !SSL_CTX_set_min_proto_version(server_ctx.get(), version) ||
1413 !SSL_CTX_set_max_proto_version(server_ctx.get(), version) ||
1414 !SSL_CTX_set_min_proto_version(client_ctx.get(), version) ||
1415 !SSL_CTX_set_max_proto_version(client_ctx.get(), version) ||
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1416 !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) ||
1417 !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get())) {
1418 return false;
1419 }
1420
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1421 bssl::UniquePtr<SSL> client, server;
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1422 if (!ConnectClientAndServer(&client, &server, client_ctx.get(),
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]1423 server_ctx.get(), nullptr /* no session */)) {
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1424 return false;
1425 }
1426
1427 // Shut down half the connection. SSL_shutdown will return 0 to signal only
1428 // one side has shut down.
1429 if (SSL_shutdown(client.get()) != 0) {
1430 fprintf(stderr, "Could not shutdown.\n");
1431 return false;
1432 }
1433
1434 // Reading from the server should consume the EOF.
1435 uint8_t byte;
1436 if (SSL_read(server.get(), &byte, 1) != 0 ||
1437 SSL_get_error(server.get(), 0) != SSL_ERROR_ZERO_RETURN) {
1438 fprintf(stderr, "Connection was not shut down cleanly.\n");
1439 return false;
1440 }
1441
1442 // However, the server may continue to write data and then shut down the
1443 // connection.
1444 byte = 42;
1445 if (SSL_write(server.get(), &byte, 1) != 1 ||
1446 SSL_read(client.get(), &byte, 1) != 1 ||
1447 byte != 42) {
1448 fprintf(stderr, "Could not send byte.\n");
1449 return false;
1450 }
1451
1452 // The server may then shutdown the connection.
1453 if (SSL_shutdown(server.get()) != 1 ||
1454 SSL_shutdown(client.get()) != 1) {
1455 fprintf(stderr, "Could not complete shutdown.\n");
1456 return false;
1457 }
1458
1459 return true;
1460}
David Benjamin68f37b72016-11-18 15:14:42 +0900[diff] [blame]1461
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1462TEST(SSLTest, SessionDuplication) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1463 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
1464 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1465 ASSERT_TRUE(client_ctx);
1466 ASSERT_TRUE(server_ctx);
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]1467
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1468 bssl::UniquePtr<X509> cert = GetTestCertificate();
1469 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1470 ASSERT_TRUE(cert);
1471 ASSERT_TRUE(key);
1472 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
1473 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]1474
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1475 bssl::UniquePtr<SSL> client, server;
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1476 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
1477 server_ctx.get(),
1478 nullptr /* no session */));
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]1479
1480 SSL_SESSION *session0 = SSL_get_session(client.get());
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1481 bssl::UniquePtr<SSL_SESSION> session1(
1482 SSL_SESSION_dup(session0, SSL_SESSION_DUP_ALL));
1483 ASSERT_TRUE(session1);
David Benjamin4501bd52016-08-01 13:39:41 -0400[diff] [blame]1484
Steven Valdez84b5c002016-08-25 16:30:58 -0400[diff] [blame]1485 session1->not_resumable = 0;
1486
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]1487 uint8_t *s0_bytes, *s1_bytes;
1488 size_t s0_len, s1_len;
1489
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1490 ASSERT_TRUE(SSL_SESSION_to_bytes(session0, &s0_bytes, &s0_len));
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1491 bssl::UniquePtr<uint8_t> free_s0(s0_bytes);
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]1492
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1493 ASSERT_TRUE(SSL_SESSION_to_bytes(session1.get(), &s1_bytes, &s1_len));
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1494 bssl::UniquePtr<uint8_t> free_s1(s1_bytes);
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]1495
David Benjamin7d7554b2017-02-04 11:48:59 -0500[diff] [blame]1496 EXPECT_EQ(Bytes(s0_bytes, s0_len), Bytes(s1_bytes, s1_len));
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]1497}
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1498
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1499static void ExpectFDs(const SSL *ssl, int rfd, int wfd) {
David Benjaminca743582017-06-15 17:51:35 -0400[diff] [blame^]1500 EXPECT_EQ(rfd, SSL_get_fd(ssl));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1501 EXPECT_EQ(rfd, SSL_get_rfd(ssl));
1502 EXPECT_EQ(wfd, SSL_get_wfd(ssl));
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1503
1504 // The wrapper BIOs are always equal when fds are equal, even if set
1505 // individually.
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1506 if (rfd == wfd) {
1507 EXPECT_EQ(SSL_get_rbio(ssl), SSL_get_wbio(ssl));
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1508 }
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1509}
1510
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1511TEST(SSLTest, SetFD) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1512 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1513 ASSERT_TRUE(ctx);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1514
1515 // Test setting different read and write FDs.
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1516 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1517 ASSERT_TRUE(ssl);
1518 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
1519 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 2));
1520 ExpectFDs(ssl.get(), 1, 2);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1521
1522 // Test setting the same FD.
1523 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1524 ASSERT_TRUE(ssl);
1525 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
1526 ExpectFDs(ssl.get(), 1, 1);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1527
1528 // Test setting the same FD one side at a time.
1529 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1530 ASSERT_TRUE(ssl);
1531 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
1532 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 1));
1533 ExpectFDs(ssl.get(), 1, 1);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1534
1535 // Test setting the same FD in the other order.
1536 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1537 ASSERT_TRUE(ssl);
1538 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 1));
1539 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
1540 ExpectFDs(ssl.get(), 1, 1);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1541
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1542 // Test changing the read FD partway through.
1543 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1544 ASSERT_TRUE(ssl);
1545 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
1546 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 2));
1547 ExpectFDs(ssl.get(), 2, 1);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1548
1549 // Test changing the write FD partway through.
1550 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1551 ASSERT_TRUE(ssl);
1552 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
1553 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 2));
1554 ExpectFDs(ssl.get(), 1, 2);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1555
1556 // Test a no-op change to the read FD partway through.
1557 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1558 ASSERT_TRUE(ssl);
1559 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
1560 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
1561 ExpectFDs(ssl.get(), 1, 1);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1562
1563 // Test a no-op change to the write FD partway through.
1564 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1565 ASSERT_TRUE(ssl);
1566 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
1567 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 1));
1568 ExpectFDs(ssl.get(), 1, 1);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1569
1570 // ASan builds will implicitly test that the internal |BIO| reference-counting
1571 // is correct.
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1572}
1573
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1574TEST(SSLTest, SetBIO) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1575 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1576 ASSERT_TRUE(ctx);
David Benjamin4501bd52016-08-01 13:39:41 -0400[diff] [blame]1577
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1578 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
1579 bssl::UniquePtr<BIO> bio1(BIO_new(BIO_s_mem())), bio2(BIO_new(BIO_s_mem())),
David Benjamin4501bd52016-08-01 13:39:41 -0400[diff] [blame]1580 bio3(BIO_new(BIO_s_mem()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1581 ASSERT_TRUE(ssl);
1582 ASSERT_TRUE(bio1);
1583 ASSERT_TRUE(bio2);
1584 ASSERT_TRUE(bio3);
David Benjamin4501bd52016-08-01 13:39:41 -0400[diff] [blame]1585
1586 // SSL_set_bio takes one reference when the parameters are the same.
1587 BIO_up_ref(bio1.get());
1588 SSL_set_bio(ssl.get(), bio1.get(), bio1.get());
1589
1590 // Repeating the call does nothing.
1591 SSL_set_bio(ssl.get(), bio1.get(), bio1.get());
1592
1593 // It takes one reference each when the parameters are different.
1594 BIO_up_ref(bio2.get());
1595 BIO_up_ref(bio3.get());
1596 SSL_set_bio(ssl.get(), bio2.get(), bio3.get());
1597
1598 // Repeating the call does nothing.
1599 SSL_set_bio(ssl.get(), bio2.get(), bio3.get());
1600
1601 // It takes one reference when changing only wbio.
1602 BIO_up_ref(bio1.get());
1603 SSL_set_bio(ssl.get(), bio2.get(), bio1.get());
1604
1605 // It takes one reference when changing only rbio and the two are different.
1606 BIO_up_ref(bio3.get());
1607 SSL_set_bio(ssl.get(), bio3.get(), bio1.get());
1608
1609 // If setting wbio to rbio, it takes no additional references.
1610 SSL_set_bio(ssl.get(), bio3.get(), bio3.get());
1611
1612 // From there, wbio may be switched to something else.
1613 BIO_up_ref(bio1.get());
1614 SSL_set_bio(ssl.get(), bio3.get(), bio1.get());
1615
1616 // If setting rbio to wbio, it takes no additional references.
1617 SSL_set_bio(ssl.get(), bio1.get(), bio1.get());
1618
1619 // From there, rbio may be switched to something else, but, for historical
1620 // reasons, it takes a reference to both parameters.
1621 BIO_up_ref(bio1.get());
1622 BIO_up_ref(bio2.get());
1623 SSL_set_bio(ssl.get(), bio2.get(), bio1.get());
1624
1625 // ASAN builds will implicitly test that the internal |BIO| reference-counting
1626 // is correct.
David Benjamin4501bd52016-08-01 13:39:41 -0400[diff] [blame]1627}
1628
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]1629static int VerifySucceed(X509_STORE_CTX *store_ctx, void *arg) { return 1; }
1630
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1631static bool TestGetPeerCertificate(bool is_dtls, const SSL_METHOD *method,
1632 uint16_t version) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1633 bssl::UniquePtr<X509> cert = GetTestCertificate();
1634 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]1635 if (!cert || !key) {
1636 return false;
1637 }
1638
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1639 // Configure both client and server to accept any certificate.
1640 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method));
1641 if (!ctx ||
1642 !SSL_CTX_use_certificate(ctx.get(), cert.get()) ||
1643 !SSL_CTX_use_PrivateKey(ctx.get(), key.get()) ||
1644 !SSL_CTX_set_min_proto_version(ctx.get(), version) ||
1645 !SSL_CTX_set_max_proto_version(ctx.get(), version)) {
1646 return false;
1647 }
1648 SSL_CTX_set_verify(
1649 ctx.get(), SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nullptr);
1650 SSL_CTX_set_cert_verify_callback(ctx.get(), VerifySucceed, NULL);
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]1651
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1652 bssl::UniquePtr<SSL> client, server;
1653 if (!ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
1654 nullptr /* no session */)) {
1655 return false;
1656 }
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]1657
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1658 // Client and server should both see the leaf certificate.
1659 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(server.get()));
1660 if (!peer || X509_cmp(cert.get(), peer.get()) != 0) {
1661 fprintf(stderr, "Server peer certificate did not match.\n");
1662 return false;
1663 }
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]1664
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1665 peer.reset(SSL_get_peer_certificate(client.get()));
1666 if (!peer || X509_cmp(cert.get(), peer.get()) != 0) {
1667 fprintf(stderr, "Client peer certificate did not match.\n");
1668 return false;
1669 }
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]1670
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1671 // However, for historical reasons, the chain includes the leaf on the
1672 // client, but does not on the server.
1673 if (sk_X509_num(SSL_get_peer_cert_chain(client.get())) != 1) {
1674 fprintf(stderr, "Client peer chain was incorrect.\n");
1675 return false;
1676 }
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]1677
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1678 if (sk_X509_num(SSL_get_peer_cert_chain(server.get())) != 0) {
1679 fprintf(stderr, "Server peer chain was incorrect.\n");
1680 return false;
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]1681 }
1682
1683 return true;
1684}
1685
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1686static bool TestRetainOnlySHA256OfCerts(bool is_dtls, const SSL_METHOD *method,
1687 uint16_t version) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1688 bssl::UniquePtr<X509> cert = GetTestCertificate();
1689 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]1690 if (!cert || !key) {
1691 return false;
1692 }
1693
1694 uint8_t *cert_der = NULL;
1695 int cert_der_len = i2d_X509(cert.get(), &cert_der);
1696 if (cert_der_len < 0) {
1697 return false;
1698 }
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1699 bssl::UniquePtr<uint8_t> free_cert_der(cert_der);
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]1700
1701 uint8_t cert_sha256[SHA256_DIGEST_LENGTH];
1702 SHA256(cert_der, cert_der_len, cert_sha256);
1703
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1704 // Configure both client and server to accept any certificate, but the
1705 // server must retain only the SHA-256 of the peer.
1706 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method));
1707 if (!ctx ||
1708 !SSL_CTX_use_certificate(ctx.get(), cert.get()) ||
1709 !SSL_CTX_use_PrivateKey(ctx.get(), key.get()) ||
1710 !SSL_CTX_set_min_proto_version(ctx.get(), version) ||
1711 !SSL_CTX_set_max_proto_version(ctx.get(), version)) {
1712 return false;
1713 }
1714 SSL_CTX_set_verify(
1715 ctx.get(), SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nullptr);
1716 SSL_CTX_set_cert_verify_callback(ctx.get(), VerifySucceed, NULL);
1717 SSL_CTX_set_retain_only_sha256_of_client_certs(ctx.get(), 1);
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]1718
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1719 bssl::UniquePtr<SSL> client, server;
1720 if (!ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
1721 nullptr /* no session */)) {
1722 return false;
1723 }
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]1724
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1725 // The peer certificate has been dropped.
1726 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(server.get()));
1727 if (peer) {
1728 fprintf(stderr, "Peer certificate was retained.\n");
1729 return false;
1730 }
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]1731
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1732 SSL_SESSION *session = SSL_get_session(server.get());
1733 if (!session->peer_sha256_valid) {
1734 fprintf(stderr, "peer_sha256_valid was not set.\n");
1735 return false;
1736 }
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]1737
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]1738 if (OPENSSL_memcmp(cert_sha256, session->peer_sha256, SHA256_DIGEST_LENGTH) !=
1739 0) {
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1740 fprintf(stderr, "peer_sha256 did not match.\n");
1741 return false;
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]1742 }
1743
1744 return true;
1745}
1746
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1747static bool ClientHelloMatches(uint16_t version, const uint8_t *expected,
1748 size_t expected_len) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1749 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1750 // Our default cipher list varies by CPU capabilities, so manually place the
1751 // ChaCha20 ciphers in front.
Matthew Braithwaite7e06de52017-04-10 15:52:14 -0700[diff] [blame]1752 const char* cipher_list = "CHACHA20:ALL";
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]1753 if (!ctx ||
David Benjamin3cfeb952017-03-01 16:48:38 -0500[diff] [blame]1754 // SSLv3 is off by default.
1755 !SSL_CTX_set_min_proto_version(ctx.get(), SSL3_VERSION) ||
David Benjamine4706902016-09-20 15:12:23 -0400[diff] [blame]1756 !SSL_CTX_set_max_proto_version(ctx.get(), version) ||
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1757 !SSL_CTX_set_strict_cipher_list(ctx.get(), cipher_list)) {
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1758 return false;
1759 }
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]1760
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1761 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1762 if (!ssl) {
1763 return false;
1764 }
1765 std::vector<uint8_t> client_hello;
1766 if (!GetClientHello(ssl.get(), &client_hello)) {
1767 return false;
1768 }
1769
1770 // Zero the client_random.
1771 constexpr size_t kRandomOffset = 1 + 2 + 2 + // record header
1772 1 + 3 + // handshake message header
1773 2; // client_version
1774 if (client_hello.size() < kRandomOffset + SSL3_RANDOM_SIZE) {
1775 fprintf(stderr, "ClientHello for version %04x too short.\n", version);
1776 return false;
1777 }
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]1778 OPENSSL_memset(client_hello.data() + kRandomOffset, 0, SSL3_RANDOM_SIZE);
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1779
1780 if (client_hello.size() != expected_len ||
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]1781 OPENSSL_memcmp(client_hello.data(), expected, expected_len) != 0) {
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1782 fprintf(stderr, "ClientHello for version %04x did not match:\n", version);
1783 fprintf(stderr, "Got:\n\t");
1784 for (size_t i = 0; i < client_hello.size(); i++) {
1785 fprintf(stderr, "0x%02x, ", client_hello[i]);
1786 }
1787 fprintf(stderr, "\nWanted:\n\t");
1788 for (size_t i = 0; i < expected_len; i++) {
1789 fprintf(stderr, "0x%02x, ", expected[i]);
1790 }
1791 fprintf(stderr, "\n");
1792 return false;
1793 }
1794
1795 return true;
1796}
1797
1798// Tests that our ClientHellos do not change unexpectedly.
1799static bool TestClientHello() {
1800 static const uint8_t kSSL3ClientHello[] = {
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1801 0x16,
1802 0x03, 0x00,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1803 0x00, 0x3b,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1804 0x01,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1805 0x00, 0x00, 0x37,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1806 0x03, 0x00,
1807 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1808 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1809 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1810 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1811 0x00,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1812 0x00, 0x10,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1813 0xc0, 0x09,
1814 0xc0, 0x13,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1815 0xc0, 0x0a,
1816 0xc0, 0x14,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1817 0x00, 0x2f,
1818 0x00, 0x35,
1819 0x00, 0x0a,
1820 0x00, 0xff, 0x01, 0x00,
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1821 };
1822 if (!ClientHelloMatches(SSL3_VERSION, kSSL3ClientHello,
1823 sizeof(kSSL3ClientHello))) {
1824 return false;
1825 }
1826
1827 static const uint8_t kTLS1ClientHello[] = {
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1828 0x16,
1829 0x03, 0x01,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1830 0x00, 0x5a,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1831 0x01,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1832 0x00, 0x00, 0x56,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1833 0x03, 0x01,
1834 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1835 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1836 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1837 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1838 0x00,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1839 0x00, 0x0e,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1840 0xc0, 0x09,
1841 0xc0, 0x13,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1842 0xc0, 0x0a,
1843 0xc0, 0x14,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1844 0x00, 0x2f,
1845 0x00, 0x35,
1846 0x00, 0x0a,
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1847 0x01, 0x00, 0x00, 0x1f, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x17, 0x00,
1848 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00,
1849 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18,
1850 };
1851 if (!ClientHelloMatches(TLS1_VERSION, kTLS1ClientHello,
1852 sizeof(kTLS1ClientHello))) {
1853 return false;
1854 }
1855
1856 static const uint8_t kTLS11ClientHello[] = {
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1857 0x16,
1858 0x03, 0x01,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1859 0x00, 0x5a,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1860 0x01,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1861 0x00, 0x00, 0x56,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1862 0x03, 0x02,
1863 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1864 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1865 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1866 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1867 0x00,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1868 0x00, 0x0e,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1869 0xc0, 0x09,
1870 0xc0, 0x13,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1871 0xc0, 0x0a,
1872 0xc0, 0x14,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1873 0x00, 0x2f,
1874 0x00, 0x35,
1875 0x00, 0x0a,
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1876 0x01, 0x00, 0x00, 0x1f, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x17, 0x00,
1877 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00,
1878 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18,
1879 };
1880 if (!ClientHelloMatches(TLS1_1_VERSION, kTLS11ClientHello,
1881 sizeof(kTLS11ClientHello))) {
1882 return false;
1883 }
1884
David Benjamin3b584332017-01-24 22:47:18 -0500[diff] [blame]1885 // kTLS12ClientHello assumes RSA-PSS, which is disabled for Android system
1886 // builds.
1887#if defined(BORINGSSL_ANDROID_SYSTEM)
1888 return true;
1889#endif
1890
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1891 static const uint8_t kTLS12ClientHello[] = {
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1892 0x16,
1893 0x03, 0x01,
1894 0x00, 0x8e,
1895 0x01,
1896 0x00, 0x00, 0x8a,
1897 0x03, 0x03,
David Benjamin57e929f2016-08-30 00:30:38 -0400[diff] [blame]1898 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1899 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1900 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1901 0x00, 0x2a,
1902 0xcc, 0xa9,
1903 0xcc, 0xa8,
1904 0xc0, 0x2b,
1905 0xc0, 0x2f,
1906 0xc0, 0x2c,
1907 0xc0, 0x30,
1908 0xc0, 0x09,
1909 0xc0, 0x23,
1910 0xc0, 0x13,
1911 0xc0, 0x27,
1912 0xc0, 0x0a,
1913 0xc0, 0x24,
1914 0xc0, 0x14,
1915 0xc0, 0x28,
1916 0x00, 0x9c,
1917 0x00, 0x9d,
1918 0x00, 0x2f,
1919 0x00, 0x3c,
1920 0x00, 0x35,
1921 0x00, 0x3d,
1922 0x00, 0x0a,
1923 0x01, 0x00, 0x00, 0x37, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x17, 0x00,
1924 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x14, 0x00, 0x12, 0x04,
1925 0x03, 0x08, 0x04, 0x04, 0x01, 0x05, 0x03, 0x08, 0x05, 0x05, 0x01, 0x08,
1926 0x06, 0x06, 0x01, 0x02, 0x01, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00,
1927 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18,
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1928 };
1929 if (!ClientHelloMatches(TLS1_2_VERSION, kTLS12ClientHello,
1930 sizeof(kTLS12ClientHello))) {
1931 return false;
1932 }
1933
1934 // TODO(davidben): Add a change detector for TLS 1.3 once the spec and our
1935 // implementation has settled enough that it won't change.
1936
1937 return true;
1938}
1939
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1940static bssl::UniquePtr<SSL_SESSION> g_last_session;
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]1941
1942static int SaveLastSession(SSL *ssl, SSL_SESSION *session) {
1943 // Save the most recent session.
1944 g_last_session.reset(session);
1945 return 1;
1946}
1947
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1948static bssl::UniquePtr<SSL_SESSION> CreateClientSession(SSL_CTX *client_ctx,
Steven Valdeze831a812017-03-09 14:56:07 -0500[diff] [blame]1949 SSL_CTX *server_ctx) {
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]1950 g_last_session = nullptr;
1951 SSL_CTX_sess_set_new_cb(client_ctx, SaveLastSession);
1952
1953 // Connect client and server to get a session.
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1954 bssl::UniquePtr<SSL> client, server;
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]1955 if (!ConnectClientAndServer(&client, &server, client_ctx, server_ctx,
1956 nullptr /* no session */)) {
1957 fprintf(stderr, "Failed to connect client and server.\n");
1958 return nullptr;
1959 }
1960
1961 // Run the read loop to account for post-handshake tickets in TLS 1.3.
1962 SSL_read(client.get(), nullptr, 0);
1963
1964 SSL_CTX_sess_set_new_cb(client_ctx, nullptr);
1965
1966 if (!g_last_session) {
1967 fprintf(stderr, "Client did not receive a session.\n");
1968 return nullptr;
1969 }
1970 return std::move(g_last_session);
1971}
1972
1973static bool ExpectSessionReused(SSL_CTX *client_ctx, SSL_CTX *server_ctx,
1974 SSL_SESSION *session,
1975 bool reused) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1976 bssl::UniquePtr<SSL> client, server;
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]1977 if (!ConnectClientAndServer(&client, &server, client_ctx,
1978 server_ctx, session)) {
1979 fprintf(stderr, "Failed to connect client and server.\n");
1980 return false;
1981 }
1982
1983 if (SSL_session_reused(client.get()) != SSL_session_reused(server.get())) {
1984 fprintf(stderr, "Client and server were inconsistent.\n");
1985 return false;
1986 }
1987
1988 bool was_reused = !!SSL_session_reused(client.get());
1989 if (was_reused != reused) {
1990 fprintf(stderr, "Session was%s reused, but we expected the opposite.\n",
1991 was_reused ? "" : " not");
1992 return false;
1993 }
1994
1995 return true;
1996}
1997
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]1998static bssl::UniquePtr<SSL_SESSION> ExpectSessionRenewed(SSL_CTX *client_ctx,
1999 SSL_CTX *server_ctx,
2000 SSL_SESSION *session) {
2001 g_last_session = nullptr;
2002 SSL_CTX_sess_set_new_cb(client_ctx, SaveLastSession);
2003
2004 bssl::UniquePtr<SSL> client, server;
2005 if (!ConnectClientAndServer(&client, &server, client_ctx,
2006 server_ctx, session)) {
2007 fprintf(stderr, "Failed to connect client and server.\n");
2008 return nullptr;
2009 }
2010
2011 if (SSL_session_reused(client.get()) != SSL_session_reused(server.get())) {
2012 fprintf(stderr, "Client and server were inconsistent.\n");
2013 return nullptr;
2014 }
2015
2016 if (!SSL_session_reused(client.get())) {
2017 fprintf(stderr, "Session was not reused.\n");
2018 return nullptr;
2019 }
2020
2021 // Run the read loop to account for post-handshake tickets in TLS 1.3.
2022 SSL_read(client.get(), nullptr, 0);
2023
2024 SSL_CTX_sess_set_new_cb(client_ctx, nullptr);
2025
2026 if (!g_last_session) {
2027 fprintf(stderr, "Client did not receive a renewed session.\n");
2028 return nullptr;
2029 }
2030 return std::move(g_last_session);
2031}
2032
David Benjamina933c382016-10-28 00:10:03 -0400[diff] [blame]2033static int SwitchSessionIDContextSNI(SSL *ssl, int *out_alert, void *arg) {
2034 static const uint8_t kContext[] = {3};
2035
2036 if (!SSL_set_session_id_context(ssl, kContext, sizeof(kContext))) {
2037 return SSL_TLSEXT_ERR_ALERT_FATAL;
2038 }
2039
2040 return SSL_TLSEXT_ERR_OK;
2041}
2042
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2043static bool TestSessionIDContext(bool is_dtls, const SSL_METHOD *method,
2044 uint16_t version) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2045 bssl::UniquePtr<X509> cert = GetTestCertificate();
2046 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2047 if (!cert || !key) {
2048 return false;
2049 }
2050
2051 static const uint8_t kContext1[] = {1};
2052 static const uint8_t kContext2[] = {2};
2053
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2054 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method));
2055 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method));
2056 if (!server_ctx || !client_ctx ||
2057 !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) ||
2058 !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()) ||
2059 !SSL_CTX_set_session_id_context(server_ctx.get(), kContext1,
2060 sizeof(kContext1)) ||
2061 !SSL_CTX_set_min_proto_version(client_ctx.get(), version) ||
2062 !SSL_CTX_set_max_proto_version(client_ctx.get(), version) ||
2063 !SSL_CTX_set_min_proto_version(server_ctx.get(), version) ||
2064 !SSL_CTX_set_max_proto_version(server_ctx.get(), version)) {
2065 return false;
2066 }
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2067
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2068 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
2069 SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH);
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2070
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2071 bssl::UniquePtr<SSL_SESSION> session =
2072 CreateClientSession(client_ctx.get(), server_ctx.get());
2073 if (!session) {
2074 fprintf(stderr, "Error getting session.\n");
2075 return false;
2076 }
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2077
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2078 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(),
2079 true /* expect session reused */)) {
2080 fprintf(stderr, "Error resuming session.\n");
2081 return false;
2082 }
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2083
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2084 // Change the session ID context.
2085 if (!SSL_CTX_set_session_id_context(server_ctx.get(), kContext2,
2086 sizeof(kContext2))) {
2087 return false;
2088 }
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2089
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2090 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(),
2091 false /* expect session not reused */)) {
2092 fprintf(stderr, "Error connecting with a different context.\n");
2093 return false;
2094 }
David Benjamina933c382016-10-28 00:10:03 -0400[diff] [blame]2095
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2096 // Change the session ID context back and install an SNI callback to switch
2097 // it.
2098 if (!SSL_CTX_set_session_id_context(server_ctx.get(), kContext1,
2099 sizeof(kContext1))) {
2100 return false;
2101 }
David Benjamina933c382016-10-28 00:10:03 -0400[diff] [blame]2102
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2103 SSL_CTX_set_tlsext_servername_callback(server_ctx.get(),
2104 SwitchSessionIDContextSNI);
David Benjamina933c382016-10-28 00:10:03 -0400[diff] [blame]2105
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2106 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(),
2107 false /* expect session not reused */)) {
2108 fprintf(stderr, "Error connecting with a context switch on SNI callback.\n");
2109 return false;
2110 }
David Benjamina933c382016-10-28 00:10:03 -0400[diff] [blame]2111
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2112 // Switch the session ID context with the early callback instead.
2113 SSL_CTX_set_tlsext_servername_callback(server_ctx.get(), nullptr);
Alessandro Ghedini57e81e62017-03-14 23:36:00 +0000[diff] [blame]2114 SSL_CTX_set_select_certificate_cb(
2115 server_ctx.get(),
2116 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
2117 static const uint8_t kContext[] = {3};
2118
2119 if (!SSL_set_session_id_context(client_hello->ssl, kContext,
2120 sizeof(kContext))) {
2121 return ssl_select_cert_error;
2122 }
2123
2124 return ssl_select_cert_success;
2125 });
David Benjamina933c382016-10-28 00:10:03 -0400[diff] [blame]2126
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2127 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(),
2128 false /* expect session not reused */)) {
2129 fprintf(stderr,
2130 "Error connecting with a context switch on early callback.\n");
2131 return false;
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2132 }
2133
2134 return true;
2135}
2136
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]2137static timeval g_current_time;
2138
2139static void CurrentTimeCallback(const SSL *ssl, timeval *out_clock) {
2140 *out_clock = g_current_time;
2141}
2142
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2143static void FrozenTimeCallback(const SSL *ssl, timeval *out_clock) {
2144 out_clock->tv_sec = 1000;
2145 out_clock->tv_usec = 0;
2146}
2147
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]2148static int RenewTicketCallback(SSL *ssl, uint8_t *key_name, uint8_t *iv,
2149 EVP_CIPHER_CTX *ctx, HMAC_CTX *hmac_ctx,
2150 int encrypt) {
2151 static const uint8_t kZeros[16] = {0};
2152
2153 if (encrypt) {
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]2154 OPENSSL_memcpy(key_name, kZeros, sizeof(kZeros));
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]2155 RAND_bytes(iv, 16);
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]2156 } else if (OPENSSL_memcmp(key_name, kZeros, 16) != 0) {
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]2157 return 0;
2158 }
2159
2160 if (!HMAC_Init_ex(hmac_ctx, kZeros, sizeof(kZeros), EVP_sha256(), NULL) ||
2161 !EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, kZeros, iv, encrypt)) {
2162 return -1;
2163 }
2164
2165 // Returning two from the callback in decrypt mode renews the
2166 // session in TLS 1.2 and below.
2167 return encrypt ? 1 : 2;
2168}
2169
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]2170static bool GetServerTicketTime(long *out, const SSL_SESSION *session) {
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]2171 if (session->tlsext_ticklen < 16 + 16 + SHA256_DIGEST_LENGTH) {
2172 return false;
2173 }
2174
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]2175 const uint8_t *ciphertext = session->tlsext_tick + 16 + 16;
2176 size_t len = session->tlsext_ticklen - 16 - 16 - SHA256_DIGEST_LENGTH;
2177 std::unique_ptr<uint8_t[]> plaintext(new uint8_t[len]);
2178
David Benjamin9b63f292016-11-15 00:44:05 -0500[diff] [blame]2179#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
2180 // Fuzzer-mode tickets are unencrypted.
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]2181 OPENSSL_memcpy(plaintext.get(), ciphertext, len);
David Benjamin9b63f292016-11-15 00:44:05 -0500[diff] [blame]2182#else
2183 static const uint8_t kZeros[16] = {0};
2184 const uint8_t *iv = session->tlsext_tick + 16;
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]2185 bssl::ScopedEVP_CIPHER_CTX ctx;
2186 int len1, len2;
2187 if (!EVP_DecryptInit_ex(ctx.get(), EVP_aes_128_cbc(), nullptr, kZeros, iv) ||
2188 !EVP_DecryptUpdate(ctx.get(), plaintext.get(), &len1, ciphertext, len) ||
2189 !EVP_DecryptFinal_ex(ctx.get(), plaintext.get() + len1, &len2)) {
2190 return false;
2191 }
2192
2193 len = static_cast<size_t>(len1 + len2);
David Benjamin9b63f292016-11-15 00:44:05 -0500[diff] [blame]2194#endif
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]2195
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]2196 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
2197 if (!ssl_ctx) {
2198 return false;
2199 }
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]2200 bssl::UniquePtr<SSL_SESSION> server_session(
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]2201 SSL_SESSION_from_bytes(plaintext.get(), len, ssl_ctx.get()));
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]2202 if (!server_session) {
2203 return false;
2204 }
2205
2206 *out = server_session->time;
2207 return true;
2208}
2209
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2210static bool TestSessionTimeout(bool is_dtls, const SSL_METHOD *method,
2211 uint16_t version) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2212 bssl::UniquePtr<X509> cert = GetTestCertificate();
2213 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]2214 if (!cert || !key) {
2215 return false;
2216 }
2217
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2218 for (bool server_test : std::vector<bool>{false, true}) {
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2219 static const time_t kStartTime = 1000;
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2220 g_current_time.tv_sec = kStartTime;
David Benjamin1b22f852016-10-27 16:36:32 -0400[diff] [blame]2221
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2222 // We are willing to use a longer lifetime for TLS 1.3 sessions as
2223 // resumptions still perform ECDHE.
2224 const time_t timeout = version == TLS1_3_VERSION
2225 ? SSL_DEFAULT_SESSION_PSK_DHE_TIMEOUT
2226 : SSL_DEFAULT_SESSION_TIMEOUT;
2227
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2228 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method));
2229 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method));
2230 if (!server_ctx || !client_ctx ||
2231 !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) ||
2232 !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()) ||
2233 !SSL_CTX_set_min_proto_version(client_ctx.get(), version) ||
2234 !SSL_CTX_set_max_proto_version(client_ctx.get(), version) ||
2235 !SSL_CTX_set_min_proto_version(server_ctx.get(), version) ||
2236 !SSL_CTX_set_max_proto_version(server_ctx.get(), version)) {
2237 return false;
2238 }
2239
2240 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
2241 SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH);
2242
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2243 // Both client and server must enforce session timeouts. We configure the
2244 // other side with a frozen clock so it never expires tickets.
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2245 if (server_test) {
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2246 SSL_CTX_set_current_time_cb(client_ctx.get(), FrozenTimeCallback);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2247 SSL_CTX_set_current_time_cb(server_ctx.get(), CurrentTimeCallback);
2248 } else {
2249 SSL_CTX_set_current_time_cb(client_ctx.get(), CurrentTimeCallback);
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2250 SSL_CTX_set_current_time_cb(server_ctx.get(), FrozenTimeCallback);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2251 }
2252
2253 // Configure a ticket callback which renews tickets.
2254 SSL_CTX_set_tlsext_ticket_key_cb(server_ctx.get(), RenewTicketCallback);
2255
2256 bssl::UniquePtr<SSL_SESSION> session =
2257 CreateClientSession(client_ctx.get(), server_ctx.get());
2258 if (!session) {
2259 fprintf(stderr, "Error getting session.\n");
2260 return false;
2261 }
2262
2263 // Advance the clock just behind the timeout.
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2264 g_current_time.tv_sec += timeout - 1;
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2265
2266 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(),
2267 true /* expect session reused */)) {
2268 fprintf(stderr, "Error resuming session.\n");
2269 return false;
2270 }
2271
2272 // Advance the clock one more second.
2273 g_current_time.tv_sec++;
2274
2275 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(),
2276 false /* expect session not reused */)) {
2277 fprintf(stderr, "Error resuming session.\n");
2278 return false;
2279 }
2280
2281 // Rewind the clock to before the session was minted.
2282 g_current_time.tv_sec = kStartTime - 1;
2283
2284 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(),
2285 false /* expect session not reused */)) {
2286 fprintf(stderr, "Error resuming session.\n");
2287 return false;
2288 }
2289
2290 // SSL 3.0 cannot renew sessions.
2291 if (version == SSL3_VERSION) {
2292 continue;
2293 }
2294
2295 // Renew the session 10 seconds before expiration.
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2296 time_t new_start_time = kStartTime + timeout - 10;
2297 g_current_time.tv_sec = new_start_time;
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2298 bssl::UniquePtr<SSL_SESSION> new_session =
2299 ExpectSessionRenewed(client_ctx.get(), server_ctx.get(), session.get());
2300 if (!new_session) {
2301 fprintf(stderr, "Error renewing session.\n");
2302 return false;
2303 }
2304
2305 // This new session is not the same object as before.
2306 if (session.get() == new_session.get()) {
2307 fprintf(stderr, "New and old sessions alias.\n");
2308 return false;
2309 }
2310
2311 // Check the sessions have timestamps measured from issuance.
2312 long session_time = 0;
2313 if (server_test) {
2314 if (!GetServerTicketTime(&session_time, new_session.get())) {
2315 fprintf(stderr, "Failed to decode session ticket.\n");
David Benjaminb2e2e322016-11-01 17:32:54 -0400[diff] [blame]2316 return false;
2317 }
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2318 } else {
2319 session_time = new_session->time;
2320 }
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]2321
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2322 if (session_time != g_current_time.tv_sec) {
2323 fprintf(stderr, "New session is not measured from issuance.\n");
2324 return false;
2325 }
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]2326
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2327 if (version == TLS1_3_VERSION) {
2328 // Renewal incorporates fresh key material in TLS 1.3, so we extend the
2329 // lifetime TLS 1.3.
2330 g_current_time.tv_sec = new_start_time + timeout - 1;
2331 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(),
2332 new_session.get(),
2333 true /* expect session reused */)) {
2334 fprintf(stderr, "Error resuming renewed session.\n");
2335 return false;
2336 }
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]2337
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2338 // The new session expires after the new timeout.
2339 g_current_time.tv_sec = new_start_time + timeout + 1;
2340 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(),
2341 new_session.get(),
2342 false /* expect session ot reused */)) {
2343 fprintf(stderr, "Renewed session's lifetime is too long.\n");
2344 return false;
2345 }
2346
2347 // Renew the session until it begins just past the auth timeout.
2348 time_t auth_end_time = kStartTime + SSL_DEFAULT_SESSION_AUTH_TIMEOUT;
2349 while (new_start_time < auth_end_time - 1000) {
2350 // Get as close as possible to target start time.
2351 new_start_time =
2352 std::min(auth_end_time - 1000, new_start_time + timeout - 1);
2353 g_current_time.tv_sec = new_start_time;
2354 new_session = ExpectSessionRenewed(client_ctx.get(), server_ctx.get(),
2355 new_session.get());
2356 if (!new_session) {
2357 fprintf(stderr, "Error renewing session.\n");
2358 return false;
2359 }
2360 }
2361
2362 // Now the session's lifetime is bound by the auth timeout.
2363 g_current_time.tv_sec = auth_end_time - 1;
2364 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(),
2365 new_session.get(),
2366 true /* expect session reused */)) {
2367 fprintf(stderr, "Error resuming renewed session.\n");
2368 return false;
2369 }
2370
2371 g_current_time.tv_sec = auth_end_time + 1;
2372 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(),
2373 new_session.get(),
2374 false /* expect session ot reused */)) {
2375 fprintf(stderr, "Renewed session's lifetime is too long.\n");
2376 return false;
2377 }
2378 } else {
2379 // The new session is usable just before the old expiration.
2380 g_current_time.tv_sec = kStartTime + timeout - 1;
2381 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(),
2382 new_session.get(),
2383 true /* expect session reused */)) {
2384 fprintf(stderr, "Error resuming renewed session.\n");
2385 return false;
2386 }
2387
2388 // Renewal does not extend the lifetime, so it is not usable beyond the
2389 // old expiration.
2390 g_current_time.tv_sec = kStartTime + timeout + 1;
2391 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(),
2392 new_session.get(),
2393 false /* expect session not reused */)) {
2394 fprintf(stderr, "Renewed session's lifetime is too long.\n");
2395 return false;
2396 }
David Benjamin1b22f852016-10-27 16:36:32 -0400[diff] [blame]2397 }
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]2398 }
2399
2400 return true;
2401}
2402
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2403static int SwitchContext(SSL *ssl, int *out_alert, void *arg) {
2404 SSL_CTX *ctx = reinterpret_cast<SSL_CTX*>(arg);
2405 SSL_set_SSL_CTX(ssl, ctx);
2406 return SSL_TLSEXT_ERR_OK;
2407}
2408
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2409static bool TestSNICallback(bool is_dtls, const SSL_METHOD *method,
2410 uint16_t version) {
2411 // SSL 3.0 lacks extensions.
2412 if (version == SSL3_VERSION) {
2413 return true;
2414 }
2415
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2416 bssl::UniquePtr<X509> cert = GetTestCertificate();
2417 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
2418 bssl::UniquePtr<X509> cert2 = GetECDSATestCertificate();
2419 bssl::UniquePtr<EVP_PKEY> key2 = GetECDSATestKey();
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2420 if (!cert || !key || !cert2 || !key2) {
2421 return false;
2422 }
2423
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2424 // Test that switching the |SSL_CTX| at the SNI callback behaves correctly.
2425 static const uint16_t kECDSAWithSHA256 = SSL_SIGN_ECDSA_SECP256R1_SHA256;
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2426
David Benjamin83a32122017-02-14 18:34:54 -0500[diff] [blame]2427 static const uint8_t kSCTList[] = {0, 6, 0, 4, 5, 6, 7, 8};
2428 static const uint8_t kOCSPResponse[] = {1, 2, 3, 4};
2429
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2430 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method));
2431 bssl::UniquePtr<SSL_CTX> server_ctx2(SSL_CTX_new(method));
2432 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method));
2433 if (!server_ctx || !server_ctx2 || !client_ctx ||
2434 !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) ||
2435 !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()) ||
2436 !SSL_CTX_use_certificate(server_ctx2.get(), cert2.get()) ||
2437 !SSL_CTX_use_PrivateKey(server_ctx2.get(), key2.get()) ||
David Benjamin83a32122017-02-14 18:34:54 -0500[diff] [blame]2438 !SSL_CTX_set_signed_cert_timestamp_list(server_ctx2.get(), kSCTList,
2439 sizeof(kSCTList)) ||
2440 !SSL_CTX_set_ocsp_response(server_ctx2.get(), kOCSPResponse,
2441 sizeof(kOCSPResponse)) ||
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2442 // Historically signing preferences would be lost in some cases with the
2443 // SNI callback, which triggers the TLS 1.2 SHA-1 default. To ensure
2444 // this doesn't happen when |version| is TLS 1.2, configure the private
2445 // key to only sign SHA-256.
2446 !SSL_CTX_set_signing_algorithm_prefs(server_ctx2.get(), &kECDSAWithSHA256,
2447 1) ||
2448 !SSL_CTX_set_min_proto_version(client_ctx.get(), version) ||
2449 !SSL_CTX_set_max_proto_version(client_ctx.get(), version) ||
2450 !SSL_CTX_set_min_proto_version(server_ctx.get(), version) ||
2451 !SSL_CTX_set_max_proto_version(server_ctx.get(), version) ||
2452 !SSL_CTX_set_min_proto_version(server_ctx2.get(), version) ||
2453 !SSL_CTX_set_max_proto_version(server_ctx2.get(), version)) {
2454 return false;
2455 }
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2456
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2457 SSL_CTX_set_tlsext_servername_callback(server_ctx.get(), SwitchContext);
2458 SSL_CTX_set_tlsext_servername_arg(server_ctx.get(), server_ctx2.get());
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2459
David Benjamin83a32122017-02-14 18:34:54 -0500[diff] [blame]2460 SSL_CTX_enable_signed_cert_timestamps(client_ctx.get());
2461 SSL_CTX_enable_ocsp_stapling(client_ctx.get());
2462
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2463 bssl::UniquePtr<SSL> client, server;
2464 if (!ConnectClientAndServer(&client, &server, client_ctx.get(),
2465 server_ctx.get(), nullptr)) {
2466 fprintf(stderr, "Handshake failed.\n");
2467 return false;
2468 }
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2469
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2470 // The client should have received |cert2|.
2471 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(client.get()));
2472 if (!peer || X509_cmp(peer.get(), cert2.get()) != 0) {
2473 fprintf(stderr, "Incorrect certificate received.\n");
2474 return false;
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2475 }
2476
David Benjamin83a32122017-02-14 18:34:54 -0500[diff] [blame]2477 // The client should have received |server_ctx2|'s SCT list.
2478 const uint8_t *data;
2479 size_t len;
2480 SSL_get0_signed_cert_timestamp_list(client.get(), &data, &len);
2481 if (Bytes(kSCTList) != Bytes(data, len)) {
2482 fprintf(stderr, "Incorrect SCT list received.\n");
2483 return false;
2484 }
2485
2486 // The client should have received |server_ctx2|'s OCSP response.
2487 SSL_get0_ocsp_response(client.get(), &data, &len);
2488 if (Bytes(kOCSPResponse) != Bytes(data, len)) {
2489 fprintf(stderr, "Incorrect OCSP response received.\n");
2490 return false;
2491 }
2492
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2493 return true;
2494}
2495
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2496// Test that the early callback can swap the maximum version.
2497TEST(SSLTest, EarlyCallbackVersionSwitch) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2498 bssl::UniquePtr<X509> cert = GetTestCertificate();
2499 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
2500 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
2501 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2502 ASSERT_TRUE(cert);
2503 ASSERT_TRUE(key);
2504 ASSERT_TRUE(server_ctx);
2505 ASSERT_TRUE(client_ctx);
2506 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
2507 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
2508 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION));
2509 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
David Benjamin99620572016-08-30 00:35:36 -0400[diff] [blame]2510
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2511 SSL_CTX_set_select_certificate_cb(
Alessandro Ghedini57e81e62017-03-14 23:36:00 +0000[diff] [blame]2512 server_ctx.get(),
2513 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2514 if (!SSL_set_max_proto_version(client_hello->ssl, TLS1_2_VERSION)) {
Alessandro Ghedini57e81e62017-03-14 23:36:00 +0000[diff] [blame]2515 return ssl_select_cert_error;
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2516 }
2517
Alessandro Ghedini57e81e62017-03-14 23:36:00 +0000[diff] [blame]2518 return ssl_select_cert_success;
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2519 });
David Benjamin99620572016-08-30 00:35:36 -0400[diff] [blame]2520
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2521 bssl::UniquePtr<SSL> client, server;
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2522 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
2523 server_ctx.get(), nullptr));
2524 EXPECT_EQ(TLS1_2_VERSION, SSL_version(client.get()));
David Benjamin99620572016-08-30 00:35:36 -0400[diff] [blame]2525}
2526
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2527TEST(SSLTest, SetVersion) {
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2528 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2529 ASSERT_TRUE(ctx);
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2530
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2531 // Set valid TLS versions.
2532 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_VERSION));
2533 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_1_VERSION));
2534 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_VERSION));
2535 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_1_VERSION));
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2536
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2537 // Invalid TLS versions are rejected.
2538 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), DTLS1_VERSION));
2539 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0x0200));
2540 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0x1234));
2541 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), DTLS1_VERSION));
2542 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x0200));
2543 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x1234));
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2544
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2545 // Zero is the default version.
2546 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), 0));
2547 EXPECT_EQ(TLS1_2_VERSION, ctx->max_version);
2548 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), 0));
David Benjamin3cfeb952017-03-01 16:48:38 -0500[diff] [blame]2549 EXPECT_EQ(TLS1_VERSION, ctx->min_version);
2550
2551 // SSL 3.0 and TLS 1.3 are available, but not by default.
2552 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), SSL3_VERSION));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2553 EXPECT_EQ(SSL3_VERSION, ctx->min_version);
David Benjamin3cfeb952017-03-01 16:48:38 -0500[diff] [blame]2554 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_3_VERSION));
2555 EXPECT_EQ(TLS1_3_VERSION, ctx->max_version);
David Benjamine34bcc92016-09-21 16:53:09 -0400[diff] [blame]2556
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2557 ctx.reset(SSL_CTX_new(DTLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2558 ASSERT_TRUE(ctx);
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2559
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2560 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), DTLS1_VERSION));
2561 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), DTLS1_2_VERSION));
2562 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), DTLS1_VERSION));
2563 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), DTLS1_2_VERSION));
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2564
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2565 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_VERSION));
2566 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0xfefe /* DTLS 1.1 */));
2567 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0xfffe /* DTLS 0.1 */));
2568 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0x1234));
2569 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_VERSION));
2570 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0xfefe /* DTLS 1.1 */));
2571 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0xfffe /* DTLS 0.1 */));
2572 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x1234));
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2573
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2574 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), 0));
2575 EXPECT_EQ(TLS1_2_VERSION, ctx->max_version);
2576 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), 0));
2577 EXPECT_EQ(TLS1_1_VERSION, ctx->min_version);
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2578}
2579
David Benjamin458334a2016-12-15 13:53:25 -0500[diff] [blame]2580static const char *GetVersionName(uint16_t version) {
2581 switch (version) {
2582 case SSL3_VERSION:
2583 return "SSLv3";
2584 case TLS1_VERSION:
2585 return "TLSv1";
2586 case TLS1_1_VERSION:
2587 return "TLSv1.1";
2588 case TLS1_2_VERSION:
2589 return "TLSv1.2";
2590 case TLS1_3_VERSION:
2591 return "TLSv1.3";
2592 case DTLS1_VERSION:
2593 return "DTLSv1";
2594 case DTLS1_2_VERSION:
2595 return "DTLSv1.2";
2596 default:
2597 return "???";
2598 }
2599}
2600
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2601static bool TestVersion(bool is_dtls, const SSL_METHOD *method,
2602 uint16_t version) {
David Benjamincb18ac22016-09-27 14:09:15 -0400[diff] [blame]2603 bssl::UniquePtr<X509> cert = GetTestCertificate();
2604 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
2605 if (!cert || !key) {
2606 return false;
2607 }
2608
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2609 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method));
2610 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method));
2611 bssl::UniquePtr<SSL> client, server;
2612 if (!server_ctx || !client_ctx ||
2613 !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) ||
2614 !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()) ||
2615 !SSL_CTX_set_min_proto_version(client_ctx.get(), version) ||
2616 !SSL_CTX_set_max_proto_version(client_ctx.get(), version) ||
2617 !SSL_CTX_set_min_proto_version(server_ctx.get(), version) ||
2618 !SSL_CTX_set_max_proto_version(server_ctx.get(), version) ||
2619 !ConnectClientAndServer(&client, &server, client_ctx.get(),
2620 server_ctx.get(), nullptr /* no session */)) {
2621 fprintf(stderr, "Failed to connect.\n");
2622 return false;
2623 }
David Benjamincb18ac22016-09-27 14:09:15 -0400[diff] [blame]2624
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2625 if (SSL_version(client.get()) != version ||
2626 SSL_version(server.get()) != version) {
2627 fprintf(stderr, "Version mismatch. Got %04x and %04x, wanted %04x.\n",
2628 SSL_version(client.get()), SSL_version(server.get()), version);
2629 return false;
David Benjamincb18ac22016-09-27 14:09:15 -0400[diff] [blame]2630 }
2631
David Benjamin458334a2016-12-15 13:53:25 -0500[diff] [blame]2632 // Test the version name is reported as expected.
2633 const char *version_name = GetVersionName(version);
2634 if (strcmp(version_name, SSL_get_version(client.get())) != 0 ||
2635 strcmp(version_name, SSL_get_version(server.get())) != 0) {
2636 fprintf(stderr, "Version name mismatch. Got '%s' and '%s', wanted '%s'.\n",
2637 SSL_get_version(client.get()), SSL_get_version(server.get()),
2638 version_name);
2639 return false;
2640 }
2641
2642 // Test SSL_SESSION reports the same name.
2643 const char *client_name =
2644 SSL_SESSION_get_version(SSL_get_session(client.get()));
2645 const char *server_name =
2646 SSL_SESSION_get_version(SSL_get_session(server.get()));
2647 if (strcmp(version_name, client_name) != 0 ||
2648 strcmp(version_name, server_name) != 0) {
2649 fprintf(stderr,
2650 "Session version name mismatch. Got '%s' and '%s', wanted '%s'.\n",
2651 client_name, server_name, version_name);
2652 return false;
2653 }
2654
David Benjamincb18ac22016-09-27 14:09:15 -0400[diff] [blame]2655 return true;
2656}
2657
David Benjamin9ef31f02016-10-31 18:01:13 -0400[diff] [blame]2658// Tests that that |SSL_get_pending_cipher| is available during the ALPN
2659// selection callback.
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2660static bool TestALPNCipherAvailable(bool is_dtls, const SSL_METHOD *method,
2661 uint16_t version) {
2662 // SSL 3.0 lacks extensions.
2663 if (version == SSL3_VERSION) {
2664 return true;
2665 }
2666
David Benjamin9ef31f02016-10-31 18:01:13 -0400[diff] [blame]2667 static const uint8_t kALPNProtos[] = {0x03, 'f', 'o', 'o'};
2668
2669 bssl::UniquePtr<X509> cert = GetTestCertificate();
2670 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
2671 if (!cert || !key) {
2672 return false;
2673 }
2674
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2675 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method));
2676 if (!ctx || !SSL_CTX_use_certificate(ctx.get(), cert.get()) ||
2677 !SSL_CTX_use_PrivateKey(ctx.get(), key.get()) ||
2678 !SSL_CTX_set_min_proto_version(ctx.get(), version) ||
2679 !SSL_CTX_set_max_proto_version(ctx.get(), version) ||
2680 SSL_CTX_set_alpn_protos(ctx.get(), kALPNProtos, sizeof(kALPNProtos)) !=
2681 0) {
2682 return false;
2683 }
2684
2685 // The ALPN callback does not fail the handshake on error, so have the
2686 // callback write a boolean.
2687 std::pair<uint16_t, bool> callback_state(version, false);
2688 SSL_CTX_set_alpn_select_cb(
2689 ctx.get(),
2690 [](SSL *ssl, const uint8_t **out, uint8_t *out_len, const uint8_t *in,
2691 unsigned in_len, void *arg) -> int {
2692 auto state = reinterpret_cast<std::pair<uint16_t, bool> *>(arg);
2693 if (SSL_get_pending_cipher(ssl) != nullptr &&
2694 SSL_version(ssl) == state->first) {
2695 state->second = true;
2696 }
2697 return SSL_TLSEXT_ERR_NOACK;
2698 },
2699 &callback_state);
2700
2701 bssl::UniquePtr<SSL> client, server;
2702 if (!ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
2703 nullptr /* no session */)) {
2704 return false;
2705 }
2706
2707 if (!callback_state.second) {
2708 fprintf(stderr, "The pending cipher was not known in the ALPN callback.\n");
2709 return false;
2710 }
2711
2712 return true;
2713}
2714
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]2715static bool TestSSLClearSessionResumption(bool is_dtls,
2716 const SSL_METHOD *method,
2717 uint16_t version) {
2718 // Skip this for TLS 1.3. TLS 1.3's ticket mechanism is incompatible with this
2719 // API pattern.
2720 if (version == TLS1_3_VERSION) {
2721 return true;
2722 }
2723
2724 bssl::UniquePtr<X509> cert = GetTestCertificate();
2725 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
2726 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method));
2727 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method));
2728 if (!cert || !key || !server_ctx || !client_ctx ||
2729 !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) ||
2730 !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()) ||
2731 !SSL_CTX_set_min_proto_version(client_ctx.get(), version) ||
2732 !SSL_CTX_set_max_proto_version(client_ctx.get(), version) ||
2733 !SSL_CTX_set_min_proto_version(server_ctx.get(), version) ||
2734 !SSL_CTX_set_max_proto_version(server_ctx.get(), version)) {
2735 return false;
2736 }
2737
2738 // Connect a client and a server.
2739 bssl::UniquePtr<SSL> client, server;
2740 if (!ConnectClientAndServer(&client, &server, client_ctx.get(),
2741 server_ctx.get(), nullptr /* no session */)) {
2742 return false;
2743 }
2744
2745 if (SSL_session_reused(client.get()) ||
2746 SSL_session_reused(server.get())) {
2747 fprintf(stderr, "Session unexpectedly reused.\n");
2748 return false;
2749 }
2750
2751 // Reset everything.
2752 if (!SSL_clear(client.get()) ||
2753 !SSL_clear(server.get())) {
2754 fprintf(stderr, "SSL_clear failed.\n");
2755 return false;
2756 }
2757
2758 // Attempt to connect a second time.
2759 if (!CompleteHandshakes(client.get(), server.get())) {
2760 fprintf(stderr, "Could not reuse SSL objects.\n");
2761 return false;
2762 }
2763
2764 // |SSL_clear| should implicitly offer the previous session to the server.
2765 if (!SSL_session_reused(client.get()) ||
2766 !SSL_session_reused(server.get())) {
2767 fprintf(stderr, "Session was not reused in second try.\n");
2768 return false;
2769 }
2770
2771 return true;
2772}
2773
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]2774static bool ChainsEqual(STACK_OF(X509) *chain,
2775 const std::vector<X509 *> &expected) {
2776 if (sk_X509_num(chain) != expected.size()) {
2777 return false;
2778 }
2779
2780 for (size_t i = 0; i < expected.size(); i++) {
2781 if (X509_cmp(sk_X509_value(chain, i), expected[i]) != 0) {
2782 return false;
2783 }
2784 }
2785
2786 return true;
2787}
2788
2789static bool TestAutoChain(bool is_dtls, const SSL_METHOD *method,
2790 uint16_t version) {
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]2791 bssl::UniquePtr<X509> cert = GetChainTestCertificate();
2792 bssl::UniquePtr<X509> intermediate = GetChainTestIntermediate();
2793 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
2794 if (!cert || !intermediate || !key) {
2795 return false;
2796 }
2797
2798 // Configure both client and server to accept any certificate. Add
2799 // |intermediate| to the cert store.
2800 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method));
2801 if (!ctx ||
2802 !SSL_CTX_use_certificate(ctx.get(), cert.get()) ||
2803 !SSL_CTX_use_PrivateKey(ctx.get(), key.get()) ||
2804 !SSL_CTX_set_min_proto_version(ctx.get(), version) ||
2805 !SSL_CTX_set_max_proto_version(ctx.get(), version) ||
2806 !X509_STORE_add_cert(SSL_CTX_get_cert_store(ctx.get()),
2807 intermediate.get())) {
2808 return false;
2809 }
2810 SSL_CTX_set_verify(
2811 ctx.get(), SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nullptr);
2812 SSL_CTX_set_cert_verify_callback(ctx.get(), VerifySucceed, NULL);
2813
2814 // By default, the client and server should each only send the leaf.
2815 bssl::UniquePtr<SSL> client, server;
2816 if (!ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
2817 nullptr /* no session */)) {
2818 return false;
2819 }
2820
2821 if (!ChainsEqual(SSL_get_peer_full_cert_chain(client.get()), {cert.get()})) {
2822 fprintf(stderr, "Client-received chain did not match.\n");
2823 return false;
2824 }
2825
2826 if (!ChainsEqual(SSL_get_peer_full_cert_chain(server.get()), {cert.get()})) {
2827 fprintf(stderr, "Server-received chain did not match.\n");
2828 return false;
2829 }
2830
2831 // If auto-chaining is enabled, then the intermediate is sent.
2832 SSL_CTX_clear_mode(ctx.get(), SSL_MODE_NO_AUTO_CHAIN);
2833 if (!ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
2834 nullptr /* no session */)) {
2835 return false;
2836 }
2837
2838 if (!ChainsEqual(SSL_get_peer_full_cert_chain(client.get()),
2839 {cert.get(), intermediate.get()})) {
2840 fprintf(stderr, "Client-received chain did not match (auto-chaining).\n");
2841 return false;
2842 }
2843
2844 if (!ChainsEqual(SSL_get_peer_full_cert_chain(server.get()),
2845 {cert.get(), intermediate.get()})) {
2846 fprintf(stderr, "Server-received chain did not match (auto-chaining).\n");
2847 return false;
2848 }
2849
2850 // Auto-chaining does not override explicitly-configured intermediates.
2851 if (!SSL_CTX_add1_chain_cert(ctx.get(), cert.get()) ||
2852 !ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
2853 nullptr /* no session */)) {
2854 return false;
2855 }
2856
2857 if (!ChainsEqual(SSL_get_peer_full_cert_chain(client.get()),
2858 {cert.get(), cert.get()})) {
2859 fprintf(stderr,
2860 "Client-received chain did not match (auto-chaining, explicit "
2861 "intermediate).\n");
2862 return false;
2863 }
2864
2865 if (!ChainsEqual(SSL_get_peer_full_cert_chain(server.get()),
2866 {cert.get(), cert.get()})) {
2867 fprintf(stderr,
2868 "Server-received chain did not match (auto-chaining, explicit "
2869 "intermediate).\n");
2870 return false;
2871 }
2872
2873 return true;
2874}
2875
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]2876static bool ExpectBadWriteRetry() {
2877 int err = ERR_get_error();
2878 if (ERR_GET_LIB(err) != ERR_LIB_SSL ||
2879 ERR_GET_REASON(err) != SSL_R_BAD_WRITE_RETRY) {
2880 char buf[ERR_ERROR_STRING_BUF_LEN];
2881 ERR_error_string_n(err, buf, sizeof(buf));
2882 fprintf(stderr, "Wanted SSL_R_BAD_WRITE_RETRY, got: %s.\n", buf);
2883 return false;
2884 }
2885
2886 if (ERR_peek_error() != 0) {
2887 fprintf(stderr, "Unexpected error following SSL_R_BAD_WRITE_RETRY.\n");
2888 return false;
2889 }
2890
2891 return true;
2892}
2893
2894static bool TestSSLWriteRetry(bool is_dtls, const SSL_METHOD *method,
2895 uint16_t version) {
2896 if (is_dtls) {
2897 return true;
2898 }
2899
2900 for (bool enable_partial_write : std::vector<bool>{false, true}) {
2901 // Connect a client and server.
2902 bssl::UniquePtr<X509> cert = GetTestCertificate();
2903 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
2904 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method));
2905 bssl::UniquePtr<SSL> client, server;
2906 if (!cert || !key || !ctx ||
2907 !SSL_CTX_use_certificate(ctx.get(), cert.get()) ||
2908 !SSL_CTX_use_PrivateKey(ctx.get(), key.get()) ||
2909 !SSL_CTX_set_min_proto_version(ctx.get(), version) ||
2910 !SSL_CTX_set_max_proto_version(ctx.get(), version) ||
2911 !ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
2912 nullptr /* no session */)) {
2913 return false;
2914 }
2915
2916 if (enable_partial_write) {
2917 SSL_set_mode(client.get(), SSL_MODE_ENABLE_PARTIAL_WRITE);
2918 }
2919
2920 // Write without reading until the buffer is full and we have an unfinished
2921 // write. Keep a count so we may reread it again later. "hello!" will be
2922 // written in two chunks, "hello" and "!".
2923 char data[] = "hello!";
2924 static const int kChunkLen = 5; // The length of "hello".
2925 unsigned count = 0;
2926 for (;;) {
2927 int ret = SSL_write(client.get(), data, kChunkLen);
2928 if (ret <= 0) {
2929 int err = SSL_get_error(client.get(), ret);
2930 if (SSL_get_error(client.get(), ret) == SSL_ERROR_WANT_WRITE) {
2931 break;
2932 }
2933 fprintf(stderr, "SSL_write failed in unexpected way: %d\n", err);
2934 return false;
2935 }
2936
2937 if (ret != 5) {
2938 fprintf(stderr, "SSL_write wrote %d bytes, expected 5.\n", ret);
2939 return false;
2940 }
2941
2942 count++;
2943 }
2944
2945 // Retrying with the same parameters is legal.
2946 if (SSL_get_error(client.get(), SSL_write(client.get(), data, kChunkLen)) !=
2947 SSL_ERROR_WANT_WRITE) {
2948 fprintf(stderr, "SSL_write retry unexpectedly failed.\n");
2949 return false;
2950 }
2951
2952 // Retrying with the same buffer but shorter length is not legal.
2953 if (SSL_get_error(client.get(),
2954 SSL_write(client.get(), data, kChunkLen - 1)) !=
2955 SSL_ERROR_SSL ||
2956 !ExpectBadWriteRetry()) {
2957 fprintf(stderr, "SSL_write retry did not fail as expected.\n");
2958 return false;
2959 }
2960
2961 // Retrying with a different buffer pointer is not legal.
2962 char data2[] = "hello";
2963 if (SSL_get_error(client.get(), SSL_write(client.get(), data2,
2964 kChunkLen)) != SSL_ERROR_SSL ||
2965 !ExpectBadWriteRetry()) {
2966 fprintf(stderr, "SSL_write retry did not fail as expected.\n");
2967 return false;
2968 }
2969
2970 // With |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER|, the buffer may move.
2971 SSL_set_mode(client.get(), SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
2972 if (SSL_get_error(client.get(),
2973 SSL_write(client.get(), data2, kChunkLen)) !=
2974 SSL_ERROR_WANT_WRITE) {
2975 fprintf(stderr, "SSL_write retry unexpectedly failed.\n");
2976 return false;
2977 }
2978
2979 // |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER| does not disable length checks.
2980 if (SSL_get_error(client.get(),
2981 SSL_write(client.get(), data2, kChunkLen - 1)) !=
2982 SSL_ERROR_SSL ||
2983 !ExpectBadWriteRetry()) {
2984 fprintf(stderr, "SSL_write retry did not fail as expected.\n");
2985 return false;
2986 }
2987
2988 // Retrying with a larger buffer is legal.
2989 if (SSL_get_error(client.get(),
2990 SSL_write(client.get(), data, kChunkLen + 1)) !=
2991 SSL_ERROR_WANT_WRITE) {
2992 fprintf(stderr, "SSL_write retry unexpectedly failed.\n");
2993 return false;
2994 }
2995
2996 // Drain the buffer.
2997 char buf[20];
2998 for (unsigned i = 0; i < count; i++) {
2999 if (SSL_read(server.get(), buf, sizeof(buf)) != kChunkLen ||
3000 OPENSSL_memcmp(buf, "hello", kChunkLen) != 0) {
3001 fprintf(stderr, "Failed to read initial records.\n");
3002 return false;
3003 }
3004 }
3005
3006 // Now that there is space, a retry with a larger buffer should flush the
3007 // pending record, skip over that many bytes of input (on assumption they
3008 // are the same), and write the remainder. If SSL_MODE_ENABLE_PARTIAL_WRITE
3009 // is set, this will complete in two steps.
3010 char data3[] = "_____!";
3011 if (enable_partial_write) {
3012 if (SSL_write(client.get(), data3, kChunkLen + 1) != kChunkLen ||
3013 SSL_write(client.get(), data3 + kChunkLen, 1) != 1) {
3014 fprintf(stderr, "SSL_write retry failed.\n");
3015 return false;
3016 }
3017 } else if (SSL_write(client.get(), data3, kChunkLen + 1) != kChunkLen + 1) {
3018 fprintf(stderr, "SSL_write retry failed.\n");
3019 return false;
3020 }
3021
3022 // Check the last write was correct. The data will be spread over two
3023 // records, so SSL_read returns twice.
3024 if (SSL_read(server.get(), buf, sizeof(buf)) != kChunkLen ||
3025 OPENSSL_memcmp(buf, "hello", kChunkLen) != 0 ||
3026 SSL_read(server.get(), buf, sizeof(buf)) != 1 ||
3027 buf[0] != '!') {
3028 fprintf(stderr, "Failed to read write retry.\n");
3029 return false;
3030 }
3031 }
3032
3033 return true;
3034}
3035
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3036static bool ForEachVersion(bool (*test_func)(bool is_dtls,
3037 const SSL_METHOD *method,
3038 uint16_t version)) {
3039 static uint16_t kTLSVersions[] = {
David Benjamin3b584332017-01-24 22:47:18 -0500[diff] [blame]3040 SSL3_VERSION,
3041 TLS1_VERSION,
3042 TLS1_1_VERSION,
3043 TLS1_2_VERSION,
3044// TLS 1.3 requires RSA-PSS, which is disabled for Android system builds.
3045#if !defined(BORINGSSL_ANDROID_SYSTEM)
3046 TLS1_3_VERSION,
3047#endif
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3048 };
3049
3050 static uint16_t kDTLSVersions[] = {
3051 DTLS1_VERSION, DTLS1_2_VERSION,
3052 };
3053
David Benjamin9ef31f02016-10-31 18:01:13 -0400[diff] [blame]3054 for (uint16_t version : kTLSVersions) {
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3055 if (!test_func(false, TLS_method(), version)) {
3056 fprintf(stderr, "Test failed at TLS version %04x.\n", version);
David Benjamin9ef31f02016-10-31 18:01:13 -0400[diff] [blame]3057 return false;
3058 }
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3059 }
David Benjamin9ef31f02016-10-31 18:01:13 -0400[diff] [blame]3060
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3061 for (uint16_t version : kDTLSVersions) {
3062 if (!test_func(true, DTLS_method(), version)) {
3063 fprintf(stderr, "Test failed at DTLS version %04x.\n", version);
David Benjamin9ef31f02016-10-31 18:01:13 -0400[diff] [blame]3064 return false;
3065 }
3066 }
3067
3068 return true;
3069}
3070
Adam Langleye1e78132017-01-31 15:24:31 -0800[diff] [blame]3071TEST(SSLTest, AddChainCertHack) {
3072 // Ensure that we don't accidently break the hack that we have in place to
3073 // keep curl and serf happy when they use an |X509| even after transfering
3074 // ownership.
3075
3076 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
3077 ASSERT_TRUE(ctx);
3078 X509 *cert = GetTestCertificate().release();
3079 ASSERT_TRUE(cert);
3080 SSL_CTX_add0_chain_cert(ctx.get(), cert);
3081
3082 // This should not trigger a use-after-free.
3083 X509_cmp(cert, cert);
3084}
3085
David Benjaminb2ff2622017-02-03 17:06:18 -0500[diff] [blame]3086TEST(SSLTest, GetCertificate) {
3087 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
3088 ASSERT_TRUE(ctx);
3089 bssl::UniquePtr<X509> cert = GetTestCertificate();
3090 ASSERT_TRUE(cert);
3091 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), cert.get()));
3092 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
3093 ASSERT_TRUE(ssl);
3094
3095 X509 *cert2 = SSL_CTX_get0_certificate(ctx.get());
3096 ASSERT_TRUE(cert2);
3097 X509 *cert3 = SSL_get_certificate(ssl.get());
3098 ASSERT_TRUE(cert3);
3099
3100 // The old and new certificates must be identical.
3101 EXPECT_EQ(0, X509_cmp(cert.get(), cert2));
3102 EXPECT_EQ(0, X509_cmp(cert.get(), cert3));
3103
3104 uint8_t *der = nullptr;
3105 long der_len = i2d_X509(cert.get(), &der);
3106 ASSERT_LT(0, der_len);
3107 bssl::UniquePtr<uint8_t> free_der(der);
3108
3109 uint8_t *der2 = nullptr;
3110 long der2_len = i2d_X509(cert2, &der2);
3111 ASSERT_LT(0, der2_len);
3112 bssl::UniquePtr<uint8_t> free_der2(der2);
3113
3114 uint8_t *der3 = nullptr;
3115 long der3_len = i2d_X509(cert3, &der3);
3116 ASSERT_LT(0, der3_len);
3117 bssl::UniquePtr<uint8_t> free_der3(der3);
3118
3119 // They must also encode identically.
David Benjamin7d7554b2017-02-04 11:48:59 -0500[diff] [blame]3120 EXPECT_EQ(Bytes(der, der_len), Bytes(der2, der2_len));
3121 EXPECT_EQ(Bytes(der, der_len), Bytes(der3, der3_len));
David Benjaminb2ff2622017-02-03 17:06:18 -0500[diff] [blame]3122}
3123
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]3124TEST(SSLTest, SetChainAndKeyMismatch) {
3125 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_with_buffers_method()));
3126 ASSERT_TRUE(ctx);
3127
3128 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
3129 ASSERT_TRUE(key);
3130 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
3131 ASSERT_TRUE(leaf);
3132 std::vector<CRYPTO_BUFFER*> chain = {
3133 leaf.get(),
3134 };
3135
3136 // Should fail because |GetTestKey| doesn't match the chain-test certificate.
3137 ASSERT_FALSE(SSL_CTX_set_chain_and_key(ctx.get(), &chain[0], chain.size(),
3138 key.get(), nullptr));
3139 ERR_clear_error();
3140}
3141
3142TEST(SSLTest, SetChainAndKey) {
3143 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method()));
3144 ASSERT_TRUE(client_ctx);
3145 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_with_buffers_method()));
3146 ASSERT_TRUE(server_ctx);
3147
3148 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
3149 ASSERT_TRUE(key);
3150 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
3151 ASSERT_TRUE(leaf);
3152 bssl::UniquePtr<CRYPTO_BUFFER> intermediate =
3153 GetChainTestIntermediateBuffer();
3154 ASSERT_TRUE(intermediate);
3155 std::vector<CRYPTO_BUFFER*> chain = {
3156 leaf.get(), intermediate.get(),
3157 };
3158 ASSERT_TRUE(SSL_CTX_set_chain_and_key(server_ctx.get(), &chain[0],
3159 chain.size(), key.get(), nullptr));
3160
3161 SSL_CTX_i_promise_to_verify_certs_after_the_handshake(client_ctx.get());
3162
3163 bssl::UniquePtr<SSL> client, server;
3164 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
3165 server_ctx.get(),
3166 nullptr /* no session */));
3167}
3168
David Benjamin91222b82017-03-09 20:10:56 -0500[diff] [blame]3169// Configuring the empty cipher list, though an error, should still modify the
3170// configuration.
3171TEST(SSLTest, EmptyCipherList) {
3172 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
3173 ASSERT_TRUE(ctx);
3174
3175 // Initially, the cipher list is not empty.
3176 EXPECT_NE(0u, sk_SSL_CIPHER_num(SSL_CTX_get_ciphers(ctx.get())));
3177
3178 // Configuring the empty cipher list fails.
3179 EXPECT_FALSE(SSL_CTX_set_cipher_list(ctx.get(), ""));
3180 ERR_clear_error();
3181
3182 // But the cipher list is still updated to empty.
3183 EXPECT_EQ(0u, sk_SSL_CIPHER_num(SSL_CTX_get_ciphers(ctx.get())));
3184}
3185
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]3186// ssl_test_ticket_aead_failure_mode enumerates the possible ways in which the
3187// test |SSL_TICKET_AEAD_METHOD| can fail.
3188enum ssl_test_ticket_aead_failure_mode {
3189 ssl_test_ticket_aead_ok = 0,
3190 ssl_test_ticket_aead_seal_fail,
3191 ssl_test_ticket_aead_open_soft_fail,
3192 ssl_test_ticket_aead_open_hard_fail,
3193};
3194
3195struct ssl_test_ticket_aead_state {
3196 unsigned retry_count;
3197 ssl_test_ticket_aead_failure_mode failure_mode;
3198};
3199
3200static int ssl_test_ticket_aead_ex_index_dup(CRYPTO_EX_DATA *to,
3201 const CRYPTO_EX_DATA *from,
3202 void **from_d, int index,
3203 long argl, void *argp) {
3204 abort();
3205}
3206
3207static void ssl_test_ticket_aead_ex_index_free(void *parent, void *ptr,
3208 CRYPTO_EX_DATA *ad, int index,
3209 long argl, void *argp) {
3210 auto state = reinterpret_cast<ssl_test_ticket_aead_state*>(ptr);
3211 if (state == nullptr) {
3212 return;
3213 }
3214
3215 OPENSSL_free(state);
3216}
3217
3218static CRYPTO_once_t g_ssl_test_ticket_aead_ex_index_once = CRYPTO_ONCE_INIT;
3219static int g_ssl_test_ticket_aead_ex_index;
3220
3221static int ssl_test_ticket_aead_get_ex_index() {
3222 CRYPTO_once(&g_ssl_test_ticket_aead_ex_index_once, [] {
3223 g_ssl_test_ticket_aead_ex_index = SSL_get_ex_new_index(
3224 0, nullptr, nullptr, ssl_test_ticket_aead_ex_index_dup,
3225 ssl_test_ticket_aead_ex_index_free);
3226 });
3227 return g_ssl_test_ticket_aead_ex_index;
3228}
3229
3230static size_t ssl_test_ticket_aead_max_overhead(SSL *ssl) {
3231 return 1;
3232}
3233
3234static int ssl_test_ticket_aead_seal(SSL *ssl, uint8_t *out, size_t *out_len,
3235 size_t max_out_len, const uint8_t *in,
3236 size_t in_len) {
3237 auto state = reinterpret_cast<ssl_test_ticket_aead_state *>(
3238 SSL_get_ex_data(ssl, ssl_test_ticket_aead_get_ex_index()));
3239
3240 if (state->failure_mode == ssl_test_ticket_aead_seal_fail ||
3241 max_out_len < in_len + 1) {
3242 return 0;
3243 }
3244
3245 OPENSSL_memmove(out, in, in_len);
3246 out[in_len] = 0xff;
3247 *out_len = in_len + 1;
3248
3249 return 1;
3250}
3251
3252static ssl_ticket_aead_result_t ssl_test_ticket_aead_open(
3253 SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out_len,
3254 const uint8_t *in, size_t in_len) {
3255 auto state = reinterpret_cast<ssl_test_ticket_aead_state *>(
3256 SSL_get_ex_data(ssl, ssl_test_ticket_aead_get_ex_index()));
3257
3258 if (state->retry_count > 0) {
3259 state->retry_count--;
3260 return ssl_ticket_aead_retry;
3261 }
3262
3263 switch (state->failure_mode) {
3264 case ssl_test_ticket_aead_ok:
3265 break;
3266 case ssl_test_ticket_aead_seal_fail:
3267 // If |seal| failed then there shouldn't be any ticket to try and
3268 // decrypt.
3269 abort();
3270 break;
3271 case ssl_test_ticket_aead_open_soft_fail:
3272 return ssl_ticket_aead_ignore_ticket;
3273 case ssl_test_ticket_aead_open_hard_fail:
3274 return ssl_ticket_aead_error;
3275 }
3276
3277 if (in_len == 0 || in[in_len - 1] != 0xff) {
3278 return ssl_ticket_aead_ignore_ticket;
3279 }
3280
3281 if (max_out_len < in_len - 1) {
3282 return ssl_ticket_aead_error;
3283 }
3284
3285 OPENSSL_memmove(out, in, in_len - 1);
3286 *out_len = in_len - 1;
3287 return ssl_ticket_aead_success;
3288}
3289
3290static const SSL_TICKET_AEAD_METHOD kSSLTestTicketMethod = {
3291 ssl_test_ticket_aead_max_overhead,
3292 ssl_test_ticket_aead_seal,
3293 ssl_test_ticket_aead_open,
3294};
3295
3296static void ConnectClientAndServerWithTicketMethod(
3297 bssl::UniquePtr<SSL> *out_client, bssl::UniquePtr<SSL> *out_server,
3298 SSL_CTX *client_ctx, SSL_CTX *server_ctx, unsigned retry_count,
3299 ssl_test_ticket_aead_failure_mode failure_mode, SSL_SESSION *session) {
3300 bssl::UniquePtr<SSL> client(SSL_new(client_ctx)), server(SSL_new(server_ctx));
3301 ASSERT_TRUE(client);
3302 ASSERT_TRUE(server);
3303 SSL_set_connect_state(client.get());
3304 SSL_set_accept_state(server.get());
3305
3306 auto state = reinterpret_cast<ssl_test_ticket_aead_state *>(
3307 OPENSSL_malloc(sizeof(ssl_test_ticket_aead_state)));
3308 ASSERT_TRUE(state);
3309 OPENSSL_memset(state, 0, sizeof(ssl_test_ticket_aead_state));
3310 state->retry_count = retry_count;
3311 state->failure_mode = failure_mode;
3312
3313 ASSERT_TRUE(SSL_set_ex_data(server.get(), ssl_test_ticket_aead_get_ex_index(),
3314 state));
3315
3316 SSL_set_session(client.get(), session);
3317
3318 BIO *bio1, *bio2;
3319 ASSERT_TRUE(BIO_new_bio_pair(&bio1, 0, &bio2, 0));
3320
3321 // SSL_set_bio takes ownership.
3322 SSL_set_bio(client.get(), bio1, bio1);
3323 SSL_set_bio(server.get(), bio2, bio2);
3324
3325 if (CompleteHandshakes(client.get(), server.get())) {
3326 *out_client = std::move(client);
3327 *out_server = std::move(server);
3328 } else {
3329 out_client->reset();
3330 out_server->reset();
3331 }
3332}
3333
3334class TicketAEADMethodTest
3335 : public ::testing::TestWithParam<testing::tuple<
3336 uint16_t, unsigned, ssl_test_ticket_aead_failure_mode>> {};
3337
3338TEST_P(TicketAEADMethodTest, Resume) {
3339 bssl::UniquePtr<X509> cert = GetTestCertificate();
3340 ASSERT_TRUE(cert);
3341 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
3342 ASSERT_TRUE(key);
3343
3344 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
3345 ASSERT_TRUE(server_ctx);
3346 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
3347 ASSERT_TRUE(client_ctx);
3348
3349 const uint16_t version = testing::get<0>(GetParam());
3350 const unsigned retry_count = testing::get<1>(GetParam());
3351 const ssl_test_ticket_aead_failure_mode failure_mode =
3352 testing::get<2>(GetParam());
3353
3354 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
3355 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
3356 ASSERT_TRUE(SSL_CTX_set_min_proto_version(client_ctx.get(), version));
3357 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), version));
3358 ASSERT_TRUE(SSL_CTX_set_min_proto_version(server_ctx.get(), version));
3359 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), version));
3360
3361 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
3362 SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH);
3363 SSL_CTX_set_current_time_cb(client_ctx.get(), FrozenTimeCallback);
3364 SSL_CTX_set_current_time_cb(server_ctx.get(), FrozenTimeCallback);
David Benjamin707af292017-03-10 17:47:18 -0500[diff] [blame]3365 SSL_CTX_sess_set_new_cb(client_ctx.get(), SaveLastSession);
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]3366
3367 SSL_CTX_set_ticket_aead_method(server_ctx.get(), &kSSLTestTicketMethod);
3368
3369 bssl::UniquePtr<SSL> client, server;
3370 ConnectClientAndServerWithTicketMethod(&client, &server, client_ctx.get(),
3371 server_ctx.get(), retry_count,
3372 failure_mode, nullptr);
3373 switch (failure_mode) {
3374 case ssl_test_ticket_aead_ok:
3375 case ssl_test_ticket_aead_open_hard_fail:
3376 case ssl_test_ticket_aead_open_soft_fail:
3377 ASSERT_TRUE(client);
3378 break;
3379 case ssl_test_ticket_aead_seal_fail:
3380 EXPECT_FALSE(client);
3381 return;
3382 }
3383 EXPECT_FALSE(SSL_session_reused(client.get()));
3384 EXPECT_FALSE(SSL_session_reused(server.get()));
3385
David Benjamin707af292017-03-10 17:47:18 -0500[diff] [blame]3386 // Run the read loop to account for post-handshake tickets in TLS 1.3.
3387 SSL_read(client.get(), nullptr, 0);
3388
3389 bssl::UniquePtr<SSL_SESSION> session = std::move(g_last_session);
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]3390 ConnectClientAndServerWithTicketMethod(&client, &server, client_ctx.get(),
3391 server_ctx.get(), retry_count,
David Benjamin707af292017-03-10 17:47:18 -0500[diff] [blame]3392 failure_mode, session.get());
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]3393 switch (failure_mode) {
3394 case ssl_test_ticket_aead_ok:
3395 ASSERT_TRUE(client);
3396 EXPECT_TRUE(SSL_session_reused(client.get()));
3397 EXPECT_TRUE(SSL_session_reused(server.get()));
3398 break;
3399 case ssl_test_ticket_aead_seal_fail:
3400 abort();
3401 break;
3402 case ssl_test_ticket_aead_open_hard_fail:
3403 EXPECT_FALSE(client);
3404 break;
3405 case ssl_test_ticket_aead_open_soft_fail:
3406 ASSERT_TRUE(client);
3407 EXPECT_FALSE(SSL_session_reused(client.get()));
3408 EXPECT_FALSE(SSL_session_reused(server.get()));
3409 }
3410}
3411
3412INSTANTIATE_TEST_CASE_P(
3413 TicketAEADMethodTests, TicketAEADMethodTest,
3414 testing::Combine(
David Benjamin707af292017-03-10 17:47:18 -0500[diff] [blame]3415 testing::Values(TLS1_2_VERSION, TLS1_3_VERSION),
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]3416 testing::Values(0, 1, 2),
3417 testing::Values(ssl_test_ticket_aead_ok,
3418 ssl_test_ticket_aead_seal_fail,
3419 ssl_test_ticket_aead_open_soft_fail,
3420 ssl_test_ticket_aead_open_hard_fail)));
3421
David Benjamin3cfeb952017-03-01 16:48:38 -0500[diff] [blame]3422TEST(SSLTest, SSL3Method) {
3423 bssl::UniquePtr<X509> cert = GetTestCertificate();
3424 ASSERT_TRUE(cert);
3425
3426 // For compatibility, SSLv3_method should work up to SSL_CTX_new and SSL_new.
3427 bssl::UniquePtr<SSL_CTX> ssl3_ctx(SSL_CTX_new(SSLv3_method()));
3428 ASSERT_TRUE(ssl3_ctx);
3429 ASSERT_TRUE(SSL_CTX_use_certificate(ssl3_ctx.get(), cert.get()));
3430 bssl::UniquePtr<SSL> ssl(SSL_new(ssl3_ctx.get()));
3431 EXPECT_TRUE(ssl);
3432
3433 // Create a normal TLS context to test against.
3434 bssl::UniquePtr<SSL_CTX> tls_ctx(SSL_CTX_new(TLS_method()));
3435 ASSERT_TRUE(tls_ctx);
3436 ASSERT_TRUE(SSL_CTX_use_certificate(tls_ctx.get(), cert.get()));
3437
3438 // However, handshaking an SSLv3_method server should fail to resolve the
3439 // version range. Explicit calls to SSL_CTX_set_min_proto_version are the only
3440 // way to enable SSL 3.0.
3441 bssl::UniquePtr<SSL> client, server;
3442 EXPECT_FALSE(ConnectClientAndServer(&client, &server, tls_ctx.get(),
3443 ssl3_ctx.get(),
3444 nullptr /* no session */));
3445 uint32_t err = ERR_get_error();
3446 EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err));
3447 EXPECT_EQ(SSL_R_NO_SUPPORTED_VERSIONS_ENABLED, ERR_GET_REASON(err));
3448
3449 // Likewise for SSLv3_method clients.
3450 EXPECT_FALSE(ConnectClientAndServer(&client, &server, ssl3_ctx.get(),
3451 tls_ctx.get(),
3452 nullptr /* no session */));
3453 err = ERR_get_error();
3454 EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err));
3455 EXPECT_EQ(SSL_R_NO_SUPPORTED_VERSIONS_ENABLED, ERR_GET_REASON(err));
3456}
3457
David Benjaminca743582017-06-15 17:51:35 -0400[diff] [blame^]3458TEST(SSLTest, SelectNextProto) {
3459 uint8_t *result;
3460 uint8_t result_len;
3461
3462 // If there is an overlap, it should be returned.
3463 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
3464 SSL_select_next_proto(&result, &result_len,
3465 (const uint8_t *)"\1a\2bb\3ccc", 9,
3466 (const uint8_t *)"\1x\1y\1a\1z", 8));
3467 EXPECT_EQ(Bytes("a"), Bytes(result, result_len));
3468
3469 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
3470 SSL_select_next_proto(&result, &result_len,
3471 (const uint8_t *)"\1a\2bb\3ccc", 9,
3472 (const uint8_t *)"\1x\1y\2bb\1z", 9));
3473 EXPECT_EQ(Bytes("bb"), Bytes(result, result_len));
3474
3475 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
3476 SSL_select_next_proto(&result, &result_len,
3477 (const uint8_t *)"\1a\2bb\3ccc", 9,
3478 (const uint8_t *)"\1x\1y\3ccc\1z", 10));
3479 EXPECT_EQ(Bytes("ccc"), Bytes(result, result_len));
3480
3481 // Peer preference order takes precedence over local.
3482 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
3483 SSL_select_next_proto(&result, &result_len,
3484 (const uint8_t *)"\1a\2bb\3ccc", 9,
3485 (const uint8_t *)"\3ccc\2bb\1a", 9));
3486 EXPECT_EQ(Bytes("a"), Bytes(result, result_len));
3487
3488 // If there is no overlap, return the first local protocol.
3489 EXPECT_EQ(OPENSSL_NPN_NO_OVERLAP,
3490 SSL_select_next_proto(&result, &result_len,
3491 (const uint8_t *)"\1a\2bb\3ccc", 9,
3492 (const uint8_t *)"\1x\2yy\3zzz", 9));
3493 EXPECT_EQ(Bytes("x"), Bytes(result, result_len));
3494
3495 EXPECT_EQ(OPENSSL_NPN_NO_OVERLAP,
3496 SSL_select_next_proto(&result, &result_len, nullptr, 0,
3497 (const uint8_t *)"\1x\2yy\3zzz", 9));
3498 EXPECT_EQ(Bytes("x"), Bytes(result, result_len));
3499}
3500
David Benjamin96628432017-01-19 19:05:47 -0500[diff] [blame]3501// TODO(davidben): Convert this file to GTest properly.
3502TEST(SSLTest, AllTests) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]3503 if (!TestSSL_SESSIONEncoding(kOpenSSLSession) ||
Adam Langley10f97f32016-07-12 08:09:33 -0700[diff] [blame]3504 !TestSSL_SESSIONEncoding(kCustomSession) ||
3505 !TestSSL_SESSIONEncoding(kBoringSSLSession) ||
3506 !TestBadSSL_SESSIONEncoding(kBadSessionExtraField) ||
3507 !TestBadSSL_SESSIONEncoding(kBadSessionVersion) ||
3508 !TestBadSSL_SESSIONEncoding(kBadSessionTrailingData) ||
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]3509 // Test the padding extension at TLS 1.2.
3510 !TestPaddingExtension(TLS1_2_VERSION, TLS1_2_VERSION) ||
3511 // Test the padding extension at TLS 1.3 with a TLS 1.2 session, so there
3512 // will be no PSK binder after the padding extension.
3513 !TestPaddingExtension(TLS1_3_VERSION, TLS1_2_VERSION) ||
3514 // Test the padding extension at TLS 1.3 with a TLS 1.3 session, so there
3515 // will be a PSK binder after the padding extension.
3516 !TestPaddingExtension(TLS1_3_VERSION, TLS1_3_DRAFT_VERSION) ||
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3517 !ForEachVersion(TestSequenceNumber) ||
David Benjamin68f37b72016-11-18 15:14:42 +0900[diff] [blame]3518 !ForEachVersion(TestOneSidedShutdown) ||
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3519 !ForEachVersion(TestGetPeerCertificate) ||
3520 !ForEachVersion(TestRetainOnlySHA256OfCerts) ||
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]3521 !TestClientHello() ||
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3522 !ForEachVersion(TestSessionIDContext) ||
3523 !ForEachVersion(TestSessionTimeout) ||
3524 !ForEachVersion(TestSNICallback) ||
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3525 !ForEachVersion(TestVersion) ||
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]3526 !ForEachVersion(TestALPNCipherAvailable) ||
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]3527 !ForEachVersion(TestSSLClearSessionResumption) ||
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]3528 !ForEachVersion(TestAutoChain) ||
3529 !ForEachVersion(TestSSLWriteRetry)) {
David Benjamin96628432017-01-19 19:05:47 -0500[diff] [blame]3530 ADD_FAILURE() << "Tests failed";
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]3531 }
David Benjamin2e521212014-07-16 14:37:51 -0400[diff] [blame]3532}