Google Git
Sign in
boringssl / boringssl.git / 35a31162ffb3a9f6bf7c543e2d516d5cdb339334 / . / ssl / ssl_test.cc
blob: 17209298f84bcd248c0367a4cc8fb88074705b5e [file] [log] [blame]
David Benjamin2e521212014-07-16 14:37:51 -0400[diff] [blame]1/* Copyright (c) 2014, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15#include <stdio.h>
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]16#include <string.h>
David Benjamin1269ddd2015-10-18 15:18:55 -0400[diff] [blame]17#include <time.h>
David Benjamin2e521212014-07-16 14:37:51 -0400[diff] [blame]18
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]19#include <algorithm>
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]20#include <limits>
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]21#include <string>
David Benjamin4f6acaf2015-11-21 03:00:50 -0500[diff] [blame]22#include <utility>
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]23#include <vector>
24
David Benjamin96628432017-01-19 19:05:47 -0500[diff] [blame]25#include <gtest/gtest.h>
26
David Benjamin0e7dbd52019-05-15 16:01:18 -0400[diff] [blame]27#include <openssl/aead.h>
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]28#include <openssl/base64.h>
David Benjamine9c5d722021-06-09 17:43:16 -0400[diff] [blame]29#include <openssl/bytestring.h>
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]30#include <openssl/bio.h>
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]31#include <openssl/cipher.h>
David Benjamin7a1eefd2015-10-17 23:39:22 -0400[diff] [blame]32#include <openssl/crypto.h>
Daniel McArdle00e434d2021-02-18 11:47:18 -0500[diff] [blame]33#include <openssl/curve25519.h>
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]34#include <openssl/err.h>
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]35#include <openssl/hmac.h>
David Benjaminc890ae52021-06-06 13:32:29 -0400[diff] [blame]36#include <openssl/hpke.h>
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]37#include <openssl/pem.h>
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]38#include <openssl/sha.h>
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]39#include <openssl/ssl.h>
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]40#include <openssl/rand.h>
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]41#include <openssl/x509.h>
Adam Langley7e7e6b62021-12-06 13:04:07 -0800[diff] [blame]42#include <openssl/x509v3.h>
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]43
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]44#include "internal.h"
Steven Valdezcb966542016-08-17 16:56:14 -0400[diff] [blame]45#include "../crypto/internal.h"
Sigbjorn Vik2b23d242015-06-29 15:07:26 +0200[diff] [blame]46#include "../crypto/test/test_util.h"
47
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]48#if defined(OPENSSL_WINDOWS)
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]49// Windows defines struct timeval in winsock2.h.
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]50OPENSSL_MSVC_PRAGMA(warning(push, 3))
51#include <winsock2.h>
52OPENSSL_MSVC_PRAGMA(warning(pop))
53#else
54#include <sys/time.h>
55#endif
56
David Benjamin5b33eff2018-09-22 16:52:48 -0700[diff] [blame]57#if defined(OPENSSL_THREADS)
David Benjamin6c04bd12018-07-19 18:13:09 -0400[diff] [blame]58#include <thread>
59#endif
60
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]61
Joshua Liebow-Feeser8c7c6352018-08-26 18:53:36 -0700[diff] [blame]62BSSL_NAMESPACE_BEGIN
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]63
64namespace {
65
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]66#define TRACED_CALL(code) \
67 do { \
68 SCOPED_TRACE("<- called from here"); \
69 code; \
70 if (::testing::Test::HasFatalFailure()) { \
71 return; \
72 } \
73 } while (false)
74
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]75struct VersionParam {
76 uint16_t version;
77 enum { is_tls, is_dtls } ssl_method;
78 const char name[8];
79};
80
81static const size_t kTicketKeyLen = 48;
82
83static const VersionParam kAllVersions[] = {
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]84 {TLS1_VERSION, VersionParam::is_tls, "TLS1"},
85 {TLS1_1_VERSION, VersionParam::is_tls, "TLS1_1"},
86 {TLS1_2_VERSION, VersionParam::is_tls, "TLS1_2"},
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]87 {TLS1_3_VERSION, VersionParam::is_tls, "TLS1_3"},
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]88 {DTLS1_VERSION, VersionParam::is_dtls, "DTLS1"},
89 {DTLS1_2_VERSION, VersionParam::is_dtls, "DTLS1_2"},
90};
91
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]92struct ExpectedCipher {
93 unsigned long id;
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]94 int in_group_flag;
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]95};
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]96
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]97struct CipherTest {
98 // The rule string to apply.
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]99 const char *rule;
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]100 // The list of expected ciphers, in order.
101 std::vector<ExpectedCipher> expected;
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]102 // True if this cipher list should fail in strict mode.
103 bool strict_fail;
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]104};
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]105
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]106struct CurveTest {
107 // The rule string to apply.
108 const char *rule;
109 // The list of expected curves, in order.
110 std::vector<uint16_t> expected;
111};
112
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]113template <typename T>
114class UnownedSSLExData {
115 public:
116 UnownedSSLExData() {
117 index_ = SSL_get_ex_new_index(0, nullptr, nullptr, nullptr, nullptr);
118 }
119
120 T *Get(const SSL *ssl) {
121 return index_ < 0 ? nullptr
122 : static_cast<T *>(SSL_get_ex_data(ssl, index_));
123 }
124
125 bool Set(SSL *ssl, T *t) {
126 return index_ >= 0 && SSL_set_ex_data(ssl, index_, t);
127 }
128
129 private:
130 int index_;
131};
132
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]133static const CipherTest kCipherTests[] = {
134 // Selecting individual ciphers should work.
135 {
136 "ECDHE-ECDSA-CHACHA20-POLY1305:"
137 "ECDHE-RSA-CHACHA20-POLY1305:"
138 "ECDHE-ECDSA-AES128-GCM-SHA256:"
139 "ECDHE-RSA-AES128-GCM-SHA256",
140 {
141 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]142 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]143 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
144 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
145 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]146 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]147 },
148 // + reorders selected ciphers to the end, keeping their relative order.
149 {
150 "ECDHE-ECDSA-CHACHA20-POLY1305:"
151 "ECDHE-RSA-CHACHA20-POLY1305:"
152 "ECDHE-ECDSA-AES128-GCM-SHA256:"
153 "ECDHE-RSA-AES128-GCM-SHA256:"
154 "+aRSA",
155 {
156 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]157 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
158 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]159 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
160 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]161 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]162 },
163 // ! banishes ciphers from future selections.
164 {
165 "!aRSA:"
166 "ECDHE-ECDSA-CHACHA20-POLY1305:"
167 "ECDHE-RSA-CHACHA20-POLY1305:"
168 "ECDHE-ECDSA-AES128-GCM-SHA256:"
169 "ECDHE-RSA-AES128-GCM-SHA256",
170 {
171 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]172 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
173 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]174 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]175 },
176 // Multiple masks can be ANDed in a single rule.
177 {
178 "kRSA+AESGCM+AES128",
179 {
180 {TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0},
181 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]182 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]183 },
184 // - removes selected ciphers, but preserves their order for future
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]185 // selections. Select AES_128_GCM, but order the key exchanges RSA,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]186 // ECDHE_RSA.
187 {
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]188 "ALL:-kECDHE:"
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]189 "-kRSA:-ALL:"
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]190 "AESGCM+AES128+aRSA",
191 {
192 {TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]193 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
194 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]195 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]196 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]197 // Unknown selectors are no-ops, except in strict mode.
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]198 {
199 "ECDHE-ECDSA-CHACHA20-POLY1305:"
200 "ECDHE-RSA-CHACHA20-POLY1305:"
201 "ECDHE-ECDSA-AES128-GCM-SHA256:"
202 "ECDHE-RSA-AES128-GCM-SHA256:"
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]203 "BOGUS1",
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]204 {
205 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]206 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]207 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
208 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
209 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]210 true,
211 },
212 // Unknown selectors are no-ops, except in strict mode.
213 {
214 "ECDHE-ECDSA-CHACHA20-POLY1305:"
215 "ECDHE-RSA-CHACHA20-POLY1305:"
216 "ECDHE-ECDSA-AES128-GCM-SHA256:"
217 "ECDHE-RSA-AES128-GCM-SHA256:"
218 "-BOGUS2:+BOGUS3:!BOGUS4",
219 {
220 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
221 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
222 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
223 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
224 },
225 true,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]226 },
227 // Square brackets specify equi-preference groups.
228 {
229 "[ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES128-GCM-SHA256]:"
230 "[ECDHE-RSA-CHACHA20-POLY1305]:"
231 "ECDHE-RSA-AES128-GCM-SHA256",
232 {
233 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 1},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]234 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
Adam Langley2e839242017-01-19 15:12:44 -0800[diff] [blame]235 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]236 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
237 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]238 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]239 },
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]240 // Standard names may be used instead of OpenSSL names.
241 {
242 "[TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|"
David Benjaminbf5f1922017-07-01 11:13:53 -0400[diff] [blame]243 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]:"
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]244 "[TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256]:"
245 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
246 {
247 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 1},
248 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
249 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
250 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
251 },
252 false,
253 },
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]254 // @STRENGTH performs a stable strength-sort of the selected ciphers and
255 // only the selected ciphers.
256 {
257 // To simplify things, banish all but {ECDHE_RSA,RSA} x
Matthew Braithwaite8aaa9e12016-09-07 15:09:58 -0700[diff] [blame]258 // {CHACHA20,AES_256_CBC,AES_128_CBC} x SHA1.
David Benjamin6e678ee2018-04-16 19:54:42 -0400[diff] [blame]259 "!AESGCM:!3DES:"
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]260 // Order some ciphers backwards by strength.
Matthew Braithwaite8aaa9e12016-09-07 15:09:58 -0700[diff] [blame]261 "ALL:-CHACHA20:-AES256:-AES128:-ALL:"
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]262 // Select ECDHE ones and sort them by strength. Ties should resolve
263 // based on the order above.
264 "kECDHE:@STRENGTH:-ALL:"
265 // Now bring back everything uses RSA. ECDHE_RSA should be first, sorted
266 // by strength. Then RSA, backwards by strength.
267 "aRSA",
268 {
269 {TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, 0},
270 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]271 {TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]272 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
273 {TLS1_CK_RSA_WITH_AES_256_SHA, 0},
274 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]275 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]276 },
David Benjaminbf5f1922017-07-01 11:13:53 -0400[diff] [blame]277 // Additional masks after @STRENGTH get silently discarded.
278 //
279 // TODO(davidben): Make this an error. If not silently discarded, they get
280 // interpreted as + opcodes which are very different.
281 {
282 "ECDHE-RSA-AES128-GCM-SHA256:"
283 "ECDHE-RSA-AES256-GCM-SHA384:"
284 "@STRENGTH+AES256",
285 {
286 {TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 0},
287 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
288 },
289 false,
290 },
291 {
292 "ECDHE-RSA-AES128-GCM-SHA256:"
293 "ECDHE-RSA-AES256-GCM-SHA384:"
294 "@STRENGTH+AES256:"
295 "ECDHE-RSA-CHACHA20-POLY1305",
296 {
297 {TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 0},
298 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
299 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
300 },
301 false,
302 },
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]303 // Exact ciphers may not be used in multi-part rules; they are treated
304 // as unknown aliases.
305 {
306 "ECDHE-ECDSA-AES128-GCM-SHA256:"
307 "ECDHE-RSA-AES128-GCM-SHA256:"
308 "!ECDHE-RSA-AES128-GCM-SHA256+RSA:"
309 "!ECDSA+ECDHE-ECDSA-AES128-GCM-SHA256",
310 {
311 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
312 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
313 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]314 true,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]315 },
316 // SSLv3 matches everything that existed before TLS 1.2.
317 {
David Benjamin6e678ee2018-04-16 19:54:42 -0400[diff] [blame]318 "AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256:!SSLv3",
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]319 {
David Benjamin6e678ee2018-04-16 19:54:42 -0400[diff] [blame]320 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]321 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]322 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]323 },
324 // TLSv1.2 matches everything added in TLS 1.2.
325 {
David Benjamin6e678ee2018-04-16 19:54:42 -0400[diff] [blame]326 "AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256:!TLSv1.2",
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]327 {
328 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
329 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]330 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]331 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]332 // The two directives have no intersection. But each component is valid, so
333 // even in strict mode it is accepted.
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]334 {
David Benjamin6e678ee2018-04-16 19:54:42 -0400[diff] [blame]335 "AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256:!TLSv1.2+SSLv3",
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]336 {
337 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
David Benjamin6e678ee2018-04-16 19:54:42 -0400[diff] [blame]338 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]339 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]340 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]341 },
Adam Langley22df6912017-07-25 12:27:37 -0700[diff] [blame]342 // Spaces, semi-colons and commas are separators.
343 {
David Benjamin6e678ee2018-04-16 19:54:42 -0400[diff] [blame]344 "AES128-SHA: ECDHE-RSA-AES128-GCM-SHA256 AES256-SHA ,ECDHE-ECDSA-AES128-GCM-SHA256 ; AES128-GCM-SHA256",
Adam Langley22df6912017-07-25 12:27:37 -0700[diff] [blame]345 {
346 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
David Benjamin6e678ee2018-04-16 19:54:42 -0400[diff] [blame]347 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
Adam Langley22df6912017-07-25 12:27:37 -0700[diff] [blame]348 {TLS1_CK_RSA_WITH_AES_256_SHA, 0},
David Benjamin6e678ee2018-04-16 19:54:42 -0400[diff] [blame]349 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
Adam Langley22df6912017-07-25 12:27:37 -0700[diff] [blame]350 {TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0},
351 },
352 // …but not in strict mode.
353 true,
354 },
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]355};
356
357static const char *kBadRules[] = {
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]358 // Invalid brackets.
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]359 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256",
360 "RSA]",
361 "[[RSA]]",
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]362 // Operators inside brackets.
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]363 "[+RSA]",
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]364 // Unknown directive.
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]365 "@BOGUS",
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]366 // Empty cipher lists error at SSL_CTX_set_cipher_list.
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]367 "",
368 "BOGUS",
David Benjamin32fbdf22015-04-07 01:14:06 -0400[diff] [blame]369 // COMPLEMENTOFDEFAULT is empty.
370 "COMPLEMENTOFDEFAULT",
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]371 // Invalid command.
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]372 "?BAR",
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]373 // Special operators are not allowed if groups are used.
David Benjamin37d92462014-09-20 17:54:24 -0400[diff] [blame]374 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:+FOO",
375 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:!FOO",
376 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:-FOO",
377 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:@STRENGTH",
Adam Langleyf99f2442016-10-02 09:53:38 -0700[diff] [blame]378 // Opcode supplied, but missing selector.
379 "+",
Adam Langley22df6912017-07-25 12:27:37 -0700[diff] [blame]380 // Spaces are forbidden in equal-preference groups.
381 "[AES128-SHA | AES128-SHA256]",
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]382};
383
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]384static const char *kMustNotIncludeNull[] = {
385 "ALL",
386 "DEFAULT",
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]387 "HIGH",
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]388 "FIPS",
389 "SHA",
390 "SHA1",
391 "RSA",
392 "SSLv3",
393 "TLSv1",
394 "TLSv1.2",
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]395};
396
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]397static const CurveTest kCurveTests[] = {
398 {
399 "P-256",
400 { SSL_CURVE_SECP256R1 },
401 },
402 {
Adam Langley7b935932018-11-12 13:53:42 -0800[diff] [blame]403 "P-256:CECPQ2",
404 { SSL_CURVE_SECP256R1, SSL_CURVE_CECPQ2 },
405 },
406
407 {
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]408 "P-256:P-384:P-521:X25519",
409 {
410 SSL_CURVE_SECP256R1,
411 SSL_CURVE_SECP384R1,
412 SSL_CURVE_SECP521R1,
413 SSL_CURVE_X25519,
414 },
415 },
David Benjamin6dda1662017-11-02 20:44:26 -0400[diff] [blame]416 {
417 "prime256v1:secp384r1:secp521r1:x25519",
418 {
419 SSL_CURVE_SECP256R1,
420 SSL_CURVE_SECP384R1,
421 SSL_CURVE_SECP521R1,
422 SSL_CURVE_X25519,
423 },
424 },
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]425};
426
427static const char *kBadCurvesLists[] = {
428 "",
429 ":",
430 "::",
431 "P-256::X25519",
432 "RSA:P-256",
433 "P-256:RSA",
434 "X25519:P-256:",
435 ":X25519:P-256",
436};
437
David Benjamin70dbf042017-08-08 18:51:37 -0400[diff] [blame]438static std::string CipherListToString(SSL_CTX *ctx) {
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]439 bool in_group = false;
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]440 std::string ret;
David Benjamin70dbf042017-08-08 18:51:37 -0400[diff] [blame]441 const STACK_OF(SSL_CIPHER) *ciphers = SSL_CTX_get_ciphers(ctx);
442 for (size_t i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
443 const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(ciphers, i);
444 if (!in_group && SSL_CTX_cipher_in_group(ctx, i)) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]445 ret += "\t[\n";
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]446 in_group = true;
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]447 }
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]448 ret += "\t";
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]449 if (in_group) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]450 ret += " ";
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]451 }
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]452 ret += SSL_CIPHER_get_name(cipher);
453 ret += "\n";
David Benjamin70dbf042017-08-08 18:51:37 -0400[diff] [blame]454 if (in_group && !SSL_CTX_cipher_in_group(ctx, i)) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]455 ret += "\t]\n";
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]456 in_group = false;
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]457 }
458 }
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]459 return ret;
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]460}
461
David Benjamin70dbf042017-08-08 18:51:37 -0400[diff] [blame]462static bool CipherListsEqual(SSL_CTX *ctx,
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]463 const std::vector<ExpectedCipher> &expected) {
David Benjamin70dbf042017-08-08 18:51:37 -0400[diff] [blame]464 const STACK_OF(SSL_CIPHER) *ciphers = SSL_CTX_get_ciphers(ctx);
465 if (sk_SSL_CIPHER_num(ciphers) != expected.size()) {
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]466 return false;
David Benjamin65226252015-02-05 16:49:47 -0500[diff] [blame]467 }
468
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]469 for (size_t i = 0; i < expected.size(); i++) {
David Benjamin70dbf042017-08-08 18:51:37 -0400[diff] [blame]470 const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(ciphers, i);
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]471 if (expected[i].id != SSL_CIPHER_get_id(cipher) ||
David Benjamin70dbf042017-08-08 18:51:37 -0400[diff] [blame]472 expected[i].in_group_flag != !!SSL_CTX_cipher_in_group(ctx, i)) {
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]473 return false;
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]474 }
475 }
476
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]477 return true;
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]478}
479
Daniel McArdleff746c12019-09-16 12:35:05 -0400[diff] [blame]480TEST(GrowableArrayTest, Resize) {
481 GrowableArray<size_t> array;
482 ASSERT_TRUE(array.empty());
483 EXPECT_EQ(array.size(), 0u);
484
485 ASSERT_TRUE(array.Push(42));
486 ASSERT_TRUE(!array.empty());
487 EXPECT_EQ(array.size(), 1u);
488
489 // Force a resize operation to occur
490 for (size_t i = 0; i < 16; i++) {
491 ASSERT_TRUE(array.Push(i + 1));
492 }
493
494 EXPECT_EQ(array.size(), 17u);
495
496 // Verify that expected values are still contained in array
497 for (size_t i = 0; i < array.size(); i++) {
498 EXPECT_EQ(array[i], i == 0 ? 42 : i);
499 }
500}
501
502TEST(GrowableArrayTest, MoveConstructor) {
503 GrowableArray<size_t> array;
504 for (size_t i = 0; i < 100; i++) {
505 ASSERT_TRUE(array.Push(i));
506 }
507
508 GrowableArray<size_t> array_moved(std::move(array));
509 for (size_t i = 0; i < 100; i++) {
510 EXPECT_EQ(array_moved[i], i);
511 }
512}
513
514TEST(GrowableArrayTest, GrowableArrayContainingGrowableArrays) {
515 // Representative example of a struct that contains a GrowableArray.
516 struct TagAndArray {
517 size_t tag;
518 GrowableArray<size_t> array;
519 };
520
521 GrowableArray<TagAndArray> array;
522 for (size_t i = 0; i < 100; i++) {
523 TagAndArray elem;
524 elem.tag = i;
525 for (size_t j = 0; j < i; j++) {
526 ASSERT_TRUE(elem.array.Push(j));
527 }
528 ASSERT_TRUE(array.Push(std::move(elem)));
529 }
530 EXPECT_EQ(array.size(), static_cast<size_t>(100));
531
532 GrowableArray<TagAndArray> array_moved(std::move(array));
533 EXPECT_EQ(array_moved.size(), static_cast<size_t>(100));
534 size_t count = 0;
535 for (const TagAndArray &elem : array_moved) {
536 // Test the square bracket operator returns the same value as iteration.
537 EXPECT_EQ(&elem, &array_moved[count]);
538
539 EXPECT_EQ(elem.tag, count);
540 EXPECT_EQ(elem.array.size(), count);
541 for (size_t j = 0; j < count; j++) {
542 EXPECT_EQ(elem.array[j], j);
543 }
544 count++;
545 }
546}
547
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]548TEST(SSLTest, CipherRules) {
549 for (const CipherTest &t : kCipherTests) {
550 SCOPED_TRACE(t.rule);
551 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
552 ASSERT_TRUE(ctx);
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]553
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]554 // Test lax mode.
555 ASSERT_TRUE(SSL_CTX_set_cipher_list(ctx.get(), t.rule));
David Benjamin70dbf042017-08-08 18:51:37 -0400[diff] [blame]556 EXPECT_TRUE(CipherListsEqual(ctx.get(), t.expected))
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]557 << "Cipher rule evaluated to:\n"
David Benjamin70dbf042017-08-08 18:51:37 -0400[diff] [blame]558 << CipherListToString(ctx.get());
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]559
560 // Test strict mode.
561 if (t.strict_fail) {
562 EXPECT_FALSE(SSL_CTX_set_strict_cipher_list(ctx.get(), t.rule));
563 } else {
564 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(ctx.get(), t.rule));
David Benjamin70dbf042017-08-08 18:51:37 -0400[diff] [blame]565 EXPECT_TRUE(CipherListsEqual(ctx.get(), t.expected))
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]566 << "Cipher rule evaluated to:\n"
David Benjamin70dbf042017-08-08 18:51:37 -0400[diff] [blame]567 << CipherListToString(ctx.get());
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]568 }
569 }
570
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]571 for (const char *rule : kBadRules) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]572 SCOPED_TRACE(rule);
573 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
574 ASSERT_TRUE(ctx);
575
576 EXPECT_FALSE(SSL_CTX_set_cipher_list(ctx.get(), rule));
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]577 ERR_clear_error();
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]578 }
579
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]580 for (const char *rule : kMustNotIncludeNull) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]581 SCOPED_TRACE(rule);
582 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
583 ASSERT_TRUE(ctx);
584
585 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(ctx.get(), rule));
David Benjamin70dbf042017-08-08 18:51:37 -0400[diff] [blame]586 for (const SSL_CIPHER *cipher : SSL_CTX_get_ciphers(ctx.get())) {
David Benjamine3bb51c2017-08-22 23:16:02 -0700[diff] [blame]587 EXPECT_NE(NID_undef, SSL_CIPHER_get_cipher_nid(cipher));
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]588 }
589 }
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]590}
David Benjamin2e521212014-07-16 14:37:51 -0400[diff] [blame]591
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]592TEST(SSLTest, CurveRules) {
593 for (const CurveTest &t : kCurveTests) {
594 SCOPED_TRACE(t.rule);
595 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
596 ASSERT_TRUE(ctx);
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]597
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]598 ASSERT_TRUE(SSL_CTX_set1_curves_list(ctx.get(), t.rule));
David Benjamin0ce090a2018-07-02 20:24:40 -0400[diff] [blame]599 ASSERT_EQ(t.expected.size(), ctx->supported_group_list.size());
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]600 for (size_t i = 0; i < t.expected.size(); i++) {
601 EXPECT_EQ(t.expected[i], ctx->supported_group_list[i]);
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]602 }
603 }
604
605 for (const char *rule : kBadCurvesLists) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]606 SCOPED_TRACE(rule);
607 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
608 ASSERT_TRUE(ctx);
609
610 EXPECT_FALSE(SSL_CTX_set1_curves_list(ctx.get(), rule));
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]611 ERR_clear_error();
612 }
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]613}
614
Adam Langley364f7a62016-12-12 10:51:00 -0800[diff] [blame]615// kOpenSSLSession is a serialized SSL_SESSION.
Adam Langley10f97f32016-07-12 08:09:33 -0700[diff] [blame]616static const char kOpenSSLSession[] =
Adam Langley364f7a62016-12-12 10:51:00 -0800[diff] [blame]617 "MIIFqgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
Adam Langley10f97f32016-07-12 08:09:33 -0700[diff] [blame]618 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
619 "IWoJoQYCBFRDO46iBAICASyjggR6MIIEdjCCA16gAwIBAgIIK9dUvsPWSlUwDQYJ"
620 "KoZIhvcNAQEFBQAwSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMx"
621 "JTAjBgNVBAMTHEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTQxMDA4"
622 "MTIwNzU3WhcNMTUwMTA2MDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwK"
623 "Q2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29v"
624 "Z2xlIEluYzEXMBUGA1UEAwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEB"
625 "AQUAA4IBDwAwggEKAoIBAQCcKeLrplAC+Lofy8t/wDwtB6eu72CVp0cJ4V3lknN6"
626 "huH9ct6FFk70oRIh/VBNBBz900jYy+7111Jm1b8iqOTQ9aT5C7SEhNcQFJvqzH3e"
627 "MPkb6ZSWGm1yGF7MCQTGQXF20Sk/O16FSjAynU/b3oJmOctcycWYkY0ytS/k3LBu"
628 "Id45PJaoMqjB0WypqvNeJHC3q5JjCB4RP7Nfx5jjHSrCMhw8lUMW4EaDxjaR9KDh"
629 "PLgjsk+LDIySRSRDaCQGhEOWLJZVLzLo4N6/UlctCHEllpBUSvEOyFga52qroGjg"
630 "rf3WOQ925MFwzd6AK+Ich0gDRg8sQfdLH5OuP1cfLfU1AgMBAAGjggFBMIIBPTAd"
631 "BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdv"
632 "b2dsZS5jb20waAYIKwYBBQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtp"
633 "Lmdvb2dsZS5jb20vR0lBRzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50"
634 "czEuZ29vZ2xlLmNvbS9vY3NwMB0GA1UdDgQWBBQ7a+CcxsZByOpc+xpYFcIbnUMZ"
635 "hTAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEv"
636 "MBcGA1UdIAQQMA4wDAYKKwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRw"
637 "Oi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQCa"
638 "OXCBdoqUy5bxyq+Wrh1zsyyCFim1PH5VU2+yvDSWrgDY8ibRGJmfff3r4Lud5kal"
639 "dKs9k8YlKD3ITG7P0YT/Rk8hLgfEuLcq5cc0xqmE42xJ+Eo2uzq9rYorc5emMCxf"
640 "5L0TJOXZqHQpOEcuptZQ4OjdYMfSxk5UzueUhA3ogZKRcRkdB3WeWRp+nYRhx4St"
641 "o2rt2A0MKmY9165GHUqMK9YaaXHDXqBu7Sefr1uSoAP9gyIJKeihMivsGqJ1TD6Z"
642 "cc6LMe+dN2P8cZEQHtD1y296ul4Mivqk3jatUVL8/hCwgch9A8O4PGZq9WqBfEWm"
643 "IyHh1dPtbg1lOXdYCWtjpAIEAKUDAgEUqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36S"
644 "YTcLEkXqKwOBfF9vE4KX0NxeLwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9B"
645 "sNHM362zZnY27GpTw+Kwd751CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yE"
646 "OTDKPNj3+inbMaVigtK4PLyPq+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdA"
Adam Langley364f7a62016-12-12 10:51:00 -0800[diff] [blame]647 "i4gv7Y5oliyntgMBAQA=";
Adam Langley10f97f32016-07-12 08:09:33 -0700[diff] [blame]648
649// kCustomSession is a custom serialized SSL_SESSION generated by
650// filling in missing fields from |kOpenSSLSession|. This includes
651// providing |peer_sha256|, so |peer| is not serialized.
652static const char kCustomSession[] =
David Benjamina8614602017-09-06 15:40:19 -0400[diff] [blame]653 "MIIBZAIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
Adam Langley10f97f32016-07-12 08:09:33 -0700[diff] [blame]654 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
David Benjamina8614602017-09-06 15:40:19 -0400[diff] [blame]655 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUqAcEBXdvcmxkqQUCAwGJwKqBpwSB"
656 "pBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0NxeLwjcDTpsuh3qXEaZ992r1N38"
657 "VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751CLoXFPoaMOe57dbBpXoro6Pd"
658 "3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyPq+Topyzvx9USFgRvyuoxn0Hg"
659 "b+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYGBgYGBgYGBgYGBgYGBgYGBgYG"
660 "BgYGBgYGBgYGrgMEAQevAwQBBLADBAEF";
Adam Langley10f97f32016-07-12 08:09:33 -0700[diff] [blame]661
662// kBoringSSLSession is a serialized SSL_SESSION generated from bssl client.
663static const char kBoringSSLSession[] =
664 "MIIRwQIBAQICAwMEAsAvBCDdoGxGK26mR+8lM0uq6+k9xYuxPnwAjpcF9n0Yli9R"
665 "kQQwbyshfWhdi5XQ1++7n2L1qqrcVlmHBPpr6yknT/u4pUrpQB5FZ7vqvNn8MdHf"
666 "9rWgoQYCBFXgs7uiBAICHCCjggR6MIIEdjCCA16gAwIBAgIIf+yfD7Y6UicwDQYJ"
667 "KoZIhvcNAQELBQAwSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMx"
668 "JTAjBgNVBAMTHEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTUwODEy"
669 "MTQ1MzE1WhcNMTUxMTEwMDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwK"
670 "Q2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29v"
671 "Z2xlIEluYzEXMBUGA1UEAwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEB"
672 "AQUAA4IBDwAwggEKAoIBAQC0MeG5YGQ0t+IeJeoneP/PrhEaieibeKYkbKVLNZpo"
673 "PLuBinvhkXZo3DC133NpCBpy6ZktBwamqyixAyuk/NU6OjgXqwwxfQ7di1AInLIU"
674 "792c7hFyNXSUCG7At8Ifi3YwBX9Ba6u/1d6rWTGZJrdCq3QU11RkKYyTq2KT5mce"
675 "Tv9iGKqSkSTlp8puy/9SZ/3DbU3U+BuqCFqeSlz7zjwFmk35acdCilpJlVDDN5C/"
676 "RCh8/UKc8PaL+cxlt531qoTENvYrflBno14YEZlCBZsPiFeUSILpKEj3Ccwhy0eL"
677 "EucWQ72YZU8mUzXBoXGn0zA0crFl5ci/2sTBBGZsylNBAgMBAAGjggFBMIIBPTAd"
678 "BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdv"
679 "b2dsZS5jb20waAYIKwYBBQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtp"
680 "Lmdvb2dsZS5jb20vR0lBRzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50"
681 "czEuZ29vZ2xlLmNvbS9vY3NwMB0GA1UdDgQWBBS/bzHxcE73Q4j3slC4BLbMtLjG"
682 "GjAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEv"
683 "MBcGA1UdIAQQMA4wDAYKKwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRw"
684 "Oi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQAb"
685 "qdWPZEHk0X7iKPCTHL6S3w6q1eR67goxZGFSM1lk1hjwyu7XcLJuvALVV9uY3ovE"
686 "kQZSHwT+pyOPWQhsSjO+1GyjvCvK/CAwiUmBX+bQRGaqHsRcio7xSbdVcajQ3bXd"
687 "X+s0WdbOpn6MStKAiBVloPlSxEI8pxY6x/BBCnTIk/+DMB17uZlOjG3vbAnkDkP+"
688 "n0OTucD9sHV7EVj9XUxi51nOfNBCN/s7lpUjDS/NJ4k3iwOtbCPswiot8vLO779a"
689 "f07vR03r349Iz/KTzk95rlFtX0IU+KYNxFNsanIXZ+C9FYGRXkwhHcvFb4qMUB1y"
690 "TTlM80jBMOwyjZXmjRAhpAIEAKUDAgEUqQUCAwGJwKqBpwSBpOgebbmn9NRUtMWH"
691 "+eJpqA5JLMFSMCChOsvKey3toBaCNGU7HfAEiiXNuuAdCBoK262BjQc2YYfqFzqH"
692 "zuppopXCvhohx7j/tnCNZIMgLYt/O9SXK2RYI5z8FhCCHvB4CbD5G0LGl5EFP27s"
693 "Jb6S3aTTYPkQe8yZSlxevg6NDwmTogLO9F7UUkaYmVcMQhzssEE2ZRYNwSOU6KjE"
694 "0Yj+8fAiBtbQriIEIN2L8ZlpaVrdN5KFNdvcmOxJu81P8q53X55xQyGTnGWwsgMC"
695 "ARezggvvMIIEdjCCA16gAwIBAgIIf+yfD7Y6UicwDQYJKoZIhvcNAQELBQAwSTEL"
696 "MAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2ds"
697 "ZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTUwODEyMTQ1MzE1WhcNMTUxMTEw"
698 "MDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQG"
699 "A1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UE"
700 "AwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB"
701 "AQC0MeG5YGQ0t+IeJeoneP/PrhEaieibeKYkbKVLNZpoPLuBinvhkXZo3DC133Np"
702 "CBpy6ZktBwamqyixAyuk/NU6OjgXqwwxfQ7di1AInLIU792c7hFyNXSUCG7At8If"
703 "i3YwBX9Ba6u/1d6rWTGZJrdCq3QU11RkKYyTq2KT5mceTv9iGKqSkSTlp8puy/9S"
704 "Z/3DbU3U+BuqCFqeSlz7zjwFmk35acdCilpJlVDDN5C/RCh8/UKc8PaL+cxlt531"
705 "qoTENvYrflBno14YEZlCBZsPiFeUSILpKEj3Ccwhy0eLEucWQ72YZU8mUzXBoXGn"
706 "0zA0crFl5ci/2sTBBGZsylNBAgMBAAGjggFBMIIBPTAdBgNVHSUEFjAUBggrBgEF"
707 "BQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYB"
708 "BQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lB"
709 "RzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9v"
710 "Y3NwMB0GA1UdDgQWBBS/bzHxcE73Q4j3slC4BLbMtLjGGjAMBgNVHRMBAf8EAjAA"
711 "MB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMBcGA1UdIAQQMA4wDAYK"
712 "KwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRwOi8vcGtpLmdvb2dsZS5j"
713 "b20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQAbqdWPZEHk0X7iKPCTHL6S"
714 "3w6q1eR67goxZGFSM1lk1hjwyu7XcLJuvALVV9uY3ovEkQZSHwT+pyOPWQhsSjO+"
715 "1GyjvCvK/CAwiUmBX+bQRGaqHsRcio7xSbdVcajQ3bXdX+s0WdbOpn6MStKAiBVl"
716 "oPlSxEI8pxY6x/BBCnTIk/+DMB17uZlOjG3vbAnkDkP+n0OTucD9sHV7EVj9XUxi"
717 "51nOfNBCN/s7lpUjDS/NJ4k3iwOtbCPswiot8vLO779af07vR03r349Iz/KTzk95"
718 "rlFtX0IU+KYNxFNsanIXZ+C9FYGRXkwhHcvFb4qMUB1yTTlM80jBMOwyjZXmjRAh"
719 "MIID8DCCAtigAwIBAgIDAjqDMA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT"
720 "MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i"
721 "YWwgQ0EwHhcNMTMwNDA1MTUxNTU2WhcNMTYxMjMxMjM1OTU5WjBJMQswCQYDVQQG"
722 "EwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVy"
723 "bmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB"
724 "AJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NP"
725 "VaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtv"
726 "h8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rE"
727 "ahqyzFPdFUuLH8gZYR/Nnag+YyuENWllhMgZxUYi+FOVvuOAShDGKuy6lyARxzmZ"
728 "EASg8GF6lSWMTlJ14rbtCMoU/M4iarNOz0YDl5cDfsCx3nuvRTPPuj5xt970JSXC"
729 "DTWJnZ37DhF5iR43xa+OcmkCAwEAAaOB5zCB5DAfBgNVHSMEGDAWgBTAephojYn7"
730 "qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1dvWBtrtiGrpagS8wDgYD"
731 "VR0PAQH/BAQDAgEGMC4GCCsGAQUFBwEBBCIwIDAeBggrBgEFBQcwAYYSaHR0cDov"
732 "L2cuc3ltY2QuY29tMBIGA1UdEwEB/wQIMAYBAf8CAQAwNQYDVR0fBC4wLDAqoCig"
733 "JoYkaHR0cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9iYWwuY3JsMBcGA1UdIAQQ"
734 "MA4wDAYKKwYBBAHWeQIFATANBgkqhkiG9w0BAQsFAAOCAQEAqvqpIM1qZ4PtXtR+"
735 "3h3Ef+AlBgDFJPupyC1tft6dgmUsgWM0Zj7pUsIItMsv91+ZOmqcUHqFBYx90SpI"
736 "hNMJbHzCzTWf84LuUt5oX+QAihcglvcpjZpNy6jehsgNb1aHA30DP9z6eX0hGfnI"
737 "Oi9RdozHQZJxjyXON/hKTAAj78Q1EK7gI4BzfE00LshukNYQHpmEcxpw8u1VDu4X"
738 "Bupn7jLrLN1nBz/2i8Jw3lsA5rsb0zYaImxssDVCbJAJPZPpZAkiDoUGn8JzIdPm"
739 "X4DkjYUiOnMDsWCOrmji9D6X52ASCWg23jrW4kOVWzeBkoEfu43XrVJkFleW2V40"
740 "fsg12DCCA30wggLmoAMCAQICAxK75jANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQG"
741 "EwJVUzEQMA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUg"
742 "Q2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTAyMDUyMTA0MDAwMFoXDTE4MDgyMTA0"
743 "MDAwMFowQjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUdlb1RydXN0IEluYy4xGzAZ"
744 "BgNVBAMTEkdlb1RydXN0IEdsb2JhbCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP"
745 "ADCCAQoCggEBANrMGGMw/fQXIxpWflvfPGw45HG3eJHUvKHYTPioQ7YD6U0hBwiI"
746 "2lgvZjkpvQV4i5046AW3an5xpObEYKaw74DkiSgPniXW7YPzraaRx5jJQhg1FJ2t"
747 "mEaSLk/K8YdDwRaVVy1Q74ktgHpXrfLuX2vSAI25FPgUFTXZwEaje3LIkb/JVSvN"
748 "0Jc+nCZkzN/Ogxlxyk7m1NV7qRnNVd7I7NJeOFPlXE+MLf5QIzb8ZubLjqQ5GQC3"
749 "lQI5kQsO/jgu0R0FmvZNPm8PBx2vLB6PYDni+jZTEznUXiYr2z2oFL0y6xgDKFIE"
750 "ceWrMz3hOLsHNoRinHnqFjD0X8Ar6HFr5PkCAwEAAaOB8DCB7TAfBgNVHSMEGDAW"
751 "gBRI5mj5K9KylddH2CMgEE8zmJCf1DAdBgNVHQ4EFgQUwHqYaI2J+6sFZAwRfap9"
752 "ZbjKzE4wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwOgYDVR0fBDMw"
753 "MTAvoC2gK4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20vY3Jscy9zZWN1cmVjYS5j"
754 "cmwwTgYDVR0gBEcwRTBDBgRVHSAAMDswOQYIKwYBBQUHAgEWLWh0dHBzOi8vd3d3"
755 "Lmdlb3RydXN0LmNvbS9yZXNvdXJjZXMvcmVwb3NpdG9yeTANBgkqhkiG9w0BAQUF"
756 "AAOBgQB24RJuTksWEoYwBrKBCM/wCMfHcX5m7sLt1Dsf//DwyE7WQziwuTB9GNBV"
757 "g6JqyzYRnOhIZqNtf7gT1Ef+i1pcc/yu2RsyGTirlzQUqpbS66McFAhJtrvlke+D"
758 "NusdVm/K2rxzY5Dkf3s+Iss9B+1fOHSc4wNQTqGvmO5h8oQ/Eg==";
759
760// kBadSessionExtraField is a custom serialized SSL_SESSION generated by replacing
Steven Valdez51607f12020-08-05 10:46:05 -0400[diff] [blame]761// the final (optional) element of |kCustomSession| with tag number 99.
Adam Langley10f97f32016-07-12 08:09:33 -0700[diff] [blame]762static const char kBadSessionExtraField[] =
763 "MIIBdgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
764 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
765 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
766 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
767 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
768 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
769 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
Steven Valdez51607f12020-08-05 10:46:05 -0400[diff] [blame]770 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBOMDBAEF";
Adam Langley10f97f32016-07-12 08:09:33 -0700[diff] [blame]771
772// kBadSessionVersion is a custom serialized SSL_SESSION generated by replacing
773// the version of |kCustomSession| with 2.
774static const char kBadSessionVersion[] =
775 "MIIBdgIBAgICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
776 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
777 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
778 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
779 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
780 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
781 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
782 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBLADBAEF";
783
784// kBadSessionTrailingData is a custom serialized SSL_SESSION with trailing data
785// appended.
786static const char kBadSessionTrailingData[] =
787 "MIIBdgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
788 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
789 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
790 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
791 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
792 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
793 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
794 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBLADBAEFAAAA";
795
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]796static bool DecodeBase64(std::vector<uint8_t> *out, const char *in) {
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]797 size_t len;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]798 if (!EVP_DecodedLength(&len, strlen(in))) {
799 fprintf(stderr, "EVP_DecodedLength failed\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]800 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]801 }
802
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]803 out->resize(len);
David Benjaminef14b2d2015-11-11 14:01:27 -0800[diff] [blame]804 if (!EVP_DecodeBase64(out->data(), &len, len, (const uint8_t *)in,
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]805 strlen(in))) {
806 fprintf(stderr, "EVP_DecodeBase64 failed\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]807 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]808 }
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]809 out->resize(len);
810 return true;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]811}
812
David Benjamina486c6c2019-03-28 18:32:38 -0500[diff] [blame]813TEST(SSLTest, SessionEncoding) {
814 for (const char *input_b64 : {
815 kOpenSSLSession,
816 kCustomSession,
817 kBoringSSLSession,
818 }) {
819 SCOPED_TRACE(std::string(input_b64));
820 // Decode the input.
821 std::vector<uint8_t> input;
822 ASSERT_TRUE(DecodeBase64(&input, input_b64));
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]823
David Benjamina486c6c2019-03-28 18:32:38 -0500[diff] [blame]824 // Verify the SSL_SESSION decodes.
825 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
826 ASSERT_TRUE(ssl_ctx);
827 bssl::UniquePtr<SSL_SESSION> session(
828 SSL_SESSION_from_bytes(input.data(), input.size(), ssl_ctx.get()));
829 ASSERT_TRUE(session) << "SSL_SESSION_from_bytes failed";
830
831 // Verify the SSL_SESSION encoding round-trips.
832 size_t encoded_len;
833 bssl::UniquePtr<uint8_t> encoded;
834 uint8_t *encoded_raw;
835 ASSERT_TRUE(SSL_SESSION_to_bytes(session.get(), &encoded_raw, &encoded_len))
836 << "SSL_SESSION_to_bytes failed";
837 encoded.reset(encoded_raw);
838 EXPECT_EQ(Bytes(encoded.get(), encoded_len), Bytes(input))
839 << "SSL_SESSION_to_bytes did not round-trip";
840
841 // Verify the SSL_SESSION also decodes with the legacy API.
842 const uint8_t *cptr = input.data();
843 session.reset(d2i_SSL_SESSION(NULL, &cptr, input.size()));
844 ASSERT_TRUE(session) << "d2i_SSL_SESSION failed";
845 EXPECT_EQ(cptr, input.data() + input.size());
846
847 // Verify the SSL_SESSION encoding round-trips via the legacy API.
848 int len = i2d_SSL_SESSION(session.get(), NULL);
849 ASSERT_GT(len, 0) << "i2d_SSL_SESSION failed";
850 ASSERT_EQ(static_cast<size_t>(len), input.size())
851 << "i2d_SSL_SESSION(NULL) returned invalid length";
852
853 encoded.reset((uint8_t *)OPENSSL_malloc(input.size()));
854 ASSERT_TRUE(encoded);
855
856 uint8_t *ptr = encoded.get();
857 len = i2d_SSL_SESSION(session.get(), &ptr);
858 ASSERT_GT(len, 0) << "i2d_SSL_SESSION failed";
859 ASSERT_EQ(static_cast<size_t>(len), input.size())
860 << "i2d_SSL_SESSION(NULL) returned invalid length";
861 ASSERT_EQ(ptr, encoded.get() + input.size())
862 << "i2d_SSL_SESSION did not advance ptr correctly";
863 EXPECT_EQ(Bytes(encoded.get(), encoded_len), Bytes(input))
864 << "SSL_SESSION_to_bytes did not round-trip";
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]865 }
866
David Benjamina486c6c2019-03-28 18:32:38 -0500[diff] [blame]867 for (const char *input_b64 : {
868 kBadSessionExtraField,
869 kBadSessionVersion,
870 kBadSessionTrailingData,
871 }) {
872 SCOPED_TRACE(std::string(input_b64));
873 std::vector<uint8_t> input;
874 ASSERT_TRUE(DecodeBase64(&input, input_b64));
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]875
David Benjamina486c6c2019-03-28 18:32:38 -0500[diff] [blame]876 // Verify that the SSL_SESSION fails to decode.
877 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
878 ASSERT_TRUE(ssl_ctx);
879 bssl::UniquePtr<SSL_SESSION> session(
880 SSL_SESSION_from_bytes(input.data(), input.size(), ssl_ctx.get()));
881 EXPECT_FALSE(session) << "SSL_SESSION_from_bytes unexpectedly succeeded";
882 ERR_clear_error();
David Benjamin3cac4502014-10-21 01:46:30 -0400[diff] [blame]883 }
David Benjaminf297e022015-05-28 19:55:29 -0400[diff] [blame]884}
885
David Benjamin321fcdc2017-04-24 11:42:42 -0400[diff] [blame]886static void ExpectDefaultVersion(uint16_t min_version, uint16_t max_version,
887 const SSL_METHOD *(*method)(void)) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]888 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method()));
David Benjamin321fcdc2017-04-24 11:42:42 -0400[diff] [blame]889 ASSERT_TRUE(ctx);
Nitish Sakhawalkara4af5f82019-03-25 17:26:59 -0700[diff] [blame]890 EXPECT_EQ(min_version, SSL_CTX_get_min_proto_version(ctx.get()));
891 EXPECT_EQ(max_version, SSL_CTX_get_max_proto_version(ctx.get()));
David Benjamin321fcdc2017-04-24 11:42:42 -0400[diff] [blame]892}
893
894TEST(SSLTest, DefaultVersion) {
Matthew Braithwaite58d56f42019-11-04 13:20:01 -0800[diff] [blame]895 ExpectDefaultVersion(TLS1_VERSION, TLS1_3_VERSION, &TLS_method);
David Benjamin321fcdc2017-04-24 11:42:42 -0400[diff] [blame]896 ExpectDefaultVersion(TLS1_VERSION, TLS1_VERSION, &TLSv1_method);
897 ExpectDefaultVersion(TLS1_1_VERSION, TLS1_1_VERSION, &TLSv1_1_method);
898 ExpectDefaultVersion(TLS1_2_VERSION, TLS1_2_VERSION, &TLSv1_2_method);
Nitish Sakhawalkara4af5f82019-03-25 17:26:59 -0700[diff] [blame]899 ExpectDefaultVersion(DTLS1_VERSION, DTLS1_2_VERSION, &DTLS_method);
900 ExpectDefaultVersion(DTLS1_VERSION, DTLS1_VERSION, &DTLSv1_method);
901 ExpectDefaultVersion(DTLS1_2_VERSION, DTLS1_2_VERSION, &DTLSv1_2_method);
David Benjamin82c9e902014-12-12 15:55:27 -0500[diff] [blame]902}
903
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]904TEST(SSLTest, CipherProperties) {
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]905 static const struct {
906 int id;
907 const char *standard_name;
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]908 int cipher_nid;
909 int digest_nid;
910 int kx_nid;
911 int auth_nid;
David Benjaminb1b76ae2017-09-21 17:03:34 -0400[diff] [blame]912 int prf_nid;
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]913 } kTests[] = {
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]914 {
915 SSL3_CK_RSA_DES_192_CBC3_SHA,
916 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
917 NID_des_ede3_cbc,
918 NID_sha1,
919 NID_kx_rsa,
920 NID_auth_rsa,
David Benjaminb1b76ae2017-09-21 17:03:34 -0400[diff] [blame]921 NID_md5_sha1,
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]922 },
923 {
924 TLS1_CK_RSA_WITH_AES_128_SHA,
925 "TLS_RSA_WITH_AES_128_CBC_SHA",
926 NID_aes_128_cbc,
927 NID_sha1,
928 NID_kx_rsa,
929 NID_auth_rsa,
David Benjaminb1b76ae2017-09-21 17:03:34 -0400[diff] [blame]930 NID_md5_sha1,
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]931 },
932 {
933 TLS1_CK_PSK_WITH_AES_256_CBC_SHA,
934 "TLS_PSK_WITH_AES_256_CBC_SHA",
935 NID_aes_256_cbc,
936 NID_sha1,
937 NID_kx_psk,
938 NID_auth_psk,
David Benjaminb1b76ae2017-09-21 17:03:34 -0400[diff] [blame]939 NID_md5_sha1,
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]940 },
941 {
David Benjamin6e678ee2018-04-16 19:54:42 -0400[diff] [blame]942 TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
943 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]944 NID_aes_128_cbc,
David Benjamin6e678ee2018-04-16 19:54:42 -0400[diff] [blame]945 NID_sha1,
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]946 NID_kx_ecdhe,
947 NID_auth_rsa,
David Benjamin6e678ee2018-04-16 19:54:42 -0400[diff] [blame]948 NID_md5_sha1,
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]949 },
950 {
David Benjamin6e678ee2018-04-16 19:54:42 -0400[diff] [blame]951 TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
952 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]953 NID_aes_256_cbc,
David Benjamin6e678ee2018-04-16 19:54:42 -0400[diff] [blame]954 NID_sha1,
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]955 NID_kx_ecdhe,
956 NID_auth_rsa,
David Benjamin6e678ee2018-04-16 19:54:42 -0400[diff] [blame]957 NID_md5_sha1,
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]958 },
959 {
960 TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
961 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
962 NID_aes_128_gcm,
963 NID_undef,
964 NID_kx_ecdhe,
965 NID_auth_rsa,
David Benjaminb1b76ae2017-09-21 17:03:34 -0400[diff] [blame]966 NID_sha256,
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]967 },
968 {
969 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
970 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
971 NID_aes_128_gcm,
972 NID_undef,
973 NID_kx_ecdhe,
974 NID_auth_ecdsa,
David Benjaminb1b76ae2017-09-21 17:03:34 -0400[diff] [blame]975 NID_sha256,
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]976 },
977 {
978 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
979 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
980 NID_aes_256_gcm,
981 NID_undef,
982 NID_kx_ecdhe,
983 NID_auth_ecdsa,
David Benjaminb1b76ae2017-09-21 17:03:34 -0400[diff] [blame]984 NID_sha384,
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]985 },
986 {
987 TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA,
988 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
989 NID_aes_128_cbc,
990 NID_sha1,
991 NID_kx_ecdhe,
992 NID_auth_psk,
David Benjaminb1b76ae2017-09-21 17:03:34 -0400[diff] [blame]993 NID_md5_sha1,
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]994 },
995 {
996 TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
997 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
998 NID_chacha20_poly1305,
999 NID_undef,
1000 NID_kx_ecdhe,
1001 NID_auth_rsa,
David Benjaminb1b76ae2017-09-21 17:03:34 -0400[diff] [blame]1002 NID_sha256,
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]1003 },
1004 {
David Benjamindfddbc42022-07-18 16:08:06 -0400[diff] [blame]1005 TLS1_3_CK_AES_256_GCM_SHA384,
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]1006 "TLS_AES_256_GCM_SHA384",
1007 NID_aes_256_gcm,
1008 NID_undef,
1009 NID_kx_any,
1010 NID_auth_any,
David Benjaminb1b76ae2017-09-21 17:03:34 -0400[diff] [blame]1011 NID_sha384,
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]1012 },
1013 {
David Benjamindfddbc42022-07-18 16:08:06 -0400[diff] [blame]1014 TLS1_3_CK_AES_128_GCM_SHA256,
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]1015 "TLS_AES_128_GCM_SHA256",
1016 NID_aes_128_gcm,
1017 NID_undef,
1018 NID_kx_any,
1019 NID_auth_any,
David Benjaminb1b76ae2017-09-21 17:03:34 -0400[diff] [blame]1020 NID_sha256,
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]1021 },
1022 {
David Benjamindfddbc42022-07-18 16:08:06 -0400[diff] [blame]1023 TLS1_3_CK_CHACHA20_POLY1305_SHA256,
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]1024 "TLS_CHACHA20_POLY1305_SHA256",
1025 NID_chacha20_poly1305,
1026 NID_undef,
1027 NID_kx_any,
1028 NID_auth_any,
David Benjaminb1b76ae2017-09-21 17:03:34 -0400[diff] [blame]1029 NID_sha256,
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]1030 },
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]1031 };
David Benjamin65226252015-02-05 16:49:47 -0500[diff] [blame]1032
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]1033 for (const auto &t : kTests) {
1034 SCOPED_TRACE(t.standard_name);
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1035
1036 const SSL_CIPHER *cipher = SSL_get_cipher_by_value(t.id & 0xffff);
1037 ASSERT_TRUE(cipher);
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]1038 EXPECT_STREQ(t.standard_name, SSL_CIPHER_standard_name(cipher));
1039
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1040 bssl::UniquePtr<char> rfc_name(SSL_CIPHER_get_rfc_name(cipher));
1041 ASSERT_TRUE(rfc_name);
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]1042 EXPECT_STREQ(t.standard_name, rfc_name.get());
David Benjamin348f0d82017-08-10 16:06:27 -0400[diff] [blame]1043
1044 EXPECT_EQ(t.cipher_nid, SSL_CIPHER_get_cipher_nid(cipher));
1045 EXPECT_EQ(t.digest_nid, SSL_CIPHER_get_digest_nid(cipher));
1046 EXPECT_EQ(t.kx_nid, SSL_CIPHER_get_kx_nid(cipher));
1047 EXPECT_EQ(t.auth_nid, SSL_CIPHER_get_auth_nid(cipher));
David Benjaminb1b76ae2017-09-21 17:03:34 -0400[diff] [blame]1048 EXPECT_EQ(t.prf_nid, SSL_CIPHER_get_prf_nid(cipher));
David Benjamin65226252015-02-05 16:49:47 -0500[diff] [blame]1049 }
David Benjamin65226252015-02-05 16:49:47 -0500[diff] [blame]1050}
1051
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]1052// CreateSessionWithTicket returns a sample |SSL_SESSION| with the specified
1053// version and ticket length or nullptr on failure.
1054static bssl::UniquePtr<SSL_SESSION> CreateSessionWithTicket(uint16_t version,
1055 size_t ticket_len) {
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]1056 std::vector<uint8_t> der;
1057 if (!DecodeBase64(&der, kOpenSSLSession)) {
1058 return nullptr;
1059 }
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]1060
1061 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
1062 if (!ssl_ctx) {
1063 return nullptr;
1064 }
David Benjaminaaef8332018-06-29 16:45:49 -0400[diff] [blame]1065 // Use a garbage ticket.
1066 std::vector<uint8_t> ticket(ticket_len, 'a');
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]1067 bssl::UniquePtr<SSL_SESSION> session(
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]1068 SSL_SESSION_from_bytes(der.data(), der.size(), ssl_ctx.get()));
David Benjaminaaef8332018-06-29 16:45:49 -0400[diff] [blame]1069 if (!session ||
1070 !SSL_SESSION_set_protocol_version(session.get(), version) ||
1071 !SSL_SESSION_set_ticket(session.get(), ticket.data(), ticket.size())) {
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]1072 return nullptr;
1073 }
David Benjamin1269ddd2015-10-18 15:18:55 -0400[diff] [blame]1074 // Fix up the timeout.
David Benjamin9b63f292016-11-15 00:44:05 -0500[diff] [blame]1075#if defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE)
David Benjaminaaef8332018-06-29 16:45:49 -0400[diff] [blame]1076 SSL_SESSION_set_time(session.get(), 1234);
David Benjamin9b63f292016-11-15 00:44:05 -0500[diff] [blame]1077#else
David Benjaminaaef8332018-06-29 16:45:49 -0400[diff] [blame]1078 SSL_SESSION_set_time(session.get(), time(nullptr));
David Benjamin9b63f292016-11-15 00:44:05 -0500[diff] [blame]1079#endif
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]1080 return session;
1081}
1082
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1083static bool GetClientHello(SSL *ssl, std::vector<uint8_t> *out) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1084 bssl::UniquePtr<BIO> bio(BIO_new(BIO_s_mem()));
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1085 if (!bio) {
1086 return false;
1087 }
1088 // Do not configure a reading BIO, but record what's written to a memory BIO.
David Benjamin96a16cd2016-08-11 12:14:47 -0400[diff] [blame]1089 BIO_up_ref(bio.get());
1090 SSL_set_bio(ssl, nullptr /* rbio */, bio.get());
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1091 int ret = SSL_connect(ssl);
1092 if (ret > 0) {
1093 // SSL_connect should fail without a BIO to write to.
1094 return false;
1095 }
1096 ERR_clear_error();
1097
1098 const uint8_t *client_hello;
1099 size_t client_hello_len;
1100 if (!BIO_mem_contents(bio.get(), &client_hello, &client_hello_len)) {
1101 return false;
1102 }
1103 *out = std::vector<uint8_t>(client_hello, client_hello + client_hello_len);
1104 return true;
1105}
1106
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]1107// GetClientHelloLen creates a client SSL connection with the specified version
1108// and ticket length. It returns the length of the ClientHello, not including
1109// the record header, on success and zero on error.
1110static size_t GetClientHelloLen(uint16_t max_version, uint16_t session_version,
1111 size_t ticket_len) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1112 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]1113 bssl::UniquePtr<SSL_SESSION> session =
1114 CreateSessionWithTicket(session_version, ticket_len);
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]1115 if (!ctx || !session) {
1116 return 0;
1117 }
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]1118
1119 // Set a one-element cipher list so the baseline ClientHello is unpadded.
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1120 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
Steven Valdez2c62fe92016-10-14 12:08:12 -0400[diff] [blame]1121 if (!ssl || !SSL_set_session(ssl.get(), session.get()) ||
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]1122 !SSL_set_strict_cipher_list(ssl.get(), "ECDHE-RSA-AES128-GCM-SHA256") ||
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]1123 !SSL_set_max_proto_version(ssl.get(), max_version)) {
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]1124 return 0;
1125 }
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]1126
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1127 std::vector<uint8_t> client_hello;
1128 if (!GetClientHello(ssl.get(), &client_hello) ||
1129 client_hello.size() <= SSL3_RT_HEADER_LENGTH) {
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]1130 return 0;
1131 }
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]1132
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1133 return client_hello.size() - SSL3_RT_HEADER_LENGTH;
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]1134}
1135
David Benjamina486c6c2019-03-28 18:32:38 -0500[diff] [blame]1136TEST(SSLTest, Padding) {
1137 struct PaddingVersions {
1138 uint16_t max_version, session_version;
1139 };
1140 static const PaddingVersions kPaddingVersions[] = {
1141 // Test the padding extension at TLS 1.2.
1142 {TLS1_2_VERSION, TLS1_2_VERSION},
1143 // Test the padding extension at TLS 1.3 with a TLS 1.2 session, so there
1144 // will be no PSK binder after the padding extension.
1145 {TLS1_3_VERSION, TLS1_2_VERSION},
1146 // Test the padding extension at TLS 1.3 with a TLS 1.3 session, so there
1147 // will be a PSK binder after the padding extension.
1148 {TLS1_3_VERSION, TLS1_3_VERSION},
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]1149
David Benjamina486c6c2019-03-28 18:32:38 -0500[diff] [blame]1150 };
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]1151
David Benjamina486c6c2019-03-28 18:32:38 -0500[diff] [blame]1152 struct PaddingTest {
1153 size_t input_len, padded_len;
1154 };
1155 static const PaddingTest kPaddingTests[] = {
1156 // ClientHellos of length below 0x100 do not require padding.
1157 {0xfe, 0xfe},
1158 {0xff, 0xff},
1159 // ClientHellos of length 0x100 through 0x1fb are padded up to 0x200.
1160 {0x100, 0x200},
1161 {0x123, 0x200},
1162 {0x1fb, 0x200},
1163 // ClientHellos of length 0x1fc through 0x1ff get padded beyond 0x200. The
1164 // padding extension takes a minimum of four bytes plus one required
1165 // content
1166 // byte. (To work around yet more server bugs, we avoid empty final
1167 // extensions.)
1168 {0x1fc, 0x201},
1169 {0x1fd, 0x202},
1170 {0x1fe, 0x203},
1171 {0x1ff, 0x204},
1172 // Finally, larger ClientHellos need no padding.
1173 {0x200, 0x200},
1174 {0x201, 0x201},
1175 };
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]1176
David Benjamina486c6c2019-03-28 18:32:38 -0500[diff] [blame]1177 for (const PaddingVersions &versions : kPaddingVersions) {
1178 SCOPED_TRACE(versions.max_version);
1179 SCOPED_TRACE(versions.session_version);
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]1180
David Benjamina486c6c2019-03-28 18:32:38 -0500[diff] [blame]1181 // Sample a baseline length.
1182 size_t base_len =
1183 GetClientHelloLen(versions.max_version, versions.session_version, 1);
1184 ASSERT_NE(base_len, 0u) << "Baseline length could not be sampled";
1185
1186 for (const PaddingTest &test : kPaddingTests) {
1187 SCOPED_TRACE(test.input_len);
1188 ASSERT_LE(base_len, test.input_len) << "Baseline ClientHello too long";
1189
1190 size_t padded_len =
1191 GetClientHelloLen(versions.max_version, versions.session_version,
1192 1 + test.input_len - base_len);
1193 EXPECT_EQ(padded_len, test.padded_len)
1194 << "ClientHello was not padded to expected length";
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]1195 }
1196 }
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]1197}
1198
David Benjamin2f3958a2021-04-16 11:55:23 -0400[diff] [blame]1199static bssl::UniquePtr<X509> CertFromPEM(const char *pem) {
1200 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(pem, strlen(pem)));
1201 if (!bio) {
1202 return nullptr;
1203 }
1204 return bssl::UniquePtr<X509>(
1205 PEM_read_bio_X509(bio.get(), nullptr, nullptr, nullptr));
1206}
1207
1208static bssl::UniquePtr<EVP_PKEY> KeyFromPEM(const char *pem) {
1209 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(pem, strlen(pem)));
1210 if (!bio) {
1211 return nullptr;
1212 }
1213 return bssl::UniquePtr<EVP_PKEY>(
1214 PEM_read_bio_PrivateKey(bio.get(), nullptr, nullptr, nullptr));
1215}
1216
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1217static bssl::UniquePtr<X509> GetTestCertificate() {
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1218 static const char kCertPEM[] =
1219 "-----BEGIN CERTIFICATE-----\n"
1220 "MIICWDCCAcGgAwIBAgIJAPuwTC6rEJsMMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV\n"
1221 "BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX\n"
1222 "aWRnaXRzIFB0eSBMdGQwHhcNMTQwNDIzMjA1MDQwWhcNMTcwNDIyMjA1MDQwWjBF\n"
1223 "MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50\n"
1224 "ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\n"
1225 "gQDYK8imMuRi/03z0K1Zi0WnvfFHvwlYeyK9Na6XJYaUoIDAtB92kWdGMdAQhLci\n"
1226 "HnAjkXLI6W15OoV3gA/ElRZ1xUpxTMhjP6PyY5wqT5r6y8FxbiiFKKAnHmUcrgfV\n"
1227 "W28tQ+0rkLGMryRtrukXOgXBv7gcrmU7G1jC2a7WqmeI8QIDAQABo1AwTjAdBgNV\n"
1228 "HQ4EFgQUi3XVrMsIvg4fZbf6Vr5sp3Xaha8wHwYDVR0jBBgwFoAUi3XVrMsIvg4f\n"
1229 "Zbf6Vr5sp3Xaha8wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQA76Hht\n"
1230 "ldY9avcTGSwbwoiuIqv0jTL1fHFnzy3RHMLDh+Lpvolc5DSrSJHCP5WuK0eeJXhr\n"
1231 "T5oQpHL9z/cCDLAKCKRa4uV0fhEdOWBqyR9p8y5jJtye72t6CuFUV5iqcpF4BH4f\n"
1232 "j2VNHwsSrJwkD4QUGlUtH7vwnQmyCFxZMmWAJg==\n"
1233 "-----END CERTIFICATE-----\n";
David Benjamin2f3958a2021-04-16 11:55:23 -0400[diff] [blame]1234 return CertFromPEM(kCertPEM);
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1235}
1236
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1237static bssl::UniquePtr<EVP_PKEY> GetTestKey() {
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1238 static const char kKeyPEM[] =
1239 "-----BEGIN RSA PRIVATE KEY-----\n"
1240 "MIICXgIBAAKBgQDYK8imMuRi/03z0K1Zi0WnvfFHvwlYeyK9Na6XJYaUoIDAtB92\n"
1241 "kWdGMdAQhLciHnAjkXLI6W15OoV3gA/ElRZ1xUpxTMhjP6PyY5wqT5r6y8FxbiiF\n"
1242 "KKAnHmUcrgfVW28tQ+0rkLGMryRtrukXOgXBv7gcrmU7G1jC2a7WqmeI8QIDAQAB\n"
1243 "AoGBAIBy09Fd4DOq/Ijp8HeKuCMKTHqTW1xGHshLQ6jwVV2vWZIn9aIgmDsvkjCe\n"
1244 "i6ssZvnbjVcwzSoByhjN8ZCf/i15HECWDFFh6gt0P5z0MnChwzZmvatV/FXCT0j+\n"
1245 "WmGNB/gkehKjGXLLcjTb6dRYVJSCZhVuOLLcbWIV10gggJQBAkEA8S8sGe4ezyyZ\n"
1246 "m4e9r95g6s43kPqtj5rewTsUxt+2n4eVodD+ZUlCULWVNAFLkYRTBCASlSrm9Xhj\n"
1247 "QpmWAHJUkQJBAOVzQdFUaewLtdOJoPCtpYoY1zd22eae8TQEmpGOR11L6kbxLQsk\n"
1248 "aMly/DOnOaa82tqAGTdqDEZgSNmCeKKknmECQAvpnY8GUOVAubGR6c+W90iBuQLj\n"
1249 "LtFp/9ihd2w/PoDwrHZaoUYVcT4VSfJQog/k7kjE4MYXYWL8eEKg3WTWQNECQQDk\n"
1250 "104Wi91Umd1PzF0ijd2jXOERJU1wEKe6XLkYYNHWQAe5l4J4MWj9OdxFXAxIuuR/\n"
1251 "tfDwbqkta4xcux67//khAkEAvvRXLHTaa6VFzTaiiO8SaFsHV3lQyXOtMrBpB5jd\n"
1252 "moZWgjHvB2W9Ckn7sDqsPB+U2tyX0joDdQEyuiMECDY8oQ==\n"
1253 "-----END RSA PRIVATE KEY-----\n";
David Benjamin2f3958a2021-04-16 11:55:23 -0400[diff] [blame]1254 return KeyFromPEM(kKeyPEM);
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1255}
1256
David Benjamin9b2cdb72021-04-01 23:21:53 -0400[diff] [blame]1257static bssl::UniquePtr<SSL_CTX> CreateContextWithTestCertificate(
1258 const SSL_METHOD *method) {
1259 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
1260 bssl::UniquePtr<X509> cert = GetTestCertificate();
1261 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
1262 if (!ctx || !cert || !key ||
1263 !SSL_CTX_use_certificate(ctx.get(), cert.get()) ||
1264 !SSL_CTX_use_PrivateKey(ctx.get(), key.get())) {
1265 return nullptr;
1266 }
1267 return ctx;
1268}
1269
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1270static bssl::UniquePtr<X509> GetECDSATestCertificate() {
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]1271 static const char kCertPEM[] =
1272 "-----BEGIN CERTIFICATE-----\n"
1273 "MIIBzzCCAXagAwIBAgIJANlMBNpJfb/rMAkGByqGSM49BAEwRTELMAkGA1UEBhMC\n"
1274 "QVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdp\n"
1275 "dHMgUHR5IEx0ZDAeFw0xNDA0MjMyMzIxNTdaFw0xNDA1MjMyMzIxNTdaMEUxCzAJ\n"
1276 "BgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5l\n"
1277 "dCBXaWRnaXRzIFB0eSBMdGQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATmK2ni\n"
1278 "v2Wfl74vHg2UikzVl2u3qR4NRvvdqakendy6WgHn1peoChj5w8SjHlbifINI2xYa\n"
1279 "HPUdfvGULUvPciLBo1AwTjAdBgNVHQ4EFgQUq4TSrKuV8IJOFngHVVdf5CaNgtEw\n"
1280 "HwYDVR0jBBgwFoAUq4TSrKuV8IJOFngHVVdf5CaNgtEwDAYDVR0TBAUwAwEB/zAJ\n"
1281 "BgcqhkjOPQQBA0gAMEUCIQDyoDVeUTo2w4J5m+4nUIWOcAZ0lVfSKXQA9L4Vh13E\n"
1282 "BwIgfB55FGohg/B6dGh5XxSZmmi08cueFV7mHzJSYV51yRQ=\n"
1283 "-----END CERTIFICATE-----\n";
David Benjamin2f3958a2021-04-16 11:55:23 -0400[diff] [blame]1284 return CertFromPEM(kCertPEM);
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]1285}
1286
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1287static bssl::UniquePtr<EVP_PKEY> GetECDSATestKey() {
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]1288 static const char kKeyPEM[] =
1289 "-----BEGIN PRIVATE KEY-----\n"
1290 "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgBw8IcnrUoEqc3VnJ\n"
1291 "TYlodwi1b8ldMHcO6NHJzgqLtGqhRANCAATmK2niv2Wfl74vHg2UikzVl2u3qR4N\n"
1292 "Rvvdqakendy6WgHn1peoChj5w8SjHlbifINI2xYaHPUdfvGULUvPciLB\n"
1293 "-----END PRIVATE KEY-----\n";
David Benjamin2f3958a2021-04-16 11:55:23 -0400[diff] [blame]1294 return KeyFromPEM(kKeyPEM);
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]1295}
1296
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]1297static bssl::UniquePtr<CRYPTO_BUFFER> BufferFromPEM(const char *pem) {
1298 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(pem, strlen(pem)));
1299 char *name, *header;
1300 uint8_t *data;
1301 long data_len;
1302 if (!PEM_read_bio(bio.get(), &name, &header, &data,
1303 &data_len)) {
1304 return nullptr;
1305 }
1306 OPENSSL_free(name);
1307 OPENSSL_free(header);
1308
1309 auto ret = bssl::UniquePtr<CRYPTO_BUFFER>(
1310 CRYPTO_BUFFER_new(data, data_len, nullptr));
1311 OPENSSL_free(data);
1312 return ret;
1313}
1314
1315static bssl::UniquePtr<CRYPTO_BUFFER> GetChainTestCertificateBuffer() {
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]1316 static const char kCertPEM[] =
1317 "-----BEGIN CERTIFICATE-----\n"
1318 "MIIC0jCCAbqgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEQiBD\n"
1319 "QTAeFw0xNjAyMjgyMDI3MDNaFw0yNjAyMjUyMDI3MDNaMBgxFjAUBgNVBAMMDUNs\n"
1320 "aWVudCBDZXJ0IEEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDRvaz8\n"
1321 "CC/cshpCafJo4jLkHEoBqDLhdgFelJoAiQUyIqyWl2O7YHPnpJH+TgR7oelzNzt/\n"
1322 "kLRcH89M/TszB6zqyLTC4aqmvzKL0peD/jL2LWBucR0WXIvjA3zoRuF/x86+rYH3\n"
1323 "tHb+xs2PSs8EGL/Ev+ss+qTzTGEn26fuGNHkNw6tOwPpc+o8+wUtzf/kAthamo+c\n"
1324 "IDs2rQ+lP7+aLZTLeU/q4gcLutlzcK5imex5xy2jPkweq48kijK0kIzl1cPlA5d1\n"
1325 "z7C8jU50Pj9X9sQDJTN32j7UYRisJeeYQF8GaaN8SbrDI6zHgKzrRLyxDt/KQa9V\n"
1326 "iLeXANgZi+Xx9KgfAgMBAAGjLzAtMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYI\n"
1327 "KwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQBFEVbmYl+2RtNw\n"
1328 "rDftRDF1v2QUbcN2ouSnQDHxeDQdSgasLzT3ui8iYu0Rw2WWcZ0DV5e0ztGPhWq7\n"
1329 "AO0B120aFRMOY+4+bzu9Q2FFkQqc7/fKTvTDzIJI5wrMnFvUfzzvxh3OHWMYSs/w\n"
1330 "giq33hTKeHEq6Jyk3btCny0Ycecyc3yGXH10sizUfiHlhviCkDuESk8mFDwDDzqW\n"
1331 "ZF0IipzFbEDHoIxLlm3GQxpiLoEV4k8KYJp3R5KBLFyxM6UGPz8h72mIPCJp2RuK\n"
1332 "MYgF91UDvVzvnYm6TfseM2+ewKirC00GOrZ7rEcFvtxnKSqYf4ckqfNdSU1Y+RRC\n"
1333 "1ngWZ7Ih\n"
1334 "-----END CERTIFICATE-----\n";
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]1335 return BufferFromPEM(kCertPEM);
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]1336}
1337
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]1338static bssl::UniquePtr<X509> X509FromBuffer(
1339 bssl::UniquePtr<CRYPTO_BUFFER> buffer) {
1340 if (!buffer) {
1341 return nullptr;
1342 }
1343 const uint8_t *derp = CRYPTO_BUFFER_data(buffer.get());
1344 return bssl::UniquePtr<X509>(
1345 d2i_X509(NULL, &derp, CRYPTO_BUFFER_len(buffer.get())));
1346}
1347
1348static bssl::UniquePtr<X509> GetChainTestCertificate() {
1349 return X509FromBuffer(GetChainTestCertificateBuffer());
1350}
1351
1352static bssl::UniquePtr<CRYPTO_BUFFER> GetChainTestIntermediateBuffer() {
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]1353 static const char kCertPEM[] =
1354 "-----BEGIN CERTIFICATE-----\n"
1355 "MIICwjCCAaqgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwFDESMBAGA1UEAwwJQyBS\n"
1356 "b290IENBMB4XDTE2MDIyODIwMjcwM1oXDTI2MDIyNTIwMjcwM1owDzENMAsGA1UE\n"
1357 "AwwEQiBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALsSCYmDip2D\n"
1358 "GkjFxw7ykz26JSjELkl6ArlYjFJ3aT/SCh8qbS4gln7RH8CPBd78oFdfhIKQrwtZ\n"
1359 "3/q21ykD9BAS3qHe2YdcJfm8/kWAy5DvXk6NXU4qX334KofBAEpgdA/igEFq1P1l\n"
1360 "HAuIfZCpMRfT+i5WohVsGi8f/NgpRvVaMONLNfgw57mz1lbtFeBEISmX0kbsuJxF\n"
1361 "Qj/Bwhi5/0HAEXG8e7zN4cEx0yPRvmOATRdVb/8dW2pwOHRJq9R5M0NUkIsTSnL7\n"
1362 "6N/z8hRAHMsV3IudC5Yd7GXW1AGu9a+iKU+Q4xcZCoj0DC99tL4VKujrV1kAeqsM\n"
1363 "cz5/dKzi6+cCAwEAAaMjMCEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
1364 "AQYwDQYJKoZIhvcNAQELBQADggEBAIIeZiEeNhWWQ8Y4D+AGDwqUUeG8NjCbKrXQ\n"
1365 "BlHg5wZ8xftFaiP1Dp/UAezmx2LNazdmuwrYB8lm3FVTyaPDTKEGIPS4wJKHgqH1\n"
1366 "QPDhqNm85ey7TEtI9oYjsNim/Rb+iGkIAMXaxt58SzxbjvP0kMr1JfJIZbic9vye\n"
1367 "NwIspMFIpP3FB8ywyu0T0hWtCQgL4J47nigCHpOu58deP88fS/Nyz/fyGVWOZ76b\n"
1368 "WhWwgM3P3X95fQ3d7oFPR/bVh0YV+Cf861INwplokXgXQ3/TCQ+HNXeAMWn3JLWv\n"
1369 "XFwk8owk9dq/kQGdndGgy3KTEW4ctPX5GNhf3LJ9Q7dLji4ReQ4=\n"
1370 "-----END CERTIFICATE-----\n";
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]1371 return BufferFromPEM(kCertPEM);
1372}
1373
1374static bssl::UniquePtr<X509> GetChainTestIntermediate() {
1375 return X509FromBuffer(GetChainTestIntermediateBuffer());
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]1376}
1377
1378static bssl::UniquePtr<EVP_PKEY> GetChainTestKey() {
1379 static const char kKeyPEM[] =
1380 "-----BEGIN PRIVATE KEY-----\n"
1381 "MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDRvaz8CC/cshpC\n"
1382 "afJo4jLkHEoBqDLhdgFelJoAiQUyIqyWl2O7YHPnpJH+TgR7oelzNzt/kLRcH89M\n"
1383 "/TszB6zqyLTC4aqmvzKL0peD/jL2LWBucR0WXIvjA3zoRuF/x86+rYH3tHb+xs2P\n"
1384 "Ss8EGL/Ev+ss+qTzTGEn26fuGNHkNw6tOwPpc+o8+wUtzf/kAthamo+cIDs2rQ+l\n"
1385 "P7+aLZTLeU/q4gcLutlzcK5imex5xy2jPkweq48kijK0kIzl1cPlA5d1z7C8jU50\n"
1386 "Pj9X9sQDJTN32j7UYRisJeeYQF8GaaN8SbrDI6zHgKzrRLyxDt/KQa9ViLeXANgZ\n"
1387 "i+Xx9KgfAgMBAAECggEBAK0VjSJzkyPaamcyTVSWjo7GdaBGcK60lk657RjR+lK0\n"
1388 "YJ7pkej4oM2hdsVZFsP8Cs4E33nXLa/0pDsRov/qrp0WQm2skwqGMC1I/bZ0WRPk\n"
1389 "wHaDrBBfESWnJDX/AGpVtlyOjPmgmK6J2usMPihQUDkKdAYrVWJePrMIxt1q6BMe\n"
1390 "iczs3qriMmtY3bUc4UyUwJ5fhDLjshHvfuIpYQyI6EXZM6dZksn9LylXJnigY6QJ\n"
1391 "HxOYO0BDwOsZ8yQ8J8afLk88i0GizEkgE1z3REtQUwgWfxr1WV/ud+T6/ZhSAgH9\n"
1392 "042mQvSFZnIUSEsmCvjhWuAunfxHKCTcAoYISWfzWpkCgYEA7gpf3HHU5Tn+CgUn\n"
1393 "1X5uGpG3DmcMgfeGgs2r2f/IIg/5Ac1dfYILiybL1tN9zbyLCJfcbFpWBc9hJL6f\n"
1394 "CPc5hUiwWFJqBJewxQkC1Ae/HakHbip+IZ+Jr0842O4BAArvixk4Lb7/N2Ct9sTE\n"
1395 "NJO6RtK9lbEZ5uK61DglHy8CS2UCgYEA4ZC1o36kPAMQBggajgnucb2yuUEelk0f\n"
1396 "AEr+GI32MGE+93xMr7rAhBoqLg4AITyIfEnOSQ5HwagnIHonBbv1LV/Gf9ursx8Z\n"
1397 "YOGbvT8zzzC+SU1bkDzdjAYnFQVGIjMtKOBJ3K07++ypwX1fr4QsQ8uKL8WSOWwt\n"
1398 "Z3Bym6XiZzMCgYADnhy+2OwHX85AkLt+PyGlPbmuelpyTzS4IDAQbBa6jcuW/2wA\n"
1399 "UE2km75VUXmD+u2R/9zVuLm99NzhFhSMqlUxdV1YukfqMfP5yp1EY6m/5aW7QuIP\n"
1400 "2MDa7TVL9rIFMiVZ09RKvbBbQxjhuzPQKL6X/PPspnhiTefQ+dl2k9xREQKBgHDS\n"
1401 "fMfGNEeAEKezrfSVqxphE9/tXms3L+ZpnCaT+yu/uEr5dTIAawKoQ6i9f/sf1/Sy\n"
1402 "xedsqR+IB+oKrzIDDWMgoJybN4pkZ8E5lzhVQIjFjKgFdWLzzqyW9z1gYfABQPlN\n"
1403 "FiS20WX0vgP1vcKAjdNrHzc9zyHBpgQzDmAj3NZZAoGBAI8vKCKdH7w3aL5CNkZQ\n"
1404 "2buIeWNA2HZazVwAGG5F2TU/LmXfRKnG6dX5bkU+AkBZh56jNZy//hfFSewJB4Kk\n"
1405 "buB7ERSdaNbO21zXt9FEA3+z0RfMd/Zv2vlIWOSB5nzl/7UKti3sribK6s9ZVLfi\n"
1406 "SxpiPQ8d/hmSGwn4ksrWUsJD\n"
1407 "-----END PRIVATE KEY-----\n";
David Benjamin2f3958a2021-04-16 11:55:23 -0400[diff] [blame]1408 return KeyFromPEM(kKeyPEM);
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]1409}
1410
David Benjamin83a49932021-05-20 15:57:09 -0400[diff] [blame]1411static bool CompleteHandshakes(SSL *client, SSL *server) {
1412 // Drive both their handshakes to completion.
1413 for (;;) {
1414 int client_ret = SSL_do_handshake(client);
1415 int client_err = SSL_get_error(client, client_ret);
1416 if (client_err != SSL_ERROR_NONE &&
1417 client_err != SSL_ERROR_WANT_READ &&
1418 client_err != SSL_ERROR_WANT_WRITE &&
1419 client_err != SSL_ERROR_PENDING_TICKET) {
1420 fprintf(stderr, "Client error: %s\n", SSL_error_description(client_err));
1421 return false;
1422 }
1423
1424 int server_ret = SSL_do_handshake(server);
1425 int server_err = SSL_get_error(server, server_ret);
1426 if (server_err != SSL_ERROR_NONE &&
1427 server_err != SSL_ERROR_WANT_READ &&
1428 server_err != SSL_ERROR_WANT_WRITE &&
1429 server_err != SSL_ERROR_PENDING_TICKET) {
1430 fprintf(stderr, "Server error: %s\n", SSL_error_description(server_err));
1431 return false;
1432 }
1433
1434 if (client_ret == 1 && server_ret == 1) {
1435 break;
1436 }
1437 }
1438
1439 return true;
1440}
1441
1442static bool FlushNewSessionTickets(SSL *client, SSL *server) {
1443 // NewSessionTickets are deferred on the server to |SSL_write|, and clients do
1444 // not pick them up until |SSL_read|.
1445 for (;;) {
1446 int server_ret = SSL_write(server, nullptr, 0);
1447 int server_err = SSL_get_error(server, server_ret);
1448 // The server may either succeed (|server_ret| is zero) or block on write
1449 // (|server_ret| is -1 and |server_err| is |SSL_ERROR_WANT_WRITE|).
1450 if (server_ret > 0 ||
1451 (server_ret < 0 && server_err != SSL_ERROR_WANT_WRITE)) {
1452 fprintf(stderr, "Unexpected server result: %d %d\n", server_ret,
1453 server_err);
1454 return false;
1455 }
1456
1457 int client_ret = SSL_read(client, nullptr, 0);
1458 int client_err = SSL_get_error(client, client_ret);
1459 // The client must always block on read.
1460 if (client_ret != -1 || client_err != SSL_ERROR_WANT_READ) {
1461 fprintf(stderr, "Unexpected client result: %d %d\n", client_ret,
1462 client_err);
1463 return false;
1464 }
1465
1466 // The server flushed everything it had to write.
1467 if (server_ret == 0) {
1468 return true;
1469 }
1470 }
1471}
1472
1473// CreateClientAndServer creates a client and server |SSL| objects whose |BIO|s
1474// are paired with each other. It does not run the handshake. The caller is
1475// expected to configure the objects and drive the handshake as needed.
1476static bool CreateClientAndServer(bssl::UniquePtr<SSL> *out_client,
1477 bssl::UniquePtr<SSL> *out_server,
1478 SSL_CTX *client_ctx, SSL_CTX *server_ctx) {
1479 bssl::UniquePtr<SSL> client(SSL_new(client_ctx)), server(SSL_new(server_ctx));
1480 if (!client || !server) {
1481 return false;
1482 }
1483 SSL_set_connect_state(client.get());
1484 SSL_set_accept_state(server.get());
1485
1486 BIO *bio1, *bio2;
1487 if (!BIO_new_bio_pair(&bio1, 0, &bio2, 0)) {
1488 return false;
1489 }
1490 // SSL_set_bio takes ownership.
1491 SSL_set_bio(client.get(), bio1, bio1);
1492 SSL_set_bio(server.get(), bio2, bio2);
1493
1494 *out_client = std::move(client);
1495 *out_server = std::move(server);
1496 return true;
1497}
1498
1499struct ClientConfig {
1500 SSL_SESSION *session = nullptr;
1501 std::string servername;
Adam Langley7e7e6b62021-12-06 13:04:07 -0800[diff] [blame]1502 std::string verify_hostname;
1503 unsigned hostflags = 0;
David Benjamin83a49932021-05-20 15:57:09 -0400[diff] [blame]1504 bool early_data = false;
1505};
1506
1507static bool ConnectClientAndServer(bssl::UniquePtr<SSL> *out_client,
1508 bssl::UniquePtr<SSL> *out_server,
1509 SSL_CTX *client_ctx, SSL_CTX *server_ctx,
1510 const ClientConfig &config = ClientConfig(),
1511 bool shed_handshake_config = true) {
1512 bssl::UniquePtr<SSL> client, server;
1513 if (!CreateClientAndServer(&client, &server, client_ctx, server_ctx)) {
1514 return false;
1515 }
1516 if (config.early_data) {
1517 SSL_set_early_data_enabled(client.get(), 1);
1518 }
1519 if (config.session) {
1520 SSL_set_session(client.get(), config.session);
1521 }
1522 if (!config.servername.empty() &&
1523 !SSL_set_tlsext_host_name(client.get(), config.servername.c_str())) {
1524 return false;
1525 }
Adam Langley7e7e6b62021-12-06 13:04:07 -0800[diff] [blame]1526 if (!config.verify_hostname.empty()) {
1527 if (!SSL_set1_host(client.get(), config.verify_hostname.c_str())) {
1528 return false;
1529 }
1530 SSL_set_hostflags(client.get(), config.hostflags);
1531 }
David Benjamin83a49932021-05-20 15:57:09 -0400[diff] [blame]1532
1533 SSL_set_shed_handshake_config(client.get(), shed_handshake_config);
1534 SSL_set_shed_handshake_config(server.get(), shed_handshake_config);
1535
1536 if (!CompleteHandshakes(client.get(), server.get())) {
1537 return false;
1538 }
1539
1540 *out_client = std::move(client);
1541 *out_server = std::move(server);
1542 return true;
1543}
1544
David Benjamin9734e442021-06-15 13:58:12 -0400[diff] [blame]1545static bssl::UniquePtr<SSL_SESSION> g_last_session;
1546
1547static int SaveLastSession(SSL *ssl, SSL_SESSION *session) {
1548 // Save the most recent session.
1549 g_last_session.reset(session);
1550 return 1;
1551}
1552
1553static bssl::UniquePtr<SSL_SESSION> CreateClientSession(
1554 SSL_CTX *client_ctx, SSL_CTX *server_ctx,
1555 const ClientConfig &config = ClientConfig()) {
1556 g_last_session = nullptr;
1557 SSL_CTX_sess_set_new_cb(client_ctx, SaveLastSession);
1558
1559 // Connect client and server to get a session.
1560 bssl::UniquePtr<SSL> client, server;
1561 if (!ConnectClientAndServer(&client, &server, client_ctx, server_ctx,
1562 config) ||
1563 !FlushNewSessionTickets(client.get(), server.get())) {
1564 fprintf(stderr, "Failed to connect client and server.\n");
1565 return nullptr;
1566 }
1567
1568 SSL_CTX_sess_set_new_cb(client_ctx, nullptr);
1569
1570 if (!g_last_session) {
1571 fprintf(stderr, "Client did not receive a session.\n");
1572 return nullptr;
1573 }
1574 return std::move(g_last_session);
1575}
1576
David Benjaminc79ae7a2017-08-29 16:09:44 -0400[diff] [blame]1577// Test that |SSL_get_client_CA_list| echoes back the configured parameter even
1578// before configuring as a server.
1579TEST(SSLTest, ClientCAList) {
1580 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
1581 ASSERT_TRUE(ctx);
1582 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
1583 ASSERT_TRUE(ssl);
1584
1585 bssl::UniquePtr<X509_NAME> name(X509_NAME_new());
1586 ASSERT_TRUE(name);
1587
1588 bssl::UniquePtr<X509_NAME> name_dup(X509_NAME_dup(name.get()));
1589 ASSERT_TRUE(name_dup);
1590
1591 bssl::UniquePtr<STACK_OF(X509_NAME)> stack(sk_X509_NAME_new_null());
1592 ASSERT_TRUE(stack);
David Benjamin2908dd12018-06-29 17:46:42 -0400[diff] [blame]1593 ASSERT_TRUE(PushToStack(stack.get(), std::move(name_dup)));
David Benjaminc79ae7a2017-08-29 16:09:44 -0400[diff] [blame]1594
1595 // |SSL_set_client_CA_list| takes ownership.
1596 SSL_set_client_CA_list(ssl.get(), stack.release());
1597
1598 STACK_OF(X509_NAME) *result = SSL_get_client_CA_list(ssl.get());
1599 ASSERT_TRUE(result);
1600 ASSERT_EQ(1u, sk_X509_NAME_num(result));
1601 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(result, 0), name.get()));
1602}
1603
1604TEST(SSLTest, AddClientCA) {
1605 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
1606 ASSERT_TRUE(ctx);
1607 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
1608 ASSERT_TRUE(ssl);
1609
1610 bssl::UniquePtr<X509> cert1 = GetTestCertificate();
1611 bssl::UniquePtr<X509> cert2 = GetChainTestCertificate();
1612 ASSERT_TRUE(cert1 && cert2);
1613 X509_NAME *name1 = X509_get_subject_name(cert1.get());
1614 X509_NAME *name2 = X509_get_subject_name(cert2.get());
1615
1616 EXPECT_EQ(0u, sk_X509_NAME_num(SSL_get_client_CA_list(ssl.get())));
1617
1618 ASSERT_TRUE(SSL_add_client_CA(ssl.get(), cert1.get()));
1619 ASSERT_TRUE(SSL_add_client_CA(ssl.get(), cert2.get()));
1620
1621 STACK_OF(X509_NAME) *list = SSL_get_client_CA_list(ssl.get());
1622 ASSERT_EQ(2u, sk_X509_NAME_num(list));
1623 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 0), name1));
1624 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 1), name2));
1625
1626 ASSERT_TRUE(SSL_add_client_CA(ssl.get(), cert1.get()));
1627
1628 list = SSL_get_client_CA_list(ssl.get());
1629 ASSERT_EQ(3u, sk_X509_NAME_num(list));
1630 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 0), name1));
1631 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 1), name2));
1632 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 2), name1));
1633}
1634
David Benjamin24545c52021-06-07 16:05:07 -0400[diff] [blame]1635struct ECHConfigParams {
1636 uint16_t version = TLSEXT_TYPE_encrypted_client_hello;
1637 uint16_t config_id = 1;
1638 std::string public_name = "example.com";
1639 const EVP_HPKE_KEY *key = nullptr;
1640 // kem_id, if zero, takes its value from |key|.
1641 uint16_t kem_id = 0;
1642 // public_key, if empty takes its value from |key|.
1643 std::vector<uint8_t> public_key;
1644 size_t max_name_len = 16;
1645 // cipher_suites is a list of code points which should contain pairs of KDF
1646 // and AEAD IDs.
1647 std::vector<uint16_t> cipher_suites = {EVP_HPKE_HKDF_SHA256,
1648 EVP_HPKE_AES_128_GCM};
1649 std::vector<uint8_t> extensions;
1650};
Daniel McArdle00e434d2021-02-18 11:47:18 -0500[diff] [blame]1651
David Benjamin24545c52021-06-07 16:05:07 -0400[diff] [blame]1652// MakeECHConfig serializes an ECHConfig from |params| and writes it to
1653// |*out|.
1654bool MakeECHConfig(std::vector<uint8_t> *out,
1655 const ECHConfigParams &params) {
1656 uint16_t kem_id = params.kem_id == 0
1657 ? EVP_HPKE_KEM_id(EVP_HPKE_KEY_kem(params.key))
1658 : params.kem_id;
1659 std::vector<uint8_t> public_key = params.public_key;
1660 if (public_key.empty()) {
1661 public_key.resize(EVP_HPKE_MAX_PUBLIC_KEY_LENGTH);
1662 size_t len;
1663 if (!EVP_HPKE_KEY_public_key(params.key, public_key.data(), &len,
1664 public_key.size())) {
1665 return false;
1666 }
1667 public_key.resize(len);
1668 }
Daniel McArdle00e434d2021-02-18 11:47:18 -0500[diff] [blame]1669
Daniel McArdle00e434d2021-02-18 11:47:18 -0500[diff] [blame]1670 bssl::ScopedCBB cbb;
1671 CBB contents, child;
Daniel McArdle00e434d2021-02-18 11:47:18 -0500[diff] [blame]1672 if (!CBB_init(cbb.get(), 64) ||
David Benjamin24545c52021-06-07 16:05:07 -0400[diff] [blame]1673 !CBB_add_u16(cbb.get(), params.version) ||
Daniel McArdle00e434d2021-02-18 11:47:18 -0500[diff] [blame]1674 !CBB_add_u16_length_prefixed(cbb.get(), &contents) ||
David Benjamin24545c52021-06-07 16:05:07 -0400[diff] [blame]1675 !CBB_add_u8(&contents, params.config_id) ||
Steven Valdez94a63a52021-04-29 10:52:42 -0400[diff] [blame]1676 !CBB_add_u16(&contents, kem_id) ||
Daniel McArdle00e434d2021-02-18 11:47:18 -0500[diff] [blame]1677 !CBB_add_u16_length_prefixed(&contents, &child) ||
1678 !CBB_add_bytes(&child, public_key.data(), public_key.size()) ||
Daniel McArdle00e434d2021-02-18 11:47:18 -0500[diff] [blame]1679 !CBB_add_u16_length_prefixed(&contents, &child)) {
1680 return false;
1681 }
David Benjamin24545c52021-06-07 16:05:07 -0400[diff] [blame]1682 for (uint16_t cipher_suite : params.cipher_suites) {
Daniel McArdle00e434d2021-02-18 11:47:18 -0500[diff] [blame]1683 if (!CBB_add_u16(&child, cipher_suite)) {
1684 return false;
1685 }
1686 }
David Benjamin18b68362021-06-18 23:13:46 -0400[diff] [blame]1687 if (!CBB_add_u8(&contents, params.max_name_len) ||
1688 !CBB_add_u8_length_prefixed(&contents, &child) ||
David Benjamin24545c52021-06-07 16:05:07 -0400[diff] [blame]1689 !CBB_add_bytes(
1690 &child, reinterpret_cast<const uint8_t *>(params.public_name.data()),
1691 params.public_name.size()) ||
Steven Valdez94a63a52021-04-29 10:52:42 -0400[diff] [blame]1692 !CBB_add_u16_length_prefixed(&contents, &child) ||
David Benjamin24545c52021-06-07 16:05:07 -0400[diff] [blame]1693 !CBB_add_bytes(&child, params.extensions.data(),
1694 params.extensions.size()) ||
Daniel McArdle00e434d2021-02-18 11:47:18 -0500[diff] [blame]1695 !CBB_flush(cbb.get())) {
1696 return false;
1697 }
1698
1699 out->assign(CBB_data(cbb.get()), CBB_data(cbb.get()) + CBB_len(cbb.get()));
1700 return true;
1701}
1702
David Benjaminba423c92021-06-15 16:26:58 -0400[diff] [blame]1703static bssl::UniquePtr<SSL_ECH_KEYS> MakeTestECHKeys(uint8_t config_id = 1) {
David Benjamin83a49932021-05-20 15:57:09 -0400[diff] [blame]1704 bssl::ScopedEVP_HPKE_KEY key;
1705 uint8_t *ech_config;
1706 size_t ech_config_len;
1707 if (!EVP_HPKE_KEY_generate(key.get(), EVP_hpke_x25519_hkdf_sha256()) ||
David Benjaminba423c92021-06-15 16:26:58 -0400[diff] [blame]1708 !SSL_marshal_ech_config(&ech_config, &ech_config_len, config_id,
1709 key.get(), "public.example", 16)) {
David Benjamin83a49932021-05-20 15:57:09 -0400[diff] [blame]1710 return nullptr;
1711 }
1712 bssl::UniquePtr<uint8_t> free_ech_config(ech_config);
1713
1714 // Install a non-retry config.
1715 bssl::UniquePtr<SSL_ECH_KEYS> keys(SSL_ECH_KEYS_new());
1716 if (!keys || !SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1, ech_config,
1717 ech_config_len, key.get())) {
1718 return nullptr;
1719 }
1720 return keys;
1721}
1722
1723static bool InstallECHConfigList(SSL *client, const SSL_ECH_KEYS *keys) {
1724 uint8_t *ech_config_list;
1725 size_t ech_config_list_len;
1726 if (!SSL_ECH_KEYS_marshal_retry_configs(keys, &ech_config_list,
1727 &ech_config_list_len)) {
1728 return false;
1729 }
1730 bssl::UniquePtr<uint8_t> free_ech_config_list(ech_config_list);
1731 return SSL_set1_ech_config_list(client, ech_config_list, ech_config_list_len);
1732}
1733
David Benjamin24545c52021-06-07 16:05:07 -0400[diff] [blame]1734// Test that |SSL_marshal_ech_config| and |SSL_ECH_KEYS_marshal_retry_configs|
1735// output values as expected.
1736TEST(SSLTest, MarshalECHConfig) {
1737 static const uint8_t kPrivateKey[X25519_PRIVATE_KEY_LEN] = {
1738 0xbc, 0xb5, 0x51, 0x29, 0x31, 0x10, 0x30, 0xc9, 0xed, 0x26, 0xde,
1739 0xd4, 0xb3, 0xdf, 0x3a, 0xce, 0x06, 0x8a, 0xee, 0x17, 0xab, 0xce,
1740 0xd7, 0xdb, 0xf3, 0x11, 0xe5, 0xa8, 0xf3, 0xb1, 0x8e, 0x24};
1741 bssl::ScopedEVP_HPKE_KEY key;
1742 ASSERT_TRUE(EVP_HPKE_KEY_init(key.get(), EVP_hpke_x25519_hkdf_sha256(),
1743 kPrivateKey, sizeof(kPrivateKey)));
Daniel McArdle00e434d2021-02-18 11:47:18 -0500[diff] [blame]1744
David Benjamin24545c52021-06-07 16:05:07 -0400[diff] [blame]1745 static const uint8_t kECHConfig[] = {
1746 // version
David Benjamin18b68362021-06-18 23:13:46 -0400[diff] [blame]1747 0xfe, 0x0d,
David Benjamin24545c52021-06-07 16:05:07 -0400[diff] [blame]1748 // length
David Benjamin18b68362021-06-18 23:13:46 -0400[diff] [blame]1749 0x00, 0x41,
David Benjamin24545c52021-06-07 16:05:07 -0400[diff] [blame]1750 // contents.config_id
1751 0x01,
1752 // contents.kem_id
1753 0x00, 0x20,
1754 // contents.public_key
1755 0x00, 0x20, 0xa6, 0x9a, 0x41, 0x48, 0x5d, 0x32, 0x96, 0xa4, 0xe0, 0xc3,
1756 0x6a, 0xee, 0xf6, 0x63, 0x0f, 0x59, 0x32, 0x6f, 0xdc, 0xff, 0x81, 0x29,
1757 0x59, 0xa5, 0x85, 0xd3, 0x9b, 0x3b, 0xde, 0x98, 0x55, 0x5c,
1758 // contents.cipher_suites
1759 0x00, 0x08, 0x00, 0x01, 0x00, 0x01, 0x00, 0x01, 0x00, 0x03,
1760 // contents.maximum_name_length
David Benjamin18b68362021-06-18 23:13:46 -0400[diff] [blame]1761 0x10,
David Benjamin24545c52021-06-07 16:05:07 -0400[diff] [blame]1762 // contents.public_name
David Benjamin18b68362021-06-18 23:13:46 -0400[diff] [blame]1763 0x0e, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x2e, 0x65, 0x78, 0x61, 0x6d,
1764 0x70, 0x6c, 0x65,
David Benjamin24545c52021-06-07 16:05:07 -0400[diff] [blame]1765 // contents.extensions
1766 0x00, 0x00};
1767 uint8_t *ech_config;
1768 size_t ech_config_len;
1769 ASSERT_TRUE(SSL_marshal_ech_config(&ech_config, &ech_config_len,
1770 /*config_id=*/1, key.get(),
1771 "public.example", 16));
1772 bssl::UniquePtr<uint8_t> free_ech_config(ech_config);
1773 EXPECT_EQ(Bytes(kECHConfig), Bytes(ech_config, ech_config_len));
1774
1775 // Generate a second ECHConfig.
1776 bssl::ScopedEVP_HPKE_KEY key2;
1777 ASSERT_TRUE(EVP_HPKE_KEY_generate(key2.get(), EVP_hpke_x25519_hkdf_sha256()));
1778 uint8_t *ech_config2;
1779 size_t ech_config2_len;
1780 ASSERT_TRUE(SSL_marshal_ech_config(&ech_config2, &ech_config2_len,
1781 /*config_id=*/2, key2.get(),
1782 "public.example", 16));
1783 bssl::UniquePtr<uint8_t> free_ech_config2(ech_config2);
1784
1785 // Install both ECHConfigs in an |SSL_ECH_KEYS|.
David Benjaminc3b373b2021-06-06 13:04:26 -0400[diff] [blame]1786 bssl::UniquePtr<SSL_ECH_KEYS> keys(SSL_ECH_KEYS_new());
1787 ASSERT_TRUE(keys);
David Benjamin24545c52021-06-07 16:05:07 -0400[diff] [blame]1788 ASSERT_TRUE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1, ech_config,
1789 ech_config_len, key.get()));
1790 ASSERT_TRUE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1, ech_config2,
1791 ech_config2_len, key2.get()));
1792
1793 // The ECHConfigList should be correctly serialized.
1794 uint8_t *ech_config_list;
1795 size_t ech_config_list_len;
1796 ASSERT_TRUE(SSL_ECH_KEYS_marshal_retry_configs(keys.get(), &ech_config_list,
1797 &ech_config_list_len));
1798 bssl::UniquePtr<uint8_t> free_ech_config_list(ech_config_list);
1799
1800 // ECHConfigList is just the concatenation with a length prefix.
1801 size_t len = ech_config_len + ech_config2_len;
1802 std::vector<uint8_t> expected = {uint8_t(len >> 8), uint8_t(len)};
1803 expected.insert(expected.end(), ech_config, ech_config + ech_config_len);
1804 expected.insert(expected.end(), ech_config2, ech_config2 + ech_config2_len);
1805 EXPECT_EQ(Bytes(expected), Bytes(ech_config_list, ech_config_list_len));
David Benjamin24545c52021-06-07 16:05:07 -0400[diff] [blame]1806}
1807
1808TEST(SSLTest, ECHHasDuplicateConfigID) {
1809 const struct {
1810 std::vector<uint8_t> ids;
1811 bool has_duplicate;
1812 } kTests[] = {
1813 {{}, false},
1814 {{1}, false},
1815 {{1, 2, 3, 255}, false},
1816 {{1, 2, 3, 1}, true},
1817 };
1818 for (const auto &test : kTests) {
1819 bssl::UniquePtr<SSL_ECH_KEYS> keys(SSL_ECH_KEYS_new());
1820 ASSERT_TRUE(keys);
1821 for (const uint8_t id : test.ids) {
1822 bssl::ScopedEVP_HPKE_KEY key;
1823 ASSERT_TRUE(
1824 EVP_HPKE_KEY_generate(key.get(), EVP_hpke_x25519_hkdf_sha256()));
1825 uint8_t *ech_config;
1826 size_t ech_config_len;
1827 ASSERT_TRUE(SSL_marshal_ech_config(&ech_config, &ech_config_len, id,
1828 key.get(), "public.example", 16));
1829 bssl::UniquePtr<uint8_t> free_ech_config(ech_config);
1830 ASSERT_TRUE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
1831 ech_config, ech_config_len, key.get()));
1832 }
1833
1834 EXPECT_EQ(test.has_duplicate ? 1 : 0,
1835 SSL_ECH_KEYS_has_duplicate_config_id(keys.get()));
1836 }
1837}
1838
1839// Test that |SSL_ECH_KEYS_add| checks consistency between the public and
1840// private key.
1841TEST(SSLTest, ECHKeyConsistency) {
1842 bssl::UniquePtr<SSL_ECH_KEYS> keys(SSL_ECH_KEYS_new());
1843 ASSERT_TRUE(keys);
1844 bssl::ScopedEVP_HPKE_KEY key;
1845 ASSERT_TRUE(EVP_HPKE_KEY_generate(key.get(), EVP_hpke_x25519_hkdf_sha256()));
1846 uint8_t public_key[EVP_HPKE_MAX_PUBLIC_KEY_LENGTH];
1847 size_t public_key_len;
1848 ASSERT_TRUE(EVP_HPKE_KEY_public_key(key.get(), public_key, &public_key_len,
1849 sizeof(public_key)));
1850
1851 // Adding an ECHConfig with the matching public key succeeds.
1852 ECHConfigParams params;
1853 params.key = key.get();
1854 std::vector<uint8_t> ech_config;
1855 ASSERT_TRUE(MakeECHConfig(&ech_config, params));
1856 EXPECT_TRUE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
1857 ech_config.data(), ech_config.size(),
1858 key.get()));
Daniel McArdle00e434d2021-02-18 11:47:18 -0500[diff] [blame]1859
David Benjaminc890ae52021-06-06 13:32:29 -0400[diff] [blame]1860 // Adding an ECHConfig with the wrong public key is an error.
1861 bssl::ScopedEVP_HPKE_KEY wrong_key;
1862 ASSERT_TRUE(
1863 EVP_HPKE_KEY_generate(wrong_key.get(), EVP_hpke_x25519_hkdf_sha256()));
David Benjamin24545c52021-06-07 16:05:07 -0400[diff] [blame]1864 EXPECT_FALSE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
1865 ech_config.data(), ech_config.size(),
1866 wrong_key.get()));
1867
1868 // Adding an ECHConfig with a truncated public key is an error.
1869 ECHConfigParams truncated;
1870 truncated.key = key.get();
1871 truncated.public_key.assign(public_key, public_key + public_key_len - 1);
1872 ASSERT_TRUE(MakeECHConfig(&ech_config, truncated));
1873 EXPECT_FALSE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
1874 ech_config.data(), ech_config.size(), key.get()));
Daniel McArdle00e434d2021-02-18 11:47:18 -0500[diff] [blame]1875
David Benjaminc890ae52021-06-06 13:32:29 -0400[diff] [blame]1876 // Adding an ECHConfig with the right public key, but wrong KEM ID, is an
1877 // error.
David Benjamin24545c52021-06-07 16:05:07 -0400[diff] [blame]1878 ECHConfigParams wrong_kem;
1879 wrong_kem.key = key.get();
1880 wrong_kem.kem_id = 0x0010; // DHKEM(P-256, HKDF-SHA256)
1881 ASSERT_TRUE(MakeECHConfig(&ech_config, wrong_kem));
David Benjaminc890ae52021-06-06 13:32:29 -0400[diff] [blame]1882 EXPECT_FALSE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
1883 ech_config.data(), ech_config.size(),
1884 key.get()));
Daniel McArdle00e434d2021-02-18 11:47:18 -0500[diff] [blame]1885}
1886
David Benjaminc3b373b2021-06-06 13:04:26 -0400[diff] [blame]1887// Test that |SSL_CTX_set1_ech_keys| fails when the config list
Daniel McArdle00e434d2021-02-18 11:47:18 -0500[diff] [blame]1888// has no retry configs.
1889TEST(SSLTest, ECHServerConfigsWithoutRetryConfigs) {
David Benjamin24545c52021-06-07 16:05:07 -0400[diff] [blame]1890 bssl::ScopedEVP_HPKE_KEY key;
1891 ASSERT_TRUE(EVP_HPKE_KEY_generate(key.get(), EVP_hpke_x25519_hkdf_sha256()));
1892 uint8_t *ech_config;
1893 size_t ech_config_len;
1894 ASSERT_TRUE(SSL_marshal_ech_config(&ech_config, &ech_config_len,
1895 /*config_id=*/1, key.get(),
1896 "public.example", 16));
1897 bssl::UniquePtr<uint8_t> free_ech_config(ech_config);
Daniel McArdle00e434d2021-02-18 11:47:18 -0500[diff] [blame]1898
David Benjamin24545c52021-06-07 16:05:07 -0400[diff] [blame]1899 // Install a non-retry config.
David Benjaminc3b373b2021-06-06 13:04:26 -0400[diff] [blame]1900 bssl::UniquePtr<SSL_ECH_KEYS> keys(SSL_ECH_KEYS_new());
1901 ASSERT_TRUE(keys);
David Benjamin24545c52021-06-07 16:05:07 -0400[diff] [blame]1902 ASSERT_TRUE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/0, ech_config,
1903 ech_config_len, key.get()));
Daniel McArdle00e434d2021-02-18 11:47:18 -0500[diff] [blame]1904
David Benjamin24545c52021-06-07 16:05:07 -0400[diff] [blame]1905 // |keys| has no retry configs.
1906 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
1907 ASSERT_TRUE(ctx);
1908 EXPECT_FALSE(SSL_CTX_set1_ech_keys(ctx.get(), keys.get()));
Daniel McArdle00e434d2021-02-18 11:47:18 -0500[diff] [blame]1909
1910 // Add the same ECHConfig to the list, but this time mark it as a retry
1911 // config.
David Benjamin24545c52021-06-07 16:05:07 -0400[diff] [blame]1912 ASSERT_TRUE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1, ech_config,
1913 ech_config_len, key.get()));
1914 EXPECT_TRUE(SSL_CTX_set1_ech_keys(ctx.get(), keys.get()));
Daniel McArdle00e434d2021-02-18 11:47:18 -0500[diff] [blame]1915}
1916
1917// Test that the server APIs reject ECHConfigs with unsupported features.
1918TEST(SSLTest, UnsupportedECHConfig) {
David Benjaminc3b373b2021-06-06 13:04:26 -0400[diff] [blame]1919 bssl::UniquePtr<SSL_ECH_KEYS> keys(SSL_ECH_KEYS_new());
1920 ASSERT_TRUE(keys);
David Benjaminc890ae52021-06-06 13:32:29 -0400[diff] [blame]1921 bssl::ScopedEVP_HPKE_KEY key;
David Benjamin24545c52021-06-07 16:05:07 -0400[diff] [blame]1922 ASSERT_TRUE(EVP_HPKE_KEY_generate(key.get(), EVP_hpke_x25519_hkdf_sha256()));
Daniel McArdle00e434d2021-02-18 11:47:18 -0500[diff] [blame]1923
1924 // Unsupported versions are rejected.
David Benjamin24545c52021-06-07 16:05:07 -0400[diff] [blame]1925 ECHConfigParams unsupported_version;
1926 unsupported_version.version = 0xffff;
1927 unsupported_version.key = key.get();
Daniel McArdle00e434d2021-02-18 11:47:18 -0500[diff] [blame]1928 std::vector<uint8_t> ech_config;
David Benjamin24545c52021-06-07 16:05:07 -0400[diff] [blame]1929 ASSERT_TRUE(MakeECHConfig(&ech_config, unsupported_version));
David Benjaminc3b373b2021-06-06 13:04:26 -0400[diff] [blame]1930 EXPECT_FALSE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
1931 ech_config.data(), ech_config.size(),
David Benjaminc890ae52021-06-06 13:32:29 -0400[diff] [blame]1932 key.get()));
Daniel McArdle00e434d2021-02-18 11:47:18 -0500[diff] [blame]1933
David Benjamin24545c52021-06-07 16:05:07 -0400[diff] [blame]1934 // Unsupported cipher suites are rejected. (We only support HKDF-SHA256.)
1935 ECHConfigParams unsupported_kdf;
1936 unsupported_kdf.key = key.get();
1937 unsupported_kdf.cipher_suites = {0x002 /* HKDF-SHA384 */,
1938 EVP_HPKE_AES_128_GCM};
1939 ASSERT_TRUE(MakeECHConfig(&ech_config, unsupported_kdf));
1940 EXPECT_FALSE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
1941 ech_config.data(), ech_config.size(),
1942 key.get()));
1943 ECHConfigParams unsupported_aead;
1944 unsupported_aead.key = key.get();
1945 unsupported_aead.cipher_suites = {EVP_HPKE_HKDF_SHA256, 0xffff};
1946 ASSERT_TRUE(MakeECHConfig(&ech_config, unsupported_aead));
1947 EXPECT_FALSE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
1948 ech_config.data(), ech_config.size(),
1949 key.get()));
1950
1951
Daniel McArdle00e434d2021-02-18 11:47:18 -0500[diff] [blame]1952 // Unsupported extensions are rejected.
David Benjamin24545c52021-06-07 16:05:07 -0400[diff] [blame]1953 ECHConfigParams extensions;
1954 extensions.key = key.get();
1955 extensions.extensions = {0x00, 0x01, 0x00, 0x00};
1956 ASSERT_TRUE(MakeECHConfig(&ech_config, extensions));
David Benjaminc3b373b2021-06-06 13:04:26 -0400[diff] [blame]1957 EXPECT_FALSE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
1958 ech_config.data(), ech_config.size(),
David Benjaminc890ae52021-06-06 13:32:29 -0400[diff] [blame]1959 key.get()));
David Benjamin9cbe7372021-06-15 18:09:10 -0400[diff] [blame]1960
1961 // Invalid public names are rejected.
1962 ECHConfigParams invalid_public_name;
1963 invalid_public_name.key = key.get();
1964 invalid_public_name.public_name = "dns_names_have_no_underscores.example";
1965 ASSERT_TRUE(MakeECHConfig(&ech_config, invalid_public_name));
1966 EXPECT_FALSE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
1967 ech_config.data(), ech_config.size(),
1968 key.get()));
Daniel McArdle00e434d2021-02-18 11:47:18 -0500[diff] [blame]1969}
1970
David Benjamin83a49932021-05-20 15:57:09 -0400[diff] [blame]1971// Test that |SSL_get_client_random| reports the correct value on both client
1972// and server in ECH. The client sends two different random values. When ECH is
1973// accepted, we should report the inner one.
1974TEST(SSLTest, ECHClientRandomsMatch) {
1975 bssl::UniquePtr<SSL_CTX> server_ctx =
1976 CreateContextWithTestCertificate(TLS_method());
1977 bssl::UniquePtr<SSL_ECH_KEYS> keys = MakeTestECHKeys();
1978 ASSERT_TRUE(keys);
1979 ASSERT_TRUE(SSL_CTX_set1_ech_keys(server_ctx.get(), keys.get()));
1980
1981 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
1982 ASSERT_TRUE(client_ctx);
1983 bssl::UniquePtr<SSL> client, server;
1984 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
1985 server_ctx.get()));
1986 ASSERT_TRUE(InstallECHConfigList(client.get(), keys.get()));
1987 ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
1988
1989 EXPECT_TRUE(SSL_ech_accepted(client.get()));
1990 EXPECT_TRUE(SSL_ech_accepted(server.get()));
1991
1992 // An ECH server will fairly naturally record the inner ClientHello random,
1993 // but an ECH client may forget to update the random once ClientHelloInner is
1994 // selected.
1995 uint8_t client_random1[SSL3_RANDOM_SIZE];
1996 uint8_t client_random2[SSL3_RANDOM_SIZE];
1997 ASSERT_EQ(sizeof(client_random1),
1998 SSL_get_client_random(client.get(), client_random1,
1999 sizeof(client_random1)));
2000 ASSERT_EQ(sizeof(client_random2),
2001 SSL_get_client_random(server.get(), client_random2,
2002 sizeof(client_random2)));
2003 EXPECT_EQ(Bytes(client_random1), Bytes(client_random2));
2004}
2005
2006// GetECHLength sets |*out_client_hello_len| and |*out_ech_len| to the lengths
2007// of the ClientHello and ECH extension, respectively, when a client created
2008// from |ctx| constructs a ClientHello with name |name| and an ECHConfig with
2009// maximum name length |max_name_len|.
2010static bool GetECHLength(SSL_CTX *ctx, size_t *out_client_hello_len,
2011 size_t *out_ech_len, size_t max_name_len,
2012 const char *name) {
2013 bssl::ScopedEVP_HPKE_KEY key;
2014 uint8_t *ech_config;
2015 size_t ech_config_len;
2016 if (!EVP_HPKE_KEY_generate(key.get(), EVP_hpke_x25519_hkdf_sha256()) ||
2017 !SSL_marshal_ech_config(&ech_config, &ech_config_len,
2018 /*config_id=*/1, key.get(), "public.example",
2019 max_name_len)) {
2020 return false;
2021 }
2022 bssl::UniquePtr<uint8_t> free_ech_config(ech_config);
2023
2024 bssl::UniquePtr<SSL_ECH_KEYS> keys(SSL_ECH_KEYS_new());
2025 if (!keys || !SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1, ech_config,
2026 ech_config_len, key.get())) {
2027 return false;
2028 }
2029
2030 bssl::UniquePtr<SSL> ssl(SSL_new(ctx));
2031 if (!ssl || !InstallECHConfigList(ssl.get(), keys.get()) ||
2032 (name != nullptr && !SSL_set_tlsext_host_name(ssl.get(), name))) {
2033 return false;
2034 }
2035 SSL_set_connect_state(ssl.get());
2036
2037 std::vector<uint8_t> client_hello;
2038 SSL_CLIENT_HELLO parsed;
2039 const uint8_t *unused;
2040 if (!GetClientHello(ssl.get(), &client_hello) ||
2041 !ssl_client_hello_init(
2042 ssl.get(), &parsed,
2043 // Skip record and handshake headers. This assumes the ClientHello
2044 // fits in one record.
2045 MakeConstSpan(client_hello)
2046 .subspan(SSL3_RT_HEADER_LENGTH + SSL3_HM_HEADER_LENGTH)) ||
2047 !SSL_early_callback_ctx_extension_get(
2048 &parsed, TLSEXT_TYPE_encrypted_client_hello, &unused, out_ech_len)) {
2049 return false;
2050 }
2051 *out_client_hello_len = client_hello.size();
2052 return true;
2053}
2054
2055TEST(SSLTest, ECHPadding) {
2056 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
2057 ASSERT_TRUE(ctx);
2058
2059 // Sample lengths with max_name_len = 128 as baseline.
2060 size_t client_hello_len_baseline, ech_len_baseline;
2061 ASSERT_TRUE(GetECHLength(ctx.get(), &client_hello_len_baseline,
2062 &ech_len_baseline, 128, "example.com"));
2063
2064 // Check that all name lengths under the server's maximum look the same.
2065 for (size_t name_len : {1, 2, 32, 64, 127, 128}) {
2066 SCOPED_TRACE(name_len);
2067 size_t client_hello_len, ech_len;
2068 ASSERT_TRUE(GetECHLength(ctx.get(), &client_hello_len, &ech_len, 128,
2069 std::string(name_len, 'a').c_str()));
2070 EXPECT_EQ(client_hello_len, client_hello_len_baseline);
2071 EXPECT_EQ(ech_len, ech_len_baseline);
2072 }
2073
2074 // When sending no SNI, we must still pad as if we are sending one.
2075 size_t client_hello_len, ech_len;
2076 ASSERT_TRUE(
2077 GetECHLength(ctx.get(), &client_hello_len, &ech_len, 128, nullptr));
2078 EXPECT_EQ(client_hello_len, client_hello_len_baseline);
2079 EXPECT_EQ(ech_len, ech_len_baseline);
2080
David Benjamin18b68362021-06-18 23:13:46 -0400[diff] [blame]2081 // Name lengths above the maximum do not get named-based padding, but the
2082 // overall input is padded to a multiple of 32.
2083 size_t client_hello_len_baseline2, ech_len_baseline2;
2084 ASSERT_TRUE(GetECHLength(ctx.get(), &client_hello_len_baseline2,
2085 &ech_len_baseline2, 128,
2086 std::string(128 + 32, 'a').c_str()));
2087 EXPECT_EQ(ech_len_baseline2, ech_len_baseline + 32);
2088 // The ClientHello lengths may match if we are still under the threshold for
2089 // padding extension.
2090 EXPECT_GE(client_hello_len_baseline2, client_hello_len_baseline);
David Benjamin83a49932021-05-20 15:57:09 -0400[diff] [blame]2091
David Benjamin18b68362021-06-18 23:13:46 -0400[diff] [blame]2092 for (size_t name_len = 128 + 1; name_len < 128 + 32; name_len++) {
David Benjamin83a49932021-05-20 15:57:09 -0400[diff] [blame]2093 SCOPED_TRACE(name_len);
2094 ASSERT_TRUE(GetECHLength(ctx.get(), &client_hello_len, &ech_len, 128,
2095 std::string(name_len, 'a').c_str()));
David Benjamin18b68362021-06-18 23:13:46 -0400[diff] [blame]2096 EXPECT_TRUE(ech_len == ech_len_baseline || ech_len == ech_len_baseline2)
2097 << ech_len;
2098 EXPECT_TRUE(client_hello_len == client_hello_len_baseline ||
2099 client_hello_len == client_hello_len_baseline2)
2100 << client_hello_len;
David Benjamin83a49932021-05-20 15:57:09 -0400[diff] [blame]2101 }
2102}
2103
David Benjamin9cbe7372021-06-15 18:09:10 -0400[diff] [blame]2104TEST(SSLTest, ECHPublicName) {
2105 auto str_to_span = [](const char *str) -> Span<const uint8_t> {
2106 return MakeConstSpan(reinterpret_cast<const uint8_t *>(str), strlen(str));
2107 };
2108
2109 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("")));
2110 EXPECT_TRUE(ssl_is_valid_ech_public_name(str_to_span("example.com")));
2111 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span(".example.com")));
2112 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("example.com.")));
2113 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("example..com")));
2114 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("www.-example.com")));
2115 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("www.example-.com")));
2116 EXPECT_FALSE(
2117 ssl_is_valid_ech_public_name(str_to_span("no_underscores.example")));
2118 EXPECT_FALSE(ssl_is_valid_ech_public_name(
2119 str_to_span("invalid_chars.\x01.example")));
2120 EXPECT_FALSE(ssl_is_valid_ech_public_name(
2121 str_to_span("invalid_chars.\xff.example")));
2122 static const uint8_t kWithNUL[] = {'t', 'e', 's', 't', 0};
2123 EXPECT_FALSE(ssl_is_valid_ech_public_name(kWithNUL));
2124
2125 // Test an LDH label with every character and the maximum length.
2126 EXPECT_TRUE(ssl_is_valid_ech_public_name(str_to_span(
2127 "abcdefhijklmnopqrstuvwxyz-ABCDEFGHIJKLMNOPQRSTUVWXYZ-0123456789")));
2128 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span(
2129 "abcdefhijklmnopqrstuvwxyz-ABCDEFGHIJKLMNOPQRSTUVWXYZ-01234567899")));
2130
David Benjamin1a668b32021-09-02 23:00:28 -0400[diff] [blame]2131 // Inputs with trailing numeric components are rejected.
David Benjamin9cbe7372021-06-15 18:09:10 -0400[diff] [blame]2132 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("127.0.0.1")));
David Benjamin1a668b32021-09-02 23:00:28 -0400[diff] [blame]2133 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("example.1")));
2134 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("example.01")));
2135 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("example.0x01")));
2136 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("example.0X01")));
2137 // Leading zeros and values that overflow |uint32_t| are still rejected.
2138 EXPECT_FALSE(ssl_is_valid_ech_public_name(
2139 str_to_span("example.123456789000000000000000")));
2140 EXPECT_FALSE(ssl_is_valid_ech_public_name(
2141 str_to_span("example.012345678900000000000000")));
2142 EXPECT_FALSE(ssl_is_valid_ech_public_name(
2143 str_to_span("example.0x123456789abcdefABCDEF0")));
2144 EXPECT_FALSE(ssl_is_valid_ech_public_name(
2145 str_to_span("example.0x0123456789abcdefABCDEF")));
2146 // Adding a non-digit or non-hex character makes it a valid DNS name again.
2147 // Single-component numbers are rejected.
David Benjamin9cbe7372021-06-15 18:09:10 -0400[diff] [blame]2148 EXPECT_TRUE(ssl_is_valid_ech_public_name(
David Benjamin1a668b32021-09-02 23:00:28 -0400[diff] [blame]2149 str_to_span("example.1234567890a")));
2150 EXPECT_TRUE(ssl_is_valid_ech_public_name(
2151 str_to_span("example.01234567890a")));
2152 EXPECT_TRUE(ssl_is_valid_ech_public_name(
2153 str_to_span("example.0x123456789abcdefg")));
2154 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("1")));
2155 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("01")));
2156 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("0x01")));
2157 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("0X01")));
2158 // Numbers with trailing dots are rejected. (They are already rejected by the
2159 // LDH label rules, but the WHATWG URL parser additionally rejects them.)
2160 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("1.")));
2161 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("01.")));
2162 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("0x01.")));
2163 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("0X01.")));
David Benjamin9cbe7372021-06-15 18:09:10 -0400[diff] [blame]2164}
2165
David Benjaminba423c92021-06-15 16:26:58 -0400[diff] [blame]2166// When using the built-in verifier, test that |SSL_get0_ech_name_override| is
2167// applied automatically.
2168TEST(SSLTest, ECHBuiltinVerifier) {
2169 // These test certificates generated with the following Go program.
2170 /* clang-format off
2171func main() {
2172 notBefore := time.Date(2000, time.January, 1, 0, 0, 0, 0, time.UTC)
2173 notAfter := time.Date(2099, time.January, 1, 0, 0, 0, 0, time.UTC)
2174 rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
2175 rootTemplate := &x509.Certificate{
2176 SerialNumber: big.NewInt(1),
2177 Subject: pkix.Name{CommonName: "Test CA"},
2178 NotBefore: notBefore,
2179 NotAfter: notAfter,
2180 BasicConstraintsValid: true,
2181 IsCA: true,
2182 }
2183 rootDER, _ := x509.CreateCertificate(rand.Reader, rootTemplate, rootTemplate, &rootKey.PublicKey, rootKey)
2184 root, _ := x509.ParseCertificate(rootDER)
2185 pem.Encode(os.Stdout, &pem.Block{Type: "CERTIFICATE", Bytes: rootDER})
2186 leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
2187 leafKeyDER, _ := x509.MarshalPKCS8PrivateKey(leafKey)
2188 pem.Encode(os.Stdout, &pem.Block{Type: "PRIVATE KEY", Bytes: leafKeyDER})
2189 for i, name := range []string{"public.example", "secret.example"} {
2190 leafTemplate := &x509.Certificate{
2191 SerialNumber: big.NewInt(int64(i) + 2),
2192 Subject: pkix.Name{CommonName: name},
2193 NotBefore: notBefore,
2194 NotAfter: notAfter,
2195 BasicConstraintsValid: true,
2196 DNSNames: []string{name},
2197 }
2198 leafDER, _ := x509.CreateCertificate(rand.Reader, leafTemplate, root, &leafKey.PublicKey, rootKey)
2199 pem.Encode(os.Stdout, &pem.Block{Type: "CERTIFICATE", Bytes: leafDER})
2200 }
2201}
2202clang-format on */
2203 bssl::UniquePtr<X509> root = CertFromPEM(R"(
2204-----BEGIN CERTIFICATE-----
2205MIIBRzCB7aADAgECAgEBMAoGCCqGSM49BAMCMBIxEDAOBgNVBAMTB1Rlc3QgQ0Ew
2206IBcNMDAwMTAxMDAwMDAwWhgPMjA5OTAxMDEwMDAwMDBaMBIxEDAOBgNVBAMTB1Rl
2207c3QgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAT5JUjrI1DAxSpEl88UkmJw
2208tAJqxo/YrSFo9V3MkcNkfTixi5p6MUtO8DazhEgekBcd2+tBAWtl7dy0qpvTqx92
2209ozIwMDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTw6ftkexAI6o4r5FntJIfL
2210GU5F4zAKBggqhkjOPQQDAgNJADBGAiEAiiNowddQeHZaZFIygwe6RW5/WG4sUXWC
2211dkyl9CQzRaYCIQCFS1EvwZbZtMny27fYm1eeYciY0TkJTEi34H1KwyzzIA==
2212-----END CERTIFICATE-----
2213)");
2214 ASSERT_TRUE(root);
2215 bssl::UniquePtr<EVP_PKEY> leaf_key = KeyFromPEM(R"(
2216-----BEGIN PRIVATE KEY-----
2217MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgj5WKHwHnziiyPauf
22187QukxTwtTyGZkk8qNdms4puJfxqhRANCAARNrkhxabALDlJrHtvkuDwvCWUF/oVC
2219hr6PDITHi1lDlJzvVT4aXBH87sH2n2UV5zpx13NHkq1bIC8eRT8eOIe0
2220-----END PRIVATE KEY-----
2221)");
2222 ASSERT_TRUE(leaf_key);
2223 bssl::UniquePtr<X509> leaf_public = CertFromPEM(R"(
2224-----BEGIN CERTIFICATE-----
2225MIIBaDCCAQ6gAwIBAgIBAjAKBggqhkjOPQQDAjASMRAwDgYDVQQDEwdUZXN0IENB
2226MCAXDTAwMDEwMTAwMDAwMFoYDzIwOTkwMTAxMDAwMDAwWjAZMRcwFQYDVQQDEw5w
2227dWJsaWMuZXhhbXBsZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE2uSHFpsAsO
2228Umse2+S4PC8JZQX+hUKGvo8MhMeLWUOUnO9VPhpcEfzuwfafZRXnOnHXc0eSrVsg
2229Lx5FPx44h7SjTDBKMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAU8On7ZHsQCOqO
2230K+RZ7SSHyxlOReMwGQYDVR0RBBIwEIIOcHVibGljLmV4YW1wbGUwCgYIKoZIzj0E
2231AwIDSAAwRQIhANqZRhDR/+QL05hsWXMYEwaiHifd9iakKoFEhKFchcF3AiBRAeXw
2232wRGGT6+iPmTYM6N5/IDyAb5B9Ke38O6lLEsUwA==
2233-----END CERTIFICATE-----
2234)");
2235 ASSERT_TRUE(leaf_public);
2236 bssl::UniquePtr<X509> leaf_secret = CertFromPEM(R"(
2237-----BEGIN CERTIFICATE-----
2238MIIBaTCCAQ6gAwIBAgIBAzAKBggqhkjOPQQDAjASMRAwDgYDVQQDEwdUZXN0IENB
2239MCAXDTAwMDEwMTAwMDAwMFoYDzIwOTkwMTAxMDAwMDAwWjAZMRcwFQYDVQQDEw5z
2240ZWNyZXQuZXhhbXBsZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE2uSHFpsAsO
2241Umse2+S4PC8JZQX+hUKGvo8MhMeLWUOUnO9VPhpcEfzuwfafZRXnOnHXc0eSrVsg
2242Lx5FPx44h7SjTDBKMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAU8On7ZHsQCOqO
2243K+RZ7SSHyxlOReMwGQYDVR0RBBIwEIIOc2VjcmV0LmV4YW1wbGUwCgYIKoZIzj0E
2244AwIDSQAwRgIhAPQdIz1xCFkc9WuSkxOxJDpywZiEp9SnKcxJ9nwrlRp3AiEA+O3+
2245XRqE7XFhHL+7TNC2a9OOAjQsEF137YPWo+rhgko=
2246-----END CERTIFICATE-----
2247)");
2248 ASSERT_TRUE(leaf_secret);
2249
2250 // Use different config IDs so that fuzzer mode, which breaks trial
2251 // decryption, will observe the key mismatch.
2252 bssl::UniquePtr<SSL_ECH_KEYS> keys = MakeTestECHKeys(/*config_id=*/1);
2253 ASSERT_TRUE(keys);
2254 bssl::UniquePtr<SSL_ECH_KEYS> wrong_keys = MakeTestECHKeys(/*config_id=*/2);
2255 ASSERT_TRUE(wrong_keys);
2256 bssl::UniquePtr<SSL_CTX> server_ctx =
2257 CreateContextWithTestCertificate(TLS_method());
2258 ASSERT_TRUE(server_ctx);
2259 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
2260 ASSERT_TRUE(client_ctx);
2261
2262 // Configure the client to verify certificates and expect the secret name.
2263 // This is the name the client is trying to connect to. If ECH is rejected,
2264 // BoringSSL will internally override this setting with the public name.
2265 bssl::UniquePtr<X509_STORE> store(X509_STORE_new());
2266 ASSERT_TRUE(store);
2267 ASSERT_TRUE(X509_STORE_add_cert(store.get(), root.get()));
2268 SSL_CTX_set_cert_store(client_ctx.get(), store.release());
2269 SSL_CTX_set_verify(client_ctx.get(), SSL_VERIFY_PEER, nullptr);
David Benjaminc7b255e2022-12-07 12:50:04 -0500[diff] [blame]2270 X509_VERIFY_PARAM_set_flags(SSL_CTX_get0_param(client_ctx.get()),
2271 X509_V_FLAG_NO_CHECK_TIME);
David Benjaminba423c92021-06-15 16:26:58 -0400[diff] [blame]2272 static const char kSecretName[] = "secret.example";
2273 ASSERT_TRUE(X509_VERIFY_PARAM_set1_host(SSL_CTX_get0_param(client_ctx.get()),
2274 kSecretName, strlen(kSecretName)));
2275
2276 // For simplicity, we only run through a pair of representative scenarios here
2277 // and rely on runner.go to verify that |SSL_get0_ech_name_override| behaves
2278 // correctly.
2279 for (bool accept_ech : {false, true}) {
2280 SCOPED_TRACE(accept_ech);
2281 for (bool use_leaf_secret : {false, true}) {
2282 SCOPED_TRACE(use_leaf_secret);
2283
2284 // The server will reject ECH when configured with the wrong keys.
2285 ASSERT_TRUE(SSL_CTX_set1_ech_keys(
2286 server_ctx.get(), accept_ech ? keys.get() : wrong_keys.get()));
2287
2288 bssl::UniquePtr<SSL> client, server;
2289 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
2290 server_ctx.get()));
2291 ASSERT_TRUE(InstallECHConfigList(client.get(), keys.get()));
2292
2293 // Configure the server with the selected certificate.
2294 ASSERT_TRUE(SSL_use_certificate(server.get(), use_leaf_secret
2295 ? leaf_secret.get()
2296 : leaf_public.get()));
2297 ASSERT_TRUE(SSL_use_PrivateKey(server.get(), leaf_key.get()));
2298
2299 // The handshake may fail due to name mismatch or ECH reject. We check
2300 // |SSL_get_verify_result| to confirm the handshake got far enough.
2301 CompleteHandshakes(client.get(), server.get());
2302 EXPECT_EQ(accept_ech == use_leaf_secret ? X509_V_OK
2303 : X509_V_ERR_HOSTNAME_MISMATCH,
2304 SSL_get_verify_result(client.get()));
2305 }
2306 }
2307}
2308
David Benjamin83a49932021-05-20 15:57:09 -0400[diff] [blame]2309#if defined(OPENSSL_THREADS)
2310// Test that the server ECH config can be swapped out while the |SSL_CTX| is
2311// in use on other threads. This test is intended to be run with TSan.
2312TEST(SSLTest, ECHThreads) {
2313 // Generate a pair of ECHConfigs.
2314 bssl::ScopedEVP_HPKE_KEY key1;
2315 ASSERT_TRUE(EVP_HPKE_KEY_generate(key1.get(), EVP_hpke_x25519_hkdf_sha256()));
2316 uint8_t *ech_config1;
2317 size_t ech_config1_len;
2318 ASSERT_TRUE(SSL_marshal_ech_config(&ech_config1, &ech_config1_len,
2319 /*config_id=*/1, key1.get(),
2320 "public.example", 16));
2321 bssl::UniquePtr<uint8_t> free_ech_config1(ech_config1);
2322 bssl::ScopedEVP_HPKE_KEY key2;
2323 ASSERT_TRUE(EVP_HPKE_KEY_generate(key2.get(), EVP_hpke_x25519_hkdf_sha256()));
2324 uint8_t *ech_config2;
2325 size_t ech_config2_len;
2326 ASSERT_TRUE(SSL_marshal_ech_config(&ech_config2, &ech_config2_len,
2327 /*config_id=*/2, key2.get(),
2328 "public.example", 16));
2329 bssl::UniquePtr<uint8_t> free_ech_config2(ech_config2);
2330
2331 // |keys1| contains the first config. |keys12| contains both.
2332 bssl::UniquePtr<SSL_ECH_KEYS> keys1(SSL_ECH_KEYS_new());
2333 ASSERT_TRUE(keys1);
2334 ASSERT_TRUE(SSL_ECH_KEYS_add(keys1.get(), /*is_retry_config=*/1, ech_config1,
2335 ech_config1_len, key1.get()));
2336 bssl::UniquePtr<SSL_ECH_KEYS> keys12(SSL_ECH_KEYS_new());
2337 ASSERT_TRUE(keys12);
2338 ASSERT_TRUE(SSL_ECH_KEYS_add(keys12.get(), /*is_retry_config=*/1, ech_config2,
2339 ech_config2_len, key2.get()));
2340 ASSERT_TRUE(SSL_ECH_KEYS_add(keys12.get(), /*is_retry_config=*/0, ech_config1,
2341 ech_config1_len, key1.get()));
2342
2343 bssl::UniquePtr<SSL_CTX> server_ctx =
2344 CreateContextWithTestCertificate(TLS_method());
2345 ASSERT_TRUE(SSL_CTX_set1_ech_keys(server_ctx.get(), keys1.get()));
2346
2347 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
2348 ASSERT_TRUE(client_ctx);
2349 bssl::UniquePtr<SSL> client, server;
2350 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
2351 server_ctx.get()));
2352 ASSERT_TRUE(InstallECHConfigList(client.get(), keys1.get()));
2353
2354 // In parallel, complete the connection and reconfigure the ECHConfig. Note
2355 // |keys12| supports all the keys in |keys1|, so the handshake should complete
2356 // the same whichever the server uses.
2357 std::vector<std::thread> threads;
2358 threads.emplace_back([&] {
2359 ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
2360 EXPECT_TRUE(SSL_ech_accepted(client.get()));
2361 EXPECT_TRUE(SSL_ech_accepted(server.get()));
2362 });
2363 threads.emplace_back([&] {
2364 EXPECT_TRUE(SSL_CTX_set1_ech_keys(server_ctx.get(), keys12.get()));
2365 });
2366 for (auto &thread : threads) {
2367 thread.join();
2368 }
2369}
2370#endif // OPENSSL_THREADS
2371
Nick Harper10458972022-10-26 15:28:08 -0400[diff] [blame]2372TEST(SSLTest, TLS13ExporterAvailability) {
2373 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
2374 bssl::UniquePtr<SSL_CTX> server_ctx =
2375 CreateContextWithTestCertificate(TLS_method());
2376 ASSERT_TRUE(client_ctx);
2377 ASSERT_TRUE(server_ctx);
2378 // Configure only TLS 1.3.
2379 ASSERT_TRUE(SSL_CTX_set_min_proto_version(client_ctx.get(), TLS1_3_VERSION));
2380 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION));
2381
2382 bssl::UniquePtr<SSL> client, server;
2383 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
2384 server_ctx.get()));
2385
2386 std::vector<uint8_t> buffer(32);
2387 const char *label = "EXPORTER-test-label";
2388
2389 // The exporters are not available before the handshake starts.
2390 EXPECT_FALSE(SSL_export_keying_material(client.get(), buffer.data(),
2391 buffer.size(), label, strlen(label),
2392 nullptr, 0, 0));
2393 EXPECT_FALSE(SSL_export_keying_material(server.get(), buffer.data(),
2394 buffer.size(), label, strlen(label),
2395 nullptr, 0, 0));
2396
2397 // Send the client's first flight of handshake messages.
2398 int client_ret = SSL_do_handshake(client.get());
2399 EXPECT_EQ(SSL_get_error(client.get(), client_ret), SSL_ERROR_WANT_READ);
2400
2401 // The handshake isn't far enough for the exporters to work.
2402 EXPECT_FALSE(SSL_export_keying_material(client.get(), buffer.data(),
2403 buffer.size(), label, strlen(label),
2404 nullptr, 0, 0));
2405 EXPECT_FALSE(SSL_export_keying_material(server.get(), buffer.data(),
2406 buffer.size(), label, strlen(label),
2407 nullptr, 0, 0));
2408
2409 // Send all the server's handshake messages.
2410 int server_ret = SSL_do_handshake(server.get());
2411 EXPECT_EQ(SSL_get_error(server.get(), server_ret), SSL_ERROR_WANT_READ);
2412
2413 // At this point in the handshake, the server should have the exporter key
2414 // derived since it's sent its Finished message. The client hasn't yet
2415 // processed the server's handshake messages, so the exporter shouldn't be
2416 // available to the client.
2417 EXPECT_FALSE(SSL_export_keying_material(client.get(), buffer.data(),
2418 buffer.size(), label, strlen(label),
2419 nullptr, 0, 0));
2420 EXPECT_TRUE(SSL_export_keying_material(server.get(), buffer.data(),
2421 buffer.size(), label, strlen(label),
2422 nullptr, 0, 0));
2423
2424 // Finish the handshake on the client.
2425 EXPECT_EQ(SSL_do_handshake(client.get()), 1);
2426
2427 // The exporter should be available on both endpoints.
2428 EXPECT_TRUE(SSL_export_keying_material(client.get(), buffer.data(),
2429 buffer.size(), label, strlen(label),
2430 nullptr, 0, 0));
2431 EXPECT_TRUE(SSL_export_keying_material(server.get(), buffer.data(),
2432 buffer.size(), label, strlen(label),
2433 nullptr, 0, 0));
2434
2435 // Finish the handshake on the server.
2436 EXPECT_EQ(SSL_do_handshake(server.get()), 1);
2437
2438 // The exporter should still be available on both endpoints.
2439 EXPECT_TRUE(SSL_export_keying_material(client.get(), buffer.data(),
2440 buffer.size(), label, strlen(label),
2441 nullptr, 0, 0));
2442 EXPECT_TRUE(SSL_export_keying_material(server.get(), buffer.data(),
2443 buffer.size(), label, strlen(label),
2444 nullptr, 0, 0));
2445}
2446
David Benjaminc79ae7a2017-08-29 16:09:44 -0400[diff] [blame]2447static void AppendSession(SSL_SESSION *session, void *arg) {
2448 std::vector<SSL_SESSION*> *out =
2449 reinterpret_cast<std::vector<SSL_SESSION*>*>(arg);
2450 out->push_back(session);
2451}
2452
2453// CacheEquals returns true if |ctx|'s session cache consists of |expected|, in
2454// order.
2455static bool CacheEquals(SSL_CTX *ctx,
2456 const std::vector<SSL_SESSION*> &expected) {
2457 // Check the linked list.
2458 SSL_SESSION *ptr = ctx->session_cache_head;
2459 for (SSL_SESSION *session : expected) {
2460 if (ptr != session) {
2461 return false;
2462 }
2463 // TODO(davidben): This is an absurd way to denote the end of the list.
2464 if (ptr->next ==
2465 reinterpret_cast<SSL_SESSION *>(&ctx->session_cache_tail)) {
2466 ptr = nullptr;
2467 } else {
2468 ptr = ptr->next;
2469 }
2470 }
2471 if (ptr != nullptr) {
2472 return false;
2473 }
2474
2475 // Check the hash table.
2476 std::vector<SSL_SESSION*> actual, expected_copy;
David Benjamin9eaa3bd2017-09-27 17:03:54 -0400[diff] [blame]2477 lh_SSL_SESSION_doall_arg(ctx->sessions, AppendSession, &actual);
David Benjaminc79ae7a2017-08-29 16:09:44 -0400[diff] [blame]2478 expected_copy = expected;
2479
2480 std::sort(actual.begin(), actual.end());
2481 std::sort(expected_copy.begin(), expected_copy.end());
2482
2483 return actual == expected_copy;
2484}
2485
2486static bssl::UniquePtr<SSL_SESSION> CreateTestSession(uint32_t number) {
2487 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
2488 if (!ssl_ctx) {
2489 return nullptr;
2490 }
2491 bssl::UniquePtr<SSL_SESSION> ret(SSL_SESSION_new(ssl_ctx.get()));
2492 if (!ret) {
2493 return nullptr;
2494 }
2495
David Benjaminaaef8332018-06-29 16:45:49 -0400[diff] [blame]2496 uint8_t id[SSL3_SSL_SESSION_ID_LENGTH] = {0};
2497 OPENSSL_memcpy(id, &number, sizeof(number));
2498 if (!SSL_SESSION_set1_id(ret.get(), id, sizeof(id))) {
2499 return nullptr;
2500 }
David Benjaminc79ae7a2017-08-29 16:09:44 -0400[diff] [blame]2501 return ret;
2502}
2503
2504// Test that the internal session cache behaves as expected.
2505TEST(SSLTest, InternalSessionCache) {
2506 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
2507 ASSERT_TRUE(ctx);
2508
2509 // Prepare 10 test sessions.
2510 std::vector<bssl::UniquePtr<SSL_SESSION>> sessions;
2511 for (int i = 0; i < 10; i++) {
2512 bssl::UniquePtr<SSL_SESSION> session = CreateTestSession(i);
2513 ASSERT_TRUE(session);
2514 sessions.push_back(std::move(session));
2515 }
2516
2517 SSL_CTX_sess_set_cache_size(ctx.get(), 5);
2518
2519 // Insert all the test sessions.
2520 for (const auto &session : sessions) {
2521 ASSERT_TRUE(SSL_CTX_add_session(ctx.get(), session.get()));
2522 }
2523
2524 // Only the last five should be in the list.
2525 ASSERT_TRUE(CacheEquals(
2526 ctx.get(), {sessions[9].get(), sessions[8].get(), sessions[7].get(),
2527 sessions[6].get(), sessions[5].get()}));
2528
2529 // Inserting an element already in the cache should fail and leave the cache
2530 // unchanged.
2531 ASSERT_FALSE(SSL_CTX_add_session(ctx.get(), sessions[7].get()));
2532 ASSERT_TRUE(CacheEquals(
2533 ctx.get(), {sessions[9].get(), sessions[8].get(), sessions[7].get(),
2534 sessions[6].get(), sessions[5].get()}));
2535
2536 // Although collisions should be impossible (256-bit session IDs), the cache
2537 // must handle them gracefully.
2538 bssl::UniquePtr<SSL_SESSION> collision(CreateTestSession(7));
2539 ASSERT_TRUE(collision);
2540 ASSERT_TRUE(SSL_CTX_add_session(ctx.get(), collision.get()));
2541 ASSERT_TRUE(CacheEquals(
2542 ctx.get(), {collision.get(), sessions[9].get(), sessions[8].get(),
2543 sessions[6].get(), sessions[5].get()}));
2544
2545 // Removing sessions behaves correctly.
2546 ASSERT_TRUE(SSL_CTX_remove_session(ctx.get(), sessions[6].get()));
2547 ASSERT_TRUE(CacheEquals(ctx.get(), {collision.get(), sessions[9].get(),
2548 sessions[8].get(), sessions[5].get()}));
2549
2550 // Removing sessions requires an exact match.
2551 ASSERT_FALSE(SSL_CTX_remove_session(ctx.get(), sessions[0].get()));
2552 ASSERT_FALSE(SSL_CTX_remove_session(ctx.get(), sessions[7].get()));
2553
2554 // The cache remains unchanged.
2555 ASSERT_TRUE(CacheEquals(ctx.get(), {collision.get(), sessions[9].get(),
2556 sessions[8].get(), sessions[5].get()}));
2557}
2558
2559static uint16_t EpochFromSequence(uint64_t seq) {
2560 return static_cast<uint16_t>(seq >> 48);
2561}
2562
David Benjamin71dfad42017-07-16 17:27:39 -0400[diff] [blame]2563static const uint8_t kTestName[] = {
2564 0x30, 0x45, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
2565 0x02, 0x41, 0x55, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
2566 0x0c, 0x0a, 0x53, 0x6f, 0x6d, 0x65, 0x2d, 0x53, 0x74, 0x61, 0x74, 0x65,
2567 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x18, 0x49,
2568 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x20, 0x57, 0x69, 0x64, 0x67,
2569 0x69, 0x74, 0x73, 0x20, 0x50, 0x74, 0x79, 0x20, 0x4c, 0x74, 0x64,
2570};
2571
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]2572// SSLVersionTest executes its test cases under all available protocol versions.
2573// Test cases call |Connect| to create a connection using context objects with
2574// the protocol version fixed to the current version under test.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2575class SSLVersionTest : public ::testing::TestWithParam<VersionParam> {
2576 protected:
2577 SSLVersionTest() : cert_(GetTestCertificate()), key_(GetTestKey()) {}
2578
2579 void SetUp() { ResetContexts(); }
2580
2581 bssl::UniquePtr<SSL_CTX> CreateContext() const {
2582 const SSL_METHOD *method = is_dtls() ? DTLS_method() : TLS_method();
2583 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method));
2584 if (!ctx || !SSL_CTX_set_min_proto_version(ctx.get(), version()) ||
2585 !SSL_CTX_set_max_proto_version(ctx.get(), version())) {
2586 return nullptr;
2587 }
2588 return ctx;
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2589 }
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]2590
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2591 void ResetContexts() {
2592 ASSERT_TRUE(cert_);
2593 ASSERT_TRUE(key_);
2594 client_ctx_ = CreateContext();
2595 ASSERT_TRUE(client_ctx_);
2596 server_ctx_ = CreateContext();
2597 ASSERT_TRUE(server_ctx_);
2598 // Set up a server cert. Client certs can be set up explicitly.
2599 ASSERT_TRUE(UseCertAndKey(server_ctx_.get()));
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2600 }
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]2601
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2602 bool UseCertAndKey(SSL_CTX *ctx) const {
2603 return SSL_CTX_use_certificate(ctx, cert_.get()) &&
2604 SSL_CTX_use_PrivateKey(ctx, key_.get());
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2605 }
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]2606
David Benjamina8614602017-09-06 15:40:19 -0400[diff] [blame]2607 bool Connect(const ClientConfig &config = ClientConfig()) {
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2608 return ConnectClientAndServer(&client_, &server_, client_ctx_.get(),
David Benjamin9b2cdb72021-04-01 23:21:53 -0400[diff] [blame]2609 server_ctx_.get(), config,
Matthew Braithwaiteb7bc80a2018-04-13 15:51:30 -0700[diff] [blame]2610 shed_handshake_config_);
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2611 }
2612
2613 uint16_t version() const { return GetParam().version; }
2614
2615 bool is_dtls() const {
2616 return GetParam().ssl_method == VersionParam::is_dtls;
2617 }
2618
Matthew Braithwaiteb7bc80a2018-04-13 15:51:30 -0700[diff] [blame]2619 bool shed_handshake_config_ = true;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2620 bssl::UniquePtr<SSL> client_, server_;
2621 bssl::UniquePtr<SSL_CTX> server_ctx_, client_ctx_;
2622 bssl::UniquePtr<X509> cert_;
2623 bssl::UniquePtr<EVP_PKEY> key_;
2624};
2625
David Benjaminbe7006a2019-04-09 18:05:02 -0500[diff] [blame]2626INSTANTIATE_TEST_SUITE_P(WithVersion, SSLVersionTest,
2627 testing::ValuesIn(kAllVersions),
2628 [](const testing::TestParamInfo<VersionParam> &i) {
2629 return i.param.name;
2630 });
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2631
2632TEST_P(SSLVersionTest, SequenceNumber) {
2633 ASSERT_TRUE(Connect());
2634
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2635 // Drain any post-handshake messages to ensure there are no unread records
2636 // on either end.
Steven Valdez777a2392019-02-21 11:30:47 -0500[diff] [blame]2637 ASSERT_TRUE(FlushNewSessionTickets(client_.get(), server_.get()));
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]2638
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2639 uint64_t client_read_seq = SSL_get_read_sequence(client_.get());
2640 uint64_t client_write_seq = SSL_get_write_sequence(client_.get());
2641 uint64_t server_read_seq = SSL_get_read_sequence(server_.get());
2642 uint64_t server_write_seq = SSL_get_write_sequence(server_.get());
Steven Valdez2c62fe92016-10-14 12:08:12 -0400[diff] [blame]2643
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2644 if (is_dtls()) {
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2645 // Both client and server must be at epoch 1.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2646 EXPECT_EQ(EpochFromSequence(client_read_seq), 1);
2647 EXPECT_EQ(EpochFromSequence(client_write_seq), 1);
2648 EXPECT_EQ(EpochFromSequence(server_read_seq), 1);
2649 EXPECT_EQ(EpochFromSequence(server_write_seq), 1);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2650
2651 // The next record to be written should exceed the largest received.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2652 EXPECT_GT(client_write_seq, server_read_seq);
2653 EXPECT_GT(server_write_seq, client_read_seq);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2654 } else {
2655 // The next record to be written should equal the next to be received.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2656 EXPECT_EQ(client_write_seq, server_read_seq);
2657 EXPECT_EQ(server_write_seq, client_read_seq);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2658 }
2659
2660 // Send a record from client to server.
Steven Valdez777a2392019-02-21 11:30:47 -0500[diff] [blame]2661 uint8_t byte = 0;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2662 EXPECT_EQ(SSL_write(client_.get(), &byte, 1), 1);
2663 EXPECT_EQ(SSL_read(server_.get(), &byte, 1), 1);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2664
2665 // The client write and server read sequence numbers should have
2666 // incremented.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2667 EXPECT_EQ(client_write_seq + 1, SSL_get_write_sequence(client_.get()));
2668 EXPECT_EQ(server_read_seq + 1, SSL_get_read_sequence(server_.get()));
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]2669}
2670
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2671TEST_P(SSLVersionTest, OneSidedShutdown) {
David Benjamin68f37b72016-11-18 15:14:42 +0900[diff] [blame]2672 // SSL_shutdown is a no-op in DTLS.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2673 if (is_dtls()) {
2674 return;
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]2675 }
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2676 ASSERT_TRUE(Connect());
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]2677
David Benjamin9734e442021-06-15 13:58:12 -0400[diff] [blame]2678 // Shut down half the connection. |SSL_shutdown| will return 0 to signal only
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]2679 // one side has shut down.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2680 ASSERT_EQ(SSL_shutdown(client_.get()), 0);
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]2681
2682 // Reading from the server should consume the EOF.
2683 uint8_t byte;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2684 ASSERT_EQ(SSL_read(server_.get(), &byte, 1), 0);
2685 ASSERT_EQ(SSL_get_error(server_.get(), 0), SSL_ERROR_ZERO_RETURN);
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]2686
2687 // However, the server may continue to write data and then shut down the
2688 // connection.
2689 byte = 42;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2690 ASSERT_EQ(SSL_write(server_.get(), &byte, 1), 1);
2691 ASSERT_EQ(SSL_read(client_.get(), &byte, 1), 1);
2692 ASSERT_EQ(byte, 42);
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]2693
2694 // The server may then shutdown the connection.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]2695 EXPECT_EQ(SSL_shutdown(server_.get()), 1);
2696 EXPECT_EQ(SSL_shutdown(client_.get()), 1);
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]2697}
David Benjamin68f37b72016-11-18 15:14:42 +0900[diff] [blame]2698
David Benjamin9734e442021-06-15 13:58:12 -0400[diff] [blame]2699// Test that, after calling |SSL_shutdown|, |SSL_write| fails.
2700TEST_P(SSLVersionTest, WriteAfterShutdown) {
2701 ASSERT_TRUE(Connect());
2702
2703 for (SSL *ssl : {client_.get(), server_.get()}) {
2704 SCOPED_TRACE(SSL_is_server(ssl) ? "server" : "client");
2705
2706 bssl::UniquePtr<BIO> mem(BIO_new(BIO_s_mem()));
2707 ASSERT_TRUE(mem);
2708 SSL_set0_wbio(ssl, bssl::UpRef(mem).release());
2709
2710 // Shut down half the connection. |SSL_shutdown| will return 0 to signal
2711 // only one side has shut down.
2712 ASSERT_EQ(SSL_shutdown(ssl), 0);
2713
2714 // |ssl| should have written an alert to the transport.
2715 const uint8_t *unused;
2716 size_t len;
2717 ASSERT_TRUE(BIO_mem_contents(mem.get(), &unused, &len));
2718 EXPECT_NE(0u, len);
2719 EXPECT_TRUE(BIO_reset(mem.get()));
2720
2721 // Writing should fail.
2722 EXPECT_EQ(-1, SSL_write(ssl, "a", 1));
2723
2724 // Nothing should be written to the transport.
2725 ASSERT_TRUE(BIO_mem_contents(mem.get(), &unused, &len));
2726 EXPECT_EQ(0u, len);
2727 }
2728}
2729
2730// Test that, after sending a fatal alert in a failed |SSL_read|, |SSL_write|
2731// fails.
2732TEST_P(SSLVersionTest, WriteAfterReadSentFatalAlert) {
2733 // Decryption failures are not fatal in DTLS.
2734 if (is_dtls()) {
2735 return;
2736 }
2737
2738 ASSERT_TRUE(Connect());
2739
2740 // Save the write |BIO|s as the test will overwrite them.
2741 bssl::UniquePtr<BIO> client_wbio = bssl::UpRef(SSL_get_wbio(client_.get()));
2742 bssl::UniquePtr<BIO> server_wbio = bssl::UpRef(SSL_get_wbio(server_.get()));
2743
2744 for (bool test_server : {false, true}) {
2745 SCOPED_TRACE(test_server ? "server" : "client");
2746 SSL *ssl = test_server ? server_.get() : client_.get();
2747 BIO *other_wbio = test_server ? client_wbio.get() : server_wbio.get();
2748
2749 bssl::UniquePtr<BIO> mem(BIO_new(BIO_s_mem()));
2750 ASSERT_TRUE(mem);
2751 SSL_set0_wbio(ssl, bssl::UpRef(mem).release());
2752
2753 // Read an invalid record from the peer.
2754 static const uint8_t kInvalidRecord[] = "invalid record";
2755 EXPECT_EQ(int{sizeof(kInvalidRecord)},
2756 BIO_write(other_wbio, kInvalidRecord, sizeof(kInvalidRecord)));
2757 char buf[256];
2758 EXPECT_EQ(-1, SSL_read(ssl, buf, sizeof(buf)));
2759
2760 // |ssl| should have written an alert to the transport.
2761 const uint8_t *unused;
2762 size_t len;
2763 ASSERT_TRUE(BIO_mem_contents(mem.get(), &unused, &len));
2764 EXPECT_NE(0u, len);
2765 EXPECT_TRUE(BIO_reset(mem.get()));
2766
2767 // Writing should fail.
2768 EXPECT_EQ(-1, SSL_write(ssl, "a", 1));
2769
2770 // Nothing should be written to the transport.
2771 ASSERT_TRUE(BIO_mem_contents(mem.get(), &unused, &len));
2772 EXPECT_EQ(0u, len);
2773 }
2774}
2775
2776// Test that, after sending a fatal alert from the handshake, |SSL_write| fails.
2777TEST_P(SSLVersionTest, WriteAfterHandshakeSentFatalAlert) {
2778 for (bool test_server : {false, true}) {
2779 SCOPED_TRACE(test_server ? "server" : "client");
2780
2781 bssl::UniquePtr<SSL> ssl(
2782 SSL_new(test_server ? server_ctx_.get() : client_ctx_.get()));
2783 ASSERT_TRUE(ssl);
2784 if (test_server) {
2785 SSL_set_accept_state(ssl.get());
2786 } else {
2787 SSL_set_connect_state(ssl.get());
2788 }
2789
2790 std::vector<uint8_t> invalid;
2791 if (is_dtls()) {
2792 // In DTLS, invalid records are discarded. To cause the handshake to fail,
2793 // use a valid handshake record with invalid contents.
2794 invalid.push_back(SSL3_RT_HANDSHAKE);
2795 invalid.push_back(DTLS1_VERSION >> 8);
2796 invalid.push_back(DTLS1_VERSION & 0xff);
2797 // epoch and sequence_number
2798 for (int i = 0; i < 8; i++) {
2799 invalid.push_back(0);
2800 }
2801 // A one-byte fragment is invalid.
2802 invalid.push_back(0);
2803 invalid.push_back(1);
2804 // Arbitrary contents.
2805 invalid.push_back(0);
2806 } else {
2807 invalid = {'i', 'n', 'v', 'a', 'l', 'i', 'd'};
2808 }
2809 bssl::UniquePtr<BIO> rbio(
2810 BIO_new_mem_buf(invalid.data(), invalid.size()));
2811 ASSERT_TRUE(rbio);
2812 SSL_set0_rbio(ssl.get(), rbio.release());
2813
2814 bssl::UniquePtr<BIO> mem(BIO_new(BIO_s_mem()));
2815 ASSERT_TRUE(mem);
2816 SSL_set0_wbio(ssl.get(), bssl::UpRef(mem).release());
2817
2818 // The handshake should fail.
2819 EXPECT_EQ(-1, SSL_do_handshake(ssl.get()));
2820 EXPECT_EQ(SSL_ERROR_SSL, SSL_get_error(ssl.get(), -1));
2821 uint32_t err = ERR_get_error();
2822
2823 // |ssl| should have written an alert (and, in the client's case, a
2824 // ClientHello) to the transport.
2825 const uint8_t *unused;
2826 size_t len;
2827 ASSERT_TRUE(BIO_mem_contents(mem.get(), &unused, &len));
2828 EXPECT_NE(0u, len);
2829 EXPECT_TRUE(BIO_reset(mem.get()));
2830
2831 // Writing should fail, with the same error as the handshake.
2832 EXPECT_EQ(-1, SSL_write(ssl.get(), "a", 1));
2833 EXPECT_EQ(SSL_ERROR_SSL, SSL_get_error(ssl.get(), -1));
2834 EXPECT_EQ(err, ERR_get_error());
2835
2836 // Nothing should be written to the transport.
2837 ASSERT_TRUE(BIO_mem_contents(mem.get(), &unused, &len));
2838 EXPECT_EQ(0u, len);
2839 }
2840}
2841
2842// Test that, after seeing TLS 1.2 in response to early data, |SSL_write|
2843// continues to report |SSL_R_WRONG_VERSION_ON_EARLY_DATA|. See
2844// https://crbug.com/1078515.
2845TEST(SSLTest, WriteAfterWrongVersionOnEarlyData) {
2846 // Set up some 0-RTT-enabled contexts.
2847 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
2848 bssl::UniquePtr<SSL_CTX> server_ctx =
2849 CreateContextWithTestCertificate(TLS_method());
2850 ASSERT_TRUE(client_ctx);
2851 ASSERT_TRUE(server_ctx);
2852 SSL_CTX_set_early_data_enabled(client_ctx.get(), 1);
2853 SSL_CTX_set_early_data_enabled(server_ctx.get(), 1);
2854 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
2855 SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH);
2856
2857 // Get an early-data-capable session.
2858 bssl::UniquePtr<SSL_SESSION> session =
2859 CreateClientSession(client_ctx.get(), server_ctx.get());
2860 ASSERT_TRUE(session);
2861 EXPECT_TRUE(SSL_SESSION_early_data_capable(session.get()));
2862
2863 // Offer the session to the server, but now the server speaks TLS 1.2.
2864 bssl::UniquePtr<SSL> client, server;
2865 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
2866 server_ctx.get()));
2867 SSL_set_session(client.get(), session.get());
2868 EXPECT_TRUE(SSL_set_max_proto_version(server.get(), TLS1_2_VERSION));
2869
2870 // The client handshake initially succeeds in the early data state.
2871 EXPECT_EQ(1, SSL_do_handshake(client.get()));
2872 EXPECT_TRUE(SSL_in_early_data(client.get()));
2873
2874 // The server processes the ClientHello and negotiates TLS 1.2.
2875 EXPECT_EQ(-1, SSL_do_handshake(server.get()));
2876 EXPECT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(server.get(), -1));
2877 EXPECT_EQ(TLS1_2_VERSION, SSL_version(server.get()));
2878
2879 // Capture the client's output.
2880 bssl::UniquePtr<BIO> mem(BIO_new(BIO_s_mem()));
2881 ASSERT_TRUE(mem);
2882 SSL_set0_wbio(client.get(), bssl::UpRef(mem).release());
2883
2884 // The client processes the ServerHello and fails.
2885 EXPECT_EQ(-1, SSL_do_handshake(client.get()));
2886 EXPECT_EQ(SSL_ERROR_SSL, SSL_get_error(client.get(), -1));
2887 uint32_t err = ERR_get_error();
2888 EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err));
2889 EXPECT_EQ(SSL_R_WRONG_VERSION_ON_EARLY_DATA, ERR_GET_REASON(err));
2890
2891 // The client should have written an alert to the transport.
2892 const uint8_t *unused;
2893 size_t len;
2894 ASSERT_TRUE(BIO_mem_contents(mem.get(), &unused, &len));
2895 EXPECT_NE(0u, len);
2896 EXPECT_TRUE(BIO_reset(mem.get()));
2897
2898 // Writing should fail, with the same error as the handshake.
2899 EXPECT_EQ(-1, SSL_write(client.get(), "a", 1));
2900 EXPECT_EQ(SSL_ERROR_SSL, SSL_get_error(client.get(), -1));
2901 err = ERR_get_error();
2902 EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err));
2903 EXPECT_EQ(SSL_R_WRONG_VERSION_ON_EARLY_DATA, ERR_GET_REASON(err));
2904
2905 // Nothing should be written to the transport.
2906 ASSERT_TRUE(BIO_mem_contents(mem.get(), &unused, &len));
2907 EXPECT_EQ(0u, len);
2908}
2909
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2910TEST(SSLTest, SessionDuplication) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2911 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
David Benjamin9b2cdb72021-04-01 23:21:53 -0400[diff] [blame]2912 bssl::UniquePtr<SSL_CTX> server_ctx =
2913 CreateContextWithTestCertificate(TLS_method());
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2914 ASSERT_TRUE(client_ctx);
2915 ASSERT_TRUE(server_ctx);
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]2916
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2917 bssl::UniquePtr<SSL> client, server;
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2918 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
David Benjamina8614602017-09-06 15:40:19 -0400[diff] [blame]2919 server_ctx.get()));
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]2920
2921 SSL_SESSION *session0 = SSL_get_session(client.get());
David Benjamin31b0c9b2017-07-20 14:49:15 -0400[diff] [blame]2922 bssl::UniquePtr<SSL_SESSION> session1 =
2923 bssl::SSL_SESSION_dup(session0, SSL_SESSION_DUP_ALL);
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2924 ASSERT_TRUE(session1);
David Benjamin4501bd52016-08-01 13:39:41 -0400[diff] [blame]2925
David Benjamina3a71e92018-06-29 13:24:45 -0400[diff] [blame]2926 session1->not_resumable = false;
Steven Valdez84b5c002016-08-25 16:30:58 -0400[diff] [blame]2927
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]2928 uint8_t *s0_bytes, *s1_bytes;
2929 size_t s0_len, s1_len;
2930
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2931 ASSERT_TRUE(SSL_SESSION_to_bytes(session0, &s0_bytes, &s0_len));
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2932 bssl::UniquePtr<uint8_t> free_s0(s0_bytes);
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]2933
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2934 ASSERT_TRUE(SSL_SESSION_to_bytes(session1.get(), &s1_bytes, &s1_len));
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2935 bssl::UniquePtr<uint8_t> free_s1(s1_bytes);
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]2936
David Benjamin7d7554b2017-02-04 11:48:59 -0500[diff] [blame]2937 EXPECT_EQ(Bytes(s0_bytes, s0_len), Bytes(s1_bytes, s1_len));
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]2938}
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]2939
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2940static void ExpectFDs(const SSL *ssl, int rfd, int wfd) {
David Benjaminca743582017-06-15 17:51:35 -0400[diff] [blame]2941 EXPECT_EQ(rfd, SSL_get_fd(ssl));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2942 EXPECT_EQ(rfd, SSL_get_rfd(ssl));
2943 EXPECT_EQ(wfd, SSL_get_wfd(ssl));
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]2944
2945 // The wrapper BIOs are always equal when fds are equal, even if set
2946 // individually.
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2947 if (rfd == wfd) {
2948 EXPECT_EQ(SSL_get_rbio(ssl), SSL_get_wbio(ssl));
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]2949 }
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]2950}
2951
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2952TEST(SSLTest, SetFD) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2953 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2954 ASSERT_TRUE(ctx);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]2955
2956 // Test setting different read and write FDs.
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2957 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2958 ASSERT_TRUE(ssl);
2959 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
2960 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 2));
2961 ExpectFDs(ssl.get(), 1, 2);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]2962
2963 // Test setting the same FD.
2964 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2965 ASSERT_TRUE(ssl);
2966 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
2967 ExpectFDs(ssl.get(), 1, 1);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]2968
2969 // Test setting the same FD one side at a time.
2970 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2971 ASSERT_TRUE(ssl);
2972 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
2973 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 1));
2974 ExpectFDs(ssl.get(), 1, 1);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]2975
2976 // Test setting the same FD in the other order.
2977 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2978 ASSERT_TRUE(ssl);
2979 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 1));
2980 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
2981 ExpectFDs(ssl.get(), 1, 1);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]2982
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]2983 // Test changing the read FD partway through.
2984 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2985 ASSERT_TRUE(ssl);
2986 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
2987 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 2));
2988 ExpectFDs(ssl.get(), 2, 1);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]2989
2990 // Test changing the write FD partway through.
2991 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2992 ASSERT_TRUE(ssl);
2993 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
2994 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 2));
2995 ExpectFDs(ssl.get(), 1, 2);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]2996
2997 // Test a no-op change to the read FD partway through.
2998 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2999 ASSERT_TRUE(ssl);
3000 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
3001 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
3002 ExpectFDs(ssl.get(), 1, 1);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]3003
3004 // Test a no-op change to the write FD partway through.
3005 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]3006 ASSERT_TRUE(ssl);
3007 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
3008 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 1));
3009 ExpectFDs(ssl.get(), 1, 1);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]3010
3011 // ASan builds will implicitly test that the internal |BIO| reference-counting
3012 // is correct.
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]3013}
3014
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]3015TEST(SSLTest, SetBIO) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]3016 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]3017 ASSERT_TRUE(ctx);
David Benjamin4501bd52016-08-01 13:39:41 -0400[diff] [blame]3018
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]3019 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
3020 bssl::UniquePtr<BIO> bio1(BIO_new(BIO_s_mem())), bio2(BIO_new(BIO_s_mem())),
David Benjamin4501bd52016-08-01 13:39:41 -0400[diff] [blame]3021 bio3(BIO_new(BIO_s_mem()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]3022 ASSERT_TRUE(ssl);
3023 ASSERT_TRUE(bio1);
3024 ASSERT_TRUE(bio2);
3025 ASSERT_TRUE(bio3);
David Benjamin4501bd52016-08-01 13:39:41 -0400[diff] [blame]3026
3027 // SSL_set_bio takes one reference when the parameters are the same.
3028 BIO_up_ref(bio1.get());
3029 SSL_set_bio(ssl.get(), bio1.get(), bio1.get());
3030
3031 // Repeating the call does nothing.
3032 SSL_set_bio(ssl.get(), bio1.get(), bio1.get());
3033
3034 // It takes one reference each when the parameters are different.
3035 BIO_up_ref(bio2.get());
3036 BIO_up_ref(bio3.get());
3037 SSL_set_bio(ssl.get(), bio2.get(), bio3.get());
3038
3039 // Repeating the call does nothing.
3040 SSL_set_bio(ssl.get(), bio2.get(), bio3.get());
3041
3042 // It takes one reference when changing only wbio.
3043 BIO_up_ref(bio1.get());
3044 SSL_set_bio(ssl.get(), bio2.get(), bio1.get());
3045
3046 // It takes one reference when changing only rbio and the two are different.
3047 BIO_up_ref(bio3.get());
3048 SSL_set_bio(ssl.get(), bio3.get(), bio1.get());
3049
3050 // If setting wbio to rbio, it takes no additional references.
3051 SSL_set_bio(ssl.get(), bio3.get(), bio3.get());
3052
3053 // From there, wbio may be switched to something else.
3054 BIO_up_ref(bio1.get());
3055 SSL_set_bio(ssl.get(), bio3.get(), bio1.get());
3056
3057 // If setting rbio to wbio, it takes no additional references.
3058 SSL_set_bio(ssl.get(), bio1.get(), bio1.get());
3059
3060 // From there, rbio may be switched to something else, but, for historical
3061 // reasons, it takes a reference to both parameters.
3062 BIO_up_ref(bio1.get());
3063 BIO_up_ref(bio2.get());
3064 SSL_set_bio(ssl.get(), bio2.get(), bio1.get());
3065
3066 // ASAN builds will implicitly test that the internal |BIO| reference-counting
3067 // is correct.
David Benjamin4501bd52016-08-01 13:39:41 -0400[diff] [blame]3068}
3069
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]3070static int VerifySucceed(X509_STORE_CTX *store_ctx, void *arg) { return 1; }
3071
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3072TEST_P(SSLVersionTest, GetPeerCertificate) {
3073 ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]3074
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3075 // Configure both client and server to accept any certificate.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3076 SSL_CTX_set_verify(client_ctx_.get(),
3077 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
3078 nullptr);
3079 SSL_CTX_set_cert_verify_callback(client_ctx_.get(), VerifySucceed, NULL);
3080 SSL_CTX_set_verify(server_ctx_.get(),
3081 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
3082 nullptr);
3083 SSL_CTX_set_cert_verify_callback(server_ctx_.get(), VerifySucceed, NULL);
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]3084
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3085 ASSERT_TRUE(Connect());
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]3086
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3087 // Client and server should both see the leaf certificate.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3088 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(server_.get()));
3089 ASSERT_TRUE(peer);
3090 ASSERT_EQ(X509_cmp(cert_.get(), peer.get()), 0);
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]3091
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3092 peer.reset(SSL_get_peer_certificate(client_.get()));
3093 ASSERT_TRUE(peer);
3094 ASSERT_EQ(X509_cmp(cert_.get(), peer.get()), 0);
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]3095
David Benjamine664a532017-07-20 20:19:36 -0400[diff] [blame]3096 // However, for historical reasons, the X509 chain includes the leaf on the
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3097 // client, but does not on the server.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3098 EXPECT_EQ(sk_X509_num(SSL_get_peer_cert_chain(client_.get())), 1u);
3099 EXPECT_EQ(sk_CRYPTO_BUFFER_num(SSL_get0_peer_certificates(client_.get())),
3100 1u);
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]3101
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3102 EXPECT_EQ(sk_X509_num(SSL_get_peer_cert_chain(server_.get())), 0u);
3103 EXPECT_EQ(sk_CRYPTO_BUFFER_num(SSL_get0_peer_certificates(server_.get())),
3104 1u);
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]3105}
3106
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3107TEST_P(SSLVersionTest, NoPeerCertificate) {
3108 SSL_CTX_set_verify(server_ctx_.get(), SSL_VERIFY_PEER, nullptr);
3109 SSL_CTX_set_cert_verify_callback(server_ctx_.get(), VerifySucceed, NULL);
3110 SSL_CTX_set_cert_verify_callback(client_ctx_.get(), VerifySucceed, NULL);
David Benjamine664a532017-07-20 20:19:36 -0400[diff] [blame]3111
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3112 ASSERT_TRUE(Connect());
David Benjamine664a532017-07-20 20:19:36 -0400[diff] [blame]3113
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3114 // Server should not see a peer certificate.
3115 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(server_.get()));
3116 ASSERT_FALSE(peer);
3117 ASSERT_FALSE(SSL_get0_peer_certificates(server_.get()));
David Benjamine664a532017-07-20 20:19:36 -0400[diff] [blame]3118}
3119
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3120TEST_P(SSLVersionTest, RetainOnlySHA256OfCerts) {
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]3121 uint8_t *cert_der = NULL;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3122 int cert_der_len = i2d_X509(cert_.get(), &cert_der);
3123 ASSERT_GE(cert_der_len, 0);
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]3124 bssl::UniquePtr<uint8_t> free_cert_der(cert_der);
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]3125
3126 uint8_t cert_sha256[SHA256_DIGEST_LENGTH];
3127 SHA256(cert_der, cert_der_len, cert_sha256);
3128
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3129 ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
3130
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3131 // Configure both client and server to accept any certificate, but the
3132 // server must retain only the SHA-256 of the peer.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3133 SSL_CTX_set_verify(client_ctx_.get(),
3134 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
3135 nullptr);
3136 SSL_CTX_set_verify(server_ctx_.get(),
3137 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
3138 nullptr);
3139 SSL_CTX_set_cert_verify_callback(client_ctx_.get(), VerifySucceed, NULL);
3140 SSL_CTX_set_cert_verify_callback(server_ctx_.get(), VerifySucceed, NULL);
3141 SSL_CTX_set_retain_only_sha256_of_client_certs(server_ctx_.get(), 1);
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]3142
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3143 ASSERT_TRUE(Connect());
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]3144
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3145 // The peer certificate has been dropped.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3146 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(server_.get()));
3147 EXPECT_FALSE(peer);
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]3148
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3149 SSL_SESSION *session = SSL_get_session(server_.get());
David Benjamin02de7bd2018-05-08 18:13:54 -0400[diff] [blame]3150 EXPECT_TRUE(SSL_SESSION_has_peer_sha256(session));
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]3151
David Benjamin02de7bd2018-05-08 18:13:54 -0400[diff] [blame]3152 const uint8_t *peer_sha256;
3153 size_t peer_sha256_len;
3154 SSL_SESSION_get0_peer_sha256(session, &peer_sha256, &peer_sha256_len);
3155 EXPECT_EQ(Bytes(cert_sha256), Bytes(peer_sha256, peer_sha256_len));
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]3156}
3157
David Benjamin737d2df2017-09-25 15:05:19 -0400[diff] [blame]3158// Tests that our ClientHellos do not change unexpectedly. These are purely
3159// change detection tests. If they fail as part of an intentional ClientHello
3160// change, update the test vector.
3161TEST(SSLTest, ClientHello) {
3162 struct {
3163 uint16_t max_version;
3164 std::vector<uint8_t> expected;
3165 } kTests[] = {
David Benjamin737d2df2017-09-25 15:05:19 -0400[diff] [blame]3166 {TLS1_VERSION,
3167 {0x16, 0x03, 0x01, 0x00, 0x5a, 0x01, 0x00, 0x00, 0x56, 0x03, 0x01, 0x00,
3168 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3169 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3170 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0e, 0xc0, 0x09,
3171 0xc0, 0x13, 0xc0, 0x0a, 0xc0, 0x14, 0x00, 0x2f, 0x00, 0x35, 0x00, 0x0a,
Adam Langleyd6680952018-08-23 08:01:23 -0700[diff] [blame]3172 0x01, 0x00, 0x00, 0x1f, 0x00, 0x17, 0x00, 0x00, 0xff, 0x01, 0x00, 0x01,
3173 0x00, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00,
3174 0x18, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00}},
David Benjamin737d2df2017-09-25 15:05:19 -0400[diff] [blame]3175 {TLS1_1_VERSION,
3176 {0x16, 0x03, 0x01, 0x00, 0x5a, 0x01, 0x00, 0x00, 0x56, 0x03, 0x02, 0x00,
3177 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3178 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3179 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0e, 0xc0, 0x09,
3180 0xc0, 0x13, 0xc0, 0x0a, 0xc0, 0x14, 0x00, 0x2f, 0x00, 0x35, 0x00, 0x0a,
Adam Langleyd6680952018-08-23 08:01:23 -0700[diff] [blame]3181 0x01, 0x00, 0x00, 0x1f, 0x00, 0x17, 0x00, 0x00, 0xff, 0x01, 0x00, 0x01,
3182 0x00, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00,
3183 0x18, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00}},
David Benjamin737d2df2017-09-25 15:05:19 -0400[diff] [blame]3184 {TLS1_2_VERSION,
David Benjamin6e678ee2018-04-16 19:54:42 -0400[diff] [blame]3185 {0x16, 0x03, 0x01, 0x00, 0x82, 0x01, 0x00, 0x00, 0x7e, 0x03, 0x03, 0x00,
David Benjamin737d2df2017-09-25 15:05:19 -0400[diff] [blame]3186 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3187 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
David Benjamin6e678ee2018-04-16 19:54:42 -0400[diff] [blame]3188 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1e, 0xcc, 0xa9,
David Benjamin737d2df2017-09-25 15:05:19 -0400[diff] [blame]3189 0xcc, 0xa8, 0xc0, 0x2b, 0xc0, 0x2f, 0xc0, 0x2c, 0xc0, 0x30, 0xc0, 0x09,
David Benjamin6e678ee2018-04-16 19:54:42 -0400[diff] [blame]3190 0xc0, 0x13, 0xc0, 0x0a, 0xc0, 0x14, 0x00, 0x9c, 0x00, 0x9d, 0x00, 0x2f,
Adam Langleyd6680952018-08-23 08:01:23 -0700[diff] [blame]3191 0x00, 0x35, 0x00, 0x0a, 0x01, 0x00, 0x00, 0x37, 0x00, 0x17, 0x00, 0x00,
3192 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00,
3193 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00,
3194 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x14, 0x00, 0x12, 0x04, 0x03, 0x08,
3195 0x04, 0x04, 0x01, 0x05, 0x03, 0x08, 0x05, 0x05, 0x01, 0x08, 0x06, 0x06,
3196 0x01, 0x02, 0x01}},
David Benjamin737d2df2017-09-25 15:05:19 -0400[diff] [blame]3197 // TODO(davidben): Add a change detector for TLS 1.3 once the spec and our
3198 // implementation has settled enough that it won't change.
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]3199 };
David Benjamin737d2df2017-09-25 15:05:19 -0400[diff] [blame]3200
3201 for (const auto &t : kTests) {
3202 SCOPED_TRACE(t.max_version);
3203
3204 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
3205 ASSERT_TRUE(ctx);
3206 // Our default cipher list varies by CPU capabilities, so manually place the
3207 // ChaCha20 ciphers in front.
3208 const char *cipher_list = "CHACHA20:ALL";
David Benjamin737d2df2017-09-25 15:05:19 -0400[diff] [blame]3209 ASSERT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), t.max_version));
3210 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(ctx.get(), cipher_list));
3211
3212 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
3213 ASSERT_TRUE(ssl);
3214 std::vector<uint8_t> client_hello;
3215 ASSERT_TRUE(GetClientHello(ssl.get(), &client_hello));
3216
3217 // Zero the client_random.
3218 constexpr size_t kRandomOffset = 1 + 2 + 2 + // record header
3219 1 + 3 + // handshake message header
3220 2; // client_version
3221 ASSERT_GE(client_hello.size(), kRandomOffset + SSL3_RANDOM_SIZE);
3222 OPENSSL_memset(client_hello.data() + kRandomOffset, 0, SSL3_RANDOM_SIZE);
3223
3224 if (client_hello != t.expected) {
3225 ADD_FAILURE() << "ClientHellos did not match.";
3226 // Print the value manually so it is easier to update the test vector.
3227 for (size_t i = 0; i < client_hello.size(); i += 12) {
3228 printf(" %c", i == 0 ? '{' : ' ');
3229 for (size_t j = i; j < client_hello.size() && j < i + 12; j++) {
3230 if (j > i) {
3231 printf(" ");
3232 }
3233 printf("0x%02x", client_hello[j]);
3234 if (j < client_hello.size() - 1) {
3235 printf(",");
3236 }
3237 }
3238 if (i + 12 >= client_hello.size()) {
Adam Langleyd6680952018-08-23 08:01:23 -0700[diff] [blame]3239 printf("}},");
David Benjamin737d2df2017-09-25 15:05:19 -0400[diff] [blame]3240 }
3241 printf("\n");
3242 }
3243 }
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]3244 }
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]3245}
3246
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3247static void ExpectSessionReused(SSL_CTX *client_ctx, SSL_CTX *server_ctx,
3248 SSL_SESSION *session, bool want_reused) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]3249 bssl::UniquePtr<SSL> client, server;
David Benjamina8614602017-09-06 15:40:19 -0400[diff] [blame]3250 ClientConfig config;
3251 config.session = session;
3252 EXPECT_TRUE(
3253 ConnectClientAndServer(&client, &server, client_ctx, server_ctx, config));
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]3254
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3255 EXPECT_EQ(SSL_session_reused(client.get()), SSL_session_reused(server.get()));
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]3256
3257 bool was_reused = !!SSL_session_reused(client.get());
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3258 EXPECT_EQ(was_reused, want_reused);
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]3259}
3260
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]3261static bssl::UniquePtr<SSL_SESSION> ExpectSessionRenewed(SSL_CTX *client_ctx,
3262 SSL_CTX *server_ctx,
3263 SSL_SESSION *session) {
3264 g_last_session = nullptr;
3265 SSL_CTX_sess_set_new_cb(client_ctx, SaveLastSession);
3266
3267 bssl::UniquePtr<SSL> client, server;
David Benjamina8614602017-09-06 15:40:19 -0400[diff] [blame]3268 ClientConfig config;
3269 config.session = session;
3270 if (!ConnectClientAndServer(&client, &server, client_ctx, server_ctx,
Steven Valdez777a2392019-02-21 11:30:47 -0500[diff] [blame]3271 config) ||
3272 !FlushNewSessionTickets(client.get(), server.get())) {
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]3273 fprintf(stderr, "Failed to connect client and server.\n");
3274 return nullptr;
3275 }
3276
3277 if (SSL_session_reused(client.get()) != SSL_session_reused(server.get())) {
3278 fprintf(stderr, "Client and server were inconsistent.\n");
3279 return nullptr;
3280 }
3281
3282 if (!SSL_session_reused(client.get())) {
3283 fprintf(stderr, "Session was not reused.\n");
3284 return nullptr;
3285 }
3286
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]3287 SSL_CTX_sess_set_new_cb(client_ctx, nullptr);
3288
3289 if (!g_last_session) {
3290 fprintf(stderr, "Client did not receive a renewed session.\n");
3291 return nullptr;
3292 }
3293 return std::move(g_last_session);
3294}
3295
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3296static void ExpectTicketKeyChanged(SSL_CTX *ctx, uint8_t *inout_key,
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]3297 bool changed) {
3298 uint8_t new_key[kTicketKeyLen];
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]3299 // May return 0, 1 or 48.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3300 ASSERT_EQ(SSL_CTX_get_tlsext_ticket_keys(ctx, new_key, kTicketKeyLen), 1);
3301 if (changed) {
3302 ASSERT_NE(Bytes(inout_key, kTicketKeyLen), Bytes(new_key));
3303 } else {
3304 ASSERT_EQ(Bytes(inout_key, kTicketKeyLen), Bytes(new_key));
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]3305 }
3306 OPENSSL_memcpy(inout_key, new_key, kTicketKeyLen);
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]3307}
3308
David Benjamina933c382016-10-28 00:10:03 -0400[diff] [blame]3309static int SwitchSessionIDContextSNI(SSL *ssl, int *out_alert, void *arg) {
3310 static const uint8_t kContext[] = {3};
3311
3312 if (!SSL_set_session_id_context(ssl, kContext, sizeof(kContext))) {
3313 return SSL_TLSEXT_ERR_ALERT_FATAL;
3314 }
3315
3316 return SSL_TLSEXT_ERR_OK;
3317}
3318
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3319TEST_P(SSLVersionTest, SessionIDContext) {
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]3320 static const uint8_t kContext1[] = {1};
3321 static const uint8_t kContext2[] = {2};
3322
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3323 ASSERT_TRUE(SSL_CTX_set_session_id_context(server_ctx_.get(), kContext1,
3324 sizeof(kContext1)));
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]3325
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3326 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
3327 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]3328
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3329 bssl::UniquePtr<SSL_SESSION> session =
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3330 CreateClientSession(client_ctx_.get(), server_ctx_.get());
3331 ASSERT_TRUE(session);
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]3332
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3333 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3334 session.get(),
3335 true /* expect session reused */));
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]3336
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3337 // Change the session ID context.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3338 ASSERT_TRUE(SSL_CTX_set_session_id_context(server_ctx_.get(), kContext2,
3339 sizeof(kContext2)));
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]3340
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3341 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3342 session.get(),
3343 false /* expect session not reused */));
David Benjamina933c382016-10-28 00:10:03 -0400[diff] [blame]3344
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3345 // Change the session ID context back and install an SNI callback to switch
3346 // it.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3347 ASSERT_TRUE(SSL_CTX_set_session_id_context(server_ctx_.get(), kContext1,
3348 sizeof(kContext1)));
David Benjamina933c382016-10-28 00:10:03 -0400[diff] [blame]3349
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3350 SSL_CTX_set_tlsext_servername_callback(server_ctx_.get(),
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3351 SwitchSessionIDContextSNI);
David Benjamina933c382016-10-28 00:10:03 -0400[diff] [blame]3352
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3353 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3354 session.get(),
3355 false /* expect session not reused */));
David Benjamina933c382016-10-28 00:10:03 -0400[diff] [blame]3356
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3357 // Switch the session ID context with the early callback instead.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3358 SSL_CTX_set_tlsext_servername_callback(server_ctx_.get(), nullptr);
Alessandro Ghedini57e81e62017-03-14 23:36:00 +0000[diff] [blame]3359 SSL_CTX_set_select_certificate_cb(
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3360 server_ctx_.get(),
Alessandro Ghedini57e81e62017-03-14 23:36:00 +0000[diff] [blame]3361 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
3362 static const uint8_t kContext[] = {3};
3363
3364 if (!SSL_set_session_id_context(client_hello->ssl, kContext,
3365 sizeof(kContext))) {
3366 return ssl_select_cert_error;
3367 }
3368
3369 return ssl_select_cert_success;
3370 });
David Benjamina933c382016-10-28 00:10:03 -0400[diff] [blame]3371
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3372 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3373 session.get(),
3374 false /* expect session not reused */));
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]3375}
3376
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]3377static timeval g_current_time;
3378
3379static void CurrentTimeCallback(const SSL *ssl, timeval *out_clock) {
3380 *out_clock = g_current_time;
3381}
3382
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]3383static void FrozenTimeCallback(const SSL *ssl, timeval *out_clock) {
3384 out_clock->tv_sec = 1000;
3385 out_clock->tv_usec = 0;
3386}
3387
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]3388static int RenewTicketCallback(SSL *ssl, uint8_t *key_name, uint8_t *iv,
3389 EVP_CIPHER_CTX *ctx, HMAC_CTX *hmac_ctx,
3390 int encrypt) {
3391 static const uint8_t kZeros[16] = {0};
3392
3393 if (encrypt) {
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]3394 OPENSSL_memcpy(key_name, kZeros, sizeof(kZeros));
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]3395 RAND_bytes(iv, 16);
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]3396 } else if (OPENSSL_memcmp(key_name, kZeros, 16) != 0) {
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]3397 return 0;
3398 }
3399
3400 if (!HMAC_Init_ex(hmac_ctx, kZeros, sizeof(kZeros), EVP_sha256(), NULL) ||
3401 !EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, kZeros, iv, encrypt)) {
3402 return -1;
3403 }
3404
3405 // Returning two from the callback in decrypt mode renews the
3406 // session in TLS 1.2 and below.
3407 return encrypt ? 1 : 2;
3408}
3409
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]3410static bool GetServerTicketTime(long *out, const SSL_SESSION *session) {
David Benjaminaaef8332018-06-29 16:45:49 -0400[diff] [blame]3411 const uint8_t *ticket;
3412 size_t ticket_len;
3413 SSL_SESSION_get0_ticket(session, &ticket, &ticket_len);
3414 if (ticket_len < 16 + 16 + SHA256_DIGEST_LENGTH) {
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]3415 return false;
3416 }
3417
David Benjaminaaef8332018-06-29 16:45:49 -0400[diff] [blame]3418 const uint8_t *ciphertext = ticket + 16 + 16;
3419 size_t len = ticket_len - 16 - 16 - SHA256_DIGEST_LENGTH;
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]3420 std::unique_ptr<uint8_t[]> plaintext(new uint8_t[len]);
3421
David Benjamin9b63f292016-11-15 00:44:05 -0500[diff] [blame]3422#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
3423 // Fuzzer-mode tickets are unencrypted.
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]3424 OPENSSL_memcpy(plaintext.get(), ciphertext, len);
David Benjamin9b63f292016-11-15 00:44:05 -0500[diff] [blame]3425#else
3426 static const uint8_t kZeros[16] = {0};
David Benjaminaaef8332018-06-29 16:45:49 -0400[diff] [blame]3427 const uint8_t *iv = ticket + 16;
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]3428 bssl::ScopedEVP_CIPHER_CTX ctx;
3429 int len1, len2;
3430 if (!EVP_DecryptInit_ex(ctx.get(), EVP_aes_128_cbc(), nullptr, kZeros, iv) ||
3431 !EVP_DecryptUpdate(ctx.get(), plaintext.get(), &len1, ciphertext, len) ||
3432 !EVP_DecryptFinal_ex(ctx.get(), plaintext.get() + len1, &len2)) {
3433 return false;
3434 }
3435
3436 len = static_cast<size_t>(len1 + len2);
David Benjamin9b63f292016-11-15 00:44:05 -0500[diff] [blame]3437#endif
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]3438
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]3439 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
3440 if (!ssl_ctx) {
3441 return false;
3442 }
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]3443 bssl::UniquePtr<SSL_SESSION> server_session(
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]3444 SSL_SESSION_from_bytes(plaintext.get(), len, ssl_ctx.get()));
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]3445 if (!server_session) {
3446 return false;
3447 }
3448
David Benjaminaaef8332018-06-29 16:45:49 -0400[diff] [blame]3449 *out = SSL_SESSION_get_time(server_session.get());
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]3450 return true;
3451}
3452
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3453TEST_P(SSLVersionTest, SessionTimeout) {
3454 for (bool server_test : {false, true}) {
3455 SCOPED_TRACE(server_test);
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]3456
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3457 ResetContexts();
3458 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
3459 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
3460
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]3461 static const time_t kStartTime = 1000;
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3462 g_current_time.tv_sec = kStartTime;
David Benjamin1b22f852016-10-27 16:36:32 -0400[diff] [blame]3463
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]3464 // We are willing to use a longer lifetime for TLS 1.3 sessions as
3465 // resumptions still perform ECDHE.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3466 const time_t timeout = version() == TLS1_3_VERSION
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]3467 ? SSL_DEFAULT_SESSION_PSK_DHE_TIMEOUT
3468 : SSL_DEFAULT_SESSION_TIMEOUT;
3469
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]3470 // Both client and server must enforce session timeouts. We configure the
3471 // other side with a frozen clock so it never expires tickets.
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3472 if (server_test) {
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3473 SSL_CTX_set_current_time_cb(client_ctx_.get(), FrozenTimeCallback);
3474 SSL_CTX_set_current_time_cb(server_ctx_.get(), CurrentTimeCallback);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3475 } else {
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3476 SSL_CTX_set_current_time_cb(client_ctx_.get(), CurrentTimeCallback);
3477 SSL_CTX_set_current_time_cb(server_ctx_.get(), FrozenTimeCallback);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3478 }
3479
3480 // Configure a ticket callback which renews tickets.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3481 SSL_CTX_set_tlsext_ticket_key_cb(server_ctx_.get(), RenewTicketCallback);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3482
3483 bssl::UniquePtr<SSL_SESSION> session =
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3484 CreateClientSession(client_ctx_.get(), server_ctx_.get());
3485 ASSERT_TRUE(session);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3486
3487 // Advance the clock just behind the timeout.
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]3488 g_current_time.tv_sec += timeout - 1;
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3489
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3490 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3491 session.get(),
3492 true /* expect session reused */));
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3493
3494 // Advance the clock one more second.
3495 g_current_time.tv_sec++;
3496
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3497 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3498 session.get(),
3499 false /* expect session not reused */));
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3500
3501 // Rewind the clock to before the session was minted.
3502 g_current_time.tv_sec = kStartTime - 1;
3503
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3504 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3505 session.get(),
3506 false /* expect session not reused */));
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3507
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3508 // Renew the session 10 seconds before expiration.
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]3509 time_t new_start_time = kStartTime + timeout - 10;
3510 g_current_time.tv_sec = new_start_time;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3511 bssl::UniquePtr<SSL_SESSION> new_session = ExpectSessionRenewed(
3512 client_ctx_.get(), server_ctx_.get(), session.get());
3513 ASSERT_TRUE(new_session);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3514
3515 // This new session is not the same object as before.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3516 EXPECT_NE(session.get(), new_session.get());
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3517
3518 // Check the sessions have timestamps measured from issuance.
3519 long session_time = 0;
3520 if (server_test) {
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3521 ASSERT_TRUE(GetServerTicketTime(&session_time, new_session.get()));
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3522 } else {
David Benjaminaaef8332018-06-29 16:45:49 -0400[diff] [blame]3523 session_time = SSL_SESSION_get_time(new_session.get());
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3524 }
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]3525
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3526 ASSERT_EQ(session_time, g_current_time.tv_sec);
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]3527
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3528 if (version() == TLS1_3_VERSION) {
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]3529 // Renewal incorporates fresh key material in TLS 1.3, so we extend the
3530 // lifetime TLS 1.3.
3531 g_current_time.tv_sec = new_start_time + timeout - 1;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3532 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3533 new_session.get(),
3534 true /* expect session reused */));
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]3535
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]3536 // The new session expires after the new timeout.
3537 g_current_time.tv_sec = new_start_time + timeout + 1;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3538 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3539 new_session.get(),
3540 false /* expect session ot reused */));
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]3541
3542 // Renew the session until it begins just past the auth timeout.
3543 time_t auth_end_time = kStartTime + SSL_DEFAULT_SESSION_AUTH_TIMEOUT;
3544 while (new_start_time < auth_end_time - 1000) {
3545 // Get as close as possible to target start time.
3546 new_start_time =
3547 std::min(auth_end_time - 1000, new_start_time + timeout - 1);
3548 g_current_time.tv_sec = new_start_time;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3549 new_session = ExpectSessionRenewed(client_ctx_.get(), server_ctx_.get(),
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]3550 new_session.get());
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3551 ASSERT_TRUE(new_session);
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]3552 }
3553
3554 // Now the session's lifetime is bound by the auth timeout.
3555 g_current_time.tv_sec = auth_end_time - 1;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3556 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3557 new_session.get(),
3558 true /* expect session reused */));
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]3559
3560 g_current_time.tv_sec = auth_end_time + 1;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3561 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3562 new_session.get(),
3563 false /* expect session ot reused */));
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]3564 } else {
3565 // The new session is usable just before the old expiration.
3566 g_current_time.tv_sec = kStartTime + timeout - 1;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3567 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3568 new_session.get(),
3569 true /* expect session reused */));
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]3570
3571 // Renewal does not extend the lifetime, so it is not usable beyond the
3572 // old expiration.
3573 g_current_time.tv_sec = kStartTime + timeout + 1;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3574 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3575 new_session.get(),
3576 false /* expect session not reused */));
David Benjamin1b22f852016-10-27 16:36:32 -0400[diff] [blame]3577 }
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]3578 }
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]3579}
3580
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3581TEST_P(SSLVersionTest, DefaultTicketKeyInitialization) {
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]3582 static const uint8_t kZeroKey[kTicketKeyLen] = {};
3583 uint8_t ticket_key[kTicketKeyLen];
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3584 ASSERT_EQ(1, SSL_CTX_get_tlsext_ticket_keys(server_ctx_.get(), ticket_key,
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]3585 kTicketKeyLen));
3586 ASSERT_NE(0, OPENSSL_memcmp(ticket_key, kZeroKey, kTicketKeyLen));
3587}
3588
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3589TEST_P(SSLVersionTest, DefaultTicketKeyRotation) {
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]3590 static const time_t kStartTime = 1001;
3591 g_current_time.tv_sec = kStartTime;
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]3592
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]3593 // We use session reuse as a proxy for ticket decryption success, hence
3594 // disable session timeouts.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3595 SSL_CTX_set_timeout(server_ctx_.get(), std::numeric_limits<uint32_t>::max());
3596 SSL_CTX_set_session_psk_dhe_timeout(server_ctx_.get(),
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]3597 std::numeric_limits<uint32_t>::max());
3598
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3599 SSL_CTX_set_current_time_cb(client_ctx_.get(), FrozenTimeCallback);
3600 SSL_CTX_set_current_time_cb(server_ctx_.get(), CurrentTimeCallback);
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]3601
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3602 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
3603 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_OFF);
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]3604
David Benjamin1f0d54b2018-08-09 16:19:13 -0500[diff] [blame]3605 // Initialize ticket_key with the current key and check that it was
3606 // initialized to something, not all zeros.
3607 uint8_t ticket_key[kTicketKeyLen] = {0};
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3608 TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
3609 true /* changed */));
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]3610
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]3611 // Verify ticket resumption actually works.
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]3612 bssl::UniquePtr<SSL> client, server;
3613 bssl::UniquePtr<SSL_SESSION> session =
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3614 CreateClientSession(client_ctx_.get(), server_ctx_.get());
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]3615 ASSERT_TRUE(session);
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3616 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]3617 session.get(), true /* reused */));
3618
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]3619 // Advance time to just before key rotation.
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]3620 g_current_time.tv_sec += SSL_DEFAULT_TICKET_KEY_ROTATION_INTERVAL - 1;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3621 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]3622 session.get(), true /* reused */));
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3623 TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]3624 false /* NOT changed */));
3625
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]3626 // Force key rotation.
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]3627 g_current_time.tv_sec += 1;
3628 bssl::UniquePtr<SSL_SESSION> new_session =
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3629 CreateClientSession(client_ctx_.get(), server_ctx_.get());
3630 TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
3631 true /* changed */));
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]3632
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]3633 // Resumption with both old and new ticket should work.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3634 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]3635 session.get(), true /* reused */));
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3636 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]3637 new_session.get(), true /* reused */));
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3638 TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]3639 false /* NOT changed */));
3640
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]3641 // Force key rotation again. Resumption with the old ticket now fails.
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]3642 g_current_time.tv_sec += SSL_DEFAULT_TICKET_KEY_ROTATION_INTERVAL;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3643 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]3644 session.get(), false /* NOT reused */));
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3645 TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
3646 true /* changed */));
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]3647
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]3648 // But resumption with the newer session still works.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3649 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]3650 new_session.get(), true /* reused */));
3651}
3652
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]3653static int SwitchContext(SSL *ssl, int *out_alert, void *arg) {
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3654 SSL_CTX *ctx = reinterpret_cast<SSL_CTX *>(arg);
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]3655 SSL_set_SSL_CTX(ssl, ctx);
3656 return SSL_TLSEXT_ERR_OK;
3657}
3658
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3659TEST_P(SSLVersionTest, SNICallback) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]3660 bssl::UniquePtr<X509> cert2 = GetECDSATestCertificate();
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3661 ASSERT_TRUE(cert2);
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]3662 bssl::UniquePtr<EVP_PKEY> key2 = GetECDSATestKey();
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3663 ASSERT_TRUE(key2);
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]3664
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3665 // Test that switching the |SSL_CTX| at the SNI callback behaves correctly.
3666 static const uint16_t kECDSAWithSHA256 = SSL_SIGN_ECDSA_SECP256R1_SHA256;
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]3667
David Benjamin83a32122017-02-14 18:34:54 -0500[diff] [blame]3668 static const uint8_t kSCTList[] = {0, 6, 0, 4, 5, 6, 7, 8};
3669 static const uint8_t kOCSPResponse[] = {1, 2, 3, 4};
3670
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3671 bssl::UniquePtr<SSL_CTX> server_ctx2 = CreateContext();
3672 ASSERT_TRUE(server_ctx2);
3673 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx2.get(), cert2.get()));
3674 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx2.get(), key2.get()));
3675 ASSERT_TRUE(SSL_CTX_set_signed_cert_timestamp_list(
3676 server_ctx2.get(), kSCTList, sizeof(kSCTList)));
3677 ASSERT_TRUE(SSL_CTX_set_ocsp_response(server_ctx2.get(), kOCSPResponse,
3678 sizeof(kOCSPResponse)));
3679 // Historically signing preferences would be lost in some cases with the
3680 // SNI callback, which triggers the TLS 1.2 SHA-1 default. To ensure
3681 // this doesn't happen when |version| is TLS 1.2, configure the private
3682 // key to only sign SHA-256.
3683 ASSERT_TRUE(SSL_CTX_set_signing_algorithm_prefs(server_ctx2.get(),
3684 &kECDSAWithSHA256, 1));
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]3685
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3686 SSL_CTX_set_tlsext_servername_callback(server_ctx_.get(), SwitchContext);
3687 SSL_CTX_set_tlsext_servername_arg(server_ctx_.get(), server_ctx2.get());
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]3688
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3689 SSL_CTX_enable_signed_cert_timestamps(client_ctx_.get());
3690 SSL_CTX_enable_ocsp_stapling(client_ctx_.get());
David Benjamin83a32122017-02-14 18:34:54 -0500[diff] [blame]3691
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3692 ASSERT_TRUE(Connect());
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]3693
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3694 // The client should have received |cert2|.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3695 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(client_.get()));
3696 ASSERT_TRUE(peer);
3697 EXPECT_EQ(X509_cmp(peer.get(), cert2.get()), 0);
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]3698
David Benjamin83a32122017-02-14 18:34:54 -0500[diff] [blame]3699 // The client should have received |server_ctx2|'s SCT list.
3700 const uint8_t *data;
3701 size_t len;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3702 SSL_get0_signed_cert_timestamp_list(client_.get(), &data, &len);
3703 EXPECT_EQ(Bytes(kSCTList), Bytes(data, len));
David Benjamin83a32122017-02-14 18:34:54 -0500[diff] [blame]3704
3705 // The client should have received |server_ctx2|'s OCSP response.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3706 SSL_get0_ocsp_response(client_.get(), &data, &len);
3707 EXPECT_EQ(Bytes(kOCSPResponse), Bytes(data, len));
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]3708}
3709
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]3710// Test that the early callback can swap the maximum version.
3711TEST(SSLTest, EarlyCallbackVersionSwitch) {
David Benjamin9b2cdb72021-04-01 23:21:53 -0400[diff] [blame]3712 bssl::UniquePtr<SSL_CTX> server_ctx =
3713 CreateContextWithTestCertificate(TLS_method());
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]3714 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]3715 ASSERT_TRUE(server_ctx);
3716 ASSERT_TRUE(client_ctx);
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]3717 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION));
3718 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
David Benjamin99620572016-08-30 00:35:36 -0400[diff] [blame]3719
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]3720 SSL_CTX_set_select_certificate_cb(
Alessandro Ghedini57e81e62017-03-14 23:36:00 +0000[diff] [blame]3721 server_ctx.get(),
3722 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]3723 if (!SSL_set_max_proto_version(client_hello->ssl, TLS1_2_VERSION)) {
Alessandro Ghedini57e81e62017-03-14 23:36:00 +0000[diff] [blame]3724 return ssl_select_cert_error;
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]3725 }
3726
Alessandro Ghedini57e81e62017-03-14 23:36:00 +0000[diff] [blame]3727 return ssl_select_cert_success;
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]3728 });
David Benjamin99620572016-08-30 00:35:36 -0400[diff] [blame]3729
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]3730 bssl::UniquePtr<SSL> client, server;
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]3731 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
David Benjamina8614602017-09-06 15:40:19 -0400[diff] [blame]3732 server_ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]3733 EXPECT_EQ(TLS1_2_VERSION, SSL_version(client.get()));
David Benjamin99620572016-08-30 00:35:36 -0400[diff] [blame]3734}
3735
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]3736TEST(SSLTest, SetVersion) {
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]3737 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]3738 ASSERT_TRUE(ctx);
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]3739
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]3740 // Set valid TLS versions.
David Benjamin7a4df8e2021-10-14 13:56:03 -0400[diff] [blame]3741 for (const auto &vers : kAllVersions) {
3742 SCOPED_TRACE(vers.name);
3743 if (vers.ssl_method == VersionParam::is_tls) {
3744 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), vers.version));
3745 EXPECT_EQ(SSL_CTX_get_max_proto_version(ctx.get()), vers.version);
3746 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), vers.version));
3747 EXPECT_EQ(SSL_CTX_get_min_proto_version(ctx.get()), vers.version);
3748 }
3749 }
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]3750
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]3751 // Invalid TLS versions are rejected.
3752 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), DTLS1_VERSION));
3753 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0x0200));
3754 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0x1234));
3755 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), DTLS1_VERSION));
3756 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x0200));
3757 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x1234));
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]3758
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]3759 // Zero is the default version.
3760 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), 0));
Matthew Braithwaite58d56f42019-11-04 13:20:01 -0800[diff] [blame]3761 EXPECT_EQ(TLS1_3_VERSION, SSL_CTX_get_max_proto_version(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]3762 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), 0));
Nitish Sakhawalkara4af5f82019-03-25 17:26:59 -0700[diff] [blame]3763 EXPECT_EQ(TLS1_VERSION, SSL_CTX_get_min_proto_version(ctx.get()));
David Benjamin3cfeb952017-03-01 16:48:38 -0500[diff] [blame]3764
David Benjamin9bb15f52018-06-26 00:07:40 -0400[diff] [blame]3765 // SSL 3.0 is not available.
3766 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), SSL3_VERSION));
3767
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]3768 ctx.reset(SSL_CTX_new(DTLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]3769 ASSERT_TRUE(ctx);
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]3770
David Benjamin7a4df8e2021-10-14 13:56:03 -0400[diff] [blame]3771 // Set valid DTLS versions.
3772 for (const auto &vers : kAllVersions) {
3773 SCOPED_TRACE(vers.name);
3774 if (vers.ssl_method == VersionParam::is_dtls) {
3775 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), vers.version));
3776 EXPECT_EQ(SSL_CTX_get_max_proto_version(ctx.get()), vers.version);
3777 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), vers.version));
3778 EXPECT_EQ(SSL_CTX_get_min_proto_version(ctx.get()), vers.version);
3779 }
3780 }
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]3781
David Benjamin7a4df8e2021-10-14 13:56:03 -0400[diff] [blame]3782 // Invalid DTLS versions are rejected.
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]3783 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_VERSION));
3784 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0xfefe /* DTLS 1.1 */));
3785 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0xfffe /* DTLS 0.1 */));
3786 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0x1234));
3787 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_VERSION));
3788 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0xfefe /* DTLS 1.1 */));
3789 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0xfffe /* DTLS 0.1 */));
3790 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x1234));
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]3791
David Benjamin7a4df8e2021-10-14 13:56:03 -0400[diff] [blame]3792 // Zero is the default version.
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]3793 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), 0));
Nitish Sakhawalkara4af5f82019-03-25 17:26:59 -0700[diff] [blame]3794 EXPECT_EQ(DTLS1_2_VERSION, SSL_CTX_get_max_proto_version(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]3795 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), 0));
Nitish Sakhawalkara4af5f82019-03-25 17:26:59 -0700[diff] [blame]3796 EXPECT_EQ(DTLS1_VERSION, SSL_CTX_get_min_proto_version(ctx.get()));
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]3797}
3798
David Benjamin458334a2016-12-15 13:53:25 -0500[diff] [blame]3799static const char *GetVersionName(uint16_t version) {
3800 switch (version) {
David Benjamin458334a2016-12-15 13:53:25 -0500[diff] [blame]3801 case TLS1_VERSION:
3802 return "TLSv1";
3803 case TLS1_1_VERSION:
3804 return "TLSv1.1";
3805 case TLS1_2_VERSION:
3806 return "TLSv1.2";
3807 case TLS1_3_VERSION:
3808 return "TLSv1.3";
3809 case DTLS1_VERSION:
3810 return "DTLSv1";
3811 case DTLS1_2_VERSION:
3812 return "DTLSv1.2";
3813 default:
3814 return "???";
3815 }
3816}
3817
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3818TEST_P(SSLVersionTest, Version) {
3819 ASSERT_TRUE(Connect());
David Benjamincb18ac22016-09-27 14:09:15 -0400[diff] [blame]3820
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3821 EXPECT_EQ(SSL_version(client_.get()), version());
3822 EXPECT_EQ(SSL_version(server_.get()), version());
David Benjamincb18ac22016-09-27 14:09:15 -0400[diff] [blame]3823
David Benjamin458334a2016-12-15 13:53:25 -0500[diff] [blame]3824 // Test the version name is reported as expected.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3825 const char *version_name = GetVersionName(version());
3826 EXPECT_EQ(strcmp(version_name, SSL_get_version(client_.get())), 0);
3827 EXPECT_EQ(strcmp(version_name, SSL_get_version(server_.get())), 0);
David Benjamin458334a2016-12-15 13:53:25 -0500[diff] [blame]3828
3829 // Test SSL_SESSION reports the same name.
3830 const char *client_name =
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3831 SSL_SESSION_get_version(SSL_get_session(client_.get()));
David Benjamin458334a2016-12-15 13:53:25 -0500[diff] [blame]3832 const char *server_name =
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3833 SSL_SESSION_get_version(SSL_get_session(server_.get()));
3834 EXPECT_EQ(strcmp(version_name, client_name), 0);
3835 EXPECT_EQ(strcmp(version_name, server_name), 0);
David Benjamincb18ac22016-09-27 14:09:15 -0400[diff] [blame]3836}
3837
David Benjamin9ef31f02016-10-31 18:01:13 -0400[diff] [blame]3838// Tests that that |SSL_get_pending_cipher| is available during the ALPN
3839// selection callback.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3840TEST_P(SSLVersionTest, ALPNCipherAvailable) {
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3841 ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
3842
David Benjamin9ef31f02016-10-31 18:01:13 -0400[diff] [blame]3843 static const uint8_t kALPNProtos[] = {0x03, 'f', 'o', 'o'};
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3844 ASSERT_EQ(SSL_CTX_set_alpn_protos(client_ctx_.get(), kALPNProtos,
3845 sizeof(kALPNProtos)),
3846 0);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3847
3848 // The ALPN callback does not fail the handshake on error, so have the
3849 // callback write a boolean.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3850 std::pair<uint16_t, bool> callback_state(version(), false);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3851 SSL_CTX_set_alpn_select_cb(
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3852 server_ctx_.get(),
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3853 [](SSL *ssl, const uint8_t **out, uint8_t *out_len, const uint8_t *in,
3854 unsigned in_len, void *arg) -> int {
3855 auto state = reinterpret_cast<std::pair<uint16_t, bool> *>(arg);
3856 if (SSL_get_pending_cipher(ssl) != nullptr &&
3857 SSL_version(ssl) == state->first) {
3858 state->second = true;
3859 }
3860 return SSL_TLSEXT_ERR_NOACK;
3861 },
3862 &callback_state);
3863
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3864 ASSERT_TRUE(Connect());
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3865
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3866 ASSERT_TRUE(callback_state.second);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3867}
3868
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3869TEST_P(SSLVersionTest, SSLClearSessionResumption) {
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]3870 // Skip this for TLS 1.3. TLS 1.3's ticket mechanism is incompatible with this
3871 // API pattern.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3872 if (version() == TLS1_3_VERSION) {
3873 return;
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]3874 }
3875
Matthew Braithwaiteb7bc80a2018-04-13 15:51:30 -0700[diff] [blame]3876 shed_handshake_config_ = false;
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3877 ASSERT_TRUE(Connect());
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]3878
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3879 EXPECT_FALSE(SSL_session_reused(client_.get()));
3880 EXPECT_FALSE(SSL_session_reused(server_.get()));
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]3881
3882 // Reset everything.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3883 ASSERT_TRUE(SSL_clear(client_.get()));
3884 ASSERT_TRUE(SSL_clear(server_.get()));
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]3885
3886 // Attempt to connect a second time.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3887 ASSERT_TRUE(CompleteHandshakes(client_.get(), server_.get()));
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]3888
3889 // |SSL_clear| should implicitly offer the previous session to the server.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3890 EXPECT_TRUE(SSL_session_reused(client_.get()));
3891 EXPECT_TRUE(SSL_session_reused(server_.get()));
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]3892}
3893
Matthew Braithwaiteb7bc80a2018-04-13 15:51:30 -0700[diff] [blame]3894TEST_P(SSLVersionTest, SSLClearFailsWithShedding) {
3895 shed_handshake_config_ = false;
3896 ASSERT_TRUE(Connect());
3897 ASSERT_TRUE(CompleteHandshakes(client_.get(), server_.get()));
3898
3899 // Reset everything.
3900 ASSERT_TRUE(SSL_clear(client_.get()));
3901 ASSERT_TRUE(SSL_clear(server_.get()));
3902
3903 // Now enable shedding, and connect a second time.
3904 shed_handshake_config_ = true;
3905 ASSERT_TRUE(Connect());
3906 ASSERT_TRUE(CompleteHandshakes(client_.get(), server_.get()));
3907
3908 // |SSL_clear| should now fail.
3909 ASSERT_FALSE(SSL_clear(client_.get()));
3910 ASSERT_FALSE(SSL_clear(server_.get()));
3911}
3912
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3913static bool ChainsEqual(STACK_OF(X509) * chain,
3914 const std::vector<X509 *> &expected) {
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]3915 if (sk_X509_num(chain) != expected.size()) {
3916 return false;
3917 }
3918
3919 for (size_t i = 0; i < expected.size(); i++) {
3920 if (X509_cmp(sk_X509_value(chain, i), expected[i]) != 0) {
3921 return false;
3922 }
3923 }
3924
3925 return true;
3926}
3927
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3928TEST_P(SSLVersionTest, AutoChain) {
3929 cert_ = GetChainTestCertificate();
3930 ASSERT_TRUE(cert_);
3931 key_ = GetChainTestKey();
3932 ASSERT_TRUE(key_);
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]3933 bssl::UniquePtr<X509> intermediate = GetChainTestIntermediate();
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3934 ASSERT_TRUE(intermediate);
3935
3936 ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
3937 ASSERT_TRUE(UseCertAndKey(server_ctx_.get()));
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]3938
3939 // Configure both client and server to accept any certificate. Add
3940 // |intermediate| to the cert store.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3941 ASSERT_TRUE(X509_STORE_add_cert(SSL_CTX_get_cert_store(client_ctx_.get()),
3942 intermediate.get()));
3943 ASSERT_TRUE(X509_STORE_add_cert(SSL_CTX_get_cert_store(server_ctx_.get()),
3944 intermediate.get()));
3945 SSL_CTX_set_verify(client_ctx_.get(),
3946 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
3947 nullptr);
3948 SSL_CTX_set_verify(server_ctx_.get(),
3949 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
3950 nullptr);
3951 SSL_CTX_set_cert_verify_callback(client_ctx_.get(), VerifySucceed, NULL);
3952 SSL_CTX_set_cert_verify_callback(server_ctx_.get(), VerifySucceed, NULL);
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]3953
3954 // By default, the client and server should each only send the leaf.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3955 ASSERT_TRUE(Connect());
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]3956
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3957 EXPECT_TRUE(
3958 ChainsEqual(SSL_get_peer_full_cert_chain(client_.get()), {cert_.get()}));
3959 EXPECT_TRUE(
3960 ChainsEqual(SSL_get_peer_full_cert_chain(server_.get()), {cert_.get()}));
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]3961
3962 // If auto-chaining is enabled, then the intermediate is sent.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3963 SSL_CTX_clear_mode(client_ctx_.get(), SSL_MODE_NO_AUTO_CHAIN);
3964 SSL_CTX_clear_mode(server_ctx_.get(), SSL_MODE_NO_AUTO_CHAIN);
3965 ASSERT_TRUE(Connect());
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]3966
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3967 EXPECT_TRUE(ChainsEqual(SSL_get_peer_full_cert_chain(client_.get()),
3968 {cert_.get(), intermediate.get()}));
3969 EXPECT_TRUE(ChainsEqual(SSL_get_peer_full_cert_chain(server_.get()),
3970 {cert_.get(), intermediate.get()}));
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]3971
3972 // Auto-chaining does not override explicitly-configured intermediates.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3973 ASSERT_TRUE(SSL_CTX_add1_chain_cert(client_ctx_.get(), cert_.get()));
3974 ASSERT_TRUE(SSL_CTX_add1_chain_cert(server_ctx_.get(), cert_.get()));
3975 ASSERT_TRUE(Connect());
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]3976
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3977 EXPECT_TRUE(ChainsEqual(SSL_get_peer_full_cert_chain(client_.get()),
3978 {cert_.get(), cert_.get()}));
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]3979
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]3980 EXPECT_TRUE(ChainsEqual(SSL_get_peer_full_cert_chain(server_.get()),
3981 {cert_.get(), cert_.get()}));
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]3982}
3983
David Benjamin64bf8c52022-07-22 15:49:45 -0700[diff] [blame]3984static bool ExpectSingleError(int lib, int reason) {
3985 const char *expected = ERR_reason_error_string(ERR_PACK(lib, reason));
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]3986 int err = ERR_get_error();
David Benjamin64bf8c52022-07-22 15:49:45 -0700[diff] [blame]3987 if (ERR_GET_LIB(err) != lib || ERR_GET_REASON(err) != reason) {
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]3988 char buf[ERR_ERROR_STRING_BUF_LEN];
3989 ERR_error_string_n(err, buf, sizeof(buf));
David Benjamin64bf8c52022-07-22 15:49:45 -0700[diff] [blame]3990 fprintf(stderr, "Wanted %s, got: %s.\n", expected, buf);
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]3991 return false;
3992 }
3993
3994 if (ERR_peek_error() != 0) {
David Benjamin64bf8c52022-07-22 15:49:45 -0700[diff] [blame]3995 fprintf(stderr, "Unexpected error following %s.\n", expected);
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]3996 return false;
3997 }
3998
3999 return true;
4000}
4001
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]4002TEST_P(SSLVersionTest, SSLWriteRetry) {
4003 if (is_dtls()) {
4004 return;
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]4005 }
4006
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]4007 for (bool enable_partial_write : {false, true}) {
4008 SCOPED_TRACE(enable_partial_write);
4009
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]4010 // Connect a client and server.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]4011 ASSERT_TRUE(Connect());
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]4012
4013 if (enable_partial_write) {
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]4014 SSL_set_mode(client_.get(), SSL_MODE_ENABLE_PARTIAL_WRITE);
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]4015 }
4016
4017 // Write without reading until the buffer is full and we have an unfinished
4018 // write. Keep a count so we may reread it again later. "hello!" will be
4019 // written in two chunks, "hello" and "!".
4020 char data[] = "hello!";
4021 static const int kChunkLen = 5; // The length of "hello".
4022 unsigned count = 0;
4023 for (;;) {
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]4024 int ret = SSL_write(client_.get(), data, kChunkLen);
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]4025 if (ret <= 0) {
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]4026 ASSERT_EQ(SSL_get_error(client_.get(), ret), SSL_ERROR_WANT_WRITE);
4027 break;
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]4028 }
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]4029 ASSERT_EQ(ret, 5);
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]4030 count++;
4031 }
4032
4033 // Retrying with the same parameters is legal.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]4034 ASSERT_EQ(
4035 SSL_get_error(client_.get(), SSL_write(client_.get(), data, kChunkLen)),
4036 SSL_ERROR_WANT_WRITE);
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]4037
4038 // Retrying with the same buffer but shorter length is not legal.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]4039 ASSERT_EQ(SSL_get_error(client_.get(),
4040 SSL_write(client_.get(), data, kChunkLen - 1)),
4041 SSL_ERROR_SSL);
David Benjamin64bf8c52022-07-22 15:49:45 -0700[diff] [blame]4042 ASSERT_TRUE(ExpectSingleError(ERR_LIB_SSL, SSL_R_BAD_WRITE_RETRY));
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]4043
4044 // Retrying with a different buffer pointer is not legal.
4045 char data2[] = "hello";
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]4046 ASSERT_EQ(SSL_get_error(client_.get(),
4047 SSL_write(client_.get(), data2, kChunkLen)),
4048 SSL_ERROR_SSL);
David Benjamin64bf8c52022-07-22 15:49:45 -0700[diff] [blame]4049 ASSERT_TRUE(ExpectSingleError(ERR_LIB_SSL, SSL_R_BAD_WRITE_RETRY));
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]4050
4051 // With |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER|, the buffer may move.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]4052 SSL_set_mode(client_.get(), SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
4053 ASSERT_EQ(SSL_get_error(client_.get(),
4054 SSL_write(client_.get(), data2, kChunkLen)),
4055 SSL_ERROR_WANT_WRITE);
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]4056
4057 // |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER| does not disable length checks.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]4058 ASSERT_EQ(SSL_get_error(client_.get(),
4059 SSL_write(client_.get(), data2, kChunkLen - 1)),
4060 SSL_ERROR_SSL);
David Benjamin64bf8c52022-07-22 15:49:45 -0700[diff] [blame]4061 ASSERT_TRUE(ExpectSingleError(ERR_LIB_SSL, SSL_R_BAD_WRITE_RETRY));
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]4062
4063 // Retrying with a larger buffer is legal.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]4064 ASSERT_EQ(SSL_get_error(client_.get(),
4065 SSL_write(client_.get(), data, kChunkLen + 1)),
4066 SSL_ERROR_WANT_WRITE);
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]4067
4068 // Drain the buffer.
4069 char buf[20];
4070 for (unsigned i = 0; i < count; i++) {
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]4071 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen);
4072 ASSERT_EQ(OPENSSL_memcmp(buf, "hello", kChunkLen), 0);
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]4073 }
4074
4075 // Now that there is space, a retry with a larger buffer should flush the
4076 // pending record, skip over that many bytes of input (on assumption they
4077 // are the same), and write the remainder. If SSL_MODE_ENABLE_PARTIAL_WRITE
4078 // is set, this will complete in two steps.
David Benjamin64bf8c52022-07-22 15:49:45 -0700[diff] [blame]4079 char data_longer[] = "_____!!!!!";
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]4080 if (enable_partial_write) {
David Benjamin64bf8c52022-07-22 15:49:45 -0700[diff] [blame]4081 ASSERT_EQ(SSL_write(client_.get(), data_longer, 2 * kChunkLen),
4082 kChunkLen);
4083 ASSERT_EQ(SSL_write(client_.get(), data_longer + kChunkLen, kChunkLen),
4084 kChunkLen);
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]4085 } else {
David Benjamin64bf8c52022-07-22 15:49:45 -0700[diff] [blame]4086 ASSERT_EQ(SSL_write(client_.get(), data_longer, 2 * kChunkLen),
4087 2 * kChunkLen);
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]4088 }
4089
4090 // Check the last write was correct. The data will be spread over two
4091 // records, so SSL_read returns twice.
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]4092 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen);
4093 ASSERT_EQ(OPENSSL_memcmp(buf, "hello", kChunkLen), 0);
David Benjamin64bf8c52022-07-22 15:49:45 -0700[diff] [blame]4094 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen);
4095 ASSERT_EQ(OPENSSL_memcmp(buf, "!!!!!", kChunkLen), 0);
4096
4097 // Fill the transport buffer again. This time only leave room for one
4098 // record.
4099 count = 0;
4100 for (;;) {
4101 int ret = SSL_write(client_.get(), data, kChunkLen);
4102 if (ret <= 0) {
4103 ASSERT_EQ(SSL_get_error(client_.get(), ret), SSL_ERROR_WANT_WRITE);
4104 break;
4105 }
4106 ASSERT_EQ(ret, 5);
4107 count++;
4108 }
4109 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen);
4110 ASSERT_EQ(OPENSSL_memcmp(buf, "hello", kChunkLen), 0);
4111 count--;
4112
4113 // Retry the last write, with a longer input. The first half is the most
4114 // recently failed write, from filling the buffer. |SSL_write| should write
4115 // that to the transport, and then attempt to write the second half.
4116 int ret = SSL_write(client_.get(), data_longer, 2 * kChunkLen);
4117 if (enable_partial_write) {
4118 // If partial writes are allowed, the write will succeed partially.
4119 ASSERT_EQ(ret, kChunkLen);
4120
4121 // Check the first half and make room for another record.
4122 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen);
4123 ASSERT_EQ(OPENSSL_memcmp(buf, "hello", kChunkLen), 0);
4124 count--;
4125
4126 // Finish writing the input.
4127 ASSERT_EQ(SSL_write(client_.get(), data_longer + kChunkLen, kChunkLen),
4128 kChunkLen);
4129 } else {
4130 // Otherwise, although the first half made it to the transport, the second
4131 // half is blocked.
4132 ASSERT_EQ(ret, -1);
4133 ASSERT_EQ(SSL_get_error(client_.get(), -1), SSL_ERROR_WANT_WRITE);
4134
4135 // Check the first half and make room for another record.
4136 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen);
4137 ASSERT_EQ(OPENSSL_memcmp(buf, "hello", kChunkLen), 0);
4138 count--;
4139
4140 // Retrying with fewer bytes than previously attempted is an error. If the
4141 // input length is less than the number of bytes successfully written, the
4142 // check happens at a different point, with a different error.
4143 //
4144 // TODO(davidben): Should these cases use the same error?
4145 ASSERT_EQ(
4146 SSL_get_error(client_.get(),
4147 SSL_write(client_.get(), data_longer, kChunkLen - 1)),
4148 SSL_ERROR_SSL);
4149 ASSERT_TRUE(ExpectSingleError(ERR_LIB_SSL, SSL_R_BAD_LENGTH));
4150
4151 // Complete the write with the correct retry.
4152 ASSERT_EQ(SSL_write(client_.get(), data_longer, 2 * kChunkLen),
4153 2 * kChunkLen);
4154 }
4155
4156 // Drain the input and ensure everything was written correctly.
4157 for (unsigned i = 0; i < count; i++) {
4158 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen);
4159 ASSERT_EQ(OPENSSL_memcmp(buf, "hello", kChunkLen), 0);
4160 }
4161
4162 // The final write is spread over two records.
4163 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen);
4164 ASSERT_EQ(OPENSSL_memcmp(buf, "hello", kChunkLen), 0);
4165 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen);
4166 ASSERT_EQ(OPENSSL_memcmp(buf, "!!!!!", kChunkLen), 0);
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]4167 }
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]4168}
4169
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]4170TEST_P(SSLVersionTest, RecordCallback) {
4171 for (bool test_server : {true, false}) {
4172 SCOPED_TRACE(test_server);
4173 ResetContexts();
David Benjamin5df5be1a2017-06-22 19:43:11 -0400[diff] [blame]4174
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]4175 bool read_seen = false;
4176 bool write_seen = false;
4177 auto cb = [&](int is_write, int cb_version, int cb_type, const void *buf,
4178 size_t len, SSL *ssl) {
4179 if (cb_type != SSL3_RT_HEADER) {
4180 return;
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]4181 }
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]4182
4183 // The callback does not report a version for records.
4184 EXPECT_EQ(0, cb_version);
4185
4186 if (is_write) {
4187 write_seen = true;
4188 } else {
4189 read_seen = true;
4190 }
4191
4192 // Sanity-check that the record header is plausible.
4193 CBS cbs;
4194 CBS_init(&cbs, reinterpret_cast<const uint8_t *>(buf), len);
4195 uint8_t type;
4196 uint16_t record_version, length;
4197 ASSERT_TRUE(CBS_get_u8(&cbs, &type));
4198 ASSERT_TRUE(CBS_get_u16(&cbs, &record_version));
Steven Valdez64cc1212017-12-04 11:15:37 -0500[diff] [blame]4199 EXPECT_EQ(record_version & 0xff00, version() & 0xff00);
Martin Kreichgauer1a663262017-08-16 14:54:04 -0700[diff] [blame]4200 if (is_dtls()) {
4201 uint16_t epoch;
4202 ASSERT_TRUE(CBS_get_u16(&cbs, &epoch));
4203 EXPECT_TRUE(epoch == 0 || epoch == 1) << "Invalid epoch: " << epoch;
4204 ASSERT_TRUE(CBS_skip(&cbs, 6));
4205 }
4206 ASSERT_TRUE(CBS_get_u16(&cbs, &length));
4207 EXPECT_EQ(0u, CBS_len(&cbs));
4208 };
4209 using CallbackType = decltype(cb);
4210 SSL_CTX *ctx = test_server ? server_ctx_.get() : client_ctx_.get();
4211 SSL_CTX_set_msg_callback(
4212 ctx, [](int is_write, int cb_version, int cb_type, const void *buf,
4213 size_t len, SSL *ssl, void *arg) {
4214 CallbackType *cb_ptr = reinterpret_cast<CallbackType *>(arg);
4215 (*cb_ptr)(is_write, cb_version, cb_type, buf, len, ssl);
4216 });
4217 SSL_CTX_set_msg_callback_arg(ctx, &cb);
4218
4219 ASSERT_TRUE(Connect());
4220
4221 EXPECT_TRUE(read_seen);
4222 EXPECT_TRUE(write_seen);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]4223 }
David Benjamin9ef31f02016-10-31 18:01:13 -0400[diff] [blame]4224}
4225
David Benjamina8614602017-09-06 15:40:19 -0400[diff] [blame]4226TEST_P(SSLVersionTest, GetServerName) {
David Benjamina8614602017-09-06 15:40:19 -0400[diff] [blame]4227 ClientConfig config;
4228 config.servername = "host1";
4229
4230 SSL_CTX_set_tlsext_servername_callback(
4231 server_ctx_.get(), [](SSL *ssl, int *out_alert, void *arg) -> int {
4232 // During the handshake, |SSL_get_servername| must match |config|.
4233 ClientConfig *config_p = reinterpret_cast<ClientConfig *>(arg);
4234 EXPECT_STREQ(config_p->servername.c_str(),
4235 SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name));
4236 return SSL_TLSEXT_ERR_OK;
4237 });
4238 SSL_CTX_set_tlsext_servername_arg(server_ctx_.get(), &config);
4239
4240 ASSERT_TRUE(Connect(config));
4241 // After the handshake, it must also be available.
4242 EXPECT_STREQ(config.servername.c_str(),
4243 SSL_get_servername(server_.get(), TLSEXT_NAMETYPE_host_name));
4244
4245 // Establish a session under host1.
4246 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
4247 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
4248 bssl::UniquePtr<SSL_SESSION> session =
4249 CreateClientSession(client_ctx_.get(), server_ctx_.get(), config);
4250
4251 // If the client resumes a session with a different name, |SSL_get_servername|
4252 // must return the new name.
4253 ASSERT_TRUE(session);
4254 config.session = session.get();
4255 config.servername = "host2";
4256 ASSERT_TRUE(Connect(config));
4257 EXPECT_STREQ(config.servername.c_str(),
4258 SSL_get_servername(server_.get(), TLSEXT_NAMETYPE_host_name));
4259}
4260
David Benjamin3d8f0802017-09-06 16:12:52 -0400[diff] [blame]4261// Test that session cache mode bits are honored in the client session callback.
4262TEST_P(SSLVersionTest, ClientSessionCacheMode) {
4263 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_OFF);
4264 EXPECT_FALSE(CreateClientSession(client_ctx_.get(), server_ctx_.get()));
4265
4266 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_CLIENT);
4267 EXPECT_TRUE(CreateClientSession(client_ctx_.get(), server_ctx_.get()));
4268
4269 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_SERVER);
4270 EXPECT_FALSE(CreateClientSession(client_ctx_.get(), server_ctx_.get()));
4271}
4272
Steven Valdez777a2392019-02-21 11:30:47 -0500[diff] [blame]4273// Test that all versions survive tiny write buffers. In particular, TLS 1.3
4274// NewSessionTickets are written post-handshake. Servers that block
4275// |SSL_do_handshake| on writing them will deadlock if clients are not draining
4276// the buffer. Test that we do not do this.
4277TEST_P(SSLVersionTest, SmallBuffer) {
4278 // DTLS is a datagram protocol and requires packet-sized buffers.
4279 if (is_dtls()) {
4280 return;
4281 }
4282
4283 // Test both flushing NewSessionTickets with a zero-sized write and
4284 // non-zero-sized write.
4285 for (bool use_zero_write : {false, true}) {
4286 SCOPED_TRACE(use_zero_write);
4287
4288 g_last_session = nullptr;
4289 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
4290 SSL_CTX_sess_set_new_cb(client_ctx_.get(), SaveLastSession);
4291
4292 bssl::UniquePtr<SSL> client(SSL_new(client_ctx_.get())),
4293 server(SSL_new(server_ctx_.get()));
4294 ASSERT_TRUE(client);
4295 ASSERT_TRUE(server);
4296 SSL_set_connect_state(client.get());
4297 SSL_set_accept_state(server.get());
4298
4299 // Use a tiny buffer.
4300 BIO *bio1, *bio2;
4301 ASSERT_TRUE(BIO_new_bio_pair(&bio1, 1, &bio2, 1));
4302
4303 // SSL_set_bio takes ownership.
4304 SSL_set_bio(client.get(), bio1, bio1);
4305 SSL_set_bio(server.get(), bio2, bio2);
4306
4307 ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
4308 if (version() >= TLS1_3_VERSION) {
4309 // The post-handshake ticket should not have been processed yet.
4310 EXPECT_FALSE(g_last_session);
4311 }
4312
4313 if (use_zero_write) {
4314 ASSERT_TRUE(FlushNewSessionTickets(client.get(), server.get()));
4315 EXPECT_TRUE(g_last_session);
4316 }
4317
4318 // Send some data from server to client. If |use_zero_write| is false, this
4319 // will also flush the NewSessionTickets.
4320 static const char kMessage[] = "hello world";
4321 char buf[sizeof(kMessage)];
4322 for (;;) {
4323 int server_ret = SSL_write(server.get(), kMessage, sizeof(kMessage));
4324 int server_err = SSL_get_error(server.get(), server_ret);
4325 int client_ret = SSL_read(client.get(), buf, sizeof(buf));
4326 int client_err = SSL_get_error(client.get(), client_ret);
4327
4328 // The server will write a single record, so every iteration should see
4329 // |SSL_ERROR_WANT_WRITE| and |SSL_ERROR_WANT_READ|, until the final
4330 // iteration, where both will complete.
4331 if (server_ret > 0) {
4332 EXPECT_EQ(server_ret, static_cast<int>(sizeof(kMessage)));
4333 EXPECT_EQ(client_ret, static_cast<int>(sizeof(kMessage)));
4334 EXPECT_EQ(Bytes(buf), Bytes(kMessage));
4335 break;
4336 }
4337
4338 ASSERT_EQ(server_ret, -1);
4339 ASSERT_EQ(server_err, SSL_ERROR_WANT_WRITE);
4340 ASSERT_EQ(client_ret, -1);
4341 ASSERT_EQ(client_err, SSL_ERROR_WANT_READ);
4342 }
4343
4344 // The NewSessionTickets should have been flushed and processed.
4345 EXPECT_TRUE(g_last_session);
4346 }
4347}
4348
Adam Langleye1e78132017-01-31 15:24:31 -0800[diff] [blame]4349TEST(SSLTest, AddChainCertHack) {
4350 // Ensure that we don't accidently break the hack that we have in place to
4351 // keep curl and serf happy when they use an |X509| even after transfering
4352 // ownership.
4353
4354 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
4355 ASSERT_TRUE(ctx);
4356 X509 *cert = GetTestCertificate().release();
4357 ASSERT_TRUE(cert);
4358 SSL_CTX_add0_chain_cert(ctx.get(), cert);
4359
4360 // This should not trigger a use-after-free.
4361 X509_cmp(cert, cert);
4362}
4363
David Benjaminb2ff2622017-02-03 17:06:18 -0500[diff] [blame]4364TEST(SSLTest, GetCertificate) {
4365 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
4366 ASSERT_TRUE(ctx);
4367 bssl::UniquePtr<X509> cert = GetTestCertificate();
4368 ASSERT_TRUE(cert);
4369 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), cert.get()));
4370 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
4371 ASSERT_TRUE(ssl);
4372
4373 X509 *cert2 = SSL_CTX_get0_certificate(ctx.get());
4374 ASSERT_TRUE(cert2);
4375 X509 *cert3 = SSL_get_certificate(ssl.get());
4376 ASSERT_TRUE(cert3);
4377
4378 // The old and new certificates must be identical.
4379 EXPECT_EQ(0, X509_cmp(cert.get(), cert2));
4380 EXPECT_EQ(0, X509_cmp(cert.get(), cert3));
4381
4382 uint8_t *der = nullptr;
4383 long der_len = i2d_X509(cert.get(), &der);
4384 ASSERT_LT(0, der_len);
4385 bssl::UniquePtr<uint8_t> free_der(der);
4386
4387 uint8_t *der2 = nullptr;
4388 long der2_len = i2d_X509(cert2, &der2);
4389 ASSERT_LT(0, der2_len);
4390 bssl::UniquePtr<uint8_t> free_der2(der2);
4391
4392 uint8_t *der3 = nullptr;
4393 long der3_len = i2d_X509(cert3, &der3);
4394 ASSERT_LT(0, der3_len);
4395 bssl::UniquePtr<uint8_t> free_der3(der3);
4396
4397 // They must also encode identically.
David Benjamin7d7554b2017-02-04 11:48:59 -0500[diff] [blame]4398 EXPECT_EQ(Bytes(der, der_len), Bytes(der2, der2_len));
4399 EXPECT_EQ(Bytes(der, der_len), Bytes(der3, der3_len));
David Benjaminb2ff2622017-02-03 17:06:18 -0500[diff] [blame]4400}
4401
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]4402TEST(SSLTest, SetChainAndKeyMismatch) {
4403 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_with_buffers_method()));
4404 ASSERT_TRUE(ctx);
4405
4406 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
4407 ASSERT_TRUE(key);
4408 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
4409 ASSERT_TRUE(leaf);
4410 std::vector<CRYPTO_BUFFER*> chain = {
4411 leaf.get(),
4412 };
4413
4414 // Should fail because |GetTestKey| doesn't match the chain-test certificate.
4415 ASSERT_FALSE(SSL_CTX_set_chain_and_key(ctx.get(), &chain[0], chain.size(),
4416 key.get(), nullptr));
4417 ERR_clear_error();
4418}
4419
4420TEST(SSLTest, SetChainAndKey) {
4421 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method()));
4422 ASSERT_TRUE(client_ctx);
4423 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_with_buffers_method()));
4424 ASSERT_TRUE(server_ctx);
4425
Adam Langley964256d2020-03-19 11:57:12 -0700[diff] [blame]4426 ASSERT_EQ(nullptr, SSL_CTX_get0_chain(server_ctx.get()));
4427
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]4428 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
4429 ASSERT_TRUE(key);
4430 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
4431 ASSERT_TRUE(leaf);
4432 bssl::UniquePtr<CRYPTO_BUFFER> intermediate =
4433 GetChainTestIntermediateBuffer();
4434 ASSERT_TRUE(intermediate);
4435 std::vector<CRYPTO_BUFFER*> chain = {
4436 leaf.get(), intermediate.get(),
4437 };
4438 ASSERT_TRUE(SSL_CTX_set_chain_and_key(server_ctx.get(), &chain[0],
4439 chain.size(), key.get(), nullptr));
4440
Adam Langley964256d2020-03-19 11:57:12 -0700[diff] [blame]4441 ASSERT_EQ(chain.size(),
4442 sk_CRYPTO_BUFFER_num(SSL_CTX_get0_chain(server_ctx.get())));
4443
David Benjamin3a1dd462017-07-11 16:13:10 -0400[diff] [blame]4444 SSL_CTX_set_custom_verify(
4445 client_ctx.get(), SSL_VERIFY_PEER,
4446 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
4447 return ssl_verify_ok;
4448 });
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]4449
4450 bssl::UniquePtr<SSL> client, server;
4451 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
David Benjamina8614602017-09-06 15:40:19 -0400[diff] [blame]4452 server_ctx.get()));
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]4453}
4454
Matthew Braithwaite5301c102018-01-23 12:08:55 -0800[diff] [blame]4455TEST(SSLTest, BuffersFailWithoutCustomVerify) {
4456 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method()));
4457 ASSERT_TRUE(client_ctx);
4458 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_with_buffers_method()));
4459 ASSERT_TRUE(server_ctx);
4460
4461 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
4462 ASSERT_TRUE(key);
4463 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
4464 ASSERT_TRUE(leaf);
4465 std::vector<CRYPTO_BUFFER*> chain = { leaf.get() };
4466 ASSERT_TRUE(SSL_CTX_set_chain_and_key(server_ctx.get(), &chain[0],
4467 chain.size(), key.get(), nullptr));
4468
4469 // Without SSL_CTX_set_custom_verify(), i.e. with everything in the default
4470 // configuration, certificate verification should fail.
4471 bssl::UniquePtr<SSL> client, server;
4472 ASSERT_FALSE(ConnectClientAndServer(&client, &server, client_ctx.get(),
4473 server_ctx.get()));
4474
4475 // Whereas with a verifier, the connection should succeed.
4476 SSL_CTX_set_custom_verify(
4477 client_ctx.get(), SSL_VERIFY_PEER,
4478 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
4479 return ssl_verify_ok;
4480 });
4481 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
4482 server_ctx.get()));
4483}
4484
4485TEST(SSLTest, CustomVerify) {
4486 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method()));
4487 ASSERT_TRUE(client_ctx);
4488 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_with_buffers_method()));
4489 ASSERT_TRUE(server_ctx);
4490
4491 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
4492 ASSERT_TRUE(key);
4493 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
4494 ASSERT_TRUE(leaf);
4495 std::vector<CRYPTO_BUFFER*> chain = { leaf.get() };
4496 ASSERT_TRUE(SSL_CTX_set_chain_and_key(server_ctx.get(), &chain[0],
4497 chain.size(), key.get(), nullptr));
4498
4499 SSL_CTX_set_custom_verify(
4500 client_ctx.get(), SSL_VERIFY_PEER,
4501 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
4502 return ssl_verify_ok;
4503 });
4504
4505 bssl::UniquePtr<SSL> client, server;
4506 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
4507 server_ctx.get()));
4508
4509 // With SSL_VERIFY_PEER, ssl_verify_invalid should result in a dropped
4510 // connection.
4511 SSL_CTX_set_custom_verify(
4512 client_ctx.get(), SSL_VERIFY_PEER,
4513 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
4514 return ssl_verify_invalid;
4515 });
4516
4517 ASSERT_FALSE(ConnectClientAndServer(&client, &server, client_ctx.get(),
4518 server_ctx.get()));
4519
4520 // But with SSL_VERIFY_NONE, ssl_verify_invalid should not cause a dropped
4521 // connection.
4522 SSL_CTX_set_custom_verify(
4523 client_ctx.get(), SSL_VERIFY_NONE,
4524 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
4525 return ssl_verify_invalid;
4526 });
4527
4528 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
4529 server_ctx.get()));
4530}
4531
David Benjamin71dfad42017-07-16 17:27:39 -0400[diff] [blame]4532TEST(SSLTest, ClientCABuffers) {
4533 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method()));
4534 ASSERT_TRUE(client_ctx);
4535 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_with_buffers_method()));
4536 ASSERT_TRUE(server_ctx);
4537
4538 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
4539 ASSERT_TRUE(key);
4540 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
4541 ASSERT_TRUE(leaf);
4542 bssl::UniquePtr<CRYPTO_BUFFER> intermediate =
4543 GetChainTestIntermediateBuffer();
4544 ASSERT_TRUE(intermediate);
4545 std::vector<CRYPTO_BUFFER *> chain = {
4546 leaf.get(),
4547 intermediate.get(),
4548 };
4549 ASSERT_TRUE(SSL_CTX_set_chain_and_key(server_ctx.get(), &chain[0],
4550 chain.size(), key.get(), nullptr));
4551
4552 bssl::UniquePtr<CRYPTO_BUFFER> ca_name(
4553 CRYPTO_BUFFER_new(kTestName, sizeof(kTestName), nullptr));
4554 ASSERT_TRUE(ca_name);
4555 bssl::UniquePtr<STACK_OF(CRYPTO_BUFFER)> ca_names(
4556 sk_CRYPTO_BUFFER_new_null());
4557 ASSERT_TRUE(ca_names);
David Benjamin2908dd12018-06-29 17:46:42 -0400[diff] [blame]4558 ASSERT_TRUE(PushToStack(ca_names.get(), std::move(ca_name)));
David Benjamin71dfad42017-07-16 17:27:39 -0400[diff] [blame]4559 SSL_CTX_set0_client_CAs(server_ctx.get(), ca_names.release());
4560
4561 // Configure client and server to accept all certificates.
4562 SSL_CTX_set_custom_verify(
4563 client_ctx.get(), SSL_VERIFY_PEER,
4564 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
4565 return ssl_verify_ok;
4566 });
4567 SSL_CTX_set_custom_verify(
4568 server_ctx.get(), SSL_VERIFY_PEER,
4569 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
4570 return ssl_verify_ok;
4571 });
4572
4573 bool cert_cb_called = false;
4574 SSL_CTX_set_cert_cb(
4575 client_ctx.get(),
4576 [](SSL *ssl, void *arg) -> int {
David Benjamin5f001d12018-05-08 16:46:48 -0400[diff] [blame]4577 const STACK_OF(CRYPTO_BUFFER) *peer_names =
David Benjamin71dfad42017-07-16 17:27:39 -0400[diff] [blame]4578 SSL_get0_server_requested_CAs(ssl);
4579 EXPECT_EQ(1u, sk_CRYPTO_BUFFER_num(peer_names));
4580 CRYPTO_BUFFER *peer_name = sk_CRYPTO_BUFFER_value(peer_names, 0);
4581 EXPECT_EQ(Bytes(kTestName), Bytes(CRYPTO_BUFFER_data(peer_name),
4582 CRYPTO_BUFFER_len(peer_name)));
4583 *reinterpret_cast<bool *>(arg) = true;
4584 return 1;
4585 },
4586 &cert_cb_called);
4587
4588 bssl::UniquePtr<SSL> client, server;
4589 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
David Benjamina8614602017-09-06 15:40:19 -0400[diff] [blame]4590 server_ctx.get()));
David Benjamin71dfad42017-07-16 17:27:39 -0400[diff] [blame]4591 EXPECT_TRUE(cert_cb_called);
4592}
4593
David Benjamin91222b82017-03-09 20:10:56 -0500[diff] [blame]4594// Configuring the empty cipher list, though an error, should still modify the
4595// configuration.
4596TEST(SSLTest, EmptyCipherList) {
4597 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
4598 ASSERT_TRUE(ctx);
4599
4600 // Initially, the cipher list is not empty.
4601 EXPECT_NE(0u, sk_SSL_CIPHER_num(SSL_CTX_get_ciphers(ctx.get())));
4602
4603 // Configuring the empty cipher list fails.
4604 EXPECT_FALSE(SSL_CTX_set_cipher_list(ctx.get(), ""));
4605 ERR_clear_error();
4606
4607 // But the cipher list is still updated to empty.
4608 EXPECT_EQ(0u, sk_SSL_CIPHER_num(SSL_CTX_get_ciphers(ctx.get())));
4609}
4610
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]4611// ssl_test_ticket_aead_failure_mode enumerates the possible ways in which the
4612// test |SSL_TICKET_AEAD_METHOD| can fail.
4613enum ssl_test_ticket_aead_failure_mode {
4614 ssl_test_ticket_aead_ok = 0,
4615 ssl_test_ticket_aead_seal_fail,
4616 ssl_test_ticket_aead_open_soft_fail,
4617 ssl_test_ticket_aead_open_hard_fail,
4618};
4619
4620struct ssl_test_ticket_aead_state {
4621 unsigned retry_count;
4622 ssl_test_ticket_aead_failure_mode failure_mode;
4623};
4624
4625static int ssl_test_ticket_aead_ex_index_dup(CRYPTO_EX_DATA *to,
4626 const CRYPTO_EX_DATA *from,
4627 void **from_d, int index,
4628 long argl, void *argp) {
4629 abort();
4630}
4631
4632static void ssl_test_ticket_aead_ex_index_free(void *parent, void *ptr,
4633 CRYPTO_EX_DATA *ad, int index,
4634 long argl, void *argp) {
4635 auto state = reinterpret_cast<ssl_test_ticket_aead_state*>(ptr);
4636 if (state == nullptr) {
4637 return;
4638 }
4639
4640 OPENSSL_free(state);
4641}
4642
4643static CRYPTO_once_t g_ssl_test_ticket_aead_ex_index_once = CRYPTO_ONCE_INIT;
4644static int g_ssl_test_ticket_aead_ex_index;
4645
4646static int ssl_test_ticket_aead_get_ex_index() {
4647 CRYPTO_once(&g_ssl_test_ticket_aead_ex_index_once, [] {
4648 g_ssl_test_ticket_aead_ex_index = SSL_get_ex_new_index(
4649 0, nullptr, nullptr, ssl_test_ticket_aead_ex_index_dup,
4650 ssl_test_ticket_aead_ex_index_free);
4651 });
4652 return g_ssl_test_ticket_aead_ex_index;
4653}
4654
4655static size_t ssl_test_ticket_aead_max_overhead(SSL *ssl) {
4656 return 1;
4657}
4658
4659static int ssl_test_ticket_aead_seal(SSL *ssl, uint8_t *out, size_t *out_len,
4660 size_t max_out_len, const uint8_t *in,
4661 size_t in_len) {
4662 auto state = reinterpret_cast<ssl_test_ticket_aead_state *>(
4663 SSL_get_ex_data(ssl, ssl_test_ticket_aead_get_ex_index()));
4664
4665 if (state->failure_mode == ssl_test_ticket_aead_seal_fail ||
4666 max_out_len < in_len + 1) {
4667 return 0;
4668 }
4669
4670 OPENSSL_memmove(out, in, in_len);
4671 out[in_len] = 0xff;
4672 *out_len = in_len + 1;
4673
4674 return 1;
4675}
4676
4677static ssl_ticket_aead_result_t ssl_test_ticket_aead_open(
4678 SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out_len,
4679 const uint8_t *in, size_t in_len) {
4680 auto state = reinterpret_cast<ssl_test_ticket_aead_state *>(
4681 SSL_get_ex_data(ssl, ssl_test_ticket_aead_get_ex_index()));
4682
4683 if (state->retry_count > 0) {
4684 state->retry_count--;
4685 return ssl_ticket_aead_retry;
4686 }
4687
4688 switch (state->failure_mode) {
4689 case ssl_test_ticket_aead_ok:
4690 break;
4691 case ssl_test_ticket_aead_seal_fail:
4692 // If |seal| failed then there shouldn't be any ticket to try and
4693 // decrypt.
4694 abort();
4695 break;
4696 case ssl_test_ticket_aead_open_soft_fail:
4697 return ssl_ticket_aead_ignore_ticket;
4698 case ssl_test_ticket_aead_open_hard_fail:
4699 return ssl_ticket_aead_error;
4700 }
4701
4702 if (in_len == 0 || in[in_len - 1] != 0xff) {
4703 return ssl_ticket_aead_ignore_ticket;
4704 }
4705
4706 if (max_out_len < in_len - 1) {
4707 return ssl_ticket_aead_error;
4708 }
4709
4710 OPENSSL_memmove(out, in, in_len - 1);
4711 *out_len = in_len - 1;
4712 return ssl_ticket_aead_success;
4713}
4714
4715static const SSL_TICKET_AEAD_METHOD kSSLTestTicketMethod = {
4716 ssl_test_ticket_aead_max_overhead,
4717 ssl_test_ticket_aead_seal,
4718 ssl_test_ticket_aead_open,
4719};
4720
4721static void ConnectClientAndServerWithTicketMethod(
4722 bssl::UniquePtr<SSL> *out_client, bssl::UniquePtr<SSL> *out_server,
4723 SSL_CTX *client_ctx, SSL_CTX *server_ctx, unsigned retry_count,
4724 ssl_test_ticket_aead_failure_mode failure_mode, SSL_SESSION *session) {
4725 bssl::UniquePtr<SSL> client(SSL_new(client_ctx)), server(SSL_new(server_ctx));
4726 ASSERT_TRUE(client);
4727 ASSERT_TRUE(server);
4728 SSL_set_connect_state(client.get());
4729 SSL_set_accept_state(server.get());
4730
4731 auto state = reinterpret_cast<ssl_test_ticket_aead_state *>(
4732 OPENSSL_malloc(sizeof(ssl_test_ticket_aead_state)));
4733 ASSERT_TRUE(state);
4734 OPENSSL_memset(state, 0, sizeof(ssl_test_ticket_aead_state));
4735 state->retry_count = retry_count;
4736 state->failure_mode = failure_mode;
4737
4738 ASSERT_TRUE(SSL_set_ex_data(server.get(), ssl_test_ticket_aead_get_ex_index(),
4739 state));
4740
4741 SSL_set_session(client.get(), session);
4742
4743 BIO *bio1, *bio2;
4744 ASSERT_TRUE(BIO_new_bio_pair(&bio1, 0, &bio2, 0));
4745
4746 // SSL_set_bio takes ownership.
4747 SSL_set_bio(client.get(), bio1, bio1);
4748 SSL_set_bio(server.get(), bio2, bio2);
4749
4750 if (CompleteHandshakes(client.get(), server.get())) {
4751 *out_client = std::move(client);
4752 *out_server = std::move(server);
4753 } else {
4754 out_client->reset();
4755 out_server->reset();
4756 }
4757}
4758
David Benjaminc9775322018-04-13 16:39:12 -0400[diff] [blame]4759using TicketAEADMethodParam =
4760 testing::tuple<uint16_t, unsigned, ssl_test_ticket_aead_failure_mode>;
4761
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]4762class TicketAEADMethodTest
David Benjaminc9775322018-04-13 16:39:12 -0400[diff] [blame]4763 : public ::testing::TestWithParam<TicketAEADMethodParam> {};
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]4764
4765TEST_P(TicketAEADMethodTest, Resume) {
David Benjamin9b2cdb72021-04-01 23:21:53 -0400[diff] [blame]4766 bssl::UniquePtr<SSL_CTX> server_ctx =
4767 CreateContextWithTestCertificate(TLS_method());
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]4768 ASSERT_TRUE(server_ctx);
4769 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
4770 ASSERT_TRUE(client_ctx);
4771
4772 const uint16_t version = testing::get<0>(GetParam());
4773 const unsigned retry_count = testing::get<1>(GetParam());
4774 const ssl_test_ticket_aead_failure_mode failure_mode =
4775 testing::get<2>(GetParam());
4776
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]4777 ASSERT_TRUE(SSL_CTX_set_min_proto_version(client_ctx.get(), version));
4778 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), version));
4779 ASSERT_TRUE(SSL_CTX_set_min_proto_version(server_ctx.get(), version));
4780 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), version));
4781
4782 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
4783 SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH);
4784 SSL_CTX_set_current_time_cb(client_ctx.get(), FrozenTimeCallback);
4785 SSL_CTX_set_current_time_cb(server_ctx.get(), FrozenTimeCallback);
David Benjamin707af292017-03-10 17:47:18 -0500[diff] [blame]4786 SSL_CTX_sess_set_new_cb(client_ctx.get(), SaveLastSession);
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]4787
4788 SSL_CTX_set_ticket_aead_method(server_ctx.get(), &kSSLTestTicketMethod);
4789
4790 bssl::UniquePtr<SSL> client, server;
4791 ConnectClientAndServerWithTicketMethod(&client, &server, client_ctx.get(),
4792 server_ctx.get(), retry_count,
4793 failure_mode, nullptr);
4794 switch (failure_mode) {
4795 case ssl_test_ticket_aead_ok:
4796 case ssl_test_ticket_aead_open_hard_fail:
4797 case ssl_test_ticket_aead_open_soft_fail:
4798 ASSERT_TRUE(client);
4799 break;
4800 case ssl_test_ticket_aead_seal_fail:
4801 EXPECT_FALSE(client);
4802 return;
4803 }
4804 EXPECT_FALSE(SSL_session_reused(client.get()));
4805 EXPECT_FALSE(SSL_session_reused(server.get()));
4806
Steven Valdez777a2392019-02-21 11:30:47 -0500[diff] [blame]4807 ASSERT_TRUE(FlushNewSessionTickets(client.get(), server.get()));
David Benjamin707af292017-03-10 17:47:18 -0500[diff] [blame]4808 bssl::UniquePtr<SSL_SESSION> session = std::move(g_last_session);
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]4809 ConnectClientAndServerWithTicketMethod(&client, &server, client_ctx.get(),
4810 server_ctx.get(), retry_count,
David Benjamin707af292017-03-10 17:47:18 -0500[diff] [blame]4811 failure_mode, session.get());
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]4812 switch (failure_mode) {
4813 case ssl_test_ticket_aead_ok:
4814 ASSERT_TRUE(client);
4815 EXPECT_TRUE(SSL_session_reused(client.get()));
4816 EXPECT_TRUE(SSL_session_reused(server.get()));
4817 break;
4818 case ssl_test_ticket_aead_seal_fail:
4819 abort();
4820 break;
4821 case ssl_test_ticket_aead_open_hard_fail:
4822 EXPECT_FALSE(client);
4823 break;
4824 case ssl_test_ticket_aead_open_soft_fail:
4825 ASSERT_TRUE(client);
4826 EXPECT_FALSE(SSL_session_reused(client.get()));
4827 EXPECT_FALSE(SSL_session_reused(server.get()));
4828 }
4829}
4830
David Benjaminc9775322018-04-13 16:39:12 -0400[diff] [blame]4831std::string TicketAEADMethodParamToString(
4832 const testing::TestParamInfo<TicketAEADMethodParam> &params) {
4833 std::string ret = GetVersionName(std::get<0>(params.param));
4834 // GTest only allows alphanumeric characters and '_' in the parameter
4835 // string. Additionally filter out the 'v' to get "TLS13" over "TLSv13".
4836 for (auto it = ret.begin(); it != ret.end();) {
4837 if (*it == '.' || *it == 'v') {
4838 it = ret.erase(it);
4839 } else {
4840 ++it;
4841 }
4842 }
4843 char retry_count[256];
David Benjamin4f1fae32021-12-15 11:41:10 -0500[diff] [blame]4844 snprintf(retry_count, sizeof(retry_count), "%u", std::get<1>(params.param));
David Benjaminc9775322018-04-13 16:39:12 -0400[diff] [blame]4845 ret += "_";
4846 ret += retry_count;
4847 ret += "Retries_";
4848 switch (std::get<2>(params.param)) {
4849 case ssl_test_ticket_aead_ok:
4850 ret += "OK";
4851 break;
4852 case ssl_test_ticket_aead_seal_fail:
4853 ret += "SealFail";
4854 break;
4855 case ssl_test_ticket_aead_open_soft_fail:
4856 ret += "OpenSoftFail";
4857 break;
4858 case ssl_test_ticket_aead_open_hard_fail:
4859 ret += "OpenHardFail";
4860 break;
4861 }
4862 return ret;
4863}
4864
David Benjaminbe7006a2019-04-09 18:05:02 -0500[diff] [blame]4865INSTANTIATE_TEST_SUITE_P(
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]4866 TicketAEADMethodTests, TicketAEADMethodTest,
David Benjaminc9775322018-04-13 16:39:12 -0400[diff] [blame]4867 testing::Combine(testing::Values(TLS1_2_VERSION, TLS1_3_VERSION),
4868 testing::Values(0, 1, 2),
4869 testing::Values(ssl_test_ticket_aead_ok,
4870 ssl_test_ticket_aead_seal_fail,
4871 ssl_test_ticket_aead_open_soft_fail,
4872 ssl_test_ticket_aead_open_hard_fail)),
4873 TicketAEADMethodParamToString);
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]4874
David Benjaminca743582017-06-15 17:51:35 -0400[diff] [blame]4875TEST(SSLTest, SelectNextProto) {
4876 uint8_t *result;
4877 uint8_t result_len;
4878
4879 // If there is an overlap, it should be returned.
4880 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
4881 SSL_select_next_proto(&result, &result_len,
4882 (const uint8_t *)"\1a\2bb\3ccc", 9,
4883 (const uint8_t *)"\1x\1y\1a\1z", 8));
4884 EXPECT_EQ(Bytes("a"), Bytes(result, result_len));
4885
4886 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
4887 SSL_select_next_proto(&result, &result_len,
4888 (const uint8_t *)"\1a\2bb\3ccc", 9,
4889 (const uint8_t *)"\1x\1y\2bb\1z", 9));
4890 EXPECT_EQ(Bytes("bb"), Bytes(result, result_len));
4891
4892 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
4893 SSL_select_next_proto(&result, &result_len,
4894 (const uint8_t *)"\1a\2bb\3ccc", 9,
4895 (const uint8_t *)"\1x\1y\3ccc\1z", 10));
4896 EXPECT_EQ(Bytes("ccc"), Bytes(result, result_len));
4897
4898 // Peer preference order takes precedence over local.
4899 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
4900 SSL_select_next_proto(&result, &result_len,
4901 (const uint8_t *)"\1a\2bb\3ccc", 9,
4902 (const uint8_t *)"\3ccc\2bb\1a", 9));
4903 EXPECT_EQ(Bytes("a"), Bytes(result, result_len));
4904
4905 // If there is no overlap, return the first local protocol.
4906 EXPECT_EQ(OPENSSL_NPN_NO_OVERLAP,
4907 SSL_select_next_proto(&result, &result_len,
4908 (const uint8_t *)"\1a\2bb\3ccc", 9,
4909 (const uint8_t *)"\1x\2yy\3zzz", 9));
4910 EXPECT_EQ(Bytes("x"), Bytes(result, result_len));
4911
4912 EXPECT_EQ(OPENSSL_NPN_NO_OVERLAP,
4913 SSL_select_next_proto(&result, &result_len, nullptr, 0,
4914 (const uint8_t *)"\1x\2yy\3zzz", 9));
4915 EXPECT_EQ(Bytes("x"), Bytes(result, result_len));
4916}
4917
David Benjamin617b8182017-08-29 15:33:10 -0400[diff] [blame]4918// The client should gracefully handle no suitable ciphers being enabled.
4919TEST(SSLTest, NoCiphersAvailable) {
4920 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
4921 ASSERT_TRUE(ctx);
4922
4923 // Configure |client_ctx| with a cipher list that does not intersect with its
4924 // version configuration.
4925 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(
4926 ctx.get(), "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"));
4927 ASSERT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_1_VERSION));
4928
4929 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
4930 ASSERT_TRUE(ssl);
4931 SSL_set_connect_state(ssl.get());
4932
4933 UniquePtr<BIO> rbio(BIO_new(BIO_s_mem())), wbio(BIO_new(BIO_s_mem()));
4934 ASSERT_TRUE(rbio);
4935 ASSERT_TRUE(wbio);
4936 SSL_set0_rbio(ssl.get(), rbio.release());
4937 SSL_set0_wbio(ssl.get(), wbio.release());
4938
4939 int ret = SSL_do_handshake(ssl.get());
4940 EXPECT_EQ(-1, ret);
4941 EXPECT_EQ(SSL_ERROR_SSL, SSL_get_error(ssl.get(), ret));
4942 uint32_t err = ERR_get_error();
4943 EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err));
4944 EXPECT_EQ(SSL_R_NO_CIPHERS_AVAILABLE, ERR_GET_REASON(err));
4945}
4946
David Benjamina4bafd32017-10-03 15:06:29 -0400[diff] [blame]4947TEST_P(SSLVersionTest, SessionVersion) {
4948 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
4949 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
4950
4951 bssl::UniquePtr<SSL_SESSION> session =
4952 CreateClientSession(client_ctx_.get(), server_ctx_.get());
4953 ASSERT_TRUE(session);
4954 EXPECT_EQ(version(), SSL_SESSION_get_protocol_version(session.get()));
4955
4956 // Sessions in TLS 1.3 and later should be single-use.
4957 EXPECT_EQ(version() == TLS1_3_VERSION,
4958 !!SSL_SESSION_should_be_single_use(session.get()));
4959
4960 // Making fake sessions for testing works.
4961 session.reset(SSL_SESSION_new(client_ctx_.get()));
4962 ASSERT_TRUE(session);
4963 ASSERT_TRUE(SSL_SESSION_set_protocol_version(session.get(), version()));
4964 EXPECT_EQ(version(), SSL_SESSION_get_protocol_version(session.get()));
4965}
4966
David Benjaminfdb7a352017-10-12 17:34:18 -0400[diff] [blame]4967TEST_P(SSLVersionTest, SSLPending) {
4968 UniquePtr<SSL> ssl(SSL_new(client_ctx_.get()));
4969 ASSERT_TRUE(ssl);
4970 EXPECT_EQ(0, SSL_pending(ssl.get()));
4971
4972 ASSERT_TRUE(Connect());
4973 EXPECT_EQ(0, SSL_pending(client_.get()));
David Benjaminb3ed0712021-11-12 14:43:21 -0500[diff] [blame]4974 EXPECT_EQ(0, SSL_has_pending(client_.get()));
David Benjaminfdb7a352017-10-12 17:34:18 -0400[diff] [blame]4975
4976 ASSERT_EQ(5, SSL_write(server_.get(), "hello", 5));
4977 ASSERT_EQ(5, SSL_write(server_.get(), "world", 5));
4978 EXPECT_EQ(0, SSL_pending(client_.get()));
David Benjaminb3ed0712021-11-12 14:43:21 -0500[diff] [blame]4979 EXPECT_EQ(0, SSL_has_pending(client_.get()));
David Benjaminfdb7a352017-10-12 17:34:18 -0400[diff] [blame]4980
4981 char buf[10];
4982 ASSERT_EQ(1, SSL_peek(client_.get(), buf, 1));
4983 EXPECT_EQ(5, SSL_pending(client_.get()));
David Benjaminb3ed0712021-11-12 14:43:21 -0500[diff] [blame]4984 EXPECT_EQ(1, SSL_has_pending(client_.get()));
David Benjaminfdb7a352017-10-12 17:34:18 -0400[diff] [blame]4985
4986 ASSERT_EQ(1, SSL_read(client_.get(), buf, 1));
4987 EXPECT_EQ(4, SSL_pending(client_.get()));
David Benjaminb3ed0712021-11-12 14:43:21 -0500[diff] [blame]4988 EXPECT_EQ(1, SSL_has_pending(client_.get()));
David Benjaminfdb7a352017-10-12 17:34:18 -0400[diff] [blame]4989
4990 ASSERT_EQ(4, SSL_read(client_.get(), buf, 10));
4991 EXPECT_EQ(0, SSL_pending(client_.get()));
David Benjaminb3ed0712021-11-12 14:43:21 -0500[diff] [blame]4992 if (is_dtls()) {
4993 // In DTLS, the two records would have been read as a single datagram and
4994 // buffered inside |client_|. Thus, |SSL_has_pending| should return true.
4995 //
4996 // This test is slightly unrealistic. It relies on |ConnectClientAndServer|
4997 // using a |BIO| pair, which does not preserve datagram boundaries. Reading
4998 // 1 byte, then 4 bytes, from the first record also relies on
4999 // https://crbug.com/boringssl/65. But it does test the codepaths. When
5000 // fixing either of these bugs, this test may need to be redone.
5001 EXPECT_EQ(1, SSL_has_pending(client_.get()));
5002 } else {
5003 // In TLS, we do not overread, so |SSL_has_pending| should report no data is
5004 // buffered.
5005 EXPECT_EQ(0, SSL_has_pending(client_.get()));
5006 }
David Benjaminfdb7a352017-10-12 17:34:18 -0400[diff] [blame]5007
5008 ASSERT_EQ(2, SSL_read(client_.get(), buf, 2));
5009 EXPECT_EQ(3, SSL_pending(client_.get()));
David Benjaminb3ed0712021-11-12 14:43:21 -0500[diff] [blame]5010 EXPECT_EQ(1, SSL_has_pending(client_.get()));
David Benjaminfdb7a352017-10-12 17:34:18 -0400[diff] [blame]5011}
5012
David Benjamina031b612017-10-11 20:48:25 -0400[diff] [blame]5013// Test that post-handshake tickets consumed by |SSL_shutdown| are ignored.
5014TEST(SSLTest, ShutdownIgnoresTickets) {
David Benjamin9b2cdb72021-04-01 23:21:53 -0400[diff] [blame]5015 bssl::UniquePtr<SSL_CTX> ctx(CreateContextWithTestCertificate(TLS_method()));
David Benjamina031b612017-10-11 20:48:25 -0400[diff] [blame]5016 ASSERT_TRUE(ctx);
5017 ASSERT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_3_VERSION));
5018 ASSERT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_3_VERSION));
5019
David Benjamina031b612017-10-11 20:48:25 -0400[diff] [blame]5020 SSL_CTX_set_session_cache_mode(ctx.get(), SSL_SESS_CACHE_BOTH);
5021
5022 bssl::UniquePtr<SSL> client, server;
5023 ASSERT_TRUE(ConnectClientAndServer(&client, &server, ctx.get(), ctx.get()));
5024
5025 SSL_CTX_sess_set_new_cb(ctx.get(), [](SSL *ssl, SSL_SESSION *session) -> int {
5026 ADD_FAILURE() << "New session callback called during SSL_shutdown";
5027 return 0;
5028 });
5029
5030 // Send close_notify.
5031 EXPECT_EQ(0, SSL_shutdown(server.get()));
5032 EXPECT_EQ(0, SSL_shutdown(client.get()));
5033
5034 // Receive close_notify.
5035 EXPECT_EQ(1, SSL_shutdown(server.get()));
5036 EXPECT_EQ(1, SSL_shutdown(client.get()));
5037}
5038
David Benjamin6cc352e2017-11-02 17:21:39 -0400[diff] [blame]5039TEST(SSLTest, SignatureAlgorithmProperties) {
5040 EXPECT_EQ(EVP_PKEY_NONE, SSL_get_signature_algorithm_key_type(0x1234));
5041 EXPECT_EQ(nullptr, SSL_get_signature_algorithm_digest(0x1234));
5042 EXPECT_FALSE(SSL_is_signature_algorithm_rsa_pss(0x1234));
5043
5044 EXPECT_EQ(EVP_PKEY_RSA,
5045 SSL_get_signature_algorithm_key_type(SSL_SIGN_RSA_PKCS1_MD5_SHA1));
5046 EXPECT_EQ(EVP_md5_sha1(),
5047 SSL_get_signature_algorithm_digest(SSL_SIGN_RSA_PKCS1_MD5_SHA1));
5048 EXPECT_FALSE(SSL_is_signature_algorithm_rsa_pss(SSL_SIGN_RSA_PKCS1_MD5_SHA1));
5049
5050 EXPECT_EQ(EVP_PKEY_EC, SSL_get_signature_algorithm_key_type(
5051 SSL_SIGN_ECDSA_SECP256R1_SHA256));
5052 EXPECT_EQ(EVP_sha256(), SSL_get_signature_algorithm_digest(
5053 SSL_SIGN_ECDSA_SECP256R1_SHA256));
5054 EXPECT_FALSE(
5055 SSL_is_signature_algorithm_rsa_pss(SSL_SIGN_ECDSA_SECP256R1_SHA256));
5056
5057 EXPECT_EQ(EVP_PKEY_RSA,
David Benjamin6879e192018-04-13 16:01:02 -0400[diff] [blame]5058 SSL_get_signature_algorithm_key_type(SSL_SIGN_RSA_PSS_RSAE_SHA384));
David Benjamin6cc352e2017-11-02 17:21:39 -0400[diff] [blame]5059 EXPECT_EQ(EVP_sha384(),
David Benjamin6879e192018-04-13 16:01:02 -0400[diff] [blame]5060 SSL_get_signature_algorithm_digest(SSL_SIGN_RSA_PSS_RSAE_SHA384));
5061 EXPECT_TRUE(SSL_is_signature_algorithm_rsa_pss(SSL_SIGN_RSA_PSS_RSAE_SHA384));
David Benjamin6cc352e2017-11-02 17:21:39 -0400[diff] [blame]5062}
5063
Adam Langley85967952018-07-03 08:04:58 -0700[diff] [blame]5064static int XORCompressFunc(SSL *ssl, CBB *out, const uint8_t *in,
5065 size_t in_len) {
5066 for (size_t i = 0; i < in_len; i++) {
Adam Langley0080d832018-06-07 16:39:49 -0700[diff] [blame]5067 if (!CBB_add_u8(out, in[i] ^ 0x55)) {
Adam Langley85967952018-07-03 08:04:58 -0700[diff] [blame]5068 return 0;
Adam Langley0080d832018-06-07 16:39:49 -0700[diff] [blame]5069 }
5070 }
5071
5072 SSL_set_app_data(ssl, XORCompressFunc);
5073
Adam Langley85967952018-07-03 08:04:58 -0700[diff] [blame]5074 return 1;
Adam Langley0080d832018-06-07 16:39:49 -0700[diff] [blame]5075}
5076
Adam Langley85967952018-07-03 08:04:58 -0700[diff] [blame]5077static int XORDecompressFunc(SSL *ssl, CRYPTO_BUFFER **out,
5078 size_t uncompressed_len, const uint8_t *in,
5079 size_t in_len) {
5080 if (in_len != uncompressed_len) {
5081 return 0;
Adam Langley0080d832018-06-07 16:39:49 -0700[diff] [blame]5082 }
5083
5084 uint8_t *data;
Adam Langley85967952018-07-03 08:04:58 -0700[diff] [blame]5085 *out = CRYPTO_BUFFER_alloc(&data, uncompressed_len);
5086 if (*out == nullptr) {
5087 return 0;
Adam Langley0080d832018-06-07 16:39:49 -0700[diff] [blame]5088 }
5089
Adam Langley85967952018-07-03 08:04:58 -0700[diff] [blame]5090 for (size_t i = 0; i < in_len; i++) {
Adam Langley0080d832018-06-07 16:39:49 -0700[diff] [blame]5091 data[i] = in[i] ^ 0x55;
5092 }
5093
5094 SSL_set_app_data(ssl, XORDecompressFunc);
5095
Adam Langley85967952018-07-03 08:04:58 -0700[diff] [blame]5096 return 1;
Adam Langley0080d832018-06-07 16:39:49 -0700[diff] [blame]5097}
5098
5099TEST(SSLTest, CertCompression) {
5100 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
David Benjamin9b2cdb72021-04-01 23:21:53 -0400[diff] [blame]5101 bssl::UniquePtr<SSL_CTX> server_ctx(
5102 CreateContextWithTestCertificate(TLS_method()));
Adam Langley0080d832018-06-07 16:39:49 -0700[diff] [blame]5103 ASSERT_TRUE(client_ctx);
5104 ASSERT_TRUE(server_ctx);
5105
Adam Langley0080d832018-06-07 16:39:49 -0700[diff] [blame]5106 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION));
5107 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
5108 ASSERT_TRUE(SSL_CTX_add_cert_compression_alg(
5109 client_ctx.get(), 0x1234, XORCompressFunc, XORDecompressFunc));
5110 ASSERT_TRUE(SSL_CTX_add_cert_compression_alg(
5111 server_ctx.get(), 0x1234, XORCompressFunc, XORDecompressFunc));
5112
5113 bssl::UniquePtr<SSL> client, server;
5114 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
5115 server_ctx.get()));
5116
5117 EXPECT_TRUE(SSL_get_app_data(client.get()) == XORDecompressFunc);
5118 EXPECT_TRUE(SSL_get_app_data(server.get()) == XORCompressFunc);
5119}
5120
Adam Langleyddb57cf2018-01-26 09:17:53 -0800[diff] [blame]5121void MoveBIOs(SSL *dest, SSL *src) {
5122 BIO *rbio = SSL_get_rbio(src);
5123 BIO_up_ref(rbio);
5124 SSL_set0_rbio(dest, rbio);
5125
5126 BIO *wbio = SSL_get_wbio(src);
5127 BIO_up_ref(wbio);
5128 SSL_set0_wbio(dest, wbio);
5129
5130 SSL_set0_rbio(src, nullptr);
5131 SSL_set0_wbio(src, nullptr);
5132}
5133
5134TEST(SSLTest, Handoff) {
5135 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
5136 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
David Benjamin9b2cdb72021-04-01 23:21:53 -0400[diff] [blame]5137 bssl::UniquePtr<SSL_CTX> handshaker_ctx(
5138 CreateContextWithTestCertificate(TLS_method()));
Adam Langleyddb57cf2018-01-26 09:17:53 -0800[diff] [blame]5139 ASSERT_TRUE(client_ctx);
5140 ASSERT_TRUE(server_ctx);
5141 ASSERT_TRUE(handshaker_ctx);
5142
Matthew Braithwaite134fb892019-11-26 17:56:11 -0800[diff] [blame]5143 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_CLIENT);
5144 SSL_CTX_sess_set_new_cb(client_ctx.get(), SaveLastSession);
Anton Bikineev50e7ea52022-01-23 22:35:48 +0100[diff] [blame]5145 SSL_CTX_set_handoff_mode(server_ctx.get(), true);
Matthew Braithwaite134fb892019-11-26 17:56:11 -0800[diff] [blame]5146 uint8_t keys[48];
David Benjamin243b5cc2019-12-04 11:23:50 -0500[diff] [blame]5147 SSL_CTX_get_tlsext_ticket_keys(server_ctx.get(), &keys, sizeof(keys));
Matthew Braithwaite134fb892019-11-26 17:56:11 -0800[diff] [blame]5148 SSL_CTX_set_tlsext_ticket_keys(handshaker_ctx.get(), &keys, sizeof(keys));
Adam Langleyddb57cf2018-01-26 09:17:53 -0800[diff] [blame]5149
Matthew Braithwaite4f3e8212020-01-08 16:56:48 -0800[diff] [blame]5150 for (bool early_data : {false, true}) {
5151 SCOPED_TRACE(early_data);
5152 for (bool is_resume : {false, true}) {
5153 SCOPED_TRACE(is_resume);
5154 bssl::UniquePtr<SSL> client, server;
David Benjamin9b2cdb72021-04-01 23:21:53 -0400[diff] [blame]5155 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
5156 server_ctx.get()));
5157 SSL_set_early_data_enabled(client.get(), early_data);
Matthew Braithwaite4f3e8212020-01-08 16:56:48 -0800[diff] [blame]5158 if (is_resume) {
5159 ASSERT_TRUE(g_last_session);
David Benjamin9b2cdb72021-04-01 23:21:53 -0400[diff] [blame]5160 SSL_set_session(client.get(), g_last_session.get());
5161 if (early_data) {
5162 EXPECT_GT(g_last_session->ticket_max_early_data, 0u);
5163 }
Matthew Braithwaite4f3e8212020-01-08 16:56:48 -0800[diff] [blame]5164 }
David Benjamin9b2cdb72021-04-01 23:21:53 -0400[diff] [blame]5165
Matthew Braithwaite4f3e8212020-01-08 16:56:48 -0800[diff] [blame]5166
5167 int client_ret = SSL_do_handshake(client.get());
5168 int client_err = SSL_get_error(client.get(), client_ret);
5169
5170 uint8_t byte_written;
David Benjamin9b2cdb72021-04-01 23:21:53 -0400[diff] [blame]5171 if (early_data && is_resume) {
Matthew Braithwaite4f3e8212020-01-08 16:56:48 -0800[diff] [blame]5172 ASSERT_EQ(client_err, 0);
5173 EXPECT_TRUE(SSL_in_early_data(client.get()));
5174 // Attempt to write early data.
5175 byte_written = 43;
5176 EXPECT_EQ(SSL_write(client.get(), &byte_written, 1), 1);
5177 } else {
5178 ASSERT_EQ(client_err, SSL_ERROR_WANT_READ);
5179 }
5180
5181 int server_ret = SSL_do_handshake(server.get());
5182 int server_err = SSL_get_error(server.get(), server_ret);
5183 ASSERT_EQ(server_err, SSL_ERROR_HANDOFF);
5184
5185 ScopedCBB cbb;
5186 Array<uint8_t> handoff;
5187 SSL_CLIENT_HELLO hello;
5188 ASSERT_TRUE(CBB_init(cbb.get(), 256));
5189 ASSERT_TRUE(SSL_serialize_handoff(server.get(), cbb.get(), &hello));
5190 ASSERT_TRUE(CBBFinishArray(cbb.get(), &handoff));
5191
5192 bssl::UniquePtr<SSL> handshaker(SSL_new(handshaker_ctx.get()));
5193 // Note split handshakes determines 0-RTT support, for both the current
5194 // handshake and newly-issued tickets, entirely by |handshaker|. There is
5195 // no need to call |SSL_set_early_data_enabled| on |server|.
5196 SSL_set_early_data_enabled(handshaker.get(), 1);
5197 ASSERT_TRUE(SSL_apply_handoff(handshaker.get(), handoff));
5198
5199 MoveBIOs(handshaker.get(), server.get());
5200
5201 int handshake_ret = SSL_do_handshake(handshaker.get());
5202 int handshake_err = SSL_get_error(handshaker.get(), handshake_ret);
5203 ASSERT_EQ(handshake_err, SSL_ERROR_HANDBACK);
5204
5205 // Double-check that additional calls to |SSL_do_handshake| continue
Adam Langley472d91c2020-02-18 12:12:35 -0800[diff] [blame]5206 // to get |SSL_ERROR_HANDBACK|.
Matthew Braithwaite4f3e8212020-01-08 16:56:48 -0800[diff] [blame]5207 handshake_ret = SSL_do_handshake(handshaker.get());
5208 handshake_err = SSL_get_error(handshaker.get(), handshake_ret);
5209 ASSERT_EQ(handshake_err, SSL_ERROR_HANDBACK);
5210
5211 ScopedCBB cbb_handback;
5212 Array<uint8_t> handback;
5213 ASSERT_TRUE(CBB_init(cbb_handback.get(), 1024));
5214 ASSERT_TRUE(SSL_serialize_handback(handshaker.get(), cbb_handback.get()));
5215 ASSERT_TRUE(CBBFinishArray(cbb_handback.get(), &handback));
5216
5217 bssl::UniquePtr<SSL> server2(SSL_new(server_ctx.get()));
5218 ASSERT_TRUE(SSL_apply_handback(server2.get(), handback));
5219
5220 MoveBIOs(server2.get(), handshaker.get());
5221 ASSERT_TRUE(CompleteHandshakes(client.get(), server2.get()));
5222 EXPECT_EQ(is_resume, SSL_session_reused(client.get()));
5223
David Benjamin9b2cdb72021-04-01 23:21:53 -0400[diff] [blame]5224 if (early_data && is_resume) {
Matthew Braithwaite4f3e8212020-01-08 16:56:48 -0800[diff] [blame]5225 // In this case, one byte of early data has already been written above.
5226 EXPECT_TRUE(SSL_early_data_accepted(client.get()));
5227 } else {
5228 byte_written = 42;
5229 EXPECT_EQ(SSL_write(client.get(), &byte_written, 1), 1);
5230 }
5231 uint8_t byte;
5232 EXPECT_EQ(SSL_read(server2.get(), &byte, 1), 1);
5233 EXPECT_EQ(byte_written, byte);
5234
5235 byte = 44;
5236 EXPECT_EQ(SSL_write(server2.get(), &byte, 1), 1);
5237 EXPECT_EQ(SSL_read(client.get(), &byte, 1), 1);
5238 EXPECT_EQ(44, byte);
Matthew Braithwaite134fb892019-11-26 17:56:11 -0800[diff] [blame]5239 }
Matthew Braithwaite134fb892019-11-26 17:56:11 -0800[diff] [blame]5240 }
Adam Langleyddb57cf2018-01-26 09:17:53 -0800[diff] [blame]5241}
5242
5243TEST(SSLTest, HandoffDeclined) {
5244 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
David Benjamin9b2cdb72021-04-01 23:21:53 -0400[diff] [blame]5245 bssl::UniquePtr<SSL_CTX> server_ctx(
5246 CreateContextWithTestCertificate(TLS_method()));
Adam Langleyddb57cf2018-01-26 09:17:53 -0800[diff] [blame]5247 ASSERT_TRUE(client_ctx);
5248 ASSERT_TRUE(server_ctx);
5249
Anton Bikineev50e7ea52022-01-23 22:35:48 +0100[diff] [blame]5250 SSL_CTX_set_handoff_mode(server_ctx.get(), true);
Adam Langleyddb57cf2018-01-26 09:17:53 -0800[diff] [blame]5251 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_2_VERSION));
5252
Adam Langleyddb57cf2018-01-26 09:17:53 -0800[diff] [blame]5253 bssl::UniquePtr<SSL> client, server;
David Benjamin9b2cdb72021-04-01 23:21:53 -0400[diff] [blame]5254 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
5255 server_ctx.get()));
Adam Langleyddb57cf2018-01-26 09:17:53 -0800[diff] [blame]5256
5257 int client_ret = SSL_do_handshake(client.get());
5258 int client_err = SSL_get_error(client.get(), client_ret);
5259 ASSERT_EQ(client_err, SSL_ERROR_WANT_READ);
5260
5261 int server_ret = SSL_do_handshake(server.get());
5262 int server_err = SSL_get_error(server.get(), server_ret);
5263 ASSERT_EQ(server_err, SSL_ERROR_HANDOFF);
5264
5265 ScopedCBB cbb;
Adam Langleyc9827e02019-04-12 14:46:50 -0700[diff] [blame]5266 SSL_CLIENT_HELLO hello;
Adam Langleyddb57cf2018-01-26 09:17:53 -0800[diff] [blame]5267 ASSERT_TRUE(CBB_init(cbb.get(), 256));
Adam Langleyc9827e02019-04-12 14:46:50 -0700[diff] [blame]5268 ASSERT_TRUE(SSL_serialize_handoff(server.get(), cbb.get(), &hello));
Adam Langleyddb57cf2018-01-26 09:17:53 -0800[diff] [blame]5269
5270 ASSERT_TRUE(SSL_decline_handoff(server.get()));
5271
5272 ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
5273
5274 uint8_t byte = 42;
5275 EXPECT_EQ(SSL_write(client.get(), &byte, 1), 1);
5276 EXPECT_EQ(SSL_read(server.get(), &byte, 1), 1);
5277 EXPECT_EQ(42, byte);
5278
5279 byte = 43;
5280 EXPECT_EQ(SSL_write(server.get(), &byte, 1), 1);
5281 EXPECT_EQ(SSL_read(client.get(), &byte, 1), 1);
5282 EXPECT_EQ(43, byte);
5283}
5284
Adam Langley826ce152018-08-03 10:31:21 -0700[diff] [blame]5285static std::string SigAlgsToString(Span<const uint16_t> sigalgs) {
5286 std::string ret = "{";
5287
5288 for (uint16_t v : sigalgs) {
5289 if (ret.size() > 1) {
5290 ret += ", ";
5291 }
5292
5293 char buf[8];
5294 snprintf(buf, sizeof(buf) - 1, "0x%02x", v);
5295 buf[sizeof(buf)-1] = 0;
5296 ret += std::string(buf);
5297 }
5298
5299 ret += "}";
5300 return ret;
5301}
5302
5303void ExpectSigAlgsEqual(Span<const uint16_t> expected,
5304 Span<const uint16_t> actual) {
5305 bool matches = false;
5306 if (expected.size() == actual.size()) {
5307 matches = true;
5308
5309 for (size_t i = 0; i < expected.size(); i++) {
5310 if (expected[i] != actual[i]) {
5311 matches = false;
5312 break;
5313 }
5314 }
5315 }
5316
5317 if (!matches) {
5318 ADD_FAILURE() << "expected: " << SigAlgsToString(expected)
5319 << " got: " << SigAlgsToString(actual);
5320 }
5321}
5322
5323TEST(SSLTest, SigAlgs) {
5324 static const struct {
5325 std::vector<int> input;
5326 bool ok;
5327 std::vector<uint16_t> expected;
5328 } kTests[] = {
5329 {{}, true, {}},
5330 {{1}, false, {}},
5331 {{1, 2, 3}, false, {}},
5332 {{NID_sha256, EVP_PKEY_ED25519}, false, {}},
5333 {{NID_sha256, EVP_PKEY_RSA, NID_sha256, EVP_PKEY_RSA}, false, {}},
5334
5335 {{NID_sha256, EVP_PKEY_RSA}, true, {SSL_SIGN_RSA_PKCS1_SHA256}},
5336 {{NID_sha512, EVP_PKEY_RSA}, true, {SSL_SIGN_RSA_PKCS1_SHA512}},
5337 {{NID_sha256, EVP_PKEY_RSA_PSS}, true, {SSL_SIGN_RSA_PSS_RSAE_SHA256}},
5338 {{NID_undef, EVP_PKEY_ED25519}, true, {SSL_SIGN_ED25519}},
5339 {{NID_undef, EVP_PKEY_ED25519, NID_sha384, EVP_PKEY_EC},
5340 true,
5341 {SSL_SIGN_ED25519, SSL_SIGN_ECDSA_SECP384R1_SHA384}},
5342 };
5343
5344 UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
5345
5346 unsigned n = 1;
5347 for (const auto &test : kTests) {
5348 SCOPED_TRACE(n++);
5349
5350 const bool ok =
5351 SSL_CTX_set1_sigalgs(ctx.get(), test.input.data(), test.input.size());
5352 EXPECT_EQ(ok, test.ok);
5353
5354 if (!ok) {
5355 ERR_clear_error();
5356 }
5357
5358 if (!test.ok) {
5359 continue;
5360 }
5361
5362 ExpectSigAlgsEqual(test.expected, ctx->cert->sigalgs);
5363 }
5364}
5365
5366TEST(SSLTest, SigAlgsList) {
5367 static const struct {
5368 const char *input;
5369 bool ok;
5370 std::vector<uint16_t> expected;
5371 } kTests[] = {
5372 {"", false, {}},
5373 {":", false, {}},
5374 {"+", false, {}},
5375 {"RSA", false, {}},
5376 {"RSA+", false, {}},
5377 {"RSA+SHA256:", false, {}},
5378 {":RSA+SHA256:", false, {}},
5379 {":RSA+SHA256+:", false, {}},
5380 {"!", false, {}},
5381 {"\x01", false, {}},
5382 {"RSA+SHA256:RSA+SHA384:RSA+SHA256", false, {}},
5383 {"RSA-PSS+SHA256:rsa_pss_rsae_sha256", false, {}},
5384
5385 {"RSA+SHA256", true, {SSL_SIGN_RSA_PKCS1_SHA256}},
5386 {"RSA+SHA256:ed25519",
5387 true,
5388 {SSL_SIGN_RSA_PKCS1_SHA256, SSL_SIGN_ED25519}},
5389 {"ECDSA+SHA256:RSA+SHA512",
5390 true,
5391 {SSL_SIGN_ECDSA_SECP256R1_SHA256, SSL_SIGN_RSA_PKCS1_SHA512}},
5392 {"ecdsa_secp256r1_sha256:rsa_pss_rsae_sha256",
5393 true,
5394 {SSL_SIGN_ECDSA_SECP256R1_SHA256, SSL_SIGN_RSA_PSS_RSAE_SHA256}},
5395 {"RSA-PSS+SHA256", true, {SSL_SIGN_RSA_PSS_RSAE_SHA256}},
5396 {"PSS+SHA256", true, {SSL_SIGN_RSA_PSS_RSAE_SHA256}},
5397 };
5398
5399 UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
5400
5401 unsigned n = 1;
5402 for (const auto &test : kTests) {
5403 SCOPED_TRACE(n++);
5404
5405 const bool ok = SSL_CTX_set1_sigalgs_list(ctx.get(), test.input);
5406 EXPECT_EQ(ok, test.ok);
5407
5408 if (!ok) {
5409 if (test.ok) {
5410 ERR_print_errors_fp(stderr);
5411 }
5412 ERR_clear_error();
5413 }
5414
5415 if (!test.ok) {
5416 continue;
5417 }
5418
5419 ExpectSigAlgsEqual(test.expected, ctx->cert->sigalgs);
5420 }
5421}
5422
Matthew Braithwaited2ed3822018-07-10 16:27:22 -0700[diff] [blame]5423TEST(SSLTest, ApplyHandoffRemovesUnsupportedCiphers) {
5424 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
5425 bssl::UniquePtr<SSL> server(SSL_new(server_ctx.get()));
5426
5427 // handoff is a handoff message that has been artificially modified to pretend
5428 // that only cipher 0x0A is supported. When it is applied to |server|, all
5429 // ciphers but that one should be removed.
Matthew Braithwaitec65eb2c2018-11-02 17:29:35 -0700[diff] [blame]5430 //
5431 // To make a new one of these, try sticking this in the |Handoff| test above:
5432 //
5433 // hexdump(stderr, "", handoff.data(), handoff.size());
5434 // sed -e 's/\(..\)/0x\1, /g'
5435 //
5436 // and modify serialize_features() to emit only cipher 0x0A.
5437
Matthew Braithwaited2ed3822018-07-10 16:27:22 -0700[diff] [blame]5438 uint8_t handoff[] = {
Matthew Braithwaitec65eb2c2018-11-02 17:29:35 -0700[diff] [blame]5439 0x30, 0x81, 0x9a, 0x02, 0x01, 0x00, 0x04, 0x00, 0x04, 0x81, 0x82, 0x01,
5440 0x00, 0x00, 0x7e, 0x03, 0x03, 0x30, 0x8e, 0x8f, 0x79, 0xd2, 0x87, 0x39,
5441 0xc2, 0x23, 0x23, 0x13, 0xca, 0x3c, 0x80, 0x44, 0xfd, 0x80, 0x83, 0x62,
5442 0x3c, 0xcc, 0xf8, 0x76, 0xd3, 0x62, 0xbb, 0x54, 0xe3, 0xc4, 0x39, 0x24,
5443 0xa5, 0x00, 0x00, 0x1e, 0xc0, 0x2b, 0xc0, 0x2f, 0xc0, 0x2c, 0xc0, 0x30,
Matthew Braithwaited2ed3822018-07-10 16:27:22 -0700[diff] [blame]5444 0xcc, 0xa9, 0xcc, 0xa8, 0xc0, 0x09, 0xc0, 0x13, 0xc0, 0x0a, 0xc0, 0x14,
5445 0x00, 0x9c, 0x00, 0x9d, 0x00, 0x2f, 0x00, 0x35, 0x00, 0x0a, 0x01, 0x00,
Matthew Braithwaitec65eb2c2018-11-02 17:29:35 -0700[diff] [blame]5446 0x00, 0x37, 0x00, 0x17, 0x00, 0x00, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00,
5447 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00,
5448 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00,
5449 0x14, 0x00, 0x12, 0x04, 0x03, 0x08, 0x04, 0x04, 0x01, 0x05, 0x03, 0x08,
5450 0x05, 0x05, 0x01, 0x08, 0x06, 0x06, 0x01, 0x02, 0x01, 0x04, 0x02, 0x00,
5451 0x0a, 0x04, 0x0a, 0x00, 0x15, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x00,
5452 0x1d,
Matthew Braithwaited2ed3822018-07-10 16:27:22 -0700[diff] [blame]5453 };
5454
5455 EXPECT_EQ(20u, sk_SSL_CIPHER_num(SSL_get_ciphers(server.get())));
5456 ASSERT_TRUE(
5457 SSL_apply_handoff(server.get(), {handoff, OPENSSL_ARRAY_SIZE(handoff)}));
5458 EXPECT_EQ(1u, sk_SSL_CIPHER_num(SSL_get_ciphers(server.get())));
5459}
5460
Matthew Braithwaitec65eb2c2018-11-02 17:29:35 -0700[diff] [blame]5461TEST(SSLTest, ApplyHandoffRemovesUnsupportedCurves) {
5462 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
5463 bssl::UniquePtr<SSL> server(SSL_new(server_ctx.get()));
5464
5465 // handoff is a handoff message that has been artificially modified to pretend
5466 // that only one curve is supported. When it is applied to |server|, all
5467 // curves but that one should be removed.
5468 //
5469 // See |ApplyHandoffRemovesUnsupportedCiphers| for how to make a new one of
5470 // these.
5471 uint8_t handoff[] = {
5472 0x30, 0x81, 0xc0, 0x02, 0x01, 0x00, 0x04, 0x00, 0x04, 0x81, 0x82, 0x01,
5473 0x00, 0x00, 0x7e, 0x03, 0x03, 0x98, 0x30, 0xce, 0xd9, 0xb0, 0xdf, 0x5f,
5474 0x82, 0x05, 0x4a, 0x43, 0x67, 0x7e, 0xdb, 0x6a, 0x4f, 0x21, 0x18, 0x4e,
5475 0x0d, 0x94, 0x63, 0x18, 0x8b, 0x54, 0x89, 0xdb, 0x8b, 0x1d, 0x84, 0xbc,
5476 0x09, 0x00, 0x00, 0x1e, 0xc0, 0x2b, 0xc0, 0x2f, 0xc0, 0x2c, 0xc0, 0x30,
5477 0xcc, 0xa9, 0xcc, 0xa8, 0xc0, 0x09, 0xc0, 0x13, 0xc0, 0x0a, 0xc0, 0x14,
5478 0x00, 0x9c, 0x00, 0x9d, 0x00, 0x2f, 0x00, 0x35, 0x00, 0x0a, 0x01, 0x00,
5479 0x00, 0x37, 0x00, 0x17, 0x00, 0x00, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00,
5480 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00,
5481 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00,
5482 0x14, 0x00, 0x12, 0x04, 0x03, 0x08, 0x04, 0x04, 0x01, 0x05, 0x03, 0x08,
5483 0x05, 0x05, 0x01, 0x08, 0x06, 0x06, 0x01, 0x02, 0x01, 0x04, 0x30, 0x00,
5484 0x02, 0x00, 0x0a, 0x00, 0x2f, 0x00, 0x35, 0x00, 0x8c, 0x00, 0x8d, 0x00,
5485 0x9c, 0x00, 0x9d, 0x13, 0x01, 0x13, 0x02, 0x13, 0x03, 0xc0, 0x09, 0xc0,
5486 0x0a, 0xc0, 0x13, 0xc0, 0x14, 0xc0, 0x2b, 0xc0, 0x2c, 0xc0, 0x2f, 0xc0,
5487 0x30, 0xc0, 0x35, 0xc0, 0x36, 0xcc, 0xa8, 0xcc, 0xa9, 0xcc, 0xac, 0x04,
5488 0x02, 0x00, 0x17,
5489 };
5490
5491 // The zero length means that the default list of groups is used.
5492 EXPECT_EQ(0u, server->config->supported_group_list.size());
5493 ASSERT_TRUE(
5494 SSL_apply_handoff(server.get(), {handoff, OPENSSL_ARRAY_SIZE(handoff)}));
5495 EXPECT_EQ(1u, server->config->supported_group_list.size());
5496}
5497
Adam Langleyba9ad662018-12-17 13:59:38 -0800[diff] [blame]5498TEST(SSLTest, ZeroSizedWiteFlushesHandshakeMessages) {
5499 // If there are pending handshake mesages, an |SSL_write| of zero bytes should
5500 // flush them.
David Benjamin9b2cdb72021-04-01 23:21:53 -0400[diff] [blame]5501 bssl::UniquePtr<SSL_CTX> server_ctx(
5502 CreateContextWithTestCertificate(TLS_method()));
Adam Langleyba9ad662018-12-17 13:59:38 -0800[diff] [blame]5503 EXPECT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
5504 EXPECT_TRUE(SSL_CTX_set_min_proto_version(server_ctx.get(), TLS1_3_VERSION));
Adam Langleyba9ad662018-12-17 13:59:38 -0800[diff] [blame]5505
5506 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
5507 EXPECT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION));
5508 EXPECT_TRUE(SSL_CTX_set_min_proto_version(client_ctx.get(), TLS1_3_VERSION));
5509
5510 bssl::UniquePtr<SSL> client, server;
5511 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
5512 server_ctx.get()));
5513
5514 BIO *client_wbio = SSL_get_wbio(client.get());
5515 EXPECT_EQ(0u, BIO_wpending(client_wbio));
5516 EXPECT_TRUE(SSL_key_update(client.get(), SSL_KEY_UPDATE_NOT_REQUESTED));
5517 EXPECT_EQ(0u, BIO_wpending(client_wbio));
5518 EXPECT_EQ(0, SSL_write(client.get(), nullptr, 0));
5519 EXPECT_NE(0u, BIO_wpending(client_wbio));
5520}
5521
David Benjamin5869eb32018-07-17 00:59:45 -0400[diff] [blame]5522TEST_P(SSLVersionTest, VerifyBeforeCertRequest) {
5523 // Configure the server to request client certificates.
5524 SSL_CTX_set_custom_verify(
5525 server_ctx_.get(), SSL_VERIFY_PEER,
5526 [](SSL *ssl, uint8_t *out_alert) { return ssl_verify_ok; });
5527
5528 // Configure the client to reject the server certificate.
5529 SSL_CTX_set_custom_verify(
5530 client_ctx_.get(), SSL_VERIFY_PEER,
5531 [](SSL *ssl, uint8_t *out_alert) { return ssl_verify_invalid; });
5532
5533 // cert_cb should not be called. Verification should fail first.
5534 SSL_CTX_set_cert_cb(client_ctx_.get(),
5535 [](SSL *ssl, void *arg) {
5536 ADD_FAILURE() << "cert_cb unexpectedly called";
5537 return 0;
5538 },
5539 nullptr);
5540
5541 bssl::UniquePtr<SSL> client, server;
5542 EXPECT_FALSE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
5543 server_ctx_.get()));
5544}
5545
David Benjamin492c9aa2018-08-31 16:35:22 -0500[diff] [blame]5546// Test that ticket-based sessions on the client get fake session IDs.
5547TEST_P(SSLVersionTest, FakeIDsForTickets) {
5548 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
5549 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
5550
5551 bssl::UniquePtr<SSL_SESSION> session =
5552 CreateClientSession(client_ctx_.get(), server_ctx_.get());
5553 ASSERT_TRUE(session);
5554
5555 EXPECT_TRUE(SSL_SESSION_has_ticket(session.get()));
5556 unsigned session_id_length;
5557 SSL_SESSION_get_id(session.get(), &session_id_length);
5558 EXPECT_NE(session_id_length, 0u);
5559}
5560
David Benjamin6c04bd12018-07-19 18:13:09 -0400[diff] [blame]5561// These tests test multi-threaded behavior. They are intended to run with
5562// ThreadSanitizer.
David Benjamin5b33eff2018-09-22 16:52:48 -0700[diff] [blame]5563#if defined(OPENSSL_THREADS)
David Benjamin6c04bd12018-07-19 18:13:09 -0400[diff] [blame]5564TEST_P(SSLVersionTest, SessionCacheThreads) {
5565 SSL_CTX_set_options(server_ctx_.get(), SSL_OP_NO_TICKET);
5566 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
5567 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
5568
5569 if (version() == TLS1_3_VERSION) {
5570 // Our TLS 1.3 implementation does not support stateful resumption.
5571 ASSERT_FALSE(CreateClientSession(client_ctx_.get(), server_ctx_.get()));
5572 return;
5573 }
5574
5575 // Establish two client sessions to test with.
5576 bssl::UniquePtr<SSL_SESSION> session1 =
5577 CreateClientSession(client_ctx_.get(), server_ctx_.get());
5578 ASSERT_TRUE(session1);
5579 bssl::UniquePtr<SSL_SESSION> session2 =
5580 CreateClientSession(client_ctx_.get(), server_ctx_.get());
5581 ASSERT_TRUE(session2);
5582
5583 auto connect_with_session = [&](SSL_SESSION *session) {
5584 ClientConfig config;
5585 config.session = session;
5586 UniquePtr<SSL> client, server;
5587 EXPECT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
5588 server_ctx_.get(), config));
5589 };
5590
5591 // Resume sessions in parallel with establishing new ones.
5592 {
5593 std::vector<std::thread> threads;
5594 threads.emplace_back([&] { connect_with_session(nullptr); });
5595 threads.emplace_back([&] { connect_with_session(nullptr); });
5596 threads.emplace_back([&] { connect_with_session(session1.get()); });
5597 threads.emplace_back([&] { connect_with_session(session1.get()); });
5598 threads.emplace_back([&] { connect_with_session(session2.get()); });
5599 threads.emplace_back([&] { connect_with_session(session2.get()); });
5600 for (auto &thread : threads) {
5601 thread.join();
5602 }
5603 }
5604
David Benjamina10017c2021-06-16 16:00:13 -0400[diff] [blame]5605 // Hit the maximum session cache size across multiple threads, to test the
5606 // size enforcement logic.
David Benjamin6c04bd12018-07-19 18:13:09 -0400[diff] [blame]5607 size_t limit = SSL_CTX_sess_number(server_ctx_.get()) + 2;
5608 SSL_CTX_sess_set_cache_size(server_ctx_.get(), limit);
5609 {
5610 std::vector<std::thread> threads;
5611 for (int i = 0; i < 4; i++) {
5612 threads.emplace_back([&]() {
5613 connect_with_session(nullptr);
5614 EXPECT_LE(SSL_CTX_sess_number(server_ctx_.get()), limit);
5615 });
5616 }
5617 for (auto &thread : threads) {
5618 thread.join();
5619 }
5620 EXPECT_EQ(SSL_CTX_sess_number(server_ctx_.get()), limit);
5621 }
David Benjamina10017c2021-06-16 16:00:13 -0400[diff] [blame]5622
5623 // Reset the session cache, this time with a mock clock.
5624 ASSERT_NO_FATAL_FAILURE(ResetContexts());
5625 SSL_CTX_set_options(server_ctx_.get(), SSL_OP_NO_TICKET);
5626 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
5627 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
5628 SSL_CTX_set_current_time_cb(server_ctx_.get(), CurrentTimeCallback);
5629
5630 // Make some sessions at an arbitrary start time. Then expire them.
5631 g_current_time.tv_sec = 1000;
5632 bssl::UniquePtr<SSL_SESSION> expired_session1 =
5633 CreateClientSession(client_ctx_.get(), server_ctx_.get());
5634 ASSERT_TRUE(expired_session1);
5635 bssl::UniquePtr<SSL_SESSION> expired_session2 =
5636 CreateClientSession(client_ctx_.get(), server_ctx_.get());
5637 ASSERT_TRUE(expired_session2);
5638 g_current_time.tv_sec += 100 * SSL_DEFAULT_SESSION_TIMEOUT;
5639
5640 session1 = CreateClientSession(client_ctx_.get(), server_ctx_.get());
5641 ASSERT_TRUE(session1);
5642
5643 // Every 256 connections, we flush stale sessions from the session cache. Test
5644 // this logic is correctly synchronized with other connection attempts.
5645 static const int kNumConnections = 256;
5646 {
5647 std::vector<std::thread> threads;
5648 threads.emplace_back([&] {
5649 for (int i = 0; i < kNumConnections; i++) {
5650 connect_with_session(nullptr);
5651 }
5652 });
5653 threads.emplace_back([&] {
5654 for (int i = 0; i < kNumConnections; i++) {
5655 connect_with_session(nullptr);
5656 }
5657 });
5658 threads.emplace_back([&] {
5659 // Never connect with |expired_session2|. The session cache eagerly
5660 // removes expired sessions when it sees them. Leaving |expired_session2|
5661 // untouched ensures it is instead cleared by periodic flushing.
5662 for (int i = 0; i < kNumConnections; i++) {
5663 connect_with_session(expired_session1.get());
5664 }
5665 });
5666 threads.emplace_back([&] {
5667 for (int i = 0; i < kNumConnections; i++) {
5668 connect_with_session(session1.get());
5669 }
5670 });
5671 for (auto &thread : threads) {
5672 thread.join();
5673 }
5674 }
David Benjamin6c04bd12018-07-19 18:13:09 -0400[diff] [blame]5675}
5676
5677TEST_P(SSLVersionTest, SessionTicketThreads) {
5678 for (bool renew_ticket : {false, true}) {
5679 SCOPED_TRACE(renew_ticket);
5680 ResetContexts();
5681 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
5682 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
5683 if (renew_ticket) {
5684 SSL_CTX_set_tlsext_ticket_key_cb(server_ctx_.get(), RenewTicketCallback);
5685 }
5686
5687 // Establish two client sessions to test with.
5688 bssl::UniquePtr<SSL_SESSION> session1 =
5689 CreateClientSession(client_ctx_.get(), server_ctx_.get());
5690 ASSERT_TRUE(session1);
5691 bssl::UniquePtr<SSL_SESSION> session2 =
5692 CreateClientSession(client_ctx_.get(), server_ctx_.get());
5693 ASSERT_TRUE(session2);
5694
5695 auto connect_with_session = [&](SSL_SESSION *session) {
5696 ClientConfig config;
5697 config.session = session;
5698 UniquePtr<SSL> client, server;
5699 EXPECT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
5700 server_ctx_.get(), config));
5701 };
5702
5703 // Resume sessions in parallel with establishing new ones.
5704 {
5705 std::vector<std::thread> threads;
5706 threads.emplace_back([&] { connect_with_session(nullptr); });
5707 threads.emplace_back([&] { connect_with_session(nullptr); });
5708 threads.emplace_back([&] { connect_with_session(session1.get()); });
5709 threads.emplace_back([&] { connect_with_session(session1.get()); });
5710 threads.emplace_back([&] { connect_with_session(session2.get()); });
5711 threads.emplace_back([&] { connect_with_session(session2.get()); });
5712 for (auto &thread : threads) {
5713 thread.join();
5714 }
5715 }
5716 }
5717}
5718
5719// SSL_CTX_get0_certificate needs to lock internally. Test this works.
5720TEST(SSLTest, GetCertificateThreads) {
5721 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
5722 ASSERT_TRUE(ctx);
5723 bssl::UniquePtr<X509> cert = GetTestCertificate();
5724 ASSERT_TRUE(cert);
5725 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), cert.get()));
5726
5727 // Existing code expects |SSL_CTX_get0_certificate| to be callable from two
5728 // threads concurrently. It originally was an immutable operation. Now we
5729 // implement it with a thread-safe cache, so it is worth testing.
5730 X509 *cert2_thread;
5731 std::thread thread(
5732 [&] { cert2_thread = SSL_CTX_get0_certificate(ctx.get()); });
5733 X509 *cert2 = SSL_CTX_get0_certificate(ctx.get());
5734 thread.join();
5735
5736 EXPECT_EQ(cert2, cert2_thread);
5737 EXPECT_EQ(0, X509_cmp(cert.get(), cert2));
5738}
David Benjamin4cce9552018-12-13 12:20:54 -0600[diff] [blame]5739
5740// Functions which access properties on the negotiated session are thread-safe
5741// where needed. Prior to TLS 1.3, clients resuming sessions and servers
5742// performing stateful resumption will share an underlying SSL_SESSION object,
5743// potentially across threads.
5744TEST_P(SSLVersionTest, SessionPropertiesThreads) {
5745 if (version() == TLS1_3_VERSION) {
5746 // Our TLS 1.3 implementation does not support stateful resumption.
5747 ASSERT_FALSE(CreateClientSession(client_ctx_.get(), server_ctx_.get()));
5748 return;
5749 }
5750
5751 SSL_CTX_set_options(server_ctx_.get(), SSL_OP_NO_TICKET);
5752 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
5753 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
5754
5755 ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
5756 ASSERT_TRUE(UseCertAndKey(server_ctx_.get()));
5757
5758 // Configure mutual authentication, so we have more session state.
5759 SSL_CTX_set_custom_verify(
5760 client_ctx_.get(), SSL_VERIFY_PEER,
5761 [](SSL *ssl, uint8_t *out_alert) { return ssl_verify_ok; });
5762 SSL_CTX_set_custom_verify(
5763 server_ctx_.get(), SSL_VERIFY_PEER,
5764 [](SSL *ssl, uint8_t *out_alert) { return ssl_verify_ok; });
5765
5766 // Establish a client session to test with.
5767 bssl::UniquePtr<SSL_SESSION> session =
5768 CreateClientSession(client_ctx_.get(), server_ctx_.get());
5769 ASSERT_TRUE(session);
5770
5771 // Resume with it twice.
5772 UniquePtr<SSL> ssls[4];
5773 ClientConfig config;
5774 config.session = session.get();
5775 ASSERT_TRUE(ConnectClientAndServer(&ssls[0], &ssls[1], client_ctx_.get(),
5776 server_ctx_.get(), config));
5777 ASSERT_TRUE(ConnectClientAndServer(&ssls[2], &ssls[3], client_ctx_.get(),
5778 server_ctx_.get(), config));
5779
5780 // Read properties in parallel.
5781 auto read_properties = [](const SSL *ssl) {
5782 EXPECT_TRUE(SSL_get_peer_cert_chain(ssl));
5783 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(ssl));
5784 EXPECT_TRUE(peer);
5785 EXPECT_TRUE(SSL_get_current_cipher(ssl));
5786 EXPECT_TRUE(SSL_get_curve_id(ssl));
5787 };
5788
5789 std::vector<std::thread> threads;
5790 for (const auto &ssl_ptr : ssls) {
5791 const SSL *ssl = ssl_ptr.get();
5792 threads.emplace_back([=] { read_properties(ssl); });
5793 }
5794 for (auto &thread : threads) {
5795 thread.join();
5796 }
5797}
David Benjamina486c6c2019-03-28 18:32:38 -0500[diff] [blame]5798#endif // OPENSSL_THREADS
David Benjamin6c04bd12018-07-19 18:13:09 -0400[diff] [blame]5799
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5800constexpr size_t kNumQUICLevels = 4;
5801static_assert(ssl_encryption_initial < kNumQUICLevels,
5802 "kNumQUICLevels is wrong");
5803static_assert(ssl_encryption_early_data < kNumQUICLevels,
5804 "kNumQUICLevels is wrong");
5805static_assert(ssl_encryption_handshake < kNumQUICLevels,
5806 "kNumQUICLevels is wrong");
5807static_assert(ssl_encryption_application < kNumQUICLevels,
5808 "kNumQUICLevels is wrong");
5809
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]5810const char *LevelToString(ssl_encryption_level_t level) {
5811 switch (level) {
5812 case ssl_encryption_initial:
5813 return "initial";
5814 case ssl_encryption_early_data:
5815 return "early data";
5816 case ssl_encryption_handshake:
5817 return "handshake";
5818 case ssl_encryption_application:
5819 return "application";
5820 }
5821 return "<unknown>";
5822}
5823
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5824class MockQUICTransport {
5825 public:
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5826 enum class Role { kClient, kServer };
5827
5828 explicit MockQUICTransport(Role role) : role_(role) {
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5829 // The caller is expected to configure initial secrets.
5830 levels_[ssl_encryption_initial].write_secret = {1};
5831 levels_[ssl_encryption_initial].read_secret = {1};
5832 }
5833
5834 void set_peer(MockQUICTransport *peer) { peer_ = peer; }
5835
5836 bool has_alert() const { return has_alert_; }
5837 ssl_encryption_level_t alert_level() const { return alert_level_; }
5838 uint8_t alert() const { return alert_; }
5839
5840 bool PeerSecretsMatch(ssl_encryption_level_t level) const {
5841 return levels_[level].write_secret == peer_->levels_[level].read_secret &&
Steven Valdez384d0ea2018-11-06 10:45:36 -0500[diff] [blame]5842 levels_[level].read_secret == peer_->levels_[level].write_secret &&
5843 levels_[level].cipher == peer_->levels_[level].cipher;
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5844 }
5845
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]5846 bool HasReadSecret(ssl_encryption_level_t level) const {
5847 return !levels_[level].read_secret.empty();
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5848 }
5849
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]5850 bool HasWriteSecret(ssl_encryption_level_t level) const {
5851 return !levels_[level].write_secret.empty();
5852 }
5853
David Benjamin5298ef92020-03-13 12:17:30 -0400[diff] [blame]5854 void AllowOutOfOrderWrites() { allow_out_of_order_writes_ = true; }
5855
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]5856 bool SetReadSecret(ssl_encryption_level_t level, const SSL_CIPHER *cipher,
5857 Span<const uint8_t> secret) {
5858 if (HasReadSecret(level)) {
5859 ADD_FAILURE() << LevelToString(level) << " read secret configured twice";
5860 return false;
5861 }
5862
5863 if (role_ == Role::kClient && level == ssl_encryption_early_data) {
5864 ADD_FAILURE() << "Unexpected early data read secret";
5865 return false;
5866 }
5867
5868 ssl_encryption_level_t ack_level =
5869 level == ssl_encryption_early_data ? ssl_encryption_application : level;
5870 if (!HasWriteSecret(ack_level)) {
5871 ADD_FAILURE() << LevelToString(level)
5872 << " read secret configured before ACK write secret";
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5873 return false;
5874 }
Steven Valdez384d0ea2018-11-06 10:45:36 -0500[diff] [blame]5875
5876 if (cipher == nullptr) {
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]5877 ADD_FAILURE() << "Unexpected null cipher";
Steven Valdez384d0ea2018-11-06 10:45:36 -0500[diff] [blame]5878 return false;
5879 }
5880
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]5881 if (level != ssl_encryption_early_data &&
5882 SSL_CIPHER_get_id(cipher) != levels_[level].cipher) {
5883 ADD_FAILURE() << "Cipher suite inconsistent";
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5884 return false;
5885 }
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5886
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]5887 levels_[level].read_secret.assign(secret.begin(), secret.end());
5888 levels_[level].cipher = SSL_CIPHER_get_id(cipher);
5889 return true;
5890 }
5891
5892 bool SetWriteSecret(ssl_encryption_level_t level, const SSL_CIPHER *cipher,
5893 Span<const uint8_t> secret) {
5894 if (HasWriteSecret(level)) {
5895 ADD_FAILURE() << LevelToString(level) << " write secret configured twice";
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5896 return false;
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5897 }
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5898
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]5899 if (role_ == Role::kServer && level == ssl_encryption_early_data) {
5900 ADD_FAILURE() << "Unexpected early data write secret";
5901 return false;
5902 }
5903
5904 if (cipher == nullptr) {
5905 ADD_FAILURE() << "Unexpected null cipher";
5906 return false;
5907 }
5908
5909 levels_[level].write_secret.assign(secret.begin(), secret.end());
Steven Valdez384d0ea2018-11-06 10:45:36 -0500[diff] [blame]5910 levels_[level].cipher = SSL_CIPHER_get_id(cipher);
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5911 return true;
5912 }
5913
5914 bool WriteHandshakeData(ssl_encryption_level_t level,
5915 Span<const uint8_t> data) {
5916 if (levels_[level].write_secret.empty()) {
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]5917 ADD_FAILURE() << LevelToString(level)
5918 << " write secret not yet configured";
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5919 return false;
5920 }
David Benjamin5298ef92020-03-13 12:17:30 -0400[diff] [blame]5921
5922 // Although the levels are conceptually separate, BoringSSL finishes writing
5923 // data from a previous level before installing keys for the next level.
5924 if (!allow_out_of_order_writes_) {
5925 switch (level) {
5926 case ssl_encryption_early_data:
5927 ADD_FAILURE() << "unexpected handshake data at early data level";
5928 return false;
5929 case ssl_encryption_initial:
5930 if (!levels_[ssl_encryption_handshake].write_secret.empty()) {
5931 ADD_FAILURE()
5932 << LevelToString(level)
5933 << " handshake data written after handshake keys installed";
5934 return false;
5935 }
5936 OPENSSL_FALLTHROUGH;
5937 case ssl_encryption_handshake:
5938 if (!levels_[ssl_encryption_application].write_secret.empty()) {
5939 ADD_FAILURE()
5940 << LevelToString(level)
5941 << " handshake data written after application keys installed";
5942 return false;
5943 }
5944 OPENSSL_FALLTHROUGH;
5945 case ssl_encryption_application:
5946 break;
5947 }
5948 }
5949
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5950 levels_[level].write_data.insert(levels_[level].write_data.end(),
5951 data.begin(), data.end());
5952 return true;
5953 }
5954
5955 bool SendAlert(ssl_encryption_level_t level, uint8_t alert_value) {
5956 if (has_alert_) {
5957 ADD_FAILURE() << "duplicate alert sent";
5958 return false;
5959 }
5960
5961 if (levels_[level].write_secret.empty()) {
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]5962 ADD_FAILURE() << LevelToString(level)
5963 << " write secret not yet configured";
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5964 return false;
5965 }
5966
5967 has_alert_ = true;
5968 alert_level_ = level;
5969 alert_ = alert_value;
5970 return true;
5971 }
5972
5973 bool ReadHandshakeData(std::vector<uint8_t> *out,
5974 ssl_encryption_level_t level,
5975 size_t num = std::numeric_limits<size_t>::max()) {
5976 if (levels_[level].read_secret.empty()) {
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5977 ADD_FAILURE() << "data read before keys configured in level " << level;
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5978 return false;
5979 }
5980 // The peer may not have configured any keys yet.
5981 if (peer_->levels_[level].write_secret.empty()) {
David Benjamind0b97942019-08-21 12:54:20 -0400[diff] [blame]5982 out->clear();
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5983 return true;
5984 }
5985 // Check the peer computed the same key.
5986 if (peer_->levels_[level].write_secret != levels_[level].read_secret) {
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5987 ADD_FAILURE() << "peer write key does not match read key in level "
5988 << level;
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5989 return false;
5990 }
Steven Valdez384d0ea2018-11-06 10:45:36 -0500[diff] [blame]5991 if (peer_->levels_[level].cipher != levels_[level].cipher) {
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]5992 ADD_FAILURE() << "peer cipher does not match in level " << level;
Steven Valdez384d0ea2018-11-06 10:45:36 -0500[diff] [blame]5993 return false;
5994 }
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]5995 std::vector<uint8_t> *peer_data = &peer_->levels_[level].write_data;
5996 num = std::min(num, peer_data->size());
5997 out->assign(peer_data->begin(), peer_data->begin() + num);
5998 peer_data->erase(peer_data->begin(), peer_data->begin() + num);
5999 return true;
6000 }
6001
6002 private:
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6003 Role role_;
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6004 MockQUICTransport *peer_ = nullptr;
6005
David Benjamin5298ef92020-03-13 12:17:30 -0400[diff] [blame]6006 bool allow_out_of_order_writes_ = false;
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6007 bool has_alert_ = false;
6008 ssl_encryption_level_t alert_level_ = ssl_encryption_initial;
6009 uint8_t alert_ = 0;
6010
6011 struct Level {
6012 std::vector<uint8_t> write_data;
6013 std::vector<uint8_t> write_secret;
6014 std::vector<uint8_t> read_secret;
Steven Valdez384d0ea2018-11-06 10:45:36 -0500[diff] [blame]6015 uint32_t cipher = 0;
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6016 };
6017 Level levels_[kNumQUICLevels];
6018};
6019
6020class MockQUICTransportPair {
6021 public:
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6022 MockQUICTransportPair()
6023 : client_(MockQUICTransport::Role::kClient),
6024 server_(MockQUICTransport::Role::kServer) {
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6025 client_.set_peer(&server_);
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6026 server_.set_peer(&client_);
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6027 }
6028
6029 ~MockQUICTransportPair() {
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6030 client_.set_peer(nullptr);
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6031 server_.set_peer(nullptr);
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6032 }
6033
6034 MockQUICTransport *client() { return &client_; }
6035 MockQUICTransport *server() { return &server_; }
6036
6037 bool SecretsMatch(ssl_encryption_level_t level) const {
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]6038 // We only need to check |HasReadSecret| and |HasWriteSecret| on |client_|.
6039 // |PeerSecretsMatch| checks that |server_| is analogously configured.
6040 return client_.PeerSecretsMatch(level) &&
6041 client_.HasWriteSecret(level) &&
6042 (level == ssl_encryption_early_data || client_.HasReadSecret(level));
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6043 }
6044
6045 private:
6046 MockQUICTransport client_;
6047 MockQUICTransport server_;
6048};
6049
6050class QUICMethodTest : public testing::Test {
6051 protected:
6052 void SetUp() override {
6053 client_ctx_.reset(SSL_CTX_new(TLS_method()));
David Benjamin9b2cdb72021-04-01 23:21:53 -0400[diff] [blame]6054 server_ctx_ = CreateContextWithTestCertificate(TLS_method());
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6055 ASSERT_TRUE(client_ctx_);
6056 ASSERT_TRUE(server_ctx_);
6057
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6058 SSL_CTX_set_min_proto_version(server_ctx_.get(), TLS1_3_VERSION);
6059 SSL_CTX_set_max_proto_version(server_ctx_.get(), TLS1_3_VERSION);
6060 SSL_CTX_set_min_proto_version(client_ctx_.get(), TLS1_3_VERSION);
6061 SSL_CTX_set_max_proto_version(client_ctx_.get(), TLS1_3_VERSION);
Nick Harper74161f42020-07-24 15:35:27 -0700[diff] [blame]6062
6063 static const uint8_t kALPNProtos[] = {0x03, 'f', 'o', 'o'};
6064 ASSERT_EQ(SSL_CTX_set_alpn_protos(client_ctx_.get(), kALPNProtos,
6065 sizeof(kALPNProtos)),
6066 0);
6067 SSL_CTX_set_alpn_select_cb(
6068 server_ctx_.get(),
6069 [](SSL *ssl, const uint8_t **out, uint8_t *out_len, const uint8_t *in,
6070 unsigned in_len, void *arg) -> int {
6071 return SSL_select_next_proto(
6072 const_cast<uint8_t **>(out), out_len, in, in_len,
6073 kALPNProtos, sizeof(kALPNProtos)) == OPENSSL_NPN_NEGOTIATED
6074 ? SSL_TLSEXT_ERR_OK
6075 : SSL_TLSEXT_ERR_NOACK;
6076 },
6077 nullptr);
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6078 }
6079
6080 static MockQUICTransport *TransportFromSSL(const SSL *ssl) {
6081 return ex_data_.Get(ssl);
6082 }
6083
6084 static bool ProvideHandshakeData(
6085 SSL *ssl, size_t num = std::numeric_limits<size_t>::max()) {
6086 MockQUICTransport *transport = TransportFromSSL(ssl);
6087 ssl_encryption_level_t level = SSL_quic_read_level(ssl);
6088 std::vector<uint8_t> data;
6089 return transport->ReadHandshakeData(&data, level, num) &&
6090 SSL_provide_quic_data(ssl, level, data.data(), data.size());
6091 }
6092
David Benjamin5298ef92020-03-13 12:17:30 -0400[diff] [blame]6093 void AllowOutOfOrderWrites() {
6094 allow_out_of_order_writes_ = true;
6095 }
6096
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6097 bool CreateClientAndServer() {
6098 client_.reset(SSL_new(client_ctx_.get()));
6099 server_.reset(SSL_new(server_ctx_.get()));
6100 if (!client_ || !server_) {
6101 return false;
6102 }
6103
6104 SSL_set_connect_state(client_.get());
6105 SSL_set_accept_state(server_.get());
6106
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6107 transport_.reset(new MockQUICTransportPair);
6108 ex_data_.Set(client_.get(), transport_->client());
6109 ex_data_.Set(server_.get(), transport_->server());
David Benjamin5298ef92020-03-13 12:17:30 -0400[diff] [blame]6110 if (allow_out_of_order_writes_) {
6111 transport_->client()->AllowOutOfOrderWrites();
6112 transport_->server()->AllowOutOfOrderWrites();
6113 }
Nick Harper7c522992020-04-30 14:15:49 -0700[diff] [blame]6114 static const uint8_t client_transport_params[] = {0};
6115 if (!SSL_set_quic_transport_params(client_.get(), client_transport_params,
6116 sizeof(client_transport_params)) ||
6117 !SSL_set_quic_transport_params(server_.get(),
6118 server_transport_params_.data(),
6119 server_transport_params_.size()) ||
6120 !SSL_set_quic_early_data_context(
6121 server_.get(), server_quic_early_data_context_.data(),
6122 server_quic_early_data_context_.size())) {
Nick Harper72cff812020-03-26 18:06:16 -0700[diff] [blame]6123 return false;
6124 }
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6125 return true;
6126 }
6127
Nick Harper72cff812020-03-26 18:06:16 -0700[diff] [blame]6128 enum class ExpectedError {
6129 kNoError,
6130 kClientError,
6131 kServerError,
6132 };
6133
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6134 // CompleteHandshakesForQUIC runs |SSL_do_handshake| on |client_| and
6135 // |server_| until each completes once. It returns true on success and false
6136 // on failure.
6137 bool CompleteHandshakesForQUIC() {
Nick Harper72cff812020-03-26 18:06:16 -0700[diff] [blame]6138 return RunQUICHandshakesAndExpectError(ExpectedError::kNoError);
6139 }
6140
6141 // Runs |SSL_do_handshake| on |client_| and |server_| until each completes
6142 // once. If |expect_client_error| is true, it will return true only if the
6143 // client handshake failed. Otherwise, it returns true if both handshakes
6144 // succeed and false otherwise.
6145 bool RunQUICHandshakesAndExpectError(ExpectedError expected_error) {
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6146 bool client_done = false, server_done = false;
6147 while (!client_done || !server_done) {
6148 if (!client_done) {
6149 if (!ProvideHandshakeData(client_.get())) {
6150 ADD_FAILURE() << "ProvideHandshakeData(client_) failed";
6151 return false;
6152 }
6153 int client_ret = SSL_do_handshake(client_.get());
David Benjamin2fb729d2020-02-20 17:37:33 -0500[diff] [blame]6154 int client_err = SSL_get_error(client_.get(), client_ret);
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6155 if (client_ret == 1) {
6156 client_done = true;
David Benjamin2fb729d2020-02-20 17:37:33 -0500[diff] [blame]6157 } else if (client_ret != -1 || client_err != SSL_ERROR_WANT_READ) {
Nick Harper72cff812020-03-26 18:06:16 -0700[diff] [blame]6158 if (expected_error == ExpectedError::kClientError) {
6159 return true;
6160 }
David Benjamin2fb729d2020-02-20 17:37:33 -0500[diff] [blame]6161 ADD_FAILURE() << "Unexpected client output: " << client_ret << " "
6162 << client_err;
6163 return false;
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6164 }
6165 }
6166
6167 if (!server_done) {
6168 if (!ProvideHandshakeData(server_.get())) {
6169 ADD_FAILURE() << "ProvideHandshakeData(server_) failed";
6170 return false;
6171 }
6172 int server_ret = SSL_do_handshake(server_.get());
David Benjamin2fb729d2020-02-20 17:37:33 -0500[diff] [blame]6173 int server_err = SSL_get_error(server_.get(), server_ret);
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6174 if (server_ret == 1) {
6175 server_done = true;
David Benjamin2fb729d2020-02-20 17:37:33 -0500[diff] [blame]6176 } else if (server_ret != -1 || server_err != SSL_ERROR_WANT_READ) {
Nick Harper72cff812020-03-26 18:06:16 -0700[diff] [blame]6177 if (expected_error == ExpectedError::kServerError) {
6178 return true;
6179 }
David Benjamin2fb729d2020-02-20 17:37:33 -0500[diff] [blame]6180 ADD_FAILURE() << "Unexpected server output: " << server_ret << " "
6181 << server_err;
6182 return false;
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6183 }
6184 }
6185 }
Nick Harper72cff812020-03-26 18:06:16 -0700[diff] [blame]6186 return expected_error == ExpectedError::kNoError;
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6187 }
6188
6189 bssl::UniquePtr<SSL_SESSION> CreateClientSessionForQUIC() {
6190 g_last_session = nullptr;
6191 SSL_CTX_sess_set_new_cb(client_ctx_.get(), SaveLastSession);
6192 if (!CreateClientAndServer() ||
6193 !CompleteHandshakesForQUIC()) {
6194 return nullptr;
Steven Valdeze6eef1c2018-11-09 13:32:34 -0500[diff] [blame]6195 }
6196
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6197 // The server sent NewSessionTicket messages in the handshake.
6198 if (!ProvideHandshakeData(client_.get()) ||
6199 !SSL_process_quic_post_handshake(client_.get())) {
6200 return nullptr;
6201 }
Steven Valdeze6eef1c2018-11-09 13:32:34 -0500[diff] [blame]6202
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6203 return std::move(g_last_session);
6204 }
6205
6206 void ExpectHandshakeSuccess() {
6207 EXPECT_TRUE(transport_->SecretsMatch(ssl_encryption_application));
6208 EXPECT_EQ(ssl_encryption_application, SSL_quic_read_level(client_.get()));
6209 EXPECT_EQ(ssl_encryption_application, SSL_quic_write_level(client_.get()));
6210 EXPECT_EQ(ssl_encryption_application, SSL_quic_read_level(server_.get()));
6211 EXPECT_EQ(ssl_encryption_application, SSL_quic_write_level(server_.get()));
6212 EXPECT_FALSE(transport_->client()->has_alert());
6213 EXPECT_FALSE(transport_->server()->has_alert());
6214
6215 // SSL_do_handshake is now idempotent.
6216 EXPECT_EQ(SSL_do_handshake(client_.get()), 1);
6217 EXPECT_EQ(SSL_do_handshake(server_.get()), 1);
Steven Valdeze6eef1c2018-11-09 13:32:34 -0500[diff] [blame]6218 }
6219
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]6220 // Returns a default SSL_QUIC_METHOD. Individual methods may be overwritten by
6221 // the test.
6222 SSL_QUIC_METHOD DefaultQUICMethod() {
6223 return SSL_QUIC_METHOD{
6224 SetReadSecretCallback, SetWriteSecretCallback, AddHandshakeDataCallback,
6225 FlushFlightCallback, SendAlertCallback,
6226 };
6227 }
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6228
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]6229 static int SetReadSecretCallback(SSL *ssl, ssl_encryption_level_t level,
6230 const SSL_CIPHER *cipher,
6231 const uint8_t *secret, size_t secret_len) {
6232 return TransportFromSSL(ssl)->SetReadSecret(
6233 level, cipher, MakeConstSpan(secret, secret_len));
6234 }
6235
6236 static int SetWriteSecretCallback(SSL *ssl, ssl_encryption_level_t level,
6237 const SSL_CIPHER *cipher,
6238 const uint8_t *secret, size_t secret_len) {
6239 return TransportFromSSL(ssl)->SetWriteSecret(
6240 level, cipher, MakeConstSpan(secret, secret_len));
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6241 }
6242
David Benjamincc9d9352018-10-30 19:45:22 -0500[diff] [blame]6243 static int AddHandshakeDataCallback(SSL *ssl,
6244 enum ssl_encryption_level_t level,
6245 const uint8_t *data, size_t len) {
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6246 EXPECT_EQ(level, SSL_quic_write_level(ssl));
6247 return TransportFromSSL(ssl)->WriteHandshakeData(level,
6248 MakeConstSpan(data, len));
6249 }
6250
6251 static int FlushFlightCallback(SSL *ssl) { return 1; }
6252
6253 static int SendAlertCallback(SSL *ssl, ssl_encryption_level_t level,
6254 uint8_t alert) {
6255 EXPECT_EQ(level, SSL_quic_write_level(ssl));
6256 return TransportFromSSL(ssl)->SendAlert(level, alert);
6257 }
6258
6259 bssl::UniquePtr<SSL_CTX> client_ctx_;
6260 bssl::UniquePtr<SSL_CTX> server_ctx_;
6261
6262 static UnownedSSLExData<MockQUICTransport> ex_data_;
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6263 std::unique_ptr<MockQUICTransportPair> transport_;
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6264
6265 bssl::UniquePtr<SSL> client_;
6266 bssl::UniquePtr<SSL> server_;
David Benjamin5298ef92020-03-13 12:17:30 -0400[diff] [blame]6267
Nick Harper7c522992020-04-30 14:15:49 -0700[diff] [blame]6268 std::vector<uint8_t> server_transport_params_ = {1};
6269 std::vector<uint8_t> server_quic_early_data_context_ = {2};
6270
David Benjamin5298ef92020-03-13 12:17:30 -0400[diff] [blame]6271 bool allow_out_of_order_writes_ = false;
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6272};
6273
6274UnownedSSLExData<MockQUICTransport> QUICMethodTest::ex_data_;
6275
David Benjaminfd863b62019-07-25 13:51:32 -0400[diff] [blame]6276// Test a full handshake and resumption work.
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6277TEST_F(QUICMethodTest, Basic) {
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]6278 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6279
Steven Valdeze6eef1c2018-11-09 13:32:34 -0500[diff] [blame]6280 g_last_session = nullptr;
6281
6282 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6283 SSL_CTX_sess_set_new_cb(client_ctx_.get(), SaveLastSession);
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6284 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6285 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6286
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6287 ASSERT_TRUE(CreateClientAndServer());
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6288 ASSERT_TRUE(CompleteHandshakesForQUIC());
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6289
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6290 ExpectHandshakeSuccess();
6291 EXPECT_FALSE(SSL_session_reused(client_.get()));
6292 EXPECT_FALSE(SSL_session_reused(server_.get()));
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6293
6294 // The server sent NewSessionTicket messages in the handshake.
Steven Valdeze6eef1c2018-11-09 13:32:34 -0500[diff] [blame]6295 EXPECT_FALSE(g_last_session);
6296 ASSERT_TRUE(ProvideHandshakeData(client_.get()));
6297 EXPECT_EQ(SSL_process_quic_post_handshake(client_.get()), 1);
6298 EXPECT_TRUE(g_last_session);
6299
6300 // Create a second connection to verify resumption works.
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6301 ASSERT_TRUE(CreateClientAndServer());
Steven Valdeze6eef1c2018-11-09 13:32:34 -0500[diff] [blame]6302 bssl::UniquePtr<SSL_SESSION> session = std::move(g_last_session);
6303 SSL_set_session(client_.get(), session.get());
6304
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6305 ASSERT_TRUE(CompleteHandshakesForQUIC());
Steven Valdeze6eef1c2018-11-09 13:32:34 -0500[diff] [blame]6306
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6307 ExpectHandshakeSuccess();
Steven Valdeze6eef1c2018-11-09 13:32:34 -0500[diff] [blame]6308 EXPECT_TRUE(SSL_session_reused(client_.get()));
6309 EXPECT_TRUE(SSL_session_reused(server_.get()));
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6310}
6311
David Benjaminfd863b62019-07-25 13:51:32 -0400[diff] [blame]6312// Test that HelloRetryRequest in QUIC works.
6313TEST_F(QUICMethodTest, HelloRetryRequest) {
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]6314 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
David Benjaminfd863b62019-07-25 13:51:32 -0400[diff] [blame]6315
6316 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6317 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6318
6319 // BoringSSL predicts the most preferred curve, so using different preferences
6320 // will trigger HelloRetryRequest.
6321 static const int kClientPrefs[] = {NID_X25519, NID_X9_62_prime256v1};
6322 ASSERT_TRUE(SSL_CTX_set1_curves(client_ctx_.get(), kClientPrefs,
6323 OPENSSL_ARRAY_SIZE(kClientPrefs)));
6324 static const int kServerPrefs[] = {NID_X9_62_prime256v1, NID_X25519};
6325 ASSERT_TRUE(SSL_CTX_set1_curves(server_ctx_.get(), kServerPrefs,
6326 OPENSSL_ARRAY_SIZE(kServerPrefs)));
6327
6328 ASSERT_TRUE(CreateClientAndServer());
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6329 ASSERT_TRUE(CompleteHandshakesForQUIC());
6330 ExpectHandshakeSuccess();
6331}
David Benjaminfd863b62019-07-25 13:51:32 -0400[diff] [blame]6332
Nick Harpere32549e2020-05-06 14:27:11 -0700[diff] [blame]6333// Test that the client does not send a legacy_session_id in the ClientHello.
6334TEST_F(QUICMethodTest, NoLegacySessionId) {
6335 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6336
6337 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6338 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6339 // Check that the session ID length is 0 in an early callback.
6340 SSL_CTX_set_select_certificate_cb(
6341 server_ctx_.get(),
6342 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
6343 EXPECT_EQ(client_hello->session_id_len, 0u);
6344 return ssl_select_cert_success;
6345 });
6346
6347 ASSERT_TRUE(CreateClientAndServer());
6348 ASSERT_TRUE(CompleteHandshakesForQUIC());
6349
6350 ExpectHandshakeSuccess();
6351}
6352
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]6353// Test that, even in a 1-RTT handshake, the server installs keys at the right
6354// time. Half-RTT keys are available early, but 1-RTT read keys are deferred.
6355TEST_F(QUICMethodTest, HalfRTTKeys) {
6356 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6357
6358 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6359 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6360 ASSERT_TRUE(CreateClientAndServer());
6361
6362 // The client sends ClientHello.
6363 ASSERT_EQ(SSL_do_handshake(client_.get()), -1);
6364 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(client_.get(), -1));
6365
6366 // The server reads ClientHello and sends ServerHello..Finished.
6367 ASSERT_TRUE(ProvideHandshakeData(server_.get()));
6368 ASSERT_EQ(SSL_do_handshake(server_.get()), -1);
6369 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(server_.get(), -1));
6370
6371 // At this point, the server has half-RTT write keys, but it cannot access
6372 // 1-RTT read keys until client Finished.
6373 EXPECT_TRUE(transport_->server()->HasWriteSecret(ssl_encryption_application));
6374 EXPECT_FALSE(transport_->server()->HasReadSecret(ssl_encryption_application));
6375
6376 // Finish up the client and server handshakes.
6377 ASSERT_TRUE(CompleteHandshakesForQUIC());
6378
6379 // Both sides can now exchange 1-RTT data.
6380 ExpectHandshakeSuccess();
6381}
6382
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6383TEST_F(QUICMethodTest, ZeroRTTAccept) {
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]6384 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6385
6386 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6387 SSL_CTX_set_early_data_enabled(client_ctx_.get(), 1);
6388 SSL_CTX_set_early_data_enabled(server_ctx_.get(), 1);
6389 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6390 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6391
6392 bssl::UniquePtr<SSL_SESSION> session = CreateClientSessionForQUIC();
6393 ASSERT_TRUE(session);
6394
6395 ASSERT_TRUE(CreateClientAndServer());
6396 SSL_set_session(client_.get(), session.get());
6397
6398 // The client handshake should return immediately into the early data state.
6399 ASSERT_EQ(SSL_do_handshake(client_.get()), 1);
6400 EXPECT_TRUE(SSL_in_early_data(client_.get()));
6401 // The transport should have keys for sending 0-RTT data.
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]6402 EXPECT_TRUE(transport_->client()->HasWriteSecret(ssl_encryption_early_data));
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6403
6404 // The server will consume the ClientHello and also enter the early data
6405 // state.
6406 ASSERT_TRUE(ProvideHandshakeData(server_.get()));
6407 ASSERT_EQ(SSL_do_handshake(server_.get()), 1);
6408 EXPECT_TRUE(SSL_in_early_data(server_.get()));
6409 EXPECT_TRUE(transport_->SecretsMatch(ssl_encryption_early_data));
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]6410 // At this point, the server has half-RTT write keys, but it cannot access
6411 // 1-RTT read keys until client Finished.
6412 EXPECT_TRUE(transport_->server()->HasWriteSecret(ssl_encryption_application));
6413 EXPECT_FALSE(transport_->server()->HasReadSecret(ssl_encryption_application));
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6414
6415 // Finish up the client and server handshakes.
6416 ASSERT_TRUE(CompleteHandshakesForQUIC());
6417
6418 // Both sides can now exchange 1-RTT data.
6419 ExpectHandshakeSuccess();
6420 EXPECT_TRUE(SSL_session_reused(client_.get()));
6421 EXPECT_TRUE(SSL_session_reused(server_.get()));
6422 EXPECT_FALSE(SSL_in_early_data(client_.get()));
6423 EXPECT_FALSE(SSL_in_early_data(server_.get()));
6424 EXPECT_TRUE(SSL_early_data_accepted(client_.get()));
6425 EXPECT_TRUE(SSL_early_data_accepted(server_.get()));
Nick Harper5e086952020-09-30 13:59:14 -0700[diff] [blame]6426
6427 // Finish handling post-handshake messages after the first 0-RTT resumption.
6428 EXPECT_TRUE(ProvideHandshakeData(client_.get()));
6429 EXPECT_TRUE(SSL_process_quic_post_handshake(client_.get()));
6430
6431 // Perform a second 0-RTT resumption attempt, and confirm that 0-RTT is
6432 // accepted again.
6433 ASSERT_TRUE(CreateClientAndServer());
6434 SSL_set_session(client_.get(), g_last_session.get());
6435
6436 // The client handshake should return immediately into the early data state.
6437 ASSERT_EQ(SSL_do_handshake(client_.get()), 1);
6438 EXPECT_TRUE(SSL_in_early_data(client_.get()));
6439 // The transport should have keys for sending 0-RTT data.
6440 EXPECT_TRUE(transport_->client()->HasWriteSecret(ssl_encryption_early_data));
6441
6442 // The server will consume the ClientHello and also enter the early data
6443 // state.
6444 ASSERT_TRUE(ProvideHandshakeData(server_.get()));
6445 ASSERT_EQ(SSL_do_handshake(server_.get()), 1);
6446 EXPECT_TRUE(SSL_in_early_data(server_.get()));
6447 EXPECT_TRUE(transport_->SecretsMatch(ssl_encryption_early_data));
6448 // At this point, the server has half-RTT write keys, but it cannot access
6449 // 1-RTT read keys until client Finished.
6450 EXPECT_TRUE(transport_->server()->HasWriteSecret(ssl_encryption_application));
6451 EXPECT_FALSE(transport_->server()->HasReadSecret(ssl_encryption_application));
6452
6453 // Finish up the client and server handshakes.
6454 ASSERT_TRUE(CompleteHandshakesForQUIC());
6455
6456 // Both sides can now exchange 1-RTT data.
6457 ExpectHandshakeSuccess();
6458 EXPECT_TRUE(SSL_session_reused(client_.get()));
6459 EXPECT_TRUE(SSL_session_reused(server_.get()));
6460 EXPECT_FALSE(SSL_in_early_data(client_.get()));
6461 EXPECT_FALSE(SSL_in_early_data(server_.get()));
6462 EXPECT_TRUE(SSL_early_data_accepted(client_.get()));
6463 EXPECT_TRUE(SSL_early_data_accepted(server_.get()));
6464 EXPECT_EQ(SSL_get_early_data_reason(client_.get()), ssl_early_data_accepted);
6465 EXPECT_EQ(SSL_get_early_data_reason(server_.get()), ssl_early_data_accepted);
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6466}
6467
Nick Harper7c522992020-04-30 14:15:49 -0700[diff] [blame]6468TEST_F(QUICMethodTest, ZeroRTTRejectMismatchedParameters) {
6469 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6470
6471 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6472 SSL_CTX_set_early_data_enabled(client_ctx_.get(), 1);
6473 SSL_CTX_set_early_data_enabled(server_ctx_.get(), 1);
6474 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6475 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6476
6477
6478 bssl::UniquePtr<SSL_SESSION> session = CreateClientSessionForQUIC();
6479 ASSERT_TRUE(session);
6480
Nick Harper85194322020-05-20 16:59:29 -0700[diff] [blame]6481 ASSERT_TRUE(CreateClientAndServer());
6482 static const uint8_t new_context[] = {4};
6483 ASSERT_TRUE(SSL_set_quic_early_data_context(server_.get(), new_context,
6484 sizeof(new_context)));
6485 SSL_set_session(client_.get(), session.get());
Nick Harper7c522992020-04-30 14:15:49 -0700[diff] [blame]6486
Nick Harper85194322020-05-20 16:59:29 -0700[diff] [blame]6487 // The client handshake should return immediately into the early data
6488 // state.
6489 ASSERT_EQ(SSL_do_handshake(client_.get()), 1);
6490 EXPECT_TRUE(SSL_in_early_data(client_.get()));
6491 // The transport should have keys for sending 0-RTT data.
6492 EXPECT_TRUE(transport_->client()->HasWriteSecret(ssl_encryption_early_data));
Nick Harper7c522992020-04-30 14:15:49 -0700[diff] [blame]6493
Nick Harper85194322020-05-20 16:59:29 -0700[diff] [blame]6494 // The server will consume the ClientHello, but it will not accept 0-RTT.
6495 ASSERT_TRUE(ProvideHandshakeData(server_.get()));
6496 ASSERT_EQ(SSL_do_handshake(server_.get()), -1);
6497 EXPECT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(server_.get(), -1));
6498 EXPECT_FALSE(SSL_in_early_data(server_.get()));
6499 EXPECT_FALSE(transport_->server()->HasReadSecret(ssl_encryption_early_data));
Nick Harper7c522992020-04-30 14:15:49 -0700[diff] [blame]6500
Nick Harper85194322020-05-20 16:59:29 -0700[diff] [blame]6501 // The client consumes the server response and signals 0-RTT rejection.
6502 for (;;) {
6503 ASSERT_TRUE(ProvideHandshakeData(client_.get()));
6504 ASSERT_EQ(-1, SSL_do_handshake(client_.get()));
6505 int err = SSL_get_error(client_.get(), -1);
6506 if (err == SSL_ERROR_EARLY_DATA_REJECTED) {
6507 break;
Nick Harper7c522992020-04-30 14:15:49 -0700[diff] [blame]6508 }
Nick Harper85194322020-05-20 16:59:29 -0700[diff] [blame]6509 ASSERT_EQ(SSL_ERROR_WANT_READ, err);
Nick Harper7c522992020-04-30 14:15:49 -0700[diff] [blame]6510 }
Nick Harper85194322020-05-20 16:59:29 -0700[diff] [blame]6511
6512 // As in TLS over TCP, 0-RTT rejection is sticky.
6513 ASSERT_EQ(-1, SSL_do_handshake(client_.get()));
6514 ASSERT_EQ(SSL_ERROR_EARLY_DATA_REJECTED, SSL_get_error(client_.get(), -1));
6515
6516 // Finish up the client and server handshakes.
6517 SSL_reset_early_data_reject(client_.get());
6518 ASSERT_TRUE(CompleteHandshakesForQUIC());
6519
6520 // Both sides can now exchange 1-RTT data.
6521 ExpectHandshakeSuccess();
6522 EXPECT_TRUE(SSL_session_reused(client_.get()));
6523 EXPECT_TRUE(SSL_session_reused(server_.get()));
6524 EXPECT_FALSE(SSL_in_early_data(client_.get()));
6525 EXPECT_FALSE(SSL_in_early_data(server_.get()));
6526 EXPECT_FALSE(SSL_early_data_accepted(client_.get()));
6527 EXPECT_FALSE(SSL_early_data_accepted(server_.get()));
6528}
6529
6530TEST_F(QUICMethodTest, NoZeroRTTTicketWithoutEarlyDataContext) {
6531 server_quic_early_data_context_ = {};
6532 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6533
6534 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6535 SSL_CTX_set_early_data_enabled(client_ctx_.get(), 1);
6536 SSL_CTX_set_early_data_enabled(server_ctx_.get(), 1);
6537 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6538 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6539
6540 bssl::UniquePtr<SSL_SESSION> session = CreateClientSessionForQUIC();
6541 ASSERT_TRUE(session);
6542 EXPECT_FALSE(SSL_SESSION_early_data_capable(session.get()));
Nick Harper7c522992020-04-30 14:15:49 -0700[diff] [blame]6543}
6544
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6545TEST_F(QUICMethodTest, ZeroRTTReject) {
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]6546 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6547
6548 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6549 SSL_CTX_set_early_data_enabled(client_ctx_.get(), 1);
6550 SSL_CTX_set_early_data_enabled(server_ctx_.get(), 1);
6551 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6552 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6553
6554 bssl::UniquePtr<SSL_SESSION> session = CreateClientSessionForQUIC();
6555 ASSERT_TRUE(session);
6556
6557 for (bool reject_hrr : {false, true}) {
6558 SCOPED_TRACE(reject_hrr);
6559
6560 ASSERT_TRUE(CreateClientAndServer());
6561 if (reject_hrr) {
6562 // Configure the server to prefer P-256, which will reject 0-RTT via
6563 // HelloRetryRequest.
6564 int p256 = NID_X9_62_prime256v1;
6565 ASSERT_TRUE(SSL_set1_curves(server_.get(), &p256, 1));
6566 } else {
6567 // Disable 0-RTT on the server, so it will reject it.
6568 SSL_set_early_data_enabled(server_.get(), 0);
David Benjaminfd863b62019-07-25 13:51:32 -0400[diff] [blame]6569 }
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6570 SSL_set_session(client_.get(), session.get());
David Benjaminfd863b62019-07-25 13:51:32 -0400[diff] [blame]6571
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6572 // The client handshake should return immediately into the early data state.
6573 ASSERT_EQ(SSL_do_handshake(client_.get()), 1);
6574 EXPECT_TRUE(SSL_in_early_data(client_.get()));
6575 // The transport should have keys for sending 0-RTT data.
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]6576 EXPECT_TRUE(
6577 transport_->client()->HasWriteSecret(ssl_encryption_early_data));
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6578
6579 // The server will consume the ClientHello, but it will not accept 0-RTT.
David Benjaminfd863b62019-07-25 13:51:32 -0400[diff] [blame]6580 ASSERT_TRUE(ProvideHandshakeData(server_.get()));
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6581 ASSERT_EQ(SSL_do_handshake(server_.get()), -1);
6582 EXPECT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(server_.get(), -1));
6583 EXPECT_FALSE(SSL_in_early_data(server_.get()));
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]6584 EXPECT_FALSE(
6585 transport_->server()->HasReadSecret(ssl_encryption_early_data));
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6586
6587 // The client consumes the server response and signals 0-RTT rejection.
6588 for (;;) {
6589 ASSERT_TRUE(ProvideHandshakeData(client_.get()));
6590 ASSERT_EQ(-1, SSL_do_handshake(client_.get()));
6591 int err = SSL_get_error(client_.get(), -1);
6592 if (err == SSL_ERROR_EARLY_DATA_REJECTED) {
6593 break;
6594 }
6595 ASSERT_EQ(SSL_ERROR_WANT_READ, err);
David Benjaminfd863b62019-07-25 13:51:32 -0400[diff] [blame]6596 }
6597
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6598 // As in TLS over TCP, 0-RTT rejection is sticky.
6599 ASSERT_EQ(-1, SSL_do_handshake(client_.get()));
6600 ASSERT_EQ(SSL_ERROR_EARLY_DATA_REJECTED, SSL_get_error(client_.get(), -1));
6601
6602 // Finish up the client and server handshakes.
6603 SSL_reset_early_data_reject(client_.get());
6604 ASSERT_TRUE(CompleteHandshakesForQUIC());
6605
6606 // Both sides can now exchange 1-RTT data.
6607 ExpectHandshakeSuccess();
6608 EXPECT_TRUE(SSL_session_reused(client_.get()));
6609 EXPECT_TRUE(SSL_session_reused(server_.get()));
6610 EXPECT_FALSE(SSL_in_early_data(client_.get()));
6611 EXPECT_FALSE(SSL_in_early_data(server_.get()));
6612 EXPECT_FALSE(SSL_early_data_accepted(client_.get()));
6613 EXPECT_FALSE(SSL_early_data_accepted(server_.get()));
David Benjaminfd863b62019-07-25 13:51:32 -0400[diff] [blame]6614 }
David Benjaminfd863b62019-07-25 13:51:32 -0400[diff] [blame]6615}
6616
David Benjaminee0716f2019-11-19 14:16:28 +0800[diff] [blame]6617TEST_F(QUICMethodTest, NoZeroRTTKeysBeforeReverify) {
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]6618 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
David Benjaminee0716f2019-11-19 14:16:28 +0800[diff] [blame]6619
6620 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6621 SSL_CTX_set_early_data_enabled(client_ctx_.get(), 1);
6622 SSL_CTX_set_reverify_on_resume(client_ctx_.get(), 1);
6623 SSL_CTX_set_early_data_enabled(server_ctx_.get(), 1);
6624 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6625 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6626
6627 bssl::UniquePtr<SSL_SESSION> session = CreateClientSessionForQUIC();
6628 ASSERT_TRUE(session);
6629
6630 ASSERT_TRUE(CreateClientAndServer());
6631 SSL_set_session(client_.get(), session.get());
6632
6633 // Configure the certificate (re)verification to never complete. The client
6634 // handshake should pause.
6635 SSL_set_custom_verify(
6636 client_.get(), SSL_VERIFY_PEER,
6637 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
6638 return ssl_verify_retry;
6639 });
6640 ASSERT_EQ(SSL_do_handshake(client_.get()), -1);
6641 ASSERT_EQ(SSL_get_error(client_.get(), -1),
6642 SSL_ERROR_WANT_CERTIFICATE_VERIFY);
6643
6644 // The early data keys have not yet been released.
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]6645 EXPECT_FALSE(transport_->client()->HasWriteSecret(ssl_encryption_early_data));
David Benjaminee0716f2019-11-19 14:16:28 +0800[diff] [blame]6646
6647 // After the verification completes, the handshake progresses to the 0-RTT
6648 // point and releases keys.
6649 SSL_set_custom_verify(
6650 client_.get(), SSL_VERIFY_PEER,
6651 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
6652 return ssl_verify_ok;
6653 });
6654 ASSERT_EQ(SSL_do_handshake(client_.get()), 1);
6655 EXPECT_TRUE(SSL_in_early_data(client_.get()));
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]6656 EXPECT_TRUE(transport_->client()->HasWriteSecret(ssl_encryption_early_data));
David Benjaminee0716f2019-11-19 14:16:28 +0800[diff] [blame]6657}
6658
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6659// Test only releasing data to QUIC one byte at a time on request, to maximize
6660// state machine pauses. Additionally, test that existing asynchronous callbacks
6661// still work.
6662TEST_F(QUICMethodTest, Async) {
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]6663 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6664
6665 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6666 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6667 ASSERT_TRUE(CreateClientAndServer());
6668
6669 // Install an asynchronous certificate callback.
6670 bool cert_cb_ok = false;
6671 SSL_set_cert_cb(server_.get(),
6672 [](SSL *, void *arg) -> int {
6673 return *static_cast<bool *>(arg) ? 1 : -1;
6674 },
6675 &cert_cb_ok);
6676
6677 for (;;) {
6678 int client_ret = SSL_do_handshake(client_.get());
6679 if (client_ret != 1) {
6680 ASSERT_EQ(client_ret, -1);
6681 ASSERT_EQ(SSL_get_error(client_.get(), client_ret), SSL_ERROR_WANT_READ);
6682 ASSERT_TRUE(ProvideHandshakeData(client_.get(), 1));
6683 }
6684
6685 int server_ret = SSL_do_handshake(server_.get());
6686 if (server_ret != 1) {
6687 ASSERT_EQ(server_ret, -1);
6688 int ssl_err = SSL_get_error(server_.get(), server_ret);
6689 switch (ssl_err) {
6690 case SSL_ERROR_WANT_READ:
6691 ASSERT_TRUE(ProvideHandshakeData(server_.get(), 1));
6692 break;
6693 case SSL_ERROR_WANT_X509_LOOKUP:
6694 ASSERT_FALSE(cert_cb_ok);
6695 cert_cb_ok = true;
6696 break;
6697 default:
6698 FAIL() << "Unexpected SSL_get_error result: " << ssl_err;
6699 }
6700 }
6701
6702 if (client_ret == 1 && server_ret == 1) {
6703 break;
6704 }
6705 }
6706
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6707 ExpectHandshakeSuccess();
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6708}
6709
6710// Test buffering write data until explicit flushes.
6711TEST_F(QUICMethodTest, Buffered) {
David Benjamin5298ef92020-03-13 12:17:30 -0400[diff] [blame]6712 AllowOutOfOrderWrites();
6713
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6714 struct BufferedFlight {
6715 std::vector<uint8_t> data[kNumQUICLevels];
6716 };
6717 static UnownedSSLExData<BufferedFlight> buffered_flights;
6718
David Benjamincc9d9352018-10-30 19:45:22 -0500[diff] [blame]6719 auto add_handshake_data = [](SSL *ssl, enum ssl_encryption_level_t level,
6720 const uint8_t *data, size_t len) -> int {
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6721 BufferedFlight *flight = buffered_flights.Get(ssl);
6722 flight->data[level].insert(flight->data[level].end(), data, data + len);
6723 return 1;
6724 };
6725
6726 auto flush_flight = [](SSL *ssl) -> int {
6727 BufferedFlight *flight = buffered_flights.Get(ssl);
6728 for (size_t level = 0; level < kNumQUICLevels; level++) {
6729 if (!flight->data[level].empty()) {
6730 if (!TransportFromSSL(ssl)->WriteHandshakeData(
6731 static_cast<ssl_encryption_level_t>(level),
6732 flight->data[level])) {
6733 return 0;
6734 }
6735 flight->data[level].clear();
6736 }
6737 }
6738 return 1;
6739 };
6740
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]6741 SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6742 quic_method.add_handshake_data = add_handshake_data;
6743 quic_method.flush_flight = flush_flight;
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6744
6745 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6746 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6747 ASSERT_TRUE(CreateClientAndServer());
6748
6749 BufferedFlight client_flight, server_flight;
6750 buffered_flights.Set(client_.get(), &client_flight);
6751 buffered_flights.Set(server_.get(), &server_flight);
6752
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6753 ASSERT_TRUE(CompleteHandshakesForQUIC());
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6754
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6755 ExpectHandshakeSuccess();
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6756}
6757
6758// Test that excess data at one level is rejected. That is, if a single
6759// |SSL_provide_quic_data| call included both ServerHello and
6760// EncryptedExtensions in a single chunk, BoringSSL notices and rejects this on
6761// key change.
6762TEST_F(QUICMethodTest, ExcessProvidedData) {
David Benjamin5298ef92020-03-13 12:17:30 -0400[diff] [blame]6763 AllowOutOfOrderWrites();
6764
David Benjamincc9d9352018-10-30 19:45:22 -0500[diff] [blame]6765 auto add_handshake_data = [](SSL *ssl, enum ssl_encryption_level_t level,
6766 const uint8_t *data, size_t len) -> int {
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6767 // Switch everything to the initial level.
6768 return TransportFromSSL(ssl)->WriteHandshakeData(ssl_encryption_initial,
6769 MakeConstSpan(data, len));
6770 };
6771
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]6772 SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6773 quic_method.add_handshake_data = add_handshake_data;
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6774
6775 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6776 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6777 ASSERT_TRUE(CreateClientAndServer());
6778
6779 // Send the ClientHello and ServerHello through Finished.
6780 ASSERT_EQ(SSL_do_handshake(client_.get()), -1);
6781 ASSERT_EQ(SSL_get_error(client_.get(), -1), SSL_ERROR_WANT_READ);
6782 ASSERT_TRUE(ProvideHandshakeData(server_.get()));
6783 ASSERT_EQ(SSL_do_handshake(server_.get()), -1);
6784 ASSERT_EQ(SSL_get_error(server_.get(), -1), SSL_ERROR_WANT_READ);
6785
6786 // The client is still waiting for the ServerHello at initial
6787 // encryption.
6788 ASSERT_EQ(ssl_encryption_initial, SSL_quic_read_level(client_.get()));
6789
David Benjamincc9d9352018-10-30 19:45:22 -0500[diff] [blame]6790 // |add_handshake_data| incorrectly wrote everything at the initial level, so
6791 // this queues up ServerHello through Finished in one chunk.
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6792 ASSERT_TRUE(ProvideHandshakeData(client_.get()));
6793
6794 // The client reads ServerHello successfully, but then rejects the buffered
6795 // EncryptedExtensions on key change.
6796 ASSERT_EQ(SSL_do_handshake(client_.get()), -1);
6797 ASSERT_EQ(SSL_get_error(client_.get(), -1), SSL_ERROR_SSL);
6798 uint32_t err = ERR_get_error();
6799 EXPECT_EQ(ERR_GET_LIB(err), ERR_LIB_SSL);
David Benjaminf9cc26f2020-02-09 16:49:31 -0500[diff] [blame]6800 EXPECT_EQ(ERR_GET_REASON(err), SSL_R_EXCESS_HANDSHAKE_DATA);
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6801
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]6802 // The client sends an alert in response to this. The alert is sent at
6803 // handshake level because we install write secrets before read secrets and
6804 // the error is discovered when installing the read secret. (How to send
6805 // alerts on protocol syntax errors near key changes is ambiguous in general.)
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6806 ASSERT_TRUE(transport_->client()->has_alert());
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]6807 EXPECT_EQ(transport_->client()->alert_level(), ssl_encryption_handshake);
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6808 EXPECT_EQ(transport_->client()->alert(), SSL_AD_UNEXPECTED_MESSAGE);
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6809
David Benjamin5298ef92020-03-13 12:17:30 -0400[diff] [blame]6810 // Sanity-check handshake secrets. The error is discovered while setting the
6811 // read secret, so only the write secret has been installed.
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]6812 EXPECT_TRUE(transport_->client()->HasWriteSecret(ssl_encryption_handshake));
David Benjamin5298ef92020-03-13 12:17:30 -0400[diff] [blame]6813 EXPECT_FALSE(transport_->client()->HasReadSecret(ssl_encryption_handshake));
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6814}
6815
6816// Test that |SSL_provide_quic_data| will reject data at the wrong level.
6817TEST_F(QUICMethodTest, ProvideWrongLevel) {
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]6818 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6819
6820 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6821 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6822 ASSERT_TRUE(CreateClientAndServer());
6823
6824 // Send the ClientHello and ServerHello through Finished.
6825 ASSERT_EQ(SSL_do_handshake(client_.get()), -1);
6826 ASSERT_EQ(SSL_get_error(client_.get(), -1), SSL_ERROR_WANT_READ);
6827 ASSERT_TRUE(ProvideHandshakeData(server_.get()));
6828 ASSERT_EQ(SSL_do_handshake(server_.get()), -1);
6829 ASSERT_EQ(SSL_get_error(server_.get(), -1), SSL_ERROR_WANT_READ);
6830
6831 // The client is still waiting for the ServerHello at initial
6832 // encryption.
6833 ASSERT_EQ(ssl_encryption_initial, SSL_quic_read_level(client_.get()));
6834
6835 // Data cannot be provided at the next level.
6836 std::vector<uint8_t> data;
6837 ASSERT_TRUE(
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6838 transport_->client()->ReadHandshakeData(&data, ssl_encryption_initial));
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6839 ASSERT_FALSE(SSL_provide_quic_data(client_.get(), ssl_encryption_handshake,
6840 data.data(), data.size()));
6841 ERR_clear_error();
6842
6843 // Progress to EncryptedExtensions.
6844 ASSERT_TRUE(SSL_provide_quic_data(client_.get(), ssl_encryption_initial,
6845 data.data(), data.size()));
6846 ASSERT_EQ(SSL_do_handshake(client_.get()), -1);
6847 ASSERT_EQ(SSL_get_error(client_.get(), -1), SSL_ERROR_WANT_READ);
6848 ASSERT_EQ(ssl_encryption_handshake, SSL_quic_read_level(client_.get()));
6849
6850 // Data cannot be provided at the previous level.
6851 ASSERT_TRUE(
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6852 transport_->client()->ReadHandshakeData(&data, ssl_encryption_handshake));
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6853 ASSERT_FALSE(SSL_provide_quic_data(client_.get(), ssl_encryption_initial,
6854 data.data(), data.size()));
6855}
6856
6857TEST_F(QUICMethodTest, TooMuchData) {
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]6858 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
Steven Valdezc8e0f902018-07-14 11:23:01 -0400[diff] [blame]6859
6860 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6861 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6862 ASSERT_TRUE(CreateClientAndServer());
6863
6864 size_t limit =
6865 SSL_quic_max_handshake_flight_len(client_.get(), ssl_encryption_initial);
6866 uint8_t b = 0;
6867 for (size_t i = 0; i < limit; i++) {
6868 ASSERT_TRUE(
6869 SSL_provide_quic_data(client_.get(), ssl_encryption_initial, &b, 1));
6870 }
6871
6872 EXPECT_FALSE(
6873 SSL_provide_quic_data(client_.get(), ssl_encryption_initial, &b, 1));
6874}
6875
Steven Valdeze6eef1c2018-11-09 13:32:34 -0500[diff] [blame]6876// Provide invalid post-handshake data.
6877TEST_F(QUICMethodTest, BadPostHandshake) {
David Benjamin1e859052020-02-09 16:04:58 -0500[diff] [blame]6878 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
Steven Valdeze6eef1c2018-11-09 13:32:34 -0500[diff] [blame]6879
6880 g_last_session = nullptr;
6881
6882 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6883 SSL_CTX_sess_set_new_cb(client_ctx_.get(), SaveLastSession);
6884 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6885 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6886 ASSERT_TRUE(CreateClientAndServer());
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6887 ASSERT_TRUE(CompleteHandshakesForQUIC());
Steven Valdeze6eef1c2018-11-09 13:32:34 -0500[diff] [blame]6888
6889 EXPECT_EQ(SSL_do_handshake(client_.get()), 1);
6890 EXPECT_EQ(SSL_do_handshake(server_.get()), 1);
David Benjamind6343572019-08-15 17:29:02 -0400[diff] [blame]6891 EXPECT_TRUE(transport_->SecretsMatch(ssl_encryption_application));
6892 EXPECT_FALSE(transport_->client()->has_alert());
6893 EXPECT_FALSE(transport_->server()->has_alert());
Steven Valdeze6eef1c2018-11-09 13:32:34 -0500[diff] [blame]6894
6895 // Junk sent as part of post-handshake data should cause an error.
6896 uint8_t kJunk[] = {0x17, 0x0, 0x0, 0x4, 0xB, 0xE, 0xE, 0xF};
6897 ASSERT_TRUE(SSL_provide_quic_data(client_.get(), ssl_encryption_application,
6898 kJunk, sizeof(kJunk)));
6899 EXPECT_EQ(SSL_process_quic_post_handshake(client_.get()), 0);
6900}
6901
Nick Harper80ddfc72020-03-11 18:26:31 -0700[diff] [blame]6902static void ExpectReceivedTransportParamsEqual(const SSL *ssl,
6903 Span<const uint8_t> expected) {
6904 const uint8_t *received;
6905 size_t received_len;
6906 SSL_get_peer_quic_transport_params(ssl, &received, &received_len);
6907 ASSERT_EQ(received_len, expected.size());
6908 EXPECT_EQ(Bytes(received, received_len), Bytes(expected));
6909}
6910
6911TEST_F(QUICMethodTest, SetTransportParameters) {
6912 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6913 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6914 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6915
6916 ASSERT_TRUE(CreateClientAndServer());
6917 uint8_t kClientParams[] = {1, 2, 3, 4};
6918 uint8_t kServerParams[] = {5, 6, 7};
6919 ASSERT_TRUE(SSL_set_quic_transport_params(client_.get(), kClientParams,
6920 sizeof(kClientParams)));
6921 ASSERT_TRUE(SSL_set_quic_transport_params(server_.get(), kServerParams,
6922 sizeof(kServerParams)));
6923
6924 ASSERT_TRUE(CompleteHandshakesForQUIC());
6925 ExpectReceivedTransportParamsEqual(client_.get(), kServerParams);
6926 ExpectReceivedTransportParamsEqual(server_.get(), kClientParams);
6927}
6928
6929TEST_F(QUICMethodTest, SetTransportParamsInCallback) {
6930 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6931 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6932 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6933
6934 ASSERT_TRUE(CreateClientAndServer());
6935 uint8_t kClientParams[] = {1, 2, 3, 4};
6936 static uint8_t kServerParams[] = {5, 6, 7};
6937 ASSERT_TRUE(SSL_set_quic_transport_params(client_.get(), kClientParams,
6938 sizeof(kClientParams)));
6939 SSL_CTX_set_tlsext_servername_callback(
6940 server_ctx_.get(), [](SSL *ssl, int *out_alert, void *arg) -> int {
6941 EXPECT_TRUE(SSL_set_quic_transport_params(ssl, kServerParams,
6942 sizeof(kServerParams)));
6943 return SSL_TLSEXT_ERR_OK;
6944 });
6945
6946 ASSERT_TRUE(CompleteHandshakesForQUIC());
6947 ExpectReceivedTransportParamsEqual(client_.get(), kServerParams);
6948 ExpectReceivedTransportParamsEqual(server_.get(), kClientParams);
6949}
6950
Nick Harper6bfd25c2020-03-30 17:15:19 -0700[diff] [blame]6951TEST_F(QUICMethodTest, ForbidCrossProtocolResumptionClient) {
6952 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6953
6954 g_last_session = nullptr;
6955
6956 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6957 SSL_CTX_sess_set_new_cb(client_ctx_.get(), SaveLastSession);
6958 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6959 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6960
6961 ASSERT_TRUE(CreateClientAndServer());
6962 ASSERT_TRUE(CompleteHandshakesForQUIC());
6963
6964 ExpectHandshakeSuccess();
6965 EXPECT_FALSE(SSL_session_reused(client_.get()));
6966 EXPECT_FALSE(SSL_session_reused(server_.get()));
6967
6968 // The server sent NewSessionTicket messages in the handshake.
6969 EXPECT_FALSE(g_last_session);
6970 ASSERT_TRUE(ProvideHandshakeData(client_.get()));
6971 EXPECT_EQ(SSL_process_quic_post_handshake(client_.get()), 1);
6972 EXPECT_TRUE(g_last_session);
6973
6974 // Pretend that g_last_session came from a TLS-over-TCP connection.
6975 g_last_session.get()->is_quic = false;
6976
6977 // Create a second connection and verify that resumption does not occur with
6978 // a session from a non-QUIC connection. This tests that the client does not
6979 // offer over QUIC a session believed to be received over TCP. The server
6980 // believes this is a QUIC session, so if the client offered the session, the
6981 // server would have resumed it.
6982 ASSERT_TRUE(CreateClientAndServer());
6983 bssl::UniquePtr<SSL_SESSION> session = std::move(g_last_session);
6984 SSL_set_session(client_.get(), session.get());
6985
6986 ASSERT_TRUE(CompleteHandshakesForQUIC());
6987 ExpectHandshakeSuccess();
6988 EXPECT_FALSE(SSL_session_reused(client_.get()));
6989 EXPECT_FALSE(SSL_session_reused(server_.get()));
6990}
6991
6992TEST_F(QUICMethodTest, ForbidCrossProtocolResumptionServer) {
6993 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6994
6995 g_last_session = nullptr;
6996
6997 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6998 SSL_CTX_sess_set_new_cb(client_ctx_.get(), SaveLastSession);
6999 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7000 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7001
7002 ASSERT_TRUE(CreateClientAndServer());
7003 ASSERT_TRUE(CompleteHandshakesForQUIC());
7004
7005 ExpectHandshakeSuccess();
7006 EXPECT_FALSE(SSL_session_reused(client_.get()));
7007 EXPECT_FALSE(SSL_session_reused(server_.get()));
7008
7009 // The server sent NewSessionTicket messages in the handshake.
7010 EXPECT_FALSE(g_last_session);
7011 ASSERT_TRUE(ProvideHandshakeData(client_.get()));
7012 EXPECT_EQ(SSL_process_quic_post_handshake(client_.get()), 1);
7013 EXPECT_TRUE(g_last_session);
7014
7015 // Attempt a resumption with g_last_session using TLS_method.
7016 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
7017 ASSERT_TRUE(client_ctx);
7018
7019 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), nullptr));
7020
7021 bssl::UniquePtr<SSL> client(SSL_new(client_ctx.get())),
7022 server(SSL_new(server_ctx_.get()));
7023 ASSERT_TRUE(client);
7024 ASSERT_TRUE(server);
7025 SSL_set_connect_state(client.get());
7026 SSL_set_accept_state(server.get());
7027
7028 // The TLS-over-TCP client will refuse to resume with a quic session, so
7029 // mark is_quic = false to bypass the client check to test the server check.
7030 g_last_session.get()->is_quic = false;
7031 SSL_set_session(client.get(), g_last_session.get());
7032
7033 BIO *bio1, *bio2;
7034 ASSERT_TRUE(BIO_new_bio_pair(&bio1, 0, &bio2, 0));
7035
7036 // SSL_set_bio takes ownership.
7037 SSL_set_bio(client.get(), bio1, bio1);
7038 SSL_set_bio(server.get(), bio2, bio2);
7039 ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
7040
7041 EXPECT_FALSE(SSL_session_reused(client.get()));
7042 EXPECT_FALSE(SSL_session_reused(server.get()));
7043}
7044
Nick Harper72cff812020-03-26 18:06:16 -0700[diff] [blame]7045TEST_F(QUICMethodTest, ClientRejectsMissingTransportParams) {
7046 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7047 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7048 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7049
7050 ASSERT_TRUE(CreateClientAndServer());
7051 ASSERT_TRUE(SSL_set_quic_transport_params(server_.get(), nullptr, 0));
7052 ASSERT_TRUE(RunQUICHandshakesAndExpectError(ExpectedError::kServerError));
7053}
7054
7055TEST_F(QUICMethodTest, ServerRejectsMissingTransportParams) {
7056 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7057 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7058 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7059
7060 ASSERT_TRUE(CreateClientAndServer());
7061 ASSERT_TRUE(SSL_set_quic_transport_params(client_.get(), nullptr, 0));
7062 ASSERT_TRUE(RunQUICHandshakesAndExpectError(ExpectedError::kClientError));
7063}
7064
David Schinazi3d8b8c32021-01-14 11:25:49 -0800[diff] [blame]7065TEST_F(QUICMethodTest, QuicLegacyCodepointEnabled) {
7066 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7067 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7068 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7069
7070 ASSERT_TRUE(CreateClientAndServer());
7071 uint8_t kClientParams[] = {1, 2, 3, 4};
7072 uint8_t kServerParams[] = {5, 6, 7};
7073 SSL_set_quic_use_legacy_codepoint(client_.get(), 1);
7074 SSL_set_quic_use_legacy_codepoint(server_.get(), 1);
7075 ASSERT_TRUE(SSL_set_quic_transport_params(client_.get(), kClientParams,
7076 sizeof(kClientParams)));
7077 ASSERT_TRUE(SSL_set_quic_transport_params(server_.get(), kServerParams,
7078 sizeof(kServerParams)));
7079
7080 ASSERT_TRUE(CompleteHandshakesForQUIC());
7081 ExpectReceivedTransportParamsEqual(client_.get(), kServerParams);
7082 ExpectReceivedTransportParamsEqual(server_.get(), kClientParams);
7083}
7084
7085TEST_F(QUICMethodTest, QuicLegacyCodepointDisabled) {
7086 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7087 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7088 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7089
7090 ASSERT_TRUE(CreateClientAndServer());
7091 uint8_t kClientParams[] = {1, 2, 3, 4};
7092 uint8_t kServerParams[] = {5, 6, 7};
7093 SSL_set_quic_use_legacy_codepoint(client_.get(), 0);
7094 SSL_set_quic_use_legacy_codepoint(server_.get(), 0);
7095 ASSERT_TRUE(SSL_set_quic_transport_params(client_.get(), kClientParams,
7096 sizeof(kClientParams)));
7097 ASSERT_TRUE(SSL_set_quic_transport_params(server_.get(), kServerParams,
7098 sizeof(kServerParams)));
7099
7100 ASSERT_TRUE(CompleteHandshakesForQUIC());
7101 ExpectReceivedTransportParamsEqual(client_.get(), kServerParams);
7102 ExpectReceivedTransportParamsEqual(server_.get(), kClientParams);
7103}
7104
7105TEST_F(QUICMethodTest, QuicLegacyCodepointClientOnly) {
7106 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7107 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7108 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7109
7110 ASSERT_TRUE(CreateClientAndServer());
7111 uint8_t kClientParams[] = {1, 2, 3, 4};
7112 uint8_t kServerParams[] = {5, 6, 7};
7113 SSL_set_quic_use_legacy_codepoint(client_.get(), 1);
7114 SSL_set_quic_use_legacy_codepoint(server_.get(), 0);
7115 ASSERT_TRUE(SSL_set_quic_transport_params(client_.get(), kClientParams,
7116 sizeof(kClientParams)));
7117 ASSERT_TRUE(SSL_set_quic_transport_params(server_.get(), kServerParams,
7118 sizeof(kServerParams)));
7119
7120 ASSERT_TRUE(RunQUICHandshakesAndExpectError(ExpectedError::kServerError));
7121}
7122
7123TEST_F(QUICMethodTest, QuicLegacyCodepointServerOnly) {
7124 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7125 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7126 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7127
7128 ASSERT_TRUE(CreateClientAndServer());
7129 uint8_t kClientParams[] = {1, 2, 3, 4};
7130 uint8_t kServerParams[] = {5, 6, 7};
7131 SSL_set_quic_use_legacy_codepoint(client_.get(), 0);
7132 SSL_set_quic_use_legacy_codepoint(server_.get(), 1);
7133 ASSERT_TRUE(SSL_set_quic_transport_params(client_.get(), kClientParams,
7134 sizeof(kClientParams)));
7135 ASSERT_TRUE(SSL_set_quic_transport_params(server_.get(), kServerParams,
7136 sizeof(kServerParams)));
7137
7138 ASSERT_TRUE(RunQUICHandshakesAndExpectError(ExpectedError::kServerError));
7139}
7140
David Benjaminc47bfce2021-01-20 17:10:32 -0500[diff] [blame]7141// Test that the default QUIC code point is consistent with
7142// |TLSEXT_TYPE_quic_transport_parameters|. This test ensures we remember to
7143// update the two values together.
7144TEST_F(QUICMethodTest, QuicCodePointDefault) {
7145 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7146 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7147 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7148 SSL_CTX_set_select_certificate_cb(
7149 server_ctx_.get(),
7150 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
7151 const uint8_t *data;
7152 size_t len;
7153 if (!SSL_early_callback_ctx_extension_get(
7154 client_hello, TLSEXT_TYPE_quic_transport_parameters, &data,
7155 &len)) {
7156 ADD_FAILURE() << "Could not find quic_transport_parameters extension";
7157 return ssl_select_cert_error;
7158 }
7159 return ssl_select_cert_success;
7160 });
7161
7162 ASSERT_TRUE(CreateClientAndServer());
7163 ASSERT_TRUE(CompleteHandshakesForQUIC());
7164}
7165
Adam Langley7540cc22019-04-18 09:56:13 -0700[diff] [blame]7166extern "C" {
7167int BORINGSSL_enum_c_type_test(void);
7168}
7169
7170TEST(SSLTest, EnumTypes) {
7171 EXPECT_EQ(sizeof(int), sizeof(ssl_private_key_result_t));
7172 EXPECT_EQ(1, BORINGSSL_enum_c_type_test());
7173}
7174
David Benjaminb29e1e12019-05-06 14:44:46 -0500[diff] [blame]7175TEST_P(SSLVersionTest, DoubleSSLError) {
7176 // Connect the inner SSL connections.
7177 ASSERT_TRUE(Connect());
7178
7179 // Make a pair of |BIO|s which wrap |client_| and |server_|.
7180 UniquePtr<BIO_METHOD> bio_method(BIO_meth_new(0, nullptr));
7181 ASSERT_TRUE(bio_method);
7182 ASSERT_TRUE(BIO_meth_set_read(
7183 bio_method.get(), [](BIO *bio, char *out, int len) -> int {
7184 SSL *ssl = static_cast<SSL *>(BIO_get_data(bio));
7185 int ret = SSL_read(ssl, out, len);
7186 int ssl_ret = SSL_get_error(ssl, ret);
7187 if (ssl_ret == SSL_ERROR_WANT_READ) {
7188 BIO_set_retry_read(bio);
7189 }
7190 return ret;
7191 }));
7192 ASSERT_TRUE(BIO_meth_set_write(
7193 bio_method.get(), [](BIO *bio, const char *in, int len) -> int {
7194 SSL *ssl = static_cast<SSL *>(BIO_get_data(bio));
7195 int ret = SSL_write(ssl, in, len);
7196 int ssl_ret = SSL_get_error(ssl, ret);
7197 if (ssl_ret == SSL_ERROR_WANT_WRITE) {
7198 BIO_set_retry_write(bio);
7199 }
7200 return ret;
7201 }));
7202 ASSERT_TRUE(BIO_meth_set_ctrl(
7203 bio_method.get(), [](BIO *bio, int cmd, long larg, void *parg) -> long {
7204 // |SSL| objects require |BIO_flush| support.
7205 if (cmd == BIO_CTRL_FLUSH) {
7206 return 1;
7207 }
7208 return 0;
7209 }));
7210
7211 UniquePtr<BIO> client_bio(BIO_new(bio_method.get()));
7212 ASSERT_TRUE(client_bio);
7213 BIO_set_data(client_bio.get(), client_.get());
7214 BIO_set_init(client_bio.get(), 1);
7215
7216 UniquePtr<BIO> server_bio(BIO_new(bio_method.get()));
7217 ASSERT_TRUE(server_bio);
7218 BIO_set_data(server_bio.get(), server_.get());
7219 BIO_set_init(server_bio.get(), 1);
7220
7221 // Wrap the inner connections in another layer of SSL.
7222 UniquePtr<SSL> client_outer(SSL_new(client_ctx_.get()));
7223 ASSERT_TRUE(client_outer);
7224 SSL_set_connect_state(client_outer.get());
7225 SSL_set_bio(client_outer.get(), client_bio.get(), client_bio.get());
7226 client_bio.release(); // |SSL_set_bio| takes ownership.
7227
7228 UniquePtr<SSL> server_outer(SSL_new(server_ctx_.get()));
7229 ASSERT_TRUE(server_outer);
7230 SSL_set_accept_state(server_outer.get());
7231 SSL_set_bio(server_outer.get(), server_bio.get(), server_bio.get());
7232 server_bio.release(); // |SSL_set_bio| takes ownership.
7233
7234 // Configure |client_outer| to reject the server certificate.
7235 SSL_set_custom_verify(
7236 client_outer.get(), SSL_VERIFY_PEER,
7237 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
7238 return ssl_verify_invalid;
7239 });
7240
7241 for (;;) {
7242 int client_ret = SSL_do_handshake(client_outer.get());
7243 int client_err = SSL_get_error(client_outer.get(), client_ret);
7244 if (client_err != SSL_ERROR_WANT_READ &&
7245 client_err != SSL_ERROR_WANT_WRITE) {
7246 // The client handshake should terminate on a certificate verification
7247 // error.
7248 EXPECT_EQ(SSL_ERROR_SSL, client_err);
7249 uint32_t err = ERR_peek_error();
7250 EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err));
7251 EXPECT_EQ(SSL_R_CERTIFICATE_VERIFY_FAILED, ERR_GET_REASON(err));
7252 break;
7253 }
7254
7255 // Run the server handshake and continue.
7256 int server_ret = SSL_do_handshake(server_outer.get());
7257 int server_err = SSL_get_error(server_outer.get(), server_ret);
7258 ASSERT_TRUE(server_err == SSL_ERROR_NONE ||
7259 server_err == SSL_ERROR_WANT_READ ||
7260 server_err == SSL_ERROR_WANT_WRITE);
7261 }
7262}
7263
David Benjamin1b819472020-06-09 14:01:02 -0400[diff] [blame]7264TEST_P(SSLVersionTest, SameKeyResume) {
7265 uint8_t key[48];
7266 RAND_bytes(key, sizeof(key));
7267
7268 bssl::UniquePtr<SSL_CTX> server_ctx2 = CreateContext();
7269 ASSERT_TRUE(server_ctx2);
7270 ASSERT_TRUE(UseCertAndKey(server_ctx2.get()));
7271 ASSERT_TRUE(
7272 SSL_CTX_set_tlsext_ticket_keys(server_ctx_.get(), key, sizeof(key)));
7273 ASSERT_TRUE(
7274 SSL_CTX_set_tlsext_ticket_keys(server_ctx2.get(), key, sizeof(key)));
7275
7276 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
7277 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
7278 SSL_CTX_set_session_cache_mode(server_ctx2.get(), SSL_SESS_CACHE_BOTH);
7279
7280 // Establish a session for |server_ctx_|.
7281 bssl::UniquePtr<SSL_SESSION> session =
7282 CreateClientSession(client_ctx_.get(), server_ctx_.get());
7283 ASSERT_TRUE(session);
7284 ClientConfig config;
7285 config.session = session.get();
7286
7287 // Resuming with |server_ctx_| again works.
7288 bssl::UniquePtr<SSL> client, server;
7289 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
7290 server_ctx_.get(), config));
7291 EXPECT_TRUE(SSL_session_reused(client.get()));
7292 EXPECT_TRUE(SSL_session_reused(server.get()));
7293
7294 // Resuming with |server_ctx2| also works.
7295 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
7296 server_ctx2.get(), config));
7297 EXPECT_TRUE(SSL_session_reused(client.get()));
7298 EXPECT_TRUE(SSL_session_reused(server.get()));
7299}
7300
7301TEST_P(SSLVersionTest, DifferentKeyNoResume) {
7302 uint8_t key1[48], key2[48];
7303 RAND_bytes(key1, sizeof(key1));
7304 RAND_bytes(key2, sizeof(key2));
7305
7306 bssl::UniquePtr<SSL_CTX> server_ctx2 = CreateContext();
7307 ASSERT_TRUE(server_ctx2);
7308 ASSERT_TRUE(UseCertAndKey(server_ctx2.get()));
7309 ASSERT_TRUE(
7310 SSL_CTX_set_tlsext_ticket_keys(server_ctx_.get(), key1, sizeof(key1)));
7311 ASSERT_TRUE(
7312 SSL_CTX_set_tlsext_ticket_keys(server_ctx2.get(), key2, sizeof(key2)));
7313
7314 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
7315 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
7316 SSL_CTX_set_session_cache_mode(server_ctx2.get(), SSL_SESS_CACHE_BOTH);
7317
7318 // Establish a session for |server_ctx_|.
7319 bssl::UniquePtr<SSL_SESSION> session =
7320 CreateClientSession(client_ctx_.get(), server_ctx_.get());
7321 ASSERT_TRUE(session);
7322 ClientConfig config;
7323 config.session = session.get();
7324
7325 // Resuming with |server_ctx_| again works.
7326 bssl::UniquePtr<SSL> client, server;
7327 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
7328 server_ctx_.get(), config));
7329 EXPECT_TRUE(SSL_session_reused(client.get()));
7330 EXPECT_TRUE(SSL_session_reused(server.get()));
7331
7332 // Resuming with |server_ctx2| does not work.
7333 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
7334 server_ctx2.get(), config));
7335 EXPECT_FALSE(SSL_session_reused(client.get()));
7336 EXPECT_FALSE(SSL_session_reused(server.get()));
7337}
7338
7339TEST_P(SSLVersionTest, UnrelatedServerNoResume) {
7340 bssl::UniquePtr<SSL_CTX> server_ctx2 = CreateContext();
7341 ASSERT_TRUE(server_ctx2);
7342 ASSERT_TRUE(UseCertAndKey(server_ctx2.get()));
7343
7344 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
7345 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
7346 SSL_CTX_set_session_cache_mode(server_ctx2.get(), SSL_SESS_CACHE_BOTH);
7347
7348 // Establish a session for |server_ctx_|.
7349 bssl::UniquePtr<SSL_SESSION> session =
7350 CreateClientSession(client_ctx_.get(), server_ctx_.get());
7351 ASSERT_TRUE(session);
7352 ClientConfig config;
7353 config.session = session.get();
7354
7355 // Resuming with |server_ctx_| again works.
7356 bssl::UniquePtr<SSL> client, server;
7357 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
7358 server_ctx_.get(), config));
7359 EXPECT_TRUE(SSL_session_reused(client.get()));
7360 EXPECT_TRUE(SSL_session_reused(server.get()));
7361
7362 // Resuming with |server_ctx2| does not work.
7363 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
7364 server_ctx2.get(), config));
7365 EXPECT_FALSE(SSL_session_reused(client.get()));
7366 EXPECT_FALSE(SSL_session_reused(server.get()));
7367}
7368
Adam Langley47cefed2021-05-26 13:36:40 -0700[diff] [blame]7369Span<const uint8_t> SessionIDOf(const SSL* ssl) {
7370 const SSL_SESSION *session = SSL_get_session(ssl);
7371 unsigned len;
7372 const uint8_t *data = SSL_SESSION_get_id(session, &len);
7373 return MakeConstSpan(data, len);
7374}
7375
7376TEST_P(SSLVersionTest, TicketSessionIDsMatch) {
7377 // This checks that the session IDs at client and server match after a ticket
7378 // resumption. It's unclear whether this should be true, but Envoy depends
7379 // on it in their tests so this will give an early signal if we break it.
7380 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
7381 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
7382
7383 bssl::UniquePtr<SSL_SESSION> session =
7384 CreateClientSession(client_ctx_.get(), server_ctx_.get());
7385
7386 bssl::UniquePtr<SSL> client, server;
7387 ClientConfig config;
7388 config.session = session.get();
7389 EXPECT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
7390 server_ctx_.get(), config));
7391 EXPECT_TRUE(SSL_session_reused(client.get()));
7392 EXPECT_TRUE(SSL_session_reused(server.get()));
7393
7394 EXPECT_EQ(Bytes(SessionIDOf(client.get())), Bytes(SessionIDOf(server.get())));
7395}
7396
David Benjamin10fef972022-08-30 11:38:51 -0400[diff] [blame]7397static void WriteHelloRequest(SSL *server) {
7398 // This function assumes TLS 1.2 with ChaCha20-Poly1305.
7399 ASSERT_EQ(SSL_version(server), TLS1_2_VERSION);
7400 ASSERT_EQ(SSL_CIPHER_get_cipher_nid(SSL_get_current_cipher(server)),
7401 NID_chacha20_poly1305);
David Benjamin0e7dbd52019-05-15 16:01:18 -0400[diff] [blame]7402
7403 // Encrypt a HelloRequest.
7404 uint8_t in[] = {SSL3_MT_HELLO_REQUEST, 0, 0, 0};
7405#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
7406 // Fuzzer-mode records are unencrypted.
7407 uint8_t record[5 + sizeof(in)];
7408 record[0] = SSL3_RT_HANDSHAKE;
7409 record[1] = 3;
7410 record[2] = 3; // TLS 1.2
7411 record[3] = 0;
7412 record[4] = sizeof(record) - 5;
7413 memcpy(record + 5, in, sizeof(in));
7414#else
7415 // Extract key material from |server|.
7416 static const size_t kKeyLen = 32;
7417 static const size_t kNonceLen = 12;
David Benjamin10fef972022-08-30 11:38:51 -0400[diff] [blame]7418 ASSERT_EQ(2u * (kKeyLen + kNonceLen), SSL_get_key_block_len(server));
David Benjamin0e7dbd52019-05-15 16:01:18 -0400[diff] [blame]7419 uint8_t key_block[2u * (kKeyLen + kNonceLen)];
David Benjamin10fef972022-08-30 11:38:51 -0400[diff] [blame]7420 ASSERT_TRUE(SSL_generate_key_block(server, key_block, sizeof(key_block)));
David Benjamin0e7dbd52019-05-15 16:01:18 -0400[diff] [blame]7421 Span<uint8_t> key = MakeSpan(key_block + kKeyLen, kKeyLen);
7422 Span<uint8_t> nonce =
7423 MakeSpan(key_block + kKeyLen + kKeyLen + kNonceLen, kNonceLen);
7424
7425 uint8_t ad[13];
David Benjamin10fef972022-08-30 11:38:51 -0400[diff] [blame]7426 uint64_t seq = SSL_get_write_sequence(server);
David Benjamin0e7dbd52019-05-15 16:01:18 -0400[diff] [blame]7427 for (size_t i = 0; i < 8; i++) {
7428 // The nonce is XORed with the sequence number.
7429 nonce[11 - i] ^= uint8_t(seq);
7430 ad[7 - i] = uint8_t(seq);
7431 seq >>= 8;
7432 }
7433
7434 ad[8] = SSL3_RT_HANDSHAKE;
7435 ad[9] = 3;
7436 ad[10] = 3; // TLS 1.2
7437 ad[11] = 0;
7438 ad[12] = sizeof(in);
7439
7440 uint8_t record[5 + sizeof(in) + 16];
7441 record[0] = SSL3_RT_HANDSHAKE;
7442 record[1] = 3;
7443 record[2] = 3; // TLS 1.2
7444 record[3] = 0;
7445 record[4] = sizeof(record) - 5;
7446
7447 ScopedEVP_AEAD_CTX aead;
7448 ASSERT_TRUE(EVP_AEAD_CTX_init(aead.get(), EVP_aead_chacha20_poly1305(),
7449 key.data(), key.size(),
7450 EVP_AEAD_DEFAULT_TAG_LENGTH, nullptr));
7451 size_t len;
7452 ASSERT_TRUE(EVP_AEAD_CTX_seal(aead.get(), record + 5, &len,
7453 sizeof(record) - 5, nonce.data(), nonce.size(),
7454 in, sizeof(in), ad, sizeof(ad)));
7455 ASSERT_EQ(sizeof(record) - 5, len);
7456#endif // BORINGSSL_UNSAFE_FUZZER_MODE
7457
7458 ASSERT_EQ(int(sizeof(record)),
David Benjamin10fef972022-08-30 11:38:51 -0400[diff] [blame]7459 BIO_write(SSL_get_wbio(server), record, sizeof(record)));
7460}
7461
7462TEST(SSLTest, WriteWhileExplicitRenegotiate) {
7463 bssl::UniquePtr<SSL_CTX> ctx(CreateContextWithTestCertificate(TLS_method()));
7464 ASSERT_TRUE(ctx);
7465
7466 ASSERT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_2_VERSION));
7467 ASSERT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_2_VERSION));
7468 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(
7469 ctx.get(), "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"));
7470
7471 bssl::UniquePtr<SSL> client, server;
7472 ASSERT_TRUE(CreateClientAndServer(&client, &server, ctx.get(), ctx.get()));
7473 SSL_set_renegotiate_mode(client.get(), ssl_renegotiate_explicit);
7474 ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
7475
7476 static const uint8_t kInput[] = {'h', 'e', 'l', 'l', 'o'};
7477
7478 // Write "hello" until the buffer is full, so |client| has a pending write.
7479 size_t num_writes = 0;
7480 for (;;) {
7481 int ret = SSL_write(client.get(), kInput, sizeof(kInput));
7482 if (ret != int(sizeof(kInput))) {
7483 ASSERT_EQ(-1, ret);
7484 ASSERT_EQ(SSL_ERROR_WANT_WRITE, SSL_get_error(client.get(), ret));
7485 break;
7486 }
7487 num_writes++;
7488 }
7489
7490 ASSERT_NO_FATAL_FAILURE(WriteHelloRequest(server.get()));
David Benjamin0e7dbd52019-05-15 16:01:18 -0400[diff] [blame]7491
7492 // |SSL_read| should pick up the HelloRequest.
7493 uint8_t byte;
7494 ASSERT_EQ(-1, SSL_read(client.get(), &byte, 1));
7495 ASSERT_EQ(SSL_ERROR_WANT_RENEGOTIATE, SSL_get_error(client.get(), -1));
7496
7497 // Drain the data from the |client|.
7498 uint8_t buf[sizeof(kInput)];
7499 for (size_t i = 0; i < num_writes; i++) {
7500 ASSERT_EQ(int(sizeof(buf)), SSL_read(server.get(), buf, sizeof(buf)));
7501 EXPECT_EQ(Bytes(buf), Bytes(kInput));
7502 }
7503
7504 // |client| should be able to finish the pending write and continue to write,
7505 // despite the paused HelloRequest.
7506 ASSERT_EQ(int(sizeof(kInput)),
7507 SSL_write(client.get(), kInput, sizeof(kInput)));
7508 ASSERT_EQ(int(sizeof(buf)), SSL_read(server.get(), buf, sizeof(buf)));
7509 EXPECT_EQ(Bytes(buf), Bytes(kInput));
7510
7511 ASSERT_EQ(int(sizeof(kInput)),
7512 SSL_write(client.get(), kInput, sizeof(kInput)));
7513 ASSERT_EQ(int(sizeof(buf)), SSL_read(server.get(), buf, sizeof(buf)));
7514 EXPECT_EQ(Bytes(buf), Bytes(kInput));
7515
7516 // |SSL_read| is stuck until we acknowledge the HelloRequest.
7517 ASSERT_EQ(-1, SSL_read(client.get(), &byte, 1));
7518 ASSERT_EQ(SSL_ERROR_WANT_RENEGOTIATE, SSL_get_error(client.get(), -1));
7519
7520 ASSERT_TRUE(SSL_renegotiate(client.get()));
7521 ASSERT_EQ(-1, SSL_read(client.get(), &byte, 1));
7522 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(client.get(), -1));
7523
7524 // We never renegotiate as a server.
7525 ASSERT_EQ(-1, SSL_read(server.get(), buf, sizeof(buf)));
7526 ASSERT_EQ(SSL_ERROR_SSL, SSL_get_error(server.get(), -1));
7527 uint32_t err = ERR_get_error();
7528 EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err));
7529 EXPECT_EQ(SSL_R_NO_RENEGOTIATION, ERR_GET_REASON(err));
7530}
7531
David Benjamin10fef972022-08-30 11:38:51 -0400[diff] [blame]7532TEST(SSLTest, ConnectionPropertiesDuringRenegotiate) {
7533 // Configure known connection properties, so we can check against them.
7534 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
7535 ASSERT_TRUE(ctx);
7536 bssl::UniquePtr<X509> cert = GetTestCertificate();
7537 ASSERT_TRUE(cert);
7538 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
7539 ASSERT_TRUE(key);
7540 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), cert.get()));
7541 ASSERT_TRUE(SSL_CTX_use_PrivateKey(ctx.get(), key.get()));
7542 ASSERT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_2_VERSION));
7543 ASSERT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_2_VERSION));
7544 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(
7545 ctx.get(), "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"));
7546 ASSERT_TRUE(SSL_CTX_set1_curves_list(ctx.get(), "X25519"));
7547 ASSERT_TRUE(SSL_CTX_set1_sigalgs_list(ctx.get(), "rsa_pkcs1_sha256"));
7548
7549 // Connect a client and server that accept renegotiation.
7550 bssl::UniquePtr<SSL> client, server;
7551 ASSERT_TRUE(CreateClientAndServer(&client, &server, ctx.get(), ctx.get()));
7552 SSL_set_renegotiate_mode(client.get(), ssl_renegotiate_freely);
7553 ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
7554
7555 auto check_properties = [&] {
7556 EXPECT_EQ(SSL_version(client.get()), TLS1_2_VERSION);
7557 const SSL_CIPHER *cipher = SSL_get_current_cipher(client.get());
7558 ASSERT_TRUE(cipher);
7559 EXPECT_EQ(SSL_CIPHER_get_id(cipher),
7560 uint32_t{TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256});
7561 EXPECT_EQ(SSL_get_curve_id(client.get()), SSL_CURVE_X25519);
7562 EXPECT_EQ(SSL_get_peer_signature_algorithm(client.get()),
7563 SSL_SIGN_RSA_PKCS1_SHA256);
7564 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(client.get()));
7565 ASSERT_TRUE(peer);
7566 EXPECT_EQ(X509_cmp(cert.get(), peer.get()), 0);
7567 };
7568 check_properties();
7569
7570 // The server sends a HelloRequest.
7571 ASSERT_NO_FATAL_FAILURE(WriteHelloRequest(server.get()));
7572
7573 // Reading from the client will consume the HelloRequest, start a
7574 // renegotiation, and then block on a ServerHello from the server.
7575 uint8_t byte;
7576 ASSERT_EQ(-1, SSL_read(client.get(), &byte, 1));
7577 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(client.get(), -1));
7578
7579 // Connection properties should continue to report values from the original
7580 // handshake.
7581 check_properties();
7582}
David Benjaminf9e0cda2020-03-23 18:29:09 -0400[diff] [blame]7583
7584TEST(SSLTest, CopyWithoutEarlyData) {
7585 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
David Benjamin9b2cdb72021-04-01 23:21:53 -0400[diff] [blame]7586 bssl::UniquePtr<SSL_CTX> server_ctx(
7587 CreateContextWithTestCertificate(TLS_method()));
David Benjaminf9e0cda2020-03-23 18:29:09 -0400[diff] [blame]7588 ASSERT_TRUE(client_ctx);
7589 ASSERT_TRUE(server_ctx);
7590
David Benjaminf9e0cda2020-03-23 18:29:09 -0400[diff] [blame]7591 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
7592 SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH);
7593 SSL_CTX_set_early_data_enabled(client_ctx.get(), 1);
7594 SSL_CTX_set_early_data_enabled(server_ctx.get(), 1);
7595
7596 bssl::UniquePtr<SSL_SESSION> session =
7597 CreateClientSession(client_ctx.get(), server_ctx.get());
7598 ASSERT_TRUE(session);
7599
7600 // The client should attempt early data with |session|.
David Benjaminf9e0cda2020-03-23 18:29:09 -0400[diff] [blame]7601 bssl::UniquePtr<SSL> client, server;
David Benjamin9b2cdb72021-04-01 23:21:53 -0400[diff] [blame]7602 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
7603 server_ctx.get()));
7604 SSL_set_session(client.get(), session.get());
7605 SSL_set_early_data_enabled(client.get(), 1);
David Benjaminf9e0cda2020-03-23 18:29:09 -0400[diff] [blame]7606 ASSERT_EQ(1, SSL_do_handshake(client.get()));
7607 EXPECT_TRUE(SSL_in_early_data(client.get()));
7608
7609 // |SSL_SESSION_copy_without_early_data| should disable early data but
7610 // still resume the session.
7611 bssl::UniquePtr<SSL_SESSION> session2(
7612 SSL_SESSION_copy_without_early_data(session.get()));
7613 ASSERT_TRUE(session2);
7614 EXPECT_NE(session.get(), session2.get());
David Benjamin9b2cdb72021-04-01 23:21:53 -0400[diff] [blame]7615 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
7616 server_ctx.get()));
7617 SSL_set_session(client.get(), session2.get());
7618 SSL_set_early_data_enabled(client.get(), 1);
7619 EXPECT_TRUE(CompleteHandshakes(client.get(), server.get()));
David Benjaminf9e0cda2020-03-23 18:29:09 -0400[diff] [blame]7620 EXPECT_TRUE(SSL_session_reused(client.get()));
7621 EXPECT_EQ(ssl_early_data_unsupported_for_session,
7622 SSL_get_early_data_reason(client.get()));
7623
7624 // |SSL_SESSION_copy_without_early_data| should be a reference count increase
7625 // when passed an early-data-incapable session.
7626 bssl::UniquePtr<SSL_SESSION> session3(
7627 SSL_SESSION_copy_without_early_data(session2.get()));
7628 EXPECT_EQ(session2.get(), session3.get());
7629}
7630
Adam Langley53a17f52020-05-26 14:44:07 -0700[diff] [blame]7631TEST(SSLTest, ProcessTLS13NewSessionTicket) {
7632 // Configure client and server to negotiate TLS 1.3 only.
Adam Langley53a17f52020-05-26 14:44:07 -0700[diff] [blame]7633 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
David Benjamin9b2cdb72021-04-01 23:21:53 -0400[diff] [blame]7634 bssl::UniquePtr<SSL_CTX> server_ctx(
7635 CreateContextWithTestCertificate(TLS_method()));
Adam Langley53a17f52020-05-26 14:44:07 -0700[diff] [blame]7636 ASSERT_TRUE(client_ctx);
7637 ASSERT_TRUE(server_ctx);
7638 ASSERT_TRUE(SSL_CTX_set_min_proto_version(client_ctx.get(), TLS1_3_VERSION));
7639 ASSERT_TRUE(SSL_CTX_set_min_proto_version(server_ctx.get(), TLS1_3_VERSION));
7640 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION));
7641 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
Adam Langley53a17f52020-05-26 14:44:07 -0700[diff] [blame]7642
7643 bssl::UniquePtr<SSL> client, server;
7644 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
7645 server_ctx.get()));
7646 EXPECT_EQ(TLS1_3_VERSION, SSL_version(client.get()));
7647
7648 // Process a TLS 1.3 NewSessionTicket.
7649 static const uint8_t kTicket[] = {
7650 0x04, 0x00, 0x00, 0xb2, 0x00, 0x02, 0xa3, 0x00, 0x04, 0x03, 0x02, 0x01,
7651 0x01, 0x00, 0x00, 0xa0, 0x01, 0x06, 0x09, 0x11, 0x16, 0x19, 0x21, 0x26,
7652 0x29, 0x31, 0x36, 0x39, 0x41, 0x46, 0x49, 0x51, 0x03, 0x06, 0x09, 0x13,
7653 0x16, 0x19, 0x23, 0x26, 0x29, 0x33, 0x36, 0x39, 0x43, 0x46, 0x49, 0x53,
7654 0xf7, 0x00, 0x29, 0xec, 0xf2, 0xc4, 0xa4, 0x41, 0xfc, 0x30, 0x17, 0x2e,
7655 0x9f, 0x7c, 0xa8, 0xaf, 0x75, 0x70, 0xf0, 0x1f, 0xc7, 0x98, 0xf7, 0xcf,
7656 0x5a, 0x5a, 0x6b, 0x5b, 0xfe, 0xf1, 0xe7, 0x3a, 0xe8, 0xf7, 0x6c, 0xd2,
7657 0xa8, 0xa6, 0x92, 0x5b, 0x96, 0x8d, 0xde, 0xdb, 0xd3, 0x20, 0x6a, 0xcb,
7658 0x69, 0x06, 0xf4, 0x91, 0x85, 0x2e, 0xe6, 0x5e, 0x0c, 0x59, 0xf2, 0x9e,
7659 0x9b, 0x79, 0x91, 0x24, 0x7e, 0x4a, 0x32, 0x3d, 0xbe, 0x4b, 0x80, 0x70,
7660 0xaf, 0xd0, 0x1d, 0xe2, 0xca, 0x05, 0x35, 0x09, 0x09, 0x05, 0x0f, 0xbb,
7661 0xc4, 0xae, 0xd7, 0xc4, 0xed, 0xd7, 0xae, 0x35, 0xc8, 0x73, 0x63, 0x78,
7662 0x64, 0xc9, 0x7a, 0x1f, 0xed, 0x7a, 0x9a, 0x47, 0x44, 0xfd, 0x50, 0xf7,
7663 0xb7, 0xe0, 0x64, 0xa9, 0x02, 0xc1, 0x5c, 0x23, 0x18, 0x3f, 0xc4, 0xcf,
7664 0x72, 0x02, 0x59, 0x2d, 0xe1, 0xaa, 0x61, 0x72, 0x00, 0x04, 0x5a, 0x5a,
7665 0x00, 0x00,
7666 };
7667 bssl::UniquePtr<SSL_SESSION> session(SSL_process_tls13_new_session_ticket(
7668 client.get(), kTicket, sizeof(kTicket)));
7669 ASSERT_TRUE(session);
7670 ASSERT_TRUE(SSL_SESSION_has_ticket(session.get()));
7671
7672 uint8_t *session_buf = nullptr;
7673 size_t session_length = 0;
7674 ASSERT_TRUE(
7675 SSL_SESSION_to_bytes(session.get(), &session_buf, &session_length));
7676 bssl::UniquePtr<uint8_t> session_buf_free(session_buf);
7677 ASSERT_TRUE(session_buf);
7678 ASSERT_GT(session_length, 0u);
7679
7680 // Servers cannot call |SSL_process_tls13_new_session_ticket|.
7681 ASSERT_FALSE(SSL_process_tls13_new_session_ticket(server.get(), kTicket,
7682 sizeof(kTicket)));
7683
7684 // Clients cannot call |SSL_process_tls13_new_session_ticket| before the
7685 // handshake completes.
7686 bssl::UniquePtr<SSL> client2(SSL_new(client_ctx.get()));
7687 ASSERT_TRUE(client2);
7688 SSL_set_connect_state(client2.get());
7689 ASSERT_FALSE(SSL_process_tls13_new_session_ticket(client2.get(), kTicket,
7690 sizeof(kTicket)));
7691}
7692
David Benjamin3989c992020-10-09 14:12:06 -0400[diff] [blame]7693TEST(SSLTest, BIO) {
7694 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
David Benjamin9b2cdb72021-04-01 23:21:53 -0400[diff] [blame]7695 bssl::UniquePtr<SSL_CTX> server_ctx(
7696 CreateContextWithTestCertificate(TLS_method()));
David Benjamin3989c992020-10-09 14:12:06 -0400[diff] [blame]7697 ASSERT_TRUE(client_ctx);
7698 ASSERT_TRUE(server_ctx);
7699
David Benjamin3989c992020-10-09 14:12:06 -0400[diff] [blame]7700 for (bool take_ownership : {true, false}) {
7701 // For simplicity, get the handshake out of the way first.
7702 bssl::UniquePtr<SSL> client, server;
7703 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
7704 server_ctx.get()));
7705
7706 // Wrap |client| in an SSL BIO.
7707 bssl::UniquePtr<BIO> client_bio(BIO_new(BIO_f_ssl()));
7708 ASSERT_TRUE(client_bio);
7709 ASSERT_EQ(1, BIO_set_ssl(client_bio.get(), client.get(), take_ownership));
7710 if (take_ownership) {
7711 client.release();
7712 }
7713
7714 // Flushing the BIO should not crash.
7715 EXPECT_EQ(1, BIO_flush(client_bio.get()));
7716
7717 // Exchange some data.
7718 EXPECT_EQ(5, BIO_write(client_bio.get(), "hello", 5));
7719 uint8_t buf[5];
7720 ASSERT_EQ(5, SSL_read(server.get(), buf, sizeof(buf)));
7721 EXPECT_EQ(Bytes("hello"), Bytes(buf));
7722
7723 EXPECT_EQ(5, SSL_write(server.get(), "world", 5));
7724 ASSERT_EQ(5, BIO_read(client_bio.get(), buf, sizeof(buf)));
7725 EXPECT_EQ(Bytes("world"), Bytes(buf));
7726
7727 // |BIO_should_read| should work.
7728 EXPECT_EQ(-1, BIO_read(client_bio.get(), buf, sizeof(buf)));
7729 EXPECT_TRUE(BIO_should_read(client_bio.get()));
7730
7731 // Writing data should eventually exceed the buffer size and fail, reporting
7732 // |BIO_should_write|.
7733 int ret;
7734 for (int i = 0; i < 1024; i++) {
7735 std::vector<uint8_t> buffer(1024);
7736 ret = BIO_write(client_bio.get(), buffer.data(), buffer.size());
7737 if (ret <= 0) {
7738 break;
7739 }
7740 }
7741 EXPECT_EQ(-1, ret);
7742 EXPECT_TRUE(BIO_should_write(client_bio.get()));
7743 }
7744}
7745
David Benjamin12a3e7e2021-04-13 11:47:36 -0400[diff] [blame]7746TEST(SSLTest, ALPNConfig) {
7747 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
7748 ASSERT_TRUE(ctx);
7749 bssl::UniquePtr<X509> cert = GetTestCertificate();
7750 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
7751 ASSERT_TRUE(cert);
7752 ASSERT_TRUE(key);
7753 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), cert.get()));
7754 ASSERT_TRUE(SSL_CTX_use_PrivateKey(ctx.get(), key.get()));
7755
7756 // Set up some machinery to check the configured ALPN against what is actually
7757 // sent over the wire. Note that the ALPN callback is only called when the
7758 // client offers ALPN.
7759 std::vector<uint8_t> observed_alpn;
7760 SSL_CTX_set_alpn_select_cb(
7761 ctx.get(),
7762 [](SSL *ssl, const uint8_t **out, uint8_t *out_len, const uint8_t *in,
7763 unsigned in_len, void *arg) -> int {
7764 std::vector<uint8_t> *observed_alpn_ptr =
7765 static_cast<std::vector<uint8_t> *>(arg);
7766 observed_alpn_ptr->assign(in, in + in_len);
7767 return SSL_TLSEXT_ERR_NOACK;
7768 },
7769 &observed_alpn);
7770 auto check_alpn_proto = [&](Span<const uint8_t> expected) {
7771 observed_alpn.clear();
7772 bssl::UniquePtr<SSL> client, server;
7773 EXPECT_TRUE(ConnectClientAndServer(&client, &server, ctx.get(), ctx.get()));
7774 EXPECT_EQ(Bytes(expected), Bytes(observed_alpn));
7775 };
7776
7777 // Note that |SSL_CTX_set_alpn_protos|'s return value is reversed.
7778 static const uint8_t kValidList[] = {0x03, 'f', 'o', 'o',
7779 0x03, 'b', 'a', 'r'};
7780 EXPECT_EQ(0,
7781 SSL_CTX_set_alpn_protos(ctx.get(), kValidList, sizeof(kValidList)));
7782 check_alpn_proto(kValidList);
7783
7784 // Invalid lists are rejected.
7785 static const uint8_t kInvalidList[] = {0x04, 'f', 'o', 'o'};
7786 EXPECT_EQ(1, SSL_CTX_set_alpn_protos(ctx.get(), kInvalidList,
7787 sizeof(kInvalidList)));
7788
7789 // Empty lists are valid and are interpreted as disabling ALPN.
7790 EXPECT_EQ(0, SSL_CTX_set_alpn_protos(ctx.get(), nullptr, 0));
7791 check_alpn_proto({});
7792}
7793
David Benjamin2f3958a2021-04-16 11:55:23 -0400[diff] [blame]7794// Test that the key usage checker can correctly handle issuerUID and
7795// subjectUID. See https://crbug.com/1199744.
7796TEST(SSLTest, KeyUsageWithUIDs) {
7797 static const char kGoodKeyUsage[] = R"(
7798-----BEGIN CERTIFICATE-----
7799MIIB7DCCAZOgAwIBAgIJANlMBNpJfb/rMAoGCCqGSM49BAMCMEUxCzAJBgNVBAYT
7800AkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRn
7801aXRzIFB0eSBMdGQwHhcNMTQwNDIzMjMyMTU3WhcNMTQwNTIzMjMyMTU3WjBFMQsw
7802CQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJu
7803ZXQgV2lkZ2l0cyBQdHkgTHRkMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE5itp
78044r9ln5e+Lx4NlIpM1Zdrt6keDUb73ampHp3culoB59aXqAoY+cPEox5W4nyDSNsW
7805Ghz1HX7xlC1Lz3IiwYEEABI0VoIEABI0VqNgMF4wHQYDVR0OBBYEFKuE0qyrlfCC
7806ThZ4B1VXX+QmjYLRMB8GA1UdIwQYMBaAFKuE0qyrlfCCThZ4B1VXX+QmjYLRMA4G
7807A1UdDwEB/wQEAwIHgDAMBgNVHRMEBTADAQH/MAoGCCqGSM49BAMCA0cAMEQCIEWJ
780834EcqW5MHwLIA1hZ2Tj/jV2QjN02KLxis9mFsqDKAiAMlMTkzsM51vVs9Ohqa+Rc
78094Z7qDhjIhiF4dM0uEDYRVA==
7810-----END CERTIFICATE-----
7811)";
7812 static const char kBadKeyUsage[] = R"(
7813-----BEGIN CERTIFICATE-----
7814MIIB7jCCAZOgAwIBAgIJANlMBNpJfb/rMAoGCCqGSM49BAMCMEUxCzAJBgNVBAYT
7815AkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRn
7816aXRzIFB0eSBMdGQwHhcNMTQwNDIzMjMyMTU3WhcNMTQwNTIzMjMyMTU3WjBFMQsw
7817CQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJu
7818ZXQgV2lkZ2l0cyBQdHkgTHRkMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE5itp
78194r9ln5e+Lx4NlIpM1Zdrt6keDUb73ampHp3culoB59aXqAoY+cPEox5W4nyDSNsW
7820Ghz1HX7xlC1Lz3IiwYEEABI0VoIEABI0VqNgMF4wHQYDVR0OBBYEFKuE0qyrlfCC
7821ThZ4B1VXX+QmjYLRMB8GA1UdIwQYMBaAFKuE0qyrlfCCThZ4B1VXX+QmjYLRMA4G
7822A1UdDwEB/wQEAwIDCDAMBgNVHRMEBTADAQH/MAoGCCqGSM49BAMCA0kAMEYCIQC6
7823taYBUDu2gcZC6EMk79FBHArYI0ucF+kzvETegZCbBAIhANtObFec5gtso/47moPD
7824RHrQbWsFUakETXL9QMlegh5t
7825-----END CERTIFICATE-----
7826)";
7827
7828 bssl::UniquePtr<X509> good = CertFromPEM(kGoodKeyUsage);
7829 ASSERT_TRUE(good);
7830 bssl::UniquePtr<X509> bad = CertFromPEM(kBadKeyUsage);
7831 ASSERT_TRUE(bad);
7832
7833 // We check key usage when configuring EC certificates to distinguish ECDSA
7834 // and ECDH.
7835 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
7836 ASSERT_TRUE(ctx);
7837 EXPECT_TRUE(SSL_CTX_use_certificate(ctx.get(), good.get()));
7838 EXPECT_FALSE(SSL_CTX_use_certificate(ctx.get(), bad.get()));
7839}
7840
David Benjamin9b2cdb72021-04-01 23:21:53 -0400[diff] [blame]7841// Test that |SSL_can_release_private_key| reports true as early as expected.
7842// The internal asserts in the library check we do not report true too early.
7843TEST(SSLTest, CanReleasePrivateKey) {
7844 bssl::UniquePtr<SSL_CTX> client_ctx =
7845 CreateContextWithTestCertificate(TLS_method());
7846 ASSERT_TRUE(client_ctx);
7847 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
7848
7849 // Note this assumes the transport buffer is large enough to fit the client
7850 // and server first flights. We check this with |SSL_ERROR_WANT_READ|. If the
7851 // transport buffer was too small it would return |SSL_ERROR_WANT_WRITE|.
7852 auto check_first_server_round_trip = [&](SSL *client, SSL *server) {
7853 // Write the ClientHello.
7854 ASSERT_EQ(-1, SSL_do_handshake(client));
7855 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(client, -1));
7856
7857 // Consume the ClientHello and write the server flight.
7858 ASSERT_EQ(-1, SSL_do_handshake(server));
7859 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(server, -1));
7860
7861 EXPECT_TRUE(SSL_can_release_private_key(server));
7862 };
7863
7864 {
7865 SCOPED_TRACE("TLS 1.2 ECDHE");
7866 bssl::UniquePtr<SSL_CTX> server_ctx(
7867 CreateContextWithTestCertificate(TLS_method()));
7868 ASSERT_TRUE(server_ctx);
7869 ASSERT_TRUE(
7870 SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_2_VERSION));
7871 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(
7872 server_ctx.get(), "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"));
7873 // Configure the server to request client certificates, so we can also test
7874 // the client half.
7875 SSL_CTX_set_custom_verify(
7876 server_ctx.get(), SSL_VERIFY_PEER,
7877 [](SSL *ssl, uint8_t *out_alert) { return ssl_verify_ok; });
7878 bssl::UniquePtr<SSL> client, server;
7879 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
7880 server_ctx.get()));
7881 check_first_server_round_trip(client.get(), server.get());
7882
7883 // Consume the server flight and write the client response. The client still
7884 // has a Finished message to consume but can also release its key early.
7885 ASSERT_EQ(-1, SSL_do_handshake(client.get()));
7886 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(client.get(), -1));
7887 EXPECT_TRUE(SSL_can_release_private_key(client.get()));
7888
7889 // However, a client that has not disabled renegotiation can never release
7890 // the key.
7891 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
7892 server_ctx.get()));
7893 SSL_set_renegotiate_mode(client.get(), ssl_renegotiate_freely);
7894 check_first_server_round_trip(client.get(), server.get());
7895 ASSERT_EQ(-1, SSL_do_handshake(client.get()));
7896 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(client.get(), -1));
7897 EXPECT_FALSE(SSL_can_release_private_key(client.get()));
7898 }
7899
7900 {
7901 SCOPED_TRACE("TLS 1.2 resumption");
7902 bssl::UniquePtr<SSL_CTX> server_ctx(
7903 CreateContextWithTestCertificate(TLS_method()));
7904 ASSERT_TRUE(server_ctx);
7905 ASSERT_TRUE(
7906 SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_2_VERSION));
7907 bssl::UniquePtr<SSL_SESSION> session =
7908 CreateClientSession(client_ctx.get(), server_ctx.get());
7909 ASSERT_TRUE(session);
7910 bssl::UniquePtr<SSL> client, server;
7911 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
7912 server_ctx.get()));
7913 SSL_set_session(client.get(), session.get());
7914 check_first_server_round_trip(client.get(), server.get());
7915 }
7916
7917 {
7918 SCOPED_TRACE("TLS 1.3 1-RTT");
7919 bssl::UniquePtr<SSL_CTX> server_ctx(
7920 CreateContextWithTestCertificate(TLS_method()));
7921 ASSERT_TRUE(server_ctx);
7922 ASSERT_TRUE(
7923 SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
7924 bssl::UniquePtr<SSL> client, server;
7925 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
7926 server_ctx.get()));
7927 check_first_server_round_trip(client.get(), server.get());
7928 }
7929
7930 {
7931 SCOPED_TRACE("TLS 1.3 resumption");
7932 bssl::UniquePtr<SSL_CTX> server_ctx(
7933 CreateContextWithTestCertificate(TLS_method()));
7934 ASSERT_TRUE(server_ctx);
7935 ASSERT_TRUE(
7936 SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
7937 bssl::UniquePtr<SSL_SESSION> session =
7938 CreateClientSession(client_ctx.get(), server_ctx.get());
7939 ASSERT_TRUE(session);
7940 bssl::UniquePtr<SSL> client, server;
7941 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
7942 server_ctx.get()));
7943 SSL_set_session(client.get(), session.get());
7944 check_first_server_round_trip(client.get(), server.get());
7945 }
7946}
7947
David Benjamine9c5d722021-06-09 17:43:16 -0400[diff] [blame]7948// GetExtensionOrder sets |*out| to the list of extensions a client attached to
7949// |ctx| will send in the ClientHello. If |ech_keys| is non-null, the client
7950// will offer ECH with the public component. If |decrypt_ech| is true, |*out|
7951// will be set to the ClientHelloInner's extensions, rather than
7952// ClientHelloOuter.
7953static bool GetExtensionOrder(SSL_CTX *client_ctx, std::vector<uint16_t> *out,
7954 SSL_ECH_KEYS *ech_keys, bool decrypt_ech) {
7955 struct AppData {
7956 std::vector<uint16_t> *out;
7957 bool decrypt_ech;
7958 bool callback_done = false;
7959 };
7960 AppData app_data;
7961 app_data.out = out;
7962 app_data.decrypt_ech = decrypt_ech;
7963
7964 bssl::UniquePtr<SSL_CTX> server_ctx =
7965 CreateContextWithTestCertificate(TLS_method());
7966 if (!server_ctx || //
7967 !SSL_CTX_set_app_data(server_ctx.get(), &app_data) ||
7968 (decrypt_ech && !SSL_CTX_set1_ech_keys(server_ctx.get(), ech_keys))) {
7969 return false;
7970 }
7971
7972 // Configure the server to record the ClientHello extension order. We use a
7973 // server rather than |GetClientHello| so it can decrypt ClientHelloInner.
7974 SSL_CTX_set_select_certificate_cb(
7975 server_ctx.get(),
7976 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
7977 AppData *app_data_ptr = static_cast<AppData *>(
7978 SSL_CTX_get_app_data(SSL_get_SSL_CTX(client_hello->ssl)));
7979 EXPECT_EQ(app_data_ptr->decrypt_ech ? 1 : 0,
7980 SSL_ech_accepted(client_hello->ssl));
7981
7982 app_data_ptr->out->clear();
7983 CBS extensions;
7984 CBS_init(&extensions, client_hello->extensions,
7985 client_hello->extensions_len);
7986 while (CBS_len(&extensions)) {
7987 uint16_t type;
7988 CBS body;
7989 if (!CBS_get_u16(&extensions, &type) ||
7990 !CBS_get_u16_length_prefixed(&extensions, &body)) {
7991 return ssl_select_cert_error;
7992 }
7993 app_data_ptr->out->push_back(type);
7994 }
7995
7996 // Don't bother completing the handshake.
7997 app_data_ptr->callback_done = true;
7998 return ssl_select_cert_error;
7999 });
8000
8001 bssl::UniquePtr<SSL> client, server;
8002 if (!CreateClientAndServer(&client, &server, client_ctx, server_ctx.get()) ||
8003 (ech_keys != nullptr && !InstallECHConfigList(client.get(), ech_keys))) {
8004 return false;
8005 }
8006
8007 // Run the handshake far enough to process the ClientHello.
8008 SSL_do_handshake(client.get());
8009 SSL_do_handshake(server.get());
8010 return app_data.callback_done;
8011}
8012
8013// Test that, when extension permutation is enabled, the ClientHello extension
8014// order changes, both with and without ECH, and in both ClientHelloInner and
8015// ClientHelloOuter.
8016TEST(SSLTest, PermuteExtensions) {
8017 bssl::UniquePtr<SSL_ECH_KEYS> keys = MakeTestECHKeys();
8018 ASSERT_TRUE(keys);
8019 for (bool offer_ech : {false, true}) {
8020 SCOPED_TRACE(offer_ech);
8021 SSL_ECH_KEYS *maybe_keys = offer_ech ? keys.get() : nullptr;
8022 for (bool decrypt_ech : {false, true}) {
8023 SCOPED_TRACE(decrypt_ech);
8024 if (!offer_ech && decrypt_ech) {
8025 continue;
8026 }
8027
8028 // When extension permutation is disabled, the order should be consistent.
8029 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
8030 ASSERT_TRUE(ctx);
8031 std::vector<uint16_t> order1, order2;
8032 ASSERT_TRUE(
8033 GetExtensionOrder(ctx.get(), &order1, maybe_keys, decrypt_ech));
8034 ASSERT_TRUE(
8035 GetExtensionOrder(ctx.get(), &order2, maybe_keys, decrypt_ech));
8036 EXPECT_EQ(order1, order2);
8037
8038 ctx.reset(SSL_CTX_new(TLS_method()));
8039 ASSERT_TRUE(ctx);
8040 SSL_CTX_set_permute_extensions(ctx.get(), 1);
8041
8042 // When extension permutation is enabled, each ClientHello should have a
8043 // different order.
8044 //
8045 // This test is inherently flaky, so we run it multiple times. We send at
8046 // least five extensions by default from TLS 1.3: supported_versions,
8047 // key_share, supported_groups, psk_key_exchange_modes, and
8048 // signature_algorithms. That means the probability of a false negative is
8049 // at most 1/120. Repeating the test 14 times lowers false negative rate
8050 // to under 2^-96.
8051 ASSERT_TRUE(
8052 GetExtensionOrder(ctx.get(), &order1, maybe_keys, decrypt_ech));
8053 EXPECT_GE(order1.size(), 5u);
8054 static const int kNumIterations = 14;
8055 bool passed = false;
8056 for (int i = 0; i < kNumIterations; i++) {
8057 ASSERT_TRUE(
8058 GetExtensionOrder(ctx.get(), &order2, maybe_keys, decrypt_ech));
8059 if (order1 != order2) {
8060 passed = true;
8061 break;
8062 }
8063 }
8064 EXPECT_TRUE(passed) << "Extensions were not permuted";
8065 }
8066 }
8067}
8068
Adam Langley7e7e6b62021-12-06 13:04:07 -0800[diff] [blame]8069TEST(SSLTest, HostMatching) {
David Benjaminc3c540b2021-12-08 15:12:51 -0500[diff] [blame]8070 static const char kCertPEM[] = R"(
8071-----BEGIN CERTIFICATE-----
8072MIIB9jCCAZ2gAwIBAgIQeudG9R61BOxUvWkeVhU5DTAKBggqhkjOPQQDAjApMRAw
8073DgYDVQQKEwdBY21lIENvMRUwEwYDVQQDEwxleGFtcGxlMy5jb20wHhcNMjExMjA2
8074MjA1NjU2WhcNMjIxMjA2MjA1NjU2WjApMRAwDgYDVQQKEwdBY21lIENvMRUwEwYD
8075VQQDEwxleGFtcGxlMy5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS7l2VO
8076Bl2TjVm9WfGk24+hMbVFUNB+RVHWbCvFvNZAoWiIJ2z34RLGInyZvCZ8xLAvsuaW
8077ULDDaoeDl1M0t4Hmo4GmMIGjMA4GA1UdDwEB/wQEAwIChDATBgNVHSUEDDAKBggr
8078BgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTTJWurcc1t+VPQBko3
8079Gsw6cbcWSTBMBgNVHREERTBDggxleGFtcGxlMS5jb22CDGV4YW1wbGUyLmNvbYIP
8080YSouZXhhbXBsZTQuY29tgg4qLmV4YW1wbGU1LmNvbYcEAQIDBDAKBggqhkjOPQQD
8081AgNHADBEAiAAv0ljHJGrgyzZDkG6XvNZ5ewxRfnXcZuD0Y7E4giCZgIgNK1qjilu
80825DyVbfKeeJhOCtGxqE1dWLXyJBnoRomSYBY=
8083-----END CERTIFICATE-----
8084)";
Adam Langley7e7e6b62021-12-06 13:04:07 -0800[diff] [blame]8085 bssl::UniquePtr<X509> cert(CertFromPEM(kCertPEM));
8086 ASSERT_TRUE(cert);
David Benjaminc3c540b2021-12-08 15:12:51 -0500[diff] [blame]8087 static const char kCertNoSANsPEM[] = R"(
8088-----BEGIN CERTIFICATE-----
8089MIIBqzCCAVGgAwIBAgIQeudG9R61BOxUvWkeVhU5DTAKBggqhkjOPQQDAjArMRIw
8090EAYDVQQKEwlBY21lIENvIDIxFTATBgNVBAMTDGV4YW1wbGUzLmNvbTAeFw0yMTEy
8091MDYyMDU2NTZaFw0yMjEyMDYyMDU2NTZaMCsxEjAQBgNVBAoTCUFjbWUgQ28gMjEV
8092MBMGA1UEAxMMZXhhbXBsZTMuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
8093u5dlTgZdk41ZvVnxpNuPoTG1RVDQfkVR1mwrxbzWQKFoiCds9+ESxiJ8mbwmfMSw
8094L7LmllCww2qHg5dTNLeB5qNXMFUwDgYDVR0PAQH/BAQDAgKEMBMGA1UdJQQMMAoG
8095CCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNMla6txzW35U9AG
8096SjcazDpxtxZJMAoGCCqGSM49BAMCA0gAMEUCIG3YWGWtpVhbcGV7wFKQwTfmvwHW
8097pw4qCFZlool4hCwsAiEA+2fc6NfSbNpFEtQkDOMJW2ANiScAVEmImNqPfb2klz4=
8098-----END CERTIFICATE-----
8099)";
8100 bssl::UniquePtr<X509> cert_no_sans(CertFromPEM(kCertNoSANsPEM));
8101 ASSERT_TRUE(cert_no_sans);
Adam Langley7e7e6b62021-12-06 13:04:07 -0800[diff] [blame]8102
David Benjaminc3c540b2021-12-08 15:12:51 -0500[diff] [blame]8103 static const char kKeyPEM[] = R"(
8104-----BEGIN PRIVATE KEY-----
8105MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQghsaSZhUzZAcQlLyJ
8106MDuy7WPdyqNsAX9rmEP650LF/q2hRANCAAS7l2VOBl2TjVm9WfGk24+hMbVFUNB+
8107RVHWbCvFvNZAoWiIJ2z34RLGInyZvCZ8xLAvsuaWULDDaoeDl1M0t4Hm
8108-----END PRIVATE KEY-----
8109)";
Adam Langley7e7e6b62021-12-06 13:04:07 -0800[diff] [blame]8110 bssl::UniquePtr<EVP_PKEY> key(KeyFromPEM(kKeyPEM));
8111 ASSERT_TRUE(key);
8112
Adam Langley7e7e6b62021-12-06 13:04:07 -0800[diff] [blame]8113 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
8114 ASSERT_TRUE(client_ctx);
8115 ASSERT_TRUE(X509_STORE_add_cert(SSL_CTX_get_cert_store(client_ctx.get()),
8116 cert.get()));
David Benjaminc3c540b2021-12-08 15:12:51 -0500[diff] [blame]8117 ASSERT_TRUE(X509_STORE_add_cert(SSL_CTX_get_cert_store(client_ctx.get()),
8118 cert_no_sans.get()));
Adam Langley7e7e6b62021-12-06 13:04:07 -0800[diff] [blame]8119 SSL_CTX_set_verify(client_ctx.get(),
8120 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
8121 nullptr);
Bob Beck28f96c22022-12-06 16:07:05 -0700[diff] [blame]8122 X509_VERIFY_PARAM_set_flags(SSL_CTX_get0_param(client_ctx.get()),
8123 X509_V_FLAG_NO_CHECK_TIME);
Adam Langley7e7e6b62021-12-06 13:04:07 -0800[diff] [blame]8124
8125 struct TestCase {
David Benjaminc3c540b2021-12-08 15:12:51 -0500[diff] [blame]8126 X509 *cert;
Adam Langley7e7e6b62021-12-06 13:04:07 -0800[diff] [blame]8127 std::string hostname;
8128 unsigned flags;
8129 bool should_match;
8130 };
8131 std::vector<TestCase> kTests = {
8132 // These two names are present as SANs in the certificate.
David Benjaminc3c540b2021-12-08 15:12:51 -0500[diff] [blame]8133 {cert.get(), "example1.com", 0, true},
8134 {cert.get(), "example2.com", 0, true},
Adam Langley7e7e6b62021-12-06 13:04:07 -0800[diff] [blame]8135 // This is the CN of the certificate, but that shouldn't matter if a SAN
8136 // extension is present.
David Benjaminc3c540b2021-12-08 15:12:51 -0500[diff] [blame]8137 {cert.get(), "example3.com", 0, false},
8138 // If the SAN is not present, we, for now, look for DNS names in the CN.
8139 {cert_no_sans.get(), "example3.com", 0, true},
8140 // ... but this can be turned off.
8141 {cert_no_sans.get(), "example3.com", X509_CHECK_FLAG_NEVER_CHECK_SUBJECT,
8142 false},
8143 // a*.example4.com is a SAN, but is invalid.
8144 {cert.get(), "abc.example4.com", 0, false},
Adam Langley7e7e6b62021-12-06 13:04:07 -0800[diff] [blame]8145 // *.example5.com is a SAN in the certificate, which is a normal and valid
8146 // wildcard.
David Benjaminc3c540b2021-12-08 15:12:51 -0500[diff] [blame]8147 {cert.get(), "abc.example5.com", 0, true},
Adam Langley7e7e6b62021-12-06 13:04:07 -0800[diff] [blame]8148 // This name is not present.
David Benjaminc3c540b2021-12-08 15:12:51 -0500[diff] [blame]8149 {cert.get(), "notexample1.com", 0, false},
Adam Langley7e7e6b62021-12-06 13:04:07 -0800[diff] [blame]8150 // The IPv4 address 1.2.3.4 is a SAN, but that shouldn't match against a
8151 // hostname that happens to be its textual representation.
David Benjaminc3c540b2021-12-08 15:12:51 -0500[diff] [blame]8152 {cert.get(), "1.2.3.4", 0, false},
Adam Langley7e7e6b62021-12-06 13:04:07 -0800[diff] [blame]8153 };
8154
Adam Langley7e7e6b62021-12-06 13:04:07 -0800[diff] [blame]8155 for (const TestCase &test : kTests) {
8156 SCOPED_TRACE(test.hostname);
David Benjaminc3c540b2021-12-08 15:12:51 -0500[diff] [blame]8157
8158 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
8159 ASSERT_TRUE(server_ctx);
8160 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), test.cert));
8161 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
8162
8163 ClientConfig config;
8164 bssl::UniquePtr<SSL> client, server;
Adam Langley7e7e6b62021-12-06 13:04:07 -0800[diff] [blame]8165 config.verify_hostname = test.hostname;
8166 config.hostflags = test.flags;
8167 EXPECT_EQ(test.should_match,
8168 ConnectClientAndServer(&client, &server, client_ctx.get(),
8169 server_ctx.get(), config));
8170 }
8171}
8172
David Benjamin3f180b82022-05-09 17:45:18 -0400[diff] [blame]8173TEST(SSLTest, NumTickets) {
8174 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
8175 ASSERT_TRUE(server_ctx);
8176 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
8177 ASSERT_TRUE(client_ctx);
8178 bssl::UniquePtr<X509> cert = GetTestCertificate();
8179 ASSERT_TRUE(cert);
8180 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
8181 ASSERT_TRUE(key);
8182 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
8183 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
8184 SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH);
8185
8186 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
8187 static size_t ticket_count;
8188 SSL_CTX_sess_set_new_cb(client_ctx.get(), [](SSL *, SSL_SESSION *) -> int {
8189 ticket_count++;
8190 return 0;
8191 });
8192
8193 auto count_tickets = [&]() -> size_t {
8194 ticket_count = 0;
8195 bssl::UniquePtr<SSL> client, server;
8196 if (!ConnectClientAndServer(&client, &server, client_ctx.get(),
8197 server_ctx.get()) ||
8198 !FlushNewSessionTickets(client.get(), server.get())) {
8199 ADD_FAILURE() << "Could not run handshake";
8200 return 0;
8201 }
8202 return ticket_count;
8203 };
8204
8205 // By default, we should send two tickets.
8206 EXPECT_EQ(count_tickets(), 2u);
8207
8208 for (size_t num_tickets : {0, 1, 2, 3, 4, 5}) {
8209 SCOPED_TRACE(num_tickets);
8210 ASSERT_TRUE(SSL_CTX_set_num_tickets(server_ctx.get(), num_tickets));
David Benjamin5697a922022-07-21 10:35:59 -0700[diff] [blame]8211 EXPECT_EQ(SSL_CTX_get_num_tickets(server_ctx.get()), num_tickets);
David Benjamin3f180b82022-05-09 17:45:18 -0400[diff] [blame]8212 EXPECT_EQ(count_tickets(), num_tickets);
8213 }
8214
8215 // Configuring too many tickets causes us to stop at some point.
8216 ASSERT_TRUE(SSL_CTX_set_num_tickets(server_ctx.get(), 100000));
David Benjamin5697a922022-07-21 10:35:59 -0700[diff] [blame]8217 EXPECT_EQ(SSL_CTX_get_num_tickets(server_ctx.get()), 16u);
David Benjamin3f180b82022-05-09 17:45:18 -0400[diff] [blame]8218 EXPECT_EQ(count_tickets(), 16u);
8219}
8220
David Benjamin955ef792022-06-13 13:16:43 -0400[diff] [blame]8221TEST(SSLTest, CertSubjectsToStack) {
8222 const std::string kCert1 = R"(
8223-----BEGIN CERTIFICATE-----
8224MIIBzzCCAXagAwIBAgIJANlMBNpJfb/rMAkGByqGSM49BAEwRTELMAkGA1UEBhMC
8225QVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdp
8226dHMgUHR5IEx0ZDAeFw0xNDA0MjMyMzIxNTdaFw0xNDA1MjMyMzIxNTdaMEUxCzAJ
8227BgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5l
8228dCBXaWRnaXRzIFB0eSBMdGQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATmK2ni
8229v2Wfl74vHg2UikzVl2u3qR4NRvvdqakendy6WgHn1peoChj5w8SjHlbifINI2xYa
8230HPUdfvGULUvPciLBo1AwTjAdBgNVHQ4EFgQUq4TSrKuV8IJOFngHVVdf5CaNgtEw
8231HwYDVR0jBBgwFoAUq4TSrKuV8IJOFngHVVdf5CaNgtEwDAYDVR0TBAUwAwEB/zAJ
8232BgcqhkjOPQQBA0gAMEUCIQDyoDVeUTo2w4J5m+4nUIWOcAZ0lVfSKXQA9L4Vh13E
8233BwIgfB55FGohg/B6dGh5XxSZmmi08cueFV7mHzJSYV51yRQ=
8234-----END CERTIFICATE-----
8235)";
8236 const std::vector<uint8_t> kName1 = {
8237 0x30, 0x45, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
8238 0x02, 0x41, 0x55, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
8239 0x0c, 0x0a, 0x53, 0x6f, 0x6d, 0x65, 0x2d, 0x53, 0x74, 0x61, 0x74, 0x65,
8240 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x18, 0x49,
8241 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x20, 0x57, 0x69, 0x64, 0x67,
8242 0x69, 0x74, 0x73, 0x20, 0x50, 0x74, 0x79, 0x20, 0x4c, 0x74, 0x64};
8243 const std::string kCert2 = R"(
8244-----BEGIN CERTIFICATE-----
8245MIICXjCCAcegAwIBAgIIWjO48ufpunYwDQYJKoZIhvcNAQELBQAwNjEaMBgGA1UE
8246ChMRQm9yaW5nU1NMIFRFU1RJTkcxGDAWBgNVBAMTD0ludGVybWVkaWF0ZSBDQTAg
8247Fw0xNTAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowMjEaMBgGA1UEChMRQm9y
8248aW5nU1NMIFRFU1RJTkcxFDASBgNVBAMTC2V4YW1wbGUuY29tMIGfMA0GCSqGSIb3
8249DQEBAQUAA4GNADCBiQKBgQDD0U0ZYgqShJ7oOjsyNKyVXEHqeafmk/bAoPqY/h1c
8250oPw2E8KmeqiUSoTPjG5IXSblOxcqpbAXgnjPzo8DI3GNMhAf8SYNYsoH7gc7Uy7j
82515x8bUrisGnuTHqkqH6d4/e7ETJ7i3CpR8bvK16DggEvQTudLipz8FBHtYhFakfdh
8252TwIDAQABo3cwdTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEG
8253CCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwGQYDVR0OBBIEEKN5pvbur7mlXjeMEYA0
82544nUwGwYDVR0jBBQwEoAQjBpoqLV2211Xex+NFLIGozANBgkqhkiG9w0BAQsFAAOB
8255gQBj/p+JChp//LnXWC1k121LM/ii7hFzQzMrt70bny406SGz9jAjaPOX4S3gt38y
8256rhjpPukBlSzgQXFg66y6q5qp1nQTD1Cw6NkKBe9WuBlY3iYfmsf7WT8nhlT1CttU
8257xNCwyMX9mtdXdQicOfNjIGUCD5OLV5PgHFPRKiHHioBAhg==
8258-----END CERTIFICATE-----
8259)";
8260 const std::vector<uint8_t> kName2 = {
8261 0x30, 0x32, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0a,
8262 0x13, 0x11, 0x42, 0x6f, 0x72, 0x69, 0x6e, 0x67, 0x53, 0x53, 0x4c,
8263 0x20, 0x54, 0x45, 0x53, 0x54, 0x49, 0x4e, 0x47, 0x31, 0x14, 0x30,
8264 0x12, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x0b, 0x65, 0x78, 0x61,
8265 0x6d, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d};
8266
8267 const struct {
8268 std::vector<std::vector<uint8_t>> existing;
8269 std::string pem;
8270 std::vector<std::vector<uint8_t>> expected;
8271 } kTests[] = {
8272 // Do nothing.
8273 {{}, "", {}},
8274 // Append to an empty list, skipping duplicates.
8275 {{}, kCert1 + kCert2 + kCert1, {kName1, kName2}},
8276 // One of the names was already present.
8277 {{kName1}, kCert1 + kCert2, {kName1, kName2}},
8278 // Both names were already present.
8279 {{kName1, kName2}, kCert1 + kCert2, {kName1, kName2}},
8280 // Preserve existing duplicates.
8281 {{kName1, kName2, kName2}, kCert1 + kCert2, {kName1, kName2, kName2}},
8282 };
8283 for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kTests); i++) {
8284 SCOPED_TRACE(i);
8285 const auto &t = kTests[i];
8286
8287 bssl::UniquePtr<STACK_OF(X509_NAME)> stack(sk_X509_NAME_new_null());
8288 ASSERT_TRUE(stack);
8289 for (const auto& name : t.existing) {
8290 const uint8_t *inp = name.data();
8291 bssl::UniquePtr<X509_NAME> name_obj(
8292 d2i_X509_NAME(nullptr, &inp, name.size()));
8293 ASSERT_TRUE(name_obj);
8294 EXPECT_EQ(inp, name.data() + name.size());
8295 ASSERT_TRUE(bssl::PushToStack(stack.get(), std::move(name_obj)));
8296 }
8297
8298 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(t.pem.data(), t.pem.size()));
8299 ASSERT_TRUE(bio);
8300 ASSERT_TRUE(SSL_add_bio_cert_subjects_to_stack(stack.get(), bio.get()));
8301
8302 // The function should have left |stack|'s comparison function alone.
8303 EXPECT_EQ(nullptr, sk_X509_NAME_set_cmp_func(stack.get(), nullptr));
8304
8305 std::vector<std::vector<uint8_t>> expected = t.expected, result;
8306 for (X509_NAME *name : stack.get()) {
8307 uint8_t *der = nullptr;
8308 int der_len = i2d_X509_NAME(name, &der);
8309 ASSERT_GE(der_len, 0);
8310 result.push_back(std::vector<uint8_t>(der, der + der_len));
8311 OPENSSL_free(der);
8312 }
8313
8314 // |SSL_add_bio_cert_subjects_to_stack| does not return the output in a
8315 // well-defined order.
8316 std::sort(expected.begin(), expected.end());
8317 std::sort(result.begin(), result.end());
8318 EXPECT_EQ(result, expected);
8319 }
8320}
8321
David Benjamin4da5a942022-08-02 14:39:44 -0700[diff] [blame]8322#if defined(OPENSSL_LINUX) || defined(OPENSSL_APPLE)
8323TEST(SSLTest, EmptyClientCAList) {
8324 // Use /dev/null on POSIX systems as an empty file.
8325 bssl::UniquePtr<STACK_OF(X509_NAME)> names(
8326 SSL_load_client_CA_file("/dev/null"));
8327 EXPECT_FALSE(names);
8328}
8329#endif // OPENSSL_LINUX || OPENSSL_APPLE
8330
David Benjaminb95c7e52022-07-22 16:28:22 -0700[diff] [blame]8331TEST(SSLTest, EmptyWriteBlockedOnHandshakeData) {
8332 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
8333 bssl::UniquePtr<SSL_CTX> server_ctx =
8334 CreateContextWithTestCertificate(TLS_method());
8335 ASSERT_TRUE(client_ctx);
8336 ASSERT_TRUE(server_ctx);
8337 // Configure only TLS 1.3. This test requires post-handshake NewSessionTicket.
8338 ASSERT_TRUE(SSL_CTX_set_min_proto_version(client_ctx.get(), TLS1_3_VERSION));
8339 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION));
8340
8341 // Connect a client and server with tiny buffer between the two.
8342 bssl::UniquePtr<SSL> client(SSL_new(client_ctx.get())),
8343 server(SSL_new(server_ctx.get()));
8344 ASSERT_TRUE(client);
8345 ASSERT_TRUE(server);
8346 SSL_set_connect_state(client.get());
8347 SSL_set_accept_state(server.get());
8348 BIO *bio1, *bio2;
8349 ASSERT_TRUE(BIO_new_bio_pair(&bio1, 1, &bio2, 1));
8350 SSL_set_bio(client.get(), bio1, bio1);
8351 SSL_set_bio(server.get(), bio2, bio2);
8352 ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
8353
8354 // We defer NewSessionTicket to the first write, so the server has a pending
8355 // NewSessionTicket. See https://boringssl-review.googlesource.com/34948. This
8356 // means an empty write will flush the ticket. However, the transport only
8357 // allows one byte through, so this will fail with |SSL_ERROR_WANT_WRITE|.
8358 int ret = SSL_write(server.get(), nullptr, 0);
8359 ASSERT_EQ(ret, -1);
8360 ASSERT_EQ(SSL_get_error(server.get(), ret), SSL_ERROR_WANT_WRITE);
8361
8362 // Attempting to write non-zero data should not trip |SSL_R_BAD_WRITE_RETRY|.
8363 const uint8_t kData[] = {'h', 'e', 'l', 'l', 'o'};
8364 ret = SSL_write(server.get(), kData, sizeof(kData));
8365 ASSERT_EQ(ret, -1);
8366 ASSERT_EQ(SSL_get_error(server.get(), ret), SSL_ERROR_WANT_WRITE);
8367
8368 // Byte by byte, the data should eventually get through.
8369 uint8_t buf[sizeof(kData)];
8370 for (;;) {
8371 ret = SSL_read(client.get(), buf, sizeof(buf));
8372 ASSERT_EQ(ret, -1);
8373 ASSERT_EQ(SSL_get_error(client.get(), ret), SSL_ERROR_WANT_READ);
8374
8375 ret = SSL_write(server.get(), kData, sizeof(kData));
8376 if (ret > 0) {
8377 ASSERT_EQ(ret, 5);
8378 break;
8379 }
8380 ASSERT_EQ(ret, -1);
8381 ASSERT_EQ(SSL_get_error(server.get(), ret), SSL_ERROR_WANT_WRITE);
8382 }
8383
8384 ret = SSL_read(client.get(), buf, sizeof(buf));
8385 ASSERT_EQ(ret, static_cast<int>(sizeof(kData)));
8386 ASSERT_EQ(Bytes(buf, ret), Bytes(kData));
8387}
8388
David Benjamin5cb597e2022-07-27 18:34:39 -0700[diff] [blame]8389// Test that |SSL_ERROR_SYSCALL| continues to work after a close_notify.
8390TEST(SSLTest, ErrorSyscallAfterCloseNotify) {
8391 // Make a custom |BIO| where writes fail, but without pushing to the error
8392 // queue.
8393 bssl::UniquePtr<BIO_METHOD> method(BIO_meth_new(0, nullptr));
8394 ASSERT_TRUE(method);
8395 BIO_meth_set_create(method.get(), [](BIO *b) -> int {
8396 BIO_set_init(b, 1);
8397 return 1;
8398 });
8399 static bool write_failed = false;
8400 BIO_meth_set_write(method.get(), [](BIO *, const char *, int) -> int {
8401 // Fail the operation and don't add to the error queue.
8402 write_failed = true;
8403 return -1;
8404 });
8405 bssl::UniquePtr<BIO> wbio_silent_error(BIO_new(method.get()));
8406 ASSERT_TRUE(wbio_silent_error);
8407
8408 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
8409 bssl::UniquePtr<SSL_CTX> server_ctx =
8410 CreateContextWithTestCertificate(TLS_method());
8411 ASSERT_TRUE(client_ctx);
8412 ASSERT_TRUE(server_ctx);
8413 bssl::UniquePtr<SSL> client, server;
8414 EXPECT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
8415 server_ctx.get()));
8416
8417 // Replace the write |BIO| with |wbio_silent_error|.
8418 SSL_set0_wbio(client.get(), wbio_silent_error.release());
8419
8420 // Writes should fail. There is nothing in the error queue, so
8421 // |SSL_ERROR_SYSCALL| indicates the caller needs to check out-of-band.
8422 const uint8_t data[1] = {0};
8423 int ret = SSL_write(client.get(), data, sizeof(data));
8424 EXPECT_EQ(ret, -1);
8425 EXPECT_EQ(SSL_get_error(client.get(), ret), SSL_ERROR_SYSCALL);
8426 EXPECT_TRUE(write_failed);
8427 write_failed = false;
8428
8429 // Send a close_notify from the server. It should return 0 because
8430 // close_notify was sent, but not received. Confusingly, this is a success
8431 // output for |SSL_shutdown|'s API.
8432 EXPECT_EQ(SSL_shutdown(server.get()), 0);
8433
8434 // Read the close_notify on the client.
8435 uint8_t buf[1];
8436 ret = SSL_read(client.get(), buf, sizeof(buf));
8437 EXPECT_EQ(ret, 0);
8438 EXPECT_EQ(SSL_get_error(client.get(), ret), SSL_ERROR_ZERO_RETURN);
8439
David Benjaminebd8b892022-07-27 18:41:51 -0700[diff] [blame]8440 // Further calls to |SSL_read| continue to report |SSL_ERROR_ZERO_RETURN|.
8441 ret = SSL_read(client.get(), buf, sizeof(buf));
8442 EXPECT_EQ(ret, 0);
8443 EXPECT_EQ(SSL_get_error(client.get(), ret), SSL_ERROR_ZERO_RETURN);
8444
David Benjamin5cb597e2022-07-27 18:34:39 -0700[diff] [blame]8445 // Although the client has seen close_notify, it should continue to report
8446 // |SSL_ERROR_SYSCALL| when its writes fail.
8447 ret = SSL_write(client.get(), data, sizeof(data));
8448 EXPECT_EQ(ret, -1);
8449 EXPECT_EQ(SSL_get_error(client.get(), ret), SSL_ERROR_SYSCALL);
8450 EXPECT_TRUE(write_failed);
8451 write_failed = false;
David Benjaminebd8b892022-07-27 18:41:51 -0700[diff] [blame]8452
8453 // Cause |BIO_write| to fail with a return value of zero instead.
8454 // |SSL_get_error| should not misinterpret this as a close_notify.
8455 //
8456 // This is not actually a correct implementation of |BIO_write|, but the rest
8457 // of the code treats zero from |BIO_write| as an error, so ensure it does so
8458 // correctly. Fixing https://crbug.com/boringssl/503 will make this case moot.
8459 BIO_meth_set_write(method.get(), [](BIO *, const char *, int) -> int {
8460 write_failed = true;
8461 return 0;
8462 });
8463 ret = SSL_write(client.get(), data, sizeof(data));
8464 EXPECT_EQ(ret, 0);
8465 EXPECT_EQ(SSL_get_error(client.get(), ret), SSL_ERROR_SYSCALL);
8466 EXPECT_TRUE(write_failed);
8467 write_failed = false;
David Benjamin5cb597e2022-07-27 18:34:39 -0700[diff] [blame]8468}
8469
David Benjamin401137f2022-07-28 10:27:47 -0700[diff] [blame]8470// Test that |SSL_shutdown|, when quiet shutdown is enabled, simulates receiving
8471// a close_notify, down to |SSL_read| reporting |SSL_ERROR_ZERO_RETURN|.
8472TEST(SSLTest, QuietShutdown) {
8473 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
8474 bssl::UniquePtr<SSL_CTX> server_ctx =
8475 CreateContextWithTestCertificate(TLS_method());
8476 ASSERT_TRUE(client_ctx);
8477 ASSERT_TRUE(server_ctx);
8478 SSL_CTX_set_quiet_shutdown(server_ctx.get(), 1);
8479 bssl::UniquePtr<SSL> client, server;
8480 EXPECT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
8481 server_ctx.get()));
8482
8483 // Quiet shutdown is enabled, so |SSL_shutdown| on the server should
8484 // immediately return that bidirectional shutdown "completed".
8485 EXPECT_EQ(SSL_shutdown(server.get()), 1);
8486
8487 // Shut down writes so the client gets an EOF.
8488 EXPECT_TRUE(BIO_shutdown_wr(SSL_get_wbio(server.get())));
8489
8490 // Confirm no close notify was actually sent. Client reads should report a
8491 // transport EOF, not a close_notify. (Both have zero return, but
8492 // |SSL_get_error| is different.)
8493 char buf[1];
8494 int ret = SSL_read(client.get(), buf, sizeof(buf));
8495 EXPECT_EQ(ret, 0);
8496 EXPECT_EQ(SSL_get_error(client.get(), ret), SSL_ERROR_SYSCALL);
8497
8498 // The server believes bidirectional shutdown completed, so reads should
8499 // replay the (simulated) close_notify.
8500 ret = SSL_read(server.get(), buf, sizeof(buf));
8501 EXPECT_EQ(ret, 0);
8502 EXPECT_EQ(SSL_get_error(server.get(), ret), SSL_ERROR_ZERO_RETURN);
8503}
8504
David Benjamin3a1b7302022-11-29 18:44:46 -0500[diff] [blame]8505TEST(SSLTest, InvalidSignatureAlgorithm) {
8506 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
8507 ASSERT_TRUE(ctx);
8508
8509 static const uint16_t kInvalidPrefs[] = {1234};
8510 EXPECT_FALSE(SSL_CTX_set_signing_algorithm_prefs(
8511 ctx.get(), kInvalidPrefs, OPENSSL_ARRAY_SIZE(kInvalidPrefs)));
8512 EXPECT_FALSE(SSL_CTX_set_verify_algorithm_prefs(
8513 ctx.get(), kInvalidPrefs, OPENSSL_ARRAY_SIZE(kInvalidPrefs)));
8514
8515 static const uint16_t kDuplicatePrefs[] = {SSL_SIGN_RSA_PKCS1_SHA256,
8516 SSL_SIGN_RSA_PKCS1_SHA256};
8517 EXPECT_FALSE(SSL_CTX_set_signing_algorithm_prefs(
8518 ctx.get(), kDuplicatePrefs, OPENSSL_ARRAY_SIZE(kDuplicatePrefs)));
8519 EXPECT_FALSE(SSL_CTX_set_verify_algorithm_prefs(
8520 ctx.get(), kDuplicatePrefs, OPENSSL_ARRAY_SIZE(kDuplicatePrefs)));
8521}
8522
Martin Kreichgauer72912d22017-08-04 12:06:43 -0700[diff] [blame]8523} // namespace
Joshua Liebow-Feeser8c7c6352018-08-26 18:53:36 -0700[diff] [blame]8524BSSL_NAMESPACE_END