Google Git
Sign in
boringssl / boringssl.git / e664a534afc3a03a14190328557fa88341a60300 / . / ssl / ssl_test.cc
blob: 48e21810f67cec92cdd796d74317944c37dc7d20 [file] [log] [blame]
David Benjamin2e521212014-07-16 14:37:51 -0400[diff] [blame]1/* Copyright (c) 2014, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15#include <stdio.h>
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]16#include <string.h>
David Benjamin1269ddd2015-10-18 15:18:55 -0400[diff] [blame]17#include <time.h>
David Benjamin2e521212014-07-16 14:37:51 -0400[diff] [blame]18
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]19#include <algorithm>
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]20#include <string>
David Benjamin4f6acaf2015-11-21 03:00:50 -0500[diff] [blame]21#include <utility>
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]22#include <vector>
23
David Benjamin96628432017-01-19 19:05:47 -0500[diff] [blame]24#include <gtest/gtest.h>
25
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]26#include <openssl/base64.h>
27#include <openssl/bio.h>
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]28#include <openssl/cipher.h>
David Benjamin7a1eefd2015-10-17 23:39:22 -0400[diff] [blame]29#include <openssl/crypto.h>
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]30#include <openssl/err.h>
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]31#include <openssl/hmac.h>
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]32#include <openssl/pem.h>
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]33#include <openssl/sha.h>
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]34#include <openssl/ssl.h>
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]35#include <openssl/rand.h>
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]36#include <openssl/x509.h>
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]37
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]38#include "internal.h"
Steven Valdezcb966542016-08-17 16:56:14 -0400[diff] [blame]39#include "../crypto/internal.h"
Sigbjorn Vik2b23d242015-06-29 15:07:26 +0200[diff] [blame]40#include "../crypto/test/test_util.h"
41
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]42#if defined(OPENSSL_WINDOWS)
43/* Windows defines struct timeval in winsock2.h. */
44OPENSSL_MSVC_PRAGMA(warning(push, 3))
45#include <winsock2.h>
46OPENSSL_MSVC_PRAGMA(warning(pop))
47#else
48#include <sys/time.h>
49#endif
50
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]51
52struct ExpectedCipher {
53 unsigned long id;
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]54 int in_group_flag;
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]55};
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]56
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]57struct CipherTest {
58 // The rule string to apply.
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]59 const char *rule;
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]60 // The list of expected ciphers, in order.
61 std::vector<ExpectedCipher> expected;
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]62 // True if this cipher list should fail in strict mode.
63 bool strict_fail;
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]64};
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]65
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]66struct CurveTest {
67 // The rule string to apply.
68 const char *rule;
69 // The list of expected curves, in order.
70 std::vector<uint16_t> expected;
71};
72
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]73static const CipherTest kCipherTests[] = {
74 // Selecting individual ciphers should work.
75 {
76 "ECDHE-ECDSA-CHACHA20-POLY1305:"
77 "ECDHE-RSA-CHACHA20-POLY1305:"
78 "ECDHE-ECDSA-AES128-GCM-SHA256:"
79 "ECDHE-RSA-AES128-GCM-SHA256",
80 {
81 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]82 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]83 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
84 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
85 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]86 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]87 },
88 // + reorders selected ciphers to the end, keeping their relative order.
89 {
90 "ECDHE-ECDSA-CHACHA20-POLY1305:"
91 "ECDHE-RSA-CHACHA20-POLY1305:"
92 "ECDHE-ECDSA-AES128-GCM-SHA256:"
93 "ECDHE-RSA-AES128-GCM-SHA256:"
94 "+aRSA",
95 {
96 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]97 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
98 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]99 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
100 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]101 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]102 },
103 // ! banishes ciphers from future selections.
104 {
105 "!aRSA:"
106 "ECDHE-ECDSA-CHACHA20-POLY1305:"
107 "ECDHE-RSA-CHACHA20-POLY1305:"
108 "ECDHE-ECDSA-AES128-GCM-SHA256:"
109 "ECDHE-RSA-AES128-GCM-SHA256",
110 {
111 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]112 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
113 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]114 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]115 },
116 // Multiple masks can be ANDed in a single rule.
117 {
118 "kRSA+AESGCM+AES128",
119 {
120 {TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0},
121 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]122 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]123 },
124 // - removes selected ciphers, but preserves their order for future
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]125 // selections. Select AES_128_GCM, but order the key exchanges RSA,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]126 // ECDHE_RSA.
127 {
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]128 "ALL:-kECDHE:"
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]129 "-kRSA:-ALL:"
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]130 "AESGCM+AES128+aRSA",
131 {
132 {TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]133 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
134 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]135 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]136 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]137 // Unknown selectors are no-ops, except in strict mode.
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]138 {
139 "ECDHE-ECDSA-CHACHA20-POLY1305:"
140 "ECDHE-RSA-CHACHA20-POLY1305:"
141 "ECDHE-ECDSA-AES128-GCM-SHA256:"
142 "ECDHE-RSA-AES128-GCM-SHA256:"
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]143 "BOGUS1",
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]144 {
145 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]146 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]147 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
148 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
149 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]150 true,
151 },
152 // Unknown selectors are no-ops, except in strict mode.
153 {
154 "ECDHE-ECDSA-CHACHA20-POLY1305:"
155 "ECDHE-RSA-CHACHA20-POLY1305:"
156 "ECDHE-ECDSA-AES128-GCM-SHA256:"
157 "ECDHE-RSA-AES128-GCM-SHA256:"
158 "-BOGUS2:+BOGUS3:!BOGUS4",
159 {
160 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
161 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
162 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
163 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
164 },
165 true,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]166 },
167 // Square brackets specify equi-preference groups.
168 {
169 "[ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES128-GCM-SHA256]:"
170 "[ECDHE-RSA-CHACHA20-POLY1305]:"
171 "ECDHE-RSA-AES128-GCM-SHA256",
172 {
173 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 1},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]174 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
Adam Langley2e839242017-01-19 15:12:44 -0800[diff] [blame]175 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]176 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
177 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]178 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]179 },
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]180 // Standard names may be used instead of OpenSSL names.
181 {
182 "[TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|"
David Benjaminbf5f1922017-07-01 11:13:53 -0400[diff] [blame]183 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]:"
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]184 "[TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256]:"
185 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
186 {
187 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 1},
188 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
189 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
190 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
191 },
192 false,
193 },
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]194 // @STRENGTH performs a stable strength-sort of the selected ciphers and
195 // only the selected ciphers.
196 {
197 // To simplify things, banish all but {ECDHE_RSA,RSA} x
Matthew Braithwaite8aaa9e12016-09-07 15:09:58 -0700[diff] [blame]198 // {CHACHA20,AES_256_CBC,AES_128_CBC} x SHA1.
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]199 "!AESGCM:!3DES:!SHA256:!SHA384:"
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]200 // Order some ciphers backwards by strength.
Matthew Braithwaite8aaa9e12016-09-07 15:09:58 -0700[diff] [blame]201 "ALL:-CHACHA20:-AES256:-AES128:-ALL:"
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]202 // Select ECDHE ones and sort them by strength. Ties should resolve
203 // based on the order above.
204 "kECDHE:@STRENGTH:-ALL:"
205 // Now bring back everything uses RSA. ECDHE_RSA should be first, sorted
206 // by strength. Then RSA, backwards by strength.
207 "aRSA",
208 {
209 {TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, 0},
210 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]211 {TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, 0},
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]212 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
213 {TLS1_CK_RSA_WITH_AES_256_SHA, 0},
214 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]215 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]216 },
David Benjaminbf5f1922017-07-01 11:13:53 -0400[diff] [blame]217 // Additional masks after @STRENGTH get silently discarded.
218 //
219 // TODO(davidben): Make this an error. If not silently discarded, they get
220 // interpreted as + opcodes which are very different.
221 {
222 "ECDHE-RSA-AES128-GCM-SHA256:"
223 "ECDHE-RSA-AES256-GCM-SHA384:"
224 "@STRENGTH+AES256",
225 {
226 {TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 0},
227 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
228 },
229 false,
230 },
231 {
232 "ECDHE-RSA-AES128-GCM-SHA256:"
233 "ECDHE-RSA-AES256-GCM-SHA384:"
234 "@STRENGTH+AES256:"
235 "ECDHE-RSA-CHACHA20-POLY1305",
236 {
237 {TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 0},
238 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
239 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
240 },
241 false,
242 },
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]243 // Exact ciphers may not be used in multi-part rules; they are treated
244 // as unknown aliases.
245 {
246 "ECDHE-ECDSA-AES128-GCM-SHA256:"
247 "ECDHE-RSA-AES128-GCM-SHA256:"
248 "!ECDHE-RSA-AES128-GCM-SHA256+RSA:"
249 "!ECDSA+ECDHE-ECDSA-AES128-GCM-SHA256",
250 {
251 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
252 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
253 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]254 true,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]255 },
256 // SSLv3 matches everything that existed before TLS 1.2.
257 {
258 "AES128-SHA:AES128-SHA256:!SSLv3",
259 {
260 {TLS1_CK_RSA_WITH_AES_128_SHA256, 0},
261 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]262 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]263 },
264 // TLSv1.2 matches everything added in TLS 1.2.
265 {
266 "AES128-SHA:AES128-SHA256:!TLSv1.2",
267 {
268 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
269 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]270 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]271 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]272 // The two directives have no intersection. But each component is valid, so
273 // even in strict mode it is accepted.
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]274 {
275 "AES128-SHA:AES128-SHA256:!TLSv1.2+SSLv3",
276 {
277 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
278 {TLS1_CK_RSA_WITH_AES_128_SHA256, 0},
279 },
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]280 false,
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]281 },
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]282};
283
284static const char *kBadRules[] = {
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]285 // Invalid brackets.
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]286 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256",
287 "RSA]",
288 "[[RSA]]",
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]289 // Operators inside brackets.
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]290 "[+RSA]",
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]291 // Unknown directive.
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]292 "@BOGUS",
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]293 // Empty cipher lists error at SSL_CTX_set_cipher_list.
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]294 "",
295 "BOGUS",
David Benjamin32fbdf22015-04-07 01:14:06 -0400[diff] [blame]296 // COMPLEMENTOFDEFAULT is empty.
297 "COMPLEMENTOFDEFAULT",
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]298 // Invalid command.
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]299 "?BAR",
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]300 // Special operators are not allowed if groups are used.
David Benjamin37d92462014-09-20 17:54:24 -0400[diff] [blame]301 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:+FOO",
302 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:!FOO",
303 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:-FOO",
304 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:@STRENGTH",
Adam Langleyf99f2442016-10-02 09:53:38 -0700[diff] [blame]305 // Opcode supplied, but missing selector.
306 "+",
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]307};
308
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]309static const char *kMustNotIncludeNull[] = {
310 "ALL",
311 "DEFAULT",
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]312 "HIGH",
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]313 "FIPS",
314 "SHA",
315 "SHA1",
316 "RSA",
317 "SSLv3",
318 "TLSv1",
319 "TLSv1.2",
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]320};
321
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]322static const CurveTest kCurveTests[] = {
323 {
324 "P-256",
325 { SSL_CURVE_SECP256R1 },
326 },
327 {
328 "P-256:P-384:P-521:X25519",
329 {
330 SSL_CURVE_SECP256R1,
331 SSL_CURVE_SECP384R1,
332 SSL_CURVE_SECP521R1,
333 SSL_CURVE_X25519,
334 },
335 },
336};
337
338static const char *kBadCurvesLists[] = {
339 "",
340 ":",
341 "::",
342 "P-256::X25519",
343 "RSA:P-256",
344 "P-256:RSA",
345 "X25519:P-256:",
346 ":X25519:P-256",
347};
348
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]349static std::string CipherListToString(ssl_cipher_preference_list_st *list) {
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]350 bool in_group = false;
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]351 std::string ret;
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]352 for (size_t i = 0; i < sk_SSL_CIPHER_num(list->ciphers); i++) {
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]353 const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(list->ciphers, i);
354 if (!in_group && list->in_group_flags[i]) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]355 ret += "\t[\n";
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]356 in_group = true;
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]357 }
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]358 ret += "\t";
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]359 if (in_group) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]360 ret += " ";
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]361 }
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]362 ret += SSL_CIPHER_get_name(cipher);
363 ret += "\n";
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]364 if (in_group && !list->in_group_flags[i]) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]365 ret += "\t]\n";
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]366 in_group = false;
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]367 }
368 }
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]369 return ret;
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]370}
371
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]372static bool CipherListsEqual(ssl_cipher_preference_list_st *list,
373 const std::vector<ExpectedCipher> &expected) {
374 if (sk_SSL_CIPHER_num(list->ciphers) != expected.size()) {
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]375 return false;
David Benjamin65226252015-02-05 16:49:47 -0500[diff] [blame]376 }
377
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]378 for (size_t i = 0; i < expected.size(); i++) {
379 const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(list->ciphers, i);
380 if (expected[i].id != SSL_CIPHER_get_id(cipher) ||
381 expected[i].in_group_flag != list->in_group_flags[i]) {
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]382 return false;
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]383 }
384 }
385
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]386 return true;
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]387}
388
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]389TEST(SSLTest, CipherRules) {
390 for (const CipherTest &t : kCipherTests) {
391 SCOPED_TRACE(t.rule);
392 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
393 ASSERT_TRUE(ctx);
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]394
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]395 // Test lax mode.
396 ASSERT_TRUE(SSL_CTX_set_cipher_list(ctx.get(), t.rule));
397 EXPECT_TRUE(CipherListsEqual(ctx->cipher_list, t.expected))
398 << "Cipher rule evaluated to:\n"
399 << CipherListToString(ctx->cipher_list);
400
401 // Test strict mode.
402 if (t.strict_fail) {
403 EXPECT_FALSE(SSL_CTX_set_strict_cipher_list(ctx.get(), t.rule));
404 } else {
405 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(ctx.get(), t.rule));
406 EXPECT_TRUE(CipherListsEqual(ctx->cipher_list, t.expected))
407 << "Cipher rule evaluated to:\n"
408 << CipherListToString(ctx->cipher_list);
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]409 }
410 }
411
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]412 for (const char *rule : kBadRules) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]413 SCOPED_TRACE(rule);
414 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
415 ASSERT_TRUE(ctx);
416
417 EXPECT_FALSE(SSL_CTX_set_cipher_list(ctx.get(), rule));
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]418 ERR_clear_error();
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]419 }
420
David Benjaminfb974e62015-12-16 19:34:22 -0500[diff] [blame]421 for (const char *rule : kMustNotIncludeNull) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]422 SCOPED_TRACE(rule);
423 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
424 ASSERT_TRUE(ctx);
425
426 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(ctx.get(), rule));
427 for (size_t i = 0; i < sk_SSL_CIPHER_num(ctx->cipher_list->ciphers); i++) {
428 EXPECT_FALSE(SSL_CIPHER_is_NULL(
429 sk_SSL_CIPHER_value(ctx->cipher_list->ciphers, i)));
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]430 }
431 }
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]432}
David Benjamin2e521212014-07-16 14:37:51 -0400[diff] [blame]433
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]434TEST(SSLTest, CurveRules) {
435 for (const CurveTest &t : kCurveTests) {
436 SCOPED_TRACE(t.rule);
437 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
438 ASSERT_TRUE(ctx);
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]439
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]440 ASSERT_TRUE(SSL_CTX_set1_curves_list(ctx.get(), t.rule));
441 ASSERT_EQ(t.expected.size(), ctx->supported_group_list_len);
442 for (size_t i = 0; i < t.expected.size(); i++) {
443 EXPECT_EQ(t.expected[i], ctx->supported_group_list[i]);
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]444 }
445 }
446
447 for (const char *rule : kBadCurvesLists) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]448 SCOPED_TRACE(rule);
449 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
450 ASSERT_TRUE(ctx);
451
452 EXPECT_FALSE(SSL_CTX_set1_curves_list(ctx.get(), rule));
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]453 ERR_clear_error();
454 }
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100[diff] [blame]455}
456
Adam Langley364f7a62016-12-12 10:51:00 -0800[diff] [blame]457// kOpenSSLSession is a serialized SSL_SESSION.
Adam Langley10f97f32016-07-12 08:09:33 -0700[diff] [blame]458static const char kOpenSSLSession[] =
Adam Langley364f7a62016-12-12 10:51:00 -0800[diff] [blame]459 "MIIFqgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
Adam Langley10f97f32016-07-12 08:09:33 -0700[diff] [blame]460 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
461 "IWoJoQYCBFRDO46iBAICASyjggR6MIIEdjCCA16gAwIBAgIIK9dUvsPWSlUwDQYJ"
462 "KoZIhvcNAQEFBQAwSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMx"
463 "JTAjBgNVBAMTHEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTQxMDA4"
464 "MTIwNzU3WhcNMTUwMTA2MDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwK"
465 "Q2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29v"
466 "Z2xlIEluYzEXMBUGA1UEAwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEB"
467 "AQUAA4IBDwAwggEKAoIBAQCcKeLrplAC+Lofy8t/wDwtB6eu72CVp0cJ4V3lknN6"
468 "huH9ct6FFk70oRIh/VBNBBz900jYy+7111Jm1b8iqOTQ9aT5C7SEhNcQFJvqzH3e"
469 "MPkb6ZSWGm1yGF7MCQTGQXF20Sk/O16FSjAynU/b3oJmOctcycWYkY0ytS/k3LBu"
470 "Id45PJaoMqjB0WypqvNeJHC3q5JjCB4RP7Nfx5jjHSrCMhw8lUMW4EaDxjaR9KDh"
471 "PLgjsk+LDIySRSRDaCQGhEOWLJZVLzLo4N6/UlctCHEllpBUSvEOyFga52qroGjg"
472 "rf3WOQ925MFwzd6AK+Ich0gDRg8sQfdLH5OuP1cfLfU1AgMBAAGjggFBMIIBPTAd"
473 "BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdv"
474 "b2dsZS5jb20waAYIKwYBBQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtp"
475 "Lmdvb2dsZS5jb20vR0lBRzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50"
476 "czEuZ29vZ2xlLmNvbS9vY3NwMB0GA1UdDgQWBBQ7a+CcxsZByOpc+xpYFcIbnUMZ"
477 "hTAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEv"
478 "MBcGA1UdIAQQMA4wDAYKKwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRw"
479 "Oi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQCa"
480 "OXCBdoqUy5bxyq+Wrh1zsyyCFim1PH5VU2+yvDSWrgDY8ibRGJmfff3r4Lud5kal"
481 "dKs9k8YlKD3ITG7P0YT/Rk8hLgfEuLcq5cc0xqmE42xJ+Eo2uzq9rYorc5emMCxf"
482 "5L0TJOXZqHQpOEcuptZQ4OjdYMfSxk5UzueUhA3ogZKRcRkdB3WeWRp+nYRhx4St"
483 "o2rt2A0MKmY9165GHUqMK9YaaXHDXqBu7Sefr1uSoAP9gyIJKeihMivsGqJ1TD6Z"
484 "cc6LMe+dN2P8cZEQHtD1y296ul4Mivqk3jatUVL8/hCwgch9A8O4PGZq9WqBfEWm"
485 "IyHh1dPtbg1lOXdYCWtjpAIEAKUDAgEUqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36S"
486 "YTcLEkXqKwOBfF9vE4KX0NxeLwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9B"
487 "sNHM362zZnY27GpTw+Kwd751CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yE"
488 "OTDKPNj3+inbMaVigtK4PLyPq+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdA"
Adam Langley364f7a62016-12-12 10:51:00 -0800[diff] [blame]489 "i4gv7Y5oliyntgMBAQA=";
Adam Langley10f97f32016-07-12 08:09:33 -0700[diff] [blame]490
491// kCustomSession is a custom serialized SSL_SESSION generated by
492// filling in missing fields from |kOpenSSLSession|. This includes
493// providing |peer_sha256|, so |peer| is not serialized.
494static const char kCustomSession[] =
495 "MIIBdgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
496 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
497 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
498 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
499 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
500 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
501 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
502 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBLADBAEF";
503
504// kBoringSSLSession is a serialized SSL_SESSION generated from bssl client.
505static const char kBoringSSLSession[] =
506 "MIIRwQIBAQICAwMEAsAvBCDdoGxGK26mR+8lM0uq6+k9xYuxPnwAjpcF9n0Yli9R"
507 "kQQwbyshfWhdi5XQ1++7n2L1qqrcVlmHBPpr6yknT/u4pUrpQB5FZ7vqvNn8MdHf"
508 "9rWgoQYCBFXgs7uiBAICHCCjggR6MIIEdjCCA16gAwIBAgIIf+yfD7Y6UicwDQYJ"
509 "KoZIhvcNAQELBQAwSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMx"
510 "JTAjBgNVBAMTHEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTUwODEy"
511 "MTQ1MzE1WhcNMTUxMTEwMDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwK"
512 "Q2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29v"
513 "Z2xlIEluYzEXMBUGA1UEAwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEB"
514 "AQUAA4IBDwAwggEKAoIBAQC0MeG5YGQ0t+IeJeoneP/PrhEaieibeKYkbKVLNZpo"
515 "PLuBinvhkXZo3DC133NpCBpy6ZktBwamqyixAyuk/NU6OjgXqwwxfQ7di1AInLIU"
516 "792c7hFyNXSUCG7At8Ifi3YwBX9Ba6u/1d6rWTGZJrdCq3QU11RkKYyTq2KT5mce"
517 "Tv9iGKqSkSTlp8puy/9SZ/3DbU3U+BuqCFqeSlz7zjwFmk35acdCilpJlVDDN5C/"
518 "RCh8/UKc8PaL+cxlt531qoTENvYrflBno14YEZlCBZsPiFeUSILpKEj3Ccwhy0eL"
519 "EucWQ72YZU8mUzXBoXGn0zA0crFl5ci/2sTBBGZsylNBAgMBAAGjggFBMIIBPTAd"
520 "BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdv"
521 "b2dsZS5jb20waAYIKwYBBQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtp"
522 "Lmdvb2dsZS5jb20vR0lBRzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50"
523 "czEuZ29vZ2xlLmNvbS9vY3NwMB0GA1UdDgQWBBS/bzHxcE73Q4j3slC4BLbMtLjG"
524 "GjAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEv"
525 "MBcGA1UdIAQQMA4wDAYKKwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRw"
526 "Oi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQAb"
527 "qdWPZEHk0X7iKPCTHL6S3w6q1eR67goxZGFSM1lk1hjwyu7XcLJuvALVV9uY3ovE"
528 "kQZSHwT+pyOPWQhsSjO+1GyjvCvK/CAwiUmBX+bQRGaqHsRcio7xSbdVcajQ3bXd"
529 "X+s0WdbOpn6MStKAiBVloPlSxEI8pxY6x/BBCnTIk/+DMB17uZlOjG3vbAnkDkP+"
530 "n0OTucD9sHV7EVj9XUxi51nOfNBCN/s7lpUjDS/NJ4k3iwOtbCPswiot8vLO779a"
531 "f07vR03r349Iz/KTzk95rlFtX0IU+KYNxFNsanIXZ+C9FYGRXkwhHcvFb4qMUB1y"
532 "TTlM80jBMOwyjZXmjRAhpAIEAKUDAgEUqQUCAwGJwKqBpwSBpOgebbmn9NRUtMWH"
533 "+eJpqA5JLMFSMCChOsvKey3toBaCNGU7HfAEiiXNuuAdCBoK262BjQc2YYfqFzqH"
534 "zuppopXCvhohx7j/tnCNZIMgLYt/O9SXK2RYI5z8FhCCHvB4CbD5G0LGl5EFP27s"
535 "Jb6S3aTTYPkQe8yZSlxevg6NDwmTogLO9F7UUkaYmVcMQhzssEE2ZRYNwSOU6KjE"
536 "0Yj+8fAiBtbQriIEIN2L8ZlpaVrdN5KFNdvcmOxJu81P8q53X55xQyGTnGWwsgMC"
537 "ARezggvvMIIEdjCCA16gAwIBAgIIf+yfD7Y6UicwDQYJKoZIhvcNAQELBQAwSTEL"
538 "MAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2ds"
539 "ZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTUwODEyMTQ1MzE1WhcNMTUxMTEw"
540 "MDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQG"
541 "A1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UE"
542 "AwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB"
543 "AQC0MeG5YGQ0t+IeJeoneP/PrhEaieibeKYkbKVLNZpoPLuBinvhkXZo3DC133Np"
544 "CBpy6ZktBwamqyixAyuk/NU6OjgXqwwxfQ7di1AInLIU792c7hFyNXSUCG7At8If"
545 "i3YwBX9Ba6u/1d6rWTGZJrdCq3QU11RkKYyTq2KT5mceTv9iGKqSkSTlp8puy/9S"
546 "Z/3DbU3U+BuqCFqeSlz7zjwFmk35acdCilpJlVDDN5C/RCh8/UKc8PaL+cxlt531"
547 "qoTENvYrflBno14YEZlCBZsPiFeUSILpKEj3Ccwhy0eLEucWQ72YZU8mUzXBoXGn"
548 "0zA0crFl5ci/2sTBBGZsylNBAgMBAAGjggFBMIIBPTAdBgNVHSUEFjAUBggrBgEF"
549 "BQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYB"
550 "BQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lB"
551 "RzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9v"
552 "Y3NwMB0GA1UdDgQWBBS/bzHxcE73Q4j3slC4BLbMtLjGGjAMBgNVHRMBAf8EAjAA"
553 "MB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMBcGA1UdIAQQMA4wDAYK"
554 "KwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRwOi8vcGtpLmdvb2dsZS5j"
555 "b20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQAbqdWPZEHk0X7iKPCTHL6S"
556 "3w6q1eR67goxZGFSM1lk1hjwyu7XcLJuvALVV9uY3ovEkQZSHwT+pyOPWQhsSjO+"
557 "1GyjvCvK/CAwiUmBX+bQRGaqHsRcio7xSbdVcajQ3bXdX+s0WdbOpn6MStKAiBVl"
558 "oPlSxEI8pxY6x/BBCnTIk/+DMB17uZlOjG3vbAnkDkP+n0OTucD9sHV7EVj9XUxi"
559 "51nOfNBCN/s7lpUjDS/NJ4k3iwOtbCPswiot8vLO779af07vR03r349Iz/KTzk95"
560 "rlFtX0IU+KYNxFNsanIXZ+C9FYGRXkwhHcvFb4qMUB1yTTlM80jBMOwyjZXmjRAh"
561 "MIID8DCCAtigAwIBAgIDAjqDMA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT"
562 "MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i"
563 "YWwgQ0EwHhcNMTMwNDA1MTUxNTU2WhcNMTYxMjMxMjM1OTU5WjBJMQswCQYDVQQG"
564 "EwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVy"
565 "bmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB"
566 "AJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NP"
567 "VaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtv"
568 "h8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rE"
569 "ahqyzFPdFUuLH8gZYR/Nnag+YyuENWllhMgZxUYi+FOVvuOAShDGKuy6lyARxzmZ"
570 "EASg8GF6lSWMTlJ14rbtCMoU/M4iarNOz0YDl5cDfsCx3nuvRTPPuj5xt970JSXC"
571 "DTWJnZ37DhF5iR43xa+OcmkCAwEAAaOB5zCB5DAfBgNVHSMEGDAWgBTAephojYn7"
572 "qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1dvWBtrtiGrpagS8wDgYD"
573 "VR0PAQH/BAQDAgEGMC4GCCsGAQUFBwEBBCIwIDAeBggrBgEFBQcwAYYSaHR0cDov"
574 "L2cuc3ltY2QuY29tMBIGA1UdEwEB/wQIMAYBAf8CAQAwNQYDVR0fBC4wLDAqoCig"
575 "JoYkaHR0cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9iYWwuY3JsMBcGA1UdIAQQ"
576 "MA4wDAYKKwYBBAHWeQIFATANBgkqhkiG9w0BAQsFAAOCAQEAqvqpIM1qZ4PtXtR+"
577 "3h3Ef+AlBgDFJPupyC1tft6dgmUsgWM0Zj7pUsIItMsv91+ZOmqcUHqFBYx90SpI"
578 "hNMJbHzCzTWf84LuUt5oX+QAihcglvcpjZpNy6jehsgNb1aHA30DP9z6eX0hGfnI"
579 "Oi9RdozHQZJxjyXON/hKTAAj78Q1EK7gI4BzfE00LshukNYQHpmEcxpw8u1VDu4X"
580 "Bupn7jLrLN1nBz/2i8Jw3lsA5rsb0zYaImxssDVCbJAJPZPpZAkiDoUGn8JzIdPm"
581 "X4DkjYUiOnMDsWCOrmji9D6X52ASCWg23jrW4kOVWzeBkoEfu43XrVJkFleW2V40"
582 "fsg12DCCA30wggLmoAMCAQICAxK75jANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQG"
583 "EwJVUzEQMA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUg"
584 "Q2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTAyMDUyMTA0MDAwMFoXDTE4MDgyMTA0"
585 "MDAwMFowQjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUdlb1RydXN0IEluYy4xGzAZ"
586 "BgNVBAMTEkdlb1RydXN0IEdsb2JhbCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP"
587 "ADCCAQoCggEBANrMGGMw/fQXIxpWflvfPGw45HG3eJHUvKHYTPioQ7YD6U0hBwiI"
588 "2lgvZjkpvQV4i5046AW3an5xpObEYKaw74DkiSgPniXW7YPzraaRx5jJQhg1FJ2t"
589 "mEaSLk/K8YdDwRaVVy1Q74ktgHpXrfLuX2vSAI25FPgUFTXZwEaje3LIkb/JVSvN"
590 "0Jc+nCZkzN/Ogxlxyk7m1NV7qRnNVd7I7NJeOFPlXE+MLf5QIzb8ZubLjqQ5GQC3"
591 "lQI5kQsO/jgu0R0FmvZNPm8PBx2vLB6PYDni+jZTEznUXiYr2z2oFL0y6xgDKFIE"
592 "ceWrMz3hOLsHNoRinHnqFjD0X8Ar6HFr5PkCAwEAAaOB8DCB7TAfBgNVHSMEGDAW"
593 "gBRI5mj5K9KylddH2CMgEE8zmJCf1DAdBgNVHQ4EFgQUwHqYaI2J+6sFZAwRfap9"
594 "ZbjKzE4wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwOgYDVR0fBDMw"
595 "MTAvoC2gK4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20vY3Jscy9zZWN1cmVjYS5j"
596 "cmwwTgYDVR0gBEcwRTBDBgRVHSAAMDswOQYIKwYBBQUHAgEWLWh0dHBzOi8vd3d3"
597 "Lmdlb3RydXN0LmNvbS9yZXNvdXJjZXMvcmVwb3NpdG9yeTANBgkqhkiG9w0BAQUF"
598 "AAOBgQB24RJuTksWEoYwBrKBCM/wCMfHcX5m7sLt1Dsf//DwyE7WQziwuTB9GNBV"
599 "g6JqyzYRnOhIZqNtf7gT1Ef+i1pcc/yu2RsyGTirlzQUqpbS66McFAhJtrvlke+D"
600 "NusdVm/K2rxzY5Dkf3s+Iss9B+1fOHSc4wNQTqGvmO5h8oQ/Eg==";
601
602// kBadSessionExtraField is a custom serialized SSL_SESSION generated by replacing
603// the final (optional) element of |kCustomSession| with tag number 30.
604static const char kBadSessionExtraField[] =
605 "MIIBdgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
606 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
607 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
608 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
609 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
610 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
611 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
612 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBL4DBAEF";
613
614// kBadSessionVersion is a custom serialized SSL_SESSION generated by replacing
615// the version of |kCustomSession| with 2.
616static const char kBadSessionVersion[] =
617 "MIIBdgIBAgICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
618 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
619 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
620 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
621 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
622 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
623 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
624 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBLADBAEF";
625
626// kBadSessionTrailingData is a custom serialized SSL_SESSION with trailing data
627// appended.
628static const char kBadSessionTrailingData[] =
629 "MIIBdgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
630 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
631 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
632 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
633 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
634 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
635 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
636 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBLADBAEFAAAA";
637
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]638static bool DecodeBase64(std::vector<uint8_t> *out, const char *in) {
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]639 size_t len;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]640 if (!EVP_DecodedLength(&len, strlen(in))) {
641 fprintf(stderr, "EVP_DecodedLength failed\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]642 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]643 }
644
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]645 out->resize(len);
David Benjaminef14b2d2015-11-11 14:01:27 -0800[diff] [blame]646 if (!EVP_DecodeBase64(out->data(), &len, len, (const uint8_t *)in,
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]647 strlen(in))) {
648 fprintf(stderr, "EVP_DecodeBase64 failed\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]649 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]650 }
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]651 out->resize(len);
652 return true;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]653}
654
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]655static bool TestSSL_SESSIONEncoding(const char *input_b64) {
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]656 const uint8_t *cptr;
657 uint8_t *ptr;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]658
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]659 // Decode the input.
660 std::vector<uint8_t> input;
661 if (!DecodeBase64(&input, input_b64)) {
662 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]663 }
664
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]665 // Verify the SSL_SESSION decodes.
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]666 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
667 if (!ssl_ctx) {
668 return false;
669 }
670 bssl::UniquePtr<SSL_SESSION> session(
671 SSL_SESSION_from_bytes(input.data(), input.size(), ssl_ctx.get()));
David Benjaminfd67aa82015-06-15 19:41:48 -0400[diff] [blame]672 if (!session) {
673 fprintf(stderr, "SSL_SESSION_from_bytes failed\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]674 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]675 }
676
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]677 // Verify the SSL_SESSION encoding round-trips.
678 size_t encoded_len;
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]679 bssl::UniquePtr<uint8_t> encoded;
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]680 uint8_t *encoded_raw;
681 if (!SSL_SESSION_to_bytes(session.get(), &encoded_raw, &encoded_len)) {
David Benjamin3cac4502014-10-21 01:46:30 -0400[diff] [blame]682 fprintf(stderr, "SSL_SESSION_to_bytes failed\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]683 return false;
David Benjamin3cac4502014-10-21 01:46:30 -0400[diff] [blame]684 }
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]685 encoded.reset(encoded_raw);
686 if (encoded_len != input.size() ||
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]687 OPENSSL_memcmp(input.data(), encoded.get(), input.size()) != 0) {
David Benjamin3cac4502014-10-21 01:46:30 -0400[diff] [blame]688 fprintf(stderr, "SSL_SESSION_to_bytes did not round-trip\n");
Sigbjorn Vik2b23d242015-06-29 15:07:26 +0200[diff] [blame]689 hexdump(stderr, "Before: ", input.data(), input.size());
690 hexdump(stderr, "After: ", encoded_raw, encoded_len);
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]691 return false;
David Benjamin3cac4502014-10-21 01:46:30 -0400[diff] [blame]692 }
David Benjamin3cac4502014-10-21 01:46:30 -0400[diff] [blame]693
David Benjaminfd67aa82015-06-15 19:41:48 -0400[diff] [blame]694 // Verify the SSL_SESSION also decodes with the legacy API.
David Benjaminef14b2d2015-11-11 14:01:27 -0800[diff] [blame]695 cptr = input.data();
David Benjaminfd67aa82015-06-15 19:41:48 -0400[diff] [blame]696 session.reset(d2i_SSL_SESSION(NULL, &cptr, input.size()));
David Benjaminef14b2d2015-11-11 14:01:27 -0800[diff] [blame]697 if (!session || cptr != input.data() + input.size()) {
David Benjaminfd67aa82015-06-15 19:41:48 -0400[diff] [blame]698 fprintf(stderr, "d2i_SSL_SESSION failed\n");
699 return false;
700 }
701
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]702 // Verify the SSL_SESSION encoding round-trips via the legacy API.
703 int len = i2d_SSL_SESSION(session.get(), NULL);
704 if (len < 0 || (size_t)len != input.size()) {
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]705 fprintf(stderr, "i2d_SSL_SESSION(NULL) returned invalid length\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]706 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]707 }
708
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]709 encoded.reset((uint8_t *)OPENSSL_malloc(input.size()));
710 if (!encoded) {
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]711 fprintf(stderr, "malloc failed\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]712 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]713 }
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]714
715 ptr = encoded.get();
716 len = i2d_SSL_SESSION(session.get(), &ptr);
717 if (len < 0 || (size_t)len != input.size()) {
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]718 fprintf(stderr, "i2d_SSL_SESSION returned invalid length\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]719 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]720 }
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]721 if (ptr != encoded.get() + input.size()) {
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]722 fprintf(stderr, "i2d_SSL_SESSION did not advance ptr correctly\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]723 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]724 }
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]725 if (OPENSSL_memcmp(input.data(), encoded.get(), input.size()) != 0) {
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]726 fprintf(stderr, "i2d_SSL_SESSION did not round-trip\n");
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]727 return false;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]728 }
729
David Benjamin1d77e562015-03-22 17:22:08 -0400[diff] [blame]730 return true;
David Benjamin751e8892014-10-19 00:59:36 -0400[diff] [blame]731}
732
David Benjaminf297e022015-05-28 19:55:29 -0400[diff] [blame]733static bool TestBadSSL_SESSIONEncoding(const char *input_b64) {
734 std::vector<uint8_t> input;
735 if (!DecodeBase64(&input, input_b64)) {
736 return false;
737 }
738
739 // Verify that the SSL_SESSION fails to decode.
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]740 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
741 if (!ssl_ctx) {
742 return false;
743 }
744 bssl::UniquePtr<SSL_SESSION> session(
745 SSL_SESSION_from_bytes(input.data(), input.size(), ssl_ctx.get()));
David Benjaminf297e022015-05-28 19:55:29 -0400[diff] [blame]746 if (session) {
David Benjaminfd67aa82015-06-15 19:41:48 -0400[diff] [blame]747 fprintf(stderr, "SSL_SESSION_from_bytes unexpectedly succeeded\n");
David Benjaminf297e022015-05-28 19:55:29 -0400[diff] [blame]748 return false;
749 }
750 ERR_clear_error();
751 return true;
752}
753
David Benjamin321fcdc2017-04-24 11:42:42 -0400[diff] [blame]754static void ExpectDefaultVersion(uint16_t min_version, uint16_t max_version,
755 const SSL_METHOD *(*method)(void)) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]756 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method()));
David Benjamin321fcdc2017-04-24 11:42:42 -0400[diff] [blame]757 ASSERT_TRUE(ctx);
David Benjaminfc08dfc2017-06-20 14:39:32 -0400[diff] [blame]758 EXPECT_EQ(min_version, ctx->conf_min_version);
759 EXPECT_EQ(max_version, ctx->conf_max_version);
David Benjamin321fcdc2017-04-24 11:42:42 -0400[diff] [blame]760}
761
762TEST(SSLTest, DefaultVersion) {
763 // TODO(svaldez): Update this when TLS 1.3 is enabled by default.
764 ExpectDefaultVersion(TLS1_VERSION, TLS1_2_VERSION, &TLS_method);
765 ExpectDefaultVersion(TLS1_VERSION, TLS1_VERSION, &TLSv1_method);
766 ExpectDefaultVersion(TLS1_1_VERSION, TLS1_1_VERSION, &TLSv1_1_method);
767 ExpectDefaultVersion(TLS1_2_VERSION, TLS1_2_VERSION, &TLSv1_2_method);
768 ExpectDefaultVersion(TLS1_1_VERSION, TLS1_2_VERSION, &DTLS_method);
769 ExpectDefaultVersion(TLS1_1_VERSION, TLS1_1_VERSION, &DTLSv1_method);
770 ExpectDefaultVersion(TLS1_2_VERSION, TLS1_2_VERSION, &DTLSv1_2_method);
David Benjamin82c9e902014-12-12 15:55:27 -0500[diff] [blame]771}
772
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]773TEST(SSLTest, CipherGetStandardName) {
774 static const struct {
775 int id;
776 const char *standard_name;
777 } kTests[] = {
778 {SSL3_CK_RSA_DES_192_CBC3_SHA, "TLS_RSA_WITH_3DES_EDE_CBC_SHA"},
779 {TLS1_CK_RSA_WITH_AES_128_SHA, "TLS_RSA_WITH_AES_128_CBC_SHA"},
780 {TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
781 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"},
782 {TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
783 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"},
784 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
785 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"},
786 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
787 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"},
788 {TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
789 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"},
790 {TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA,
791 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA"},
792 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
793 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"},
794 {TLS1_CK_AES_256_GCM_SHA384, "TLS_AES_256_GCM_SHA384"},
795 {TLS1_CK_AES_128_GCM_SHA256, "TLS_AES_128_GCM_SHA256"},
796 {TLS1_CK_CHACHA20_POLY1305_SHA256, "TLS_CHACHA20_POLY1305_SHA256"},
797 };
David Benjamin65226252015-02-05 16:49:47 -0500[diff] [blame]798
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]799 for (const auto &t : kTests) {
800 SCOPED_TRACE(t.standard_name);
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]801
802 const SSL_CIPHER *cipher = SSL_get_cipher_by_value(t.id & 0xffff);
803 ASSERT_TRUE(cipher);
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]804 EXPECT_STREQ(t.standard_name, SSL_CIPHER_standard_name(cipher));
805
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]806 bssl::UniquePtr<char> rfc_name(SSL_CIPHER_get_rfc_name(cipher));
807 ASSERT_TRUE(rfc_name);
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]808 EXPECT_STREQ(t.standard_name, rfc_name.get());
David Benjamin65226252015-02-05 16:49:47 -0500[diff] [blame]809 }
David Benjamin65226252015-02-05 16:49:47 -0500[diff] [blame]810}
811
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]812// CreateSessionWithTicket returns a sample |SSL_SESSION| with the specified
813// version and ticket length or nullptr on failure.
814static bssl::UniquePtr<SSL_SESSION> CreateSessionWithTicket(uint16_t version,
815 size_t ticket_len) {
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]816 std::vector<uint8_t> der;
817 if (!DecodeBase64(&der, kOpenSSLSession)) {
818 return nullptr;
819 }
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]820
821 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
822 if (!ssl_ctx) {
823 return nullptr;
824 }
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]825 bssl::UniquePtr<SSL_SESSION> session(
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]826 SSL_SESSION_from_bytes(der.data(), der.size(), ssl_ctx.get()));
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]827 if (!session) {
828 return nullptr;
829 }
830
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]831 session->ssl_version = version;
832
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]833 // Swap out the ticket for a garbage one.
834 OPENSSL_free(session->tlsext_tick);
835 session->tlsext_tick = reinterpret_cast<uint8_t*>(OPENSSL_malloc(ticket_len));
836 if (session->tlsext_tick == nullptr) {
837 return nullptr;
838 }
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]839 OPENSSL_memset(session->tlsext_tick, 'a', ticket_len);
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]840 session->tlsext_ticklen = ticket_len;
David Benjamin1269ddd2015-10-18 15:18:55 -0400[diff] [blame]841
842 // Fix up the timeout.
David Benjamin9b63f292016-11-15 00:44:05 -0500[diff] [blame]843#if defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE)
844 session->time = 1234;
845#else
David Benjamin1269ddd2015-10-18 15:18:55 -0400[diff] [blame]846 session->time = time(NULL);
David Benjamin9b63f292016-11-15 00:44:05 -0500[diff] [blame]847#endif
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]848 return session;
849}
850
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]851static bool GetClientHello(SSL *ssl, std::vector<uint8_t> *out) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]852 bssl::UniquePtr<BIO> bio(BIO_new(BIO_s_mem()));
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]853 if (!bio) {
854 return false;
855 }
856 // Do not configure a reading BIO, but record what's written to a memory BIO.
David Benjamin96a16cd2016-08-11 12:14:47 -0400[diff] [blame]857 BIO_up_ref(bio.get());
858 SSL_set_bio(ssl, nullptr /* rbio */, bio.get());
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]859 int ret = SSL_connect(ssl);
860 if (ret > 0) {
861 // SSL_connect should fail without a BIO to write to.
862 return false;
863 }
864 ERR_clear_error();
865
866 const uint8_t *client_hello;
867 size_t client_hello_len;
868 if (!BIO_mem_contents(bio.get(), &client_hello, &client_hello_len)) {
869 return false;
870 }
871 *out = std::vector<uint8_t>(client_hello, client_hello + client_hello_len);
872 return true;
873}
874
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]875// GetClientHelloLen creates a client SSL connection with the specified version
876// and ticket length. It returns the length of the ClientHello, not including
877// the record header, on success and zero on error.
878static size_t GetClientHelloLen(uint16_t max_version, uint16_t session_version,
879 size_t ticket_len) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]880 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]881 bssl::UniquePtr<SSL_SESSION> session =
882 CreateSessionWithTicket(session_version, ticket_len);
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]883 if (!ctx || !session) {
884 return 0;
885 }
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]886
887 // Set a one-element cipher list so the baseline ClientHello is unpadded.
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]888 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
Steven Valdez2c62fe92016-10-14 12:08:12 -0400[diff] [blame]889 if (!ssl || !SSL_set_session(ssl.get(), session.get()) ||
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]890 !SSL_set_strict_cipher_list(ssl.get(), "ECDHE-RSA-AES128-GCM-SHA256") ||
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]891 !SSL_set_max_proto_version(ssl.get(), max_version)) {
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]892 return 0;
893 }
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]894
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]895 std::vector<uint8_t> client_hello;
896 if (!GetClientHello(ssl.get(), &client_hello) ||
897 client_hello.size() <= SSL3_RT_HEADER_LENGTH) {
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]898 return 0;
899 }
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]900
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]901 return client_hello.size() - SSL3_RT_HEADER_LENGTH;
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]902}
903
904struct PaddingTest {
905 size_t input_len, padded_len;
906};
907
908static const PaddingTest kPaddingTests[] = {
909 // ClientHellos of length below 0x100 do not require padding.
910 {0xfe, 0xfe},
911 {0xff, 0xff},
912 // ClientHellos of length 0x100 through 0x1fb are padded up to 0x200.
913 {0x100, 0x200},
914 {0x123, 0x200},
915 {0x1fb, 0x200},
916 // ClientHellos of length 0x1fc through 0x1ff get padded beyond 0x200. The
917 // padding extension takes a minimum of four bytes plus one required content
918 // byte. (To work around yet more server bugs, we avoid empty final
919 // extensions.)
920 {0x1fc, 0x201},
921 {0x1fd, 0x202},
922 {0x1fe, 0x203},
923 {0x1ff, 0x204},
924 // Finally, larger ClientHellos need no padding.
925 {0x200, 0x200},
926 {0x201, 0x201},
927};
928
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]929static bool TestPaddingExtension(uint16_t max_version,
930 uint16_t session_version) {
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]931 // Sample a baseline length.
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]932 size_t base_len = GetClientHelloLen(max_version, session_version, 1);
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]933 if (base_len == 0) {
934 return false;
935 }
936
937 for (const PaddingTest &test : kPaddingTests) {
938 if (base_len > test.input_len) {
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]939 fprintf(stderr,
940 "Baseline ClientHello too long (max_version = %04x, "
941 "session_version = %04x).\n",
942 max_version, session_version);
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]943 return false;
944 }
945
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]946 size_t padded_len = GetClientHelloLen(max_version, session_version,
947 1 + test.input_len - base_len);
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]948 if (padded_len != test.padded_len) {
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]949 fprintf(stderr,
950 "%u-byte ClientHello padded to %u bytes, not %u (max_version = "
951 "%04x, session_version = %04x).\n",
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]952 static_cast<unsigned>(test.input_len),
953 static_cast<unsigned>(padded_len),
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]954 static_cast<unsigned>(test.padded_len), max_version,
955 session_version);
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]956 return false;
957 }
958 }
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]959
David Benjamin422fe082015-07-21 22:03:43 -0400[diff] [blame]960 return true;
961}
962
David Benjamin1d128f32015-09-08 17:41:40 -0400[diff] [blame]963// Test that |SSL_get_client_CA_list| echoes back the configured parameter even
964// before configuring as a server.
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]965TEST(SSLTest, ClientCAList) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]966 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]967 ASSERT_TRUE(ctx);
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]968 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]969 ASSERT_TRUE(ssl);
David Benjamin1d128f32015-09-08 17:41:40 -0400[diff] [blame]970
Adam Langley34b4c822017-02-02 10:57:17 -0800[diff] [blame]971 bssl::UniquePtr<X509_NAME> name(X509_NAME_new());
972 ASSERT_TRUE(name);
David Benjamin1d128f32015-09-08 17:41:40 -0400[diff] [blame]973
Adam Langley34b4c822017-02-02 10:57:17 -0800[diff] [blame]974 bssl::UniquePtr<X509_NAME> name_dup(X509_NAME_dup(name.get()));
975 ASSERT_TRUE(name_dup);
976
977 bssl::UniquePtr<STACK_OF(X509_NAME)> stack(sk_X509_NAME_new_null());
978 ASSERT_TRUE(stack);
979
980 ASSERT_TRUE(sk_X509_NAME_push(stack.get(), name_dup.get()));
981 name_dup.release();
982
983 // |SSL_set_client_CA_list| takes ownership.
984 SSL_set_client_CA_list(ssl.get(), stack.release());
985
986 STACK_OF(X509_NAME) *result = SSL_get_client_CA_list(ssl.get());
987 ASSERT_TRUE(result);
988 ASSERT_EQ(1u, sk_X509_NAME_num(result));
989 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(result, 0), name.get()));
David Benjamin1d128f32015-09-08 17:41:40 -0400[diff] [blame]990}
991
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]992static void AppendSession(SSL_SESSION *session, void *arg) {
993 std::vector<SSL_SESSION*> *out =
994 reinterpret_cast<std::vector<SSL_SESSION*>*>(arg);
995 out->push_back(session);
996}
997
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]998// CacheEquals returns true if |ctx|'s session cache consists of |expected|, in
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]999// order.
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1000static bool CacheEquals(SSL_CTX *ctx,
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1001 const std::vector<SSL_SESSION*> &expected) {
1002 // Check the linked list.
1003 SSL_SESSION *ptr = ctx->session_cache_head;
1004 for (SSL_SESSION *session : expected) {
1005 if (ptr != session) {
1006 return false;
1007 }
1008 // TODO(davidben): This is an absurd way to denote the end of the list.
1009 if (ptr->next ==
1010 reinterpret_cast<SSL_SESSION *>(&ctx->session_cache_tail)) {
1011 ptr = nullptr;
1012 } else {
1013 ptr = ptr->next;
1014 }
1015 }
1016 if (ptr != nullptr) {
1017 return false;
1018 }
1019
1020 // Check the hash table.
1021 std::vector<SSL_SESSION*> actual, expected_copy;
1022 lh_SSL_SESSION_doall_arg(SSL_CTX_sessions(ctx), AppendSession, &actual);
1023 expected_copy = expected;
1024
1025 std::sort(actual.begin(), actual.end());
1026 std::sort(expected_copy.begin(), expected_copy.end());
1027
1028 return actual == expected_copy;
1029}
1030
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1031static bssl::UniquePtr<SSL_SESSION> CreateTestSession(uint32_t number) {
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]1032 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
1033 if (!ssl_ctx) {
1034 return nullptr;
1035 }
1036 bssl::UniquePtr<SSL_SESSION> ret(SSL_SESSION_new(ssl_ctx.get()));
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1037 if (!ret) {
1038 return nullptr;
1039 }
1040
1041 ret->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]1042 OPENSSL_memset(ret->session_id, 0, ret->session_id_length);
1043 OPENSSL_memcpy(ret->session_id, &number, sizeof(number));
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1044 return ret;
1045}
1046
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1047// Test that the internal session cache behaves as expected.
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1048TEST(SSLTest, InternalSessionCache) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1049 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1050 ASSERT_TRUE(ctx);
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1051
1052 // Prepare 10 test sessions.
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1053 std::vector<bssl::UniquePtr<SSL_SESSION>> sessions;
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1054 for (int i = 0; i < 10; i++) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1055 bssl::UniquePtr<SSL_SESSION> session = CreateTestSession(i);
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1056 ASSERT_TRUE(session);
David Benjamin4f6acaf2015-11-21 03:00:50 -0500[diff] [blame]1057 sessions.push_back(std::move(session));
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1058 }
1059
1060 SSL_CTX_sess_set_cache_size(ctx.get(), 5);
1061
1062 // Insert all the test sessions.
David Benjamin4f6acaf2015-11-21 03:00:50 -0500[diff] [blame]1063 for (const auto &session : sessions) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1064 ASSERT_TRUE(SSL_CTX_add_session(ctx.get(), session.get()));
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1065 }
1066
1067 // Only the last five should be in the list.
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1068 ASSERT_TRUE(CacheEquals(
1069 ctx.get(), {sessions[9].get(), sessions[8].get(), sessions[7].get(),
1070 sessions[6].get(), sessions[5].get()}));
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1071
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1072 // Inserting an element already in the cache should fail and leave the cache
1073 // unchanged.
1074 ASSERT_FALSE(SSL_CTX_add_session(ctx.get(), sessions[7].get()));
1075 ASSERT_TRUE(CacheEquals(
1076 ctx.get(), {sessions[9].get(), sessions[8].get(), sessions[7].get(),
1077 sessions[6].get(), sessions[5].get()}));
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1078
1079 // Although collisions should be impossible (256-bit session IDs), the cache
1080 // must handle them gracefully.
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1081 bssl::UniquePtr<SSL_SESSION> collision(CreateTestSession(7));
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1082 ASSERT_TRUE(collision);
1083 ASSERT_TRUE(SSL_CTX_add_session(ctx.get(), collision.get()));
1084 ASSERT_TRUE(CacheEquals(
1085 ctx.get(), {collision.get(), sessions[9].get(), sessions[8].get(),
1086 sessions[6].get(), sessions[5].get()}));
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1087
1088 // Removing sessions behaves correctly.
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1089 ASSERT_TRUE(SSL_CTX_remove_session(ctx.get(), sessions[6].get()));
1090 ASSERT_TRUE(CacheEquals(ctx.get(), {collision.get(), sessions[9].get(),
1091 sessions[8].get(), sessions[5].get()}));
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1092
1093 // Removing sessions requires an exact match.
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1094 ASSERT_FALSE(SSL_CTX_remove_session(ctx.get(), sessions[0].get()));
1095 ASSERT_FALSE(SSL_CTX_remove_session(ctx.get(), sessions[7].get()));
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1096
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]1097 // The cache remains unchanged.
1098 ASSERT_TRUE(CacheEquals(ctx.get(), {collision.get(), sessions[9].get(),
1099 sessions[8].get(), sessions[5].get()}));
David Benjamin0f653952015-10-18 14:28:01 -0400[diff] [blame]1100}
1101
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1102static uint16_t EpochFromSequence(uint64_t seq) {
1103 return static_cast<uint16_t>(seq >> 48);
1104}
1105
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1106static bssl::UniquePtr<X509> GetTestCertificate() {
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1107 static const char kCertPEM[] =
1108 "-----BEGIN CERTIFICATE-----\n"
1109 "MIICWDCCAcGgAwIBAgIJAPuwTC6rEJsMMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV\n"
1110 "BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX\n"
1111 "aWRnaXRzIFB0eSBMdGQwHhcNMTQwNDIzMjA1MDQwWhcNMTcwNDIyMjA1MDQwWjBF\n"
1112 "MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50\n"
1113 "ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\n"
1114 "gQDYK8imMuRi/03z0K1Zi0WnvfFHvwlYeyK9Na6XJYaUoIDAtB92kWdGMdAQhLci\n"
1115 "HnAjkXLI6W15OoV3gA/ElRZ1xUpxTMhjP6PyY5wqT5r6y8FxbiiFKKAnHmUcrgfV\n"
1116 "W28tQ+0rkLGMryRtrukXOgXBv7gcrmU7G1jC2a7WqmeI8QIDAQABo1AwTjAdBgNV\n"
1117 "HQ4EFgQUi3XVrMsIvg4fZbf6Vr5sp3Xaha8wHwYDVR0jBBgwFoAUi3XVrMsIvg4f\n"
1118 "Zbf6Vr5sp3Xaha8wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQA76Hht\n"
1119 "ldY9avcTGSwbwoiuIqv0jTL1fHFnzy3RHMLDh+Lpvolc5DSrSJHCP5WuK0eeJXhr\n"
1120 "T5oQpHL9z/cCDLAKCKRa4uV0fhEdOWBqyR9p8y5jJtye72t6CuFUV5iqcpF4BH4f\n"
1121 "j2VNHwsSrJwkD4QUGlUtH7vwnQmyCFxZMmWAJg==\n"
1122 "-----END CERTIFICATE-----\n";
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1123 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(kCertPEM, strlen(kCertPEM)));
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]1124 return bssl::UniquePtr<X509>(
1125 PEM_read_bio_X509(bio.get(), nullptr, nullptr, nullptr));
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1126}
1127
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1128static bssl::UniquePtr<EVP_PKEY> GetTestKey() {
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1129 static const char kKeyPEM[] =
1130 "-----BEGIN RSA PRIVATE KEY-----\n"
1131 "MIICXgIBAAKBgQDYK8imMuRi/03z0K1Zi0WnvfFHvwlYeyK9Na6XJYaUoIDAtB92\n"
1132 "kWdGMdAQhLciHnAjkXLI6W15OoV3gA/ElRZ1xUpxTMhjP6PyY5wqT5r6y8FxbiiF\n"
1133 "KKAnHmUcrgfVW28tQ+0rkLGMryRtrukXOgXBv7gcrmU7G1jC2a7WqmeI8QIDAQAB\n"
1134 "AoGBAIBy09Fd4DOq/Ijp8HeKuCMKTHqTW1xGHshLQ6jwVV2vWZIn9aIgmDsvkjCe\n"
1135 "i6ssZvnbjVcwzSoByhjN8ZCf/i15HECWDFFh6gt0P5z0MnChwzZmvatV/FXCT0j+\n"
1136 "WmGNB/gkehKjGXLLcjTb6dRYVJSCZhVuOLLcbWIV10gggJQBAkEA8S8sGe4ezyyZ\n"
1137 "m4e9r95g6s43kPqtj5rewTsUxt+2n4eVodD+ZUlCULWVNAFLkYRTBCASlSrm9Xhj\n"
1138 "QpmWAHJUkQJBAOVzQdFUaewLtdOJoPCtpYoY1zd22eae8TQEmpGOR11L6kbxLQsk\n"
1139 "aMly/DOnOaa82tqAGTdqDEZgSNmCeKKknmECQAvpnY8GUOVAubGR6c+W90iBuQLj\n"
1140 "LtFp/9ihd2w/PoDwrHZaoUYVcT4VSfJQog/k7kjE4MYXYWL8eEKg3WTWQNECQQDk\n"
1141 "104Wi91Umd1PzF0ijd2jXOERJU1wEKe6XLkYYNHWQAe5l4J4MWj9OdxFXAxIuuR/\n"
1142 "tfDwbqkta4xcux67//khAkEAvvRXLHTaa6VFzTaiiO8SaFsHV3lQyXOtMrBpB5jd\n"
1143 "moZWgjHvB2W9Ckn7sDqsPB+U2tyX0joDdQEyuiMECDY8oQ==\n"
1144 "-----END RSA PRIVATE KEY-----\n";
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1145 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(kKeyPEM, strlen(kKeyPEM)));
1146 return bssl::UniquePtr<EVP_PKEY>(
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1147 PEM_read_bio_PrivateKey(bio.get(), nullptr, nullptr, nullptr));
1148}
1149
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1150static bssl::UniquePtr<X509> GetECDSATestCertificate() {
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]1151 static const char kCertPEM[] =
1152 "-----BEGIN CERTIFICATE-----\n"
1153 "MIIBzzCCAXagAwIBAgIJANlMBNpJfb/rMAkGByqGSM49BAEwRTELMAkGA1UEBhMC\n"
1154 "QVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdp\n"
1155 "dHMgUHR5IEx0ZDAeFw0xNDA0MjMyMzIxNTdaFw0xNDA1MjMyMzIxNTdaMEUxCzAJ\n"
1156 "BgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5l\n"
1157 "dCBXaWRnaXRzIFB0eSBMdGQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATmK2ni\n"
1158 "v2Wfl74vHg2UikzVl2u3qR4NRvvdqakendy6WgHn1peoChj5w8SjHlbifINI2xYa\n"
1159 "HPUdfvGULUvPciLBo1AwTjAdBgNVHQ4EFgQUq4TSrKuV8IJOFngHVVdf5CaNgtEw\n"
1160 "HwYDVR0jBBgwFoAUq4TSrKuV8IJOFngHVVdf5CaNgtEwDAYDVR0TBAUwAwEB/zAJ\n"
1161 "BgcqhkjOPQQBA0gAMEUCIQDyoDVeUTo2w4J5m+4nUIWOcAZ0lVfSKXQA9L4Vh13E\n"
1162 "BwIgfB55FGohg/B6dGh5XxSZmmi08cueFV7mHzJSYV51yRQ=\n"
1163 "-----END CERTIFICATE-----\n";
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1164 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(kCertPEM, strlen(kCertPEM)));
1165 return bssl::UniquePtr<X509>(PEM_read_bio_X509(bio.get(), nullptr, nullptr, nullptr));
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]1166}
1167
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1168static bssl::UniquePtr<EVP_PKEY> GetECDSATestKey() {
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]1169 static const char kKeyPEM[] =
1170 "-----BEGIN PRIVATE KEY-----\n"
1171 "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgBw8IcnrUoEqc3VnJ\n"
1172 "TYlodwi1b8ldMHcO6NHJzgqLtGqhRANCAATmK2niv2Wfl74vHg2UikzVl2u3qR4N\n"
1173 "Rvvdqakendy6WgHn1peoChj5w8SjHlbifINI2xYaHPUdfvGULUvPciLB\n"
1174 "-----END PRIVATE KEY-----\n";
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1175 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(kKeyPEM, strlen(kKeyPEM)));
1176 return bssl::UniquePtr<EVP_PKEY>(
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]1177 PEM_read_bio_PrivateKey(bio.get(), nullptr, nullptr, nullptr));
1178}
1179
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]1180static bssl::UniquePtr<CRYPTO_BUFFER> BufferFromPEM(const char *pem) {
1181 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(pem, strlen(pem)));
1182 char *name, *header;
1183 uint8_t *data;
1184 long data_len;
1185 if (!PEM_read_bio(bio.get(), &name, &header, &data,
1186 &data_len)) {
1187 return nullptr;
1188 }
1189 OPENSSL_free(name);
1190 OPENSSL_free(header);
1191
1192 auto ret = bssl::UniquePtr<CRYPTO_BUFFER>(
1193 CRYPTO_BUFFER_new(data, data_len, nullptr));
1194 OPENSSL_free(data);
1195 return ret;
1196}
1197
1198static bssl::UniquePtr<CRYPTO_BUFFER> GetChainTestCertificateBuffer() {
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]1199 static const char kCertPEM[] =
1200 "-----BEGIN CERTIFICATE-----\n"
1201 "MIIC0jCCAbqgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEQiBD\n"
1202 "QTAeFw0xNjAyMjgyMDI3MDNaFw0yNjAyMjUyMDI3MDNaMBgxFjAUBgNVBAMMDUNs\n"
1203 "aWVudCBDZXJ0IEEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDRvaz8\n"
1204 "CC/cshpCafJo4jLkHEoBqDLhdgFelJoAiQUyIqyWl2O7YHPnpJH+TgR7oelzNzt/\n"
1205 "kLRcH89M/TszB6zqyLTC4aqmvzKL0peD/jL2LWBucR0WXIvjA3zoRuF/x86+rYH3\n"
1206 "tHb+xs2PSs8EGL/Ev+ss+qTzTGEn26fuGNHkNw6tOwPpc+o8+wUtzf/kAthamo+c\n"
1207 "IDs2rQ+lP7+aLZTLeU/q4gcLutlzcK5imex5xy2jPkweq48kijK0kIzl1cPlA5d1\n"
1208 "z7C8jU50Pj9X9sQDJTN32j7UYRisJeeYQF8GaaN8SbrDI6zHgKzrRLyxDt/KQa9V\n"
1209 "iLeXANgZi+Xx9KgfAgMBAAGjLzAtMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYI\n"
1210 "KwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQBFEVbmYl+2RtNw\n"
1211 "rDftRDF1v2QUbcN2ouSnQDHxeDQdSgasLzT3ui8iYu0Rw2WWcZ0DV5e0ztGPhWq7\n"
1212 "AO0B120aFRMOY+4+bzu9Q2FFkQqc7/fKTvTDzIJI5wrMnFvUfzzvxh3OHWMYSs/w\n"
1213 "giq33hTKeHEq6Jyk3btCny0Ycecyc3yGXH10sizUfiHlhviCkDuESk8mFDwDDzqW\n"
1214 "ZF0IipzFbEDHoIxLlm3GQxpiLoEV4k8KYJp3R5KBLFyxM6UGPz8h72mIPCJp2RuK\n"
1215 "MYgF91UDvVzvnYm6TfseM2+ewKirC00GOrZ7rEcFvtxnKSqYf4ckqfNdSU1Y+RRC\n"
1216 "1ngWZ7Ih\n"
1217 "-----END CERTIFICATE-----\n";
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]1218 return BufferFromPEM(kCertPEM);
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]1219}
1220
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]1221static bssl::UniquePtr<X509> X509FromBuffer(
1222 bssl::UniquePtr<CRYPTO_BUFFER> buffer) {
1223 if (!buffer) {
1224 return nullptr;
1225 }
1226 const uint8_t *derp = CRYPTO_BUFFER_data(buffer.get());
1227 return bssl::UniquePtr<X509>(
1228 d2i_X509(NULL, &derp, CRYPTO_BUFFER_len(buffer.get())));
1229}
1230
1231static bssl::UniquePtr<X509> GetChainTestCertificate() {
1232 return X509FromBuffer(GetChainTestCertificateBuffer());
1233}
1234
1235static bssl::UniquePtr<CRYPTO_BUFFER> GetChainTestIntermediateBuffer() {
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]1236 static const char kCertPEM[] =
1237 "-----BEGIN CERTIFICATE-----\n"
1238 "MIICwjCCAaqgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwFDESMBAGA1UEAwwJQyBS\n"
1239 "b290IENBMB4XDTE2MDIyODIwMjcwM1oXDTI2MDIyNTIwMjcwM1owDzENMAsGA1UE\n"
1240 "AwwEQiBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALsSCYmDip2D\n"
1241 "GkjFxw7ykz26JSjELkl6ArlYjFJ3aT/SCh8qbS4gln7RH8CPBd78oFdfhIKQrwtZ\n"
1242 "3/q21ykD9BAS3qHe2YdcJfm8/kWAy5DvXk6NXU4qX334KofBAEpgdA/igEFq1P1l\n"
1243 "HAuIfZCpMRfT+i5WohVsGi8f/NgpRvVaMONLNfgw57mz1lbtFeBEISmX0kbsuJxF\n"
1244 "Qj/Bwhi5/0HAEXG8e7zN4cEx0yPRvmOATRdVb/8dW2pwOHRJq9R5M0NUkIsTSnL7\n"
1245 "6N/z8hRAHMsV3IudC5Yd7GXW1AGu9a+iKU+Q4xcZCoj0DC99tL4VKujrV1kAeqsM\n"
1246 "cz5/dKzi6+cCAwEAAaMjMCEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
1247 "AQYwDQYJKoZIhvcNAQELBQADggEBAIIeZiEeNhWWQ8Y4D+AGDwqUUeG8NjCbKrXQ\n"
1248 "BlHg5wZ8xftFaiP1Dp/UAezmx2LNazdmuwrYB8lm3FVTyaPDTKEGIPS4wJKHgqH1\n"
1249 "QPDhqNm85ey7TEtI9oYjsNim/Rb+iGkIAMXaxt58SzxbjvP0kMr1JfJIZbic9vye\n"
1250 "NwIspMFIpP3FB8ywyu0T0hWtCQgL4J47nigCHpOu58deP88fS/Nyz/fyGVWOZ76b\n"
1251 "WhWwgM3P3X95fQ3d7oFPR/bVh0YV+Cf861INwplokXgXQ3/TCQ+HNXeAMWn3JLWv\n"
1252 "XFwk8owk9dq/kQGdndGgy3KTEW4ctPX5GNhf3LJ9Q7dLji4ReQ4=\n"
1253 "-----END CERTIFICATE-----\n";
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]1254 return BufferFromPEM(kCertPEM);
1255}
1256
1257static bssl::UniquePtr<X509> GetChainTestIntermediate() {
1258 return X509FromBuffer(GetChainTestIntermediateBuffer());
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]1259}
1260
1261static bssl::UniquePtr<EVP_PKEY> GetChainTestKey() {
1262 static const char kKeyPEM[] =
1263 "-----BEGIN PRIVATE KEY-----\n"
1264 "MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDRvaz8CC/cshpC\n"
1265 "afJo4jLkHEoBqDLhdgFelJoAiQUyIqyWl2O7YHPnpJH+TgR7oelzNzt/kLRcH89M\n"
1266 "/TszB6zqyLTC4aqmvzKL0peD/jL2LWBucR0WXIvjA3zoRuF/x86+rYH3tHb+xs2P\n"
1267 "Ss8EGL/Ev+ss+qTzTGEn26fuGNHkNw6tOwPpc+o8+wUtzf/kAthamo+cIDs2rQ+l\n"
1268 "P7+aLZTLeU/q4gcLutlzcK5imex5xy2jPkweq48kijK0kIzl1cPlA5d1z7C8jU50\n"
1269 "Pj9X9sQDJTN32j7UYRisJeeYQF8GaaN8SbrDI6zHgKzrRLyxDt/KQa9ViLeXANgZ\n"
1270 "i+Xx9KgfAgMBAAECggEBAK0VjSJzkyPaamcyTVSWjo7GdaBGcK60lk657RjR+lK0\n"
1271 "YJ7pkej4oM2hdsVZFsP8Cs4E33nXLa/0pDsRov/qrp0WQm2skwqGMC1I/bZ0WRPk\n"
1272 "wHaDrBBfESWnJDX/AGpVtlyOjPmgmK6J2usMPihQUDkKdAYrVWJePrMIxt1q6BMe\n"
1273 "iczs3qriMmtY3bUc4UyUwJ5fhDLjshHvfuIpYQyI6EXZM6dZksn9LylXJnigY6QJ\n"
1274 "HxOYO0BDwOsZ8yQ8J8afLk88i0GizEkgE1z3REtQUwgWfxr1WV/ud+T6/ZhSAgH9\n"
1275 "042mQvSFZnIUSEsmCvjhWuAunfxHKCTcAoYISWfzWpkCgYEA7gpf3HHU5Tn+CgUn\n"
1276 "1X5uGpG3DmcMgfeGgs2r2f/IIg/5Ac1dfYILiybL1tN9zbyLCJfcbFpWBc9hJL6f\n"
1277 "CPc5hUiwWFJqBJewxQkC1Ae/HakHbip+IZ+Jr0842O4BAArvixk4Lb7/N2Ct9sTE\n"
1278 "NJO6RtK9lbEZ5uK61DglHy8CS2UCgYEA4ZC1o36kPAMQBggajgnucb2yuUEelk0f\n"
1279 "AEr+GI32MGE+93xMr7rAhBoqLg4AITyIfEnOSQ5HwagnIHonBbv1LV/Gf9ursx8Z\n"
1280 "YOGbvT8zzzC+SU1bkDzdjAYnFQVGIjMtKOBJ3K07++ypwX1fr4QsQ8uKL8WSOWwt\n"
1281 "Z3Bym6XiZzMCgYADnhy+2OwHX85AkLt+PyGlPbmuelpyTzS4IDAQbBa6jcuW/2wA\n"
1282 "UE2km75VUXmD+u2R/9zVuLm99NzhFhSMqlUxdV1YukfqMfP5yp1EY6m/5aW7QuIP\n"
1283 "2MDa7TVL9rIFMiVZ09RKvbBbQxjhuzPQKL6X/PPspnhiTefQ+dl2k9xREQKBgHDS\n"
1284 "fMfGNEeAEKezrfSVqxphE9/tXms3L+ZpnCaT+yu/uEr5dTIAawKoQ6i9f/sf1/Sy\n"
1285 "xedsqR+IB+oKrzIDDWMgoJybN4pkZ8E5lzhVQIjFjKgFdWLzzqyW9z1gYfABQPlN\n"
1286 "FiS20WX0vgP1vcKAjdNrHzc9zyHBpgQzDmAj3NZZAoGBAI8vKCKdH7w3aL5CNkZQ\n"
1287 "2buIeWNA2HZazVwAGG5F2TU/LmXfRKnG6dX5bkU+AkBZh56jNZy//hfFSewJB4Kk\n"
1288 "buB7ERSdaNbO21zXt9FEA3+z0RfMd/Zv2vlIWOSB5nzl/7UKti3sribK6s9ZVLfi\n"
1289 "SxpiPQ8d/hmSGwn4ksrWUsJD\n"
1290 "-----END PRIVATE KEY-----\n";
1291 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(kKeyPEM, strlen(kKeyPEM)));
1292 return bssl::UniquePtr<EVP_PKEY>(
1293 PEM_read_bio_PrivateKey(bio.get(), nullptr, nullptr, nullptr));
1294}
1295
David Benjamin71dfad42017-07-16 17:27:39 -0400[diff] [blame]1296static const uint8_t kTestName[] = {
1297 0x30, 0x45, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
1298 0x02, 0x41, 0x55, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
1299 0x0c, 0x0a, 0x53, 0x6f, 0x6d, 0x65, 0x2d, 0x53, 0x74, 0x61, 0x74, 0x65,
1300 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x18, 0x49,
1301 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x20, 0x57, 0x69, 0x64, 0x67,
1302 0x69, 0x74, 0x73, 0x20, 0x50, 0x74, 0x79, 0x20, 0x4c, 0x74, 0x64,
1303};
1304
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]1305static bool CompleteHandshakes(SSL *client, SSL *server) {
1306 // Drive both their handshakes to completion.
1307 for (;;) {
1308 int client_ret = SSL_do_handshake(client);
1309 int client_err = SSL_get_error(client, client_ret);
1310 if (client_err != SSL_ERROR_NONE &&
1311 client_err != SSL_ERROR_WANT_READ &&
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]1312 client_err != SSL_ERROR_WANT_WRITE &&
1313 client_err != SSL_ERROR_PENDING_TICKET) {
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]1314 fprintf(stderr, "Client error: %d\n", client_err);
1315 return false;
1316 }
1317
1318 int server_ret = SSL_do_handshake(server);
1319 int server_err = SSL_get_error(server, server_ret);
1320 if (server_err != SSL_ERROR_NONE &&
1321 server_err != SSL_ERROR_WANT_READ &&
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]1322 server_err != SSL_ERROR_WANT_WRITE &&
1323 server_err != SSL_ERROR_PENDING_TICKET) {
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]1324 fprintf(stderr, "Server error: %d\n", server_err);
1325 return false;
1326 }
1327
1328 if (client_ret == 1 && server_ret == 1) {
1329 break;
1330 }
1331 }
1332
1333 return true;
1334}
1335
1336static bool ConnectClientAndServer(bssl::UniquePtr<SSL> *out_client,
1337 bssl::UniquePtr<SSL> *out_server,
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]1338 SSL_CTX *client_ctx, SSL_CTX *server_ctx,
1339 SSL_SESSION *session) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1340 bssl::UniquePtr<SSL> client(SSL_new(client_ctx)), server(SSL_new(server_ctx));
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1341 if (!client || !server) {
1342 return false;
1343 }
1344 SSL_set_connect_state(client.get());
1345 SSL_set_accept_state(server.get());
1346
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]1347 SSL_set_session(client.get(), session);
1348
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1349 BIO *bio1, *bio2;
1350 if (!BIO_new_bio_pair(&bio1, 0, &bio2, 0)) {
1351 return false;
1352 }
1353 // SSL_set_bio takes ownership.
1354 SSL_set_bio(client.get(), bio1, bio1);
1355 SSL_set_bio(server.get(), bio2, bio2);
1356
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]1357 if (!CompleteHandshakes(client.get(), server.get())) {
1358 return false;
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1359 }
1360
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1361 *out_client = std::move(client);
1362 *out_server = std::move(server);
1363 return true;
1364}
1365
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1366static bool TestSequenceNumber(bool is_dtls, const SSL_METHOD *method,
1367 uint16_t version) {
1368 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method));
1369 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method));
1370 if (!server_ctx || !client_ctx ||
1371 !SSL_CTX_set_min_proto_version(client_ctx.get(), version) ||
1372 !SSL_CTX_set_max_proto_version(client_ctx.get(), version) ||
1373 !SSL_CTX_set_min_proto_version(server_ctx.get(), version) ||
1374 !SSL_CTX_set_max_proto_version(server_ctx.get(), version)) {
1375 return false;
1376 }
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1377
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1378 bssl::UniquePtr<X509> cert = GetTestCertificate();
1379 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
1380 if (!cert || !key || !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) ||
1381 !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get())) {
1382 return false;
1383 }
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1384
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1385 bssl::UniquePtr<SSL> client, server;
1386 if (!ConnectClientAndServer(&client, &server, client_ctx.get(),
1387 server_ctx.get(), nullptr /* no session */)) {
1388 return false;
1389 }
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1390
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1391 // Drain any post-handshake messages to ensure there are no unread records
1392 // on either end.
1393 uint8_t byte = 0;
1394 if (SSL_read(client.get(), &byte, 1) > 0 ||
1395 SSL_read(server.get(), &byte, 1) > 0) {
1396 fprintf(stderr, "Received unexpected data.\n");
1397 return false;
1398 }
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1399
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1400 uint64_t client_read_seq = SSL_get_read_sequence(client.get());
1401 uint64_t client_write_seq = SSL_get_write_sequence(client.get());
1402 uint64_t server_read_seq = SSL_get_read_sequence(server.get());
1403 uint64_t server_write_seq = SSL_get_write_sequence(server.get());
Steven Valdez2c62fe92016-10-14 12:08:12 -0400[diff] [blame]1404
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1405 if (is_dtls) {
1406 // Both client and server must be at epoch 1.
1407 if (EpochFromSequence(client_read_seq) != 1 ||
1408 EpochFromSequence(client_write_seq) != 1 ||
1409 EpochFromSequence(server_read_seq) != 1 ||
1410 EpochFromSequence(server_write_seq) != 1) {
1411 fprintf(stderr, "Bad epochs.\n");
1412 return false;
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1413 }
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1414
1415 // The next record to be written should exceed the largest received.
1416 if (client_write_seq <= server_read_seq ||
1417 server_write_seq <= client_read_seq) {
1418 fprintf(stderr, "Inconsistent sequence numbers.\n");
1419 return false;
1420 }
1421 } else {
1422 // The next record to be written should equal the next to be received.
1423 if (client_write_seq != server_read_seq ||
1424 server_write_seq != client_read_seq) {
1425 fprintf(stderr, "Inconsistent sequence numbers.\n");
1426 return false;
1427 }
1428 }
1429
1430 // Send a record from client to server.
1431 if (SSL_write(client.get(), &byte, 1) != 1 ||
1432 SSL_read(server.get(), &byte, 1) != 1) {
1433 fprintf(stderr, "Could not send byte.\n");
1434 return false;
1435 }
1436
1437 // The client write and server read sequence numbers should have
1438 // incremented.
1439 if (client_write_seq + 1 != SSL_get_write_sequence(client.get()) ||
1440 server_read_seq + 1 != SSL_get_read_sequence(server.get())) {
1441 fprintf(stderr, "Sequence numbers did not increment.\n");
1442 return false;
David Benjaminde942382016-02-11 12:02:01 -0500[diff] [blame]1443 }
1444
1445 return true;
1446}
1447
David Benjamin68f37b72016-11-18 15:14:42 +0900[diff] [blame]1448static bool TestOneSidedShutdown(bool is_dtls, const SSL_METHOD *method,
1449 uint16_t version) {
1450 // SSL_shutdown is a no-op in DTLS.
1451 if (is_dtls) {
1452 return true;
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1453 }
1454
David Benjamin68f37b72016-11-18 15:14:42 +0900[diff] [blame]1455 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method));
1456 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method));
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1457 bssl::UniquePtr<X509> cert = GetTestCertificate();
1458 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
David Benjamin68f37b72016-11-18 15:14:42 +0900[diff] [blame]1459 if (!client_ctx || !server_ctx || !cert || !key ||
1460 !SSL_CTX_set_min_proto_version(server_ctx.get(), version) ||
1461 !SSL_CTX_set_max_proto_version(server_ctx.get(), version) ||
1462 !SSL_CTX_set_min_proto_version(client_ctx.get(), version) ||
1463 !SSL_CTX_set_max_proto_version(client_ctx.get(), version) ||
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1464 !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) ||
1465 !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get())) {
1466 return false;
1467 }
1468
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1469 bssl::UniquePtr<SSL> client, server;
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1470 if (!ConnectClientAndServer(&client, &server, client_ctx.get(),
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]1471 server_ctx.get(), nullptr /* no session */)) {
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1472 return false;
1473 }
1474
1475 // Shut down half the connection. SSL_shutdown will return 0 to signal only
1476 // one side has shut down.
1477 if (SSL_shutdown(client.get()) != 0) {
1478 fprintf(stderr, "Could not shutdown.\n");
1479 return false;
1480 }
1481
1482 // Reading from the server should consume the EOF.
1483 uint8_t byte;
1484 if (SSL_read(server.get(), &byte, 1) != 0 ||
1485 SSL_get_error(server.get(), 0) != SSL_ERROR_ZERO_RETURN) {
1486 fprintf(stderr, "Connection was not shut down cleanly.\n");
1487 return false;
1488 }
1489
1490 // However, the server may continue to write data and then shut down the
1491 // connection.
1492 byte = 42;
1493 if (SSL_write(server.get(), &byte, 1) != 1 ||
1494 SSL_read(client.get(), &byte, 1) != 1 ||
1495 byte != 42) {
1496 fprintf(stderr, "Could not send byte.\n");
1497 return false;
1498 }
1499
1500 // The server may then shutdown the connection.
1501 if (SSL_shutdown(server.get()) != 1 ||
1502 SSL_shutdown(client.get()) != 1) {
1503 fprintf(stderr, "Could not complete shutdown.\n");
1504 return false;
1505 }
1506
1507 return true;
1508}
David Benjamin68f37b72016-11-18 15:14:42 +0900[diff] [blame]1509
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1510TEST(SSLTest, SessionDuplication) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1511 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
1512 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1513 ASSERT_TRUE(client_ctx);
1514 ASSERT_TRUE(server_ctx);
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]1515
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1516 bssl::UniquePtr<X509> cert = GetTestCertificate();
1517 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1518 ASSERT_TRUE(cert);
1519 ASSERT_TRUE(key);
1520 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
1521 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]1522
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1523 bssl::UniquePtr<SSL> client, server;
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1524 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
1525 server_ctx.get(),
1526 nullptr /* no session */));
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]1527
1528 SSL_SESSION *session0 = SSL_get_session(client.get());
David Benjamin31b0c9b2017-07-20 14:49:15 -0400[diff] [blame]1529 bssl::UniquePtr<SSL_SESSION> session1 =
1530 bssl::SSL_SESSION_dup(session0, SSL_SESSION_DUP_ALL);
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1531 ASSERT_TRUE(session1);
David Benjamin4501bd52016-08-01 13:39:41 -0400[diff] [blame]1532
Steven Valdez84b5c002016-08-25 16:30:58 -0400[diff] [blame]1533 session1->not_resumable = 0;
1534
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]1535 uint8_t *s0_bytes, *s1_bytes;
1536 size_t s0_len, s1_len;
1537
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1538 ASSERT_TRUE(SSL_SESSION_to_bytes(session0, &s0_bytes, &s0_len));
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1539 bssl::UniquePtr<uint8_t> free_s0(s0_bytes);
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]1540
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1541 ASSERT_TRUE(SSL_SESSION_to_bytes(session1.get(), &s1_bytes, &s1_len));
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1542 bssl::UniquePtr<uint8_t> free_s1(s1_bytes);
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]1543
David Benjamin7d7554b2017-02-04 11:48:59 -0500[diff] [blame]1544 EXPECT_EQ(Bytes(s0_bytes, s0_len), Bytes(s1_bytes, s1_len));
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]1545}
David Benjamin686bb192016-05-10 15:15:41 -0400[diff] [blame]1546
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1547static void ExpectFDs(const SSL *ssl, int rfd, int wfd) {
David Benjaminca743582017-06-15 17:51:35 -0400[diff] [blame]1548 EXPECT_EQ(rfd, SSL_get_fd(ssl));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1549 EXPECT_EQ(rfd, SSL_get_rfd(ssl));
1550 EXPECT_EQ(wfd, SSL_get_wfd(ssl));
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1551
1552 // The wrapper BIOs are always equal when fds are equal, even if set
1553 // individually.
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1554 if (rfd == wfd) {
1555 EXPECT_EQ(SSL_get_rbio(ssl), SSL_get_wbio(ssl));
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1556 }
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1557}
1558
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1559TEST(SSLTest, SetFD) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1560 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1561 ASSERT_TRUE(ctx);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1562
1563 // Test setting different read and write FDs.
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1564 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1565 ASSERT_TRUE(ssl);
1566 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
1567 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 2));
1568 ExpectFDs(ssl.get(), 1, 2);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1569
1570 // Test setting the same FD.
1571 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1572 ASSERT_TRUE(ssl);
1573 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
1574 ExpectFDs(ssl.get(), 1, 1);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1575
1576 // Test setting the same FD one side at a time.
1577 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1578 ASSERT_TRUE(ssl);
1579 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
1580 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 1));
1581 ExpectFDs(ssl.get(), 1, 1);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1582
1583 // Test setting the same FD in the other order.
1584 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1585 ASSERT_TRUE(ssl);
1586 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 1));
1587 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
1588 ExpectFDs(ssl.get(), 1, 1);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1589
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1590 // Test changing the read FD partway through.
1591 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1592 ASSERT_TRUE(ssl);
1593 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
1594 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 2));
1595 ExpectFDs(ssl.get(), 2, 1);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1596
1597 // Test changing the write FD partway through.
1598 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1599 ASSERT_TRUE(ssl);
1600 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
1601 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 2));
1602 ExpectFDs(ssl.get(), 1, 2);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1603
1604 // Test a no-op change to the read FD partway through.
1605 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1606 ASSERT_TRUE(ssl);
1607 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
1608 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
1609 ExpectFDs(ssl.get(), 1, 1);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1610
1611 // Test a no-op change to the write FD partway through.
1612 ssl.reset(SSL_new(ctx.get()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1613 ASSERT_TRUE(ssl);
1614 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
1615 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 1));
1616 ExpectFDs(ssl.get(), 1, 1);
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1617
1618 // ASan builds will implicitly test that the internal |BIO| reference-counting
1619 // is correct.
David Benjamin5c0fb882016-06-14 14:03:51 -0400[diff] [blame]1620}
1621
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1622TEST(SSLTest, SetBIO) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1623 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1624 ASSERT_TRUE(ctx);
David Benjamin4501bd52016-08-01 13:39:41 -0400[diff] [blame]1625
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1626 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
1627 bssl::UniquePtr<BIO> bio1(BIO_new(BIO_s_mem())), bio2(BIO_new(BIO_s_mem())),
David Benjamin4501bd52016-08-01 13:39:41 -0400[diff] [blame]1628 bio3(BIO_new(BIO_s_mem()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]1629 ASSERT_TRUE(ssl);
1630 ASSERT_TRUE(bio1);
1631 ASSERT_TRUE(bio2);
1632 ASSERT_TRUE(bio3);
David Benjamin4501bd52016-08-01 13:39:41 -0400[diff] [blame]1633
1634 // SSL_set_bio takes one reference when the parameters are the same.
1635 BIO_up_ref(bio1.get());
1636 SSL_set_bio(ssl.get(), bio1.get(), bio1.get());
1637
1638 // Repeating the call does nothing.
1639 SSL_set_bio(ssl.get(), bio1.get(), bio1.get());
1640
1641 // It takes one reference each when the parameters are different.
1642 BIO_up_ref(bio2.get());
1643 BIO_up_ref(bio3.get());
1644 SSL_set_bio(ssl.get(), bio2.get(), bio3.get());
1645
1646 // Repeating the call does nothing.
1647 SSL_set_bio(ssl.get(), bio2.get(), bio3.get());
1648
1649 // It takes one reference when changing only wbio.
1650 BIO_up_ref(bio1.get());
1651 SSL_set_bio(ssl.get(), bio2.get(), bio1.get());
1652
1653 // It takes one reference when changing only rbio and the two are different.
1654 BIO_up_ref(bio3.get());
1655 SSL_set_bio(ssl.get(), bio3.get(), bio1.get());
1656
1657 // If setting wbio to rbio, it takes no additional references.
1658 SSL_set_bio(ssl.get(), bio3.get(), bio3.get());
1659
1660 // From there, wbio may be switched to something else.
1661 BIO_up_ref(bio1.get());
1662 SSL_set_bio(ssl.get(), bio3.get(), bio1.get());
1663
1664 // If setting rbio to wbio, it takes no additional references.
1665 SSL_set_bio(ssl.get(), bio1.get(), bio1.get());
1666
1667 // From there, rbio may be switched to something else, but, for historical
1668 // reasons, it takes a reference to both parameters.
1669 BIO_up_ref(bio1.get());
1670 BIO_up_ref(bio2.get());
1671 SSL_set_bio(ssl.get(), bio2.get(), bio1.get());
1672
1673 // ASAN builds will implicitly test that the internal |BIO| reference-counting
1674 // is correct.
David Benjamin4501bd52016-08-01 13:39:41 -0400[diff] [blame]1675}
1676
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]1677static int VerifySucceed(X509_STORE_CTX *store_ctx, void *arg) { return 1; }
1678
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1679static bool TestGetPeerCertificate(bool is_dtls, const SSL_METHOD *method,
1680 uint16_t version) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1681 bssl::UniquePtr<X509> cert = GetTestCertificate();
1682 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]1683 if (!cert || !key) {
1684 return false;
1685 }
1686
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1687 // Configure both client and server to accept any certificate.
1688 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method));
1689 if (!ctx ||
1690 !SSL_CTX_use_certificate(ctx.get(), cert.get()) ||
1691 !SSL_CTX_use_PrivateKey(ctx.get(), key.get()) ||
1692 !SSL_CTX_set_min_proto_version(ctx.get(), version) ||
1693 !SSL_CTX_set_max_proto_version(ctx.get(), version)) {
1694 return false;
1695 }
1696 SSL_CTX_set_verify(
1697 ctx.get(), SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nullptr);
1698 SSL_CTX_set_cert_verify_callback(ctx.get(), VerifySucceed, NULL);
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]1699
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1700 bssl::UniquePtr<SSL> client, server;
1701 if (!ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
1702 nullptr /* no session */)) {
1703 return false;
1704 }
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]1705
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1706 // Client and server should both see the leaf certificate.
1707 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(server.get()));
1708 if (!peer || X509_cmp(cert.get(), peer.get()) != 0) {
1709 fprintf(stderr, "Server peer certificate did not match.\n");
1710 return false;
1711 }
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]1712
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1713 peer.reset(SSL_get_peer_certificate(client.get()));
1714 if (!peer || X509_cmp(cert.get(), peer.get()) != 0) {
1715 fprintf(stderr, "Client peer certificate did not match.\n");
1716 return false;
1717 }
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]1718
David Benjamine664a532017-07-20 20:19:36 -0400[diff] [blame^]1719 // However, for historical reasons, the X509 chain includes the leaf on the
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1720 // client, but does not on the server.
David Benjamine664a532017-07-20 20:19:36 -0400[diff] [blame^]1721 if (sk_X509_num(SSL_get_peer_cert_chain(client.get())) != 1 ||
1722 sk_CRYPTO_BUFFER_num(SSL_get0_peer_certificates(client.get())) != 1) {
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1723 fprintf(stderr, "Client peer chain was incorrect.\n");
1724 return false;
1725 }
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]1726
David Benjamine664a532017-07-20 20:19:36 -0400[diff] [blame^]1727 if (sk_X509_num(SSL_get_peer_cert_chain(server.get())) != 0 ||
1728 sk_CRYPTO_BUFFER_num(SSL_get0_peer_certificates(server.get())) != 1) {
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1729 fprintf(stderr, "Server peer chain was incorrect.\n");
1730 return false;
David Benjaminadd5e522016-07-14 00:33:24 -0400[diff] [blame]1731 }
1732
1733 return true;
1734}
1735
David Benjamine664a532017-07-20 20:19:36 -0400[diff] [blame^]1736static bool TestNoPeerCertificate(bool is_dtls, const SSL_METHOD *method,
1737 uint16_t version) {
1738 bssl::UniquePtr<X509> cert = GetTestCertificate();
1739 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
1740 if (!cert || !key) {
1741 return false;
1742 }
1743
1744 // Configure an anonymous client.
1745 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method)),
1746 client_ctx(SSL_CTX_new(method));
1747 if (!server_ctx || !client_ctx ||
1748 !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) ||
1749 !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()) ||
1750 !SSL_CTX_set_min_proto_version(server_ctx.get(), version) ||
1751 !SSL_CTX_set_max_proto_version(server_ctx.get(), version) ||
1752 !SSL_CTX_set_min_proto_version(client_ctx.get(), version) ||
1753 !SSL_CTX_set_max_proto_version(client_ctx.get(), version)) {
1754 return false;
1755 }
1756 SSL_CTX_set_verify(
1757 server_ctx.get(), SSL_VERIFY_PEER, nullptr);
1758 SSL_CTX_set_cert_verify_callback(server_ctx.get(), VerifySucceed, NULL);
1759 SSL_CTX_set_cert_verify_callback(client_ctx.get(), VerifySucceed, NULL);
1760
1761 bssl::UniquePtr<SSL> client, server;
1762 if (!ConnectClientAndServer(&client, &server, client_ctx.get(),
1763 server_ctx.get(), nullptr /* no session */)) {
1764 return false;
1765 }
1766
1767 // Client and server should both see the leaf certificate.
1768 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(server.get()));
1769 if (peer ||
1770 SSL_get0_peer_certificates(server.get()) != nullptr) {
1771 fprintf(stderr, "Server peer certificate was non-null.\n");
1772 return false;
1773 }
1774
1775 return true;
1776}
1777
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1778static bool TestRetainOnlySHA256OfCerts(bool is_dtls, const SSL_METHOD *method,
1779 uint16_t version) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1780 bssl::UniquePtr<X509> cert = GetTestCertificate();
1781 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]1782 if (!cert || !key) {
1783 return false;
1784 }
1785
1786 uint8_t *cert_der = NULL;
1787 int cert_der_len = i2d_X509(cert.get(), &cert_der);
1788 if (cert_der_len < 0) {
1789 return false;
1790 }
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1791 bssl::UniquePtr<uint8_t> free_cert_der(cert_der);
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]1792
1793 uint8_t cert_sha256[SHA256_DIGEST_LENGTH];
1794 SHA256(cert_der, cert_der_len, cert_sha256);
1795
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1796 // Configure both client and server to accept any certificate, but the
1797 // server must retain only the SHA-256 of the peer.
1798 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method));
1799 if (!ctx ||
1800 !SSL_CTX_use_certificate(ctx.get(), cert.get()) ||
1801 !SSL_CTX_use_PrivateKey(ctx.get(), key.get()) ||
1802 !SSL_CTX_set_min_proto_version(ctx.get(), version) ||
1803 !SSL_CTX_set_max_proto_version(ctx.get(), version)) {
1804 return false;
1805 }
1806 SSL_CTX_set_verify(
1807 ctx.get(), SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nullptr);
1808 SSL_CTX_set_cert_verify_callback(ctx.get(), VerifySucceed, NULL);
1809 SSL_CTX_set_retain_only_sha256_of_client_certs(ctx.get(), 1);
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]1810
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1811 bssl::UniquePtr<SSL> client, server;
1812 if (!ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
1813 nullptr /* no session */)) {
1814 return false;
1815 }
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]1816
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1817 // The peer certificate has been dropped.
1818 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(server.get()));
1819 if (peer) {
1820 fprintf(stderr, "Peer certificate was retained.\n");
1821 return false;
1822 }
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]1823
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1824 SSL_SESSION *session = SSL_get_session(server.get());
1825 if (!session->peer_sha256_valid) {
1826 fprintf(stderr, "peer_sha256_valid was not set.\n");
1827 return false;
1828 }
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]1829
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]1830 if (OPENSSL_memcmp(cert_sha256, session->peer_sha256, SHA256_DIGEST_LENGTH) !=
1831 0) {
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]1832 fprintf(stderr, "peer_sha256 did not match.\n");
1833 return false;
David Benjamin25490f22016-07-14 00:22:54 -0400[diff] [blame]1834 }
1835
1836 return true;
1837}
1838
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1839static bool ClientHelloMatches(uint16_t version, const uint8_t *expected,
1840 size_t expected_len) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1841 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1842 // Our default cipher list varies by CPU capabilities, so manually place the
1843 // ChaCha20 ciphers in front.
Matthew Braithwaite7e06de52017-04-10 15:52:14 -0700[diff] [blame]1844 const char* cipher_list = "CHACHA20:ALL";
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]1845 if (!ctx ||
David Benjamin3cfeb952017-03-01 16:48:38 -0500[diff] [blame]1846 // SSLv3 is off by default.
1847 !SSL_CTX_set_min_proto_version(ctx.get(), SSL3_VERSION) ||
David Benjamine4706902016-09-20 15:12:23 -0400[diff] [blame]1848 !SSL_CTX_set_max_proto_version(ctx.get(), version) ||
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1849 !SSL_CTX_set_strict_cipher_list(ctx.get(), cipher_list)) {
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1850 return false;
1851 }
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]1852
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]1853 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1854 if (!ssl) {
1855 return false;
1856 }
1857 std::vector<uint8_t> client_hello;
1858 if (!GetClientHello(ssl.get(), &client_hello)) {
1859 return false;
1860 }
1861
1862 // Zero the client_random.
1863 constexpr size_t kRandomOffset = 1 + 2 + 2 + // record header
1864 1 + 3 + // handshake message header
1865 2; // client_version
1866 if (client_hello.size() < kRandomOffset + SSL3_RANDOM_SIZE) {
1867 fprintf(stderr, "ClientHello for version %04x too short.\n", version);
1868 return false;
1869 }
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]1870 OPENSSL_memset(client_hello.data() + kRandomOffset, 0, SSL3_RANDOM_SIZE);
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1871
1872 if (client_hello.size() != expected_len ||
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]1873 OPENSSL_memcmp(client_hello.data(), expected, expected_len) != 0) {
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1874 fprintf(stderr, "ClientHello for version %04x did not match:\n", version);
1875 fprintf(stderr, "Got:\n\t");
1876 for (size_t i = 0; i < client_hello.size(); i++) {
1877 fprintf(stderr, "0x%02x, ", client_hello[i]);
1878 }
1879 fprintf(stderr, "\nWanted:\n\t");
1880 for (size_t i = 0; i < expected_len; i++) {
1881 fprintf(stderr, "0x%02x, ", expected[i]);
1882 }
1883 fprintf(stderr, "\n");
1884 return false;
1885 }
1886
1887 return true;
1888}
1889
1890// Tests that our ClientHellos do not change unexpectedly.
1891static bool TestClientHello() {
1892 static const uint8_t kSSL3ClientHello[] = {
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1893 0x16,
1894 0x03, 0x00,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1895 0x00, 0x3b,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1896 0x01,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1897 0x00, 0x00, 0x37,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1898 0x03, 0x00,
1899 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1900 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1901 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1902 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1903 0x00,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1904 0x00, 0x10,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1905 0xc0, 0x09,
1906 0xc0, 0x13,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1907 0xc0, 0x0a,
1908 0xc0, 0x14,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1909 0x00, 0x2f,
1910 0x00, 0x35,
1911 0x00, 0x0a,
1912 0x00, 0xff, 0x01, 0x00,
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1913 };
1914 if (!ClientHelloMatches(SSL3_VERSION, kSSL3ClientHello,
1915 sizeof(kSSL3ClientHello))) {
1916 return false;
1917 }
1918
1919 static const uint8_t kTLS1ClientHello[] = {
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1920 0x16,
1921 0x03, 0x01,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1922 0x00, 0x5a,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1923 0x01,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1924 0x00, 0x00, 0x56,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1925 0x03, 0x01,
1926 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1927 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1928 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1929 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1930 0x00,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1931 0x00, 0x0e,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1932 0xc0, 0x09,
1933 0xc0, 0x13,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1934 0xc0, 0x0a,
1935 0xc0, 0x14,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1936 0x00, 0x2f,
1937 0x00, 0x35,
1938 0x00, 0x0a,
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1939 0x01, 0x00, 0x00, 0x1f, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x17, 0x00,
1940 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00,
1941 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18,
1942 };
1943 if (!ClientHelloMatches(TLS1_VERSION, kTLS1ClientHello,
1944 sizeof(kTLS1ClientHello))) {
1945 return false;
1946 }
1947
1948 static const uint8_t kTLS11ClientHello[] = {
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1949 0x16,
1950 0x03, 0x01,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1951 0x00, 0x5a,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1952 0x01,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1953 0x00, 0x00, 0x56,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1954 0x03, 0x02,
1955 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1956 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1957 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1958 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1959 0x00,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1960 0x00, 0x0e,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1961 0xc0, 0x09,
1962 0xc0, 0x13,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1963 0xc0, 0x0a,
1964 0xc0, 0x14,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]1965 0x00, 0x2f,
1966 0x00, 0x35,
1967 0x00, 0x0a,
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1968 0x01, 0x00, 0x00, 0x1f, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x17, 0x00,
1969 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00,
1970 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18,
1971 };
1972 if (!ClientHelloMatches(TLS1_1_VERSION, kTLS11ClientHello,
1973 sizeof(kTLS11ClientHello))) {
1974 return false;
1975 }
1976
David Benjamin3b584332017-01-24 22:47:18 -0500[diff] [blame]1977 // kTLS12ClientHello assumes RSA-PSS, which is disabled for Android system
1978 // builds.
1979#if defined(BORINGSSL_ANDROID_SYSTEM)
1980 return true;
1981#endif
1982
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]1983 static const uint8_t kTLS12ClientHello[] = {
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1984 0x16,
1985 0x03, 0x01,
1986 0x00, 0x8e,
1987 0x01,
1988 0x00, 0x00, 0x8a,
1989 0x03, 0x03,
David Benjamin57e929f2016-08-30 00:30:38 -0400[diff] [blame]1990 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1991 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]1992 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1993 0x00, 0x2a,
1994 0xcc, 0xa9,
1995 0xcc, 0xa8,
1996 0xc0, 0x2b,
1997 0xc0, 0x2f,
1998 0xc0, 0x2c,
1999 0xc0, 0x30,
2000 0xc0, 0x09,
2001 0xc0, 0x23,
2002 0xc0, 0x13,
2003 0xc0, 0x27,
2004 0xc0, 0x0a,
2005 0xc0, 0x24,
2006 0xc0, 0x14,
2007 0xc0, 0x28,
2008 0x00, 0x9c,
2009 0x00, 0x9d,
2010 0x00, 0x2f,
2011 0x00, 0x3c,
2012 0x00, 0x35,
2013 0x00, 0x3d,
2014 0x00, 0x0a,
2015 0x01, 0x00, 0x00, 0x37, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x17, 0x00,
2016 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x14, 0x00, 0x12, 0x04,
2017 0x03, 0x08, 0x04, 0x04, 0x01, 0x05, 0x03, 0x08, 0x05, 0x05, 0x01, 0x08,
2018 0x06, 0x06, 0x01, 0x02, 0x01, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00,
2019 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18,
David Benjaminafc64de2016-07-19 17:12:41 +0200[diff] [blame]2020 };
2021 if (!ClientHelloMatches(TLS1_2_VERSION, kTLS12ClientHello,
2022 sizeof(kTLS12ClientHello))) {
2023 return false;
2024 }
2025
2026 // TODO(davidben): Add a change detector for TLS 1.3 once the spec and our
2027 // implementation has settled enough that it won't change.
2028
2029 return true;
2030}
2031
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2032static bssl::UniquePtr<SSL_SESSION> g_last_session;
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2033
2034static int SaveLastSession(SSL *ssl, SSL_SESSION *session) {
2035 // Save the most recent session.
2036 g_last_session.reset(session);
2037 return 1;
2038}
2039
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2040static bssl::UniquePtr<SSL_SESSION> CreateClientSession(SSL_CTX *client_ctx,
Steven Valdeze831a812017-03-09 14:56:07 -0500[diff] [blame]2041 SSL_CTX *server_ctx) {
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2042 g_last_session = nullptr;
2043 SSL_CTX_sess_set_new_cb(client_ctx, SaveLastSession);
2044
2045 // Connect client and server to get a session.
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2046 bssl::UniquePtr<SSL> client, server;
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2047 if (!ConnectClientAndServer(&client, &server, client_ctx, server_ctx,
2048 nullptr /* no session */)) {
2049 fprintf(stderr, "Failed to connect client and server.\n");
2050 return nullptr;
2051 }
2052
2053 // Run the read loop to account for post-handshake tickets in TLS 1.3.
2054 SSL_read(client.get(), nullptr, 0);
2055
2056 SSL_CTX_sess_set_new_cb(client_ctx, nullptr);
2057
2058 if (!g_last_session) {
2059 fprintf(stderr, "Client did not receive a session.\n");
2060 return nullptr;
2061 }
2062 return std::move(g_last_session);
2063}
2064
2065static bool ExpectSessionReused(SSL_CTX *client_ctx, SSL_CTX *server_ctx,
2066 SSL_SESSION *session,
2067 bool reused) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2068 bssl::UniquePtr<SSL> client, server;
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2069 if (!ConnectClientAndServer(&client, &server, client_ctx,
2070 server_ctx, session)) {
2071 fprintf(stderr, "Failed to connect client and server.\n");
2072 return false;
2073 }
2074
2075 if (SSL_session_reused(client.get()) != SSL_session_reused(server.get())) {
2076 fprintf(stderr, "Client and server were inconsistent.\n");
2077 return false;
2078 }
2079
2080 bool was_reused = !!SSL_session_reused(client.get());
2081 if (was_reused != reused) {
2082 fprintf(stderr, "Session was%s reused, but we expected the opposite.\n",
2083 was_reused ? "" : " not");
2084 return false;
2085 }
2086
2087 return true;
2088}
2089
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]2090static bssl::UniquePtr<SSL_SESSION> ExpectSessionRenewed(SSL_CTX *client_ctx,
2091 SSL_CTX *server_ctx,
2092 SSL_SESSION *session) {
2093 g_last_session = nullptr;
2094 SSL_CTX_sess_set_new_cb(client_ctx, SaveLastSession);
2095
2096 bssl::UniquePtr<SSL> client, server;
2097 if (!ConnectClientAndServer(&client, &server, client_ctx,
2098 server_ctx, session)) {
2099 fprintf(stderr, "Failed to connect client and server.\n");
2100 return nullptr;
2101 }
2102
2103 if (SSL_session_reused(client.get()) != SSL_session_reused(server.get())) {
2104 fprintf(stderr, "Client and server were inconsistent.\n");
2105 return nullptr;
2106 }
2107
2108 if (!SSL_session_reused(client.get())) {
2109 fprintf(stderr, "Session was not reused.\n");
2110 return nullptr;
2111 }
2112
2113 // Run the read loop to account for post-handshake tickets in TLS 1.3.
2114 SSL_read(client.get(), nullptr, 0);
2115
2116 SSL_CTX_sess_set_new_cb(client_ctx, nullptr);
2117
2118 if (!g_last_session) {
2119 fprintf(stderr, "Client did not receive a renewed session.\n");
2120 return nullptr;
2121 }
2122 return std::move(g_last_session);
2123}
2124
David Benjamina933c382016-10-28 00:10:03 -0400[diff] [blame]2125static int SwitchSessionIDContextSNI(SSL *ssl, int *out_alert, void *arg) {
2126 static const uint8_t kContext[] = {3};
2127
2128 if (!SSL_set_session_id_context(ssl, kContext, sizeof(kContext))) {
2129 return SSL_TLSEXT_ERR_ALERT_FATAL;
2130 }
2131
2132 return SSL_TLSEXT_ERR_OK;
2133}
2134
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2135static bool TestSessionIDContext(bool is_dtls, const SSL_METHOD *method,
2136 uint16_t version) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2137 bssl::UniquePtr<X509> cert = GetTestCertificate();
2138 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2139 if (!cert || !key) {
2140 return false;
2141 }
2142
2143 static const uint8_t kContext1[] = {1};
2144 static const uint8_t kContext2[] = {2};
2145
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2146 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method));
2147 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method));
2148 if (!server_ctx || !client_ctx ||
2149 !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) ||
2150 !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()) ||
2151 !SSL_CTX_set_session_id_context(server_ctx.get(), kContext1,
2152 sizeof(kContext1)) ||
2153 !SSL_CTX_set_min_proto_version(client_ctx.get(), version) ||
2154 !SSL_CTX_set_max_proto_version(client_ctx.get(), version) ||
2155 !SSL_CTX_set_min_proto_version(server_ctx.get(), version) ||
2156 !SSL_CTX_set_max_proto_version(server_ctx.get(), version)) {
2157 return false;
2158 }
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2159
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2160 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
2161 SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH);
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2162
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2163 bssl::UniquePtr<SSL_SESSION> session =
2164 CreateClientSession(client_ctx.get(), server_ctx.get());
2165 if (!session) {
2166 fprintf(stderr, "Error getting session.\n");
2167 return false;
2168 }
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2169
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2170 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(),
2171 true /* expect session reused */)) {
2172 fprintf(stderr, "Error resuming session.\n");
2173 return false;
2174 }
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2175
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2176 // Change the session ID context.
2177 if (!SSL_CTX_set_session_id_context(server_ctx.get(), kContext2,
2178 sizeof(kContext2))) {
2179 return false;
2180 }
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2181
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2182 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(),
2183 false /* expect session not reused */)) {
2184 fprintf(stderr, "Error connecting with a different context.\n");
2185 return false;
2186 }
David Benjamina933c382016-10-28 00:10:03 -0400[diff] [blame]2187
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2188 // Change the session ID context back and install an SNI callback to switch
2189 // it.
2190 if (!SSL_CTX_set_session_id_context(server_ctx.get(), kContext1,
2191 sizeof(kContext1))) {
2192 return false;
2193 }
David Benjamina933c382016-10-28 00:10:03 -0400[diff] [blame]2194
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2195 SSL_CTX_set_tlsext_servername_callback(server_ctx.get(),
2196 SwitchSessionIDContextSNI);
David Benjamina933c382016-10-28 00:10:03 -0400[diff] [blame]2197
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2198 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(),
2199 false /* expect session not reused */)) {
2200 fprintf(stderr, "Error connecting with a context switch on SNI callback.\n");
2201 return false;
2202 }
David Benjamina933c382016-10-28 00:10:03 -0400[diff] [blame]2203
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2204 // Switch the session ID context with the early callback instead.
2205 SSL_CTX_set_tlsext_servername_callback(server_ctx.get(), nullptr);
Alessandro Ghedini57e81e62017-03-14 23:36:00 +0000[diff] [blame]2206 SSL_CTX_set_select_certificate_cb(
2207 server_ctx.get(),
2208 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
2209 static const uint8_t kContext[] = {3};
2210
2211 if (!SSL_set_session_id_context(client_hello->ssl, kContext,
2212 sizeof(kContext))) {
2213 return ssl_select_cert_error;
2214 }
2215
2216 return ssl_select_cert_success;
2217 });
David Benjamina933c382016-10-28 00:10:03 -0400[diff] [blame]2218
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2219 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(),
2220 false /* expect session not reused */)) {
2221 fprintf(stderr,
2222 "Error connecting with a context switch on early callback.\n");
2223 return false;
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]2224 }
2225
2226 return true;
2227}
2228
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]2229static timeval g_current_time;
2230
2231static void CurrentTimeCallback(const SSL *ssl, timeval *out_clock) {
2232 *out_clock = g_current_time;
2233}
2234
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2235static void FrozenTimeCallback(const SSL *ssl, timeval *out_clock) {
2236 out_clock->tv_sec = 1000;
2237 out_clock->tv_usec = 0;
2238}
2239
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]2240static int RenewTicketCallback(SSL *ssl, uint8_t *key_name, uint8_t *iv,
2241 EVP_CIPHER_CTX *ctx, HMAC_CTX *hmac_ctx,
2242 int encrypt) {
2243 static const uint8_t kZeros[16] = {0};
2244
2245 if (encrypt) {
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]2246 OPENSSL_memcpy(key_name, kZeros, sizeof(kZeros));
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]2247 RAND_bytes(iv, 16);
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]2248 } else if (OPENSSL_memcmp(key_name, kZeros, 16) != 0) {
David Benjamin3c51d9b2016-11-01 17:50:42 -0400[diff] [blame]2249 return 0;
2250 }
2251
2252 if (!HMAC_Init_ex(hmac_ctx, kZeros, sizeof(kZeros), EVP_sha256(), NULL) ||
2253 !EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, kZeros, iv, encrypt)) {
2254 return -1;
2255 }
2256
2257 // Returning two from the callback in decrypt mode renews the
2258 // session in TLS 1.2 and below.
2259 return encrypt ? 1 : 2;
2260}
2261
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]2262static bool GetServerTicketTime(long *out, const SSL_SESSION *session) {
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]2263 if (session->tlsext_ticklen < 16 + 16 + SHA256_DIGEST_LENGTH) {
2264 return false;
2265 }
2266
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]2267 const uint8_t *ciphertext = session->tlsext_tick + 16 + 16;
2268 size_t len = session->tlsext_ticklen - 16 - 16 - SHA256_DIGEST_LENGTH;
2269 std::unique_ptr<uint8_t[]> plaintext(new uint8_t[len]);
2270
David Benjamin9b63f292016-11-15 00:44:05 -0500[diff] [blame]2271#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
2272 // Fuzzer-mode tickets are unencrypted.
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]2273 OPENSSL_memcpy(plaintext.get(), ciphertext, len);
David Benjamin9b63f292016-11-15 00:44:05 -0500[diff] [blame]2274#else
2275 static const uint8_t kZeros[16] = {0};
2276 const uint8_t *iv = session->tlsext_tick + 16;
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]2277 bssl::ScopedEVP_CIPHER_CTX ctx;
2278 int len1, len2;
2279 if (!EVP_DecryptInit_ex(ctx.get(), EVP_aes_128_cbc(), nullptr, kZeros, iv) ||
2280 !EVP_DecryptUpdate(ctx.get(), plaintext.get(), &len1, ciphertext, len) ||
2281 !EVP_DecryptFinal_ex(ctx.get(), plaintext.get() + len1, &len2)) {
2282 return false;
2283 }
2284
2285 len = static_cast<size_t>(len1 + len2);
David Benjamin9b63f292016-11-15 00:44:05 -0500[diff] [blame]2286#endif
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]2287
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]2288 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
2289 if (!ssl_ctx) {
2290 return false;
2291 }
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]2292 bssl::UniquePtr<SSL_SESSION> server_session(
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]2293 SSL_SESSION_from_bytes(plaintext.get(), len, ssl_ctx.get()));
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]2294 if (!server_session) {
2295 return false;
2296 }
2297
2298 *out = server_session->time;
2299 return true;
2300}
2301
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2302static bool TestSessionTimeout(bool is_dtls, const SSL_METHOD *method,
2303 uint16_t version) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2304 bssl::UniquePtr<X509> cert = GetTestCertificate();
2305 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]2306 if (!cert || !key) {
2307 return false;
2308 }
2309
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2310 for (bool server_test : std::vector<bool>{false, true}) {
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2311 static const time_t kStartTime = 1000;
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2312 g_current_time.tv_sec = kStartTime;
David Benjamin1b22f852016-10-27 16:36:32 -0400[diff] [blame]2313
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2314 // We are willing to use a longer lifetime for TLS 1.3 sessions as
2315 // resumptions still perform ECDHE.
2316 const time_t timeout = version == TLS1_3_VERSION
2317 ? SSL_DEFAULT_SESSION_PSK_DHE_TIMEOUT
2318 : SSL_DEFAULT_SESSION_TIMEOUT;
2319
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2320 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method));
2321 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method));
2322 if (!server_ctx || !client_ctx ||
2323 !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) ||
2324 !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()) ||
2325 !SSL_CTX_set_min_proto_version(client_ctx.get(), version) ||
2326 !SSL_CTX_set_max_proto_version(client_ctx.get(), version) ||
2327 !SSL_CTX_set_min_proto_version(server_ctx.get(), version) ||
2328 !SSL_CTX_set_max_proto_version(server_ctx.get(), version)) {
2329 return false;
2330 }
2331
2332 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
2333 SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH);
2334
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2335 // Both client and server must enforce session timeouts. We configure the
2336 // other side with a frozen clock so it never expires tickets.
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2337 if (server_test) {
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2338 SSL_CTX_set_current_time_cb(client_ctx.get(), FrozenTimeCallback);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2339 SSL_CTX_set_current_time_cb(server_ctx.get(), CurrentTimeCallback);
2340 } else {
2341 SSL_CTX_set_current_time_cb(client_ctx.get(), CurrentTimeCallback);
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2342 SSL_CTX_set_current_time_cb(server_ctx.get(), FrozenTimeCallback);
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2343 }
2344
2345 // Configure a ticket callback which renews tickets.
2346 SSL_CTX_set_tlsext_ticket_key_cb(server_ctx.get(), RenewTicketCallback);
2347
2348 bssl::UniquePtr<SSL_SESSION> session =
2349 CreateClientSession(client_ctx.get(), server_ctx.get());
2350 if (!session) {
2351 fprintf(stderr, "Error getting session.\n");
2352 return false;
2353 }
2354
2355 // Advance the clock just behind the timeout.
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2356 g_current_time.tv_sec += timeout - 1;
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2357
2358 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(),
2359 true /* expect session reused */)) {
2360 fprintf(stderr, "Error resuming session.\n");
2361 return false;
2362 }
2363
2364 // Advance the clock one more second.
2365 g_current_time.tv_sec++;
2366
2367 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(),
2368 false /* expect session not reused */)) {
2369 fprintf(stderr, "Error resuming session.\n");
2370 return false;
2371 }
2372
2373 // Rewind the clock to before the session was minted.
2374 g_current_time.tv_sec = kStartTime - 1;
2375
2376 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(),
2377 false /* expect session not reused */)) {
2378 fprintf(stderr, "Error resuming session.\n");
2379 return false;
2380 }
2381
2382 // SSL 3.0 cannot renew sessions.
2383 if (version == SSL3_VERSION) {
2384 continue;
2385 }
2386
2387 // Renew the session 10 seconds before expiration.
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2388 time_t new_start_time = kStartTime + timeout - 10;
2389 g_current_time.tv_sec = new_start_time;
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2390 bssl::UniquePtr<SSL_SESSION> new_session =
2391 ExpectSessionRenewed(client_ctx.get(), server_ctx.get(), session.get());
2392 if (!new_session) {
2393 fprintf(stderr, "Error renewing session.\n");
2394 return false;
2395 }
2396
2397 // This new session is not the same object as before.
2398 if (session.get() == new_session.get()) {
2399 fprintf(stderr, "New and old sessions alias.\n");
2400 return false;
2401 }
2402
2403 // Check the sessions have timestamps measured from issuance.
2404 long session_time = 0;
2405 if (server_test) {
2406 if (!GetServerTicketTime(&session_time, new_session.get())) {
2407 fprintf(stderr, "Failed to decode session ticket.\n");
David Benjaminb2e2e322016-11-01 17:32:54 -0400[diff] [blame]2408 return false;
2409 }
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2410 } else {
2411 session_time = new_session->time;
2412 }
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]2413
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2414 if (session_time != g_current_time.tv_sec) {
2415 fprintf(stderr, "New session is not measured from issuance.\n");
2416 return false;
2417 }
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]2418
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2419 if (version == TLS1_3_VERSION) {
2420 // Renewal incorporates fresh key material in TLS 1.3, so we extend the
2421 // lifetime TLS 1.3.
2422 g_current_time.tv_sec = new_start_time + timeout - 1;
2423 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(),
2424 new_session.get(),
2425 true /* expect session reused */)) {
2426 fprintf(stderr, "Error resuming renewed session.\n");
2427 return false;
2428 }
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]2429
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]2430 // The new session expires after the new timeout.
2431 g_current_time.tv_sec = new_start_time + timeout + 1;
2432 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(),
2433 new_session.get(),
2434 false /* expect session ot reused */)) {
2435 fprintf(stderr, "Renewed session's lifetime is too long.\n");
2436 return false;
2437 }
2438
2439 // Renew the session until it begins just past the auth timeout.
2440 time_t auth_end_time = kStartTime + SSL_DEFAULT_SESSION_AUTH_TIMEOUT;
2441 while (new_start_time < auth_end_time - 1000) {
2442 // Get as close as possible to target start time.
2443 new_start_time =
2444 std::min(auth_end_time - 1000, new_start_time + timeout - 1);
2445 g_current_time.tv_sec = new_start_time;
2446 new_session = ExpectSessionRenewed(client_ctx.get(), server_ctx.get(),
2447 new_session.get());
2448 if (!new_session) {
2449 fprintf(stderr, "Error renewing session.\n");
2450 return false;
2451 }
2452 }
2453
2454 // Now the session's lifetime is bound by the auth timeout.
2455 g_current_time.tv_sec = auth_end_time - 1;
2456 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(),
2457 new_session.get(),
2458 true /* expect session reused */)) {
2459 fprintf(stderr, "Error resuming renewed session.\n");
2460 return false;
2461 }
2462
2463 g_current_time.tv_sec = auth_end_time + 1;
2464 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(),
2465 new_session.get(),
2466 false /* expect session ot reused */)) {
2467 fprintf(stderr, "Renewed session's lifetime is too long.\n");
2468 return false;
2469 }
2470 } else {
2471 // The new session is usable just before the old expiration.
2472 g_current_time.tv_sec = kStartTime + timeout - 1;
2473 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(),
2474 new_session.get(),
2475 true /* expect session reused */)) {
2476 fprintf(stderr, "Error resuming renewed session.\n");
2477 return false;
2478 }
2479
2480 // Renewal does not extend the lifetime, so it is not usable beyond the
2481 // old expiration.
2482 g_current_time.tv_sec = kStartTime + timeout + 1;
2483 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(),
2484 new_session.get(),
2485 false /* expect session not reused */)) {
2486 fprintf(stderr, "Renewed session's lifetime is too long.\n");
2487 return false;
2488 }
David Benjamin1b22f852016-10-27 16:36:32 -0400[diff] [blame]2489 }
David Benjamin721e8b72016-08-03 13:13:17 -0400[diff] [blame]2490 }
2491
2492 return true;
2493}
2494
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2495static int SwitchContext(SSL *ssl, int *out_alert, void *arg) {
2496 SSL_CTX *ctx = reinterpret_cast<SSL_CTX*>(arg);
2497 SSL_set_SSL_CTX(ssl, ctx);
2498 return SSL_TLSEXT_ERR_OK;
2499}
2500
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2501static bool TestSNICallback(bool is_dtls, const SSL_METHOD *method,
2502 uint16_t version) {
2503 // SSL 3.0 lacks extensions.
2504 if (version == SSL3_VERSION) {
2505 return true;
2506 }
2507
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2508 bssl::UniquePtr<X509> cert = GetTestCertificate();
2509 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
2510 bssl::UniquePtr<X509> cert2 = GetECDSATestCertificate();
2511 bssl::UniquePtr<EVP_PKEY> key2 = GetECDSATestKey();
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2512 if (!cert || !key || !cert2 || !key2) {
2513 return false;
2514 }
2515
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2516 // Test that switching the |SSL_CTX| at the SNI callback behaves correctly.
2517 static const uint16_t kECDSAWithSHA256 = SSL_SIGN_ECDSA_SECP256R1_SHA256;
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2518
David Benjamin83a32122017-02-14 18:34:54 -0500[diff] [blame]2519 static const uint8_t kSCTList[] = {0, 6, 0, 4, 5, 6, 7, 8};
2520 static const uint8_t kOCSPResponse[] = {1, 2, 3, 4};
2521
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2522 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method));
2523 bssl::UniquePtr<SSL_CTX> server_ctx2(SSL_CTX_new(method));
2524 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method));
2525 if (!server_ctx || !server_ctx2 || !client_ctx ||
2526 !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) ||
2527 !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()) ||
2528 !SSL_CTX_use_certificate(server_ctx2.get(), cert2.get()) ||
2529 !SSL_CTX_use_PrivateKey(server_ctx2.get(), key2.get()) ||
David Benjamin83a32122017-02-14 18:34:54 -0500[diff] [blame]2530 !SSL_CTX_set_signed_cert_timestamp_list(server_ctx2.get(), kSCTList,
2531 sizeof(kSCTList)) ||
2532 !SSL_CTX_set_ocsp_response(server_ctx2.get(), kOCSPResponse,
2533 sizeof(kOCSPResponse)) ||
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2534 // Historically signing preferences would be lost in some cases with the
2535 // SNI callback, which triggers the TLS 1.2 SHA-1 default. To ensure
2536 // this doesn't happen when |version| is TLS 1.2, configure the private
2537 // key to only sign SHA-256.
2538 !SSL_CTX_set_signing_algorithm_prefs(server_ctx2.get(), &kECDSAWithSHA256,
2539 1) ||
2540 !SSL_CTX_set_min_proto_version(client_ctx.get(), version) ||
2541 !SSL_CTX_set_max_proto_version(client_ctx.get(), version) ||
2542 !SSL_CTX_set_min_proto_version(server_ctx.get(), version) ||
2543 !SSL_CTX_set_max_proto_version(server_ctx.get(), version) ||
2544 !SSL_CTX_set_min_proto_version(server_ctx2.get(), version) ||
2545 !SSL_CTX_set_max_proto_version(server_ctx2.get(), version)) {
2546 return false;
2547 }
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2548
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2549 SSL_CTX_set_tlsext_servername_callback(server_ctx.get(), SwitchContext);
2550 SSL_CTX_set_tlsext_servername_arg(server_ctx.get(), server_ctx2.get());
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2551
David Benjamin83a32122017-02-14 18:34:54 -0500[diff] [blame]2552 SSL_CTX_enable_signed_cert_timestamps(client_ctx.get());
2553 SSL_CTX_enable_ocsp_stapling(client_ctx.get());
2554
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2555 bssl::UniquePtr<SSL> client, server;
2556 if (!ConnectClientAndServer(&client, &server, client_ctx.get(),
2557 server_ctx.get(), nullptr)) {
2558 fprintf(stderr, "Handshake failed.\n");
2559 return false;
2560 }
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2561
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2562 // The client should have received |cert2|.
2563 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(client.get()));
2564 if (!peer || X509_cmp(peer.get(), cert2.get()) != 0) {
2565 fprintf(stderr, "Incorrect certificate received.\n");
2566 return false;
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2567 }
2568
David Benjamin83a32122017-02-14 18:34:54 -0500[diff] [blame]2569 // The client should have received |server_ctx2|'s SCT list.
2570 const uint8_t *data;
2571 size_t len;
2572 SSL_get0_signed_cert_timestamp_list(client.get(), &data, &len);
2573 if (Bytes(kSCTList) != Bytes(data, len)) {
2574 fprintf(stderr, "Incorrect SCT list received.\n");
2575 return false;
2576 }
2577
2578 // The client should have received |server_ctx2|'s OCSP response.
2579 SSL_get0_ocsp_response(client.get(), &data, &len);
2580 if (Bytes(kOCSPResponse) != Bytes(data, len)) {
2581 fprintf(stderr, "Incorrect OCSP response received.\n");
2582 return false;
2583 }
2584
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]2585 return true;
2586}
2587
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2588// Test that the early callback can swap the maximum version.
2589TEST(SSLTest, EarlyCallbackVersionSwitch) {
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2590 bssl::UniquePtr<X509> cert = GetTestCertificate();
2591 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
2592 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
2593 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2594 ASSERT_TRUE(cert);
2595 ASSERT_TRUE(key);
2596 ASSERT_TRUE(server_ctx);
2597 ASSERT_TRUE(client_ctx);
2598 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
2599 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
2600 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION));
2601 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
David Benjamin99620572016-08-30 00:35:36 -0400[diff] [blame]2602
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2603 SSL_CTX_set_select_certificate_cb(
Alessandro Ghedini57e81e62017-03-14 23:36:00 +0000[diff] [blame]2604 server_ctx.get(),
2605 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2606 if (!SSL_set_max_proto_version(client_hello->ssl, TLS1_2_VERSION)) {
Alessandro Ghedini57e81e62017-03-14 23:36:00 +0000[diff] [blame]2607 return ssl_select_cert_error;
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2608 }
2609
Alessandro Ghedini57e81e62017-03-14 23:36:00 +0000[diff] [blame]2610 return ssl_select_cert_success;
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2611 });
David Benjamin99620572016-08-30 00:35:36 -0400[diff] [blame]2612
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700[diff] [blame]2613 bssl::UniquePtr<SSL> client, server;
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2614 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
2615 server_ctx.get(), nullptr));
2616 EXPECT_EQ(TLS1_2_VERSION, SSL_version(client.get()));
David Benjamin99620572016-08-30 00:35:36 -0400[diff] [blame]2617}
2618
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2619TEST(SSLTest, SetVersion) {
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2620 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2621 ASSERT_TRUE(ctx);
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2622
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2623 // Set valid TLS versions.
2624 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_VERSION));
2625 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_1_VERSION));
2626 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_VERSION));
2627 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_1_VERSION));
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2628
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2629 // Invalid TLS versions are rejected.
2630 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), DTLS1_VERSION));
2631 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0x0200));
2632 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0x1234));
2633 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), DTLS1_VERSION));
2634 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x0200));
2635 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x1234));
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2636
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2637 // Zero is the default version.
2638 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), 0));
David Benjaminfc08dfc2017-06-20 14:39:32 -0400[diff] [blame]2639 EXPECT_EQ(TLS1_2_VERSION, ctx->conf_max_version);
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2640 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), 0));
David Benjaminfc08dfc2017-06-20 14:39:32 -0400[diff] [blame]2641 EXPECT_EQ(TLS1_VERSION, ctx->conf_min_version);
David Benjamin3cfeb952017-03-01 16:48:38 -0500[diff] [blame]2642
2643 // SSL 3.0 and TLS 1.3 are available, but not by default.
2644 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), SSL3_VERSION));
David Benjaminfc08dfc2017-06-20 14:39:32 -0400[diff] [blame]2645 EXPECT_EQ(SSL3_VERSION, ctx->conf_min_version);
David Benjamin3cfeb952017-03-01 16:48:38 -0500[diff] [blame]2646 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_3_VERSION));
David Benjaminfc08dfc2017-06-20 14:39:32 -0400[diff] [blame]2647 EXPECT_EQ(TLS1_3_VERSION, ctx->conf_max_version);
David Benjamine34bcc92016-09-21 16:53:09 -0400[diff] [blame]2648
David Benjamin353577c2017-06-29 15:54:58 -0400[diff] [blame]2649 // TLS1_3_DRAFT_VERSION is not an API-level version.
2650 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_3_DRAFT_VERSION));
2651 ERR_clear_error();
2652
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2653 ctx.reset(SSL_CTX_new(DTLS_method()));
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2654 ASSERT_TRUE(ctx);
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2655
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2656 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), DTLS1_VERSION));
2657 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), DTLS1_2_VERSION));
2658 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), DTLS1_VERSION));
2659 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), DTLS1_2_VERSION));
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2660
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2661 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_VERSION));
2662 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0xfefe /* DTLS 1.1 */));
2663 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0xfffe /* DTLS 0.1 */));
2664 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0x1234));
2665 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_VERSION));
2666 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0xfefe /* DTLS 1.1 */));
2667 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0xfffe /* DTLS 0.1 */));
2668 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x1234));
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2669
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2670 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), 0));
David Benjaminfc08dfc2017-06-20 14:39:32 -0400[diff] [blame]2671 EXPECT_EQ(TLS1_2_VERSION, ctx->conf_max_version);
David Benjaminf0d8e222017-02-04 10:58:26 -0500[diff] [blame]2672 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), 0));
David Benjaminfc08dfc2017-06-20 14:39:32 -0400[diff] [blame]2673 EXPECT_EQ(TLS1_1_VERSION, ctx->conf_min_version);
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]2674}
2675
David Benjamin458334a2016-12-15 13:53:25 -0500[diff] [blame]2676static const char *GetVersionName(uint16_t version) {
2677 switch (version) {
2678 case SSL3_VERSION:
2679 return "SSLv3";
2680 case TLS1_VERSION:
2681 return "TLSv1";
2682 case TLS1_1_VERSION:
2683 return "TLSv1.1";
2684 case TLS1_2_VERSION:
2685 return "TLSv1.2";
2686 case TLS1_3_VERSION:
2687 return "TLSv1.3";
2688 case DTLS1_VERSION:
2689 return "DTLSv1";
2690 case DTLS1_2_VERSION:
2691 return "DTLSv1.2";
2692 default:
2693 return "???";
2694 }
2695}
2696
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2697static bool TestVersion(bool is_dtls, const SSL_METHOD *method,
2698 uint16_t version) {
David Benjamincb18ac22016-09-27 14:09:15 -0400[diff] [blame]2699 bssl::UniquePtr<X509> cert = GetTestCertificate();
2700 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
2701 if (!cert || !key) {
2702 return false;
2703 }
2704
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2705 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method));
2706 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method));
2707 bssl::UniquePtr<SSL> client, server;
2708 if (!server_ctx || !client_ctx ||
2709 !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) ||
2710 !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()) ||
2711 !SSL_CTX_set_min_proto_version(client_ctx.get(), version) ||
2712 !SSL_CTX_set_max_proto_version(client_ctx.get(), version) ||
2713 !SSL_CTX_set_min_proto_version(server_ctx.get(), version) ||
2714 !SSL_CTX_set_max_proto_version(server_ctx.get(), version) ||
2715 !ConnectClientAndServer(&client, &server, client_ctx.get(),
2716 server_ctx.get(), nullptr /* no session */)) {
2717 fprintf(stderr, "Failed to connect.\n");
2718 return false;
2719 }
David Benjamincb18ac22016-09-27 14:09:15 -0400[diff] [blame]2720
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2721 if (SSL_version(client.get()) != version ||
2722 SSL_version(server.get()) != version) {
2723 fprintf(stderr, "Version mismatch. Got %04x and %04x, wanted %04x.\n",
2724 SSL_version(client.get()), SSL_version(server.get()), version);
2725 return false;
David Benjamincb18ac22016-09-27 14:09:15 -0400[diff] [blame]2726 }
2727
David Benjamin458334a2016-12-15 13:53:25 -0500[diff] [blame]2728 // Test the version name is reported as expected.
2729 const char *version_name = GetVersionName(version);
2730 if (strcmp(version_name, SSL_get_version(client.get())) != 0 ||
2731 strcmp(version_name, SSL_get_version(server.get())) != 0) {
2732 fprintf(stderr, "Version name mismatch. Got '%s' and '%s', wanted '%s'.\n",
2733 SSL_get_version(client.get()), SSL_get_version(server.get()),
2734 version_name);
2735 return false;
2736 }
2737
2738 // Test SSL_SESSION reports the same name.
2739 const char *client_name =
2740 SSL_SESSION_get_version(SSL_get_session(client.get()));
2741 const char *server_name =
2742 SSL_SESSION_get_version(SSL_get_session(server.get()));
2743 if (strcmp(version_name, client_name) != 0 ||
2744 strcmp(version_name, server_name) != 0) {
2745 fprintf(stderr,
2746 "Session version name mismatch. Got '%s' and '%s', wanted '%s'.\n",
2747 client_name, server_name, version_name);
2748 return false;
2749 }
2750
David Benjamincb18ac22016-09-27 14:09:15 -0400[diff] [blame]2751 return true;
2752}
2753
David Benjamin9ef31f02016-10-31 18:01:13 -0400[diff] [blame]2754// Tests that that |SSL_get_pending_cipher| is available during the ALPN
2755// selection callback.
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2756static bool TestALPNCipherAvailable(bool is_dtls, const SSL_METHOD *method,
2757 uint16_t version) {
2758 // SSL 3.0 lacks extensions.
2759 if (version == SSL3_VERSION) {
2760 return true;
2761 }
2762
David Benjamin9ef31f02016-10-31 18:01:13 -0400[diff] [blame]2763 static const uint8_t kALPNProtos[] = {0x03, 'f', 'o', 'o'};
2764
2765 bssl::UniquePtr<X509> cert = GetTestCertificate();
2766 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
2767 if (!cert || !key) {
2768 return false;
2769 }
2770
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]2771 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method));
2772 if (!ctx || !SSL_CTX_use_certificate(ctx.get(), cert.get()) ||
2773 !SSL_CTX_use_PrivateKey(ctx.get(), key.get()) ||
2774 !SSL_CTX_set_min_proto_version(ctx.get(), version) ||
2775 !SSL_CTX_set_max_proto_version(ctx.get(), version) ||
2776 SSL_CTX_set_alpn_protos(ctx.get(), kALPNProtos, sizeof(kALPNProtos)) !=
2777 0) {
2778 return false;
2779 }
2780
2781 // The ALPN callback does not fail the handshake on error, so have the
2782 // callback write a boolean.
2783 std::pair<uint16_t, bool> callback_state(version, false);
2784 SSL_CTX_set_alpn_select_cb(
2785 ctx.get(),
2786 [](SSL *ssl, const uint8_t **out, uint8_t *out_len, const uint8_t *in,
2787 unsigned in_len, void *arg) -> int {
2788 auto state = reinterpret_cast<std::pair<uint16_t, bool> *>(arg);
2789 if (SSL_get_pending_cipher(ssl) != nullptr &&
2790 SSL_version(ssl) == state->first) {
2791 state->second = true;
2792 }
2793 return SSL_TLSEXT_ERR_NOACK;
2794 },
2795 &callback_state);
2796
2797 bssl::UniquePtr<SSL> client, server;
2798 if (!ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
2799 nullptr /* no session */)) {
2800 return false;
2801 }
2802
2803 if (!callback_state.second) {
2804 fprintf(stderr, "The pending cipher was not known in the ALPN callback.\n");
2805 return false;
2806 }
2807
2808 return true;
2809}
2810
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]2811static bool TestSSLClearSessionResumption(bool is_dtls,
2812 const SSL_METHOD *method,
2813 uint16_t version) {
2814 // Skip this for TLS 1.3. TLS 1.3's ticket mechanism is incompatible with this
2815 // API pattern.
2816 if (version == TLS1_3_VERSION) {
2817 return true;
2818 }
2819
2820 bssl::UniquePtr<X509> cert = GetTestCertificate();
2821 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
2822 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method));
2823 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method));
2824 if (!cert || !key || !server_ctx || !client_ctx ||
2825 !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) ||
2826 !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()) ||
2827 !SSL_CTX_set_min_proto_version(client_ctx.get(), version) ||
2828 !SSL_CTX_set_max_proto_version(client_ctx.get(), version) ||
2829 !SSL_CTX_set_min_proto_version(server_ctx.get(), version) ||
2830 !SSL_CTX_set_max_proto_version(server_ctx.get(), version)) {
2831 return false;
2832 }
2833
2834 // Connect a client and a server.
2835 bssl::UniquePtr<SSL> client, server;
2836 if (!ConnectClientAndServer(&client, &server, client_ctx.get(),
2837 server_ctx.get(), nullptr /* no session */)) {
2838 return false;
2839 }
2840
2841 if (SSL_session_reused(client.get()) ||
2842 SSL_session_reused(server.get())) {
2843 fprintf(stderr, "Session unexpectedly reused.\n");
2844 return false;
2845 }
2846
2847 // Reset everything.
2848 if (!SSL_clear(client.get()) ||
2849 !SSL_clear(server.get())) {
2850 fprintf(stderr, "SSL_clear failed.\n");
2851 return false;
2852 }
2853
2854 // Attempt to connect a second time.
2855 if (!CompleteHandshakes(client.get(), server.get())) {
2856 fprintf(stderr, "Could not reuse SSL objects.\n");
2857 return false;
2858 }
2859
2860 // |SSL_clear| should implicitly offer the previous session to the server.
2861 if (!SSL_session_reused(client.get()) ||
2862 !SSL_session_reused(server.get())) {
2863 fprintf(stderr, "Session was not reused in second try.\n");
2864 return false;
2865 }
2866
2867 return true;
2868}
2869
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]2870static bool ChainsEqual(STACK_OF(X509) *chain,
2871 const std::vector<X509 *> &expected) {
2872 if (sk_X509_num(chain) != expected.size()) {
2873 return false;
2874 }
2875
2876 for (size_t i = 0; i < expected.size(); i++) {
2877 if (X509_cmp(sk_X509_value(chain, i), expected[i]) != 0) {
2878 return false;
2879 }
2880 }
2881
2882 return true;
2883}
2884
2885static bool TestAutoChain(bool is_dtls, const SSL_METHOD *method,
2886 uint16_t version) {
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]2887 bssl::UniquePtr<X509> cert = GetChainTestCertificate();
2888 bssl::UniquePtr<X509> intermediate = GetChainTestIntermediate();
2889 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
2890 if (!cert || !intermediate || !key) {
2891 return false;
2892 }
2893
2894 // Configure both client and server to accept any certificate. Add
2895 // |intermediate| to the cert store.
2896 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method));
2897 if (!ctx ||
2898 !SSL_CTX_use_certificate(ctx.get(), cert.get()) ||
2899 !SSL_CTX_use_PrivateKey(ctx.get(), key.get()) ||
2900 !SSL_CTX_set_min_proto_version(ctx.get(), version) ||
2901 !SSL_CTX_set_max_proto_version(ctx.get(), version) ||
2902 !X509_STORE_add_cert(SSL_CTX_get_cert_store(ctx.get()),
2903 intermediate.get())) {
2904 return false;
2905 }
2906 SSL_CTX_set_verify(
2907 ctx.get(), SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nullptr);
2908 SSL_CTX_set_cert_verify_callback(ctx.get(), VerifySucceed, NULL);
2909
2910 // By default, the client and server should each only send the leaf.
2911 bssl::UniquePtr<SSL> client, server;
2912 if (!ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
2913 nullptr /* no session */)) {
2914 return false;
2915 }
2916
2917 if (!ChainsEqual(SSL_get_peer_full_cert_chain(client.get()), {cert.get()})) {
2918 fprintf(stderr, "Client-received chain did not match.\n");
2919 return false;
2920 }
2921
2922 if (!ChainsEqual(SSL_get_peer_full_cert_chain(server.get()), {cert.get()})) {
2923 fprintf(stderr, "Server-received chain did not match.\n");
2924 return false;
2925 }
2926
2927 // If auto-chaining is enabled, then the intermediate is sent.
2928 SSL_CTX_clear_mode(ctx.get(), SSL_MODE_NO_AUTO_CHAIN);
2929 if (!ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
2930 nullptr /* no session */)) {
2931 return false;
2932 }
2933
2934 if (!ChainsEqual(SSL_get_peer_full_cert_chain(client.get()),
2935 {cert.get(), intermediate.get()})) {
2936 fprintf(stderr, "Client-received chain did not match (auto-chaining).\n");
2937 return false;
2938 }
2939
2940 if (!ChainsEqual(SSL_get_peer_full_cert_chain(server.get()),
2941 {cert.get(), intermediate.get()})) {
2942 fprintf(stderr, "Server-received chain did not match (auto-chaining).\n");
2943 return false;
2944 }
2945
2946 // Auto-chaining does not override explicitly-configured intermediates.
2947 if (!SSL_CTX_add1_chain_cert(ctx.get(), cert.get()) ||
2948 !ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
2949 nullptr /* no session */)) {
2950 return false;
2951 }
2952
2953 if (!ChainsEqual(SSL_get_peer_full_cert_chain(client.get()),
2954 {cert.get(), cert.get()})) {
2955 fprintf(stderr,
2956 "Client-received chain did not match (auto-chaining, explicit "
2957 "intermediate).\n");
2958 return false;
2959 }
2960
2961 if (!ChainsEqual(SSL_get_peer_full_cert_chain(server.get()),
2962 {cert.get(), cert.get()})) {
2963 fprintf(stderr,
2964 "Server-received chain did not match (auto-chaining, explicit "
2965 "intermediate).\n");
2966 return false;
2967 }
2968
2969 return true;
2970}
2971
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]2972static bool ExpectBadWriteRetry() {
2973 int err = ERR_get_error();
2974 if (ERR_GET_LIB(err) != ERR_LIB_SSL ||
2975 ERR_GET_REASON(err) != SSL_R_BAD_WRITE_RETRY) {
2976 char buf[ERR_ERROR_STRING_BUF_LEN];
2977 ERR_error_string_n(err, buf, sizeof(buf));
2978 fprintf(stderr, "Wanted SSL_R_BAD_WRITE_RETRY, got: %s.\n", buf);
2979 return false;
2980 }
2981
2982 if (ERR_peek_error() != 0) {
2983 fprintf(stderr, "Unexpected error following SSL_R_BAD_WRITE_RETRY.\n");
2984 return false;
2985 }
2986
2987 return true;
2988}
2989
2990static bool TestSSLWriteRetry(bool is_dtls, const SSL_METHOD *method,
2991 uint16_t version) {
2992 if (is_dtls) {
2993 return true;
2994 }
2995
2996 for (bool enable_partial_write : std::vector<bool>{false, true}) {
2997 // Connect a client and server.
2998 bssl::UniquePtr<X509> cert = GetTestCertificate();
2999 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
3000 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method));
3001 bssl::UniquePtr<SSL> client, server;
3002 if (!cert || !key || !ctx ||
3003 !SSL_CTX_use_certificate(ctx.get(), cert.get()) ||
3004 !SSL_CTX_use_PrivateKey(ctx.get(), key.get()) ||
3005 !SSL_CTX_set_min_proto_version(ctx.get(), version) ||
3006 !SSL_CTX_set_max_proto_version(ctx.get(), version) ||
3007 !ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
3008 nullptr /* no session */)) {
3009 return false;
3010 }
3011
3012 if (enable_partial_write) {
3013 SSL_set_mode(client.get(), SSL_MODE_ENABLE_PARTIAL_WRITE);
3014 }
3015
3016 // Write without reading until the buffer is full and we have an unfinished
3017 // write. Keep a count so we may reread it again later. "hello!" will be
3018 // written in two chunks, "hello" and "!".
3019 char data[] = "hello!";
3020 static const int kChunkLen = 5; // The length of "hello".
3021 unsigned count = 0;
3022 for (;;) {
3023 int ret = SSL_write(client.get(), data, kChunkLen);
3024 if (ret <= 0) {
3025 int err = SSL_get_error(client.get(), ret);
3026 if (SSL_get_error(client.get(), ret) == SSL_ERROR_WANT_WRITE) {
3027 break;
3028 }
3029 fprintf(stderr, "SSL_write failed in unexpected way: %d\n", err);
3030 return false;
3031 }
3032
3033 if (ret != 5) {
3034 fprintf(stderr, "SSL_write wrote %d bytes, expected 5.\n", ret);
3035 return false;
3036 }
3037
3038 count++;
3039 }
3040
3041 // Retrying with the same parameters is legal.
3042 if (SSL_get_error(client.get(), SSL_write(client.get(), data, kChunkLen)) !=
3043 SSL_ERROR_WANT_WRITE) {
3044 fprintf(stderr, "SSL_write retry unexpectedly failed.\n");
3045 return false;
3046 }
3047
3048 // Retrying with the same buffer but shorter length is not legal.
3049 if (SSL_get_error(client.get(),
3050 SSL_write(client.get(), data, kChunkLen - 1)) !=
3051 SSL_ERROR_SSL ||
3052 !ExpectBadWriteRetry()) {
3053 fprintf(stderr, "SSL_write retry did not fail as expected.\n");
3054 return false;
3055 }
3056
3057 // Retrying with a different buffer pointer is not legal.
3058 char data2[] = "hello";
3059 if (SSL_get_error(client.get(), SSL_write(client.get(), data2,
3060 kChunkLen)) != SSL_ERROR_SSL ||
3061 !ExpectBadWriteRetry()) {
3062 fprintf(stderr, "SSL_write retry did not fail as expected.\n");
3063 return false;
3064 }
3065
3066 // With |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER|, the buffer may move.
3067 SSL_set_mode(client.get(), SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
3068 if (SSL_get_error(client.get(),
3069 SSL_write(client.get(), data2, kChunkLen)) !=
3070 SSL_ERROR_WANT_WRITE) {
3071 fprintf(stderr, "SSL_write retry unexpectedly failed.\n");
3072 return false;
3073 }
3074
3075 // |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER| does not disable length checks.
3076 if (SSL_get_error(client.get(),
3077 SSL_write(client.get(), data2, kChunkLen - 1)) !=
3078 SSL_ERROR_SSL ||
3079 !ExpectBadWriteRetry()) {
3080 fprintf(stderr, "SSL_write retry did not fail as expected.\n");
3081 return false;
3082 }
3083
3084 // Retrying with a larger buffer is legal.
3085 if (SSL_get_error(client.get(),
3086 SSL_write(client.get(), data, kChunkLen + 1)) !=
3087 SSL_ERROR_WANT_WRITE) {
3088 fprintf(stderr, "SSL_write retry unexpectedly failed.\n");
3089 return false;
3090 }
3091
3092 // Drain the buffer.
3093 char buf[20];
3094 for (unsigned i = 0; i < count; i++) {
3095 if (SSL_read(server.get(), buf, sizeof(buf)) != kChunkLen ||
3096 OPENSSL_memcmp(buf, "hello", kChunkLen) != 0) {
3097 fprintf(stderr, "Failed to read initial records.\n");
3098 return false;
3099 }
3100 }
3101
3102 // Now that there is space, a retry with a larger buffer should flush the
3103 // pending record, skip over that many bytes of input (on assumption they
3104 // are the same), and write the remainder. If SSL_MODE_ENABLE_PARTIAL_WRITE
3105 // is set, this will complete in two steps.
3106 char data3[] = "_____!";
3107 if (enable_partial_write) {
3108 if (SSL_write(client.get(), data3, kChunkLen + 1) != kChunkLen ||
3109 SSL_write(client.get(), data3 + kChunkLen, 1) != 1) {
3110 fprintf(stderr, "SSL_write retry failed.\n");
3111 return false;
3112 }
3113 } else if (SSL_write(client.get(), data3, kChunkLen + 1) != kChunkLen + 1) {
3114 fprintf(stderr, "SSL_write retry failed.\n");
3115 return false;
3116 }
3117
3118 // Check the last write was correct. The data will be spread over two
3119 // records, so SSL_read returns twice.
3120 if (SSL_read(server.get(), buf, sizeof(buf)) != kChunkLen ||
3121 OPENSSL_memcmp(buf, "hello", kChunkLen) != 0 ||
3122 SSL_read(server.get(), buf, sizeof(buf)) != 1 ||
3123 buf[0] != '!') {
3124 fprintf(stderr, "Failed to read write retry.\n");
3125 return false;
3126 }
3127 }
3128
3129 return true;
3130}
3131
David Benjamin5df5be1a2017-06-22 19:43:11 -0400[diff] [blame]3132static bool TestRecordCallback(bool is_dtls, const SSL_METHOD *method,
3133 uint16_t version) {
3134 bssl::UniquePtr<X509> cert = GetChainTestCertificate();
3135 bssl::UniquePtr<X509> intermediate = GetChainTestIntermediate();
3136 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
3137 if (!cert || !intermediate || !key) {
3138 return false;
3139 }
3140
3141 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method));
3142 if (!ctx ||
3143 !SSL_CTX_use_certificate(ctx.get(), cert.get()) ||
3144 !SSL_CTX_use_PrivateKey(ctx.get(), key.get()) ||
3145 !SSL_CTX_set_min_proto_version(ctx.get(), version) ||
3146 !SSL_CTX_set_max_proto_version(ctx.get(), version)) {
3147 return false;
3148 }
3149
3150 bool read_seen = false;
3151 bool write_seen = false;
3152 auto cb = [&](int is_write, int cb_version, int cb_type, const void *buf,
3153 size_t len, SSL *ssl) {
3154 if (cb_type != SSL3_RT_HEADER) {
3155 return;
3156 }
3157
3158 // The callback does not report a version for records.
3159 EXPECT_EQ(0, cb_version);
3160
3161 if (is_write) {
3162 write_seen = true;
3163 } else {
3164 read_seen = true;
3165 }
3166
3167 // Sanity-check that the record header is plausible.
3168 CBS cbs;
3169 CBS_init(&cbs, reinterpret_cast<const uint8_t *>(buf), len);
3170 uint8_t type;
3171 uint16_t record_version, length;
3172 ASSERT_TRUE(CBS_get_u8(&cbs, &type));
3173 ASSERT_TRUE(CBS_get_u16(&cbs, &record_version));
3174 EXPECT_TRUE(record_version == version ||
3175 record_version == (is_dtls ? DTLS1_VERSION : TLS1_VERSION))
3176 << "Invalid record version: " << record_version;
3177 if (is_dtls) {
3178 uint16_t epoch;
3179 ASSERT_TRUE(CBS_get_u16(&cbs, &epoch));
3180 EXPECT_TRUE(epoch == 0 || epoch == 1) << "Invalid epoch: " << epoch;
3181 ASSERT_TRUE(CBS_skip(&cbs, 6));
3182 }
3183 ASSERT_TRUE(CBS_get_u16(&cbs, &length));
3184 EXPECT_EQ(0u, CBS_len(&cbs));
3185 };
3186 using CallbackType = decltype(cb);
3187 SSL_CTX_set_msg_callback(
3188 ctx.get(), [](int is_write, int cb_version, int cb_type, const void *buf,
3189 size_t len, SSL *ssl, void *arg) {
3190 CallbackType *cb_ptr = reinterpret_cast<CallbackType *>(arg);
3191 (*cb_ptr)(is_write, cb_version, cb_type, buf, len, ssl);
3192 });
3193 SSL_CTX_set_msg_callback_arg(ctx.get(), &cb);
3194
3195 bssl::UniquePtr<SSL> client, server;
3196 if (!ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
3197 nullptr /* no session */)) {
3198 return false;
3199 }
3200
3201 EXPECT_TRUE(read_seen);
3202 EXPECT_TRUE(write_seen);
3203 return true;
3204}
3205
3206
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3207static bool ForEachVersion(bool (*test_func)(bool is_dtls,
3208 const SSL_METHOD *method,
3209 uint16_t version)) {
3210 static uint16_t kTLSVersions[] = {
David Benjamin3b584332017-01-24 22:47:18 -0500[diff] [blame]3211 SSL3_VERSION,
3212 TLS1_VERSION,
3213 TLS1_1_VERSION,
3214 TLS1_2_VERSION,
3215// TLS 1.3 requires RSA-PSS, which is disabled for Android system builds.
3216#if !defined(BORINGSSL_ANDROID_SYSTEM)
3217 TLS1_3_VERSION,
3218#endif
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3219 };
3220
3221 static uint16_t kDTLSVersions[] = {
3222 DTLS1_VERSION, DTLS1_2_VERSION,
3223 };
3224
David Benjamin9ef31f02016-10-31 18:01:13 -0400[diff] [blame]3225 for (uint16_t version : kTLSVersions) {
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3226 if (!test_func(false, TLS_method(), version)) {
3227 fprintf(stderr, "Test failed at TLS version %04x.\n", version);
David Benjamin9ef31f02016-10-31 18:01:13 -0400[diff] [blame]3228 return false;
3229 }
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3230 }
David Benjamin9ef31f02016-10-31 18:01:13 -0400[diff] [blame]3231
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3232 for (uint16_t version : kDTLSVersions) {
3233 if (!test_func(true, DTLS_method(), version)) {
3234 fprintf(stderr, "Test failed at DTLS version %04x.\n", version);
David Benjamin9ef31f02016-10-31 18:01:13 -0400[diff] [blame]3235 return false;
3236 }
3237 }
3238
3239 return true;
3240}
3241
Adam Langleye1e78132017-01-31 15:24:31 -0800[diff] [blame]3242TEST(SSLTest, AddChainCertHack) {
3243 // Ensure that we don't accidently break the hack that we have in place to
3244 // keep curl and serf happy when they use an |X509| even after transfering
3245 // ownership.
3246
3247 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
3248 ASSERT_TRUE(ctx);
3249 X509 *cert = GetTestCertificate().release();
3250 ASSERT_TRUE(cert);
3251 SSL_CTX_add0_chain_cert(ctx.get(), cert);
3252
3253 // This should not trigger a use-after-free.
3254 X509_cmp(cert, cert);
3255}
3256
David Benjaminb2ff2622017-02-03 17:06:18 -0500[diff] [blame]3257TEST(SSLTest, GetCertificate) {
3258 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
3259 ASSERT_TRUE(ctx);
3260 bssl::UniquePtr<X509> cert = GetTestCertificate();
3261 ASSERT_TRUE(cert);
3262 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), cert.get()));
3263 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
3264 ASSERT_TRUE(ssl);
3265
3266 X509 *cert2 = SSL_CTX_get0_certificate(ctx.get());
3267 ASSERT_TRUE(cert2);
3268 X509 *cert3 = SSL_get_certificate(ssl.get());
3269 ASSERT_TRUE(cert3);
3270
3271 // The old and new certificates must be identical.
3272 EXPECT_EQ(0, X509_cmp(cert.get(), cert2));
3273 EXPECT_EQ(0, X509_cmp(cert.get(), cert3));
3274
3275 uint8_t *der = nullptr;
3276 long der_len = i2d_X509(cert.get(), &der);
3277 ASSERT_LT(0, der_len);
3278 bssl::UniquePtr<uint8_t> free_der(der);
3279
3280 uint8_t *der2 = nullptr;
3281 long der2_len = i2d_X509(cert2, &der2);
3282 ASSERT_LT(0, der2_len);
3283 bssl::UniquePtr<uint8_t> free_der2(der2);
3284
3285 uint8_t *der3 = nullptr;
3286 long der3_len = i2d_X509(cert3, &der3);
3287 ASSERT_LT(0, der3_len);
3288 bssl::UniquePtr<uint8_t> free_der3(der3);
3289
3290 // They must also encode identically.
David Benjamin7d7554b2017-02-04 11:48:59 -0500[diff] [blame]3291 EXPECT_EQ(Bytes(der, der_len), Bytes(der2, der2_len));
3292 EXPECT_EQ(Bytes(der, der_len), Bytes(der3, der3_len));
David Benjaminb2ff2622017-02-03 17:06:18 -0500[diff] [blame]3293}
3294
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]3295TEST(SSLTest, SetChainAndKeyMismatch) {
3296 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_with_buffers_method()));
3297 ASSERT_TRUE(ctx);
3298
3299 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
3300 ASSERT_TRUE(key);
3301 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
3302 ASSERT_TRUE(leaf);
3303 std::vector<CRYPTO_BUFFER*> chain = {
3304 leaf.get(),
3305 };
3306
3307 // Should fail because |GetTestKey| doesn't match the chain-test certificate.
3308 ASSERT_FALSE(SSL_CTX_set_chain_and_key(ctx.get(), &chain[0], chain.size(),
3309 key.get(), nullptr));
3310 ERR_clear_error();
3311}
3312
3313TEST(SSLTest, SetChainAndKey) {
3314 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method()));
3315 ASSERT_TRUE(client_ctx);
3316 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_with_buffers_method()));
3317 ASSERT_TRUE(server_ctx);
3318
3319 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
3320 ASSERT_TRUE(key);
3321 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
3322 ASSERT_TRUE(leaf);
3323 bssl::UniquePtr<CRYPTO_BUFFER> intermediate =
3324 GetChainTestIntermediateBuffer();
3325 ASSERT_TRUE(intermediate);
3326 std::vector<CRYPTO_BUFFER*> chain = {
3327 leaf.get(), intermediate.get(),
3328 };
3329 ASSERT_TRUE(SSL_CTX_set_chain_and_key(server_ctx.get(), &chain[0],
3330 chain.size(), key.get(), nullptr));
3331
David Benjamin3a1dd462017-07-11 16:13:10 -0400[diff] [blame]3332 SSL_CTX_set_custom_verify(
3333 client_ctx.get(), SSL_VERIFY_PEER,
3334 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
3335 return ssl_verify_ok;
3336 });
Adam Langleyd04ca952017-02-28 11:26:51 -0800[diff] [blame]3337
3338 bssl::UniquePtr<SSL> client, server;
3339 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
3340 server_ctx.get(),
3341 nullptr /* no session */));
3342}
3343
David Benjamin71dfad42017-07-16 17:27:39 -0400[diff] [blame]3344TEST(SSLTest, ClientCABuffers) {
3345 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method()));
3346 ASSERT_TRUE(client_ctx);
3347 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_with_buffers_method()));
3348 ASSERT_TRUE(server_ctx);
3349
3350 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
3351 ASSERT_TRUE(key);
3352 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
3353 ASSERT_TRUE(leaf);
3354 bssl::UniquePtr<CRYPTO_BUFFER> intermediate =
3355 GetChainTestIntermediateBuffer();
3356 ASSERT_TRUE(intermediate);
3357 std::vector<CRYPTO_BUFFER *> chain = {
3358 leaf.get(),
3359 intermediate.get(),
3360 };
3361 ASSERT_TRUE(SSL_CTX_set_chain_and_key(server_ctx.get(), &chain[0],
3362 chain.size(), key.get(), nullptr));
3363
3364 bssl::UniquePtr<CRYPTO_BUFFER> ca_name(
3365 CRYPTO_BUFFER_new(kTestName, sizeof(kTestName), nullptr));
3366 ASSERT_TRUE(ca_name);
3367 bssl::UniquePtr<STACK_OF(CRYPTO_BUFFER)> ca_names(
3368 sk_CRYPTO_BUFFER_new_null());
3369 ASSERT_TRUE(ca_names);
3370 ASSERT_TRUE(sk_CRYPTO_BUFFER_push(ca_names.get(), ca_name.get()));
3371 ca_name.release();
3372 SSL_CTX_set0_client_CAs(server_ctx.get(), ca_names.release());
3373
3374 // Configure client and server to accept all certificates.
3375 SSL_CTX_set_custom_verify(
3376 client_ctx.get(), SSL_VERIFY_PEER,
3377 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
3378 return ssl_verify_ok;
3379 });
3380 SSL_CTX_set_custom_verify(
3381 server_ctx.get(), SSL_VERIFY_PEER,
3382 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
3383 return ssl_verify_ok;
3384 });
3385
3386 bool cert_cb_called = false;
3387 SSL_CTX_set_cert_cb(
3388 client_ctx.get(),
3389 [](SSL *ssl, void *arg) -> int {
3390 STACK_OF(CRYPTO_BUFFER) *peer_names =
3391 SSL_get0_server_requested_CAs(ssl);
3392 EXPECT_EQ(1u, sk_CRYPTO_BUFFER_num(peer_names));
3393 CRYPTO_BUFFER *peer_name = sk_CRYPTO_BUFFER_value(peer_names, 0);
3394 EXPECT_EQ(Bytes(kTestName), Bytes(CRYPTO_BUFFER_data(peer_name),
3395 CRYPTO_BUFFER_len(peer_name)));
3396 *reinterpret_cast<bool *>(arg) = true;
3397 return 1;
3398 },
3399 &cert_cb_called);
3400
3401 bssl::UniquePtr<SSL> client, server;
3402 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
3403 server_ctx.get(),
3404 nullptr /* no session */));
3405 EXPECT_TRUE(cert_cb_called);
3406}
3407
David Benjamin91222b82017-03-09 20:10:56 -0500[diff] [blame]3408// Configuring the empty cipher list, though an error, should still modify the
3409// configuration.
3410TEST(SSLTest, EmptyCipherList) {
3411 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
3412 ASSERT_TRUE(ctx);
3413
3414 // Initially, the cipher list is not empty.
3415 EXPECT_NE(0u, sk_SSL_CIPHER_num(SSL_CTX_get_ciphers(ctx.get())));
3416
3417 // Configuring the empty cipher list fails.
3418 EXPECT_FALSE(SSL_CTX_set_cipher_list(ctx.get(), ""));
3419 ERR_clear_error();
3420
3421 // But the cipher list is still updated to empty.
3422 EXPECT_EQ(0u, sk_SSL_CIPHER_num(SSL_CTX_get_ciphers(ctx.get())));
3423}
3424
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]3425// ssl_test_ticket_aead_failure_mode enumerates the possible ways in which the
3426// test |SSL_TICKET_AEAD_METHOD| can fail.
3427enum ssl_test_ticket_aead_failure_mode {
3428 ssl_test_ticket_aead_ok = 0,
3429 ssl_test_ticket_aead_seal_fail,
3430 ssl_test_ticket_aead_open_soft_fail,
3431 ssl_test_ticket_aead_open_hard_fail,
3432};
3433
3434struct ssl_test_ticket_aead_state {
3435 unsigned retry_count;
3436 ssl_test_ticket_aead_failure_mode failure_mode;
3437};
3438
3439static int ssl_test_ticket_aead_ex_index_dup(CRYPTO_EX_DATA *to,
3440 const CRYPTO_EX_DATA *from,
3441 void **from_d, int index,
3442 long argl, void *argp) {
3443 abort();
3444}
3445
3446static void ssl_test_ticket_aead_ex_index_free(void *parent, void *ptr,
3447 CRYPTO_EX_DATA *ad, int index,
3448 long argl, void *argp) {
3449 auto state = reinterpret_cast<ssl_test_ticket_aead_state*>(ptr);
3450 if (state == nullptr) {
3451 return;
3452 }
3453
3454 OPENSSL_free(state);
3455}
3456
3457static CRYPTO_once_t g_ssl_test_ticket_aead_ex_index_once = CRYPTO_ONCE_INIT;
3458static int g_ssl_test_ticket_aead_ex_index;
3459
3460static int ssl_test_ticket_aead_get_ex_index() {
3461 CRYPTO_once(&g_ssl_test_ticket_aead_ex_index_once, [] {
3462 g_ssl_test_ticket_aead_ex_index = SSL_get_ex_new_index(
3463 0, nullptr, nullptr, ssl_test_ticket_aead_ex_index_dup,
3464 ssl_test_ticket_aead_ex_index_free);
3465 });
3466 return g_ssl_test_ticket_aead_ex_index;
3467}
3468
3469static size_t ssl_test_ticket_aead_max_overhead(SSL *ssl) {
3470 return 1;
3471}
3472
3473static int ssl_test_ticket_aead_seal(SSL *ssl, uint8_t *out, size_t *out_len,
3474 size_t max_out_len, const uint8_t *in,
3475 size_t in_len) {
3476 auto state = reinterpret_cast<ssl_test_ticket_aead_state *>(
3477 SSL_get_ex_data(ssl, ssl_test_ticket_aead_get_ex_index()));
3478
3479 if (state->failure_mode == ssl_test_ticket_aead_seal_fail ||
3480 max_out_len < in_len + 1) {
3481 return 0;
3482 }
3483
3484 OPENSSL_memmove(out, in, in_len);
3485 out[in_len] = 0xff;
3486 *out_len = in_len + 1;
3487
3488 return 1;
3489}
3490
3491static ssl_ticket_aead_result_t ssl_test_ticket_aead_open(
3492 SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out_len,
3493 const uint8_t *in, size_t in_len) {
3494 auto state = reinterpret_cast<ssl_test_ticket_aead_state *>(
3495 SSL_get_ex_data(ssl, ssl_test_ticket_aead_get_ex_index()));
3496
3497 if (state->retry_count > 0) {
3498 state->retry_count--;
3499 return ssl_ticket_aead_retry;
3500 }
3501
3502 switch (state->failure_mode) {
3503 case ssl_test_ticket_aead_ok:
3504 break;
3505 case ssl_test_ticket_aead_seal_fail:
3506 // If |seal| failed then there shouldn't be any ticket to try and
3507 // decrypt.
3508 abort();
3509 break;
3510 case ssl_test_ticket_aead_open_soft_fail:
3511 return ssl_ticket_aead_ignore_ticket;
3512 case ssl_test_ticket_aead_open_hard_fail:
3513 return ssl_ticket_aead_error;
3514 }
3515
3516 if (in_len == 0 || in[in_len - 1] != 0xff) {
3517 return ssl_ticket_aead_ignore_ticket;
3518 }
3519
3520 if (max_out_len < in_len - 1) {
3521 return ssl_ticket_aead_error;
3522 }
3523
3524 OPENSSL_memmove(out, in, in_len - 1);
3525 *out_len = in_len - 1;
3526 return ssl_ticket_aead_success;
3527}
3528
3529static const SSL_TICKET_AEAD_METHOD kSSLTestTicketMethod = {
3530 ssl_test_ticket_aead_max_overhead,
3531 ssl_test_ticket_aead_seal,
3532 ssl_test_ticket_aead_open,
3533};
3534
3535static void ConnectClientAndServerWithTicketMethod(
3536 bssl::UniquePtr<SSL> *out_client, bssl::UniquePtr<SSL> *out_server,
3537 SSL_CTX *client_ctx, SSL_CTX *server_ctx, unsigned retry_count,
3538 ssl_test_ticket_aead_failure_mode failure_mode, SSL_SESSION *session) {
3539 bssl::UniquePtr<SSL> client(SSL_new(client_ctx)), server(SSL_new(server_ctx));
3540 ASSERT_TRUE(client);
3541 ASSERT_TRUE(server);
3542 SSL_set_connect_state(client.get());
3543 SSL_set_accept_state(server.get());
3544
3545 auto state = reinterpret_cast<ssl_test_ticket_aead_state *>(
3546 OPENSSL_malloc(sizeof(ssl_test_ticket_aead_state)));
3547 ASSERT_TRUE(state);
3548 OPENSSL_memset(state, 0, sizeof(ssl_test_ticket_aead_state));
3549 state->retry_count = retry_count;
3550 state->failure_mode = failure_mode;
3551
3552 ASSERT_TRUE(SSL_set_ex_data(server.get(), ssl_test_ticket_aead_get_ex_index(),
3553 state));
3554
3555 SSL_set_session(client.get(), session);
3556
3557 BIO *bio1, *bio2;
3558 ASSERT_TRUE(BIO_new_bio_pair(&bio1, 0, &bio2, 0));
3559
3560 // SSL_set_bio takes ownership.
3561 SSL_set_bio(client.get(), bio1, bio1);
3562 SSL_set_bio(server.get(), bio2, bio2);
3563
3564 if (CompleteHandshakes(client.get(), server.get())) {
3565 *out_client = std::move(client);
3566 *out_server = std::move(server);
3567 } else {
3568 out_client->reset();
3569 out_server->reset();
3570 }
3571}
3572
3573class TicketAEADMethodTest
3574 : public ::testing::TestWithParam<testing::tuple<
3575 uint16_t, unsigned, ssl_test_ticket_aead_failure_mode>> {};
3576
3577TEST_P(TicketAEADMethodTest, Resume) {
3578 bssl::UniquePtr<X509> cert = GetTestCertificate();
3579 ASSERT_TRUE(cert);
3580 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
3581 ASSERT_TRUE(key);
3582
3583 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
3584 ASSERT_TRUE(server_ctx);
3585 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
3586 ASSERT_TRUE(client_ctx);
3587
3588 const uint16_t version = testing::get<0>(GetParam());
3589 const unsigned retry_count = testing::get<1>(GetParam());
3590 const ssl_test_ticket_aead_failure_mode failure_mode =
3591 testing::get<2>(GetParam());
3592
3593 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
3594 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
3595 ASSERT_TRUE(SSL_CTX_set_min_proto_version(client_ctx.get(), version));
3596 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), version));
3597 ASSERT_TRUE(SSL_CTX_set_min_proto_version(server_ctx.get(), version));
3598 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), version));
3599
3600 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
3601 SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH);
3602 SSL_CTX_set_current_time_cb(client_ctx.get(), FrozenTimeCallback);
3603 SSL_CTX_set_current_time_cb(server_ctx.get(), FrozenTimeCallback);
David Benjamin707af292017-03-10 17:47:18 -0500[diff] [blame]3604 SSL_CTX_sess_set_new_cb(client_ctx.get(), SaveLastSession);
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]3605
3606 SSL_CTX_set_ticket_aead_method(server_ctx.get(), &kSSLTestTicketMethod);
3607
3608 bssl::UniquePtr<SSL> client, server;
3609 ConnectClientAndServerWithTicketMethod(&client, &server, client_ctx.get(),
3610 server_ctx.get(), retry_count,
3611 failure_mode, nullptr);
3612 switch (failure_mode) {
3613 case ssl_test_ticket_aead_ok:
3614 case ssl_test_ticket_aead_open_hard_fail:
3615 case ssl_test_ticket_aead_open_soft_fail:
3616 ASSERT_TRUE(client);
3617 break;
3618 case ssl_test_ticket_aead_seal_fail:
3619 EXPECT_FALSE(client);
3620 return;
3621 }
3622 EXPECT_FALSE(SSL_session_reused(client.get()));
3623 EXPECT_FALSE(SSL_session_reused(server.get()));
3624
David Benjamin707af292017-03-10 17:47:18 -0500[diff] [blame]3625 // Run the read loop to account for post-handshake tickets in TLS 1.3.
3626 SSL_read(client.get(), nullptr, 0);
3627
3628 bssl::UniquePtr<SSL_SESSION> session = std::move(g_last_session);
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]3629 ConnectClientAndServerWithTicketMethod(&client, &server, client_ctx.get(),
3630 server_ctx.get(), retry_count,
David Benjamin707af292017-03-10 17:47:18 -0500[diff] [blame]3631 failure_mode, session.get());
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]3632 switch (failure_mode) {
3633 case ssl_test_ticket_aead_ok:
3634 ASSERT_TRUE(client);
3635 EXPECT_TRUE(SSL_session_reused(client.get()));
3636 EXPECT_TRUE(SSL_session_reused(server.get()));
3637 break;
3638 case ssl_test_ticket_aead_seal_fail:
3639 abort();
3640 break;
3641 case ssl_test_ticket_aead_open_hard_fail:
3642 EXPECT_FALSE(client);
3643 break;
3644 case ssl_test_ticket_aead_open_soft_fail:
3645 ASSERT_TRUE(client);
3646 EXPECT_FALSE(SSL_session_reused(client.get()));
3647 EXPECT_FALSE(SSL_session_reused(server.get()));
3648 }
3649}
3650
3651INSTANTIATE_TEST_CASE_P(
3652 TicketAEADMethodTests, TicketAEADMethodTest,
3653 testing::Combine(
David Benjamin707af292017-03-10 17:47:18 -0500[diff] [blame]3654 testing::Values(TLS1_2_VERSION, TLS1_3_VERSION),
Adam Langley4c341d02017-03-08 19:33:21 -0800[diff] [blame]3655 testing::Values(0, 1, 2),
3656 testing::Values(ssl_test_ticket_aead_ok,
3657 ssl_test_ticket_aead_seal_fail,
3658 ssl_test_ticket_aead_open_soft_fail,
3659 ssl_test_ticket_aead_open_hard_fail)));
3660
David Benjamin3cfeb952017-03-01 16:48:38 -0500[diff] [blame]3661TEST(SSLTest, SSL3Method) {
3662 bssl::UniquePtr<X509> cert = GetTestCertificate();
3663 ASSERT_TRUE(cert);
3664
3665 // For compatibility, SSLv3_method should work up to SSL_CTX_new and SSL_new.
3666 bssl::UniquePtr<SSL_CTX> ssl3_ctx(SSL_CTX_new(SSLv3_method()));
3667 ASSERT_TRUE(ssl3_ctx);
3668 ASSERT_TRUE(SSL_CTX_use_certificate(ssl3_ctx.get(), cert.get()));
3669 bssl::UniquePtr<SSL> ssl(SSL_new(ssl3_ctx.get()));
3670 EXPECT_TRUE(ssl);
3671
3672 // Create a normal TLS context to test against.
3673 bssl::UniquePtr<SSL_CTX> tls_ctx(SSL_CTX_new(TLS_method()));
3674 ASSERT_TRUE(tls_ctx);
3675 ASSERT_TRUE(SSL_CTX_use_certificate(tls_ctx.get(), cert.get()));
3676
3677 // However, handshaking an SSLv3_method server should fail to resolve the
3678 // version range. Explicit calls to SSL_CTX_set_min_proto_version are the only
3679 // way to enable SSL 3.0.
3680 bssl::UniquePtr<SSL> client, server;
3681 EXPECT_FALSE(ConnectClientAndServer(&client, &server, tls_ctx.get(),
3682 ssl3_ctx.get(),
3683 nullptr /* no session */));
3684 uint32_t err = ERR_get_error();
3685 EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err));
3686 EXPECT_EQ(SSL_R_NO_SUPPORTED_VERSIONS_ENABLED, ERR_GET_REASON(err));
3687
3688 // Likewise for SSLv3_method clients.
3689 EXPECT_FALSE(ConnectClientAndServer(&client, &server, ssl3_ctx.get(),
3690 tls_ctx.get(),
3691 nullptr /* no session */));
3692 err = ERR_get_error();
3693 EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err));
3694 EXPECT_EQ(SSL_R_NO_SUPPORTED_VERSIONS_ENABLED, ERR_GET_REASON(err));
3695}
3696
David Benjaminca743582017-06-15 17:51:35 -0400[diff] [blame]3697TEST(SSLTest, SelectNextProto) {
3698 uint8_t *result;
3699 uint8_t result_len;
3700
3701 // If there is an overlap, it should be returned.
3702 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
3703 SSL_select_next_proto(&result, &result_len,
3704 (const uint8_t *)"\1a\2bb\3ccc", 9,
3705 (const uint8_t *)"\1x\1y\1a\1z", 8));
3706 EXPECT_EQ(Bytes("a"), Bytes(result, result_len));
3707
3708 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
3709 SSL_select_next_proto(&result, &result_len,
3710 (const uint8_t *)"\1a\2bb\3ccc", 9,
3711 (const uint8_t *)"\1x\1y\2bb\1z", 9));
3712 EXPECT_EQ(Bytes("bb"), Bytes(result, result_len));
3713
3714 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
3715 SSL_select_next_proto(&result, &result_len,
3716 (const uint8_t *)"\1a\2bb\3ccc", 9,
3717 (const uint8_t *)"\1x\1y\3ccc\1z", 10));
3718 EXPECT_EQ(Bytes("ccc"), Bytes(result, result_len));
3719
3720 // Peer preference order takes precedence over local.
3721 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
3722 SSL_select_next_proto(&result, &result_len,
3723 (const uint8_t *)"\1a\2bb\3ccc", 9,
3724 (const uint8_t *)"\3ccc\2bb\1a", 9));
3725 EXPECT_EQ(Bytes("a"), Bytes(result, result_len));
3726
3727 // If there is no overlap, return the first local protocol.
3728 EXPECT_EQ(OPENSSL_NPN_NO_OVERLAP,
3729 SSL_select_next_proto(&result, &result_len,
3730 (const uint8_t *)"\1a\2bb\3ccc", 9,
3731 (const uint8_t *)"\1x\2yy\3zzz", 9));
3732 EXPECT_EQ(Bytes("x"), Bytes(result, result_len));
3733
3734 EXPECT_EQ(OPENSSL_NPN_NO_OVERLAP,
3735 SSL_select_next_proto(&result, &result_len, nullptr, 0,
3736 (const uint8_t *)"\1x\2yy\3zzz", 9));
3737 EXPECT_EQ(Bytes("x"), Bytes(result, result_len));
3738}
3739
Martin Kreichgauer17c30572017-07-18 12:42:18 -0700[diff] [blame]3740TEST(SSLTest, SealRecord) {
3741 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method())),
3742 server_ctx(SSL_CTX_new(TLS_method()));
3743 ASSERT_TRUE(client_ctx);
3744 ASSERT_TRUE(server_ctx);
3745
3746 bssl::UniquePtr<X509> cert = GetTestCertificate();
3747 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
3748 ASSERT_TRUE(cert);
3749 ASSERT_TRUE(key);
3750 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
3751 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
3752
3753 bssl::UniquePtr<SSL> client, server;
3754 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
3755 server_ctx.get(),
3756 nullptr /* no session */));
3757
3758 const std::vector<uint8_t> record = {1, 2, 3, 4, 5};
3759 std::vector<uint8_t> prefix(
3760 bssl::SealRecordPrefixLen(client.get(), record.size())),
3761 body(record.size()), suffix(bssl::SealRecordMaxSuffixLen(client.get()));
3762 size_t suffix_size;
3763 ASSERT_TRUE(bssl::SealRecord(client.get(), bssl::MakeSpan(prefix),
3764 bssl::MakeSpan(body), bssl::MakeSpan(suffix),
3765 &suffix_size, record));
3766 suffix.resize(suffix_size);
3767
3768 std::vector<uint8_t> sealed;
3769 sealed.insert(sealed.end(), prefix.begin(), prefix.end());
3770 sealed.insert(sealed.end(), body.begin(), body.end());
3771 sealed.insert(sealed.end(), suffix.begin(), suffix.end());
3772 std::vector<uint8_t> sealed_copy = sealed;
3773
3774 bssl::Span<uint8_t> plaintext;
3775 size_t record_len;
3776 uint8_t alert = 255;
3777 EXPECT_EQ(bssl::OpenRecord(server.get(), &plaintext, &record_len, &alert,
3778 bssl::MakeSpan(sealed)),
3779 bssl::OpenRecordResult::kOK);
3780 EXPECT_EQ(record_len, sealed.size());
3781 EXPECT_EQ(plaintext, record);
3782 EXPECT_EQ(255, alert);
3783}
3784
3785TEST(SSLTest, SealRecordInPlace) {
3786 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method())),
3787 server_ctx(SSL_CTX_new(TLS_method()));
3788 ASSERT_TRUE(client_ctx);
3789 ASSERT_TRUE(server_ctx);
3790
3791 bssl::UniquePtr<X509> cert = GetTestCertificate();
3792 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
3793 ASSERT_TRUE(cert);
3794 ASSERT_TRUE(key);
3795 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
3796 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
3797
3798 bssl::UniquePtr<SSL> client, server;
3799 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
3800 server_ctx.get(),
3801 nullptr /* no session */));
3802
3803 const std::vector<uint8_t> plaintext = {1, 2, 3, 4, 5};
3804 std::vector<uint8_t> record = plaintext;
3805 std::vector<uint8_t> prefix(
3806 bssl::SealRecordPrefixLen(client.get(), record.size())),
3807 suffix(bssl::SealRecordMaxSuffixLen(client.get()));
3808 size_t suffix_size;
3809 ASSERT_TRUE(bssl::SealRecord(client.get(), bssl::MakeSpan(prefix),
3810 bssl::MakeSpan(record), bssl::MakeSpan(suffix),
3811 &suffix_size, record));
3812 suffix.resize(suffix_size);
3813 record.insert(record.begin(), prefix.begin(), prefix.end());
3814 record.insert(record.end(), suffix.begin(), suffix.end());
3815
3816 bssl::Span<uint8_t> result;
3817 size_t record_len;
3818 uint8_t alert;
3819 EXPECT_EQ(bssl::OpenRecord(server.get(), &result, &record_len, &alert,
3820 bssl::MakeSpan(record)),
3821 bssl::OpenRecordResult::kOK);
3822 EXPECT_EQ(record_len, record.size());
3823 EXPECT_EQ(plaintext, result);
3824}
3825
3826TEST(SSLTest, SealRecordTrailingData) {
3827 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method())),
3828 server_ctx(SSL_CTX_new(TLS_method()));
3829 ASSERT_TRUE(client_ctx);
3830 ASSERT_TRUE(server_ctx);
3831
3832 bssl::UniquePtr<X509> cert = GetTestCertificate();
3833 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
3834 ASSERT_TRUE(cert);
3835 ASSERT_TRUE(key);
3836 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
3837 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
3838
3839 bssl::UniquePtr<SSL> client, server;
3840 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
3841 server_ctx.get(),
3842 nullptr /* no session */));
3843
3844 const std::vector<uint8_t> plaintext = {1, 2, 3, 4, 5};
3845 std::vector<uint8_t> record = plaintext;
3846 std::vector<uint8_t> prefix(
3847 bssl::SealRecordPrefixLen(client.get(), record.size())),
3848 suffix(bssl::SealRecordMaxSuffixLen(client.get()));
3849 size_t suffix_size;
3850 ASSERT_TRUE(bssl::SealRecord(client.get(), bssl::MakeSpan(prefix),
3851 bssl::MakeSpan(record), bssl::MakeSpan(suffix),
3852 &suffix_size, record));
3853 suffix.resize(suffix_size);
3854 record.insert(record.begin(), prefix.begin(), prefix.end());
3855 record.insert(record.end(), suffix.begin(), suffix.end());
3856 record.insert(record.end(), {5, 4, 3, 2, 1});
3857
3858 bssl::Span<uint8_t> result;
3859 size_t record_len;
3860 uint8_t alert;
3861 EXPECT_EQ(bssl::OpenRecord(server.get(), &result, &record_len, &alert,
3862 bssl::MakeSpan(record)),
3863 bssl::OpenRecordResult::kOK);
3864 EXPECT_EQ(record_len, record.size() - 5);
3865 EXPECT_EQ(plaintext, result);
3866}
3867
3868TEST(SSLTest, SealRecordInvalidSpanSize) {
3869 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method())),
3870 server_ctx(SSL_CTX_new(TLS_method()));
3871 ASSERT_TRUE(client_ctx);
3872 ASSERT_TRUE(server_ctx);
3873
3874 bssl::UniquePtr<X509> cert = GetTestCertificate();
3875 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
3876 ASSERT_TRUE(cert);
3877 ASSERT_TRUE(key);
3878 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
3879 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
3880
3881 bssl::UniquePtr<SSL> client, server;
3882 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
3883 server_ctx.get(),
3884 nullptr /* no session */));
3885
3886 std::vector<uint8_t> record = {1, 2, 3, 4, 5};
3887 std::vector<uint8_t> prefix(
3888 bssl::SealRecordPrefixLen(client.get(), record.size())),
3889 suffix(bssl::SealRecordMaxSuffixLen(client.get()));
3890 size_t suffix_size;
3891
3892 auto expect_err = []() {
3893 int err = ERR_get_error();
3894 EXPECT_EQ(ERR_GET_LIB(err), ERR_LIB_SSL);
3895 EXPECT_EQ(ERR_GET_REASON(err), SSL_R_BUFFER_TOO_SMALL);
3896 ERR_clear_error();
3897 };
3898 EXPECT_FALSE(bssl::SealRecord(
3899 client.get(), bssl::MakeSpan(prefix.data(), prefix.size() - 1),
3900 bssl::MakeSpan(record), bssl::MakeSpan(suffix), &suffix_size, record));
3901 expect_err();
3902 EXPECT_FALSE(bssl::SealRecord(
3903 client.get(), bssl::MakeSpan(prefix.data(), prefix.size() + 1),
3904 bssl::MakeSpan(record), bssl::MakeSpan(suffix), &suffix_size, record));
3905 expect_err();
3906
3907 EXPECT_FALSE(
3908 bssl::SealRecord(client.get(), bssl::MakeSpan(prefix),
3909 bssl::MakeSpan(record.data(), record.size() - 1),
3910 bssl::MakeSpan(suffix), &suffix_size, record));
3911 expect_err();
3912 EXPECT_FALSE(
3913 bssl::SealRecord(client.get(), bssl::MakeSpan(prefix),
3914 bssl::MakeSpan(record.data(), record.size() + 1),
3915 bssl::MakeSpan(suffix), &suffix_size, record));
3916 expect_err();
3917
3918 EXPECT_FALSE(bssl::SealRecord(
3919 client.get(), bssl::MakeSpan(prefix), bssl::MakeSpan(record),
3920 bssl::MakeSpan(suffix.data(), suffix.size() - 1), &suffix_size, record));
3921 expect_err();
3922 EXPECT_FALSE(bssl::SealRecord(
3923 client.get(), bssl::MakeSpan(prefix), bssl::MakeSpan(record),
3924 bssl::MakeSpan(suffix.data(), suffix.size() + 1), &suffix_size, record));
3925 expect_err();
3926}
3927
David Benjamin96628432017-01-19 19:05:47 -0500[diff] [blame]3928// TODO(davidben): Convert this file to GTest properly.
3929TEST(SSLTest, AllTests) {
David Benjamine11726a2017-04-23 12:14:28 -0400[diff] [blame]3930 if (!TestSSL_SESSIONEncoding(kOpenSSLSession) ||
Adam Langley10f97f32016-07-12 08:09:33 -0700[diff] [blame]3931 !TestSSL_SESSIONEncoding(kCustomSession) ||
3932 !TestSSL_SESSIONEncoding(kBoringSSLSession) ||
3933 !TestBadSSL_SESSIONEncoding(kBadSessionExtraField) ||
3934 !TestBadSSL_SESSIONEncoding(kBadSessionVersion) ||
3935 !TestBadSSL_SESSIONEncoding(kBadSessionTrailingData) ||
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]3936 // Test the padding extension at TLS 1.2.
3937 !TestPaddingExtension(TLS1_2_VERSION, TLS1_2_VERSION) ||
3938 // Test the padding extension at TLS 1.3 with a TLS 1.2 session, so there
3939 // will be no PSK binder after the padding extension.
3940 !TestPaddingExtension(TLS1_3_VERSION, TLS1_2_VERSION) ||
3941 // Test the padding extension at TLS 1.3 with a TLS 1.3 session, so there
3942 // will be a PSK binder after the padding extension.
3943 !TestPaddingExtension(TLS1_3_VERSION, TLS1_3_DRAFT_VERSION) ||
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3944 !ForEachVersion(TestSequenceNumber) ||
David Benjamin68f37b72016-11-18 15:14:42 +0900[diff] [blame]3945 !ForEachVersion(TestOneSidedShutdown) ||
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3946 !ForEachVersion(TestGetPeerCertificate) ||
David Benjamine664a532017-07-20 20:19:36 -0400[diff] [blame^]3947 !ForEachVersion(TestNoPeerCertificate) ||
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3948 !ForEachVersion(TestRetainOnlySHA256OfCerts) ||
David Benjamina20e5352016-08-02 19:09:41 -0400[diff] [blame]3949 !TestClientHello() ||
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3950 !ForEachVersion(TestSessionIDContext) ||
3951 !ForEachVersion(TestSessionTimeout) ||
3952 !ForEachVersion(TestSNICallback) ||
David Benjamin0fef3052016-11-18 15:11:10 +0900[diff] [blame]3953 !ForEachVersion(TestVersion) ||
David Benjaminb79cc842016-12-07 15:57:14 -0500[diff] [blame]3954 !ForEachVersion(TestALPNCipherAvailable) ||
David Benjamin1444c3a2016-12-20 17:23:11 -0500[diff] [blame]3955 !ForEachVersion(TestSSLClearSessionResumption) ||
David Benjamin48063c22017-01-01 23:56:36 -0500[diff] [blame]3956 !ForEachVersion(TestAutoChain) ||
David Benjamin5df5be1a2017-06-22 19:43:11 -0400[diff] [blame]3957 !ForEachVersion(TestSSLWriteRetry) ||
3958 !ForEachVersion(TestRecordCallback)) {
David Benjamin96628432017-01-19 19:05:47 -0500[diff] [blame]3959 ADD_FAILURE() << "Tests failed";
David Benjaminbb0a17c2014-09-20 15:35:39 -0400[diff] [blame]3960 }
David Benjamin2e521212014-07-16 14:37:51 -0400[diff] [blame]3961}