1 /* Copyright (c) 2014, Google Inc. 2 * 3 * Permission to use, copy, modify, and/or distribute this software for any 4 * purpose with or without fee is hereby granted, provided that the above 5 * copyright notice and this permission notice appear in all copies. 6 * 7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 15 #include <stdio.h> 16 #include <string.h> 17 #include <time.h> 18 19 #include <algorithm> 20 #include <limits> 21 #include <string> 22 #include <utility> 23 #include <vector> 24 25 #include <gtest/gtest.h> 26 27 #include <openssl/base64.h> 28 #include <openssl/bio.h> 29 #include <openssl/cipher.h> 30 #include <openssl/crypto.h> 31 #include <openssl/err.h> 32 #include <openssl/hmac.h> 33 #include <openssl/pem.h> 34 #include <openssl/sha.h> 35 #include <openssl/ssl.h> 36 #include <openssl/rand.h> 37 #include <openssl/x509.h> 38 39 #include "internal.h" 40 #include "../crypto/internal.h" 41 #include "../crypto/test/test_util.h" 42 43 #if defined(OPENSSL_WINDOWS) 44 // Windows defines struct timeval in winsock2.h. 45 OPENSSL_MSVC_PRAGMA(warning(push, 3)) 46 #include <winsock2.h> 47 OPENSSL_MSVC_PRAGMA(warning(pop)) 48 #else 49 #include <sys/time.h> 50 #endif 51 52 #if defined(OPENSSL_THREADS) 53 #include <thread> 54 #endif 55 56 57 BSSL_NAMESPACE_BEGIN 58 59 namespace { 60 61 #define TRACED_CALL(code) \ 62 do { \ 63 SCOPED_TRACE("<- called from here"); \ 64 code; \ 65 if (::testing::Test::HasFatalFailure()) { \ 66 return; \ 67 } \ 68 } while (false) 69 70 struct VersionParam { 71 uint16_t version; 72 enum { is_tls, is_dtls } ssl_method; 73 const char name[8]; 74 }; 75 76 static const size_t kTicketKeyLen = 48; 77 78 static const VersionParam kAllVersions[] = { 79 {TLS1_VERSION, VersionParam::is_tls, "TLS1"}, 80 {TLS1_1_VERSION, VersionParam::is_tls, "TLS1_1"}, 81 {TLS1_2_VERSION, VersionParam::is_tls, "TLS1_2"}, 82 {TLS1_3_VERSION, VersionParam::is_tls, "TLS1_3"}, 83 {DTLS1_VERSION, VersionParam::is_dtls, "DTLS1"}, 84 {DTLS1_2_VERSION, VersionParam::is_dtls, "DTLS1_2"}, 85 }; 86 87 struct ExpectedCipher { 88 unsigned long id; 89 int in_group_flag; 90 }; 91 92 struct CipherTest { 93 // The rule string to apply. 94 const char *rule; 95 // The list of expected ciphers, in order. 96 std::vector<ExpectedCipher> expected; 97 // True if this cipher list should fail in strict mode. 98 bool strict_fail; 99 }; 100 101 struct CurveTest { 102 // The rule string to apply. 103 const char *rule; 104 // The list of expected curves, in order. 105 std::vector<uint16_t> expected; 106 }; 107 108 template <typename T> 109 class UnownedSSLExData { 110 public: 111 UnownedSSLExData() { 112 index_ = SSL_get_ex_new_index(0, nullptr, nullptr, nullptr, nullptr); 113 } 114 115 T *Get(const SSL *ssl) { 116 return index_ < 0 ? nullptr 117 : static_cast<T *>(SSL_get_ex_data(ssl, index_)); 118 } 119 120 bool Set(SSL *ssl, T *t) { 121 return index_ >= 0 && SSL_set_ex_data(ssl, index_, t); 122 } 123 124 private: 125 int index_; 126 }; 127 128 static const CipherTest kCipherTests[] = { 129 // Selecting individual ciphers should work. 130 { 131 "ECDHE-ECDSA-CHACHA20-POLY1305:" 132 "ECDHE-RSA-CHACHA20-POLY1305:" 133 "ECDHE-ECDSA-AES128-GCM-SHA256:" 134 "ECDHE-RSA-AES128-GCM-SHA256", 135 { 136 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0}, 137 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0}, 138 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0}, 139 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0}, 140 }, 141 false, 142 }, 143 // + reorders selected ciphers to the end, keeping their relative order. 144 { 145 "ECDHE-ECDSA-CHACHA20-POLY1305:" 146 "ECDHE-RSA-CHACHA20-POLY1305:" 147 "ECDHE-ECDSA-AES128-GCM-SHA256:" 148 "ECDHE-RSA-AES128-GCM-SHA256:" 149 "+aRSA", 150 { 151 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0}, 152 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0}, 153 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0}, 154 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0}, 155 }, 156 false, 157 }, 158 // ! banishes ciphers from future selections. 159 { 160 "!aRSA:" 161 "ECDHE-ECDSA-CHACHA20-POLY1305:" 162 "ECDHE-RSA-CHACHA20-POLY1305:" 163 "ECDHE-ECDSA-AES128-GCM-SHA256:" 164 "ECDHE-RSA-AES128-GCM-SHA256", 165 { 166 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0}, 167 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0}, 168 }, 169 false, 170 }, 171 // Multiple masks can be ANDed in a single rule. 172 { 173 "kRSA+AESGCM+AES128", 174 { 175 {TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0}, 176 }, 177 false, 178 }, 179 // - removes selected ciphers, but preserves their order for future 180 // selections. Select AES_128_GCM, but order the key exchanges RSA, 181 // ECDHE_RSA. 182 { 183 "ALL:-kECDHE:" 184 "-kRSA:-ALL:" 185 "AESGCM+AES128+aRSA", 186 { 187 {TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0}, 188 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0}, 189 }, 190 false, 191 }, 192 // Unknown selectors are no-ops, except in strict mode. 193 { 194 "ECDHE-ECDSA-CHACHA20-POLY1305:" 195 "ECDHE-RSA-CHACHA20-POLY1305:" 196 "ECDHE-ECDSA-AES128-GCM-SHA256:" 197 "ECDHE-RSA-AES128-GCM-SHA256:" 198 "BOGUS1", 199 { 200 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0}, 201 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0}, 202 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0}, 203 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0}, 204 }, 205 true, 206 }, 207 // Unknown selectors are no-ops, except in strict mode. 208 { 209 "ECDHE-ECDSA-CHACHA20-POLY1305:" 210 "ECDHE-RSA-CHACHA20-POLY1305:" 211 "ECDHE-ECDSA-AES128-GCM-SHA256:" 212 "ECDHE-RSA-AES128-GCM-SHA256:" 213 "-BOGUS2:+BOGUS3:!BOGUS4", 214 { 215 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0}, 216 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0}, 217 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0}, 218 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0}, 219 }, 220 true, 221 }, 222 // Square brackets specify equi-preference groups. 223 { 224 "[ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES128-GCM-SHA256]:" 225 "[ECDHE-RSA-CHACHA20-POLY1305]:" 226 "ECDHE-RSA-AES128-GCM-SHA256", 227 { 228 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 1}, 229 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0}, 230 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0}, 231 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0}, 232 }, 233 false, 234 }, 235 // Standard names may be used instead of OpenSSL names. 236 { 237 "[TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|" 238 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]:" 239 "[TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256]:" 240 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 241 { 242 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 1}, 243 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0}, 244 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0}, 245 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0}, 246 }, 247 false, 248 }, 249 // @STRENGTH performs a stable strength-sort of the selected ciphers and 250 // only the selected ciphers. 251 { 252 // To simplify things, banish all but {ECDHE_RSA,RSA} x 253 // {CHACHA20,AES_256_CBC,AES_128_CBC} x SHA1. 254 "!AESGCM:!3DES:" 255 // Order some ciphers backwards by strength. 256 "ALL:-CHACHA20:-AES256:-AES128:-ALL:" 257 // Select ECDHE ones and sort them by strength. Ties should resolve 258 // based on the order above. 259 "kECDHE:@STRENGTH:-ALL:" 260 // Now bring back everything uses RSA. ECDHE_RSA should be first, sorted 261 // by strength. Then RSA, backwards by strength. 262 "aRSA", 263 { 264 {TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, 0}, 265 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0}, 266 {TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, 0}, 267 {TLS1_CK_RSA_WITH_AES_128_SHA, 0}, 268 {TLS1_CK_RSA_WITH_AES_256_SHA, 0}, 269 }, 270 false, 271 }, 272 // Additional masks after @STRENGTH get silently discarded. 273 // 274 // TODO(davidben): Make this an error. If not silently discarded, they get 275 // interpreted as + opcodes which are very different. 276 { 277 "ECDHE-RSA-AES128-GCM-SHA256:" 278 "ECDHE-RSA-AES256-GCM-SHA384:" 279 "@STRENGTH+AES256", 280 { 281 {TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 0}, 282 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0}, 283 }, 284 false, 285 }, 286 { 287 "ECDHE-RSA-AES128-GCM-SHA256:" 288 "ECDHE-RSA-AES256-GCM-SHA384:" 289 "@STRENGTH+AES256:" 290 "ECDHE-RSA-CHACHA20-POLY1305", 291 { 292 {TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 0}, 293 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0}, 294 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0}, 295 }, 296 false, 297 }, 298 // Exact ciphers may not be used in multi-part rules; they are treated 299 // as unknown aliases. 300 { 301 "ECDHE-ECDSA-AES128-GCM-SHA256:" 302 "ECDHE-RSA-AES128-GCM-SHA256:" 303 "!ECDHE-RSA-AES128-GCM-SHA256+RSA:" 304 "!ECDSA+ECDHE-ECDSA-AES128-GCM-SHA256", 305 { 306 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0}, 307 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0}, 308 }, 309 true, 310 }, 311 // SSLv3 matches everything that existed before TLS 1.2. 312 { 313 "AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256:!SSLv3", 314 { 315 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0}, 316 }, 317 false, 318 }, 319 // TLSv1.2 matches everything added in TLS 1.2. 320 { 321 "AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256:!TLSv1.2", 322 { 323 {TLS1_CK_RSA_WITH_AES_128_SHA, 0}, 324 }, 325 false, 326 }, 327 // The two directives have no intersection. But each component is valid, so 328 // even in strict mode it is accepted. 329 { 330 "AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256:!TLSv1.2+SSLv3", 331 { 332 {TLS1_CK_RSA_WITH_AES_128_SHA, 0}, 333 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0}, 334 }, 335 false, 336 }, 337 // Spaces, semi-colons and commas are separators. 338 { 339 "AES128-SHA: ECDHE-RSA-AES128-GCM-SHA256 AES256-SHA ,ECDHE-ECDSA-AES128-GCM-SHA256 ; AES128-GCM-SHA256", 340 { 341 {TLS1_CK_RSA_WITH_AES_128_SHA, 0}, 342 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0}, 343 {TLS1_CK_RSA_WITH_AES_256_SHA, 0}, 344 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0}, 345 {TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0}, 346 }, 347 // but not in strict mode. 348 true, 349 }, 350 }; 351 352 static const char *kBadRules[] = { 353 // Invalid brackets. 354 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256", 355 "RSA]", 356 "[[RSA]]", 357 // Operators inside brackets. 358 "[+RSA]", 359 // Unknown directive. 360 "@BOGUS", 361 // Empty cipher lists error at SSL_CTX_set_cipher_list. 362 "", 363 "BOGUS", 364 // COMPLEMENTOFDEFAULT is empty. 365 "COMPLEMENTOFDEFAULT", 366 // Invalid command. 367 "?BAR", 368 // Special operators are not allowed if groups are used. 369 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:+FOO", 370 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:!FOO", 371 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:-FOO", 372 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:@STRENGTH", 373 // Opcode supplied, but missing selector. 374 "+", 375 // Spaces are forbidden in equal-preference groups. 376 "[AES128-SHA | AES128-SHA256]", 377 }; 378 379 static const char *kMustNotIncludeNull[] = { 380 "ALL", 381 "DEFAULT", 382 "HIGH", 383 "FIPS", 384 "SHA", 385 "SHA1", 386 "RSA", 387 "SSLv3", 388 "TLSv1", 389 "TLSv1.2", 390 }; 391 392 static const CurveTest kCurveTests[] = { 393 { 394 "P-256", 395 { SSL_CURVE_SECP256R1 }, 396 }, 397 { 398 "P-256:CECPQ2", 399 { SSL_CURVE_SECP256R1, SSL_CURVE_CECPQ2 }, 400 }, 401 402 { 403 "P-256:P-384:P-521:X25519", 404 { 405 SSL_CURVE_SECP256R1, 406 SSL_CURVE_SECP384R1, 407 SSL_CURVE_SECP521R1, 408 SSL_CURVE_X25519, 409 }, 410 }, 411 { 412 "prime256v1:secp384r1:secp521r1:x25519", 413 { 414 SSL_CURVE_SECP256R1, 415 SSL_CURVE_SECP384R1, 416 SSL_CURVE_SECP521R1, 417 SSL_CURVE_X25519, 418 }, 419 }, 420 }; 421 422 static const char *kBadCurvesLists[] = { 423 "", 424 ":", 425 "::", 426 "P-256::X25519", 427 "RSA:P-256", 428 "P-256:RSA", 429 "X25519:P-256:", 430 ":X25519:P-256", 431 }; 432 433 static std::string CipherListToString(SSL_CTX *ctx) { 434 bool in_group = false; 435 std::string ret; 436 const STACK_OF(SSL_CIPHER) *ciphers = SSL_CTX_get_ciphers(ctx); 437 for (size_t i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) { 438 const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(ciphers, i); 439 if (!in_group && SSL_CTX_cipher_in_group(ctx, i)) { 440 ret += "\t[\n"; 441 in_group = true; 442 } 443 ret += "\t"; 444 if (in_group) { 445 ret += " "; 446 } 447 ret += SSL_CIPHER_get_name(cipher); 448 ret += "\n"; 449 if (in_group && !SSL_CTX_cipher_in_group(ctx, i)) { 450 ret += "\t]\n"; 451 in_group = false; 452 } 453 } 454 return ret; 455 } 456 457 static bool CipherListsEqual(SSL_CTX *ctx, 458 const std::vector<ExpectedCipher> &expected) { 459 const STACK_OF(SSL_CIPHER) *ciphers = SSL_CTX_get_ciphers(ctx); 460 if (sk_SSL_CIPHER_num(ciphers) != expected.size()) { 461 return false; 462 } 463 464 for (size_t i = 0; i < expected.size(); i++) { 465 const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(ciphers, i); 466 if (expected[i].id != SSL_CIPHER_get_id(cipher) || 467 expected[i].in_group_flag != !!SSL_CTX_cipher_in_group(ctx, i)) { 468 return false; 469 } 470 } 471 472 return true; 473 } 474 475 TEST(SSLTest, CipherRules) { 476 for (const CipherTest &t : kCipherTests) { 477 SCOPED_TRACE(t.rule); 478 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method())); 479 ASSERT_TRUE(ctx); 480 481 // Test lax mode. 482 ASSERT_TRUE(SSL_CTX_set_cipher_list(ctx.get(), t.rule)); 483 EXPECT_TRUE(CipherListsEqual(ctx.get(), t.expected)) 484 << "Cipher rule evaluated to:\n" 485 << CipherListToString(ctx.get()); 486 487 // Test strict mode. 488 if (t.strict_fail) { 489 EXPECT_FALSE(SSL_CTX_set_strict_cipher_list(ctx.get(), t.rule)); 490 } else { 491 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(ctx.get(), t.rule)); 492 EXPECT_TRUE(CipherListsEqual(ctx.get(), t.expected)) 493 << "Cipher rule evaluated to:\n" 494 << CipherListToString(ctx.get()); 495 } 496 } 497 498 for (const char *rule : kBadRules) { 499 SCOPED_TRACE(rule); 500 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method())); 501 ASSERT_TRUE(ctx); 502 503 EXPECT_FALSE(SSL_CTX_set_cipher_list(ctx.get(), rule)); 504 ERR_clear_error(); 505 } 506 507 for (const char *rule : kMustNotIncludeNull) { 508 SCOPED_TRACE(rule); 509 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method())); 510 ASSERT_TRUE(ctx); 511 512 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(ctx.get(), rule)); 513 for (const SSL_CIPHER *cipher : SSL_CTX_get_ciphers(ctx.get())) { 514 EXPECT_NE(NID_undef, SSL_CIPHER_get_cipher_nid(cipher)); 515 } 516 } 517 } 518 519 TEST(SSLTest, CurveRules) { 520 for (const CurveTest &t : kCurveTests) { 521 SCOPED_TRACE(t.rule); 522 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method())); 523 ASSERT_TRUE(ctx); 524 525 ASSERT_TRUE(SSL_CTX_set1_curves_list(ctx.get(), t.rule)); 526 ASSERT_EQ(t.expected.size(), ctx->supported_group_list.size()); 527 for (size_t i = 0; i < t.expected.size(); i++) { 528 EXPECT_EQ(t.expected[i], ctx->supported_group_list[i]); 529 } 530 } 531 532 for (const char *rule : kBadCurvesLists) { 533 SCOPED_TRACE(rule); 534 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method())); 535 ASSERT_TRUE(ctx); 536 537 EXPECT_FALSE(SSL_CTX_set1_curves_list(ctx.get(), rule)); 538 ERR_clear_error(); 539 } 540 } 541 542 // kOpenSSLSession is a serialized SSL_SESSION. 543 static const char kOpenSSLSession[] = 544 "MIIFqgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ" 545 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH" 546 "IWoJoQYCBFRDO46iBAICASyjggR6MIIEdjCCA16gAwIBAgIIK9dUvsPWSlUwDQYJ" 547 "KoZIhvcNAQEFBQAwSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMx" 548 "JTAjBgNVBAMTHEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTQxMDA4" 549 "MTIwNzU3WhcNMTUwMTA2MDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwK" 550 "Q2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29v" 551 "Z2xlIEluYzEXMBUGA1UEAwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEB" 552 "AQUAA4IBDwAwggEKAoIBAQCcKeLrplAC+Lofy8t/wDwtB6eu72CVp0cJ4V3lknN6" 553 "huH9ct6FFk70oRIh/VBNBBz900jYy+7111Jm1b8iqOTQ9aT5C7SEhNcQFJvqzH3e" 554 "MPkb6ZSWGm1yGF7MCQTGQXF20Sk/O16FSjAynU/b3oJmOctcycWYkY0ytS/k3LBu" 555 "Id45PJaoMqjB0WypqvNeJHC3q5JjCB4RP7Nfx5jjHSrCMhw8lUMW4EaDxjaR9KDh" 556 "PLgjsk+LDIySRSRDaCQGhEOWLJZVLzLo4N6/UlctCHEllpBUSvEOyFga52qroGjg" 557 "rf3WOQ925MFwzd6AK+Ich0gDRg8sQfdLH5OuP1cfLfU1AgMBAAGjggFBMIIBPTAd" 558 "BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdv" 559 "b2dsZS5jb20waAYIKwYBBQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtp" 560 "Lmdvb2dsZS5jb20vR0lBRzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50" 561 "czEuZ29vZ2xlLmNvbS9vY3NwMB0GA1UdDgQWBBQ7a+CcxsZByOpc+xpYFcIbnUMZ" 562 "hTAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEv" 563 "MBcGA1UdIAQQMA4wDAYKKwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRw" 564 "Oi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQCa" 565 "OXCBdoqUy5bxyq+Wrh1zsyyCFim1PH5VU2+yvDSWrgDY8ibRGJmfff3r4Lud5kal" 566 "dKs9k8YlKD3ITG7P0YT/Rk8hLgfEuLcq5cc0xqmE42xJ+Eo2uzq9rYorc5emMCxf" 567 "5L0TJOXZqHQpOEcuptZQ4OjdYMfSxk5UzueUhA3ogZKRcRkdB3WeWRp+nYRhx4St" 568 "o2rt2A0MKmY9165GHUqMK9YaaXHDXqBu7Sefr1uSoAP9gyIJKeihMivsGqJ1TD6Z" 569 "cc6LMe+dN2P8cZEQHtD1y296ul4Mivqk3jatUVL8/hCwgch9A8O4PGZq9WqBfEWm" 570 "IyHh1dPtbg1lOXdYCWtjpAIEAKUDAgEUqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36S" 571 "YTcLEkXqKwOBfF9vE4KX0NxeLwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9B" 572 "sNHM362zZnY27GpTw+Kwd751CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yE" 573 "OTDKPNj3+inbMaVigtK4PLyPq+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdA" 574 "i4gv7Y5oliyntgMBAQA="; 575 576 // kCustomSession is a custom serialized SSL_SESSION generated by 577 // filling in missing fields from |kOpenSSLSession|. This includes 578 // providing |peer_sha256|, so |peer| is not serialized. 579 static const char kCustomSession[] = 580 "MIIBZAIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ" 581 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH" 582 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUqAcEBXdvcmxkqQUCAwGJwKqBpwSB" 583 "pBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0NxeLwjcDTpsuh3qXEaZ992r1N38" 584 "VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751CLoXFPoaMOe57dbBpXoro6Pd" 585 "3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyPq+Topyzvx9USFgRvyuoxn0Hg" 586 "b+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYGBgYGBgYGBgYGBgYGBgYGBgYG" 587 "BgYGBgYGBgYGrgMEAQevAwQBBLADBAEF"; 588 589 // kBoringSSLSession is a serialized SSL_SESSION generated from bssl client. 590 static const char kBoringSSLSession[] = 591 "MIIRwQIBAQICAwMEAsAvBCDdoGxGK26mR+8lM0uq6+k9xYuxPnwAjpcF9n0Yli9R" 592 "kQQwbyshfWhdi5XQ1++7n2L1qqrcVlmHBPpr6yknT/u4pUrpQB5FZ7vqvNn8MdHf" 593 "9rWgoQYCBFXgs7uiBAICHCCjggR6MIIEdjCCA16gAwIBAgIIf+yfD7Y6UicwDQYJ" 594 "KoZIhvcNAQELBQAwSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMx" 595 "JTAjBgNVBAMTHEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTUwODEy" 596 "MTQ1MzE1WhcNMTUxMTEwMDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwK" 597 "Q2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29v" 598 "Z2xlIEluYzEXMBUGA1UEAwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEB" 599 "AQUAA4IBDwAwggEKAoIBAQC0MeG5YGQ0t+IeJeoneP/PrhEaieibeKYkbKVLNZpo" 600 "PLuBinvhkXZo3DC133NpCBpy6ZktBwamqyixAyuk/NU6OjgXqwwxfQ7di1AInLIU" 601 "792c7hFyNXSUCG7At8Ifi3YwBX9Ba6u/1d6rWTGZJrdCq3QU11RkKYyTq2KT5mce" 602 "Tv9iGKqSkSTlp8puy/9SZ/3DbU3U+BuqCFqeSlz7zjwFmk35acdCilpJlVDDN5C/" 603 "RCh8/UKc8PaL+cxlt531qoTENvYrflBno14YEZlCBZsPiFeUSILpKEj3Ccwhy0eL" 604 "EucWQ72YZU8mUzXBoXGn0zA0crFl5ci/2sTBBGZsylNBAgMBAAGjggFBMIIBPTAd" 605 "BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdv" 606 "b2dsZS5jb20waAYIKwYBBQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtp" 607 "Lmdvb2dsZS5jb20vR0lBRzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50" 608 "czEuZ29vZ2xlLmNvbS9vY3NwMB0GA1UdDgQWBBS/bzHxcE73Q4j3slC4BLbMtLjG" 609 "GjAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEv" 610 "MBcGA1UdIAQQMA4wDAYKKwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRw" 611 "Oi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQAb" 612 "qdWPZEHk0X7iKPCTHL6S3w6q1eR67goxZGFSM1lk1hjwyu7XcLJuvALVV9uY3ovE" 613 "kQZSHwT+pyOPWQhsSjO+1GyjvCvK/CAwiUmBX+bQRGaqHsRcio7xSbdVcajQ3bXd" 614 "X+s0WdbOpn6MStKAiBVloPlSxEI8pxY6x/BBCnTIk/+DMB17uZlOjG3vbAnkDkP+" 615 "n0OTucD9sHV7EVj9XUxi51nOfNBCN/s7lpUjDS/NJ4k3iwOtbCPswiot8vLO779a" 616 "f07vR03r349Iz/KTzk95rlFtX0IU+KYNxFNsanIXZ+C9FYGRXkwhHcvFb4qMUB1y" 617 "TTlM80jBMOwyjZXmjRAhpAIEAKUDAgEUqQUCAwGJwKqBpwSBpOgebbmn9NRUtMWH" 618 "+eJpqA5JLMFSMCChOsvKey3toBaCNGU7HfAEiiXNuuAdCBoK262BjQc2YYfqFzqH" 619 "zuppopXCvhohx7j/tnCNZIMgLYt/O9SXK2RYI5z8FhCCHvB4CbD5G0LGl5EFP27s" 620 "Jb6S3aTTYPkQe8yZSlxevg6NDwmTogLO9F7UUkaYmVcMQhzssEE2ZRYNwSOU6KjE" 621 "0Yj+8fAiBtbQriIEIN2L8ZlpaVrdN5KFNdvcmOxJu81P8q53X55xQyGTnGWwsgMC" 622 "ARezggvvMIIEdjCCA16gAwIBAgIIf+yfD7Y6UicwDQYJKoZIhvcNAQELBQAwSTEL" 623 "MAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2ds" 624 "ZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTUwODEyMTQ1MzE1WhcNMTUxMTEw" 625 "MDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQG" 626 "A1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UE" 627 "AwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB" 628 "AQC0MeG5YGQ0t+IeJeoneP/PrhEaieibeKYkbKVLNZpoPLuBinvhkXZo3DC133Np" 629 "CBpy6ZktBwamqyixAyuk/NU6OjgXqwwxfQ7di1AInLIU792c7hFyNXSUCG7At8If" 630 "i3YwBX9Ba6u/1d6rWTGZJrdCq3QU11RkKYyTq2KT5mceTv9iGKqSkSTlp8puy/9S" 631 "Z/3DbU3U+BuqCFqeSlz7zjwFmk35acdCilpJlVDDN5C/RCh8/UKc8PaL+cxlt531" 632 "qoTENvYrflBno14YEZlCBZsPiFeUSILpKEj3Ccwhy0eLEucWQ72YZU8mUzXBoXGn" 633 "0zA0crFl5ci/2sTBBGZsylNBAgMBAAGjggFBMIIBPTAdBgNVHSUEFjAUBggrBgEF" 634 "BQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYB" 635 "BQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lB" 636 "RzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9v" 637 "Y3NwMB0GA1UdDgQWBBS/bzHxcE73Q4j3slC4BLbMtLjGGjAMBgNVHRMBAf8EAjAA" 638 "MB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMBcGA1UdIAQQMA4wDAYK" 639 "KwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRwOi8vcGtpLmdvb2dsZS5j" 640 "b20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQAbqdWPZEHk0X7iKPCTHL6S" 641 "3w6q1eR67goxZGFSM1lk1hjwyu7XcLJuvALVV9uY3ovEkQZSHwT+pyOPWQhsSjO+" 642 "1GyjvCvK/CAwiUmBX+bQRGaqHsRcio7xSbdVcajQ3bXdX+s0WdbOpn6MStKAiBVl" 643 "oPlSxEI8pxY6x/BBCnTIk/+DMB17uZlOjG3vbAnkDkP+n0OTucD9sHV7EVj9XUxi" 644 "51nOfNBCN/s7lpUjDS/NJ4k3iwOtbCPswiot8vLO779af07vR03r349Iz/KTzk95" 645 "rlFtX0IU+KYNxFNsanIXZ+C9FYGRXkwhHcvFb4qMUB1yTTlM80jBMOwyjZXmjRAh" 646 "MIID8DCCAtigAwIBAgIDAjqDMA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT" 647 "MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i" 648 "YWwgQ0EwHhcNMTMwNDA1MTUxNTU2WhcNMTYxMjMxMjM1OTU5WjBJMQswCQYDVQQG" 649 "EwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVy" 650 "bmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB" 651 "AJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NP" 652 "VaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtv" 653 "h8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rE" 654 "ahqyzFPdFUuLH8gZYR/Nnag+YyuENWllhMgZxUYi+FOVvuOAShDGKuy6lyARxzmZ" 655 "EASg8GF6lSWMTlJ14rbtCMoU/M4iarNOz0YDl5cDfsCx3nuvRTPPuj5xt970JSXC" 656 "DTWJnZ37DhF5iR43xa+OcmkCAwEAAaOB5zCB5DAfBgNVHSMEGDAWgBTAephojYn7" 657 "qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1dvWBtrtiGrpagS8wDgYD" 658 "VR0PAQH/BAQDAgEGMC4GCCsGAQUFBwEBBCIwIDAeBggrBgEFBQcwAYYSaHR0cDov" 659 "L2cuc3ltY2QuY29tMBIGA1UdEwEB/wQIMAYBAf8CAQAwNQYDVR0fBC4wLDAqoCig" 660 "JoYkaHR0cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9iYWwuY3JsMBcGA1UdIAQQ" 661 "MA4wDAYKKwYBBAHWeQIFATANBgkqhkiG9w0BAQsFAAOCAQEAqvqpIM1qZ4PtXtR+" 662 "3h3Ef+AlBgDFJPupyC1tft6dgmUsgWM0Zj7pUsIItMsv91+ZOmqcUHqFBYx90SpI" 663 "hNMJbHzCzTWf84LuUt5oX+QAihcglvcpjZpNy6jehsgNb1aHA30DP9z6eX0hGfnI" 664 "Oi9RdozHQZJxjyXON/hKTAAj78Q1EK7gI4BzfE00LshukNYQHpmEcxpw8u1VDu4X" 665 "Bupn7jLrLN1nBz/2i8Jw3lsA5rsb0zYaImxssDVCbJAJPZPpZAkiDoUGn8JzIdPm" 666 "X4DkjYUiOnMDsWCOrmji9D6X52ASCWg23jrW4kOVWzeBkoEfu43XrVJkFleW2V40" 667 "fsg12DCCA30wggLmoAMCAQICAxK75jANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQG" 668 "EwJVUzEQMA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUg" 669 "Q2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTAyMDUyMTA0MDAwMFoXDTE4MDgyMTA0" 670 "MDAwMFowQjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUdlb1RydXN0IEluYy4xGzAZ" 671 "BgNVBAMTEkdlb1RydXN0IEdsb2JhbCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP" 672 "ADCCAQoCggEBANrMGGMw/fQXIxpWflvfPGw45HG3eJHUvKHYTPioQ7YD6U0hBwiI" 673 "2lgvZjkpvQV4i5046AW3an5xpObEYKaw74DkiSgPniXW7YPzraaRx5jJQhg1FJ2t" 674 "mEaSLk/K8YdDwRaVVy1Q74ktgHpXrfLuX2vSAI25FPgUFTXZwEaje3LIkb/JVSvN" 675 "0Jc+nCZkzN/Ogxlxyk7m1NV7qRnNVd7I7NJeOFPlXE+MLf5QIzb8ZubLjqQ5GQC3" 676 "lQI5kQsO/jgu0R0FmvZNPm8PBx2vLB6PYDni+jZTEznUXiYr2z2oFL0y6xgDKFIE" 677 "ceWrMz3hOLsHNoRinHnqFjD0X8Ar6HFr5PkCAwEAAaOB8DCB7TAfBgNVHSMEGDAW" 678 "gBRI5mj5K9KylddH2CMgEE8zmJCf1DAdBgNVHQ4EFgQUwHqYaI2J+6sFZAwRfap9" 679 "ZbjKzE4wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwOgYDVR0fBDMw" 680 "MTAvoC2gK4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20vY3Jscy9zZWN1cmVjYS5j" 681 "cmwwTgYDVR0gBEcwRTBDBgRVHSAAMDswOQYIKwYBBQUHAgEWLWh0dHBzOi8vd3d3" 682 "Lmdlb3RydXN0LmNvbS9yZXNvdXJjZXMvcmVwb3NpdG9yeTANBgkqhkiG9w0BAQUF" 683 "AAOBgQB24RJuTksWEoYwBrKBCM/wCMfHcX5m7sLt1Dsf//DwyE7WQziwuTB9GNBV" 684 "g6JqyzYRnOhIZqNtf7gT1Ef+i1pcc/yu2RsyGTirlzQUqpbS66McFAhJtrvlke+D" 685 "NusdVm/K2rxzY5Dkf3s+Iss9B+1fOHSc4wNQTqGvmO5h8oQ/Eg=="; 686 687 // kBadSessionExtraField is a custom serialized SSL_SESSION generated by replacing 688 // the final (optional) element of |kCustomSession| with tag number 30. 689 static const char kBadSessionExtraField[] = 690 "MIIBdgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ" 691 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH" 692 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE" 693 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe" 694 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751" 695 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP" 696 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG" 697 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBL4DBAEF"; 698 699 // kBadSessionVersion is a custom serialized SSL_SESSION generated by replacing 700 // the version of |kCustomSession| with 2. 701 static const char kBadSessionVersion[] = 702 "MIIBdgIBAgICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ" 703 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH" 704 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE" 705 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe" 706 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751" 707 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP" 708 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG" 709 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBLADBAEF"; 710 711 // kBadSessionTrailingData is a custom serialized SSL_SESSION with trailing data 712 // appended. 713 static const char kBadSessionTrailingData[] = 714 "MIIBdgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ" 715 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH" 716 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE" 717 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe" 718 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751" 719 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP" 720 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG" 721 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBLADBAEFAAAA"; 722 723 static bool DecodeBase64(std::vector<uint8_t> *out, const char *in) { 724 size_t len; 725 if (!EVP_DecodedLength(&len, strlen(in))) { 726 fprintf(stderr, "EVP_DecodedLength failed\n"); 727 return false; 728 } 729 730 out->resize(len); 731 if (!EVP_DecodeBase64(out->data(), &len, len, (const uint8_t *)in, 732 strlen(in))) { 733 fprintf(stderr, "EVP_DecodeBase64 failed\n"); 734 return false; 735 } 736 out->resize(len); 737 return true; 738 } 739 740 static bool TestSSL_SESSIONEncoding(const char *input_b64) { 741 const uint8_t *cptr; 742 uint8_t *ptr; 743 744 // Decode the input. 745 std::vector<uint8_t> input; 746 if (!DecodeBase64(&input, input_b64)) { 747 return false; 748 } 749 750 // Verify the SSL_SESSION decodes. 751 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method())); 752 if (!ssl_ctx) { 753 return false; 754 } 755 bssl::UniquePtr<SSL_SESSION> session( 756 SSL_SESSION_from_bytes(input.data(), input.size(), ssl_ctx.get())); 757 if (!session) { 758 fprintf(stderr, "SSL_SESSION_from_bytes failed\n"); 759 return false; 760 } 761 762 // Verify the SSL_SESSION encoding round-trips. 763 size_t encoded_len; 764 bssl::UniquePtr<uint8_t> encoded; 765 uint8_t *encoded_raw; 766 if (!SSL_SESSION_to_bytes(session.get(), &encoded_raw, &encoded_len)) { 767 fprintf(stderr, "SSL_SESSION_to_bytes failed\n"); 768 return false; 769 } 770 encoded.reset(encoded_raw); 771 if (encoded_len != input.size() || 772 OPENSSL_memcmp(input.data(), encoded.get(), input.size()) != 0) { 773 fprintf(stderr, "SSL_SESSION_to_bytes did not round-trip\n"); 774 hexdump(stderr, "Before: ", input.data(), input.size()); 775 hexdump(stderr, "After: ", encoded_raw, encoded_len); 776 return false; 777 } 778 779 // Verify the SSL_SESSION also decodes with the legacy API. 780 cptr = input.data(); 781 session.reset(d2i_SSL_SESSION(NULL, &cptr, input.size())); 782 if (!session || cptr != input.data() + input.size()) { 783 fprintf(stderr, "d2i_SSL_SESSION failed\n"); 784 return false; 785 } 786 787 // Verify the SSL_SESSION encoding round-trips via the legacy API. 788 int len = i2d_SSL_SESSION(session.get(), NULL); 789 if (len < 0 || (size_t)len != input.size()) { 790 fprintf(stderr, "i2d_SSL_SESSION(NULL) returned invalid length\n"); 791 return false; 792 } 793 794 encoded.reset((uint8_t *)OPENSSL_malloc(input.size())); 795 if (!encoded) { 796 fprintf(stderr, "malloc failed\n"); 797 return false; 798 } 799 800 ptr = encoded.get(); 801 len = i2d_SSL_SESSION(session.get(), &ptr); 802 if (len < 0 || (size_t)len != input.size()) { 803 fprintf(stderr, "i2d_SSL_SESSION returned invalid length\n"); 804 return false; 805 } 806 if (ptr != encoded.get() + input.size()) { 807 fprintf(stderr, "i2d_SSL_SESSION did not advance ptr correctly\n"); 808 return false; 809 } 810 if (OPENSSL_memcmp(input.data(), encoded.get(), input.size()) != 0) { 811 fprintf(stderr, "i2d_SSL_SESSION did not round-trip\n"); 812 return false; 813 } 814 815 return true; 816 } 817 818 static bool TestBadSSL_SESSIONEncoding(const char *input_b64) { 819 std::vector<uint8_t> input; 820 if (!DecodeBase64(&input, input_b64)) { 821 return false; 822 } 823 824 // Verify that the SSL_SESSION fails to decode. 825 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method())); 826 if (!ssl_ctx) { 827 return false; 828 } 829 bssl::UniquePtr<SSL_SESSION> session( 830 SSL_SESSION_from_bytes(input.data(), input.size(), ssl_ctx.get())); 831 if (session) { 832 fprintf(stderr, "SSL_SESSION_from_bytes unexpectedly succeeded\n"); 833 return false; 834 } 835 ERR_clear_error(); 836 return true; 837 } 838 839 static void ExpectDefaultVersion(uint16_t min_version, uint16_t max_version, 840 const SSL_METHOD *(*method)(void)) { 841 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method())); 842 ASSERT_TRUE(ctx); 843 EXPECT_EQ(min_version, ctx->conf_min_version); 844 EXPECT_EQ(max_version, ctx->conf_max_version); 845 } 846 847 TEST(SSLTest, DefaultVersion) { 848 // TODO(svaldez): Update this when TLS 1.3 is enabled by default. 849 ExpectDefaultVersion(TLS1_VERSION, TLS1_2_VERSION, &TLS_method); 850 ExpectDefaultVersion(TLS1_VERSION, TLS1_VERSION, &TLSv1_method); 851 ExpectDefaultVersion(TLS1_1_VERSION, TLS1_1_VERSION, &TLSv1_1_method); 852 ExpectDefaultVersion(TLS1_2_VERSION, TLS1_2_VERSION, &TLSv1_2_method); 853 ExpectDefaultVersion(TLS1_1_VERSION, TLS1_2_VERSION, &DTLS_method); 854 ExpectDefaultVersion(TLS1_1_VERSION, TLS1_1_VERSION, &DTLSv1_method); 855 ExpectDefaultVersion(TLS1_2_VERSION, TLS1_2_VERSION, &DTLSv1_2_method); 856 } 857 858 TEST(SSLTest, CipherProperties) { 859 static const struct { 860 int id; 861 const char *standard_name; 862 int cipher_nid; 863 int digest_nid; 864 int kx_nid; 865 int auth_nid; 866 int prf_nid; 867 } kTests[] = { 868 { 869 SSL3_CK_RSA_DES_192_CBC3_SHA, 870 "TLS_RSA_WITH_3DES_EDE_CBC_SHA", 871 NID_des_ede3_cbc, 872 NID_sha1, 873 NID_kx_rsa, 874 NID_auth_rsa, 875 NID_md5_sha1, 876 }, 877 { 878 TLS1_CK_RSA_WITH_AES_128_SHA, 879 "TLS_RSA_WITH_AES_128_CBC_SHA", 880 NID_aes_128_cbc, 881 NID_sha1, 882 NID_kx_rsa, 883 NID_auth_rsa, 884 NID_md5_sha1, 885 }, 886 { 887 TLS1_CK_PSK_WITH_AES_256_CBC_SHA, 888 "TLS_PSK_WITH_AES_256_CBC_SHA", 889 NID_aes_256_cbc, 890 NID_sha1, 891 NID_kx_psk, 892 NID_auth_psk, 893 NID_md5_sha1, 894 }, 895 { 896 TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, 897 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", 898 NID_aes_128_cbc, 899 NID_sha1, 900 NID_kx_ecdhe, 901 NID_auth_rsa, 902 NID_md5_sha1, 903 }, 904 { 905 TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, 906 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", 907 NID_aes_256_cbc, 908 NID_sha1, 909 NID_kx_ecdhe, 910 NID_auth_rsa, 911 NID_md5_sha1, 912 }, 913 { 914 TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 915 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 916 NID_aes_128_gcm, 917 NID_undef, 918 NID_kx_ecdhe, 919 NID_auth_rsa, 920 NID_sha256, 921 }, 922 { 923 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 924 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", 925 NID_aes_128_gcm, 926 NID_undef, 927 NID_kx_ecdhe, 928 NID_auth_ecdsa, 929 NID_sha256, 930 }, 931 { 932 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 933 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", 934 NID_aes_256_gcm, 935 NID_undef, 936 NID_kx_ecdhe, 937 NID_auth_ecdsa, 938 NID_sha384, 939 }, 940 { 941 TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA, 942 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA", 943 NID_aes_128_cbc, 944 NID_sha1, 945 NID_kx_ecdhe, 946 NID_auth_psk, 947 NID_md5_sha1, 948 }, 949 { 950 TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 951 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", 952 NID_chacha20_poly1305, 953 NID_undef, 954 NID_kx_ecdhe, 955 NID_auth_rsa, 956 NID_sha256, 957 }, 958 { 959 TLS1_CK_AES_256_GCM_SHA384, 960 "TLS_AES_256_GCM_SHA384", 961 NID_aes_256_gcm, 962 NID_undef, 963 NID_kx_any, 964 NID_auth_any, 965 NID_sha384, 966 }, 967 { 968 TLS1_CK_AES_128_GCM_SHA256, 969 "TLS_AES_128_GCM_SHA256", 970 NID_aes_128_gcm, 971 NID_undef, 972 NID_kx_any, 973 NID_auth_any, 974 NID_sha256, 975 }, 976 { 977 TLS1_CK_CHACHA20_POLY1305_SHA256, 978 "TLS_CHACHA20_POLY1305_SHA256", 979 NID_chacha20_poly1305, 980 NID_undef, 981 NID_kx_any, 982 NID_auth_any, 983 NID_sha256, 984 }, 985 }; 986 987 for (const auto &t : kTests) { 988 SCOPED_TRACE(t.standard_name); 989 990 const SSL_CIPHER *cipher = SSL_get_cipher_by_value(t.id & 0xffff); 991 ASSERT_TRUE(cipher); 992 EXPECT_STREQ(t.standard_name, SSL_CIPHER_standard_name(cipher)); 993 994 bssl::UniquePtr<char> rfc_name(SSL_CIPHER_get_rfc_name(cipher)); 995 ASSERT_TRUE(rfc_name); 996 EXPECT_STREQ(t.standard_name, rfc_name.get()); 997 998 EXPECT_EQ(t.cipher_nid, SSL_CIPHER_get_cipher_nid(cipher)); 999 EXPECT_EQ(t.digest_nid, SSL_CIPHER_get_digest_nid(cipher)); 1000 EXPECT_EQ(t.kx_nid, SSL_CIPHER_get_kx_nid(cipher)); 1001 EXPECT_EQ(t.auth_nid, SSL_CIPHER_get_auth_nid(cipher)); 1002 EXPECT_EQ(t.prf_nid, SSL_CIPHER_get_prf_nid(cipher)); 1003 } 1004 } 1005 1006 // CreateSessionWithTicket returns a sample |SSL_SESSION| with the specified 1007 // version and ticket length or nullptr on failure. 1008 static bssl::UniquePtr<SSL_SESSION> CreateSessionWithTicket(uint16_t version, 1009 size_t ticket_len) { 1010 std::vector<uint8_t> der; 1011 if (!DecodeBase64(&der, kOpenSSLSession)) { 1012 return nullptr; 1013 } 1014 1015 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method())); 1016 if (!ssl_ctx) { 1017 return nullptr; 1018 } 1019 // Use a garbage ticket. 1020 std::vector<uint8_t> ticket(ticket_len, 'a'); 1021 bssl::UniquePtr<SSL_SESSION> session( 1022 SSL_SESSION_from_bytes(der.data(), der.size(), ssl_ctx.get())); 1023 if (!session || 1024 !SSL_SESSION_set_protocol_version(session.get(), version) || 1025 !SSL_SESSION_set_ticket(session.get(), ticket.data(), ticket.size())) { 1026 return nullptr; 1027 } 1028 // Fix up the timeout. 1029 #if defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE) 1030 SSL_SESSION_set_time(session.get(), 1234); 1031 #else 1032 SSL_SESSION_set_time(session.get(), time(nullptr)); 1033 #endif 1034 return session; 1035 } 1036 1037 static bool GetClientHello(SSL *ssl, std::vector<uint8_t> *out) { 1038 bssl::UniquePtr<BIO> bio(BIO_new(BIO_s_mem())); 1039 if (!bio) { 1040 return false; 1041 } 1042 // Do not configure a reading BIO, but record what's written to a memory BIO. 1043 BIO_up_ref(bio.get()); 1044 SSL_set_bio(ssl, nullptr /* rbio */, bio.get()); 1045 int ret = SSL_connect(ssl); 1046 if (ret > 0) { 1047 // SSL_connect should fail without a BIO to write to. 1048 return false; 1049 } 1050 ERR_clear_error(); 1051 1052 const uint8_t *client_hello; 1053 size_t client_hello_len; 1054 if (!BIO_mem_contents(bio.get(), &client_hello, &client_hello_len)) { 1055 return false; 1056 } 1057 *out = std::vector<uint8_t>(client_hello, client_hello + client_hello_len); 1058 return true; 1059 } 1060 1061 // GetClientHelloLen creates a client SSL connection with the specified version 1062 // and ticket length. It returns the length of the ClientHello, not including 1063 // the record header, on success and zero on error. 1064 static size_t GetClientHelloLen(uint16_t max_version, uint16_t session_version, 1065 size_t ticket_len) { 1066 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method())); 1067 bssl::UniquePtr<SSL_SESSION> session = 1068 CreateSessionWithTicket(session_version, ticket_len); 1069 if (!ctx || !session) { 1070 return 0; 1071 } 1072 1073 // Set a one-element cipher list so the baseline ClientHello is unpadded. 1074 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get())); 1075 if (!ssl || !SSL_set_session(ssl.get(), session.get()) || 1076 !SSL_set_strict_cipher_list(ssl.get(), "ECDHE-RSA-AES128-GCM-SHA256") || 1077 !SSL_set_max_proto_version(ssl.get(), max_version)) { 1078 return 0; 1079 } 1080 1081 std::vector<uint8_t> client_hello; 1082 if (!GetClientHello(ssl.get(), &client_hello) || 1083 client_hello.size() <= SSL3_RT_HEADER_LENGTH) { 1084 return 0; 1085 } 1086 1087 return client_hello.size() - SSL3_RT_HEADER_LENGTH; 1088 } 1089 1090 struct PaddingTest { 1091 size_t input_len, padded_len; 1092 }; 1093 1094 static const PaddingTest kPaddingTests[] = { 1095 // ClientHellos of length below 0x100 do not require padding. 1096 {0xfe, 0xfe}, 1097 {0xff, 0xff}, 1098 // ClientHellos of length 0x100 through 0x1fb are padded up to 0x200. 1099 {0x100, 0x200}, 1100 {0x123, 0x200}, 1101 {0x1fb, 0x200}, 1102 // ClientHellos of length 0x1fc through 0x1ff get padded beyond 0x200. The 1103 // padding extension takes a minimum of four bytes plus one required content 1104 // byte. (To work around yet more server bugs, we avoid empty final 1105 // extensions.) 1106 {0x1fc, 0x201}, 1107 {0x1fd, 0x202}, 1108 {0x1fe, 0x203}, 1109 {0x1ff, 0x204}, 1110 // Finally, larger ClientHellos need no padding. 1111 {0x200, 0x200}, 1112 {0x201, 0x201}, 1113 }; 1114 1115 static bool TestPaddingExtension(uint16_t max_version, 1116 uint16_t session_version) { 1117 // Sample a baseline length. 1118 size_t base_len = GetClientHelloLen(max_version, session_version, 1); 1119 if (base_len == 0) { 1120 return false; 1121 } 1122 1123 for (const PaddingTest &test : kPaddingTests) { 1124 if (base_len > test.input_len) { 1125 fprintf(stderr, 1126 "Baseline ClientHello too long (max_version = %04x, " 1127 "session_version = %04x).\n", 1128 max_version, session_version); 1129 return false; 1130 } 1131 1132 size_t padded_len = GetClientHelloLen(max_version, session_version, 1133 1 + test.input_len - base_len); 1134 if (padded_len != test.padded_len) { 1135 fprintf(stderr, 1136 "%u-byte ClientHello padded to %u bytes, not %u (max_version = " 1137 "%04x, session_version = %04x).\n", 1138 static_cast<unsigned>(test.input_len), 1139 static_cast<unsigned>(padded_len), 1140 static_cast<unsigned>(test.padded_len), max_version, 1141 session_version); 1142 return false; 1143 } 1144 } 1145 1146 return true; 1147 } 1148 1149 static bssl::UniquePtr<X509> GetTestCertificate() { 1150 static const char kCertPEM[] = 1151 "-----BEGIN CERTIFICATE-----\n" 1152 "MIICWDCCAcGgAwIBAgIJAPuwTC6rEJsMMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV\n" 1153 "BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX\n" 1154 "aWRnaXRzIFB0eSBMdGQwHhcNMTQwNDIzMjA1MDQwWhcNMTcwNDIyMjA1MDQwWjBF\n" 1155 "MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50\n" 1156 "ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\n" 1157 "gQDYK8imMuRi/03z0K1Zi0WnvfFHvwlYeyK9Na6XJYaUoIDAtB92kWdGMdAQhLci\n" 1158 "HnAjkXLI6W15OoV3gA/ElRZ1xUpxTMhjP6PyY5wqT5r6y8FxbiiFKKAnHmUcrgfV\n" 1159 "W28tQ+0rkLGMryRtrukXOgXBv7gcrmU7G1jC2a7WqmeI8QIDAQABo1AwTjAdBgNV\n" 1160 "HQ4EFgQUi3XVrMsIvg4fZbf6Vr5sp3Xaha8wHwYDVR0jBBgwFoAUi3XVrMsIvg4f\n" 1161 "Zbf6Vr5sp3Xaha8wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQA76Hht\n" 1162 "ldY9avcTGSwbwoiuIqv0jTL1fHFnzy3RHMLDh+Lpvolc5DSrSJHCP5WuK0eeJXhr\n" 1163 "T5oQpHL9z/cCDLAKCKRa4uV0fhEdOWBqyR9p8y5jJtye72t6CuFUV5iqcpF4BH4f\n" 1164 "j2VNHwsSrJwkD4QUGlUtH7vwnQmyCFxZMmWAJg==\n" 1165 "-----END CERTIFICATE-----\n"; 1166 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(kCertPEM, strlen(kCertPEM))); 1167 return bssl::UniquePtr<X509>( 1168 PEM_read_bio_X509(bio.get(), nullptr, nullptr, nullptr)); 1169 } 1170 1171 static bssl::UniquePtr<EVP_PKEY> GetTestKey() { 1172 static const char kKeyPEM[] = 1173 "-----BEGIN RSA PRIVATE KEY-----\n" 1174 "MIICXgIBAAKBgQDYK8imMuRi/03z0K1Zi0WnvfFHvwlYeyK9Na6XJYaUoIDAtB92\n" 1175 "kWdGMdAQhLciHnAjkXLI6W15OoV3gA/ElRZ1xUpxTMhjP6PyY5wqT5r6y8FxbiiF\n" 1176 "KKAnHmUcrgfVW28tQ+0rkLGMryRtrukXOgXBv7gcrmU7G1jC2a7WqmeI8QIDAQAB\n" 1177 "AoGBAIBy09Fd4DOq/Ijp8HeKuCMKTHqTW1xGHshLQ6jwVV2vWZIn9aIgmDsvkjCe\n" 1178 "i6ssZvnbjVcwzSoByhjN8ZCf/i15HECWDFFh6gt0P5z0MnChwzZmvatV/FXCT0j+\n" 1179 "WmGNB/gkehKjGXLLcjTb6dRYVJSCZhVuOLLcbWIV10gggJQBAkEA8S8sGe4ezyyZ\n" 1180 "m4e9r95g6s43kPqtj5rewTsUxt+2n4eVodD+ZUlCULWVNAFLkYRTBCASlSrm9Xhj\n" 1181 "QpmWAHJUkQJBAOVzQdFUaewLtdOJoPCtpYoY1zd22eae8TQEmpGOR11L6kbxLQsk\n" 1182 "aMly/DOnOaa82tqAGTdqDEZgSNmCeKKknmECQAvpnY8GUOVAubGR6c+W90iBuQLj\n" 1183 "LtFp/9ihd2w/PoDwrHZaoUYVcT4VSfJQog/k7kjE4MYXYWL8eEKg3WTWQNECQQDk\n" 1184 "104Wi91Umd1PzF0ijd2jXOERJU1wEKe6XLkYYNHWQAe5l4J4MWj9OdxFXAxIuuR/\n" 1185 "tfDwbqkta4xcux67//khAkEAvvRXLHTaa6VFzTaiiO8SaFsHV3lQyXOtMrBpB5jd\n" 1186 "moZWgjHvB2W9Ckn7sDqsPB+U2tyX0joDdQEyuiMECDY8oQ==\n" 1187 "-----END RSA PRIVATE KEY-----\n"; 1188 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(kKeyPEM, strlen(kKeyPEM))); 1189 return bssl::UniquePtr<EVP_PKEY>( 1190 PEM_read_bio_PrivateKey(bio.get(), nullptr, nullptr, nullptr)); 1191 } 1192 1193 static bssl::UniquePtr<X509> GetECDSATestCertificate() { 1194 static const char kCertPEM[] = 1195 "-----BEGIN CERTIFICATE-----\n" 1196 "MIIBzzCCAXagAwIBAgIJANlMBNpJfb/rMAkGByqGSM49BAEwRTELMAkGA1UEBhMC\n" 1197 "QVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdp\n" 1198 "dHMgUHR5IEx0ZDAeFw0xNDA0MjMyMzIxNTdaFw0xNDA1MjMyMzIxNTdaMEUxCzAJ\n" 1199 "BgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5l\n" 1200 "dCBXaWRnaXRzIFB0eSBMdGQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATmK2ni\n" 1201 "v2Wfl74vHg2UikzVl2u3qR4NRvvdqakendy6WgHn1peoChj5w8SjHlbifINI2xYa\n" 1202 "HPUdfvGULUvPciLBo1AwTjAdBgNVHQ4EFgQUq4TSrKuV8IJOFngHVVdf5CaNgtEw\n" 1203 "HwYDVR0jBBgwFoAUq4TSrKuV8IJOFngHVVdf5CaNgtEwDAYDVR0TBAUwAwEB/zAJ\n" 1204 "BgcqhkjOPQQBA0gAMEUCIQDyoDVeUTo2w4J5m+4nUIWOcAZ0lVfSKXQA9L4Vh13E\n" 1205 "BwIgfB55FGohg/B6dGh5XxSZmmi08cueFV7mHzJSYV51yRQ=\n" 1206 "-----END CERTIFICATE-----\n"; 1207 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(kCertPEM, strlen(kCertPEM))); 1208 return bssl::UniquePtr<X509>(PEM_read_bio_X509(bio.get(), nullptr, nullptr, nullptr)); 1209 } 1210 1211 static bssl::UniquePtr<EVP_PKEY> GetECDSATestKey() { 1212 static const char kKeyPEM[] = 1213 "-----BEGIN PRIVATE KEY-----\n" 1214 "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgBw8IcnrUoEqc3VnJ\n" 1215 "TYlodwi1b8ldMHcO6NHJzgqLtGqhRANCAATmK2niv2Wfl74vHg2UikzVl2u3qR4N\n" 1216 "Rvvdqakendy6WgHn1peoChj5w8SjHlbifINI2xYaHPUdfvGULUvPciLB\n" 1217 "-----END PRIVATE KEY-----\n"; 1218 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(kKeyPEM, strlen(kKeyPEM))); 1219 return bssl::UniquePtr<EVP_PKEY>( 1220 PEM_read_bio_PrivateKey(bio.get(), nullptr, nullptr, nullptr)); 1221 } 1222 1223 static bssl::UniquePtr<CRYPTO_BUFFER> BufferFromPEM(const char *pem) { 1224 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(pem, strlen(pem))); 1225 char *name, *header; 1226 uint8_t *data; 1227 long data_len; 1228 if (!PEM_read_bio(bio.get(), &name, &header, &data, 1229 &data_len)) { 1230 return nullptr; 1231 } 1232 OPENSSL_free(name); 1233 OPENSSL_free(header); 1234 1235 auto ret = bssl::UniquePtr<CRYPTO_BUFFER>( 1236 CRYPTO_BUFFER_new(data, data_len, nullptr)); 1237 OPENSSL_free(data); 1238 return ret; 1239 } 1240 1241 static bssl::UniquePtr<CRYPTO_BUFFER> GetChainTestCertificateBuffer() { 1242 static const char kCertPEM[] = 1243 "-----BEGIN CERTIFICATE-----\n" 1244 "MIIC0jCCAbqgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEQiBD\n" 1245 "QTAeFw0xNjAyMjgyMDI3MDNaFw0yNjAyMjUyMDI3MDNaMBgxFjAUBgNVBAMMDUNs\n" 1246 "aWVudCBDZXJ0IEEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDRvaz8\n" 1247 "CC/cshpCafJo4jLkHEoBqDLhdgFelJoAiQUyIqyWl2O7YHPnpJH+TgR7oelzNzt/\n" 1248 "kLRcH89M/TszB6zqyLTC4aqmvzKL0peD/jL2LWBucR0WXIvjA3zoRuF/x86+rYH3\n" 1249 "tHb+xs2PSs8EGL/Ev+ss+qTzTGEn26fuGNHkNw6tOwPpc+o8+wUtzf/kAthamo+c\n" 1250 "IDs2rQ+lP7+aLZTLeU/q4gcLutlzcK5imex5xy2jPkweq48kijK0kIzl1cPlA5d1\n" 1251 "z7C8jU50Pj9X9sQDJTN32j7UYRisJeeYQF8GaaN8SbrDI6zHgKzrRLyxDt/KQa9V\n" 1252 "iLeXANgZi+Xx9KgfAgMBAAGjLzAtMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYI\n" 1253 "KwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQBFEVbmYl+2RtNw\n" 1254 "rDftRDF1v2QUbcN2ouSnQDHxeDQdSgasLzT3ui8iYu0Rw2WWcZ0DV5e0ztGPhWq7\n" 1255 "AO0B120aFRMOY+4+bzu9Q2FFkQqc7/fKTvTDzIJI5wrMnFvUfzzvxh3OHWMYSs/w\n" 1256 "giq33hTKeHEq6Jyk3btCny0Ycecyc3yGXH10sizUfiHlhviCkDuESk8mFDwDDzqW\n" 1257 "ZF0IipzFbEDHoIxLlm3GQxpiLoEV4k8KYJp3R5KBLFyxM6UGPz8h72mIPCJp2RuK\n" 1258 "MYgF91UDvVzvnYm6TfseM2+ewKirC00GOrZ7rEcFvtxnKSqYf4ckqfNdSU1Y+RRC\n" 1259 "1ngWZ7Ih\n" 1260 "-----END CERTIFICATE-----\n"; 1261 return BufferFromPEM(kCertPEM); 1262 } 1263 1264 static bssl::UniquePtr<X509> X509FromBuffer( 1265 bssl::UniquePtr<CRYPTO_BUFFER> buffer) { 1266 if (!buffer) { 1267 return nullptr; 1268 } 1269 const uint8_t *derp = CRYPTO_BUFFER_data(buffer.get()); 1270 return bssl::UniquePtr<X509>( 1271 d2i_X509(NULL, &derp, CRYPTO_BUFFER_len(buffer.get()))); 1272 } 1273 1274 static bssl::UniquePtr<X509> GetChainTestCertificate() { 1275 return X509FromBuffer(GetChainTestCertificateBuffer()); 1276 } 1277 1278 static bssl::UniquePtr<CRYPTO_BUFFER> GetChainTestIntermediateBuffer() { 1279 static const char kCertPEM[] = 1280 "-----BEGIN CERTIFICATE-----\n" 1281 "MIICwjCCAaqgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwFDESMBAGA1UEAwwJQyBS\n" 1282 "b290IENBMB4XDTE2MDIyODIwMjcwM1oXDTI2MDIyNTIwMjcwM1owDzENMAsGA1UE\n" 1283 "AwwEQiBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALsSCYmDip2D\n" 1284 "GkjFxw7ykz26JSjELkl6ArlYjFJ3aT/SCh8qbS4gln7RH8CPBd78oFdfhIKQrwtZ\n" 1285 "3/q21ykD9BAS3qHe2YdcJfm8/kWAy5DvXk6NXU4qX334KofBAEpgdA/igEFq1P1l\n" 1286 "HAuIfZCpMRfT+i5WohVsGi8f/NgpRvVaMONLNfgw57mz1lbtFeBEISmX0kbsuJxF\n" 1287 "Qj/Bwhi5/0HAEXG8e7zN4cEx0yPRvmOATRdVb/8dW2pwOHRJq9R5M0NUkIsTSnL7\n" 1288 "6N/z8hRAHMsV3IudC5Yd7GXW1AGu9a+iKU+Q4xcZCoj0DC99tL4VKujrV1kAeqsM\n" 1289 "cz5/dKzi6+cCAwEAAaMjMCEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n" 1290 "AQYwDQYJKoZIhvcNAQELBQADggEBAIIeZiEeNhWWQ8Y4D+AGDwqUUeG8NjCbKrXQ\n" 1291 "BlHg5wZ8xftFaiP1Dp/UAezmx2LNazdmuwrYB8lm3FVTyaPDTKEGIPS4wJKHgqH1\n" 1292 "QPDhqNm85ey7TEtI9oYjsNim/Rb+iGkIAMXaxt58SzxbjvP0kMr1JfJIZbic9vye\n" 1293 "NwIspMFIpP3FB8ywyu0T0hWtCQgL4J47nigCHpOu58deP88fS/Nyz/fyGVWOZ76b\n" 1294 "WhWwgM3P3X95fQ3d7oFPR/bVh0YV+Cf861INwplokXgXQ3/TCQ+HNXeAMWn3JLWv\n" 1295 "XFwk8owk9dq/kQGdndGgy3KTEW4ctPX5GNhf3LJ9Q7dLji4ReQ4=\n" 1296 "-----END CERTIFICATE-----\n"; 1297 return BufferFromPEM(kCertPEM); 1298 } 1299 1300 static bssl::UniquePtr<X509> GetChainTestIntermediate() { 1301 return X509FromBuffer(GetChainTestIntermediateBuffer()); 1302 } 1303 1304 static bssl::UniquePtr<EVP_PKEY> GetChainTestKey() { 1305 static const char kKeyPEM[] = 1306 "-----BEGIN PRIVATE KEY-----\n" 1307 "MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDRvaz8CC/cshpC\n" 1308 "afJo4jLkHEoBqDLhdgFelJoAiQUyIqyWl2O7YHPnpJH+TgR7oelzNzt/kLRcH89M\n" 1309 "/TszB6zqyLTC4aqmvzKL0peD/jL2LWBucR0WXIvjA3zoRuF/x86+rYH3tHb+xs2P\n" 1310 "Ss8EGL/Ev+ss+qTzTGEn26fuGNHkNw6tOwPpc+o8+wUtzf/kAthamo+cIDs2rQ+l\n" 1311 "P7+aLZTLeU/q4gcLutlzcK5imex5xy2jPkweq48kijK0kIzl1cPlA5d1z7C8jU50\n" 1312 "Pj9X9sQDJTN32j7UYRisJeeYQF8GaaN8SbrDI6zHgKzrRLyxDt/KQa9ViLeXANgZ\n" 1313 "i+Xx9KgfAgMBAAECggEBAK0VjSJzkyPaamcyTVSWjo7GdaBGcK60lk657RjR+lK0\n" 1314 "YJ7pkej4oM2hdsVZFsP8Cs4E33nXLa/0pDsRov/qrp0WQm2skwqGMC1I/bZ0WRPk\n" 1315 "wHaDrBBfESWnJDX/AGpVtlyOjPmgmK6J2usMPihQUDkKdAYrVWJePrMIxt1q6BMe\n" 1316 "iczs3qriMmtY3bUc4UyUwJ5fhDLjshHvfuIpYQyI6EXZM6dZksn9LylXJnigY6QJ\n" 1317 "HxOYO0BDwOsZ8yQ8J8afLk88i0GizEkgE1z3REtQUwgWfxr1WV/ud+T6/ZhSAgH9\n" 1318 "042mQvSFZnIUSEsmCvjhWuAunfxHKCTcAoYISWfzWpkCgYEA7gpf3HHU5Tn+CgUn\n" 1319 "1X5uGpG3DmcMgfeGgs2r2f/IIg/5Ac1dfYILiybL1tN9zbyLCJfcbFpWBc9hJL6f\n" 1320 "CPc5hUiwWFJqBJewxQkC1Ae/HakHbip+IZ+Jr0842O4BAArvixk4Lb7/N2Ct9sTE\n" 1321 "NJO6RtK9lbEZ5uK61DglHy8CS2UCgYEA4ZC1o36kPAMQBggajgnucb2yuUEelk0f\n" 1322 "AEr+GI32MGE+93xMr7rAhBoqLg4AITyIfEnOSQ5HwagnIHonBbv1LV/Gf9ursx8Z\n" 1323 "YOGbvT8zzzC+SU1bkDzdjAYnFQVGIjMtKOBJ3K07++ypwX1fr4QsQ8uKL8WSOWwt\n" 1324 "Z3Bym6XiZzMCgYADnhy+2OwHX85AkLt+PyGlPbmuelpyTzS4IDAQbBa6jcuW/2wA\n" 1325 "UE2km75VUXmD+u2R/9zVuLm99NzhFhSMqlUxdV1YukfqMfP5yp1EY6m/5aW7QuIP\n" 1326 "2MDa7TVL9rIFMiVZ09RKvbBbQxjhuzPQKL6X/PPspnhiTefQ+dl2k9xREQKBgHDS\n" 1327 "fMfGNEeAEKezrfSVqxphE9/tXms3L+ZpnCaT+yu/uEr5dTIAawKoQ6i9f/sf1/Sy\n" 1328 "xedsqR+IB+oKrzIDDWMgoJybN4pkZ8E5lzhVQIjFjKgFdWLzzqyW9z1gYfABQPlN\n" 1329 "FiS20WX0vgP1vcKAjdNrHzc9zyHBpgQzDmAj3NZZAoGBAI8vKCKdH7w3aL5CNkZQ\n" 1330 "2buIeWNA2HZazVwAGG5F2TU/LmXfRKnG6dX5bkU+AkBZh56jNZy//hfFSewJB4Kk\n" 1331 "buB7ERSdaNbO21zXt9FEA3+z0RfMd/Zv2vlIWOSB5nzl/7UKti3sribK6s9ZVLfi\n" 1332 "SxpiPQ8d/hmSGwn4ksrWUsJD\n" 1333 "-----END PRIVATE KEY-----\n"; 1334 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(kKeyPEM, strlen(kKeyPEM))); 1335 return bssl::UniquePtr<EVP_PKEY>( 1336 PEM_read_bio_PrivateKey(bio.get(), nullptr, nullptr, nullptr)); 1337 } 1338 1339 // Test that |SSL_get_client_CA_list| echoes back the configured parameter even 1340 // before configuring as a server. 1341 TEST(SSLTest, ClientCAList) { 1342 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method())); 1343 ASSERT_TRUE(ctx); 1344 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get())); 1345 ASSERT_TRUE(ssl); 1346 1347 bssl::UniquePtr<X509_NAME> name(X509_NAME_new()); 1348 ASSERT_TRUE(name); 1349 1350 bssl::UniquePtr<X509_NAME> name_dup(X509_NAME_dup(name.get())); 1351 ASSERT_TRUE(name_dup); 1352 1353 bssl::UniquePtr<STACK_OF(X509_NAME)> stack(sk_X509_NAME_new_null()); 1354 ASSERT_TRUE(stack); 1355 ASSERT_TRUE(PushToStack(stack.get(), std::move(name_dup))); 1356 1357 // |SSL_set_client_CA_list| takes ownership. 1358 SSL_set_client_CA_list(ssl.get(), stack.release()); 1359 1360 STACK_OF(X509_NAME) *result = SSL_get_client_CA_list(ssl.get()); 1361 ASSERT_TRUE(result); 1362 ASSERT_EQ(1u, sk_X509_NAME_num(result)); 1363 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(result, 0), name.get())); 1364 } 1365 1366 TEST(SSLTest, AddClientCA) { 1367 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method())); 1368 ASSERT_TRUE(ctx); 1369 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get())); 1370 ASSERT_TRUE(ssl); 1371 1372 bssl::UniquePtr<X509> cert1 = GetTestCertificate(); 1373 bssl::UniquePtr<X509> cert2 = GetChainTestCertificate(); 1374 ASSERT_TRUE(cert1 && cert2); 1375 X509_NAME *name1 = X509_get_subject_name(cert1.get()); 1376 X509_NAME *name2 = X509_get_subject_name(cert2.get()); 1377 1378 EXPECT_EQ(0u, sk_X509_NAME_num(SSL_get_client_CA_list(ssl.get()))); 1379 1380 ASSERT_TRUE(SSL_add_client_CA(ssl.get(), cert1.get())); 1381 ASSERT_TRUE(SSL_add_client_CA(ssl.get(), cert2.get())); 1382 1383 STACK_OF(X509_NAME) *list = SSL_get_client_CA_list(ssl.get()); 1384 ASSERT_EQ(2u, sk_X509_NAME_num(list)); 1385 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 0), name1)); 1386 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 1), name2)); 1387 1388 ASSERT_TRUE(SSL_add_client_CA(ssl.get(), cert1.get())); 1389 1390 list = SSL_get_client_CA_list(ssl.get()); 1391 ASSERT_EQ(3u, sk_X509_NAME_num(list)); 1392 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 0), name1)); 1393 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 1), name2)); 1394 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 2), name1)); 1395 } 1396 1397 static void AppendSession(SSL_SESSION *session, void *arg) { 1398 std::vector<SSL_SESSION*> *out = 1399 reinterpret_cast<std::vector<SSL_SESSION*>*>(arg); 1400 out->push_back(session); 1401 } 1402 1403 // CacheEquals returns true if |ctx|'s session cache consists of |expected|, in 1404 // order. 1405 static bool CacheEquals(SSL_CTX *ctx, 1406 const std::vector<SSL_SESSION*> &expected) { 1407 // Check the linked list. 1408 SSL_SESSION *ptr = ctx->session_cache_head; 1409 for (SSL_SESSION *session : expected) { 1410 if (ptr != session) { 1411 return false; 1412 } 1413 // TODO(davidben): This is an absurd way to denote the end of the list. 1414 if (ptr->next == 1415 reinterpret_cast<SSL_SESSION *>(&ctx->session_cache_tail)) { 1416 ptr = nullptr; 1417 } else { 1418 ptr = ptr->next; 1419 } 1420 } 1421 if (ptr != nullptr) { 1422 return false; 1423 } 1424 1425 // Check the hash table. 1426 std::vector<SSL_SESSION*> actual, expected_copy; 1427 lh_SSL_SESSION_doall_arg(ctx->sessions, AppendSession, &actual); 1428 expected_copy = expected; 1429 1430 std::sort(actual.begin(), actual.end()); 1431 std::sort(expected_copy.begin(), expected_copy.end()); 1432 1433 return actual == expected_copy; 1434 } 1435 1436 static bssl::UniquePtr<SSL_SESSION> CreateTestSession(uint32_t number) { 1437 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method())); 1438 if (!ssl_ctx) { 1439 return nullptr; 1440 } 1441 bssl::UniquePtr<SSL_SESSION> ret(SSL_SESSION_new(ssl_ctx.get())); 1442 if (!ret) { 1443 return nullptr; 1444 } 1445 1446 uint8_t id[SSL3_SSL_SESSION_ID_LENGTH] = {0}; 1447 OPENSSL_memcpy(id, &number, sizeof(number)); 1448 if (!SSL_SESSION_set1_id(ret.get(), id, sizeof(id))) { 1449 return nullptr; 1450 } 1451 return ret; 1452 } 1453 1454 // Test that the internal session cache behaves as expected. 1455 TEST(SSLTest, InternalSessionCache) { 1456 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method())); 1457 ASSERT_TRUE(ctx); 1458 1459 // Prepare 10 test sessions. 1460 std::vector<bssl::UniquePtr<SSL_SESSION>> sessions; 1461 for (int i = 0; i < 10; i++) { 1462 bssl::UniquePtr<SSL_SESSION> session = CreateTestSession(i); 1463 ASSERT_TRUE(session); 1464 sessions.push_back(std::move(session)); 1465 } 1466 1467 SSL_CTX_sess_set_cache_size(ctx.get(), 5); 1468 1469 // Insert all the test sessions. 1470 for (const auto &session : sessions) { 1471 ASSERT_TRUE(SSL_CTX_add_session(ctx.get(), session.get())); 1472 } 1473 1474 // Only the last five should be in the list. 1475 ASSERT_TRUE(CacheEquals( 1476 ctx.get(), {sessions[9].get(), sessions[8].get(), sessions[7].get(), 1477 sessions[6].get(), sessions[5].get()})); 1478 1479 // Inserting an element already in the cache should fail and leave the cache 1480 // unchanged. 1481 ASSERT_FALSE(SSL_CTX_add_session(ctx.get(), sessions[7].get())); 1482 ASSERT_TRUE(CacheEquals( 1483 ctx.get(), {sessions[9].get(), sessions[8].get(), sessions[7].get(), 1484 sessions[6].get(), sessions[5].get()})); 1485 1486 // Although collisions should be impossible (256-bit session IDs), the cache 1487 // must handle them gracefully. 1488 bssl::UniquePtr<SSL_SESSION> collision(CreateTestSession(7)); 1489 ASSERT_TRUE(collision); 1490 ASSERT_TRUE(SSL_CTX_add_session(ctx.get(), collision.get())); 1491 ASSERT_TRUE(CacheEquals( 1492 ctx.get(), {collision.get(), sessions[9].get(), sessions[8].get(), 1493 sessions[6].get(), sessions[5].get()})); 1494 1495 // Removing sessions behaves correctly. 1496 ASSERT_TRUE(SSL_CTX_remove_session(ctx.get(), sessions[6].get())); 1497 ASSERT_TRUE(CacheEquals(ctx.get(), {collision.get(), sessions[9].get(), 1498 sessions[8].get(), sessions[5].get()})); 1499 1500 // Removing sessions requires an exact match. 1501 ASSERT_FALSE(SSL_CTX_remove_session(ctx.get(), sessions[0].get())); 1502 ASSERT_FALSE(SSL_CTX_remove_session(ctx.get(), sessions[7].get())); 1503 1504 // The cache remains unchanged. 1505 ASSERT_TRUE(CacheEquals(ctx.get(), {collision.get(), sessions[9].get(), 1506 sessions[8].get(), sessions[5].get()})); 1507 } 1508 1509 static uint16_t EpochFromSequence(uint64_t seq) { 1510 return static_cast<uint16_t>(seq >> 48); 1511 } 1512 1513 static const uint8_t kTestName[] = { 1514 0x30, 0x45, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 1515 0x02, 0x41, 0x55, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 1516 0x0c, 0x0a, 0x53, 0x6f, 0x6d, 0x65, 0x2d, 0x53, 0x74, 0x61, 0x74, 0x65, 1517 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x18, 0x49, 1518 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x20, 0x57, 0x69, 0x64, 0x67, 1519 0x69, 0x74, 0x73, 0x20, 0x50, 0x74, 0x79, 0x20, 0x4c, 0x74, 0x64, 1520 }; 1521 1522 static bool CompleteHandshakes(SSL *client, SSL *server) { 1523 // Drive both their handshakes to completion. 1524 for (;;) { 1525 int client_ret = SSL_do_handshake(client); 1526 int client_err = SSL_get_error(client, client_ret); 1527 if (client_err != SSL_ERROR_NONE && 1528 client_err != SSL_ERROR_WANT_READ && 1529 client_err != SSL_ERROR_WANT_WRITE && 1530 client_err != SSL_ERROR_PENDING_TICKET) { 1531 fprintf(stderr, "Client error: %d\n", client_err); 1532 return false; 1533 } 1534 1535 int server_ret = SSL_do_handshake(server); 1536 int server_err = SSL_get_error(server, server_ret); 1537 if (server_err != SSL_ERROR_NONE && 1538 server_err != SSL_ERROR_WANT_READ && 1539 server_err != SSL_ERROR_WANT_WRITE && 1540 server_err != SSL_ERROR_PENDING_TICKET) { 1541 fprintf(stderr, "Server error: %d\n", server_err); 1542 return false; 1543 } 1544 1545 if (client_ret == 1 && server_ret == 1) { 1546 break; 1547 } 1548 } 1549 1550 return true; 1551 } 1552 1553 struct ClientConfig { 1554 SSL_SESSION *session = nullptr; 1555 std::string servername; 1556 }; 1557 1558 static bool ConnectClientAndServer(bssl::UniquePtr<SSL> *out_client, 1559 bssl::UniquePtr<SSL> *out_server, 1560 SSL_CTX *client_ctx, SSL_CTX *server_ctx, 1561 const ClientConfig &config = ClientConfig(), 1562 bool do_handshake = true, 1563 bool shed_handshake_config = true) { 1564 bssl::UniquePtr<SSL> client(SSL_new(client_ctx)), server(SSL_new(server_ctx)); 1565 if (!client || !server) { 1566 return false; 1567 } 1568 SSL_set_connect_state(client.get()); 1569 SSL_set_accept_state(server.get()); 1570 1571 if (config.session) { 1572 SSL_set_session(client.get(), config.session); 1573 } 1574 if (!config.servername.empty() && 1575 !SSL_set_tlsext_host_name(client.get(), config.servername.c_str())) { 1576 return false; 1577 } 1578 1579 BIO *bio1, *bio2; 1580 if (!BIO_new_bio_pair(&bio1, 0, &bio2, 0)) { 1581 return false; 1582 } 1583 // SSL_set_bio takes ownership. 1584 SSL_set_bio(client.get(), bio1, bio1); 1585 SSL_set_bio(server.get(), bio2, bio2); 1586 1587 SSL_set_shed_handshake_config(client.get(), shed_handshake_config); 1588 SSL_set_shed_handshake_config(server.get(), shed_handshake_config); 1589 1590 if (do_handshake && !CompleteHandshakes(client.get(), server.get())) { 1591 return false; 1592 } 1593 1594 *out_client = std::move(client); 1595 *out_server = std::move(server); 1596 return true; 1597 } 1598 1599 // SSLVersionTest executes its test cases under all available protocol versions. 1600 // Test cases call |Connect| to create a connection using context objects with 1601 // the protocol version fixed to the current version under test. 1602 class SSLVersionTest : public ::testing::TestWithParam<VersionParam> { 1603 protected: 1604 SSLVersionTest() : cert_(GetTestCertificate()), key_(GetTestKey()) {} 1605 1606 void SetUp() { ResetContexts(); } 1607 1608 bssl::UniquePtr<SSL_CTX> CreateContext() const { 1609 const SSL_METHOD *method = is_dtls() ? DTLS_method() : TLS_method(); 1610 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method)); 1611 if (!ctx || !SSL_CTX_set_min_proto_version(ctx.get(), version()) || 1612 !SSL_CTX_set_max_proto_version(ctx.get(), version())) { 1613 return nullptr; 1614 } 1615 return ctx; 1616 } 1617 1618 void ResetContexts() { 1619 ASSERT_TRUE(cert_); 1620 ASSERT_TRUE(key_); 1621 client_ctx_ = CreateContext(); 1622 ASSERT_TRUE(client_ctx_); 1623 server_ctx_ = CreateContext(); 1624 ASSERT_TRUE(server_ctx_); 1625 // Set up a server cert. Client certs can be set up explicitly. 1626 ASSERT_TRUE(UseCertAndKey(server_ctx_.get())); 1627 } 1628 1629 bool UseCertAndKey(SSL_CTX *ctx) const { 1630 return SSL_CTX_use_certificate(ctx, cert_.get()) && 1631 SSL_CTX_use_PrivateKey(ctx, key_.get()); 1632 } 1633 1634 bool Connect(const ClientConfig &config = ClientConfig()) { 1635 return ConnectClientAndServer(&client_, &server_, client_ctx_.get(), 1636 server_ctx_.get(), config, true, 1637 shed_handshake_config_); 1638 } 1639 1640 uint16_t version() const { return GetParam().version; } 1641 1642 bool is_dtls() const { 1643 return GetParam().ssl_method == VersionParam::is_dtls; 1644 } 1645 1646 bool shed_handshake_config_ = true; 1647 bssl::UniquePtr<SSL> client_, server_; 1648 bssl::UniquePtr<SSL_CTX> server_ctx_, client_ctx_; 1649 bssl::UniquePtr<X509> cert_; 1650 bssl::UniquePtr<EVP_PKEY> key_; 1651 }; 1652 1653 INSTANTIATE_TEST_CASE_P(WithVersion, SSLVersionTest, 1654 testing::ValuesIn(kAllVersions), 1655 [](const testing::TestParamInfo<VersionParam> &i) { 1656 return i.param.name; 1657 }); 1658 1659 TEST_P(SSLVersionTest, SequenceNumber) { 1660 ASSERT_TRUE(Connect()); 1661 1662 // Drain any post-handshake messages to ensure there are no unread records 1663 // on either end. 1664 uint8_t byte = 0; 1665 ASSERT_LE(SSL_read(client_.get(), &byte, 1), 0); 1666 ASSERT_LE(SSL_read(server_.get(), &byte, 1), 0); 1667 1668 uint64_t client_read_seq = SSL_get_read_sequence(client_.get()); 1669 uint64_t client_write_seq = SSL_get_write_sequence(client_.get()); 1670 uint64_t server_read_seq = SSL_get_read_sequence(server_.get()); 1671 uint64_t server_write_seq = SSL_get_write_sequence(server_.get()); 1672 1673 if (is_dtls()) { 1674 // Both client and server must be at epoch 1. 1675 EXPECT_EQ(EpochFromSequence(client_read_seq), 1); 1676 EXPECT_EQ(EpochFromSequence(client_write_seq), 1); 1677 EXPECT_EQ(EpochFromSequence(server_read_seq), 1); 1678 EXPECT_EQ(EpochFromSequence(server_write_seq), 1); 1679 1680 // The next record to be written should exceed the largest received. 1681 EXPECT_GT(client_write_seq, server_read_seq); 1682 EXPECT_GT(server_write_seq, client_read_seq); 1683 } else { 1684 // The next record to be written should equal the next to be received. 1685 EXPECT_EQ(client_write_seq, server_read_seq); 1686 EXPECT_EQ(server_write_seq, client_read_seq); 1687 } 1688 1689 // Send a record from client to server. 1690 EXPECT_EQ(SSL_write(client_.get(), &byte, 1), 1); 1691 EXPECT_EQ(SSL_read(server_.get(), &byte, 1), 1); 1692 1693 // The client write and server read sequence numbers should have 1694 // incremented. 1695 EXPECT_EQ(client_write_seq + 1, SSL_get_write_sequence(client_.get())); 1696 EXPECT_EQ(server_read_seq + 1, SSL_get_read_sequence(server_.get())); 1697 } 1698 1699 TEST_P(SSLVersionTest, OneSidedShutdown) { 1700 // SSL_shutdown is a no-op in DTLS. 1701 if (is_dtls()) { 1702 return; 1703 } 1704 ASSERT_TRUE(Connect()); 1705 1706 // Shut down half the connection. SSL_shutdown will return 0 to signal only 1707 // one side has shut down. 1708 ASSERT_EQ(SSL_shutdown(client_.get()), 0); 1709 1710 // Reading from the server should consume the EOF. 1711 uint8_t byte; 1712 ASSERT_EQ(SSL_read(server_.get(), &byte, 1), 0); 1713 ASSERT_EQ(SSL_get_error(server_.get(), 0), SSL_ERROR_ZERO_RETURN); 1714 1715 // However, the server may continue to write data and then shut down the 1716 // connection. 1717 byte = 42; 1718 ASSERT_EQ(SSL_write(server_.get(), &byte, 1), 1); 1719 ASSERT_EQ(SSL_read(client_.get(), &byte, 1), 1); 1720 ASSERT_EQ(byte, 42); 1721 1722 // The server may then shutdown the connection. 1723 EXPECT_EQ(SSL_shutdown(server_.get()), 1); 1724 EXPECT_EQ(SSL_shutdown(client_.get()), 1); 1725 } 1726 1727 TEST(SSLTest, SessionDuplication) { 1728 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method())); 1729 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method())); 1730 ASSERT_TRUE(client_ctx); 1731 ASSERT_TRUE(server_ctx); 1732 1733 bssl::UniquePtr<X509> cert = GetTestCertificate(); 1734 bssl::UniquePtr<EVP_PKEY> key = GetTestKey(); 1735 ASSERT_TRUE(cert); 1736 ASSERT_TRUE(key); 1737 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get())); 1738 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get())); 1739 1740 bssl::UniquePtr<SSL> client, server; 1741 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(), 1742 server_ctx.get())); 1743 1744 SSL_SESSION *session0 = SSL_get_session(client.get()); 1745 bssl::UniquePtr<SSL_SESSION> session1 = 1746 bssl::SSL_SESSION_dup(session0, SSL_SESSION_DUP_ALL); 1747 ASSERT_TRUE(session1); 1748 1749 session1->not_resumable = false; 1750 1751 uint8_t *s0_bytes, *s1_bytes; 1752 size_t s0_len, s1_len; 1753 1754 ASSERT_TRUE(SSL_SESSION_to_bytes(session0, &s0_bytes, &s0_len)); 1755 bssl::UniquePtr<uint8_t> free_s0(s0_bytes); 1756 1757 ASSERT_TRUE(SSL_SESSION_to_bytes(session1.get(), &s1_bytes, &s1_len)); 1758 bssl::UniquePtr<uint8_t> free_s1(s1_bytes); 1759 1760 EXPECT_EQ(Bytes(s0_bytes, s0_len), Bytes(s1_bytes, s1_len)); 1761 } 1762 1763 static void ExpectFDs(const SSL *ssl, int rfd, int wfd) { 1764 EXPECT_EQ(rfd, SSL_get_fd(ssl)); 1765 EXPECT_EQ(rfd, SSL_get_rfd(ssl)); 1766 EXPECT_EQ(wfd, SSL_get_wfd(ssl)); 1767 1768 // The wrapper BIOs are always equal when fds are equal, even if set 1769 // individually. 1770 if (rfd == wfd) { 1771 EXPECT_EQ(SSL_get_rbio(ssl), SSL_get_wbio(ssl)); 1772 } 1773 } 1774 1775 TEST(SSLTest, SetFD) { 1776 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method())); 1777 ASSERT_TRUE(ctx); 1778 1779 // Test setting different read and write FDs. 1780 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get())); 1781 ASSERT_TRUE(ssl); 1782 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1)); 1783 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 2)); 1784 ExpectFDs(ssl.get(), 1, 2); 1785 1786 // Test setting the same FD. 1787 ssl.reset(SSL_new(ctx.get())); 1788 ASSERT_TRUE(ssl); 1789 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1)); 1790 ExpectFDs(ssl.get(), 1, 1); 1791 1792 // Test setting the same FD one side at a time. 1793 ssl.reset(SSL_new(ctx.get())); 1794 ASSERT_TRUE(ssl); 1795 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1)); 1796 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 1)); 1797 ExpectFDs(ssl.get(), 1, 1); 1798 1799 // Test setting the same FD in the other order. 1800 ssl.reset(SSL_new(ctx.get())); 1801 ASSERT_TRUE(ssl); 1802 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 1)); 1803 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1)); 1804 ExpectFDs(ssl.get(), 1, 1); 1805 1806 // Test changing the read FD partway through. 1807 ssl.reset(SSL_new(ctx.get())); 1808 ASSERT_TRUE(ssl); 1809 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1)); 1810 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 2)); 1811 ExpectFDs(ssl.get(), 2, 1); 1812 1813 // Test changing the write FD partway through. 1814 ssl.reset(SSL_new(ctx.get())); 1815 ASSERT_TRUE(ssl); 1816 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1)); 1817 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 2)); 1818 ExpectFDs(ssl.get(), 1, 2); 1819 1820 // Test a no-op change to the read FD partway through. 1821 ssl.reset(SSL_new(ctx.get())); 1822 ASSERT_TRUE(ssl); 1823 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1)); 1824 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1)); 1825 ExpectFDs(ssl.get(), 1, 1); 1826 1827 // Test a no-op change to the write FD partway through. 1828 ssl.reset(SSL_new(ctx.get())); 1829 ASSERT_TRUE(ssl); 1830 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1)); 1831 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 1)); 1832 ExpectFDs(ssl.get(), 1, 1); 1833 1834 // ASan builds will implicitly test that the internal |BIO| reference-counting 1835 // is correct. 1836 } 1837 1838 TEST(SSLTest, SetBIO) { 1839 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method())); 1840 ASSERT_TRUE(ctx); 1841 1842 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get())); 1843 bssl::UniquePtr<BIO> bio1(BIO_new(BIO_s_mem())), bio2(BIO_new(BIO_s_mem())), 1844 bio3(BIO_new(BIO_s_mem())); 1845 ASSERT_TRUE(ssl); 1846 ASSERT_TRUE(bio1); 1847 ASSERT_TRUE(bio2); 1848 ASSERT_TRUE(bio3); 1849 1850 // SSL_set_bio takes one reference when the parameters are the same. 1851 BIO_up_ref(bio1.get()); 1852 SSL_set_bio(ssl.get(), bio1.get(), bio1.get()); 1853 1854 // Repeating the call does nothing. 1855 SSL_set_bio(ssl.get(), bio1.get(), bio1.get()); 1856 1857 // It takes one reference each when the parameters are different. 1858 BIO_up_ref(bio2.get()); 1859 BIO_up_ref(bio3.get()); 1860 SSL_set_bio(ssl.get(), bio2.get(), bio3.get()); 1861 1862 // Repeating the call does nothing. 1863 SSL_set_bio(ssl.get(), bio2.get(), bio3.get()); 1864 1865 // It takes one reference when changing only wbio. 1866 BIO_up_ref(bio1.get()); 1867 SSL_set_bio(ssl.get(), bio2.get(), bio1.get()); 1868 1869 // It takes one reference when changing only rbio and the two are different. 1870 BIO_up_ref(bio3.get()); 1871 SSL_set_bio(ssl.get(), bio3.get(), bio1.get()); 1872 1873 // If setting wbio to rbio, it takes no additional references. 1874 SSL_set_bio(ssl.get(), bio3.get(), bio3.get()); 1875 1876 // From there, wbio may be switched to something else. 1877 BIO_up_ref(bio1.get()); 1878 SSL_set_bio(ssl.get(), bio3.get(), bio1.get()); 1879 1880 // If setting rbio to wbio, it takes no additional references. 1881 SSL_set_bio(ssl.get(), bio1.get(), bio1.get()); 1882 1883 // From there, rbio may be switched to something else, but, for historical 1884 // reasons, it takes a reference to both parameters. 1885 BIO_up_ref(bio1.get()); 1886 BIO_up_ref(bio2.get()); 1887 SSL_set_bio(ssl.get(), bio2.get(), bio1.get()); 1888 1889 // ASAN builds will implicitly test that the internal |BIO| reference-counting 1890 // is correct. 1891 } 1892 1893 static int VerifySucceed(X509_STORE_CTX *store_ctx, void *arg) { return 1; } 1894 1895 TEST_P(SSLVersionTest, GetPeerCertificate) { 1896 ASSERT_TRUE(UseCertAndKey(client_ctx_.get())); 1897 1898 // Configure both client and server to accept any certificate. 1899 SSL_CTX_set_verify(client_ctx_.get(), 1900 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 1901 nullptr); 1902 SSL_CTX_set_cert_verify_callback(client_ctx_.get(), VerifySucceed, NULL); 1903 SSL_CTX_set_verify(server_ctx_.get(), 1904 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 1905 nullptr); 1906 SSL_CTX_set_cert_verify_callback(server_ctx_.get(), VerifySucceed, NULL); 1907 1908 ASSERT_TRUE(Connect()); 1909 1910 // Client and server should both see the leaf certificate. 1911 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(server_.get())); 1912 ASSERT_TRUE(peer); 1913 ASSERT_EQ(X509_cmp(cert_.get(), peer.get()), 0); 1914 1915 peer.reset(SSL_get_peer_certificate(client_.get())); 1916 ASSERT_TRUE(peer); 1917 ASSERT_EQ(X509_cmp(cert_.get(), peer.get()), 0); 1918 1919 // However, for historical reasons, the X509 chain includes the leaf on the 1920 // client, but does not on the server. 1921 EXPECT_EQ(sk_X509_num(SSL_get_peer_cert_chain(client_.get())), 1u); 1922 EXPECT_EQ(sk_CRYPTO_BUFFER_num(SSL_get0_peer_certificates(client_.get())), 1923 1u); 1924 1925 EXPECT_EQ(sk_X509_num(SSL_get_peer_cert_chain(server_.get())), 0u); 1926 EXPECT_EQ(sk_CRYPTO_BUFFER_num(SSL_get0_peer_certificates(server_.get())), 1927 1u); 1928 } 1929 1930 TEST_P(SSLVersionTest, NoPeerCertificate) { 1931 SSL_CTX_set_verify(server_ctx_.get(), SSL_VERIFY_PEER, nullptr); 1932 SSL_CTX_set_cert_verify_callback(server_ctx_.get(), VerifySucceed, NULL); 1933 SSL_CTX_set_cert_verify_callback(client_ctx_.get(), VerifySucceed, NULL); 1934 1935 ASSERT_TRUE(Connect()); 1936 1937 // Server should not see a peer certificate. 1938 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(server_.get())); 1939 ASSERT_FALSE(peer); 1940 ASSERT_FALSE(SSL_get0_peer_certificates(server_.get())); 1941 } 1942 1943 TEST_P(SSLVersionTest, RetainOnlySHA256OfCerts) { 1944 uint8_t *cert_der = NULL; 1945 int cert_der_len = i2d_X509(cert_.get(), &cert_der); 1946 ASSERT_GE(cert_der_len, 0); 1947 bssl::UniquePtr<uint8_t> free_cert_der(cert_der); 1948 1949 uint8_t cert_sha256[SHA256_DIGEST_LENGTH]; 1950 SHA256(cert_der, cert_der_len, cert_sha256); 1951 1952 ASSERT_TRUE(UseCertAndKey(client_ctx_.get())); 1953 1954 // Configure both client and server to accept any certificate, but the 1955 // server must retain only the SHA-256 of the peer. 1956 SSL_CTX_set_verify(client_ctx_.get(), 1957 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 1958 nullptr); 1959 SSL_CTX_set_verify(server_ctx_.get(), 1960 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 1961 nullptr); 1962 SSL_CTX_set_cert_verify_callback(client_ctx_.get(), VerifySucceed, NULL); 1963 SSL_CTX_set_cert_verify_callback(server_ctx_.get(), VerifySucceed, NULL); 1964 SSL_CTX_set_retain_only_sha256_of_client_certs(server_ctx_.get(), 1); 1965 1966 ASSERT_TRUE(Connect()); 1967 1968 // The peer certificate has been dropped. 1969 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(server_.get())); 1970 EXPECT_FALSE(peer); 1971 1972 SSL_SESSION *session = SSL_get_session(server_.get()); 1973 EXPECT_TRUE(SSL_SESSION_has_peer_sha256(session)); 1974 1975 const uint8_t *peer_sha256; 1976 size_t peer_sha256_len; 1977 SSL_SESSION_get0_peer_sha256(session, &peer_sha256, &peer_sha256_len); 1978 EXPECT_EQ(Bytes(cert_sha256), Bytes(peer_sha256, peer_sha256_len)); 1979 } 1980 1981 // Tests that our ClientHellos do not change unexpectedly. These are purely 1982 // change detection tests. If they fail as part of an intentional ClientHello 1983 // change, update the test vector. 1984 TEST(SSLTest, ClientHello) { 1985 struct { 1986 uint16_t max_version; 1987 std::vector<uint8_t> expected; 1988 } kTests[] = { 1989 {TLS1_VERSION, 1990 {0x16, 0x03, 0x01, 0x00, 0x5a, 0x01, 0x00, 0x00, 0x56, 0x03, 0x01, 0x00, 1991 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1992 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1993 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0e, 0xc0, 0x09, 1994 0xc0, 0x13, 0xc0, 0x0a, 0xc0, 0x14, 0x00, 0x2f, 0x00, 0x35, 0x00, 0x0a, 1995 0x01, 0x00, 0x00, 0x1f, 0x00, 0x17, 0x00, 0x00, 0xff, 0x01, 0x00, 0x01, 1996 0x00, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 1997 0x18, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00}}, 1998 {TLS1_1_VERSION, 1999 {0x16, 0x03, 0x01, 0x00, 0x5a, 0x01, 0x00, 0x00, 0x56, 0x03, 0x02, 0x00, 2000 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2001 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2002 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0e, 0xc0, 0x09, 2003 0xc0, 0x13, 0xc0, 0x0a, 0xc0, 0x14, 0x00, 0x2f, 0x00, 0x35, 0x00, 0x0a, 2004 0x01, 0x00, 0x00, 0x1f, 0x00, 0x17, 0x00, 0x00, 0xff, 0x01, 0x00, 0x01, 2005 0x00, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 2006 0x18, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00}}, 2007 {TLS1_2_VERSION, 2008 {0x16, 0x03, 0x01, 0x00, 0x82, 0x01, 0x00, 0x00, 0x7e, 0x03, 0x03, 0x00, 2009 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2010 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2011 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1e, 0xcc, 0xa9, 2012 0xcc, 0xa8, 0xc0, 0x2b, 0xc0, 0x2f, 0xc0, 0x2c, 0xc0, 0x30, 0xc0, 0x09, 2013 0xc0, 0x13, 0xc0, 0x0a, 0xc0, 0x14, 0x00, 0x9c, 0x00, 0x9d, 0x00, 0x2f, 2014 0x00, 0x35, 0x00, 0x0a, 0x01, 0x00, 0x00, 0x37, 0x00, 0x17, 0x00, 0x00, 2015 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 2016 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 2017 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x14, 0x00, 0x12, 0x04, 0x03, 0x08, 2018 0x04, 0x04, 0x01, 0x05, 0x03, 0x08, 0x05, 0x05, 0x01, 0x08, 0x06, 0x06, 2019 0x01, 0x02, 0x01}}, 2020 // TODO(davidben): Add a change detector for TLS 1.3 once the spec and our 2021 // implementation has settled enough that it won't change. 2022 }; 2023 2024 for (const auto &t : kTests) { 2025 SCOPED_TRACE(t.max_version); 2026 2027 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method())); 2028 ASSERT_TRUE(ctx); 2029 // Our default cipher list varies by CPU capabilities, so manually place the 2030 // ChaCha20 ciphers in front. 2031 const char *cipher_list = "CHACHA20:ALL"; 2032 ASSERT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), t.max_version)); 2033 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(ctx.get(), cipher_list)); 2034 2035 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get())); 2036 ASSERT_TRUE(ssl); 2037 std::vector<uint8_t> client_hello; 2038 ASSERT_TRUE(GetClientHello(ssl.get(), &client_hello)); 2039 2040 // Zero the client_random. 2041 constexpr size_t kRandomOffset = 1 + 2 + 2 + // record header 2042 1 + 3 + // handshake message header 2043 2; // client_version 2044 ASSERT_GE(client_hello.size(), kRandomOffset + SSL3_RANDOM_SIZE); 2045 OPENSSL_memset(client_hello.data() + kRandomOffset, 0, SSL3_RANDOM_SIZE); 2046 2047 if (client_hello != t.expected) { 2048 ADD_FAILURE() << "ClientHellos did not match."; 2049 // Print the value manually so it is easier to update the test vector. 2050 for (size_t i = 0; i < client_hello.size(); i += 12) { 2051 printf(" %c", i == 0 ? '{' : ' '); 2052 for (size_t j = i; j < client_hello.size() && j < i + 12; j++) { 2053 if (j > i) { 2054 printf(" "); 2055 } 2056 printf("0x%02x", client_hello[j]); 2057 if (j < client_hello.size() - 1) { 2058 printf(","); 2059 } 2060 } 2061 if (i + 12 >= client_hello.size()) { 2062 printf("}},"); 2063 } 2064 printf("\n"); 2065 } 2066 } 2067 } 2068 } 2069 2070 static bssl::UniquePtr<SSL_SESSION> g_last_session; 2071 2072 static int SaveLastSession(SSL *ssl, SSL_SESSION *session) { 2073 // Save the most recent session. 2074 g_last_session.reset(session); 2075 return 1; 2076 } 2077 2078 static bssl::UniquePtr<SSL_SESSION> CreateClientSession( 2079 SSL_CTX *client_ctx, SSL_CTX *server_ctx, 2080 const ClientConfig &config = ClientConfig()) { 2081 g_last_session = nullptr; 2082 SSL_CTX_sess_set_new_cb(client_ctx, SaveLastSession); 2083 2084 // Connect client and server to get a session. 2085 bssl::UniquePtr<SSL> client, server; 2086 if (!ConnectClientAndServer(&client, &server, client_ctx, server_ctx, 2087 config)) { 2088 fprintf(stderr, "Failed to connect client and server.\n"); 2089 return nullptr; 2090 } 2091 2092 // Run the read loop to account for post-handshake tickets in TLS 1.3. 2093 SSL_read(client.get(), nullptr, 0); 2094 2095 SSL_CTX_sess_set_new_cb(client_ctx, nullptr); 2096 2097 if (!g_last_session) { 2098 fprintf(stderr, "Client did not receive a session.\n"); 2099 return nullptr; 2100 } 2101 return std::move(g_last_session); 2102 } 2103 2104 static void ExpectSessionReused(SSL_CTX *client_ctx, SSL_CTX *server_ctx, 2105 SSL_SESSION *session, bool want_reused) { 2106 bssl::UniquePtr<SSL> client, server; 2107 ClientConfig config; 2108 config.session = session; 2109 EXPECT_TRUE( 2110 ConnectClientAndServer(&client, &server, client_ctx, server_ctx, config)); 2111 2112 EXPECT_EQ(SSL_session_reused(client.get()), SSL_session_reused(server.get())); 2113 2114 bool was_reused = !!SSL_session_reused(client.get()); 2115 EXPECT_EQ(was_reused, want_reused); 2116 } 2117 2118 static bssl::UniquePtr<SSL_SESSION> ExpectSessionRenewed(SSL_CTX *client_ctx, 2119 SSL_CTX *server_ctx, 2120 SSL_SESSION *session) { 2121 g_last_session = nullptr; 2122 SSL_CTX_sess_set_new_cb(client_ctx, SaveLastSession); 2123 2124 bssl::UniquePtr<SSL> client, server; 2125 ClientConfig config; 2126 config.session = session; 2127 if (!ConnectClientAndServer(&client, &server, client_ctx, server_ctx, 2128 config)) { 2129 fprintf(stderr, "Failed to connect client and server.\n"); 2130 return nullptr; 2131 } 2132 2133 if (SSL_session_reused(client.get()) != SSL_session_reused(server.get())) { 2134 fprintf(stderr, "Client and server were inconsistent.\n"); 2135 return nullptr; 2136 } 2137 2138 if (!SSL_session_reused(client.get())) { 2139 fprintf(stderr, "Session was not reused.\n"); 2140 return nullptr; 2141 } 2142 2143 // Run the read loop to account for post-handshake tickets in TLS 1.3. 2144 SSL_read(client.get(), nullptr, 0); 2145 2146 SSL_CTX_sess_set_new_cb(client_ctx, nullptr); 2147 2148 if (!g_last_session) { 2149 fprintf(stderr, "Client did not receive a renewed session.\n"); 2150 return nullptr; 2151 } 2152 return std::move(g_last_session); 2153 } 2154 2155 static void ExpectTicketKeyChanged(SSL_CTX *ctx, uint8_t *inout_key, 2156 bool changed) { 2157 uint8_t new_key[kTicketKeyLen]; 2158 // May return 0, 1 or 48. 2159 ASSERT_EQ(SSL_CTX_get_tlsext_ticket_keys(ctx, new_key, kTicketKeyLen), 1); 2160 if (changed) { 2161 ASSERT_NE(Bytes(inout_key, kTicketKeyLen), Bytes(new_key)); 2162 } else { 2163 ASSERT_EQ(Bytes(inout_key, kTicketKeyLen), Bytes(new_key)); 2164 } 2165 OPENSSL_memcpy(inout_key, new_key, kTicketKeyLen); 2166 } 2167 2168 static int SwitchSessionIDContextSNI(SSL *ssl, int *out_alert, void *arg) { 2169 static const uint8_t kContext[] = {3}; 2170 2171 if (!SSL_set_session_id_context(ssl, kContext, sizeof(kContext))) { 2172 return SSL_TLSEXT_ERR_ALERT_FATAL; 2173 } 2174 2175 return SSL_TLSEXT_ERR_OK; 2176 } 2177 2178 TEST_P(SSLVersionTest, SessionIDContext) { 2179 static const uint8_t kContext1[] = {1}; 2180 static const uint8_t kContext2[] = {2}; 2181 2182 ASSERT_TRUE(SSL_CTX_set_session_id_context(server_ctx_.get(), kContext1, 2183 sizeof(kContext1))); 2184 2185 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH); 2186 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH); 2187 2188 bssl::UniquePtr<SSL_SESSION> session = 2189 CreateClientSession(client_ctx_.get(), server_ctx_.get()); 2190 ASSERT_TRUE(session); 2191 2192 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(), 2193 session.get(), 2194 true /* expect session reused */)); 2195 2196 // Change the session ID context. 2197 ASSERT_TRUE(SSL_CTX_set_session_id_context(server_ctx_.get(), kContext2, 2198 sizeof(kContext2))); 2199 2200 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(), 2201 session.get(), 2202 false /* expect session not reused */)); 2203 2204 // Change the session ID context back and install an SNI callback to switch 2205 // it. 2206 ASSERT_TRUE(SSL_CTX_set_session_id_context(server_ctx_.get(), kContext1, 2207 sizeof(kContext1))); 2208 2209 SSL_CTX_set_tlsext_servername_callback(server_ctx_.get(), 2210 SwitchSessionIDContextSNI); 2211 2212 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(), 2213 session.get(), 2214 false /* expect session not reused */)); 2215 2216 // Switch the session ID context with the early callback instead. 2217 SSL_CTX_set_tlsext_servername_callback(server_ctx_.get(), nullptr); 2218 SSL_CTX_set_select_certificate_cb( 2219 server_ctx_.get(), 2220 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t { 2221 static const uint8_t kContext[] = {3}; 2222 2223 if (!SSL_set_session_id_context(client_hello->ssl, kContext, 2224 sizeof(kContext))) { 2225 return ssl_select_cert_error; 2226 } 2227 2228 return ssl_select_cert_success; 2229 }); 2230 2231 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(), 2232 session.get(), 2233 false /* expect session not reused */)); 2234 } 2235 2236 static timeval g_current_time; 2237 2238 static void CurrentTimeCallback(const SSL *ssl, timeval *out_clock) { 2239 *out_clock = g_current_time; 2240 } 2241 2242 static void FrozenTimeCallback(const SSL *ssl, timeval *out_clock) { 2243 out_clock->tv_sec = 1000; 2244 out_clock->tv_usec = 0; 2245 } 2246 2247 static int RenewTicketCallback(SSL *ssl, uint8_t *key_name, uint8_t *iv, 2248 EVP_CIPHER_CTX *ctx, HMAC_CTX *hmac_ctx, 2249 int encrypt) { 2250 static const uint8_t kZeros[16] = {0}; 2251 2252 if (encrypt) { 2253 OPENSSL_memcpy(key_name, kZeros, sizeof(kZeros)); 2254 RAND_bytes(iv, 16); 2255 } else if (OPENSSL_memcmp(key_name, kZeros, 16) != 0) { 2256 return 0; 2257 } 2258 2259 if (!HMAC_Init_ex(hmac_ctx, kZeros, sizeof(kZeros), EVP_sha256(), NULL) || 2260 !EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, kZeros, iv, encrypt)) { 2261 return -1; 2262 } 2263 2264 // Returning two from the callback in decrypt mode renews the 2265 // session in TLS 1.2 and below. 2266 return encrypt ? 1 : 2; 2267 } 2268 2269 static bool GetServerTicketTime(long *out, const SSL_SESSION *session) { 2270 const uint8_t *ticket; 2271 size_t ticket_len; 2272 SSL_SESSION_get0_ticket(session, &ticket, &ticket_len); 2273 if (ticket_len < 16 + 16 + SHA256_DIGEST_LENGTH) { 2274 return false; 2275 } 2276 2277 const uint8_t *ciphertext = ticket + 16 + 16; 2278 size_t len = ticket_len - 16 - 16 - SHA256_DIGEST_LENGTH; 2279 std::unique_ptr<uint8_t[]> plaintext(new uint8_t[len]); 2280 2281 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE) 2282 // Fuzzer-mode tickets are unencrypted. 2283 OPENSSL_memcpy(plaintext.get(), ciphertext, len); 2284 #else 2285 static const uint8_t kZeros[16] = {0}; 2286 const uint8_t *iv = ticket + 16; 2287 bssl::ScopedEVP_CIPHER_CTX ctx; 2288 int len1, len2; 2289 if (!EVP_DecryptInit_ex(ctx.get(), EVP_aes_128_cbc(), nullptr, kZeros, iv) || 2290 !EVP_DecryptUpdate(ctx.get(), plaintext.get(), &len1, ciphertext, len) || 2291 !EVP_DecryptFinal_ex(ctx.get(), plaintext.get() + len1, &len2)) { 2292 return false; 2293 } 2294 2295 len = static_cast<size_t>(len1 + len2); 2296 #endif 2297 2298 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method())); 2299 if (!ssl_ctx) { 2300 return false; 2301 } 2302 bssl::UniquePtr<SSL_SESSION> server_session( 2303 SSL_SESSION_from_bytes(plaintext.get(), len, ssl_ctx.get())); 2304 if (!server_session) { 2305 return false; 2306 } 2307 2308 *out = SSL_SESSION_get_time(server_session.get()); 2309 return true; 2310 } 2311 2312 TEST_P(SSLVersionTest, SessionTimeout) { 2313 for (bool server_test : {false, true}) { 2314 SCOPED_TRACE(server_test); 2315 2316 ResetContexts(); 2317 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH); 2318 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH); 2319 2320 static const time_t kStartTime = 1000; 2321 g_current_time.tv_sec = kStartTime; 2322 2323 // We are willing to use a longer lifetime for TLS 1.3 sessions as 2324 // resumptions still perform ECDHE. 2325 const time_t timeout = version() == TLS1_3_VERSION 2326 ? SSL_DEFAULT_SESSION_PSK_DHE_TIMEOUT 2327 : SSL_DEFAULT_SESSION_TIMEOUT; 2328 2329 // Both client and server must enforce session timeouts. We configure the 2330 // other side with a frozen clock so it never expires tickets. 2331 if (server_test) { 2332 SSL_CTX_set_current_time_cb(client_ctx_.get(), FrozenTimeCallback); 2333 SSL_CTX_set_current_time_cb(server_ctx_.get(), CurrentTimeCallback); 2334 } else { 2335 SSL_CTX_set_current_time_cb(client_ctx_.get(), CurrentTimeCallback); 2336 SSL_CTX_set_current_time_cb(server_ctx_.get(), FrozenTimeCallback); 2337 } 2338 2339 // Configure a ticket callback which renews tickets. 2340 SSL_CTX_set_tlsext_ticket_key_cb(server_ctx_.get(), RenewTicketCallback); 2341 2342 bssl::UniquePtr<SSL_SESSION> session = 2343 CreateClientSession(client_ctx_.get(), server_ctx_.get()); 2344 ASSERT_TRUE(session); 2345 2346 // Advance the clock just behind the timeout. 2347 g_current_time.tv_sec += timeout - 1; 2348 2349 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(), 2350 session.get(), 2351 true /* expect session reused */)); 2352 2353 // Advance the clock one more second. 2354 g_current_time.tv_sec++; 2355 2356 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(), 2357 session.get(), 2358 false /* expect session not reused */)); 2359 2360 // Rewind the clock to before the session was minted. 2361 g_current_time.tv_sec = kStartTime - 1; 2362 2363 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(), 2364 session.get(), 2365 false /* expect session not reused */)); 2366 2367 // Renew the session 10 seconds before expiration. 2368 time_t new_start_time = kStartTime + timeout - 10; 2369 g_current_time.tv_sec = new_start_time; 2370 bssl::UniquePtr<SSL_SESSION> new_session = ExpectSessionRenewed( 2371 client_ctx_.get(), server_ctx_.get(), session.get()); 2372 ASSERT_TRUE(new_session); 2373 2374 // This new session is not the same object as before. 2375 EXPECT_NE(session.get(), new_session.get()); 2376 2377 // Check the sessions have timestamps measured from issuance. 2378 long session_time = 0; 2379 if (server_test) { 2380 ASSERT_TRUE(GetServerTicketTime(&session_time, new_session.get())); 2381 } else { 2382 session_time = SSL_SESSION_get_time(new_session.get()); 2383 } 2384 2385 ASSERT_EQ(session_time, g_current_time.tv_sec); 2386 2387 if (version() == TLS1_3_VERSION) { 2388 // Renewal incorporates fresh key material in TLS 1.3, so we extend the 2389 // lifetime TLS 1.3. 2390 g_current_time.tv_sec = new_start_time + timeout - 1; 2391 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(), 2392 new_session.get(), 2393 true /* expect session reused */)); 2394 2395 // The new session expires after the new timeout. 2396 g_current_time.tv_sec = new_start_time + timeout + 1; 2397 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(), 2398 new_session.get(), 2399 false /* expect session ot reused */)); 2400 2401 // Renew the session until it begins just past the auth timeout. 2402 time_t auth_end_time = kStartTime + SSL_DEFAULT_SESSION_AUTH_TIMEOUT; 2403 while (new_start_time < auth_end_time - 1000) { 2404 // Get as close as possible to target start time. 2405 new_start_time = 2406 std::min(auth_end_time - 1000, new_start_time + timeout - 1); 2407 g_current_time.tv_sec = new_start_time; 2408 new_session = ExpectSessionRenewed(client_ctx_.get(), server_ctx_.get(), 2409 new_session.get()); 2410 ASSERT_TRUE(new_session); 2411 } 2412 2413 // Now the session's lifetime is bound by the auth timeout. 2414 g_current_time.tv_sec = auth_end_time - 1; 2415 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(), 2416 new_session.get(), 2417 true /* expect session reused */)); 2418 2419 g_current_time.tv_sec = auth_end_time + 1; 2420 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(), 2421 new_session.get(), 2422 false /* expect session ot reused */)); 2423 } else { 2424 // The new session is usable just before the old expiration. 2425 g_current_time.tv_sec = kStartTime + timeout - 1; 2426 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(), 2427 new_session.get(), 2428 true /* expect session reused */)); 2429 2430 // Renewal does not extend the lifetime, so it is not usable beyond the 2431 // old expiration. 2432 g_current_time.tv_sec = kStartTime + timeout + 1; 2433 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(), 2434 new_session.get(), 2435 false /* expect session not reused */)); 2436 } 2437 } 2438 } 2439 2440 TEST_P(SSLVersionTest, DefaultTicketKeyInitialization) { 2441 static const uint8_t kZeroKey[kTicketKeyLen] = {}; 2442 uint8_t ticket_key[kTicketKeyLen]; 2443 ASSERT_EQ(1, SSL_CTX_get_tlsext_ticket_keys(server_ctx_.get(), ticket_key, 2444 kTicketKeyLen)); 2445 ASSERT_NE(0, OPENSSL_memcmp(ticket_key, kZeroKey, kTicketKeyLen)); 2446 } 2447 2448 TEST_P(SSLVersionTest, DefaultTicketKeyRotation) { 2449 static const time_t kStartTime = 1001; 2450 g_current_time.tv_sec = kStartTime; 2451 2452 // We use session reuse as a proxy for ticket decryption success, hence 2453 // disable session timeouts. 2454 SSL_CTX_set_timeout(server_ctx_.get(), std::numeric_limits<uint32_t>::max()); 2455 SSL_CTX_set_session_psk_dhe_timeout(server_ctx_.get(), 2456 std::numeric_limits<uint32_t>::max()); 2457 2458 SSL_CTX_set_current_time_cb(client_ctx_.get(), FrozenTimeCallback); 2459 SSL_CTX_set_current_time_cb(server_ctx_.get(), CurrentTimeCallback); 2460 2461 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH); 2462 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_OFF); 2463 2464 // Initialize ticket_key with the current key and check that it was 2465 // initialized to something, not all zeros. 2466 uint8_t ticket_key[kTicketKeyLen] = {0}; 2467 TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key, 2468 true /* changed */)); 2469 2470 // Verify ticket resumption actually works. 2471 bssl::UniquePtr<SSL> client, server; 2472 bssl::UniquePtr<SSL_SESSION> session = 2473 CreateClientSession(client_ctx_.get(), server_ctx_.get()); 2474 ASSERT_TRUE(session); 2475 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(), 2476 session.get(), true /* reused */)); 2477 2478 // Advance time to just before key rotation. 2479 g_current_time.tv_sec += SSL_DEFAULT_TICKET_KEY_ROTATION_INTERVAL - 1; 2480 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(), 2481 session.get(), true /* reused */)); 2482 TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key, 2483 false /* NOT changed */)); 2484 2485 // Force key rotation. 2486 g_current_time.tv_sec += 1; 2487 bssl::UniquePtr<SSL_SESSION> new_session = 2488 CreateClientSession(client_ctx_.get(), server_ctx_.get()); 2489 TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key, 2490 true /* changed */)); 2491 2492 // Resumption with both old and new ticket should work. 2493 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(), 2494 session.get(), true /* reused */)); 2495 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(), 2496 new_session.get(), true /* reused */)); 2497 TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key, 2498 false /* NOT changed */)); 2499 2500 // Force key rotation again. Resumption with the old ticket now fails. 2501 g_current_time.tv_sec += SSL_DEFAULT_TICKET_KEY_ROTATION_INTERVAL; 2502 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(), 2503 session.get(), false /* NOT reused */)); 2504 TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key, 2505 true /* changed */)); 2506 2507 // But resumption with the newer session still works. 2508 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(), 2509 new_session.get(), true /* reused */)); 2510 } 2511 2512 static int SwitchContext(SSL *ssl, int *out_alert, void *arg) { 2513 SSL_CTX *ctx = reinterpret_cast<SSL_CTX *>(arg); 2514 SSL_set_SSL_CTX(ssl, ctx); 2515 return SSL_TLSEXT_ERR_OK; 2516 } 2517 2518 TEST_P(SSLVersionTest, SNICallback) { 2519 bssl::UniquePtr<X509> cert2 = GetECDSATestCertificate(); 2520 ASSERT_TRUE(cert2); 2521 bssl::UniquePtr<EVP_PKEY> key2 = GetECDSATestKey(); 2522 ASSERT_TRUE(key2); 2523 2524 // Test that switching the |SSL_CTX| at the SNI callback behaves correctly. 2525 static const uint16_t kECDSAWithSHA256 = SSL_SIGN_ECDSA_SECP256R1_SHA256; 2526 2527 static const uint8_t kSCTList[] = {0, 6, 0, 4, 5, 6, 7, 8}; 2528 static const uint8_t kOCSPResponse[] = {1, 2, 3, 4}; 2529 2530 bssl::UniquePtr<SSL_CTX> server_ctx2 = CreateContext(); 2531 ASSERT_TRUE(server_ctx2); 2532 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx2.get(), cert2.get())); 2533 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx2.get(), key2.get())); 2534 ASSERT_TRUE(SSL_CTX_set_signed_cert_timestamp_list( 2535 server_ctx2.get(), kSCTList, sizeof(kSCTList))); 2536 ASSERT_TRUE(SSL_CTX_set_ocsp_response(server_ctx2.get(), kOCSPResponse, 2537 sizeof(kOCSPResponse))); 2538 // Historically signing preferences would be lost in some cases with the 2539 // SNI callback, which triggers the TLS 1.2 SHA-1 default. To ensure 2540 // this doesn't happen when |version| is TLS 1.2, configure the private 2541 // key to only sign SHA-256. 2542 ASSERT_TRUE(SSL_CTX_set_signing_algorithm_prefs(server_ctx2.get(), 2543 &kECDSAWithSHA256, 1)); 2544 2545 SSL_CTX_set_tlsext_servername_callback(server_ctx_.get(), SwitchContext); 2546 SSL_CTX_set_tlsext_servername_arg(server_ctx_.get(), server_ctx2.get()); 2547 2548 SSL_CTX_enable_signed_cert_timestamps(client_ctx_.get()); 2549 SSL_CTX_enable_ocsp_stapling(client_ctx_.get()); 2550 2551 ASSERT_TRUE(Connect()); 2552 2553 // The client should have received |cert2|. 2554 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(client_.get())); 2555 ASSERT_TRUE(peer); 2556 EXPECT_EQ(X509_cmp(peer.get(), cert2.get()), 0); 2557 2558 // The client should have received |server_ctx2|'s SCT list. 2559 const uint8_t *data; 2560 size_t len; 2561 SSL_get0_signed_cert_timestamp_list(client_.get(), &data, &len); 2562 EXPECT_EQ(Bytes(kSCTList), Bytes(data, len)); 2563 2564 // The client should have received |server_ctx2|'s OCSP response. 2565 SSL_get0_ocsp_response(client_.get(), &data, &len); 2566 EXPECT_EQ(Bytes(kOCSPResponse), Bytes(data, len)); 2567 } 2568 2569 // Test that the early callback can swap the maximum version. 2570 TEST(SSLTest, EarlyCallbackVersionSwitch) { 2571 bssl::UniquePtr<X509> cert = GetTestCertificate(); 2572 bssl::UniquePtr<EVP_PKEY> key = GetTestKey(); 2573 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method())); 2574 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method())); 2575 ASSERT_TRUE(cert); 2576 ASSERT_TRUE(key); 2577 ASSERT_TRUE(server_ctx); 2578 ASSERT_TRUE(client_ctx); 2579 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get())); 2580 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get())); 2581 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION)); 2582 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION)); 2583 2584 SSL_CTX_set_select_certificate_cb( 2585 server_ctx.get(), 2586 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t { 2587 if (!SSL_set_max_proto_version(client_hello->ssl, TLS1_2_VERSION)) { 2588 return ssl_select_cert_error; 2589 } 2590 2591 return ssl_select_cert_success; 2592 }); 2593 2594 bssl::UniquePtr<SSL> client, server; 2595 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(), 2596 server_ctx.get())); 2597 EXPECT_EQ(TLS1_2_VERSION, SSL_version(client.get())); 2598 } 2599 2600 TEST(SSLTest, SetVersion) { 2601 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method())); 2602 ASSERT_TRUE(ctx); 2603 2604 // Set valid TLS versions. 2605 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_VERSION)); 2606 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_1_VERSION)); 2607 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_VERSION)); 2608 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_1_VERSION)); 2609 2610 // Invalid TLS versions are rejected. 2611 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), DTLS1_VERSION)); 2612 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0x0200)); 2613 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0x1234)); 2614 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), DTLS1_VERSION)); 2615 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x0200)); 2616 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x1234)); 2617 2618 // Zero is the default version. 2619 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), 0)); 2620 EXPECT_EQ(TLS1_2_VERSION, ctx->conf_max_version); 2621 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), 0)); 2622 EXPECT_EQ(TLS1_VERSION, ctx->conf_min_version); 2623 2624 // TLS 1.3 is available, but not by default. 2625 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_3_VERSION)); 2626 EXPECT_EQ(TLS1_3_VERSION, ctx->conf_max_version); 2627 2628 // SSL 3.0 is not available. 2629 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), SSL3_VERSION)); 2630 2631 ctx.reset(SSL_CTX_new(DTLS_method())); 2632 ASSERT_TRUE(ctx); 2633 2634 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), DTLS1_VERSION)); 2635 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), DTLS1_2_VERSION)); 2636 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), DTLS1_VERSION)); 2637 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), DTLS1_2_VERSION)); 2638 2639 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_VERSION)); 2640 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0xfefe /* DTLS 1.1 */)); 2641 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0xfffe /* DTLS 0.1 */)); 2642 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0x1234)); 2643 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_VERSION)); 2644 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0xfefe /* DTLS 1.1 */)); 2645 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0xfffe /* DTLS 0.1 */)); 2646 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x1234)); 2647 2648 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), 0)); 2649 EXPECT_EQ(TLS1_2_VERSION, ctx->conf_max_version); 2650 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), 0)); 2651 EXPECT_EQ(TLS1_1_VERSION, ctx->conf_min_version); 2652 } 2653 2654 static const char *GetVersionName(uint16_t version) { 2655 switch (version) { 2656 case TLS1_VERSION: 2657 return "TLSv1"; 2658 case TLS1_1_VERSION: 2659 return "TLSv1.1"; 2660 case TLS1_2_VERSION: 2661 return "TLSv1.2"; 2662 case TLS1_3_VERSION: 2663 return "TLSv1.3"; 2664 case DTLS1_VERSION: 2665 return "DTLSv1"; 2666 case DTLS1_2_VERSION: 2667 return "DTLSv1.2"; 2668 default: 2669 return "???"; 2670 } 2671 } 2672 2673 TEST_P(SSLVersionTest, Version) { 2674 ASSERT_TRUE(Connect()); 2675 2676 EXPECT_EQ(SSL_version(client_.get()), version()); 2677 EXPECT_EQ(SSL_version(server_.get()), version()); 2678 2679 // Test the version name is reported as expected. 2680 const char *version_name = GetVersionName(version()); 2681 EXPECT_EQ(strcmp(version_name, SSL_get_version(client_.get())), 0); 2682 EXPECT_EQ(strcmp(version_name, SSL_get_version(server_.get())), 0); 2683 2684 // Test SSL_SESSION reports the same name. 2685 const char *client_name = 2686 SSL_SESSION_get_version(SSL_get_session(client_.get())); 2687 const char *server_name = 2688 SSL_SESSION_get_version(SSL_get_session(server_.get())); 2689 EXPECT_EQ(strcmp(version_name, client_name), 0); 2690 EXPECT_EQ(strcmp(version_name, server_name), 0); 2691 } 2692 2693 // Tests that that |SSL_get_pending_cipher| is available during the ALPN 2694 // selection callback. 2695 TEST_P(SSLVersionTest, ALPNCipherAvailable) { 2696 ASSERT_TRUE(UseCertAndKey(client_ctx_.get())); 2697 2698 static const uint8_t kALPNProtos[] = {0x03, 'f', 'o', 'o'}; 2699 ASSERT_EQ(SSL_CTX_set_alpn_protos(client_ctx_.get(), kALPNProtos, 2700 sizeof(kALPNProtos)), 2701 0); 2702 2703 // The ALPN callback does not fail the handshake on error, so have the 2704 // callback write a boolean. 2705 std::pair<uint16_t, bool> callback_state(version(), false); 2706 SSL_CTX_set_alpn_select_cb( 2707 server_ctx_.get(), 2708 [](SSL *ssl, const uint8_t **out, uint8_t *out_len, const uint8_t *in, 2709 unsigned in_len, void *arg) -> int { 2710 auto state = reinterpret_cast<std::pair<uint16_t, bool> *>(arg); 2711 if (SSL_get_pending_cipher(ssl) != nullptr && 2712 SSL_version(ssl) == state->first) { 2713 state->second = true; 2714 } 2715 return SSL_TLSEXT_ERR_NOACK; 2716 }, 2717 &callback_state); 2718 2719 ASSERT_TRUE(Connect()); 2720 2721 ASSERT_TRUE(callback_state.second); 2722 } 2723 2724 TEST_P(SSLVersionTest, SSLClearSessionResumption) { 2725 // Skip this for TLS 1.3. TLS 1.3's ticket mechanism is incompatible with this 2726 // API pattern. 2727 if (version() == TLS1_3_VERSION) { 2728 return; 2729 } 2730 2731 shed_handshake_config_ = false; 2732 ASSERT_TRUE(Connect()); 2733 2734 EXPECT_FALSE(SSL_session_reused(client_.get())); 2735 EXPECT_FALSE(SSL_session_reused(server_.get())); 2736 2737 // Reset everything. 2738 ASSERT_TRUE(SSL_clear(client_.get())); 2739 ASSERT_TRUE(SSL_clear(server_.get())); 2740 2741 // Attempt to connect a second time. 2742 ASSERT_TRUE(CompleteHandshakes(client_.get(), server_.get())); 2743 2744 // |SSL_clear| should implicitly offer the previous session to the server. 2745 EXPECT_TRUE(SSL_session_reused(client_.get())); 2746 EXPECT_TRUE(SSL_session_reused(server_.get())); 2747 } 2748 2749 TEST_P(SSLVersionTest, SSLClearFailsWithShedding) { 2750 shed_handshake_config_ = false; 2751 ASSERT_TRUE(Connect()); 2752 ASSERT_TRUE(CompleteHandshakes(client_.get(), server_.get())); 2753 2754 // Reset everything. 2755 ASSERT_TRUE(SSL_clear(client_.get())); 2756 ASSERT_TRUE(SSL_clear(server_.get())); 2757 2758 // Now enable shedding, and connect a second time. 2759 shed_handshake_config_ = true; 2760 ASSERT_TRUE(Connect()); 2761 ASSERT_TRUE(CompleteHandshakes(client_.get(), server_.get())); 2762 2763 // |SSL_clear| should now fail. 2764 ASSERT_FALSE(SSL_clear(client_.get())); 2765 ASSERT_FALSE(SSL_clear(server_.get())); 2766 } 2767 2768 static bool ChainsEqual(STACK_OF(X509) * chain, 2769 const std::vector<X509 *> &expected) { 2770 if (sk_X509_num(chain) != expected.size()) { 2771 return false; 2772 } 2773 2774 for (size_t i = 0; i < expected.size(); i++) { 2775 if (X509_cmp(sk_X509_value(chain, i), expected[i]) != 0) { 2776 return false; 2777 } 2778 } 2779 2780 return true; 2781 } 2782 2783 TEST_P(SSLVersionTest, AutoChain) { 2784 cert_ = GetChainTestCertificate(); 2785 ASSERT_TRUE(cert_); 2786 key_ = GetChainTestKey(); 2787 ASSERT_TRUE(key_); 2788 bssl::UniquePtr<X509> intermediate = GetChainTestIntermediate(); 2789 ASSERT_TRUE(intermediate); 2790 2791 ASSERT_TRUE(UseCertAndKey(client_ctx_.get())); 2792 ASSERT_TRUE(UseCertAndKey(server_ctx_.get())); 2793 2794 // Configure both client and server to accept any certificate. Add 2795 // |intermediate| to the cert store. 2796 ASSERT_TRUE(X509_STORE_add_cert(SSL_CTX_get_cert_store(client_ctx_.get()), 2797 intermediate.get())); 2798 ASSERT_TRUE(X509_STORE_add_cert(SSL_CTX_get_cert_store(server_ctx_.get()), 2799 intermediate.get())); 2800 SSL_CTX_set_verify(client_ctx_.get(), 2801 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 2802 nullptr); 2803 SSL_CTX_set_verify(server_ctx_.get(), 2804 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 2805 nullptr); 2806 SSL_CTX_set_cert_verify_callback(client_ctx_.get(), VerifySucceed, NULL); 2807 SSL_CTX_set_cert_verify_callback(server_ctx_.get(), VerifySucceed, NULL); 2808 2809 // By default, the client and server should each only send the leaf. 2810 ASSERT_TRUE(Connect()); 2811 2812 EXPECT_TRUE( 2813 ChainsEqual(SSL_get_peer_full_cert_chain(client_.get()), {cert_.get()})); 2814 EXPECT_TRUE( 2815 ChainsEqual(SSL_get_peer_full_cert_chain(server_.get()), {cert_.get()})); 2816 2817 // If auto-chaining is enabled, then the intermediate is sent. 2818 SSL_CTX_clear_mode(client_ctx_.get(), SSL_MODE_NO_AUTO_CHAIN); 2819 SSL_CTX_clear_mode(server_ctx_.get(), SSL_MODE_NO_AUTO_CHAIN); 2820 ASSERT_TRUE(Connect()); 2821 2822 EXPECT_TRUE(ChainsEqual(SSL_get_peer_full_cert_chain(client_.get()), 2823 {cert_.get(), intermediate.get()})); 2824 EXPECT_TRUE(ChainsEqual(SSL_get_peer_full_cert_chain(server_.get()), 2825 {cert_.get(), intermediate.get()})); 2826 2827 // Auto-chaining does not override explicitly-configured intermediates. 2828 ASSERT_TRUE(SSL_CTX_add1_chain_cert(client_ctx_.get(), cert_.get())); 2829 ASSERT_TRUE(SSL_CTX_add1_chain_cert(server_ctx_.get(), cert_.get())); 2830 ASSERT_TRUE(Connect()); 2831 2832 EXPECT_TRUE(ChainsEqual(SSL_get_peer_full_cert_chain(client_.get()), 2833 {cert_.get(), cert_.get()})); 2834 2835 EXPECT_TRUE(ChainsEqual(SSL_get_peer_full_cert_chain(server_.get()), 2836 {cert_.get(), cert_.get()})); 2837 } 2838 2839 static bool ExpectBadWriteRetry() { 2840 int err = ERR_get_error(); 2841 if (ERR_GET_LIB(err) != ERR_LIB_SSL || 2842 ERR_GET_REASON(err) != SSL_R_BAD_WRITE_RETRY) { 2843 char buf[ERR_ERROR_STRING_BUF_LEN]; 2844 ERR_error_string_n(err, buf, sizeof(buf)); 2845 fprintf(stderr, "Wanted SSL_R_BAD_WRITE_RETRY, got: %s.\n", buf); 2846 return false; 2847 } 2848 2849 if (ERR_peek_error() != 0) { 2850 fprintf(stderr, "Unexpected error following SSL_R_BAD_WRITE_RETRY.\n"); 2851 return false; 2852 } 2853 2854 return true; 2855 } 2856 2857 TEST_P(SSLVersionTest, SSLWriteRetry) { 2858 if (is_dtls()) { 2859 return; 2860 } 2861 2862 for (bool enable_partial_write : {false, true}) { 2863 SCOPED_TRACE(enable_partial_write); 2864 2865 // Connect a client and server. 2866 ASSERT_TRUE(UseCertAndKey(client_ctx_.get())); 2867 2868 ASSERT_TRUE(Connect()); 2869 2870 if (enable_partial_write) { 2871 SSL_set_mode(client_.get(), SSL_MODE_ENABLE_PARTIAL_WRITE); 2872 } 2873 2874 // Write without reading until the buffer is full and we have an unfinished 2875 // write. Keep a count so we may reread it again later. "hello!" will be 2876 // written in two chunks, "hello" and "!". 2877 char data[] = "hello!"; 2878 static const int kChunkLen = 5; // The length of "hello". 2879 unsigned count = 0; 2880 for (;;) { 2881 int ret = SSL_write(client_.get(), data, kChunkLen); 2882 if (ret <= 0) { 2883 ASSERT_EQ(SSL_get_error(client_.get(), ret), SSL_ERROR_WANT_WRITE); 2884 break; 2885 } 2886 2887 ASSERT_EQ(ret, 5); 2888 2889 count++; 2890 } 2891 2892 // Retrying with the same parameters is legal. 2893 ASSERT_EQ( 2894 SSL_get_error(client_.get(), SSL_write(client_.get(), data, kChunkLen)), 2895 SSL_ERROR_WANT_WRITE); 2896 2897 // Retrying with the same buffer but shorter length is not legal. 2898 ASSERT_EQ(SSL_get_error(client_.get(), 2899 SSL_write(client_.get(), data, kChunkLen - 1)), 2900 SSL_ERROR_SSL); 2901 ASSERT_TRUE(ExpectBadWriteRetry()); 2902 2903 // Retrying with a different buffer pointer is not legal. 2904 char data2[] = "hello"; 2905 ASSERT_EQ(SSL_get_error(client_.get(), 2906 SSL_write(client_.get(), data2, kChunkLen)), 2907 SSL_ERROR_SSL); 2908 ASSERT_TRUE(ExpectBadWriteRetry()); 2909 2910 // With |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER|, the buffer may move. 2911 SSL_set_mode(client_.get(), SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); 2912 ASSERT_EQ(SSL_get_error(client_.get(), 2913 SSL_write(client_.get(), data2, kChunkLen)), 2914 SSL_ERROR_WANT_WRITE); 2915 2916 // |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER| does not disable length checks. 2917 ASSERT_EQ(SSL_get_error(client_.get(), 2918 SSL_write(client_.get(), data2, kChunkLen - 1)), 2919 SSL_ERROR_SSL); 2920 ASSERT_TRUE(ExpectBadWriteRetry()); 2921 2922 // Retrying with a larger buffer is legal. 2923 ASSERT_EQ(SSL_get_error(client_.get(), 2924 SSL_write(client_.get(), data, kChunkLen + 1)), 2925 SSL_ERROR_WANT_WRITE); 2926 2927 // Drain the buffer. 2928 char buf[20]; 2929 for (unsigned i = 0; i < count; i++) { 2930 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen); 2931 ASSERT_EQ(OPENSSL_memcmp(buf, "hello", kChunkLen), 0); 2932 } 2933 2934 // Now that there is space, a retry with a larger buffer should flush the 2935 // pending record, skip over that many bytes of input (on assumption they 2936 // are the same), and write the remainder. If SSL_MODE_ENABLE_PARTIAL_WRITE 2937 // is set, this will complete in two steps. 2938 char data3[] = "_____!"; 2939 if (enable_partial_write) { 2940 ASSERT_EQ(SSL_write(client_.get(), data3, kChunkLen + 1), kChunkLen); 2941 ASSERT_EQ(SSL_write(client_.get(), data3 + kChunkLen, 1), 1); 2942 } else { 2943 ASSERT_EQ(SSL_write(client_.get(), data3, kChunkLen + 1), kChunkLen + 1); 2944 } 2945 2946 // Check the last write was correct. The data will be spread over two 2947 // records, so SSL_read returns twice. 2948 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen); 2949 ASSERT_EQ(OPENSSL_memcmp(buf, "hello", kChunkLen), 0); 2950 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), 1); 2951 ASSERT_EQ(buf[0], '!'); 2952 } 2953 } 2954 2955 TEST_P(SSLVersionTest, RecordCallback) { 2956 for (bool test_server : {true, false}) { 2957 SCOPED_TRACE(test_server); 2958 ResetContexts(); 2959 2960 bool read_seen = false; 2961 bool write_seen = false; 2962 auto cb = [&](int is_write, int cb_version, int cb_type, const void *buf, 2963 size_t len, SSL *ssl) { 2964 if (cb_type != SSL3_RT_HEADER) { 2965 return; 2966 } 2967 2968 // The callback does not report a version for records. 2969 EXPECT_EQ(0, cb_version); 2970 2971 if (is_write) { 2972 write_seen = true; 2973 } else { 2974 read_seen = true; 2975 } 2976 2977 // Sanity-check that the record header is plausible. 2978 CBS cbs; 2979 CBS_init(&cbs, reinterpret_cast<const uint8_t *>(buf), len); 2980 uint8_t type; 2981 uint16_t record_version, length; 2982 ASSERT_TRUE(CBS_get_u8(&cbs, &type)); 2983 ASSERT_TRUE(CBS_get_u16(&cbs, &record_version)); 2984 EXPECT_EQ(record_version & 0xff00, version() & 0xff00); 2985 if (is_dtls()) { 2986 uint16_t epoch; 2987 ASSERT_TRUE(CBS_get_u16(&cbs, &epoch)); 2988 EXPECT_TRUE(epoch == 0 || epoch == 1) << "Invalid epoch: " << epoch; 2989 ASSERT_TRUE(CBS_skip(&cbs, 6)); 2990 } 2991 ASSERT_TRUE(CBS_get_u16(&cbs, &length)); 2992 EXPECT_EQ(0u, CBS_len(&cbs)); 2993 }; 2994 using CallbackType = decltype(cb); 2995 SSL_CTX *ctx = test_server ? server_ctx_.get() : client_ctx_.get(); 2996 SSL_CTX_set_msg_callback( 2997 ctx, [](int is_write, int cb_version, int cb_type, const void *buf, 2998 size_t len, SSL *ssl, void *arg) { 2999 CallbackType *cb_ptr = reinterpret_cast<CallbackType *>(arg); 3000 (*cb_ptr)(is_write, cb_version, cb_type, buf, len, ssl); 3001 }); 3002 SSL_CTX_set_msg_callback_arg(ctx, &cb); 3003 3004 ASSERT_TRUE(Connect()); 3005 3006 EXPECT_TRUE(read_seen); 3007 EXPECT_TRUE(write_seen); 3008 } 3009 } 3010 3011 TEST_P(SSLVersionTest, GetServerName) { 3012 ClientConfig config; 3013 config.servername = "host1"; 3014 3015 SSL_CTX_set_tlsext_servername_callback( 3016 server_ctx_.get(), [](SSL *ssl, int *out_alert, void *arg) -> int { 3017 // During the handshake, |SSL_get_servername| must match |config|. 3018 ClientConfig *config_p = reinterpret_cast<ClientConfig *>(arg); 3019 EXPECT_STREQ(config_p->servername.c_str(), 3020 SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name)); 3021 return SSL_TLSEXT_ERR_OK; 3022 }); 3023 SSL_CTX_set_tlsext_servername_arg(server_ctx_.get(), &config); 3024 3025 ASSERT_TRUE(Connect(config)); 3026 // After the handshake, it must also be available. 3027 EXPECT_STREQ(config.servername.c_str(), 3028 SSL_get_servername(server_.get(), TLSEXT_NAMETYPE_host_name)); 3029 3030 // Establish a session under host1. 3031 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH); 3032 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH); 3033 bssl::UniquePtr<SSL_SESSION> session = 3034 CreateClientSession(client_ctx_.get(), server_ctx_.get(), config); 3035 3036 // If the client resumes a session with a different name, |SSL_get_servername| 3037 // must return the new name. 3038 ASSERT_TRUE(session); 3039 config.session = session.get(); 3040 config.servername = "host2"; 3041 ASSERT_TRUE(Connect(config)); 3042 EXPECT_STREQ(config.servername.c_str(), 3043 SSL_get_servername(server_.get(), TLSEXT_NAMETYPE_host_name)); 3044 } 3045 3046 // Test that session cache mode bits are honored in the client session callback. 3047 TEST_P(SSLVersionTest, ClientSessionCacheMode) { 3048 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_OFF); 3049 EXPECT_FALSE(CreateClientSession(client_ctx_.get(), server_ctx_.get())); 3050 3051 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_CLIENT); 3052 EXPECT_TRUE(CreateClientSession(client_ctx_.get(), server_ctx_.get())); 3053 3054 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_SERVER); 3055 EXPECT_FALSE(CreateClientSession(client_ctx_.get(), server_ctx_.get())); 3056 } 3057 3058 TEST(SSLTest, AddChainCertHack) { 3059 // Ensure that we don't accidently break the hack that we have in place to 3060 // keep curl and serf happy when they use an |X509| even after transfering 3061 // ownership. 3062 3063 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method())); 3064 ASSERT_TRUE(ctx); 3065 X509 *cert = GetTestCertificate().release(); 3066 ASSERT_TRUE(cert); 3067 SSL_CTX_add0_chain_cert(ctx.get(), cert); 3068 3069 // This should not trigger a use-after-free. 3070 X509_cmp(cert, cert); 3071 } 3072 3073 TEST(SSLTest, GetCertificate) { 3074 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method())); 3075 ASSERT_TRUE(ctx); 3076 bssl::UniquePtr<X509> cert = GetTestCertificate(); 3077 ASSERT_TRUE(cert); 3078 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), cert.get())); 3079 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get())); 3080 ASSERT_TRUE(ssl); 3081 3082 X509 *cert2 = SSL_CTX_get0_certificate(ctx.get()); 3083 ASSERT_TRUE(cert2); 3084 X509 *cert3 = SSL_get_certificate(ssl.get()); 3085 ASSERT_TRUE(cert3); 3086 3087 // The old and new certificates must be identical. 3088 EXPECT_EQ(0, X509_cmp(cert.get(), cert2)); 3089 EXPECT_EQ(0, X509_cmp(cert.get(), cert3)); 3090 3091 uint8_t *der = nullptr; 3092 long der_len = i2d_X509(cert.get(), &der); 3093 ASSERT_LT(0, der_len); 3094 bssl::UniquePtr<uint8_t> free_der(der); 3095 3096 uint8_t *der2 = nullptr; 3097 long der2_len = i2d_X509(cert2, &der2); 3098 ASSERT_LT(0, der2_len); 3099 bssl::UniquePtr<uint8_t> free_der2(der2); 3100 3101 uint8_t *der3 = nullptr; 3102 long der3_len = i2d_X509(cert3, &der3); 3103 ASSERT_LT(0, der3_len); 3104 bssl::UniquePtr<uint8_t> free_der3(der3); 3105 3106 // They must also encode identically. 3107 EXPECT_EQ(Bytes(der, der_len), Bytes(der2, der2_len)); 3108 EXPECT_EQ(Bytes(der, der_len), Bytes(der3, der3_len)); 3109 } 3110 3111 TEST(SSLTest, SetChainAndKeyMismatch) { 3112 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_with_buffers_method())); 3113 ASSERT_TRUE(ctx); 3114 3115 bssl::UniquePtr<EVP_PKEY> key = GetTestKey(); 3116 ASSERT_TRUE(key); 3117 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer(); 3118 ASSERT_TRUE(leaf); 3119 std::vector<CRYPTO_BUFFER*> chain = { 3120 leaf.get(), 3121 }; 3122 3123 // Should fail because |GetTestKey| doesn't match the chain-test certificate. 3124 ASSERT_FALSE(SSL_CTX_set_chain_and_key(ctx.get(), &chain[0], chain.size(), 3125 key.get(), nullptr)); 3126 ERR_clear_error(); 3127 } 3128 3129 TEST(SSLTest, SetChainAndKey) { 3130 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method())); 3131 ASSERT_TRUE(client_ctx); 3132 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_with_buffers_method())); 3133 ASSERT_TRUE(server_ctx); 3134 3135 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey(); 3136 ASSERT_TRUE(key); 3137 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer(); 3138 ASSERT_TRUE(leaf); 3139 bssl::UniquePtr<CRYPTO_BUFFER> intermediate = 3140 GetChainTestIntermediateBuffer(); 3141 ASSERT_TRUE(intermediate); 3142 std::vector<CRYPTO_BUFFER*> chain = { 3143 leaf.get(), intermediate.get(), 3144 }; 3145 ASSERT_TRUE(SSL_CTX_set_chain_and_key(server_ctx.get(), &chain[0], 3146 chain.size(), key.get(), nullptr)); 3147 3148 SSL_CTX_set_custom_verify( 3149 client_ctx.get(), SSL_VERIFY_PEER, 3150 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t { 3151 return ssl_verify_ok; 3152 }); 3153 3154 bssl::UniquePtr<SSL> client, server; 3155 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(), 3156 server_ctx.get())); 3157 } 3158 3159 TEST(SSLTest, BuffersFailWithoutCustomVerify) { 3160 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method())); 3161 ASSERT_TRUE(client_ctx); 3162 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_with_buffers_method())); 3163 ASSERT_TRUE(server_ctx); 3164 3165 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey(); 3166 ASSERT_TRUE(key); 3167 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer(); 3168 ASSERT_TRUE(leaf); 3169 std::vector<CRYPTO_BUFFER*> chain = { leaf.get() }; 3170 ASSERT_TRUE(SSL_CTX_set_chain_and_key(server_ctx.get(), &chain[0], 3171 chain.size(), key.get(), nullptr)); 3172 3173 // Without SSL_CTX_set_custom_verify(), i.e. with everything in the default 3174 // configuration, certificate verification should fail. 3175 bssl::UniquePtr<SSL> client, server; 3176 ASSERT_FALSE(ConnectClientAndServer(&client, &server, client_ctx.get(), 3177 server_ctx.get())); 3178 3179 // Whereas with a verifier, the connection should succeed. 3180 SSL_CTX_set_custom_verify( 3181 client_ctx.get(), SSL_VERIFY_PEER, 3182 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t { 3183 return ssl_verify_ok; 3184 }); 3185 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(), 3186 server_ctx.get())); 3187 } 3188 3189 TEST(SSLTest, CustomVerify) { 3190 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method())); 3191 ASSERT_TRUE(client_ctx); 3192 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_with_buffers_method())); 3193 ASSERT_TRUE(server_ctx); 3194 3195 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey(); 3196 ASSERT_TRUE(key); 3197 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer(); 3198 ASSERT_TRUE(leaf); 3199 std::vector<CRYPTO_BUFFER*> chain = { leaf.get() }; 3200 ASSERT_TRUE(SSL_CTX_set_chain_and_key(server_ctx.get(), &chain[0], 3201 chain.size(), key.get(), nullptr)); 3202 3203 SSL_CTX_set_custom_verify( 3204 client_ctx.get(), SSL_VERIFY_PEER, 3205 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t { 3206 return ssl_verify_ok; 3207 }); 3208 3209 bssl::UniquePtr<SSL> client, server; 3210 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(), 3211 server_ctx.get())); 3212 3213 // With SSL_VERIFY_PEER, ssl_verify_invalid should result in a dropped 3214 // connection. 3215 SSL_CTX_set_custom_verify( 3216 client_ctx.get(), SSL_VERIFY_PEER, 3217 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t { 3218 return ssl_verify_invalid; 3219 }); 3220 3221 ASSERT_FALSE(ConnectClientAndServer(&client, &server, client_ctx.get(), 3222 server_ctx.get())); 3223 3224 // But with SSL_VERIFY_NONE, ssl_verify_invalid should not cause a dropped 3225 // connection. 3226 SSL_CTX_set_custom_verify( 3227 client_ctx.get(), SSL_VERIFY_NONE, 3228 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t { 3229 return ssl_verify_invalid; 3230 }); 3231 3232 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(), 3233 server_ctx.get())); 3234 } 3235 3236 TEST(SSLTest, ClientCABuffers) { 3237 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method())); 3238 ASSERT_TRUE(client_ctx); 3239 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_with_buffers_method())); 3240 ASSERT_TRUE(server_ctx); 3241 3242 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey(); 3243 ASSERT_TRUE(key); 3244 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer(); 3245 ASSERT_TRUE(leaf); 3246 bssl::UniquePtr<CRYPTO_BUFFER> intermediate = 3247 GetChainTestIntermediateBuffer(); 3248 ASSERT_TRUE(intermediate); 3249 std::vector<CRYPTO_BUFFER *> chain = { 3250 leaf.get(), 3251 intermediate.get(), 3252 }; 3253 ASSERT_TRUE(SSL_CTX_set_chain_and_key(server_ctx.get(), &chain[0], 3254 chain.size(), key.get(), nullptr)); 3255 3256 bssl::UniquePtr<CRYPTO_BUFFER> ca_name( 3257 CRYPTO_BUFFER_new(kTestName, sizeof(kTestName), nullptr)); 3258 ASSERT_TRUE(ca_name); 3259 bssl::UniquePtr<STACK_OF(CRYPTO_BUFFER)> ca_names( 3260 sk_CRYPTO_BUFFER_new_null()); 3261 ASSERT_TRUE(ca_names); 3262 ASSERT_TRUE(PushToStack(ca_names.get(), std::move(ca_name))); 3263 SSL_CTX_set0_client_CAs(server_ctx.get(), ca_names.release()); 3264 3265 // Configure client and server to accept all certificates. 3266 SSL_CTX_set_custom_verify( 3267 client_ctx.get(), SSL_VERIFY_PEER, 3268 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t { 3269 return ssl_verify_ok; 3270 }); 3271 SSL_CTX_set_custom_verify( 3272 server_ctx.get(), SSL_VERIFY_PEER, 3273 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t { 3274 return ssl_verify_ok; 3275 }); 3276 3277 bool cert_cb_called = false; 3278 SSL_CTX_set_cert_cb( 3279 client_ctx.get(), 3280 [](SSL *ssl, void *arg) -> int { 3281 const STACK_OF(CRYPTO_BUFFER) *peer_names = 3282 SSL_get0_server_requested_CAs(ssl); 3283 EXPECT_EQ(1u, sk_CRYPTO_BUFFER_num(peer_names)); 3284 CRYPTO_BUFFER *peer_name = sk_CRYPTO_BUFFER_value(peer_names, 0); 3285 EXPECT_EQ(Bytes(kTestName), Bytes(CRYPTO_BUFFER_data(peer_name), 3286 CRYPTO_BUFFER_len(peer_name))); 3287 *reinterpret_cast<bool *>(arg) = true; 3288 return 1; 3289 }, 3290 &cert_cb_called); 3291 3292 bssl::UniquePtr<SSL> client, server; 3293 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(), 3294 server_ctx.get())); 3295 EXPECT_TRUE(cert_cb_called); 3296 } 3297 3298 // Configuring the empty cipher list, though an error, should still modify the 3299 // configuration. 3300 TEST(SSLTest, EmptyCipherList) { 3301 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method())); 3302 ASSERT_TRUE(ctx); 3303 3304 // Initially, the cipher list is not empty. 3305 EXPECT_NE(0u, sk_SSL_CIPHER_num(SSL_CTX_get_ciphers(ctx.get()))); 3306 3307 // Configuring the empty cipher list fails. 3308 EXPECT_FALSE(SSL_CTX_set_cipher_list(ctx.get(), "")); 3309 ERR_clear_error(); 3310 3311 // But the cipher list is still updated to empty. 3312 EXPECT_EQ(0u, sk_SSL_CIPHER_num(SSL_CTX_get_ciphers(ctx.get()))); 3313 } 3314 3315 // ssl_test_ticket_aead_failure_mode enumerates the possible ways in which the 3316 // test |SSL_TICKET_AEAD_METHOD| can fail. 3317 enum ssl_test_ticket_aead_failure_mode { 3318 ssl_test_ticket_aead_ok = 0, 3319 ssl_test_ticket_aead_seal_fail, 3320 ssl_test_ticket_aead_open_soft_fail, 3321 ssl_test_ticket_aead_open_hard_fail, 3322 }; 3323 3324 struct ssl_test_ticket_aead_state { 3325 unsigned retry_count; 3326 ssl_test_ticket_aead_failure_mode failure_mode; 3327 }; 3328 3329 static int ssl_test_ticket_aead_ex_index_dup(CRYPTO_EX_DATA *to, 3330 const CRYPTO_EX_DATA *from, 3331 void **from_d, int index, 3332 long argl, void *argp) { 3333 abort(); 3334 } 3335 3336 static void ssl_test_ticket_aead_ex_index_free(void *parent, void *ptr, 3337 CRYPTO_EX_DATA *ad, int index, 3338 long argl, void *argp) { 3339 auto state = reinterpret_cast<ssl_test_ticket_aead_state*>(ptr); 3340 if (state == nullptr) { 3341 return; 3342 } 3343 3344 OPENSSL_free(state); 3345 } 3346 3347 static CRYPTO_once_t g_ssl_test_ticket_aead_ex_index_once = CRYPTO_ONCE_INIT; 3348 static int g_ssl_test_ticket_aead_ex_index; 3349 3350 static int ssl_test_ticket_aead_get_ex_index() { 3351 CRYPTO_once(&g_ssl_test_ticket_aead_ex_index_once, [] { 3352 g_ssl_test_ticket_aead_ex_index = SSL_get_ex_new_index( 3353 0, nullptr, nullptr, ssl_test_ticket_aead_ex_index_dup, 3354 ssl_test_ticket_aead_ex_index_free); 3355 }); 3356 return g_ssl_test_ticket_aead_ex_index; 3357 } 3358 3359 static size_t ssl_test_ticket_aead_max_overhead(SSL *ssl) { 3360 return 1; 3361 } 3362 3363 static int ssl_test_ticket_aead_seal(SSL *ssl, uint8_t *out, size_t *out_len, 3364 size_t max_out_len, const uint8_t *in, 3365 size_t in_len) { 3366 auto state = reinterpret_cast<ssl_test_ticket_aead_state *>( 3367 SSL_get_ex_data(ssl, ssl_test_ticket_aead_get_ex_index())); 3368 3369 if (state->failure_mode == ssl_test_ticket_aead_seal_fail || 3370 max_out_len < in_len + 1) { 3371 return 0; 3372 } 3373 3374 OPENSSL_memmove(out, in, in_len); 3375 out[in_len] = 0xff; 3376 *out_len = in_len + 1; 3377 3378 return 1; 3379 } 3380 3381 static ssl_ticket_aead_result_t ssl_test_ticket_aead_open( 3382 SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out_len, 3383 const uint8_t *in, size_t in_len) { 3384 auto state = reinterpret_cast<ssl_test_ticket_aead_state *>( 3385 SSL_get_ex_data(ssl, ssl_test_ticket_aead_get_ex_index())); 3386 3387 if (state->retry_count > 0) { 3388 state->retry_count--; 3389 return ssl_ticket_aead_retry; 3390 } 3391 3392 switch (state->failure_mode) { 3393 case ssl_test_ticket_aead_ok: 3394 break; 3395 case ssl_test_ticket_aead_seal_fail: 3396 // If |seal| failed then there shouldn't be any ticket to try and 3397 // decrypt. 3398 abort(); 3399 break; 3400 case ssl_test_ticket_aead_open_soft_fail: 3401 return ssl_ticket_aead_ignore_ticket; 3402 case ssl_test_ticket_aead_open_hard_fail: 3403 return ssl_ticket_aead_error; 3404 } 3405 3406 if (in_len == 0 || in[in_len - 1] != 0xff) { 3407 return ssl_ticket_aead_ignore_ticket; 3408 } 3409 3410 if (max_out_len < in_len - 1) { 3411 return ssl_ticket_aead_error; 3412 } 3413 3414 OPENSSL_memmove(out, in, in_len - 1); 3415 *out_len = in_len - 1; 3416 return ssl_ticket_aead_success; 3417 } 3418 3419 static const SSL_TICKET_AEAD_METHOD kSSLTestTicketMethod = { 3420 ssl_test_ticket_aead_max_overhead, 3421 ssl_test_ticket_aead_seal, 3422 ssl_test_ticket_aead_open, 3423 }; 3424 3425 static void ConnectClientAndServerWithTicketMethod( 3426 bssl::UniquePtr<SSL> *out_client, bssl::UniquePtr<SSL> *out_server, 3427 SSL_CTX *client_ctx, SSL_CTX *server_ctx, unsigned retry_count, 3428 ssl_test_ticket_aead_failure_mode failure_mode, SSL_SESSION *session) { 3429 bssl::UniquePtr<SSL> client(SSL_new(client_ctx)), server(SSL_new(server_ctx)); 3430 ASSERT_TRUE(client); 3431 ASSERT_TRUE(server); 3432 SSL_set_connect_state(client.get()); 3433 SSL_set_accept_state(server.get()); 3434 3435 auto state = reinterpret_cast<ssl_test_ticket_aead_state *>( 3436 OPENSSL_malloc(sizeof(ssl_test_ticket_aead_state))); 3437 ASSERT_TRUE(state); 3438 OPENSSL_memset(state, 0, sizeof(ssl_test_ticket_aead_state)); 3439 state->retry_count = retry_count; 3440 state->failure_mode = failure_mode; 3441 3442 ASSERT_TRUE(SSL_set_ex_data(server.get(), ssl_test_ticket_aead_get_ex_index(), 3443 state)); 3444 3445 SSL_set_session(client.get(), session); 3446 3447 BIO *bio1, *bio2; 3448 ASSERT_TRUE(BIO_new_bio_pair(&bio1, 0, &bio2, 0)); 3449 3450 // SSL_set_bio takes ownership. 3451 SSL_set_bio(client.get(), bio1, bio1); 3452 SSL_set_bio(server.get(), bio2, bio2); 3453 3454 if (CompleteHandshakes(client.get(), server.get())) { 3455 *out_client = std::move(client); 3456 *out_server = std::move(server); 3457 } else { 3458 out_client->reset(); 3459 out_server->reset(); 3460 } 3461 } 3462 3463 using TicketAEADMethodParam = 3464 testing::tuple<uint16_t, unsigned, ssl_test_ticket_aead_failure_mode>; 3465 3466 class TicketAEADMethodTest 3467 : public ::testing::TestWithParam<TicketAEADMethodParam> {}; 3468 3469 TEST_P(TicketAEADMethodTest, Resume) { 3470 bssl::UniquePtr<X509> cert = GetTestCertificate(); 3471 ASSERT_TRUE(cert); 3472 bssl::UniquePtr<EVP_PKEY> key = GetTestKey(); 3473 ASSERT_TRUE(key); 3474 3475 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method())); 3476 ASSERT_TRUE(server_ctx); 3477 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method())); 3478 ASSERT_TRUE(client_ctx); 3479 3480 const uint16_t version = testing::get<0>(GetParam()); 3481 const unsigned retry_count = testing::get<1>(GetParam()); 3482 const ssl_test_ticket_aead_failure_mode failure_mode = 3483 testing::get<2>(GetParam()); 3484 3485 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get())); 3486 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get())); 3487 ASSERT_TRUE(SSL_CTX_set_min_proto_version(client_ctx.get(), version)); 3488 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), version)); 3489 ASSERT_TRUE(SSL_CTX_set_min_proto_version(server_ctx.get(), version)); 3490 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), version)); 3491 3492 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH); 3493 SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH); 3494 SSL_CTX_set_current_time_cb(client_ctx.get(), FrozenTimeCallback); 3495 SSL_CTX_set_current_time_cb(server_ctx.get(), FrozenTimeCallback); 3496 SSL_CTX_sess_set_new_cb(client_ctx.get(), SaveLastSession); 3497 3498 SSL_CTX_set_ticket_aead_method(server_ctx.get(), &kSSLTestTicketMethod); 3499 3500 bssl::UniquePtr<SSL> client, server; 3501 ConnectClientAndServerWithTicketMethod(&client, &server, client_ctx.get(), 3502 server_ctx.get(), retry_count, 3503 failure_mode, nullptr); 3504 switch (failure_mode) { 3505 case ssl_test_ticket_aead_ok: 3506 case ssl_test_ticket_aead_open_hard_fail: 3507 case ssl_test_ticket_aead_open_soft_fail: 3508 ASSERT_TRUE(client); 3509 break; 3510 case ssl_test_ticket_aead_seal_fail: 3511 EXPECT_FALSE(client); 3512 return; 3513 } 3514 EXPECT_FALSE(SSL_session_reused(client.get())); 3515 EXPECT_FALSE(SSL_session_reused(server.get())); 3516 3517 // Run the read loop to account for post-handshake tickets in TLS 1.3. 3518 SSL_read(client.get(), nullptr, 0); 3519 3520 bssl::UniquePtr<SSL_SESSION> session = std::move(g_last_session); 3521 ConnectClientAndServerWithTicketMethod(&client, &server, client_ctx.get(), 3522 server_ctx.get(), retry_count, 3523 failure_mode, session.get()); 3524 switch (failure_mode) { 3525 case ssl_test_ticket_aead_ok: 3526 ASSERT_TRUE(client); 3527 EXPECT_TRUE(SSL_session_reused(client.get())); 3528 EXPECT_TRUE(SSL_session_reused(server.get())); 3529 break; 3530 case ssl_test_ticket_aead_seal_fail: 3531 abort(); 3532 break; 3533 case ssl_test_ticket_aead_open_hard_fail: 3534 EXPECT_FALSE(client); 3535 break; 3536 case ssl_test_ticket_aead_open_soft_fail: 3537 ASSERT_TRUE(client); 3538 EXPECT_FALSE(SSL_session_reused(client.get())); 3539 EXPECT_FALSE(SSL_session_reused(server.get())); 3540 } 3541 } 3542 3543 std::string TicketAEADMethodParamToString( 3544 const testing::TestParamInfo<TicketAEADMethodParam> ¶ms) { 3545 std::string ret = GetVersionName(std::get<0>(params.param)); 3546 // GTest only allows alphanumeric characters and '_' in the parameter 3547 // string. Additionally filter out the 'v' to get "TLS13" over "TLSv13". 3548 for (auto it = ret.begin(); it != ret.end();) { 3549 if (*it == '.' || *it == 'v') { 3550 it = ret.erase(it); 3551 } else { 3552 ++it; 3553 } 3554 } 3555 char retry_count[256]; 3556 snprintf(retry_count, sizeof(retry_count), "%d", std::get<1>(params.param)); 3557 ret += "_"; 3558 ret += retry_count; 3559 ret += "Retries_"; 3560 switch (std::get<2>(params.param)) { 3561 case ssl_test_ticket_aead_ok: 3562 ret += "OK"; 3563 break; 3564 case ssl_test_ticket_aead_seal_fail: 3565 ret += "SealFail"; 3566 break; 3567 case ssl_test_ticket_aead_open_soft_fail: 3568 ret += "OpenSoftFail"; 3569 break; 3570 case ssl_test_ticket_aead_open_hard_fail: 3571 ret += "OpenHardFail"; 3572 break; 3573 } 3574 return ret; 3575 } 3576 3577 INSTANTIATE_TEST_CASE_P( 3578 TicketAEADMethodTests, TicketAEADMethodTest, 3579 testing::Combine(testing::Values(TLS1_2_VERSION, TLS1_3_VERSION), 3580 testing::Values(0, 1, 2), 3581 testing::Values(ssl_test_ticket_aead_ok, 3582 ssl_test_ticket_aead_seal_fail, 3583 ssl_test_ticket_aead_open_soft_fail, 3584 ssl_test_ticket_aead_open_hard_fail)), 3585 TicketAEADMethodParamToString); 3586 3587 TEST(SSLTest, SelectNextProto) { 3588 uint8_t *result; 3589 uint8_t result_len; 3590 3591 // If there is an overlap, it should be returned. 3592 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED, 3593 SSL_select_next_proto(&result, &result_len, 3594 (const uint8_t *)"\1a\2bb\3ccc", 9, 3595 (const uint8_t *)"\1x\1y\1a\1z", 8)); 3596 EXPECT_EQ(Bytes("a"), Bytes(result, result_len)); 3597 3598 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED, 3599 SSL_select_next_proto(&result, &result_len, 3600 (const uint8_t *)"\1a\2bb\3ccc", 9, 3601 (const uint8_t *)"\1x\1y\2bb\1z", 9)); 3602 EXPECT_EQ(Bytes("bb"), Bytes(result, result_len)); 3603 3604 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED, 3605 SSL_select_next_proto(&result, &result_len, 3606 (const uint8_t *)"\1a\2bb\3ccc", 9, 3607 (const uint8_t *)"\1x\1y\3ccc\1z", 10)); 3608 EXPECT_EQ(Bytes("ccc"), Bytes(result, result_len)); 3609 3610 // Peer preference order takes precedence over local. 3611 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED, 3612 SSL_select_next_proto(&result, &result_len, 3613 (const uint8_t *)"\1a\2bb\3ccc", 9, 3614 (const uint8_t *)"\3ccc\2bb\1a", 9)); 3615 EXPECT_EQ(Bytes("a"), Bytes(result, result_len)); 3616 3617 // If there is no overlap, return the first local protocol. 3618 EXPECT_EQ(OPENSSL_NPN_NO_OVERLAP, 3619 SSL_select_next_proto(&result, &result_len, 3620 (const uint8_t *)"\1a\2bb\3ccc", 9, 3621 (const uint8_t *)"\1x\2yy\3zzz", 9)); 3622 EXPECT_EQ(Bytes("x"), Bytes(result, result_len)); 3623 3624 EXPECT_EQ(OPENSSL_NPN_NO_OVERLAP, 3625 SSL_select_next_proto(&result, &result_len, nullptr, 0, 3626 (const uint8_t *)"\1x\2yy\3zzz", 9)); 3627 EXPECT_EQ(Bytes("x"), Bytes(result, result_len)); 3628 } 3629 3630 TEST(SSLTest, SealRecord) { 3631 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method())), 3632 server_ctx(SSL_CTX_new(TLS_method())); 3633 ASSERT_TRUE(client_ctx); 3634 ASSERT_TRUE(server_ctx); 3635 3636 bssl::UniquePtr<X509> cert = GetTestCertificate(); 3637 bssl::UniquePtr<EVP_PKEY> key = GetTestKey(); 3638 ASSERT_TRUE(cert); 3639 ASSERT_TRUE(key); 3640 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get())); 3641 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get())); 3642 3643 bssl::UniquePtr<SSL> client, server; 3644 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(), 3645 server_ctx.get())); 3646 3647 const std::vector<uint8_t> record = {1, 2, 3, 4, 5}; 3648 std::vector<uint8_t> prefix( 3649 bssl::SealRecordPrefixLen(client.get(), record.size())), 3650 body(record.size()), 3651 suffix(bssl::SealRecordSuffixLen(client.get(), record.size())); 3652 ASSERT_TRUE(bssl::SealRecord(client.get(), bssl::MakeSpan(prefix), 3653 bssl::MakeSpan(body), bssl::MakeSpan(suffix), 3654 record)); 3655 3656 std::vector<uint8_t> sealed; 3657 sealed.insert(sealed.end(), prefix.begin(), prefix.end()); 3658 sealed.insert(sealed.end(), body.begin(), body.end()); 3659 sealed.insert(sealed.end(), suffix.begin(), suffix.end()); 3660 std::vector<uint8_t> sealed_copy = sealed; 3661 3662 bssl::Span<uint8_t> plaintext; 3663 size_t record_len; 3664 uint8_t alert = 255; 3665 EXPECT_EQ(bssl::OpenRecord(server.get(), &plaintext, &record_len, &alert, 3666 bssl::MakeSpan(sealed)), 3667 bssl::OpenRecordResult::kOK); 3668 EXPECT_EQ(record_len, sealed.size()); 3669 EXPECT_EQ(plaintext, record); 3670 EXPECT_EQ(255, alert); 3671 } 3672 3673 TEST(SSLTest, SealRecordInPlace) { 3674 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method())), 3675 server_ctx(SSL_CTX_new(TLS_method())); 3676 ASSERT_TRUE(client_ctx); 3677 ASSERT_TRUE(server_ctx); 3678 3679 bssl::UniquePtr<X509> cert = GetTestCertificate(); 3680 bssl::UniquePtr<EVP_PKEY> key = GetTestKey(); 3681 ASSERT_TRUE(cert); 3682 ASSERT_TRUE(key); 3683 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get())); 3684 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get())); 3685 3686 bssl::UniquePtr<SSL> client, server; 3687 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(), 3688 server_ctx.get())); 3689 3690 const std::vector<uint8_t> plaintext = {1, 2, 3, 4, 5}; 3691 std::vector<uint8_t> record = plaintext; 3692 std::vector<uint8_t> prefix( 3693 bssl::SealRecordPrefixLen(client.get(), record.size())), 3694 suffix(bssl::SealRecordSuffixLen(client.get(), record.size())); 3695 ASSERT_TRUE(bssl::SealRecord(client.get(), bssl::MakeSpan(prefix), 3696 bssl::MakeSpan(record), bssl::MakeSpan(suffix), 3697 record)); 3698 record.insert(record.begin(), prefix.begin(), prefix.end()); 3699 record.insert(record.end(), suffix.begin(), suffix.end()); 3700 3701 bssl::Span<uint8_t> result; 3702 size_t record_len; 3703 uint8_t alert; 3704 EXPECT_EQ(bssl::OpenRecord(server.get(), &result, &record_len, &alert, 3705 bssl::MakeSpan(record)), 3706 bssl::OpenRecordResult::kOK); 3707 EXPECT_EQ(record_len, record.size()); 3708 EXPECT_EQ(plaintext, result); 3709 } 3710 3711 TEST(SSLTest, SealRecordTrailingData) { 3712 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method())), 3713 server_ctx(SSL_CTX_new(TLS_method())); 3714 ASSERT_TRUE(client_ctx); 3715 ASSERT_TRUE(server_ctx); 3716 3717 bssl::UniquePtr<X509> cert = GetTestCertificate(); 3718 bssl::UniquePtr<EVP_PKEY> key = GetTestKey(); 3719 ASSERT_TRUE(cert); 3720 ASSERT_TRUE(key); 3721 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get())); 3722 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get())); 3723 3724 bssl::UniquePtr<SSL> client, server; 3725 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(), 3726 server_ctx.get())); 3727 3728 const std::vector<uint8_t> plaintext = {1, 2, 3, 4, 5}; 3729 std::vector<uint8_t> record = plaintext; 3730 std::vector<uint8_t> prefix( 3731 bssl::SealRecordPrefixLen(client.get(), record.size())), 3732 suffix(bssl::SealRecordSuffixLen(client.get(), record.size())); 3733 ASSERT_TRUE(bssl::SealRecord(client.get(), bssl::MakeSpan(prefix), 3734 bssl::MakeSpan(record), bssl::MakeSpan(suffix), 3735 record)); 3736 record.insert(record.begin(), prefix.begin(), prefix.end()); 3737 record.insert(record.end(), suffix.begin(), suffix.end()); 3738 record.insert(record.end(), {5, 4, 3, 2, 1}); 3739 3740 bssl::Span<uint8_t> result; 3741 size_t record_len; 3742 uint8_t alert; 3743 EXPECT_EQ(bssl::OpenRecord(server.get(), &result, &record_len, &alert, 3744 bssl::MakeSpan(record)), 3745 bssl::OpenRecordResult::kOK); 3746 EXPECT_EQ(record_len, record.size() - 5); 3747 EXPECT_EQ(plaintext, result); 3748 } 3749 3750 TEST(SSLTest, SealRecordInvalidSpanSize) { 3751 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method())), 3752 server_ctx(SSL_CTX_new(TLS_method())); 3753 ASSERT_TRUE(client_ctx); 3754 ASSERT_TRUE(server_ctx); 3755 3756 bssl::UniquePtr<X509> cert = GetTestCertificate(); 3757 bssl::UniquePtr<EVP_PKEY> key = GetTestKey(); 3758 ASSERT_TRUE(cert); 3759 ASSERT_TRUE(key); 3760 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get())); 3761 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get())); 3762 3763 bssl::UniquePtr<SSL> client, server; 3764 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(), 3765 server_ctx.get())); 3766 3767 std::vector<uint8_t> record = {1, 2, 3, 4, 5}; 3768 std::vector<uint8_t> prefix( 3769 bssl::SealRecordPrefixLen(client.get(), record.size())), 3770 body(record.size()), 3771 suffix(bssl::SealRecordSuffixLen(client.get(), record.size())); 3772 3773 auto expect_err = []() { 3774 int err = ERR_get_error(); 3775 EXPECT_EQ(ERR_GET_LIB(err), ERR_LIB_SSL); 3776 EXPECT_EQ(ERR_GET_REASON(err), SSL_R_BUFFER_TOO_SMALL); 3777 ERR_clear_error(); 3778 }; 3779 EXPECT_FALSE(bssl::SealRecord( 3780 client.get(), bssl::MakeSpan(prefix.data(), prefix.size() - 1), 3781 bssl::MakeSpan(record), bssl::MakeSpan(suffix), record)); 3782 expect_err(); 3783 EXPECT_FALSE(bssl::SealRecord( 3784 client.get(), bssl::MakeSpan(prefix.data(), prefix.size() + 1), 3785 bssl::MakeSpan(record), bssl::MakeSpan(suffix), record)); 3786 expect_err(); 3787 3788 EXPECT_FALSE( 3789 bssl::SealRecord(client.get(), bssl::MakeSpan(prefix), 3790 bssl::MakeSpan(record.data(), record.size() - 1), 3791 bssl::MakeSpan(suffix), record)); 3792 expect_err(); 3793 EXPECT_FALSE( 3794 bssl::SealRecord(client.get(), bssl::MakeSpan(prefix), 3795 bssl::MakeSpan(record.data(), record.size() + 1), 3796 bssl::MakeSpan(suffix), record)); 3797 expect_err(); 3798 3799 EXPECT_FALSE(bssl::SealRecord( 3800 client.get(), bssl::MakeSpan(prefix), bssl::MakeSpan(record), 3801 bssl::MakeSpan(suffix.data(), suffix.size() - 1), record)); 3802 expect_err(); 3803 EXPECT_FALSE(bssl::SealRecord( 3804 client.get(), bssl::MakeSpan(prefix), bssl::MakeSpan(record), 3805 bssl::MakeSpan(suffix.data(), suffix.size() + 1), record)); 3806 expect_err(); 3807 } 3808 3809 // The client should gracefully handle no suitable ciphers being enabled. 3810 TEST(SSLTest, NoCiphersAvailable) { 3811 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method())); 3812 ASSERT_TRUE(ctx); 3813 3814 // Configure |client_ctx| with a cipher list that does not intersect with its 3815 // version configuration. 3816 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list( 3817 ctx.get(), "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256")); 3818 ASSERT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_1_VERSION)); 3819 3820 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get())); 3821 ASSERT_TRUE(ssl); 3822 SSL_set_connect_state(ssl.get()); 3823 3824 UniquePtr<BIO> rbio(BIO_new(BIO_s_mem())), wbio(BIO_new(BIO_s_mem())); 3825 ASSERT_TRUE(rbio); 3826 ASSERT_TRUE(wbio); 3827 SSL_set0_rbio(ssl.get(), rbio.release()); 3828 SSL_set0_wbio(ssl.get(), wbio.release()); 3829 3830 int ret = SSL_do_handshake(ssl.get()); 3831 EXPECT_EQ(-1, ret); 3832 EXPECT_EQ(SSL_ERROR_SSL, SSL_get_error(ssl.get(), ret)); 3833 uint32_t err = ERR_get_error(); 3834 EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err)); 3835 EXPECT_EQ(SSL_R_NO_CIPHERS_AVAILABLE, ERR_GET_REASON(err)); 3836 } 3837 3838 TEST_P(SSLVersionTest, SessionVersion) { 3839 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH); 3840 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH); 3841 3842 bssl::UniquePtr<SSL_SESSION> session = 3843 CreateClientSession(client_ctx_.get(), server_ctx_.get()); 3844 ASSERT_TRUE(session); 3845 EXPECT_EQ(version(), SSL_SESSION_get_protocol_version(session.get())); 3846 3847 // Sessions in TLS 1.3 and later should be single-use. 3848 EXPECT_EQ(version() == TLS1_3_VERSION, 3849 !!SSL_SESSION_should_be_single_use(session.get())); 3850 3851 // Making fake sessions for testing works. 3852 session.reset(SSL_SESSION_new(client_ctx_.get())); 3853 ASSERT_TRUE(session); 3854 ASSERT_TRUE(SSL_SESSION_set_protocol_version(session.get(), version())); 3855 EXPECT_EQ(version(), SSL_SESSION_get_protocol_version(session.get())); 3856 } 3857 3858 TEST_P(SSLVersionTest, SSLPending) { 3859 UniquePtr<SSL> ssl(SSL_new(client_ctx_.get())); 3860 ASSERT_TRUE(ssl); 3861 EXPECT_EQ(0, SSL_pending(ssl.get())); 3862 3863 ASSERT_TRUE(Connect()); 3864 EXPECT_EQ(0, SSL_pending(client_.get())); 3865 3866 ASSERT_EQ(5, SSL_write(server_.get(), "hello", 5)); 3867 ASSERT_EQ(5, SSL_write(server_.get(), "world", 5)); 3868 EXPECT_EQ(0, SSL_pending(client_.get())); 3869 3870 char buf[10]; 3871 ASSERT_EQ(1, SSL_peek(client_.get(), buf, 1)); 3872 EXPECT_EQ(5, SSL_pending(client_.get())); 3873 3874 ASSERT_EQ(1, SSL_read(client_.get(), buf, 1)); 3875 EXPECT_EQ(4, SSL_pending(client_.get())); 3876 3877 ASSERT_EQ(4, SSL_read(client_.get(), buf, 10)); 3878 EXPECT_EQ(0, SSL_pending(client_.get())); 3879 3880 ASSERT_EQ(2, SSL_read(client_.get(), buf, 2)); 3881 EXPECT_EQ(3, SSL_pending(client_.get())); 3882 } 3883 3884 // Test that post-handshake tickets consumed by |SSL_shutdown| are ignored. 3885 TEST(SSLTest, ShutdownIgnoresTickets) { 3886 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method())); 3887 ASSERT_TRUE(ctx); 3888 ASSERT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_3_VERSION)); 3889 ASSERT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_3_VERSION)); 3890 3891 bssl::UniquePtr<X509> cert = GetTestCertificate(); 3892 bssl::UniquePtr<EVP_PKEY> key = GetTestKey(); 3893 ASSERT_TRUE(cert); 3894 ASSERT_TRUE(key); 3895 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), cert.get())); 3896 ASSERT_TRUE(SSL_CTX_use_PrivateKey(ctx.get(), key.get())); 3897 3898 SSL_CTX_set_session_cache_mode(ctx.get(), SSL_SESS_CACHE_BOTH); 3899 3900 bssl::UniquePtr<SSL> client, server; 3901 ASSERT_TRUE(ConnectClientAndServer(&client, &server, ctx.get(), ctx.get())); 3902 3903 SSL_CTX_sess_set_new_cb(ctx.get(), [](SSL *ssl, SSL_SESSION *session) -> int { 3904 ADD_FAILURE() << "New session callback called during SSL_shutdown"; 3905 return 0; 3906 }); 3907 3908 // Send close_notify. 3909 EXPECT_EQ(0, SSL_shutdown(server.get())); 3910 EXPECT_EQ(0, SSL_shutdown(client.get())); 3911 3912 // Receive close_notify. 3913 EXPECT_EQ(1, SSL_shutdown(server.get())); 3914 EXPECT_EQ(1, SSL_shutdown(client.get())); 3915 } 3916 3917 TEST(SSLTest, SignatureAlgorithmProperties) { 3918 EXPECT_EQ(EVP_PKEY_NONE, SSL_get_signature_algorithm_key_type(0x1234)); 3919 EXPECT_EQ(nullptr, SSL_get_signature_algorithm_digest(0x1234)); 3920 EXPECT_FALSE(SSL_is_signature_algorithm_rsa_pss(0x1234)); 3921 3922 EXPECT_EQ(EVP_PKEY_RSA, 3923 SSL_get_signature_algorithm_key_type(SSL_SIGN_RSA_PKCS1_MD5_SHA1)); 3924 EXPECT_EQ(EVP_md5_sha1(), 3925 SSL_get_signature_algorithm_digest(SSL_SIGN_RSA_PKCS1_MD5_SHA1)); 3926 EXPECT_FALSE(SSL_is_signature_algorithm_rsa_pss(SSL_SIGN_RSA_PKCS1_MD5_SHA1)); 3927 3928 EXPECT_EQ(EVP_PKEY_EC, SSL_get_signature_algorithm_key_type( 3929 SSL_SIGN_ECDSA_SECP256R1_SHA256)); 3930 EXPECT_EQ(EVP_sha256(), SSL_get_signature_algorithm_digest( 3931 SSL_SIGN_ECDSA_SECP256R1_SHA256)); 3932 EXPECT_FALSE( 3933 SSL_is_signature_algorithm_rsa_pss(SSL_SIGN_ECDSA_SECP256R1_SHA256)); 3934 3935 EXPECT_EQ(EVP_PKEY_RSA, 3936 SSL_get_signature_algorithm_key_type(SSL_SIGN_RSA_PSS_RSAE_SHA384)); 3937 EXPECT_EQ(EVP_sha384(), 3938 SSL_get_signature_algorithm_digest(SSL_SIGN_RSA_PSS_RSAE_SHA384)); 3939 EXPECT_TRUE(SSL_is_signature_algorithm_rsa_pss(SSL_SIGN_RSA_PSS_RSAE_SHA384)); 3940 } 3941 3942 static int XORCompressFunc(SSL *ssl, CBB *out, const uint8_t *in, 3943 size_t in_len) { 3944 for (size_t i = 0; i < in_len; i++) { 3945 if (!CBB_add_u8(out, in[i] ^ 0x55)) { 3946 return 0; 3947 } 3948 } 3949 3950 SSL_set_app_data(ssl, XORCompressFunc); 3951 3952 return 1; 3953 } 3954 3955 static int XORDecompressFunc(SSL *ssl, CRYPTO_BUFFER **out, 3956 size_t uncompressed_len, const uint8_t *in, 3957 size_t in_len) { 3958 if (in_len != uncompressed_len) { 3959 return 0; 3960 } 3961 3962 uint8_t *data; 3963 *out = CRYPTO_BUFFER_alloc(&data, uncompressed_len); 3964 if (*out == nullptr) { 3965 return 0; 3966 } 3967 3968 for (size_t i = 0; i < in_len; i++) { 3969 data[i] = in[i] ^ 0x55; 3970 } 3971 3972 SSL_set_app_data(ssl, XORDecompressFunc); 3973 3974 return 1; 3975 } 3976 3977 TEST(SSLTest, CertCompression) { 3978 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method())); 3979 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method())); 3980 ASSERT_TRUE(client_ctx); 3981 ASSERT_TRUE(server_ctx); 3982 3983 bssl::UniquePtr<X509> cert = GetTestCertificate(); 3984 bssl::UniquePtr<EVP_PKEY> key = GetTestKey(); 3985 ASSERT_TRUE(cert); 3986 ASSERT_TRUE(key); 3987 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get())); 3988 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get())); 3989 3990 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION)); 3991 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION)); 3992 ASSERT_TRUE(SSL_CTX_add_cert_compression_alg( 3993 client_ctx.get(), 0x1234, XORCompressFunc, XORDecompressFunc)); 3994 ASSERT_TRUE(SSL_CTX_add_cert_compression_alg( 3995 server_ctx.get(), 0x1234, XORCompressFunc, XORDecompressFunc)); 3996 3997 bssl::UniquePtr<SSL> client, server; 3998 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(), 3999 server_ctx.get())); 4000 4001 EXPECT_TRUE(SSL_get_app_data(client.get()) == XORDecompressFunc); 4002 EXPECT_TRUE(SSL_get_app_data(server.get()) == XORCompressFunc); 4003 } 4004 4005 void MoveBIOs(SSL *dest, SSL *src) { 4006 BIO *rbio = SSL_get_rbio(src); 4007 BIO_up_ref(rbio); 4008 SSL_set0_rbio(dest, rbio); 4009 4010 BIO *wbio = SSL_get_wbio(src); 4011 BIO_up_ref(wbio); 4012 SSL_set0_wbio(dest, wbio); 4013 4014 SSL_set0_rbio(src, nullptr); 4015 SSL_set0_wbio(src, nullptr); 4016 } 4017 4018 TEST(SSLTest, Handoff) { 4019 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method())); 4020 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method())); 4021 bssl::UniquePtr<SSL_CTX> handshaker_ctx(SSL_CTX_new(TLS_method())); 4022 ASSERT_TRUE(client_ctx); 4023 ASSERT_TRUE(server_ctx); 4024 ASSERT_TRUE(handshaker_ctx); 4025 4026 SSL_CTX_set_handoff_mode(server_ctx.get(), 1); 4027 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_2_VERSION)); 4028 ASSERT_TRUE( 4029 SSL_CTX_set_max_proto_version(handshaker_ctx.get(), TLS1_2_VERSION)); 4030 4031 bssl::UniquePtr<X509> cert = GetTestCertificate(); 4032 bssl::UniquePtr<EVP_PKEY> key = GetTestKey(); 4033 ASSERT_TRUE(cert); 4034 ASSERT_TRUE(key); 4035 ASSERT_TRUE(SSL_CTX_use_certificate(handshaker_ctx.get(), cert.get())); 4036 ASSERT_TRUE(SSL_CTX_use_PrivateKey(handshaker_ctx.get(), key.get())); 4037 4038 bssl::UniquePtr<SSL> client, server; 4039 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(), 4040 server_ctx.get(), ClientConfig(), 4041 false /* don't handshake */)); 4042 4043 int client_ret = SSL_do_handshake(client.get()); 4044 int client_err = SSL_get_error(client.get(), client_ret); 4045 ASSERT_EQ(client_err, SSL_ERROR_WANT_READ); 4046 4047 int server_ret = SSL_do_handshake(server.get()); 4048 int server_err = SSL_get_error(server.get(), server_ret); 4049 ASSERT_EQ(server_err, SSL_ERROR_HANDOFF); 4050 4051 ScopedCBB cbb; 4052 Array<uint8_t> handoff; 4053 ASSERT_TRUE(CBB_init(cbb.get(), 256)); 4054 ASSERT_TRUE(SSL_serialize_handoff(server.get(), cbb.get())); 4055 ASSERT_TRUE(CBBFinishArray(cbb.get(), &handoff)); 4056 4057 bssl::UniquePtr<SSL> handshaker(SSL_new(handshaker_ctx.get())); 4058 ASSERT_TRUE(SSL_apply_handoff(handshaker.get(), handoff)); 4059 4060 MoveBIOs(handshaker.get(), server.get()); 4061 4062 int handshake_ret = SSL_do_handshake(handshaker.get()); 4063 int handshake_err = SSL_get_error(handshaker.get(), handshake_ret); 4064 ASSERT_EQ(handshake_err, SSL_ERROR_HANDBACK); 4065 4066 // Double-check that additional calls to |SSL_do_handshake| continue 4067 // to get |SSL_ERRROR_HANDBACK|. 4068 handshake_ret = SSL_do_handshake(handshaker.get()); 4069 handshake_err = SSL_get_error(handshaker.get(), handshake_ret); 4070 ASSERT_EQ(handshake_err, SSL_ERROR_HANDBACK); 4071 4072 ScopedCBB cbb_handback; 4073 Array<uint8_t> handback; 4074 ASSERT_TRUE(CBB_init(cbb_handback.get(), 1024)); 4075 ASSERT_TRUE(SSL_serialize_handback(handshaker.get(), cbb_handback.get())); 4076 ASSERT_TRUE(CBBFinishArray(cbb_handback.get(), &handback)); 4077 4078 bssl::UniquePtr<SSL> server2(SSL_new(server_ctx.get())); 4079 ASSERT_TRUE(SSL_apply_handback(server2.get(), handback)); 4080 4081 MoveBIOs(server2.get(), handshaker.get()); 4082 ASSERT_TRUE(CompleteHandshakes(client.get(), server2.get())); 4083 4084 uint8_t byte = 42; 4085 EXPECT_EQ(SSL_write(client.get(), &byte, 1), 1); 4086 EXPECT_EQ(SSL_read(server2.get(), &byte, 1), 1); 4087 EXPECT_EQ(42, byte); 4088 4089 byte = 43; 4090 EXPECT_EQ(SSL_write(server2.get(), &byte, 1), 1); 4091 EXPECT_EQ(SSL_read(client.get(), &byte, 1), 1); 4092 EXPECT_EQ(43, byte); 4093 } 4094 4095 TEST(SSLTest, HandoffDeclined) { 4096 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method())); 4097 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method())); 4098 ASSERT_TRUE(client_ctx); 4099 ASSERT_TRUE(server_ctx); 4100 4101 SSL_CTX_set_handoff_mode(server_ctx.get(), 1); 4102 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_2_VERSION)); 4103 4104 bssl::UniquePtr<X509> cert = GetTestCertificate(); 4105 bssl::UniquePtr<EVP_PKEY> key = GetTestKey(); 4106 ASSERT_TRUE(cert); 4107 ASSERT_TRUE(key); 4108 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get())); 4109 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get())); 4110 4111 bssl::UniquePtr<SSL> client, server; 4112 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(), 4113 server_ctx.get(), ClientConfig(), 4114 false /* don't handshake */)); 4115 4116 int client_ret = SSL_do_handshake(client.get()); 4117 int client_err = SSL_get_error(client.get(), client_ret); 4118 ASSERT_EQ(client_err, SSL_ERROR_WANT_READ); 4119 4120 int server_ret = SSL_do_handshake(server.get()); 4121 int server_err = SSL_get_error(server.get(), server_ret); 4122 ASSERT_EQ(server_err, SSL_ERROR_HANDOFF); 4123 4124 ScopedCBB cbb; 4125 ASSERT_TRUE(CBB_init(cbb.get(), 256)); 4126 ASSERT_TRUE(SSL_serialize_handoff(server.get(), cbb.get())); 4127 4128 ASSERT_TRUE(SSL_decline_handoff(server.get())); 4129 4130 ASSERT_TRUE(CompleteHandshakes(client.get(), server.get())); 4131 4132 uint8_t byte = 42; 4133 EXPECT_EQ(SSL_write(client.get(), &byte, 1), 1); 4134 EXPECT_EQ(SSL_read(server.get(), &byte, 1), 1); 4135 EXPECT_EQ(42, byte); 4136 4137 byte = 43; 4138 EXPECT_EQ(SSL_write(server.get(), &byte, 1), 1); 4139 EXPECT_EQ(SSL_read(client.get(), &byte, 1), 1); 4140 EXPECT_EQ(43, byte); 4141 } 4142 4143 static std::string SigAlgsToString(Span<const uint16_t> sigalgs) { 4144 std::string ret = "{"; 4145 4146 for (uint16_t v : sigalgs) { 4147 if (ret.size() > 1) { 4148 ret += ", "; 4149 } 4150 4151 char buf[8]; 4152 snprintf(buf, sizeof(buf) - 1, "0x%02x", v); 4153 buf[sizeof(buf)-1] = 0; 4154 ret += std::string(buf); 4155 } 4156 4157 ret += "}"; 4158 return ret; 4159 } 4160 4161 void ExpectSigAlgsEqual(Span<const uint16_t> expected, 4162 Span<const uint16_t> actual) { 4163 bool matches = false; 4164 if (expected.size() == actual.size()) { 4165 matches = true; 4166 4167 for (size_t i = 0; i < expected.size(); i++) { 4168 if (expected[i] != actual[i]) { 4169 matches = false; 4170 break; 4171 } 4172 } 4173 } 4174 4175 if (!matches) { 4176 ADD_FAILURE() << "expected: " << SigAlgsToString(expected) 4177 << " got: " << SigAlgsToString(actual); 4178 } 4179 } 4180 4181 TEST(SSLTest, SigAlgs) { 4182 static const struct { 4183 std::vector<int> input; 4184 bool ok; 4185 std::vector<uint16_t> expected; 4186 } kTests[] = { 4187 {{}, true, {}}, 4188 {{1}, false, {}}, 4189 {{1, 2, 3}, false, {}}, 4190 {{NID_sha256, EVP_PKEY_ED25519}, false, {}}, 4191 {{NID_sha256, EVP_PKEY_RSA, NID_sha256, EVP_PKEY_RSA}, false, {}}, 4192 4193 {{NID_sha256, EVP_PKEY_RSA}, true, {SSL_SIGN_RSA_PKCS1_SHA256}}, 4194 {{NID_sha512, EVP_PKEY_RSA}, true, {SSL_SIGN_RSA_PKCS1_SHA512}}, 4195 {{NID_sha256, EVP_PKEY_RSA_PSS}, true, {SSL_SIGN_RSA_PSS_RSAE_SHA256}}, 4196 {{NID_undef, EVP_PKEY_ED25519}, true, {SSL_SIGN_ED25519}}, 4197 {{NID_undef, EVP_PKEY_ED25519, NID_sha384, EVP_PKEY_EC}, 4198 true, 4199 {SSL_SIGN_ED25519, SSL_SIGN_ECDSA_SECP384R1_SHA384}}, 4200 }; 4201 4202 UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method())); 4203 4204 unsigned n = 1; 4205 for (const auto &test : kTests) { 4206 SCOPED_TRACE(n++); 4207 4208 const bool ok = 4209 SSL_CTX_set1_sigalgs(ctx.get(), test.input.data(), test.input.size()); 4210 EXPECT_EQ(ok, test.ok); 4211 4212 if (!ok) { 4213 ERR_clear_error(); 4214 } 4215 4216 if (!test.ok) { 4217 continue; 4218 } 4219 4220 ExpectSigAlgsEqual(test.expected, ctx->cert->sigalgs); 4221 } 4222 } 4223 4224 TEST(SSLTest, SigAlgsList) { 4225 static const struct { 4226 const char *input; 4227 bool ok; 4228 std::vector<uint16_t> expected; 4229 } kTests[] = { 4230 {"", false, {}}, 4231 {":", false, {}}, 4232 {"+", false, {}}, 4233 {"RSA", false, {}}, 4234 {"RSA+", false, {}}, 4235 {"RSA+SHA256:", false, {}}, 4236 {":RSA+SHA256:", false, {}}, 4237 {":RSA+SHA256+:", false, {}}, 4238 {"!", false, {}}, 4239 {"\x01", false, {}}, 4240 {"RSA+SHA256:RSA+SHA384:RSA+SHA256", false, {}}, 4241 {"RSA-PSS+SHA256:rsa_pss_rsae_sha256", false, {}}, 4242 4243 {"RSA+SHA256", true, {SSL_SIGN_RSA_PKCS1_SHA256}}, 4244 {"RSA+SHA256:ed25519", 4245 true, 4246 {SSL_SIGN_RSA_PKCS1_SHA256, SSL_SIGN_ED25519}}, 4247 {"ECDSA+SHA256:RSA+SHA512", 4248 true, 4249 {SSL_SIGN_ECDSA_SECP256R1_SHA256, SSL_SIGN_RSA_PKCS1_SHA512}}, 4250 {"ecdsa_secp256r1_sha256:rsa_pss_rsae_sha256", 4251 true, 4252 {SSL_SIGN_ECDSA_SECP256R1_SHA256, SSL_SIGN_RSA_PSS_RSAE_SHA256}}, 4253 {"RSA-PSS+SHA256", true, {SSL_SIGN_RSA_PSS_RSAE_SHA256}}, 4254 {"PSS+SHA256", true, {SSL_SIGN_RSA_PSS_RSAE_SHA256}}, 4255 }; 4256 4257 UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method())); 4258 4259 unsigned n = 1; 4260 for (const auto &test : kTests) { 4261 SCOPED_TRACE(n++); 4262 4263 const bool ok = SSL_CTX_set1_sigalgs_list(ctx.get(), test.input); 4264 EXPECT_EQ(ok, test.ok); 4265 4266 if (!ok) { 4267 if (test.ok) { 4268 ERR_print_errors_fp(stderr); 4269 } 4270 ERR_clear_error(); 4271 } 4272 4273 if (!test.ok) { 4274 continue; 4275 } 4276 4277 ExpectSigAlgsEqual(test.expected, ctx->cert->sigalgs); 4278 } 4279 } 4280 4281 TEST(SSLTest, ApplyHandoffRemovesUnsupportedCiphers) { 4282 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method())); 4283 bssl::UniquePtr<SSL> server(SSL_new(server_ctx.get())); 4284 4285 // handoff is a handoff message that has been artificially modified to pretend 4286 // that only cipher 0x0A is supported. When it is applied to |server|, all 4287 // ciphers but that one should be removed. 4288 // 4289 // To make a new one of these, try sticking this in the |Handoff| test above: 4290 // 4291 // hexdump(stderr, "", handoff.data(), handoff.size()); 4292 // sed -e 's/\(..\)/0x\1, /g' 4293 // 4294 // and modify serialize_features() to emit only cipher 0x0A. 4295 4296 uint8_t handoff[] = { 4297 0x30, 0x81, 0x9a, 0x02, 0x01, 0x00, 0x04, 0x00, 0x04, 0x81, 0x82, 0x01, 4298 0x00, 0x00, 0x7e, 0x03, 0x03, 0x30, 0x8e, 0x8f, 0x79, 0xd2, 0x87, 0x39, 4299 0xc2, 0x23, 0x23, 0x13, 0xca, 0x3c, 0x80, 0x44, 0xfd, 0x80, 0x83, 0x62, 4300 0x3c, 0xcc, 0xf8, 0x76, 0xd3, 0x62, 0xbb, 0x54, 0xe3, 0xc4, 0x39, 0x24, 4301 0xa5, 0x00, 0x00, 0x1e, 0xc0, 0x2b, 0xc0, 0x2f, 0xc0, 0x2c, 0xc0, 0x30, 4302 0xcc, 0xa9, 0xcc, 0xa8, 0xc0, 0x09, 0xc0, 0x13, 0xc0, 0x0a, 0xc0, 0x14, 4303 0x00, 0x9c, 0x00, 0x9d, 0x00, 0x2f, 0x00, 0x35, 0x00, 0x0a, 0x01, 0x00, 4304 0x00, 0x37, 0x00, 0x17, 0x00, 0x00, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 4305 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00, 4306 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00, 4307 0x14, 0x00, 0x12, 0x04, 0x03, 0x08, 0x04, 0x04, 0x01, 0x05, 0x03, 0x08, 4308 0x05, 0x05, 0x01, 0x08, 0x06, 0x06, 0x01, 0x02, 0x01, 0x04, 0x02, 0x00, 4309 0x0a, 0x04, 0x0a, 0x00, 0x15, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x00, 4310 0x1d, 4311 }; 4312 4313 EXPECT_EQ(20u, sk_SSL_CIPHER_num(SSL_get_ciphers(server.get()))); 4314 ASSERT_TRUE( 4315 SSL_apply_handoff(server.get(), {handoff, OPENSSL_ARRAY_SIZE(handoff)})); 4316 EXPECT_EQ(1u, sk_SSL_CIPHER_num(SSL_get_ciphers(server.get()))); 4317 } 4318 4319 TEST(SSLTest, ApplyHandoffRemovesUnsupportedCurves) { 4320 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method())); 4321 bssl::UniquePtr<SSL> server(SSL_new(server_ctx.get())); 4322 4323 // handoff is a handoff message that has been artificially modified to pretend 4324 // that only one curve is supported. When it is applied to |server|, all 4325 // curves but that one should be removed. 4326 // 4327 // See |ApplyHandoffRemovesUnsupportedCiphers| for how to make a new one of 4328 // these. 4329 uint8_t handoff[] = { 4330 0x30, 0x81, 0xc0, 0x02, 0x01, 0x00, 0x04, 0x00, 0x04, 0x81, 0x82, 0x01, 4331 0x00, 0x00, 0x7e, 0x03, 0x03, 0x98, 0x30, 0xce, 0xd9, 0xb0, 0xdf, 0x5f, 4332 0x82, 0x05, 0x4a, 0x43, 0x67, 0x7e, 0xdb, 0x6a, 0x4f, 0x21, 0x18, 0x4e, 4333 0x0d, 0x94, 0x63, 0x18, 0x8b, 0x54, 0x89, 0xdb, 0x8b, 0x1d, 0x84, 0xbc, 4334 0x09, 0x00, 0x00, 0x1e, 0xc0, 0x2b, 0xc0, 0x2f, 0xc0, 0x2c, 0xc0, 0x30, 4335 0xcc, 0xa9, 0xcc, 0xa8, 0xc0, 0x09, 0xc0, 0x13, 0xc0, 0x0a, 0xc0, 0x14, 4336 0x00, 0x9c, 0x00, 0x9d, 0x00, 0x2f, 0x00, 0x35, 0x00, 0x0a, 0x01, 0x00, 4337 0x00, 0x37, 0x00, 0x17, 0x00, 0x00, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 4338 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00, 4339 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00, 4340 0x14, 0x00, 0x12, 0x04, 0x03, 0x08, 0x04, 0x04, 0x01, 0x05, 0x03, 0x08, 4341 0x05, 0x05, 0x01, 0x08, 0x06, 0x06, 0x01, 0x02, 0x01, 0x04, 0x30, 0x00, 4342 0x02, 0x00, 0x0a, 0x00, 0x2f, 0x00, 0x35, 0x00, 0x8c, 0x00, 0x8d, 0x00, 4343 0x9c, 0x00, 0x9d, 0x13, 0x01, 0x13, 0x02, 0x13, 0x03, 0xc0, 0x09, 0xc0, 4344 0x0a, 0xc0, 0x13, 0xc0, 0x14, 0xc0, 0x2b, 0xc0, 0x2c, 0xc0, 0x2f, 0xc0, 4345 0x30, 0xc0, 0x35, 0xc0, 0x36, 0xcc, 0xa8, 0xcc, 0xa9, 0xcc, 0xac, 0x04, 4346 0x02, 0x00, 0x17, 4347 }; 4348 4349 // The zero length means that the default list of groups is used. 4350 EXPECT_EQ(0u, server->config->supported_group_list.size()); 4351 ASSERT_TRUE( 4352 SSL_apply_handoff(server.get(), {handoff, OPENSSL_ARRAY_SIZE(handoff)})); 4353 EXPECT_EQ(1u, server->config->supported_group_list.size()); 4354 } 4355 4356 TEST(SSLTest, ZeroSizedWiteFlushesHandshakeMessages) { 4357 // If there are pending handshake mesages, an |SSL_write| of zero bytes should 4358 // flush them. 4359 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method())); 4360 EXPECT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION)); 4361 EXPECT_TRUE(SSL_CTX_set_min_proto_version(server_ctx.get(), TLS1_3_VERSION)); 4362 bssl::UniquePtr<X509> cert = GetTestCertificate(); 4363 bssl::UniquePtr<EVP_PKEY> key = GetTestKey(); 4364 ASSERT_TRUE(cert); 4365 ASSERT_TRUE(key); 4366 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get())); 4367 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get())); 4368 4369 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method())); 4370 EXPECT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION)); 4371 EXPECT_TRUE(SSL_CTX_set_min_proto_version(client_ctx.get(), TLS1_3_VERSION)); 4372 4373 bssl::UniquePtr<SSL> client, server; 4374 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(), 4375 server_ctx.get())); 4376 4377 BIO *client_wbio = SSL_get_wbio(client.get()); 4378 EXPECT_EQ(0u, BIO_wpending(client_wbio)); 4379 EXPECT_TRUE(SSL_key_update(client.get(), SSL_KEY_UPDATE_NOT_REQUESTED)); 4380 EXPECT_EQ(0u, BIO_wpending(client_wbio)); 4381 EXPECT_EQ(0, SSL_write(client.get(), nullptr, 0)); 4382 EXPECT_NE(0u, BIO_wpending(client_wbio)); 4383 } 4384 4385 TEST_P(SSLVersionTest, VerifyBeforeCertRequest) { 4386 // Configure the server to request client certificates. 4387 SSL_CTX_set_custom_verify( 4388 server_ctx_.get(), SSL_VERIFY_PEER, 4389 [](SSL *ssl, uint8_t *out_alert) { return ssl_verify_ok; }); 4390 4391 // Configure the client to reject the server certificate. 4392 SSL_CTX_set_custom_verify( 4393 client_ctx_.get(), SSL_VERIFY_PEER, 4394 [](SSL *ssl, uint8_t *out_alert) { return ssl_verify_invalid; }); 4395 4396 // cert_cb should not be called. Verification should fail first. 4397 SSL_CTX_set_cert_cb(client_ctx_.get(), 4398 [](SSL *ssl, void *arg) { 4399 ADD_FAILURE() << "cert_cb unexpectedly called"; 4400 return 0; 4401 }, 4402 nullptr); 4403 4404 bssl::UniquePtr<SSL> client, server; 4405 EXPECT_FALSE(ConnectClientAndServer(&client, &server, client_ctx_.get(), 4406 server_ctx_.get())); 4407 } 4408 4409 // Test that ticket-based sessions on the client get fake session IDs. 4410 TEST_P(SSLVersionTest, FakeIDsForTickets) { 4411 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH); 4412 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH); 4413 4414 bssl::UniquePtr<SSL_SESSION> session = 4415 CreateClientSession(client_ctx_.get(), server_ctx_.get()); 4416 ASSERT_TRUE(session); 4417 4418 EXPECT_TRUE(SSL_SESSION_has_ticket(session.get())); 4419 unsigned session_id_length; 4420 SSL_SESSION_get_id(session.get(), &session_id_length); 4421 EXPECT_NE(session_id_length, 0u); 4422 } 4423 4424 // These tests test multi-threaded behavior. They are intended to run with 4425 // ThreadSanitizer. 4426 #if defined(OPENSSL_THREADS) 4427 TEST_P(SSLVersionTest, SessionCacheThreads) { 4428 SSL_CTX_set_options(server_ctx_.get(), SSL_OP_NO_TICKET); 4429 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH); 4430 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH); 4431 4432 if (version() == TLS1_3_VERSION) { 4433 // Our TLS 1.3 implementation does not support stateful resumption. 4434 ASSERT_FALSE(CreateClientSession(client_ctx_.get(), server_ctx_.get())); 4435 return; 4436 } 4437 4438 // Establish two client sessions to test with. 4439 bssl::UniquePtr<SSL_SESSION> session1 = 4440 CreateClientSession(client_ctx_.get(), server_ctx_.get()); 4441 ASSERT_TRUE(session1); 4442 bssl::UniquePtr<SSL_SESSION> session2 = 4443 CreateClientSession(client_ctx_.get(), server_ctx_.get()); 4444 ASSERT_TRUE(session2); 4445 4446 auto connect_with_session = [&](SSL_SESSION *session) { 4447 ClientConfig config; 4448 config.session = session; 4449 UniquePtr<SSL> client, server; 4450 EXPECT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(), 4451 server_ctx_.get(), config)); 4452 }; 4453 4454 // Resume sessions in parallel with establishing new ones. 4455 { 4456 std::vector<std::thread> threads; 4457 threads.emplace_back([&] { connect_with_session(nullptr); }); 4458 threads.emplace_back([&] { connect_with_session(nullptr); }); 4459 threads.emplace_back([&] { connect_with_session(session1.get()); }); 4460 threads.emplace_back([&] { connect_with_session(session1.get()); }); 4461 threads.emplace_back([&] { connect_with_session(session2.get()); }); 4462 threads.emplace_back([&] { connect_with_session(session2.get()); }); 4463 for (auto &thread : threads) { 4464 thread.join(); 4465 } 4466 } 4467 4468 // Hit the maximum session cache size across multiple threads 4469 size_t limit = SSL_CTX_sess_number(server_ctx_.get()) + 2; 4470 SSL_CTX_sess_set_cache_size(server_ctx_.get(), limit); 4471 { 4472 std::vector<std::thread> threads; 4473 for (int i = 0; i < 4; i++) { 4474 threads.emplace_back([&]() { 4475 connect_with_session(nullptr); 4476 EXPECT_LE(SSL_CTX_sess_number(server_ctx_.get()), limit); 4477 }); 4478 } 4479 for (auto &thread : threads) { 4480 thread.join(); 4481 } 4482 EXPECT_EQ(SSL_CTX_sess_number(server_ctx_.get()), limit); 4483 } 4484 } 4485 4486 TEST_P(SSLVersionTest, SessionTicketThreads) { 4487 for (bool renew_ticket : {false, true}) { 4488 SCOPED_TRACE(renew_ticket); 4489 ResetContexts(); 4490 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH); 4491 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH); 4492 if (renew_ticket) { 4493 SSL_CTX_set_tlsext_ticket_key_cb(server_ctx_.get(), RenewTicketCallback); 4494 } 4495 4496 // Establish two client sessions to test with. 4497 bssl::UniquePtr<SSL_SESSION> session1 = 4498 CreateClientSession(client_ctx_.get(), server_ctx_.get()); 4499 ASSERT_TRUE(session1); 4500 bssl::UniquePtr<SSL_SESSION> session2 = 4501 CreateClientSession(client_ctx_.get(), server_ctx_.get()); 4502 ASSERT_TRUE(session2); 4503 4504 auto connect_with_session = [&](SSL_SESSION *session) { 4505 ClientConfig config; 4506 config.session = session; 4507 UniquePtr<SSL> client, server; 4508 EXPECT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(), 4509 server_ctx_.get(), config)); 4510 }; 4511 4512 // Resume sessions in parallel with establishing new ones. 4513 { 4514 std::vector<std::thread> threads; 4515 threads.emplace_back([&] { connect_with_session(nullptr); }); 4516 threads.emplace_back([&] { connect_with_session(nullptr); }); 4517 threads.emplace_back([&] { connect_with_session(session1.get()); }); 4518 threads.emplace_back([&] { connect_with_session(session1.get()); }); 4519 threads.emplace_back([&] { connect_with_session(session2.get()); }); 4520 threads.emplace_back([&] { connect_with_session(session2.get()); }); 4521 for (auto &thread : threads) { 4522 thread.join(); 4523 } 4524 } 4525 } 4526 } 4527 4528 // SSL_CTX_get0_certificate needs to lock internally. Test this works. 4529 TEST(SSLTest, GetCertificateThreads) { 4530 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method())); 4531 ASSERT_TRUE(ctx); 4532 bssl::UniquePtr<X509> cert = GetTestCertificate(); 4533 ASSERT_TRUE(cert); 4534 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), cert.get())); 4535 4536 // Existing code expects |SSL_CTX_get0_certificate| to be callable from two 4537 // threads concurrently. It originally was an immutable operation. Now we 4538 // implement it with a thread-safe cache, so it is worth testing. 4539 X509 *cert2_thread; 4540 std::thread thread( 4541 [&] { cert2_thread = SSL_CTX_get0_certificate(ctx.get()); }); 4542 X509 *cert2 = SSL_CTX_get0_certificate(ctx.get()); 4543 thread.join(); 4544 4545 EXPECT_EQ(cert2, cert2_thread); 4546 EXPECT_EQ(0, X509_cmp(cert.get(), cert2)); 4547 } 4548 4549 // Functions which access properties on the negotiated session are thread-safe 4550 // where needed. Prior to TLS 1.3, clients resuming sessions and servers 4551 // performing stateful resumption will share an underlying SSL_SESSION object, 4552 // potentially across threads. 4553 TEST_P(SSLVersionTest, SessionPropertiesThreads) { 4554 if (version() == TLS1_3_VERSION) { 4555 // Our TLS 1.3 implementation does not support stateful resumption. 4556 ASSERT_FALSE(CreateClientSession(client_ctx_.get(), server_ctx_.get())); 4557 return; 4558 } 4559 4560 SSL_CTX_set_options(server_ctx_.get(), SSL_OP_NO_TICKET); 4561 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH); 4562 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH); 4563 4564 ASSERT_TRUE(UseCertAndKey(client_ctx_.get())); 4565 ASSERT_TRUE(UseCertAndKey(server_ctx_.get())); 4566 4567 // Configure mutual authentication, so we have more session state. 4568 SSL_CTX_set_custom_verify( 4569 client_ctx_.get(), SSL_VERIFY_PEER, 4570 [](SSL *ssl, uint8_t *out_alert) { return ssl_verify_ok; }); 4571 SSL_CTX_set_custom_verify( 4572 server_ctx_.get(), SSL_VERIFY_PEER, 4573 [](SSL *ssl, uint8_t *out_alert) { return ssl_verify_ok; }); 4574 4575 // Establish a client session to test with. 4576 bssl::UniquePtr<SSL_SESSION> session = 4577 CreateClientSession(client_ctx_.get(), server_ctx_.get()); 4578 ASSERT_TRUE(session); 4579 4580 // Resume with it twice. 4581 UniquePtr<SSL> ssls[4]; 4582 ClientConfig config; 4583 config.session = session.get(); 4584 ASSERT_TRUE(ConnectClientAndServer(&ssls[0], &ssls[1], client_ctx_.get(), 4585 server_ctx_.get(), config)); 4586 ASSERT_TRUE(ConnectClientAndServer(&ssls[2], &ssls[3], client_ctx_.get(), 4587 server_ctx_.get(), config)); 4588 4589 // Read properties in parallel. 4590 auto read_properties = [](const SSL *ssl) { 4591 EXPECT_TRUE(SSL_get_peer_cert_chain(ssl)); 4592 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(ssl)); 4593 EXPECT_TRUE(peer); 4594 EXPECT_TRUE(SSL_get_current_cipher(ssl)); 4595 EXPECT_TRUE(SSL_get_curve_id(ssl)); 4596 }; 4597 4598 std::vector<std::thread> threads; 4599 for (const auto &ssl_ptr : ssls) { 4600 const SSL *ssl = ssl_ptr.get(); 4601 threads.emplace_back([=] { read_properties(ssl); }); 4602 } 4603 for (auto &thread : threads) { 4604 thread.join(); 4605 } 4606 } 4607 #endif 4608 4609 constexpr size_t kNumQUICLevels = 4; 4610 static_assert(ssl_encryption_initial < kNumQUICLevels, 4611 "kNumQUICLevels is wrong"); 4612 static_assert(ssl_encryption_early_data < kNumQUICLevels, 4613 "kNumQUICLevels is wrong"); 4614 static_assert(ssl_encryption_handshake < kNumQUICLevels, 4615 "kNumQUICLevels is wrong"); 4616 static_assert(ssl_encryption_application < kNumQUICLevels, 4617 "kNumQUICLevels is wrong"); 4618 4619 class MockQUICTransport { 4620 public: 4621 MockQUICTransport() { 4622 // The caller is expected to configure initial secrets. 4623 levels_[ssl_encryption_initial].write_secret = {1}; 4624 levels_[ssl_encryption_initial].read_secret = {1}; 4625 } 4626 4627 void set_peer(MockQUICTransport *peer) { peer_ = peer; } 4628 4629 bool has_alert() const { return has_alert_; } 4630 ssl_encryption_level_t alert_level() const { return alert_level_; } 4631 uint8_t alert() const { return alert_; } 4632 4633 bool PeerSecretsMatch(ssl_encryption_level_t level) const { 4634 return levels_[level].write_secret == peer_->levels_[level].read_secret && 4635 levels_[level].read_secret == peer_->levels_[level].write_secret && 4636 levels_[level].cipher == peer_->levels_[level].cipher; 4637 } 4638 4639 bool HasSecrets(ssl_encryption_level_t level) const { 4640 return !levels_[level].write_secret.empty() || 4641 !levels_[level].read_secret.empty(); 4642 } 4643 4644 bool SetEncryptionSecrets(ssl_encryption_level_t level, 4645 const uint8_t *read_secret, 4646 const uint8_t *write_secret, size_t secret_len, 4647 const SSL_CIPHER *cipher) { 4648 if (HasSecrets(level)) { 4649 ADD_FAILURE() << "duplicate keys configured"; 4650 return false; 4651 } 4652 4653 if (cipher == nullptr) { 4654 ADD_FAILURE() << "current cipher unavailable"; 4655 return false; 4656 } 4657 4658 if (level != ssl_encryption_early_data && 4659 (read_secret == nullptr || write_secret == nullptr)) { 4660 ADD_FAILURE() << "key was unexpectedly null"; 4661 return false; 4662 } 4663 if (read_secret != nullptr) { 4664 levels_[level].read_secret.assign(read_secret, read_secret + secret_len); 4665 } 4666 if (write_secret != nullptr) { 4667 levels_[level].write_secret.assign(write_secret, 4668 write_secret + secret_len); 4669 } 4670 levels_[level].cipher = SSL_CIPHER_get_id(cipher); 4671 return true; 4672 } 4673 4674 bool WriteHandshakeData(ssl_encryption_level_t level, 4675 Span<const uint8_t> data) { 4676 if (levels_[level].write_secret.empty()) { 4677 ADD_FAILURE() << "data written before keys configured"; 4678 return false; 4679 } 4680 levels_[level].write_data.insert(levels_[level].write_data.end(), 4681 data.begin(), data.end()); 4682 return true; 4683 } 4684 4685 bool SendAlert(ssl_encryption_level_t level, uint8_t alert_value) { 4686 if (has_alert_) { 4687 ADD_FAILURE() << "duplicate alert sent"; 4688 return false; 4689 } 4690 4691 if (levels_[level].write_secret.empty()) { 4692 ADD_FAILURE() << "alert sent before keys configured"; 4693 return false; 4694 } 4695 4696 has_alert_ = true; 4697 alert_level_ = level; 4698 alert_ = alert_value; 4699 return true; 4700 } 4701 4702 bool ReadHandshakeData(std::vector<uint8_t> *out, 4703 ssl_encryption_level_t level, 4704 size_t num = std::numeric_limits<size_t>::max()) { 4705 if (levels_[level].read_secret.empty()) { 4706 ADD_FAILURE() << "data read before keys configured"; 4707 return false; 4708 } 4709 // The peer may not have configured any keys yet. 4710 if (peer_->levels_[level].write_secret.empty()) { 4711 return true; 4712 } 4713 // Check the peer computed the same key. 4714 if (peer_->levels_[level].write_secret != levels_[level].read_secret) { 4715 ADD_FAILURE() << "peer write key does not match read key"; 4716 return false; 4717 } 4718 if (peer_->levels_[level].cipher != levels_[level].cipher) { 4719 ADD_FAILURE() << "peer cipher does not match"; 4720 return false; 4721 } 4722 std::vector<uint8_t> *peer_data = &peer_->levels_[level].write_data; 4723 num = std::min(num, peer_data->size()); 4724 out->assign(peer_data->begin(), peer_data->begin() + num); 4725 peer_data->erase(peer_data->begin(), peer_data->begin() + num); 4726 return true; 4727 } 4728 4729 private: 4730 MockQUICTransport *peer_ = nullptr; 4731 4732 bool has_alert_ = false; 4733 ssl_encryption_level_t alert_level_ = ssl_encryption_initial; 4734 uint8_t alert_ = 0; 4735 4736 struct Level { 4737 std::vector<uint8_t> write_data; 4738 std::vector<uint8_t> write_secret; 4739 std::vector<uint8_t> read_secret; 4740 uint32_t cipher = 0; 4741 }; 4742 Level levels_[kNumQUICLevels]; 4743 }; 4744 4745 class MockQUICTransportPair { 4746 public: 4747 MockQUICTransportPair() { 4748 server_.set_peer(&client_); 4749 client_.set_peer(&server_); 4750 } 4751 4752 ~MockQUICTransportPair() { 4753 server_.set_peer(nullptr); 4754 client_.set_peer(nullptr); 4755 } 4756 4757 MockQUICTransport *client() { return &client_; } 4758 MockQUICTransport *server() { return &server_; } 4759 4760 bool SecretsMatch(ssl_encryption_level_t level) const { 4761 return client_.PeerSecretsMatch(level); 4762 } 4763 4764 private: 4765 MockQUICTransport client_; 4766 MockQUICTransport server_; 4767 }; 4768 4769 class QUICMethodTest : public testing::Test { 4770 protected: 4771 void SetUp() override { 4772 client_ctx_.reset(SSL_CTX_new(TLS_method())); 4773 server_ctx_.reset(SSL_CTX_new(TLS_method())); 4774 ASSERT_TRUE(client_ctx_); 4775 ASSERT_TRUE(server_ctx_); 4776 4777 bssl::UniquePtr<X509> cert = GetTestCertificate(); 4778 bssl::UniquePtr<EVP_PKEY> key = GetTestKey(); 4779 ASSERT_TRUE(cert); 4780 ASSERT_TRUE(key); 4781 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx_.get(), cert.get())); 4782 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx_.get(), key.get())); 4783 4784 SSL_CTX_set_min_proto_version(server_ctx_.get(), TLS1_3_VERSION); 4785 SSL_CTX_set_max_proto_version(server_ctx_.get(), TLS1_3_VERSION); 4786 SSL_CTX_set_min_proto_version(client_ctx_.get(), TLS1_3_VERSION); 4787 SSL_CTX_set_max_proto_version(client_ctx_.get(), TLS1_3_VERSION); 4788 } 4789 4790 static MockQUICTransport *TransportFromSSL(const SSL *ssl) { 4791 return ex_data_.Get(ssl); 4792 } 4793 4794 static bool ProvideHandshakeData( 4795 SSL *ssl, size_t num = std::numeric_limits<size_t>::max()) { 4796 MockQUICTransport *transport = TransportFromSSL(ssl); 4797 ssl_encryption_level_t level = SSL_quic_read_level(ssl); 4798 std::vector<uint8_t> data; 4799 return transport->ReadHandshakeData(&data, level, num) && 4800 SSL_provide_quic_data(ssl, level, data.data(), data.size()); 4801 } 4802 4803 bool CreateClientAndServer() { 4804 client_.reset(SSL_new(client_ctx_.get())); 4805 server_.reset(SSL_new(server_ctx_.get())); 4806 if (!client_ || !server_) { 4807 return false; 4808 } 4809 4810 SSL_set_connect_state(client_.get()); 4811 SSL_set_accept_state(server_.get()); 4812 4813 ex_data_.Set(client_.get(), transport_.client()); 4814 ex_data_.Set(server_.get(), transport_.server()); 4815 return true; 4816 } 4817 4818 bool CreateSecondClientAndServer() { 4819 client_.reset(SSL_new(client_ctx_.get())); 4820 server_.reset(SSL_new(server_ctx_.get())); 4821 if (!client_ || !server_) { 4822 return false; 4823 } 4824 4825 SSL_set_connect_state(client_.get()); 4826 SSL_set_accept_state(server_.get()); 4827 4828 ex_data_.Set(client_.get(), second_transport_.client()); 4829 ex_data_.Set(server_.get(), second_transport_.server()); 4830 return true; 4831 } 4832 4833 // The following functions may be configured on an |SSL_QUIC_METHOD| as 4834 // default implementations. 4835 4836 static int SetEncryptionSecretsCallback(SSL *ssl, 4837 ssl_encryption_level_t level, 4838 const uint8_t *read_key, 4839 const uint8_t *write_key, 4840 size_t key_len) { 4841 return TransportFromSSL(ssl)->SetEncryptionSecrets( 4842 level, read_key, write_key, key_len, SSL_get_current_cipher(ssl)); 4843 } 4844 4845 static int AddHandshakeDataCallback(SSL *ssl, 4846 enum ssl_encryption_level_t level, 4847 const uint8_t *data, size_t len) { 4848 EXPECT_EQ(level, SSL_quic_write_level(ssl)); 4849 return TransportFromSSL(ssl)->WriteHandshakeData(level, 4850 MakeConstSpan(data, len)); 4851 } 4852 4853 static int FlushFlightCallback(SSL *ssl) { return 1; } 4854 4855 static int SendAlertCallback(SSL *ssl, ssl_encryption_level_t level, 4856 uint8_t alert) { 4857 EXPECT_EQ(level, SSL_quic_write_level(ssl)); 4858 return TransportFromSSL(ssl)->SendAlert(level, alert); 4859 } 4860 4861 bssl::UniquePtr<SSL_CTX> client_ctx_; 4862 bssl::UniquePtr<SSL_CTX> server_ctx_; 4863 4864 static UnownedSSLExData<MockQUICTransport> ex_data_; 4865 MockQUICTransportPair transport_; 4866 MockQUICTransportPair second_transport_; 4867 4868 bssl::UniquePtr<SSL> client_; 4869 bssl::UniquePtr<SSL> server_; 4870 }; 4871 4872 UnownedSSLExData<MockQUICTransport> QUICMethodTest::ex_data_; 4873 4874 // Test a full handshake works. 4875 TEST_F(QUICMethodTest, Basic) { 4876 const SSL_QUIC_METHOD quic_method = { 4877 SetEncryptionSecretsCallback, 4878 AddHandshakeDataCallback, 4879 FlushFlightCallback, 4880 SendAlertCallback, 4881 }; 4882 4883 g_last_session = nullptr; 4884 4885 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH); 4886 SSL_CTX_sess_set_new_cb(client_ctx_.get(), SaveLastSession); 4887 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method)); 4888 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method)); 4889 ASSERT_TRUE(CreateClientAndServer()); 4890 4891 for (;;) { 4892 ASSERT_TRUE(ProvideHandshakeData(client_.get())); 4893 int client_ret = SSL_do_handshake(client_.get()); 4894 if (client_ret != 1) { 4895 ASSERT_EQ(client_ret, -1); 4896 ASSERT_EQ(SSL_get_error(client_.get(), client_ret), SSL_ERROR_WANT_READ); 4897 } 4898 4899 ASSERT_TRUE(ProvideHandshakeData(server_.get())); 4900 int server_ret = SSL_do_handshake(server_.get()); 4901 if (server_ret != 1) { 4902 ASSERT_EQ(server_ret, -1); 4903 ASSERT_EQ(SSL_get_error(server_.get(), server_ret), SSL_ERROR_WANT_READ); 4904 } 4905 4906 if (client_ret == 1 && server_ret == 1) { 4907 break; 4908 } 4909 } 4910 4911 EXPECT_EQ(SSL_do_handshake(client_.get()), 1); 4912 EXPECT_EQ(SSL_do_handshake(server_.get()), 1); 4913 EXPECT_TRUE(transport_.SecretsMatch(ssl_encryption_application)); 4914 EXPECT_FALSE(transport_.client()->has_alert()); 4915 EXPECT_FALSE(transport_.server()->has_alert()); 4916 4917 // The server sent NewSessionTicket messages in the handshake. 4918 EXPECT_FALSE(g_last_session); 4919 ASSERT_TRUE(ProvideHandshakeData(client_.get())); 4920 EXPECT_EQ(SSL_process_quic_post_handshake(client_.get()), 1); 4921 EXPECT_TRUE(g_last_session); 4922 4923 // Create a second connection to verify resumption works. 4924 ASSERT_TRUE(CreateSecondClientAndServer()); 4925 bssl::UniquePtr<SSL_SESSION> session = std::move(g_last_session); 4926 SSL_set_session(client_.get(), session.get()); 4927 4928 for (;;) { 4929 ASSERT_TRUE(ProvideHandshakeData(client_.get())); 4930 int client_ret = SSL_do_handshake(client_.get()); 4931 if (client_ret != 1) { 4932 ASSERT_EQ(client_ret, -1); 4933 ASSERT_EQ(SSL_get_error(client_.get(), client_ret), SSL_ERROR_WANT_READ); 4934 } 4935 4936 ASSERT_TRUE(ProvideHandshakeData(server_.get())); 4937 int server_ret = SSL_do_handshake(server_.get()); 4938 if (server_ret != 1) { 4939 ASSERT_EQ(server_ret, -1); 4940 ASSERT_EQ(SSL_get_error(server_.get(), server_ret), SSL_ERROR_WANT_READ); 4941 } 4942 4943 if (client_ret == 1 && server_ret == 1) { 4944 break; 4945 } 4946 } 4947 4948 EXPECT_EQ(SSL_do_handshake(client_.get()), 1); 4949 EXPECT_EQ(SSL_do_handshake(server_.get()), 1); 4950 EXPECT_TRUE(transport_.SecretsMatch(ssl_encryption_application)); 4951 EXPECT_FALSE(transport_.client()->has_alert()); 4952 EXPECT_FALSE(transport_.server()->has_alert()); 4953 EXPECT_TRUE(SSL_session_reused(client_.get())); 4954 EXPECT_TRUE(SSL_session_reused(server_.get())); 4955 } 4956 4957 // Test only releasing data to QUIC one byte at a time on request, to maximize 4958 // state machine pauses. Additionally, test that existing asynchronous callbacks 4959 // still work. 4960 TEST_F(QUICMethodTest, Async) { 4961 const SSL_QUIC_METHOD quic_method = { 4962 SetEncryptionSecretsCallback, 4963 AddHandshakeDataCallback, 4964 FlushFlightCallback, 4965 SendAlertCallback, 4966 }; 4967 4968 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method)); 4969 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method)); 4970 ASSERT_TRUE(CreateClientAndServer()); 4971 4972 // Install an asynchronous certificate callback. 4973 bool cert_cb_ok = false; 4974 SSL_set_cert_cb(server_.get(), 4975 [](SSL *, void *arg) -> int { 4976 return *static_cast<bool *>(arg) ? 1 : -1; 4977 }, 4978 &cert_cb_ok); 4979 4980 for (;;) { 4981 int client_ret = SSL_do_handshake(client_.get()); 4982 if (client_ret != 1) { 4983 ASSERT_EQ(client_ret, -1); 4984 ASSERT_EQ(SSL_get_error(client_.get(), client_ret), SSL_ERROR_WANT_READ); 4985 ASSERT_TRUE(ProvideHandshakeData(client_.get(), 1)); 4986 } 4987 4988 int server_ret = SSL_do_handshake(server_.get()); 4989 if (server_ret != 1) { 4990 ASSERT_EQ(server_ret, -1); 4991 int ssl_err = SSL_get_error(server_.get(), server_ret); 4992 switch (ssl_err) { 4993 case SSL_ERROR_WANT_READ: 4994 ASSERT_TRUE(ProvideHandshakeData(server_.get(), 1)); 4995 break; 4996 case SSL_ERROR_WANT_X509_LOOKUP: 4997 ASSERT_FALSE(cert_cb_ok); 4998 cert_cb_ok = true; 4999 break; 5000 default: 5001 FAIL() << "Unexpected SSL_get_error result: " << ssl_err; 5002 } 5003 } 5004 5005 if (client_ret == 1 && server_ret == 1) { 5006 break; 5007 } 5008 } 5009 5010 EXPECT_EQ(SSL_do_handshake(client_.get()), 1); 5011 EXPECT_EQ(SSL_do_handshake(server_.get()), 1); 5012 EXPECT_TRUE(transport_.SecretsMatch(ssl_encryption_application)); 5013 EXPECT_FALSE(transport_.client()->has_alert()); 5014 EXPECT_FALSE(transport_.server()->has_alert()); 5015 } 5016 5017 // Test buffering write data until explicit flushes. 5018 TEST_F(QUICMethodTest, Buffered) { 5019 struct BufferedFlight { 5020 std::vector<uint8_t> data[kNumQUICLevels]; 5021 }; 5022 static UnownedSSLExData<BufferedFlight> buffered_flights; 5023 5024 auto add_handshake_data = [](SSL *ssl, enum ssl_encryption_level_t level, 5025 const uint8_t *data, size_t len) -> int { 5026 BufferedFlight *flight = buffered_flights.Get(ssl); 5027 flight->data[level].insert(flight->data[level].end(), data, data + len); 5028 return 1; 5029 }; 5030 5031 auto flush_flight = [](SSL *ssl) -> int { 5032 BufferedFlight *flight = buffered_flights.Get(ssl); 5033 for (size_t level = 0; level < kNumQUICLevels; level++) { 5034 if (!flight->data[level].empty()) { 5035 if (!TransportFromSSL(ssl)->WriteHandshakeData( 5036 static_cast<ssl_encryption_level_t>(level), 5037 flight->data[level])) { 5038 return 0; 5039 } 5040 flight->data[level].clear(); 5041 } 5042 } 5043 return 1; 5044 }; 5045 5046 const SSL_QUIC_METHOD quic_method = { 5047 SetEncryptionSecretsCallback, 5048 add_handshake_data, 5049 flush_flight, 5050 SendAlertCallback, 5051 }; 5052 5053 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method)); 5054 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method)); 5055 ASSERT_TRUE(CreateClientAndServer()); 5056 5057 BufferedFlight client_flight, server_flight; 5058 buffered_flights.Set(client_.get(), &client_flight); 5059 buffered_flights.Set(server_.get(), &server_flight); 5060 5061 for (;;) { 5062 ASSERT_TRUE(ProvideHandshakeData(client_.get())); 5063 int client_ret = SSL_do_handshake(client_.get()); 5064 if (client_ret != 1) { 5065 ASSERT_EQ(client_ret, -1); 5066 ASSERT_EQ(SSL_get_error(client_.get(), client_ret), SSL_ERROR_WANT_READ); 5067 } 5068 5069 ASSERT_TRUE(ProvideHandshakeData(server_.get())); 5070 int server_ret = SSL_do_handshake(server_.get()); 5071 if (server_ret != 1) { 5072 ASSERT_EQ(server_ret, -1); 5073 ASSERT_EQ(SSL_get_error(server_.get(), server_ret), SSL_ERROR_WANT_READ); 5074 } 5075 5076 if (client_ret == 1 && server_ret == 1) { 5077 break; 5078 } 5079 } 5080 5081 EXPECT_EQ(SSL_do_handshake(client_.get()), 1); 5082 EXPECT_EQ(SSL_do_handshake(server_.get()), 1); 5083 EXPECT_TRUE(transport_.SecretsMatch(ssl_encryption_application)); 5084 EXPECT_FALSE(transport_.client()->has_alert()); 5085 EXPECT_FALSE(transport_.server()->has_alert()); 5086 } 5087 5088 // Test that excess data at one level is rejected. That is, if a single 5089 // |SSL_provide_quic_data| call included both ServerHello and 5090 // EncryptedExtensions in a single chunk, BoringSSL notices and rejects this on 5091 // key change. 5092 TEST_F(QUICMethodTest, ExcessProvidedData) { 5093 auto add_handshake_data = [](SSL *ssl, enum ssl_encryption_level_t level, 5094 const uint8_t *data, size_t len) -> int { 5095 // Switch everything to the initial level. 5096 return TransportFromSSL(ssl)->WriteHandshakeData(ssl_encryption_initial, 5097 MakeConstSpan(data, len)); 5098 }; 5099 5100 const SSL_QUIC_METHOD quic_method = { 5101 SetEncryptionSecretsCallback, 5102 add_handshake_data, 5103 FlushFlightCallback, 5104 SendAlertCallback, 5105 }; 5106 5107 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method)); 5108 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method)); 5109 ASSERT_TRUE(CreateClientAndServer()); 5110 5111 // Send the ClientHello and ServerHello through Finished. 5112 ASSERT_EQ(SSL_do_handshake(client_.get()), -1); 5113 ASSERT_EQ(SSL_get_error(client_.get(), -1), SSL_ERROR_WANT_READ); 5114 ASSERT_TRUE(ProvideHandshakeData(server_.get())); 5115 ASSERT_EQ(SSL_do_handshake(server_.get()), -1); 5116 ASSERT_EQ(SSL_get_error(server_.get(), -1), SSL_ERROR_WANT_READ); 5117 5118 // The client is still waiting for the ServerHello at initial 5119 // encryption. 5120 ASSERT_EQ(ssl_encryption_initial, SSL_quic_read_level(client_.get())); 5121 5122 // |add_handshake_data| incorrectly wrote everything at the initial level, so 5123 // this queues up ServerHello through Finished in one chunk. 5124 ASSERT_TRUE(ProvideHandshakeData(client_.get())); 5125 5126 // The client reads ServerHello successfully, but then rejects the buffered 5127 // EncryptedExtensions on key change. 5128 ASSERT_EQ(SSL_do_handshake(client_.get()), -1); 5129 ASSERT_EQ(SSL_get_error(client_.get(), -1), SSL_ERROR_SSL); 5130 uint32_t err = ERR_get_error(); 5131 EXPECT_EQ(ERR_GET_LIB(err), ERR_LIB_SSL); 5132 EXPECT_EQ(ERR_GET_REASON(err), SSL_R_BUFFERED_MESSAGES_ON_CIPHER_CHANGE); 5133 5134 // The client sends an alert in response to this. 5135 ASSERT_TRUE(transport_.client()->has_alert()); 5136 EXPECT_EQ(transport_.client()->alert_level(), ssl_encryption_initial); 5137 EXPECT_EQ(transport_.client()->alert(), SSL_AD_UNEXPECTED_MESSAGE); 5138 5139 // Sanity-check client did get far enough to process the ServerHello and 5140 // install keys. 5141 EXPECT_TRUE(transport_.client()->HasSecrets(ssl_encryption_handshake)); 5142 } 5143 5144 // Test that |SSL_provide_quic_data| will reject data at the wrong level. 5145 TEST_F(QUICMethodTest, ProvideWrongLevel) { 5146 const SSL_QUIC_METHOD quic_method = { 5147 SetEncryptionSecretsCallback, 5148 AddHandshakeDataCallback, 5149 FlushFlightCallback, 5150 SendAlertCallback, 5151 }; 5152 5153 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method)); 5154 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method)); 5155 ASSERT_TRUE(CreateClientAndServer()); 5156 5157 // Send the ClientHello and ServerHello through Finished. 5158 ASSERT_EQ(SSL_do_handshake(client_.get()), -1); 5159 ASSERT_EQ(SSL_get_error(client_.get(), -1), SSL_ERROR_WANT_READ); 5160 ASSERT_TRUE(ProvideHandshakeData(server_.get())); 5161 ASSERT_EQ(SSL_do_handshake(server_.get()), -1); 5162 ASSERT_EQ(SSL_get_error(server_.get(), -1), SSL_ERROR_WANT_READ); 5163 5164 // The client is still waiting for the ServerHello at initial 5165 // encryption. 5166 ASSERT_EQ(ssl_encryption_initial, SSL_quic_read_level(client_.get())); 5167 5168 // Data cannot be provided at the next level. 5169 std::vector<uint8_t> data; 5170 ASSERT_TRUE( 5171 transport_.client()->ReadHandshakeData(&data, ssl_encryption_initial)); 5172 ASSERT_FALSE(SSL_provide_quic_data(client_.get(), ssl_encryption_handshake, 5173 data.data(), data.size())); 5174 ERR_clear_error(); 5175 5176 // Progress to EncryptedExtensions. 5177 ASSERT_TRUE(SSL_provide_quic_data(client_.get(), ssl_encryption_initial, 5178 data.data(), data.size())); 5179 ASSERT_EQ(SSL_do_handshake(client_.get()), -1); 5180 ASSERT_EQ(SSL_get_error(client_.get(), -1), SSL_ERROR_WANT_READ); 5181 ASSERT_EQ(ssl_encryption_handshake, SSL_quic_read_level(client_.get())); 5182 5183 // Data cannot be provided at the previous level. 5184 ASSERT_TRUE( 5185 transport_.client()->ReadHandshakeData(&data, ssl_encryption_handshake)); 5186 ASSERT_FALSE(SSL_provide_quic_data(client_.get(), ssl_encryption_initial, 5187 data.data(), data.size())); 5188 } 5189 5190 TEST_F(QUICMethodTest, TooMuchData) { 5191 const SSL_QUIC_METHOD quic_method = { 5192 SetEncryptionSecretsCallback, 5193 AddHandshakeDataCallback, 5194 FlushFlightCallback, 5195 SendAlertCallback, 5196 }; 5197 5198 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method)); 5199 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method)); 5200 ASSERT_TRUE(CreateClientAndServer()); 5201 5202 size_t limit = 5203 SSL_quic_max_handshake_flight_len(client_.get(), ssl_encryption_initial); 5204 uint8_t b = 0; 5205 for (size_t i = 0; i < limit; i++) { 5206 ASSERT_TRUE( 5207 SSL_provide_quic_data(client_.get(), ssl_encryption_initial, &b, 1)); 5208 } 5209 5210 EXPECT_FALSE( 5211 SSL_provide_quic_data(client_.get(), ssl_encryption_initial, &b, 1)); 5212 } 5213 5214 // Provide invalid post-handshake data. 5215 TEST_F(QUICMethodTest, BadPostHandshake) { 5216 const SSL_QUIC_METHOD quic_method = { 5217 SetEncryptionSecretsCallback, 5218 AddHandshakeDataCallback, 5219 FlushFlightCallback, 5220 SendAlertCallback, 5221 }; 5222 5223 g_last_session = nullptr; 5224 5225 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH); 5226 SSL_CTX_sess_set_new_cb(client_ctx_.get(), SaveLastSession); 5227 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method)); 5228 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method)); 5229 ASSERT_TRUE(CreateClientAndServer()); 5230 5231 for (;;) { 5232 ASSERT_TRUE(ProvideHandshakeData(client_.get())); 5233 int client_ret = SSL_do_handshake(client_.get()); 5234 if (client_ret != 1) { 5235 ASSERT_EQ(client_ret, -1); 5236 ASSERT_EQ(SSL_get_error(client_.get(), client_ret), SSL_ERROR_WANT_READ); 5237 } 5238 5239 ASSERT_TRUE(ProvideHandshakeData(server_.get())); 5240 int server_ret = SSL_do_handshake(server_.get()); 5241 if (server_ret != 1) { 5242 ASSERT_EQ(server_ret, -1); 5243 ASSERT_EQ(SSL_get_error(server_.get(), server_ret), SSL_ERROR_WANT_READ); 5244 } 5245 5246 if (client_ret == 1 && server_ret == 1) { 5247 break; 5248 } 5249 } 5250 5251 EXPECT_EQ(SSL_do_handshake(client_.get()), 1); 5252 EXPECT_EQ(SSL_do_handshake(server_.get()), 1); 5253 EXPECT_TRUE(transport_.SecretsMatch(ssl_encryption_application)); 5254 EXPECT_FALSE(transport_.client()->has_alert()); 5255 EXPECT_FALSE(transport_.server()->has_alert()); 5256 5257 // Junk sent as part of post-handshake data should cause an error. 5258 uint8_t kJunk[] = {0x17, 0x0, 0x0, 0x4, 0xB, 0xE, 0xE, 0xF}; 5259 ASSERT_TRUE(SSL_provide_quic_data(client_.get(), ssl_encryption_application, 5260 kJunk, sizeof(kJunk))); 5261 EXPECT_EQ(SSL_process_quic_post_handshake(client_.get()), 0); 5262 } 5263 5264 // TODO(davidben): Convert this file to GTest properly. 5265 TEST(SSLTest, AllTests) { 5266 if (!TestSSL_SESSIONEncoding(kOpenSSLSession) || 5267 !TestSSL_SESSIONEncoding(kCustomSession) || 5268 !TestSSL_SESSIONEncoding(kBoringSSLSession) || 5269 !TestBadSSL_SESSIONEncoding(kBadSessionExtraField) || 5270 !TestBadSSL_SESSIONEncoding(kBadSessionVersion) || 5271 !TestBadSSL_SESSIONEncoding(kBadSessionTrailingData) || 5272 // Test the padding extension at TLS 1.2. 5273 !TestPaddingExtension(TLS1_2_VERSION, TLS1_2_VERSION) || 5274 // Test the padding extension at TLS 1.3 with a TLS 1.2 session, so there 5275 // will be no PSK binder after the padding extension. 5276 !TestPaddingExtension(TLS1_3_VERSION, TLS1_2_VERSION) || 5277 // Test the padding extension at TLS 1.3 with a TLS 1.3 session, so there 5278 // will be a PSK binder after the padding extension. 5279 !TestPaddingExtension(TLS1_3_VERSION, TLS1_3_VERSION)) { 5280 ADD_FAILURE() << "Tests failed"; 5281 } 5282 } 5283 5284 } // namespace 5285 BSSL_NAMESPACE_END 5286
