1 /* Copyright (c) 2014, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15 #include <stdio.h>
16 #include <string.h>
17 #include <time.h>
18
19 #include <algorithm>
20 #include <limits>
21 #include <string>
22 #include <utility>
23 #include <vector>
24
25 #include <gtest/gtest.h>
26
27 #include <openssl/aead.h>
28 #include <openssl/base64.h>
29 #include <openssl/bio.h>
30 #include <openssl/cipher.h>
31 #include <openssl/crypto.h>
32 #include <openssl/err.h>
33 #include <openssl/hmac.h>
34 #include <openssl/pem.h>
35 #include <openssl/sha.h>
36 #include <openssl/ssl.h>
37 #include <openssl/rand.h>
38 #include <openssl/x509.h>
39
40 #include "internal.h"
41 #include "../crypto/internal.h"
42 #include "../crypto/test/test_util.h"
43
44 #if defined(OPENSSL_WINDOWS)
45 // Windows defines struct timeval in winsock2.h.
46 OPENSSL_MSVC_PRAGMA(warning(push, 3))
47 #include <winsock2.h>
48 OPENSSL_MSVC_PRAGMA(warning(pop))
49 #else
50 #include <sys/time.h>
51 #endif
52
53 #if defined(OPENSSL_THREADS)
54 #include <thread>
55 #endif
56
57
58 BSSL_NAMESPACE_BEGIN
59
60 namespace {
61
62 #define TRACED_CALL(code) \
63 do { \
64 SCOPED_TRACE("<- called from here"); \
65 code; \
66 if (::testing::Test::HasFatalFailure()) { \
67 return; \
68 } \
69 } while (false)
70
71 struct VersionParam {
72 uint16_t version;
73 enum { is_tls, is_dtls } ssl_method;
74 const char name[8];
75 };
76
77 static const size_t kTicketKeyLen = 48;
78
79 static const VersionParam kAllVersions[] = {
80 {TLS1_VERSION, VersionParam::is_tls, "TLS1"},
81 {TLS1_1_VERSION, VersionParam::is_tls, "TLS1_1"},
82 {TLS1_2_VERSION, VersionParam::is_tls, "TLS1_2"},
83 {TLS1_3_VERSION, VersionParam::is_tls, "TLS1_3"},
84 {DTLS1_VERSION, VersionParam::is_dtls, "DTLS1"},
85 {DTLS1_2_VERSION, VersionParam::is_dtls, "DTLS1_2"},
86 };
87
88 struct ExpectedCipher {
89 unsigned long id;
90 int in_group_flag;
91 };
92
93 struct CipherTest {
94 // The rule string to apply.
95 const char *rule;
96 // The list of expected ciphers, in order.
97 std::vector<ExpectedCipher> expected;
98 // True if this cipher list should fail in strict mode.
99 bool strict_fail;
100 };
101
102 struct CurveTest {
103 // The rule string to apply.
104 const char *rule;
105 // The list of expected curves, in order.
106 std::vector<uint16_t> expected;
107 };
108
109 template <typename T>
110 class UnownedSSLExData {
111 public:
UnownedSSLExData()112 UnownedSSLExData() {
113 index_ = SSL_get_ex_new_index(0, nullptr, nullptr, nullptr, nullptr);
114 }
115
Get(const SSL * ssl)116 T *Get(const SSL *ssl) {
117 return index_ < 0 ? nullptr
118 : static_cast<T *>(SSL_get_ex_data(ssl, index_));
119 }
120
Set(SSL * ssl,T * t)121 bool Set(SSL *ssl, T *t) {
122 return index_ >= 0 && SSL_set_ex_data(ssl, index_, t);
123 }
124
125 private:
126 int index_;
127 };
128
129 static const CipherTest kCipherTests[] = {
130 // Selecting individual ciphers should work.
131 {
132 "ECDHE-ECDSA-CHACHA20-POLY1305:"
133 "ECDHE-RSA-CHACHA20-POLY1305:"
134 "ECDHE-ECDSA-AES128-GCM-SHA256:"
135 "ECDHE-RSA-AES128-GCM-SHA256",
136 {
137 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
138 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
139 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
140 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
141 },
142 false,
143 },
144 // + reorders selected ciphers to the end, keeping their relative order.
145 {
146 "ECDHE-ECDSA-CHACHA20-POLY1305:"
147 "ECDHE-RSA-CHACHA20-POLY1305:"
148 "ECDHE-ECDSA-AES128-GCM-SHA256:"
149 "ECDHE-RSA-AES128-GCM-SHA256:"
150 "+aRSA",
151 {
152 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
153 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
154 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
155 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
156 },
157 false,
158 },
159 // ! banishes ciphers from future selections.
160 {
161 "!aRSA:"
162 "ECDHE-ECDSA-CHACHA20-POLY1305:"
163 "ECDHE-RSA-CHACHA20-POLY1305:"
164 "ECDHE-ECDSA-AES128-GCM-SHA256:"
165 "ECDHE-RSA-AES128-GCM-SHA256",
166 {
167 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
168 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
169 },
170 false,
171 },
172 // Multiple masks can be ANDed in a single rule.
173 {
174 "kRSA+AESGCM+AES128",
175 {
176 {TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0},
177 },
178 false,
179 },
180 // - removes selected ciphers, but preserves their order for future
181 // selections. Select AES_128_GCM, but order the key exchanges RSA,
182 // ECDHE_RSA.
183 {
184 "ALL:-kECDHE:"
185 "-kRSA:-ALL:"
186 "AESGCM+AES128+aRSA",
187 {
188 {TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0},
189 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
190 },
191 false,
192 },
193 // Unknown selectors are no-ops, except in strict mode.
194 {
195 "ECDHE-ECDSA-CHACHA20-POLY1305:"
196 "ECDHE-RSA-CHACHA20-POLY1305:"
197 "ECDHE-ECDSA-AES128-GCM-SHA256:"
198 "ECDHE-RSA-AES128-GCM-SHA256:"
199 "BOGUS1",
200 {
201 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
202 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
203 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
204 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
205 },
206 true,
207 },
208 // Unknown selectors are no-ops, except in strict mode.
209 {
210 "ECDHE-ECDSA-CHACHA20-POLY1305:"
211 "ECDHE-RSA-CHACHA20-POLY1305:"
212 "ECDHE-ECDSA-AES128-GCM-SHA256:"
213 "ECDHE-RSA-AES128-GCM-SHA256:"
214 "-BOGUS2:+BOGUS3:!BOGUS4",
215 {
216 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
217 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
218 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
219 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
220 },
221 true,
222 },
223 // Square brackets specify equi-preference groups.
224 {
225 "[ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES128-GCM-SHA256]:"
226 "[ECDHE-RSA-CHACHA20-POLY1305]:"
227 "ECDHE-RSA-AES128-GCM-SHA256",
228 {
229 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 1},
230 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
231 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
232 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
233 },
234 false,
235 },
236 // Standard names may be used instead of OpenSSL names.
237 {
238 "[TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|"
239 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]:"
240 "[TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256]:"
241 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
242 {
243 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 1},
244 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
245 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
246 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
247 },
248 false,
249 },
250 // @STRENGTH performs a stable strength-sort of the selected ciphers and
251 // only the selected ciphers.
252 {
253 // To simplify things, banish all but {ECDHE_RSA,RSA} x
254 // {CHACHA20,AES_256_CBC,AES_128_CBC} x SHA1.
255 "!AESGCM:!3DES:"
256 // Order some ciphers backwards by strength.
257 "ALL:-CHACHA20:-AES256:-AES128:-ALL:"
258 // Select ECDHE ones and sort them by strength. Ties should resolve
259 // based on the order above.
260 "kECDHE:@STRENGTH:-ALL:"
261 // Now bring back everything uses RSA. ECDHE_RSA should be first, sorted
262 // by strength. Then RSA, backwards by strength.
263 "aRSA",
264 {
265 {TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, 0},
266 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
267 {TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, 0},
268 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
269 {TLS1_CK_RSA_WITH_AES_256_SHA, 0},
270 },
271 false,
272 },
273 // Additional masks after @STRENGTH get silently discarded.
274 //
275 // TODO(davidben): Make this an error. If not silently discarded, they get
276 // interpreted as + opcodes which are very different.
277 {
278 "ECDHE-RSA-AES128-GCM-SHA256:"
279 "ECDHE-RSA-AES256-GCM-SHA384:"
280 "@STRENGTH+AES256",
281 {
282 {TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 0},
283 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
284 },
285 false,
286 },
287 {
288 "ECDHE-RSA-AES128-GCM-SHA256:"
289 "ECDHE-RSA-AES256-GCM-SHA384:"
290 "@STRENGTH+AES256:"
291 "ECDHE-RSA-CHACHA20-POLY1305",
292 {
293 {TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 0},
294 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
295 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
296 },
297 false,
298 },
299 // Exact ciphers may not be used in multi-part rules; they are treated
300 // as unknown aliases.
301 {
302 "ECDHE-ECDSA-AES128-GCM-SHA256:"
303 "ECDHE-RSA-AES128-GCM-SHA256:"
304 "!ECDHE-RSA-AES128-GCM-SHA256+RSA:"
305 "!ECDSA+ECDHE-ECDSA-AES128-GCM-SHA256",
306 {
307 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
308 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
309 },
310 true,
311 },
312 // SSLv3 matches everything that existed before TLS 1.2.
313 {
314 "AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256:!SSLv3",
315 {
316 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
317 },
318 false,
319 },
320 // TLSv1.2 matches everything added in TLS 1.2.
321 {
322 "AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256:!TLSv1.2",
323 {
324 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
325 },
326 false,
327 },
328 // The two directives have no intersection. But each component is valid, so
329 // even in strict mode it is accepted.
330 {
331 "AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256:!TLSv1.2+SSLv3",
332 {
333 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
334 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
335 },
336 false,
337 },
338 // Spaces, semi-colons and commas are separators.
339 {
340 "AES128-SHA: ECDHE-RSA-AES128-GCM-SHA256 AES256-SHA ,ECDHE-ECDSA-AES128-GCM-SHA256 ; AES128-GCM-SHA256",
341 {
342 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
343 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
344 {TLS1_CK_RSA_WITH_AES_256_SHA, 0},
345 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
346 {TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0},
347 },
348 // …but not in strict mode.
349 true,
350 },
351 };
352
353 static const char *kBadRules[] = {
354 // Invalid brackets.
355 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256",
356 "RSA]",
357 "[[RSA]]",
358 // Operators inside brackets.
359 "[+RSA]",
360 // Unknown directive.
361 "@BOGUS",
362 // Empty cipher lists error at SSL_CTX_set_cipher_list.
363 "",
364 "BOGUS",
365 // COMPLEMENTOFDEFAULT is empty.
366 "COMPLEMENTOFDEFAULT",
367 // Invalid command.
368 "?BAR",
369 // Special operators are not allowed if groups are used.
370 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:+FOO",
371 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:!FOO",
372 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:-FOO",
373 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:@STRENGTH",
374 // Opcode supplied, but missing selector.
375 "+",
376 // Spaces are forbidden in equal-preference groups.
377 "[AES128-SHA | AES128-SHA256]",
378 };
379
380 static const char *kMustNotIncludeNull[] = {
381 "ALL",
382 "DEFAULT",
383 "HIGH",
384 "FIPS",
385 "SHA",
386 "SHA1",
387 "RSA",
388 "SSLv3",
389 "TLSv1",
390 "TLSv1.2",
391 };
392
393 static const CurveTest kCurveTests[] = {
394 {
395 "P-256",
396 { SSL_CURVE_SECP256R1 },
397 },
398 {
399 "P-256:CECPQ2",
400 { SSL_CURVE_SECP256R1, SSL_CURVE_CECPQ2 },
401 },
402
403 {
404 "P-256:P-384:P-521:X25519",
405 {
406 SSL_CURVE_SECP256R1,
407 SSL_CURVE_SECP384R1,
408 SSL_CURVE_SECP521R1,
409 SSL_CURVE_X25519,
410 },
411 },
412 {
413 "prime256v1:secp384r1:secp521r1:x25519",
414 {
415 SSL_CURVE_SECP256R1,
416 SSL_CURVE_SECP384R1,
417 SSL_CURVE_SECP521R1,
418 SSL_CURVE_X25519,
419 },
420 },
421 };
422
423 static const char *kBadCurvesLists[] = {
424 "",
425 ":",
426 "::",
427 "P-256::X25519",
428 "RSA:P-256",
429 "P-256:RSA",
430 "X25519:P-256:",
431 ":X25519:P-256",
432 };
433
CipherListToString(SSL_CTX * ctx)434 static std::string CipherListToString(SSL_CTX *ctx) {
435 bool in_group = false;
436 std::string ret;
437 const STACK_OF(SSL_CIPHER) *ciphers = SSL_CTX_get_ciphers(ctx);
438 for (size_t i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
439 const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(ciphers, i);
440 if (!in_group && SSL_CTX_cipher_in_group(ctx, i)) {
441 ret += "\t[\n";
442 in_group = true;
443 }
444 ret += "\t";
445 if (in_group) {
446 ret += " ";
447 }
448 ret += SSL_CIPHER_get_name(cipher);
449 ret += "\n";
450 if (in_group && !SSL_CTX_cipher_in_group(ctx, i)) {
451 ret += "\t]\n";
452 in_group = false;
453 }
454 }
455 return ret;
456 }
457
CipherListsEqual(SSL_CTX * ctx,const std::vector<ExpectedCipher> & expected)458 static bool CipherListsEqual(SSL_CTX *ctx,
459 const std::vector<ExpectedCipher> &expected) {
460 const STACK_OF(SSL_CIPHER) *ciphers = SSL_CTX_get_ciphers(ctx);
461 if (sk_SSL_CIPHER_num(ciphers) != expected.size()) {
462 return false;
463 }
464
465 for (size_t i = 0; i < expected.size(); i++) {
466 const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(ciphers, i);
467 if (expected[i].id != SSL_CIPHER_get_id(cipher) ||
468 expected[i].in_group_flag != !!SSL_CTX_cipher_in_group(ctx, i)) {
469 return false;
470 }
471 }
472
473 return true;
474 }
475
TEST(GrowableArrayTest,Resize)476 TEST(GrowableArrayTest, Resize) {
477 GrowableArray<size_t> array;
478 ASSERT_TRUE(array.empty());
479 EXPECT_EQ(array.size(), 0u);
480
481 ASSERT_TRUE(array.Push(42));
482 ASSERT_TRUE(!array.empty());
483 EXPECT_EQ(array.size(), 1u);
484
485 // Force a resize operation to occur
486 for (size_t i = 0; i < 16; i++) {
487 ASSERT_TRUE(array.Push(i + 1));
488 }
489
490 EXPECT_EQ(array.size(), 17u);
491
492 // Verify that expected values are still contained in array
493 for (size_t i = 0; i < array.size(); i++) {
494 EXPECT_EQ(array[i], i == 0 ? 42 : i);
495 }
496 }
497
TEST(GrowableArrayTest,MoveConstructor)498 TEST(GrowableArrayTest, MoveConstructor) {
499 GrowableArray<size_t> array;
500 for (size_t i = 0; i < 100; i++) {
501 ASSERT_TRUE(array.Push(i));
502 }
503
504 GrowableArray<size_t> array_moved(std::move(array));
505 for (size_t i = 0; i < 100; i++) {
506 EXPECT_EQ(array_moved[i], i);
507 }
508 }
509
TEST(GrowableArrayTest,GrowableArrayContainingGrowableArrays)510 TEST(GrowableArrayTest, GrowableArrayContainingGrowableArrays) {
511 // Representative example of a struct that contains a GrowableArray.
512 struct TagAndArray {
513 size_t tag;
514 GrowableArray<size_t> array;
515 };
516
517 GrowableArray<TagAndArray> array;
518 for (size_t i = 0; i < 100; i++) {
519 TagAndArray elem;
520 elem.tag = i;
521 for (size_t j = 0; j < i; j++) {
522 ASSERT_TRUE(elem.array.Push(j));
523 }
524 ASSERT_TRUE(array.Push(std::move(elem)));
525 }
526 EXPECT_EQ(array.size(), static_cast<size_t>(100));
527
528 GrowableArray<TagAndArray> array_moved(std::move(array));
529 EXPECT_EQ(array_moved.size(), static_cast<size_t>(100));
530 size_t count = 0;
531 for (const TagAndArray &elem : array_moved) {
532 // Test the square bracket operator returns the same value as iteration.
533 EXPECT_EQ(&elem, &array_moved[count]);
534
535 EXPECT_EQ(elem.tag, count);
536 EXPECT_EQ(elem.array.size(), count);
537 for (size_t j = 0; j < count; j++) {
538 EXPECT_EQ(elem.array[j], j);
539 }
540 count++;
541 }
542 }
543
TEST(SSLTest,CipherRules)544 TEST(SSLTest, CipherRules) {
545 for (const CipherTest &t : kCipherTests) {
546 SCOPED_TRACE(t.rule);
547 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
548 ASSERT_TRUE(ctx);
549
550 // Test lax mode.
551 ASSERT_TRUE(SSL_CTX_set_cipher_list(ctx.get(), t.rule));
552 EXPECT_TRUE(CipherListsEqual(ctx.get(), t.expected))
553 << "Cipher rule evaluated to:\n"
554 << CipherListToString(ctx.get());
555
556 // Test strict mode.
557 if (t.strict_fail) {
558 EXPECT_FALSE(SSL_CTX_set_strict_cipher_list(ctx.get(), t.rule));
559 } else {
560 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(ctx.get(), t.rule));
561 EXPECT_TRUE(CipherListsEqual(ctx.get(), t.expected))
562 << "Cipher rule evaluated to:\n"
563 << CipherListToString(ctx.get());
564 }
565 }
566
567 for (const char *rule : kBadRules) {
568 SCOPED_TRACE(rule);
569 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
570 ASSERT_TRUE(ctx);
571
572 EXPECT_FALSE(SSL_CTX_set_cipher_list(ctx.get(), rule));
573 ERR_clear_error();
574 }
575
576 for (const char *rule : kMustNotIncludeNull) {
577 SCOPED_TRACE(rule);
578 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
579 ASSERT_TRUE(ctx);
580
581 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(ctx.get(), rule));
582 for (const SSL_CIPHER *cipher : SSL_CTX_get_ciphers(ctx.get())) {
583 EXPECT_NE(NID_undef, SSL_CIPHER_get_cipher_nid(cipher));
584 }
585 }
586 }
587
TEST(SSLTest,CurveRules)588 TEST(SSLTest, CurveRules) {
589 for (const CurveTest &t : kCurveTests) {
590 SCOPED_TRACE(t.rule);
591 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
592 ASSERT_TRUE(ctx);
593
594 ASSERT_TRUE(SSL_CTX_set1_curves_list(ctx.get(), t.rule));
595 ASSERT_EQ(t.expected.size(), ctx->supported_group_list.size());
596 for (size_t i = 0; i < t.expected.size(); i++) {
597 EXPECT_EQ(t.expected[i], ctx->supported_group_list[i]);
598 }
599 }
600
601 for (const char *rule : kBadCurvesLists) {
602 SCOPED_TRACE(rule);
603 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
604 ASSERT_TRUE(ctx);
605
606 EXPECT_FALSE(SSL_CTX_set1_curves_list(ctx.get(), rule));
607 ERR_clear_error();
608 }
609 }
610
611 // kOpenSSLSession is a serialized SSL_SESSION.
612 static const char kOpenSSLSession[] =
613 "MIIFqgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
614 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
615 "IWoJoQYCBFRDO46iBAICASyjggR6MIIEdjCCA16gAwIBAgIIK9dUvsPWSlUwDQYJ"
616 "KoZIhvcNAQEFBQAwSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMx"
617 "JTAjBgNVBAMTHEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTQxMDA4"
618 "MTIwNzU3WhcNMTUwMTA2MDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwK"
619 "Q2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29v"
620 "Z2xlIEluYzEXMBUGA1UEAwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEB"
621 "AQUAA4IBDwAwggEKAoIBAQCcKeLrplAC+Lofy8t/wDwtB6eu72CVp0cJ4V3lknN6"
622 "huH9ct6FFk70oRIh/VBNBBz900jYy+7111Jm1b8iqOTQ9aT5C7SEhNcQFJvqzH3e"
623 "MPkb6ZSWGm1yGF7MCQTGQXF20Sk/O16FSjAynU/b3oJmOctcycWYkY0ytS/k3LBu"
624 "Id45PJaoMqjB0WypqvNeJHC3q5JjCB4RP7Nfx5jjHSrCMhw8lUMW4EaDxjaR9KDh"
625 "PLgjsk+LDIySRSRDaCQGhEOWLJZVLzLo4N6/UlctCHEllpBUSvEOyFga52qroGjg"
626 "rf3WOQ925MFwzd6AK+Ich0gDRg8sQfdLH5OuP1cfLfU1AgMBAAGjggFBMIIBPTAd"
627 "BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdv"
628 "b2dsZS5jb20waAYIKwYBBQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtp"
629 "Lmdvb2dsZS5jb20vR0lBRzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50"
630 "czEuZ29vZ2xlLmNvbS9vY3NwMB0GA1UdDgQWBBQ7a+CcxsZByOpc+xpYFcIbnUMZ"
631 "hTAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEv"
632 "MBcGA1UdIAQQMA4wDAYKKwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRw"
633 "Oi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQCa"
634 "OXCBdoqUy5bxyq+Wrh1zsyyCFim1PH5VU2+yvDSWrgDY8ibRGJmfff3r4Lud5kal"
635 "dKs9k8YlKD3ITG7P0YT/Rk8hLgfEuLcq5cc0xqmE42xJ+Eo2uzq9rYorc5emMCxf"
636 "5L0TJOXZqHQpOEcuptZQ4OjdYMfSxk5UzueUhA3ogZKRcRkdB3WeWRp+nYRhx4St"
637 "o2rt2A0MKmY9165GHUqMK9YaaXHDXqBu7Sefr1uSoAP9gyIJKeihMivsGqJ1TD6Z"
638 "cc6LMe+dN2P8cZEQHtD1y296ul4Mivqk3jatUVL8/hCwgch9A8O4PGZq9WqBfEWm"
639 "IyHh1dPtbg1lOXdYCWtjpAIEAKUDAgEUqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36S"
640 "YTcLEkXqKwOBfF9vE4KX0NxeLwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9B"
641 "sNHM362zZnY27GpTw+Kwd751CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yE"
642 "OTDKPNj3+inbMaVigtK4PLyPq+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdA"
643 "i4gv7Y5oliyntgMBAQA=";
644
645 // kCustomSession is a custom serialized SSL_SESSION generated by
646 // filling in missing fields from |kOpenSSLSession|. This includes
647 // providing |peer_sha256|, so |peer| is not serialized.
648 static const char kCustomSession[] =
649 "MIIBZAIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
650 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
651 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUqAcEBXdvcmxkqQUCAwGJwKqBpwSB"
652 "pBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0NxeLwjcDTpsuh3qXEaZ992r1N38"
653 "VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751CLoXFPoaMOe57dbBpXoro6Pd"
654 "3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyPq+Topyzvx9USFgRvyuoxn0Hg"
655 "b+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYGBgYGBgYGBgYGBgYGBgYGBgYG"
656 "BgYGBgYGBgYGrgMEAQevAwQBBLADBAEF";
657
658 // kBoringSSLSession is a serialized SSL_SESSION generated from bssl client.
659 static const char kBoringSSLSession[] =
660 "MIIRwQIBAQICAwMEAsAvBCDdoGxGK26mR+8lM0uq6+k9xYuxPnwAjpcF9n0Yli9R"
661 "kQQwbyshfWhdi5XQ1++7n2L1qqrcVlmHBPpr6yknT/u4pUrpQB5FZ7vqvNn8MdHf"
662 "9rWgoQYCBFXgs7uiBAICHCCjggR6MIIEdjCCA16gAwIBAgIIf+yfD7Y6UicwDQYJ"
663 "KoZIhvcNAQELBQAwSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMx"
664 "JTAjBgNVBAMTHEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTUwODEy"
665 "MTQ1MzE1WhcNMTUxMTEwMDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwK"
666 "Q2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29v"
667 "Z2xlIEluYzEXMBUGA1UEAwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEB"
668 "AQUAA4IBDwAwggEKAoIBAQC0MeG5YGQ0t+IeJeoneP/PrhEaieibeKYkbKVLNZpo"
669 "PLuBinvhkXZo3DC133NpCBpy6ZktBwamqyixAyuk/NU6OjgXqwwxfQ7di1AInLIU"
670 "792c7hFyNXSUCG7At8Ifi3YwBX9Ba6u/1d6rWTGZJrdCq3QU11RkKYyTq2KT5mce"
671 "Tv9iGKqSkSTlp8puy/9SZ/3DbU3U+BuqCFqeSlz7zjwFmk35acdCilpJlVDDN5C/"
672 "RCh8/UKc8PaL+cxlt531qoTENvYrflBno14YEZlCBZsPiFeUSILpKEj3Ccwhy0eL"
673 "EucWQ72YZU8mUzXBoXGn0zA0crFl5ci/2sTBBGZsylNBAgMBAAGjggFBMIIBPTAd"
674 "BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdv"
675 "b2dsZS5jb20waAYIKwYBBQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtp"
676 "Lmdvb2dsZS5jb20vR0lBRzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50"
677 "czEuZ29vZ2xlLmNvbS9vY3NwMB0GA1UdDgQWBBS/bzHxcE73Q4j3slC4BLbMtLjG"
678 "GjAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEv"
679 "MBcGA1UdIAQQMA4wDAYKKwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRw"
680 "Oi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQAb"
681 "qdWPZEHk0X7iKPCTHL6S3w6q1eR67goxZGFSM1lk1hjwyu7XcLJuvALVV9uY3ovE"
682 "kQZSHwT+pyOPWQhsSjO+1GyjvCvK/CAwiUmBX+bQRGaqHsRcio7xSbdVcajQ3bXd"
683 "X+s0WdbOpn6MStKAiBVloPlSxEI8pxY6x/BBCnTIk/+DMB17uZlOjG3vbAnkDkP+"
684 "n0OTucD9sHV7EVj9XUxi51nOfNBCN/s7lpUjDS/NJ4k3iwOtbCPswiot8vLO779a"
685 "f07vR03r349Iz/KTzk95rlFtX0IU+KYNxFNsanIXZ+C9FYGRXkwhHcvFb4qMUB1y"
686 "TTlM80jBMOwyjZXmjRAhpAIEAKUDAgEUqQUCAwGJwKqBpwSBpOgebbmn9NRUtMWH"
687 "+eJpqA5JLMFSMCChOsvKey3toBaCNGU7HfAEiiXNuuAdCBoK262BjQc2YYfqFzqH"
688 "zuppopXCvhohx7j/tnCNZIMgLYt/O9SXK2RYI5z8FhCCHvB4CbD5G0LGl5EFP27s"
689 "Jb6S3aTTYPkQe8yZSlxevg6NDwmTogLO9F7UUkaYmVcMQhzssEE2ZRYNwSOU6KjE"
690 "0Yj+8fAiBtbQriIEIN2L8ZlpaVrdN5KFNdvcmOxJu81P8q53X55xQyGTnGWwsgMC"
691 "ARezggvvMIIEdjCCA16gAwIBAgIIf+yfD7Y6UicwDQYJKoZIhvcNAQELBQAwSTEL"
692 "MAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2ds"
693 "ZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTUwODEyMTQ1MzE1WhcNMTUxMTEw"
694 "MDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQG"
695 "A1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UE"
696 "AwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB"
697 "AQC0MeG5YGQ0t+IeJeoneP/PrhEaieibeKYkbKVLNZpoPLuBinvhkXZo3DC133Np"
698 "CBpy6ZktBwamqyixAyuk/NU6OjgXqwwxfQ7di1AInLIU792c7hFyNXSUCG7At8If"
699 "i3YwBX9Ba6u/1d6rWTGZJrdCq3QU11RkKYyTq2KT5mceTv9iGKqSkSTlp8puy/9S"
700 "Z/3DbU3U+BuqCFqeSlz7zjwFmk35acdCilpJlVDDN5C/RCh8/UKc8PaL+cxlt531"
701 "qoTENvYrflBno14YEZlCBZsPiFeUSILpKEj3Ccwhy0eLEucWQ72YZU8mUzXBoXGn"
702 "0zA0crFl5ci/2sTBBGZsylNBAgMBAAGjggFBMIIBPTAdBgNVHSUEFjAUBggrBgEF"
703 "BQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYB"
704 "BQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lB"
705 "RzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9v"
706 "Y3NwMB0GA1UdDgQWBBS/bzHxcE73Q4j3slC4BLbMtLjGGjAMBgNVHRMBAf8EAjAA"
707 "MB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMBcGA1UdIAQQMA4wDAYK"
708 "KwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRwOi8vcGtpLmdvb2dsZS5j"
709 "b20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQAbqdWPZEHk0X7iKPCTHL6S"
710 "3w6q1eR67goxZGFSM1lk1hjwyu7XcLJuvALVV9uY3ovEkQZSHwT+pyOPWQhsSjO+"
711 "1GyjvCvK/CAwiUmBX+bQRGaqHsRcio7xSbdVcajQ3bXdX+s0WdbOpn6MStKAiBVl"
712 "oPlSxEI8pxY6x/BBCnTIk/+DMB17uZlOjG3vbAnkDkP+n0OTucD9sHV7EVj9XUxi"
713 "51nOfNBCN/s7lpUjDS/NJ4k3iwOtbCPswiot8vLO779af07vR03r349Iz/KTzk95"
714 "rlFtX0IU+KYNxFNsanIXZ+C9FYGRXkwhHcvFb4qMUB1yTTlM80jBMOwyjZXmjRAh"
715 "MIID8DCCAtigAwIBAgIDAjqDMA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT"
716 "MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i"
717 "YWwgQ0EwHhcNMTMwNDA1MTUxNTU2WhcNMTYxMjMxMjM1OTU5WjBJMQswCQYDVQQG"
718 "EwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVy"
719 "bmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB"
720 "AJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NP"
721 "VaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtv"
722 "h8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rE"
723 "ahqyzFPdFUuLH8gZYR/Nnag+YyuENWllhMgZxUYi+FOVvuOAShDGKuy6lyARxzmZ"
724 "EASg8GF6lSWMTlJ14rbtCMoU/M4iarNOz0YDl5cDfsCx3nuvRTPPuj5xt970JSXC"
725 "DTWJnZ37DhF5iR43xa+OcmkCAwEAAaOB5zCB5DAfBgNVHSMEGDAWgBTAephojYn7"
726 "qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1dvWBtrtiGrpagS8wDgYD"
727 "VR0PAQH/BAQDAgEGMC4GCCsGAQUFBwEBBCIwIDAeBggrBgEFBQcwAYYSaHR0cDov"
728 "L2cuc3ltY2QuY29tMBIGA1UdEwEB/wQIMAYBAf8CAQAwNQYDVR0fBC4wLDAqoCig"
729 "JoYkaHR0cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9iYWwuY3JsMBcGA1UdIAQQ"
730 "MA4wDAYKKwYBBAHWeQIFATANBgkqhkiG9w0BAQsFAAOCAQEAqvqpIM1qZ4PtXtR+"
731 "3h3Ef+AlBgDFJPupyC1tft6dgmUsgWM0Zj7pUsIItMsv91+ZOmqcUHqFBYx90SpI"
732 "hNMJbHzCzTWf84LuUt5oX+QAihcglvcpjZpNy6jehsgNb1aHA30DP9z6eX0hGfnI"
733 "Oi9RdozHQZJxjyXON/hKTAAj78Q1EK7gI4BzfE00LshukNYQHpmEcxpw8u1VDu4X"
734 "Bupn7jLrLN1nBz/2i8Jw3lsA5rsb0zYaImxssDVCbJAJPZPpZAkiDoUGn8JzIdPm"
735 "X4DkjYUiOnMDsWCOrmji9D6X52ASCWg23jrW4kOVWzeBkoEfu43XrVJkFleW2V40"
736 "fsg12DCCA30wggLmoAMCAQICAxK75jANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQG"
737 "EwJVUzEQMA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUg"
738 "Q2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTAyMDUyMTA0MDAwMFoXDTE4MDgyMTA0"
739 "MDAwMFowQjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUdlb1RydXN0IEluYy4xGzAZ"
740 "BgNVBAMTEkdlb1RydXN0IEdsb2JhbCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP"
741 "ADCCAQoCggEBANrMGGMw/fQXIxpWflvfPGw45HG3eJHUvKHYTPioQ7YD6U0hBwiI"
742 "2lgvZjkpvQV4i5046AW3an5xpObEYKaw74DkiSgPniXW7YPzraaRx5jJQhg1FJ2t"
743 "mEaSLk/K8YdDwRaVVy1Q74ktgHpXrfLuX2vSAI25FPgUFTXZwEaje3LIkb/JVSvN"
744 "0Jc+nCZkzN/Ogxlxyk7m1NV7qRnNVd7I7NJeOFPlXE+MLf5QIzb8ZubLjqQ5GQC3"
745 "lQI5kQsO/jgu0R0FmvZNPm8PBx2vLB6PYDni+jZTEznUXiYr2z2oFL0y6xgDKFIE"
746 "ceWrMz3hOLsHNoRinHnqFjD0X8Ar6HFr5PkCAwEAAaOB8DCB7TAfBgNVHSMEGDAW"
747 "gBRI5mj5K9KylddH2CMgEE8zmJCf1DAdBgNVHQ4EFgQUwHqYaI2J+6sFZAwRfap9"
748 "ZbjKzE4wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwOgYDVR0fBDMw"
749 "MTAvoC2gK4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20vY3Jscy9zZWN1cmVjYS5j"
750 "cmwwTgYDVR0gBEcwRTBDBgRVHSAAMDswOQYIKwYBBQUHAgEWLWh0dHBzOi8vd3d3"
751 "Lmdlb3RydXN0LmNvbS9yZXNvdXJjZXMvcmVwb3NpdG9yeTANBgkqhkiG9w0BAQUF"
752 "AAOBgQB24RJuTksWEoYwBrKBCM/wCMfHcX5m7sLt1Dsf//DwyE7WQziwuTB9GNBV"
753 "g6JqyzYRnOhIZqNtf7gT1Ef+i1pcc/yu2RsyGTirlzQUqpbS66McFAhJtrvlke+D"
754 "NusdVm/K2rxzY5Dkf3s+Iss9B+1fOHSc4wNQTqGvmO5h8oQ/Eg==";
755
756 // kBadSessionExtraField is a custom serialized SSL_SESSION generated by replacing
757 // the final (optional) element of |kCustomSession| with tag number 30.
758 static const char kBadSessionExtraField[] =
759 "MIIBdgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
760 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
761 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
762 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
763 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
764 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
765 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
766 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBL4DBAEF";
767
768 // kBadSessionVersion is a custom serialized SSL_SESSION generated by replacing
769 // the version of |kCustomSession| with 2.
770 static const char kBadSessionVersion[] =
771 "MIIBdgIBAgICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
772 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
773 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
774 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
775 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
776 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
777 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
778 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBLADBAEF";
779
780 // kBadSessionTrailingData is a custom serialized SSL_SESSION with trailing data
781 // appended.
782 static const char kBadSessionTrailingData[] =
783 "MIIBdgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
784 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
785 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
786 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
787 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
788 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
789 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
790 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBLADBAEFAAAA";
791
DecodeBase64(std::vector<uint8_t> * out,const char * in)792 static bool DecodeBase64(std::vector<uint8_t> *out, const char *in) {
793 size_t len;
794 if (!EVP_DecodedLength(&len, strlen(in))) {
795 fprintf(stderr, "EVP_DecodedLength failed\n");
796 return false;
797 }
798
799 out->resize(len);
800 if (!EVP_DecodeBase64(out->data(), &len, len, (const uint8_t *)in,
801 strlen(in))) {
802 fprintf(stderr, "EVP_DecodeBase64 failed\n");
803 return false;
804 }
805 out->resize(len);
806 return true;
807 }
808
TEST(SSLTest,SessionEncoding)809 TEST(SSLTest, SessionEncoding) {
810 for (const char *input_b64 : {
811 kOpenSSLSession,
812 kCustomSession,
813 kBoringSSLSession,
814 }) {
815 SCOPED_TRACE(std::string(input_b64));
816 // Decode the input.
817 std::vector<uint8_t> input;
818 ASSERT_TRUE(DecodeBase64(&input, input_b64));
819
820 // Verify the SSL_SESSION decodes.
821 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
822 ASSERT_TRUE(ssl_ctx);
823 bssl::UniquePtr<SSL_SESSION> session(
824 SSL_SESSION_from_bytes(input.data(), input.size(), ssl_ctx.get()));
825 ASSERT_TRUE(session) << "SSL_SESSION_from_bytes failed";
826
827 // Verify the SSL_SESSION encoding round-trips.
828 size_t encoded_len;
829 bssl::UniquePtr<uint8_t> encoded;
830 uint8_t *encoded_raw;
831 ASSERT_TRUE(SSL_SESSION_to_bytes(session.get(), &encoded_raw, &encoded_len))
832 << "SSL_SESSION_to_bytes failed";
833 encoded.reset(encoded_raw);
834 EXPECT_EQ(Bytes(encoded.get(), encoded_len), Bytes(input))
835 << "SSL_SESSION_to_bytes did not round-trip";
836
837 // Verify the SSL_SESSION also decodes with the legacy API.
838 const uint8_t *cptr = input.data();
839 session.reset(d2i_SSL_SESSION(NULL, &cptr, input.size()));
840 ASSERT_TRUE(session) << "d2i_SSL_SESSION failed";
841 EXPECT_EQ(cptr, input.data() + input.size());
842
843 // Verify the SSL_SESSION encoding round-trips via the legacy API.
844 int len = i2d_SSL_SESSION(session.get(), NULL);
845 ASSERT_GT(len, 0) << "i2d_SSL_SESSION failed";
846 ASSERT_EQ(static_cast<size_t>(len), input.size())
847 << "i2d_SSL_SESSION(NULL) returned invalid length";
848
849 encoded.reset((uint8_t *)OPENSSL_malloc(input.size()));
850 ASSERT_TRUE(encoded);
851
852 uint8_t *ptr = encoded.get();
853 len = i2d_SSL_SESSION(session.get(), &ptr);
854 ASSERT_GT(len, 0) << "i2d_SSL_SESSION failed";
855 ASSERT_EQ(static_cast<size_t>(len), input.size())
856 << "i2d_SSL_SESSION(NULL) returned invalid length";
857 ASSERT_EQ(ptr, encoded.get() + input.size())
858 << "i2d_SSL_SESSION did not advance ptr correctly";
859 EXPECT_EQ(Bytes(encoded.get(), encoded_len), Bytes(input))
860 << "SSL_SESSION_to_bytes did not round-trip";
861 }
862
863 for (const char *input_b64 : {
864 kBadSessionExtraField,
865 kBadSessionVersion,
866 kBadSessionTrailingData,
867 }) {
868 SCOPED_TRACE(std::string(input_b64));
869 std::vector<uint8_t> input;
870 ASSERT_TRUE(DecodeBase64(&input, input_b64));
871
872 // Verify that the SSL_SESSION fails to decode.
873 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
874 ASSERT_TRUE(ssl_ctx);
875 bssl::UniquePtr<SSL_SESSION> session(
876 SSL_SESSION_from_bytes(input.data(), input.size(), ssl_ctx.get()));
877 EXPECT_FALSE(session) << "SSL_SESSION_from_bytes unexpectedly succeeded";
878 ERR_clear_error();
879 }
880 }
881
ExpectDefaultVersion(uint16_t min_version,uint16_t max_version,const SSL_METHOD * (* method)(void))882 static void ExpectDefaultVersion(uint16_t min_version, uint16_t max_version,
883 const SSL_METHOD *(*method)(void)) {
884 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method()));
885 ASSERT_TRUE(ctx);
886 EXPECT_EQ(min_version, SSL_CTX_get_min_proto_version(ctx.get()));
887 EXPECT_EQ(max_version, SSL_CTX_get_max_proto_version(ctx.get()));
888 }
889
TEST(SSLTest,DefaultVersion)890 TEST(SSLTest, DefaultVersion) {
891 // TODO(svaldez): Update this when TLS 1.3 is enabled by default.
892 ExpectDefaultVersion(TLS1_VERSION, TLS1_2_VERSION, &TLS_method);
893 ExpectDefaultVersion(TLS1_VERSION, TLS1_VERSION, &TLSv1_method);
894 ExpectDefaultVersion(TLS1_1_VERSION, TLS1_1_VERSION, &TLSv1_1_method);
895 ExpectDefaultVersion(TLS1_2_VERSION, TLS1_2_VERSION, &TLSv1_2_method);
896 ExpectDefaultVersion(DTLS1_VERSION, DTLS1_2_VERSION, &DTLS_method);
897 ExpectDefaultVersion(DTLS1_VERSION, DTLS1_VERSION, &DTLSv1_method);
898 ExpectDefaultVersion(DTLS1_2_VERSION, DTLS1_2_VERSION, &DTLSv1_2_method);
899 }
900
TEST(SSLTest,CipherProperties)901 TEST(SSLTest, CipherProperties) {
902 static const struct {
903 int id;
904 const char *standard_name;
905 int cipher_nid;
906 int digest_nid;
907 int kx_nid;
908 int auth_nid;
909 int prf_nid;
910 } kTests[] = {
911 {
912 SSL3_CK_RSA_DES_192_CBC3_SHA,
913 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
914 NID_des_ede3_cbc,
915 NID_sha1,
916 NID_kx_rsa,
917 NID_auth_rsa,
918 NID_md5_sha1,
919 },
920 {
921 TLS1_CK_RSA_WITH_AES_128_SHA,
922 "TLS_RSA_WITH_AES_128_CBC_SHA",
923 NID_aes_128_cbc,
924 NID_sha1,
925 NID_kx_rsa,
926 NID_auth_rsa,
927 NID_md5_sha1,
928 },
929 {
930 TLS1_CK_PSK_WITH_AES_256_CBC_SHA,
931 "TLS_PSK_WITH_AES_256_CBC_SHA",
932 NID_aes_256_cbc,
933 NID_sha1,
934 NID_kx_psk,
935 NID_auth_psk,
936 NID_md5_sha1,
937 },
938 {
939 TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
940 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
941 NID_aes_128_cbc,
942 NID_sha1,
943 NID_kx_ecdhe,
944 NID_auth_rsa,
945 NID_md5_sha1,
946 },
947 {
948 TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
949 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
950 NID_aes_256_cbc,
951 NID_sha1,
952 NID_kx_ecdhe,
953 NID_auth_rsa,
954 NID_md5_sha1,
955 },
956 {
957 TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
958 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
959 NID_aes_128_gcm,
960 NID_undef,
961 NID_kx_ecdhe,
962 NID_auth_rsa,
963 NID_sha256,
964 },
965 {
966 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
967 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
968 NID_aes_128_gcm,
969 NID_undef,
970 NID_kx_ecdhe,
971 NID_auth_ecdsa,
972 NID_sha256,
973 },
974 {
975 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
976 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
977 NID_aes_256_gcm,
978 NID_undef,
979 NID_kx_ecdhe,
980 NID_auth_ecdsa,
981 NID_sha384,
982 },
983 {
984 TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA,
985 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
986 NID_aes_128_cbc,
987 NID_sha1,
988 NID_kx_ecdhe,
989 NID_auth_psk,
990 NID_md5_sha1,
991 },
992 {
993 TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
994 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
995 NID_chacha20_poly1305,
996 NID_undef,
997 NID_kx_ecdhe,
998 NID_auth_rsa,
999 NID_sha256,
1000 },
1001 {
1002 TLS1_CK_AES_256_GCM_SHA384,
1003 "TLS_AES_256_GCM_SHA384",
1004 NID_aes_256_gcm,
1005 NID_undef,
1006 NID_kx_any,
1007 NID_auth_any,
1008 NID_sha384,
1009 },
1010 {
1011 TLS1_CK_AES_128_GCM_SHA256,
1012 "TLS_AES_128_GCM_SHA256",
1013 NID_aes_128_gcm,
1014 NID_undef,
1015 NID_kx_any,
1016 NID_auth_any,
1017 NID_sha256,
1018 },
1019 {
1020 TLS1_CK_CHACHA20_POLY1305_SHA256,
1021 "TLS_CHACHA20_POLY1305_SHA256",
1022 NID_chacha20_poly1305,
1023 NID_undef,
1024 NID_kx_any,
1025 NID_auth_any,
1026 NID_sha256,
1027 },
1028 };
1029
1030 for (const auto &t : kTests) {
1031 SCOPED_TRACE(t.standard_name);
1032
1033 const SSL_CIPHER *cipher = SSL_get_cipher_by_value(t.id & 0xffff);
1034 ASSERT_TRUE(cipher);
1035 EXPECT_STREQ(t.standard_name, SSL_CIPHER_standard_name(cipher));
1036
1037 bssl::UniquePtr<char> rfc_name(SSL_CIPHER_get_rfc_name(cipher));
1038 ASSERT_TRUE(rfc_name);
1039 EXPECT_STREQ(t.standard_name, rfc_name.get());
1040
1041 EXPECT_EQ(t.cipher_nid, SSL_CIPHER_get_cipher_nid(cipher));
1042 EXPECT_EQ(t.digest_nid, SSL_CIPHER_get_digest_nid(cipher));
1043 EXPECT_EQ(t.kx_nid, SSL_CIPHER_get_kx_nid(cipher));
1044 EXPECT_EQ(t.auth_nid, SSL_CIPHER_get_auth_nid(cipher));
1045 EXPECT_EQ(t.prf_nid, SSL_CIPHER_get_prf_nid(cipher));
1046 }
1047 }
1048
1049 // CreateSessionWithTicket returns a sample |SSL_SESSION| with the specified
1050 // version and ticket length or nullptr on failure.
CreateSessionWithTicket(uint16_t version,size_t ticket_len)1051 static bssl::UniquePtr<SSL_SESSION> CreateSessionWithTicket(uint16_t version,
1052 size_t ticket_len) {
1053 std::vector<uint8_t> der;
1054 if (!DecodeBase64(&der, kOpenSSLSession)) {
1055 return nullptr;
1056 }
1057
1058 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
1059 if (!ssl_ctx) {
1060 return nullptr;
1061 }
1062 // Use a garbage ticket.
1063 std::vector<uint8_t> ticket(ticket_len, 'a');
1064 bssl::UniquePtr<SSL_SESSION> session(
1065 SSL_SESSION_from_bytes(der.data(), der.size(), ssl_ctx.get()));
1066 if (!session ||
1067 !SSL_SESSION_set_protocol_version(session.get(), version) ||
1068 !SSL_SESSION_set_ticket(session.get(), ticket.data(), ticket.size())) {
1069 return nullptr;
1070 }
1071 // Fix up the timeout.
1072 #if defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE)
1073 SSL_SESSION_set_time(session.get(), 1234);
1074 #else
1075 SSL_SESSION_set_time(session.get(), time(nullptr));
1076 #endif
1077 return session;
1078 }
1079
GetClientHello(SSL * ssl,std::vector<uint8_t> * out)1080 static bool GetClientHello(SSL *ssl, std::vector<uint8_t> *out) {
1081 bssl::UniquePtr<BIO> bio(BIO_new(BIO_s_mem()));
1082 if (!bio) {
1083 return false;
1084 }
1085 // Do not configure a reading BIO, but record what's written to a memory BIO.
1086 BIO_up_ref(bio.get());
1087 SSL_set_bio(ssl, nullptr /* rbio */, bio.get());
1088 int ret = SSL_connect(ssl);
1089 if (ret > 0) {
1090 // SSL_connect should fail without a BIO to write to.
1091 return false;
1092 }
1093 ERR_clear_error();
1094
1095 const uint8_t *client_hello;
1096 size_t client_hello_len;
1097 if (!BIO_mem_contents(bio.get(), &client_hello, &client_hello_len)) {
1098 return false;
1099 }
1100 *out = std::vector<uint8_t>(client_hello, client_hello + client_hello_len);
1101 return true;
1102 }
1103
1104 // GetClientHelloLen creates a client SSL connection with the specified version
1105 // and ticket length. It returns the length of the ClientHello, not including
1106 // the record header, on success and zero on error.
GetClientHelloLen(uint16_t max_version,uint16_t session_version,size_t ticket_len)1107 static size_t GetClientHelloLen(uint16_t max_version, uint16_t session_version,
1108 size_t ticket_len) {
1109 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
1110 bssl::UniquePtr<SSL_SESSION> session =
1111 CreateSessionWithTicket(session_version, ticket_len);
1112 if (!ctx || !session) {
1113 return 0;
1114 }
1115
1116 // Set a one-element cipher list so the baseline ClientHello is unpadded.
1117 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
1118 if (!ssl || !SSL_set_session(ssl.get(), session.get()) ||
1119 !SSL_set_strict_cipher_list(ssl.get(), "ECDHE-RSA-AES128-GCM-SHA256") ||
1120 !SSL_set_max_proto_version(ssl.get(), max_version)) {
1121 return 0;
1122 }
1123
1124 std::vector<uint8_t> client_hello;
1125 if (!GetClientHello(ssl.get(), &client_hello) ||
1126 client_hello.size() <= SSL3_RT_HEADER_LENGTH) {
1127 return 0;
1128 }
1129
1130 return client_hello.size() - SSL3_RT_HEADER_LENGTH;
1131 }
1132
TEST(SSLTest,Padding)1133 TEST(SSLTest, Padding) {
1134 struct PaddingVersions {
1135 uint16_t max_version, session_version;
1136 };
1137 static const PaddingVersions kPaddingVersions[] = {
1138 // Test the padding extension at TLS 1.2.
1139 {TLS1_2_VERSION, TLS1_2_VERSION},
1140 // Test the padding extension at TLS 1.3 with a TLS 1.2 session, so there
1141 // will be no PSK binder after the padding extension.
1142 {TLS1_3_VERSION, TLS1_2_VERSION},
1143 // Test the padding extension at TLS 1.3 with a TLS 1.3 session, so there
1144 // will be a PSK binder after the padding extension.
1145 {TLS1_3_VERSION, TLS1_3_VERSION},
1146
1147 };
1148
1149 struct PaddingTest {
1150 size_t input_len, padded_len;
1151 };
1152 static const PaddingTest kPaddingTests[] = {
1153 // ClientHellos of length below 0x100 do not require padding.
1154 {0xfe, 0xfe},
1155 {0xff, 0xff},
1156 // ClientHellos of length 0x100 through 0x1fb are padded up to 0x200.
1157 {0x100, 0x200},
1158 {0x123, 0x200},
1159 {0x1fb, 0x200},
1160 // ClientHellos of length 0x1fc through 0x1ff get padded beyond 0x200. The
1161 // padding extension takes a minimum of four bytes plus one required
1162 // content
1163 // byte. (To work around yet more server bugs, we avoid empty final
1164 // extensions.)
1165 {0x1fc, 0x201},
1166 {0x1fd, 0x202},
1167 {0x1fe, 0x203},
1168 {0x1ff, 0x204},
1169 // Finally, larger ClientHellos need no padding.
1170 {0x200, 0x200},
1171 {0x201, 0x201},
1172 };
1173
1174 for (const PaddingVersions &versions : kPaddingVersions) {
1175 SCOPED_TRACE(versions.max_version);
1176 SCOPED_TRACE(versions.session_version);
1177
1178 // Sample a baseline length.
1179 size_t base_len =
1180 GetClientHelloLen(versions.max_version, versions.session_version, 1);
1181 ASSERT_NE(base_len, 0u) << "Baseline length could not be sampled";
1182
1183 for (const PaddingTest &test : kPaddingTests) {
1184 SCOPED_TRACE(test.input_len);
1185 ASSERT_LE(base_len, test.input_len) << "Baseline ClientHello too long";
1186
1187 size_t padded_len =
1188 GetClientHelloLen(versions.max_version, versions.session_version,
1189 1 + test.input_len - base_len);
1190 EXPECT_EQ(padded_len, test.padded_len)
1191 << "ClientHello was not padded to expected length";
1192 }
1193 }
1194 }
1195
GetTestCertificate()1196 static bssl::UniquePtr<X509> GetTestCertificate() {
1197 static const char kCertPEM[] =
1198 "-----BEGIN CERTIFICATE-----\n"
1199 "MIICWDCCAcGgAwIBAgIJAPuwTC6rEJsMMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV\n"
1200 "BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX\n"
1201 "aWRnaXRzIFB0eSBMdGQwHhcNMTQwNDIzMjA1MDQwWhcNMTcwNDIyMjA1MDQwWjBF\n"
1202 "MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50\n"
1203 "ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\n"
1204 "gQDYK8imMuRi/03z0K1Zi0WnvfFHvwlYeyK9Na6XJYaUoIDAtB92kWdGMdAQhLci\n"
1205 "HnAjkXLI6W15OoV3gA/ElRZ1xUpxTMhjP6PyY5wqT5r6y8FxbiiFKKAnHmUcrgfV\n"
1206 "W28tQ+0rkLGMryRtrukXOgXBv7gcrmU7G1jC2a7WqmeI8QIDAQABo1AwTjAdBgNV\n"
1207 "HQ4EFgQUi3XVrMsIvg4fZbf6Vr5sp3Xaha8wHwYDVR0jBBgwFoAUi3XVrMsIvg4f\n"
1208 "Zbf6Vr5sp3Xaha8wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQA76Hht\n"
1209 "ldY9avcTGSwbwoiuIqv0jTL1fHFnzy3RHMLDh+Lpvolc5DSrSJHCP5WuK0eeJXhr\n"
1210 "T5oQpHL9z/cCDLAKCKRa4uV0fhEdOWBqyR9p8y5jJtye72t6CuFUV5iqcpF4BH4f\n"
1211 "j2VNHwsSrJwkD4QUGlUtH7vwnQmyCFxZMmWAJg==\n"
1212 "-----END CERTIFICATE-----\n";
1213 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(kCertPEM, strlen(kCertPEM)));
1214 return bssl::UniquePtr<X509>(
1215 PEM_read_bio_X509(bio.get(), nullptr, nullptr, nullptr));
1216 }
1217
GetTestKey()1218 static bssl::UniquePtr<EVP_PKEY> GetTestKey() {
1219 static const char kKeyPEM[] =
1220 "-----BEGIN RSA PRIVATE KEY-----\n"
1221 "MIICXgIBAAKBgQDYK8imMuRi/03z0K1Zi0WnvfFHvwlYeyK9Na6XJYaUoIDAtB92\n"
1222 "kWdGMdAQhLciHnAjkXLI6W15OoV3gA/ElRZ1xUpxTMhjP6PyY5wqT5r6y8FxbiiF\n"
1223 "KKAnHmUcrgfVW28tQ+0rkLGMryRtrukXOgXBv7gcrmU7G1jC2a7WqmeI8QIDAQAB\n"
1224 "AoGBAIBy09Fd4DOq/Ijp8HeKuCMKTHqTW1xGHshLQ6jwVV2vWZIn9aIgmDsvkjCe\n"
1225 "i6ssZvnbjVcwzSoByhjN8ZCf/i15HECWDFFh6gt0P5z0MnChwzZmvatV/FXCT0j+\n"
1226 "WmGNB/gkehKjGXLLcjTb6dRYVJSCZhVuOLLcbWIV10gggJQBAkEA8S8sGe4ezyyZ\n"
1227 "m4e9r95g6s43kPqtj5rewTsUxt+2n4eVodD+ZUlCULWVNAFLkYRTBCASlSrm9Xhj\n"
1228 "QpmWAHJUkQJBAOVzQdFUaewLtdOJoPCtpYoY1zd22eae8TQEmpGOR11L6kbxLQsk\n"
1229 "aMly/DOnOaa82tqAGTdqDEZgSNmCeKKknmECQAvpnY8GUOVAubGR6c+W90iBuQLj\n"
1230 "LtFp/9ihd2w/PoDwrHZaoUYVcT4VSfJQog/k7kjE4MYXYWL8eEKg3WTWQNECQQDk\n"
1231 "104Wi91Umd1PzF0ijd2jXOERJU1wEKe6XLkYYNHWQAe5l4J4MWj9OdxFXAxIuuR/\n"
1232 "tfDwbqkta4xcux67//khAkEAvvRXLHTaa6VFzTaiiO8SaFsHV3lQyXOtMrBpB5jd\n"
1233 "moZWgjHvB2W9Ckn7sDqsPB+U2tyX0joDdQEyuiMECDY8oQ==\n"
1234 "-----END RSA PRIVATE KEY-----\n";
1235 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(kKeyPEM, strlen(kKeyPEM)));
1236 return bssl::UniquePtr<EVP_PKEY>(
1237 PEM_read_bio_PrivateKey(bio.get(), nullptr, nullptr, nullptr));
1238 }
1239
GetECDSATestCertificate()1240 static bssl::UniquePtr<X509> GetECDSATestCertificate() {
1241 static const char kCertPEM[] =
1242 "-----BEGIN CERTIFICATE-----\n"
1243 "MIIBzzCCAXagAwIBAgIJANlMBNpJfb/rMAkGByqGSM49BAEwRTELMAkGA1UEBhMC\n"
1244 "QVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdp\n"
1245 "dHMgUHR5IEx0ZDAeFw0xNDA0MjMyMzIxNTdaFw0xNDA1MjMyMzIxNTdaMEUxCzAJ\n"
1246 "BgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5l\n"
1247 "dCBXaWRnaXRzIFB0eSBMdGQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATmK2ni\n"
1248 "v2Wfl74vHg2UikzVl2u3qR4NRvvdqakendy6WgHn1peoChj5w8SjHlbifINI2xYa\n"
1249 "HPUdfvGULUvPciLBo1AwTjAdBgNVHQ4EFgQUq4TSrKuV8IJOFngHVVdf5CaNgtEw\n"
1250 "HwYDVR0jBBgwFoAUq4TSrKuV8IJOFngHVVdf5CaNgtEwDAYDVR0TBAUwAwEB/zAJ\n"
1251 "BgcqhkjOPQQBA0gAMEUCIQDyoDVeUTo2w4J5m+4nUIWOcAZ0lVfSKXQA9L4Vh13E\n"
1252 "BwIgfB55FGohg/B6dGh5XxSZmmi08cueFV7mHzJSYV51yRQ=\n"
1253 "-----END CERTIFICATE-----\n";
1254 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(kCertPEM, strlen(kCertPEM)));
1255 return bssl::UniquePtr<X509>(PEM_read_bio_X509(bio.get(), nullptr, nullptr, nullptr));
1256 }
1257
GetECDSATestKey()1258 static bssl::UniquePtr<EVP_PKEY> GetECDSATestKey() {
1259 static const char kKeyPEM[] =
1260 "-----BEGIN PRIVATE KEY-----\n"
1261 "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgBw8IcnrUoEqc3VnJ\n"
1262 "TYlodwi1b8ldMHcO6NHJzgqLtGqhRANCAATmK2niv2Wfl74vHg2UikzVl2u3qR4N\n"
1263 "Rvvdqakendy6WgHn1peoChj5w8SjHlbifINI2xYaHPUdfvGULUvPciLB\n"
1264 "-----END PRIVATE KEY-----\n";
1265 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(kKeyPEM, strlen(kKeyPEM)));
1266 return bssl::UniquePtr<EVP_PKEY>(
1267 PEM_read_bio_PrivateKey(bio.get(), nullptr, nullptr, nullptr));
1268 }
1269
BufferFromPEM(const char * pem)1270 static bssl::UniquePtr<CRYPTO_BUFFER> BufferFromPEM(const char *pem) {
1271 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(pem, strlen(pem)));
1272 char *name, *header;
1273 uint8_t *data;
1274 long data_len;
1275 if (!PEM_read_bio(bio.get(), &name, &header, &data,
1276 &data_len)) {
1277 return nullptr;
1278 }
1279 OPENSSL_free(name);
1280 OPENSSL_free(header);
1281
1282 auto ret = bssl::UniquePtr<CRYPTO_BUFFER>(
1283 CRYPTO_BUFFER_new(data, data_len, nullptr));
1284 OPENSSL_free(data);
1285 return ret;
1286 }
1287
GetChainTestCertificateBuffer()1288 static bssl::UniquePtr<CRYPTO_BUFFER> GetChainTestCertificateBuffer() {
1289 static const char kCertPEM[] =
1290 "-----BEGIN CERTIFICATE-----\n"
1291 "MIIC0jCCAbqgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEQiBD\n"
1292 "QTAeFw0xNjAyMjgyMDI3MDNaFw0yNjAyMjUyMDI3MDNaMBgxFjAUBgNVBAMMDUNs\n"
1293 "aWVudCBDZXJ0IEEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDRvaz8\n"
1294 "CC/cshpCafJo4jLkHEoBqDLhdgFelJoAiQUyIqyWl2O7YHPnpJH+TgR7oelzNzt/\n"
1295 "kLRcH89M/TszB6zqyLTC4aqmvzKL0peD/jL2LWBucR0WXIvjA3zoRuF/x86+rYH3\n"
1296 "tHb+xs2PSs8EGL/Ev+ss+qTzTGEn26fuGNHkNw6tOwPpc+o8+wUtzf/kAthamo+c\n"
1297 "IDs2rQ+lP7+aLZTLeU/q4gcLutlzcK5imex5xy2jPkweq48kijK0kIzl1cPlA5d1\n"
1298 "z7C8jU50Pj9X9sQDJTN32j7UYRisJeeYQF8GaaN8SbrDI6zHgKzrRLyxDt/KQa9V\n"
1299 "iLeXANgZi+Xx9KgfAgMBAAGjLzAtMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYI\n"
1300 "KwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQBFEVbmYl+2RtNw\n"
1301 "rDftRDF1v2QUbcN2ouSnQDHxeDQdSgasLzT3ui8iYu0Rw2WWcZ0DV5e0ztGPhWq7\n"
1302 "AO0B120aFRMOY+4+bzu9Q2FFkQqc7/fKTvTDzIJI5wrMnFvUfzzvxh3OHWMYSs/w\n"
1303 "giq33hTKeHEq6Jyk3btCny0Ycecyc3yGXH10sizUfiHlhviCkDuESk8mFDwDDzqW\n"
1304 "ZF0IipzFbEDHoIxLlm3GQxpiLoEV4k8KYJp3R5KBLFyxM6UGPz8h72mIPCJp2RuK\n"
1305 "MYgF91UDvVzvnYm6TfseM2+ewKirC00GOrZ7rEcFvtxnKSqYf4ckqfNdSU1Y+RRC\n"
1306 "1ngWZ7Ih\n"
1307 "-----END CERTIFICATE-----\n";
1308 return BufferFromPEM(kCertPEM);
1309 }
1310
X509FromBuffer(bssl::UniquePtr<CRYPTO_BUFFER> buffer)1311 static bssl::UniquePtr<X509> X509FromBuffer(
1312 bssl::UniquePtr<CRYPTO_BUFFER> buffer) {
1313 if (!buffer) {
1314 return nullptr;
1315 }
1316 const uint8_t *derp = CRYPTO_BUFFER_data(buffer.get());
1317 return bssl::UniquePtr<X509>(
1318 d2i_X509(NULL, &derp, CRYPTO_BUFFER_len(buffer.get())));
1319 }
1320
GetChainTestCertificate()1321 static bssl::UniquePtr<X509> GetChainTestCertificate() {
1322 return X509FromBuffer(GetChainTestCertificateBuffer());
1323 }
1324
GetChainTestIntermediateBuffer()1325 static bssl::UniquePtr<CRYPTO_BUFFER> GetChainTestIntermediateBuffer() {
1326 static const char kCertPEM[] =
1327 "-----BEGIN CERTIFICATE-----\n"
1328 "MIICwjCCAaqgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwFDESMBAGA1UEAwwJQyBS\n"
1329 "b290IENBMB4XDTE2MDIyODIwMjcwM1oXDTI2MDIyNTIwMjcwM1owDzENMAsGA1UE\n"
1330 "AwwEQiBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALsSCYmDip2D\n"
1331 "GkjFxw7ykz26JSjELkl6ArlYjFJ3aT/SCh8qbS4gln7RH8CPBd78oFdfhIKQrwtZ\n"
1332 "3/q21ykD9BAS3qHe2YdcJfm8/kWAy5DvXk6NXU4qX334KofBAEpgdA/igEFq1P1l\n"
1333 "HAuIfZCpMRfT+i5WohVsGi8f/NgpRvVaMONLNfgw57mz1lbtFeBEISmX0kbsuJxF\n"
1334 "Qj/Bwhi5/0HAEXG8e7zN4cEx0yPRvmOATRdVb/8dW2pwOHRJq9R5M0NUkIsTSnL7\n"
1335 "6N/z8hRAHMsV3IudC5Yd7GXW1AGu9a+iKU+Q4xcZCoj0DC99tL4VKujrV1kAeqsM\n"
1336 "cz5/dKzi6+cCAwEAAaMjMCEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
1337 "AQYwDQYJKoZIhvcNAQELBQADggEBAIIeZiEeNhWWQ8Y4D+AGDwqUUeG8NjCbKrXQ\n"
1338 "BlHg5wZ8xftFaiP1Dp/UAezmx2LNazdmuwrYB8lm3FVTyaPDTKEGIPS4wJKHgqH1\n"
1339 "QPDhqNm85ey7TEtI9oYjsNim/Rb+iGkIAMXaxt58SzxbjvP0kMr1JfJIZbic9vye\n"
1340 "NwIspMFIpP3FB8ywyu0T0hWtCQgL4J47nigCHpOu58deP88fS/Nyz/fyGVWOZ76b\n"
1341 "WhWwgM3P3X95fQ3d7oFPR/bVh0YV+Cf861INwplokXgXQ3/TCQ+HNXeAMWn3JLWv\n"
1342 "XFwk8owk9dq/kQGdndGgy3KTEW4ctPX5GNhf3LJ9Q7dLji4ReQ4=\n"
1343 "-----END CERTIFICATE-----\n";
1344 return BufferFromPEM(kCertPEM);
1345 }
1346
GetChainTestIntermediate()1347 static bssl::UniquePtr<X509> GetChainTestIntermediate() {
1348 return X509FromBuffer(GetChainTestIntermediateBuffer());
1349 }
1350
GetChainTestKey()1351 static bssl::UniquePtr<EVP_PKEY> GetChainTestKey() {
1352 static const char kKeyPEM[] =
1353 "-----BEGIN PRIVATE KEY-----\n"
1354 "MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDRvaz8CC/cshpC\n"
1355 "afJo4jLkHEoBqDLhdgFelJoAiQUyIqyWl2O7YHPnpJH+TgR7oelzNzt/kLRcH89M\n"
1356 "/TszB6zqyLTC4aqmvzKL0peD/jL2LWBucR0WXIvjA3zoRuF/x86+rYH3tHb+xs2P\n"
1357 "Ss8EGL/Ev+ss+qTzTGEn26fuGNHkNw6tOwPpc+o8+wUtzf/kAthamo+cIDs2rQ+l\n"
1358 "P7+aLZTLeU/q4gcLutlzcK5imex5xy2jPkweq48kijK0kIzl1cPlA5d1z7C8jU50\n"
1359 "Pj9X9sQDJTN32j7UYRisJeeYQF8GaaN8SbrDI6zHgKzrRLyxDt/KQa9ViLeXANgZ\n"
1360 "i+Xx9KgfAgMBAAECggEBAK0VjSJzkyPaamcyTVSWjo7GdaBGcK60lk657RjR+lK0\n"
1361 "YJ7pkej4oM2hdsVZFsP8Cs4E33nXLa/0pDsRov/qrp0WQm2skwqGMC1I/bZ0WRPk\n"
1362 "wHaDrBBfESWnJDX/AGpVtlyOjPmgmK6J2usMPihQUDkKdAYrVWJePrMIxt1q6BMe\n"
1363 "iczs3qriMmtY3bUc4UyUwJ5fhDLjshHvfuIpYQyI6EXZM6dZksn9LylXJnigY6QJ\n"
1364 "HxOYO0BDwOsZ8yQ8J8afLk88i0GizEkgE1z3REtQUwgWfxr1WV/ud+T6/ZhSAgH9\n"
1365 "042mQvSFZnIUSEsmCvjhWuAunfxHKCTcAoYISWfzWpkCgYEA7gpf3HHU5Tn+CgUn\n"
1366 "1X5uGpG3DmcMgfeGgs2r2f/IIg/5Ac1dfYILiybL1tN9zbyLCJfcbFpWBc9hJL6f\n"
1367 "CPc5hUiwWFJqBJewxQkC1Ae/HakHbip+IZ+Jr0842O4BAArvixk4Lb7/N2Ct9sTE\n"
1368 "NJO6RtK9lbEZ5uK61DglHy8CS2UCgYEA4ZC1o36kPAMQBggajgnucb2yuUEelk0f\n"
1369 "AEr+GI32MGE+93xMr7rAhBoqLg4AITyIfEnOSQ5HwagnIHonBbv1LV/Gf9ursx8Z\n"
1370 "YOGbvT8zzzC+SU1bkDzdjAYnFQVGIjMtKOBJ3K07++ypwX1fr4QsQ8uKL8WSOWwt\n"
1371 "Z3Bym6XiZzMCgYADnhy+2OwHX85AkLt+PyGlPbmuelpyTzS4IDAQbBa6jcuW/2wA\n"
1372 "UE2km75VUXmD+u2R/9zVuLm99NzhFhSMqlUxdV1YukfqMfP5yp1EY6m/5aW7QuIP\n"
1373 "2MDa7TVL9rIFMiVZ09RKvbBbQxjhuzPQKL6X/PPspnhiTefQ+dl2k9xREQKBgHDS\n"
1374 "fMfGNEeAEKezrfSVqxphE9/tXms3L+ZpnCaT+yu/uEr5dTIAawKoQ6i9f/sf1/Sy\n"
1375 "xedsqR+IB+oKrzIDDWMgoJybN4pkZ8E5lzhVQIjFjKgFdWLzzqyW9z1gYfABQPlN\n"
1376 "FiS20WX0vgP1vcKAjdNrHzc9zyHBpgQzDmAj3NZZAoGBAI8vKCKdH7w3aL5CNkZQ\n"
1377 "2buIeWNA2HZazVwAGG5F2TU/LmXfRKnG6dX5bkU+AkBZh56jNZy//hfFSewJB4Kk\n"
1378 "buB7ERSdaNbO21zXt9FEA3+z0RfMd/Zv2vlIWOSB5nzl/7UKti3sribK6s9ZVLfi\n"
1379 "SxpiPQ8d/hmSGwn4ksrWUsJD\n"
1380 "-----END PRIVATE KEY-----\n";
1381 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(kKeyPEM, strlen(kKeyPEM)));
1382 return bssl::UniquePtr<EVP_PKEY>(
1383 PEM_read_bio_PrivateKey(bio.get(), nullptr, nullptr, nullptr));
1384 }
1385
1386 // Test that |SSL_get_client_CA_list| echoes back the configured parameter even
1387 // before configuring as a server.
TEST(SSLTest,ClientCAList)1388 TEST(SSLTest, ClientCAList) {
1389 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
1390 ASSERT_TRUE(ctx);
1391 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
1392 ASSERT_TRUE(ssl);
1393
1394 bssl::UniquePtr<X509_NAME> name(X509_NAME_new());
1395 ASSERT_TRUE(name);
1396
1397 bssl::UniquePtr<X509_NAME> name_dup(X509_NAME_dup(name.get()));
1398 ASSERT_TRUE(name_dup);
1399
1400 bssl::UniquePtr<STACK_OF(X509_NAME)> stack(sk_X509_NAME_new_null());
1401 ASSERT_TRUE(stack);
1402 ASSERT_TRUE(PushToStack(stack.get(), std::move(name_dup)));
1403
1404 // |SSL_set_client_CA_list| takes ownership.
1405 SSL_set_client_CA_list(ssl.get(), stack.release());
1406
1407 STACK_OF(X509_NAME) *result = SSL_get_client_CA_list(ssl.get());
1408 ASSERT_TRUE(result);
1409 ASSERT_EQ(1u, sk_X509_NAME_num(result));
1410 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(result, 0), name.get()));
1411 }
1412
TEST(SSLTest,AddClientCA)1413 TEST(SSLTest, AddClientCA) {
1414 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
1415 ASSERT_TRUE(ctx);
1416 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
1417 ASSERT_TRUE(ssl);
1418
1419 bssl::UniquePtr<X509> cert1 = GetTestCertificate();
1420 bssl::UniquePtr<X509> cert2 = GetChainTestCertificate();
1421 ASSERT_TRUE(cert1 && cert2);
1422 X509_NAME *name1 = X509_get_subject_name(cert1.get());
1423 X509_NAME *name2 = X509_get_subject_name(cert2.get());
1424
1425 EXPECT_EQ(0u, sk_X509_NAME_num(SSL_get_client_CA_list(ssl.get())));
1426
1427 ASSERT_TRUE(SSL_add_client_CA(ssl.get(), cert1.get()));
1428 ASSERT_TRUE(SSL_add_client_CA(ssl.get(), cert2.get()));
1429
1430 STACK_OF(X509_NAME) *list = SSL_get_client_CA_list(ssl.get());
1431 ASSERT_EQ(2u, sk_X509_NAME_num(list));
1432 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 0), name1));
1433 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 1), name2));
1434
1435 ASSERT_TRUE(SSL_add_client_CA(ssl.get(), cert1.get()));
1436
1437 list = SSL_get_client_CA_list(ssl.get());
1438 ASSERT_EQ(3u, sk_X509_NAME_num(list));
1439 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 0), name1));
1440 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 1), name2));
1441 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 2), name1));
1442 }
1443
AppendSession(SSL_SESSION * session,void * arg)1444 static void AppendSession(SSL_SESSION *session, void *arg) {
1445 std::vector<SSL_SESSION*> *out =
1446 reinterpret_cast<std::vector<SSL_SESSION*>*>(arg);
1447 out->push_back(session);
1448 }
1449
1450 // CacheEquals returns true if |ctx|'s session cache consists of |expected|, in
1451 // order.
CacheEquals(SSL_CTX * ctx,const std::vector<SSL_SESSION * > & expected)1452 static bool CacheEquals(SSL_CTX *ctx,
1453 const std::vector<SSL_SESSION*> &expected) {
1454 // Check the linked list.
1455 SSL_SESSION *ptr = ctx->session_cache_head;
1456 for (SSL_SESSION *session : expected) {
1457 if (ptr != session) {
1458 return false;
1459 }
1460 // TODO(davidben): This is an absurd way to denote the end of the list.
1461 if (ptr->next ==
1462 reinterpret_cast<SSL_SESSION *>(&ctx->session_cache_tail)) {
1463 ptr = nullptr;
1464 } else {
1465 ptr = ptr->next;
1466 }
1467 }
1468 if (ptr != nullptr) {
1469 return false;
1470 }
1471
1472 // Check the hash table.
1473 std::vector<SSL_SESSION*> actual, expected_copy;
1474 lh_SSL_SESSION_doall_arg(ctx->sessions, AppendSession, &actual);
1475 expected_copy = expected;
1476
1477 std::sort(actual.begin(), actual.end());
1478 std::sort(expected_copy.begin(), expected_copy.end());
1479
1480 return actual == expected_copy;
1481 }
1482
CreateTestSession(uint32_t number)1483 static bssl::UniquePtr<SSL_SESSION> CreateTestSession(uint32_t number) {
1484 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
1485 if (!ssl_ctx) {
1486 return nullptr;
1487 }
1488 bssl::UniquePtr<SSL_SESSION> ret(SSL_SESSION_new(ssl_ctx.get()));
1489 if (!ret) {
1490 return nullptr;
1491 }
1492
1493 uint8_t id[SSL3_SSL_SESSION_ID_LENGTH] = {0};
1494 OPENSSL_memcpy(id, &number, sizeof(number));
1495 if (!SSL_SESSION_set1_id(ret.get(), id, sizeof(id))) {
1496 return nullptr;
1497 }
1498 return ret;
1499 }
1500
1501 // Test that the internal session cache behaves as expected.
TEST(SSLTest,InternalSessionCache)1502 TEST(SSLTest, InternalSessionCache) {
1503 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
1504 ASSERT_TRUE(ctx);
1505
1506 // Prepare 10 test sessions.
1507 std::vector<bssl::UniquePtr<SSL_SESSION>> sessions;
1508 for (int i = 0; i < 10; i++) {
1509 bssl::UniquePtr<SSL_SESSION> session = CreateTestSession(i);
1510 ASSERT_TRUE(session);
1511 sessions.push_back(std::move(session));
1512 }
1513
1514 SSL_CTX_sess_set_cache_size(ctx.get(), 5);
1515
1516 // Insert all the test sessions.
1517 for (const auto &session : sessions) {
1518 ASSERT_TRUE(SSL_CTX_add_session(ctx.get(), session.get()));
1519 }
1520
1521 // Only the last five should be in the list.
1522 ASSERT_TRUE(CacheEquals(
1523 ctx.get(), {sessions[9].get(), sessions[8].get(), sessions[7].get(),
1524 sessions[6].get(), sessions[5].get()}));
1525
1526 // Inserting an element already in the cache should fail and leave the cache
1527 // unchanged.
1528 ASSERT_FALSE(SSL_CTX_add_session(ctx.get(), sessions[7].get()));
1529 ASSERT_TRUE(CacheEquals(
1530 ctx.get(), {sessions[9].get(), sessions[8].get(), sessions[7].get(),
1531 sessions[6].get(), sessions[5].get()}));
1532
1533 // Although collisions should be impossible (256-bit session IDs), the cache
1534 // must handle them gracefully.
1535 bssl::UniquePtr<SSL_SESSION> collision(CreateTestSession(7));
1536 ASSERT_TRUE(collision);
1537 ASSERT_TRUE(SSL_CTX_add_session(ctx.get(), collision.get()));
1538 ASSERT_TRUE(CacheEquals(
1539 ctx.get(), {collision.get(), sessions[9].get(), sessions[8].get(),
1540 sessions[6].get(), sessions[5].get()}));
1541
1542 // Removing sessions behaves correctly.
1543 ASSERT_TRUE(SSL_CTX_remove_session(ctx.get(), sessions[6].get()));
1544 ASSERT_TRUE(CacheEquals(ctx.get(), {collision.get(), sessions[9].get(),
1545 sessions[8].get(), sessions[5].get()}));
1546
1547 // Removing sessions requires an exact match.
1548 ASSERT_FALSE(SSL_CTX_remove_session(ctx.get(), sessions[0].get()));
1549 ASSERT_FALSE(SSL_CTX_remove_session(ctx.get(), sessions[7].get()));
1550
1551 // The cache remains unchanged.
1552 ASSERT_TRUE(CacheEquals(ctx.get(), {collision.get(), sessions[9].get(),
1553 sessions[8].get(), sessions[5].get()}));
1554 }
1555
EpochFromSequence(uint64_t seq)1556 static uint16_t EpochFromSequence(uint64_t seq) {
1557 return static_cast<uint16_t>(seq >> 48);
1558 }
1559
1560 static const uint8_t kTestName[] = {
1561 0x30, 0x45, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
1562 0x02, 0x41, 0x55, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
1563 0x0c, 0x0a, 0x53, 0x6f, 0x6d, 0x65, 0x2d, 0x53, 0x74, 0x61, 0x74, 0x65,
1564 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x18, 0x49,
1565 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x20, 0x57, 0x69, 0x64, 0x67,
1566 0x69, 0x74, 0x73, 0x20, 0x50, 0x74, 0x79, 0x20, 0x4c, 0x74, 0x64,
1567 };
1568
CompleteHandshakes(SSL * client,SSL * server)1569 static bool CompleteHandshakes(SSL *client, SSL *server) {
1570 // Drive both their handshakes to completion.
1571 for (;;) {
1572 int client_ret = SSL_do_handshake(client);
1573 int client_err = SSL_get_error(client, client_ret);
1574 if (client_err != SSL_ERROR_NONE &&
1575 client_err != SSL_ERROR_WANT_READ &&
1576 client_err != SSL_ERROR_WANT_WRITE &&
1577 client_err != SSL_ERROR_PENDING_TICKET) {
1578 fprintf(stderr, "Client error: %d\n", client_err);
1579 return false;
1580 }
1581
1582 int server_ret = SSL_do_handshake(server);
1583 int server_err = SSL_get_error(server, server_ret);
1584 if (server_err != SSL_ERROR_NONE &&
1585 server_err != SSL_ERROR_WANT_READ &&
1586 server_err != SSL_ERROR_WANT_WRITE &&
1587 server_err != SSL_ERROR_PENDING_TICKET) {
1588 fprintf(stderr, "Server error: %d\n", server_err);
1589 return false;
1590 }
1591
1592 if (client_ret == 1 && server_ret == 1) {
1593 break;
1594 }
1595 }
1596
1597 return true;
1598 }
1599
FlushNewSessionTickets(SSL * client,SSL * server)1600 static bool FlushNewSessionTickets(SSL *client, SSL *server) {
1601 // NewSessionTickets are deferred on the server to |SSL_write|, and clients do
1602 // not pick them up until |SSL_read|.
1603 for (;;) {
1604 int server_ret = SSL_write(server, nullptr, 0);
1605 int server_err = SSL_get_error(server, server_ret);
1606 // The server may either succeed (|server_ret| is zero) or block on write
1607 // (|server_ret| is -1 and |server_err| is |SSL_ERROR_WANT_WRITE|).
1608 if (server_ret > 0 ||
1609 (server_ret < 0 && server_err != SSL_ERROR_WANT_WRITE)) {
1610 fprintf(stderr, "Unexpected server result: %d %d\n", server_ret,
1611 server_err);
1612 return false;
1613 }
1614
1615 int client_ret = SSL_read(client, nullptr, 0);
1616 int client_err = SSL_get_error(client, client_ret);
1617 // The client must always block on read.
1618 if (client_ret != -1 || client_err != SSL_ERROR_WANT_READ) {
1619 fprintf(stderr, "Unexpected client result: %d %d\n", client_ret,
1620 client_err);
1621 return false;
1622 }
1623
1624 // The server flushed everything it had to write.
1625 if (server_ret == 0) {
1626 return true;
1627 }
1628 }
1629 }
1630
1631 struct ClientConfig {
1632 SSL_SESSION *session = nullptr;
1633 std::string servername;
1634 };
1635
ConnectClientAndServer(bssl::UniquePtr<SSL> * out_client,bssl::UniquePtr<SSL> * out_server,SSL_CTX * client_ctx,SSL_CTX * server_ctx,const ClientConfig & config=ClientConfig (),bool do_handshake=true,bool shed_handshake_config=true)1636 static bool ConnectClientAndServer(bssl::UniquePtr<SSL> *out_client,
1637 bssl::UniquePtr<SSL> *out_server,
1638 SSL_CTX *client_ctx, SSL_CTX *server_ctx,
1639 const ClientConfig &config = ClientConfig(),
1640 bool do_handshake = true,
1641 bool shed_handshake_config = true) {
1642 bssl::UniquePtr<SSL> client(SSL_new(client_ctx)), server(SSL_new(server_ctx));
1643 if (!client || !server) {
1644 return false;
1645 }
1646 SSL_set_connect_state(client.get());
1647 SSL_set_accept_state(server.get());
1648
1649 if (config.session) {
1650 SSL_set_session(client.get(), config.session);
1651 }
1652 if (!config.servername.empty() &&
1653 !SSL_set_tlsext_host_name(client.get(), config.servername.c_str())) {
1654 return false;
1655 }
1656
1657 BIO *bio1, *bio2;
1658 if (!BIO_new_bio_pair(&bio1, 0, &bio2, 0)) {
1659 return false;
1660 }
1661 // SSL_set_bio takes ownership.
1662 SSL_set_bio(client.get(), bio1, bio1);
1663 SSL_set_bio(server.get(), bio2, bio2);
1664
1665 SSL_set_shed_handshake_config(client.get(), shed_handshake_config);
1666 SSL_set_shed_handshake_config(server.get(), shed_handshake_config);
1667
1668 if (do_handshake && !CompleteHandshakes(client.get(), server.get())) {
1669 return false;
1670 }
1671
1672 *out_client = std::move(client);
1673 *out_server = std::move(server);
1674 return true;
1675 }
1676
1677 // SSLVersionTest executes its test cases under all available protocol versions.
1678 // Test cases call |Connect| to create a connection using context objects with
1679 // the protocol version fixed to the current version under test.
1680 class SSLVersionTest : public ::testing::TestWithParam<VersionParam> {
1681 protected:
SSLVersionTest()1682 SSLVersionTest() : cert_(GetTestCertificate()), key_(GetTestKey()) {}
1683
SetUp()1684 void SetUp() { ResetContexts(); }
1685
CreateContext() const1686 bssl::UniquePtr<SSL_CTX> CreateContext() const {
1687 const SSL_METHOD *method = is_dtls() ? DTLS_method() : TLS_method();
1688 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method));
1689 if (!ctx || !SSL_CTX_set_min_proto_version(ctx.get(), version()) ||
1690 !SSL_CTX_set_max_proto_version(ctx.get(), version())) {
1691 return nullptr;
1692 }
1693 return ctx;
1694 }
1695
ResetContexts()1696 void ResetContexts() {
1697 ASSERT_TRUE(cert_);
1698 ASSERT_TRUE(key_);
1699 client_ctx_ = CreateContext();
1700 ASSERT_TRUE(client_ctx_);
1701 server_ctx_ = CreateContext();
1702 ASSERT_TRUE(server_ctx_);
1703 // Set up a server cert. Client certs can be set up explicitly.
1704 ASSERT_TRUE(UseCertAndKey(server_ctx_.get()));
1705 }
1706
UseCertAndKey(SSL_CTX * ctx) const1707 bool UseCertAndKey(SSL_CTX *ctx) const {
1708 return SSL_CTX_use_certificate(ctx, cert_.get()) &&
1709 SSL_CTX_use_PrivateKey(ctx, key_.get());
1710 }
1711
Connect(const ClientConfig & config=ClientConfig ())1712 bool Connect(const ClientConfig &config = ClientConfig()) {
1713 return ConnectClientAndServer(&client_, &server_, client_ctx_.get(),
1714 server_ctx_.get(), config, true,
1715 shed_handshake_config_);
1716 }
1717
version() const1718 uint16_t version() const { return GetParam().version; }
1719
is_dtls() const1720 bool is_dtls() const {
1721 return GetParam().ssl_method == VersionParam::is_dtls;
1722 }
1723
1724 bool shed_handshake_config_ = true;
1725 bssl::UniquePtr<SSL> client_, server_;
1726 bssl::UniquePtr<SSL_CTX> server_ctx_, client_ctx_;
1727 bssl::UniquePtr<X509> cert_;
1728 bssl::UniquePtr<EVP_PKEY> key_;
1729 };
1730
1731 INSTANTIATE_TEST_SUITE_P(WithVersion, SSLVersionTest,
1732 testing::ValuesIn(kAllVersions),
__anon9c4f6ca60402(const testing::TestParamInfo<VersionParam> &i) 1733 [](const testing::TestParamInfo<VersionParam> &i) {
1734 return i.param.name;
1735 });
1736
TEST_P(SSLVersionTest,SequenceNumber)1737 TEST_P(SSLVersionTest, SequenceNumber) {
1738 ASSERT_TRUE(Connect());
1739
1740 // Drain any post-handshake messages to ensure there are no unread records
1741 // on either end.
1742 ASSERT_TRUE(FlushNewSessionTickets(client_.get(), server_.get()));
1743
1744 uint64_t client_read_seq = SSL_get_read_sequence(client_.get());
1745 uint64_t client_write_seq = SSL_get_write_sequence(client_.get());
1746 uint64_t server_read_seq = SSL_get_read_sequence(server_.get());
1747 uint64_t server_write_seq = SSL_get_write_sequence(server_.get());
1748
1749 if (is_dtls()) {
1750 // Both client and server must be at epoch 1.
1751 EXPECT_EQ(EpochFromSequence(client_read_seq), 1);
1752 EXPECT_EQ(EpochFromSequence(client_write_seq), 1);
1753 EXPECT_EQ(EpochFromSequence(server_read_seq), 1);
1754 EXPECT_EQ(EpochFromSequence(server_write_seq), 1);
1755
1756 // The next record to be written should exceed the largest received.
1757 EXPECT_GT(client_write_seq, server_read_seq);
1758 EXPECT_GT(server_write_seq, client_read_seq);
1759 } else {
1760 // The next record to be written should equal the next to be received.
1761 EXPECT_EQ(client_write_seq, server_read_seq);
1762 EXPECT_EQ(server_write_seq, client_read_seq);
1763 }
1764
1765 // Send a record from client to server.
1766 uint8_t byte = 0;
1767 EXPECT_EQ(SSL_write(client_.get(), &byte, 1), 1);
1768 EXPECT_EQ(SSL_read(server_.get(), &byte, 1), 1);
1769
1770 // The client write and server read sequence numbers should have
1771 // incremented.
1772 EXPECT_EQ(client_write_seq + 1, SSL_get_write_sequence(client_.get()));
1773 EXPECT_EQ(server_read_seq + 1, SSL_get_read_sequence(server_.get()));
1774 }
1775
TEST_P(SSLVersionTest,OneSidedShutdown)1776 TEST_P(SSLVersionTest, OneSidedShutdown) {
1777 // SSL_shutdown is a no-op in DTLS.
1778 if (is_dtls()) {
1779 return;
1780 }
1781 ASSERT_TRUE(Connect());
1782
1783 // Shut down half the connection. SSL_shutdown will return 0 to signal only
1784 // one side has shut down.
1785 ASSERT_EQ(SSL_shutdown(client_.get()), 0);
1786
1787 // Reading from the server should consume the EOF.
1788 uint8_t byte;
1789 ASSERT_EQ(SSL_read(server_.get(), &byte, 1), 0);
1790 ASSERT_EQ(SSL_get_error(server_.get(), 0), SSL_ERROR_ZERO_RETURN);
1791
1792 // However, the server may continue to write data and then shut down the
1793 // connection.
1794 byte = 42;
1795 ASSERT_EQ(SSL_write(server_.get(), &byte, 1), 1);
1796 ASSERT_EQ(SSL_read(client_.get(), &byte, 1), 1);
1797 ASSERT_EQ(byte, 42);
1798
1799 // The server may then shutdown the connection.
1800 EXPECT_EQ(SSL_shutdown(server_.get()), 1);
1801 EXPECT_EQ(SSL_shutdown(client_.get()), 1);
1802 }
1803
TEST(SSLTest,SessionDuplication)1804 TEST(SSLTest, SessionDuplication) {
1805 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
1806 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
1807 ASSERT_TRUE(client_ctx);
1808 ASSERT_TRUE(server_ctx);
1809
1810 bssl::UniquePtr<X509> cert = GetTestCertificate();
1811 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
1812 ASSERT_TRUE(cert);
1813 ASSERT_TRUE(key);
1814 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
1815 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
1816
1817 bssl::UniquePtr<SSL> client, server;
1818 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
1819 server_ctx.get()));
1820
1821 SSL_SESSION *session0 = SSL_get_session(client.get());
1822 bssl::UniquePtr<SSL_SESSION> session1 =
1823 bssl::SSL_SESSION_dup(session0, SSL_SESSION_DUP_ALL);
1824 ASSERT_TRUE(session1);
1825
1826 session1->not_resumable = false;
1827
1828 uint8_t *s0_bytes, *s1_bytes;
1829 size_t s0_len, s1_len;
1830
1831 ASSERT_TRUE(SSL_SESSION_to_bytes(session0, &s0_bytes, &s0_len));
1832 bssl::UniquePtr<uint8_t> free_s0(s0_bytes);
1833
1834 ASSERT_TRUE(SSL_SESSION_to_bytes(session1.get(), &s1_bytes, &s1_len));
1835 bssl::UniquePtr<uint8_t> free_s1(s1_bytes);
1836
1837 EXPECT_EQ(Bytes(s0_bytes, s0_len), Bytes(s1_bytes, s1_len));
1838 }
1839
ExpectFDs(const SSL * ssl,int rfd,int wfd)1840 static void ExpectFDs(const SSL *ssl, int rfd, int wfd) {
1841 EXPECT_EQ(rfd, SSL_get_fd(ssl));
1842 EXPECT_EQ(rfd, SSL_get_rfd(ssl));
1843 EXPECT_EQ(wfd, SSL_get_wfd(ssl));
1844
1845 // The wrapper BIOs are always equal when fds are equal, even if set
1846 // individually.
1847 if (rfd == wfd) {
1848 EXPECT_EQ(SSL_get_rbio(ssl), SSL_get_wbio(ssl));
1849 }
1850 }
1851
TEST(SSLTest,SetFD)1852 TEST(SSLTest, SetFD) {
1853 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
1854 ASSERT_TRUE(ctx);
1855
1856 // Test setting different read and write FDs.
1857 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
1858 ASSERT_TRUE(ssl);
1859 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
1860 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 2));
1861 ExpectFDs(ssl.get(), 1, 2);
1862
1863 // Test setting the same FD.
1864 ssl.reset(SSL_new(ctx.get()));
1865 ASSERT_TRUE(ssl);
1866 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
1867 ExpectFDs(ssl.get(), 1, 1);
1868
1869 // Test setting the same FD one side at a time.
1870 ssl.reset(SSL_new(ctx.get()));
1871 ASSERT_TRUE(ssl);
1872 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
1873 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 1));
1874 ExpectFDs(ssl.get(), 1, 1);
1875
1876 // Test setting the same FD in the other order.
1877 ssl.reset(SSL_new(ctx.get()));
1878 ASSERT_TRUE(ssl);
1879 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 1));
1880 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
1881 ExpectFDs(ssl.get(), 1, 1);
1882
1883 // Test changing the read FD partway through.
1884 ssl.reset(SSL_new(ctx.get()));
1885 ASSERT_TRUE(ssl);
1886 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
1887 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 2));
1888 ExpectFDs(ssl.get(), 2, 1);
1889
1890 // Test changing the write FD partway through.
1891 ssl.reset(SSL_new(ctx.get()));
1892 ASSERT_TRUE(ssl);
1893 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
1894 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 2));
1895 ExpectFDs(ssl.get(), 1, 2);
1896
1897 // Test a no-op change to the read FD partway through.
1898 ssl.reset(SSL_new(ctx.get()));
1899 ASSERT_TRUE(ssl);
1900 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
1901 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
1902 ExpectFDs(ssl.get(), 1, 1);
1903
1904 // Test a no-op change to the write FD partway through.
1905 ssl.reset(SSL_new(ctx.get()));
1906 ASSERT_TRUE(ssl);
1907 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
1908 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 1));
1909 ExpectFDs(ssl.get(), 1, 1);
1910
1911 // ASan builds will implicitly test that the internal |BIO| reference-counting
1912 // is correct.
1913 }
1914
TEST(SSLTest,SetBIO)1915 TEST(SSLTest, SetBIO) {
1916 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
1917 ASSERT_TRUE(ctx);
1918
1919 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
1920 bssl::UniquePtr<BIO> bio1(BIO_new(BIO_s_mem())), bio2(BIO_new(BIO_s_mem())),
1921 bio3(BIO_new(BIO_s_mem()));
1922 ASSERT_TRUE(ssl);
1923 ASSERT_TRUE(bio1);
1924 ASSERT_TRUE(bio2);
1925 ASSERT_TRUE(bio3);
1926
1927 // SSL_set_bio takes one reference when the parameters are the same.
1928 BIO_up_ref(bio1.get());
1929 SSL_set_bio(ssl.get(), bio1.get(), bio1.get());
1930
1931 // Repeating the call does nothing.
1932 SSL_set_bio(ssl.get(), bio1.get(), bio1.get());
1933
1934 // It takes one reference each when the parameters are different.
1935 BIO_up_ref(bio2.get());
1936 BIO_up_ref(bio3.get());
1937 SSL_set_bio(ssl.get(), bio2.get(), bio3.get());
1938
1939 // Repeating the call does nothing.
1940 SSL_set_bio(ssl.get(), bio2.get(), bio3.get());
1941
1942 // It takes one reference when changing only wbio.
1943 BIO_up_ref(bio1.get());
1944 SSL_set_bio(ssl.get(), bio2.get(), bio1.get());
1945
1946 // It takes one reference when changing only rbio and the two are different.
1947 BIO_up_ref(bio3.get());
1948 SSL_set_bio(ssl.get(), bio3.get(), bio1.get());
1949
1950 // If setting wbio to rbio, it takes no additional references.
1951 SSL_set_bio(ssl.get(), bio3.get(), bio3.get());
1952
1953 // From there, wbio may be switched to something else.
1954 BIO_up_ref(bio1.get());
1955 SSL_set_bio(ssl.get(), bio3.get(), bio1.get());
1956
1957 // If setting rbio to wbio, it takes no additional references.
1958 SSL_set_bio(ssl.get(), bio1.get(), bio1.get());
1959
1960 // From there, rbio may be switched to something else, but, for historical
1961 // reasons, it takes a reference to both parameters.
1962 BIO_up_ref(bio1.get());
1963 BIO_up_ref(bio2.get());
1964 SSL_set_bio(ssl.get(), bio2.get(), bio1.get());
1965
1966 // ASAN builds will implicitly test that the internal |BIO| reference-counting
1967 // is correct.
1968 }
1969
VerifySucceed(X509_STORE_CTX * store_ctx,void * arg)1970 static int VerifySucceed(X509_STORE_CTX *store_ctx, void *arg) { return 1; }
1971
TEST_P(SSLVersionTest,GetPeerCertificate)1972 TEST_P(SSLVersionTest, GetPeerCertificate) {
1973 ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
1974
1975 // Configure both client and server to accept any certificate.
1976 SSL_CTX_set_verify(client_ctx_.get(),
1977 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
1978 nullptr);
1979 SSL_CTX_set_cert_verify_callback(client_ctx_.get(), VerifySucceed, NULL);
1980 SSL_CTX_set_verify(server_ctx_.get(),
1981 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
1982 nullptr);
1983 SSL_CTX_set_cert_verify_callback(server_ctx_.get(), VerifySucceed, NULL);
1984
1985 ASSERT_TRUE(Connect());
1986
1987 // Client and server should both see the leaf certificate.
1988 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(server_.get()));
1989 ASSERT_TRUE(peer);
1990 ASSERT_EQ(X509_cmp(cert_.get(), peer.get()), 0);
1991
1992 peer.reset(SSL_get_peer_certificate(client_.get()));
1993 ASSERT_TRUE(peer);
1994 ASSERT_EQ(X509_cmp(cert_.get(), peer.get()), 0);
1995
1996 // However, for historical reasons, the X509 chain includes the leaf on the
1997 // client, but does not on the server.
1998 EXPECT_EQ(sk_X509_num(SSL_get_peer_cert_chain(client_.get())), 1u);
1999 EXPECT_EQ(sk_CRYPTO_BUFFER_num(SSL_get0_peer_certificates(client_.get())),
2000 1u);
2001
2002 EXPECT_EQ(sk_X509_num(SSL_get_peer_cert_chain(server_.get())), 0u);
2003 EXPECT_EQ(sk_CRYPTO_BUFFER_num(SSL_get0_peer_certificates(server_.get())),
2004 1u);
2005 }
2006
TEST_P(SSLVersionTest,NoPeerCertificate)2007 TEST_P(SSLVersionTest, NoPeerCertificate) {
2008 SSL_CTX_set_verify(server_ctx_.get(), SSL_VERIFY_PEER, nullptr);
2009 SSL_CTX_set_cert_verify_callback(server_ctx_.get(), VerifySucceed, NULL);
2010 SSL_CTX_set_cert_verify_callback(client_ctx_.get(), VerifySucceed, NULL);
2011
2012 ASSERT_TRUE(Connect());
2013
2014 // Server should not see a peer certificate.
2015 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(server_.get()));
2016 ASSERT_FALSE(peer);
2017 ASSERT_FALSE(SSL_get0_peer_certificates(server_.get()));
2018 }
2019
TEST_P(SSLVersionTest,RetainOnlySHA256OfCerts)2020 TEST_P(SSLVersionTest, RetainOnlySHA256OfCerts) {
2021 uint8_t *cert_der = NULL;
2022 int cert_der_len = i2d_X509(cert_.get(), &cert_der);
2023 ASSERT_GE(cert_der_len, 0);
2024 bssl::UniquePtr<uint8_t> free_cert_der(cert_der);
2025
2026 uint8_t cert_sha256[SHA256_DIGEST_LENGTH];
2027 SHA256(cert_der, cert_der_len, cert_sha256);
2028
2029 ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
2030
2031 // Configure both client and server to accept any certificate, but the
2032 // server must retain only the SHA-256 of the peer.
2033 SSL_CTX_set_verify(client_ctx_.get(),
2034 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
2035 nullptr);
2036 SSL_CTX_set_verify(server_ctx_.get(),
2037 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
2038 nullptr);
2039 SSL_CTX_set_cert_verify_callback(client_ctx_.get(), VerifySucceed, NULL);
2040 SSL_CTX_set_cert_verify_callback(server_ctx_.get(), VerifySucceed, NULL);
2041 SSL_CTX_set_retain_only_sha256_of_client_certs(server_ctx_.get(), 1);
2042
2043 ASSERT_TRUE(Connect());
2044
2045 // The peer certificate has been dropped.
2046 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(server_.get()));
2047 EXPECT_FALSE(peer);
2048
2049 SSL_SESSION *session = SSL_get_session(server_.get());
2050 EXPECT_TRUE(SSL_SESSION_has_peer_sha256(session));
2051
2052 const uint8_t *peer_sha256;
2053 size_t peer_sha256_len;
2054 SSL_SESSION_get0_peer_sha256(session, &peer_sha256, &peer_sha256_len);
2055 EXPECT_EQ(Bytes(cert_sha256), Bytes(peer_sha256, peer_sha256_len));
2056 }
2057
2058 // Tests that our ClientHellos do not change unexpectedly. These are purely
2059 // change detection tests. If they fail as part of an intentional ClientHello
2060 // change, update the test vector.
TEST(SSLTest,ClientHello)2061 TEST(SSLTest, ClientHello) {
2062 struct {
2063 uint16_t max_version;
2064 std::vector<uint8_t> expected;
2065 } kTests[] = {
2066 {TLS1_VERSION,
2067 {0x16, 0x03, 0x01, 0x00, 0x5a, 0x01, 0x00, 0x00, 0x56, 0x03, 0x01, 0x00,
2068 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2069 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2070 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0e, 0xc0, 0x09,
2071 0xc0, 0x13, 0xc0, 0x0a, 0xc0, 0x14, 0x00, 0x2f, 0x00, 0x35, 0x00, 0x0a,
2072 0x01, 0x00, 0x00, 0x1f, 0x00, 0x17, 0x00, 0x00, 0xff, 0x01, 0x00, 0x01,
2073 0x00, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00,
2074 0x18, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00}},
2075 {TLS1_1_VERSION,
2076 {0x16, 0x03, 0x01, 0x00, 0x5a, 0x01, 0x00, 0x00, 0x56, 0x03, 0x02, 0x00,
2077 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2078 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2079 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0e, 0xc0, 0x09,
2080 0xc0, 0x13, 0xc0, 0x0a, 0xc0, 0x14, 0x00, 0x2f, 0x00, 0x35, 0x00, 0x0a,
2081 0x01, 0x00, 0x00, 0x1f, 0x00, 0x17, 0x00, 0x00, 0xff, 0x01, 0x00, 0x01,
2082 0x00, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00,
2083 0x18, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00}},
2084 {TLS1_2_VERSION,
2085 {0x16, 0x03, 0x01, 0x00, 0x82, 0x01, 0x00, 0x00, 0x7e, 0x03, 0x03, 0x00,
2086 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2087 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2088 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1e, 0xcc, 0xa9,
2089 0xcc, 0xa8, 0xc0, 0x2b, 0xc0, 0x2f, 0xc0, 0x2c, 0xc0, 0x30, 0xc0, 0x09,
2090 0xc0, 0x13, 0xc0, 0x0a, 0xc0, 0x14, 0x00, 0x9c, 0x00, 0x9d, 0x00, 0x2f,
2091 0x00, 0x35, 0x00, 0x0a, 0x01, 0x00, 0x00, 0x37, 0x00, 0x17, 0x00, 0x00,
2092 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00,
2093 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00,
2094 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x14, 0x00, 0x12, 0x04, 0x03, 0x08,
2095 0x04, 0x04, 0x01, 0x05, 0x03, 0x08, 0x05, 0x05, 0x01, 0x08, 0x06, 0x06,
2096 0x01, 0x02, 0x01}},
2097 // TODO(davidben): Add a change detector for TLS 1.3 once the spec and our
2098 // implementation has settled enough that it won't change.
2099 };
2100
2101 for (const auto &t : kTests) {
2102 SCOPED_TRACE(t.max_version);
2103
2104 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
2105 ASSERT_TRUE(ctx);
2106 // Our default cipher list varies by CPU capabilities, so manually place the
2107 // ChaCha20 ciphers in front.
2108 const char *cipher_list = "CHACHA20:ALL";
2109 ASSERT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), t.max_version));
2110 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(ctx.get(), cipher_list));
2111
2112 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
2113 ASSERT_TRUE(ssl);
2114 std::vector<uint8_t> client_hello;
2115 ASSERT_TRUE(GetClientHello(ssl.get(), &client_hello));
2116
2117 // Zero the client_random.
2118 constexpr size_t kRandomOffset = 1 + 2 + 2 + // record header
2119 1 + 3 + // handshake message header
2120 2; // client_version
2121 ASSERT_GE(client_hello.size(), kRandomOffset + SSL3_RANDOM_SIZE);
2122 OPENSSL_memset(client_hello.data() + kRandomOffset, 0, SSL3_RANDOM_SIZE);
2123
2124 if (client_hello != t.expected) {
2125 ADD_FAILURE() << "ClientHellos did not match.";
2126 // Print the value manually so it is easier to update the test vector.
2127 for (size_t i = 0; i < client_hello.size(); i += 12) {
2128 printf(" %c", i == 0 ? '{' : ' ');
2129 for (size_t j = i; j < client_hello.size() && j < i + 12; j++) {
2130 if (j > i) {
2131 printf(" ");
2132 }
2133 printf("0x%02x", client_hello[j]);
2134 if (j < client_hello.size() - 1) {
2135 printf(",");
2136 }
2137 }
2138 if (i + 12 >= client_hello.size()) {
2139 printf("}},");
2140 }
2141 printf("\n");
2142 }
2143 }
2144 }
2145 }
2146
2147 static bssl::UniquePtr<SSL_SESSION> g_last_session;
2148
SaveLastSession(SSL * ssl,SSL_SESSION * session)2149 static int SaveLastSession(SSL *ssl, SSL_SESSION *session) {
2150 // Save the most recent session.
2151 g_last_session.reset(session);
2152 return 1;
2153 }
2154
CreateClientSession(SSL_CTX * client_ctx,SSL_CTX * server_ctx,const ClientConfig & config=ClientConfig ())2155 static bssl::UniquePtr<SSL_SESSION> CreateClientSession(
2156 SSL_CTX *client_ctx, SSL_CTX *server_ctx,
2157 const ClientConfig &config = ClientConfig()) {
2158 g_last_session = nullptr;
2159 SSL_CTX_sess_set_new_cb(client_ctx, SaveLastSession);
2160
2161 // Connect client and server to get a session.
2162 bssl::UniquePtr<SSL> client, server;
2163 if (!ConnectClientAndServer(&client, &server, client_ctx, server_ctx,
2164 config) ||
2165 !FlushNewSessionTickets(client.get(), server.get())) {
2166 fprintf(stderr, "Failed to connect client and server.\n");
2167 return nullptr;
2168 }
2169
2170 SSL_CTX_sess_set_new_cb(client_ctx, nullptr);
2171
2172 if (!g_last_session) {
2173 fprintf(stderr, "Client did not receive a session.\n");
2174 return nullptr;
2175 }
2176 return std::move(g_last_session);
2177 }
2178
ExpectSessionReused(SSL_CTX * client_ctx,SSL_CTX * server_ctx,SSL_SESSION * session,bool want_reused)2179 static void ExpectSessionReused(SSL_CTX *client_ctx, SSL_CTX *server_ctx,
2180 SSL_SESSION *session, bool want_reused) {
2181 bssl::UniquePtr<SSL> client, server;
2182 ClientConfig config;
2183 config.session = session;
2184 EXPECT_TRUE(
2185 ConnectClientAndServer(&client, &server, client_ctx, server_ctx, config));
2186
2187 EXPECT_EQ(SSL_session_reused(client.get()), SSL_session_reused(server.get()));
2188
2189 bool was_reused = !!SSL_session_reused(client.get());
2190 EXPECT_EQ(was_reused, want_reused);
2191 }
2192
ExpectSessionRenewed(SSL_CTX * client_ctx,SSL_CTX * server_ctx,SSL_SESSION * session)2193 static bssl::UniquePtr<SSL_SESSION> ExpectSessionRenewed(SSL_CTX *client_ctx,
2194 SSL_CTX *server_ctx,
2195 SSL_SESSION *session) {
2196 g_last_session = nullptr;
2197 SSL_CTX_sess_set_new_cb(client_ctx, SaveLastSession);
2198
2199 bssl::UniquePtr<SSL> client, server;
2200 ClientConfig config;
2201 config.session = session;
2202 if (!ConnectClientAndServer(&client, &server, client_ctx, server_ctx,
2203 config) ||
2204 !FlushNewSessionTickets(client.get(), server.get())) {
2205 fprintf(stderr, "Failed to connect client and server.\n");
2206 return nullptr;
2207 }
2208
2209 if (SSL_session_reused(client.get()) != SSL_session_reused(server.get())) {
2210 fprintf(stderr, "Client and server were inconsistent.\n");
2211 return nullptr;
2212 }
2213
2214 if (!SSL_session_reused(client.get())) {
2215 fprintf(stderr, "Session was not reused.\n");
2216 return nullptr;
2217 }
2218
2219 SSL_CTX_sess_set_new_cb(client_ctx, nullptr);
2220
2221 if (!g_last_session) {
2222 fprintf(stderr, "Client did not receive a renewed session.\n");
2223 return nullptr;
2224 }
2225 return std::move(g_last_session);
2226 }
2227
ExpectTicketKeyChanged(SSL_CTX * ctx,uint8_t * inout_key,bool changed)2228 static void ExpectTicketKeyChanged(SSL_CTX *ctx, uint8_t *inout_key,
2229 bool changed) {
2230 uint8_t new_key[kTicketKeyLen];
2231 // May return 0, 1 or 48.
2232 ASSERT_EQ(SSL_CTX_get_tlsext_ticket_keys(ctx, new_key, kTicketKeyLen), 1);
2233 if (changed) {
2234 ASSERT_NE(Bytes(inout_key, kTicketKeyLen), Bytes(new_key));
2235 } else {
2236 ASSERT_EQ(Bytes(inout_key, kTicketKeyLen), Bytes(new_key));
2237 }
2238 OPENSSL_memcpy(inout_key, new_key, kTicketKeyLen);
2239 }
2240
SwitchSessionIDContextSNI(SSL * ssl,int * out_alert,void * arg)2241 static int SwitchSessionIDContextSNI(SSL *ssl, int *out_alert, void *arg) {
2242 static const uint8_t kContext[] = {3};
2243
2244 if (!SSL_set_session_id_context(ssl, kContext, sizeof(kContext))) {
2245 return SSL_TLSEXT_ERR_ALERT_FATAL;
2246 }
2247
2248 return SSL_TLSEXT_ERR_OK;
2249 }
2250
TEST_P(SSLVersionTest,SessionIDContext)2251 TEST_P(SSLVersionTest, SessionIDContext) {
2252 static const uint8_t kContext1[] = {1};
2253 static const uint8_t kContext2[] = {2};
2254
2255 ASSERT_TRUE(SSL_CTX_set_session_id_context(server_ctx_.get(), kContext1,
2256 sizeof(kContext1)));
2257
2258 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
2259 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
2260
2261 bssl::UniquePtr<SSL_SESSION> session =
2262 CreateClientSession(client_ctx_.get(), server_ctx_.get());
2263 ASSERT_TRUE(session);
2264
2265 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2266 session.get(),
2267 true /* expect session reused */));
2268
2269 // Change the session ID context.
2270 ASSERT_TRUE(SSL_CTX_set_session_id_context(server_ctx_.get(), kContext2,
2271 sizeof(kContext2)));
2272
2273 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2274 session.get(),
2275 false /* expect session not reused */));
2276
2277 // Change the session ID context back and install an SNI callback to switch
2278 // it.
2279 ASSERT_TRUE(SSL_CTX_set_session_id_context(server_ctx_.get(), kContext1,
2280 sizeof(kContext1)));
2281
2282 SSL_CTX_set_tlsext_servername_callback(server_ctx_.get(),
2283 SwitchSessionIDContextSNI);
2284
2285 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2286 session.get(),
2287 false /* expect session not reused */));
2288
2289 // Switch the session ID context with the early callback instead.
2290 SSL_CTX_set_tlsext_servername_callback(server_ctx_.get(), nullptr);
2291 SSL_CTX_set_select_certificate_cb(
2292 server_ctx_.get(),
2293 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
2294 static const uint8_t kContext[] = {3};
2295
2296 if (!SSL_set_session_id_context(client_hello->ssl, kContext,
2297 sizeof(kContext))) {
2298 return ssl_select_cert_error;
2299 }
2300
2301 return ssl_select_cert_success;
2302 });
2303
2304 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2305 session.get(),
2306 false /* expect session not reused */));
2307 }
2308
2309 static timeval g_current_time;
2310
CurrentTimeCallback(const SSL * ssl,timeval * out_clock)2311 static void CurrentTimeCallback(const SSL *ssl, timeval *out_clock) {
2312 *out_clock = g_current_time;
2313 }
2314
FrozenTimeCallback(const SSL * ssl,timeval * out_clock)2315 static void FrozenTimeCallback(const SSL *ssl, timeval *out_clock) {
2316 out_clock->tv_sec = 1000;
2317 out_clock->tv_usec = 0;
2318 }
2319
RenewTicketCallback(SSL * ssl,uint8_t * key_name,uint8_t * iv,EVP_CIPHER_CTX * ctx,HMAC_CTX * hmac_ctx,int encrypt)2320 static int RenewTicketCallback(SSL *ssl, uint8_t *key_name, uint8_t *iv,
2321 EVP_CIPHER_CTX *ctx, HMAC_CTX *hmac_ctx,
2322 int encrypt) {
2323 static const uint8_t kZeros[16] = {0};
2324
2325 if (encrypt) {
2326 OPENSSL_memcpy(key_name, kZeros, sizeof(kZeros));
2327 RAND_bytes(iv, 16);
2328 } else if (OPENSSL_memcmp(key_name, kZeros, 16) != 0) {
2329 return 0;
2330 }
2331
2332 if (!HMAC_Init_ex(hmac_ctx, kZeros, sizeof(kZeros), EVP_sha256(), NULL) ||
2333 !EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, kZeros, iv, encrypt)) {
2334 return -1;
2335 }
2336
2337 // Returning two from the callback in decrypt mode renews the
2338 // session in TLS 1.2 and below.
2339 return encrypt ? 1 : 2;
2340 }
2341
GetServerTicketTime(long * out,const SSL_SESSION * session)2342 static bool GetServerTicketTime(long *out, const SSL_SESSION *session) {
2343 const uint8_t *ticket;
2344 size_t ticket_len;
2345 SSL_SESSION_get0_ticket(session, &ticket, &ticket_len);
2346 if (ticket_len < 16 + 16 + SHA256_DIGEST_LENGTH) {
2347 return false;
2348 }
2349
2350 const uint8_t *ciphertext = ticket + 16 + 16;
2351 size_t len = ticket_len - 16 - 16 - SHA256_DIGEST_LENGTH;
2352 std::unique_ptr<uint8_t[]> plaintext(new uint8_t[len]);
2353
2354 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
2355 // Fuzzer-mode tickets are unencrypted.
2356 OPENSSL_memcpy(plaintext.get(), ciphertext, len);
2357 #else
2358 static const uint8_t kZeros[16] = {0};
2359 const uint8_t *iv = ticket + 16;
2360 bssl::ScopedEVP_CIPHER_CTX ctx;
2361 int len1, len2;
2362 if (!EVP_DecryptInit_ex(ctx.get(), EVP_aes_128_cbc(), nullptr, kZeros, iv) ||
2363 !EVP_DecryptUpdate(ctx.get(), plaintext.get(), &len1, ciphertext, len) ||
2364 !EVP_DecryptFinal_ex(ctx.get(), plaintext.get() + len1, &len2)) {
2365 return false;
2366 }
2367
2368 len = static_cast<size_t>(len1 + len2);
2369 #endif
2370
2371 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
2372 if (!ssl_ctx) {
2373 return false;
2374 }
2375 bssl::UniquePtr<SSL_SESSION> server_session(
2376 SSL_SESSION_from_bytes(plaintext.get(), len, ssl_ctx.get()));
2377 if (!server_session) {
2378 return false;
2379 }
2380
2381 *out = SSL_SESSION_get_time(server_session.get());
2382 return true;
2383 }
2384
TEST_P(SSLVersionTest,SessionTimeout)2385 TEST_P(SSLVersionTest, SessionTimeout) {
2386 for (bool server_test : {false, true}) {
2387 SCOPED_TRACE(server_test);
2388
2389 ResetContexts();
2390 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
2391 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
2392
2393 static const time_t kStartTime = 1000;
2394 g_current_time.tv_sec = kStartTime;
2395
2396 // We are willing to use a longer lifetime for TLS 1.3 sessions as
2397 // resumptions still perform ECDHE.
2398 const time_t timeout = version() == TLS1_3_VERSION
2399 ? SSL_DEFAULT_SESSION_PSK_DHE_TIMEOUT
2400 : SSL_DEFAULT_SESSION_TIMEOUT;
2401
2402 // Both client and server must enforce session timeouts. We configure the
2403 // other side with a frozen clock so it never expires tickets.
2404 if (server_test) {
2405 SSL_CTX_set_current_time_cb(client_ctx_.get(), FrozenTimeCallback);
2406 SSL_CTX_set_current_time_cb(server_ctx_.get(), CurrentTimeCallback);
2407 } else {
2408 SSL_CTX_set_current_time_cb(client_ctx_.get(), CurrentTimeCallback);
2409 SSL_CTX_set_current_time_cb(server_ctx_.get(), FrozenTimeCallback);
2410 }
2411
2412 // Configure a ticket callback which renews tickets.
2413 SSL_CTX_set_tlsext_ticket_key_cb(server_ctx_.get(), RenewTicketCallback);
2414
2415 bssl::UniquePtr<SSL_SESSION> session =
2416 CreateClientSession(client_ctx_.get(), server_ctx_.get());
2417 ASSERT_TRUE(session);
2418
2419 // Advance the clock just behind the timeout.
2420 g_current_time.tv_sec += timeout - 1;
2421
2422 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2423 session.get(),
2424 true /* expect session reused */));
2425
2426 // Advance the clock one more second.
2427 g_current_time.tv_sec++;
2428
2429 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2430 session.get(),
2431 false /* expect session not reused */));
2432
2433 // Rewind the clock to before the session was minted.
2434 g_current_time.tv_sec = kStartTime - 1;
2435
2436 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2437 session.get(),
2438 false /* expect session not reused */));
2439
2440 // Renew the session 10 seconds before expiration.
2441 time_t new_start_time = kStartTime + timeout - 10;
2442 g_current_time.tv_sec = new_start_time;
2443 bssl::UniquePtr<SSL_SESSION> new_session = ExpectSessionRenewed(
2444 client_ctx_.get(), server_ctx_.get(), session.get());
2445 ASSERT_TRUE(new_session);
2446
2447 // This new session is not the same object as before.
2448 EXPECT_NE(session.get(), new_session.get());
2449
2450 // Check the sessions have timestamps measured from issuance.
2451 long session_time = 0;
2452 if (server_test) {
2453 ASSERT_TRUE(GetServerTicketTime(&session_time, new_session.get()));
2454 } else {
2455 session_time = SSL_SESSION_get_time(new_session.get());
2456 }
2457
2458 ASSERT_EQ(session_time, g_current_time.tv_sec);
2459
2460 if (version() == TLS1_3_VERSION) {
2461 // Renewal incorporates fresh key material in TLS 1.3, so we extend the
2462 // lifetime TLS 1.3.
2463 g_current_time.tv_sec = new_start_time + timeout - 1;
2464 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2465 new_session.get(),
2466 true /* expect session reused */));
2467
2468 // The new session expires after the new timeout.
2469 g_current_time.tv_sec = new_start_time + timeout + 1;
2470 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2471 new_session.get(),
2472 false /* expect session ot reused */));
2473
2474 // Renew the session until it begins just past the auth timeout.
2475 time_t auth_end_time = kStartTime + SSL_DEFAULT_SESSION_AUTH_TIMEOUT;
2476 while (new_start_time < auth_end_time - 1000) {
2477 // Get as close as possible to target start time.
2478 new_start_time =
2479 std::min(auth_end_time - 1000, new_start_time + timeout - 1);
2480 g_current_time.tv_sec = new_start_time;
2481 new_session = ExpectSessionRenewed(client_ctx_.get(), server_ctx_.get(),
2482 new_session.get());
2483 ASSERT_TRUE(new_session);
2484 }
2485
2486 // Now the session's lifetime is bound by the auth timeout.
2487 g_current_time.tv_sec = auth_end_time - 1;
2488 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2489 new_session.get(),
2490 true /* expect session reused */));
2491
2492 g_current_time.tv_sec = auth_end_time + 1;
2493 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2494 new_session.get(),
2495 false /* expect session ot reused */));
2496 } else {
2497 // The new session is usable just before the old expiration.
2498 g_current_time.tv_sec = kStartTime + timeout - 1;
2499 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2500 new_session.get(),
2501 true /* expect session reused */));
2502
2503 // Renewal does not extend the lifetime, so it is not usable beyond the
2504 // old expiration.
2505 g_current_time.tv_sec = kStartTime + timeout + 1;
2506 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2507 new_session.get(),
2508 false /* expect session not reused */));
2509 }
2510 }
2511 }
2512
TEST_P(SSLVersionTest,DefaultTicketKeyInitialization)2513 TEST_P(SSLVersionTest, DefaultTicketKeyInitialization) {
2514 static const uint8_t kZeroKey[kTicketKeyLen] = {};
2515 uint8_t ticket_key[kTicketKeyLen];
2516 ASSERT_EQ(1, SSL_CTX_get_tlsext_ticket_keys(server_ctx_.get(), ticket_key,
2517 kTicketKeyLen));
2518 ASSERT_NE(0, OPENSSL_memcmp(ticket_key, kZeroKey, kTicketKeyLen));
2519 }
2520
TEST_P(SSLVersionTest,DefaultTicketKeyRotation)2521 TEST_P(SSLVersionTest, DefaultTicketKeyRotation) {
2522 static const time_t kStartTime = 1001;
2523 g_current_time.tv_sec = kStartTime;
2524
2525 // We use session reuse as a proxy for ticket decryption success, hence
2526 // disable session timeouts.
2527 SSL_CTX_set_timeout(server_ctx_.get(), std::numeric_limits<uint32_t>::max());
2528 SSL_CTX_set_session_psk_dhe_timeout(server_ctx_.get(),
2529 std::numeric_limits<uint32_t>::max());
2530
2531 SSL_CTX_set_current_time_cb(client_ctx_.get(), FrozenTimeCallback);
2532 SSL_CTX_set_current_time_cb(server_ctx_.get(), CurrentTimeCallback);
2533
2534 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
2535 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_OFF);
2536
2537 // Initialize ticket_key with the current key and check that it was
2538 // initialized to something, not all zeros.
2539 uint8_t ticket_key[kTicketKeyLen] = {0};
2540 TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
2541 true /* changed */));
2542
2543 // Verify ticket resumption actually works.
2544 bssl::UniquePtr<SSL> client, server;
2545 bssl::UniquePtr<SSL_SESSION> session =
2546 CreateClientSession(client_ctx_.get(), server_ctx_.get());
2547 ASSERT_TRUE(session);
2548 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2549 session.get(), true /* reused */));
2550
2551 // Advance time to just before key rotation.
2552 g_current_time.tv_sec += SSL_DEFAULT_TICKET_KEY_ROTATION_INTERVAL - 1;
2553 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2554 session.get(), true /* reused */));
2555 TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
2556 false /* NOT changed */));
2557
2558 // Force key rotation.
2559 g_current_time.tv_sec += 1;
2560 bssl::UniquePtr<SSL_SESSION> new_session =
2561 CreateClientSession(client_ctx_.get(), server_ctx_.get());
2562 TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
2563 true /* changed */));
2564
2565 // Resumption with both old and new ticket should work.
2566 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2567 session.get(), true /* reused */));
2568 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2569 new_session.get(), true /* reused */));
2570 TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
2571 false /* NOT changed */));
2572
2573 // Force key rotation again. Resumption with the old ticket now fails.
2574 g_current_time.tv_sec += SSL_DEFAULT_TICKET_KEY_ROTATION_INTERVAL;
2575 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2576 session.get(), false /* NOT reused */));
2577 TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
2578 true /* changed */));
2579
2580 // But resumption with the newer session still works.
2581 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2582 new_session.get(), true /* reused */));
2583 }
2584
SwitchContext(SSL * ssl,int * out_alert,void * arg)2585 static int SwitchContext(SSL *ssl, int *out_alert, void *arg) {
2586 SSL_CTX *ctx = reinterpret_cast<SSL_CTX *>(arg);
2587 SSL_set_SSL_CTX(ssl, ctx);
2588 return SSL_TLSEXT_ERR_OK;
2589 }
2590
TEST_P(SSLVersionTest,SNICallback)2591 TEST_P(SSLVersionTest, SNICallback) {
2592 bssl::UniquePtr<X509> cert2 = GetECDSATestCertificate();
2593 ASSERT_TRUE(cert2);
2594 bssl::UniquePtr<EVP_PKEY> key2 = GetECDSATestKey();
2595 ASSERT_TRUE(key2);
2596
2597 // Test that switching the |SSL_CTX| at the SNI callback behaves correctly.
2598 static const uint16_t kECDSAWithSHA256 = SSL_SIGN_ECDSA_SECP256R1_SHA256;
2599
2600 static const uint8_t kSCTList[] = {0, 6, 0, 4, 5, 6, 7, 8};
2601 static const uint8_t kOCSPResponse[] = {1, 2, 3, 4};
2602
2603 bssl::UniquePtr<SSL_CTX> server_ctx2 = CreateContext();
2604 ASSERT_TRUE(server_ctx2);
2605 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx2.get(), cert2.get()));
2606 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx2.get(), key2.get()));
2607 ASSERT_TRUE(SSL_CTX_set_signed_cert_timestamp_list(
2608 server_ctx2.get(), kSCTList, sizeof(kSCTList)));
2609 ASSERT_TRUE(SSL_CTX_set_ocsp_response(server_ctx2.get(), kOCSPResponse,
2610 sizeof(kOCSPResponse)));
2611 // Historically signing preferences would be lost in some cases with the
2612 // SNI callback, which triggers the TLS 1.2 SHA-1 default. To ensure
2613 // this doesn't happen when |version| is TLS 1.2, configure the private
2614 // key to only sign SHA-256.
2615 ASSERT_TRUE(SSL_CTX_set_signing_algorithm_prefs(server_ctx2.get(),
2616 &kECDSAWithSHA256, 1));
2617
2618 SSL_CTX_set_tlsext_servername_callback(server_ctx_.get(), SwitchContext);
2619 SSL_CTX_set_tlsext_servername_arg(server_ctx_.get(), server_ctx2.get());
2620
2621 SSL_CTX_enable_signed_cert_timestamps(client_ctx_.get());
2622 SSL_CTX_enable_ocsp_stapling(client_ctx_.get());
2623
2624 ASSERT_TRUE(Connect());
2625
2626 // The client should have received |cert2|.
2627 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(client_.get()));
2628 ASSERT_TRUE(peer);
2629 EXPECT_EQ(X509_cmp(peer.get(), cert2.get()), 0);
2630
2631 // The client should have received |server_ctx2|'s SCT list.
2632 const uint8_t *data;
2633 size_t len;
2634 SSL_get0_signed_cert_timestamp_list(client_.get(), &data, &len);
2635 EXPECT_EQ(Bytes(kSCTList), Bytes(data, len));
2636
2637 // The client should have received |server_ctx2|'s OCSP response.
2638 SSL_get0_ocsp_response(client_.get(), &data, &len);
2639 EXPECT_EQ(Bytes(kOCSPResponse), Bytes(data, len));
2640 }
2641
2642 // Test that the early callback can swap the maximum version.
TEST(SSLTest,EarlyCallbackVersionSwitch)2643 TEST(SSLTest, EarlyCallbackVersionSwitch) {
2644 bssl::UniquePtr<X509> cert = GetTestCertificate();
2645 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
2646 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
2647 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
2648 ASSERT_TRUE(cert);
2649 ASSERT_TRUE(key);
2650 ASSERT_TRUE(server_ctx);
2651 ASSERT_TRUE(client_ctx);
2652 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
2653 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
2654 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION));
2655 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
2656
2657 SSL_CTX_set_select_certificate_cb(
2658 server_ctx.get(),
2659 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
2660 if (!SSL_set_max_proto_version(client_hello->ssl, TLS1_2_VERSION)) {
2661 return ssl_select_cert_error;
2662 }
2663
2664 return ssl_select_cert_success;
2665 });
2666
2667 bssl::UniquePtr<SSL> client, server;
2668 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
2669 server_ctx.get()));
2670 EXPECT_EQ(TLS1_2_VERSION, SSL_version(client.get()));
2671 }
2672
TEST(SSLTest,SetVersion)2673 TEST(SSLTest, SetVersion) {
2674 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
2675 ASSERT_TRUE(ctx);
2676
2677 // Set valid TLS versions.
2678 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_VERSION));
2679 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_1_VERSION));
2680 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_VERSION));
2681 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_1_VERSION));
2682
2683 // Invalid TLS versions are rejected.
2684 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), DTLS1_VERSION));
2685 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0x0200));
2686 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0x1234));
2687 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), DTLS1_VERSION));
2688 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x0200));
2689 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x1234));
2690
2691 // Zero is the default version.
2692 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), 0));
2693 EXPECT_EQ(TLS1_2_VERSION, SSL_CTX_get_max_proto_version(ctx.get()));
2694 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), 0));
2695 EXPECT_EQ(TLS1_VERSION, SSL_CTX_get_min_proto_version(ctx.get()));
2696
2697 // TLS 1.3 is available, but not by default.
2698 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_3_VERSION));
2699 EXPECT_EQ(TLS1_3_VERSION, SSL_CTX_get_max_proto_version(ctx.get()));
2700
2701 // SSL 3.0 is not available.
2702 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), SSL3_VERSION));
2703
2704 ctx.reset(SSL_CTX_new(DTLS_method()));
2705 ASSERT_TRUE(ctx);
2706
2707 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), DTLS1_VERSION));
2708 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), DTLS1_2_VERSION));
2709 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), DTLS1_VERSION));
2710 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), DTLS1_2_VERSION));
2711
2712 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_VERSION));
2713 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0xfefe /* DTLS 1.1 */));
2714 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0xfffe /* DTLS 0.1 */));
2715 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0x1234));
2716 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_VERSION));
2717 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0xfefe /* DTLS 1.1 */));
2718 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0xfffe /* DTLS 0.1 */));
2719 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x1234));
2720
2721 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), 0));
2722 EXPECT_EQ(DTLS1_2_VERSION, SSL_CTX_get_max_proto_version(ctx.get()));
2723 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), 0));
2724 EXPECT_EQ(DTLS1_VERSION, SSL_CTX_get_min_proto_version(ctx.get()));
2725 }
2726
GetVersionName(uint16_t version)2727 static const char *GetVersionName(uint16_t version) {
2728 switch (version) {
2729 case TLS1_VERSION:
2730 return "TLSv1";
2731 case TLS1_1_VERSION:
2732 return "TLSv1.1";
2733 case TLS1_2_VERSION:
2734 return "TLSv1.2";
2735 case TLS1_3_VERSION:
2736 return "TLSv1.3";
2737 case DTLS1_VERSION:
2738 return "DTLSv1";
2739 case DTLS1_2_VERSION:
2740 return "DTLSv1.2";
2741 default:
2742 return "???";
2743 }
2744 }
2745
TEST_P(SSLVersionTest,Version)2746 TEST_P(SSLVersionTest, Version) {
2747 ASSERT_TRUE(Connect());
2748
2749 EXPECT_EQ(SSL_version(client_.get()), version());
2750 EXPECT_EQ(SSL_version(server_.get()), version());
2751
2752 // Test the version name is reported as expected.
2753 const char *version_name = GetVersionName(version());
2754 EXPECT_EQ(strcmp(version_name, SSL_get_version(client_.get())), 0);
2755 EXPECT_EQ(strcmp(version_name, SSL_get_version(server_.get())), 0);
2756
2757 // Test SSL_SESSION reports the same name.
2758 const char *client_name =
2759 SSL_SESSION_get_version(SSL_get_session(client_.get()));
2760 const char *server_name =
2761 SSL_SESSION_get_version(SSL_get_session(server_.get()));
2762 EXPECT_EQ(strcmp(version_name, client_name), 0);
2763 EXPECT_EQ(strcmp(version_name, server_name), 0);
2764 }
2765
2766 // Tests that that |SSL_get_pending_cipher| is available during the ALPN
2767 // selection callback.
TEST_P(SSLVersionTest,ALPNCipherAvailable)2768 TEST_P(SSLVersionTest, ALPNCipherAvailable) {
2769 ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
2770
2771 static const uint8_t kALPNProtos[] = {0x03, 'f', 'o', 'o'};
2772 ASSERT_EQ(SSL_CTX_set_alpn_protos(client_ctx_.get(), kALPNProtos,
2773 sizeof(kALPNProtos)),
2774 0);
2775
2776 // The ALPN callback does not fail the handshake on error, so have the
2777 // callback write a boolean.
2778 std::pair<uint16_t, bool> callback_state(version(), false);
2779 SSL_CTX_set_alpn_select_cb(
2780 server_ctx_.get(),
2781 [](SSL *ssl, const uint8_t **out, uint8_t *out_len, const uint8_t *in,
2782 unsigned in_len, void *arg) -> int {
2783 auto state = reinterpret_cast<std::pair<uint16_t, bool> *>(arg);
2784 if (SSL_get_pending_cipher(ssl) != nullptr &&
2785 SSL_version(ssl) == state->first) {
2786 state->second = true;
2787 }
2788 return SSL_TLSEXT_ERR_NOACK;
2789 },
2790 &callback_state);
2791
2792 ASSERT_TRUE(Connect());
2793
2794 ASSERT_TRUE(callback_state.second);
2795 }
2796
TEST_P(SSLVersionTest,SSLClearSessionResumption)2797 TEST_P(SSLVersionTest, SSLClearSessionResumption) {
2798 // Skip this for TLS 1.3. TLS 1.3's ticket mechanism is incompatible with this
2799 // API pattern.
2800 if (version() == TLS1_3_VERSION) {
2801 return;
2802 }
2803
2804 shed_handshake_config_ = false;
2805 ASSERT_TRUE(Connect());
2806
2807 EXPECT_FALSE(SSL_session_reused(client_.get()));
2808 EXPECT_FALSE(SSL_session_reused(server_.get()));
2809
2810 // Reset everything.
2811 ASSERT_TRUE(SSL_clear(client_.get()));
2812 ASSERT_TRUE(SSL_clear(server_.get()));
2813
2814 // Attempt to connect a second time.
2815 ASSERT_TRUE(CompleteHandshakes(client_.get(), server_.get()));
2816
2817 // |SSL_clear| should implicitly offer the previous session to the server.
2818 EXPECT_TRUE(SSL_session_reused(client_.get()));
2819 EXPECT_TRUE(SSL_session_reused(server_.get()));
2820 }
2821
TEST_P(SSLVersionTest,SSLClearFailsWithShedding)2822 TEST_P(SSLVersionTest, SSLClearFailsWithShedding) {
2823 shed_handshake_config_ = false;
2824 ASSERT_TRUE(Connect());
2825 ASSERT_TRUE(CompleteHandshakes(client_.get(), server_.get()));
2826
2827 // Reset everything.
2828 ASSERT_TRUE(SSL_clear(client_.get()));
2829 ASSERT_TRUE(SSL_clear(server_.get()));
2830
2831 // Now enable shedding, and connect a second time.
2832 shed_handshake_config_ = true;
2833 ASSERT_TRUE(Connect());
2834 ASSERT_TRUE(CompleteHandshakes(client_.get(), server_.get()));
2835
2836 // |SSL_clear| should now fail.
2837 ASSERT_FALSE(SSL_clear(client_.get()));
2838 ASSERT_FALSE(SSL_clear(server_.get()));
2839 }
2840
ChainsEqual(STACK_OF (X509)* chain,const std::vector<X509 * > & expected)2841 static bool ChainsEqual(STACK_OF(X509) * chain,
2842 const std::vector<X509 *> &expected) {
2843 if (sk_X509_num(chain) != expected.size()) {
2844 return false;
2845 }
2846
2847 for (size_t i = 0; i < expected.size(); i++) {
2848 if (X509_cmp(sk_X509_value(chain, i), expected[i]) != 0) {
2849 return false;
2850 }
2851 }
2852
2853 return true;
2854 }
2855
TEST_P(SSLVersionTest,AutoChain)2856 TEST_P(SSLVersionTest, AutoChain) {
2857 cert_ = GetChainTestCertificate();
2858 ASSERT_TRUE(cert_);
2859 key_ = GetChainTestKey();
2860 ASSERT_TRUE(key_);
2861 bssl::UniquePtr<X509> intermediate = GetChainTestIntermediate();
2862 ASSERT_TRUE(intermediate);
2863
2864 ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
2865 ASSERT_TRUE(UseCertAndKey(server_ctx_.get()));
2866
2867 // Configure both client and server to accept any certificate. Add
2868 // |intermediate| to the cert store.
2869 ASSERT_TRUE(X509_STORE_add_cert(SSL_CTX_get_cert_store(client_ctx_.get()),
2870 intermediate.get()));
2871 ASSERT_TRUE(X509_STORE_add_cert(SSL_CTX_get_cert_store(server_ctx_.get()),
2872 intermediate.get()));
2873 SSL_CTX_set_verify(client_ctx_.get(),
2874 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
2875 nullptr);
2876 SSL_CTX_set_verify(server_ctx_.get(),
2877 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
2878 nullptr);
2879 SSL_CTX_set_cert_verify_callback(client_ctx_.get(), VerifySucceed, NULL);
2880 SSL_CTX_set_cert_verify_callback(server_ctx_.get(), VerifySucceed, NULL);
2881
2882 // By default, the client and server should each only send the leaf.
2883 ASSERT_TRUE(Connect());
2884
2885 EXPECT_TRUE(
2886 ChainsEqual(SSL_get_peer_full_cert_chain(client_.get()), {cert_.get()}));
2887 EXPECT_TRUE(
2888 ChainsEqual(SSL_get_peer_full_cert_chain(server_.get()), {cert_.get()}));
2889
2890 // If auto-chaining is enabled, then the intermediate is sent.
2891 SSL_CTX_clear_mode(client_ctx_.get(), SSL_MODE_NO_AUTO_CHAIN);
2892 SSL_CTX_clear_mode(server_ctx_.get(), SSL_MODE_NO_AUTO_CHAIN);
2893 ASSERT_TRUE(Connect());
2894
2895 EXPECT_TRUE(ChainsEqual(SSL_get_peer_full_cert_chain(client_.get()),
2896 {cert_.get(), intermediate.get()}));
2897 EXPECT_TRUE(ChainsEqual(SSL_get_peer_full_cert_chain(server_.get()),
2898 {cert_.get(), intermediate.get()}));
2899
2900 // Auto-chaining does not override explicitly-configured intermediates.
2901 ASSERT_TRUE(SSL_CTX_add1_chain_cert(client_ctx_.get(), cert_.get()));
2902 ASSERT_TRUE(SSL_CTX_add1_chain_cert(server_ctx_.get(), cert_.get()));
2903 ASSERT_TRUE(Connect());
2904
2905 EXPECT_TRUE(ChainsEqual(SSL_get_peer_full_cert_chain(client_.get()),
2906 {cert_.get(), cert_.get()}));
2907
2908 EXPECT_TRUE(ChainsEqual(SSL_get_peer_full_cert_chain(server_.get()),
2909 {cert_.get(), cert_.get()}));
2910 }
2911
ExpectBadWriteRetry()2912 static bool ExpectBadWriteRetry() {
2913 int err = ERR_get_error();
2914 if (ERR_GET_LIB(err) != ERR_LIB_SSL ||
2915 ERR_GET_REASON(err) != SSL_R_BAD_WRITE_RETRY) {
2916 char buf[ERR_ERROR_STRING_BUF_LEN];
2917 ERR_error_string_n(err, buf, sizeof(buf));
2918 fprintf(stderr, "Wanted SSL_R_BAD_WRITE_RETRY, got: %s.\n", buf);
2919 return false;
2920 }
2921
2922 if (ERR_peek_error() != 0) {
2923 fprintf(stderr, "Unexpected error following SSL_R_BAD_WRITE_RETRY.\n");
2924 return false;
2925 }
2926
2927 return true;
2928 }
2929
TEST_P(SSLVersionTest,SSLWriteRetry)2930 TEST_P(SSLVersionTest, SSLWriteRetry) {
2931 if (is_dtls()) {
2932 return;
2933 }
2934
2935 for (bool enable_partial_write : {false, true}) {
2936 SCOPED_TRACE(enable_partial_write);
2937
2938 // Connect a client and server.
2939 ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
2940
2941 ASSERT_TRUE(Connect());
2942
2943 if (enable_partial_write) {
2944 SSL_set_mode(client_.get(), SSL_MODE_ENABLE_PARTIAL_WRITE);
2945 }
2946
2947 // Write without reading until the buffer is full and we have an unfinished
2948 // write. Keep a count so we may reread it again later. "hello!" will be
2949 // written in two chunks, "hello" and "!".
2950 char data[] = "hello!";
2951 static const int kChunkLen = 5; // The length of "hello".
2952 unsigned count = 0;
2953 for (;;) {
2954 int ret = SSL_write(client_.get(), data, kChunkLen);
2955 if (ret <= 0) {
2956 ASSERT_EQ(SSL_get_error(client_.get(), ret), SSL_ERROR_WANT_WRITE);
2957 break;
2958 }
2959
2960 ASSERT_EQ(ret, 5);
2961
2962 count++;
2963 }
2964
2965 // Retrying with the same parameters is legal.
2966 ASSERT_EQ(
2967 SSL_get_error(client_.get(), SSL_write(client_.get(), data, kChunkLen)),
2968 SSL_ERROR_WANT_WRITE);
2969
2970 // Retrying with the same buffer but shorter length is not legal.
2971 ASSERT_EQ(SSL_get_error(client_.get(),
2972 SSL_write(client_.get(), data, kChunkLen - 1)),
2973 SSL_ERROR_SSL);
2974 ASSERT_TRUE(ExpectBadWriteRetry());
2975
2976 // Retrying with a different buffer pointer is not legal.
2977 char data2[] = "hello";
2978 ASSERT_EQ(SSL_get_error(client_.get(),
2979 SSL_write(client_.get(), data2, kChunkLen)),
2980 SSL_ERROR_SSL);
2981 ASSERT_TRUE(ExpectBadWriteRetry());
2982
2983 // With |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER|, the buffer may move.
2984 SSL_set_mode(client_.get(), SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
2985 ASSERT_EQ(SSL_get_error(client_.get(),
2986 SSL_write(client_.get(), data2, kChunkLen)),
2987 SSL_ERROR_WANT_WRITE);
2988
2989 // |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER| does not disable length checks.
2990 ASSERT_EQ(SSL_get_error(client_.get(),
2991 SSL_write(client_.get(), data2, kChunkLen - 1)),
2992 SSL_ERROR_SSL);
2993 ASSERT_TRUE(ExpectBadWriteRetry());
2994
2995 // Retrying with a larger buffer is legal.
2996 ASSERT_EQ(SSL_get_error(client_.get(),
2997 SSL_write(client_.get(), data, kChunkLen + 1)),
2998 SSL_ERROR_WANT_WRITE);
2999
3000 // Drain the buffer.
3001 char buf[20];
3002 for (unsigned i = 0; i < count; i++) {
3003 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen);
3004 ASSERT_EQ(OPENSSL_memcmp(buf, "hello", kChunkLen), 0);
3005 }
3006
3007 // Now that there is space, a retry with a larger buffer should flush the
3008 // pending record, skip over that many bytes of input (on assumption they
3009 // are the same), and write the remainder. If SSL_MODE_ENABLE_PARTIAL_WRITE
3010 // is set, this will complete in two steps.
3011 char data3[] = "_____!";
3012 if (enable_partial_write) {
3013 ASSERT_EQ(SSL_write(client_.get(), data3, kChunkLen + 1), kChunkLen);
3014 ASSERT_EQ(SSL_write(client_.get(), data3 + kChunkLen, 1), 1);
3015 } else {
3016 ASSERT_EQ(SSL_write(client_.get(), data3, kChunkLen + 1), kChunkLen + 1);
3017 }
3018
3019 // Check the last write was correct. The data will be spread over two
3020 // records, so SSL_read returns twice.
3021 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen);
3022 ASSERT_EQ(OPENSSL_memcmp(buf, "hello", kChunkLen), 0);
3023 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), 1);
3024 ASSERT_EQ(buf[0], '!');
3025 }
3026 }
3027
TEST_P(SSLVersionTest,RecordCallback)3028 TEST_P(SSLVersionTest, RecordCallback) {
3029 for (bool test_server : {true, false}) {
3030 SCOPED_TRACE(test_server);
3031 ResetContexts();
3032
3033 bool read_seen = false;
3034 bool write_seen = false;
3035 auto cb = [&](int is_write, int cb_version, int cb_type, const void *buf,
3036 size_t len, SSL *ssl) {
3037 if (cb_type != SSL3_RT_HEADER) {
3038 return;
3039 }
3040
3041 // The callback does not report a version for records.
3042 EXPECT_EQ(0, cb_version);
3043
3044 if (is_write) {
3045 write_seen = true;
3046 } else {
3047 read_seen = true;
3048 }
3049
3050 // Sanity-check that the record header is plausible.
3051 CBS cbs;
3052 CBS_init(&cbs, reinterpret_cast<const uint8_t *>(buf), len);
3053 uint8_t type;
3054 uint16_t record_version, length;
3055 ASSERT_TRUE(CBS_get_u8(&cbs, &type));
3056 ASSERT_TRUE(CBS_get_u16(&cbs, &record_version));
3057 EXPECT_EQ(record_version & 0xff00, version() & 0xff00);
3058 if (is_dtls()) {
3059 uint16_t epoch;
3060 ASSERT_TRUE(CBS_get_u16(&cbs, &epoch));
3061 EXPECT_TRUE(epoch == 0 || epoch == 1) << "Invalid epoch: " << epoch;
3062 ASSERT_TRUE(CBS_skip(&cbs, 6));
3063 }
3064 ASSERT_TRUE(CBS_get_u16(&cbs, &length));
3065 EXPECT_EQ(0u, CBS_len(&cbs));
3066 };
3067 using CallbackType = decltype(cb);
3068 SSL_CTX *ctx = test_server ? server_ctx_.get() : client_ctx_.get();
3069 SSL_CTX_set_msg_callback(
3070 ctx, [](int is_write, int cb_version, int cb_type, const void *buf,
3071 size_t len, SSL *ssl, void *arg) {
3072 CallbackType *cb_ptr = reinterpret_cast<CallbackType *>(arg);
3073 (*cb_ptr)(is_write, cb_version, cb_type, buf, len, ssl);
3074 });
3075 SSL_CTX_set_msg_callback_arg(ctx, &cb);
3076
3077 ASSERT_TRUE(Connect());
3078
3079 EXPECT_TRUE(read_seen);
3080 EXPECT_TRUE(write_seen);
3081 }
3082 }
3083
TEST_P(SSLVersionTest,GetServerName)3084 TEST_P(SSLVersionTest, GetServerName) {
3085 ClientConfig config;
3086 config.servername = "host1";
3087
3088 SSL_CTX_set_tlsext_servername_callback(
3089 server_ctx_.get(), [](SSL *ssl, int *out_alert, void *arg) -> int {
3090 // During the handshake, |SSL_get_servername| must match |config|.
3091 ClientConfig *config_p = reinterpret_cast<ClientConfig *>(arg);
3092 EXPECT_STREQ(config_p->servername.c_str(),
3093 SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name));
3094 return SSL_TLSEXT_ERR_OK;
3095 });
3096 SSL_CTX_set_tlsext_servername_arg(server_ctx_.get(), &config);
3097
3098 ASSERT_TRUE(Connect(config));
3099 // After the handshake, it must also be available.
3100 EXPECT_STREQ(config.servername.c_str(),
3101 SSL_get_servername(server_.get(), TLSEXT_NAMETYPE_host_name));
3102
3103 // Establish a session under host1.
3104 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
3105 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
3106 bssl::UniquePtr<SSL_SESSION> session =
3107 CreateClientSession(client_ctx_.get(), server_ctx_.get(), config);
3108
3109 // If the client resumes a session with a different name, |SSL_get_servername|
3110 // must return the new name.
3111 ASSERT_TRUE(session);
3112 config.session = session.get();
3113 config.servername = "host2";
3114 ASSERT_TRUE(Connect(config));
3115 EXPECT_STREQ(config.servername.c_str(),
3116 SSL_get_servername(server_.get(), TLSEXT_NAMETYPE_host_name));
3117 }
3118
3119 // Test that session cache mode bits are honored in the client session callback.
TEST_P(SSLVersionTest,ClientSessionCacheMode)3120 TEST_P(SSLVersionTest, ClientSessionCacheMode) {
3121 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_OFF);
3122 EXPECT_FALSE(CreateClientSession(client_ctx_.get(), server_ctx_.get()));
3123
3124 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_CLIENT);
3125 EXPECT_TRUE(CreateClientSession(client_ctx_.get(), server_ctx_.get()));
3126
3127 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_SERVER);
3128 EXPECT_FALSE(CreateClientSession(client_ctx_.get(), server_ctx_.get()));
3129 }
3130
3131 // Test that all versions survive tiny write buffers. In particular, TLS 1.3
3132 // NewSessionTickets are written post-handshake. Servers that block
3133 // |SSL_do_handshake| on writing them will deadlock if clients are not draining
3134 // the buffer. Test that we do not do this.
TEST_P(SSLVersionTest,SmallBuffer)3135 TEST_P(SSLVersionTest, SmallBuffer) {
3136 // DTLS is a datagram protocol and requires packet-sized buffers.
3137 if (is_dtls()) {
3138 return;
3139 }
3140
3141 // Test both flushing NewSessionTickets with a zero-sized write and
3142 // non-zero-sized write.
3143 for (bool use_zero_write : {false, true}) {
3144 SCOPED_TRACE(use_zero_write);
3145
3146 g_last_session = nullptr;
3147 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
3148 SSL_CTX_sess_set_new_cb(client_ctx_.get(), SaveLastSession);
3149
3150 bssl::UniquePtr<SSL> client(SSL_new(client_ctx_.get())),
3151 server(SSL_new(server_ctx_.get()));
3152 ASSERT_TRUE(client);
3153 ASSERT_TRUE(server);
3154 SSL_set_connect_state(client.get());
3155 SSL_set_accept_state(server.get());
3156
3157 // Use a tiny buffer.
3158 BIO *bio1, *bio2;
3159 ASSERT_TRUE(BIO_new_bio_pair(&bio1, 1, &bio2, 1));
3160
3161 // SSL_set_bio takes ownership.
3162 SSL_set_bio(client.get(), bio1, bio1);
3163 SSL_set_bio(server.get(), bio2, bio2);
3164
3165 ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
3166 if (version() >= TLS1_3_VERSION) {
3167 // The post-handshake ticket should not have been processed yet.
3168 EXPECT_FALSE(g_last_session);
3169 }
3170
3171 if (use_zero_write) {
3172 ASSERT_TRUE(FlushNewSessionTickets(client.get(), server.get()));
3173 EXPECT_TRUE(g_last_session);
3174 }
3175
3176 // Send some data from server to client. If |use_zero_write| is false, this
3177 // will also flush the NewSessionTickets.
3178 static const char kMessage[] = "hello world";
3179 char buf[sizeof(kMessage)];
3180 for (;;) {
3181 int server_ret = SSL_write(server.get(), kMessage, sizeof(kMessage));
3182 int server_err = SSL_get_error(server.get(), server_ret);
3183 int client_ret = SSL_read(client.get(), buf, sizeof(buf));
3184 int client_err = SSL_get_error(client.get(), client_ret);
3185
3186 // The server will write a single record, so every iteration should see
3187 // |SSL_ERROR_WANT_WRITE| and |SSL_ERROR_WANT_READ|, until the final
3188 // iteration, where both will complete.
3189 if (server_ret > 0) {
3190 EXPECT_EQ(server_ret, static_cast<int>(sizeof(kMessage)));
3191 EXPECT_EQ(client_ret, static_cast<int>(sizeof(kMessage)));
3192 EXPECT_EQ(Bytes(buf), Bytes(kMessage));
3193 break;
3194 }
3195
3196 ASSERT_EQ(server_ret, -1);
3197 ASSERT_EQ(server_err, SSL_ERROR_WANT_WRITE);
3198 ASSERT_EQ(client_ret, -1);
3199 ASSERT_EQ(client_err, SSL_ERROR_WANT_READ);
3200 }
3201
3202 // The NewSessionTickets should have been flushed and processed.
3203 EXPECT_TRUE(g_last_session);
3204 }
3205 }
3206
TEST(SSLTest,AddChainCertHack)3207 TEST(SSLTest, AddChainCertHack) {
3208 // Ensure that we don't accidently break the hack that we have in place to
3209 // keep curl and serf happy when they use an |X509| even after transfering
3210 // ownership.
3211
3212 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
3213 ASSERT_TRUE(ctx);
3214 X509 *cert = GetTestCertificate().release();
3215 ASSERT_TRUE(cert);
3216 SSL_CTX_add0_chain_cert(ctx.get(), cert);
3217
3218 // This should not trigger a use-after-free.
3219 X509_cmp(cert, cert);
3220 }
3221
TEST(SSLTest,GetCertificate)3222 TEST(SSLTest, GetCertificate) {
3223 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
3224 ASSERT_TRUE(ctx);
3225 bssl::UniquePtr<X509> cert = GetTestCertificate();
3226 ASSERT_TRUE(cert);
3227 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), cert.get()));
3228 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
3229 ASSERT_TRUE(ssl);
3230
3231 X509 *cert2 = SSL_CTX_get0_certificate(ctx.get());
3232 ASSERT_TRUE(cert2);
3233 X509 *cert3 = SSL_get_certificate(ssl.get());
3234 ASSERT_TRUE(cert3);
3235
3236 // The old and new certificates must be identical.
3237 EXPECT_EQ(0, X509_cmp(cert.get(), cert2));
3238 EXPECT_EQ(0, X509_cmp(cert.get(), cert3));
3239
3240 uint8_t *der = nullptr;
3241 long der_len = i2d_X509(cert.get(), &der);
3242 ASSERT_LT(0, der_len);
3243 bssl::UniquePtr<uint8_t> free_der(der);
3244
3245 uint8_t *der2 = nullptr;
3246 long der2_len = i2d_X509(cert2, &der2);
3247 ASSERT_LT(0, der2_len);
3248 bssl::UniquePtr<uint8_t> free_der2(der2);
3249
3250 uint8_t *der3 = nullptr;
3251 long der3_len = i2d_X509(cert3, &der3);
3252 ASSERT_LT(0, der3_len);
3253 bssl::UniquePtr<uint8_t> free_der3(der3);
3254
3255 // They must also encode identically.
3256 EXPECT_EQ(Bytes(der, der_len), Bytes(der2, der2_len));
3257 EXPECT_EQ(Bytes(der, der_len), Bytes(der3, der3_len));
3258 }
3259
TEST(SSLTest,SetChainAndKeyMismatch)3260 TEST(SSLTest, SetChainAndKeyMismatch) {
3261 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_with_buffers_method()));
3262 ASSERT_TRUE(ctx);
3263
3264 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
3265 ASSERT_TRUE(key);
3266 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
3267 ASSERT_TRUE(leaf);
3268 std::vector<CRYPTO_BUFFER*> chain = {
3269 leaf.get(),
3270 };
3271
3272 // Should fail because |GetTestKey| doesn't match the chain-test certificate.
3273 ASSERT_FALSE(SSL_CTX_set_chain_and_key(ctx.get(), &chain[0], chain.size(),
3274 key.get(), nullptr));
3275 ERR_clear_error();
3276 }
3277
TEST(SSLTest,SetChainAndKey)3278 TEST(SSLTest, SetChainAndKey) {
3279 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method()));
3280 ASSERT_TRUE(client_ctx);
3281 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_with_buffers_method()));
3282 ASSERT_TRUE(server_ctx);
3283
3284 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
3285 ASSERT_TRUE(key);
3286 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
3287 ASSERT_TRUE(leaf);
3288 bssl::UniquePtr<CRYPTO_BUFFER> intermediate =
3289 GetChainTestIntermediateBuffer();
3290 ASSERT_TRUE(intermediate);
3291 std::vector<CRYPTO_BUFFER*> chain = {
3292 leaf.get(), intermediate.get(),
3293 };
3294 ASSERT_TRUE(SSL_CTX_set_chain_and_key(server_ctx.get(), &chain[0],
3295 chain.size(), key.get(), nullptr));
3296
3297 SSL_CTX_set_custom_verify(
3298 client_ctx.get(), SSL_VERIFY_PEER,
3299 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
3300 return ssl_verify_ok;
3301 });
3302
3303 bssl::UniquePtr<SSL> client, server;
3304 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
3305 server_ctx.get()));
3306 }
3307
TEST(SSLTest,BuffersFailWithoutCustomVerify)3308 TEST(SSLTest, BuffersFailWithoutCustomVerify) {
3309 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method()));
3310 ASSERT_TRUE(client_ctx);
3311 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_with_buffers_method()));
3312 ASSERT_TRUE(server_ctx);
3313
3314 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
3315 ASSERT_TRUE(key);
3316 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
3317 ASSERT_TRUE(leaf);
3318 std::vector<CRYPTO_BUFFER*> chain = { leaf.get() };
3319 ASSERT_TRUE(SSL_CTX_set_chain_and_key(server_ctx.get(), &chain[0],
3320 chain.size(), key.get(), nullptr));
3321
3322 // Without SSL_CTX_set_custom_verify(), i.e. with everything in the default
3323 // configuration, certificate verification should fail.
3324 bssl::UniquePtr<SSL> client, server;
3325 ASSERT_FALSE(ConnectClientAndServer(&client, &server, client_ctx.get(),
3326 server_ctx.get()));
3327
3328 // Whereas with a verifier, the connection should succeed.
3329 SSL_CTX_set_custom_verify(
3330 client_ctx.get(), SSL_VERIFY_PEER,
3331 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
3332 return ssl_verify_ok;
3333 });
3334 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
3335 server_ctx.get()));
3336 }
3337
TEST(SSLTest,CustomVerify)3338 TEST(SSLTest, CustomVerify) {
3339 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method()));
3340 ASSERT_TRUE(client_ctx);
3341 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_with_buffers_method()));
3342 ASSERT_TRUE(server_ctx);
3343
3344 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
3345 ASSERT_TRUE(key);
3346 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
3347 ASSERT_TRUE(leaf);
3348 std::vector<CRYPTO_BUFFER*> chain = { leaf.get() };
3349 ASSERT_TRUE(SSL_CTX_set_chain_and_key(server_ctx.get(), &chain[0],
3350 chain.size(), key.get(), nullptr));
3351
3352 SSL_CTX_set_custom_verify(
3353 client_ctx.get(), SSL_VERIFY_PEER,
3354 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
3355 return ssl_verify_ok;
3356 });
3357
3358 bssl::UniquePtr<SSL> client, server;
3359 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
3360 server_ctx.get()));
3361
3362 // With SSL_VERIFY_PEER, ssl_verify_invalid should result in a dropped
3363 // connection.
3364 SSL_CTX_set_custom_verify(
3365 client_ctx.get(), SSL_VERIFY_PEER,
3366 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
3367 return ssl_verify_invalid;
3368 });
3369
3370 ASSERT_FALSE(ConnectClientAndServer(&client, &server, client_ctx.get(),
3371 server_ctx.get()));
3372
3373 // But with SSL_VERIFY_NONE, ssl_verify_invalid should not cause a dropped
3374 // connection.
3375 SSL_CTX_set_custom_verify(
3376 client_ctx.get(), SSL_VERIFY_NONE,
3377 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
3378 return ssl_verify_invalid;
3379 });
3380
3381 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
3382 server_ctx.get()));
3383 }
3384
TEST(SSLTest,ClientCABuffers)3385 TEST(SSLTest, ClientCABuffers) {
3386 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method()));
3387 ASSERT_TRUE(client_ctx);
3388 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_with_buffers_method()));
3389 ASSERT_TRUE(server_ctx);
3390
3391 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
3392 ASSERT_TRUE(key);
3393 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
3394 ASSERT_TRUE(leaf);
3395 bssl::UniquePtr<CRYPTO_BUFFER> intermediate =
3396 GetChainTestIntermediateBuffer();
3397 ASSERT_TRUE(intermediate);
3398 std::vector<CRYPTO_BUFFER *> chain = {
3399 leaf.get(),
3400 intermediate.get(),
3401 };
3402 ASSERT_TRUE(SSL_CTX_set_chain_and_key(server_ctx.get(), &chain[0],
3403 chain.size(), key.get(), nullptr));
3404
3405 bssl::UniquePtr<CRYPTO_BUFFER> ca_name(
3406 CRYPTO_BUFFER_new(kTestName, sizeof(kTestName), nullptr));
3407 ASSERT_TRUE(ca_name);
3408 bssl::UniquePtr<STACK_OF(CRYPTO_BUFFER)> ca_names(
3409 sk_CRYPTO_BUFFER_new_null());
3410 ASSERT_TRUE(ca_names);
3411 ASSERT_TRUE(PushToStack(ca_names.get(), std::move(ca_name)));
3412 SSL_CTX_set0_client_CAs(server_ctx.get(), ca_names.release());
3413
3414 // Configure client and server to accept all certificates.
3415 SSL_CTX_set_custom_verify(
3416 client_ctx.get(), SSL_VERIFY_PEER,
3417 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
3418 return ssl_verify_ok;
3419 });
3420 SSL_CTX_set_custom_verify(
3421 server_ctx.get(), SSL_VERIFY_PEER,
3422 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
3423 return ssl_verify_ok;
3424 });
3425
3426 bool cert_cb_called = false;
3427 SSL_CTX_set_cert_cb(
3428 client_ctx.get(),
3429 [](SSL *ssl, void *arg) -> int {
3430 const STACK_OF(CRYPTO_BUFFER) *peer_names =
3431 SSL_get0_server_requested_CAs(ssl);
3432 EXPECT_EQ(1u, sk_CRYPTO_BUFFER_num(peer_names));
3433 CRYPTO_BUFFER *peer_name = sk_CRYPTO_BUFFER_value(peer_names, 0);
3434 EXPECT_EQ(Bytes(kTestName), Bytes(CRYPTO_BUFFER_data(peer_name),
3435 CRYPTO_BUFFER_len(peer_name)));
3436 *reinterpret_cast<bool *>(arg) = true;
3437 return 1;
3438 },
3439 &cert_cb_called);
3440
3441 bssl::UniquePtr<SSL> client, server;
3442 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
3443 server_ctx.get()));
3444 EXPECT_TRUE(cert_cb_called);
3445 }
3446
3447 // Configuring the empty cipher list, though an error, should still modify the
3448 // configuration.
TEST(SSLTest,EmptyCipherList)3449 TEST(SSLTest, EmptyCipherList) {
3450 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
3451 ASSERT_TRUE(ctx);
3452
3453 // Initially, the cipher list is not empty.
3454 EXPECT_NE(0u, sk_SSL_CIPHER_num(SSL_CTX_get_ciphers(ctx.get())));
3455
3456 // Configuring the empty cipher list fails.
3457 EXPECT_FALSE(SSL_CTX_set_cipher_list(ctx.get(), ""));
3458 ERR_clear_error();
3459
3460 // But the cipher list is still updated to empty.
3461 EXPECT_EQ(0u, sk_SSL_CIPHER_num(SSL_CTX_get_ciphers(ctx.get())));
3462 }
3463
3464 // ssl_test_ticket_aead_failure_mode enumerates the possible ways in which the
3465 // test |SSL_TICKET_AEAD_METHOD| can fail.
3466 enum ssl_test_ticket_aead_failure_mode {
3467 ssl_test_ticket_aead_ok = 0,
3468 ssl_test_ticket_aead_seal_fail,
3469 ssl_test_ticket_aead_open_soft_fail,
3470 ssl_test_ticket_aead_open_hard_fail,
3471 };
3472
3473 struct ssl_test_ticket_aead_state {
3474 unsigned retry_count;
3475 ssl_test_ticket_aead_failure_mode failure_mode;
3476 };
3477
ssl_test_ticket_aead_ex_index_dup(CRYPTO_EX_DATA * to,const CRYPTO_EX_DATA * from,void ** from_d,int index,long argl,void * argp)3478 static int ssl_test_ticket_aead_ex_index_dup(CRYPTO_EX_DATA *to,
3479 const CRYPTO_EX_DATA *from,
3480 void **from_d, int index,
3481 long argl, void *argp) {
3482 abort();
3483 }
3484
ssl_test_ticket_aead_ex_index_free(void * parent,void * ptr,CRYPTO_EX_DATA * ad,int index,long argl,void * argp)3485 static void ssl_test_ticket_aead_ex_index_free(void *parent, void *ptr,
3486 CRYPTO_EX_DATA *ad, int index,
3487 long argl, void *argp) {
3488 auto state = reinterpret_cast<ssl_test_ticket_aead_state*>(ptr);
3489 if (state == nullptr) {
3490 return;
3491 }
3492
3493 OPENSSL_free(state);
3494 }
3495
3496 static CRYPTO_once_t g_ssl_test_ticket_aead_ex_index_once = CRYPTO_ONCE_INIT;
3497 static int g_ssl_test_ticket_aead_ex_index;
3498
ssl_test_ticket_aead_get_ex_index()3499 static int ssl_test_ticket_aead_get_ex_index() {
3500 CRYPTO_once(&g_ssl_test_ticket_aead_ex_index_once, [] {
3501 g_ssl_test_ticket_aead_ex_index = SSL_get_ex_new_index(
3502 0, nullptr, nullptr, ssl_test_ticket_aead_ex_index_dup,
3503 ssl_test_ticket_aead_ex_index_free);
3504 });
3505 return g_ssl_test_ticket_aead_ex_index;
3506 }
3507
ssl_test_ticket_aead_max_overhead(SSL * ssl)3508 static size_t ssl_test_ticket_aead_max_overhead(SSL *ssl) {
3509 return 1;
3510 }
3511
ssl_test_ticket_aead_seal(SSL * ssl,uint8_t * out,size_t * out_len,size_t max_out_len,const uint8_t * in,size_t in_len)3512 static int ssl_test_ticket_aead_seal(SSL *ssl, uint8_t *out, size_t *out_len,
3513 size_t max_out_len, const uint8_t *in,
3514 size_t in_len) {
3515 auto state = reinterpret_cast<ssl_test_ticket_aead_state *>(
3516 SSL_get_ex_data(ssl, ssl_test_ticket_aead_get_ex_index()));
3517
3518 if (state->failure_mode == ssl_test_ticket_aead_seal_fail ||
3519 max_out_len < in_len + 1) {
3520 return 0;
3521 }
3522
3523 OPENSSL_memmove(out, in, in_len);
3524 out[in_len] = 0xff;
3525 *out_len = in_len + 1;
3526
3527 return 1;
3528 }
3529
ssl_test_ticket_aead_open(SSL * ssl,uint8_t * out,size_t * out_len,size_t max_out_len,const uint8_t * in,size_t in_len)3530 static ssl_ticket_aead_result_t ssl_test_ticket_aead_open(
3531 SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out_len,
3532 const uint8_t *in, size_t in_len) {
3533 auto state = reinterpret_cast<ssl_test_ticket_aead_state *>(
3534 SSL_get_ex_data(ssl, ssl_test_ticket_aead_get_ex_index()));
3535
3536 if (state->retry_count > 0) {
3537 state->retry_count--;
3538 return ssl_ticket_aead_retry;
3539 }
3540
3541 switch (state->failure_mode) {
3542 case ssl_test_ticket_aead_ok:
3543 break;
3544 case ssl_test_ticket_aead_seal_fail:
3545 // If |seal| failed then there shouldn't be any ticket to try and
3546 // decrypt.
3547 abort();
3548 break;
3549 case ssl_test_ticket_aead_open_soft_fail:
3550 return ssl_ticket_aead_ignore_ticket;
3551 case ssl_test_ticket_aead_open_hard_fail:
3552 return ssl_ticket_aead_error;
3553 }
3554
3555 if (in_len == 0 || in[in_len - 1] != 0xff) {
3556 return ssl_ticket_aead_ignore_ticket;
3557 }
3558
3559 if (max_out_len < in_len - 1) {
3560 return ssl_ticket_aead_error;
3561 }
3562
3563 OPENSSL_memmove(out, in, in_len - 1);
3564 *out_len = in_len - 1;
3565 return ssl_ticket_aead_success;
3566 }
3567
3568 static const SSL_TICKET_AEAD_METHOD kSSLTestTicketMethod = {
3569 ssl_test_ticket_aead_max_overhead,
3570 ssl_test_ticket_aead_seal,
3571 ssl_test_ticket_aead_open,
3572 };
3573
ConnectClientAndServerWithTicketMethod(bssl::UniquePtr<SSL> * out_client,bssl::UniquePtr<SSL> * out_server,SSL_CTX * client_ctx,SSL_CTX * server_ctx,unsigned retry_count,ssl_test_ticket_aead_failure_mode failure_mode,SSL_SESSION * session)3574 static void ConnectClientAndServerWithTicketMethod(
3575 bssl::UniquePtr<SSL> *out_client, bssl::UniquePtr<SSL> *out_server,
3576 SSL_CTX *client_ctx, SSL_CTX *server_ctx, unsigned retry_count,
3577 ssl_test_ticket_aead_failure_mode failure_mode, SSL_SESSION *session) {
3578 bssl::UniquePtr<SSL> client(SSL_new(client_ctx)), server(SSL_new(server_ctx));
3579 ASSERT_TRUE(client);
3580 ASSERT_TRUE(server);
3581 SSL_set_connect_state(client.get());
3582 SSL_set_accept_state(server.get());
3583
3584 auto state = reinterpret_cast<ssl_test_ticket_aead_state *>(
3585 OPENSSL_malloc(sizeof(ssl_test_ticket_aead_state)));
3586 ASSERT_TRUE(state);
3587 OPENSSL_memset(state, 0, sizeof(ssl_test_ticket_aead_state));
3588 state->retry_count = retry_count;
3589 state->failure_mode = failure_mode;
3590
3591 ASSERT_TRUE(SSL_set_ex_data(server.get(), ssl_test_ticket_aead_get_ex_index(),
3592 state));
3593
3594 SSL_set_session(client.get(), session);
3595
3596 BIO *bio1, *bio2;
3597 ASSERT_TRUE(BIO_new_bio_pair(&bio1, 0, &bio2, 0));
3598
3599 // SSL_set_bio takes ownership.
3600 SSL_set_bio(client.get(), bio1, bio1);
3601 SSL_set_bio(server.get(), bio2, bio2);
3602
3603 if (CompleteHandshakes(client.get(), server.get())) {
3604 *out_client = std::move(client);
3605 *out_server = std::move(server);
3606 } else {
3607 out_client->reset();
3608 out_server->reset();
3609 }
3610 }
3611
3612 using TicketAEADMethodParam =
3613 testing::tuple<uint16_t, unsigned, ssl_test_ticket_aead_failure_mode>;
3614
3615 class TicketAEADMethodTest
3616 : public ::testing::TestWithParam<TicketAEADMethodParam> {};
3617
TEST_P(TicketAEADMethodTest,Resume)3618 TEST_P(TicketAEADMethodTest, Resume) {
3619 bssl::UniquePtr<X509> cert = GetTestCertificate();
3620 ASSERT_TRUE(cert);
3621 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
3622 ASSERT_TRUE(key);
3623
3624 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
3625 ASSERT_TRUE(server_ctx);
3626 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
3627 ASSERT_TRUE(client_ctx);
3628
3629 const uint16_t version = testing::get<0>(GetParam());
3630 const unsigned retry_count = testing::get<1>(GetParam());
3631 const ssl_test_ticket_aead_failure_mode failure_mode =
3632 testing::get<2>(GetParam());
3633
3634 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
3635 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
3636 ASSERT_TRUE(SSL_CTX_set_min_proto_version(client_ctx.get(), version));
3637 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), version));
3638 ASSERT_TRUE(SSL_CTX_set_min_proto_version(server_ctx.get(), version));
3639 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), version));
3640
3641 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
3642 SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH);
3643 SSL_CTX_set_current_time_cb(client_ctx.get(), FrozenTimeCallback);
3644 SSL_CTX_set_current_time_cb(server_ctx.get(), FrozenTimeCallback);
3645 SSL_CTX_sess_set_new_cb(client_ctx.get(), SaveLastSession);
3646
3647 SSL_CTX_set_ticket_aead_method(server_ctx.get(), &kSSLTestTicketMethod);
3648
3649 bssl::UniquePtr<SSL> client, server;
3650 ConnectClientAndServerWithTicketMethod(&client, &server, client_ctx.get(),
3651 server_ctx.get(), retry_count,
3652 failure_mode, nullptr);
3653 switch (failure_mode) {
3654 case ssl_test_ticket_aead_ok:
3655 case ssl_test_ticket_aead_open_hard_fail:
3656 case ssl_test_ticket_aead_open_soft_fail:
3657 ASSERT_TRUE(client);
3658 break;
3659 case ssl_test_ticket_aead_seal_fail:
3660 EXPECT_FALSE(client);
3661 return;
3662 }
3663 EXPECT_FALSE(SSL_session_reused(client.get()));
3664 EXPECT_FALSE(SSL_session_reused(server.get()));
3665
3666 ASSERT_TRUE(FlushNewSessionTickets(client.get(), server.get()));
3667 bssl::UniquePtr<SSL_SESSION> session = std::move(g_last_session);
3668 ConnectClientAndServerWithTicketMethod(&client, &server, client_ctx.get(),
3669 server_ctx.get(), retry_count,
3670 failure_mode, session.get());
3671 switch (failure_mode) {
3672 case ssl_test_ticket_aead_ok:
3673 ASSERT_TRUE(client);
3674 EXPECT_TRUE(SSL_session_reused(client.get()));
3675 EXPECT_TRUE(SSL_session_reused(server.get()));
3676 break;
3677 case ssl_test_ticket_aead_seal_fail:
3678 abort();
3679 break;
3680 case ssl_test_ticket_aead_open_hard_fail:
3681 EXPECT_FALSE(client);
3682 break;
3683 case ssl_test_ticket_aead_open_soft_fail:
3684 ASSERT_TRUE(client);
3685 EXPECT_FALSE(SSL_session_reused(client.get()));
3686 EXPECT_FALSE(SSL_session_reused(server.get()));
3687 }
3688 }
3689
TicketAEADMethodParamToString(const testing::TestParamInfo<TicketAEADMethodParam> & params)3690 std::string TicketAEADMethodParamToString(
3691 const testing::TestParamInfo<TicketAEADMethodParam> ¶ms) {
3692 std::string ret = GetVersionName(std::get<0>(params.param));
3693 // GTest only allows alphanumeric characters and '_' in the parameter
3694 // string. Additionally filter out the 'v' to get "TLS13" over "TLSv13".
3695 for (auto it = ret.begin(); it != ret.end();) {
3696 if (*it == '.' || *it == 'v') {
3697 it = ret.erase(it);
3698 } else {
3699 ++it;
3700 }
3701 }
3702 char retry_count[256];
3703 snprintf(retry_count, sizeof(retry_count), "%d", std::get<1>(params.param));
3704 ret += "_";
3705 ret += retry_count;
3706 ret += "Retries_";
3707 switch (std::get<2>(params.param)) {
3708 case ssl_test_ticket_aead_ok:
3709 ret += "OK";
3710 break;
3711 case ssl_test_ticket_aead_seal_fail:
3712 ret += "SealFail";
3713 break;
3714 case ssl_test_ticket_aead_open_soft_fail:
3715 ret += "OpenSoftFail";
3716 break;
3717 case ssl_test_ticket_aead_open_hard_fail:
3718 ret += "OpenHardFail";
3719 break;
3720 }
3721 return ret;
3722 }
3723
3724 INSTANTIATE_TEST_SUITE_P(
3725 TicketAEADMethodTests, TicketAEADMethodTest,
3726 testing::Combine(testing::Values(TLS1_2_VERSION, TLS1_3_VERSION),
3727 testing::Values(0, 1, 2),
3728 testing::Values(ssl_test_ticket_aead_ok,
3729 ssl_test_ticket_aead_seal_fail,
3730 ssl_test_ticket_aead_open_soft_fail,
3731 ssl_test_ticket_aead_open_hard_fail)),
3732 TicketAEADMethodParamToString);
3733
TEST(SSLTest,SelectNextProto)3734 TEST(SSLTest, SelectNextProto) {
3735 uint8_t *result;
3736 uint8_t result_len;
3737
3738 // If there is an overlap, it should be returned.
3739 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
3740 SSL_select_next_proto(&result, &result_len,
3741 (const uint8_t *)"\1a\2bb\3ccc", 9,
3742 (const uint8_t *)"\1x\1y\1a\1z", 8));
3743 EXPECT_EQ(Bytes("a"), Bytes(result, result_len));
3744
3745 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
3746 SSL_select_next_proto(&result, &result_len,
3747 (const uint8_t *)"\1a\2bb\3ccc", 9,
3748 (const uint8_t *)"\1x\1y\2bb\1z", 9));
3749 EXPECT_EQ(Bytes("bb"), Bytes(result, result_len));
3750
3751 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
3752 SSL_select_next_proto(&result, &result_len,
3753 (const uint8_t *)"\1a\2bb\3ccc", 9,
3754 (const uint8_t *)"\1x\1y\3ccc\1z", 10));
3755 EXPECT_EQ(Bytes("ccc"), Bytes(result, result_len));
3756
3757 // Peer preference order takes precedence over local.
3758 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
3759 SSL_select_next_proto(&result, &result_len,
3760 (const uint8_t *)"\1a\2bb\3ccc", 9,
3761 (const uint8_t *)"\3ccc\2bb\1a", 9));
3762 EXPECT_EQ(Bytes("a"), Bytes(result, result_len));
3763
3764 // If there is no overlap, return the first local protocol.
3765 EXPECT_EQ(OPENSSL_NPN_NO_OVERLAP,
3766 SSL_select_next_proto(&result, &result_len,
3767 (const uint8_t *)"\1a\2bb\3ccc", 9,
3768 (const uint8_t *)"\1x\2yy\3zzz", 9));
3769 EXPECT_EQ(Bytes("x"), Bytes(result, result_len));
3770
3771 EXPECT_EQ(OPENSSL_NPN_NO_OVERLAP,
3772 SSL_select_next_proto(&result, &result_len, nullptr, 0,
3773 (const uint8_t *)"\1x\2yy\3zzz", 9));
3774 EXPECT_EQ(Bytes("x"), Bytes(result, result_len));
3775 }
3776
TEST(SSLTest,SealRecord)3777 TEST(SSLTest, SealRecord) {
3778 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method())),
3779 server_ctx(SSL_CTX_new(TLS_method()));
3780 ASSERT_TRUE(client_ctx);
3781 ASSERT_TRUE(server_ctx);
3782
3783 bssl::UniquePtr<X509> cert = GetTestCertificate();
3784 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
3785 ASSERT_TRUE(cert);
3786 ASSERT_TRUE(key);
3787 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
3788 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
3789
3790 bssl::UniquePtr<SSL> client, server;
3791 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
3792 server_ctx.get()));
3793
3794 const std::vector<uint8_t> record = {1, 2, 3, 4, 5};
3795 std::vector<uint8_t> prefix(
3796 bssl::SealRecordPrefixLen(client.get(), record.size())),
3797 body(record.size()),
3798 suffix(bssl::SealRecordSuffixLen(client.get(), record.size()));
3799 ASSERT_TRUE(bssl::SealRecord(client.get(), bssl::MakeSpan(prefix),
3800 bssl::MakeSpan(body), bssl::MakeSpan(suffix),
3801 record));
3802
3803 std::vector<uint8_t> sealed;
3804 sealed.insert(sealed.end(), prefix.begin(), prefix.end());
3805 sealed.insert(sealed.end(), body.begin(), body.end());
3806 sealed.insert(sealed.end(), suffix.begin(), suffix.end());
3807 std::vector<uint8_t> sealed_copy = sealed;
3808
3809 bssl::Span<uint8_t> plaintext;
3810 size_t record_len;
3811 uint8_t alert = 255;
3812 EXPECT_EQ(bssl::OpenRecord(server.get(), &plaintext, &record_len, &alert,
3813 bssl::MakeSpan(sealed)),
3814 bssl::OpenRecordResult::kOK);
3815 EXPECT_EQ(record_len, sealed.size());
3816 EXPECT_EQ(plaintext, record);
3817 EXPECT_EQ(255, alert);
3818 }
3819
TEST(SSLTest,SealRecordInPlace)3820 TEST(SSLTest, SealRecordInPlace) {
3821 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method())),
3822 server_ctx(SSL_CTX_new(TLS_method()));
3823 ASSERT_TRUE(client_ctx);
3824 ASSERT_TRUE(server_ctx);
3825
3826 bssl::UniquePtr<X509> cert = GetTestCertificate();
3827 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
3828 ASSERT_TRUE(cert);
3829 ASSERT_TRUE(key);
3830 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
3831 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
3832
3833 bssl::UniquePtr<SSL> client, server;
3834 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
3835 server_ctx.get()));
3836
3837 const std::vector<uint8_t> plaintext = {1, 2, 3, 4, 5};
3838 std::vector<uint8_t> record = plaintext;
3839 std::vector<uint8_t> prefix(
3840 bssl::SealRecordPrefixLen(client.get(), record.size())),
3841 suffix(bssl::SealRecordSuffixLen(client.get(), record.size()));
3842 ASSERT_TRUE(bssl::SealRecord(client.get(), bssl::MakeSpan(prefix),
3843 bssl::MakeSpan(record), bssl::MakeSpan(suffix),
3844 record));
3845 record.insert(record.begin(), prefix.begin(), prefix.end());
3846 record.insert(record.end(), suffix.begin(), suffix.end());
3847
3848 bssl::Span<uint8_t> result;
3849 size_t record_len;
3850 uint8_t alert;
3851 EXPECT_EQ(bssl::OpenRecord(server.get(), &result, &record_len, &alert,
3852 bssl::MakeSpan(record)),
3853 bssl::OpenRecordResult::kOK);
3854 EXPECT_EQ(record_len, record.size());
3855 EXPECT_EQ(plaintext, result);
3856 }
3857
TEST(SSLTest,SealRecordTrailingData)3858 TEST(SSLTest, SealRecordTrailingData) {
3859 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method())),
3860 server_ctx(SSL_CTX_new(TLS_method()));
3861 ASSERT_TRUE(client_ctx);
3862 ASSERT_TRUE(server_ctx);
3863
3864 bssl::UniquePtr<X509> cert = GetTestCertificate();
3865 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
3866 ASSERT_TRUE(cert);
3867 ASSERT_TRUE(key);
3868 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
3869 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
3870
3871 bssl::UniquePtr<SSL> client, server;
3872 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
3873 server_ctx.get()));
3874
3875 const std::vector<uint8_t> plaintext = {1, 2, 3, 4, 5};
3876 std::vector<uint8_t> record = plaintext;
3877 std::vector<uint8_t> prefix(
3878 bssl::SealRecordPrefixLen(client.get(), record.size())),
3879 suffix(bssl::SealRecordSuffixLen(client.get(), record.size()));
3880 ASSERT_TRUE(bssl::SealRecord(client.get(), bssl::MakeSpan(prefix),
3881 bssl::MakeSpan(record), bssl::MakeSpan(suffix),
3882 record));
3883 record.insert(record.begin(), prefix.begin(), prefix.end());
3884 record.insert(record.end(), suffix.begin(), suffix.end());
3885 record.insert(record.end(), {5, 4, 3, 2, 1});
3886
3887 bssl::Span<uint8_t> result;
3888 size_t record_len;
3889 uint8_t alert;
3890 EXPECT_EQ(bssl::OpenRecord(server.get(), &result, &record_len, &alert,
3891 bssl::MakeSpan(record)),
3892 bssl::OpenRecordResult::kOK);
3893 EXPECT_EQ(record_len, record.size() - 5);
3894 EXPECT_EQ(plaintext, result);
3895 }
3896
TEST(SSLTest,SealRecordInvalidSpanSize)3897 TEST(SSLTest, SealRecordInvalidSpanSize) {
3898 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method())),
3899 server_ctx(SSL_CTX_new(TLS_method()));
3900 ASSERT_TRUE(client_ctx);
3901 ASSERT_TRUE(server_ctx);
3902
3903 bssl::UniquePtr<X509> cert = GetTestCertificate();
3904 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
3905 ASSERT_TRUE(cert);
3906 ASSERT_TRUE(key);
3907 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
3908 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
3909
3910 bssl::UniquePtr<SSL> client, server;
3911 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
3912 server_ctx.get()));
3913
3914 std::vector<uint8_t> record = {1, 2, 3, 4, 5};
3915 std::vector<uint8_t> prefix(
3916 bssl::SealRecordPrefixLen(client.get(), record.size())),
3917 body(record.size()),
3918 suffix(bssl::SealRecordSuffixLen(client.get(), record.size()));
3919
3920 auto expect_err = []() {
3921 int err = ERR_get_error();
3922 EXPECT_EQ(ERR_GET_LIB(err), ERR_LIB_SSL);
3923 EXPECT_EQ(ERR_GET_REASON(err), SSL_R_BUFFER_TOO_SMALL);
3924 ERR_clear_error();
3925 };
3926 EXPECT_FALSE(bssl::SealRecord(
3927 client.get(), bssl::MakeSpan(prefix.data(), prefix.size() - 1),
3928 bssl::MakeSpan(record), bssl::MakeSpan(suffix), record));
3929 expect_err();
3930 EXPECT_FALSE(bssl::SealRecord(
3931 client.get(), bssl::MakeSpan(prefix.data(), prefix.size() + 1),
3932 bssl::MakeSpan(record), bssl::MakeSpan(suffix), record));
3933 expect_err();
3934
3935 EXPECT_FALSE(
3936 bssl::SealRecord(client.get(), bssl::MakeSpan(prefix),
3937 bssl::MakeSpan(record.data(), record.size() - 1),
3938 bssl::MakeSpan(suffix), record));
3939 expect_err();
3940 EXPECT_FALSE(
3941 bssl::SealRecord(client.get(), bssl::MakeSpan(prefix),
3942 bssl::MakeSpan(record.data(), record.size() + 1),
3943 bssl::MakeSpan(suffix), record));
3944 expect_err();
3945
3946 EXPECT_FALSE(bssl::SealRecord(
3947 client.get(), bssl::MakeSpan(prefix), bssl::MakeSpan(record),
3948 bssl::MakeSpan(suffix.data(), suffix.size() - 1), record));
3949 expect_err();
3950 EXPECT_FALSE(bssl::SealRecord(
3951 client.get(), bssl::MakeSpan(prefix), bssl::MakeSpan(record),
3952 bssl::MakeSpan(suffix.data(), suffix.size() + 1), record));
3953 expect_err();
3954 }
3955
3956 // The client should gracefully handle no suitable ciphers being enabled.
TEST(SSLTest,NoCiphersAvailable)3957 TEST(SSLTest, NoCiphersAvailable) {
3958 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
3959 ASSERT_TRUE(ctx);
3960
3961 // Configure |client_ctx| with a cipher list that does not intersect with its
3962 // version configuration.
3963 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(
3964 ctx.get(), "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"));
3965 ASSERT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_1_VERSION));
3966
3967 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
3968 ASSERT_TRUE(ssl);
3969 SSL_set_connect_state(ssl.get());
3970
3971 UniquePtr<BIO> rbio(BIO_new(BIO_s_mem())), wbio(BIO_new(BIO_s_mem()));
3972 ASSERT_TRUE(rbio);
3973 ASSERT_TRUE(wbio);
3974 SSL_set0_rbio(ssl.get(), rbio.release());
3975 SSL_set0_wbio(ssl.get(), wbio.release());
3976
3977 int ret = SSL_do_handshake(ssl.get());
3978 EXPECT_EQ(-1, ret);
3979 EXPECT_EQ(SSL_ERROR_SSL, SSL_get_error(ssl.get(), ret));
3980 uint32_t err = ERR_get_error();
3981 EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err));
3982 EXPECT_EQ(SSL_R_NO_CIPHERS_AVAILABLE, ERR_GET_REASON(err));
3983 }
3984
TEST_P(SSLVersionTest,SessionVersion)3985 TEST_P(SSLVersionTest, SessionVersion) {
3986 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
3987 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
3988
3989 bssl::UniquePtr<SSL_SESSION> session =
3990 CreateClientSession(client_ctx_.get(), server_ctx_.get());
3991 ASSERT_TRUE(session);
3992 EXPECT_EQ(version(), SSL_SESSION_get_protocol_version(session.get()));
3993
3994 // Sessions in TLS 1.3 and later should be single-use.
3995 EXPECT_EQ(version() == TLS1_3_VERSION,
3996 !!SSL_SESSION_should_be_single_use(session.get()));
3997
3998 // Making fake sessions for testing works.
3999 session.reset(SSL_SESSION_new(client_ctx_.get()));
4000 ASSERT_TRUE(session);
4001 ASSERT_TRUE(SSL_SESSION_set_protocol_version(session.get(), version()));
4002 EXPECT_EQ(version(), SSL_SESSION_get_protocol_version(session.get()));
4003 }
4004
TEST_P(SSLVersionTest,SSLPending)4005 TEST_P(SSLVersionTest, SSLPending) {
4006 UniquePtr<SSL> ssl(SSL_new(client_ctx_.get()));
4007 ASSERT_TRUE(ssl);
4008 EXPECT_EQ(0, SSL_pending(ssl.get()));
4009
4010 ASSERT_TRUE(Connect());
4011 EXPECT_EQ(0, SSL_pending(client_.get()));
4012
4013 ASSERT_EQ(5, SSL_write(server_.get(), "hello", 5));
4014 ASSERT_EQ(5, SSL_write(server_.get(), "world", 5));
4015 EXPECT_EQ(0, SSL_pending(client_.get()));
4016
4017 char buf[10];
4018 ASSERT_EQ(1, SSL_peek(client_.get(), buf, 1));
4019 EXPECT_EQ(5, SSL_pending(client_.get()));
4020
4021 ASSERT_EQ(1, SSL_read(client_.get(), buf, 1));
4022 EXPECT_EQ(4, SSL_pending(client_.get()));
4023
4024 ASSERT_EQ(4, SSL_read(client_.get(), buf, 10));
4025 EXPECT_EQ(0, SSL_pending(client_.get()));
4026
4027 ASSERT_EQ(2, SSL_read(client_.get(), buf, 2));
4028 EXPECT_EQ(3, SSL_pending(client_.get()));
4029 }
4030
4031 // Test that post-handshake tickets consumed by |SSL_shutdown| are ignored.
TEST(SSLTest,ShutdownIgnoresTickets)4032 TEST(SSLTest, ShutdownIgnoresTickets) {
4033 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
4034 ASSERT_TRUE(ctx);
4035 ASSERT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_3_VERSION));
4036 ASSERT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_3_VERSION));
4037
4038 bssl::UniquePtr<X509> cert = GetTestCertificate();
4039 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
4040 ASSERT_TRUE(cert);
4041 ASSERT_TRUE(key);
4042 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), cert.get()));
4043 ASSERT_TRUE(SSL_CTX_use_PrivateKey(ctx.get(), key.get()));
4044
4045 SSL_CTX_set_session_cache_mode(ctx.get(), SSL_SESS_CACHE_BOTH);
4046
4047 bssl::UniquePtr<SSL> client, server;
4048 ASSERT_TRUE(ConnectClientAndServer(&client, &server, ctx.get(), ctx.get()));
4049
4050 SSL_CTX_sess_set_new_cb(ctx.get(), [](SSL *ssl, SSL_SESSION *session) -> int {
4051 ADD_FAILURE() << "New session callback called during SSL_shutdown";
4052 return 0;
4053 });
4054
4055 // Send close_notify.
4056 EXPECT_EQ(0, SSL_shutdown(server.get()));
4057 EXPECT_EQ(0, SSL_shutdown(client.get()));
4058
4059 // Receive close_notify.
4060 EXPECT_EQ(1, SSL_shutdown(server.get()));
4061 EXPECT_EQ(1, SSL_shutdown(client.get()));
4062 }
4063
TEST(SSLTest,SignatureAlgorithmProperties)4064 TEST(SSLTest, SignatureAlgorithmProperties) {
4065 EXPECT_EQ(EVP_PKEY_NONE, SSL_get_signature_algorithm_key_type(0x1234));
4066 EXPECT_EQ(nullptr, SSL_get_signature_algorithm_digest(0x1234));
4067 EXPECT_FALSE(SSL_is_signature_algorithm_rsa_pss(0x1234));
4068
4069 EXPECT_EQ(EVP_PKEY_RSA,
4070 SSL_get_signature_algorithm_key_type(SSL_SIGN_RSA_PKCS1_MD5_SHA1));
4071 EXPECT_EQ(EVP_md5_sha1(),
4072 SSL_get_signature_algorithm_digest(SSL_SIGN_RSA_PKCS1_MD5_SHA1));
4073 EXPECT_FALSE(SSL_is_signature_algorithm_rsa_pss(SSL_SIGN_RSA_PKCS1_MD5_SHA1));
4074
4075 EXPECT_EQ(EVP_PKEY_EC, SSL_get_signature_algorithm_key_type(
4076 SSL_SIGN_ECDSA_SECP256R1_SHA256));
4077 EXPECT_EQ(EVP_sha256(), SSL_get_signature_algorithm_digest(
4078 SSL_SIGN_ECDSA_SECP256R1_SHA256));
4079 EXPECT_FALSE(
4080 SSL_is_signature_algorithm_rsa_pss(SSL_SIGN_ECDSA_SECP256R1_SHA256));
4081
4082 EXPECT_EQ(EVP_PKEY_RSA,
4083 SSL_get_signature_algorithm_key_type(SSL_SIGN_RSA_PSS_RSAE_SHA384));
4084 EXPECT_EQ(EVP_sha384(),
4085 SSL_get_signature_algorithm_digest(SSL_SIGN_RSA_PSS_RSAE_SHA384));
4086 EXPECT_TRUE(SSL_is_signature_algorithm_rsa_pss(SSL_SIGN_RSA_PSS_RSAE_SHA384));
4087 }
4088
XORCompressFunc(SSL * ssl,CBB * out,const uint8_t * in,size_t in_len)4089 static int XORCompressFunc(SSL *ssl, CBB *out, const uint8_t *in,
4090 size_t in_len) {
4091 for (size_t i = 0; i < in_len; i++) {
4092 if (!CBB_add_u8(out, in[i] ^ 0x55)) {
4093 return 0;
4094 }
4095 }
4096
4097 SSL_set_app_data(ssl, XORCompressFunc);
4098
4099 return 1;
4100 }
4101
XORDecompressFunc(SSL * ssl,CRYPTO_BUFFER ** out,size_t uncompressed_len,const uint8_t * in,size_t in_len)4102 static int XORDecompressFunc(SSL *ssl, CRYPTO_BUFFER **out,
4103 size_t uncompressed_len, const uint8_t *in,
4104 size_t in_len) {
4105 if (in_len != uncompressed_len) {
4106 return 0;
4107 }
4108
4109 uint8_t *data;
4110 *out = CRYPTO_BUFFER_alloc(&data, uncompressed_len);
4111 if (*out == nullptr) {
4112 return 0;
4113 }
4114
4115 for (size_t i = 0; i < in_len; i++) {
4116 data[i] = in[i] ^ 0x55;
4117 }
4118
4119 SSL_set_app_data(ssl, XORDecompressFunc);
4120
4121 return 1;
4122 }
4123
TEST(SSLTest,CertCompression)4124 TEST(SSLTest, CertCompression) {
4125 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
4126 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
4127 ASSERT_TRUE(client_ctx);
4128 ASSERT_TRUE(server_ctx);
4129
4130 bssl::UniquePtr<X509> cert = GetTestCertificate();
4131 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
4132 ASSERT_TRUE(cert);
4133 ASSERT_TRUE(key);
4134 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
4135 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
4136
4137 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION));
4138 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
4139 ASSERT_TRUE(SSL_CTX_add_cert_compression_alg(
4140 client_ctx.get(), 0x1234, XORCompressFunc, XORDecompressFunc));
4141 ASSERT_TRUE(SSL_CTX_add_cert_compression_alg(
4142 server_ctx.get(), 0x1234, XORCompressFunc, XORDecompressFunc));
4143
4144 bssl::UniquePtr<SSL> client, server;
4145 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
4146 server_ctx.get()));
4147
4148 EXPECT_TRUE(SSL_get_app_data(client.get()) == XORDecompressFunc);
4149 EXPECT_TRUE(SSL_get_app_data(server.get()) == XORCompressFunc);
4150 }
4151
MoveBIOs(SSL * dest,SSL * src)4152 void MoveBIOs(SSL *dest, SSL *src) {
4153 BIO *rbio = SSL_get_rbio(src);
4154 BIO_up_ref(rbio);
4155 SSL_set0_rbio(dest, rbio);
4156
4157 BIO *wbio = SSL_get_wbio(src);
4158 BIO_up_ref(wbio);
4159 SSL_set0_wbio(dest, wbio);
4160
4161 SSL_set0_rbio(src, nullptr);
4162 SSL_set0_wbio(src, nullptr);
4163 }
4164
TEST(SSLTest,Handoff)4165 TEST(SSLTest, Handoff) {
4166 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
4167 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
4168 bssl::UniquePtr<SSL_CTX> handshaker_ctx(SSL_CTX_new(TLS_method()));
4169 ASSERT_TRUE(client_ctx);
4170 ASSERT_TRUE(server_ctx);
4171 ASSERT_TRUE(handshaker_ctx);
4172
4173 SSL_CTX_set_handoff_mode(server_ctx.get(), 1);
4174 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_2_VERSION));
4175 ASSERT_TRUE(
4176 SSL_CTX_set_max_proto_version(handshaker_ctx.get(), TLS1_2_VERSION));
4177
4178 bssl::UniquePtr<X509> cert = GetTestCertificate();
4179 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
4180 ASSERT_TRUE(cert);
4181 ASSERT_TRUE(key);
4182 ASSERT_TRUE(SSL_CTX_use_certificate(handshaker_ctx.get(), cert.get()));
4183 ASSERT_TRUE(SSL_CTX_use_PrivateKey(handshaker_ctx.get(), key.get()));
4184
4185 bssl::UniquePtr<SSL> client, server;
4186 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
4187 server_ctx.get(), ClientConfig(),
4188 false /* don't handshake */));
4189
4190 int client_ret = SSL_do_handshake(client.get());
4191 int client_err = SSL_get_error(client.get(), client_ret);
4192 ASSERT_EQ(client_err, SSL_ERROR_WANT_READ);
4193
4194 int server_ret = SSL_do_handshake(server.get());
4195 int server_err = SSL_get_error(server.get(), server_ret);
4196 ASSERT_EQ(server_err, SSL_ERROR_HANDOFF);
4197
4198 ScopedCBB cbb;
4199 Array<uint8_t> handoff;
4200 SSL_CLIENT_HELLO hello;
4201 ASSERT_TRUE(CBB_init(cbb.get(), 256));
4202 ASSERT_TRUE(SSL_serialize_handoff(server.get(), cbb.get(), &hello));
4203 ASSERT_TRUE(CBBFinishArray(cbb.get(), &handoff));
4204
4205 bssl::UniquePtr<SSL> handshaker(SSL_new(handshaker_ctx.get()));
4206 ASSERT_TRUE(SSL_apply_handoff(handshaker.get(), handoff));
4207
4208 MoveBIOs(handshaker.get(), server.get());
4209
4210 int handshake_ret = SSL_do_handshake(handshaker.get());
4211 int handshake_err = SSL_get_error(handshaker.get(), handshake_ret);
4212 ASSERT_EQ(handshake_err, SSL_ERROR_HANDBACK);
4213
4214 // Double-check that additional calls to |SSL_do_handshake| continue
4215 // to get |SSL_ERRROR_HANDBACK|.
4216 handshake_ret = SSL_do_handshake(handshaker.get());
4217 handshake_err = SSL_get_error(handshaker.get(), handshake_ret);
4218 ASSERT_EQ(handshake_err, SSL_ERROR_HANDBACK);
4219
4220 ScopedCBB cbb_handback;
4221 Array<uint8_t> handback;
4222 ASSERT_TRUE(CBB_init(cbb_handback.get(), 1024));
4223 ASSERT_TRUE(SSL_serialize_handback(handshaker.get(), cbb_handback.get()));
4224 ASSERT_TRUE(CBBFinishArray(cbb_handback.get(), &handback));
4225
4226 bssl::UniquePtr<SSL> server2(SSL_new(server_ctx.get()));
4227 ASSERT_TRUE(SSL_apply_handback(server2.get(), handback));
4228
4229 MoveBIOs(server2.get(), handshaker.get());
4230 ASSERT_TRUE(CompleteHandshakes(client.get(), server2.get()));
4231
4232 uint8_t byte = 42;
4233 EXPECT_EQ(SSL_write(client.get(), &byte, 1), 1);
4234 EXPECT_EQ(SSL_read(server2.get(), &byte, 1), 1);
4235 EXPECT_EQ(42, byte);
4236
4237 byte = 43;
4238 EXPECT_EQ(SSL_write(server2.get(), &byte, 1), 1);
4239 EXPECT_EQ(SSL_read(client.get(), &byte, 1), 1);
4240 EXPECT_EQ(43, byte);
4241 }
4242
TEST(SSLTest,HandoffDeclined)4243 TEST(SSLTest, HandoffDeclined) {
4244 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
4245 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
4246 ASSERT_TRUE(client_ctx);
4247 ASSERT_TRUE(server_ctx);
4248
4249 SSL_CTX_set_handoff_mode(server_ctx.get(), 1);
4250 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_2_VERSION));
4251
4252 bssl::UniquePtr<X509> cert = GetTestCertificate();
4253 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
4254 ASSERT_TRUE(cert);
4255 ASSERT_TRUE(key);
4256 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
4257 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
4258
4259 bssl::UniquePtr<SSL> client, server;
4260 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
4261 server_ctx.get(), ClientConfig(),
4262 false /* don't handshake */));
4263
4264 int client_ret = SSL_do_handshake(client.get());
4265 int client_err = SSL_get_error(client.get(), client_ret);
4266 ASSERT_EQ(client_err, SSL_ERROR_WANT_READ);
4267
4268 int server_ret = SSL_do_handshake(server.get());
4269 int server_err = SSL_get_error(server.get(), server_ret);
4270 ASSERT_EQ(server_err, SSL_ERROR_HANDOFF);
4271
4272 ScopedCBB cbb;
4273 SSL_CLIENT_HELLO hello;
4274 ASSERT_TRUE(CBB_init(cbb.get(), 256));
4275 ASSERT_TRUE(SSL_serialize_handoff(server.get(), cbb.get(), &hello));
4276
4277 ASSERT_TRUE(SSL_decline_handoff(server.get()));
4278
4279 ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
4280
4281 uint8_t byte = 42;
4282 EXPECT_EQ(SSL_write(client.get(), &byte, 1), 1);
4283 EXPECT_EQ(SSL_read(server.get(), &byte, 1), 1);
4284 EXPECT_EQ(42, byte);
4285
4286 byte = 43;
4287 EXPECT_EQ(SSL_write(server.get(), &byte, 1), 1);
4288 EXPECT_EQ(SSL_read(client.get(), &byte, 1), 1);
4289 EXPECT_EQ(43, byte);
4290 }
4291
SigAlgsToString(Span<const uint16_t> sigalgs)4292 static std::string SigAlgsToString(Span<const uint16_t> sigalgs) {
4293 std::string ret = "{";
4294
4295 for (uint16_t v : sigalgs) {
4296 if (ret.size() > 1) {
4297 ret += ", ";
4298 }
4299
4300 char buf[8];
4301 snprintf(buf, sizeof(buf) - 1, "0x%02x", v);
4302 buf[sizeof(buf)-1] = 0;
4303 ret += std::string(buf);
4304 }
4305
4306 ret += "}";
4307 return ret;
4308 }
4309
ExpectSigAlgsEqual(Span<const uint16_t> expected,Span<const uint16_t> actual)4310 void ExpectSigAlgsEqual(Span<const uint16_t> expected,
4311 Span<const uint16_t> actual) {
4312 bool matches = false;
4313 if (expected.size() == actual.size()) {
4314 matches = true;
4315
4316 for (size_t i = 0; i < expected.size(); i++) {
4317 if (expected[i] != actual[i]) {
4318 matches = false;
4319 break;
4320 }
4321 }
4322 }
4323
4324 if (!matches) {
4325 ADD_FAILURE() << "expected: " << SigAlgsToString(expected)
4326 << " got: " << SigAlgsToString(actual);
4327 }
4328 }
4329
TEST(SSLTest,SigAlgs)4330 TEST(SSLTest, SigAlgs) {
4331 static const struct {
4332 std::vector<int> input;
4333 bool ok;
4334 std::vector<uint16_t> expected;
4335 } kTests[] = {
4336 {{}, true, {}},
4337 {{1}, false, {}},
4338 {{1, 2, 3}, false, {}},
4339 {{NID_sha256, EVP_PKEY_ED25519}, false, {}},
4340 {{NID_sha256, EVP_PKEY_RSA, NID_sha256, EVP_PKEY_RSA}, false, {}},
4341
4342 {{NID_sha256, EVP_PKEY_RSA}, true, {SSL_SIGN_RSA_PKCS1_SHA256}},
4343 {{NID_sha512, EVP_PKEY_RSA}, true, {SSL_SIGN_RSA_PKCS1_SHA512}},
4344 {{NID_sha256, EVP_PKEY_RSA_PSS}, true, {SSL_SIGN_RSA_PSS_RSAE_SHA256}},
4345 {{NID_undef, EVP_PKEY_ED25519}, true, {SSL_SIGN_ED25519}},
4346 {{NID_undef, EVP_PKEY_ED25519, NID_sha384, EVP_PKEY_EC},
4347 true,
4348 {SSL_SIGN_ED25519, SSL_SIGN_ECDSA_SECP384R1_SHA384}},
4349 };
4350
4351 UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
4352
4353 unsigned n = 1;
4354 for (const auto &test : kTests) {
4355 SCOPED_TRACE(n++);
4356
4357 const bool ok =
4358 SSL_CTX_set1_sigalgs(ctx.get(), test.input.data(), test.input.size());
4359 EXPECT_EQ(ok, test.ok);
4360
4361 if (!ok) {
4362 ERR_clear_error();
4363 }
4364
4365 if (!test.ok) {
4366 continue;
4367 }
4368
4369 ExpectSigAlgsEqual(test.expected, ctx->cert->sigalgs);
4370 }
4371 }
4372
TEST(SSLTest,SigAlgsList)4373 TEST(SSLTest, SigAlgsList) {
4374 static const struct {
4375 const char *input;
4376 bool ok;
4377 std::vector<uint16_t> expected;
4378 } kTests[] = {
4379 {"", false, {}},
4380 {":", false, {}},
4381 {"+", false, {}},
4382 {"RSA", false, {}},
4383 {"RSA+", false, {}},
4384 {"RSA+SHA256:", false, {}},
4385 {":RSA+SHA256:", false, {}},
4386 {":RSA+SHA256+:", false, {}},
4387 {"!", false, {}},
4388 {"\x01", false, {}},
4389 {"RSA+SHA256:RSA+SHA384:RSA+SHA256", false, {}},
4390 {"RSA-PSS+SHA256:rsa_pss_rsae_sha256", false, {}},
4391
4392 {"RSA+SHA256", true, {SSL_SIGN_RSA_PKCS1_SHA256}},
4393 {"RSA+SHA256:ed25519",
4394 true,
4395 {SSL_SIGN_RSA_PKCS1_SHA256, SSL_SIGN_ED25519}},
4396 {"ECDSA+SHA256:RSA+SHA512",
4397 true,
4398 {SSL_SIGN_ECDSA_SECP256R1_SHA256, SSL_SIGN_RSA_PKCS1_SHA512}},
4399 {"ecdsa_secp256r1_sha256:rsa_pss_rsae_sha256",
4400 true,
4401 {SSL_SIGN_ECDSA_SECP256R1_SHA256, SSL_SIGN_RSA_PSS_RSAE_SHA256}},
4402 {"RSA-PSS+SHA256", true, {SSL_SIGN_RSA_PSS_RSAE_SHA256}},
4403 {"PSS+SHA256", true, {SSL_SIGN_RSA_PSS_RSAE_SHA256}},
4404 };
4405
4406 UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
4407
4408 unsigned n = 1;
4409 for (const auto &test : kTests) {
4410 SCOPED_TRACE(n++);
4411
4412 const bool ok = SSL_CTX_set1_sigalgs_list(ctx.get(), test.input);
4413 EXPECT_EQ(ok, test.ok);
4414
4415 if (!ok) {
4416 if (test.ok) {
4417 ERR_print_errors_fp(stderr);
4418 }
4419 ERR_clear_error();
4420 }
4421
4422 if (!test.ok) {
4423 continue;
4424 }
4425
4426 ExpectSigAlgsEqual(test.expected, ctx->cert->sigalgs);
4427 }
4428 }
4429
TEST(SSLTest,ApplyHandoffRemovesUnsupportedCiphers)4430 TEST(SSLTest, ApplyHandoffRemovesUnsupportedCiphers) {
4431 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
4432 bssl::UniquePtr<SSL> server(SSL_new(server_ctx.get()));
4433
4434 // handoff is a handoff message that has been artificially modified to pretend
4435 // that only cipher 0x0A is supported. When it is applied to |server|, all
4436 // ciphers but that one should be removed.
4437 //
4438 // To make a new one of these, try sticking this in the |Handoff| test above:
4439 //
4440 // hexdump(stderr, "", handoff.data(), handoff.size());
4441 // sed -e 's/\(..\)/0x\1, /g'
4442 //
4443 // and modify serialize_features() to emit only cipher 0x0A.
4444
4445 uint8_t handoff[] = {
4446 0x30, 0x81, 0x9a, 0x02, 0x01, 0x00, 0x04, 0x00, 0x04, 0x81, 0x82, 0x01,
4447 0x00, 0x00, 0x7e, 0x03, 0x03, 0x30, 0x8e, 0x8f, 0x79, 0xd2, 0x87, 0x39,
4448 0xc2, 0x23, 0x23, 0x13, 0xca, 0x3c, 0x80, 0x44, 0xfd, 0x80, 0x83, 0x62,
4449 0x3c, 0xcc, 0xf8, 0x76, 0xd3, 0x62, 0xbb, 0x54, 0xe3, 0xc4, 0x39, 0x24,
4450 0xa5, 0x00, 0x00, 0x1e, 0xc0, 0x2b, 0xc0, 0x2f, 0xc0, 0x2c, 0xc0, 0x30,
4451 0xcc, 0xa9, 0xcc, 0xa8, 0xc0, 0x09, 0xc0, 0x13, 0xc0, 0x0a, 0xc0, 0x14,
4452 0x00, 0x9c, 0x00, 0x9d, 0x00, 0x2f, 0x00, 0x35, 0x00, 0x0a, 0x01, 0x00,
4453 0x00, 0x37, 0x00, 0x17, 0x00, 0x00, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00,
4454 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00,
4455 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00,
4456 0x14, 0x00, 0x12, 0x04, 0x03, 0x08, 0x04, 0x04, 0x01, 0x05, 0x03, 0x08,
4457 0x05, 0x05, 0x01, 0x08, 0x06, 0x06, 0x01, 0x02, 0x01, 0x04, 0x02, 0x00,
4458 0x0a, 0x04, 0x0a, 0x00, 0x15, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x00,
4459 0x1d,
4460 };
4461
4462 EXPECT_EQ(20u, sk_SSL_CIPHER_num(SSL_get_ciphers(server.get())));
4463 ASSERT_TRUE(
4464 SSL_apply_handoff(server.get(), {handoff, OPENSSL_ARRAY_SIZE(handoff)}));
4465 EXPECT_EQ(1u, sk_SSL_CIPHER_num(SSL_get_ciphers(server.get())));
4466 }
4467
TEST(SSLTest,ApplyHandoffRemovesUnsupportedCurves)4468 TEST(SSLTest, ApplyHandoffRemovesUnsupportedCurves) {
4469 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
4470 bssl::UniquePtr<SSL> server(SSL_new(server_ctx.get()));
4471
4472 // handoff is a handoff message that has been artificially modified to pretend
4473 // that only one curve is supported. When it is applied to |server|, all
4474 // curves but that one should be removed.
4475 //
4476 // See |ApplyHandoffRemovesUnsupportedCiphers| for how to make a new one of
4477 // these.
4478 uint8_t handoff[] = {
4479 0x30, 0x81, 0xc0, 0x02, 0x01, 0x00, 0x04, 0x00, 0x04, 0x81, 0x82, 0x01,
4480 0x00, 0x00, 0x7e, 0x03, 0x03, 0x98, 0x30, 0xce, 0xd9, 0xb0, 0xdf, 0x5f,
4481 0x82, 0x05, 0x4a, 0x43, 0x67, 0x7e, 0xdb, 0x6a, 0x4f, 0x21, 0x18, 0x4e,
4482 0x0d, 0x94, 0x63, 0x18, 0x8b, 0x54, 0x89, 0xdb, 0x8b, 0x1d, 0x84, 0xbc,
4483 0x09, 0x00, 0x00, 0x1e, 0xc0, 0x2b, 0xc0, 0x2f, 0xc0, 0x2c, 0xc0, 0x30,
4484 0xcc, 0xa9, 0xcc, 0xa8, 0xc0, 0x09, 0xc0, 0x13, 0xc0, 0x0a, 0xc0, 0x14,
4485 0x00, 0x9c, 0x00, 0x9d, 0x00, 0x2f, 0x00, 0x35, 0x00, 0x0a, 0x01, 0x00,
4486 0x00, 0x37, 0x00, 0x17, 0x00, 0x00, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00,
4487 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00,
4488 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00,
4489 0x14, 0x00, 0x12, 0x04, 0x03, 0x08, 0x04, 0x04, 0x01, 0x05, 0x03, 0x08,
4490 0x05, 0x05, 0x01, 0x08, 0x06, 0x06, 0x01, 0x02, 0x01, 0x04, 0x30, 0x00,
4491 0x02, 0x00, 0x0a, 0x00, 0x2f, 0x00, 0x35, 0x00, 0x8c, 0x00, 0x8d, 0x00,
4492 0x9c, 0x00, 0x9d, 0x13, 0x01, 0x13, 0x02, 0x13, 0x03, 0xc0, 0x09, 0xc0,
4493 0x0a, 0xc0, 0x13, 0xc0, 0x14, 0xc0, 0x2b, 0xc0, 0x2c, 0xc0, 0x2f, 0xc0,
4494 0x30, 0xc0, 0x35, 0xc0, 0x36, 0xcc, 0xa8, 0xcc, 0xa9, 0xcc, 0xac, 0x04,
4495 0x02, 0x00, 0x17,
4496 };
4497
4498 // The zero length means that the default list of groups is used.
4499 EXPECT_EQ(0u, server->config->supported_group_list.size());
4500 ASSERT_TRUE(
4501 SSL_apply_handoff(server.get(), {handoff, OPENSSL_ARRAY_SIZE(handoff)}));
4502 EXPECT_EQ(1u, server->config->supported_group_list.size());
4503 }
4504
TEST(SSLTest,ZeroSizedWiteFlushesHandshakeMessages)4505 TEST(SSLTest, ZeroSizedWiteFlushesHandshakeMessages) {
4506 // If there are pending handshake mesages, an |SSL_write| of zero bytes should
4507 // flush them.
4508 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
4509 EXPECT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
4510 EXPECT_TRUE(SSL_CTX_set_min_proto_version(server_ctx.get(), TLS1_3_VERSION));
4511 bssl::UniquePtr<X509> cert = GetTestCertificate();
4512 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
4513 ASSERT_TRUE(cert);
4514 ASSERT_TRUE(key);
4515 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
4516 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
4517
4518 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
4519 EXPECT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION));
4520 EXPECT_TRUE(SSL_CTX_set_min_proto_version(client_ctx.get(), TLS1_3_VERSION));
4521
4522 bssl::UniquePtr<SSL> client, server;
4523 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
4524 server_ctx.get()));
4525
4526 BIO *client_wbio = SSL_get_wbio(client.get());
4527 EXPECT_EQ(0u, BIO_wpending(client_wbio));
4528 EXPECT_TRUE(SSL_key_update(client.get(), SSL_KEY_UPDATE_NOT_REQUESTED));
4529 EXPECT_EQ(0u, BIO_wpending(client_wbio));
4530 EXPECT_EQ(0, SSL_write(client.get(), nullptr, 0));
4531 EXPECT_NE(0u, BIO_wpending(client_wbio));
4532 }
4533
TEST_P(SSLVersionTest,VerifyBeforeCertRequest)4534 TEST_P(SSLVersionTest, VerifyBeforeCertRequest) {
4535 // Configure the server to request client certificates.
4536 SSL_CTX_set_custom_verify(
4537 server_ctx_.get(), SSL_VERIFY_PEER,
4538 [](SSL *ssl, uint8_t *out_alert) { return ssl_verify_ok; });
4539
4540 // Configure the client to reject the server certificate.
4541 SSL_CTX_set_custom_verify(
4542 client_ctx_.get(), SSL_VERIFY_PEER,
4543 [](SSL *ssl, uint8_t *out_alert) { return ssl_verify_invalid; });
4544
4545 // cert_cb should not be called. Verification should fail first.
4546 SSL_CTX_set_cert_cb(client_ctx_.get(),
4547 [](SSL *ssl, void *arg) {
4548 ADD_FAILURE() << "cert_cb unexpectedly called";
4549 return 0;
4550 },
4551 nullptr);
4552
4553 bssl::UniquePtr<SSL> client, server;
4554 EXPECT_FALSE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
4555 server_ctx_.get()));
4556 }
4557
4558 // Test that ticket-based sessions on the client get fake session IDs.
TEST_P(SSLVersionTest,FakeIDsForTickets)4559 TEST_P(SSLVersionTest, FakeIDsForTickets) {
4560 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
4561 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
4562
4563 bssl::UniquePtr<SSL_SESSION> session =
4564 CreateClientSession(client_ctx_.get(), server_ctx_.get());
4565 ASSERT_TRUE(session);
4566
4567 EXPECT_TRUE(SSL_SESSION_has_ticket(session.get()));
4568 unsigned session_id_length;
4569 SSL_SESSION_get_id(session.get(), &session_id_length);
4570 EXPECT_NE(session_id_length, 0u);
4571 }
4572
4573 // These tests test multi-threaded behavior. They are intended to run with
4574 // ThreadSanitizer.
4575 #if defined(OPENSSL_THREADS)
TEST_P(SSLVersionTest,SessionCacheThreads)4576 TEST_P(SSLVersionTest, SessionCacheThreads) {
4577 SSL_CTX_set_options(server_ctx_.get(), SSL_OP_NO_TICKET);
4578 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
4579 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
4580
4581 if (version() == TLS1_3_VERSION) {
4582 // Our TLS 1.3 implementation does not support stateful resumption.
4583 ASSERT_FALSE(CreateClientSession(client_ctx_.get(), server_ctx_.get()));
4584 return;
4585 }
4586
4587 // Establish two client sessions to test with.
4588 bssl::UniquePtr<SSL_SESSION> session1 =
4589 CreateClientSession(client_ctx_.get(), server_ctx_.get());
4590 ASSERT_TRUE(session1);
4591 bssl::UniquePtr<SSL_SESSION> session2 =
4592 CreateClientSession(client_ctx_.get(), server_ctx_.get());
4593 ASSERT_TRUE(session2);
4594
4595 auto connect_with_session = [&](SSL_SESSION *session) {
4596 ClientConfig config;
4597 config.session = session;
4598 UniquePtr<SSL> client, server;
4599 EXPECT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
4600 server_ctx_.get(), config));
4601 };
4602
4603 // Resume sessions in parallel with establishing new ones.
4604 {
4605 std::vector<std::thread> threads;
4606 threads.emplace_back([&] { connect_with_session(nullptr); });
4607 threads.emplace_back([&] { connect_with_session(nullptr); });
4608 threads.emplace_back([&] { connect_with_session(session1.get()); });
4609 threads.emplace_back([&] { connect_with_session(session1.get()); });
4610 threads.emplace_back([&] { connect_with_session(session2.get()); });
4611 threads.emplace_back([&] { connect_with_session(session2.get()); });
4612 for (auto &thread : threads) {
4613 thread.join();
4614 }
4615 }
4616
4617 // Hit the maximum session cache size across multiple threads
4618 size_t limit = SSL_CTX_sess_number(server_ctx_.get()) + 2;
4619 SSL_CTX_sess_set_cache_size(server_ctx_.get(), limit);
4620 {
4621 std::vector<std::thread> threads;
4622 for (int i = 0; i < 4; i++) {
4623 threads.emplace_back([&]() {
4624 connect_with_session(nullptr);
4625 EXPECT_LE(SSL_CTX_sess_number(server_ctx_.get()), limit);
4626 });
4627 }
4628 for (auto &thread : threads) {
4629 thread.join();
4630 }
4631 EXPECT_EQ(SSL_CTX_sess_number(server_ctx_.get()), limit);
4632 }
4633 }
4634
TEST_P(SSLVersionTest,SessionTicketThreads)4635 TEST_P(SSLVersionTest, SessionTicketThreads) {
4636 for (bool renew_ticket : {false, true}) {
4637 SCOPED_TRACE(renew_ticket);
4638 ResetContexts();
4639 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
4640 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
4641 if (renew_ticket) {
4642 SSL_CTX_set_tlsext_ticket_key_cb(server_ctx_.get(), RenewTicketCallback);
4643 }
4644
4645 // Establish two client sessions to test with.
4646 bssl::UniquePtr<SSL_SESSION> session1 =
4647 CreateClientSession(client_ctx_.get(), server_ctx_.get());
4648 ASSERT_TRUE(session1);
4649 bssl::UniquePtr<SSL_SESSION> session2 =
4650 CreateClientSession(client_ctx_.get(), server_ctx_.get());
4651 ASSERT_TRUE(session2);
4652
4653 auto connect_with_session = [&](SSL_SESSION *session) {
4654 ClientConfig config;
4655 config.session = session;
4656 UniquePtr<SSL> client, server;
4657 EXPECT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
4658 server_ctx_.get(), config));
4659 };
4660
4661 // Resume sessions in parallel with establishing new ones.
4662 {
4663 std::vector<std::thread> threads;
4664 threads.emplace_back([&] { connect_with_session(nullptr); });
4665 threads.emplace_back([&] { connect_with_session(nullptr); });
4666 threads.emplace_back([&] { connect_with_session(session1.get()); });
4667 threads.emplace_back([&] { connect_with_session(session1.get()); });
4668 threads.emplace_back([&] { connect_with_session(session2.get()); });
4669 threads.emplace_back([&] { connect_with_session(session2.get()); });
4670 for (auto &thread : threads) {
4671 thread.join();
4672 }
4673 }
4674 }
4675 }
4676
4677 // SSL_CTX_get0_certificate needs to lock internally. Test this works.
TEST(SSLTest,GetCertificateThreads)4678 TEST(SSLTest, GetCertificateThreads) {
4679 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
4680 ASSERT_TRUE(ctx);
4681 bssl::UniquePtr<X509> cert = GetTestCertificate();
4682 ASSERT_TRUE(cert);
4683 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), cert.get()));
4684
4685 // Existing code expects |SSL_CTX_get0_certificate| to be callable from two
4686 // threads concurrently. It originally was an immutable operation. Now we
4687 // implement it with a thread-safe cache, so it is worth testing.
4688 X509 *cert2_thread;
4689 std::thread thread(
4690 [&] { cert2_thread = SSL_CTX_get0_certificate(ctx.get()); });
4691 X509 *cert2 = SSL_CTX_get0_certificate(ctx.get());
4692 thread.join();
4693
4694 EXPECT_EQ(cert2, cert2_thread);
4695 EXPECT_EQ(0, X509_cmp(cert.get(), cert2));
4696 }
4697
4698 // Functions which access properties on the negotiated session are thread-safe
4699 // where needed. Prior to TLS 1.3, clients resuming sessions and servers
4700 // performing stateful resumption will share an underlying SSL_SESSION object,
4701 // potentially across threads.
TEST_P(SSLVersionTest,SessionPropertiesThreads)4702 TEST_P(SSLVersionTest, SessionPropertiesThreads) {
4703 if (version() == TLS1_3_VERSION) {
4704 // Our TLS 1.3 implementation does not support stateful resumption.
4705 ASSERT_FALSE(CreateClientSession(client_ctx_.get(), server_ctx_.get()));
4706 return;
4707 }
4708
4709 SSL_CTX_set_options(server_ctx_.get(), SSL_OP_NO_TICKET);
4710 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
4711 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
4712
4713 ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
4714 ASSERT_TRUE(UseCertAndKey(server_ctx_.get()));
4715
4716 // Configure mutual authentication, so we have more session state.
4717 SSL_CTX_set_custom_verify(
4718 client_ctx_.get(), SSL_VERIFY_PEER,
4719 [](SSL *ssl, uint8_t *out_alert) { return ssl_verify_ok; });
4720 SSL_CTX_set_custom_verify(
4721 server_ctx_.get(), SSL_VERIFY_PEER,
4722 [](SSL *ssl, uint8_t *out_alert) { return ssl_verify_ok; });
4723
4724 // Establish a client session to test with.
4725 bssl::UniquePtr<SSL_SESSION> session =
4726 CreateClientSession(client_ctx_.get(), server_ctx_.get());
4727 ASSERT_TRUE(session);
4728
4729 // Resume with it twice.
4730 UniquePtr<SSL> ssls[4];
4731 ClientConfig config;
4732 config.session = session.get();
4733 ASSERT_TRUE(ConnectClientAndServer(&ssls[0], &ssls[1], client_ctx_.get(),
4734 server_ctx_.get(), config));
4735 ASSERT_TRUE(ConnectClientAndServer(&ssls[2], &ssls[3], client_ctx_.get(),
4736 server_ctx_.get(), config));
4737
4738 // Read properties in parallel.
4739 auto read_properties = [](const SSL *ssl) {
4740 EXPECT_TRUE(SSL_get_peer_cert_chain(ssl));
4741 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(ssl));
4742 EXPECT_TRUE(peer);
4743 EXPECT_TRUE(SSL_get_current_cipher(ssl));
4744 EXPECT_TRUE(SSL_get_curve_id(ssl));
4745 };
4746
4747 std::vector<std::thread> threads;
4748 for (const auto &ssl_ptr : ssls) {
4749 const SSL *ssl = ssl_ptr.get();
4750 threads.emplace_back([=] { read_properties(ssl); });
4751 }
4752 for (auto &thread : threads) {
4753 thread.join();
4754 }
4755 }
4756 #endif // OPENSSL_THREADS
4757
4758 constexpr size_t kNumQUICLevels = 4;
4759 static_assert(ssl_encryption_initial < kNumQUICLevels,
4760 "kNumQUICLevels is wrong");
4761 static_assert(ssl_encryption_early_data < kNumQUICLevels,
4762 "kNumQUICLevels is wrong");
4763 static_assert(ssl_encryption_handshake < kNumQUICLevels,
4764 "kNumQUICLevels is wrong");
4765 static_assert(ssl_encryption_application < kNumQUICLevels,
4766 "kNumQUICLevels is wrong");
4767
4768 class MockQUICTransport {
4769 public:
4770 enum class Role { kClient, kServer };
4771
MockQUICTransport(Role role)4772 explicit MockQUICTransport(Role role) : role_(role) {
4773 // The caller is expected to configure initial secrets.
4774 levels_[ssl_encryption_initial].write_secret = {1};
4775 levels_[ssl_encryption_initial].read_secret = {1};
4776 }
4777
set_peer(MockQUICTransport * peer)4778 void set_peer(MockQUICTransport *peer) { peer_ = peer; }
4779
has_alert() const4780 bool has_alert() const { return has_alert_; }
alert_level() const4781 ssl_encryption_level_t alert_level() const { return alert_level_; }
alert() const4782 uint8_t alert() const { return alert_; }
4783
PeerSecretsMatch(ssl_encryption_level_t level) const4784 bool PeerSecretsMatch(ssl_encryption_level_t level) const {
4785 return levels_[level].write_secret == peer_->levels_[level].read_secret &&
4786 levels_[level].read_secret == peer_->levels_[level].write_secret &&
4787 levels_[level].cipher == peer_->levels_[level].cipher;
4788 }
4789
HasSecrets(ssl_encryption_level_t level) const4790 bool HasSecrets(ssl_encryption_level_t level) const {
4791 return !levels_[level].write_secret.empty() ||
4792 !levels_[level].read_secret.empty();
4793 }
4794
SetEncryptionSecrets(ssl_encryption_level_t level,const uint8_t * read_secret,const uint8_t * write_secret,size_t secret_len,const SSL_CIPHER * cipher)4795 bool SetEncryptionSecrets(ssl_encryption_level_t level,
4796 const uint8_t *read_secret,
4797 const uint8_t *write_secret, size_t secret_len,
4798 const SSL_CIPHER *cipher) {
4799 if (HasSecrets(level)) {
4800 ADD_FAILURE() << "duplicate keys configured";
4801 return false;
4802 }
4803
4804 if (cipher == nullptr) {
4805 ADD_FAILURE() << "current cipher unavailable";
4806 return false;
4807 }
4808
4809 bool expect_read_secret = true, expect_write_secret = true;
4810 if (level == ssl_encryption_early_data) {
4811 if (role_ == Role::kClient) {
4812 expect_read_secret = false;
4813 } else {
4814 expect_write_secret = false;
4815 }
4816 }
4817
4818 if (expect_read_secret) {
4819 if (read_secret == nullptr) {
4820 ADD_FAILURE() << "read secret was unexpectedly null";
4821 return false;
4822 }
4823 levels_[level].read_secret.assign(read_secret, read_secret + secret_len);
4824 } else if (read_secret != nullptr) {
4825 ADD_FAILURE() << "unexpected read secret";
4826 return false;
4827 }
4828
4829 if (expect_write_secret) {
4830 if (write_secret == nullptr) {
4831 ADD_FAILURE() << "write secret was unexpectedly null";
4832 return false;
4833 }
4834 levels_[level].write_secret.assign(write_secret,
4835 write_secret + secret_len);
4836 } else if (write_secret != nullptr) {
4837 ADD_FAILURE() << "unexpected write secret";
4838 return false;
4839 }
4840
4841 levels_[level].cipher = SSL_CIPHER_get_id(cipher);
4842 return true;
4843 }
4844
WriteHandshakeData(ssl_encryption_level_t level,Span<const uint8_t> data)4845 bool WriteHandshakeData(ssl_encryption_level_t level,
4846 Span<const uint8_t> data) {
4847 if (levels_[level].write_secret.empty()) {
4848 ADD_FAILURE() << "data written before keys configured";
4849 return false;
4850 }
4851 levels_[level].write_data.insert(levels_[level].write_data.end(),
4852 data.begin(), data.end());
4853 return true;
4854 }
4855
SendAlert(ssl_encryption_level_t level,uint8_t alert_value)4856 bool SendAlert(ssl_encryption_level_t level, uint8_t alert_value) {
4857 if (has_alert_) {
4858 ADD_FAILURE() << "duplicate alert sent";
4859 return false;
4860 }
4861
4862 if (levels_[level].write_secret.empty()) {
4863 ADD_FAILURE() << "alert sent before keys configured";
4864 return false;
4865 }
4866
4867 has_alert_ = true;
4868 alert_level_ = level;
4869 alert_ = alert_value;
4870 return true;
4871 }
4872
ReadHandshakeData(std::vector<uint8_t> * out,ssl_encryption_level_t level,size_t num=std::numeric_limits<size_t>::max ())4873 bool ReadHandshakeData(std::vector<uint8_t> *out,
4874 ssl_encryption_level_t level,
4875 size_t num = std::numeric_limits<size_t>::max()) {
4876 if (levels_[level].read_secret.empty()) {
4877 ADD_FAILURE() << "data read before keys configured in level " << level;
4878 return false;
4879 }
4880 // The peer may not have configured any keys yet.
4881 if (peer_->levels_[level].write_secret.empty()) {
4882 out->clear();
4883 return true;
4884 }
4885 // Check the peer computed the same key.
4886 if (peer_->levels_[level].write_secret != levels_[level].read_secret) {
4887 ADD_FAILURE() << "peer write key does not match read key in level "
4888 << level;
4889 return false;
4890 }
4891 if (peer_->levels_[level].cipher != levels_[level].cipher) {
4892 ADD_FAILURE() << "peer cipher does not match in level " << level;
4893 return false;
4894 }
4895 std::vector<uint8_t> *peer_data = &peer_->levels_[level].write_data;
4896 num = std::min(num, peer_data->size());
4897 out->assign(peer_data->begin(), peer_data->begin() + num);
4898 peer_data->erase(peer_data->begin(), peer_data->begin() + num);
4899 return true;
4900 }
4901
4902 private:
4903 Role role_;
4904 MockQUICTransport *peer_ = nullptr;
4905
4906 bool has_alert_ = false;
4907 ssl_encryption_level_t alert_level_ = ssl_encryption_initial;
4908 uint8_t alert_ = 0;
4909
4910 struct Level {
4911 std::vector<uint8_t> write_data;
4912 std::vector<uint8_t> write_secret;
4913 std::vector<uint8_t> read_secret;
4914 uint32_t cipher = 0;
4915 };
4916 Level levels_[kNumQUICLevels];
4917 };
4918
4919 class MockQUICTransportPair {
4920 public:
MockQUICTransportPair()4921 MockQUICTransportPair()
4922 : client_(MockQUICTransport::Role::kClient),
4923 server_(MockQUICTransport::Role::kServer) {
4924 client_.set_peer(&server_);
4925 server_.set_peer(&client_);
4926 }
4927
~MockQUICTransportPair()4928 ~MockQUICTransportPair() {
4929 client_.set_peer(nullptr);
4930 server_.set_peer(nullptr);
4931 }
4932
client()4933 MockQUICTransport *client() { return &client_; }
server()4934 MockQUICTransport *server() { return &server_; }
4935
SecretsMatch(ssl_encryption_level_t level) const4936 bool SecretsMatch(ssl_encryption_level_t level) const {
4937 return client_.HasSecrets(level) && server_.HasSecrets(level) &&
4938 client_.PeerSecretsMatch(level);
4939 }
4940
4941 private:
4942 MockQUICTransport client_;
4943 MockQUICTransport server_;
4944 };
4945
4946 class QUICMethodTest : public testing::Test {
4947 protected:
SetUp()4948 void SetUp() override {
4949 client_ctx_.reset(SSL_CTX_new(TLS_method()));
4950 server_ctx_.reset(SSL_CTX_new(TLS_method()));
4951 ASSERT_TRUE(client_ctx_);
4952 ASSERT_TRUE(server_ctx_);
4953
4954 bssl::UniquePtr<X509> cert = GetTestCertificate();
4955 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
4956 ASSERT_TRUE(cert);
4957 ASSERT_TRUE(key);
4958 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx_.get(), cert.get()));
4959 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx_.get(), key.get()));
4960
4961 SSL_CTX_set_min_proto_version(server_ctx_.get(), TLS1_3_VERSION);
4962 SSL_CTX_set_max_proto_version(server_ctx_.get(), TLS1_3_VERSION);
4963 SSL_CTX_set_min_proto_version(client_ctx_.get(), TLS1_3_VERSION);
4964 SSL_CTX_set_max_proto_version(client_ctx_.get(), TLS1_3_VERSION);
4965 }
4966
TransportFromSSL(const SSL * ssl)4967 static MockQUICTransport *TransportFromSSL(const SSL *ssl) {
4968 return ex_data_.Get(ssl);
4969 }
4970
ProvideHandshakeData(SSL * ssl,size_t num=std::numeric_limits<size_t>::max ())4971 static bool ProvideHandshakeData(
4972 SSL *ssl, size_t num = std::numeric_limits<size_t>::max()) {
4973 MockQUICTransport *transport = TransportFromSSL(ssl);
4974 ssl_encryption_level_t level = SSL_quic_read_level(ssl);
4975 std::vector<uint8_t> data;
4976 return transport->ReadHandshakeData(&data, level, num) &&
4977 SSL_provide_quic_data(ssl, level, data.data(), data.size());
4978 }
4979
CreateClientAndServer()4980 bool CreateClientAndServer() {
4981 client_.reset(SSL_new(client_ctx_.get()));
4982 server_.reset(SSL_new(server_ctx_.get()));
4983 if (!client_ || !server_) {
4984 return false;
4985 }
4986
4987 SSL_set_connect_state(client_.get());
4988 SSL_set_accept_state(server_.get());
4989
4990 transport_.reset(new MockQUICTransportPair);
4991 ex_data_.Set(client_.get(), transport_->client());
4992 ex_data_.Set(server_.get(), transport_->server());
4993 return true;
4994 }
4995
4996 // CompleteHandshakesForQUIC runs |SSL_do_handshake| on |client_| and
4997 // |server_| until each completes once. It returns true on success and false
4998 // on failure.
CompleteHandshakesForQUIC()4999 bool CompleteHandshakesForQUIC() {
5000 bool client_done = false, server_done = false;
5001 while (!client_done || !server_done) {
5002 if (!client_done) {
5003 if (!ProvideHandshakeData(client_.get())) {
5004 ADD_FAILURE() << "ProvideHandshakeData(client_) failed";
5005 return false;
5006 }
5007 int client_ret = SSL_do_handshake(client_.get());
5008 if (client_ret == 1) {
5009 client_done = true;
5010 } else {
5011 EXPECT_EQ(client_ret, -1);
5012 EXPECT_EQ(SSL_get_error(client_.get(), client_ret),
5013 SSL_ERROR_WANT_READ);
5014 }
5015 }
5016
5017 if (!server_done) {
5018 if (!ProvideHandshakeData(server_.get())) {
5019 ADD_FAILURE() << "ProvideHandshakeData(server_) failed";
5020 return false;
5021 }
5022 int server_ret = SSL_do_handshake(server_.get());
5023 if (server_ret == 1) {
5024 server_done = true;
5025 } else {
5026 EXPECT_EQ(server_ret, -1);
5027 EXPECT_EQ(SSL_get_error(server_.get(), server_ret),
5028 SSL_ERROR_WANT_READ);
5029 }
5030 }
5031 }
5032 return true;
5033 }
5034
CreateClientSessionForQUIC()5035 bssl::UniquePtr<SSL_SESSION> CreateClientSessionForQUIC() {
5036 g_last_session = nullptr;
5037 SSL_CTX_sess_set_new_cb(client_ctx_.get(), SaveLastSession);
5038 if (!CreateClientAndServer() ||
5039 !CompleteHandshakesForQUIC()) {
5040 return nullptr;
5041 }
5042
5043 // The server sent NewSessionTicket messages in the handshake.
5044 if (!ProvideHandshakeData(client_.get()) ||
5045 !SSL_process_quic_post_handshake(client_.get())) {
5046 return nullptr;
5047 }
5048
5049 return std::move(g_last_session);
5050 }
5051
ExpectHandshakeSuccess()5052 void ExpectHandshakeSuccess() {
5053 EXPECT_TRUE(transport_->SecretsMatch(ssl_encryption_application));
5054 EXPECT_EQ(ssl_encryption_application, SSL_quic_read_level(client_.get()));
5055 EXPECT_EQ(ssl_encryption_application, SSL_quic_write_level(client_.get()));
5056 EXPECT_EQ(ssl_encryption_application, SSL_quic_read_level(server_.get()));
5057 EXPECT_EQ(ssl_encryption_application, SSL_quic_write_level(server_.get()));
5058 EXPECT_FALSE(transport_->client()->has_alert());
5059 EXPECT_FALSE(transport_->server()->has_alert());
5060
5061 // SSL_do_handshake is now idempotent.
5062 EXPECT_EQ(SSL_do_handshake(client_.get()), 1);
5063 EXPECT_EQ(SSL_do_handshake(server_.get()), 1);
5064 }
5065
5066 // The following functions may be configured on an |SSL_QUIC_METHOD| as
5067 // default implementations.
5068
SetEncryptionSecretsCallback(SSL * ssl,ssl_encryption_level_t level,const uint8_t * read_key,const uint8_t * write_key,size_t key_len)5069 static int SetEncryptionSecretsCallback(SSL *ssl,
5070 ssl_encryption_level_t level,
5071 const uint8_t *read_key,
5072 const uint8_t *write_key,
5073 size_t key_len) {
5074 return TransportFromSSL(ssl)->SetEncryptionSecrets(
5075 level, read_key, write_key, key_len, SSL_get_current_cipher(ssl));
5076 }
5077
AddHandshakeDataCallback(SSL * ssl,enum ssl_encryption_level_t level,const uint8_t * data,size_t len)5078 static int AddHandshakeDataCallback(SSL *ssl,
5079 enum ssl_encryption_level_t level,
5080 const uint8_t *data, size_t len) {
5081 EXPECT_EQ(level, SSL_quic_write_level(ssl));
5082 return TransportFromSSL(ssl)->WriteHandshakeData(level,
5083 MakeConstSpan(data, len));
5084 }
5085
FlushFlightCallback(SSL * ssl)5086 static int FlushFlightCallback(SSL *ssl) { return 1; }
5087
SendAlertCallback(SSL * ssl,ssl_encryption_level_t level,uint8_t alert)5088 static int SendAlertCallback(SSL *ssl, ssl_encryption_level_t level,
5089 uint8_t alert) {
5090 EXPECT_EQ(level, SSL_quic_write_level(ssl));
5091 return TransportFromSSL(ssl)->SendAlert(level, alert);
5092 }
5093
5094 bssl::UniquePtr<SSL_CTX> client_ctx_;
5095 bssl::UniquePtr<SSL_CTX> server_ctx_;
5096
5097 static UnownedSSLExData<MockQUICTransport> ex_data_;
5098 std::unique_ptr<MockQUICTransportPair> transport_;
5099
5100 bssl::UniquePtr<SSL> client_;
5101 bssl::UniquePtr<SSL> server_;
5102 };
5103
5104 UnownedSSLExData<MockQUICTransport> QUICMethodTest::ex_data_;
5105
5106 // Test a full handshake and resumption work.
TEST_F(QUICMethodTest,Basic)5107 TEST_F(QUICMethodTest, Basic) {
5108 const SSL_QUIC_METHOD quic_method = {
5109 SetEncryptionSecretsCallback,
5110 AddHandshakeDataCallback,
5111 FlushFlightCallback,
5112 SendAlertCallback,
5113 };
5114
5115 g_last_session = nullptr;
5116
5117 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
5118 SSL_CTX_sess_set_new_cb(client_ctx_.get(), SaveLastSession);
5119 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
5120 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
5121
5122 ASSERT_TRUE(CreateClientAndServer());
5123 ASSERT_TRUE(CompleteHandshakesForQUIC());
5124
5125 ExpectHandshakeSuccess();
5126 EXPECT_FALSE(SSL_session_reused(client_.get()));
5127 EXPECT_FALSE(SSL_session_reused(server_.get()));
5128
5129 // The server sent NewSessionTicket messages in the handshake.
5130 EXPECT_FALSE(g_last_session);
5131 ASSERT_TRUE(ProvideHandshakeData(client_.get()));
5132 EXPECT_EQ(SSL_process_quic_post_handshake(client_.get()), 1);
5133 EXPECT_TRUE(g_last_session);
5134
5135 // Create a second connection to verify resumption works.
5136 ASSERT_TRUE(CreateClientAndServer());
5137 bssl::UniquePtr<SSL_SESSION> session = std::move(g_last_session);
5138 SSL_set_session(client_.get(), session.get());
5139
5140 ASSERT_TRUE(CompleteHandshakesForQUIC());
5141
5142 ExpectHandshakeSuccess();
5143 EXPECT_TRUE(SSL_session_reused(client_.get()));
5144 EXPECT_TRUE(SSL_session_reused(server_.get()));
5145 }
5146
5147 // Test that HelloRetryRequest in QUIC works.
TEST_F(QUICMethodTest,HelloRetryRequest)5148 TEST_F(QUICMethodTest, HelloRetryRequest) {
5149 const SSL_QUIC_METHOD quic_method = {
5150 SetEncryptionSecretsCallback,
5151 AddHandshakeDataCallback,
5152 FlushFlightCallback,
5153 SendAlertCallback,
5154 };
5155
5156 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
5157 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
5158
5159 // BoringSSL predicts the most preferred curve, so using different preferences
5160 // will trigger HelloRetryRequest.
5161 static const int kClientPrefs[] = {NID_X25519, NID_X9_62_prime256v1};
5162 ASSERT_TRUE(SSL_CTX_set1_curves(client_ctx_.get(), kClientPrefs,
5163 OPENSSL_ARRAY_SIZE(kClientPrefs)));
5164 static const int kServerPrefs[] = {NID_X9_62_prime256v1, NID_X25519};
5165 ASSERT_TRUE(SSL_CTX_set1_curves(server_ctx_.get(), kServerPrefs,
5166 OPENSSL_ARRAY_SIZE(kServerPrefs)));
5167
5168 ASSERT_TRUE(CreateClientAndServer());
5169 ASSERT_TRUE(CompleteHandshakesForQUIC());
5170 ExpectHandshakeSuccess();
5171 }
5172
TEST_F(QUICMethodTest,ZeroRTTAccept)5173 TEST_F(QUICMethodTest, ZeroRTTAccept) {
5174 const SSL_QUIC_METHOD quic_method = {
5175 SetEncryptionSecretsCallback,
5176 AddHandshakeDataCallback,
5177 FlushFlightCallback,
5178 SendAlertCallback,
5179 };
5180
5181 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
5182 SSL_CTX_set_early_data_enabled(client_ctx_.get(), 1);
5183 SSL_CTX_set_early_data_enabled(server_ctx_.get(), 1);
5184 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
5185 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
5186
5187 bssl::UniquePtr<SSL_SESSION> session = CreateClientSessionForQUIC();
5188 ASSERT_TRUE(session);
5189
5190 ASSERT_TRUE(CreateClientAndServer());
5191 SSL_set_session(client_.get(), session.get());
5192
5193 // The client handshake should return immediately into the early data state.
5194 ASSERT_EQ(SSL_do_handshake(client_.get()), 1);
5195 EXPECT_TRUE(SSL_in_early_data(client_.get()));
5196 // The transport should have keys for sending 0-RTT data.
5197 EXPECT_TRUE(
5198 transport_->client()->HasSecrets(ssl_encryption_early_data));
5199
5200 // The server will consume the ClientHello and also enter the early data
5201 // state.
5202 ASSERT_TRUE(ProvideHandshakeData(server_.get()));
5203 ASSERT_EQ(SSL_do_handshake(server_.get()), 1);
5204 EXPECT_TRUE(SSL_in_early_data(server_.get()));
5205 EXPECT_TRUE(transport_->SecretsMatch(ssl_encryption_early_data));
5206 // The transport should have keys for sending half-RTT data.
5207 EXPECT_TRUE(
5208 transport_->server()->HasSecrets(ssl_encryption_application));
5209
5210 // Finish up the client and server handshakes.
5211 ASSERT_TRUE(CompleteHandshakesForQUIC());
5212
5213 // Both sides can now exchange 1-RTT data.
5214 ExpectHandshakeSuccess();
5215 EXPECT_TRUE(SSL_session_reused(client_.get()));
5216 EXPECT_TRUE(SSL_session_reused(server_.get()));
5217 EXPECT_FALSE(SSL_in_early_data(client_.get()));
5218 EXPECT_FALSE(SSL_in_early_data(server_.get()));
5219 EXPECT_TRUE(SSL_early_data_accepted(client_.get()));
5220 EXPECT_TRUE(SSL_early_data_accepted(server_.get()));
5221 }
5222
TEST_F(QUICMethodTest,ZeroRTTReject)5223 TEST_F(QUICMethodTest, ZeroRTTReject) {
5224 const SSL_QUIC_METHOD quic_method = {
5225 SetEncryptionSecretsCallback,
5226 AddHandshakeDataCallback,
5227 FlushFlightCallback,
5228 SendAlertCallback,
5229 };
5230
5231 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
5232 SSL_CTX_set_early_data_enabled(client_ctx_.get(), 1);
5233 SSL_CTX_set_early_data_enabled(server_ctx_.get(), 1);
5234 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
5235 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
5236
5237 bssl::UniquePtr<SSL_SESSION> session = CreateClientSessionForQUIC();
5238 ASSERT_TRUE(session);
5239
5240 for (bool reject_hrr : {false, true}) {
5241 SCOPED_TRACE(reject_hrr);
5242
5243 ASSERT_TRUE(CreateClientAndServer());
5244 if (reject_hrr) {
5245 // Configure the server to prefer P-256, which will reject 0-RTT via
5246 // HelloRetryRequest.
5247 int p256 = NID_X9_62_prime256v1;
5248 ASSERT_TRUE(SSL_set1_curves(server_.get(), &p256, 1));
5249 } else {
5250 // Disable 0-RTT on the server, so it will reject it.
5251 SSL_set_early_data_enabled(server_.get(), 0);
5252 }
5253 SSL_set_session(client_.get(), session.get());
5254
5255 // The client handshake should return immediately into the early data state.
5256 ASSERT_EQ(SSL_do_handshake(client_.get()), 1);
5257 EXPECT_TRUE(SSL_in_early_data(client_.get()));
5258 // The transport should have keys for sending 0-RTT data.
5259 EXPECT_TRUE(transport_->client()->HasSecrets(ssl_encryption_early_data));
5260
5261 // The server will consume the ClientHello, but it will not accept 0-RTT.
5262 ASSERT_TRUE(ProvideHandshakeData(server_.get()));
5263 ASSERT_EQ(SSL_do_handshake(server_.get()), -1);
5264 EXPECT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(server_.get(), -1));
5265 EXPECT_FALSE(SSL_in_early_data(server_.get()));
5266 EXPECT_FALSE(transport_->server()->HasSecrets(ssl_encryption_early_data));
5267
5268 // The client consumes the server response and signals 0-RTT rejection.
5269 for (;;) {
5270 ASSERT_TRUE(ProvideHandshakeData(client_.get()));
5271 ASSERT_EQ(-1, SSL_do_handshake(client_.get()));
5272 int err = SSL_get_error(client_.get(), -1);
5273 if (err == SSL_ERROR_EARLY_DATA_REJECTED) {
5274 break;
5275 }
5276 ASSERT_EQ(SSL_ERROR_WANT_READ, err);
5277 }
5278
5279 // As in TLS over TCP, 0-RTT rejection is sticky.
5280 ASSERT_EQ(-1, SSL_do_handshake(client_.get()));
5281 ASSERT_EQ(SSL_ERROR_EARLY_DATA_REJECTED, SSL_get_error(client_.get(), -1));
5282
5283 // Finish up the client and server handshakes.
5284 SSL_reset_early_data_reject(client_.get());
5285 ASSERT_TRUE(CompleteHandshakesForQUIC());
5286
5287 // Both sides can now exchange 1-RTT data.
5288 ExpectHandshakeSuccess();
5289 EXPECT_TRUE(SSL_session_reused(client_.get()));
5290 EXPECT_TRUE(SSL_session_reused(server_.get()));
5291 EXPECT_FALSE(SSL_in_early_data(client_.get()));
5292 EXPECT_FALSE(SSL_in_early_data(server_.get()));
5293 EXPECT_FALSE(SSL_early_data_accepted(client_.get()));
5294 EXPECT_FALSE(SSL_early_data_accepted(server_.get()));
5295 }
5296 }
5297
5298 // Test only releasing data to QUIC one byte at a time on request, to maximize
5299 // state machine pauses. Additionally, test that existing asynchronous callbacks
5300 // still work.
TEST_F(QUICMethodTest,Async)5301 TEST_F(QUICMethodTest, Async) {
5302 const SSL_QUIC_METHOD quic_method = {
5303 SetEncryptionSecretsCallback,
5304 AddHandshakeDataCallback,
5305 FlushFlightCallback,
5306 SendAlertCallback,
5307 };
5308
5309 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
5310 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
5311 ASSERT_TRUE(CreateClientAndServer());
5312
5313 // Install an asynchronous certificate callback.
5314 bool cert_cb_ok = false;
5315 SSL_set_cert_cb(server_.get(),
5316 [](SSL *, void *arg) -> int {
5317 return *static_cast<bool *>(arg) ? 1 : -1;
5318 },
5319 &cert_cb_ok);
5320
5321 for (;;) {
5322 int client_ret = SSL_do_handshake(client_.get());
5323 if (client_ret != 1) {
5324 ASSERT_EQ(client_ret, -1);
5325 ASSERT_EQ(SSL_get_error(client_.get(), client_ret), SSL_ERROR_WANT_READ);
5326 ASSERT_TRUE(ProvideHandshakeData(client_.get(), 1));
5327 }
5328
5329 int server_ret = SSL_do_handshake(server_.get());
5330 if (server_ret != 1) {
5331 ASSERT_EQ(server_ret, -1);
5332 int ssl_err = SSL_get_error(server_.get(), server_ret);
5333 switch (ssl_err) {
5334 case SSL_ERROR_WANT_READ:
5335 ASSERT_TRUE(ProvideHandshakeData(server_.get(), 1));
5336 break;
5337 case SSL_ERROR_WANT_X509_LOOKUP:
5338 ASSERT_FALSE(cert_cb_ok);
5339 cert_cb_ok = true;
5340 break;
5341 default:
5342 FAIL() << "Unexpected SSL_get_error result: " << ssl_err;
5343 }
5344 }
5345
5346 if (client_ret == 1 && server_ret == 1) {
5347 break;
5348 }
5349 }
5350
5351 ExpectHandshakeSuccess();
5352 }
5353
5354 // Test buffering write data until explicit flushes.
TEST_F(QUICMethodTest,Buffered)5355 TEST_F(QUICMethodTest, Buffered) {
5356 struct BufferedFlight {
5357 std::vector<uint8_t> data[kNumQUICLevels];
5358 };
5359 static UnownedSSLExData<BufferedFlight> buffered_flights;
5360
5361 auto add_handshake_data = [](SSL *ssl, enum ssl_encryption_level_t level,
5362 const uint8_t *data, size_t len) -> int {
5363 BufferedFlight *flight = buffered_flights.Get(ssl);
5364 flight->data[level].insert(flight->data[level].end(), data, data + len);
5365 return 1;
5366 };
5367
5368 auto flush_flight = [](SSL *ssl) -> int {
5369 BufferedFlight *flight = buffered_flights.Get(ssl);
5370 for (size_t level = 0; level < kNumQUICLevels; level++) {
5371 if (!flight->data[level].empty()) {
5372 if (!TransportFromSSL(ssl)->WriteHandshakeData(
5373 static_cast<ssl_encryption_level_t>(level),
5374 flight->data[level])) {
5375 return 0;
5376 }
5377 flight->data[level].clear();
5378 }
5379 }
5380 return 1;
5381 };
5382
5383 const SSL_QUIC_METHOD quic_method = {
5384 SetEncryptionSecretsCallback,
5385 add_handshake_data,
5386 flush_flight,
5387 SendAlertCallback,
5388 };
5389
5390 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
5391 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
5392 ASSERT_TRUE(CreateClientAndServer());
5393
5394 BufferedFlight client_flight, server_flight;
5395 buffered_flights.Set(client_.get(), &client_flight);
5396 buffered_flights.Set(server_.get(), &server_flight);
5397
5398 ASSERT_TRUE(CompleteHandshakesForQUIC());
5399
5400 ExpectHandshakeSuccess();
5401 }
5402
5403 // Test that excess data at one level is rejected. That is, if a single
5404 // |SSL_provide_quic_data| call included both ServerHello and
5405 // EncryptedExtensions in a single chunk, BoringSSL notices and rejects this on
5406 // key change.
TEST_F(QUICMethodTest,ExcessProvidedData)5407 TEST_F(QUICMethodTest, ExcessProvidedData) {
5408 auto add_handshake_data = [](SSL *ssl, enum ssl_encryption_level_t level,
5409 const uint8_t *data, size_t len) -> int {
5410 // Switch everything to the initial level.
5411 return TransportFromSSL(ssl)->WriteHandshakeData(ssl_encryption_initial,
5412 MakeConstSpan(data, len));
5413 };
5414
5415 const SSL_QUIC_METHOD quic_method = {
5416 SetEncryptionSecretsCallback,
5417 add_handshake_data,
5418 FlushFlightCallback,
5419 SendAlertCallback,
5420 };
5421
5422 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
5423 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
5424 ASSERT_TRUE(CreateClientAndServer());
5425
5426 // Send the ClientHello and ServerHello through Finished.
5427 ASSERT_EQ(SSL_do_handshake(client_.get()), -1);
5428 ASSERT_EQ(SSL_get_error(client_.get(), -1), SSL_ERROR_WANT_READ);
5429 ASSERT_TRUE(ProvideHandshakeData(server_.get()));
5430 ASSERT_EQ(SSL_do_handshake(server_.get()), -1);
5431 ASSERT_EQ(SSL_get_error(server_.get(), -1), SSL_ERROR_WANT_READ);
5432
5433 // The client is still waiting for the ServerHello at initial
5434 // encryption.
5435 ASSERT_EQ(ssl_encryption_initial, SSL_quic_read_level(client_.get()));
5436
5437 // |add_handshake_data| incorrectly wrote everything at the initial level, so
5438 // this queues up ServerHello through Finished in one chunk.
5439 ASSERT_TRUE(ProvideHandshakeData(client_.get()));
5440
5441 // The client reads ServerHello successfully, but then rejects the buffered
5442 // EncryptedExtensions on key change.
5443 ASSERT_EQ(SSL_do_handshake(client_.get()), -1);
5444 ASSERT_EQ(SSL_get_error(client_.get(), -1), SSL_ERROR_SSL);
5445 uint32_t err = ERR_get_error();
5446 EXPECT_EQ(ERR_GET_LIB(err), ERR_LIB_SSL);
5447 EXPECT_EQ(ERR_GET_REASON(err), SSL_R_BUFFERED_MESSAGES_ON_CIPHER_CHANGE);
5448
5449 // The client sends an alert in response to this.
5450 ASSERT_TRUE(transport_->client()->has_alert());
5451 EXPECT_EQ(transport_->client()->alert_level(), ssl_encryption_initial);
5452 EXPECT_EQ(transport_->client()->alert(), SSL_AD_UNEXPECTED_MESSAGE);
5453
5454 // Sanity-check client did get far enough to process the ServerHello and
5455 // install keys.
5456 EXPECT_TRUE(transport_->client()->HasSecrets(ssl_encryption_handshake));
5457 }
5458
5459 // Test that |SSL_provide_quic_data| will reject data at the wrong level.
TEST_F(QUICMethodTest,ProvideWrongLevel)5460 TEST_F(QUICMethodTest, ProvideWrongLevel) {
5461 const SSL_QUIC_METHOD quic_method = {
5462 SetEncryptionSecretsCallback,
5463 AddHandshakeDataCallback,
5464 FlushFlightCallback,
5465 SendAlertCallback,
5466 };
5467
5468 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
5469 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
5470 ASSERT_TRUE(CreateClientAndServer());
5471
5472 // Send the ClientHello and ServerHello through Finished.
5473 ASSERT_EQ(SSL_do_handshake(client_.get()), -1);
5474 ASSERT_EQ(SSL_get_error(client_.get(), -1), SSL_ERROR_WANT_READ);
5475 ASSERT_TRUE(ProvideHandshakeData(server_.get()));
5476 ASSERT_EQ(SSL_do_handshake(server_.get()), -1);
5477 ASSERT_EQ(SSL_get_error(server_.get(), -1), SSL_ERROR_WANT_READ);
5478
5479 // The client is still waiting for the ServerHello at initial
5480 // encryption.
5481 ASSERT_EQ(ssl_encryption_initial, SSL_quic_read_level(client_.get()));
5482
5483 // Data cannot be provided at the next level.
5484 std::vector<uint8_t> data;
5485 ASSERT_TRUE(
5486 transport_->client()->ReadHandshakeData(&data, ssl_encryption_initial));
5487 ASSERT_FALSE(SSL_provide_quic_data(client_.get(), ssl_encryption_handshake,
5488 data.data(), data.size()));
5489 ERR_clear_error();
5490
5491 // Progress to EncryptedExtensions.
5492 ASSERT_TRUE(SSL_provide_quic_data(client_.get(), ssl_encryption_initial,
5493 data.data(), data.size()));
5494 ASSERT_EQ(SSL_do_handshake(client_.get()), -1);
5495 ASSERT_EQ(SSL_get_error(client_.get(), -1), SSL_ERROR_WANT_READ);
5496 ASSERT_EQ(ssl_encryption_handshake, SSL_quic_read_level(client_.get()));
5497
5498 // Data cannot be provided at the previous level.
5499 ASSERT_TRUE(
5500 transport_->client()->ReadHandshakeData(&data, ssl_encryption_handshake));
5501 ASSERT_FALSE(SSL_provide_quic_data(client_.get(), ssl_encryption_initial,
5502 data.data(), data.size()));
5503 }
5504
TEST_F(QUICMethodTest,TooMuchData)5505 TEST_F(QUICMethodTest, TooMuchData) {
5506 const SSL_QUIC_METHOD quic_method = {
5507 SetEncryptionSecretsCallback,
5508 AddHandshakeDataCallback,
5509 FlushFlightCallback,
5510 SendAlertCallback,
5511 };
5512
5513 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
5514 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
5515 ASSERT_TRUE(CreateClientAndServer());
5516
5517 size_t limit =
5518 SSL_quic_max_handshake_flight_len(client_.get(), ssl_encryption_initial);
5519 uint8_t b = 0;
5520 for (size_t i = 0; i < limit; i++) {
5521 ASSERT_TRUE(
5522 SSL_provide_quic_data(client_.get(), ssl_encryption_initial, &b, 1));
5523 }
5524
5525 EXPECT_FALSE(
5526 SSL_provide_quic_data(client_.get(), ssl_encryption_initial, &b, 1));
5527 }
5528
5529 // Provide invalid post-handshake data.
TEST_F(QUICMethodTest,BadPostHandshake)5530 TEST_F(QUICMethodTest, BadPostHandshake) {
5531 const SSL_QUIC_METHOD quic_method = {
5532 SetEncryptionSecretsCallback,
5533 AddHandshakeDataCallback,
5534 FlushFlightCallback,
5535 SendAlertCallback,
5536 };
5537
5538 g_last_session = nullptr;
5539
5540 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
5541 SSL_CTX_sess_set_new_cb(client_ctx_.get(), SaveLastSession);
5542 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
5543 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
5544 ASSERT_TRUE(CreateClientAndServer());
5545 ASSERT_TRUE(CompleteHandshakesForQUIC());
5546
5547 EXPECT_EQ(SSL_do_handshake(client_.get()), 1);
5548 EXPECT_EQ(SSL_do_handshake(server_.get()), 1);
5549 EXPECT_TRUE(transport_->SecretsMatch(ssl_encryption_application));
5550 EXPECT_FALSE(transport_->client()->has_alert());
5551 EXPECT_FALSE(transport_->server()->has_alert());
5552
5553 // Junk sent as part of post-handshake data should cause an error.
5554 uint8_t kJunk[] = {0x17, 0x0, 0x0, 0x4, 0xB, 0xE, 0xE, 0xF};
5555 ASSERT_TRUE(SSL_provide_quic_data(client_.get(), ssl_encryption_application,
5556 kJunk, sizeof(kJunk)));
5557 EXPECT_EQ(SSL_process_quic_post_handshake(client_.get()), 0);
5558 }
5559
5560 extern "C" {
5561 int BORINGSSL_enum_c_type_test(void);
5562 }
5563
TEST(SSLTest,EnumTypes)5564 TEST(SSLTest, EnumTypes) {
5565 EXPECT_EQ(sizeof(int), sizeof(ssl_private_key_result_t));
5566 EXPECT_EQ(1, BORINGSSL_enum_c_type_test());
5567 }
5568
TEST_P(SSLVersionTest,DoubleSSLError)5569 TEST_P(SSLVersionTest, DoubleSSLError) {
5570 // Connect the inner SSL connections.
5571 ASSERT_TRUE(Connect());
5572
5573 // Make a pair of |BIO|s which wrap |client_| and |server_|.
5574 UniquePtr<BIO_METHOD> bio_method(BIO_meth_new(0, nullptr));
5575 ASSERT_TRUE(bio_method);
5576 ASSERT_TRUE(BIO_meth_set_read(
5577 bio_method.get(), [](BIO *bio, char *out, int len) -> int {
5578 SSL *ssl = static_cast<SSL *>(BIO_get_data(bio));
5579 int ret = SSL_read(ssl, out, len);
5580 int ssl_ret = SSL_get_error(ssl, ret);
5581 if (ssl_ret == SSL_ERROR_WANT_READ) {
5582 BIO_set_retry_read(bio);
5583 }
5584 return ret;
5585 }));
5586 ASSERT_TRUE(BIO_meth_set_write(
5587 bio_method.get(), [](BIO *bio, const char *in, int len) -> int {
5588 SSL *ssl = static_cast<SSL *>(BIO_get_data(bio));
5589 int ret = SSL_write(ssl, in, len);
5590 int ssl_ret = SSL_get_error(ssl, ret);
5591 if (ssl_ret == SSL_ERROR_WANT_WRITE) {
5592 BIO_set_retry_write(bio);
5593 }
5594 return ret;
5595 }));
5596 ASSERT_TRUE(BIO_meth_set_ctrl(
5597 bio_method.get(), [](BIO *bio, int cmd, long larg, void *parg) -> long {
5598 // |SSL| objects require |BIO_flush| support.
5599 if (cmd == BIO_CTRL_FLUSH) {
5600 return 1;
5601 }
5602 return 0;
5603 }));
5604
5605 UniquePtr<BIO> client_bio(BIO_new(bio_method.get()));
5606 ASSERT_TRUE(client_bio);
5607 BIO_set_data(client_bio.get(), client_.get());
5608 BIO_set_init(client_bio.get(), 1);
5609
5610 UniquePtr<BIO> server_bio(BIO_new(bio_method.get()));
5611 ASSERT_TRUE(server_bio);
5612 BIO_set_data(server_bio.get(), server_.get());
5613 BIO_set_init(server_bio.get(), 1);
5614
5615 // Wrap the inner connections in another layer of SSL.
5616 UniquePtr<SSL> client_outer(SSL_new(client_ctx_.get()));
5617 ASSERT_TRUE(client_outer);
5618 SSL_set_connect_state(client_outer.get());
5619 SSL_set_bio(client_outer.get(), client_bio.get(), client_bio.get());
5620 client_bio.release(); // |SSL_set_bio| takes ownership.
5621
5622 UniquePtr<SSL> server_outer(SSL_new(server_ctx_.get()));
5623 ASSERT_TRUE(server_outer);
5624 SSL_set_accept_state(server_outer.get());
5625 SSL_set_bio(server_outer.get(), server_bio.get(), server_bio.get());
5626 server_bio.release(); // |SSL_set_bio| takes ownership.
5627
5628 // Configure |client_outer| to reject the server certificate.
5629 SSL_set_custom_verify(
5630 client_outer.get(), SSL_VERIFY_PEER,
5631 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
5632 return ssl_verify_invalid;
5633 });
5634
5635 for (;;) {
5636 int client_ret = SSL_do_handshake(client_outer.get());
5637 int client_err = SSL_get_error(client_outer.get(), client_ret);
5638 if (client_err != SSL_ERROR_WANT_READ &&
5639 client_err != SSL_ERROR_WANT_WRITE) {
5640 // The client handshake should terminate on a certificate verification
5641 // error.
5642 EXPECT_EQ(SSL_ERROR_SSL, client_err);
5643 uint32_t err = ERR_peek_error();
5644 EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err));
5645 EXPECT_EQ(SSL_R_CERTIFICATE_VERIFY_FAILED, ERR_GET_REASON(err));
5646 break;
5647 }
5648
5649 // Run the server handshake and continue.
5650 int server_ret = SSL_do_handshake(server_outer.get());
5651 int server_err = SSL_get_error(server_outer.get(), server_ret);
5652 ASSERT_TRUE(server_err == SSL_ERROR_NONE ||
5653 server_err == SSL_ERROR_WANT_READ ||
5654 server_err == SSL_ERROR_WANT_WRITE);
5655 }
5656 }
5657
TEST(SSLTest,WriteWhileExplicitRenegotiate)5658 TEST(SSLTest, WriteWhileExplicitRenegotiate) {
5659 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
5660 ASSERT_TRUE(ctx);
5661
5662 bssl::UniquePtr<X509> cert = GetTestCertificate();
5663 bssl::UniquePtr<EVP_PKEY> pkey = GetTestKey();
5664 ASSERT_TRUE(cert);
5665 ASSERT_TRUE(pkey);
5666 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), cert.get()));
5667 ASSERT_TRUE(SSL_CTX_use_PrivateKey(ctx.get(), pkey.get()));
5668 ASSERT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_2_VERSION));
5669 ASSERT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_2_VERSION));
5670 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(
5671 ctx.get(), "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"));
5672
5673 bssl::UniquePtr<SSL> client, server;
5674 ASSERT_TRUE(ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
5675 ClientConfig(), true /* do_handshake */,
5676 false /* don't shed handshake config */));
5677 SSL_set_renegotiate_mode(client.get(), ssl_renegotiate_explicit);
5678
5679 static const uint8_t kInput[] = {'h', 'e', 'l', 'l', 'o'};
5680
5681 // Write "hello" until the buffer is full, so |client| has a pending write.
5682 size_t num_writes = 0;
5683 for (;;) {
5684 int ret = SSL_write(client.get(), kInput, sizeof(kInput));
5685 if (ret != int(sizeof(kInput))) {
5686 ASSERT_EQ(-1, ret);
5687 ASSERT_EQ(SSL_ERROR_WANT_WRITE, SSL_get_error(client.get(), ret));
5688 break;
5689 }
5690 num_writes++;
5691 }
5692
5693 // Encrypt a HelloRequest.
5694 uint8_t in[] = {SSL3_MT_HELLO_REQUEST, 0, 0, 0};
5695 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
5696 // Fuzzer-mode records are unencrypted.
5697 uint8_t record[5 + sizeof(in)];
5698 record[0] = SSL3_RT_HANDSHAKE;
5699 record[1] = 3;
5700 record[2] = 3; // TLS 1.2
5701 record[3] = 0;
5702 record[4] = sizeof(record) - 5;
5703 memcpy(record + 5, in, sizeof(in));
5704 #else
5705 // Extract key material from |server|.
5706 static const size_t kKeyLen = 32;
5707 static const size_t kNonceLen = 12;
5708 ASSERT_EQ(2u * (kKeyLen + kNonceLen), SSL_get_key_block_len(server.get()));
5709 uint8_t key_block[2u * (kKeyLen + kNonceLen)];
5710 ASSERT_TRUE(
5711 SSL_generate_key_block(server.get(), key_block, sizeof(key_block)));
5712 Span<uint8_t> key = MakeSpan(key_block + kKeyLen, kKeyLen);
5713 Span<uint8_t> nonce =
5714 MakeSpan(key_block + kKeyLen + kKeyLen + kNonceLen, kNonceLen);
5715
5716 uint8_t ad[13];
5717 uint64_t seq = SSL_get_write_sequence(server.get());
5718 for (size_t i = 0; i < 8; i++) {
5719 // The nonce is XORed with the sequence number.
5720 nonce[11 - i] ^= uint8_t(seq);
5721 ad[7 - i] = uint8_t(seq);
5722 seq >>= 8;
5723 }
5724
5725 ad[8] = SSL3_RT_HANDSHAKE;
5726 ad[9] = 3;
5727 ad[10] = 3; // TLS 1.2
5728 ad[11] = 0;
5729 ad[12] = sizeof(in);
5730
5731 uint8_t record[5 + sizeof(in) + 16];
5732 record[0] = SSL3_RT_HANDSHAKE;
5733 record[1] = 3;
5734 record[2] = 3; // TLS 1.2
5735 record[3] = 0;
5736 record[4] = sizeof(record) - 5;
5737
5738 ScopedEVP_AEAD_CTX aead;
5739 ASSERT_TRUE(EVP_AEAD_CTX_init(aead.get(), EVP_aead_chacha20_poly1305(),
5740 key.data(), key.size(),
5741 EVP_AEAD_DEFAULT_TAG_LENGTH, nullptr));
5742 size_t len;
5743 ASSERT_TRUE(EVP_AEAD_CTX_seal(aead.get(), record + 5, &len,
5744 sizeof(record) - 5, nonce.data(), nonce.size(),
5745 in, sizeof(in), ad, sizeof(ad)));
5746 ASSERT_EQ(sizeof(record) - 5, len);
5747 #endif // BORINGSSL_UNSAFE_FUZZER_MODE
5748
5749 ASSERT_EQ(int(sizeof(record)),
5750 BIO_write(SSL_get_wbio(server.get()), record, sizeof(record)));
5751
5752 // |SSL_read| should pick up the HelloRequest.
5753 uint8_t byte;
5754 ASSERT_EQ(-1, SSL_read(client.get(), &byte, 1));
5755 ASSERT_EQ(SSL_ERROR_WANT_RENEGOTIATE, SSL_get_error(client.get(), -1));
5756
5757 // Drain the data from the |client|.
5758 uint8_t buf[sizeof(kInput)];
5759 for (size_t i = 0; i < num_writes; i++) {
5760 ASSERT_EQ(int(sizeof(buf)), SSL_read(server.get(), buf, sizeof(buf)));
5761 EXPECT_EQ(Bytes(buf), Bytes(kInput));
5762 }
5763
5764 // |client| should be able to finish the pending write and continue to write,
5765 // despite the paused HelloRequest.
5766 ASSERT_EQ(int(sizeof(kInput)),
5767 SSL_write(client.get(), kInput, sizeof(kInput)));
5768 ASSERT_EQ(int(sizeof(buf)), SSL_read(server.get(), buf, sizeof(buf)));
5769 EXPECT_EQ(Bytes(buf), Bytes(kInput));
5770
5771 ASSERT_EQ(int(sizeof(kInput)),
5772 SSL_write(client.get(), kInput, sizeof(kInput)));
5773 ASSERT_EQ(int(sizeof(buf)), SSL_read(server.get(), buf, sizeof(buf)));
5774 EXPECT_EQ(Bytes(buf), Bytes(kInput));
5775
5776 // |SSL_read| is stuck until we acknowledge the HelloRequest.
5777 ASSERT_EQ(-1, SSL_read(client.get(), &byte, 1));
5778 ASSERT_EQ(SSL_ERROR_WANT_RENEGOTIATE, SSL_get_error(client.get(), -1));
5779
5780 ASSERT_TRUE(SSL_renegotiate(client.get()));
5781 ASSERT_EQ(-1, SSL_read(client.get(), &byte, 1));
5782 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(client.get(), -1));
5783
5784 // We never renegotiate as a server.
5785 ASSERT_EQ(-1, SSL_read(server.get(), buf, sizeof(buf)));
5786 ASSERT_EQ(SSL_ERROR_SSL, SSL_get_error(server.get(), -1));
5787 uint32_t err = ERR_get_error();
5788 EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err));
5789 EXPECT_EQ(SSL_R_NO_RENEGOTIATION, ERR_GET_REASON(err));
5790 }
5791
5792 } // namespace
5793 BSSL_NAMESPACE_END
5794