• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /* Copyright (c) 2014, Google Inc.
2  *
3  * Permission to use, copy, modify, and/or distribute this software for any
4  * purpose with or without fee is hereby granted, provided that the above
5  * copyright notice and this permission notice appear in all copies.
6  *
7  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14 
15 #include <stdio.h>
16 #include <string.h>
17 #include <time.h>
18 
19 #include <algorithm>
20 #include <limits>
21 #include <string>
22 #include <utility>
23 #include <vector>
24 
25 #include <gtest/gtest.h>
26 
27 #include <openssl/base64.h>
28 #include <openssl/bio.h>
29 #include <openssl/cipher.h>
30 #include <openssl/crypto.h>
31 #include <openssl/err.h>
32 #include <openssl/hmac.h>
33 #include <openssl/pem.h>
34 #include <openssl/sha.h>
35 #include <openssl/ssl.h>
36 #include <openssl/rand.h>
37 #include <openssl/x509.h>
38 
39 #include "internal.h"
40 #include "../crypto/internal.h"
41 #include "../crypto/test/test_util.h"
42 
43 #if defined(OPENSSL_WINDOWS)
44 // Windows defines struct timeval in winsock2.h.
45 OPENSSL_MSVC_PRAGMA(warning(push, 3))
46 #include <winsock2.h>
47 OPENSSL_MSVC_PRAGMA(warning(pop))
48 #else
49 #include <sys/time.h>
50 #endif
51 
52 #if defined(OPENSSL_THREADS)
53 #include <thread>
54 #endif
55 
56 
57 BSSL_NAMESPACE_BEGIN
58 
59 namespace {
60 
61 #define TRACED_CALL(code)                     \
62   do {                                        \
63     SCOPED_TRACE("<- called from here");      \
64     code;                                     \
65     if (::testing::Test::HasFatalFailure()) { \
66       return;                                 \
67     }                                         \
68   } while (false)
69 
70 struct VersionParam {
71   uint16_t version;
72   enum { is_tls, is_dtls } ssl_method;
73   const char name[8];
74 };
75 
76 static const size_t kTicketKeyLen = 48;
77 
78 static const VersionParam kAllVersions[] = {
79     {TLS1_VERSION, VersionParam::is_tls, "TLS1"},
80     {TLS1_1_VERSION, VersionParam::is_tls, "TLS1_1"},
81     {TLS1_2_VERSION, VersionParam::is_tls, "TLS1_2"},
82     {TLS1_3_VERSION, VersionParam::is_tls, "TLS1_3"},
83     {DTLS1_VERSION, VersionParam::is_dtls, "DTLS1"},
84     {DTLS1_2_VERSION, VersionParam::is_dtls, "DTLS1_2"},
85 };
86 
87 struct ExpectedCipher {
88   unsigned long id;
89   int in_group_flag;
90 };
91 
92 struct CipherTest {
93   // The rule string to apply.
94   const char *rule;
95   // The list of expected ciphers, in order.
96   std::vector<ExpectedCipher> expected;
97   // True if this cipher list should fail in strict mode.
98   bool strict_fail;
99 };
100 
101 struct CurveTest {
102   // The rule string to apply.
103   const char *rule;
104   // The list of expected curves, in order.
105   std::vector<uint16_t> expected;
106 };
107 
108 template <typename T>
109 class UnownedSSLExData {
110  public:
UnownedSSLExData()111   UnownedSSLExData() {
112     index_ = SSL_get_ex_new_index(0, nullptr, nullptr, nullptr, nullptr);
113   }
114 
Get(const SSL * ssl)115   T *Get(const SSL *ssl) {
116     return index_ < 0 ? nullptr
117                       : static_cast<T *>(SSL_get_ex_data(ssl, index_));
118   }
119 
Set(SSL * ssl,T * t)120   bool Set(SSL *ssl, T *t) {
121     return index_ >= 0 && SSL_set_ex_data(ssl, index_, t);
122   }
123 
124  private:
125   int index_;
126 };
127 
128 static const CipherTest kCipherTests[] = {
129     // Selecting individual ciphers should work.
130     {
131         "ECDHE-ECDSA-CHACHA20-POLY1305:"
132         "ECDHE-RSA-CHACHA20-POLY1305:"
133         "ECDHE-ECDSA-AES128-GCM-SHA256:"
134         "ECDHE-RSA-AES128-GCM-SHA256",
135         {
136             {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
137             {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
138             {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
139             {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
140         },
141         false,
142     },
143     // + reorders selected ciphers to the end, keeping their relative order.
144     {
145         "ECDHE-ECDSA-CHACHA20-POLY1305:"
146         "ECDHE-RSA-CHACHA20-POLY1305:"
147         "ECDHE-ECDSA-AES128-GCM-SHA256:"
148         "ECDHE-RSA-AES128-GCM-SHA256:"
149         "+aRSA",
150         {
151             {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
152             {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
153             {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
154             {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
155         },
156         false,
157     },
158     // ! banishes ciphers from future selections.
159     {
160         "!aRSA:"
161         "ECDHE-ECDSA-CHACHA20-POLY1305:"
162         "ECDHE-RSA-CHACHA20-POLY1305:"
163         "ECDHE-ECDSA-AES128-GCM-SHA256:"
164         "ECDHE-RSA-AES128-GCM-SHA256",
165         {
166             {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
167             {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
168         },
169         false,
170     },
171     // Multiple masks can be ANDed in a single rule.
172     {
173         "kRSA+AESGCM+AES128",
174         {
175             {TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0},
176         },
177         false,
178     },
179     // - removes selected ciphers, but preserves their order for future
180     // selections. Select AES_128_GCM, but order the key exchanges RSA,
181     // ECDHE_RSA.
182     {
183         "ALL:-kECDHE:"
184         "-kRSA:-ALL:"
185         "AESGCM+AES128+aRSA",
186         {
187             {TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0},
188             {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
189         },
190         false,
191     },
192     // Unknown selectors are no-ops, except in strict mode.
193     {
194         "ECDHE-ECDSA-CHACHA20-POLY1305:"
195         "ECDHE-RSA-CHACHA20-POLY1305:"
196         "ECDHE-ECDSA-AES128-GCM-SHA256:"
197         "ECDHE-RSA-AES128-GCM-SHA256:"
198         "BOGUS1",
199         {
200             {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
201             {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
202             {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
203             {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
204         },
205         true,
206     },
207     // Unknown selectors are no-ops, except in strict mode.
208     {
209         "ECDHE-ECDSA-CHACHA20-POLY1305:"
210         "ECDHE-RSA-CHACHA20-POLY1305:"
211         "ECDHE-ECDSA-AES128-GCM-SHA256:"
212         "ECDHE-RSA-AES128-GCM-SHA256:"
213         "-BOGUS2:+BOGUS3:!BOGUS4",
214         {
215             {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
216             {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
217             {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
218             {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
219         },
220         true,
221     },
222     // Square brackets specify equi-preference groups.
223     {
224         "[ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES128-GCM-SHA256]:"
225         "[ECDHE-RSA-CHACHA20-POLY1305]:"
226         "ECDHE-RSA-AES128-GCM-SHA256",
227         {
228             {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 1},
229             {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
230             {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
231             {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
232         },
233         false,
234     },
235     // Standard names may be used instead of OpenSSL names.
236     {
237         "[TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|"
238         "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]:"
239         "[TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256]:"
240         "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
241         {
242             {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 1},
243             {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
244             {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
245             {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
246         },
247         false,
248     },
249     // @STRENGTH performs a stable strength-sort of the selected ciphers and
250     // only the selected ciphers.
251     {
252         // To simplify things, banish all but {ECDHE_RSA,RSA} x
253         // {CHACHA20,AES_256_CBC,AES_128_CBC} x SHA1.
254         "!AESGCM:!3DES:"
255         // Order some ciphers backwards by strength.
256         "ALL:-CHACHA20:-AES256:-AES128:-ALL:"
257         // Select ECDHE ones and sort them by strength. Ties should resolve
258         // based on the order above.
259         "kECDHE:@STRENGTH:-ALL:"
260         // Now bring back everything uses RSA. ECDHE_RSA should be first, sorted
261         // by strength. Then RSA, backwards by strength.
262         "aRSA",
263         {
264             {TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, 0},
265             {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
266             {TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, 0},
267             {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
268             {TLS1_CK_RSA_WITH_AES_256_SHA, 0},
269         },
270         false,
271     },
272     // Additional masks after @STRENGTH get silently discarded.
273     //
274     // TODO(davidben): Make this an error. If not silently discarded, they get
275     // interpreted as + opcodes which are very different.
276     {
277         "ECDHE-RSA-AES128-GCM-SHA256:"
278         "ECDHE-RSA-AES256-GCM-SHA384:"
279         "@STRENGTH+AES256",
280         {
281             {TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 0},
282             {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
283         },
284         false,
285     },
286     {
287         "ECDHE-RSA-AES128-GCM-SHA256:"
288         "ECDHE-RSA-AES256-GCM-SHA384:"
289         "@STRENGTH+AES256:"
290         "ECDHE-RSA-CHACHA20-POLY1305",
291         {
292             {TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 0},
293             {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
294             {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
295         },
296         false,
297     },
298     // Exact ciphers may not be used in multi-part rules; they are treated
299     // as unknown aliases.
300     {
301         "ECDHE-ECDSA-AES128-GCM-SHA256:"
302         "ECDHE-RSA-AES128-GCM-SHA256:"
303         "!ECDHE-RSA-AES128-GCM-SHA256+RSA:"
304         "!ECDSA+ECDHE-ECDSA-AES128-GCM-SHA256",
305         {
306             {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
307             {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
308         },
309         true,
310     },
311     // SSLv3 matches everything that existed before TLS 1.2.
312     {
313         "AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256:!SSLv3",
314         {
315             {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
316         },
317         false,
318     },
319     // TLSv1.2 matches everything added in TLS 1.2.
320     {
321         "AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256:!TLSv1.2",
322         {
323             {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
324         },
325         false,
326     },
327     // The two directives have no intersection.  But each component is valid, so
328     // even in strict mode it is accepted.
329     {
330         "AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256:!TLSv1.2+SSLv3",
331         {
332             {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
333             {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
334         },
335         false,
336     },
337     // Spaces, semi-colons and commas are separators.
338     {
339         "AES128-SHA: ECDHE-RSA-AES128-GCM-SHA256 AES256-SHA ,ECDHE-ECDSA-AES128-GCM-SHA256 ; AES128-GCM-SHA256",
340         {
341             {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
342             {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
343             {TLS1_CK_RSA_WITH_AES_256_SHA, 0},
344             {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
345             {TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0},
346         },
347         // …but not in strict mode.
348         true,
349     },
350 };
351 
352 static const char *kBadRules[] = {
353   // Invalid brackets.
354   "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256",
355   "RSA]",
356   "[[RSA]]",
357   // Operators inside brackets.
358   "[+RSA]",
359   // Unknown directive.
360   "@BOGUS",
361   // Empty cipher lists error at SSL_CTX_set_cipher_list.
362   "",
363   "BOGUS",
364   // COMPLEMENTOFDEFAULT is empty.
365   "COMPLEMENTOFDEFAULT",
366   // Invalid command.
367   "?BAR",
368   // Special operators are not allowed if groups are used.
369   "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:+FOO",
370   "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:!FOO",
371   "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:-FOO",
372   "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:@STRENGTH",
373   // Opcode supplied, but missing selector.
374   "+",
375   // Spaces are forbidden in equal-preference groups.
376   "[AES128-SHA | AES128-SHA256]",
377 };
378 
379 static const char *kMustNotIncludeNull[] = {
380   "ALL",
381   "DEFAULT",
382   "HIGH",
383   "FIPS",
384   "SHA",
385   "SHA1",
386   "RSA",
387   "SSLv3",
388   "TLSv1",
389   "TLSv1.2",
390 };
391 
392 static const CurveTest kCurveTests[] = {
393   {
394     "P-256",
395     { SSL_CURVE_SECP256R1 },
396   },
397   {
398     "P-256:CECPQ2",
399     { SSL_CURVE_SECP256R1, SSL_CURVE_CECPQ2 },
400   },
401 
402   {
403     "P-256:P-384:P-521:X25519",
404     {
405       SSL_CURVE_SECP256R1,
406       SSL_CURVE_SECP384R1,
407       SSL_CURVE_SECP521R1,
408       SSL_CURVE_X25519,
409     },
410   },
411   {
412     "prime256v1:secp384r1:secp521r1:x25519",
413     {
414       SSL_CURVE_SECP256R1,
415       SSL_CURVE_SECP384R1,
416       SSL_CURVE_SECP521R1,
417       SSL_CURVE_X25519,
418     },
419   },
420 };
421 
422 static const char *kBadCurvesLists[] = {
423   "",
424   ":",
425   "::",
426   "P-256::X25519",
427   "RSA:P-256",
428   "P-256:RSA",
429   "X25519:P-256:",
430   ":X25519:P-256",
431 };
432 
CipherListToString(SSL_CTX * ctx)433 static std::string CipherListToString(SSL_CTX *ctx) {
434   bool in_group = false;
435   std::string ret;
436   const STACK_OF(SSL_CIPHER) *ciphers = SSL_CTX_get_ciphers(ctx);
437   for (size_t i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
438     const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(ciphers, i);
439     if (!in_group && SSL_CTX_cipher_in_group(ctx, i)) {
440       ret += "\t[\n";
441       in_group = true;
442     }
443     ret += "\t";
444     if (in_group) {
445       ret += "  ";
446     }
447     ret += SSL_CIPHER_get_name(cipher);
448     ret += "\n";
449     if (in_group && !SSL_CTX_cipher_in_group(ctx, i)) {
450       ret += "\t]\n";
451       in_group = false;
452     }
453   }
454   return ret;
455 }
456 
CipherListsEqual(SSL_CTX * ctx,const std::vector<ExpectedCipher> & expected)457 static bool CipherListsEqual(SSL_CTX *ctx,
458                              const std::vector<ExpectedCipher> &expected) {
459   const STACK_OF(SSL_CIPHER) *ciphers = SSL_CTX_get_ciphers(ctx);
460   if (sk_SSL_CIPHER_num(ciphers) != expected.size()) {
461     return false;
462   }
463 
464   for (size_t i = 0; i < expected.size(); i++) {
465     const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(ciphers, i);
466     if (expected[i].id != SSL_CIPHER_get_id(cipher) ||
467         expected[i].in_group_flag != !!SSL_CTX_cipher_in_group(ctx, i)) {
468       return false;
469     }
470   }
471 
472   return true;
473 }
474 
TEST(SSLTest,CipherRules)475 TEST(SSLTest, CipherRules) {
476   for (const CipherTest &t : kCipherTests) {
477     SCOPED_TRACE(t.rule);
478     bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
479     ASSERT_TRUE(ctx);
480 
481     // Test lax mode.
482     ASSERT_TRUE(SSL_CTX_set_cipher_list(ctx.get(), t.rule));
483     EXPECT_TRUE(CipherListsEqual(ctx.get(), t.expected))
484         << "Cipher rule evaluated to:\n"
485         << CipherListToString(ctx.get());
486 
487     // Test strict mode.
488     if (t.strict_fail) {
489       EXPECT_FALSE(SSL_CTX_set_strict_cipher_list(ctx.get(), t.rule));
490     } else {
491       ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(ctx.get(), t.rule));
492       EXPECT_TRUE(CipherListsEqual(ctx.get(), t.expected))
493           << "Cipher rule evaluated to:\n"
494           << CipherListToString(ctx.get());
495     }
496   }
497 
498   for (const char *rule : kBadRules) {
499     SCOPED_TRACE(rule);
500     bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
501     ASSERT_TRUE(ctx);
502 
503     EXPECT_FALSE(SSL_CTX_set_cipher_list(ctx.get(), rule));
504     ERR_clear_error();
505   }
506 
507   for (const char *rule : kMustNotIncludeNull) {
508     SCOPED_TRACE(rule);
509     bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
510     ASSERT_TRUE(ctx);
511 
512     ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(ctx.get(), rule));
513     for (const SSL_CIPHER *cipher : SSL_CTX_get_ciphers(ctx.get())) {
514       EXPECT_NE(NID_undef, SSL_CIPHER_get_cipher_nid(cipher));
515     }
516   }
517 }
518 
TEST(SSLTest,CurveRules)519 TEST(SSLTest, CurveRules) {
520   for (const CurveTest &t : kCurveTests) {
521     SCOPED_TRACE(t.rule);
522     bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
523     ASSERT_TRUE(ctx);
524 
525     ASSERT_TRUE(SSL_CTX_set1_curves_list(ctx.get(), t.rule));
526     ASSERT_EQ(t.expected.size(), ctx->supported_group_list.size());
527     for (size_t i = 0; i < t.expected.size(); i++) {
528       EXPECT_EQ(t.expected[i], ctx->supported_group_list[i]);
529     }
530   }
531 
532   for (const char *rule : kBadCurvesLists) {
533     SCOPED_TRACE(rule);
534     bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
535     ASSERT_TRUE(ctx);
536 
537     EXPECT_FALSE(SSL_CTX_set1_curves_list(ctx.get(), rule));
538     ERR_clear_error();
539   }
540 }
541 
542 // kOpenSSLSession is a serialized SSL_SESSION.
543 static const char kOpenSSLSession[] =
544     "MIIFqgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
545     "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
546     "IWoJoQYCBFRDO46iBAICASyjggR6MIIEdjCCA16gAwIBAgIIK9dUvsPWSlUwDQYJ"
547     "KoZIhvcNAQEFBQAwSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMx"
548     "JTAjBgNVBAMTHEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTQxMDA4"
549     "MTIwNzU3WhcNMTUwMTA2MDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwK"
550     "Q2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29v"
551     "Z2xlIEluYzEXMBUGA1UEAwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEB"
552     "AQUAA4IBDwAwggEKAoIBAQCcKeLrplAC+Lofy8t/wDwtB6eu72CVp0cJ4V3lknN6"
553     "huH9ct6FFk70oRIh/VBNBBz900jYy+7111Jm1b8iqOTQ9aT5C7SEhNcQFJvqzH3e"
554     "MPkb6ZSWGm1yGF7MCQTGQXF20Sk/O16FSjAynU/b3oJmOctcycWYkY0ytS/k3LBu"
555     "Id45PJaoMqjB0WypqvNeJHC3q5JjCB4RP7Nfx5jjHSrCMhw8lUMW4EaDxjaR9KDh"
556     "PLgjsk+LDIySRSRDaCQGhEOWLJZVLzLo4N6/UlctCHEllpBUSvEOyFga52qroGjg"
557     "rf3WOQ925MFwzd6AK+Ich0gDRg8sQfdLH5OuP1cfLfU1AgMBAAGjggFBMIIBPTAd"
558     "BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdv"
559     "b2dsZS5jb20waAYIKwYBBQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtp"
560     "Lmdvb2dsZS5jb20vR0lBRzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50"
561     "czEuZ29vZ2xlLmNvbS9vY3NwMB0GA1UdDgQWBBQ7a+CcxsZByOpc+xpYFcIbnUMZ"
562     "hTAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEv"
563     "MBcGA1UdIAQQMA4wDAYKKwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRw"
564     "Oi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQCa"
565     "OXCBdoqUy5bxyq+Wrh1zsyyCFim1PH5VU2+yvDSWrgDY8ibRGJmfff3r4Lud5kal"
566     "dKs9k8YlKD3ITG7P0YT/Rk8hLgfEuLcq5cc0xqmE42xJ+Eo2uzq9rYorc5emMCxf"
567     "5L0TJOXZqHQpOEcuptZQ4OjdYMfSxk5UzueUhA3ogZKRcRkdB3WeWRp+nYRhx4St"
568     "o2rt2A0MKmY9165GHUqMK9YaaXHDXqBu7Sefr1uSoAP9gyIJKeihMivsGqJ1TD6Z"
569     "cc6LMe+dN2P8cZEQHtD1y296ul4Mivqk3jatUVL8/hCwgch9A8O4PGZq9WqBfEWm"
570     "IyHh1dPtbg1lOXdYCWtjpAIEAKUDAgEUqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36S"
571     "YTcLEkXqKwOBfF9vE4KX0NxeLwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9B"
572     "sNHM362zZnY27GpTw+Kwd751CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yE"
573     "OTDKPNj3+inbMaVigtK4PLyPq+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdA"
574     "i4gv7Y5oliyntgMBAQA=";
575 
576 // kCustomSession is a custom serialized SSL_SESSION generated by
577 // filling in missing fields from |kOpenSSLSession|. This includes
578 // providing |peer_sha256|, so |peer| is not serialized.
579 static const char kCustomSession[] =
580     "MIIBZAIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
581     "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
582     "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUqAcEBXdvcmxkqQUCAwGJwKqBpwSB"
583     "pBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0NxeLwjcDTpsuh3qXEaZ992r1N38"
584     "VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751CLoXFPoaMOe57dbBpXoro6Pd"
585     "3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyPq+Topyzvx9USFgRvyuoxn0Hg"
586     "b+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYGBgYGBgYGBgYGBgYGBgYGBgYG"
587     "BgYGBgYGBgYGrgMEAQevAwQBBLADBAEF";
588 
589 // kBoringSSLSession is a serialized SSL_SESSION generated from bssl client.
590 static const char kBoringSSLSession[] =
591     "MIIRwQIBAQICAwMEAsAvBCDdoGxGK26mR+8lM0uq6+k9xYuxPnwAjpcF9n0Yli9R"
592     "kQQwbyshfWhdi5XQ1++7n2L1qqrcVlmHBPpr6yknT/u4pUrpQB5FZ7vqvNn8MdHf"
593     "9rWgoQYCBFXgs7uiBAICHCCjggR6MIIEdjCCA16gAwIBAgIIf+yfD7Y6UicwDQYJ"
594     "KoZIhvcNAQELBQAwSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMx"
595     "JTAjBgNVBAMTHEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTUwODEy"
596     "MTQ1MzE1WhcNMTUxMTEwMDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwK"
597     "Q2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29v"
598     "Z2xlIEluYzEXMBUGA1UEAwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEB"
599     "AQUAA4IBDwAwggEKAoIBAQC0MeG5YGQ0t+IeJeoneP/PrhEaieibeKYkbKVLNZpo"
600     "PLuBinvhkXZo3DC133NpCBpy6ZktBwamqyixAyuk/NU6OjgXqwwxfQ7di1AInLIU"
601     "792c7hFyNXSUCG7At8Ifi3YwBX9Ba6u/1d6rWTGZJrdCq3QU11RkKYyTq2KT5mce"
602     "Tv9iGKqSkSTlp8puy/9SZ/3DbU3U+BuqCFqeSlz7zjwFmk35acdCilpJlVDDN5C/"
603     "RCh8/UKc8PaL+cxlt531qoTENvYrflBno14YEZlCBZsPiFeUSILpKEj3Ccwhy0eL"
604     "EucWQ72YZU8mUzXBoXGn0zA0crFl5ci/2sTBBGZsylNBAgMBAAGjggFBMIIBPTAd"
605     "BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdv"
606     "b2dsZS5jb20waAYIKwYBBQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtp"
607     "Lmdvb2dsZS5jb20vR0lBRzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50"
608     "czEuZ29vZ2xlLmNvbS9vY3NwMB0GA1UdDgQWBBS/bzHxcE73Q4j3slC4BLbMtLjG"
609     "GjAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEv"
610     "MBcGA1UdIAQQMA4wDAYKKwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRw"
611     "Oi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQAb"
612     "qdWPZEHk0X7iKPCTHL6S3w6q1eR67goxZGFSM1lk1hjwyu7XcLJuvALVV9uY3ovE"
613     "kQZSHwT+pyOPWQhsSjO+1GyjvCvK/CAwiUmBX+bQRGaqHsRcio7xSbdVcajQ3bXd"
614     "X+s0WdbOpn6MStKAiBVloPlSxEI8pxY6x/BBCnTIk/+DMB17uZlOjG3vbAnkDkP+"
615     "n0OTucD9sHV7EVj9XUxi51nOfNBCN/s7lpUjDS/NJ4k3iwOtbCPswiot8vLO779a"
616     "f07vR03r349Iz/KTzk95rlFtX0IU+KYNxFNsanIXZ+C9FYGRXkwhHcvFb4qMUB1y"
617     "TTlM80jBMOwyjZXmjRAhpAIEAKUDAgEUqQUCAwGJwKqBpwSBpOgebbmn9NRUtMWH"
618     "+eJpqA5JLMFSMCChOsvKey3toBaCNGU7HfAEiiXNuuAdCBoK262BjQc2YYfqFzqH"
619     "zuppopXCvhohx7j/tnCNZIMgLYt/O9SXK2RYI5z8FhCCHvB4CbD5G0LGl5EFP27s"
620     "Jb6S3aTTYPkQe8yZSlxevg6NDwmTogLO9F7UUkaYmVcMQhzssEE2ZRYNwSOU6KjE"
621     "0Yj+8fAiBtbQriIEIN2L8ZlpaVrdN5KFNdvcmOxJu81P8q53X55xQyGTnGWwsgMC"
622     "ARezggvvMIIEdjCCA16gAwIBAgIIf+yfD7Y6UicwDQYJKoZIhvcNAQELBQAwSTEL"
623     "MAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2ds"
624     "ZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTUwODEyMTQ1MzE1WhcNMTUxMTEw"
625     "MDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQG"
626     "A1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UE"
627     "AwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB"
628     "AQC0MeG5YGQ0t+IeJeoneP/PrhEaieibeKYkbKVLNZpoPLuBinvhkXZo3DC133Np"
629     "CBpy6ZktBwamqyixAyuk/NU6OjgXqwwxfQ7di1AInLIU792c7hFyNXSUCG7At8If"
630     "i3YwBX9Ba6u/1d6rWTGZJrdCq3QU11RkKYyTq2KT5mceTv9iGKqSkSTlp8puy/9S"
631     "Z/3DbU3U+BuqCFqeSlz7zjwFmk35acdCilpJlVDDN5C/RCh8/UKc8PaL+cxlt531"
632     "qoTENvYrflBno14YEZlCBZsPiFeUSILpKEj3Ccwhy0eLEucWQ72YZU8mUzXBoXGn"
633     "0zA0crFl5ci/2sTBBGZsylNBAgMBAAGjggFBMIIBPTAdBgNVHSUEFjAUBggrBgEF"
634     "BQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYB"
635     "BQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lB"
636     "RzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9v"
637     "Y3NwMB0GA1UdDgQWBBS/bzHxcE73Q4j3slC4BLbMtLjGGjAMBgNVHRMBAf8EAjAA"
638     "MB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMBcGA1UdIAQQMA4wDAYK"
639     "KwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRwOi8vcGtpLmdvb2dsZS5j"
640     "b20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQAbqdWPZEHk0X7iKPCTHL6S"
641     "3w6q1eR67goxZGFSM1lk1hjwyu7XcLJuvALVV9uY3ovEkQZSHwT+pyOPWQhsSjO+"
642     "1GyjvCvK/CAwiUmBX+bQRGaqHsRcio7xSbdVcajQ3bXdX+s0WdbOpn6MStKAiBVl"
643     "oPlSxEI8pxY6x/BBCnTIk/+DMB17uZlOjG3vbAnkDkP+n0OTucD9sHV7EVj9XUxi"
644     "51nOfNBCN/s7lpUjDS/NJ4k3iwOtbCPswiot8vLO779af07vR03r349Iz/KTzk95"
645     "rlFtX0IU+KYNxFNsanIXZ+C9FYGRXkwhHcvFb4qMUB1yTTlM80jBMOwyjZXmjRAh"
646     "MIID8DCCAtigAwIBAgIDAjqDMA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT"
647     "MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i"
648     "YWwgQ0EwHhcNMTMwNDA1MTUxNTU2WhcNMTYxMjMxMjM1OTU5WjBJMQswCQYDVQQG"
649     "EwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVy"
650     "bmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB"
651     "AJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NP"
652     "VaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtv"
653     "h8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rE"
654     "ahqyzFPdFUuLH8gZYR/Nnag+YyuENWllhMgZxUYi+FOVvuOAShDGKuy6lyARxzmZ"
655     "EASg8GF6lSWMTlJ14rbtCMoU/M4iarNOz0YDl5cDfsCx3nuvRTPPuj5xt970JSXC"
656     "DTWJnZ37DhF5iR43xa+OcmkCAwEAAaOB5zCB5DAfBgNVHSMEGDAWgBTAephojYn7"
657     "qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1dvWBtrtiGrpagS8wDgYD"
658     "VR0PAQH/BAQDAgEGMC4GCCsGAQUFBwEBBCIwIDAeBggrBgEFBQcwAYYSaHR0cDov"
659     "L2cuc3ltY2QuY29tMBIGA1UdEwEB/wQIMAYBAf8CAQAwNQYDVR0fBC4wLDAqoCig"
660     "JoYkaHR0cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9iYWwuY3JsMBcGA1UdIAQQ"
661     "MA4wDAYKKwYBBAHWeQIFATANBgkqhkiG9w0BAQsFAAOCAQEAqvqpIM1qZ4PtXtR+"
662     "3h3Ef+AlBgDFJPupyC1tft6dgmUsgWM0Zj7pUsIItMsv91+ZOmqcUHqFBYx90SpI"
663     "hNMJbHzCzTWf84LuUt5oX+QAihcglvcpjZpNy6jehsgNb1aHA30DP9z6eX0hGfnI"
664     "Oi9RdozHQZJxjyXON/hKTAAj78Q1EK7gI4BzfE00LshukNYQHpmEcxpw8u1VDu4X"
665     "Bupn7jLrLN1nBz/2i8Jw3lsA5rsb0zYaImxssDVCbJAJPZPpZAkiDoUGn8JzIdPm"
666     "X4DkjYUiOnMDsWCOrmji9D6X52ASCWg23jrW4kOVWzeBkoEfu43XrVJkFleW2V40"
667     "fsg12DCCA30wggLmoAMCAQICAxK75jANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQG"
668     "EwJVUzEQMA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUg"
669     "Q2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTAyMDUyMTA0MDAwMFoXDTE4MDgyMTA0"
670     "MDAwMFowQjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUdlb1RydXN0IEluYy4xGzAZ"
671     "BgNVBAMTEkdlb1RydXN0IEdsb2JhbCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP"
672     "ADCCAQoCggEBANrMGGMw/fQXIxpWflvfPGw45HG3eJHUvKHYTPioQ7YD6U0hBwiI"
673     "2lgvZjkpvQV4i5046AW3an5xpObEYKaw74DkiSgPniXW7YPzraaRx5jJQhg1FJ2t"
674     "mEaSLk/K8YdDwRaVVy1Q74ktgHpXrfLuX2vSAI25FPgUFTXZwEaje3LIkb/JVSvN"
675     "0Jc+nCZkzN/Ogxlxyk7m1NV7qRnNVd7I7NJeOFPlXE+MLf5QIzb8ZubLjqQ5GQC3"
676     "lQI5kQsO/jgu0R0FmvZNPm8PBx2vLB6PYDni+jZTEznUXiYr2z2oFL0y6xgDKFIE"
677     "ceWrMz3hOLsHNoRinHnqFjD0X8Ar6HFr5PkCAwEAAaOB8DCB7TAfBgNVHSMEGDAW"
678     "gBRI5mj5K9KylddH2CMgEE8zmJCf1DAdBgNVHQ4EFgQUwHqYaI2J+6sFZAwRfap9"
679     "ZbjKzE4wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwOgYDVR0fBDMw"
680     "MTAvoC2gK4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20vY3Jscy9zZWN1cmVjYS5j"
681     "cmwwTgYDVR0gBEcwRTBDBgRVHSAAMDswOQYIKwYBBQUHAgEWLWh0dHBzOi8vd3d3"
682     "Lmdlb3RydXN0LmNvbS9yZXNvdXJjZXMvcmVwb3NpdG9yeTANBgkqhkiG9w0BAQUF"
683     "AAOBgQB24RJuTksWEoYwBrKBCM/wCMfHcX5m7sLt1Dsf//DwyE7WQziwuTB9GNBV"
684     "g6JqyzYRnOhIZqNtf7gT1Ef+i1pcc/yu2RsyGTirlzQUqpbS66McFAhJtrvlke+D"
685     "NusdVm/K2rxzY5Dkf3s+Iss9B+1fOHSc4wNQTqGvmO5h8oQ/Eg==";
686 
687 // kBadSessionExtraField is a custom serialized SSL_SESSION generated by replacing
688 // the final (optional) element of |kCustomSession| with tag number 30.
689 static const char kBadSessionExtraField[] =
690     "MIIBdgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
691     "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
692     "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
693     "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
694     "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
695     "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
696     "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
697     "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBL4DBAEF";
698 
699 // kBadSessionVersion is a custom serialized SSL_SESSION generated by replacing
700 // the version of |kCustomSession| with 2.
701 static const char kBadSessionVersion[] =
702     "MIIBdgIBAgICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
703     "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
704     "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
705     "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
706     "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
707     "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
708     "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
709     "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBLADBAEF";
710 
711 // kBadSessionTrailingData is a custom serialized SSL_SESSION with trailing data
712 // appended.
713 static const char kBadSessionTrailingData[] =
714     "MIIBdgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
715     "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
716     "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
717     "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
718     "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
719     "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
720     "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
721     "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBLADBAEFAAAA";
722 
DecodeBase64(std::vector<uint8_t> * out,const char * in)723 static bool DecodeBase64(std::vector<uint8_t> *out, const char *in) {
724   size_t len;
725   if (!EVP_DecodedLength(&len, strlen(in))) {
726     fprintf(stderr, "EVP_DecodedLength failed\n");
727     return false;
728   }
729 
730   out->resize(len);
731   if (!EVP_DecodeBase64(out->data(), &len, len, (const uint8_t *)in,
732                         strlen(in))) {
733     fprintf(stderr, "EVP_DecodeBase64 failed\n");
734     return false;
735   }
736   out->resize(len);
737   return true;
738 }
739 
TestSSL_SESSIONEncoding(const char * input_b64)740 static bool TestSSL_SESSIONEncoding(const char *input_b64) {
741   const uint8_t *cptr;
742   uint8_t *ptr;
743 
744   // Decode the input.
745   std::vector<uint8_t> input;
746   if (!DecodeBase64(&input, input_b64)) {
747     return false;
748   }
749 
750   // Verify the SSL_SESSION decodes.
751   bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
752   if (!ssl_ctx) {
753     return false;
754   }
755   bssl::UniquePtr<SSL_SESSION> session(
756       SSL_SESSION_from_bytes(input.data(), input.size(), ssl_ctx.get()));
757   if (!session) {
758     fprintf(stderr, "SSL_SESSION_from_bytes failed\n");
759     return false;
760   }
761 
762   // Verify the SSL_SESSION encoding round-trips.
763   size_t encoded_len;
764   bssl::UniquePtr<uint8_t> encoded;
765   uint8_t *encoded_raw;
766   if (!SSL_SESSION_to_bytes(session.get(), &encoded_raw, &encoded_len)) {
767     fprintf(stderr, "SSL_SESSION_to_bytes failed\n");
768     return false;
769   }
770   encoded.reset(encoded_raw);
771   if (encoded_len != input.size() ||
772       OPENSSL_memcmp(input.data(), encoded.get(), input.size()) != 0) {
773     fprintf(stderr, "SSL_SESSION_to_bytes did not round-trip\n");
774     hexdump(stderr, "Before: ", input.data(), input.size());
775     hexdump(stderr, "After:  ", encoded_raw, encoded_len);
776     return false;
777   }
778 
779   // Verify the SSL_SESSION also decodes with the legacy API.
780   cptr = input.data();
781   session.reset(d2i_SSL_SESSION(NULL, &cptr, input.size()));
782   if (!session || cptr != input.data() + input.size()) {
783     fprintf(stderr, "d2i_SSL_SESSION failed\n");
784     return false;
785   }
786 
787   // Verify the SSL_SESSION encoding round-trips via the legacy API.
788   int len = i2d_SSL_SESSION(session.get(), NULL);
789   if (len < 0 || (size_t)len != input.size()) {
790     fprintf(stderr, "i2d_SSL_SESSION(NULL) returned invalid length\n");
791     return false;
792   }
793 
794   encoded.reset((uint8_t *)OPENSSL_malloc(input.size()));
795   if (!encoded) {
796     fprintf(stderr, "malloc failed\n");
797     return false;
798   }
799 
800   ptr = encoded.get();
801   len = i2d_SSL_SESSION(session.get(), &ptr);
802   if (len < 0 || (size_t)len != input.size()) {
803     fprintf(stderr, "i2d_SSL_SESSION returned invalid length\n");
804     return false;
805   }
806   if (ptr != encoded.get() + input.size()) {
807     fprintf(stderr, "i2d_SSL_SESSION did not advance ptr correctly\n");
808     return false;
809   }
810   if (OPENSSL_memcmp(input.data(), encoded.get(), input.size()) != 0) {
811     fprintf(stderr, "i2d_SSL_SESSION did not round-trip\n");
812     return false;
813   }
814 
815   return true;
816 }
817 
TestBadSSL_SESSIONEncoding(const char * input_b64)818 static bool TestBadSSL_SESSIONEncoding(const char *input_b64) {
819   std::vector<uint8_t> input;
820   if (!DecodeBase64(&input, input_b64)) {
821     return false;
822   }
823 
824   // Verify that the SSL_SESSION fails to decode.
825   bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
826   if (!ssl_ctx) {
827     return false;
828   }
829   bssl::UniquePtr<SSL_SESSION> session(
830       SSL_SESSION_from_bytes(input.data(), input.size(), ssl_ctx.get()));
831   if (session) {
832     fprintf(stderr, "SSL_SESSION_from_bytes unexpectedly succeeded\n");
833     return false;
834   }
835   ERR_clear_error();
836   return true;
837 }
838 
ExpectDefaultVersion(uint16_t min_version,uint16_t max_version,const SSL_METHOD * (* method)(void))839 static void ExpectDefaultVersion(uint16_t min_version, uint16_t max_version,
840                                  const SSL_METHOD *(*method)(void)) {
841   bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method()));
842   ASSERT_TRUE(ctx);
843   EXPECT_EQ(min_version, ctx->conf_min_version);
844   EXPECT_EQ(max_version, ctx->conf_max_version);
845 }
846 
TEST(SSLTest,DefaultVersion)847 TEST(SSLTest, DefaultVersion) {
848   // TODO(svaldez): Update this when TLS 1.3 is enabled by default.
849   ExpectDefaultVersion(TLS1_VERSION, TLS1_2_VERSION, &TLS_method);
850   ExpectDefaultVersion(TLS1_VERSION, TLS1_VERSION, &TLSv1_method);
851   ExpectDefaultVersion(TLS1_1_VERSION, TLS1_1_VERSION, &TLSv1_1_method);
852   ExpectDefaultVersion(TLS1_2_VERSION, TLS1_2_VERSION, &TLSv1_2_method);
853   ExpectDefaultVersion(TLS1_1_VERSION, TLS1_2_VERSION, &DTLS_method);
854   ExpectDefaultVersion(TLS1_1_VERSION, TLS1_1_VERSION, &DTLSv1_method);
855   ExpectDefaultVersion(TLS1_2_VERSION, TLS1_2_VERSION, &DTLSv1_2_method);
856 }
857 
TEST(SSLTest,CipherProperties)858 TEST(SSLTest, CipherProperties) {
859   static const struct {
860     int id;
861     const char *standard_name;
862     int cipher_nid;
863     int digest_nid;
864     int kx_nid;
865     int auth_nid;
866     int prf_nid;
867   } kTests[] = {
868       {
869           SSL3_CK_RSA_DES_192_CBC3_SHA,
870           "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
871           NID_des_ede3_cbc,
872           NID_sha1,
873           NID_kx_rsa,
874           NID_auth_rsa,
875           NID_md5_sha1,
876       },
877       {
878           TLS1_CK_RSA_WITH_AES_128_SHA,
879           "TLS_RSA_WITH_AES_128_CBC_SHA",
880           NID_aes_128_cbc,
881           NID_sha1,
882           NID_kx_rsa,
883           NID_auth_rsa,
884           NID_md5_sha1,
885       },
886       {
887           TLS1_CK_PSK_WITH_AES_256_CBC_SHA,
888           "TLS_PSK_WITH_AES_256_CBC_SHA",
889           NID_aes_256_cbc,
890           NID_sha1,
891           NID_kx_psk,
892           NID_auth_psk,
893           NID_md5_sha1,
894       },
895       {
896           TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
897           "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
898           NID_aes_128_cbc,
899           NID_sha1,
900           NID_kx_ecdhe,
901           NID_auth_rsa,
902           NID_md5_sha1,
903       },
904       {
905           TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
906           "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
907           NID_aes_256_cbc,
908           NID_sha1,
909           NID_kx_ecdhe,
910           NID_auth_rsa,
911           NID_md5_sha1,
912       },
913       {
914           TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
915           "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
916           NID_aes_128_gcm,
917           NID_undef,
918           NID_kx_ecdhe,
919           NID_auth_rsa,
920           NID_sha256,
921       },
922       {
923           TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
924           "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
925           NID_aes_128_gcm,
926           NID_undef,
927           NID_kx_ecdhe,
928           NID_auth_ecdsa,
929           NID_sha256,
930       },
931       {
932           TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
933           "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
934           NID_aes_256_gcm,
935           NID_undef,
936           NID_kx_ecdhe,
937           NID_auth_ecdsa,
938           NID_sha384,
939       },
940       {
941           TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA,
942           "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
943           NID_aes_128_cbc,
944           NID_sha1,
945           NID_kx_ecdhe,
946           NID_auth_psk,
947           NID_md5_sha1,
948       },
949       {
950           TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
951           "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
952           NID_chacha20_poly1305,
953           NID_undef,
954           NID_kx_ecdhe,
955           NID_auth_rsa,
956           NID_sha256,
957       },
958       {
959           TLS1_CK_AES_256_GCM_SHA384,
960           "TLS_AES_256_GCM_SHA384",
961           NID_aes_256_gcm,
962           NID_undef,
963           NID_kx_any,
964           NID_auth_any,
965           NID_sha384,
966       },
967       {
968           TLS1_CK_AES_128_GCM_SHA256,
969           "TLS_AES_128_GCM_SHA256",
970           NID_aes_128_gcm,
971           NID_undef,
972           NID_kx_any,
973           NID_auth_any,
974           NID_sha256,
975       },
976       {
977           TLS1_CK_CHACHA20_POLY1305_SHA256,
978           "TLS_CHACHA20_POLY1305_SHA256",
979           NID_chacha20_poly1305,
980           NID_undef,
981           NID_kx_any,
982           NID_auth_any,
983           NID_sha256,
984       },
985   };
986 
987   for (const auto &t : kTests) {
988     SCOPED_TRACE(t.standard_name);
989 
990     const SSL_CIPHER *cipher = SSL_get_cipher_by_value(t.id & 0xffff);
991     ASSERT_TRUE(cipher);
992     EXPECT_STREQ(t.standard_name, SSL_CIPHER_standard_name(cipher));
993 
994     bssl::UniquePtr<char> rfc_name(SSL_CIPHER_get_rfc_name(cipher));
995     ASSERT_TRUE(rfc_name);
996     EXPECT_STREQ(t.standard_name, rfc_name.get());
997 
998     EXPECT_EQ(t.cipher_nid, SSL_CIPHER_get_cipher_nid(cipher));
999     EXPECT_EQ(t.digest_nid, SSL_CIPHER_get_digest_nid(cipher));
1000     EXPECT_EQ(t.kx_nid, SSL_CIPHER_get_kx_nid(cipher));
1001     EXPECT_EQ(t.auth_nid, SSL_CIPHER_get_auth_nid(cipher));
1002     EXPECT_EQ(t.prf_nid, SSL_CIPHER_get_prf_nid(cipher));
1003   }
1004 }
1005 
1006 // CreateSessionWithTicket returns a sample |SSL_SESSION| with the specified
1007 // version and ticket length or nullptr on failure.
CreateSessionWithTicket(uint16_t version,size_t ticket_len)1008 static bssl::UniquePtr<SSL_SESSION> CreateSessionWithTicket(uint16_t version,
1009                                                             size_t ticket_len) {
1010   std::vector<uint8_t> der;
1011   if (!DecodeBase64(&der, kOpenSSLSession)) {
1012     return nullptr;
1013   }
1014 
1015   bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
1016   if (!ssl_ctx) {
1017     return nullptr;
1018   }
1019   // Use a garbage ticket.
1020   std::vector<uint8_t> ticket(ticket_len, 'a');
1021   bssl::UniquePtr<SSL_SESSION> session(
1022       SSL_SESSION_from_bytes(der.data(), der.size(), ssl_ctx.get()));
1023   if (!session ||
1024       !SSL_SESSION_set_protocol_version(session.get(), version) ||
1025       !SSL_SESSION_set_ticket(session.get(), ticket.data(), ticket.size())) {
1026     return nullptr;
1027   }
1028   // Fix up the timeout.
1029 #if defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE)
1030   SSL_SESSION_set_time(session.get(), 1234);
1031 #else
1032   SSL_SESSION_set_time(session.get(), time(nullptr));
1033 #endif
1034   return session;
1035 }
1036 
GetClientHello(SSL * ssl,std::vector<uint8_t> * out)1037 static bool GetClientHello(SSL *ssl, std::vector<uint8_t> *out) {
1038   bssl::UniquePtr<BIO> bio(BIO_new(BIO_s_mem()));
1039   if (!bio) {
1040     return false;
1041   }
1042   // Do not configure a reading BIO, but record what's written to a memory BIO.
1043   BIO_up_ref(bio.get());
1044   SSL_set_bio(ssl, nullptr /* rbio */, bio.get());
1045   int ret = SSL_connect(ssl);
1046   if (ret > 0) {
1047     // SSL_connect should fail without a BIO to write to.
1048     return false;
1049   }
1050   ERR_clear_error();
1051 
1052   const uint8_t *client_hello;
1053   size_t client_hello_len;
1054   if (!BIO_mem_contents(bio.get(), &client_hello, &client_hello_len)) {
1055     return false;
1056   }
1057   *out = std::vector<uint8_t>(client_hello, client_hello + client_hello_len);
1058   return true;
1059 }
1060 
1061 // GetClientHelloLen creates a client SSL connection with the specified version
1062 // and ticket length. It returns the length of the ClientHello, not including
1063 // the record header, on success and zero on error.
GetClientHelloLen(uint16_t max_version,uint16_t session_version,size_t ticket_len)1064 static size_t GetClientHelloLen(uint16_t max_version, uint16_t session_version,
1065                                 size_t ticket_len) {
1066   bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
1067   bssl::UniquePtr<SSL_SESSION> session =
1068       CreateSessionWithTicket(session_version, ticket_len);
1069   if (!ctx || !session) {
1070     return 0;
1071   }
1072 
1073   // Set a one-element cipher list so the baseline ClientHello is unpadded.
1074   bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
1075   if (!ssl || !SSL_set_session(ssl.get(), session.get()) ||
1076       !SSL_set_strict_cipher_list(ssl.get(), "ECDHE-RSA-AES128-GCM-SHA256") ||
1077       !SSL_set_max_proto_version(ssl.get(), max_version)) {
1078     return 0;
1079   }
1080 
1081   std::vector<uint8_t> client_hello;
1082   if (!GetClientHello(ssl.get(), &client_hello) ||
1083       client_hello.size() <= SSL3_RT_HEADER_LENGTH) {
1084     return 0;
1085   }
1086 
1087   return client_hello.size() - SSL3_RT_HEADER_LENGTH;
1088 }
1089 
1090 struct PaddingTest {
1091   size_t input_len, padded_len;
1092 };
1093 
1094 static const PaddingTest kPaddingTests[] = {
1095     // ClientHellos of length below 0x100 do not require padding.
1096     {0xfe, 0xfe},
1097     {0xff, 0xff},
1098     // ClientHellos of length 0x100 through 0x1fb are padded up to 0x200.
1099     {0x100, 0x200},
1100     {0x123, 0x200},
1101     {0x1fb, 0x200},
1102     // ClientHellos of length 0x1fc through 0x1ff get padded beyond 0x200. The
1103     // padding extension takes a minimum of four bytes plus one required content
1104     // byte. (To work around yet more server bugs, we avoid empty final
1105     // extensions.)
1106     {0x1fc, 0x201},
1107     {0x1fd, 0x202},
1108     {0x1fe, 0x203},
1109     {0x1ff, 0x204},
1110     // Finally, larger ClientHellos need no padding.
1111     {0x200, 0x200},
1112     {0x201, 0x201},
1113 };
1114 
TestPaddingExtension(uint16_t max_version,uint16_t session_version)1115 static bool TestPaddingExtension(uint16_t max_version,
1116                                  uint16_t session_version) {
1117   // Sample a baseline length.
1118   size_t base_len = GetClientHelloLen(max_version, session_version, 1);
1119   if (base_len == 0) {
1120     return false;
1121   }
1122 
1123   for (const PaddingTest &test : kPaddingTests) {
1124     if (base_len > test.input_len) {
1125       fprintf(stderr,
1126               "Baseline ClientHello too long (max_version = %04x, "
1127               "session_version = %04x).\n",
1128               max_version, session_version);
1129       return false;
1130     }
1131 
1132     size_t padded_len = GetClientHelloLen(max_version, session_version,
1133                                           1 + test.input_len - base_len);
1134     if (padded_len != test.padded_len) {
1135       fprintf(stderr,
1136               "%u-byte ClientHello padded to %u bytes, not %u (max_version = "
1137               "%04x, session_version = %04x).\n",
1138               static_cast<unsigned>(test.input_len),
1139               static_cast<unsigned>(padded_len),
1140               static_cast<unsigned>(test.padded_len), max_version,
1141               session_version);
1142       return false;
1143     }
1144   }
1145 
1146   return true;
1147 }
1148 
GetTestCertificate()1149 static bssl::UniquePtr<X509> GetTestCertificate() {
1150   static const char kCertPEM[] =
1151       "-----BEGIN CERTIFICATE-----\n"
1152       "MIICWDCCAcGgAwIBAgIJAPuwTC6rEJsMMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV\n"
1153       "BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX\n"
1154       "aWRnaXRzIFB0eSBMdGQwHhcNMTQwNDIzMjA1MDQwWhcNMTcwNDIyMjA1MDQwWjBF\n"
1155       "MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50\n"
1156       "ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\n"
1157       "gQDYK8imMuRi/03z0K1Zi0WnvfFHvwlYeyK9Na6XJYaUoIDAtB92kWdGMdAQhLci\n"
1158       "HnAjkXLI6W15OoV3gA/ElRZ1xUpxTMhjP6PyY5wqT5r6y8FxbiiFKKAnHmUcrgfV\n"
1159       "W28tQ+0rkLGMryRtrukXOgXBv7gcrmU7G1jC2a7WqmeI8QIDAQABo1AwTjAdBgNV\n"
1160       "HQ4EFgQUi3XVrMsIvg4fZbf6Vr5sp3Xaha8wHwYDVR0jBBgwFoAUi3XVrMsIvg4f\n"
1161       "Zbf6Vr5sp3Xaha8wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQA76Hht\n"
1162       "ldY9avcTGSwbwoiuIqv0jTL1fHFnzy3RHMLDh+Lpvolc5DSrSJHCP5WuK0eeJXhr\n"
1163       "T5oQpHL9z/cCDLAKCKRa4uV0fhEdOWBqyR9p8y5jJtye72t6CuFUV5iqcpF4BH4f\n"
1164       "j2VNHwsSrJwkD4QUGlUtH7vwnQmyCFxZMmWAJg==\n"
1165       "-----END CERTIFICATE-----\n";
1166   bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(kCertPEM, strlen(kCertPEM)));
1167   return bssl::UniquePtr<X509>(
1168       PEM_read_bio_X509(bio.get(), nullptr, nullptr, nullptr));
1169 }
1170 
GetTestKey()1171 static bssl::UniquePtr<EVP_PKEY> GetTestKey() {
1172   static const char kKeyPEM[] =
1173       "-----BEGIN RSA PRIVATE KEY-----\n"
1174       "MIICXgIBAAKBgQDYK8imMuRi/03z0K1Zi0WnvfFHvwlYeyK9Na6XJYaUoIDAtB92\n"
1175       "kWdGMdAQhLciHnAjkXLI6W15OoV3gA/ElRZ1xUpxTMhjP6PyY5wqT5r6y8FxbiiF\n"
1176       "KKAnHmUcrgfVW28tQ+0rkLGMryRtrukXOgXBv7gcrmU7G1jC2a7WqmeI8QIDAQAB\n"
1177       "AoGBAIBy09Fd4DOq/Ijp8HeKuCMKTHqTW1xGHshLQ6jwVV2vWZIn9aIgmDsvkjCe\n"
1178       "i6ssZvnbjVcwzSoByhjN8ZCf/i15HECWDFFh6gt0P5z0MnChwzZmvatV/FXCT0j+\n"
1179       "WmGNB/gkehKjGXLLcjTb6dRYVJSCZhVuOLLcbWIV10gggJQBAkEA8S8sGe4ezyyZ\n"
1180       "m4e9r95g6s43kPqtj5rewTsUxt+2n4eVodD+ZUlCULWVNAFLkYRTBCASlSrm9Xhj\n"
1181       "QpmWAHJUkQJBAOVzQdFUaewLtdOJoPCtpYoY1zd22eae8TQEmpGOR11L6kbxLQsk\n"
1182       "aMly/DOnOaa82tqAGTdqDEZgSNmCeKKknmECQAvpnY8GUOVAubGR6c+W90iBuQLj\n"
1183       "LtFp/9ihd2w/PoDwrHZaoUYVcT4VSfJQog/k7kjE4MYXYWL8eEKg3WTWQNECQQDk\n"
1184       "104Wi91Umd1PzF0ijd2jXOERJU1wEKe6XLkYYNHWQAe5l4J4MWj9OdxFXAxIuuR/\n"
1185       "tfDwbqkta4xcux67//khAkEAvvRXLHTaa6VFzTaiiO8SaFsHV3lQyXOtMrBpB5jd\n"
1186       "moZWgjHvB2W9Ckn7sDqsPB+U2tyX0joDdQEyuiMECDY8oQ==\n"
1187       "-----END RSA PRIVATE KEY-----\n";
1188   bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(kKeyPEM, strlen(kKeyPEM)));
1189   return bssl::UniquePtr<EVP_PKEY>(
1190       PEM_read_bio_PrivateKey(bio.get(), nullptr, nullptr, nullptr));
1191 }
1192 
GetECDSATestCertificate()1193 static bssl::UniquePtr<X509> GetECDSATestCertificate() {
1194   static const char kCertPEM[] =
1195       "-----BEGIN CERTIFICATE-----\n"
1196       "MIIBzzCCAXagAwIBAgIJANlMBNpJfb/rMAkGByqGSM49BAEwRTELMAkGA1UEBhMC\n"
1197       "QVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdp\n"
1198       "dHMgUHR5IEx0ZDAeFw0xNDA0MjMyMzIxNTdaFw0xNDA1MjMyMzIxNTdaMEUxCzAJ\n"
1199       "BgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5l\n"
1200       "dCBXaWRnaXRzIFB0eSBMdGQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATmK2ni\n"
1201       "v2Wfl74vHg2UikzVl2u3qR4NRvvdqakendy6WgHn1peoChj5w8SjHlbifINI2xYa\n"
1202       "HPUdfvGULUvPciLBo1AwTjAdBgNVHQ4EFgQUq4TSrKuV8IJOFngHVVdf5CaNgtEw\n"
1203       "HwYDVR0jBBgwFoAUq4TSrKuV8IJOFngHVVdf5CaNgtEwDAYDVR0TBAUwAwEB/zAJ\n"
1204       "BgcqhkjOPQQBA0gAMEUCIQDyoDVeUTo2w4J5m+4nUIWOcAZ0lVfSKXQA9L4Vh13E\n"
1205       "BwIgfB55FGohg/B6dGh5XxSZmmi08cueFV7mHzJSYV51yRQ=\n"
1206       "-----END CERTIFICATE-----\n";
1207   bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(kCertPEM, strlen(kCertPEM)));
1208   return bssl::UniquePtr<X509>(PEM_read_bio_X509(bio.get(), nullptr, nullptr, nullptr));
1209 }
1210 
GetECDSATestKey()1211 static bssl::UniquePtr<EVP_PKEY> GetECDSATestKey() {
1212   static const char kKeyPEM[] =
1213       "-----BEGIN PRIVATE KEY-----\n"
1214       "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgBw8IcnrUoEqc3VnJ\n"
1215       "TYlodwi1b8ldMHcO6NHJzgqLtGqhRANCAATmK2niv2Wfl74vHg2UikzVl2u3qR4N\n"
1216       "Rvvdqakendy6WgHn1peoChj5w8SjHlbifINI2xYaHPUdfvGULUvPciLB\n"
1217       "-----END PRIVATE KEY-----\n";
1218   bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(kKeyPEM, strlen(kKeyPEM)));
1219   return bssl::UniquePtr<EVP_PKEY>(
1220       PEM_read_bio_PrivateKey(bio.get(), nullptr, nullptr, nullptr));
1221 }
1222 
BufferFromPEM(const char * pem)1223 static bssl::UniquePtr<CRYPTO_BUFFER> BufferFromPEM(const char *pem) {
1224   bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(pem, strlen(pem)));
1225   char *name, *header;
1226   uint8_t *data;
1227   long data_len;
1228   if (!PEM_read_bio(bio.get(), &name, &header, &data,
1229                     &data_len)) {
1230     return nullptr;
1231   }
1232   OPENSSL_free(name);
1233   OPENSSL_free(header);
1234 
1235   auto ret = bssl::UniquePtr<CRYPTO_BUFFER>(
1236       CRYPTO_BUFFER_new(data, data_len, nullptr));
1237   OPENSSL_free(data);
1238   return ret;
1239 }
1240 
GetChainTestCertificateBuffer()1241 static bssl::UniquePtr<CRYPTO_BUFFER> GetChainTestCertificateBuffer() {
1242   static const char kCertPEM[] =
1243       "-----BEGIN CERTIFICATE-----\n"
1244       "MIIC0jCCAbqgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEQiBD\n"
1245       "QTAeFw0xNjAyMjgyMDI3MDNaFw0yNjAyMjUyMDI3MDNaMBgxFjAUBgNVBAMMDUNs\n"
1246       "aWVudCBDZXJ0IEEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDRvaz8\n"
1247       "CC/cshpCafJo4jLkHEoBqDLhdgFelJoAiQUyIqyWl2O7YHPnpJH+TgR7oelzNzt/\n"
1248       "kLRcH89M/TszB6zqyLTC4aqmvzKL0peD/jL2LWBucR0WXIvjA3zoRuF/x86+rYH3\n"
1249       "tHb+xs2PSs8EGL/Ev+ss+qTzTGEn26fuGNHkNw6tOwPpc+o8+wUtzf/kAthamo+c\n"
1250       "IDs2rQ+lP7+aLZTLeU/q4gcLutlzcK5imex5xy2jPkweq48kijK0kIzl1cPlA5d1\n"
1251       "z7C8jU50Pj9X9sQDJTN32j7UYRisJeeYQF8GaaN8SbrDI6zHgKzrRLyxDt/KQa9V\n"
1252       "iLeXANgZi+Xx9KgfAgMBAAGjLzAtMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYI\n"
1253       "KwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQBFEVbmYl+2RtNw\n"
1254       "rDftRDF1v2QUbcN2ouSnQDHxeDQdSgasLzT3ui8iYu0Rw2WWcZ0DV5e0ztGPhWq7\n"
1255       "AO0B120aFRMOY+4+bzu9Q2FFkQqc7/fKTvTDzIJI5wrMnFvUfzzvxh3OHWMYSs/w\n"
1256       "giq33hTKeHEq6Jyk3btCny0Ycecyc3yGXH10sizUfiHlhviCkDuESk8mFDwDDzqW\n"
1257       "ZF0IipzFbEDHoIxLlm3GQxpiLoEV4k8KYJp3R5KBLFyxM6UGPz8h72mIPCJp2RuK\n"
1258       "MYgF91UDvVzvnYm6TfseM2+ewKirC00GOrZ7rEcFvtxnKSqYf4ckqfNdSU1Y+RRC\n"
1259       "1ngWZ7Ih\n"
1260       "-----END CERTIFICATE-----\n";
1261   return BufferFromPEM(kCertPEM);
1262 }
1263 
X509FromBuffer(bssl::UniquePtr<CRYPTO_BUFFER> buffer)1264 static bssl::UniquePtr<X509> X509FromBuffer(
1265     bssl::UniquePtr<CRYPTO_BUFFER> buffer) {
1266   if (!buffer) {
1267     return nullptr;
1268   }
1269   const uint8_t *derp = CRYPTO_BUFFER_data(buffer.get());
1270   return bssl::UniquePtr<X509>(
1271       d2i_X509(NULL, &derp, CRYPTO_BUFFER_len(buffer.get())));
1272 }
1273 
GetChainTestCertificate()1274 static bssl::UniquePtr<X509> GetChainTestCertificate() {
1275   return X509FromBuffer(GetChainTestCertificateBuffer());
1276 }
1277 
GetChainTestIntermediateBuffer()1278 static bssl::UniquePtr<CRYPTO_BUFFER> GetChainTestIntermediateBuffer() {
1279   static const char kCertPEM[] =
1280       "-----BEGIN CERTIFICATE-----\n"
1281       "MIICwjCCAaqgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwFDESMBAGA1UEAwwJQyBS\n"
1282       "b290IENBMB4XDTE2MDIyODIwMjcwM1oXDTI2MDIyNTIwMjcwM1owDzENMAsGA1UE\n"
1283       "AwwEQiBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALsSCYmDip2D\n"
1284       "GkjFxw7ykz26JSjELkl6ArlYjFJ3aT/SCh8qbS4gln7RH8CPBd78oFdfhIKQrwtZ\n"
1285       "3/q21ykD9BAS3qHe2YdcJfm8/kWAy5DvXk6NXU4qX334KofBAEpgdA/igEFq1P1l\n"
1286       "HAuIfZCpMRfT+i5WohVsGi8f/NgpRvVaMONLNfgw57mz1lbtFeBEISmX0kbsuJxF\n"
1287       "Qj/Bwhi5/0HAEXG8e7zN4cEx0yPRvmOATRdVb/8dW2pwOHRJq9R5M0NUkIsTSnL7\n"
1288       "6N/z8hRAHMsV3IudC5Yd7GXW1AGu9a+iKU+Q4xcZCoj0DC99tL4VKujrV1kAeqsM\n"
1289       "cz5/dKzi6+cCAwEAAaMjMCEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
1290       "AQYwDQYJKoZIhvcNAQELBQADggEBAIIeZiEeNhWWQ8Y4D+AGDwqUUeG8NjCbKrXQ\n"
1291       "BlHg5wZ8xftFaiP1Dp/UAezmx2LNazdmuwrYB8lm3FVTyaPDTKEGIPS4wJKHgqH1\n"
1292       "QPDhqNm85ey7TEtI9oYjsNim/Rb+iGkIAMXaxt58SzxbjvP0kMr1JfJIZbic9vye\n"
1293       "NwIspMFIpP3FB8ywyu0T0hWtCQgL4J47nigCHpOu58deP88fS/Nyz/fyGVWOZ76b\n"
1294       "WhWwgM3P3X95fQ3d7oFPR/bVh0YV+Cf861INwplokXgXQ3/TCQ+HNXeAMWn3JLWv\n"
1295       "XFwk8owk9dq/kQGdndGgy3KTEW4ctPX5GNhf3LJ9Q7dLji4ReQ4=\n"
1296       "-----END CERTIFICATE-----\n";
1297   return BufferFromPEM(kCertPEM);
1298 }
1299 
GetChainTestIntermediate()1300 static bssl::UniquePtr<X509> GetChainTestIntermediate() {
1301   return X509FromBuffer(GetChainTestIntermediateBuffer());
1302 }
1303 
GetChainTestKey()1304 static bssl::UniquePtr<EVP_PKEY> GetChainTestKey() {
1305   static const char kKeyPEM[] =
1306       "-----BEGIN PRIVATE KEY-----\n"
1307       "MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDRvaz8CC/cshpC\n"
1308       "afJo4jLkHEoBqDLhdgFelJoAiQUyIqyWl2O7YHPnpJH+TgR7oelzNzt/kLRcH89M\n"
1309       "/TszB6zqyLTC4aqmvzKL0peD/jL2LWBucR0WXIvjA3zoRuF/x86+rYH3tHb+xs2P\n"
1310       "Ss8EGL/Ev+ss+qTzTGEn26fuGNHkNw6tOwPpc+o8+wUtzf/kAthamo+cIDs2rQ+l\n"
1311       "P7+aLZTLeU/q4gcLutlzcK5imex5xy2jPkweq48kijK0kIzl1cPlA5d1z7C8jU50\n"
1312       "Pj9X9sQDJTN32j7UYRisJeeYQF8GaaN8SbrDI6zHgKzrRLyxDt/KQa9ViLeXANgZ\n"
1313       "i+Xx9KgfAgMBAAECggEBAK0VjSJzkyPaamcyTVSWjo7GdaBGcK60lk657RjR+lK0\n"
1314       "YJ7pkej4oM2hdsVZFsP8Cs4E33nXLa/0pDsRov/qrp0WQm2skwqGMC1I/bZ0WRPk\n"
1315       "wHaDrBBfESWnJDX/AGpVtlyOjPmgmK6J2usMPihQUDkKdAYrVWJePrMIxt1q6BMe\n"
1316       "iczs3qriMmtY3bUc4UyUwJ5fhDLjshHvfuIpYQyI6EXZM6dZksn9LylXJnigY6QJ\n"
1317       "HxOYO0BDwOsZ8yQ8J8afLk88i0GizEkgE1z3REtQUwgWfxr1WV/ud+T6/ZhSAgH9\n"
1318       "042mQvSFZnIUSEsmCvjhWuAunfxHKCTcAoYISWfzWpkCgYEA7gpf3HHU5Tn+CgUn\n"
1319       "1X5uGpG3DmcMgfeGgs2r2f/IIg/5Ac1dfYILiybL1tN9zbyLCJfcbFpWBc9hJL6f\n"
1320       "CPc5hUiwWFJqBJewxQkC1Ae/HakHbip+IZ+Jr0842O4BAArvixk4Lb7/N2Ct9sTE\n"
1321       "NJO6RtK9lbEZ5uK61DglHy8CS2UCgYEA4ZC1o36kPAMQBggajgnucb2yuUEelk0f\n"
1322       "AEr+GI32MGE+93xMr7rAhBoqLg4AITyIfEnOSQ5HwagnIHonBbv1LV/Gf9ursx8Z\n"
1323       "YOGbvT8zzzC+SU1bkDzdjAYnFQVGIjMtKOBJ3K07++ypwX1fr4QsQ8uKL8WSOWwt\n"
1324       "Z3Bym6XiZzMCgYADnhy+2OwHX85AkLt+PyGlPbmuelpyTzS4IDAQbBa6jcuW/2wA\n"
1325       "UE2km75VUXmD+u2R/9zVuLm99NzhFhSMqlUxdV1YukfqMfP5yp1EY6m/5aW7QuIP\n"
1326       "2MDa7TVL9rIFMiVZ09RKvbBbQxjhuzPQKL6X/PPspnhiTefQ+dl2k9xREQKBgHDS\n"
1327       "fMfGNEeAEKezrfSVqxphE9/tXms3L+ZpnCaT+yu/uEr5dTIAawKoQ6i9f/sf1/Sy\n"
1328       "xedsqR+IB+oKrzIDDWMgoJybN4pkZ8E5lzhVQIjFjKgFdWLzzqyW9z1gYfABQPlN\n"
1329       "FiS20WX0vgP1vcKAjdNrHzc9zyHBpgQzDmAj3NZZAoGBAI8vKCKdH7w3aL5CNkZQ\n"
1330       "2buIeWNA2HZazVwAGG5F2TU/LmXfRKnG6dX5bkU+AkBZh56jNZy//hfFSewJB4Kk\n"
1331       "buB7ERSdaNbO21zXt9FEA3+z0RfMd/Zv2vlIWOSB5nzl/7UKti3sribK6s9ZVLfi\n"
1332       "SxpiPQ8d/hmSGwn4ksrWUsJD\n"
1333       "-----END PRIVATE KEY-----\n";
1334   bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(kKeyPEM, strlen(kKeyPEM)));
1335   return bssl::UniquePtr<EVP_PKEY>(
1336       PEM_read_bio_PrivateKey(bio.get(), nullptr, nullptr, nullptr));
1337 }
1338 
1339 // Test that |SSL_get_client_CA_list| echoes back the configured parameter even
1340 // before configuring as a server.
TEST(SSLTest,ClientCAList)1341 TEST(SSLTest, ClientCAList) {
1342   bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
1343   ASSERT_TRUE(ctx);
1344   bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
1345   ASSERT_TRUE(ssl);
1346 
1347   bssl::UniquePtr<X509_NAME> name(X509_NAME_new());
1348   ASSERT_TRUE(name);
1349 
1350   bssl::UniquePtr<X509_NAME> name_dup(X509_NAME_dup(name.get()));
1351   ASSERT_TRUE(name_dup);
1352 
1353   bssl::UniquePtr<STACK_OF(X509_NAME)> stack(sk_X509_NAME_new_null());
1354   ASSERT_TRUE(stack);
1355   ASSERT_TRUE(PushToStack(stack.get(), std::move(name_dup)));
1356 
1357   // |SSL_set_client_CA_list| takes ownership.
1358   SSL_set_client_CA_list(ssl.get(), stack.release());
1359 
1360   STACK_OF(X509_NAME) *result = SSL_get_client_CA_list(ssl.get());
1361   ASSERT_TRUE(result);
1362   ASSERT_EQ(1u, sk_X509_NAME_num(result));
1363   EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(result, 0), name.get()));
1364 }
1365 
TEST(SSLTest,AddClientCA)1366 TEST(SSLTest, AddClientCA) {
1367   bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
1368   ASSERT_TRUE(ctx);
1369   bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
1370   ASSERT_TRUE(ssl);
1371 
1372   bssl::UniquePtr<X509> cert1 = GetTestCertificate();
1373   bssl::UniquePtr<X509> cert2 = GetChainTestCertificate();
1374   ASSERT_TRUE(cert1 && cert2);
1375   X509_NAME *name1 = X509_get_subject_name(cert1.get());
1376   X509_NAME *name2 = X509_get_subject_name(cert2.get());
1377 
1378   EXPECT_EQ(0u, sk_X509_NAME_num(SSL_get_client_CA_list(ssl.get())));
1379 
1380   ASSERT_TRUE(SSL_add_client_CA(ssl.get(), cert1.get()));
1381   ASSERT_TRUE(SSL_add_client_CA(ssl.get(), cert2.get()));
1382 
1383   STACK_OF(X509_NAME) *list = SSL_get_client_CA_list(ssl.get());
1384   ASSERT_EQ(2u, sk_X509_NAME_num(list));
1385   EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 0), name1));
1386   EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 1), name2));
1387 
1388   ASSERT_TRUE(SSL_add_client_CA(ssl.get(), cert1.get()));
1389 
1390   list = SSL_get_client_CA_list(ssl.get());
1391   ASSERT_EQ(3u, sk_X509_NAME_num(list));
1392   EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 0), name1));
1393   EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 1), name2));
1394   EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 2), name1));
1395 }
1396 
AppendSession(SSL_SESSION * session,void * arg)1397 static void AppendSession(SSL_SESSION *session, void *arg) {
1398   std::vector<SSL_SESSION*> *out =
1399       reinterpret_cast<std::vector<SSL_SESSION*>*>(arg);
1400   out->push_back(session);
1401 }
1402 
1403 // CacheEquals returns true if |ctx|'s session cache consists of |expected|, in
1404 // order.
CacheEquals(SSL_CTX * ctx,const std::vector<SSL_SESSION * > & expected)1405 static bool CacheEquals(SSL_CTX *ctx,
1406                         const std::vector<SSL_SESSION*> &expected) {
1407   // Check the linked list.
1408   SSL_SESSION *ptr = ctx->session_cache_head;
1409   for (SSL_SESSION *session : expected) {
1410     if (ptr != session) {
1411       return false;
1412     }
1413     // TODO(davidben): This is an absurd way to denote the end of the list.
1414     if (ptr->next ==
1415         reinterpret_cast<SSL_SESSION *>(&ctx->session_cache_tail)) {
1416       ptr = nullptr;
1417     } else {
1418       ptr = ptr->next;
1419     }
1420   }
1421   if (ptr != nullptr) {
1422     return false;
1423   }
1424 
1425   // Check the hash table.
1426   std::vector<SSL_SESSION*> actual, expected_copy;
1427   lh_SSL_SESSION_doall_arg(ctx->sessions, AppendSession, &actual);
1428   expected_copy = expected;
1429 
1430   std::sort(actual.begin(), actual.end());
1431   std::sort(expected_copy.begin(), expected_copy.end());
1432 
1433   return actual == expected_copy;
1434 }
1435 
CreateTestSession(uint32_t number)1436 static bssl::UniquePtr<SSL_SESSION> CreateTestSession(uint32_t number) {
1437   bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
1438   if (!ssl_ctx) {
1439     return nullptr;
1440   }
1441   bssl::UniquePtr<SSL_SESSION> ret(SSL_SESSION_new(ssl_ctx.get()));
1442   if (!ret) {
1443     return nullptr;
1444   }
1445 
1446   uint8_t id[SSL3_SSL_SESSION_ID_LENGTH] = {0};
1447   OPENSSL_memcpy(id, &number, sizeof(number));
1448   if (!SSL_SESSION_set1_id(ret.get(), id, sizeof(id))) {
1449     return nullptr;
1450   }
1451   return ret;
1452 }
1453 
1454 // Test that the internal session cache behaves as expected.
TEST(SSLTest,InternalSessionCache)1455 TEST(SSLTest, InternalSessionCache) {
1456   bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
1457   ASSERT_TRUE(ctx);
1458 
1459   // Prepare 10 test sessions.
1460   std::vector<bssl::UniquePtr<SSL_SESSION>> sessions;
1461   for (int i = 0; i < 10; i++) {
1462     bssl::UniquePtr<SSL_SESSION> session = CreateTestSession(i);
1463     ASSERT_TRUE(session);
1464     sessions.push_back(std::move(session));
1465   }
1466 
1467   SSL_CTX_sess_set_cache_size(ctx.get(), 5);
1468 
1469   // Insert all the test sessions.
1470   for (const auto &session : sessions) {
1471     ASSERT_TRUE(SSL_CTX_add_session(ctx.get(), session.get()));
1472   }
1473 
1474   // Only the last five should be in the list.
1475   ASSERT_TRUE(CacheEquals(
1476       ctx.get(), {sessions[9].get(), sessions[8].get(), sessions[7].get(),
1477                   sessions[6].get(), sessions[5].get()}));
1478 
1479   // Inserting an element already in the cache should fail and leave the cache
1480   // unchanged.
1481   ASSERT_FALSE(SSL_CTX_add_session(ctx.get(), sessions[7].get()));
1482   ASSERT_TRUE(CacheEquals(
1483       ctx.get(), {sessions[9].get(), sessions[8].get(), sessions[7].get(),
1484                   sessions[6].get(), sessions[5].get()}));
1485 
1486   // Although collisions should be impossible (256-bit session IDs), the cache
1487   // must handle them gracefully.
1488   bssl::UniquePtr<SSL_SESSION> collision(CreateTestSession(7));
1489   ASSERT_TRUE(collision);
1490   ASSERT_TRUE(SSL_CTX_add_session(ctx.get(), collision.get()));
1491   ASSERT_TRUE(CacheEquals(
1492       ctx.get(), {collision.get(), sessions[9].get(), sessions[8].get(),
1493                   sessions[6].get(), sessions[5].get()}));
1494 
1495   // Removing sessions behaves correctly.
1496   ASSERT_TRUE(SSL_CTX_remove_session(ctx.get(), sessions[6].get()));
1497   ASSERT_TRUE(CacheEquals(ctx.get(), {collision.get(), sessions[9].get(),
1498                                       sessions[8].get(), sessions[5].get()}));
1499 
1500   // Removing sessions requires an exact match.
1501   ASSERT_FALSE(SSL_CTX_remove_session(ctx.get(), sessions[0].get()));
1502   ASSERT_FALSE(SSL_CTX_remove_session(ctx.get(), sessions[7].get()));
1503 
1504   // The cache remains unchanged.
1505   ASSERT_TRUE(CacheEquals(ctx.get(), {collision.get(), sessions[9].get(),
1506                                       sessions[8].get(), sessions[5].get()}));
1507 }
1508 
EpochFromSequence(uint64_t seq)1509 static uint16_t EpochFromSequence(uint64_t seq) {
1510   return static_cast<uint16_t>(seq >> 48);
1511 }
1512 
1513 static const uint8_t kTestName[] = {
1514     0x30, 0x45, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
1515     0x02, 0x41, 0x55, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
1516     0x0c, 0x0a, 0x53, 0x6f, 0x6d, 0x65, 0x2d, 0x53, 0x74, 0x61, 0x74, 0x65,
1517     0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x18, 0x49,
1518     0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x20, 0x57, 0x69, 0x64, 0x67,
1519     0x69, 0x74, 0x73, 0x20, 0x50, 0x74, 0x79, 0x20, 0x4c, 0x74, 0x64,
1520 };
1521 
CompleteHandshakes(SSL * client,SSL * server)1522 static bool CompleteHandshakes(SSL *client, SSL *server) {
1523   // Drive both their handshakes to completion.
1524   for (;;) {
1525     int client_ret = SSL_do_handshake(client);
1526     int client_err = SSL_get_error(client, client_ret);
1527     if (client_err != SSL_ERROR_NONE &&
1528         client_err != SSL_ERROR_WANT_READ &&
1529         client_err != SSL_ERROR_WANT_WRITE &&
1530         client_err != SSL_ERROR_PENDING_TICKET) {
1531       fprintf(stderr, "Client error: %d\n", client_err);
1532       return false;
1533     }
1534 
1535     int server_ret = SSL_do_handshake(server);
1536     int server_err = SSL_get_error(server, server_ret);
1537     if (server_err != SSL_ERROR_NONE &&
1538         server_err != SSL_ERROR_WANT_READ &&
1539         server_err != SSL_ERROR_WANT_WRITE &&
1540         server_err != SSL_ERROR_PENDING_TICKET) {
1541       fprintf(stderr, "Server error: %d\n", server_err);
1542       return false;
1543     }
1544 
1545     if (client_ret == 1 && server_ret == 1) {
1546       break;
1547     }
1548   }
1549 
1550   return true;
1551 }
1552 
1553 struct ClientConfig {
1554   SSL_SESSION *session = nullptr;
1555   std::string servername;
1556 };
1557 
ConnectClientAndServer(bssl::UniquePtr<SSL> * out_client,bssl::UniquePtr<SSL> * out_server,SSL_CTX * client_ctx,SSL_CTX * server_ctx,const ClientConfig & config=ClientConfig (),bool do_handshake=true,bool shed_handshake_config=true)1558 static bool ConnectClientAndServer(bssl::UniquePtr<SSL> *out_client,
1559                                    bssl::UniquePtr<SSL> *out_server,
1560                                    SSL_CTX *client_ctx, SSL_CTX *server_ctx,
1561                                    const ClientConfig &config = ClientConfig(),
1562                                    bool do_handshake = true,
1563                                    bool shed_handshake_config = true) {
1564   bssl::UniquePtr<SSL> client(SSL_new(client_ctx)), server(SSL_new(server_ctx));
1565   if (!client || !server) {
1566     return false;
1567   }
1568   SSL_set_connect_state(client.get());
1569   SSL_set_accept_state(server.get());
1570 
1571   if (config.session) {
1572     SSL_set_session(client.get(), config.session);
1573   }
1574   if (!config.servername.empty() &&
1575       !SSL_set_tlsext_host_name(client.get(), config.servername.c_str())) {
1576     return false;
1577   }
1578 
1579   BIO *bio1, *bio2;
1580   if (!BIO_new_bio_pair(&bio1, 0, &bio2, 0)) {
1581     return false;
1582   }
1583   // SSL_set_bio takes ownership.
1584   SSL_set_bio(client.get(), bio1, bio1);
1585   SSL_set_bio(server.get(), bio2, bio2);
1586 
1587   SSL_set_shed_handshake_config(client.get(), shed_handshake_config);
1588   SSL_set_shed_handshake_config(server.get(), shed_handshake_config);
1589 
1590   if (do_handshake && !CompleteHandshakes(client.get(), server.get())) {
1591     return false;
1592   }
1593 
1594   *out_client = std::move(client);
1595   *out_server = std::move(server);
1596   return true;
1597 }
1598 
1599 // SSLVersionTest executes its test cases under all available protocol versions.
1600 // Test cases call |Connect| to create a connection using context objects with
1601 // the protocol version fixed to the current version under test.
1602 class SSLVersionTest : public ::testing::TestWithParam<VersionParam> {
1603  protected:
SSLVersionTest()1604   SSLVersionTest() : cert_(GetTestCertificate()), key_(GetTestKey()) {}
1605 
SetUp()1606   void SetUp() { ResetContexts(); }
1607 
CreateContext() const1608   bssl::UniquePtr<SSL_CTX> CreateContext() const {
1609     const SSL_METHOD *method = is_dtls() ? DTLS_method() : TLS_method();
1610     bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method));
1611     if (!ctx || !SSL_CTX_set_min_proto_version(ctx.get(), version()) ||
1612         !SSL_CTX_set_max_proto_version(ctx.get(), version())) {
1613       return nullptr;
1614     }
1615     return ctx;
1616   }
1617 
ResetContexts()1618   void ResetContexts() {
1619     ASSERT_TRUE(cert_);
1620     ASSERT_TRUE(key_);
1621     client_ctx_ = CreateContext();
1622     ASSERT_TRUE(client_ctx_);
1623     server_ctx_ = CreateContext();
1624     ASSERT_TRUE(server_ctx_);
1625     // Set up a server cert. Client certs can be set up explicitly.
1626     ASSERT_TRUE(UseCertAndKey(server_ctx_.get()));
1627   }
1628 
UseCertAndKey(SSL_CTX * ctx) const1629   bool UseCertAndKey(SSL_CTX *ctx) const {
1630     return SSL_CTX_use_certificate(ctx, cert_.get()) &&
1631            SSL_CTX_use_PrivateKey(ctx, key_.get());
1632   }
1633 
Connect(const ClientConfig & config=ClientConfig ())1634   bool Connect(const ClientConfig &config = ClientConfig()) {
1635     return ConnectClientAndServer(&client_, &server_, client_ctx_.get(),
1636                                   server_ctx_.get(), config, true,
1637                                   shed_handshake_config_);
1638   }
1639 
version() const1640   uint16_t version() const { return GetParam().version; }
1641 
is_dtls() const1642   bool is_dtls() const {
1643     return GetParam().ssl_method == VersionParam::is_dtls;
1644   }
1645 
1646   bool shed_handshake_config_ = true;
1647   bssl::UniquePtr<SSL> client_, server_;
1648   bssl::UniquePtr<SSL_CTX> server_ctx_, client_ctx_;
1649   bssl::UniquePtr<X509> cert_;
1650   bssl::UniquePtr<EVP_PKEY> key_;
1651 };
1652 
1653 INSTANTIATE_TEST_CASE_P(WithVersion, SSLVersionTest,
1654                         testing::ValuesIn(kAllVersions),
__anond8fd7f190402(const testing::TestParamInfo<VersionParam> &i) 1655                         [](const testing::TestParamInfo<VersionParam> &i) {
1656                           return i.param.name;
1657                         });
1658 
TEST_P(SSLVersionTest,SequenceNumber)1659 TEST_P(SSLVersionTest, SequenceNumber) {
1660   ASSERT_TRUE(Connect());
1661 
1662   // Drain any post-handshake messages to ensure there are no unread records
1663   // on either end.
1664   uint8_t byte = 0;
1665   ASSERT_LE(SSL_read(client_.get(), &byte, 1), 0);
1666   ASSERT_LE(SSL_read(server_.get(), &byte, 1), 0);
1667 
1668   uint64_t client_read_seq = SSL_get_read_sequence(client_.get());
1669   uint64_t client_write_seq = SSL_get_write_sequence(client_.get());
1670   uint64_t server_read_seq = SSL_get_read_sequence(server_.get());
1671   uint64_t server_write_seq = SSL_get_write_sequence(server_.get());
1672 
1673   if (is_dtls()) {
1674     // Both client and server must be at epoch 1.
1675     EXPECT_EQ(EpochFromSequence(client_read_seq), 1);
1676     EXPECT_EQ(EpochFromSequence(client_write_seq), 1);
1677     EXPECT_EQ(EpochFromSequence(server_read_seq), 1);
1678     EXPECT_EQ(EpochFromSequence(server_write_seq), 1);
1679 
1680     // The next record to be written should exceed the largest received.
1681     EXPECT_GT(client_write_seq, server_read_seq);
1682     EXPECT_GT(server_write_seq, client_read_seq);
1683   } else {
1684     // The next record to be written should equal the next to be received.
1685     EXPECT_EQ(client_write_seq, server_read_seq);
1686     EXPECT_EQ(server_write_seq, client_read_seq);
1687   }
1688 
1689   // Send a record from client to server.
1690   EXPECT_EQ(SSL_write(client_.get(), &byte, 1), 1);
1691   EXPECT_EQ(SSL_read(server_.get(), &byte, 1), 1);
1692 
1693   // The client write and server read sequence numbers should have
1694   // incremented.
1695   EXPECT_EQ(client_write_seq + 1, SSL_get_write_sequence(client_.get()));
1696   EXPECT_EQ(server_read_seq + 1, SSL_get_read_sequence(server_.get()));
1697 }
1698 
TEST_P(SSLVersionTest,OneSidedShutdown)1699 TEST_P(SSLVersionTest, OneSidedShutdown) {
1700   // SSL_shutdown is a no-op in DTLS.
1701   if (is_dtls()) {
1702     return;
1703   }
1704   ASSERT_TRUE(Connect());
1705 
1706   // Shut down half the connection. SSL_shutdown will return 0 to signal only
1707   // one side has shut down.
1708   ASSERT_EQ(SSL_shutdown(client_.get()), 0);
1709 
1710   // Reading from the server should consume the EOF.
1711   uint8_t byte;
1712   ASSERT_EQ(SSL_read(server_.get(), &byte, 1), 0);
1713   ASSERT_EQ(SSL_get_error(server_.get(), 0), SSL_ERROR_ZERO_RETURN);
1714 
1715   // However, the server may continue to write data and then shut down the
1716   // connection.
1717   byte = 42;
1718   ASSERT_EQ(SSL_write(server_.get(), &byte, 1), 1);
1719   ASSERT_EQ(SSL_read(client_.get(), &byte, 1), 1);
1720   ASSERT_EQ(byte, 42);
1721 
1722   // The server may then shutdown the connection.
1723   EXPECT_EQ(SSL_shutdown(server_.get()), 1);
1724   EXPECT_EQ(SSL_shutdown(client_.get()), 1);
1725 }
1726 
TEST(SSLTest,SessionDuplication)1727 TEST(SSLTest, SessionDuplication) {
1728   bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
1729   bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
1730   ASSERT_TRUE(client_ctx);
1731   ASSERT_TRUE(server_ctx);
1732 
1733   bssl::UniquePtr<X509> cert = GetTestCertificate();
1734   bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
1735   ASSERT_TRUE(cert);
1736   ASSERT_TRUE(key);
1737   ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
1738   ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
1739 
1740   bssl::UniquePtr<SSL> client, server;
1741   ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
1742                                      server_ctx.get()));
1743 
1744   SSL_SESSION *session0 = SSL_get_session(client.get());
1745   bssl::UniquePtr<SSL_SESSION> session1 =
1746       bssl::SSL_SESSION_dup(session0, SSL_SESSION_DUP_ALL);
1747   ASSERT_TRUE(session1);
1748 
1749   session1->not_resumable = false;
1750 
1751   uint8_t *s0_bytes, *s1_bytes;
1752   size_t s0_len, s1_len;
1753 
1754   ASSERT_TRUE(SSL_SESSION_to_bytes(session0, &s0_bytes, &s0_len));
1755   bssl::UniquePtr<uint8_t> free_s0(s0_bytes);
1756 
1757   ASSERT_TRUE(SSL_SESSION_to_bytes(session1.get(), &s1_bytes, &s1_len));
1758   bssl::UniquePtr<uint8_t> free_s1(s1_bytes);
1759 
1760   EXPECT_EQ(Bytes(s0_bytes, s0_len), Bytes(s1_bytes, s1_len));
1761 }
1762 
ExpectFDs(const SSL * ssl,int rfd,int wfd)1763 static void ExpectFDs(const SSL *ssl, int rfd, int wfd) {
1764   EXPECT_EQ(rfd, SSL_get_fd(ssl));
1765   EXPECT_EQ(rfd, SSL_get_rfd(ssl));
1766   EXPECT_EQ(wfd, SSL_get_wfd(ssl));
1767 
1768   // The wrapper BIOs are always equal when fds are equal, even if set
1769   // individually.
1770   if (rfd == wfd) {
1771     EXPECT_EQ(SSL_get_rbio(ssl), SSL_get_wbio(ssl));
1772   }
1773 }
1774 
TEST(SSLTest,SetFD)1775 TEST(SSLTest, SetFD) {
1776   bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
1777   ASSERT_TRUE(ctx);
1778 
1779   // Test setting different read and write FDs.
1780   bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
1781   ASSERT_TRUE(ssl);
1782   EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
1783   EXPECT_TRUE(SSL_set_wfd(ssl.get(), 2));
1784   ExpectFDs(ssl.get(), 1, 2);
1785 
1786   // Test setting the same FD.
1787   ssl.reset(SSL_new(ctx.get()));
1788   ASSERT_TRUE(ssl);
1789   EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
1790   ExpectFDs(ssl.get(), 1, 1);
1791 
1792   // Test setting the same FD one side at a time.
1793   ssl.reset(SSL_new(ctx.get()));
1794   ASSERT_TRUE(ssl);
1795   EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
1796   EXPECT_TRUE(SSL_set_wfd(ssl.get(), 1));
1797   ExpectFDs(ssl.get(), 1, 1);
1798 
1799   // Test setting the same FD in the other order.
1800   ssl.reset(SSL_new(ctx.get()));
1801   ASSERT_TRUE(ssl);
1802   EXPECT_TRUE(SSL_set_wfd(ssl.get(), 1));
1803   EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
1804   ExpectFDs(ssl.get(), 1, 1);
1805 
1806   // Test changing the read FD partway through.
1807   ssl.reset(SSL_new(ctx.get()));
1808   ASSERT_TRUE(ssl);
1809   EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
1810   EXPECT_TRUE(SSL_set_rfd(ssl.get(), 2));
1811   ExpectFDs(ssl.get(), 2, 1);
1812 
1813   // Test changing the write FD partway through.
1814   ssl.reset(SSL_new(ctx.get()));
1815   ASSERT_TRUE(ssl);
1816   EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
1817   EXPECT_TRUE(SSL_set_wfd(ssl.get(), 2));
1818   ExpectFDs(ssl.get(), 1, 2);
1819 
1820   // Test a no-op change to the read FD partway through.
1821   ssl.reset(SSL_new(ctx.get()));
1822   ASSERT_TRUE(ssl);
1823   EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
1824   EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
1825   ExpectFDs(ssl.get(), 1, 1);
1826 
1827   // Test a no-op change to the write FD partway through.
1828   ssl.reset(SSL_new(ctx.get()));
1829   ASSERT_TRUE(ssl);
1830   EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
1831   EXPECT_TRUE(SSL_set_wfd(ssl.get(), 1));
1832   ExpectFDs(ssl.get(), 1, 1);
1833 
1834   // ASan builds will implicitly test that the internal |BIO| reference-counting
1835   // is correct.
1836 }
1837 
TEST(SSLTest,SetBIO)1838 TEST(SSLTest, SetBIO) {
1839   bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
1840   ASSERT_TRUE(ctx);
1841 
1842   bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
1843   bssl::UniquePtr<BIO> bio1(BIO_new(BIO_s_mem())), bio2(BIO_new(BIO_s_mem())),
1844       bio3(BIO_new(BIO_s_mem()));
1845   ASSERT_TRUE(ssl);
1846   ASSERT_TRUE(bio1);
1847   ASSERT_TRUE(bio2);
1848   ASSERT_TRUE(bio3);
1849 
1850   // SSL_set_bio takes one reference when the parameters are the same.
1851   BIO_up_ref(bio1.get());
1852   SSL_set_bio(ssl.get(), bio1.get(), bio1.get());
1853 
1854   // Repeating the call does nothing.
1855   SSL_set_bio(ssl.get(), bio1.get(), bio1.get());
1856 
1857   // It takes one reference each when the parameters are different.
1858   BIO_up_ref(bio2.get());
1859   BIO_up_ref(bio3.get());
1860   SSL_set_bio(ssl.get(), bio2.get(), bio3.get());
1861 
1862   // Repeating the call does nothing.
1863   SSL_set_bio(ssl.get(), bio2.get(), bio3.get());
1864 
1865   // It takes one reference when changing only wbio.
1866   BIO_up_ref(bio1.get());
1867   SSL_set_bio(ssl.get(), bio2.get(), bio1.get());
1868 
1869   // It takes one reference when changing only rbio and the two are different.
1870   BIO_up_ref(bio3.get());
1871   SSL_set_bio(ssl.get(), bio3.get(), bio1.get());
1872 
1873   // If setting wbio to rbio, it takes no additional references.
1874   SSL_set_bio(ssl.get(), bio3.get(), bio3.get());
1875 
1876   // From there, wbio may be switched to something else.
1877   BIO_up_ref(bio1.get());
1878   SSL_set_bio(ssl.get(), bio3.get(), bio1.get());
1879 
1880   // If setting rbio to wbio, it takes no additional references.
1881   SSL_set_bio(ssl.get(), bio1.get(), bio1.get());
1882 
1883   // From there, rbio may be switched to something else, but, for historical
1884   // reasons, it takes a reference to both parameters.
1885   BIO_up_ref(bio1.get());
1886   BIO_up_ref(bio2.get());
1887   SSL_set_bio(ssl.get(), bio2.get(), bio1.get());
1888 
1889   // ASAN builds will implicitly test that the internal |BIO| reference-counting
1890   // is correct.
1891 }
1892 
VerifySucceed(X509_STORE_CTX * store_ctx,void * arg)1893 static int VerifySucceed(X509_STORE_CTX *store_ctx, void *arg) { return 1; }
1894 
TEST_P(SSLVersionTest,GetPeerCertificate)1895 TEST_P(SSLVersionTest, GetPeerCertificate) {
1896   ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
1897 
1898   // Configure both client and server to accept any certificate.
1899   SSL_CTX_set_verify(client_ctx_.get(),
1900                      SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
1901                      nullptr);
1902   SSL_CTX_set_cert_verify_callback(client_ctx_.get(), VerifySucceed, NULL);
1903   SSL_CTX_set_verify(server_ctx_.get(),
1904                      SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
1905                      nullptr);
1906   SSL_CTX_set_cert_verify_callback(server_ctx_.get(), VerifySucceed, NULL);
1907 
1908   ASSERT_TRUE(Connect());
1909 
1910   // Client and server should both see the leaf certificate.
1911   bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(server_.get()));
1912   ASSERT_TRUE(peer);
1913   ASSERT_EQ(X509_cmp(cert_.get(), peer.get()), 0);
1914 
1915   peer.reset(SSL_get_peer_certificate(client_.get()));
1916   ASSERT_TRUE(peer);
1917   ASSERT_EQ(X509_cmp(cert_.get(), peer.get()), 0);
1918 
1919   // However, for historical reasons, the X509 chain includes the leaf on the
1920   // client, but does not on the server.
1921   EXPECT_EQ(sk_X509_num(SSL_get_peer_cert_chain(client_.get())), 1u);
1922   EXPECT_EQ(sk_CRYPTO_BUFFER_num(SSL_get0_peer_certificates(client_.get())),
1923             1u);
1924 
1925   EXPECT_EQ(sk_X509_num(SSL_get_peer_cert_chain(server_.get())), 0u);
1926   EXPECT_EQ(sk_CRYPTO_BUFFER_num(SSL_get0_peer_certificates(server_.get())),
1927             1u);
1928 }
1929 
TEST_P(SSLVersionTest,NoPeerCertificate)1930 TEST_P(SSLVersionTest, NoPeerCertificate) {
1931   SSL_CTX_set_verify(server_ctx_.get(), SSL_VERIFY_PEER, nullptr);
1932   SSL_CTX_set_cert_verify_callback(server_ctx_.get(), VerifySucceed, NULL);
1933   SSL_CTX_set_cert_verify_callback(client_ctx_.get(), VerifySucceed, NULL);
1934 
1935   ASSERT_TRUE(Connect());
1936 
1937   // Server should not see a peer certificate.
1938   bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(server_.get()));
1939   ASSERT_FALSE(peer);
1940   ASSERT_FALSE(SSL_get0_peer_certificates(server_.get()));
1941 }
1942 
TEST_P(SSLVersionTest,RetainOnlySHA256OfCerts)1943 TEST_P(SSLVersionTest, RetainOnlySHA256OfCerts) {
1944   uint8_t *cert_der = NULL;
1945   int cert_der_len = i2d_X509(cert_.get(), &cert_der);
1946   ASSERT_GE(cert_der_len, 0);
1947   bssl::UniquePtr<uint8_t> free_cert_der(cert_der);
1948 
1949   uint8_t cert_sha256[SHA256_DIGEST_LENGTH];
1950   SHA256(cert_der, cert_der_len, cert_sha256);
1951 
1952   ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
1953 
1954   // Configure both client and server to accept any certificate, but the
1955   // server must retain only the SHA-256 of the peer.
1956   SSL_CTX_set_verify(client_ctx_.get(),
1957                      SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
1958                      nullptr);
1959   SSL_CTX_set_verify(server_ctx_.get(),
1960                      SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
1961                      nullptr);
1962   SSL_CTX_set_cert_verify_callback(client_ctx_.get(), VerifySucceed, NULL);
1963   SSL_CTX_set_cert_verify_callback(server_ctx_.get(), VerifySucceed, NULL);
1964   SSL_CTX_set_retain_only_sha256_of_client_certs(server_ctx_.get(), 1);
1965 
1966   ASSERT_TRUE(Connect());
1967 
1968   // The peer certificate has been dropped.
1969   bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(server_.get()));
1970   EXPECT_FALSE(peer);
1971 
1972   SSL_SESSION *session = SSL_get_session(server_.get());
1973   EXPECT_TRUE(SSL_SESSION_has_peer_sha256(session));
1974 
1975   const uint8_t *peer_sha256;
1976   size_t peer_sha256_len;
1977   SSL_SESSION_get0_peer_sha256(session, &peer_sha256, &peer_sha256_len);
1978   EXPECT_EQ(Bytes(cert_sha256), Bytes(peer_sha256, peer_sha256_len));
1979 }
1980 
1981 // Tests that our ClientHellos do not change unexpectedly. These are purely
1982 // change detection tests. If they fail as part of an intentional ClientHello
1983 // change, update the test vector.
TEST(SSLTest,ClientHello)1984 TEST(SSLTest, ClientHello) {
1985   struct {
1986     uint16_t max_version;
1987     std::vector<uint8_t> expected;
1988   } kTests[] = {
1989     {TLS1_VERSION,
1990      {0x16, 0x03, 0x01, 0x00, 0x5a, 0x01, 0x00, 0x00, 0x56, 0x03, 0x01, 0x00,
1991       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1992       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1993       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0e, 0xc0, 0x09,
1994       0xc0, 0x13, 0xc0, 0x0a, 0xc0, 0x14, 0x00, 0x2f, 0x00, 0x35, 0x00, 0x0a,
1995       0x01, 0x00, 0x00, 0x1f, 0x00, 0x17, 0x00, 0x00, 0xff, 0x01, 0x00, 0x01,
1996       0x00, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00,
1997       0x18, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00}},
1998     {TLS1_1_VERSION,
1999      {0x16, 0x03, 0x01, 0x00, 0x5a, 0x01, 0x00, 0x00, 0x56, 0x03, 0x02, 0x00,
2000       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2001       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2002       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0e, 0xc0, 0x09,
2003       0xc0, 0x13, 0xc0, 0x0a, 0xc0, 0x14, 0x00, 0x2f, 0x00, 0x35, 0x00, 0x0a,
2004       0x01, 0x00, 0x00, 0x1f, 0x00, 0x17, 0x00, 0x00, 0xff, 0x01, 0x00, 0x01,
2005       0x00, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00,
2006       0x18, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00}},
2007     {TLS1_2_VERSION,
2008      {0x16, 0x03, 0x01, 0x00, 0x82, 0x01, 0x00, 0x00, 0x7e, 0x03, 0x03, 0x00,
2009       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2010       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2011       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1e, 0xcc, 0xa9,
2012       0xcc, 0xa8, 0xc0, 0x2b, 0xc0, 0x2f, 0xc0, 0x2c, 0xc0, 0x30, 0xc0, 0x09,
2013       0xc0, 0x13, 0xc0, 0x0a, 0xc0, 0x14, 0x00, 0x9c, 0x00, 0x9d, 0x00, 0x2f,
2014       0x00, 0x35, 0x00, 0x0a, 0x01, 0x00, 0x00, 0x37, 0x00, 0x17, 0x00, 0x00,
2015       0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00,
2016       0x1d, 0x00, 0x17, 0x00, 0x18, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00,
2017       0x23, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x14, 0x00, 0x12, 0x04, 0x03, 0x08,
2018       0x04, 0x04, 0x01, 0x05, 0x03, 0x08, 0x05, 0x05, 0x01, 0x08, 0x06, 0x06,
2019       0x01, 0x02, 0x01}},
2020     // TODO(davidben): Add a change detector for TLS 1.3 once the spec and our
2021     // implementation has settled enough that it won't change.
2022   };
2023 
2024   for (const auto &t : kTests) {
2025     SCOPED_TRACE(t.max_version);
2026 
2027     bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
2028     ASSERT_TRUE(ctx);
2029     // Our default cipher list varies by CPU capabilities, so manually place the
2030     // ChaCha20 ciphers in front.
2031     const char *cipher_list = "CHACHA20:ALL";
2032     ASSERT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), t.max_version));
2033     ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(ctx.get(), cipher_list));
2034 
2035     bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
2036     ASSERT_TRUE(ssl);
2037     std::vector<uint8_t> client_hello;
2038     ASSERT_TRUE(GetClientHello(ssl.get(), &client_hello));
2039 
2040     // Zero the client_random.
2041     constexpr size_t kRandomOffset = 1 + 2 + 2 +  // record header
2042                                      1 + 3 +      // handshake message header
2043                                      2;           // client_version
2044     ASSERT_GE(client_hello.size(), kRandomOffset + SSL3_RANDOM_SIZE);
2045     OPENSSL_memset(client_hello.data() + kRandomOffset, 0, SSL3_RANDOM_SIZE);
2046 
2047     if (client_hello != t.expected) {
2048       ADD_FAILURE() << "ClientHellos did not match.";
2049       // Print the value manually so it is easier to update the test vector.
2050       for (size_t i = 0; i < client_hello.size(); i += 12) {
2051         printf("     %c", i == 0 ? '{' : ' ');
2052         for (size_t j = i; j < client_hello.size() && j < i + 12; j++) {
2053           if (j > i) {
2054             printf(" ");
2055           }
2056           printf("0x%02x", client_hello[j]);
2057           if (j < client_hello.size() - 1) {
2058             printf(",");
2059           }
2060         }
2061         if (i + 12 >= client_hello.size()) {
2062           printf("}},");
2063         }
2064         printf("\n");
2065       }
2066     }
2067   }
2068 }
2069 
2070 static bssl::UniquePtr<SSL_SESSION> g_last_session;
2071 
SaveLastSession(SSL * ssl,SSL_SESSION * session)2072 static int SaveLastSession(SSL *ssl, SSL_SESSION *session) {
2073   // Save the most recent session.
2074   g_last_session.reset(session);
2075   return 1;
2076 }
2077 
CreateClientSession(SSL_CTX * client_ctx,SSL_CTX * server_ctx,const ClientConfig & config=ClientConfig ())2078 static bssl::UniquePtr<SSL_SESSION> CreateClientSession(
2079     SSL_CTX *client_ctx, SSL_CTX *server_ctx,
2080     const ClientConfig &config = ClientConfig()) {
2081   g_last_session = nullptr;
2082   SSL_CTX_sess_set_new_cb(client_ctx, SaveLastSession);
2083 
2084   // Connect client and server to get a session.
2085   bssl::UniquePtr<SSL> client, server;
2086   if (!ConnectClientAndServer(&client, &server, client_ctx, server_ctx,
2087                               config)) {
2088     fprintf(stderr, "Failed to connect client and server.\n");
2089     return nullptr;
2090   }
2091 
2092   // Run the read loop to account for post-handshake tickets in TLS 1.3.
2093   SSL_read(client.get(), nullptr, 0);
2094 
2095   SSL_CTX_sess_set_new_cb(client_ctx, nullptr);
2096 
2097   if (!g_last_session) {
2098     fprintf(stderr, "Client did not receive a session.\n");
2099     return nullptr;
2100   }
2101   return std::move(g_last_session);
2102 }
2103 
ExpectSessionReused(SSL_CTX * client_ctx,SSL_CTX * server_ctx,SSL_SESSION * session,bool want_reused)2104 static void ExpectSessionReused(SSL_CTX *client_ctx, SSL_CTX *server_ctx,
2105                                 SSL_SESSION *session, bool want_reused) {
2106   bssl::UniquePtr<SSL> client, server;
2107   ClientConfig config;
2108   config.session = session;
2109   EXPECT_TRUE(
2110       ConnectClientAndServer(&client, &server, client_ctx, server_ctx, config));
2111 
2112   EXPECT_EQ(SSL_session_reused(client.get()), SSL_session_reused(server.get()));
2113 
2114   bool was_reused = !!SSL_session_reused(client.get());
2115   EXPECT_EQ(was_reused, want_reused);
2116 }
2117 
ExpectSessionRenewed(SSL_CTX * client_ctx,SSL_CTX * server_ctx,SSL_SESSION * session)2118 static bssl::UniquePtr<SSL_SESSION> ExpectSessionRenewed(SSL_CTX *client_ctx,
2119                                                          SSL_CTX *server_ctx,
2120                                                          SSL_SESSION *session) {
2121   g_last_session = nullptr;
2122   SSL_CTX_sess_set_new_cb(client_ctx, SaveLastSession);
2123 
2124   bssl::UniquePtr<SSL> client, server;
2125   ClientConfig config;
2126   config.session = session;
2127   if (!ConnectClientAndServer(&client, &server, client_ctx, server_ctx,
2128                               config)) {
2129     fprintf(stderr, "Failed to connect client and server.\n");
2130     return nullptr;
2131   }
2132 
2133   if (SSL_session_reused(client.get()) != SSL_session_reused(server.get())) {
2134     fprintf(stderr, "Client and server were inconsistent.\n");
2135     return nullptr;
2136   }
2137 
2138   if (!SSL_session_reused(client.get())) {
2139     fprintf(stderr, "Session was not reused.\n");
2140     return nullptr;
2141   }
2142 
2143   // Run the read loop to account for post-handshake tickets in TLS 1.3.
2144   SSL_read(client.get(), nullptr, 0);
2145 
2146   SSL_CTX_sess_set_new_cb(client_ctx, nullptr);
2147 
2148   if (!g_last_session) {
2149     fprintf(stderr, "Client did not receive a renewed session.\n");
2150     return nullptr;
2151   }
2152   return std::move(g_last_session);
2153 }
2154 
ExpectTicketKeyChanged(SSL_CTX * ctx,uint8_t * inout_key,bool changed)2155 static void ExpectTicketKeyChanged(SSL_CTX *ctx, uint8_t *inout_key,
2156                                    bool changed) {
2157   uint8_t new_key[kTicketKeyLen];
2158   // May return 0, 1 or 48.
2159   ASSERT_EQ(SSL_CTX_get_tlsext_ticket_keys(ctx, new_key, kTicketKeyLen), 1);
2160   if (changed) {
2161     ASSERT_NE(Bytes(inout_key, kTicketKeyLen), Bytes(new_key));
2162   } else {
2163     ASSERT_EQ(Bytes(inout_key, kTicketKeyLen), Bytes(new_key));
2164   }
2165   OPENSSL_memcpy(inout_key, new_key, kTicketKeyLen);
2166 }
2167 
SwitchSessionIDContextSNI(SSL * ssl,int * out_alert,void * arg)2168 static int SwitchSessionIDContextSNI(SSL *ssl, int *out_alert, void *arg) {
2169   static const uint8_t kContext[] = {3};
2170 
2171   if (!SSL_set_session_id_context(ssl, kContext, sizeof(kContext))) {
2172     return SSL_TLSEXT_ERR_ALERT_FATAL;
2173   }
2174 
2175   return SSL_TLSEXT_ERR_OK;
2176 }
2177 
TEST_P(SSLVersionTest,SessionIDContext)2178 TEST_P(SSLVersionTest, SessionIDContext) {
2179   static const uint8_t kContext1[] = {1};
2180   static const uint8_t kContext2[] = {2};
2181 
2182   ASSERT_TRUE(SSL_CTX_set_session_id_context(server_ctx_.get(), kContext1,
2183                                              sizeof(kContext1)));
2184 
2185   SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
2186   SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
2187 
2188   bssl::UniquePtr<SSL_SESSION> session =
2189       CreateClientSession(client_ctx_.get(), server_ctx_.get());
2190   ASSERT_TRUE(session);
2191 
2192   TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2193                                   session.get(),
2194                                   true /* expect session reused */));
2195 
2196   // Change the session ID context.
2197   ASSERT_TRUE(SSL_CTX_set_session_id_context(server_ctx_.get(), kContext2,
2198                                              sizeof(kContext2)));
2199 
2200   TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2201                                   session.get(),
2202                                   false /* expect session not reused */));
2203 
2204   // Change the session ID context back and install an SNI callback to switch
2205   // it.
2206   ASSERT_TRUE(SSL_CTX_set_session_id_context(server_ctx_.get(), kContext1,
2207                                              sizeof(kContext1)));
2208 
2209   SSL_CTX_set_tlsext_servername_callback(server_ctx_.get(),
2210                                          SwitchSessionIDContextSNI);
2211 
2212   TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2213                                   session.get(),
2214                                   false /* expect session not reused */));
2215 
2216   // Switch the session ID context with the early callback instead.
2217   SSL_CTX_set_tlsext_servername_callback(server_ctx_.get(), nullptr);
2218   SSL_CTX_set_select_certificate_cb(
2219       server_ctx_.get(),
2220       [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
2221         static const uint8_t kContext[] = {3};
2222 
2223         if (!SSL_set_session_id_context(client_hello->ssl, kContext,
2224                                         sizeof(kContext))) {
2225           return ssl_select_cert_error;
2226         }
2227 
2228         return ssl_select_cert_success;
2229       });
2230 
2231   TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2232                                   session.get(),
2233                                   false /* expect session not reused */));
2234 }
2235 
2236 static timeval g_current_time;
2237 
CurrentTimeCallback(const SSL * ssl,timeval * out_clock)2238 static void CurrentTimeCallback(const SSL *ssl, timeval *out_clock) {
2239   *out_clock = g_current_time;
2240 }
2241 
FrozenTimeCallback(const SSL * ssl,timeval * out_clock)2242 static void FrozenTimeCallback(const SSL *ssl, timeval *out_clock) {
2243   out_clock->tv_sec = 1000;
2244   out_clock->tv_usec = 0;
2245 }
2246 
RenewTicketCallback(SSL * ssl,uint8_t * key_name,uint8_t * iv,EVP_CIPHER_CTX * ctx,HMAC_CTX * hmac_ctx,int encrypt)2247 static int RenewTicketCallback(SSL *ssl, uint8_t *key_name, uint8_t *iv,
2248                                EVP_CIPHER_CTX *ctx, HMAC_CTX *hmac_ctx,
2249                                int encrypt) {
2250   static const uint8_t kZeros[16] = {0};
2251 
2252   if (encrypt) {
2253     OPENSSL_memcpy(key_name, kZeros, sizeof(kZeros));
2254     RAND_bytes(iv, 16);
2255   } else if (OPENSSL_memcmp(key_name, kZeros, 16) != 0) {
2256     return 0;
2257   }
2258 
2259   if (!HMAC_Init_ex(hmac_ctx, kZeros, sizeof(kZeros), EVP_sha256(), NULL) ||
2260       !EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, kZeros, iv, encrypt)) {
2261     return -1;
2262   }
2263 
2264   // Returning two from the callback in decrypt mode renews the
2265   // session in TLS 1.2 and below.
2266   return encrypt ? 1 : 2;
2267 }
2268 
GetServerTicketTime(long * out,const SSL_SESSION * session)2269 static bool GetServerTicketTime(long *out, const SSL_SESSION *session) {
2270   const uint8_t *ticket;
2271   size_t ticket_len;
2272   SSL_SESSION_get0_ticket(session, &ticket, &ticket_len);
2273   if (ticket_len < 16 + 16 + SHA256_DIGEST_LENGTH) {
2274     return false;
2275   }
2276 
2277   const uint8_t *ciphertext = ticket + 16 + 16;
2278   size_t len = ticket_len - 16 - 16 - SHA256_DIGEST_LENGTH;
2279   std::unique_ptr<uint8_t[]> plaintext(new uint8_t[len]);
2280 
2281 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
2282   // Fuzzer-mode tickets are unencrypted.
2283   OPENSSL_memcpy(plaintext.get(), ciphertext, len);
2284 #else
2285   static const uint8_t kZeros[16] = {0};
2286   const uint8_t *iv = ticket + 16;
2287   bssl::ScopedEVP_CIPHER_CTX ctx;
2288   int len1, len2;
2289   if (!EVP_DecryptInit_ex(ctx.get(), EVP_aes_128_cbc(), nullptr, kZeros, iv) ||
2290       !EVP_DecryptUpdate(ctx.get(), plaintext.get(), &len1, ciphertext, len) ||
2291       !EVP_DecryptFinal_ex(ctx.get(), plaintext.get() + len1, &len2)) {
2292     return false;
2293   }
2294 
2295   len = static_cast<size_t>(len1 + len2);
2296 #endif
2297 
2298   bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
2299   if (!ssl_ctx) {
2300     return false;
2301   }
2302   bssl::UniquePtr<SSL_SESSION> server_session(
2303       SSL_SESSION_from_bytes(plaintext.get(), len, ssl_ctx.get()));
2304   if (!server_session) {
2305     return false;
2306   }
2307 
2308   *out = SSL_SESSION_get_time(server_session.get());
2309   return true;
2310 }
2311 
TEST_P(SSLVersionTest,SessionTimeout)2312 TEST_P(SSLVersionTest, SessionTimeout) {
2313   for (bool server_test : {false, true}) {
2314     SCOPED_TRACE(server_test);
2315 
2316     ResetContexts();
2317     SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
2318     SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
2319 
2320     static const time_t kStartTime = 1000;
2321     g_current_time.tv_sec = kStartTime;
2322 
2323     // We are willing to use a longer lifetime for TLS 1.3 sessions as
2324     // resumptions still perform ECDHE.
2325     const time_t timeout = version() == TLS1_3_VERSION
2326                                ? SSL_DEFAULT_SESSION_PSK_DHE_TIMEOUT
2327                                : SSL_DEFAULT_SESSION_TIMEOUT;
2328 
2329     // Both client and server must enforce session timeouts. We configure the
2330     // other side with a frozen clock so it never expires tickets.
2331     if (server_test) {
2332       SSL_CTX_set_current_time_cb(client_ctx_.get(), FrozenTimeCallback);
2333       SSL_CTX_set_current_time_cb(server_ctx_.get(), CurrentTimeCallback);
2334     } else {
2335       SSL_CTX_set_current_time_cb(client_ctx_.get(), CurrentTimeCallback);
2336       SSL_CTX_set_current_time_cb(server_ctx_.get(), FrozenTimeCallback);
2337     }
2338 
2339     // Configure a ticket callback which renews tickets.
2340     SSL_CTX_set_tlsext_ticket_key_cb(server_ctx_.get(), RenewTicketCallback);
2341 
2342     bssl::UniquePtr<SSL_SESSION> session =
2343         CreateClientSession(client_ctx_.get(), server_ctx_.get());
2344     ASSERT_TRUE(session);
2345 
2346     // Advance the clock just behind the timeout.
2347     g_current_time.tv_sec += timeout - 1;
2348 
2349     TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2350                                     session.get(),
2351                                     true /* expect session reused */));
2352 
2353     // Advance the clock one more second.
2354     g_current_time.tv_sec++;
2355 
2356     TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2357                                     session.get(),
2358                                     false /* expect session not reused */));
2359 
2360     // Rewind the clock to before the session was minted.
2361     g_current_time.tv_sec = kStartTime - 1;
2362 
2363     TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2364                                     session.get(),
2365                                     false /* expect session not reused */));
2366 
2367     // Renew the session 10 seconds before expiration.
2368     time_t new_start_time = kStartTime + timeout - 10;
2369     g_current_time.tv_sec = new_start_time;
2370     bssl::UniquePtr<SSL_SESSION> new_session = ExpectSessionRenewed(
2371         client_ctx_.get(), server_ctx_.get(), session.get());
2372     ASSERT_TRUE(new_session);
2373 
2374     // This new session is not the same object as before.
2375     EXPECT_NE(session.get(), new_session.get());
2376 
2377     // Check the sessions have timestamps measured from issuance.
2378     long session_time = 0;
2379     if (server_test) {
2380       ASSERT_TRUE(GetServerTicketTime(&session_time, new_session.get()));
2381     } else {
2382       session_time = SSL_SESSION_get_time(new_session.get());
2383     }
2384 
2385     ASSERT_EQ(session_time, g_current_time.tv_sec);
2386 
2387     if (version() == TLS1_3_VERSION) {
2388       // Renewal incorporates fresh key material in TLS 1.3, so we extend the
2389       // lifetime TLS 1.3.
2390       g_current_time.tv_sec = new_start_time + timeout - 1;
2391       TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2392                                       new_session.get(),
2393                                       true /* expect session reused */));
2394 
2395       // The new session expires after the new timeout.
2396       g_current_time.tv_sec = new_start_time + timeout + 1;
2397       TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2398                                       new_session.get(),
2399                                       false /* expect session ot reused */));
2400 
2401       // Renew the session until it begins just past the auth timeout.
2402       time_t auth_end_time = kStartTime + SSL_DEFAULT_SESSION_AUTH_TIMEOUT;
2403       while (new_start_time < auth_end_time - 1000) {
2404         // Get as close as possible to target start time.
2405         new_start_time =
2406             std::min(auth_end_time - 1000, new_start_time + timeout - 1);
2407         g_current_time.tv_sec = new_start_time;
2408         new_session = ExpectSessionRenewed(client_ctx_.get(), server_ctx_.get(),
2409                                            new_session.get());
2410         ASSERT_TRUE(new_session);
2411       }
2412 
2413       // Now the session's lifetime is bound by the auth timeout.
2414       g_current_time.tv_sec = auth_end_time - 1;
2415       TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2416                                       new_session.get(),
2417                                       true /* expect session reused */));
2418 
2419       g_current_time.tv_sec = auth_end_time + 1;
2420       TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2421                                       new_session.get(),
2422                                       false /* expect session ot reused */));
2423     } else {
2424       // The new session is usable just before the old expiration.
2425       g_current_time.tv_sec = kStartTime + timeout - 1;
2426       TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2427                                       new_session.get(),
2428                                       true /* expect session reused */));
2429 
2430       // Renewal does not extend the lifetime, so it is not usable beyond the
2431       // old expiration.
2432       g_current_time.tv_sec = kStartTime + timeout + 1;
2433       TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2434                                       new_session.get(),
2435                                       false /* expect session not reused */));
2436     }
2437   }
2438 }
2439 
TEST_P(SSLVersionTest,DefaultTicketKeyInitialization)2440 TEST_P(SSLVersionTest, DefaultTicketKeyInitialization) {
2441   static const uint8_t kZeroKey[kTicketKeyLen] = {};
2442   uint8_t ticket_key[kTicketKeyLen];
2443   ASSERT_EQ(1, SSL_CTX_get_tlsext_ticket_keys(server_ctx_.get(), ticket_key,
2444                                               kTicketKeyLen));
2445   ASSERT_NE(0, OPENSSL_memcmp(ticket_key, kZeroKey, kTicketKeyLen));
2446 }
2447 
TEST_P(SSLVersionTest,DefaultTicketKeyRotation)2448 TEST_P(SSLVersionTest, DefaultTicketKeyRotation) {
2449   static const time_t kStartTime = 1001;
2450   g_current_time.tv_sec = kStartTime;
2451 
2452   // We use session reuse as a proxy for ticket decryption success, hence
2453   // disable session timeouts.
2454   SSL_CTX_set_timeout(server_ctx_.get(), std::numeric_limits<uint32_t>::max());
2455   SSL_CTX_set_session_psk_dhe_timeout(server_ctx_.get(),
2456                                       std::numeric_limits<uint32_t>::max());
2457 
2458   SSL_CTX_set_current_time_cb(client_ctx_.get(), FrozenTimeCallback);
2459   SSL_CTX_set_current_time_cb(server_ctx_.get(), CurrentTimeCallback);
2460 
2461   SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
2462   SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_OFF);
2463 
2464   // Initialize ticket_key with the current key and check that it was
2465   // initialized to something, not all zeros.
2466   uint8_t ticket_key[kTicketKeyLen] = {0};
2467   TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
2468                                      true /* changed */));
2469 
2470   // Verify ticket resumption actually works.
2471   bssl::UniquePtr<SSL> client, server;
2472   bssl::UniquePtr<SSL_SESSION> session =
2473       CreateClientSession(client_ctx_.get(), server_ctx_.get());
2474   ASSERT_TRUE(session);
2475   TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2476                                   session.get(), true /* reused */));
2477 
2478   // Advance time to just before key rotation.
2479   g_current_time.tv_sec += SSL_DEFAULT_TICKET_KEY_ROTATION_INTERVAL - 1;
2480   TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2481                                   session.get(), true /* reused */));
2482   TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
2483                                      false /* NOT changed */));
2484 
2485   // Force key rotation.
2486   g_current_time.tv_sec += 1;
2487   bssl::UniquePtr<SSL_SESSION> new_session =
2488       CreateClientSession(client_ctx_.get(), server_ctx_.get());
2489   TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
2490                                      true /* changed */));
2491 
2492   // Resumption with both old and new ticket should work.
2493   TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2494                                   session.get(), true /* reused */));
2495   TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2496                                   new_session.get(), true /* reused */));
2497   TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
2498                                      false /* NOT changed */));
2499 
2500   // Force key rotation again. Resumption with the old ticket now fails.
2501   g_current_time.tv_sec += SSL_DEFAULT_TICKET_KEY_ROTATION_INTERVAL;
2502   TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2503                                   session.get(), false /* NOT reused */));
2504   TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
2505                                      true /* changed */));
2506 
2507   // But resumption with the newer session still works.
2508   TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
2509                                   new_session.get(), true /* reused */));
2510 }
2511 
SwitchContext(SSL * ssl,int * out_alert,void * arg)2512 static int SwitchContext(SSL *ssl, int *out_alert, void *arg) {
2513   SSL_CTX *ctx = reinterpret_cast<SSL_CTX *>(arg);
2514   SSL_set_SSL_CTX(ssl, ctx);
2515   return SSL_TLSEXT_ERR_OK;
2516 }
2517 
TEST_P(SSLVersionTest,SNICallback)2518 TEST_P(SSLVersionTest, SNICallback) {
2519   bssl::UniquePtr<X509> cert2 = GetECDSATestCertificate();
2520   ASSERT_TRUE(cert2);
2521   bssl::UniquePtr<EVP_PKEY> key2 = GetECDSATestKey();
2522   ASSERT_TRUE(key2);
2523 
2524   // Test that switching the |SSL_CTX| at the SNI callback behaves correctly.
2525   static const uint16_t kECDSAWithSHA256 = SSL_SIGN_ECDSA_SECP256R1_SHA256;
2526 
2527   static const uint8_t kSCTList[] = {0, 6, 0, 4, 5, 6, 7, 8};
2528   static const uint8_t kOCSPResponse[] = {1, 2, 3, 4};
2529 
2530   bssl::UniquePtr<SSL_CTX> server_ctx2 = CreateContext();
2531   ASSERT_TRUE(server_ctx2);
2532   ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx2.get(), cert2.get()));
2533   ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx2.get(), key2.get()));
2534   ASSERT_TRUE(SSL_CTX_set_signed_cert_timestamp_list(
2535       server_ctx2.get(), kSCTList, sizeof(kSCTList)));
2536   ASSERT_TRUE(SSL_CTX_set_ocsp_response(server_ctx2.get(), kOCSPResponse,
2537                                         sizeof(kOCSPResponse)));
2538   // Historically signing preferences would be lost in some cases with the
2539   // SNI callback, which triggers the TLS 1.2 SHA-1 default. To ensure
2540   // this doesn't happen when |version| is TLS 1.2, configure the private
2541   // key to only sign SHA-256.
2542   ASSERT_TRUE(SSL_CTX_set_signing_algorithm_prefs(server_ctx2.get(),
2543                                                   &kECDSAWithSHA256, 1));
2544 
2545   SSL_CTX_set_tlsext_servername_callback(server_ctx_.get(), SwitchContext);
2546   SSL_CTX_set_tlsext_servername_arg(server_ctx_.get(), server_ctx2.get());
2547 
2548   SSL_CTX_enable_signed_cert_timestamps(client_ctx_.get());
2549   SSL_CTX_enable_ocsp_stapling(client_ctx_.get());
2550 
2551   ASSERT_TRUE(Connect());
2552 
2553   // The client should have received |cert2|.
2554   bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(client_.get()));
2555   ASSERT_TRUE(peer);
2556   EXPECT_EQ(X509_cmp(peer.get(), cert2.get()), 0);
2557 
2558   // The client should have received |server_ctx2|'s SCT list.
2559   const uint8_t *data;
2560   size_t len;
2561   SSL_get0_signed_cert_timestamp_list(client_.get(), &data, &len);
2562   EXPECT_EQ(Bytes(kSCTList), Bytes(data, len));
2563 
2564   // The client should have received |server_ctx2|'s OCSP response.
2565   SSL_get0_ocsp_response(client_.get(), &data, &len);
2566   EXPECT_EQ(Bytes(kOCSPResponse), Bytes(data, len));
2567 }
2568 
2569 // Test that the early callback can swap the maximum version.
TEST(SSLTest,EarlyCallbackVersionSwitch)2570 TEST(SSLTest, EarlyCallbackVersionSwitch) {
2571   bssl::UniquePtr<X509> cert = GetTestCertificate();
2572   bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
2573   bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
2574   bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
2575   ASSERT_TRUE(cert);
2576   ASSERT_TRUE(key);
2577   ASSERT_TRUE(server_ctx);
2578   ASSERT_TRUE(client_ctx);
2579   ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
2580   ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
2581   ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION));
2582   ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
2583 
2584   SSL_CTX_set_select_certificate_cb(
2585       server_ctx.get(),
2586       [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
2587         if (!SSL_set_max_proto_version(client_hello->ssl, TLS1_2_VERSION)) {
2588           return ssl_select_cert_error;
2589         }
2590 
2591         return ssl_select_cert_success;
2592       });
2593 
2594   bssl::UniquePtr<SSL> client, server;
2595   ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
2596                                      server_ctx.get()));
2597   EXPECT_EQ(TLS1_2_VERSION, SSL_version(client.get()));
2598 }
2599 
TEST(SSLTest,SetVersion)2600 TEST(SSLTest, SetVersion) {
2601   bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
2602   ASSERT_TRUE(ctx);
2603 
2604   // Set valid TLS versions.
2605   EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_VERSION));
2606   EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_1_VERSION));
2607   EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_VERSION));
2608   EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_1_VERSION));
2609 
2610   // Invalid TLS versions are rejected.
2611   EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), DTLS1_VERSION));
2612   EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0x0200));
2613   EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0x1234));
2614   EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), DTLS1_VERSION));
2615   EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x0200));
2616   EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x1234));
2617 
2618   // Zero is the default version.
2619   EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), 0));
2620   EXPECT_EQ(TLS1_2_VERSION, ctx->conf_max_version);
2621   EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), 0));
2622   EXPECT_EQ(TLS1_VERSION, ctx->conf_min_version);
2623 
2624   // TLS 1.3 is available, but not by default.
2625   EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_3_VERSION));
2626   EXPECT_EQ(TLS1_3_VERSION, ctx->conf_max_version);
2627 
2628   // SSL 3.0 is not available.
2629   EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), SSL3_VERSION));
2630 
2631   ctx.reset(SSL_CTX_new(DTLS_method()));
2632   ASSERT_TRUE(ctx);
2633 
2634   EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), DTLS1_VERSION));
2635   EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), DTLS1_2_VERSION));
2636   EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), DTLS1_VERSION));
2637   EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), DTLS1_2_VERSION));
2638 
2639   EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_VERSION));
2640   EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0xfefe /* DTLS 1.1 */));
2641   EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0xfffe /* DTLS 0.1 */));
2642   EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0x1234));
2643   EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_VERSION));
2644   EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0xfefe /* DTLS 1.1 */));
2645   EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0xfffe /* DTLS 0.1 */));
2646   EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x1234));
2647 
2648   EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), 0));
2649   EXPECT_EQ(TLS1_2_VERSION, ctx->conf_max_version);
2650   EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), 0));
2651   EXPECT_EQ(TLS1_1_VERSION, ctx->conf_min_version);
2652 }
2653 
GetVersionName(uint16_t version)2654 static const char *GetVersionName(uint16_t version) {
2655   switch (version) {
2656     case TLS1_VERSION:
2657       return "TLSv1";
2658     case TLS1_1_VERSION:
2659       return "TLSv1.1";
2660     case TLS1_2_VERSION:
2661       return "TLSv1.2";
2662     case TLS1_3_VERSION:
2663       return "TLSv1.3";
2664     case DTLS1_VERSION:
2665       return "DTLSv1";
2666     case DTLS1_2_VERSION:
2667       return "DTLSv1.2";
2668     default:
2669       return "???";
2670   }
2671 }
2672 
TEST_P(SSLVersionTest,Version)2673 TEST_P(SSLVersionTest, Version) {
2674   ASSERT_TRUE(Connect());
2675 
2676   EXPECT_EQ(SSL_version(client_.get()), version());
2677   EXPECT_EQ(SSL_version(server_.get()), version());
2678 
2679   // Test the version name is reported as expected.
2680   const char *version_name = GetVersionName(version());
2681   EXPECT_EQ(strcmp(version_name, SSL_get_version(client_.get())), 0);
2682   EXPECT_EQ(strcmp(version_name, SSL_get_version(server_.get())), 0);
2683 
2684   // Test SSL_SESSION reports the same name.
2685   const char *client_name =
2686       SSL_SESSION_get_version(SSL_get_session(client_.get()));
2687   const char *server_name =
2688       SSL_SESSION_get_version(SSL_get_session(server_.get()));
2689   EXPECT_EQ(strcmp(version_name, client_name), 0);
2690   EXPECT_EQ(strcmp(version_name, server_name), 0);
2691 }
2692 
2693 // Tests that that |SSL_get_pending_cipher| is available during the ALPN
2694 // selection callback.
TEST_P(SSLVersionTest,ALPNCipherAvailable)2695 TEST_P(SSLVersionTest, ALPNCipherAvailable) {
2696   ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
2697 
2698   static const uint8_t kALPNProtos[] = {0x03, 'f', 'o', 'o'};
2699   ASSERT_EQ(SSL_CTX_set_alpn_protos(client_ctx_.get(), kALPNProtos,
2700                                     sizeof(kALPNProtos)),
2701             0);
2702 
2703   // The ALPN callback does not fail the handshake on error, so have the
2704   // callback write a boolean.
2705   std::pair<uint16_t, bool> callback_state(version(), false);
2706   SSL_CTX_set_alpn_select_cb(
2707       server_ctx_.get(),
2708       [](SSL *ssl, const uint8_t **out, uint8_t *out_len, const uint8_t *in,
2709          unsigned in_len, void *arg) -> int {
2710         auto state = reinterpret_cast<std::pair<uint16_t, bool> *>(arg);
2711         if (SSL_get_pending_cipher(ssl) != nullptr &&
2712             SSL_version(ssl) == state->first) {
2713           state->second = true;
2714         }
2715         return SSL_TLSEXT_ERR_NOACK;
2716       },
2717       &callback_state);
2718 
2719   ASSERT_TRUE(Connect());
2720 
2721   ASSERT_TRUE(callback_state.second);
2722 }
2723 
TEST_P(SSLVersionTest,SSLClearSessionResumption)2724 TEST_P(SSLVersionTest, SSLClearSessionResumption) {
2725   // Skip this for TLS 1.3. TLS 1.3's ticket mechanism is incompatible with this
2726   // API pattern.
2727   if (version() == TLS1_3_VERSION) {
2728     return;
2729   }
2730 
2731   shed_handshake_config_ = false;
2732   ASSERT_TRUE(Connect());
2733 
2734   EXPECT_FALSE(SSL_session_reused(client_.get()));
2735   EXPECT_FALSE(SSL_session_reused(server_.get()));
2736 
2737   // Reset everything.
2738   ASSERT_TRUE(SSL_clear(client_.get()));
2739   ASSERT_TRUE(SSL_clear(server_.get()));
2740 
2741   // Attempt to connect a second time.
2742   ASSERT_TRUE(CompleteHandshakes(client_.get(), server_.get()));
2743 
2744   // |SSL_clear| should implicitly offer the previous session to the server.
2745   EXPECT_TRUE(SSL_session_reused(client_.get()));
2746   EXPECT_TRUE(SSL_session_reused(server_.get()));
2747 }
2748 
TEST_P(SSLVersionTest,SSLClearFailsWithShedding)2749 TEST_P(SSLVersionTest, SSLClearFailsWithShedding) {
2750   shed_handshake_config_ = false;
2751   ASSERT_TRUE(Connect());
2752   ASSERT_TRUE(CompleteHandshakes(client_.get(), server_.get()));
2753 
2754   // Reset everything.
2755   ASSERT_TRUE(SSL_clear(client_.get()));
2756   ASSERT_TRUE(SSL_clear(server_.get()));
2757 
2758   // Now enable shedding, and connect a second time.
2759   shed_handshake_config_ = true;
2760   ASSERT_TRUE(Connect());
2761   ASSERT_TRUE(CompleteHandshakes(client_.get(), server_.get()));
2762 
2763   // |SSL_clear| should now fail.
2764   ASSERT_FALSE(SSL_clear(client_.get()));
2765   ASSERT_FALSE(SSL_clear(server_.get()));
2766 }
2767 
ChainsEqual(STACK_OF (X509)* chain,const std::vector<X509 * > & expected)2768 static bool ChainsEqual(STACK_OF(X509) * chain,
2769                         const std::vector<X509 *> &expected) {
2770   if (sk_X509_num(chain) != expected.size()) {
2771     return false;
2772   }
2773 
2774   for (size_t i = 0; i < expected.size(); i++) {
2775     if (X509_cmp(sk_X509_value(chain, i), expected[i]) != 0) {
2776       return false;
2777     }
2778   }
2779 
2780   return true;
2781 }
2782 
TEST_P(SSLVersionTest,AutoChain)2783 TEST_P(SSLVersionTest, AutoChain) {
2784   cert_ = GetChainTestCertificate();
2785   ASSERT_TRUE(cert_);
2786   key_ = GetChainTestKey();
2787   ASSERT_TRUE(key_);
2788   bssl::UniquePtr<X509> intermediate = GetChainTestIntermediate();
2789   ASSERT_TRUE(intermediate);
2790 
2791   ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
2792   ASSERT_TRUE(UseCertAndKey(server_ctx_.get()));
2793 
2794   // Configure both client and server to accept any certificate. Add
2795   // |intermediate| to the cert store.
2796   ASSERT_TRUE(X509_STORE_add_cert(SSL_CTX_get_cert_store(client_ctx_.get()),
2797                                   intermediate.get()));
2798   ASSERT_TRUE(X509_STORE_add_cert(SSL_CTX_get_cert_store(server_ctx_.get()),
2799                                   intermediate.get()));
2800   SSL_CTX_set_verify(client_ctx_.get(),
2801                      SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
2802                      nullptr);
2803   SSL_CTX_set_verify(server_ctx_.get(),
2804                      SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
2805                      nullptr);
2806   SSL_CTX_set_cert_verify_callback(client_ctx_.get(), VerifySucceed, NULL);
2807   SSL_CTX_set_cert_verify_callback(server_ctx_.get(), VerifySucceed, NULL);
2808 
2809   // By default, the client and server should each only send the leaf.
2810   ASSERT_TRUE(Connect());
2811 
2812   EXPECT_TRUE(
2813       ChainsEqual(SSL_get_peer_full_cert_chain(client_.get()), {cert_.get()}));
2814   EXPECT_TRUE(
2815       ChainsEqual(SSL_get_peer_full_cert_chain(server_.get()), {cert_.get()}));
2816 
2817   // If auto-chaining is enabled, then the intermediate is sent.
2818   SSL_CTX_clear_mode(client_ctx_.get(), SSL_MODE_NO_AUTO_CHAIN);
2819   SSL_CTX_clear_mode(server_ctx_.get(), SSL_MODE_NO_AUTO_CHAIN);
2820   ASSERT_TRUE(Connect());
2821 
2822   EXPECT_TRUE(ChainsEqual(SSL_get_peer_full_cert_chain(client_.get()),
2823                           {cert_.get(), intermediate.get()}));
2824   EXPECT_TRUE(ChainsEqual(SSL_get_peer_full_cert_chain(server_.get()),
2825                           {cert_.get(), intermediate.get()}));
2826 
2827   // Auto-chaining does not override explicitly-configured intermediates.
2828   ASSERT_TRUE(SSL_CTX_add1_chain_cert(client_ctx_.get(), cert_.get()));
2829   ASSERT_TRUE(SSL_CTX_add1_chain_cert(server_ctx_.get(), cert_.get()));
2830   ASSERT_TRUE(Connect());
2831 
2832   EXPECT_TRUE(ChainsEqual(SSL_get_peer_full_cert_chain(client_.get()),
2833                           {cert_.get(), cert_.get()}));
2834 
2835   EXPECT_TRUE(ChainsEqual(SSL_get_peer_full_cert_chain(server_.get()),
2836                           {cert_.get(), cert_.get()}));
2837 }
2838 
ExpectBadWriteRetry()2839 static bool ExpectBadWriteRetry() {
2840   int err = ERR_get_error();
2841   if (ERR_GET_LIB(err) != ERR_LIB_SSL ||
2842       ERR_GET_REASON(err) != SSL_R_BAD_WRITE_RETRY) {
2843     char buf[ERR_ERROR_STRING_BUF_LEN];
2844     ERR_error_string_n(err, buf, sizeof(buf));
2845     fprintf(stderr, "Wanted SSL_R_BAD_WRITE_RETRY, got: %s.\n", buf);
2846     return false;
2847   }
2848 
2849   if (ERR_peek_error() != 0) {
2850     fprintf(stderr, "Unexpected error following SSL_R_BAD_WRITE_RETRY.\n");
2851     return false;
2852   }
2853 
2854   return true;
2855 }
2856 
TEST_P(SSLVersionTest,SSLWriteRetry)2857 TEST_P(SSLVersionTest, SSLWriteRetry) {
2858   if (is_dtls()) {
2859     return;
2860   }
2861 
2862   for (bool enable_partial_write : {false, true}) {
2863     SCOPED_TRACE(enable_partial_write);
2864 
2865     // Connect a client and server.
2866     ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
2867 
2868     ASSERT_TRUE(Connect());
2869 
2870     if (enable_partial_write) {
2871       SSL_set_mode(client_.get(), SSL_MODE_ENABLE_PARTIAL_WRITE);
2872     }
2873 
2874     // Write without reading until the buffer is full and we have an unfinished
2875     // write. Keep a count so we may reread it again later. "hello!" will be
2876     // written in two chunks, "hello" and "!".
2877     char data[] = "hello!";
2878     static const int kChunkLen = 5;  // The length of "hello".
2879     unsigned count = 0;
2880     for (;;) {
2881       int ret = SSL_write(client_.get(), data, kChunkLen);
2882       if (ret <= 0) {
2883         ASSERT_EQ(SSL_get_error(client_.get(), ret), SSL_ERROR_WANT_WRITE);
2884         break;
2885       }
2886 
2887       ASSERT_EQ(ret, 5);
2888 
2889       count++;
2890     }
2891 
2892     // Retrying with the same parameters is legal.
2893     ASSERT_EQ(
2894         SSL_get_error(client_.get(), SSL_write(client_.get(), data, kChunkLen)),
2895         SSL_ERROR_WANT_WRITE);
2896 
2897     // Retrying with the same buffer but shorter length is not legal.
2898     ASSERT_EQ(SSL_get_error(client_.get(),
2899                             SSL_write(client_.get(), data, kChunkLen - 1)),
2900               SSL_ERROR_SSL);
2901     ASSERT_TRUE(ExpectBadWriteRetry());
2902 
2903     // Retrying with a different buffer pointer is not legal.
2904     char data2[] = "hello";
2905     ASSERT_EQ(SSL_get_error(client_.get(),
2906                             SSL_write(client_.get(), data2, kChunkLen)),
2907               SSL_ERROR_SSL);
2908     ASSERT_TRUE(ExpectBadWriteRetry());
2909 
2910     // With |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER|, the buffer may move.
2911     SSL_set_mode(client_.get(), SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
2912     ASSERT_EQ(SSL_get_error(client_.get(),
2913                             SSL_write(client_.get(), data2, kChunkLen)),
2914               SSL_ERROR_WANT_WRITE);
2915 
2916     // |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER| does not disable length checks.
2917     ASSERT_EQ(SSL_get_error(client_.get(),
2918                             SSL_write(client_.get(), data2, kChunkLen - 1)),
2919               SSL_ERROR_SSL);
2920     ASSERT_TRUE(ExpectBadWriteRetry());
2921 
2922     // Retrying with a larger buffer is legal.
2923     ASSERT_EQ(SSL_get_error(client_.get(),
2924                             SSL_write(client_.get(), data, kChunkLen + 1)),
2925               SSL_ERROR_WANT_WRITE);
2926 
2927     // Drain the buffer.
2928     char buf[20];
2929     for (unsigned i = 0; i < count; i++) {
2930       ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen);
2931       ASSERT_EQ(OPENSSL_memcmp(buf, "hello", kChunkLen), 0);
2932     }
2933 
2934     // Now that there is space, a retry with a larger buffer should flush the
2935     // pending record, skip over that many bytes of input (on assumption they
2936     // are the same), and write the remainder. If SSL_MODE_ENABLE_PARTIAL_WRITE
2937     // is set, this will complete in two steps.
2938     char data3[] = "_____!";
2939     if (enable_partial_write) {
2940       ASSERT_EQ(SSL_write(client_.get(), data3, kChunkLen + 1), kChunkLen);
2941       ASSERT_EQ(SSL_write(client_.get(), data3 + kChunkLen, 1), 1);
2942     } else {
2943       ASSERT_EQ(SSL_write(client_.get(), data3, kChunkLen + 1), kChunkLen + 1);
2944     }
2945 
2946     // Check the last write was correct. The data will be spread over two
2947     // records, so SSL_read returns twice.
2948     ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen);
2949     ASSERT_EQ(OPENSSL_memcmp(buf, "hello", kChunkLen), 0);
2950     ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), 1);
2951     ASSERT_EQ(buf[0], '!');
2952   }
2953 }
2954 
TEST_P(SSLVersionTest,RecordCallback)2955 TEST_P(SSLVersionTest, RecordCallback) {
2956   for (bool test_server : {true, false}) {
2957     SCOPED_TRACE(test_server);
2958     ResetContexts();
2959 
2960     bool read_seen = false;
2961     bool write_seen = false;
2962     auto cb = [&](int is_write, int cb_version, int cb_type, const void *buf,
2963                   size_t len, SSL *ssl) {
2964       if (cb_type != SSL3_RT_HEADER) {
2965         return;
2966       }
2967 
2968       // The callback does not report a version for records.
2969       EXPECT_EQ(0, cb_version);
2970 
2971       if (is_write) {
2972         write_seen = true;
2973       } else {
2974         read_seen = true;
2975       }
2976 
2977       // Sanity-check that the record header is plausible.
2978       CBS cbs;
2979       CBS_init(&cbs, reinterpret_cast<const uint8_t *>(buf), len);
2980       uint8_t type;
2981       uint16_t record_version, length;
2982       ASSERT_TRUE(CBS_get_u8(&cbs, &type));
2983       ASSERT_TRUE(CBS_get_u16(&cbs, &record_version));
2984       EXPECT_EQ(record_version & 0xff00, version() & 0xff00);
2985       if (is_dtls()) {
2986         uint16_t epoch;
2987         ASSERT_TRUE(CBS_get_u16(&cbs, &epoch));
2988         EXPECT_TRUE(epoch == 0 || epoch == 1) << "Invalid epoch: " << epoch;
2989         ASSERT_TRUE(CBS_skip(&cbs, 6));
2990       }
2991       ASSERT_TRUE(CBS_get_u16(&cbs, &length));
2992       EXPECT_EQ(0u, CBS_len(&cbs));
2993     };
2994     using CallbackType = decltype(cb);
2995     SSL_CTX *ctx = test_server ? server_ctx_.get() : client_ctx_.get();
2996     SSL_CTX_set_msg_callback(
2997         ctx, [](int is_write, int cb_version, int cb_type, const void *buf,
2998                 size_t len, SSL *ssl, void *arg) {
2999           CallbackType *cb_ptr = reinterpret_cast<CallbackType *>(arg);
3000           (*cb_ptr)(is_write, cb_version, cb_type, buf, len, ssl);
3001         });
3002     SSL_CTX_set_msg_callback_arg(ctx, &cb);
3003 
3004     ASSERT_TRUE(Connect());
3005 
3006     EXPECT_TRUE(read_seen);
3007     EXPECT_TRUE(write_seen);
3008   }
3009 }
3010 
TEST_P(SSLVersionTest,GetServerName)3011 TEST_P(SSLVersionTest, GetServerName) {
3012   ClientConfig config;
3013   config.servername = "host1";
3014 
3015   SSL_CTX_set_tlsext_servername_callback(
3016       server_ctx_.get(), [](SSL *ssl, int *out_alert, void *arg) -> int {
3017         // During the handshake, |SSL_get_servername| must match |config|.
3018         ClientConfig *config_p = reinterpret_cast<ClientConfig *>(arg);
3019         EXPECT_STREQ(config_p->servername.c_str(),
3020                      SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name));
3021         return SSL_TLSEXT_ERR_OK;
3022       });
3023   SSL_CTX_set_tlsext_servername_arg(server_ctx_.get(), &config);
3024 
3025   ASSERT_TRUE(Connect(config));
3026   // After the handshake, it must also be available.
3027   EXPECT_STREQ(config.servername.c_str(),
3028                SSL_get_servername(server_.get(), TLSEXT_NAMETYPE_host_name));
3029 
3030   // Establish a session under host1.
3031   SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
3032   SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
3033   bssl::UniquePtr<SSL_SESSION> session =
3034       CreateClientSession(client_ctx_.get(), server_ctx_.get(), config);
3035 
3036   // If the client resumes a session with a different name, |SSL_get_servername|
3037   // must return the new name.
3038   ASSERT_TRUE(session);
3039   config.session = session.get();
3040   config.servername = "host2";
3041   ASSERT_TRUE(Connect(config));
3042   EXPECT_STREQ(config.servername.c_str(),
3043                SSL_get_servername(server_.get(), TLSEXT_NAMETYPE_host_name));
3044 }
3045 
3046 // Test that session cache mode bits are honored in the client session callback.
TEST_P(SSLVersionTest,ClientSessionCacheMode)3047 TEST_P(SSLVersionTest, ClientSessionCacheMode) {
3048   SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_OFF);
3049   EXPECT_FALSE(CreateClientSession(client_ctx_.get(), server_ctx_.get()));
3050 
3051   SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_CLIENT);
3052   EXPECT_TRUE(CreateClientSession(client_ctx_.get(), server_ctx_.get()));
3053 
3054   SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_SERVER);
3055   EXPECT_FALSE(CreateClientSession(client_ctx_.get(), server_ctx_.get()));
3056 }
3057 
TEST(SSLTest,AddChainCertHack)3058 TEST(SSLTest, AddChainCertHack) {
3059   // Ensure that we don't accidently break the hack that we have in place to
3060   // keep curl and serf happy when they use an |X509| even after transfering
3061   // ownership.
3062 
3063   bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
3064   ASSERT_TRUE(ctx);
3065   X509 *cert = GetTestCertificate().release();
3066   ASSERT_TRUE(cert);
3067   SSL_CTX_add0_chain_cert(ctx.get(), cert);
3068 
3069   // This should not trigger a use-after-free.
3070   X509_cmp(cert, cert);
3071 }
3072 
TEST(SSLTest,GetCertificate)3073 TEST(SSLTest, GetCertificate) {
3074   bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
3075   ASSERT_TRUE(ctx);
3076   bssl::UniquePtr<X509> cert = GetTestCertificate();
3077   ASSERT_TRUE(cert);
3078   ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), cert.get()));
3079   bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
3080   ASSERT_TRUE(ssl);
3081 
3082   X509 *cert2 = SSL_CTX_get0_certificate(ctx.get());
3083   ASSERT_TRUE(cert2);
3084   X509 *cert3 = SSL_get_certificate(ssl.get());
3085   ASSERT_TRUE(cert3);
3086 
3087   // The old and new certificates must be identical.
3088   EXPECT_EQ(0, X509_cmp(cert.get(), cert2));
3089   EXPECT_EQ(0, X509_cmp(cert.get(), cert3));
3090 
3091   uint8_t *der = nullptr;
3092   long der_len = i2d_X509(cert.get(), &der);
3093   ASSERT_LT(0, der_len);
3094   bssl::UniquePtr<uint8_t> free_der(der);
3095 
3096   uint8_t *der2 = nullptr;
3097   long der2_len = i2d_X509(cert2, &der2);
3098   ASSERT_LT(0, der2_len);
3099   bssl::UniquePtr<uint8_t> free_der2(der2);
3100 
3101   uint8_t *der3 = nullptr;
3102   long der3_len = i2d_X509(cert3, &der3);
3103   ASSERT_LT(0, der3_len);
3104   bssl::UniquePtr<uint8_t> free_der3(der3);
3105 
3106   // They must also encode identically.
3107   EXPECT_EQ(Bytes(der, der_len), Bytes(der2, der2_len));
3108   EXPECT_EQ(Bytes(der, der_len), Bytes(der3, der3_len));
3109 }
3110 
TEST(SSLTest,SetChainAndKeyMismatch)3111 TEST(SSLTest, SetChainAndKeyMismatch) {
3112   bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_with_buffers_method()));
3113   ASSERT_TRUE(ctx);
3114 
3115   bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
3116   ASSERT_TRUE(key);
3117   bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
3118   ASSERT_TRUE(leaf);
3119   std::vector<CRYPTO_BUFFER*> chain = {
3120       leaf.get(),
3121   };
3122 
3123   // Should fail because |GetTestKey| doesn't match the chain-test certificate.
3124   ASSERT_FALSE(SSL_CTX_set_chain_and_key(ctx.get(), &chain[0], chain.size(),
3125                                          key.get(), nullptr));
3126   ERR_clear_error();
3127 }
3128 
TEST(SSLTest,SetChainAndKey)3129 TEST(SSLTest, SetChainAndKey) {
3130   bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method()));
3131   ASSERT_TRUE(client_ctx);
3132   bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_with_buffers_method()));
3133   ASSERT_TRUE(server_ctx);
3134 
3135   bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
3136   ASSERT_TRUE(key);
3137   bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
3138   ASSERT_TRUE(leaf);
3139   bssl::UniquePtr<CRYPTO_BUFFER> intermediate =
3140       GetChainTestIntermediateBuffer();
3141   ASSERT_TRUE(intermediate);
3142   std::vector<CRYPTO_BUFFER*> chain = {
3143       leaf.get(), intermediate.get(),
3144   };
3145   ASSERT_TRUE(SSL_CTX_set_chain_and_key(server_ctx.get(), &chain[0],
3146                                         chain.size(), key.get(), nullptr));
3147 
3148   SSL_CTX_set_custom_verify(
3149       client_ctx.get(), SSL_VERIFY_PEER,
3150       [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
3151         return ssl_verify_ok;
3152       });
3153 
3154   bssl::UniquePtr<SSL> client, server;
3155   ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
3156                                      server_ctx.get()));
3157 }
3158 
TEST(SSLTest,BuffersFailWithoutCustomVerify)3159 TEST(SSLTest, BuffersFailWithoutCustomVerify) {
3160   bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method()));
3161   ASSERT_TRUE(client_ctx);
3162   bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_with_buffers_method()));
3163   ASSERT_TRUE(server_ctx);
3164 
3165   bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
3166   ASSERT_TRUE(key);
3167   bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
3168   ASSERT_TRUE(leaf);
3169   std::vector<CRYPTO_BUFFER*> chain = { leaf.get() };
3170   ASSERT_TRUE(SSL_CTX_set_chain_and_key(server_ctx.get(), &chain[0],
3171                                         chain.size(), key.get(), nullptr));
3172 
3173   // Without SSL_CTX_set_custom_verify(), i.e. with everything in the default
3174   // configuration, certificate verification should fail.
3175   bssl::UniquePtr<SSL> client, server;
3176   ASSERT_FALSE(ConnectClientAndServer(&client, &server, client_ctx.get(),
3177                                       server_ctx.get()));
3178 
3179   // Whereas with a verifier, the connection should succeed.
3180   SSL_CTX_set_custom_verify(
3181       client_ctx.get(), SSL_VERIFY_PEER,
3182       [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
3183         return ssl_verify_ok;
3184       });
3185   ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
3186                                      server_ctx.get()));
3187 }
3188 
TEST(SSLTest,CustomVerify)3189 TEST(SSLTest, CustomVerify) {
3190   bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method()));
3191   ASSERT_TRUE(client_ctx);
3192   bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_with_buffers_method()));
3193   ASSERT_TRUE(server_ctx);
3194 
3195   bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
3196   ASSERT_TRUE(key);
3197   bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
3198   ASSERT_TRUE(leaf);
3199   std::vector<CRYPTO_BUFFER*> chain = { leaf.get() };
3200   ASSERT_TRUE(SSL_CTX_set_chain_and_key(server_ctx.get(), &chain[0],
3201                                         chain.size(), key.get(), nullptr));
3202 
3203   SSL_CTX_set_custom_verify(
3204       client_ctx.get(), SSL_VERIFY_PEER,
3205       [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
3206         return ssl_verify_ok;
3207       });
3208 
3209   bssl::UniquePtr<SSL> client, server;
3210   ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
3211                                      server_ctx.get()));
3212 
3213   // With SSL_VERIFY_PEER, ssl_verify_invalid should result in a dropped
3214   // connection.
3215   SSL_CTX_set_custom_verify(
3216       client_ctx.get(), SSL_VERIFY_PEER,
3217       [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
3218         return ssl_verify_invalid;
3219       });
3220 
3221   ASSERT_FALSE(ConnectClientAndServer(&client, &server, client_ctx.get(),
3222                                       server_ctx.get()));
3223 
3224   // But with SSL_VERIFY_NONE, ssl_verify_invalid should not cause a dropped
3225   // connection.
3226   SSL_CTX_set_custom_verify(
3227       client_ctx.get(), SSL_VERIFY_NONE,
3228       [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
3229         return ssl_verify_invalid;
3230       });
3231 
3232   ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
3233                                      server_ctx.get()));
3234 }
3235 
TEST(SSLTest,ClientCABuffers)3236 TEST(SSLTest, ClientCABuffers) {
3237   bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method()));
3238   ASSERT_TRUE(client_ctx);
3239   bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_with_buffers_method()));
3240   ASSERT_TRUE(server_ctx);
3241 
3242   bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
3243   ASSERT_TRUE(key);
3244   bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
3245   ASSERT_TRUE(leaf);
3246   bssl::UniquePtr<CRYPTO_BUFFER> intermediate =
3247       GetChainTestIntermediateBuffer();
3248   ASSERT_TRUE(intermediate);
3249   std::vector<CRYPTO_BUFFER *> chain = {
3250       leaf.get(),
3251       intermediate.get(),
3252   };
3253   ASSERT_TRUE(SSL_CTX_set_chain_and_key(server_ctx.get(), &chain[0],
3254                                         chain.size(), key.get(), nullptr));
3255 
3256   bssl::UniquePtr<CRYPTO_BUFFER> ca_name(
3257       CRYPTO_BUFFER_new(kTestName, sizeof(kTestName), nullptr));
3258   ASSERT_TRUE(ca_name);
3259   bssl::UniquePtr<STACK_OF(CRYPTO_BUFFER)> ca_names(
3260       sk_CRYPTO_BUFFER_new_null());
3261   ASSERT_TRUE(ca_names);
3262   ASSERT_TRUE(PushToStack(ca_names.get(), std::move(ca_name)));
3263   SSL_CTX_set0_client_CAs(server_ctx.get(), ca_names.release());
3264 
3265   // Configure client and server to accept all certificates.
3266   SSL_CTX_set_custom_verify(
3267       client_ctx.get(), SSL_VERIFY_PEER,
3268       [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
3269         return ssl_verify_ok;
3270       });
3271   SSL_CTX_set_custom_verify(
3272       server_ctx.get(), SSL_VERIFY_PEER,
3273       [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
3274         return ssl_verify_ok;
3275       });
3276 
3277   bool cert_cb_called = false;
3278   SSL_CTX_set_cert_cb(
3279       client_ctx.get(),
3280       [](SSL *ssl, void *arg) -> int {
3281         const STACK_OF(CRYPTO_BUFFER) *peer_names =
3282             SSL_get0_server_requested_CAs(ssl);
3283         EXPECT_EQ(1u, sk_CRYPTO_BUFFER_num(peer_names));
3284         CRYPTO_BUFFER *peer_name = sk_CRYPTO_BUFFER_value(peer_names, 0);
3285         EXPECT_EQ(Bytes(kTestName), Bytes(CRYPTO_BUFFER_data(peer_name),
3286                                           CRYPTO_BUFFER_len(peer_name)));
3287         *reinterpret_cast<bool *>(arg) = true;
3288         return 1;
3289       },
3290       &cert_cb_called);
3291 
3292   bssl::UniquePtr<SSL> client, server;
3293   ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
3294                                      server_ctx.get()));
3295   EXPECT_TRUE(cert_cb_called);
3296 }
3297 
3298 // Configuring the empty cipher list, though an error, should still modify the
3299 // configuration.
TEST(SSLTest,EmptyCipherList)3300 TEST(SSLTest, EmptyCipherList) {
3301   bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
3302   ASSERT_TRUE(ctx);
3303 
3304   // Initially, the cipher list is not empty.
3305   EXPECT_NE(0u, sk_SSL_CIPHER_num(SSL_CTX_get_ciphers(ctx.get())));
3306 
3307   // Configuring the empty cipher list fails.
3308   EXPECT_FALSE(SSL_CTX_set_cipher_list(ctx.get(), ""));
3309   ERR_clear_error();
3310 
3311   // But the cipher list is still updated to empty.
3312   EXPECT_EQ(0u, sk_SSL_CIPHER_num(SSL_CTX_get_ciphers(ctx.get())));
3313 }
3314 
3315 // ssl_test_ticket_aead_failure_mode enumerates the possible ways in which the
3316 // test |SSL_TICKET_AEAD_METHOD| can fail.
3317 enum ssl_test_ticket_aead_failure_mode {
3318   ssl_test_ticket_aead_ok = 0,
3319   ssl_test_ticket_aead_seal_fail,
3320   ssl_test_ticket_aead_open_soft_fail,
3321   ssl_test_ticket_aead_open_hard_fail,
3322 };
3323 
3324 struct ssl_test_ticket_aead_state {
3325   unsigned retry_count;
3326   ssl_test_ticket_aead_failure_mode failure_mode;
3327 };
3328 
ssl_test_ticket_aead_ex_index_dup(CRYPTO_EX_DATA * to,const CRYPTO_EX_DATA * from,void ** from_d,int index,long argl,void * argp)3329 static int ssl_test_ticket_aead_ex_index_dup(CRYPTO_EX_DATA *to,
3330                                              const CRYPTO_EX_DATA *from,
3331                                              void **from_d, int index,
3332                                              long argl, void *argp) {
3333   abort();
3334 }
3335 
ssl_test_ticket_aead_ex_index_free(void * parent,void * ptr,CRYPTO_EX_DATA * ad,int index,long argl,void * argp)3336 static void ssl_test_ticket_aead_ex_index_free(void *parent, void *ptr,
3337                                                CRYPTO_EX_DATA *ad, int index,
3338                                                long argl, void *argp) {
3339   auto state = reinterpret_cast<ssl_test_ticket_aead_state*>(ptr);
3340   if (state == nullptr) {
3341     return;
3342   }
3343 
3344   OPENSSL_free(state);
3345 }
3346 
3347 static CRYPTO_once_t g_ssl_test_ticket_aead_ex_index_once = CRYPTO_ONCE_INIT;
3348 static int g_ssl_test_ticket_aead_ex_index;
3349 
ssl_test_ticket_aead_get_ex_index()3350 static int ssl_test_ticket_aead_get_ex_index() {
3351   CRYPTO_once(&g_ssl_test_ticket_aead_ex_index_once, [] {
3352     g_ssl_test_ticket_aead_ex_index = SSL_get_ex_new_index(
3353         0, nullptr, nullptr, ssl_test_ticket_aead_ex_index_dup,
3354         ssl_test_ticket_aead_ex_index_free);
3355   });
3356   return g_ssl_test_ticket_aead_ex_index;
3357 }
3358 
ssl_test_ticket_aead_max_overhead(SSL * ssl)3359 static size_t ssl_test_ticket_aead_max_overhead(SSL *ssl) {
3360   return 1;
3361 }
3362 
ssl_test_ticket_aead_seal(SSL * ssl,uint8_t * out,size_t * out_len,size_t max_out_len,const uint8_t * in,size_t in_len)3363 static int ssl_test_ticket_aead_seal(SSL *ssl, uint8_t *out, size_t *out_len,
3364                                      size_t max_out_len, const uint8_t *in,
3365                                      size_t in_len) {
3366   auto state = reinterpret_cast<ssl_test_ticket_aead_state *>(
3367       SSL_get_ex_data(ssl, ssl_test_ticket_aead_get_ex_index()));
3368 
3369   if (state->failure_mode == ssl_test_ticket_aead_seal_fail ||
3370       max_out_len < in_len + 1) {
3371     return 0;
3372   }
3373 
3374   OPENSSL_memmove(out, in, in_len);
3375   out[in_len] = 0xff;
3376   *out_len = in_len + 1;
3377 
3378   return 1;
3379 }
3380 
ssl_test_ticket_aead_open(SSL * ssl,uint8_t * out,size_t * out_len,size_t max_out_len,const uint8_t * in,size_t in_len)3381 static ssl_ticket_aead_result_t ssl_test_ticket_aead_open(
3382     SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out_len,
3383     const uint8_t *in, size_t in_len) {
3384   auto state = reinterpret_cast<ssl_test_ticket_aead_state *>(
3385       SSL_get_ex_data(ssl, ssl_test_ticket_aead_get_ex_index()));
3386 
3387   if (state->retry_count > 0) {
3388     state->retry_count--;
3389     return ssl_ticket_aead_retry;
3390   }
3391 
3392   switch (state->failure_mode) {
3393     case ssl_test_ticket_aead_ok:
3394       break;
3395     case ssl_test_ticket_aead_seal_fail:
3396       // If |seal| failed then there shouldn't be any ticket to try and
3397       // decrypt.
3398       abort();
3399       break;
3400     case ssl_test_ticket_aead_open_soft_fail:
3401       return ssl_ticket_aead_ignore_ticket;
3402     case ssl_test_ticket_aead_open_hard_fail:
3403       return ssl_ticket_aead_error;
3404   }
3405 
3406   if (in_len == 0 || in[in_len - 1] != 0xff) {
3407     return ssl_ticket_aead_ignore_ticket;
3408   }
3409 
3410   if (max_out_len < in_len - 1) {
3411     return ssl_ticket_aead_error;
3412   }
3413 
3414   OPENSSL_memmove(out, in, in_len - 1);
3415   *out_len = in_len - 1;
3416   return ssl_ticket_aead_success;
3417 }
3418 
3419 static const SSL_TICKET_AEAD_METHOD kSSLTestTicketMethod = {
3420   ssl_test_ticket_aead_max_overhead,
3421   ssl_test_ticket_aead_seal,
3422   ssl_test_ticket_aead_open,
3423 };
3424 
ConnectClientAndServerWithTicketMethod(bssl::UniquePtr<SSL> * out_client,bssl::UniquePtr<SSL> * out_server,SSL_CTX * client_ctx,SSL_CTX * server_ctx,unsigned retry_count,ssl_test_ticket_aead_failure_mode failure_mode,SSL_SESSION * session)3425 static void ConnectClientAndServerWithTicketMethod(
3426     bssl::UniquePtr<SSL> *out_client, bssl::UniquePtr<SSL> *out_server,
3427     SSL_CTX *client_ctx, SSL_CTX *server_ctx, unsigned retry_count,
3428     ssl_test_ticket_aead_failure_mode failure_mode, SSL_SESSION *session) {
3429   bssl::UniquePtr<SSL> client(SSL_new(client_ctx)), server(SSL_new(server_ctx));
3430   ASSERT_TRUE(client);
3431   ASSERT_TRUE(server);
3432   SSL_set_connect_state(client.get());
3433   SSL_set_accept_state(server.get());
3434 
3435   auto state = reinterpret_cast<ssl_test_ticket_aead_state *>(
3436       OPENSSL_malloc(sizeof(ssl_test_ticket_aead_state)));
3437   ASSERT_TRUE(state);
3438   OPENSSL_memset(state, 0, sizeof(ssl_test_ticket_aead_state));
3439   state->retry_count = retry_count;
3440   state->failure_mode = failure_mode;
3441 
3442   ASSERT_TRUE(SSL_set_ex_data(server.get(), ssl_test_ticket_aead_get_ex_index(),
3443                               state));
3444 
3445   SSL_set_session(client.get(), session);
3446 
3447   BIO *bio1, *bio2;
3448   ASSERT_TRUE(BIO_new_bio_pair(&bio1, 0, &bio2, 0));
3449 
3450   // SSL_set_bio takes ownership.
3451   SSL_set_bio(client.get(), bio1, bio1);
3452   SSL_set_bio(server.get(), bio2, bio2);
3453 
3454   if (CompleteHandshakes(client.get(), server.get())) {
3455     *out_client = std::move(client);
3456     *out_server = std::move(server);
3457   } else {
3458     out_client->reset();
3459     out_server->reset();
3460   }
3461 }
3462 
3463 using TicketAEADMethodParam =
3464     testing::tuple<uint16_t, unsigned, ssl_test_ticket_aead_failure_mode>;
3465 
3466 class TicketAEADMethodTest
3467     : public ::testing::TestWithParam<TicketAEADMethodParam> {};
3468 
TEST_P(TicketAEADMethodTest,Resume)3469 TEST_P(TicketAEADMethodTest, Resume) {
3470   bssl::UniquePtr<X509> cert = GetTestCertificate();
3471   ASSERT_TRUE(cert);
3472   bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
3473   ASSERT_TRUE(key);
3474 
3475   bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
3476   ASSERT_TRUE(server_ctx);
3477   bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
3478   ASSERT_TRUE(client_ctx);
3479 
3480   const uint16_t version = testing::get<0>(GetParam());
3481   const unsigned retry_count = testing::get<1>(GetParam());
3482   const ssl_test_ticket_aead_failure_mode failure_mode =
3483       testing::get<2>(GetParam());
3484 
3485   ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
3486   ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
3487   ASSERT_TRUE(SSL_CTX_set_min_proto_version(client_ctx.get(), version));
3488   ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), version));
3489   ASSERT_TRUE(SSL_CTX_set_min_proto_version(server_ctx.get(), version));
3490   ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), version));
3491 
3492   SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
3493   SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH);
3494   SSL_CTX_set_current_time_cb(client_ctx.get(), FrozenTimeCallback);
3495   SSL_CTX_set_current_time_cb(server_ctx.get(), FrozenTimeCallback);
3496   SSL_CTX_sess_set_new_cb(client_ctx.get(), SaveLastSession);
3497 
3498   SSL_CTX_set_ticket_aead_method(server_ctx.get(), &kSSLTestTicketMethod);
3499 
3500   bssl::UniquePtr<SSL> client, server;
3501   ConnectClientAndServerWithTicketMethod(&client, &server, client_ctx.get(),
3502                                          server_ctx.get(), retry_count,
3503                                          failure_mode, nullptr);
3504   switch (failure_mode) {
3505     case ssl_test_ticket_aead_ok:
3506     case ssl_test_ticket_aead_open_hard_fail:
3507     case ssl_test_ticket_aead_open_soft_fail:
3508       ASSERT_TRUE(client);
3509       break;
3510     case ssl_test_ticket_aead_seal_fail:
3511       EXPECT_FALSE(client);
3512       return;
3513   }
3514   EXPECT_FALSE(SSL_session_reused(client.get()));
3515   EXPECT_FALSE(SSL_session_reused(server.get()));
3516 
3517   // Run the read loop to account for post-handshake tickets in TLS 1.3.
3518   SSL_read(client.get(), nullptr, 0);
3519 
3520   bssl::UniquePtr<SSL_SESSION> session = std::move(g_last_session);
3521   ConnectClientAndServerWithTicketMethod(&client, &server, client_ctx.get(),
3522                                          server_ctx.get(), retry_count,
3523                                          failure_mode, session.get());
3524   switch (failure_mode) {
3525     case ssl_test_ticket_aead_ok:
3526       ASSERT_TRUE(client);
3527       EXPECT_TRUE(SSL_session_reused(client.get()));
3528       EXPECT_TRUE(SSL_session_reused(server.get()));
3529       break;
3530     case ssl_test_ticket_aead_seal_fail:
3531       abort();
3532       break;
3533     case ssl_test_ticket_aead_open_hard_fail:
3534       EXPECT_FALSE(client);
3535       break;
3536     case ssl_test_ticket_aead_open_soft_fail:
3537       ASSERT_TRUE(client);
3538       EXPECT_FALSE(SSL_session_reused(client.get()));
3539       EXPECT_FALSE(SSL_session_reused(server.get()));
3540   }
3541 }
3542 
TicketAEADMethodParamToString(const testing::TestParamInfo<TicketAEADMethodParam> & params)3543 std::string TicketAEADMethodParamToString(
3544     const testing::TestParamInfo<TicketAEADMethodParam> &params) {
3545   std::string ret = GetVersionName(std::get<0>(params.param));
3546   // GTest only allows alphanumeric characters and '_' in the parameter
3547   // string. Additionally filter out the 'v' to get "TLS13" over "TLSv13".
3548   for (auto it = ret.begin(); it != ret.end();) {
3549     if (*it == '.' || *it == 'v') {
3550       it = ret.erase(it);
3551     } else {
3552       ++it;
3553     }
3554   }
3555   char retry_count[256];
3556   snprintf(retry_count, sizeof(retry_count), "%d", std::get<1>(params.param));
3557   ret += "_";
3558   ret += retry_count;
3559   ret += "Retries_";
3560   switch (std::get<2>(params.param)) {
3561     case ssl_test_ticket_aead_ok:
3562       ret += "OK";
3563       break;
3564     case ssl_test_ticket_aead_seal_fail:
3565       ret += "SealFail";
3566       break;
3567     case ssl_test_ticket_aead_open_soft_fail:
3568       ret += "OpenSoftFail";
3569       break;
3570     case ssl_test_ticket_aead_open_hard_fail:
3571       ret += "OpenHardFail";
3572       break;
3573   }
3574   return ret;
3575 }
3576 
3577 INSTANTIATE_TEST_CASE_P(
3578     TicketAEADMethodTests, TicketAEADMethodTest,
3579     testing::Combine(testing::Values(TLS1_2_VERSION, TLS1_3_VERSION),
3580                      testing::Values(0, 1, 2),
3581                      testing::Values(ssl_test_ticket_aead_ok,
3582                                      ssl_test_ticket_aead_seal_fail,
3583                                      ssl_test_ticket_aead_open_soft_fail,
3584                                      ssl_test_ticket_aead_open_hard_fail)),
3585     TicketAEADMethodParamToString);
3586 
TEST(SSLTest,SelectNextProto)3587 TEST(SSLTest, SelectNextProto) {
3588   uint8_t *result;
3589   uint8_t result_len;
3590 
3591   // If there is an overlap, it should be returned.
3592   EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
3593             SSL_select_next_proto(&result, &result_len,
3594                                   (const uint8_t *)"\1a\2bb\3ccc", 9,
3595                                   (const uint8_t *)"\1x\1y\1a\1z", 8));
3596   EXPECT_EQ(Bytes("a"), Bytes(result, result_len));
3597 
3598   EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
3599             SSL_select_next_proto(&result, &result_len,
3600                                   (const uint8_t *)"\1a\2bb\3ccc", 9,
3601                                   (const uint8_t *)"\1x\1y\2bb\1z", 9));
3602   EXPECT_EQ(Bytes("bb"), Bytes(result, result_len));
3603 
3604   EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
3605             SSL_select_next_proto(&result, &result_len,
3606                                   (const uint8_t *)"\1a\2bb\3ccc", 9,
3607                                   (const uint8_t *)"\1x\1y\3ccc\1z", 10));
3608   EXPECT_EQ(Bytes("ccc"), Bytes(result, result_len));
3609 
3610   // Peer preference order takes precedence over local.
3611   EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
3612             SSL_select_next_proto(&result, &result_len,
3613                                   (const uint8_t *)"\1a\2bb\3ccc", 9,
3614                                   (const uint8_t *)"\3ccc\2bb\1a", 9));
3615   EXPECT_EQ(Bytes("a"), Bytes(result, result_len));
3616 
3617   // If there is no overlap, return the first local protocol.
3618   EXPECT_EQ(OPENSSL_NPN_NO_OVERLAP,
3619             SSL_select_next_proto(&result, &result_len,
3620                                   (const uint8_t *)"\1a\2bb\3ccc", 9,
3621                                   (const uint8_t *)"\1x\2yy\3zzz", 9));
3622   EXPECT_EQ(Bytes("x"), Bytes(result, result_len));
3623 
3624   EXPECT_EQ(OPENSSL_NPN_NO_OVERLAP,
3625             SSL_select_next_proto(&result, &result_len, nullptr, 0,
3626                                   (const uint8_t *)"\1x\2yy\3zzz", 9));
3627   EXPECT_EQ(Bytes("x"), Bytes(result, result_len));
3628 }
3629 
TEST(SSLTest,SealRecord)3630 TEST(SSLTest, SealRecord) {
3631   bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method())),
3632       server_ctx(SSL_CTX_new(TLS_method()));
3633   ASSERT_TRUE(client_ctx);
3634   ASSERT_TRUE(server_ctx);
3635 
3636   bssl::UniquePtr<X509> cert = GetTestCertificate();
3637   bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
3638   ASSERT_TRUE(cert);
3639   ASSERT_TRUE(key);
3640   ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
3641   ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
3642 
3643   bssl::UniquePtr<SSL> client, server;
3644   ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
3645                                      server_ctx.get()));
3646 
3647   const std::vector<uint8_t> record = {1, 2, 3, 4, 5};
3648   std::vector<uint8_t> prefix(
3649       bssl::SealRecordPrefixLen(client.get(), record.size())),
3650       body(record.size()),
3651       suffix(bssl::SealRecordSuffixLen(client.get(), record.size()));
3652   ASSERT_TRUE(bssl::SealRecord(client.get(), bssl::MakeSpan(prefix),
3653                                bssl::MakeSpan(body), bssl::MakeSpan(suffix),
3654                                record));
3655 
3656   std::vector<uint8_t> sealed;
3657   sealed.insert(sealed.end(), prefix.begin(), prefix.end());
3658   sealed.insert(sealed.end(), body.begin(), body.end());
3659   sealed.insert(sealed.end(), suffix.begin(), suffix.end());
3660   std::vector<uint8_t> sealed_copy = sealed;
3661 
3662   bssl::Span<uint8_t> plaintext;
3663   size_t record_len;
3664   uint8_t alert = 255;
3665   EXPECT_EQ(bssl::OpenRecord(server.get(), &plaintext, &record_len, &alert,
3666                              bssl::MakeSpan(sealed)),
3667             bssl::OpenRecordResult::kOK);
3668   EXPECT_EQ(record_len, sealed.size());
3669   EXPECT_EQ(plaintext, record);
3670   EXPECT_EQ(255, alert);
3671 }
3672 
TEST(SSLTest,SealRecordInPlace)3673 TEST(SSLTest, SealRecordInPlace) {
3674   bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method())),
3675       server_ctx(SSL_CTX_new(TLS_method()));
3676   ASSERT_TRUE(client_ctx);
3677   ASSERT_TRUE(server_ctx);
3678 
3679   bssl::UniquePtr<X509> cert = GetTestCertificate();
3680   bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
3681   ASSERT_TRUE(cert);
3682   ASSERT_TRUE(key);
3683   ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
3684   ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
3685 
3686   bssl::UniquePtr<SSL> client, server;
3687   ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
3688                                      server_ctx.get()));
3689 
3690   const std::vector<uint8_t> plaintext = {1, 2, 3, 4, 5};
3691   std::vector<uint8_t> record = plaintext;
3692   std::vector<uint8_t> prefix(
3693       bssl::SealRecordPrefixLen(client.get(), record.size())),
3694       suffix(bssl::SealRecordSuffixLen(client.get(), record.size()));
3695   ASSERT_TRUE(bssl::SealRecord(client.get(), bssl::MakeSpan(prefix),
3696                                bssl::MakeSpan(record), bssl::MakeSpan(suffix),
3697                                record));
3698   record.insert(record.begin(), prefix.begin(), prefix.end());
3699   record.insert(record.end(), suffix.begin(), suffix.end());
3700 
3701   bssl::Span<uint8_t> result;
3702   size_t record_len;
3703   uint8_t alert;
3704   EXPECT_EQ(bssl::OpenRecord(server.get(), &result, &record_len, &alert,
3705                              bssl::MakeSpan(record)),
3706             bssl::OpenRecordResult::kOK);
3707   EXPECT_EQ(record_len, record.size());
3708   EXPECT_EQ(plaintext, result);
3709 }
3710 
TEST(SSLTest,SealRecordTrailingData)3711 TEST(SSLTest, SealRecordTrailingData) {
3712   bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method())),
3713       server_ctx(SSL_CTX_new(TLS_method()));
3714   ASSERT_TRUE(client_ctx);
3715   ASSERT_TRUE(server_ctx);
3716 
3717   bssl::UniquePtr<X509> cert = GetTestCertificate();
3718   bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
3719   ASSERT_TRUE(cert);
3720   ASSERT_TRUE(key);
3721   ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
3722   ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
3723 
3724   bssl::UniquePtr<SSL> client, server;
3725   ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
3726                                      server_ctx.get()));
3727 
3728   const std::vector<uint8_t> plaintext = {1, 2, 3, 4, 5};
3729   std::vector<uint8_t> record = plaintext;
3730   std::vector<uint8_t> prefix(
3731       bssl::SealRecordPrefixLen(client.get(), record.size())),
3732       suffix(bssl::SealRecordSuffixLen(client.get(), record.size()));
3733   ASSERT_TRUE(bssl::SealRecord(client.get(), bssl::MakeSpan(prefix),
3734                                bssl::MakeSpan(record), bssl::MakeSpan(suffix),
3735                                record));
3736   record.insert(record.begin(), prefix.begin(), prefix.end());
3737   record.insert(record.end(), suffix.begin(), suffix.end());
3738   record.insert(record.end(), {5, 4, 3, 2, 1});
3739 
3740   bssl::Span<uint8_t> result;
3741   size_t record_len;
3742   uint8_t alert;
3743   EXPECT_EQ(bssl::OpenRecord(server.get(), &result, &record_len, &alert,
3744                              bssl::MakeSpan(record)),
3745             bssl::OpenRecordResult::kOK);
3746   EXPECT_EQ(record_len, record.size() - 5);
3747   EXPECT_EQ(plaintext, result);
3748 }
3749 
TEST(SSLTest,SealRecordInvalidSpanSize)3750 TEST(SSLTest, SealRecordInvalidSpanSize) {
3751   bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method())),
3752       server_ctx(SSL_CTX_new(TLS_method()));
3753   ASSERT_TRUE(client_ctx);
3754   ASSERT_TRUE(server_ctx);
3755 
3756   bssl::UniquePtr<X509> cert = GetTestCertificate();
3757   bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
3758   ASSERT_TRUE(cert);
3759   ASSERT_TRUE(key);
3760   ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
3761   ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
3762 
3763   bssl::UniquePtr<SSL> client, server;
3764   ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
3765                                      server_ctx.get()));
3766 
3767   std::vector<uint8_t> record = {1, 2, 3, 4, 5};
3768   std::vector<uint8_t> prefix(
3769       bssl::SealRecordPrefixLen(client.get(), record.size())),
3770       body(record.size()),
3771       suffix(bssl::SealRecordSuffixLen(client.get(), record.size()));
3772 
3773   auto expect_err = []() {
3774     int err = ERR_get_error();
3775     EXPECT_EQ(ERR_GET_LIB(err), ERR_LIB_SSL);
3776     EXPECT_EQ(ERR_GET_REASON(err), SSL_R_BUFFER_TOO_SMALL);
3777     ERR_clear_error();
3778   };
3779   EXPECT_FALSE(bssl::SealRecord(
3780       client.get(), bssl::MakeSpan(prefix.data(), prefix.size() - 1),
3781       bssl::MakeSpan(record), bssl::MakeSpan(suffix), record));
3782   expect_err();
3783   EXPECT_FALSE(bssl::SealRecord(
3784       client.get(), bssl::MakeSpan(prefix.data(), prefix.size() + 1),
3785       bssl::MakeSpan(record), bssl::MakeSpan(suffix), record));
3786   expect_err();
3787 
3788   EXPECT_FALSE(
3789       bssl::SealRecord(client.get(), bssl::MakeSpan(prefix),
3790                        bssl::MakeSpan(record.data(), record.size() - 1),
3791                        bssl::MakeSpan(suffix), record));
3792   expect_err();
3793   EXPECT_FALSE(
3794       bssl::SealRecord(client.get(), bssl::MakeSpan(prefix),
3795                        bssl::MakeSpan(record.data(), record.size() + 1),
3796                        bssl::MakeSpan(suffix), record));
3797   expect_err();
3798 
3799   EXPECT_FALSE(bssl::SealRecord(
3800       client.get(), bssl::MakeSpan(prefix), bssl::MakeSpan(record),
3801       bssl::MakeSpan(suffix.data(), suffix.size() - 1), record));
3802   expect_err();
3803   EXPECT_FALSE(bssl::SealRecord(
3804       client.get(), bssl::MakeSpan(prefix), bssl::MakeSpan(record),
3805       bssl::MakeSpan(suffix.data(), suffix.size() + 1), record));
3806   expect_err();
3807 }
3808 
3809 // The client should gracefully handle no suitable ciphers being enabled.
TEST(SSLTest,NoCiphersAvailable)3810 TEST(SSLTest, NoCiphersAvailable) {
3811   bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
3812   ASSERT_TRUE(ctx);
3813 
3814   // Configure |client_ctx| with a cipher list that does not intersect with its
3815   // version configuration.
3816   ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(
3817       ctx.get(), "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"));
3818   ASSERT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_1_VERSION));
3819 
3820   bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
3821   ASSERT_TRUE(ssl);
3822   SSL_set_connect_state(ssl.get());
3823 
3824   UniquePtr<BIO> rbio(BIO_new(BIO_s_mem())), wbio(BIO_new(BIO_s_mem()));
3825   ASSERT_TRUE(rbio);
3826   ASSERT_TRUE(wbio);
3827   SSL_set0_rbio(ssl.get(), rbio.release());
3828   SSL_set0_wbio(ssl.get(), wbio.release());
3829 
3830   int ret = SSL_do_handshake(ssl.get());
3831   EXPECT_EQ(-1, ret);
3832   EXPECT_EQ(SSL_ERROR_SSL, SSL_get_error(ssl.get(), ret));
3833   uint32_t err = ERR_get_error();
3834   EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err));
3835   EXPECT_EQ(SSL_R_NO_CIPHERS_AVAILABLE, ERR_GET_REASON(err));
3836 }
3837 
TEST_P(SSLVersionTest,SessionVersion)3838 TEST_P(SSLVersionTest, SessionVersion) {
3839   SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
3840   SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
3841 
3842   bssl::UniquePtr<SSL_SESSION> session =
3843       CreateClientSession(client_ctx_.get(), server_ctx_.get());
3844   ASSERT_TRUE(session);
3845   EXPECT_EQ(version(), SSL_SESSION_get_protocol_version(session.get()));
3846 
3847   // Sessions in TLS 1.3 and later should be single-use.
3848   EXPECT_EQ(version() == TLS1_3_VERSION,
3849             !!SSL_SESSION_should_be_single_use(session.get()));
3850 
3851   // Making fake sessions for testing works.
3852   session.reset(SSL_SESSION_new(client_ctx_.get()));
3853   ASSERT_TRUE(session);
3854   ASSERT_TRUE(SSL_SESSION_set_protocol_version(session.get(), version()));
3855   EXPECT_EQ(version(), SSL_SESSION_get_protocol_version(session.get()));
3856 }
3857 
TEST_P(SSLVersionTest,SSLPending)3858 TEST_P(SSLVersionTest, SSLPending) {
3859   UniquePtr<SSL> ssl(SSL_new(client_ctx_.get()));
3860   ASSERT_TRUE(ssl);
3861   EXPECT_EQ(0, SSL_pending(ssl.get()));
3862 
3863   ASSERT_TRUE(Connect());
3864   EXPECT_EQ(0, SSL_pending(client_.get()));
3865 
3866   ASSERT_EQ(5, SSL_write(server_.get(), "hello", 5));
3867   ASSERT_EQ(5, SSL_write(server_.get(), "world", 5));
3868   EXPECT_EQ(0, SSL_pending(client_.get()));
3869 
3870   char buf[10];
3871   ASSERT_EQ(1, SSL_peek(client_.get(), buf, 1));
3872   EXPECT_EQ(5, SSL_pending(client_.get()));
3873 
3874   ASSERT_EQ(1, SSL_read(client_.get(), buf, 1));
3875   EXPECT_EQ(4, SSL_pending(client_.get()));
3876 
3877   ASSERT_EQ(4, SSL_read(client_.get(), buf, 10));
3878   EXPECT_EQ(0, SSL_pending(client_.get()));
3879 
3880   ASSERT_EQ(2, SSL_read(client_.get(), buf, 2));
3881   EXPECT_EQ(3, SSL_pending(client_.get()));
3882 }
3883 
3884 // Test that post-handshake tickets consumed by |SSL_shutdown| are ignored.
TEST(SSLTest,ShutdownIgnoresTickets)3885 TEST(SSLTest, ShutdownIgnoresTickets) {
3886   bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
3887   ASSERT_TRUE(ctx);
3888   ASSERT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_3_VERSION));
3889   ASSERT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_3_VERSION));
3890 
3891   bssl::UniquePtr<X509> cert = GetTestCertificate();
3892   bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
3893   ASSERT_TRUE(cert);
3894   ASSERT_TRUE(key);
3895   ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), cert.get()));
3896   ASSERT_TRUE(SSL_CTX_use_PrivateKey(ctx.get(), key.get()));
3897 
3898   SSL_CTX_set_session_cache_mode(ctx.get(), SSL_SESS_CACHE_BOTH);
3899 
3900   bssl::UniquePtr<SSL> client, server;
3901   ASSERT_TRUE(ConnectClientAndServer(&client, &server, ctx.get(), ctx.get()));
3902 
3903   SSL_CTX_sess_set_new_cb(ctx.get(), [](SSL *ssl, SSL_SESSION *session) -> int {
3904     ADD_FAILURE() << "New session callback called during SSL_shutdown";
3905     return 0;
3906   });
3907 
3908   // Send close_notify.
3909   EXPECT_EQ(0, SSL_shutdown(server.get()));
3910   EXPECT_EQ(0, SSL_shutdown(client.get()));
3911 
3912   // Receive close_notify.
3913   EXPECT_EQ(1, SSL_shutdown(server.get()));
3914   EXPECT_EQ(1, SSL_shutdown(client.get()));
3915 }
3916 
TEST(SSLTest,SignatureAlgorithmProperties)3917 TEST(SSLTest, SignatureAlgorithmProperties) {
3918   EXPECT_EQ(EVP_PKEY_NONE, SSL_get_signature_algorithm_key_type(0x1234));
3919   EXPECT_EQ(nullptr, SSL_get_signature_algorithm_digest(0x1234));
3920   EXPECT_FALSE(SSL_is_signature_algorithm_rsa_pss(0x1234));
3921 
3922   EXPECT_EQ(EVP_PKEY_RSA,
3923             SSL_get_signature_algorithm_key_type(SSL_SIGN_RSA_PKCS1_MD5_SHA1));
3924   EXPECT_EQ(EVP_md5_sha1(),
3925             SSL_get_signature_algorithm_digest(SSL_SIGN_RSA_PKCS1_MD5_SHA1));
3926   EXPECT_FALSE(SSL_is_signature_algorithm_rsa_pss(SSL_SIGN_RSA_PKCS1_MD5_SHA1));
3927 
3928   EXPECT_EQ(EVP_PKEY_EC, SSL_get_signature_algorithm_key_type(
3929                              SSL_SIGN_ECDSA_SECP256R1_SHA256));
3930   EXPECT_EQ(EVP_sha256(), SSL_get_signature_algorithm_digest(
3931                               SSL_SIGN_ECDSA_SECP256R1_SHA256));
3932   EXPECT_FALSE(
3933       SSL_is_signature_algorithm_rsa_pss(SSL_SIGN_ECDSA_SECP256R1_SHA256));
3934 
3935   EXPECT_EQ(EVP_PKEY_RSA,
3936             SSL_get_signature_algorithm_key_type(SSL_SIGN_RSA_PSS_RSAE_SHA384));
3937   EXPECT_EQ(EVP_sha384(),
3938             SSL_get_signature_algorithm_digest(SSL_SIGN_RSA_PSS_RSAE_SHA384));
3939   EXPECT_TRUE(SSL_is_signature_algorithm_rsa_pss(SSL_SIGN_RSA_PSS_RSAE_SHA384));
3940 }
3941 
XORCompressFunc(SSL * ssl,CBB * out,const uint8_t * in,size_t in_len)3942 static int XORCompressFunc(SSL *ssl, CBB *out, const uint8_t *in,
3943                            size_t in_len) {
3944   for (size_t i = 0; i < in_len; i++) {
3945     if (!CBB_add_u8(out, in[i] ^ 0x55)) {
3946       return 0;
3947     }
3948   }
3949 
3950   SSL_set_app_data(ssl, XORCompressFunc);
3951 
3952   return 1;
3953 }
3954 
XORDecompressFunc(SSL * ssl,CRYPTO_BUFFER ** out,size_t uncompressed_len,const uint8_t * in,size_t in_len)3955 static int XORDecompressFunc(SSL *ssl, CRYPTO_BUFFER **out,
3956                              size_t uncompressed_len, const uint8_t *in,
3957                              size_t in_len) {
3958   if (in_len != uncompressed_len) {
3959     return 0;
3960   }
3961 
3962   uint8_t *data;
3963   *out = CRYPTO_BUFFER_alloc(&data, uncompressed_len);
3964   if (*out == nullptr) {
3965     return 0;
3966   }
3967 
3968   for (size_t i = 0; i < in_len; i++) {
3969     data[i] = in[i] ^ 0x55;
3970   }
3971 
3972   SSL_set_app_data(ssl, XORDecompressFunc);
3973 
3974   return 1;
3975 }
3976 
TEST(SSLTest,CertCompression)3977 TEST(SSLTest, CertCompression) {
3978   bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
3979   bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
3980   ASSERT_TRUE(client_ctx);
3981   ASSERT_TRUE(server_ctx);
3982 
3983   bssl::UniquePtr<X509> cert = GetTestCertificate();
3984   bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
3985   ASSERT_TRUE(cert);
3986   ASSERT_TRUE(key);
3987   ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
3988   ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
3989 
3990   ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION));
3991   ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
3992   ASSERT_TRUE(SSL_CTX_add_cert_compression_alg(
3993       client_ctx.get(), 0x1234, XORCompressFunc, XORDecompressFunc));
3994   ASSERT_TRUE(SSL_CTX_add_cert_compression_alg(
3995       server_ctx.get(), 0x1234, XORCompressFunc, XORDecompressFunc));
3996 
3997   bssl::UniquePtr<SSL> client, server;
3998   ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
3999                                      server_ctx.get()));
4000 
4001   EXPECT_TRUE(SSL_get_app_data(client.get()) == XORDecompressFunc);
4002   EXPECT_TRUE(SSL_get_app_data(server.get()) == XORCompressFunc);
4003 }
4004 
MoveBIOs(SSL * dest,SSL * src)4005 void MoveBIOs(SSL *dest, SSL *src) {
4006   BIO *rbio = SSL_get_rbio(src);
4007   BIO_up_ref(rbio);
4008   SSL_set0_rbio(dest, rbio);
4009 
4010   BIO *wbio = SSL_get_wbio(src);
4011   BIO_up_ref(wbio);
4012   SSL_set0_wbio(dest, wbio);
4013 
4014   SSL_set0_rbio(src, nullptr);
4015   SSL_set0_wbio(src, nullptr);
4016 }
4017 
TEST(SSLTest,Handoff)4018 TEST(SSLTest, Handoff) {
4019   bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
4020   bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
4021   bssl::UniquePtr<SSL_CTX> handshaker_ctx(SSL_CTX_new(TLS_method()));
4022   ASSERT_TRUE(client_ctx);
4023   ASSERT_TRUE(server_ctx);
4024   ASSERT_TRUE(handshaker_ctx);
4025 
4026   SSL_CTX_set_handoff_mode(server_ctx.get(), 1);
4027   ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_2_VERSION));
4028   ASSERT_TRUE(
4029       SSL_CTX_set_max_proto_version(handshaker_ctx.get(), TLS1_2_VERSION));
4030 
4031   bssl::UniquePtr<X509> cert = GetTestCertificate();
4032   bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
4033   ASSERT_TRUE(cert);
4034   ASSERT_TRUE(key);
4035   ASSERT_TRUE(SSL_CTX_use_certificate(handshaker_ctx.get(), cert.get()));
4036   ASSERT_TRUE(SSL_CTX_use_PrivateKey(handshaker_ctx.get(), key.get()));
4037 
4038   bssl::UniquePtr<SSL> client, server;
4039   ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
4040                                      server_ctx.get(), ClientConfig(),
4041                                      false /* don't handshake */));
4042 
4043   int client_ret = SSL_do_handshake(client.get());
4044   int client_err = SSL_get_error(client.get(), client_ret);
4045   ASSERT_EQ(client_err, SSL_ERROR_WANT_READ);
4046 
4047   int server_ret = SSL_do_handshake(server.get());
4048   int server_err = SSL_get_error(server.get(), server_ret);
4049   ASSERT_EQ(server_err, SSL_ERROR_HANDOFF);
4050 
4051   ScopedCBB cbb;
4052   Array<uint8_t> handoff;
4053   ASSERT_TRUE(CBB_init(cbb.get(), 256));
4054   ASSERT_TRUE(SSL_serialize_handoff(server.get(), cbb.get()));
4055   ASSERT_TRUE(CBBFinishArray(cbb.get(), &handoff));
4056 
4057   bssl::UniquePtr<SSL> handshaker(SSL_new(handshaker_ctx.get()));
4058   ASSERT_TRUE(SSL_apply_handoff(handshaker.get(), handoff));
4059 
4060   MoveBIOs(handshaker.get(), server.get());
4061 
4062   int handshake_ret = SSL_do_handshake(handshaker.get());
4063   int handshake_err = SSL_get_error(handshaker.get(), handshake_ret);
4064   ASSERT_EQ(handshake_err, SSL_ERROR_HANDBACK);
4065 
4066   // Double-check that additional calls to |SSL_do_handshake| continue
4067   // to get |SSL_ERRROR_HANDBACK|.
4068   handshake_ret = SSL_do_handshake(handshaker.get());
4069   handshake_err = SSL_get_error(handshaker.get(), handshake_ret);
4070   ASSERT_EQ(handshake_err, SSL_ERROR_HANDBACK);
4071 
4072   ScopedCBB cbb_handback;
4073   Array<uint8_t> handback;
4074   ASSERT_TRUE(CBB_init(cbb_handback.get(), 1024));
4075   ASSERT_TRUE(SSL_serialize_handback(handshaker.get(), cbb_handback.get()));
4076   ASSERT_TRUE(CBBFinishArray(cbb_handback.get(), &handback));
4077 
4078   bssl::UniquePtr<SSL> server2(SSL_new(server_ctx.get()));
4079   ASSERT_TRUE(SSL_apply_handback(server2.get(), handback));
4080 
4081   MoveBIOs(server2.get(), handshaker.get());
4082   ASSERT_TRUE(CompleteHandshakes(client.get(), server2.get()));
4083 
4084   uint8_t byte = 42;
4085   EXPECT_EQ(SSL_write(client.get(), &byte, 1), 1);
4086   EXPECT_EQ(SSL_read(server2.get(), &byte, 1), 1);
4087   EXPECT_EQ(42, byte);
4088 
4089   byte = 43;
4090   EXPECT_EQ(SSL_write(server2.get(), &byte, 1), 1);
4091   EXPECT_EQ(SSL_read(client.get(), &byte, 1), 1);
4092   EXPECT_EQ(43, byte);
4093 }
4094 
TEST(SSLTest,HandoffDeclined)4095 TEST(SSLTest, HandoffDeclined) {
4096   bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
4097   bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
4098   ASSERT_TRUE(client_ctx);
4099   ASSERT_TRUE(server_ctx);
4100 
4101   SSL_CTX_set_handoff_mode(server_ctx.get(), 1);
4102   ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_2_VERSION));
4103 
4104   bssl::UniquePtr<X509> cert = GetTestCertificate();
4105   bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
4106   ASSERT_TRUE(cert);
4107   ASSERT_TRUE(key);
4108   ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
4109   ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
4110 
4111   bssl::UniquePtr<SSL> client, server;
4112   ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
4113                                      server_ctx.get(), ClientConfig(),
4114                                      false /* don't handshake */));
4115 
4116   int client_ret = SSL_do_handshake(client.get());
4117   int client_err = SSL_get_error(client.get(), client_ret);
4118   ASSERT_EQ(client_err, SSL_ERROR_WANT_READ);
4119 
4120   int server_ret = SSL_do_handshake(server.get());
4121   int server_err = SSL_get_error(server.get(), server_ret);
4122   ASSERT_EQ(server_err, SSL_ERROR_HANDOFF);
4123 
4124   ScopedCBB cbb;
4125   ASSERT_TRUE(CBB_init(cbb.get(), 256));
4126   ASSERT_TRUE(SSL_serialize_handoff(server.get(), cbb.get()));
4127 
4128   ASSERT_TRUE(SSL_decline_handoff(server.get()));
4129 
4130   ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
4131 
4132   uint8_t byte = 42;
4133   EXPECT_EQ(SSL_write(client.get(), &byte, 1), 1);
4134   EXPECT_EQ(SSL_read(server.get(), &byte, 1), 1);
4135   EXPECT_EQ(42, byte);
4136 
4137   byte = 43;
4138   EXPECT_EQ(SSL_write(server.get(), &byte, 1), 1);
4139   EXPECT_EQ(SSL_read(client.get(), &byte, 1), 1);
4140   EXPECT_EQ(43, byte);
4141 }
4142 
SigAlgsToString(Span<const uint16_t> sigalgs)4143 static std::string SigAlgsToString(Span<const uint16_t> sigalgs) {
4144   std::string ret = "{";
4145 
4146   for (uint16_t v : sigalgs) {
4147     if (ret.size() > 1) {
4148       ret += ", ";
4149     }
4150 
4151     char buf[8];
4152     snprintf(buf, sizeof(buf) - 1, "0x%02x", v);
4153     buf[sizeof(buf)-1] = 0;
4154     ret += std::string(buf);
4155   }
4156 
4157   ret += "}";
4158   return ret;
4159 }
4160 
ExpectSigAlgsEqual(Span<const uint16_t> expected,Span<const uint16_t> actual)4161 void ExpectSigAlgsEqual(Span<const uint16_t> expected,
4162                         Span<const uint16_t> actual) {
4163   bool matches = false;
4164   if (expected.size() == actual.size()) {
4165     matches = true;
4166 
4167     for (size_t i = 0; i < expected.size(); i++) {
4168       if (expected[i] != actual[i]) {
4169         matches = false;
4170         break;
4171       }
4172     }
4173   }
4174 
4175   if (!matches) {
4176     ADD_FAILURE() << "expected: " << SigAlgsToString(expected)
4177                   << " got: " << SigAlgsToString(actual);
4178   }
4179 }
4180 
TEST(SSLTest,SigAlgs)4181 TEST(SSLTest, SigAlgs) {
4182   static const struct {
4183     std::vector<int> input;
4184     bool ok;
4185     std::vector<uint16_t> expected;
4186   } kTests[] = {
4187       {{}, true, {}},
4188       {{1}, false, {}},
4189       {{1, 2, 3}, false, {}},
4190       {{NID_sha256, EVP_PKEY_ED25519}, false, {}},
4191       {{NID_sha256, EVP_PKEY_RSA, NID_sha256, EVP_PKEY_RSA}, false, {}},
4192 
4193       {{NID_sha256, EVP_PKEY_RSA}, true, {SSL_SIGN_RSA_PKCS1_SHA256}},
4194       {{NID_sha512, EVP_PKEY_RSA}, true, {SSL_SIGN_RSA_PKCS1_SHA512}},
4195       {{NID_sha256, EVP_PKEY_RSA_PSS}, true, {SSL_SIGN_RSA_PSS_RSAE_SHA256}},
4196       {{NID_undef, EVP_PKEY_ED25519}, true, {SSL_SIGN_ED25519}},
4197       {{NID_undef, EVP_PKEY_ED25519, NID_sha384, EVP_PKEY_EC},
4198        true,
4199        {SSL_SIGN_ED25519, SSL_SIGN_ECDSA_SECP384R1_SHA384}},
4200   };
4201 
4202   UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
4203 
4204   unsigned n = 1;
4205   for (const auto &test : kTests) {
4206     SCOPED_TRACE(n++);
4207 
4208     const bool ok =
4209         SSL_CTX_set1_sigalgs(ctx.get(), test.input.data(), test.input.size());
4210     EXPECT_EQ(ok, test.ok);
4211 
4212     if (!ok) {
4213       ERR_clear_error();
4214     }
4215 
4216     if (!test.ok) {
4217       continue;
4218     }
4219 
4220     ExpectSigAlgsEqual(test.expected, ctx->cert->sigalgs);
4221   }
4222 }
4223 
TEST(SSLTest,SigAlgsList)4224 TEST(SSLTest, SigAlgsList) {
4225   static const struct {
4226     const char *input;
4227     bool ok;
4228     std::vector<uint16_t> expected;
4229   } kTests[] = {
4230       {"", false, {}},
4231       {":", false, {}},
4232       {"+", false, {}},
4233       {"RSA", false, {}},
4234       {"RSA+", false, {}},
4235       {"RSA+SHA256:", false, {}},
4236       {":RSA+SHA256:", false, {}},
4237       {":RSA+SHA256+:", false, {}},
4238       {"!", false, {}},
4239       {"\x01", false, {}},
4240       {"RSA+SHA256:RSA+SHA384:RSA+SHA256", false, {}},
4241       {"RSA-PSS+SHA256:rsa_pss_rsae_sha256", false, {}},
4242 
4243       {"RSA+SHA256", true, {SSL_SIGN_RSA_PKCS1_SHA256}},
4244       {"RSA+SHA256:ed25519",
4245        true,
4246        {SSL_SIGN_RSA_PKCS1_SHA256, SSL_SIGN_ED25519}},
4247       {"ECDSA+SHA256:RSA+SHA512",
4248        true,
4249        {SSL_SIGN_ECDSA_SECP256R1_SHA256, SSL_SIGN_RSA_PKCS1_SHA512}},
4250       {"ecdsa_secp256r1_sha256:rsa_pss_rsae_sha256",
4251        true,
4252        {SSL_SIGN_ECDSA_SECP256R1_SHA256, SSL_SIGN_RSA_PSS_RSAE_SHA256}},
4253       {"RSA-PSS+SHA256", true, {SSL_SIGN_RSA_PSS_RSAE_SHA256}},
4254       {"PSS+SHA256", true, {SSL_SIGN_RSA_PSS_RSAE_SHA256}},
4255   };
4256 
4257   UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
4258 
4259   unsigned n = 1;
4260   for (const auto &test : kTests) {
4261     SCOPED_TRACE(n++);
4262 
4263     const bool ok = SSL_CTX_set1_sigalgs_list(ctx.get(), test.input);
4264     EXPECT_EQ(ok, test.ok);
4265 
4266     if (!ok) {
4267       if (test.ok) {
4268         ERR_print_errors_fp(stderr);
4269       }
4270       ERR_clear_error();
4271     }
4272 
4273     if (!test.ok) {
4274       continue;
4275     }
4276 
4277     ExpectSigAlgsEqual(test.expected, ctx->cert->sigalgs);
4278   }
4279 }
4280 
TEST(SSLTest,ApplyHandoffRemovesUnsupportedCiphers)4281 TEST(SSLTest, ApplyHandoffRemovesUnsupportedCiphers) {
4282   bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
4283   bssl::UniquePtr<SSL> server(SSL_new(server_ctx.get()));
4284 
4285   // handoff is a handoff message that has been artificially modified to pretend
4286   // that only cipher 0x0A is supported.  When it is applied to |server|, all
4287   // ciphers but that one should be removed.
4288   //
4289   // To make a new one of these, try sticking this in the |Handoff| test above:
4290   //
4291   // hexdump(stderr, "", handoff.data(), handoff.size());
4292   // sed -e 's/\(..\)/0x\1, /g'
4293   //
4294   // and modify serialize_features() to emit only cipher 0x0A.
4295 
4296   uint8_t handoff[] = {
4297       0x30, 0x81, 0x9a, 0x02, 0x01, 0x00, 0x04, 0x00, 0x04, 0x81, 0x82, 0x01,
4298       0x00, 0x00, 0x7e, 0x03, 0x03, 0x30, 0x8e, 0x8f, 0x79, 0xd2, 0x87, 0x39,
4299       0xc2, 0x23, 0x23, 0x13, 0xca, 0x3c, 0x80, 0x44, 0xfd, 0x80, 0x83, 0x62,
4300       0x3c, 0xcc, 0xf8, 0x76, 0xd3, 0x62, 0xbb, 0x54, 0xe3, 0xc4, 0x39, 0x24,
4301       0xa5, 0x00, 0x00, 0x1e, 0xc0, 0x2b, 0xc0, 0x2f, 0xc0, 0x2c, 0xc0, 0x30,
4302       0xcc, 0xa9, 0xcc, 0xa8, 0xc0, 0x09, 0xc0, 0x13, 0xc0, 0x0a, 0xc0, 0x14,
4303       0x00, 0x9c, 0x00, 0x9d, 0x00, 0x2f, 0x00, 0x35, 0x00, 0x0a, 0x01, 0x00,
4304       0x00, 0x37, 0x00, 0x17, 0x00, 0x00, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00,
4305       0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00,
4306       0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00,
4307       0x14, 0x00, 0x12, 0x04, 0x03, 0x08, 0x04, 0x04, 0x01, 0x05, 0x03, 0x08,
4308       0x05, 0x05, 0x01, 0x08, 0x06, 0x06, 0x01, 0x02, 0x01, 0x04, 0x02, 0x00,
4309       0x0a, 0x04, 0x0a, 0x00, 0x15, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x00,
4310       0x1d,
4311   };
4312 
4313   EXPECT_EQ(20u, sk_SSL_CIPHER_num(SSL_get_ciphers(server.get())));
4314   ASSERT_TRUE(
4315       SSL_apply_handoff(server.get(), {handoff, OPENSSL_ARRAY_SIZE(handoff)}));
4316   EXPECT_EQ(1u, sk_SSL_CIPHER_num(SSL_get_ciphers(server.get())));
4317 }
4318 
TEST(SSLTest,ApplyHandoffRemovesUnsupportedCurves)4319 TEST(SSLTest, ApplyHandoffRemovesUnsupportedCurves) {
4320   bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
4321   bssl::UniquePtr<SSL> server(SSL_new(server_ctx.get()));
4322 
4323   // handoff is a handoff message that has been artificially modified to pretend
4324   // that only one curve is supported.  When it is applied to |server|, all
4325   // curves but that one should be removed.
4326   //
4327   // See |ApplyHandoffRemovesUnsupportedCiphers| for how to make a new one of
4328   // these.
4329   uint8_t handoff[] = {
4330       0x30, 0x81, 0xc0, 0x02, 0x01, 0x00, 0x04, 0x00, 0x04, 0x81, 0x82, 0x01,
4331       0x00, 0x00, 0x7e, 0x03, 0x03, 0x98, 0x30, 0xce, 0xd9, 0xb0, 0xdf, 0x5f,
4332       0x82, 0x05, 0x4a, 0x43, 0x67, 0x7e, 0xdb, 0x6a, 0x4f, 0x21, 0x18, 0x4e,
4333       0x0d, 0x94, 0x63, 0x18, 0x8b, 0x54, 0x89, 0xdb, 0x8b, 0x1d, 0x84, 0xbc,
4334       0x09, 0x00, 0x00, 0x1e, 0xc0, 0x2b, 0xc0, 0x2f, 0xc0, 0x2c, 0xc0, 0x30,
4335       0xcc, 0xa9, 0xcc, 0xa8, 0xc0, 0x09, 0xc0, 0x13, 0xc0, 0x0a, 0xc0, 0x14,
4336       0x00, 0x9c, 0x00, 0x9d, 0x00, 0x2f, 0x00, 0x35, 0x00, 0x0a, 0x01, 0x00,
4337       0x00, 0x37, 0x00, 0x17, 0x00, 0x00, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00,
4338       0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00,
4339       0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00,
4340       0x14, 0x00, 0x12, 0x04, 0x03, 0x08, 0x04, 0x04, 0x01, 0x05, 0x03, 0x08,
4341       0x05, 0x05, 0x01, 0x08, 0x06, 0x06, 0x01, 0x02, 0x01, 0x04, 0x30, 0x00,
4342       0x02, 0x00, 0x0a, 0x00, 0x2f, 0x00, 0x35, 0x00, 0x8c, 0x00, 0x8d, 0x00,
4343       0x9c, 0x00, 0x9d, 0x13, 0x01, 0x13, 0x02, 0x13, 0x03, 0xc0, 0x09, 0xc0,
4344       0x0a, 0xc0, 0x13, 0xc0, 0x14, 0xc0, 0x2b, 0xc0, 0x2c, 0xc0, 0x2f, 0xc0,
4345       0x30, 0xc0, 0x35, 0xc0, 0x36, 0xcc, 0xa8, 0xcc, 0xa9, 0xcc, 0xac, 0x04,
4346       0x02, 0x00, 0x17,
4347   };
4348 
4349   // The zero length means that the default list of groups is used.
4350   EXPECT_EQ(0u, server->config->supported_group_list.size());
4351   ASSERT_TRUE(
4352       SSL_apply_handoff(server.get(), {handoff, OPENSSL_ARRAY_SIZE(handoff)}));
4353   EXPECT_EQ(1u, server->config->supported_group_list.size());
4354 }
4355 
TEST(SSLTest,ZeroSizedWiteFlushesHandshakeMessages)4356 TEST(SSLTest, ZeroSizedWiteFlushesHandshakeMessages) {
4357   // If there are pending handshake mesages, an |SSL_write| of zero bytes should
4358   // flush them.
4359   bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
4360   EXPECT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
4361   EXPECT_TRUE(SSL_CTX_set_min_proto_version(server_ctx.get(), TLS1_3_VERSION));
4362   bssl::UniquePtr<X509> cert = GetTestCertificate();
4363   bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
4364   ASSERT_TRUE(cert);
4365   ASSERT_TRUE(key);
4366   ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
4367   ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
4368 
4369   bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
4370   EXPECT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION));
4371   EXPECT_TRUE(SSL_CTX_set_min_proto_version(client_ctx.get(), TLS1_3_VERSION));
4372 
4373   bssl::UniquePtr<SSL> client, server;
4374   ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
4375                                      server_ctx.get()));
4376 
4377   BIO *client_wbio = SSL_get_wbio(client.get());
4378   EXPECT_EQ(0u, BIO_wpending(client_wbio));
4379   EXPECT_TRUE(SSL_key_update(client.get(), SSL_KEY_UPDATE_NOT_REQUESTED));
4380   EXPECT_EQ(0u, BIO_wpending(client_wbio));
4381   EXPECT_EQ(0, SSL_write(client.get(), nullptr, 0));
4382   EXPECT_NE(0u, BIO_wpending(client_wbio));
4383 }
4384 
TEST_P(SSLVersionTest,VerifyBeforeCertRequest)4385 TEST_P(SSLVersionTest, VerifyBeforeCertRequest) {
4386   // Configure the server to request client certificates.
4387   SSL_CTX_set_custom_verify(
4388       server_ctx_.get(), SSL_VERIFY_PEER,
4389       [](SSL *ssl, uint8_t *out_alert) { return ssl_verify_ok; });
4390 
4391   // Configure the client to reject the server certificate.
4392   SSL_CTX_set_custom_verify(
4393       client_ctx_.get(), SSL_VERIFY_PEER,
4394       [](SSL *ssl, uint8_t *out_alert) { return ssl_verify_invalid; });
4395 
4396   // cert_cb should not be called. Verification should fail first.
4397   SSL_CTX_set_cert_cb(client_ctx_.get(),
4398                       [](SSL *ssl, void *arg) {
4399                         ADD_FAILURE() << "cert_cb unexpectedly called";
4400                         return 0;
4401                       },
4402                       nullptr);
4403 
4404   bssl::UniquePtr<SSL> client, server;
4405   EXPECT_FALSE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
4406                                       server_ctx_.get()));
4407 }
4408 
4409 // Test that ticket-based sessions on the client get fake session IDs.
TEST_P(SSLVersionTest,FakeIDsForTickets)4410 TEST_P(SSLVersionTest, FakeIDsForTickets) {
4411   SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
4412   SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
4413 
4414   bssl::UniquePtr<SSL_SESSION> session =
4415       CreateClientSession(client_ctx_.get(), server_ctx_.get());
4416   ASSERT_TRUE(session);
4417 
4418   EXPECT_TRUE(SSL_SESSION_has_ticket(session.get()));
4419   unsigned session_id_length;
4420   SSL_SESSION_get_id(session.get(), &session_id_length);
4421   EXPECT_NE(session_id_length, 0u);
4422 }
4423 
4424 // These tests test multi-threaded behavior. They are intended to run with
4425 // ThreadSanitizer.
4426 #if defined(OPENSSL_THREADS)
TEST_P(SSLVersionTest,SessionCacheThreads)4427 TEST_P(SSLVersionTest, SessionCacheThreads) {
4428   SSL_CTX_set_options(server_ctx_.get(), SSL_OP_NO_TICKET);
4429   SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
4430   SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
4431 
4432   if (version() == TLS1_3_VERSION) {
4433     // Our TLS 1.3 implementation does not support stateful resumption.
4434     ASSERT_FALSE(CreateClientSession(client_ctx_.get(), server_ctx_.get()));
4435     return;
4436   }
4437 
4438   // Establish two client sessions to test with.
4439   bssl::UniquePtr<SSL_SESSION> session1 =
4440       CreateClientSession(client_ctx_.get(), server_ctx_.get());
4441   ASSERT_TRUE(session1);
4442   bssl::UniquePtr<SSL_SESSION> session2 =
4443       CreateClientSession(client_ctx_.get(), server_ctx_.get());
4444   ASSERT_TRUE(session2);
4445 
4446   auto connect_with_session = [&](SSL_SESSION *session) {
4447     ClientConfig config;
4448     config.session = session;
4449     UniquePtr<SSL> client, server;
4450     EXPECT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
4451                                        server_ctx_.get(), config));
4452   };
4453 
4454   // Resume sessions in parallel with establishing new ones.
4455   {
4456     std::vector<std::thread> threads;
4457     threads.emplace_back([&] { connect_with_session(nullptr); });
4458     threads.emplace_back([&] { connect_with_session(nullptr); });
4459     threads.emplace_back([&] { connect_with_session(session1.get()); });
4460     threads.emplace_back([&] { connect_with_session(session1.get()); });
4461     threads.emplace_back([&] { connect_with_session(session2.get()); });
4462     threads.emplace_back([&] { connect_with_session(session2.get()); });
4463     for (auto &thread : threads) {
4464       thread.join();
4465     }
4466   }
4467 
4468   // Hit the maximum session cache size across multiple threads
4469   size_t limit = SSL_CTX_sess_number(server_ctx_.get()) + 2;
4470   SSL_CTX_sess_set_cache_size(server_ctx_.get(), limit);
4471   {
4472     std::vector<std::thread> threads;
4473     for (int i = 0; i < 4; i++) {
4474       threads.emplace_back([&]() {
4475         connect_with_session(nullptr);
4476         EXPECT_LE(SSL_CTX_sess_number(server_ctx_.get()), limit);
4477       });
4478     }
4479     for (auto &thread : threads) {
4480       thread.join();
4481     }
4482     EXPECT_EQ(SSL_CTX_sess_number(server_ctx_.get()), limit);
4483   }
4484 }
4485 
TEST_P(SSLVersionTest,SessionTicketThreads)4486 TEST_P(SSLVersionTest, SessionTicketThreads) {
4487   for (bool renew_ticket : {false, true}) {
4488     SCOPED_TRACE(renew_ticket);
4489     ResetContexts();
4490     SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
4491     SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
4492     if (renew_ticket) {
4493       SSL_CTX_set_tlsext_ticket_key_cb(server_ctx_.get(), RenewTicketCallback);
4494     }
4495 
4496     // Establish two client sessions to test with.
4497     bssl::UniquePtr<SSL_SESSION> session1 =
4498         CreateClientSession(client_ctx_.get(), server_ctx_.get());
4499     ASSERT_TRUE(session1);
4500     bssl::UniquePtr<SSL_SESSION> session2 =
4501         CreateClientSession(client_ctx_.get(), server_ctx_.get());
4502     ASSERT_TRUE(session2);
4503 
4504     auto connect_with_session = [&](SSL_SESSION *session) {
4505       ClientConfig config;
4506       config.session = session;
4507       UniquePtr<SSL> client, server;
4508       EXPECT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
4509                                          server_ctx_.get(), config));
4510     };
4511 
4512     // Resume sessions in parallel with establishing new ones.
4513     {
4514       std::vector<std::thread> threads;
4515       threads.emplace_back([&] { connect_with_session(nullptr); });
4516       threads.emplace_back([&] { connect_with_session(nullptr); });
4517       threads.emplace_back([&] { connect_with_session(session1.get()); });
4518       threads.emplace_back([&] { connect_with_session(session1.get()); });
4519       threads.emplace_back([&] { connect_with_session(session2.get()); });
4520       threads.emplace_back([&] { connect_with_session(session2.get()); });
4521       for (auto &thread : threads) {
4522         thread.join();
4523       }
4524     }
4525   }
4526 }
4527 
4528 // SSL_CTX_get0_certificate needs to lock internally. Test this works.
TEST(SSLTest,GetCertificateThreads)4529 TEST(SSLTest, GetCertificateThreads) {
4530   bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
4531   ASSERT_TRUE(ctx);
4532   bssl::UniquePtr<X509> cert = GetTestCertificate();
4533   ASSERT_TRUE(cert);
4534   ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), cert.get()));
4535 
4536   // Existing code expects |SSL_CTX_get0_certificate| to be callable from two
4537   // threads concurrently. It originally was an immutable operation. Now we
4538   // implement it with a thread-safe cache, so it is worth testing.
4539   X509 *cert2_thread;
4540   std::thread thread(
4541       [&] { cert2_thread = SSL_CTX_get0_certificate(ctx.get()); });
4542   X509 *cert2 = SSL_CTX_get0_certificate(ctx.get());
4543   thread.join();
4544 
4545   EXPECT_EQ(cert2, cert2_thread);
4546   EXPECT_EQ(0, X509_cmp(cert.get(), cert2));
4547 }
4548 
4549 // Functions which access properties on the negotiated session are thread-safe
4550 // where needed. Prior to TLS 1.3, clients resuming sessions and servers
4551 // performing stateful resumption will share an underlying SSL_SESSION object,
4552 // potentially across threads.
TEST_P(SSLVersionTest,SessionPropertiesThreads)4553 TEST_P(SSLVersionTest, SessionPropertiesThreads) {
4554   if (version() == TLS1_3_VERSION) {
4555     // Our TLS 1.3 implementation does not support stateful resumption.
4556     ASSERT_FALSE(CreateClientSession(client_ctx_.get(), server_ctx_.get()));
4557     return;
4558   }
4559 
4560   SSL_CTX_set_options(server_ctx_.get(), SSL_OP_NO_TICKET);
4561   SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
4562   SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
4563 
4564   ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
4565   ASSERT_TRUE(UseCertAndKey(server_ctx_.get()));
4566 
4567   // Configure mutual authentication, so we have more session state.
4568   SSL_CTX_set_custom_verify(
4569       client_ctx_.get(), SSL_VERIFY_PEER,
4570       [](SSL *ssl, uint8_t *out_alert) { return ssl_verify_ok; });
4571   SSL_CTX_set_custom_verify(
4572       server_ctx_.get(), SSL_VERIFY_PEER,
4573       [](SSL *ssl, uint8_t *out_alert) { return ssl_verify_ok; });
4574 
4575   // Establish a client session to test with.
4576   bssl::UniquePtr<SSL_SESSION> session =
4577       CreateClientSession(client_ctx_.get(), server_ctx_.get());
4578   ASSERT_TRUE(session);
4579 
4580   // Resume with it twice.
4581   UniquePtr<SSL> ssls[4];
4582   ClientConfig config;
4583   config.session = session.get();
4584   ASSERT_TRUE(ConnectClientAndServer(&ssls[0], &ssls[1], client_ctx_.get(),
4585                                      server_ctx_.get(), config));
4586   ASSERT_TRUE(ConnectClientAndServer(&ssls[2], &ssls[3], client_ctx_.get(),
4587                                      server_ctx_.get(), config));
4588 
4589   // Read properties in parallel.
4590   auto read_properties = [](const SSL *ssl) {
4591     EXPECT_TRUE(SSL_get_peer_cert_chain(ssl));
4592     bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(ssl));
4593     EXPECT_TRUE(peer);
4594     EXPECT_TRUE(SSL_get_current_cipher(ssl));
4595     EXPECT_TRUE(SSL_get_curve_id(ssl));
4596   };
4597 
4598   std::vector<std::thread> threads;
4599   for (const auto &ssl_ptr : ssls) {
4600     const SSL *ssl = ssl_ptr.get();
4601     threads.emplace_back([=] { read_properties(ssl); });
4602   }
4603   for (auto &thread : threads) {
4604     thread.join();
4605   }
4606 }
4607 #endif
4608 
4609 constexpr size_t kNumQUICLevels = 4;
4610 static_assert(ssl_encryption_initial < kNumQUICLevels,
4611               "kNumQUICLevels is wrong");
4612 static_assert(ssl_encryption_early_data < kNumQUICLevels,
4613               "kNumQUICLevels is wrong");
4614 static_assert(ssl_encryption_handshake < kNumQUICLevels,
4615               "kNumQUICLevels is wrong");
4616 static_assert(ssl_encryption_application < kNumQUICLevels,
4617               "kNumQUICLevels is wrong");
4618 
4619 class MockQUICTransport {
4620  public:
MockQUICTransport()4621   MockQUICTransport() {
4622     // The caller is expected to configure initial secrets.
4623     levels_[ssl_encryption_initial].write_secret = {1};
4624     levels_[ssl_encryption_initial].read_secret = {1};
4625   }
4626 
set_peer(MockQUICTransport * peer)4627   void set_peer(MockQUICTransport *peer) { peer_ = peer; }
4628 
has_alert() const4629   bool has_alert() const { return has_alert_; }
alert_level() const4630   ssl_encryption_level_t alert_level() const { return alert_level_; }
alert() const4631   uint8_t alert() const { return alert_; }
4632 
PeerSecretsMatch(ssl_encryption_level_t level) const4633   bool PeerSecretsMatch(ssl_encryption_level_t level) const {
4634     return levels_[level].write_secret == peer_->levels_[level].read_secret &&
4635            levels_[level].read_secret == peer_->levels_[level].write_secret &&
4636            levels_[level].cipher == peer_->levels_[level].cipher;
4637   }
4638 
HasSecrets(ssl_encryption_level_t level) const4639   bool HasSecrets(ssl_encryption_level_t level) const {
4640     return !levels_[level].write_secret.empty() ||
4641            !levels_[level].read_secret.empty();
4642   }
4643 
SetEncryptionSecrets(ssl_encryption_level_t level,const uint8_t * read_secret,const uint8_t * write_secret,size_t secret_len,const SSL_CIPHER * cipher)4644   bool SetEncryptionSecrets(ssl_encryption_level_t level,
4645                             const uint8_t *read_secret,
4646                             const uint8_t *write_secret, size_t secret_len,
4647                             const SSL_CIPHER *cipher) {
4648     if (HasSecrets(level)) {
4649       ADD_FAILURE() << "duplicate keys configured";
4650       return false;
4651     }
4652 
4653     if (cipher == nullptr) {
4654       ADD_FAILURE() << "current cipher unavailable";
4655       return false;
4656     }
4657 
4658     if (level != ssl_encryption_early_data &&
4659         (read_secret == nullptr || write_secret == nullptr)) {
4660       ADD_FAILURE() << "key was unexpectedly null";
4661       return false;
4662     }
4663     if (read_secret != nullptr) {
4664       levels_[level].read_secret.assign(read_secret, read_secret + secret_len);
4665     }
4666     if (write_secret != nullptr) {
4667       levels_[level].write_secret.assign(write_secret,
4668                                          write_secret + secret_len);
4669     }
4670     levels_[level].cipher = SSL_CIPHER_get_id(cipher);
4671     return true;
4672   }
4673 
WriteHandshakeData(ssl_encryption_level_t level,Span<const uint8_t> data)4674   bool WriteHandshakeData(ssl_encryption_level_t level,
4675                           Span<const uint8_t> data) {
4676     if (levels_[level].write_secret.empty()) {
4677       ADD_FAILURE() << "data written before keys configured";
4678       return false;
4679     }
4680     levels_[level].write_data.insert(levels_[level].write_data.end(),
4681                                      data.begin(), data.end());
4682     return true;
4683   }
4684 
SendAlert(ssl_encryption_level_t level,uint8_t alert_value)4685   bool SendAlert(ssl_encryption_level_t level, uint8_t alert_value) {
4686     if (has_alert_) {
4687       ADD_FAILURE() << "duplicate alert sent";
4688       return false;
4689     }
4690 
4691     if (levels_[level].write_secret.empty()) {
4692       ADD_FAILURE() << "alert sent before keys configured";
4693       return false;
4694     }
4695 
4696     has_alert_ = true;
4697     alert_level_ = level;
4698     alert_ = alert_value;
4699     return true;
4700   }
4701 
ReadHandshakeData(std::vector<uint8_t> * out,ssl_encryption_level_t level,size_t num=std::numeric_limits<size_t>::max ())4702   bool ReadHandshakeData(std::vector<uint8_t> *out,
4703                          ssl_encryption_level_t level,
4704                          size_t num = std::numeric_limits<size_t>::max()) {
4705     if (levels_[level].read_secret.empty()) {
4706       ADD_FAILURE() << "data read before keys configured";
4707       return false;
4708     }
4709     // The peer may not have configured any keys yet.
4710     if (peer_->levels_[level].write_secret.empty()) {
4711       return true;
4712     }
4713     // Check the peer computed the same key.
4714     if (peer_->levels_[level].write_secret != levels_[level].read_secret) {
4715       ADD_FAILURE() << "peer write key does not match read key";
4716       return false;
4717     }
4718     if (peer_->levels_[level].cipher != levels_[level].cipher) {
4719       ADD_FAILURE() << "peer cipher does not match";
4720       return false;
4721     }
4722     std::vector<uint8_t> *peer_data = &peer_->levels_[level].write_data;
4723     num = std::min(num, peer_data->size());
4724     out->assign(peer_data->begin(), peer_data->begin() + num);
4725     peer_data->erase(peer_data->begin(), peer_data->begin() + num);
4726     return true;
4727   }
4728 
4729  private:
4730   MockQUICTransport *peer_ = nullptr;
4731 
4732   bool has_alert_ = false;
4733   ssl_encryption_level_t alert_level_ = ssl_encryption_initial;
4734   uint8_t alert_ = 0;
4735 
4736   struct Level {
4737     std::vector<uint8_t> write_data;
4738     std::vector<uint8_t> write_secret;
4739     std::vector<uint8_t> read_secret;
4740     uint32_t cipher = 0;
4741   };
4742   Level levels_[kNumQUICLevels];
4743 };
4744 
4745 class MockQUICTransportPair {
4746  public:
MockQUICTransportPair()4747   MockQUICTransportPair() {
4748     server_.set_peer(&client_);
4749     client_.set_peer(&server_);
4750   }
4751 
~MockQUICTransportPair()4752   ~MockQUICTransportPair() {
4753     server_.set_peer(nullptr);
4754     client_.set_peer(nullptr);
4755   }
4756 
client()4757   MockQUICTransport *client() { return &client_; }
server()4758   MockQUICTransport *server() { return &server_; }
4759 
SecretsMatch(ssl_encryption_level_t level) const4760   bool SecretsMatch(ssl_encryption_level_t level) const {
4761     return client_.PeerSecretsMatch(level);
4762   }
4763 
4764  private:
4765   MockQUICTransport client_;
4766   MockQUICTransport server_;
4767 };
4768 
4769 class QUICMethodTest : public testing::Test {
4770  protected:
SetUp()4771   void SetUp() override {
4772     client_ctx_.reset(SSL_CTX_new(TLS_method()));
4773     server_ctx_.reset(SSL_CTX_new(TLS_method()));
4774     ASSERT_TRUE(client_ctx_);
4775     ASSERT_TRUE(server_ctx_);
4776 
4777     bssl::UniquePtr<X509> cert = GetTestCertificate();
4778     bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
4779     ASSERT_TRUE(cert);
4780     ASSERT_TRUE(key);
4781     ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx_.get(), cert.get()));
4782     ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx_.get(), key.get()));
4783 
4784     SSL_CTX_set_min_proto_version(server_ctx_.get(), TLS1_3_VERSION);
4785     SSL_CTX_set_max_proto_version(server_ctx_.get(), TLS1_3_VERSION);
4786     SSL_CTX_set_min_proto_version(client_ctx_.get(), TLS1_3_VERSION);
4787     SSL_CTX_set_max_proto_version(client_ctx_.get(), TLS1_3_VERSION);
4788   }
4789 
TransportFromSSL(const SSL * ssl)4790   static MockQUICTransport *TransportFromSSL(const SSL *ssl) {
4791     return ex_data_.Get(ssl);
4792   }
4793 
ProvideHandshakeData(SSL * ssl,size_t num=std::numeric_limits<size_t>::max ())4794   static bool ProvideHandshakeData(
4795       SSL *ssl, size_t num = std::numeric_limits<size_t>::max()) {
4796     MockQUICTransport *transport = TransportFromSSL(ssl);
4797     ssl_encryption_level_t level = SSL_quic_read_level(ssl);
4798     std::vector<uint8_t> data;
4799     return transport->ReadHandshakeData(&data, level, num) &&
4800            SSL_provide_quic_data(ssl, level, data.data(), data.size());
4801   }
4802 
CreateClientAndServer()4803   bool CreateClientAndServer() {
4804     client_.reset(SSL_new(client_ctx_.get()));
4805     server_.reset(SSL_new(server_ctx_.get()));
4806     if (!client_ || !server_) {
4807       return false;
4808     }
4809 
4810     SSL_set_connect_state(client_.get());
4811     SSL_set_accept_state(server_.get());
4812 
4813     ex_data_.Set(client_.get(), transport_.client());
4814     ex_data_.Set(server_.get(), transport_.server());
4815     return true;
4816   }
4817 
CreateSecondClientAndServer()4818   bool CreateSecondClientAndServer() {
4819     client_.reset(SSL_new(client_ctx_.get()));
4820     server_.reset(SSL_new(server_ctx_.get()));
4821     if (!client_ || !server_) {
4822       return false;
4823     }
4824 
4825     SSL_set_connect_state(client_.get());
4826     SSL_set_accept_state(server_.get());
4827 
4828     ex_data_.Set(client_.get(), second_transport_.client());
4829     ex_data_.Set(server_.get(), second_transport_.server());
4830     return true;
4831   }
4832 
4833   // The following functions may be configured on an |SSL_QUIC_METHOD| as
4834   // default implementations.
4835 
SetEncryptionSecretsCallback(SSL * ssl,ssl_encryption_level_t level,const uint8_t * read_key,const uint8_t * write_key,size_t key_len)4836   static int SetEncryptionSecretsCallback(SSL *ssl,
4837                                           ssl_encryption_level_t level,
4838                                           const uint8_t *read_key,
4839                                           const uint8_t *write_key,
4840                                           size_t key_len) {
4841     return TransportFromSSL(ssl)->SetEncryptionSecrets(
4842         level, read_key, write_key, key_len, SSL_get_current_cipher(ssl));
4843   }
4844 
AddHandshakeDataCallback(SSL * ssl,enum ssl_encryption_level_t level,const uint8_t * data,size_t len)4845   static int AddHandshakeDataCallback(SSL *ssl,
4846                                       enum ssl_encryption_level_t level,
4847                                       const uint8_t *data, size_t len) {
4848     EXPECT_EQ(level, SSL_quic_write_level(ssl));
4849     return TransportFromSSL(ssl)->WriteHandshakeData(level,
4850                                                      MakeConstSpan(data, len));
4851   }
4852 
FlushFlightCallback(SSL * ssl)4853   static int FlushFlightCallback(SSL *ssl) { return 1; }
4854 
SendAlertCallback(SSL * ssl,ssl_encryption_level_t level,uint8_t alert)4855   static int SendAlertCallback(SSL *ssl, ssl_encryption_level_t level,
4856                                uint8_t alert) {
4857     EXPECT_EQ(level, SSL_quic_write_level(ssl));
4858     return TransportFromSSL(ssl)->SendAlert(level, alert);
4859   }
4860 
4861   bssl::UniquePtr<SSL_CTX> client_ctx_;
4862   bssl::UniquePtr<SSL_CTX> server_ctx_;
4863 
4864   static UnownedSSLExData<MockQUICTransport> ex_data_;
4865   MockQUICTransportPair transport_;
4866   MockQUICTransportPair second_transport_;
4867 
4868   bssl::UniquePtr<SSL> client_;
4869   bssl::UniquePtr<SSL> server_;
4870 };
4871 
4872 UnownedSSLExData<MockQUICTransport> QUICMethodTest::ex_data_;
4873 
4874 // Test a full handshake works.
TEST_F(QUICMethodTest,Basic)4875 TEST_F(QUICMethodTest, Basic) {
4876   const SSL_QUIC_METHOD quic_method = {
4877       SetEncryptionSecretsCallback,
4878       AddHandshakeDataCallback,
4879       FlushFlightCallback,
4880       SendAlertCallback,
4881   };
4882 
4883   g_last_session = nullptr;
4884 
4885   SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
4886   SSL_CTX_sess_set_new_cb(client_ctx_.get(), SaveLastSession);
4887   ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
4888   ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
4889   ASSERT_TRUE(CreateClientAndServer());
4890 
4891   for (;;) {
4892     ASSERT_TRUE(ProvideHandshakeData(client_.get()));
4893     int client_ret = SSL_do_handshake(client_.get());
4894     if (client_ret != 1) {
4895       ASSERT_EQ(client_ret, -1);
4896       ASSERT_EQ(SSL_get_error(client_.get(), client_ret), SSL_ERROR_WANT_READ);
4897     }
4898 
4899     ASSERT_TRUE(ProvideHandshakeData(server_.get()));
4900     int server_ret = SSL_do_handshake(server_.get());
4901     if (server_ret != 1) {
4902       ASSERT_EQ(server_ret, -1);
4903       ASSERT_EQ(SSL_get_error(server_.get(), server_ret), SSL_ERROR_WANT_READ);
4904     }
4905 
4906     if (client_ret == 1 && server_ret == 1) {
4907       break;
4908     }
4909   }
4910 
4911   EXPECT_EQ(SSL_do_handshake(client_.get()), 1);
4912   EXPECT_EQ(SSL_do_handshake(server_.get()), 1);
4913   EXPECT_TRUE(transport_.SecretsMatch(ssl_encryption_application));
4914   EXPECT_FALSE(transport_.client()->has_alert());
4915   EXPECT_FALSE(transport_.server()->has_alert());
4916 
4917   // The server sent NewSessionTicket messages in the handshake.
4918   EXPECT_FALSE(g_last_session);
4919   ASSERT_TRUE(ProvideHandshakeData(client_.get()));
4920   EXPECT_EQ(SSL_process_quic_post_handshake(client_.get()), 1);
4921   EXPECT_TRUE(g_last_session);
4922 
4923   // Create a second connection to verify resumption works.
4924   ASSERT_TRUE(CreateSecondClientAndServer());
4925   bssl::UniquePtr<SSL_SESSION> session = std::move(g_last_session);
4926   SSL_set_session(client_.get(), session.get());
4927 
4928   for (;;) {
4929     ASSERT_TRUE(ProvideHandshakeData(client_.get()));
4930     int client_ret = SSL_do_handshake(client_.get());
4931     if (client_ret != 1) {
4932       ASSERT_EQ(client_ret, -1);
4933       ASSERT_EQ(SSL_get_error(client_.get(), client_ret), SSL_ERROR_WANT_READ);
4934     }
4935 
4936     ASSERT_TRUE(ProvideHandshakeData(server_.get()));
4937     int server_ret = SSL_do_handshake(server_.get());
4938     if (server_ret != 1) {
4939       ASSERT_EQ(server_ret, -1);
4940       ASSERT_EQ(SSL_get_error(server_.get(), server_ret), SSL_ERROR_WANT_READ);
4941     }
4942 
4943     if (client_ret == 1 && server_ret == 1) {
4944       break;
4945     }
4946   }
4947 
4948   EXPECT_EQ(SSL_do_handshake(client_.get()), 1);
4949   EXPECT_EQ(SSL_do_handshake(server_.get()), 1);
4950   EXPECT_TRUE(transport_.SecretsMatch(ssl_encryption_application));
4951   EXPECT_FALSE(transport_.client()->has_alert());
4952   EXPECT_FALSE(transport_.server()->has_alert());
4953   EXPECT_TRUE(SSL_session_reused(client_.get()));
4954   EXPECT_TRUE(SSL_session_reused(server_.get()));
4955 }
4956 
4957 // Test only releasing data to QUIC one byte at a time on request, to maximize
4958 // state machine pauses. Additionally, test that existing asynchronous callbacks
4959 // still work.
TEST_F(QUICMethodTest,Async)4960 TEST_F(QUICMethodTest, Async) {
4961   const SSL_QUIC_METHOD quic_method = {
4962       SetEncryptionSecretsCallback,
4963       AddHandshakeDataCallback,
4964       FlushFlightCallback,
4965       SendAlertCallback,
4966   };
4967 
4968   ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
4969   ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
4970   ASSERT_TRUE(CreateClientAndServer());
4971 
4972   // Install an asynchronous certificate callback.
4973   bool cert_cb_ok = false;
4974   SSL_set_cert_cb(server_.get(),
4975                   [](SSL *, void *arg) -> int {
4976                     return *static_cast<bool *>(arg) ? 1 : -1;
4977                   },
4978                   &cert_cb_ok);
4979 
4980   for (;;) {
4981     int client_ret = SSL_do_handshake(client_.get());
4982     if (client_ret != 1) {
4983       ASSERT_EQ(client_ret, -1);
4984       ASSERT_EQ(SSL_get_error(client_.get(), client_ret), SSL_ERROR_WANT_READ);
4985       ASSERT_TRUE(ProvideHandshakeData(client_.get(), 1));
4986     }
4987 
4988     int server_ret = SSL_do_handshake(server_.get());
4989     if (server_ret != 1) {
4990       ASSERT_EQ(server_ret, -1);
4991       int ssl_err = SSL_get_error(server_.get(), server_ret);
4992       switch (ssl_err) {
4993         case SSL_ERROR_WANT_READ:
4994           ASSERT_TRUE(ProvideHandshakeData(server_.get(), 1));
4995           break;
4996         case SSL_ERROR_WANT_X509_LOOKUP:
4997           ASSERT_FALSE(cert_cb_ok);
4998           cert_cb_ok = true;
4999           break;
5000         default:
5001           FAIL() << "Unexpected SSL_get_error result: " << ssl_err;
5002       }
5003     }
5004 
5005     if (client_ret == 1 && server_ret == 1) {
5006       break;
5007     }
5008   }
5009 
5010   EXPECT_EQ(SSL_do_handshake(client_.get()), 1);
5011   EXPECT_EQ(SSL_do_handshake(server_.get()), 1);
5012   EXPECT_TRUE(transport_.SecretsMatch(ssl_encryption_application));
5013   EXPECT_FALSE(transport_.client()->has_alert());
5014   EXPECT_FALSE(transport_.server()->has_alert());
5015 }
5016 
5017 // Test buffering write data until explicit flushes.
TEST_F(QUICMethodTest,Buffered)5018 TEST_F(QUICMethodTest, Buffered) {
5019   struct BufferedFlight {
5020     std::vector<uint8_t> data[kNumQUICLevels];
5021   };
5022   static UnownedSSLExData<BufferedFlight> buffered_flights;
5023 
5024   auto add_handshake_data = [](SSL *ssl, enum ssl_encryption_level_t level,
5025                                const uint8_t *data, size_t len) -> int {
5026     BufferedFlight *flight = buffered_flights.Get(ssl);
5027     flight->data[level].insert(flight->data[level].end(), data, data + len);
5028     return 1;
5029   };
5030 
5031   auto flush_flight = [](SSL *ssl) -> int {
5032     BufferedFlight *flight = buffered_flights.Get(ssl);
5033     for (size_t level = 0; level < kNumQUICLevels; level++) {
5034       if (!flight->data[level].empty()) {
5035         if (!TransportFromSSL(ssl)->WriteHandshakeData(
5036                 static_cast<ssl_encryption_level_t>(level),
5037                 flight->data[level])) {
5038           return 0;
5039         }
5040         flight->data[level].clear();
5041       }
5042     }
5043     return 1;
5044   };
5045 
5046   const SSL_QUIC_METHOD quic_method = {
5047     SetEncryptionSecretsCallback,
5048     add_handshake_data,
5049     flush_flight,
5050     SendAlertCallback,
5051   };
5052 
5053   ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
5054   ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
5055   ASSERT_TRUE(CreateClientAndServer());
5056 
5057   BufferedFlight client_flight, server_flight;
5058   buffered_flights.Set(client_.get(), &client_flight);
5059   buffered_flights.Set(server_.get(), &server_flight);
5060 
5061   for (;;) {
5062     ASSERT_TRUE(ProvideHandshakeData(client_.get()));
5063     int client_ret = SSL_do_handshake(client_.get());
5064     if (client_ret != 1) {
5065       ASSERT_EQ(client_ret, -1);
5066       ASSERT_EQ(SSL_get_error(client_.get(), client_ret), SSL_ERROR_WANT_READ);
5067     }
5068 
5069     ASSERT_TRUE(ProvideHandshakeData(server_.get()));
5070     int server_ret = SSL_do_handshake(server_.get());
5071     if (server_ret != 1) {
5072       ASSERT_EQ(server_ret, -1);
5073       ASSERT_EQ(SSL_get_error(server_.get(), server_ret), SSL_ERROR_WANT_READ);
5074     }
5075 
5076     if (client_ret == 1 && server_ret == 1) {
5077       break;
5078     }
5079   }
5080 
5081   EXPECT_EQ(SSL_do_handshake(client_.get()), 1);
5082   EXPECT_EQ(SSL_do_handshake(server_.get()), 1);
5083   EXPECT_TRUE(transport_.SecretsMatch(ssl_encryption_application));
5084   EXPECT_FALSE(transport_.client()->has_alert());
5085   EXPECT_FALSE(transport_.server()->has_alert());
5086 }
5087 
5088 // Test that excess data at one level is rejected. That is, if a single
5089 // |SSL_provide_quic_data| call included both ServerHello and
5090 // EncryptedExtensions in a single chunk, BoringSSL notices and rejects this on
5091 // key change.
TEST_F(QUICMethodTest,ExcessProvidedData)5092 TEST_F(QUICMethodTest, ExcessProvidedData) {
5093   auto add_handshake_data = [](SSL *ssl, enum ssl_encryption_level_t level,
5094                                const uint8_t *data, size_t len) -> int {
5095     // Switch everything to the initial level.
5096     return TransportFromSSL(ssl)->WriteHandshakeData(ssl_encryption_initial,
5097                                                      MakeConstSpan(data, len));
5098   };
5099 
5100   const SSL_QUIC_METHOD quic_method = {
5101       SetEncryptionSecretsCallback,
5102       add_handshake_data,
5103       FlushFlightCallback,
5104       SendAlertCallback,
5105   };
5106 
5107   ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
5108   ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
5109   ASSERT_TRUE(CreateClientAndServer());
5110 
5111   // Send the ClientHello and ServerHello through Finished.
5112   ASSERT_EQ(SSL_do_handshake(client_.get()), -1);
5113   ASSERT_EQ(SSL_get_error(client_.get(), -1), SSL_ERROR_WANT_READ);
5114   ASSERT_TRUE(ProvideHandshakeData(server_.get()));
5115   ASSERT_EQ(SSL_do_handshake(server_.get()), -1);
5116   ASSERT_EQ(SSL_get_error(server_.get(), -1), SSL_ERROR_WANT_READ);
5117 
5118   // The client is still waiting for the ServerHello at initial
5119   // encryption.
5120   ASSERT_EQ(ssl_encryption_initial, SSL_quic_read_level(client_.get()));
5121 
5122   // |add_handshake_data| incorrectly wrote everything at the initial level, so
5123   // this queues up ServerHello through Finished in one chunk.
5124   ASSERT_TRUE(ProvideHandshakeData(client_.get()));
5125 
5126   // The client reads ServerHello successfully, but then rejects the buffered
5127   // EncryptedExtensions on key change.
5128   ASSERT_EQ(SSL_do_handshake(client_.get()), -1);
5129   ASSERT_EQ(SSL_get_error(client_.get(), -1), SSL_ERROR_SSL);
5130   uint32_t err = ERR_get_error();
5131   EXPECT_EQ(ERR_GET_LIB(err), ERR_LIB_SSL);
5132   EXPECT_EQ(ERR_GET_REASON(err), SSL_R_BUFFERED_MESSAGES_ON_CIPHER_CHANGE);
5133 
5134   // The client sends an alert in response to this.
5135   ASSERT_TRUE(transport_.client()->has_alert());
5136   EXPECT_EQ(transport_.client()->alert_level(), ssl_encryption_initial);
5137   EXPECT_EQ(transport_.client()->alert(), SSL_AD_UNEXPECTED_MESSAGE);
5138 
5139   // Sanity-check client did get far enough to process the ServerHello and
5140   // install keys.
5141   EXPECT_TRUE(transport_.client()->HasSecrets(ssl_encryption_handshake));
5142 }
5143 
5144 // Test that |SSL_provide_quic_data| will reject data at the wrong level.
TEST_F(QUICMethodTest,ProvideWrongLevel)5145 TEST_F(QUICMethodTest, ProvideWrongLevel) {
5146   const SSL_QUIC_METHOD quic_method = {
5147       SetEncryptionSecretsCallback,
5148       AddHandshakeDataCallback,
5149       FlushFlightCallback,
5150       SendAlertCallback,
5151   };
5152 
5153   ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
5154   ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
5155   ASSERT_TRUE(CreateClientAndServer());
5156 
5157   // Send the ClientHello and ServerHello through Finished.
5158   ASSERT_EQ(SSL_do_handshake(client_.get()), -1);
5159   ASSERT_EQ(SSL_get_error(client_.get(), -1), SSL_ERROR_WANT_READ);
5160   ASSERT_TRUE(ProvideHandshakeData(server_.get()));
5161   ASSERT_EQ(SSL_do_handshake(server_.get()), -1);
5162   ASSERT_EQ(SSL_get_error(server_.get(), -1), SSL_ERROR_WANT_READ);
5163 
5164   // The client is still waiting for the ServerHello at initial
5165   // encryption.
5166   ASSERT_EQ(ssl_encryption_initial, SSL_quic_read_level(client_.get()));
5167 
5168   // Data cannot be provided at the next level.
5169   std::vector<uint8_t> data;
5170   ASSERT_TRUE(
5171       transport_.client()->ReadHandshakeData(&data, ssl_encryption_initial));
5172   ASSERT_FALSE(SSL_provide_quic_data(client_.get(), ssl_encryption_handshake,
5173                                      data.data(), data.size()));
5174   ERR_clear_error();
5175 
5176   // Progress to EncryptedExtensions.
5177   ASSERT_TRUE(SSL_provide_quic_data(client_.get(), ssl_encryption_initial,
5178                                     data.data(), data.size()));
5179   ASSERT_EQ(SSL_do_handshake(client_.get()), -1);
5180   ASSERT_EQ(SSL_get_error(client_.get(), -1), SSL_ERROR_WANT_READ);
5181   ASSERT_EQ(ssl_encryption_handshake, SSL_quic_read_level(client_.get()));
5182 
5183   // Data cannot be provided at the previous level.
5184   ASSERT_TRUE(
5185       transport_.client()->ReadHandshakeData(&data, ssl_encryption_handshake));
5186   ASSERT_FALSE(SSL_provide_quic_data(client_.get(), ssl_encryption_initial,
5187                                      data.data(), data.size()));
5188 }
5189 
TEST_F(QUICMethodTest,TooMuchData)5190 TEST_F(QUICMethodTest, TooMuchData) {
5191   const SSL_QUIC_METHOD quic_method = {
5192       SetEncryptionSecretsCallback,
5193       AddHandshakeDataCallback,
5194       FlushFlightCallback,
5195       SendAlertCallback,
5196   };
5197 
5198   ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
5199   ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
5200   ASSERT_TRUE(CreateClientAndServer());
5201 
5202   size_t limit =
5203       SSL_quic_max_handshake_flight_len(client_.get(), ssl_encryption_initial);
5204   uint8_t b = 0;
5205   for (size_t i = 0; i < limit; i++) {
5206     ASSERT_TRUE(
5207         SSL_provide_quic_data(client_.get(), ssl_encryption_initial, &b, 1));
5208   }
5209 
5210   EXPECT_FALSE(
5211       SSL_provide_quic_data(client_.get(), ssl_encryption_initial, &b, 1));
5212 }
5213 
5214 // Provide invalid post-handshake data.
TEST_F(QUICMethodTest,BadPostHandshake)5215 TEST_F(QUICMethodTest, BadPostHandshake) {
5216   const SSL_QUIC_METHOD quic_method = {
5217       SetEncryptionSecretsCallback,
5218       AddHandshakeDataCallback,
5219       FlushFlightCallback,
5220       SendAlertCallback,
5221   };
5222 
5223   g_last_session = nullptr;
5224 
5225   SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
5226   SSL_CTX_sess_set_new_cb(client_ctx_.get(), SaveLastSession);
5227   ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
5228   ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
5229   ASSERT_TRUE(CreateClientAndServer());
5230 
5231   for (;;) {
5232     ASSERT_TRUE(ProvideHandshakeData(client_.get()));
5233     int client_ret = SSL_do_handshake(client_.get());
5234     if (client_ret != 1) {
5235       ASSERT_EQ(client_ret, -1);
5236       ASSERT_EQ(SSL_get_error(client_.get(), client_ret), SSL_ERROR_WANT_READ);
5237     }
5238 
5239     ASSERT_TRUE(ProvideHandshakeData(server_.get()));
5240     int server_ret = SSL_do_handshake(server_.get());
5241     if (server_ret != 1) {
5242       ASSERT_EQ(server_ret, -1);
5243       ASSERT_EQ(SSL_get_error(server_.get(), server_ret), SSL_ERROR_WANT_READ);
5244     }
5245 
5246     if (client_ret == 1 && server_ret == 1) {
5247       break;
5248     }
5249   }
5250 
5251   EXPECT_EQ(SSL_do_handshake(client_.get()), 1);
5252   EXPECT_EQ(SSL_do_handshake(server_.get()), 1);
5253   EXPECT_TRUE(transport_.SecretsMatch(ssl_encryption_application));
5254   EXPECT_FALSE(transport_.client()->has_alert());
5255   EXPECT_FALSE(transport_.server()->has_alert());
5256 
5257   // Junk sent as part of post-handshake data should cause an error.
5258   uint8_t kJunk[] = {0x17, 0x0, 0x0, 0x4, 0xB, 0xE, 0xE, 0xF};
5259   ASSERT_TRUE(SSL_provide_quic_data(client_.get(), ssl_encryption_application,
5260                                     kJunk, sizeof(kJunk)));
5261   EXPECT_EQ(SSL_process_quic_post_handshake(client_.get()), 0);
5262 }
5263 
5264 // TODO(davidben): Convert this file to GTest properly.
TEST(SSLTest,AllTests)5265 TEST(SSLTest, AllTests) {
5266   if (!TestSSL_SESSIONEncoding(kOpenSSLSession) ||
5267       !TestSSL_SESSIONEncoding(kCustomSession) ||
5268       !TestSSL_SESSIONEncoding(kBoringSSLSession) ||
5269       !TestBadSSL_SESSIONEncoding(kBadSessionExtraField) ||
5270       !TestBadSSL_SESSIONEncoding(kBadSessionVersion) ||
5271       !TestBadSSL_SESSIONEncoding(kBadSessionTrailingData) ||
5272       // Test the padding extension at TLS 1.2.
5273       !TestPaddingExtension(TLS1_2_VERSION, TLS1_2_VERSION) ||
5274       // Test the padding extension at TLS 1.3 with a TLS 1.2 session, so there
5275       // will be no PSK binder after the padding extension.
5276       !TestPaddingExtension(TLS1_3_VERSION, TLS1_2_VERSION) ||
5277       // Test the padding extension at TLS 1.3 with a TLS 1.3 session, so there
5278       // will be a PSK binder after the padding extension.
5279       !TestPaddingExtension(TLS1_3_VERSION, TLS1_3_VERSION)) {
5280     ADD_FAILURE() << "Tests failed";
5281   }
5282 }
5283 
5284 }  // namespace
5285 BSSL_NAMESPACE_END
5286