1 /* Copyright (c) 2014, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15 #include <limits.h>
16 #include <stdio.h>
17 #include <string.h>
18 #include <time.h>
19
20 #include <algorithm>
21 #include <limits>
22 #include <string>
23 #include <utility>
24 #include <vector>
25
26 #include <gtest/gtest.h>
27
28 #include <openssl/aead.h>
29 #include <openssl/base64.h>
30 #include <openssl/bytestring.h>
31 #include <openssl/bio.h>
32 #include <openssl/cipher.h>
33 #include <openssl/crypto.h>
34 #include <openssl/curve25519.h>
35 #include <openssl/err.h>
36 #include <openssl/hmac.h>
37 #include <openssl/hpke.h>
38 #include <openssl/pem.h>
39 #include <openssl/sha.h>
40 #include <openssl/ssl.h>
41 #include <openssl/rand.h>
42 #include <openssl/x509.h>
43 #include <openssl/x509v3.h>
44
45 #include "internal.h"
46 #include "../crypto/internal.h"
47 #include "../crypto/test/test_util.h"
48
49 #if defined(OPENSSL_WINDOWS)
50 // Windows defines struct timeval in winsock2.h.
51 OPENSSL_MSVC_PRAGMA(warning(push, 3))
52 #include <winsock2.h>
53 OPENSSL_MSVC_PRAGMA(warning(pop))
54 #else
55 #include <sys/time.h>
56 #endif
57
58 #if defined(OPENSSL_THREADS)
59 #include <thread>
60 #endif
61
62
63 BSSL_NAMESPACE_BEGIN
64
65 namespace {
66
67 #define TRACED_CALL(code) \
68 do { \
69 SCOPED_TRACE("<- called from here"); \
70 code; \
71 if (::testing::Test::HasFatalFailure()) { \
72 return; \
73 } \
74 } while (false)
75
76 struct VersionParam {
77 uint16_t version;
78 enum { is_tls, is_dtls } ssl_method;
79 const char name[8];
80 };
81
82 static const size_t kTicketKeyLen = 48;
83
84 static const VersionParam kAllVersions[] = {
85 {TLS1_VERSION, VersionParam::is_tls, "TLS1"},
86 {TLS1_1_VERSION, VersionParam::is_tls, "TLS1_1"},
87 {TLS1_2_VERSION, VersionParam::is_tls, "TLS1_2"},
88 {TLS1_3_VERSION, VersionParam::is_tls, "TLS1_3"},
89 {DTLS1_VERSION, VersionParam::is_dtls, "DTLS1"},
90 {DTLS1_2_VERSION, VersionParam::is_dtls, "DTLS1_2"},
91 };
92
93 struct ExpectedCipher {
94 unsigned long id;
95 int in_group_flag;
96 };
97
98 struct CipherTest {
99 // The rule string to apply.
100 const char *rule;
101 // The list of expected ciphers, in order.
102 std::vector<ExpectedCipher> expected;
103 // True if this cipher list should fail in strict mode.
104 bool strict_fail;
105 };
106
107 struct CurveTest {
108 // The rule string to apply.
109 const char *rule;
110 // The list of expected curves, in order.
111 std::vector<uint16_t> expected;
112 };
113
114 template <typename T>
115 class UnownedSSLExData {
116 public:
UnownedSSLExData()117 UnownedSSLExData() {
118 index_ = SSL_get_ex_new_index(0, nullptr, nullptr, nullptr, nullptr);
119 }
120
Get(const SSL * ssl)121 T *Get(const SSL *ssl) {
122 return index_ < 0 ? nullptr
123 : static_cast<T *>(SSL_get_ex_data(ssl, index_));
124 }
125
Set(SSL * ssl,T * t)126 bool Set(SSL *ssl, T *t) {
127 return index_ >= 0 && SSL_set_ex_data(ssl, index_, t);
128 }
129
130 private:
131 int index_;
132 };
133
134 static const CipherTest kCipherTests[] = {
135 // Selecting individual ciphers should work.
136 {
137 "ECDHE-ECDSA-CHACHA20-POLY1305:"
138 "ECDHE-RSA-CHACHA20-POLY1305:"
139 "ECDHE-ECDSA-AES128-GCM-SHA256:"
140 "ECDHE-RSA-AES128-GCM-SHA256",
141 {
142 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
143 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
144 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
145 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
146 },
147 false,
148 },
149 // + reorders selected ciphers to the end, keeping their relative order.
150 {
151 "ECDHE-ECDSA-CHACHA20-POLY1305:"
152 "ECDHE-RSA-CHACHA20-POLY1305:"
153 "ECDHE-ECDSA-AES128-GCM-SHA256:"
154 "ECDHE-RSA-AES128-GCM-SHA256:"
155 "+aRSA",
156 {
157 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
158 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
159 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
160 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
161 },
162 false,
163 },
164 // ! banishes ciphers from future selections.
165 {
166 "!aRSA:"
167 "ECDHE-ECDSA-CHACHA20-POLY1305:"
168 "ECDHE-RSA-CHACHA20-POLY1305:"
169 "ECDHE-ECDSA-AES128-GCM-SHA256:"
170 "ECDHE-RSA-AES128-GCM-SHA256",
171 {
172 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
173 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
174 },
175 false,
176 },
177 // Multiple masks can be ANDed in a single rule.
178 {
179 "kRSA+AESGCM+AES128",
180 {
181 {TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0},
182 },
183 false,
184 },
185 // - removes selected ciphers, but preserves their order for future
186 // selections. Select AES_128_GCM, but order the key exchanges RSA,
187 // ECDHE_RSA.
188 {
189 "ALL:-kECDHE:"
190 "-kRSA:-ALL:"
191 "AESGCM+AES128+aRSA",
192 {
193 {TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0},
194 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
195 },
196 false,
197 },
198 // Unknown selectors are no-ops, except in strict mode.
199 {
200 "ECDHE-ECDSA-CHACHA20-POLY1305:"
201 "ECDHE-RSA-CHACHA20-POLY1305:"
202 "ECDHE-ECDSA-AES128-GCM-SHA256:"
203 "ECDHE-RSA-AES128-GCM-SHA256:"
204 "BOGUS1",
205 {
206 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
207 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
208 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
209 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
210 },
211 true,
212 },
213 // Unknown selectors are no-ops, except in strict mode.
214 {
215 "ECDHE-ECDSA-CHACHA20-POLY1305:"
216 "ECDHE-RSA-CHACHA20-POLY1305:"
217 "ECDHE-ECDSA-AES128-GCM-SHA256:"
218 "ECDHE-RSA-AES128-GCM-SHA256:"
219 "-BOGUS2:+BOGUS3:!BOGUS4",
220 {
221 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
222 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
223 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
224 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
225 },
226 true,
227 },
228 // Square brackets specify equi-preference groups.
229 {
230 "[ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES128-GCM-SHA256]:"
231 "[ECDHE-RSA-CHACHA20-POLY1305]:"
232 "ECDHE-RSA-AES128-GCM-SHA256",
233 {
234 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 1},
235 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
236 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
237 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
238 },
239 false,
240 },
241 // Standard names may be used instead of OpenSSL names.
242 {
243 "[TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|"
244 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]:"
245 "[TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256]:"
246 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
247 {
248 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 1},
249 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
250 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
251 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
252 },
253 false,
254 },
255 // @STRENGTH performs a stable strength-sort of the selected ciphers and
256 // only the selected ciphers.
257 {
258 // To simplify things, banish all but {ECDHE_RSA,RSA} x
259 // {CHACHA20,AES_256_CBC,AES_128_CBC} x SHA1.
260 "!AESGCM:!3DES:"
261 // Order some ciphers backwards by strength.
262 "ALL:-CHACHA20:-AES256:-AES128:-ALL:"
263 // Select ECDHE ones and sort them by strength. Ties should resolve
264 // based on the order above.
265 "kECDHE:@STRENGTH:-ALL:"
266 // Now bring back everything uses RSA. ECDHE_RSA should be first, sorted
267 // by strength. Then RSA, backwards by strength.
268 "aRSA",
269 {
270 {TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, 0},
271 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
272 {TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, 0},
273 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
274 {TLS1_CK_RSA_WITH_AES_256_SHA, 0},
275 },
276 false,
277 },
278 // Additional masks after @STRENGTH get silently discarded.
279 //
280 // TODO(davidben): Make this an error. If not silently discarded, they get
281 // interpreted as + opcodes which are very different.
282 {
283 "ECDHE-RSA-AES128-GCM-SHA256:"
284 "ECDHE-RSA-AES256-GCM-SHA384:"
285 "@STRENGTH+AES256",
286 {
287 {TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 0},
288 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
289 },
290 false,
291 },
292 {
293 "ECDHE-RSA-AES128-GCM-SHA256:"
294 "ECDHE-RSA-AES256-GCM-SHA384:"
295 "@STRENGTH+AES256:"
296 "ECDHE-RSA-CHACHA20-POLY1305",
297 {
298 {TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 0},
299 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
300 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
301 },
302 false,
303 },
304 // Exact ciphers may not be used in multi-part rules; they are treated
305 // as unknown aliases.
306 {
307 "ECDHE-ECDSA-AES128-GCM-SHA256:"
308 "ECDHE-RSA-AES128-GCM-SHA256:"
309 "!ECDHE-RSA-AES128-GCM-SHA256+RSA:"
310 "!ECDSA+ECDHE-ECDSA-AES128-GCM-SHA256",
311 {
312 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
313 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
314 },
315 true,
316 },
317 // SSLv3 matches everything that existed before TLS 1.2.
318 {
319 "AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256:!SSLv3",
320 {
321 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
322 },
323 false,
324 },
325 // TLSv1.2 matches everything added in TLS 1.2.
326 {
327 "AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256:!TLSv1.2",
328 {
329 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
330 },
331 false,
332 },
333 // The two directives have no intersection. But each component is valid, so
334 // even in strict mode it is accepted.
335 {
336 "AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256:!TLSv1.2+SSLv3",
337 {
338 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
339 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
340 },
341 false,
342 },
343 // Spaces, semi-colons and commas are separators.
344 {
345 "AES128-SHA: ECDHE-RSA-AES128-GCM-SHA256 AES256-SHA ,ECDHE-ECDSA-AES128-GCM-SHA256 ; AES128-GCM-SHA256",
346 {
347 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
348 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
349 {TLS1_CK_RSA_WITH_AES_256_SHA, 0},
350 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
351 {TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0},
352 },
353 // …but not in strict mode.
354 true,
355 },
356 };
357
358 static const char *kBadRules[] = {
359 // Invalid brackets.
360 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256",
361 "RSA]",
362 "[[RSA]]",
363 // Operators inside brackets.
364 "[+RSA]",
365 // Unknown directive.
366 "@BOGUS",
367 // Empty cipher lists error at SSL_CTX_set_cipher_list.
368 "",
369 "BOGUS",
370 // COMPLEMENTOFDEFAULT is empty.
371 "COMPLEMENTOFDEFAULT",
372 // Invalid command.
373 "?BAR",
374 // Special operators are not allowed if groups are used.
375 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:+FOO",
376 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:!FOO",
377 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:-FOO",
378 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:@STRENGTH",
379 // Opcode supplied, but missing selector.
380 "+",
381 // Spaces are forbidden in equal-preference groups.
382 "[AES128-SHA | AES128-SHA256]",
383 };
384
385 static const char *kMustNotIncludeNull[] = {
386 "ALL",
387 "DEFAULT",
388 "HIGH",
389 "FIPS",
390 "SHA",
391 "SHA1",
392 "RSA",
393 "SSLv3",
394 "TLSv1",
395 "TLSv1.2",
396 };
397
398 static const CurveTest kCurveTests[] = {
399 {
400 "P-256",
401 { SSL_CURVE_SECP256R1 },
402 },
403 {
404 "P-256:X25519KYBER",
405 { SSL_CURVE_SECP256R1, SSL_CURVE_X25519KYBER768 },
406 },
407
408 {
409 "P-256:P-384:P-521:X25519",
410 {
411 SSL_CURVE_SECP256R1,
412 SSL_CURVE_SECP384R1,
413 SSL_CURVE_SECP521R1,
414 SSL_CURVE_X25519,
415 },
416 },
417 {
418 "prime256v1:secp384r1:secp521r1:x25519",
419 {
420 SSL_CURVE_SECP256R1,
421 SSL_CURVE_SECP384R1,
422 SSL_CURVE_SECP521R1,
423 SSL_CURVE_X25519,
424 },
425 },
426 };
427
428 static const char *kBadCurvesLists[] = {
429 "",
430 ":",
431 "::",
432 "P-256::X25519",
433 "RSA:P-256",
434 "P-256:RSA",
435 "X25519:P-256:",
436 ":X25519:P-256",
437 };
438
CipherListToString(SSL_CTX * ctx)439 static std::string CipherListToString(SSL_CTX *ctx) {
440 bool in_group = false;
441 std::string ret;
442 const STACK_OF(SSL_CIPHER) *ciphers = SSL_CTX_get_ciphers(ctx);
443 for (size_t i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
444 const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(ciphers, i);
445 if (!in_group && SSL_CTX_cipher_in_group(ctx, i)) {
446 ret += "\t[\n";
447 in_group = true;
448 }
449 ret += "\t";
450 if (in_group) {
451 ret += " ";
452 }
453 ret += SSL_CIPHER_get_name(cipher);
454 ret += "\n";
455 if (in_group && !SSL_CTX_cipher_in_group(ctx, i)) {
456 ret += "\t]\n";
457 in_group = false;
458 }
459 }
460 return ret;
461 }
462
CipherListsEqual(SSL_CTX * ctx,const std::vector<ExpectedCipher> & expected)463 static bool CipherListsEqual(SSL_CTX *ctx,
464 const std::vector<ExpectedCipher> &expected) {
465 const STACK_OF(SSL_CIPHER) *ciphers = SSL_CTX_get_ciphers(ctx);
466 if (sk_SSL_CIPHER_num(ciphers) != expected.size()) {
467 return false;
468 }
469
470 for (size_t i = 0; i < expected.size(); i++) {
471 const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(ciphers, i);
472 if (expected[i].id != SSL_CIPHER_get_id(cipher) ||
473 expected[i].in_group_flag != !!SSL_CTX_cipher_in_group(ctx, i)) {
474 return false;
475 }
476 }
477
478 return true;
479 }
480
TEST(GrowableArrayTest,Resize)481 TEST(GrowableArrayTest, Resize) {
482 GrowableArray<size_t> array;
483 ASSERT_TRUE(array.empty());
484 EXPECT_EQ(array.size(), 0u);
485
486 ASSERT_TRUE(array.Push(42));
487 ASSERT_TRUE(!array.empty());
488 EXPECT_EQ(array.size(), 1u);
489
490 // Force a resize operation to occur
491 for (size_t i = 0; i < 16; i++) {
492 ASSERT_TRUE(array.Push(i + 1));
493 }
494
495 EXPECT_EQ(array.size(), 17u);
496
497 // Verify that expected values are still contained in array
498 for (size_t i = 0; i < array.size(); i++) {
499 EXPECT_EQ(array[i], i == 0 ? 42 : i);
500 }
501 }
502
TEST(GrowableArrayTest,MoveConstructor)503 TEST(GrowableArrayTest, MoveConstructor) {
504 GrowableArray<size_t> array;
505 for (size_t i = 0; i < 100; i++) {
506 ASSERT_TRUE(array.Push(i));
507 }
508
509 GrowableArray<size_t> array_moved(std::move(array));
510 for (size_t i = 0; i < 100; i++) {
511 EXPECT_EQ(array_moved[i], i);
512 }
513 }
514
TEST(GrowableArrayTest,GrowableArrayContainingGrowableArrays)515 TEST(GrowableArrayTest, GrowableArrayContainingGrowableArrays) {
516 // Representative example of a struct that contains a GrowableArray.
517 struct TagAndArray {
518 size_t tag;
519 GrowableArray<size_t> array;
520 };
521
522 GrowableArray<TagAndArray> array;
523 for (size_t i = 0; i < 100; i++) {
524 TagAndArray elem;
525 elem.tag = i;
526 for (size_t j = 0; j < i; j++) {
527 ASSERT_TRUE(elem.array.Push(j));
528 }
529 ASSERT_TRUE(array.Push(std::move(elem)));
530 }
531 EXPECT_EQ(array.size(), static_cast<size_t>(100));
532
533 GrowableArray<TagAndArray> array_moved(std::move(array));
534 EXPECT_EQ(array_moved.size(), static_cast<size_t>(100));
535 size_t count = 0;
536 for (const TagAndArray &elem : array_moved) {
537 // Test the square bracket operator returns the same value as iteration.
538 EXPECT_EQ(&elem, &array_moved[count]);
539
540 EXPECT_EQ(elem.tag, count);
541 EXPECT_EQ(elem.array.size(), count);
542 for (size_t j = 0; j < count; j++) {
543 EXPECT_EQ(elem.array[j], j);
544 }
545 count++;
546 }
547 }
548
TEST(SSLTest,CipherRules)549 TEST(SSLTest, CipherRules) {
550 for (const CipherTest &t : kCipherTests) {
551 SCOPED_TRACE(t.rule);
552 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
553 ASSERT_TRUE(ctx);
554
555 // Test lax mode.
556 ASSERT_TRUE(SSL_CTX_set_cipher_list(ctx.get(), t.rule));
557 EXPECT_TRUE(CipherListsEqual(ctx.get(), t.expected))
558 << "Cipher rule evaluated to:\n"
559 << CipherListToString(ctx.get());
560
561 // Test strict mode.
562 if (t.strict_fail) {
563 EXPECT_FALSE(SSL_CTX_set_strict_cipher_list(ctx.get(), t.rule));
564 } else {
565 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(ctx.get(), t.rule));
566 EXPECT_TRUE(CipherListsEqual(ctx.get(), t.expected))
567 << "Cipher rule evaluated to:\n"
568 << CipherListToString(ctx.get());
569 }
570 }
571
572 for (const char *rule : kBadRules) {
573 SCOPED_TRACE(rule);
574 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
575 ASSERT_TRUE(ctx);
576
577 EXPECT_FALSE(SSL_CTX_set_cipher_list(ctx.get(), rule));
578 ERR_clear_error();
579 }
580
581 for (const char *rule : kMustNotIncludeNull) {
582 SCOPED_TRACE(rule);
583 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
584 ASSERT_TRUE(ctx);
585
586 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(ctx.get(), rule));
587 for (const SSL_CIPHER *cipher : SSL_CTX_get_ciphers(ctx.get())) {
588 EXPECT_NE(NID_undef, SSL_CIPHER_get_cipher_nid(cipher));
589 }
590 }
591 }
592
TEST(SSLTest,CurveRules)593 TEST(SSLTest, CurveRules) {
594 for (const CurveTest &t : kCurveTests) {
595 SCOPED_TRACE(t.rule);
596 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
597 ASSERT_TRUE(ctx);
598
599 ASSERT_TRUE(SSL_CTX_set1_curves_list(ctx.get(), t.rule));
600 ASSERT_EQ(t.expected.size(), ctx->supported_group_list.size());
601 for (size_t i = 0; i < t.expected.size(); i++) {
602 EXPECT_EQ(t.expected[i], ctx->supported_group_list[i]);
603 }
604 }
605
606 for (const char *rule : kBadCurvesLists) {
607 SCOPED_TRACE(rule);
608 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
609 ASSERT_TRUE(ctx);
610
611 EXPECT_FALSE(SSL_CTX_set1_curves_list(ctx.get(), rule));
612 ERR_clear_error();
613 }
614 }
615
616 // kOpenSSLSession is a serialized SSL_SESSION.
617 static const char kOpenSSLSession[] =
618 "MIIFqgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
619 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
620 "IWoJoQYCBFRDO46iBAICASyjggR6MIIEdjCCA16gAwIBAgIIK9dUvsPWSlUwDQYJ"
621 "KoZIhvcNAQEFBQAwSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMx"
622 "JTAjBgNVBAMTHEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTQxMDA4"
623 "MTIwNzU3WhcNMTUwMTA2MDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwK"
624 "Q2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29v"
625 "Z2xlIEluYzEXMBUGA1UEAwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEB"
626 "AQUAA4IBDwAwggEKAoIBAQCcKeLrplAC+Lofy8t/wDwtB6eu72CVp0cJ4V3lknN6"
627 "huH9ct6FFk70oRIh/VBNBBz900jYy+7111Jm1b8iqOTQ9aT5C7SEhNcQFJvqzH3e"
628 "MPkb6ZSWGm1yGF7MCQTGQXF20Sk/O16FSjAynU/b3oJmOctcycWYkY0ytS/k3LBu"
629 "Id45PJaoMqjB0WypqvNeJHC3q5JjCB4RP7Nfx5jjHSrCMhw8lUMW4EaDxjaR9KDh"
630 "PLgjsk+LDIySRSRDaCQGhEOWLJZVLzLo4N6/UlctCHEllpBUSvEOyFga52qroGjg"
631 "rf3WOQ925MFwzd6AK+Ich0gDRg8sQfdLH5OuP1cfLfU1AgMBAAGjggFBMIIBPTAd"
632 "BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdv"
633 "b2dsZS5jb20waAYIKwYBBQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtp"
634 "Lmdvb2dsZS5jb20vR0lBRzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50"
635 "czEuZ29vZ2xlLmNvbS9vY3NwMB0GA1UdDgQWBBQ7a+CcxsZByOpc+xpYFcIbnUMZ"
636 "hTAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEv"
637 "MBcGA1UdIAQQMA4wDAYKKwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRw"
638 "Oi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQCa"
639 "OXCBdoqUy5bxyq+Wrh1zsyyCFim1PH5VU2+yvDSWrgDY8ibRGJmfff3r4Lud5kal"
640 "dKs9k8YlKD3ITG7P0YT/Rk8hLgfEuLcq5cc0xqmE42xJ+Eo2uzq9rYorc5emMCxf"
641 "5L0TJOXZqHQpOEcuptZQ4OjdYMfSxk5UzueUhA3ogZKRcRkdB3WeWRp+nYRhx4St"
642 "o2rt2A0MKmY9165GHUqMK9YaaXHDXqBu7Sefr1uSoAP9gyIJKeihMivsGqJ1TD6Z"
643 "cc6LMe+dN2P8cZEQHtD1y296ul4Mivqk3jatUVL8/hCwgch9A8O4PGZq9WqBfEWm"
644 "IyHh1dPtbg1lOXdYCWtjpAIEAKUDAgEUqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36S"
645 "YTcLEkXqKwOBfF9vE4KX0NxeLwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9B"
646 "sNHM362zZnY27GpTw+Kwd751CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yE"
647 "OTDKPNj3+inbMaVigtK4PLyPq+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdA"
648 "i4gv7Y5oliyntgMBAQA=";
649
650 // kCustomSession is a custom serialized SSL_SESSION generated by
651 // filling in missing fields from |kOpenSSLSession|. This includes
652 // providing |peer_sha256|, so |peer| is not serialized.
653 static const char kCustomSession[] =
654 "MIIBZAIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
655 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
656 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUqAcEBXdvcmxkqQUCAwGJwKqBpwSB"
657 "pBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0NxeLwjcDTpsuh3qXEaZ992r1N38"
658 "VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751CLoXFPoaMOe57dbBpXoro6Pd"
659 "3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyPq+Topyzvx9USFgRvyuoxn0Hg"
660 "b+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYGBgYGBgYGBgYGBgYGBgYGBgYG"
661 "BgYGBgYGBgYGrgMEAQevAwQBBLADBAEF";
662
663 // kBoringSSLSession is a serialized SSL_SESSION generated from bssl client.
664 static const char kBoringSSLSession[] =
665 "MIIRwQIBAQICAwMEAsAvBCDdoGxGK26mR+8lM0uq6+k9xYuxPnwAjpcF9n0Yli9R"
666 "kQQwbyshfWhdi5XQ1++7n2L1qqrcVlmHBPpr6yknT/u4pUrpQB5FZ7vqvNn8MdHf"
667 "9rWgoQYCBFXgs7uiBAICHCCjggR6MIIEdjCCA16gAwIBAgIIf+yfD7Y6UicwDQYJ"
668 "KoZIhvcNAQELBQAwSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMx"
669 "JTAjBgNVBAMTHEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTUwODEy"
670 "MTQ1MzE1WhcNMTUxMTEwMDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwK"
671 "Q2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29v"
672 "Z2xlIEluYzEXMBUGA1UEAwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEB"
673 "AQUAA4IBDwAwggEKAoIBAQC0MeG5YGQ0t+IeJeoneP/PrhEaieibeKYkbKVLNZpo"
674 "PLuBinvhkXZo3DC133NpCBpy6ZktBwamqyixAyuk/NU6OjgXqwwxfQ7di1AInLIU"
675 "792c7hFyNXSUCG7At8Ifi3YwBX9Ba6u/1d6rWTGZJrdCq3QU11RkKYyTq2KT5mce"
676 "Tv9iGKqSkSTlp8puy/9SZ/3DbU3U+BuqCFqeSlz7zjwFmk35acdCilpJlVDDN5C/"
677 "RCh8/UKc8PaL+cxlt531qoTENvYrflBno14YEZlCBZsPiFeUSILpKEj3Ccwhy0eL"
678 "EucWQ72YZU8mUzXBoXGn0zA0crFl5ci/2sTBBGZsylNBAgMBAAGjggFBMIIBPTAd"
679 "BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdv"
680 "b2dsZS5jb20waAYIKwYBBQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtp"
681 "Lmdvb2dsZS5jb20vR0lBRzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50"
682 "czEuZ29vZ2xlLmNvbS9vY3NwMB0GA1UdDgQWBBS/bzHxcE73Q4j3slC4BLbMtLjG"
683 "GjAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEv"
684 "MBcGA1UdIAQQMA4wDAYKKwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRw"
685 "Oi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQAb"
686 "qdWPZEHk0X7iKPCTHL6S3w6q1eR67goxZGFSM1lk1hjwyu7XcLJuvALVV9uY3ovE"
687 "kQZSHwT+pyOPWQhsSjO+1GyjvCvK/CAwiUmBX+bQRGaqHsRcio7xSbdVcajQ3bXd"
688 "X+s0WdbOpn6MStKAiBVloPlSxEI8pxY6x/BBCnTIk/+DMB17uZlOjG3vbAnkDkP+"
689 "n0OTucD9sHV7EVj9XUxi51nOfNBCN/s7lpUjDS/NJ4k3iwOtbCPswiot8vLO779a"
690 "f07vR03r349Iz/KTzk95rlFtX0IU+KYNxFNsanIXZ+C9FYGRXkwhHcvFb4qMUB1y"
691 "TTlM80jBMOwyjZXmjRAhpAIEAKUDAgEUqQUCAwGJwKqBpwSBpOgebbmn9NRUtMWH"
692 "+eJpqA5JLMFSMCChOsvKey3toBaCNGU7HfAEiiXNuuAdCBoK262BjQc2YYfqFzqH"
693 "zuppopXCvhohx7j/tnCNZIMgLYt/O9SXK2RYI5z8FhCCHvB4CbD5G0LGl5EFP27s"
694 "Jb6S3aTTYPkQe8yZSlxevg6NDwmTogLO9F7UUkaYmVcMQhzssEE2ZRYNwSOU6KjE"
695 "0Yj+8fAiBtbQriIEIN2L8ZlpaVrdN5KFNdvcmOxJu81P8q53X55xQyGTnGWwsgMC"
696 "ARezggvvMIIEdjCCA16gAwIBAgIIf+yfD7Y6UicwDQYJKoZIhvcNAQELBQAwSTEL"
697 "MAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2ds"
698 "ZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTUwODEyMTQ1MzE1WhcNMTUxMTEw"
699 "MDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQG"
700 "A1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UE"
701 "AwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB"
702 "AQC0MeG5YGQ0t+IeJeoneP/PrhEaieibeKYkbKVLNZpoPLuBinvhkXZo3DC133Np"
703 "CBpy6ZktBwamqyixAyuk/NU6OjgXqwwxfQ7di1AInLIU792c7hFyNXSUCG7At8If"
704 "i3YwBX9Ba6u/1d6rWTGZJrdCq3QU11RkKYyTq2KT5mceTv9iGKqSkSTlp8puy/9S"
705 "Z/3DbU3U+BuqCFqeSlz7zjwFmk35acdCilpJlVDDN5C/RCh8/UKc8PaL+cxlt531"
706 "qoTENvYrflBno14YEZlCBZsPiFeUSILpKEj3Ccwhy0eLEucWQ72YZU8mUzXBoXGn"
707 "0zA0crFl5ci/2sTBBGZsylNBAgMBAAGjggFBMIIBPTAdBgNVHSUEFjAUBggrBgEF"
708 "BQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYB"
709 "BQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lB"
710 "RzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9v"
711 "Y3NwMB0GA1UdDgQWBBS/bzHxcE73Q4j3slC4BLbMtLjGGjAMBgNVHRMBAf8EAjAA"
712 "MB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMBcGA1UdIAQQMA4wDAYK"
713 "KwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRwOi8vcGtpLmdvb2dsZS5j"
714 "b20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQAbqdWPZEHk0X7iKPCTHL6S"
715 "3w6q1eR67goxZGFSM1lk1hjwyu7XcLJuvALVV9uY3ovEkQZSHwT+pyOPWQhsSjO+"
716 "1GyjvCvK/CAwiUmBX+bQRGaqHsRcio7xSbdVcajQ3bXdX+s0WdbOpn6MStKAiBVl"
717 "oPlSxEI8pxY6x/BBCnTIk/+DMB17uZlOjG3vbAnkDkP+n0OTucD9sHV7EVj9XUxi"
718 "51nOfNBCN/s7lpUjDS/NJ4k3iwOtbCPswiot8vLO779af07vR03r349Iz/KTzk95"
719 "rlFtX0IU+KYNxFNsanIXZ+C9FYGRXkwhHcvFb4qMUB1yTTlM80jBMOwyjZXmjRAh"
720 "MIID8DCCAtigAwIBAgIDAjqDMA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT"
721 "MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i"
722 "YWwgQ0EwHhcNMTMwNDA1MTUxNTU2WhcNMTYxMjMxMjM1OTU5WjBJMQswCQYDVQQG"
723 "EwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVy"
724 "bmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB"
725 "AJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NP"
726 "VaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtv"
727 "h8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rE"
728 "ahqyzFPdFUuLH8gZYR/Nnag+YyuENWllhMgZxUYi+FOVvuOAShDGKuy6lyARxzmZ"
729 "EASg8GF6lSWMTlJ14rbtCMoU/M4iarNOz0YDl5cDfsCx3nuvRTPPuj5xt970JSXC"
730 "DTWJnZ37DhF5iR43xa+OcmkCAwEAAaOB5zCB5DAfBgNVHSMEGDAWgBTAephojYn7"
731 "qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1dvWBtrtiGrpagS8wDgYD"
732 "VR0PAQH/BAQDAgEGMC4GCCsGAQUFBwEBBCIwIDAeBggrBgEFBQcwAYYSaHR0cDov"
733 "L2cuc3ltY2QuY29tMBIGA1UdEwEB/wQIMAYBAf8CAQAwNQYDVR0fBC4wLDAqoCig"
734 "JoYkaHR0cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9iYWwuY3JsMBcGA1UdIAQQ"
735 "MA4wDAYKKwYBBAHWeQIFATANBgkqhkiG9w0BAQsFAAOCAQEAqvqpIM1qZ4PtXtR+"
736 "3h3Ef+AlBgDFJPupyC1tft6dgmUsgWM0Zj7pUsIItMsv91+ZOmqcUHqFBYx90SpI"
737 "hNMJbHzCzTWf84LuUt5oX+QAihcglvcpjZpNy6jehsgNb1aHA30DP9z6eX0hGfnI"
738 "Oi9RdozHQZJxjyXON/hKTAAj78Q1EK7gI4BzfE00LshukNYQHpmEcxpw8u1VDu4X"
739 "Bupn7jLrLN1nBz/2i8Jw3lsA5rsb0zYaImxssDVCbJAJPZPpZAkiDoUGn8JzIdPm"
740 "X4DkjYUiOnMDsWCOrmji9D6X52ASCWg23jrW4kOVWzeBkoEfu43XrVJkFleW2V40"
741 "fsg12DCCA30wggLmoAMCAQICAxK75jANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQG"
742 "EwJVUzEQMA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUg"
743 "Q2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTAyMDUyMTA0MDAwMFoXDTE4MDgyMTA0"
744 "MDAwMFowQjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUdlb1RydXN0IEluYy4xGzAZ"
745 "BgNVBAMTEkdlb1RydXN0IEdsb2JhbCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP"
746 "ADCCAQoCggEBANrMGGMw/fQXIxpWflvfPGw45HG3eJHUvKHYTPioQ7YD6U0hBwiI"
747 "2lgvZjkpvQV4i5046AW3an5xpObEYKaw74DkiSgPniXW7YPzraaRx5jJQhg1FJ2t"
748 "mEaSLk/K8YdDwRaVVy1Q74ktgHpXrfLuX2vSAI25FPgUFTXZwEaje3LIkb/JVSvN"
749 "0Jc+nCZkzN/Ogxlxyk7m1NV7qRnNVd7I7NJeOFPlXE+MLf5QIzb8ZubLjqQ5GQC3"
750 "lQI5kQsO/jgu0R0FmvZNPm8PBx2vLB6PYDni+jZTEznUXiYr2z2oFL0y6xgDKFIE"
751 "ceWrMz3hOLsHNoRinHnqFjD0X8Ar6HFr5PkCAwEAAaOB8DCB7TAfBgNVHSMEGDAW"
752 "gBRI5mj5K9KylddH2CMgEE8zmJCf1DAdBgNVHQ4EFgQUwHqYaI2J+6sFZAwRfap9"
753 "ZbjKzE4wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwOgYDVR0fBDMw"
754 "MTAvoC2gK4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20vY3Jscy9zZWN1cmVjYS5j"
755 "cmwwTgYDVR0gBEcwRTBDBgRVHSAAMDswOQYIKwYBBQUHAgEWLWh0dHBzOi8vd3d3"
756 "Lmdlb3RydXN0LmNvbS9yZXNvdXJjZXMvcmVwb3NpdG9yeTANBgkqhkiG9w0BAQUF"
757 "AAOBgQB24RJuTksWEoYwBrKBCM/wCMfHcX5m7sLt1Dsf//DwyE7WQziwuTB9GNBV"
758 "g6JqyzYRnOhIZqNtf7gT1Ef+i1pcc/yu2RsyGTirlzQUqpbS66McFAhJtrvlke+D"
759 "NusdVm/K2rxzY5Dkf3s+Iss9B+1fOHSc4wNQTqGvmO5h8oQ/Eg==";
760
761 // kBadSessionExtraField is a custom serialized SSL_SESSION generated by replacing
762 // the final (optional) element of |kCustomSession| with tag number 99.
763 static const char kBadSessionExtraField[] =
764 "MIIBdgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
765 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
766 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
767 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
768 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
769 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
770 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
771 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBOMDBAEF";
772
773 // kBadSessionVersion is a custom serialized SSL_SESSION generated by replacing
774 // the version of |kCustomSession| with 2.
775 static const char kBadSessionVersion[] =
776 "MIIBdgIBAgICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
777 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
778 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
779 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
780 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
781 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
782 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
783 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBLADBAEF";
784
785 // kBadSessionTrailingData is a custom serialized SSL_SESSION with trailing data
786 // appended.
787 static const char kBadSessionTrailingData[] =
788 "MIIBdgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
789 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
790 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
791 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
792 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
793 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
794 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
795 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBLADBAEFAAAA";
796
DecodeBase64(std::vector<uint8_t> * out,const char * in)797 static bool DecodeBase64(std::vector<uint8_t> *out, const char *in) {
798 size_t len;
799 if (!EVP_DecodedLength(&len, strlen(in))) {
800 fprintf(stderr, "EVP_DecodedLength failed\n");
801 return false;
802 }
803
804 out->resize(len);
805 if (!EVP_DecodeBase64(out->data(), &len, len, (const uint8_t *)in,
806 strlen(in))) {
807 fprintf(stderr, "EVP_DecodeBase64 failed\n");
808 return false;
809 }
810 out->resize(len);
811 return true;
812 }
813
TEST(SSLTest,SessionEncoding)814 TEST(SSLTest, SessionEncoding) {
815 for (const char *input_b64 : {
816 kOpenSSLSession,
817 kCustomSession,
818 kBoringSSLSession,
819 }) {
820 SCOPED_TRACE(std::string(input_b64));
821 // Decode the input.
822 std::vector<uint8_t> input;
823 ASSERT_TRUE(DecodeBase64(&input, input_b64));
824
825 // Verify the SSL_SESSION decodes.
826 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
827 ASSERT_TRUE(ssl_ctx);
828 bssl::UniquePtr<SSL_SESSION> session(
829 SSL_SESSION_from_bytes(input.data(), input.size(), ssl_ctx.get()));
830 ASSERT_TRUE(session) << "SSL_SESSION_from_bytes failed";
831
832 // Verify the SSL_SESSION encoding round-trips.
833 size_t encoded_len;
834 bssl::UniquePtr<uint8_t> encoded;
835 uint8_t *encoded_raw;
836 ASSERT_TRUE(SSL_SESSION_to_bytes(session.get(), &encoded_raw, &encoded_len))
837 << "SSL_SESSION_to_bytes failed";
838 encoded.reset(encoded_raw);
839 EXPECT_EQ(Bytes(encoded.get(), encoded_len), Bytes(input))
840 << "SSL_SESSION_to_bytes did not round-trip";
841
842 // Verify the SSL_SESSION also decodes with the legacy API.
843 const uint8_t *cptr = input.data();
844 session.reset(d2i_SSL_SESSION(NULL, &cptr, input.size()));
845 ASSERT_TRUE(session) << "d2i_SSL_SESSION failed";
846 EXPECT_EQ(cptr, input.data() + input.size());
847
848 // Verify the SSL_SESSION encoding round-trips via the legacy API.
849 int len = i2d_SSL_SESSION(session.get(), NULL);
850 ASSERT_GT(len, 0) << "i2d_SSL_SESSION failed";
851 ASSERT_EQ(static_cast<size_t>(len), input.size())
852 << "i2d_SSL_SESSION(NULL) returned invalid length";
853
854 encoded.reset((uint8_t *)OPENSSL_malloc(input.size()));
855 ASSERT_TRUE(encoded);
856
857 uint8_t *ptr = encoded.get();
858 len = i2d_SSL_SESSION(session.get(), &ptr);
859 ASSERT_GT(len, 0) << "i2d_SSL_SESSION failed";
860 ASSERT_EQ(static_cast<size_t>(len), input.size())
861 << "i2d_SSL_SESSION(NULL) returned invalid length";
862 ASSERT_EQ(ptr, encoded.get() + input.size())
863 << "i2d_SSL_SESSION did not advance ptr correctly";
864 EXPECT_EQ(Bytes(encoded.get(), encoded_len), Bytes(input))
865 << "SSL_SESSION_to_bytes did not round-trip";
866 }
867
868 for (const char *input_b64 : {
869 kBadSessionExtraField,
870 kBadSessionVersion,
871 kBadSessionTrailingData,
872 }) {
873 SCOPED_TRACE(std::string(input_b64));
874 std::vector<uint8_t> input;
875 ASSERT_TRUE(DecodeBase64(&input, input_b64));
876
877 // Verify that the SSL_SESSION fails to decode.
878 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
879 ASSERT_TRUE(ssl_ctx);
880 bssl::UniquePtr<SSL_SESSION> session(
881 SSL_SESSION_from_bytes(input.data(), input.size(), ssl_ctx.get()));
882 EXPECT_FALSE(session) << "SSL_SESSION_from_bytes unexpectedly succeeded";
883 ERR_clear_error();
884 }
885 }
886
ExpectDefaultVersion(uint16_t min_version,uint16_t max_version,const SSL_METHOD * (* method)(void))887 static void ExpectDefaultVersion(uint16_t min_version, uint16_t max_version,
888 const SSL_METHOD *(*method)(void)) {
889 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method()));
890 ASSERT_TRUE(ctx);
891 EXPECT_EQ(min_version, SSL_CTX_get_min_proto_version(ctx.get()));
892 EXPECT_EQ(max_version, SSL_CTX_get_max_proto_version(ctx.get()));
893 }
894
TEST(SSLTest,DefaultVersion)895 TEST(SSLTest, DefaultVersion) {
896 ExpectDefaultVersion(TLS1_VERSION, TLS1_3_VERSION, &TLS_method);
897 ExpectDefaultVersion(TLS1_VERSION, TLS1_VERSION, &TLSv1_method);
898 ExpectDefaultVersion(TLS1_1_VERSION, TLS1_1_VERSION, &TLSv1_1_method);
899 ExpectDefaultVersion(TLS1_2_VERSION, TLS1_2_VERSION, &TLSv1_2_method);
900 ExpectDefaultVersion(DTLS1_VERSION, DTLS1_2_VERSION, &DTLS_method);
901 ExpectDefaultVersion(DTLS1_VERSION, DTLS1_VERSION, &DTLSv1_method);
902 ExpectDefaultVersion(DTLS1_2_VERSION, DTLS1_2_VERSION, &DTLSv1_2_method);
903 }
904
TEST(SSLTest,CipherProperties)905 TEST(SSLTest, CipherProperties) {
906 static const struct {
907 int id;
908 const char *standard_name;
909 int cipher_nid;
910 int digest_nid;
911 int kx_nid;
912 int auth_nid;
913 int prf_nid;
914 } kTests[] = {
915 {
916 SSL3_CK_RSA_DES_192_CBC3_SHA,
917 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
918 NID_des_ede3_cbc,
919 NID_sha1,
920 NID_kx_rsa,
921 NID_auth_rsa,
922 NID_md5_sha1,
923 },
924 {
925 TLS1_CK_RSA_WITH_AES_128_SHA,
926 "TLS_RSA_WITH_AES_128_CBC_SHA",
927 NID_aes_128_cbc,
928 NID_sha1,
929 NID_kx_rsa,
930 NID_auth_rsa,
931 NID_md5_sha1,
932 },
933 {
934 TLS1_CK_PSK_WITH_AES_256_CBC_SHA,
935 "TLS_PSK_WITH_AES_256_CBC_SHA",
936 NID_aes_256_cbc,
937 NID_sha1,
938 NID_kx_psk,
939 NID_auth_psk,
940 NID_md5_sha1,
941 },
942 {
943 TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
944 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
945 NID_aes_128_cbc,
946 NID_sha1,
947 NID_kx_ecdhe,
948 NID_auth_rsa,
949 NID_md5_sha1,
950 },
951 {
952 TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
953 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
954 NID_aes_256_cbc,
955 NID_sha1,
956 NID_kx_ecdhe,
957 NID_auth_rsa,
958 NID_md5_sha1,
959 },
960 {
961 TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
962 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
963 NID_aes_128_gcm,
964 NID_undef,
965 NID_kx_ecdhe,
966 NID_auth_rsa,
967 NID_sha256,
968 },
969 {
970 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
971 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
972 NID_aes_128_gcm,
973 NID_undef,
974 NID_kx_ecdhe,
975 NID_auth_ecdsa,
976 NID_sha256,
977 },
978 {
979 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
980 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
981 NID_aes_256_gcm,
982 NID_undef,
983 NID_kx_ecdhe,
984 NID_auth_ecdsa,
985 NID_sha384,
986 },
987 {
988 TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA,
989 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
990 NID_aes_128_cbc,
991 NID_sha1,
992 NID_kx_ecdhe,
993 NID_auth_psk,
994 NID_md5_sha1,
995 },
996 {
997 TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
998 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
999 NID_chacha20_poly1305,
1000 NID_undef,
1001 NID_kx_ecdhe,
1002 NID_auth_rsa,
1003 NID_sha256,
1004 },
1005 {
1006 TLS1_3_CK_AES_256_GCM_SHA384,
1007 "TLS_AES_256_GCM_SHA384",
1008 NID_aes_256_gcm,
1009 NID_undef,
1010 NID_kx_any,
1011 NID_auth_any,
1012 NID_sha384,
1013 },
1014 {
1015 TLS1_3_CK_AES_128_GCM_SHA256,
1016 "TLS_AES_128_GCM_SHA256",
1017 NID_aes_128_gcm,
1018 NID_undef,
1019 NID_kx_any,
1020 NID_auth_any,
1021 NID_sha256,
1022 },
1023 {
1024 TLS1_3_CK_CHACHA20_POLY1305_SHA256,
1025 "TLS_CHACHA20_POLY1305_SHA256",
1026 NID_chacha20_poly1305,
1027 NID_undef,
1028 NID_kx_any,
1029 NID_auth_any,
1030 NID_sha256,
1031 },
1032 };
1033
1034 for (const auto &t : kTests) {
1035 SCOPED_TRACE(t.standard_name);
1036
1037 const SSL_CIPHER *cipher = SSL_get_cipher_by_value(t.id & 0xffff);
1038 ASSERT_TRUE(cipher);
1039 EXPECT_STREQ(t.standard_name, SSL_CIPHER_standard_name(cipher));
1040
1041 EXPECT_EQ(t.cipher_nid, SSL_CIPHER_get_cipher_nid(cipher));
1042 EXPECT_EQ(t.digest_nid, SSL_CIPHER_get_digest_nid(cipher));
1043 EXPECT_EQ(t.kx_nid, SSL_CIPHER_get_kx_nid(cipher));
1044 EXPECT_EQ(t.auth_nid, SSL_CIPHER_get_auth_nid(cipher));
1045 EXPECT_EQ(t.prf_nid, SSL_CIPHER_get_prf_nid(cipher));
1046 }
1047 }
1048
1049 // CreateSessionWithTicket returns a sample |SSL_SESSION| with the specified
1050 // version and ticket length or nullptr on failure.
CreateSessionWithTicket(uint16_t version,size_t ticket_len)1051 static bssl::UniquePtr<SSL_SESSION> CreateSessionWithTicket(uint16_t version,
1052 size_t ticket_len) {
1053 std::vector<uint8_t> der;
1054 if (!DecodeBase64(&der, kOpenSSLSession)) {
1055 return nullptr;
1056 }
1057
1058 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
1059 if (!ssl_ctx) {
1060 return nullptr;
1061 }
1062 // Use a garbage ticket.
1063 std::vector<uint8_t> ticket(ticket_len, 'a');
1064 bssl::UniquePtr<SSL_SESSION> session(
1065 SSL_SESSION_from_bytes(der.data(), der.size(), ssl_ctx.get()));
1066 if (!session ||
1067 !SSL_SESSION_set_protocol_version(session.get(), version) ||
1068 !SSL_SESSION_set_ticket(session.get(), ticket.data(), ticket.size())) {
1069 return nullptr;
1070 }
1071 // Fix up the timeout.
1072 #if defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE)
1073 SSL_SESSION_set_time(session.get(), 1234);
1074 #else
1075 SSL_SESSION_set_time(session.get(), time(nullptr));
1076 #endif
1077 return session;
1078 }
1079
GetClientHello(SSL * ssl,std::vector<uint8_t> * out)1080 static bool GetClientHello(SSL *ssl, std::vector<uint8_t> *out) {
1081 bssl::UniquePtr<BIO> bio(BIO_new(BIO_s_mem()));
1082 if (!bio) {
1083 return false;
1084 }
1085 // Do not configure a reading BIO, but record what's written to a memory BIO.
1086 BIO_up_ref(bio.get());
1087 SSL_set_bio(ssl, nullptr /* rbio */, bio.get());
1088 int ret = SSL_connect(ssl);
1089 if (ret > 0) {
1090 // SSL_connect should fail without a BIO to write to.
1091 return false;
1092 }
1093 ERR_clear_error();
1094
1095 const uint8_t *client_hello;
1096 size_t client_hello_len;
1097 if (!BIO_mem_contents(bio.get(), &client_hello, &client_hello_len)) {
1098 return false;
1099 }
1100
1101 // We did not get far enough to write a ClientHello.
1102 if (client_hello_len == 0) {
1103 return false;
1104 }
1105
1106 *out = std::vector<uint8_t>(client_hello, client_hello + client_hello_len);
1107 return true;
1108 }
1109
1110 // GetClientHelloLen creates a client SSL connection with the specified version
1111 // and ticket length. It returns the length of the ClientHello, not including
1112 // the record header, on success and zero on error.
GetClientHelloLen(uint16_t max_version,uint16_t session_version,size_t ticket_len)1113 static size_t GetClientHelloLen(uint16_t max_version, uint16_t session_version,
1114 size_t ticket_len) {
1115 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
1116 bssl::UniquePtr<SSL_SESSION> session =
1117 CreateSessionWithTicket(session_version, ticket_len);
1118 if (!ctx || !session) {
1119 return 0;
1120 }
1121
1122 // Set a one-element cipher list so the baseline ClientHello is unpadded.
1123 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
1124 if (!ssl || !SSL_set_session(ssl.get(), session.get()) ||
1125 !SSL_set_strict_cipher_list(ssl.get(), "ECDHE-RSA-AES128-GCM-SHA256") ||
1126 !SSL_set_max_proto_version(ssl.get(), max_version)) {
1127 return 0;
1128 }
1129
1130 std::vector<uint8_t> client_hello;
1131 if (!GetClientHello(ssl.get(), &client_hello) ||
1132 client_hello.size() <= SSL3_RT_HEADER_LENGTH) {
1133 return 0;
1134 }
1135
1136 return client_hello.size() - SSL3_RT_HEADER_LENGTH;
1137 }
1138
TEST(SSLTest,Padding)1139 TEST(SSLTest, Padding) {
1140 struct PaddingVersions {
1141 uint16_t max_version, session_version;
1142 };
1143 static const PaddingVersions kPaddingVersions[] = {
1144 // Test the padding extension at TLS 1.2.
1145 {TLS1_2_VERSION, TLS1_2_VERSION},
1146 // Test the padding extension at TLS 1.3 with a TLS 1.2 session, so there
1147 // will be no PSK binder after the padding extension.
1148 {TLS1_3_VERSION, TLS1_2_VERSION},
1149 // Test the padding extension at TLS 1.3 with a TLS 1.3 session, so there
1150 // will be a PSK binder after the padding extension.
1151 {TLS1_3_VERSION, TLS1_3_VERSION},
1152
1153 };
1154
1155 struct PaddingTest {
1156 size_t input_len, padded_len;
1157 };
1158 static const PaddingTest kPaddingTests[] = {
1159 // ClientHellos of length below 0x100 do not require padding.
1160 {0xfe, 0xfe},
1161 {0xff, 0xff},
1162 // ClientHellos of length 0x100 through 0x1fb are padded up to 0x200.
1163 {0x100, 0x200},
1164 {0x123, 0x200},
1165 {0x1fb, 0x200},
1166 // ClientHellos of length 0x1fc through 0x1ff get padded beyond 0x200. The
1167 // padding extension takes a minimum of four bytes plus one required
1168 // content
1169 // byte. (To work around yet more server bugs, we avoid empty final
1170 // extensions.)
1171 {0x1fc, 0x201},
1172 {0x1fd, 0x202},
1173 {0x1fe, 0x203},
1174 {0x1ff, 0x204},
1175 // Finally, larger ClientHellos need no padding.
1176 {0x200, 0x200},
1177 {0x201, 0x201},
1178 };
1179
1180 for (const PaddingVersions &versions : kPaddingVersions) {
1181 SCOPED_TRACE(versions.max_version);
1182 SCOPED_TRACE(versions.session_version);
1183
1184 // Sample a baseline length.
1185 size_t base_len =
1186 GetClientHelloLen(versions.max_version, versions.session_version, 1);
1187 ASSERT_NE(base_len, 0u) << "Baseline length could not be sampled";
1188
1189 for (const PaddingTest &test : kPaddingTests) {
1190 SCOPED_TRACE(test.input_len);
1191 ASSERT_LE(base_len, test.input_len) << "Baseline ClientHello too long";
1192
1193 size_t padded_len =
1194 GetClientHelloLen(versions.max_version, versions.session_version,
1195 1 + test.input_len - base_len);
1196 EXPECT_EQ(padded_len, test.padded_len)
1197 << "ClientHello was not padded to expected length";
1198 }
1199 }
1200 }
1201
CertFromPEM(const char * pem)1202 static bssl::UniquePtr<X509> CertFromPEM(const char *pem) {
1203 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(pem, strlen(pem)));
1204 if (!bio) {
1205 return nullptr;
1206 }
1207 return bssl::UniquePtr<X509>(
1208 PEM_read_bio_X509(bio.get(), nullptr, nullptr, nullptr));
1209 }
1210
KeyFromPEM(const char * pem)1211 static bssl::UniquePtr<EVP_PKEY> KeyFromPEM(const char *pem) {
1212 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(pem, strlen(pem)));
1213 if (!bio) {
1214 return nullptr;
1215 }
1216 return bssl::UniquePtr<EVP_PKEY>(
1217 PEM_read_bio_PrivateKey(bio.get(), nullptr, nullptr, nullptr));
1218 }
1219
GetTestCertificate()1220 static bssl::UniquePtr<X509> GetTestCertificate() {
1221 static const char kCertPEM[] =
1222 "-----BEGIN CERTIFICATE-----\n"
1223 "MIICWDCCAcGgAwIBAgIJAPuwTC6rEJsMMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV\n"
1224 "BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX\n"
1225 "aWRnaXRzIFB0eSBMdGQwHhcNMTQwNDIzMjA1MDQwWhcNMTcwNDIyMjA1MDQwWjBF\n"
1226 "MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50\n"
1227 "ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\n"
1228 "gQDYK8imMuRi/03z0K1Zi0WnvfFHvwlYeyK9Na6XJYaUoIDAtB92kWdGMdAQhLci\n"
1229 "HnAjkXLI6W15OoV3gA/ElRZ1xUpxTMhjP6PyY5wqT5r6y8FxbiiFKKAnHmUcrgfV\n"
1230 "W28tQ+0rkLGMryRtrukXOgXBv7gcrmU7G1jC2a7WqmeI8QIDAQABo1AwTjAdBgNV\n"
1231 "HQ4EFgQUi3XVrMsIvg4fZbf6Vr5sp3Xaha8wHwYDVR0jBBgwFoAUi3XVrMsIvg4f\n"
1232 "Zbf6Vr5sp3Xaha8wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQA76Hht\n"
1233 "ldY9avcTGSwbwoiuIqv0jTL1fHFnzy3RHMLDh+Lpvolc5DSrSJHCP5WuK0eeJXhr\n"
1234 "T5oQpHL9z/cCDLAKCKRa4uV0fhEdOWBqyR9p8y5jJtye72t6CuFUV5iqcpF4BH4f\n"
1235 "j2VNHwsSrJwkD4QUGlUtH7vwnQmyCFxZMmWAJg==\n"
1236 "-----END CERTIFICATE-----\n";
1237 return CertFromPEM(kCertPEM);
1238 }
1239
GetTestKey()1240 static bssl::UniquePtr<EVP_PKEY> GetTestKey() {
1241 static const char kKeyPEM[] =
1242 "-----BEGIN RSA PRIVATE KEY-----\n"
1243 "MIICXgIBAAKBgQDYK8imMuRi/03z0K1Zi0WnvfFHvwlYeyK9Na6XJYaUoIDAtB92\n"
1244 "kWdGMdAQhLciHnAjkXLI6W15OoV3gA/ElRZ1xUpxTMhjP6PyY5wqT5r6y8FxbiiF\n"
1245 "KKAnHmUcrgfVW28tQ+0rkLGMryRtrukXOgXBv7gcrmU7G1jC2a7WqmeI8QIDAQAB\n"
1246 "AoGBAIBy09Fd4DOq/Ijp8HeKuCMKTHqTW1xGHshLQ6jwVV2vWZIn9aIgmDsvkjCe\n"
1247 "i6ssZvnbjVcwzSoByhjN8ZCf/i15HECWDFFh6gt0P5z0MnChwzZmvatV/FXCT0j+\n"
1248 "WmGNB/gkehKjGXLLcjTb6dRYVJSCZhVuOLLcbWIV10gggJQBAkEA8S8sGe4ezyyZ\n"
1249 "m4e9r95g6s43kPqtj5rewTsUxt+2n4eVodD+ZUlCULWVNAFLkYRTBCASlSrm9Xhj\n"
1250 "QpmWAHJUkQJBAOVzQdFUaewLtdOJoPCtpYoY1zd22eae8TQEmpGOR11L6kbxLQsk\n"
1251 "aMly/DOnOaa82tqAGTdqDEZgSNmCeKKknmECQAvpnY8GUOVAubGR6c+W90iBuQLj\n"
1252 "LtFp/9ihd2w/PoDwrHZaoUYVcT4VSfJQog/k7kjE4MYXYWL8eEKg3WTWQNECQQDk\n"
1253 "104Wi91Umd1PzF0ijd2jXOERJU1wEKe6XLkYYNHWQAe5l4J4MWj9OdxFXAxIuuR/\n"
1254 "tfDwbqkta4xcux67//khAkEAvvRXLHTaa6VFzTaiiO8SaFsHV3lQyXOtMrBpB5jd\n"
1255 "moZWgjHvB2W9Ckn7sDqsPB+U2tyX0joDdQEyuiMECDY8oQ==\n"
1256 "-----END RSA PRIVATE KEY-----\n";
1257 return KeyFromPEM(kKeyPEM);
1258 }
1259
CreateContextWithTestCertificate(const SSL_METHOD * method)1260 static bssl::UniquePtr<SSL_CTX> CreateContextWithTestCertificate(
1261 const SSL_METHOD *method) {
1262 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
1263 bssl::UniquePtr<X509> cert = GetTestCertificate();
1264 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
1265 if (!ctx || !cert || !key ||
1266 !SSL_CTX_use_certificate(ctx.get(), cert.get()) ||
1267 !SSL_CTX_use_PrivateKey(ctx.get(), key.get())) {
1268 return nullptr;
1269 }
1270 return ctx;
1271 }
1272
GetECDSATestCertificate()1273 static bssl::UniquePtr<X509> GetECDSATestCertificate() {
1274 static const char kCertPEM[] =
1275 "-----BEGIN CERTIFICATE-----\n"
1276 "MIIBzzCCAXagAwIBAgIJANlMBNpJfb/rMAkGByqGSM49BAEwRTELMAkGA1UEBhMC\n"
1277 "QVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdp\n"
1278 "dHMgUHR5IEx0ZDAeFw0xNDA0MjMyMzIxNTdaFw0xNDA1MjMyMzIxNTdaMEUxCzAJ\n"
1279 "BgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5l\n"
1280 "dCBXaWRnaXRzIFB0eSBMdGQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATmK2ni\n"
1281 "v2Wfl74vHg2UikzVl2u3qR4NRvvdqakendy6WgHn1peoChj5w8SjHlbifINI2xYa\n"
1282 "HPUdfvGULUvPciLBo1AwTjAdBgNVHQ4EFgQUq4TSrKuV8IJOFngHVVdf5CaNgtEw\n"
1283 "HwYDVR0jBBgwFoAUq4TSrKuV8IJOFngHVVdf5CaNgtEwDAYDVR0TBAUwAwEB/zAJ\n"
1284 "BgcqhkjOPQQBA0gAMEUCIQDyoDVeUTo2w4J5m+4nUIWOcAZ0lVfSKXQA9L4Vh13E\n"
1285 "BwIgfB55FGohg/B6dGh5XxSZmmi08cueFV7mHzJSYV51yRQ=\n"
1286 "-----END CERTIFICATE-----\n";
1287 return CertFromPEM(kCertPEM);
1288 }
1289
GetECDSATestKey()1290 static bssl::UniquePtr<EVP_PKEY> GetECDSATestKey() {
1291 static const char kKeyPEM[] =
1292 "-----BEGIN PRIVATE KEY-----\n"
1293 "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgBw8IcnrUoEqc3VnJ\n"
1294 "TYlodwi1b8ldMHcO6NHJzgqLtGqhRANCAATmK2niv2Wfl74vHg2UikzVl2u3qR4N\n"
1295 "Rvvdqakendy6WgHn1peoChj5w8SjHlbifINI2xYaHPUdfvGULUvPciLB\n"
1296 "-----END PRIVATE KEY-----\n";
1297 return KeyFromPEM(kKeyPEM);
1298 }
1299
BufferFromPEM(const char * pem)1300 static bssl::UniquePtr<CRYPTO_BUFFER> BufferFromPEM(const char *pem) {
1301 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(pem, strlen(pem)));
1302 char *name, *header;
1303 uint8_t *data;
1304 long data_len;
1305 if (!PEM_read_bio(bio.get(), &name, &header, &data,
1306 &data_len)) {
1307 return nullptr;
1308 }
1309 OPENSSL_free(name);
1310 OPENSSL_free(header);
1311
1312 auto ret = bssl::UniquePtr<CRYPTO_BUFFER>(
1313 CRYPTO_BUFFER_new(data, data_len, nullptr));
1314 OPENSSL_free(data);
1315 return ret;
1316 }
1317
GetChainTestCertificateBuffer()1318 static bssl::UniquePtr<CRYPTO_BUFFER> GetChainTestCertificateBuffer() {
1319 static const char kCertPEM[] =
1320 "-----BEGIN CERTIFICATE-----\n"
1321 "MIIC0jCCAbqgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEQiBD\n"
1322 "QTAeFw0xNjAyMjgyMDI3MDNaFw0yNjAyMjUyMDI3MDNaMBgxFjAUBgNVBAMMDUNs\n"
1323 "aWVudCBDZXJ0IEEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDRvaz8\n"
1324 "CC/cshpCafJo4jLkHEoBqDLhdgFelJoAiQUyIqyWl2O7YHPnpJH+TgR7oelzNzt/\n"
1325 "kLRcH89M/TszB6zqyLTC4aqmvzKL0peD/jL2LWBucR0WXIvjA3zoRuF/x86+rYH3\n"
1326 "tHb+xs2PSs8EGL/Ev+ss+qTzTGEn26fuGNHkNw6tOwPpc+o8+wUtzf/kAthamo+c\n"
1327 "IDs2rQ+lP7+aLZTLeU/q4gcLutlzcK5imex5xy2jPkweq48kijK0kIzl1cPlA5d1\n"
1328 "z7C8jU50Pj9X9sQDJTN32j7UYRisJeeYQF8GaaN8SbrDI6zHgKzrRLyxDt/KQa9V\n"
1329 "iLeXANgZi+Xx9KgfAgMBAAGjLzAtMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYI\n"
1330 "KwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQBFEVbmYl+2RtNw\n"
1331 "rDftRDF1v2QUbcN2ouSnQDHxeDQdSgasLzT3ui8iYu0Rw2WWcZ0DV5e0ztGPhWq7\n"
1332 "AO0B120aFRMOY+4+bzu9Q2FFkQqc7/fKTvTDzIJI5wrMnFvUfzzvxh3OHWMYSs/w\n"
1333 "giq33hTKeHEq6Jyk3btCny0Ycecyc3yGXH10sizUfiHlhviCkDuESk8mFDwDDzqW\n"
1334 "ZF0IipzFbEDHoIxLlm3GQxpiLoEV4k8KYJp3R5KBLFyxM6UGPz8h72mIPCJp2RuK\n"
1335 "MYgF91UDvVzvnYm6TfseM2+ewKirC00GOrZ7rEcFvtxnKSqYf4ckqfNdSU1Y+RRC\n"
1336 "1ngWZ7Ih\n"
1337 "-----END CERTIFICATE-----\n";
1338 return BufferFromPEM(kCertPEM);
1339 }
1340
X509FromBuffer(bssl::UniquePtr<CRYPTO_BUFFER> buffer)1341 static bssl::UniquePtr<X509> X509FromBuffer(
1342 bssl::UniquePtr<CRYPTO_BUFFER> buffer) {
1343 if (!buffer) {
1344 return nullptr;
1345 }
1346 const uint8_t *derp = CRYPTO_BUFFER_data(buffer.get());
1347 return bssl::UniquePtr<X509>(
1348 d2i_X509(NULL, &derp, CRYPTO_BUFFER_len(buffer.get())));
1349 }
1350
GetChainTestCertificate()1351 static bssl::UniquePtr<X509> GetChainTestCertificate() {
1352 return X509FromBuffer(GetChainTestCertificateBuffer());
1353 }
1354
GetChainTestIntermediateBuffer()1355 static bssl::UniquePtr<CRYPTO_BUFFER> GetChainTestIntermediateBuffer() {
1356 static const char kCertPEM[] =
1357 "-----BEGIN CERTIFICATE-----\n"
1358 "MIICwjCCAaqgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwFDESMBAGA1UEAwwJQyBS\n"
1359 "b290IENBMB4XDTE2MDIyODIwMjcwM1oXDTI2MDIyNTIwMjcwM1owDzENMAsGA1UE\n"
1360 "AwwEQiBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALsSCYmDip2D\n"
1361 "GkjFxw7ykz26JSjELkl6ArlYjFJ3aT/SCh8qbS4gln7RH8CPBd78oFdfhIKQrwtZ\n"
1362 "3/q21ykD9BAS3qHe2YdcJfm8/kWAy5DvXk6NXU4qX334KofBAEpgdA/igEFq1P1l\n"
1363 "HAuIfZCpMRfT+i5WohVsGi8f/NgpRvVaMONLNfgw57mz1lbtFeBEISmX0kbsuJxF\n"
1364 "Qj/Bwhi5/0HAEXG8e7zN4cEx0yPRvmOATRdVb/8dW2pwOHRJq9R5M0NUkIsTSnL7\n"
1365 "6N/z8hRAHMsV3IudC5Yd7GXW1AGu9a+iKU+Q4xcZCoj0DC99tL4VKujrV1kAeqsM\n"
1366 "cz5/dKzi6+cCAwEAAaMjMCEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
1367 "AQYwDQYJKoZIhvcNAQELBQADggEBAIIeZiEeNhWWQ8Y4D+AGDwqUUeG8NjCbKrXQ\n"
1368 "BlHg5wZ8xftFaiP1Dp/UAezmx2LNazdmuwrYB8lm3FVTyaPDTKEGIPS4wJKHgqH1\n"
1369 "QPDhqNm85ey7TEtI9oYjsNim/Rb+iGkIAMXaxt58SzxbjvP0kMr1JfJIZbic9vye\n"
1370 "NwIspMFIpP3FB8ywyu0T0hWtCQgL4J47nigCHpOu58deP88fS/Nyz/fyGVWOZ76b\n"
1371 "WhWwgM3P3X95fQ3d7oFPR/bVh0YV+Cf861INwplokXgXQ3/TCQ+HNXeAMWn3JLWv\n"
1372 "XFwk8owk9dq/kQGdndGgy3KTEW4ctPX5GNhf3LJ9Q7dLji4ReQ4=\n"
1373 "-----END CERTIFICATE-----\n";
1374 return BufferFromPEM(kCertPEM);
1375 }
1376
GetChainTestIntermediate()1377 static bssl::UniquePtr<X509> GetChainTestIntermediate() {
1378 return X509FromBuffer(GetChainTestIntermediateBuffer());
1379 }
1380
GetChainTestKey()1381 static bssl::UniquePtr<EVP_PKEY> GetChainTestKey() {
1382 static const char kKeyPEM[] =
1383 "-----BEGIN PRIVATE KEY-----\n"
1384 "MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDRvaz8CC/cshpC\n"
1385 "afJo4jLkHEoBqDLhdgFelJoAiQUyIqyWl2O7YHPnpJH+TgR7oelzNzt/kLRcH89M\n"
1386 "/TszB6zqyLTC4aqmvzKL0peD/jL2LWBucR0WXIvjA3zoRuF/x86+rYH3tHb+xs2P\n"
1387 "Ss8EGL/Ev+ss+qTzTGEn26fuGNHkNw6tOwPpc+o8+wUtzf/kAthamo+cIDs2rQ+l\n"
1388 "P7+aLZTLeU/q4gcLutlzcK5imex5xy2jPkweq48kijK0kIzl1cPlA5d1z7C8jU50\n"
1389 "Pj9X9sQDJTN32j7UYRisJeeYQF8GaaN8SbrDI6zHgKzrRLyxDt/KQa9ViLeXANgZ\n"
1390 "i+Xx9KgfAgMBAAECggEBAK0VjSJzkyPaamcyTVSWjo7GdaBGcK60lk657RjR+lK0\n"
1391 "YJ7pkej4oM2hdsVZFsP8Cs4E33nXLa/0pDsRov/qrp0WQm2skwqGMC1I/bZ0WRPk\n"
1392 "wHaDrBBfESWnJDX/AGpVtlyOjPmgmK6J2usMPihQUDkKdAYrVWJePrMIxt1q6BMe\n"
1393 "iczs3qriMmtY3bUc4UyUwJ5fhDLjshHvfuIpYQyI6EXZM6dZksn9LylXJnigY6QJ\n"
1394 "HxOYO0BDwOsZ8yQ8J8afLk88i0GizEkgE1z3REtQUwgWfxr1WV/ud+T6/ZhSAgH9\n"
1395 "042mQvSFZnIUSEsmCvjhWuAunfxHKCTcAoYISWfzWpkCgYEA7gpf3HHU5Tn+CgUn\n"
1396 "1X5uGpG3DmcMgfeGgs2r2f/IIg/5Ac1dfYILiybL1tN9zbyLCJfcbFpWBc9hJL6f\n"
1397 "CPc5hUiwWFJqBJewxQkC1Ae/HakHbip+IZ+Jr0842O4BAArvixk4Lb7/N2Ct9sTE\n"
1398 "NJO6RtK9lbEZ5uK61DglHy8CS2UCgYEA4ZC1o36kPAMQBggajgnucb2yuUEelk0f\n"
1399 "AEr+GI32MGE+93xMr7rAhBoqLg4AITyIfEnOSQ5HwagnIHonBbv1LV/Gf9ursx8Z\n"
1400 "YOGbvT8zzzC+SU1bkDzdjAYnFQVGIjMtKOBJ3K07++ypwX1fr4QsQ8uKL8WSOWwt\n"
1401 "Z3Bym6XiZzMCgYADnhy+2OwHX85AkLt+PyGlPbmuelpyTzS4IDAQbBa6jcuW/2wA\n"
1402 "UE2km75VUXmD+u2R/9zVuLm99NzhFhSMqlUxdV1YukfqMfP5yp1EY6m/5aW7QuIP\n"
1403 "2MDa7TVL9rIFMiVZ09RKvbBbQxjhuzPQKL6X/PPspnhiTefQ+dl2k9xREQKBgHDS\n"
1404 "fMfGNEeAEKezrfSVqxphE9/tXms3L+ZpnCaT+yu/uEr5dTIAawKoQ6i9f/sf1/Sy\n"
1405 "xedsqR+IB+oKrzIDDWMgoJybN4pkZ8E5lzhVQIjFjKgFdWLzzqyW9z1gYfABQPlN\n"
1406 "FiS20WX0vgP1vcKAjdNrHzc9zyHBpgQzDmAj3NZZAoGBAI8vKCKdH7w3aL5CNkZQ\n"
1407 "2buIeWNA2HZazVwAGG5F2TU/LmXfRKnG6dX5bkU+AkBZh56jNZy//hfFSewJB4Kk\n"
1408 "buB7ERSdaNbO21zXt9FEA3+z0RfMd/Zv2vlIWOSB5nzl/7UKti3sribK6s9ZVLfi\n"
1409 "SxpiPQ8d/hmSGwn4ksrWUsJD\n"
1410 "-----END PRIVATE KEY-----\n";
1411 return KeyFromPEM(kKeyPEM);
1412 }
1413
CompleteHandshakes(SSL * client,SSL * server)1414 static bool CompleteHandshakes(SSL *client, SSL *server) {
1415 // Drive both their handshakes to completion.
1416 for (;;) {
1417 int client_ret = SSL_do_handshake(client);
1418 int client_err = SSL_get_error(client, client_ret);
1419 if (client_err != SSL_ERROR_NONE &&
1420 client_err != SSL_ERROR_WANT_READ &&
1421 client_err != SSL_ERROR_WANT_WRITE &&
1422 client_err != SSL_ERROR_PENDING_TICKET) {
1423 fprintf(stderr, "Client error: %s\n", SSL_error_description(client_err));
1424 return false;
1425 }
1426
1427 int server_ret = SSL_do_handshake(server);
1428 int server_err = SSL_get_error(server, server_ret);
1429 if (server_err != SSL_ERROR_NONE &&
1430 server_err != SSL_ERROR_WANT_READ &&
1431 server_err != SSL_ERROR_WANT_WRITE &&
1432 server_err != SSL_ERROR_PENDING_TICKET) {
1433 fprintf(stderr, "Server error: %s\n", SSL_error_description(server_err));
1434 return false;
1435 }
1436
1437 if (client_ret == 1 && server_ret == 1) {
1438 break;
1439 }
1440 }
1441
1442 return true;
1443 }
1444
FlushNewSessionTickets(SSL * client,SSL * server)1445 static bool FlushNewSessionTickets(SSL *client, SSL *server) {
1446 // NewSessionTickets are deferred on the server to |SSL_write|, and clients do
1447 // not pick them up until |SSL_read|.
1448 for (;;) {
1449 int server_ret = SSL_write(server, nullptr, 0);
1450 int server_err = SSL_get_error(server, server_ret);
1451 // The server may either succeed (|server_ret| is zero) or block on write
1452 // (|server_ret| is -1 and |server_err| is |SSL_ERROR_WANT_WRITE|).
1453 if (server_ret > 0 ||
1454 (server_ret < 0 && server_err != SSL_ERROR_WANT_WRITE)) {
1455 fprintf(stderr, "Unexpected server result: %d %d\n", server_ret,
1456 server_err);
1457 return false;
1458 }
1459
1460 int client_ret = SSL_read(client, nullptr, 0);
1461 int client_err = SSL_get_error(client, client_ret);
1462 // The client must always block on read.
1463 if (client_ret != -1 || client_err != SSL_ERROR_WANT_READ) {
1464 fprintf(stderr, "Unexpected client result: %d %d\n", client_ret,
1465 client_err);
1466 return false;
1467 }
1468
1469 // The server flushed everything it had to write.
1470 if (server_ret == 0) {
1471 return true;
1472 }
1473 }
1474 }
1475
1476 // CreateClientAndServer creates a client and server |SSL| objects whose |BIO|s
1477 // are paired with each other. It does not run the handshake. The caller is
1478 // expected to configure the objects and drive the handshake as needed.
CreateClientAndServer(bssl::UniquePtr<SSL> * out_client,bssl::UniquePtr<SSL> * out_server,SSL_CTX * client_ctx,SSL_CTX * server_ctx)1479 static bool CreateClientAndServer(bssl::UniquePtr<SSL> *out_client,
1480 bssl::UniquePtr<SSL> *out_server,
1481 SSL_CTX *client_ctx, SSL_CTX *server_ctx) {
1482 bssl::UniquePtr<SSL> client(SSL_new(client_ctx)), server(SSL_new(server_ctx));
1483 if (!client || !server) {
1484 return false;
1485 }
1486 SSL_set_connect_state(client.get());
1487 SSL_set_accept_state(server.get());
1488
1489 BIO *bio1, *bio2;
1490 if (!BIO_new_bio_pair(&bio1, 0, &bio2, 0)) {
1491 return false;
1492 }
1493 // SSL_set_bio takes ownership.
1494 SSL_set_bio(client.get(), bio1, bio1);
1495 SSL_set_bio(server.get(), bio2, bio2);
1496
1497 *out_client = std::move(client);
1498 *out_server = std::move(server);
1499 return true;
1500 }
1501
1502 struct ClientConfig {
1503 SSL_SESSION *session = nullptr;
1504 std::string servername;
1505 std::string verify_hostname;
1506 unsigned hostflags = 0;
1507 bool early_data = false;
1508 };
1509
ConnectClientAndServer(bssl::UniquePtr<SSL> * out_client,bssl::UniquePtr<SSL> * out_server,SSL_CTX * client_ctx,SSL_CTX * server_ctx,const ClientConfig & config=ClientConfig (),bool shed_handshake_config=true)1510 static bool ConnectClientAndServer(bssl::UniquePtr<SSL> *out_client,
1511 bssl::UniquePtr<SSL> *out_server,
1512 SSL_CTX *client_ctx, SSL_CTX *server_ctx,
1513 const ClientConfig &config = ClientConfig(),
1514 bool shed_handshake_config = true) {
1515 bssl::UniquePtr<SSL> client, server;
1516 if (!CreateClientAndServer(&client, &server, client_ctx, server_ctx)) {
1517 return false;
1518 }
1519 if (config.early_data) {
1520 SSL_set_early_data_enabled(client.get(), 1);
1521 }
1522 if (config.session) {
1523 SSL_set_session(client.get(), config.session);
1524 }
1525 if (!config.servername.empty() &&
1526 !SSL_set_tlsext_host_name(client.get(), config.servername.c_str())) {
1527 return false;
1528 }
1529 if (!config.verify_hostname.empty()) {
1530 if (!SSL_set1_host(client.get(), config.verify_hostname.c_str())) {
1531 return false;
1532 }
1533 SSL_set_hostflags(client.get(), config.hostflags);
1534 }
1535
1536 SSL_set_shed_handshake_config(client.get(), shed_handshake_config);
1537 SSL_set_shed_handshake_config(server.get(), shed_handshake_config);
1538
1539 if (!CompleteHandshakes(client.get(), server.get())) {
1540 return false;
1541 }
1542
1543 *out_client = std::move(client);
1544 *out_server = std::move(server);
1545 return true;
1546 }
1547
1548 static bssl::UniquePtr<SSL_SESSION> g_last_session;
1549
SaveLastSession(SSL * ssl,SSL_SESSION * session)1550 static int SaveLastSession(SSL *ssl, SSL_SESSION *session) {
1551 // Save the most recent session.
1552 g_last_session.reset(session);
1553 return 1;
1554 }
1555
CreateClientSession(SSL_CTX * client_ctx,SSL_CTX * server_ctx,const ClientConfig & config=ClientConfig ())1556 static bssl::UniquePtr<SSL_SESSION> CreateClientSession(
1557 SSL_CTX *client_ctx, SSL_CTX *server_ctx,
1558 const ClientConfig &config = ClientConfig()) {
1559 g_last_session = nullptr;
1560 SSL_CTX_sess_set_new_cb(client_ctx, SaveLastSession);
1561
1562 // Connect client and server to get a session.
1563 bssl::UniquePtr<SSL> client, server;
1564 if (!ConnectClientAndServer(&client, &server, client_ctx, server_ctx,
1565 config) ||
1566 !FlushNewSessionTickets(client.get(), server.get())) {
1567 fprintf(stderr, "Failed to connect client and server.\n");
1568 return nullptr;
1569 }
1570
1571 SSL_CTX_sess_set_new_cb(client_ctx, nullptr);
1572
1573 if (!g_last_session) {
1574 fprintf(stderr, "Client did not receive a session.\n");
1575 return nullptr;
1576 }
1577 return std::move(g_last_session);
1578 }
1579
1580 // Test that |SSL_get_client_CA_list| echoes back the configured parameter even
1581 // before configuring as a server.
TEST(SSLTest,ClientCAList)1582 TEST(SSLTest, ClientCAList) {
1583 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
1584 ASSERT_TRUE(ctx);
1585 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
1586 ASSERT_TRUE(ssl);
1587
1588 bssl::UniquePtr<X509_NAME> name(X509_NAME_new());
1589 ASSERT_TRUE(name);
1590
1591 bssl::UniquePtr<X509_NAME> name_dup(X509_NAME_dup(name.get()));
1592 ASSERT_TRUE(name_dup);
1593
1594 bssl::UniquePtr<STACK_OF(X509_NAME)> stack(sk_X509_NAME_new_null());
1595 ASSERT_TRUE(stack);
1596 ASSERT_TRUE(PushToStack(stack.get(), std::move(name_dup)));
1597
1598 // |SSL_set_client_CA_list| takes ownership.
1599 SSL_set_client_CA_list(ssl.get(), stack.release());
1600
1601 STACK_OF(X509_NAME) *result = SSL_get_client_CA_list(ssl.get());
1602 ASSERT_TRUE(result);
1603 ASSERT_EQ(1u, sk_X509_NAME_num(result));
1604 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(result, 0), name.get()));
1605 }
1606
TEST(SSLTest,AddClientCA)1607 TEST(SSLTest, AddClientCA) {
1608 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
1609 ASSERT_TRUE(ctx);
1610 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
1611 ASSERT_TRUE(ssl);
1612
1613 bssl::UniquePtr<X509> cert1 = GetTestCertificate();
1614 bssl::UniquePtr<X509> cert2 = GetChainTestCertificate();
1615 ASSERT_TRUE(cert1 && cert2);
1616 X509_NAME *name1 = X509_get_subject_name(cert1.get());
1617 X509_NAME *name2 = X509_get_subject_name(cert2.get());
1618
1619 EXPECT_EQ(0u, sk_X509_NAME_num(SSL_get_client_CA_list(ssl.get())));
1620
1621 ASSERT_TRUE(SSL_add_client_CA(ssl.get(), cert1.get()));
1622 ASSERT_TRUE(SSL_add_client_CA(ssl.get(), cert2.get()));
1623
1624 STACK_OF(X509_NAME) *list = SSL_get_client_CA_list(ssl.get());
1625 ASSERT_EQ(2u, sk_X509_NAME_num(list));
1626 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 0), name1));
1627 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 1), name2));
1628
1629 ASSERT_TRUE(SSL_add_client_CA(ssl.get(), cert1.get()));
1630
1631 list = SSL_get_client_CA_list(ssl.get());
1632 ASSERT_EQ(3u, sk_X509_NAME_num(list));
1633 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 0), name1));
1634 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 1), name2));
1635 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 2), name1));
1636 }
1637
1638 struct ECHConfigParams {
1639 uint16_t version = TLSEXT_TYPE_encrypted_client_hello;
1640 uint16_t config_id = 1;
1641 std::string public_name = "example.com";
1642 const EVP_HPKE_KEY *key = nullptr;
1643 // kem_id, if zero, takes its value from |key|.
1644 uint16_t kem_id = 0;
1645 // public_key, if empty takes its value from |key|.
1646 std::vector<uint8_t> public_key;
1647 size_t max_name_len = 16;
1648 // cipher_suites is a list of code points which should contain pairs of KDF
1649 // and AEAD IDs.
1650 std::vector<uint16_t> cipher_suites = {EVP_HPKE_HKDF_SHA256,
1651 EVP_HPKE_AES_128_GCM};
1652 std::vector<uint8_t> extensions;
1653 };
1654
1655 // MakeECHConfig serializes an ECHConfig from |params| and writes it to
1656 // |*out|.
MakeECHConfig(std::vector<uint8_t> * out,const ECHConfigParams & params)1657 bool MakeECHConfig(std::vector<uint8_t> *out,
1658 const ECHConfigParams ¶ms) {
1659 uint16_t kem_id = params.kem_id == 0
1660 ? EVP_HPKE_KEM_id(EVP_HPKE_KEY_kem(params.key))
1661 : params.kem_id;
1662 std::vector<uint8_t> public_key = params.public_key;
1663 if (public_key.empty()) {
1664 public_key.resize(EVP_HPKE_MAX_PUBLIC_KEY_LENGTH);
1665 size_t len;
1666 if (!EVP_HPKE_KEY_public_key(params.key, public_key.data(), &len,
1667 public_key.size())) {
1668 return false;
1669 }
1670 public_key.resize(len);
1671 }
1672
1673 bssl::ScopedCBB cbb;
1674 CBB contents, child;
1675 if (!CBB_init(cbb.get(), 64) ||
1676 !CBB_add_u16(cbb.get(), params.version) ||
1677 !CBB_add_u16_length_prefixed(cbb.get(), &contents) ||
1678 !CBB_add_u8(&contents, params.config_id) ||
1679 !CBB_add_u16(&contents, kem_id) ||
1680 !CBB_add_u16_length_prefixed(&contents, &child) ||
1681 !CBB_add_bytes(&child, public_key.data(), public_key.size()) ||
1682 !CBB_add_u16_length_prefixed(&contents, &child)) {
1683 return false;
1684 }
1685 for (uint16_t cipher_suite : params.cipher_suites) {
1686 if (!CBB_add_u16(&child, cipher_suite)) {
1687 return false;
1688 }
1689 }
1690 if (!CBB_add_u8(&contents, params.max_name_len) ||
1691 !CBB_add_u8_length_prefixed(&contents, &child) ||
1692 !CBB_add_bytes(
1693 &child, reinterpret_cast<const uint8_t *>(params.public_name.data()),
1694 params.public_name.size()) ||
1695 !CBB_add_u16_length_prefixed(&contents, &child) ||
1696 !CBB_add_bytes(&child, params.extensions.data(),
1697 params.extensions.size()) ||
1698 !CBB_flush(cbb.get())) {
1699 return false;
1700 }
1701
1702 out->assign(CBB_data(cbb.get()), CBB_data(cbb.get()) + CBB_len(cbb.get()));
1703 return true;
1704 }
1705
MakeTestECHKeys(uint8_t config_id=1)1706 static bssl::UniquePtr<SSL_ECH_KEYS> MakeTestECHKeys(uint8_t config_id = 1) {
1707 bssl::ScopedEVP_HPKE_KEY key;
1708 uint8_t *ech_config;
1709 size_t ech_config_len;
1710 if (!EVP_HPKE_KEY_generate(key.get(), EVP_hpke_x25519_hkdf_sha256()) ||
1711 !SSL_marshal_ech_config(&ech_config, &ech_config_len, config_id,
1712 key.get(), "public.example", 16)) {
1713 return nullptr;
1714 }
1715 bssl::UniquePtr<uint8_t> free_ech_config(ech_config);
1716
1717 // Install a non-retry config.
1718 bssl::UniquePtr<SSL_ECH_KEYS> keys(SSL_ECH_KEYS_new());
1719 if (!keys || !SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1, ech_config,
1720 ech_config_len, key.get())) {
1721 return nullptr;
1722 }
1723 return keys;
1724 }
1725
InstallECHConfigList(SSL * client,const SSL_ECH_KEYS * keys)1726 static bool InstallECHConfigList(SSL *client, const SSL_ECH_KEYS *keys) {
1727 uint8_t *ech_config_list;
1728 size_t ech_config_list_len;
1729 if (!SSL_ECH_KEYS_marshal_retry_configs(keys, &ech_config_list,
1730 &ech_config_list_len)) {
1731 return false;
1732 }
1733 bssl::UniquePtr<uint8_t> free_ech_config_list(ech_config_list);
1734 return SSL_set1_ech_config_list(client, ech_config_list, ech_config_list_len);
1735 }
1736
1737 // Test that |SSL_marshal_ech_config| and |SSL_ECH_KEYS_marshal_retry_configs|
1738 // output values as expected.
TEST(SSLTest,MarshalECHConfig)1739 TEST(SSLTest, MarshalECHConfig) {
1740 static const uint8_t kPrivateKey[X25519_PRIVATE_KEY_LEN] = {
1741 0xbc, 0xb5, 0x51, 0x29, 0x31, 0x10, 0x30, 0xc9, 0xed, 0x26, 0xde,
1742 0xd4, 0xb3, 0xdf, 0x3a, 0xce, 0x06, 0x8a, 0xee, 0x17, 0xab, 0xce,
1743 0xd7, 0xdb, 0xf3, 0x11, 0xe5, 0xa8, 0xf3, 0xb1, 0x8e, 0x24};
1744 bssl::ScopedEVP_HPKE_KEY key;
1745 ASSERT_TRUE(EVP_HPKE_KEY_init(key.get(), EVP_hpke_x25519_hkdf_sha256(),
1746 kPrivateKey, sizeof(kPrivateKey)));
1747
1748 static const uint8_t kECHConfig[] = {
1749 // version
1750 0xfe, 0x0d,
1751 // length
1752 0x00, 0x41,
1753 // contents.config_id
1754 0x01,
1755 // contents.kem_id
1756 0x00, 0x20,
1757 // contents.public_key
1758 0x00, 0x20, 0xa6, 0x9a, 0x41, 0x48, 0x5d, 0x32, 0x96, 0xa4, 0xe0, 0xc3,
1759 0x6a, 0xee, 0xf6, 0x63, 0x0f, 0x59, 0x32, 0x6f, 0xdc, 0xff, 0x81, 0x29,
1760 0x59, 0xa5, 0x85, 0xd3, 0x9b, 0x3b, 0xde, 0x98, 0x55, 0x5c,
1761 // contents.cipher_suites
1762 0x00, 0x08, 0x00, 0x01, 0x00, 0x01, 0x00, 0x01, 0x00, 0x03,
1763 // contents.maximum_name_length
1764 0x10,
1765 // contents.public_name
1766 0x0e, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x2e, 0x65, 0x78, 0x61, 0x6d,
1767 0x70, 0x6c, 0x65,
1768 // contents.extensions
1769 0x00, 0x00};
1770 uint8_t *ech_config;
1771 size_t ech_config_len;
1772 ASSERT_TRUE(SSL_marshal_ech_config(&ech_config, &ech_config_len,
1773 /*config_id=*/1, key.get(),
1774 "public.example", 16));
1775 bssl::UniquePtr<uint8_t> free_ech_config(ech_config);
1776 EXPECT_EQ(Bytes(kECHConfig), Bytes(ech_config, ech_config_len));
1777
1778 // Generate a second ECHConfig.
1779 bssl::ScopedEVP_HPKE_KEY key2;
1780 ASSERT_TRUE(EVP_HPKE_KEY_generate(key2.get(), EVP_hpke_x25519_hkdf_sha256()));
1781 uint8_t *ech_config2;
1782 size_t ech_config2_len;
1783 ASSERT_TRUE(SSL_marshal_ech_config(&ech_config2, &ech_config2_len,
1784 /*config_id=*/2, key2.get(),
1785 "public.example", 16));
1786 bssl::UniquePtr<uint8_t> free_ech_config2(ech_config2);
1787
1788 // Install both ECHConfigs in an |SSL_ECH_KEYS|.
1789 bssl::UniquePtr<SSL_ECH_KEYS> keys(SSL_ECH_KEYS_new());
1790 ASSERT_TRUE(keys);
1791 ASSERT_TRUE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1, ech_config,
1792 ech_config_len, key.get()));
1793 ASSERT_TRUE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1, ech_config2,
1794 ech_config2_len, key2.get()));
1795
1796 // The ECHConfigList should be correctly serialized.
1797 uint8_t *ech_config_list;
1798 size_t ech_config_list_len;
1799 ASSERT_TRUE(SSL_ECH_KEYS_marshal_retry_configs(keys.get(), &ech_config_list,
1800 &ech_config_list_len));
1801 bssl::UniquePtr<uint8_t> free_ech_config_list(ech_config_list);
1802
1803 // ECHConfigList is just the concatenation with a length prefix.
1804 size_t len = ech_config_len + ech_config2_len;
1805 std::vector<uint8_t> expected = {uint8_t(len >> 8), uint8_t(len)};
1806 expected.insert(expected.end(), ech_config, ech_config + ech_config_len);
1807 expected.insert(expected.end(), ech_config2, ech_config2 + ech_config2_len);
1808 EXPECT_EQ(Bytes(expected), Bytes(ech_config_list, ech_config_list_len));
1809 }
1810
TEST(SSLTest,ECHHasDuplicateConfigID)1811 TEST(SSLTest, ECHHasDuplicateConfigID) {
1812 const struct {
1813 std::vector<uint8_t> ids;
1814 bool has_duplicate;
1815 } kTests[] = {
1816 {{}, false},
1817 {{1}, false},
1818 {{1, 2, 3, 255}, false},
1819 {{1, 2, 3, 1}, true},
1820 };
1821 for (const auto &test : kTests) {
1822 bssl::UniquePtr<SSL_ECH_KEYS> keys(SSL_ECH_KEYS_new());
1823 ASSERT_TRUE(keys);
1824 for (const uint8_t id : test.ids) {
1825 bssl::ScopedEVP_HPKE_KEY key;
1826 ASSERT_TRUE(
1827 EVP_HPKE_KEY_generate(key.get(), EVP_hpke_x25519_hkdf_sha256()));
1828 uint8_t *ech_config;
1829 size_t ech_config_len;
1830 ASSERT_TRUE(SSL_marshal_ech_config(&ech_config, &ech_config_len, id,
1831 key.get(), "public.example", 16));
1832 bssl::UniquePtr<uint8_t> free_ech_config(ech_config);
1833 ASSERT_TRUE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
1834 ech_config, ech_config_len, key.get()));
1835 }
1836
1837 EXPECT_EQ(test.has_duplicate ? 1 : 0,
1838 SSL_ECH_KEYS_has_duplicate_config_id(keys.get()));
1839 }
1840 }
1841
1842 // Test that |SSL_ECH_KEYS_add| checks consistency between the public and
1843 // private key.
TEST(SSLTest,ECHKeyConsistency)1844 TEST(SSLTest, ECHKeyConsistency) {
1845 bssl::UniquePtr<SSL_ECH_KEYS> keys(SSL_ECH_KEYS_new());
1846 ASSERT_TRUE(keys);
1847 bssl::ScopedEVP_HPKE_KEY key;
1848 ASSERT_TRUE(EVP_HPKE_KEY_generate(key.get(), EVP_hpke_x25519_hkdf_sha256()));
1849 uint8_t public_key[EVP_HPKE_MAX_PUBLIC_KEY_LENGTH];
1850 size_t public_key_len;
1851 ASSERT_TRUE(EVP_HPKE_KEY_public_key(key.get(), public_key, &public_key_len,
1852 sizeof(public_key)));
1853
1854 // Adding an ECHConfig with the matching public key succeeds.
1855 ECHConfigParams params;
1856 params.key = key.get();
1857 std::vector<uint8_t> ech_config;
1858 ASSERT_TRUE(MakeECHConfig(&ech_config, params));
1859 EXPECT_TRUE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
1860 ech_config.data(), ech_config.size(),
1861 key.get()));
1862
1863 // Adding an ECHConfig with the wrong public key is an error.
1864 bssl::ScopedEVP_HPKE_KEY wrong_key;
1865 ASSERT_TRUE(
1866 EVP_HPKE_KEY_generate(wrong_key.get(), EVP_hpke_x25519_hkdf_sha256()));
1867 EXPECT_FALSE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
1868 ech_config.data(), ech_config.size(),
1869 wrong_key.get()));
1870
1871 // Adding an ECHConfig with a truncated public key is an error.
1872 ECHConfigParams truncated;
1873 truncated.key = key.get();
1874 truncated.public_key.assign(public_key, public_key + public_key_len - 1);
1875 ASSERT_TRUE(MakeECHConfig(&ech_config, truncated));
1876 EXPECT_FALSE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
1877 ech_config.data(), ech_config.size(), key.get()));
1878
1879 // Adding an ECHConfig with the right public key, but wrong KEM ID, is an
1880 // error.
1881 ECHConfigParams wrong_kem;
1882 wrong_kem.key = key.get();
1883 wrong_kem.kem_id = 0x0010; // DHKEM(P-256, HKDF-SHA256)
1884 ASSERT_TRUE(MakeECHConfig(&ech_config, wrong_kem));
1885 EXPECT_FALSE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
1886 ech_config.data(), ech_config.size(),
1887 key.get()));
1888 }
1889
1890 // Test that |SSL_CTX_set1_ech_keys| fails when the config list
1891 // has no retry configs.
TEST(SSLTest,ECHServerConfigsWithoutRetryConfigs)1892 TEST(SSLTest, ECHServerConfigsWithoutRetryConfigs) {
1893 bssl::ScopedEVP_HPKE_KEY key;
1894 ASSERT_TRUE(EVP_HPKE_KEY_generate(key.get(), EVP_hpke_x25519_hkdf_sha256()));
1895 uint8_t *ech_config;
1896 size_t ech_config_len;
1897 ASSERT_TRUE(SSL_marshal_ech_config(&ech_config, &ech_config_len,
1898 /*config_id=*/1, key.get(),
1899 "public.example", 16));
1900 bssl::UniquePtr<uint8_t> free_ech_config(ech_config);
1901
1902 // Install a non-retry config.
1903 bssl::UniquePtr<SSL_ECH_KEYS> keys(SSL_ECH_KEYS_new());
1904 ASSERT_TRUE(keys);
1905 ASSERT_TRUE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/0, ech_config,
1906 ech_config_len, key.get()));
1907
1908 // |keys| has no retry configs.
1909 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
1910 ASSERT_TRUE(ctx);
1911 EXPECT_FALSE(SSL_CTX_set1_ech_keys(ctx.get(), keys.get()));
1912
1913 // Add the same ECHConfig to the list, but this time mark it as a retry
1914 // config.
1915 ASSERT_TRUE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1, ech_config,
1916 ech_config_len, key.get()));
1917 EXPECT_TRUE(SSL_CTX_set1_ech_keys(ctx.get(), keys.get()));
1918 }
1919
1920 // Test that the server APIs reject ECHConfigs with unsupported features.
TEST(SSLTest,UnsupportedECHConfig)1921 TEST(SSLTest, UnsupportedECHConfig) {
1922 bssl::UniquePtr<SSL_ECH_KEYS> keys(SSL_ECH_KEYS_new());
1923 ASSERT_TRUE(keys);
1924 bssl::ScopedEVP_HPKE_KEY key;
1925 ASSERT_TRUE(EVP_HPKE_KEY_generate(key.get(), EVP_hpke_x25519_hkdf_sha256()));
1926
1927 // Unsupported versions are rejected.
1928 ECHConfigParams unsupported_version;
1929 unsupported_version.version = 0xffff;
1930 unsupported_version.key = key.get();
1931 std::vector<uint8_t> ech_config;
1932 ASSERT_TRUE(MakeECHConfig(&ech_config, unsupported_version));
1933 EXPECT_FALSE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
1934 ech_config.data(), ech_config.size(),
1935 key.get()));
1936
1937 // Unsupported cipher suites are rejected. (We only support HKDF-SHA256.)
1938 ECHConfigParams unsupported_kdf;
1939 unsupported_kdf.key = key.get();
1940 unsupported_kdf.cipher_suites = {0x002 /* HKDF-SHA384 */,
1941 EVP_HPKE_AES_128_GCM};
1942 ASSERT_TRUE(MakeECHConfig(&ech_config, unsupported_kdf));
1943 EXPECT_FALSE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
1944 ech_config.data(), ech_config.size(),
1945 key.get()));
1946 ECHConfigParams unsupported_aead;
1947 unsupported_aead.key = key.get();
1948 unsupported_aead.cipher_suites = {EVP_HPKE_HKDF_SHA256, 0xffff};
1949 ASSERT_TRUE(MakeECHConfig(&ech_config, unsupported_aead));
1950 EXPECT_FALSE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
1951 ech_config.data(), ech_config.size(),
1952 key.get()));
1953
1954
1955 // Unsupported extensions are rejected.
1956 ECHConfigParams extensions;
1957 extensions.key = key.get();
1958 extensions.extensions = {0x00, 0x01, 0x00, 0x00};
1959 ASSERT_TRUE(MakeECHConfig(&ech_config, extensions));
1960 EXPECT_FALSE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
1961 ech_config.data(), ech_config.size(),
1962 key.get()));
1963
1964 // Invalid public names are rejected.
1965 ECHConfigParams invalid_public_name;
1966 invalid_public_name.key = key.get();
1967 invalid_public_name.public_name = "dns_names_have_no_underscores.example";
1968 ASSERT_TRUE(MakeECHConfig(&ech_config, invalid_public_name));
1969 EXPECT_FALSE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
1970 ech_config.data(), ech_config.size(),
1971 key.get()));
1972 }
1973
1974 // Test that |SSL_get_client_random| reports the correct value on both client
1975 // and server in ECH. The client sends two different random values. When ECH is
1976 // accepted, we should report the inner one.
TEST(SSLTest,ECHClientRandomsMatch)1977 TEST(SSLTest, ECHClientRandomsMatch) {
1978 bssl::UniquePtr<SSL_CTX> server_ctx =
1979 CreateContextWithTestCertificate(TLS_method());
1980 ASSERT_TRUE(server_ctx);
1981 bssl::UniquePtr<SSL_ECH_KEYS> keys = MakeTestECHKeys();
1982 ASSERT_TRUE(keys);
1983 ASSERT_TRUE(SSL_CTX_set1_ech_keys(server_ctx.get(), keys.get()));
1984
1985 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
1986 ASSERT_TRUE(client_ctx);
1987 bssl::UniquePtr<SSL> client, server;
1988 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
1989 server_ctx.get()));
1990 ASSERT_TRUE(InstallECHConfigList(client.get(), keys.get()));
1991 ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
1992
1993 EXPECT_TRUE(SSL_ech_accepted(client.get()));
1994 EXPECT_TRUE(SSL_ech_accepted(server.get()));
1995
1996 // An ECH server will fairly naturally record the inner ClientHello random,
1997 // but an ECH client may forget to update the random once ClientHelloInner is
1998 // selected.
1999 uint8_t client_random1[SSL3_RANDOM_SIZE];
2000 uint8_t client_random2[SSL3_RANDOM_SIZE];
2001 ASSERT_EQ(sizeof(client_random1),
2002 SSL_get_client_random(client.get(), client_random1,
2003 sizeof(client_random1)));
2004 ASSERT_EQ(sizeof(client_random2),
2005 SSL_get_client_random(server.get(), client_random2,
2006 sizeof(client_random2)));
2007 EXPECT_EQ(Bytes(client_random1), Bytes(client_random2));
2008 }
2009
2010 // GetECHLength sets |*out_client_hello_len| and |*out_ech_len| to the lengths
2011 // of the ClientHello and ECH extension, respectively, when a client created
2012 // from |ctx| constructs a ClientHello with name |name| and an ECHConfig with
2013 // maximum name length |max_name_len|.
GetECHLength(SSL_CTX * ctx,size_t * out_client_hello_len,size_t * out_ech_len,size_t max_name_len,const char * name)2014 static bool GetECHLength(SSL_CTX *ctx, size_t *out_client_hello_len,
2015 size_t *out_ech_len, size_t max_name_len,
2016 const char *name) {
2017 bssl::ScopedEVP_HPKE_KEY key;
2018 uint8_t *ech_config;
2019 size_t ech_config_len;
2020 if (!EVP_HPKE_KEY_generate(key.get(), EVP_hpke_x25519_hkdf_sha256()) ||
2021 !SSL_marshal_ech_config(&ech_config, &ech_config_len,
2022 /*config_id=*/1, key.get(), "public.example",
2023 max_name_len)) {
2024 return false;
2025 }
2026 bssl::UniquePtr<uint8_t> free_ech_config(ech_config);
2027
2028 bssl::UniquePtr<SSL_ECH_KEYS> keys(SSL_ECH_KEYS_new());
2029 if (!keys || !SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1, ech_config,
2030 ech_config_len, key.get())) {
2031 return false;
2032 }
2033
2034 bssl::UniquePtr<SSL> ssl(SSL_new(ctx));
2035 if (!ssl || !InstallECHConfigList(ssl.get(), keys.get()) ||
2036 (name != nullptr && !SSL_set_tlsext_host_name(ssl.get(), name))) {
2037 return false;
2038 }
2039 SSL_set_connect_state(ssl.get());
2040
2041 std::vector<uint8_t> client_hello;
2042 SSL_CLIENT_HELLO parsed;
2043 const uint8_t *unused;
2044 if (!GetClientHello(ssl.get(), &client_hello) ||
2045 !ssl_client_hello_init(
2046 ssl.get(), &parsed,
2047 // Skip record and handshake headers. This assumes the ClientHello
2048 // fits in one record.
2049 MakeConstSpan(client_hello)
2050 .subspan(SSL3_RT_HEADER_LENGTH + SSL3_HM_HEADER_LENGTH)) ||
2051 !SSL_early_callback_ctx_extension_get(
2052 &parsed, TLSEXT_TYPE_encrypted_client_hello, &unused, out_ech_len)) {
2053 return false;
2054 }
2055 *out_client_hello_len = client_hello.size();
2056 return true;
2057 }
2058
TEST(SSLTest,ECHPadding)2059 TEST(SSLTest, ECHPadding) {
2060 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
2061 ASSERT_TRUE(ctx);
2062
2063 // Sample lengths with max_name_len = 128 as baseline.
2064 size_t client_hello_len_baseline, ech_len_baseline;
2065 ASSERT_TRUE(GetECHLength(ctx.get(), &client_hello_len_baseline,
2066 &ech_len_baseline, 128, "example.com"));
2067
2068 // Check that all name lengths under the server's maximum look the same.
2069 for (size_t name_len : {1, 2, 32, 64, 127, 128}) {
2070 SCOPED_TRACE(name_len);
2071 size_t client_hello_len, ech_len;
2072 ASSERT_TRUE(GetECHLength(ctx.get(), &client_hello_len, &ech_len, 128,
2073 std::string(name_len, 'a').c_str()));
2074 EXPECT_EQ(client_hello_len, client_hello_len_baseline);
2075 EXPECT_EQ(ech_len, ech_len_baseline);
2076 }
2077
2078 // When sending no SNI, we must still pad as if we are sending one.
2079 size_t client_hello_len, ech_len;
2080 ASSERT_TRUE(
2081 GetECHLength(ctx.get(), &client_hello_len, &ech_len, 128, nullptr));
2082 EXPECT_EQ(client_hello_len, client_hello_len_baseline);
2083 EXPECT_EQ(ech_len, ech_len_baseline);
2084
2085 // Name lengths above the maximum do not get named-based padding, but the
2086 // overall input is padded to a multiple of 32.
2087 size_t client_hello_len_baseline2, ech_len_baseline2;
2088 ASSERT_TRUE(GetECHLength(ctx.get(), &client_hello_len_baseline2,
2089 &ech_len_baseline2, 128,
2090 std::string(128 + 32, 'a').c_str()));
2091 EXPECT_EQ(ech_len_baseline2, ech_len_baseline + 32);
2092 // The ClientHello lengths may match if we are still under the threshold for
2093 // padding extension.
2094 EXPECT_GE(client_hello_len_baseline2, client_hello_len_baseline);
2095
2096 for (size_t name_len = 128 + 1; name_len < 128 + 32; name_len++) {
2097 SCOPED_TRACE(name_len);
2098 ASSERT_TRUE(GetECHLength(ctx.get(), &client_hello_len, &ech_len, 128,
2099 std::string(name_len, 'a').c_str()));
2100 EXPECT_TRUE(ech_len == ech_len_baseline || ech_len == ech_len_baseline2)
2101 << ech_len;
2102 EXPECT_TRUE(client_hello_len == client_hello_len_baseline ||
2103 client_hello_len == client_hello_len_baseline2)
2104 << client_hello_len;
2105 }
2106 }
2107
TEST(SSLTest,ECHPublicName)2108 TEST(SSLTest, ECHPublicName) {
2109 auto str_to_span = [](const char *str) -> Span<const uint8_t> {
2110 return MakeConstSpan(reinterpret_cast<const uint8_t *>(str), strlen(str));
2111 };
2112
2113 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("")));
2114 EXPECT_TRUE(ssl_is_valid_ech_public_name(str_to_span("example.com")));
2115 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span(".example.com")));
2116 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("example.com.")));
2117 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("example..com")));
2118 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("www.-example.com")));
2119 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("www.example-.com")));
2120 EXPECT_FALSE(
2121 ssl_is_valid_ech_public_name(str_to_span("no_underscores.example")));
2122 EXPECT_FALSE(ssl_is_valid_ech_public_name(
2123 str_to_span("invalid_chars.\x01.example")));
2124 EXPECT_FALSE(ssl_is_valid_ech_public_name(
2125 str_to_span("invalid_chars.\xff.example")));
2126 static const uint8_t kWithNUL[] = {'t', 'e', 's', 't', 0};
2127 EXPECT_FALSE(ssl_is_valid_ech_public_name(kWithNUL));
2128
2129 // Test an LDH label with every character and the maximum length.
2130 EXPECT_TRUE(ssl_is_valid_ech_public_name(str_to_span(
2131 "abcdefhijklmnopqrstuvwxyz-ABCDEFGHIJKLMNOPQRSTUVWXYZ-0123456789")));
2132 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span(
2133 "abcdefhijklmnopqrstuvwxyz-ABCDEFGHIJKLMNOPQRSTUVWXYZ-01234567899")));
2134
2135 // Inputs with trailing numeric components are rejected.
2136 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("127.0.0.1")));
2137 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("example.1")));
2138 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("example.01")));
2139 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("example.0x01")));
2140 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("example.0X01")));
2141 // Leading zeros and values that overflow |uint32_t| are still rejected.
2142 EXPECT_FALSE(ssl_is_valid_ech_public_name(
2143 str_to_span("example.123456789000000000000000")));
2144 EXPECT_FALSE(ssl_is_valid_ech_public_name(
2145 str_to_span("example.012345678900000000000000")));
2146 EXPECT_FALSE(ssl_is_valid_ech_public_name(
2147 str_to_span("example.0x123456789abcdefABCDEF0")));
2148 EXPECT_FALSE(ssl_is_valid_ech_public_name(
2149 str_to_span("example.0x0123456789abcdefABCDEF")));
2150 // Adding a non-digit or non-hex character makes it a valid DNS name again.
2151 // Single-component numbers are rejected.
2152 EXPECT_TRUE(ssl_is_valid_ech_public_name(
2153 str_to_span("example.1234567890a")));
2154 EXPECT_TRUE(ssl_is_valid_ech_public_name(
2155 str_to_span("example.01234567890a")));
2156 EXPECT_TRUE(ssl_is_valid_ech_public_name(
2157 str_to_span("example.0x123456789abcdefg")));
2158 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("1")));
2159 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("01")));
2160 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("0x01")));
2161 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("0X01")));
2162 // Numbers with trailing dots are rejected. (They are already rejected by the
2163 // LDH label rules, but the WHATWG URL parser additionally rejects them.)
2164 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("1.")));
2165 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("01.")));
2166 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("0x01.")));
2167 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("0X01.")));
2168 }
2169
2170 // When using the built-in verifier, test that |SSL_get0_ech_name_override| is
2171 // applied automatically.
TEST(SSLTest,ECHBuiltinVerifier)2172 TEST(SSLTest, ECHBuiltinVerifier) {
2173 // These test certificates generated with the following Go program.
2174 /* clang-format off
2175 func main() {
2176 notBefore := time.Date(2000, time.January, 1, 0, 0, 0, 0, time.UTC)
2177 notAfter := time.Date(2099, time.January, 1, 0, 0, 0, 0, time.UTC)
2178 rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
2179 rootTemplate := &x509.Certificate{
2180 SerialNumber: big.NewInt(1),
2181 Subject: pkix.Name{CommonName: "Test CA"},
2182 NotBefore: notBefore,
2183 NotAfter: notAfter,
2184 BasicConstraintsValid: true,
2185 IsCA: true,
2186 }
2187 rootDER, _ := x509.CreateCertificate(rand.Reader, rootTemplate, rootTemplate, &rootKey.PublicKey, rootKey)
2188 root, _ := x509.ParseCertificate(rootDER)
2189 pem.Encode(os.Stdout, &pem.Block{Type: "CERTIFICATE", Bytes: rootDER})
2190 leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
2191 leafKeyDER, _ := x509.MarshalPKCS8PrivateKey(leafKey)
2192 pem.Encode(os.Stdout, &pem.Block{Type: "PRIVATE KEY", Bytes: leafKeyDER})
2193 for i, name := range []string{"public.example", "secret.example"} {
2194 leafTemplate := &x509.Certificate{
2195 SerialNumber: big.NewInt(int64(i) + 2),
2196 Subject: pkix.Name{CommonName: name},
2197 NotBefore: notBefore,
2198 NotAfter: notAfter,
2199 BasicConstraintsValid: true,
2200 DNSNames: []string{name},
2201 }
2202 leafDER, _ := x509.CreateCertificate(rand.Reader, leafTemplate, root, &leafKey.PublicKey, rootKey)
2203 pem.Encode(os.Stdout, &pem.Block{Type: "CERTIFICATE", Bytes: leafDER})
2204 }
2205 }
2206 clang-format on */
2207 bssl::UniquePtr<X509> root = CertFromPEM(R"(
2208 -----BEGIN CERTIFICATE-----
2209 MIIBRzCB7aADAgECAgEBMAoGCCqGSM49BAMCMBIxEDAOBgNVBAMTB1Rlc3QgQ0Ew
2210 IBcNMDAwMTAxMDAwMDAwWhgPMjA5OTAxMDEwMDAwMDBaMBIxEDAOBgNVBAMTB1Rl
2211 c3QgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAT5JUjrI1DAxSpEl88UkmJw
2212 tAJqxo/YrSFo9V3MkcNkfTixi5p6MUtO8DazhEgekBcd2+tBAWtl7dy0qpvTqx92
2213 ozIwMDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTw6ftkexAI6o4r5FntJIfL
2214 GU5F4zAKBggqhkjOPQQDAgNJADBGAiEAiiNowddQeHZaZFIygwe6RW5/WG4sUXWC
2215 dkyl9CQzRaYCIQCFS1EvwZbZtMny27fYm1eeYciY0TkJTEi34H1KwyzzIA==
2216 -----END CERTIFICATE-----
2217 )");
2218 ASSERT_TRUE(root);
2219 bssl::UniquePtr<EVP_PKEY> leaf_key = KeyFromPEM(R"(
2220 -----BEGIN PRIVATE KEY-----
2221 MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgj5WKHwHnziiyPauf
2222 7QukxTwtTyGZkk8qNdms4puJfxqhRANCAARNrkhxabALDlJrHtvkuDwvCWUF/oVC
2223 hr6PDITHi1lDlJzvVT4aXBH87sH2n2UV5zpx13NHkq1bIC8eRT8eOIe0
2224 -----END PRIVATE KEY-----
2225 )");
2226 ASSERT_TRUE(leaf_key);
2227 bssl::UniquePtr<X509> leaf_public = CertFromPEM(R"(
2228 -----BEGIN CERTIFICATE-----
2229 MIIBaDCCAQ6gAwIBAgIBAjAKBggqhkjOPQQDAjASMRAwDgYDVQQDEwdUZXN0IENB
2230 MCAXDTAwMDEwMTAwMDAwMFoYDzIwOTkwMTAxMDAwMDAwWjAZMRcwFQYDVQQDEw5w
2231 dWJsaWMuZXhhbXBsZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE2uSHFpsAsO
2232 Umse2+S4PC8JZQX+hUKGvo8MhMeLWUOUnO9VPhpcEfzuwfafZRXnOnHXc0eSrVsg
2233 Lx5FPx44h7SjTDBKMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAU8On7ZHsQCOqO
2234 K+RZ7SSHyxlOReMwGQYDVR0RBBIwEIIOcHVibGljLmV4YW1wbGUwCgYIKoZIzj0E
2235 AwIDSAAwRQIhANqZRhDR/+QL05hsWXMYEwaiHifd9iakKoFEhKFchcF3AiBRAeXw
2236 wRGGT6+iPmTYM6N5/IDyAb5B9Ke38O6lLEsUwA==
2237 -----END CERTIFICATE-----
2238 )");
2239 ASSERT_TRUE(leaf_public);
2240 bssl::UniquePtr<X509> leaf_secret = CertFromPEM(R"(
2241 -----BEGIN CERTIFICATE-----
2242 MIIBaTCCAQ6gAwIBAgIBAzAKBggqhkjOPQQDAjASMRAwDgYDVQQDEwdUZXN0IENB
2243 MCAXDTAwMDEwMTAwMDAwMFoYDzIwOTkwMTAxMDAwMDAwWjAZMRcwFQYDVQQDEw5z
2244 ZWNyZXQuZXhhbXBsZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE2uSHFpsAsO
2245 Umse2+S4PC8JZQX+hUKGvo8MhMeLWUOUnO9VPhpcEfzuwfafZRXnOnHXc0eSrVsg
2246 Lx5FPx44h7SjTDBKMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAU8On7ZHsQCOqO
2247 K+RZ7SSHyxlOReMwGQYDVR0RBBIwEIIOc2VjcmV0LmV4YW1wbGUwCgYIKoZIzj0E
2248 AwIDSQAwRgIhAPQdIz1xCFkc9WuSkxOxJDpywZiEp9SnKcxJ9nwrlRp3AiEA+O3+
2249 XRqE7XFhHL+7TNC2a9OOAjQsEF137YPWo+rhgko=
2250 -----END CERTIFICATE-----
2251 )");
2252 ASSERT_TRUE(leaf_secret);
2253
2254 // Use different config IDs so that fuzzer mode, which breaks trial
2255 // decryption, will observe the key mismatch.
2256 bssl::UniquePtr<SSL_ECH_KEYS> keys = MakeTestECHKeys(/*config_id=*/1);
2257 ASSERT_TRUE(keys);
2258 bssl::UniquePtr<SSL_ECH_KEYS> wrong_keys = MakeTestECHKeys(/*config_id=*/2);
2259 ASSERT_TRUE(wrong_keys);
2260 bssl::UniquePtr<SSL_CTX> server_ctx =
2261 CreateContextWithTestCertificate(TLS_method());
2262 ASSERT_TRUE(server_ctx);
2263 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
2264 ASSERT_TRUE(client_ctx);
2265
2266 // Configure the client to verify certificates and expect the secret name.
2267 // This is the name the client is trying to connect to. If ECH is rejected,
2268 // BoringSSL will internally override this setting with the public name.
2269 bssl::UniquePtr<X509_STORE> store(X509_STORE_new());
2270 ASSERT_TRUE(store);
2271 ASSERT_TRUE(X509_STORE_add_cert(store.get(), root.get()));
2272 SSL_CTX_set_cert_store(client_ctx.get(), store.release());
2273 SSL_CTX_set_verify(client_ctx.get(), SSL_VERIFY_PEER, nullptr);
2274 X509_VERIFY_PARAM_set_flags(SSL_CTX_get0_param(client_ctx.get()),
2275 X509_V_FLAG_NO_CHECK_TIME);
2276 static const char kSecretName[] = "secret.example";
2277 ASSERT_TRUE(X509_VERIFY_PARAM_set1_host(SSL_CTX_get0_param(client_ctx.get()),
2278 kSecretName, strlen(kSecretName)));
2279
2280 // For simplicity, we only run through a pair of representative scenarios here
2281 // and rely on runner.go to verify that |SSL_get0_ech_name_override| behaves
2282 // correctly.
2283 for (bool accept_ech : {false, true}) {
2284 SCOPED_TRACE(accept_ech);
2285 for (bool use_leaf_secret : {false, true}) {
2286 SCOPED_TRACE(use_leaf_secret);
2287
2288 // The server will reject ECH when configured with the wrong keys.
2289 ASSERT_TRUE(SSL_CTX_set1_ech_keys(
2290 server_ctx.get(), accept_ech ? keys.get() : wrong_keys.get()));
2291
2292 bssl::UniquePtr<SSL> client, server;
2293 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
2294 server_ctx.get()));
2295 ASSERT_TRUE(InstallECHConfigList(client.get(), keys.get()));
2296
2297 // Configure the server with the selected certificate.
2298 ASSERT_TRUE(SSL_use_certificate(server.get(), use_leaf_secret
2299 ? leaf_secret.get()
2300 : leaf_public.get()));
2301 ASSERT_TRUE(SSL_use_PrivateKey(server.get(), leaf_key.get()));
2302
2303 // The handshake may fail due to name mismatch or ECH reject. We check
2304 // |SSL_get_verify_result| to confirm the handshake got far enough.
2305 CompleteHandshakes(client.get(), server.get());
2306 EXPECT_EQ(accept_ech == use_leaf_secret ? X509_V_OK
2307 : X509_V_ERR_HOSTNAME_MISMATCH,
2308 SSL_get_verify_result(client.get()));
2309 }
2310 }
2311 }
2312
2313 #if defined(OPENSSL_THREADS)
2314 // Test that the server ECH config can be swapped out while the |SSL_CTX| is
2315 // in use on other threads. This test is intended to be run with TSan.
TEST(SSLTest,ECHThreads)2316 TEST(SSLTest, ECHThreads) {
2317 // Generate a pair of ECHConfigs.
2318 bssl::ScopedEVP_HPKE_KEY key1;
2319 ASSERT_TRUE(EVP_HPKE_KEY_generate(key1.get(), EVP_hpke_x25519_hkdf_sha256()));
2320 uint8_t *ech_config1;
2321 size_t ech_config1_len;
2322 ASSERT_TRUE(SSL_marshal_ech_config(&ech_config1, &ech_config1_len,
2323 /*config_id=*/1, key1.get(),
2324 "public.example", 16));
2325 bssl::UniquePtr<uint8_t> free_ech_config1(ech_config1);
2326 bssl::ScopedEVP_HPKE_KEY key2;
2327 ASSERT_TRUE(EVP_HPKE_KEY_generate(key2.get(), EVP_hpke_x25519_hkdf_sha256()));
2328 uint8_t *ech_config2;
2329 size_t ech_config2_len;
2330 ASSERT_TRUE(SSL_marshal_ech_config(&ech_config2, &ech_config2_len,
2331 /*config_id=*/2, key2.get(),
2332 "public.example", 16));
2333 bssl::UniquePtr<uint8_t> free_ech_config2(ech_config2);
2334
2335 // |keys1| contains the first config. |keys12| contains both.
2336 bssl::UniquePtr<SSL_ECH_KEYS> keys1(SSL_ECH_KEYS_new());
2337 ASSERT_TRUE(keys1);
2338 ASSERT_TRUE(SSL_ECH_KEYS_add(keys1.get(), /*is_retry_config=*/1, ech_config1,
2339 ech_config1_len, key1.get()));
2340 bssl::UniquePtr<SSL_ECH_KEYS> keys12(SSL_ECH_KEYS_new());
2341 ASSERT_TRUE(keys12);
2342 ASSERT_TRUE(SSL_ECH_KEYS_add(keys12.get(), /*is_retry_config=*/1, ech_config2,
2343 ech_config2_len, key2.get()));
2344 ASSERT_TRUE(SSL_ECH_KEYS_add(keys12.get(), /*is_retry_config=*/0, ech_config1,
2345 ech_config1_len, key1.get()));
2346
2347 bssl::UniquePtr<SSL_CTX> server_ctx =
2348 CreateContextWithTestCertificate(TLS_method());
2349 ASSERT_TRUE(server_ctx);
2350 ASSERT_TRUE(SSL_CTX_set1_ech_keys(server_ctx.get(), keys1.get()));
2351
2352 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
2353 ASSERT_TRUE(client_ctx);
2354 bssl::UniquePtr<SSL> client, server;
2355 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
2356 server_ctx.get()));
2357 ASSERT_TRUE(InstallECHConfigList(client.get(), keys1.get()));
2358
2359 // In parallel, complete the connection and reconfigure the ECHConfig. Note
2360 // |keys12| supports all the keys in |keys1|, so the handshake should complete
2361 // the same whichever the server uses.
2362 std::vector<std::thread> threads;
2363 threads.emplace_back([&] {
2364 ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
2365 EXPECT_TRUE(SSL_ech_accepted(client.get()));
2366 EXPECT_TRUE(SSL_ech_accepted(server.get()));
2367 });
2368 threads.emplace_back([&] {
2369 EXPECT_TRUE(SSL_CTX_set1_ech_keys(server_ctx.get(), keys12.get()));
2370 });
2371 for (auto &thread : threads) {
2372 thread.join();
2373 }
2374 }
2375 #endif // OPENSSL_THREADS
2376
TEST(SSLTest,TLS13ExporterAvailability)2377 TEST(SSLTest, TLS13ExporterAvailability) {
2378 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
2379 bssl::UniquePtr<SSL_CTX> server_ctx =
2380 CreateContextWithTestCertificate(TLS_method());
2381 ASSERT_TRUE(client_ctx);
2382 ASSERT_TRUE(server_ctx);
2383 // Configure only TLS 1.3.
2384 ASSERT_TRUE(SSL_CTX_set_min_proto_version(client_ctx.get(), TLS1_3_VERSION));
2385 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION));
2386
2387 bssl::UniquePtr<SSL> client, server;
2388 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
2389 server_ctx.get()));
2390
2391 std::vector<uint8_t> buffer(32);
2392 const char *label = "EXPORTER-test-label";
2393
2394 // The exporters are not available before the handshake starts.
2395 EXPECT_FALSE(SSL_export_keying_material(client.get(), buffer.data(),
2396 buffer.size(), label, strlen(label),
2397 nullptr, 0, 0));
2398 EXPECT_FALSE(SSL_export_keying_material(server.get(), buffer.data(),
2399 buffer.size(), label, strlen(label),
2400 nullptr, 0, 0));
2401
2402 // Send the client's first flight of handshake messages.
2403 int client_ret = SSL_do_handshake(client.get());
2404 EXPECT_EQ(SSL_get_error(client.get(), client_ret), SSL_ERROR_WANT_READ);
2405
2406 // The handshake isn't far enough for the exporters to work.
2407 EXPECT_FALSE(SSL_export_keying_material(client.get(), buffer.data(),
2408 buffer.size(), label, strlen(label),
2409 nullptr, 0, 0));
2410 EXPECT_FALSE(SSL_export_keying_material(server.get(), buffer.data(),
2411 buffer.size(), label, strlen(label),
2412 nullptr, 0, 0));
2413
2414 // Send all the server's handshake messages.
2415 int server_ret = SSL_do_handshake(server.get());
2416 EXPECT_EQ(SSL_get_error(server.get(), server_ret), SSL_ERROR_WANT_READ);
2417
2418 // At this point in the handshake, the server should have the exporter key
2419 // derived since it's sent its Finished message. The client hasn't yet
2420 // processed the server's handshake messages, so the exporter shouldn't be
2421 // available to the client.
2422 EXPECT_FALSE(SSL_export_keying_material(client.get(), buffer.data(),
2423 buffer.size(), label, strlen(label),
2424 nullptr, 0, 0));
2425 EXPECT_TRUE(SSL_export_keying_material(server.get(), buffer.data(),
2426 buffer.size(), label, strlen(label),
2427 nullptr, 0, 0));
2428
2429 // Finish the handshake on the client.
2430 EXPECT_EQ(SSL_do_handshake(client.get()), 1);
2431
2432 // The exporter should be available on both endpoints.
2433 EXPECT_TRUE(SSL_export_keying_material(client.get(), buffer.data(),
2434 buffer.size(), label, strlen(label),
2435 nullptr, 0, 0));
2436 EXPECT_TRUE(SSL_export_keying_material(server.get(), buffer.data(),
2437 buffer.size(), label, strlen(label),
2438 nullptr, 0, 0));
2439
2440 // Finish the handshake on the server.
2441 EXPECT_EQ(SSL_do_handshake(server.get()), 1);
2442
2443 // The exporter should still be available on both endpoints.
2444 EXPECT_TRUE(SSL_export_keying_material(client.get(), buffer.data(),
2445 buffer.size(), label, strlen(label),
2446 nullptr, 0, 0));
2447 EXPECT_TRUE(SSL_export_keying_material(server.get(), buffer.data(),
2448 buffer.size(), label, strlen(label),
2449 nullptr, 0, 0));
2450 }
2451
AppendSession(SSL_SESSION * session,void * arg)2452 static void AppendSession(SSL_SESSION *session, void *arg) {
2453 std::vector<SSL_SESSION*> *out =
2454 reinterpret_cast<std::vector<SSL_SESSION*>*>(arg);
2455 out->push_back(session);
2456 }
2457
2458 // CacheEquals returns true if |ctx|'s session cache consists of |expected|, in
2459 // order.
CacheEquals(SSL_CTX * ctx,const std::vector<SSL_SESSION * > & expected)2460 static bool CacheEquals(SSL_CTX *ctx,
2461 const std::vector<SSL_SESSION*> &expected) {
2462 // Check the linked list.
2463 SSL_SESSION *ptr = ctx->session_cache_head;
2464 for (SSL_SESSION *session : expected) {
2465 if (ptr != session) {
2466 return false;
2467 }
2468 // TODO(davidben): This is an absurd way to denote the end of the list.
2469 if (ptr->next ==
2470 reinterpret_cast<SSL_SESSION *>(&ctx->session_cache_tail)) {
2471 ptr = nullptr;
2472 } else {
2473 ptr = ptr->next;
2474 }
2475 }
2476 if (ptr != nullptr) {
2477 return false;
2478 }
2479
2480 // Check the hash table.
2481 std::vector<SSL_SESSION*> actual, expected_copy;
2482 lh_SSL_SESSION_doall_arg(ctx->sessions, AppendSession, &actual);
2483 expected_copy = expected;
2484
2485 std::sort(actual.begin(), actual.end());
2486 std::sort(expected_copy.begin(), expected_copy.end());
2487
2488 return actual == expected_copy;
2489 }
2490
CreateTestSession(uint32_t number)2491 static bssl::UniquePtr<SSL_SESSION> CreateTestSession(uint32_t number) {
2492 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
2493 if (!ssl_ctx) {
2494 return nullptr;
2495 }
2496 bssl::UniquePtr<SSL_SESSION> ret(SSL_SESSION_new(ssl_ctx.get()));
2497 if (!ret) {
2498 return nullptr;
2499 }
2500
2501 uint8_t id[SSL3_SSL_SESSION_ID_LENGTH] = {0};
2502 OPENSSL_memcpy(id, &number, sizeof(number));
2503 if (!SSL_SESSION_set1_id(ret.get(), id, sizeof(id))) {
2504 return nullptr;
2505 }
2506 return ret;
2507 }
2508
2509 // Test that the internal session cache behaves as expected.
TEST(SSLTest,InternalSessionCache)2510 TEST(SSLTest, InternalSessionCache) {
2511 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
2512 ASSERT_TRUE(ctx);
2513
2514 // Prepare 10 test sessions.
2515 std::vector<bssl::UniquePtr<SSL_SESSION>> sessions;
2516 for (int i = 0; i < 10; i++) {
2517 bssl::UniquePtr<SSL_SESSION> session = CreateTestSession(i);
2518 ASSERT_TRUE(session);
2519 sessions.push_back(std::move(session));
2520 }
2521
2522 SSL_CTX_sess_set_cache_size(ctx.get(), 5);
2523
2524 // Insert all the test sessions.
2525 for (const auto &session : sessions) {
2526 ASSERT_TRUE(SSL_CTX_add_session(ctx.get(), session.get()));
2527 }
2528
2529 // Only the last five should be in the list.
2530 ASSERT_TRUE(CacheEquals(
2531 ctx.get(), {sessions[9].get(), sessions[8].get(), sessions[7].get(),
2532 sessions[6].get(), sessions[5].get()}));
2533
2534 // Inserting an element already in the cache should fail and leave the cache
2535 // unchanged.
2536 ASSERT_FALSE(SSL_CTX_add_session(ctx.get(), sessions[7].get()));
2537 ASSERT_TRUE(CacheEquals(
2538 ctx.get(), {sessions[9].get(), sessions[8].get(), sessions[7].get(),
2539 sessions[6].get(), sessions[5].get()}));
2540
2541 // Although collisions should be impossible (256-bit session IDs), the cache
2542 // must handle them gracefully.
2543 bssl::UniquePtr<SSL_SESSION> collision(CreateTestSession(7));
2544 ASSERT_TRUE(collision);
2545 ASSERT_TRUE(SSL_CTX_add_session(ctx.get(), collision.get()));
2546 ASSERT_TRUE(CacheEquals(
2547 ctx.get(), {collision.get(), sessions[9].get(), sessions[8].get(),
2548 sessions[6].get(), sessions[5].get()}));
2549
2550 // Removing sessions behaves correctly.
2551 ASSERT_TRUE(SSL_CTX_remove_session(ctx.get(), sessions[6].get()));
2552 ASSERT_TRUE(CacheEquals(ctx.get(), {collision.get(), sessions[9].get(),
2553 sessions[8].get(), sessions[5].get()}));
2554
2555 // Removing sessions requires an exact match.
2556 ASSERT_FALSE(SSL_CTX_remove_session(ctx.get(), sessions[0].get()));
2557 ASSERT_FALSE(SSL_CTX_remove_session(ctx.get(), sessions[7].get()));
2558
2559 // The cache remains unchanged.
2560 ASSERT_TRUE(CacheEquals(ctx.get(), {collision.get(), sessions[9].get(),
2561 sessions[8].get(), sessions[5].get()}));
2562 }
2563
EpochFromSequence(uint64_t seq)2564 static uint16_t EpochFromSequence(uint64_t seq) {
2565 return static_cast<uint16_t>(seq >> 48);
2566 }
2567
2568 static const uint8_t kTestName[] = {
2569 0x30, 0x45, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
2570 0x02, 0x41, 0x55, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
2571 0x0c, 0x0a, 0x53, 0x6f, 0x6d, 0x65, 0x2d, 0x53, 0x74, 0x61, 0x74, 0x65,
2572 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x18, 0x49,
2573 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x20, 0x57, 0x69, 0x64, 0x67,
2574 0x69, 0x74, 0x73, 0x20, 0x50, 0x74, 0x79, 0x20, 0x4c, 0x74, 0x64,
2575 };
2576
2577 // SSLVersionTest executes its test cases under all available protocol versions.
2578 // Test cases call |Connect| to create a connection using context objects with
2579 // the protocol version fixed to the current version under test.
2580 class SSLVersionTest : public ::testing::TestWithParam<VersionParam> {
2581 protected:
SSLVersionTest()2582 SSLVersionTest() : cert_(GetTestCertificate()), key_(GetTestKey()) {}
2583
SetUp()2584 void SetUp() { ResetContexts(); }
2585
CreateContext() const2586 bssl::UniquePtr<SSL_CTX> CreateContext() const {
2587 const SSL_METHOD *method = is_dtls() ? DTLS_method() : TLS_method();
2588 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method));
2589 if (!ctx || !SSL_CTX_set_min_proto_version(ctx.get(), version()) ||
2590 !SSL_CTX_set_max_proto_version(ctx.get(), version())) {
2591 return nullptr;
2592 }
2593 return ctx;
2594 }
2595
ResetContexts()2596 void ResetContexts() {
2597 ASSERT_TRUE(cert_);
2598 ASSERT_TRUE(key_);
2599 client_ctx_ = CreateContext();
2600 ASSERT_TRUE(client_ctx_);
2601 server_ctx_ = CreateContext();
2602 ASSERT_TRUE(server_ctx_);
2603 // Set up a server cert. Client certs can be set up explicitly.
2604 ASSERT_TRUE(UseCertAndKey(server_ctx_.get()));
2605 }
2606
UseCertAndKey(SSL_CTX * ctx) const2607 bool UseCertAndKey(SSL_CTX *ctx) const {
2608 return SSL_CTX_use_certificate(ctx, cert_.get()) &&
2609 SSL_CTX_use_PrivateKey(ctx, key_.get());
2610 }
2611
Connect(const ClientConfig & config=ClientConfig ())2612 bool Connect(const ClientConfig &config = ClientConfig()) {
2613 return ConnectClientAndServer(&client_, &server_, client_ctx_.get(),
2614 server_ctx_.get(), config,
2615 shed_handshake_config_);
2616 }
2617
version() const2618 uint16_t version() const { return GetParam().version; }
2619
is_dtls() const2620 bool is_dtls() const {
2621 return GetParam().ssl_method == VersionParam::is_dtls;
2622 }
2623
2624 bool shed_handshake_config_ = true;
2625 bssl::UniquePtr<SSL> client_, server_;
2626 bssl::UniquePtr<SSL_CTX> server_ctx_, client_ctx_;
2627 bssl::UniquePtr<X509> cert_;
2628 bssl::UniquePtr<EVP_PKEY> key_;
2629 };
2630
2631 INSTANTIATE_TEST_SUITE_P(WithVersion, SSLVersionTest,
2632 testing::ValuesIn(kAllVersions),
__anon4706cec80802(const testing::TestParamInfo<VersionParam> &i) 2633 [](const testing::TestParamInfo<VersionParam> &i) {
2634 return i.param.name;
2635 });
2636
TEST_P(SSLVersionTest,SequenceNumber)2637 TEST_P(SSLVersionTest, SequenceNumber) {
2638 ASSERT_TRUE(Connect());
2639
2640 // Drain any post-handshake messages to ensure there are no unread records
2641 // on either end.
2642 ASSERT_TRUE(FlushNewSessionTickets(client_.get(), server_.get()));
2643
2644 uint64_t client_read_seq = SSL_get_read_sequence(client_.get());
2645 uint64_t client_write_seq = SSL_get_write_sequence(client_.get());
2646 uint64_t server_read_seq = SSL_get_read_sequence(server_.get());
2647 uint64_t server_write_seq = SSL_get_write_sequence(server_.get());
2648
2649 if (is_dtls()) {
2650 // Both client and server must be at epoch 1.
2651 EXPECT_EQ(EpochFromSequence(client_read_seq), 1);
2652 EXPECT_EQ(EpochFromSequence(client_write_seq), 1);
2653 EXPECT_EQ(EpochFromSequence(server_read_seq), 1);
2654 EXPECT_EQ(EpochFromSequence(server_write_seq), 1);
2655
2656 // The next record to be written should exceed the largest received.
2657 EXPECT_GT(client_write_seq, server_read_seq);
2658 EXPECT_GT(server_write_seq, client_read_seq);
2659 } else {
2660 // The next record to be written should equal the next to be received.
2661 EXPECT_EQ(client_write_seq, server_read_seq);
2662 EXPECT_EQ(server_write_seq, client_read_seq);
2663 }
2664
2665 // Send a record from client to server.
2666 uint8_t byte = 0;
2667 EXPECT_EQ(SSL_write(client_.get(), &byte, 1), 1);
2668 EXPECT_EQ(SSL_read(server_.get(), &byte, 1), 1);
2669
2670 // The client write and server read sequence numbers should have
2671 // incremented.
2672 EXPECT_EQ(client_write_seq + 1, SSL_get_write_sequence(client_.get()));
2673 EXPECT_EQ(server_read_seq + 1, SSL_get_read_sequence(server_.get()));
2674 }
2675
TEST_P(SSLVersionTest,OneSidedShutdown)2676 TEST_P(SSLVersionTest, OneSidedShutdown) {
2677 // SSL_shutdown is a no-op in DTLS.
2678 if (is_dtls()) {
2679 return;
2680 }
2681 ASSERT_TRUE(Connect());
2682
2683 // Shut down half the connection. |SSL_shutdown| will return 0 to signal only
2684 // one side has shut down.
2685 ASSERT_EQ(SSL_shutdown(client_.get()), 0);
2686
2687 // Reading from the server should consume the EOF.
2688 uint8_t byte;
2689 ASSERT_EQ(SSL_read(server_.get(), &byte, 1), 0);
2690 ASSERT_EQ(SSL_get_error(server_.get(), 0), SSL_ERROR_ZERO_RETURN);
2691
2692 // However, the server may continue to write data and then shut down the
2693 // connection.
2694 byte = 42;
2695 ASSERT_EQ(SSL_write(server_.get(), &byte, 1), 1);
2696 ASSERT_EQ(SSL_read(client_.get(), &byte, 1), 1);
2697 ASSERT_EQ(byte, 42);
2698
2699 // The server may then shutdown the connection.
2700 EXPECT_EQ(SSL_shutdown(server_.get()), 1);
2701 EXPECT_EQ(SSL_shutdown(client_.get()), 1);
2702 }
2703
2704 // Test that, after calling |SSL_shutdown|, |SSL_write| fails.
TEST_P(SSLVersionTest,WriteAfterShutdown)2705 TEST_P(SSLVersionTest, WriteAfterShutdown) {
2706 ASSERT_TRUE(Connect());
2707
2708 for (SSL *ssl : {client_.get(), server_.get()}) {
2709 SCOPED_TRACE(SSL_is_server(ssl) ? "server" : "client");
2710
2711 bssl::UniquePtr<BIO> mem(BIO_new(BIO_s_mem()));
2712 ASSERT_TRUE(mem);
2713 SSL_set0_wbio(ssl, bssl::UpRef(mem).release());
2714
2715 // Shut down half the connection. |SSL_shutdown| will return 0 to signal
2716 // only one side has shut down.
2717 ASSERT_EQ(SSL_shutdown(ssl), 0);
2718
2719 // |ssl| should have written an alert to the transport.
2720 const uint8_t *unused;
2721 size_t len;
2722 ASSERT_TRUE(BIO_mem_contents(mem.get(), &unused, &len));
2723 EXPECT_NE(0u, len);
2724 EXPECT_TRUE(BIO_reset(mem.get()));
2725
2726 // Writing should fail.
2727 EXPECT_EQ(-1, SSL_write(ssl, "a", 1));
2728
2729 // Nothing should be written to the transport.
2730 ASSERT_TRUE(BIO_mem_contents(mem.get(), &unused, &len));
2731 EXPECT_EQ(0u, len);
2732 }
2733 }
2734
2735 // Test that, after sending a fatal alert in a failed |SSL_read|, |SSL_write|
2736 // fails.
TEST_P(SSLVersionTest,WriteAfterReadSentFatalAlert)2737 TEST_P(SSLVersionTest, WriteAfterReadSentFatalAlert) {
2738 // Decryption failures are not fatal in DTLS.
2739 if (is_dtls()) {
2740 return;
2741 }
2742
2743 ASSERT_TRUE(Connect());
2744
2745 // Save the write |BIO|s as the test will overwrite them.
2746 bssl::UniquePtr<BIO> client_wbio = bssl::UpRef(SSL_get_wbio(client_.get()));
2747 bssl::UniquePtr<BIO> server_wbio = bssl::UpRef(SSL_get_wbio(server_.get()));
2748
2749 for (bool test_server : {false, true}) {
2750 SCOPED_TRACE(test_server ? "server" : "client");
2751 SSL *ssl = test_server ? server_.get() : client_.get();
2752 BIO *other_wbio = test_server ? client_wbio.get() : server_wbio.get();
2753
2754 bssl::UniquePtr<BIO> mem(BIO_new(BIO_s_mem()));
2755 ASSERT_TRUE(mem);
2756 SSL_set0_wbio(ssl, bssl::UpRef(mem).release());
2757
2758 // Read an invalid record from the peer.
2759 static const uint8_t kInvalidRecord[] = "invalid record";
2760 EXPECT_EQ(int{sizeof(kInvalidRecord)},
2761 BIO_write(other_wbio, kInvalidRecord, sizeof(kInvalidRecord)));
2762 char buf[256];
2763 EXPECT_EQ(-1, SSL_read(ssl, buf, sizeof(buf)));
2764
2765 // |ssl| should have written an alert to the transport.
2766 const uint8_t *unused;
2767 size_t len;
2768 ASSERT_TRUE(BIO_mem_contents(mem.get(), &unused, &len));
2769 EXPECT_NE(0u, len);
2770 EXPECT_TRUE(BIO_reset(mem.get()));
2771
2772 // Writing should fail.
2773 EXPECT_EQ(-1, SSL_write(ssl, "a", 1));
2774
2775 // Nothing should be written to the transport.
2776 ASSERT_TRUE(BIO_mem_contents(mem.get(), &unused, &len));
2777 EXPECT_EQ(0u, len);
2778 }
2779 }
2780
2781 // Test that, after sending a fatal alert from the handshake, |SSL_write| fails.
TEST_P(SSLVersionTest,WriteAfterHandshakeSentFatalAlert)2782 TEST_P(SSLVersionTest, WriteAfterHandshakeSentFatalAlert) {
2783 for (bool test_server : {false, true}) {
2784 SCOPED_TRACE(test_server ? "server" : "client");
2785
2786 bssl::UniquePtr<SSL> ssl(
2787 SSL_new(test_server ? server_ctx_.get() : client_ctx_.get()));
2788 ASSERT_TRUE(ssl);
2789 if (test_server) {
2790 SSL_set_accept_state(ssl.get());
2791 } else {
2792 SSL_set_connect_state(ssl.get());
2793 }
2794
2795 std::vector<uint8_t> invalid;
2796 if (is_dtls()) {
2797 // In DTLS, invalid records are discarded. To cause the handshake to fail,
2798 // use a valid handshake record with invalid contents.
2799 invalid.push_back(SSL3_RT_HANDSHAKE);
2800 invalid.push_back(DTLS1_VERSION >> 8);
2801 invalid.push_back(DTLS1_VERSION & 0xff);
2802 // epoch and sequence_number
2803 for (int i = 0; i < 8; i++) {
2804 invalid.push_back(0);
2805 }
2806 // A one-byte fragment is invalid.
2807 invalid.push_back(0);
2808 invalid.push_back(1);
2809 // Arbitrary contents.
2810 invalid.push_back(0);
2811 } else {
2812 invalid = {'i', 'n', 'v', 'a', 'l', 'i', 'd'};
2813 }
2814 bssl::UniquePtr<BIO> rbio(
2815 BIO_new_mem_buf(invalid.data(), invalid.size()));
2816 ASSERT_TRUE(rbio);
2817 SSL_set0_rbio(ssl.get(), rbio.release());
2818
2819 bssl::UniquePtr<BIO> mem(BIO_new(BIO_s_mem()));
2820 ASSERT_TRUE(mem);
2821 SSL_set0_wbio(ssl.get(), bssl::UpRef(mem).release());
2822
2823 // The handshake should fail.
2824 EXPECT_EQ(-1, SSL_do_handshake(ssl.get()));
2825 EXPECT_EQ(SSL_ERROR_SSL, SSL_get_error(ssl.get(), -1));
2826 uint32_t err = ERR_get_error();
2827
2828 // |ssl| should have written an alert (and, in the client's case, a
2829 // ClientHello) to the transport.
2830 const uint8_t *unused;
2831 size_t len;
2832 ASSERT_TRUE(BIO_mem_contents(mem.get(), &unused, &len));
2833 EXPECT_NE(0u, len);
2834 EXPECT_TRUE(BIO_reset(mem.get()));
2835
2836 // Writing should fail, with the same error as the handshake.
2837 EXPECT_EQ(-1, SSL_write(ssl.get(), "a", 1));
2838 EXPECT_EQ(SSL_ERROR_SSL, SSL_get_error(ssl.get(), -1));
2839 EXPECT_EQ(err, ERR_get_error());
2840
2841 // Nothing should be written to the transport.
2842 ASSERT_TRUE(BIO_mem_contents(mem.get(), &unused, &len));
2843 EXPECT_EQ(0u, len);
2844 }
2845 }
2846
2847 // Test that, after seeing TLS 1.2 in response to early data, |SSL_write|
2848 // continues to report |SSL_R_WRONG_VERSION_ON_EARLY_DATA|. See
2849 // https://crbug.com/1078515.
TEST(SSLTest,WriteAfterWrongVersionOnEarlyData)2850 TEST(SSLTest, WriteAfterWrongVersionOnEarlyData) {
2851 // Set up some 0-RTT-enabled contexts.
2852 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
2853 bssl::UniquePtr<SSL_CTX> server_ctx =
2854 CreateContextWithTestCertificate(TLS_method());
2855 ASSERT_TRUE(client_ctx);
2856 ASSERT_TRUE(server_ctx);
2857 SSL_CTX_set_early_data_enabled(client_ctx.get(), 1);
2858 SSL_CTX_set_early_data_enabled(server_ctx.get(), 1);
2859 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
2860 SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH);
2861
2862 // Get an early-data-capable session.
2863 bssl::UniquePtr<SSL_SESSION> session =
2864 CreateClientSession(client_ctx.get(), server_ctx.get());
2865 ASSERT_TRUE(session);
2866 EXPECT_TRUE(SSL_SESSION_early_data_capable(session.get()));
2867
2868 // Offer the session to the server, but now the server speaks TLS 1.2.
2869 bssl::UniquePtr<SSL> client, server;
2870 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
2871 server_ctx.get()));
2872 SSL_set_session(client.get(), session.get());
2873 EXPECT_TRUE(SSL_set_max_proto_version(server.get(), TLS1_2_VERSION));
2874
2875 // The client handshake initially succeeds in the early data state.
2876 EXPECT_EQ(1, SSL_do_handshake(client.get()));
2877 EXPECT_TRUE(SSL_in_early_data(client.get()));
2878
2879 // The server processes the ClientHello and negotiates TLS 1.2.
2880 EXPECT_EQ(-1, SSL_do_handshake(server.get()));
2881 EXPECT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(server.get(), -1));
2882 EXPECT_EQ(TLS1_2_VERSION, SSL_version(server.get()));
2883
2884 // Capture the client's output.
2885 bssl::UniquePtr<BIO> mem(BIO_new(BIO_s_mem()));
2886 ASSERT_TRUE(mem);
2887 SSL_set0_wbio(client.get(), bssl::UpRef(mem).release());
2888
2889 // The client processes the ServerHello and fails.
2890 EXPECT_EQ(-1, SSL_do_handshake(client.get()));
2891 EXPECT_EQ(SSL_ERROR_SSL, SSL_get_error(client.get(), -1));
2892 uint32_t err = ERR_get_error();
2893 EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err));
2894 EXPECT_EQ(SSL_R_WRONG_VERSION_ON_EARLY_DATA, ERR_GET_REASON(err));
2895
2896 // The client should have written an alert to the transport.
2897 const uint8_t *unused;
2898 size_t len;
2899 ASSERT_TRUE(BIO_mem_contents(mem.get(), &unused, &len));
2900 EXPECT_NE(0u, len);
2901 EXPECT_TRUE(BIO_reset(mem.get()));
2902
2903 // Writing should fail, with the same error as the handshake.
2904 EXPECT_EQ(-1, SSL_write(client.get(), "a", 1));
2905 EXPECT_EQ(SSL_ERROR_SSL, SSL_get_error(client.get(), -1));
2906 err = ERR_get_error();
2907 EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err));
2908 EXPECT_EQ(SSL_R_WRONG_VERSION_ON_EARLY_DATA, ERR_GET_REASON(err));
2909
2910 // Nothing should be written to the transport.
2911 ASSERT_TRUE(BIO_mem_contents(mem.get(), &unused, &len));
2912 EXPECT_EQ(0u, len);
2913 }
2914
TEST(SSLTest,SessionDuplication)2915 TEST(SSLTest, SessionDuplication) {
2916 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
2917 bssl::UniquePtr<SSL_CTX> server_ctx =
2918 CreateContextWithTestCertificate(TLS_method());
2919 ASSERT_TRUE(client_ctx);
2920 ASSERT_TRUE(server_ctx);
2921
2922 bssl::UniquePtr<SSL> client, server;
2923 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
2924 server_ctx.get()));
2925
2926 SSL_SESSION *session0 = SSL_get_session(client.get());
2927 bssl::UniquePtr<SSL_SESSION> session1 =
2928 bssl::SSL_SESSION_dup(session0, SSL_SESSION_DUP_ALL);
2929 ASSERT_TRUE(session1);
2930
2931 session1->not_resumable = false;
2932
2933 uint8_t *s0_bytes, *s1_bytes;
2934 size_t s0_len, s1_len;
2935
2936 ASSERT_TRUE(SSL_SESSION_to_bytes(session0, &s0_bytes, &s0_len));
2937 bssl::UniquePtr<uint8_t> free_s0(s0_bytes);
2938
2939 ASSERT_TRUE(SSL_SESSION_to_bytes(session1.get(), &s1_bytes, &s1_len));
2940 bssl::UniquePtr<uint8_t> free_s1(s1_bytes);
2941
2942 EXPECT_EQ(Bytes(s0_bytes, s0_len), Bytes(s1_bytes, s1_len));
2943 }
2944
ExpectFDs(const SSL * ssl,int rfd,int wfd)2945 static void ExpectFDs(const SSL *ssl, int rfd, int wfd) {
2946 EXPECT_EQ(rfd, SSL_get_fd(ssl));
2947 EXPECT_EQ(rfd, SSL_get_rfd(ssl));
2948 EXPECT_EQ(wfd, SSL_get_wfd(ssl));
2949
2950 // The wrapper BIOs are always equal when fds are equal, even if set
2951 // individually.
2952 if (rfd == wfd) {
2953 EXPECT_EQ(SSL_get_rbio(ssl), SSL_get_wbio(ssl));
2954 }
2955 }
2956
TEST(SSLTest,SetFD)2957 TEST(SSLTest, SetFD) {
2958 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
2959 ASSERT_TRUE(ctx);
2960
2961 // Test setting different read and write FDs.
2962 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
2963 ASSERT_TRUE(ssl);
2964 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
2965 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 2));
2966 ExpectFDs(ssl.get(), 1, 2);
2967
2968 // Test setting the same FD.
2969 ssl.reset(SSL_new(ctx.get()));
2970 ASSERT_TRUE(ssl);
2971 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
2972 ExpectFDs(ssl.get(), 1, 1);
2973
2974 // Test setting the same FD one side at a time.
2975 ssl.reset(SSL_new(ctx.get()));
2976 ASSERT_TRUE(ssl);
2977 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
2978 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 1));
2979 ExpectFDs(ssl.get(), 1, 1);
2980
2981 // Test setting the same FD in the other order.
2982 ssl.reset(SSL_new(ctx.get()));
2983 ASSERT_TRUE(ssl);
2984 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 1));
2985 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
2986 ExpectFDs(ssl.get(), 1, 1);
2987
2988 // Test changing the read FD partway through.
2989 ssl.reset(SSL_new(ctx.get()));
2990 ASSERT_TRUE(ssl);
2991 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
2992 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 2));
2993 ExpectFDs(ssl.get(), 2, 1);
2994
2995 // Test changing the write FD partway through.
2996 ssl.reset(SSL_new(ctx.get()));
2997 ASSERT_TRUE(ssl);
2998 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
2999 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 2));
3000 ExpectFDs(ssl.get(), 1, 2);
3001
3002 // Test a no-op change to the read FD partway through.
3003 ssl.reset(SSL_new(ctx.get()));
3004 ASSERT_TRUE(ssl);
3005 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
3006 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
3007 ExpectFDs(ssl.get(), 1, 1);
3008
3009 // Test a no-op change to the write FD partway through.
3010 ssl.reset(SSL_new(ctx.get()));
3011 ASSERT_TRUE(ssl);
3012 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
3013 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 1));
3014 ExpectFDs(ssl.get(), 1, 1);
3015
3016 // ASan builds will implicitly test that the internal |BIO| reference-counting
3017 // is correct.
3018 }
3019
TEST(SSLTest,SetBIO)3020 TEST(SSLTest, SetBIO) {
3021 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
3022 ASSERT_TRUE(ctx);
3023
3024 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
3025 bssl::UniquePtr<BIO> bio1(BIO_new(BIO_s_mem())), bio2(BIO_new(BIO_s_mem())),
3026 bio3(BIO_new(BIO_s_mem()));
3027 ASSERT_TRUE(ssl);
3028 ASSERT_TRUE(bio1);
3029 ASSERT_TRUE(bio2);
3030 ASSERT_TRUE(bio3);
3031
3032 // SSL_set_bio takes one reference when the parameters are the same.
3033 BIO_up_ref(bio1.get());
3034 SSL_set_bio(ssl.get(), bio1.get(), bio1.get());
3035
3036 // Repeating the call does nothing.
3037 SSL_set_bio(ssl.get(), bio1.get(), bio1.get());
3038
3039 // It takes one reference each when the parameters are different.
3040 BIO_up_ref(bio2.get());
3041 BIO_up_ref(bio3.get());
3042 SSL_set_bio(ssl.get(), bio2.get(), bio3.get());
3043
3044 // Repeating the call does nothing.
3045 SSL_set_bio(ssl.get(), bio2.get(), bio3.get());
3046
3047 // It takes one reference when changing only wbio.
3048 BIO_up_ref(bio1.get());
3049 SSL_set_bio(ssl.get(), bio2.get(), bio1.get());
3050
3051 // It takes one reference when changing only rbio and the two are different.
3052 BIO_up_ref(bio3.get());
3053 SSL_set_bio(ssl.get(), bio3.get(), bio1.get());
3054
3055 // If setting wbio to rbio, it takes no additional references.
3056 SSL_set_bio(ssl.get(), bio3.get(), bio3.get());
3057
3058 // From there, wbio may be switched to something else.
3059 BIO_up_ref(bio1.get());
3060 SSL_set_bio(ssl.get(), bio3.get(), bio1.get());
3061
3062 // If setting rbio to wbio, it takes no additional references.
3063 SSL_set_bio(ssl.get(), bio1.get(), bio1.get());
3064
3065 // From there, rbio may be switched to something else, but, for historical
3066 // reasons, it takes a reference to both parameters.
3067 BIO_up_ref(bio1.get());
3068 BIO_up_ref(bio2.get());
3069 SSL_set_bio(ssl.get(), bio2.get(), bio1.get());
3070
3071 // ASAN builds will implicitly test that the internal |BIO| reference-counting
3072 // is correct.
3073 }
3074
VerifySucceed(X509_STORE_CTX * store_ctx,void * arg)3075 static int VerifySucceed(X509_STORE_CTX *store_ctx, void *arg) { return 1; }
3076
TEST_P(SSLVersionTest,GetPeerCertificate)3077 TEST_P(SSLVersionTest, GetPeerCertificate) {
3078 ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
3079
3080 // Configure both client and server to accept any certificate.
3081 SSL_CTX_set_verify(client_ctx_.get(),
3082 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
3083 nullptr);
3084 SSL_CTX_set_cert_verify_callback(client_ctx_.get(), VerifySucceed, NULL);
3085 SSL_CTX_set_verify(server_ctx_.get(),
3086 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
3087 nullptr);
3088 SSL_CTX_set_cert_verify_callback(server_ctx_.get(), VerifySucceed, NULL);
3089
3090 ASSERT_TRUE(Connect());
3091
3092 // Client and server should both see the leaf certificate.
3093 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(server_.get()));
3094 ASSERT_TRUE(peer);
3095 ASSERT_EQ(X509_cmp(cert_.get(), peer.get()), 0);
3096
3097 peer.reset(SSL_get_peer_certificate(client_.get()));
3098 ASSERT_TRUE(peer);
3099 ASSERT_EQ(X509_cmp(cert_.get(), peer.get()), 0);
3100
3101 // However, for historical reasons, the X509 chain includes the leaf on the
3102 // client, but does not on the server.
3103 EXPECT_EQ(sk_X509_num(SSL_get_peer_cert_chain(client_.get())), 1u);
3104 EXPECT_EQ(sk_CRYPTO_BUFFER_num(SSL_get0_peer_certificates(client_.get())),
3105 1u);
3106
3107 EXPECT_EQ(sk_X509_num(SSL_get_peer_cert_chain(server_.get())), 0u);
3108 EXPECT_EQ(sk_CRYPTO_BUFFER_num(SSL_get0_peer_certificates(server_.get())),
3109 1u);
3110 }
3111
TEST_P(SSLVersionTest,NoPeerCertificate)3112 TEST_P(SSLVersionTest, NoPeerCertificate) {
3113 SSL_CTX_set_verify(server_ctx_.get(), SSL_VERIFY_PEER, nullptr);
3114 SSL_CTX_set_cert_verify_callback(server_ctx_.get(), VerifySucceed, NULL);
3115 SSL_CTX_set_cert_verify_callback(client_ctx_.get(), VerifySucceed, NULL);
3116
3117 ASSERT_TRUE(Connect());
3118
3119 // Server should not see a peer certificate.
3120 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(server_.get()));
3121 ASSERT_FALSE(peer);
3122 ASSERT_FALSE(SSL_get0_peer_certificates(server_.get()));
3123 }
3124
TEST_P(SSLVersionTest,RetainOnlySHA256OfCerts)3125 TEST_P(SSLVersionTest, RetainOnlySHA256OfCerts) {
3126 uint8_t *cert_der = NULL;
3127 int cert_der_len = i2d_X509(cert_.get(), &cert_der);
3128 ASSERT_GE(cert_der_len, 0);
3129 bssl::UniquePtr<uint8_t> free_cert_der(cert_der);
3130
3131 uint8_t cert_sha256[SHA256_DIGEST_LENGTH];
3132 SHA256(cert_der, cert_der_len, cert_sha256);
3133
3134 ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
3135
3136 // Configure both client and server to accept any certificate, but the
3137 // server must retain only the SHA-256 of the peer.
3138 SSL_CTX_set_verify(client_ctx_.get(),
3139 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
3140 nullptr);
3141 SSL_CTX_set_verify(server_ctx_.get(),
3142 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
3143 nullptr);
3144 SSL_CTX_set_cert_verify_callback(client_ctx_.get(), VerifySucceed, NULL);
3145 SSL_CTX_set_cert_verify_callback(server_ctx_.get(), VerifySucceed, NULL);
3146 SSL_CTX_set_retain_only_sha256_of_client_certs(server_ctx_.get(), 1);
3147
3148 ASSERT_TRUE(Connect());
3149
3150 // The peer certificate has been dropped.
3151 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(server_.get()));
3152 EXPECT_FALSE(peer);
3153
3154 SSL_SESSION *session = SSL_get_session(server_.get());
3155 EXPECT_TRUE(SSL_SESSION_has_peer_sha256(session));
3156
3157 const uint8_t *peer_sha256;
3158 size_t peer_sha256_len;
3159 SSL_SESSION_get0_peer_sha256(session, &peer_sha256, &peer_sha256_len);
3160 EXPECT_EQ(Bytes(cert_sha256), Bytes(peer_sha256, peer_sha256_len));
3161 }
3162
3163 // Tests that our ClientHellos do not change unexpectedly. These are purely
3164 // change detection tests. If they fail as part of an intentional ClientHello
3165 // change, update the test vector.
TEST(SSLTest,ClientHello)3166 TEST(SSLTest, ClientHello) {
3167 struct {
3168 uint16_t max_version;
3169 std::vector<uint8_t> expected;
3170 } kTests[] = {
3171 {TLS1_VERSION,
3172 {0x16, 0x03, 0x01, 0x00, 0x5a, 0x01, 0x00, 0x00, 0x56, 0x03, 0x01, 0x00,
3173 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3174 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3175 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0e, 0xc0, 0x09,
3176 0xc0, 0x13, 0xc0, 0x0a, 0xc0, 0x14, 0x00, 0x2f, 0x00, 0x35, 0x00, 0x0a,
3177 0x01, 0x00, 0x00, 0x1f, 0x00, 0x17, 0x00, 0x00, 0xff, 0x01, 0x00, 0x01,
3178 0x00, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00,
3179 0x18, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00}},
3180 {TLS1_1_VERSION,
3181 {0x16, 0x03, 0x01, 0x00, 0x5a, 0x01, 0x00, 0x00, 0x56, 0x03, 0x02, 0x00,
3182 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3183 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3184 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0e, 0xc0, 0x09,
3185 0xc0, 0x13, 0xc0, 0x0a, 0xc0, 0x14, 0x00, 0x2f, 0x00, 0x35, 0x00, 0x0a,
3186 0x01, 0x00, 0x00, 0x1f, 0x00, 0x17, 0x00, 0x00, 0xff, 0x01, 0x00, 0x01,
3187 0x00, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00,
3188 0x18, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00}},
3189 {TLS1_2_VERSION,
3190 {0x16, 0x03, 0x01, 0x00, 0x82, 0x01, 0x00, 0x00, 0x7e, 0x03, 0x03, 0x00,
3191 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3192 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3193 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1e, 0xcc, 0xa9,
3194 0xcc, 0xa8, 0xc0, 0x2b, 0xc0, 0x2f, 0xc0, 0x2c, 0xc0, 0x30, 0xc0, 0x09,
3195 0xc0, 0x13, 0xc0, 0x0a, 0xc0, 0x14, 0x00, 0x9c, 0x00, 0x9d, 0x00, 0x2f,
3196 0x00, 0x35, 0x00, 0x0a, 0x01, 0x00, 0x00, 0x37, 0x00, 0x17, 0x00, 0x00,
3197 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00,
3198 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00,
3199 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x14, 0x00, 0x12, 0x04, 0x03, 0x08,
3200 0x04, 0x04, 0x01, 0x05, 0x03, 0x08, 0x05, 0x05, 0x01, 0x08, 0x06, 0x06,
3201 0x01, 0x02, 0x01}},
3202 // TODO(davidben): Add a change detector for TLS 1.3 once the spec and our
3203 // implementation has settled enough that it won't change.
3204 };
3205
3206 for (const auto &t : kTests) {
3207 SCOPED_TRACE(t.max_version);
3208
3209 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
3210 ASSERT_TRUE(ctx);
3211 // Our default cipher list varies by CPU capabilities, so manually place the
3212 // ChaCha20 ciphers in front.
3213 const char *cipher_list = "CHACHA20:ALL";
3214 ASSERT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), t.max_version));
3215 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(ctx.get(), cipher_list));
3216
3217 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
3218 ASSERT_TRUE(ssl);
3219 std::vector<uint8_t> client_hello;
3220 ASSERT_TRUE(GetClientHello(ssl.get(), &client_hello));
3221
3222 // Zero the client_random.
3223 constexpr size_t kRandomOffset = 1 + 2 + 2 + // record header
3224 1 + 3 + // handshake message header
3225 2; // client_version
3226 ASSERT_GE(client_hello.size(), kRandomOffset + SSL3_RANDOM_SIZE);
3227 OPENSSL_memset(client_hello.data() + kRandomOffset, 0, SSL3_RANDOM_SIZE);
3228
3229 if (client_hello != t.expected) {
3230 ADD_FAILURE() << "ClientHellos did not match.";
3231 // Print the value manually so it is easier to update the test vector.
3232 for (size_t i = 0; i < client_hello.size(); i += 12) {
3233 printf(" %c", i == 0 ? '{' : ' ');
3234 for (size_t j = i; j < client_hello.size() && j < i + 12; j++) {
3235 if (j > i) {
3236 printf(" ");
3237 }
3238 printf("0x%02x", client_hello[j]);
3239 if (j < client_hello.size() - 1) {
3240 printf(",");
3241 }
3242 }
3243 if (i + 12 >= client_hello.size()) {
3244 printf("}},");
3245 }
3246 printf("\n");
3247 }
3248 }
3249 }
3250 }
3251
ExpectSessionReused(SSL_CTX * client_ctx,SSL_CTX * server_ctx,SSL_SESSION * session,bool want_reused)3252 static void ExpectSessionReused(SSL_CTX *client_ctx, SSL_CTX *server_ctx,
3253 SSL_SESSION *session, bool want_reused) {
3254 bssl::UniquePtr<SSL> client, server;
3255 ClientConfig config;
3256 config.session = session;
3257 ASSERT_TRUE(
3258 ConnectClientAndServer(&client, &server, client_ctx, server_ctx, config));
3259
3260 EXPECT_EQ(SSL_session_reused(client.get()), SSL_session_reused(server.get()));
3261
3262 bool was_reused = !!SSL_session_reused(client.get());
3263 EXPECT_EQ(was_reused, want_reused);
3264 }
3265
ExpectSessionRenewed(SSL_CTX * client_ctx,SSL_CTX * server_ctx,SSL_SESSION * session)3266 static bssl::UniquePtr<SSL_SESSION> ExpectSessionRenewed(SSL_CTX *client_ctx,
3267 SSL_CTX *server_ctx,
3268 SSL_SESSION *session) {
3269 g_last_session = nullptr;
3270 SSL_CTX_sess_set_new_cb(client_ctx, SaveLastSession);
3271
3272 bssl::UniquePtr<SSL> client, server;
3273 ClientConfig config;
3274 config.session = session;
3275 if (!ConnectClientAndServer(&client, &server, client_ctx, server_ctx,
3276 config) ||
3277 !FlushNewSessionTickets(client.get(), server.get())) {
3278 fprintf(stderr, "Failed to connect client and server.\n");
3279 return nullptr;
3280 }
3281
3282 if (SSL_session_reused(client.get()) != SSL_session_reused(server.get())) {
3283 fprintf(stderr, "Client and server were inconsistent.\n");
3284 return nullptr;
3285 }
3286
3287 if (!SSL_session_reused(client.get())) {
3288 fprintf(stderr, "Session was not reused.\n");
3289 return nullptr;
3290 }
3291
3292 SSL_CTX_sess_set_new_cb(client_ctx, nullptr);
3293
3294 if (!g_last_session) {
3295 fprintf(stderr, "Client did not receive a renewed session.\n");
3296 return nullptr;
3297 }
3298 return std::move(g_last_session);
3299 }
3300
ExpectTicketKeyChanged(SSL_CTX * ctx,uint8_t * inout_key,bool changed)3301 static void ExpectTicketKeyChanged(SSL_CTX *ctx, uint8_t *inout_key,
3302 bool changed) {
3303 uint8_t new_key[kTicketKeyLen];
3304 // May return 0, 1 or 48.
3305 ASSERT_EQ(SSL_CTX_get_tlsext_ticket_keys(ctx, new_key, kTicketKeyLen), 1);
3306 if (changed) {
3307 ASSERT_NE(Bytes(inout_key, kTicketKeyLen), Bytes(new_key));
3308 } else {
3309 ASSERT_EQ(Bytes(inout_key, kTicketKeyLen), Bytes(new_key));
3310 }
3311 OPENSSL_memcpy(inout_key, new_key, kTicketKeyLen);
3312 }
3313
SwitchSessionIDContextSNI(SSL * ssl,int * out_alert,void * arg)3314 static int SwitchSessionIDContextSNI(SSL *ssl, int *out_alert, void *arg) {
3315 static const uint8_t kContext[] = {3};
3316
3317 if (!SSL_set_session_id_context(ssl, kContext, sizeof(kContext))) {
3318 return SSL_TLSEXT_ERR_ALERT_FATAL;
3319 }
3320
3321 return SSL_TLSEXT_ERR_OK;
3322 }
3323
TEST_P(SSLVersionTest,SessionIDContext)3324 TEST_P(SSLVersionTest, SessionIDContext) {
3325 static const uint8_t kContext1[] = {1};
3326 static const uint8_t kContext2[] = {2};
3327
3328 ASSERT_TRUE(SSL_CTX_set_session_id_context(server_ctx_.get(), kContext1,
3329 sizeof(kContext1)));
3330
3331 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
3332 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
3333
3334 bssl::UniquePtr<SSL_SESSION> session =
3335 CreateClientSession(client_ctx_.get(), server_ctx_.get());
3336 ASSERT_TRUE(session);
3337
3338 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3339 session.get(),
3340 true /* expect session reused */));
3341
3342 // Change the session ID context.
3343 ASSERT_TRUE(SSL_CTX_set_session_id_context(server_ctx_.get(), kContext2,
3344 sizeof(kContext2)));
3345
3346 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3347 session.get(),
3348 false /* expect session not reused */));
3349
3350 // Change the session ID context back and install an SNI callback to switch
3351 // it.
3352 ASSERT_TRUE(SSL_CTX_set_session_id_context(server_ctx_.get(), kContext1,
3353 sizeof(kContext1)));
3354
3355 SSL_CTX_set_tlsext_servername_callback(server_ctx_.get(),
3356 SwitchSessionIDContextSNI);
3357
3358 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3359 session.get(),
3360 false /* expect session not reused */));
3361
3362 // Switch the session ID context with the early callback instead.
3363 SSL_CTX_set_tlsext_servername_callback(server_ctx_.get(), nullptr);
3364 SSL_CTX_set_select_certificate_cb(
3365 server_ctx_.get(),
3366 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
3367 static const uint8_t kContext[] = {3};
3368
3369 if (!SSL_set_session_id_context(client_hello->ssl, kContext,
3370 sizeof(kContext))) {
3371 return ssl_select_cert_error;
3372 }
3373
3374 return ssl_select_cert_success;
3375 });
3376
3377 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3378 session.get(),
3379 false /* expect session not reused */));
3380 }
3381
3382 static timeval g_current_time;
3383
CurrentTimeCallback(const SSL * ssl,timeval * out_clock)3384 static void CurrentTimeCallback(const SSL *ssl, timeval *out_clock) {
3385 *out_clock = g_current_time;
3386 }
3387
FrozenTimeCallback(const SSL * ssl,timeval * out_clock)3388 static void FrozenTimeCallback(const SSL *ssl, timeval *out_clock) {
3389 out_clock->tv_sec = 1000;
3390 out_clock->tv_usec = 0;
3391 }
3392
RenewTicketCallback(SSL * ssl,uint8_t * key_name,uint8_t * iv,EVP_CIPHER_CTX * ctx,HMAC_CTX * hmac_ctx,int encrypt)3393 static int RenewTicketCallback(SSL *ssl, uint8_t *key_name, uint8_t *iv,
3394 EVP_CIPHER_CTX *ctx, HMAC_CTX *hmac_ctx,
3395 int encrypt) {
3396 static const uint8_t kZeros[16] = {0};
3397
3398 if (encrypt) {
3399 OPENSSL_memcpy(key_name, kZeros, sizeof(kZeros));
3400 RAND_bytes(iv, 16);
3401 } else if (OPENSSL_memcmp(key_name, kZeros, 16) != 0) {
3402 return 0;
3403 }
3404
3405 if (!HMAC_Init_ex(hmac_ctx, kZeros, sizeof(kZeros), EVP_sha256(), NULL) ||
3406 !EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, kZeros, iv, encrypt)) {
3407 return -1;
3408 }
3409
3410 // Returning two from the callback in decrypt mode renews the
3411 // session in TLS 1.2 and below.
3412 return encrypt ? 1 : 2;
3413 }
3414
GetServerTicketTime(long * out,const SSL_SESSION * session)3415 static bool GetServerTicketTime(long *out, const SSL_SESSION *session) {
3416 const uint8_t *ticket;
3417 size_t ticket_len;
3418 SSL_SESSION_get0_ticket(session, &ticket, &ticket_len);
3419 if (ticket_len < 16 + 16 + SHA256_DIGEST_LENGTH) {
3420 return false;
3421 }
3422
3423 const uint8_t *ciphertext = ticket + 16 + 16;
3424 size_t len = ticket_len - 16 - 16 - SHA256_DIGEST_LENGTH;
3425 std::unique_ptr<uint8_t[]> plaintext(new uint8_t[len]);
3426
3427 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
3428 // Fuzzer-mode tickets are unencrypted.
3429 OPENSSL_memcpy(plaintext.get(), ciphertext, len);
3430 #else
3431 static const uint8_t kZeros[16] = {0};
3432 const uint8_t *iv = ticket + 16;
3433 bssl::ScopedEVP_CIPHER_CTX ctx;
3434 int len1, len2;
3435 if (len > INT_MAX ||
3436 !EVP_DecryptInit_ex(ctx.get(), EVP_aes_128_cbc(), nullptr, kZeros, iv) ||
3437 !EVP_DecryptUpdate(ctx.get(), plaintext.get(), &len1, ciphertext,
3438 static_cast<int>(len)) ||
3439 !EVP_DecryptFinal_ex(ctx.get(), plaintext.get() + len1, &len2)) {
3440 return false;
3441 }
3442
3443 len = static_cast<size_t>(len1 + len2);
3444 #endif
3445
3446 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
3447 if (!ssl_ctx) {
3448 return false;
3449 }
3450 bssl::UniquePtr<SSL_SESSION> server_session(
3451 SSL_SESSION_from_bytes(plaintext.get(), len, ssl_ctx.get()));
3452 if (!server_session) {
3453 return false;
3454 }
3455
3456 *out = SSL_SESSION_get_time(server_session.get());
3457 return true;
3458 }
3459
TEST_P(SSLVersionTest,SessionTimeout)3460 TEST_P(SSLVersionTest, SessionTimeout) {
3461 for (bool server_test : {false, true}) {
3462 SCOPED_TRACE(server_test);
3463
3464 ASSERT_NO_FATAL_FAILURE(ResetContexts());
3465 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
3466 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
3467
3468 static const time_t kStartTime = 1000;
3469 g_current_time.tv_sec = kStartTime;
3470
3471 // We are willing to use a longer lifetime for TLS 1.3 sessions as
3472 // resumptions still perform ECDHE.
3473 const time_t timeout = version() == TLS1_3_VERSION
3474 ? SSL_DEFAULT_SESSION_PSK_DHE_TIMEOUT
3475 : SSL_DEFAULT_SESSION_TIMEOUT;
3476
3477 // Both client and server must enforce session timeouts. We configure the
3478 // other side with a frozen clock so it never expires tickets.
3479 if (server_test) {
3480 SSL_CTX_set_current_time_cb(client_ctx_.get(), FrozenTimeCallback);
3481 SSL_CTX_set_current_time_cb(server_ctx_.get(), CurrentTimeCallback);
3482 } else {
3483 SSL_CTX_set_current_time_cb(client_ctx_.get(), CurrentTimeCallback);
3484 SSL_CTX_set_current_time_cb(server_ctx_.get(), FrozenTimeCallback);
3485 }
3486
3487 // Configure a ticket callback which renews tickets.
3488 SSL_CTX_set_tlsext_ticket_key_cb(server_ctx_.get(), RenewTicketCallback);
3489
3490 bssl::UniquePtr<SSL_SESSION> session =
3491 CreateClientSession(client_ctx_.get(), server_ctx_.get());
3492 ASSERT_TRUE(session);
3493
3494 // Advance the clock just behind the timeout.
3495 g_current_time.tv_sec += timeout - 1;
3496
3497 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3498 session.get(),
3499 true /* expect session reused */));
3500
3501 // Advance the clock one more second.
3502 g_current_time.tv_sec++;
3503
3504 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3505 session.get(),
3506 false /* expect session not reused */));
3507
3508 // Rewind the clock to before the session was minted.
3509 g_current_time.tv_sec = kStartTime - 1;
3510
3511 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3512 session.get(),
3513 false /* expect session not reused */));
3514
3515 // Renew the session 10 seconds before expiration.
3516 time_t new_start_time = kStartTime + timeout - 10;
3517 g_current_time.tv_sec = new_start_time;
3518 bssl::UniquePtr<SSL_SESSION> new_session = ExpectSessionRenewed(
3519 client_ctx_.get(), server_ctx_.get(), session.get());
3520 ASSERT_TRUE(new_session);
3521
3522 // This new session is not the same object as before.
3523 EXPECT_NE(session.get(), new_session.get());
3524
3525 // Check the sessions have timestamps measured from issuance.
3526 long session_time = 0;
3527 if (server_test) {
3528 ASSERT_TRUE(GetServerTicketTime(&session_time, new_session.get()));
3529 } else {
3530 session_time = SSL_SESSION_get_time(new_session.get());
3531 }
3532
3533 ASSERT_EQ(session_time, g_current_time.tv_sec);
3534
3535 if (version() == TLS1_3_VERSION) {
3536 // Renewal incorporates fresh key material in TLS 1.3, so we extend the
3537 // lifetime TLS 1.3.
3538 g_current_time.tv_sec = new_start_time + timeout - 1;
3539 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3540 new_session.get(),
3541 true /* expect session reused */));
3542
3543 // The new session expires after the new timeout.
3544 g_current_time.tv_sec = new_start_time + timeout + 1;
3545 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3546 new_session.get(),
3547 false /* expect session ot reused */));
3548
3549 // Renew the session until it begins just past the auth timeout.
3550 time_t auth_end_time = kStartTime + SSL_DEFAULT_SESSION_AUTH_TIMEOUT;
3551 while (new_start_time < auth_end_time - 1000) {
3552 // Get as close as possible to target start time.
3553 new_start_time =
3554 std::min(auth_end_time - 1000, new_start_time + timeout - 1);
3555 g_current_time.tv_sec = new_start_time;
3556 new_session = ExpectSessionRenewed(client_ctx_.get(), server_ctx_.get(),
3557 new_session.get());
3558 ASSERT_TRUE(new_session);
3559 }
3560
3561 // Now the session's lifetime is bound by the auth timeout.
3562 g_current_time.tv_sec = auth_end_time - 1;
3563 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3564 new_session.get(),
3565 true /* expect session reused */));
3566
3567 g_current_time.tv_sec = auth_end_time + 1;
3568 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3569 new_session.get(),
3570 false /* expect session ot reused */));
3571 } else {
3572 // The new session is usable just before the old expiration.
3573 g_current_time.tv_sec = kStartTime + timeout - 1;
3574 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3575 new_session.get(),
3576 true /* expect session reused */));
3577
3578 // Renewal does not extend the lifetime, so it is not usable beyond the
3579 // old expiration.
3580 g_current_time.tv_sec = kStartTime + timeout + 1;
3581 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3582 new_session.get(),
3583 false /* expect session not reused */));
3584 }
3585 }
3586 }
3587
TEST_P(SSLVersionTest,DefaultTicketKeyInitialization)3588 TEST_P(SSLVersionTest, DefaultTicketKeyInitialization) {
3589 static const uint8_t kZeroKey[kTicketKeyLen] = {};
3590 uint8_t ticket_key[kTicketKeyLen];
3591 ASSERT_EQ(1, SSL_CTX_get_tlsext_ticket_keys(server_ctx_.get(), ticket_key,
3592 kTicketKeyLen));
3593 ASSERT_NE(0, OPENSSL_memcmp(ticket_key, kZeroKey, kTicketKeyLen));
3594 }
3595
TEST_P(SSLVersionTest,DefaultTicketKeyRotation)3596 TEST_P(SSLVersionTest, DefaultTicketKeyRotation) {
3597 static const time_t kStartTime = 1001;
3598 g_current_time.tv_sec = kStartTime;
3599
3600 // We use session reuse as a proxy for ticket decryption success, hence
3601 // disable session timeouts.
3602 SSL_CTX_set_timeout(server_ctx_.get(), std::numeric_limits<uint32_t>::max());
3603 SSL_CTX_set_session_psk_dhe_timeout(server_ctx_.get(),
3604 std::numeric_limits<uint32_t>::max());
3605
3606 SSL_CTX_set_current_time_cb(client_ctx_.get(), FrozenTimeCallback);
3607 SSL_CTX_set_current_time_cb(server_ctx_.get(), CurrentTimeCallback);
3608
3609 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
3610 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_OFF);
3611
3612 // Initialize ticket_key with the current key and check that it was
3613 // initialized to something, not all zeros.
3614 uint8_t ticket_key[kTicketKeyLen] = {0};
3615 TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
3616 true /* changed */));
3617
3618 // Verify ticket resumption actually works.
3619 bssl::UniquePtr<SSL> client, server;
3620 bssl::UniquePtr<SSL_SESSION> session =
3621 CreateClientSession(client_ctx_.get(), server_ctx_.get());
3622 ASSERT_TRUE(session);
3623 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3624 session.get(), true /* reused */));
3625
3626 // Advance time to just before key rotation.
3627 g_current_time.tv_sec += SSL_DEFAULT_TICKET_KEY_ROTATION_INTERVAL - 1;
3628 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3629 session.get(), true /* reused */));
3630 TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
3631 false /* NOT changed */));
3632
3633 // Force key rotation.
3634 g_current_time.tv_sec += 1;
3635 bssl::UniquePtr<SSL_SESSION> new_session =
3636 CreateClientSession(client_ctx_.get(), server_ctx_.get());
3637 TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
3638 true /* changed */));
3639
3640 // Resumption with both old and new ticket should work.
3641 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3642 session.get(), true /* reused */));
3643 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3644 new_session.get(), true /* reused */));
3645 TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
3646 false /* NOT changed */));
3647
3648 // Force key rotation again. Resumption with the old ticket now fails.
3649 g_current_time.tv_sec += SSL_DEFAULT_TICKET_KEY_ROTATION_INTERVAL;
3650 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3651 session.get(), false /* NOT reused */));
3652 TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
3653 true /* changed */));
3654
3655 // But resumption with the newer session still works.
3656 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3657 new_session.get(), true /* reused */));
3658 }
3659
SwitchContext(SSL * ssl,int * out_alert,void * arg)3660 static int SwitchContext(SSL *ssl, int *out_alert, void *arg) {
3661 SSL_CTX *ctx = reinterpret_cast<SSL_CTX *>(arg);
3662 SSL_set_SSL_CTX(ssl, ctx);
3663 return SSL_TLSEXT_ERR_OK;
3664 }
3665
TEST_P(SSLVersionTest,SNICallback)3666 TEST_P(SSLVersionTest, SNICallback) {
3667 bssl::UniquePtr<X509> cert2 = GetECDSATestCertificate();
3668 ASSERT_TRUE(cert2);
3669 bssl::UniquePtr<EVP_PKEY> key2 = GetECDSATestKey();
3670 ASSERT_TRUE(key2);
3671
3672 // Test that switching the |SSL_CTX| at the SNI callback behaves correctly.
3673 static const uint16_t kECDSAWithSHA256 = SSL_SIGN_ECDSA_SECP256R1_SHA256;
3674
3675 static const uint8_t kSCTList[] = {0, 6, 0, 4, 5, 6, 7, 8};
3676 static const uint8_t kOCSPResponse[] = {1, 2, 3, 4};
3677
3678 bssl::UniquePtr<SSL_CTX> server_ctx2 = CreateContext();
3679 ASSERT_TRUE(server_ctx2);
3680 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx2.get(), cert2.get()));
3681 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx2.get(), key2.get()));
3682 ASSERT_TRUE(SSL_CTX_set_signed_cert_timestamp_list(
3683 server_ctx2.get(), kSCTList, sizeof(kSCTList)));
3684 ASSERT_TRUE(SSL_CTX_set_ocsp_response(server_ctx2.get(), kOCSPResponse,
3685 sizeof(kOCSPResponse)));
3686 // Historically signing preferences would be lost in some cases with the
3687 // SNI callback, which triggers the TLS 1.2 SHA-1 default. To ensure
3688 // this doesn't happen when |version| is TLS 1.2, configure the private
3689 // key to only sign SHA-256.
3690 ASSERT_TRUE(SSL_CTX_set_signing_algorithm_prefs(server_ctx2.get(),
3691 &kECDSAWithSHA256, 1));
3692
3693 SSL_CTX_set_tlsext_servername_callback(server_ctx_.get(), SwitchContext);
3694 SSL_CTX_set_tlsext_servername_arg(server_ctx_.get(), server_ctx2.get());
3695
3696 SSL_CTX_enable_signed_cert_timestamps(client_ctx_.get());
3697 SSL_CTX_enable_ocsp_stapling(client_ctx_.get());
3698
3699 ASSERT_TRUE(Connect());
3700
3701 // The client should have received |cert2|.
3702 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(client_.get()));
3703 ASSERT_TRUE(peer);
3704 EXPECT_EQ(X509_cmp(peer.get(), cert2.get()), 0);
3705
3706 // The client should have received |server_ctx2|'s SCT list.
3707 const uint8_t *data;
3708 size_t len;
3709 SSL_get0_signed_cert_timestamp_list(client_.get(), &data, &len);
3710 EXPECT_EQ(Bytes(kSCTList), Bytes(data, len));
3711
3712 // The client should have received |server_ctx2|'s OCSP response.
3713 SSL_get0_ocsp_response(client_.get(), &data, &len);
3714 EXPECT_EQ(Bytes(kOCSPResponse), Bytes(data, len));
3715 }
3716
3717 // Test that the early callback can swap the maximum version.
TEST(SSLTest,EarlyCallbackVersionSwitch)3718 TEST(SSLTest, EarlyCallbackVersionSwitch) {
3719 bssl::UniquePtr<SSL_CTX> server_ctx =
3720 CreateContextWithTestCertificate(TLS_method());
3721 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
3722 ASSERT_TRUE(server_ctx);
3723 ASSERT_TRUE(client_ctx);
3724 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION));
3725 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
3726
3727 SSL_CTX_set_select_certificate_cb(
3728 server_ctx.get(),
3729 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
3730 if (!SSL_set_max_proto_version(client_hello->ssl, TLS1_2_VERSION)) {
3731 return ssl_select_cert_error;
3732 }
3733
3734 return ssl_select_cert_success;
3735 });
3736
3737 bssl::UniquePtr<SSL> client, server;
3738 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
3739 server_ctx.get()));
3740 EXPECT_EQ(TLS1_2_VERSION, SSL_version(client.get()));
3741 }
3742
TEST(SSLTest,SetVersion)3743 TEST(SSLTest, SetVersion) {
3744 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
3745 ASSERT_TRUE(ctx);
3746
3747 // Set valid TLS versions.
3748 for (const auto &vers : kAllVersions) {
3749 SCOPED_TRACE(vers.name);
3750 if (vers.ssl_method == VersionParam::is_tls) {
3751 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), vers.version));
3752 EXPECT_EQ(SSL_CTX_get_max_proto_version(ctx.get()), vers.version);
3753 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), vers.version));
3754 EXPECT_EQ(SSL_CTX_get_min_proto_version(ctx.get()), vers.version);
3755 }
3756 }
3757
3758 // Invalid TLS versions are rejected.
3759 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), DTLS1_VERSION));
3760 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0x0200));
3761 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0x1234));
3762 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), DTLS1_VERSION));
3763 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x0200));
3764 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x1234));
3765
3766 // Zero is the default version.
3767 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), 0));
3768 EXPECT_EQ(TLS1_3_VERSION, SSL_CTX_get_max_proto_version(ctx.get()));
3769 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), 0));
3770 EXPECT_EQ(TLS1_VERSION, SSL_CTX_get_min_proto_version(ctx.get()));
3771
3772 // SSL 3.0 is not available.
3773 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), SSL3_VERSION));
3774
3775 ctx.reset(SSL_CTX_new(DTLS_method()));
3776 ASSERT_TRUE(ctx);
3777
3778 // Set valid DTLS versions.
3779 for (const auto &vers : kAllVersions) {
3780 SCOPED_TRACE(vers.name);
3781 if (vers.ssl_method == VersionParam::is_dtls) {
3782 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), vers.version));
3783 EXPECT_EQ(SSL_CTX_get_max_proto_version(ctx.get()), vers.version);
3784 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), vers.version));
3785 EXPECT_EQ(SSL_CTX_get_min_proto_version(ctx.get()), vers.version);
3786 }
3787 }
3788
3789 // Invalid DTLS versions are rejected.
3790 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_VERSION));
3791 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0xfefe /* DTLS 1.1 */));
3792 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0xfffe /* DTLS 0.1 */));
3793 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0x1234));
3794 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_VERSION));
3795 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0xfefe /* DTLS 1.1 */));
3796 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0xfffe /* DTLS 0.1 */));
3797 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x1234));
3798
3799 // Zero is the default version.
3800 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), 0));
3801 EXPECT_EQ(DTLS1_2_VERSION, SSL_CTX_get_max_proto_version(ctx.get()));
3802 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), 0));
3803 EXPECT_EQ(DTLS1_VERSION, SSL_CTX_get_min_proto_version(ctx.get()));
3804 }
3805
GetVersionName(uint16_t version)3806 static const char *GetVersionName(uint16_t version) {
3807 switch (version) {
3808 case TLS1_VERSION:
3809 return "TLSv1";
3810 case TLS1_1_VERSION:
3811 return "TLSv1.1";
3812 case TLS1_2_VERSION:
3813 return "TLSv1.2";
3814 case TLS1_3_VERSION:
3815 return "TLSv1.3";
3816 case DTLS1_VERSION:
3817 return "DTLSv1";
3818 case DTLS1_2_VERSION:
3819 return "DTLSv1.2";
3820 default:
3821 return "???";
3822 }
3823 }
3824
TEST_P(SSLVersionTest,Version)3825 TEST_P(SSLVersionTest, Version) {
3826 ASSERT_TRUE(Connect());
3827
3828 EXPECT_EQ(SSL_version(client_.get()), version());
3829 EXPECT_EQ(SSL_version(server_.get()), version());
3830
3831 // Test the version name is reported as expected.
3832 const char *version_name = GetVersionName(version());
3833 EXPECT_EQ(strcmp(version_name, SSL_get_version(client_.get())), 0);
3834 EXPECT_EQ(strcmp(version_name, SSL_get_version(server_.get())), 0);
3835
3836 // Test SSL_SESSION reports the same name.
3837 const char *client_name =
3838 SSL_SESSION_get_version(SSL_get_session(client_.get()));
3839 const char *server_name =
3840 SSL_SESSION_get_version(SSL_get_session(server_.get()));
3841 EXPECT_EQ(strcmp(version_name, client_name), 0);
3842 EXPECT_EQ(strcmp(version_name, server_name), 0);
3843 }
3844
3845 // Tests that that |SSL_get_pending_cipher| is available during the ALPN
3846 // selection callback.
TEST_P(SSLVersionTest,ALPNCipherAvailable)3847 TEST_P(SSLVersionTest, ALPNCipherAvailable) {
3848 ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
3849
3850 static const uint8_t kALPNProtos[] = {0x03, 'f', 'o', 'o'};
3851 ASSERT_EQ(SSL_CTX_set_alpn_protos(client_ctx_.get(), kALPNProtos,
3852 sizeof(kALPNProtos)),
3853 0);
3854
3855 // The ALPN callback does not fail the handshake on error, so have the
3856 // callback write a boolean.
3857 std::pair<uint16_t, bool> callback_state(version(), false);
3858 SSL_CTX_set_alpn_select_cb(
3859 server_ctx_.get(),
3860 [](SSL *ssl, const uint8_t **out, uint8_t *out_len, const uint8_t *in,
3861 unsigned in_len, void *arg) -> int {
3862 auto state = reinterpret_cast<std::pair<uint16_t, bool> *>(arg);
3863 if (SSL_get_pending_cipher(ssl) != nullptr &&
3864 SSL_version(ssl) == state->first) {
3865 state->second = true;
3866 }
3867 return SSL_TLSEXT_ERR_NOACK;
3868 },
3869 &callback_state);
3870
3871 ASSERT_TRUE(Connect());
3872
3873 ASSERT_TRUE(callback_state.second);
3874 }
3875
TEST_P(SSLVersionTest,SSLClearSessionResumption)3876 TEST_P(SSLVersionTest, SSLClearSessionResumption) {
3877 // Skip this for TLS 1.3. TLS 1.3's ticket mechanism is incompatible with this
3878 // API pattern.
3879 if (version() == TLS1_3_VERSION) {
3880 return;
3881 }
3882
3883 shed_handshake_config_ = false;
3884 ASSERT_TRUE(Connect());
3885
3886 EXPECT_FALSE(SSL_session_reused(client_.get()));
3887 EXPECT_FALSE(SSL_session_reused(server_.get()));
3888
3889 // Reset everything.
3890 ASSERT_TRUE(SSL_clear(client_.get()));
3891 ASSERT_TRUE(SSL_clear(server_.get()));
3892
3893 // Attempt to connect a second time.
3894 ASSERT_TRUE(CompleteHandshakes(client_.get(), server_.get()));
3895
3896 // |SSL_clear| should implicitly offer the previous session to the server.
3897 EXPECT_TRUE(SSL_session_reused(client_.get()));
3898 EXPECT_TRUE(SSL_session_reused(server_.get()));
3899 }
3900
TEST_P(SSLVersionTest,SSLClearFailsWithShedding)3901 TEST_P(SSLVersionTest, SSLClearFailsWithShedding) {
3902 shed_handshake_config_ = false;
3903 ASSERT_TRUE(Connect());
3904 ASSERT_TRUE(CompleteHandshakes(client_.get(), server_.get()));
3905
3906 // Reset everything.
3907 ASSERT_TRUE(SSL_clear(client_.get()));
3908 ASSERT_TRUE(SSL_clear(server_.get()));
3909
3910 // Now enable shedding, and connect a second time.
3911 shed_handshake_config_ = true;
3912 ASSERT_TRUE(Connect());
3913 ASSERT_TRUE(CompleteHandshakes(client_.get(), server_.get()));
3914
3915 // |SSL_clear| should now fail.
3916 ASSERT_FALSE(SSL_clear(client_.get()));
3917 ASSERT_FALSE(SSL_clear(server_.get()));
3918 }
3919
ChainsEqual(STACK_OF (X509)* chain,const std::vector<X509 * > & expected)3920 static bool ChainsEqual(STACK_OF(X509) * chain,
3921 const std::vector<X509 *> &expected) {
3922 if (sk_X509_num(chain) != expected.size()) {
3923 return false;
3924 }
3925
3926 for (size_t i = 0; i < expected.size(); i++) {
3927 if (X509_cmp(sk_X509_value(chain, i), expected[i]) != 0) {
3928 return false;
3929 }
3930 }
3931
3932 return true;
3933 }
3934
TEST_P(SSLVersionTest,AutoChain)3935 TEST_P(SSLVersionTest, AutoChain) {
3936 cert_ = GetChainTestCertificate();
3937 ASSERT_TRUE(cert_);
3938 key_ = GetChainTestKey();
3939 ASSERT_TRUE(key_);
3940 bssl::UniquePtr<X509> intermediate = GetChainTestIntermediate();
3941 ASSERT_TRUE(intermediate);
3942
3943 ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
3944 ASSERT_TRUE(UseCertAndKey(server_ctx_.get()));
3945
3946 // Configure both client and server to accept any certificate. Add
3947 // |intermediate| to the cert store.
3948 ASSERT_TRUE(X509_STORE_add_cert(SSL_CTX_get_cert_store(client_ctx_.get()),
3949 intermediate.get()));
3950 ASSERT_TRUE(X509_STORE_add_cert(SSL_CTX_get_cert_store(server_ctx_.get()),
3951 intermediate.get()));
3952 SSL_CTX_set_verify(client_ctx_.get(),
3953 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
3954 nullptr);
3955 SSL_CTX_set_verify(server_ctx_.get(),
3956 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
3957 nullptr);
3958 SSL_CTX_set_cert_verify_callback(client_ctx_.get(), VerifySucceed, NULL);
3959 SSL_CTX_set_cert_verify_callback(server_ctx_.get(), VerifySucceed, NULL);
3960
3961 // By default, the client and server should each only send the leaf.
3962 ASSERT_TRUE(Connect());
3963
3964 EXPECT_TRUE(
3965 ChainsEqual(SSL_get_peer_full_cert_chain(client_.get()), {cert_.get()}));
3966 EXPECT_TRUE(
3967 ChainsEqual(SSL_get_peer_full_cert_chain(server_.get()), {cert_.get()}));
3968
3969 // If auto-chaining is enabled, then the intermediate is sent.
3970 SSL_CTX_clear_mode(client_ctx_.get(), SSL_MODE_NO_AUTO_CHAIN);
3971 SSL_CTX_clear_mode(server_ctx_.get(), SSL_MODE_NO_AUTO_CHAIN);
3972 ASSERT_TRUE(Connect());
3973
3974 EXPECT_TRUE(ChainsEqual(SSL_get_peer_full_cert_chain(client_.get()),
3975 {cert_.get(), intermediate.get()}));
3976 EXPECT_TRUE(ChainsEqual(SSL_get_peer_full_cert_chain(server_.get()),
3977 {cert_.get(), intermediate.get()}));
3978
3979 // Auto-chaining does not override explicitly-configured intermediates.
3980 ASSERT_TRUE(SSL_CTX_add1_chain_cert(client_ctx_.get(), cert_.get()));
3981 ASSERT_TRUE(SSL_CTX_add1_chain_cert(server_ctx_.get(), cert_.get()));
3982 ASSERT_TRUE(Connect());
3983
3984 EXPECT_TRUE(ChainsEqual(SSL_get_peer_full_cert_chain(client_.get()),
3985 {cert_.get(), cert_.get()}));
3986
3987 EXPECT_TRUE(ChainsEqual(SSL_get_peer_full_cert_chain(server_.get()),
3988 {cert_.get(), cert_.get()}));
3989 }
3990
ExpectSingleError(int lib,int reason)3991 static bool ExpectSingleError(int lib, int reason) {
3992 const char *expected = ERR_reason_error_string(ERR_PACK(lib, reason));
3993 int err = ERR_get_error();
3994 if (ERR_GET_LIB(err) != lib || ERR_GET_REASON(err) != reason) {
3995 char buf[ERR_ERROR_STRING_BUF_LEN];
3996 ERR_error_string_n(err, buf, sizeof(buf));
3997 fprintf(stderr, "Wanted %s, got: %s.\n", expected, buf);
3998 return false;
3999 }
4000
4001 if (ERR_peek_error() != 0) {
4002 fprintf(stderr, "Unexpected error following %s.\n", expected);
4003 return false;
4004 }
4005
4006 return true;
4007 }
4008
TEST_P(SSLVersionTest,SSLWriteRetry)4009 TEST_P(SSLVersionTest, SSLWriteRetry) {
4010 if (is_dtls()) {
4011 return;
4012 }
4013
4014 for (bool enable_partial_write : {false, true}) {
4015 SCOPED_TRACE(enable_partial_write);
4016
4017 // Connect a client and server.
4018 ASSERT_TRUE(Connect());
4019
4020 if (enable_partial_write) {
4021 SSL_set_mode(client_.get(), SSL_MODE_ENABLE_PARTIAL_WRITE);
4022 }
4023
4024 // Write without reading until the buffer is full and we have an unfinished
4025 // write. Keep a count so we may reread it again later. "hello!" will be
4026 // written in two chunks, "hello" and "!".
4027 char data[] = "hello!";
4028 static const int kChunkLen = 5; // The length of "hello".
4029 unsigned count = 0;
4030 for (;;) {
4031 int ret = SSL_write(client_.get(), data, kChunkLen);
4032 if (ret <= 0) {
4033 ASSERT_EQ(SSL_get_error(client_.get(), ret), SSL_ERROR_WANT_WRITE);
4034 break;
4035 }
4036 ASSERT_EQ(ret, 5);
4037 count++;
4038 }
4039
4040 // Retrying with the same parameters is legal.
4041 ASSERT_EQ(
4042 SSL_get_error(client_.get(), SSL_write(client_.get(), data, kChunkLen)),
4043 SSL_ERROR_WANT_WRITE);
4044
4045 // Retrying with the same buffer but shorter length is not legal.
4046 ASSERT_EQ(SSL_get_error(client_.get(),
4047 SSL_write(client_.get(), data, kChunkLen - 1)),
4048 SSL_ERROR_SSL);
4049 ASSERT_TRUE(ExpectSingleError(ERR_LIB_SSL, SSL_R_BAD_WRITE_RETRY));
4050
4051 // Retrying with a different buffer pointer is not legal.
4052 char data2[] = "hello";
4053 ASSERT_EQ(SSL_get_error(client_.get(),
4054 SSL_write(client_.get(), data2, kChunkLen)),
4055 SSL_ERROR_SSL);
4056 ASSERT_TRUE(ExpectSingleError(ERR_LIB_SSL, SSL_R_BAD_WRITE_RETRY));
4057
4058 // With |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER|, the buffer may move.
4059 SSL_set_mode(client_.get(), SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
4060 ASSERT_EQ(SSL_get_error(client_.get(),
4061 SSL_write(client_.get(), data2, kChunkLen)),
4062 SSL_ERROR_WANT_WRITE);
4063
4064 // |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER| does not disable length checks.
4065 ASSERT_EQ(SSL_get_error(client_.get(),
4066 SSL_write(client_.get(), data2, kChunkLen - 1)),
4067 SSL_ERROR_SSL);
4068 ASSERT_TRUE(ExpectSingleError(ERR_LIB_SSL, SSL_R_BAD_WRITE_RETRY));
4069
4070 // Retrying with a larger buffer is legal.
4071 ASSERT_EQ(SSL_get_error(client_.get(),
4072 SSL_write(client_.get(), data, kChunkLen + 1)),
4073 SSL_ERROR_WANT_WRITE);
4074
4075 // Drain the buffer.
4076 char buf[20];
4077 for (unsigned i = 0; i < count; i++) {
4078 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen);
4079 ASSERT_EQ(OPENSSL_memcmp(buf, "hello", kChunkLen), 0);
4080 }
4081
4082 // Now that there is space, a retry with a larger buffer should flush the
4083 // pending record, skip over that many bytes of input (on assumption they
4084 // are the same), and write the remainder. If SSL_MODE_ENABLE_PARTIAL_WRITE
4085 // is set, this will complete in two steps.
4086 char data_longer[] = "_____!!!!!";
4087 if (enable_partial_write) {
4088 ASSERT_EQ(SSL_write(client_.get(), data_longer, 2 * kChunkLen),
4089 kChunkLen);
4090 ASSERT_EQ(SSL_write(client_.get(), data_longer + kChunkLen, kChunkLen),
4091 kChunkLen);
4092 } else {
4093 ASSERT_EQ(SSL_write(client_.get(), data_longer, 2 * kChunkLen),
4094 2 * kChunkLen);
4095 }
4096
4097 // Check the last write was correct. The data will be spread over two
4098 // records, so SSL_read returns twice.
4099 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen);
4100 ASSERT_EQ(OPENSSL_memcmp(buf, "hello", kChunkLen), 0);
4101 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen);
4102 ASSERT_EQ(OPENSSL_memcmp(buf, "!!!!!", kChunkLen), 0);
4103
4104 // Fill the transport buffer again. This time only leave room for one
4105 // record.
4106 count = 0;
4107 for (;;) {
4108 int ret = SSL_write(client_.get(), data, kChunkLen);
4109 if (ret <= 0) {
4110 ASSERT_EQ(SSL_get_error(client_.get(), ret), SSL_ERROR_WANT_WRITE);
4111 break;
4112 }
4113 ASSERT_EQ(ret, 5);
4114 count++;
4115 }
4116 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen);
4117 ASSERT_EQ(OPENSSL_memcmp(buf, "hello", kChunkLen), 0);
4118 count--;
4119
4120 // Retry the last write, with a longer input. The first half is the most
4121 // recently failed write, from filling the buffer. |SSL_write| should write
4122 // that to the transport, and then attempt to write the second half.
4123 int ret = SSL_write(client_.get(), data_longer, 2 * kChunkLen);
4124 if (enable_partial_write) {
4125 // If partial writes are allowed, the write will succeed partially.
4126 ASSERT_EQ(ret, kChunkLen);
4127
4128 // Check the first half and make room for another record.
4129 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen);
4130 ASSERT_EQ(OPENSSL_memcmp(buf, "hello", kChunkLen), 0);
4131 count--;
4132
4133 // Finish writing the input.
4134 ASSERT_EQ(SSL_write(client_.get(), data_longer + kChunkLen, kChunkLen),
4135 kChunkLen);
4136 } else {
4137 // Otherwise, although the first half made it to the transport, the second
4138 // half is blocked.
4139 ASSERT_EQ(ret, -1);
4140 ASSERT_EQ(SSL_get_error(client_.get(), -1), SSL_ERROR_WANT_WRITE);
4141
4142 // Check the first half and make room for another record.
4143 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen);
4144 ASSERT_EQ(OPENSSL_memcmp(buf, "hello", kChunkLen), 0);
4145 count--;
4146
4147 // Retrying with fewer bytes than previously attempted is an error. If the
4148 // input length is less than the number of bytes successfully written, the
4149 // check happens at a different point, with a different error.
4150 //
4151 // TODO(davidben): Should these cases use the same error?
4152 ASSERT_EQ(
4153 SSL_get_error(client_.get(),
4154 SSL_write(client_.get(), data_longer, kChunkLen - 1)),
4155 SSL_ERROR_SSL);
4156 ASSERT_TRUE(ExpectSingleError(ERR_LIB_SSL, SSL_R_BAD_LENGTH));
4157
4158 // Complete the write with the correct retry.
4159 ASSERT_EQ(SSL_write(client_.get(), data_longer, 2 * kChunkLen),
4160 2 * kChunkLen);
4161 }
4162
4163 // Drain the input and ensure everything was written correctly.
4164 for (unsigned i = 0; i < count; i++) {
4165 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen);
4166 ASSERT_EQ(OPENSSL_memcmp(buf, "hello", kChunkLen), 0);
4167 }
4168
4169 // The final write is spread over two records.
4170 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen);
4171 ASSERT_EQ(OPENSSL_memcmp(buf, "hello", kChunkLen), 0);
4172 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen);
4173 ASSERT_EQ(OPENSSL_memcmp(buf, "!!!!!", kChunkLen), 0);
4174 }
4175 }
4176
TEST_P(SSLVersionTest,RecordCallback)4177 TEST_P(SSLVersionTest, RecordCallback) {
4178 for (bool test_server : {true, false}) {
4179 SCOPED_TRACE(test_server);
4180 ASSERT_NO_FATAL_FAILURE(ResetContexts());
4181
4182 bool read_seen = false;
4183 bool write_seen = false;
4184 auto cb = [&](int is_write, int cb_version, int cb_type, const void *buf,
4185 size_t len, SSL *ssl) {
4186 if (cb_type != SSL3_RT_HEADER) {
4187 return;
4188 }
4189
4190 // The callback does not report a version for records.
4191 EXPECT_EQ(0, cb_version);
4192
4193 if (is_write) {
4194 write_seen = true;
4195 } else {
4196 read_seen = true;
4197 }
4198
4199 // Sanity-check that the record header is plausible.
4200 CBS cbs;
4201 CBS_init(&cbs, reinterpret_cast<const uint8_t *>(buf), len);
4202 uint8_t type;
4203 uint16_t record_version, length;
4204 ASSERT_TRUE(CBS_get_u8(&cbs, &type));
4205 ASSERT_TRUE(CBS_get_u16(&cbs, &record_version));
4206 EXPECT_EQ(record_version & 0xff00, version() & 0xff00);
4207 if (is_dtls()) {
4208 uint16_t epoch;
4209 ASSERT_TRUE(CBS_get_u16(&cbs, &epoch));
4210 EXPECT_TRUE(epoch == 0 || epoch == 1) << "Invalid epoch: " << epoch;
4211 ASSERT_TRUE(CBS_skip(&cbs, 6));
4212 }
4213 ASSERT_TRUE(CBS_get_u16(&cbs, &length));
4214 EXPECT_EQ(0u, CBS_len(&cbs));
4215 };
4216 using CallbackType = decltype(cb);
4217 SSL_CTX *ctx = test_server ? server_ctx_.get() : client_ctx_.get();
4218 SSL_CTX_set_msg_callback(
4219 ctx, [](int is_write, int cb_version, int cb_type, const void *buf,
4220 size_t len, SSL *ssl, void *arg) {
4221 CallbackType *cb_ptr = reinterpret_cast<CallbackType *>(arg);
4222 (*cb_ptr)(is_write, cb_version, cb_type, buf, len, ssl);
4223 });
4224 SSL_CTX_set_msg_callback_arg(ctx, &cb);
4225
4226 ASSERT_TRUE(Connect());
4227
4228 EXPECT_TRUE(read_seen);
4229 EXPECT_TRUE(write_seen);
4230 }
4231 }
4232
TEST_P(SSLVersionTest,GetServerName)4233 TEST_P(SSLVersionTest, GetServerName) {
4234 ClientConfig config;
4235 config.servername = "host1";
4236
4237 SSL_CTX_set_tlsext_servername_callback(
4238 server_ctx_.get(), [](SSL *ssl, int *out_alert, void *arg) -> int {
4239 // During the handshake, |SSL_get_servername| must match |config|.
4240 ClientConfig *config_p = reinterpret_cast<ClientConfig *>(arg);
4241 EXPECT_STREQ(config_p->servername.c_str(),
4242 SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name));
4243 return SSL_TLSEXT_ERR_OK;
4244 });
4245 SSL_CTX_set_tlsext_servername_arg(server_ctx_.get(), &config);
4246
4247 ASSERT_TRUE(Connect(config));
4248 // After the handshake, it must also be available.
4249 EXPECT_STREQ(config.servername.c_str(),
4250 SSL_get_servername(server_.get(), TLSEXT_NAMETYPE_host_name));
4251
4252 // Establish a session under host1.
4253 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
4254 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
4255 bssl::UniquePtr<SSL_SESSION> session =
4256 CreateClientSession(client_ctx_.get(), server_ctx_.get(), config);
4257
4258 // If the client resumes a session with a different name, |SSL_get_servername|
4259 // must return the new name.
4260 ASSERT_TRUE(session);
4261 config.session = session.get();
4262 config.servername = "host2";
4263 ASSERT_TRUE(Connect(config));
4264 EXPECT_STREQ(config.servername.c_str(),
4265 SSL_get_servername(server_.get(), TLSEXT_NAMETYPE_host_name));
4266 }
4267
4268 // Test that session cache mode bits are honored in the client session callback.
TEST_P(SSLVersionTest,ClientSessionCacheMode)4269 TEST_P(SSLVersionTest, ClientSessionCacheMode) {
4270 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_OFF);
4271 EXPECT_FALSE(CreateClientSession(client_ctx_.get(), server_ctx_.get()));
4272
4273 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_CLIENT);
4274 EXPECT_TRUE(CreateClientSession(client_ctx_.get(), server_ctx_.get()));
4275
4276 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_SERVER);
4277 EXPECT_FALSE(CreateClientSession(client_ctx_.get(), server_ctx_.get()));
4278 }
4279
4280 // Test that all versions survive tiny write buffers. In particular, TLS 1.3
4281 // NewSessionTickets are written post-handshake. Servers that block
4282 // |SSL_do_handshake| on writing them will deadlock if clients are not draining
4283 // the buffer. Test that we do not do this.
TEST_P(SSLVersionTest,SmallBuffer)4284 TEST_P(SSLVersionTest, SmallBuffer) {
4285 // DTLS is a datagram protocol and requires packet-sized buffers.
4286 if (is_dtls()) {
4287 return;
4288 }
4289
4290 // Test both flushing NewSessionTickets with a zero-sized write and
4291 // non-zero-sized write.
4292 for (bool use_zero_write : {false, true}) {
4293 SCOPED_TRACE(use_zero_write);
4294
4295 g_last_session = nullptr;
4296 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
4297 SSL_CTX_sess_set_new_cb(client_ctx_.get(), SaveLastSession);
4298
4299 bssl::UniquePtr<SSL> client(SSL_new(client_ctx_.get())),
4300 server(SSL_new(server_ctx_.get()));
4301 ASSERT_TRUE(client);
4302 ASSERT_TRUE(server);
4303 SSL_set_connect_state(client.get());
4304 SSL_set_accept_state(server.get());
4305
4306 // Use a tiny buffer.
4307 BIO *bio1, *bio2;
4308 ASSERT_TRUE(BIO_new_bio_pair(&bio1, 1, &bio2, 1));
4309
4310 // SSL_set_bio takes ownership.
4311 SSL_set_bio(client.get(), bio1, bio1);
4312 SSL_set_bio(server.get(), bio2, bio2);
4313
4314 ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
4315 if (version() >= TLS1_3_VERSION) {
4316 // The post-handshake ticket should not have been processed yet.
4317 EXPECT_FALSE(g_last_session);
4318 }
4319
4320 if (use_zero_write) {
4321 ASSERT_TRUE(FlushNewSessionTickets(client.get(), server.get()));
4322 EXPECT_TRUE(g_last_session);
4323 }
4324
4325 // Send some data from server to client. If |use_zero_write| is false, this
4326 // will also flush the NewSessionTickets.
4327 static const char kMessage[] = "hello world";
4328 char buf[sizeof(kMessage)];
4329 for (;;) {
4330 int server_ret = SSL_write(server.get(), kMessage, sizeof(kMessage));
4331 int server_err = SSL_get_error(server.get(), server_ret);
4332 int client_ret = SSL_read(client.get(), buf, sizeof(buf));
4333 int client_err = SSL_get_error(client.get(), client_ret);
4334
4335 // The server will write a single record, so every iteration should see
4336 // |SSL_ERROR_WANT_WRITE| and |SSL_ERROR_WANT_READ|, until the final
4337 // iteration, where both will complete.
4338 if (server_ret > 0) {
4339 EXPECT_EQ(server_ret, static_cast<int>(sizeof(kMessage)));
4340 EXPECT_EQ(client_ret, static_cast<int>(sizeof(kMessage)));
4341 EXPECT_EQ(Bytes(buf), Bytes(kMessage));
4342 break;
4343 }
4344
4345 ASSERT_EQ(server_ret, -1);
4346 ASSERT_EQ(server_err, SSL_ERROR_WANT_WRITE);
4347 ASSERT_EQ(client_ret, -1);
4348 ASSERT_EQ(client_err, SSL_ERROR_WANT_READ);
4349 }
4350
4351 // The NewSessionTickets should have been flushed and processed.
4352 EXPECT_TRUE(g_last_session);
4353 }
4354 }
4355
TEST(SSLTest,AddChainCertHack)4356 TEST(SSLTest, AddChainCertHack) {
4357 // Ensure that we don't accidently break the hack that we have in place to
4358 // keep curl and serf happy when they use an |X509| even after transfering
4359 // ownership.
4360
4361 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
4362 ASSERT_TRUE(ctx);
4363 X509 *cert = GetTestCertificate().release();
4364 ASSERT_TRUE(cert);
4365 SSL_CTX_add0_chain_cert(ctx.get(), cert);
4366
4367 // This should not trigger a use-after-free.
4368 X509_cmp(cert, cert);
4369 }
4370
TEST(SSLTest,GetCertificate)4371 TEST(SSLTest, GetCertificate) {
4372 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
4373 ASSERT_TRUE(ctx);
4374 bssl::UniquePtr<X509> cert = GetTestCertificate();
4375 ASSERT_TRUE(cert);
4376 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), cert.get()));
4377 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
4378 ASSERT_TRUE(ssl);
4379
4380 X509 *cert2 = SSL_CTX_get0_certificate(ctx.get());
4381 ASSERT_TRUE(cert2);
4382 X509 *cert3 = SSL_get_certificate(ssl.get());
4383 ASSERT_TRUE(cert3);
4384
4385 // The old and new certificates must be identical.
4386 EXPECT_EQ(0, X509_cmp(cert.get(), cert2));
4387 EXPECT_EQ(0, X509_cmp(cert.get(), cert3));
4388
4389 uint8_t *der = nullptr;
4390 long der_len = i2d_X509(cert.get(), &der);
4391 ASSERT_LT(0, der_len);
4392 bssl::UniquePtr<uint8_t> free_der(der);
4393
4394 uint8_t *der2 = nullptr;
4395 long der2_len = i2d_X509(cert2, &der2);
4396 ASSERT_LT(0, der2_len);
4397 bssl::UniquePtr<uint8_t> free_der2(der2);
4398
4399 uint8_t *der3 = nullptr;
4400 long der3_len = i2d_X509(cert3, &der3);
4401 ASSERT_LT(0, der3_len);
4402 bssl::UniquePtr<uint8_t> free_der3(der3);
4403
4404 // They must also encode identically.
4405 EXPECT_EQ(Bytes(der, der_len), Bytes(der2, der2_len));
4406 EXPECT_EQ(Bytes(der, der_len), Bytes(der3, der3_len));
4407 }
4408
TEST(SSLTest,SetChainAndKeyMismatch)4409 TEST(SSLTest, SetChainAndKeyMismatch) {
4410 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_with_buffers_method()));
4411 ASSERT_TRUE(ctx);
4412
4413 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
4414 ASSERT_TRUE(key);
4415 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
4416 ASSERT_TRUE(leaf);
4417 std::vector<CRYPTO_BUFFER*> chain = {
4418 leaf.get(),
4419 };
4420
4421 // Should fail because |GetTestKey| doesn't match the chain-test certificate.
4422 ASSERT_FALSE(SSL_CTX_set_chain_and_key(ctx.get(), &chain[0], chain.size(),
4423 key.get(), nullptr));
4424 ERR_clear_error();
4425 }
4426
TEST(SSLTest,SetChainAndKey)4427 TEST(SSLTest, SetChainAndKey) {
4428 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method()));
4429 ASSERT_TRUE(client_ctx);
4430 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_with_buffers_method()));
4431 ASSERT_TRUE(server_ctx);
4432
4433 ASSERT_EQ(nullptr, SSL_CTX_get0_chain(server_ctx.get()));
4434
4435 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
4436 ASSERT_TRUE(key);
4437 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
4438 ASSERT_TRUE(leaf);
4439 bssl::UniquePtr<CRYPTO_BUFFER> intermediate =
4440 GetChainTestIntermediateBuffer();
4441 ASSERT_TRUE(intermediate);
4442 std::vector<CRYPTO_BUFFER*> chain = {
4443 leaf.get(), intermediate.get(),
4444 };
4445 ASSERT_TRUE(SSL_CTX_set_chain_and_key(server_ctx.get(), &chain[0],
4446 chain.size(), key.get(), nullptr));
4447
4448 ASSERT_EQ(chain.size(),
4449 sk_CRYPTO_BUFFER_num(SSL_CTX_get0_chain(server_ctx.get())));
4450
4451 SSL_CTX_set_custom_verify(
4452 client_ctx.get(), SSL_VERIFY_PEER,
4453 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
4454 return ssl_verify_ok;
4455 });
4456
4457 bssl::UniquePtr<SSL> client, server;
4458 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
4459 server_ctx.get()));
4460 }
4461
TEST(SSLTest,BuffersFailWithoutCustomVerify)4462 TEST(SSLTest, BuffersFailWithoutCustomVerify) {
4463 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method()));
4464 ASSERT_TRUE(client_ctx);
4465 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_with_buffers_method()));
4466 ASSERT_TRUE(server_ctx);
4467
4468 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
4469 ASSERT_TRUE(key);
4470 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
4471 ASSERT_TRUE(leaf);
4472 std::vector<CRYPTO_BUFFER*> chain = { leaf.get() };
4473 ASSERT_TRUE(SSL_CTX_set_chain_and_key(server_ctx.get(), &chain[0],
4474 chain.size(), key.get(), nullptr));
4475
4476 // Without SSL_CTX_set_custom_verify(), i.e. with everything in the default
4477 // configuration, certificate verification should fail.
4478 bssl::UniquePtr<SSL> client, server;
4479 ASSERT_FALSE(ConnectClientAndServer(&client, &server, client_ctx.get(),
4480 server_ctx.get()));
4481
4482 // Whereas with a verifier, the connection should succeed.
4483 SSL_CTX_set_custom_verify(
4484 client_ctx.get(), SSL_VERIFY_PEER,
4485 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
4486 return ssl_verify_ok;
4487 });
4488 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
4489 server_ctx.get()));
4490 }
4491
TEST(SSLTest,CustomVerify)4492 TEST(SSLTest, CustomVerify) {
4493 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method()));
4494 ASSERT_TRUE(client_ctx);
4495 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_with_buffers_method()));
4496 ASSERT_TRUE(server_ctx);
4497
4498 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
4499 ASSERT_TRUE(key);
4500 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
4501 ASSERT_TRUE(leaf);
4502 std::vector<CRYPTO_BUFFER*> chain = { leaf.get() };
4503 ASSERT_TRUE(SSL_CTX_set_chain_and_key(server_ctx.get(), &chain[0],
4504 chain.size(), key.get(), nullptr));
4505
4506 SSL_CTX_set_custom_verify(
4507 client_ctx.get(), SSL_VERIFY_PEER,
4508 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
4509 return ssl_verify_ok;
4510 });
4511
4512 bssl::UniquePtr<SSL> client, server;
4513 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
4514 server_ctx.get()));
4515
4516 // With SSL_VERIFY_PEER, ssl_verify_invalid should result in a dropped
4517 // connection.
4518 SSL_CTX_set_custom_verify(
4519 client_ctx.get(), SSL_VERIFY_PEER,
4520 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
4521 return ssl_verify_invalid;
4522 });
4523
4524 ASSERT_FALSE(ConnectClientAndServer(&client, &server, client_ctx.get(),
4525 server_ctx.get()));
4526
4527 // But with SSL_VERIFY_NONE, ssl_verify_invalid should not cause a dropped
4528 // connection.
4529 SSL_CTX_set_custom_verify(
4530 client_ctx.get(), SSL_VERIFY_NONE,
4531 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
4532 return ssl_verify_invalid;
4533 });
4534
4535 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
4536 server_ctx.get()));
4537 }
4538
TEST(SSLTest,ClientCABuffers)4539 TEST(SSLTest, ClientCABuffers) {
4540 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method()));
4541 ASSERT_TRUE(client_ctx);
4542 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_with_buffers_method()));
4543 ASSERT_TRUE(server_ctx);
4544
4545 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
4546 ASSERT_TRUE(key);
4547 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
4548 ASSERT_TRUE(leaf);
4549 bssl::UniquePtr<CRYPTO_BUFFER> intermediate =
4550 GetChainTestIntermediateBuffer();
4551 ASSERT_TRUE(intermediate);
4552 std::vector<CRYPTO_BUFFER *> chain = {
4553 leaf.get(),
4554 intermediate.get(),
4555 };
4556 ASSERT_TRUE(SSL_CTX_set_chain_and_key(server_ctx.get(), &chain[0],
4557 chain.size(), key.get(), nullptr));
4558
4559 bssl::UniquePtr<CRYPTO_BUFFER> ca_name(
4560 CRYPTO_BUFFER_new(kTestName, sizeof(kTestName), nullptr));
4561 ASSERT_TRUE(ca_name);
4562 bssl::UniquePtr<STACK_OF(CRYPTO_BUFFER)> ca_names(
4563 sk_CRYPTO_BUFFER_new_null());
4564 ASSERT_TRUE(ca_names);
4565 ASSERT_TRUE(PushToStack(ca_names.get(), std::move(ca_name)));
4566 SSL_CTX_set0_client_CAs(server_ctx.get(), ca_names.release());
4567
4568 // Configure client and server to accept all certificates.
4569 SSL_CTX_set_custom_verify(
4570 client_ctx.get(), SSL_VERIFY_PEER,
4571 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
4572 return ssl_verify_ok;
4573 });
4574 SSL_CTX_set_custom_verify(
4575 server_ctx.get(), SSL_VERIFY_PEER,
4576 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
4577 return ssl_verify_ok;
4578 });
4579
4580 bool cert_cb_called = false;
4581 SSL_CTX_set_cert_cb(
4582 client_ctx.get(),
4583 [](SSL *ssl, void *arg) -> int {
4584 const STACK_OF(CRYPTO_BUFFER) *peer_names =
4585 SSL_get0_server_requested_CAs(ssl);
4586 EXPECT_EQ(1u, sk_CRYPTO_BUFFER_num(peer_names));
4587 CRYPTO_BUFFER *peer_name = sk_CRYPTO_BUFFER_value(peer_names, 0);
4588 EXPECT_EQ(Bytes(kTestName), Bytes(CRYPTO_BUFFER_data(peer_name),
4589 CRYPTO_BUFFER_len(peer_name)));
4590 *reinterpret_cast<bool *>(arg) = true;
4591 return 1;
4592 },
4593 &cert_cb_called);
4594
4595 bssl::UniquePtr<SSL> client, server;
4596 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
4597 server_ctx.get()));
4598 EXPECT_TRUE(cert_cb_called);
4599 }
4600
4601 // Configuring the empty cipher list, though an error, should still modify the
4602 // configuration.
TEST(SSLTest,EmptyCipherList)4603 TEST(SSLTest, EmptyCipherList) {
4604 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
4605 ASSERT_TRUE(ctx);
4606
4607 // Initially, the cipher list is not empty.
4608 EXPECT_NE(0u, sk_SSL_CIPHER_num(SSL_CTX_get_ciphers(ctx.get())));
4609
4610 // Configuring the empty cipher list fails.
4611 EXPECT_FALSE(SSL_CTX_set_cipher_list(ctx.get(), ""));
4612 ERR_clear_error();
4613
4614 // But the cipher list is still updated to empty.
4615 EXPECT_EQ(0u, sk_SSL_CIPHER_num(SSL_CTX_get_ciphers(ctx.get())));
4616 }
4617
4618 // ssl_test_ticket_aead_failure_mode enumerates the possible ways in which the
4619 // test |SSL_TICKET_AEAD_METHOD| can fail.
4620 enum ssl_test_ticket_aead_failure_mode {
4621 ssl_test_ticket_aead_ok = 0,
4622 ssl_test_ticket_aead_seal_fail,
4623 ssl_test_ticket_aead_open_soft_fail,
4624 ssl_test_ticket_aead_open_hard_fail,
4625 };
4626
4627 struct ssl_test_ticket_aead_state {
4628 unsigned retry_count;
4629 ssl_test_ticket_aead_failure_mode failure_mode;
4630 };
4631
ssl_test_ticket_aead_ex_index_dup(CRYPTO_EX_DATA * to,const CRYPTO_EX_DATA * from,void ** from_d,int index,long argl,void * argp)4632 static int ssl_test_ticket_aead_ex_index_dup(CRYPTO_EX_DATA *to,
4633 const CRYPTO_EX_DATA *from,
4634 void **from_d, int index,
4635 long argl, void *argp) {
4636 abort();
4637 }
4638
ssl_test_ticket_aead_ex_index_free(void * parent,void * ptr,CRYPTO_EX_DATA * ad,int index,long argl,void * argp)4639 static void ssl_test_ticket_aead_ex_index_free(void *parent, void *ptr,
4640 CRYPTO_EX_DATA *ad, int index,
4641 long argl, void *argp) {
4642 auto state = reinterpret_cast<ssl_test_ticket_aead_state*>(ptr);
4643 if (state == nullptr) {
4644 return;
4645 }
4646
4647 OPENSSL_free(state);
4648 }
4649
4650 static CRYPTO_once_t g_ssl_test_ticket_aead_ex_index_once = CRYPTO_ONCE_INIT;
4651 static int g_ssl_test_ticket_aead_ex_index;
4652
ssl_test_ticket_aead_get_ex_index()4653 static int ssl_test_ticket_aead_get_ex_index() {
4654 CRYPTO_once(&g_ssl_test_ticket_aead_ex_index_once, [] {
4655 g_ssl_test_ticket_aead_ex_index = SSL_get_ex_new_index(
4656 0, nullptr, nullptr, ssl_test_ticket_aead_ex_index_dup,
4657 ssl_test_ticket_aead_ex_index_free);
4658 });
4659 return g_ssl_test_ticket_aead_ex_index;
4660 }
4661
ssl_test_ticket_aead_max_overhead(SSL * ssl)4662 static size_t ssl_test_ticket_aead_max_overhead(SSL *ssl) {
4663 return 1;
4664 }
4665
ssl_test_ticket_aead_seal(SSL * ssl,uint8_t * out,size_t * out_len,size_t max_out_len,const uint8_t * in,size_t in_len)4666 static int ssl_test_ticket_aead_seal(SSL *ssl, uint8_t *out, size_t *out_len,
4667 size_t max_out_len, const uint8_t *in,
4668 size_t in_len) {
4669 auto state = reinterpret_cast<ssl_test_ticket_aead_state *>(
4670 SSL_get_ex_data(ssl, ssl_test_ticket_aead_get_ex_index()));
4671
4672 if (state->failure_mode == ssl_test_ticket_aead_seal_fail ||
4673 max_out_len < in_len + 1) {
4674 return 0;
4675 }
4676
4677 OPENSSL_memmove(out, in, in_len);
4678 out[in_len] = 0xff;
4679 *out_len = in_len + 1;
4680
4681 return 1;
4682 }
4683
ssl_test_ticket_aead_open(SSL * ssl,uint8_t * out,size_t * out_len,size_t max_out_len,const uint8_t * in,size_t in_len)4684 static ssl_ticket_aead_result_t ssl_test_ticket_aead_open(
4685 SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out_len,
4686 const uint8_t *in, size_t in_len) {
4687 auto state = reinterpret_cast<ssl_test_ticket_aead_state *>(
4688 SSL_get_ex_data(ssl, ssl_test_ticket_aead_get_ex_index()));
4689
4690 if (state->retry_count > 0) {
4691 state->retry_count--;
4692 return ssl_ticket_aead_retry;
4693 }
4694
4695 switch (state->failure_mode) {
4696 case ssl_test_ticket_aead_ok:
4697 break;
4698 case ssl_test_ticket_aead_seal_fail:
4699 // If |seal| failed then there shouldn't be any ticket to try and
4700 // decrypt.
4701 abort();
4702 break;
4703 case ssl_test_ticket_aead_open_soft_fail:
4704 return ssl_ticket_aead_ignore_ticket;
4705 case ssl_test_ticket_aead_open_hard_fail:
4706 return ssl_ticket_aead_error;
4707 }
4708
4709 if (in_len == 0 || in[in_len - 1] != 0xff) {
4710 return ssl_ticket_aead_ignore_ticket;
4711 }
4712
4713 if (max_out_len < in_len - 1) {
4714 return ssl_ticket_aead_error;
4715 }
4716
4717 OPENSSL_memmove(out, in, in_len - 1);
4718 *out_len = in_len - 1;
4719 return ssl_ticket_aead_success;
4720 }
4721
4722 static const SSL_TICKET_AEAD_METHOD kSSLTestTicketMethod = {
4723 ssl_test_ticket_aead_max_overhead,
4724 ssl_test_ticket_aead_seal,
4725 ssl_test_ticket_aead_open,
4726 };
4727
ConnectClientAndServerWithTicketMethod(bssl::UniquePtr<SSL> * out_client,bssl::UniquePtr<SSL> * out_server,SSL_CTX * client_ctx,SSL_CTX * server_ctx,unsigned retry_count,ssl_test_ticket_aead_failure_mode failure_mode,SSL_SESSION * session)4728 static void ConnectClientAndServerWithTicketMethod(
4729 bssl::UniquePtr<SSL> *out_client, bssl::UniquePtr<SSL> *out_server,
4730 SSL_CTX *client_ctx, SSL_CTX *server_ctx, unsigned retry_count,
4731 ssl_test_ticket_aead_failure_mode failure_mode, SSL_SESSION *session) {
4732 bssl::UniquePtr<SSL> client(SSL_new(client_ctx)), server(SSL_new(server_ctx));
4733 ASSERT_TRUE(client);
4734 ASSERT_TRUE(server);
4735 SSL_set_connect_state(client.get());
4736 SSL_set_accept_state(server.get());
4737
4738 auto state = reinterpret_cast<ssl_test_ticket_aead_state *>(
4739 OPENSSL_malloc(sizeof(ssl_test_ticket_aead_state)));
4740 ASSERT_TRUE(state);
4741 OPENSSL_memset(state, 0, sizeof(ssl_test_ticket_aead_state));
4742 state->retry_count = retry_count;
4743 state->failure_mode = failure_mode;
4744
4745 ASSERT_GE(ssl_test_ticket_aead_get_ex_index(), 0);
4746 ASSERT_TRUE(SSL_set_ex_data(server.get(), ssl_test_ticket_aead_get_ex_index(),
4747 state));
4748
4749 SSL_set_session(client.get(), session);
4750
4751 BIO *bio1, *bio2;
4752 ASSERT_TRUE(BIO_new_bio_pair(&bio1, 0, &bio2, 0));
4753
4754 // SSL_set_bio takes ownership.
4755 SSL_set_bio(client.get(), bio1, bio1);
4756 SSL_set_bio(server.get(), bio2, bio2);
4757
4758 if (CompleteHandshakes(client.get(), server.get())) {
4759 *out_client = std::move(client);
4760 *out_server = std::move(server);
4761 } else {
4762 out_client->reset();
4763 out_server->reset();
4764 }
4765 }
4766
4767 using TicketAEADMethodParam =
4768 testing::tuple<uint16_t, unsigned, ssl_test_ticket_aead_failure_mode>;
4769
4770 class TicketAEADMethodTest
4771 : public ::testing::TestWithParam<TicketAEADMethodParam> {};
4772
TEST_P(TicketAEADMethodTest,Resume)4773 TEST_P(TicketAEADMethodTest, Resume) {
4774 bssl::UniquePtr<SSL_CTX> server_ctx =
4775 CreateContextWithTestCertificate(TLS_method());
4776 ASSERT_TRUE(server_ctx);
4777 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
4778 ASSERT_TRUE(client_ctx);
4779
4780 const uint16_t version = testing::get<0>(GetParam());
4781 const unsigned retry_count = testing::get<1>(GetParam());
4782 const ssl_test_ticket_aead_failure_mode failure_mode =
4783 testing::get<2>(GetParam());
4784
4785 ASSERT_TRUE(SSL_CTX_set_min_proto_version(client_ctx.get(), version));
4786 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), version));
4787 ASSERT_TRUE(SSL_CTX_set_min_proto_version(server_ctx.get(), version));
4788 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), version));
4789
4790 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
4791 SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH);
4792 SSL_CTX_set_current_time_cb(client_ctx.get(), FrozenTimeCallback);
4793 SSL_CTX_set_current_time_cb(server_ctx.get(), FrozenTimeCallback);
4794 SSL_CTX_sess_set_new_cb(client_ctx.get(), SaveLastSession);
4795
4796 SSL_CTX_set_ticket_aead_method(server_ctx.get(), &kSSLTestTicketMethod);
4797
4798 bssl::UniquePtr<SSL> client, server;
4799 ASSERT_NO_FATAL_FAILURE(ConnectClientAndServerWithTicketMethod(
4800 &client, &server, client_ctx.get(), server_ctx.get(), retry_count,
4801 failure_mode, nullptr));
4802 switch (failure_mode) {
4803 case ssl_test_ticket_aead_ok:
4804 case ssl_test_ticket_aead_open_hard_fail:
4805 case ssl_test_ticket_aead_open_soft_fail:
4806 ASSERT_TRUE(client);
4807 break;
4808 case ssl_test_ticket_aead_seal_fail:
4809 EXPECT_FALSE(client);
4810 return;
4811 }
4812 EXPECT_FALSE(SSL_session_reused(client.get()));
4813 EXPECT_FALSE(SSL_session_reused(server.get()));
4814
4815 ASSERT_TRUE(FlushNewSessionTickets(client.get(), server.get()));
4816 bssl::UniquePtr<SSL_SESSION> session = std::move(g_last_session);
4817 ASSERT_NO_FATAL_FAILURE(ConnectClientAndServerWithTicketMethod(
4818 &client, &server, client_ctx.get(), server_ctx.get(), retry_count,
4819 failure_mode, session.get()));
4820 switch (failure_mode) {
4821 case ssl_test_ticket_aead_ok:
4822 ASSERT_TRUE(client);
4823 EXPECT_TRUE(SSL_session_reused(client.get()));
4824 EXPECT_TRUE(SSL_session_reused(server.get()));
4825 break;
4826 case ssl_test_ticket_aead_seal_fail:
4827 abort();
4828 break;
4829 case ssl_test_ticket_aead_open_hard_fail:
4830 EXPECT_FALSE(client);
4831 break;
4832 case ssl_test_ticket_aead_open_soft_fail:
4833 ASSERT_TRUE(client);
4834 EXPECT_FALSE(SSL_session_reused(client.get()));
4835 EXPECT_FALSE(SSL_session_reused(server.get()));
4836 }
4837 }
4838
TicketAEADMethodParamToString(const testing::TestParamInfo<TicketAEADMethodParam> & params)4839 std::string TicketAEADMethodParamToString(
4840 const testing::TestParamInfo<TicketAEADMethodParam> ¶ms) {
4841 std::string ret = GetVersionName(std::get<0>(params.param));
4842 // GTest only allows alphanumeric characters and '_' in the parameter
4843 // string. Additionally filter out the 'v' to get "TLS13" over "TLSv13".
4844 for (auto it = ret.begin(); it != ret.end();) {
4845 if (*it == '.' || *it == 'v') {
4846 it = ret.erase(it);
4847 } else {
4848 ++it;
4849 }
4850 }
4851 char retry_count[256];
4852 snprintf(retry_count, sizeof(retry_count), "%u", std::get<1>(params.param));
4853 ret += "_";
4854 ret += retry_count;
4855 ret += "Retries_";
4856 switch (std::get<2>(params.param)) {
4857 case ssl_test_ticket_aead_ok:
4858 ret += "OK";
4859 break;
4860 case ssl_test_ticket_aead_seal_fail:
4861 ret += "SealFail";
4862 break;
4863 case ssl_test_ticket_aead_open_soft_fail:
4864 ret += "OpenSoftFail";
4865 break;
4866 case ssl_test_ticket_aead_open_hard_fail:
4867 ret += "OpenHardFail";
4868 break;
4869 }
4870 return ret;
4871 }
4872
4873 INSTANTIATE_TEST_SUITE_P(
4874 TicketAEADMethodTests, TicketAEADMethodTest,
4875 testing::Combine(testing::Values(TLS1_2_VERSION, TLS1_3_VERSION),
4876 testing::Values(0, 1, 2),
4877 testing::Values(ssl_test_ticket_aead_ok,
4878 ssl_test_ticket_aead_seal_fail,
4879 ssl_test_ticket_aead_open_soft_fail,
4880 ssl_test_ticket_aead_open_hard_fail)),
4881 TicketAEADMethodParamToString);
4882
TEST(SSLTest,SelectNextProto)4883 TEST(SSLTest, SelectNextProto) {
4884 uint8_t *result;
4885 uint8_t result_len;
4886
4887 // If there is an overlap, it should be returned.
4888 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
4889 SSL_select_next_proto(&result, &result_len,
4890 (const uint8_t *)"\1a\2bb\3ccc", 9,
4891 (const uint8_t *)"\1x\1y\1a\1z", 8));
4892 EXPECT_EQ(Bytes("a"), Bytes(result, result_len));
4893
4894 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
4895 SSL_select_next_proto(&result, &result_len,
4896 (const uint8_t *)"\1a\2bb\3ccc", 9,
4897 (const uint8_t *)"\1x\1y\2bb\1z", 9));
4898 EXPECT_EQ(Bytes("bb"), Bytes(result, result_len));
4899
4900 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
4901 SSL_select_next_proto(&result, &result_len,
4902 (const uint8_t *)"\1a\2bb\3ccc", 9,
4903 (const uint8_t *)"\1x\1y\3ccc\1z", 10));
4904 EXPECT_EQ(Bytes("ccc"), Bytes(result, result_len));
4905
4906 // Peer preference order takes precedence over local.
4907 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
4908 SSL_select_next_proto(&result, &result_len,
4909 (const uint8_t *)"\1a\2bb\3ccc", 9,
4910 (const uint8_t *)"\3ccc\2bb\1a", 9));
4911 EXPECT_EQ(Bytes("a"), Bytes(result, result_len));
4912
4913 // If there is no overlap, return the first local protocol.
4914 EXPECT_EQ(OPENSSL_NPN_NO_OVERLAP,
4915 SSL_select_next_proto(&result, &result_len,
4916 (const uint8_t *)"\1a\2bb\3ccc", 9,
4917 (const uint8_t *)"\1x\2yy\3zzz", 9));
4918 EXPECT_EQ(Bytes("x"), Bytes(result, result_len));
4919
4920 EXPECT_EQ(OPENSSL_NPN_NO_OVERLAP,
4921 SSL_select_next_proto(&result, &result_len, nullptr, 0,
4922 (const uint8_t *)"\1x\2yy\3zzz", 9));
4923 EXPECT_EQ(Bytes("x"), Bytes(result, result_len));
4924 }
4925
4926 // The client should gracefully handle no suitable ciphers being enabled.
TEST(SSLTest,NoCiphersAvailable)4927 TEST(SSLTest, NoCiphersAvailable) {
4928 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
4929 ASSERT_TRUE(ctx);
4930
4931 // Configure |client_ctx| with a cipher list that does not intersect with its
4932 // version configuration.
4933 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(
4934 ctx.get(), "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"));
4935 ASSERT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_1_VERSION));
4936
4937 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
4938 ASSERT_TRUE(ssl);
4939 SSL_set_connect_state(ssl.get());
4940
4941 UniquePtr<BIO> rbio(BIO_new(BIO_s_mem())), wbio(BIO_new(BIO_s_mem()));
4942 ASSERT_TRUE(rbio);
4943 ASSERT_TRUE(wbio);
4944 SSL_set0_rbio(ssl.get(), rbio.release());
4945 SSL_set0_wbio(ssl.get(), wbio.release());
4946
4947 int ret = SSL_do_handshake(ssl.get());
4948 EXPECT_EQ(-1, ret);
4949 EXPECT_EQ(SSL_ERROR_SSL, SSL_get_error(ssl.get(), ret));
4950 uint32_t err = ERR_get_error();
4951 EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err));
4952 EXPECT_EQ(SSL_R_NO_CIPHERS_AVAILABLE, ERR_GET_REASON(err));
4953 }
4954
TEST_P(SSLVersionTest,SessionVersion)4955 TEST_P(SSLVersionTest, SessionVersion) {
4956 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
4957 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
4958
4959 bssl::UniquePtr<SSL_SESSION> session =
4960 CreateClientSession(client_ctx_.get(), server_ctx_.get());
4961 ASSERT_TRUE(session);
4962 EXPECT_EQ(version(), SSL_SESSION_get_protocol_version(session.get()));
4963
4964 // Sessions in TLS 1.3 and later should be single-use.
4965 EXPECT_EQ(version() == TLS1_3_VERSION,
4966 !!SSL_SESSION_should_be_single_use(session.get()));
4967
4968 // Making fake sessions for testing works.
4969 session.reset(SSL_SESSION_new(client_ctx_.get()));
4970 ASSERT_TRUE(session);
4971 ASSERT_TRUE(SSL_SESSION_set_protocol_version(session.get(), version()));
4972 EXPECT_EQ(version(), SSL_SESSION_get_protocol_version(session.get()));
4973 }
4974
TEST_P(SSLVersionTest,SSLPending)4975 TEST_P(SSLVersionTest, SSLPending) {
4976 UniquePtr<SSL> ssl(SSL_new(client_ctx_.get()));
4977 ASSERT_TRUE(ssl);
4978 EXPECT_EQ(0, SSL_pending(ssl.get()));
4979
4980 ASSERT_TRUE(Connect());
4981 EXPECT_EQ(0, SSL_pending(client_.get()));
4982 EXPECT_EQ(0, SSL_has_pending(client_.get()));
4983
4984 ASSERT_EQ(5, SSL_write(server_.get(), "hello", 5));
4985 ASSERT_EQ(5, SSL_write(server_.get(), "world", 5));
4986 EXPECT_EQ(0, SSL_pending(client_.get()));
4987 EXPECT_EQ(0, SSL_has_pending(client_.get()));
4988
4989 char buf[10];
4990 ASSERT_EQ(1, SSL_peek(client_.get(), buf, 1));
4991 EXPECT_EQ(5, SSL_pending(client_.get()));
4992 EXPECT_EQ(1, SSL_has_pending(client_.get()));
4993
4994 ASSERT_EQ(1, SSL_read(client_.get(), buf, 1));
4995 EXPECT_EQ(4, SSL_pending(client_.get()));
4996 EXPECT_EQ(1, SSL_has_pending(client_.get()));
4997
4998 ASSERT_EQ(4, SSL_read(client_.get(), buf, 10));
4999 EXPECT_EQ(0, SSL_pending(client_.get()));
5000 if (is_dtls()) {
5001 // In DTLS, the two records would have been read as a single datagram and
5002 // buffered inside |client_|. Thus, |SSL_has_pending| should return true.
5003 //
5004 // This test is slightly unrealistic. It relies on |ConnectClientAndServer|
5005 // using a |BIO| pair, which does not preserve datagram boundaries. Reading
5006 // 1 byte, then 4 bytes, from the first record also relies on
5007 // https://crbug.com/boringssl/65. But it does test the codepaths. When
5008 // fixing either of these bugs, this test may need to be redone.
5009 EXPECT_EQ(1, SSL_has_pending(client_.get()));
5010 } else {
5011 // In TLS, we do not overread, so |SSL_has_pending| should report no data is
5012 // buffered.
5013 EXPECT_EQ(0, SSL_has_pending(client_.get()));
5014 }
5015
5016 ASSERT_EQ(2, SSL_read(client_.get(), buf, 2));
5017 EXPECT_EQ(3, SSL_pending(client_.get()));
5018 EXPECT_EQ(1, SSL_has_pending(client_.get()));
5019 }
5020
5021 // Test that post-handshake tickets consumed by |SSL_shutdown| are ignored.
TEST(SSLTest,ShutdownIgnoresTickets)5022 TEST(SSLTest, ShutdownIgnoresTickets) {
5023 bssl::UniquePtr<SSL_CTX> ctx(CreateContextWithTestCertificate(TLS_method()));
5024 ASSERT_TRUE(ctx);
5025 ASSERT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_3_VERSION));
5026 ASSERT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_3_VERSION));
5027
5028 SSL_CTX_set_session_cache_mode(ctx.get(), SSL_SESS_CACHE_BOTH);
5029
5030 bssl::UniquePtr<SSL> client, server;
5031 ASSERT_TRUE(ConnectClientAndServer(&client, &server, ctx.get(), ctx.get()));
5032
5033 SSL_CTX_sess_set_new_cb(ctx.get(), [](SSL *ssl, SSL_SESSION *session) -> int {
5034 ADD_FAILURE() << "New session callback called during SSL_shutdown";
5035 return 0;
5036 });
5037
5038 // Send close_notify.
5039 EXPECT_EQ(0, SSL_shutdown(server.get()));
5040 EXPECT_EQ(0, SSL_shutdown(client.get()));
5041
5042 // Receive close_notify.
5043 EXPECT_EQ(1, SSL_shutdown(server.get()));
5044 EXPECT_EQ(1, SSL_shutdown(client.get()));
5045 }
5046
TEST(SSLTest,SignatureAlgorithmProperties)5047 TEST(SSLTest, SignatureAlgorithmProperties) {
5048 EXPECT_EQ(EVP_PKEY_NONE, SSL_get_signature_algorithm_key_type(0x1234));
5049 EXPECT_EQ(nullptr, SSL_get_signature_algorithm_digest(0x1234));
5050 EXPECT_FALSE(SSL_is_signature_algorithm_rsa_pss(0x1234));
5051
5052 EXPECT_EQ(EVP_PKEY_RSA,
5053 SSL_get_signature_algorithm_key_type(SSL_SIGN_RSA_PKCS1_MD5_SHA1));
5054 EXPECT_EQ(EVP_md5_sha1(),
5055 SSL_get_signature_algorithm_digest(SSL_SIGN_RSA_PKCS1_MD5_SHA1));
5056 EXPECT_FALSE(SSL_is_signature_algorithm_rsa_pss(SSL_SIGN_RSA_PKCS1_MD5_SHA1));
5057
5058 EXPECT_EQ(EVP_PKEY_EC, SSL_get_signature_algorithm_key_type(
5059 SSL_SIGN_ECDSA_SECP256R1_SHA256));
5060 EXPECT_EQ(EVP_sha256(), SSL_get_signature_algorithm_digest(
5061 SSL_SIGN_ECDSA_SECP256R1_SHA256));
5062 EXPECT_FALSE(
5063 SSL_is_signature_algorithm_rsa_pss(SSL_SIGN_ECDSA_SECP256R1_SHA256));
5064
5065 EXPECT_EQ(EVP_PKEY_RSA,
5066 SSL_get_signature_algorithm_key_type(SSL_SIGN_RSA_PSS_RSAE_SHA384));
5067 EXPECT_EQ(EVP_sha384(),
5068 SSL_get_signature_algorithm_digest(SSL_SIGN_RSA_PSS_RSAE_SHA384));
5069 EXPECT_TRUE(SSL_is_signature_algorithm_rsa_pss(SSL_SIGN_RSA_PSS_RSAE_SHA384));
5070 }
5071
XORCompressFunc(SSL * ssl,CBB * out,const uint8_t * in,size_t in_len)5072 static int XORCompressFunc(SSL *ssl, CBB *out, const uint8_t *in,
5073 size_t in_len) {
5074 for (size_t i = 0; i < in_len; i++) {
5075 if (!CBB_add_u8(out, in[i] ^ 0x55)) {
5076 return 0;
5077 }
5078 }
5079
5080 SSL_set_app_data(ssl, XORCompressFunc);
5081
5082 return 1;
5083 }
5084
XORDecompressFunc(SSL * ssl,CRYPTO_BUFFER ** out,size_t uncompressed_len,const uint8_t * in,size_t in_len)5085 static int XORDecompressFunc(SSL *ssl, CRYPTO_BUFFER **out,
5086 size_t uncompressed_len, const uint8_t *in,
5087 size_t in_len) {
5088 if (in_len != uncompressed_len) {
5089 return 0;
5090 }
5091
5092 uint8_t *data;
5093 *out = CRYPTO_BUFFER_alloc(&data, uncompressed_len);
5094 if (*out == nullptr) {
5095 return 0;
5096 }
5097
5098 for (size_t i = 0; i < in_len; i++) {
5099 data[i] = in[i] ^ 0x55;
5100 }
5101
5102 SSL_set_app_data(ssl, XORDecompressFunc);
5103
5104 return 1;
5105 }
5106
TEST(SSLTest,CertCompression)5107 TEST(SSLTest, CertCompression) {
5108 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
5109 bssl::UniquePtr<SSL_CTX> server_ctx(
5110 CreateContextWithTestCertificate(TLS_method()));
5111 ASSERT_TRUE(client_ctx);
5112 ASSERT_TRUE(server_ctx);
5113
5114 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION));
5115 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
5116 ASSERT_TRUE(SSL_CTX_add_cert_compression_alg(
5117 client_ctx.get(), 0x1234, XORCompressFunc, XORDecompressFunc));
5118 ASSERT_TRUE(SSL_CTX_add_cert_compression_alg(
5119 server_ctx.get(), 0x1234, XORCompressFunc, XORDecompressFunc));
5120
5121 bssl::UniquePtr<SSL> client, server;
5122 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
5123 server_ctx.get()));
5124
5125 EXPECT_TRUE(SSL_get_app_data(client.get()) == XORDecompressFunc);
5126 EXPECT_TRUE(SSL_get_app_data(server.get()) == XORCompressFunc);
5127 }
5128
MoveBIOs(SSL * dest,SSL * src)5129 void MoveBIOs(SSL *dest, SSL *src) {
5130 BIO *rbio = SSL_get_rbio(src);
5131 BIO_up_ref(rbio);
5132 SSL_set0_rbio(dest, rbio);
5133
5134 BIO *wbio = SSL_get_wbio(src);
5135 BIO_up_ref(wbio);
5136 SSL_set0_wbio(dest, wbio);
5137
5138 SSL_set0_rbio(src, nullptr);
5139 SSL_set0_wbio(src, nullptr);
5140 }
5141
TEST(SSLTest,Handoff)5142 TEST(SSLTest, Handoff) {
5143 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
5144 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
5145 bssl::UniquePtr<SSL_CTX> handshaker_ctx(
5146 CreateContextWithTestCertificate(TLS_method()));
5147 ASSERT_TRUE(client_ctx);
5148 ASSERT_TRUE(server_ctx);
5149 ASSERT_TRUE(handshaker_ctx);
5150
5151 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_CLIENT);
5152 SSL_CTX_sess_set_new_cb(client_ctx.get(), SaveLastSession);
5153 SSL_CTX_set_handoff_mode(server_ctx.get(), true);
5154 uint8_t keys[48];
5155 SSL_CTX_get_tlsext_ticket_keys(server_ctx.get(), &keys, sizeof(keys));
5156 SSL_CTX_set_tlsext_ticket_keys(handshaker_ctx.get(), &keys, sizeof(keys));
5157
5158 for (bool early_data : {false, true}) {
5159 SCOPED_TRACE(early_data);
5160 for (bool is_resume : {false, true}) {
5161 SCOPED_TRACE(is_resume);
5162 bssl::UniquePtr<SSL> client, server;
5163 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
5164 server_ctx.get()));
5165 SSL_set_early_data_enabled(client.get(), early_data);
5166 if (is_resume) {
5167 ASSERT_TRUE(g_last_session);
5168 SSL_set_session(client.get(), g_last_session.get());
5169 if (early_data) {
5170 EXPECT_GT(g_last_session->ticket_max_early_data, 0u);
5171 }
5172 }
5173
5174
5175 int client_ret = SSL_do_handshake(client.get());
5176 int client_err = SSL_get_error(client.get(), client_ret);
5177
5178 uint8_t byte_written;
5179 if (early_data && is_resume) {
5180 ASSERT_EQ(client_err, 0);
5181 EXPECT_TRUE(SSL_in_early_data(client.get()));
5182 // Attempt to write early data.
5183 byte_written = 43;
5184 EXPECT_EQ(SSL_write(client.get(), &byte_written, 1), 1);
5185 } else {
5186 ASSERT_EQ(client_err, SSL_ERROR_WANT_READ);
5187 }
5188
5189 int server_ret = SSL_do_handshake(server.get());
5190 int server_err = SSL_get_error(server.get(), server_ret);
5191 ASSERT_EQ(server_err, SSL_ERROR_HANDOFF);
5192
5193 ScopedCBB cbb;
5194 Array<uint8_t> handoff;
5195 SSL_CLIENT_HELLO hello;
5196 ASSERT_TRUE(CBB_init(cbb.get(), 256));
5197 ASSERT_TRUE(SSL_serialize_handoff(server.get(), cbb.get(), &hello));
5198 ASSERT_TRUE(CBBFinishArray(cbb.get(), &handoff));
5199
5200 bssl::UniquePtr<SSL> handshaker(SSL_new(handshaker_ctx.get()));
5201 ASSERT_TRUE(handshaker);
5202 // Note split handshakes determines 0-RTT support, for both the current
5203 // handshake and newly-issued tickets, entirely by |handshaker|. There is
5204 // no need to call |SSL_set_early_data_enabled| on |server|.
5205 SSL_set_early_data_enabled(handshaker.get(), 1);
5206 ASSERT_TRUE(SSL_apply_handoff(handshaker.get(), handoff));
5207
5208 MoveBIOs(handshaker.get(), server.get());
5209
5210 int handshake_ret = SSL_do_handshake(handshaker.get());
5211 int handshake_err = SSL_get_error(handshaker.get(), handshake_ret);
5212 ASSERT_EQ(handshake_err, SSL_ERROR_HANDBACK);
5213
5214 // Double-check that additional calls to |SSL_do_handshake| continue
5215 // to get |SSL_ERROR_HANDBACK|.
5216 handshake_ret = SSL_do_handshake(handshaker.get());
5217 handshake_err = SSL_get_error(handshaker.get(), handshake_ret);
5218 ASSERT_EQ(handshake_err, SSL_ERROR_HANDBACK);
5219
5220 ScopedCBB cbb_handback;
5221 Array<uint8_t> handback;
5222 ASSERT_TRUE(CBB_init(cbb_handback.get(), 1024));
5223 ASSERT_TRUE(SSL_serialize_handback(handshaker.get(), cbb_handback.get()));
5224 ASSERT_TRUE(CBBFinishArray(cbb_handback.get(), &handback));
5225
5226 bssl::UniquePtr<SSL> server2(SSL_new(server_ctx.get()));
5227 ASSERT_TRUE(server2);
5228 ASSERT_TRUE(SSL_apply_handback(server2.get(), handback));
5229
5230 MoveBIOs(server2.get(), handshaker.get());
5231 ASSERT_TRUE(CompleteHandshakes(client.get(), server2.get()));
5232 EXPECT_EQ(is_resume, SSL_session_reused(client.get()));
5233
5234 if (early_data && is_resume) {
5235 // In this case, one byte of early data has already been written above.
5236 EXPECT_TRUE(SSL_early_data_accepted(client.get()));
5237 } else {
5238 byte_written = 42;
5239 EXPECT_EQ(SSL_write(client.get(), &byte_written, 1), 1);
5240 }
5241 uint8_t byte;
5242 EXPECT_EQ(SSL_read(server2.get(), &byte, 1), 1);
5243 EXPECT_EQ(byte_written, byte);
5244
5245 byte = 44;
5246 EXPECT_EQ(SSL_write(server2.get(), &byte, 1), 1);
5247 EXPECT_EQ(SSL_read(client.get(), &byte, 1), 1);
5248 EXPECT_EQ(44, byte);
5249 }
5250 }
5251 }
5252
TEST(SSLTest,HandoffDeclined)5253 TEST(SSLTest, HandoffDeclined) {
5254 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
5255 bssl::UniquePtr<SSL_CTX> server_ctx(
5256 CreateContextWithTestCertificate(TLS_method()));
5257 ASSERT_TRUE(client_ctx);
5258 ASSERT_TRUE(server_ctx);
5259
5260 SSL_CTX_set_handoff_mode(server_ctx.get(), true);
5261 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_2_VERSION));
5262
5263 bssl::UniquePtr<SSL> client, server;
5264 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
5265 server_ctx.get()));
5266
5267 int client_ret = SSL_do_handshake(client.get());
5268 int client_err = SSL_get_error(client.get(), client_ret);
5269 ASSERT_EQ(client_err, SSL_ERROR_WANT_READ);
5270
5271 int server_ret = SSL_do_handshake(server.get());
5272 int server_err = SSL_get_error(server.get(), server_ret);
5273 ASSERT_EQ(server_err, SSL_ERROR_HANDOFF);
5274
5275 ScopedCBB cbb;
5276 SSL_CLIENT_HELLO hello;
5277 ASSERT_TRUE(CBB_init(cbb.get(), 256));
5278 ASSERT_TRUE(SSL_serialize_handoff(server.get(), cbb.get(), &hello));
5279
5280 ASSERT_TRUE(SSL_decline_handoff(server.get()));
5281
5282 ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
5283
5284 uint8_t byte = 42;
5285 EXPECT_EQ(SSL_write(client.get(), &byte, 1), 1);
5286 EXPECT_EQ(SSL_read(server.get(), &byte, 1), 1);
5287 EXPECT_EQ(42, byte);
5288
5289 byte = 43;
5290 EXPECT_EQ(SSL_write(server.get(), &byte, 1), 1);
5291 EXPECT_EQ(SSL_read(client.get(), &byte, 1), 1);
5292 EXPECT_EQ(43, byte);
5293 }
5294
SigAlgsToString(Span<const uint16_t> sigalgs)5295 static std::string SigAlgsToString(Span<const uint16_t> sigalgs) {
5296 std::string ret = "{";
5297
5298 for (uint16_t v : sigalgs) {
5299 if (ret.size() > 1) {
5300 ret += ", ";
5301 }
5302
5303 char buf[8];
5304 snprintf(buf, sizeof(buf) - 1, "0x%02x", v);
5305 buf[sizeof(buf)-1] = 0;
5306 ret += std::string(buf);
5307 }
5308
5309 ret += "}";
5310 return ret;
5311 }
5312
ExpectSigAlgsEqual(Span<const uint16_t> expected,Span<const uint16_t> actual)5313 void ExpectSigAlgsEqual(Span<const uint16_t> expected,
5314 Span<const uint16_t> actual) {
5315 bool matches = false;
5316 if (expected.size() == actual.size()) {
5317 matches = true;
5318
5319 for (size_t i = 0; i < expected.size(); i++) {
5320 if (expected[i] != actual[i]) {
5321 matches = false;
5322 break;
5323 }
5324 }
5325 }
5326
5327 if (!matches) {
5328 ADD_FAILURE() << "expected: " << SigAlgsToString(expected)
5329 << " got: " << SigAlgsToString(actual);
5330 }
5331 }
5332
TEST(SSLTest,SigAlgs)5333 TEST(SSLTest, SigAlgs) {
5334 static const struct {
5335 std::vector<int> input;
5336 bool ok;
5337 std::vector<uint16_t> expected;
5338 } kTests[] = {
5339 {{}, true, {}},
5340 {{1}, false, {}},
5341 {{1, 2, 3}, false, {}},
5342 {{NID_sha256, EVP_PKEY_ED25519}, false, {}},
5343 {{NID_sha256, EVP_PKEY_RSA, NID_sha256, EVP_PKEY_RSA}, false, {}},
5344
5345 {{NID_sha256, EVP_PKEY_RSA}, true, {SSL_SIGN_RSA_PKCS1_SHA256}},
5346 {{NID_sha512, EVP_PKEY_RSA}, true, {SSL_SIGN_RSA_PKCS1_SHA512}},
5347 {{NID_sha256, EVP_PKEY_RSA_PSS}, true, {SSL_SIGN_RSA_PSS_RSAE_SHA256}},
5348 {{NID_undef, EVP_PKEY_ED25519}, true, {SSL_SIGN_ED25519}},
5349 {{NID_undef, EVP_PKEY_ED25519, NID_sha384, EVP_PKEY_EC},
5350 true,
5351 {SSL_SIGN_ED25519, SSL_SIGN_ECDSA_SECP384R1_SHA384}},
5352 };
5353
5354 UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
5355 ASSERT_TRUE(ctx);
5356
5357 unsigned n = 1;
5358 for (const auto &test : kTests) {
5359 SCOPED_TRACE(n++);
5360
5361 const bool ok =
5362 SSL_CTX_set1_sigalgs(ctx.get(), test.input.data(), test.input.size());
5363 EXPECT_EQ(ok, test.ok);
5364
5365 if (!ok) {
5366 ERR_clear_error();
5367 }
5368
5369 if (!test.ok) {
5370 continue;
5371 }
5372
5373 ExpectSigAlgsEqual(test.expected, ctx->cert->sigalgs);
5374 }
5375 }
5376
TEST(SSLTest,SigAlgsList)5377 TEST(SSLTest, SigAlgsList) {
5378 static const struct {
5379 const char *input;
5380 bool ok;
5381 std::vector<uint16_t> expected;
5382 } kTests[] = {
5383 {"", false, {}},
5384 {":", false, {}},
5385 {"+", false, {}},
5386 {"RSA", false, {}},
5387 {"RSA+", false, {}},
5388 {"RSA+SHA256:", false, {}},
5389 {":RSA+SHA256:", false, {}},
5390 {":RSA+SHA256+:", false, {}},
5391 {"!", false, {}},
5392 {"\x01", false, {}},
5393 {"RSA+SHA256:RSA+SHA384:RSA+SHA256", false, {}},
5394 {"RSA-PSS+SHA256:rsa_pss_rsae_sha256", false, {}},
5395
5396 {"RSA+SHA256", true, {SSL_SIGN_RSA_PKCS1_SHA256}},
5397 {"RSA+SHA256:ed25519",
5398 true,
5399 {SSL_SIGN_RSA_PKCS1_SHA256, SSL_SIGN_ED25519}},
5400 {"ECDSA+SHA256:RSA+SHA512",
5401 true,
5402 {SSL_SIGN_ECDSA_SECP256R1_SHA256, SSL_SIGN_RSA_PKCS1_SHA512}},
5403 {"ecdsa_secp256r1_sha256:rsa_pss_rsae_sha256",
5404 true,
5405 {SSL_SIGN_ECDSA_SECP256R1_SHA256, SSL_SIGN_RSA_PSS_RSAE_SHA256}},
5406 {"RSA-PSS+SHA256", true, {SSL_SIGN_RSA_PSS_RSAE_SHA256}},
5407 {"PSS+SHA256", true, {SSL_SIGN_RSA_PSS_RSAE_SHA256}},
5408 };
5409
5410 UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
5411 ASSERT_TRUE(ctx);
5412
5413 unsigned n = 1;
5414 for (const auto &test : kTests) {
5415 SCOPED_TRACE(n++);
5416
5417 const bool ok = SSL_CTX_set1_sigalgs_list(ctx.get(), test.input);
5418 EXPECT_EQ(ok, test.ok);
5419
5420 if (!ok) {
5421 if (test.ok) {
5422 ERR_print_errors_fp(stderr);
5423 }
5424 ERR_clear_error();
5425 }
5426
5427 if (!test.ok) {
5428 continue;
5429 }
5430
5431 ExpectSigAlgsEqual(test.expected, ctx->cert->sigalgs);
5432 }
5433 }
5434
TEST(SSLTest,ApplyHandoffRemovesUnsupportedCiphers)5435 TEST(SSLTest, ApplyHandoffRemovesUnsupportedCiphers) {
5436 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
5437 ASSERT_TRUE(server_ctx);
5438 bssl::UniquePtr<SSL> server(SSL_new(server_ctx.get()));
5439 ASSERT_TRUE(server);
5440
5441 // handoff is a handoff message that has been artificially modified to pretend
5442 // that only cipher 0x0A is supported. When it is applied to |server|, all
5443 // ciphers but that one should be removed.
5444 //
5445 // To make a new one of these, try sticking this in the |Handoff| test above:
5446 //
5447 // hexdump(stderr, "", handoff.data(), handoff.size());
5448 // sed -e 's/\(..\)/0x\1, /g'
5449 //
5450 // and modify serialize_features() to emit only cipher 0x0A.
5451
5452 uint8_t handoff[] = {
5453 0x30, 0x81, 0x9a, 0x02, 0x01, 0x00, 0x04, 0x00, 0x04, 0x81, 0x82, 0x01,
5454 0x00, 0x00, 0x7e, 0x03, 0x03, 0x30, 0x8e, 0x8f, 0x79, 0xd2, 0x87, 0x39,
5455 0xc2, 0x23, 0x23, 0x13, 0xca, 0x3c, 0x80, 0x44, 0xfd, 0x80, 0x83, 0x62,
5456 0x3c, 0xcc, 0xf8, 0x76, 0xd3, 0x62, 0xbb, 0x54, 0xe3, 0xc4, 0x39, 0x24,
5457 0xa5, 0x00, 0x00, 0x1e, 0xc0, 0x2b, 0xc0, 0x2f, 0xc0, 0x2c, 0xc0, 0x30,
5458 0xcc, 0xa9, 0xcc, 0xa8, 0xc0, 0x09, 0xc0, 0x13, 0xc0, 0x0a, 0xc0, 0x14,
5459 0x00, 0x9c, 0x00, 0x9d, 0x00, 0x2f, 0x00, 0x35, 0x00, 0x0a, 0x01, 0x00,
5460 0x00, 0x37, 0x00, 0x17, 0x00, 0x00, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00,
5461 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00,
5462 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00,
5463 0x14, 0x00, 0x12, 0x04, 0x03, 0x08, 0x04, 0x04, 0x01, 0x05, 0x03, 0x08,
5464 0x05, 0x05, 0x01, 0x08, 0x06, 0x06, 0x01, 0x02, 0x01, 0x04, 0x02, 0x00,
5465 0x0a, 0x04, 0x0a, 0x00, 0x15, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x00,
5466 0x1d,
5467 };
5468
5469 EXPECT_EQ(20u, sk_SSL_CIPHER_num(SSL_get_ciphers(server.get())));
5470 ASSERT_TRUE(
5471 SSL_apply_handoff(server.get(), {handoff, OPENSSL_ARRAY_SIZE(handoff)}));
5472 EXPECT_EQ(1u, sk_SSL_CIPHER_num(SSL_get_ciphers(server.get())));
5473 }
5474
TEST(SSLTest,ApplyHandoffRemovesUnsupportedCurves)5475 TEST(SSLTest, ApplyHandoffRemovesUnsupportedCurves) {
5476 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
5477 ASSERT_TRUE(server_ctx);
5478 bssl::UniquePtr<SSL> server(SSL_new(server_ctx.get()));
5479 ASSERT_TRUE(server);
5480
5481 // handoff is a handoff message that has been artificially modified to pretend
5482 // that only one curve is supported. When it is applied to |server|, all
5483 // curves but that one should be removed.
5484 //
5485 // See |ApplyHandoffRemovesUnsupportedCiphers| for how to make a new one of
5486 // these.
5487 uint8_t handoff[] = {
5488 0x30, 0x81, 0xc0, 0x02, 0x01, 0x00, 0x04, 0x00, 0x04, 0x81, 0x82, 0x01,
5489 0x00, 0x00, 0x7e, 0x03, 0x03, 0x98, 0x30, 0xce, 0xd9, 0xb0, 0xdf, 0x5f,
5490 0x82, 0x05, 0x4a, 0x43, 0x67, 0x7e, 0xdb, 0x6a, 0x4f, 0x21, 0x18, 0x4e,
5491 0x0d, 0x94, 0x63, 0x18, 0x8b, 0x54, 0x89, 0xdb, 0x8b, 0x1d, 0x84, 0xbc,
5492 0x09, 0x00, 0x00, 0x1e, 0xc0, 0x2b, 0xc0, 0x2f, 0xc0, 0x2c, 0xc0, 0x30,
5493 0xcc, 0xa9, 0xcc, 0xa8, 0xc0, 0x09, 0xc0, 0x13, 0xc0, 0x0a, 0xc0, 0x14,
5494 0x00, 0x9c, 0x00, 0x9d, 0x00, 0x2f, 0x00, 0x35, 0x00, 0x0a, 0x01, 0x00,
5495 0x00, 0x37, 0x00, 0x17, 0x00, 0x00, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00,
5496 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00,
5497 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00,
5498 0x14, 0x00, 0x12, 0x04, 0x03, 0x08, 0x04, 0x04, 0x01, 0x05, 0x03, 0x08,
5499 0x05, 0x05, 0x01, 0x08, 0x06, 0x06, 0x01, 0x02, 0x01, 0x04, 0x30, 0x00,
5500 0x02, 0x00, 0x0a, 0x00, 0x2f, 0x00, 0x35, 0x00, 0x8c, 0x00, 0x8d, 0x00,
5501 0x9c, 0x00, 0x9d, 0x13, 0x01, 0x13, 0x02, 0x13, 0x03, 0xc0, 0x09, 0xc0,
5502 0x0a, 0xc0, 0x13, 0xc0, 0x14, 0xc0, 0x2b, 0xc0, 0x2c, 0xc0, 0x2f, 0xc0,
5503 0x30, 0xc0, 0x35, 0xc0, 0x36, 0xcc, 0xa8, 0xcc, 0xa9, 0xcc, 0xac, 0x04,
5504 0x02, 0x00, 0x17,
5505 };
5506
5507 // The zero length means that the default list of groups is used.
5508 EXPECT_EQ(0u, server->config->supported_group_list.size());
5509 ASSERT_TRUE(
5510 SSL_apply_handoff(server.get(), {handoff, OPENSSL_ARRAY_SIZE(handoff)}));
5511 EXPECT_EQ(1u, server->config->supported_group_list.size());
5512 }
5513
TEST(SSLTest,ZeroSizedWiteFlushesHandshakeMessages)5514 TEST(SSLTest, ZeroSizedWiteFlushesHandshakeMessages) {
5515 // If there are pending handshake mesages, an |SSL_write| of zero bytes should
5516 // flush them.
5517 bssl::UniquePtr<SSL_CTX> server_ctx(
5518 CreateContextWithTestCertificate(TLS_method()));
5519 ASSERT_TRUE(server_ctx);
5520 EXPECT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
5521 EXPECT_TRUE(SSL_CTX_set_min_proto_version(server_ctx.get(), TLS1_3_VERSION));
5522
5523 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
5524 ASSERT_TRUE(client_ctx);
5525 EXPECT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION));
5526 EXPECT_TRUE(SSL_CTX_set_min_proto_version(client_ctx.get(), TLS1_3_VERSION));
5527
5528 bssl::UniquePtr<SSL> client, server;
5529 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
5530 server_ctx.get()));
5531
5532 BIO *client_wbio = SSL_get_wbio(client.get());
5533 EXPECT_EQ(0u, BIO_wpending(client_wbio));
5534 EXPECT_TRUE(SSL_key_update(client.get(), SSL_KEY_UPDATE_NOT_REQUESTED));
5535 EXPECT_EQ(0u, BIO_wpending(client_wbio));
5536 EXPECT_EQ(0, SSL_write(client.get(), nullptr, 0));
5537 EXPECT_NE(0u, BIO_wpending(client_wbio));
5538 }
5539
TEST_P(SSLVersionTest,VerifyBeforeCertRequest)5540 TEST_P(SSLVersionTest, VerifyBeforeCertRequest) {
5541 // Configure the server to request client certificates.
5542 SSL_CTX_set_custom_verify(
5543 server_ctx_.get(), SSL_VERIFY_PEER,
5544 [](SSL *ssl, uint8_t *out_alert) { return ssl_verify_ok; });
5545
5546 // Configure the client to reject the server certificate.
5547 SSL_CTX_set_custom_verify(
5548 client_ctx_.get(), SSL_VERIFY_PEER,
5549 [](SSL *ssl, uint8_t *out_alert) { return ssl_verify_invalid; });
5550
5551 // cert_cb should not be called. Verification should fail first.
5552 SSL_CTX_set_cert_cb(client_ctx_.get(),
5553 [](SSL *ssl, void *arg) {
5554 ADD_FAILURE() << "cert_cb unexpectedly called";
5555 return 0;
5556 },
5557 nullptr);
5558
5559 bssl::UniquePtr<SSL> client, server;
5560 EXPECT_FALSE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
5561 server_ctx_.get()));
5562 }
5563
5564 // Test that ticket-based sessions on the client get fake session IDs.
TEST_P(SSLVersionTest,FakeIDsForTickets)5565 TEST_P(SSLVersionTest, FakeIDsForTickets) {
5566 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
5567 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
5568
5569 bssl::UniquePtr<SSL_SESSION> session =
5570 CreateClientSession(client_ctx_.get(), server_ctx_.get());
5571 ASSERT_TRUE(session);
5572
5573 EXPECT_TRUE(SSL_SESSION_has_ticket(session.get()));
5574 unsigned session_id_length;
5575 SSL_SESSION_get_id(session.get(), &session_id_length);
5576 EXPECT_NE(session_id_length, 0u);
5577 }
5578
5579 // These tests test multi-threaded behavior. They are intended to run with
5580 // ThreadSanitizer.
5581 #if defined(OPENSSL_THREADS)
TEST_P(SSLVersionTest,SessionCacheThreads)5582 TEST_P(SSLVersionTest, SessionCacheThreads) {
5583 SSL_CTX_set_options(server_ctx_.get(), SSL_OP_NO_TICKET);
5584 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
5585 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
5586
5587 if (version() == TLS1_3_VERSION) {
5588 // Our TLS 1.3 implementation does not support stateful resumption.
5589 ASSERT_FALSE(CreateClientSession(client_ctx_.get(), server_ctx_.get()));
5590 return;
5591 }
5592
5593 // Establish two client sessions to test with.
5594 bssl::UniquePtr<SSL_SESSION> session1 =
5595 CreateClientSession(client_ctx_.get(), server_ctx_.get());
5596 ASSERT_TRUE(session1);
5597 bssl::UniquePtr<SSL_SESSION> session2 =
5598 CreateClientSession(client_ctx_.get(), server_ctx_.get());
5599 ASSERT_TRUE(session2);
5600
5601 auto connect_with_session = [&](SSL_SESSION *session) {
5602 ClientConfig config;
5603 config.session = session;
5604 UniquePtr<SSL> client, server;
5605 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
5606 server_ctx_.get(), config));
5607 };
5608
5609 // Resume sessions in parallel with establishing new ones.
5610 {
5611 std::vector<std::thread> threads;
5612 threads.emplace_back([&] { connect_with_session(nullptr); });
5613 threads.emplace_back([&] { connect_with_session(nullptr); });
5614 threads.emplace_back([&] { connect_with_session(session1.get()); });
5615 threads.emplace_back([&] { connect_with_session(session1.get()); });
5616 threads.emplace_back([&] { connect_with_session(session2.get()); });
5617 threads.emplace_back([&] { connect_with_session(session2.get()); });
5618 for (auto &thread : threads) {
5619 thread.join();
5620 }
5621 }
5622
5623 // Hit the maximum session cache size across multiple threads, to test the
5624 // size enforcement logic.
5625 size_t limit = SSL_CTX_sess_number(server_ctx_.get()) + 2;
5626 SSL_CTX_sess_set_cache_size(server_ctx_.get(), limit);
5627 {
5628 std::vector<std::thread> threads;
5629 for (int i = 0; i < 4; i++) {
5630 threads.emplace_back([&]() {
5631 connect_with_session(nullptr);
5632 EXPECT_LE(SSL_CTX_sess_number(server_ctx_.get()), limit);
5633 });
5634 }
5635 for (auto &thread : threads) {
5636 thread.join();
5637 }
5638 EXPECT_EQ(SSL_CTX_sess_number(server_ctx_.get()), limit);
5639 }
5640
5641 // Reset the session cache, this time with a mock clock.
5642 ASSERT_NO_FATAL_FAILURE(ResetContexts());
5643 SSL_CTX_set_options(server_ctx_.get(), SSL_OP_NO_TICKET);
5644 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
5645 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
5646 SSL_CTX_set_current_time_cb(server_ctx_.get(), CurrentTimeCallback);
5647
5648 // Make some sessions at an arbitrary start time. Then expire them.
5649 g_current_time.tv_sec = 1000;
5650 bssl::UniquePtr<SSL_SESSION> expired_session1 =
5651 CreateClientSession(client_ctx_.get(), server_ctx_.get());
5652 ASSERT_TRUE(expired_session1);
5653 bssl::UniquePtr<SSL_SESSION> expired_session2 =
5654 CreateClientSession(client_ctx_.get(), server_ctx_.get());
5655 ASSERT_TRUE(expired_session2);
5656 g_current_time.tv_sec += 100 * SSL_DEFAULT_SESSION_TIMEOUT;
5657
5658 session1 = CreateClientSession(client_ctx_.get(), server_ctx_.get());
5659 ASSERT_TRUE(session1);
5660
5661 // Every 256 connections, we flush stale sessions from the session cache. Test
5662 // this logic is correctly synchronized with other connection attempts.
5663 static const int kNumConnections = 256;
5664 {
5665 std::vector<std::thread> threads;
5666 threads.emplace_back([&] {
5667 for (int i = 0; i < kNumConnections; i++) {
5668 connect_with_session(nullptr);
5669 }
5670 });
5671 threads.emplace_back([&] {
5672 for (int i = 0; i < kNumConnections; i++) {
5673 connect_with_session(nullptr);
5674 }
5675 });
5676 threads.emplace_back([&] {
5677 // Never connect with |expired_session2|. The session cache eagerly
5678 // removes expired sessions when it sees them. Leaving |expired_session2|
5679 // untouched ensures it is instead cleared by periodic flushing.
5680 for (int i = 0; i < kNumConnections; i++) {
5681 connect_with_session(expired_session1.get());
5682 }
5683 });
5684 threads.emplace_back([&] {
5685 for (int i = 0; i < kNumConnections; i++) {
5686 connect_with_session(session1.get());
5687 }
5688 });
5689 for (auto &thread : threads) {
5690 thread.join();
5691 }
5692 }
5693 }
5694
TEST_P(SSLVersionTest,SessionTicketThreads)5695 TEST_P(SSLVersionTest, SessionTicketThreads) {
5696 for (bool renew_ticket : {false, true}) {
5697 SCOPED_TRACE(renew_ticket);
5698 ASSERT_NO_FATAL_FAILURE(ResetContexts());
5699 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
5700 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
5701 if (renew_ticket) {
5702 SSL_CTX_set_tlsext_ticket_key_cb(server_ctx_.get(), RenewTicketCallback);
5703 }
5704
5705 // Establish two client sessions to test with.
5706 bssl::UniquePtr<SSL_SESSION> session1 =
5707 CreateClientSession(client_ctx_.get(), server_ctx_.get());
5708 ASSERT_TRUE(session1);
5709 bssl::UniquePtr<SSL_SESSION> session2 =
5710 CreateClientSession(client_ctx_.get(), server_ctx_.get());
5711 ASSERT_TRUE(session2);
5712
5713 auto connect_with_session = [&](SSL_SESSION *session) {
5714 ClientConfig config;
5715 config.session = session;
5716 UniquePtr<SSL> client, server;
5717 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
5718 server_ctx_.get(), config));
5719 };
5720
5721 // Resume sessions in parallel with establishing new ones.
5722 {
5723 std::vector<std::thread> threads;
5724 threads.emplace_back([&] { connect_with_session(nullptr); });
5725 threads.emplace_back([&] { connect_with_session(nullptr); });
5726 threads.emplace_back([&] { connect_with_session(session1.get()); });
5727 threads.emplace_back([&] { connect_with_session(session1.get()); });
5728 threads.emplace_back([&] { connect_with_session(session2.get()); });
5729 threads.emplace_back([&] { connect_with_session(session2.get()); });
5730 for (auto &thread : threads) {
5731 thread.join();
5732 }
5733 }
5734 }
5735 }
5736
5737 // SSL_CTX_get0_certificate needs to lock internally. Test this works.
TEST(SSLTest,GetCertificateThreads)5738 TEST(SSLTest, GetCertificateThreads) {
5739 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
5740 ASSERT_TRUE(ctx);
5741 bssl::UniquePtr<X509> cert = GetTestCertificate();
5742 ASSERT_TRUE(cert);
5743 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), cert.get()));
5744
5745 // Existing code expects |SSL_CTX_get0_certificate| to be callable from two
5746 // threads concurrently. It originally was an immutable operation. Now we
5747 // implement it with a thread-safe cache, so it is worth testing.
5748 X509 *cert2_thread;
5749 std::thread thread(
5750 [&] { cert2_thread = SSL_CTX_get0_certificate(ctx.get()); });
5751 X509 *cert2 = SSL_CTX_get0_certificate(ctx.get());
5752 thread.join();
5753
5754 ASSERT_TRUE(cert2);
5755 ASSERT_TRUE(cert2_thread);
5756 EXPECT_EQ(cert2, cert2_thread);
5757 EXPECT_EQ(0, X509_cmp(cert.get(), cert2));
5758 }
5759
5760 // Functions which access properties on the negotiated session are thread-safe
5761 // where needed. Prior to TLS 1.3, clients resuming sessions and servers
5762 // performing stateful resumption will share an underlying SSL_SESSION object,
5763 // potentially across threads.
TEST_P(SSLVersionTest,SessionPropertiesThreads)5764 TEST_P(SSLVersionTest, SessionPropertiesThreads) {
5765 if (version() == TLS1_3_VERSION) {
5766 // Our TLS 1.3 implementation does not support stateful resumption.
5767 ASSERT_FALSE(CreateClientSession(client_ctx_.get(), server_ctx_.get()));
5768 return;
5769 }
5770
5771 SSL_CTX_set_options(server_ctx_.get(), SSL_OP_NO_TICKET);
5772 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
5773 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
5774
5775 ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
5776 ASSERT_TRUE(UseCertAndKey(server_ctx_.get()));
5777
5778 // Configure mutual authentication, so we have more session state.
5779 SSL_CTX_set_custom_verify(
5780 client_ctx_.get(), SSL_VERIFY_PEER,
5781 [](SSL *ssl, uint8_t *out_alert) { return ssl_verify_ok; });
5782 SSL_CTX_set_custom_verify(
5783 server_ctx_.get(), SSL_VERIFY_PEER,
5784 [](SSL *ssl, uint8_t *out_alert) { return ssl_verify_ok; });
5785
5786 // Establish a client session to test with.
5787 bssl::UniquePtr<SSL_SESSION> session =
5788 CreateClientSession(client_ctx_.get(), server_ctx_.get());
5789 ASSERT_TRUE(session);
5790
5791 // Resume with it twice.
5792 UniquePtr<SSL> ssls[4];
5793 ClientConfig config;
5794 config.session = session.get();
5795 ASSERT_TRUE(ConnectClientAndServer(&ssls[0], &ssls[1], client_ctx_.get(),
5796 server_ctx_.get(), config));
5797 ASSERT_TRUE(ConnectClientAndServer(&ssls[2], &ssls[3], client_ctx_.get(),
5798 server_ctx_.get(), config));
5799
5800 // Read properties in parallel.
5801 auto read_properties = [](const SSL *ssl) {
5802 EXPECT_TRUE(SSL_get_peer_cert_chain(ssl));
5803 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(ssl));
5804 EXPECT_TRUE(peer);
5805 EXPECT_TRUE(SSL_get_current_cipher(ssl));
5806 EXPECT_TRUE(SSL_get_curve_id(ssl));
5807 };
5808
5809 std::vector<std::thread> threads;
5810 for (const auto &ssl_ptr : ssls) {
5811 const SSL *ssl = ssl_ptr.get();
5812 threads.emplace_back([=] { read_properties(ssl); });
5813 }
5814 for (auto &thread : threads) {
5815 thread.join();
5816 }
5817 }
5818 #endif // OPENSSL_THREADS
5819
5820 constexpr size_t kNumQUICLevels = 4;
5821 static_assert(ssl_encryption_initial < kNumQUICLevels,
5822 "kNumQUICLevels is wrong");
5823 static_assert(ssl_encryption_early_data < kNumQUICLevels,
5824 "kNumQUICLevels is wrong");
5825 static_assert(ssl_encryption_handshake < kNumQUICLevels,
5826 "kNumQUICLevels is wrong");
5827 static_assert(ssl_encryption_application < kNumQUICLevels,
5828 "kNumQUICLevels is wrong");
5829
LevelToString(ssl_encryption_level_t level)5830 const char *LevelToString(ssl_encryption_level_t level) {
5831 switch (level) {
5832 case ssl_encryption_initial:
5833 return "initial";
5834 case ssl_encryption_early_data:
5835 return "early data";
5836 case ssl_encryption_handshake:
5837 return "handshake";
5838 case ssl_encryption_application:
5839 return "application";
5840 }
5841 return "<unknown>";
5842 }
5843
5844 class MockQUICTransport {
5845 public:
5846 enum class Role { kClient, kServer };
5847
MockQUICTransport(Role role)5848 explicit MockQUICTransport(Role role) : role_(role) {
5849 // The caller is expected to configure initial secrets.
5850 levels_[ssl_encryption_initial].write_secret = {1};
5851 levels_[ssl_encryption_initial].read_secret = {1};
5852 }
5853
set_peer(MockQUICTransport * peer)5854 void set_peer(MockQUICTransport *peer) { peer_ = peer; }
5855
has_alert() const5856 bool has_alert() const { return has_alert_; }
alert_level() const5857 ssl_encryption_level_t alert_level() const { return alert_level_; }
alert() const5858 uint8_t alert() const { return alert_; }
5859
PeerSecretsMatch(ssl_encryption_level_t level) const5860 bool PeerSecretsMatch(ssl_encryption_level_t level) const {
5861 return levels_[level].write_secret == peer_->levels_[level].read_secret &&
5862 levels_[level].read_secret == peer_->levels_[level].write_secret &&
5863 levels_[level].cipher == peer_->levels_[level].cipher;
5864 }
5865
HasReadSecret(ssl_encryption_level_t level) const5866 bool HasReadSecret(ssl_encryption_level_t level) const {
5867 return !levels_[level].read_secret.empty();
5868 }
5869
HasWriteSecret(ssl_encryption_level_t level) const5870 bool HasWriteSecret(ssl_encryption_level_t level) const {
5871 return !levels_[level].write_secret.empty();
5872 }
5873
AllowOutOfOrderWrites()5874 void AllowOutOfOrderWrites() { allow_out_of_order_writes_ = true; }
5875
SetReadSecret(ssl_encryption_level_t level,const SSL_CIPHER * cipher,Span<const uint8_t> secret)5876 bool SetReadSecret(ssl_encryption_level_t level, const SSL_CIPHER *cipher,
5877 Span<const uint8_t> secret) {
5878 if (HasReadSecret(level)) {
5879 ADD_FAILURE() << LevelToString(level) << " read secret configured twice";
5880 return false;
5881 }
5882
5883 if (role_ == Role::kClient && level == ssl_encryption_early_data) {
5884 ADD_FAILURE() << "Unexpected early data read secret";
5885 return false;
5886 }
5887
5888 ssl_encryption_level_t ack_level =
5889 level == ssl_encryption_early_data ? ssl_encryption_application : level;
5890 if (!HasWriteSecret(ack_level)) {
5891 ADD_FAILURE() << LevelToString(level)
5892 << " read secret configured before ACK write secret";
5893 return false;
5894 }
5895
5896 if (cipher == nullptr) {
5897 ADD_FAILURE() << "Unexpected null cipher";
5898 return false;
5899 }
5900
5901 if (level != ssl_encryption_early_data &&
5902 SSL_CIPHER_get_id(cipher) != levels_[level].cipher) {
5903 ADD_FAILURE() << "Cipher suite inconsistent";
5904 return false;
5905 }
5906
5907 levels_[level].read_secret.assign(secret.begin(), secret.end());
5908 levels_[level].cipher = SSL_CIPHER_get_id(cipher);
5909 return true;
5910 }
5911
SetWriteSecret(ssl_encryption_level_t level,const SSL_CIPHER * cipher,Span<const uint8_t> secret)5912 bool SetWriteSecret(ssl_encryption_level_t level, const SSL_CIPHER *cipher,
5913 Span<const uint8_t> secret) {
5914 if (HasWriteSecret(level)) {
5915 ADD_FAILURE() << LevelToString(level) << " write secret configured twice";
5916 return false;
5917 }
5918
5919 if (role_ == Role::kServer && level == ssl_encryption_early_data) {
5920 ADD_FAILURE() << "Unexpected early data write secret";
5921 return false;
5922 }
5923
5924 if (cipher == nullptr) {
5925 ADD_FAILURE() << "Unexpected null cipher";
5926 return false;
5927 }
5928
5929 levels_[level].write_secret.assign(secret.begin(), secret.end());
5930 levels_[level].cipher = SSL_CIPHER_get_id(cipher);
5931 return true;
5932 }
5933
WriteHandshakeData(ssl_encryption_level_t level,Span<const uint8_t> data)5934 bool WriteHandshakeData(ssl_encryption_level_t level,
5935 Span<const uint8_t> data) {
5936 if (levels_[level].write_secret.empty()) {
5937 ADD_FAILURE() << LevelToString(level)
5938 << " write secret not yet configured";
5939 return false;
5940 }
5941
5942 // Although the levels are conceptually separate, BoringSSL finishes writing
5943 // data from a previous level before installing keys for the next level.
5944 if (!allow_out_of_order_writes_) {
5945 switch (level) {
5946 case ssl_encryption_early_data:
5947 ADD_FAILURE() << "unexpected handshake data at early data level";
5948 return false;
5949 case ssl_encryption_initial:
5950 if (!levels_[ssl_encryption_handshake].write_secret.empty()) {
5951 ADD_FAILURE()
5952 << LevelToString(level)
5953 << " handshake data written after handshake keys installed";
5954 return false;
5955 }
5956 OPENSSL_FALLTHROUGH;
5957 case ssl_encryption_handshake:
5958 if (!levels_[ssl_encryption_application].write_secret.empty()) {
5959 ADD_FAILURE()
5960 << LevelToString(level)
5961 << " handshake data written after application keys installed";
5962 return false;
5963 }
5964 OPENSSL_FALLTHROUGH;
5965 case ssl_encryption_application:
5966 break;
5967 }
5968 }
5969
5970 levels_[level].write_data.insert(levels_[level].write_data.end(),
5971 data.begin(), data.end());
5972 return true;
5973 }
5974
SendAlert(ssl_encryption_level_t level,uint8_t alert_value)5975 bool SendAlert(ssl_encryption_level_t level, uint8_t alert_value) {
5976 if (has_alert_) {
5977 ADD_FAILURE() << "duplicate alert sent";
5978 return false;
5979 }
5980
5981 if (levels_[level].write_secret.empty()) {
5982 ADD_FAILURE() << LevelToString(level)
5983 << " write secret not yet configured";
5984 return false;
5985 }
5986
5987 has_alert_ = true;
5988 alert_level_ = level;
5989 alert_ = alert_value;
5990 return true;
5991 }
5992
ReadHandshakeData(std::vector<uint8_t> * out,ssl_encryption_level_t level,size_t num=std::numeric_limits<size_t>::max ())5993 bool ReadHandshakeData(std::vector<uint8_t> *out,
5994 ssl_encryption_level_t level,
5995 size_t num = std::numeric_limits<size_t>::max()) {
5996 if (levels_[level].read_secret.empty()) {
5997 ADD_FAILURE() << "data read before keys configured in level " << level;
5998 return false;
5999 }
6000 // The peer may not have configured any keys yet.
6001 if (peer_->levels_[level].write_secret.empty()) {
6002 out->clear();
6003 return true;
6004 }
6005 // Check the peer computed the same key.
6006 if (peer_->levels_[level].write_secret != levels_[level].read_secret) {
6007 ADD_FAILURE() << "peer write key does not match read key in level "
6008 << level;
6009 return false;
6010 }
6011 if (peer_->levels_[level].cipher != levels_[level].cipher) {
6012 ADD_FAILURE() << "peer cipher does not match in level " << level;
6013 return false;
6014 }
6015 std::vector<uint8_t> *peer_data = &peer_->levels_[level].write_data;
6016 num = std::min(num, peer_data->size());
6017 out->assign(peer_data->begin(), peer_data->begin() + num);
6018 peer_data->erase(peer_data->begin(), peer_data->begin() + num);
6019 return true;
6020 }
6021
6022 private:
6023 Role role_;
6024 MockQUICTransport *peer_ = nullptr;
6025
6026 bool allow_out_of_order_writes_ = false;
6027 bool has_alert_ = false;
6028 ssl_encryption_level_t alert_level_ = ssl_encryption_initial;
6029 uint8_t alert_ = 0;
6030
6031 struct Level {
6032 std::vector<uint8_t> write_data;
6033 std::vector<uint8_t> write_secret;
6034 std::vector<uint8_t> read_secret;
6035 uint32_t cipher = 0;
6036 };
6037 Level levels_[kNumQUICLevels];
6038 };
6039
6040 class MockQUICTransportPair {
6041 public:
MockQUICTransportPair()6042 MockQUICTransportPair()
6043 : client_(MockQUICTransport::Role::kClient),
6044 server_(MockQUICTransport::Role::kServer) {
6045 client_.set_peer(&server_);
6046 server_.set_peer(&client_);
6047 }
6048
~MockQUICTransportPair()6049 ~MockQUICTransportPair() {
6050 client_.set_peer(nullptr);
6051 server_.set_peer(nullptr);
6052 }
6053
client()6054 MockQUICTransport *client() { return &client_; }
server()6055 MockQUICTransport *server() { return &server_; }
6056
SecretsMatch(ssl_encryption_level_t level) const6057 bool SecretsMatch(ssl_encryption_level_t level) const {
6058 // We only need to check |HasReadSecret| and |HasWriteSecret| on |client_|.
6059 // |PeerSecretsMatch| checks that |server_| is analogously configured.
6060 return client_.PeerSecretsMatch(level) &&
6061 client_.HasWriteSecret(level) &&
6062 (level == ssl_encryption_early_data || client_.HasReadSecret(level));
6063 }
6064
6065 private:
6066 MockQUICTransport client_;
6067 MockQUICTransport server_;
6068 };
6069
6070 class QUICMethodTest : public testing::Test {
6071 protected:
SetUp()6072 void SetUp() override {
6073 client_ctx_.reset(SSL_CTX_new(TLS_method()));
6074 server_ctx_ = CreateContextWithTestCertificate(TLS_method());
6075 ASSERT_TRUE(client_ctx_);
6076 ASSERT_TRUE(server_ctx_);
6077
6078 SSL_CTX_set_min_proto_version(server_ctx_.get(), TLS1_3_VERSION);
6079 SSL_CTX_set_max_proto_version(server_ctx_.get(), TLS1_3_VERSION);
6080 SSL_CTX_set_min_proto_version(client_ctx_.get(), TLS1_3_VERSION);
6081 SSL_CTX_set_max_proto_version(client_ctx_.get(), TLS1_3_VERSION);
6082
6083 static const uint8_t kALPNProtos[] = {0x03, 'f', 'o', 'o'};
6084 ASSERT_EQ(SSL_CTX_set_alpn_protos(client_ctx_.get(), kALPNProtos,
6085 sizeof(kALPNProtos)),
6086 0);
6087 SSL_CTX_set_alpn_select_cb(
6088 server_ctx_.get(),
6089 [](SSL *ssl, const uint8_t **out, uint8_t *out_len, const uint8_t *in,
6090 unsigned in_len, void *arg) -> int {
6091 return SSL_select_next_proto(
6092 const_cast<uint8_t **>(out), out_len, in, in_len,
6093 kALPNProtos, sizeof(kALPNProtos)) == OPENSSL_NPN_NEGOTIATED
6094 ? SSL_TLSEXT_ERR_OK
6095 : SSL_TLSEXT_ERR_NOACK;
6096 },
6097 nullptr);
6098 }
6099
TransportFromSSL(const SSL * ssl)6100 static MockQUICTransport *TransportFromSSL(const SSL *ssl) {
6101 return ex_data_.Get(ssl);
6102 }
6103
ProvideHandshakeData(SSL * ssl,size_t num=std::numeric_limits<size_t>::max ())6104 static bool ProvideHandshakeData(
6105 SSL *ssl, size_t num = std::numeric_limits<size_t>::max()) {
6106 MockQUICTransport *transport = TransportFromSSL(ssl);
6107 ssl_encryption_level_t level = SSL_quic_read_level(ssl);
6108 std::vector<uint8_t> data;
6109 return transport->ReadHandshakeData(&data, level, num) &&
6110 SSL_provide_quic_data(ssl, level, data.data(), data.size());
6111 }
6112
AllowOutOfOrderWrites()6113 void AllowOutOfOrderWrites() {
6114 allow_out_of_order_writes_ = true;
6115 }
6116
CreateClientAndServer()6117 bool CreateClientAndServer() {
6118 client_.reset(SSL_new(client_ctx_.get()));
6119 server_.reset(SSL_new(server_ctx_.get()));
6120 if (!client_ || !server_) {
6121 return false;
6122 }
6123
6124 SSL_set_connect_state(client_.get());
6125 SSL_set_accept_state(server_.get());
6126
6127 transport_.reset(new MockQUICTransportPair);
6128 if (!ex_data_.Set(client_.get(), transport_->client()) ||
6129 !ex_data_.Set(server_.get(), transport_->server())) {
6130 return false;
6131 }
6132 if (allow_out_of_order_writes_) {
6133 transport_->client()->AllowOutOfOrderWrites();
6134 transport_->server()->AllowOutOfOrderWrites();
6135 }
6136 static const uint8_t client_transport_params[] = {0};
6137 if (!SSL_set_quic_transport_params(client_.get(), client_transport_params,
6138 sizeof(client_transport_params)) ||
6139 !SSL_set_quic_transport_params(server_.get(),
6140 server_transport_params_.data(),
6141 server_transport_params_.size()) ||
6142 !SSL_set_quic_early_data_context(
6143 server_.get(), server_quic_early_data_context_.data(),
6144 server_quic_early_data_context_.size())) {
6145 return false;
6146 }
6147 return true;
6148 }
6149
6150 enum class ExpectedError {
6151 kNoError,
6152 kClientError,
6153 kServerError,
6154 };
6155
6156 // CompleteHandshakesForQUIC runs |SSL_do_handshake| on |client_| and
6157 // |server_| until each completes once. It returns true on success and false
6158 // on failure.
CompleteHandshakesForQUIC()6159 bool CompleteHandshakesForQUIC() {
6160 return RunQUICHandshakesAndExpectError(ExpectedError::kNoError);
6161 }
6162
6163 // Runs |SSL_do_handshake| on |client_| and |server_| until each completes
6164 // once. If |expect_client_error| is true, it will return true only if the
6165 // client handshake failed. Otherwise, it returns true if both handshakes
6166 // succeed and false otherwise.
RunQUICHandshakesAndExpectError(ExpectedError expected_error)6167 bool RunQUICHandshakesAndExpectError(ExpectedError expected_error) {
6168 bool client_done = false, server_done = false;
6169 while (!client_done || !server_done) {
6170 if (!client_done) {
6171 if (!ProvideHandshakeData(client_.get())) {
6172 ADD_FAILURE() << "ProvideHandshakeData(client_) failed";
6173 return false;
6174 }
6175 int client_ret = SSL_do_handshake(client_.get());
6176 int client_err = SSL_get_error(client_.get(), client_ret);
6177 if (client_ret == 1) {
6178 client_done = true;
6179 } else if (client_ret != -1 || client_err != SSL_ERROR_WANT_READ) {
6180 if (expected_error == ExpectedError::kClientError) {
6181 return true;
6182 }
6183 ADD_FAILURE() << "Unexpected client output: " << client_ret << " "
6184 << client_err;
6185 return false;
6186 }
6187 }
6188
6189 if (!server_done) {
6190 if (!ProvideHandshakeData(server_.get())) {
6191 ADD_FAILURE() << "ProvideHandshakeData(server_) failed";
6192 return false;
6193 }
6194 int server_ret = SSL_do_handshake(server_.get());
6195 int server_err = SSL_get_error(server_.get(), server_ret);
6196 if (server_ret == 1) {
6197 server_done = true;
6198 } else if (server_ret != -1 || server_err != SSL_ERROR_WANT_READ) {
6199 if (expected_error == ExpectedError::kServerError) {
6200 return true;
6201 }
6202 ADD_FAILURE() << "Unexpected server output: " << server_ret << " "
6203 << server_err;
6204 return false;
6205 }
6206 }
6207 }
6208 return expected_error == ExpectedError::kNoError;
6209 }
6210
CreateClientSessionForQUIC()6211 bssl::UniquePtr<SSL_SESSION> CreateClientSessionForQUIC() {
6212 g_last_session = nullptr;
6213 SSL_CTX_sess_set_new_cb(client_ctx_.get(), SaveLastSession);
6214 if (!CreateClientAndServer() ||
6215 !CompleteHandshakesForQUIC()) {
6216 return nullptr;
6217 }
6218
6219 // The server sent NewSessionTicket messages in the handshake.
6220 if (!ProvideHandshakeData(client_.get()) ||
6221 !SSL_process_quic_post_handshake(client_.get())) {
6222 return nullptr;
6223 }
6224
6225 return std::move(g_last_session);
6226 }
6227
ExpectHandshakeSuccess()6228 void ExpectHandshakeSuccess() {
6229 EXPECT_TRUE(transport_->SecretsMatch(ssl_encryption_application));
6230 EXPECT_EQ(ssl_encryption_application, SSL_quic_read_level(client_.get()));
6231 EXPECT_EQ(ssl_encryption_application, SSL_quic_write_level(client_.get()));
6232 EXPECT_EQ(ssl_encryption_application, SSL_quic_read_level(server_.get()));
6233 EXPECT_EQ(ssl_encryption_application, SSL_quic_write_level(server_.get()));
6234 EXPECT_FALSE(transport_->client()->has_alert());
6235 EXPECT_FALSE(transport_->server()->has_alert());
6236
6237 // SSL_do_handshake is now idempotent.
6238 EXPECT_EQ(SSL_do_handshake(client_.get()), 1);
6239 EXPECT_EQ(SSL_do_handshake(server_.get()), 1);
6240 }
6241
6242 // Returns a default SSL_QUIC_METHOD. Individual methods may be overwritten by
6243 // the test.
DefaultQUICMethod()6244 SSL_QUIC_METHOD DefaultQUICMethod() {
6245 return SSL_QUIC_METHOD{
6246 SetReadSecretCallback, SetWriteSecretCallback, AddHandshakeDataCallback,
6247 FlushFlightCallback, SendAlertCallback,
6248 };
6249 }
6250
SetReadSecretCallback(SSL * ssl,ssl_encryption_level_t level,const SSL_CIPHER * cipher,const uint8_t * secret,size_t secret_len)6251 static int SetReadSecretCallback(SSL *ssl, ssl_encryption_level_t level,
6252 const SSL_CIPHER *cipher,
6253 const uint8_t *secret, size_t secret_len) {
6254 return TransportFromSSL(ssl)->SetReadSecret(
6255 level, cipher, MakeConstSpan(secret, secret_len));
6256 }
6257
SetWriteSecretCallback(SSL * ssl,ssl_encryption_level_t level,const SSL_CIPHER * cipher,const uint8_t * secret,size_t secret_len)6258 static int SetWriteSecretCallback(SSL *ssl, ssl_encryption_level_t level,
6259 const SSL_CIPHER *cipher,
6260 const uint8_t *secret, size_t secret_len) {
6261 return TransportFromSSL(ssl)->SetWriteSecret(
6262 level, cipher, MakeConstSpan(secret, secret_len));
6263 }
6264
AddHandshakeDataCallback(SSL * ssl,enum ssl_encryption_level_t level,const uint8_t * data,size_t len)6265 static int AddHandshakeDataCallback(SSL *ssl,
6266 enum ssl_encryption_level_t level,
6267 const uint8_t *data, size_t len) {
6268 EXPECT_EQ(level, SSL_quic_write_level(ssl));
6269 return TransportFromSSL(ssl)->WriteHandshakeData(level,
6270 MakeConstSpan(data, len));
6271 }
6272
FlushFlightCallback(SSL * ssl)6273 static int FlushFlightCallback(SSL *ssl) { return 1; }
6274
SendAlertCallback(SSL * ssl,ssl_encryption_level_t level,uint8_t alert)6275 static int SendAlertCallback(SSL *ssl, ssl_encryption_level_t level,
6276 uint8_t alert) {
6277 EXPECT_EQ(level, SSL_quic_write_level(ssl));
6278 return TransportFromSSL(ssl)->SendAlert(level, alert);
6279 }
6280
6281 bssl::UniquePtr<SSL_CTX> client_ctx_;
6282 bssl::UniquePtr<SSL_CTX> server_ctx_;
6283
6284 static UnownedSSLExData<MockQUICTransport> ex_data_;
6285 std::unique_ptr<MockQUICTransportPair> transport_;
6286
6287 bssl::UniquePtr<SSL> client_;
6288 bssl::UniquePtr<SSL> server_;
6289
6290 std::vector<uint8_t> server_transport_params_ = {1};
6291 std::vector<uint8_t> server_quic_early_data_context_ = {2};
6292
6293 bool allow_out_of_order_writes_ = false;
6294 };
6295
6296 UnownedSSLExData<MockQUICTransport> QUICMethodTest::ex_data_;
6297
6298 // Test a full handshake and resumption work.
TEST_F(QUICMethodTest,Basic)6299 TEST_F(QUICMethodTest, Basic) {
6300 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6301
6302 g_last_session = nullptr;
6303
6304 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6305 SSL_CTX_sess_set_new_cb(client_ctx_.get(), SaveLastSession);
6306 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6307 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6308
6309 ASSERT_TRUE(CreateClientAndServer());
6310 ASSERT_TRUE(CompleteHandshakesForQUIC());
6311
6312 ExpectHandshakeSuccess();
6313 EXPECT_FALSE(SSL_session_reused(client_.get()));
6314 EXPECT_FALSE(SSL_session_reused(server_.get()));
6315
6316 // The server sent NewSessionTicket messages in the handshake.
6317 EXPECT_FALSE(g_last_session);
6318 ASSERT_TRUE(ProvideHandshakeData(client_.get()));
6319 EXPECT_EQ(SSL_process_quic_post_handshake(client_.get()), 1);
6320 EXPECT_TRUE(g_last_session);
6321
6322 // Create a second connection to verify resumption works.
6323 ASSERT_TRUE(CreateClientAndServer());
6324 bssl::UniquePtr<SSL_SESSION> session = std::move(g_last_session);
6325 SSL_set_session(client_.get(), session.get());
6326
6327 ASSERT_TRUE(CompleteHandshakesForQUIC());
6328
6329 ExpectHandshakeSuccess();
6330 EXPECT_TRUE(SSL_session_reused(client_.get()));
6331 EXPECT_TRUE(SSL_session_reused(server_.get()));
6332 }
6333
6334 // Test that HelloRetryRequest in QUIC works.
TEST_F(QUICMethodTest,HelloRetryRequest)6335 TEST_F(QUICMethodTest, HelloRetryRequest) {
6336 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6337
6338 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6339 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6340
6341 // BoringSSL predicts the most preferred curve, so using different preferences
6342 // will trigger HelloRetryRequest.
6343 static const int kClientPrefs[] = {NID_X25519, NID_X9_62_prime256v1};
6344 ASSERT_TRUE(SSL_CTX_set1_curves(client_ctx_.get(), kClientPrefs,
6345 OPENSSL_ARRAY_SIZE(kClientPrefs)));
6346 static const int kServerPrefs[] = {NID_X9_62_prime256v1, NID_X25519};
6347 ASSERT_TRUE(SSL_CTX_set1_curves(server_ctx_.get(), kServerPrefs,
6348 OPENSSL_ARRAY_SIZE(kServerPrefs)));
6349
6350 ASSERT_TRUE(CreateClientAndServer());
6351 ASSERT_TRUE(CompleteHandshakesForQUIC());
6352 ExpectHandshakeSuccess();
6353 }
6354
6355 // Test that the client does not send a legacy_session_id in the ClientHello.
TEST_F(QUICMethodTest,NoLegacySessionId)6356 TEST_F(QUICMethodTest, NoLegacySessionId) {
6357 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6358
6359 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6360 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6361 // Check that the session ID length is 0 in an early callback.
6362 SSL_CTX_set_select_certificate_cb(
6363 server_ctx_.get(),
6364 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
6365 EXPECT_EQ(client_hello->session_id_len, 0u);
6366 return ssl_select_cert_success;
6367 });
6368
6369 ASSERT_TRUE(CreateClientAndServer());
6370 ASSERT_TRUE(CompleteHandshakesForQUIC());
6371
6372 ExpectHandshakeSuccess();
6373 }
6374
6375 // Test that, even in a 1-RTT handshake, the server installs keys at the right
6376 // time. Half-RTT keys are available early, but 1-RTT read keys are deferred.
TEST_F(QUICMethodTest,HalfRTTKeys)6377 TEST_F(QUICMethodTest, HalfRTTKeys) {
6378 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6379
6380 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6381 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6382 ASSERT_TRUE(CreateClientAndServer());
6383
6384 // The client sends ClientHello.
6385 ASSERT_EQ(SSL_do_handshake(client_.get()), -1);
6386 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(client_.get(), -1));
6387
6388 // The server reads ClientHello and sends ServerHello..Finished.
6389 ASSERT_TRUE(ProvideHandshakeData(server_.get()));
6390 ASSERT_EQ(SSL_do_handshake(server_.get()), -1);
6391 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(server_.get(), -1));
6392
6393 // At this point, the server has half-RTT write keys, but it cannot access
6394 // 1-RTT read keys until client Finished.
6395 EXPECT_TRUE(transport_->server()->HasWriteSecret(ssl_encryption_application));
6396 EXPECT_FALSE(transport_->server()->HasReadSecret(ssl_encryption_application));
6397
6398 // Finish up the client and server handshakes.
6399 ASSERT_TRUE(CompleteHandshakesForQUIC());
6400
6401 // Both sides can now exchange 1-RTT data.
6402 ExpectHandshakeSuccess();
6403 }
6404
TEST_F(QUICMethodTest,ZeroRTTAccept)6405 TEST_F(QUICMethodTest, ZeroRTTAccept) {
6406 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6407
6408 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6409 SSL_CTX_set_early_data_enabled(client_ctx_.get(), 1);
6410 SSL_CTX_set_early_data_enabled(server_ctx_.get(), 1);
6411 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6412 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6413
6414 bssl::UniquePtr<SSL_SESSION> session = CreateClientSessionForQUIC();
6415 ASSERT_TRUE(session);
6416
6417 ASSERT_TRUE(CreateClientAndServer());
6418 SSL_set_session(client_.get(), session.get());
6419
6420 // The client handshake should return immediately into the early data state.
6421 ASSERT_EQ(SSL_do_handshake(client_.get()), 1);
6422 EXPECT_TRUE(SSL_in_early_data(client_.get()));
6423 // The transport should have keys for sending 0-RTT data.
6424 EXPECT_TRUE(transport_->client()->HasWriteSecret(ssl_encryption_early_data));
6425
6426 // The server will consume the ClientHello and also enter the early data
6427 // state.
6428 ASSERT_TRUE(ProvideHandshakeData(server_.get()));
6429 ASSERT_EQ(SSL_do_handshake(server_.get()), 1);
6430 EXPECT_TRUE(SSL_in_early_data(server_.get()));
6431 EXPECT_TRUE(transport_->SecretsMatch(ssl_encryption_early_data));
6432 // At this point, the server has half-RTT write keys, but it cannot access
6433 // 1-RTT read keys until client Finished.
6434 EXPECT_TRUE(transport_->server()->HasWriteSecret(ssl_encryption_application));
6435 EXPECT_FALSE(transport_->server()->HasReadSecret(ssl_encryption_application));
6436
6437 // Finish up the client and server handshakes.
6438 ASSERT_TRUE(CompleteHandshakesForQUIC());
6439
6440 // Both sides can now exchange 1-RTT data.
6441 ExpectHandshakeSuccess();
6442 EXPECT_TRUE(SSL_session_reused(client_.get()));
6443 EXPECT_TRUE(SSL_session_reused(server_.get()));
6444 EXPECT_FALSE(SSL_in_early_data(client_.get()));
6445 EXPECT_FALSE(SSL_in_early_data(server_.get()));
6446 EXPECT_TRUE(SSL_early_data_accepted(client_.get()));
6447 EXPECT_TRUE(SSL_early_data_accepted(server_.get()));
6448
6449 // Finish handling post-handshake messages after the first 0-RTT resumption.
6450 EXPECT_TRUE(ProvideHandshakeData(client_.get()));
6451 EXPECT_TRUE(SSL_process_quic_post_handshake(client_.get()));
6452
6453 // Perform a second 0-RTT resumption attempt, and confirm that 0-RTT is
6454 // accepted again.
6455 ASSERT_TRUE(CreateClientAndServer());
6456 SSL_set_session(client_.get(), g_last_session.get());
6457
6458 // The client handshake should return immediately into the early data state.
6459 ASSERT_EQ(SSL_do_handshake(client_.get()), 1);
6460 EXPECT_TRUE(SSL_in_early_data(client_.get()));
6461 // The transport should have keys for sending 0-RTT data.
6462 EXPECT_TRUE(transport_->client()->HasWriteSecret(ssl_encryption_early_data));
6463
6464 // The server will consume the ClientHello and also enter the early data
6465 // state.
6466 ASSERT_TRUE(ProvideHandshakeData(server_.get()));
6467 ASSERT_EQ(SSL_do_handshake(server_.get()), 1);
6468 EXPECT_TRUE(SSL_in_early_data(server_.get()));
6469 EXPECT_TRUE(transport_->SecretsMatch(ssl_encryption_early_data));
6470 // At this point, the server has half-RTT write keys, but it cannot access
6471 // 1-RTT read keys until client Finished.
6472 EXPECT_TRUE(transport_->server()->HasWriteSecret(ssl_encryption_application));
6473 EXPECT_FALSE(transport_->server()->HasReadSecret(ssl_encryption_application));
6474
6475 // Finish up the client and server handshakes.
6476 ASSERT_TRUE(CompleteHandshakesForQUIC());
6477
6478 // Both sides can now exchange 1-RTT data.
6479 ExpectHandshakeSuccess();
6480 EXPECT_TRUE(SSL_session_reused(client_.get()));
6481 EXPECT_TRUE(SSL_session_reused(server_.get()));
6482 EXPECT_FALSE(SSL_in_early_data(client_.get()));
6483 EXPECT_FALSE(SSL_in_early_data(server_.get()));
6484 EXPECT_TRUE(SSL_early_data_accepted(client_.get()));
6485 EXPECT_TRUE(SSL_early_data_accepted(server_.get()));
6486 EXPECT_EQ(SSL_get_early_data_reason(client_.get()), ssl_early_data_accepted);
6487 EXPECT_EQ(SSL_get_early_data_reason(server_.get()), ssl_early_data_accepted);
6488 }
6489
TEST_F(QUICMethodTest,ZeroRTTRejectMismatchedParameters)6490 TEST_F(QUICMethodTest, ZeroRTTRejectMismatchedParameters) {
6491 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6492
6493 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6494 SSL_CTX_set_early_data_enabled(client_ctx_.get(), 1);
6495 SSL_CTX_set_early_data_enabled(server_ctx_.get(), 1);
6496 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6497 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6498
6499
6500 bssl::UniquePtr<SSL_SESSION> session = CreateClientSessionForQUIC();
6501 ASSERT_TRUE(session);
6502
6503 ASSERT_TRUE(CreateClientAndServer());
6504 static const uint8_t new_context[] = {4};
6505 ASSERT_TRUE(SSL_set_quic_early_data_context(server_.get(), new_context,
6506 sizeof(new_context)));
6507 SSL_set_session(client_.get(), session.get());
6508
6509 // The client handshake should return immediately into the early data
6510 // state.
6511 ASSERT_EQ(SSL_do_handshake(client_.get()), 1);
6512 EXPECT_TRUE(SSL_in_early_data(client_.get()));
6513 // The transport should have keys for sending 0-RTT data.
6514 EXPECT_TRUE(transport_->client()->HasWriteSecret(ssl_encryption_early_data));
6515
6516 // The server will consume the ClientHello, but it will not accept 0-RTT.
6517 ASSERT_TRUE(ProvideHandshakeData(server_.get()));
6518 ASSERT_EQ(SSL_do_handshake(server_.get()), -1);
6519 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(server_.get(), -1));
6520 EXPECT_FALSE(SSL_in_early_data(server_.get()));
6521 EXPECT_FALSE(transport_->server()->HasReadSecret(ssl_encryption_early_data));
6522
6523 // The client consumes the server response and signals 0-RTT rejection.
6524 for (;;) {
6525 ASSERT_TRUE(ProvideHandshakeData(client_.get()));
6526 ASSERT_EQ(-1, SSL_do_handshake(client_.get()));
6527 int err = SSL_get_error(client_.get(), -1);
6528 if (err == SSL_ERROR_EARLY_DATA_REJECTED) {
6529 break;
6530 }
6531 ASSERT_EQ(SSL_ERROR_WANT_READ, err);
6532 }
6533
6534 // As in TLS over TCP, 0-RTT rejection is sticky.
6535 ASSERT_EQ(-1, SSL_do_handshake(client_.get()));
6536 ASSERT_EQ(SSL_ERROR_EARLY_DATA_REJECTED, SSL_get_error(client_.get(), -1));
6537
6538 // Finish up the client and server handshakes.
6539 SSL_reset_early_data_reject(client_.get());
6540 ASSERT_TRUE(CompleteHandshakesForQUIC());
6541
6542 // Both sides can now exchange 1-RTT data.
6543 ExpectHandshakeSuccess();
6544 EXPECT_TRUE(SSL_session_reused(client_.get()));
6545 EXPECT_TRUE(SSL_session_reused(server_.get()));
6546 EXPECT_FALSE(SSL_in_early_data(client_.get()));
6547 EXPECT_FALSE(SSL_in_early_data(server_.get()));
6548 EXPECT_FALSE(SSL_early_data_accepted(client_.get()));
6549 EXPECT_FALSE(SSL_early_data_accepted(server_.get()));
6550 }
6551
TEST_F(QUICMethodTest,NoZeroRTTTicketWithoutEarlyDataContext)6552 TEST_F(QUICMethodTest, NoZeroRTTTicketWithoutEarlyDataContext) {
6553 server_quic_early_data_context_ = {};
6554 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6555
6556 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6557 SSL_CTX_set_early_data_enabled(client_ctx_.get(), 1);
6558 SSL_CTX_set_early_data_enabled(server_ctx_.get(), 1);
6559 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6560 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6561
6562 bssl::UniquePtr<SSL_SESSION> session = CreateClientSessionForQUIC();
6563 ASSERT_TRUE(session);
6564 EXPECT_FALSE(SSL_SESSION_early_data_capable(session.get()));
6565 }
6566
TEST_F(QUICMethodTest,ZeroRTTReject)6567 TEST_F(QUICMethodTest, ZeroRTTReject) {
6568 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6569
6570 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6571 SSL_CTX_set_early_data_enabled(client_ctx_.get(), 1);
6572 SSL_CTX_set_early_data_enabled(server_ctx_.get(), 1);
6573 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6574 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6575
6576 bssl::UniquePtr<SSL_SESSION> session = CreateClientSessionForQUIC();
6577 ASSERT_TRUE(session);
6578
6579 for (bool reject_hrr : {false, true}) {
6580 SCOPED_TRACE(reject_hrr);
6581
6582 ASSERT_TRUE(CreateClientAndServer());
6583 if (reject_hrr) {
6584 // Configure the server to prefer P-256, which will reject 0-RTT via
6585 // HelloRetryRequest.
6586 int p256 = NID_X9_62_prime256v1;
6587 ASSERT_TRUE(SSL_set1_curves(server_.get(), &p256, 1));
6588 } else {
6589 // Disable 0-RTT on the server, so it will reject it.
6590 SSL_set_early_data_enabled(server_.get(), 0);
6591 }
6592 SSL_set_session(client_.get(), session.get());
6593
6594 // The client handshake should return immediately into the early data state.
6595 ASSERT_EQ(SSL_do_handshake(client_.get()), 1);
6596 EXPECT_TRUE(SSL_in_early_data(client_.get()));
6597 // The transport should have keys for sending 0-RTT data.
6598 EXPECT_TRUE(
6599 transport_->client()->HasWriteSecret(ssl_encryption_early_data));
6600
6601 // The server will consume the ClientHello, but it will not accept 0-RTT.
6602 ASSERT_TRUE(ProvideHandshakeData(server_.get()));
6603 ASSERT_EQ(SSL_do_handshake(server_.get()), -1);
6604 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(server_.get(), -1));
6605 EXPECT_FALSE(SSL_in_early_data(server_.get()));
6606 EXPECT_FALSE(
6607 transport_->server()->HasReadSecret(ssl_encryption_early_data));
6608
6609 // The client consumes the server response and signals 0-RTT rejection.
6610 for (;;) {
6611 ASSERT_TRUE(ProvideHandshakeData(client_.get()));
6612 ASSERT_EQ(-1, SSL_do_handshake(client_.get()));
6613 int err = SSL_get_error(client_.get(), -1);
6614 if (err == SSL_ERROR_EARLY_DATA_REJECTED) {
6615 break;
6616 }
6617 ASSERT_EQ(SSL_ERROR_WANT_READ, err);
6618 }
6619
6620 // As in TLS over TCP, 0-RTT rejection is sticky.
6621 ASSERT_EQ(-1, SSL_do_handshake(client_.get()));
6622 ASSERT_EQ(SSL_ERROR_EARLY_DATA_REJECTED, SSL_get_error(client_.get(), -1));
6623
6624 // Finish up the client and server handshakes.
6625 SSL_reset_early_data_reject(client_.get());
6626 ASSERT_TRUE(CompleteHandshakesForQUIC());
6627
6628 // Both sides can now exchange 1-RTT data.
6629 ExpectHandshakeSuccess();
6630 EXPECT_TRUE(SSL_session_reused(client_.get()));
6631 EXPECT_TRUE(SSL_session_reused(server_.get()));
6632 EXPECT_FALSE(SSL_in_early_data(client_.get()));
6633 EXPECT_FALSE(SSL_in_early_data(server_.get()));
6634 EXPECT_FALSE(SSL_early_data_accepted(client_.get()));
6635 EXPECT_FALSE(SSL_early_data_accepted(server_.get()));
6636 }
6637 }
6638
TEST_F(QUICMethodTest,NoZeroRTTKeysBeforeReverify)6639 TEST_F(QUICMethodTest, NoZeroRTTKeysBeforeReverify) {
6640 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6641
6642 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6643 SSL_CTX_set_early_data_enabled(client_ctx_.get(), 1);
6644 SSL_CTX_set_reverify_on_resume(client_ctx_.get(), 1);
6645 SSL_CTX_set_early_data_enabled(server_ctx_.get(), 1);
6646 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6647 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6648
6649 bssl::UniquePtr<SSL_SESSION> session = CreateClientSessionForQUIC();
6650 ASSERT_TRUE(session);
6651
6652 ASSERT_TRUE(CreateClientAndServer());
6653 SSL_set_session(client_.get(), session.get());
6654
6655 // Configure the certificate (re)verification to never complete. The client
6656 // handshake should pause.
6657 SSL_set_custom_verify(
6658 client_.get(), SSL_VERIFY_PEER,
6659 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
6660 return ssl_verify_retry;
6661 });
6662 ASSERT_EQ(SSL_do_handshake(client_.get()), -1);
6663 ASSERT_EQ(SSL_get_error(client_.get(), -1),
6664 SSL_ERROR_WANT_CERTIFICATE_VERIFY);
6665
6666 // The early data keys have not yet been released.
6667 EXPECT_FALSE(transport_->client()->HasWriteSecret(ssl_encryption_early_data));
6668
6669 // After the verification completes, the handshake progresses to the 0-RTT
6670 // point and releases keys.
6671 SSL_set_custom_verify(
6672 client_.get(), SSL_VERIFY_PEER,
6673 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
6674 return ssl_verify_ok;
6675 });
6676 ASSERT_EQ(SSL_do_handshake(client_.get()), 1);
6677 EXPECT_TRUE(SSL_in_early_data(client_.get()));
6678 EXPECT_TRUE(transport_->client()->HasWriteSecret(ssl_encryption_early_data));
6679 }
6680
6681 // Test only releasing data to QUIC one byte at a time on request, to maximize
6682 // state machine pauses. Additionally, test that existing asynchronous callbacks
6683 // still work.
TEST_F(QUICMethodTest,Async)6684 TEST_F(QUICMethodTest, Async) {
6685 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6686
6687 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6688 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6689 ASSERT_TRUE(CreateClientAndServer());
6690
6691 // Install an asynchronous certificate callback.
6692 bool cert_cb_ok = false;
6693 SSL_set_cert_cb(server_.get(),
6694 [](SSL *, void *arg) -> int {
6695 return *static_cast<bool *>(arg) ? 1 : -1;
6696 },
6697 &cert_cb_ok);
6698
6699 for (;;) {
6700 int client_ret = SSL_do_handshake(client_.get());
6701 if (client_ret != 1) {
6702 ASSERT_EQ(client_ret, -1);
6703 ASSERT_EQ(SSL_get_error(client_.get(), client_ret), SSL_ERROR_WANT_READ);
6704 ASSERT_TRUE(ProvideHandshakeData(client_.get(), 1));
6705 }
6706
6707 int server_ret = SSL_do_handshake(server_.get());
6708 if (server_ret != 1) {
6709 ASSERT_EQ(server_ret, -1);
6710 int ssl_err = SSL_get_error(server_.get(), server_ret);
6711 switch (ssl_err) {
6712 case SSL_ERROR_WANT_READ:
6713 ASSERT_TRUE(ProvideHandshakeData(server_.get(), 1));
6714 break;
6715 case SSL_ERROR_WANT_X509_LOOKUP:
6716 ASSERT_FALSE(cert_cb_ok);
6717 cert_cb_ok = true;
6718 break;
6719 default:
6720 FAIL() << "Unexpected SSL_get_error result: " << ssl_err;
6721 }
6722 }
6723
6724 if (client_ret == 1 && server_ret == 1) {
6725 break;
6726 }
6727 }
6728
6729 ExpectHandshakeSuccess();
6730 }
6731
6732 // Test buffering write data until explicit flushes.
TEST_F(QUICMethodTest,Buffered)6733 TEST_F(QUICMethodTest, Buffered) {
6734 AllowOutOfOrderWrites();
6735
6736 struct BufferedFlight {
6737 std::vector<uint8_t> data[kNumQUICLevels];
6738 };
6739 static UnownedSSLExData<BufferedFlight> buffered_flights;
6740
6741 auto add_handshake_data = [](SSL *ssl, enum ssl_encryption_level_t level,
6742 const uint8_t *data, size_t len) -> int {
6743 BufferedFlight *flight = buffered_flights.Get(ssl);
6744 flight->data[level].insert(flight->data[level].end(), data, data + len);
6745 return 1;
6746 };
6747
6748 auto flush_flight = [](SSL *ssl) -> int {
6749 BufferedFlight *flight = buffered_flights.Get(ssl);
6750 for (size_t level = 0; level < kNumQUICLevels; level++) {
6751 if (!flight->data[level].empty()) {
6752 if (!TransportFromSSL(ssl)->WriteHandshakeData(
6753 static_cast<ssl_encryption_level_t>(level),
6754 flight->data[level])) {
6755 return 0;
6756 }
6757 flight->data[level].clear();
6758 }
6759 }
6760 return 1;
6761 };
6762
6763 SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6764 quic_method.add_handshake_data = add_handshake_data;
6765 quic_method.flush_flight = flush_flight;
6766
6767 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6768 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6769 ASSERT_TRUE(CreateClientAndServer());
6770
6771 BufferedFlight client_flight, server_flight;
6772 ASSERT_TRUE(buffered_flights.Set(client_.get(), &client_flight));
6773 ASSERT_TRUE(buffered_flights.Set(server_.get(), &server_flight));
6774
6775 ASSERT_TRUE(CompleteHandshakesForQUIC());
6776
6777 ExpectHandshakeSuccess();
6778 }
6779
6780 // Test that excess data at one level is rejected. That is, if a single
6781 // |SSL_provide_quic_data| call included both ServerHello and
6782 // EncryptedExtensions in a single chunk, BoringSSL notices and rejects this on
6783 // key change.
TEST_F(QUICMethodTest,ExcessProvidedData)6784 TEST_F(QUICMethodTest, ExcessProvidedData) {
6785 AllowOutOfOrderWrites();
6786
6787 auto add_handshake_data = [](SSL *ssl, enum ssl_encryption_level_t level,
6788 const uint8_t *data, size_t len) -> int {
6789 // Switch everything to the initial level.
6790 return TransportFromSSL(ssl)->WriteHandshakeData(ssl_encryption_initial,
6791 MakeConstSpan(data, len));
6792 };
6793
6794 SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6795 quic_method.add_handshake_data = add_handshake_data;
6796
6797 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6798 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6799 ASSERT_TRUE(CreateClientAndServer());
6800
6801 // Send the ClientHello and ServerHello through Finished.
6802 ASSERT_EQ(SSL_do_handshake(client_.get()), -1);
6803 ASSERT_EQ(SSL_get_error(client_.get(), -1), SSL_ERROR_WANT_READ);
6804 ASSERT_TRUE(ProvideHandshakeData(server_.get()));
6805 ASSERT_EQ(SSL_do_handshake(server_.get()), -1);
6806 ASSERT_EQ(SSL_get_error(server_.get(), -1), SSL_ERROR_WANT_READ);
6807
6808 // The client is still waiting for the ServerHello at initial
6809 // encryption.
6810 ASSERT_EQ(ssl_encryption_initial, SSL_quic_read_level(client_.get()));
6811
6812 // |add_handshake_data| incorrectly wrote everything at the initial level, so
6813 // this queues up ServerHello through Finished in one chunk.
6814 ASSERT_TRUE(ProvideHandshakeData(client_.get()));
6815
6816 // The client reads ServerHello successfully, but then rejects the buffered
6817 // EncryptedExtensions on key change.
6818 ASSERT_EQ(SSL_do_handshake(client_.get()), -1);
6819 ASSERT_EQ(SSL_get_error(client_.get(), -1), SSL_ERROR_SSL);
6820 uint32_t err = ERR_get_error();
6821 EXPECT_EQ(ERR_GET_LIB(err), ERR_LIB_SSL);
6822 EXPECT_EQ(ERR_GET_REASON(err), SSL_R_EXCESS_HANDSHAKE_DATA);
6823
6824 // The client sends an alert in response to this. The alert is sent at
6825 // handshake level because we install write secrets before read secrets and
6826 // the error is discovered when installing the read secret. (How to send
6827 // alerts on protocol syntax errors near key changes is ambiguous in general.)
6828 ASSERT_TRUE(transport_->client()->has_alert());
6829 EXPECT_EQ(transport_->client()->alert_level(), ssl_encryption_handshake);
6830 EXPECT_EQ(transport_->client()->alert(), SSL_AD_UNEXPECTED_MESSAGE);
6831
6832 // Sanity-check handshake secrets. The error is discovered while setting the
6833 // read secret, so only the write secret has been installed.
6834 EXPECT_TRUE(transport_->client()->HasWriteSecret(ssl_encryption_handshake));
6835 EXPECT_FALSE(transport_->client()->HasReadSecret(ssl_encryption_handshake));
6836 }
6837
6838 // Test that |SSL_provide_quic_data| will reject data at the wrong level.
TEST_F(QUICMethodTest,ProvideWrongLevel)6839 TEST_F(QUICMethodTest, ProvideWrongLevel) {
6840 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6841
6842 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6843 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6844 ASSERT_TRUE(CreateClientAndServer());
6845
6846 // Send the ClientHello and ServerHello through Finished.
6847 ASSERT_EQ(SSL_do_handshake(client_.get()), -1);
6848 ASSERT_EQ(SSL_get_error(client_.get(), -1), SSL_ERROR_WANT_READ);
6849 ASSERT_TRUE(ProvideHandshakeData(server_.get()));
6850 ASSERT_EQ(SSL_do_handshake(server_.get()), -1);
6851 ASSERT_EQ(SSL_get_error(server_.get(), -1), SSL_ERROR_WANT_READ);
6852
6853 // The client is still waiting for the ServerHello at initial
6854 // encryption.
6855 ASSERT_EQ(ssl_encryption_initial, SSL_quic_read_level(client_.get()));
6856
6857 // Data cannot be provided at the next level.
6858 std::vector<uint8_t> data;
6859 ASSERT_TRUE(
6860 transport_->client()->ReadHandshakeData(&data, ssl_encryption_initial));
6861 ASSERT_FALSE(SSL_provide_quic_data(client_.get(), ssl_encryption_handshake,
6862 data.data(), data.size()));
6863 ERR_clear_error();
6864
6865 // Progress to EncryptedExtensions.
6866 ASSERT_TRUE(SSL_provide_quic_data(client_.get(), ssl_encryption_initial,
6867 data.data(), data.size()));
6868 ASSERT_EQ(SSL_do_handshake(client_.get()), -1);
6869 ASSERT_EQ(SSL_get_error(client_.get(), -1), SSL_ERROR_WANT_READ);
6870 ASSERT_EQ(ssl_encryption_handshake, SSL_quic_read_level(client_.get()));
6871
6872 // Data cannot be provided at the previous level.
6873 ASSERT_TRUE(
6874 transport_->client()->ReadHandshakeData(&data, ssl_encryption_handshake));
6875 ASSERT_FALSE(SSL_provide_quic_data(client_.get(), ssl_encryption_initial,
6876 data.data(), data.size()));
6877 }
6878
TEST_F(QUICMethodTest,TooMuchData)6879 TEST_F(QUICMethodTest, TooMuchData) {
6880 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6881
6882 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6883 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6884 ASSERT_TRUE(CreateClientAndServer());
6885
6886 size_t limit =
6887 SSL_quic_max_handshake_flight_len(client_.get(), ssl_encryption_initial);
6888 uint8_t b = 0;
6889 for (size_t i = 0; i < limit; i++) {
6890 ASSERT_TRUE(
6891 SSL_provide_quic_data(client_.get(), ssl_encryption_initial, &b, 1));
6892 }
6893
6894 EXPECT_FALSE(
6895 SSL_provide_quic_data(client_.get(), ssl_encryption_initial, &b, 1));
6896 }
6897
6898 // Provide invalid post-handshake data.
TEST_F(QUICMethodTest,BadPostHandshake)6899 TEST_F(QUICMethodTest, BadPostHandshake) {
6900 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6901
6902 g_last_session = nullptr;
6903
6904 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6905 SSL_CTX_sess_set_new_cb(client_ctx_.get(), SaveLastSession);
6906 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6907 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6908 ASSERT_TRUE(CreateClientAndServer());
6909 ASSERT_TRUE(CompleteHandshakesForQUIC());
6910
6911 EXPECT_EQ(SSL_do_handshake(client_.get()), 1);
6912 EXPECT_EQ(SSL_do_handshake(server_.get()), 1);
6913 EXPECT_TRUE(transport_->SecretsMatch(ssl_encryption_application));
6914 EXPECT_FALSE(transport_->client()->has_alert());
6915 EXPECT_FALSE(transport_->server()->has_alert());
6916
6917 // Junk sent as part of post-handshake data should cause an error.
6918 uint8_t kJunk[] = {0x17, 0x0, 0x0, 0x4, 0xB, 0xE, 0xE, 0xF};
6919 ASSERT_TRUE(SSL_provide_quic_data(client_.get(), ssl_encryption_application,
6920 kJunk, sizeof(kJunk)));
6921 EXPECT_EQ(SSL_process_quic_post_handshake(client_.get()), 0);
6922 }
6923
ExpectReceivedTransportParamsEqual(const SSL * ssl,Span<const uint8_t> expected)6924 static void ExpectReceivedTransportParamsEqual(const SSL *ssl,
6925 Span<const uint8_t> expected) {
6926 const uint8_t *received;
6927 size_t received_len;
6928 SSL_get_peer_quic_transport_params(ssl, &received, &received_len);
6929 ASSERT_EQ(received_len, expected.size());
6930 EXPECT_EQ(Bytes(received, received_len), Bytes(expected));
6931 }
6932
TEST_F(QUICMethodTest,SetTransportParameters)6933 TEST_F(QUICMethodTest, SetTransportParameters) {
6934 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6935 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6936 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6937
6938 ASSERT_TRUE(CreateClientAndServer());
6939 uint8_t kClientParams[] = {1, 2, 3, 4};
6940 uint8_t kServerParams[] = {5, 6, 7};
6941 ASSERT_TRUE(SSL_set_quic_transport_params(client_.get(), kClientParams,
6942 sizeof(kClientParams)));
6943 ASSERT_TRUE(SSL_set_quic_transport_params(server_.get(), kServerParams,
6944 sizeof(kServerParams)));
6945
6946 ASSERT_TRUE(CompleteHandshakesForQUIC());
6947 ExpectReceivedTransportParamsEqual(client_.get(), kServerParams);
6948 ExpectReceivedTransportParamsEqual(server_.get(), kClientParams);
6949 }
6950
TEST_F(QUICMethodTest,SetTransportParamsInCallback)6951 TEST_F(QUICMethodTest, SetTransportParamsInCallback) {
6952 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6953 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6954 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6955
6956 ASSERT_TRUE(CreateClientAndServer());
6957 uint8_t kClientParams[] = {1, 2, 3, 4};
6958 static uint8_t kServerParams[] = {5, 6, 7};
6959 ASSERT_TRUE(SSL_set_quic_transport_params(client_.get(), kClientParams,
6960 sizeof(kClientParams)));
6961 SSL_CTX_set_tlsext_servername_callback(
6962 server_ctx_.get(), [](SSL *ssl, int *out_alert, void *arg) -> int {
6963 EXPECT_TRUE(SSL_set_quic_transport_params(ssl, kServerParams,
6964 sizeof(kServerParams)));
6965 return SSL_TLSEXT_ERR_OK;
6966 });
6967
6968 ASSERT_TRUE(CompleteHandshakesForQUIC());
6969 ExpectReceivedTransportParamsEqual(client_.get(), kServerParams);
6970 ExpectReceivedTransportParamsEqual(server_.get(), kClientParams);
6971 }
6972
TEST_F(QUICMethodTest,ForbidCrossProtocolResumptionClient)6973 TEST_F(QUICMethodTest, ForbidCrossProtocolResumptionClient) {
6974 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6975
6976 g_last_session = nullptr;
6977
6978 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6979 SSL_CTX_sess_set_new_cb(client_ctx_.get(), SaveLastSession);
6980 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6981 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6982
6983 ASSERT_TRUE(CreateClientAndServer());
6984 ASSERT_TRUE(CompleteHandshakesForQUIC());
6985
6986 ExpectHandshakeSuccess();
6987 EXPECT_FALSE(SSL_session_reused(client_.get()));
6988 EXPECT_FALSE(SSL_session_reused(server_.get()));
6989
6990 // The server sent NewSessionTicket messages in the handshake.
6991 EXPECT_FALSE(g_last_session);
6992 ASSERT_TRUE(ProvideHandshakeData(client_.get()));
6993 EXPECT_EQ(SSL_process_quic_post_handshake(client_.get()), 1);
6994 ASSERT_TRUE(g_last_session);
6995
6996 // Pretend that g_last_session came from a TLS-over-TCP connection.
6997 g_last_session->is_quic = false;
6998
6999 // Create a second connection and verify that resumption does not occur with
7000 // a session from a non-QUIC connection. This tests that the client does not
7001 // offer over QUIC a session believed to be received over TCP. The server
7002 // believes this is a QUIC session, so if the client offered the session, the
7003 // server would have resumed it.
7004 ASSERT_TRUE(CreateClientAndServer());
7005 bssl::UniquePtr<SSL_SESSION> session = std::move(g_last_session);
7006 SSL_set_session(client_.get(), session.get());
7007
7008 ASSERT_TRUE(CompleteHandshakesForQUIC());
7009 ExpectHandshakeSuccess();
7010 EXPECT_FALSE(SSL_session_reused(client_.get()));
7011 EXPECT_FALSE(SSL_session_reused(server_.get()));
7012 }
7013
TEST_F(QUICMethodTest,ForbidCrossProtocolResumptionServer)7014 TEST_F(QUICMethodTest, ForbidCrossProtocolResumptionServer) {
7015 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7016
7017 g_last_session = nullptr;
7018
7019 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
7020 SSL_CTX_sess_set_new_cb(client_ctx_.get(), SaveLastSession);
7021 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7022 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7023
7024 ASSERT_TRUE(CreateClientAndServer());
7025 ASSERT_TRUE(CompleteHandshakesForQUIC());
7026
7027 ExpectHandshakeSuccess();
7028 EXPECT_FALSE(SSL_session_reused(client_.get()));
7029 EXPECT_FALSE(SSL_session_reused(server_.get()));
7030
7031 // The server sent NewSessionTicket messages in the handshake.
7032 EXPECT_FALSE(g_last_session);
7033 ASSERT_TRUE(ProvideHandshakeData(client_.get()));
7034 EXPECT_EQ(SSL_process_quic_post_handshake(client_.get()), 1);
7035 ASSERT_TRUE(g_last_session);
7036
7037 // Attempt a resumption with g_last_session using TLS_method.
7038 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
7039 ASSERT_TRUE(client_ctx);
7040
7041 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), nullptr));
7042
7043 bssl::UniquePtr<SSL> client(SSL_new(client_ctx.get())),
7044 server(SSL_new(server_ctx_.get()));
7045 ASSERT_TRUE(client);
7046 ASSERT_TRUE(server);
7047 SSL_set_connect_state(client.get());
7048 SSL_set_accept_state(server.get());
7049
7050 // The TLS-over-TCP client will refuse to resume with a quic session, so
7051 // mark is_quic = false to bypass the client check to test the server check.
7052 g_last_session->is_quic = false;
7053 SSL_set_session(client.get(), g_last_session.get());
7054
7055 BIO *bio1, *bio2;
7056 ASSERT_TRUE(BIO_new_bio_pair(&bio1, 0, &bio2, 0));
7057
7058 // SSL_set_bio takes ownership.
7059 SSL_set_bio(client.get(), bio1, bio1);
7060 SSL_set_bio(server.get(), bio2, bio2);
7061 ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
7062
7063 EXPECT_FALSE(SSL_session_reused(client.get()));
7064 EXPECT_FALSE(SSL_session_reused(server.get()));
7065 }
7066
TEST_F(QUICMethodTest,ClientRejectsMissingTransportParams)7067 TEST_F(QUICMethodTest, ClientRejectsMissingTransportParams) {
7068 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7069 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7070 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7071
7072 ASSERT_TRUE(CreateClientAndServer());
7073 ASSERT_TRUE(SSL_set_quic_transport_params(server_.get(), nullptr, 0));
7074 ASSERT_TRUE(RunQUICHandshakesAndExpectError(ExpectedError::kServerError));
7075 }
7076
TEST_F(QUICMethodTest,ServerRejectsMissingTransportParams)7077 TEST_F(QUICMethodTest, ServerRejectsMissingTransportParams) {
7078 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7079 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7080 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7081
7082 ASSERT_TRUE(CreateClientAndServer());
7083 ASSERT_TRUE(SSL_set_quic_transport_params(client_.get(), nullptr, 0));
7084 ASSERT_TRUE(RunQUICHandshakesAndExpectError(ExpectedError::kClientError));
7085 }
7086
TEST_F(QUICMethodTest,QuicLegacyCodepointEnabled)7087 TEST_F(QUICMethodTest, QuicLegacyCodepointEnabled) {
7088 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7089 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7090 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7091
7092 ASSERT_TRUE(CreateClientAndServer());
7093 uint8_t kClientParams[] = {1, 2, 3, 4};
7094 uint8_t kServerParams[] = {5, 6, 7};
7095 SSL_set_quic_use_legacy_codepoint(client_.get(), 1);
7096 SSL_set_quic_use_legacy_codepoint(server_.get(), 1);
7097 ASSERT_TRUE(SSL_set_quic_transport_params(client_.get(), kClientParams,
7098 sizeof(kClientParams)));
7099 ASSERT_TRUE(SSL_set_quic_transport_params(server_.get(), kServerParams,
7100 sizeof(kServerParams)));
7101
7102 ASSERT_TRUE(CompleteHandshakesForQUIC());
7103 ExpectReceivedTransportParamsEqual(client_.get(), kServerParams);
7104 ExpectReceivedTransportParamsEqual(server_.get(), kClientParams);
7105 }
7106
TEST_F(QUICMethodTest,QuicLegacyCodepointDisabled)7107 TEST_F(QUICMethodTest, QuicLegacyCodepointDisabled) {
7108 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7109 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7110 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7111
7112 ASSERT_TRUE(CreateClientAndServer());
7113 uint8_t kClientParams[] = {1, 2, 3, 4};
7114 uint8_t kServerParams[] = {5, 6, 7};
7115 SSL_set_quic_use_legacy_codepoint(client_.get(), 0);
7116 SSL_set_quic_use_legacy_codepoint(server_.get(), 0);
7117 ASSERT_TRUE(SSL_set_quic_transport_params(client_.get(), kClientParams,
7118 sizeof(kClientParams)));
7119 ASSERT_TRUE(SSL_set_quic_transport_params(server_.get(), kServerParams,
7120 sizeof(kServerParams)));
7121
7122 ASSERT_TRUE(CompleteHandshakesForQUIC());
7123 ExpectReceivedTransportParamsEqual(client_.get(), kServerParams);
7124 ExpectReceivedTransportParamsEqual(server_.get(), kClientParams);
7125 }
7126
TEST_F(QUICMethodTest,QuicLegacyCodepointClientOnly)7127 TEST_F(QUICMethodTest, QuicLegacyCodepointClientOnly) {
7128 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7129 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7130 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7131
7132 ASSERT_TRUE(CreateClientAndServer());
7133 uint8_t kClientParams[] = {1, 2, 3, 4};
7134 uint8_t kServerParams[] = {5, 6, 7};
7135 SSL_set_quic_use_legacy_codepoint(client_.get(), 1);
7136 SSL_set_quic_use_legacy_codepoint(server_.get(), 0);
7137 ASSERT_TRUE(SSL_set_quic_transport_params(client_.get(), kClientParams,
7138 sizeof(kClientParams)));
7139 ASSERT_TRUE(SSL_set_quic_transport_params(server_.get(), kServerParams,
7140 sizeof(kServerParams)));
7141
7142 ASSERT_TRUE(RunQUICHandshakesAndExpectError(ExpectedError::kServerError));
7143 }
7144
TEST_F(QUICMethodTest,QuicLegacyCodepointServerOnly)7145 TEST_F(QUICMethodTest, QuicLegacyCodepointServerOnly) {
7146 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7147 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7148 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7149
7150 ASSERT_TRUE(CreateClientAndServer());
7151 uint8_t kClientParams[] = {1, 2, 3, 4};
7152 uint8_t kServerParams[] = {5, 6, 7};
7153 SSL_set_quic_use_legacy_codepoint(client_.get(), 0);
7154 SSL_set_quic_use_legacy_codepoint(server_.get(), 1);
7155 ASSERT_TRUE(SSL_set_quic_transport_params(client_.get(), kClientParams,
7156 sizeof(kClientParams)));
7157 ASSERT_TRUE(SSL_set_quic_transport_params(server_.get(), kServerParams,
7158 sizeof(kServerParams)));
7159
7160 ASSERT_TRUE(RunQUICHandshakesAndExpectError(ExpectedError::kServerError));
7161 }
7162
7163 // Test that the default QUIC code point is consistent with
7164 // |TLSEXT_TYPE_quic_transport_parameters|. This test ensures we remember to
7165 // update the two values together.
TEST_F(QUICMethodTest,QuicCodePointDefault)7166 TEST_F(QUICMethodTest, QuicCodePointDefault) {
7167 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7168 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7169 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7170 SSL_CTX_set_select_certificate_cb(
7171 server_ctx_.get(),
7172 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
7173 const uint8_t *data;
7174 size_t len;
7175 if (!SSL_early_callback_ctx_extension_get(
7176 client_hello, TLSEXT_TYPE_quic_transport_parameters, &data,
7177 &len)) {
7178 ADD_FAILURE() << "Could not find quic_transport_parameters extension";
7179 return ssl_select_cert_error;
7180 }
7181 return ssl_select_cert_success;
7182 });
7183
7184 ASSERT_TRUE(CreateClientAndServer());
7185 ASSERT_TRUE(CompleteHandshakesForQUIC());
7186 }
7187
7188 extern "C" {
7189 int BORINGSSL_enum_c_type_test(void);
7190 }
7191
TEST(SSLTest,EnumTypes)7192 TEST(SSLTest, EnumTypes) {
7193 EXPECT_EQ(sizeof(int), sizeof(ssl_private_key_result_t));
7194 EXPECT_EQ(1, BORINGSSL_enum_c_type_test());
7195 }
7196
TEST_P(SSLVersionTest,DoubleSSLError)7197 TEST_P(SSLVersionTest, DoubleSSLError) {
7198 // Connect the inner SSL connections.
7199 ASSERT_TRUE(Connect());
7200
7201 // Make a pair of |BIO|s which wrap |client_| and |server_|.
7202 UniquePtr<BIO_METHOD> bio_method(BIO_meth_new(0, nullptr));
7203 ASSERT_TRUE(bio_method);
7204 ASSERT_TRUE(BIO_meth_set_read(
7205 bio_method.get(), [](BIO *bio, char *out, int len) -> int {
7206 SSL *ssl = static_cast<SSL *>(BIO_get_data(bio));
7207 int ret = SSL_read(ssl, out, len);
7208 int ssl_ret = SSL_get_error(ssl, ret);
7209 if (ssl_ret == SSL_ERROR_WANT_READ) {
7210 BIO_set_retry_read(bio);
7211 }
7212 return ret;
7213 }));
7214 ASSERT_TRUE(BIO_meth_set_write(
7215 bio_method.get(), [](BIO *bio, const char *in, int len) -> int {
7216 SSL *ssl = static_cast<SSL *>(BIO_get_data(bio));
7217 int ret = SSL_write(ssl, in, len);
7218 int ssl_ret = SSL_get_error(ssl, ret);
7219 if (ssl_ret == SSL_ERROR_WANT_WRITE) {
7220 BIO_set_retry_write(bio);
7221 }
7222 return ret;
7223 }));
7224 ASSERT_TRUE(BIO_meth_set_ctrl(
7225 bio_method.get(), [](BIO *bio, int cmd, long larg, void *parg) -> long {
7226 // |SSL| objects require |BIO_flush| support.
7227 if (cmd == BIO_CTRL_FLUSH) {
7228 return 1;
7229 }
7230 return 0;
7231 }));
7232
7233 UniquePtr<BIO> client_bio(BIO_new(bio_method.get()));
7234 ASSERT_TRUE(client_bio);
7235 BIO_set_data(client_bio.get(), client_.get());
7236 BIO_set_init(client_bio.get(), 1);
7237
7238 UniquePtr<BIO> server_bio(BIO_new(bio_method.get()));
7239 ASSERT_TRUE(server_bio);
7240 BIO_set_data(server_bio.get(), server_.get());
7241 BIO_set_init(server_bio.get(), 1);
7242
7243 // Wrap the inner connections in another layer of SSL.
7244 UniquePtr<SSL> client_outer(SSL_new(client_ctx_.get()));
7245 ASSERT_TRUE(client_outer);
7246 SSL_set_connect_state(client_outer.get());
7247 SSL_set_bio(client_outer.get(), client_bio.get(), client_bio.get());
7248 client_bio.release(); // |SSL_set_bio| takes ownership.
7249
7250 UniquePtr<SSL> server_outer(SSL_new(server_ctx_.get()));
7251 ASSERT_TRUE(server_outer);
7252 SSL_set_accept_state(server_outer.get());
7253 SSL_set_bio(server_outer.get(), server_bio.get(), server_bio.get());
7254 server_bio.release(); // |SSL_set_bio| takes ownership.
7255
7256 // Configure |client_outer| to reject the server certificate.
7257 SSL_set_custom_verify(
7258 client_outer.get(), SSL_VERIFY_PEER,
7259 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
7260 return ssl_verify_invalid;
7261 });
7262
7263 for (;;) {
7264 int client_ret = SSL_do_handshake(client_outer.get());
7265 int client_err = SSL_get_error(client_outer.get(), client_ret);
7266 if (client_err != SSL_ERROR_WANT_READ &&
7267 client_err != SSL_ERROR_WANT_WRITE) {
7268 // The client handshake should terminate on a certificate verification
7269 // error.
7270 EXPECT_EQ(SSL_ERROR_SSL, client_err);
7271 uint32_t err = ERR_peek_error();
7272 EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err));
7273 EXPECT_EQ(SSL_R_CERTIFICATE_VERIFY_FAILED, ERR_GET_REASON(err));
7274 break;
7275 }
7276
7277 // Run the server handshake and continue.
7278 int server_ret = SSL_do_handshake(server_outer.get());
7279 int server_err = SSL_get_error(server_outer.get(), server_ret);
7280 ASSERT_TRUE(server_err == SSL_ERROR_NONE ||
7281 server_err == SSL_ERROR_WANT_READ ||
7282 server_err == SSL_ERROR_WANT_WRITE);
7283 }
7284 }
7285
TEST_P(SSLVersionTest,SameKeyResume)7286 TEST_P(SSLVersionTest, SameKeyResume) {
7287 uint8_t key[48];
7288 RAND_bytes(key, sizeof(key));
7289
7290 bssl::UniquePtr<SSL_CTX> server_ctx2 = CreateContext();
7291 ASSERT_TRUE(server_ctx2);
7292 ASSERT_TRUE(UseCertAndKey(server_ctx2.get()));
7293 ASSERT_TRUE(
7294 SSL_CTX_set_tlsext_ticket_keys(server_ctx_.get(), key, sizeof(key)));
7295 ASSERT_TRUE(
7296 SSL_CTX_set_tlsext_ticket_keys(server_ctx2.get(), key, sizeof(key)));
7297
7298 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
7299 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
7300 SSL_CTX_set_session_cache_mode(server_ctx2.get(), SSL_SESS_CACHE_BOTH);
7301
7302 // Establish a session for |server_ctx_|.
7303 bssl::UniquePtr<SSL_SESSION> session =
7304 CreateClientSession(client_ctx_.get(), server_ctx_.get());
7305 ASSERT_TRUE(session);
7306 ClientConfig config;
7307 config.session = session.get();
7308
7309 // Resuming with |server_ctx_| again works.
7310 bssl::UniquePtr<SSL> client, server;
7311 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
7312 server_ctx_.get(), config));
7313 EXPECT_TRUE(SSL_session_reused(client.get()));
7314 EXPECT_TRUE(SSL_session_reused(server.get()));
7315
7316 // Resuming with |server_ctx2| also works.
7317 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
7318 server_ctx2.get(), config));
7319 EXPECT_TRUE(SSL_session_reused(client.get()));
7320 EXPECT_TRUE(SSL_session_reused(server.get()));
7321 }
7322
TEST_P(SSLVersionTest,DifferentKeyNoResume)7323 TEST_P(SSLVersionTest, DifferentKeyNoResume) {
7324 uint8_t key1[48], key2[48];
7325 RAND_bytes(key1, sizeof(key1));
7326 RAND_bytes(key2, sizeof(key2));
7327
7328 bssl::UniquePtr<SSL_CTX> server_ctx2 = CreateContext();
7329 ASSERT_TRUE(server_ctx2);
7330 ASSERT_TRUE(UseCertAndKey(server_ctx2.get()));
7331 ASSERT_TRUE(
7332 SSL_CTX_set_tlsext_ticket_keys(server_ctx_.get(), key1, sizeof(key1)));
7333 ASSERT_TRUE(
7334 SSL_CTX_set_tlsext_ticket_keys(server_ctx2.get(), key2, sizeof(key2)));
7335
7336 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
7337 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
7338 SSL_CTX_set_session_cache_mode(server_ctx2.get(), SSL_SESS_CACHE_BOTH);
7339
7340 // Establish a session for |server_ctx_|.
7341 bssl::UniquePtr<SSL_SESSION> session =
7342 CreateClientSession(client_ctx_.get(), server_ctx_.get());
7343 ASSERT_TRUE(session);
7344 ClientConfig config;
7345 config.session = session.get();
7346
7347 // Resuming with |server_ctx_| again works.
7348 bssl::UniquePtr<SSL> client, server;
7349 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
7350 server_ctx_.get(), config));
7351 EXPECT_TRUE(SSL_session_reused(client.get()));
7352 EXPECT_TRUE(SSL_session_reused(server.get()));
7353
7354 // Resuming with |server_ctx2| does not work.
7355 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
7356 server_ctx2.get(), config));
7357 EXPECT_FALSE(SSL_session_reused(client.get()));
7358 EXPECT_FALSE(SSL_session_reused(server.get()));
7359 }
7360
TEST_P(SSLVersionTest,UnrelatedServerNoResume)7361 TEST_P(SSLVersionTest, UnrelatedServerNoResume) {
7362 bssl::UniquePtr<SSL_CTX> server_ctx2 = CreateContext();
7363 ASSERT_TRUE(server_ctx2);
7364 ASSERT_TRUE(UseCertAndKey(server_ctx2.get()));
7365
7366 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
7367 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
7368 SSL_CTX_set_session_cache_mode(server_ctx2.get(), SSL_SESS_CACHE_BOTH);
7369
7370 // Establish a session for |server_ctx_|.
7371 bssl::UniquePtr<SSL_SESSION> session =
7372 CreateClientSession(client_ctx_.get(), server_ctx_.get());
7373 ASSERT_TRUE(session);
7374 ClientConfig config;
7375 config.session = session.get();
7376
7377 // Resuming with |server_ctx_| again works.
7378 bssl::UniquePtr<SSL> client, server;
7379 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
7380 server_ctx_.get(), config));
7381 EXPECT_TRUE(SSL_session_reused(client.get()));
7382 EXPECT_TRUE(SSL_session_reused(server.get()));
7383
7384 // Resuming with |server_ctx2| does not work.
7385 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
7386 server_ctx2.get(), config));
7387 EXPECT_FALSE(SSL_session_reused(client.get()));
7388 EXPECT_FALSE(SSL_session_reused(server.get()));
7389 }
7390
SessionIDOf(const SSL * ssl)7391 Span<const uint8_t> SessionIDOf(const SSL* ssl) {
7392 const SSL_SESSION *session = SSL_get_session(ssl);
7393 unsigned len;
7394 const uint8_t *data = SSL_SESSION_get_id(session, &len);
7395 return MakeConstSpan(data, len);
7396 }
7397
TEST_P(SSLVersionTest,TicketSessionIDsMatch)7398 TEST_P(SSLVersionTest, TicketSessionIDsMatch) {
7399 // This checks that the session IDs at client and server match after a ticket
7400 // resumption. It's unclear whether this should be true, but Envoy depends
7401 // on it in their tests so this will give an early signal if we break it.
7402 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
7403 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
7404
7405 bssl::UniquePtr<SSL_SESSION> session =
7406 CreateClientSession(client_ctx_.get(), server_ctx_.get());
7407
7408 bssl::UniquePtr<SSL> client, server;
7409 ClientConfig config;
7410 config.session = session.get();
7411 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
7412 server_ctx_.get(), config));
7413 EXPECT_TRUE(SSL_session_reused(client.get()));
7414 EXPECT_TRUE(SSL_session_reused(server.get()));
7415
7416 EXPECT_EQ(Bytes(SessionIDOf(client.get())), Bytes(SessionIDOf(server.get())));
7417 }
7418
WriteHelloRequest(SSL * server)7419 static void WriteHelloRequest(SSL *server) {
7420 // This function assumes TLS 1.2 with ChaCha20-Poly1305.
7421 ASSERT_EQ(SSL_version(server), TLS1_2_VERSION);
7422 ASSERT_EQ(SSL_CIPHER_get_cipher_nid(SSL_get_current_cipher(server)),
7423 NID_chacha20_poly1305);
7424
7425 // Encrypt a HelloRequest.
7426 uint8_t in[] = {SSL3_MT_HELLO_REQUEST, 0, 0, 0};
7427 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
7428 // Fuzzer-mode records are unencrypted.
7429 uint8_t record[5 + sizeof(in)];
7430 record[0] = SSL3_RT_HANDSHAKE;
7431 record[1] = 3;
7432 record[2] = 3; // TLS 1.2
7433 record[3] = 0;
7434 record[4] = sizeof(record) - 5;
7435 memcpy(record + 5, in, sizeof(in));
7436 #else
7437 // Extract key material from |server|.
7438 static const size_t kKeyLen = 32;
7439 static const size_t kNonceLen = 12;
7440 ASSERT_EQ(2u * (kKeyLen + kNonceLen), SSL_get_key_block_len(server));
7441 uint8_t key_block[2u * (kKeyLen + kNonceLen)];
7442 ASSERT_TRUE(SSL_generate_key_block(server, key_block, sizeof(key_block)));
7443 Span<uint8_t> key = MakeSpan(key_block + kKeyLen, kKeyLen);
7444 Span<uint8_t> nonce =
7445 MakeSpan(key_block + kKeyLen + kKeyLen + kNonceLen, kNonceLen);
7446
7447 uint8_t ad[13];
7448 uint64_t seq = SSL_get_write_sequence(server);
7449 for (size_t i = 0; i < 8; i++) {
7450 // The nonce is XORed with the sequence number.
7451 nonce[11 - i] ^= uint8_t(seq);
7452 ad[7 - i] = uint8_t(seq);
7453 seq >>= 8;
7454 }
7455
7456 ad[8] = SSL3_RT_HANDSHAKE;
7457 ad[9] = 3;
7458 ad[10] = 3; // TLS 1.2
7459 ad[11] = 0;
7460 ad[12] = sizeof(in);
7461
7462 uint8_t record[5 + sizeof(in) + 16];
7463 record[0] = SSL3_RT_HANDSHAKE;
7464 record[1] = 3;
7465 record[2] = 3; // TLS 1.2
7466 record[3] = 0;
7467 record[4] = sizeof(record) - 5;
7468
7469 ScopedEVP_AEAD_CTX aead;
7470 ASSERT_TRUE(EVP_AEAD_CTX_init(aead.get(), EVP_aead_chacha20_poly1305(),
7471 key.data(), key.size(),
7472 EVP_AEAD_DEFAULT_TAG_LENGTH, nullptr));
7473 size_t len;
7474 ASSERT_TRUE(EVP_AEAD_CTX_seal(aead.get(), record + 5, &len,
7475 sizeof(record) - 5, nonce.data(), nonce.size(),
7476 in, sizeof(in), ad, sizeof(ad)));
7477 ASSERT_EQ(sizeof(record) - 5, len);
7478 #endif // BORINGSSL_UNSAFE_FUZZER_MODE
7479
7480 ASSERT_EQ(int(sizeof(record)),
7481 BIO_write(SSL_get_wbio(server), record, sizeof(record)));
7482 }
7483
TEST(SSLTest,WriteWhileExplicitRenegotiate)7484 TEST(SSLTest, WriteWhileExplicitRenegotiate) {
7485 bssl::UniquePtr<SSL_CTX> ctx(CreateContextWithTestCertificate(TLS_method()));
7486 ASSERT_TRUE(ctx);
7487
7488 ASSERT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_2_VERSION));
7489 ASSERT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_2_VERSION));
7490 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(
7491 ctx.get(), "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"));
7492
7493 bssl::UniquePtr<SSL> client, server;
7494 ASSERT_TRUE(CreateClientAndServer(&client, &server, ctx.get(), ctx.get()));
7495 SSL_set_renegotiate_mode(client.get(), ssl_renegotiate_explicit);
7496 ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
7497
7498 static const uint8_t kInput[] = {'h', 'e', 'l', 'l', 'o'};
7499
7500 // Write "hello" until the buffer is full, so |client| has a pending write.
7501 size_t num_writes = 0;
7502 for (;;) {
7503 int ret = SSL_write(client.get(), kInput, sizeof(kInput));
7504 if (ret != int(sizeof(kInput))) {
7505 ASSERT_EQ(-1, ret);
7506 ASSERT_EQ(SSL_ERROR_WANT_WRITE, SSL_get_error(client.get(), ret));
7507 break;
7508 }
7509 num_writes++;
7510 }
7511
7512 ASSERT_NO_FATAL_FAILURE(WriteHelloRequest(server.get()));
7513
7514 // |SSL_read| should pick up the HelloRequest.
7515 uint8_t byte;
7516 ASSERT_EQ(-1, SSL_read(client.get(), &byte, 1));
7517 ASSERT_EQ(SSL_ERROR_WANT_RENEGOTIATE, SSL_get_error(client.get(), -1));
7518
7519 // Drain the data from the |client|.
7520 uint8_t buf[sizeof(kInput)];
7521 for (size_t i = 0; i < num_writes; i++) {
7522 ASSERT_EQ(int(sizeof(buf)), SSL_read(server.get(), buf, sizeof(buf)));
7523 EXPECT_EQ(Bytes(buf), Bytes(kInput));
7524 }
7525
7526 // |client| should be able to finish the pending write and continue to write,
7527 // despite the paused HelloRequest.
7528 ASSERT_EQ(int(sizeof(kInput)),
7529 SSL_write(client.get(), kInput, sizeof(kInput)));
7530 ASSERT_EQ(int(sizeof(buf)), SSL_read(server.get(), buf, sizeof(buf)));
7531 EXPECT_EQ(Bytes(buf), Bytes(kInput));
7532
7533 ASSERT_EQ(int(sizeof(kInput)),
7534 SSL_write(client.get(), kInput, sizeof(kInput)));
7535 ASSERT_EQ(int(sizeof(buf)), SSL_read(server.get(), buf, sizeof(buf)));
7536 EXPECT_EQ(Bytes(buf), Bytes(kInput));
7537
7538 // |SSL_read| is stuck until we acknowledge the HelloRequest.
7539 ASSERT_EQ(-1, SSL_read(client.get(), &byte, 1));
7540 ASSERT_EQ(SSL_ERROR_WANT_RENEGOTIATE, SSL_get_error(client.get(), -1));
7541
7542 ASSERT_TRUE(SSL_renegotiate(client.get()));
7543 ASSERT_EQ(-1, SSL_read(client.get(), &byte, 1));
7544 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(client.get(), -1));
7545
7546 // We never renegotiate as a server.
7547 ASSERT_EQ(-1, SSL_read(server.get(), buf, sizeof(buf)));
7548 ASSERT_EQ(SSL_ERROR_SSL, SSL_get_error(server.get(), -1));
7549 uint32_t err = ERR_get_error();
7550 EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err));
7551 EXPECT_EQ(SSL_R_NO_RENEGOTIATION, ERR_GET_REASON(err));
7552 }
7553
TEST(SSLTest,ConnectionPropertiesDuringRenegotiate)7554 TEST(SSLTest, ConnectionPropertiesDuringRenegotiate) {
7555 // Configure known connection properties, so we can check against them.
7556 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
7557 ASSERT_TRUE(ctx);
7558 bssl::UniquePtr<X509> cert = GetTestCertificate();
7559 ASSERT_TRUE(cert);
7560 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
7561 ASSERT_TRUE(key);
7562 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), cert.get()));
7563 ASSERT_TRUE(SSL_CTX_use_PrivateKey(ctx.get(), key.get()));
7564 ASSERT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_2_VERSION));
7565 ASSERT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_2_VERSION));
7566 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(
7567 ctx.get(), "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"));
7568 ASSERT_TRUE(SSL_CTX_set1_curves_list(ctx.get(), "X25519"));
7569 ASSERT_TRUE(SSL_CTX_set1_sigalgs_list(ctx.get(), "rsa_pkcs1_sha256"));
7570
7571 // Connect a client and server that accept renegotiation.
7572 bssl::UniquePtr<SSL> client, server;
7573 ASSERT_TRUE(CreateClientAndServer(&client, &server, ctx.get(), ctx.get()));
7574 SSL_set_renegotiate_mode(client.get(), ssl_renegotiate_freely);
7575 ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
7576
7577 auto check_properties = [&] {
7578 EXPECT_EQ(SSL_version(client.get()), TLS1_2_VERSION);
7579 const SSL_CIPHER *cipher = SSL_get_current_cipher(client.get());
7580 ASSERT_TRUE(cipher);
7581 EXPECT_EQ(SSL_CIPHER_get_id(cipher),
7582 uint32_t{TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256});
7583 EXPECT_EQ(SSL_get_curve_id(client.get()), SSL_CURVE_X25519);
7584 EXPECT_EQ(SSL_get_peer_signature_algorithm(client.get()),
7585 SSL_SIGN_RSA_PKCS1_SHA256);
7586 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(client.get()));
7587 ASSERT_TRUE(peer);
7588 EXPECT_EQ(X509_cmp(cert.get(), peer.get()), 0);
7589 };
7590 check_properties();
7591
7592 // The server sends a HelloRequest.
7593 ASSERT_NO_FATAL_FAILURE(WriteHelloRequest(server.get()));
7594
7595 // Reading from the client will consume the HelloRequest, start a
7596 // renegotiation, and then block on a ServerHello from the server.
7597 uint8_t byte;
7598 ASSERT_EQ(-1, SSL_read(client.get(), &byte, 1));
7599 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(client.get(), -1));
7600
7601 // Connection properties should continue to report values from the original
7602 // handshake.
7603 check_properties();
7604 }
7605
TEST(SSLTest,CopyWithoutEarlyData)7606 TEST(SSLTest, CopyWithoutEarlyData) {
7607 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
7608 bssl::UniquePtr<SSL_CTX> server_ctx(
7609 CreateContextWithTestCertificate(TLS_method()));
7610 ASSERT_TRUE(client_ctx);
7611 ASSERT_TRUE(server_ctx);
7612
7613 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
7614 SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH);
7615 SSL_CTX_set_early_data_enabled(client_ctx.get(), 1);
7616 SSL_CTX_set_early_data_enabled(server_ctx.get(), 1);
7617
7618 bssl::UniquePtr<SSL_SESSION> session =
7619 CreateClientSession(client_ctx.get(), server_ctx.get());
7620 ASSERT_TRUE(session);
7621
7622 // The client should attempt early data with |session|.
7623 bssl::UniquePtr<SSL> client, server;
7624 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
7625 server_ctx.get()));
7626 SSL_set_session(client.get(), session.get());
7627 SSL_set_early_data_enabled(client.get(), 1);
7628 ASSERT_EQ(1, SSL_do_handshake(client.get()));
7629 EXPECT_TRUE(SSL_in_early_data(client.get()));
7630
7631 // |SSL_SESSION_copy_without_early_data| should disable early data but
7632 // still resume the session.
7633 bssl::UniquePtr<SSL_SESSION> session2(
7634 SSL_SESSION_copy_without_early_data(session.get()));
7635 ASSERT_TRUE(session2);
7636 EXPECT_NE(session.get(), session2.get());
7637 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
7638 server_ctx.get()));
7639 SSL_set_session(client.get(), session2.get());
7640 SSL_set_early_data_enabled(client.get(), 1);
7641 EXPECT_TRUE(CompleteHandshakes(client.get(), server.get()));
7642 EXPECT_TRUE(SSL_session_reused(client.get()));
7643 EXPECT_EQ(ssl_early_data_unsupported_for_session,
7644 SSL_get_early_data_reason(client.get()));
7645
7646 // |SSL_SESSION_copy_without_early_data| should be a reference count increase
7647 // when passed an early-data-incapable session.
7648 bssl::UniquePtr<SSL_SESSION> session3(
7649 SSL_SESSION_copy_without_early_data(session2.get()));
7650 EXPECT_EQ(session2.get(), session3.get());
7651 }
7652
TEST(SSLTest,ProcessTLS13NewSessionTicket)7653 TEST(SSLTest, ProcessTLS13NewSessionTicket) {
7654 // Configure client and server to negotiate TLS 1.3 only.
7655 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
7656 bssl::UniquePtr<SSL_CTX> server_ctx(
7657 CreateContextWithTestCertificate(TLS_method()));
7658 ASSERT_TRUE(client_ctx);
7659 ASSERT_TRUE(server_ctx);
7660 ASSERT_TRUE(SSL_CTX_set_min_proto_version(client_ctx.get(), TLS1_3_VERSION));
7661 ASSERT_TRUE(SSL_CTX_set_min_proto_version(server_ctx.get(), TLS1_3_VERSION));
7662 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION));
7663 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
7664
7665 bssl::UniquePtr<SSL> client, server;
7666 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
7667 server_ctx.get()));
7668 EXPECT_EQ(TLS1_3_VERSION, SSL_version(client.get()));
7669
7670 // Process a TLS 1.3 NewSessionTicket.
7671 static const uint8_t kTicket[] = {
7672 0x04, 0x00, 0x00, 0xb2, 0x00, 0x02, 0xa3, 0x00, 0x04, 0x03, 0x02, 0x01,
7673 0x01, 0x00, 0x00, 0xa0, 0x01, 0x06, 0x09, 0x11, 0x16, 0x19, 0x21, 0x26,
7674 0x29, 0x31, 0x36, 0x39, 0x41, 0x46, 0x49, 0x51, 0x03, 0x06, 0x09, 0x13,
7675 0x16, 0x19, 0x23, 0x26, 0x29, 0x33, 0x36, 0x39, 0x43, 0x46, 0x49, 0x53,
7676 0xf7, 0x00, 0x29, 0xec, 0xf2, 0xc4, 0xa4, 0x41, 0xfc, 0x30, 0x17, 0x2e,
7677 0x9f, 0x7c, 0xa8, 0xaf, 0x75, 0x70, 0xf0, 0x1f, 0xc7, 0x98, 0xf7, 0xcf,
7678 0x5a, 0x5a, 0x6b, 0x5b, 0xfe, 0xf1, 0xe7, 0x3a, 0xe8, 0xf7, 0x6c, 0xd2,
7679 0xa8, 0xa6, 0x92, 0x5b, 0x96, 0x8d, 0xde, 0xdb, 0xd3, 0x20, 0x6a, 0xcb,
7680 0x69, 0x06, 0xf4, 0x91, 0x85, 0x2e, 0xe6, 0x5e, 0x0c, 0x59, 0xf2, 0x9e,
7681 0x9b, 0x79, 0x91, 0x24, 0x7e, 0x4a, 0x32, 0x3d, 0xbe, 0x4b, 0x80, 0x70,
7682 0xaf, 0xd0, 0x1d, 0xe2, 0xca, 0x05, 0x35, 0x09, 0x09, 0x05, 0x0f, 0xbb,
7683 0xc4, 0xae, 0xd7, 0xc4, 0xed, 0xd7, 0xae, 0x35, 0xc8, 0x73, 0x63, 0x78,
7684 0x64, 0xc9, 0x7a, 0x1f, 0xed, 0x7a, 0x9a, 0x47, 0x44, 0xfd, 0x50, 0xf7,
7685 0xb7, 0xe0, 0x64, 0xa9, 0x02, 0xc1, 0x5c, 0x23, 0x18, 0x3f, 0xc4, 0xcf,
7686 0x72, 0x02, 0x59, 0x2d, 0xe1, 0xaa, 0x61, 0x72, 0x00, 0x04, 0x5a, 0x5a,
7687 0x00, 0x00,
7688 };
7689 bssl::UniquePtr<SSL_SESSION> session(SSL_process_tls13_new_session_ticket(
7690 client.get(), kTicket, sizeof(kTicket)));
7691 ASSERT_TRUE(session);
7692 ASSERT_TRUE(SSL_SESSION_has_ticket(session.get()));
7693
7694 uint8_t *session_buf = nullptr;
7695 size_t session_length = 0;
7696 ASSERT_TRUE(
7697 SSL_SESSION_to_bytes(session.get(), &session_buf, &session_length));
7698 bssl::UniquePtr<uint8_t> session_buf_free(session_buf);
7699 ASSERT_TRUE(session_buf);
7700 ASSERT_GT(session_length, 0u);
7701
7702 // Servers cannot call |SSL_process_tls13_new_session_ticket|.
7703 ASSERT_FALSE(SSL_process_tls13_new_session_ticket(server.get(), kTicket,
7704 sizeof(kTicket)));
7705
7706 // Clients cannot call |SSL_process_tls13_new_session_ticket| before the
7707 // handshake completes.
7708 bssl::UniquePtr<SSL> client2(SSL_new(client_ctx.get()));
7709 ASSERT_TRUE(client2);
7710 SSL_set_connect_state(client2.get());
7711 ASSERT_FALSE(SSL_process_tls13_new_session_ticket(client2.get(), kTicket,
7712 sizeof(kTicket)));
7713 }
7714
TEST(SSLTest,BIO)7715 TEST(SSLTest, BIO) {
7716 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
7717 bssl::UniquePtr<SSL_CTX> server_ctx(
7718 CreateContextWithTestCertificate(TLS_method()));
7719 ASSERT_TRUE(client_ctx);
7720 ASSERT_TRUE(server_ctx);
7721
7722 for (bool take_ownership : {true, false}) {
7723 // For simplicity, get the handshake out of the way first.
7724 bssl::UniquePtr<SSL> client, server;
7725 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
7726 server_ctx.get()));
7727
7728 // Wrap |client| in an SSL BIO.
7729 bssl::UniquePtr<BIO> client_bio(BIO_new(BIO_f_ssl()));
7730 ASSERT_TRUE(client_bio);
7731 ASSERT_EQ(1, BIO_set_ssl(client_bio.get(), client.get(), take_ownership));
7732 if (take_ownership) {
7733 client.release();
7734 }
7735
7736 // Flushing the BIO should not crash.
7737 EXPECT_EQ(1, BIO_flush(client_bio.get()));
7738
7739 // Exchange some data.
7740 EXPECT_EQ(5, BIO_write(client_bio.get(), "hello", 5));
7741 uint8_t buf[5];
7742 ASSERT_EQ(5, SSL_read(server.get(), buf, sizeof(buf)));
7743 EXPECT_EQ(Bytes("hello"), Bytes(buf));
7744
7745 EXPECT_EQ(5, SSL_write(server.get(), "world", 5));
7746 ASSERT_EQ(5, BIO_read(client_bio.get(), buf, sizeof(buf)));
7747 EXPECT_EQ(Bytes("world"), Bytes(buf));
7748
7749 // |BIO_should_read| should work.
7750 EXPECT_EQ(-1, BIO_read(client_bio.get(), buf, sizeof(buf)));
7751 EXPECT_TRUE(BIO_should_read(client_bio.get()));
7752
7753 // Writing data should eventually exceed the buffer size and fail, reporting
7754 // |BIO_should_write|.
7755 int ret;
7756 for (int i = 0; i < 1024; i++) {
7757 const uint8_t kZeros[1024] = {0};
7758 ret = BIO_write(client_bio.get(), kZeros, sizeof(kZeros));
7759 if (ret <= 0) {
7760 break;
7761 }
7762 }
7763 EXPECT_EQ(-1, ret);
7764 EXPECT_TRUE(BIO_should_write(client_bio.get()));
7765 }
7766 }
7767
TEST(SSLTest,ALPNConfig)7768 TEST(SSLTest, ALPNConfig) {
7769 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
7770 ASSERT_TRUE(ctx);
7771 bssl::UniquePtr<X509> cert = GetTestCertificate();
7772 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
7773 ASSERT_TRUE(cert);
7774 ASSERT_TRUE(key);
7775 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), cert.get()));
7776 ASSERT_TRUE(SSL_CTX_use_PrivateKey(ctx.get(), key.get()));
7777
7778 // Set up some machinery to check the configured ALPN against what is actually
7779 // sent over the wire. Note that the ALPN callback is only called when the
7780 // client offers ALPN.
7781 std::vector<uint8_t> observed_alpn;
7782 SSL_CTX_set_alpn_select_cb(
7783 ctx.get(),
7784 [](SSL *ssl, const uint8_t **out, uint8_t *out_len, const uint8_t *in,
7785 unsigned in_len, void *arg) -> int {
7786 std::vector<uint8_t> *observed_alpn_ptr =
7787 static_cast<std::vector<uint8_t> *>(arg);
7788 observed_alpn_ptr->assign(in, in + in_len);
7789 return SSL_TLSEXT_ERR_NOACK;
7790 },
7791 &observed_alpn);
7792 auto check_alpn_proto = [&](Span<const uint8_t> expected) {
7793 observed_alpn.clear();
7794 bssl::UniquePtr<SSL> client, server;
7795 ASSERT_TRUE(ConnectClientAndServer(&client, &server, ctx.get(), ctx.get()));
7796 EXPECT_EQ(Bytes(expected), Bytes(observed_alpn));
7797 };
7798
7799 // Note that |SSL_CTX_set_alpn_protos|'s return value is reversed.
7800 static const uint8_t kValidList[] = {0x03, 'f', 'o', 'o',
7801 0x03, 'b', 'a', 'r'};
7802 EXPECT_EQ(0,
7803 SSL_CTX_set_alpn_protos(ctx.get(), kValidList, sizeof(kValidList)));
7804 check_alpn_proto(kValidList);
7805
7806 // Invalid lists are rejected.
7807 static const uint8_t kInvalidList[] = {0x04, 'f', 'o', 'o'};
7808 EXPECT_EQ(1, SSL_CTX_set_alpn_protos(ctx.get(), kInvalidList,
7809 sizeof(kInvalidList)));
7810
7811 // Empty lists are valid and are interpreted as disabling ALPN.
7812 EXPECT_EQ(0, SSL_CTX_set_alpn_protos(ctx.get(), nullptr, 0));
7813 check_alpn_proto({});
7814 }
7815
7816 // Test that the key usage checker can correctly handle issuerUID and
7817 // subjectUID. See https://crbug.com/1199744.
TEST(SSLTest,KeyUsageWithUIDs)7818 TEST(SSLTest, KeyUsageWithUIDs) {
7819 static const char kGoodKeyUsage[] = R"(
7820 -----BEGIN CERTIFICATE-----
7821 MIIB7DCCAZOgAwIBAgIJANlMBNpJfb/rMAoGCCqGSM49BAMCMEUxCzAJBgNVBAYT
7822 AkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRn
7823 aXRzIFB0eSBMdGQwHhcNMTQwNDIzMjMyMTU3WhcNMTQwNTIzMjMyMTU3WjBFMQsw
7824 CQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJu
7825 ZXQgV2lkZ2l0cyBQdHkgTHRkMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE5itp
7826 4r9ln5e+Lx4NlIpM1Zdrt6keDUb73ampHp3culoB59aXqAoY+cPEox5W4nyDSNsW
7827 Ghz1HX7xlC1Lz3IiwYEEABI0VoIEABI0VqNgMF4wHQYDVR0OBBYEFKuE0qyrlfCC
7828 ThZ4B1VXX+QmjYLRMB8GA1UdIwQYMBaAFKuE0qyrlfCCThZ4B1VXX+QmjYLRMA4G
7829 A1UdDwEB/wQEAwIHgDAMBgNVHRMEBTADAQH/MAoGCCqGSM49BAMCA0cAMEQCIEWJ
7830 34EcqW5MHwLIA1hZ2Tj/jV2QjN02KLxis9mFsqDKAiAMlMTkzsM51vVs9Ohqa+Rc
7831 4Z7qDhjIhiF4dM0uEDYRVA==
7832 -----END CERTIFICATE-----
7833 )";
7834 static const char kBadKeyUsage[] = R"(
7835 -----BEGIN CERTIFICATE-----
7836 MIIB7jCCAZOgAwIBAgIJANlMBNpJfb/rMAoGCCqGSM49BAMCMEUxCzAJBgNVBAYT
7837 AkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRn
7838 aXRzIFB0eSBMdGQwHhcNMTQwNDIzMjMyMTU3WhcNMTQwNTIzMjMyMTU3WjBFMQsw
7839 CQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJu
7840 ZXQgV2lkZ2l0cyBQdHkgTHRkMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE5itp
7841 4r9ln5e+Lx4NlIpM1Zdrt6keDUb73ampHp3culoB59aXqAoY+cPEox5W4nyDSNsW
7842 Ghz1HX7xlC1Lz3IiwYEEABI0VoIEABI0VqNgMF4wHQYDVR0OBBYEFKuE0qyrlfCC
7843 ThZ4B1VXX+QmjYLRMB8GA1UdIwQYMBaAFKuE0qyrlfCCThZ4B1VXX+QmjYLRMA4G
7844 A1UdDwEB/wQEAwIDCDAMBgNVHRMEBTADAQH/MAoGCCqGSM49BAMCA0kAMEYCIQC6
7845 taYBUDu2gcZC6EMk79FBHArYI0ucF+kzvETegZCbBAIhANtObFec5gtso/47moPD
7846 RHrQbWsFUakETXL9QMlegh5t
7847 -----END CERTIFICATE-----
7848 )";
7849
7850 bssl::UniquePtr<X509> good = CertFromPEM(kGoodKeyUsage);
7851 ASSERT_TRUE(good);
7852 bssl::UniquePtr<X509> bad = CertFromPEM(kBadKeyUsage);
7853 ASSERT_TRUE(bad);
7854
7855 // We check key usage when configuring EC certificates to distinguish ECDSA
7856 // and ECDH.
7857 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
7858 ASSERT_TRUE(ctx);
7859 EXPECT_TRUE(SSL_CTX_use_certificate(ctx.get(), good.get()));
7860 EXPECT_FALSE(SSL_CTX_use_certificate(ctx.get(), bad.get()));
7861 }
7862
7863 // Test that |SSL_can_release_private_key| reports true as early as expected.
7864 // The internal asserts in the library check we do not report true too early.
TEST(SSLTest,CanReleasePrivateKey)7865 TEST(SSLTest, CanReleasePrivateKey) {
7866 bssl::UniquePtr<SSL_CTX> client_ctx =
7867 CreateContextWithTestCertificate(TLS_method());
7868 ASSERT_TRUE(client_ctx);
7869 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
7870
7871 // Note this assumes the transport buffer is large enough to fit the client
7872 // and server first flights. We check this with |SSL_ERROR_WANT_READ|. If the
7873 // transport buffer was too small it would return |SSL_ERROR_WANT_WRITE|.
7874 auto check_first_server_round_trip = [&](SSL *client, SSL *server) {
7875 // Write the ClientHello.
7876 ASSERT_EQ(-1, SSL_do_handshake(client));
7877 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(client, -1));
7878
7879 // Consume the ClientHello and write the server flight.
7880 ASSERT_EQ(-1, SSL_do_handshake(server));
7881 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(server, -1));
7882
7883 EXPECT_TRUE(SSL_can_release_private_key(server));
7884 };
7885
7886 {
7887 SCOPED_TRACE("TLS 1.2 ECDHE");
7888 bssl::UniquePtr<SSL_CTX> server_ctx(
7889 CreateContextWithTestCertificate(TLS_method()));
7890 ASSERT_TRUE(server_ctx);
7891 ASSERT_TRUE(
7892 SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_2_VERSION));
7893 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(
7894 server_ctx.get(), "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"));
7895 // Configure the server to request client certificates, so we can also test
7896 // the client half.
7897 SSL_CTX_set_custom_verify(
7898 server_ctx.get(), SSL_VERIFY_PEER,
7899 [](SSL *ssl, uint8_t *out_alert) { return ssl_verify_ok; });
7900 bssl::UniquePtr<SSL> client, server;
7901 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
7902 server_ctx.get()));
7903 check_first_server_round_trip(client.get(), server.get());
7904
7905 // Consume the server flight and write the client response. The client still
7906 // has a Finished message to consume but can also release its key early.
7907 ASSERT_EQ(-1, SSL_do_handshake(client.get()));
7908 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(client.get(), -1));
7909 EXPECT_TRUE(SSL_can_release_private_key(client.get()));
7910
7911 // However, a client that has not disabled renegotiation can never release
7912 // the key.
7913 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
7914 server_ctx.get()));
7915 SSL_set_renegotiate_mode(client.get(), ssl_renegotiate_freely);
7916 check_first_server_round_trip(client.get(), server.get());
7917 ASSERT_EQ(-1, SSL_do_handshake(client.get()));
7918 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(client.get(), -1));
7919 EXPECT_FALSE(SSL_can_release_private_key(client.get()));
7920 }
7921
7922 {
7923 SCOPED_TRACE("TLS 1.2 resumption");
7924 bssl::UniquePtr<SSL_CTX> server_ctx(
7925 CreateContextWithTestCertificate(TLS_method()));
7926 ASSERT_TRUE(server_ctx);
7927 ASSERT_TRUE(
7928 SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_2_VERSION));
7929 bssl::UniquePtr<SSL_SESSION> session =
7930 CreateClientSession(client_ctx.get(), server_ctx.get());
7931 ASSERT_TRUE(session);
7932 bssl::UniquePtr<SSL> client, server;
7933 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
7934 server_ctx.get()));
7935 SSL_set_session(client.get(), session.get());
7936 check_first_server_round_trip(client.get(), server.get());
7937 }
7938
7939 {
7940 SCOPED_TRACE("TLS 1.3 1-RTT");
7941 bssl::UniquePtr<SSL_CTX> server_ctx(
7942 CreateContextWithTestCertificate(TLS_method()));
7943 ASSERT_TRUE(server_ctx);
7944 ASSERT_TRUE(
7945 SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
7946 bssl::UniquePtr<SSL> client, server;
7947 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
7948 server_ctx.get()));
7949 check_first_server_round_trip(client.get(), server.get());
7950 }
7951
7952 {
7953 SCOPED_TRACE("TLS 1.3 resumption");
7954 bssl::UniquePtr<SSL_CTX> server_ctx(
7955 CreateContextWithTestCertificate(TLS_method()));
7956 ASSERT_TRUE(server_ctx);
7957 ASSERT_TRUE(
7958 SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
7959 bssl::UniquePtr<SSL_SESSION> session =
7960 CreateClientSession(client_ctx.get(), server_ctx.get());
7961 ASSERT_TRUE(session);
7962 bssl::UniquePtr<SSL> client, server;
7963 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
7964 server_ctx.get()));
7965 SSL_set_session(client.get(), session.get());
7966 check_first_server_round_trip(client.get(), server.get());
7967 }
7968 }
7969
7970 // GetExtensionOrder sets |*out| to the list of extensions a client attached to
7971 // |ctx| will send in the ClientHello. If |ech_keys| is non-null, the client
7972 // will offer ECH with the public component. If |decrypt_ech| is true, |*out|
7973 // will be set to the ClientHelloInner's extensions, rather than
7974 // ClientHelloOuter.
GetExtensionOrder(SSL_CTX * client_ctx,std::vector<uint16_t> * out,SSL_ECH_KEYS * ech_keys,bool decrypt_ech)7975 static bool GetExtensionOrder(SSL_CTX *client_ctx, std::vector<uint16_t> *out,
7976 SSL_ECH_KEYS *ech_keys, bool decrypt_ech) {
7977 struct AppData {
7978 std::vector<uint16_t> *out;
7979 bool decrypt_ech;
7980 bool callback_done = false;
7981 };
7982 AppData app_data;
7983 app_data.out = out;
7984 app_data.decrypt_ech = decrypt_ech;
7985
7986 bssl::UniquePtr<SSL_CTX> server_ctx =
7987 CreateContextWithTestCertificate(TLS_method());
7988 if (!server_ctx || //
7989 !SSL_CTX_set_app_data(server_ctx.get(), &app_data) ||
7990 (decrypt_ech && !SSL_CTX_set1_ech_keys(server_ctx.get(), ech_keys))) {
7991 return false;
7992 }
7993
7994 // Configure the server to record the ClientHello extension order. We use a
7995 // server rather than |GetClientHello| so it can decrypt ClientHelloInner.
7996 SSL_CTX_set_select_certificate_cb(
7997 server_ctx.get(),
7998 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
7999 AppData *app_data_ptr = static_cast<AppData *>(
8000 SSL_CTX_get_app_data(SSL_get_SSL_CTX(client_hello->ssl)));
8001 EXPECT_EQ(app_data_ptr->decrypt_ech ? 1 : 0,
8002 SSL_ech_accepted(client_hello->ssl));
8003
8004 app_data_ptr->out->clear();
8005 CBS extensions;
8006 CBS_init(&extensions, client_hello->extensions,
8007 client_hello->extensions_len);
8008 while (CBS_len(&extensions)) {
8009 uint16_t type;
8010 CBS body;
8011 if (!CBS_get_u16(&extensions, &type) ||
8012 !CBS_get_u16_length_prefixed(&extensions, &body)) {
8013 return ssl_select_cert_error;
8014 }
8015 app_data_ptr->out->push_back(type);
8016 }
8017
8018 // Don't bother completing the handshake.
8019 app_data_ptr->callback_done = true;
8020 return ssl_select_cert_error;
8021 });
8022
8023 bssl::UniquePtr<SSL> client, server;
8024 if (!CreateClientAndServer(&client, &server, client_ctx, server_ctx.get()) ||
8025 (ech_keys != nullptr && !InstallECHConfigList(client.get(), ech_keys))) {
8026 return false;
8027 }
8028
8029 // Run the handshake far enough to process the ClientHello.
8030 SSL_do_handshake(client.get());
8031 SSL_do_handshake(server.get());
8032 return app_data.callback_done;
8033 }
8034
8035 // Test that, when extension permutation is enabled, the ClientHello extension
8036 // order changes, both with and without ECH, and in both ClientHelloInner and
8037 // ClientHelloOuter.
TEST(SSLTest,PermuteExtensions)8038 TEST(SSLTest, PermuteExtensions) {
8039 bssl::UniquePtr<SSL_ECH_KEYS> keys = MakeTestECHKeys();
8040 ASSERT_TRUE(keys);
8041 for (bool offer_ech : {false, true}) {
8042 SCOPED_TRACE(offer_ech);
8043 SSL_ECH_KEYS *maybe_keys = offer_ech ? keys.get() : nullptr;
8044 for (bool decrypt_ech : {false, true}) {
8045 SCOPED_TRACE(decrypt_ech);
8046 if (!offer_ech && decrypt_ech) {
8047 continue;
8048 }
8049
8050 // When extension permutation is disabled, the order should be consistent.
8051 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
8052 ASSERT_TRUE(ctx);
8053 std::vector<uint16_t> order1, order2;
8054 ASSERT_TRUE(
8055 GetExtensionOrder(ctx.get(), &order1, maybe_keys, decrypt_ech));
8056 ASSERT_TRUE(
8057 GetExtensionOrder(ctx.get(), &order2, maybe_keys, decrypt_ech));
8058 EXPECT_EQ(order1, order2);
8059
8060 ctx.reset(SSL_CTX_new(TLS_method()));
8061 ASSERT_TRUE(ctx);
8062 SSL_CTX_set_permute_extensions(ctx.get(), 1);
8063
8064 // When extension permutation is enabled, each ClientHello should have a
8065 // different order.
8066 //
8067 // This test is inherently flaky, so we run it multiple times. We send at
8068 // least five extensions by default from TLS 1.3: supported_versions,
8069 // key_share, supported_groups, psk_key_exchange_modes, and
8070 // signature_algorithms. That means the probability of a false negative is
8071 // at most 1/120. Repeating the test 14 times lowers false negative rate
8072 // to under 2^-96.
8073 ASSERT_TRUE(
8074 GetExtensionOrder(ctx.get(), &order1, maybe_keys, decrypt_ech));
8075 EXPECT_GE(order1.size(), 5u);
8076 static const int kNumIterations = 14;
8077 bool passed = false;
8078 for (int i = 0; i < kNumIterations; i++) {
8079 ASSERT_TRUE(
8080 GetExtensionOrder(ctx.get(), &order2, maybe_keys, decrypt_ech));
8081 if (order1 != order2) {
8082 passed = true;
8083 break;
8084 }
8085 }
8086 EXPECT_TRUE(passed) << "Extensions were not permuted";
8087 }
8088 }
8089 }
8090
TEST(SSLTest,HostMatching)8091 TEST(SSLTest, HostMatching) {
8092 static const char kCertPEM[] = R"(
8093 -----BEGIN CERTIFICATE-----
8094 MIIB9jCCAZ2gAwIBAgIQeudG9R61BOxUvWkeVhU5DTAKBggqhkjOPQQDAjApMRAw
8095 DgYDVQQKEwdBY21lIENvMRUwEwYDVQQDEwxleGFtcGxlMy5jb20wHhcNMjExMjA2
8096 MjA1NjU2WhcNMjIxMjA2MjA1NjU2WjApMRAwDgYDVQQKEwdBY21lIENvMRUwEwYD
8097 VQQDEwxleGFtcGxlMy5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS7l2VO
8098 Bl2TjVm9WfGk24+hMbVFUNB+RVHWbCvFvNZAoWiIJ2z34RLGInyZvCZ8xLAvsuaW
8099 ULDDaoeDl1M0t4Hmo4GmMIGjMA4GA1UdDwEB/wQEAwIChDATBgNVHSUEDDAKBggr
8100 BgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTTJWurcc1t+VPQBko3
8101 Gsw6cbcWSTBMBgNVHREERTBDggxleGFtcGxlMS5jb22CDGV4YW1wbGUyLmNvbYIP
8102 YSouZXhhbXBsZTQuY29tgg4qLmV4YW1wbGU1LmNvbYcEAQIDBDAKBggqhkjOPQQD
8103 AgNHADBEAiAAv0ljHJGrgyzZDkG6XvNZ5ewxRfnXcZuD0Y7E4giCZgIgNK1qjilu
8104 5DyVbfKeeJhOCtGxqE1dWLXyJBnoRomSYBY=
8105 -----END CERTIFICATE-----
8106 )";
8107 bssl::UniquePtr<X509> cert(CertFromPEM(kCertPEM));
8108 ASSERT_TRUE(cert);
8109 static const char kCertNoSANsPEM[] = R"(
8110 -----BEGIN CERTIFICATE-----
8111 MIIBqzCCAVGgAwIBAgIQeudG9R61BOxUvWkeVhU5DTAKBggqhkjOPQQDAjArMRIw
8112 EAYDVQQKEwlBY21lIENvIDIxFTATBgNVBAMTDGV4YW1wbGUzLmNvbTAeFw0yMTEy
8113 MDYyMDU2NTZaFw0yMjEyMDYyMDU2NTZaMCsxEjAQBgNVBAoTCUFjbWUgQ28gMjEV
8114 MBMGA1UEAxMMZXhhbXBsZTMuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
8115 u5dlTgZdk41ZvVnxpNuPoTG1RVDQfkVR1mwrxbzWQKFoiCds9+ESxiJ8mbwmfMSw
8116 L7LmllCww2qHg5dTNLeB5qNXMFUwDgYDVR0PAQH/BAQDAgKEMBMGA1UdJQQMMAoG
8117 CCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNMla6txzW35U9AG
8118 SjcazDpxtxZJMAoGCCqGSM49BAMCA0gAMEUCIG3YWGWtpVhbcGV7wFKQwTfmvwHW
8119 pw4qCFZlool4hCwsAiEA+2fc6NfSbNpFEtQkDOMJW2ANiScAVEmImNqPfb2klz4=
8120 -----END CERTIFICATE-----
8121 )";
8122 bssl::UniquePtr<X509> cert_no_sans(CertFromPEM(kCertNoSANsPEM));
8123 ASSERT_TRUE(cert_no_sans);
8124
8125 static const char kKeyPEM[] = R"(
8126 -----BEGIN PRIVATE KEY-----
8127 MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQghsaSZhUzZAcQlLyJ
8128 MDuy7WPdyqNsAX9rmEP650LF/q2hRANCAAS7l2VOBl2TjVm9WfGk24+hMbVFUNB+
8129 RVHWbCvFvNZAoWiIJ2z34RLGInyZvCZ8xLAvsuaWULDDaoeDl1M0t4Hm
8130 -----END PRIVATE KEY-----
8131 )";
8132 bssl::UniquePtr<EVP_PKEY> key(KeyFromPEM(kKeyPEM));
8133 ASSERT_TRUE(key);
8134
8135 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
8136 ASSERT_TRUE(client_ctx);
8137 ASSERT_TRUE(X509_STORE_add_cert(SSL_CTX_get_cert_store(client_ctx.get()),
8138 cert.get()));
8139 ASSERT_TRUE(X509_STORE_add_cert(SSL_CTX_get_cert_store(client_ctx.get()),
8140 cert_no_sans.get()));
8141 SSL_CTX_set_verify(client_ctx.get(),
8142 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
8143 nullptr);
8144 X509_VERIFY_PARAM_set_flags(SSL_CTX_get0_param(client_ctx.get()),
8145 X509_V_FLAG_NO_CHECK_TIME);
8146
8147 struct TestCase {
8148 X509 *cert;
8149 std::string hostname;
8150 unsigned flags;
8151 bool should_match;
8152 };
8153 std::vector<TestCase> kTests = {
8154 // These two names are present as SANs in the certificate.
8155 {cert.get(), "example1.com", 0, true},
8156 {cert.get(), "example2.com", 0, true},
8157 // This is the CN of the certificate, but that shouldn't matter if a SAN
8158 // extension is present.
8159 {cert.get(), "example3.com", 0, false},
8160 // If the SAN is not present, we, for now, look for DNS names in the CN.
8161 {cert_no_sans.get(), "example3.com", 0, true},
8162 // ... but this can be turned off.
8163 {cert_no_sans.get(), "example3.com", X509_CHECK_FLAG_NEVER_CHECK_SUBJECT,
8164 false},
8165 // a*.example4.com is a SAN, but is invalid.
8166 {cert.get(), "abc.example4.com", 0, false},
8167 // *.example5.com is a SAN in the certificate, which is a normal and valid
8168 // wildcard.
8169 {cert.get(), "abc.example5.com", 0, true},
8170 // This name is not present.
8171 {cert.get(), "notexample1.com", 0, false},
8172 // The IPv4 address 1.2.3.4 is a SAN, but that shouldn't match against a
8173 // hostname that happens to be its textual representation.
8174 {cert.get(), "1.2.3.4", 0, false},
8175 };
8176
8177 for (const TestCase &test : kTests) {
8178 SCOPED_TRACE(test.hostname);
8179
8180 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
8181 ASSERT_TRUE(server_ctx);
8182 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), test.cert));
8183 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
8184
8185 ClientConfig config;
8186 bssl::UniquePtr<SSL> client, server;
8187 config.verify_hostname = test.hostname;
8188 config.hostflags = test.flags;
8189 EXPECT_EQ(test.should_match,
8190 ConnectClientAndServer(&client, &server, client_ctx.get(),
8191 server_ctx.get(), config));
8192 }
8193 }
8194
TEST(SSLTest,NumTickets)8195 TEST(SSLTest, NumTickets) {
8196 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
8197 ASSERT_TRUE(server_ctx);
8198 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
8199 ASSERT_TRUE(client_ctx);
8200 bssl::UniquePtr<X509> cert = GetTestCertificate();
8201 ASSERT_TRUE(cert);
8202 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
8203 ASSERT_TRUE(key);
8204 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
8205 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
8206 SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH);
8207
8208 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
8209 static size_t ticket_count;
8210 SSL_CTX_sess_set_new_cb(client_ctx.get(), [](SSL *, SSL_SESSION *) -> int {
8211 ticket_count++;
8212 return 0;
8213 });
8214
8215 auto count_tickets = [&]() -> size_t {
8216 ticket_count = 0;
8217 bssl::UniquePtr<SSL> client, server;
8218 if (!ConnectClientAndServer(&client, &server, client_ctx.get(),
8219 server_ctx.get()) ||
8220 !FlushNewSessionTickets(client.get(), server.get())) {
8221 ADD_FAILURE() << "Could not run handshake";
8222 return 0;
8223 }
8224 return ticket_count;
8225 };
8226
8227 // By default, we should send two tickets.
8228 EXPECT_EQ(count_tickets(), 2u);
8229
8230 for (size_t num_tickets : {0, 1, 2, 3, 4, 5}) {
8231 SCOPED_TRACE(num_tickets);
8232 ASSERT_TRUE(SSL_CTX_set_num_tickets(server_ctx.get(), num_tickets));
8233 EXPECT_EQ(SSL_CTX_get_num_tickets(server_ctx.get()), num_tickets);
8234 EXPECT_EQ(count_tickets(), num_tickets);
8235 }
8236
8237 // Configuring too many tickets causes us to stop at some point.
8238 ASSERT_TRUE(SSL_CTX_set_num_tickets(server_ctx.get(), 100000));
8239 EXPECT_EQ(SSL_CTX_get_num_tickets(server_ctx.get()), 16u);
8240 EXPECT_EQ(count_tickets(), 16u);
8241 }
8242
TEST(SSLTest,CertSubjectsToStack)8243 TEST(SSLTest, CertSubjectsToStack) {
8244 const std::string kCert1 = R"(
8245 -----BEGIN CERTIFICATE-----
8246 MIIBzzCCAXagAwIBAgIJANlMBNpJfb/rMAkGByqGSM49BAEwRTELMAkGA1UEBhMC
8247 QVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdp
8248 dHMgUHR5IEx0ZDAeFw0xNDA0MjMyMzIxNTdaFw0xNDA1MjMyMzIxNTdaMEUxCzAJ
8249 BgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5l
8250 dCBXaWRnaXRzIFB0eSBMdGQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATmK2ni
8251 v2Wfl74vHg2UikzVl2u3qR4NRvvdqakendy6WgHn1peoChj5w8SjHlbifINI2xYa
8252 HPUdfvGULUvPciLBo1AwTjAdBgNVHQ4EFgQUq4TSrKuV8IJOFngHVVdf5CaNgtEw
8253 HwYDVR0jBBgwFoAUq4TSrKuV8IJOFngHVVdf5CaNgtEwDAYDVR0TBAUwAwEB/zAJ
8254 BgcqhkjOPQQBA0gAMEUCIQDyoDVeUTo2w4J5m+4nUIWOcAZ0lVfSKXQA9L4Vh13E
8255 BwIgfB55FGohg/B6dGh5XxSZmmi08cueFV7mHzJSYV51yRQ=
8256 -----END CERTIFICATE-----
8257 )";
8258 const std::vector<uint8_t> kName1 = {
8259 0x30, 0x45, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
8260 0x02, 0x41, 0x55, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
8261 0x0c, 0x0a, 0x53, 0x6f, 0x6d, 0x65, 0x2d, 0x53, 0x74, 0x61, 0x74, 0x65,
8262 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x18, 0x49,
8263 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x20, 0x57, 0x69, 0x64, 0x67,
8264 0x69, 0x74, 0x73, 0x20, 0x50, 0x74, 0x79, 0x20, 0x4c, 0x74, 0x64};
8265 const std::string kCert2 = R"(
8266 -----BEGIN CERTIFICATE-----
8267 MIICXjCCAcegAwIBAgIIWjO48ufpunYwDQYJKoZIhvcNAQELBQAwNjEaMBgGA1UE
8268 ChMRQm9yaW5nU1NMIFRFU1RJTkcxGDAWBgNVBAMTD0ludGVybWVkaWF0ZSBDQTAg
8269 Fw0xNTAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowMjEaMBgGA1UEChMRQm9y
8270 aW5nU1NMIFRFU1RJTkcxFDASBgNVBAMTC2V4YW1wbGUuY29tMIGfMA0GCSqGSIb3
8271 DQEBAQUAA4GNADCBiQKBgQDD0U0ZYgqShJ7oOjsyNKyVXEHqeafmk/bAoPqY/h1c
8272 oPw2E8KmeqiUSoTPjG5IXSblOxcqpbAXgnjPzo8DI3GNMhAf8SYNYsoH7gc7Uy7j
8273 5x8bUrisGnuTHqkqH6d4/e7ETJ7i3CpR8bvK16DggEvQTudLipz8FBHtYhFakfdh
8274 TwIDAQABo3cwdTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEG
8275 CCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwGQYDVR0OBBIEEKN5pvbur7mlXjeMEYA0
8276 4nUwGwYDVR0jBBQwEoAQjBpoqLV2211Xex+NFLIGozANBgkqhkiG9w0BAQsFAAOB
8277 gQBj/p+JChp//LnXWC1k121LM/ii7hFzQzMrt70bny406SGz9jAjaPOX4S3gt38y
8278 rhjpPukBlSzgQXFg66y6q5qp1nQTD1Cw6NkKBe9WuBlY3iYfmsf7WT8nhlT1CttU
8279 xNCwyMX9mtdXdQicOfNjIGUCD5OLV5PgHFPRKiHHioBAhg==
8280 -----END CERTIFICATE-----
8281 )";
8282 const std::vector<uint8_t> kName2 = {
8283 0x30, 0x32, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0a,
8284 0x13, 0x11, 0x42, 0x6f, 0x72, 0x69, 0x6e, 0x67, 0x53, 0x53, 0x4c,
8285 0x20, 0x54, 0x45, 0x53, 0x54, 0x49, 0x4e, 0x47, 0x31, 0x14, 0x30,
8286 0x12, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x0b, 0x65, 0x78, 0x61,
8287 0x6d, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d};
8288
8289 const struct {
8290 std::vector<std::vector<uint8_t>> existing;
8291 std::string pem;
8292 std::vector<std::vector<uint8_t>> expected;
8293 } kTests[] = {
8294 // Do nothing.
8295 {{}, "", {}},
8296 // Append to an empty list, skipping duplicates.
8297 {{}, kCert1 + kCert2 + kCert1, {kName1, kName2}},
8298 // One of the names was already present.
8299 {{kName1}, kCert1 + kCert2, {kName1, kName2}},
8300 // Both names were already present.
8301 {{kName1, kName2}, kCert1 + kCert2, {kName1, kName2}},
8302 // Preserve existing duplicates.
8303 {{kName1, kName2, kName2}, kCert1 + kCert2, {kName1, kName2, kName2}},
8304 };
8305 for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kTests); i++) {
8306 SCOPED_TRACE(i);
8307 const auto &t = kTests[i];
8308
8309 bssl::UniquePtr<STACK_OF(X509_NAME)> stack(sk_X509_NAME_new_null());
8310 ASSERT_TRUE(stack);
8311 for (const auto& name : t.existing) {
8312 const uint8_t *inp = name.data();
8313 bssl::UniquePtr<X509_NAME> name_obj(
8314 d2i_X509_NAME(nullptr, &inp, name.size()));
8315 ASSERT_TRUE(name_obj);
8316 EXPECT_EQ(inp, name.data() + name.size());
8317 ASSERT_TRUE(bssl::PushToStack(stack.get(), std::move(name_obj)));
8318 }
8319
8320 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(t.pem.data(), t.pem.size()));
8321 ASSERT_TRUE(bio);
8322 ASSERT_TRUE(SSL_add_bio_cert_subjects_to_stack(stack.get(), bio.get()));
8323
8324 // The function should have left |stack|'s comparison function alone.
8325 EXPECT_EQ(nullptr, sk_X509_NAME_set_cmp_func(stack.get(), nullptr));
8326
8327 std::vector<std::vector<uint8_t>> expected = t.expected, result;
8328 for (X509_NAME *name : stack.get()) {
8329 uint8_t *der = nullptr;
8330 int der_len = i2d_X509_NAME(name, &der);
8331 ASSERT_GE(der_len, 0);
8332 result.push_back(std::vector<uint8_t>(der, der + der_len));
8333 OPENSSL_free(der);
8334 }
8335
8336 // |SSL_add_bio_cert_subjects_to_stack| does not return the output in a
8337 // well-defined order.
8338 std::sort(expected.begin(), expected.end());
8339 std::sort(result.begin(), result.end());
8340 EXPECT_EQ(result, expected);
8341 }
8342 }
8343
8344 #if defined(OPENSSL_LINUX) || defined(OPENSSL_APPLE)
TEST(SSLTest,EmptyClientCAList)8345 TEST(SSLTest, EmptyClientCAList) {
8346 // Use /dev/null on POSIX systems as an empty file.
8347 bssl::UniquePtr<STACK_OF(X509_NAME)> names(
8348 SSL_load_client_CA_file("/dev/null"));
8349 EXPECT_FALSE(names);
8350 }
8351 #endif // OPENSSL_LINUX || OPENSSL_APPLE
8352
TEST(SSLTest,EmptyWriteBlockedOnHandshakeData)8353 TEST(SSLTest, EmptyWriteBlockedOnHandshakeData) {
8354 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
8355 bssl::UniquePtr<SSL_CTX> server_ctx =
8356 CreateContextWithTestCertificate(TLS_method());
8357 ASSERT_TRUE(client_ctx);
8358 ASSERT_TRUE(server_ctx);
8359 // Configure only TLS 1.3. This test requires post-handshake NewSessionTicket.
8360 ASSERT_TRUE(SSL_CTX_set_min_proto_version(client_ctx.get(), TLS1_3_VERSION));
8361 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION));
8362
8363 // Connect a client and server with tiny buffer between the two.
8364 bssl::UniquePtr<SSL> client(SSL_new(client_ctx.get())),
8365 server(SSL_new(server_ctx.get()));
8366 ASSERT_TRUE(client);
8367 ASSERT_TRUE(server);
8368 SSL_set_connect_state(client.get());
8369 SSL_set_accept_state(server.get());
8370 BIO *bio1, *bio2;
8371 ASSERT_TRUE(BIO_new_bio_pair(&bio1, 1, &bio2, 1));
8372 SSL_set_bio(client.get(), bio1, bio1);
8373 SSL_set_bio(server.get(), bio2, bio2);
8374 ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
8375
8376 // We defer NewSessionTicket to the first write, so the server has a pending
8377 // NewSessionTicket. See https://boringssl-review.googlesource.com/34948. This
8378 // means an empty write will flush the ticket. However, the transport only
8379 // allows one byte through, so this will fail with |SSL_ERROR_WANT_WRITE|.
8380 int ret = SSL_write(server.get(), nullptr, 0);
8381 ASSERT_EQ(ret, -1);
8382 ASSERT_EQ(SSL_get_error(server.get(), ret), SSL_ERROR_WANT_WRITE);
8383
8384 // Attempting to write non-zero data should not trip |SSL_R_BAD_WRITE_RETRY|.
8385 const uint8_t kData[] = {'h', 'e', 'l', 'l', 'o'};
8386 ret = SSL_write(server.get(), kData, sizeof(kData));
8387 ASSERT_EQ(ret, -1);
8388 ASSERT_EQ(SSL_get_error(server.get(), ret), SSL_ERROR_WANT_WRITE);
8389
8390 // Byte by byte, the data should eventually get through.
8391 uint8_t buf[sizeof(kData)];
8392 for (;;) {
8393 ret = SSL_read(client.get(), buf, sizeof(buf));
8394 ASSERT_EQ(ret, -1);
8395 ASSERT_EQ(SSL_get_error(client.get(), ret), SSL_ERROR_WANT_READ);
8396
8397 ret = SSL_write(server.get(), kData, sizeof(kData));
8398 if (ret > 0) {
8399 ASSERT_EQ(ret, 5);
8400 break;
8401 }
8402 ASSERT_EQ(ret, -1);
8403 ASSERT_EQ(SSL_get_error(server.get(), ret), SSL_ERROR_WANT_WRITE);
8404 }
8405
8406 ret = SSL_read(client.get(), buf, sizeof(buf));
8407 ASSERT_EQ(ret, static_cast<int>(sizeof(kData)));
8408 ASSERT_EQ(Bytes(buf, ret), Bytes(kData));
8409 }
8410
8411 // Test that |SSL_ERROR_SYSCALL| continues to work after a close_notify.
TEST(SSLTest,ErrorSyscallAfterCloseNotify)8412 TEST(SSLTest, ErrorSyscallAfterCloseNotify) {
8413 // Make a custom |BIO| where writes fail, but without pushing to the error
8414 // queue.
8415 bssl::UniquePtr<BIO_METHOD> method(BIO_meth_new(0, nullptr));
8416 ASSERT_TRUE(method);
8417 BIO_meth_set_create(method.get(), [](BIO *b) -> int {
8418 BIO_set_init(b, 1);
8419 return 1;
8420 });
8421 static bool write_failed = false;
8422 BIO_meth_set_write(method.get(), [](BIO *, const char *, int) -> int {
8423 // Fail the operation and don't add to the error queue.
8424 write_failed = true;
8425 return -1;
8426 });
8427 bssl::UniquePtr<BIO> wbio_silent_error(BIO_new(method.get()));
8428 ASSERT_TRUE(wbio_silent_error);
8429
8430 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
8431 bssl::UniquePtr<SSL_CTX> server_ctx =
8432 CreateContextWithTestCertificate(TLS_method());
8433 ASSERT_TRUE(client_ctx);
8434 ASSERT_TRUE(server_ctx);
8435 bssl::UniquePtr<SSL> client, server;
8436 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
8437 server_ctx.get()));
8438
8439 // Replace the write |BIO| with |wbio_silent_error|.
8440 SSL_set0_wbio(client.get(), wbio_silent_error.release());
8441
8442 // Writes should fail. There is nothing in the error queue, so
8443 // |SSL_ERROR_SYSCALL| indicates the caller needs to check out-of-band.
8444 const uint8_t data[1] = {0};
8445 int ret = SSL_write(client.get(), data, sizeof(data));
8446 EXPECT_EQ(ret, -1);
8447 EXPECT_EQ(SSL_get_error(client.get(), ret), SSL_ERROR_SYSCALL);
8448 EXPECT_TRUE(write_failed);
8449 write_failed = false;
8450
8451 // Send a close_notify from the server. It should return 0 because
8452 // close_notify was sent, but not received. Confusingly, this is a success
8453 // output for |SSL_shutdown|'s API.
8454 EXPECT_EQ(SSL_shutdown(server.get()), 0);
8455
8456 // Read the close_notify on the client.
8457 uint8_t buf[1];
8458 ret = SSL_read(client.get(), buf, sizeof(buf));
8459 EXPECT_EQ(ret, 0);
8460 EXPECT_EQ(SSL_get_error(client.get(), ret), SSL_ERROR_ZERO_RETURN);
8461
8462 // Further calls to |SSL_read| continue to report |SSL_ERROR_ZERO_RETURN|.
8463 ret = SSL_read(client.get(), buf, sizeof(buf));
8464 EXPECT_EQ(ret, 0);
8465 EXPECT_EQ(SSL_get_error(client.get(), ret), SSL_ERROR_ZERO_RETURN);
8466
8467 // Although the client has seen close_notify, it should continue to report
8468 // |SSL_ERROR_SYSCALL| when its writes fail.
8469 ret = SSL_write(client.get(), data, sizeof(data));
8470 EXPECT_EQ(ret, -1);
8471 EXPECT_EQ(SSL_get_error(client.get(), ret), SSL_ERROR_SYSCALL);
8472 EXPECT_TRUE(write_failed);
8473 write_failed = false;
8474
8475 // Cause |BIO_write| to fail with a return value of zero instead.
8476 // |SSL_get_error| should not misinterpret this as a close_notify.
8477 //
8478 // This is not actually a correct implementation of |BIO_write|, but the rest
8479 // of the code treats zero from |BIO_write| as an error, so ensure it does so
8480 // correctly. Fixing https://crbug.com/boringssl/503 will make this case moot.
8481 BIO_meth_set_write(method.get(), [](BIO *, const char *, int) -> int {
8482 write_failed = true;
8483 return 0;
8484 });
8485 ret = SSL_write(client.get(), data, sizeof(data));
8486 EXPECT_EQ(ret, 0);
8487 EXPECT_EQ(SSL_get_error(client.get(), ret), SSL_ERROR_SYSCALL);
8488 EXPECT_TRUE(write_failed);
8489 write_failed = false;
8490 }
8491
8492 // Test that |SSL_shutdown|, when quiet shutdown is enabled, simulates receiving
8493 // a close_notify, down to |SSL_read| reporting |SSL_ERROR_ZERO_RETURN|.
TEST(SSLTest,QuietShutdown)8494 TEST(SSLTest, QuietShutdown) {
8495 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
8496 bssl::UniquePtr<SSL_CTX> server_ctx =
8497 CreateContextWithTestCertificate(TLS_method());
8498 ASSERT_TRUE(client_ctx);
8499 ASSERT_TRUE(server_ctx);
8500 SSL_CTX_set_quiet_shutdown(server_ctx.get(), 1);
8501 bssl::UniquePtr<SSL> client, server;
8502 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
8503 server_ctx.get()));
8504
8505 // Quiet shutdown is enabled, so |SSL_shutdown| on the server should
8506 // immediately return that bidirectional shutdown "completed".
8507 EXPECT_EQ(SSL_shutdown(server.get()), 1);
8508
8509 // Shut down writes so the client gets an EOF.
8510 EXPECT_TRUE(BIO_shutdown_wr(SSL_get_wbio(server.get())));
8511
8512 // Confirm no close notify was actually sent. Client reads should report a
8513 // transport EOF, not a close_notify. (Both have zero return, but
8514 // |SSL_get_error| is different.)
8515 char buf[1];
8516 int ret = SSL_read(client.get(), buf, sizeof(buf));
8517 EXPECT_EQ(ret, 0);
8518 EXPECT_EQ(SSL_get_error(client.get(), ret), SSL_ERROR_SYSCALL);
8519
8520 // The server believes bidirectional shutdown completed, so reads should
8521 // replay the (simulated) close_notify.
8522 ret = SSL_read(server.get(), buf, sizeof(buf));
8523 EXPECT_EQ(ret, 0);
8524 EXPECT_EQ(SSL_get_error(server.get(), ret), SSL_ERROR_ZERO_RETURN);
8525 }
8526
TEST(SSLTest,InvalidSignatureAlgorithm)8527 TEST(SSLTest, InvalidSignatureAlgorithm) {
8528 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
8529 ASSERT_TRUE(ctx);
8530
8531 static const uint16_t kInvalidPrefs[] = {1234};
8532 EXPECT_FALSE(SSL_CTX_set_signing_algorithm_prefs(
8533 ctx.get(), kInvalidPrefs, OPENSSL_ARRAY_SIZE(kInvalidPrefs)));
8534 EXPECT_FALSE(SSL_CTX_set_verify_algorithm_prefs(
8535 ctx.get(), kInvalidPrefs, OPENSSL_ARRAY_SIZE(kInvalidPrefs)));
8536
8537 static const uint16_t kDuplicatePrefs[] = {SSL_SIGN_RSA_PKCS1_SHA256,
8538 SSL_SIGN_RSA_PKCS1_SHA256};
8539 EXPECT_FALSE(SSL_CTX_set_signing_algorithm_prefs(
8540 ctx.get(), kDuplicatePrefs, OPENSSL_ARRAY_SIZE(kDuplicatePrefs)));
8541 EXPECT_FALSE(SSL_CTX_set_verify_algorithm_prefs(
8542 ctx.get(), kDuplicatePrefs, OPENSSL_ARRAY_SIZE(kDuplicatePrefs)));
8543 }
8544
8545 } // namespace
8546 BSSL_NAMESPACE_END
8547