1 /* Copyright (c) 2014, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15 #include <limits.h>
16 #include <stdio.h>
17 #include <string.h>
18 #include <time.h>
19
20 #include <algorithm>
21 #include <limits>
22 #include <string>
23 #include <utility>
24 #include <vector>
25
26 #include <gmock/gmock.h>
27 #include <gtest/gtest.h>
28
29 #include <openssl/aead.h>
30 #include <openssl/base64.h>
31 #include <openssl/bytestring.h>
32 #include <openssl/bio.h>
33 #include <openssl/cipher.h>
34 #include <openssl/crypto.h>
35 #include <openssl/curve25519.h>
36 #include <openssl/err.h>
37 #include <openssl/hmac.h>
38 #include <openssl/hpke.h>
39 #include <openssl/pem.h>
40 #include <openssl/sha.h>
41 #include <openssl/ssl.h>
42 #include <openssl/rand.h>
43 #include <openssl/x509.h>
44
45 #include "internal.h"
46 #include "../crypto/internal.h"
47 #include "../crypto/test/file_util.h"
48 #include "../crypto/test/test_util.h"
49
50 #if defined(OPENSSL_WINDOWS)
51 // Windows defines struct timeval in winsock2.h.
52 OPENSSL_MSVC_PRAGMA(warning(push, 3))
53 #include <winsock2.h>
54 OPENSSL_MSVC_PRAGMA(warning(pop))
55 #else
56 #include <sys/time.h>
57 #endif
58
59 #if defined(OPENSSL_THREADS)
60 #include <thread>
61 #endif
62
63
64 using testing::ElementsAre;
65 using testing::Key;
66
67 BSSL_NAMESPACE_BEGIN
68
69 namespace {
70
71 #define TRACED_CALL(code) \
72 do { \
73 SCOPED_TRACE("<- called from here"); \
74 code; \
75 if (::testing::Test::HasFatalFailure()) { \
76 return; \
77 } \
78 } while (false)
79
80 struct VersionParam {
81 uint16_t version;
82 enum { is_tls, is_dtls } ssl_method;
83 const char name[8];
84 };
85
86 static const size_t kTicketKeyLen = 48;
87
88 static const VersionParam kAllVersions[] = {
89 {TLS1_VERSION, VersionParam::is_tls, "TLS1"},
90 {TLS1_1_VERSION, VersionParam::is_tls, "TLS1_1"},
91 {TLS1_2_VERSION, VersionParam::is_tls, "TLS1_2"},
92 {TLS1_3_VERSION, VersionParam::is_tls, "TLS1_3"},
93 {DTLS1_VERSION, VersionParam::is_dtls, "DTLS1"},
94 {DTLS1_2_VERSION, VersionParam::is_dtls, "DTLS1_2"},
95 };
96
97 struct ExpectedCipher {
98 unsigned long id;
99 int in_group_flag;
100 };
101
102 struct CipherTest {
103 // The rule string to apply.
104 const char *rule;
105 // The list of expected ciphers, in order.
106 std::vector<ExpectedCipher> expected;
107 // True if this cipher list should fail in strict mode.
108 bool strict_fail;
109 };
110
111 struct CurveTest {
112 // The rule string to apply.
113 const char *rule;
114 // The list of expected curves, in order.
115 std::vector<uint16_t> expected;
116 };
117
118 template <typename T>
119 class UnownedSSLExData {
120 public:
UnownedSSLExData()121 UnownedSSLExData() {
122 index_ = SSL_get_ex_new_index(0, nullptr, nullptr, nullptr, nullptr);
123 }
124
Get(const SSL * ssl)125 T *Get(const SSL *ssl) {
126 return index_ < 0 ? nullptr
127 : static_cast<T *>(SSL_get_ex_data(ssl, index_));
128 }
129
Set(SSL * ssl,T * t)130 bool Set(SSL *ssl, T *t) {
131 return index_ >= 0 && SSL_set_ex_data(ssl, index_, t);
132 }
133
134 private:
135 int index_;
136 };
137
138 static const CipherTest kCipherTests[] = {
139 // Selecting individual ciphers should work.
140 {
141 "ECDHE-ECDSA-CHACHA20-POLY1305:"
142 "ECDHE-RSA-CHACHA20-POLY1305:"
143 "ECDHE-ECDSA-AES128-GCM-SHA256:"
144 "ECDHE-RSA-AES128-GCM-SHA256",
145 {
146 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
147 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
148 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
149 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
150 },
151 false,
152 },
153 // + reorders selected ciphers to the end, keeping their relative order.
154 {
155 "ECDHE-ECDSA-CHACHA20-POLY1305:"
156 "ECDHE-RSA-CHACHA20-POLY1305:"
157 "ECDHE-ECDSA-AES128-GCM-SHA256:"
158 "ECDHE-RSA-AES128-GCM-SHA256:"
159 "+aRSA",
160 {
161 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
162 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
163 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
164 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
165 },
166 false,
167 },
168 // ! banishes ciphers from future selections.
169 {
170 "!aRSA:"
171 "ECDHE-ECDSA-CHACHA20-POLY1305:"
172 "ECDHE-RSA-CHACHA20-POLY1305:"
173 "ECDHE-ECDSA-AES128-GCM-SHA256:"
174 "ECDHE-RSA-AES128-GCM-SHA256",
175 {
176 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
177 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
178 },
179 false,
180 },
181 // Multiple masks can be ANDed in a single rule.
182 {
183 "kRSA+AESGCM+AES128",
184 {
185 {TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0},
186 },
187 false,
188 },
189 // - removes selected ciphers, but preserves their order for future
190 // selections. Select AES_128_GCM, but order the key exchanges RSA,
191 // ECDHE_RSA.
192 {
193 "ALL:-kECDHE:"
194 "-kRSA:-ALL:"
195 "AESGCM+AES128+aRSA",
196 {
197 {TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0},
198 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
199 },
200 false,
201 },
202 // Unknown selectors are no-ops, except in strict mode.
203 {
204 "ECDHE-ECDSA-CHACHA20-POLY1305:"
205 "ECDHE-RSA-CHACHA20-POLY1305:"
206 "ECDHE-ECDSA-AES128-GCM-SHA256:"
207 "ECDHE-RSA-AES128-GCM-SHA256:"
208 "BOGUS1",
209 {
210 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
211 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
212 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
213 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
214 },
215 true,
216 },
217 // Unknown selectors are no-ops, except in strict mode.
218 {
219 "ECDHE-ECDSA-CHACHA20-POLY1305:"
220 "ECDHE-RSA-CHACHA20-POLY1305:"
221 "ECDHE-ECDSA-AES128-GCM-SHA256:"
222 "ECDHE-RSA-AES128-GCM-SHA256:"
223 "-BOGUS2:+BOGUS3:!BOGUS4",
224 {
225 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
226 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
227 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
228 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
229 },
230 true,
231 },
232 // Square brackets specify equi-preference groups.
233 {
234 "[ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES128-GCM-SHA256]:"
235 "[ECDHE-RSA-CHACHA20-POLY1305]:"
236 "ECDHE-RSA-AES128-GCM-SHA256",
237 {
238 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 1},
239 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
240 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
241 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
242 },
243 false,
244 },
245 // Standard names may be used instead of OpenSSL names.
246 {
247 "[TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|"
248 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]:"
249 "[TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256]:"
250 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
251 {
252 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 1},
253 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
254 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
255 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
256 },
257 false,
258 },
259 // @STRENGTH performs a stable strength-sort of the selected ciphers and
260 // only the selected ciphers.
261 {
262 // To simplify things, banish all but {ECDHE_RSA,RSA} x
263 // {CHACHA20,AES_256_CBC,AES_128_CBC} x SHA1.
264 "!AESGCM:!3DES:"
265 // Order some ciphers backwards by strength.
266 "ALL:-CHACHA20:-AES256:-AES128:-ALL:"
267 // Select ECDHE ones and sort them by strength. Ties should resolve
268 // based on the order above.
269 "kECDHE:@STRENGTH:-ALL:"
270 // Now bring back everything uses RSA. ECDHE_RSA should be first, sorted
271 // by strength. Then RSA, backwards by strength.
272 "aRSA",
273 {
274 {TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, 0},
275 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
276 {TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, 0},
277 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
278 {TLS1_CK_RSA_WITH_AES_256_SHA, 0},
279 },
280 false,
281 },
282 // Additional masks after @STRENGTH get silently discarded.
283 //
284 // TODO(davidben): Make this an error. If not silently discarded, they get
285 // interpreted as + opcodes which are very different.
286 {
287 "ECDHE-RSA-AES128-GCM-SHA256:"
288 "ECDHE-RSA-AES256-GCM-SHA384:"
289 "@STRENGTH+AES256",
290 {
291 {TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 0},
292 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
293 },
294 false,
295 },
296 {
297 "ECDHE-RSA-AES128-GCM-SHA256:"
298 "ECDHE-RSA-AES256-GCM-SHA384:"
299 "@STRENGTH+AES256:"
300 "ECDHE-RSA-CHACHA20-POLY1305",
301 {
302 {TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 0},
303 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
304 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
305 },
306 false,
307 },
308 // Exact ciphers may not be used in multi-part rules; they are treated
309 // as unknown aliases.
310 {
311 "ECDHE-ECDSA-AES128-GCM-SHA256:"
312 "ECDHE-RSA-AES128-GCM-SHA256:"
313 "!ECDHE-RSA-AES128-GCM-SHA256+RSA:"
314 "!ECDSA+ECDHE-ECDSA-AES128-GCM-SHA256",
315 {
316 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
317 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
318 },
319 true,
320 },
321 // SSLv3 matches everything that existed before TLS 1.2.
322 {
323 "AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256:!SSLv3",
324 {
325 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
326 },
327 false,
328 },
329 // TLSv1.2 matches everything added in TLS 1.2.
330 {
331 "AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256:!TLSv1.2",
332 {
333 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
334 },
335 false,
336 },
337 // The two directives have no intersection. But each component is valid, so
338 // even in strict mode it is accepted.
339 {
340 "AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256:!TLSv1.2+SSLv3",
341 {
342 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
343 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
344 },
345 false,
346 },
347 // Spaces, semi-colons and commas are separators.
348 {
349 "AES128-SHA: ECDHE-RSA-AES128-GCM-SHA256 AES256-SHA ,ECDHE-ECDSA-AES128-GCM-SHA256 ; AES128-GCM-SHA256",
350 {
351 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
352 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
353 {TLS1_CK_RSA_WITH_AES_256_SHA, 0},
354 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
355 {TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0},
356 },
357 // …but not in strict mode.
358 true,
359 },
360 // 3DES ciphers are disabled by default.
361 {
362 "RSA",
363 {
364 {TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0},
365 {TLS1_CK_RSA_WITH_AES_256_GCM_SHA384, 0},
366 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
367 {TLS1_CK_RSA_WITH_AES_256_SHA, 0},
368 },
369 false,
370 },
371 // But 3DES ciphers may be specified by name.
372 {
373 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
374 {
375 {SSL3_CK_RSA_DES_192_CBC3_SHA, 0},
376 },
377 false,
378 },
379 {
380 "DES-CBC3-SHA",
381 {
382 {SSL3_CK_RSA_DES_192_CBC3_SHA, 0},
383 },
384 false,
385 },
386 // Or by a selector that specifically includes deprecated ciphers.
387 {
388 "3DES",
389 {
390 {SSL3_CK_RSA_DES_192_CBC3_SHA, 0},
391 },
392 false,
393 },
394 // Such selectors may be combined with other selectors that would otherwise
395 // not allow deprecated ciphers.
396 {
397 "RSA+3DES",
398 {
399 {SSL3_CK_RSA_DES_192_CBC3_SHA, 0},
400 },
401 false,
402 },
403 // The cipher must still match all combined selectors, however. "ECDHE+3DES"
404 // matches nothing because we do not implement
405 // TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA. (The test includes
406 // TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 so the final list is not empty.)
407 {
408 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:ECDHE+3DES",
409 {
410 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
411 },
412 false,
413 },
414 // Although alises like "RSA" do not match 3DES when adding ciphers, they do
415 // match it when removing ciphers.
416 {
417 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:RSA:RSA+3DES:!RSA",
418 {
419 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
420 },
421 false,
422 },
423 // 3DES still participates in strength sorting.
424 {
425 "RSA:3DES:@STRENGTH",
426 {
427 {TLS1_CK_RSA_WITH_AES_256_GCM_SHA384, 0},
428 {TLS1_CK_RSA_WITH_AES_256_SHA, 0},
429 {TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0},
430 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
431 {SSL3_CK_RSA_DES_192_CBC3_SHA, 0},
432 },
433 false,
434 },
435 };
436
437 static const char *kBadRules[] = {
438 // Invalid brackets.
439 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256",
440 "RSA]",
441 "[[RSA]]",
442 // Operators inside brackets.
443 "[+RSA]",
444 // Unknown directive.
445 "@BOGUS",
446 // Empty cipher lists error at SSL_CTX_set_cipher_list.
447 "",
448 "BOGUS",
449 // COMPLEMENTOFDEFAULT is empty.
450 "COMPLEMENTOFDEFAULT",
451 // Invalid command.
452 "?BAR",
453 // Special operators are not allowed if equi-preference groups are used.
454 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:+FOO",
455 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:!FOO",
456 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:-FOO",
457 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:@STRENGTH",
458 // Opcode supplied, but missing selector.
459 "+",
460 // Spaces are forbidden in equal-preference groups.
461 "[AES128-SHA | AES128-SHA256]",
462 };
463
464 static const char *kMustNotIncludeDeprecated[] = {
465 "ALL",
466 "DEFAULT",
467 "HIGH",
468 "FIPS",
469 "SHA",
470 "SHA1",
471 "RSA",
472 "SSLv3",
473 "TLSv1",
474 "TLSv1.2",
475 };
476
477 static const char* kShouldIncludeCBCSHA256[] = {
478 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
479 "ALL:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
480 };
481
482 static const CurveTest kCurveTests[] = {
483 {
484 "P-256",
485 { SSL_GROUP_SECP256R1 },
486 },
487 {
488 "P-256:X25519Kyber768Draft00",
489 { SSL_GROUP_SECP256R1, SSL_GROUP_X25519_KYBER768_DRAFT00 },
490 },
491
492 {
493 "P-256:P-384:P-521:X25519",
494 {
495 SSL_GROUP_SECP256R1,
496 SSL_GROUP_SECP384R1,
497 SSL_GROUP_SECP521R1,
498 SSL_GROUP_X25519,
499 },
500 },
501 {
502 "prime256v1:secp384r1:secp521r1:x25519",
503 {
504 SSL_GROUP_SECP256R1,
505 SSL_GROUP_SECP384R1,
506 SSL_GROUP_SECP521R1,
507 SSL_GROUP_X25519,
508 },
509 },
510 };
511
512 static const char *kBadCurvesLists[] = {
513 "",
514 ":",
515 "::",
516 "P-256::X25519",
517 "RSA:P-256",
518 "P-256:RSA",
519 "X25519:P-256:",
520 ":X25519:P-256",
521 };
522
CipherListToString(SSL_CTX * ctx)523 static std::string CipherListToString(SSL_CTX *ctx) {
524 bool in_group = false;
525 std::string ret;
526 const STACK_OF(SSL_CIPHER) *ciphers = SSL_CTX_get_ciphers(ctx);
527 for (size_t i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
528 const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(ciphers, i);
529 if (!in_group && SSL_CTX_cipher_in_group(ctx, i)) {
530 ret += "\t[\n";
531 in_group = true;
532 }
533 ret += "\t";
534 if (in_group) {
535 ret += " ";
536 }
537 ret += SSL_CIPHER_get_name(cipher);
538 ret += "\n";
539 if (in_group && !SSL_CTX_cipher_in_group(ctx, i)) {
540 ret += "\t]\n";
541 in_group = false;
542 }
543 }
544 return ret;
545 }
546
CipherListsEqual(SSL_CTX * ctx,const std::vector<ExpectedCipher> & expected)547 static bool CipherListsEqual(SSL_CTX *ctx,
548 const std::vector<ExpectedCipher> &expected) {
549 const STACK_OF(SSL_CIPHER) *ciphers = SSL_CTX_get_ciphers(ctx);
550 if (sk_SSL_CIPHER_num(ciphers) != expected.size()) {
551 return false;
552 }
553
554 for (size_t i = 0; i < expected.size(); i++) {
555 const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(ciphers, i);
556 if (expected[i].id != SSL_CIPHER_get_id(cipher) ||
557 expected[i].in_group_flag != !!SSL_CTX_cipher_in_group(ctx, i)) {
558 return false;
559 }
560 }
561
562 return true;
563 }
564
TEST(GrowableArrayTest,Resize)565 TEST(GrowableArrayTest, Resize) {
566 GrowableArray<size_t> array;
567 ASSERT_TRUE(array.empty());
568 EXPECT_EQ(array.size(), 0u);
569
570 ASSERT_TRUE(array.Push(42));
571 ASSERT_TRUE(!array.empty());
572 EXPECT_EQ(array.size(), 1u);
573
574 // Force a resize operation to occur
575 for (size_t i = 0; i < 16; i++) {
576 ASSERT_TRUE(array.Push(i + 1));
577 }
578
579 EXPECT_EQ(array.size(), 17u);
580
581 // Verify that expected values are still contained in array
582 for (size_t i = 0; i < array.size(); i++) {
583 EXPECT_EQ(array[i], i == 0 ? 42 : i);
584 }
585 }
586
TEST(GrowableArrayTest,MoveConstructor)587 TEST(GrowableArrayTest, MoveConstructor) {
588 GrowableArray<size_t> array;
589 for (size_t i = 0; i < 100; i++) {
590 ASSERT_TRUE(array.Push(i));
591 }
592
593 GrowableArray<size_t> array_moved(std::move(array));
594 for (size_t i = 0; i < 100; i++) {
595 EXPECT_EQ(array_moved[i], i);
596 }
597 }
598
TEST(GrowableArrayTest,GrowableArrayContainingGrowableArrays)599 TEST(GrowableArrayTest, GrowableArrayContainingGrowableArrays) {
600 // Representative example of a struct that contains a GrowableArray.
601 struct TagAndArray {
602 size_t tag;
603 GrowableArray<size_t> array;
604 };
605
606 GrowableArray<TagAndArray> array;
607 for (size_t i = 0; i < 100; i++) {
608 TagAndArray elem;
609 elem.tag = i;
610 for (size_t j = 0; j < i; j++) {
611 ASSERT_TRUE(elem.array.Push(j));
612 }
613 ASSERT_TRUE(array.Push(std::move(elem)));
614 }
615 EXPECT_EQ(array.size(), static_cast<size_t>(100));
616
617 GrowableArray<TagAndArray> array_moved(std::move(array));
618 EXPECT_EQ(array_moved.size(), static_cast<size_t>(100));
619 size_t count = 0;
620 for (const TagAndArray &elem : array_moved) {
621 // Test the square bracket operator returns the same value as iteration.
622 EXPECT_EQ(&elem, &array_moved[count]);
623
624 EXPECT_EQ(elem.tag, count);
625 EXPECT_EQ(elem.array.size(), count);
626 for (size_t j = 0; j < count; j++) {
627 EXPECT_EQ(elem.array[j], j);
628 }
629 count++;
630 }
631 }
632
TEST(SSLTest,CipherRules)633 TEST(SSLTest, CipherRules) {
634 for (const CipherTest &t : kCipherTests) {
635 SCOPED_TRACE(t.rule);
636 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
637 ASSERT_TRUE(ctx);
638
639 // Test lax mode.
640 ASSERT_TRUE(SSL_CTX_set_cipher_list(ctx.get(), t.rule));
641 EXPECT_TRUE(CipherListsEqual(ctx.get(), t.expected))
642 << "Cipher rule evaluated to:\n"
643 << CipherListToString(ctx.get());
644
645 // Test strict mode.
646 if (t.strict_fail) {
647 EXPECT_FALSE(SSL_CTX_set_strict_cipher_list(ctx.get(), t.rule));
648 } else {
649 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(ctx.get(), t.rule));
650 EXPECT_TRUE(CipherListsEqual(ctx.get(), t.expected))
651 << "Cipher rule evaluated to:\n"
652 << CipherListToString(ctx.get());
653 }
654 }
655
656 for (const char *rule : kBadRules) {
657 SCOPED_TRACE(rule);
658 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
659 ASSERT_TRUE(ctx);
660
661 EXPECT_FALSE(SSL_CTX_set_cipher_list(ctx.get(), rule));
662 ERR_clear_error();
663 }
664
665 for (const char *rule : kMustNotIncludeDeprecated) {
666 SCOPED_TRACE(rule);
667 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
668 ASSERT_TRUE(ctx);
669
670 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(ctx.get(), rule));
671 for (const SSL_CIPHER *cipher : SSL_CTX_get_ciphers(ctx.get())) {
672 EXPECT_NE(NID_undef, SSL_CIPHER_get_cipher_nid(cipher));
673 EXPECT_FALSE(ssl_cipher_is_deprecated(cipher));
674 }
675 }
676
677 {
678 for (const char *rule : kShouldIncludeCBCSHA256) {
679 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
680 ASSERT_TRUE(ctx);
681 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(ctx.get(), rule));
682
683 bool found = false;
684 for (const SSL_CIPHER *cipher : SSL_CTX_get_ciphers(ctx.get())) {
685 if ((TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA256 & 0xffff) ==
686 SSL_CIPHER_get_protocol_id(cipher)) {
687 found = true;
688 break;
689 }
690 }
691 EXPECT_TRUE(found);
692 }
693 }
694 }
695
TEST(SSLTest,CurveRules)696 TEST(SSLTest, CurveRules) {
697 for (const CurveTest &t : kCurveTests) {
698 SCOPED_TRACE(t.rule);
699 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
700 ASSERT_TRUE(ctx);
701
702 ASSERT_TRUE(SSL_CTX_set1_groups_list(ctx.get(), t.rule));
703 ASSERT_EQ(t.expected.size(), ctx->supported_group_list.size());
704 for (size_t i = 0; i < t.expected.size(); i++) {
705 EXPECT_EQ(t.expected[i], ctx->supported_group_list[i]);
706 }
707 }
708
709 for (const char *rule : kBadCurvesLists) {
710 SCOPED_TRACE(rule);
711 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
712 ASSERT_TRUE(ctx);
713
714 EXPECT_FALSE(SSL_CTX_set1_groups_list(ctx.get(), rule));
715 ERR_clear_error();
716 }
717 }
718
719 // kOpenSSLSession is a serialized SSL_SESSION.
720 static const char kOpenSSLSession[] =
721 "MIIFqgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
722 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
723 "IWoJoQYCBFRDO46iBAICASyjggR6MIIEdjCCA16gAwIBAgIIK9dUvsPWSlUwDQYJ"
724 "KoZIhvcNAQEFBQAwSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMx"
725 "JTAjBgNVBAMTHEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTQxMDA4"
726 "MTIwNzU3WhcNMTUwMTA2MDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwK"
727 "Q2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29v"
728 "Z2xlIEluYzEXMBUGA1UEAwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEB"
729 "AQUAA4IBDwAwggEKAoIBAQCcKeLrplAC+Lofy8t/wDwtB6eu72CVp0cJ4V3lknN6"
730 "huH9ct6FFk70oRIh/VBNBBz900jYy+7111Jm1b8iqOTQ9aT5C7SEhNcQFJvqzH3e"
731 "MPkb6ZSWGm1yGF7MCQTGQXF20Sk/O16FSjAynU/b3oJmOctcycWYkY0ytS/k3LBu"
732 "Id45PJaoMqjB0WypqvNeJHC3q5JjCB4RP7Nfx5jjHSrCMhw8lUMW4EaDxjaR9KDh"
733 "PLgjsk+LDIySRSRDaCQGhEOWLJZVLzLo4N6/UlctCHEllpBUSvEOyFga52qroGjg"
734 "rf3WOQ925MFwzd6AK+Ich0gDRg8sQfdLH5OuP1cfLfU1AgMBAAGjggFBMIIBPTAd"
735 "BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdv"
736 "b2dsZS5jb20waAYIKwYBBQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtp"
737 "Lmdvb2dsZS5jb20vR0lBRzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50"
738 "czEuZ29vZ2xlLmNvbS9vY3NwMB0GA1UdDgQWBBQ7a+CcxsZByOpc+xpYFcIbnUMZ"
739 "hTAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEv"
740 "MBcGA1UdIAQQMA4wDAYKKwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRw"
741 "Oi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQCa"
742 "OXCBdoqUy5bxyq+Wrh1zsyyCFim1PH5VU2+yvDSWrgDY8ibRGJmfff3r4Lud5kal"
743 "dKs9k8YlKD3ITG7P0YT/Rk8hLgfEuLcq5cc0xqmE42xJ+Eo2uzq9rYorc5emMCxf"
744 "5L0TJOXZqHQpOEcuptZQ4OjdYMfSxk5UzueUhA3ogZKRcRkdB3WeWRp+nYRhx4St"
745 "o2rt2A0MKmY9165GHUqMK9YaaXHDXqBu7Sefr1uSoAP9gyIJKeihMivsGqJ1TD6Z"
746 "cc6LMe+dN2P8cZEQHtD1y296ul4Mivqk3jatUVL8/hCwgch9A8O4PGZq9WqBfEWm"
747 "IyHh1dPtbg1lOXdYCWtjpAIEAKUDAgEUqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36S"
748 "YTcLEkXqKwOBfF9vE4KX0NxeLwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9B"
749 "sNHM362zZnY27GpTw+Kwd751CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yE"
750 "OTDKPNj3+inbMaVigtK4PLyPq+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdA"
751 "i4gv7Y5oliyntgMBAQA=";
752
753 // kCustomSession is a custom serialized SSL_SESSION generated by
754 // filling in missing fields from |kOpenSSLSession|. This includes
755 // providing |peer_sha256|, so |peer| is not serialized.
756 static const char kCustomSession[] =
757 "MIIBZAIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
758 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
759 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUqAcEBXdvcmxkqQUCAwGJwKqBpwSB"
760 "pBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0NxeLwjcDTpsuh3qXEaZ992r1N38"
761 "VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751CLoXFPoaMOe57dbBpXoro6Pd"
762 "3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyPq+Topyzvx9USFgRvyuoxn0Hg"
763 "b+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYGBgYGBgYGBgYGBgYGBgYGBgYG"
764 "BgYGBgYGBgYGrgMEAQevAwQBBLADBAEF";
765
766 // kBoringSSLSession is a serialized SSL_SESSION generated from bssl client.
767 static const char kBoringSSLSession[] =
768 "MIIRwQIBAQICAwMEAsAvBCDdoGxGK26mR+8lM0uq6+k9xYuxPnwAjpcF9n0Yli9R"
769 "kQQwbyshfWhdi5XQ1++7n2L1qqrcVlmHBPpr6yknT/u4pUrpQB5FZ7vqvNn8MdHf"
770 "9rWgoQYCBFXgs7uiBAICHCCjggR6MIIEdjCCA16gAwIBAgIIf+yfD7Y6UicwDQYJ"
771 "KoZIhvcNAQELBQAwSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMx"
772 "JTAjBgNVBAMTHEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTUwODEy"
773 "MTQ1MzE1WhcNMTUxMTEwMDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwK"
774 "Q2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29v"
775 "Z2xlIEluYzEXMBUGA1UEAwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEB"
776 "AQUAA4IBDwAwggEKAoIBAQC0MeG5YGQ0t+IeJeoneP/PrhEaieibeKYkbKVLNZpo"
777 "PLuBinvhkXZo3DC133NpCBpy6ZktBwamqyixAyuk/NU6OjgXqwwxfQ7di1AInLIU"
778 "792c7hFyNXSUCG7At8Ifi3YwBX9Ba6u/1d6rWTGZJrdCq3QU11RkKYyTq2KT5mce"
779 "Tv9iGKqSkSTlp8puy/9SZ/3DbU3U+BuqCFqeSlz7zjwFmk35acdCilpJlVDDN5C/"
780 "RCh8/UKc8PaL+cxlt531qoTENvYrflBno14YEZlCBZsPiFeUSILpKEj3Ccwhy0eL"
781 "EucWQ72YZU8mUzXBoXGn0zA0crFl5ci/2sTBBGZsylNBAgMBAAGjggFBMIIBPTAd"
782 "BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdv"
783 "b2dsZS5jb20waAYIKwYBBQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtp"
784 "Lmdvb2dsZS5jb20vR0lBRzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50"
785 "czEuZ29vZ2xlLmNvbS9vY3NwMB0GA1UdDgQWBBS/bzHxcE73Q4j3slC4BLbMtLjG"
786 "GjAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEv"
787 "MBcGA1UdIAQQMA4wDAYKKwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRw"
788 "Oi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQAb"
789 "qdWPZEHk0X7iKPCTHL6S3w6q1eR67goxZGFSM1lk1hjwyu7XcLJuvALVV9uY3ovE"
790 "kQZSHwT+pyOPWQhsSjO+1GyjvCvK/CAwiUmBX+bQRGaqHsRcio7xSbdVcajQ3bXd"
791 "X+s0WdbOpn6MStKAiBVloPlSxEI8pxY6x/BBCnTIk/+DMB17uZlOjG3vbAnkDkP+"
792 "n0OTucD9sHV7EVj9XUxi51nOfNBCN/s7lpUjDS/NJ4k3iwOtbCPswiot8vLO779a"
793 "f07vR03r349Iz/KTzk95rlFtX0IU+KYNxFNsanIXZ+C9FYGRXkwhHcvFb4qMUB1y"
794 "TTlM80jBMOwyjZXmjRAhpAIEAKUDAgEUqQUCAwGJwKqBpwSBpOgebbmn9NRUtMWH"
795 "+eJpqA5JLMFSMCChOsvKey3toBaCNGU7HfAEiiXNuuAdCBoK262BjQc2YYfqFzqH"
796 "zuppopXCvhohx7j/tnCNZIMgLYt/O9SXK2RYI5z8FhCCHvB4CbD5G0LGl5EFP27s"
797 "Jb6S3aTTYPkQe8yZSlxevg6NDwmTogLO9F7UUkaYmVcMQhzssEE2ZRYNwSOU6KjE"
798 "0Yj+8fAiBtbQriIEIN2L8ZlpaVrdN5KFNdvcmOxJu81P8q53X55xQyGTnGWwsgMC"
799 "ARezggvvMIIEdjCCA16gAwIBAgIIf+yfD7Y6UicwDQYJKoZIhvcNAQELBQAwSTEL"
800 "MAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2ds"
801 "ZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTUwODEyMTQ1MzE1WhcNMTUxMTEw"
802 "MDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQG"
803 "A1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UE"
804 "AwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB"
805 "AQC0MeG5YGQ0t+IeJeoneP/PrhEaieibeKYkbKVLNZpoPLuBinvhkXZo3DC133Np"
806 "CBpy6ZktBwamqyixAyuk/NU6OjgXqwwxfQ7di1AInLIU792c7hFyNXSUCG7At8If"
807 "i3YwBX9Ba6u/1d6rWTGZJrdCq3QU11RkKYyTq2KT5mceTv9iGKqSkSTlp8puy/9S"
808 "Z/3DbU3U+BuqCFqeSlz7zjwFmk35acdCilpJlVDDN5C/RCh8/UKc8PaL+cxlt531"
809 "qoTENvYrflBno14YEZlCBZsPiFeUSILpKEj3Ccwhy0eLEucWQ72YZU8mUzXBoXGn"
810 "0zA0crFl5ci/2sTBBGZsylNBAgMBAAGjggFBMIIBPTAdBgNVHSUEFjAUBggrBgEF"
811 "BQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYB"
812 "BQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lB"
813 "RzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9v"
814 "Y3NwMB0GA1UdDgQWBBS/bzHxcE73Q4j3slC4BLbMtLjGGjAMBgNVHRMBAf8EAjAA"
815 "MB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMBcGA1UdIAQQMA4wDAYK"
816 "KwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRwOi8vcGtpLmdvb2dsZS5j"
817 "b20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQAbqdWPZEHk0X7iKPCTHL6S"
818 "3w6q1eR67goxZGFSM1lk1hjwyu7XcLJuvALVV9uY3ovEkQZSHwT+pyOPWQhsSjO+"
819 "1GyjvCvK/CAwiUmBX+bQRGaqHsRcio7xSbdVcajQ3bXdX+s0WdbOpn6MStKAiBVl"
820 "oPlSxEI8pxY6x/BBCnTIk/+DMB17uZlOjG3vbAnkDkP+n0OTucD9sHV7EVj9XUxi"
821 "51nOfNBCN/s7lpUjDS/NJ4k3iwOtbCPswiot8vLO779af07vR03r349Iz/KTzk95"
822 "rlFtX0IU+KYNxFNsanIXZ+C9FYGRXkwhHcvFb4qMUB1yTTlM80jBMOwyjZXmjRAh"
823 "MIID8DCCAtigAwIBAgIDAjqDMA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT"
824 "MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i"
825 "YWwgQ0EwHhcNMTMwNDA1MTUxNTU2WhcNMTYxMjMxMjM1OTU5WjBJMQswCQYDVQQG"
826 "EwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVy"
827 "bmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB"
828 "AJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NP"
829 "VaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtv"
830 "h8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rE"
831 "ahqyzFPdFUuLH8gZYR/Nnag+YyuENWllhMgZxUYi+FOVvuOAShDGKuy6lyARxzmZ"
832 "EASg8GF6lSWMTlJ14rbtCMoU/M4iarNOz0YDl5cDfsCx3nuvRTPPuj5xt970JSXC"
833 "DTWJnZ37DhF5iR43xa+OcmkCAwEAAaOB5zCB5DAfBgNVHSMEGDAWgBTAephojYn7"
834 "qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1dvWBtrtiGrpagS8wDgYD"
835 "VR0PAQH/BAQDAgEGMC4GCCsGAQUFBwEBBCIwIDAeBggrBgEFBQcwAYYSaHR0cDov"
836 "L2cuc3ltY2QuY29tMBIGA1UdEwEB/wQIMAYBAf8CAQAwNQYDVR0fBC4wLDAqoCig"
837 "JoYkaHR0cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9iYWwuY3JsMBcGA1UdIAQQ"
838 "MA4wDAYKKwYBBAHWeQIFATANBgkqhkiG9w0BAQsFAAOCAQEAqvqpIM1qZ4PtXtR+"
839 "3h3Ef+AlBgDFJPupyC1tft6dgmUsgWM0Zj7pUsIItMsv91+ZOmqcUHqFBYx90SpI"
840 "hNMJbHzCzTWf84LuUt5oX+QAihcglvcpjZpNy6jehsgNb1aHA30DP9z6eX0hGfnI"
841 "Oi9RdozHQZJxjyXON/hKTAAj78Q1EK7gI4BzfE00LshukNYQHpmEcxpw8u1VDu4X"
842 "Bupn7jLrLN1nBz/2i8Jw3lsA5rsb0zYaImxssDVCbJAJPZPpZAkiDoUGn8JzIdPm"
843 "X4DkjYUiOnMDsWCOrmji9D6X52ASCWg23jrW4kOVWzeBkoEfu43XrVJkFleW2V40"
844 "fsg12DCCA30wggLmoAMCAQICAxK75jANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQG"
845 "EwJVUzEQMA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUg"
846 "Q2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTAyMDUyMTA0MDAwMFoXDTE4MDgyMTA0"
847 "MDAwMFowQjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUdlb1RydXN0IEluYy4xGzAZ"
848 "BgNVBAMTEkdlb1RydXN0IEdsb2JhbCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP"
849 "ADCCAQoCggEBANrMGGMw/fQXIxpWflvfPGw45HG3eJHUvKHYTPioQ7YD6U0hBwiI"
850 "2lgvZjkpvQV4i5046AW3an5xpObEYKaw74DkiSgPniXW7YPzraaRx5jJQhg1FJ2t"
851 "mEaSLk/K8YdDwRaVVy1Q74ktgHpXrfLuX2vSAI25FPgUFTXZwEaje3LIkb/JVSvN"
852 "0Jc+nCZkzN/Ogxlxyk7m1NV7qRnNVd7I7NJeOFPlXE+MLf5QIzb8ZubLjqQ5GQC3"
853 "lQI5kQsO/jgu0R0FmvZNPm8PBx2vLB6PYDni+jZTEznUXiYr2z2oFL0y6xgDKFIE"
854 "ceWrMz3hOLsHNoRinHnqFjD0X8Ar6HFr5PkCAwEAAaOB8DCB7TAfBgNVHSMEGDAW"
855 "gBRI5mj5K9KylddH2CMgEE8zmJCf1DAdBgNVHQ4EFgQUwHqYaI2J+6sFZAwRfap9"
856 "ZbjKzE4wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwOgYDVR0fBDMw"
857 "MTAvoC2gK4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20vY3Jscy9zZWN1cmVjYS5j"
858 "cmwwTgYDVR0gBEcwRTBDBgRVHSAAMDswOQYIKwYBBQUHAgEWLWh0dHBzOi8vd3d3"
859 "Lmdlb3RydXN0LmNvbS9yZXNvdXJjZXMvcmVwb3NpdG9yeTANBgkqhkiG9w0BAQUF"
860 "AAOBgQB24RJuTksWEoYwBrKBCM/wCMfHcX5m7sLt1Dsf//DwyE7WQziwuTB9GNBV"
861 "g6JqyzYRnOhIZqNtf7gT1Ef+i1pcc/yu2RsyGTirlzQUqpbS66McFAhJtrvlke+D"
862 "NusdVm/K2rxzY5Dkf3s+Iss9B+1fOHSc4wNQTqGvmO5h8oQ/Eg==";
863
864 // kBadSessionExtraField is a custom serialized SSL_SESSION generated by replacing
865 // the final (optional) element of |kCustomSession| with tag number 99.
866 static const char kBadSessionExtraField[] =
867 "MIIBdgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
868 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
869 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
870 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
871 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
872 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
873 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
874 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBOMDBAEF";
875
876 // kBadSessionVersion is a custom serialized SSL_SESSION generated by replacing
877 // the version of |kCustomSession| with 2.
878 static const char kBadSessionVersion[] =
879 "MIIBdgIBAgICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
880 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
881 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
882 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
883 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
884 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
885 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
886 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBLADBAEF";
887
888 // kBadSessionTrailingData is a custom serialized SSL_SESSION with trailing data
889 // appended.
890 static const char kBadSessionTrailingData[] =
891 "MIIBdgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
892 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
893 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
894 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
895 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
896 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
897 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
898 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBLADBAEFAAAA";
899
DecodeBase64(std::vector<uint8_t> * out,const char * in)900 static bool DecodeBase64(std::vector<uint8_t> *out, const char *in) {
901 size_t len;
902 if (!EVP_DecodedLength(&len, strlen(in))) {
903 fprintf(stderr, "EVP_DecodedLength failed\n");
904 return false;
905 }
906
907 out->resize(len);
908 if (!EVP_DecodeBase64(out->data(), &len, len, (const uint8_t *)in,
909 strlen(in))) {
910 fprintf(stderr, "EVP_DecodeBase64 failed\n");
911 return false;
912 }
913 out->resize(len);
914 return true;
915 }
916
DecodeLowerHex(std::vector<uint8_t> * out,bssl::Span<const char> in)917 static bool DecodeLowerHex(std::vector<uint8_t> *out,
918 bssl::Span<const char> in) {
919 if (in.size() % 2 != 0) {
920 return false;
921 }
922 out->resize(in.size() / 2);
923 for (size_t i = 0; i < out->size(); i++) {
924 char hi = in[2 * i], lo = in[2 * i + 1];
925 uint8_t b = 0;
926 if ('0' <= hi && hi <= '9') {
927 b |= hi - '0';
928 } else if ('a' <= hi && hi <= 'f') {
929 b |= hi - 'a' + 10;
930 } else {
931 return false;
932 }
933 b <<= 4;
934 if ('0' <= lo && lo <= '9') {
935 b |= lo - '0';
936 } else if ('a' <= lo && lo <= 'f') {
937 b |= lo - 'a' + 10;
938 } else {
939 return false;
940 }
941 (*out)[i] = b;
942 }
943 return true;
944 }
945
TEST(SSLTest,SessionEncoding)946 TEST(SSLTest, SessionEncoding) {
947 for (const char *input_b64 : {
948 kOpenSSLSession,
949 kCustomSession,
950 kBoringSSLSession,
951 }) {
952 SCOPED_TRACE(std::string(input_b64));
953 // Decode the input.
954 std::vector<uint8_t> input;
955 ASSERT_TRUE(DecodeBase64(&input, input_b64));
956
957 // Verify the SSL_SESSION decodes.
958 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
959 ASSERT_TRUE(ssl_ctx);
960 bssl::UniquePtr<SSL_SESSION> session(
961 SSL_SESSION_from_bytes(input.data(), input.size(), ssl_ctx.get()));
962 ASSERT_TRUE(session) << "SSL_SESSION_from_bytes failed";
963
964 // Verify the SSL_SESSION encoding round-trips.
965 size_t encoded_len;
966 bssl::UniquePtr<uint8_t> encoded;
967 uint8_t *encoded_raw;
968 ASSERT_TRUE(SSL_SESSION_to_bytes(session.get(), &encoded_raw, &encoded_len))
969 << "SSL_SESSION_to_bytes failed";
970 encoded.reset(encoded_raw);
971 EXPECT_EQ(Bytes(encoded.get(), encoded_len), Bytes(input))
972 << "SSL_SESSION_to_bytes did not round-trip";
973
974 // Verify the SSL_SESSION also decodes with the legacy API.
975 const uint8_t *cptr = input.data();
976 session.reset(d2i_SSL_SESSION(NULL, &cptr, input.size()));
977 ASSERT_TRUE(session) << "d2i_SSL_SESSION failed";
978 EXPECT_EQ(cptr, input.data() + input.size());
979
980 // Verify the SSL_SESSION encoding round-trips via the legacy API.
981 int len = i2d_SSL_SESSION(session.get(), NULL);
982 ASSERT_GT(len, 0) << "i2d_SSL_SESSION failed";
983 ASSERT_EQ(static_cast<size_t>(len), input.size())
984 << "i2d_SSL_SESSION(NULL) returned invalid length";
985
986 encoded.reset((uint8_t *)OPENSSL_malloc(input.size()));
987 ASSERT_TRUE(encoded);
988
989 uint8_t *ptr = encoded.get();
990 len = i2d_SSL_SESSION(session.get(), &ptr);
991 ASSERT_GT(len, 0) << "i2d_SSL_SESSION failed";
992 ASSERT_EQ(static_cast<size_t>(len), input.size())
993 << "i2d_SSL_SESSION(NULL) returned invalid length";
994 ASSERT_EQ(ptr, encoded.get() + input.size())
995 << "i2d_SSL_SESSION did not advance ptr correctly";
996 EXPECT_EQ(Bytes(encoded.get(), encoded_len), Bytes(input))
997 << "SSL_SESSION_to_bytes did not round-trip";
998 }
999
1000 for (const char *input_b64 : {
1001 kBadSessionExtraField,
1002 kBadSessionVersion,
1003 kBadSessionTrailingData,
1004 }) {
1005 SCOPED_TRACE(std::string(input_b64));
1006 std::vector<uint8_t> input;
1007 ASSERT_TRUE(DecodeBase64(&input, input_b64));
1008
1009 // Verify that the SSL_SESSION fails to decode.
1010 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
1011 ASSERT_TRUE(ssl_ctx);
1012 bssl::UniquePtr<SSL_SESSION> session(
1013 SSL_SESSION_from_bytes(input.data(), input.size(), ssl_ctx.get()));
1014 EXPECT_FALSE(session) << "SSL_SESSION_from_bytes unexpectedly succeeded";
1015 ERR_clear_error();
1016 }
1017 }
1018
ExpectDefaultVersion(uint16_t min_version,uint16_t max_version,const SSL_METHOD * (* method)(void))1019 static void ExpectDefaultVersion(uint16_t min_version, uint16_t max_version,
1020 const SSL_METHOD *(*method)(void)) {
1021 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method()));
1022 ASSERT_TRUE(ctx);
1023 EXPECT_EQ(min_version, SSL_CTX_get_min_proto_version(ctx.get()));
1024 EXPECT_EQ(max_version, SSL_CTX_get_max_proto_version(ctx.get()));
1025 }
1026
TEST(SSLTest,DefaultVersion)1027 TEST(SSLTest, DefaultVersion) {
1028 ExpectDefaultVersion(TLS1_VERSION, TLS1_3_VERSION, &TLS_method);
1029 ExpectDefaultVersion(TLS1_VERSION, TLS1_VERSION, &TLSv1_method);
1030 ExpectDefaultVersion(TLS1_1_VERSION, TLS1_1_VERSION, &TLSv1_1_method);
1031 ExpectDefaultVersion(TLS1_2_VERSION, TLS1_2_VERSION, &TLSv1_2_method);
1032 ExpectDefaultVersion(DTLS1_VERSION, DTLS1_2_VERSION, &DTLS_method);
1033 ExpectDefaultVersion(DTLS1_VERSION, DTLS1_VERSION, &DTLSv1_method);
1034 ExpectDefaultVersion(DTLS1_2_VERSION, DTLS1_2_VERSION, &DTLSv1_2_method);
1035 }
1036
TEST(SSLTest,CipherProperties)1037 TEST(SSLTest, CipherProperties) {
1038 static const struct {
1039 int id;
1040 const char *standard_name;
1041 int cipher_nid;
1042 int digest_nid;
1043 int kx_nid;
1044 int auth_nid;
1045 int prf_nid;
1046 } kTests[] = {
1047 {
1048 SSL3_CK_RSA_DES_192_CBC3_SHA,
1049 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
1050 NID_des_ede3_cbc,
1051 NID_sha1,
1052 NID_kx_rsa,
1053 NID_auth_rsa,
1054 NID_md5_sha1,
1055 },
1056 {
1057 TLS1_CK_RSA_WITH_AES_128_SHA,
1058 "TLS_RSA_WITH_AES_128_CBC_SHA",
1059 NID_aes_128_cbc,
1060 NID_sha1,
1061 NID_kx_rsa,
1062 NID_auth_rsa,
1063 NID_md5_sha1,
1064 },
1065 {
1066 TLS1_CK_PSK_WITH_AES_256_CBC_SHA,
1067 "TLS_PSK_WITH_AES_256_CBC_SHA",
1068 NID_aes_256_cbc,
1069 NID_sha1,
1070 NID_kx_psk,
1071 NID_auth_psk,
1072 NID_md5_sha1,
1073 },
1074 {
1075 TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
1076 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
1077 NID_aes_128_cbc,
1078 NID_sha1,
1079 NID_kx_ecdhe,
1080 NID_auth_rsa,
1081 NID_md5_sha1,
1082 },
1083 {
1084 TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
1085 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
1086 NID_aes_256_cbc,
1087 NID_sha1,
1088 NID_kx_ecdhe,
1089 NID_auth_rsa,
1090 NID_md5_sha1,
1091 },
1092 {
1093 TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1094 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
1095 NID_aes_128_gcm,
1096 NID_undef,
1097 NID_kx_ecdhe,
1098 NID_auth_rsa,
1099 NID_sha256,
1100 },
1101 {
1102 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
1103 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
1104 NID_aes_128_gcm,
1105 NID_undef,
1106 NID_kx_ecdhe,
1107 NID_auth_ecdsa,
1108 NID_sha256,
1109 },
1110 {
1111 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
1112 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
1113 NID_aes_256_gcm,
1114 NID_undef,
1115 NID_kx_ecdhe,
1116 NID_auth_ecdsa,
1117 NID_sha384,
1118 },
1119 {
1120 TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA,
1121 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
1122 NID_aes_128_cbc,
1123 NID_sha1,
1124 NID_kx_ecdhe,
1125 NID_auth_psk,
1126 NID_md5_sha1,
1127 },
1128 {
1129 TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
1130 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
1131 NID_chacha20_poly1305,
1132 NID_undef,
1133 NID_kx_ecdhe,
1134 NID_auth_rsa,
1135 NID_sha256,
1136 },
1137 {
1138 TLS1_3_CK_AES_256_GCM_SHA384,
1139 "TLS_AES_256_GCM_SHA384",
1140 NID_aes_256_gcm,
1141 NID_undef,
1142 NID_kx_any,
1143 NID_auth_any,
1144 NID_sha384,
1145 },
1146 {
1147 TLS1_3_CK_AES_128_GCM_SHA256,
1148 "TLS_AES_128_GCM_SHA256",
1149 NID_aes_128_gcm,
1150 NID_undef,
1151 NID_kx_any,
1152 NID_auth_any,
1153 NID_sha256,
1154 },
1155 {
1156 TLS1_3_CK_CHACHA20_POLY1305_SHA256,
1157 "TLS_CHACHA20_POLY1305_SHA256",
1158 NID_chacha20_poly1305,
1159 NID_undef,
1160 NID_kx_any,
1161 NID_auth_any,
1162 NID_sha256,
1163 },
1164 };
1165
1166 for (const auto &t : kTests) {
1167 SCOPED_TRACE(t.standard_name);
1168
1169 const SSL_CIPHER *cipher = SSL_get_cipher_by_value(t.id & 0xffff);
1170 ASSERT_TRUE(cipher);
1171 EXPECT_STREQ(t.standard_name, SSL_CIPHER_standard_name(cipher));
1172
1173 EXPECT_EQ(t.cipher_nid, SSL_CIPHER_get_cipher_nid(cipher));
1174 EXPECT_EQ(t.digest_nid, SSL_CIPHER_get_digest_nid(cipher));
1175 EXPECT_EQ(t.kx_nid, SSL_CIPHER_get_kx_nid(cipher));
1176 EXPECT_EQ(t.auth_nid, SSL_CIPHER_get_auth_nid(cipher));
1177 EXPECT_EQ(t.prf_nid, EVP_MD_nid(SSL_CIPHER_get_handshake_digest(cipher)));
1178 EXPECT_EQ(t.prf_nid, SSL_CIPHER_get_prf_nid(cipher));
1179 }
1180 }
1181
1182 // CreateSessionWithTicket returns a sample |SSL_SESSION| with the specified
1183 // version and ticket length or nullptr on failure.
CreateSessionWithTicket(uint16_t version,size_t ticket_len)1184 static bssl::UniquePtr<SSL_SESSION> CreateSessionWithTicket(uint16_t version,
1185 size_t ticket_len) {
1186 std::vector<uint8_t> der;
1187 if (!DecodeBase64(&der, kOpenSSLSession)) {
1188 return nullptr;
1189 }
1190
1191 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
1192 if (!ssl_ctx) {
1193 return nullptr;
1194 }
1195 // Use a garbage ticket.
1196 std::vector<uint8_t> ticket(ticket_len, 'a');
1197 bssl::UniquePtr<SSL_SESSION> session(
1198 SSL_SESSION_from_bytes(der.data(), der.size(), ssl_ctx.get()));
1199 if (!session ||
1200 !SSL_SESSION_set_protocol_version(session.get(), version) ||
1201 !SSL_SESSION_set_ticket(session.get(), ticket.data(), ticket.size())) {
1202 return nullptr;
1203 }
1204 // Fix up the timeout.
1205 #if defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE)
1206 SSL_SESSION_set_time(session.get(), 1234);
1207 #else
1208 SSL_SESSION_set_time(session.get(), time(nullptr));
1209 #endif
1210 return session;
1211 }
1212
GetClientHello(SSL * ssl,std::vector<uint8_t> * out)1213 static bool GetClientHello(SSL *ssl, std::vector<uint8_t> *out) {
1214 bssl::UniquePtr<BIO> bio(BIO_new(BIO_s_mem()));
1215 if (!bio) {
1216 return false;
1217 }
1218 // Do not configure a reading BIO, but record what's written to a memory BIO.
1219 BIO_up_ref(bio.get());
1220 SSL_set_bio(ssl, nullptr /* rbio */, bio.get());
1221 int ret = SSL_connect(ssl);
1222 if (ret > 0) {
1223 // SSL_connect should fail without a BIO to write to.
1224 return false;
1225 }
1226 ERR_clear_error();
1227
1228 const uint8_t *client_hello;
1229 size_t client_hello_len;
1230 if (!BIO_mem_contents(bio.get(), &client_hello, &client_hello_len)) {
1231 return false;
1232 }
1233
1234 // We did not get far enough to write a ClientHello.
1235 if (client_hello_len == 0) {
1236 return false;
1237 }
1238
1239 *out = std::vector<uint8_t>(client_hello, client_hello + client_hello_len);
1240 return true;
1241 }
1242
1243 // GetClientHelloLen creates a client SSL connection with the specified version
1244 // and ticket length. It returns the length of the ClientHello, not including
1245 // the record header, on success and zero on error.
GetClientHelloLen(uint16_t max_version,uint16_t session_version,size_t ticket_len)1246 static size_t GetClientHelloLen(uint16_t max_version, uint16_t session_version,
1247 size_t ticket_len) {
1248 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
1249 bssl::UniquePtr<SSL_SESSION> session =
1250 CreateSessionWithTicket(session_version, ticket_len);
1251 if (!ctx || !session) {
1252 return 0;
1253 }
1254
1255 // Set a one-element cipher list so the baseline ClientHello is unpadded.
1256 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
1257 if (!ssl || !SSL_set_session(ssl.get(), session.get()) ||
1258 !SSL_set_strict_cipher_list(ssl.get(), "ECDHE-RSA-AES128-GCM-SHA256") ||
1259 !SSL_set_max_proto_version(ssl.get(), max_version)) {
1260 return 0;
1261 }
1262
1263 std::vector<uint8_t> client_hello;
1264 if (!GetClientHello(ssl.get(), &client_hello) ||
1265 client_hello.size() <= SSL3_RT_HEADER_LENGTH) {
1266 return 0;
1267 }
1268
1269 return client_hello.size() - SSL3_RT_HEADER_LENGTH;
1270 }
1271
TEST(SSLTest,Padding)1272 TEST(SSLTest, Padding) {
1273 struct PaddingVersions {
1274 uint16_t max_version, session_version;
1275 };
1276 static const PaddingVersions kPaddingVersions[] = {
1277 // Test the padding extension at TLS 1.2.
1278 {TLS1_2_VERSION, TLS1_2_VERSION},
1279 // Test the padding extension at TLS 1.3 with a TLS 1.2 session, so there
1280 // will be no PSK binder after the padding extension.
1281 {TLS1_3_VERSION, TLS1_2_VERSION},
1282 // Test the padding extension at TLS 1.3 with a TLS 1.3 session, so there
1283 // will be a PSK binder after the padding extension.
1284 {TLS1_3_VERSION, TLS1_3_VERSION},
1285
1286 };
1287
1288 struct PaddingTest {
1289 size_t input_len, padded_len;
1290 };
1291 static const PaddingTest kPaddingTests[] = {
1292 // ClientHellos of length below 0x100 do not require padding.
1293 {0xfe, 0xfe},
1294 {0xff, 0xff},
1295 // ClientHellos of length 0x100 through 0x1fb are padded up to 0x200.
1296 {0x100, 0x200},
1297 {0x123, 0x200},
1298 {0x1fb, 0x200},
1299 // ClientHellos of length 0x1fc through 0x1ff get padded beyond 0x200. The
1300 // padding extension takes a minimum of four bytes plus one required
1301 // content
1302 // byte. (To work around yet more server bugs, we avoid empty final
1303 // extensions.)
1304 {0x1fc, 0x201},
1305 {0x1fd, 0x202},
1306 {0x1fe, 0x203},
1307 {0x1ff, 0x204},
1308 // Finally, larger ClientHellos need no padding.
1309 {0x200, 0x200},
1310 {0x201, 0x201},
1311 };
1312
1313 for (const PaddingVersions &versions : kPaddingVersions) {
1314 SCOPED_TRACE(versions.max_version);
1315 SCOPED_TRACE(versions.session_version);
1316
1317 // Sample a baseline length.
1318 size_t base_len =
1319 GetClientHelloLen(versions.max_version, versions.session_version, 1);
1320 ASSERT_NE(base_len, 0u) << "Baseline length could not be sampled";
1321
1322 for (const PaddingTest &test : kPaddingTests) {
1323 SCOPED_TRACE(test.input_len);
1324 ASSERT_LE(base_len, test.input_len) << "Baseline ClientHello too long";
1325
1326 size_t padded_len =
1327 GetClientHelloLen(versions.max_version, versions.session_version,
1328 1 + test.input_len - base_len);
1329 EXPECT_EQ(padded_len, test.padded_len)
1330 << "ClientHello was not padded to expected length";
1331 }
1332 }
1333 }
1334
CertFromPEM(const char * pem)1335 static bssl::UniquePtr<X509> CertFromPEM(const char *pem) {
1336 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(pem, strlen(pem)));
1337 if (!bio) {
1338 return nullptr;
1339 }
1340 return bssl::UniquePtr<X509>(
1341 PEM_read_bio_X509(bio.get(), nullptr, nullptr, nullptr));
1342 }
1343
KeyFromPEM(const char * pem)1344 static bssl::UniquePtr<EVP_PKEY> KeyFromPEM(const char *pem) {
1345 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(pem, strlen(pem)));
1346 if (!bio) {
1347 return nullptr;
1348 }
1349 return bssl::UniquePtr<EVP_PKEY>(
1350 PEM_read_bio_PrivateKey(bio.get(), nullptr, nullptr, nullptr));
1351 }
1352
BufferFromPEM(const char * pem)1353 static bssl::UniquePtr<CRYPTO_BUFFER> BufferFromPEM(const char *pem) {
1354 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(pem, strlen(pem)));
1355 char *name, *header;
1356 uint8_t *data;
1357 long data_len;
1358 if (!PEM_read_bio(bio.get(), &name, &header, &data,
1359 &data_len)) {
1360 return nullptr;
1361 }
1362 OPENSSL_free(name);
1363 OPENSSL_free(header);
1364
1365 auto ret = bssl::UniquePtr<CRYPTO_BUFFER>(
1366 CRYPTO_BUFFER_new(data, data_len, nullptr));
1367 OPENSSL_free(data);
1368 return ret;
1369 }
1370
X509FromBuffer(bssl::UniquePtr<CRYPTO_BUFFER> buffer)1371 static bssl::UniquePtr<X509> X509FromBuffer(
1372 bssl::UniquePtr<CRYPTO_BUFFER> buffer) {
1373 if (!buffer) {
1374 return nullptr;
1375 }
1376 const uint8_t *derp = CRYPTO_BUFFER_data(buffer.get());
1377 return bssl::UniquePtr<X509>(
1378 d2i_X509(NULL, &derp, CRYPTO_BUFFER_len(buffer.get())));
1379 }
1380
GetTestCertificate()1381 static bssl::UniquePtr<X509> GetTestCertificate() {
1382 static const char kCertPEM[] =
1383 "-----BEGIN CERTIFICATE-----\n"
1384 "MIICWDCCAcGgAwIBAgIJAPuwTC6rEJsMMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV\n"
1385 "BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX\n"
1386 "aWRnaXRzIFB0eSBMdGQwHhcNMTQwNDIzMjA1MDQwWhcNMTcwNDIyMjA1MDQwWjBF\n"
1387 "MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50\n"
1388 "ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\n"
1389 "gQDYK8imMuRi/03z0K1Zi0WnvfFHvwlYeyK9Na6XJYaUoIDAtB92kWdGMdAQhLci\n"
1390 "HnAjkXLI6W15OoV3gA/ElRZ1xUpxTMhjP6PyY5wqT5r6y8FxbiiFKKAnHmUcrgfV\n"
1391 "W28tQ+0rkLGMryRtrukXOgXBv7gcrmU7G1jC2a7WqmeI8QIDAQABo1AwTjAdBgNV\n"
1392 "HQ4EFgQUi3XVrMsIvg4fZbf6Vr5sp3Xaha8wHwYDVR0jBBgwFoAUi3XVrMsIvg4f\n"
1393 "Zbf6Vr5sp3Xaha8wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQA76Hht\n"
1394 "ldY9avcTGSwbwoiuIqv0jTL1fHFnzy3RHMLDh+Lpvolc5DSrSJHCP5WuK0eeJXhr\n"
1395 "T5oQpHL9z/cCDLAKCKRa4uV0fhEdOWBqyR9p8y5jJtye72t6CuFUV5iqcpF4BH4f\n"
1396 "j2VNHwsSrJwkD4QUGlUtH7vwnQmyCFxZMmWAJg==\n"
1397 "-----END CERTIFICATE-----\n";
1398 return CertFromPEM(kCertPEM);
1399 }
1400
GetTestKey()1401 static bssl::UniquePtr<EVP_PKEY> GetTestKey() {
1402 static const char kKeyPEM[] =
1403 "-----BEGIN RSA PRIVATE KEY-----\n"
1404 "MIICXgIBAAKBgQDYK8imMuRi/03z0K1Zi0WnvfFHvwlYeyK9Na6XJYaUoIDAtB92\n"
1405 "kWdGMdAQhLciHnAjkXLI6W15OoV3gA/ElRZ1xUpxTMhjP6PyY5wqT5r6y8FxbiiF\n"
1406 "KKAnHmUcrgfVW28tQ+0rkLGMryRtrukXOgXBv7gcrmU7G1jC2a7WqmeI8QIDAQAB\n"
1407 "AoGBAIBy09Fd4DOq/Ijp8HeKuCMKTHqTW1xGHshLQ6jwVV2vWZIn9aIgmDsvkjCe\n"
1408 "i6ssZvnbjVcwzSoByhjN8ZCf/i15HECWDFFh6gt0P5z0MnChwzZmvatV/FXCT0j+\n"
1409 "WmGNB/gkehKjGXLLcjTb6dRYVJSCZhVuOLLcbWIV10gggJQBAkEA8S8sGe4ezyyZ\n"
1410 "m4e9r95g6s43kPqtj5rewTsUxt+2n4eVodD+ZUlCULWVNAFLkYRTBCASlSrm9Xhj\n"
1411 "QpmWAHJUkQJBAOVzQdFUaewLtdOJoPCtpYoY1zd22eae8TQEmpGOR11L6kbxLQsk\n"
1412 "aMly/DOnOaa82tqAGTdqDEZgSNmCeKKknmECQAvpnY8GUOVAubGR6c+W90iBuQLj\n"
1413 "LtFp/9ihd2w/PoDwrHZaoUYVcT4VSfJQog/k7kjE4MYXYWL8eEKg3WTWQNECQQDk\n"
1414 "104Wi91Umd1PzF0ijd2jXOERJU1wEKe6XLkYYNHWQAe5l4J4MWj9OdxFXAxIuuR/\n"
1415 "tfDwbqkta4xcux67//khAkEAvvRXLHTaa6VFzTaiiO8SaFsHV3lQyXOtMrBpB5jd\n"
1416 "moZWgjHvB2W9Ckn7sDqsPB+U2tyX0joDdQEyuiMECDY8oQ==\n"
1417 "-----END RSA PRIVATE KEY-----\n";
1418 return KeyFromPEM(kKeyPEM);
1419 }
1420
CreateContextWithTestCertificate(const SSL_METHOD * method)1421 static bssl::UniquePtr<SSL_CTX> CreateContextWithTestCertificate(
1422 const SSL_METHOD *method) {
1423 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
1424 bssl::UniquePtr<X509> cert = GetTestCertificate();
1425 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
1426 if (!ctx || !cert || !key ||
1427 !SSL_CTX_use_certificate(ctx.get(), cert.get()) ||
1428 !SSL_CTX_use_PrivateKey(ctx.get(), key.get())) {
1429 return nullptr;
1430 }
1431 return ctx;
1432 }
1433
GetECDSATestCertificateBuffer()1434 static bssl::UniquePtr<CRYPTO_BUFFER> GetECDSATestCertificateBuffer() {
1435 static const char kCertPEM[] =
1436 "-----BEGIN CERTIFICATE-----\n"
1437 "MIIBzzCCAXagAwIBAgIJANlMBNpJfb/rMAkGByqGSM49BAEwRTELMAkGA1UEBhMC\n"
1438 "QVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdp\n"
1439 "dHMgUHR5IEx0ZDAeFw0xNDA0MjMyMzIxNTdaFw0xNDA1MjMyMzIxNTdaMEUxCzAJ\n"
1440 "BgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5l\n"
1441 "dCBXaWRnaXRzIFB0eSBMdGQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATmK2ni\n"
1442 "v2Wfl74vHg2UikzVl2u3qR4NRvvdqakendy6WgHn1peoChj5w8SjHlbifINI2xYa\n"
1443 "HPUdfvGULUvPciLBo1AwTjAdBgNVHQ4EFgQUq4TSrKuV8IJOFngHVVdf5CaNgtEw\n"
1444 "HwYDVR0jBBgwFoAUq4TSrKuV8IJOFngHVVdf5CaNgtEwDAYDVR0TBAUwAwEB/zAJ\n"
1445 "BgcqhkjOPQQBA0gAMEUCIQDyoDVeUTo2w4J5m+4nUIWOcAZ0lVfSKXQA9L4Vh13E\n"
1446 "BwIgfB55FGohg/B6dGh5XxSZmmi08cueFV7mHzJSYV51yRQ=\n"
1447 "-----END CERTIFICATE-----\n";
1448 return BufferFromPEM(kCertPEM);
1449 }
1450
GetECDSATestCertificate()1451 static bssl::UniquePtr<X509> GetECDSATestCertificate() {
1452 return X509FromBuffer(GetECDSATestCertificateBuffer());
1453 }
1454
1455
GetECDSATestKey()1456 static bssl::UniquePtr<EVP_PKEY> GetECDSATestKey() {
1457 static const char kKeyPEM[] =
1458 "-----BEGIN PRIVATE KEY-----\n"
1459 "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgBw8IcnrUoEqc3VnJ\n"
1460 "TYlodwi1b8ldMHcO6NHJzgqLtGqhRANCAATmK2niv2Wfl74vHg2UikzVl2u3qR4N\n"
1461 "Rvvdqakendy6WgHn1peoChj5w8SjHlbifINI2xYaHPUdfvGULUvPciLB\n"
1462 "-----END PRIVATE KEY-----\n";
1463 return KeyFromPEM(kKeyPEM);
1464 }
1465
GetChainTestCertificateBuffer()1466 static bssl::UniquePtr<CRYPTO_BUFFER> GetChainTestCertificateBuffer() {
1467 static const char kCertPEM[] =
1468 "-----BEGIN CERTIFICATE-----\n"
1469 "MIIC0jCCAbqgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEQiBD\n"
1470 "QTAeFw0xNjAyMjgyMDI3MDNaFw0yNjAyMjUyMDI3MDNaMBgxFjAUBgNVBAMMDUNs\n"
1471 "aWVudCBDZXJ0IEEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDRvaz8\n"
1472 "CC/cshpCafJo4jLkHEoBqDLhdgFelJoAiQUyIqyWl2O7YHPnpJH+TgR7oelzNzt/\n"
1473 "kLRcH89M/TszB6zqyLTC4aqmvzKL0peD/jL2LWBucR0WXIvjA3zoRuF/x86+rYH3\n"
1474 "tHb+xs2PSs8EGL/Ev+ss+qTzTGEn26fuGNHkNw6tOwPpc+o8+wUtzf/kAthamo+c\n"
1475 "IDs2rQ+lP7+aLZTLeU/q4gcLutlzcK5imex5xy2jPkweq48kijK0kIzl1cPlA5d1\n"
1476 "z7C8jU50Pj9X9sQDJTN32j7UYRisJeeYQF8GaaN8SbrDI6zHgKzrRLyxDt/KQa9V\n"
1477 "iLeXANgZi+Xx9KgfAgMBAAGjLzAtMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYI\n"
1478 "KwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQBFEVbmYl+2RtNw\n"
1479 "rDftRDF1v2QUbcN2ouSnQDHxeDQdSgasLzT3ui8iYu0Rw2WWcZ0DV5e0ztGPhWq7\n"
1480 "AO0B120aFRMOY+4+bzu9Q2FFkQqc7/fKTvTDzIJI5wrMnFvUfzzvxh3OHWMYSs/w\n"
1481 "giq33hTKeHEq6Jyk3btCny0Ycecyc3yGXH10sizUfiHlhviCkDuESk8mFDwDDzqW\n"
1482 "ZF0IipzFbEDHoIxLlm3GQxpiLoEV4k8KYJp3R5KBLFyxM6UGPz8h72mIPCJp2RuK\n"
1483 "MYgF91UDvVzvnYm6TfseM2+ewKirC00GOrZ7rEcFvtxnKSqYf4ckqfNdSU1Y+RRC\n"
1484 "1ngWZ7Ih\n"
1485 "-----END CERTIFICATE-----\n";
1486 return BufferFromPEM(kCertPEM);
1487 }
1488
GetChainTestCertificate()1489 static bssl::UniquePtr<X509> GetChainTestCertificate() {
1490 return X509FromBuffer(GetChainTestCertificateBuffer());
1491 }
1492
GetChainTestIntermediateBuffer()1493 static bssl::UniquePtr<CRYPTO_BUFFER> GetChainTestIntermediateBuffer() {
1494 static const char kCertPEM[] =
1495 "-----BEGIN CERTIFICATE-----\n"
1496 "MIICwjCCAaqgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwFDESMBAGA1UEAwwJQyBS\n"
1497 "b290IENBMB4XDTE2MDIyODIwMjcwM1oXDTI2MDIyNTIwMjcwM1owDzENMAsGA1UE\n"
1498 "AwwEQiBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALsSCYmDip2D\n"
1499 "GkjFxw7ykz26JSjELkl6ArlYjFJ3aT/SCh8qbS4gln7RH8CPBd78oFdfhIKQrwtZ\n"
1500 "3/q21ykD9BAS3qHe2YdcJfm8/kWAy5DvXk6NXU4qX334KofBAEpgdA/igEFq1P1l\n"
1501 "HAuIfZCpMRfT+i5WohVsGi8f/NgpRvVaMONLNfgw57mz1lbtFeBEISmX0kbsuJxF\n"
1502 "Qj/Bwhi5/0HAEXG8e7zN4cEx0yPRvmOATRdVb/8dW2pwOHRJq9R5M0NUkIsTSnL7\n"
1503 "6N/z8hRAHMsV3IudC5Yd7GXW1AGu9a+iKU+Q4xcZCoj0DC99tL4VKujrV1kAeqsM\n"
1504 "cz5/dKzi6+cCAwEAAaMjMCEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
1505 "AQYwDQYJKoZIhvcNAQELBQADggEBAIIeZiEeNhWWQ8Y4D+AGDwqUUeG8NjCbKrXQ\n"
1506 "BlHg5wZ8xftFaiP1Dp/UAezmx2LNazdmuwrYB8lm3FVTyaPDTKEGIPS4wJKHgqH1\n"
1507 "QPDhqNm85ey7TEtI9oYjsNim/Rb+iGkIAMXaxt58SzxbjvP0kMr1JfJIZbic9vye\n"
1508 "NwIspMFIpP3FB8ywyu0T0hWtCQgL4J47nigCHpOu58deP88fS/Nyz/fyGVWOZ76b\n"
1509 "WhWwgM3P3X95fQ3d7oFPR/bVh0YV+Cf861INwplokXgXQ3/TCQ+HNXeAMWn3JLWv\n"
1510 "XFwk8owk9dq/kQGdndGgy3KTEW4ctPX5GNhf3LJ9Q7dLji4ReQ4=\n"
1511 "-----END CERTIFICATE-----\n";
1512 return BufferFromPEM(kCertPEM);
1513 }
1514
GetChainTestIntermediate()1515 static bssl::UniquePtr<X509> GetChainTestIntermediate() {
1516 return X509FromBuffer(GetChainTestIntermediateBuffer());
1517 }
1518
GetChainTestKey()1519 static bssl::UniquePtr<EVP_PKEY> GetChainTestKey() {
1520 static const char kKeyPEM[] =
1521 "-----BEGIN PRIVATE KEY-----\n"
1522 "MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDRvaz8CC/cshpC\n"
1523 "afJo4jLkHEoBqDLhdgFelJoAiQUyIqyWl2O7YHPnpJH+TgR7oelzNzt/kLRcH89M\n"
1524 "/TszB6zqyLTC4aqmvzKL0peD/jL2LWBucR0WXIvjA3zoRuF/x86+rYH3tHb+xs2P\n"
1525 "Ss8EGL/Ev+ss+qTzTGEn26fuGNHkNw6tOwPpc+o8+wUtzf/kAthamo+cIDs2rQ+l\n"
1526 "P7+aLZTLeU/q4gcLutlzcK5imex5xy2jPkweq48kijK0kIzl1cPlA5d1z7C8jU50\n"
1527 "Pj9X9sQDJTN32j7UYRisJeeYQF8GaaN8SbrDI6zHgKzrRLyxDt/KQa9ViLeXANgZ\n"
1528 "i+Xx9KgfAgMBAAECggEBAK0VjSJzkyPaamcyTVSWjo7GdaBGcK60lk657RjR+lK0\n"
1529 "YJ7pkej4oM2hdsVZFsP8Cs4E33nXLa/0pDsRov/qrp0WQm2skwqGMC1I/bZ0WRPk\n"
1530 "wHaDrBBfESWnJDX/AGpVtlyOjPmgmK6J2usMPihQUDkKdAYrVWJePrMIxt1q6BMe\n"
1531 "iczs3qriMmtY3bUc4UyUwJ5fhDLjshHvfuIpYQyI6EXZM6dZksn9LylXJnigY6QJ\n"
1532 "HxOYO0BDwOsZ8yQ8J8afLk88i0GizEkgE1z3REtQUwgWfxr1WV/ud+T6/ZhSAgH9\n"
1533 "042mQvSFZnIUSEsmCvjhWuAunfxHKCTcAoYISWfzWpkCgYEA7gpf3HHU5Tn+CgUn\n"
1534 "1X5uGpG3DmcMgfeGgs2r2f/IIg/5Ac1dfYILiybL1tN9zbyLCJfcbFpWBc9hJL6f\n"
1535 "CPc5hUiwWFJqBJewxQkC1Ae/HakHbip+IZ+Jr0842O4BAArvixk4Lb7/N2Ct9sTE\n"
1536 "NJO6RtK9lbEZ5uK61DglHy8CS2UCgYEA4ZC1o36kPAMQBggajgnucb2yuUEelk0f\n"
1537 "AEr+GI32MGE+93xMr7rAhBoqLg4AITyIfEnOSQ5HwagnIHonBbv1LV/Gf9ursx8Z\n"
1538 "YOGbvT8zzzC+SU1bkDzdjAYnFQVGIjMtKOBJ3K07++ypwX1fr4QsQ8uKL8WSOWwt\n"
1539 "Z3Bym6XiZzMCgYADnhy+2OwHX85AkLt+PyGlPbmuelpyTzS4IDAQbBa6jcuW/2wA\n"
1540 "UE2km75VUXmD+u2R/9zVuLm99NzhFhSMqlUxdV1YukfqMfP5yp1EY6m/5aW7QuIP\n"
1541 "2MDa7TVL9rIFMiVZ09RKvbBbQxjhuzPQKL6X/PPspnhiTefQ+dl2k9xREQKBgHDS\n"
1542 "fMfGNEeAEKezrfSVqxphE9/tXms3L+ZpnCaT+yu/uEr5dTIAawKoQ6i9f/sf1/Sy\n"
1543 "xedsqR+IB+oKrzIDDWMgoJybN4pkZ8E5lzhVQIjFjKgFdWLzzqyW9z1gYfABQPlN\n"
1544 "FiS20WX0vgP1vcKAjdNrHzc9zyHBpgQzDmAj3NZZAoGBAI8vKCKdH7w3aL5CNkZQ\n"
1545 "2buIeWNA2HZazVwAGG5F2TU/LmXfRKnG6dX5bkU+AkBZh56jNZy//hfFSewJB4Kk\n"
1546 "buB7ERSdaNbO21zXt9FEA3+z0RfMd/Zv2vlIWOSB5nzl/7UKti3sribK6s9ZVLfi\n"
1547 "SxpiPQ8d/hmSGwn4ksrWUsJD\n"
1548 "-----END PRIVATE KEY-----\n";
1549 return KeyFromPEM(kKeyPEM);
1550 }
1551
CompleteHandshakes(SSL * client,SSL * server)1552 static bool CompleteHandshakes(SSL *client, SSL *server) {
1553 // Drive both their handshakes to completion.
1554 for (;;) {
1555 int client_ret = SSL_do_handshake(client);
1556 int client_err = SSL_get_error(client, client_ret);
1557 if (client_err != SSL_ERROR_NONE &&
1558 client_err != SSL_ERROR_WANT_READ &&
1559 client_err != SSL_ERROR_WANT_WRITE &&
1560 client_err != SSL_ERROR_PENDING_TICKET) {
1561 fprintf(stderr, "Client error: %s\n", SSL_error_description(client_err));
1562 return false;
1563 }
1564
1565 int server_ret = SSL_do_handshake(server);
1566 int server_err = SSL_get_error(server, server_ret);
1567 if (server_err != SSL_ERROR_NONE &&
1568 server_err != SSL_ERROR_WANT_READ &&
1569 server_err != SSL_ERROR_WANT_WRITE &&
1570 server_err != SSL_ERROR_PENDING_TICKET) {
1571 fprintf(stderr, "Server error: %s\n", SSL_error_description(server_err));
1572 return false;
1573 }
1574
1575 if (client_ret == 1 && server_ret == 1) {
1576 break;
1577 }
1578 }
1579
1580 return true;
1581 }
1582
FlushNewSessionTickets(SSL * client,SSL * server)1583 static bool FlushNewSessionTickets(SSL *client, SSL *server) {
1584 // NewSessionTickets are deferred on the server to |SSL_write|, and clients do
1585 // not pick them up until |SSL_read|.
1586 for (;;) {
1587 int server_ret = SSL_write(server, nullptr, 0);
1588 int server_err = SSL_get_error(server, server_ret);
1589 // The server may either succeed (|server_ret| is zero) or block on write
1590 // (|server_ret| is -1 and |server_err| is |SSL_ERROR_WANT_WRITE|).
1591 if (server_ret > 0 ||
1592 (server_ret < 0 && server_err != SSL_ERROR_WANT_WRITE)) {
1593 fprintf(stderr, "Unexpected server result: %d %d\n", server_ret,
1594 server_err);
1595 return false;
1596 }
1597
1598 int client_ret = SSL_read(client, nullptr, 0);
1599 int client_err = SSL_get_error(client, client_ret);
1600 // The client must always block on read.
1601 if (client_ret != -1 || client_err != SSL_ERROR_WANT_READ) {
1602 fprintf(stderr, "Unexpected client result: %d %d\n", client_ret,
1603 client_err);
1604 return false;
1605 }
1606
1607 // The server flushed everything it had to write.
1608 if (server_ret == 0) {
1609 return true;
1610 }
1611 }
1612 }
1613
1614 // CreateClientAndServer creates a client and server |SSL| objects whose |BIO|s
1615 // are paired with each other. It does not run the handshake. The caller is
1616 // expected to configure the objects and drive the handshake as needed.
CreateClientAndServer(bssl::UniquePtr<SSL> * out_client,bssl::UniquePtr<SSL> * out_server,SSL_CTX * client_ctx,SSL_CTX * server_ctx)1617 static bool CreateClientAndServer(bssl::UniquePtr<SSL> *out_client,
1618 bssl::UniquePtr<SSL> *out_server,
1619 SSL_CTX *client_ctx, SSL_CTX *server_ctx) {
1620 bssl::UniquePtr<SSL> client(SSL_new(client_ctx)), server(SSL_new(server_ctx));
1621 if (!client || !server) {
1622 return false;
1623 }
1624 SSL_set_connect_state(client.get());
1625 SSL_set_accept_state(server.get());
1626
1627 BIO *bio1, *bio2;
1628 if (!BIO_new_bio_pair(&bio1, 0, &bio2, 0)) {
1629 return false;
1630 }
1631 // SSL_set_bio takes ownership.
1632 SSL_set_bio(client.get(), bio1, bio1);
1633 SSL_set_bio(server.get(), bio2, bio2);
1634
1635 *out_client = std::move(client);
1636 *out_server = std::move(server);
1637 return true;
1638 }
1639
1640 struct ClientConfig {
1641 SSL_SESSION *session = nullptr;
1642 std::string servername;
1643 std::string verify_hostname;
1644 unsigned hostflags = 0;
1645 bool early_data = false;
1646 };
1647
ConnectClientAndServer(bssl::UniquePtr<SSL> * out_client,bssl::UniquePtr<SSL> * out_server,SSL_CTX * client_ctx,SSL_CTX * server_ctx,const ClientConfig & config=ClientConfig (),bool shed_handshake_config=true)1648 static bool ConnectClientAndServer(bssl::UniquePtr<SSL> *out_client,
1649 bssl::UniquePtr<SSL> *out_server,
1650 SSL_CTX *client_ctx, SSL_CTX *server_ctx,
1651 const ClientConfig &config = ClientConfig(),
1652 bool shed_handshake_config = true) {
1653 bssl::UniquePtr<SSL> client, server;
1654 if (!CreateClientAndServer(&client, &server, client_ctx, server_ctx)) {
1655 return false;
1656 }
1657 if (config.early_data) {
1658 SSL_set_early_data_enabled(client.get(), 1);
1659 }
1660 if (config.session) {
1661 SSL_set_session(client.get(), config.session);
1662 }
1663 if (!config.servername.empty() &&
1664 !SSL_set_tlsext_host_name(client.get(), config.servername.c_str())) {
1665 return false;
1666 }
1667 if (!config.verify_hostname.empty()) {
1668 if (!SSL_set1_host(client.get(), config.verify_hostname.c_str())) {
1669 return false;
1670 }
1671 SSL_set_hostflags(client.get(), config.hostflags);
1672 }
1673
1674 SSL_set_shed_handshake_config(client.get(), shed_handshake_config);
1675 SSL_set_shed_handshake_config(server.get(), shed_handshake_config);
1676
1677 if (!CompleteHandshakes(client.get(), server.get())) {
1678 return false;
1679 }
1680
1681 *out_client = std::move(client);
1682 *out_server = std::move(server);
1683 return true;
1684 }
1685
1686 static bssl::UniquePtr<SSL_SESSION> g_last_session;
1687
SaveLastSession(SSL * ssl,SSL_SESSION * session)1688 static int SaveLastSession(SSL *ssl, SSL_SESSION *session) {
1689 // Save the most recent session.
1690 g_last_session.reset(session);
1691 return 1;
1692 }
1693
CreateClientSession(SSL_CTX * client_ctx,SSL_CTX * server_ctx,const ClientConfig & config=ClientConfig ())1694 static bssl::UniquePtr<SSL_SESSION> CreateClientSession(
1695 SSL_CTX *client_ctx, SSL_CTX *server_ctx,
1696 const ClientConfig &config = ClientConfig()) {
1697 g_last_session = nullptr;
1698 SSL_CTX_sess_set_new_cb(client_ctx, SaveLastSession);
1699
1700 // Connect client and server to get a session.
1701 bssl::UniquePtr<SSL> client, server;
1702 if (!ConnectClientAndServer(&client, &server, client_ctx, server_ctx,
1703 config) ||
1704 !FlushNewSessionTickets(client.get(), server.get())) {
1705 fprintf(stderr, "Failed to connect client and server.\n");
1706 return nullptr;
1707 }
1708
1709 SSL_CTX_sess_set_new_cb(client_ctx, nullptr);
1710
1711 if (!g_last_session) {
1712 fprintf(stderr, "Client did not receive a session.\n");
1713 return nullptr;
1714 }
1715 return std::move(g_last_session);
1716 }
1717
SetUpExpectedNewCodePoint(SSL_CTX * ctx)1718 static void SetUpExpectedNewCodePoint(SSL_CTX *ctx) {
1719 SSL_CTX_set_select_certificate_cb(
1720 ctx,
1721 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
1722 const uint8_t *data;
1723 size_t len;
1724 if (!SSL_early_callback_ctx_extension_get(
1725 client_hello, TLSEXT_TYPE_application_settings, &data,
1726 &len)) {
1727 ADD_FAILURE() << "Could not find alps new codepoint.";
1728 return ssl_select_cert_error;
1729 }
1730 return ssl_select_cert_success;
1731 });
1732 }
1733
SetUpExpectedOldCodePoint(SSL_CTX * ctx)1734 static void SetUpExpectedOldCodePoint(SSL_CTX *ctx) {
1735 SSL_CTX_set_select_certificate_cb(
1736 ctx,
1737 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
1738 const uint8_t *data;
1739 size_t len;
1740 if (!SSL_early_callback_ctx_extension_get(
1741 client_hello, TLSEXT_TYPE_application_settings_old, &data,
1742 &len)) {
1743 ADD_FAILURE() << "Could not find alps old codepoint.";
1744 return ssl_select_cert_error;
1745 }
1746 return ssl_select_cert_success;
1747 });
1748 }
1749
1750 // Test that |SSL_get_client_CA_list| echoes back the configured parameter even
1751 // before configuring as a server.
TEST(SSLTest,ClientCAList)1752 TEST(SSLTest, ClientCAList) {
1753 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
1754 ASSERT_TRUE(ctx);
1755 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
1756 ASSERT_TRUE(ssl);
1757
1758 bssl::UniquePtr<X509_NAME> name(X509_NAME_new());
1759 ASSERT_TRUE(name);
1760
1761 bssl::UniquePtr<X509_NAME> name_dup(X509_NAME_dup(name.get()));
1762 ASSERT_TRUE(name_dup);
1763
1764 bssl::UniquePtr<STACK_OF(X509_NAME)> stack(sk_X509_NAME_new_null());
1765 ASSERT_TRUE(stack);
1766 ASSERT_TRUE(PushToStack(stack.get(), std::move(name_dup)));
1767
1768 // |SSL_set_client_CA_list| takes ownership.
1769 SSL_set_client_CA_list(ssl.get(), stack.release());
1770
1771 STACK_OF(X509_NAME) *result = SSL_get_client_CA_list(ssl.get());
1772 ASSERT_TRUE(result);
1773 ASSERT_EQ(1u, sk_X509_NAME_num(result));
1774 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(result, 0), name.get()));
1775 }
1776
TEST(SSLTest,AddClientCA)1777 TEST(SSLTest, AddClientCA) {
1778 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
1779 ASSERT_TRUE(ctx);
1780 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
1781 ASSERT_TRUE(ssl);
1782
1783 bssl::UniquePtr<X509> cert1 = GetTestCertificate();
1784 bssl::UniquePtr<X509> cert2 = GetChainTestCertificate();
1785 ASSERT_TRUE(cert1 && cert2);
1786 X509_NAME *name1 = X509_get_subject_name(cert1.get());
1787 X509_NAME *name2 = X509_get_subject_name(cert2.get());
1788
1789 EXPECT_EQ(0u, sk_X509_NAME_num(SSL_get_client_CA_list(ssl.get())));
1790
1791 ASSERT_TRUE(SSL_add_client_CA(ssl.get(), cert1.get()));
1792 ASSERT_TRUE(SSL_add_client_CA(ssl.get(), cert2.get()));
1793
1794 STACK_OF(X509_NAME) *list = SSL_get_client_CA_list(ssl.get());
1795 ASSERT_EQ(2u, sk_X509_NAME_num(list));
1796 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 0), name1));
1797 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 1), name2));
1798
1799 ASSERT_TRUE(SSL_add_client_CA(ssl.get(), cert1.get()));
1800
1801 list = SSL_get_client_CA_list(ssl.get());
1802 ASSERT_EQ(3u, sk_X509_NAME_num(list));
1803 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 0), name1));
1804 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 1), name2));
1805 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 2), name1));
1806 }
1807
1808 struct ECHConfigParams {
1809 uint16_t version = TLSEXT_TYPE_encrypted_client_hello;
1810 uint16_t config_id = 1;
1811 std::string public_name = "example.com";
1812 const EVP_HPKE_KEY *key = nullptr;
1813 // kem_id, if zero, takes its value from |key|.
1814 uint16_t kem_id = 0;
1815 // public_key, if empty takes its value from |key|.
1816 std::vector<uint8_t> public_key;
1817 size_t max_name_len = 16;
1818 // cipher_suites is a list of code points which should contain pairs of KDF
1819 // and AEAD IDs.
1820 std::vector<uint16_t> cipher_suites = {EVP_HPKE_HKDF_SHA256,
1821 EVP_HPKE_AES_128_GCM};
1822 std::vector<uint8_t> extensions;
1823 };
1824
1825 // MakeECHConfig serializes an ECHConfig from |params| and writes it to
1826 // |*out|.
MakeECHConfig(std::vector<uint8_t> * out,const ECHConfigParams & params)1827 bool MakeECHConfig(std::vector<uint8_t> *out,
1828 const ECHConfigParams ¶ms) {
1829 uint16_t kem_id = params.kem_id == 0
1830 ? EVP_HPKE_KEM_id(EVP_HPKE_KEY_kem(params.key))
1831 : params.kem_id;
1832 std::vector<uint8_t> public_key = params.public_key;
1833 if (public_key.empty()) {
1834 public_key.resize(EVP_HPKE_MAX_PUBLIC_KEY_LENGTH);
1835 size_t len;
1836 if (!EVP_HPKE_KEY_public_key(params.key, public_key.data(), &len,
1837 public_key.size())) {
1838 return false;
1839 }
1840 public_key.resize(len);
1841 }
1842
1843 bssl::ScopedCBB cbb;
1844 CBB contents, child;
1845 if (!CBB_init(cbb.get(), 64) ||
1846 !CBB_add_u16(cbb.get(), params.version) ||
1847 !CBB_add_u16_length_prefixed(cbb.get(), &contents) ||
1848 !CBB_add_u8(&contents, params.config_id) ||
1849 !CBB_add_u16(&contents, kem_id) ||
1850 !CBB_add_u16_length_prefixed(&contents, &child) ||
1851 !CBB_add_bytes(&child, public_key.data(), public_key.size()) ||
1852 !CBB_add_u16_length_prefixed(&contents, &child)) {
1853 return false;
1854 }
1855 for (uint16_t cipher_suite : params.cipher_suites) {
1856 if (!CBB_add_u16(&child, cipher_suite)) {
1857 return false;
1858 }
1859 }
1860 if (!CBB_add_u8(&contents, params.max_name_len) ||
1861 !CBB_add_u8_length_prefixed(&contents, &child) ||
1862 !CBB_add_bytes(
1863 &child, reinterpret_cast<const uint8_t *>(params.public_name.data()),
1864 params.public_name.size()) ||
1865 !CBB_add_u16_length_prefixed(&contents, &child) ||
1866 !CBB_add_bytes(&child, params.extensions.data(),
1867 params.extensions.size()) ||
1868 !CBB_flush(cbb.get())) {
1869 return false;
1870 }
1871
1872 out->assign(CBB_data(cbb.get()), CBB_data(cbb.get()) + CBB_len(cbb.get()));
1873 return true;
1874 }
1875
MakeTestECHKeys(uint8_t config_id=1)1876 static bssl::UniquePtr<SSL_ECH_KEYS> MakeTestECHKeys(uint8_t config_id = 1) {
1877 bssl::ScopedEVP_HPKE_KEY key;
1878 uint8_t *ech_config;
1879 size_t ech_config_len;
1880 if (!EVP_HPKE_KEY_generate(key.get(), EVP_hpke_x25519_hkdf_sha256()) ||
1881 !SSL_marshal_ech_config(&ech_config, &ech_config_len, config_id,
1882 key.get(), "public.example", 16)) {
1883 return nullptr;
1884 }
1885 bssl::UniquePtr<uint8_t> free_ech_config(ech_config);
1886
1887 // Install a non-retry config.
1888 bssl::UniquePtr<SSL_ECH_KEYS> keys(SSL_ECH_KEYS_new());
1889 if (!keys || !SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1, ech_config,
1890 ech_config_len, key.get())) {
1891 return nullptr;
1892 }
1893 return keys;
1894 }
1895
InstallECHConfigList(SSL * client,const SSL_ECH_KEYS * keys)1896 static bool InstallECHConfigList(SSL *client, const SSL_ECH_KEYS *keys) {
1897 uint8_t *ech_config_list;
1898 size_t ech_config_list_len;
1899 if (!SSL_ECH_KEYS_marshal_retry_configs(keys, &ech_config_list,
1900 &ech_config_list_len)) {
1901 return false;
1902 }
1903 bssl::UniquePtr<uint8_t> free_ech_config_list(ech_config_list);
1904 return SSL_set1_ech_config_list(client, ech_config_list, ech_config_list_len);
1905 }
1906
1907 // Test that |SSL_marshal_ech_config| and |SSL_ECH_KEYS_marshal_retry_configs|
1908 // output values as expected.
TEST(SSLTest,MarshalECHConfig)1909 TEST(SSLTest, MarshalECHConfig) {
1910 static const uint8_t kPrivateKey[X25519_PRIVATE_KEY_LEN] = {
1911 0xbc, 0xb5, 0x51, 0x29, 0x31, 0x10, 0x30, 0xc9, 0xed, 0x26, 0xde,
1912 0xd4, 0xb3, 0xdf, 0x3a, 0xce, 0x06, 0x8a, 0xee, 0x17, 0xab, 0xce,
1913 0xd7, 0xdb, 0xf3, 0x11, 0xe5, 0xa8, 0xf3, 0xb1, 0x8e, 0x24};
1914 bssl::ScopedEVP_HPKE_KEY key;
1915 ASSERT_TRUE(EVP_HPKE_KEY_init(key.get(), EVP_hpke_x25519_hkdf_sha256(),
1916 kPrivateKey, sizeof(kPrivateKey)));
1917
1918 static const uint8_t kECHConfig[] = {
1919 // version
1920 0xfe, 0x0d,
1921 // length
1922 0x00, 0x41,
1923 // contents.config_id
1924 0x01,
1925 // contents.kem_id
1926 0x00, 0x20,
1927 // contents.public_key
1928 0x00, 0x20, 0xa6, 0x9a, 0x41, 0x48, 0x5d, 0x32, 0x96, 0xa4, 0xe0, 0xc3,
1929 0x6a, 0xee, 0xf6, 0x63, 0x0f, 0x59, 0x32, 0x6f, 0xdc, 0xff, 0x81, 0x29,
1930 0x59, 0xa5, 0x85, 0xd3, 0x9b, 0x3b, 0xde, 0x98, 0x55, 0x5c,
1931 // contents.cipher_suites
1932 0x00, 0x08, 0x00, 0x01, 0x00, 0x01, 0x00, 0x01, 0x00, 0x03,
1933 // contents.maximum_name_length
1934 0x10,
1935 // contents.public_name
1936 0x0e, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x2e, 0x65, 0x78, 0x61, 0x6d,
1937 0x70, 0x6c, 0x65,
1938 // contents.extensions
1939 0x00, 0x00};
1940 uint8_t *ech_config;
1941 size_t ech_config_len;
1942 ASSERT_TRUE(SSL_marshal_ech_config(&ech_config, &ech_config_len,
1943 /*config_id=*/1, key.get(),
1944 "public.example", 16));
1945 bssl::UniquePtr<uint8_t> free_ech_config(ech_config);
1946 EXPECT_EQ(Bytes(kECHConfig), Bytes(ech_config, ech_config_len));
1947
1948 // Generate a second ECHConfig.
1949 bssl::ScopedEVP_HPKE_KEY key2;
1950 ASSERT_TRUE(EVP_HPKE_KEY_generate(key2.get(), EVP_hpke_x25519_hkdf_sha256()));
1951 uint8_t *ech_config2;
1952 size_t ech_config2_len;
1953 ASSERT_TRUE(SSL_marshal_ech_config(&ech_config2, &ech_config2_len,
1954 /*config_id=*/2, key2.get(),
1955 "public.example", 16));
1956 bssl::UniquePtr<uint8_t> free_ech_config2(ech_config2);
1957
1958 // Install both ECHConfigs in an |SSL_ECH_KEYS|.
1959 bssl::UniquePtr<SSL_ECH_KEYS> keys(SSL_ECH_KEYS_new());
1960 ASSERT_TRUE(keys);
1961 ASSERT_TRUE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1, ech_config,
1962 ech_config_len, key.get()));
1963 ASSERT_TRUE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1, ech_config2,
1964 ech_config2_len, key2.get()));
1965
1966 // The ECHConfigList should be correctly serialized.
1967 uint8_t *ech_config_list;
1968 size_t ech_config_list_len;
1969 ASSERT_TRUE(SSL_ECH_KEYS_marshal_retry_configs(keys.get(), &ech_config_list,
1970 &ech_config_list_len));
1971 bssl::UniquePtr<uint8_t> free_ech_config_list(ech_config_list);
1972
1973 // ECHConfigList is just the concatenation with a length prefix.
1974 size_t len = ech_config_len + ech_config2_len;
1975 std::vector<uint8_t> expected = {uint8_t(len >> 8), uint8_t(len)};
1976 expected.insert(expected.end(), ech_config, ech_config + ech_config_len);
1977 expected.insert(expected.end(), ech_config2, ech_config2 + ech_config2_len);
1978 EXPECT_EQ(Bytes(expected), Bytes(ech_config_list, ech_config_list_len));
1979 }
1980
TEST(SSLTest,ECHHasDuplicateConfigID)1981 TEST(SSLTest, ECHHasDuplicateConfigID) {
1982 const struct {
1983 std::vector<uint8_t> ids;
1984 bool has_duplicate;
1985 } kTests[] = {
1986 {{}, false},
1987 {{1}, false},
1988 {{1, 2, 3, 255}, false},
1989 {{1, 2, 3, 1}, true},
1990 };
1991 for (const auto &test : kTests) {
1992 bssl::UniquePtr<SSL_ECH_KEYS> keys(SSL_ECH_KEYS_new());
1993 ASSERT_TRUE(keys);
1994 for (const uint8_t id : test.ids) {
1995 bssl::ScopedEVP_HPKE_KEY key;
1996 ASSERT_TRUE(
1997 EVP_HPKE_KEY_generate(key.get(), EVP_hpke_x25519_hkdf_sha256()));
1998 uint8_t *ech_config;
1999 size_t ech_config_len;
2000 ASSERT_TRUE(SSL_marshal_ech_config(&ech_config, &ech_config_len, id,
2001 key.get(), "public.example", 16));
2002 bssl::UniquePtr<uint8_t> free_ech_config(ech_config);
2003 ASSERT_TRUE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
2004 ech_config, ech_config_len, key.get()));
2005 }
2006
2007 EXPECT_EQ(test.has_duplicate ? 1 : 0,
2008 SSL_ECH_KEYS_has_duplicate_config_id(keys.get()));
2009 }
2010 }
2011
2012 // Test that |SSL_ECH_KEYS_add| checks consistency between the public and
2013 // private key.
TEST(SSLTest,ECHKeyConsistency)2014 TEST(SSLTest, ECHKeyConsistency) {
2015 bssl::UniquePtr<SSL_ECH_KEYS> keys(SSL_ECH_KEYS_new());
2016 ASSERT_TRUE(keys);
2017 bssl::ScopedEVP_HPKE_KEY key;
2018 ASSERT_TRUE(EVP_HPKE_KEY_generate(key.get(), EVP_hpke_x25519_hkdf_sha256()));
2019 uint8_t public_key[EVP_HPKE_MAX_PUBLIC_KEY_LENGTH];
2020 size_t public_key_len;
2021 ASSERT_TRUE(EVP_HPKE_KEY_public_key(key.get(), public_key, &public_key_len,
2022 sizeof(public_key)));
2023
2024 // Adding an ECHConfig with the matching public key succeeds.
2025 ECHConfigParams params;
2026 params.key = key.get();
2027 std::vector<uint8_t> ech_config;
2028 ASSERT_TRUE(MakeECHConfig(&ech_config, params));
2029 EXPECT_TRUE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
2030 ech_config.data(), ech_config.size(),
2031 key.get()));
2032
2033 // Adding an ECHConfig with the wrong public key is an error.
2034 bssl::ScopedEVP_HPKE_KEY wrong_key;
2035 ASSERT_TRUE(
2036 EVP_HPKE_KEY_generate(wrong_key.get(), EVP_hpke_x25519_hkdf_sha256()));
2037 EXPECT_FALSE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
2038 ech_config.data(), ech_config.size(),
2039 wrong_key.get()));
2040
2041 // Adding an ECHConfig with a truncated public key is an error.
2042 ECHConfigParams truncated;
2043 truncated.key = key.get();
2044 truncated.public_key.assign(public_key, public_key + public_key_len - 1);
2045 ASSERT_TRUE(MakeECHConfig(&ech_config, truncated));
2046 EXPECT_FALSE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
2047 ech_config.data(), ech_config.size(), key.get()));
2048
2049 // Adding an ECHConfig with the right public key, but wrong KEM ID, is an
2050 // error.
2051 ECHConfigParams wrong_kem;
2052 wrong_kem.key = key.get();
2053 wrong_kem.kem_id = 0x0010; // DHKEM(P-256, HKDF-SHA256)
2054 ASSERT_TRUE(MakeECHConfig(&ech_config, wrong_kem));
2055 EXPECT_FALSE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
2056 ech_config.data(), ech_config.size(),
2057 key.get()));
2058 }
2059
2060 // Test that |SSL_CTX_set1_ech_keys| fails when the config list
2061 // has no retry configs.
TEST(SSLTest,ECHServerConfigsWithoutRetryConfigs)2062 TEST(SSLTest, ECHServerConfigsWithoutRetryConfigs) {
2063 bssl::ScopedEVP_HPKE_KEY key;
2064 ASSERT_TRUE(EVP_HPKE_KEY_generate(key.get(), EVP_hpke_x25519_hkdf_sha256()));
2065 uint8_t *ech_config;
2066 size_t ech_config_len;
2067 ASSERT_TRUE(SSL_marshal_ech_config(&ech_config, &ech_config_len,
2068 /*config_id=*/1, key.get(),
2069 "public.example", 16));
2070 bssl::UniquePtr<uint8_t> free_ech_config(ech_config);
2071
2072 // Install a non-retry config.
2073 bssl::UniquePtr<SSL_ECH_KEYS> keys(SSL_ECH_KEYS_new());
2074 ASSERT_TRUE(keys);
2075 ASSERT_TRUE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/0, ech_config,
2076 ech_config_len, key.get()));
2077
2078 // |keys| has no retry configs.
2079 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
2080 ASSERT_TRUE(ctx);
2081 EXPECT_FALSE(SSL_CTX_set1_ech_keys(ctx.get(), keys.get()));
2082
2083 // Add the same ECHConfig to the list, but this time mark it as a retry
2084 // config.
2085 ASSERT_TRUE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1, ech_config,
2086 ech_config_len, key.get()));
2087 EXPECT_TRUE(SSL_CTX_set1_ech_keys(ctx.get(), keys.get()));
2088 }
2089
2090 // Test that the server APIs reject ECHConfigs with unsupported features.
TEST(SSLTest,UnsupportedECHConfig)2091 TEST(SSLTest, UnsupportedECHConfig) {
2092 bssl::UniquePtr<SSL_ECH_KEYS> keys(SSL_ECH_KEYS_new());
2093 ASSERT_TRUE(keys);
2094 bssl::ScopedEVP_HPKE_KEY key;
2095 ASSERT_TRUE(EVP_HPKE_KEY_generate(key.get(), EVP_hpke_x25519_hkdf_sha256()));
2096
2097 // Unsupported versions are rejected.
2098 ECHConfigParams unsupported_version;
2099 unsupported_version.version = 0xffff;
2100 unsupported_version.key = key.get();
2101 std::vector<uint8_t> ech_config;
2102 ASSERT_TRUE(MakeECHConfig(&ech_config, unsupported_version));
2103 EXPECT_FALSE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
2104 ech_config.data(), ech_config.size(),
2105 key.get()));
2106
2107 // Unsupported cipher suites are rejected. (We only support HKDF-SHA256.)
2108 ECHConfigParams unsupported_kdf;
2109 unsupported_kdf.key = key.get();
2110 unsupported_kdf.cipher_suites = {0x002 /* HKDF-SHA384 */,
2111 EVP_HPKE_AES_128_GCM};
2112 ASSERT_TRUE(MakeECHConfig(&ech_config, unsupported_kdf));
2113 EXPECT_FALSE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
2114 ech_config.data(), ech_config.size(),
2115 key.get()));
2116 ECHConfigParams unsupported_aead;
2117 unsupported_aead.key = key.get();
2118 unsupported_aead.cipher_suites = {EVP_HPKE_HKDF_SHA256, 0xffff};
2119 ASSERT_TRUE(MakeECHConfig(&ech_config, unsupported_aead));
2120 EXPECT_FALSE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
2121 ech_config.data(), ech_config.size(),
2122 key.get()));
2123
2124
2125 // Unsupported extensions are rejected.
2126 ECHConfigParams extensions;
2127 extensions.key = key.get();
2128 extensions.extensions = {0x00, 0x01, 0x00, 0x00};
2129 ASSERT_TRUE(MakeECHConfig(&ech_config, extensions));
2130 EXPECT_FALSE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
2131 ech_config.data(), ech_config.size(),
2132 key.get()));
2133
2134 // Invalid public names are rejected.
2135 ECHConfigParams invalid_public_name;
2136 invalid_public_name.key = key.get();
2137 invalid_public_name.public_name = "dns_names_have_no_underscores.example";
2138 ASSERT_TRUE(MakeECHConfig(&ech_config, invalid_public_name));
2139 EXPECT_FALSE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
2140 ech_config.data(), ech_config.size(),
2141 key.get()));
2142 }
2143
2144 // Test that |SSL_get_client_random| reports the correct value on both client
2145 // and server in ECH. The client sends two different random values. When ECH is
2146 // accepted, we should report the inner one.
TEST(SSLTest,ECHClientRandomsMatch)2147 TEST(SSLTest, ECHClientRandomsMatch) {
2148 bssl::UniquePtr<SSL_CTX> server_ctx =
2149 CreateContextWithTestCertificate(TLS_method());
2150 ASSERT_TRUE(server_ctx);
2151 bssl::UniquePtr<SSL_ECH_KEYS> keys = MakeTestECHKeys();
2152 ASSERT_TRUE(keys);
2153 ASSERT_TRUE(SSL_CTX_set1_ech_keys(server_ctx.get(), keys.get()));
2154
2155 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
2156 ASSERT_TRUE(client_ctx);
2157 bssl::UniquePtr<SSL> client, server;
2158 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
2159 server_ctx.get()));
2160 ASSERT_TRUE(InstallECHConfigList(client.get(), keys.get()));
2161 ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
2162
2163 EXPECT_TRUE(SSL_ech_accepted(client.get()));
2164 EXPECT_TRUE(SSL_ech_accepted(server.get()));
2165
2166 // An ECH server will fairly naturally record the inner ClientHello random,
2167 // but an ECH client may forget to update the random once ClientHelloInner is
2168 // selected.
2169 uint8_t client_random1[SSL3_RANDOM_SIZE];
2170 uint8_t client_random2[SSL3_RANDOM_SIZE];
2171 ASSERT_EQ(sizeof(client_random1),
2172 SSL_get_client_random(client.get(), client_random1,
2173 sizeof(client_random1)));
2174 ASSERT_EQ(sizeof(client_random2),
2175 SSL_get_client_random(server.get(), client_random2,
2176 sizeof(client_random2)));
2177 EXPECT_EQ(Bytes(client_random1), Bytes(client_random2));
2178 }
2179
2180 // GetECHLength sets |*out_client_hello_len| and |*out_ech_len| to the lengths
2181 // of the ClientHello and ECH extension, respectively, when a client created
2182 // from |ctx| constructs a ClientHello with name |name| and an ECHConfig with
2183 // maximum name length |max_name_len|.
GetECHLength(SSL_CTX * ctx,size_t * out_client_hello_len,size_t * out_ech_len,size_t max_name_len,const char * name)2184 static bool GetECHLength(SSL_CTX *ctx, size_t *out_client_hello_len,
2185 size_t *out_ech_len, size_t max_name_len,
2186 const char *name) {
2187 bssl::ScopedEVP_HPKE_KEY key;
2188 uint8_t *ech_config;
2189 size_t ech_config_len;
2190 if (!EVP_HPKE_KEY_generate(key.get(), EVP_hpke_x25519_hkdf_sha256()) ||
2191 !SSL_marshal_ech_config(&ech_config, &ech_config_len,
2192 /*config_id=*/1, key.get(), "public.example",
2193 max_name_len)) {
2194 return false;
2195 }
2196 bssl::UniquePtr<uint8_t> free_ech_config(ech_config);
2197
2198 bssl::UniquePtr<SSL_ECH_KEYS> keys(SSL_ECH_KEYS_new());
2199 if (!keys || !SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1, ech_config,
2200 ech_config_len, key.get())) {
2201 return false;
2202 }
2203
2204 bssl::UniquePtr<SSL> ssl(SSL_new(ctx));
2205 if (!ssl || !InstallECHConfigList(ssl.get(), keys.get()) ||
2206 (name != nullptr && !SSL_set_tlsext_host_name(ssl.get(), name))) {
2207 return false;
2208 }
2209 SSL_set_connect_state(ssl.get());
2210
2211 std::vector<uint8_t> client_hello;
2212 SSL_CLIENT_HELLO parsed;
2213 const uint8_t *unused;
2214 if (!GetClientHello(ssl.get(), &client_hello) ||
2215 !ssl_client_hello_init(
2216 ssl.get(), &parsed,
2217 // Skip record and handshake headers. This assumes the ClientHello
2218 // fits in one record.
2219 MakeConstSpan(client_hello)
2220 .subspan(SSL3_RT_HEADER_LENGTH + SSL3_HM_HEADER_LENGTH)) ||
2221 !SSL_early_callback_ctx_extension_get(
2222 &parsed, TLSEXT_TYPE_encrypted_client_hello, &unused, out_ech_len)) {
2223 return false;
2224 }
2225 *out_client_hello_len = client_hello.size();
2226 return true;
2227 }
2228
TEST(SSLTest,ECHPadding)2229 TEST(SSLTest, ECHPadding) {
2230 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
2231 ASSERT_TRUE(ctx);
2232
2233 // Sample lengths with max_name_len = 128 as baseline.
2234 size_t client_hello_len_baseline, ech_len_baseline;
2235 ASSERT_TRUE(GetECHLength(ctx.get(), &client_hello_len_baseline,
2236 &ech_len_baseline, 128, "example.com"));
2237
2238 // Check that all name lengths under the server's maximum look the same.
2239 for (size_t name_len : {1, 2, 32, 64, 127, 128}) {
2240 SCOPED_TRACE(name_len);
2241 size_t client_hello_len, ech_len;
2242 ASSERT_TRUE(GetECHLength(ctx.get(), &client_hello_len, &ech_len, 128,
2243 std::string(name_len, 'a').c_str()));
2244 EXPECT_EQ(client_hello_len, client_hello_len_baseline);
2245 EXPECT_EQ(ech_len, ech_len_baseline);
2246 }
2247
2248 // When sending no SNI, we must still pad as if we are sending one.
2249 size_t client_hello_len, ech_len;
2250 ASSERT_TRUE(
2251 GetECHLength(ctx.get(), &client_hello_len, &ech_len, 128, nullptr));
2252 EXPECT_EQ(client_hello_len, client_hello_len_baseline);
2253 EXPECT_EQ(ech_len, ech_len_baseline);
2254
2255 // Name lengths above the maximum do not get named-based padding, but the
2256 // overall input is padded to a multiple of 32.
2257 size_t client_hello_len_baseline2, ech_len_baseline2;
2258 ASSERT_TRUE(GetECHLength(ctx.get(), &client_hello_len_baseline2,
2259 &ech_len_baseline2, 128,
2260 std::string(128 + 32, 'a').c_str()));
2261 EXPECT_EQ(ech_len_baseline2, ech_len_baseline + 32);
2262 // The ClientHello lengths may match if we are still under the threshold for
2263 // padding extension.
2264 EXPECT_GE(client_hello_len_baseline2, client_hello_len_baseline);
2265
2266 for (size_t name_len = 128 + 1; name_len < 128 + 32; name_len++) {
2267 SCOPED_TRACE(name_len);
2268 ASSERT_TRUE(GetECHLength(ctx.get(), &client_hello_len, &ech_len, 128,
2269 std::string(name_len, 'a').c_str()));
2270 EXPECT_TRUE(ech_len == ech_len_baseline || ech_len == ech_len_baseline2)
2271 << ech_len;
2272 EXPECT_TRUE(client_hello_len == client_hello_len_baseline ||
2273 client_hello_len == client_hello_len_baseline2)
2274 << client_hello_len;
2275 }
2276 }
2277
TEST(SSLTest,ECHPublicName)2278 TEST(SSLTest, ECHPublicName) {
2279 auto str_to_span = [](const char *str) -> Span<const uint8_t> {
2280 return MakeConstSpan(reinterpret_cast<const uint8_t *>(str), strlen(str));
2281 };
2282
2283 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("")));
2284 EXPECT_TRUE(ssl_is_valid_ech_public_name(str_to_span("example.com")));
2285 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span(".example.com")));
2286 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("example.com.")));
2287 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("example..com")));
2288 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("www.-example.com")));
2289 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("www.example-.com")));
2290 EXPECT_FALSE(
2291 ssl_is_valid_ech_public_name(str_to_span("no_underscores.example")));
2292 EXPECT_FALSE(ssl_is_valid_ech_public_name(
2293 str_to_span("invalid_chars.\x01.example")));
2294 EXPECT_FALSE(ssl_is_valid_ech_public_name(
2295 str_to_span("invalid_chars.\xff.example")));
2296 static const uint8_t kWithNUL[] = {'t', 'e', 's', 't', 0};
2297 EXPECT_FALSE(ssl_is_valid_ech_public_name(kWithNUL));
2298
2299 // Test an LDH label with every character and the maximum length.
2300 EXPECT_TRUE(ssl_is_valid_ech_public_name(str_to_span(
2301 "abcdefhijklmnopqrstuvwxyz-ABCDEFGHIJKLMNOPQRSTUVWXYZ-0123456789")));
2302 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span(
2303 "abcdefhijklmnopqrstuvwxyz-ABCDEFGHIJKLMNOPQRSTUVWXYZ-01234567899")));
2304
2305 // Inputs with trailing numeric components are rejected.
2306 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("127.0.0.1")));
2307 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("example.1")));
2308 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("example.01")));
2309 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("example.0x01")));
2310 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("example.0X01")));
2311 // Leading zeros and values that overflow |uint32_t| are still rejected.
2312 EXPECT_FALSE(ssl_is_valid_ech_public_name(
2313 str_to_span("example.123456789000000000000000")));
2314 EXPECT_FALSE(ssl_is_valid_ech_public_name(
2315 str_to_span("example.012345678900000000000000")));
2316 EXPECT_FALSE(ssl_is_valid_ech_public_name(
2317 str_to_span("example.0x123456789abcdefABCDEF0")));
2318 EXPECT_FALSE(ssl_is_valid_ech_public_name(
2319 str_to_span("example.0x0123456789abcdefABCDEF")));
2320 // Adding a non-digit or non-hex character makes it a valid DNS name again.
2321 // Single-component numbers are rejected.
2322 EXPECT_TRUE(ssl_is_valid_ech_public_name(
2323 str_to_span("example.1234567890a")));
2324 EXPECT_TRUE(ssl_is_valid_ech_public_name(
2325 str_to_span("example.01234567890a")));
2326 EXPECT_TRUE(ssl_is_valid_ech_public_name(
2327 str_to_span("example.0x123456789abcdefg")));
2328 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("1")));
2329 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("01")));
2330 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("0x01")));
2331 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("0X01")));
2332 // Numbers with trailing dots are rejected. (They are already rejected by the
2333 // LDH label rules, but the WHATWG URL parser additionally rejects them.)
2334 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("1.")));
2335 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("01.")));
2336 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("0x01.")));
2337 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("0X01.")));
2338 }
2339
2340 // When using the built-in verifier, test that |SSL_get0_ech_name_override| is
2341 // applied automatically.
TEST(SSLTest,ECHBuiltinVerifier)2342 TEST(SSLTest, ECHBuiltinVerifier) {
2343 // These test certificates generated with the following Go program.
2344 /* clang-format off
2345 func main() {
2346 notBefore := time.Date(2000, time.January, 1, 0, 0, 0, 0, time.UTC)
2347 notAfter := time.Date(2099, time.January, 1, 0, 0, 0, 0, time.UTC)
2348 rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
2349 rootTemplate := &x509.Certificate{
2350 SerialNumber: big.NewInt(1),
2351 Subject: pkix.Name{CommonName: "Test CA"},
2352 NotBefore: notBefore,
2353 NotAfter: notAfter,
2354 BasicConstraintsValid: true,
2355 IsCA: true,
2356 }
2357 rootDER, _ := x509.CreateCertificate(rand.Reader, rootTemplate, rootTemplate, &rootKey.PublicKey, rootKey)
2358 root, _ := x509.ParseCertificate(rootDER)
2359 pem.Encode(os.Stdout, &pem.Block{Type: "CERTIFICATE", Bytes: rootDER})
2360 leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
2361 leafKeyDER, _ := x509.MarshalPKCS8PrivateKey(leafKey)
2362 pem.Encode(os.Stdout, &pem.Block{Type: "PRIVATE KEY", Bytes: leafKeyDER})
2363 for i, name := range []string{"public.example", "secret.example"} {
2364 leafTemplate := &x509.Certificate{
2365 SerialNumber: big.NewInt(int64(i) + 2),
2366 Subject: pkix.Name{CommonName: name},
2367 NotBefore: notBefore,
2368 NotAfter: notAfter,
2369 BasicConstraintsValid: true,
2370 DNSNames: []string{name},
2371 }
2372 leafDER, _ := x509.CreateCertificate(rand.Reader, leafTemplate, root, &leafKey.PublicKey, rootKey)
2373 pem.Encode(os.Stdout, &pem.Block{Type: "CERTIFICATE", Bytes: leafDER})
2374 }
2375 }
2376 clang-format on */
2377 bssl::UniquePtr<X509> root = CertFromPEM(R"(
2378 -----BEGIN CERTIFICATE-----
2379 MIIBRzCB7aADAgECAgEBMAoGCCqGSM49BAMCMBIxEDAOBgNVBAMTB1Rlc3QgQ0Ew
2380 IBcNMDAwMTAxMDAwMDAwWhgPMjA5OTAxMDEwMDAwMDBaMBIxEDAOBgNVBAMTB1Rl
2381 c3QgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAT5JUjrI1DAxSpEl88UkmJw
2382 tAJqxo/YrSFo9V3MkcNkfTixi5p6MUtO8DazhEgekBcd2+tBAWtl7dy0qpvTqx92
2383 ozIwMDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTw6ftkexAI6o4r5FntJIfL
2384 GU5F4zAKBggqhkjOPQQDAgNJADBGAiEAiiNowddQeHZaZFIygwe6RW5/WG4sUXWC
2385 dkyl9CQzRaYCIQCFS1EvwZbZtMny27fYm1eeYciY0TkJTEi34H1KwyzzIA==
2386 -----END CERTIFICATE-----
2387 )");
2388 ASSERT_TRUE(root);
2389 bssl::UniquePtr<EVP_PKEY> leaf_key = KeyFromPEM(R"(
2390 -----BEGIN PRIVATE KEY-----
2391 MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgj5WKHwHnziiyPauf
2392 7QukxTwtTyGZkk8qNdms4puJfxqhRANCAARNrkhxabALDlJrHtvkuDwvCWUF/oVC
2393 hr6PDITHi1lDlJzvVT4aXBH87sH2n2UV5zpx13NHkq1bIC8eRT8eOIe0
2394 -----END PRIVATE KEY-----
2395 )");
2396 ASSERT_TRUE(leaf_key);
2397 bssl::UniquePtr<X509> leaf_public = CertFromPEM(R"(
2398 -----BEGIN CERTIFICATE-----
2399 MIIBaDCCAQ6gAwIBAgIBAjAKBggqhkjOPQQDAjASMRAwDgYDVQQDEwdUZXN0IENB
2400 MCAXDTAwMDEwMTAwMDAwMFoYDzIwOTkwMTAxMDAwMDAwWjAZMRcwFQYDVQQDEw5w
2401 dWJsaWMuZXhhbXBsZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE2uSHFpsAsO
2402 Umse2+S4PC8JZQX+hUKGvo8MhMeLWUOUnO9VPhpcEfzuwfafZRXnOnHXc0eSrVsg
2403 Lx5FPx44h7SjTDBKMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAU8On7ZHsQCOqO
2404 K+RZ7SSHyxlOReMwGQYDVR0RBBIwEIIOcHVibGljLmV4YW1wbGUwCgYIKoZIzj0E
2405 AwIDSAAwRQIhANqZRhDR/+QL05hsWXMYEwaiHifd9iakKoFEhKFchcF3AiBRAeXw
2406 wRGGT6+iPmTYM6N5/IDyAb5B9Ke38O6lLEsUwA==
2407 -----END CERTIFICATE-----
2408 )");
2409 ASSERT_TRUE(leaf_public);
2410 bssl::UniquePtr<X509> leaf_secret = CertFromPEM(R"(
2411 -----BEGIN CERTIFICATE-----
2412 MIIBaTCCAQ6gAwIBAgIBAzAKBggqhkjOPQQDAjASMRAwDgYDVQQDEwdUZXN0IENB
2413 MCAXDTAwMDEwMTAwMDAwMFoYDzIwOTkwMTAxMDAwMDAwWjAZMRcwFQYDVQQDEw5z
2414 ZWNyZXQuZXhhbXBsZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE2uSHFpsAsO
2415 Umse2+S4PC8JZQX+hUKGvo8MhMeLWUOUnO9VPhpcEfzuwfafZRXnOnHXc0eSrVsg
2416 Lx5FPx44h7SjTDBKMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAU8On7ZHsQCOqO
2417 K+RZ7SSHyxlOReMwGQYDVR0RBBIwEIIOc2VjcmV0LmV4YW1wbGUwCgYIKoZIzj0E
2418 AwIDSQAwRgIhAPQdIz1xCFkc9WuSkxOxJDpywZiEp9SnKcxJ9nwrlRp3AiEA+O3+
2419 XRqE7XFhHL+7TNC2a9OOAjQsEF137YPWo+rhgko=
2420 -----END CERTIFICATE-----
2421 )");
2422 ASSERT_TRUE(leaf_secret);
2423
2424 // Use different config IDs so that fuzzer mode, which breaks trial
2425 // decryption, will observe the key mismatch.
2426 bssl::UniquePtr<SSL_ECH_KEYS> keys = MakeTestECHKeys(/*config_id=*/1);
2427 ASSERT_TRUE(keys);
2428 bssl::UniquePtr<SSL_ECH_KEYS> wrong_keys = MakeTestECHKeys(/*config_id=*/2);
2429 ASSERT_TRUE(wrong_keys);
2430 bssl::UniquePtr<SSL_CTX> server_ctx =
2431 CreateContextWithTestCertificate(TLS_method());
2432 ASSERT_TRUE(server_ctx);
2433 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
2434 ASSERT_TRUE(client_ctx);
2435
2436 // Configure the client to verify certificates and expect the secret name.
2437 // This is the name the client is trying to connect to. If ECH is rejected,
2438 // BoringSSL will internally override this setting with the public name.
2439 bssl::UniquePtr<X509_STORE> store(X509_STORE_new());
2440 ASSERT_TRUE(store);
2441 ASSERT_TRUE(X509_STORE_add_cert(store.get(), root.get()));
2442 SSL_CTX_set_cert_store(client_ctx.get(), store.release());
2443 SSL_CTX_set_verify(client_ctx.get(), SSL_VERIFY_PEER, nullptr);
2444 X509_VERIFY_PARAM_set_flags(SSL_CTX_get0_param(client_ctx.get()),
2445 X509_V_FLAG_NO_CHECK_TIME);
2446 static const char kSecretName[] = "secret.example";
2447 ASSERT_TRUE(X509_VERIFY_PARAM_set1_host(SSL_CTX_get0_param(client_ctx.get()),
2448 kSecretName, strlen(kSecretName)));
2449
2450 // For simplicity, we only run through a pair of representative scenarios here
2451 // and rely on runner.go to verify that |SSL_get0_ech_name_override| behaves
2452 // correctly.
2453 for (bool accept_ech : {false, true}) {
2454 SCOPED_TRACE(accept_ech);
2455 for (bool use_leaf_secret : {false, true}) {
2456 SCOPED_TRACE(use_leaf_secret);
2457
2458 // The server will reject ECH when configured with the wrong keys.
2459 ASSERT_TRUE(SSL_CTX_set1_ech_keys(
2460 server_ctx.get(), accept_ech ? keys.get() : wrong_keys.get()));
2461
2462 bssl::UniquePtr<SSL> client, server;
2463 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
2464 server_ctx.get()));
2465 ASSERT_TRUE(InstallECHConfigList(client.get(), keys.get()));
2466
2467 // Configure the server with the selected certificate.
2468 ASSERT_TRUE(SSL_use_certificate(server.get(), use_leaf_secret
2469 ? leaf_secret.get()
2470 : leaf_public.get()));
2471 ASSERT_TRUE(SSL_use_PrivateKey(server.get(), leaf_key.get()));
2472
2473 // The handshake may fail due to name mismatch or ECH reject. We check
2474 // |SSL_get_verify_result| to confirm the handshake got far enough.
2475 CompleteHandshakes(client.get(), server.get());
2476 EXPECT_EQ(accept_ech == use_leaf_secret ? X509_V_OK
2477 : X509_V_ERR_HOSTNAME_MISMATCH,
2478 SSL_get_verify_result(client.get()));
2479 }
2480 }
2481 }
2482
2483 #if defined(OPENSSL_THREADS)
2484 // Test that the server ECH config can be swapped out while the |SSL_CTX| is
2485 // in use on other threads. This test is intended to be run with TSan.
TEST(SSLTest,ECHThreads)2486 TEST(SSLTest, ECHThreads) {
2487 // Generate a pair of ECHConfigs.
2488 bssl::ScopedEVP_HPKE_KEY key1;
2489 ASSERT_TRUE(EVP_HPKE_KEY_generate(key1.get(), EVP_hpke_x25519_hkdf_sha256()));
2490 uint8_t *ech_config1;
2491 size_t ech_config1_len;
2492 ASSERT_TRUE(SSL_marshal_ech_config(&ech_config1, &ech_config1_len,
2493 /*config_id=*/1, key1.get(),
2494 "public.example", 16));
2495 bssl::UniquePtr<uint8_t> free_ech_config1(ech_config1);
2496 bssl::ScopedEVP_HPKE_KEY key2;
2497 ASSERT_TRUE(EVP_HPKE_KEY_generate(key2.get(), EVP_hpke_x25519_hkdf_sha256()));
2498 uint8_t *ech_config2;
2499 size_t ech_config2_len;
2500 ASSERT_TRUE(SSL_marshal_ech_config(&ech_config2, &ech_config2_len,
2501 /*config_id=*/2, key2.get(),
2502 "public.example", 16));
2503 bssl::UniquePtr<uint8_t> free_ech_config2(ech_config2);
2504
2505 // |keys1| contains the first config. |keys12| contains both.
2506 bssl::UniquePtr<SSL_ECH_KEYS> keys1(SSL_ECH_KEYS_new());
2507 ASSERT_TRUE(keys1);
2508 ASSERT_TRUE(SSL_ECH_KEYS_add(keys1.get(), /*is_retry_config=*/1, ech_config1,
2509 ech_config1_len, key1.get()));
2510 bssl::UniquePtr<SSL_ECH_KEYS> keys12(SSL_ECH_KEYS_new());
2511 ASSERT_TRUE(keys12);
2512 ASSERT_TRUE(SSL_ECH_KEYS_add(keys12.get(), /*is_retry_config=*/1, ech_config2,
2513 ech_config2_len, key2.get()));
2514 ASSERT_TRUE(SSL_ECH_KEYS_add(keys12.get(), /*is_retry_config=*/0, ech_config1,
2515 ech_config1_len, key1.get()));
2516
2517 bssl::UniquePtr<SSL_CTX> server_ctx =
2518 CreateContextWithTestCertificate(TLS_method());
2519 ASSERT_TRUE(server_ctx);
2520 ASSERT_TRUE(SSL_CTX_set1_ech_keys(server_ctx.get(), keys1.get()));
2521
2522 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
2523 ASSERT_TRUE(client_ctx);
2524 bssl::UniquePtr<SSL> client, server;
2525 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
2526 server_ctx.get()));
2527 ASSERT_TRUE(InstallECHConfigList(client.get(), keys1.get()));
2528
2529 // In parallel, complete the connection and reconfigure the ECHConfig. Note
2530 // |keys12| supports all the keys in |keys1|, so the handshake should complete
2531 // the same whichever the server uses.
2532 std::vector<std::thread> threads;
2533 threads.emplace_back([&] {
2534 ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
2535 EXPECT_TRUE(SSL_ech_accepted(client.get()));
2536 EXPECT_TRUE(SSL_ech_accepted(server.get()));
2537 });
2538 threads.emplace_back([&] {
2539 EXPECT_TRUE(SSL_CTX_set1_ech_keys(server_ctx.get(), keys12.get()));
2540 });
2541 for (auto &thread : threads) {
2542 thread.join();
2543 }
2544 }
2545 #endif // OPENSSL_THREADS
2546
TEST(SSLTest,TLS13ExporterAvailability)2547 TEST(SSLTest, TLS13ExporterAvailability) {
2548 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
2549 bssl::UniquePtr<SSL_CTX> server_ctx =
2550 CreateContextWithTestCertificate(TLS_method());
2551 ASSERT_TRUE(client_ctx);
2552 ASSERT_TRUE(server_ctx);
2553 // Configure only TLS 1.3.
2554 ASSERT_TRUE(SSL_CTX_set_min_proto_version(client_ctx.get(), TLS1_3_VERSION));
2555 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION));
2556
2557 bssl::UniquePtr<SSL> client, server;
2558 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
2559 server_ctx.get()));
2560
2561 std::vector<uint8_t> buffer(32);
2562 const char *label = "EXPORTER-test-label";
2563
2564 // The exporters are not available before the handshake starts.
2565 EXPECT_FALSE(SSL_export_keying_material(client.get(), buffer.data(),
2566 buffer.size(), label, strlen(label),
2567 nullptr, 0, 0));
2568 EXPECT_FALSE(SSL_export_keying_material(server.get(), buffer.data(),
2569 buffer.size(), label, strlen(label),
2570 nullptr, 0, 0));
2571
2572 // Send the client's first flight of handshake messages.
2573 int client_ret = SSL_do_handshake(client.get());
2574 EXPECT_EQ(SSL_get_error(client.get(), client_ret), SSL_ERROR_WANT_READ);
2575
2576 // The handshake isn't far enough for the exporters to work.
2577 EXPECT_FALSE(SSL_export_keying_material(client.get(), buffer.data(),
2578 buffer.size(), label, strlen(label),
2579 nullptr, 0, 0));
2580 EXPECT_FALSE(SSL_export_keying_material(server.get(), buffer.data(),
2581 buffer.size(), label, strlen(label),
2582 nullptr, 0, 0));
2583
2584 // Send all the server's handshake messages.
2585 int server_ret = SSL_do_handshake(server.get());
2586 EXPECT_EQ(SSL_get_error(server.get(), server_ret), SSL_ERROR_WANT_READ);
2587
2588 // At this point in the handshake, the server should have the exporter key
2589 // derived since it's sent its Finished message. The client hasn't yet
2590 // processed the server's handshake messages, so the exporter shouldn't be
2591 // available to the client.
2592 EXPECT_FALSE(SSL_export_keying_material(client.get(), buffer.data(),
2593 buffer.size(), label, strlen(label),
2594 nullptr, 0, 0));
2595 EXPECT_TRUE(SSL_export_keying_material(server.get(), buffer.data(),
2596 buffer.size(), label, strlen(label),
2597 nullptr, 0, 0));
2598
2599 // Finish the handshake on the client.
2600 EXPECT_EQ(SSL_do_handshake(client.get()), 1);
2601
2602 // The exporter should be available on both endpoints.
2603 EXPECT_TRUE(SSL_export_keying_material(client.get(), buffer.data(),
2604 buffer.size(), label, strlen(label),
2605 nullptr, 0, 0));
2606 EXPECT_TRUE(SSL_export_keying_material(server.get(), buffer.data(),
2607 buffer.size(), label, strlen(label),
2608 nullptr, 0, 0));
2609
2610 // Finish the handshake on the server.
2611 EXPECT_EQ(SSL_do_handshake(server.get()), 1);
2612
2613 // The exporter should still be available on both endpoints.
2614 EXPECT_TRUE(SSL_export_keying_material(client.get(), buffer.data(),
2615 buffer.size(), label, strlen(label),
2616 nullptr, 0, 0));
2617 EXPECT_TRUE(SSL_export_keying_material(server.get(), buffer.data(),
2618 buffer.size(), label, strlen(label),
2619 nullptr, 0, 0));
2620 }
2621
AppendSession(SSL_SESSION * session,void * arg)2622 static void AppendSession(SSL_SESSION *session, void *arg) {
2623 std::vector<SSL_SESSION*> *out =
2624 reinterpret_cast<std::vector<SSL_SESSION*>*>(arg);
2625 out->push_back(session);
2626 }
2627
2628 // CacheEquals returns true if |ctx|'s session cache consists of |expected|, in
2629 // order.
CacheEquals(SSL_CTX * ctx,const std::vector<SSL_SESSION * > & expected)2630 static bool CacheEquals(SSL_CTX *ctx,
2631 const std::vector<SSL_SESSION*> &expected) {
2632 // Check the linked list.
2633 SSL_SESSION *ptr = ctx->session_cache_head;
2634 for (SSL_SESSION *session : expected) {
2635 if (ptr != session) {
2636 return false;
2637 }
2638 // TODO(davidben): This is an absurd way to denote the end of the list.
2639 if (ptr->next ==
2640 reinterpret_cast<SSL_SESSION *>(&ctx->session_cache_tail)) {
2641 ptr = nullptr;
2642 } else {
2643 ptr = ptr->next;
2644 }
2645 }
2646 if (ptr != nullptr) {
2647 return false;
2648 }
2649
2650 // Check the hash table.
2651 std::vector<SSL_SESSION*> actual, expected_copy;
2652 lh_SSL_SESSION_doall_arg(ctx->sessions, AppendSession, &actual);
2653 expected_copy = expected;
2654
2655 std::sort(actual.begin(), actual.end());
2656 std::sort(expected_copy.begin(), expected_copy.end());
2657
2658 return actual == expected_copy;
2659 }
2660
CreateTestSession(uint32_t number)2661 static bssl::UniquePtr<SSL_SESSION> CreateTestSession(uint32_t number) {
2662 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
2663 if (!ssl_ctx) {
2664 return nullptr;
2665 }
2666 bssl::UniquePtr<SSL_SESSION> ret(SSL_SESSION_new(ssl_ctx.get()));
2667 if (!ret) {
2668 return nullptr;
2669 }
2670
2671 uint8_t id[SSL3_SSL_SESSION_ID_LENGTH] = {0};
2672 OPENSSL_memcpy(id, &number, sizeof(number));
2673 if (!SSL_SESSION_set1_id(ret.get(), id, sizeof(id))) {
2674 return nullptr;
2675 }
2676 return ret;
2677 }
2678
2679 // Test that the internal session cache behaves as expected.
TEST(SSLTest,InternalSessionCache)2680 TEST(SSLTest, InternalSessionCache) {
2681 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
2682 ASSERT_TRUE(ctx);
2683
2684 // Prepare 10 test sessions.
2685 std::vector<bssl::UniquePtr<SSL_SESSION>> sessions;
2686 for (int i = 0; i < 10; i++) {
2687 bssl::UniquePtr<SSL_SESSION> session = CreateTestSession(i);
2688 ASSERT_TRUE(session);
2689 sessions.push_back(std::move(session));
2690 }
2691
2692 SSL_CTX_sess_set_cache_size(ctx.get(), 5);
2693
2694 // Insert all the test sessions.
2695 for (const auto &session : sessions) {
2696 ASSERT_TRUE(SSL_CTX_add_session(ctx.get(), session.get()));
2697 }
2698
2699 // Only the last five should be in the list.
2700 ASSERT_TRUE(CacheEquals(
2701 ctx.get(), {sessions[9].get(), sessions[8].get(), sessions[7].get(),
2702 sessions[6].get(), sessions[5].get()}));
2703
2704 // Inserting an element already in the cache should fail and leave the cache
2705 // unchanged.
2706 ASSERT_FALSE(SSL_CTX_add_session(ctx.get(), sessions[7].get()));
2707 ASSERT_TRUE(CacheEquals(
2708 ctx.get(), {sessions[9].get(), sessions[8].get(), sessions[7].get(),
2709 sessions[6].get(), sessions[5].get()}));
2710
2711 // Although collisions should be impossible (256-bit session IDs), the cache
2712 // must handle them gracefully.
2713 bssl::UniquePtr<SSL_SESSION> collision(CreateTestSession(7));
2714 ASSERT_TRUE(collision);
2715 ASSERT_TRUE(SSL_CTX_add_session(ctx.get(), collision.get()));
2716 ASSERT_TRUE(CacheEquals(
2717 ctx.get(), {collision.get(), sessions[9].get(), sessions[8].get(),
2718 sessions[6].get(), sessions[5].get()}));
2719
2720 // Removing sessions behaves correctly.
2721 ASSERT_TRUE(SSL_CTX_remove_session(ctx.get(), sessions[6].get()));
2722 ASSERT_TRUE(CacheEquals(ctx.get(), {collision.get(), sessions[9].get(),
2723 sessions[8].get(), sessions[5].get()}));
2724
2725 // Removing sessions requires an exact match.
2726 ASSERT_FALSE(SSL_CTX_remove_session(ctx.get(), sessions[0].get()));
2727 ASSERT_FALSE(SSL_CTX_remove_session(ctx.get(), sessions[7].get()));
2728
2729 // The cache remains unchanged.
2730 ASSERT_TRUE(CacheEquals(ctx.get(), {collision.get(), sessions[9].get(),
2731 sessions[8].get(), sessions[5].get()}));
2732 }
2733
EpochFromSequence(uint64_t seq)2734 static uint16_t EpochFromSequence(uint64_t seq) {
2735 return static_cast<uint16_t>(seq >> 48);
2736 }
2737
2738 static const uint8_t kTestName[] = {
2739 0x30, 0x45, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
2740 0x02, 0x41, 0x55, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
2741 0x0c, 0x0a, 0x53, 0x6f, 0x6d, 0x65, 0x2d, 0x53, 0x74, 0x61, 0x74, 0x65,
2742 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x18, 0x49,
2743 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x20, 0x57, 0x69, 0x64, 0x67,
2744 0x69, 0x74, 0x73, 0x20, 0x50, 0x74, 0x79, 0x20, 0x4c, 0x74, 0x64,
2745 };
2746
2747 // SSLVersionTest executes its test cases under all available protocol versions.
2748 // Test cases call |Connect| to create a connection using context objects with
2749 // the protocol version fixed to the current version under test.
2750 class SSLVersionTest : public ::testing::TestWithParam<VersionParam> {
2751 protected:
SSLVersionTest()2752 SSLVersionTest() : cert_(GetTestCertificate()), key_(GetTestKey()) {}
2753
SetUp()2754 void SetUp() { ResetContexts(); }
2755
CreateContext() const2756 bssl::UniquePtr<SSL_CTX> CreateContext() const {
2757 const SSL_METHOD *method = is_dtls() ? DTLS_method() : TLS_method();
2758 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method));
2759 if (!ctx || !SSL_CTX_set_min_proto_version(ctx.get(), version()) ||
2760 !SSL_CTX_set_max_proto_version(ctx.get(), version())) {
2761 return nullptr;
2762 }
2763 return ctx;
2764 }
2765
ResetContexts()2766 void ResetContexts() {
2767 ASSERT_TRUE(cert_);
2768 ASSERT_TRUE(key_);
2769 client_ctx_ = CreateContext();
2770 ASSERT_TRUE(client_ctx_);
2771 server_ctx_ = CreateContext();
2772 ASSERT_TRUE(server_ctx_);
2773 // Set up a server cert. Client certs can be set up explicitly.
2774 ASSERT_TRUE(UseCertAndKey(server_ctx_.get()));
2775 }
2776
UseCertAndKey(SSL_CTX * ctx) const2777 bool UseCertAndKey(SSL_CTX *ctx) const {
2778 return SSL_CTX_use_certificate(ctx, cert_.get()) &&
2779 SSL_CTX_use_PrivateKey(ctx, key_.get());
2780 }
2781
Connect(const ClientConfig & config=ClientConfig ())2782 bool Connect(const ClientConfig &config = ClientConfig()) {
2783 return ConnectClientAndServer(&client_, &server_, client_ctx_.get(),
2784 server_ctx_.get(), config,
2785 shed_handshake_config_);
2786 }
2787
version() const2788 uint16_t version() const { return GetParam().version; }
2789
is_dtls() const2790 bool is_dtls() const {
2791 return GetParam().ssl_method == VersionParam::is_dtls;
2792 }
2793
2794 bool shed_handshake_config_ = true;
2795 bssl::UniquePtr<SSL> client_, server_;
2796 bssl::UniquePtr<SSL_CTX> server_ctx_, client_ctx_;
2797 bssl::UniquePtr<X509> cert_;
2798 bssl::UniquePtr<EVP_PKEY> key_;
2799 };
2800
2801 INSTANTIATE_TEST_SUITE_P(WithVersion, SSLVersionTest,
2802 testing::ValuesIn(kAllVersions),
__anon628ae4a40a02(const testing::TestParamInfo<VersionParam> &i) 2803 [](const testing::TestParamInfo<VersionParam> &i) {
2804 return i.param.name;
2805 });
2806
TEST_P(SSLVersionTest,SequenceNumber)2807 TEST_P(SSLVersionTest, SequenceNumber) {
2808 ASSERT_TRUE(Connect());
2809
2810 // Drain any post-handshake messages to ensure there are no unread records
2811 // on either end.
2812 ASSERT_TRUE(FlushNewSessionTickets(client_.get(), server_.get()));
2813
2814 uint64_t client_read_seq = SSL_get_read_sequence(client_.get());
2815 uint64_t client_write_seq = SSL_get_write_sequence(client_.get());
2816 uint64_t server_read_seq = SSL_get_read_sequence(server_.get());
2817 uint64_t server_write_seq = SSL_get_write_sequence(server_.get());
2818
2819 if (is_dtls()) {
2820 // Both client and server must be at epoch 1.
2821 EXPECT_EQ(EpochFromSequence(client_read_seq), 1);
2822 EXPECT_EQ(EpochFromSequence(client_write_seq), 1);
2823 EXPECT_EQ(EpochFromSequence(server_read_seq), 1);
2824 EXPECT_EQ(EpochFromSequence(server_write_seq), 1);
2825
2826 // The next record to be written should exceed the largest received.
2827 EXPECT_GT(client_write_seq, server_read_seq);
2828 EXPECT_GT(server_write_seq, client_read_seq);
2829 } else {
2830 // The next record to be written should equal the next to be received.
2831 EXPECT_EQ(client_write_seq, server_read_seq);
2832 EXPECT_EQ(server_write_seq, client_read_seq);
2833 }
2834
2835 // Send a record from client to server.
2836 uint8_t byte = 0;
2837 EXPECT_EQ(SSL_write(client_.get(), &byte, 1), 1);
2838 EXPECT_EQ(SSL_read(server_.get(), &byte, 1), 1);
2839
2840 // The client write and server read sequence numbers should have
2841 // incremented.
2842 EXPECT_EQ(client_write_seq + 1, SSL_get_write_sequence(client_.get()));
2843 EXPECT_EQ(server_read_seq + 1, SSL_get_read_sequence(server_.get()));
2844 }
2845
TEST_P(SSLVersionTest,OneSidedShutdown)2846 TEST_P(SSLVersionTest, OneSidedShutdown) {
2847 // SSL_shutdown is a no-op in DTLS.
2848 if (is_dtls()) {
2849 return;
2850 }
2851 ASSERT_TRUE(Connect());
2852
2853 // Shut down half the connection. |SSL_shutdown| will return 0 to signal only
2854 // one side has shut down.
2855 ASSERT_EQ(SSL_shutdown(client_.get()), 0);
2856
2857 // Reading from the server should consume the EOF.
2858 uint8_t byte;
2859 ASSERT_EQ(SSL_read(server_.get(), &byte, 1), 0);
2860 ASSERT_EQ(SSL_get_error(server_.get(), 0), SSL_ERROR_ZERO_RETURN);
2861
2862 // However, the server may continue to write data and then shut down the
2863 // connection.
2864 byte = 42;
2865 ASSERT_EQ(SSL_write(server_.get(), &byte, 1), 1);
2866 ASSERT_EQ(SSL_read(client_.get(), &byte, 1), 1);
2867 ASSERT_EQ(byte, 42);
2868
2869 // The server may then shutdown the connection.
2870 EXPECT_EQ(SSL_shutdown(server_.get()), 1);
2871 EXPECT_EQ(SSL_shutdown(client_.get()), 1);
2872 }
2873
2874 // Test that, after calling |SSL_shutdown|, |SSL_write| fails.
TEST_P(SSLVersionTest,WriteAfterShutdown)2875 TEST_P(SSLVersionTest, WriteAfterShutdown) {
2876 ASSERT_TRUE(Connect());
2877
2878 for (SSL *ssl : {client_.get(), server_.get()}) {
2879 SCOPED_TRACE(SSL_is_server(ssl) ? "server" : "client");
2880
2881 bssl::UniquePtr<BIO> mem(BIO_new(BIO_s_mem()));
2882 ASSERT_TRUE(mem);
2883 SSL_set0_wbio(ssl, bssl::UpRef(mem).release());
2884
2885 // Shut down half the connection. |SSL_shutdown| will return 0 to signal
2886 // only one side has shut down.
2887 ASSERT_EQ(SSL_shutdown(ssl), 0);
2888
2889 // |ssl| should have written an alert to the transport.
2890 const uint8_t *unused;
2891 size_t len;
2892 ASSERT_TRUE(BIO_mem_contents(mem.get(), &unused, &len));
2893 EXPECT_NE(0u, len);
2894 EXPECT_TRUE(BIO_reset(mem.get()));
2895
2896 // Writing should fail.
2897 EXPECT_EQ(-1, SSL_write(ssl, "a", 1));
2898
2899 // Nothing should be written to the transport.
2900 ASSERT_TRUE(BIO_mem_contents(mem.get(), &unused, &len));
2901 EXPECT_EQ(0u, len);
2902 }
2903 }
2904
2905 // Test that, after sending a fatal alert in a failed |SSL_read|, |SSL_write|
2906 // fails.
TEST_P(SSLVersionTest,WriteAfterReadSentFatalAlert)2907 TEST_P(SSLVersionTest, WriteAfterReadSentFatalAlert) {
2908 // Decryption failures are not fatal in DTLS.
2909 if (is_dtls()) {
2910 return;
2911 }
2912
2913 ASSERT_TRUE(Connect());
2914
2915 // Save the write |BIO|s as the test will overwrite them.
2916 bssl::UniquePtr<BIO> client_wbio = bssl::UpRef(SSL_get_wbio(client_.get()));
2917 bssl::UniquePtr<BIO> server_wbio = bssl::UpRef(SSL_get_wbio(server_.get()));
2918
2919 for (bool test_server : {false, true}) {
2920 SCOPED_TRACE(test_server ? "server" : "client");
2921 SSL *ssl = test_server ? server_.get() : client_.get();
2922 BIO *other_wbio = test_server ? client_wbio.get() : server_wbio.get();
2923
2924 bssl::UniquePtr<BIO> mem(BIO_new(BIO_s_mem()));
2925 ASSERT_TRUE(mem);
2926 SSL_set0_wbio(ssl, bssl::UpRef(mem).release());
2927
2928 // Read an invalid record from the peer.
2929 static const uint8_t kInvalidRecord[] = "invalid record";
2930 EXPECT_EQ(int{sizeof(kInvalidRecord)},
2931 BIO_write(other_wbio, kInvalidRecord, sizeof(kInvalidRecord)));
2932 char buf[256];
2933 EXPECT_EQ(-1, SSL_read(ssl, buf, sizeof(buf)));
2934
2935 // |ssl| should have written an alert to the transport.
2936 const uint8_t *unused;
2937 size_t len;
2938 ASSERT_TRUE(BIO_mem_contents(mem.get(), &unused, &len));
2939 EXPECT_NE(0u, len);
2940 EXPECT_TRUE(BIO_reset(mem.get()));
2941
2942 // Writing should fail.
2943 EXPECT_EQ(-1, SSL_write(ssl, "a", 1));
2944
2945 // Nothing should be written to the transport.
2946 ASSERT_TRUE(BIO_mem_contents(mem.get(), &unused, &len));
2947 EXPECT_EQ(0u, len);
2948 }
2949 }
2950
2951 // Test that, after sending a fatal alert from the handshake, |SSL_write| fails.
TEST_P(SSLVersionTest,WriteAfterHandshakeSentFatalAlert)2952 TEST_P(SSLVersionTest, WriteAfterHandshakeSentFatalAlert) {
2953 for (bool test_server : {false, true}) {
2954 SCOPED_TRACE(test_server ? "server" : "client");
2955
2956 bssl::UniquePtr<SSL> ssl(
2957 SSL_new(test_server ? server_ctx_.get() : client_ctx_.get()));
2958 ASSERT_TRUE(ssl);
2959 if (test_server) {
2960 SSL_set_accept_state(ssl.get());
2961 } else {
2962 SSL_set_connect_state(ssl.get());
2963 }
2964
2965 std::vector<uint8_t> invalid;
2966 if (is_dtls()) {
2967 // In DTLS, invalid records are discarded. To cause the handshake to fail,
2968 // use a valid handshake record with invalid contents.
2969 invalid.push_back(SSL3_RT_HANDSHAKE);
2970 invalid.push_back(DTLS1_VERSION >> 8);
2971 invalid.push_back(DTLS1_VERSION & 0xff);
2972 // epoch and sequence_number
2973 for (int i = 0; i < 8; i++) {
2974 invalid.push_back(0);
2975 }
2976 // A one-byte fragment is invalid.
2977 invalid.push_back(0);
2978 invalid.push_back(1);
2979 // Arbitrary contents.
2980 invalid.push_back(0);
2981 } else {
2982 invalid = {'i', 'n', 'v', 'a', 'l', 'i', 'd'};
2983 }
2984 bssl::UniquePtr<BIO> rbio(
2985 BIO_new_mem_buf(invalid.data(), invalid.size()));
2986 ASSERT_TRUE(rbio);
2987 SSL_set0_rbio(ssl.get(), rbio.release());
2988
2989 bssl::UniquePtr<BIO> mem(BIO_new(BIO_s_mem()));
2990 ASSERT_TRUE(mem);
2991 SSL_set0_wbio(ssl.get(), bssl::UpRef(mem).release());
2992
2993 // The handshake should fail.
2994 EXPECT_EQ(-1, SSL_do_handshake(ssl.get()));
2995 EXPECT_EQ(SSL_ERROR_SSL, SSL_get_error(ssl.get(), -1));
2996 uint32_t err = ERR_get_error();
2997
2998 // |ssl| should have written an alert (and, in the client's case, a
2999 // ClientHello) to the transport.
3000 const uint8_t *unused;
3001 size_t len;
3002 ASSERT_TRUE(BIO_mem_contents(mem.get(), &unused, &len));
3003 EXPECT_NE(0u, len);
3004 EXPECT_TRUE(BIO_reset(mem.get()));
3005
3006 // Writing should fail, with the same error as the handshake.
3007 EXPECT_EQ(-1, SSL_write(ssl.get(), "a", 1));
3008 EXPECT_EQ(SSL_ERROR_SSL, SSL_get_error(ssl.get(), -1));
3009 EXPECT_EQ(err, ERR_get_error());
3010
3011 // Nothing should be written to the transport.
3012 ASSERT_TRUE(BIO_mem_contents(mem.get(), &unused, &len));
3013 EXPECT_EQ(0u, len);
3014 }
3015 }
3016
3017 // Test that, after seeing TLS 1.2 in response to early data, |SSL_write|
3018 // continues to report |SSL_R_WRONG_VERSION_ON_EARLY_DATA|. See
3019 // https://crbug.com/1078515.
TEST(SSLTest,WriteAfterWrongVersionOnEarlyData)3020 TEST(SSLTest, WriteAfterWrongVersionOnEarlyData) {
3021 // Set up some 0-RTT-enabled contexts.
3022 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
3023 bssl::UniquePtr<SSL_CTX> server_ctx =
3024 CreateContextWithTestCertificate(TLS_method());
3025 ASSERT_TRUE(client_ctx);
3026 ASSERT_TRUE(server_ctx);
3027 SSL_CTX_set_early_data_enabled(client_ctx.get(), 1);
3028 SSL_CTX_set_early_data_enabled(server_ctx.get(), 1);
3029 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
3030 SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH);
3031
3032 // Get an early-data-capable session.
3033 bssl::UniquePtr<SSL_SESSION> session =
3034 CreateClientSession(client_ctx.get(), server_ctx.get());
3035 ASSERT_TRUE(session);
3036 EXPECT_TRUE(SSL_SESSION_early_data_capable(session.get()));
3037
3038 // Offer the session to the server, but now the server speaks TLS 1.2.
3039 bssl::UniquePtr<SSL> client, server;
3040 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
3041 server_ctx.get()));
3042 SSL_set_session(client.get(), session.get());
3043 EXPECT_TRUE(SSL_set_max_proto_version(server.get(), TLS1_2_VERSION));
3044
3045 // The client handshake initially succeeds in the early data state.
3046 EXPECT_EQ(1, SSL_do_handshake(client.get()));
3047 EXPECT_TRUE(SSL_in_early_data(client.get()));
3048
3049 // The server processes the ClientHello and negotiates TLS 1.2.
3050 EXPECT_EQ(-1, SSL_do_handshake(server.get()));
3051 EXPECT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(server.get(), -1));
3052 EXPECT_EQ(TLS1_2_VERSION, SSL_version(server.get()));
3053
3054 // Capture the client's output.
3055 bssl::UniquePtr<BIO> mem(BIO_new(BIO_s_mem()));
3056 ASSERT_TRUE(mem);
3057 SSL_set0_wbio(client.get(), bssl::UpRef(mem).release());
3058
3059 // The client processes the ServerHello and fails.
3060 EXPECT_EQ(-1, SSL_do_handshake(client.get()));
3061 EXPECT_EQ(SSL_ERROR_SSL, SSL_get_error(client.get(), -1));
3062 EXPECT_TRUE(ErrorEquals(ERR_get_error(), ERR_LIB_SSL,
3063 SSL_R_WRONG_VERSION_ON_EARLY_DATA));
3064
3065 // The client should have written an alert to the transport.
3066 const uint8_t *unused;
3067 size_t len;
3068 ASSERT_TRUE(BIO_mem_contents(mem.get(), &unused, &len));
3069 EXPECT_NE(0u, len);
3070 EXPECT_TRUE(BIO_reset(mem.get()));
3071
3072 // Writing should fail, with the same error as the handshake.
3073 EXPECT_EQ(-1, SSL_write(client.get(), "a", 1));
3074 EXPECT_EQ(SSL_ERROR_SSL, SSL_get_error(client.get(), -1));
3075 EXPECT_TRUE(ErrorEquals(ERR_get_error(), ERR_LIB_SSL,
3076 SSL_R_WRONG_VERSION_ON_EARLY_DATA));
3077
3078 // Nothing should be written to the transport.
3079 ASSERT_TRUE(BIO_mem_contents(mem.get(), &unused, &len));
3080 EXPECT_EQ(0u, len);
3081 }
3082
TEST(SSLTest,SessionDuplication)3083 TEST(SSLTest, SessionDuplication) {
3084 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
3085 bssl::UniquePtr<SSL_CTX> server_ctx =
3086 CreateContextWithTestCertificate(TLS_method());
3087 ASSERT_TRUE(client_ctx);
3088 ASSERT_TRUE(server_ctx);
3089
3090 bssl::UniquePtr<SSL> client, server;
3091 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
3092 server_ctx.get()));
3093
3094 SSL_SESSION *session0 = SSL_get_session(client.get());
3095 bssl::UniquePtr<SSL_SESSION> session1 =
3096 bssl::SSL_SESSION_dup(session0, SSL_SESSION_DUP_ALL);
3097 ASSERT_TRUE(session1);
3098
3099 session1->not_resumable = false;
3100
3101 uint8_t *s0_bytes, *s1_bytes;
3102 size_t s0_len, s1_len;
3103
3104 ASSERT_TRUE(SSL_SESSION_to_bytes(session0, &s0_bytes, &s0_len));
3105 bssl::UniquePtr<uint8_t> free_s0(s0_bytes);
3106
3107 ASSERT_TRUE(SSL_SESSION_to_bytes(session1.get(), &s1_bytes, &s1_len));
3108 bssl::UniquePtr<uint8_t> free_s1(s1_bytes);
3109
3110 EXPECT_EQ(Bytes(s0_bytes, s0_len), Bytes(s1_bytes, s1_len));
3111 }
3112
ExpectFDs(const SSL * ssl,int rfd,int wfd)3113 static void ExpectFDs(const SSL *ssl, int rfd, int wfd) {
3114 EXPECT_EQ(rfd, SSL_get_fd(ssl));
3115 EXPECT_EQ(rfd, SSL_get_rfd(ssl));
3116 EXPECT_EQ(wfd, SSL_get_wfd(ssl));
3117
3118 // The wrapper BIOs are always equal when fds are equal, even if set
3119 // individually.
3120 if (rfd == wfd) {
3121 EXPECT_EQ(SSL_get_rbio(ssl), SSL_get_wbio(ssl));
3122 }
3123 }
3124
TEST(SSLTest,SetFD)3125 TEST(SSLTest, SetFD) {
3126 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
3127 ASSERT_TRUE(ctx);
3128
3129 // Test setting different read and write FDs.
3130 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
3131 ASSERT_TRUE(ssl);
3132 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
3133 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 2));
3134 ExpectFDs(ssl.get(), 1, 2);
3135
3136 // Test setting the same FD.
3137 ssl.reset(SSL_new(ctx.get()));
3138 ASSERT_TRUE(ssl);
3139 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
3140 ExpectFDs(ssl.get(), 1, 1);
3141
3142 // Test setting the same FD one side at a time.
3143 ssl.reset(SSL_new(ctx.get()));
3144 ASSERT_TRUE(ssl);
3145 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
3146 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 1));
3147 ExpectFDs(ssl.get(), 1, 1);
3148
3149 // Test setting the same FD in the other order.
3150 ssl.reset(SSL_new(ctx.get()));
3151 ASSERT_TRUE(ssl);
3152 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 1));
3153 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
3154 ExpectFDs(ssl.get(), 1, 1);
3155
3156 // Test changing the read FD partway through.
3157 ssl.reset(SSL_new(ctx.get()));
3158 ASSERT_TRUE(ssl);
3159 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
3160 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 2));
3161 ExpectFDs(ssl.get(), 2, 1);
3162
3163 // Test changing the write FD partway through.
3164 ssl.reset(SSL_new(ctx.get()));
3165 ASSERT_TRUE(ssl);
3166 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
3167 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 2));
3168 ExpectFDs(ssl.get(), 1, 2);
3169
3170 // Test a no-op change to the read FD partway through.
3171 ssl.reset(SSL_new(ctx.get()));
3172 ASSERT_TRUE(ssl);
3173 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
3174 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
3175 ExpectFDs(ssl.get(), 1, 1);
3176
3177 // Test a no-op change to the write FD partway through.
3178 ssl.reset(SSL_new(ctx.get()));
3179 ASSERT_TRUE(ssl);
3180 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
3181 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 1));
3182 ExpectFDs(ssl.get(), 1, 1);
3183
3184 // ASan builds will implicitly test that the internal |BIO| reference-counting
3185 // is correct.
3186 }
3187
TEST(SSLTest,SetBIO)3188 TEST(SSLTest, SetBIO) {
3189 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
3190 ASSERT_TRUE(ctx);
3191
3192 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
3193 bssl::UniquePtr<BIO> bio1(BIO_new(BIO_s_mem())), bio2(BIO_new(BIO_s_mem())),
3194 bio3(BIO_new(BIO_s_mem()));
3195 ASSERT_TRUE(ssl);
3196 ASSERT_TRUE(bio1);
3197 ASSERT_TRUE(bio2);
3198 ASSERT_TRUE(bio3);
3199
3200 // SSL_set_bio takes one reference when the parameters are the same.
3201 BIO_up_ref(bio1.get());
3202 SSL_set_bio(ssl.get(), bio1.get(), bio1.get());
3203
3204 // Repeating the call does nothing.
3205 SSL_set_bio(ssl.get(), bio1.get(), bio1.get());
3206
3207 // It takes one reference each when the parameters are different.
3208 BIO_up_ref(bio2.get());
3209 BIO_up_ref(bio3.get());
3210 SSL_set_bio(ssl.get(), bio2.get(), bio3.get());
3211
3212 // Repeating the call does nothing.
3213 SSL_set_bio(ssl.get(), bio2.get(), bio3.get());
3214
3215 // It takes one reference when changing only wbio.
3216 BIO_up_ref(bio1.get());
3217 SSL_set_bio(ssl.get(), bio2.get(), bio1.get());
3218
3219 // It takes one reference when changing only rbio and the two are different.
3220 BIO_up_ref(bio3.get());
3221 SSL_set_bio(ssl.get(), bio3.get(), bio1.get());
3222
3223 // If setting wbio to rbio, it takes no additional references.
3224 SSL_set_bio(ssl.get(), bio3.get(), bio3.get());
3225
3226 // From there, wbio may be switched to something else.
3227 BIO_up_ref(bio1.get());
3228 SSL_set_bio(ssl.get(), bio3.get(), bio1.get());
3229
3230 // If setting rbio to wbio, it takes no additional references.
3231 SSL_set_bio(ssl.get(), bio1.get(), bio1.get());
3232
3233 // From there, rbio may be switched to something else, but, for historical
3234 // reasons, it takes a reference to both parameters.
3235 BIO_up_ref(bio1.get());
3236 BIO_up_ref(bio2.get());
3237 SSL_set_bio(ssl.get(), bio2.get(), bio1.get());
3238
3239 // ASAN builds will implicitly test that the internal |BIO| reference-counting
3240 // is correct.
3241 }
3242
VerifySucceed(X509_STORE_CTX * store_ctx,void * arg)3243 static int VerifySucceed(X509_STORE_CTX *store_ctx, void *arg) { return 1; }
3244
TEST_P(SSLVersionTest,GetPeerCertificate)3245 TEST_P(SSLVersionTest, GetPeerCertificate) {
3246 ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
3247
3248 // Configure both client and server to accept any certificate.
3249 SSL_CTX_set_verify(client_ctx_.get(),
3250 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
3251 nullptr);
3252 SSL_CTX_set_cert_verify_callback(client_ctx_.get(), VerifySucceed, NULL);
3253 SSL_CTX_set_verify(server_ctx_.get(),
3254 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
3255 nullptr);
3256 SSL_CTX_set_cert_verify_callback(server_ctx_.get(), VerifySucceed, NULL);
3257
3258 ASSERT_TRUE(Connect());
3259
3260 // Client and server should both see the leaf certificate.
3261 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(server_.get()));
3262 ASSERT_TRUE(peer);
3263 ASSERT_EQ(X509_cmp(cert_.get(), peer.get()), 0);
3264
3265 peer.reset(SSL_get_peer_certificate(client_.get()));
3266 ASSERT_TRUE(peer);
3267 ASSERT_EQ(X509_cmp(cert_.get(), peer.get()), 0);
3268
3269 // However, for historical reasons, the X509 chain includes the leaf on the
3270 // client, but does not on the server.
3271 EXPECT_EQ(sk_X509_num(SSL_get_peer_cert_chain(client_.get())), 1u);
3272 EXPECT_EQ(sk_CRYPTO_BUFFER_num(SSL_get0_peer_certificates(client_.get())),
3273 1u);
3274
3275 EXPECT_EQ(sk_X509_num(SSL_get_peer_cert_chain(server_.get())), 0u);
3276 EXPECT_EQ(sk_CRYPTO_BUFFER_num(SSL_get0_peer_certificates(server_.get())),
3277 1u);
3278 }
3279
TEST_P(SSLVersionTest,NoPeerCertificate)3280 TEST_P(SSLVersionTest, NoPeerCertificate) {
3281 SSL_CTX_set_verify(server_ctx_.get(), SSL_VERIFY_PEER, nullptr);
3282 SSL_CTX_set_cert_verify_callback(server_ctx_.get(), VerifySucceed, NULL);
3283 SSL_CTX_set_cert_verify_callback(client_ctx_.get(), VerifySucceed, NULL);
3284
3285 ASSERT_TRUE(Connect());
3286
3287 // Server should not see a peer certificate.
3288 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(server_.get()));
3289 ASSERT_FALSE(peer);
3290 ASSERT_FALSE(SSL_get0_peer_certificates(server_.get()));
3291 }
3292
TEST_P(SSLVersionTest,RetainOnlySHA256OfCerts)3293 TEST_P(SSLVersionTest, RetainOnlySHA256OfCerts) {
3294 uint8_t *cert_der = NULL;
3295 int cert_der_len = i2d_X509(cert_.get(), &cert_der);
3296 ASSERT_GE(cert_der_len, 0);
3297 bssl::UniquePtr<uint8_t> free_cert_der(cert_der);
3298
3299 uint8_t cert_sha256[SHA256_DIGEST_LENGTH];
3300 SHA256(cert_der, cert_der_len, cert_sha256);
3301
3302 ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
3303
3304 // Configure both client and server to accept any certificate, but the
3305 // server must retain only the SHA-256 of the peer.
3306 SSL_CTX_set_verify(client_ctx_.get(),
3307 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
3308 nullptr);
3309 SSL_CTX_set_verify(server_ctx_.get(),
3310 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
3311 nullptr);
3312 SSL_CTX_set_cert_verify_callback(client_ctx_.get(), VerifySucceed, NULL);
3313 SSL_CTX_set_cert_verify_callback(server_ctx_.get(), VerifySucceed, NULL);
3314 SSL_CTX_set_retain_only_sha256_of_client_certs(server_ctx_.get(), 1);
3315
3316 ASSERT_TRUE(Connect());
3317
3318 // The peer certificate has been dropped.
3319 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(server_.get()));
3320 EXPECT_FALSE(peer);
3321
3322 SSL_SESSION *session = SSL_get_session(server_.get());
3323 EXPECT_TRUE(SSL_SESSION_has_peer_sha256(session));
3324
3325 const uint8_t *peer_sha256;
3326 size_t peer_sha256_len;
3327 SSL_SESSION_get0_peer_sha256(session, &peer_sha256, &peer_sha256_len);
3328 EXPECT_EQ(Bytes(cert_sha256), Bytes(peer_sha256, peer_sha256_len));
3329 }
3330
3331 // Tests that our ClientHellos do not change unexpectedly. These are purely
3332 // change detection tests. If they fail as part of an intentional ClientHello
3333 // change, update the test vector.
TEST(SSLTest,ClientHello)3334 TEST(SSLTest, ClientHello) {
3335 struct {
3336 uint16_t max_version;
3337 std::vector<uint8_t> expected;
3338 } kTests[] = {
3339 {TLS1_VERSION,
3340 {0x16, 0x03, 0x01, 0x00, 0x58, 0x01, 0x00, 0x00, 0x54, 0x03, 0x01, 0x00,
3341 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3342 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3343 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0c, 0xc0, 0x09,
3344 0xc0, 0x13, 0xc0, 0x0a, 0xc0, 0x14, 0x00, 0x2f, 0x00, 0x35, 0x01, 0x00,
3345 0x00, 0x1f, 0x00, 0x17, 0x00, 0x00, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00,
3346 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00,
3347 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00}},
3348 {TLS1_1_VERSION,
3349 {0x16, 0x03, 0x01, 0x00, 0x58, 0x01, 0x00, 0x00, 0x54, 0x03, 0x02, 0x00,
3350 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3351 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3352 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0c, 0xc0, 0x09,
3353 0xc0, 0x13, 0xc0, 0x0a, 0xc0, 0x14, 0x00, 0x2f, 0x00, 0x35, 0x01, 0x00,
3354 0x00, 0x1f, 0x00, 0x17, 0x00, 0x00, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00,
3355 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00,
3356 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00}},
3357 {TLS1_2_VERSION,
3358 {0x16, 0x03, 0x01, 0x00, 0x80, 0x01, 0x00, 0x00, 0x7c, 0x03, 0x03, 0x00,
3359 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3360 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3361 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1c, 0xcc, 0xa9,
3362 0xcc, 0xa8, 0xc0, 0x2b, 0xc0, 0x2f, 0xc0, 0x2c, 0xc0, 0x30, 0xc0, 0x09,
3363 0xc0, 0x13, 0xc0, 0x0a, 0xc0, 0x14, 0x00, 0x9c, 0x00, 0x9d, 0x00, 0x2f,
3364 0x00, 0x35, 0x01, 0x00, 0x00, 0x37, 0x00, 0x17, 0x00, 0x00, 0xff, 0x01,
3365 0x00, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00,
3366 0x17, 0x00, 0x18, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00,
3367 0x00, 0x00, 0x0d, 0x00, 0x14, 0x00, 0x12, 0x04, 0x03, 0x08, 0x04, 0x04,
3368 0x01, 0x05, 0x03, 0x08, 0x05, 0x05, 0x01, 0x08, 0x06, 0x06, 0x01, 0x02,
3369 0x01}},
3370 // TODO(davidben): Add a change detector for TLS 1.3 once the spec and our
3371 // implementation has settled enough that it won't change.
3372 };
3373
3374 for (const auto &t : kTests) {
3375 SCOPED_TRACE(t.max_version);
3376
3377 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
3378 ASSERT_TRUE(ctx);
3379 // Our default cipher list varies by CPU capabilities, so manually place the
3380 // ChaCha20 ciphers in front.
3381 const char *cipher_list = "CHACHA20:ALL";
3382 ASSERT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), t.max_version));
3383 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(ctx.get(), cipher_list));
3384
3385 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
3386 ASSERT_TRUE(ssl);
3387 std::vector<uint8_t> client_hello;
3388 ASSERT_TRUE(GetClientHello(ssl.get(), &client_hello));
3389
3390 // Zero the client_random.
3391 constexpr size_t kRandomOffset = 1 + 2 + 2 + // record header
3392 1 + 3 + // handshake message header
3393 2; // client_version
3394 ASSERT_GE(client_hello.size(), kRandomOffset + SSL3_RANDOM_SIZE);
3395 OPENSSL_memset(client_hello.data() + kRandomOffset, 0, SSL3_RANDOM_SIZE);
3396
3397 if (client_hello != t.expected) {
3398 ADD_FAILURE() << "ClientHellos did not match.";
3399 // Print the value manually so it is easier to update the test vector.
3400 for (size_t i = 0; i < client_hello.size(); i += 12) {
3401 printf(" %c", i == 0 ? '{' : ' ');
3402 for (size_t j = i; j < client_hello.size() && j < i + 12; j++) {
3403 if (j > i) {
3404 printf(" ");
3405 }
3406 printf("0x%02x", client_hello[j]);
3407 if (j < client_hello.size() - 1) {
3408 printf(",");
3409 }
3410 }
3411 if (i + 12 >= client_hello.size()) {
3412 printf("}},");
3413 }
3414 printf("\n");
3415 }
3416 }
3417 }
3418 }
3419
ExpectSessionReused(SSL_CTX * client_ctx,SSL_CTX * server_ctx,SSL_SESSION * session,bool want_reused)3420 static void ExpectSessionReused(SSL_CTX *client_ctx, SSL_CTX *server_ctx,
3421 SSL_SESSION *session, bool want_reused) {
3422 bssl::UniquePtr<SSL> client, server;
3423 ClientConfig config;
3424 config.session = session;
3425 ASSERT_TRUE(
3426 ConnectClientAndServer(&client, &server, client_ctx, server_ctx, config));
3427
3428 EXPECT_EQ(SSL_session_reused(client.get()), SSL_session_reused(server.get()));
3429
3430 bool was_reused = !!SSL_session_reused(client.get());
3431 EXPECT_EQ(was_reused, want_reused);
3432 }
3433
ExpectSessionRenewed(SSL_CTX * client_ctx,SSL_CTX * server_ctx,SSL_SESSION * session)3434 static bssl::UniquePtr<SSL_SESSION> ExpectSessionRenewed(SSL_CTX *client_ctx,
3435 SSL_CTX *server_ctx,
3436 SSL_SESSION *session) {
3437 g_last_session = nullptr;
3438 SSL_CTX_sess_set_new_cb(client_ctx, SaveLastSession);
3439
3440 bssl::UniquePtr<SSL> client, server;
3441 ClientConfig config;
3442 config.session = session;
3443 if (!ConnectClientAndServer(&client, &server, client_ctx, server_ctx,
3444 config) ||
3445 !FlushNewSessionTickets(client.get(), server.get())) {
3446 fprintf(stderr, "Failed to connect client and server.\n");
3447 return nullptr;
3448 }
3449
3450 if (SSL_session_reused(client.get()) != SSL_session_reused(server.get())) {
3451 fprintf(stderr, "Client and server were inconsistent.\n");
3452 return nullptr;
3453 }
3454
3455 if (!SSL_session_reused(client.get())) {
3456 fprintf(stderr, "Session was not reused.\n");
3457 return nullptr;
3458 }
3459
3460 SSL_CTX_sess_set_new_cb(client_ctx, nullptr);
3461
3462 if (!g_last_session) {
3463 fprintf(stderr, "Client did not receive a renewed session.\n");
3464 return nullptr;
3465 }
3466 return std::move(g_last_session);
3467 }
3468
ExpectTicketKeyChanged(SSL_CTX * ctx,uint8_t * inout_key,bool changed)3469 static void ExpectTicketKeyChanged(SSL_CTX *ctx, uint8_t *inout_key,
3470 bool changed) {
3471 uint8_t new_key[kTicketKeyLen];
3472 // May return 0, 1 or 48.
3473 ASSERT_EQ(SSL_CTX_get_tlsext_ticket_keys(ctx, new_key, kTicketKeyLen), 1);
3474 if (changed) {
3475 ASSERT_NE(Bytes(inout_key, kTicketKeyLen), Bytes(new_key));
3476 } else {
3477 ASSERT_EQ(Bytes(inout_key, kTicketKeyLen), Bytes(new_key));
3478 }
3479 OPENSSL_memcpy(inout_key, new_key, kTicketKeyLen);
3480 }
3481
SwitchSessionIDContextSNI(SSL * ssl,int * out_alert,void * arg)3482 static int SwitchSessionIDContextSNI(SSL *ssl, int *out_alert, void *arg) {
3483 static const uint8_t kContext[] = {3};
3484
3485 if (!SSL_set_session_id_context(ssl, kContext, sizeof(kContext))) {
3486 return SSL_TLSEXT_ERR_ALERT_FATAL;
3487 }
3488
3489 return SSL_TLSEXT_ERR_OK;
3490 }
3491
TEST_P(SSLVersionTest,SessionIDContext)3492 TEST_P(SSLVersionTest, SessionIDContext) {
3493 static const uint8_t kContext1[] = {1};
3494 static const uint8_t kContext2[] = {2};
3495
3496 ASSERT_TRUE(SSL_CTX_set_session_id_context(server_ctx_.get(), kContext1,
3497 sizeof(kContext1)));
3498
3499 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
3500 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
3501
3502 bssl::UniquePtr<SSL_SESSION> session =
3503 CreateClientSession(client_ctx_.get(), server_ctx_.get());
3504 ASSERT_TRUE(session);
3505
3506 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3507 session.get(),
3508 true /* expect session reused */));
3509
3510 // Change the session ID context.
3511 ASSERT_TRUE(SSL_CTX_set_session_id_context(server_ctx_.get(), kContext2,
3512 sizeof(kContext2)));
3513
3514 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3515 session.get(),
3516 false /* expect session not reused */));
3517
3518 // Change the session ID context back and install an SNI callback to switch
3519 // it.
3520 ASSERT_TRUE(SSL_CTX_set_session_id_context(server_ctx_.get(), kContext1,
3521 sizeof(kContext1)));
3522
3523 SSL_CTX_set_tlsext_servername_callback(server_ctx_.get(),
3524 SwitchSessionIDContextSNI);
3525
3526 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3527 session.get(),
3528 false /* expect session not reused */));
3529
3530 // Switch the session ID context with the early callback instead.
3531 SSL_CTX_set_tlsext_servername_callback(server_ctx_.get(), nullptr);
3532 SSL_CTX_set_select_certificate_cb(
3533 server_ctx_.get(),
3534 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
3535 static const uint8_t kContext[] = {3};
3536
3537 if (!SSL_set_session_id_context(client_hello->ssl, kContext,
3538 sizeof(kContext))) {
3539 return ssl_select_cert_error;
3540 }
3541
3542 return ssl_select_cert_success;
3543 });
3544
3545 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3546 session.get(),
3547 false /* expect session not reused */));
3548 }
3549
3550 static timeval g_current_time;
3551
CurrentTimeCallback(const SSL * ssl,timeval * out_clock)3552 static void CurrentTimeCallback(const SSL *ssl, timeval *out_clock) {
3553 *out_clock = g_current_time;
3554 }
3555
FrozenTimeCallback(const SSL * ssl,timeval * out_clock)3556 static void FrozenTimeCallback(const SSL *ssl, timeval *out_clock) {
3557 out_clock->tv_sec = 1000;
3558 out_clock->tv_usec = 0;
3559 }
3560
RenewTicketCallback(SSL * ssl,uint8_t * key_name,uint8_t * iv,EVP_CIPHER_CTX * ctx,HMAC_CTX * hmac_ctx,int encrypt)3561 static int RenewTicketCallback(SSL *ssl, uint8_t *key_name, uint8_t *iv,
3562 EVP_CIPHER_CTX *ctx, HMAC_CTX *hmac_ctx,
3563 int encrypt) {
3564 static const uint8_t kZeros[16] = {0};
3565
3566 if (encrypt) {
3567 OPENSSL_memcpy(key_name, kZeros, sizeof(kZeros));
3568 RAND_bytes(iv, 16);
3569 } else if (OPENSSL_memcmp(key_name, kZeros, 16) != 0) {
3570 return 0;
3571 }
3572
3573 if (!HMAC_Init_ex(hmac_ctx, kZeros, sizeof(kZeros), EVP_sha256(), NULL) ||
3574 !EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, kZeros, iv, encrypt)) {
3575 return -1;
3576 }
3577
3578 // Returning two from the callback in decrypt mode renews the
3579 // session in TLS 1.2 and below.
3580 return encrypt ? 1 : 2;
3581 }
3582
GetServerTicketTime(long * out,const SSL_SESSION * session)3583 static bool GetServerTicketTime(long *out, const SSL_SESSION *session) {
3584 const uint8_t *ticket;
3585 size_t ticket_len;
3586 SSL_SESSION_get0_ticket(session, &ticket, &ticket_len);
3587 if (ticket_len < 16 + 16 + SHA256_DIGEST_LENGTH) {
3588 return false;
3589 }
3590
3591 const uint8_t *ciphertext = ticket + 16 + 16;
3592 size_t len = ticket_len - 16 - 16 - SHA256_DIGEST_LENGTH;
3593 auto plaintext = std::make_unique<uint8_t[]>(len);
3594
3595 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
3596 // Fuzzer-mode tickets are unencrypted.
3597 OPENSSL_memcpy(plaintext.get(), ciphertext, len);
3598 #else
3599 static const uint8_t kZeros[16] = {0};
3600 const uint8_t *iv = ticket + 16;
3601 bssl::ScopedEVP_CIPHER_CTX ctx;
3602 int len1, len2;
3603 if (len > INT_MAX ||
3604 !EVP_DecryptInit_ex(ctx.get(), EVP_aes_128_cbc(), nullptr, kZeros, iv) ||
3605 !EVP_DecryptUpdate(ctx.get(), plaintext.get(), &len1, ciphertext,
3606 static_cast<int>(len)) ||
3607 !EVP_DecryptFinal_ex(ctx.get(), plaintext.get() + len1, &len2)) {
3608 return false;
3609 }
3610
3611 len = static_cast<size_t>(len1 + len2);
3612 #endif
3613
3614 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
3615 if (!ssl_ctx) {
3616 return false;
3617 }
3618 bssl::UniquePtr<SSL_SESSION> server_session(
3619 SSL_SESSION_from_bytes(plaintext.get(), len, ssl_ctx.get()));
3620 if (!server_session) {
3621 return false;
3622 }
3623
3624 *out = SSL_SESSION_get_time(server_session.get());
3625 return true;
3626 }
3627
TEST_P(SSLVersionTest,SessionTimeout)3628 TEST_P(SSLVersionTest, SessionTimeout) {
3629 for (bool server_test : {false, true}) {
3630 SCOPED_TRACE(server_test);
3631
3632 ASSERT_NO_FATAL_FAILURE(ResetContexts());
3633 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
3634 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
3635
3636 static const time_t kStartTime = 1000;
3637 g_current_time.tv_sec = kStartTime;
3638
3639 // We are willing to use a longer lifetime for TLS 1.3 sessions as
3640 // resumptions still perform ECDHE.
3641 const time_t timeout = version() == TLS1_3_VERSION
3642 ? SSL_DEFAULT_SESSION_PSK_DHE_TIMEOUT
3643 : SSL_DEFAULT_SESSION_TIMEOUT;
3644
3645 // Both client and server must enforce session timeouts. We configure the
3646 // other side with a frozen clock so it never expires tickets.
3647 if (server_test) {
3648 SSL_CTX_set_current_time_cb(client_ctx_.get(), FrozenTimeCallback);
3649 SSL_CTX_set_current_time_cb(server_ctx_.get(), CurrentTimeCallback);
3650 } else {
3651 SSL_CTX_set_current_time_cb(client_ctx_.get(), CurrentTimeCallback);
3652 SSL_CTX_set_current_time_cb(server_ctx_.get(), FrozenTimeCallback);
3653 }
3654
3655 // Configure a ticket callback which renews tickets.
3656 SSL_CTX_set_tlsext_ticket_key_cb(server_ctx_.get(), RenewTicketCallback);
3657
3658 bssl::UniquePtr<SSL_SESSION> session =
3659 CreateClientSession(client_ctx_.get(), server_ctx_.get());
3660 ASSERT_TRUE(session);
3661
3662 // Advance the clock just behind the timeout.
3663 g_current_time.tv_sec += timeout - 1;
3664
3665 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3666 session.get(),
3667 true /* expect session reused */));
3668
3669 // Advance the clock one more second.
3670 g_current_time.tv_sec++;
3671
3672 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3673 session.get(),
3674 false /* expect session not reused */));
3675
3676 // Rewind the clock to before the session was minted.
3677 g_current_time.tv_sec = kStartTime - 1;
3678
3679 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3680 session.get(),
3681 false /* expect session not reused */));
3682
3683 // Renew the session 10 seconds before expiration.
3684 time_t new_start_time = kStartTime + timeout - 10;
3685 g_current_time.tv_sec = new_start_time;
3686 bssl::UniquePtr<SSL_SESSION> new_session = ExpectSessionRenewed(
3687 client_ctx_.get(), server_ctx_.get(), session.get());
3688 ASSERT_TRUE(new_session);
3689
3690 // This new session is not the same object as before.
3691 EXPECT_NE(session.get(), new_session.get());
3692
3693 // Check the sessions have timestamps measured from issuance.
3694 long session_time = 0;
3695 if (server_test) {
3696 ASSERT_TRUE(GetServerTicketTime(&session_time, new_session.get()));
3697 } else {
3698 session_time = SSL_SESSION_get_time(new_session.get());
3699 }
3700
3701 ASSERT_EQ(session_time, g_current_time.tv_sec);
3702
3703 if (version() == TLS1_3_VERSION) {
3704 // Renewal incorporates fresh key material in TLS 1.3, so we extend the
3705 // lifetime TLS 1.3.
3706 g_current_time.tv_sec = new_start_time + timeout - 1;
3707 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3708 new_session.get(),
3709 true /* expect session reused */));
3710
3711 // The new session expires after the new timeout.
3712 g_current_time.tv_sec = new_start_time + timeout + 1;
3713 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3714 new_session.get(),
3715 false /* expect session ot reused */));
3716
3717 // Renew the session until it begins just past the auth timeout.
3718 time_t auth_end_time = kStartTime + SSL_DEFAULT_SESSION_AUTH_TIMEOUT;
3719 while (new_start_time < auth_end_time - 1000) {
3720 // Get as close as possible to target start time.
3721 new_start_time =
3722 std::min(auth_end_time - 1000, new_start_time + timeout - 1);
3723 g_current_time.tv_sec = new_start_time;
3724 new_session = ExpectSessionRenewed(client_ctx_.get(), server_ctx_.get(),
3725 new_session.get());
3726 ASSERT_TRUE(new_session);
3727 }
3728
3729 // Now the session's lifetime is bound by the auth timeout.
3730 g_current_time.tv_sec = auth_end_time - 1;
3731 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3732 new_session.get(),
3733 true /* expect session reused */));
3734
3735 g_current_time.tv_sec = auth_end_time + 1;
3736 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3737 new_session.get(),
3738 false /* expect session ot reused */));
3739 } else {
3740 // The new session is usable just before the old expiration.
3741 g_current_time.tv_sec = kStartTime + timeout - 1;
3742 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3743 new_session.get(),
3744 true /* expect session reused */));
3745
3746 // Renewal does not extend the lifetime, so it is not usable beyond the
3747 // old expiration.
3748 g_current_time.tv_sec = kStartTime + timeout + 1;
3749 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3750 new_session.get(),
3751 false /* expect session not reused */));
3752 }
3753 }
3754 }
3755
TEST_P(SSLVersionTest,DefaultTicketKeyInitialization)3756 TEST_P(SSLVersionTest, DefaultTicketKeyInitialization) {
3757 static const uint8_t kZeroKey[kTicketKeyLen] = {};
3758 uint8_t ticket_key[kTicketKeyLen];
3759 ASSERT_EQ(1, SSL_CTX_get_tlsext_ticket_keys(server_ctx_.get(), ticket_key,
3760 kTicketKeyLen));
3761 ASSERT_NE(0, OPENSSL_memcmp(ticket_key, kZeroKey, kTicketKeyLen));
3762 }
3763
TEST_P(SSLVersionTest,DefaultTicketKeyRotation)3764 TEST_P(SSLVersionTest, DefaultTicketKeyRotation) {
3765 static const time_t kStartTime = 1001;
3766 g_current_time.tv_sec = kStartTime;
3767
3768 // We use session reuse as a proxy for ticket decryption success, hence
3769 // disable session timeouts.
3770 SSL_CTX_set_timeout(server_ctx_.get(), std::numeric_limits<uint32_t>::max());
3771 SSL_CTX_set_session_psk_dhe_timeout(server_ctx_.get(),
3772 std::numeric_limits<uint32_t>::max());
3773
3774 SSL_CTX_set_current_time_cb(client_ctx_.get(), FrozenTimeCallback);
3775 SSL_CTX_set_current_time_cb(server_ctx_.get(), CurrentTimeCallback);
3776
3777 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
3778 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_OFF);
3779
3780 // Initialize ticket_key with the current key and check that it was
3781 // initialized to something, not all zeros.
3782 uint8_t ticket_key[kTicketKeyLen] = {0};
3783 TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
3784 true /* changed */));
3785
3786 // Verify ticket resumption actually works.
3787 bssl::UniquePtr<SSL> client, server;
3788 bssl::UniquePtr<SSL_SESSION> session =
3789 CreateClientSession(client_ctx_.get(), server_ctx_.get());
3790 ASSERT_TRUE(session);
3791 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3792 session.get(), true /* reused */));
3793
3794 // Advance time to just before key rotation.
3795 g_current_time.tv_sec += SSL_DEFAULT_TICKET_KEY_ROTATION_INTERVAL - 1;
3796 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3797 session.get(), true /* reused */));
3798 TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
3799 false /* NOT changed */));
3800
3801 // Force key rotation.
3802 g_current_time.tv_sec += 1;
3803 bssl::UniquePtr<SSL_SESSION> new_session =
3804 CreateClientSession(client_ctx_.get(), server_ctx_.get());
3805 TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
3806 true /* changed */));
3807
3808 // Resumption with both old and new ticket should work.
3809 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3810 session.get(), true /* reused */));
3811 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3812 new_session.get(), true /* reused */));
3813 TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
3814 false /* NOT changed */));
3815
3816 // Force key rotation again. Resumption with the old ticket now fails.
3817 g_current_time.tv_sec += SSL_DEFAULT_TICKET_KEY_ROTATION_INTERVAL;
3818 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3819 session.get(), false /* NOT reused */));
3820 TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
3821 true /* changed */));
3822
3823 // But resumption with the newer session still works.
3824 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3825 new_session.get(), true /* reused */));
3826 }
3827
SwitchContext(SSL * ssl,int * out_alert,void * arg)3828 static int SwitchContext(SSL *ssl, int *out_alert, void *arg) {
3829 SSL_CTX *ctx = reinterpret_cast<SSL_CTX *>(arg);
3830 SSL_set_SSL_CTX(ssl, ctx);
3831 return SSL_TLSEXT_ERR_OK;
3832 }
3833
TEST_P(SSLVersionTest,SNICallback)3834 TEST_P(SSLVersionTest, SNICallback) {
3835 bssl::UniquePtr<X509> cert2 = GetECDSATestCertificate();
3836 ASSERT_TRUE(cert2);
3837 bssl::UniquePtr<EVP_PKEY> key2 = GetECDSATestKey();
3838 ASSERT_TRUE(key2);
3839
3840 // Test that switching the |SSL_CTX| at the SNI callback behaves correctly.
3841 static const uint16_t kECDSAWithSHA256 = SSL_SIGN_ECDSA_SECP256R1_SHA256;
3842
3843 static const uint8_t kSCTList[] = {0, 6, 0, 4, 5, 6, 7, 8};
3844 static const uint8_t kOCSPResponse[] = {1, 2, 3, 4};
3845
3846 bssl::UniquePtr<SSL_CTX> server_ctx2 = CreateContext();
3847 ASSERT_TRUE(server_ctx2);
3848 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx2.get(), cert2.get()));
3849 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx2.get(), key2.get()));
3850 ASSERT_TRUE(SSL_CTX_set_signed_cert_timestamp_list(
3851 server_ctx2.get(), kSCTList, sizeof(kSCTList)));
3852 ASSERT_TRUE(SSL_CTX_set_ocsp_response(server_ctx2.get(), kOCSPResponse,
3853 sizeof(kOCSPResponse)));
3854 // Historically signing preferences would be lost in some cases with the
3855 // SNI callback, which triggers the TLS 1.2 SHA-1 default. To ensure
3856 // this doesn't happen when |version| is TLS 1.2, configure the private
3857 // key to only sign SHA-256.
3858 ASSERT_TRUE(SSL_CTX_set_signing_algorithm_prefs(server_ctx2.get(),
3859 &kECDSAWithSHA256, 1));
3860
3861 SSL_CTX_set_tlsext_servername_callback(server_ctx_.get(), SwitchContext);
3862 SSL_CTX_set_tlsext_servername_arg(server_ctx_.get(), server_ctx2.get());
3863
3864 SSL_CTX_enable_signed_cert_timestamps(client_ctx_.get());
3865 SSL_CTX_enable_ocsp_stapling(client_ctx_.get());
3866
3867 ASSERT_TRUE(Connect());
3868
3869 // The client should have received |cert2|.
3870 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(client_.get()));
3871 ASSERT_TRUE(peer);
3872 EXPECT_EQ(X509_cmp(peer.get(), cert2.get()), 0);
3873
3874 // The client should have received |server_ctx2|'s SCT list.
3875 const uint8_t *data;
3876 size_t len;
3877 SSL_get0_signed_cert_timestamp_list(client_.get(), &data, &len);
3878 EXPECT_EQ(Bytes(kSCTList), Bytes(data, len));
3879
3880 // The client should have received |server_ctx2|'s OCSP response.
3881 SSL_get0_ocsp_response(client_.get(), &data, &len);
3882 EXPECT_EQ(Bytes(kOCSPResponse), Bytes(data, len));
3883 }
3884
3885 // Test that the early callback can swap the maximum version.
TEST(SSLTest,EarlyCallbackVersionSwitch)3886 TEST(SSLTest, EarlyCallbackVersionSwitch) {
3887 bssl::UniquePtr<SSL_CTX> server_ctx =
3888 CreateContextWithTestCertificate(TLS_method());
3889 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
3890 ASSERT_TRUE(server_ctx);
3891 ASSERT_TRUE(client_ctx);
3892 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION));
3893 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
3894
3895 SSL_CTX_set_select_certificate_cb(
3896 server_ctx.get(),
3897 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
3898 if (!SSL_set_max_proto_version(client_hello->ssl, TLS1_2_VERSION)) {
3899 return ssl_select_cert_error;
3900 }
3901
3902 return ssl_select_cert_success;
3903 });
3904
3905 bssl::UniquePtr<SSL> client, server;
3906 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
3907 server_ctx.get()));
3908 EXPECT_EQ(TLS1_2_VERSION, SSL_version(client.get()));
3909 }
3910
TEST(SSLTest,SetVersion)3911 TEST(SSLTest, SetVersion) {
3912 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
3913 ASSERT_TRUE(ctx);
3914
3915 // Set valid TLS versions.
3916 for (const auto &vers : kAllVersions) {
3917 SCOPED_TRACE(vers.name);
3918 if (vers.ssl_method == VersionParam::is_tls) {
3919 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), vers.version));
3920 EXPECT_EQ(SSL_CTX_get_max_proto_version(ctx.get()), vers.version);
3921 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), vers.version));
3922 EXPECT_EQ(SSL_CTX_get_min_proto_version(ctx.get()), vers.version);
3923 }
3924 }
3925
3926 // Invalid TLS versions are rejected.
3927 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), DTLS1_VERSION));
3928 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0x0200));
3929 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0x1234));
3930 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), DTLS1_VERSION));
3931 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x0200));
3932 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x1234));
3933
3934 // Zero is the default version.
3935 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), 0));
3936 EXPECT_EQ(TLS1_3_VERSION, SSL_CTX_get_max_proto_version(ctx.get()));
3937 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), 0));
3938 EXPECT_EQ(TLS1_VERSION, SSL_CTX_get_min_proto_version(ctx.get()));
3939
3940 // SSL 3.0 is not available.
3941 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), SSL3_VERSION));
3942
3943 ctx.reset(SSL_CTX_new(DTLS_method()));
3944 ASSERT_TRUE(ctx);
3945
3946 // Set valid DTLS versions.
3947 for (const auto &vers : kAllVersions) {
3948 SCOPED_TRACE(vers.name);
3949 if (vers.ssl_method == VersionParam::is_dtls) {
3950 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), vers.version));
3951 EXPECT_EQ(SSL_CTX_get_max_proto_version(ctx.get()), vers.version);
3952 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), vers.version));
3953 EXPECT_EQ(SSL_CTX_get_min_proto_version(ctx.get()), vers.version);
3954 }
3955 }
3956
3957 // Invalid DTLS versions are rejected.
3958 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_VERSION));
3959 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0xfefe /* DTLS 1.1 */));
3960 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0xfffe /* DTLS 0.1 */));
3961 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0x1234));
3962 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_VERSION));
3963 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0xfefe /* DTLS 1.1 */));
3964 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0xfffe /* DTLS 0.1 */));
3965 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x1234));
3966
3967 // Zero is the default version.
3968 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), 0));
3969 EXPECT_EQ(DTLS1_2_VERSION, SSL_CTX_get_max_proto_version(ctx.get()));
3970 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), 0));
3971 EXPECT_EQ(DTLS1_VERSION, SSL_CTX_get_min_proto_version(ctx.get()));
3972 }
3973
GetVersionName(uint16_t version)3974 static const char *GetVersionName(uint16_t version) {
3975 switch (version) {
3976 case TLS1_VERSION:
3977 return "TLSv1";
3978 case TLS1_1_VERSION:
3979 return "TLSv1.1";
3980 case TLS1_2_VERSION:
3981 return "TLSv1.2";
3982 case TLS1_3_VERSION:
3983 return "TLSv1.3";
3984 case DTLS1_VERSION:
3985 return "DTLSv1";
3986 case DTLS1_2_VERSION:
3987 return "DTLSv1.2";
3988 default:
3989 return "???";
3990 }
3991 }
3992
TEST_P(SSLVersionTest,Version)3993 TEST_P(SSLVersionTest, Version) {
3994 ASSERT_TRUE(Connect());
3995
3996 EXPECT_EQ(SSL_version(client_.get()), version());
3997 EXPECT_EQ(SSL_version(server_.get()), version());
3998
3999 // Test the version name is reported as expected.
4000 const char *version_name = GetVersionName(version());
4001 EXPECT_EQ(strcmp(version_name, SSL_get_version(client_.get())), 0);
4002 EXPECT_EQ(strcmp(version_name, SSL_get_version(server_.get())), 0);
4003
4004 // Test SSL_SESSION reports the same name.
4005 const char *client_name =
4006 SSL_SESSION_get_version(SSL_get_session(client_.get()));
4007 const char *server_name =
4008 SSL_SESSION_get_version(SSL_get_session(server_.get()));
4009 EXPECT_EQ(strcmp(version_name, client_name), 0);
4010 EXPECT_EQ(strcmp(version_name, server_name), 0);
4011 }
4012
4013 // Tests that that |SSL_get_pending_cipher| is available during the ALPN
4014 // selection callback.
TEST_P(SSLVersionTest,ALPNCipherAvailable)4015 TEST_P(SSLVersionTest, ALPNCipherAvailable) {
4016 ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
4017
4018 static const uint8_t kALPNProtos[] = {0x03, 'f', 'o', 'o'};
4019 ASSERT_EQ(SSL_CTX_set_alpn_protos(client_ctx_.get(), kALPNProtos,
4020 sizeof(kALPNProtos)),
4021 0);
4022
4023 // The ALPN callback does not fail the handshake on error, so have the
4024 // callback write a boolean.
4025 std::pair<uint16_t, bool> callback_state(version(), false);
4026 SSL_CTX_set_alpn_select_cb(
4027 server_ctx_.get(),
4028 [](SSL *ssl, const uint8_t **out, uint8_t *out_len, const uint8_t *in,
4029 unsigned in_len, void *arg) -> int {
4030 auto state = reinterpret_cast<std::pair<uint16_t, bool> *>(arg);
4031 if (SSL_get_pending_cipher(ssl) != nullptr &&
4032 SSL_version(ssl) == state->first) {
4033 state->second = true;
4034 }
4035 return SSL_TLSEXT_ERR_NOACK;
4036 },
4037 &callback_state);
4038
4039 ASSERT_TRUE(Connect());
4040
4041 ASSERT_TRUE(callback_state.second);
4042 }
4043
TEST_P(SSLVersionTest,SSLClearSessionResumption)4044 TEST_P(SSLVersionTest, SSLClearSessionResumption) {
4045 // Skip this for TLS 1.3. TLS 1.3's ticket mechanism is incompatible with this
4046 // API pattern.
4047 if (version() == TLS1_3_VERSION) {
4048 return;
4049 }
4050
4051 shed_handshake_config_ = false;
4052 ASSERT_TRUE(Connect());
4053
4054 EXPECT_FALSE(SSL_session_reused(client_.get()));
4055 EXPECT_FALSE(SSL_session_reused(server_.get()));
4056
4057 // Reset everything.
4058 ASSERT_TRUE(SSL_clear(client_.get()));
4059 ASSERT_TRUE(SSL_clear(server_.get()));
4060
4061 // Attempt to connect a second time.
4062 ASSERT_TRUE(CompleteHandshakes(client_.get(), server_.get()));
4063
4064 // |SSL_clear| should implicitly offer the previous session to the server.
4065 EXPECT_TRUE(SSL_session_reused(client_.get()));
4066 EXPECT_TRUE(SSL_session_reused(server_.get()));
4067 }
4068
TEST_P(SSLVersionTest,SSLClearFailsWithShedding)4069 TEST_P(SSLVersionTest, SSLClearFailsWithShedding) {
4070 shed_handshake_config_ = false;
4071 ASSERT_TRUE(Connect());
4072 ASSERT_TRUE(CompleteHandshakes(client_.get(), server_.get()));
4073
4074 // Reset everything.
4075 ASSERT_TRUE(SSL_clear(client_.get()));
4076 ASSERT_TRUE(SSL_clear(server_.get()));
4077
4078 // Now enable shedding, and connect a second time.
4079 shed_handshake_config_ = true;
4080 ASSERT_TRUE(Connect());
4081 ASSERT_TRUE(CompleteHandshakes(client_.get(), server_.get()));
4082
4083 // |SSL_clear| should now fail.
4084 ASSERT_FALSE(SSL_clear(client_.get()));
4085 ASSERT_FALSE(SSL_clear(server_.get()));
4086 }
4087
ChainsEqual(const STACK_OF (X509)* chain,const std::vector<X509 * > & expected)4088 static bool ChainsEqual(const STACK_OF(X509) *chain,
4089 const std::vector<X509 *> &expected) {
4090 if (sk_X509_num(chain) != expected.size()) {
4091 return false;
4092 }
4093
4094 for (size_t i = 0; i < expected.size(); i++) {
4095 if (X509_cmp(sk_X509_value(chain, i), expected[i]) != 0) {
4096 return false;
4097 }
4098 }
4099
4100 return true;
4101 }
4102
BuffersEqual(const STACK_OF (CRYPTO_BUFFER)* chain,const std::vector<CRYPTO_BUFFER * > & expected)4103 static bool BuffersEqual(const STACK_OF(CRYPTO_BUFFER) *chain,
4104 const std::vector<CRYPTO_BUFFER *> &expected) {
4105 if (sk_CRYPTO_BUFFER_num(chain) != expected.size()) {
4106 return false;
4107 }
4108
4109 for (size_t i = 0; i < expected.size(); i++) {
4110 const CRYPTO_BUFFER *buf = sk_CRYPTO_BUFFER_value(chain, i);
4111 if (Bytes(CRYPTO_BUFFER_data(buf), CRYPTO_BUFFER_len(buf)) !=
4112 Bytes(CRYPTO_BUFFER_data(expected[i]),
4113 CRYPTO_BUFFER_len(expected[i]))) {
4114 return false;
4115 }
4116 }
4117
4118 return true;
4119 }
4120
TEST_P(SSLVersionTest,AutoChain)4121 TEST_P(SSLVersionTest, AutoChain) {
4122 cert_ = GetChainTestCertificate();
4123 ASSERT_TRUE(cert_);
4124 key_ = GetChainTestKey();
4125 ASSERT_TRUE(key_);
4126 bssl::UniquePtr<X509> intermediate = GetChainTestIntermediate();
4127 ASSERT_TRUE(intermediate);
4128
4129 ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
4130 ASSERT_TRUE(UseCertAndKey(server_ctx_.get()));
4131
4132 // Configure both client and server to accept any certificate. Add
4133 // |intermediate| to the cert store.
4134 ASSERT_TRUE(X509_STORE_add_cert(SSL_CTX_get_cert_store(client_ctx_.get()),
4135 intermediate.get()));
4136 ASSERT_TRUE(X509_STORE_add_cert(SSL_CTX_get_cert_store(server_ctx_.get()),
4137 intermediate.get()));
4138 SSL_CTX_set_verify(client_ctx_.get(),
4139 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
4140 nullptr);
4141 SSL_CTX_set_verify(server_ctx_.get(),
4142 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
4143 nullptr);
4144 SSL_CTX_set_cert_verify_callback(client_ctx_.get(), VerifySucceed, NULL);
4145 SSL_CTX_set_cert_verify_callback(server_ctx_.get(), VerifySucceed, NULL);
4146
4147 // By default, the client and server should each only send the leaf.
4148 ASSERT_TRUE(Connect());
4149
4150 EXPECT_TRUE(
4151 ChainsEqual(SSL_get_peer_full_cert_chain(client_.get()), {cert_.get()}));
4152 EXPECT_TRUE(
4153 ChainsEqual(SSL_get_peer_full_cert_chain(server_.get()), {cert_.get()}));
4154
4155 // If auto-chaining is enabled, then the intermediate is sent.
4156 SSL_CTX_clear_mode(client_ctx_.get(), SSL_MODE_NO_AUTO_CHAIN);
4157 SSL_CTX_clear_mode(server_ctx_.get(), SSL_MODE_NO_AUTO_CHAIN);
4158 ASSERT_TRUE(Connect());
4159
4160 EXPECT_TRUE(ChainsEqual(SSL_get_peer_full_cert_chain(client_.get()),
4161 {cert_.get(), intermediate.get()}));
4162 EXPECT_TRUE(ChainsEqual(SSL_get_peer_full_cert_chain(server_.get()),
4163 {cert_.get(), intermediate.get()}));
4164
4165 // Auto-chaining does not override explicitly-configured intermediates.
4166 ASSERT_TRUE(SSL_CTX_add1_chain_cert(client_ctx_.get(), cert_.get()));
4167 ASSERT_TRUE(SSL_CTX_add1_chain_cert(server_ctx_.get(), cert_.get()));
4168 ASSERT_TRUE(Connect());
4169
4170 EXPECT_TRUE(ChainsEqual(SSL_get_peer_full_cert_chain(client_.get()),
4171 {cert_.get(), cert_.get()}));
4172
4173 EXPECT_TRUE(ChainsEqual(SSL_get_peer_full_cert_chain(server_.get()),
4174 {cert_.get(), cert_.get()}));
4175 }
4176
ExpectSingleError(int lib,int reason)4177 static bool ExpectSingleError(int lib, int reason) {
4178 const char *expected = ERR_reason_error_string(ERR_PACK(lib, reason));
4179 int err = ERR_get_error();
4180 if (ERR_GET_LIB(err) != lib || ERR_GET_REASON(err) != reason) {
4181 char buf[ERR_ERROR_STRING_BUF_LEN];
4182 ERR_error_string_n(err, buf, sizeof(buf));
4183 fprintf(stderr, "Wanted %s, got: %s.\n", expected, buf);
4184 return false;
4185 }
4186
4187 if (ERR_peek_error() != 0) {
4188 fprintf(stderr, "Unexpected error following %s.\n", expected);
4189 return false;
4190 }
4191
4192 return true;
4193 }
4194
TEST_P(SSLVersionTest,SSLWriteRetry)4195 TEST_P(SSLVersionTest, SSLWriteRetry) {
4196 if (is_dtls()) {
4197 return;
4198 }
4199
4200 for (bool enable_partial_write : {false, true}) {
4201 SCOPED_TRACE(enable_partial_write);
4202
4203 // Connect a client and server.
4204 ASSERT_TRUE(Connect());
4205
4206 if (enable_partial_write) {
4207 SSL_set_mode(client_.get(), SSL_MODE_ENABLE_PARTIAL_WRITE);
4208 }
4209
4210 // Write without reading until the buffer is full and we have an unfinished
4211 // write. Keep a count so we may reread it again later. "hello!" will be
4212 // written in two chunks, "hello" and "!".
4213 char data[] = "hello!";
4214 static const int kChunkLen = 5; // The length of "hello".
4215 unsigned count = 0;
4216 for (;;) {
4217 int ret = SSL_write(client_.get(), data, kChunkLen);
4218 if (ret <= 0) {
4219 ASSERT_EQ(SSL_get_error(client_.get(), ret), SSL_ERROR_WANT_WRITE);
4220 break;
4221 }
4222 ASSERT_EQ(ret, 5);
4223 count++;
4224 }
4225
4226 // Retrying with the same parameters is legal.
4227 ASSERT_EQ(
4228 SSL_get_error(client_.get(), SSL_write(client_.get(), data, kChunkLen)),
4229 SSL_ERROR_WANT_WRITE);
4230
4231 // Retrying with the same buffer but shorter length is not legal.
4232 ASSERT_EQ(SSL_get_error(client_.get(),
4233 SSL_write(client_.get(), data, kChunkLen - 1)),
4234 SSL_ERROR_SSL);
4235 ASSERT_TRUE(ExpectSingleError(ERR_LIB_SSL, SSL_R_BAD_WRITE_RETRY));
4236
4237 // Retrying with a different buffer pointer is not legal.
4238 char data2[] = "hello";
4239 ASSERT_EQ(SSL_get_error(client_.get(),
4240 SSL_write(client_.get(), data2, kChunkLen)),
4241 SSL_ERROR_SSL);
4242 ASSERT_TRUE(ExpectSingleError(ERR_LIB_SSL, SSL_R_BAD_WRITE_RETRY));
4243
4244 // With |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER|, the buffer may move.
4245 SSL_set_mode(client_.get(), SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
4246 ASSERT_EQ(SSL_get_error(client_.get(),
4247 SSL_write(client_.get(), data2, kChunkLen)),
4248 SSL_ERROR_WANT_WRITE);
4249
4250 // |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER| does not disable length checks.
4251 ASSERT_EQ(SSL_get_error(client_.get(),
4252 SSL_write(client_.get(), data2, kChunkLen - 1)),
4253 SSL_ERROR_SSL);
4254 ASSERT_TRUE(ExpectSingleError(ERR_LIB_SSL, SSL_R_BAD_WRITE_RETRY));
4255
4256 // Retrying with a larger buffer is legal.
4257 ASSERT_EQ(SSL_get_error(client_.get(),
4258 SSL_write(client_.get(), data, kChunkLen + 1)),
4259 SSL_ERROR_WANT_WRITE);
4260
4261 // Drain the buffer.
4262 char buf[20];
4263 for (unsigned i = 0; i < count; i++) {
4264 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen);
4265 ASSERT_EQ(OPENSSL_memcmp(buf, "hello", kChunkLen), 0);
4266 }
4267
4268 // Now that there is space, a retry with a larger buffer should flush the
4269 // pending record, skip over that many bytes of input (on assumption they
4270 // are the same), and write the remainder. If SSL_MODE_ENABLE_PARTIAL_WRITE
4271 // is set, this will complete in two steps.
4272 char data_longer[] = "_____!!!!!";
4273 if (enable_partial_write) {
4274 ASSERT_EQ(SSL_write(client_.get(), data_longer, 2 * kChunkLen),
4275 kChunkLen);
4276 ASSERT_EQ(SSL_write(client_.get(), data_longer + kChunkLen, kChunkLen),
4277 kChunkLen);
4278 } else {
4279 ASSERT_EQ(SSL_write(client_.get(), data_longer, 2 * kChunkLen),
4280 2 * kChunkLen);
4281 }
4282
4283 // Check the last write was correct. The data will be spread over two
4284 // records, so SSL_read returns twice.
4285 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen);
4286 ASSERT_EQ(OPENSSL_memcmp(buf, "hello", kChunkLen), 0);
4287 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen);
4288 ASSERT_EQ(OPENSSL_memcmp(buf, "!!!!!", kChunkLen), 0);
4289
4290 // Fill the transport buffer again. This time only leave room for one
4291 // record.
4292 count = 0;
4293 for (;;) {
4294 int ret = SSL_write(client_.get(), data, kChunkLen);
4295 if (ret <= 0) {
4296 ASSERT_EQ(SSL_get_error(client_.get(), ret), SSL_ERROR_WANT_WRITE);
4297 break;
4298 }
4299 ASSERT_EQ(ret, 5);
4300 count++;
4301 }
4302 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen);
4303 ASSERT_EQ(OPENSSL_memcmp(buf, "hello", kChunkLen), 0);
4304 count--;
4305
4306 // Retry the last write, with a longer input. The first half is the most
4307 // recently failed write, from filling the buffer. |SSL_write| should write
4308 // that to the transport, and then attempt to write the second half.
4309 int ret = SSL_write(client_.get(), data_longer, 2 * kChunkLen);
4310 if (enable_partial_write) {
4311 // If partial writes are allowed, the write will succeed partially.
4312 ASSERT_EQ(ret, kChunkLen);
4313
4314 // Check the first half and make room for another record.
4315 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen);
4316 ASSERT_EQ(OPENSSL_memcmp(buf, "hello", kChunkLen), 0);
4317 count--;
4318
4319 // Finish writing the input.
4320 ASSERT_EQ(SSL_write(client_.get(), data_longer + kChunkLen, kChunkLen),
4321 kChunkLen);
4322 } else {
4323 // Otherwise, although the first half made it to the transport, the second
4324 // half is blocked.
4325 ASSERT_EQ(ret, -1);
4326 ASSERT_EQ(SSL_get_error(client_.get(), -1), SSL_ERROR_WANT_WRITE);
4327
4328 // Check the first half and make room for another record.
4329 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen);
4330 ASSERT_EQ(OPENSSL_memcmp(buf, "hello", kChunkLen), 0);
4331 count--;
4332
4333 // Retrying with fewer bytes than previously attempted is an error. If the
4334 // input length is less than the number of bytes successfully written, the
4335 // check happens at a different point, with a different error.
4336 //
4337 // TODO(davidben): Should these cases use the same error?
4338 ASSERT_EQ(
4339 SSL_get_error(client_.get(),
4340 SSL_write(client_.get(), data_longer, kChunkLen - 1)),
4341 SSL_ERROR_SSL);
4342 ASSERT_TRUE(ExpectSingleError(ERR_LIB_SSL, SSL_R_BAD_LENGTH));
4343
4344 // Complete the write with the correct retry.
4345 ASSERT_EQ(SSL_write(client_.get(), data_longer, 2 * kChunkLen),
4346 2 * kChunkLen);
4347 }
4348
4349 // Drain the input and ensure everything was written correctly.
4350 for (unsigned i = 0; i < count; i++) {
4351 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen);
4352 ASSERT_EQ(OPENSSL_memcmp(buf, "hello", kChunkLen), 0);
4353 }
4354
4355 // The final write is spread over two records.
4356 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen);
4357 ASSERT_EQ(OPENSSL_memcmp(buf, "hello", kChunkLen), 0);
4358 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen);
4359 ASSERT_EQ(OPENSSL_memcmp(buf, "!!!!!", kChunkLen), 0);
4360 }
4361 }
4362
TEST_P(SSLVersionTest,RecordCallback)4363 TEST_P(SSLVersionTest, RecordCallback) {
4364 for (bool test_server : {true, false}) {
4365 SCOPED_TRACE(test_server);
4366 ASSERT_NO_FATAL_FAILURE(ResetContexts());
4367
4368 bool read_seen = false;
4369 bool write_seen = false;
4370 auto cb = [&](int is_write, int cb_version, int cb_type, const void *buf,
4371 size_t len, SSL *ssl) {
4372 if (cb_type != SSL3_RT_HEADER) {
4373 return;
4374 }
4375
4376 // The callback does not report a version for records.
4377 EXPECT_EQ(0, cb_version);
4378
4379 if (is_write) {
4380 write_seen = true;
4381 } else {
4382 read_seen = true;
4383 }
4384
4385 // Sanity-check that the record header is plausible.
4386 CBS cbs;
4387 CBS_init(&cbs, reinterpret_cast<const uint8_t *>(buf), len);
4388 uint8_t type;
4389 uint16_t record_version, length;
4390 ASSERT_TRUE(CBS_get_u8(&cbs, &type));
4391 ASSERT_TRUE(CBS_get_u16(&cbs, &record_version));
4392 EXPECT_EQ(record_version & 0xff00, version() & 0xff00);
4393 if (is_dtls()) {
4394 uint16_t epoch;
4395 ASSERT_TRUE(CBS_get_u16(&cbs, &epoch));
4396 EXPECT_TRUE(epoch == 0 || epoch == 1) << "Invalid epoch: " << epoch;
4397 ASSERT_TRUE(CBS_skip(&cbs, 6));
4398 }
4399 ASSERT_TRUE(CBS_get_u16(&cbs, &length));
4400 EXPECT_EQ(0u, CBS_len(&cbs));
4401 };
4402 using CallbackType = decltype(cb);
4403 SSL_CTX *ctx = test_server ? server_ctx_.get() : client_ctx_.get();
4404 SSL_CTX_set_msg_callback(
4405 ctx, [](int is_write, int cb_version, int cb_type, const void *buf,
4406 size_t len, SSL *ssl, void *arg) {
4407 CallbackType *cb_ptr = reinterpret_cast<CallbackType *>(arg);
4408 (*cb_ptr)(is_write, cb_version, cb_type, buf, len, ssl);
4409 });
4410 SSL_CTX_set_msg_callback_arg(ctx, &cb);
4411
4412 ASSERT_TRUE(Connect());
4413
4414 EXPECT_TRUE(read_seen);
4415 EXPECT_TRUE(write_seen);
4416 }
4417 }
4418
TEST_P(SSLVersionTest,GetServerName)4419 TEST_P(SSLVersionTest, GetServerName) {
4420 ClientConfig config;
4421 config.servername = "host1";
4422
4423 SSL_CTX_set_tlsext_servername_callback(
4424 server_ctx_.get(), [](SSL *ssl, int *out_alert, void *arg) -> int {
4425 // During the handshake, |SSL_get_servername| must match |config|.
4426 ClientConfig *config_p = reinterpret_cast<ClientConfig *>(arg);
4427 EXPECT_STREQ(config_p->servername.c_str(),
4428 SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name));
4429 return SSL_TLSEXT_ERR_OK;
4430 });
4431 SSL_CTX_set_tlsext_servername_arg(server_ctx_.get(), &config);
4432
4433 ASSERT_TRUE(Connect(config));
4434 // After the handshake, it must also be available.
4435 EXPECT_STREQ(config.servername.c_str(),
4436 SSL_get_servername(server_.get(), TLSEXT_NAMETYPE_host_name));
4437
4438 // Establish a session under host1.
4439 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
4440 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
4441 bssl::UniquePtr<SSL_SESSION> session =
4442 CreateClientSession(client_ctx_.get(), server_ctx_.get(), config);
4443
4444 // If the client resumes a session with a different name, |SSL_get_servername|
4445 // must return the new name.
4446 ASSERT_TRUE(session);
4447 config.session = session.get();
4448 config.servername = "host2";
4449 ASSERT_TRUE(Connect(config));
4450 EXPECT_STREQ(config.servername.c_str(),
4451 SSL_get_servername(server_.get(), TLSEXT_NAMETYPE_host_name));
4452 }
4453
4454 // Test that session cache mode bits are honored in the client session callback.
TEST_P(SSLVersionTest,ClientSessionCacheMode)4455 TEST_P(SSLVersionTest, ClientSessionCacheMode) {
4456 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_OFF);
4457 EXPECT_FALSE(CreateClientSession(client_ctx_.get(), server_ctx_.get()));
4458
4459 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_CLIENT);
4460 EXPECT_TRUE(CreateClientSession(client_ctx_.get(), server_ctx_.get()));
4461
4462 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_SERVER);
4463 EXPECT_FALSE(CreateClientSession(client_ctx_.get(), server_ctx_.get()));
4464 }
4465
4466 // Test that all versions survive tiny write buffers. In particular, TLS 1.3
4467 // NewSessionTickets are written post-handshake. Servers that block
4468 // |SSL_do_handshake| on writing them will deadlock if clients are not draining
4469 // the buffer. Test that we do not do this.
TEST_P(SSLVersionTest,SmallBuffer)4470 TEST_P(SSLVersionTest, SmallBuffer) {
4471 // DTLS is a datagram protocol and requires packet-sized buffers.
4472 if (is_dtls()) {
4473 return;
4474 }
4475
4476 // Test both flushing NewSessionTickets with a zero-sized write and
4477 // non-zero-sized write.
4478 for (bool use_zero_write : {false, true}) {
4479 SCOPED_TRACE(use_zero_write);
4480
4481 g_last_session = nullptr;
4482 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
4483 SSL_CTX_sess_set_new_cb(client_ctx_.get(), SaveLastSession);
4484
4485 bssl::UniquePtr<SSL> client(SSL_new(client_ctx_.get())),
4486 server(SSL_new(server_ctx_.get()));
4487 ASSERT_TRUE(client);
4488 ASSERT_TRUE(server);
4489 SSL_set_connect_state(client.get());
4490 SSL_set_accept_state(server.get());
4491
4492 // Use a tiny buffer.
4493 BIO *bio1, *bio2;
4494 ASSERT_TRUE(BIO_new_bio_pair(&bio1, 1, &bio2, 1));
4495
4496 // SSL_set_bio takes ownership.
4497 SSL_set_bio(client.get(), bio1, bio1);
4498 SSL_set_bio(server.get(), bio2, bio2);
4499
4500 ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
4501 if (version() >= TLS1_3_VERSION) {
4502 // The post-handshake ticket should not have been processed yet.
4503 EXPECT_FALSE(g_last_session);
4504 }
4505
4506 if (use_zero_write) {
4507 ASSERT_TRUE(FlushNewSessionTickets(client.get(), server.get()));
4508 EXPECT_TRUE(g_last_session);
4509 }
4510
4511 // Send some data from server to client. If |use_zero_write| is false, this
4512 // will also flush the NewSessionTickets.
4513 static const char kMessage[] = "hello world";
4514 char buf[sizeof(kMessage)];
4515 for (;;) {
4516 int server_ret = SSL_write(server.get(), kMessage, sizeof(kMessage));
4517 int server_err = SSL_get_error(server.get(), server_ret);
4518 int client_ret = SSL_read(client.get(), buf, sizeof(buf));
4519 int client_err = SSL_get_error(client.get(), client_ret);
4520
4521 // The server will write a single record, so every iteration should see
4522 // |SSL_ERROR_WANT_WRITE| and |SSL_ERROR_WANT_READ|, until the final
4523 // iteration, where both will complete.
4524 if (server_ret > 0) {
4525 EXPECT_EQ(server_ret, static_cast<int>(sizeof(kMessage)));
4526 EXPECT_EQ(client_ret, static_cast<int>(sizeof(kMessage)));
4527 EXPECT_EQ(Bytes(buf), Bytes(kMessage));
4528 break;
4529 }
4530
4531 ASSERT_EQ(server_ret, -1);
4532 ASSERT_EQ(server_err, SSL_ERROR_WANT_WRITE);
4533 ASSERT_EQ(client_ret, -1);
4534 ASSERT_EQ(client_err, SSL_ERROR_WANT_READ);
4535 }
4536
4537 // The NewSessionTickets should have been flushed and processed.
4538 EXPECT_TRUE(g_last_session);
4539 }
4540 }
4541
TEST(SSLTest,AddChainCertHack)4542 TEST(SSLTest, AddChainCertHack) {
4543 // Ensure that we don't accidently break the hack that we have in place to
4544 // keep curl and serf happy when they use an |X509| even after transfering
4545 // ownership.
4546
4547 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
4548 ASSERT_TRUE(ctx);
4549 X509 *cert = GetTestCertificate().release();
4550 ASSERT_TRUE(cert);
4551 SSL_CTX_add0_chain_cert(ctx.get(), cert);
4552
4553 // This should not trigger a use-after-free.
4554 X509_cmp(cert, cert);
4555 }
4556
TEST(SSLTest,GetCertificate)4557 TEST(SSLTest, GetCertificate) {
4558 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
4559 ASSERT_TRUE(ctx);
4560 bssl::UniquePtr<X509> cert = GetTestCertificate();
4561 ASSERT_TRUE(cert);
4562 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), cert.get()));
4563 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
4564 ASSERT_TRUE(ssl);
4565
4566 X509 *cert2 = SSL_CTX_get0_certificate(ctx.get());
4567 ASSERT_TRUE(cert2);
4568 X509 *cert3 = SSL_get_certificate(ssl.get());
4569 ASSERT_TRUE(cert3);
4570
4571 // The old and new certificates must be identical.
4572 EXPECT_EQ(0, X509_cmp(cert.get(), cert2));
4573 EXPECT_EQ(0, X509_cmp(cert.get(), cert3));
4574
4575 uint8_t *der = nullptr;
4576 long der_len = i2d_X509(cert.get(), &der);
4577 ASSERT_LT(0, der_len);
4578 bssl::UniquePtr<uint8_t> free_der(der);
4579
4580 uint8_t *der2 = nullptr;
4581 long der2_len = i2d_X509(cert2, &der2);
4582 ASSERT_LT(0, der2_len);
4583 bssl::UniquePtr<uint8_t> free_der2(der2);
4584
4585 uint8_t *der3 = nullptr;
4586 long der3_len = i2d_X509(cert3, &der3);
4587 ASSERT_LT(0, der3_len);
4588 bssl::UniquePtr<uint8_t> free_der3(der3);
4589
4590 // They must also encode identically.
4591 EXPECT_EQ(Bytes(der, der_len), Bytes(der2, der2_len));
4592 EXPECT_EQ(Bytes(der, der_len), Bytes(der3, der3_len));
4593 }
4594
TEST(SSLTest,SetChainAndKeyMismatch)4595 TEST(SSLTest, SetChainAndKeyMismatch) {
4596 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_with_buffers_method()));
4597 ASSERT_TRUE(ctx);
4598
4599 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
4600 ASSERT_TRUE(key);
4601 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
4602 ASSERT_TRUE(leaf);
4603 std::vector<CRYPTO_BUFFER*> chain = {
4604 leaf.get(),
4605 };
4606
4607 // Should fail because |GetTestKey| doesn't match the chain-test certificate.
4608 ASSERT_FALSE(SSL_CTX_set_chain_and_key(ctx.get(), chain.data(), chain.size(),
4609 key.get(), nullptr));
4610 ERR_clear_error();
4611 }
4612
TEST(SSLTest,CertThenKeyMismatch)4613 TEST(SSLTest, CertThenKeyMismatch) {
4614 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
4615 ASSERT_TRUE(ctx);
4616
4617 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
4618 ASSERT_TRUE(key);
4619 bssl::UniquePtr<X509> leaf = GetChainTestCertificate();
4620 ASSERT_TRUE(leaf);
4621
4622 // There is no key or certificate, so |SSL_CTX_check_private_key| fails.
4623 EXPECT_FALSE(SSL_CTX_check_private_key(ctx.get()));
4624
4625 // With only a certificate, |SSL_CTX_check_private_key| still fails.
4626 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), leaf.get()));
4627 EXPECT_FALSE(SSL_CTX_check_private_key(ctx.get()));
4628
4629 // The private key does not match the certificate, so it should fail.
4630 EXPECT_FALSE(SSL_CTX_use_PrivateKey(ctx.get(), key.get()));
4631
4632 // Checking the private key fails, but this is really because there is still
4633 // no private key.
4634 EXPECT_FALSE(SSL_CTX_check_private_key(ctx.get()));
4635 EXPECT_EQ(nullptr, SSL_CTX_get0_privatekey(ctx.get()));
4636 }
4637
TEST(SSLTest,KeyThenCertMismatch)4638 TEST(SSLTest, KeyThenCertMismatch) {
4639 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
4640 ASSERT_TRUE(ctx);
4641
4642 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
4643 ASSERT_TRUE(key);
4644 bssl::UniquePtr<X509> leaf = GetChainTestCertificate();
4645 ASSERT_TRUE(leaf);
4646
4647 // There is no key or certificate, so |SSL_CTX_check_private_key| fails.
4648 EXPECT_FALSE(SSL_CTX_check_private_key(ctx.get()));
4649
4650 // With only a key, |SSL_CTX_check_private_key| still fails.
4651 ASSERT_TRUE(SSL_CTX_use_PrivateKey(ctx.get(), key.get()));
4652 EXPECT_FALSE(SSL_CTX_check_private_key(ctx.get()));
4653
4654 // If configuring a certificate that doesn't match the key, configuration
4655 // actually succeeds. We just silently drop the private key.
4656 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), leaf.get()));
4657 EXPECT_EQ(nullptr, SSL_CTX_get0_privatekey(ctx.get()));
4658
4659 // Some callers configure the private key, then the certificate, and then
4660 // expect |SSL_CTX_check_private_key| to check consistency. It does, but only
4661 // by way of noticing there is no private key. The actual consistency check
4662 // happened in |SSL_CTX_use_certificate|.
4663 EXPECT_FALSE(SSL_CTX_check_private_key(ctx.get()));
4664 }
4665
TEST(SSLTest,OverrideCertAndKey)4666 TEST(SSLTest, OverrideCertAndKey) {
4667 // It is possible to override an existing certificate by configuring
4668 // certificate, then key, due to |SSL_CTX_use_certificate|'s above silent
4669 // dropping behavior.
4670 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
4671 ASSERT_TRUE(ctx);
4672
4673 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
4674 ASSERT_TRUE(key);
4675 bssl::UniquePtr<X509> leaf = GetTestCertificate();
4676 ASSERT_TRUE(leaf);
4677 bssl::UniquePtr<EVP_PKEY> key2 = GetChainTestKey();
4678 ASSERT_TRUE(key2);
4679 bssl::UniquePtr<X509> leaf2 = GetChainTestCertificate();
4680 ASSERT_TRUE(leaf2);
4681
4682 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), leaf.get()));
4683 ASSERT_TRUE(SSL_CTX_use_PrivateKey(ctx.get(), key.get()));
4684
4685 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), leaf2.get()));
4686 ASSERT_TRUE(SSL_CTX_use_PrivateKey(ctx.get(), key2.get()));
4687 }
4688
TEST(SSLTest,OverrideKeyMethodWithKey)4689 TEST(SSLTest, OverrideKeyMethodWithKey) {
4690 // Make an SSL_PRIVATE_KEY_METHOD that should never be called.
4691 static const SSL_PRIVATE_KEY_METHOD kErrorMethod = {
4692 [](SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out,
4693 uint16_t signature_algorithm, const uint8_t *in,
4694 size_t in_len) { return ssl_private_key_failure; },
4695 [](SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out,
4696 const uint8_t *in, size_t in_len) { return ssl_private_key_failure; },
4697 [](SSL *ssl, uint8_t *out, size_t *out_len, size_t max_oun) {
4698 return ssl_private_key_failure;
4699 },
4700 };
4701
4702 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
4703 ASSERT_TRUE(key);
4704 bssl::UniquePtr<X509> leaf = GetTestCertificate();
4705 ASSERT_TRUE(leaf);
4706
4707 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
4708 ASSERT_TRUE(ctx);
4709 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), leaf.get()));
4710
4711 // Configuring an |SSL_PRIVATE_KEY_METHOD| and then overwriting it with an
4712 // |EVP_PKEY| should clear the |SSL_PRIVATE_KEY_METHOD|.
4713 SSL_CTX_set_private_key_method(ctx.get(), &kErrorMethod);
4714 ASSERT_TRUE(SSL_CTX_use_PrivateKey(ctx.get(), key.get()));
4715
4716 bssl::UniquePtr<SSL> client, server;
4717 ASSERT_TRUE(ConnectClientAndServer(&client, &server, ctx.get(), ctx.get()));
4718 }
4719
4720 // Configuring a chain and then overwriting it with a different chain should
4721 // clear the old one.
TEST(SSLTest,OverrideChain)4722 TEST(SSLTest, OverrideChain) {
4723 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
4724 ASSERT_TRUE(key);
4725 bssl::UniquePtr<X509> leaf = GetChainTestCertificate();
4726 ASSERT_TRUE(leaf);
4727 bssl::UniquePtr<X509> ca = GetChainTestIntermediate();
4728 ASSERT_TRUE(ca);
4729
4730 bssl::UniquePtr<STACK_OF(X509)> chain(sk_X509_new_null());
4731 ASSERT_TRUE(chain);
4732 ASSERT_TRUE(bssl::PushToStack(chain.get(), bssl::UpRef(ca)));
4733
4734 bssl::UniquePtr<STACK_OF(X509)> wrong_chain(sk_X509_new_null());
4735 ASSERT_TRUE(wrong_chain);
4736 ASSERT_TRUE(bssl::PushToStack(wrong_chain.get(), bssl::UpRef(leaf)));
4737 ASSERT_TRUE(bssl::PushToStack(wrong_chain.get(), bssl::UpRef(leaf)));
4738
4739 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
4740 ASSERT_TRUE(ctx);
4741 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), leaf.get()));
4742 ASSERT_TRUE(SSL_CTX_use_PrivateKey(ctx.get(), key.get()));
4743
4744 // Configure one chain, then replace it with another. Note this API considers
4745 // the chain to exclude the leaf.
4746 ASSERT_TRUE(SSL_CTX_set1_chain(ctx.get(), wrong_chain.get()));
4747 ASSERT_TRUE(SSL_CTX_set1_chain(ctx.get(), chain.get()));
4748
4749 bssl::UniquePtr<SSL> client, server;
4750 ASSERT_TRUE(ConnectClientAndServer(&client, &server, ctx.get(), ctx.get()));
4751 EXPECT_TRUE(ChainsEqual(SSL_get_peer_full_cert_chain(client.get()),
4752 {leaf.get(), ca.get()}));
4753 }
4754
TEST(SSLTest,OverrideChainAndKey)4755 TEST(SSLTest, OverrideChainAndKey) {
4756 bssl::UniquePtr<EVP_PKEY> key1 = GetChainTestKey();
4757 ASSERT_TRUE(key1);
4758 bssl::UniquePtr<CRYPTO_BUFFER> leaf1 = GetChainTestCertificateBuffer();
4759 ASSERT_TRUE(leaf1);
4760 bssl::UniquePtr<CRYPTO_BUFFER> ca1 = GetChainTestIntermediateBuffer();
4761 ASSERT_TRUE(ca1);
4762 bssl::UniquePtr<EVP_PKEY> key2 = GetECDSATestKey();
4763 ASSERT_TRUE(key2);
4764 bssl::UniquePtr<CRYPTO_BUFFER> leaf2 = GetECDSATestCertificateBuffer();
4765 ASSERT_TRUE(leaf2);
4766
4767 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
4768 ASSERT_TRUE(ctx);
4769
4770 // Configure one cert and key pair, then replace it with noather.
4771 std::vector<CRYPTO_BUFFER *> certs = {leaf1.get(), ca1.get()};
4772 ASSERT_TRUE(SSL_CTX_set_chain_and_key(ctx.get(), certs.data(), certs.size(),
4773 key1.get(), nullptr));
4774 certs = {leaf2.get()};
4775 ASSERT_TRUE(SSL_CTX_set_chain_and_key(ctx.get(), certs.data(), certs.size(),
4776 key2.get(), nullptr));
4777
4778 bssl::UniquePtr<SSL> client, server;
4779 ASSERT_TRUE(ConnectClientAndServer(&client, &server, ctx.get(), ctx.get()));
4780 EXPECT_TRUE(
4781 BuffersEqual(SSL_get0_peer_certificates(client.get()), {leaf2.get()}));
4782 }
4783
TEST(SSLTest,OverrideCredentialChain)4784 TEST(SSLTest, OverrideCredentialChain) {
4785 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
4786 ASSERT_TRUE(key);
4787 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
4788 ASSERT_TRUE(leaf);
4789 bssl::UniquePtr<CRYPTO_BUFFER> ca = GetChainTestIntermediateBuffer();
4790 ASSERT_TRUE(ca);
4791
4792 std::vector<CRYPTO_BUFFER *> chain = {leaf.get(), ca.get()};
4793 std::vector<CRYPTO_BUFFER *> wrong_chain = {leaf.get(), leaf.get(),
4794 leaf.get()};
4795
4796 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
4797 ASSERT_TRUE(ctx);
4798 bssl::UniquePtr<SSL_CREDENTIAL> cred(SSL_CREDENTIAL_new_x509());
4799 ASSERT_TRUE(cred);
4800
4801 // Configure one chain (including the leaf), then replace it with another.
4802 ASSERT_TRUE(SSL_CREDENTIAL_set1_cert_chain(cred.get(), wrong_chain.data(),
4803 wrong_chain.size()));
4804 ASSERT_TRUE(
4805 SSL_CREDENTIAL_set1_cert_chain(cred.get(), chain.data(), chain.size()));
4806
4807 ASSERT_TRUE(SSL_CREDENTIAL_set1_private_key(cred.get(), key.get()));
4808 ASSERT_TRUE(SSL_CTX_add1_credential(ctx.get(), cred.get()));
4809
4810 bssl::UniquePtr<SSL> client, server;
4811 ASSERT_TRUE(ConnectClientAndServer(&client, &server, ctx.get(), ctx.get()));
4812 EXPECT_TRUE(BuffersEqual(SSL_get0_peer_certificates(client.get()),
4813 {leaf.get(), ca.get()}));
4814 }
4815
TEST(SSLTest,SetChainAndKeyCtx)4816 TEST(SSLTest, SetChainAndKeyCtx) {
4817 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method()));
4818 ASSERT_TRUE(client_ctx);
4819 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_with_buffers_method()));
4820 ASSERT_TRUE(server_ctx);
4821
4822 ASSERT_EQ(nullptr, SSL_CTX_get0_chain(server_ctx.get()));
4823
4824 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
4825 ASSERT_TRUE(key);
4826 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
4827 ASSERT_TRUE(leaf);
4828 bssl::UniquePtr<CRYPTO_BUFFER> intermediate =
4829 GetChainTestIntermediateBuffer();
4830 ASSERT_TRUE(intermediate);
4831 std::vector<CRYPTO_BUFFER*> chain = {
4832 leaf.get(), intermediate.get(),
4833 };
4834 ASSERT_TRUE(SSL_CTX_set_chain_and_key(server_ctx.get(), chain.data(),
4835 chain.size(), key.get(), nullptr));
4836
4837 ASSERT_EQ(chain.size(),
4838 sk_CRYPTO_BUFFER_num(SSL_CTX_get0_chain(server_ctx.get())));
4839
4840 SSL_CTX_set_custom_verify(
4841 client_ctx.get(), SSL_VERIFY_PEER,
4842 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
4843 return ssl_verify_ok;
4844 });
4845
4846 bssl::UniquePtr<SSL> client, server;
4847 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
4848 server_ctx.get()));
4849 }
4850
TEST(SSLTest,SetChainAndKeySSL)4851 TEST(SSLTest, SetChainAndKeySSL) {
4852 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method()));
4853 ASSERT_TRUE(client_ctx);
4854 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_with_buffers_method()));
4855 ASSERT_TRUE(server_ctx);
4856
4857 bssl::UniquePtr<SSL> client, server;
4858 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
4859 server_ctx.get()));
4860 SSL_set_shed_handshake_config(client.get(), true);
4861 SSL_set_shed_handshake_config(server.get(), true);
4862
4863 ASSERT_EQ(nullptr, SSL_get0_chain(server.get()));
4864
4865 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
4866 ASSERT_TRUE(key);
4867 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
4868 ASSERT_TRUE(leaf);
4869 bssl::UniquePtr<CRYPTO_BUFFER> intermediate =
4870 GetChainTestIntermediateBuffer();
4871 ASSERT_TRUE(intermediate);
4872 std::vector<CRYPTO_BUFFER*> chain = {
4873 leaf.get(), intermediate.get(),
4874 };
4875 ASSERT_TRUE(SSL_set_chain_and_key(server.get(), chain.data(),
4876 chain.size(), key.get(), nullptr));
4877
4878 ASSERT_EQ(chain.size(),
4879 sk_CRYPTO_BUFFER_num(SSL_get0_chain(server.get())));
4880
4881 SSL_set_custom_verify(
4882 client.get(), SSL_VERIFY_PEER,
4883 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
4884 return ssl_verify_ok;
4885 });
4886
4887 ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
4888
4889 // The server is configured to shed handshake config, so the certificate is no
4890 // longer available after the handshake.
4891 ASSERT_EQ(nullptr, SSL_get0_chain(server.get()));
4892 }
4893
TEST(SSLTest,BuffersFailWithoutCustomVerify)4894 TEST(SSLTest, BuffersFailWithoutCustomVerify) {
4895 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method()));
4896 ASSERT_TRUE(client_ctx);
4897 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_with_buffers_method()));
4898 ASSERT_TRUE(server_ctx);
4899
4900 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
4901 ASSERT_TRUE(key);
4902 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
4903 ASSERT_TRUE(leaf);
4904 std::vector<CRYPTO_BUFFER*> chain = { leaf.get() };
4905 ASSERT_TRUE(SSL_CTX_set_chain_and_key(server_ctx.get(), chain.data(),
4906 chain.size(), key.get(), nullptr));
4907
4908 // Without SSL_CTX_set_custom_verify(), i.e. with everything in the default
4909 // configuration, certificate verification should fail.
4910 bssl::UniquePtr<SSL> client, server;
4911 ASSERT_FALSE(ConnectClientAndServer(&client, &server, client_ctx.get(),
4912 server_ctx.get()));
4913
4914 // Whereas with a verifier, the connection should succeed.
4915 SSL_CTX_set_custom_verify(
4916 client_ctx.get(), SSL_VERIFY_PEER,
4917 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
4918 return ssl_verify_ok;
4919 });
4920 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
4921 server_ctx.get()));
4922 }
4923
TEST(SSLTest,CustomVerify)4924 TEST(SSLTest, CustomVerify) {
4925 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method()));
4926 ASSERT_TRUE(client_ctx);
4927 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_with_buffers_method()));
4928 ASSERT_TRUE(server_ctx);
4929
4930 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
4931 ASSERT_TRUE(key);
4932 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
4933 ASSERT_TRUE(leaf);
4934 std::vector<CRYPTO_BUFFER*> chain = { leaf.get() };
4935 ASSERT_TRUE(SSL_CTX_set_chain_and_key(server_ctx.get(), chain.data(),
4936 chain.size(), key.get(), nullptr));
4937
4938 SSL_CTX_set_custom_verify(
4939 client_ctx.get(), SSL_VERIFY_PEER,
4940 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
4941 return ssl_verify_ok;
4942 });
4943
4944 bssl::UniquePtr<SSL> client, server;
4945 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
4946 server_ctx.get()));
4947
4948 // With SSL_VERIFY_PEER, ssl_verify_invalid should result in a dropped
4949 // connection.
4950 SSL_CTX_set_custom_verify(
4951 client_ctx.get(), SSL_VERIFY_PEER,
4952 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
4953 return ssl_verify_invalid;
4954 });
4955
4956 ASSERT_FALSE(ConnectClientAndServer(&client, &server, client_ctx.get(),
4957 server_ctx.get()));
4958
4959 // But with SSL_VERIFY_NONE, ssl_verify_invalid should not cause a dropped
4960 // connection.
4961 SSL_CTX_set_custom_verify(
4962 client_ctx.get(), SSL_VERIFY_NONE,
4963 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
4964 return ssl_verify_invalid;
4965 });
4966
4967 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
4968 server_ctx.get()));
4969 }
4970
TEST(SSLTest,ClientCABuffers)4971 TEST(SSLTest, ClientCABuffers) {
4972 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method()));
4973 ASSERT_TRUE(client_ctx);
4974 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_with_buffers_method()));
4975 ASSERT_TRUE(server_ctx);
4976
4977 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
4978 ASSERT_TRUE(key);
4979 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
4980 ASSERT_TRUE(leaf);
4981 bssl::UniquePtr<CRYPTO_BUFFER> intermediate =
4982 GetChainTestIntermediateBuffer();
4983 ASSERT_TRUE(intermediate);
4984 std::vector<CRYPTO_BUFFER *> chain = {
4985 leaf.get(),
4986 intermediate.get(),
4987 };
4988 ASSERT_TRUE(SSL_CTX_set_chain_and_key(server_ctx.get(), chain.data(),
4989 chain.size(), key.get(), nullptr));
4990
4991 bssl::UniquePtr<CRYPTO_BUFFER> ca_name(
4992 CRYPTO_BUFFER_new(kTestName, sizeof(kTestName), nullptr));
4993 ASSERT_TRUE(ca_name);
4994 bssl::UniquePtr<STACK_OF(CRYPTO_BUFFER)> ca_names(
4995 sk_CRYPTO_BUFFER_new_null());
4996 ASSERT_TRUE(ca_names);
4997 ASSERT_TRUE(PushToStack(ca_names.get(), std::move(ca_name)));
4998 SSL_CTX_set0_client_CAs(server_ctx.get(), ca_names.release());
4999
5000 // Configure client and server to accept all certificates.
5001 SSL_CTX_set_custom_verify(
5002 client_ctx.get(), SSL_VERIFY_PEER,
5003 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
5004 return ssl_verify_ok;
5005 });
5006 SSL_CTX_set_custom_verify(
5007 server_ctx.get(), SSL_VERIFY_PEER,
5008 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
5009 return ssl_verify_ok;
5010 });
5011
5012 bool cert_cb_called = false;
5013 SSL_CTX_set_cert_cb(
5014 client_ctx.get(),
5015 [](SSL *ssl, void *arg) -> int {
5016 const STACK_OF(CRYPTO_BUFFER) *peer_names =
5017 SSL_get0_server_requested_CAs(ssl);
5018 EXPECT_EQ(1u, sk_CRYPTO_BUFFER_num(peer_names));
5019 CRYPTO_BUFFER *peer_name = sk_CRYPTO_BUFFER_value(peer_names, 0);
5020 EXPECT_EQ(Bytes(kTestName), Bytes(CRYPTO_BUFFER_data(peer_name),
5021 CRYPTO_BUFFER_len(peer_name)));
5022 *reinterpret_cast<bool *>(arg) = true;
5023 return 1;
5024 },
5025 &cert_cb_called);
5026
5027 bssl::UniquePtr<SSL> client, server;
5028 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
5029 server_ctx.get()));
5030 EXPECT_TRUE(cert_cb_called);
5031 }
5032
5033 // Configuring the empty cipher list, though an error, should still modify the
5034 // configuration.
TEST(SSLTest,EmptyCipherList)5035 TEST(SSLTest, EmptyCipherList) {
5036 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
5037 ASSERT_TRUE(ctx);
5038
5039 // Initially, the cipher list is not empty.
5040 EXPECT_NE(0u, sk_SSL_CIPHER_num(SSL_CTX_get_ciphers(ctx.get())));
5041
5042 // Configuring the empty cipher list fails.
5043 EXPECT_FALSE(SSL_CTX_set_cipher_list(ctx.get(), ""));
5044 ERR_clear_error();
5045
5046 // But the cipher list is still updated to empty.
5047 EXPECT_EQ(0u, sk_SSL_CIPHER_num(SSL_CTX_get_ciphers(ctx.get())));
5048 }
5049
5050 // ssl_test_ticket_aead_failure_mode enumerates the possible ways in which the
5051 // test |SSL_TICKET_AEAD_METHOD| can fail.
5052 enum ssl_test_ticket_aead_failure_mode {
5053 ssl_test_ticket_aead_ok = 0,
5054 ssl_test_ticket_aead_seal_fail,
5055 ssl_test_ticket_aead_open_soft_fail,
5056 ssl_test_ticket_aead_open_hard_fail,
5057 };
5058
5059 struct ssl_test_ticket_aead_state {
5060 unsigned retry_count = 0;
5061 ssl_test_ticket_aead_failure_mode failure_mode = ssl_test_ticket_aead_ok;
5062 };
5063
ssl_test_ticket_aead_ex_index_dup(CRYPTO_EX_DATA * to,const CRYPTO_EX_DATA * from,void ** from_d,int index,long argl,void * argp)5064 static int ssl_test_ticket_aead_ex_index_dup(CRYPTO_EX_DATA *to,
5065 const CRYPTO_EX_DATA *from,
5066 void **from_d, int index,
5067 long argl, void *argp) {
5068 abort();
5069 }
5070
ssl_test_ticket_aead_ex_index_free(void * parent,void * ptr,CRYPTO_EX_DATA * ad,int index,long argl,void * argp)5071 static void ssl_test_ticket_aead_ex_index_free(void *parent, void *ptr,
5072 CRYPTO_EX_DATA *ad, int index,
5073 long argl, void *argp) {
5074 delete reinterpret_cast<ssl_test_ticket_aead_state*>(ptr);
5075 }
5076
5077 static CRYPTO_once_t g_ssl_test_ticket_aead_ex_index_once = CRYPTO_ONCE_INIT;
5078 static int g_ssl_test_ticket_aead_ex_index;
5079
ssl_test_ticket_aead_get_ex_index()5080 static int ssl_test_ticket_aead_get_ex_index() {
5081 CRYPTO_once(&g_ssl_test_ticket_aead_ex_index_once, [] {
5082 g_ssl_test_ticket_aead_ex_index = SSL_get_ex_new_index(
5083 0, nullptr, nullptr, ssl_test_ticket_aead_ex_index_dup,
5084 ssl_test_ticket_aead_ex_index_free);
5085 });
5086 return g_ssl_test_ticket_aead_ex_index;
5087 }
5088
ssl_test_ticket_aead_max_overhead(SSL * ssl)5089 static size_t ssl_test_ticket_aead_max_overhead(SSL *ssl) {
5090 return 1;
5091 }
5092
ssl_test_ticket_aead_seal(SSL * ssl,uint8_t * out,size_t * out_len,size_t max_out_len,const uint8_t * in,size_t in_len)5093 static int ssl_test_ticket_aead_seal(SSL *ssl, uint8_t *out, size_t *out_len,
5094 size_t max_out_len, const uint8_t *in,
5095 size_t in_len) {
5096 auto state = reinterpret_cast<ssl_test_ticket_aead_state *>(
5097 SSL_get_ex_data(ssl, ssl_test_ticket_aead_get_ex_index()));
5098
5099 if (state->failure_mode == ssl_test_ticket_aead_seal_fail ||
5100 max_out_len < in_len + 1) {
5101 return 0;
5102 }
5103
5104 OPENSSL_memmove(out, in, in_len);
5105 out[in_len] = 0xff;
5106 *out_len = in_len + 1;
5107
5108 return 1;
5109 }
5110
ssl_test_ticket_aead_open(SSL * ssl,uint8_t * out,size_t * out_len,size_t max_out_len,const uint8_t * in,size_t in_len)5111 static ssl_ticket_aead_result_t ssl_test_ticket_aead_open(
5112 SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out_len,
5113 const uint8_t *in, size_t in_len) {
5114 auto state = reinterpret_cast<ssl_test_ticket_aead_state *>(
5115 SSL_get_ex_data(ssl, ssl_test_ticket_aead_get_ex_index()));
5116
5117 if (state->retry_count > 0) {
5118 state->retry_count--;
5119 return ssl_ticket_aead_retry;
5120 }
5121
5122 switch (state->failure_mode) {
5123 case ssl_test_ticket_aead_ok:
5124 break;
5125 case ssl_test_ticket_aead_seal_fail:
5126 // If |seal| failed then there shouldn't be any ticket to try and
5127 // decrypt.
5128 abort();
5129 break;
5130 case ssl_test_ticket_aead_open_soft_fail:
5131 return ssl_ticket_aead_ignore_ticket;
5132 case ssl_test_ticket_aead_open_hard_fail:
5133 return ssl_ticket_aead_error;
5134 }
5135
5136 if (in_len == 0 || in[in_len - 1] != 0xff) {
5137 return ssl_ticket_aead_ignore_ticket;
5138 }
5139
5140 if (max_out_len < in_len - 1) {
5141 return ssl_ticket_aead_error;
5142 }
5143
5144 OPENSSL_memmove(out, in, in_len - 1);
5145 *out_len = in_len - 1;
5146 return ssl_ticket_aead_success;
5147 }
5148
5149 static const SSL_TICKET_AEAD_METHOD kSSLTestTicketMethod = {
5150 ssl_test_ticket_aead_max_overhead,
5151 ssl_test_ticket_aead_seal,
5152 ssl_test_ticket_aead_open,
5153 };
5154
ConnectClientAndServerWithTicketMethod(bssl::UniquePtr<SSL> * out_client,bssl::UniquePtr<SSL> * out_server,SSL_CTX * client_ctx,SSL_CTX * server_ctx,unsigned retry_count,ssl_test_ticket_aead_failure_mode failure_mode,SSL_SESSION * session)5155 static void ConnectClientAndServerWithTicketMethod(
5156 bssl::UniquePtr<SSL> *out_client, bssl::UniquePtr<SSL> *out_server,
5157 SSL_CTX *client_ctx, SSL_CTX *server_ctx, unsigned retry_count,
5158 ssl_test_ticket_aead_failure_mode failure_mode, SSL_SESSION *session) {
5159 bssl::UniquePtr<SSL> client(SSL_new(client_ctx)), server(SSL_new(server_ctx));
5160 ASSERT_TRUE(client);
5161 ASSERT_TRUE(server);
5162 SSL_set_connect_state(client.get());
5163 SSL_set_accept_state(server.get());
5164
5165 auto state = new ssl_test_ticket_aead_state;
5166 state->retry_count = retry_count;
5167 state->failure_mode = failure_mode;
5168
5169 ASSERT_GE(ssl_test_ticket_aead_get_ex_index(), 0);
5170 ASSERT_TRUE(SSL_set_ex_data(server.get(), ssl_test_ticket_aead_get_ex_index(),
5171 state));
5172
5173 SSL_set_session(client.get(), session);
5174
5175 BIO *bio1, *bio2;
5176 ASSERT_TRUE(BIO_new_bio_pair(&bio1, 0, &bio2, 0));
5177
5178 // SSL_set_bio takes ownership.
5179 SSL_set_bio(client.get(), bio1, bio1);
5180 SSL_set_bio(server.get(), bio2, bio2);
5181
5182 if (CompleteHandshakes(client.get(), server.get())) {
5183 *out_client = std::move(client);
5184 *out_server = std::move(server);
5185 } else {
5186 out_client->reset();
5187 out_server->reset();
5188 }
5189 }
5190
5191 using TicketAEADMethodParam =
5192 testing::tuple<uint16_t, unsigned, ssl_test_ticket_aead_failure_mode>;
5193
5194 class TicketAEADMethodTest
5195 : public ::testing::TestWithParam<TicketAEADMethodParam> {};
5196
TEST_P(TicketAEADMethodTest,Resume)5197 TEST_P(TicketAEADMethodTest, Resume) {
5198 bssl::UniquePtr<SSL_CTX> server_ctx =
5199 CreateContextWithTestCertificate(TLS_method());
5200 ASSERT_TRUE(server_ctx);
5201 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
5202 ASSERT_TRUE(client_ctx);
5203
5204 const uint16_t version = testing::get<0>(GetParam());
5205 const unsigned retry_count = testing::get<1>(GetParam());
5206 const ssl_test_ticket_aead_failure_mode failure_mode =
5207 testing::get<2>(GetParam());
5208
5209 ASSERT_TRUE(SSL_CTX_set_min_proto_version(client_ctx.get(), version));
5210 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), version));
5211 ASSERT_TRUE(SSL_CTX_set_min_proto_version(server_ctx.get(), version));
5212 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), version));
5213
5214 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
5215 SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH);
5216 SSL_CTX_set_current_time_cb(client_ctx.get(), FrozenTimeCallback);
5217 SSL_CTX_set_current_time_cb(server_ctx.get(), FrozenTimeCallback);
5218 SSL_CTX_sess_set_new_cb(client_ctx.get(), SaveLastSession);
5219
5220 SSL_CTX_set_ticket_aead_method(server_ctx.get(), &kSSLTestTicketMethod);
5221
5222 bssl::UniquePtr<SSL> client, server;
5223 ASSERT_NO_FATAL_FAILURE(ConnectClientAndServerWithTicketMethod(
5224 &client, &server, client_ctx.get(), server_ctx.get(), retry_count,
5225 failure_mode, nullptr));
5226 switch (failure_mode) {
5227 case ssl_test_ticket_aead_ok:
5228 case ssl_test_ticket_aead_open_hard_fail:
5229 case ssl_test_ticket_aead_open_soft_fail:
5230 ASSERT_TRUE(client);
5231 break;
5232 case ssl_test_ticket_aead_seal_fail:
5233 EXPECT_FALSE(client);
5234 return;
5235 }
5236 EXPECT_FALSE(SSL_session_reused(client.get()));
5237 EXPECT_FALSE(SSL_session_reused(server.get()));
5238
5239 ASSERT_TRUE(FlushNewSessionTickets(client.get(), server.get()));
5240 bssl::UniquePtr<SSL_SESSION> session = std::move(g_last_session);
5241 ASSERT_NO_FATAL_FAILURE(ConnectClientAndServerWithTicketMethod(
5242 &client, &server, client_ctx.get(), server_ctx.get(), retry_count,
5243 failure_mode, session.get()));
5244 switch (failure_mode) {
5245 case ssl_test_ticket_aead_ok:
5246 ASSERT_TRUE(client);
5247 EXPECT_TRUE(SSL_session_reused(client.get()));
5248 EXPECT_TRUE(SSL_session_reused(server.get()));
5249 break;
5250 case ssl_test_ticket_aead_seal_fail:
5251 abort();
5252 break;
5253 case ssl_test_ticket_aead_open_hard_fail:
5254 EXPECT_FALSE(client);
5255 break;
5256 case ssl_test_ticket_aead_open_soft_fail:
5257 ASSERT_TRUE(client);
5258 EXPECT_FALSE(SSL_session_reused(client.get()));
5259 EXPECT_FALSE(SSL_session_reused(server.get()));
5260 }
5261 }
5262
TicketAEADMethodParamToString(const testing::TestParamInfo<TicketAEADMethodParam> & params)5263 std::string TicketAEADMethodParamToString(
5264 const testing::TestParamInfo<TicketAEADMethodParam> ¶ms) {
5265 std::string ret = GetVersionName(std::get<0>(params.param));
5266 // GTest only allows alphanumeric characters and '_' in the parameter
5267 // string. Additionally filter out the 'v' to get "TLS13" over "TLSv13".
5268 for (auto it = ret.begin(); it != ret.end();) {
5269 if (*it == '.' || *it == 'v') {
5270 it = ret.erase(it);
5271 } else {
5272 ++it;
5273 }
5274 }
5275 char retry_count[256];
5276 snprintf(retry_count, sizeof(retry_count), "%u", std::get<1>(params.param));
5277 ret += "_";
5278 ret += retry_count;
5279 ret += "Retries_";
5280 switch (std::get<2>(params.param)) {
5281 case ssl_test_ticket_aead_ok:
5282 ret += "OK";
5283 break;
5284 case ssl_test_ticket_aead_seal_fail:
5285 ret += "SealFail";
5286 break;
5287 case ssl_test_ticket_aead_open_soft_fail:
5288 ret += "OpenSoftFail";
5289 break;
5290 case ssl_test_ticket_aead_open_hard_fail:
5291 ret += "OpenHardFail";
5292 break;
5293 }
5294 return ret;
5295 }
5296
5297 INSTANTIATE_TEST_SUITE_P(
5298 TicketAEADMethodTests, TicketAEADMethodTest,
5299 testing::Combine(testing::Values(TLS1_2_VERSION, TLS1_3_VERSION),
5300 testing::Values(0, 1, 2),
5301 testing::Values(ssl_test_ticket_aead_ok,
5302 ssl_test_ticket_aead_seal_fail,
5303 ssl_test_ticket_aead_open_soft_fail,
5304 ssl_test_ticket_aead_open_hard_fail)),
5305 TicketAEADMethodParamToString);
5306
TEST(SSLTest,SelectNextProto)5307 TEST(SSLTest, SelectNextProto) {
5308 uint8_t *result;
5309 uint8_t result_len;
5310
5311 // If there is an overlap, it should be returned.
5312 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
5313 SSL_select_next_proto(&result, &result_len,
5314 (const uint8_t *)"\1a\2bb\3ccc", 9,
5315 (const uint8_t *)"\1x\1y\1a\1z", 8));
5316 EXPECT_EQ(Bytes("a"), Bytes(result, result_len));
5317
5318 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
5319 SSL_select_next_proto(&result, &result_len,
5320 (const uint8_t *)"\1a\2bb\3ccc", 9,
5321 (const uint8_t *)"\1x\1y\2bb\1z", 9));
5322 EXPECT_EQ(Bytes("bb"), Bytes(result, result_len));
5323
5324 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
5325 SSL_select_next_proto(&result, &result_len,
5326 (const uint8_t *)"\1a\2bb\3ccc", 9,
5327 (const uint8_t *)"\1x\1y\3ccc\1z", 10));
5328 EXPECT_EQ(Bytes("ccc"), Bytes(result, result_len));
5329
5330 // Peer preference order takes precedence over local.
5331 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
5332 SSL_select_next_proto(&result, &result_len,
5333 (const uint8_t *)"\1a\2bb\3ccc", 9,
5334 (const uint8_t *)"\3ccc\2bb\1a", 9));
5335 EXPECT_EQ(Bytes("a"), Bytes(result, result_len));
5336
5337 // If there is no overlap, return the first local protocol.
5338 EXPECT_EQ(OPENSSL_NPN_NO_OVERLAP,
5339 SSL_select_next_proto(&result, &result_len,
5340 (const uint8_t *)"\1a\2bb\3ccc", 9,
5341 (const uint8_t *)"\1x\2yy\3zzz", 9));
5342 EXPECT_EQ(Bytes("x"), Bytes(result, result_len));
5343
5344 EXPECT_EQ(OPENSSL_NPN_NO_OVERLAP,
5345 SSL_select_next_proto(&result, &result_len, nullptr, 0,
5346 (const uint8_t *)"\1x\2yy\3zzz", 9));
5347 EXPECT_EQ(Bytes("x"), Bytes(result, result_len));
5348 }
5349
5350 // The client should gracefully handle no suitable ciphers being enabled.
TEST(SSLTest,NoCiphersAvailable)5351 TEST(SSLTest, NoCiphersAvailable) {
5352 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
5353 ASSERT_TRUE(ctx);
5354
5355 // Configure |client_ctx| with a cipher list that does not intersect with its
5356 // version configuration.
5357 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(
5358 ctx.get(), "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"));
5359 ASSERT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_1_VERSION));
5360
5361 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
5362 ASSERT_TRUE(ssl);
5363 SSL_set_connect_state(ssl.get());
5364
5365 UniquePtr<BIO> rbio(BIO_new(BIO_s_mem())), wbio(BIO_new(BIO_s_mem()));
5366 ASSERT_TRUE(rbio);
5367 ASSERT_TRUE(wbio);
5368 SSL_set0_rbio(ssl.get(), rbio.release());
5369 SSL_set0_wbio(ssl.get(), wbio.release());
5370
5371 int ret = SSL_do_handshake(ssl.get());
5372 EXPECT_EQ(-1, ret);
5373 EXPECT_EQ(SSL_ERROR_SSL, SSL_get_error(ssl.get(), ret));
5374 EXPECT_TRUE(
5375 ErrorEquals(ERR_get_error(), ERR_LIB_SSL, SSL_R_NO_CIPHERS_AVAILABLE));
5376 }
5377
TEST_P(SSLVersionTest,SessionVersion)5378 TEST_P(SSLVersionTest, SessionVersion) {
5379 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
5380 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
5381
5382 bssl::UniquePtr<SSL_SESSION> session =
5383 CreateClientSession(client_ctx_.get(), server_ctx_.get());
5384 ASSERT_TRUE(session);
5385 EXPECT_EQ(version(), SSL_SESSION_get_protocol_version(session.get()));
5386
5387 // Sessions in TLS 1.3 and later should be single-use.
5388 EXPECT_EQ(version() == TLS1_3_VERSION,
5389 !!SSL_SESSION_should_be_single_use(session.get()));
5390
5391 // Making fake sessions for testing works.
5392 session.reset(SSL_SESSION_new(client_ctx_.get()));
5393 ASSERT_TRUE(session);
5394 ASSERT_TRUE(SSL_SESSION_set_protocol_version(session.get(), version()));
5395 EXPECT_EQ(version(), SSL_SESSION_get_protocol_version(session.get()));
5396 }
5397
TEST_P(SSLVersionTest,SSLPending)5398 TEST_P(SSLVersionTest, SSLPending) {
5399 UniquePtr<SSL> ssl(SSL_new(client_ctx_.get()));
5400 ASSERT_TRUE(ssl);
5401 EXPECT_EQ(0, SSL_pending(ssl.get()));
5402
5403 ASSERT_TRUE(Connect());
5404 EXPECT_EQ(0, SSL_pending(client_.get()));
5405 EXPECT_EQ(0, SSL_has_pending(client_.get()));
5406
5407 ASSERT_EQ(5, SSL_write(server_.get(), "hello", 5));
5408 ASSERT_EQ(5, SSL_write(server_.get(), "world", 5));
5409 EXPECT_EQ(0, SSL_pending(client_.get()));
5410 EXPECT_EQ(0, SSL_has_pending(client_.get()));
5411
5412 char buf[10];
5413 ASSERT_EQ(1, SSL_peek(client_.get(), buf, 1));
5414 EXPECT_EQ(5, SSL_pending(client_.get()));
5415 EXPECT_EQ(1, SSL_has_pending(client_.get()));
5416
5417 ASSERT_EQ(1, SSL_read(client_.get(), buf, 1));
5418 EXPECT_EQ(4, SSL_pending(client_.get()));
5419 EXPECT_EQ(1, SSL_has_pending(client_.get()));
5420
5421 ASSERT_EQ(4, SSL_read(client_.get(), buf, 10));
5422 EXPECT_EQ(0, SSL_pending(client_.get()));
5423 if (is_dtls()) {
5424 // In DTLS, the two records would have been read as a single datagram and
5425 // buffered inside |client_|. Thus, |SSL_has_pending| should return true.
5426 //
5427 // This test is slightly unrealistic. It relies on |ConnectClientAndServer|
5428 // using a |BIO| pair, which does not preserve datagram boundaries. Reading
5429 // 1 byte, then 4 bytes, from the first record also relies on
5430 // https://crbug.com/boringssl/65. But it does test the codepaths. When
5431 // fixing either of these bugs, this test may need to be redone.
5432 EXPECT_EQ(1, SSL_has_pending(client_.get()));
5433 } else {
5434 // In TLS, we do not overread, so |SSL_has_pending| should report no data is
5435 // buffered.
5436 EXPECT_EQ(0, SSL_has_pending(client_.get()));
5437 }
5438
5439 ASSERT_EQ(2, SSL_read(client_.get(), buf, 2));
5440 EXPECT_EQ(3, SSL_pending(client_.get()));
5441 EXPECT_EQ(1, SSL_has_pending(client_.get()));
5442 }
5443
5444 // Test that post-handshake tickets consumed by |SSL_shutdown| are ignored.
TEST(SSLTest,ShutdownIgnoresTickets)5445 TEST(SSLTest, ShutdownIgnoresTickets) {
5446 bssl::UniquePtr<SSL_CTX> ctx(CreateContextWithTestCertificate(TLS_method()));
5447 ASSERT_TRUE(ctx);
5448 ASSERT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_3_VERSION));
5449 ASSERT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_3_VERSION));
5450
5451 SSL_CTX_set_session_cache_mode(ctx.get(), SSL_SESS_CACHE_BOTH);
5452
5453 bssl::UniquePtr<SSL> client, server;
5454 ASSERT_TRUE(ConnectClientAndServer(&client, &server, ctx.get(), ctx.get()));
5455
5456 SSL_CTX_sess_set_new_cb(ctx.get(), [](SSL *ssl, SSL_SESSION *session) -> int {
5457 ADD_FAILURE() << "New session callback called during SSL_shutdown";
5458 return 0;
5459 });
5460
5461 // Send close_notify.
5462 EXPECT_EQ(0, SSL_shutdown(server.get()));
5463 EXPECT_EQ(0, SSL_shutdown(client.get()));
5464
5465 // Receive close_notify.
5466 EXPECT_EQ(1, SSL_shutdown(server.get()));
5467 EXPECT_EQ(1, SSL_shutdown(client.get()));
5468 }
5469
TEST(SSLTest,SignatureAlgorithmProperties)5470 TEST(SSLTest, SignatureAlgorithmProperties) {
5471 EXPECT_EQ(EVP_PKEY_NONE, SSL_get_signature_algorithm_key_type(0x1234));
5472 EXPECT_EQ(nullptr, SSL_get_signature_algorithm_digest(0x1234));
5473 EXPECT_FALSE(SSL_is_signature_algorithm_rsa_pss(0x1234));
5474
5475 EXPECT_EQ(EVP_PKEY_RSA,
5476 SSL_get_signature_algorithm_key_type(SSL_SIGN_RSA_PKCS1_MD5_SHA1));
5477 EXPECT_EQ(EVP_md5_sha1(),
5478 SSL_get_signature_algorithm_digest(SSL_SIGN_RSA_PKCS1_MD5_SHA1));
5479 EXPECT_FALSE(SSL_is_signature_algorithm_rsa_pss(SSL_SIGN_RSA_PKCS1_MD5_SHA1));
5480
5481 EXPECT_EQ(EVP_PKEY_EC, SSL_get_signature_algorithm_key_type(
5482 SSL_SIGN_ECDSA_SECP256R1_SHA256));
5483 EXPECT_EQ(EVP_sha256(), SSL_get_signature_algorithm_digest(
5484 SSL_SIGN_ECDSA_SECP256R1_SHA256));
5485 EXPECT_FALSE(
5486 SSL_is_signature_algorithm_rsa_pss(SSL_SIGN_ECDSA_SECP256R1_SHA256));
5487
5488 EXPECT_EQ(EVP_PKEY_RSA,
5489 SSL_get_signature_algorithm_key_type(SSL_SIGN_RSA_PSS_RSAE_SHA384));
5490 EXPECT_EQ(EVP_sha384(),
5491 SSL_get_signature_algorithm_digest(SSL_SIGN_RSA_PSS_RSAE_SHA384));
5492 EXPECT_TRUE(SSL_is_signature_algorithm_rsa_pss(SSL_SIGN_RSA_PSS_RSAE_SHA384));
5493 }
5494
XORCompressFunc(SSL * ssl,CBB * out,const uint8_t * in,size_t in_len)5495 static int XORCompressFunc(SSL *ssl, CBB *out, const uint8_t *in,
5496 size_t in_len) {
5497 for (size_t i = 0; i < in_len; i++) {
5498 if (!CBB_add_u8(out, in[i] ^ 0x55)) {
5499 return 0;
5500 }
5501 }
5502
5503 SSL_set_app_data(ssl, XORCompressFunc);
5504
5505 return 1;
5506 }
5507
XORDecompressFunc(SSL * ssl,CRYPTO_BUFFER ** out,size_t uncompressed_len,const uint8_t * in,size_t in_len)5508 static int XORDecompressFunc(SSL *ssl, CRYPTO_BUFFER **out,
5509 size_t uncompressed_len, const uint8_t *in,
5510 size_t in_len) {
5511 if (in_len != uncompressed_len) {
5512 return 0;
5513 }
5514
5515 uint8_t *data;
5516 *out = CRYPTO_BUFFER_alloc(&data, uncompressed_len);
5517 if (*out == nullptr) {
5518 return 0;
5519 }
5520
5521 for (size_t i = 0; i < in_len; i++) {
5522 data[i] = in[i] ^ 0x55;
5523 }
5524
5525 SSL_set_app_data(ssl, XORDecompressFunc);
5526
5527 return 1;
5528 }
5529
TEST(SSLTest,CertCompression)5530 TEST(SSLTest, CertCompression) {
5531 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
5532 bssl::UniquePtr<SSL_CTX> server_ctx(
5533 CreateContextWithTestCertificate(TLS_method()));
5534 ASSERT_TRUE(client_ctx);
5535 ASSERT_TRUE(server_ctx);
5536
5537 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION));
5538 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
5539 ASSERT_TRUE(SSL_CTX_add_cert_compression_alg(
5540 client_ctx.get(), 0x1234, XORCompressFunc, XORDecompressFunc));
5541 ASSERT_TRUE(SSL_CTX_add_cert_compression_alg(
5542 server_ctx.get(), 0x1234, XORCompressFunc, XORDecompressFunc));
5543
5544 bssl::UniquePtr<SSL> client, server;
5545 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
5546 server_ctx.get()));
5547
5548 EXPECT_TRUE(SSL_get_app_data(client.get()) == XORDecompressFunc);
5549 EXPECT_TRUE(SSL_get_app_data(server.get()) == XORCompressFunc);
5550 }
5551
MoveBIOs(SSL * dest,SSL * src)5552 void MoveBIOs(SSL *dest, SSL *src) {
5553 BIO *rbio = SSL_get_rbio(src);
5554 BIO_up_ref(rbio);
5555 SSL_set0_rbio(dest, rbio);
5556
5557 BIO *wbio = SSL_get_wbio(src);
5558 BIO_up_ref(wbio);
5559 SSL_set0_wbio(dest, wbio);
5560
5561 SSL_set0_rbio(src, nullptr);
5562 SSL_set0_wbio(src, nullptr);
5563 }
5564
VerifyHandoff(bool use_new_alps_codepoint)5565 void VerifyHandoff(bool use_new_alps_codepoint) {
5566 static const uint8_t alpn[] = {0x03, 'f', 'o', 'o'};
5567 static const uint8_t proto[] = {'f', 'o', 'o'};
5568 static const uint8_t alps[] = {0x04, 'a', 'l', 'p', 's'};
5569
5570 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
5571 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
5572 bssl::UniquePtr<SSL_CTX> handshaker_ctx(
5573 CreateContextWithTestCertificate(TLS_method()));
5574 ASSERT_TRUE(client_ctx);
5575 ASSERT_TRUE(server_ctx);
5576 ASSERT_TRUE(handshaker_ctx);
5577
5578 if (!use_new_alps_codepoint) {
5579 SetUpExpectedOldCodePoint(server_ctx.get());
5580 } else {
5581 SetUpExpectedNewCodePoint(server_ctx.get());
5582 }
5583
5584 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_CLIENT);
5585 SSL_CTX_sess_set_new_cb(client_ctx.get(), SaveLastSession);
5586 SSL_CTX_set_handoff_mode(server_ctx.get(), true);
5587 uint8_t keys[48];
5588 SSL_CTX_get_tlsext_ticket_keys(server_ctx.get(), &keys, sizeof(keys));
5589 SSL_CTX_set_tlsext_ticket_keys(handshaker_ctx.get(), &keys, sizeof(keys));
5590
5591 for (bool early_data : {false, true}) {
5592 SCOPED_TRACE(early_data);
5593 for (bool is_resume : {false, true}) {
5594 SCOPED_TRACE(is_resume);
5595 bssl::UniquePtr<SSL> client, server;
5596 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
5597 server_ctx.get()));
5598 SSL_set_early_data_enabled(client.get(), early_data);
5599
5600 // Set up client ALPS settings.
5601 SSL_set_alps_use_new_codepoint(client.get(), use_new_alps_codepoint);
5602 ASSERT_TRUE(SSL_set_alpn_protos(client.get(), alpn, sizeof(alpn)) == 0);
5603 ASSERT_TRUE(SSL_add_application_settings(client.get(), proto,
5604 sizeof(proto), nullptr, 0));
5605 if (is_resume) {
5606 ASSERT_TRUE(g_last_session);
5607 SSL_set_session(client.get(), g_last_session.get());
5608 if (early_data) {
5609 EXPECT_GT(g_last_session->ticket_max_early_data, 0u);
5610 }
5611 }
5612
5613
5614 int client_ret = SSL_do_handshake(client.get());
5615 int client_err = SSL_get_error(client.get(), client_ret);
5616
5617 uint8_t byte_written;
5618 if (early_data && is_resume) {
5619 ASSERT_EQ(client_err, 0);
5620 EXPECT_TRUE(SSL_in_early_data(client.get()));
5621 // Attempt to write early data.
5622 byte_written = 43;
5623 EXPECT_EQ(SSL_write(client.get(), &byte_written, 1), 1);
5624 } else {
5625 ASSERT_EQ(client_err, SSL_ERROR_WANT_READ);
5626 }
5627
5628 int server_ret = SSL_do_handshake(server.get());
5629 int server_err = SSL_get_error(server.get(), server_ret);
5630 ASSERT_EQ(server_err, SSL_ERROR_HANDOFF);
5631
5632 ScopedCBB cbb;
5633 Array<uint8_t> handoff;
5634 SSL_CLIENT_HELLO hello;
5635 ASSERT_TRUE(CBB_init(cbb.get(), 256));
5636 ASSERT_TRUE(SSL_serialize_handoff(server.get(), cbb.get(), &hello));
5637 ASSERT_TRUE(CBBFinishArray(cbb.get(), &handoff));
5638
5639 bssl::UniquePtr<SSL> handshaker(SSL_new(handshaker_ctx.get()));
5640 ASSERT_TRUE(handshaker);
5641 // Note split handshakes determines 0-RTT support, for both the current
5642 // handshake and newly-issued tickets, entirely by |handshaker|. There is
5643 // no need to call |SSL_set_early_data_enabled| on |server|.
5644 SSL_set_early_data_enabled(handshaker.get(), 1);
5645
5646 // Set up handshaker ALPS settings.
5647 SSL_set_alps_use_new_codepoint(handshaker.get(), use_new_alps_codepoint);
5648 SSL_CTX_set_alpn_select_cb(
5649 handshaker_ctx.get(),
5650 [](SSL *ssl, const uint8_t **out, uint8_t *out_len, const uint8_t *in,
5651 unsigned in_len, void *arg) -> int {
5652 return SSL_select_next_proto(
5653 const_cast<uint8_t **>(out), out_len, in, in_len,
5654 alpn, sizeof(alpn)) == OPENSSL_NPN_NEGOTIATED
5655 ? SSL_TLSEXT_ERR_OK
5656 : SSL_TLSEXT_ERR_NOACK;
5657 },
5658 nullptr);
5659 ASSERT_TRUE(SSL_add_application_settings(handshaker.get(), proto,
5660 sizeof(proto), alps, sizeof(alps)));
5661
5662 ASSERT_TRUE(SSL_apply_handoff(handshaker.get(), handoff));
5663
5664 MoveBIOs(handshaker.get(), server.get());
5665
5666 int handshake_ret = SSL_do_handshake(handshaker.get());
5667 int handshake_err = SSL_get_error(handshaker.get(), handshake_ret);
5668 ASSERT_EQ(handshake_err, SSL_ERROR_HANDBACK);
5669
5670 // Double-check that additional calls to |SSL_do_handshake| continue
5671 // to get |SSL_ERROR_HANDBACK|.
5672 handshake_ret = SSL_do_handshake(handshaker.get());
5673 handshake_err = SSL_get_error(handshaker.get(), handshake_ret);
5674 ASSERT_EQ(handshake_err, SSL_ERROR_HANDBACK);
5675
5676 ScopedCBB cbb_handback;
5677 Array<uint8_t> handback;
5678 ASSERT_TRUE(CBB_init(cbb_handback.get(), 1024));
5679 ASSERT_TRUE(SSL_serialize_handback(handshaker.get(), cbb_handback.get()));
5680 ASSERT_TRUE(CBBFinishArray(cbb_handback.get(), &handback));
5681
5682 bssl::UniquePtr<SSL> server2(SSL_new(server_ctx.get()));
5683 ASSERT_TRUE(server2);
5684 ASSERT_TRUE(SSL_apply_handback(server2.get(), handback));
5685
5686 MoveBIOs(server2.get(), handshaker.get());
5687 ASSERT_TRUE(CompleteHandshakes(client.get(), server2.get()));
5688 EXPECT_EQ(is_resume, SSL_session_reused(client.get()));
5689 // Verify application settings.
5690 ASSERT_TRUE(SSL_has_application_settings(client.get()));
5691
5692 if (early_data && is_resume) {
5693 // In this case, one byte of early data has already been written above.
5694 EXPECT_TRUE(SSL_early_data_accepted(client.get()));
5695 } else {
5696 byte_written = 42;
5697 EXPECT_EQ(SSL_write(client.get(), &byte_written, 1), 1);
5698 }
5699 uint8_t byte;
5700 EXPECT_EQ(SSL_read(server2.get(), &byte, 1), 1);
5701 EXPECT_EQ(byte_written, byte);
5702
5703 byte = 44;
5704 EXPECT_EQ(SSL_write(server2.get(), &byte, 1), 1);
5705 EXPECT_EQ(SSL_read(client.get(), &byte, 1), 1);
5706 EXPECT_EQ(44, byte);
5707 }
5708 }
5709 }
5710
TEST(SSLTest,Handoff)5711 TEST(SSLTest, Handoff) {
5712 for (bool use_new_alps_codepoint : {false, true}) {
5713 SCOPED_TRACE(use_new_alps_codepoint);
5714 VerifyHandoff(use_new_alps_codepoint);
5715 }
5716 }
5717
TEST(SSLTest,HandoffDeclined)5718 TEST(SSLTest, HandoffDeclined) {
5719 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
5720 bssl::UniquePtr<SSL_CTX> server_ctx(
5721 CreateContextWithTestCertificate(TLS_method()));
5722 ASSERT_TRUE(client_ctx);
5723 ASSERT_TRUE(server_ctx);
5724
5725 SSL_CTX_set_handoff_mode(server_ctx.get(), true);
5726 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_2_VERSION));
5727
5728 bssl::UniquePtr<SSL> client, server;
5729 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
5730 server_ctx.get()));
5731
5732 int client_ret = SSL_do_handshake(client.get());
5733 int client_err = SSL_get_error(client.get(), client_ret);
5734 ASSERT_EQ(client_err, SSL_ERROR_WANT_READ);
5735
5736 int server_ret = SSL_do_handshake(server.get());
5737 int server_err = SSL_get_error(server.get(), server_ret);
5738 ASSERT_EQ(server_err, SSL_ERROR_HANDOFF);
5739
5740 ScopedCBB cbb;
5741 SSL_CLIENT_HELLO hello;
5742 ASSERT_TRUE(CBB_init(cbb.get(), 256));
5743 ASSERT_TRUE(SSL_serialize_handoff(server.get(), cbb.get(), &hello));
5744
5745 ASSERT_TRUE(SSL_decline_handoff(server.get()));
5746
5747 ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
5748
5749 uint8_t byte = 42;
5750 EXPECT_EQ(SSL_write(client.get(), &byte, 1), 1);
5751 EXPECT_EQ(SSL_read(server.get(), &byte, 1), 1);
5752 EXPECT_EQ(42, byte);
5753
5754 byte = 43;
5755 EXPECT_EQ(SSL_write(server.get(), &byte, 1), 1);
5756 EXPECT_EQ(SSL_read(client.get(), &byte, 1), 1);
5757 EXPECT_EQ(43, byte);
5758 }
5759
SigAlgsToString(Span<const uint16_t> sigalgs)5760 static std::string SigAlgsToString(Span<const uint16_t> sigalgs) {
5761 std::string ret = "{";
5762
5763 for (uint16_t v : sigalgs) {
5764 if (ret.size() > 1) {
5765 ret += ", ";
5766 }
5767
5768 char buf[8];
5769 snprintf(buf, sizeof(buf) - 1, "0x%02x", v);
5770 buf[sizeof(buf)-1] = 0;
5771 ret += std::string(buf);
5772 }
5773
5774 ret += "}";
5775 return ret;
5776 }
5777
ExpectSigAlgsEqual(Span<const uint16_t> expected,Span<const uint16_t> actual)5778 void ExpectSigAlgsEqual(Span<const uint16_t> expected,
5779 Span<const uint16_t> actual) {
5780 bool matches = false;
5781 if (expected.size() == actual.size()) {
5782 matches = true;
5783
5784 for (size_t i = 0; i < expected.size(); i++) {
5785 if (expected[i] != actual[i]) {
5786 matches = false;
5787 break;
5788 }
5789 }
5790 }
5791
5792 if (!matches) {
5793 ADD_FAILURE() << "expected: " << SigAlgsToString(expected)
5794 << " got: " << SigAlgsToString(actual);
5795 }
5796 }
5797
TEST(SSLTest,SigAlgs)5798 TEST(SSLTest, SigAlgs) {
5799 static const struct {
5800 std::vector<int> input;
5801 bool ok;
5802 std::vector<uint16_t> expected;
5803 } kTests[] = {
5804 {{}, true, {}},
5805 {{1}, false, {}},
5806 {{1, 2, 3}, false, {}},
5807 {{NID_sha256, EVP_PKEY_ED25519}, false, {}},
5808 {{NID_sha256, EVP_PKEY_RSA, NID_sha256, EVP_PKEY_RSA}, false, {}},
5809
5810 {{NID_sha256, EVP_PKEY_RSA}, true, {SSL_SIGN_RSA_PKCS1_SHA256}},
5811 {{NID_sha512, EVP_PKEY_RSA}, true, {SSL_SIGN_RSA_PKCS1_SHA512}},
5812 {{NID_sha256, EVP_PKEY_RSA_PSS}, true, {SSL_SIGN_RSA_PSS_RSAE_SHA256}},
5813 {{NID_undef, EVP_PKEY_ED25519}, true, {SSL_SIGN_ED25519}},
5814 {{NID_undef, EVP_PKEY_ED25519, NID_sha384, EVP_PKEY_EC},
5815 true,
5816 {SSL_SIGN_ED25519, SSL_SIGN_ECDSA_SECP384R1_SHA384}},
5817 };
5818
5819 UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
5820 ASSERT_TRUE(ctx);
5821
5822 unsigned n = 1;
5823 for (const auto &test : kTests) {
5824 SCOPED_TRACE(n++);
5825
5826 const bool ok =
5827 SSL_CTX_set1_sigalgs(ctx.get(), test.input.data(), test.input.size());
5828 EXPECT_EQ(ok, test.ok);
5829
5830 if (!ok) {
5831 ERR_clear_error();
5832 }
5833
5834 if (!test.ok) {
5835 continue;
5836 }
5837
5838 ExpectSigAlgsEqual(test.expected, ctx->cert->default_credential->sigalgs);
5839 }
5840 }
5841
TEST(SSLTest,SigAlgsList)5842 TEST(SSLTest, SigAlgsList) {
5843 static const struct {
5844 const char *input;
5845 bool ok;
5846 std::vector<uint16_t> expected;
5847 } kTests[] = {
5848 {"", false, {}},
5849 {":", false, {}},
5850 {"+", false, {}},
5851 {"RSA", false, {}},
5852 {"RSA+", false, {}},
5853 {"RSA+SHA256:", false, {}},
5854 {":RSA+SHA256:", false, {}},
5855 {":RSA+SHA256+:", false, {}},
5856 {"!", false, {}},
5857 {"\x01", false, {}},
5858 {"RSA+SHA256:RSA+SHA384:RSA+SHA256", false, {}},
5859 {"RSA-PSS+SHA256:rsa_pss_rsae_sha256", false, {}},
5860
5861 {"RSA+SHA256", true, {SSL_SIGN_RSA_PKCS1_SHA256}},
5862 {"RSA+SHA256:ed25519",
5863 true,
5864 {SSL_SIGN_RSA_PKCS1_SHA256, SSL_SIGN_ED25519}},
5865 {"ECDSA+SHA256:RSA+SHA512",
5866 true,
5867 {SSL_SIGN_ECDSA_SECP256R1_SHA256, SSL_SIGN_RSA_PKCS1_SHA512}},
5868 {"ecdsa_secp256r1_sha256:rsa_pss_rsae_sha256",
5869 true,
5870 {SSL_SIGN_ECDSA_SECP256R1_SHA256, SSL_SIGN_RSA_PSS_RSAE_SHA256}},
5871 {"RSA-PSS+SHA256", true, {SSL_SIGN_RSA_PSS_RSAE_SHA256}},
5872 {"PSS+SHA256", true, {SSL_SIGN_RSA_PSS_RSAE_SHA256}},
5873 };
5874
5875 UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
5876 ASSERT_TRUE(ctx);
5877
5878 unsigned n = 1;
5879 for (const auto &test : kTests) {
5880 SCOPED_TRACE(n++);
5881
5882 const bool ok = SSL_CTX_set1_sigalgs_list(ctx.get(), test.input);
5883 EXPECT_EQ(ok, test.ok);
5884
5885 if (!ok) {
5886 if (test.ok) {
5887 ERR_print_errors_fp(stderr);
5888 }
5889 ERR_clear_error();
5890 }
5891
5892 if (!test.ok) {
5893 continue;
5894 }
5895
5896 ExpectSigAlgsEqual(test.expected, ctx->cert->default_credential->sigalgs);
5897 }
5898 }
5899
TEST(SSLTest,ApplyHandoffRemovesUnsupportedCiphers)5900 TEST(SSLTest, ApplyHandoffRemovesUnsupportedCiphers) {
5901 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
5902 ASSERT_TRUE(server_ctx);
5903 bssl::UniquePtr<SSL> server(SSL_new(server_ctx.get()));
5904 ASSERT_TRUE(server);
5905
5906 // handoff is a handoff message that has been artificially modified to pretend
5907 // that only TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) is supported. When
5908 // it is applied to |server|, all ciphers but that one should be removed.
5909 //
5910 // To make a new one of these, try sticking this in the |Handoff| test above:
5911 //
5912 // hexdump(stderr, "", handoff.data(), handoff.size());
5913 // sed -e 's/\(..\)/0x\1, /g'
5914 //
5915 // and modify serialize_features() to emit only cipher 0x0A.
5916
5917 uint8_t handoff[] = {
5918 0x30, 0x81, 0x9a, 0x02, 0x01, 0x00, 0x04, 0x00, 0x04, 0x81, 0x82, 0x01,
5919 0x00, 0x00, 0x7e, 0x03, 0x03, 0x30, 0x8e, 0x8f, 0x79, 0xd2, 0x87, 0x39,
5920 0xc2, 0x23, 0x23, 0x13, 0xca, 0x3c, 0x80, 0x44, 0xfd, 0x80, 0x83, 0x62,
5921 0x3c, 0xcc, 0xf8, 0x76, 0xd3, 0x62, 0xbb, 0x54, 0xe3, 0xc4, 0x39, 0x24,
5922 0xa5, 0x00, 0x00, 0x1e, 0xc0, 0x2b, 0xc0, 0x2f, 0xc0, 0x2c, 0xc0, 0x30,
5923 0xcc, 0xa9, 0xcc, 0xa8, 0xc0, 0x09, 0xc0, 0x13, 0xc0, 0x0a, 0xc0, 0x14,
5924 0x00, 0x9c, 0x00, 0x9d, 0x00, 0x2f, 0x00, 0x35, 0x00, 0x0a, 0x01, 0x00,
5925 0x00, 0x37, 0x00, 0x17, 0x00, 0x00, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00,
5926 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00,
5927 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00,
5928 0x14, 0x00, 0x12, 0x04, 0x03, 0x08, 0x04, 0x04, 0x01, 0x05, 0x03, 0x08,
5929 0x05, 0x05, 0x01, 0x08, 0x06, 0x06, 0x01, 0x02, 0x01, 0x04, 0x02, 0xc0,
5930 0x2f, 0x04, 0x0a, 0x00, 0x15, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x00,
5931 0x1d,
5932 };
5933
5934 EXPECT_LT(1u, sk_SSL_CIPHER_num(SSL_get_ciphers(server.get())));
5935 ASSERT_TRUE(
5936 SSL_apply_handoff(server.get(), {handoff, OPENSSL_ARRAY_SIZE(handoff)}));
5937 EXPECT_EQ(1u, sk_SSL_CIPHER_num(SSL_get_ciphers(server.get())));
5938 }
5939
TEST(SSLTest,ApplyHandoffRemovesUnsupportedCurves)5940 TEST(SSLTest, ApplyHandoffRemovesUnsupportedCurves) {
5941 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
5942 ASSERT_TRUE(server_ctx);
5943 bssl::UniquePtr<SSL> server(SSL_new(server_ctx.get()));
5944 ASSERT_TRUE(server);
5945
5946 // handoff is a handoff message that has been artificially modified to pretend
5947 // that only one ECDH group is supported. When it is applied to |server|, all
5948 // groups but that one should be removed.
5949 //
5950 // See |ApplyHandoffRemovesUnsupportedCiphers| for how to make a new one of
5951 // these.
5952 uint8_t handoff[] = {
5953 0x30, 0x81, 0xc0, 0x02, 0x01, 0x00, 0x04, 0x00, 0x04, 0x81, 0x82, 0x01,
5954 0x00, 0x00, 0x7e, 0x03, 0x03, 0x98, 0x30, 0xce, 0xd9, 0xb0, 0xdf, 0x5f,
5955 0x82, 0x05, 0x4a, 0x43, 0x67, 0x7e, 0xdb, 0x6a, 0x4f, 0x21, 0x18, 0x4e,
5956 0x0d, 0x94, 0x63, 0x18, 0x8b, 0x54, 0x89, 0xdb, 0x8b, 0x1d, 0x84, 0xbc,
5957 0x09, 0x00, 0x00, 0x1e, 0xc0, 0x2b, 0xc0, 0x2f, 0xc0, 0x2c, 0xc0, 0x30,
5958 0xcc, 0xa9, 0xcc, 0xa8, 0xc0, 0x09, 0xc0, 0x13, 0xc0, 0x0a, 0xc0, 0x14,
5959 0x00, 0x9c, 0x00, 0x9d, 0x00, 0x2f, 0x00, 0x35, 0x00, 0x0a, 0x01, 0x00,
5960 0x00, 0x37, 0x00, 0x17, 0x00, 0x00, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00,
5961 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00,
5962 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00,
5963 0x14, 0x00, 0x12, 0x04, 0x03, 0x08, 0x04, 0x04, 0x01, 0x05, 0x03, 0x08,
5964 0x05, 0x05, 0x01, 0x08, 0x06, 0x06, 0x01, 0x02, 0x01, 0x04, 0x30, 0x00,
5965 0x02, 0x00, 0x0a, 0x00, 0x2f, 0x00, 0x35, 0x00, 0x8c, 0x00, 0x8d, 0x00,
5966 0x9c, 0x00, 0x9d, 0x13, 0x01, 0x13, 0x02, 0x13, 0x03, 0xc0, 0x09, 0xc0,
5967 0x0a, 0xc0, 0x13, 0xc0, 0x14, 0xc0, 0x2b, 0xc0, 0x2c, 0xc0, 0x2f, 0xc0,
5968 0x30, 0xc0, 0x35, 0xc0, 0x36, 0xcc, 0xa8, 0xcc, 0xa9, 0xcc, 0xac, 0x04,
5969 0x02, 0x00, 0x17,
5970 };
5971
5972 // The zero length means that the default list of groups is used.
5973 EXPECT_EQ(0u, server->config->supported_group_list.size());
5974 ASSERT_TRUE(
5975 SSL_apply_handoff(server.get(), {handoff, OPENSSL_ARRAY_SIZE(handoff)}));
5976 EXPECT_EQ(1u, server->config->supported_group_list.size());
5977 }
5978
TEST(SSLTest,ZeroSizedWiteFlushesHandshakeMessages)5979 TEST(SSLTest, ZeroSizedWiteFlushesHandshakeMessages) {
5980 // If there are pending handshake mesages, an |SSL_write| of zero bytes should
5981 // flush them.
5982 bssl::UniquePtr<SSL_CTX> server_ctx(
5983 CreateContextWithTestCertificate(TLS_method()));
5984 ASSERT_TRUE(server_ctx);
5985 EXPECT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
5986 EXPECT_TRUE(SSL_CTX_set_min_proto_version(server_ctx.get(), TLS1_3_VERSION));
5987
5988 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
5989 ASSERT_TRUE(client_ctx);
5990 EXPECT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION));
5991 EXPECT_TRUE(SSL_CTX_set_min_proto_version(client_ctx.get(), TLS1_3_VERSION));
5992
5993 bssl::UniquePtr<SSL> client, server;
5994 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
5995 server_ctx.get()));
5996
5997 BIO *client_wbio = SSL_get_wbio(client.get());
5998 EXPECT_EQ(0u, BIO_wpending(client_wbio));
5999 EXPECT_TRUE(SSL_key_update(client.get(), SSL_KEY_UPDATE_NOT_REQUESTED));
6000 EXPECT_EQ(0u, BIO_wpending(client_wbio));
6001 EXPECT_EQ(0, SSL_write(client.get(), nullptr, 0));
6002 EXPECT_NE(0u, BIO_wpending(client_wbio));
6003 }
6004
TEST_P(SSLVersionTest,VerifyBeforeCertRequest)6005 TEST_P(SSLVersionTest, VerifyBeforeCertRequest) {
6006 // Configure the server to request client certificates.
6007 SSL_CTX_set_custom_verify(
6008 server_ctx_.get(), SSL_VERIFY_PEER,
6009 [](SSL *ssl, uint8_t *out_alert) { return ssl_verify_ok; });
6010
6011 // Configure the client to reject the server certificate.
6012 SSL_CTX_set_custom_verify(
6013 client_ctx_.get(), SSL_VERIFY_PEER,
6014 [](SSL *ssl, uint8_t *out_alert) { return ssl_verify_invalid; });
6015
6016 // cert_cb should not be called. Verification should fail first.
6017 SSL_CTX_set_cert_cb(client_ctx_.get(),
6018 [](SSL *ssl, void *arg) {
6019 ADD_FAILURE() << "cert_cb unexpectedly called";
6020 return 0;
6021 },
6022 nullptr);
6023
6024 bssl::UniquePtr<SSL> client, server;
6025 EXPECT_FALSE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
6026 server_ctx_.get()));
6027 }
6028
6029 // Test that ticket-based sessions on the client get fake session IDs.
TEST_P(SSLVersionTest,FakeIDsForTickets)6030 TEST_P(SSLVersionTest, FakeIDsForTickets) {
6031 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6032 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
6033
6034 bssl::UniquePtr<SSL_SESSION> session =
6035 CreateClientSession(client_ctx_.get(), server_ctx_.get());
6036 ASSERT_TRUE(session);
6037
6038 EXPECT_TRUE(SSL_SESSION_has_ticket(session.get()));
6039 unsigned session_id_length;
6040 SSL_SESSION_get_id(session.get(), &session_id_length);
6041 EXPECT_NE(session_id_length, 0u);
6042 }
6043
6044 // These tests test multi-threaded behavior. They are intended to run with
6045 // ThreadSanitizer.
6046 #if defined(OPENSSL_THREADS)
TEST_P(SSLVersionTest,SessionCacheThreads)6047 TEST_P(SSLVersionTest, SessionCacheThreads) {
6048 SSL_CTX_set_options(server_ctx_.get(), SSL_OP_NO_TICKET);
6049 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6050 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
6051
6052 if (version() == TLS1_3_VERSION) {
6053 // Our TLS 1.3 implementation does not support stateful resumption.
6054 ASSERT_FALSE(CreateClientSession(client_ctx_.get(), server_ctx_.get()));
6055 return;
6056 }
6057
6058 // Establish two client sessions to test with.
6059 bssl::UniquePtr<SSL_SESSION> session1 =
6060 CreateClientSession(client_ctx_.get(), server_ctx_.get());
6061 ASSERT_TRUE(session1);
6062 bssl::UniquePtr<SSL_SESSION> session2 =
6063 CreateClientSession(client_ctx_.get(), server_ctx_.get());
6064 ASSERT_TRUE(session2);
6065
6066 auto connect_with_session = [&](SSL_SESSION *session) {
6067 ClientConfig config;
6068 config.session = session;
6069 UniquePtr<SSL> client, server;
6070 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
6071 server_ctx_.get(), config));
6072 };
6073
6074 // Resume sessions in parallel with establishing new ones.
6075 {
6076 std::vector<std::thread> threads;
6077 threads.emplace_back([&] { connect_with_session(nullptr); });
6078 threads.emplace_back([&] { connect_with_session(nullptr); });
6079 threads.emplace_back([&] { connect_with_session(session1.get()); });
6080 threads.emplace_back([&] { connect_with_session(session1.get()); });
6081 threads.emplace_back([&] { connect_with_session(session2.get()); });
6082 threads.emplace_back([&] { connect_with_session(session2.get()); });
6083 for (auto &thread : threads) {
6084 thread.join();
6085 }
6086 }
6087
6088 // Hit the maximum session cache size across multiple threads, to test the
6089 // size enforcement logic.
6090 size_t limit = SSL_CTX_sess_number(server_ctx_.get()) + 2;
6091 SSL_CTX_sess_set_cache_size(server_ctx_.get(), limit);
6092 {
6093 std::vector<std::thread> threads;
6094 for (int i = 0; i < 4; i++) {
6095 threads.emplace_back([&]() {
6096 connect_with_session(nullptr);
6097 EXPECT_LE(SSL_CTX_sess_number(server_ctx_.get()), limit);
6098 });
6099 }
6100 for (auto &thread : threads) {
6101 thread.join();
6102 }
6103 EXPECT_EQ(SSL_CTX_sess_number(server_ctx_.get()), limit);
6104 }
6105
6106 // Reset the session cache, this time with a mock clock.
6107 ASSERT_NO_FATAL_FAILURE(ResetContexts());
6108 SSL_CTX_set_options(server_ctx_.get(), SSL_OP_NO_TICKET);
6109 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6110 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
6111 SSL_CTX_set_current_time_cb(server_ctx_.get(), CurrentTimeCallback);
6112
6113 // Make some sessions at an arbitrary start time. Then expire them.
6114 g_current_time.tv_sec = 1000;
6115 bssl::UniquePtr<SSL_SESSION> expired_session1 =
6116 CreateClientSession(client_ctx_.get(), server_ctx_.get());
6117 ASSERT_TRUE(expired_session1);
6118 bssl::UniquePtr<SSL_SESSION> expired_session2 =
6119 CreateClientSession(client_ctx_.get(), server_ctx_.get());
6120 ASSERT_TRUE(expired_session2);
6121 g_current_time.tv_sec += 100 * SSL_DEFAULT_SESSION_TIMEOUT;
6122
6123 session1 = CreateClientSession(client_ctx_.get(), server_ctx_.get());
6124 ASSERT_TRUE(session1);
6125
6126 // Every 256 connections, we flush stale sessions from the session cache. Test
6127 // this logic is correctly synchronized with other connection attempts.
6128 static const int kNumConnections = 256;
6129 {
6130 std::vector<std::thread> threads;
6131 threads.emplace_back([&] {
6132 for (int i = 0; i < kNumConnections; i++) {
6133 connect_with_session(nullptr);
6134 }
6135 });
6136 threads.emplace_back([&] {
6137 for (int i = 0; i < kNumConnections; i++) {
6138 connect_with_session(nullptr);
6139 }
6140 });
6141 threads.emplace_back([&] {
6142 // Never connect with |expired_session2|. The session cache eagerly
6143 // removes expired sessions when it sees them. Leaving |expired_session2|
6144 // untouched ensures it is instead cleared by periodic flushing.
6145 for (int i = 0; i < kNumConnections; i++) {
6146 connect_with_session(expired_session1.get());
6147 }
6148 });
6149 threads.emplace_back([&] {
6150 for (int i = 0; i < kNumConnections; i++) {
6151 connect_with_session(session1.get());
6152 }
6153 });
6154 for (auto &thread : threads) {
6155 thread.join();
6156 }
6157 }
6158 }
6159
TEST_P(SSLVersionTest,SessionTicketThreads)6160 TEST_P(SSLVersionTest, SessionTicketThreads) {
6161 for (bool renew_ticket : {false, true}) {
6162 SCOPED_TRACE(renew_ticket);
6163 ASSERT_NO_FATAL_FAILURE(ResetContexts());
6164 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6165 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
6166 if (renew_ticket) {
6167 SSL_CTX_set_tlsext_ticket_key_cb(server_ctx_.get(), RenewTicketCallback);
6168 }
6169
6170 // Establish two client sessions to test with.
6171 bssl::UniquePtr<SSL_SESSION> session1 =
6172 CreateClientSession(client_ctx_.get(), server_ctx_.get());
6173 ASSERT_TRUE(session1);
6174 bssl::UniquePtr<SSL_SESSION> session2 =
6175 CreateClientSession(client_ctx_.get(), server_ctx_.get());
6176 ASSERT_TRUE(session2);
6177
6178 auto connect_with_session = [&](SSL_SESSION *session) {
6179 ClientConfig config;
6180 config.session = session;
6181 UniquePtr<SSL> client, server;
6182 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
6183 server_ctx_.get(), config));
6184 };
6185
6186 // Resume sessions in parallel with establishing new ones.
6187 {
6188 std::vector<std::thread> threads;
6189 threads.emplace_back([&] { connect_with_session(nullptr); });
6190 threads.emplace_back([&] { connect_with_session(nullptr); });
6191 threads.emplace_back([&] { connect_with_session(session1.get()); });
6192 threads.emplace_back([&] { connect_with_session(session1.get()); });
6193 threads.emplace_back([&] { connect_with_session(session2.get()); });
6194 threads.emplace_back([&] { connect_with_session(session2.get()); });
6195 for (auto &thread : threads) {
6196 thread.join();
6197 }
6198 }
6199 }
6200 }
6201
6202 // SSL_CTX_get0_certificate needs to lock internally. Test this works.
TEST(SSLTest,GetCertificateThreads)6203 TEST(SSLTest, GetCertificateThreads) {
6204 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
6205 ASSERT_TRUE(ctx);
6206 bssl::UniquePtr<X509> cert = GetTestCertificate();
6207 ASSERT_TRUE(cert);
6208 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), cert.get()));
6209
6210 // Existing code expects |SSL_CTX_get0_certificate| to be callable from two
6211 // threads concurrently. It originally was an immutable operation. Now we
6212 // implement it with a thread-safe cache, so it is worth testing.
6213 X509 *cert2_thread;
6214 std::thread thread(
6215 [&] { cert2_thread = SSL_CTX_get0_certificate(ctx.get()); });
6216 X509 *cert2 = SSL_CTX_get0_certificate(ctx.get());
6217 thread.join();
6218
6219 ASSERT_TRUE(cert2);
6220 ASSERT_TRUE(cert2_thread);
6221 EXPECT_EQ(cert2, cert2_thread);
6222 EXPECT_EQ(0, X509_cmp(cert.get(), cert2));
6223 }
6224
6225 // Functions which access properties on the negotiated session are thread-safe
6226 // where needed. Prior to TLS 1.3, clients resuming sessions and servers
6227 // performing stateful resumption will share an underlying SSL_SESSION object,
6228 // potentially across threads.
TEST_P(SSLVersionTest,SessionPropertiesThreads)6229 TEST_P(SSLVersionTest, SessionPropertiesThreads) {
6230 if (version() == TLS1_3_VERSION) {
6231 // Our TLS 1.3 implementation does not support stateful resumption.
6232 ASSERT_FALSE(CreateClientSession(client_ctx_.get(), server_ctx_.get()));
6233 return;
6234 }
6235
6236 SSL_CTX_set_options(server_ctx_.get(), SSL_OP_NO_TICKET);
6237 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6238 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
6239
6240 ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
6241 ASSERT_TRUE(UseCertAndKey(server_ctx_.get()));
6242
6243 // Configure mutual authentication, so we have more session state.
6244 SSL_CTX_set_custom_verify(
6245 client_ctx_.get(), SSL_VERIFY_PEER,
6246 [](SSL *ssl, uint8_t *out_alert) { return ssl_verify_ok; });
6247 SSL_CTX_set_custom_verify(
6248 server_ctx_.get(), SSL_VERIFY_PEER,
6249 [](SSL *ssl, uint8_t *out_alert) { return ssl_verify_ok; });
6250
6251 // Establish a client session to test with.
6252 bssl::UniquePtr<SSL_SESSION> session =
6253 CreateClientSession(client_ctx_.get(), server_ctx_.get());
6254 ASSERT_TRUE(session);
6255
6256 // Resume with it twice.
6257 UniquePtr<SSL> ssls[4];
6258 ClientConfig config;
6259 config.session = session.get();
6260 ASSERT_TRUE(ConnectClientAndServer(&ssls[0], &ssls[1], client_ctx_.get(),
6261 server_ctx_.get(), config));
6262 ASSERT_TRUE(ConnectClientAndServer(&ssls[2], &ssls[3], client_ctx_.get(),
6263 server_ctx_.get(), config));
6264
6265 // Read properties in parallel.
6266 auto read_properties = [](const SSL *ssl) {
6267 EXPECT_TRUE(SSL_get_peer_cert_chain(ssl));
6268 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(ssl));
6269 EXPECT_TRUE(peer);
6270 EXPECT_TRUE(SSL_get_current_cipher(ssl));
6271 EXPECT_TRUE(SSL_get_group_id(ssl));
6272 };
6273
6274 std::vector<std::thread> threads;
6275 for (const auto &ssl_ptr : ssls) {
6276 const SSL *ssl = ssl_ptr.get();
6277 threads.emplace_back([=] { read_properties(ssl); });
6278 }
6279 for (auto &thread : threads) {
6280 thread.join();
6281 }
6282 }
6283
SetValueOnFree(void * parent,void * ptr,CRYPTO_EX_DATA * ad,int index,long argl,void * argp)6284 static void SetValueOnFree(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
6285 int index, long argl, void *argp) {
6286 if (ptr != nullptr) {
6287 *static_cast<long *>(ptr) = argl;
6288 }
6289 }
6290
6291 // Test that one thread can register ex_data while another thread is destroying
6292 // an object that uses it.
TEST(SSLTest,ExDataThreads)6293 TEST(SSLTest, ExDataThreads) {
6294 static bool already_run = false;
6295 if (already_run) {
6296 GTEST_SKIP() << "This test consumes process-global resources and can only "
6297 "be run once in a process. It is not compatible with "
6298 "--gtest_repeat.";
6299 }
6300 already_run = true;
6301
6302 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
6303 ASSERT_TRUE(ctx);
6304
6305 // Register an initial index, so the threads can exercise having any ex_data.
6306 int first_index =
6307 SSL_get_ex_new_index(-1, nullptr, nullptr, nullptr, SetValueOnFree);
6308 ASSERT_GE(first_index, 0);
6309
6310 // Callers may register indices concurrently with using other indices. This
6311 // may happen if one part of an application is initializing while another part
6312 // is already running.
6313 static constexpr int kNumIndices = 3;
6314 static constexpr int kNumSSLs = 10;
6315 int index[kNumIndices];
6316 long values[kNumSSLs];
6317 std::fill(std::begin(values), std::end(values), -2);
6318 std::vector<std::thread> threads;
6319 for (size_t i = 0; i < kNumIndices; i++) {
6320 threads.emplace_back([&, i] {
6321 index[i] = SSL_get_ex_new_index(static_cast<long>(i), nullptr, nullptr,
6322 nullptr, SetValueOnFree);
6323 ASSERT_GE(index[i], 0);
6324 });
6325 }
6326 for (size_t i = 0; i < kNumSSLs; i++) {
6327 threads.emplace_back([&, i] {
6328 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
6329 ASSERT_TRUE(ssl);
6330 ASSERT_TRUE(SSL_set_ex_data(ssl.get(), first_index, &values[i]));
6331 });
6332 }
6333 for (auto &thread : threads) {
6334 thread.join();
6335 }
6336
6337 // Each of the SSL threads should have set their flag via ex_data.
6338 for (size_t i = 0; i < kNumSSLs; i++) {
6339 EXPECT_EQ(values[i], -1);
6340 }
6341
6342 // Each of the newly-registered indices should be distinct and work correctly.
6343 static_assert(kNumIndices <= kNumSSLs, "values buffer too small");
6344 std::fill(std::begin(values), std::end(values), -2);
6345 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
6346 ASSERT_TRUE(ssl);
6347 for (size_t i = 0; i < kNumIndices; i++) {
6348 for (size_t j = 0; j < i; j++) {
6349 EXPECT_NE(index[i], index[j]);
6350 }
6351 ASSERT_TRUE(SSL_set_ex_data(ssl.get(), index[i], &values[i]));
6352 }
6353 ssl = nullptr;
6354 for (size_t i = 0; i < kNumIndices; i++) {
6355 EXPECT_EQ(values[i], static_cast<long>(i));
6356 }
6357 }
6358 #endif // OPENSSL_THREADS
6359
6360 constexpr size_t kNumQUICLevels = 4;
6361 static_assert(ssl_encryption_initial < kNumQUICLevels,
6362 "kNumQUICLevels is wrong");
6363 static_assert(ssl_encryption_early_data < kNumQUICLevels,
6364 "kNumQUICLevels is wrong");
6365 static_assert(ssl_encryption_handshake < kNumQUICLevels,
6366 "kNumQUICLevels is wrong");
6367 static_assert(ssl_encryption_application < kNumQUICLevels,
6368 "kNumQUICLevels is wrong");
6369
LevelToString(ssl_encryption_level_t level)6370 const char *LevelToString(ssl_encryption_level_t level) {
6371 switch (level) {
6372 case ssl_encryption_initial:
6373 return "initial";
6374 case ssl_encryption_early_data:
6375 return "early data";
6376 case ssl_encryption_handshake:
6377 return "handshake";
6378 case ssl_encryption_application:
6379 return "application";
6380 }
6381 return "<unknown>";
6382 }
6383
6384 class MockQUICTransport {
6385 public:
6386 enum class Role { kClient, kServer };
6387
MockQUICTransport(Role role)6388 explicit MockQUICTransport(Role role) : role_(role) {
6389 // The caller is expected to configure initial secrets.
6390 levels_[ssl_encryption_initial].write_secret = {1};
6391 levels_[ssl_encryption_initial].read_secret = {1};
6392 }
6393
set_peer(MockQUICTransport * peer)6394 void set_peer(MockQUICTransport *peer) { peer_ = peer; }
6395
has_alert() const6396 bool has_alert() const { return has_alert_; }
alert_level() const6397 ssl_encryption_level_t alert_level() const { return alert_level_; }
alert() const6398 uint8_t alert() const { return alert_; }
6399
PeerSecretsMatch(ssl_encryption_level_t level) const6400 bool PeerSecretsMatch(ssl_encryption_level_t level) const {
6401 return levels_[level].write_secret == peer_->levels_[level].read_secret &&
6402 levels_[level].read_secret == peer_->levels_[level].write_secret &&
6403 levels_[level].cipher == peer_->levels_[level].cipher;
6404 }
6405
HasReadSecret(ssl_encryption_level_t level) const6406 bool HasReadSecret(ssl_encryption_level_t level) const {
6407 return !levels_[level].read_secret.empty();
6408 }
6409
HasWriteSecret(ssl_encryption_level_t level) const6410 bool HasWriteSecret(ssl_encryption_level_t level) const {
6411 return !levels_[level].write_secret.empty();
6412 }
6413
AllowOutOfOrderWrites()6414 void AllowOutOfOrderWrites() { allow_out_of_order_writes_ = true; }
6415
SetReadSecret(ssl_encryption_level_t level,const SSL_CIPHER * cipher,Span<const uint8_t> secret)6416 bool SetReadSecret(ssl_encryption_level_t level, const SSL_CIPHER *cipher,
6417 Span<const uint8_t> secret) {
6418 if (HasReadSecret(level)) {
6419 ADD_FAILURE() << LevelToString(level) << " read secret configured twice";
6420 return false;
6421 }
6422
6423 if (role_ == Role::kClient && level == ssl_encryption_early_data) {
6424 ADD_FAILURE() << "Unexpected early data read secret";
6425 return false;
6426 }
6427
6428 ssl_encryption_level_t ack_level =
6429 level == ssl_encryption_early_data ? ssl_encryption_application : level;
6430 if (!HasWriteSecret(ack_level)) {
6431 ADD_FAILURE() << LevelToString(level)
6432 << " read secret configured before ACK write secret";
6433 return false;
6434 }
6435
6436 if (cipher == nullptr) {
6437 ADD_FAILURE() << "Unexpected null cipher";
6438 return false;
6439 }
6440
6441 if (level != ssl_encryption_early_data &&
6442 SSL_CIPHER_get_id(cipher) != levels_[level].cipher) {
6443 ADD_FAILURE() << "Cipher suite inconsistent";
6444 return false;
6445 }
6446
6447 levels_[level].read_secret.assign(secret.begin(), secret.end());
6448 levels_[level].cipher = SSL_CIPHER_get_id(cipher);
6449 return true;
6450 }
6451
SetWriteSecret(ssl_encryption_level_t level,const SSL_CIPHER * cipher,Span<const uint8_t> secret)6452 bool SetWriteSecret(ssl_encryption_level_t level, const SSL_CIPHER *cipher,
6453 Span<const uint8_t> secret) {
6454 if (HasWriteSecret(level)) {
6455 ADD_FAILURE() << LevelToString(level) << " write secret configured twice";
6456 return false;
6457 }
6458
6459 if (role_ == Role::kServer && level == ssl_encryption_early_data) {
6460 ADD_FAILURE() << "Unexpected early data write secret";
6461 return false;
6462 }
6463
6464 if (cipher == nullptr) {
6465 ADD_FAILURE() << "Unexpected null cipher";
6466 return false;
6467 }
6468
6469 levels_[level].write_secret.assign(secret.begin(), secret.end());
6470 levels_[level].cipher = SSL_CIPHER_get_id(cipher);
6471 return true;
6472 }
6473
WriteHandshakeData(ssl_encryption_level_t level,Span<const uint8_t> data)6474 bool WriteHandshakeData(ssl_encryption_level_t level,
6475 Span<const uint8_t> data) {
6476 if (levels_[level].write_secret.empty()) {
6477 ADD_FAILURE() << LevelToString(level)
6478 << " write secret not yet configured";
6479 return false;
6480 }
6481
6482 // Although the levels are conceptually separate, BoringSSL finishes writing
6483 // data from a previous level before installing keys for the next level.
6484 if (!allow_out_of_order_writes_) {
6485 switch (level) {
6486 case ssl_encryption_early_data:
6487 ADD_FAILURE() << "unexpected handshake data at early data level";
6488 return false;
6489 case ssl_encryption_initial:
6490 if (!levels_[ssl_encryption_handshake].write_secret.empty()) {
6491 ADD_FAILURE()
6492 << LevelToString(level)
6493 << " handshake data written after handshake keys installed";
6494 return false;
6495 }
6496 OPENSSL_FALLTHROUGH;
6497 case ssl_encryption_handshake:
6498 if (!levels_[ssl_encryption_application].write_secret.empty()) {
6499 ADD_FAILURE()
6500 << LevelToString(level)
6501 << " handshake data written after application keys installed";
6502 return false;
6503 }
6504 OPENSSL_FALLTHROUGH;
6505 case ssl_encryption_application:
6506 break;
6507 }
6508 }
6509
6510 levels_[level].write_data.insert(levels_[level].write_data.end(),
6511 data.begin(), data.end());
6512 return true;
6513 }
6514
SendAlert(ssl_encryption_level_t level,uint8_t alert_value)6515 bool SendAlert(ssl_encryption_level_t level, uint8_t alert_value) {
6516 if (has_alert_) {
6517 ADD_FAILURE() << "duplicate alert sent";
6518 return false;
6519 }
6520
6521 if (levels_[level].write_secret.empty()) {
6522 ADD_FAILURE() << LevelToString(level)
6523 << " write secret not yet configured";
6524 return false;
6525 }
6526
6527 has_alert_ = true;
6528 alert_level_ = level;
6529 alert_ = alert_value;
6530 return true;
6531 }
6532
ReadHandshakeData(std::vector<uint8_t> * out,ssl_encryption_level_t level,size_t num=std::numeric_limits<size_t>::max ())6533 bool ReadHandshakeData(std::vector<uint8_t> *out,
6534 ssl_encryption_level_t level,
6535 size_t num = std::numeric_limits<size_t>::max()) {
6536 if (levels_[level].read_secret.empty()) {
6537 ADD_FAILURE() << "data read before keys configured in level " << level;
6538 return false;
6539 }
6540 // The peer may not have configured any keys yet.
6541 if (peer_->levels_[level].write_secret.empty()) {
6542 out->clear();
6543 return true;
6544 }
6545 // Check the peer computed the same key.
6546 if (peer_->levels_[level].write_secret != levels_[level].read_secret) {
6547 ADD_FAILURE() << "peer write key does not match read key in level "
6548 << level;
6549 return false;
6550 }
6551 if (peer_->levels_[level].cipher != levels_[level].cipher) {
6552 ADD_FAILURE() << "peer cipher does not match in level " << level;
6553 return false;
6554 }
6555 std::vector<uint8_t> *peer_data = &peer_->levels_[level].write_data;
6556 num = std::min(num, peer_data->size());
6557 out->assign(peer_data->begin(), peer_data->begin() + num);
6558 peer_data->erase(peer_data->begin(), peer_data->begin() + num);
6559 return true;
6560 }
6561
6562 private:
6563 Role role_;
6564 MockQUICTransport *peer_ = nullptr;
6565
6566 bool allow_out_of_order_writes_ = false;
6567 bool has_alert_ = false;
6568 ssl_encryption_level_t alert_level_ = ssl_encryption_initial;
6569 uint8_t alert_ = 0;
6570
6571 struct Level {
6572 std::vector<uint8_t> write_data;
6573 std::vector<uint8_t> write_secret;
6574 std::vector<uint8_t> read_secret;
6575 uint32_t cipher = 0;
6576 };
6577 Level levels_[kNumQUICLevels];
6578 };
6579
6580 class MockQUICTransportPair {
6581 public:
MockQUICTransportPair()6582 MockQUICTransportPair()
6583 : client_(MockQUICTransport::Role::kClient),
6584 server_(MockQUICTransport::Role::kServer) {
6585 client_.set_peer(&server_);
6586 server_.set_peer(&client_);
6587 }
6588
~MockQUICTransportPair()6589 ~MockQUICTransportPair() {
6590 client_.set_peer(nullptr);
6591 server_.set_peer(nullptr);
6592 }
6593
client()6594 MockQUICTransport *client() { return &client_; }
server()6595 MockQUICTransport *server() { return &server_; }
6596
SecretsMatch(ssl_encryption_level_t level) const6597 bool SecretsMatch(ssl_encryption_level_t level) const {
6598 // We only need to check |HasReadSecret| and |HasWriteSecret| on |client_|.
6599 // |PeerSecretsMatch| checks that |server_| is analogously configured.
6600 return client_.PeerSecretsMatch(level) &&
6601 client_.HasWriteSecret(level) &&
6602 (level == ssl_encryption_early_data || client_.HasReadSecret(level));
6603 }
6604
6605 private:
6606 MockQUICTransport client_;
6607 MockQUICTransport server_;
6608 };
6609
6610 class QUICMethodTest : public testing::Test {
6611 protected:
SetUp()6612 void SetUp() override {
6613 client_ctx_.reset(SSL_CTX_new(TLS_method()));
6614 server_ctx_ = CreateContextWithTestCertificate(TLS_method());
6615 ASSERT_TRUE(client_ctx_);
6616 ASSERT_TRUE(server_ctx_);
6617
6618 SSL_CTX_set_min_proto_version(server_ctx_.get(), TLS1_3_VERSION);
6619 SSL_CTX_set_max_proto_version(server_ctx_.get(), TLS1_3_VERSION);
6620 SSL_CTX_set_min_proto_version(client_ctx_.get(), TLS1_3_VERSION);
6621 SSL_CTX_set_max_proto_version(client_ctx_.get(), TLS1_3_VERSION);
6622
6623 static const uint8_t kALPNProtos[] = {0x03, 'f', 'o', 'o'};
6624 ASSERT_EQ(SSL_CTX_set_alpn_protos(client_ctx_.get(), kALPNProtos,
6625 sizeof(kALPNProtos)),
6626 0);
6627 SSL_CTX_set_alpn_select_cb(
6628 server_ctx_.get(),
6629 [](SSL *ssl, const uint8_t **out, uint8_t *out_len, const uint8_t *in,
6630 unsigned in_len, void *arg) -> int {
6631 return SSL_select_next_proto(
6632 const_cast<uint8_t **>(out), out_len, in, in_len,
6633 kALPNProtos, sizeof(kALPNProtos)) == OPENSSL_NPN_NEGOTIATED
6634 ? SSL_TLSEXT_ERR_OK
6635 : SSL_TLSEXT_ERR_NOACK;
6636 },
6637 nullptr);
6638 }
6639
TransportFromSSL(const SSL * ssl)6640 static MockQUICTransport *TransportFromSSL(const SSL *ssl) {
6641 return ex_data_.Get(ssl);
6642 }
6643
ProvideHandshakeData(SSL * ssl,size_t num=std::numeric_limits<size_t>::max ())6644 static bool ProvideHandshakeData(
6645 SSL *ssl, size_t num = std::numeric_limits<size_t>::max()) {
6646 MockQUICTransport *transport = TransportFromSSL(ssl);
6647 ssl_encryption_level_t level = SSL_quic_read_level(ssl);
6648 std::vector<uint8_t> data;
6649 return transport->ReadHandshakeData(&data, level, num) &&
6650 SSL_provide_quic_data(ssl, level, data.data(), data.size());
6651 }
6652
AllowOutOfOrderWrites()6653 void AllowOutOfOrderWrites() {
6654 allow_out_of_order_writes_ = true;
6655 }
6656
CreateClientAndServer()6657 bool CreateClientAndServer() {
6658 client_.reset(SSL_new(client_ctx_.get()));
6659 server_.reset(SSL_new(server_ctx_.get()));
6660 if (!client_ || !server_) {
6661 return false;
6662 }
6663
6664 SSL_set_connect_state(client_.get());
6665 SSL_set_accept_state(server_.get());
6666
6667 transport_ = std::make_unique<MockQUICTransportPair>();
6668 if (!ex_data_.Set(client_.get(), transport_->client()) ||
6669 !ex_data_.Set(server_.get(), transport_->server())) {
6670 return false;
6671 }
6672 if (allow_out_of_order_writes_) {
6673 transport_->client()->AllowOutOfOrderWrites();
6674 transport_->server()->AllowOutOfOrderWrites();
6675 }
6676 static const uint8_t client_transport_params[] = {0};
6677 if (!SSL_set_quic_transport_params(client_.get(), client_transport_params,
6678 sizeof(client_transport_params)) ||
6679 !SSL_set_quic_transport_params(server_.get(),
6680 server_transport_params_.data(),
6681 server_transport_params_.size()) ||
6682 !SSL_set_quic_early_data_context(
6683 server_.get(), server_quic_early_data_context_.data(),
6684 server_quic_early_data_context_.size())) {
6685 return false;
6686 }
6687 return true;
6688 }
6689
6690 enum class ExpectedError {
6691 kNoError,
6692 kClientError,
6693 kServerError,
6694 };
6695
6696 // CompleteHandshakesForQUIC runs |SSL_do_handshake| on |client_| and
6697 // |server_| until each completes once. It returns true on success and false
6698 // on failure.
CompleteHandshakesForQUIC()6699 bool CompleteHandshakesForQUIC() {
6700 return RunQUICHandshakesAndExpectError(ExpectedError::kNoError);
6701 }
6702
6703 // Runs |SSL_do_handshake| on |client_| and |server_| until each completes
6704 // once. If |expect_client_error| is true, it will return true only if the
6705 // client handshake failed. Otherwise, it returns true if both handshakes
6706 // succeed and false otherwise.
RunQUICHandshakesAndExpectError(ExpectedError expected_error)6707 bool RunQUICHandshakesAndExpectError(ExpectedError expected_error) {
6708 bool client_done = false, server_done = false;
6709 while (!client_done || !server_done) {
6710 if (!client_done) {
6711 if (!ProvideHandshakeData(client_.get())) {
6712 ADD_FAILURE() << "ProvideHandshakeData(client_) failed";
6713 return false;
6714 }
6715 int client_ret = SSL_do_handshake(client_.get());
6716 int client_err = SSL_get_error(client_.get(), client_ret);
6717 if (client_ret == 1) {
6718 client_done = true;
6719 } else if (client_ret != -1 || client_err != SSL_ERROR_WANT_READ) {
6720 if (expected_error == ExpectedError::kClientError) {
6721 return true;
6722 }
6723 ADD_FAILURE() << "Unexpected client output: " << client_ret << " "
6724 << client_err;
6725 return false;
6726 }
6727 }
6728
6729 if (!server_done) {
6730 if (!ProvideHandshakeData(server_.get())) {
6731 ADD_FAILURE() << "ProvideHandshakeData(server_) failed";
6732 return false;
6733 }
6734 int server_ret = SSL_do_handshake(server_.get());
6735 int server_err = SSL_get_error(server_.get(), server_ret);
6736 if (server_ret == 1) {
6737 server_done = true;
6738 } else if (server_ret != -1 || server_err != SSL_ERROR_WANT_READ) {
6739 if (expected_error == ExpectedError::kServerError) {
6740 return true;
6741 }
6742 ADD_FAILURE() << "Unexpected server output: " << server_ret << " "
6743 << server_err;
6744 return false;
6745 }
6746 }
6747 }
6748 return expected_error == ExpectedError::kNoError;
6749 }
6750
CreateClientSessionForQUIC()6751 bssl::UniquePtr<SSL_SESSION> CreateClientSessionForQUIC() {
6752 g_last_session = nullptr;
6753 SSL_CTX_sess_set_new_cb(client_ctx_.get(), SaveLastSession);
6754 if (!CreateClientAndServer() ||
6755 !CompleteHandshakesForQUIC()) {
6756 return nullptr;
6757 }
6758
6759 // The server sent NewSessionTicket messages in the handshake.
6760 if (!ProvideHandshakeData(client_.get()) ||
6761 !SSL_process_quic_post_handshake(client_.get())) {
6762 return nullptr;
6763 }
6764
6765 return std::move(g_last_session);
6766 }
6767
ExpectHandshakeSuccess()6768 void ExpectHandshakeSuccess() {
6769 EXPECT_TRUE(transport_->SecretsMatch(ssl_encryption_application));
6770 EXPECT_EQ(ssl_encryption_application, SSL_quic_read_level(client_.get()));
6771 EXPECT_EQ(ssl_encryption_application, SSL_quic_write_level(client_.get()));
6772 EXPECT_EQ(ssl_encryption_application, SSL_quic_read_level(server_.get()));
6773 EXPECT_EQ(ssl_encryption_application, SSL_quic_write_level(server_.get()));
6774 EXPECT_FALSE(transport_->client()->has_alert());
6775 EXPECT_FALSE(transport_->server()->has_alert());
6776
6777 // SSL_do_handshake is now idempotent.
6778 EXPECT_EQ(SSL_do_handshake(client_.get()), 1);
6779 EXPECT_EQ(SSL_do_handshake(server_.get()), 1);
6780 }
6781
6782 // Returns a default SSL_QUIC_METHOD. Individual methods may be overwritten by
6783 // the test.
DefaultQUICMethod()6784 SSL_QUIC_METHOD DefaultQUICMethod() {
6785 return SSL_QUIC_METHOD{
6786 SetReadSecretCallback, SetWriteSecretCallback, AddHandshakeDataCallback,
6787 FlushFlightCallback, SendAlertCallback,
6788 };
6789 }
6790
SetReadSecretCallback(SSL * ssl,ssl_encryption_level_t level,const SSL_CIPHER * cipher,const uint8_t * secret,size_t secret_len)6791 static int SetReadSecretCallback(SSL *ssl, ssl_encryption_level_t level,
6792 const SSL_CIPHER *cipher,
6793 const uint8_t *secret, size_t secret_len) {
6794 return TransportFromSSL(ssl)->SetReadSecret(
6795 level, cipher, MakeConstSpan(secret, secret_len));
6796 }
6797
SetWriteSecretCallback(SSL * ssl,ssl_encryption_level_t level,const SSL_CIPHER * cipher,const uint8_t * secret,size_t secret_len)6798 static int SetWriteSecretCallback(SSL *ssl, ssl_encryption_level_t level,
6799 const SSL_CIPHER *cipher,
6800 const uint8_t *secret, size_t secret_len) {
6801 return TransportFromSSL(ssl)->SetWriteSecret(
6802 level, cipher, MakeConstSpan(secret, secret_len));
6803 }
6804
AddHandshakeDataCallback(SSL * ssl,enum ssl_encryption_level_t level,const uint8_t * data,size_t len)6805 static int AddHandshakeDataCallback(SSL *ssl,
6806 enum ssl_encryption_level_t level,
6807 const uint8_t *data, size_t len) {
6808 EXPECT_EQ(level, SSL_quic_write_level(ssl));
6809 return TransportFromSSL(ssl)->WriteHandshakeData(level,
6810 MakeConstSpan(data, len));
6811 }
6812
FlushFlightCallback(SSL * ssl)6813 static int FlushFlightCallback(SSL *ssl) { return 1; }
6814
SendAlertCallback(SSL * ssl,ssl_encryption_level_t level,uint8_t alert)6815 static int SendAlertCallback(SSL *ssl, ssl_encryption_level_t level,
6816 uint8_t alert) {
6817 EXPECT_EQ(level, SSL_quic_write_level(ssl));
6818 return TransportFromSSL(ssl)->SendAlert(level, alert);
6819 }
6820
6821 bssl::UniquePtr<SSL_CTX> client_ctx_;
6822 bssl::UniquePtr<SSL_CTX> server_ctx_;
6823
6824 static UnownedSSLExData<MockQUICTransport> ex_data_;
6825 std::unique_ptr<MockQUICTransportPair> transport_;
6826
6827 bssl::UniquePtr<SSL> client_;
6828 bssl::UniquePtr<SSL> server_;
6829
6830 std::vector<uint8_t> server_transport_params_ = {1};
6831 std::vector<uint8_t> server_quic_early_data_context_ = {2};
6832
6833 bool allow_out_of_order_writes_ = false;
6834 };
6835
6836 UnownedSSLExData<MockQUICTransport> QUICMethodTest::ex_data_;
6837
6838 // Test a full handshake and resumption work.
TEST_F(QUICMethodTest,Basic)6839 TEST_F(QUICMethodTest, Basic) {
6840 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6841
6842 g_last_session = nullptr;
6843
6844 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6845 SSL_CTX_sess_set_new_cb(client_ctx_.get(), SaveLastSession);
6846 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6847 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6848
6849 ASSERT_TRUE(CreateClientAndServer());
6850 ASSERT_TRUE(CompleteHandshakesForQUIC());
6851
6852 ExpectHandshakeSuccess();
6853 EXPECT_FALSE(SSL_session_reused(client_.get()));
6854 EXPECT_FALSE(SSL_session_reused(server_.get()));
6855
6856 // The server sent NewSessionTicket messages in the handshake.
6857 EXPECT_FALSE(g_last_session);
6858 ASSERT_TRUE(ProvideHandshakeData(client_.get()));
6859 EXPECT_EQ(SSL_process_quic_post_handshake(client_.get()), 1);
6860 EXPECT_TRUE(g_last_session);
6861
6862 // Create a second connection to verify resumption works.
6863 ASSERT_TRUE(CreateClientAndServer());
6864 bssl::UniquePtr<SSL_SESSION> session = std::move(g_last_session);
6865 SSL_set_session(client_.get(), session.get());
6866
6867 ASSERT_TRUE(CompleteHandshakesForQUIC());
6868
6869 ExpectHandshakeSuccess();
6870 EXPECT_TRUE(SSL_session_reused(client_.get()));
6871 EXPECT_TRUE(SSL_session_reused(server_.get()));
6872 }
6873
6874 // Test that HelloRetryRequest in QUIC works.
TEST_F(QUICMethodTest,HelloRetryRequest)6875 TEST_F(QUICMethodTest, HelloRetryRequest) {
6876 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6877
6878 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6879 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6880
6881 // BoringSSL predicts the most preferred ECDH group, so using different
6882 // preferences will trigger HelloRetryRequest.
6883 static const int kClientPrefs[] = {NID_X25519, NID_X9_62_prime256v1};
6884 ASSERT_TRUE(SSL_CTX_set1_groups(client_ctx_.get(), kClientPrefs,
6885 OPENSSL_ARRAY_SIZE(kClientPrefs)));
6886 static const int kServerPrefs[] = {NID_X9_62_prime256v1, NID_X25519};
6887 ASSERT_TRUE(SSL_CTX_set1_groups(server_ctx_.get(), kServerPrefs,
6888 OPENSSL_ARRAY_SIZE(kServerPrefs)));
6889
6890 ASSERT_TRUE(CreateClientAndServer());
6891 ASSERT_TRUE(CompleteHandshakesForQUIC());
6892 ExpectHandshakeSuccess();
6893 }
6894
6895 // Test that the client does not send a legacy_session_id in the ClientHello.
TEST_F(QUICMethodTest,NoLegacySessionId)6896 TEST_F(QUICMethodTest, NoLegacySessionId) {
6897 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6898
6899 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6900 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6901 // Check that the session ID length is 0 in an early callback.
6902 SSL_CTX_set_select_certificate_cb(
6903 server_ctx_.get(),
6904 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
6905 EXPECT_EQ(client_hello->session_id_len, 0u);
6906 return ssl_select_cert_success;
6907 });
6908
6909 ASSERT_TRUE(CreateClientAndServer());
6910 ASSERT_TRUE(CompleteHandshakesForQUIC());
6911
6912 ExpectHandshakeSuccess();
6913 }
6914
6915 // Test that, even in a 1-RTT handshake, the server installs keys at the right
6916 // time. Half-RTT keys are available early, but 1-RTT read keys are deferred.
TEST_F(QUICMethodTest,HalfRTTKeys)6917 TEST_F(QUICMethodTest, HalfRTTKeys) {
6918 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6919
6920 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6921 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6922 ASSERT_TRUE(CreateClientAndServer());
6923
6924 // The client sends ClientHello.
6925 ASSERT_EQ(SSL_do_handshake(client_.get()), -1);
6926 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(client_.get(), -1));
6927
6928 // The server reads ClientHello and sends ServerHello..Finished.
6929 ASSERT_TRUE(ProvideHandshakeData(server_.get()));
6930 ASSERT_EQ(SSL_do_handshake(server_.get()), -1);
6931 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(server_.get(), -1));
6932
6933 // At this point, the server has half-RTT write keys, but it cannot access
6934 // 1-RTT read keys until client Finished.
6935 EXPECT_TRUE(transport_->server()->HasWriteSecret(ssl_encryption_application));
6936 EXPECT_FALSE(transport_->server()->HasReadSecret(ssl_encryption_application));
6937
6938 // Finish up the client and server handshakes.
6939 ASSERT_TRUE(CompleteHandshakesForQUIC());
6940
6941 // Both sides can now exchange 1-RTT data.
6942 ExpectHandshakeSuccess();
6943 }
6944
TEST_F(QUICMethodTest,ZeroRTTAccept)6945 TEST_F(QUICMethodTest, ZeroRTTAccept) {
6946 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6947
6948 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6949 SSL_CTX_set_early_data_enabled(client_ctx_.get(), 1);
6950 SSL_CTX_set_early_data_enabled(server_ctx_.get(), 1);
6951 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6952 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6953
6954 bssl::UniquePtr<SSL_SESSION> session = CreateClientSessionForQUIC();
6955 ASSERT_TRUE(session);
6956
6957 ASSERT_TRUE(CreateClientAndServer());
6958 SSL_set_session(client_.get(), session.get());
6959
6960 // The client handshake should return immediately into the early data state.
6961 ASSERT_EQ(SSL_do_handshake(client_.get()), 1);
6962 EXPECT_TRUE(SSL_in_early_data(client_.get()));
6963 // The transport should have keys for sending 0-RTT data.
6964 EXPECT_TRUE(transport_->client()->HasWriteSecret(ssl_encryption_early_data));
6965
6966 // The server will consume the ClientHello and also enter the early data
6967 // state.
6968 ASSERT_TRUE(ProvideHandshakeData(server_.get()));
6969 ASSERT_EQ(SSL_do_handshake(server_.get()), 1);
6970 EXPECT_TRUE(SSL_in_early_data(server_.get()));
6971 EXPECT_TRUE(transport_->SecretsMatch(ssl_encryption_early_data));
6972 // At this point, the server has half-RTT write keys, but it cannot access
6973 // 1-RTT read keys until client Finished.
6974 EXPECT_TRUE(transport_->server()->HasWriteSecret(ssl_encryption_application));
6975 EXPECT_FALSE(transport_->server()->HasReadSecret(ssl_encryption_application));
6976
6977 // Finish up the client and server handshakes.
6978 ASSERT_TRUE(CompleteHandshakesForQUIC());
6979
6980 // Both sides can now exchange 1-RTT data.
6981 ExpectHandshakeSuccess();
6982 EXPECT_TRUE(SSL_session_reused(client_.get()));
6983 EXPECT_TRUE(SSL_session_reused(server_.get()));
6984 EXPECT_FALSE(SSL_in_early_data(client_.get()));
6985 EXPECT_FALSE(SSL_in_early_data(server_.get()));
6986 EXPECT_TRUE(SSL_early_data_accepted(client_.get()));
6987 EXPECT_TRUE(SSL_early_data_accepted(server_.get()));
6988
6989 // Finish handling post-handshake messages after the first 0-RTT resumption.
6990 EXPECT_TRUE(ProvideHandshakeData(client_.get()));
6991 EXPECT_TRUE(SSL_process_quic_post_handshake(client_.get()));
6992
6993 // Perform a second 0-RTT resumption attempt, and confirm that 0-RTT is
6994 // accepted again.
6995 ASSERT_TRUE(CreateClientAndServer());
6996 SSL_set_session(client_.get(), g_last_session.get());
6997
6998 // The client handshake should return immediately into the early data state.
6999 ASSERT_EQ(SSL_do_handshake(client_.get()), 1);
7000 EXPECT_TRUE(SSL_in_early_data(client_.get()));
7001 // The transport should have keys for sending 0-RTT data.
7002 EXPECT_TRUE(transport_->client()->HasWriteSecret(ssl_encryption_early_data));
7003
7004 // The server will consume the ClientHello and also enter the early data
7005 // state.
7006 ASSERT_TRUE(ProvideHandshakeData(server_.get()));
7007 ASSERT_EQ(SSL_do_handshake(server_.get()), 1);
7008 EXPECT_TRUE(SSL_in_early_data(server_.get()));
7009 EXPECT_TRUE(transport_->SecretsMatch(ssl_encryption_early_data));
7010 // At this point, the server has half-RTT write keys, but it cannot access
7011 // 1-RTT read keys until client Finished.
7012 EXPECT_TRUE(transport_->server()->HasWriteSecret(ssl_encryption_application));
7013 EXPECT_FALSE(transport_->server()->HasReadSecret(ssl_encryption_application));
7014
7015 // Finish up the client and server handshakes.
7016 ASSERT_TRUE(CompleteHandshakesForQUIC());
7017
7018 // Both sides can now exchange 1-RTT data.
7019 ExpectHandshakeSuccess();
7020 EXPECT_TRUE(SSL_session_reused(client_.get()));
7021 EXPECT_TRUE(SSL_session_reused(server_.get()));
7022 EXPECT_FALSE(SSL_in_early_data(client_.get()));
7023 EXPECT_FALSE(SSL_in_early_data(server_.get()));
7024 EXPECT_TRUE(SSL_early_data_accepted(client_.get()));
7025 EXPECT_TRUE(SSL_early_data_accepted(server_.get()));
7026 EXPECT_EQ(SSL_get_early_data_reason(client_.get()), ssl_early_data_accepted);
7027 EXPECT_EQ(SSL_get_early_data_reason(server_.get()), ssl_early_data_accepted);
7028 }
7029
TEST_F(QUICMethodTest,ZeroRTTRejectMismatchedParameters)7030 TEST_F(QUICMethodTest, ZeroRTTRejectMismatchedParameters) {
7031 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7032
7033 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
7034 SSL_CTX_set_early_data_enabled(client_ctx_.get(), 1);
7035 SSL_CTX_set_early_data_enabled(server_ctx_.get(), 1);
7036 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7037 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7038
7039
7040 bssl::UniquePtr<SSL_SESSION> session = CreateClientSessionForQUIC();
7041 ASSERT_TRUE(session);
7042
7043 ASSERT_TRUE(CreateClientAndServer());
7044 static const uint8_t new_context[] = {4};
7045 ASSERT_TRUE(SSL_set_quic_early_data_context(server_.get(), new_context,
7046 sizeof(new_context)));
7047 SSL_set_session(client_.get(), session.get());
7048
7049 // The client handshake should return immediately into the early data
7050 // state.
7051 ASSERT_EQ(SSL_do_handshake(client_.get()), 1);
7052 EXPECT_TRUE(SSL_in_early_data(client_.get()));
7053 // The transport should have keys for sending 0-RTT data.
7054 EXPECT_TRUE(transport_->client()->HasWriteSecret(ssl_encryption_early_data));
7055
7056 // The server will consume the ClientHello, but it will not accept 0-RTT.
7057 ASSERT_TRUE(ProvideHandshakeData(server_.get()));
7058 ASSERT_EQ(SSL_do_handshake(server_.get()), -1);
7059 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(server_.get(), -1));
7060 EXPECT_FALSE(SSL_in_early_data(server_.get()));
7061 EXPECT_FALSE(transport_->server()->HasReadSecret(ssl_encryption_early_data));
7062
7063 // The client consumes the server response and signals 0-RTT rejection.
7064 for (;;) {
7065 ASSERT_TRUE(ProvideHandshakeData(client_.get()));
7066 ASSERT_EQ(-1, SSL_do_handshake(client_.get()));
7067 int err = SSL_get_error(client_.get(), -1);
7068 if (err == SSL_ERROR_EARLY_DATA_REJECTED) {
7069 break;
7070 }
7071 ASSERT_EQ(SSL_ERROR_WANT_READ, err);
7072 }
7073
7074 // As in TLS over TCP, 0-RTT rejection is sticky.
7075 ASSERT_EQ(-1, SSL_do_handshake(client_.get()));
7076 ASSERT_EQ(SSL_ERROR_EARLY_DATA_REJECTED, SSL_get_error(client_.get(), -1));
7077
7078 // Finish up the client and server handshakes.
7079 SSL_reset_early_data_reject(client_.get());
7080 ASSERT_TRUE(CompleteHandshakesForQUIC());
7081
7082 // Both sides can now exchange 1-RTT data.
7083 ExpectHandshakeSuccess();
7084 EXPECT_TRUE(SSL_session_reused(client_.get()));
7085 EXPECT_TRUE(SSL_session_reused(server_.get()));
7086 EXPECT_FALSE(SSL_in_early_data(client_.get()));
7087 EXPECT_FALSE(SSL_in_early_data(server_.get()));
7088 EXPECT_FALSE(SSL_early_data_accepted(client_.get()));
7089 EXPECT_FALSE(SSL_early_data_accepted(server_.get()));
7090 }
7091
TEST_F(QUICMethodTest,NoZeroRTTTicketWithoutEarlyDataContext)7092 TEST_F(QUICMethodTest, NoZeroRTTTicketWithoutEarlyDataContext) {
7093 server_quic_early_data_context_ = {};
7094 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7095
7096 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
7097 SSL_CTX_set_early_data_enabled(client_ctx_.get(), 1);
7098 SSL_CTX_set_early_data_enabled(server_ctx_.get(), 1);
7099 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7100 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7101
7102 bssl::UniquePtr<SSL_SESSION> session = CreateClientSessionForQUIC();
7103 ASSERT_TRUE(session);
7104 EXPECT_FALSE(SSL_SESSION_early_data_capable(session.get()));
7105 }
7106
TEST_F(QUICMethodTest,ZeroRTTReject)7107 TEST_F(QUICMethodTest, ZeroRTTReject) {
7108 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7109
7110 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
7111 SSL_CTX_set_early_data_enabled(client_ctx_.get(), 1);
7112 SSL_CTX_set_early_data_enabled(server_ctx_.get(), 1);
7113 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7114 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7115
7116 bssl::UniquePtr<SSL_SESSION> session = CreateClientSessionForQUIC();
7117 ASSERT_TRUE(session);
7118
7119 for (bool reject_hrr : {false, true}) {
7120 SCOPED_TRACE(reject_hrr);
7121
7122 ASSERT_TRUE(CreateClientAndServer());
7123 if (reject_hrr) {
7124 // Configure the server to prefer P-256, which will reject 0-RTT via
7125 // HelloRetryRequest.
7126 int p256 = NID_X9_62_prime256v1;
7127 ASSERT_TRUE(SSL_set1_groups(server_.get(), &p256, 1));
7128 } else {
7129 // Disable 0-RTT on the server, so it will reject it.
7130 SSL_set_early_data_enabled(server_.get(), 0);
7131 }
7132 SSL_set_session(client_.get(), session.get());
7133
7134 // The client handshake should return immediately into the early data state.
7135 ASSERT_EQ(SSL_do_handshake(client_.get()), 1);
7136 EXPECT_TRUE(SSL_in_early_data(client_.get()));
7137 // The transport should have keys for sending 0-RTT data.
7138 EXPECT_TRUE(
7139 transport_->client()->HasWriteSecret(ssl_encryption_early_data));
7140
7141 // The server will consume the ClientHello, but it will not accept 0-RTT.
7142 ASSERT_TRUE(ProvideHandshakeData(server_.get()));
7143 ASSERT_EQ(SSL_do_handshake(server_.get()), -1);
7144 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(server_.get(), -1));
7145 EXPECT_FALSE(SSL_in_early_data(server_.get()));
7146 EXPECT_FALSE(
7147 transport_->server()->HasReadSecret(ssl_encryption_early_data));
7148
7149 // The client consumes the server response and signals 0-RTT rejection.
7150 for (;;) {
7151 ASSERT_TRUE(ProvideHandshakeData(client_.get()));
7152 ASSERT_EQ(-1, SSL_do_handshake(client_.get()));
7153 int err = SSL_get_error(client_.get(), -1);
7154 if (err == SSL_ERROR_EARLY_DATA_REJECTED) {
7155 break;
7156 }
7157 ASSERT_EQ(SSL_ERROR_WANT_READ, err);
7158 }
7159
7160 // As in TLS over TCP, 0-RTT rejection is sticky.
7161 ASSERT_EQ(-1, SSL_do_handshake(client_.get()));
7162 ASSERT_EQ(SSL_ERROR_EARLY_DATA_REJECTED, SSL_get_error(client_.get(), -1));
7163
7164 // Finish up the client and server handshakes.
7165 SSL_reset_early_data_reject(client_.get());
7166 ASSERT_TRUE(CompleteHandshakesForQUIC());
7167
7168 // Both sides can now exchange 1-RTT data.
7169 ExpectHandshakeSuccess();
7170 EXPECT_TRUE(SSL_session_reused(client_.get()));
7171 EXPECT_TRUE(SSL_session_reused(server_.get()));
7172 EXPECT_FALSE(SSL_in_early_data(client_.get()));
7173 EXPECT_FALSE(SSL_in_early_data(server_.get()));
7174 EXPECT_FALSE(SSL_early_data_accepted(client_.get()));
7175 EXPECT_FALSE(SSL_early_data_accepted(server_.get()));
7176 }
7177 }
7178
TEST_F(QUICMethodTest,NoZeroRTTKeysBeforeReverify)7179 TEST_F(QUICMethodTest, NoZeroRTTKeysBeforeReverify) {
7180 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7181
7182 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
7183 SSL_CTX_set_early_data_enabled(client_ctx_.get(), 1);
7184 SSL_CTX_set_reverify_on_resume(client_ctx_.get(), 1);
7185 SSL_CTX_set_early_data_enabled(server_ctx_.get(), 1);
7186 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7187 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7188
7189 bssl::UniquePtr<SSL_SESSION> session = CreateClientSessionForQUIC();
7190 ASSERT_TRUE(session);
7191
7192 ASSERT_TRUE(CreateClientAndServer());
7193 SSL_set_session(client_.get(), session.get());
7194
7195 // Configure the certificate (re)verification to never complete. The client
7196 // handshake should pause.
7197 SSL_set_custom_verify(
7198 client_.get(), SSL_VERIFY_PEER,
7199 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
7200 return ssl_verify_retry;
7201 });
7202 ASSERT_EQ(SSL_do_handshake(client_.get()), -1);
7203 ASSERT_EQ(SSL_get_error(client_.get(), -1),
7204 SSL_ERROR_WANT_CERTIFICATE_VERIFY);
7205
7206 // The early data keys have not yet been released.
7207 EXPECT_FALSE(transport_->client()->HasWriteSecret(ssl_encryption_early_data));
7208
7209 // After the verification completes, the handshake progresses to the 0-RTT
7210 // point and releases keys.
7211 SSL_set_custom_verify(
7212 client_.get(), SSL_VERIFY_PEER,
7213 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
7214 return ssl_verify_ok;
7215 });
7216 ASSERT_EQ(SSL_do_handshake(client_.get()), 1);
7217 EXPECT_TRUE(SSL_in_early_data(client_.get()));
7218 EXPECT_TRUE(transport_->client()->HasWriteSecret(ssl_encryption_early_data));
7219 }
7220
7221 // Test only releasing data to QUIC one byte at a time on request, to maximize
7222 // state machine pauses. Additionally, test that existing asynchronous callbacks
7223 // still work.
TEST_F(QUICMethodTest,Async)7224 TEST_F(QUICMethodTest, Async) {
7225 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7226
7227 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7228 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7229 ASSERT_TRUE(CreateClientAndServer());
7230
7231 // Install an asynchronous certificate callback.
7232 bool cert_cb_ok = false;
7233 SSL_set_cert_cb(server_.get(),
7234 [](SSL *, void *arg) -> int {
7235 return *static_cast<bool *>(arg) ? 1 : -1;
7236 },
7237 &cert_cb_ok);
7238
7239 for (;;) {
7240 int client_ret = SSL_do_handshake(client_.get());
7241 if (client_ret != 1) {
7242 ASSERT_EQ(client_ret, -1);
7243 ASSERT_EQ(SSL_get_error(client_.get(), client_ret), SSL_ERROR_WANT_READ);
7244 ASSERT_TRUE(ProvideHandshakeData(client_.get(), 1));
7245 }
7246
7247 int server_ret = SSL_do_handshake(server_.get());
7248 if (server_ret != 1) {
7249 ASSERT_EQ(server_ret, -1);
7250 int ssl_err = SSL_get_error(server_.get(), server_ret);
7251 switch (ssl_err) {
7252 case SSL_ERROR_WANT_READ:
7253 ASSERT_TRUE(ProvideHandshakeData(server_.get(), 1));
7254 break;
7255 case SSL_ERROR_WANT_X509_LOOKUP:
7256 ASSERT_FALSE(cert_cb_ok);
7257 cert_cb_ok = true;
7258 break;
7259 default:
7260 FAIL() << "Unexpected SSL_get_error result: " << ssl_err;
7261 }
7262 }
7263
7264 if (client_ret == 1 && server_ret == 1) {
7265 break;
7266 }
7267 }
7268
7269 ExpectHandshakeSuccess();
7270 }
7271
7272 // Test buffering write data until explicit flushes.
TEST_F(QUICMethodTest,Buffered)7273 TEST_F(QUICMethodTest, Buffered) {
7274 AllowOutOfOrderWrites();
7275
7276 struct BufferedFlight {
7277 std::vector<uint8_t> data[kNumQUICLevels];
7278 };
7279 static UnownedSSLExData<BufferedFlight> buffered_flights;
7280
7281 auto add_handshake_data = [](SSL *ssl, enum ssl_encryption_level_t level,
7282 const uint8_t *data, size_t len) -> int {
7283 BufferedFlight *flight = buffered_flights.Get(ssl);
7284 flight->data[level].insert(flight->data[level].end(), data, data + len);
7285 return 1;
7286 };
7287
7288 auto flush_flight = [](SSL *ssl) -> int {
7289 BufferedFlight *flight = buffered_flights.Get(ssl);
7290 for (size_t level = 0; level < kNumQUICLevels; level++) {
7291 if (!flight->data[level].empty()) {
7292 if (!TransportFromSSL(ssl)->WriteHandshakeData(
7293 static_cast<ssl_encryption_level_t>(level),
7294 flight->data[level])) {
7295 return 0;
7296 }
7297 flight->data[level].clear();
7298 }
7299 }
7300 return 1;
7301 };
7302
7303 SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7304 quic_method.add_handshake_data = add_handshake_data;
7305 quic_method.flush_flight = flush_flight;
7306
7307 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7308 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7309 ASSERT_TRUE(CreateClientAndServer());
7310
7311 BufferedFlight client_flight, server_flight;
7312 ASSERT_TRUE(buffered_flights.Set(client_.get(), &client_flight));
7313 ASSERT_TRUE(buffered_flights.Set(server_.get(), &server_flight));
7314
7315 ASSERT_TRUE(CompleteHandshakesForQUIC());
7316
7317 ExpectHandshakeSuccess();
7318 }
7319
7320 // Test that excess data at one level is rejected. That is, if a single
7321 // |SSL_provide_quic_data| call included both ServerHello and
7322 // EncryptedExtensions in a single chunk, BoringSSL notices and rejects this on
7323 // key change.
TEST_F(QUICMethodTest,ExcessProvidedData)7324 TEST_F(QUICMethodTest, ExcessProvidedData) {
7325 AllowOutOfOrderWrites();
7326
7327 auto add_handshake_data = [](SSL *ssl, enum ssl_encryption_level_t level,
7328 const uint8_t *data, size_t len) -> int {
7329 // Switch everything to the initial level.
7330 return TransportFromSSL(ssl)->WriteHandshakeData(ssl_encryption_initial,
7331 MakeConstSpan(data, len));
7332 };
7333
7334 SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7335 quic_method.add_handshake_data = add_handshake_data;
7336
7337 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7338 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7339 ASSERT_TRUE(CreateClientAndServer());
7340
7341 // Send the ClientHello and ServerHello through Finished.
7342 ASSERT_EQ(SSL_do_handshake(client_.get()), -1);
7343 ASSERT_EQ(SSL_get_error(client_.get(), -1), SSL_ERROR_WANT_READ);
7344 ASSERT_TRUE(ProvideHandshakeData(server_.get()));
7345 ASSERT_EQ(SSL_do_handshake(server_.get()), -1);
7346 ASSERT_EQ(SSL_get_error(server_.get(), -1), SSL_ERROR_WANT_READ);
7347
7348 // The client is still waiting for the ServerHello at initial
7349 // encryption.
7350 ASSERT_EQ(ssl_encryption_initial, SSL_quic_read_level(client_.get()));
7351
7352 // |add_handshake_data| incorrectly wrote everything at the initial level, so
7353 // this queues up ServerHello through Finished in one chunk.
7354 ASSERT_TRUE(ProvideHandshakeData(client_.get()));
7355
7356 // The client reads ServerHello successfully, but then rejects the buffered
7357 // EncryptedExtensions on key change.
7358 ASSERT_EQ(SSL_do_handshake(client_.get()), -1);
7359 ASSERT_EQ(SSL_get_error(client_.get(), -1), SSL_ERROR_SSL);
7360 EXPECT_TRUE(
7361 ErrorEquals(ERR_get_error(), ERR_LIB_SSL, SSL_R_EXCESS_HANDSHAKE_DATA));
7362
7363 // The client sends an alert in response to this. The alert is sent at
7364 // handshake level because we install write secrets before read secrets and
7365 // the error is discovered when installing the read secret. (How to send
7366 // alerts on protocol syntax errors near key changes is ambiguous in general.)
7367 ASSERT_TRUE(transport_->client()->has_alert());
7368 EXPECT_EQ(transport_->client()->alert_level(), ssl_encryption_handshake);
7369 EXPECT_EQ(transport_->client()->alert(), SSL_AD_UNEXPECTED_MESSAGE);
7370
7371 // Sanity-check handshake secrets. The error is discovered while setting the
7372 // read secret, so only the write secret has been installed.
7373 EXPECT_TRUE(transport_->client()->HasWriteSecret(ssl_encryption_handshake));
7374 EXPECT_FALSE(transport_->client()->HasReadSecret(ssl_encryption_handshake));
7375 }
7376
7377 // Test that |SSL_provide_quic_data| will reject data at the wrong level.
TEST_F(QUICMethodTest,ProvideWrongLevel)7378 TEST_F(QUICMethodTest, ProvideWrongLevel) {
7379 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7380
7381 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7382 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7383 ASSERT_TRUE(CreateClientAndServer());
7384
7385 // Send the ClientHello and ServerHello through Finished.
7386 ASSERT_EQ(SSL_do_handshake(client_.get()), -1);
7387 ASSERT_EQ(SSL_get_error(client_.get(), -1), SSL_ERROR_WANT_READ);
7388 ASSERT_TRUE(ProvideHandshakeData(server_.get()));
7389 ASSERT_EQ(SSL_do_handshake(server_.get()), -1);
7390 ASSERT_EQ(SSL_get_error(server_.get(), -1), SSL_ERROR_WANT_READ);
7391
7392 // The client is still waiting for the ServerHello at initial
7393 // encryption.
7394 ASSERT_EQ(ssl_encryption_initial, SSL_quic_read_level(client_.get()));
7395
7396 // Data cannot be provided at the next level.
7397 std::vector<uint8_t> data;
7398 ASSERT_TRUE(
7399 transport_->client()->ReadHandshakeData(&data, ssl_encryption_initial));
7400 ASSERT_FALSE(SSL_provide_quic_data(client_.get(), ssl_encryption_handshake,
7401 data.data(), data.size()));
7402 ERR_clear_error();
7403
7404 // Progress to EncryptedExtensions.
7405 ASSERT_TRUE(SSL_provide_quic_data(client_.get(), ssl_encryption_initial,
7406 data.data(), data.size()));
7407 ASSERT_EQ(SSL_do_handshake(client_.get()), -1);
7408 ASSERT_EQ(SSL_get_error(client_.get(), -1), SSL_ERROR_WANT_READ);
7409 ASSERT_EQ(ssl_encryption_handshake, SSL_quic_read_level(client_.get()));
7410
7411 // Data cannot be provided at the previous level.
7412 ASSERT_TRUE(
7413 transport_->client()->ReadHandshakeData(&data, ssl_encryption_handshake));
7414 ASSERT_FALSE(SSL_provide_quic_data(client_.get(), ssl_encryption_initial,
7415 data.data(), data.size()));
7416 }
7417
TEST_F(QUICMethodTest,TooMuchData)7418 TEST_F(QUICMethodTest, TooMuchData) {
7419 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7420
7421 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7422 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7423 ASSERT_TRUE(CreateClientAndServer());
7424
7425 size_t limit =
7426 SSL_quic_max_handshake_flight_len(client_.get(), ssl_encryption_initial);
7427 uint8_t b = 0;
7428 for (size_t i = 0; i < limit; i++) {
7429 ASSERT_TRUE(
7430 SSL_provide_quic_data(client_.get(), ssl_encryption_initial, &b, 1));
7431 }
7432
7433 EXPECT_FALSE(
7434 SSL_provide_quic_data(client_.get(), ssl_encryption_initial, &b, 1));
7435 }
7436
7437 // Provide invalid post-handshake data.
TEST_F(QUICMethodTest,BadPostHandshake)7438 TEST_F(QUICMethodTest, BadPostHandshake) {
7439 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7440
7441 g_last_session = nullptr;
7442
7443 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
7444 SSL_CTX_sess_set_new_cb(client_ctx_.get(), SaveLastSession);
7445 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7446 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7447 ASSERT_TRUE(CreateClientAndServer());
7448 ASSERT_TRUE(CompleteHandshakesForQUIC());
7449
7450 EXPECT_EQ(SSL_do_handshake(client_.get()), 1);
7451 EXPECT_EQ(SSL_do_handshake(server_.get()), 1);
7452 EXPECT_TRUE(transport_->SecretsMatch(ssl_encryption_application));
7453 EXPECT_FALSE(transport_->client()->has_alert());
7454 EXPECT_FALSE(transport_->server()->has_alert());
7455
7456 // Junk sent as part of post-handshake data should cause an error.
7457 uint8_t kJunk[] = {0x17, 0x0, 0x0, 0x4, 0xB, 0xE, 0xE, 0xF};
7458 ASSERT_TRUE(SSL_provide_quic_data(client_.get(), ssl_encryption_application,
7459 kJunk, sizeof(kJunk)));
7460 EXPECT_EQ(SSL_process_quic_post_handshake(client_.get()), 0);
7461 }
7462
ExpectReceivedTransportParamsEqual(const SSL * ssl,Span<const uint8_t> expected)7463 static void ExpectReceivedTransportParamsEqual(const SSL *ssl,
7464 Span<const uint8_t> expected) {
7465 const uint8_t *received;
7466 size_t received_len;
7467 SSL_get_peer_quic_transport_params(ssl, &received, &received_len);
7468 ASSERT_EQ(received_len, expected.size());
7469 EXPECT_EQ(Bytes(received, received_len), Bytes(expected));
7470 }
7471
TEST_F(QUICMethodTest,SetTransportParameters)7472 TEST_F(QUICMethodTest, SetTransportParameters) {
7473 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7474 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7475 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7476
7477 ASSERT_TRUE(CreateClientAndServer());
7478 uint8_t kClientParams[] = {1, 2, 3, 4};
7479 uint8_t kServerParams[] = {5, 6, 7};
7480 ASSERT_TRUE(SSL_set_quic_transport_params(client_.get(), kClientParams,
7481 sizeof(kClientParams)));
7482 ASSERT_TRUE(SSL_set_quic_transport_params(server_.get(), kServerParams,
7483 sizeof(kServerParams)));
7484
7485 ASSERT_TRUE(CompleteHandshakesForQUIC());
7486 ExpectReceivedTransportParamsEqual(client_.get(), kServerParams);
7487 ExpectReceivedTransportParamsEqual(server_.get(), kClientParams);
7488 }
7489
TEST_F(QUICMethodTest,SetTransportParamsInCallback)7490 TEST_F(QUICMethodTest, SetTransportParamsInCallback) {
7491 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7492 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7493 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7494
7495 ASSERT_TRUE(CreateClientAndServer());
7496 uint8_t kClientParams[] = {1, 2, 3, 4};
7497 static uint8_t kServerParams[] = {5, 6, 7};
7498 ASSERT_TRUE(SSL_set_quic_transport_params(client_.get(), kClientParams,
7499 sizeof(kClientParams)));
7500 SSL_CTX_set_tlsext_servername_callback(
7501 server_ctx_.get(), [](SSL *ssl, int *out_alert, void *arg) -> int {
7502 EXPECT_TRUE(SSL_set_quic_transport_params(ssl, kServerParams,
7503 sizeof(kServerParams)));
7504 return SSL_TLSEXT_ERR_OK;
7505 });
7506
7507 ASSERT_TRUE(CompleteHandshakesForQUIC());
7508 ExpectReceivedTransportParamsEqual(client_.get(), kServerParams);
7509 ExpectReceivedTransportParamsEqual(server_.get(), kClientParams);
7510 }
7511
TEST_F(QUICMethodTest,ForbidCrossProtocolResumptionClient)7512 TEST_F(QUICMethodTest, ForbidCrossProtocolResumptionClient) {
7513 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7514
7515 g_last_session = nullptr;
7516
7517 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
7518 SSL_CTX_sess_set_new_cb(client_ctx_.get(), SaveLastSession);
7519 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7520 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7521
7522 ASSERT_TRUE(CreateClientAndServer());
7523 ASSERT_TRUE(CompleteHandshakesForQUIC());
7524
7525 ExpectHandshakeSuccess();
7526 EXPECT_FALSE(SSL_session_reused(client_.get()));
7527 EXPECT_FALSE(SSL_session_reused(server_.get()));
7528
7529 // The server sent NewSessionTicket messages in the handshake.
7530 EXPECT_FALSE(g_last_session);
7531 ASSERT_TRUE(ProvideHandshakeData(client_.get()));
7532 EXPECT_EQ(SSL_process_quic_post_handshake(client_.get()), 1);
7533 ASSERT_TRUE(g_last_session);
7534
7535 // Pretend that g_last_session came from a TLS-over-TCP connection.
7536 g_last_session->is_quic = false;
7537
7538 // Create a second connection and verify that resumption does not occur with
7539 // a session from a non-QUIC connection. This tests that the client does not
7540 // offer over QUIC a session believed to be received over TCP. The server
7541 // believes this is a QUIC session, so if the client offered the session, the
7542 // server would have resumed it.
7543 ASSERT_TRUE(CreateClientAndServer());
7544 bssl::UniquePtr<SSL_SESSION> session = std::move(g_last_session);
7545 SSL_set_session(client_.get(), session.get());
7546
7547 ASSERT_TRUE(CompleteHandshakesForQUIC());
7548 ExpectHandshakeSuccess();
7549 EXPECT_FALSE(SSL_session_reused(client_.get()));
7550 EXPECT_FALSE(SSL_session_reused(server_.get()));
7551 }
7552
TEST_F(QUICMethodTest,ForbidCrossProtocolResumptionServer)7553 TEST_F(QUICMethodTest, ForbidCrossProtocolResumptionServer) {
7554 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7555
7556 g_last_session = nullptr;
7557
7558 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
7559 SSL_CTX_sess_set_new_cb(client_ctx_.get(), SaveLastSession);
7560 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7561 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7562
7563 ASSERT_TRUE(CreateClientAndServer());
7564 ASSERT_TRUE(CompleteHandshakesForQUIC());
7565
7566 ExpectHandshakeSuccess();
7567 EXPECT_FALSE(SSL_session_reused(client_.get()));
7568 EXPECT_FALSE(SSL_session_reused(server_.get()));
7569
7570 // The server sent NewSessionTicket messages in the handshake.
7571 EXPECT_FALSE(g_last_session);
7572 ASSERT_TRUE(ProvideHandshakeData(client_.get()));
7573 EXPECT_EQ(SSL_process_quic_post_handshake(client_.get()), 1);
7574 ASSERT_TRUE(g_last_session);
7575
7576 // Attempt a resumption with g_last_session using TLS_method.
7577 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
7578 ASSERT_TRUE(client_ctx);
7579
7580 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), nullptr));
7581
7582 bssl::UniquePtr<SSL> client(SSL_new(client_ctx.get())),
7583 server(SSL_new(server_ctx_.get()));
7584 ASSERT_TRUE(client);
7585 ASSERT_TRUE(server);
7586 SSL_set_connect_state(client.get());
7587 SSL_set_accept_state(server.get());
7588
7589 // The TLS-over-TCP client will refuse to resume with a quic session, so
7590 // mark is_quic = false to bypass the client check to test the server check.
7591 g_last_session->is_quic = false;
7592 SSL_set_session(client.get(), g_last_session.get());
7593
7594 BIO *bio1, *bio2;
7595 ASSERT_TRUE(BIO_new_bio_pair(&bio1, 0, &bio2, 0));
7596
7597 // SSL_set_bio takes ownership.
7598 SSL_set_bio(client.get(), bio1, bio1);
7599 SSL_set_bio(server.get(), bio2, bio2);
7600 ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
7601
7602 EXPECT_FALSE(SSL_session_reused(client.get()));
7603 EXPECT_FALSE(SSL_session_reused(server.get()));
7604 }
7605
TEST_F(QUICMethodTest,ClientRejectsMissingTransportParams)7606 TEST_F(QUICMethodTest, ClientRejectsMissingTransportParams) {
7607 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7608 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7609 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7610
7611 ASSERT_TRUE(CreateClientAndServer());
7612 ASSERT_TRUE(SSL_set_quic_transport_params(server_.get(), nullptr, 0));
7613 ASSERT_TRUE(RunQUICHandshakesAndExpectError(ExpectedError::kServerError));
7614 }
7615
TEST_F(QUICMethodTest,ServerRejectsMissingTransportParams)7616 TEST_F(QUICMethodTest, ServerRejectsMissingTransportParams) {
7617 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7618 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7619 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7620
7621 ASSERT_TRUE(CreateClientAndServer());
7622 ASSERT_TRUE(SSL_set_quic_transport_params(client_.get(), nullptr, 0));
7623 ASSERT_TRUE(RunQUICHandshakesAndExpectError(ExpectedError::kClientError));
7624 }
7625
TEST_F(QUICMethodTest,QuicLegacyCodepointEnabled)7626 TEST_F(QUICMethodTest, QuicLegacyCodepointEnabled) {
7627 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7628 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7629 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7630
7631 ASSERT_TRUE(CreateClientAndServer());
7632 uint8_t kClientParams[] = {1, 2, 3, 4};
7633 uint8_t kServerParams[] = {5, 6, 7};
7634 SSL_set_quic_use_legacy_codepoint(client_.get(), 1);
7635 SSL_set_quic_use_legacy_codepoint(server_.get(), 1);
7636 ASSERT_TRUE(SSL_set_quic_transport_params(client_.get(), kClientParams,
7637 sizeof(kClientParams)));
7638 ASSERT_TRUE(SSL_set_quic_transport_params(server_.get(), kServerParams,
7639 sizeof(kServerParams)));
7640
7641 ASSERT_TRUE(CompleteHandshakesForQUIC());
7642 ExpectReceivedTransportParamsEqual(client_.get(), kServerParams);
7643 ExpectReceivedTransportParamsEqual(server_.get(), kClientParams);
7644 }
7645
TEST_F(QUICMethodTest,QuicLegacyCodepointDisabled)7646 TEST_F(QUICMethodTest, QuicLegacyCodepointDisabled) {
7647 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7648 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7649 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7650
7651 ASSERT_TRUE(CreateClientAndServer());
7652 uint8_t kClientParams[] = {1, 2, 3, 4};
7653 uint8_t kServerParams[] = {5, 6, 7};
7654 SSL_set_quic_use_legacy_codepoint(client_.get(), 0);
7655 SSL_set_quic_use_legacy_codepoint(server_.get(), 0);
7656 ASSERT_TRUE(SSL_set_quic_transport_params(client_.get(), kClientParams,
7657 sizeof(kClientParams)));
7658 ASSERT_TRUE(SSL_set_quic_transport_params(server_.get(), kServerParams,
7659 sizeof(kServerParams)));
7660
7661 ASSERT_TRUE(CompleteHandshakesForQUIC());
7662 ExpectReceivedTransportParamsEqual(client_.get(), kServerParams);
7663 ExpectReceivedTransportParamsEqual(server_.get(), kClientParams);
7664 }
7665
TEST_F(QUICMethodTest,QuicLegacyCodepointClientOnly)7666 TEST_F(QUICMethodTest, QuicLegacyCodepointClientOnly) {
7667 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7668 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7669 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7670
7671 ASSERT_TRUE(CreateClientAndServer());
7672 uint8_t kClientParams[] = {1, 2, 3, 4};
7673 uint8_t kServerParams[] = {5, 6, 7};
7674 SSL_set_quic_use_legacy_codepoint(client_.get(), 1);
7675 SSL_set_quic_use_legacy_codepoint(server_.get(), 0);
7676 ASSERT_TRUE(SSL_set_quic_transport_params(client_.get(), kClientParams,
7677 sizeof(kClientParams)));
7678 ASSERT_TRUE(SSL_set_quic_transport_params(server_.get(), kServerParams,
7679 sizeof(kServerParams)));
7680
7681 ASSERT_TRUE(RunQUICHandshakesAndExpectError(ExpectedError::kServerError));
7682 }
7683
TEST_F(QUICMethodTest,QuicLegacyCodepointServerOnly)7684 TEST_F(QUICMethodTest, QuicLegacyCodepointServerOnly) {
7685 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7686 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7687 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7688
7689 ASSERT_TRUE(CreateClientAndServer());
7690 uint8_t kClientParams[] = {1, 2, 3, 4};
7691 uint8_t kServerParams[] = {5, 6, 7};
7692 SSL_set_quic_use_legacy_codepoint(client_.get(), 0);
7693 SSL_set_quic_use_legacy_codepoint(server_.get(), 1);
7694 ASSERT_TRUE(SSL_set_quic_transport_params(client_.get(), kClientParams,
7695 sizeof(kClientParams)));
7696 ASSERT_TRUE(SSL_set_quic_transport_params(server_.get(), kServerParams,
7697 sizeof(kServerParams)));
7698
7699 ASSERT_TRUE(RunQUICHandshakesAndExpectError(ExpectedError::kServerError));
7700 }
7701
7702 // Test that the default QUIC code point is consistent with
7703 // |TLSEXT_TYPE_quic_transport_parameters|. This test ensures we remember to
7704 // update the two values together.
TEST_F(QUICMethodTest,QuicCodePointDefault)7705 TEST_F(QUICMethodTest, QuicCodePointDefault) {
7706 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7707 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7708 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7709 SSL_CTX_set_select_certificate_cb(
7710 server_ctx_.get(),
7711 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
7712 const uint8_t *data;
7713 size_t len;
7714 if (!SSL_early_callback_ctx_extension_get(
7715 client_hello, TLSEXT_TYPE_quic_transport_parameters, &data,
7716 &len)) {
7717 ADD_FAILURE() << "Could not find quic_transport_parameters extension";
7718 return ssl_select_cert_error;
7719 }
7720 return ssl_select_cert_success;
7721 });
7722
7723 ASSERT_TRUE(CreateClientAndServer());
7724 ASSERT_TRUE(CompleteHandshakesForQUIC());
7725 }
7726
7727 extern "C" {
7728 int BORINGSSL_enum_c_type_test(void);
7729 }
7730
TEST(SSLTest,EnumTypes)7731 TEST(SSLTest, EnumTypes) {
7732 EXPECT_EQ(sizeof(int), sizeof(ssl_private_key_result_t));
7733 EXPECT_EQ(1, BORINGSSL_enum_c_type_test());
7734 }
7735
TEST_P(SSLVersionTest,DoubleSSLError)7736 TEST_P(SSLVersionTest, DoubleSSLError) {
7737 // Connect the inner SSL connections.
7738 ASSERT_TRUE(Connect());
7739
7740 // Make a pair of |BIO|s which wrap |client_| and |server_|.
7741 UniquePtr<BIO_METHOD> bio_method(BIO_meth_new(0, nullptr));
7742 ASSERT_TRUE(bio_method);
7743 ASSERT_TRUE(BIO_meth_set_read(
7744 bio_method.get(), [](BIO *bio, char *out, int len) -> int {
7745 SSL *ssl = static_cast<SSL *>(BIO_get_data(bio));
7746 int ret = SSL_read(ssl, out, len);
7747 int ssl_ret = SSL_get_error(ssl, ret);
7748 if (ssl_ret == SSL_ERROR_WANT_READ) {
7749 BIO_set_retry_read(bio);
7750 }
7751 return ret;
7752 }));
7753 ASSERT_TRUE(BIO_meth_set_write(
7754 bio_method.get(), [](BIO *bio, const char *in, int len) -> int {
7755 SSL *ssl = static_cast<SSL *>(BIO_get_data(bio));
7756 int ret = SSL_write(ssl, in, len);
7757 int ssl_ret = SSL_get_error(ssl, ret);
7758 if (ssl_ret == SSL_ERROR_WANT_WRITE) {
7759 BIO_set_retry_write(bio);
7760 }
7761 return ret;
7762 }));
7763 ASSERT_TRUE(BIO_meth_set_ctrl(
7764 bio_method.get(), [](BIO *bio, int cmd, long larg, void *parg) -> long {
7765 // |SSL| objects require |BIO_flush| support.
7766 if (cmd == BIO_CTRL_FLUSH) {
7767 return 1;
7768 }
7769 return 0;
7770 }));
7771
7772 UniquePtr<BIO> client_bio(BIO_new(bio_method.get()));
7773 ASSERT_TRUE(client_bio);
7774 BIO_set_data(client_bio.get(), client_.get());
7775 BIO_set_init(client_bio.get(), 1);
7776
7777 UniquePtr<BIO> server_bio(BIO_new(bio_method.get()));
7778 ASSERT_TRUE(server_bio);
7779 BIO_set_data(server_bio.get(), server_.get());
7780 BIO_set_init(server_bio.get(), 1);
7781
7782 // Wrap the inner connections in another layer of SSL.
7783 UniquePtr<SSL> client_outer(SSL_new(client_ctx_.get()));
7784 ASSERT_TRUE(client_outer);
7785 SSL_set_connect_state(client_outer.get());
7786 SSL_set_bio(client_outer.get(), client_bio.get(), client_bio.get());
7787 client_bio.release(); // |SSL_set_bio| takes ownership.
7788
7789 UniquePtr<SSL> server_outer(SSL_new(server_ctx_.get()));
7790 ASSERT_TRUE(server_outer);
7791 SSL_set_accept_state(server_outer.get());
7792 SSL_set_bio(server_outer.get(), server_bio.get(), server_bio.get());
7793 server_bio.release(); // |SSL_set_bio| takes ownership.
7794
7795 // Configure |client_outer| to reject the server certificate.
7796 SSL_set_custom_verify(
7797 client_outer.get(), SSL_VERIFY_PEER,
7798 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
7799 return ssl_verify_invalid;
7800 });
7801
7802 for (;;) {
7803 int client_ret = SSL_do_handshake(client_outer.get());
7804 int client_err = SSL_get_error(client_outer.get(), client_ret);
7805 if (client_err != SSL_ERROR_WANT_READ &&
7806 client_err != SSL_ERROR_WANT_WRITE) {
7807 // The client handshake should terminate on a certificate verification
7808 // error.
7809 EXPECT_EQ(SSL_ERROR_SSL, client_err);
7810 EXPECT_TRUE(ErrorEquals(ERR_peek_error(), ERR_LIB_SSL,
7811 SSL_R_CERTIFICATE_VERIFY_FAILED));
7812 break;
7813 }
7814
7815 // Run the server handshake and continue.
7816 int server_ret = SSL_do_handshake(server_outer.get());
7817 int server_err = SSL_get_error(server_outer.get(), server_ret);
7818 ASSERT_TRUE(server_err == SSL_ERROR_NONE ||
7819 server_err == SSL_ERROR_WANT_READ ||
7820 server_err == SSL_ERROR_WANT_WRITE);
7821 }
7822 }
7823
TEST_P(SSLVersionTest,SameKeyResume)7824 TEST_P(SSLVersionTest, SameKeyResume) {
7825 uint8_t key[48];
7826 RAND_bytes(key, sizeof(key));
7827
7828 bssl::UniquePtr<SSL_CTX> server_ctx2 = CreateContext();
7829 ASSERT_TRUE(server_ctx2);
7830 ASSERT_TRUE(UseCertAndKey(server_ctx2.get()));
7831 ASSERT_TRUE(
7832 SSL_CTX_set_tlsext_ticket_keys(server_ctx_.get(), key, sizeof(key)));
7833 ASSERT_TRUE(
7834 SSL_CTX_set_tlsext_ticket_keys(server_ctx2.get(), key, sizeof(key)));
7835
7836 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
7837 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
7838 SSL_CTX_set_session_cache_mode(server_ctx2.get(), SSL_SESS_CACHE_BOTH);
7839
7840 // Establish a session for |server_ctx_|.
7841 bssl::UniquePtr<SSL_SESSION> session =
7842 CreateClientSession(client_ctx_.get(), server_ctx_.get());
7843 ASSERT_TRUE(session);
7844 ClientConfig config;
7845 config.session = session.get();
7846
7847 // Resuming with |server_ctx_| again works.
7848 bssl::UniquePtr<SSL> client, server;
7849 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
7850 server_ctx_.get(), config));
7851 EXPECT_TRUE(SSL_session_reused(client.get()));
7852 EXPECT_TRUE(SSL_session_reused(server.get()));
7853
7854 // Resuming with |server_ctx2| also works.
7855 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
7856 server_ctx2.get(), config));
7857 EXPECT_TRUE(SSL_session_reused(client.get()));
7858 EXPECT_TRUE(SSL_session_reused(server.get()));
7859 }
7860
TEST_P(SSLVersionTest,DifferentKeyNoResume)7861 TEST_P(SSLVersionTest, DifferentKeyNoResume) {
7862 uint8_t key1[48], key2[48];
7863 RAND_bytes(key1, sizeof(key1));
7864 RAND_bytes(key2, sizeof(key2));
7865
7866 bssl::UniquePtr<SSL_CTX> server_ctx2 = CreateContext();
7867 ASSERT_TRUE(server_ctx2);
7868 ASSERT_TRUE(UseCertAndKey(server_ctx2.get()));
7869 ASSERT_TRUE(
7870 SSL_CTX_set_tlsext_ticket_keys(server_ctx_.get(), key1, sizeof(key1)));
7871 ASSERT_TRUE(
7872 SSL_CTX_set_tlsext_ticket_keys(server_ctx2.get(), key2, sizeof(key2)));
7873
7874 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
7875 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
7876 SSL_CTX_set_session_cache_mode(server_ctx2.get(), SSL_SESS_CACHE_BOTH);
7877
7878 // Establish a session for |server_ctx_|.
7879 bssl::UniquePtr<SSL_SESSION> session =
7880 CreateClientSession(client_ctx_.get(), server_ctx_.get());
7881 ASSERT_TRUE(session);
7882 ClientConfig config;
7883 config.session = session.get();
7884
7885 // Resuming with |server_ctx_| again works.
7886 bssl::UniquePtr<SSL> client, server;
7887 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
7888 server_ctx_.get(), config));
7889 EXPECT_TRUE(SSL_session_reused(client.get()));
7890 EXPECT_TRUE(SSL_session_reused(server.get()));
7891
7892 // Resuming with |server_ctx2| does not work.
7893 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
7894 server_ctx2.get(), config));
7895 EXPECT_FALSE(SSL_session_reused(client.get()));
7896 EXPECT_FALSE(SSL_session_reused(server.get()));
7897 }
7898
TEST_P(SSLVersionTest,UnrelatedServerNoResume)7899 TEST_P(SSLVersionTest, UnrelatedServerNoResume) {
7900 bssl::UniquePtr<SSL_CTX> server_ctx2 = CreateContext();
7901 ASSERT_TRUE(server_ctx2);
7902 ASSERT_TRUE(UseCertAndKey(server_ctx2.get()));
7903
7904 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
7905 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
7906 SSL_CTX_set_session_cache_mode(server_ctx2.get(), SSL_SESS_CACHE_BOTH);
7907
7908 // Establish a session for |server_ctx_|.
7909 bssl::UniquePtr<SSL_SESSION> session =
7910 CreateClientSession(client_ctx_.get(), server_ctx_.get());
7911 ASSERT_TRUE(session);
7912 ClientConfig config;
7913 config.session = session.get();
7914
7915 // Resuming with |server_ctx_| again works.
7916 bssl::UniquePtr<SSL> client, server;
7917 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
7918 server_ctx_.get(), config));
7919 EXPECT_TRUE(SSL_session_reused(client.get()));
7920 EXPECT_TRUE(SSL_session_reused(server.get()));
7921
7922 // Resuming with |server_ctx2| does not work.
7923 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
7924 server_ctx2.get(), config));
7925 EXPECT_FALSE(SSL_session_reused(client.get()));
7926 EXPECT_FALSE(SSL_session_reused(server.get()));
7927 }
7928
SessionIDOf(const SSL * ssl)7929 Span<const uint8_t> SessionIDOf(const SSL* ssl) {
7930 const SSL_SESSION *session = SSL_get_session(ssl);
7931 unsigned len;
7932 const uint8_t *data = SSL_SESSION_get_id(session, &len);
7933 return MakeConstSpan(data, len);
7934 }
7935
TEST_P(SSLVersionTest,TicketSessionIDsMatch)7936 TEST_P(SSLVersionTest, TicketSessionIDsMatch) {
7937 // This checks that the session IDs at client and server match after a ticket
7938 // resumption. It's unclear whether this should be true, but Envoy depends
7939 // on it in their tests so this will give an early signal if we break it.
7940 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
7941 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
7942
7943 bssl::UniquePtr<SSL_SESSION> session =
7944 CreateClientSession(client_ctx_.get(), server_ctx_.get());
7945
7946 bssl::UniquePtr<SSL> client, server;
7947 ClientConfig config;
7948 config.session = session.get();
7949 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
7950 server_ctx_.get(), config));
7951 EXPECT_TRUE(SSL_session_reused(client.get()));
7952 EXPECT_TRUE(SSL_session_reused(server.get()));
7953
7954 EXPECT_EQ(Bytes(SessionIDOf(client.get())), Bytes(SessionIDOf(server.get())));
7955 }
7956
WriteHelloRequest(SSL * server)7957 static void WriteHelloRequest(SSL *server) {
7958 // This function assumes TLS 1.2 with ChaCha20-Poly1305.
7959 ASSERT_EQ(SSL_version(server), TLS1_2_VERSION);
7960 ASSERT_EQ(SSL_CIPHER_get_cipher_nid(SSL_get_current_cipher(server)),
7961 NID_chacha20_poly1305);
7962
7963 // Encrypt a HelloRequest.
7964 uint8_t in[] = {SSL3_MT_HELLO_REQUEST, 0, 0, 0};
7965 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
7966 // Fuzzer-mode records are unencrypted.
7967 uint8_t record[5 + sizeof(in)];
7968 record[0] = SSL3_RT_HANDSHAKE;
7969 record[1] = 3;
7970 record[2] = 3; // TLS 1.2
7971 record[3] = 0;
7972 record[4] = sizeof(record) - 5;
7973 memcpy(record + 5, in, sizeof(in));
7974 #else
7975 // Extract key material from |server|.
7976 static const size_t kKeyLen = 32;
7977 static const size_t kNonceLen = 12;
7978 ASSERT_EQ(2u * (kKeyLen + kNonceLen), SSL_get_key_block_len(server));
7979 uint8_t key_block[2u * (kKeyLen + kNonceLen)];
7980 ASSERT_TRUE(SSL_generate_key_block(server, key_block, sizeof(key_block)));
7981 Span<uint8_t> key = MakeSpan(key_block + kKeyLen, kKeyLen);
7982 Span<uint8_t> nonce =
7983 MakeSpan(key_block + kKeyLen + kKeyLen + kNonceLen, kNonceLen);
7984
7985 uint8_t ad[13];
7986 uint64_t seq = SSL_get_write_sequence(server);
7987 for (size_t i = 0; i < 8; i++) {
7988 // The nonce is XORed with the sequence number.
7989 nonce[11 - i] ^= uint8_t(seq);
7990 ad[7 - i] = uint8_t(seq);
7991 seq >>= 8;
7992 }
7993
7994 ad[8] = SSL3_RT_HANDSHAKE;
7995 ad[9] = 3;
7996 ad[10] = 3; // TLS 1.2
7997 ad[11] = 0;
7998 ad[12] = sizeof(in);
7999
8000 uint8_t record[5 + sizeof(in) + 16];
8001 record[0] = SSL3_RT_HANDSHAKE;
8002 record[1] = 3;
8003 record[2] = 3; // TLS 1.2
8004 record[3] = 0;
8005 record[4] = sizeof(record) - 5;
8006
8007 ScopedEVP_AEAD_CTX aead;
8008 ASSERT_TRUE(EVP_AEAD_CTX_init(aead.get(), EVP_aead_chacha20_poly1305(),
8009 key.data(), key.size(),
8010 EVP_AEAD_DEFAULT_TAG_LENGTH, nullptr));
8011 size_t len;
8012 ASSERT_TRUE(EVP_AEAD_CTX_seal(aead.get(), record + 5, &len,
8013 sizeof(record) - 5, nonce.data(), nonce.size(),
8014 in, sizeof(in), ad, sizeof(ad)));
8015 ASSERT_EQ(sizeof(record) - 5, len);
8016 #endif // BORINGSSL_UNSAFE_FUZZER_MODE
8017
8018 ASSERT_EQ(int(sizeof(record)),
8019 BIO_write(SSL_get_wbio(server), record, sizeof(record)));
8020 }
8021
TEST(SSLTest,WriteWhileExplicitRenegotiate)8022 TEST(SSLTest, WriteWhileExplicitRenegotiate) {
8023 bssl::UniquePtr<SSL_CTX> ctx(CreateContextWithTestCertificate(TLS_method()));
8024 ASSERT_TRUE(ctx);
8025
8026 ASSERT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_2_VERSION));
8027 ASSERT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_2_VERSION));
8028 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(
8029 ctx.get(), "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"));
8030
8031 bssl::UniquePtr<SSL> client, server;
8032 ASSERT_TRUE(CreateClientAndServer(&client, &server, ctx.get(), ctx.get()));
8033 SSL_set_renegotiate_mode(client.get(), ssl_renegotiate_explicit);
8034 ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
8035
8036 static const uint8_t kInput[] = {'h', 'e', 'l', 'l', 'o'};
8037
8038 // Write "hello" until the buffer is full, so |client| has a pending write.
8039 size_t num_writes = 0;
8040 for (;;) {
8041 int ret = SSL_write(client.get(), kInput, sizeof(kInput));
8042 if (ret != int(sizeof(kInput))) {
8043 ASSERT_EQ(-1, ret);
8044 ASSERT_EQ(SSL_ERROR_WANT_WRITE, SSL_get_error(client.get(), ret));
8045 break;
8046 }
8047 num_writes++;
8048 }
8049
8050 ASSERT_NO_FATAL_FAILURE(WriteHelloRequest(server.get()));
8051
8052 // |SSL_read| should pick up the HelloRequest.
8053 uint8_t byte;
8054 ASSERT_EQ(-1, SSL_read(client.get(), &byte, 1));
8055 ASSERT_EQ(SSL_ERROR_WANT_RENEGOTIATE, SSL_get_error(client.get(), -1));
8056
8057 // Drain the data from the |client|.
8058 uint8_t buf[sizeof(kInput)];
8059 for (size_t i = 0; i < num_writes; i++) {
8060 ASSERT_EQ(int(sizeof(buf)), SSL_read(server.get(), buf, sizeof(buf)));
8061 EXPECT_EQ(Bytes(buf), Bytes(kInput));
8062 }
8063
8064 // |client| should be able to finish the pending write and continue to write,
8065 // despite the paused HelloRequest.
8066 ASSERT_EQ(int(sizeof(kInput)),
8067 SSL_write(client.get(), kInput, sizeof(kInput)));
8068 ASSERT_EQ(int(sizeof(buf)), SSL_read(server.get(), buf, sizeof(buf)));
8069 EXPECT_EQ(Bytes(buf), Bytes(kInput));
8070
8071 ASSERT_EQ(int(sizeof(kInput)),
8072 SSL_write(client.get(), kInput, sizeof(kInput)));
8073 ASSERT_EQ(int(sizeof(buf)), SSL_read(server.get(), buf, sizeof(buf)));
8074 EXPECT_EQ(Bytes(buf), Bytes(kInput));
8075
8076 // |SSL_read| is stuck until we acknowledge the HelloRequest.
8077 ASSERT_EQ(-1, SSL_read(client.get(), &byte, 1));
8078 ASSERT_EQ(SSL_ERROR_WANT_RENEGOTIATE, SSL_get_error(client.get(), -1));
8079
8080 ASSERT_TRUE(SSL_renegotiate(client.get()));
8081 ASSERT_EQ(-1, SSL_read(client.get(), &byte, 1));
8082 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(client.get(), -1));
8083
8084 // We never renegotiate as a server.
8085 ASSERT_EQ(-1, SSL_read(server.get(), buf, sizeof(buf)));
8086 ASSERT_EQ(SSL_ERROR_SSL, SSL_get_error(server.get(), -1));
8087 EXPECT_TRUE(
8088 ErrorEquals(ERR_get_error(), ERR_LIB_SSL, SSL_R_NO_RENEGOTIATION));
8089 }
8090
TEST(SSLTest,ConnectionPropertiesDuringRenegotiate)8091 TEST(SSLTest, ConnectionPropertiesDuringRenegotiate) {
8092 // Configure known connection properties, so we can check against them.
8093 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
8094 ASSERT_TRUE(ctx);
8095 bssl::UniquePtr<X509> cert = GetTestCertificate();
8096 ASSERT_TRUE(cert);
8097 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
8098 ASSERT_TRUE(key);
8099 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), cert.get()));
8100 ASSERT_TRUE(SSL_CTX_use_PrivateKey(ctx.get(), key.get()));
8101 ASSERT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_2_VERSION));
8102 ASSERT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_2_VERSION));
8103 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(
8104 ctx.get(), "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"));
8105 ASSERT_TRUE(SSL_CTX_set1_groups_list(ctx.get(), "X25519"));
8106 ASSERT_TRUE(SSL_CTX_set1_sigalgs_list(ctx.get(), "rsa_pkcs1_sha256"));
8107
8108 // Connect a client and server that accept renegotiation.
8109 bssl::UniquePtr<SSL> client, server;
8110 ASSERT_TRUE(CreateClientAndServer(&client, &server, ctx.get(), ctx.get()));
8111 SSL_set_renegotiate_mode(client.get(), ssl_renegotiate_freely);
8112 ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
8113
8114 auto check_properties = [&] {
8115 EXPECT_EQ(SSL_version(client.get()), TLS1_2_VERSION);
8116 const SSL_CIPHER *cipher = SSL_get_current_cipher(client.get());
8117 ASSERT_TRUE(cipher);
8118 EXPECT_EQ(SSL_CIPHER_get_id(cipher),
8119 uint32_t{TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256});
8120 EXPECT_EQ(SSL_get_group_id(client.get()), SSL_GROUP_X25519);
8121 EXPECT_EQ(SSL_get_negotiated_group(client.get()), NID_X25519);
8122 EXPECT_EQ(SSL_get_peer_signature_algorithm(client.get()),
8123 SSL_SIGN_RSA_PKCS1_SHA256);
8124 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(client.get()));
8125 ASSERT_TRUE(peer);
8126 EXPECT_EQ(X509_cmp(cert.get(), peer.get()), 0);
8127 };
8128 check_properties();
8129
8130 // The server sends a HelloRequest.
8131 ASSERT_NO_FATAL_FAILURE(WriteHelloRequest(server.get()));
8132
8133 // Reading from the client will consume the HelloRequest, start a
8134 // renegotiation, and then block on a ServerHello from the server.
8135 uint8_t byte;
8136 ASSERT_EQ(-1, SSL_read(client.get(), &byte, 1));
8137 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(client.get(), -1));
8138
8139 // Connection properties should continue to report values from the original
8140 // handshake.
8141 check_properties();
8142 }
8143
TEST(SSLTest,CopyWithoutEarlyData)8144 TEST(SSLTest, CopyWithoutEarlyData) {
8145 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
8146 bssl::UniquePtr<SSL_CTX> server_ctx(
8147 CreateContextWithTestCertificate(TLS_method()));
8148 ASSERT_TRUE(client_ctx);
8149 ASSERT_TRUE(server_ctx);
8150
8151 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
8152 SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH);
8153 SSL_CTX_set_early_data_enabled(client_ctx.get(), 1);
8154 SSL_CTX_set_early_data_enabled(server_ctx.get(), 1);
8155
8156 bssl::UniquePtr<SSL_SESSION> session =
8157 CreateClientSession(client_ctx.get(), server_ctx.get());
8158 ASSERT_TRUE(session);
8159
8160 // The client should attempt early data with |session|.
8161 bssl::UniquePtr<SSL> client, server;
8162 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
8163 server_ctx.get()));
8164 SSL_set_session(client.get(), session.get());
8165 SSL_set_early_data_enabled(client.get(), 1);
8166 ASSERT_EQ(1, SSL_do_handshake(client.get()));
8167 EXPECT_TRUE(SSL_in_early_data(client.get()));
8168
8169 // |SSL_SESSION_copy_without_early_data| should disable early data but
8170 // still resume the session.
8171 bssl::UniquePtr<SSL_SESSION> session2(
8172 SSL_SESSION_copy_without_early_data(session.get()));
8173 ASSERT_TRUE(session2);
8174 EXPECT_NE(session.get(), session2.get());
8175 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
8176 server_ctx.get()));
8177 SSL_set_session(client.get(), session2.get());
8178 SSL_set_early_data_enabled(client.get(), 1);
8179 EXPECT_TRUE(CompleteHandshakes(client.get(), server.get()));
8180 EXPECT_TRUE(SSL_session_reused(client.get()));
8181 EXPECT_EQ(ssl_early_data_unsupported_for_session,
8182 SSL_get_early_data_reason(client.get()));
8183
8184 // |SSL_SESSION_copy_without_early_data| should be a reference count increase
8185 // when passed an early-data-incapable session.
8186 bssl::UniquePtr<SSL_SESSION> session3(
8187 SSL_SESSION_copy_without_early_data(session2.get()));
8188 EXPECT_EQ(session2.get(), session3.get());
8189 }
8190
TEST(SSLTest,ProcessTLS13NewSessionTicket)8191 TEST(SSLTest, ProcessTLS13NewSessionTicket) {
8192 // Configure client and server to negotiate TLS 1.3 only.
8193 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
8194 bssl::UniquePtr<SSL_CTX> server_ctx(
8195 CreateContextWithTestCertificate(TLS_method()));
8196 ASSERT_TRUE(client_ctx);
8197 ASSERT_TRUE(server_ctx);
8198 ASSERT_TRUE(SSL_CTX_set_min_proto_version(client_ctx.get(), TLS1_3_VERSION));
8199 ASSERT_TRUE(SSL_CTX_set_min_proto_version(server_ctx.get(), TLS1_3_VERSION));
8200 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION));
8201 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
8202
8203 bssl::UniquePtr<SSL> client, server;
8204 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
8205 server_ctx.get()));
8206 EXPECT_EQ(TLS1_3_VERSION, SSL_version(client.get()));
8207
8208 // Process a TLS 1.3 NewSessionTicket.
8209 static const uint8_t kTicket[] = {
8210 0x04, 0x00, 0x00, 0xb2, 0x00, 0x02, 0xa3, 0x00, 0x04, 0x03, 0x02, 0x01,
8211 0x01, 0x00, 0x00, 0xa0, 0x01, 0x06, 0x09, 0x11, 0x16, 0x19, 0x21, 0x26,
8212 0x29, 0x31, 0x36, 0x39, 0x41, 0x46, 0x49, 0x51, 0x03, 0x06, 0x09, 0x13,
8213 0x16, 0x19, 0x23, 0x26, 0x29, 0x33, 0x36, 0x39, 0x43, 0x46, 0x49, 0x53,
8214 0xf7, 0x00, 0x29, 0xec, 0xf2, 0xc4, 0xa4, 0x41, 0xfc, 0x30, 0x17, 0x2e,
8215 0x9f, 0x7c, 0xa8, 0xaf, 0x75, 0x70, 0xf0, 0x1f, 0xc7, 0x98, 0xf7, 0xcf,
8216 0x5a, 0x5a, 0x6b, 0x5b, 0xfe, 0xf1, 0xe7, 0x3a, 0xe8, 0xf7, 0x6c, 0xd2,
8217 0xa8, 0xa6, 0x92, 0x5b, 0x96, 0x8d, 0xde, 0xdb, 0xd3, 0x20, 0x6a, 0xcb,
8218 0x69, 0x06, 0xf4, 0x91, 0x85, 0x2e, 0xe6, 0x5e, 0x0c, 0x59, 0xf2, 0x9e,
8219 0x9b, 0x79, 0x91, 0x24, 0x7e, 0x4a, 0x32, 0x3d, 0xbe, 0x4b, 0x80, 0x70,
8220 0xaf, 0xd0, 0x1d, 0xe2, 0xca, 0x05, 0x35, 0x09, 0x09, 0x05, 0x0f, 0xbb,
8221 0xc4, 0xae, 0xd7, 0xc4, 0xed, 0xd7, 0xae, 0x35, 0xc8, 0x73, 0x63, 0x78,
8222 0x64, 0xc9, 0x7a, 0x1f, 0xed, 0x7a, 0x9a, 0x47, 0x44, 0xfd, 0x50, 0xf7,
8223 0xb7, 0xe0, 0x64, 0xa9, 0x02, 0xc1, 0x5c, 0x23, 0x18, 0x3f, 0xc4, 0xcf,
8224 0x72, 0x02, 0x59, 0x2d, 0xe1, 0xaa, 0x61, 0x72, 0x00, 0x04, 0x5a, 0x5a,
8225 0x00, 0x00,
8226 };
8227 bssl::UniquePtr<SSL_SESSION> session(SSL_process_tls13_new_session_ticket(
8228 client.get(), kTicket, sizeof(kTicket)));
8229 ASSERT_TRUE(session);
8230 ASSERT_TRUE(SSL_SESSION_has_ticket(session.get()));
8231
8232 uint8_t *session_buf = nullptr;
8233 size_t session_length = 0;
8234 ASSERT_TRUE(
8235 SSL_SESSION_to_bytes(session.get(), &session_buf, &session_length));
8236 bssl::UniquePtr<uint8_t> session_buf_free(session_buf);
8237 ASSERT_TRUE(session_buf);
8238 ASSERT_GT(session_length, 0u);
8239
8240 // Servers cannot call |SSL_process_tls13_new_session_ticket|.
8241 ASSERT_FALSE(SSL_process_tls13_new_session_ticket(server.get(), kTicket,
8242 sizeof(kTicket)));
8243
8244 // Clients cannot call |SSL_process_tls13_new_session_ticket| before the
8245 // handshake completes.
8246 bssl::UniquePtr<SSL> client2(SSL_new(client_ctx.get()));
8247 ASSERT_TRUE(client2);
8248 SSL_set_connect_state(client2.get());
8249 ASSERT_FALSE(SSL_process_tls13_new_session_ticket(client2.get(), kTicket,
8250 sizeof(kTicket)));
8251 }
8252
TEST(SSLTest,BIO)8253 TEST(SSLTest, BIO) {
8254 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
8255 bssl::UniquePtr<SSL_CTX> server_ctx(
8256 CreateContextWithTestCertificate(TLS_method()));
8257 ASSERT_TRUE(client_ctx);
8258 ASSERT_TRUE(server_ctx);
8259
8260 for (bool take_ownership : {true, false}) {
8261 // For simplicity, get the handshake out of the way first.
8262 bssl::UniquePtr<SSL> client, server;
8263 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
8264 server_ctx.get()));
8265
8266 // Wrap |client| in an SSL BIO.
8267 bssl::UniquePtr<BIO> client_bio(BIO_new(BIO_f_ssl()));
8268 ASSERT_TRUE(client_bio);
8269 ASSERT_EQ(1, BIO_set_ssl(client_bio.get(), client.get(), take_ownership));
8270 if (take_ownership) {
8271 client.release();
8272 }
8273
8274 // Flushing the BIO should not crash.
8275 EXPECT_EQ(1, BIO_flush(client_bio.get()));
8276
8277 // Exchange some data.
8278 EXPECT_EQ(5, BIO_write(client_bio.get(), "hello", 5));
8279 uint8_t buf[5];
8280 ASSERT_EQ(5, SSL_read(server.get(), buf, sizeof(buf)));
8281 EXPECT_EQ(Bytes("hello"), Bytes(buf));
8282
8283 EXPECT_EQ(5, SSL_write(server.get(), "world", 5));
8284 ASSERT_EQ(5, BIO_read(client_bio.get(), buf, sizeof(buf)));
8285 EXPECT_EQ(Bytes("world"), Bytes(buf));
8286
8287 // |BIO_should_read| should work.
8288 EXPECT_EQ(-1, BIO_read(client_bio.get(), buf, sizeof(buf)));
8289 EXPECT_TRUE(BIO_should_read(client_bio.get()));
8290
8291 // Writing data should eventually exceed the buffer size and fail, reporting
8292 // |BIO_should_write|.
8293 int ret;
8294 for (int i = 0; i < 1024; i++) {
8295 const uint8_t kZeros[1024] = {0};
8296 ret = BIO_write(client_bio.get(), kZeros, sizeof(kZeros));
8297 if (ret <= 0) {
8298 break;
8299 }
8300 }
8301 EXPECT_EQ(-1, ret);
8302 EXPECT_TRUE(BIO_should_write(client_bio.get()));
8303 }
8304 }
8305
TEST(SSLTest,ALPNConfig)8306 TEST(SSLTest, ALPNConfig) {
8307 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
8308 ASSERT_TRUE(ctx);
8309 bssl::UniquePtr<X509> cert = GetTestCertificate();
8310 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
8311 ASSERT_TRUE(cert);
8312 ASSERT_TRUE(key);
8313 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), cert.get()));
8314 ASSERT_TRUE(SSL_CTX_use_PrivateKey(ctx.get(), key.get()));
8315
8316 // Set up some machinery to check the configured ALPN against what is actually
8317 // sent over the wire. Note that the ALPN callback is only called when the
8318 // client offers ALPN.
8319 std::vector<uint8_t> observed_alpn;
8320 SSL_CTX_set_alpn_select_cb(
8321 ctx.get(),
8322 [](SSL *ssl, const uint8_t **out, uint8_t *out_len, const uint8_t *in,
8323 unsigned in_len, void *arg) -> int {
8324 std::vector<uint8_t> *observed_alpn_ptr =
8325 static_cast<std::vector<uint8_t> *>(arg);
8326 observed_alpn_ptr->assign(in, in + in_len);
8327 return SSL_TLSEXT_ERR_NOACK;
8328 },
8329 &observed_alpn);
8330 auto check_alpn_proto = [&](Span<const uint8_t> expected) {
8331 observed_alpn.clear();
8332 bssl::UniquePtr<SSL> client, server;
8333 ASSERT_TRUE(ConnectClientAndServer(&client, &server, ctx.get(), ctx.get()));
8334 EXPECT_EQ(Bytes(expected), Bytes(observed_alpn));
8335 };
8336
8337 // Note that |SSL_CTX_set_alpn_protos|'s return value is reversed.
8338 static const uint8_t kValidList[] = {0x03, 'f', 'o', 'o',
8339 0x03, 'b', 'a', 'r'};
8340 EXPECT_EQ(0,
8341 SSL_CTX_set_alpn_protos(ctx.get(), kValidList, sizeof(kValidList)));
8342 check_alpn_proto(kValidList);
8343
8344 // Invalid lists are rejected.
8345 static const uint8_t kInvalidList[] = {0x04, 'f', 'o', 'o'};
8346 EXPECT_EQ(1, SSL_CTX_set_alpn_protos(ctx.get(), kInvalidList,
8347 sizeof(kInvalidList)));
8348
8349 // Empty lists are valid and are interpreted as disabling ALPN.
8350 EXPECT_EQ(0, SSL_CTX_set_alpn_protos(ctx.get(), nullptr, 0));
8351 check_alpn_proto({});
8352 }
8353
8354 // This is a basic unit-test class to verify completing handshake successfully,
8355 // sending the correct codepoint extension and having correct application
8356 // setting on different combination of ALPS codepoint settings. More integration
8357 // tests on runner.go.
8358 class AlpsNewCodepointTest : public testing::Test {
8359 protected:
SetUp()8360 void SetUp() override {
8361 client_ctx_.reset(SSL_CTX_new(TLS_method()));
8362 server_ctx_ = CreateContextWithTestCertificate(TLS_method());
8363 ASSERT_TRUE(client_ctx_);
8364 ASSERT_TRUE(server_ctx_);
8365 }
8366
SetUpApplicationSetting()8367 void SetUpApplicationSetting() {
8368 static const uint8_t alpn[] = {0x03, 'f', 'o', 'o'};
8369 static const uint8_t proto[] = {'f', 'o', 'o'};
8370 static const uint8_t alps[] = {0x04, 'a', 'l', 'p', 's'};
8371 // SSL_set_alpn_protos's return value is backwards. It returns zero on
8372 // success and one on failure.
8373 ASSERT_FALSE(SSL_set_alpn_protos(client_.get(), alpn, sizeof(alpn)));
8374 SSL_CTX_set_alpn_select_cb(
8375 server_ctx_.get(),
8376 [](SSL *ssl, const uint8_t **out, uint8_t *out_len, const uint8_t *in,
8377 unsigned in_len, void *arg) -> int {
8378 return SSL_select_next_proto(
8379 const_cast<uint8_t **>(out), out_len, in, in_len,
8380 alpn, sizeof(alpn)) == OPENSSL_NPN_NEGOTIATED
8381 ? SSL_TLSEXT_ERR_OK
8382 : SSL_TLSEXT_ERR_NOACK;
8383 },
8384 nullptr);
8385 ASSERT_TRUE(SSL_add_application_settings(client_.get(), proto,
8386 sizeof(proto), nullptr, 0));
8387 ASSERT_TRUE(SSL_add_application_settings(server_.get(), proto,
8388 sizeof(proto), alps, sizeof(alps)));
8389 }
8390
8391 bssl::UniquePtr<SSL_CTX> client_ctx_;
8392 bssl::UniquePtr<SSL_CTX> server_ctx_;
8393
8394 bssl::UniquePtr<SSL> client_;
8395 bssl::UniquePtr<SSL> server_;
8396 };
8397
TEST_F(AlpsNewCodepointTest,Enabled)8398 TEST_F(AlpsNewCodepointTest, Enabled) {
8399 SetUpExpectedNewCodePoint(server_ctx_.get());
8400
8401 ASSERT_TRUE(CreateClientAndServer(&client_, &server_, client_ctx_.get(),
8402 server_ctx_.get()));
8403
8404 SSL_set_alps_use_new_codepoint(client_.get(), 1);
8405 SSL_set_alps_use_new_codepoint(server_.get(), 1);
8406
8407 SetUpApplicationSetting();
8408 ASSERT_TRUE(CompleteHandshakes(client_.get(), server_.get()));
8409 ASSERT_TRUE(SSL_has_application_settings(client_.get()));
8410 }
8411
TEST_F(AlpsNewCodepointTest,Disabled)8412 TEST_F(AlpsNewCodepointTest, Disabled) {
8413 // Both client and server disable alps new codepoint.
8414 SetUpExpectedOldCodePoint(server_ctx_.get());
8415
8416 ASSERT_TRUE(CreateClientAndServer(&client_, &server_, client_ctx_.get(),
8417 server_ctx_.get()));
8418
8419 SSL_set_alps_use_new_codepoint(client_.get(), 0);
8420 SSL_set_alps_use_new_codepoint(server_.get(), 0);
8421
8422 SetUpApplicationSetting();
8423 ASSERT_TRUE(CompleteHandshakes(client_.get(), server_.get()));
8424 ASSERT_TRUE(SSL_has_application_settings(client_.get()));
8425 }
8426
TEST_F(AlpsNewCodepointTest,ClientOnly)8427 TEST_F(AlpsNewCodepointTest, ClientOnly) {
8428 // If client set new codepoint but server doesn't set, server ignores it.
8429 SetUpExpectedNewCodePoint(server_ctx_.get());
8430
8431 ASSERT_TRUE(CreateClientAndServer(&client_, &server_, client_ctx_.get(),
8432 server_ctx_.get()));
8433
8434 SSL_set_alps_use_new_codepoint(client_.get(), 1);
8435 SSL_set_alps_use_new_codepoint(server_.get(), 0);
8436
8437 SetUpApplicationSetting();
8438 ASSERT_TRUE(CompleteHandshakes(client_.get(), server_.get()));
8439 ASSERT_FALSE(SSL_has_application_settings(client_.get()));
8440 }
8441
TEST_F(AlpsNewCodepointTest,ServerOnly)8442 TEST_F(AlpsNewCodepointTest, ServerOnly) {
8443 // If client doesn't set new codepoint, while server set.
8444 SetUpExpectedOldCodePoint(server_ctx_.get());
8445
8446 ASSERT_TRUE(CreateClientAndServer(&client_, &server_, client_ctx_.get(),
8447 server_ctx_.get()));
8448
8449 SSL_set_alps_use_new_codepoint(client_.get(), 0);
8450 SSL_set_alps_use_new_codepoint(server_.get(), 1);
8451
8452 SetUpApplicationSetting();
8453 ASSERT_TRUE(CompleteHandshakes(client_.get(), server_.get()));
8454 ASSERT_FALSE(SSL_has_application_settings(client_.get()));
8455 }
8456
8457 // Test that the key usage checker can correctly handle issuerUID and
8458 // subjectUID. See https://crbug.com/1199744.
TEST(SSLTest,KeyUsageWithUIDs)8459 TEST(SSLTest, KeyUsageWithUIDs) {
8460 static const char kGoodKeyUsage[] = R"(
8461 -----BEGIN CERTIFICATE-----
8462 MIIB7DCCAZOgAwIBAgIJANlMBNpJfb/rMAoGCCqGSM49BAMCMEUxCzAJBgNVBAYT
8463 AkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRn
8464 aXRzIFB0eSBMdGQwHhcNMTQwNDIzMjMyMTU3WhcNMTQwNTIzMjMyMTU3WjBFMQsw
8465 CQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJu
8466 ZXQgV2lkZ2l0cyBQdHkgTHRkMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE5itp
8467 4r9ln5e+Lx4NlIpM1Zdrt6keDUb73ampHp3culoB59aXqAoY+cPEox5W4nyDSNsW
8468 Ghz1HX7xlC1Lz3IiwYEEABI0VoIEABI0VqNgMF4wHQYDVR0OBBYEFKuE0qyrlfCC
8469 ThZ4B1VXX+QmjYLRMB8GA1UdIwQYMBaAFKuE0qyrlfCCThZ4B1VXX+QmjYLRMA4G
8470 A1UdDwEB/wQEAwIHgDAMBgNVHRMEBTADAQH/MAoGCCqGSM49BAMCA0cAMEQCIEWJ
8471 34EcqW5MHwLIA1hZ2Tj/jV2QjN02KLxis9mFsqDKAiAMlMTkzsM51vVs9Ohqa+Rc
8472 4Z7qDhjIhiF4dM0uEDYRVA==
8473 -----END CERTIFICATE-----
8474 )";
8475 static const char kBadKeyUsage[] = R"(
8476 -----BEGIN CERTIFICATE-----
8477 MIIB7jCCAZOgAwIBAgIJANlMBNpJfb/rMAoGCCqGSM49BAMCMEUxCzAJBgNVBAYT
8478 AkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRn
8479 aXRzIFB0eSBMdGQwHhcNMTQwNDIzMjMyMTU3WhcNMTQwNTIzMjMyMTU3WjBFMQsw
8480 CQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJu
8481 ZXQgV2lkZ2l0cyBQdHkgTHRkMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE5itp
8482 4r9ln5e+Lx4NlIpM1Zdrt6keDUb73ampHp3culoB59aXqAoY+cPEox5W4nyDSNsW
8483 Ghz1HX7xlC1Lz3IiwYEEABI0VoIEABI0VqNgMF4wHQYDVR0OBBYEFKuE0qyrlfCC
8484 ThZ4B1VXX+QmjYLRMB8GA1UdIwQYMBaAFKuE0qyrlfCCThZ4B1VXX+QmjYLRMA4G
8485 A1UdDwEB/wQEAwIDCDAMBgNVHRMEBTADAQH/MAoGCCqGSM49BAMCA0kAMEYCIQC6
8486 taYBUDu2gcZC6EMk79FBHArYI0ucF+kzvETegZCbBAIhANtObFec5gtso/47moPD
8487 RHrQbWsFUakETXL9QMlegh5t
8488 -----END CERTIFICATE-----
8489 )";
8490
8491 bssl::UniquePtr<X509> good = CertFromPEM(kGoodKeyUsage);
8492 ASSERT_TRUE(good);
8493 bssl::UniquePtr<X509> bad = CertFromPEM(kBadKeyUsage);
8494 ASSERT_TRUE(bad);
8495
8496 // We check key usage when configuring EC certificates to distinguish ECDSA
8497 // and ECDH.
8498 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
8499 ASSERT_TRUE(ctx);
8500 EXPECT_TRUE(SSL_CTX_use_certificate(ctx.get(), good.get()));
8501 EXPECT_FALSE(SSL_CTX_use_certificate(ctx.get(), bad.get()));
8502 }
8503
8504 // Test that |SSL_can_release_private_key| reports true as early as expected.
8505 // The internal asserts in the library check we do not report true too early.
TEST(SSLTest,CanReleasePrivateKey)8506 TEST(SSLTest, CanReleasePrivateKey) {
8507 bssl::UniquePtr<SSL_CTX> client_ctx =
8508 CreateContextWithTestCertificate(TLS_method());
8509 ASSERT_TRUE(client_ctx);
8510 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
8511
8512 // Note this assumes the transport buffer is large enough to fit the client
8513 // and server first flights. We check this with |SSL_ERROR_WANT_READ|. If the
8514 // transport buffer was too small it would return |SSL_ERROR_WANT_WRITE|.
8515 auto check_first_server_round_trip = [&](SSL *client, SSL *server) {
8516 // Write the ClientHello.
8517 ASSERT_EQ(-1, SSL_do_handshake(client));
8518 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(client, -1));
8519
8520 // Consume the ClientHello and write the server flight.
8521 ASSERT_EQ(-1, SSL_do_handshake(server));
8522 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(server, -1));
8523
8524 EXPECT_TRUE(SSL_can_release_private_key(server));
8525 };
8526
8527 {
8528 SCOPED_TRACE("TLS 1.2 ECDHE");
8529 bssl::UniquePtr<SSL_CTX> server_ctx(
8530 CreateContextWithTestCertificate(TLS_method()));
8531 ASSERT_TRUE(server_ctx);
8532 ASSERT_TRUE(
8533 SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_2_VERSION));
8534 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(
8535 server_ctx.get(), "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"));
8536 // Configure the server to request client certificates, so we can also test
8537 // the client half.
8538 SSL_CTX_set_custom_verify(
8539 server_ctx.get(), SSL_VERIFY_PEER,
8540 [](SSL *ssl, uint8_t *out_alert) { return ssl_verify_ok; });
8541 bssl::UniquePtr<SSL> client, server;
8542 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
8543 server_ctx.get()));
8544 check_first_server_round_trip(client.get(), server.get());
8545
8546 // Consume the server flight and write the client response. The client still
8547 // has a Finished message to consume but can also release its key early.
8548 ASSERT_EQ(-1, SSL_do_handshake(client.get()));
8549 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(client.get(), -1));
8550 EXPECT_TRUE(SSL_can_release_private_key(client.get()));
8551
8552 // However, a client that has not disabled renegotiation can never release
8553 // the key.
8554 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
8555 server_ctx.get()));
8556 SSL_set_renegotiate_mode(client.get(), ssl_renegotiate_freely);
8557 check_first_server_round_trip(client.get(), server.get());
8558 ASSERT_EQ(-1, SSL_do_handshake(client.get()));
8559 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(client.get(), -1));
8560 EXPECT_FALSE(SSL_can_release_private_key(client.get()));
8561 }
8562
8563 {
8564 SCOPED_TRACE("TLS 1.2 resumption");
8565 bssl::UniquePtr<SSL_CTX> server_ctx(
8566 CreateContextWithTestCertificate(TLS_method()));
8567 ASSERT_TRUE(server_ctx);
8568 ASSERT_TRUE(
8569 SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_2_VERSION));
8570 bssl::UniquePtr<SSL_SESSION> session =
8571 CreateClientSession(client_ctx.get(), server_ctx.get());
8572 ASSERT_TRUE(session);
8573 bssl::UniquePtr<SSL> client, server;
8574 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
8575 server_ctx.get()));
8576 SSL_set_session(client.get(), session.get());
8577 check_first_server_round_trip(client.get(), server.get());
8578 }
8579
8580 {
8581 SCOPED_TRACE("TLS 1.3 1-RTT");
8582 bssl::UniquePtr<SSL_CTX> server_ctx(
8583 CreateContextWithTestCertificate(TLS_method()));
8584 ASSERT_TRUE(server_ctx);
8585 ASSERT_TRUE(
8586 SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
8587 bssl::UniquePtr<SSL> client, server;
8588 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
8589 server_ctx.get()));
8590 check_first_server_round_trip(client.get(), server.get());
8591 }
8592
8593 {
8594 SCOPED_TRACE("TLS 1.3 resumption");
8595 bssl::UniquePtr<SSL_CTX> server_ctx(
8596 CreateContextWithTestCertificate(TLS_method()));
8597 ASSERT_TRUE(server_ctx);
8598 ASSERT_TRUE(
8599 SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
8600 bssl::UniquePtr<SSL_SESSION> session =
8601 CreateClientSession(client_ctx.get(), server_ctx.get());
8602 ASSERT_TRUE(session);
8603 bssl::UniquePtr<SSL> client, server;
8604 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
8605 server_ctx.get()));
8606 SSL_set_session(client.get(), session.get());
8607 check_first_server_round_trip(client.get(), server.get());
8608 }
8609 }
8610
8611 // GetExtensionOrder sets |*out| to the list of extensions a client attached to
8612 // |ctx| will send in the ClientHello. If |ech_keys| is non-null, the client
8613 // will offer ECH with the public component. If |decrypt_ech| is true, |*out|
8614 // will be set to the ClientHelloInner's extensions, rather than
8615 // ClientHelloOuter.
GetExtensionOrder(SSL_CTX * client_ctx,std::vector<uint16_t> * out,SSL_ECH_KEYS * ech_keys,bool decrypt_ech)8616 static bool GetExtensionOrder(SSL_CTX *client_ctx, std::vector<uint16_t> *out,
8617 SSL_ECH_KEYS *ech_keys, bool decrypt_ech) {
8618 struct AppData {
8619 std::vector<uint16_t> *out;
8620 bool decrypt_ech;
8621 bool callback_done = false;
8622 };
8623 AppData app_data;
8624 app_data.out = out;
8625 app_data.decrypt_ech = decrypt_ech;
8626
8627 bssl::UniquePtr<SSL_CTX> server_ctx =
8628 CreateContextWithTestCertificate(TLS_method());
8629 if (!server_ctx || //
8630 !SSL_CTX_set_app_data(server_ctx.get(), &app_data) ||
8631 (decrypt_ech && !SSL_CTX_set1_ech_keys(server_ctx.get(), ech_keys))) {
8632 return false;
8633 }
8634
8635 // Configure the server to record the ClientHello extension order. We use a
8636 // server rather than |GetClientHello| so it can decrypt ClientHelloInner.
8637 SSL_CTX_set_select_certificate_cb(
8638 server_ctx.get(),
8639 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
8640 AppData *app_data_ptr = static_cast<AppData *>(
8641 SSL_CTX_get_app_data(SSL_get_SSL_CTX(client_hello->ssl)));
8642 EXPECT_EQ(app_data_ptr->decrypt_ech ? 1 : 0,
8643 SSL_ech_accepted(client_hello->ssl));
8644
8645 app_data_ptr->out->clear();
8646 CBS extensions;
8647 CBS_init(&extensions, client_hello->extensions,
8648 client_hello->extensions_len);
8649 while (CBS_len(&extensions)) {
8650 uint16_t type;
8651 CBS body;
8652 if (!CBS_get_u16(&extensions, &type) ||
8653 !CBS_get_u16_length_prefixed(&extensions, &body)) {
8654 return ssl_select_cert_error;
8655 }
8656 app_data_ptr->out->push_back(type);
8657 }
8658
8659 // Don't bother completing the handshake.
8660 app_data_ptr->callback_done = true;
8661 return ssl_select_cert_error;
8662 });
8663
8664 bssl::UniquePtr<SSL> client, server;
8665 if (!CreateClientAndServer(&client, &server, client_ctx, server_ctx.get()) ||
8666 (ech_keys != nullptr && !InstallECHConfigList(client.get(), ech_keys))) {
8667 return false;
8668 }
8669
8670 // Run the handshake far enough to process the ClientHello.
8671 SSL_do_handshake(client.get());
8672 SSL_do_handshake(server.get());
8673 return app_data.callback_done;
8674 }
8675
8676 // Test that, when extension permutation is enabled, the ClientHello extension
8677 // order changes, both with and without ECH, and in both ClientHelloInner and
8678 // ClientHelloOuter.
TEST(SSLTest,PermuteExtensions)8679 TEST(SSLTest, PermuteExtensions) {
8680 bssl::UniquePtr<SSL_ECH_KEYS> keys = MakeTestECHKeys();
8681 ASSERT_TRUE(keys);
8682 for (bool offer_ech : {false, true}) {
8683 SCOPED_TRACE(offer_ech);
8684 SSL_ECH_KEYS *maybe_keys = offer_ech ? keys.get() : nullptr;
8685 for (bool decrypt_ech : {false, true}) {
8686 SCOPED_TRACE(decrypt_ech);
8687 if (!offer_ech && decrypt_ech) {
8688 continue;
8689 }
8690
8691 // When extension permutation is disabled, the order should be consistent.
8692 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
8693 ASSERT_TRUE(ctx);
8694 std::vector<uint16_t> order1, order2;
8695 ASSERT_TRUE(
8696 GetExtensionOrder(ctx.get(), &order1, maybe_keys, decrypt_ech));
8697 ASSERT_TRUE(
8698 GetExtensionOrder(ctx.get(), &order2, maybe_keys, decrypt_ech));
8699 EXPECT_EQ(order1, order2);
8700
8701 ctx.reset(SSL_CTX_new(TLS_method()));
8702 ASSERT_TRUE(ctx);
8703 SSL_CTX_set_permute_extensions(ctx.get(), 1);
8704
8705 // When extension permutation is enabled, each ClientHello should have a
8706 // different order.
8707 //
8708 // This test is inherently flaky, so we run it multiple times. We send at
8709 // least five extensions by default from TLS 1.3: supported_versions,
8710 // key_share, supported_groups, psk_key_exchange_modes, and
8711 // signature_algorithms. That means the probability of a false negative is
8712 // at most 1/120. Repeating the test 14 times lowers false negative rate
8713 // to under 2^-96.
8714 ASSERT_TRUE(
8715 GetExtensionOrder(ctx.get(), &order1, maybe_keys, decrypt_ech));
8716 EXPECT_GE(order1.size(), 5u);
8717 static const int kNumIterations = 14;
8718 bool passed = false;
8719 for (int i = 0; i < kNumIterations; i++) {
8720 ASSERT_TRUE(
8721 GetExtensionOrder(ctx.get(), &order2, maybe_keys, decrypt_ech));
8722 if (order1 != order2) {
8723 passed = true;
8724 break;
8725 }
8726 }
8727 EXPECT_TRUE(passed) << "Extensions were not permuted";
8728 }
8729 }
8730 }
8731
TEST(SSLTest,HostMatching)8732 TEST(SSLTest, HostMatching) {
8733 static const char kCertPEM[] = R"(
8734 -----BEGIN CERTIFICATE-----
8735 MIIB9jCCAZ2gAwIBAgIQeudG9R61BOxUvWkeVhU5DTAKBggqhkjOPQQDAjApMRAw
8736 DgYDVQQKEwdBY21lIENvMRUwEwYDVQQDEwxleGFtcGxlMy5jb20wHhcNMjExMjA2
8737 MjA1NjU2WhcNMjIxMjA2MjA1NjU2WjApMRAwDgYDVQQKEwdBY21lIENvMRUwEwYD
8738 VQQDEwxleGFtcGxlMy5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS7l2VO
8739 Bl2TjVm9WfGk24+hMbVFUNB+RVHWbCvFvNZAoWiIJ2z34RLGInyZvCZ8xLAvsuaW
8740 ULDDaoeDl1M0t4Hmo4GmMIGjMA4GA1UdDwEB/wQEAwIChDATBgNVHSUEDDAKBggr
8741 BgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTTJWurcc1t+VPQBko3
8742 Gsw6cbcWSTBMBgNVHREERTBDggxleGFtcGxlMS5jb22CDGV4YW1wbGUyLmNvbYIP
8743 YSouZXhhbXBsZTQuY29tgg4qLmV4YW1wbGU1LmNvbYcEAQIDBDAKBggqhkjOPQQD
8744 AgNHADBEAiAAv0ljHJGrgyzZDkG6XvNZ5ewxRfnXcZuD0Y7E4giCZgIgNK1qjilu
8745 5DyVbfKeeJhOCtGxqE1dWLXyJBnoRomSYBY=
8746 -----END CERTIFICATE-----
8747 )";
8748 bssl::UniquePtr<X509> cert(CertFromPEM(kCertPEM));
8749 ASSERT_TRUE(cert);
8750 static const char kCertNoSANsPEM[] = R"(
8751 -----BEGIN CERTIFICATE-----
8752 MIIBqzCCAVGgAwIBAgIQeudG9R61BOxUvWkeVhU5DTAKBggqhkjOPQQDAjArMRIw
8753 EAYDVQQKEwlBY21lIENvIDIxFTATBgNVBAMTDGV4YW1wbGUzLmNvbTAeFw0yMTEy
8754 MDYyMDU2NTZaFw0yMjEyMDYyMDU2NTZaMCsxEjAQBgNVBAoTCUFjbWUgQ28gMjEV
8755 MBMGA1UEAxMMZXhhbXBsZTMuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
8756 u5dlTgZdk41ZvVnxpNuPoTG1RVDQfkVR1mwrxbzWQKFoiCds9+ESxiJ8mbwmfMSw
8757 L7LmllCww2qHg5dTNLeB5qNXMFUwDgYDVR0PAQH/BAQDAgKEMBMGA1UdJQQMMAoG
8758 CCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNMla6txzW35U9AG
8759 SjcazDpxtxZJMAoGCCqGSM49BAMCA0gAMEUCIG3YWGWtpVhbcGV7wFKQwTfmvwHW
8760 pw4qCFZlool4hCwsAiEA+2fc6NfSbNpFEtQkDOMJW2ANiScAVEmImNqPfb2klz4=
8761 -----END CERTIFICATE-----
8762 )";
8763 bssl::UniquePtr<X509> cert_no_sans(CertFromPEM(kCertNoSANsPEM));
8764 ASSERT_TRUE(cert_no_sans);
8765
8766 static const char kKeyPEM[] = R"(
8767 -----BEGIN PRIVATE KEY-----
8768 MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQghsaSZhUzZAcQlLyJ
8769 MDuy7WPdyqNsAX9rmEP650LF/q2hRANCAAS7l2VOBl2TjVm9WfGk24+hMbVFUNB+
8770 RVHWbCvFvNZAoWiIJ2z34RLGInyZvCZ8xLAvsuaWULDDaoeDl1M0t4Hm
8771 -----END PRIVATE KEY-----
8772 )";
8773 bssl::UniquePtr<EVP_PKEY> key(KeyFromPEM(kKeyPEM));
8774 ASSERT_TRUE(key);
8775
8776 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
8777 ASSERT_TRUE(client_ctx);
8778 ASSERT_TRUE(X509_STORE_add_cert(SSL_CTX_get_cert_store(client_ctx.get()),
8779 cert.get()));
8780 ASSERT_TRUE(X509_STORE_add_cert(SSL_CTX_get_cert_store(client_ctx.get()),
8781 cert_no_sans.get()));
8782 SSL_CTX_set_verify(client_ctx.get(),
8783 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
8784 nullptr);
8785 X509_VERIFY_PARAM_set_flags(SSL_CTX_get0_param(client_ctx.get()),
8786 X509_V_FLAG_NO_CHECK_TIME);
8787
8788 struct TestCase {
8789 X509 *cert;
8790 std::string hostname;
8791 unsigned flags;
8792 bool should_match;
8793 };
8794 std::vector<TestCase> kTests = {
8795 // These two names are present as SANs in the certificate.
8796 {cert.get(), "example1.com", 0, true},
8797 {cert.get(), "example2.com", 0, true},
8798 // This is the CN of the certificate, but that shouldn't matter if a SAN
8799 // extension is present.
8800 {cert.get(), "example3.com", 0, false},
8801 // If the SAN is not present, we, for now, look for DNS names in the CN.
8802 {cert_no_sans.get(), "example3.com", 0, true},
8803 // ... but this can be turned off.
8804 {cert_no_sans.get(), "example3.com", X509_CHECK_FLAG_NEVER_CHECK_SUBJECT,
8805 false},
8806 // a*.example4.com is a SAN, but is invalid.
8807 {cert.get(), "abc.example4.com", 0, false},
8808 // *.example5.com is a SAN in the certificate, which is a normal and valid
8809 // wildcard.
8810 {cert.get(), "abc.example5.com", 0, true},
8811 // This name is not present.
8812 {cert.get(), "notexample1.com", 0, false},
8813 // The IPv4 address 1.2.3.4 is a SAN, but that shouldn't match against a
8814 // hostname that happens to be its textual representation.
8815 {cert.get(), "1.2.3.4", 0, false},
8816 };
8817
8818 for (const TestCase &test : kTests) {
8819 SCOPED_TRACE(test.hostname);
8820
8821 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
8822 ASSERT_TRUE(server_ctx);
8823 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), test.cert));
8824 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
8825
8826 ClientConfig config;
8827 bssl::UniquePtr<SSL> client, server;
8828 config.verify_hostname = test.hostname;
8829 config.hostflags = test.flags;
8830 EXPECT_EQ(test.should_match,
8831 ConnectClientAndServer(&client, &server, client_ctx.get(),
8832 server_ctx.get(), config));
8833 }
8834 }
8835
TEST(SSLTest,NumTickets)8836 TEST(SSLTest, NumTickets) {
8837 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
8838 ASSERT_TRUE(server_ctx);
8839 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
8840 ASSERT_TRUE(client_ctx);
8841 bssl::UniquePtr<X509> cert = GetTestCertificate();
8842 ASSERT_TRUE(cert);
8843 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
8844 ASSERT_TRUE(key);
8845 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
8846 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
8847 SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH);
8848
8849 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
8850 static size_t ticket_count;
8851 SSL_CTX_sess_set_new_cb(client_ctx.get(), [](SSL *, SSL_SESSION *) -> int {
8852 ticket_count++;
8853 return 0;
8854 });
8855
8856 auto count_tickets = [&]() -> size_t {
8857 ticket_count = 0;
8858 bssl::UniquePtr<SSL> client, server;
8859 if (!ConnectClientAndServer(&client, &server, client_ctx.get(),
8860 server_ctx.get()) ||
8861 !FlushNewSessionTickets(client.get(), server.get())) {
8862 ADD_FAILURE() << "Could not run handshake";
8863 return 0;
8864 }
8865 return ticket_count;
8866 };
8867
8868 // By default, we should send two tickets.
8869 EXPECT_EQ(count_tickets(), 2u);
8870
8871 for (size_t num_tickets : {0, 1, 2, 3, 4, 5}) {
8872 SCOPED_TRACE(num_tickets);
8873 ASSERT_TRUE(SSL_CTX_set_num_tickets(server_ctx.get(), num_tickets));
8874 EXPECT_EQ(SSL_CTX_get_num_tickets(server_ctx.get()), num_tickets);
8875 EXPECT_EQ(count_tickets(), num_tickets);
8876 }
8877
8878 // Configuring too many tickets causes us to stop at some point.
8879 ASSERT_TRUE(SSL_CTX_set_num_tickets(server_ctx.get(), 100000));
8880 EXPECT_EQ(SSL_CTX_get_num_tickets(server_ctx.get()), 16u);
8881 EXPECT_EQ(count_tickets(), 16u);
8882 }
8883
TEST(SSLTest,CertSubjectsToStack)8884 TEST(SSLTest, CertSubjectsToStack) {
8885 const std::string kCert1 = R"(
8886 -----BEGIN CERTIFICATE-----
8887 MIIBzzCCAXagAwIBAgIJANlMBNpJfb/rMAkGByqGSM49BAEwRTELMAkGA1UEBhMC
8888 QVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdp
8889 dHMgUHR5IEx0ZDAeFw0xNDA0MjMyMzIxNTdaFw0xNDA1MjMyMzIxNTdaMEUxCzAJ
8890 BgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5l
8891 dCBXaWRnaXRzIFB0eSBMdGQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATmK2ni
8892 v2Wfl74vHg2UikzVl2u3qR4NRvvdqakendy6WgHn1peoChj5w8SjHlbifINI2xYa
8893 HPUdfvGULUvPciLBo1AwTjAdBgNVHQ4EFgQUq4TSrKuV8IJOFngHVVdf5CaNgtEw
8894 HwYDVR0jBBgwFoAUq4TSrKuV8IJOFngHVVdf5CaNgtEwDAYDVR0TBAUwAwEB/zAJ
8895 BgcqhkjOPQQBA0gAMEUCIQDyoDVeUTo2w4J5m+4nUIWOcAZ0lVfSKXQA9L4Vh13E
8896 BwIgfB55FGohg/B6dGh5XxSZmmi08cueFV7mHzJSYV51yRQ=
8897 -----END CERTIFICATE-----
8898 )";
8899 const std::vector<uint8_t> kName1 = {
8900 0x30, 0x45, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
8901 0x02, 0x41, 0x55, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
8902 0x0c, 0x0a, 0x53, 0x6f, 0x6d, 0x65, 0x2d, 0x53, 0x74, 0x61, 0x74, 0x65,
8903 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x18, 0x49,
8904 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x20, 0x57, 0x69, 0x64, 0x67,
8905 0x69, 0x74, 0x73, 0x20, 0x50, 0x74, 0x79, 0x20, 0x4c, 0x74, 0x64};
8906 const std::string kCert2 = R"(
8907 -----BEGIN CERTIFICATE-----
8908 MIICXjCCAcegAwIBAgIIWjO48ufpunYwDQYJKoZIhvcNAQELBQAwNjEaMBgGA1UE
8909 ChMRQm9yaW5nU1NMIFRFU1RJTkcxGDAWBgNVBAMTD0ludGVybWVkaWF0ZSBDQTAg
8910 Fw0xNTAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowMjEaMBgGA1UEChMRQm9y
8911 aW5nU1NMIFRFU1RJTkcxFDASBgNVBAMTC2V4YW1wbGUuY29tMIGfMA0GCSqGSIb3
8912 DQEBAQUAA4GNADCBiQKBgQDD0U0ZYgqShJ7oOjsyNKyVXEHqeafmk/bAoPqY/h1c
8913 oPw2E8KmeqiUSoTPjG5IXSblOxcqpbAXgnjPzo8DI3GNMhAf8SYNYsoH7gc7Uy7j
8914 5x8bUrisGnuTHqkqH6d4/e7ETJ7i3CpR8bvK16DggEvQTudLipz8FBHtYhFakfdh
8915 TwIDAQABo3cwdTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEG
8916 CCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwGQYDVR0OBBIEEKN5pvbur7mlXjeMEYA0
8917 4nUwGwYDVR0jBBQwEoAQjBpoqLV2211Xex+NFLIGozANBgkqhkiG9w0BAQsFAAOB
8918 gQBj/p+JChp//LnXWC1k121LM/ii7hFzQzMrt70bny406SGz9jAjaPOX4S3gt38y
8919 rhjpPukBlSzgQXFg66y6q5qp1nQTD1Cw6NkKBe9WuBlY3iYfmsf7WT8nhlT1CttU
8920 xNCwyMX9mtdXdQicOfNjIGUCD5OLV5PgHFPRKiHHioBAhg==
8921 -----END CERTIFICATE-----
8922 )";
8923 const std::vector<uint8_t> kName2 = {
8924 0x30, 0x32, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0a,
8925 0x13, 0x11, 0x42, 0x6f, 0x72, 0x69, 0x6e, 0x67, 0x53, 0x53, 0x4c,
8926 0x20, 0x54, 0x45, 0x53, 0x54, 0x49, 0x4e, 0x47, 0x31, 0x14, 0x30,
8927 0x12, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x0b, 0x65, 0x78, 0x61,
8928 0x6d, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d};
8929
8930 const struct {
8931 std::vector<std::vector<uint8_t>> existing;
8932 std::string pem;
8933 std::vector<std::vector<uint8_t>> expected;
8934 } kTests[] = {
8935 // Do nothing.
8936 {{}, "", {}},
8937 // Append to an empty list, skipping duplicates.
8938 {{}, kCert1 + kCert2 + kCert1, {kName1, kName2}},
8939 // One of the names was already present.
8940 {{kName1}, kCert1 + kCert2, {kName1, kName2}},
8941 // Both names were already present.
8942 {{kName1, kName2}, kCert1 + kCert2, {kName1, kName2}},
8943 // Preserve existing duplicates.
8944 {{kName1, kName2, kName2}, kCert1 + kCert2, {kName1, kName2, kName2}},
8945 };
8946 for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kTests); i++) {
8947 SCOPED_TRACE(i);
8948 const auto &t = kTests[i];
8949
8950 bssl::UniquePtr<STACK_OF(X509_NAME)> stack(sk_X509_NAME_new_null());
8951 ASSERT_TRUE(stack);
8952 for (const auto& name : t.existing) {
8953 const uint8_t *inp = name.data();
8954 bssl::UniquePtr<X509_NAME> name_obj(
8955 d2i_X509_NAME(nullptr, &inp, name.size()));
8956 ASSERT_TRUE(name_obj);
8957 EXPECT_EQ(inp, name.data() + name.size());
8958 ASSERT_TRUE(bssl::PushToStack(stack.get(), std::move(name_obj)));
8959 }
8960
8961 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(t.pem.data(), t.pem.size()));
8962 ASSERT_TRUE(bio);
8963 ASSERT_TRUE(SSL_add_bio_cert_subjects_to_stack(stack.get(), bio.get()));
8964
8965 // The function should have left |stack|'s comparison function alone.
8966 EXPECT_EQ(nullptr, sk_X509_NAME_set_cmp_func(stack.get(), nullptr));
8967
8968 std::vector<std::vector<uint8_t>> expected = t.expected, result;
8969 for (X509_NAME *name : stack.get()) {
8970 uint8_t *der = nullptr;
8971 int der_len = i2d_X509_NAME(name, &der);
8972 ASSERT_GE(der_len, 0);
8973 result.push_back(std::vector<uint8_t>(der, der + der_len));
8974 OPENSSL_free(der);
8975 }
8976
8977 // |SSL_add_bio_cert_subjects_to_stack| does not return the output in a
8978 // well-defined order.
8979 std::sort(expected.begin(), expected.end());
8980 std::sort(result.begin(), result.end());
8981 EXPECT_EQ(result, expected);
8982 }
8983 }
8984
TEST(SSLTest,EmptyClientCAList)8985 TEST(SSLTest, EmptyClientCAList) {
8986 if (SkipTempFileTests()) {
8987 GTEST_SKIP();
8988 }
8989
8990 TemporaryFile empty;
8991 ASSERT_TRUE(empty.Init());
8992 bssl::UniquePtr<STACK_OF(X509_NAME)> names(
8993 SSL_load_client_CA_file(empty.path().c_str()));
8994 EXPECT_FALSE(names);
8995 }
8996
TEST(SSLTest,EmptyWriteBlockedOnHandshakeData)8997 TEST(SSLTest, EmptyWriteBlockedOnHandshakeData) {
8998 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
8999 bssl::UniquePtr<SSL_CTX> server_ctx =
9000 CreateContextWithTestCertificate(TLS_method());
9001 ASSERT_TRUE(client_ctx);
9002 ASSERT_TRUE(server_ctx);
9003 // Configure only TLS 1.3. This test requires post-handshake NewSessionTicket.
9004 ASSERT_TRUE(SSL_CTX_set_min_proto_version(client_ctx.get(), TLS1_3_VERSION));
9005 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION));
9006
9007 // Connect a client and server with tiny buffer between the two.
9008 bssl::UniquePtr<SSL> client(SSL_new(client_ctx.get())),
9009 server(SSL_new(server_ctx.get()));
9010 ASSERT_TRUE(client);
9011 ASSERT_TRUE(server);
9012 SSL_set_connect_state(client.get());
9013 SSL_set_accept_state(server.get());
9014 BIO *bio1, *bio2;
9015 ASSERT_TRUE(BIO_new_bio_pair(&bio1, 1, &bio2, 1));
9016 SSL_set_bio(client.get(), bio1, bio1);
9017 SSL_set_bio(server.get(), bio2, bio2);
9018 ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
9019
9020 // We defer NewSessionTicket to the first write, so the server has a pending
9021 // NewSessionTicket. See https://boringssl-review.googlesource.com/34948. This
9022 // means an empty write will flush the ticket. However, the transport only
9023 // allows one byte through, so this will fail with |SSL_ERROR_WANT_WRITE|.
9024 int ret = SSL_write(server.get(), nullptr, 0);
9025 ASSERT_EQ(ret, -1);
9026 ASSERT_EQ(SSL_get_error(server.get(), ret), SSL_ERROR_WANT_WRITE);
9027
9028 // Attempting to write non-zero data should not trip |SSL_R_BAD_WRITE_RETRY|.
9029 const uint8_t kData[] = {'h', 'e', 'l', 'l', 'o'};
9030 ret = SSL_write(server.get(), kData, sizeof(kData));
9031 ASSERT_EQ(ret, -1);
9032 ASSERT_EQ(SSL_get_error(server.get(), ret), SSL_ERROR_WANT_WRITE);
9033
9034 // Byte by byte, the data should eventually get through.
9035 uint8_t buf[sizeof(kData)];
9036 for (;;) {
9037 ret = SSL_read(client.get(), buf, sizeof(buf));
9038 ASSERT_EQ(ret, -1);
9039 ASSERT_EQ(SSL_get_error(client.get(), ret), SSL_ERROR_WANT_READ);
9040
9041 ret = SSL_write(server.get(), kData, sizeof(kData));
9042 if (ret > 0) {
9043 ASSERT_EQ(ret, 5);
9044 break;
9045 }
9046 ASSERT_EQ(ret, -1);
9047 ASSERT_EQ(SSL_get_error(server.get(), ret), SSL_ERROR_WANT_WRITE);
9048 }
9049
9050 ret = SSL_read(client.get(), buf, sizeof(buf));
9051 ASSERT_EQ(ret, static_cast<int>(sizeof(kData)));
9052 ASSERT_EQ(Bytes(buf, ret), Bytes(kData));
9053 }
9054
9055 // Test that |SSL_ERROR_SYSCALL| continues to work after a close_notify.
TEST(SSLTest,ErrorSyscallAfterCloseNotify)9056 TEST(SSLTest, ErrorSyscallAfterCloseNotify) {
9057 // Make a custom |BIO| where writes fail, but without pushing to the error
9058 // queue.
9059 bssl::UniquePtr<BIO_METHOD> method(BIO_meth_new(0, nullptr));
9060 ASSERT_TRUE(method);
9061 BIO_meth_set_create(method.get(), [](BIO *b) -> int {
9062 BIO_set_init(b, 1);
9063 return 1;
9064 });
9065 static bool write_failed = false;
9066 BIO_meth_set_write(method.get(), [](BIO *, const char *, int) -> int {
9067 // Fail the operation and don't add to the error queue.
9068 write_failed = true;
9069 return -1;
9070 });
9071 bssl::UniquePtr<BIO> wbio_silent_error(BIO_new(method.get()));
9072 ASSERT_TRUE(wbio_silent_error);
9073
9074 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
9075 bssl::UniquePtr<SSL_CTX> server_ctx =
9076 CreateContextWithTestCertificate(TLS_method());
9077 ASSERT_TRUE(client_ctx);
9078 ASSERT_TRUE(server_ctx);
9079 bssl::UniquePtr<SSL> client, server;
9080 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
9081 server_ctx.get()));
9082
9083 // Replace the write |BIO| with |wbio_silent_error|.
9084 SSL_set0_wbio(client.get(), wbio_silent_error.release());
9085
9086 // Writes should fail. There is nothing in the error queue, so
9087 // |SSL_ERROR_SYSCALL| indicates the caller needs to check out-of-band.
9088 const uint8_t data[1] = {0};
9089 int ret = SSL_write(client.get(), data, sizeof(data));
9090 EXPECT_EQ(ret, -1);
9091 EXPECT_EQ(SSL_get_error(client.get(), ret), SSL_ERROR_SYSCALL);
9092 EXPECT_TRUE(write_failed);
9093 write_failed = false;
9094
9095 // Send a close_notify from the server. It should return 0 because
9096 // close_notify was sent, but not received. Confusingly, this is a success
9097 // output for |SSL_shutdown|'s API.
9098 EXPECT_EQ(SSL_shutdown(server.get()), 0);
9099
9100 // Read the close_notify on the client.
9101 uint8_t buf[1];
9102 ret = SSL_read(client.get(), buf, sizeof(buf));
9103 EXPECT_EQ(ret, 0);
9104 EXPECT_EQ(SSL_get_error(client.get(), ret), SSL_ERROR_ZERO_RETURN);
9105
9106 // Further calls to |SSL_read| continue to report |SSL_ERROR_ZERO_RETURN|.
9107 ret = SSL_read(client.get(), buf, sizeof(buf));
9108 EXPECT_EQ(ret, 0);
9109 EXPECT_EQ(SSL_get_error(client.get(), ret), SSL_ERROR_ZERO_RETURN);
9110
9111 // Although the client has seen close_notify, it should continue to report
9112 // |SSL_ERROR_SYSCALL| when its writes fail.
9113 ret = SSL_write(client.get(), data, sizeof(data));
9114 EXPECT_EQ(ret, -1);
9115 EXPECT_EQ(SSL_get_error(client.get(), ret), SSL_ERROR_SYSCALL);
9116 EXPECT_TRUE(write_failed);
9117 write_failed = false;
9118
9119 // Cause |BIO_write| to fail with a return value of zero instead.
9120 // |SSL_get_error| should not misinterpret this as a close_notify.
9121 //
9122 // This is not actually a correct implementation of |BIO_write|, but the rest
9123 // of the code treats zero from |BIO_write| as an error, so ensure it does so
9124 // correctly. Fixing https://crbug.com/boringssl/503 will make this case moot.
9125 BIO_meth_set_write(method.get(), [](BIO *, const char *, int) -> int {
9126 write_failed = true;
9127 return 0;
9128 });
9129 ret = SSL_write(client.get(), data, sizeof(data));
9130 EXPECT_EQ(ret, 0);
9131 EXPECT_EQ(SSL_get_error(client.get(), ret), SSL_ERROR_SYSCALL);
9132 EXPECT_TRUE(write_failed);
9133 write_failed = false;
9134 }
9135
9136 // Test that |SSL_shutdown|, when quiet shutdown is enabled, simulates receiving
9137 // a close_notify, down to |SSL_read| reporting |SSL_ERROR_ZERO_RETURN|.
TEST(SSLTest,QuietShutdown)9138 TEST(SSLTest, QuietShutdown) {
9139 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
9140 bssl::UniquePtr<SSL_CTX> server_ctx =
9141 CreateContextWithTestCertificate(TLS_method());
9142 ASSERT_TRUE(client_ctx);
9143 ASSERT_TRUE(server_ctx);
9144 SSL_CTX_set_quiet_shutdown(server_ctx.get(), 1);
9145 bssl::UniquePtr<SSL> client, server;
9146 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
9147 server_ctx.get()));
9148
9149 // Quiet shutdown is enabled, so |SSL_shutdown| on the server should
9150 // immediately return that bidirectional shutdown "completed".
9151 EXPECT_EQ(SSL_shutdown(server.get()), 1);
9152
9153 // Shut down writes so the client gets an EOF.
9154 EXPECT_TRUE(BIO_shutdown_wr(SSL_get_wbio(server.get())));
9155
9156 // Confirm no close notify was actually sent. Client reads should report a
9157 // transport EOF, not a close_notify. (Both have zero return, but
9158 // |SSL_get_error| is different.)
9159 char buf[1];
9160 int ret = SSL_read(client.get(), buf, sizeof(buf));
9161 EXPECT_EQ(ret, 0);
9162 EXPECT_EQ(SSL_get_error(client.get(), ret), SSL_ERROR_SYSCALL);
9163
9164 // The server believes bidirectional shutdown completed, so reads should
9165 // replay the (simulated) close_notify.
9166 ret = SSL_read(server.get(), buf, sizeof(buf));
9167 EXPECT_EQ(ret, 0);
9168 EXPECT_EQ(SSL_get_error(server.get(), ret), SSL_ERROR_ZERO_RETURN);
9169 }
9170
TEST(SSLTest,InvalidSignatureAlgorithm)9171 TEST(SSLTest, InvalidSignatureAlgorithm) {
9172 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
9173 ASSERT_TRUE(ctx);
9174
9175 static const uint16_t kInvalidPrefs[] = {1234};
9176 EXPECT_FALSE(SSL_CTX_set_signing_algorithm_prefs(
9177 ctx.get(), kInvalidPrefs, OPENSSL_ARRAY_SIZE(kInvalidPrefs)));
9178 EXPECT_FALSE(SSL_CTX_set_verify_algorithm_prefs(
9179 ctx.get(), kInvalidPrefs, OPENSSL_ARRAY_SIZE(kInvalidPrefs)));
9180
9181 static const uint16_t kDuplicatePrefs[] = {SSL_SIGN_RSA_PKCS1_SHA256,
9182 SSL_SIGN_RSA_PKCS1_SHA256};
9183 EXPECT_FALSE(SSL_CTX_set_signing_algorithm_prefs(
9184 ctx.get(), kDuplicatePrefs, OPENSSL_ARRAY_SIZE(kDuplicatePrefs)));
9185 EXPECT_FALSE(SSL_CTX_set_verify_algorithm_prefs(
9186 ctx.get(), kDuplicatePrefs, OPENSSL_ARRAY_SIZE(kDuplicatePrefs)));
9187 }
9188
TEST(SSLTest,InvalidGroups)9189 TEST(SSLTest, InvalidGroups) {
9190 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
9191 ASSERT_TRUE(ctx);
9192
9193 static const uint16_t kInvalidIDs[] = {1234};
9194 EXPECT_FALSE(SSL_CTX_set1_group_ids(
9195 ctx.get(), kInvalidIDs, OPENSSL_ARRAY_SIZE(kInvalidIDs)));
9196
9197 // This is a valid NID, but it is not a valid group.
9198 static const int kInvalidNIDs[] = {NID_rsaEncryption};
9199 EXPECT_FALSE(SSL_CTX_set1_groups(
9200 ctx.get(), kInvalidNIDs, OPENSSL_ARRAY_SIZE(kInvalidNIDs)));
9201 }
9202
TEST(SSLTest,NameLists)9203 TEST(SSLTest, NameLists) {
9204 struct {
9205 size_t (*func)(const char **, size_t);
9206 std::vector<std::string> expected;
9207 } kTests[] = {
9208 {SSL_get_all_version_names, {"TLSv1.3", "DTLSv1.2", "unknown"}},
9209 {SSL_get_all_standard_cipher_names,
9210 {"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_AES_128_GCM_SHA256"}},
9211 {SSL_get_all_cipher_names,
9212 {"ECDHE-ECDSA-AES128-GCM-SHA256", "TLS_AES_128_GCM_SHA256", "(NONE)"}},
9213 {SSL_get_all_group_names, {"P-256", "X25519"}},
9214 {SSL_get_all_signature_algorithm_names,
9215 {"rsa_pkcs1_sha256", "ecdsa_secp256r1_sha256", "ecdsa_sha256"}},
9216 };
9217 for (const auto &t : kTests) {
9218 size_t num = t.func(nullptr, 0);
9219 EXPECT_GT(num, 0u);
9220
9221 std::vector<const char*> list(num);
9222 EXPECT_EQ(num, t.func(list.data(), list.size()));
9223
9224 // Check the expected values are in the list.
9225 for (const auto &s : t.expected) {
9226 EXPECT_NE(list.end(), std::find(list.begin(), list.end(), s))
9227 << "Could not find " << s;
9228 }
9229
9230 // Passing in a larger buffer should leave excess space alone.
9231 std::vector<const char *> list2(num + 1, "placeholder");
9232 EXPECT_EQ(num, t.func(list2.data(), list2.size()));
9233 for (size_t i = 0; i < num; i++) {
9234 EXPECT_STREQ(list[i], list2[i]);
9235 }
9236 EXPECT_STREQ(list2.back(), "placeholder");
9237
9238 // Passing in a shorter buffer should truncate the list.
9239 for (size_t l = 0; l < num; l++) {
9240 SCOPED_TRACE(l);
9241 list2.resize(l);
9242 EXPECT_EQ(num, t.func(list2.data(), list2.size()));
9243 for (size_t i = 0; i < l; i++) {
9244 EXPECT_STREQ(list[i], list2[i]);
9245 }
9246 }
9247 }
9248 }
9249
9250 // Test that it is possible for the certificate to be configured on a mix of
9251 // SSL_CTX and SSL. This ensures that we do not inadvertently overshare objects
9252 // in SSL_new.
TEST(SSLTest,MixContextAndConnection)9253 TEST(SSLTest, MixContextAndConnection) {
9254 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
9255 ASSERT_TRUE(ctx);
9256 bssl::UniquePtr<X509> cert = GetTestCertificate();
9257 ASSERT_TRUE(cert);
9258 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
9259 ASSERT_TRUE(key);
9260
9261 // Configure the certificate, but not the private key, on the context.
9262 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), cert.get()));
9263
9264 bssl::UniquePtr<SSL> ssl1(SSL_new(ctx.get()));
9265 ASSERT_TRUE(ssl1.get());
9266 bssl::UniquePtr<SSL> ssl2(SSL_new(ctx.get()));
9267 ASSERT_TRUE(ssl2.get());
9268
9269 // There is no private key configured yet.
9270 EXPECT_FALSE(SSL_CTX_get0_privatekey(ctx.get()));
9271 EXPECT_FALSE(SSL_get_privatekey(ssl1.get()));
9272 EXPECT_FALSE(SSL_get_privatekey(ssl2.get()));
9273
9274 // Configuring the private key on |ssl1| works.
9275 ASSERT_TRUE(SSL_use_PrivateKey(ssl1.get(), key.get()));
9276 EXPECT_TRUE(SSL_get_privatekey(ssl1.get()));
9277
9278 // It does not impact the other connection or the context.
9279 EXPECT_FALSE(SSL_CTX_get0_privatekey(ctx.get()));
9280 EXPECT_FALSE(SSL_get_privatekey(ssl2.get()));
9281 }
9282
9283 // Test that the server handshake cleanly fails if it had no certificate
9284 // configured, at all versions.
TEST_P(SSLVersionTest,NoCertOrKey)9285 TEST_P(SSLVersionTest, NoCertOrKey) {
9286 bssl::UniquePtr<X509> cert = GetChainTestCertificate();
9287 ASSERT_TRUE(cert);
9288 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
9289 ASSERT_TRUE(key);
9290 bssl::UniquePtr<X509> intermediate = GetChainTestIntermediate();
9291 ASSERT_TRUE(intermediate);
9292 bssl::UniquePtr<STACK_OF(X509)> chain(sk_X509_new_null());
9293 ASSERT_TRUE(chain);
9294 ASSERT_TRUE(bssl::PushToStack(chain.get(), std::move(intermediate)));
9295
9296 const struct {
9297 bool has_cert;
9298 bool has_key;
9299 bool has_chain;
9300 } kTests[] = {
9301 // If nothing is configured, there is unambiguously no certificate.
9302 {/*has_cert=*/false, /*has_key=*/false, /*has_chain=*/false},
9303
9304 // If only one of the key and certificate is configured, it is still treated
9305 // as if there is no certificate.
9306 {/*has_cert=*/true, /*has_key=*/false, /*has_chain=*/false},
9307 {/*has_cert=*/false, /*has_key=*/true, /*has_chain=*/false},
9308
9309 // The key and intermediates may be configured, but without a leaf there is
9310 // no certificate. This case is interesting because we internally store the
9311 // chain with a somewhat fragile null fist entry.
9312 {/*has_cert=*/false, /*has_key=*/true, /*has_chain=*/true},
9313 };
9314 for (const auto &t : kTests) {
9315 SCOPED_TRACE(testing::Message() << "has_cert = " << t.has_cert);
9316 SCOPED_TRACE(testing::Message() << "has_key = " << t.has_key);
9317 SCOPED_TRACE(testing::Message() << "has_chain = " << t.has_chain);
9318 for (bool client : {false, true}) {
9319 SCOPED_TRACE(testing::Message() << "client = " << client);
9320
9321 EXPECT_NO_FATAL_FAILURE(ResetContexts());
9322 if (client) {
9323 // Request client certificates from the server.
9324 SSL_CTX_set_verify(server_ctx_.get(), SSL_VERIFY_PEER, nullptr);
9325 SSL_CTX_set_cert_verify_callback(client_ctx_.get(), VerifySucceed,
9326 nullptr);
9327 } else {
9328 // Recreate the server context. ResetContexts automatically adds server
9329 // certificates.
9330 server_ctx_ = CreateContext();
9331 ASSERT_TRUE(server_ctx_);
9332 }
9333
9334 SSL_CTX *ctx = client ? client_ctx_.get() : server_ctx_.get();
9335 if (t.has_cert) {
9336 ASSERT_TRUE(SSL_CTX_use_certificate(ctx, cert.get()));
9337 }
9338 if (t.has_key) {
9339 ASSERT_TRUE(SSL_CTX_use_PrivateKey(ctx, key.get()));
9340 }
9341 if (t.has_chain) {
9342 ASSERT_TRUE(SSL_CTX_set1_chain(ctx, chain.get()));
9343 }
9344
9345 // In each of these cases, |SSL_CTX_check_private_key| should report the
9346 // certificate was not configured.
9347 EXPECT_FALSE(SSL_CTX_check_private_key(ctx));
9348 ERR_clear_error();
9349
9350 if (client) {
9351 // The client should cleanly handshake without asserting a certificate.
9352 EXPECT_TRUE(Connect());
9353 EXPECT_FALSE(SSL_get0_peer_certificates(server_.get()));
9354 } else {
9355 // Servers cannot be anonymous. The connection should fail.
9356 EXPECT_FALSE(Connect());
9357 // Depending on the TLS version, this should either appear as
9358 // NO_SHARED_CIPHER (TLS 1.2) or NO_CERTIFICATE_SET (TLS 1.3).
9359 uint32_t err = ERR_get_error();
9360 if (!ErrorEquals(err, ERR_LIB_SSL, SSL_R_NO_SHARED_CIPHER)) {
9361 EXPECT_TRUE(ErrorEquals(err, ERR_LIB_SSL, SSL_R_NO_CERTIFICATE_SET));
9362 }
9363 }
9364 }
9365 }
9366 }
9367
TEST_P(SSLVersionTest,KeyLog)9368 TEST_P(SSLVersionTest, KeyLog) {
9369 using KeyLog = std::map<std::string, std::vector<uint8_t>>;
9370 KeyLog client_log, server_log;
9371
9372 SSL_CTX_set_app_data(client_ctx_.get(), &client_log);
9373 SSL_CTX_set_app_data(server_ctx_.get(), &server_log);
9374
9375 auto keylog_callback = [](const SSL *ssl, const char *line) {
9376 SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
9377 KeyLog *log = static_cast<KeyLog *>(SSL_CTX_get_app_data(ctx));
9378 ASSERT_TRUE(log);
9379
9380 const char *space1 = strchr(line, ' ');
9381 ASSERT_TRUE(space1);
9382 std::string name(line, space1 - line);
9383 space1++;
9384 const char *space2 = strchr(space1, ' ');
9385 ASSERT_TRUE(space2);
9386 bssl::Span<const char> client_random_hex(space1, space2 - space1);
9387 space2++;
9388 bssl::Span<const char> secret_hex(space2, strlen(space2));
9389
9390 std::vector<uint8_t> client_random, secret;
9391 ASSERT_TRUE(DecodeLowerHex(&client_random, client_random_hex));
9392 ASSERT_TRUE(DecodeLowerHex(&secret, secret_hex));
9393
9394 // The client_random field identifies the connection. Check it matches
9395 // the connection.
9396 uint8_t expected_random[SSL3_RANDOM_SIZE];
9397 ASSERT_EQ(
9398 sizeof(expected_random),
9399 SSL_get_client_random(ssl, expected_random, sizeof(expected_random)));
9400 ASSERT_EQ(Bytes(expected_random), Bytes(client_random));
9401
9402 ASSERT_EQ(log->count(name), 0u) << "duplicate name " << name;
9403 log->emplace(std::move(name), std::move(secret));
9404 };
9405 SSL_CTX_set_keylog_callback(client_ctx_.get(), keylog_callback);
9406 SSL_CTX_set_keylog_callback(server_ctx_.get(), keylog_callback);
9407
9408 // Connect and capture the various secrets.
9409 ASSERT_TRUE(Connect());
9410
9411 // Check that we logged the secrets we expected to log.
9412 if (version() == TLS1_3_VERSION) {
9413 EXPECT_THAT(client_log, ElementsAre(Key("CLIENT_HANDSHAKE_TRAFFIC_SECRET"),
9414 Key("CLIENT_TRAFFIC_SECRET_0"),
9415 Key("EXPORTER_SECRET"),
9416 Key("SERVER_HANDSHAKE_TRAFFIC_SECRET"),
9417 Key("SERVER_TRAFFIC_SECRET_0")));
9418
9419 // Ideally we'd check the other values, but those are harder to check
9420 // without actually decrypting the records.
9421 Span<const uint8_t> read_secret, write_secret;
9422 ASSERT_TRUE(bssl::SSL_get_traffic_secrets(client_.get(), &read_secret,
9423 &write_secret));
9424 EXPECT_EQ(Bytes(read_secret), Bytes(client_log["SERVER_TRAFFIC_SECRET_0"]));
9425 EXPECT_EQ(Bytes(write_secret),
9426 Bytes(client_log["CLIENT_TRAFFIC_SECRET_0"]));
9427 } else {
9428 EXPECT_THAT(client_log, ElementsAre(Key("CLIENT_RANDOM")));
9429
9430 size_t len =
9431 SSL_SESSION_get_master_key(SSL_get0_session(client_.get()), nullptr, 0);
9432 std::vector<uint8_t> expected(len);
9433 ASSERT_EQ(SSL_SESSION_get_master_key(SSL_get0_session(client_.get()),
9434 expected.data(), expected.size()),
9435 expected.size());
9436 EXPECT_EQ(Bytes(expected), Bytes(client_log["CLIENT_RANDOM"]));
9437 }
9438
9439 // The server should have logged the same secrets as the client.
9440 EXPECT_EQ(client_log, server_log);
9441 }
9442
9443 } // namespace
9444 BSSL_NAMESPACE_END
9445