1 /* Copyright (c) 2014, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15 #include <limits.h>
16 #include <stdio.h>
17 #include <string.h>
18 #include <time.h>
19
20 #include <algorithm>
21 #include <limits>
22 #include <string>
23 #include <utility>
24 #include <vector>
25
26 #include <gtest/gtest.h>
27
28 #include <openssl/aead.h>
29 #include <openssl/base64.h>
30 #include <openssl/bytestring.h>
31 #include <openssl/bio.h>
32 #include <openssl/cipher.h>
33 #include <openssl/crypto.h>
34 #include <openssl/curve25519.h>
35 #include <openssl/err.h>
36 #include <openssl/hmac.h>
37 #include <openssl/hpke.h>
38 #include <openssl/pem.h>
39 #include <openssl/sha.h>
40 #include <openssl/ssl.h>
41 #include <openssl/rand.h>
42 #include <openssl/x509.h>
43 #include <openssl/x509v3.h>
44
45 #include "internal.h"
46 #include "../crypto/internal.h"
47 #include "../crypto/test/test_util.h"
48
49 #if defined(OPENSSL_WINDOWS)
50 // Windows defines struct timeval in winsock2.h.
51 OPENSSL_MSVC_PRAGMA(warning(push, 3))
52 #include <winsock2.h>
53 OPENSSL_MSVC_PRAGMA(warning(pop))
54 #else
55 #include <sys/time.h>
56 #endif
57
58 #if defined(OPENSSL_THREADS)
59 #include <thread>
60 #endif
61
62
63 BSSL_NAMESPACE_BEGIN
64
65 namespace {
66
67 #define TRACED_CALL(code) \
68 do { \
69 SCOPED_TRACE("<- called from here"); \
70 code; \
71 if (::testing::Test::HasFatalFailure()) { \
72 return; \
73 } \
74 } while (false)
75
76 struct VersionParam {
77 uint16_t version;
78 enum { is_tls, is_dtls } ssl_method;
79 const char name[8];
80 };
81
82 static const size_t kTicketKeyLen = 48;
83
84 static const VersionParam kAllVersions[] = {
85 {TLS1_VERSION, VersionParam::is_tls, "TLS1"},
86 {TLS1_1_VERSION, VersionParam::is_tls, "TLS1_1"},
87 {TLS1_2_VERSION, VersionParam::is_tls, "TLS1_2"},
88 {TLS1_3_VERSION, VersionParam::is_tls, "TLS1_3"},
89 {DTLS1_VERSION, VersionParam::is_dtls, "DTLS1"},
90 {DTLS1_2_VERSION, VersionParam::is_dtls, "DTLS1_2"},
91 };
92
93 struct ExpectedCipher {
94 unsigned long id;
95 int in_group_flag;
96 };
97
98 struct CipherTest {
99 // The rule string to apply.
100 const char *rule;
101 // The list of expected ciphers, in order.
102 std::vector<ExpectedCipher> expected;
103 // True if this cipher list should fail in strict mode.
104 bool strict_fail;
105 };
106
107 struct CurveTest {
108 // The rule string to apply.
109 const char *rule;
110 // The list of expected curves, in order.
111 std::vector<uint16_t> expected;
112 };
113
114 template <typename T>
115 class UnownedSSLExData {
116 public:
UnownedSSLExData()117 UnownedSSLExData() {
118 index_ = SSL_get_ex_new_index(0, nullptr, nullptr, nullptr, nullptr);
119 }
120
Get(const SSL * ssl)121 T *Get(const SSL *ssl) {
122 return index_ < 0 ? nullptr
123 : static_cast<T *>(SSL_get_ex_data(ssl, index_));
124 }
125
Set(SSL * ssl,T * t)126 bool Set(SSL *ssl, T *t) {
127 return index_ >= 0 && SSL_set_ex_data(ssl, index_, t);
128 }
129
130 private:
131 int index_;
132 };
133
134 static const CipherTest kCipherTests[] = {
135 // Selecting individual ciphers should work.
136 {
137 "ECDHE-ECDSA-CHACHA20-POLY1305:"
138 "ECDHE-RSA-CHACHA20-POLY1305:"
139 "ECDHE-ECDSA-AES128-GCM-SHA256:"
140 "ECDHE-RSA-AES128-GCM-SHA256",
141 {
142 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
143 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
144 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
145 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
146 },
147 false,
148 },
149 // + reorders selected ciphers to the end, keeping their relative order.
150 {
151 "ECDHE-ECDSA-CHACHA20-POLY1305:"
152 "ECDHE-RSA-CHACHA20-POLY1305:"
153 "ECDHE-ECDSA-AES128-GCM-SHA256:"
154 "ECDHE-RSA-AES128-GCM-SHA256:"
155 "+aRSA",
156 {
157 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
158 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
159 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
160 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
161 },
162 false,
163 },
164 // ! banishes ciphers from future selections.
165 {
166 "!aRSA:"
167 "ECDHE-ECDSA-CHACHA20-POLY1305:"
168 "ECDHE-RSA-CHACHA20-POLY1305:"
169 "ECDHE-ECDSA-AES128-GCM-SHA256:"
170 "ECDHE-RSA-AES128-GCM-SHA256",
171 {
172 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
173 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
174 },
175 false,
176 },
177 // Multiple masks can be ANDed in a single rule.
178 {
179 "kRSA+AESGCM+AES128",
180 {
181 {TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0},
182 },
183 false,
184 },
185 // - removes selected ciphers, but preserves their order for future
186 // selections. Select AES_128_GCM, but order the key exchanges RSA,
187 // ECDHE_RSA.
188 {
189 "ALL:-kECDHE:"
190 "-kRSA:-ALL:"
191 "AESGCM+AES128+aRSA",
192 {
193 {TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0},
194 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
195 },
196 false,
197 },
198 // Unknown selectors are no-ops, except in strict mode.
199 {
200 "ECDHE-ECDSA-CHACHA20-POLY1305:"
201 "ECDHE-RSA-CHACHA20-POLY1305:"
202 "ECDHE-ECDSA-AES128-GCM-SHA256:"
203 "ECDHE-RSA-AES128-GCM-SHA256:"
204 "BOGUS1",
205 {
206 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
207 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
208 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
209 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
210 },
211 true,
212 },
213 // Unknown selectors are no-ops, except in strict mode.
214 {
215 "ECDHE-ECDSA-CHACHA20-POLY1305:"
216 "ECDHE-RSA-CHACHA20-POLY1305:"
217 "ECDHE-ECDSA-AES128-GCM-SHA256:"
218 "ECDHE-RSA-AES128-GCM-SHA256:"
219 "-BOGUS2:+BOGUS3:!BOGUS4",
220 {
221 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
222 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
223 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
224 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
225 },
226 true,
227 },
228 // Square brackets specify equi-preference groups.
229 {
230 "[ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES128-GCM-SHA256]:"
231 "[ECDHE-RSA-CHACHA20-POLY1305]:"
232 "ECDHE-RSA-AES128-GCM-SHA256",
233 {
234 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 1},
235 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
236 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
237 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
238 },
239 false,
240 },
241 // Standard names may be used instead of OpenSSL names.
242 {
243 "[TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|"
244 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]:"
245 "[TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256]:"
246 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
247 {
248 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 1},
249 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
250 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
251 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
252 },
253 false,
254 },
255 // @STRENGTH performs a stable strength-sort of the selected ciphers and
256 // only the selected ciphers.
257 {
258 // To simplify things, banish all but {ECDHE_RSA,RSA} x
259 // {CHACHA20,AES_256_CBC,AES_128_CBC} x SHA1.
260 "!AESGCM:!3DES:"
261 // Order some ciphers backwards by strength.
262 "ALL:-CHACHA20:-AES256:-AES128:-ALL:"
263 // Select ECDHE ones and sort them by strength. Ties should resolve
264 // based on the order above.
265 "kECDHE:@STRENGTH:-ALL:"
266 // Now bring back everything uses RSA. ECDHE_RSA should be first, sorted
267 // by strength. Then RSA, backwards by strength.
268 "aRSA",
269 {
270 {TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, 0},
271 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
272 {TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, 0},
273 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
274 {TLS1_CK_RSA_WITH_AES_256_SHA, 0},
275 },
276 false,
277 },
278 // Additional masks after @STRENGTH get silently discarded.
279 //
280 // TODO(davidben): Make this an error. If not silently discarded, they get
281 // interpreted as + opcodes which are very different.
282 {
283 "ECDHE-RSA-AES128-GCM-SHA256:"
284 "ECDHE-RSA-AES256-GCM-SHA384:"
285 "@STRENGTH+AES256",
286 {
287 {TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 0},
288 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
289 },
290 false,
291 },
292 {
293 "ECDHE-RSA-AES128-GCM-SHA256:"
294 "ECDHE-RSA-AES256-GCM-SHA384:"
295 "@STRENGTH+AES256:"
296 "ECDHE-RSA-CHACHA20-POLY1305",
297 {
298 {TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 0},
299 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
300 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
301 },
302 false,
303 },
304 // Exact ciphers may not be used in multi-part rules; they are treated
305 // as unknown aliases.
306 {
307 "ECDHE-ECDSA-AES128-GCM-SHA256:"
308 "ECDHE-RSA-AES128-GCM-SHA256:"
309 "!ECDHE-RSA-AES128-GCM-SHA256+RSA:"
310 "!ECDSA+ECDHE-ECDSA-AES128-GCM-SHA256",
311 {
312 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
313 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
314 },
315 true,
316 },
317 // SSLv3 matches everything that existed before TLS 1.2.
318 {
319 "AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256:!SSLv3",
320 {
321 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
322 },
323 false,
324 },
325 // TLSv1.2 matches everything added in TLS 1.2.
326 {
327 "AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256:!TLSv1.2",
328 {
329 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
330 },
331 false,
332 },
333 // The two directives have no intersection. But each component is valid, so
334 // even in strict mode it is accepted.
335 {
336 "AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256:!TLSv1.2+SSLv3",
337 {
338 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
339 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
340 },
341 false,
342 },
343 // Spaces, semi-colons and commas are separators.
344 {
345 "AES128-SHA: ECDHE-RSA-AES128-GCM-SHA256 AES256-SHA ,ECDHE-ECDSA-AES128-GCM-SHA256 ; AES128-GCM-SHA256",
346 {
347 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
348 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
349 {TLS1_CK_RSA_WITH_AES_256_SHA, 0},
350 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
351 {TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0},
352 },
353 // …but not in strict mode.
354 true,
355 },
356 // 3DES ciphers are disabled by default.
357 {
358 "RSA",
359 {
360 {TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0},
361 {TLS1_CK_RSA_WITH_AES_256_GCM_SHA384, 0},
362 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
363 {TLS1_CK_RSA_WITH_AES_256_SHA, 0},
364 },
365 false,
366 },
367 // But 3DES ciphers may be specified by name.
368 {
369 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
370 {
371 {SSL3_CK_RSA_DES_192_CBC3_SHA, 0},
372 },
373 false,
374 },
375 {
376 "DES-CBC3-SHA",
377 {
378 {SSL3_CK_RSA_DES_192_CBC3_SHA, 0},
379 },
380 false,
381 },
382 // Or by a selector that specifically includes deprecated ciphers.
383 {
384 "3DES",
385 {
386 {SSL3_CK_RSA_DES_192_CBC3_SHA, 0},
387 },
388 false,
389 },
390 // Such selectors may be combined with other selectors that would otherwise
391 // not allow deprecated ciphers.
392 {
393 "RSA+3DES",
394 {
395 {SSL3_CK_RSA_DES_192_CBC3_SHA, 0},
396 },
397 false,
398 },
399 // The cipher must still match all combined selectors, however. "ECDHE+3DES"
400 // matches nothing because we do not implement
401 // TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA. (The test includes
402 // TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 so the final list is not empty.)
403 {
404 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:ECDHE+3DES",
405 {
406 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
407 },
408 false,
409 },
410 // Although alises like "RSA" do not match 3DES when adding ciphers, they do
411 // match it when removing ciphers.
412 {
413 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:RSA:RSA+3DES:!RSA",
414 {
415 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
416 },
417 false,
418 },
419 // 3DES still participates in strength sorting.
420 {
421 "RSA:3DES:@STRENGTH",
422 {
423 {TLS1_CK_RSA_WITH_AES_256_GCM_SHA384, 0},
424 {TLS1_CK_RSA_WITH_AES_256_SHA, 0},
425 {TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0},
426 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
427 {SSL3_CK_RSA_DES_192_CBC3_SHA, 0},
428 },
429 false,
430 },
431 };
432
433 static const char *kBadRules[] = {
434 // Invalid brackets.
435 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256",
436 "RSA]",
437 "[[RSA]]",
438 // Operators inside brackets.
439 "[+RSA]",
440 // Unknown directive.
441 "@BOGUS",
442 // Empty cipher lists error at SSL_CTX_set_cipher_list.
443 "",
444 "BOGUS",
445 // COMPLEMENTOFDEFAULT is empty.
446 "COMPLEMENTOFDEFAULT",
447 // Invalid command.
448 "?BAR",
449 // Special operators are not allowed if equi-preference groups are used.
450 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:+FOO",
451 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:!FOO",
452 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:-FOO",
453 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:@STRENGTH",
454 // Opcode supplied, but missing selector.
455 "+",
456 // Spaces are forbidden in equal-preference groups.
457 "[AES128-SHA | AES128-SHA256]",
458 };
459
460 static const char *kMustNotIncludeDeprecated[] = {
461 "ALL",
462 "DEFAULT",
463 "HIGH",
464 "FIPS",
465 "SHA",
466 "SHA1",
467 "RSA",
468 "SSLv3",
469 "TLSv1",
470 "TLSv1.2",
471 };
472
473 static const char* kShouldIncludeCBCSHA256[] = {
474 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
475 "ALL:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
476 };
477
478 static const CurveTest kCurveTests[] = {
479 {
480 "P-256",
481 { SSL_GROUP_SECP256R1 },
482 },
483 {
484 "P-256:X25519Kyber768Draft00",
485 { SSL_GROUP_SECP256R1, SSL_GROUP_X25519_KYBER768_DRAFT00 },
486 },
487
488 {
489 "P-256:P-384:P-521:X25519",
490 {
491 SSL_GROUP_SECP256R1,
492 SSL_GROUP_SECP384R1,
493 SSL_GROUP_SECP521R1,
494 SSL_GROUP_X25519,
495 },
496 },
497 {
498 "prime256v1:secp384r1:secp521r1:x25519",
499 {
500 SSL_GROUP_SECP256R1,
501 SSL_GROUP_SECP384R1,
502 SSL_GROUP_SECP521R1,
503 SSL_GROUP_X25519,
504 },
505 },
506 };
507
508 static const char *kBadCurvesLists[] = {
509 "",
510 ":",
511 "::",
512 "P-256::X25519",
513 "RSA:P-256",
514 "P-256:RSA",
515 "X25519:P-256:",
516 ":X25519:P-256",
517 };
518
CipherListToString(SSL_CTX * ctx)519 static std::string CipherListToString(SSL_CTX *ctx) {
520 bool in_group = false;
521 std::string ret;
522 const STACK_OF(SSL_CIPHER) *ciphers = SSL_CTX_get_ciphers(ctx);
523 for (size_t i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
524 const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(ciphers, i);
525 if (!in_group && SSL_CTX_cipher_in_group(ctx, i)) {
526 ret += "\t[\n";
527 in_group = true;
528 }
529 ret += "\t";
530 if (in_group) {
531 ret += " ";
532 }
533 ret += SSL_CIPHER_get_name(cipher);
534 ret += "\n";
535 if (in_group && !SSL_CTX_cipher_in_group(ctx, i)) {
536 ret += "\t]\n";
537 in_group = false;
538 }
539 }
540 return ret;
541 }
542
CipherListsEqual(SSL_CTX * ctx,const std::vector<ExpectedCipher> & expected)543 static bool CipherListsEqual(SSL_CTX *ctx,
544 const std::vector<ExpectedCipher> &expected) {
545 const STACK_OF(SSL_CIPHER) *ciphers = SSL_CTX_get_ciphers(ctx);
546 if (sk_SSL_CIPHER_num(ciphers) != expected.size()) {
547 return false;
548 }
549
550 for (size_t i = 0; i < expected.size(); i++) {
551 const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(ciphers, i);
552 if (expected[i].id != SSL_CIPHER_get_id(cipher) ||
553 expected[i].in_group_flag != !!SSL_CTX_cipher_in_group(ctx, i)) {
554 return false;
555 }
556 }
557
558 return true;
559 }
560
TEST(GrowableArrayTest,Resize)561 TEST(GrowableArrayTest, Resize) {
562 GrowableArray<size_t> array;
563 ASSERT_TRUE(array.empty());
564 EXPECT_EQ(array.size(), 0u);
565
566 ASSERT_TRUE(array.Push(42));
567 ASSERT_TRUE(!array.empty());
568 EXPECT_EQ(array.size(), 1u);
569
570 // Force a resize operation to occur
571 for (size_t i = 0; i < 16; i++) {
572 ASSERT_TRUE(array.Push(i + 1));
573 }
574
575 EXPECT_EQ(array.size(), 17u);
576
577 // Verify that expected values are still contained in array
578 for (size_t i = 0; i < array.size(); i++) {
579 EXPECT_EQ(array[i], i == 0 ? 42 : i);
580 }
581 }
582
TEST(GrowableArrayTest,MoveConstructor)583 TEST(GrowableArrayTest, MoveConstructor) {
584 GrowableArray<size_t> array;
585 for (size_t i = 0; i < 100; i++) {
586 ASSERT_TRUE(array.Push(i));
587 }
588
589 GrowableArray<size_t> array_moved(std::move(array));
590 for (size_t i = 0; i < 100; i++) {
591 EXPECT_EQ(array_moved[i], i);
592 }
593 }
594
TEST(GrowableArrayTest,GrowableArrayContainingGrowableArrays)595 TEST(GrowableArrayTest, GrowableArrayContainingGrowableArrays) {
596 // Representative example of a struct that contains a GrowableArray.
597 struct TagAndArray {
598 size_t tag;
599 GrowableArray<size_t> array;
600 };
601
602 GrowableArray<TagAndArray> array;
603 for (size_t i = 0; i < 100; i++) {
604 TagAndArray elem;
605 elem.tag = i;
606 for (size_t j = 0; j < i; j++) {
607 ASSERT_TRUE(elem.array.Push(j));
608 }
609 ASSERT_TRUE(array.Push(std::move(elem)));
610 }
611 EXPECT_EQ(array.size(), static_cast<size_t>(100));
612
613 GrowableArray<TagAndArray> array_moved(std::move(array));
614 EXPECT_EQ(array_moved.size(), static_cast<size_t>(100));
615 size_t count = 0;
616 for (const TagAndArray &elem : array_moved) {
617 // Test the square bracket operator returns the same value as iteration.
618 EXPECT_EQ(&elem, &array_moved[count]);
619
620 EXPECT_EQ(elem.tag, count);
621 EXPECT_EQ(elem.array.size(), count);
622 for (size_t j = 0; j < count; j++) {
623 EXPECT_EQ(elem.array[j], j);
624 }
625 count++;
626 }
627 }
628
TEST(SSLTest,CipherRules)629 TEST(SSLTest, CipherRules) {
630 for (const CipherTest &t : kCipherTests) {
631 SCOPED_TRACE(t.rule);
632 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
633 ASSERT_TRUE(ctx);
634
635 // Test lax mode.
636 ASSERT_TRUE(SSL_CTX_set_cipher_list(ctx.get(), t.rule));
637 EXPECT_TRUE(CipherListsEqual(ctx.get(), t.expected))
638 << "Cipher rule evaluated to:\n"
639 << CipherListToString(ctx.get());
640
641 // Test strict mode.
642 if (t.strict_fail) {
643 EXPECT_FALSE(SSL_CTX_set_strict_cipher_list(ctx.get(), t.rule));
644 } else {
645 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(ctx.get(), t.rule));
646 EXPECT_TRUE(CipherListsEqual(ctx.get(), t.expected))
647 << "Cipher rule evaluated to:\n"
648 << CipherListToString(ctx.get());
649 }
650 }
651
652 for (const char *rule : kBadRules) {
653 SCOPED_TRACE(rule);
654 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
655 ASSERT_TRUE(ctx);
656
657 EXPECT_FALSE(SSL_CTX_set_cipher_list(ctx.get(), rule));
658 ERR_clear_error();
659 }
660
661 for (const char *rule : kMustNotIncludeDeprecated) {
662 SCOPED_TRACE(rule);
663 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
664 ASSERT_TRUE(ctx);
665
666 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(ctx.get(), rule));
667 for (const SSL_CIPHER *cipher : SSL_CTX_get_ciphers(ctx.get())) {
668 EXPECT_NE(NID_undef, SSL_CIPHER_get_cipher_nid(cipher));
669 EXPECT_FALSE(ssl_cipher_is_deprecated(cipher));
670 }
671 }
672
673 {
674 for (const char *rule : kShouldIncludeCBCSHA256) {
675 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
676 ASSERT_TRUE(ctx);
677 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(ctx.get(), rule));
678
679 bool found = false;
680 for (const SSL_CIPHER *cipher : SSL_CTX_get_ciphers(ctx.get())) {
681 if ((TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA256 & 0xffff) ==
682 SSL_CIPHER_get_protocol_id(cipher)) {
683 found = true;
684 break;
685 }
686 }
687 EXPECT_TRUE(found);
688 }
689 }
690 }
691
TEST(SSLTest,CurveRules)692 TEST(SSLTest, CurveRules) {
693 for (const CurveTest &t : kCurveTests) {
694 SCOPED_TRACE(t.rule);
695 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
696 ASSERT_TRUE(ctx);
697
698 ASSERT_TRUE(SSL_CTX_set1_groups_list(ctx.get(), t.rule));
699 ASSERT_EQ(t.expected.size(), ctx->supported_group_list.size());
700 for (size_t i = 0; i < t.expected.size(); i++) {
701 EXPECT_EQ(t.expected[i], ctx->supported_group_list[i]);
702 }
703 }
704
705 for (const char *rule : kBadCurvesLists) {
706 SCOPED_TRACE(rule);
707 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
708 ASSERT_TRUE(ctx);
709
710 EXPECT_FALSE(SSL_CTX_set1_groups_list(ctx.get(), rule));
711 ERR_clear_error();
712 }
713 }
714
715 // kOpenSSLSession is a serialized SSL_SESSION.
716 static const char kOpenSSLSession[] =
717 "MIIFqgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
718 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
719 "IWoJoQYCBFRDO46iBAICASyjggR6MIIEdjCCA16gAwIBAgIIK9dUvsPWSlUwDQYJ"
720 "KoZIhvcNAQEFBQAwSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMx"
721 "JTAjBgNVBAMTHEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTQxMDA4"
722 "MTIwNzU3WhcNMTUwMTA2MDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwK"
723 "Q2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29v"
724 "Z2xlIEluYzEXMBUGA1UEAwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEB"
725 "AQUAA4IBDwAwggEKAoIBAQCcKeLrplAC+Lofy8t/wDwtB6eu72CVp0cJ4V3lknN6"
726 "huH9ct6FFk70oRIh/VBNBBz900jYy+7111Jm1b8iqOTQ9aT5C7SEhNcQFJvqzH3e"
727 "MPkb6ZSWGm1yGF7MCQTGQXF20Sk/O16FSjAynU/b3oJmOctcycWYkY0ytS/k3LBu"
728 "Id45PJaoMqjB0WypqvNeJHC3q5JjCB4RP7Nfx5jjHSrCMhw8lUMW4EaDxjaR9KDh"
729 "PLgjsk+LDIySRSRDaCQGhEOWLJZVLzLo4N6/UlctCHEllpBUSvEOyFga52qroGjg"
730 "rf3WOQ925MFwzd6AK+Ich0gDRg8sQfdLH5OuP1cfLfU1AgMBAAGjggFBMIIBPTAd"
731 "BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdv"
732 "b2dsZS5jb20waAYIKwYBBQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtp"
733 "Lmdvb2dsZS5jb20vR0lBRzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50"
734 "czEuZ29vZ2xlLmNvbS9vY3NwMB0GA1UdDgQWBBQ7a+CcxsZByOpc+xpYFcIbnUMZ"
735 "hTAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEv"
736 "MBcGA1UdIAQQMA4wDAYKKwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRw"
737 "Oi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQCa"
738 "OXCBdoqUy5bxyq+Wrh1zsyyCFim1PH5VU2+yvDSWrgDY8ibRGJmfff3r4Lud5kal"
739 "dKs9k8YlKD3ITG7P0YT/Rk8hLgfEuLcq5cc0xqmE42xJ+Eo2uzq9rYorc5emMCxf"
740 "5L0TJOXZqHQpOEcuptZQ4OjdYMfSxk5UzueUhA3ogZKRcRkdB3WeWRp+nYRhx4St"
741 "o2rt2A0MKmY9165GHUqMK9YaaXHDXqBu7Sefr1uSoAP9gyIJKeihMivsGqJ1TD6Z"
742 "cc6LMe+dN2P8cZEQHtD1y296ul4Mivqk3jatUVL8/hCwgch9A8O4PGZq9WqBfEWm"
743 "IyHh1dPtbg1lOXdYCWtjpAIEAKUDAgEUqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36S"
744 "YTcLEkXqKwOBfF9vE4KX0NxeLwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9B"
745 "sNHM362zZnY27GpTw+Kwd751CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yE"
746 "OTDKPNj3+inbMaVigtK4PLyPq+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdA"
747 "i4gv7Y5oliyntgMBAQA=";
748
749 // kCustomSession is a custom serialized SSL_SESSION generated by
750 // filling in missing fields from |kOpenSSLSession|. This includes
751 // providing |peer_sha256|, so |peer| is not serialized.
752 static const char kCustomSession[] =
753 "MIIBZAIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
754 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
755 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUqAcEBXdvcmxkqQUCAwGJwKqBpwSB"
756 "pBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0NxeLwjcDTpsuh3qXEaZ992r1N38"
757 "VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751CLoXFPoaMOe57dbBpXoro6Pd"
758 "3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyPq+Topyzvx9USFgRvyuoxn0Hg"
759 "b+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYGBgYGBgYGBgYGBgYGBgYGBgYG"
760 "BgYGBgYGBgYGrgMEAQevAwQBBLADBAEF";
761
762 // kBoringSSLSession is a serialized SSL_SESSION generated from bssl client.
763 static const char kBoringSSLSession[] =
764 "MIIRwQIBAQICAwMEAsAvBCDdoGxGK26mR+8lM0uq6+k9xYuxPnwAjpcF9n0Yli9R"
765 "kQQwbyshfWhdi5XQ1++7n2L1qqrcVlmHBPpr6yknT/u4pUrpQB5FZ7vqvNn8MdHf"
766 "9rWgoQYCBFXgs7uiBAICHCCjggR6MIIEdjCCA16gAwIBAgIIf+yfD7Y6UicwDQYJ"
767 "KoZIhvcNAQELBQAwSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMx"
768 "JTAjBgNVBAMTHEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTUwODEy"
769 "MTQ1MzE1WhcNMTUxMTEwMDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwK"
770 "Q2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29v"
771 "Z2xlIEluYzEXMBUGA1UEAwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEB"
772 "AQUAA4IBDwAwggEKAoIBAQC0MeG5YGQ0t+IeJeoneP/PrhEaieibeKYkbKVLNZpo"
773 "PLuBinvhkXZo3DC133NpCBpy6ZktBwamqyixAyuk/NU6OjgXqwwxfQ7di1AInLIU"
774 "792c7hFyNXSUCG7At8Ifi3YwBX9Ba6u/1d6rWTGZJrdCq3QU11RkKYyTq2KT5mce"
775 "Tv9iGKqSkSTlp8puy/9SZ/3DbU3U+BuqCFqeSlz7zjwFmk35acdCilpJlVDDN5C/"
776 "RCh8/UKc8PaL+cxlt531qoTENvYrflBno14YEZlCBZsPiFeUSILpKEj3Ccwhy0eL"
777 "EucWQ72YZU8mUzXBoXGn0zA0crFl5ci/2sTBBGZsylNBAgMBAAGjggFBMIIBPTAd"
778 "BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdv"
779 "b2dsZS5jb20waAYIKwYBBQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtp"
780 "Lmdvb2dsZS5jb20vR0lBRzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50"
781 "czEuZ29vZ2xlLmNvbS9vY3NwMB0GA1UdDgQWBBS/bzHxcE73Q4j3slC4BLbMtLjG"
782 "GjAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEv"
783 "MBcGA1UdIAQQMA4wDAYKKwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRw"
784 "Oi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQAb"
785 "qdWPZEHk0X7iKPCTHL6S3w6q1eR67goxZGFSM1lk1hjwyu7XcLJuvALVV9uY3ovE"
786 "kQZSHwT+pyOPWQhsSjO+1GyjvCvK/CAwiUmBX+bQRGaqHsRcio7xSbdVcajQ3bXd"
787 "X+s0WdbOpn6MStKAiBVloPlSxEI8pxY6x/BBCnTIk/+DMB17uZlOjG3vbAnkDkP+"
788 "n0OTucD9sHV7EVj9XUxi51nOfNBCN/s7lpUjDS/NJ4k3iwOtbCPswiot8vLO779a"
789 "f07vR03r349Iz/KTzk95rlFtX0IU+KYNxFNsanIXZ+C9FYGRXkwhHcvFb4qMUB1y"
790 "TTlM80jBMOwyjZXmjRAhpAIEAKUDAgEUqQUCAwGJwKqBpwSBpOgebbmn9NRUtMWH"
791 "+eJpqA5JLMFSMCChOsvKey3toBaCNGU7HfAEiiXNuuAdCBoK262BjQc2YYfqFzqH"
792 "zuppopXCvhohx7j/tnCNZIMgLYt/O9SXK2RYI5z8FhCCHvB4CbD5G0LGl5EFP27s"
793 "Jb6S3aTTYPkQe8yZSlxevg6NDwmTogLO9F7UUkaYmVcMQhzssEE2ZRYNwSOU6KjE"
794 "0Yj+8fAiBtbQriIEIN2L8ZlpaVrdN5KFNdvcmOxJu81P8q53X55xQyGTnGWwsgMC"
795 "ARezggvvMIIEdjCCA16gAwIBAgIIf+yfD7Y6UicwDQYJKoZIhvcNAQELBQAwSTEL"
796 "MAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2ds"
797 "ZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTUwODEyMTQ1MzE1WhcNMTUxMTEw"
798 "MDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQG"
799 "A1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UE"
800 "AwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB"
801 "AQC0MeG5YGQ0t+IeJeoneP/PrhEaieibeKYkbKVLNZpoPLuBinvhkXZo3DC133Np"
802 "CBpy6ZktBwamqyixAyuk/NU6OjgXqwwxfQ7di1AInLIU792c7hFyNXSUCG7At8If"
803 "i3YwBX9Ba6u/1d6rWTGZJrdCq3QU11RkKYyTq2KT5mceTv9iGKqSkSTlp8puy/9S"
804 "Z/3DbU3U+BuqCFqeSlz7zjwFmk35acdCilpJlVDDN5C/RCh8/UKc8PaL+cxlt531"
805 "qoTENvYrflBno14YEZlCBZsPiFeUSILpKEj3Ccwhy0eLEucWQ72YZU8mUzXBoXGn"
806 "0zA0crFl5ci/2sTBBGZsylNBAgMBAAGjggFBMIIBPTAdBgNVHSUEFjAUBggrBgEF"
807 "BQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYB"
808 "BQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lB"
809 "RzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9v"
810 "Y3NwMB0GA1UdDgQWBBS/bzHxcE73Q4j3slC4BLbMtLjGGjAMBgNVHRMBAf8EAjAA"
811 "MB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMBcGA1UdIAQQMA4wDAYK"
812 "KwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRwOi8vcGtpLmdvb2dsZS5j"
813 "b20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQAbqdWPZEHk0X7iKPCTHL6S"
814 "3w6q1eR67goxZGFSM1lk1hjwyu7XcLJuvALVV9uY3ovEkQZSHwT+pyOPWQhsSjO+"
815 "1GyjvCvK/CAwiUmBX+bQRGaqHsRcio7xSbdVcajQ3bXdX+s0WdbOpn6MStKAiBVl"
816 "oPlSxEI8pxY6x/BBCnTIk/+DMB17uZlOjG3vbAnkDkP+n0OTucD9sHV7EVj9XUxi"
817 "51nOfNBCN/s7lpUjDS/NJ4k3iwOtbCPswiot8vLO779af07vR03r349Iz/KTzk95"
818 "rlFtX0IU+KYNxFNsanIXZ+C9FYGRXkwhHcvFb4qMUB1yTTlM80jBMOwyjZXmjRAh"
819 "MIID8DCCAtigAwIBAgIDAjqDMA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT"
820 "MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i"
821 "YWwgQ0EwHhcNMTMwNDA1MTUxNTU2WhcNMTYxMjMxMjM1OTU5WjBJMQswCQYDVQQG"
822 "EwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVy"
823 "bmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB"
824 "AJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NP"
825 "VaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtv"
826 "h8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rE"
827 "ahqyzFPdFUuLH8gZYR/Nnag+YyuENWllhMgZxUYi+FOVvuOAShDGKuy6lyARxzmZ"
828 "EASg8GF6lSWMTlJ14rbtCMoU/M4iarNOz0YDl5cDfsCx3nuvRTPPuj5xt970JSXC"
829 "DTWJnZ37DhF5iR43xa+OcmkCAwEAAaOB5zCB5DAfBgNVHSMEGDAWgBTAephojYn7"
830 "qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1dvWBtrtiGrpagS8wDgYD"
831 "VR0PAQH/BAQDAgEGMC4GCCsGAQUFBwEBBCIwIDAeBggrBgEFBQcwAYYSaHR0cDov"
832 "L2cuc3ltY2QuY29tMBIGA1UdEwEB/wQIMAYBAf8CAQAwNQYDVR0fBC4wLDAqoCig"
833 "JoYkaHR0cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9iYWwuY3JsMBcGA1UdIAQQ"
834 "MA4wDAYKKwYBBAHWeQIFATANBgkqhkiG9w0BAQsFAAOCAQEAqvqpIM1qZ4PtXtR+"
835 "3h3Ef+AlBgDFJPupyC1tft6dgmUsgWM0Zj7pUsIItMsv91+ZOmqcUHqFBYx90SpI"
836 "hNMJbHzCzTWf84LuUt5oX+QAihcglvcpjZpNy6jehsgNb1aHA30DP9z6eX0hGfnI"
837 "Oi9RdozHQZJxjyXON/hKTAAj78Q1EK7gI4BzfE00LshukNYQHpmEcxpw8u1VDu4X"
838 "Bupn7jLrLN1nBz/2i8Jw3lsA5rsb0zYaImxssDVCbJAJPZPpZAkiDoUGn8JzIdPm"
839 "X4DkjYUiOnMDsWCOrmji9D6X52ASCWg23jrW4kOVWzeBkoEfu43XrVJkFleW2V40"
840 "fsg12DCCA30wggLmoAMCAQICAxK75jANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQG"
841 "EwJVUzEQMA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUg"
842 "Q2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTAyMDUyMTA0MDAwMFoXDTE4MDgyMTA0"
843 "MDAwMFowQjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUdlb1RydXN0IEluYy4xGzAZ"
844 "BgNVBAMTEkdlb1RydXN0IEdsb2JhbCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP"
845 "ADCCAQoCggEBANrMGGMw/fQXIxpWflvfPGw45HG3eJHUvKHYTPioQ7YD6U0hBwiI"
846 "2lgvZjkpvQV4i5046AW3an5xpObEYKaw74DkiSgPniXW7YPzraaRx5jJQhg1FJ2t"
847 "mEaSLk/K8YdDwRaVVy1Q74ktgHpXrfLuX2vSAI25FPgUFTXZwEaje3LIkb/JVSvN"
848 "0Jc+nCZkzN/Ogxlxyk7m1NV7qRnNVd7I7NJeOFPlXE+MLf5QIzb8ZubLjqQ5GQC3"
849 "lQI5kQsO/jgu0R0FmvZNPm8PBx2vLB6PYDni+jZTEznUXiYr2z2oFL0y6xgDKFIE"
850 "ceWrMz3hOLsHNoRinHnqFjD0X8Ar6HFr5PkCAwEAAaOB8DCB7TAfBgNVHSMEGDAW"
851 "gBRI5mj5K9KylddH2CMgEE8zmJCf1DAdBgNVHQ4EFgQUwHqYaI2J+6sFZAwRfap9"
852 "ZbjKzE4wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwOgYDVR0fBDMw"
853 "MTAvoC2gK4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20vY3Jscy9zZWN1cmVjYS5j"
854 "cmwwTgYDVR0gBEcwRTBDBgRVHSAAMDswOQYIKwYBBQUHAgEWLWh0dHBzOi8vd3d3"
855 "Lmdlb3RydXN0LmNvbS9yZXNvdXJjZXMvcmVwb3NpdG9yeTANBgkqhkiG9w0BAQUF"
856 "AAOBgQB24RJuTksWEoYwBrKBCM/wCMfHcX5m7sLt1Dsf//DwyE7WQziwuTB9GNBV"
857 "g6JqyzYRnOhIZqNtf7gT1Ef+i1pcc/yu2RsyGTirlzQUqpbS66McFAhJtrvlke+D"
858 "NusdVm/K2rxzY5Dkf3s+Iss9B+1fOHSc4wNQTqGvmO5h8oQ/Eg==";
859
860 // kBadSessionExtraField is a custom serialized SSL_SESSION generated by replacing
861 // the final (optional) element of |kCustomSession| with tag number 99.
862 static const char kBadSessionExtraField[] =
863 "MIIBdgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
864 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
865 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
866 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
867 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
868 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
869 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
870 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBOMDBAEF";
871
872 // kBadSessionVersion is a custom serialized SSL_SESSION generated by replacing
873 // the version of |kCustomSession| with 2.
874 static const char kBadSessionVersion[] =
875 "MIIBdgIBAgICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
876 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
877 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
878 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
879 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
880 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
881 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
882 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBLADBAEF";
883
884 // kBadSessionTrailingData is a custom serialized SSL_SESSION with trailing data
885 // appended.
886 static const char kBadSessionTrailingData[] =
887 "MIIBdgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
888 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
889 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
890 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
891 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
892 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
893 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
894 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBLADBAEFAAAA";
895
DecodeBase64(std::vector<uint8_t> * out,const char * in)896 static bool DecodeBase64(std::vector<uint8_t> *out, const char *in) {
897 size_t len;
898 if (!EVP_DecodedLength(&len, strlen(in))) {
899 fprintf(stderr, "EVP_DecodedLength failed\n");
900 return false;
901 }
902
903 out->resize(len);
904 if (!EVP_DecodeBase64(out->data(), &len, len, (const uint8_t *)in,
905 strlen(in))) {
906 fprintf(stderr, "EVP_DecodeBase64 failed\n");
907 return false;
908 }
909 out->resize(len);
910 return true;
911 }
912
TEST(SSLTest,SessionEncoding)913 TEST(SSLTest, SessionEncoding) {
914 for (const char *input_b64 : {
915 kOpenSSLSession,
916 kCustomSession,
917 kBoringSSLSession,
918 }) {
919 SCOPED_TRACE(std::string(input_b64));
920 // Decode the input.
921 std::vector<uint8_t> input;
922 ASSERT_TRUE(DecodeBase64(&input, input_b64));
923
924 // Verify the SSL_SESSION decodes.
925 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
926 ASSERT_TRUE(ssl_ctx);
927 bssl::UniquePtr<SSL_SESSION> session(
928 SSL_SESSION_from_bytes(input.data(), input.size(), ssl_ctx.get()));
929 ASSERT_TRUE(session) << "SSL_SESSION_from_bytes failed";
930
931 // Verify the SSL_SESSION encoding round-trips.
932 size_t encoded_len;
933 bssl::UniquePtr<uint8_t> encoded;
934 uint8_t *encoded_raw;
935 ASSERT_TRUE(SSL_SESSION_to_bytes(session.get(), &encoded_raw, &encoded_len))
936 << "SSL_SESSION_to_bytes failed";
937 encoded.reset(encoded_raw);
938 EXPECT_EQ(Bytes(encoded.get(), encoded_len), Bytes(input))
939 << "SSL_SESSION_to_bytes did not round-trip";
940
941 // Verify the SSL_SESSION also decodes with the legacy API.
942 const uint8_t *cptr = input.data();
943 session.reset(d2i_SSL_SESSION(NULL, &cptr, input.size()));
944 ASSERT_TRUE(session) << "d2i_SSL_SESSION failed";
945 EXPECT_EQ(cptr, input.data() + input.size());
946
947 // Verify the SSL_SESSION encoding round-trips via the legacy API.
948 int len = i2d_SSL_SESSION(session.get(), NULL);
949 ASSERT_GT(len, 0) << "i2d_SSL_SESSION failed";
950 ASSERT_EQ(static_cast<size_t>(len), input.size())
951 << "i2d_SSL_SESSION(NULL) returned invalid length";
952
953 encoded.reset((uint8_t *)OPENSSL_malloc(input.size()));
954 ASSERT_TRUE(encoded);
955
956 uint8_t *ptr = encoded.get();
957 len = i2d_SSL_SESSION(session.get(), &ptr);
958 ASSERT_GT(len, 0) << "i2d_SSL_SESSION failed";
959 ASSERT_EQ(static_cast<size_t>(len), input.size())
960 << "i2d_SSL_SESSION(NULL) returned invalid length";
961 ASSERT_EQ(ptr, encoded.get() + input.size())
962 << "i2d_SSL_SESSION did not advance ptr correctly";
963 EXPECT_EQ(Bytes(encoded.get(), encoded_len), Bytes(input))
964 << "SSL_SESSION_to_bytes did not round-trip";
965 }
966
967 for (const char *input_b64 : {
968 kBadSessionExtraField,
969 kBadSessionVersion,
970 kBadSessionTrailingData,
971 }) {
972 SCOPED_TRACE(std::string(input_b64));
973 std::vector<uint8_t> input;
974 ASSERT_TRUE(DecodeBase64(&input, input_b64));
975
976 // Verify that the SSL_SESSION fails to decode.
977 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
978 ASSERT_TRUE(ssl_ctx);
979 bssl::UniquePtr<SSL_SESSION> session(
980 SSL_SESSION_from_bytes(input.data(), input.size(), ssl_ctx.get()));
981 EXPECT_FALSE(session) << "SSL_SESSION_from_bytes unexpectedly succeeded";
982 ERR_clear_error();
983 }
984 }
985
ExpectDefaultVersion(uint16_t min_version,uint16_t max_version,const SSL_METHOD * (* method)(void))986 static void ExpectDefaultVersion(uint16_t min_version, uint16_t max_version,
987 const SSL_METHOD *(*method)(void)) {
988 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method()));
989 ASSERT_TRUE(ctx);
990 EXPECT_EQ(min_version, SSL_CTX_get_min_proto_version(ctx.get()));
991 EXPECT_EQ(max_version, SSL_CTX_get_max_proto_version(ctx.get()));
992 }
993
TEST(SSLTest,DefaultVersion)994 TEST(SSLTest, DefaultVersion) {
995 ExpectDefaultVersion(TLS1_VERSION, TLS1_3_VERSION, &TLS_method);
996 ExpectDefaultVersion(TLS1_VERSION, TLS1_VERSION, &TLSv1_method);
997 ExpectDefaultVersion(TLS1_1_VERSION, TLS1_1_VERSION, &TLSv1_1_method);
998 ExpectDefaultVersion(TLS1_2_VERSION, TLS1_2_VERSION, &TLSv1_2_method);
999 ExpectDefaultVersion(DTLS1_VERSION, DTLS1_2_VERSION, &DTLS_method);
1000 ExpectDefaultVersion(DTLS1_VERSION, DTLS1_VERSION, &DTLSv1_method);
1001 ExpectDefaultVersion(DTLS1_2_VERSION, DTLS1_2_VERSION, &DTLSv1_2_method);
1002 }
1003
TEST(SSLTest,CipherProperties)1004 TEST(SSLTest, CipherProperties) {
1005 static const struct {
1006 int id;
1007 const char *standard_name;
1008 int cipher_nid;
1009 int digest_nid;
1010 int kx_nid;
1011 int auth_nid;
1012 int prf_nid;
1013 } kTests[] = {
1014 {
1015 SSL3_CK_RSA_DES_192_CBC3_SHA,
1016 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
1017 NID_des_ede3_cbc,
1018 NID_sha1,
1019 NID_kx_rsa,
1020 NID_auth_rsa,
1021 NID_md5_sha1,
1022 },
1023 {
1024 TLS1_CK_RSA_WITH_AES_128_SHA,
1025 "TLS_RSA_WITH_AES_128_CBC_SHA",
1026 NID_aes_128_cbc,
1027 NID_sha1,
1028 NID_kx_rsa,
1029 NID_auth_rsa,
1030 NID_md5_sha1,
1031 },
1032 {
1033 TLS1_CK_PSK_WITH_AES_256_CBC_SHA,
1034 "TLS_PSK_WITH_AES_256_CBC_SHA",
1035 NID_aes_256_cbc,
1036 NID_sha1,
1037 NID_kx_psk,
1038 NID_auth_psk,
1039 NID_md5_sha1,
1040 },
1041 {
1042 TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
1043 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
1044 NID_aes_128_cbc,
1045 NID_sha1,
1046 NID_kx_ecdhe,
1047 NID_auth_rsa,
1048 NID_md5_sha1,
1049 },
1050 {
1051 TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
1052 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
1053 NID_aes_256_cbc,
1054 NID_sha1,
1055 NID_kx_ecdhe,
1056 NID_auth_rsa,
1057 NID_md5_sha1,
1058 },
1059 {
1060 TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1061 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
1062 NID_aes_128_gcm,
1063 NID_undef,
1064 NID_kx_ecdhe,
1065 NID_auth_rsa,
1066 NID_sha256,
1067 },
1068 {
1069 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
1070 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
1071 NID_aes_128_gcm,
1072 NID_undef,
1073 NID_kx_ecdhe,
1074 NID_auth_ecdsa,
1075 NID_sha256,
1076 },
1077 {
1078 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
1079 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
1080 NID_aes_256_gcm,
1081 NID_undef,
1082 NID_kx_ecdhe,
1083 NID_auth_ecdsa,
1084 NID_sha384,
1085 },
1086 {
1087 TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA,
1088 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
1089 NID_aes_128_cbc,
1090 NID_sha1,
1091 NID_kx_ecdhe,
1092 NID_auth_psk,
1093 NID_md5_sha1,
1094 },
1095 {
1096 TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
1097 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
1098 NID_chacha20_poly1305,
1099 NID_undef,
1100 NID_kx_ecdhe,
1101 NID_auth_rsa,
1102 NID_sha256,
1103 },
1104 {
1105 TLS1_3_CK_AES_256_GCM_SHA384,
1106 "TLS_AES_256_GCM_SHA384",
1107 NID_aes_256_gcm,
1108 NID_undef,
1109 NID_kx_any,
1110 NID_auth_any,
1111 NID_sha384,
1112 },
1113 {
1114 TLS1_3_CK_AES_128_GCM_SHA256,
1115 "TLS_AES_128_GCM_SHA256",
1116 NID_aes_128_gcm,
1117 NID_undef,
1118 NID_kx_any,
1119 NID_auth_any,
1120 NID_sha256,
1121 },
1122 {
1123 TLS1_3_CK_CHACHA20_POLY1305_SHA256,
1124 "TLS_CHACHA20_POLY1305_SHA256",
1125 NID_chacha20_poly1305,
1126 NID_undef,
1127 NID_kx_any,
1128 NID_auth_any,
1129 NID_sha256,
1130 },
1131 };
1132
1133 for (const auto &t : kTests) {
1134 SCOPED_TRACE(t.standard_name);
1135
1136 const SSL_CIPHER *cipher = SSL_get_cipher_by_value(t.id & 0xffff);
1137 ASSERT_TRUE(cipher);
1138 EXPECT_STREQ(t.standard_name, SSL_CIPHER_standard_name(cipher));
1139
1140 EXPECT_EQ(t.cipher_nid, SSL_CIPHER_get_cipher_nid(cipher));
1141 EXPECT_EQ(t.digest_nid, SSL_CIPHER_get_digest_nid(cipher));
1142 EXPECT_EQ(t.kx_nid, SSL_CIPHER_get_kx_nid(cipher));
1143 EXPECT_EQ(t.auth_nid, SSL_CIPHER_get_auth_nid(cipher));
1144 EXPECT_EQ(t.prf_nid, EVP_MD_nid(SSL_CIPHER_get_handshake_digest(cipher)));
1145 EXPECT_EQ(t.prf_nid, SSL_CIPHER_get_prf_nid(cipher));
1146 }
1147 }
1148
1149 // CreateSessionWithTicket returns a sample |SSL_SESSION| with the specified
1150 // version and ticket length or nullptr on failure.
CreateSessionWithTicket(uint16_t version,size_t ticket_len)1151 static bssl::UniquePtr<SSL_SESSION> CreateSessionWithTicket(uint16_t version,
1152 size_t ticket_len) {
1153 std::vector<uint8_t> der;
1154 if (!DecodeBase64(&der, kOpenSSLSession)) {
1155 return nullptr;
1156 }
1157
1158 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
1159 if (!ssl_ctx) {
1160 return nullptr;
1161 }
1162 // Use a garbage ticket.
1163 std::vector<uint8_t> ticket(ticket_len, 'a');
1164 bssl::UniquePtr<SSL_SESSION> session(
1165 SSL_SESSION_from_bytes(der.data(), der.size(), ssl_ctx.get()));
1166 if (!session ||
1167 !SSL_SESSION_set_protocol_version(session.get(), version) ||
1168 !SSL_SESSION_set_ticket(session.get(), ticket.data(), ticket.size())) {
1169 return nullptr;
1170 }
1171 // Fix up the timeout.
1172 #if defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE)
1173 SSL_SESSION_set_time(session.get(), 1234);
1174 #else
1175 SSL_SESSION_set_time(session.get(), time(nullptr));
1176 #endif
1177 return session;
1178 }
1179
GetClientHello(SSL * ssl,std::vector<uint8_t> * out)1180 static bool GetClientHello(SSL *ssl, std::vector<uint8_t> *out) {
1181 bssl::UniquePtr<BIO> bio(BIO_new(BIO_s_mem()));
1182 if (!bio) {
1183 return false;
1184 }
1185 // Do not configure a reading BIO, but record what's written to a memory BIO.
1186 BIO_up_ref(bio.get());
1187 SSL_set_bio(ssl, nullptr /* rbio */, bio.get());
1188 int ret = SSL_connect(ssl);
1189 if (ret > 0) {
1190 // SSL_connect should fail without a BIO to write to.
1191 return false;
1192 }
1193 ERR_clear_error();
1194
1195 const uint8_t *client_hello;
1196 size_t client_hello_len;
1197 if (!BIO_mem_contents(bio.get(), &client_hello, &client_hello_len)) {
1198 return false;
1199 }
1200
1201 // We did not get far enough to write a ClientHello.
1202 if (client_hello_len == 0) {
1203 return false;
1204 }
1205
1206 *out = std::vector<uint8_t>(client_hello, client_hello + client_hello_len);
1207 return true;
1208 }
1209
1210 // GetClientHelloLen creates a client SSL connection with the specified version
1211 // and ticket length. It returns the length of the ClientHello, not including
1212 // the record header, on success and zero on error.
GetClientHelloLen(uint16_t max_version,uint16_t session_version,size_t ticket_len)1213 static size_t GetClientHelloLen(uint16_t max_version, uint16_t session_version,
1214 size_t ticket_len) {
1215 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
1216 bssl::UniquePtr<SSL_SESSION> session =
1217 CreateSessionWithTicket(session_version, ticket_len);
1218 if (!ctx || !session) {
1219 return 0;
1220 }
1221
1222 // Set a one-element cipher list so the baseline ClientHello is unpadded.
1223 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
1224 if (!ssl || !SSL_set_session(ssl.get(), session.get()) ||
1225 !SSL_set_strict_cipher_list(ssl.get(), "ECDHE-RSA-AES128-GCM-SHA256") ||
1226 !SSL_set_max_proto_version(ssl.get(), max_version)) {
1227 return 0;
1228 }
1229
1230 std::vector<uint8_t> client_hello;
1231 if (!GetClientHello(ssl.get(), &client_hello) ||
1232 client_hello.size() <= SSL3_RT_HEADER_LENGTH) {
1233 return 0;
1234 }
1235
1236 return client_hello.size() - SSL3_RT_HEADER_LENGTH;
1237 }
1238
TEST(SSLTest,Padding)1239 TEST(SSLTest, Padding) {
1240 struct PaddingVersions {
1241 uint16_t max_version, session_version;
1242 };
1243 static const PaddingVersions kPaddingVersions[] = {
1244 // Test the padding extension at TLS 1.2.
1245 {TLS1_2_VERSION, TLS1_2_VERSION},
1246 // Test the padding extension at TLS 1.3 with a TLS 1.2 session, so there
1247 // will be no PSK binder after the padding extension.
1248 {TLS1_3_VERSION, TLS1_2_VERSION},
1249 // Test the padding extension at TLS 1.3 with a TLS 1.3 session, so there
1250 // will be a PSK binder after the padding extension.
1251 {TLS1_3_VERSION, TLS1_3_VERSION},
1252
1253 };
1254
1255 struct PaddingTest {
1256 size_t input_len, padded_len;
1257 };
1258 static const PaddingTest kPaddingTests[] = {
1259 // ClientHellos of length below 0x100 do not require padding.
1260 {0xfe, 0xfe},
1261 {0xff, 0xff},
1262 // ClientHellos of length 0x100 through 0x1fb are padded up to 0x200.
1263 {0x100, 0x200},
1264 {0x123, 0x200},
1265 {0x1fb, 0x200},
1266 // ClientHellos of length 0x1fc through 0x1ff get padded beyond 0x200. The
1267 // padding extension takes a minimum of four bytes plus one required
1268 // content
1269 // byte. (To work around yet more server bugs, we avoid empty final
1270 // extensions.)
1271 {0x1fc, 0x201},
1272 {0x1fd, 0x202},
1273 {0x1fe, 0x203},
1274 {0x1ff, 0x204},
1275 // Finally, larger ClientHellos need no padding.
1276 {0x200, 0x200},
1277 {0x201, 0x201},
1278 };
1279
1280 for (const PaddingVersions &versions : kPaddingVersions) {
1281 SCOPED_TRACE(versions.max_version);
1282 SCOPED_TRACE(versions.session_version);
1283
1284 // Sample a baseline length.
1285 size_t base_len =
1286 GetClientHelloLen(versions.max_version, versions.session_version, 1);
1287 ASSERT_NE(base_len, 0u) << "Baseline length could not be sampled";
1288
1289 for (const PaddingTest &test : kPaddingTests) {
1290 SCOPED_TRACE(test.input_len);
1291 ASSERT_LE(base_len, test.input_len) << "Baseline ClientHello too long";
1292
1293 size_t padded_len =
1294 GetClientHelloLen(versions.max_version, versions.session_version,
1295 1 + test.input_len - base_len);
1296 EXPECT_EQ(padded_len, test.padded_len)
1297 << "ClientHello was not padded to expected length";
1298 }
1299 }
1300 }
1301
CertFromPEM(const char * pem)1302 static bssl::UniquePtr<X509> CertFromPEM(const char *pem) {
1303 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(pem, strlen(pem)));
1304 if (!bio) {
1305 return nullptr;
1306 }
1307 return bssl::UniquePtr<X509>(
1308 PEM_read_bio_X509(bio.get(), nullptr, nullptr, nullptr));
1309 }
1310
KeyFromPEM(const char * pem)1311 static bssl::UniquePtr<EVP_PKEY> KeyFromPEM(const char *pem) {
1312 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(pem, strlen(pem)));
1313 if (!bio) {
1314 return nullptr;
1315 }
1316 return bssl::UniquePtr<EVP_PKEY>(
1317 PEM_read_bio_PrivateKey(bio.get(), nullptr, nullptr, nullptr));
1318 }
1319
GetTestCertificate()1320 static bssl::UniquePtr<X509> GetTestCertificate() {
1321 static const char kCertPEM[] =
1322 "-----BEGIN CERTIFICATE-----\n"
1323 "MIICWDCCAcGgAwIBAgIJAPuwTC6rEJsMMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV\n"
1324 "BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX\n"
1325 "aWRnaXRzIFB0eSBMdGQwHhcNMTQwNDIzMjA1MDQwWhcNMTcwNDIyMjA1MDQwWjBF\n"
1326 "MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50\n"
1327 "ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\n"
1328 "gQDYK8imMuRi/03z0K1Zi0WnvfFHvwlYeyK9Na6XJYaUoIDAtB92kWdGMdAQhLci\n"
1329 "HnAjkXLI6W15OoV3gA/ElRZ1xUpxTMhjP6PyY5wqT5r6y8FxbiiFKKAnHmUcrgfV\n"
1330 "W28tQ+0rkLGMryRtrukXOgXBv7gcrmU7G1jC2a7WqmeI8QIDAQABo1AwTjAdBgNV\n"
1331 "HQ4EFgQUi3XVrMsIvg4fZbf6Vr5sp3Xaha8wHwYDVR0jBBgwFoAUi3XVrMsIvg4f\n"
1332 "Zbf6Vr5sp3Xaha8wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQA76Hht\n"
1333 "ldY9avcTGSwbwoiuIqv0jTL1fHFnzy3RHMLDh+Lpvolc5DSrSJHCP5WuK0eeJXhr\n"
1334 "T5oQpHL9z/cCDLAKCKRa4uV0fhEdOWBqyR9p8y5jJtye72t6CuFUV5iqcpF4BH4f\n"
1335 "j2VNHwsSrJwkD4QUGlUtH7vwnQmyCFxZMmWAJg==\n"
1336 "-----END CERTIFICATE-----\n";
1337 return CertFromPEM(kCertPEM);
1338 }
1339
GetTestKey()1340 static bssl::UniquePtr<EVP_PKEY> GetTestKey() {
1341 static const char kKeyPEM[] =
1342 "-----BEGIN RSA PRIVATE KEY-----\n"
1343 "MIICXgIBAAKBgQDYK8imMuRi/03z0K1Zi0WnvfFHvwlYeyK9Na6XJYaUoIDAtB92\n"
1344 "kWdGMdAQhLciHnAjkXLI6W15OoV3gA/ElRZ1xUpxTMhjP6PyY5wqT5r6y8FxbiiF\n"
1345 "KKAnHmUcrgfVW28tQ+0rkLGMryRtrukXOgXBv7gcrmU7G1jC2a7WqmeI8QIDAQAB\n"
1346 "AoGBAIBy09Fd4DOq/Ijp8HeKuCMKTHqTW1xGHshLQ6jwVV2vWZIn9aIgmDsvkjCe\n"
1347 "i6ssZvnbjVcwzSoByhjN8ZCf/i15HECWDFFh6gt0P5z0MnChwzZmvatV/FXCT0j+\n"
1348 "WmGNB/gkehKjGXLLcjTb6dRYVJSCZhVuOLLcbWIV10gggJQBAkEA8S8sGe4ezyyZ\n"
1349 "m4e9r95g6s43kPqtj5rewTsUxt+2n4eVodD+ZUlCULWVNAFLkYRTBCASlSrm9Xhj\n"
1350 "QpmWAHJUkQJBAOVzQdFUaewLtdOJoPCtpYoY1zd22eae8TQEmpGOR11L6kbxLQsk\n"
1351 "aMly/DOnOaa82tqAGTdqDEZgSNmCeKKknmECQAvpnY8GUOVAubGR6c+W90iBuQLj\n"
1352 "LtFp/9ihd2w/PoDwrHZaoUYVcT4VSfJQog/k7kjE4MYXYWL8eEKg3WTWQNECQQDk\n"
1353 "104Wi91Umd1PzF0ijd2jXOERJU1wEKe6XLkYYNHWQAe5l4J4MWj9OdxFXAxIuuR/\n"
1354 "tfDwbqkta4xcux67//khAkEAvvRXLHTaa6VFzTaiiO8SaFsHV3lQyXOtMrBpB5jd\n"
1355 "moZWgjHvB2W9Ckn7sDqsPB+U2tyX0joDdQEyuiMECDY8oQ==\n"
1356 "-----END RSA PRIVATE KEY-----\n";
1357 return KeyFromPEM(kKeyPEM);
1358 }
1359
CreateContextWithTestCertificate(const SSL_METHOD * method)1360 static bssl::UniquePtr<SSL_CTX> CreateContextWithTestCertificate(
1361 const SSL_METHOD *method) {
1362 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
1363 bssl::UniquePtr<X509> cert = GetTestCertificate();
1364 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
1365 if (!ctx || !cert || !key ||
1366 !SSL_CTX_use_certificate(ctx.get(), cert.get()) ||
1367 !SSL_CTX_use_PrivateKey(ctx.get(), key.get())) {
1368 return nullptr;
1369 }
1370 return ctx;
1371 }
1372
GetECDSATestCertificate()1373 static bssl::UniquePtr<X509> GetECDSATestCertificate() {
1374 static const char kCertPEM[] =
1375 "-----BEGIN CERTIFICATE-----\n"
1376 "MIIBzzCCAXagAwIBAgIJANlMBNpJfb/rMAkGByqGSM49BAEwRTELMAkGA1UEBhMC\n"
1377 "QVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdp\n"
1378 "dHMgUHR5IEx0ZDAeFw0xNDA0MjMyMzIxNTdaFw0xNDA1MjMyMzIxNTdaMEUxCzAJ\n"
1379 "BgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5l\n"
1380 "dCBXaWRnaXRzIFB0eSBMdGQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATmK2ni\n"
1381 "v2Wfl74vHg2UikzVl2u3qR4NRvvdqakendy6WgHn1peoChj5w8SjHlbifINI2xYa\n"
1382 "HPUdfvGULUvPciLBo1AwTjAdBgNVHQ4EFgQUq4TSrKuV8IJOFngHVVdf5CaNgtEw\n"
1383 "HwYDVR0jBBgwFoAUq4TSrKuV8IJOFngHVVdf5CaNgtEwDAYDVR0TBAUwAwEB/zAJ\n"
1384 "BgcqhkjOPQQBA0gAMEUCIQDyoDVeUTo2w4J5m+4nUIWOcAZ0lVfSKXQA9L4Vh13E\n"
1385 "BwIgfB55FGohg/B6dGh5XxSZmmi08cueFV7mHzJSYV51yRQ=\n"
1386 "-----END CERTIFICATE-----\n";
1387 return CertFromPEM(kCertPEM);
1388 }
1389
GetECDSATestKey()1390 static bssl::UniquePtr<EVP_PKEY> GetECDSATestKey() {
1391 static const char kKeyPEM[] =
1392 "-----BEGIN PRIVATE KEY-----\n"
1393 "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgBw8IcnrUoEqc3VnJ\n"
1394 "TYlodwi1b8ldMHcO6NHJzgqLtGqhRANCAATmK2niv2Wfl74vHg2UikzVl2u3qR4N\n"
1395 "Rvvdqakendy6WgHn1peoChj5w8SjHlbifINI2xYaHPUdfvGULUvPciLB\n"
1396 "-----END PRIVATE KEY-----\n";
1397 return KeyFromPEM(kKeyPEM);
1398 }
1399
BufferFromPEM(const char * pem)1400 static bssl::UniquePtr<CRYPTO_BUFFER> BufferFromPEM(const char *pem) {
1401 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(pem, strlen(pem)));
1402 char *name, *header;
1403 uint8_t *data;
1404 long data_len;
1405 if (!PEM_read_bio(bio.get(), &name, &header, &data,
1406 &data_len)) {
1407 return nullptr;
1408 }
1409 OPENSSL_free(name);
1410 OPENSSL_free(header);
1411
1412 auto ret = bssl::UniquePtr<CRYPTO_BUFFER>(
1413 CRYPTO_BUFFER_new(data, data_len, nullptr));
1414 OPENSSL_free(data);
1415 return ret;
1416 }
1417
GetChainTestCertificateBuffer()1418 static bssl::UniquePtr<CRYPTO_BUFFER> GetChainTestCertificateBuffer() {
1419 static const char kCertPEM[] =
1420 "-----BEGIN CERTIFICATE-----\n"
1421 "MIIC0jCCAbqgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEQiBD\n"
1422 "QTAeFw0xNjAyMjgyMDI3MDNaFw0yNjAyMjUyMDI3MDNaMBgxFjAUBgNVBAMMDUNs\n"
1423 "aWVudCBDZXJ0IEEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDRvaz8\n"
1424 "CC/cshpCafJo4jLkHEoBqDLhdgFelJoAiQUyIqyWl2O7YHPnpJH+TgR7oelzNzt/\n"
1425 "kLRcH89M/TszB6zqyLTC4aqmvzKL0peD/jL2LWBucR0WXIvjA3zoRuF/x86+rYH3\n"
1426 "tHb+xs2PSs8EGL/Ev+ss+qTzTGEn26fuGNHkNw6tOwPpc+o8+wUtzf/kAthamo+c\n"
1427 "IDs2rQ+lP7+aLZTLeU/q4gcLutlzcK5imex5xy2jPkweq48kijK0kIzl1cPlA5d1\n"
1428 "z7C8jU50Pj9X9sQDJTN32j7UYRisJeeYQF8GaaN8SbrDI6zHgKzrRLyxDt/KQa9V\n"
1429 "iLeXANgZi+Xx9KgfAgMBAAGjLzAtMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYI\n"
1430 "KwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQBFEVbmYl+2RtNw\n"
1431 "rDftRDF1v2QUbcN2ouSnQDHxeDQdSgasLzT3ui8iYu0Rw2WWcZ0DV5e0ztGPhWq7\n"
1432 "AO0B120aFRMOY+4+bzu9Q2FFkQqc7/fKTvTDzIJI5wrMnFvUfzzvxh3OHWMYSs/w\n"
1433 "giq33hTKeHEq6Jyk3btCny0Ycecyc3yGXH10sizUfiHlhviCkDuESk8mFDwDDzqW\n"
1434 "ZF0IipzFbEDHoIxLlm3GQxpiLoEV4k8KYJp3R5KBLFyxM6UGPz8h72mIPCJp2RuK\n"
1435 "MYgF91UDvVzvnYm6TfseM2+ewKirC00GOrZ7rEcFvtxnKSqYf4ckqfNdSU1Y+RRC\n"
1436 "1ngWZ7Ih\n"
1437 "-----END CERTIFICATE-----\n";
1438 return BufferFromPEM(kCertPEM);
1439 }
1440
X509FromBuffer(bssl::UniquePtr<CRYPTO_BUFFER> buffer)1441 static bssl::UniquePtr<X509> X509FromBuffer(
1442 bssl::UniquePtr<CRYPTO_BUFFER> buffer) {
1443 if (!buffer) {
1444 return nullptr;
1445 }
1446 const uint8_t *derp = CRYPTO_BUFFER_data(buffer.get());
1447 return bssl::UniquePtr<X509>(
1448 d2i_X509(NULL, &derp, CRYPTO_BUFFER_len(buffer.get())));
1449 }
1450
GetChainTestCertificate()1451 static bssl::UniquePtr<X509> GetChainTestCertificate() {
1452 return X509FromBuffer(GetChainTestCertificateBuffer());
1453 }
1454
GetChainTestIntermediateBuffer()1455 static bssl::UniquePtr<CRYPTO_BUFFER> GetChainTestIntermediateBuffer() {
1456 static const char kCertPEM[] =
1457 "-----BEGIN CERTIFICATE-----\n"
1458 "MIICwjCCAaqgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwFDESMBAGA1UEAwwJQyBS\n"
1459 "b290IENBMB4XDTE2MDIyODIwMjcwM1oXDTI2MDIyNTIwMjcwM1owDzENMAsGA1UE\n"
1460 "AwwEQiBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALsSCYmDip2D\n"
1461 "GkjFxw7ykz26JSjELkl6ArlYjFJ3aT/SCh8qbS4gln7RH8CPBd78oFdfhIKQrwtZ\n"
1462 "3/q21ykD9BAS3qHe2YdcJfm8/kWAy5DvXk6NXU4qX334KofBAEpgdA/igEFq1P1l\n"
1463 "HAuIfZCpMRfT+i5WohVsGi8f/NgpRvVaMONLNfgw57mz1lbtFeBEISmX0kbsuJxF\n"
1464 "Qj/Bwhi5/0HAEXG8e7zN4cEx0yPRvmOATRdVb/8dW2pwOHRJq9R5M0NUkIsTSnL7\n"
1465 "6N/z8hRAHMsV3IudC5Yd7GXW1AGu9a+iKU+Q4xcZCoj0DC99tL4VKujrV1kAeqsM\n"
1466 "cz5/dKzi6+cCAwEAAaMjMCEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
1467 "AQYwDQYJKoZIhvcNAQELBQADggEBAIIeZiEeNhWWQ8Y4D+AGDwqUUeG8NjCbKrXQ\n"
1468 "BlHg5wZ8xftFaiP1Dp/UAezmx2LNazdmuwrYB8lm3FVTyaPDTKEGIPS4wJKHgqH1\n"
1469 "QPDhqNm85ey7TEtI9oYjsNim/Rb+iGkIAMXaxt58SzxbjvP0kMr1JfJIZbic9vye\n"
1470 "NwIspMFIpP3FB8ywyu0T0hWtCQgL4J47nigCHpOu58deP88fS/Nyz/fyGVWOZ76b\n"
1471 "WhWwgM3P3X95fQ3d7oFPR/bVh0YV+Cf861INwplokXgXQ3/TCQ+HNXeAMWn3JLWv\n"
1472 "XFwk8owk9dq/kQGdndGgy3KTEW4ctPX5GNhf3LJ9Q7dLji4ReQ4=\n"
1473 "-----END CERTIFICATE-----\n";
1474 return BufferFromPEM(kCertPEM);
1475 }
1476
GetChainTestIntermediate()1477 static bssl::UniquePtr<X509> GetChainTestIntermediate() {
1478 return X509FromBuffer(GetChainTestIntermediateBuffer());
1479 }
1480
GetChainTestKey()1481 static bssl::UniquePtr<EVP_PKEY> GetChainTestKey() {
1482 static const char kKeyPEM[] =
1483 "-----BEGIN PRIVATE KEY-----\n"
1484 "MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDRvaz8CC/cshpC\n"
1485 "afJo4jLkHEoBqDLhdgFelJoAiQUyIqyWl2O7YHPnpJH+TgR7oelzNzt/kLRcH89M\n"
1486 "/TszB6zqyLTC4aqmvzKL0peD/jL2LWBucR0WXIvjA3zoRuF/x86+rYH3tHb+xs2P\n"
1487 "Ss8EGL/Ev+ss+qTzTGEn26fuGNHkNw6tOwPpc+o8+wUtzf/kAthamo+cIDs2rQ+l\n"
1488 "P7+aLZTLeU/q4gcLutlzcK5imex5xy2jPkweq48kijK0kIzl1cPlA5d1z7C8jU50\n"
1489 "Pj9X9sQDJTN32j7UYRisJeeYQF8GaaN8SbrDI6zHgKzrRLyxDt/KQa9ViLeXANgZ\n"
1490 "i+Xx9KgfAgMBAAECggEBAK0VjSJzkyPaamcyTVSWjo7GdaBGcK60lk657RjR+lK0\n"
1491 "YJ7pkej4oM2hdsVZFsP8Cs4E33nXLa/0pDsRov/qrp0WQm2skwqGMC1I/bZ0WRPk\n"
1492 "wHaDrBBfESWnJDX/AGpVtlyOjPmgmK6J2usMPihQUDkKdAYrVWJePrMIxt1q6BMe\n"
1493 "iczs3qriMmtY3bUc4UyUwJ5fhDLjshHvfuIpYQyI6EXZM6dZksn9LylXJnigY6QJ\n"
1494 "HxOYO0BDwOsZ8yQ8J8afLk88i0GizEkgE1z3REtQUwgWfxr1WV/ud+T6/ZhSAgH9\n"
1495 "042mQvSFZnIUSEsmCvjhWuAunfxHKCTcAoYISWfzWpkCgYEA7gpf3HHU5Tn+CgUn\n"
1496 "1X5uGpG3DmcMgfeGgs2r2f/IIg/5Ac1dfYILiybL1tN9zbyLCJfcbFpWBc9hJL6f\n"
1497 "CPc5hUiwWFJqBJewxQkC1Ae/HakHbip+IZ+Jr0842O4BAArvixk4Lb7/N2Ct9sTE\n"
1498 "NJO6RtK9lbEZ5uK61DglHy8CS2UCgYEA4ZC1o36kPAMQBggajgnucb2yuUEelk0f\n"
1499 "AEr+GI32MGE+93xMr7rAhBoqLg4AITyIfEnOSQ5HwagnIHonBbv1LV/Gf9ursx8Z\n"
1500 "YOGbvT8zzzC+SU1bkDzdjAYnFQVGIjMtKOBJ3K07++ypwX1fr4QsQ8uKL8WSOWwt\n"
1501 "Z3Bym6XiZzMCgYADnhy+2OwHX85AkLt+PyGlPbmuelpyTzS4IDAQbBa6jcuW/2wA\n"
1502 "UE2km75VUXmD+u2R/9zVuLm99NzhFhSMqlUxdV1YukfqMfP5yp1EY6m/5aW7QuIP\n"
1503 "2MDa7TVL9rIFMiVZ09RKvbBbQxjhuzPQKL6X/PPspnhiTefQ+dl2k9xREQKBgHDS\n"
1504 "fMfGNEeAEKezrfSVqxphE9/tXms3L+ZpnCaT+yu/uEr5dTIAawKoQ6i9f/sf1/Sy\n"
1505 "xedsqR+IB+oKrzIDDWMgoJybN4pkZ8E5lzhVQIjFjKgFdWLzzqyW9z1gYfABQPlN\n"
1506 "FiS20WX0vgP1vcKAjdNrHzc9zyHBpgQzDmAj3NZZAoGBAI8vKCKdH7w3aL5CNkZQ\n"
1507 "2buIeWNA2HZazVwAGG5F2TU/LmXfRKnG6dX5bkU+AkBZh56jNZy//hfFSewJB4Kk\n"
1508 "buB7ERSdaNbO21zXt9FEA3+z0RfMd/Zv2vlIWOSB5nzl/7UKti3sribK6s9ZVLfi\n"
1509 "SxpiPQ8d/hmSGwn4ksrWUsJD\n"
1510 "-----END PRIVATE KEY-----\n";
1511 return KeyFromPEM(kKeyPEM);
1512 }
1513
CompleteHandshakes(SSL * client,SSL * server)1514 static bool CompleteHandshakes(SSL *client, SSL *server) {
1515 // Drive both their handshakes to completion.
1516 for (;;) {
1517 int client_ret = SSL_do_handshake(client);
1518 int client_err = SSL_get_error(client, client_ret);
1519 if (client_err != SSL_ERROR_NONE &&
1520 client_err != SSL_ERROR_WANT_READ &&
1521 client_err != SSL_ERROR_WANT_WRITE &&
1522 client_err != SSL_ERROR_PENDING_TICKET) {
1523 fprintf(stderr, "Client error: %s\n", SSL_error_description(client_err));
1524 return false;
1525 }
1526
1527 int server_ret = SSL_do_handshake(server);
1528 int server_err = SSL_get_error(server, server_ret);
1529 if (server_err != SSL_ERROR_NONE &&
1530 server_err != SSL_ERROR_WANT_READ &&
1531 server_err != SSL_ERROR_WANT_WRITE &&
1532 server_err != SSL_ERROR_PENDING_TICKET) {
1533 fprintf(stderr, "Server error: %s\n", SSL_error_description(server_err));
1534 return false;
1535 }
1536
1537 if (client_ret == 1 && server_ret == 1) {
1538 break;
1539 }
1540 }
1541
1542 return true;
1543 }
1544
FlushNewSessionTickets(SSL * client,SSL * server)1545 static bool FlushNewSessionTickets(SSL *client, SSL *server) {
1546 // NewSessionTickets are deferred on the server to |SSL_write|, and clients do
1547 // not pick them up until |SSL_read|.
1548 for (;;) {
1549 int server_ret = SSL_write(server, nullptr, 0);
1550 int server_err = SSL_get_error(server, server_ret);
1551 // The server may either succeed (|server_ret| is zero) or block on write
1552 // (|server_ret| is -1 and |server_err| is |SSL_ERROR_WANT_WRITE|).
1553 if (server_ret > 0 ||
1554 (server_ret < 0 && server_err != SSL_ERROR_WANT_WRITE)) {
1555 fprintf(stderr, "Unexpected server result: %d %d\n", server_ret,
1556 server_err);
1557 return false;
1558 }
1559
1560 int client_ret = SSL_read(client, nullptr, 0);
1561 int client_err = SSL_get_error(client, client_ret);
1562 // The client must always block on read.
1563 if (client_ret != -1 || client_err != SSL_ERROR_WANT_READ) {
1564 fprintf(stderr, "Unexpected client result: %d %d\n", client_ret,
1565 client_err);
1566 return false;
1567 }
1568
1569 // The server flushed everything it had to write.
1570 if (server_ret == 0) {
1571 return true;
1572 }
1573 }
1574 }
1575
1576 // CreateClientAndServer creates a client and server |SSL| objects whose |BIO|s
1577 // are paired with each other. It does not run the handshake. The caller is
1578 // expected to configure the objects and drive the handshake as needed.
CreateClientAndServer(bssl::UniquePtr<SSL> * out_client,bssl::UniquePtr<SSL> * out_server,SSL_CTX * client_ctx,SSL_CTX * server_ctx)1579 static bool CreateClientAndServer(bssl::UniquePtr<SSL> *out_client,
1580 bssl::UniquePtr<SSL> *out_server,
1581 SSL_CTX *client_ctx, SSL_CTX *server_ctx) {
1582 bssl::UniquePtr<SSL> client(SSL_new(client_ctx)), server(SSL_new(server_ctx));
1583 if (!client || !server) {
1584 return false;
1585 }
1586 SSL_set_connect_state(client.get());
1587 SSL_set_accept_state(server.get());
1588
1589 BIO *bio1, *bio2;
1590 if (!BIO_new_bio_pair(&bio1, 0, &bio2, 0)) {
1591 return false;
1592 }
1593 // SSL_set_bio takes ownership.
1594 SSL_set_bio(client.get(), bio1, bio1);
1595 SSL_set_bio(server.get(), bio2, bio2);
1596
1597 *out_client = std::move(client);
1598 *out_server = std::move(server);
1599 return true;
1600 }
1601
1602 struct ClientConfig {
1603 SSL_SESSION *session = nullptr;
1604 std::string servername;
1605 std::string verify_hostname;
1606 unsigned hostflags = 0;
1607 bool early_data = false;
1608 };
1609
ConnectClientAndServer(bssl::UniquePtr<SSL> * out_client,bssl::UniquePtr<SSL> * out_server,SSL_CTX * client_ctx,SSL_CTX * server_ctx,const ClientConfig & config=ClientConfig (),bool shed_handshake_config=true)1610 static bool ConnectClientAndServer(bssl::UniquePtr<SSL> *out_client,
1611 bssl::UniquePtr<SSL> *out_server,
1612 SSL_CTX *client_ctx, SSL_CTX *server_ctx,
1613 const ClientConfig &config = ClientConfig(),
1614 bool shed_handshake_config = true) {
1615 bssl::UniquePtr<SSL> client, server;
1616 if (!CreateClientAndServer(&client, &server, client_ctx, server_ctx)) {
1617 return false;
1618 }
1619 if (config.early_data) {
1620 SSL_set_early_data_enabled(client.get(), 1);
1621 }
1622 if (config.session) {
1623 SSL_set_session(client.get(), config.session);
1624 }
1625 if (!config.servername.empty() &&
1626 !SSL_set_tlsext_host_name(client.get(), config.servername.c_str())) {
1627 return false;
1628 }
1629 if (!config.verify_hostname.empty()) {
1630 if (!SSL_set1_host(client.get(), config.verify_hostname.c_str())) {
1631 return false;
1632 }
1633 SSL_set_hostflags(client.get(), config.hostflags);
1634 }
1635
1636 SSL_set_shed_handshake_config(client.get(), shed_handshake_config);
1637 SSL_set_shed_handshake_config(server.get(), shed_handshake_config);
1638
1639 if (!CompleteHandshakes(client.get(), server.get())) {
1640 return false;
1641 }
1642
1643 *out_client = std::move(client);
1644 *out_server = std::move(server);
1645 return true;
1646 }
1647
1648 static bssl::UniquePtr<SSL_SESSION> g_last_session;
1649
SaveLastSession(SSL * ssl,SSL_SESSION * session)1650 static int SaveLastSession(SSL *ssl, SSL_SESSION *session) {
1651 // Save the most recent session.
1652 g_last_session.reset(session);
1653 return 1;
1654 }
1655
CreateClientSession(SSL_CTX * client_ctx,SSL_CTX * server_ctx,const ClientConfig & config=ClientConfig ())1656 static bssl::UniquePtr<SSL_SESSION> CreateClientSession(
1657 SSL_CTX *client_ctx, SSL_CTX *server_ctx,
1658 const ClientConfig &config = ClientConfig()) {
1659 g_last_session = nullptr;
1660 SSL_CTX_sess_set_new_cb(client_ctx, SaveLastSession);
1661
1662 // Connect client and server to get a session.
1663 bssl::UniquePtr<SSL> client, server;
1664 if (!ConnectClientAndServer(&client, &server, client_ctx, server_ctx,
1665 config) ||
1666 !FlushNewSessionTickets(client.get(), server.get())) {
1667 fprintf(stderr, "Failed to connect client and server.\n");
1668 return nullptr;
1669 }
1670
1671 SSL_CTX_sess_set_new_cb(client_ctx, nullptr);
1672
1673 if (!g_last_session) {
1674 fprintf(stderr, "Client did not receive a session.\n");
1675 return nullptr;
1676 }
1677 return std::move(g_last_session);
1678 }
1679
SetUpExpectedNewCodePoint(SSL_CTX * ctx)1680 static void SetUpExpectedNewCodePoint(SSL_CTX *ctx) {
1681 SSL_CTX_set_select_certificate_cb(
1682 ctx,
1683 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
1684 const uint8_t *data;
1685 size_t len;
1686 if (!SSL_early_callback_ctx_extension_get(
1687 client_hello, TLSEXT_TYPE_application_settings, &data,
1688 &len)) {
1689 ADD_FAILURE() << "Could not find alps new codepoint.";
1690 return ssl_select_cert_error;
1691 }
1692 return ssl_select_cert_success;
1693 });
1694 }
1695
SetUpExpectedOldCodePoint(SSL_CTX * ctx)1696 static void SetUpExpectedOldCodePoint(SSL_CTX *ctx) {
1697 SSL_CTX_set_select_certificate_cb(
1698 ctx,
1699 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
1700 const uint8_t *data;
1701 size_t len;
1702 if (!SSL_early_callback_ctx_extension_get(
1703 client_hello, TLSEXT_TYPE_application_settings_old, &data,
1704 &len)) {
1705 ADD_FAILURE() << "Could not find alps old codepoint.";
1706 return ssl_select_cert_error;
1707 }
1708 return ssl_select_cert_success;
1709 });
1710 }
1711
1712 // Test that |SSL_get_client_CA_list| echoes back the configured parameter even
1713 // before configuring as a server.
TEST(SSLTest,ClientCAList)1714 TEST(SSLTest, ClientCAList) {
1715 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
1716 ASSERT_TRUE(ctx);
1717 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
1718 ASSERT_TRUE(ssl);
1719
1720 bssl::UniquePtr<X509_NAME> name(X509_NAME_new());
1721 ASSERT_TRUE(name);
1722
1723 bssl::UniquePtr<X509_NAME> name_dup(X509_NAME_dup(name.get()));
1724 ASSERT_TRUE(name_dup);
1725
1726 bssl::UniquePtr<STACK_OF(X509_NAME)> stack(sk_X509_NAME_new_null());
1727 ASSERT_TRUE(stack);
1728 ASSERT_TRUE(PushToStack(stack.get(), std::move(name_dup)));
1729
1730 // |SSL_set_client_CA_list| takes ownership.
1731 SSL_set_client_CA_list(ssl.get(), stack.release());
1732
1733 STACK_OF(X509_NAME) *result = SSL_get_client_CA_list(ssl.get());
1734 ASSERT_TRUE(result);
1735 ASSERT_EQ(1u, sk_X509_NAME_num(result));
1736 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(result, 0), name.get()));
1737 }
1738
TEST(SSLTest,AddClientCA)1739 TEST(SSLTest, AddClientCA) {
1740 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
1741 ASSERT_TRUE(ctx);
1742 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
1743 ASSERT_TRUE(ssl);
1744
1745 bssl::UniquePtr<X509> cert1 = GetTestCertificate();
1746 bssl::UniquePtr<X509> cert2 = GetChainTestCertificate();
1747 ASSERT_TRUE(cert1 && cert2);
1748 X509_NAME *name1 = X509_get_subject_name(cert1.get());
1749 X509_NAME *name2 = X509_get_subject_name(cert2.get());
1750
1751 EXPECT_EQ(0u, sk_X509_NAME_num(SSL_get_client_CA_list(ssl.get())));
1752
1753 ASSERT_TRUE(SSL_add_client_CA(ssl.get(), cert1.get()));
1754 ASSERT_TRUE(SSL_add_client_CA(ssl.get(), cert2.get()));
1755
1756 STACK_OF(X509_NAME) *list = SSL_get_client_CA_list(ssl.get());
1757 ASSERT_EQ(2u, sk_X509_NAME_num(list));
1758 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 0), name1));
1759 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 1), name2));
1760
1761 ASSERT_TRUE(SSL_add_client_CA(ssl.get(), cert1.get()));
1762
1763 list = SSL_get_client_CA_list(ssl.get());
1764 ASSERT_EQ(3u, sk_X509_NAME_num(list));
1765 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 0), name1));
1766 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 1), name2));
1767 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 2), name1));
1768 }
1769
1770 struct ECHConfigParams {
1771 uint16_t version = TLSEXT_TYPE_encrypted_client_hello;
1772 uint16_t config_id = 1;
1773 std::string public_name = "example.com";
1774 const EVP_HPKE_KEY *key = nullptr;
1775 // kem_id, if zero, takes its value from |key|.
1776 uint16_t kem_id = 0;
1777 // public_key, if empty takes its value from |key|.
1778 std::vector<uint8_t> public_key;
1779 size_t max_name_len = 16;
1780 // cipher_suites is a list of code points which should contain pairs of KDF
1781 // and AEAD IDs.
1782 std::vector<uint16_t> cipher_suites = {EVP_HPKE_HKDF_SHA256,
1783 EVP_HPKE_AES_128_GCM};
1784 std::vector<uint8_t> extensions;
1785 };
1786
1787 // MakeECHConfig serializes an ECHConfig from |params| and writes it to
1788 // |*out|.
MakeECHConfig(std::vector<uint8_t> * out,const ECHConfigParams & params)1789 bool MakeECHConfig(std::vector<uint8_t> *out,
1790 const ECHConfigParams ¶ms) {
1791 uint16_t kem_id = params.kem_id == 0
1792 ? EVP_HPKE_KEM_id(EVP_HPKE_KEY_kem(params.key))
1793 : params.kem_id;
1794 std::vector<uint8_t> public_key = params.public_key;
1795 if (public_key.empty()) {
1796 public_key.resize(EVP_HPKE_MAX_PUBLIC_KEY_LENGTH);
1797 size_t len;
1798 if (!EVP_HPKE_KEY_public_key(params.key, public_key.data(), &len,
1799 public_key.size())) {
1800 return false;
1801 }
1802 public_key.resize(len);
1803 }
1804
1805 bssl::ScopedCBB cbb;
1806 CBB contents, child;
1807 if (!CBB_init(cbb.get(), 64) ||
1808 !CBB_add_u16(cbb.get(), params.version) ||
1809 !CBB_add_u16_length_prefixed(cbb.get(), &contents) ||
1810 !CBB_add_u8(&contents, params.config_id) ||
1811 !CBB_add_u16(&contents, kem_id) ||
1812 !CBB_add_u16_length_prefixed(&contents, &child) ||
1813 !CBB_add_bytes(&child, public_key.data(), public_key.size()) ||
1814 !CBB_add_u16_length_prefixed(&contents, &child)) {
1815 return false;
1816 }
1817 for (uint16_t cipher_suite : params.cipher_suites) {
1818 if (!CBB_add_u16(&child, cipher_suite)) {
1819 return false;
1820 }
1821 }
1822 if (!CBB_add_u8(&contents, params.max_name_len) ||
1823 !CBB_add_u8_length_prefixed(&contents, &child) ||
1824 !CBB_add_bytes(
1825 &child, reinterpret_cast<const uint8_t *>(params.public_name.data()),
1826 params.public_name.size()) ||
1827 !CBB_add_u16_length_prefixed(&contents, &child) ||
1828 !CBB_add_bytes(&child, params.extensions.data(),
1829 params.extensions.size()) ||
1830 !CBB_flush(cbb.get())) {
1831 return false;
1832 }
1833
1834 out->assign(CBB_data(cbb.get()), CBB_data(cbb.get()) + CBB_len(cbb.get()));
1835 return true;
1836 }
1837
MakeTestECHKeys(uint8_t config_id=1)1838 static bssl::UniquePtr<SSL_ECH_KEYS> MakeTestECHKeys(uint8_t config_id = 1) {
1839 bssl::ScopedEVP_HPKE_KEY key;
1840 uint8_t *ech_config;
1841 size_t ech_config_len;
1842 if (!EVP_HPKE_KEY_generate(key.get(), EVP_hpke_x25519_hkdf_sha256()) ||
1843 !SSL_marshal_ech_config(&ech_config, &ech_config_len, config_id,
1844 key.get(), "public.example", 16)) {
1845 return nullptr;
1846 }
1847 bssl::UniquePtr<uint8_t> free_ech_config(ech_config);
1848
1849 // Install a non-retry config.
1850 bssl::UniquePtr<SSL_ECH_KEYS> keys(SSL_ECH_KEYS_new());
1851 if (!keys || !SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1, ech_config,
1852 ech_config_len, key.get())) {
1853 return nullptr;
1854 }
1855 return keys;
1856 }
1857
InstallECHConfigList(SSL * client,const SSL_ECH_KEYS * keys)1858 static bool InstallECHConfigList(SSL *client, const SSL_ECH_KEYS *keys) {
1859 uint8_t *ech_config_list;
1860 size_t ech_config_list_len;
1861 if (!SSL_ECH_KEYS_marshal_retry_configs(keys, &ech_config_list,
1862 &ech_config_list_len)) {
1863 return false;
1864 }
1865 bssl::UniquePtr<uint8_t> free_ech_config_list(ech_config_list);
1866 return SSL_set1_ech_config_list(client, ech_config_list, ech_config_list_len);
1867 }
1868
1869 // Test that |SSL_marshal_ech_config| and |SSL_ECH_KEYS_marshal_retry_configs|
1870 // output values as expected.
TEST(SSLTest,MarshalECHConfig)1871 TEST(SSLTest, MarshalECHConfig) {
1872 static const uint8_t kPrivateKey[X25519_PRIVATE_KEY_LEN] = {
1873 0xbc, 0xb5, 0x51, 0x29, 0x31, 0x10, 0x30, 0xc9, 0xed, 0x26, 0xde,
1874 0xd4, 0xb3, 0xdf, 0x3a, 0xce, 0x06, 0x8a, 0xee, 0x17, 0xab, 0xce,
1875 0xd7, 0xdb, 0xf3, 0x11, 0xe5, 0xa8, 0xf3, 0xb1, 0x8e, 0x24};
1876 bssl::ScopedEVP_HPKE_KEY key;
1877 ASSERT_TRUE(EVP_HPKE_KEY_init(key.get(), EVP_hpke_x25519_hkdf_sha256(),
1878 kPrivateKey, sizeof(kPrivateKey)));
1879
1880 static const uint8_t kECHConfig[] = {
1881 // version
1882 0xfe, 0x0d,
1883 // length
1884 0x00, 0x41,
1885 // contents.config_id
1886 0x01,
1887 // contents.kem_id
1888 0x00, 0x20,
1889 // contents.public_key
1890 0x00, 0x20, 0xa6, 0x9a, 0x41, 0x48, 0x5d, 0x32, 0x96, 0xa4, 0xe0, 0xc3,
1891 0x6a, 0xee, 0xf6, 0x63, 0x0f, 0x59, 0x32, 0x6f, 0xdc, 0xff, 0x81, 0x29,
1892 0x59, 0xa5, 0x85, 0xd3, 0x9b, 0x3b, 0xde, 0x98, 0x55, 0x5c,
1893 // contents.cipher_suites
1894 0x00, 0x08, 0x00, 0x01, 0x00, 0x01, 0x00, 0x01, 0x00, 0x03,
1895 // contents.maximum_name_length
1896 0x10,
1897 // contents.public_name
1898 0x0e, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x2e, 0x65, 0x78, 0x61, 0x6d,
1899 0x70, 0x6c, 0x65,
1900 // contents.extensions
1901 0x00, 0x00};
1902 uint8_t *ech_config;
1903 size_t ech_config_len;
1904 ASSERT_TRUE(SSL_marshal_ech_config(&ech_config, &ech_config_len,
1905 /*config_id=*/1, key.get(),
1906 "public.example", 16));
1907 bssl::UniquePtr<uint8_t> free_ech_config(ech_config);
1908 EXPECT_EQ(Bytes(kECHConfig), Bytes(ech_config, ech_config_len));
1909
1910 // Generate a second ECHConfig.
1911 bssl::ScopedEVP_HPKE_KEY key2;
1912 ASSERT_TRUE(EVP_HPKE_KEY_generate(key2.get(), EVP_hpke_x25519_hkdf_sha256()));
1913 uint8_t *ech_config2;
1914 size_t ech_config2_len;
1915 ASSERT_TRUE(SSL_marshal_ech_config(&ech_config2, &ech_config2_len,
1916 /*config_id=*/2, key2.get(),
1917 "public.example", 16));
1918 bssl::UniquePtr<uint8_t> free_ech_config2(ech_config2);
1919
1920 // Install both ECHConfigs in an |SSL_ECH_KEYS|.
1921 bssl::UniquePtr<SSL_ECH_KEYS> keys(SSL_ECH_KEYS_new());
1922 ASSERT_TRUE(keys);
1923 ASSERT_TRUE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1, ech_config,
1924 ech_config_len, key.get()));
1925 ASSERT_TRUE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1, ech_config2,
1926 ech_config2_len, key2.get()));
1927
1928 // The ECHConfigList should be correctly serialized.
1929 uint8_t *ech_config_list;
1930 size_t ech_config_list_len;
1931 ASSERT_TRUE(SSL_ECH_KEYS_marshal_retry_configs(keys.get(), &ech_config_list,
1932 &ech_config_list_len));
1933 bssl::UniquePtr<uint8_t> free_ech_config_list(ech_config_list);
1934
1935 // ECHConfigList is just the concatenation with a length prefix.
1936 size_t len = ech_config_len + ech_config2_len;
1937 std::vector<uint8_t> expected = {uint8_t(len >> 8), uint8_t(len)};
1938 expected.insert(expected.end(), ech_config, ech_config + ech_config_len);
1939 expected.insert(expected.end(), ech_config2, ech_config2 + ech_config2_len);
1940 EXPECT_EQ(Bytes(expected), Bytes(ech_config_list, ech_config_list_len));
1941 }
1942
TEST(SSLTest,ECHHasDuplicateConfigID)1943 TEST(SSLTest, ECHHasDuplicateConfigID) {
1944 const struct {
1945 std::vector<uint8_t> ids;
1946 bool has_duplicate;
1947 } kTests[] = {
1948 {{}, false},
1949 {{1}, false},
1950 {{1, 2, 3, 255}, false},
1951 {{1, 2, 3, 1}, true},
1952 };
1953 for (const auto &test : kTests) {
1954 bssl::UniquePtr<SSL_ECH_KEYS> keys(SSL_ECH_KEYS_new());
1955 ASSERT_TRUE(keys);
1956 for (const uint8_t id : test.ids) {
1957 bssl::ScopedEVP_HPKE_KEY key;
1958 ASSERT_TRUE(
1959 EVP_HPKE_KEY_generate(key.get(), EVP_hpke_x25519_hkdf_sha256()));
1960 uint8_t *ech_config;
1961 size_t ech_config_len;
1962 ASSERT_TRUE(SSL_marshal_ech_config(&ech_config, &ech_config_len, id,
1963 key.get(), "public.example", 16));
1964 bssl::UniquePtr<uint8_t> free_ech_config(ech_config);
1965 ASSERT_TRUE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
1966 ech_config, ech_config_len, key.get()));
1967 }
1968
1969 EXPECT_EQ(test.has_duplicate ? 1 : 0,
1970 SSL_ECH_KEYS_has_duplicate_config_id(keys.get()));
1971 }
1972 }
1973
1974 // Test that |SSL_ECH_KEYS_add| checks consistency between the public and
1975 // private key.
TEST(SSLTest,ECHKeyConsistency)1976 TEST(SSLTest, ECHKeyConsistency) {
1977 bssl::UniquePtr<SSL_ECH_KEYS> keys(SSL_ECH_KEYS_new());
1978 ASSERT_TRUE(keys);
1979 bssl::ScopedEVP_HPKE_KEY key;
1980 ASSERT_TRUE(EVP_HPKE_KEY_generate(key.get(), EVP_hpke_x25519_hkdf_sha256()));
1981 uint8_t public_key[EVP_HPKE_MAX_PUBLIC_KEY_LENGTH];
1982 size_t public_key_len;
1983 ASSERT_TRUE(EVP_HPKE_KEY_public_key(key.get(), public_key, &public_key_len,
1984 sizeof(public_key)));
1985
1986 // Adding an ECHConfig with the matching public key succeeds.
1987 ECHConfigParams params;
1988 params.key = key.get();
1989 std::vector<uint8_t> ech_config;
1990 ASSERT_TRUE(MakeECHConfig(&ech_config, params));
1991 EXPECT_TRUE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
1992 ech_config.data(), ech_config.size(),
1993 key.get()));
1994
1995 // Adding an ECHConfig with the wrong public key is an error.
1996 bssl::ScopedEVP_HPKE_KEY wrong_key;
1997 ASSERT_TRUE(
1998 EVP_HPKE_KEY_generate(wrong_key.get(), EVP_hpke_x25519_hkdf_sha256()));
1999 EXPECT_FALSE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
2000 ech_config.data(), ech_config.size(),
2001 wrong_key.get()));
2002
2003 // Adding an ECHConfig with a truncated public key is an error.
2004 ECHConfigParams truncated;
2005 truncated.key = key.get();
2006 truncated.public_key.assign(public_key, public_key + public_key_len - 1);
2007 ASSERT_TRUE(MakeECHConfig(&ech_config, truncated));
2008 EXPECT_FALSE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
2009 ech_config.data(), ech_config.size(), key.get()));
2010
2011 // Adding an ECHConfig with the right public key, but wrong KEM ID, is an
2012 // error.
2013 ECHConfigParams wrong_kem;
2014 wrong_kem.key = key.get();
2015 wrong_kem.kem_id = 0x0010; // DHKEM(P-256, HKDF-SHA256)
2016 ASSERT_TRUE(MakeECHConfig(&ech_config, wrong_kem));
2017 EXPECT_FALSE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
2018 ech_config.data(), ech_config.size(),
2019 key.get()));
2020 }
2021
2022 // Test that |SSL_CTX_set1_ech_keys| fails when the config list
2023 // has no retry configs.
TEST(SSLTest,ECHServerConfigsWithoutRetryConfigs)2024 TEST(SSLTest, ECHServerConfigsWithoutRetryConfigs) {
2025 bssl::ScopedEVP_HPKE_KEY key;
2026 ASSERT_TRUE(EVP_HPKE_KEY_generate(key.get(), EVP_hpke_x25519_hkdf_sha256()));
2027 uint8_t *ech_config;
2028 size_t ech_config_len;
2029 ASSERT_TRUE(SSL_marshal_ech_config(&ech_config, &ech_config_len,
2030 /*config_id=*/1, key.get(),
2031 "public.example", 16));
2032 bssl::UniquePtr<uint8_t> free_ech_config(ech_config);
2033
2034 // Install a non-retry config.
2035 bssl::UniquePtr<SSL_ECH_KEYS> keys(SSL_ECH_KEYS_new());
2036 ASSERT_TRUE(keys);
2037 ASSERT_TRUE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/0, ech_config,
2038 ech_config_len, key.get()));
2039
2040 // |keys| has no retry configs.
2041 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
2042 ASSERT_TRUE(ctx);
2043 EXPECT_FALSE(SSL_CTX_set1_ech_keys(ctx.get(), keys.get()));
2044
2045 // Add the same ECHConfig to the list, but this time mark it as a retry
2046 // config.
2047 ASSERT_TRUE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1, ech_config,
2048 ech_config_len, key.get()));
2049 EXPECT_TRUE(SSL_CTX_set1_ech_keys(ctx.get(), keys.get()));
2050 }
2051
2052 // Test that the server APIs reject ECHConfigs with unsupported features.
TEST(SSLTest,UnsupportedECHConfig)2053 TEST(SSLTest, UnsupportedECHConfig) {
2054 bssl::UniquePtr<SSL_ECH_KEYS> keys(SSL_ECH_KEYS_new());
2055 ASSERT_TRUE(keys);
2056 bssl::ScopedEVP_HPKE_KEY key;
2057 ASSERT_TRUE(EVP_HPKE_KEY_generate(key.get(), EVP_hpke_x25519_hkdf_sha256()));
2058
2059 // Unsupported versions are rejected.
2060 ECHConfigParams unsupported_version;
2061 unsupported_version.version = 0xffff;
2062 unsupported_version.key = key.get();
2063 std::vector<uint8_t> ech_config;
2064 ASSERT_TRUE(MakeECHConfig(&ech_config, unsupported_version));
2065 EXPECT_FALSE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
2066 ech_config.data(), ech_config.size(),
2067 key.get()));
2068
2069 // Unsupported cipher suites are rejected. (We only support HKDF-SHA256.)
2070 ECHConfigParams unsupported_kdf;
2071 unsupported_kdf.key = key.get();
2072 unsupported_kdf.cipher_suites = {0x002 /* HKDF-SHA384 */,
2073 EVP_HPKE_AES_128_GCM};
2074 ASSERT_TRUE(MakeECHConfig(&ech_config, unsupported_kdf));
2075 EXPECT_FALSE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
2076 ech_config.data(), ech_config.size(),
2077 key.get()));
2078 ECHConfigParams unsupported_aead;
2079 unsupported_aead.key = key.get();
2080 unsupported_aead.cipher_suites = {EVP_HPKE_HKDF_SHA256, 0xffff};
2081 ASSERT_TRUE(MakeECHConfig(&ech_config, unsupported_aead));
2082 EXPECT_FALSE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
2083 ech_config.data(), ech_config.size(),
2084 key.get()));
2085
2086
2087 // Unsupported extensions are rejected.
2088 ECHConfigParams extensions;
2089 extensions.key = key.get();
2090 extensions.extensions = {0x00, 0x01, 0x00, 0x00};
2091 ASSERT_TRUE(MakeECHConfig(&ech_config, extensions));
2092 EXPECT_FALSE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
2093 ech_config.data(), ech_config.size(),
2094 key.get()));
2095
2096 // Invalid public names are rejected.
2097 ECHConfigParams invalid_public_name;
2098 invalid_public_name.key = key.get();
2099 invalid_public_name.public_name = "dns_names_have_no_underscores.example";
2100 ASSERT_TRUE(MakeECHConfig(&ech_config, invalid_public_name));
2101 EXPECT_FALSE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
2102 ech_config.data(), ech_config.size(),
2103 key.get()));
2104 }
2105
2106 // Test that |SSL_get_client_random| reports the correct value on both client
2107 // and server in ECH. The client sends two different random values. When ECH is
2108 // accepted, we should report the inner one.
TEST(SSLTest,ECHClientRandomsMatch)2109 TEST(SSLTest, ECHClientRandomsMatch) {
2110 bssl::UniquePtr<SSL_CTX> server_ctx =
2111 CreateContextWithTestCertificate(TLS_method());
2112 ASSERT_TRUE(server_ctx);
2113 bssl::UniquePtr<SSL_ECH_KEYS> keys = MakeTestECHKeys();
2114 ASSERT_TRUE(keys);
2115 ASSERT_TRUE(SSL_CTX_set1_ech_keys(server_ctx.get(), keys.get()));
2116
2117 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
2118 ASSERT_TRUE(client_ctx);
2119 bssl::UniquePtr<SSL> client, server;
2120 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
2121 server_ctx.get()));
2122 ASSERT_TRUE(InstallECHConfigList(client.get(), keys.get()));
2123 ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
2124
2125 EXPECT_TRUE(SSL_ech_accepted(client.get()));
2126 EXPECT_TRUE(SSL_ech_accepted(server.get()));
2127
2128 // An ECH server will fairly naturally record the inner ClientHello random,
2129 // but an ECH client may forget to update the random once ClientHelloInner is
2130 // selected.
2131 uint8_t client_random1[SSL3_RANDOM_SIZE];
2132 uint8_t client_random2[SSL3_RANDOM_SIZE];
2133 ASSERT_EQ(sizeof(client_random1),
2134 SSL_get_client_random(client.get(), client_random1,
2135 sizeof(client_random1)));
2136 ASSERT_EQ(sizeof(client_random2),
2137 SSL_get_client_random(server.get(), client_random2,
2138 sizeof(client_random2)));
2139 EXPECT_EQ(Bytes(client_random1), Bytes(client_random2));
2140 }
2141
2142 // GetECHLength sets |*out_client_hello_len| and |*out_ech_len| to the lengths
2143 // of the ClientHello and ECH extension, respectively, when a client created
2144 // from |ctx| constructs a ClientHello with name |name| and an ECHConfig with
2145 // maximum name length |max_name_len|.
GetECHLength(SSL_CTX * ctx,size_t * out_client_hello_len,size_t * out_ech_len,size_t max_name_len,const char * name)2146 static bool GetECHLength(SSL_CTX *ctx, size_t *out_client_hello_len,
2147 size_t *out_ech_len, size_t max_name_len,
2148 const char *name) {
2149 bssl::ScopedEVP_HPKE_KEY key;
2150 uint8_t *ech_config;
2151 size_t ech_config_len;
2152 if (!EVP_HPKE_KEY_generate(key.get(), EVP_hpke_x25519_hkdf_sha256()) ||
2153 !SSL_marshal_ech_config(&ech_config, &ech_config_len,
2154 /*config_id=*/1, key.get(), "public.example",
2155 max_name_len)) {
2156 return false;
2157 }
2158 bssl::UniquePtr<uint8_t> free_ech_config(ech_config);
2159
2160 bssl::UniquePtr<SSL_ECH_KEYS> keys(SSL_ECH_KEYS_new());
2161 if (!keys || !SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1, ech_config,
2162 ech_config_len, key.get())) {
2163 return false;
2164 }
2165
2166 bssl::UniquePtr<SSL> ssl(SSL_new(ctx));
2167 if (!ssl || !InstallECHConfigList(ssl.get(), keys.get()) ||
2168 (name != nullptr && !SSL_set_tlsext_host_name(ssl.get(), name))) {
2169 return false;
2170 }
2171 SSL_set_connect_state(ssl.get());
2172
2173 std::vector<uint8_t> client_hello;
2174 SSL_CLIENT_HELLO parsed;
2175 const uint8_t *unused;
2176 if (!GetClientHello(ssl.get(), &client_hello) ||
2177 !ssl_client_hello_init(
2178 ssl.get(), &parsed,
2179 // Skip record and handshake headers. This assumes the ClientHello
2180 // fits in one record.
2181 MakeConstSpan(client_hello)
2182 .subspan(SSL3_RT_HEADER_LENGTH + SSL3_HM_HEADER_LENGTH)) ||
2183 !SSL_early_callback_ctx_extension_get(
2184 &parsed, TLSEXT_TYPE_encrypted_client_hello, &unused, out_ech_len)) {
2185 return false;
2186 }
2187 *out_client_hello_len = client_hello.size();
2188 return true;
2189 }
2190
TEST(SSLTest,ECHPadding)2191 TEST(SSLTest, ECHPadding) {
2192 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
2193 ASSERT_TRUE(ctx);
2194
2195 // Sample lengths with max_name_len = 128 as baseline.
2196 size_t client_hello_len_baseline, ech_len_baseline;
2197 ASSERT_TRUE(GetECHLength(ctx.get(), &client_hello_len_baseline,
2198 &ech_len_baseline, 128, "example.com"));
2199
2200 // Check that all name lengths under the server's maximum look the same.
2201 for (size_t name_len : {1, 2, 32, 64, 127, 128}) {
2202 SCOPED_TRACE(name_len);
2203 size_t client_hello_len, ech_len;
2204 ASSERT_TRUE(GetECHLength(ctx.get(), &client_hello_len, &ech_len, 128,
2205 std::string(name_len, 'a').c_str()));
2206 EXPECT_EQ(client_hello_len, client_hello_len_baseline);
2207 EXPECT_EQ(ech_len, ech_len_baseline);
2208 }
2209
2210 // When sending no SNI, we must still pad as if we are sending one.
2211 size_t client_hello_len, ech_len;
2212 ASSERT_TRUE(
2213 GetECHLength(ctx.get(), &client_hello_len, &ech_len, 128, nullptr));
2214 EXPECT_EQ(client_hello_len, client_hello_len_baseline);
2215 EXPECT_EQ(ech_len, ech_len_baseline);
2216
2217 // Name lengths above the maximum do not get named-based padding, but the
2218 // overall input is padded to a multiple of 32.
2219 size_t client_hello_len_baseline2, ech_len_baseline2;
2220 ASSERT_TRUE(GetECHLength(ctx.get(), &client_hello_len_baseline2,
2221 &ech_len_baseline2, 128,
2222 std::string(128 + 32, 'a').c_str()));
2223 EXPECT_EQ(ech_len_baseline2, ech_len_baseline + 32);
2224 // The ClientHello lengths may match if we are still under the threshold for
2225 // padding extension.
2226 EXPECT_GE(client_hello_len_baseline2, client_hello_len_baseline);
2227
2228 for (size_t name_len = 128 + 1; name_len < 128 + 32; name_len++) {
2229 SCOPED_TRACE(name_len);
2230 ASSERT_TRUE(GetECHLength(ctx.get(), &client_hello_len, &ech_len, 128,
2231 std::string(name_len, 'a').c_str()));
2232 EXPECT_TRUE(ech_len == ech_len_baseline || ech_len == ech_len_baseline2)
2233 << ech_len;
2234 EXPECT_TRUE(client_hello_len == client_hello_len_baseline ||
2235 client_hello_len == client_hello_len_baseline2)
2236 << client_hello_len;
2237 }
2238 }
2239
TEST(SSLTest,ECHPublicName)2240 TEST(SSLTest, ECHPublicName) {
2241 auto str_to_span = [](const char *str) -> Span<const uint8_t> {
2242 return MakeConstSpan(reinterpret_cast<const uint8_t *>(str), strlen(str));
2243 };
2244
2245 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("")));
2246 EXPECT_TRUE(ssl_is_valid_ech_public_name(str_to_span("example.com")));
2247 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span(".example.com")));
2248 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("example.com.")));
2249 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("example..com")));
2250 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("www.-example.com")));
2251 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("www.example-.com")));
2252 EXPECT_FALSE(
2253 ssl_is_valid_ech_public_name(str_to_span("no_underscores.example")));
2254 EXPECT_FALSE(ssl_is_valid_ech_public_name(
2255 str_to_span("invalid_chars.\x01.example")));
2256 EXPECT_FALSE(ssl_is_valid_ech_public_name(
2257 str_to_span("invalid_chars.\xff.example")));
2258 static const uint8_t kWithNUL[] = {'t', 'e', 's', 't', 0};
2259 EXPECT_FALSE(ssl_is_valid_ech_public_name(kWithNUL));
2260
2261 // Test an LDH label with every character and the maximum length.
2262 EXPECT_TRUE(ssl_is_valid_ech_public_name(str_to_span(
2263 "abcdefhijklmnopqrstuvwxyz-ABCDEFGHIJKLMNOPQRSTUVWXYZ-0123456789")));
2264 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span(
2265 "abcdefhijklmnopqrstuvwxyz-ABCDEFGHIJKLMNOPQRSTUVWXYZ-01234567899")));
2266
2267 // Inputs with trailing numeric components are rejected.
2268 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("127.0.0.1")));
2269 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("example.1")));
2270 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("example.01")));
2271 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("example.0x01")));
2272 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("example.0X01")));
2273 // Leading zeros and values that overflow |uint32_t| are still rejected.
2274 EXPECT_FALSE(ssl_is_valid_ech_public_name(
2275 str_to_span("example.123456789000000000000000")));
2276 EXPECT_FALSE(ssl_is_valid_ech_public_name(
2277 str_to_span("example.012345678900000000000000")));
2278 EXPECT_FALSE(ssl_is_valid_ech_public_name(
2279 str_to_span("example.0x123456789abcdefABCDEF0")));
2280 EXPECT_FALSE(ssl_is_valid_ech_public_name(
2281 str_to_span("example.0x0123456789abcdefABCDEF")));
2282 // Adding a non-digit or non-hex character makes it a valid DNS name again.
2283 // Single-component numbers are rejected.
2284 EXPECT_TRUE(ssl_is_valid_ech_public_name(
2285 str_to_span("example.1234567890a")));
2286 EXPECT_TRUE(ssl_is_valid_ech_public_name(
2287 str_to_span("example.01234567890a")));
2288 EXPECT_TRUE(ssl_is_valid_ech_public_name(
2289 str_to_span("example.0x123456789abcdefg")));
2290 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("1")));
2291 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("01")));
2292 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("0x01")));
2293 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("0X01")));
2294 // Numbers with trailing dots are rejected. (They are already rejected by the
2295 // LDH label rules, but the WHATWG URL parser additionally rejects them.)
2296 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("1.")));
2297 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("01.")));
2298 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("0x01.")));
2299 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("0X01.")));
2300 }
2301
2302 // When using the built-in verifier, test that |SSL_get0_ech_name_override| is
2303 // applied automatically.
TEST(SSLTest,ECHBuiltinVerifier)2304 TEST(SSLTest, ECHBuiltinVerifier) {
2305 // These test certificates generated with the following Go program.
2306 /* clang-format off
2307 func main() {
2308 notBefore := time.Date(2000, time.January, 1, 0, 0, 0, 0, time.UTC)
2309 notAfter := time.Date(2099, time.January, 1, 0, 0, 0, 0, time.UTC)
2310 rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
2311 rootTemplate := &x509.Certificate{
2312 SerialNumber: big.NewInt(1),
2313 Subject: pkix.Name{CommonName: "Test CA"},
2314 NotBefore: notBefore,
2315 NotAfter: notAfter,
2316 BasicConstraintsValid: true,
2317 IsCA: true,
2318 }
2319 rootDER, _ := x509.CreateCertificate(rand.Reader, rootTemplate, rootTemplate, &rootKey.PublicKey, rootKey)
2320 root, _ := x509.ParseCertificate(rootDER)
2321 pem.Encode(os.Stdout, &pem.Block{Type: "CERTIFICATE", Bytes: rootDER})
2322 leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
2323 leafKeyDER, _ := x509.MarshalPKCS8PrivateKey(leafKey)
2324 pem.Encode(os.Stdout, &pem.Block{Type: "PRIVATE KEY", Bytes: leafKeyDER})
2325 for i, name := range []string{"public.example", "secret.example"} {
2326 leafTemplate := &x509.Certificate{
2327 SerialNumber: big.NewInt(int64(i) + 2),
2328 Subject: pkix.Name{CommonName: name},
2329 NotBefore: notBefore,
2330 NotAfter: notAfter,
2331 BasicConstraintsValid: true,
2332 DNSNames: []string{name},
2333 }
2334 leafDER, _ := x509.CreateCertificate(rand.Reader, leafTemplate, root, &leafKey.PublicKey, rootKey)
2335 pem.Encode(os.Stdout, &pem.Block{Type: "CERTIFICATE", Bytes: leafDER})
2336 }
2337 }
2338 clang-format on */
2339 bssl::UniquePtr<X509> root = CertFromPEM(R"(
2340 -----BEGIN CERTIFICATE-----
2341 MIIBRzCB7aADAgECAgEBMAoGCCqGSM49BAMCMBIxEDAOBgNVBAMTB1Rlc3QgQ0Ew
2342 IBcNMDAwMTAxMDAwMDAwWhgPMjA5OTAxMDEwMDAwMDBaMBIxEDAOBgNVBAMTB1Rl
2343 c3QgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAT5JUjrI1DAxSpEl88UkmJw
2344 tAJqxo/YrSFo9V3MkcNkfTixi5p6MUtO8DazhEgekBcd2+tBAWtl7dy0qpvTqx92
2345 ozIwMDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTw6ftkexAI6o4r5FntJIfL
2346 GU5F4zAKBggqhkjOPQQDAgNJADBGAiEAiiNowddQeHZaZFIygwe6RW5/WG4sUXWC
2347 dkyl9CQzRaYCIQCFS1EvwZbZtMny27fYm1eeYciY0TkJTEi34H1KwyzzIA==
2348 -----END CERTIFICATE-----
2349 )");
2350 ASSERT_TRUE(root);
2351 bssl::UniquePtr<EVP_PKEY> leaf_key = KeyFromPEM(R"(
2352 -----BEGIN PRIVATE KEY-----
2353 MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgj5WKHwHnziiyPauf
2354 7QukxTwtTyGZkk8qNdms4puJfxqhRANCAARNrkhxabALDlJrHtvkuDwvCWUF/oVC
2355 hr6PDITHi1lDlJzvVT4aXBH87sH2n2UV5zpx13NHkq1bIC8eRT8eOIe0
2356 -----END PRIVATE KEY-----
2357 )");
2358 ASSERT_TRUE(leaf_key);
2359 bssl::UniquePtr<X509> leaf_public = CertFromPEM(R"(
2360 -----BEGIN CERTIFICATE-----
2361 MIIBaDCCAQ6gAwIBAgIBAjAKBggqhkjOPQQDAjASMRAwDgYDVQQDEwdUZXN0IENB
2362 MCAXDTAwMDEwMTAwMDAwMFoYDzIwOTkwMTAxMDAwMDAwWjAZMRcwFQYDVQQDEw5w
2363 dWJsaWMuZXhhbXBsZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE2uSHFpsAsO
2364 Umse2+S4PC8JZQX+hUKGvo8MhMeLWUOUnO9VPhpcEfzuwfafZRXnOnHXc0eSrVsg
2365 Lx5FPx44h7SjTDBKMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAU8On7ZHsQCOqO
2366 K+RZ7SSHyxlOReMwGQYDVR0RBBIwEIIOcHVibGljLmV4YW1wbGUwCgYIKoZIzj0E
2367 AwIDSAAwRQIhANqZRhDR/+QL05hsWXMYEwaiHifd9iakKoFEhKFchcF3AiBRAeXw
2368 wRGGT6+iPmTYM6N5/IDyAb5B9Ke38O6lLEsUwA==
2369 -----END CERTIFICATE-----
2370 )");
2371 ASSERT_TRUE(leaf_public);
2372 bssl::UniquePtr<X509> leaf_secret = CertFromPEM(R"(
2373 -----BEGIN CERTIFICATE-----
2374 MIIBaTCCAQ6gAwIBAgIBAzAKBggqhkjOPQQDAjASMRAwDgYDVQQDEwdUZXN0IENB
2375 MCAXDTAwMDEwMTAwMDAwMFoYDzIwOTkwMTAxMDAwMDAwWjAZMRcwFQYDVQQDEw5z
2376 ZWNyZXQuZXhhbXBsZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE2uSHFpsAsO
2377 Umse2+S4PC8JZQX+hUKGvo8MhMeLWUOUnO9VPhpcEfzuwfafZRXnOnHXc0eSrVsg
2378 Lx5FPx44h7SjTDBKMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAU8On7ZHsQCOqO
2379 K+RZ7SSHyxlOReMwGQYDVR0RBBIwEIIOc2VjcmV0LmV4YW1wbGUwCgYIKoZIzj0E
2380 AwIDSQAwRgIhAPQdIz1xCFkc9WuSkxOxJDpywZiEp9SnKcxJ9nwrlRp3AiEA+O3+
2381 XRqE7XFhHL+7TNC2a9OOAjQsEF137YPWo+rhgko=
2382 -----END CERTIFICATE-----
2383 )");
2384 ASSERT_TRUE(leaf_secret);
2385
2386 // Use different config IDs so that fuzzer mode, which breaks trial
2387 // decryption, will observe the key mismatch.
2388 bssl::UniquePtr<SSL_ECH_KEYS> keys = MakeTestECHKeys(/*config_id=*/1);
2389 ASSERT_TRUE(keys);
2390 bssl::UniquePtr<SSL_ECH_KEYS> wrong_keys = MakeTestECHKeys(/*config_id=*/2);
2391 ASSERT_TRUE(wrong_keys);
2392 bssl::UniquePtr<SSL_CTX> server_ctx =
2393 CreateContextWithTestCertificate(TLS_method());
2394 ASSERT_TRUE(server_ctx);
2395 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
2396 ASSERT_TRUE(client_ctx);
2397
2398 // Configure the client to verify certificates and expect the secret name.
2399 // This is the name the client is trying to connect to. If ECH is rejected,
2400 // BoringSSL will internally override this setting with the public name.
2401 bssl::UniquePtr<X509_STORE> store(X509_STORE_new());
2402 ASSERT_TRUE(store);
2403 ASSERT_TRUE(X509_STORE_add_cert(store.get(), root.get()));
2404 SSL_CTX_set_cert_store(client_ctx.get(), store.release());
2405 SSL_CTX_set_verify(client_ctx.get(), SSL_VERIFY_PEER, nullptr);
2406 X509_VERIFY_PARAM_set_flags(SSL_CTX_get0_param(client_ctx.get()),
2407 X509_V_FLAG_NO_CHECK_TIME);
2408 static const char kSecretName[] = "secret.example";
2409 ASSERT_TRUE(X509_VERIFY_PARAM_set1_host(SSL_CTX_get0_param(client_ctx.get()),
2410 kSecretName, strlen(kSecretName)));
2411
2412 // For simplicity, we only run through a pair of representative scenarios here
2413 // and rely on runner.go to verify that |SSL_get0_ech_name_override| behaves
2414 // correctly.
2415 for (bool accept_ech : {false, true}) {
2416 SCOPED_TRACE(accept_ech);
2417 for (bool use_leaf_secret : {false, true}) {
2418 SCOPED_TRACE(use_leaf_secret);
2419
2420 // The server will reject ECH when configured with the wrong keys.
2421 ASSERT_TRUE(SSL_CTX_set1_ech_keys(
2422 server_ctx.get(), accept_ech ? keys.get() : wrong_keys.get()));
2423
2424 bssl::UniquePtr<SSL> client, server;
2425 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
2426 server_ctx.get()));
2427 ASSERT_TRUE(InstallECHConfigList(client.get(), keys.get()));
2428
2429 // Configure the server with the selected certificate.
2430 ASSERT_TRUE(SSL_use_certificate(server.get(), use_leaf_secret
2431 ? leaf_secret.get()
2432 : leaf_public.get()));
2433 ASSERT_TRUE(SSL_use_PrivateKey(server.get(), leaf_key.get()));
2434
2435 // The handshake may fail due to name mismatch or ECH reject. We check
2436 // |SSL_get_verify_result| to confirm the handshake got far enough.
2437 CompleteHandshakes(client.get(), server.get());
2438 EXPECT_EQ(accept_ech == use_leaf_secret ? X509_V_OK
2439 : X509_V_ERR_HOSTNAME_MISMATCH,
2440 SSL_get_verify_result(client.get()));
2441 }
2442 }
2443 }
2444
2445 #if defined(OPENSSL_THREADS)
2446 // Test that the server ECH config can be swapped out while the |SSL_CTX| is
2447 // in use on other threads. This test is intended to be run with TSan.
TEST(SSLTest,ECHThreads)2448 TEST(SSLTest, ECHThreads) {
2449 // Generate a pair of ECHConfigs.
2450 bssl::ScopedEVP_HPKE_KEY key1;
2451 ASSERT_TRUE(EVP_HPKE_KEY_generate(key1.get(), EVP_hpke_x25519_hkdf_sha256()));
2452 uint8_t *ech_config1;
2453 size_t ech_config1_len;
2454 ASSERT_TRUE(SSL_marshal_ech_config(&ech_config1, &ech_config1_len,
2455 /*config_id=*/1, key1.get(),
2456 "public.example", 16));
2457 bssl::UniquePtr<uint8_t> free_ech_config1(ech_config1);
2458 bssl::ScopedEVP_HPKE_KEY key2;
2459 ASSERT_TRUE(EVP_HPKE_KEY_generate(key2.get(), EVP_hpke_x25519_hkdf_sha256()));
2460 uint8_t *ech_config2;
2461 size_t ech_config2_len;
2462 ASSERT_TRUE(SSL_marshal_ech_config(&ech_config2, &ech_config2_len,
2463 /*config_id=*/2, key2.get(),
2464 "public.example", 16));
2465 bssl::UniquePtr<uint8_t> free_ech_config2(ech_config2);
2466
2467 // |keys1| contains the first config. |keys12| contains both.
2468 bssl::UniquePtr<SSL_ECH_KEYS> keys1(SSL_ECH_KEYS_new());
2469 ASSERT_TRUE(keys1);
2470 ASSERT_TRUE(SSL_ECH_KEYS_add(keys1.get(), /*is_retry_config=*/1, ech_config1,
2471 ech_config1_len, key1.get()));
2472 bssl::UniquePtr<SSL_ECH_KEYS> keys12(SSL_ECH_KEYS_new());
2473 ASSERT_TRUE(keys12);
2474 ASSERT_TRUE(SSL_ECH_KEYS_add(keys12.get(), /*is_retry_config=*/1, ech_config2,
2475 ech_config2_len, key2.get()));
2476 ASSERT_TRUE(SSL_ECH_KEYS_add(keys12.get(), /*is_retry_config=*/0, ech_config1,
2477 ech_config1_len, key1.get()));
2478
2479 bssl::UniquePtr<SSL_CTX> server_ctx =
2480 CreateContextWithTestCertificate(TLS_method());
2481 ASSERT_TRUE(server_ctx);
2482 ASSERT_TRUE(SSL_CTX_set1_ech_keys(server_ctx.get(), keys1.get()));
2483
2484 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
2485 ASSERT_TRUE(client_ctx);
2486 bssl::UniquePtr<SSL> client, server;
2487 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
2488 server_ctx.get()));
2489 ASSERT_TRUE(InstallECHConfigList(client.get(), keys1.get()));
2490
2491 // In parallel, complete the connection and reconfigure the ECHConfig. Note
2492 // |keys12| supports all the keys in |keys1|, so the handshake should complete
2493 // the same whichever the server uses.
2494 std::vector<std::thread> threads;
2495 threads.emplace_back([&] {
2496 ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
2497 EXPECT_TRUE(SSL_ech_accepted(client.get()));
2498 EXPECT_TRUE(SSL_ech_accepted(server.get()));
2499 });
2500 threads.emplace_back([&] {
2501 EXPECT_TRUE(SSL_CTX_set1_ech_keys(server_ctx.get(), keys12.get()));
2502 });
2503 for (auto &thread : threads) {
2504 thread.join();
2505 }
2506 }
2507 #endif // OPENSSL_THREADS
2508
TEST(SSLTest,TLS13ExporterAvailability)2509 TEST(SSLTest, TLS13ExporterAvailability) {
2510 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
2511 bssl::UniquePtr<SSL_CTX> server_ctx =
2512 CreateContextWithTestCertificate(TLS_method());
2513 ASSERT_TRUE(client_ctx);
2514 ASSERT_TRUE(server_ctx);
2515 // Configure only TLS 1.3.
2516 ASSERT_TRUE(SSL_CTX_set_min_proto_version(client_ctx.get(), TLS1_3_VERSION));
2517 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION));
2518
2519 bssl::UniquePtr<SSL> client, server;
2520 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
2521 server_ctx.get()));
2522
2523 std::vector<uint8_t> buffer(32);
2524 const char *label = "EXPORTER-test-label";
2525
2526 // The exporters are not available before the handshake starts.
2527 EXPECT_FALSE(SSL_export_keying_material(client.get(), buffer.data(),
2528 buffer.size(), label, strlen(label),
2529 nullptr, 0, 0));
2530 EXPECT_FALSE(SSL_export_keying_material(server.get(), buffer.data(),
2531 buffer.size(), label, strlen(label),
2532 nullptr, 0, 0));
2533
2534 // Send the client's first flight of handshake messages.
2535 int client_ret = SSL_do_handshake(client.get());
2536 EXPECT_EQ(SSL_get_error(client.get(), client_ret), SSL_ERROR_WANT_READ);
2537
2538 // The handshake isn't far enough for the exporters to work.
2539 EXPECT_FALSE(SSL_export_keying_material(client.get(), buffer.data(),
2540 buffer.size(), label, strlen(label),
2541 nullptr, 0, 0));
2542 EXPECT_FALSE(SSL_export_keying_material(server.get(), buffer.data(),
2543 buffer.size(), label, strlen(label),
2544 nullptr, 0, 0));
2545
2546 // Send all the server's handshake messages.
2547 int server_ret = SSL_do_handshake(server.get());
2548 EXPECT_EQ(SSL_get_error(server.get(), server_ret), SSL_ERROR_WANT_READ);
2549
2550 // At this point in the handshake, the server should have the exporter key
2551 // derived since it's sent its Finished message. The client hasn't yet
2552 // processed the server's handshake messages, so the exporter shouldn't be
2553 // available to the client.
2554 EXPECT_FALSE(SSL_export_keying_material(client.get(), buffer.data(),
2555 buffer.size(), label, strlen(label),
2556 nullptr, 0, 0));
2557 EXPECT_TRUE(SSL_export_keying_material(server.get(), buffer.data(),
2558 buffer.size(), label, strlen(label),
2559 nullptr, 0, 0));
2560
2561 // Finish the handshake on the client.
2562 EXPECT_EQ(SSL_do_handshake(client.get()), 1);
2563
2564 // The exporter should be available on both endpoints.
2565 EXPECT_TRUE(SSL_export_keying_material(client.get(), buffer.data(),
2566 buffer.size(), label, strlen(label),
2567 nullptr, 0, 0));
2568 EXPECT_TRUE(SSL_export_keying_material(server.get(), buffer.data(),
2569 buffer.size(), label, strlen(label),
2570 nullptr, 0, 0));
2571
2572 // Finish the handshake on the server.
2573 EXPECT_EQ(SSL_do_handshake(server.get()), 1);
2574
2575 // The exporter should still be available on both endpoints.
2576 EXPECT_TRUE(SSL_export_keying_material(client.get(), buffer.data(),
2577 buffer.size(), label, strlen(label),
2578 nullptr, 0, 0));
2579 EXPECT_TRUE(SSL_export_keying_material(server.get(), buffer.data(),
2580 buffer.size(), label, strlen(label),
2581 nullptr, 0, 0));
2582 }
2583
AppendSession(SSL_SESSION * session,void * arg)2584 static void AppendSession(SSL_SESSION *session, void *arg) {
2585 std::vector<SSL_SESSION*> *out =
2586 reinterpret_cast<std::vector<SSL_SESSION*>*>(arg);
2587 out->push_back(session);
2588 }
2589
2590 // CacheEquals returns true if |ctx|'s session cache consists of |expected|, in
2591 // order.
CacheEquals(SSL_CTX * ctx,const std::vector<SSL_SESSION * > & expected)2592 static bool CacheEquals(SSL_CTX *ctx,
2593 const std::vector<SSL_SESSION*> &expected) {
2594 // Check the linked list.
2595 SSL_SESSION *ptr = ctx->session_cache_head;
2596 for (SSL_SESSION *session : expected) {
2597 if (ptr != session) {
2598 return false;
2599 }
2600 // TODO(davidben): This is an absurd way to denote the end of the list.
2601 if (ptr->next ==
2602 reinterpret_cast<SSL_SESSION *>(&ctx->session_cache_tail)) {
2603 ptr = nullptr;
2604 } else {
2605 ptr = ptr->next;
2606 }
2607 }
2608 if (ptr != nullptr) {
2609 return false;
2610 }
2611
2612 // Check the hash table.
2613 std::vector<SSL_SESSION*> actual, expected_copy;
2614 lh_SSL_SESSION_doall_arg(ctx->sessions, AppendSession, &actual);
2615 expected_copy = expected;
2616
2617 std::sort(actual.begin(), actual.end());
2618 std::sort(expected_copy.begin(), expected_copy.end());
2619
2620 return actual == expected_copy;
2621 }
2622
CreateTestSession(uint32_t number)2623 static bssl::UniquePtr<SSL_SESSION> CreateTestSession(uint32_t number) {
2624 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
2625 if (!ssl_ctx) {
2626 return nullptr;
2627 }
2628 bssl::UniquePtr<SSL_SESSION> ret(SSL_SESSION_new(ssl_ctx.get()));
2629 if (!ret) {
2630 return nullptr;
2631 }
2632
2633 uint8_t id[SSL3_SSL_SESSION_ID_LENGTH] = {0};
2634 OPENSSL_memcpy(id, &number, sizeof(number));
2635 if (!SSL_SESSION_set1_id(ret.get(), id, sizeof(id))) {
2636 return nullptr;
2637 }
2638 return ret;
2639 }
2640
2641 // Test that the internal session cache behaves as expected.
TEST(SSLTest,InternalSessionCache)2642 TEST(SSLTest, InternalSessionCache) {
2643 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
2644 ASSERT_TRUE(ctx);
2645
2646 // Prepare 10 test sessions.
2647 std::vector<bssl::UniquePtr<SSL_SESSION>> sessions;
2648 for (int i = 0; i < 10; i++) {
2649 bssl::UniquePtr<SSL_SESSION> session = CreateTestSession(i);
2650 ASSERT_TRUE(session);
2651 sessions.push_back(std::move(session));
2652 }
2653
2654 SSL_CTX_sess_set_cache_size(ctx.get(), 5);
2655
2656 // Insert all the test sessions.
2657 for (const auto &session : sessions) {
2658 ASSERT_TRUE(SSL_CTX_add_session(ctx.get(), session.get()));
2659 }
2660
2661 // Only the last five should be in the list.
2662 ASSERT_TRUE(CacheEquals(
2663 ctx.get(), {sessions[9].get(), sessions[8].get(), sessions[7].get(),
2664 sessions[6].get(), sessions[5].get()}));
2665
2666 // Inserting an element already in the cache should fail and leave the cache
2667 // unchanged.
2668 ASSERT_FALSE(SSL_CTX_add_session(ctx.get(), sessions[7].get()));
2669 ASSERT_TRUE(CacheEquals(
2670 ctx.get(), {sessions[9].get(), sessions[8].get(), sessions[7].get(),
2671 sessions[6].get(), sessions[5].get()}));
2672
2673 // Although collisions should be impossible (256-bit session IDs), the cache
2674 // must handle them gracefully.
2675 bssl::UniquePtr<SSL_SESSION> collision(CreateTestSession(7));
2676 ASSERT_TRUE(collision);
2677 ASSERT_TRUE(SSL_CTX_add_session(ctx.get(), collision.get()));
2678 ASSERT_TRUE(CacheEquals(
2679 ctx.get(), {collision.get(), sessions[9].get(), sessions[8].get(),
2680 sessions[6].get(), sessions[5].get()}));
2681
2682 // Removing sessions behaves correctly.
2683 ASSERT_TRUE(SSL_CTX_remove_session(ctx.get(), sessions[6].get()));
2684 ASSERT_TRUE(CacheEquals(ctx.get(), {collision.get(), sessions[9].get(),
2685 sessions[8].get(), sessions[5].get()}));
2686
2687 // Removing sessions requires an exact match.
2688 ASSERT_FALSE(SSL_CTX_remove_session(ctx.get(), sessions[0].get()));
2689 ASSERT_FALSE(SSL_CTX_remove_session(ctx.get(), sessions[7].get()));
2690
2691 // The cache remains unchanged.
2692 ASSERT_TRUE(CacheEquals(ctx.get(), {collision.get(), sessions[9].get(),
2693 sessions[8].get(), sessions[5].get()}));
2694 }
2695
EpochFromSequence(uint64_t seq)2696 static uint16_t EpochFromSequence(uint64_t seq) {
2697 return static_cast<uint16_t>(seq >> 48);
2698 }
2699
2700 static const uint8_t kTestName[] = {
2701 0x30, 0x45, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
2702 0x02, 0x41, 0x55, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
2703 0x0c, 0x0a, 0x53, 0x6f, 0x6d, 0x65, 0x2d, 0x53, 0x74, 0x61, 0x74, 0x65,
2704 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x18, 0x49,
2705 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x20, 0x57, 0x69, 0x64, 0x67,
2706 0x69, 0x74, 0x73, 0x20, 0x50, 0x74, 0x79, 0x20, 0x4c, 0x74, 0x64,
2707 };
2708
2709 // SSLVersionTest executes its test cases under all available protocol versions.
2710 // Test cases call |Connect| to create a connection using context objects with
2711 // the protocol version fixed to the current version under test.
2712 class SSLVersionTest : public ::testing::TestWithParam<VersionParam> {
2713 protected:
SSLVersionTest()2714 SSLVersionTest() : cert_(GetTestCertificate()), key_(GetTestKey()) {}
2715
SetUp()2716 void SetUp() { ResetContexts(); }
2717
CreateContext() const2718 bssl::UniquePtr<SSL_CTX> CreateContext() const {
2719 const SSL_METHOD *method = is_dtls() ? DTLS_method() : TLS_method();
2720 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method));
2721 if (!ctx || !SSL_CTX_set_min_proto_version(ctx.get(), version()) ||
2722 !SSL_CTX_set_max_proto_version(ctx.get(), version())) {
2723 return nullptr;
2724 }
2725 return ctx;
2726 }
2727
ResetContexts()2728 void ResetContexts() {
2729 ASSERT_TRUE(cert_);
2730 ASSERT_TRUE(key_);
2731 client_ctx_ = CreateContext();
2732 ASSERT_TRUE(client_ctx_);
2733 server_ctx_ = CreateContext();
2734 ASSERT_TRUE(server_ctx_);
2735 // Set up a server cert. Client certs can be set up explicitly.
2736 ASSERT_TRUE(UseCertAndKey(server_ctx_.get()));
2737 }
2738
UseCertAndKey(SSL_CTX * ctx) const2739 bool UseCertAndKey(SSL_CTX *ctx) const {
2740 return SSL_CTX_use_certificate(ctx, cert_.get()) &&
2741 SSL_CTX_use_PrivateKey(ctx, key_.get());
2742 }
2743
Connect(const ClientConfig & config=ClientConfig ())2744 bool Connect(const ClientConfig &config = ClientConfig()) {
2745 return ConnectClientAndServer(&client_, &server_, client_ctx_.get(),
2746 server_ctx_.get(), config,
2747 shed_handshake_config_);
2748 }
2749
version() const2750 uint16_t version() const { return GetParam().version; }
2751
is_dtls() const2752 bool is_dtls() const {
2753 return GetParam().ssl_method == VersionParam::is_dtls;
2754 }
2755
2756 bool shed_handshake_config_ = true;
2757 bssl::UniquePtr<SSL> client_, server_;
2758 bssl::UniquePtr<SSL_CTX> server_ctx_, client_ctx_;
2759 bssl::UniquePtr<X509> cert_;
2760 bssl::UniquePtr<EVP_PKEY> key_;
2761 };
2762
2763 INSTANTIATE_TEST_SUITE_P(WithVersion, SSLVersionTest,
2764 testing::ValuesIn(kAllVersions),
__anone965bbb70a02(const testing::TestParamInfo<VersionParam> &i) 2765 [](const testing::TestParamInfo<VersionParam> &i) {
2766 return i.param.name;
2767 });
2768
TEST_P(SSLVersionTest,SequenceNumber)2769 TEST_P(SSLVersionTest, SequenceNumber) {
2770 ASSERT_TRUE(Connect());
2771
2772 // Drain any post-handshake messages to ensure there are no unread records
2773 // on either end.
2774 ASSERT_TRUE(FlushNewSessionTickets(client_.get(), server_.get()));
2775
2776 uint64_t client_read_seq = SSL_get_read_sequence(client_.get());
2777 uint64_t client_write_seq = SSL_get_write_sequence(client_.get());
2778 uint64_t server_read_seq = SSL_get_read_sequence(server_.get());
2779 uint64_t server_write_seq = SSL_get_write_sequence(server_.get());
2780
2781 if (is_dtls()) {
2782 // Both client and server must be at epoch 1.
2783 EXPECT_EQ(EpochFromSequence(client_read_seq), 1);
2784 EXPECT_EQ(EpochFromSequence(client_write_seq), 1);
2785 EXPECT_EQ(EpochFromSequence(server_read_seq), 1);
2786 EXPECT_EQ(EpochFromSequence(server_write_seq), 1);
2787
2788 // The next record to be written should exceed the largest received.
2789 EXPECT_GT(client_write_seq, server_read_seq);
2790 EXPECT_GT(server_write_seq, client_read_seq);
2791 } else {
2792 // The next record to be written should equal the next to be received.
2793 EXPECT_EQ(client_write_seq, server_read_seq);
2794 EXPECT_EQ(server_write_seq, client_read_seq);
2795 }
2796
2797 // Send a record from client to server.
2798 uint8_t byte = 0;
2799 EXPECT_EQ(SSL_write(client_.get(), &byte, 1), 1);
2800 EXPECT_EQ(SSL_read(server_.get(), &byte, 1), 1);
2801
2802 // The client write and server read sequence numbers should have
2803 // incremented.
2804 EXPECT_EQ(client_write_seq + 1, SSL_get_write_sequence(client_.get()));
2805 EXPECT_EQ(server_read_seq + 1, SSL_get_read_sequence(server_.get()));
2806 }
2807
TEST_P(SSLVersionTest,OneSidedShutdown)2808 TEST_P(SSLVersionTest, OneSidedShutdown) {
2809 // SSL_shutdown is a no-op in DTLS.
2810 if (is_dtls()) {
2811 return;
2812 }
2813 ASSERT_TRUE(Connect());
2814
2815 // Shut down half the connection. |SSL_shutdown| will return 0 to signal only
2816 // one side has shut down.
2817 ASSERT_EQ(SSL_shutdown(client_.get()), 0);
2818
2819 // Reading from the server should consume the EOF.
2820 uint8_t byte;
2821 ASSERT_EQ(SSL_read(server_.get(), &byte, 1), 0);
2822 ASSERT_EQ(SSL_get_error(server_.get(), 0), SSL_ERROR_ZERO_RETURN);
2823
2824 // However, the server may continue to write data and then shut down the
2825 // connection.
2826 byte = 42;
2827 ASSERT_EQ(SSL_write(server_.get(), &byte, 1), 1);
2828 ASSERT_EQ(SSL_read(client_.get(), &byte, 1), 1);
2829 ASSERT_EQ(byte, 42);
2830
2831 // The server may then shutdown the connection.
2832 EXPECT_EQ(SSL_shutdown(server_.get()), 1);
2833 EXPECT_EQ(SSL_shutdown(client_.get()), 1);
2834 }
2835
2836 // Test that, after calling |SSL_shutdown|, |SSL_write| fails.
TEST_P(SSLVersionTest,WriteAfterShutdown)2837 TEST_P(SSLVersionTest, WriteAfterShutdown) {
2838 ASSERT_TRUE(Connect());
2839
2840 for (SSL *ssl : {client_.get(), server_.get()}) {
2841 SCOPED_TRACE(SSL_is_server(ssl) ? "server" : "client");
2842
2843 bssl::UniquePtr<BIO> mem(BIO_new(BIO_s_mem()));
2844 ASSERT_TRUE(mem);
2845 SSL_set0_wbio(ssl, bssl::UpRef(mem).release());
2846
2847 // Shut down half the connection. |SSL_shutdown| will return 0 to signal
2848 // only one side has shut down.
2849 ASSERT_EQ(SSL_shutdown(ssl), 0);
2850
2851 // |ssl| should have written an alert to the transport.
2852 const uint8_t *unused;
2853 size_t len;
2854 ASSERT_TRUE(BIO_mem_contents(mem.get(), &unused, &len));
2855 EXPECT_NE(0u, len);
2856 EXPECT_TRUE(BIO_reset(mem.get()));
2857
2858 // Writing should fail.
2859 EXPECT_EQ(-1, SSL_write(ssl, "a", 1));
2860
2861 // Nothing should be written to the transport.
2862 ASSERT_TRUE(BIO_mem_contents(mem.get(), &unused, &len));
2863 EXPECT_EQ(0u, len);
2864 }
2865 }
2866
2867 // Test that, after sending a fatal alert in a failed |SSL_read|, |SSL_write|
2868 // fails.
TEST_P(SSLVersionTest,WriteAfterReadSentFatalAlert)2869 TEST_P(SSLVersionTest, WriteAfterReadSentFatalAlert) {
2870 // Decryption failures are not fatal in DTLS.
2871 if (is_dtls()) {
2872 return;
2873 }
2874
2875 ASSERT_TRUE(Connect());
2876
2877 // Save the write |BIO|s as the test will overwrite them.
2878 bssl::UniquePtr<BIO> client_wbio = bssl::UpRef(SSL_get_wbio(client_.get()));
2879 bssl::UniquePtr<BIO> server_wbio = bssl::UpRef(SSL_get_wbio(server_.get()));
2880
2881 for (bool test_server : {false, true}) {
2882 SCOPED_TRACE(test_server ? "server" : "client");
2883 SSL *ssl = test_server ? server_.get() : client_.get();
2884 BIO *other_wbio = test_server ? client_wbio.get() : server_wbio.get();
2885
2886 bssl::UniquePtr<BIO> mem(BIO_new(BIO_s_mem()));
2887 ASSERT_TRUE(mem);
2888 SSL_set0_wbio(ssl, bssl::UpRef(mem).release());
2889
2890 // Read an invalid record from the peer.
2891 static const uint8_t kInvalidRecord[] = "invalid record";
2892 EXPECT_EQ(int{sizeof(kInvalidRecord)},
2893 BIO_write(other_wbio, kInvalidRecord, sizeof(kInvalidRecord)));
2894 char buf[256];
2895 EXPECT_EQ(-1, SSL_read(ssl, buf, sizeof(buf)));
2896
2897 // |ssl| should have written an alert to the transport.
2898 const uint8_t *unused;
2899 size_t len;
2900 ASSERT_TRUE(BIO_mem_contents(mem.get(), &unused, &len));
2901 EXPECT_NE(0u, len);
2902 EXPECT_TRUE(BIO_reset(mem.get()));
2903
2904 // Writing should fail.
2905 EXPECT_EQ(-1, SSL_write(ssl, "a", 1));
2906
2907 // Nothing should be written to the transport.
2908 ASSERT_TRUE(BIO_mem_contents(mem.get(), &unused, &len));
2909 EXPECT_EQ(0u, len);
2910 }
2911 }
2912
2913 // Test that, after sending a fatal alert from the handshake, |SSL_write| fails.
TEST_P(SSLVersionTest,WriteAfterHandshakeSentFatalAlert)2914 TEST_P(SSLVersionTest, WriteAfterHandshakeSentFatalAlert) {
2915 for (bool test_server : {false, true}) {
2916 SCOPED_TRACE(test_server ? "server" : "client");
2917
2918 bssl::UniquePtr<SSL> ssl(
2919 SSL_new(test_server ? server_ctx_.get() : client_ctx_.get()));
2920 ASSERT_TRUE(ssl);
2921 if (test_server) {
2922 SSL_set_accept_state(ssl.get());
2923 } else {
2924 SSL_set_connect_state(ssl.get());
2925 }
2926
2927 std::vector<uint8_t> invalid;
2928 if (is_dtls()) {
2929 // In DTLS, invalid records are discarded. To cause the handshake to fail,
2930 // use a valid handshake record with invalid contents.
2931 invalid.push_back(SSL3_RT_HANDSHAKE);
2932 invalid.push_back(DTLS1_VERSION >> 8);
2933 invalid.push_back(DTLS1_VERSION & 0xff);
2934 // epoch and sequence_number
2935 for (int i = 0; i < 8; i++) {
2936 invalid.push_back(0);
2937 }
2938 // A one-byte fragment is invalid.
2939 invalid.push_back(0);
2940 invalid.push_back(1);
2941 // Arbitrary contents.
2942 invalid.push_back(0);
2943 } else {
2944 invalid = {'i', 'n', 'v', 'a', 'l', 'i', 'd'};
2945 }
2946 bssl::UniquePtr<BIO> rbio(
2947 BIO_new_mem_buf(invalid.data(), invalid.size()));
2948 ASSERT_TRUE(rbio);
2949 SSL_set0_rbio(ssl.get(), rbio.release());
2950
2951 bssl::UniquePtr<BIO> mem(BIO_new(BIO_s_mem()));
2952 ASSERT_TRUE(mem);
2953 SSL_set0_wbio(ssl.get(), bssl::UpRef(mem).release());
2954
2955 // The handshake should fail.
2956 EXPECT_EQ(-1, SSL_do_handshake(ssl.get()));
2957 EXPECT_EQ(SSL_ERROR_SSL, SSL_get_error(ssl.get(), -1));
2958 uint32_t err = ERR_get_error();
2959
2960 // |ssl| should have written an alert (and, in the client's case, a
2961 // ClientHello) to the transport.
2962 const uint8_t *unused;
2963 size_t len;
2964 ASSERT_TRUE(BIO_mem_contents(mem.get(), &unused, &len));
2965 EXPECT_NE(0u, len);
2966 EXPECT_TRUE(BIO_reset(mem.get()));
2967
2968 // Writing should fail, with the same error as the handshake.
2969 EXPECT_EQ(-1, SSL_write(ssl.get(), "a", 1));
2970 EXPECT_EQ(SSL_ERROR_SSL, SSL_get_error(ssl.get(), -1));
2971 EXPECT_EQ(err, ERR_get_error());
2972
2973 // Nothing should be written to the transport.
2974 ASSERT_TRUE(BIO_mem_contents(mem.get(), &unused, &len));
2975 EXPECT_EQ(0u, len);
2976 }
2977 }
2978
2979 // Test that, after seeing TLS 1.2 in response to early data, |SSL_write|
2980 // continues to report |SSL_R_WRONG_VERSION_ON_EARLY_DATA|. See
2981 // https://crbug.com/1078515.
TEST(SSLTest,WriteAfterWrongVersionOnEarlyData)2982 TEST(SSLTest, WriteAfterWrongVersionOnEarlyData) {
2983 // Set up some 0-RTT-enabled contexts.
2984 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
2985 bssl::UniquePtr<SSL_CTX> server_ctx =
2986 CreateContextWithTestCertificate(TLS_method());
2987 ASSERT_TRUE(client_ctx);
2988 ASSERT_TRUE(server_ctx);
2989 SSL_CTX_set_early_data_enabled(client_ctx.get(), 1);
2990 SSL_CTX_set_early_data_enabled(server_ctx.get(), 1);
2991 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
2992 SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH);
2993
2994 // Get an early-data-capable session.
2995 bssl::UniquePtr<SSL_SESSION> session =
2996 CreateClientSession(client_ctx.get(), server_ctx.get());
2997 ASSERT_TRUE(session);
2998 EXPECT_TRUE(SSL_SESSION_early_data_capable(session.get()));
2999
3000 // Offer the session to the server, but now the server speaks TLS 1.2.
3001 bssl::UniquePtr<SSL> client, server;
3002 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
3003 server_ctx.get()));
3004 SSL_set_session(client.get(), session.get());
3005 EXPECT_TRUE(SSL_set_max_proto_version(server.get(), TLS1_2_VERSION));
3006
3007 // The client handshake initially succeeds in the early data state.
3008 EXPECT_EQ(1, SSL_do_handshake(client.get()));
3009 EXPECT_TRUE(SSL_in_early_data(client.get()));
3010
3011 // The server processes the ClientHello and negotiates TLS 1.2.
3012 EXPECT_EQ(-1, SSL_do_handshake(server.get()));
3013 EXPECT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(server.get(), -1));
3014 EXPECT_EQ(TLS1_2_VERSION, SSL_version(server.get()));
3015
3016 // Capture the client's output.
3017 bssl::UniquePtr<BIO> mem(BIO_new(BIO_s_mem()));
3018 ASSERT_TRUE(mem);
3019 SSL_set0_wbio(client.get(), bssl::UpRef(mem).release());
3020
3021 // The client processes the ServerHello and fails.
3022 EXPECT_EQ(-1, SSL_do_handshake(client.get()));
3023 EXPECT_EQ(SSL_ERROR_SSL, SSL_get_error(client.get(), -1));
3024 uint32_t err = ERR_get_error();
3025 EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err));
3026 EXPECT_EQ(SSL_R_WRONG_VERSION_ON_EARLY_DATA, ERR_GET_REASON(err));
3027
3028 // The client should have written an alert to the transport.
3029 const uint8_t *unused;
3030 size_t len;
3031 ASSERT_TRUE(BIO_mem_contents(mem.get(), &unused, &len));
3032 EXPECT_NE(0u, len);
3033 EXPECT_TRUE(BIO_reset(mem.get()));
3034
3035 // Writing should fail, with the same error as the handshake.
3036 EXPECT_EQ(-1, SSL_write(client.get(), "a", 1));
3037 EXPECT_EQ(SSL_ERROR_SSL, SSL_get_error(client.get(), -1));
3038 err = ERR_get_error();
3039 EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err));
3040 EXPECT_EQ(SSL_R_WRONG_VERSION_ON_EARLY_DATA, ERR_GET_REASON(err));
3041
3042 // Nothing should be written to the transport.
3043 ASSERT_TRUE(BIO_mem_contents(mem.get(), &unused, &len));
3044 EXPECT_EQ(0u, len);
3045 }
3046
TEST(SSLTest,SessionDuplication)3047 TEST(SSLTest, SessionDuplication) {
3048 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
3049 bssl::UniquePtr<SSL_CTX> server_ctx =
3050 CreateContextWithTestCertificate(TLS_method());
3051 ASSERT_TRUE(client_ctx);
3052 ASSERT_TRUE(server_ctx);
3053
3054 bssl::UniquePtr<SSL> client, server;
3055 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
3056 server_ctx.get()));
3057
3058 SSL_SESSION *session0 = SSL_get_session(client.get());
3059 bssl::UniquePtr<SSL_SESSION> session1 =
3060 bssl::SSL_SESSION_dup(session0, SSL_SESSION_DUP_ALL);
3061 ASSERT_TRUE(session1);
3062
3063 session1->not_resumable = false;
3064
3065 uint8_t *s0_bytes, *s1_bytes;
3066 size_t s0_len, s1_len;
3067
3068 ASSERT_TRUE(SSL_SESSION_to_bytes(session0, &s0_bytes, &s0_len));
3069 bssl::UniquePtr<uint8_t> free_s0(s0_bytes);
3070
3071 ASSERT_TRUE(SSL_SESSION_to_bytes(session1.get(), &s1_bytes, &s1_len));
3072 bssl::UniquePtr<uint8_t> free_s1(s1_bytes);
3073
3074 EXPECT_EQ(Bytes(s0_bytes, s0_len), Bytes(s1_bytes, s1_len));
3075 }
3076
ExpectFDs(const SSL * ssl,int rfd,int wfd)3077 static void ExpectFDs(const SSL *ssl, int rfd, int wfd) {
3078 EXPECT_EQ(rfd, SSL_get_fd(ssl));
3079 EXPECT_EQ(rfd, SSL_get_rfd(ssl));
3080 EXPECT_EQ(wfd, SSL_get_wfd(ssl));
3081
3082 // The wrapper BIOs are always equal when fds are equal, even if set
3083 // individually.
3084 if (rfd == wfd) {
3085 EXPECT_EQ(SSL_get_rbio(ssl), SSL_get_wbio(ssl));
3086 }
3087 }
3088
TEST(SSLTest,SetFD)3089 TEST(SSLTest, SetFD) {
3090 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
3091 ASSERT_TRUE(ctx);
3092
3093 // Test setting different read and write FDs.
3094 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
3095 ASSERT_TRUE(ssl);
3096 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
3097 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 2));
3098 ExpectFDs(ssl.get(), 1, 2);
3099
3100 // Test setting the same FD.
3101 ssl.reset(SSL_new(ctx.get()));
3102 ASSERT_TRUE(ssl);
3103 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
3104 ExpectFDs(ssl.get(), 1, 1);
3105
3106 // Test setting the same FD one side at a time.
3107 ssl.reset(SSL_new(ctx.get()));
3108 ASSERT_TRUE(ssl);
3109 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
3110 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 1));
3111 ExpectFDs(ssl.get(), 1, 1);
3112
3113 // Test setting the same FD in the other order.
3114 ssl.reset(SSL_new(ctx.get()));
3115 ASSERT_TRUE(ssl);
3116 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 1));
3117 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
3118 ExpectFDs(ssl.get(), 1, 1);
3119
3120 // Test changing the read FD partway through.
3121 ssl.reset(SSL_new(ctx.get()));
3122 ASSERT_TRUE(ssl);
3123 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
3124 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 2));
3125 ExpectFDs(ssl.get(), 2, 1);
3126
3127 // Test changing the write FD partway through.
3128 ssl.reset(SSL_new(ctx.get()));
3129 ASSERT_TRUE(ssl);
3130 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
3131 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 2));
3132 ExpectFDs(ssl.get(), 1, 2);
3133
3134 // Test a no-op change to the read FD partway through.
3135 ssl.reset(SSL_new(ctx.get()));
3136 ASSERT_TRUE(ssl);
3137 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
3138 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
3139 ExpectFDs(ssl.get(), 1, 1);
3140
3141 // Test a no-op change to the write FD partway through.
3142 ssl.reset(SSL_new(ctx.get()));
3143 ASSERT_TRUE(ssl);
3144 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
3145 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 1));
3146 ExpectFDs(ssl.get(), 1, 1);
3147
3148 // ASan builds will implicitly test that the internal |BIO| reference-counting
3149 // is correct.
3150 }
3151
TEST(SSLTest,SetBIO)3152 TEST(SSLTest, SetBIO) {
3153 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
3154 ASSERT_TRUE(ctx);
3155
3156 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
3157 bssl::UniquePtr<BIO> bio1(BIO_new(BIO_s_mem())), bio2(BIO_new(BIO_s_mem())),
3158 bio3(BIO_new(BIO_s_mem()));
3159 ASSERT_TRUE(ssl);
3160 ASSERT_TRUE(bio1);
3161 ASSERT_TRUE(bio2);
3162 ASSERT_TRUE(bio3);
3163
3164 // SSL_set_bio takes one reference when the parameters are the same.
3165 BIO_up_ref(bio1.get());
3166 SSL_set_bio(ssl.get(), bio1.get(), bio1.get());
3167
3168 // Repeating the call does nothing.
3169 SSL_set_bio(ssl.get(), bio1.get(), bio1.get());
3170
3171 // It takes one reference each when the parameters are different.
3172 BIO_up_ref(bio2.get());
3173 BIO_up_ref(bio3.get());
3174 SSL_set_bio(ssl.get(), bio2.get(), bio3.get());
3175
3176 // Repeating the call does nothing.
3177 SSL_set_bio(ssl.get(), bio2.get(), bio3.get());
3178
3179 // It takes one reference when changing only wbio.
3180 BIO_up_ref(bio1.get());
3181 SSL_set_bio(ssl.get(), bio2.get(), bio1.get());
3182
3183 // It takes one reference when changing only rbio and the two are different.
3184 BIO_up_ref(bio3.get());
3185 SSL_set_bio(ssl.get(), bio3.get(), bio1.get());
3186
3187 // If setting wbio to rbio, it takes no additional references.
3188 SSL_set_bio(ssl.get(), bio3.get(), bio3.get());
3189
3190 // From there, wbio may be switched to something else.
3191 BIO_up_ref(bio1.get());
3192 SSL_set_bio(ssl.get(), bio3.get(), bio1.get());
3193
3194 // If setting rbio to wbio, it takes no additional references.
3195 SSL_set_bio(ssl.get(), bio1.get(), bio1.get());
3196
3197 // From there, rbio may be switched to something else, but, for historical
3198 // reasons, it takes a reference to both parameters.
3199 BIO_up_ref(bio1.get());
3200 BIO_up_ref(bio2.get());
3201 SSL_set_bio(ssl.get(), bio2.get(), bio1.get());
3202
3203 // ASAN builds will implicitly test that the internal |BIO| reference-counting
3204 // is correct.
3205 }
3206
VerifySucceed(X509_STORE_CTX * store_ctx,void * arg)3207 static int VerifySucceed(X509_STORE_CTX *store_ctx, void *arg) { return 1; }
3208
TEST_P(SSLVersionTest,GetPeerCertificate)3209 TEST_P(SSLVersionTest, GetPeerCertificate) {
3210 ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
3211
3212 // Configure both client and server to accept any certificate.
3213 SSL_CTX_set_verify(client_ctx_.get(),
3214 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
3215 nullptr);
3216 SSL_CTX_set_cert_verify_callback(client_ctx_.get(), VerifySucceed, NULL);
3217 SSL_CTX_set_verify(server_ctx_.get(),
3218 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
3219 nullptr);
3220 SSL_CTX_set_cert_verify_callback(server_ctx_.get(), VerifySucceed, NULL);
3221
3222 ASSERT_TRUE(Connect());
3223
3224 // Client and server should both see the leaf certificate.
3225 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(server_.get()));
3226 ASSERT_TRUE(peer);
3227 ASSERT_EQ(X509_cmp(cert_.get(), peer.get()), 0);
3228
3229 peer.reset(SSL_get_peer_certificate(client_.get()));
3230 ASSERT_TRUE(peer);
3231 ASSERT_EQ(X509_cmp(cert_.get(), peer.get()), 0);
3232
3233 // However, for historical reasons, the X509 chain includes the leaf on the
3234 // client, but does not on the server.
3235 EXPECT_EQ(sk_X509_num(SSL_get_peer_cert_chain(client_.get())), 1u);
3236 EXPECT_EQ(sk_CRYPTO_BUFFER_num(SSL_get0_peer_certificates(client_.get())),
3237 1u);
3238
3239 EXPECT_EQ(sk_X509_num(SSL_get_peer_cert_chain(server_.get())), 0u);
3240 EXPECT_EQ(sk_CRYPTO_BUFFER_num(SSL_get0_peer_certificates(server_.get())),
3241 1u);
3242 }
3243
TEST_P(SSLVersionTest,NoPeerCertificate)3244 TEST_P(SSLVersionTest, NoPeerCertificate) {
3245 SSL_CTX_set_verify(server_ctx_.get(), SSL_VERIFY_PEER, nullptr);
3246 SSL_CTX_set_cert_verify_callback(server_ctx_.get(), VerifySucceed, NULL);
3247 SSL_CTX_set_cert_verify_callback(client_ctx_.get(), VerifySucceed, NULL);
3248
3249 ASSERT_TRUE(Connect());
3250
3251 // Server should not see a peer certificate.
3252 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(server_.get()));
3253 ASSERT_FALSE(peer);
3254 ASSERT_FALSE(SSL_get0_peer_certificates(server_.get()));
3255 }
3256
TEST_P(SSLVersionTest,RetainOnlySHA256OfCerts)3257 TEST_P(SSLVersionTest, RetainOnlySHA256OfCerts) {
3258 uint8_t *cert_der = NULL;
3259 int cert_der_len = i2d_X509(cert_.get(), &cert_der);
3260 ASSERT_GE(cert_der_len, 0);
3261 bssl::UniquePtr<uint8_t> free_cert_der(cert_der);
3262
3263 uint8_t cert_sha256[SHA256_DIGEST_LENGTH];
3264 SHA256(cert_der, cert_der_len, cert_sha256);
3265
3266 ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
3267
3268 // Configure both client and server to accept any certificate, but the
3269 // server must retain only the SHA-256 of the peer.
3270 SSL_CTX_set_verify(client_ctx_.get(),
3271 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
3272 nullptr);
3273 SSL_CTX_set_verify(server_ctx_.get(),
3274 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
3275 nullptr);
3276 SSL_CTX_set_cert_verify_callback(client_ctx_.get(), VerifySucceed, NULL);
3277 SSL_CTX_set_cert_verify_callback(server_ctx_.get(), VerifySucceed, NULL);
3278 SSL_CTX_set_retain_only_sha256_of_client_certs(server_ctx_.get(), 1);
3279
3280 ASSERT_TRUE(Connect());
3281
3282 // The peer certificate has been dropped.
3283 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(server_.get()));
3284 EXPECT_FALSE(peer);
3285
3286 SSL_SESSION *session = SSL_get_session(server_.get());
3287 EXPECT_TRUE(SSL_SESSION_has_peer_sha256(session));
3288
3289 const uint8_t *peer_sha256;
3290 size_t peer_sha256_len;
3291 SSL_SESSION_get0_peer_sha256(session, &peer_sha256, &peer_sha256_len);
3292 EXPECT_EQ(Bytes(cert_sha256), Bytes(peer_sha256, peer_sha256_len));
3293 }
3294
3295 // Tests that our ClientHellos do not change unexpectedly. These are purely
3296 // change detection tests. If they fail as part of an intentional ClientHello
3297 // change, update the test vector.
TEST(SSLTest,ClientHello)3298 TEST(SSLTest, ClientHello) {
3299 struct {
3300 uint16_t max_version;
3301 std::vector<uint8_t> expected;
3302 } kTests[] = {
3303 {TLS1_VERSION,
3304 {0x16, 0x03, 0x01, 0x00, 0x58, 0x01, 0x00, 0x00, 0x54, 0x03, 0x01, 0x00,
3305 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3306 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3307 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0c, 0xc0, 0x09,
3308 0xc0, 0x13, 0xc0, 0x0a, 0xc0, 0x14, 0x00, 0x2f, 0x00, 0x35, 0x01, 0x00,
3309 0x00, 0x1f, 0x00, 0x17, 0x00, 0x00, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00,
3310 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00,
3311 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00}},
3312 {TLS1_1_VERSION,
3313 {0x16, 0x03, 0x01, 0x00, 0x58, 0x01, 0x00, 0x00, 0x54, 0x03, 0x02, 0x00,
3314 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3315 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3316 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0c, 0xc0, 0x09,
3317 0xc0, 0x13, 0xc0, 0x0a, 0xc0, 0x14, 0x00, 0x2f, 0x00, 0x35, 0x01, 0x00,
3318 0x00, 0x1f, 0x00, 0x17, 0x00, 0x00, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00,
3319 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00,
3320 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00}},
3321 {TLS1_2_VERSION,
3322 {0x16, 0x03, 0x01, 0x00, 0x80, 0x01, 0x00, 0x00, 0x7c, 0x03, 0x03, 0x00,
3323 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3324 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3325 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1c, 0xcc, 0xa9,
3326 0xcc, 0xa8, 0xc0, 0x2b, 0xc0, 0x2f, 0xc0, 0x2c, 0xc0, 0x30, 0xc0, 0x09,
3327 0xc0, 0x13, 0xc0, 0x0a, 0xc0, 0x14, 0x00, 0x9c, 0x00, 0x9d, 0x00, 0x2f,
3328 0x00, 0x35, 0x01, 0x00, 0x00, 0x37, 0x00, 0x17, 0x00, 0x00, 0xff, 0x01,
3329 0x00, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00,
3330 0x17, 0x00, 0x18, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00,
3331 0x00, 0x00, 0x0d, 0x00, 0x14, 0x00, 0x12, 0x04, 0x03, 0x08, 0x04, 0x04,
3332 0x01, 0x05, 0x03, 0x08, 0x05, 0x05, 0x01, 0x08, 0x06, 0x06, 0x01, 0x02,
3333 0x01}},
3334 // TODO(davidben): Add a change detector for TLS 1.3 once the spec and our
3335 // implementation has settled enough that it won't change.
3336 };
3337
3338 for (const auto &t : kTests) {
3339 SCOPED_TRACE(t.max_version);
3340
3341 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
3342 ASSERT_TRUE(ctx);
3343 // Our default cipher list varies by CPU capabilities, so manually place the
3344 // ChaCha20 ciphers in front.
3345 const char *cipher_list = "CHACHA20:ALL";
3346 ASSERT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), t.max_version));
3347 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(ctx.get(), cipher_list));
3348
3349 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
3350 ASSERT_TRUE(ssl);
3351 std::vector<uint8_t> client_hello;
3352 ASSERT_TRUE(GetClientHello(ssl.get(), &client_hello));
3353
3354 // Zero the client_random.
3355 constexpr size_t kRandomOffset = 1 + 2 + 2 + // record header
3356 1 + 3 + // handshake message header
3357 2; // client_version
3358 ASSERT_GE(client_hello.size(), kRandomOffset + SSL3_RANDOM_SIZE);
3359 OPENSSL_memset(client_hello.data() + kRandomOffset, 0, SSL3_RANDOM_SIZE);
3360
3361 if (client_hello != t.expected) {
3362 ADD_FAILURE() << "ClientHellos did not match.";
3363 // Print the value manually so it is easier to update the test vector.
3364 for (size_t i = 0; i < client_hello.size(); i += 12) {
3365 printf(" %c", i == 0 ? '{' : ' ');
3366 for (size_t j = i; j < client_hello.size() && j < i + 12; j++) {
3367 if (j > i) {
3368 printf(" ");
3369 }
3370 printf("0x%02x", client_hello[j]);
3371 if (j < client_hello.size() - 1) {
3372 printf(",");
3373 }
3374 }
3375 if (i + 12 >= client_hello.size()) {
3376 printf("}},");
3377 }
3378 printf("\n");
3379 }
3380 }
3381 }
3382 }
3383
ExpectSessionReused(SSL_CTX * client_ctx,SSL_CTX * server_ctx,SSL_SESSION * session,bool want_reused)3384 static void ExpectSessionReused(SSL_CTX *client_ctx, SSL_CTX *server_ctx,
3385 SSL_SESSION *session, bool want_reused) {
3386 bssl::UniquePtr<SSL> client, server;
3387 ClientConfig config;
3388 config.session = session;
3389 ASSERT_TRUE(
3390 ConnectClientAndServer(&client, &server, client_ctx, server_ctx, config));
3391
3392 EXPECT_EQ(SSL_session_reused(client.get()), SSL_session_reused(server.get()));
3393
3394 bool was_reused = !!SSL_session_reused(client.get());
3395 EXPECT_EQ(was_reused, want_reused);
3396 }
3397
ExpectSessionRenewed(SSL_CTX * client_ctx,SSL_CTX * server_ctx,SSL_SESSION * session)3398 static bssl::UniquePtr<SSL_SESSION> ExpectSessionRenewed(SSL_CTX *client_ctx,
3399 SSL_CTX *server_ctx,
3400 SSL_SESSION *session) {
3401 g_last_session = nullptr;
3402 SSL_CTX_sess_set_new_cb(client_ctx, SaveLastSession);
3403
3404 bssl::UniquePtr<SSL> client, server;
3405 ClientConfig config;
3406 config.session = session;
3407 if (!ConnectClientAndServer(&client, &server, client_ctx, server_ctx,
3408 config) ||
3409 !FlushNewSessionTickets(client.get(), server.get())) {
3410 fprintf(stderr, "Failed to connect client and server.\n");
3411 return nullptr;
3412 }
3413
3414 if (SSL_session_reused(client.get()) != SSL_session_reused(server.get())) {
3415 fprintf(stderr, "Client and server were inconsistent.\n");
3416 return nullptr;
3417 }
3418
3419 if (!SSL_session_reused(client.get())) {
3420 fprintf(stderr, "Session was not reused.\n");
3421 return nullptr;
3422 }
3423
3424 SSL_CTX_sess_set_new_cb(client_ctx, nullptr);
3425
3426 if (!g_last_session) {
3427 fprintf(stderr, "Client did not receive a renewed session.\n");
3428 return nullptr;
3429 }
3430 return std::move(g_last_session);
3431 }
3432
ExpectTicketKeyChanged(SSL_CTX * ctx,uint8_t * inout_key,bool changed)3433 static void ExpectTicketKeyChanged(SSL_CTX *ctx, uint8_t *inout_key,
3434 bool changed) {
3435 uint8_t new_key[kTicketKeyLen];
3436 // May return 0, 1 or 48.
3437 ASSERT_EQ(SSL_CTX_get_tlsext_ticket_keys(ctx, new_key, kTicketKeyLen), 1);
3438 if (changed) {
3439 ASSERT_NE(Bytes(inout_key, kTicketKeyLen), Bytes(new_key));
3440 } else {
3441 ASSERT_EQ(Bytes(inout_key, kTicketKeyLen), Bytes(new_key));
3442 }
3443 OPENSSL_memcpy(inout_key, new_key, kTicketKeyLen);
3444 }
3445
SwitchSessionIDContextSNI(SSL * ssl,int * out_alert,void * arg)3446 static int SwitchSessionIDContextSNI(SSL *ssl, int *out_alert, void *arg) {
3447 static const uint8_t kContext[] = {3};
3448
3449 if (!SSL_set_session_id_context(ssl, kContext, sizeof(kContext))) {
3450 return SSL_TLSEXT_ERR_ALERT_FATAL;
3451 }
3452
3453 return SSL_TLSEXT_ERR_OK;
3454 }
3455
TEST_P(SSLVersionTest,SessionIDContext)3456 TEST_P(SSLVersionTest, SessionIDContext) {
3457 static const uint8_t kContext1[] = {1};
3458 static const uint8_t kContext2[] = {2};
3459
3460 ASSERT_TRUE(SSL_CTX_set_session_id_context(server_ctx_.get(), kContext1,
3461 sizeof(kContext1)));
3462
3463 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
3464 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
3465
3466 bssl::UniquePtr<SSL_SESSION> session =
3467 CreateClientSession(client_ctx_.get(), server_ctx_.get());
3468 ASSERT_TRUE(session);
3469
3470 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3471 session.get(),
3472 true /* expect session reused */));
3473
3474 // Change the session ID context.
3475 ASSERT_TRUE(SSL_CTX_set_session_id_context(server_ctx_.get(), kContext2,
3476 sizeof(kContext2)));
3477
3478 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3479 session.get(),
3480 false /* expect session not reused */));
3481
3482 // Change the session ID context back and install an SNI callback to switch
3483 // it.
3484 ASSERT_TRUE(SSL_CTX_set_session_id_context(server_ctx_.get(), kContext1,
3485 sizeof(kContext1)));
3486
3487 SSL_CTX_set_tlsext_servername_callback(server_ctx_.get(),
3488 SwitchSessionIDContextSNI);
3489
3490 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3491 session.get(),
3492 false /* expect session not reused */));
3493
3494 // Switch the session ID context with the early callback instead.
3495 SSL_CTX_set_tlsext_servername_callback(server_ctx_.get(), nullptr);
3496 SSL_CTX_set_select_certificate_cb(
3497 server_ctx_.get(),
3498 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
3499 static const uint8_t kContext[] = {3};
3500
3501 if (!SSL_set_session_id_context(client_hello->ssl, kContext,
3502 sizeof(kContext))) {
3503 return ssl_select_cert_error;
3504 }
3505
3506 return ssl_select_cert_success;
3507 });
3508
3509 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3510 session.get(),
3511 false /* expect session not reused */));
3512 }
3513
3514 static timeval g_current_time;
3515
CurrentTimeCallback(const SSL * ssl,timeval * out_clock)3516 static void CurrentTimeCallback(const SSL *ssl, timeval *out_clock) {
3517 *out_clock = g_current_time;
3518 }
3519
FrozenTimeCallback(const SSL * ssl,timeval * out_clock)3520 static void FrozenTimeCallback(const SSL *ssl, timeval *out_clock) {
3521 out_clock->tv_sec = 1000;
3522 out_clock->tv_usec = 0;
3523 }
3524
RenewTicketCallback(SSL * ssl,uint8_t * key_name,uint8_t * iv,EVP_CIPHER_CTX * ctx,HMAC_CTX * hmac_ctx,int encrypt)3525 static int RenewTicketCallback(SSL *ssl, uint8_t *key_name, uint8_t *iv,
3526 EVP_CIPHER_CTX *ctx, HMAC_CTX *hmac_ctx,
3527 int encrypt) {
3528 static const uint8_t kZeros[16] = {0};
3529
3530 if (encrypt) {
3531 OPENSSL_memcpy(key_name, kZeros, sizeof(kZeros));
3532 RAND_bytes(iv, 16);
3533 } else if (OPENSSL_memcmp(key_name, kZeros, 16) != 0) {
3534 return 0;
3535 }
3536
3537 if (!HMAC_Init_ex(hmac_ctx, kZeros, sizeof(kZeros), EVP_sha256(), NULL) ||
3538 !EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, kZeros, iv, encrypt)) {
3539 return -1;
3540 }
3541
3542 // Returning two from the callback in decrypt mode renews the
3543 // session in TLS 1.2 and below.
3544 return encrypt ? 1 : 2;
3545 }
3546
GetServerTicketTime(long * out,const SSL_SESSION * session)3547 static bool GetServerTicketTime(long *out, const SSL_SESSION *session) {
3548 const uint8_t *ticket;
3549 size_t ticket_len;
3550 SSL_SESSION_get0_ticket(session, &ticket, &ticket_len);
3551 if (ticket_len < 16 + 16 + SHA256_DIGEST_LENGTH) {
3552 return false;
3553 }
3554
3555 const uint8_t *ciphertext = ticket + 16 + 16;
3556 size_t len = ticket_len - 16 - 16 - SHA256_DIGEST_LENGTH;
3557 auto plaintext = std::make_unique<uint8_t[]>(len);
3558
3559 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
3560 // Fuzzer-mode tickets are unencrypted.
3561 OPENSSL_memcpy(plaintext.get(), ciphertext, len);
3562 #else
3563 static const uint8_t kZeros[16] = {0};
3564 const uint8_t *iv = ticket + 16;
3565 bssl::ScopedEVP_CIPHER_CTX ctx;
3566 int len1, len2;
3567 if (len > INT_MAX ||
3568 !EVP_DecryptInit_ex(ctx.get(), EVP_aes_128_cbc(), nullptr, kZeros, iv) ||
3569 !EVP_DecryptUpdate(ctx.get(), plaintext.get(), &len1, ciphertext,
3570 static_cast<int>(len)) ||
3571 !EVP_DecryptFinal_ex(ctx.get(), plaintext.get() + len1, &len2)) {
3572 return false;
3573 }
3574
3575 len = static_cast<size_t>(len1 + len2);
3576 #endif
3577
3578 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
3579 if (!ssl_ctx) {
3580 return false;
3581 }
3582 bssl::UniquePtr<SSL_SESSION> server_session(
3583 SSL_SESSION_from_bytes(plaintext.get(), len, ssl_ctx.get()));
3584 if (!server_session) {
3585 return false;
3586 }
3587
3588 *out = SSL_SESSION_get_time(server_session.get());
3589 return true;
3590 }
3591
TEST_P(SSLVersionTest,SessionTimeout)3592 TEST_P(SSLVersionTest, SessionTimeout) {
3593 for (bool server_test : {false, true}) {
3594 SCOPED_TRACE(server_test);
3595
3596 ASSERT_NO_FATAL_FAILURE(ResetContexts());
3597 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
3598 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
3599
3600 static const time_t kStartTime = 1000;
3601 g_current_time.tv_sec = kStartTime;
3602
3603 // We are willing to use a longer lifetime for TLS 1.3 sessions as
3604 // resumptions still perform ECDHE.
3605 const time_t timeout = version() == TLS1_3_VERSION
3606 ? SSL_DEFAULT_SESSION_PSK_DHE_TIMEOUT
3607 : SSL_DEFAULT_SESSION_TIMEOUT;
3608
3609 // Both client and server must enforce session timeouts. We configure the
3610 // other side with a frozen clock so it never expires tickets.
3611 if (server_test) {
3612 SSL_CTX_set_current_time_cb(client_ctx_.get(), FrozenTimeCallback);
3613 SSL_CTX_set_current_time_cb(server_ctx_.get(), CurrentTimeCallback);
3614 } else {
3615 SSL_CTX_set_current_time_cb(client_ctx_.get(), CurrentTimeCallback);
3616 SSL_CTX_set_current_time_cb(server_ctx_.get(), FrozenTimeCallback);
3617 }
3618
3619 // Configure a ticket callback which renews tickets.
3620 SSL_CTX_set_tlsext_ticket_key_cb(server_ctx_.get(), RenewTicketCallback);
3621
3622 bssl::UniquePtr<SSL_SESSION> session =
3623 CreateClientSession(client_ctx_.get(), server_ctx_.get());
3624 ASSERT_TRUE(session);
3625
3626 // Advance the clock just behind the timeout.
3627 g_current_time.tv_sec += timeout - 1;
3628
3629 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3630 session.get(),
3631 true /* expect session reused */));
3632
3633 // Advance the clock one more second.
3634 g_current_time.tv_sec++;
3635
3636 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3637 session.get(),
3638 false /* expect session not reused */));
3639
3640 // Rewind the clock to before the session was minted.
3641 g_current_time.tv_sec = kStartTime - 1;
3642
3643 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3644 session.get(),
3645 false /* expect session not reused */));
3646
3647 // Renew the session 10 seconds before expiration.
3648 time_t new_start_time = kStartTime + timeout - 10;
3649 g_current_time.tv_sec = new_start_time;
3650 bssl::UniquePtr<SSL_SESSION> new_session = ExpectSessionRenewed(
3651 client_ctx_.get(), server_ctx_.get(), session.get());
3652 ASSERT_TRUE(new_session);
3653
3654 // This new session is not the same object as before.
3655 EXPECT_NE(session.get(), new_session.get());
3656
3657 // Check the sessions have timestamps measured from issuance.
3658 long session_time = 0;
3659 if (server_test) {
3660 ASSERT_TRUE(GetServerTicketTime(&session_time, new_session.get()));
3661 } else {
3662 session_time = SSL_SESSION_get_time(new_session.get());
3663 }
3664
3665 ASSERT_EQ(session_time, g_current_time.tv_sec);
3666
3667 if (version() == TLS1_3_VERSION) {
3668 // Renewal incorporates fresh key material in TLS 1.3, so we extend the
3669 // lifetime TLS 1.3.
3670 g_current_time.tv_sec = new_start_time + timeout - 1;
3671 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3672 new_session.get(),
3673 true /* expect session reused */));
3674
3675 // The new session expires after the new timeout.
3676 g_current_time.tv_sec = new_start_time + timeout + 1;
3677 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3678 new_session.get(),
3679 false /* expect session ot reused */));
3680
3681 // Renew the session until it begins just past the auth timeout.
3682 time_t auth_end_time = kStartTime + SSL_DEFAULT_SESSION_AUTH_TIMEOUT;
3683 while (new_start_time < auth_end_time - 1000) {
3684 // Get as close as possible to target start time.
3685 new_start_time =
3686 std::min(auth_end_time - 1000, new_start_time + timeout - 1);
3687 g_current_time.tv_sec = new_start_time;
3688 new_session = ExpectSessionRenewed(client_ctx_.get(), server_ctx_.get(),
3689 new_session.get());
3690 ASSERT_TRUE(new_session);
3691 }
3692
3693 // Now the session's lifetime is bound by the auth timeout.
3694 g_current_time.tv_sec = auth_end_time - 1;
3695 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3696 new_session.get(),
3697 true /* expect session reused */));
3698
3699 g_current_time.tv_sec = auth_end_time + 1;
3700 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3701 new_session.get(),
3702 false /* expect session ot reused */));
3703 } else {
3704 // The new session is usable just before the old expiration.
3705 g_current_time.tv_sec = kStartTime + timeout - 1;
3706 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3707 new_session.get(),
3708 true /* expect session reused */));
3709
3710 // Renewal does not extend the lifetime, so it is not usable beyond the
3711 // old expiration.
3712 g_current_time.tv_sec = kStartTime + timeout + 1;
3713 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3714 new_session.get(),
3715 false /* expect session not reused */));
3716 }
3717 }
3718 }
3719
TEST_P(SSLVersionTest,DefaultTicketKeyInitialization)3720 TEST_P(SSLVersionTest, DefaultTicketKeyInitialization) {
3721 static const uint8_t kZeroKey[kTicketKeyLen] = {};
3722 uint8_t ticket_key[kTicketKeyLen];
3723 ASSERT_EQ(1, SSL_CTX_get_tlsext_ticket_keys(server_ctx_.get(), ticket_key,
3724 kTicketKeyLen));
3725 ASSERT_NE(0, OPENSSL_memcmp(ticket_key, kZeroKey, kTicketKeyLen));
3726 }
3727
TEST_P(SSLVersionTest,DefaultTicketKeyRotation)3728 TEST_P(SSLVersionTest, DefaultTicketKeyRotation) {
3729 static const time_t kStartTime = 1001;
3730 g_current_time.tv_sec = kStartTime;
3731
3732 // We use session reuse as a proxy for ticket decryption success, hence
3733 // disable session timeouts.
3734 SSL_CTX_set_timeout(server_ctx_.get(), std::numeric_limits<uint32_t>::max());
3735 SSL_CTX_set_session_psk_dhe_timeout(server_ctx_.get(),
3736 std::numeric_limits<uint32_t>::max());
3737
3738 SSL_CTX_set_current_time_cb(client_ctx_.get(), FrozenTimeCallback);
3739 SSL_CTX_set_current_time_cb(server_ctx_.get(), CurrentTimeCallback);
3740
3741 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
3742 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_OFF);
3743
3744 // Initialize ticket_key with the current key and check that it was
3745 // initialized to something, not all zeros.
3746 uint8_t ticket_key[kTicketKeyLen] = {0};
3747 TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
3748 true /* changed */));
3749
3750 // Verify ticket resumption actually works.
3751 bssl::UniquePtr<SSL> client, server;
3752 bssl::UniquePtr<SSL_SESSION> session =
3753 CreateClientSession(client_ctx_.get(), server_ctx_.get());
3754 ASSERT_TRUE(session);
3755 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3756 session.get(), true /* reused */));
3757
3758 // Advance time to just before key rotation.
3759 g_current_time.tv_sec += SSL_DEFAULT_TICKET_KEY_ROTATION_INTERVAL - 1;
3760 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3761 session.get(), true /* reused */));
3762 TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
3763 false /* NOT changed */));
3764
3765 // Force key rotation.
3766 g_current_time.tv_sec += 1;
3767 bssl::UniquePtr<SSL_SESSION> new_session =
3768 CreateClientSession(client_ctx_.get(), server_ctx_.get());
3769 TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
3770 true /* changed */));
3771
3772 // Resumption with both old and new ticket should work.
3773 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3774 session.get(), true /* reused */));
3775 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3776 new_session.get(), true /* reused */));
3777 TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
3778 false /* NOT changed */));
3779
3780 // Force key rotation again. Resumption with the old ticket now fails.
3781 g_current_time.tv_sec += SSL_DEFAULT_TICKET_KEY_ROTATION_INTERVAL;
3782 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3783 session.get(), false /* NOT reused */));
3784 TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
3785 true /* changed */));
3786
3787 // But resumption with the newer session still works.
3788 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3789 new_session.get(), true /* reused */));
3790 }
3791
SwitchContext(SSL * ssl,int * out_alert,void * arg)3792 static int SwitchContext(SSL *ssl, int *out_alert, void *arg) {
3793 SSL_CTX *ctx = reinterpret_cast<SSL_CTX *>(arg);
3794 SSL_set_SSL_CTX(ssl, ctx);
3795 return SSL_TLSEXT_ERR_OK;
3796 }
3797
TEST_P(SSLVersionTest,SNICallback)3798 TEST_P(SSLVersionTest, SNICallback) {
3799 bssl::UniquePtr<X509> cert2 = GetECDSATestCertificate();
3800 ASSERT_TRUE(cert2);
3801 bssl::UniquePtr<EVP_PKEY> key2 = GetECDSATestKey();
3802 ASSERT_TRUE(key2);
3803
3804 // Test that switching the |SSL_CTX| at the SNI callback behaves correctly.
3805 static const uint16_t kECDSAWithSHA256 = SSL_SIGN_ECDSA_SECP256R1_SHA256;
3806
3807 static const uint8_t kSCTList[] = {0, 6, 0, 4, 5, 6, 7, 8};
3808 static const uint8_t kOCSPResponse[] = {1, 2, 3, 4};
3809
3810 bssl::UniquePtr<SSL_CTX> server_ctx2 = CreateContext();
3811 ASSERT_TRUE(server_ctx2);
3812 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx2.get(), cert2.get()));
3813 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx2.get(), key2.get()));
3814 ASSERT_TRUE(SSL_CTX_set_signed_cert_timestamp_list(
3815 server_ctx2.get(), kSCTList, sizeof(kSCTList)));
3816 ASSERT_TRUE(SSL_CTX_set_ocsp_response(server_ctx2.get(), kOCSPResponse,
3817 sizeof(kOCSPResponse)));
3818 // Historically signing preferences would be lost in some cases with the
3819 // SNI callback, which triggers the TLS 1.2 SHA-1 default. To ensure
3820 // this doesn't happen when |version| is TLS 1.2, configure the private
3821 // key to only sign SHA-256.
3822 ASSERT_TRUE(SSL_CTX_set_signing_algorithm_prefs(server_ctx2.get(),
3823 &kECDSAWithSHA256, 1));
3824
3825 SSL_CTX_set_tlsext_servername_callback(server_ctx_.get(), SwitchContext);
3826 SSL_CTX_set_tlsext_servername_arg(server_ctx_.get(), server_ctx2.get());
3827
3828 SSL_CTX_enable_signed_cert_timestamps(client_ctx_.get());
3829 SSL_CTX_enable_ocsp_stapling(client_ctx_.get());
3830
3831 ASSERT_TRUE(Connect());
3832
3833 // The client should have received |cert2|.
3834 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(client_.get()));
3835 ASSERT_TRUE(peer);
3836 EXPECT_EQ(X509_cmp(peer.get(), cert2.get()), 0);
3837
3838 // The client should have received |server_ctx2|'s SCT list.
3839 const uint8_t *data;
3840 size_t len;
3841 SSL_get0_signed_cert_timestamp_list(client_.get(), &data, &len);
3842 EXPECT_EQ(Bytes(kSCTList), Bytes(data, len));
3843
3844 // The client should have received |server_ctx2|'s OCSP response.
3845 SSL_get0_ocsp_response(client_.get(), &data, &len);
3846 EXPECT_EQ(Bytes(kOCSPResponse), Bytes(data, len));
3847 }
3848
3849 // Test that the early callback can swap the maximum version.
TEST(SSLTest,EarlyCallbackVersionSwitch)3850 TEST(SSLTest, EarlyCallbackVersionSwitch) {
3851 bssl::UniquePtr<SSL_CTX> server_ctx =
3852 CreateContextWithTestCertificate(TLS_method());
3853 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
3854 ASSERT_TRUE(server_ctx);
3855 ASSERT_TRUE(client_ctx);
3856 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION));
3857 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
3858
3859 SSL_CTX_set_select_certificate_cb(
3860 server_ctx.get(),
3861 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
3862 if (!SSL_set_max_proto_version(client_hello->ssl, TLS1_2_VERSION)) {
3863 return ssl_select_cert_error;
3864 }
3865
3866 return ssl_select_cert_success;
3867 });
3868
3869 bssl::UniquePtr<SSL> client, server;
3870 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
3871 server_ctx.get()));
3872 EXPECT_EQ(TLS1_2_VERSION, SSL_version(client.get()));
3873 }
3874
TEST(SSLTest,SetVersion)3875 TEST(SSLTest, SetVersion) {
3876 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
3877 ASSERT_TRUE(ctx);
3878
3879 // Set valid TLS versions.
3880 for (const auto &vers : kAllVersions) {
3881 SCOPED_TRACE(vers.name);
3882 if (vers.ssl_method == VersionParam::is_tls) {
3883 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), vers.version));
3884 EXPECT_EQ(SSL_CTX_get_max_proto_version(ctx.get()), vers.version);
3885 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), vers.version));
3886 EXPECT_EQ(SSL_CTX_get_min_proto_version(ctx.get()), vers.version);
3887 }
3888 }
3889
3890 // Invalid TLS versions are rejected.
3891 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), DTLS1_VERSION));
3892 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0x0200));
3893 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0x1234));
3894 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), DTLS1_VERSION));
3895 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x0200));
3896 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x1234));
3897
3898 // Zero is the default version.
3899 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), 0));
3900 EXPECT_EQ(TLS1_3_VERSION, SSL_CTX_get_max_proto_version(ctx.get()));
3901 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), 0));
3902 EXPECT_EQ(TLS1_VERSION, SSL_CTX_get_min_proto_version(ctx.get()));
3903
3904 // SSL 3.0 is not available.
3905 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), SSL3_VERSION));
3906
3907 ctx.reset(SSL_CTX_new(DTLS_method()));
3908 ASSERT_TRUE(ctx);
3909
3910 // Set valid DTLS versions.
3911 for (const auto &vers : kAllVersions) {
3912 SCOPED_TRACE(vers.name);
3913 if (vers.ssl_method == VersionParam::is_dtls) {
3914 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), vers.version));
3915 EXPECT_EQ(SSL_CTX_get_max_proto_version(ctx.get()), vers.version);
3916 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), vers.version));
3917 EXPECT_EQ(SSL_CTX_get_min_proto_version(ctx.get()), vers.version);
3918 }
3919 }
3920
3921 // Invalid DTLS versions are rejected.
3922 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_VERSION));
3923 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0xfefe /* DTLS 1.1 */));
3924 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0xfffe /* DTLS 0.1 */));
3925 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0x1234));
3926 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_VERSION));
3927 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0xfefe /* DTLS 1.1 */));
3928 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0xfffe /* DTLS 0.1 */));
3929 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x1234));
3930
3931 // Zero is the default version.
3932 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), 0));
3933 EXPECT_EQ(DTLS1_2_VERSION, SSL_CTX_get_max_proto_version(ctx.get()));
3934 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), 0));
3935 EXPECT_EQ(DTLS1_VERSION, SSL_CTX_get_min_proto_version(ctx.get()));
3936 }
3937
GetVersionName(uint16_t version)3938 static const char *GetVersionName(uint16_t version) {
3939 switch (version) {
3940 case TLS1_VERSION:
3941 return "TLSv1";
3942 case TLS1_1_VERSION:
3943 return "TLSv1.1";
3944 case TLS1_2_VERSION:
3945 return "TLSv1.2";
3946 case TLS1_3_VERSION:
3947 return "TLSv1.3";
3948 case DTLS1_VERSION:
3949 return "DTLSv1";
3950 case DTLS1_2_VERSION:
3951 return "DTLSv1.2";
3952 default:
3953 return "???";
3954 }
3955 }
3956
TEST_P(SSLVersionTest,Version)3957 TEST_P(SSLVersionTest, Version) {
3958 ASSERT_TRUE(Connect());
3959
3960 EXPECT_EQ(SSL_version(client_.get()), version());
3961 EXPECT_EQ(SSL_version(server_.get()), version());
3962
3963 // Test the version name is reported as expected.
3964 const char *version_name = GetVersionName(version());
3965 EXPECT_EQ(strcmp(version_name, SSL_get_version(client_.get())), 0);
3966 EXPECT_EQ(strcmp(version_name, SSL_get_version(server_.get())), 0);
3967
3968 // Test SSL_SESSION reports the same name.
3969 const char *client_name =
3970 SSL_SESSION_get_version(SSL_get_session(client_.get()));
3971 const char *server_name =
3972 SSL_SESSION_get_version(SSL_get_session(server_.get()));
3973 EXPECT_EQ(strcmp(version_name, client_name), 0);
3974 EXPECT_EQ(strcmp(version_name, server_name), 0);
3975 }
3976
3977 // Tests that that |SSL_get_pending_cipher| is available during the ALPN
3978 // selection callback.
TEST_P(SSLVersionTest,ALPNCipherAvailable)3979 TEST_P(SSLVersionTest, ALPNCipherAvailable) {
3980 ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
3981
3982 static const uint8_t kALPNProtos[] = {0x03, 'f', 'o', 'o'};
3983 ASSERT_EQ(SSL_CTX_set_alpn_protos(client_ctx_.get(), kALPNProtos,
3984 sizeof(kALPNProtos)),
3985 0);
3986
3987 // The ALPN callback does not fail the handshake on error, so have the
3988 // callback write a boolean.
3989 std::pair<uint16_t, bool> callback_state(version(), false);
3990 SSL_CTX_set_alpn_select_cb(
3991 server_ctx_.get(),
3992 [](SSL *ssl, const uint8_t **out, uint8_t *out_len, const uint8_t *in,
3993 unsigned in_len, void *arg) -> int {
3994 auto state = reinterpret_cast<std::pair<uint16_t, bool> *>(arg);
3995 if (SSL_get_pending_cipher(ssl) != nullptr &&
3996 SSL_version(ssl) == state->first) {
3997 state->second = true;
3998 }
3999 return SSL_TLSEXT_ERR_NOACK;
4000 },
4001 &callback_state);
4002
4003 ASSERT_TRUE(Connect());
4004
4005 ASSERT_TRUE(callback_state.second);
4006 }
4007
TEST_P(SSLVersionTest,SSLClearSessionResumption)4008 TEST_P(SSLVersionTest, SSLClearSessionResumption) {
4009 // Skip this for TLS 1.3. TLS 1.3's ticket mechanism is incompatible with this
4010 // API pattern.
4011 if (version() == TLS1_3_VERSION) {
4012 return;
4013 }
4014
4015 shed_handshake_config_ = false;
4016 ASSERT_TRUE(Connect());
4017
4018 EXPECT_FALSE(SSL_session_reused(client_.get()));
4019 EXPECT_FALSE(SSL_session_reused(server_.get()));
4020
4021 // Reset everything.
4022 ASSERT_TRUE(SSL_clear(client_.get()));
4023 ASSERT_TRUE(SSL_clear(server_.get()));
4024
4025 // Attempt to connect a second time.
4026 ASSERT_TRUE(CompleteHandshakes(client_.get(), server_.get()));
4027
4028 // |SSL_clear| should implicitly offer the previous session to the server.
4029 EXPECT_TRUE(SSL_session_reused(client_.get()));
4030 EXPECT_TRUE(SSL_session_reused(server_.get()));
4031 }
4032
TEST_P(SSLVersionTest,SSLClearFailsWithShedding)4033 TEST_P(SSLVersionTest, SSLClearFailsWithShedding) {
4034 shed_handshake_config_ = false;
4035 ASSERT_TRUE(Connect());
4036 ASSERT_TRUE(CompleteHandshakes(client_.get(), server_.get()));
4037
4038 // Reset everything.
4039 ASSERT_TRUE(SSL_clear(client_.get()));
4040 ASSERT_TRUE(SSL_clear(server_.get()));
4041
4042 // Now enable shedding, and connect a second time.
4043 shed_handshake_config_ = true;
4044 ASSERT_TRUE(Connect());
4045 ASSERT_TRUE(CompleteHandshakes(client_.get(), server_.get()));
4046
4047 // |SSL_clear| should now fail.
4048 ASSERT_FALSE(SSL_clear(client_.get()));
4049 ASSERT_FALSE(SSL_clear(server_.get()));
4050 }
4051
ChainsEqual(STACK_OF (X509)* chain,const std::vector<X509 * > & expected)4052 static bool ChainsEqual(STACK_OF(X509) * chain,
4053 const std::vector<X509 *> &expected) {
4054 if (sk_X509_num(chain) != expected.size()) {
4055 return false;
4056 }
4057
4058 for (size_t i = 0; i < expected.size(); i++) {
4059 if (X509_cmp(sk_X509_value(chain, i), expected[i]) != 0) {
4060 return false;
4061 }
4062 }
4063
4064 return true;
4065 }
4066
TEST_P(SSLVersionTest,AutoChain)4067 TEST_P(SSLVersionTest, AutoChain) {
4068 cert_ = GetChainTestCertificate();
4069 ASSERT_TRUE(cert_);
4070 key_ = GetChainTestKey();
4071 ASSERT_TRUE(key_);
4072 bssl::UniquePtr<X509> intermediate = GetChainTestIntermediate();
4073 ASSERT_TRUE(intermediate);
4074
4075 ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
4076 ASSERT_TRUE(UseCertAndKey(server_ctx_.get()));
4077
4078 // Configure both client and server to accept any certificate. Add
4079 // |intermediate| to the cert store.
4080 ASSERT_TRUE(X509_STORE_add_cert(SSL_CTX_get_cert_store(client_ctx_.get()),
4081 intermediate.get()));
4082 ASSERT_TRUE(X509_STORE_add_cert(SSL_CTX_get_cert_store(server_ctx_.get()),
4083 intermediate.get()));
4084 SSL_CTX_set_verify(client_ctx_.get(),
4085 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
4086 nullptr);
4087 SSL_CTX_set_verify(server_ctx_.get(),
4088 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
4089 nullptr);
4090 SSL_CTX_set_cert_verify_callback(client_ctx_.get(), VerifySucceed, NULL);
4091 SSL_CTX_set_cert_verify_callback(server_ctx_.get(), VerifySucceed, NULL);
4092
4093 // By default, the client and server should each only send the leaf.
4094 ASSERT_TRUE(Connect());
4095
4096 EXPECT_TRUE(
4097 ChainsEqual(SSL_get_peer_full_cert_chain(client_.get()), {cert_.get()}));
4098 EXPECT_TRUE(
4099 ChainsEqual(SSL_get_peer_full_cert_chain(server_.get()), {cert_.get()}));
4100
4101 // If auto-chaining is enabled, then the intermediate is sent.
4102 SSL_CTX_clear_mode(client_ctx_.get(), SSL_MODE_NO_AUTO_CHAIN);
4103 SSL_CTX_clear_mode(server_ctx_.get(), SSL_MODE_NO_AUTO_CHAIN);
4104 ASSERT_TRUE(Connect());
4105
4106 EXPECT_TRUE(ChainsEqual(SSL_get_peer_full_cert_chain(client_.get()),
4107 {cert_.get(), intermediate.get()}));
4108 EXPECT_TRUE(ChainsEqual(SSL_get_peer_full_cert_chain(server_.get()),
4109 {cert_.get(), intermediate.get()}));
4110
4111 // Auto-chaining does not override explicitly-configured intermediates.
4112 ASSERT_TRUE(SSL_CTX_add1_chain_cert(client_ctx_.get(), cert_.get()));
4113 ASSERT_TRUE(SSL_CTX_add1_chain_cert(server_ctx_.get(), cert_.get()));
4114 ASSERT_TRUE(Connect());
4115
4116 EXPECT_TRUE(ChainsEqual(SSL_get_peer_full_cert_chain(client_.get()),
4117 {cert_.get(), cert_.get()}));
4118
4119 EXPECT_TRUE(ChainsEqual(SSL_get_peer_full_cert_chain(server_.get()),
4120 {cert_.get(), cert_.get()}));
4121 }
4122
ExpectSingleError(int lib,int reason)4123 static bool ExpectSingleError(int lib, int reason) {
4124 const char *expected = ERR_reason_error_string(ERR_PACK(lib, reason));
4125 int err = ERR_get_error();
4126 if (ERR_GET_LIB(err) != lib || ERR_GET_REASON(err) != reason) {
4127 char buf[ERR_ERROR_STRING_BUF_LEN];
4128 ERR_error_string_n(err, buf, sizeof(buf));
4129 fprintf(stderr, "Wanted %s, got: %s.\n", expected, buf);
4130 return false;
4131 }
4132
4133 if (ERR_peek_error() != 0) {
4134 fprintf(stderr, "Unexpected error following %s.\n", expected);
4135 return false;
4136 }
4137
4138 return true;
4139 }
4140
TEST_P(SSLVersionTest,SSLWriteRetry)4141 TEST_P(SSLVersionTest, SSLWriteRetry) {
4142 if (is_dtls()) {
4143 return;
4144 }
4145
4146 for (bool enable_partial_write : {false, true}) {
4147 SCOPED_TRACE(enable_partial_write);
4148
4149 // Connect a client and server.
4150 ASSERT_TRUE(Connect());
4151
4152 if (enable_partial_write) {
4153 SSL_set_mode(client_.get(), SSL_MODE_ENABLE_PARTIAL_WRITE);
4154 }
4155
4156 // Write without reading until the buffer is full and we have an unfinished
4157 // write. Keep a count so we may reread it again later. "hello!" will be
4158 // written in two chunks, "hello" and "!".
4159 char data[] = "hello!";
4160 static const int kChunkLen = 5; // The length of "hello".
4161 unsigned count = 0;
4162 for (;;) {
4163 int ret = SSL_write(client_.get(), data, kChunkLen);
4164 if (ret <= 0) {
4165 ASSERT_EQ(SSL_get_error(client_.get(), ret), SSL_ERROR_WANT_WRITE);
4166 break;
4167 }
4168 ASSERT_EQ(ret, 5);
4169 count++;
4170 }
4171
4172 // Retrying with the same parameters is legal.
4173 ASSERT_EQ(
4174 SSL_get_error(client_.get(), SSL_write(client_.get(), data, kChunkLen)),
4175 SSL_ERROR_WANT_WRITE);
4176
4177 // Retrying with the same buffer but shorter length is not legal.
4178 ASSERT_EQ(SSL_get_error(client_.get(),
4179 SSL_write(client_.get(), data, kChunkLen - 1)),
4180 SSL_ERROR_SSL);
4181 ASSERT_TRUE(ExpectSingleError(ERR_LIB_SSL, SSL_R_BAD_WRITE_RETRY));
4182
4183 // Retrying with a different buffer pointer is not legal.
4184 char data2[] = "hello";
4185 ASSERT_EQ(SSL_get_error(client_.get(),
4186 SSL_write(client_.get(), data2, kChunkLen)),
4187 SSL_ERROR_SSL);
4188 ASSERT_TRUE(ExpectSingleError(ERR_LIB_SSL, SSL_R_BAD_WRITE_RETRY));
4189
4190 // With |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER|, the buffer may move.
4191 SSL_set_mode(client_.get(), SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
4192 ASSERT_EQ(SSL_get_error(client_.get(),
4193 SSL_write(client_.get(), data2, kChunkLen)),
4194 SSL_ERROR_WANT_WRITE);
4195
4196 // |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER| does not disable length checks.
4197 ASSERT_EQ(SSL_get_error(client_.get(),
4198 SSL_write(client_.get(), data2, kChunkLen - 1)),
4199 SSL_ERROR_SSL);
4200 ASSERT_TRUE(ExpectSingleError(ERR_LIB_SSL, SSL_R_BAD_WRITE_RETRY));
4201
4202 // Retrying with a larger buffer is legal.
4203 ASSERT_EQ(SSL_get_error(client_.get(),
4204 SSL_write(client_.get(), data, kChunkLen + 1)),
4205 SSL_ERROR_WANT_WRITE);
4206
4207 // Drain the buffer.
4208 char buf[20];
4209 for (unsigned i = 0; i < count; i++) {
4210 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen);
4211 ASSERT_EQ(OPENSSL_memcmp(buf, "hello", kChunkLen), 0);
4212 }
4213
4214 // Now that there is space, a retry with a larger buffer should flush the
4215 // pending record, skip over that many bytes of input (on assumption they
4216 // are the same), and write the remainder. If SSL_MODE_ENABLE_PARTIAL_WRITE
4217 // is set, this will complete in two steps.
4218 char data_longer[] = "_____!!!!!";
4219 if (enable_partial_write) {
4220 ASSERT_EQ(SSL_write(client_.get(), data_longer, 2 * kChunkLen),
4221 kChunkLen);
4222 ASSERT_EQ(SSL_write(client_.get(), data_longer + kChunkLen, kChunkLen),
4223 kChunkLen);
4224 } else {
4225 ASSERT_EQ(SSL_write(client_.get(), data_longer, 2 * kChunkLen),
4226 2 * kChunkLen);
4227 }
4228
4229 // Check the last write was correct. The data will be spread over two
4230 // records, so SSL_read returns twice.
4231 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen);
4232 ASSERT_EQ(OPENSSL_memcmp(buf, "hello", kChunkLen), 0);
4233 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen);
4234 ASSERT_EQ(OPENSSL_memcmp(buf, "!!!!!", kChunkLen), 0);
4235
4236 // Fill the transport buffer again. This time only leave room for one
4237 // record.
4238 count = 0;
4239 for (;;) {
4240 int ret = SSL_write(client_.get(), data, kChunkLen);
4241 if (ret <= 0) {
4242 ASSERT_EQ(SSL_get_error(client_.get(), ret), SSL_ERROR_WANT_WRITE);
4243 break;
4244 }
4245 ASSERT_EQ(ret, 5);
4246 count++;
4247 }
4248 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen);
4249 ASSERT_EQ(OPENSSL_memcmp(buf, "hello", kChunkLen), 0);
4250 count--;
4251
4252 // Retry the last write, with a longer input. The first half is the most
4253 // recently failed write, from filling the buffer. |SSL_write| should write
4254 // that to the transport, and then attempt to write the second half.
4255 int ret = SSL_write(client_.get(), data_longer, 2 * kChunkLen);
4256 if (enable_partial_write) {
4257 // If partial writes are allowed, the write will succeed partially.
4258 ASSERT_EQ(ret, kChunkLen);
4259
4260 // Check the first half and make room for another record.
4261 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen);
4262 ASSERT_EQ(OPENSSL_memcmp(buf, "hello", kChunkLen), 0);
4263 count--;
4264
4265 // Finish writing the input.
4266 ASSERT_EQ(SSL_write(client_.get(), data_longer + kChunkLen, kChunkLen),
4267 kChunkLen);
4268 } else {
4269 // Otherwise, although the first half made it to the transport, the second
4270 // half is blocked.
4271 ASSERT_EQ(ret, -1);
4272 ASSERT_EQ(SSL_get_error(client_.get(), -1), SSL_ERROR_WANT_WRITE);
4273
4274 // Check the first half and make room for another record.
4275 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen);
4276 ASSERT_EQ(OPENSSL_memcmp(buf, "hello", kChunkLen), 0);
4277 count--;
4278
4279 // Retrying with fewer bytes than previously attempted is an error. If the
4280 // input length is less than the number of bytes successfully written, the
4281 // check happens at a different point, with a different error.
4282 //
4283 // TODO(davidben): Should these cases use the same error?
4284 ASSERT_EQ(
4285 SSL_get_error(client_.get(),
4286 SSL_write(client_.get(), data_longer, kChunkLen - 1)),
4287 SSL_ERROR_SSL);
4288 ASSERT_TRUE(ExpectSingleError(ERR_LIB_SSL, SSL_R_BAD_LENGTH));
4289
4290 // Complete the write with the correct retry.
4291 ASSERT_EQ(SSL_write(client_.get(), data_longer, 2 * kChunkLen),
4292 2 * kChunkLen);
4293 }
4294
4295 // Drain the input and ensure everything was written correctly.
4296 for (unsigned i = 0; i < count; i++) {
4297 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen);
4298 ASSERT_EQ(OPENSSL_memcmp(buf, "hello", kChunkLen), 0);
4299 }
4300
4301 // The final write is spread over two records.
4302 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen);
4303 ASSERT_EQ(OPENSSL_memcmp(buf, "hello", kChunkLen), 0);
4304 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen);
4305 ASSERT_EQ(OPENSSL_memcmp(buf, "!!!!!", kChunkLen), 0);
4306 }
4307 }
4308
TEST_P(SSLVersionTest,RecordCallback)4309 TEST_P(SSLVersionTest, RecordCallback) {
4310 for (bool test_server : {true, false}) {
4311 SCOPED_TRACE(test_server);
4312 ASSERT_NO_FATAL_FAILURE(ResetContexts());
4313
4314 bool read_seen = false;
4315 bool write_seen = false;
4316 auto cb = [&](int is_write, int cb_version, int cb_type, const void *buf,
4317 size_t len, SSL *ssl) {
4318 if (cb_type != SSL3_RT_HEADER) {
4319 return;
4320 }
4321
4322 // The callback does not report a version for records.
4323 EXPECT_EQ(0, cb_version);
4324
4325 if (is_write) {
4326 write_seen = true;
4327 } else {
4328 read_seen = true;
4329 }
4330
4331 // Sanity-check that the record header is plausible.
4332 CBS cbs;
4333 CBS_init(&cbs, reinterpret_cast<const uint8_t *>(buf), len);
4334 uint8_t type;
4335 uint16_t record_version, length;
4336 ASSERT_TRUE(CBS_get_u8(&cbs, &type));
4337 ASSERT_TRUE(CBS_get_u16(&cbs, &record_version));
4338 EXPECT_EQ(record_version & 0xff00, version() & 0xff00);
4339 if (is_dtls()) {
4340 uint16_t epoch;
4341 ASSERT_TRUE(CBS_get_u16(&cbs, &epoch));
4342 EXPECT_TRUE(epoch == 0 || epoch == 1) << "Invalid epoch: " << epoch;
4343 ASSERT_TRUE(CBS_skip(&cbs, 6));
4344 }
4345 ASSERT_TRUE(CBS_get_u16(&cbs, &length));
4346 EXPECT_EQ(0u, CBS_len(&cbs));
4347 };
4348 using CallbackType = decltype(cb);
4349 SSL_CTX *ctx = test_server ? server_ctx_.get() : client_ctx_.get();
4350 SSL_CTX_set_msg_callback(
4351 ctx, [](int is_write, int cb_version, int cb_type, const void *buf,
4352 size_t len, SSL *ssl, void *arg) {
4353 CallbackType *cb_ptr = reinterpret_cast<CallbackType *>(arg);
4354 (*cb_ptr)(is_write, cb_version, cb_type, buf, len, ssl);
4355 });
4356 SSL_CTX_set_msg_callback_arg(ctx, &cb);
4357
4358 ASSERT_TRUE(Connect());
4359
4360 EXPECT_TRUE(read_seen);
4361 EXPECT_TRUE(write_seen);
4362 }
4363 }
4364
TEST_P(SSLVersionTest,GetServerName)4365 TEST_P(SSLVersionTest, GetServerName) {
4366 ClientConfig config;
4367 config.servername = "host1";
4368
4369 SSL_CTX_set_tlsext_servername_callback(
4370 server_ctx_.get(), [](SSL *ssl, int *out_alert, void *arg) -> int {
4371 // During the handshake, |SSL_get_servername| must match |config|.
4372 ClientConfig *config_p = reinterpret_cast<ClientConfig *>(arg);
4373 EXPECT_STREQ(config_p->servername.c_str(),
4374 SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name));
4375 return SSL_TLSEXT_ERR_OK;
4376 });
4377 SSL_CTX_set_tlsext_servername_arg(server_ctx_.get(), &config);
4378
4379 ASSERT_TRUE(Connect(config));
4380 // After the handshake, it must also be available.
4381 EXPECT_STREQ(config.servername.c_str(),
4382 SSL_get_servername(server_.get(), TLSEXT_NAMETYPE_host_name));
4383
4384 // Establish a session under host1.
4385 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
4386 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
4387 bssl::UniquePtr<SSL_SESSION> session =
4388 CreateClientSession(client_ctx_.get(), server_ctx_.get(), config);
4389
4390 // If the client resumes a session with a different name, |SSL_get_servername|
4391 // must return the new name.
4392 ASSERT_TRUE(session);
4393 config.session = session.get();
4394 config.servername = "host2";
4395 ASSERT_TRUE(Connect(config));
4396 EXPECT_STREQ(config.servername.c_str(),
4397 SSL_get_servername(server_.get(), TLSEXT_NAMETYPE_host_name));
4398 }
4399
4400 // Test that session cache mode bits are honored in the client session callback.
TEST_P(SSLVersionTest,ClientSessionCacheMode)4401 TEST_P(SSLVersionTest, ClientSessionCacheMode) {
4402 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_OFF);
4403 EXPECT_FALSE(CreateClientSession(client_ctx_.get(), server_ctx_.get()));
4404
4405 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_CLIENT);
4406 EXPECT_TRUE(CreateClientSession(client_ctx_.get(), server_ctx_.get()));
4407
4408 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_SERVER);
4409 EXPECT_FALSE(CreateClientSession(client_ctx_.get(), server_ctx_.get()));
4410 }
4411
4412 // Test that all versions survive tiny write buffers. In particular, TLS 1.3
4413 // NewSessionTickets are written post-handshake. Servers that block
4414 // |SSL_do_handshake| on writing them will deadlock if clients are not draining
4415 // the buffer. Test that we do not do this.
TEST_P(SSLVersionTest,SmallBuffer)4416 TEST_P(SSLVersionTest, SmallBuffer) {
4417 // DTLS is a datagram protocol and requires packet-sized buffers.
4418 if (is_dtls()) {
4419 return;
4420 }
4421
4422 // Test both flushing NewSessionTickets with a zero-sized write and
4423 // non-zero-sized write.
4424 for (bool use_zero_write : {false, true}) {
4425 SCOPED_TRACE(use_zero_write);
4426
4427 g_last_session = nullptr;
4428 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
4429 SSL_CTX_sess_set_new_cb(client_ctx_.get(), SaveLastSession);
4430
4431 bssl::UniquePtr<SSL> client(SSL_new(client_ctx_.get())),
4432 server(SSL_new(server_ctx_.get()));
4433 ASSERT_TRUE(client);
4434 ASSERT_TRUE(server);
4435 SSL_set_connect_state(client.get());
4436 SSL_set_accept_state(server.get());
4437
4438 // Use a tiny buffer.
4439 BIO *bio1, *bio2;
4440 ASSERT_TRUE(BIO_new_bio_pair(&bio1, 1, &bio2, 1));
4441
4442 // SSL_set_bio takes ownership.
4443 SSL_set_bio(client.get(), bio1, bio1);
4444 SSL_set_bio(server.get(), bio2, bio2);
4445
4446 ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
4447 if (version() >= TLS1_3_VERSION) {
4448 // The post-handshake ticket should not have been processed yet.
4449 EXPECT_FALSE(g_last_session);
4450 }
4451
4452 if (use_zero_write) {
4453 ASSERT_TRUE(FlushNewSessionTickets(client.get(), server.get()));
4454 EXPECT_TRUE(g_last_session);
4455 }
4456
4457 // Send some data from server to client. If |use_zero_write| is false, this
4458 // will also flush the NewSessionTickets.
4459 static const char kMessage[] = "hello world";
4460 char buf[sizeof(kMessage)];
4461 for (;;) {
4462 int server_ret = SSL_write(server.get(), kMessage, sizeof(kMessage));
4463 int server_err = SSL_get_error(server.get(), server_ret);
4464 int client_ret = SSL_read(client.get(), buf, sizeof(buf));
4465 int client_err = SSL_get_error(client.get(), client_ret);
4466
4467 // The server will write a single record, so every iteration should see
4468 // |SSL_ERROR_WANT_WRITE| and |SSL_ERROR_WANT_READ|, until the final
4469 // iteration, where both will complete.
4470 if (server_ret > 0) {
4471 EXPECT_EQ(server_ret, static_cast<int>(sizeof(kMessage)));
4472 EXPECT_EQ(client_ret, static_cast<int>(sizeof(kMessage)));
4473 EXPECT_EQ(Bytes(buf), Bytes(kMessage));
4474 break;
4475 }
4476
4477 ASSERT_EQ(server_ret, -1);
4478 ASSERT_EQ(server_err, SSL_ERROR_WANT_WRITE);
4479 ASSERT_EQ(client_ret, -1);
4480 ASSERT_EQ(client_err, SSL_ERROR_WANT_READ);
4481 }
4482
4483 // The NewSessionTickets should have been flushed and processed.
4484 EXPECT_TRUE(g_last_session);
4485 }
4486 }
4487
TEST(SSLTest,AddChainCertHack)4488 TEST(SSLTest, AddChainCertHack) {
4489 // Ensure that we don't accidently break the hack that we have in place to
4490 // keep curl and serf happy when they use an |X509| even after transfering
4491 // ownership.
4492
4493 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
4494 ASSERT_TRUE(ctx);
4495 X509 *cert = GetTestCertificate().release();
4496 ASSERT_TRUE(cert);
4497 SSL_CTX_add0_chain_cert(ctx.get(), cert);
4498
4499 // This should not trigger a use-after-free.
4500 X509_cmp(cert, cert);
4501 }
4502
TEST(SSLTest,GetCertificate)4503 TEST(SSLTest, GetCertificate) {
4504 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
4505 ASSERT_TRUE(ctx);
4506 bssl::UniquePtr<X509> cert = GetTestCertificate();
4507 ASSERT_TRUE(cert);
4508 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), cert.get()));
4509 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
4510 ASSERT_TRUE(ssl);
4511
4512 X509 *cert2 = SSL_CTX_get0_certificate(ctx.get());
4513 ASSERT_TRUE(cert2);
4514 X509 *cert3 = SSL_get_certificate(ssl.get());
4515 ASSERT_TRUE(cert3);
4516
4517 // The old and new certificates must be identical.
4518 EXPECT_EQ(0, X509_cmp(cert.get(), cert2));
4519 EXPECT_EQ(0, X509_cmp(cert.get(), cert3));
4520
4521 uint8_t *der = nullptr;
4522 long der_len = i2d_X509(cert.get(), &der);
4523 ASSERT_LT(0, der_len);
4524 bssl::UniquePtr<uint8_t> free_der(der);
4525
4526 uint8_t *der2 = nullptr;
4527 long der2_len = i2d_X509(cert2, &der2);
4528 ASSERT_LT(0, der2_len);
4529 bssl::UniquePtr<uint8_t> free_der2(der2);
4530
4531 uint8_t *der3 = nullptr;
4532 long der3_len = i2d_X509(cert3, &der3);
4533 ASSERT_LT(0, der3_len);
4534 bssl::UniquePtr<uint8_t> free_der3(der3);
4535
4536 // They must also encode identically.
4537 EXPECT_EQ(Bytes(der, der_len), Bytes(der2, der2_len));
4538 EXPECT_EQ(Bytes(der, der_len), Bytes(der3, der3_len));
4539 }
4540
TEST(SSLTest,SetChainAndKeyMismatch)4541 TEST(SSLTest, SetChainAndKeyMismatch) {
4542 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_with_buffers_method()));
4543 ASSERT_TRUE(ctx);
4544
4545 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
4546 ASSERT_TRUE(key);
4547 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
4548 ASSERT_TRUE(leaf);
4549 std::vector<CRYPTO_BUFFER*> chain = {
4550 leaf.get(),
4551 };
4552
4553 // Should fail because |GetTestKey| doesn't match the chain-test certificate.
4554 ASSERT_FALSE(SSL_CTX_set_chain_and_key(ctx.get(), &chain[0], chain.size(),
4555 key.get(), nullptr));
4556 ERR_clear_error();
4557 }
4558
TEST(SSLTest,SetChainAndKey)4559 TEST(SSLTest, SetChainAndKey) {
4560 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method()));
4561 ASSERT_TRUE(client_ctx);
4562 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_with_buffers_method()));
4563 ASSERT_TRUE(server_ctx);
4564
4565 ASSERT_EQ(nullptr, SSL_CTX_get0_chain(server_ctx.get()));
4566
4567 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
4568 ASSERT_TRUE(key);
4569 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
4570 ASSERT_TRUE(leaf);
4571 bssl::UniquePtr<CRYPTO_BUFFER> intermediate =
4572 GetChainTestIntermediateBuffer();
4573 ASSERT_TRUE(intermediate);
4574 std::vector<CRYPTO_BUFFER*> chain = {
4575 leaf.get(), intermediate.get(),
4576 };
4577 ASSERT_TRUE(SSL_CTX_set_chain_and_key(server_ctx.get(), &chain[0],
4578 chain.size(), key.get(), nullptr));
4579
4580 ASSERT_EQ(chain.size(),
4581 sk_CRYPTO_BUFFER_num(SSL_CTX_get0_chain(server_ctx.get())));
4582
4583 SSL_CTX_set_custom_verify(
4584 client_ctx.get(), SSL_VERIFY_PEER,
4585 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
4586 return ssl_verify_ok;
4587 });
4588
4589 bssl::UniquePtr<SSL> client, server;
4590 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
4591 server_ctx.get()));
4592 }
4593
TEST(SSLTest,BuffersFailWithoutCustomVerify)4594 TEST(SSLTest, BuffersFailWithoutCustomVerify) {
4595 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method()));
4596 ASSERT_TRUE(client_ctx);
4597 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_with_buffers_method()));
4598 ASSERT_TRUE(server_ctx);
4599
4600 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
4601 ASSERT_TRUE(key);
4602 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
4603 ASSERT_TRUE(leaf);
4604 std::vector<CRYPTO_BUFFER*> chain = { leaf.get() };
4605 ASSERT_TRUE(SSL_CTX_set_chain_and_key(server_ctx.get(), &chain[0],
4606 chain.size(), key.get(), nullptr));
4607
4608 // Without SSL_CTX_set_custom_verify(), i.e. with everything in the default
4609 // configuration, certificate verification should fail.
4610 bssl::UniquePtr<SSL> client, server;
4611 ASSERT_FALSE(ConnectClientAndServer(&client, &server, client_ctx.get(),
4612 server_ctx.get()));
4613
4614 // Whereas with a verifier, the connection should succeed.
4615 SSL_CTX_set_custom_verify(
4616 client_ctx.get(), SSL_VERIFY_PEER,
4617 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
4618 return ssl_verify_ok;
4619 });
4620 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
4621 server_ctx.get()));
4622 }
4623
TEST(SSLTest,CustomVerify)4624 TEST(SSLTest, CustomVerify) {
4625 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method()));
4626 ASSERT_TRUE(client_ctx);
4627 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_with_buffers_method()));
4628 ASSERT_TRUE(server_ctx);
4629
4630 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
4631 ASSERT_TRUE(key);
4632 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
4633 ASSERT_TRUE(leaf);
4634 std::vector<CRYPTO_BUFFER*> chain = { leaf.get() };
4635 ASSERT_TRUE(SSL_CTX_set_chain_and_key(server_ctx.get(), &chain[0],
4636 chain.size(), key.get(), nullptr));
4637
4638 SSL_CTX_set_custom_verify(
4639 client_ctx.get(), SSL_VERIFY_PEER,
4640 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
4641 return ssl_verify_ok;
4642 });
4643
4644 bssl::UniquePtr<SSL> client, server;
4645 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
4646 server_ctx.get()));
4647
4648 // With SSL_VERIFY_PEER, ssl_verify_invalid should result in a dropped
4649 // connection.
4650 SSL_CTX_set_custom_verify(
4651 client_ctx.get(), SSL_VERIFY_PEER,
4652 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
4653 return ssl_verify_invalid;
4654 });
4655
4656 ASSERT_FALSE(ConnectClientAndServer(&client, &server, client_ctx.get(),
4657 server_ctx.get()));
4658
4659 // But with SSL_VERIFY_NONE, ssl_verify_invalid should not cause a dropped
4660 // connection.
4661 SSL_CTX_set_custom_verify(
4662 client_ctx.get(), SSL_VERIFY_NONE,
4663 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
4664 return ssl_verify_invalid;
4665 });
4666
4667 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
4668 server_ctx.get()));
4669 }
4670
TEST(SSLTest,ClientCABuffers)4671 TEST(SSLTest, ClientCABuffers) {
4672 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method()));
4673 ASSERT_TRUE(client_ctx);
4674 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_with_buffers_method()));
4675 ASSERT_TRUE(server_ctx);
4676
4677 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
4678 ASSERT_TRUE(key);
4679 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
4680 ASSERT_TRUE(leaf);
4681 bssl::UniquePtr<CRYPTO_BUFFER> intermediate =
4682 GetChainTestIntermediateBuffer();
4683 ASSERT_TRUE(intermediate);
4684 std::vector<CRYPTO_BUFFER *> chain = {
4685 leaf.get(),
4686 intermediate.get(),
4687 };
4688 ASSERT_TRUE(SSL_CTX_set_chain_and_key(server_ctx.get(), &chain[0],
4689 chain.size(), key.get(), nullptr));
4690
4691 bssl::UniquePtr<CRYPTO_BUFFER> ca_name(
4692 CRYPTO_BUFFER_new(kTestName, sizeof(kTestName), nullptr));
4693 ASSERT_TRUE(ca_name);
4694 bssl::UniquePtr<STACK_OF(CRYPTO_BUFFER)> ca_names(
4695 sk_CRYPTO_BUFFER_new_null());
4696 ASSERT_TRUE(ca_names);
4697 ASSERT_TRUE(PushToStack(ca_names.get(), std::move(ca_name)));
4698 SSL_CTX_set0_client_CAs(server_ctx.get(), ca_names.release());
4699
4700 // Configure client and server to accept all certificates.
4701 SSL_CTX_set_custom_verify(
4702 client_ctx.get(), SSL_VERIFY_PEER,
4703 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
4704 return ssl_verify_ok;
4705 });
4706 SSL_CTX_set_custom_verify(
4707 server_ctx.get(), SSL_VERIFY_PEER,
4708 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
4709 return ssl_verify_ok;
4710 });
4711
4712 bool cert_cb_called = false;
4713 SSL_CTX_set_cert_cb(
4714 client_ctx.get(),
4715 [](SSL *ssl, void *arg) -> int {
4716 const STACK_OF(CRYPTO_BUFFER) *peer_names =
4717 SSL_get0_server_requested_CAs(ssl);
4718 EXPECT_EQ(1u, sk_CRYPTO_BUFFER_num(peer_names));
4719 CRYPTO_BUFFER *peer_name = sk_CRYPTO_BUFFER_value(peer_names, 0);
4720 EXPECT_EQ(Bytes(kTestName), Bytes(CRYPTO_BUFFER_data(peer_name),
4721 CRYPTO_BUFFER_len(peer_name)));
4722 *reinterpret_cast<bool *>(arg) = true;
4723 return 1;
4724 },
4725 &cert_cb_called);
4726
4727 bssl::UniquePtr<SSL> client, server;
4728 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
4729 server_ctx.get()));
4730 EXPECT_TRUE(cert_cb_called);
4731 }
4732
4733 // Configuring the empty cipher list, though an error, should still modify the
4734 // configuration.
TEST(SSLTest,EmptyCipherList)4735 TEST(SSLTest, EmptyCipherList) {
4736 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
4737 ASSERT_TRUE(ctx);
4738
4739 // Initially, the cipher list is not empty.
4740 EXPECT_NE(0u, sk_SSL_CIPHER_num(SSL_CTX_get_ciphers(ctx.get())));
4741
4742 // Configuring the empty cipher list fails.
4743 EXPECT_FALSE(SSL_CTX_set_cipher_list(ctx.get(), ""));
4744 ERR_clear_error();
4745
4746 // But the cipher list is still updated to empty.
4747 EXPECT_EQ(0u, sk_SSL_CIPHER_num(SSL_CTX_get_ciphers(ctx.get())));
4748 }
4749
4750 // ssl_test_ticket_aead_failure_mode enumerates the possible ways in which the
4751 // test |SSL_TICKET_AEAD_METHOD| can fail.
4752 enum ssl_test_ticket_aead_failure_mode {
4753 ssl_test_ticket_aead_ok = 0,
4754 ssl_test_ticket_aead_seal_fail,
4755 ssl_test_ticket_aead_open_soft_fail,
4756 ssl_test_ticket_aead_open_hard_fail,
4757 };
4758
4759 struct ssl_test_ticket_aead_state {
4760 unsigned retry_count = 0;
4761 ssl_test_ticket_aead_failure_mode failure_mode = ssl_test_ticket_aead_ok;
4762 };
4763
ssl_test_ticket_aead_ex_index_dup(CRYPTO_EX_DATA * to,const CRYPTO_EX_DATA * from,void ** from_d,int index,long argl,void * argp)4764 static int ssl_test_ticket_aead_ex_index_dup(CRYPTO_EX_DATA *to,
4765 const CRYPTO_EX_DATA *from,
4766 void **from_d, int index,
4767 long argl, void *argp) {
4768 abort();
4769 }
4770
ssl_test_ticket_aead_ex_index_free(void * parent,void * ptr,CRYPTO_EX_DATA * ad,int index,long argl,void * argp)4771 static void ssl_test_ticket_aead_ex_index_free(void *parent, void *ptr,
4772 CRYPTO_EX_DATA *ad, int index,
4773 long argl, void *argp) {
4774 delete reinterpret_cast<ssl_test_ticket_aead_state*>(ptr);
4775 }
4776
4777 static CRYPTO_once_t g_ssl_test_ticket_aead_ex_index_once = CRYPTO_ONCE_INIT;
4778 static int g_ssl_test_ticket_aead_ex_index;
4779
ssl_test_ticket_aead_get_ex_index()4780 static int ssl_test_ticket_aead_get_ex_index() {
4781 CRYPTO_once(&g_ssl_test_ticket_aead_ex_index_once, [] {
4782 g_ssl_test_ticket_aead_ex_index = SSL_get_ex_new_index(
4783 0, nullptr, nullptr, ssl_test_ticket_aead_ex_index_dup,
4784 ssl_test_ticket_aead_ex_index_free);
4785 });
4786 return g_ssl_test_ticket_aead_ex_index;
4787 }
4788
ssl_test_ticket_aead_max_overhead(SSL * ssl)4789 static size_t ssl_test_ticket_aead_max_overhead(SSL *ssl) {
4790 return 1;
4791 }
4792
ssl_test_ticket_aead_seal(SSL * ssl,uint8_t * out,size_t * out_len,size_t max_out_len,const uint8_t * in,size_t in_len)4793 static int ssl_test_ticket_aead_seal(SSL *ssl, uint8_t *out, size_t *out_len,
4794 size_t max_out_len, const uint8_t *in,
4795 size_t in_len) {
4796 auto state = reinterpret_cast<ssl_test_ticket_aead_state *>(
4797 SSL_get_ex_data(ssl, ssl_test_ticket_aead_get_ex_index()));
4798
4799 if (state->failure_mode == ssl_test_ticket_aead_seal_fail ||
4800 max_out_len < in_len + 1) {
4801 return 0;
4802 }
4803
4804 OPENSSL_memmove(out, in, in_len);
4805 out[in_len] = 0xff;
4806 *out_len = in_len + 1;
4807
4808 return 1;
4809 }
4810
ssl_test_ticket_aead_open(SSL * ssl,uint8_t * out,size_t * out_len,size_t max_out_len,const uint8_t * in,size_t in_len)4811 static ssl_ticket_aead_result_t ssl_test_ticket_aead_open(
4812 SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out_len,
4813 const uint8_t *in, size_t in_len) {
4814 auto state = reinterpret_cast<ssl_test_ticket_aead_state *>(
4815 SSL_get_ex_data(ssl, ssl_test_ticket_aead_get_ex_index()));
4816
4817 if (state->retry_count > 0) {
4818 state->retry_count--;
4819 return ssl_ticket_aead_retry;
4820 }
4821
4822 switch (state->failure_mode) {
4823 case ssl_test_ticket_aead_ok:
4824 break;
4825 case ssl_test_ticket_aead_seal_fail:
4826 // If |seal| failed then there shouldn't be any ticket to try and
4827 // decrypt.
4828 abort();
4829 break;
4830 case ssl_test_ticket_aead_open_soft_fail:
4831 return ssl_ticket_aead_ignore_ticket;
4832 case ssl_test_ticket_aead_open_hard_fail:
4833 return ssl_ticket_aead_error;
4834 }
4835
4836 if (in_len == 0 || in[in_len - 1] != 0xff) {
4837 return ssl_ticket_aead_ignore_ticket;
4838 }
4839
4840 if (max_out_len < in_len - 1) {
4841 return ssl_ticket_aead_error;
4842 }
4843
4844 OPENSSL_memmove(out, in, in_len - 1);
4845 *out_len = in_len - 1;
4846 return ssl_ticket_aead_success;
4847 }
4848
4849 static const SSL_TICKET_AEAD_METHOD kSSLTestTicketMethod = {
4850 ssl_test_ticket_aead_max_overhead,
4851 ssl_test_ticket_aead_seal,
4852 ssl_test_ticket_aead_open,
4853 };
4854
ConnectClientAndServerWithTicketMethod(bssl::UniquePtr<SSL> * out_client,bssl::UniquePtr<SSL> * out_server,SSL_CTX * client_ctx,SSL_CTX * server_ctx,unsigned retry_count,ssl_test_ticket_aead_failure_mode failure_mode,SSL_SESSION * session)4855 static void ConnectClientAndServerWithTicketMethod(
4856 bssl::UniquePtr<SSL> *out_client, bssl::UniquePtr<SSL> *out_server,
4857 SSL_CTX *client_ctx, SSL_CTX *server_ctx, unsigned retry_count,
4858 ssl_test_ticket_aead_failure_mode failure_mode, SSL_SESSION *session) {
4859 bssl::UniquePtr<SSL> client(SSL_new(client_ctx)), server(SSL_new(server_ctx));
4860 ASSERT_TRUE(client);
4861 ASSERT_TRUE(server);
4862 SSL_set_connect_state(client.get());
4863 SSL_set_accept_state(server.get());
4864
4865 auto state = new ssl_test_ticket_aead_state;
4866 state->retry_count = retry_count;
4867 state->failure_mode = failure_mode;
4868
4869 ASSERT_GE(ssl_test_ticket_aead_get_ex_index(), 0);
4870 ASSERT_TRUE(SSL_set_ex_data(server.get(), ssl_test_ticket_aead_get_ex_index(),
4871 state));
4872
4873 SSL_set_session(client.get(), session);
4874
4875 BIO *bio1, *bio2;
4876 ASSERT_TRUE(BIO_new_bio_pair(&bio1, 0, &bio2, 0));
4877
4878 // SSL_set_bio takes ownership.
4879 SSL_set_bio(client.get(), bio1, bio1);
4880 SSL_set_bio(server.get(), bio2, bio2);
4881
4882 if (CompleteHandshakes(client.get(), server.get())) {
4883 *out_client = std::move(client);
4884 *out_server = std::move(server);
4885 } else {
4886 out_client->reset();
4887 out_server->reset();
4888 }
4889 }
4890
4891 using TicketAEADMethodParam =
4892 testing::tuple<uint16_t, unsigned, ssl_test_ticket_aead_failure_mode>;
4893
4894 class TicketAEADMethodTest
4895 : public ::testing::TestWithParam<TicketAEADMethodParam> {};
4896
TEST_P(TicketAEADMethodTest,Resume)4897 TEST_P(TicketAEADMethodTest, Resume) {
4898 bssl::UniquePtr<SSL_CTX> server_ctx =
4899 CreateContextWithTestCertificate(TLS_method());
4900 ASSERT_TRUE(server_ctx);
4901 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
4902 ASSERT_TRUE(client_ctx);
4903
4904 const uint16_t version = testing::get<0>(GetParam());
4905 const unsigned retry_count = testing::get<1>(GetParam());
4906 const ssl_test_ticket_aead_failure_mode failure_mode =
4907 testing::get<2>(GetParam());
4908
4909 ASSERT_TRUE(SSL_CTX_set_min_proto_version(client_ctx.get(), version));
4910 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), version));
4911 ASSERT_TRUE(SSL_CTX_set_min_proto_version(server_ctx.get(), version));
4912 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), version));
4913
4914 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
4915 SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH);
4916 SSL_CTX_set_current_time_cb(client_ctx.get(), FrozenTimeCallback);
4917 SSL_CTX_set_current_time_cb(server_ctx.get(), FrozenTimeCallback);
4918 SSL_CTX_sess_set_new_cb(client_ctx.get(), SaveLastSession);
4919
4920 SSL_CTX_set_ticket_aead_method(server_ctx.get(), &kSSLTestTicketMethod);
4921
4922 bssl::UniquePtr<SSL> client, server;
4923 ASSERT_NO_FATAL_FAILURE(ConnectClientAndServerWithTicketMethod(
4924 &client, &server, client_ctx.get(), server_ctx.get(), retry_count,
4925 failure_mode, nullptr));
4926 switch (failure_mode) {
4927 case ssl_test_ticket_aead_ok:
4928 case ssl_test_ticket_aead_open_hard_fail:
4929 case ssl_test_ticket_aead_open_soft_fail:
4930 ASSERT_TRUE(client);
4931 break;
4932 case ssl_test_ticket_aead_seal_fail:
4933 EXPECT_FALSE(client);
4934 return;
4935 }
4936 EXPECT_FALSE(SSL_session_reused(client.get()));
4937 EXPECT_FALSE(SSL_session_reused(server.get()));
4938
4939 ASSERT_TRUE(FlushNewSessionTickets(client.get(), server.get()));
4940 bssl::UniquePtr<SSL_SESSION> session = std::move(g_last_session);
4941 ASSERT_NO_FATAL_FAILURE(ConnectClientAndServerWithTicketMethod(
4942 &client, &server, client_ctx.get(), server_ctx.get(), retry_count,
4943 failure_mode, session.get()));
4944 switch (failure_mode) {
4945 case ssl_test_ticket_aead_ok:
4946 ASSERT_TRUE(client);
4947 EXPECT_TRUE(SSL_session_reused(client.get()));
4948 EXPECT_TRUE(SSL_session_reused(server.get()));
4949 break;
4950 case ssl_test_ticket_aead_seal_fail:
4951 abort();
4952 break;
4953 case ssl_test_ticket_aead_open_hard_fail:
4954 EXPECT_FALSE(client);
4955 break;
4956 case ssl_test_ticket_aead_open_soft_fail:
4957 ASSERT_TRUE(client);
4958 EXPECT_FALSE(SSL_session_reused(client.get()));
4959 EXPECT_FALSE(SSL_session_reused(server.get()));
4960 }
4961 }
4962
TicketAEADMethodParamToString(const testing::TestParamInfo<TicketAEADMethodParam> & params)4963 std::string TicketAEADMethodParamToString(
4964 const testing::TestParamInfo<TicketAEADMethodParam> ¶ms) {
4965 std::string ret = GetVersionName(std::get<0>(params.param));
4966 // GTest only allows alphanumeric characters and '_' in the parameter
4967 // string. Additionally filter out the 'v' to get "TLS13" over "TLSv13".
4968 for (auto it = ret.begin(); it != ret.end();) {
4969 if (*it == '.' || *it == 'v') {
4970 it = ret.erase(it);
4971 } else {
4972 ++it;
4973 }
4974 }
4975 char retry_count[256];
4976 snprintf(retry_count, sizeof(retry_count), "%u", std::get<1>(params.param));
4977 ret += "_";
4978 ret += retry_count;
4979 ret += "Retries_";
4980 switch (std::get<2>(params.param)) {
4981 case ssl_test_ticket_aead_ok:
4982 ret += "OK";
4983 break;
4984 case ssl_test_ticket_aead_seal_fail:
4985 ret += "SealFail";
4986 break;
4987 case ssl_test_ticket_aead_open_soft_fail:
4988 ret += "OpenSoftFail";
4989 break;
4990 case ssl_test_ticket_aead_open_hard_fail:
4991 ret += "OpenHardFail";
4992 break;
4993 }
4994 return ret;
4995 }
4996
4997 INSTANTIATE_TEST_SUITE_P(
4998 TicketAEADMethodTests, TicketAEADMethodTest,
4999 testing::Combine(testing::Values(TLS1_2_VERSION, TLS1_3_VERSION),
5000 testing::Values(0, 1, 2),
5001 testing::Values(ssl_test_ticket_aead_ok,
5002 ssl_test_ticket_aead_seal_fail,
5003 ssl_test_ticket_aead_open_soft_fail,
5004 ssl_test_ticket_aead_open_hard_fail)),
5005 TicketAEADMethodParamToString);
5006
TEST(SSLTest,SelectNextProto)5007 TEST(SSLTest, SelectNextProto) {
5008 uint8_t *result;
5009 uint8_t result_len;
5010
5011 // If there is an overlap, it should be returned.
5012 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
5013 SSL_select_next_proto(&result, &result_len,
5014 (const uint8_t *)"\1a\2bb\3ccc", 9,
5015 (const uint8_t *)"\1x\1y\1a\1z", 8));
5016 EXPECT_EQ(Bytes("a"), Bytes(result, result_len));
5017
5018 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
5019 SSL_select_next_proto(&result, &result_len,
5020 (const uint8_t *)"\1a\2bb\3ccc", 9,
5021 (const uint8_t *)"\1x\1y\2bb\1z", 9));
5022 EXPECT_EQ(Bytes("bb"), Bytes(result, result_len));
5023
5024 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
5025 SSL_select_next_proto(&result, &result_len,
5026 (const uint8_t *)"\1a\2bb\3ccc", 9,
5027 (const uint8_t *)"\1x\1y\3ccc\1z", 10));
5028 EXPECT_EQ(Bytes("ccc"), Bytes(result, result_len));
5029
5030 // Peer preference order takes precedence over local.
5031 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
5032 SSL_select_next_proto(&result, &result_len,
5033 (const uint8_t *)"\1a\2bb\3ccc", 9,
5034 (const uint8_t *)"\3ccc\2bb\1a", 9));
5035 EXPECT_EQ(Bytes("a"), Bytes(result, result_len));
5036
5037 // If there is no overlap, return the first local protocol.
5038 EXPECT_EQ(OPENSSL_NPN_NO_OVERLAP,
5039 SSL_select_next_proto(&result, &result_len,
5040 (const uint8_t *)"\1a\2bb\3ccc", 9,
5041 (const uint8_t *)"\1x\2yy\3zzz", 9));
5042 EXPECT_EQ(Bytes("x"), Bytes(result, result_len));
5043
5044 EXPECT_EQ(OPENSSL_NPN_NO_OVERLAP,
5045 SSL_select_next_proto(&result, &result_len, nullptr, 0,
5046 (const uint8_t *)"\1x\2yy\3zzz", 9));
5047 EXPECT_EQ(Bytes("x"), Bytes(result, result_len));
5048 }
5049
5050 // The client should gracefully handle no suitable ciphers being enabled.
TEST(SSLTest,NoCiphersAvailable)5051 TEST(SSLTest, NoCiphersAvailable) {
5052 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
5053 ASSERT_TRUE(ctx);
5054
5055 // Configure |client_ctx| with a cipher list that does not intersect with its
5056 // version configuration.
5057 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(
5058 ctx.get(), "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"));
5059 ASSERT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_1_VERSION));
5060
5061 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
5062 ASSERT_TRUE(ssl);
5063 SSL_set_connect_state(ssl.get());
5064
5065 UniquePtr<BIO> rbio(BIO_new(BIO_s_mem())), wbio(BIO_new(BIO_s_mem()));
5066 ASSERT_TRUE(rbio);
5067 ASSERT_TRUE(wbio);
5068 SSL_set0_rbio(ssl.get(), rbio.release());
5069 SSL_set0_wbio(ssl.get(), wbio.release());
5070
5071 int ret = SSL_do_handshake(ssl.get());
5072 EXPECT_EQ(-1, ret);
5073 EXPECT_EQ(SSL_ERROR_SSL, SSL_get_error(ssl.get(), ret));
5074 uint32_t err = ERR_get_error();
5075 EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err));
5076 EXPECT_EQ(SSL_R_NO_CIPHERS_AVAILABLE, ERR_GET_REASON(err));
5077 }
5078
TEST_P(SSLVersionTest,SessionVersion)5079 TEST_P(SSLVersionTest, SessionVersion) {
5080 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
5081 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
5082
5083 bssl::UniquePtr<SSL_SESSION> session =
5084 CreateClientSession(client_ctx_.get(), server_ctx_.get());
5085 ASSERT_TRUE(session);
5086 EXPECT_EQ(version(), SSL_SESSION_get_protocol_version(session.get()));
5087
5088 // Sessions in TLS 1.3 and later should be single-use.
5089 EXPECT_EQ(version() == TLS1_3_VERSION,
5090 !!SSL_SESSION_should_be_single_use(session.get()));
5091
5092 // Making fake sessions for testing works.
5093 session.reset(SSL_SESSION_new(client_ctx_.get()));
5094 ASSERT_TRUE(session);
5095 ASSERT_TRUE(SSL_SESSION_set_protocol_version(session.get(), version()));
5096 EXPECT_EQ(version(), SSL_SESSION_get_protocol_version(session.get()));
5097 }
5098
TEST_P(SSLVersionTest,SSLPending)5099 TEST_P(SSLVersionTest, SSLPending) {
5100 UniquePtr<SSL> ssl(SSL_new(client_ctx_.get()));
5101 ASSERT_TRUE(ssl);
5102 EXPECT_EQ(0, SSL_pending(ssl.get()));
5103
5104 ASSERT_TRUE(Connect());
5105 EXPECT_EQ(0, SSL_pending(client_.get()));
5106 EXPECT_EQ(0, SSL_has_pending(client_.get()));
5107
5108 ASSERT_EQ(5, SSL_write(server_.get(), "hello", 5));
5109 ASSERT_EQ(5, SSL_write(server_.get(), "world", 5));
5110 EXPECT_EQ(0, SSL_pending(client_.get()));
5111 EXPECT_EQ(0, SSL_has_pending(client_.get()));
5112
5113 char buf[10];
5114 ASSERT_EQ(1, SSL_peek(client_.get(), buf, 1));
5115 EXPECT_EQ(5, SSL_pending(client_.get()));
5116 EXPECT_EQ(1, SSL_has_pending(client_.get()));
5117
5118 ASSERT_EQ(1, SSL_read(client_.get(), buf, 1));
5119 EXPECT_EQ(4, SSL_pending(client_.get()));
5120 EXPECT_EQ(1, SSL_has_pending(client_.get()));
5121
5122 ASSERT_EQ(4, SSL_read(client_.get(), buf, 10));
5123 EXPECT_EQ(0, SSL_pending(client_.get()));
5124 if (is_dtls()) {
5125 // In DTLS, the two records would have been read as a single datagram and
5126 // buffered inside |client_|. Thus, |SSL_has_pending| should return true.
5127 //
5128 // This test is slightly unrealistic. It relies on |ConnectClientAndServer|
5129 // using a |BIO| pair, which does not preserve datagram boundaries. Reading
5130 // 1 byte, then 4 bytes, from the first record also relies on
5131 // https://crbug.com/boringssl/65. But it does test the codepaths. When
5132 // fixing either of these bugs, this test may need to be redone.
5133 EXPECT_EQ(1, SSL_has_pending(client_.get()));
5134 } else {
5135 // In TLS, we do not overread, so |SSL_has_pending| should report no data is
5136 // buffered.
5137 EXPECT_EQ(0, SSL_has_pending(client_.get()));
5138 }
5139
5140 ASSERT_EQ(2, SSL_read(client_.get(), buf, 2));
5141 EXPECT_EQ(3, SSL_pending(client_.get()));
5142 EXPECT_EQ(1, SSL_has_pending(client_.get()));
5143 }
5144
5145 // Test that post-handshake tickets consumed by |SSL_shutdown| are ignored.
TEST(SSLTest,ShutdownIgnoresTickets)5146 TEST(SSLTest, ShutdownIgnoresTickets) {
5147 bssl::UniquePtr<SSL_CTX> ctx(CreateContextWithTestCertificate(TLS_method()));
5148 ASSERT_TRUE(ctx);
5149 ASSERT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_3_VERSION));
5150 ASSERT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_3_VERSION));
5151
5152 SSL_CTX_set_session_cache_mode(ctx.get(), SSL_SESS_CACHE_BOTH);
5153
5154 bssl::UniquePtr<SSL> client, server;
5155 ASSERT_TRUE(ConnectClientAndServer(&client, &server, ctx.get(), ctx.get()));
5156
5157 SSL_CTX_sess_set_new_cb(ctx.get(), [](SSL *ssl, SSL_SESSION *session) -> int {
5158 ADD_FAILURE() << "New session callback called during SSL_shutdown";
5159 return 0;
5160 });
5161
5162 // Send close_notify.
5163 EXPECT_EQ(0, SSL_shutdown(server.get()));
5164 EXPECT_EQ(0, SSL_shutdown(client.get()));
5165
5166 // Receive close_notify.
5167 EXPECT_EQ(1, SSL_shutdown(server.get()));
5168 EXPECT_EQ(1, SSL_shutdown(client.get()));
5169 }
5170
TEST(SSLTest,SignatureAlgorithmProperties)5171 TEST(SSLTest, SignatureAlgorithmProperties) {
5172 EXPECT_EQ(EVP_PKEY_NONE, SSL_get_signature_algorithm_key_type(0x1234));
5173 EXPECT_EQ(nullptr, SSL_get_signature_algorithm_digest(0x1234));
5174 EXPECT_FALSE(SSL_is_signature_algorithm_rsa_pss(0x1234));
5175
5176 EXPECT_EQ(EVP_PKEY_RSA,
5177 SSL_get_signature_algorithm_key_type(SSL_SIGN_RSA_PKCS1_MD5_SHA1));
5178 EXPECT_EQ(EVP_md5_sha1(),
5179 SSL_get_signature_algorithm_digest(SSL_SIGN_RSA_PKCS1_MD5_SHA1));
5180 EXPECT_FALSE(SSL_is_signature_algorithm_rsa_pss(SSL_SIGN_RSA_PKCS1_MD5_SHA1));
5181
5182 EXPECT_EQ(EVP_PKEY_EC, SSL_get_signature_algorithm_key_type(
5183 SSL_SIGN_ECDSA_SECP256R1_SHA256));
5184 EXPECT_EQ(EVP_sha256(), SSL_get_signature_algorithm_digest(
5185 SSL_SIGN_ECDSA_SECP256R1_SHA256));
5186 EXPECT_FALSE(
5187 SSL_is_signature_algorithm_rsa_pss(SSL_SIGN_ECDSA_SECP256R1_SHA256));
5188
5189 EXPECT_EQ(EVP_PKEY_RSA,
5190 SSL_get_signature_algorithm_key_type(SSL_SIGN_RSA_PSS_RSAE_SHA384));
5191 EXPECT_EQ(EVP_sha384(),
5192 SSL_get_signature_algorithm_digest(SSL_SIGN_RSA_PSS_RSAE_SHA384));
5193 EXPECT_TRUE(SSL_is_signature_algorithm_rsa_pss(SSL_SIGN_RSA_PSS_RSAE_SHA384));
5194 }
5195
XORCompressFunc(SSL * ssl,CBB * out,const uint8_t * in,size_t in_len)5196 static int XORCompressFunc(SSL *ssl, CBB *out, const uint8_t *in,
5197 size_t in_len) {
5198 for (size_t i = 0; i < in_len; i++) {
5199 if (!CBB_add_u8(out, in[i] ^ 0x55)) {
5200 return 0;
5201 }
5202 }
5203
5204 SSL_set_app_data(ssl, XORCompressFunc);
5205
5206 return 1;
5207 }
5208
XORDecompressFunc(SSL * ssl,CRYPTO_BUFFER ** out,size_t uncompressed_len,const uint8_t * in,size_t in_len)5209 static int XORDecompressFunc(SSL *ssl, CRYPTO_BUFFER **out,
5210 size_t uncompressed_len, const uint8_t *in,
5211 size_t in_len) {
5212 if (in_len != uncompressed_len) {
5213 return 0;
5214 }
5215
5216 uint8_t *data;
5217 *out = CRYPTO_BUFFER_alloc(&data, uncompressed_len);
5218 if (*out == nullptr) {
5219 return 0;
5220 }
5221
5222 for (size_t i = 0; i < in_len; i++) {
5223 data[i] = in[i] ^ 0x55;
5224 }
5225
5226 SSL_set_app_data(ssl, XORDecompressFunc);
5227
5228 return 1;
5229 }
5230
TEST(SSLTest,CertCompression)5231 TEST(SSLTest, CertCompression) {
5232 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
5233 bssl::UniquePtr<SSL_CTX> server_ctx(
5234 CreateContextWithTestCertificate(TLS_method()));
5235 ASSERT_TRUE(client_ctx);
5236 ASSERT_TRUE(server_ctx);
5237
5238 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION));
5239 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
5240 ASSERT_TRUE(SSL_CTX_add_cert_compression_alg(
5241 client_ctx.get(), 0x1234, XORCompressFunc, XORDecompressFunc));
5242 ASSERT_TRUE(SSL_CTX_add_cert_compression_alg(
5243 server_ctx.get(), 0x1234, XORCompressFunc, XORDecompressFunc));
5244
5245 bssl::UniquePtr<SSL> client, server;
5246 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
5247 server_ctx.get()));
5248
5249 EXPECT_TRUE(SSL_get_app_data(client.get()) == XORDecompressFunc);
5250 EXPECT_TRUE(SSL_get_app_data(server.get()) == XORCompressFunc);
5251 }
5252
MoveBIOs(SSL * dest,SSL * src)5253 void MoveBIOs(SSL *dest, SSL *src) {
5254 BIO *rbio = SSL_get_rbio(src);
5255 BIO_up_ref(rbio);
5256 SSL_set0_rbio(dest, rbio);
5257
5258 BIO *wbio = SSL_get_wbio(src);
5259 BIO_up_ref(wbio);
5260 SSL_set0_wbio(dest, wbio);
5261
5262 SSL_set0_rbio(src, nullptr);
5263 SSL_set0_wbio(src, nullptr);
5264 }
5265
VerifyHandoff(bool use_new_alps_codepoint)5266 void VerifyHandoff(bool use_new_alps_codepoint) {
5267 static const uint8_t alpn[] = {0x03, 'f', 'o', 'o'};
5268 static const uint8_t proto[] = {'f', 'o', 'o'};
5269 static const uint8_t alps[] = {0x04, 'a', 'l', 'p', 's'};
5270
5271 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
5272 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
5273 bssl::UniquePtr<SSL_CTX> handshaker_ctx(
5274 CreateContextWithTestCertificate(TLS_method()));
5275 ASSERT_TRUE(client_ctx);
5276 ASSERT_TRUE(server_ctx);
5277 ASSERT_TRUE(handshaker_ctx);
5278
5279 if (!use_new_alps_codepoint) {
5280 SetUpExpectedOldCodePoint(server_ctx.get());
5281 } else {
5282 SetUpExpectedNewCodePoint(server_ctx.get());
5283 }
5284
5285 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_CLIENT);
5286 SSL_CTX_sess_set_new_cb(client_ctx.get(), SaveLastSession);
5287 SSL_CTX_set_handoff_mode(server_ctx.get(), true);
5288 uint8_t keys[48];
5289 SSL_CTX_get_tlsext_ticket_keys(server_ctx.get(), &keys, sizeof(keys));
5290 SSL_CTX_set_tlsext_ticket_keys(handshaker_ctx.get(), &keys, sizeof(keys));
5291
5292 for (bool early_data : {false, true}) {
5293 SCOPED_TRACE(early_data);
5294 for (bool is_resume : {false, true}) {
5295 SCOPED_TRACE(is_resume);
5296 bssl::UniquePtr<SSL> client, server;
5297 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
5298 server_ctx.get()));
5299 SSL_set_early_data_enabled(client.get(), early_data);
5300
5301 // Set up client ALPS settings.
5302 SSL_set_alps_use_new_codepoint(client.get(), use_new_alps_codepoint);
5303 ASSERT_TRUE(SSL_set_alpn_protos(client.get(), alpn, sizeof(alpn)) == 0);
5304 ASSERT_TRUE(SSL_add_application_settings(client.get(), proto,
5305 sizeof(proto), nullptr, 0));
5306 if (is_resume) {
5307 ASSERT_TRUE(g_last_session);
5308 SSL_set_session(client.get(), g_last_session.get());
5309 if (early_data) {
5310 EXPECT_GT(g_last_session->ticket_max_early_data, 0u);
5311 }
5312 }
5313
5314
5315 int client_ret = SSL_do_handshake(client.get());
5316 int client_err = SSL_get_error(client.get(), client_ret);
5317
5318 uint8_t byte_written;
5319 if (early_data && is_resume) {
5320 ASSERT_EQ(client_err, 0);
5321 EXPECT_TRUE(SSL_in_early_data(client.get()));
5322 // Attempt to write early data.
5323 byte_written = 43;
5324 EXPECT_EQ(SSL_write(client.get(), &byte_written, 1), 1);
5325 } else {
5326 ASSERT_EQ(client_err, SSL_ERROR_WANT_READ);
5327 }
5328
5329 int server_ret = SSL_do_handshake(server.get());
5330 int server_err = SSL_get_error(server.get(), server_ret);
5331 ASSERT_EQ(server_err, SSL_ERROR_HANDOFF);
5332
5333 ScopedCBB cbb;
5334 Array<uint8_t> handoff;
5335 SSL_CLIENT_HELLO hello;
5336 ASSERT_TRUE(CBB_init(cbb.get(), 256));
5337 ASSERT_TRUE(SSL_serialize_handoff(server.get(), cbb.get(), &hello));
5338 ASSERT_TRUE(CBBFinishArray(cbb.get(), &handoff));
5339
5340 bssl::UniquePtr<SSL> handshaker(SSL_new(handshaker_ctx.get()));
5341 ASSERT_TRUE(handshaker);
5342 // Note split handshakes determines 0-RTT support, for both the current
5343 // handshake and newly-issued tickets, entirely by |handshaker|. There is
5344 // no need to call |SSL_set_early_data_enabled| on |server|.
5345 SSL_set_early_data_enabled(handshaker.get(), 1);
5346
5347 // Set up handshaker ALPS settings.
5348 SSL_set_alps_use_new_codepoint(handshaker.get(), use_new_alps_codepoint);
5349 SSL_CTX_set_alpn_select_cb(
5350 handshaker_ctx.get(),
5351 [](SSL *ssl, const uint8_t **out, uint8_t *out_len, const uint8_t *in,
5352 unsigned in_len, void *arg) -> int {
5353 return SSL_select_next_proto(
5354 const_cast<uint8_t **>(out), out_len, in, in_len,
5355 alpn, sizeof(alpn)) == OPENSSL_NPN_NEGOTIATED
5356 ? SSL_TLSEXT_ERR_OK
5357 : SSL_TLSEXT_ERR_NOACK;
5358 },
5359 nullptr);
5360 ASSERT_TRUE(SSL_add_application_settings(handshaker.get(), proto,
5361 sizeof(proto), alps, sizeof(alps)));
5362
5363 ASSERT_TRUE(SSL_apply_handoff(handshaker.get(), handoff));
5364
5365 MoveBIOs(handshaker.get(), server.get());
5366
5367 int handshake_ret = SSL_do_handshake(handshaker.get());
5368 int handshake_err = SSL_get_error(handshaker.get(), handshake_ret);
5369 ASSERT_EQ(handshake_err, SSL_ERROR_HANDBACK);
5370
5371 // Double-check that additional calls to |SSL_do_handshake| continue
5372 // to get |SSL_ERROR_HANDBACK|.
5373 handshake_ret = SSL_do_handshake(handshaker.get());
5374 handshake_err = SSL_get_error(handshaker.get(), handshake_ret);
5375 ASSERT_EQ(handshake_err, SSL_ERROR_HANDBACK);
5376
5377 ScopedCBB cbb_handback;
5378 Array<uint8_t> handback;
5379 ASSERT_TRUE(CBB_init(cbb_handback.get(), 1024));
5380 ASSERT_TRUE(SSL_serialize_handback(handshaker.get(), cbb_handback.get()));
5381 ASSERT_TRUE(CBBFinishArray(cbb_handback.get(), &handback));
5382
5383 bssl::UniquePtr<SSL> server2(SSL_new(server_ctx.get()));
5384 ASSERT_TRUE(server2);
5385 ASSERT_TRUE(SSL_apply_handback(server2.get(), handback));
5386
5387 MoveBIOs(server2.get(), handshaker.get());
5388 ASSERT_TRUE(CompleteHandshakes(client.get(), server2.get()));
5389 EXPECT_EQ(is_resume, SSL_session_reused(client.get()));
5390 // Verify application settings.
5391 ASSERT_TRUE(SSL_has_application_settings(client.get()));
5392
5393 if (early_data && is_resume) {
5394 // In this case, one byte of early data has already been written above.
5395 EXPECT_TRUE(SSL_early_data_accepted(client.get()));
5396 } else {
5397 byte_written = 42;
5398 EXPECT_EQ(SSL_write(client.get(), &byte_written, 1), 1);
5399 }
5400 uint8_t byte;
5401 EXPECT_EQ(SSL_read(server2.get(), &byte, 1), 1);
5402 EXPECT_EQ(byte_written, byte);
5403
5404 byte = 44;
5405 EXPECT_EQ(SSL_write(server2.get(), &byte, 1), 1);
5406 EXPECT_EQ(SSL_read(client.get(), &byte, 1), 1);
5407 EXPECT_EQ(44, byte);
5408 }
5409 }
5410 }
5411
TEST(SSLTest,Handoff)5412 TEST(SSLTest, Handoff) {
5413 for (bool use_new_alps_codepoint : {false, true}) {
5414 SCOPED_TRACE(use_new_alps_codepoint);
5415 VerifyHandoff(use_new_alps_codepoint);
5416 }
5417 }
5418
TEST(SSLTest,HandoffDeclined)5419 TEST(SSLTest, HandoffDeclined) {
5420 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
5421 bssl::UniquePtr<SSL_CTX> server_ctx(
5422 CreateContextWithTestCertificate(TLS_method()));
5423 ASSERT_TRUE(client_ctx);
5424 ASSERT_TRUE(server_ctx);
5425
5426 SSL_CTX_set_handoff_mode(server_ctx.get(), true);
5427 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_2_VERSION));
5428
5429 bssl::UniquePtr<SSL> client, server;
5430 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
5431 server_ctx.get()));
5432
5433 int client_ret = SSL_do_handshake(client.get());
5434 int client_err = SSL_get_error(client.get(), client_ret);
5435 ASSERT_EQ(client_err, SSL_ERROR_WANT_READ);
5436
5437 int server_ret = SSL_do_handshake(server.get());
5438 int server_err = SSL_get_error(server.get(), server_ret);
5439 ASSERT_EQ(server_err, SSL_ERROR_HANDOFF);
5440
5441 ScopedCBB cbb;
5442 SSL_CLIENT_HELLO hello;
5443 ASSERT_TRUE(CBB_init(cbb.get(), 256));
5444 ASSERT_TRUE(SSL_serialize_handoff(server.get(), cbb.get(), &hello));
5445
5446 ASSERT_TRUE(SSL_decline_handoff(server.get()));
5447
5448 ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
5449
5450 uint8_t byte = 42;
5451 EXPECT_EQ(SSL_write(client.get(), &byte, 1), 1);
5452 EXPECT_EQ(SSL_read(server.get(), &byte, 1), 1);
5453 EXPECT_EQ(42, byte);
5454
5455 byte = 43;
5456 EXPECT_EQ(SSL_write(server.get(), &byte, 1), 1);
5457 EXPECT_EQ(SSL_read(client.get(), &byte, 1), 1);
5458 EXPECT_EQ(43, byte);
5459 }
5460
SigAlgsToString(Span<const uint16_t> sigalgs)5461 static std::string SigAlgsToString(Span<const uint16_t> sigalgs) {
5462 std::string ret = "{";
5463
5464 for (uint16_t v : sigalgs) {
5465 if (ret.size() > 1) {
5466 ret += ", ";
5467 }
5468
5469 char buf[8];
5470 snprintf(buf, sizeof(buf) - 1, "0x%02x", v);
5471 buf[sizeof(buf)-1] = 0;
5472 ret += std::string(buf);
5473 }
5474
5475 ret += "}";
5476 return ret;
5477 }
5478
ExpectSigAlgsEqual(Span<const uint16_t> expected,Span<const uint16_t> actual)5479 void ExpectSigAlgsEqual(Span<const uint16_t> expected,
5480 Span<const uint16_t> actual) {
5481 bool matches = false;
5482 if (expected.size() == actual.size()) {
5483 matches = true;
5484
5485 for (size_t i = 0; i < expected.size(); i++) {
5486 if (expected[i] != actual[i]) {
5487 matches = false;
5488 break;
5489 }
5490 }
5491 }
5492
5493 if (!matches) {
5494 ADD_FAILURE() << "expected: " << SigAlgsToString(expected)
5495 << " got: " << SigAlgsToString(actual);
5496 }
5497 }
5498
TEST(SSLTest,SigAlgs)5499 TEST(SSLTest, SigAlgs) {
5500 static const struct {
5501 std::vector<int> input;
5502 bool ok;
5503 std::vector<uint16_t> expected;
5504 } kTests[] = {
5505 {{}, true, {}},
5506 {{1}, false, {}},
5507 {{1, 2, 3}, false, {}},
5508 {{NID_sha256, EVP_PKEY_ED25519}, false, {}},
5509 {{NID_sha256, EVP_PKEY_RSA, NID_sha256, EVP_PKEY_RSA}, false, {}},
5510
5511 {{NID_sha256, EVP_PKEY_RSA}, true, {SSL_SIGN_RSA_PKCS1_SHA256}},
5512 {{NID_sha512, EVP_PKEY_RSA}, true, {SSL_SIGN_RSA_PKCS1_SHA512}},
5513 {{NID_sha256, EVP_PKEY_RSA_PSS}, true, {SSL_SIGN_RSA_PSS_RSAE_SHA256}},
5514 {{NID_undef, EVP_PKEY_ED25519}, true, {SSL_SIGN_ED25519}},
5515 {{NID_undef, EVP_PKEY_ED25519, NID_sha384, EVP_PKEY_EC},
5516 true,
5517 {SSL_SIGN_ED25519, SSL_SIGN_ECDSA_SECP384R1_SHA384}},
5518 };
5519
5520 UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
5521 ASSERT_TRUE(ctx);
5522
5523 unsigned n = 1;
5524 for (const auto &test : kTests) {
5525 SCOPED_TRACE(n++);
5526
5527 const bool ok =
5528 SSL_CTX_set1_sigalgs(ctx.get(), test.input.data(), test.input.size());
5529 EXPECT_EQ(ok, test.ok);
5530
5531 if (!ok) {
5532 ERR_clear_error();
5533 }
5534
5535 if (!test.ok) {
5536 continue;
5537 }
5538
5539 ExpectSigAlgsEqual(test.expected, ctx->cert->sigalgs);
5540 }
5541 }
5542
TEST(SSLTest,SigAlgsList)5543 TEST(SSLTest, SigAlgsList) {
5544 static const struct {
5545 const char *input;
5546 bool ok;
5547 std::vector<uint16_t> expected;
5548 } kTests[] = {
5549 {"", false, {}},
5550 {":", false, {}},
5551 {"+", false, {}},
5552 {"RSA", false, {}},
5553 {"RSA+", false, {}},
5554 {"RSA+SHA256:", false, {}},
5555 {":RSA+SHA256:", false, {}},
5556 {":RSA+SHA256+:", false, {}},
5557 {"!", false, {}},
5558 {"\x01", false, {}},
5559 {"RSA+SHA256:RSA+SHA384:RSA+SHA256", false, {}},
5560 {"RSA-PSS+SHA256:rsa_pss_rsae_sha256", false, {}},
5561
5562 {"RSA+SHA256", true, {SSL_SIGN_RSA_PKCS1_SHA256}},
5563 {"RSA+SHA256:ed25519",
5564 true,
5565 {SSL_SIGN_RSA_PKCS1_SHA256, SSL_SIGN_ED25519}},
5566 {"ECDSA+SHA256:RSA+SHA512",
5567 true,
5568 {SSL_SIGN_ECDSA_SECP256R1_SHA256, SSL_SIGN_RSA_PKCS1_SHA512}},
5569 {"ecdsa_secp256r1_sha256:rsa_pss_rsae_sha256",
5570 true,
5571 {SSL_SIGN_ECDSA_SECP256R1_SHA256, SSL_SIGN_RSA_PSS_RSAE_SHA256}},
5572 {"RSA-PSS+SHA256", true, {SSL_SIGN_RSA_PSS_RSAE_SHA256}},
5573 {"PSS+SHA256", true, {SSL_SIGN_RSA_PSS_RSAE_SHA256}},
5574 };
5575
5576 UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
5577 ASSERT_TRUE(ctx);
5578
5579 unsigned n = 1;
5580 for (const auto &test : kTests) {
5581 SCOPED_TRACE(n++);
5582
5583 const bool ok = SSL_CTX_set1_sigalgs_list(ctx.get(), test.input);
5584 EXPECT_EQ(ok, test.ok);
5585
5586 if (!ok) {
5587 if (test.ok) {
5588 ERR_print_errors_fp(stderr);
5589 }
5590 ERR_clear_error();
5591 }
5592
5593 if (!test.ok) {
5594 continue;
5595 }
5596
5597 ExpectSigAlgsEqual(test.expected, ctx->cert->sigalgs);
5598 }
5599 }
5600
TEST(SSLTest,ApplyHandoffRemovesUnsupportedCiphers)5601 TEST(SSLTest, ApplyHandoffRemovesUnsupportedCiphers) {
5602 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
5603 ASSERT_TRUE(server_ctx);
5604 bssl::UniquePtr<SSL> server(SSL_new(server_ctx.get()));
5605 ASSERT_TRUE(server);
5606
5607 // handoff is a handoff message that has been artificially modified to pretend
5608 // that only TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) is supported. When
5609 // it is applied to |server|, all ciphers but that one should be removed.
5610 //
5611 // To make a new one of these, try sticking this in the |Handoff| test above:
5612 //
5613 // hexdump(stderr, "", handoff.data(), handoff.size());
5614 // sed -e 's/\(..\)/0x\1, /g'
5615 //
5616 // and modify serialize_features() to emit only cipher 0x0A.
5617
5618 uint8_t handoff[] = {
5619 0x30, 0x81, 0x9a, 0x02, 0x01, 0x00, 0x04, 0x00, 0x04, 0x81, 0x82, 0x01,
5620 0x00, 0x00, 0x7e, 0x03, 0x03, 0x30, 0x8e, 0x8f, 0x79, 0xd2, 0x87, 0x39,
5621 0xc2, 0x23, 0x23, 0x13, 0xca, 0x3c, 0x80, 0x44, 0xfd, 0x80, 0x83, 0x62,
5622 0x3c, 0xcc, 0xf8, 0x76, 0xd3, 0x62, 0xbb, 0x54, 0xe3, 0xc4, 0x39, 0x24,
5623 0xa5, 0x00, 0x00, 0x1e, 0xc0, 0x2b, 0xc0, 0x2f, 0xc0, 0x2c, 0xc0, 0x30,
5624 0xcc, 0xa9, 0xcc, 0xa8, 0xc0, 0x09, 0xc0, 0x13, 0xc0, 0x0a, 0xc0, 0x14,
5625 0x00, 0x9c, 0x00, 0x9d, 0x00, 0x2f, 0x00, 0x35, 0x00, 0x0a, 0x01, 0x00,
5626 0x00, 0x37, 0x00, 0x17, 0x00, 0x00, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00,
5627 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00,
5628 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00,
5629 0x14, 0x00, 0x12, 0x04, 0x03, 0x08, 0x04, 0x04, 0x01, 0x05, 0x03, 0x08,
5630 0x05, 0x05, 0x01, 0x08, 0x06, 0x06, 0x01, 0x02, 0x01, 0x04, 0x02, 0xc0,
5631 0x2f, 0x04, 0x0a, 0x00, 0x15, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x00,
5632 0x1d,
5633 };
5634
5635 EXPECT_LT(1u, sk_SSL_CIPHER_num(SSL_get_ciphers(server.get())));
5636 ASSERT_TRUE(
5637 SSL_apply_handoff(server.get(), {handoff, OPENSSL_ARRAY_SIZE(handoff)}));
5638 EXPECT_EQ(1u, sk_SSL_CIPHER_num(SSL_get_ciphers(server.get())));
5639 }
5640
TEST(SSLTest,ApplyHandoffRemovesUnsupportedCurves)5641 TEST(SSLTest, ApplyHandoffRemovesUnsupportedCurves) {
5642 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
5643 ASSERT_TRUE(server_ctx);
5644 bssl::UniquePtr<SSL> server(SSL_new(server_ctx.get()));
5645 ASSERT_TRUE(server);
5646
5647 // handoff is a handoff message that has been artificially modified to pretend
5648 // that only one ECDH group is supported. When it is applied to |server|, all
5649 // groups but that one should be removed.
5650 //
5651 // See |ApplyHandoffRemovesUnsupportedCiphers| for how to make a new one of
5652 // these.
5653 uint8_t handoff[] = {
5654 0x30, 0x81, 0xc0, 0x02, 0x01, 0x00, 0x04, 0x00, 0x04, 0x81, 0x82, 0x01,
5655 0x00, 0x00, 0x7e, 0x03, 0x03, 0x98, 0x30, 0xce, 0xd9, 0xb0, 0xdf, 0x5f,
5656 0x82, 0x05, 0x4a, 0x43, 0x67, 0x7e, 0xdb, 0x6a, 0x4f, 0x21, 0x18, 0x4e,
5657 0x0d, 0x94, 0x63, 0x18, 0x8b, 0x54, 0x89, 0xdb, 0x8b, 0x1d, 0x84, 0xbc,
5658 0x09, 0x00, 0x00, 0x1e, 0xc0, 0x2b, 0xc0, 0x2f, 0xc0, 0x2c, 0xc0, 0x30,
5659 0xcc, 0xa9, 0xcc, 0xa8, 0xc0, 0x09, 0xc0, 0x13, 0xc0, 0x0a, 0xc0, 0x14,
5660 0x00, 0x9c, 0x00, 0x9d, 0x00, 0x2f, 0x00, 0x35, 0x00, 0x0a, 0x01, 0x00,
5661 0x00, 0x37, 0x00, 0x17, 0x00, 0x00, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00,
5662 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00,
5663 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00,
5664 0x14, 0x00, 0x12, 0x04, 0x03, 0x08, 0x04, 0x04, 0x01, 0x05, 0x03, 0x08,
5665 0x05, 0x05, 0x01, 0x08, 0x06, 0x06, 0x01, 0x02, 0x01, 0x04, 0x30, 0x00,
5666 0x02, 0x00, 0x0a, 0x00, 0x2f, 0x00, 0x35, 0x00, 0x8c, 0x00, 0x8d, 0x00,
5667 0x9c, 0x00, 0x9d, 0x13, 0x01, 0x13, 0x02, 0x13, 0x03, 0xc0, 0x09, 0xc0,
5668 0x0a, 0xc0, 0x13, 0xc0, 0x14, 0xc0, 0x2b, 0xc0, 0x2c, 0xc0, 0x2f, 0xc0,
5669 0x30, 0xc0, 0x35, 0xc0, 0x36, 0xcc, 0xa8, 0xcc, 0xa9, 0xcc, 0xac, 0x04,
5670 0x02, 0x00, 0x17,
5671 };
5672
5673 // The zero length means that the default list of groups is used.
5674 EXPECT_EQ(0u, server->config->supported_group_list.size());
5675 ASSERT_TRUE(
5676 SSL_apply_handoff(server.get(), {handoff, OPENSSL_ARRAY_SIZE(handoff)}));
5677 EXPECT_EQ(1u, server->config->supported_group_list.size());
5678 }
5679
TEST(SSLTest,ZeroSizedWiteFlushesHandshakeMessages)5680 TEST(SSLTest, ZeroSizedWiteFlushesHandshakeMessages) {
5681 // If there are pending handshake mesages, an |SSL_write| of zero bytes should
5682 // flush them.
5683 bssl::UniquePtr<SSL_CTX> server_ctx(
5684 CreateContextWithTestCertificate(TLS_method()));
5685 ASSERT_TRUE(server_ctx);
5686 EXPECT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
5687 EXPECT_TRUE(SSL_CTX_set_min_proto_version(server_ctx.get(), TLS1_3_VERSION));
5688
5689 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
5690 ASSERT_TRUE(client_ctx);
5691 EXPECT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION));
5692 EXPECT_TRUE(SSL_CTX_set_min_proto_version(client_ctx.get(), TLS1_3_VERSION));
5693
5694 bssl::UniquePtr<SSL> client, server;
5695 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
5696 server_ctx.get()));
5697
5698 BIO *client_wbio = SSL_get_wbio(client.get());
5699 EXPECT_EQ(0u, BIO_wpending(client_wbio));
5700 EXPECT_TRUE(SSL_key_update(client.get(), SSL_KEY_UPDATE_NOT_REQUESTED));
5701 EXPECT_EQ(0u, BIO_wpending(client_wbio));
5702 EXPECT_EQ(0, SSL_write(client.get(), nullptr, 0));
5703 EXPECT_NE(0u, BIO_wpending(client_wbio));
5704 }
5705
TEST_P(SSLVersionTest,VerifyBeforeCertRequest)5706 TEST_P(SSLVersionTest, VerifyBeforeCertRequest) {
5707 // Configure the server to request client certificates.
5708 SSL_CTX_set_custom_verify(
5709 server_ctx_.get(), SSL_VERIFY_PEER,
5710 [](SSL *ssl, uint8_t *out_alert) { return ssl_verify_ok; });
5711
5712 // Configure the client to reject the server certificate.
5713 SSL_CTX_set_custom_verify(
5714 client_ctx_.get(), SSL_VERIFY_PEER,
5715 [](SSL *ssl, uint8_t *out_alert) { return ssl_verify_invalid; });
5716
5717 // cert_cb should not be called. Verification should fail first.
5718 SSL_CTX_set_cert_cb(client_ctx_.get(),
5719 [](SSL *ssl, void *arg) {
5720 ADD_FAILURE() << "cert_cb unexpectedly called";
5721 return 0;
5722 },
5723 nullptr);
5724
5725 bssl::UniquePtr<SSL> client, server;
5726 EXPECT_FALSE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
5727 server_ctx_.get()));
5728 }
5729
5730 // Test that ticket-based sessions on the client get fake session IDs.
TEST_P(SSLVersionTest,FakeIDsForTickets)5731 TEST_P(SSLVersionTest, FakeIDsForTickets) {
5732 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
5733 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
5734
5735 bssl::UniquePtr<SSL_SESSION> session =
5736 CreateClientSession(client_ctx_.get(), server_ctx_.get());
5737 ASSERT_TRUE(session);
5738
5739 EXPECT_TRUE(SSL_SESSION_has_ticket(session.get()));
5740 unsigned session_id_length;
5741 SSL_SESSION_get_id(session.get(), &session_id_length);
5742 EXPECT_NE(session_id_length, 0u);
5743 }
5744
5745 // These tests test multi-threaded behavior. They are intended to run with
5746 // ThreadSanitizer.
5747 #if defined(OPENSSL_THREADS)
TEST_P(SSLVersionTest,SessionCacheThreads)5748 TEST_P(SSLVersionTest, SessionCacheThreads) {
5749 SSL_CTX_set_options(server_ctx_.get(), SSL_OP_NO_TICKET);
5750 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
5751 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
5752
5753 if (version() == TLS1_3_VERSION) {
5754 // Our TLS 1.3 implementation does not support stateful resumption.
5755 ASSERT_FALSE(CreateClientSession(client_ctx_.get(), server_ctx_.get()));
5756 return;
5757 }
5758
5759 // Establish two client sessions to test with.
5760 bssl::UniquePtr<SSL_SESSION> session1 =
5761 CreateClientSession(client_ctx_.get(), server_ctx_.get());
5762 ASSERT_TRUE(session1);
5763 bssl::UniquePtr<SSL_SESSION> session2 =
5764 CreateClientSession(client_ctx_.get(), server_ctx_.get());
5765 ASSERT_TRUE(session2);
5766
5767 auto connect_with_session = [&](SSL_SESSION *session) {
5768 ClientConfig config;
5769 config.session = session;
5770 UniquePtr<SSL> client, server;
5771 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
5772 server_ctx_.get(), config));
5773 };
5774
5775 // Resume sessions in parallel with establishing new ones.
5776 {
5777 std::vector<std::thread> threads;
5778 threads.emplace_back([&] { connect_with_session(nullptr); });
5779 threads.emplace_back([&] { connect_with_session(nullptr); });
5780 threads.emplace_back([&] { connect_with_session(session1.get()); });
5781 threads.emplace_back([&] { connect_with_session(session1.get()); });
5782 threads.emplace_back([&] { connect_with_session(session2.get()); });
5783 threads.emplace_back([&] { connect_with_session(session2.get()); });
5784 for (auto &thread : threads) {
5785 thread.join();
5786 }
5787 }
5788
5789 // Hit the maximum session cache size across multiple threads, to test the
5790 // size enforcement logic.
5791 size_t limit = SSL_CTX_sess_number(server_ctx_.get()) + 2;
5792 SSL_CTX_sess_set_cache_size(server_ctx_.get(), limit);
5793 {
5794 std::vector<std::thread> threads;
5795 for (int i = 0; i < 4; i++) {
5796 threads.emplace_back([&]() {
5797 connect_with_session(nullptr);
5798 EXPECT_LE(SSL_CTX_sess_number(server_ctx_.get()), limit);
5799 });
5800 }
5801 for (auto &thread : threads) {
5802 thread.join();
5803 }
5804 EXPECT_EQ(SSL_CTX_sess_number(server_ctx_.get()), limit);
5805 }
5806
5807 // Reset the session cache, this time with a mock clock.
5808 ASSERT_NO_FATAL_FAILURE(ResetContexts());
5809 SSL_CTX_set_options(server_ctx_.get(), SSL_OP_NO_TICKET);
5810 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
5811 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
5812 SSL_CTX_set_current_time_cb(server_ctx_.get(), CurrentTimeCallback);
5813
5814 // Make some sessions at an arbitrary start time. Then expire them.
5815 g_current_time.tv_sec = 1000;
5816 bssl::UniquePtr<SSL_SESSION> expired_session1 =
5817 CreateClientSession(client_ctx_.get(), server_ctx_.get());
5818 ASSERT_TRUE(expired_session1);
5819 bssl::UniquePtr<SSL_SESSION> expired_session2 =
5820 CreateClientSession(client_ctx_.get(), server_ctx_.get());
5821 ASSERT_TRUE(expired_session2);
5822 g_current_time.tv_sec += 100 * SSL_DEFAULT_SESSION_TIMEOUT;
5823
5824 session1 = CreateClientSession(client_ctx_.get(), server_ctx_.get());
5825 ASSERT_TRUE(session1);
5826
5827 // Every 256 connections, we flush stale sessions from the session cache. Test
5828 // this logic is correctly synchronized with other connection attempts.
5829 static const int kNumConnections = 256;
5830 {
5831 std::vector<std::thread> threads;
5832 threads.emplace_back([&] {
5833 for (int i = 0; i < kNumConnections; i++) {
5834 connect_with_session(nullptr);
5835 }
5836 });
5837 threads.emplace_back([&] {
5838 for (int i = 0; i < kNumConnections; i++) {
5839 connect_with_session(nullptr);
5840 }
5841 });
5842 threads.emplace_back([&] {
5843 // Never connect with |expired_session2|. The session cache eagerly
5844 // removes expired sessions when it sees them. Leaving |expired_session2|
5845 // untouched ensures it is instead cleared by periodic flushing.
5846 for (int i = 0; i < kNumConnections; i++) {
5847 connect_with_session(expired_session1.get());
5848 }
5849 });
5850 threads.emplace_back([&] {
5851 for (int i = 0; i < kNumConnections; i++) {
5852 connect_with_session(session1.get());
5853 }
5854 });
5855 for (auto &thread : threads) {
5856 thread.join();
5857 }
5858 }
5859 }
5860
TEST_P(SSLVersionTest,SessionTicketThreads)5861 TEST_P(SSLVersionTest, SessionTicketThreads) {
5862 for (bool renew_ticket : {false, true}) {
5863 SCOPED_TRACE(renew_ticket);
5864 ASSERT_NO_FATAL_FAILURE(ResetContexts());
5865 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
5866 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
5867 if (renew_ticket) {
5868 SSL_CTX_set_tlsext_ticket_key_cb(server_ctx_.get(), RenewTicketCallback);
5869 }
5870
5871 // Establish two client sessions to test with.
5872 bssl::UniquePtr<SSL_SESSION> session1 =
5873 CreateClientSession(client_ctx_.get(), server_ctx_.get());
5874 ASSERT_TRUE(session1);
5875 bssl::UniquePtr<SSL_SESSION> session2 =
5876 CreateClientSession(client_ctx_.get(), server_ctx_.get());
5877 ASSERT_TRUE(session2);
5878
5879 auto connect_with_session = [&](SSL_SESSION *session) {
5880 ClientConfig config;
5881 config.session = session;
5882 UniquePtr<SSL> client, server;
5883 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
5884 server_ctx_.get(), config));
5885 };
5886
5887 // Resume sessions in parallel with establishing new ones.
5888 {
5889 std::vector<std::thread> threads;
5890 threads.emplace_back([&] { connect_with_session(nullptr); });
5891 threads.emplace_back([&] { connect_with_session(nullptr); });
5892 threads.emplace_back([&] { connect_with_session(session1.get()); });
5893 threads.emplace_back([&] { connect_with_session(session1.get()); });
5894 threads.emplace_back([&] { connect_with_session(session2.get()); });
5895 threads.emplace_back([&] { connect_with_session(session2.get()); });
5896 for (auto &thread : threads) {
5897 thread.join();
5898 }
5899 }
5900 }
5901 }
5902
5903 // SSL_CTX_get0_certificate needs to lock internally. Test this works.
TEST(SSLTest,GetCertificateThreads)5904 TEST(SSLTest, GetCertificateThreads) {
5905 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
5906 ASSERT_TRUE(ctx);
5907 bssl::UniquePtr<X509> cert = GetTestCertificate();
5908 ASSERT_TRUE(cert);
5909 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), cert.get()));
5910
5911 // Existing code expects |SSL_CTX_get0_certificate| to be callable from two
5912 // threads concurrently. It originally was an immutable operation. Now we
5913 // implement it with a thread-safe cache, so it is worth testing.
5914 X509 *cert2_thread;
5915 std::thread thread(
5916 [&] { cert2_thread = SSL_CTX_get0_certificate(ctx.get()); });
5917 X509 *cert2 = SSL_CTX_get0_certificate(ctx.get());
5918 thread.join();
5919
5920 ASSERT_TRUE(cert2);
5921 ASSERT_TRUE(cert2_thread);
5922 EXPECT_EQ(cert2, cert2_thread);
5923 EXPECT_EQ(0, X509_cmp(cert.get(), cert2));
5924 }
5925
5926 // Functions which access properties on the negotiated session are thread-safe
5927 // where needed. Prior to TLS 1.3, clients resuming sessions and servers
5928 // performing stateful resumption will share an underlying SSL_SESSION object,
5929 // potentially across threads.
TEST_P(SSLVersionTest,SessionPropertiesThreads)5930 TEST_P(SSLVersionTest, SessionPropertiesThreads) {
5931 if (version() == TLS1_3_VERSION) {
5932 // Our TLS 1.3 implementation does not support stateful resumption.
5933 ASSERT_FALSE(CreateClientSession(client_ctx_.get(), server_ctx_.get()));
5934 return;
5935 }
5936
5937 SSL_CTX_set_options(server_ctx_.get(), SSL_OP_NO_TICKET);
5938 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
5939 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
5940
5941 ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
5942 ASSERT_TRUE(UseCertAndKey(server_ctx_.get()));
5943
5944 // Configure mutual authentication, so we have more session state.
5945 SSL_CTX_set_custom_verify(
5946 client_ctx_.get(), SSL_VERIFY_PEER,
5947 [](SSL *ssl, uint8_t *out_alert) { return ssl_verify_ok; });
5948 SSL_CTX_set_custom_verify(
5949 server_ctx_.get(), SSL_VERIFY_PEER,
5950 [](SSL *ssl, uint8_t *out_alert) { return ssl_verify_ok; });
5951
5952 // Establish a client session to test with.
5953 bssl::UniquePtr<SSL_SESSION> session =
5954 CreateClientSession(client_ctx_.get(), server_ctx_.get());
5955 ASSERT_TRUE(session);
5956
5957 // Resume with it twice.
5958 UniquePtr<SSL> ssls[4];
5959 ClientConfig config;
5960 config.session = session.get();
5961 ASSERT_TRUE(ConnectClientAndServer(&ssls[0], &ssls[1], client_ctx_.get(),
5962 server_ctx_.get(), config));
5963 ASSERT_TRUE(ConnectClientAndServer(&ssls[2], &ssls[3], client_ctx_.get(),
5964 server_ctx_.get(), config));
5965
5966 // Read properties in parallel.
5967 auto read_properties = [](const SSL *ssl) {
5968 EXPECT_TRUE(SSL_get_peer_cert_chain(ssl));
5969 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(ssl));
5970 EXPECT_TRUE(peer);
5971 EXPECT_TRUE(SSL_get_current_cipher(ssl));
5972 EXPECT_TRUE(SSL_get_group_id(ssl));
5973 };
5974
5975 std::vector<std::thread> threads;
5976 for (const auto &ssl_ptr : ssls) {
5977 const SSL *ssl = ssl_ptr.get();
5978 threads.emplace_back([=] { read_properties(ssl); });
5979 }
5980 for (auto &thread : threads) {
5981 thread.join();
5982 }
5983 }
5984
SetValueOnFree(void * parent,void * ptr,CRYPTO_EX_DATA * ad,int index,long argl,void * argp)5985 static void SetValueOnFree(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
5986 int index, long argl, void *argp) {
5987 if (ptr != nullptr) {
5988 *static_cast<long *>(ptr) = argl;
5989 }
5990 }
5991
5992 // Test that one thread can register ex_data while another thread is destroying
5993 // an object that uses it.
TEST(SSLTest,ExDataThreads)5994 TEST(SSLTest, ExDataThreads) {
5995 static bool already_run = false;
5996 if (already_run) {
5997 GTEST_SKIP() << "This test consumes process-global resources and can only "
5998 "be run once in a process. It is not compatible with "
5999 "--gtest_repeat.";
6000 }
6001 already_run = true;
6002
6003 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
6004 ASSERT_TRUE(ctx);
6005
6006 // Register an initial index, so the threads can exercise having any ex_data.
6007 int first_index =
6008 SSL_get_ex_new_index(-1, nullptr, nullptr, nullptr, SetValueOnFree);
6009 ASSERT_GE(first_index, 0);
6010
6011 // Callers may register indices concurrently with using other indices. This
6012 // may happen if one part of an application is initializing while another part
6013 // is already running.
6014 static constexpr int kNumIndices = 3;
6015 static constexpr int kNumSSLs = 10;
6016 int index[kNumIndices];
6017 long values[kNumSSLs];
6018 std::fill(std::begin(values), std::end(values), -2);
6019 std::vector<std::thread> threads;
6020 for (size_t i = 0; i < kNumIndices; i++) {
6021 threads.emplace_back([&, i] {
6022 index[i] = SSL_get_ex_new_index(static_cast<long>(i), nullptr, nullptr,
6023 nullptr, SetValueOnFree);
6024 ASSERT_GE(index[i], 0);
6025 });
6026 }
6027 for (size_t i = 0; i < kNumSSLs; i++) {
6028 threads.emplace_back([&, i] {
6029 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
6030 ASSERT_TRUE(ssl);
6031 ASSERT_TRUE(SSL_set_ex_data(ssl.get(), first_index, &values[i]));
6032 });
6033 }
6034 for (auto &thread : threads) {
6035 thread.join();
6036 }
6037
6038 // Each of the SSL threads should have set their flag via ex_data.
6039 for (size_t i = 0; i < kNumSSLs; i++) {
6040 EXPECT_EQ(values[i], -1);
6041 }
6042
6043 // Each of the newly-registered indices should be distinct and work correctly.
6044 static_assert(kNumIndices <= kNumSSLs, "values buffer too small");
6045 std::fill(std::begin(values), std::end(values), -2);
6046 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
6047 ASSERT_TRUE(ssl);
6048 for (size_t i = 0; i < kNumIndices; i++) {
6049 for (size_t j = 0; j < i; j++) {
6050 EXPECT_NE(index[i], index[j]);
6051 }
6052 ASSERT_TRUE(SSL_set_ex_data(ssl.get(), index[i], &values[i]));
6053 }
6054 ssl = nullptr;
6055 for (size_t i = 0; i < kNumIndices; i++) {
6056 EXPECT_EQ(values[i], static_cast<long>(i));
6057 }
6058 }
6059 #endif // OPENSSL_THREADS
6060
6061 constexpr size_t kNumQUICLevels = 4;
6062 static_assert(ssl_encryption_initial < kNumQUICLevels,
6063 "kNumQUICLevels is wrong");
6064 static_assert(ssl_encryption_early_data < kNumQUICLevels,
6065 "kNumQUICLevels is wrong");
6066 static_assert(ssl_encryption_handshake < kNumQUICLevels,
6067 "kNumQUICLevels is wrong");
6068 static_assert(ssl_encryption_application < kNumQUICLevels,
6069 "kNumQUICLevels is wrong");
6070
LevelToString(ssl_encryption_level_t level)6071 const char *LevelToString(ssl_encryption_level_t level) {
6072 switch (level) {
6073 case ssl_encryption_initial:
6074 return "initial";
6075 case ssl_encryption_early_data:
6076 return "early data";
6077 case ssl_encryption_handshake:
6078 return "handshake";
6079 case ssl_encryption_application:
6080 return "application";
6081 }
6082 return "<unknown>";
6083 }
6084
6085 class MockQUICTransport {
6086 public:
6087 enum class Role { kClient, kServer };
6088
MockQUICTransport(Role role)6089 explicit MockQUICTransport(Role role) : role_(role) {
6090 // The caller is expected to configure initial secrets.
6091 levels_[ssl_encryption_initial].write_secret = {1};
6092 levels_[ssl_encryption_initial].read_secret = {1};
6093 }
6094
set_peer(MockQUICTransport * peer)6095 void set_peer(MockQUICTransport *peer) { peer_ = peer; }
6096
has_alert() const6097 bool has_alert() const { return has_alert_; }
alert_level() const6098 ssl_encryption_level_t alert_level() const { return alert_level_; }
alert() const6099 uint8_t alert() const { return alert_; }
6100
PeerSecretsMatch(ssl_encryption_level_t level) const6101 bool PeerSecretsMatch(ssl_encryption_level_t level) const {
6102 return levels_[level].write_secret == peer_->levels_[level].read_secret &&
6103 levels_[level].read_secret == peer_->levels_[level].write_secret &&
6104 levels_[level].cipher == peer_->levels_[level].cipher;
6105 }
6106
HasReadSecret(ssl_encryption_level_t level) const6107 bool HasReadSecret(ssl_encryption_level_t level) const {
6108 return !levels_[level].read_secret.empty();
6109 }
6110
HasWriteSecret(ssl_encryption_level_t level) const6111 bool HasWriteSecret(ssl_encryption_level_t level) const {
6112 return !levels_[level].write_secret.empty();
6113 }
6114
AllowOutOfOrderWrites()6115 void AllowOutOfOrderWrites() { allow_out_of_order_writes_ = true; }
6116
SetReadSecret(ssl_encryption_level_t level,const SSL_CIPHER * cipher,Span<const uint8_t> secret)6117 bool SetReadSecret(ssl_encryption_level_t level, const SSL_CIPHER *cipher,
6118 Span<const uint8_t> secret) {
6119 if (HasReadSecret(level)) {
6120 ADD_FAILURE() << LevelToString(level) << " read secret configured twice";
6121 return false;
6122 }
6123
6124 if (role_ == Role::kClient && level == ssl_encryption_early_data) {
6125 ADD_FAILURE() << "Unexpected early data read secret";
6126 return false;
6127 }
6128
6129 ssl_encryption_level_t ack_level =
6130 level == ssl_encryption_early_data ? ssl_encryption_application : level;
6131 if (!HasWriteSecret(ack_level)) {
6132 ADD_FAILURE() << LevelToString(level)
6133 << " read secret configured before ACK write secret";
6134 return false;
6135 }
6136
6137 if (cipher == nullptr) {
6138 ADD_FAILURE() << "Unexpected null cipher";
6139 return false;
6140 }
6141
6142 if (level != ssl_encryption_early_data &&
6143 SSL_CIPHER_get_id(cipher) != levels_[level].cipher) {
6144 ADD_FAILURE() << "Cipher suite inconsistent";
6145 return false;
6146 }
6147
6148 levels_[level].read_secret.assign(secret.begin(), secret.end());
6149 levels_[level].cipher = SSL_CIPHER_get_id(cipher);
6150 return true;
6151 }
6152
SetWriteSecret(ssl_encryption_level_t level,const SSL_CIPHER * cipher,Span<const uint8_t> secret)6153 bool SetWriteSecret(ssl_encryption_level_t level, const SSL_CIPHER *cipher,
6154 Span<const uint8_t> secret) {
6155 if (HasWriteSecret(level)) {
6156 ADD_FAILURE() << LevelToString(level) << " write secret configured twice";
6157 return false;
6158 }
6159
6160 if (role_ == Role::kServer && level == ssl_encryption_early_data) {
6161 ADD_FAILURE() << "Unexpected early data write secret";
6162 return false;
6163 }
6164
6165 if (cipher == nullptr) {
6166 ADD_FAILURE() << "Unexpected null cipher";
6167 return false;
6168 }
6169
6170 levels_[level].write_secret.assign(secret.begin(), secret.end());
6171 levels_[level].cipher = SSL_CIPHER_get_id(cipher);
6172 return true;
6173 }
6174
WriteHandshakeData(ssl_encryption_level_t level,Span<const uint8_t> data)6175 bool WriteHandshakeData(ssl_encryption_level_t level,
6176 Span<const uint8_t> data) {
6177 if (levels_[level].write_secret.empty()) {
6178 ADD_FAILURE() << LevelToString(level)
6179 << " write secret not yet configured";
6180 return false;
6181 }
6182
6183 // Although the levels are conceptually separate, BoringSSL finishes writing
6184 // data from a previous level before installing keys for the next level.
6185 if (!allow_out_of_order_writes_) {
6186 switch (level) {
6187 case ssl_encryption_early_data:
6188 ADD_FAILURE() << "unexpected handshake data at early data level";
6189 return false;
6190 case ssl_encryption_initial:
6191 if (!levels_[ssl_encryption_handshake].write_secret.empty()) {
6192 ADD_FAILURE()
6193 << LevelToString(level)
6194 << " handshake data written after handshake keys installed";
6195 return false;
6196 }
6197 OPENSSL_FALLTHROUGH;
6198 case ssl_encryption_handshake:
6199 if (!levels_[ssl_encryption_application].write_secret.empty()) {
6200 ADD_FAILURE()
6201 << LevelToString(level)
6202 << " handshake data written after application keys installed";
6203 return false;
6204 }
6205 OPENSSL_FALLTHROUGH;
6206 case ssl_encryption_application:
6207 break;
6208 }
6209 }
6210
6211 levels_[level].write_data.insert(levels_[level].write_data.end(),
6212 data.begin(), data.end());
6213 return true;
6214 }
6215
SendAlert(ssl_encryption_level_t level,uint8_t alert_value)6216 bool SendAlert(ssl_encryption_level_t level, uint8_t alert_value) {
6217 if (has_alert_) {
6218 ADD_FAILURE() << "duplicate alert sent";
6219 return false;
6220 }
6221
6222 if (levels_[level].write_secret.empty()) {
6223 ADD_FAILURE() << LevelToString(level)
6224 << " write secret not yet configured";
6225 return false;
6226 }
6227
6228 has_alert_ = true;
6229 alert_level_ = level;
6230 alert_ = alert_value;
6231 return true;
6232 }
6233
ReadHandshakeData(std::vector<uint8_t> * out,ssl_encryption_level_t level,size_t num=std::numeric_limits<size_t>::max ())6234 bool ReadHandshakeData(std::vector<uint8_t> *out,
6235 ssl_encryption_level_t level,
6236 size_t num = std::numeric_limits<size_t>::max()) {
6237 if (levels_[level].read_secret.empty()) {
6238 ADD_FAILURE() << "data read before keys configured in level " << level;
6239 return false;
6240 }
6241 // The peer may not have configured any keys yet.
6242 if (peer_->levels_[level].write_secret.empty()) {
6243 out->clear();
6244 return true;
6245 }
6246 // Check the peer computed the same key.
6247 if (peer_->levels_[level].write_secret != levels_[level].read_secret) {
6248 ADD_FAILURE() << "peer write key does not match read key in level "
6249 << level;
6250 return false;
6251 }
6252 if (peer_->levels_[level].cipher != levels_[level].cipher) {
6253 ADD_FAILURE() << "peer cipher does not match in level " << level;
6254 return false;
6255 }
6256 std::vector<uint8_t> *peer_data = &peer_->levels_[level].write_data;
6257 num = std::min(num, peer_data->size());
6258 out->assign(peer_data->begin(), peer_data->begin() + num);
6259 peer_data->erase(peer_data->begin(), peer_data->begin() + num);
6260 return true;
6261 }
6262
6263 private:
6264 Role role_;
6265 MockQUICTransport *peer_ = nullptr;
6266
6267 bool allow_out_of_order_writes_ = false;
6268 bool has_alert_ = false;
6269 ssl_encryption_level_t alert_level_ = ssl_encryption_initial;
6270 uint8_t alert_ = 0;
6271
6272 struct Level {
6273 std::vector<uint8_t> write_data;
6274 std::vector<uint8_t> write_secret;
6275 std::vector<uint8_t> read_secret;
6276 uint32_t cipher = 0;
6277 };
6278 Level levels_[kNumQUICLevels];
6279 };
6280
6281 class MockQUICTransportPair {
6282 public:
MockQUICTransportPair()6283 MockQUICTransportPair()
6284 : client_(MockQUICTransport::Role::kClient),
6285 server_(MockQUICTransport::Role::kServer) {
6286 client_.set_peer(&server_);
6287 server_.set_peer(&client_);
6288 }
6289
~MockQUICTransportPair()6290 ~MockQUICTransportPair() {
6291 client_.set_peer(nullptr);
6292 server_.set_peer(nullptr);
6293 }
6294
client()6295 MockQUICTransport *client() { return &client_; }
server()6296 MockQUICTransport *server() { return &server_; }
6297
SecretsMatch(ssl_encryption_level_t level) const6298 bool SecretsMatch(ssl_encryption_level_t level) const {
6299 // We only need to check |HasReadSecret| and |HasWriteSecret| on |client_|.
6300 // |PeerSecretsMatch| checks that |server_| is analogously configured.
6301 return client_.PeerSecretsMatch(level) &&
6302 client_.HasWriteSecret(level) &&
6303 (level == ssl_encryption_early_data || client_.HasReadSecret(level));
6304 }
6305
6306 private:
6307 MockQUICTransport client_;
6308 MockQUICTransport server_;
6309 };
6310
6311 class QUICMethodTest : public testing::Test {
6312 protected:
SetUp()6313 void SetUp() override {
6314 client_ctx_.reset(SSL_CTX_new(TLS_method()));
6315 server_ctx_ = CreateContextWithTestCertificate(TLS_method());
6316 ASSERT_TRUE(client_ctx_);
6317 ASSERT_TRUE(server_ctx_);
6318
6319 SSL_CTX_set_min_proto_version(server_ctx_.get(), TLS1_3_VERSION);
6320 SSL_CTX_set_max_proto_version(server_ctx_.get(), TLS1_3_VERSION);
6321 SSL_CTX_set_min_proto_version(client_ctx_.get(), TLS1_3_VERSION);
6322 SSL_CTX_set_max_proto_version(client_ctx_.get(), TLS1_3_VERSION);
6323
6324 static const uint8_t kALPNProtos[] = {0x03, 'f', 'o', 'o'};
6325 ASSERT_EQ(SSL_CTX_set_alpn_protos(client_ctx_.get(), kALPNProtos,
6326 sizeof(kALPNProtos)),
6327 0);
6328 SSL_CTX_set_alpn_select_cb(
6329 server_ctx_.get(),
6330 [](SSL *ssl, const uint8_t **out, uint8_t *out_len, const uint8_t *in,
6331 unsigned in_len, void *arg) -> int {
6332 return SSL_select_next_proto(
6333 const_cast<uint8_t **>(out), out_len, in, in_len,
6334 kALPNProtos, sizeof(kALPNProtos)) == OPENSSL_NPN_NEGOTIATED
6335 ? SSL_TLSEXT_ERR_OK
6336 : SSL_TLSEXT_ERR_NOACK;
6337 },
6338 nullptr);
6339 }
6340
TransportFromSSL(const SSL * ssl)6341 static MockQUICTransport *TransportFromSSL(const SSL *ssl) {
6342 return ex_data_.Get(ssl);
6343 }
6344
ProvideHandshakeData(SSL * ssl,size_t num=std::numeric_limits<size_t>::max ())6345 static bool ProvideHandshakeData(
6346 SSL *ssl, size_t num = std::numeric_limits<size_t>::max()) {
6347 MockQUICTransport *transport = TransportFromSSL(ssl);
6348 ssl_encryption_level_t level = SSL_quic_read_level(ssl);
6349 std::vector<uint8_t> data;
6350 return transport->ReadHandshakeData(&data, level, num) &&
6351 SSL_provide_quic_data(ssl, level, data.data(), data.size());
6352 }
6353
AllowOutOfOrderWrites()6354 void AllowOutOfOrderWrites() {
6355 allow_out_of_order_writes_ = true;
6356 }
6357
CreateClientAndServer()6358 bool CreateClientAndServer() {
6359 client_.reset(SSL_new(client_ctx_.get()));
6360 server_.reset(SSL_new(server_ctx_.get()));
6361 if (!client_ || !server_) {
6362 return false;
6363 }
6364
6365 SSL_set_connect_state(client_.get());
6366 SSL_set_accept_state(server_.get());
6367
6368 transport_ = std::make_unique<MockQUICTransportPair>();
6369 if (!ex_data_.Set(client_.get(), transport_->client()) ||
6370 !ex_data_.Set(server_.get(), transport_->server())) {
6371 return false;
6372 }
6373 if (allow_out_of_order_writes_) {
6374 transport_->client()->AllowOutOfOrderWrites();
6375 transport_->server()->AllowOutOfOrderWrites();
6376 }
6377 static const uint8_t client_transport_params[] = {0};
6378 if (!SSL_set_quic_transport_params(client_.get(), client_transport_params,
6379 sizeof(client_transport_params)) ||
6380 !SSL_set_quic_transport_params(server_.get(),
6381 server_transport_params_.data(),
6382 server_transport_params_.size()) ||
6383 !SSL_set_quic_early_data_context(
6384 server_.get(), server_quic_early_data_context_.data(),
6385 server_quic_early_data_context_.size())) {
6386 return false;
6387 }
6388 return true;
6389 }
6390
6391 enum class ExpectedError {
6392 kNoError,
6393 kClientError,
6394 kServerError,
6395 };
6396
6397 // CompleteHandshakesForQUIC runs |SSL_do_handshake| on |client_| and
6398 // |server_| until each completes once. It returns true on success and false
6399 // on failure.
CompleteHandshakesForQUIC()6400 bool CompleteHandshakesForQUIC() {
6401 return RunQUICHandshakesAndExpectError(ExpectedError::kNoError);
6402 }
6403
6404 // Runs |SSL_do_handshake| on |client_| and |server_| until each completes
6405 // once. If |expect_client_error| is true, it will return true only if the
6406 // client handshake failed. Otherwise, it returns true if both handshakes
6407 // succeed and false otherwise.
RunQUICHandshakesAndExpectError(ExpectedError expected_error)6408 bool RunQUICHandshakesAndExpectError(ExpectedError expected_error) {
6409 bool client_done = false, server_done = false;
6410 while (!client_done || !server_done) {
6411 if (!client_done) {
6412 if (!ProvideHandshakeData(client_.get())) {
6413 ADD_FAILURE() << "ProvideHandshakeData(client_) failed";
6414 return false;
6415 }
6416 int client_ret = SSL_do_handshake(client_.get());
6417 int client_err = SSL_get_error(client_.get(), client_ret);
6418 if (client_ret == 1) {
6419 client_done = true;
6420 } else if (client_ret != -1 || client_err != SSL_ERROR_WANT_READ) {
6421 if (expected_error == ExpectedError::kClientError) {
6422 return true;
6423 }
6424 ADD_FAILURE() << "Unexpected client output: " << client_ret << " "
6425 << client_err;
6426 return false;
6427 }
6428 }
6429
6430 if (!server_done) {
6431 if (!ProvideHandshakeData(server_.get())) {
6432 ADD_FAILURE() << "ProvideHandshakeData(server_) failed";
6433 return false;
6434 }
6435 int server_ret = SSL_do_handshake(server_.get());
6436 int server_err = SSL_get_error(server_.get(), server_ret);
6437 if (server_ret == 1) {
6438 server_done = true;
6439 } else if (server_ret != -1 || server_err != SSL_ERROR_WANT_READ) {
6440 if (expected_error == ExpectedError::kServerError) {
6441 return true;
6442 }
6443 ADD_FAILURE() << "Unexpected server output: " << server_ret << " "
6444 << server_err;
6445 return false;
6446 }
6447 }
6448 }
6449 return expected_error == ExpectedError::kNoError;
6450 }
6451
CreateClientSessionForQUIC()6452 bssl::UniquePtr<SSL_SESSION> CreateClientSessionForQUIC() {
6453 g_last_session = nullptr;
6454 SSL_CTX_sess_set_new_cb(client_ctx_.get(), SaveLastSession);
6455 if (!CreateClientAndServer() ||
6456 !CompleteHandshakesForQUIC()) {
6457 return nullptr;
6458 }
6459
6460 // The server sent NewSessionTicket messages in the handshake.
6461 if (!ProvideHandshakeData(client_.get()) ||
6462 !SSL_process_quic_post_handshake(client_.get())) {
6463 return nullptr;
6464 }
6465
6466 return std::move(g_last_session);
6467 }
6468
ExpectHandshakeSuccess()6469 void ExpectHandshakeSuccess() {
6470 EXPECT_TRUE(transport_->SecretsMatch(ssl_encryption_application));
6471 EXPECT_EQ(ssl_encryption_application, SSL_quic_read_level(client_.get()));
6472 EXPECT_EQ(ssl_encryption_application, SSL_quic_write_level(client_.get()));
6473 EXPECT_EQ(ssl_encryption_application, SSL_quic_read_level(server_.get()));
6474 EXPECT_EQ(ssl_encryption_application, SSL_quic_write_level(server_.get()));
6475 EXPECT_FALSE(transport_->client()->has_alert());
6476 EXPECT_FALSE(transport_->server()->has_alert());
6477
6478 // SSL_do_handshake is now idempotent.
6479 EXPECT_EQ(SSL_do_handshake(client_.get()), 1);
6480 EXPECT_EQ(SSL_do_handshake(server_.get()), 1);
6481 }
6482
6483 // Returns a default SSL_QUIC_METHOD. Individual methods may be overwritten by
6484 // the test.
DefaultQUICMethod()6485 SSL_QUIC_METHOD DefaultQUICMethod() {
6486 return SSL_QUIC_METHOD{
6487 SetReadSecretCallback, SetWriteSecretCallback, AddHandshakeDataCallback,
6488 FlushFlightCallback, SendAlertCallback,
6489 };
6490 }
6491
SetReadSecretCallback(SSL * ssl,ssl_encryption_level_t level,const SSL_CIPHER * cipher,const uint8_t * secret,size_t secret_len)6492 static int SetReadSecretCallback(SSL *ssl, ssl_encryption_level_t level,
6493 const SSL_CIPHER *cipher,
6494 const uint8_t *secret, size_t secret_len) {
6495 return TransportFromSSL(ssl)->SetReadSecret(
6496 level, cipher, MakeConstSpan(secret, secret_len));
6497 }
6498
SetWriteSecretCallback(SSL * ssl,ssl_encryption_level_t level,const SSL_CIPHER * cipher,const uint8_t * secret,size_t secret_len)6499 static int SetWriteSecretCallback(SSL *ssl, ssl_encryption_level_t level,
6500 const SSL_CIPHER *cipher,
6501 const uint8_t *secret, size_t secret_len) {
6502 return TransportFromSSL(ssl)->SetWriteSecret(
6503 level, cipher, MakeConstSpan(secret, secret_len));
6504 }
6505
AddHandshakeDataCallback(SSL * ssl,enum ssl_encryption_level_t level,const uint8_t * data,size_t len)6506 static int AddHandshakeDataCallback(SSL *ssl,
6507 enum ssl_encryption_level_t level,
6508 const uint8_t *data, size_t len) {
6509 EXPECT_EQ(level, SSL_quic_write_level(ssl));
6510 return TransportFromSSL(ssl)->WriteHandshakeData(level,
6511 MakeConstSpan(data, len));
6512 }
6513
FlushFlightCallback(SSL * ssl)6514 static int FlushFlightCallback(SSL *ssl) { return 1; }
6515
SendAlertCallback(SSL * ssl,ssl_encryption_level_t level,uint8_t alert)6516 static int SendAlertCallback(SSL *ssl, ssl_encryption_level_t level,
6517 uint8_t alert) {
6518 EXPECT_EQ(level, SSL_quic_write_level(ssl));
6519 return TransportFromSSL(ssl)->SendAlert(level, alert);
6520 }
6521
6522 bssl::UniquePtr<SSL_CTX> client_ctx_;
6523 bssl::UniquePtr<SSL_CTX> server_ctx_;
6524
6525 static UnownedSSLExData<MockQUICTransport> ex_data_;
6526 std::unique_ptr<MockQUICTransportPair> transport_;
6527
6528 bssl::UniquePtr<SSL> client_;
6529 bssl::UniquePtr<SSL> server_;
6530
6531 std::vector<uint8_t> server_transport_params_ = {1};
6532 std::vector<uint8_t> server_quic_early_data_context_ = {2};
6533
6534 bool allow_out_of_order_writes_ = false;
6535 };
6536
6537 UnownedSSLExData<MockQUICTransport> QUICMethodTest::ex_data_;
6538
6539 // Test a full handshake and resumption work.
TEST_F(QUICMethodTest,Basic)6540 TEST_F(QUICMethodTest, Basic) {
6541 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6542
6543 g_last_session = nullptr;
6544
6545 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6546 SSL_CTX_sess_set_new_cb(client_ctx_.get(), SaveLastSession);
6547 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6548 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6549
6550 ASSERT_TRUE(CreateClientAndServer());
6551 ASSERT_TRUE(CompleteHandshakesForQUIC());
6552
6553 ExpectHandshakeSuccess();
6554 EXPECT_FALSE(SSL_session_reused(client_.get()));
6555 EXPECT_FALSE(SSL_session_reused(server_.get()));
6556
6557 // The server sent NewSessionTicket messages in the handshake.
6558 EXPECT_FALSE(g_last_session);
6559 ASSERT_TRUE(ProvideHandshakeData(client_.get()));
6560 EXPECT_EQ(SSL_process_quic_post_handshake(client_.get()), 1);
6561 EXPECT_TRUE(g_last_session);
6562
6563 // Create a second connection to verify resumption works.
6564 ASSERT_TRUE(CreateClientAndServer());
6565 bssl::UniquePtr<SSL_SESSION> session = std::move(g_last_session);
6566 SSL_set_session(client_.get(), session.get());
6567
6568 ASSERT_TRUE(CompleteHandshakesForQUIC());
6569
6570 ExpectHandshakeSuccess();
6571 EXPECT_TRUE(SSL_session_reused(client_.get()));
6572 EXPECT_TRUE(SSL_session_reused(server_.get()));
6573 }
6574
6575 // Test that HelloRetryRequest in QUIC works.
TEST_F(QUICMethodTest,HelloRetryRequest)6576 TEST_F(QUICMethodTest, HelloRetryRequest) {
6577 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6578
6579 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6580 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6581
6582 // BoringSSL predicts the most preferred ECDH group, so using different
6583 // preferences will trigger HelloRetryRequest.
6584 static const int kClientPrefs[] = {NID_X25519, NID_X9_62_prime256v1};
6585 ASSERT_TRUE(SSL_CTX_set1_groups(client_ctx_.get(), kClientPrefs,
6586 OPENSSL_ARRAY_SIZE(kClientPrefs)));
6587 static const int kServerPrefs[] = {NID_X9_62_prime256v1, NID_X25519};
6588 ASSERT_TRUE(SSL_CTX_set1_groups(server_ctx_.get(), kServerPrefs,
6589 OPENSSL_ARRAY_SIZE(kServerPrefs)));
6590
6591 ASSERT_TRUE(CreateClientAndServer());
6592 ASSERT_TRUE(CompleteHandshakesForQUIC());
6593 ExpectHandshakeSuccess();
6594 }
6595
6596 // Test that the client does not send a legacy_session_id in the ClientHello.
TEST_F(QUICMethodTest,NoLegacySessionId)6597 TEST_F(QUICMethodTest, NoLegacySessionId) {
6598 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6599
6600 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6601 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6602 // Check that the session ID length is 0 in an early callback.
6603 SSL_CTX_set_select_certificate_cb(
6604 server_ctx_.get(),
6605 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
6606 EXPECT_EQ(client_hello->session_id_len, 0u);
6607 return ssl_select_cert_success;
6608 });
6609
6610 ASSERT_TRUE(CreateClientAndServer());
6611 ASSERT_TRUE(CompleteHandshakesForQUIC());
6612
6613 ExpectHandshakeSuccess();
6614 }
6615
6616 // Test that, even in a 1-RTT handshake, the server installs keys at the right
6617 // time. Half-RTT keys are available early, but 1-RTT read keys are deferred.
TEST_F(QUICMethodTest,HalfRTTKeys)6618 TEST_F(QUICMethodTest, HalfRTTKeys) {
6619 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6620
6621 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6622 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6623 ASSERT_TRUE(CreateClientAndServer());
6624
6625 // The client sends ClientHello.
6626 ASSERT_EQ(SSL_do_handshake(client_.get()), -1);
6627 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(client_.get(), -1));
6628
6629 // The server reads ClientHello and sends ServerHello..Finished.
6630 ASSERT_TRUE(ProvideHandshakeData(server_.get()));
6631 ASSERT_EQ(SSL_do_handshake(server_.get()), -1);
6632 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(server_.get(), -1));
6633
6634 // At this point, the server has half-RTT write keys, but it cannot access
6635 // 1-RTT read keys until client Finished.
6636 EXPECT_TRUE(transport_->server()->HasWriteSecret(ssl_encryption_application));
6637 EXPECT_FALSE(transport_->server()->HasReadSecret(ssl_encryption_application));
6638
6639 // Finish up the client and server handshakes.
6640 ASSERT_TRUE(CompleteHandshakesForQUIC());
6641
6642 // Both sides can now exchange 1-RTT data.
6643 ExpectHandshakeSuccess();
6644 }
6645
TEST_F(QUICMethodTest,ZeroRTTAccept)6646 TEST_F(QUICMethodTest, ZeroRTTAccept) {
6647 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6648
6649 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6650 SSL_CTX_set_early_data_enabled(client_ctx_.get(), 1);
6651 SSL_CTX_set_early_data_enabled(server_ctx_.get(), 1);
6652 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6653 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6654
6655 bssl::UniquePtr<SSL_SESSION> session = CreateClientSessionForQUIC();
6656 ASSERT_TRUE(session);
6657
6658 ASSERT_TRUE(CreateClientAndServer());
6659 SSL_set_session(client_.get(), session.get());
6660
6661 // The client handshake should return immediately into the early data state.
6662 ASSERT_EQ(SSL_do_handshake(client_.get()), 1);
6663 EXPECT_TRUE(SSL_in_early_data(client_.get()));
6664 // The transport should have keys for sending 0-RTT data.
6665 EXPECT_TRUE(transport_->client()->HasWriteSecret(ssl_encryption_early_data));
6666
6667 // The server will consume the ClientHello and also enter the early data
6668 // state.
6669 ASSERT_TRUE(ProvideHandshakeData(server_.get()));
6670 ASSERT_EQ(SSL_do_handshake(server_.get()), 1);
6671 EXPECT_TRUE(SSL_in_early_data(server_.get()));
6672 EXPECT_TRUE(transport_->SecretsMatch(ssl_encryption_early_data));
6673 // At this point, the server has half-RTT write keys, but it cannot access
6674 // 1-RTT read keys until client Finished.
6675 EXPECT_TRUE(transport_->server()->HasWriteSecret(ssl_encryption_application));
6676 EXPECT_FALSE(transport_->server()->HasReadSecret(ssl_encryption_application));
6677
6678 // Finish up the client and server handshakes.
6679 ASSERT_TRUE(CompleteHandshakesForQUIC());
6680
6681 // Both sides can now exchange 1-RTT data.
6682 ExpectHandshakeSuccess();
6683 EXPECT_TRUE(SSL_session_reused(client_.get()));
6684 EXPECT_TRUE(SSL_session_reused(server_.get()));
6685 EXPECT_FALSE(SSL_in_early_data(client_.get()));
6686 EXPECT_FALSE(SSL_in_early_data(server_.get()));
6687 EXPECT_TRUE(SSL_early_data_accepted(client_.get()));
6688 EXPECT_TRUE(SSL_early_data_accepted(server_.get()));
6689
6690 // Finish handling post-handshake messages after the first 0-RTT resumption.
6691 EXPECT_TRUE(ProvideHandshakeData(client_.get()));
6692 EXPECT_TRUE(SSL_process_quic_post_handshake(client_.get()));
6693
6694 // Perform a second 0-RTT resumption attempt, and confirm that 0-RTT is
6695 // accepted again.
6696 ASSERT_TRUE(CreateClientAndServer());
6697 SSL_set_session(client_.get(), g_last_session.get());
6698
6699 // The client handshake should return immediately into the early data state.
6700 ASSERT_EQ(SSL_do_handshake(client_.get()), 1);
6701 EXPECT_TRUE(SSL_in_early_data(client_.get()));
6702 // The transport should have keys for sending 0-RTT data.
6703 EXPECT_TRUE(transport_->client()->HasWriteSecret(ssl_encryption_early_data));
6704
6705 // The server will consume the ClientHello and also enter the early data
6706 // state.
6707 ASSERT_TRUE(ProvideHandshakeData(server_.get()));
6708 ASSERT_EQ(SSL_do_handshake(server_.get()), 1);
6709 EXPECT_TRUE(SSL_in_early_data(server_.get()));
6710 EXPECT_TRUE(transport_->SecretsMatch(ssl_encryption_early_data));
6711 // At this point, the server has half-RTT write keys, but it cannot access
6712 // 1-RTT read keys until client Finished.
6713 EXPECT_TRUE(transport_->server()->HasWriteSecret(ssl_encryption_application));
6714 EXPECT_FALSE(transport_->server()->HasReadSecret(ssl_encryption_application));
6715
6716 // Finish up the client and server handshakes.
6717 ASSERT_TRUE(CompleteHandshakesForQUIC());
6718
6719 // Both sides can now exchange 1-RTT data.
6720 ExpectHandshakeSuccess();
6721 EXPECT_TRUE(SSL_session_reused(client_.get()));
6722 EXPECT_TRUE(SSL_session_reused(server_.get()));
6723 EXPECT_FALSE(SSL_in_early_data(client_.get()));
6724 EXPECT_FALSE(SSL_in_early_data(server_.get()));
6725 EXPECT_TRUE(SSL_early_data_accepted(client_.get()));
6726 EXPECT_TRUE(SSL_early_data_accepted(server_.get()));
6727 EXPECT_EQ(SSL_get_early_data_reason(client_.get()), ssl_early_data_accepted);
6728 EXPECT_EQ(SSL_get_early_data_reason(server_.get()), ssl_early_data_accepted);
6729 }
6730
TEST_F(QUICMethodTest,ZeroRTTRejectMismatchedParameters)6731 TEST_F(QUICMethodTest, ZeroRTTRejectMismatchedParameters) {
6732 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6733
6734 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6735 SSL_CTX_set_early_data_enabled(client_ctx_.get(), 1);
6736 SSL_CTX_set_early_data_enabled(server_ctx_.get(), 1);
6737 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6738 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6739
6740
6741 bssl::UniquePtr<SSL_SESSION> session = CreateClientSessionForQUIC();
6742 ASSERT_TRUE(session);
6743
6744 ASSERT_TRUE(CreateClientAndServer());
6745 static const uint8_t new_context[] = {4};
6746 ASSERT_TRUE(SSL_set_quic_early_data_context(server_.get(), new_context,
6747 sizeof(new_context)));
6748 SSL_set_session(client_.get(), session.get());
6749
6750 // The client handshake should return immediately into the early data
6751 // state.
6752 ASSERT_EQ(SSL_do_handshake(client_.get()), 1);
6753 EXPECT_TRUE(SSL_in_early_data(client_.get()));
6754 // The transport should have keys for sending 0-RTT data.
6755 EXPECT_TRUE(transport_->client()->HasWriteSecret(ssl_encryption_early_data));
6756
6757 // The server will consume the ClientHello, but it will not accept 0-RTT.
6758 ASSERT_TRUE(ProvideHandshakeData(server_.get()));
6759 ASSERT_EQ(SSL_do_handshake(server_.get()), -1);
6760 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(server_.get(), -1));
6761 EXPECT_FALSE(SSL_in_early_data(server_.get()));
6762 EXPECT_FALSE(transport_->server()->HasReadSecret(ssl_encryption_early_data));
6763
6764 // The client consumes the server response and signals 0-RTT rejection.
6765 for (;;) {
6766 ASSERT_TRUE(ProvideHandshakeData(client_.get()));
6767 ASSERT_EQ(-1, SSL_do_handshake(client_.get()));
6768 int err = SSL_get_error(client_.get(), -1);
6769 if (err == SSL_ERROR_EARLY_DATA_REJECTED) {
6770 break;
6771 }
6772 ASSERT_EQ(SSL_ERROR_WANT_READ, err);
6773 }
6774
6775 // As in TLS over TCP, 0-RTT rejection is sticky.
6776 ASSERT_EQ(-1, SSL_do_handshake(client_.get()));
6777 ASSERT_EQ(SSL_ERROR_EARLY_DATA_REJECTED, SSL_get_error(client_.get(), -1));
6778
6779 // Finish up the client and server handshakes.
6780 SSL_reset_early_data_reject(client_.get());
6781 ASSERT_TRUE(CompleteHandshakesForQUIC());
6782
6783 // Both sides can now exchange 1-RTT data.
6784 ExpectHandshakeSuccess();
6785 EXPECT_TRUE(SSL_session_reused(client_.get()));
6786 EXPECT_TRUE(SSL_session_reused(server_.get()));
6787 EXPECT_FALSE(SSL_in_early_data(client_.get()));
6788 EXPECT_FALSE(SSL_in_early_data(server_.get()));
6789 EXPECT_FALSE(SSL_early_data_accepted(client_.get()));
6790 EXPECT_FALSE(SSL_early_data_accepted(server_.get()));
6791 }
6792
TEST_F(QUICMethodTest,NoZeroRTTTicketWithoutEarlyDataContext)6793 TEST_F(QUICMethodTest, NoZeroRTTTicketWithoutEarlyDataContext) {
6794 server_quic_early_data_context_ = {};
6795 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6796
6797 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6798 SSL_CTX_set_early_data_enabled(client_ctx_.get(), 1);
6799 SSL_CTX_set_early_data_enabled(server_ctx_.get(), 1);
6800 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6801 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6802
6803 bssl::UniquePtr<SSL_SESSION> session = CreateClientSessionForQUIC();
6804 ASSERT_TRUE(session);
6805 EXPECT_FALSE(SSL_SESSION_early_data_capable(session.get()));
6806 }
6807
TEST_F(QUICMethodTest,ZeroRTTReject)6808 TEST_F(QUICMethodTest, ZeroRTTReject) {
6809 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6810
6811 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6812 SSL_CTX_set_early_data_enabled(client_ctx_.get(), 1);
6813 SSL_CTX_set_early_data_enabled(server_ctx_.get(), 1);
6814 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6815 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6816
6817 bssl::UniquePtr<SSL_SESSION> session = CreateClientSessionForQUIC();
6818 ASSERT_TRUE(session);
6819
6820 for (bool reject_hrr : {false, true}) {
6821 SCOPED_TRACE(reject_hrr);
6822
6823 ASSERT_TRUE(CreateClientAndServer());
6824 if (reject_hrr) {
6825 // Configure the server to prefer P-256, which will reject 0-RTT via
6826 // HelloRetryRequest.
6827 int p256 = NID_X9_62_prime256v1;
6828 ASSERT_TRUE(SSL_set1_groups(server_.get(), &p256, 1));
6829 } else {
6830 // Disable 0-RTT on the server, so it will reject it.
6831 SSL_set_early_data_enabled(server_.get(), 0);
6832 }
6833 SSL_set_session(client_.get(), session.get());
6834
6835 // The client handshake should return immediately into the early data state.
6836 ASSERT_EQ(SSL_do_handshake(client_.get()), 1);
6837 EXPECT_TRUE(SSL_in_early_data(client_.get()));
6838 // The transport should have keys for sending 0-RTT data.
6839 EXPECT_TRUE(
6840 transport_->client()->HasWriteSecret(ssl_encryption_early_data));
6841
6842 // The server will consume the ClientHello, but it will not accept 0-RTT.
6843 ASSERT_TRUE(ProvideHandshakeData(server_.get()));
6844 ASSERT_EQ(SSL_do_handshake(server_.get()), -1);
6845 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(server_.get(), -1));
6846 EXPECT_FALSE(SSL_in_early_data(server_.get()));
6847 EXPECT_FALSE(
6848 transport_->server()->HasReadSecret(ssl_encryption_early_data));
6849
6850 // The client consumes the server response and signals 0-RTT rejection.
6851 for (;;) {
6852 ASSERT_TRUE(ProvideHandshakeData(client_.get()));
6853 ASSERT_EQ(-1, SSL_do_handshake(client_.get()));
6854 int err = SSL_get_error(client_.get(), -1);
6855 if (err == SSL_ERROR_EARLY_DATA_REJECTED) {
6856 break;
6857 }
6858 ASSERT_EQ(SSL_ERROR_WANT_READ, err);
6859 }
6860
6861 // As in TLS over TCP, 0-RTT rejection is sticky.
6862 ASSERT_EQ(-1, SSL_do_handshake(client_.get()));
6863 ASSERT_EQ(SSL_ERROR_EARLY_DATA_REJECTED, SSL_get_error(client_.get(), -1));
6864
6865 // Finish up the client and server handshakes.
6866 SSL_reset_early_data_reject(client_.get());
6867 ASSERT_TRUE(CompleteHandshakesForQUIC());
6868
6869 // Both sides can now exchange 1-RTT data.
6870 ExpectHandshakeSuccess();
6871 EXPECT_TRUE(SSL_session_reused(client_.get()));
6872 EXPECT_TRUE(SSL_session_reused(server_.get()));
6873 EXPECT_FALSE(SSL_in_early_data(client_.get()));
6874 EXPECT_FALSE(SSL_in_early_data(server_.get()));
6875 EXPECT_FALSE(SSL_early_data_accepted(client_.get()));
6876 EXPECT_FALSE(SSL_early_data_accepted(server_.get()));
6877 }
6878 }
6879
TEST_F(QUICMethodTest,NoZeroRTTKeysBeforeReverify)6880 TEST_F(QUICMethodTest, NoZeroRTTKeysBeforeReverify) {
6881 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6882
6883 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6884 SSL_CTX_set_early_data_enabled(client_ctx_.get(), 1);
6885 SSL_CTX_set_reverify_on_resume(client_ctx_.get(), 1);
6886 SSL_CTX_set_early_data_enabled(server_ctx_.get(), 1);
6887 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6888 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6889
6890 bssl::UniquePtr<SSL_SESSION> session = CreateClientSessionForQUIC();
6891 ASSERT_TRUE(session);
6892
6893 ASSERT_TRUE(CreateClientAndServer());
6894 SSL_set_session(client_.get(), session.get());
6895
6896 // Configure the certificate (re)verification to never complete. The client
6897 // handshake should pause.
6898 SSL_set_custom_verify(
6899 client_.get(), SSL_VERIFY_PEER,
6900 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
6901 return ssl_verify_retry;
6902 });
6903 ASSERT_EQ(SSL_do_handshake(client_.get()), -1);
6904 ASSERT_EQ(SSL_get_error(client_.get(), -1),
6905 SSL_ERROR_WANT_CERTIFICATE_VERIFY);
6906
6907 // The early data keys have not yet been released.
6908 EXPECT_FALSE(transport_->client()->HasWriteSecret(ssl_encryption_early_data));
6909
6910 // After the verification completes, the handshake progresses to the 0-RTT
6911 // point and releases keys.
6912 SSL_set_custom_verify(
6913 client_.get(), SSL_VERIFY_PEER,
6914 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
6915 return ssl_verify_ok;
6916 });
6917 ASSERT_EQ(SSL_do_handshake(client_.get()), 1);
6918 EXPECT_TRUE(SSL_in_early_data(client_.get()));
6919 EXPECT_TRUE(transport_->client()->HasWriteSecret(ssl_encryption_early_data));
6920 }
6921
6922 // Test only releasing data to QUIC one byte at a time on request, to maximize
6923 // state machine pauses. Additionally, test that existing asynchronous callbacks
6924 // still work.
TEST_F(QUICMethodTest,Async)6925 TEST_F(QUICMethodTest, Async) {
6926 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6927
6928 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6929 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6930 ASSERT_TRUE(CreateClientAndServer());
6931
6932 // Install an asynchronous certificate callback.
6933 bool cert_cb_ok = false;
6934 SSL_set_cert_cb(server_.get(),
6935 [](SSL *, void *arg) -> int {
6936 return *static_cast<bool *>(arg) ? 1 : -1;
6937 },
6938 &cert_cb_ok);
6939
6940 for (;;) {
6941 int client_ret = SSL_do_handshake(client_.get());
6942 if (client_ret != 1) {
6943 ASSERT_EQ(client_ret, -1);
6944 ASSERT_EQ(SSL_get_error(client_.get(), client_ret), SSL_ERROR_WANT_READ);
6945 ASSERT_TRUE(ProvideHandshakeData(client_.get(), 1));
6946 }
6947
6948 int server_ret = SSL_do_handshake(server_.get());
6949 if (server_ret != 1) {
6950 ASSERT_EQ(server_ret, -1);
6951 int ssl_err = SSL_get_error(server_.get(), server_ret);
6952 switch (ssl_err) {
6953 case SSL_ERROR_WANT_READ:
6954 ASSERT_TRUE(ProvideHandshakeData(server_.get(), 1));
6955 break;
6956 case SSL_ERROR_WANT_X509_LOOKUP:
6957 ASSERT_FALSE(cert_cb_ok);
6958 cert_cb_ok = true;
6959 break;
6960 default:
6961 FAIL() << "Unexpected SSL_get_error result: " << ssl_err;
6962 }
6963 }
6964
6965 if (client_ret == 1 && server_ret == 1) {
6966 break;
6967 }
6968 }
6969
6970 ExpectHandshakeSuccess();
6971 }
6972
6973 // Test buffering write data until explicit flushes.
TEST_F(QUICMethodTest,Buffered)6974 TEST_F(QUICMethodTest, Buffered) {
6975 AllowOutOfOrderWrites();
6976
6977 struct BufferedFlight {
6978 std::vector<uint8_t> data[kNumQUICLevels];
6979 };
6980 static UnownedSSLExData<BufferedFlight> buffered_flights;
6981
6982 auto add_handshake_data = [](SSL *ssl, enum ssl_encryption_level_t level,
6983 const uint8_t *data, size_t len) -> int {
6984 BufferedFlight *flight = buffered_flights.Get(ssl);
6985 flight->data[level].insert(flight->data[level].end(), data, data + len);
6986 return 1;
6987 };
6988
6989 auto flush_flight = [](SSL *ssl) -> int {
6990 BufferedFlight *flight = buffered_flights.Get(ssl);
6991 for (size_t level = 0; level < kNumQUICLevels; level++) {
6992 if (!flight->data[level].empty()) {
6993 if (!TransportFromSSL(ssl)->WriteHandshakeData(
6994 static_cast<ssl_encryption_level_t>(level),
6995 flight->data[level])) {
6996 return 0;
6997 }
6998 flight->data[level].clear();
6999 }
7000 }
7001 return 1;
7002 };
7003
7004 SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7005 quic_method.add_handshake_data = add_handshake_data;
7006 quic_method.flush_flight = flush_flight;
7007
7008 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7009 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7010 ASSERT_TRUE(CreateClientAndServer());
7011
7012 BufferedFlight client_flight, server_flight;
7013 ASSERT_TRUE(buffered_flights.Set(client_.get(), &client_flight));
7014 ASSERT_TRUE(buffered_flights.Set(server_.get(), &server_flight));
7015
7016 ASSERT_TRUE(CompleteHandshakesForQUIC());
7017
7018 ExpectHandshakeSuccess();
7019 }
7020
7021 // Test that excess data at one level is rejected. That is, if a single
7022 // |SSL_provide_quic_data| call included both ServerHello and
7023 // EncryptedExtensions in a single chunk, BoringSSL notices and rejects this on
7024 // key change.
TEST_F(QUICMethodTest,ExcessProvidedData)7025 TEST_F(QUICMethodTest, ExcessProvidedData) {
7026 AllowOutOfOrderWrites();
7027
7028 auto add_handshake_data = [](SSL *ssl, enum ssl_encryption_level_t level,
7029 const uint8_t *data, size_t len) -> int {
7030 // Switch everything to the initial level.
7031 return TransportFromSSL(ssl)->WriteHandshakeData(ssl_encryption_initial,
7032 MakeConstSpan(data, len));
7033 };
7034
7035 SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7036 quic_method.add_handshake_data = add_handshake_data;
7037
7038 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7039 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7040 ASSERT_TRUE(CreateClientAndServer());
7041
7042 // Send the ClientHello and ServerHello through Finished.
7043 ASSERT_EQ(SSL_do_handshake(client_.get()), -1);
7044 ASSERT_EQ(SSL_get_error(client_.get(), -1), SSL_ERROR_WANT_READ);
7045 ASSERT_TRUE(ProvideHandshakeData(server_.get()));
7046 ASSERT_EQ(SSL_do_handshake(server_.get()), -1);
7047 ASSERT_EQ(SSL_get_error(server_.get(), -1), SSL_ERROR_WANT_READ);
7048
7049 // The client is still waiting for the ServerHello at initial
7050 // encryption.
7051 ASSERT_EQ(ssl_encryption_initial, SSL_quic_read_level(client_.get()));
7052
7053 // |add_handshake_data| incorrectly wrote everything at the initial level, so
7054 // this queues up ServerHello through Finished in one chunk.
7055 ASSERT_TRUE(ProvideHandshakeData(client_.get()));
7056
7057 // The client reads ServerHello successfully, but then rejects the buffered
7058 // EncryptedExtensions on key change.
7059 ASSERT_EQ(SSL_do_handshake(client_.get()), -1);
7060 ASSERT_EQ(SSL_get_error(client_.get(), -1), SSL_ERROR_SSL);
7061 uint32_t err = ERR_get_error();
7062 EXPECT_EQ(ERR_GET_LIB(err), ERR_LIB_SSL);
7063 EXPECT_EQ(ERR_GET_REASON(err), SSL_R_EXCESS_HANDSHAKE_DATA);
7064
7065 // The client sends an alert in response to this. The alert is sent at
7066 // handshake level because we install write secrets before read secrets and
7067 // the error is discovered when installing the read secret. (How to send
7068 // alerts on protocol syntax errors near key changes is ambiguous in general.)
7069 ASSERT_TRUE(transport_->client()->has_alert());
7070 EXPECT_EQ(transport_->client()->alert_level(), ssl_encryption_handshake);
7071 EXPECT_EQ(transport_->client()->alert(), SSL_AD_UNEXPECTED_MESSAGE);
7072
7073 // Sanity-check handshake secrets. The error is discovered while setting the
7074 // read secret, so only the write secret has been installed.
7075 EXPECT_TRUE(transport_->client()->HasWriteSecret(ssl_encryption_handshake));
7076 EXPECT_FALSE(transport_->client()->HasReadSecret(ssl_encryption_handshake));
7077 }
7078
7079 // Test that |SSL_provide_quic_data| will reject data at the wrong level.
TEST_F(QUICMethodTest,ProvideWrongLevel)7080 TEST_F(QUICMethodTest, ProvideWrongLevel) {
7081 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7082
7083 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7084 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7085 ASSERT_TRUE(CreateClientAndServer());
7086
7087 // Send the ClientHello and ServerHello through Finished.
7088 ASSERT_EQ(SSL_do_handshake(client_.get()), -1);
7089 ASSERT_EQ(SSL_get_error(client_.get(), -1), SSL_ERROR_WANT_READ);
7090 ASSERT_TRUE(ProvideHandshakeData(server_.get()));
7091 ASSERT_EQ(SSL_do_handshake(server_.get()), -1);
7092 ASSERT_EQ(SSL_get_error(server_.get(), -1), SSL_ERROR_WANT_READ);
7093
7094 // The client is still waiting for the ServerHello at initial
7095 // encryption.
7096 ASSERT_EQ(ssl_encryption_initial, SSL_quic_read_level(client_.get()));
7097
7098 // Data cannot be provided at the next level.
7099 std::vector<uint8_t> data;
7100 ASSERT_TRUE(
7101 transport_->client()->ReadHandshakeData(&data, ssl_encryption_initial));
7102 ASSERT_FALSE(SSL_provide_quic_data(client_.get(), ssl_encryption_handshake,
7103 data.data(), data.size()));
7104 ERR_clear_error();
7105
7106 // Progress to EncryptedExtensions.
7107 ASSERT_TRUE(SSL_provide_quic_data(client_.get(), ssl_encryption_initial,
7108 data.data(), data.size()));
7109 ASSERT_EQ(SSL_do_handshake(client_.get()), -1);
7110 ASSERT_EQ(SSL_get_error(client_.get(), -1), SSL_ERROR_WANT_READ);
7111 ASSERT_EQ(ssl_encryption_handshake, SSL_quic_read_level(client_.get()));
7112
7113 // Data cannot be provided at the previous level.
7114 ASSERT_TRUE(
7115 transport_->client()->ReadHandshakeData(&data, ssl_encryption_handshake));
7116 ASSERT_FALSE(SSL_provide_quic_data(client_.get(), ssl_encryption_initial,
7117 data.data(), data.size()));
7118 }
7119
TEST_F(QUICMethodTest,TooMuchData)7120 TEST_F(QUICMethodTest, TooMuchData) {
7121 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7122
7123 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7124 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7125 ASSERT_TRUE(CreateClientAndServer());
7126
7127 size_t limit =
7128 SSL_quic_max_handshake_flight_len(client_.get(), ssl_encryption_initial);
7129 uint8_t b = 0;
7130 for (size_t i = 0; i < limit; i++) {
7131 ASSERT_TRUE(
7132 SSL_provide_quic_data(client_.get(), ssl_encryption_initial, &b, 1));
7133 }
7134
7135 EXPECT_FALSE(
7136 SSL_provide_quic_data(client_.get(), ssl_encryption_initial, &b, 1));
7137 }
7138
7139 // Provide invalid post-handshake data.
TEST_F(QUICMethodTest,BadPostHandshake)7140 TEST_F(QUICMethodTest, BadPostHandshake) {
7141 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7142
7143 g_last_session = nullptr;
7144
7145 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
7146 SSL_CTX_sess_set_new_cb(client_ctx_.get(), SaveLastSession);
7147 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7148 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7149 ASSERT_TRUE(CreateClientAndServer());
7150 ASSERT_TRUE(CompleteHandshakesForQUIC());
7151
7152 EXPECT_EQ(SSL_do_handshake(client_.get()), 1);
7153 EXPECT_EQ(SSL_do_handshake(server_.get()), 1);
7154 EXPECT_TRUE(transport_->SecretsMatch(ssl_encryption_application));
7155 EXPECT_FALSE(transport_->client()->has_alert());
7156 EXPECT_FALSE(transport_->server()->has_alert());
7157
7158 // Junk sent as part of post-handshake data should cause an error.
7159 uint8_t kJunk[] = {0x17, 0x0, 0x0, 0x4, 0xB, 0xE, 0xE, 0xF};
7160 ASSERT_TRUE(SSL_provide_quic_data(client_.get(), ssl_encryption_application,
7161 kJunk, sizeof(kJunk)));
7162 EXPECT_EQ(SSL_process_quic_post_handshake(client_.get()), 0);
7163 }
7164
ExpectReceivedTransportParamsEqual(const SSL * ssl,Span<const uint8_t> expected)7165 static void ExpectReceivedTransportParamsEqual(const SSL *ssl,
7166 Span<const uint8_t> expected) {
7167 const uint8_t *received;
7168 size_t received_len;
7169 SSL_get_peer_quic_transport_params(ssl, &received, &received_len);
7170 ASSERT_EQ(received_len, expected.size());
7171 EXPECT_EQ(Bytes(received, received_len), Bytes(expected));
7172 }
7173
TEST_F(QUICMethodTest,SetTransportParameters)7174 TEST_F(QUICMethodTest, SetTransportParameters) {
7175 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7176 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7177 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7178
7179 ASSERT_TRUE(CreateClientAndServer());
7180 uint8_t kClientParams[] = {1, 2, 3, 4};
7181 uint8_t kServerParams[] = {5, 6, 7};
7182 ASSERT_TRUE(SSL_set_quic_transport_params(client_.get(), kClientParams,
7183 sizeof(kClientParams)));
7184 ASSERT_TRUE(SSL_set_quic_transport_params(server_.get(), kServerParams,
7185 sizeof(kServerParams)));
7186
7187 ASSERT_TRUE(CompleteHandshakesForQUIC());
7188 ExpectReceivedTransportParamsEqual(client_.get(), kServerParams);
7189 ExpectReceivedTransportParamsEqual(server_.get(), kClientParams);
7190 }
7191
TEST_F(QUICMethodTest,SetTransportParamsInCallback)7192 TEST_F(QUICMethodTest, SetTransportParamsInCallback) {
7193 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7194 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7195 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7196
7197 ASSERT_TRUE(CreateClientAndServer());
7198 uint8_t kClientParams[] = {1, 2, 3, 4};
7199 static uint8_t kServerParams[] = {5, 6, 7};
7200 ASSERT_TRUE(SSL_set_quic_transport_params(client_.get(), kClientParams,
7201 sizeof(kClientParams)));
7202 SSL_CTX_set_tlsext_servername_callback(
7203 server_ctx_.get(), [](SSL *ssl, int *out_alert, void *arg) -> int {
7204 EXPECT_TRUE(SSL_set_quic_transport_params(ssl, kServerParams,
7205 sizeof(kServerParams)));
7206 return SSL_TLSEXT_ERR_OK;
7207 });
7208
7209 ASSERT_TRUE(CompleteHandshakesForQUIC());
7210 ExpectReceivedTransportParamsEqual(client_.get(), kServerParams);
7211 ExpectReceivedTransportParamsEqual(server_.get(), kClientParams);
7212 }
7213
TEST_F(QUICMethodTest,ForbidCrossProtocolResumptionClient)7214 TEST_F(QUICMethodTest, ForbidCrossProtocolResumptionClient) {
7215 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7216
7217 g_last_session = nullptr;
7218
7219 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
7220 SSL_CTX_sess_set_new_cb(client_ctx_.get(), SaveLastSession);
7221 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7222 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7223
7224 ASSERT_TRUE(CreateClientAndServer());
7225 ASSERT_TRUE(CompleteHandshakesForQUIC());
7226
7227 ExpectHandshakeSuccess();
7228 EXPECT_FALSE(SSL_session_reused(client_.get()));
7229 EXPECT_FALSE(SSL_session_reused(server_.get()));
7230
7231 // The server sent NewSessionTicket messages in the handshake.
7232 EXPECT_FALSE(g_last_session);
7233 ASSERT_TRUE(ProvideHandshakeData(client_.get()));
7234 EXPECT_EQ(SSL_process_quic_post_handshake(client_.get()), 1);
7235 ASSERT_TRUE(g_last_session);
7236
7237 // Pretend that g_last_session came from a TLS-over-TCP connection.
7238 g_last_session->is_quic = false;
7239
7240 // Create a second connection and verify that resumption does not occur with
7241 // a session from a non-QUIC connection. This tests that the client does not
7242 // offer over QUIC a session believed to be received over TCP. The server
7243 // believes this is a QUIC session, so if the client offered the session, the
7244 // server would have resumed it.
7245 ASSERT_TRUE(CreateClientAndServer());
7246 bssl::UniquePtr<SSL_SESSION> session = std::move(g_last_session);
7247 SSL_set_session(client_.get(), session.get());
7248
7249 ASSERT_TRUE(CompleteHandshakesForQUIC());
7250 ExpectHandshakeSuccess();
7251 EXPECT_FALSE(SSL_session_reused(client_.get()));
7252 EXPECT_FALSE(SSL_session_reused(server_.get()));
7253 }
7254
TEST_F(QUICMethodTest,ForbidCrossProtocolResumptionServer)7255 TEST_F(QUICMethodTest, ForbidCrossProtocolResumptionServer) {
7256 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7257
7258 g_last_session = nullptr;
7259
7260 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
7261 SSL_CTX_sess_set_new_cb(client_ctx_.get(), SaveLastSession);
7262 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7263 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7264
7265 ASSERT_TRUE(CreateClientAndServer());
7266 ASSERT_TRUE(CompleteHandshakesForQUIC());
7267
7268 ExpectHandshakeSuccess();
7269 EXPECT_FALSE(SSL_session_reused(client_.get()));
7270 EXPECT_FALSE(SSL_session_reused(server_.get()));
7271
7272 // The server sent NewSessionTicket messages in the handshake.
7273 EXPECT_FALSE(g_last_session);
7274 ASSERT_TRUE(ProvideHandshakeData(client_.get()));
7275 EXPECT_EQ(SSL_process_quic_post_handshake(client_.get()), 1);
7276 ASSERT_TRUE(g_last_session);
7277
7278 // Attempt a resumption with g_last_session using TLS_method.
7279 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
7280 ASSERT_TRUE(client_ctx);
7281
7282 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), nullptr));
7283
7284 bssl::UniquePtr<SSL> client(SSL_new(client_ctx.get())),
7285 server(SSL_new(server_ctx_.get()));
7286 ASSERT_TRUE(client);
7287 ASSERT_TRUE(server);
7288 SSL_set_connect_state(client.get());
7289 SSL_set_accept_state(server.get());
7290
7291 // The TLS-over-TCP client will refuse to resume with a quic session, so
7292 // mark is_quic = false to bypass the client check to test the server check.
7293 g_last_session->is_quic = false;
7294 SSL_set_session(client.get(), g_last_session.get());
7295
7296 BIO *bio1, *bio2;
7297 ASSERT_TRUE(BIO_new_bio_pair(&bio1, 0, &bio2, 0));
7298
7299 // SSL_set_bio takes ownership.
7300 SSL_set_bio(client.get(), bio1, bio1);
7301 SSL_set_bio(server.get(), bio2, bio2);
7302 ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
7303
7304 EXPECT_FALSE(SSL_session_reused(client.get()));
7305 EXPECT_FALSE(SSL_session_reused(server.get()));
7306 }
7307
TEST_F(QUICMethodTest,ClientRejectsMissingTransportParams)7308 TEST_F(QUICMethodTest, ClientRejectsMissingTransportParams) {
7309 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7310 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7311 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7312
7313 ASSERT_TRUE(CreateClientAndServer());
7314 ASSERT_TRUE(SSL_set_quic_transport_params(server_.get(), nullptr, 0));
7315 ASSERT_TRUE(RunQUICHandshakesAndExpectError(ExpectedError::kServerError));
7316 }
7317
TEST_F(QUICMethodTest,ServerRejectsMissingTransportParams)7318 TEST_F(QUICMethodTest, ServerRejectsMissingTransportParams) {
7319 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7320 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7321 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7322
7323 ASSERT_TRUE(CreateClientAndServer());
7324 ASSERT_TRUE(SSL_set_quic_transport_params(client_.get(), nullptr, 0));
7325 ASSERT_TRUE(RunQUICHandshakesAndExpectError(ExpectedError::kClientError));
7326 }
7327
TEST_F(QUICMethodTest,QuicLegacyCodepointEnabled)7328 TEST_F(QUICMethodTest, QuicLegacyCodepointEnabled) {
7329 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7330 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7331 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7332
7333 ASSERT_TRUE(CreateClientAndServer());
7334 uint8_t kClientParams[] = {1, 2, 3, 4};
7335 uint8_t kServerParams[] = {5, 6, 7};
7336 SSL_set_quic_use_legacy_codepoint(client_.get(), 1);
7337 SSL_set_quic_use_legacy_codepoint(server_.get(), 1);
7338 ASSERT_TRUE(SSL_set_quic_transport_params(client_.get(), kClientParams,
7339 sizeof(kClientParams)));
7340 ASSERT_TRUE(SSL_set_quic_transport_params(server_.get(), kServerParams,
7341 sizeof(kServerParams)));
7342
7343 ASSERT_TRUE(CompleteHandshakesForQUIC());
7344 ExpectReceivedTransportParamsEqual(client_.get(), kServerParams);
7345 ExpectReceivedTransportParamsEqual(server_.get(), kClientParams);
7346 }
7347
TEST_F(QUICMethodTest,QuicLegacyCodepointDisabled)7348 TEST_F(QUICMethodTest, QuicLegacyCodepointDisabled) {
7349 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7350 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7351 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7352
7353 ASSERT_TRUE(CreateClientAndServer());
7354 uint8_t kClientParams[] = {1, 2, 3, 4};
7355 uint8_t kServerParams[] = {5, 6, 7};
7356 SSL_set_quic_use_legacy_codepoint(client_.get(), 0);
7357 SSL_set_quic_use_legacy_codepoint(server_.get(), 0);
7358 ASSERT_TRUE(SSL_set_quic_transport_params(client_.get(), kClientParams,
7359 sizeof(kClientParams)));
7360 ASSERT_TRUE(SSL_set_quic_transport_params(server_.get(), kServerParams,
7361 sizeof(kServerParams)));
7362
7363 ASSERT_TRUE(CompleteHandshakesForQUIC());
7364 ExpectReceivedTransportParamsEqual(client_.get(), kServerParams);
7365 ExpectReceivedTransportParamsEqual(server_.get(), kClientParams);
7366 }
7367
TEST_F(QUICMethodTest,QuicLegacyCodepointClientOnly)7368 TEST_F(QUICMethodTest, QuicLegacyCodepointClientOnly) {
7369 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7370 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7371 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7372
7373 ASSERT_TRUE(CreateClientAndServer());
7374 uint8_t kClientParams[] = {1, 2, 3, 4};
7375 uint8_t kServerParams[] = {5, 6, 7};
7376 SSL_set_quic_use_legacy_codepoint(client_.get(), 1);
7377 SSL_set_quic_use_legacy_codepoint(server_.get(), 0);
7378 ASSERT_TRUE(SSL_set_quic_transport_params(client_.get(), kClientParams,
7379 sizeof(kClientParams)));
7380 ASSERT_TRUE(SSL_set_quic_transport_params(server_.get(), kServerParams,
7381 sizeof(kServerParams)));
7382
7383 ASSERT_TRUE(RunQUICHandshakesAndExpectError(ExpectedError::kServerError));
7384 }
7385
TEST_F(QUICMethodTest,QuicLegacyCodepointServerOnly)7386 TEST_F(QUICMethodTest, QuicLegacyCodepointServerOnly) {
7387 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7388 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7389 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7390
7391 ASSERT_TRUE(CreateClientAndServer());
7392 uint8_t kClientParams[] = {1, 2, 3, 4};
7393 uint8_t kServerParams[] = {5, 6, 7};
7394 SSL_set_quic_use_legacy_codepoint(client_.get(), 0);
7395 SSL_set_quic_use_legacy_codepoint(server_.get(), 1);
7396 ASSERT_TRUE(SSL_set_quic_transport_params(client_.get(), kClientParams,
7397 sizeof(kClientParams)));
7398 ASSERT_TRUE(SSL_set_quic_transport_params(server_.get(), kServerParams,
7399 sizeof(kServerParams)));
7400
7401 ASSERT_TRUE(RunQUICHandshakesAndExpectError(ExpectedError::kServerError));
7402 }
7403
7404 // Test that the default QUIC code point is consistent with
7405 // |TLSEXT_TYPE_quic_transport_parameters|. This test ensures we remember to
7406 // update the two values together.
TEST_F(QUICMethodTest,QuicCodePointDefault)7407 TEST_F(QUICMethodTest, QuicCodePointDefault) {
7408 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7409 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7410 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7411 SSL_CTX_set_select_certificate_cb(
7412 server_ctx_.get(),
7413 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
7414 const uint8_t *data;
7415 size_t len;
7416 if (!SSL_early_callback_ctx_extension_get(
7417 client_hello, TLSEXT_TYPE_quic_transport_parameters, &data,
7418 &len)) {
7419 ADD_FAILURE() << "Could not find quic_transport_parameters extension";
7420 return ssl_select_cert_error;
7421 }
7422 return ssl_select_cert_success;
7423 });
7424
7425 ASSERT_TRUE(CreateClientAndServer());
7426 ASSERT_TRUE(CompleteHandshakesForQUIC());
7427 }
7428
7429 extern "C" {
7430 int BORINGSSL_enum_c_type_test(void);
7431 }
7432
TEST(SSLTest,EnumTypes)7433 TEST(SSLTest, EnumTypes) {
7434 EXPECT_EQ(sizeof(int), sizeof(ssl_private_key_result_t));
7435 EXPECT_EQ(1, BORINGSSL_enum_c_type_test());
7436 }
7437
TEST_P(SSLVersionTest,DoubleSSLError)7438 TEST_P(SSLVersionTest, DoubleSSLError) {
7439 // Connect the inner SSL connections.
7440 ASSERT_TRUE(Connect());
7441
7442 // Make a pair of |BIO|s which wrap |client_| and |server_|.
7443 UniquePtr<BIO_METHOD> bio_method(BIO_meth_new(0, nullptr));
7444 ASSERT_TRUE(bio_method);
7445 ASSERT_TRUE(BIO_meth_set_read(
7446 bio_method.get(), [](BIO *bio, char *out, int len) -> int {
7447 SSL *ssl = static_cast<SSL *>(BIO_get_data(bio));
7448 int ret = SSL_read(ssl, out, len);
7449 int ssl_ret = SSL_get_error(ssl, ret);
7450 if (ssl_ret == SSL_ERROR_WANT_READ) {
7451 BIO_set_retry_read(bio);
7452 }
7453 return ret;
7454 }));
7455 ASSERT_TRUE(BIO_meth_set_write(
7456 bio_method.get(), [](BIO *bio, const char *in, int len) -> int {
7457 SSL *ssl = static_cast<SSL *>(BIO_get_data(bio));
7458 int ret = SSL_write(ssl, in, len);
7459 int ssl_ret = SSL_get_error(ssl, ret);
7460 if (ssl_ret == SSL_ERROR_WANT_WRITE) {
7461 BIO_set_retry_write(bio);
7462 }
7463 return ret;
7464 }));
7465 ASSERT_TRUE(BIO_meth_set_ctrl(
7466 bio_method.get(), [](BIO *bio, int cmd, long larg, void *parg) -> long {
7467 // |SSL| objects require |BIO_flush| support.
7468 if (cmd == BIO_CTRL_FLUSH) {
7469 return 1;
7470 }
7471 return 0;
7472 }));
7473
7474 UniquePtr<BIO> client_bio(BIO_new(bio_method.get()));
7475 ASSERT_TRUE(client_bio);
7476 BIO_set_data(client_bio.get(), client_.get());
7477 BIO_set_init(client_bio.get(), 1);
7478
7479 UniquePtr<BIO> server_bio(BIO_new(bio_method.get()));
7480 ASSERT_TRUE(server_bio);
7481 BIO_set_data(server_bio.get(), server_.get());
7482 BIO_set_init(server_bio.get(), 1);
7483
7484 // Wrap the inner connections in another layer of SSL.
7485 UniquePtr<SSL> client_outer(SSL_new(client_ctx_.get()));
7486 ASSERT_TRUE(client_outer);
7487 SSL_set_connect_state(client_outer.get());
7488 SSL_set_bio(client_outer.get(), client_bio.get(), client_bio.get());
7489 client_bio.release(); // |SSL_set_bio| takes ownership.
7490
7491 UniquePtr<SSL> server_outer(SSL_new(server_ctx_.get()));
7492 ASSERT_TRUE(server_outer);
7493 SSL_set_accept_state(server_outer.get());
7494 SSL_set_bio(server_outer.get(), server_bio.get(), server_bio.get());
7495 server_bio.release(); // |SSL_set_bio| takes ownership.
7496
7497 // Configure |client_outer| to reject the server certificate.
7498 SSL_set_custom_verify(
7499 client_outer.get(), SSL_VERIFY_PEER,
7500 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
7501 return ssl_verify_invalid;
7502 });
7503
7504 for (;;) {
7505 int client_ret = SSL_do_handshake(client_outer.get());
7506 int client_err = SSL_get_error(client_outer.get(), client_ret);
7507 if (client_err != SSL_ERROR_WANT_READ &&
7508 client_err != SSL_ERROR_WANT_WRITE) {
7509 // The client handshake should terminate on a certificate verification
7510 // error.
7511 EXPECT_EQ(SSL_ERROR_SSL, client_err);
7512 uint32_t err = ERR_peek_error();
7513 EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err));
7514 EXPECT_EQ(SSL_R_CERTIFICATE_VERIFY_FAILED, ERR_GET_REASON(err));
7515 break;
7516 }
7517
7518 // Run the server handshake and continue.
7519 int server_ret = SSL_do_handshake(server_outer.get());
7520 int server_err = SSL_get_error(server_outer.get(), server_ret);
7521 ASSERT_TRUE(server_err == SSL_ERROR_NONE ||
7522 server_err == SSL_ERROR_WANT_READ ||
7523 server_err == SSL_ERROR_WANT_WRITE);
7524 }
7525 }
7526
TEST_P(SSLVersionTest,SameKeyResume)7527 TEST_P(SSLVersionTest, SameKeyResume) {
7528 uint8_t key[48];
7529 RAND_bytes(key, sizeof(key));
7530
7531 bssl::UniquePtr<SSL_CTX> server_ctx2 = CreateContext();
7532 ASSERT_TRUE(server_ctx2);
7533 ASSERT_TRUE(UseCertAndKey(server_ctx2.get()));
7534 ASSERT_TRUE(
7535 SSL_CTX_set_tlsext_ticket_keys(server_ctx_.get(), key, sizeof(key)));
7536 ASSERT_TRUE(
7537 SSL_CTX_set_tlsext_ticket_keys(server_ctx2.get(), key, sizeof(key)));
7538
7539 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
7540 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
7541 SSL_CTX_set_session_cache_mode(server_ctx2.get(), SSL_SESS_CACHE_BOTH);
7542
7543 // Establish a session for |server_ctx_|.
7544 bssl::UniquePtr<SSL_SESSION> session =
7545 CreateClientSession(client_ctx_.get(), server_ctx_.get());
7546 ASSERT_TRUE(session);
7547 ClientConfig config;
7548 config.session = session.get();
7549
7550 // Resuming with |server_ctx_| again works.
7551 bssl::UniquePtr<SSL> client, server;
7552 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
7553 server_ctx_.get(), config));
7554 EXPECT_TRUE(SSL_session_reused(client.get()));
7555 EXPECT_TRUE(SSL_session_reused(server.get()));
7556
7557 // Resuming with |server_ctx2| also works.
7558 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
7559 server_ctx2.get(), config));
7560 EXPECT_TRUE(SSL_session_reused(client.get()));
7561 EXPECT_TRUE(SSL_session_reused(server.get()));
7562 }
7563
TEST_P(SSLVersionTest,DifferentKeyNoResume)7564 TEST_P(SSLVersionTest, DifferentKeyNoResume) {
7565 uint8_t key1[48], key2[48];
7566 RAND_bytes(key1, sizeof(key1));
7567 RAND_bytes(key2, sizeof(key2));
7568
7569 bssl::UniquePtr<SSL_CTX> server_ctx2 = CreateContext();
7570 ASSERT_TRUE(server_ctx2);
7571 ASSERT_TRUE(UseCertAndKey(server_ctx2.get()));
7572 ASSERT_TRUE(
7573 SSL_CTX_set_tlsext_ticket_keys(server_ctx_.get(), key1, sizeof(key1)));
7574 ASSERT_TRUE(
7575 SSL_CTX_set_tlsext_ticket_keys(server_ctx2.get(), key2, sizeof(key2)));
7576
7577 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
7578 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
7579 SSL_CTX_set_session_cache_mode(server_ctx2.get(), SSL_SESS_CACHE_BOTH);
7580
7581 // Establish a session for |server_ctx_|.
7582 bssl::UniquePtr<SSL_SESSION> session =
7583 CreateClientSession(client_ctx_.get(), server_ctx_.get());
7584 ASSERT_TRUE(session);
7585 ClientConfig config;
7586 config.session = session.get();
7587
7588 // Resuming with |server_ctx_| again works.
7589 bssl::UniquePtr<SSL> client, server;
7590 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
7591 server_ctx_.get(), config));
7592 EXPECT_TRUE(SSL_session_reused(client.get()));
7593 EXPECT_TRUE(SSL_session_reused(server.get()));
7594
7595 // Resuming with |server_ctx2| does not work.
7596 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
7597 server_ctx2.get(), config));
7598 EXPECT_FALSE(SSL_session_reused(client.get()));
7599 EXPECT_FALSE(SSL_session_reused(server.get()));
7600 }
7601
TEST_P(SSLVersionTest,UnrelatedServerNoResume)7602 TEST_P(SSLVersionTest, UnrelatedServerNoResume) {
7603 bssl::UniquePtr<SSL_CTX> server_ctx2 = CreateContext();
7604 ASSERT_TRUE(server_ctx2);
7605 ASSERT_TRUE(UseCertAndKey(server_ctx2.get()));
7606
7607 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
7608 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
7609 SSL_CTX_set_session_cache_mode(server_ctx2.get(), SSL_SESS_CACHE_BOTH);
7610
7611 // Establish a session for |server_ctx_|.
7612 bssl::UniquePtr<SSL_SESSION> session =
7613 CreateClientSession(client_ctx_.get(), server_ctx_.get());
7614 ASSERT_TRUE(session);
7615 ClientConfig config;
7616 config.session = session.get();
7617
7618 // Resuming with |server_ctx_| again works.
7619 bssl::UniquePtr<SSL> client, server;
7620 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
7621 server_ctx_.get(), config));
7622 EXPECT_TRUE(SSL_session_reused(client.get()));
7623 EXPECT_TRUE(SSL_session_reused(server.get()));
7624
7625 // Resuming with |server_ctx2| does not work.
7626 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
7627 server_ctx2.get(), config));
7628 EXPECT_FALSE(SSL_session_reused(client.get()));
7629 EXPECT_FALSE(SSL_session_reused(server.get()));
7630 }
7631
SessionIDOf(const SSL * ssl)7632 Span<const uint8_t> SessionIDOf(const SSL* ssl) {
7633 const SSL_SESSION *session = SSL_get_session(ssl);
7634 unsigned len;
7635 const uint8_t *data = SSL_SESSION_get_id(session, &len);
7636 return MakeConstSpan(data, len);
7637 }
7638
TEST_P(SSLVersionTest,TicketSessionIDsMatch)7639 TEST_P(SSLVersionTest, TicketSessionIDsMatch) {
7640 // This checks that the session IDs at client and server match after a ticket
7641 // resumption. It's unclear whether this should be true, but Envoy depends
7642 // on it in their tests so this will give an early signal if we break it.
7643 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
7644 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
7645
7646 bssl::UniquePtr<SSL_SESSION> session =
7647 CreateClientSession(client_ctx_.get(), server_ctx_.get());
7648
7649 bssl::UniquePtr<SSL> client, server;
7650 ClientConfig config;
7651 config.session = session.get();
7652 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
7653 server_ctx_.get(), config));
7654 EXPECT_TRUE(SSL_session_reused(client.get()));
7655 EXPECT_TRUE(SSL_session_reused(server.get()));
7656
7657 EXPECT_EQ(Bytes(SessionIDOf(client.get())), Bytes(SessionIDOf(server.get())));
7658 }
7659
WriteHelloRequest(SSL * server)7660 static void WriteHelloRequest(SSL *server) {
7661 // This function assumes TLS 1.2 with ChaCha20-Poly1305.
7662 ASSERT_EQ(SSL_version(server), TLS1_2_VERSION);
7663 ASSERT_EQ(SSL_CIPHER_get_cipher_nid(SSL_get_current_cipher(server)),
7664 NID_chacha20_poly1305);
7665
7666 // Encrypt a HelloRequest.
7667 uint8_t in[] = {SSL3_MT_HELLO_REQUEST, 0, 0, 0};
7668 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
7669 // Fuzzer-mode records are unencrypted.
7670 uint8_t record[5 + sizeof(in)];
7671 record[0] = SSL3_RT_HANDSHAKE;
7672 record[1] = 3;
7673 record[2] = 3; // TLS 1.2
7674 record[3] = 0;
7675 record[4] = sizeof(record) - 5;
7676 memcpy(record + 5, in, sizeof(in));
7677 #else
7678 // Extract key material from |server|.
7679 static const size_t kKeyLen = 32;
7680 static const size_t kNonceLen = 12;
7681 ASSERT_EQ(2u * (kKeyLen + kNonceLen), SSL_get_key_block_len(server));
7682 uint8_t key_block[2u * (kKeyLen + kNonceLen)];
7683 ASSERT_TRUE(SSL_generate_key_block(server, key_block, sizeof(key_block)));
7684 Span<uint8_t> key = MakeSpan(key_block + kKeyLen, kKeyLen);
7685 Span<uint8_t> nonce =
7686 MakeSpan(key_block + kKeyLen + kKeyLen + kNonceLen, kNonceLen);
7687
7688 uint8_t ad[13];
7689 uint64_t seq = SSL_get_write_sequence(server);
7690 for (size_t i = 0; i < 8; i++) {
7691 // The nonce is XORed with the sequence number.
7692 nonce[11 - i] ^= uint8_t(seq);
7693 ad[7 - i] = uint8_t(seq);
7694 seq >>= 8;
7695 }
7696
7697 ad[8] = SSL3_RT_HANDSHAKE;
7698 ad[9] = 3;
7699 ad[10] = 3; // TLS 1.2
7700 ad[11] = 0;
7701 ad[12] = sizeof(in);
7702
7703 uint8_t record[5 + sizeof(in) + 16];
7704 record[0] = SSL3_RT_HANDSHAKE;
7705 record[1] = 3;
7706 record[2] = 3; // TLS 1.2
7707 record[3] = 0;
7708 record[4] = sizeof(record) - 5;
7709
7710 ScopedEVP_AEAD_CTX aead;
7711 ASSERT_TRUE(EVP_AEAD_CTX_init(aead.get(), EVP_aead_chacha20_poly1305(),
7712 key.data(), key.size(),
7713 EVP_AEAD_DEFAULT_TAG_LENGTH, nullptr));
7714 size_t len;
7715 ASSERT_TRUE(EVP_AEAD_CTX_seal(aead.get(), record + 5, &len,
7716 sizeof(record) - 5, nonce.data(), nonce.size(),
7717 in, sizeof(in), ad, sizeof(ad)));
7718 ASSERT_EQ(sizeof(record) - 5, len);
7719 #endif // BORINGSSL_UNSAFE_FUZZER_MODE
7720
7721 ASSERT_EQ(int(sizeof(record)),
7722 BIO_write(SSL_get_wbio(server), record, sizeof(record)));
7723 }
7724
TEST(SSLTest,WriteWhileExplicitRenegotiate)7725 TEST(SSLTest, WriteWhileExplicitRenegotiate) {
7726 bssl::UniquePtr<SSL_CTX> ctx(CreateContextWithTestCertificate(TLS_method()));
7727 ASSERT_TRUE(ctx);
7728
7729 ASSERT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_2_VERSION));
7730 ASSERT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_2_VERSION));
7731 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(
7732 ctx.get(), "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"));
7733
7734 bssl::UniquePtr<SSL> client, server;
7735 ASSERT_TRUE(CreateClientAndServer(&client, &server, ctx.get(), ctx.get()));
7736 SSL_set_renegotiate_mode(client.get(), ssl_renegotiate_explicit);
7737 ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
7738
7739 static const uint8_t kInput[] = {'h', 'e', 'l', 'l', 'o'};
7740
7741 // Write "hello" until the buffer is full, so |client| has a pending write.
7742 size_t num_writes = 0;
7743 for (;;) {
7744 int ret = SSL_write(client.get(), kInput, sizeof(kInput));
7745 if (ret != int(sizeof(kInput))) {
7746 ASSERT_EQ(-1, ret);
7747 ASSERT_EQ(SSL_ERROR_WANT_WRITE, SSL_get_error(client.get(), ret));
7748 break;
7749 }
7750 num_writes++;
7751 }
7752
7753 ASSERT_NO_FATAL_FAILURE(WriteHelloRequest(server.get()));
7754
7755 // |SSL_read| should pick up the HelloRequest.
7756 uint8_t byte;
7757 ASSERT_EQ(-1, SSL_read(client.get(), &byte, 1));
7758 ASSERT_EQ(SSL_ERROR_WANT_RENEGOTIATE, SSL_get_error(client.get(), -1));
7759
7760 // Drain the data from the |client|.
7761 uint8_t buf[sizeof(kInput)];
7762 for (size_t i = 0; i < num_writes; i++) {
7763 ASSERT_EQ(int(sizeof(buf)), SSL_read(server.get(), buf, sizeof(buf)));
7764 EXPECT_EQ(Bytes(buf), Bytes(kInput));
7765 }
7766
7767 // |client| should be able to finish the pending write and continue to write,
7768 // despite the paused HelloRequest.
7769 ASSERT_EQ(int(sizeof(kInput)),
7770 SSL_write(client.get(), kInput, sizeof(kInput)));
7771 ASSERT_EQ(int(sizeof(buf)), SSL_read(server.get(), buf, sizeof(buf)));
7772 EXPECT_EQ(Bytes(buf), Bytes(kInput));
7773
7774 ASSERT_EQ(int(sizeof(kInput)),
7775 SSL_write(client.get(), kInput, sizeof(kInput)));
7776 ASSERT_EQ(int(sizeof(buf)), SSL_read(server.get(), buf, sizeof(buf)));
7777 EXPECT_EQ(Bytes(buf), Bytes(kInput));
7778
7779 // |SSL_read| is stuck until we acknowledge the HelloRequest.
7780 ASSERT_EQ(-1, SSL_read(client.get(), &byte, 1));
7781 ASSERT_EQ(SSL_ERROR_WANT_RENEGOTIATE, SSL_get_error(client.get(), -1));
7782
7783 ASSERT_TRUE(SSL_renegotiate(client.get()));
7784 ASSERT_EQ(-1, SSL_read(client.get(), &byte, 1));
7785 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(client.get(), -1));
7786
7787 // We never renegotiate as a server.
7788 ASSERT_EQ(-1, SSL_read(server.get(), buf, sizeof(buf)));
7789 ASSERT_EQ(SSL_ERROR_SSL, SSL_get_error(server.get(), -1));
7790 uint32_t err = ERR_get_error();
7791 EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err));
7792 EXPECT_EQ(SSL_R_NO_RENEGOTIATION, ERR_GET_REASON(err));
7793 }
7794
TEST(SSLTest,ConnectionPropertiesDuringRenegotiate)7795 TEST(SSLTest, ConnectionPropertiesDuringRenegotiate) {
7796 // Configure known connection properties, so we can check against them.
7797 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
7798 ASSERT_TRUE(ctx);
7799 bssl::UniquePtr<X509> cert = GetTestCertificate();
7800 ASSERT_TRUE(cert);
7801 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
7802 ASSERT_TRUE(key);
7803 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), cert.get()));
7804 ASSERT_TRUE(SSL_CTX_use_PrivateKey(ctx.get(), key.get()));
7805 ASSERT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_2_VERSION));
7806 ASSERT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_2_VERSION));
7807 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(
7808 ctx.get(), "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"));
7809 ASSERT_TRUE(SSL_CTX_set1_groups_list(ctx.get(), "X25519"));
7810 ASSERT_TRUE(SSL_CTX_set1_sigalgs_list(ctx.get(), "rsa_pkcs1_sha256"));
7811
7812 // Connect a client and server that accept renegotiation.
7813 bssl::UniquePtr<SSL> client, server;
7814 ASSERT_TRUE(CreateClientAndServer(&client, &server, ctx.get(), ctx.get()));
7815 SSL_set_renegotiate_mode(client.get(), ssl_renegotiate_freely);
7816 ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
7817
7818 auto check_properties = [&] {
7819 EXPECT_EQ(SSL_version(client.get()), TLS1_2_VERSION);
7820 const SSL_CIPHER *cipher = SSL_get_current_cipher(client.get());
7821 ASSERT_TRUE(cipher);
7822 EXPECT_EQ(SSL_CIPHER_get_id(cipher),
7823 uint32_t{TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256});
7824 EXPECT_EQ(SSL_get_group_id(client.get()), SSL_GROUP_X25519);
7825 EXPECT_EQ(SSL_get_negotiated_group(client.get()), NID_X25519);
7826 EXPECT_EQ(SSL_get_peer_signature_algorithm(client.get()),
7827 SSL_SIGN_RSA_PKCS1_SHA256);
7828 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(client.get()));
7829 ASSERT_TRUE(peer);
7830 EXPECT_EQ(X509_cmp(cert.get(), peer.get()), 0);
7831 };
7832 check_properties();
7833
7834 // The server sends a HelloRequest.
7835 ASSERT_NO_FATAL_FAILURE(WriteHelloRequest(server.get()));
7836
7837 // Reading from the client will consume the HelloRequest, start a
7838 // renegotiation, and then block on a ServerHello from the server.
7839 uint8_t byte;
7840 ASSERT_EQ(-1, SSL_read(client.get(), &byte, 1));
7841 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(client.get(), -1));
7842
7843 // Connection properties should continue to report values from the original
7844 // handshake.
7845 check_properties();
7846 }
7847
TEST(SSLTest,CopyWithoutEarlyData)7848 TEST(SSLTest, CopyWithoutEarlyData) {
7849 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
7850 bssl::UniquePtr<SSL_CTX> server_ctx(
7851 CreateContextWithTestCertificate(TLS_method()));
7852 ASSERT_TRUE(client_ctx);
7853 ASSERT_TRUE(server_ctx);
7854
7855 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
7856 SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH);
7857 SSL_CTX_set_early_data_enabled(client_ctx.get(), 1);
7858 SSL_CTX_set_early_data_enabled(server_ctx.get(), 1);
7859
7860 bssl::UniquePtr<SSL_SESSION> session =
7861 CreateClientSession(client_ctx.get(), server_ctx.get());
7862 ASSERT_TRUE(session);
7863
7864 // The client should attempt early data with |session|.
7865 bssl::UniquePtr<SSL> client, server;
7866 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
7867 server_ctx.get()));
7868 SSL_set_session(client.get(), session.get());
7869 SSL_set_early_data_enabled(client.get(), 1);
7870 ASSERT_EQ(1, SSL_do_handshake(client.get()));
7871 EXPECT_TRUE(SSL_in_early_data(client.get()));
7872
7873 // |SSL_SESSION_copy_without_early_data| should disable early data but
7874 // still resume the session.
7875 bssl::UniquePtr<SSL_SESSION> session2(
7876 SSL_SESSION_copy_without_early_data(session.get()));
7877 ASSERT_TRUE(session2);
7878 EXPECT_NE(session.get(), session2.get());
7879 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
7880 server_ctx.get()));
7881 SSL_set_session(client.get(), session2.get());
7882 SSL_set_early_data_enabled(client.get(), 1);
7883 EXPECT_TRUE(CompleteHandshakes(client.get(), server.get()));
7884 EXPECT_TRUE(SSL_session_reused(client.get()));
7885 EXPECT_EQ(ssl_early_data_unsupported_for_session,
7886 SSL_get_early_data_reason(client.get()));
7887
7888 // |SSL_SESSION_copy_without_early_data| should be a reference count increase
7889 // when passed an early-data-incapable session.
7890 bssl::UniquePtr<SSL_SESSION> session3(
7891 SSL_SESSION_copy_without_early_data(session2.get()));
7892 EXPECT_EQ(session2.get(), session3.get());
7893 }
7894
TEST(SSLTest,ProcessTLS13NewSessionTicket)7895 TEST(SSLTest, ProcessTLS13NewSessionTicket) {
7896 // Configure client and server to negotiate TLS 1.3 only.
7897 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
7898 bssl::UniquePtr<SSL_CTX> server_ctx(
7899 CreateContextWithTestCertificate(TLS_method()));
7900 ASSERT_TRUE(client_ctx);
7901 ASSERT_TRUE(server_ctx);
7902 ASSERT_TRUE(SSL_CTX_set_min_proto_version(client_ctx.get(), TLS1_3_VERSION));
7903 ASSERT_TRUE(SSL_CTX_set_min_proto_version(server_ctx.get(), TLS1_3_VERSION));
7904 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION));
7905 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
7906
7907 bssl::UniquePtr<SSL> client, server;
7908 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
7909 server_ctx.get()));
7910 EXPECT_EQ(TLS1_3_VERSION, SSL_version(client.get()));
7911
7912 // Process a TLS 1.3 NewSessionTicket.
7913 static const uint8_t kTicket[] = {
7914 0x04, 0x00, 0x00, 0xb2, 0x00, 0x02, 0xa3, 0x00, 0x04, 0x03, 0x02, 0x01,
7915 0x01, 0x00, 0x00, 0xa0, 0x01, 0x06, 0x09, 0x11, 0x16, 0x19, 0x21, 0x26,
7916 0x29, 0x31, 0x36, 0x39, 0x41, 0x46, 0x49, 0x51, 0x03, 0x06, 0x09, 0x13,
7917 0x16, 0x19, 0x23, 0x26, 0x29, 0x33, 0x36, 0x39, 0x43, 0x46, 0x49, 0x53,
7918 0xf7, 0x00, 0x29, 0xec, 0xf2, 0xc4, 0xa4, 0x41, 0xfc, 0x30, 0x17, 0x2e,
7919 0x9f, 0x7c, 0xa8, 0xaf, 0x75, 0x70, 0xf0, 0x1f, 0xc7, 0x98, 0xf7, 0xcf,
7920 0x5a, 0x5a, 0x6b, 0x5b, 0xfe, 0xf1, 0xe7, 0x3a, 0xe8, 0xf7, 0x6c, 0xd2,
7921 0xa8, 0xa6, 0x92, 0x5b, 0x96, 0x8d, 0xde, 0xdb, 0xd3, 0x20, 0x6a, 0xcb,
7922 0x69, 0x06, 0xf4, 0x91, 0x85, 0x2e, 0xe6, 0x5e, 0x0c, 0x59, 0xf2, 0x9e,
7923 0x9b, 0x79, 0x91, 0x24, 0x7e, 0x4a, 0x32, 0x3d, 0xbe, 0x4b, 0x80, 0x70,
7924 0xaf, 0xd0, 0x1d, 0xe2, 0xca, 0x05, 0x35, 0x09, 0x09, 0x05, 0x0f, 0xbb,
7925 0xc4, 0xae, 0xd7, 0xc4, 0xed, 0xd7, 0xae, 0x35, 0xc8, 0x73, 0x63, 0x78,
7926 0x64, 0xc9, 0x7a, 0x1f, 0xed, 0x7a, 0x9a, 0x47, 0x44, 0xfd, 0x50, 0xf7,
7927 0xb7, 0xe0, 0x64, 0xa9, 0x02, 0xc1, 0x5c, 0x23, 0x18, 0x3f, 0xc4, 0xcf,
7928 0x72, 0x02, 0x59, 0x2d, 0xe1, 0xaa, 0x61, 0x72, 0x00, 0x04, 0x5a, 0x5a,
7929 0x00, 0x00,
7930 };
7931 bssl::UniquePtr<SSL_SESSION> session(SSL_process_tls13_new_session_ticket(
7932 client.get(), kTicket, sizeof(kTicket)));
7933 ASSERT_TRUE(session);
7934 ASSERT_TRUE(SSL_SESSION_has_ticket(session.get()));
7935
7936 uint8_t *session_buf = nullptr;
7937 size_t session_length = 0;
7938 ASSERT_TRUE(
7939 SSL_SESSION_to_bytes(session.get(), &session_buf, &session_length));
7940 bssl::UniquePtr<uint8_t> session_buf_free(session_buf);
7941 ASSERT_TRUE(session_buf);
7942 ASSERT_GT(session_length, 0u);
7943
7944 // Servers cannot call |SSL_process_tls13_new_session_ticket|.
7945 ASSERT_FALSE(SSL_process_tls13_new_session_ticket(server.get(), kTicket,
7946 sizeof(kTicket)));
7947
7948 // Clients cannot call |SSL_process_tls13_new_session_ticket| before the
7949 // handshake completes.
7950 bssl::UniquePtr<SSL> client2(SSL_new(client_ctx.get()));
7951 ASSERT_TRUE(client2);
7952 SSL_set_connect_state(client2.get());
7953 ASSERT_FALSE(SSL_process_tls13_new_session_ticket(client2.get(), kTicket,
7954 sizeof(kTicket)));
7955 }
7956
TEST(SSLTest,BIO)7957 TEST(SSLTest, BIO) {
7958 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
7959 bssl::UniquePtr<SSL_CTX> server_ctx(
7960 CreateContextWithTestCertificate(TLS_method()));
7961 ASSERT_TRUE(client_ctx);
7962 ASSERT_TRUE(server_ctx);
7963
7964 for (bool take_ownership : {true, false}) {
7965 // For simplicity, get the handshake out of the way first.
7966 bssl::UniquePtr<SSL> client, server;
7967 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
7968 server_ctx.get()));
7969
7970 // Wrap |client| in an SSL BIO.
7971 bssl::UniquePtr<BIO> client_bio(BIO_new(BIO_f_ssl()));
7972 ASSERT_TRUE(client_bio);
7973 ASSERT_EQ(1, BIO_set_ssl(client_bio.get(), client.get(), take_ownership));
7974 if (take_ownership) {
7975 client.release();
7976 }
7977
7978 // Flushing the BIO should not crash.
7979 EXPECT_EQ(1, BIO_flush(client_bio.get()));
7980
7981 // Exchange some data.
7982 EXPECT_EQ(5, BIO_write(client_bio.get(), "hello", 5));
7983 uint8_t buf[5];
7984 ASSERT_EQ(5, SSL_read(server.get(), buf, sizeof(buf)));
7985 EXPECT_EQ(Bytes("hello"), Bytes(buf));
7986
7987 EXPECT_EQ(5, SSL_write(server.get(), "world", 5));
7988 ASSERT_EQ(5, BIO_read(client_bio.get(), buf, sizeof(buf)));
7989 EXPECT_EQ(Bytes("world"), Bytes(buf));
7990
7991 // |BIO_should_read| should work.
7992 EXPECT_EQ(-1, BIO_read(client_bio.get(), buf, sizeof(buf)));
7993 EXPECT_TRUE(BIO_should_read(client_bio.get()));
7994
7995 // Writing data should eventually exceed the buffer size and fail, reporting
7996 // |BIO_should_write|.
7997 int ret;
7998 for (int i = 0; i < 1024; i++) {
7999 const uint8_t kZeros[1024] = {0};
8000 ret = BIO_write(client_bio.get(), kZeros, sizeof(kZeros));
8001 if (ret <= 0) {
8002 break;
8003 }
8004 }
8005 EXPECT_EQ(-1, ret);
8006 EXPECT_TRUE(BIO_should_write(client_bio.get()));
8007 }
8008 }
8009
TEST(SSLTest,ALPNConfig)8010 TEST(SSLTest, ALPNConfig) {
8011 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
8012 ASSERT_TRUE(ctx);
8013 bssl::UniquePtr<X509> cert = GetTestCertificate();
8014 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
8015 ASSERT_TRUE(cert);
8016 ASSERT_TRUE(key);
8017 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), cert.get()));
8018 ASSERT_TRUE(SSL_CTX_use_PrivateKey(ctx.get(), key.get()));
8019
8020 // Set up some machinery to check the configured ALPN against what is actually
8021 // sent over the wire. Note that the ALPN callback is only called when the
8022 // client offers ALPN.
8023 std::vector<uint8_t> observed_alpn;
8024 SSL_CTX_set_alpn_select_cb(
8025 ctx.get(),
8026 [](SSL *ssl, const uint8_t **out, uint8_t *out_len, const uint8_t *in,
8027 unsigned in_len, void *arg) -> int {
8028 std::vector<uint8_t> *observed_alpn_ptr =
8029 static_cast<std::vector<uint8_t> *>(arg);
8030 observed_alpn_ptr->assign(in, in + in_len);
8031 return SSL_TLSEXT_ERR_NOACK;
8032 },
8033 &observed_alpn);
8034 auto check_alpn_proto = [&](Span<const uint8_t> expected) {
8035 observed_alpn.clear();
8036 bssl::UniquePtr<SSL> client, server;
8037 ASSERT_TRUE(ConnectClientAndServer(&client, &server, ctx.get(), ctx.get()));
8038 EXPECT_EQ(Bytes(expected), Bytes(observed_alpn));
8039 };
8040
8041 // Note that |SSL_CTX_set_alpn_protos|'s return value is reversed.
8042 static const uint8_t kValidList[] = {0x03, 'f', 'o', 'o',
8043 0x03, 'b', 'a', 'r'};
8044 EXPECT_EQ(0,
8045 SSL_CTX_set_alpn_protos(ctx.get(), kValidList, sizeof(kValidList)));
8046 check_alpn_proto(kValidList);
8047
8048 // Invalid lists are rejected.
8049 static const uint8_t kInvalidList[] = {0x04, 'f', 'o', 'o'};
8050 EXPECT_EQ(1, SSL_CTX_set_alpn_protos(ctx.get(), kInvalidList,
8051 sizeof(kInvalidList)));
8052
8053 // Empty lists are valid and are interpreted as disabling ALPN.
8054 EXPECT_EQ(0, SSL_CTX_set_alpn_protos(ctx.get(), nullptr, 0));
8055 check_alpn_proto({});
8056 }
8057
8058 // This is a basic unit-test class to verify completing handshake successfully,
8059 // sending the correct codepoint extension and having correct application
8060 // setting on different combination of ALPS codepoint settings. More integration
8061 // tests on runner.go.
8062 class AlpsNewCodepointTest : public testing::Test {
8063 protected:
SetUp()8064 void SetUp() override {
8065 client_ctx_.reset(SSL_CTX_new(TLS_method()));
8066 server_ctx_ = CreateContextWithTestCertificate(TLS_method());
8067 ASSERT_TRUE(client_ctx_);
8068 ASSERT_TRUE(server_ctx_);
8069 }
8070
SetUpApplicationSetting()8071 void SetUpApplicationSetting() {
8072 static const uint8_t alpn[] = {0x03, 'f', 'o', 'o'};
8073 static const uint8_t proto[] = {'f', 'o', 'o'};
8074 static const uint8_t alps[] = {0x04, 'a', 'l', 'p', 's'};
8075 // SSL_set_alpn_protos's return value is backwards. It returns zero on
8076 // success and one on failure.
8077 ASSERT_FALSE(SSL_set_alpn_protos(client_.get(), alpn, sizeof(alpn)));
8078 SSL_CTX_set_alpn_select_cb(
8079 server_ctx_.get(),
8080 [](SSL *ssl, const uint8_t **out, uint8_t *out_len, const uint8_t *in,
8081 unsigned in_len, void *arg) -> int {
8082 return SSL_select_next_proto(
8083 const_cast<uint8_t **>(out), out_len, in, in_len,
8084 alpn, sizeof(alpn)) == OPENSSL_NPN_NEGOTIATED
8085 ? SSL_TLSEXT_ERR_OK
8086 : SSL_TLSEXT_ERR_NOACK;
8087 },
8088 nullptr);
8089 ASSERT_TRUE(SSL_add_application_settings(client_.get(), proto,
8090 sizeof(proto), nullptr, 0));
8091 ASSERT_TRUE(SSL_add_application_settings(server_.get(), proto,
8092 sizeof(proto), alps, sizeof(alps)));
8093 }
8094
8095 bssl::UniquePtr<SSL_CTX> client_ctx_;
8096 bssl::UniquePtr<SSL_CTX> server_ctx_;
8097
8098 bssl::UniquePtr<SSL> client_;
8099 bssl::UniquePtr<SSL> server_;
8100 };
8101
TEST_F(AlpsNewCodepointTest,Enabled)8102 TEST_F(AlpsNewCodepointTest, Enabled) {
8103 SetUpExpectedNewCodePoint(server_ctx_.get());
8104
8105 ASSERT_TRUE(CreateClientAndServer(&client_, &server_, client_ctx_.get(),
8106 server_ctx_.get()));
8107
8108 SSL_set_alps_use_new_codepoint(client_.get(), 1);
8109 SSL_set_alps_use_new_codepoint(server_.get(), 1);
8110
8111 SetUpApplicationSetting();
8112 ASSERT_TRUE(CompleteHandshakes(client_.get(), server_.get()));
8113 ASSERT_TRUE(SSL_has_application_settings(client_.get()));
8114 }
8115
TEST_F(AlpsNewCodepointTest,Disabled)8116 TEST_F(AlpsNewCodepointTest, Disabled) {
8117 // Both client and server disable alps new codepoint.
8118 SetUpExpectedOldCodePoint(server_ctx_.get());
8119
8120 ASSERT_TRUE(CreateClientAndServer(&client_, &server_, client_ctx_.get(),
8121 server_ctx_.get()));
8122
8123 SSL_set_alps_use_new_codepoint(client_.get(), 0);
8124 SSL_set_alps_use_new_codepoint(server_.get(), 0);
8125
8126 SetUpApplicationSetting();
8127 ASSERT_TRUE(CompleteHandshakes(client_.get(), server_.get()));
8128 ASSERT_TRUE(SSL_has_application_settings(client_.get()));
8129 }
8130
TEST_F(AlpsNewCodepointTest,ClientOnly)8131 TEST_F(AlpsNewCodepointTest, ClientOnly) {
8132 // If client set new codepoint but server doesn't set, server ignores it.
8133 SetUpExpectedNewCodePoint(server_ctx_.get());
8134
8135 ASSERT_TRUE(CreateClientAndServer(&client_, &server_, client_ctx_.get(),
8136 server_ctx_.get()));
8137
8138 SSL_set_alps_use_new_codepoint(client_.get(), 1);
8139 SSL_set_alps_use_new_codepoint(server_.get(), 0);
8140
8141 SetUpApplicationSetting();
8142 ASSERT_TRUE(CompleteHandshakes(client_.get(), server_.get()));
8143 ASSERT_FALSE(SSL_has_application_settings(client_.get()));
8144 }
8145
TEST_F(AlpsNewCodepointTest,ServerOnly)8146 TEST_F(AlpsNewCodepointTest, ServerOnly) {
8147 // If client doesn't set new codepoint, while server set.
8148 SetUpExpectedOldCodePoint(server_ctx_.get());
8149
8150 ASSERT_TRUE(CreateClientAndServer(&client_, &server_, client_ctx_.get(),
8151 server_ctx_.get()));
8152
8153 SSL_set_alps_use_new_codepoint(client_.get(), 0);
8154 SSL_set_alps_use_new_codepoint(server_.get(), 1);
8155
8156 SetUpApplicationSetting();
8157 ASSERT_TRUE(CompleteHandshakes(client_.get(), server_.get()));
8158 ASSERT_FALSE(SSL_has_application_settings(client_.get()));
8159 }
8160
8161 // Test that the key usage checker can correctly handle issuerUID and
8162 // subjectUID. See https://crbug.com/1199744.
TEST(SSLTest,KeyUsageWithUIDs)8163 TEST(SSLTest, KeyUsageWithUIDs) {
8164 static const char kGoodKeyUsage[] = R"(
8165 -----BEGIN CERTIFICATE-----
8166 MIIB7DCCAZOgAwIBAgIJANlMBNpJfb/rMAoGCCqGSM49BAMCMEUxCzAJBgNVBAYT
8167 AkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRn
8168 aXRzIFB0eSBMdGQwHhcNMTQwNDIzMjMyMTU3WhcNMTQwNTIzMjMyMTU3WjBFMQsw
8169 CQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJu
8170 ZXQgV2lkZ2l0cyBQdHkgTHRkMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE5itp
8171 4r9ln5e+Lx4NlIpM1Zdrt6keDUb73ampHp3culoB59aXqAoY+cPEox5W4nyDSNsW
8172 Ghz1HX7xlC1Lz3IiwYEEABI0VoIEABI0VqNgMF4wHQYDVR0OBBYEFKuE0qyrlfCC
8173 ThZ4B1VXX+QmjYLRMB8GA1UdIwQYMBaAFKuE0qyrlfCCThZ4B1VXX+QmjYLRMA4G
8174 A1UdDwEB/wQEAwIHgDAMBgNVHRMEBTADAQH/MAoGCCqGSM49BAMCA0cAMEQCIEWJ
8175 34EcqW5MHwLIA1hZ2Tj/jV2QjN02KLxis9mFsqDKAiAMlMTkzsM51vVs9Ohqa+Rc
8176 4Z7qDhjIhiF4dM0uEDYRVA==
8177 -----END CERTIFICATE-----
8178 )";
8179 static const char kBadKeyUsage[] = R"(
8180 -----BEGIN CERTIFICATE-----
8181 MIIB7jCCAZOgAwIBAgIJANlMBNpJfb/rMAoGCCqGSM49BAMCMEUxCzAJBgNVBAYT
8182 AkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRn
8183 aXRzIFB0eSBMdGQwHhcNMTQwNDIzMjMyMTU3WhcNMTQwNTIzMjMyMTU3WjBFMQsw
8184 CQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJu
8185 ZXQgV2lkZ2l0cyBQdHkgTHRkMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE5itp
8186 4r9ln5e+Lx4NlIpM1Zdrt6keDUb73ampHp3culoB59aXqAoY+cPEox5W4nyDSNsW
8187 Ghz1HX7xlC1Lz3IiwYEEABI0VoIEABI0VqNgMF4wHQYDVR0OBBYEFKuE0qyrlfCC
8188 ThZ4B1VXX+QmjYLRMB8GA1UdIwQYMBaAFKuE0qyrlfCCThZ4B1VXX+QmjYLRMA4G
8189 A1UdDwEB/wQEAwIDCDAMBgNVHRMEBTADAQH/MAoGCCqGSM49BAMCA0kAMEYCIQC6
8190 taYBUDu2gcZC6EMk79FBHArYI0ucF+kzvETegZCbBAIhANtObFec5gtso/47moPD
8191 RHrQbWsFUakETXL9QMlegh5t
8192 -----END CERTIFICATE-----
8193 )";
8194
8195 bssl::UniquePtr<X509> good = CertFromPEM(kGoodKeyUsage);
8196 ASSERT_TRUE(good);
8197 bssl::UniquePtr<X509> bad = CertFromPEM(kBadKeyUsage);
8198 ASSERT_TRUE(bad);
8199
8200 // We check key usage when configuring EC certificates to distinguish ECDSA
8201 // and ECDH.
8202 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
8203 ASSERT_TRUE(ctx);
8204 EXPECT_TRUE(SSL_CTX_use_certificate(ctx.get(), good.get()));
8205 EXPECT_FALSE(SSL_CTX_use_certificate(ctx.get(), bad.get()));
8206 }
8207
8208 // Test that |SSL_can_release_private_key| reports true as early as expected.
8209 // The internal asserts in the library check we do not report true too early.
TEST(SSLTest,CanReleasePrivateKey)8210 TEST(SSLTest, CanReleasePrivateKey) {
8211 bssl::UniquePtr<SSL_CTX> client_ctx =
8212 CreateContextWithTestCertificate(TLS_method());
8213 ASSERT_TRUE(client_ctx);
8214 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
8215
8216 // Note this assumes the transport buffer is large enough to fit the client
8217 // and server first flights. We check this with |SSL_ERROR_WANT_READ|. If the
8218 // transport buffer was too small it would return |SSL_ERROR_WANT_WRITE|.
8219 auto check_first_server_round_trip = [&](SSL *client, SSL *server) {
8220 // Write the ClientHello.
8221 ASSERT_EQ(-1, SSL_do_handshake(client));
8222 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(client, -1));
8223
8224 // Consume the ClientHello and write the server flight.
8225 ASSERT_EQ(-1, SSL_do_handshake(server));
8226 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(server, -1));
8227
8228 EXPECT_TRUE(SSL_can_release_private_key(server));
8229 };
8230
8231 {
8232 SCOPED_TRACE("TLS 1.2 ECDHE");
8233 bssl::UniquePtr<SSL_CTX> server_ctx(
8234 CreateContextWithTestCertificate(TLS_method()));
8235 ASSERT_TRUE(server_ctx);
8236 ASSERT_TRUE(
8237 SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_2_VERSION));
8238 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(
8239 server_ctx.get(), "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"));
8240 // Configure the server to request client certificates, so we can also test
8241 // the client half.
8242 SSL_CTX_set_custom_verify(
8243 server_ctx.get(), SSL_VERIFY_PEER,
8244 [](SSL *ssl, uint8_t *out_alert) { return ssl_verify_ok; });
8245 bssl::UniquePtr<SSL> client, server;
8246 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
8247 server_ctx.get()));
8248 check_first_server_round_trip(client.get(), server.get());
8249
8250 // Consume the server flight and write the client response. The client still
8251 // has a Finished message to consume but can also release its key early.
8252 ASSERT_EQ(-1, SSL_do_handshake(client.get()));
8253 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(client.get(), -1));
8254 EXPECT_TRUE(SSL_can_release_private_key(client.get()));
8255
8256 // However, a client that has not disabled renegotiation can never release
8257 // the key.
8258 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
8259 server_ctx.get()));
8260 SSL_set_renegotiate_mode(client.get(), ssl_renegotiate_freely);
8261 check_first_server_round_trip(client.get(), server.get());
8262 ASSERT_EQ(-1, SSL_do_handshake(client.get()));
8263 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(client.get(), -1));
8264 EXPECT_FALSE(SSL_can_release_private_key(client.get()));
8265 }
8266
8267 {
8268 SCOPED_TRACE("TLS 1.2 resumption");
8269 bssl::UniquePtr<SSL_CTX> server_ctx(
8270 CreateContextWithTestCertificate(TLS_method()));
8271 ASSERT_TRUE(server_ctx);
8272 ASSERT_TRUE(
8273 SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_2_VERSION));
8274 bssl::UniquePtr<SSL_SESSION> session =
8275 CreateClientSession(client_ctx.get(), server_ctx.get());
8276 ASSERT_TRUE(session);
8277 bssl::UniquePtr<SSL> client, server;
8278 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
8279 server_ctx.get()));
8280 SSL_set_session(client.get(), session.get());
8281 check_first_server_round_trip(client.get(), server.get());
8282 }
8283
8284 {
8285 SCOPED_TRACE("TLS 1.3 1-RTT");
8286 bssl::UniquePtr<SSL_CTX> server_ctx(
8287 CreateContextWithTestCertificate(TLS_method()));
8288 ASSERT_TRUE(server_ctx);
8289 ASSERT_TRUE(
8290 SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
8291 bssl::UniquePtr<SSL> client, server;
8292 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
8293 server_ctx.get()));
8294 check_first_server_round_trip(client.get(), server.get());
8295 }
8296
8297 {
8298 SCOPED_TRACE("TLS 1.3 resumption");
8299 bssl::UniquePtr<SSL_CTX> server_ctx(
8300 CreateContextWithTestCertificate(TLS_method()));
8301 ASSERT_TRUE(server_ctx);
8302 ASSERT_TRUE(
8303 SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
8304 bssl::UniquePtr<SSL_SESSION> session =
8305 CreateClientSession(client_ctx.get(), server_ctx.get());
8306 ASSERT_TRUE(session);
8307 bssl::UniquePtr<SSL> client, server;
8308 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
8309 server_ctx.get()));
8310 SSL_set_session(client.get(), session.get());
8311 check_first_server_round_trip(client.get(), server.get());
8312 }
8313 }
8314
8315 // GetExtensionOrder sets |*out| to the list of extensions a client attached to
8316 // |ctx| will send in the ClientHello. If |ech_keys| is non-null, the client
8317 // will offer ECH with the public component. If |decrypt_ech| is true, |*out|
8318 // will be set to the ClientHelloInner's extensions, rather than
8319 // ClientHelloOuter.
GetExtensionOrder(SSL_CTX * client_ctx,std::vector<uint16_t> * out,SSL_ECH_KEYS * ech_keys,bool decrypt_ech)8320 static bool GetExtensionOrder(SSL_CTX *client_ctx, std::vector<uint16_t> *out,
8321 SSL_ECH_KEYS *ech_keys, bool decrypt_ech) {
8322 struct AppData {
8323 std::vector<uint16_t> *out;
8324 bool decrypt_ech;
8325 bool callback_done = false;
8326 };
8327 AppData app_data;
8328 app_data.out = out;
8329 app_data.decrypt_ech = decrypt_ech;
8330
8331 bssl::UniquePtr<SSL_CTX> server_ctx =
8332 CreateContextWithTestCertificate(TLS_method());
8333 if (!server_ctx || //
8334 !SSL_CTX_set_app_data(server_ctx.get(), &app_data) ||
8335 (decrypt_ech && !SSL_CTX_set1_ech_keys(server_ctx.get(), ech_keys))) {
8336 return false;
8337 }
8338
8339 // Configure the server to record the ClientHello extension order. We use a
8340 // server rather than |GetClientHello| so it can decrypt ClientHelloInner.
8341 SSL_CTX_set_select_certificate_cb(
8342 server_ctx.get(),
8343 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
8344 AppData *app_data_ptr = static_cast<AppData *>(
8345 SSL_CTX_get_app_data(SSL_get_SSL_CTX(client_hello->ssl)));
8346 EXPECT_EQ(app_data_ptr->decrypt_ech ? 1 : 0,
8347 SSL_ech_accepted(client_hello->ssl));
8348
8349 app_data_ptr->out->clear();
8350 CBS extensions;
8351 CBS_init(&extensions, client_hello->extensions,
8352 client_hello->extensions_len);
8353 while (CBS_len(&extensions)) {
8354 uint16_t type;
8355 CBS body;
8356 if (!CBS_get_u16(&extensions, &type) ||
8357 !CBS_get_u16_length_prefixed(&extensions, &body)) {
8358 return ssl_select_cert_error;
8359 }
8360 app_data_ptr->out->push_back(type);
8361 }
8362
8363 // Don't bother completing the handshake.
8364 app_data_ptr->callback_done = true;
8365 return ssl_select_cert_error;
8366 });
8367
8368 bssl::UniquePtr<SSL> client, server;
8369 if (!CreateClientAndServer(&client, &server, client_ctx, server_ctx.get()) ||
8370 (ech_keys != nullptr && !InstallECHConfigList(client.get(), ech_keys))) {
8371 return false;
8372 }
8373
8374 // Run the handshake far enough to process the ClientHello.
8375 SSL_do_handshake(client.get());
8376 SSL_do_handshake(server.get());
8377 return app_data.callback_done;
8378 }
8379
8380 // Test that, when extension permutation is enabled, the ClientHello extension
8381 // order changes, both with and without ECH, and in both ClientHelloInner and
8382 // ClientHelloOuter.
TEST(SSLTest,PermuteExtensions)8383 TEST(SSLTest, PermuteExtensions) {
8384 bssl::UniquePtr<SSL_ECH_KEYS> keys = MakeTestECHKeys();
8385 ASSERT_TRUE(keys);
8386 for (bool offer_ech : {false, true}) {
8387 SCOPED_TRACE(offer_ech);
8388 SSL_ECH_KEYS *maybe_keys = offer_ech ? keys.get() : nullptr;
8389 for (bool decrypt_ech : {false, true}) {
8390 SCOPED_TRACE(decrypt_ech);
8391 if (!offer_ech && decrypt_ech) {
8392 continue;
8393 }
8394
8395 // When extension permutation is disabled, the order should be consistent.
8396 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
8397 ASSERT_TRUE(ctx);
8398 std::vector<uint16_t> order1, order2;
8399 ASSERT_TRUE(
8400 GetExtensionOrder(ctx.get(), &order1, maybe_keys, decrypt_ech));
8401 ASSERT_TRUE(
8402 GetExtensionOrder(ctx.get(), &order2, maybe_keys, decrypt_ech));
8403 EXPECT_EQ(order1, order2);
8404
8405 ctx.reset(SSL_CTX_new(TLS_method()));
8406 ASSERT_TRUE(ctx);
8407 SSL_CTX_set_permute_extensions(ctx.get(), 1);
8408
8409 // When extension permutation is enabled, each ClientHello should have a
8410 // different order.
8411 //
8412 // This test is inherently flaky, so we run it multiple times. We send at
8413 // least five extensions by default from TLS 1.3: supported_versions,
8414 // key_share, supported_groups, psk_key_exchange_modes, and
8415 // signature_algorithms. That means the probability of a false negative is
8416 // at most 1/120. Repeating the test 14 times lowers false negative rate
8417 // to under 2^-96.
8418 ASSERT_TRUE(
8419 GetExtensionOrder(ctx.get(), &order1, maybe_keys, decrypt_ech));
8420 EXPECT_GE(order1.size(), 5u);
8421 static const int kNumIterations = 14;
8422 bool passed = false;
8423 for (int i = 0; i < kNumIterations; i++) {
8424 ASSERT_TRUE(
8425 GetExtensionOrder(ctx.get(), &order2, maybe_keys, decrypt_ech));
8426 if (order1 != order2) {
8427 passed = true;
8428 break;
8429 }
8430 }
8431 EXPECT_TRUE(passed) << "Extensions were not permuted";
8432 }
8433 }
8434 }
8435
TEST(SSLTest,HostMatching)8436 TEST(SSLTest, HostMatching) {
8437 static const char kCertPEM[] = R"(
8438 -----BEGIN CERTIFICATE-----
8439 MIIB9jCCAZ2gAwIBAgIQeudG9R61BOxUvWkeVhU5DTAKBggqhkjOPQQDAjApMRAw
8440 DgYDVQQKEwdBY21lIENvMRUwEwYDVQQDEwxleGFtcGxlMy5jb20wHhcNMjExMjA2
8441 MjA1NjU2WhcNMjIxMjA2MjA1NjU2WjApMRAwDgYDVQQKEwdBY21lIENvMRUwEwYD
8442 VQQDEwxleGFtcGxlMy5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS7l2VO
8443 Bl2TjVm9WfGk24+hMbVFUNB+RVHWbCvFvNZAoWiIJ2z34RLGInyZvCZ8xLAvsuaW
8444 ULDDaoeDl1M0t4Hmo4GmMIGjMA4GA1UdDwEB/wQEAwIChDATBgNVHSUEDDAKBggr
8445 BgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTTJWurcc1t+VPQBko3
8446 Gsw6cbcWSTBMBgNVHREERTBDggxleGFtcGxlMS5jb22CDGV4YW1wbGUyLmNvbYIP
8447 YSouZXhhbXBsZTQuY29tgg4qLmV4YW1wbGU1LmNvbYcEAQIDBDAKBggqhkjOPQQD
8448 AgNHADBEAiAAv0ljHJGrgyzZDkG6XvNZ5ewxRfnXcZuD0Y7E4giCZgIgNK1qjilu
8449 5DyVbfKeeJhOCtGxqE1dWLXyJBnoRomSYBY=
8450 -----END CERTIFICATE-----
8451 )";
8452 bssl::UniquePtr<X509> cert(CertFromPEM(kCertPEM));
8453 ASSERT_TRUE(cert);
8454 static const char kCertNoSANsPEM[] = R"(
8455 -----BEGIN CERTIFICATE-----
8456 MIIBqzCCAVGgAwIBAgIQeudG9R61BOxUvWkeVhU5DTAKBggqhkjOPQQDAjArMRIw
8457 EAYDVQQKEwlBY21lIENvIDIxFTATBgNVBAMTDGV4YW1wbGUzLmNvbTAeFw0yMTEy
8458 MDYyMDU2NTZaFw0yMjEyMDYyMDU2NTZaMCsxEjAQBgNVBAoTCUFjbWUgQ28gMjEV
8459 MBMGA1UEAxMMZXhhbXBsZTMuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
8460 u5dlTgZdk41ZvVnxpNuPoTG1RVDQfkVR1mwrxbzWQKFoiCds9+ESxiJ8mbwmfMSw
8461 L7LmllCww2qHg5dTNLeB5qNXMFUwDgYDVR0PAQH/BAQDAgKEMBMGA1UdJQQMMAoG
8462 CCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNMla6txzW35U9AG
8463 SjcazDpxtxZJMAoGCCqGSM49BAMCA0gAMEUCIG3YWGWtpVhbcGV7wFKQwTfmvwHW
8464 pw4qCFZlool4hCwsAiEA+2fc6NfSbNpFEtQkDOMJW2ANiScAVEmImNqPfb2klz4=
8465 -----END CERTIFICATE-----
8466 )";
8467 bssl::UniquePtr<X509> cert_no_sans(CertFromPEM(kCertNoSANsPEM));
8468 ASSERT_TRUE(cert_no_sans);
8469
8470 static const char kKeyPEM[] = R"(
8471 -----BEGIN PRIVATE KEY-----
8472 MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQghsaSZhUzZAcQlLyJ
8473 MDuy7WPdyqNsAX9rmEP650LF/q2hRANCAAS7l2VOBl2TjVm9WfGk24+hMbVFUNB+
8474 RVHWbCvFvNZAoWiIJ2z34RLGInyZvCZ8xLAvsuaWULDDaoeDl1M0t4Hm
8475 -----END PRIVATE KEY-----
8476 )";
8477 bssl::UniquePtr<EVP_PKEY> key(KeyFromPEM(kKeyPEM));
8478 ASSERT_TRUE(key);
8479
8480 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
8481 ASSERT_TRUE(client_ctx);
8482 ASSERT_TRUE(X509_STORE_add_cert(SSL_CTX_get_cert_store(client_ctx.get()),
8483 cert.get()));
8484 ASSERT_TRUE(X509_STORE_add_cert(SSL_CTX_get_cert_store(client_ctx.get()),
8485 cert_no_sans.get()));
8486 SSL_CTX_set_verify(client_ctx.get(),
8487 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
8488 nullptr);
8489 X509_VERIFY_PARAM_set_flags(SSL_CTX_get0_param(client_ctx.get()),
8490 X509_V_FLAG_NO_CHECK_TIME);
8491
8492 struct TestCase {
8493 X509 *cert;
8494 std::string hostname;
8495 unsigned flags;
8496 bool should_match;
8497 };
8498 std::vector<TestCase> kTests = {
8499 // These two names are present as SANs in the certificate.
8500 {cert.get(), "example1.com", 0, true},
8501 {cert.get(), "example2.com", 0, true},
8502 // This is the CN of the certificate, but that shouldn't matter if a SAN
8503 // extension is present.
8504 {cert.get(), "example3.com", 0, false},
8505 // If the SAN is not present, we, for now, look for DNS names in the CN.
8506 {cert_no_sans.get(), "example3.com", 0, true},
8507 // ... but this can be turned off.
8508 {cert_no_sans.get(), "example3.com", X509_CHECK_FLAG_NEVER_CHECK_SUBJECT,
8509 false},
8510 // a*.example4.com is a SAN, but is invalid.
8511 {cert.get(), "abc.example4.com", 0, false},
8512 // *.example5.com is a SAN in the certificate, which is a normal and valid
8513 // wildcard.
8514 {cert.get(), "abc.example5.com", 0, true},
8515 // This name is not present.
8516 {cert.get(), "notexample1.com", 0, false},
8517 // The IPv4 address 1.2.3.4 is a SAN, but that shouldn't match against a
8518 // hostname that happens to be its textual representation.
8519 {cert.get(), "1.2.3.4", 0, false},
8520 };
8521
8522 for (const TestCase &test : kTests) {
8523 SCOPED_TRACE(test.hostname);
8524
8525 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
8526 ASSERT_TRUE(server_ctx);
8527 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), test.cert));
8528 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
8529
8530 ClientConfig config;
8531 bssl::UniquePtr<SSL> client, server;
8532 config.verify_hostname = test.hostname;
8533 config.hostflags = test.flags;
8534 EXPECT_EQ(test.should_match,
8535 ConnectClientAndServer(&client, &server, client_ctx.get(),
8536 server_ctx.get(), config));
8537 }
8538 }
8539
TEST(SSLTest,NumTickets)8540 TEST(SSLTest, NumTickets) {
8541 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
8542 ASSERT_TRUE(server_ctx);
8543 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
8544 ASSERT_TRUE(client_ctx);
8545 bssl::UniquePtr<X509> cert = GetTestCertificate();
8546 ASSERT_TRUE(cert);
8547 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
8548 ASSERT_TRUE(key);
8549 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
8550 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
8551 SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH);
8552
8553 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
8554 static size_t ticket_count;
8555 SSL_CTX_sess_set_new_cb(client_ctx.get(), [](SSL *, SSL_SESSION *) -> int {
8556 ticket_count++;
8557 return 0;
8558 });
8559
8560 auto count_tickets = [&]() -> size_t {
8561 ticket_count = 0;
8562 bssl::UniquePtr<SSL> client, server;
8563 if (!ConnectClientAndServer(&client, &server, client_ctx.get(),
8564 server_ctx.get()) ||
8565 !FlushNewSessionTickets(client.get(), server.get())) {
8566 ADD_FAILURE() << "Could not run handshake";
8567 return 0;
8568 }
8569 return ticket_count;
8570 };
8571
8572 // By default, we should send two tickets.
8573 EXPECT_EQ(count_tickets(), 2u);
8574
8575 for (size_t num_tickets : {0, 1, 2, 3, 4, 5}) {
8576 SCOPED_TRACE(num_tickets);
8577 ASSERT_TRUE(SSL_CTX_set_num_tickets(server_ctx.get(), num_tickets));
8578 EXPECT_EQ(SSL_CTX_get_num_tickets(server_ctx.get()), num_tickets);
8579 EXPECT_EQ(count_tickets(), num_tickets);
8580 }
8581
8582 // Configuring too many tickets causes us to stop at some point.
8583 ASSERT_TRUE(SSL_CTX_set_num_tickets(server_ctx.get(), 100000));
8584 EXPECT_EQ(SSL_CTX_get_num_tickets(server_ctx.get()), 16u);
8585 EXPECT_EQ(count_tickets(), 16u);
8586 }
8587
TEST(SSLTest,CertSubjectsToStack)8588 TEST(SSLTest, CertSubjectsToStack) {
8589 const std::string kCert1 = R"(
8590 -----BEGIN CERTIFICATE-----
8591 MIIBzzCCAXagAwIBAgIJANlMBNpJfb/rMAkGByqGSM49BAEwRTELMAkGA1UEBhMC
8592 QVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdp
8593 dHMgUHR5IEx0ZDAeFw0xNDA0MjMyMzIxNTdaFw0xNDA1MjMyMzIxNTdaMEUxCzAJ
8594 BgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5l
8595 dCBXaWRnaXRzIFB0eSBMdGQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATmK2ni
8596 v2Wfl74vHg2UikzVl2u3qR4NRvvdqakendy6WgHn1peoChj5w8SjHlbifINI2xYa
8597 HPUdfvGULUvPciLBo1AwTjAdBgNVHQ4EFgQUq4TSrKuV8IJOFngHVVdf5CaNgtEw
8598 HwYDVR0jBBgwFoAUq4TSrKuV8IJOFngHVVdf5CaNgtEwDAYDVR0TBAUwAwEB/zAJ
8599 BgcqhkjOPQQBA0gAMEUCIQDyoDVeUTo2w4J5m+4nUIWOcAZ0lVfSKXQA9L4Vh13E
8600 BwIgfB55FGohg/B6dGh5XxSZmmi08cueFV7mHzJSYV51yRQ=
8601 -----END CERTIFICATE-----
8602 )";
8603 const std::vector<uint8_t> kName1 = {
8604 0x30, 0x45, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
8605 0x02, 0x41, 0x55, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
8606 0x0c, 0x0a, 0x53, 0x6f, 0x6d, 0x65, 0x2d, 0x53, 0x74, 0x61, 0x74, 0x65,
8607 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x18, 0x49,
8608 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x20, 0x57, 0x69, 0x64, 0x67,
8609 0x69, 0x74, 0x73, 0x20, 0x50, 0x74, 0x79, 0x20, 0x4c, 0x74, 0x64};
8610 const std::string kCert2 = R"(
8611 -----BEGIN CERTIFICATE-----
8612 MIICXjCCAcegAwIBAgIIWjO48ufpunYwDQYJKoZIhvcNAQELBQAwNjEaMBgGA1UE
8613 ChMRQm9yaW5nU1NMIFRFU1RJTkcxGDAWBgNVBAMTD0ludGVybWVkaWF0ZSBDQTAg
8614 Fw0xNTAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowMjEaMBgGA1UEChMRQm9y
8615 aW5nU1NMIFRFU1RJTkcxFDASBgNVBAMTC2V4YW1wbGUuY29tMIGfMA0GCSqGSIb3
8616 DQEBAQUAA4GNADCBiQKBgQDD0U0ZYgqShJ7oOjsyNKyVXEHqeafmk/bAoPqY/h1c
8617 oPw2E8KmeqiUSoTPjG5IXSblOxcqpbAXgnjPzo8DI3GNMhAf8SYNYsoH7gc7Uy7j
8618 5x8bUrisGnuTHqkqH6d4/e7ETJ7i3CpR8bvK16DggEvQTudLipz8FBHtYhFakfdh
8619 TwIDAQABo3cwdTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEG
8620 CCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwGQYDVR0OBBIEEKN5pvbur7mlXjeMEYA0
8621 4nUwGwYDVR0jBBQwEoAQjBpoqLV2211Xex+NFLIGozANBgkqhkiG9w0BAQsFAAOB
8622 gQBj/p+JChp//LnXWC1k121LM/ii7hFzQzMrt70bny406SGz9jAjaPOX4S3gt38y
8623 rhjpPukBlSzgQXFg66y6q5qp1nQTD1Cw6NkKBe9WuBlY3iYfmsf7WT8nhlT1CttU
8624 xNCwyMX9mtdXdQicOfNjIGUCD5OLV5PgHFPRKiHHioBAhg==
8625 -----END CERTIFICATE-----
8626 )";
8627 const std::vector<uint8_t> kName2 = {
8628 0x30, 0x32, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0a,
8629 0x13, 0x11, 0x42, 0x6f, 0x72, 0x69, 0x6e, 0x67, 0x53, 0x53, 0x4c,
8630 0x20, 0x54, 0x45, 0x53, 0x54, 0x49, 0x4e, 0x47, 0x31, 0x14, 0x30,
8631 0x12, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x0b, 0x65, 0x78, 0x61,
8632 0x6d, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d};
8633
8634 const struct {
8635 std::vector<std::vector<uint8_t>> existing;
8636 std::string pem;
8637 std::vector<std::vector<uint8_t>> expected;
8638 } kTests[] = {
8639 // Do nothing.
8640 {{}, "", {}},
8641 // Append to an empty list, skipping duplicates.
8642 {{}, kCert1 + kCert2 + kCert1, {kName1, kName2}},
8643 // One of the names was already present.
8644 {{kName1}, kCert1 + kCert2, {kName1, kName2}},
8645 // Both names were already present.
8646 {{kName1, kName2}, kCert1 + kCert2, {kName1, kName2}},
8647 // Preserve existing duplicates.
8648 {{kName1, kName2, kName2}, kCert1 + kCert2, {kName1, kName2, kName2}},
8649 };
8650 for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kTests); i++) {
8651 SCOPED_TRACE(i);
8652 const auto &t = kTests[i];
8653
8654 bssl::UniquePtr<STACK_OF(X509_NAME)> stack(sk_X509_NAME_new_null());
8655 ASSERT_TRUE(stack);
8656 for (const auto& name : t.existing) {
8657 const uint8_t *inp = name.data();
8658 bssl::UniquePtr<X509_NAME> name_obj(
8659 d2i_X509_NAME(nullptr, &inp, name.size()));
8660 ASSERT_TRUE(name_obj);
8661 EXPECT_EQ(inp, name.data() + name.size());
8662 ASSERT_TRUE(bssl::PushToStack(stack.get(), std::move(name_obj)));
8663 }
8664
8665 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(t.pem.data(), t.pem.size()));
8666 ASSERT_TRUE(bio);
8667 ASSERT_TRUE(SSL_add_bio_cert_subjects_to_stack(stack.get(), bio.get()));
8668
8669 // The function should have left |stack|'s comparison function alone.
8670 EXPECT_EQ(nullptr, sk_X509_NAME_set_cmp_func(stack.get(), nullptr));
8671
8672 std::vector<std::vector<uint8_t>> expected = t.expected, result;
8673 for (X509_NAME *name : stack.get()) {
8674 uint8_t *der = nullptr;
8675 int der_len = i2d_X509_NAME(name, &der);
8676 ASSERT_GE(der_len, 0);
8677 result.push_back(std::vector<uint8_t>(der, der + der_len));
8678 OPENSSL_free(der);
8679 }
8680
8681 // |SSL_add_bio_cert_subjects_to_stack| does not return the output in a
8682 // well-defined order.
8683 std::sort(expected.begin(), expected.end());
8684 std::sort(result.begin(), result.end());
8685 EXPECT_EQ(result, expected);
8686 }
8687 }
8688
8689 #if defined(OPENSSL_LINUX) || defined(OPENSSL_APPLE)
TEST(SSLTest,EmptyClientCAList)8690 TEST(SSLTest, EmptyClientCAList) {
8691 // Use /dev/null on POSIX systems as an empty file.
8692 bssl::UniquePtr<STACK_OF(X509_NAME)> names(
8693 SSL_load_client_CA_file("/dev/null"));
8694 EXPECT_FALSE(names);
8695 }
8696 #endif // OPENSSL_LINUX || OPENSSL_APPLE
8697
TEST(SSLTest,EmptyWriteBlockedOnHandshakeData)8698 TEST(SSLTest, EmptyWriteBlockedOnHandshakeData) {
8699 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
8700 bssl::UniquePtr<SSL_CTX> server_ctx =
8701 CreateContextWithTestCertificate(TLS_method());
8702 ASSERT_TRUE(client_ctx);
8703 ASSERT_TRUE(server_ctx);
8704 // Configure only TLS 1.3. This test requires post-handshake NewSessionTicket.
8705 ASSERT_TRUE(SSL_CTX_set_min_proto_version(client_ctx.get(), TLS1_3_VERSION));
8706 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION));
8707
8708 // Connect a client and server with tiny buffer between the two.
8709 bssl::UniquePtr<SSL> client(SSL_new(client_ctx.get())),
8710 server(SSL_new(server_ctx.get()));
8711 ASSERT_TRUE(client);
8712 ASSERT_TRUE(server);
8713 SSL_set_connect_state(client.get());
8714 SSL_set_accept_state(server.get());
8715 BIO *bio1, *bio2;
8716 ASSERT_TRUE(BIO_new_bio_pair(&bio1, 1, &bio2, 1));
8717 SSL_set_bio(client.get(), bio1, bio1);
8718 SSL_set_bio(server.get(), bio2, bio2);
8719 ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
8720
8721 // We defer NewSessionTicket to the first write, so the server has a pending
8722 // NewSessionTicket. See https://boringssl-review.googlesource.com/34948. This
8723 // means an empty write will flush the ticket. However, the transport only
8724 // allows one byte through, so this will fail with |SSL_ERROR_WANT_WRITE|.
8725 int ret = SSL_write(server.get(), nullptr, 0);
8726 ASSERT_EQ(ret, -1);
8727 ASSERT_EQ(SSL_get_error(server.get(), ret), SSL_ERROR_WANT_WRITE);
8728
8729 // Attempting to write non-zero data should not trip |SSL_R_BAD_WRITE_RETRY|.
8730 const uint8_t kData[] = {'h', 'e', 'l', 'l', 'o'};
8731 ret = SSL_write(server.get(), kData, sizeof(kData));
8732 ASSERT_EQ(ret, -1);
8733 ASSERT_EQ(SSL_get_error(server.get(), ret), SSL_ERROR_WANT_WRITE);
8734
8735 // Byte by byte, the data should eventually get through.
8736 uint8_t buf[sizeof(kData)];
8737 for (;;) {
8738 ret = SSL_read(client.get(), buf, sizeof(buf));
8739 ASSERT_EQ(ret, -1);
8740 ASSERT_EQ(SSL_get_error(client.get(), ret), SSL_ERROR_WANT_READ);
8741
8742 ret = SSL_write(server.get(), kData, sizeof(kData));
8743 if (ret > 0) {
8744 ASSERT_EQ(ret, 5);
8745 break;
8746 }
8747 ASSERT_EQ(ret, -1);
8748 ASSERT_EQ(SSL_get_error(server.get(), ret), SSL_ERROR_WANT_WRITE);
8749 }
8750
8751 ret = SSL_read(client.get(), buf, sizeof(buf));
8752 ASSERT_EQ(ret, static_cast<int>(sizeof(kData)));
8753 ASSERT_EQ(Bytes(buf, ret), Bytes(kData));
8754 }
8755
8756 // Test that |SSL_ERROR_SYSCALL| continues to work after a close_notify.
TEST(SSLTest,ErrorSyscallAfterCloseNotify)8757 TEST(SSLTest, ErrorSyscallAfterCloseNotify) {
8758 // Make a custom |BIO| where writes fail, but without pushing to the error
8759 // queue.
8760 bssl::UniquePtr<BIO_METHOD> method(BIO_meth_new(0, nullptr));
8761 ASSERT_TRUE(method);
8762 BIO_meth_set_create(method.get(), [](BIO *b) -> int {
8763 BIO_set_init(b, 1);
8764 return 1;
8765 });
8766 static bool write_failed = false;
8767 BIO_meth_set_write(method.get(), [](BIO *, const char *, int) -> int {
8768 // Fail the operation and don't add to the error queue.
8769 write_failed = true;
8770 return -1;
8771 });
8772 bssl::UniquePtr<BIO> wbio_silent_error(BIO_new(method.get()));
8773 ASSERT_TRUE(wbio_silent_error);
8774
8775 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
8776 bssl::UniquePtr<SSL_CTX> server_ctx =
8777 CreateContextWithTestCertificate(TLS_method());
8778 ASSERT_TRUE(client_ctx);
8779 ASSERT_TRUE(server_ctx);
8780 bssl::UniquePtr<SSL> client, server;
8781 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
8782 server_ctx.get()));
8783
8784 // Replace the write |BIO| with |wbio_silent_error|.
8785 SSL_set0_wbio(client.get(), wbio_silent_error.release());
8786
8787 // Writes should fail. There is nothing in the error queue, so
8788 // |SSL_ERROR_SYSCALL| indicates the caller needs to check out-of-band.
8789 const uint8_t data[1] = {0};
8790 int ret = SSL_write(client.get(), data, sizeof(data));
8791 EXPECT_EQ(ret, -1);
8792 EXPECT_EQ(SSL_get_error(client.get(), ret), SSL_ERROR_SYSCALL);
8793 EXPECT_TRUE(write_failed);
8794 write_failed = false;
8795
8796 // Send a close_notify from the server. It should return 0 because
8797 // close_notify was sent, but not received. Confusingly, this is a success
8798 // output for |SSL_shutdown|'s API.
8799 EXPECT_EQ(SSL_shutdown(server.get()), 0);
8800
8801 // Read the close_notify on the client.
8802 uint8_t buf[1];
8803 ret = SSL_read(client.get(), buf, sizeof(buf));
8804 EXPECT_EQ(ret, 0);
8805 EXPECT_EQ(SSL_get_error(client.get(), ret), SSL_ERROR_ZERO_RETURN);
8806
8807 // Further calls to |SSL_read| continue to report |SSL_ERROR_ZERO_RETURN|.
8808 ret = SSL_read(client.get(), buf, sizeof(buf));
8809 EXPECT_EQ(ret, 0);
8810 EXPECT_EQ(SSL_get_error(client.get(), ret), SSL_ERROR_ZERO_RETURN);
8811
8812 // Although the client has seen close_notify, it should continue to report
8813 // |SSL_ERROR_SYSCALL| when its writes fail.
8814 ret = SSL_write(client.get(), data, sizeof(data));
8815 EXPECT_EQ(ret, -1);
8816 EXPECT_EQ(SSL_get_error(client.get(), ret), SSL_ERROR_SYSCALL);
8817 EXPECT_TRUE(write_failed);
8818 write_failed = false;
8819
8820 // Cause |BIO_write| to fail with a return value of zero instead.
8821 // |SSL_get_error| should not misinterpret this as a close_notify.
8822 //
8823 // This is not actually a correct implementation of |BIO_write|, but the rest
8824 // of the code treats zero from |BIO_write| as an error, so ensure it does so
8825 // correctly. Fixing https://crbug.com/boringssl/503 will make this case moot.
8826 BIO_meth_set_write(method.get(), [](BIO *, const char *, int) -> int {
8827 write_failed = true;
8828 return 0;
8829 });
8830 ret = SSL_write(client.get(), data, sizeof(data));
8831 EXPECT_EQ(ret, 0);
8832 EXPECT_EQ(SSL_get_error(client.get(), ret), SSL_ERROR_SYSCALL);
8833 EXPECT_TRUE(write_failed);
8834 write_failed = false;
8835 }
8836
8837 // Test that |SSL_shutdown|, when quiet shutdown is enabled, simulates receiving
8838 // a close_notify, down to |SSL_read| reporting |SSL_ERROR_ZERO_RETURN|.
TEST(SSLTest,QuietShutdown)8839 TEST(SSLTest, QuietShutdown) {
8840 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
8841 bssl::UniquePtr<SSL_CTX> server_ctx =
8842 CreateContextWithTestCertificate(TLS_method());
8843 ASSERT_TRUE(client_ctx);
8844 ASSERT_TRUE(server_ctx);
8845 SSL_CTX_set_quiet_shutdown(server_ctx.get(), 1);
8846 bssl::UniquePtr<SSL> client, server;
8847 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
8848 server_ctx.get()));
8849
8850 // Quiet shutdown is enabled, so |SSL_shutdown| on the server should
8851 // immediately return that bidirectional shutdown "completed".
8852 EXPECT_EQ(SSL_shutdown(server.get()), 1);
8853
8854 // Shut down writes so the client gets an EOF.
8855 EXPECT_TRUE(BIO_shutdown_wr(SSL_get_wbio(server.get())));
8856
8857 // Confirm no close notify was actually sent. Client reads should report a
8858 // transport EOF, not a close_notify. (Both have zero return, but
8859 // |SSL_get_error| is different.)
8860 char buf[1];
8861 int ret = SSL_read(client.get(), buf, sizeof(buf));
8862 EXPECT_EQ(ret, 0);
8863 EXPECT_EQ(SSL_get_error(client.get(), ret), SSL_ERROR_SYSCALL);
8864
8865 // The server believes bidirectional shutdown completed, so reads should
8866 // replay the (simulated) close_notify.
8867 ret = SSL_read(server.get(), buf, sizeof(buf));
8868 EXPECT_EQ(ret, 0);
8869 EXPECT_EQ(SSL_get_error(server.get(), ret), SSL_ERROR_ZERO_RETURN);
8870 }
8871
TEST(SSLTest,InvalidSignatureAlgorithm)8872 TEST(SSLTest, InvalidSignatureAlgorithm) {
8873 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
8874 ASSERT_TRUE(ctx);
8875
8876 static const uint16_t kInvalidPrefs[] = {1234};
8877 EXPECT_FALSE(SSL_CTX_set_signing_algorithm_prefs(
8878 ctx.get(), kInvalidPrefs, OPENSSL_ARRAY_SIZE(kInvalidPrefs)));
8879 EXPECT_FALSE(SSL_CTX_set_verify_algorithm_prefs(
8880 ctx.get(), kInvalidPrefs, OPENSSL_ARRAY_SIZE(kInvalidPrefs)));
8881
8882 static const uint16_t kDuplicatePrefs[] = {SSL_SIGN_RSA_PKCS1_SHA256,
8883 SSL_SIGN_RSA_PKCS1_SHA256};
8884 EXPECT_FALSE(SSL_CTX_set_signing_algorithm_prefs(
8885 ctx.get(), kDuplicatePrefs, OPENSSL_ARRAY_SIZE(kDuplicatePrefs)));
8886 EXPECT_FALSE(SSL_CTX_set_verify_algorithm_prefs(
8887 ctx.get(), kDuplicatePrefs, OPENSSL_ARRAY_SIZE(kDuplicatePrefs)));
8888 }
8889
TEST(SSLTest,InvalidGroups)8890 TEST(SSLTest, InvalidGroups) {
8891 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
8892 ASSERT_TRUE(ctx);
8893
8894 static const uint16_t kInvalidIDs[] = {1234};
8895 EXPECT_FALSE(SSL_CTX_set1_group_ids(
8896 ctx.get(), kInvalidIDs, OPENSSL_ARRAY_SIZE(kInvalidIDs)));
8897
8898 // This is a valid NID, but it is not a valid group.
8899 static const int kInvalidNIDs[] = {NID_rsaEncryption};
8900 EXPECT_FALSE(SSL_CTX_set1_groups(
8901 ctx.get(), kInvalidNIDs, OPENSSL_ARRAY_SIZE(kInvalidNIDs)));
8902 }
8903
TEST(SSLTest,NameLists)8904 TEST(SSLTest, NameLists) {
8905 struct {
8906 size_t (*func)(const char **, size_t);
8907 std::vector<std::string> expected;
8908 } kTests[] = {
8909 {SSL_get_all_version_names, {"TLSv1.3", "DTLSv1.2", "unknown"}},
8910 {SSL_get_all_standard_cipher_names,
8911 {"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_AES_128_GCM_SHA256"}},
8912 {SSL_get_all_cipher_names,
8913 {"ECDHE-ECDSA-AES128-GCM-SHA256", "TLS_AES_128_GCM_SHA256", "(NONE)"}},
8914 {SSL_get_all_group_names, {"P-256", "X25519"}},
8915 {SSL_get_all_signature_algorithm_names,
8916 {"rsa_pkcs1_sha256", "ecdsa_secp256r1_sha256", "ecdsa_sha256"}},
8917 };
8918 for (const auto &t : kTests) {
8919 size_t num = t.func(nullptr, 0);
8920 EXPECT_GT(num, 0u);
8921
8922 std::vector<const char*> list(num);
8923 EXPECT_EQ(num, t.func(list.data(), list.size()));
8924
8925 // Check the expected values are in the list.
8926 for (const auto &s : t.expected) {
8927 EXPECT_NE(list.end(), std::find(list.begin(), list.end(), s))
8928 << "Could not find " << s;
8929 }
8930
8931 // Passing in a larger buffer should leave excess space alone.
8932 std::vector<const char *> list2(num + 1, "placeholder");
8933 EXPECT_EQ(num, t.func(list2.data(), list2.size()));
8934 for (size_t i = 0; i < num; i++) {
8935 EXPECT_STREQ(list[i], list2[i]);
8936 }
8937 EXPECT_STREQ(list2.back(), "placeholder");
8938
8939 // Passing in a shorter buffer should truncate the list.
8940 for (size_t l = 0; l < num; l++) {
8941 SCOPED_TRACE(l);
8942 list2.resize(l);
8943 EXPECT_EQ(num, t.func(list2.data(), list2.size()));
8944 for (size_t i = 0; i < l; i++) {
8945 EXPECT_STREQ(list[i], list2[i]);
8946 }
8947 }
8948 }
8949 }
8950
8951 } // namespace
8952 BSSL_NAMESPACE_END
8953