1 /* Copyright (c) 2014, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15 #include <stdio.h>
16 #include <string.h>
17 #include <time.h>
18
19 #include <algorithm>
20 #include <limits>
21 #include <string>
22 #include <utility>
23 #include <vector>
24
25 #include <gtest/gtest.h>
26
27 #include <openssl/aead.h>
28 #include <openssl/base64.h>
29 #include <openssl/bytestring.h>
30 #include <openssl/bio.h>
31 #include <openssl/cipher.h>
32 #include <openssl/crypto.h>
33 #include <openssl/curve25519.h>
34 #include <openssl/err.h>
35 #include <openssl/hmac.h>
36 #include <openssl/hpke.h>
37 #include <openssl/pem.h>
38 #include <openssl/sha.h>
39 #include <openssl/ssl.h>
40 #include <openssl/rand.h>
41 #include <openssl/x509.h>
42
43 #include "internal.h"
44 #include "../crypto/internal.h"
45 #include "../crypto/test/test_util.h"
46
47 #if defined(OPENSSL_WINDOWS)
48 // Windows defines struct timeval in winsock2.h.
49 OPENSSL_MSVC_PRAGMA(warning(push, 3))
50 #include <winsock2.h>
51 OPENSSL_MSVC_PRAGMA(warning(pop))
52 #else
53 #include <sys/time.h>
54 #endif
55
56 #if defined(OPENSSL_THREADS)
57 #include <thread>
58 #endif
59
60
61 BSSL_NAMESPACE_BEGIN
62
63 namespace {
64
65 #define TRACED_CALL(code) \
66 do { \
67 SCOPED_TRACE("<- called from here"); \
68 code; \
69 if (::testing::Test::HasFatalFailure()) { \
70 return; \
71 } \
72 } while (false)
73
74 struct VersionParam {
75 uint16_t version;
76 enum { is_tls, is_dtls } ssl_method;
77 const char name[8];
78 };
79
80 static const size_t kTicketKeyLen = 48;
81
82 static const VersionParam kAllVersions[] = {
83 {TLS1_VERSION, VersionParam::is_tls, "TLS1"},
84 {TLS1_1_VERSION, VersionParam::is_tls, "TLS1_1"},
85 {TLS1_2_VERSION, VersionParam::is_tls, "TLS1_2"},
86 {TLS1_3_VERSION, VersionParam::is_tls, "TLS1_3"},
87 {DTLS1_VERSION, VersionParam::is_dtls, "DTLS1"},
88 {DTLS1_2_VERSION, VersionParam::is_dtls, "DTLS1_2"},
89 };
90
91 struct ExpectedCipher {
92 unsigned long id;
93 int in_group_flag;
94 };
95
96 struct CipherTest {
97 // The rule string to apply.
98 const char *rule;
99 // The list of expected ciphers, in order.
100 std::vector<ExpectedCipher> expected;
101 // True if this cipher list should fail in strict mode.
102 bool strict_fail;
103 };
104
105 struct CurveTest {
106 // The rule string to apply.
107 const char *rule;
108 // The list of expected curves, in order.
109 std::vector<uint16_t> expected;
110 };
111
112 template <typename T>
113 class UnownedSSLExData {
114 public:
UnownedSSLExData()115 UnownedSSLExData() {
116 index_ = SSL_get_ex_new_index(0, nullptr, nullptr, nullptr, nullptr);
117 }
118
Get(const SSL * ssl)119 T *Get(const SSL *ssl) {
120 return index_ < 0 ? nullptr
121 : static_cast<T *>(SSL_get_ex_data(ssl, index_));
122 }
123
Set(SSL * ssl,T * t)124 bool Set(SSL *ssl, T *t) {
125 return index_ >= 0 && SSL_set_ex_data(ssl, index_, t);
126 }
127
128 private:
129 int index_;
130 };
131
132 static const CipherTest kCipherTests[] = {
133 // Selecting individual ciphers should work.
134 {
135 "ECDHE-ECDSA-CHACHA20-POLY1305:"
136 "ECDHE-RSA-CHACHA20-POLY1305:"
137 "ECDHE-ECDSA-AES128-GCM-SHA256:"
138 "ECDHE-RSA-AES128-GCM-SHA256",
139 {
140 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
141 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
142 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
143 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
144 },
145 false,
146 },
147 // + reorders selected ciphers to the end, keeping their relative order.
148 {
149 "ECDHE-ECDSA-CHACHA20-POLY1305:"
150 "ECDHE-RSA-CHACHA20-POLY1305:"
151 "ECDHE-ECDSA-AES128-GCM-SHA256:"
152 "ECDHE-RSA-AES128-GCM-SHA256:"
153 "+aRSA",
154 {
155 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
156 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
157 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
158 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
159 },
160 false,
161 },
162 // ! banishes ciphers from future selections.
163 {
164 "!aRSA:"
165 "ECDHE-ECDSA-CHACHA20-POLY1305:"
166 "ECDHE-RSA-CHACHA20-POLY1305:"
167 "ECDHE-ECDSA-AES128-GCM-SHA256:"
168 "ECDHE-RSA-AES128-GCM-SHA256",
169 {
170 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
171 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
172 },
173 false,
174 },
175 // Multiple masks can be ANDed in a single rule.
176 {
177 "kRSA+AESGCM+AES128",
178 {
179 {TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0},
180 },
181 false,
182 },
183 // - removes selected ciphers, but preserves their order for future
184 // selections. Select AES_128_GCM, but order the key exchanges RSA,
185 // ECDHE_RSA.
186 {
187 "ALL:-kECDHE:"
188 "-kRSA:-ALL:"
189 "AESGCM+AES128+aRSA",
190 {
191 {TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0},
192 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
193 },
194 false,
195 },
196 // Unknown selectors are no-ops, except in strict mode.
197 {
198 "ECDHE-ECDSA-CHACHA20-POLY1305:"
199 "ECDHE-RSA-CHACHA20-POLY1305:"
200 "ECDHE-ECDSA-AES128-GCM-SHA256:"
201 "ECDHE-RSA-AES128-GCM-SHA256:"
202 "BOGUS1",
203 {
204 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
205 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
206 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
207 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
208 },
209 true,
210 },
211 // Unknown selectors are no-ops, except in strict mode.
212 {
213 "ECDHE-ECDSA-CHACHA20-POLY1305:"
214 "ECDHE-RSA-CHACHA20-POLY1305:"
215 "ECDHE-ECDSA-AES128-GCM-SHA256:"
216 "ECDHE-RSA-AES128-GCM-SHA256:"
217 "-BOGUS2:+BOGUS3:!BOGUS4",
218 {
219 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
220 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
221 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
222 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
223 },
224 true,
225 },
226 // Square brackets specify equi-preference groups.
227 {
228 "[ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES128-GCM-SHA256]:"
229 "[ECDHE-RSA-CHACHA20-POLY1305]:"
230 "ECDHE-RSA-AES128-GCM-SHA256",
231 {
232 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 1},
233 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
234 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
235 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
236 },
237 false,
238 },
239 // Standard names may be used instead of OpenSSL names.
240 {
241 "[TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|"
242 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]:"
243 "[TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256]:"
244 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
245 {
246 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 1},
247 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
248 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
249 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
250 },
251 false,
252 },
253 // @STRENGTH performs a stable strength-sort of the selected ciphers and
254 // only the selected ciphers.
255 {
256 // To simplify things, banish all but {ECDHE_RSA,RSA} x
257 // {CHACHA20,AES_256_CBC,AES_128_CBC} x SHA1.
258 "!AESGCM:!3DES:"
259 // Order some ciphers backwards by strength.
260 "ALL:-CHACHA20:-AES256:-AES128:-ALL:"
261 // Select ECDHE ones and sort them by strength. Ties should resolve
262 // based on the order above.
263 "kECDHE:@STRENGTH:-ALL:"
264 // Now bring back everything uses RSA. ECDHE_RSA should be first, sorted
265 // by strength. Then RSA, backwards by strength.
266 "aRSA",
267 {
268 {TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, 0},
269 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
270 {TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, 0},
271 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
272 {TLS1_CK_RSA_WITH_AES_256_SHA, 0},
273 },
274 false,
275 },
276 // Additional masks after @STRENGTH get silently discarded.
277 //
278 // TODO(davidben): Make this an error. If not silently discarded, they get
279 // interpreted as + opcodes which are very different.
280 {
281 "ECDHE-RSA-AES128-GCM-SHA256:"
282 "ECDHE-RSA-AES256-GCM-SHA384:"
283 "@STRENGTH+AES256",
284 {
285 {TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 0},
286 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
287 },
288 false,
289 },
290 {
291 "ECDHE-RSA-AES128-GCM-SHA256:"
292 "ECDHE-RSA-AES256-GCM-SHA384:"
293 "@STRENGTH+AES256:"
294 "ECDHE-RSA-CHACHA20-POLY1305",
295 {
296 {TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 0},
297 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
298 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
299 },
300 false,
301 },
302 // Exact ciphers may not be used in multi-part rules; they are treated
303 // as unknown aliases.
304 {
305 "ECDHE-ECDSA-AES128-GCM-SHA256:"
306 "ECDHE-RSA-AES128-GCM-SHA256:"
307 "!ECDHE-RSA-AES128-GCM-SHA256+RSA:"
308 "!ECDSA+ECDHE-ECDSA-AES128-GCM-SHA256",
309 {
310 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
311 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
312 },
313 true,
314 },
315 // SSLv3 matches everything that existed before TLS 1.2.
316 {
317 "AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256:!SSLv3",
318 {
319 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
320 },
321 false,
322 },
323 // TLSv1.2 matches everything added in TLS 1.2.
324 {
325 "AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256:!TLSv1.2",
326 {
327 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
328 },
329 false,
330 },
331 // The two directives have no intersection. But each component is valid, so
332 // even in strict mode it is accepted.
333 {
334 "AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256:!TLSv1.2+SSLv3",
335 {
336 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
337 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
338 },
339 false,
340 },
341 // Spaces, semi-colons and commas are separators.
342 {
343 "AES128-SHA: ECDHE-RSA-AES128-GCM-SHA256 AES256-SHA ,ECDHE-ECDSA-AES128-GCM-SHA256 ; AES128-GCM-SHA256",
344 {
345 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
346 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
347 {TLS1_CK_RSA_WITH_AES_256_SHA, 0},
348 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
349 {TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0},
350 },
351 // …but not in strict mode.
352 true,
353 },
354 };
355
356 static const char *kBadRules[] = {
357 // Invalid brackets.
358 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256",
359 "RSA]",
360 "[[RSA]]",
361 // Operators inside brackets.
362 "[+RSA]",
363 // Unknown directive.
364 "@BOGUS",
365 // Empty cipher lists error at SSL_CTX_set_cipher_list.
366 "",
367 "BOGUS",
368 // COMPLEMENTOFDEFAULT is empty.
369 "COMPLEMENTOFDEFAULT",
370 // Invalid command.
371 "?BAR",
372 // Special operators are not allowed if groups are used.
373 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:+FOO",
374 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:!FOO",
375 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:-FOO",
376 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:@STRENGTH",
377 // Opcode supplied, but missing selector.
378 "+",
379 // Spaces are forbidden in equal-preference groups.
380 "[AES128-SHA | AES128-SHA256]",
381 };
382
383 static const char *kMustNotIncludeNull[] = {
384 "ALL",
385 "DEFAULT",
386 "HIGH",
387 "FIPS",
388 "SHA",
389 "SHA1",
390 "RSA",
391 "SSLv3",
392 "TLSv1",
393 "TLSv1.2",
394 };
395
396 static const CurveTest kCurveTests[] = {
397 {
398 "P-256",
399 { SSL_CURVE_SECP256R1 },
400 },
401 {
402 "P-256:CECPQ2",
403 { SSL_CURVE_SECP256R1, SSL_CURVE_CECPQ2 },
404 },
405
406 {
407 "P-256:P-384:P-521:X25519",
408 {
409 SSL_CURVE_SECP256R1,
410 SSL_CURVE_SECP384R1,
411 SSL_CURVE_SECP521R1,
412 SSL_CURVE_X25519,
413 },
414 },
415 {
416 "prime256v1:secp384r1:secp521r1:x25519",
417 {
418 SSL_CURVE_SECP256R1,
419 SSL_CURVE_SECP384R1,
420 SSL_CURVE_SECP521R1,
421 SSL_CURVE_X25519,
422 },
423 },
424 };
425
426 static const char *kBadCurvesLists[] = {
427 "",
428 ":",
429 "::",
430 "P-256::X25519",
431 "RSA:P-256",
432 "P-256:RSA",
433 "X25519:P-256:",
434 ":X25519:P-256",
435 };
436
CipherListToString(SSL_CTX * ctx)437 static std::string CipherListToString(SSL_CTX *ctx) {
438 bool in_group = false;
439 std::string ret;
440 const STACK_OF(SSL_CIPHER) *ciphers = SSL_CTX_get_ciphers(ctx);
441 for (size_t i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
442 const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(ciphers, i);
443 if (!in_group && SSL_CTX_cipher_in_group(ctx, i)) {
444 ret += "\t[\n";
445 in_group = true;
446 }
447 ret += "\t";
448 if (in_group) {
449 ret += " ";
450 }
451 ret += SSL_CIPHER_get_name(cipher);
452 ret += "\n";
453 if (in_group && !SSL_CTX_cipher_in_group(ctx, i)) {
454 ret += "\t]\n";
455 in_group = false;
456 }
457 }
458 return ret;
459 }
460
CipherListsEqual(SSL_CTX * ctx,const std::vector<ExpectedCipher> & expected)461 static bool CipherListsEqual(SSL_CTX *ctx,
462 const std::vector<ExpectedCipher> &expected) {
463 const STACK_OF(SSL_CIPHER) *ciphers = SSL_CTX_get_ciphers(ctx);
464 if (sk_SSL_CIPHER_num(ciphers) != expected.size()) {
465 return false;
466 }
467
468 for (size_t i = 0; i < expected.size(); i++) {
469 const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(ciphers, i);
470 if (expected[i].id != SSL_CIPHER_get_id(cipher) ||
471 expected[i].in_group_flag != !!SSL_CTX_cipher_in_group(ctx, i)) {
472 return false;
473 }
474 }
475
476 return true;
477 }
478
TEST(GrowableArrayTest,Resize)479 TEST(GrowableArrayTest, Resize) {
480 GrowableArray<size_t> array;
481 ASSERT_TRUE(array.empty());
482 EXPECT_EQ(array.size(), 0u);
483
484 ASSERT_TRUE(array.Push(42));
485 ASSERT_TRUE(!array.empty());
486 EXPECT_EQ(array.size(), 1u);
487
488 // Force a resize operation to occur
489 for (size_t i = 0; i < 16; i++) {
490 ASSERT_TRUE(array.Push(i + 1));
491 }
492
493 EXPECT_EQ(array.size(), 17u);
494
495 // Verify that expected values are still contained in array
496 for (size_t i = 0; i < array.size(); i++) {
497 EXPECT_EQ(array[i], i == 0 ? 42 : i);
498 }
499 }
500
TEST(GrowableArrayTest,MoveConstructor)501 TEST(GrowableArrayTest, MoveConstructor) {
502 GrowableArray<size_t> array;
503 for (size_t i = 0; i < 100; i++) {
504 ASSERT_TRUE(array.Push(i));
505 }
506
507 GrowableArray<size_t> array_moved(std::move(array));
508 for (size_t i = 0; i < 100; i++) {
509 EXPECT_EQ(array_moved[i], i);
510 }
511 }
512
TEST(GrowableArrayTest,GrowableArrayContainingGrowableArrays)513 TEST(GrowableArrayTest, GrowableArrayContainingGrowableArrays) {
514 // Representative example of a struct that contains a GrowableArray.
515 struct TagAndArray {
516 size_t tag;
517 GrowableArray<size_t> array;
518 };
519
520 GrowableArray<TagAndArray> array;
521 for (size_t i = 0; i < 100; i++) {
522 TagAndArray elem;
523 elem.tag = i;
524 for (size_t j = 0; j < i; j++) {
525 ASSERT_TRUE(elem.array.Push(j));
526 }
527 ASSERT_TRUE(array.Push(std::move(elem)));
528 }
529 EXPECT_EQ(array.size(), static_cast<size_t>(100));
530
531 GrowableArray<TagAndArray> array_moved(std::move(array));
532 EXPECT_EQ(array_moved.size(), static_cast<size_t>(100));
533 size_t count = 0;
534 for (const TagAndArray &elem : array_moved) {
535 // Test the square bracket operator returns the same value as iteration.
536 EXPECT_EQ(&elem, &array_moved[count]);
537
538 EXPECT_EQ(elem.tag, count);
539 EXPECT_EQ(elem.array.size(), count);
540 for (size_t j = 0; j < count; j++) {
541 EXPECT_EQ(elem.array[j], j);
542 }
543 count++;
544 }
545 }
546
TEST(SSLTest,CipherRules)547 TEST(SSLTest, CipherRules) {
548 for (const CipherTest &t : kCipherTests) {
549 SCOPED_TRACE(t.rule);
550 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
551 ASSERT_TRUE(ctx);
552
553 // Test lax mode.
554 ASSERT_TRUE(SSL_CTX_set_cipher_list(ctx.get(), t.rule));
555 EXPECT_TRUE(CipherListsEqual(ctx.get(), t.expected))
556 << "Cipher rule evaluated to:\n"
557 << CipherListToString(ctx.get());
558
559 // Test strict mode.
560 if (t.strict_fail) {
561 EXPECT_FALSE(SSL_CTX_set_strict_cipher_list(ctx.get(), t.rule));
562 } else {
563 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(ctx.get(), t.rule));
564 EXPECT_TRUE(CipherListsEqual(ctx.get(), t.expected))
565 << "Cipher rule evaluated to:\n"
566 << CipherListToString(ctx.get());
567 }
568 }
569
570 for (const char *rule : kBadRules) {
571 SCOPED_TRACE(rule);
572 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
573 ASSERT_TRUE(ctx);
574
575 EXPECT_FALSE(SSL_CTX_set_cipher_list(ctx.get(), rule));
576 ERR_clear_error();
577 }
578
579 for (const char *rule : kMustNotIncludeNull) {
580 SCOPED_TRACE(rule);
581 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
582 ASSERT_TRUE(ctx);
583
584 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(ctx.get(), rule));
585 for (const SSL_CIPHER *cipher : SSL_CTX_get_ciphers(ctx.get())) {
586 EXPECT_NE(NID_undef, SSL_CIPHER_get_cipher_nid(cipher));
587 }
588 }
589 }
590
TEST(SSLTest,CurveRules)591 TEST(SSLTest, CurveRules) {
592 for (const CurveTest &t : kCurveTests) {
593 SCOPED_TRACE(t.rule);
594 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
595 ASSERT_TRUE(ctx);
596
597 ASSERT_TRUE(SSL_CTX_set1_curves_list(ctx.get(), t.rule));
598 ASSERT_EQ(t.expected.size(), ctx->supported_group_list.size());
599 for (size_t i = 0; i < t.expected.size(); i++) {
600 EXPECT_EQ(t.expected[i], ctx->supported_group_list[i]);
601 }
602 }
603
604 for (const char *rule : kBadCurvesLists) {
605 SCOPED_TRACE(rule);
606 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
607 ASSERT_TRUE(ctx);
608
609 EXPECT_FALSE(SSL_CTX_set1_curves_list(ctx.get(), rule));
610 ERR_clear_error();
611 }
612 }
613
614 // kOpenSSLSession is a serialized SSL_SESSION.
615 static const char kOpenSSLSession[] =
616 "MIIFqgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
617 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
618 "IWoJoQYCBFRDO46iBAICASyjggR6MIIEdjCCA16gAwIBAgIIK9dUvsPWSlUwDQYJ"
619 "KoZIhvcNAQEFBQAwSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMx"
620 "JTAjBgNVBAMTHEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTQxMDA4"
621 "MTIwNzU3WhcNMTUwMTA2MDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwK"
622 "Q2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29v"
623 "Z2xlIEluYzEXMBUGA1UEAwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEB"
624 "AQUAA4IBDwAwggEKAoIBAQCcKeLrplAC+Lofy8t/wDwtB6eu72CVp0cJ4V3lknN6"
625 "huH9ct6FFk70oRIh/VBNBBz900jYy+7111Jm1b8iqOTQ9aT5C7SEhNcQFJvqzH3e"
626 "MPkb6ZSWGm1yGF7MCQTGQXF20Sk/O16FSjAynU/b3oJmOctcycWYkY0ytS/k3LBu"
627 "Id45PJaoMqjB0WypqvNeJHC3q5JjCB4RP7Nfx5jjHSrCMhw8lUMW4EaDxjaR9KDh"
628 "PLgjsk+LDIySRSRDaCQGhEOWLJZVLzLo4N6/UlctCHEllpBUSvEOyFga52qroGjg"
629 "rf3WOQ925MFwzd6AK+Ich0gDRg8sQfdLH5OuP1cfLfU1AgMBAAGjggFBMIIBPTAd"
630 "BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdv"
631 "b2dsZS5jb20waAYIKwYBBQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtp"
632 "Lmdvb2dsZS5jb20vR0lBRzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50"
633 "czEuZ29vZ2xlLmNvbS9vY3NwMB0GA1UdDgQWBBQ7a+CcxsZByOpc+xpYFcIbnUMZ"
634 "hTAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEv"
635 "MBcGA1UdIAQQMA4wDAYKKwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRw"
636 "Oi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQCa"
637 "OXCBdoqUy5bxyq+Wrh1zsyyCFim1PH5VU2+yvDSWrgDY8ibRGJmfff3r4Lud5kal"
638 "dKs9k8YlKD3ITG7P0YT/Rk8hLgfEuLcq5cc0xqmE42xJ+Eo2uzq9rYorc5emMCxf"
639 "5L0TJOXZqHQpOEcuptZQ4OjdYMfSxk5UzueUhA3ogZKRcRkdB3WeWRp+nYRhx4St"
640 "o2rt2A0MKmY9165GHUqMK9YaaXHDXqBu7Sefr1uSoAP9gyIJKeihMivsGqJ1TD6Z"
641 "cc6LMe+dN2P8cZEQHtD1y296ul4Mivqk3jatUVL8/hCwgch9A8O4PGZq9WqBfEWm"
642 "IyHh1dPtbg1lOXdYCWtjpAIEAKUDAgEUqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36S"
643 "YTcLEkXqKwOBfF9vE4KX0NxeLwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9B"
644 "sNHM362zZnY27GpTw+Kwd751CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yE"
645 "OTDKPNj3+inbMaVigtK4PLyPq+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdA"
646 "i4gv7Y5oliyntgMBAQA=";
647
648 // kCustomSession is a custom serialized SSL_SESSION generated by
649 // filling in missing fields from |kOpenSSLSession|. This includes
650 // providing |peer_sha256|, so |peer| is not serialized.
651 static const char kCustomSession[] =
652 "MIIBZAIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
653 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
654 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUqAcEBXdvcmxkqQUCAwGJwKqBpwSB"
655 "pBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0NxeLwjcDTpsuh3qXEaZ992r1N38"
656 "VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751CLoXFPoaMOe57dbBpXoro6Pd"
657 "3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyPq+Topyzvx9USFgRvyuoxn0Hg"
658 "b+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYGBgYGBgYGBgYGBgYGBgYGBgYG"
659 "BgYGBgYGBgYGrgMEAQevAwQBBLADBAEF";
660
661 // kBoringSSLSession is a serialized SSL_SESSION generated from bssl client.
662 static const char kBoringSSLSession[] =
663 "MIIRwQIBAQICAwMEAsAvBCDdoGxGK26mR+8lM0uq6+k9xYuxPnwAjpcF9n0Yli9R"
664 "kQQwbyshfWhdi5XQ1++7n2L1qqrcVlmHBPpr6yknT/u4pUrpQB5FZ7vqvNn8MdHf"
665 "9rWgoQYCBFXgs7uiBAICHCCjggR6MIIEdjCCA16gAwIBAgIIf+yfD7Y6UicwDQYJ"
666 "KoZIhvcNAQELBQAwSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMx"
667 "JTAjBgNVBAMTHEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTUwODEy"
668 "MTQ1MzE1WhcNMTUxMTEwMDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwK"
669 "Q2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29v"
670 "Z2xlIEluYzEXMBUGA1UEAwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEB"
671 "AQUAA4IBDwAwggEKAoIBAQC0MeG5YGQ0t+IeJeoneP/PrhEaieibeKYkbKVLNZpo"
672 "PLuBinvhkXZo3DC133NpCBpy6ZktBwamqyixAyuk/NU6OjgXqwwxfQ7di1AInLIU"
673 "792c7hFyNXSUCG7At8Ifi3YwBX9Ba6u/1d6rWTGZJrdCq3QU11RkKYyTq2KT5mce"
674 "Tv9iGKqSkSTlp8puy/9SZ/3DbU3U+BuqCFqeSlz7zjwFmk35acdCilpJlVDDN5C/"
675 "RCh8/UKc8PaL+cxlt531qoTENvYrflBno14YEZlCBZsPiFeUSILpKEj3Ccwhy0eL"
676 "EucWQ72YZU8mUzXBoXGn0zA0crFl5ci/2sTBBGZsylNBAgMBAAGjggFBMIIBPTAd"
677 "BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdv"
678 "b2dsZS5jb20waAYIKwYBBQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtp"
679 "Lmdvb2dsZS5jb20vR0lBRzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50"
680 "czEuZ29vZ2xlLmNvbS9vY3NwMB0GA1UdDgQWBBS/bzHxcE73Q4j3slC4BLbMtLjG"
681 "GjAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEv"
682 "MBcGA1UdIAQQMA4wDAYKKwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRw"
683 "Oi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQAb"
684 "qdWPZEHk0X7iKPCTHL6S3w6q1eR67goxZGFSM1lk1hjwyu7XcLJuvALVV9uY3ovE"
685 "kQZSHwT+pyOPWQhsSjO+1GyjvCvK/CAwiUmBX+bQRGaqHsRcio7xSbdVcajQ3bXd"
686 "X+s0WdbOpn6MStKAiBVloPlSxEI8pxY6x/BBCnTIk/+DMB17uZlOjG3vbAnkDkP+"
687 "n0OTucD9sHV7EVj9XUxi51nOfNBCN/s7lpUjDS/NJ4k3iwOtbCPswiot8vLO779a"
688 "f07vR03r349Iz/KTzk95rlFtX0IU+KYNxFNsanIXZ+C9FYGRXkwhHcvFb4qMUB1y"
689 "TTlM80jBMOwyjZXmjRAhpAIEAKUDAgEUqQUCAwGJwKqBpwSBpOgebbmn9NRUtMWH"
690 "+eJpqA5JLMFSMCChOsvKey3toBaCNGU7HfAEiiXNuuAdCBoK262BjQc2YYfqFzqH"
691 "zuppopXCvhohx7j/tnCNZIMgLYt/O9SXK2RYI5z8FhCCHvB4CbD5G0LGl5EFP27s"
692 "Jb6S3aTTYPkQe8yZSlxevg6NDwmTogLO9F7UUkaYmVcMQhzssEE2ZRYNwSOU6KjE"
693 "0Yj+8fAiBtbQriIEIN2L8ZlpaVrdN5KFNdvcmOxJu81P8q53X55xQyGTnGWwsgMC"
694 "ARezggvvMIIEdjCCA16gAwIBAgIIf+yfD7Y6UicwDQYJKoZIhvcNAQELBQAwSTEL"
695 "MAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2ds"
696 "ZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTUwODEyMTQ1MzE1WhcNMTUxMTEw"
697 "MDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQG"
698 "A1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UE"
699 "AwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB"
700 "AQC0MeG5YGQ0t+IeJeoneP/PrhEaieibeKYkbKVLNZpoPLuBinvhkXZo3DC133Np"
701 "CBpy6ZktBwamqyixAyuk/NU6OjgXqwwxfQ7di1AInLIU792c7hFyNXSUCG7At8If"
702 "i3YwBX9Ba6u/1d6rWTGZJrdCq3QU11RkKYyTq2KT5mceTv9iGKqSkSTlp8puy/9S"
703 "Z/3DbU3U+BuqCFqeSlz7zjwFmk35acdCilpJlVDDN5C/RCh8/UKc8PaL+cxlt531"
704 "qoTENvYrflBno14YEZlCBZsPiFeUSILpKEj3Ccwhy0eLEucWQ72YZU8mUzXBoXGn"
705 "0zA0crFl5ci/2sTBBGZsylNBAgMBAAGjggFBMIIBPTAdBgNVHSUEFjAUBggrBgEF"
706 "BQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYB"
707 "BQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lB"
708 "RzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9v"
709 "Y3NwMB0GA1UdDgQWBBS/bzHxcE73Q4j3slC4BLbMtLjGGjAMBgNVHRMBAf8EAjAA"
710 "MB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMBcGA1UdIAQQMA4wDAYK"
711 "KwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRwOi8vcGtpLmdvb2dsZS5j"
712 "b20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQAbqdWPZEHk0X7iKPCTHL6S"
713 "3w6q1eR67goxZGFSM1lk1hjwyu7XcLJuvALVV9uY3ovEkQZSHwT+pyOPWQhsSjO+"
714 "1GyjvCvK/CAwiUmBX+bQRGaqHsRcio7xSbdVcajQ3bXdX+s0WdbOpn6MStKAiBVl"
715 "oPlSxEI8pxY6x/BBCnTIk/+DMB17uZlOjG3vbAnkDkP+n0OTucD9sHV7EVj9XUxi"
716 "51nOfNBCN/s7lpUjDS/NJ4k3iwOtbCPswiot8vLO779af07vR03r349Iz/KTzk95"
717 "rlFtX0IU+KYNxFNsanIXZ+C9FYGRXkwhHcvFb4qMUB1yTTlM80jBMOwyjZXmjRAh"
718 "MIID8DCCAtigAwIBAgIDAjqDMA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT"
719 "MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i"
720 "YWwgQ0EwHhcNMTMwNDA1MTUxNTU2WhcNMTYxMjMxMjM1OTU5WjBJMQswCQYDVQQG"
721 "EwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVy"
722 "bmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB"
723 "AJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NP"
724 "VaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtv"
725 "h8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rE"
726 "ahqyzFPdFUuLH8gZYR/Nnag+YyuENWllhMgZxUYi+FOVvuOAShDGKuy6lyARxzmZ"
727 "EASg8GF6lSWMTlJ14rbtCMoU/M4iarNOz0YDl5cDfsCx3nuvRTPPuj5xt970JSXC"
728 "DTWJnZ37DhF5iR43xa+OcmkCAwEAAaOB5zCB5DAfBgNVHSMEGDAWgBTAephojYn7"
729 "qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1dvWBtrtiGrpagS8wDgYD"
730 "VR0PAQH/BAQDAgEGMC4GCCsGAQUFBwEBBCIwIDAeBggrBgEFBQcwAYYSaHR0cDov"
731 "L2cuc3ltY2QuY29tMBIGA1UdEwEB/wQIMAYBAf8CAQAwNQYDVR0fBC4wLDAqoCig"
732 "JoYkaHR0cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9iYWwuY3JsMBcGA1UdIAQQ"
733 "MA4wDAYKKwYBBAHWeQIFATANBgkqhkiG9w0BAQsFAAOCAQEAqvqpIM1qZ4PtXtR+"
734 "3h3Ef+AlBgDFJPupyC1tft6dgmUsgWM0Zj7pUsIItMsv91+ZOmqcUHqFBYx90SpI"
735 "hNMJbHzCzTWf84LuUt5oX+QAihcglvcpjZpNy6jehsgNb1aHA30DP9z6eX0hGfnI"
736 "Oi9RdozHQZJxjyXON/hKTAAj78Q1EK7gI4BzfE00LshukNYQHpmEcxpw8u1VDu4X"
737 "Bupn7jLrLN1nBz/2i8Jw3lsA5rsb0zYaImxssDVCbJAJPZPpZAkiDoUGn8JzIdPm"
738 "X4DkjYUiOnMDsWCOrmji9D6X52ASCWg23jrW4kOVWzeBkoEfu43XrVJkFleW2V40"
739 "fsg12DCCA30wggLmoAMCAQICAxK75jANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQG"
740 "EwJVUzEQMA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUg"
741 "Q2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTAyMDUyMTA0MDAwMFoXDTE4MDgyMTA0"
742 "MDAwMFowQjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUdlb1RydXN0IEluYy4xGzAZ"
743 "BgNVBAMTEkdlb1RydXN0IEdsb2JhbCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP"
744 "ADCCAQoCggEBANrMGGMw/fQXIxpWflvfPGw45HG3eJHUvKHYTPioQ7YD6U0hBwiI"
745 "2lgvZjkpvQV4i5046AW3an5xpObEYKaw74DkiSgPniXW7YPzraaRx5jJQhg1FJ2t"
746 "mEaSLk/K8YdDwRaVVy1Q74ktgHpXrfLuX2vSAI25FPgUFTXZwEaje3LIkb/JVSvN"
747 "0Jc+nCZkzN/Ogxlxyk7m1NV7qRnNVd7I7NJeOFPlXE+MLf5QIzb8ZubLjqQ5GQC3"
748 "lQI5kQsO/jgu0R0FmvZNPm8PBx2vLB6PYDni+jZTEznUXiYr2z2oFL0y6xgDKFIE"
749 "ceWrMz3hOLsHNoRinHnqFjD0X8Ar6HFr5PkCAwEAAaOB8DCB7TAfBgNVHSMEGDAW"
750 "gBRI5mj5K9KylddH2CMgEE8zmJCf1DAdBgNVHQ4EFgQUwHqYaI2J+6sFZAwRfap9"
751 "ZbjKzE4wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwOgYDVR0fBDMw"
752 "MTAvoC2gK4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20vY3Jscy9zZWN1cmVjYS5j"
753 "cmwwTgYDVR0gBEcwRTBDBgRVHSAAMDswOQYIKwYBBQUHAgEWLWh0dHBzOi8vd3d3"
754 "Lmdlb3RydXN0LmNvbS9yZXNvdXJjZXMvcmVwb3NpdG9yeTANBgkqhkiG9w0BAQUF"
755 "AAOBgQB24RJuTksWEoYwBrKBCM/wCMfHcX5m7sLt1Dsf//DwyE7WQziwuTB9GNBV"
756 "g6JqyzYRnOhIZqNtf7gT1Ef+i1pcc/yu2RsyGTirlzQUqpbS66McFAhJtrvlke+D"
757 "NusdVm/K2rxzY5Dkf3s+Iss9B+1fOHSc4wNQTqGvmO5h8oQ/Eg==";
758
759 // kBadSessionExtraField is a custom serialized SSL_SESSION generated by replacing
760 // the final (optional) element of |kCustomSession| with tag number 99.
761 static const char kBadSessionExtraField[] =
762 "MIIBdgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
763 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
764 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
765 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
766 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
767 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
768 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
769 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBOMDBAEF";
770
771 // kBadSessionVersion is a custom serialized SSL_SESSION generated by replacing
772 // the version of |kCustomSession| with 2.
773 static const char kBadSessionVersion[] =
774 "MIIBdgIBAgICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
775 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
776 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
777 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
778 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
779 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
780 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
781 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBLADBAEF";
782
783 // kBadSessionTrailingData is a custom serialized SSL_SESSION with trailing data
784 // appended.
785 static const char kBadSessionTrailingData[] =
786 "MIIBdgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
787 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
788 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
789 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
790 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
791 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
792 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
793 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBLADBAEFAAAA";
794
DecodeBase64(std::vector<uint8_t> * out,const char * in)795 static bool DecodeBase64(std::vector<uint8_t> *out, const char *in) {
796 size_t len;
797 if (!EVP_DecodedLength(&len, strlen(in))) {
798 fprintf(stderr, "EVP_DecodedLength failed\n");
799 return false;
800 }
801
802 out->resize(len);
803 if (!EVP_DecodeBase64(out->data(), &len, len, (const uint8_t *)in,
804 strlen(in))) {
805 fprintf(stderr, "EVP_DecodeBase64 failed\n");
806 return false;
807 }
808 out->resize(len);
809 return true;
810 }
811
TEST(SSLTest,SessionEncoding)812 TEST(SSLTest, SessionEncoding) {
813 for (const char *input_b64 : {
814 kOpenSSLSession,
815 kCustomSession,
816 kBoringSSLSession,
817 }) {
818 SCOPED_TRACE(std::string(input_b64));
819 // Decode the input.
820 std::vector<uint8_t> input;
821 ASSERT_TRUE(DecodeBase64(&input, input_b64));
822
823 // Verify the SSL_SESSION decodes.
824 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
825 ASSERT_TRUE(ssl_ctx);
826 bssl::UniquePtr<SSL_SESSION> session(
827 SSL_SESSION_from_bytes(input.data(), input.size(), ssl_ctx.get()));
828 ASSERT_TRUE(session) << "SSL_SESSION_from_bytes failed";
829
830 // Verify the SSL_SESSION encoding round-trips.
831 size_t encoded_len;
832 bssl::UniquePtr<uint8_t> encoded;
833 uint8_t *encoded_raw;
834 ASSERT_TRUE(SSL_SESSION_to_bytes(session.get(), &encoded_raw, &encoded_len))
835 << "SSL_SESSION_to_bytes failed";
836 encoded.reset(encoded_raw);
837 EXPECT_EQ(Bytes(encoded.get(), encoded_len), Bytes(input))
838 << "SSL_SESSION_to_bytes did not round-trip";
839
840 // Verify the SSL_SESSION also decodes with the legacy API.
841 const uint8_t *cptr = input.data();
842 session.reset(d2i_SSL_SESSION(NULL, &cptr, input.size()));
843 ASSERT_TRUE(session) << "d2i_SSL_SESSION failed";
844 EXPECT_EQ(cptr, input.data() + input.size());
845
846 // Verify the SSL_SESSION encoding round-trips via the legacy API.
847 int len = i2d_SSL_SESSION(session.get(), NULL);
848 ASSERT_GT(len, 0) << "i2d_SSL_SESSION failed";
849 ASSERT_EQ(static_cast<size_t>(len), input.size())
850 << "i2d_SSL_SESSION(NULL) returned invalid length";
851
852 encoded.reset((uint8_t *)OPENSSL_malloc(input.size()));
853 ASSERT_TRUE(encoded);
854
855 uint8_t *ptr = encoded.get();
856 len = i2d_SSL_SESSION(session.get(), &ptr);
857 ASSERT_GT(len, 0) << "i2d_SSL_SESSION failed";
858 ASSERT_EQ(static_cast<size_t>(len), input.size())
859 << "i2d_SSL_SESSION(NULL) returned invalid length";
860 ASSERT_EQ(ptr, encoded.get() + input.size())
861 << "i2d_SSL_SESSION did not advance ptr correctly";
862 EXPECT_EQ(Bytes(encoded.get(), encoded_len), Bytes(input))
863 << "SSL_SESSION_to_bytes did not round-trip";
864 }
865
866 for (const char *input_b64 : {
867 kBadSessionExtraField,
868 kBadSessionVersion,
869 kBadSessionTrailingData,
870 }) {
871 SCOPED_TRACE(std::string(input_b64));
872 std::vector<uint8_t> input;
873 ASSERT_TRUE(DecodeBase64(&input, input_b64));
874
875 // Verify that the SSL_SESSION fails to decode.
876 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
877 ASSERT_TRUE(ssl_ctx);
878 bssl::UniquePtr<SSL_SESSION> session(
879 SSL_SESSION_from_bytes(input.data(), input.size(), ssl_ctx.get()));
880 EXPECT_FALSE(session) << "SSL_SESSION_from_bytes unexpectedly succeeded";
881 ERR_clear_error();
882 }
883 }
884
ExpectDefaultVersion(uint16_t min_version,uint16_t max_version,const SSL_METHOD * (* method)(void))885 static void ExpectDefaultVersion(uint16_t min_version, uint16_t max_version,
886 const SSL_METHOD *(*method)(void)) {
887 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method()));
888 ASSERT_TRUE(ctx);
889 EXPECT_EQ(min_version, SSL_CTX_get_min_proto_version(ctx.get()));
890 EXPECT_EQ(max_version, SSL_CTX_get_max_proto_version(ctx.get()));
891 }
892
TEST(SSLTest,DefaultVersion)893 TEST(SSLTest, DefaultVersion) {
894 ExpectDefaultVersion(TLS1_VERSION, TLS1_3_VERSION, &TLS_method);
895 ExpectDefaultVersion(TLS1_VERSION, TLS1_VERSION, &TLSv1_method);
896 ExpectDefaultVersion(TLS1_1_VERSION, TLS1_1_VERSION, &TLSv1_1_method);
897 ExpectDefaultVersion(TLS1_2_VERSION, TLS1_2_VERSION, &TLSv1_2_method);
898 ExpectDefaultVersion(DTLS1_VERSION, DTLS1_2_VERSION, &DTLS_method);
899 ExpectDefaultVersion(DTLS1_VERSION, DTLS1_VERSION, &DTLSv1_method);
900 ExpectDefaultVersion(DTLS1_2_VERSION, DTLS1_2_VERSION, &DTLSv1_2_method);
901 }
902
TEST(SSLTest,CipherProperties)903 TEST(SSLTest, CipherProperties) {
904 static const struct {
905 int id;
906 const char *standard_name;
907 int cipher_nid;
908 int digest_nid;
909 int kx_nid;
910 int auth_nid;
911 int prf_nid;
912 } kTests[] = {
913 {
914 SSL3_CK_RSA_DES_192_CBC3_SHA,
915 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
916 NID_des_ede3_cbc,
917 NID_sha1,
918 NID_kx_rsa,
919 NID_auth_rsa,
920 NID_md5_sha1,
921 },
922 {
923 TLS1_CK_RSA_WITH_AES_128_SHA,
924 "TLS_RSA_WITH_AES_128_CBC_SHA",
925 NID_aes_128_cbc,
926 NID_sha1,
927 NID_kx_rsa,
928 NID_auth_rsa,
929 NID_md5_sha1,
930 },
931 {
932 TLS1_CK_PSK_WITH_AES_256_CBC_SHA,
933 "TLS_PSK_WITH_AES_256_CBC_SHA",
934 NID_aes_256_cbc,
935 NID_sha1,
936 NID_kx_psk,
937 NID_auth_psk,
938 NID_md5_sha1,
939 },
940 {
941 TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
942 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
943 NID_aes_128_cbc,
944 NID_sha1,
945 NID_kx_ecdhe,
946 NID_auth_rsa,
947 NID_md5_sha1,
948 },
949 {
950 TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
951 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
952 NID_aes_256_cbc,
953 NID_sha1,
954 NID_kx_ecdhe,
955 NID_auth_rsa,
956 NID_md5_sha1,
957 },
958 {
959 TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
960 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
961 NID_aes_128_gcm,
962 NID_undef,
963 NID_kx_ecdhe,
964 NID_auth_rsa,
965 NID_sha256,
966 },
967 {
968 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
969 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
970 NID_aes_128_gcm,
971 NID_undef,
972 NID_kx_ecdhe,
973 NID_auth_ecdsa,
974 NID_sha256,
975 },
976 {
977 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
978 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
979 NID_aes_256_gcm,
980 NID_undef,
981 NID_kx_ecdhe,
982 NID_auth_ecdsa,
983 NID_sha384,
984 },
985 {
986 TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA,
987 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
988 NID_aes_128_cbc,
989 NID_sha1,
990 NID_kx_ecdhe,
991 NID_auth_psk,
992 NID_md5_sha1,
993 },
994 {
995 TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
996 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
997 NID_chacha20_poly1305,
998 NID_undef,
999 NID_kx_ecdhe,
1000 NID_auth_rsa,
1001 NID_sha256,
1002 },
1003 {
1004 TLS1_CK_AES_256_GCM_SHA384,
1005 "TLS_AES_256_GCM_SHA384",
1006 NID_aes_256_gcm,
1007 NID_undef,
1008 NID_kx_any,
1009 NID_auth_any,
1010 NID_sha384,
1011 },
1012 {
1013 TLS1_CK_AES_128_GCM_SHA256,
1014 "TLS_AES_128_GCM_SHA256",
1015 NID_aes_128_gcm,
1016 NID_undef,
1017 NID_kx_any,
1018 NID_auth_any,
1019 NID_sha256,
1020 },
1021 {
1022 TLS1_CK_CHACHA20_POLY1305_SHA256,
1023 "TLS_CHACHA20_POLY1305_SHA256",
1024 NID_chacha20_poly1305,
1025 NID_undef,
1026 NID_kx_any,
1027 NID_auth_any,
1028 NID_sha256,
1029 },
1030 };
1031
1032 for (const auto &t : kTests) {
1033 SCOPED_TRACE(t.standard_name);
1034
1035 const SSL_CIPHER *cipher = SSL_get_cipher_by_value(t.id & 0xffff);
1036 ASSERT_TRUE(cipher);
1037 EXPECT_STREQ(t.standard_name, SSL_CIPHER_standard_name(cipher));
1038
1039 bssl::UniquePtr<char> rfc_name(SSL_CIPHER_get_rfc_name(cipher));
1040 ASSERT_TRUE(rfc_name);
1041 EXPECT_STREQ(t.standard_name, rfc_name.get());
1042
1043 EXPECT_EQ(t.cipher_nid, SSL_CIPHER_get_cipher_nid(cipher));
1044 EXPECT_EQ(t.digest_nid, SSL_CIPHER_get_digest_nid(cipher));
1045 EXPECT_EQ(t.kx_nid, SSL_CIPHER_get_kx_nid(cipher));
1046 EXPECT_EQ(t.auth_nid, SSL_CIPHER_get_auth_nid(cipher));
1047 EXPECT_EQ(t.prf_nid, SSL_CIPHER_get_prf_nid(cipher));
1048 }
1049 }
1050
1051 // CreateSessionWithTicket returns a sample |SSL_SESSION| with the specified
1052 // version and ticket length or nullptr on failure.
CreateSessionWithTicket(uint16_t version,size_t ticket_len)1053 static bssl::UniquePtr<SSL_SESSION> CreateSessionWithTicket(uint16_t version,
1054 size_t ticket_len) {
1055 std::vector<uint8_t> der;
1056 if (!DecodeBase64(&der, kOpenSSLSession)) {
1057 return nullptr;
1058 }
1059
1060 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
1061 if (!ssl_ctx) {
1062 return nullptr;
1063 }
1064 // Use a garbage ticket.
1065 std::vector<uint8_t> ticket(ticket_len, 'a');
1066 bssl::UniquePtr<SSL_SESSION> session(
1067 SSL_SESSION_from_bytes(der.data(), der.size(), ssl_ctx.get()));
1068 if (!session ||
1069 !SSL_SESSION_set_protocol_version(session.get(), version) ||
1070 !SSL_SESSION_set_ticket(session.get(), ticket.data(), ticket.size())) {
1071 return nullptr;
1072 }
1073 // Fix up the timeout.
1074 #if defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE)
1075 SSL_SESSION_set_time(session.get(), 1234);
1076 #else
1077 SSL_SESSION_set_time(session.get(), time(nullptr));
1078 #endif
1079 return session;
1080 }
1081
GetClientHello(SSL * ssl,std::vector<uint8_t> * out)1082 static bool GetClientHello(SSL *ssl, std::vector<uint8_t> *out) {
1083 bssl::UniquePtr<BIO> bio(BIO_new(BIO_s_mem()));
1084 if (!bio) {
1085 return false;
1086 }
1087 // Do not configure a reading BIO, but record what's written to a memory BIO.
1088 BIO_up_ref(bio.get());
1089 SSL_set_bio(ssl, nullptr /* rbio */, bio.get());
1090 int ret = SSL_connect(ssl);
1091 if (ret > 0) {
1092 // SSL_connect should fail without a BIO to write to.
1093 return false;
1094 }
1095 ERR_clear_error();
1096
1097 const uint8_t *client_hello;
1098 size_t client_hello_len;
1099 if (!BIO_mem_contents(bio.get(), &client_hello, &client_hello_len)) {
1100 return false;
1101 }
1102 *out = std::vector<uint8_t>(client_hello, client_hello + client_hello_len);
1103 return true;
1104 }
1105
1106 // GetClientHelloLen creates a client SSL connection with the specified version
1107 // and ticket length. It returns the length of the ClientHello, not including
1108 // the record header, on success and zero on error.
GetClientHelloLen(uint16_t max_version,uint16_t session_version,size_t ticket_len)1109 static size_t GetClientHelloLen(uint16_t max_version, uint16_t session_version,
1110 size_t ticket_len) {
1111 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
1112 bssl::UniquePtr<SSL_SESSION> session =
1113 CreateSessionWithTicket(session_version, ticket_len);
1114 if (!ctx || !session) {
1115 return 0;
1116 }
1117
1118 // Set a one-element cipher list so the baseline ClientHello is unpadded.
1119 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
1120 if (!ssl || !SSL_set_session(ssl.get(), session.get()) ||
1121 !SSL_set_strict_cipher_list(ssl.get(), "ECDHE-RSA-AES128-GCM-SHA256") ||
1122 !SSL_set_max_proto_version(ssl.get(), max_version)) {
1123 return 0;
1124 }
1125
1126 std::vector<uint8_t> client_hello;
1127 if (!GetClientHello(ssl.get(), &client_hello) ||
1128 client_hello.size() <= SSL3_RT_HEADER_LENGTH) {
1129 return 0;
1130 }
1131
1132 return client_hello.size() - SSL3_RT_HEADER_LENGTH;
1133 }
1134
TEST(SSLTest,Padding)1135 TEST(SSLTest, Padding) {
1136 struct PaddingVersions {
1137 uint16_t max_version, session_version;
1138 };
1139 static const PaddingVersions kPaddingVersions[] = {
1140 // Test the padding extension at TLS 1.2.
1141 {TLS1_2_VERSION, TLS1_2_VERSION},
1142 // Test the padding extension at TLS 1.3 with a TLS 1.2 session, so there
1143 // will be no PSK binder after the padding extension.
1144 {TLS1_3_VERSION, TLS1_2_VERSION},
1145 // Test the padding extension at TLS 1.3 with a TLS 1.3 session, so there
1146 // will be a PSK binder after the padding extension.
1147 {TLS1_3_VERSION, TLS1_3_VERSION},
1148
1149 };
1150
1151 struct PaddingTest {
1152 size_t input_len, padded_len;
1153 };
1154 static const PaddingTest kPaddingTests[] = {
1155 // ClientHellos of length below 0x100 do not require padding.
1156 {0xfe, 0xfe},
1157 {0xff, 0xff},
1158 // ClientHellos of length 0x100 through 0x1fb are padded up to 0x200.
1159 {0x100, 0x200},
1160 {0x123, 0x200},
1161 {0x1fb, 0x200},
1162 // ClientHellos of length 0x1fc through 0x1ff get padded beyond 0x200. The
1163 // padding extension takes a minimum of four bytes plus one required
1164 // content
1165 // byte. (To work around yet more server bugs, we avoid empty final
1166 // extensions.)
1167 {0x1fc, 0x201},
1168 {0x1fd, 0x202},
1169 {0x1fe, 0x203},
1170 {0x1ff, 0x204},
1171 // Finally, larger ClientHellos need no padding.
1172 {0x200, 0x200},
1173 {0x201, 0x201},
1174 };
1175
1176 for (const PaddingVersions &versions : kPaddingVersions) {
1177 SCOPED_TRACE(versions.max_version);
1178 SCOPED_TRACE(versions.session_version);
1179
1180 // Sample a baseline length.
1181 size_t base_len =
1182 GetClientHelloLen(versions.max_version, versions.session_version, 1);
1183 ASSERT_NE(base_len, 0u) << "Baseline length could not be sampled";
1184
1185 for (const PaddingTest &test : kPaddingTests) {
1186 SCOPED_TRACE(test.input_len);
1187 ASSERT_LE(base_len, test.input_len) << "Baseline ClientHello too long";
1188
1189 size_t padded_len =
1190 GetClientHelloLen(versions.max_version, versions.session_version,
1191 1 + test.input_len - base_len);
1192 EXPECT_EQ(padded_len, test.padded_len)
1193 << "ClientHello was not padded to expected length";
1194 }
1195 }
1196 }
1197
CertFromPEM(const char * pem)1198 static bssl::UniquePtr<X509> CertFromPEM(const char *pem) {
1199 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(pem, strlen(pem)));
1200 if (!bio) {
1201 return nullptr;
1202 }
1203 return bssl::UniquePtr<X509>(
1204 PEM_read_bio_X509(bio.get(), nullptr, nullptr, nullptr));
1205 }
1206
KeyFromPEM(const char * pem)1207 static bssl::UniquePtr<EVP_PKEY> KeyFromPEM(const char *pem) {
1208 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(pem, strlen(pem)));
1209 if (!bio) {
1210 return nullptr;
1211 }
1212 return bssl::UniquePtr<EVP_PKEY>(
1213 PEM_read_bio_PrivateKey(bio.get(), nullptr, nullptr, nullptr));
1214 }
1215
GetTestCertificate()1216 static bssl::UniquePtr<X509> GetTestCertificate() {
1217 static const char kCertPEM[] =
1218 "-----BEGIN CERTIFICATE-----\n"
1219 "MIICWDCCAcGgAwIBAgIJAPuwTC6rEJsMMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV\n"
1220 "BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX\n"
1221 "aWRnaXRzIFB0eSBMdGQwHhcNMTQwNDIzMjA1MDQwWhcNMTcwNDIyMjA1MDQwWjBF\n"
1222 "MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50\n"
1223 "ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\n"
1224 "gQDYK8imMuRi/03z0K1Zi0WnvfFHvwlYeyK9Na6XJYaUoIDAtB92kWdGMdAQhLci\n"
1225 "HnAjkXLI6W15OoV3gA/ElRZ1xUpxTMhjP6PyY5wqT5r6y8FxbiiFKKAnHmUcrgfV\n"
1226 "W28tQ+0rkLGMryRtrukXOgXBv7gcrmU7G1jC2a7WqmeI8QIDAQABo1AwTjAdBgNV\n"
1227 "HQ4EFgQUi3XVrMsIvg4fZbf6Vr5sp3Xaha8wHwYDVR0jBBgwFoAUi3XVrMsIvg4f\n"
1228 "Zbf6Vr5sp3Xaha8wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQA76Hht\n"
1229 "ldY9avcTGSwbwoiuIqv0jTL1fHFnzy3RHMLDh+Lpvolc5DSrSJHCP5WuK0eeJXhr\n"
1230 "T5oQpHL9z/cCDLAKCKRa4uV0fhEdOWBqyR9p8y5jJtye72t6CuFUV5iqcpF4BH4f\n"
1231 "j2VNHwsSrJwkD4QUGlUtH7vwnQmyCFxZMmWAJg==\n"
1232 "-----END CERTIFICATE-----\n";
1233 return CertFromPEM(kCertPEM);
1234 }
1235
GetTestKey()1236 static bssl::UniquePtr<EVP_PKEY> GetTestKey() {
1237 static const char kKeyPEM[] =
1238 "-----BEGIN RSA PRIVATE KEY-----\n"
1239 "MIICXgIBAAKBgQDYK8imMuRi/03z0K1Zi0WnvfFHvwlYeyK9Na6XJYaUoIDAtB92\n"
1240 "kWdGMdAQhLciHnAjkXLI6W15OoV3gA/ElRZ1xUpxTMhjP6PyY5wqT5r6y8FxbiiF\n"
1241 "KKAnHmUcrgfVW28tQ+0rkLGMryRtrukXOgXBv7gcrmU7G1jC2a7WqmeI8QIDAQAB\n"
1242 "AoGBAIBy09Fd4DOq/Ijp8HeKuCMKTHqTW1xGHshLQ6jwVV2vWZIn9aIgmDsvkjCe\n"
1243 "i6ssZvnbjVcwzSoByhjN8ZCf/i15HECWDFFh6gt0P5z0MnChwzZmvatV/FXCT0j+\n"
1244 "WmGNB/gkehKjGXLLcjTb6dRYVJSCZhVuOLLcbWIV10gggJQBAkEA8S8sGe4ezyyZ\n"
1245 "m4e9r95g6s43kPqtj5rewTsUxt+2n4eVodD+ZUlCULWVNAFLkYRTBCASlSrm9Xhj\n"
1246 "QpmWAHJUkQJBAOVzQdFUaewLtdOJoPCtpYoY1zd22eae8TQEmpGOR11L6kbxLQsk\n"
1247 "aMly/DOnOaa82tqAGTdqDEZgSNmCeKKknmECQAvpnY8GUOVAubGR6c+W90iBuQLj\n"
1248 "LtFp/9ihd2w/PoDwrHZaoUYVcT4VSfJQog/k7kjE4MYXYWL8eEKg3WTWQNECQQDk\n"
1249 "104Wi91Umd1PzF0ijd2jXOERJU1wEKe6XLkYYNHWQAe5l4J4MWj9OdxFXAxIuuR/\n"
1250 "tfDwbqkta4xcux67//khAkEAvvRXLHTaa6VFzTaiiO8SaFsHV3lQyXOtMrBpB5jd\n"
1251 "moZWgjHvB2W9Ckn7sDqsPB+U2tyX0joDdQEyuiMECDY8oQ==\n"
1252 "-----END RSA PRIVATE KEY-----\n";
1253 return KeyFromPEM(kKeyPEM);
1254 }
1255
CreateContextWithTestCertificate(const SSL_METHOD * method)1256 static bssl::UniquePtr<SSL_CTX> CreateContextWithTestCertificate(
1257 const SSL_METHOD *method) {
1258 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
1259 bssl::UniquePtr<X509> cert = GetTestCertificate();
1260 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
1261 if (!ctx || !cert || !key ||
1262 !SSL_CTX_use_certificate(ctx.get(), cert.get()) ||
1263 !SSL_CTX_use_PrivateKey(ctx.get(), key.get())) {
1264 return nullptr;
1265 }
1266 return ctx;
1267 }
1268
GetECDSATestCertificate()1269 static bssl::UniquePtr<X509> GetECDSATestCertificate() {
1270 static const char kCertPEM[] =
1271 "-----BEGIN CERTIFICATE-----\n"
1272 "MIIBzzCCAXagAwIBAgIJANlMBNpJfb/rMAkGByqGSM49BAEwRTELMAkGA1UEBhMC\n"
1273 "QVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdp\n"
1274 "dHMgUHR5IEx0ZDAeFw0xNDA0MjMyMzIxNTdaFw0xNDA1MjMyMzIxNTdaMEUxCzAJ\n"
1275 "BgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5l\n"
1276 "dCBXaWRnaXRzIFB0eSBMdGQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATmK2ni\n"
1277 "v2Wfl74vHg2UikzVl2u3qR4NRvvdqakendy6WgHn1peoChj5w8SjHlbifINI2xYa\n"
1278 "HPUdfvGULUvPciLBo1AwTjAdBgNVHQ4EFgQUq4TSrKuV8IJOFngHVVdf5CaNgtEw\n"
1279 "HwYDVR0jBBgwFoAUq4TSrKuV8IJOFngHVVdf5CaNgtEwDAYDVR0TBAUwAwEB/zAJ\n"
1280 "BgcqhkjOPQQBA0gAMEUCIQDyoDVeUTo2w4J5m+4nUIWOcAZ0lVfSKXQA9L4Vh13E\n"
1281 "BwIgfB55FGohg/B6dGh5XxSZmmi08cueFV7mHzJSYV51yRQ=\n"
1282 "-----END CERTIFICATE-----\n";
1283 return CertFromPEM(kCertPEM);
1284 }
1285
GetECDSATestKey()1286 static bssl::UniquePtr<EVP_PKEY> GetECDSATestKey() {
1287 static const char kKeyPEM[] =
1288 "-----BEGIN PRIVATE KEY-----\n"
1289 "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgBw8IcnrUoEqc3VnJ\n"
1290 "TYlodwi1b8ldMHcO6NHJzgqLtGqhRANCAATmK2niv2Wfl74vHg2UikzVl2u3qR4N\n"
1291 "Rvvdqakendy6WgHn1peoChj5w8SjHlbifINI2xYaHPUdfvGULUvPciLB\n"
1292 "-----END PRIVATE KEY-----\n";
1293 return KeyFromPEM(kKeyPEM);
1294 }
1295
BufferFromPEM(const char * pem)1296 static bssl::UniquePtr<CRYPTO_BUFFER> BufferFromPEM(const char *pem) {
1297 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(pem, strlen(pem)));
1298 char *name, *header;
1299 uint8_t *data;
1300 long data_len;
1301 if (!PEM_read_bio(bio.get(), &name, &header, &data,
1302 &data_len)) {
1303 return nullptr;
1304 }
1305 OPENSSL_free(name);
1306 OPENSSL_free(header);
1307
1308 auto ret = bssl::UniquePtr<CRYPTO_BUFFER>(
1309 CRYPTO_BUFFER_new(data, data_len, nullptr));
1310 OPENSSL_free(data);
1311 return ret;
1312 }
1313
GetChainTestCertificateBuffer()1314 static bssl::UniquePtr<CRYPTO_BUFFER> GetChainTestCertificateBuffer() {
1315 static const char kCertPEM[] =
1316 "-----BEGIN CERTIFICATE-----\n"
1317 "MIIC0jCCAbqgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEQiBD\n"
1318 "QTAeFw0xNjAyMjgyMDI3MDNaFw0yNjAyMjUyMDI3MDNaMBgxFjAUBgNVBAMMDUNs\n"
1319 "aWVudCBDZXJ0IEEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDRvaz8\n"
1320 "CC/cshpCafJo4jLkHEoBqDLhdgFelJoAiQUyIqyWl2O7YHPnpJH+TgR7oelzNzt/\n"
1321 "kLRcH89M/TszB6zqyLTC4aqmvzKL0peD/jL2LWBucR0WXIvjA3zoRuF/x86+rYH3\n"
1322 "tHb+xs2PSs8EGL/Ev+ss+qTzTGEn26fuGNHkNw6tOwPpc+o8+wUtzf/kAthamo+c\n"
1323 "IDs2rQ+lP7+aLZTLeU/q4gcLutlzcK5imex5xy2jPkweq48kijK0kIzl1cPlA5d1\n"
1324 "z7C8jU50Pj9X9sQDJTN32j7UYRisJeeYQF8GaaN8SbrDI6zHgKzrRLyxDt/KQa9V\n"
1325 "iLeXANgZi+Xx9KgfAgMBAAGjLzAtMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYI\n"
1326 "KwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQBFEVbmYl+2RtNw\n"
1327 "rDftRDF1v2QUbcN2ouSnQDHxeDQdSgasLzT3ui8iYu0Rw2WWcZ0DV5e0ztGPhWq7\n"
1328 "AO0B120aFRMOY+4+bzu9Q2FFkQqc7/fKTvTDzIJI5wrMnFvUfzzvxh3OHWMYSs/w\n"
1329 "giq33hTKeHEq6Jyk3btCny0Ycecyc3yGXH10sizUfiHlhviCkDuESk8mFDwDDzqW\n"
1330 "ZF0IipzFbEDHoIxLlm3GQxpiLoEV4k8KYJp3R5KBLFyxM6UGPz8h72mIPCJp2RuK\n"
1331 "MYgF91UDvVzvnYm6TfseM2+ewKirC00GOrZ7rEcFvtxnKSqYf4ckqfNdSU1Y+RRC\n"
1332 "1ngWZ7Ih\n"
1333 "-----END CERTIFICATE-----\n";
1334 return BufferFromPEM(kCertPEM);
1335 }
1336
X509FromBuffer(bssl::UniquePtr<CRYPTO_BUFFER> buffer)1337 static bssl::UniquePtr<X509> X509FromBuffer(
1338 bssl::UniquePtr<CRYPTO_BUFFER> buffer) {
1339 if (!buffer) {
1340 return nullptr;
1341 }
1342 const uint8_t *derp = CRYPTO_BUFFER_data(buffer.get());
1343 return bssl::UniquePtr<X509>(
1344 d2i_X509(NULL, &derp, CRYPTO_BUFFER_len(buffer.get())));
1345 }
1346
GetChainTestCertificate()1347 static bssl::UniquePtr<X509> GetChainTestCertificate() {
1348 return X509FromBuffer(GetChainTestCertificateBuffer());
1349 }
1350
GetChainTestIntermediateBuffer()1351 static bssl::UniquePtr<CRYPTO_BUFFER> GetChainTestIntermediateBuffer() {
1352 static const char kCertPEM[] =
1353 "-----BEGIN CERTIFICATE-----\n"
1354 "MIICwjCCAaqgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwFDESMBAGA1UEAwwJQyBS\n"
1355 "b290IENBMB4XDTE2MDIyODIwMjcwM1oXDTI2MDIyNTIwMjcwM1owDzENMAsGA1UE\n"
1356 "AwwEQiBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALsSCYmDip2D\n"
1357 "GkjFxw7ykz26JSjELkl6ArlYjFJ3aT/SCh8qbS4gln7RH8CPBd78oFdfhIKQrwtZ\n"
1358 "3/q21ykD9BAS3qHe2YdcJfm8/kWAy5DvXk6NXU4qX334KofBAEpgdA/igEFq1P1l\n"
1359 "HAuIfZCpMRfT+i5WohVsGi8f/NgpRvVaMONLNfgw57mz1lbtFeBEISmX0kbsuJxF\n"
1360 "Qj/Bwhi5/0HAEXG8e7zN4cEx0yPRvmOATRdVb/8dW2pwOHRJq9R5M0NUkIsTSnL7\n"
1361 "6N/z8hRAHMsV3IudC5Yd7GXW1AGu9a+iKU+Q4xcZCoj0DC99tL4VKujrV1kAeqsM\n"
1362 "cz5/dKzi6+cCAwEAAaMjMCEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
1363 "AQYwDQYJKoZIhvcNAQELBQADggEBAIIeZiEeNhWWQ8Y4D+AGDwqUUeG8NjCbKrXQ\n"
1364 "BlHg5wZ8xftFaiP1Dp/UAezmx2LNazdmuwrYB8lm3FVTyaPDTKEGIPS4wJKHgqH1\n"
1365 "QPDhqNm85ey7TEtI9oYjsNim/Rb+iGkIAMXaxt58SzxbjvP0kMr1JfJIZbic9vye\n"
1366 "NwIspMFIpP3FB8ywyu0T0hWtCQgL4J47nigCHpOu58deP88fS/Nyz/fyGVWOZ76b\n"
1367 "WhWwgM3P3X95fQ3d7oFPR/bVh0YV+Cf861INwplokXgXQ3/TCQ+HNXeAMWn3JLWv\n"
1368 "XFwk8owk9dq/kQGdndGgy3KTEW4ctPX5GNhf3LJ9Q7dLji4ReQ4=\n"
1369 "-----END CERTIFICATE-----\n";
1370 return BufferFromPEM(kCertPEM);
1371 }
1372
GetChainTestIntermediate()1373 static bssl::UniquePtr<X509> GetChainTestIntermediate() {
1374 return X509FromBuffer(GetChainTestIntermediateBuffer());
1375 }
1376
GetChainTestKey()1377 static bssl::UniquePtr<EVP_PKEY> GetChainTestKey() {
1378 static const char kKeyPEM[] =
1379 "-----BEGIN PRIVATE KEY-----\n"
1380 "MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDRvaz8CC/cshpC\n"
1381 "afJo4jLkHEoBqDLhdgFelJoAiQUyIqyWl2O7YHPnpJH+TgR7oelzNzt/kLRcH89M\n"
1382 "/TszB6zqyLTC4aqmvzKL0peD/jL2LWBucR0WXIvjA3zoRuF/x86+rYH3tHb+xs2P\n"
1383 "Ss8EGL/Ev+ss+qTzTGEn26fuGNHkNw6tOwPpc+o8+wUtzf/kAthamo+cIDs2rQ+l\n"
1384 "P7+aLZTLeU/q4gcLutlzcK5imex5xy2jPkweq48kijK0kIzl1cPlA5d1z7C8jU50\n"
1385 "Pj9X9sQDJTN32j7UYRisJeeYQF8GaaN8SbrDI6zHgKzrRLyxDt/KQa9ViLeXANgZ\n"
1386 "i+Xx9KgfAgMBAAECggEBAK0VjSJzkyPaamcyTVSWjo7GdaBGcK60lk657RjR+lK0\n"
1387 "YJ7pkej4oM2hdsVZFsP8Cs4E33nXLa/0pDsRov/qrp0WQm2skwqGMC1I/bZ0WRPk\n"
1388 "wHaDrBBfESWnJDX/AGpVtlyOjPmgmK6J2usMPihQUDkKdAYrVWJePrMIxt1q6BMe\n"
1389 "iczs3qriMmtY3bUc4UyUwJ5fhDLjshHvfuIpYQyI6EXZM6dZksn9LylXJnigY6QJ\n"
1390 "HxOYO0BDwOsZ8yQ8J8afLk88i0GizEkgE1z3REtQUwgWfxr1WV/ud+T6/ZhSAgH9\n"
1391 "042mQvSFZnIUSEsmCvjhWuAunfxHKCTcAoYISWfzWpkCgYEA7gpf3HHU5Tn+CgUn\n"
1392 "1X5uGpG3DmcMgfeGgs2r2f/IIg/5Ac1dfYILiybL1tN9zbyLCJfcbFpWBc9hJL6f\n"
1393 "CPc5hUiwWFJqBJewxQkC1Ae/HakHbip+IZ+Jr0842O4BAArvixk4Lb7/N2Ct9sTE\n"
1394 "NJO6RtK9lbEZ5uK61DglHy8CS2UCgYEA4ZC1o36kPAMQBggajgnucb2yuUEelk0f\n"
1395 "AEr+GI32MGE+93xMr7rAhBoqLg4AITyIfEnOSQ5HwagnIHonBbv1LV/Gf9ursx8Z\n"
1396 "YOGbvT8zzzC+SU1bkDzdjAYnFQVGIjMtKOBJ3K07++ypwX1fr4QsQ8uKL8WSOWwt\n"
1397 "Z3Bym6XiZzMCgYADnhy+2OwHX85AkLt+PyGlPbmuelpyTzS4IDAQbBa6jcuW/2wA\n"
1398 "UE2km75VUXmD+u2R/9zVuLm99NzhFhSMqlUxdV1YukfqMfP5yp1EY6m/5aW7QuIP\n"
1399 "2MDa7TVL9rIFMiVZ09RKvbBbQxjhuzPQKL6X/PPspnhiTefQ+dl2k9xREQKBgHDS\n"
1400 "fMfGNEeAEKezrfSVqxphE9/tXms3L+ZpnCaT+yu/uEr5dTIAawKoQ6i9f/sf1/Sy\n"
1401 "xedsqR+IB+oKrzIDDWMgoJybN4pkZ8E5lzhVQIjFjKgFdWLzzqyW9z1gYfABQPlN\n"
1402 "FiS20WX0vgP1vcKAjdNrHzc9zyHBpgQzDmAj3NZZAoGBAI8vKCKdH7w3aL5CNkZQ\n"
1403 "2buIeWNA2HZazVwAGG5F2TU/LmXfRKnG6dX5bkU+AkBZh56jNZy//hfFSewJB4Kk\n"
1404 "buB7ERSdaNbO21zXt9FEA3+z0RfMd/Zv2vlIWOSB5nzl/7UKti3sribK6s9ZVLfi\n"
1405 "SxpiPQ8d/hmSGwn4ksrWUsJD\n"
1406 "-----END PRIVATE KEY-----\n";
1407 return KeyFromPEM(kKeyPEM);
1408 }
1409
CompleteHandshakes(SSL * client,SSL * server)1410 static bool CompleteHandshakes(SSL *client, SSL *server) {
1411 // Drive both their handshakes to completion.
1412 for (;;) {
1413 int client_ret = SSL_do_handshake(client);
1414 int client_err = SSL_get_error(client, client_ret);
1415 if (client_err != SSL_ERROR_NONE &&
1416 client_err != SSL_ERROR_WANT_READ &&
1417 client_err != SSL_ERROR_WANT_WRITE &&
1418 client_err != SSL_ERROR_PENDING_TICKET) {
1419 fprintf(stderr, "Client error: %s\n", SSL_error_description(client_err));
1420 return false;
1421 }
1422
1423 int server_ret = SSL_do_handshake(server);
1424 int server_err = SSL_get_error(server, server_ret);
1425 if (server_err != SSL_ERROR_NONE &&
1426 server_err != SSL_ERROR_WANT_READ &&
1427 server_err != SSL_ERROR_WANT_WRITE &&
1428 server_err != SSL_ERROR_PENDING_TICKET) {
1429 fprintf(stderr, "Server error: %s\n", SSL_error_description(server_err));
1430 return false;
1431 }
1432
1433 if (client_ret == 1 && server_ret == 1) {
1434 break;
1435 }
1436 }
1437
1438 return true;
1439 }
1440
FlushNewSessionTickets(SSL * client,SSL * server)1441 static bool FlushNewSessionTickets(SSL *client, SSL *server) {
1442 // NewSessionTickets are deferred on the server to |SSL_write|, and clients do
1443 // not pick them up until |SSL_read|.
1444 for (;;) {
1445 int server_ret = SSL_write(server, nullptr, 0);
1446 int server_err = SSL_get_error(server, server_ret);
1447 // The server may either succeed (|server_ret| is zero) or block on write
1448 // (|server_ret| is -1 and |server_err| is |SSL_ERROR_WANT_WRITE|).
1449 if (server_ret > 0 ||
1450 (server_ret < 0 && server_err != SSL_ERROR_WANT_WRITE)) {
1451 fprintf(stderr, "Unexpected server result: %d %d\n", server_ret,
1452 server_err);
1453 return false;
1454 }
1455
1456 int client_ret = SSL_read(client, nullptr, 0);
1457 int client_err = SSL_get_error(client, client_ret);
1458 // The client must always block on read.
1459 if (client_ret != -1 || client_err != SSL_ERROR_WANT_READ) {
1460 fprintf(stderr, "Unexpected client result: %d %d\n", client_ret,
1461 client_err);
1462 return false;
1463 }
1464
1465 // The server flushed everything it had to write.
1466 if (server_ret == 0) {
1467 return true;
1468 }
1469 }
1470 }
1471
1472 // CreateClientAndServer creates a client and server |SSL| objects whose |BIO|s
1473 // are paired with each other. It does not run the handshake. The caller is
1474 // expected to configure the objects and drive the handshake as needed.
CreateClientAndServer(bssl::UniquePtr<SSL> * out_client,bssl::UniquePtr<SSL> * out_server,SSL_CTX * client_ctx,SSL_CTX * server_ctx)1475 static bool CreateClientAndServer(bssl::UniquePtr<SSL> *out_client,
1476 bssl::UniquePtr<SSL> *out_server,
1477 SSL_CTX *client_ctx, SSL_CTX *server_ctx) {
1478 bssl::UniquePtr<SSL> client(SSL_new(client_ctx)), server(SSL_new(server_ctx));
1479 if (!client || !server) {
1480 return false;
1481 }
1482 SSL_set_connect_state(client.get());
1483 SSL_set_accept_state(server.get());
1484
1485 BIO *bio1, *bio2;
1486 if (!BIO_new_bio_pair(&bio1, 0, &bio2, 0)) {
1487 return false;
1488 }
1489 // SSL_set_bio takes ownership.
1490 SSL_set_bio(client.get(), bio1, bio1);
1491 SSL_set_bio(server.get(), bio2, bio2);
1492
1493 *out_client = std::move(client);
1494 *out_server = std::move(server);
1495 return true;
1496 }
1497
1498 struct ClientConfig {
1499 SSL_SESSION *session = nullptr;
1500 std::string servername;
1501 bool early_data = false;
1502 };
1503
ConnectClientAndServer(bssl::UniquePtr<SSL> * out_client,bssl::UniquePtr<SSL> * out_server,SSL_CTX * client_ctx,SSL_CTX * server_ctx,const ClientConfig & config=ClientConfig (),bool shed_handshake_config=true)1504 static bool ConnectClientAndServer(bssl::UniquePtr<SSL> *out_client,
1505 bssl::UniquePtr<SSL> *out_server,
1506 SSL_CTX *client_ctx, SSL_CTX *server_ctx,
1507 const ClientConfig &config = ClientConfig(),
1508 bool shed_handshake_config = true) {
1509 bssl::UniquePtr<SSL> client, server;
1510 if (!CreateClientAndServer(&client, &server, client_ctx, server_ctx)) {
1511 return false;
1512 }
1513 if (config.early_data) {
1514 SSL_set_early_data_enabled(client.get(), 1);
1515 }
1516 if (config.session) {
1517 SSL_set_session(client.get(), config.session);
1518 }
1519 if (!config.servername.empty() &&
1520 !SSL_set_tlsext_host_name(client.get(), config.servername.c_str())) {
1521 return false;
1522 }
1523
1524 SSL_set_shed_handshake_config(client.get(), shed_handshake_config);
1525 SSL_set_shed_handshake_config(server.get(), shed_handshake_config);
1526
1527 if (!CompleteHandshakes(client.get(), server.get())) {
1528 return false;
1529 }
1530
1531 *out_client = std::move(client);
1532 *out_server = std::move(server);
1533 return true;
1534 }
1535
1536 static bssl::UniquePtr<SSL_SESSION> g_last_session;
1537
SaveLastSession(SSL * ssl,SSL_SESSION * session)1538 static int SaveLastSession(SSL *ssl, SSL_SESSION *session) {
1539 // Save the most recent session.
1540 g_last_session.reset(session);
1541 return 1;
1542 }
1543
CreateClientSession(SSL_CTX * client_ctx,SSL_CTX * server_ctx,const ClientConfig & config=ClientConfig ())1544 static bssl::UniquePtr<SSL_SESSION> CreateClientSession(
1545 SSL_CTX *client_ctx, SSL_CTX *server_ctx,
1546 const ClientConfig &config = ClientConfig()) {
1547 g_last_session = nullptr;
1548 SSL_CTX_sess_set_new_cb(client_ctx, SaveLastSession);
1549
1550 // Connect client and server to get a session.
1551 bssl::UniquePtr<SSL> client, server;
1552 if (!ConnectClientAndServer(&client, &server, client_ctx, server_ctx,
1553 config) ||
1554 !FlushNewSessionTickets(client.get(), server.get())) {
1555 fprintf(stderr, "Failed to connect client and server.\n");
1556 return nullptr;
1557 }
1558
1559 SSL_CTX_sess_set_new_cb(client_ctx, nullptr);
1560
1561 if (!g_last_session) {
1562 fprintf(stderr, "Client did not receive a session.\n");
1563 return nullptr;
1564 }
1565 return std::move(g_last_session);
1566 }
1567
1568 // Test that |SSL_get_client_CA_list| echoes back the configured parameter even
1569 // before configuring as a server.
TEST(SSLTest,ClientCAList)1570 TEST(SSLTest, ClientCAList) {
1571 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
1572 ASSERT_TRUE(ctx);
1573 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
1574 ASSERT_TRUE(ssl);
1575
1576 bssl::UniquePtr<X509_NAME> name(X509_NAME_new());
1577 ASSERT_TRUE(name);
1578
1579 bssl::UniquePtr<X509_NAME> name_dup(X509_NAME_dup(name.get()));
1580 ASSERT_TRUE(name_dup);
1581
1582 bssl::UniquePtr<STACK_OF(X509_NAME)> stack(sk_X509_NAME_new_null());
1583 ASSERT_TRUE(stack);
1584 ASSERT_TRUE(PushToStack(stack.get(), std::move(name_dup)));
1585
1586 // |SSL_set_client_CA_list| takes ownership.
1587 SSL_set_client_CA_list(ssl.get(), stack.release());
1588
1589 STACK_OF(X509_NAME) *result = SSL_get_client_CA_list(ssl.get());
1590 ASSERT_TRUE(result);
1591 ASSERT_EQ(1u, sk_X509_NAME_num(result));
1592 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(result, 0), name.get()));
1593 }
1594
TEST(SSLTest,AddClientCA)1595 TEST(SSLTest, AddClientCA) {
1596 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
1597 ASSERT_TRUE(ctx);
1598 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
1599 ASSERT_TRUE(ssl);
1600
1601 bssl::UniquePtr<X509> cert1 = GetTestCertificate();
1602 bssl::UniquePtr<X509> cert2 = GetChainTestCertificate();
1603 ASSERT_TRUE(cert1 && cert2);
1604 X509_NAME *name1 = X509_get_subject_name(cert1.get());
1605 X509_NAME *name2 = X509_get_subject_name(cert2.get());
1606
1607 EXPECT_EQ(0u, sk_X509_NAME_num(SSL_get_client_CA_list(ssl.get())));
1608
1609 ASSERT_TRUE(SSL_add_client_CA(ssl.get(), cert1.get()));
1610 ASSERT_TRUE(SSL_add_client_CA(ssl.get(), cert2.get()));
1611
1612 STACK_OF(X509_NAME) *list = SSL_get_client_CA_list(ssl.get());
1613 ASSERT_EQ(2u, sk_X509_NAME_num(list));
1614 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 0), name1));
1615 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 1), name2));
1616
1617 ASSERT_TRUE(SSL_add_client_CA(ssl.get(), cert1.get()));
1618
1619 list = SSL_get_client_CA_list(ssl.get());
1620 ASSERT_EQ(3u, sk_X509_NAME_num(list));
1621 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 0), name1));
1622 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 1), name2));
1623 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 2), name1));
1624 }
1625
1626 struct ECHConfigParams {
1627 uint16_t version = TLSEXT_TYPE_encrypted_client_hello;
1628 uint16_t config_id = 1;
1629 std::string public_name = "example.com";
1630 const EVP_HPKE_KEY *key = nullptr;
1631 // kem_id, if zero, takes its value from |key|.
1632 uint16_t kem_id = 0;
1633 // public_key, if empty takes its value from |key|.
1634 std::vector<uint8_t> public_key;
1635 size_t max_name_len = 16;
1636 // cipher_suites is a list of code points which should contain pairs of KDF
1637 // and AEAD IDs.
1638 std::vector<uint16_t> cipher_suites = {EVP_HPKE_HKDF_SHA256,
1639 EVP_HPKE_AES_128_GCM};
1640 std::vector<uint8_t> extensions;
1641 };
1642
1643 // MakeECHConfig serializes an ECHConfig from |params| and writes it to
1644 // |*out|.
MakeECHConfig(std::vector<uint8_t> * out,const ECHConfigParams & params)1645 bool MakeECHConfig(std::vector<uint8_t> *out,
1646 const ECHConfigParams ¶ms) {
1647 uint16_t kem_id = params.kem_id == 0
1648 ? EVP_HPKE_KEM_id(EVP_HPKE_KEY_kem(params.key))
1649 : params.kem_id;
1650 std::vector<uint8_t> public_key = params.public_key;
1651 if (public_key.empty()) {
1652 public_key.resize(EVP_HPKE_MAX_PUBLIC_KEY_LENGTH);
1653 size_t len;
1654 if (!EVP_HPKE_KEY_public_key(params.key, public_key.data(), &len,
1655 public_key.size())) {
1656 return false;
1657 }
1658 public_key.resize(len);
1659 }
1660
1661 bssl::ScopedCBB cbb;
1662 CBB contents, child;
1663 if (!CBB_init(cbb.get(), 64) ||
1664 !CBB_add_u16(cbb.get(), params.version) ||
1665 !CBB_add_u16_length_prefixed(cbb.get(), &contents) ||
1666 !CBB_add_u8(&contents, params.config_id) ||
1667 !CBB_add_u16(&contents, kem_id) ||
1668 !CBB_add_u16_length_prefixed(&contents, &child) ||
1669 !CBB_add_bytes(&child, public_key.data(), public_key.size()) ||
1670 !CBB_add_u16_length_prefixed(&contents, &child)) {
1671 return false;
1672 }
1673 for (uint16_t cipher_suite : params.cipher_suites) {
1674 if (!CBB_add_u16(&child, cipher_suite)) {
1675 return false;
1676 }
1677 }
1678 if (!CBB_add_u8(&contents, params.max_name_len) ||
1679 !CBB_add_u8_length_prefixed(&contents, &child) ||
1680 !CBB_add_bytes(
1681 &child, reinterpret_cast<const uint8_t *>(params.public_name.data()),
1682 params.public_name.size()) ||
1683 !CBB_add_u16_length_prefixed(&contents, &child) ||
1684 !CBB_add_bytes(&child, params.extensions.data(),
1685 params.extensions.size()) ||
1686 !CBB_flush(cbb.get())) {
1687 return false;
1688 }
1689
1690 out->assign(CBB_data(cbb.get()), CBB_data(cbb.get()) + CBB_len(cbb.get()));
1691 return true;
1692 }
1693
MakeTestECHKeys(uint8_t config_id=1)1694 static bssl::UniquePtr<SSL_ECH_KEYS> MakeTestECHKeys(uint8_t config_id = 1) {
1695 bssl::ScopedEVP_HPKE_KEY key;
1696 uint8_t *ech_config;
1697 size_t ech_config_len;
1698 if (!EVP_HPKE_KEY_generate(key.get(), EVP_hpke_x25519_hkdf_sha256()) ||
1699 !SSL_marshal_ech_config(&ech_config, &ech_config_len, config_id,
1700 key.get(), "public.example", 16)) {
1701 return nullptr;
1702 }
1703 bssl::UniquePtr<uint8_t> free_ech_config(ech_config);
1704
1705 // Install a non-retry config.
1706 bssl::UniquePtr<SSL_ECH_KEYS> keys(SSL_ECH_KEYS_new());
1707 if (!keys || !SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1, ech_config,
1708 ech_config_len, key.get())) {
1709 return nullptr;
1710 }
1711 return keys;
1712 }
1713
InstallECHConfigList(SSL * client,const SSL_ECH_KEYS * keys)1714 static bool InstallECHConfigList(SSL *client, const SSL_ECH_KEYS *keys) {
1715 uint8_t *ech_config_list;
1716 size_t ech_config_list_len;
1717 if (!SSL_ECH_KEYS_marshal_retry_configs(keys, &ech_config_list,
1718 &ech_config_list_len)) {
1719 return false;
1720 }
1721 bssl::UniquePtr<uint8_t> free_ech_config_list(ech_config_list);
1722 return SSL_set1_ech_config_list(client, ech_config_list, ech_config_list_len);
1723 }
1724
1725 // Test that |SSL_marshal_ech_config| and |SSL_ECH_KEYS_marshal_retry_configs|
1726 // output values as expected.
TEST(SSLTest,MarshalECHConfig)1727 TEST(SSLTest, MarshalECHConfig) {
1728 static const uint8_t kPrivateKey[X25519_PRIVATE_KEY_LEN] = {
1729 0xbc, 0xb5, 0x51, 0x29, 0x31, 0x10, 0x30, 0xc9, 0xed, 0x26, 0xde,
1730 0xd4, 0xb3, 0xdf, 0x3a, 0xce, 0x06, 0x8a, 0xee, 0x17, 0xab, 0xce,
1731 0xd7, 0xdb, 0xf3, 0x11, 0xe5, 0xa8, 0xf3, 0xb1, 0x8e, 0x24};
1732 bssl::ScopedEVP_HPKE_KEY key;
1733 ASSERT_TRUE(EVP_HPKE_KEY_init(key.get(), EVP_hpke_x25519_hkdf_sha256(),
1734 kPrivateKey, sizeof(kPrivateKey)));
1735
1736 static const uint8_t kECHConfig[] = {
1737 // version
1738 0xfe, 0x0d,
1739 // length
1740 0x00, 0x41,
1741 // contents.config_id
1742 0x01,
1743 // contents.kem_id
1744 0x00, 0x20,
1745 // contents.public_key
1746 0x00, 0x20, 0xa6, 0x9a, 0x41, 0x48, 0x5d, 0x32, 0x96, 0xa4, 0xe0, 0xc3,
1747 0x6a, 0xee, 0xf6, 0x63, 0x0f, 0x59, 0x32, 0x6f, 0xdc, 0xff, 0x81, 0x29,
1748 0x59, 0xa5, 0x85, 0xd3, 0x9b, 0x3b, 0xde, 0x98, 0x55, 0x5c,
1749 // contents.cipher_suites
1750 0x00, 0x08, 0x00, 0x01, 0x00, 0x01, 0x00, 0x01, 0x00, 0x03,
1751 // contents.maximum_name_length
1752 0x10,
1753 // contents.public_name
1754 0x0e, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x2e, 0x65, 0x78, 0x61, 0x6d,
1755 0x70, 0x6c, 0x65,
1756 // contents.extensions
1757 0x00, 0x00};
1758 uint8_t *ech_config;
1759 size_t ech_config_len;
1760 ASSERT_TRUE(SSL_marshal_ech_config(&ech_config, &ech_config_len,
1761 /*config_id=*/1, key.get(),
1762 "public.example", 16));
1763 bssl::UniquePtr<uint8_t> free_ech_config(ech_config);
1764 EXPECT_EQ(Bytes(kECHConfig), Bytes(ech_config, ech_config_len));
1765
1766 // Generate a second ECHConfig.
1767 bssl::ScopedEVP_HPKE_KEY key2;
1768 ASSERT_TRUE(EVP_HPKE_KEY_generate(key2.get(), EVP_hpke_x25519_hkdf_sha256()));
1769 uint8_t *ech_config2;
1770 size_t ech_config2_len;
1771 ASSERT_TRUE(SSL_marshal_ech_config(&ech_config2, &ech_config2_len,
1772 /*config_id=*/2, key2.get(),
1773 "public.example", 16));
1774 bssl::UniquePtr<uint8_t> free_ech_config2(ech_config2);
1775
1776 // Install both ECHConfigs in an |SSL_ECH_KEYS|.
1777 bssl::UniquePtr<SSL_ECH_KEYS> keys(SSL_ECH_KEYS_new());
1778 ASSERT_TRUE(keys);
1779 ASSERT_TRUE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1, ech_config,
1780 ech_config_len, key.get()));
1781 ASSERT_TRUE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1, ech_config2,
1782 ech_config2_len, key2.get()));
1783
1784 // The ECHConfigList should be correctly serialized.
1785 uint8_t *ech_config_list;
1786 size_t ech_config_list_len;
1787 ASSERT_TRUE(SSL_ECH_KEYS_marshal_retry_configs(keys.get(), &ech_config_list,
1788 &ech_config_list_len));
1789 bssl::UniquePtr<uint8_t> free_ech_config_list(ech_config_list);
1790
1791 // ECHConfigList is just the concatenation with a length prefix.
1792 size_t len = ech_config_len + ech_config2_len;
1793 std::vector<uint8_t> expected = {uint8_t(len >> 8), uint8_t(len)};
1794 expected.insert(expected.end(), ech_config, ech_config + ech_config_len);
1795 expected.insert(expected.end(), ech_config2, ech_config2 + ech_config2_len);
1796 EXPECT_EQ(Bytes(expected), Bytes(ech_config_list, ech_config_list_len));
1797 }
1798
TEST(SSLTest,ECHHasDuplicateConfigID)1799 TEST(SSLTest, ECHHasDuplicateConfigID) {
1800 const struct {
1801 std::vector<uint8_t> ids;
1802 bool has_duplicate;
1803 } kTests[] = {
1804 {{}, false},
1805 {{1}, false},
1806 {{1, 2, 3, 255}, false},
1807 {{1, 2, 3, 1}, true},
1808 };
1809 for (const auto &test : kTests) {
1810 bssl::UniquePtr<SSL_ECH_KEYS> keys(SSL_ECH_KEYS_new());
1811 ASSERT_TRUE(keys);
1812 for (const uint8_t id : test.ids) {
1813 bssl::ScopedEVP_HPKE_KEY key;
1814 ASSERT_TRUE(
1815 EVP_HPKE_KEY_generate(key.get(), EVP_hpke_x25519_hkdf_sha256()));
1816 uint8_t *ech_config;
1817 size_t ech_config_len;
1818 ASSERT_TRUE(SSL_marshal_ech_config(&ech_config, &ech_config_len, id,
1819 key.get(), "public.example", 16));
1820 bssl::UniquePtr<uint8_t> free_ech_config(ech_config);
1821 ASSERT_TRUE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
1822 ech_config, ech_config_len, key.get()));
1823 }
1824
1825 EXPECT_EQ(test.has_duplicate ? 1 : 0,
1826 SSL_ECH_KEYS_has_duplicate_config_id(keys.get()));
1827 }
1828 }
1829
1830 // Test that |SSL_ECH_KEYS_add| checks consistency between the public and
1831 // private key.
TEST(SSLTest,ECHKeyConsistency)1832 TEST(SSLTest, ECHKeyConsistency) {
1833 bssl::UniquePtr<SSL_ECH_KEYS> keys(SSL_ECH_KEYS_new());
1834 ASSERT_TRUE(keys);
1835 bssl::ScopedEVP_HPKE_KEY key;
1836 ASSERT_TRUE(EVP_HPKE_KEY_generate(key.get(), EVP_hpke_x25519_hkdf_sha256()));
1837 uint8_t public_key[EVP_HPKE_MAX_PUBLIC_KEY_LENGTH];
1838 size_t public_key_len;
1839 ASSERT_TRUE(EVP_HPKE_KEY_public_key(key.get(), public_key, &public_key_len,
1840 sizeof(public_key)));
1841
1842 // Adding an ECHConfig with the matching public key succeeds.
1843 ECHConfigParams params;
1844 params.key = key.get();
1845 std::vector<uint8_t> ech_config;
1846 ASSERT_TRUE(MakeECHConfig(&ech_config, params));
1847 EXPECT_TRUE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
1848 ech_config.data(), ech_config.size(),
1849 key.get()));
1850
1851 // Adding an ECHConfig with the wrong public key is an error.
1852 bssl::ScopedEVP_HPKE_KEY wrong_key;
1853 ASSERT_TRUE(
1854 EVP_HPKE_KEY_generate(wrong_key.get(), EVP_hpke_x25519_hkdf_sha256()));
1855 EXPECT_FALSE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
1856 ech_config.data(), ech_config.size(),
1857 wrong_key.get()));
1858
1859 // Adding an ECHConfig with a truncated public key is an error.
1860 ECHConfigParams truncated;
1861 truncated.key = key.get();
1862 truncated.public_key.assign(public_key, public_key + public_key_len - 1);
1863 ASSERT_TRUE(MakeECHConfig(&ech_config, truncated));
1864 EXPECT_FALSE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
1865 ech_config.data(), ech_config.size(), key.get()));
1866
1867 // Adding an ECHConfig with the right public key, but wrong KEM ID, is an
1868 // error.
1869 ECHConfigParams wrong_kem;
1870 wrong_kem.key = key.get();
1871 wrong_kem.kem_id = 0x0010; // DHKEM(P-256, HKDF-SHA256)
1872 ASSERT_TRUE(MakeECHConfig(&ech_config, wrong_kem));
1873 EXPECT_FALSE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
1874 ech_config.data(), ech_config.size(),
1875 key.get()));
1876 }
1877
1878 // Test that |SSL_CTX_set1_ech_keys| fails when the config list
1879 // has no retry configs.
TEST(SSLTest,ECHServerConfigsWithoutRetryConfigs)1880 TEST(SSLTest, ECHServerConfigsWithoutRetryConfigs) {
1881 bssl::ScopedEVP_HPKE_KEY key;
1882 ASSERT_TRUE(EVP_HPKE_KEY_generate(key.get(), EVP_hpke_x25519_hkdf_sha256()));
1883 uint8_t *ech_config;
1884 size_t ech_config_len;
1885 ASSERT_TRUE(SSL_marshal_ech_config(&ech_config, &ech_config_len,
1886 /*config_id=*/1, key.get(),
1887 "public.example", 16));
1888 bssl::UniquePtr<uint8_t> free_ech_config(ech_config);
1889
1890 // Install a non-retry config.
1891 bssl::UniquePtr<SSL_ECH_KEYS> keys(SSL_ECH_KEYS_new());
1892 ASSERT_TRUE(keys);
1893 ASSERT_TRUE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/0, ech_config,
1894 ech_config_len, key.get()));
1895
1896 // |keys| has no retry configs.
1897 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
1898 ASSERT_TRUE(ctx);
1899 EXPECT_FALSE(SSL_CTX_set1_ech_keys(ctx.get(), keys.get()));
1900
1901 // Add the same ECHConfig to the list, but this time mark it as a retry
1902 // config.
1903 ASSERT_TRUE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1, ech_config,
1904 ech_config_len, key.get()));
1905 EXPECT_TRUE(SSL_CTX_set1_ech_keys(ctx.get(), keys.get()));
1906 }
1907
1908 // Test that the server APIs reject ECHConfigs with unsupported features.
TEST(SSLTest,UnsupportedECHConfig)1909 TEST(SSLTest, UnsupportedECHConfig) {
1910 bssl::UniquePtr<SSL_ECH_KEYS> keys(SSL_ECH_KEYS_new());
1911 ASSERT_TRUE(keys);
1912 bssl::ScopedEVP_HPKE_KEY key;
1913 ASSERT_TRUE(EVP_HPKE_KEY_generate(key.get(), EVP_hpke_x25519_hkdf_sha256()));
1914
1915 // Unsupported versions are rejected.
1916 ECHConfigParams unsupported_version;
1917 unsupported_version.version = 0xffff;
1918 unsupported_version.key = key.get();
1919 std::vector<uint8_t> ech_config;
1920 ASSERT_TRUE(MakeECHConfig(&ech_config, unsupported_version));
1921 EXPECT_FALSE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
1922 ech_config.data(), ech_config.size(),
1923 key.get()));
1924
1925 // Unsupported cipher suites are rejected. (We only support HKDF-SHA256.)
1926 ECHConfigParams unsupported_kdf;
1927 unsupported_kdf.key = key.get();
1928 unsupported_kdf.cipher_suites = {0x002 /* HKDF-SHA384 */,
1929 EVP_HPKE_AES_128_GCM};
1930 ASSERT_TRUE(MakeECHConfig(&ech_config, unsupported_kdf));
1931 EXPECT_FALSE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
1932 ech_config.data(), ech_config.size(),
1933 key.get()));
1934 ECHConfigParams unsupported_aead;
1935 unsupported_aead.key = key.get();
1936 unsupported_aead.cipher_suites = {EVP_HPKE_HKDF_SHA256, 0xffff};
1937 ASSERT_TRUE(MakeECHConfig(&ech_config, unsupported_aead));
1938 EXPECT_FALSE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
1939 ech_config.data(), ech_config.size(),
1940 key.get()));
1941
1942
1943 // Unsupported extensions are rejected.
1944 ECHConfigParams extensions;
1945 extensions.key = key.get();
1946 extensions.extensions = {0x00, 0x01, 0x00, 0x00};
1947 ASSERT_TRUE(MakeECHConfig(&ech_config, extensions));
1948 EXPECT_FALSE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
1949 ech_config.data(), ech_config.size(),
1950 key.get()));
1951
1952 // Invalid public names are rejected.
1953 ECHConfigParams invalid_public_name;
1954 invalid_public_name.key = key.get();
1955 invalid_public_name.public_name = "dns_names_have_no_underscores.example";
1956 ASSERT_TRUE(MakeECHConfig(&ech_config, invalid_public_name));
1957 EXPECT_FALSE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
1958 ech_config.data(), ech_config.size(),
1959 key.get()));
1960 }
1961
1962 // Test that |SSL_get_client_random| reports the correct value on both client
1963 // and server in ECH. The client sends two different random values. When ECH is
1964 // accepted, we should report the inner one.
TEST(SSLTest,ECHClientRandomsMatch)1965 TEST(SSLTest, ECHClientRandomsMatch) {
1966 bssl::UniquePtr<SSL_CTX> server_ctx =
1967 CreateContextWithTestCertificate(TLS_method());
1968 bssl::UniquePtr<SSL_ECH_KEYS> keys = MakeTestECHKeys();
1969 ASSERT_TRUE(keys);
1970 ASSERT_TRUE(SSL_CTX_set1_ech_keys(server_ctx.get(), keys.get()));
1971
1972 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
1973 ASSERT_TRUE(client_ctx);
1974 bssl::UniquePtr<SSL> client, server;
1975 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
1976 server_ctx.get()));
1977 ASSERT_TRUE(InstallECHConfigList(client.get(), keys.get()));
1978 ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
1979
1980 EXPECT_TRUE(SSL_ech_accepted(client.get()));
1981 EXPECT_TRUE(SSL_ech_accepted(server.get()));
1982
1983 // An ECH server will fairly naturally record the inner ClientHello random,
1984 // but an ECH client may forget to update the random once ClientHelloInner is
1985 // selected.
1986 uint8_t client_random1[SSL3_RANDOM_SIZE];
1987 uint8_t client_random2[SSL3_RANDOM_SIZE];
1988 ASSERT_EQ(sizeof(client_random1),
1989 SSL_get_client_random(client.get(), client_random1,
1990 sizeof(client_random1)));
1991 ASSERT_EQ(sizeof(client_random2),
1992 SSL_get_client_random(server.get(), client_random2,
1993 sizeof(client_random2)));
1994 EXPECT_EQ(Bytes(client_random1), Bytes(client_random2));
1995 }
1996
1997 // GetECHLength sets |*out_client_hello_len| and |*out_ech_len| to the lengths
1998 // of the ClientHello and ECH extension, respectively, when a client created
1999 // from |ctx| constructs a ClientHello with name |name| and an ECHConfig with
2000 // maximum name length |max_name_len|.
GetECHLength(SSL_CTX * ctx,size_t * out_client_hello_len,size_t * out_ech_len,size_t max_name_len,const char * name)2001 static bool GetECHLength(SSL_CTX *ctx, size_t *out_client_hello_len,
2002 size_t *out_ech_len, size_t max_name_len,
2003 const char *name) {
2004 bssl::ScopedEVP_HPKE_KEY key;
2005 uint8_t *ech_config;
2006 size_t ech_config_len;
2007 if (!EVP_HPKE_KEY_generate(key.get(), EVP_hpke_x25519_hkdf_sha256()) ||
2008 !SSL_marshal_ech_config(&ech_config, &ech_config_len,
2009 /*config_id=*/1, key.get(), "public.example",
2010 max_name_len)) {
2011 return false;
2012 }
2013 bssl::UniquePtr<uint8_t> free_ech_config(ech_config);
2014
2015 bssl::UniquePtr<SSL_ECH_KEYS> keys(SSL_ECH_KEYS_new());
2016 if (!keys || !SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1, ech_config,
2017 ech_config_len, key.get())) {
2018 return false;
2019 }
2020
2021 bssl::UniquePtr<SSL> ssl(SSL_new(ctx));
2022 if (!ssl || !InstallECHConfigList(ssl.get(), keys.get()) ||
2023 (name != nullptr && !SSL_set_tlsext_host_name(ssl.get(), name))) {
2024 return false;
2025 }
2026 SSL_set_connect_state(ssl.get());
2027
2028 std::vector<uint8_t> client_hello;
2029 SSL_CLIENT_HELLO parsed;
2030 const uint8_t *unused;
2031 if (!GetClientHello(ssl.get(), &client_hello) ||
2032 !ssl_client_hello_init(
2033 ssl.get(), &parsed,
2034 // Skip record and handshake headers. This assumes the ClientHello
2035 // fits in one record.
2036 MakeConstSpan(client_hello)
2037 .subspan(SSL3_RT_HEADER_LENGTH + SSL3_HM_HEADER_LENGTH)) ||
2038 !SSL_early_callback_ctx_extension_get(
2039 &parsed, TLSEXT_TYPE_encrypted_client_hello, &unused, out_ech_len)) {
2040 return false;
2041 }
2042 *out_client_hello_len = client_hello.size();
2043 return true;
2044 }
2045
TEST(SSLTest,ECHPadding)2046 TEST(SSLTest, ECHPadding) {
2047 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
2048 ASSERT_TRUE(ctx);
2049
2050 // Sample lengths with max_name_len = 128 as baseline.
2051 size_t client_hello_len_baseline, ech_len_baseline;
2052 ASSERT_TRUE(GetECHLength(ctx.get(), &client_hello_len_baseline,
2053 &ech_len_baseline, 128, "example.com"));
2054
2055 // Check that all name lengths under the server's maximum look the same.
2056 for (size_t name_len : {1, 2, 32, 64, 127, 128}) {
2057 SCOPED_TRACE(name_len);
2058 size_t client_hello_len, ech_len;
2059 ASSERT_TRUE(GetECHLength(ctx.get(), &client_hello_len, &ech_len, 128,
2060 std::string(name_len, 'a').c_str()));
2061 EXPECT_EQ(client_hello_len, client_hello_len_baseline);
2062 EXPECT_EQ(ech_len, ech_len_baseline);
2063 }
2064
2065 // When sending no SNI, we must still pad as if we are sending one.
2066 size_t client_hello_len, ech_len;
2067 ASSERT_TRUE(
2068 GetECHLength(ctx.get(), &client_hello_len, &ech_len, 128, nullptr));
2069 EXPECT_EQ(client_hello_len, client_hello_len_baseline);
2070 EXPECT_EQ(ech_len, ech_len_baseline);
2071
2072 // Name lengths above the maximum do not get named-based padding, but the
2073 // overall input is padded to a multiple of 32.
2074 size_t client_hello_len_baseline2, ech_len_baseline2;
2075 ASSERT_TRUE(GetECHLength(ctx.get(), &client_hello_len_baseline2,
2076 &ech_len_baseline2, 128,
2077 std::string(128 + 32, 'a').c_str()));
2078 EXPECT_EQ(ech_len_baseline2, ech_len_baseline + 32);
2079 // The ClientHello lengths may match if we are still under the threshold for
2080 // padding extension.
2081 EXPECT_GE(client_hello_len_baseline2, client_hello_len_baseline);
2082
2083 for (size_t name_len = 128 + 1; name_len < 128 + 32; name_len++) {
2084 SCOPED_TRACE(name_len);
2085 ASSERT_TRUE(GetECHLength(ctx.get(), &client_hello_len, &ech_len, 128,
2086 std::string(name_len, 'a').c_str()));
2087 EXPECT_TRUE(ech_len == ech_len_baseline || ech_len == ech_len_baseline2)
2088 << ech_len;
2089 EXPECT_TRUE(client_hello_len == client_hello_len_baseline ||
2090 client_hello_len == client_hello_len_baseline2)
2091 << client_hello_len;
2092 }
2093 }
2094
TEST(SSLTest,ECHPublicName)2095 TEST(SSLTest, ECHPublicName) {
2096 auto str_to_span = [](const char *str) -> Span<const uint8_t> {
2097 return MakeConstSpan(reinterpret_cast<const uint8_t *>(str), strlen(str));
2098 };
2099
2100 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("")));
2101 EXPECT_TRUE(ssl_is_valid_ech_public_name(str_to_span("example.com")));
2102 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span(".example.com")));
2103 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("example.com.")));
2104 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("example..com")));
2105 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("www.-example.com")));
2106 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("www.example-.com")));
2107 EXPECT_FALSE(
2108 ssl_is_valid_ech_public_name(str_to_span("no_underscores.example")));
2109 EXPECT_FALSE(ssl_is_valid_ech_public_name(
2110 str_to_span("invalid_chars.\x01.example")));
2111 EXPECT_FALSE(ssl_is_valid_ech_public_name(
2112 str_to_span("invalid_chars.\xff.example")));
2113 static const uint8_t kWithNUL[] = {'t', 'e', 's', 't', 0};
2114 EXPECT_FALSE(ssl_is_valid_ech_public_name(kWithNUL));
2115
2116 // Test an LDH label with every character and the maximum length.
2117 EXPECT_TRUE(ssl_is_valid_ech_public_name(str_to_span(
2118 "abcdefhijklmnopqrstuvwxyz-ABCDEFGHIJKLMNOPQRSTUVWXYZ-0123456789")));
2119 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span(
2120 "abcdefhijklmnopqrstuvwxyz-ABCDEFGHIJKLMNOPQRSTUVWXYZ-01234567899")));
2121
2122 // Inputs that parse as IPv4 addresses are rejected.
2123 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("127.0.0.1")));
2124 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("0177.0.0.01")));
2125 EXPECT_FALSE(
2126 ssl_is_valid_ech_public_name(str_to_span("0x7f.0x.0x.0x00000001")));
2127 EXPECT_FALSE(
2128 ssl_is_valid_ech_public_name(str_to_span("0XAB.0XCD.0XEF.0X01")));
2129 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("0.0.0.0")));
2130 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("255.255.255.255")));
2131 // Out-of-bounds or overflowing components are not IP addresses.
2132 EXPECT_TRUE(ssl_is_valid_ech_public_name(str_to_span("256.255.255.255")));
2133 EXPECT_TRUE(ssl_is_valid_ech_public_name(str_to_span("255.0x100.255.255")));
2134 EXPECT_TRUE(ssl_is_valid_ech_public_name(str_to_span("255.255.255.0400")));
2135 EXPECT_TRUE(ssl_is_valid_ech_public_name(
2136 str_to_span("255.255.255.0x100000000")));
2137 // Invalid characters for the base are not IP addresses.
2138 EXPECT_TRUE(ssl_is_valid_ech_public_name(str_to_span("12a.0.0.1")));
2139 EXPECT_TRUE(ssl_is_valid_ech_public_name(str_to_span("0xg.0.0.1")));
2140 EXPECT_TRUE(ssl_is_valid_ech_public_name(str_to_span("08.0.0.1")));
2141 // Trailing components can be merged into a single component.
2142 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("127.0.1")));
2143 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("127.1")));
2144 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("2130706433")));
2145 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("0x7f000001")));
2146 // Merged components must respect their limits.
2147 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("0.0.0.0xff")));
2148 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("0.0.0xffff")));
2149 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("0.0xffffff")));
2150 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("0xffffffff")));
2151 EXPECT_TRUE(ssl_is_valid_ech_public_name(str_to_span("0.0.0.0x100")));
2152 EXPECT_TRUE(ssl_is_valid_ech_public_name(str_to_span("0.0.0x10000")));
2153 EXPECT_TRUE(ssl_is_valid_ech_public_name(str_to_span("0.0x1000000")));
2154 EXPECT_TRUE(ssl_is_valid_ech_public_name(str_to_span("0x100000000")));
2155 // Correctly handle overflow in decimal and octal.
2156 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("037777777777")));
2157 EXPECT_TRUE(ssl_is_valid_ech_public_name(str_to_span("040000000000")));
2158 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("4294967295")));
2159 EXPECT_TRUE(ssl_is_valid_ech_public_name(str_to_span("4294967296")));
2160 }
2161
2162 // When using the built-in verifier, test that |SSL_get0_ech_name_override| is
2163 // applied automatically.
TEST(SSLTest,ECHBuiltinVerifier)2164 TEST(SSLTest, ECHBuiltinVerifier) {
2165 // These test certificates generated with the following Go program.
2166 /* clang-format off
2167 func main() {
2168 notBefore := time.Date(2000, time.January, 1, 0, 0, 0, 0, time.UTC)
2169 notAfter := time.Date(2099, time.January, 1, 0, 0, 0, 0, time.UTC)
2170 rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
2171 rootTemplate := &x509.Certificate{
2172 SerialNumber: big.NewInt(1),
2173 Subject: pkix.Name{CommonName: "Test CA"},
2174 NotBefore: notBefore,
2175 NotAfter: notAfter,
2176 BasicConstraintsValid: true,
2177 IsCA: true,
2178 }
2179 rootDER, _ := x509.CreateCertificate(rand.Reader, rootTemplate, rootTemplate, &rootKey.PublicKey, rootKey)
2180 root, _ := x509.ParseCertificate(rootDER)
2181 pem.Encode(os.Stdout, &pem.Block{Type: "CERTIFICATE", Bytes: rootDER})
2182 leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
2183 leafKeyDER, _ := x509.MarshalPKCS8PrivateKey(leafKey)
2184 pem.Encode(os.Stdout, &pem.Block{Type: "PRIVATE KEY", Bytes: leafKeyDER})
2185 for i, name := range []string{"public.example", "secret.example"} {
2186 leafTemplate := &x509.Certificate{
2187 SerialNumber: big.NewInt(int64(i) + 2),
2188 Subject: pkix.Name{CommonName: name},
2189 NotBefore: notBefore,
2190 NotAfter: notAfter,
2191 BasicConstraintsValid: true,
2192 DNSNames: []string{name},
2193 }
2194 leafDER, _ := x509.CreateCertificate(rand.Reader, leafTemplate, root, &leafKey.PublicKey, rootKey)
2195 pem.Encode(os.Stdout, &pem.Block{Type: "CERTIFICATE", Bytes: leafDER})
2196 }
2197 }
2198 clang-format on */
2199 bssl::UniquePtr<X509> root = CertFromPEM(R"(
2200 -----BEGIN CERTIFICATE-----
2201 MIIBRzCB7aADAgECAgEBMAoGCCqGSM49BAMCMBIxEDAOBgNVBAMTB1Rlc3QgQ0Ew
2202 IBcNMDAwMTAxMDAwMDAwWhgPMjA5OTAxMDEwMDAwMDBaMBIxEDAOBgNVBAMTB1Rl
2203 c3QgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAT5JUjrI1DAxSpEl88UkmJw
2204 tAJqxo/YrSFo9V3MkcNkfTixi5p6MUtO8DazhEgekBcd2+tBAWtl7dy0qpvTqx92
2205 ozIwMDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTw6ftkexAI6o4r5FntJIfL
2206 GU5F4zAKBggqhkjOPQQDAgNJADBGAiEAiiNowddQeHZaZFIygwe6RW5/WG4sUXWC
2207 dkyl9CQzRaYCIQCFS1EvwZbZtMny27fYm1eeYciY0TkJTEi34H1KwyzzIA==
2208 -----END CERTIFICATE-----
2209 )");
2210 ASSERT_TRUE(root);
2211 bssl::UniquePtr<EVP_PKEY> leaf_key = KeyFromPEM(R"(
2212 -----BEGIN PRIVATE KEY-----
2213 MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgj5WKHwHnziiyPauf
2214 7QukxTwtTyGZkk8qNdms4puJfxqhRANCAARNrkhxabALDlJrHtvkuDwvCWUF/oVC
2215 hr6PDITHi1lDlJzvVT4aXBH87sH2n2UV5zpx13NHkq1bIC8eRT8eOIe0
2216 -----END PRIVATE KEY-----
2217 )");
2218 ASSERT_TRUE(leaf_key);
2219 bssl::UniquePtr<X509> leaf_public = CertFromPEM(R"(
2220 -----BEGIN CERTIFICATE-----
2221 MIIBaDCCAQ6gAwIBAgIBAjAKBggqhkjOPQQDAjASMRAwDgYDVQQDEwdUZXN0IENB
2222 MCAXDTAwMDEwMTAwMDAwMFoYDzIwOTkwMTAxMDAwMDAwWjAZMRcwFQYDVQQDEw5w
2223 dWJsaWMuZXhhbXBsZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE2uSHFpsAsO
2224 Umse2+S4PC8JZQX+hUKGvo8MhMeLWUOUnO9VPhpcEfzuwfafZRXnOnHXc0eSrVsg
2225 Lx5FPx44h7SjTDBKMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAU8On7ZHsQCOqO
2226 K+RZ7SSHyxlOReMwGQYDVR0RBBIwEIIOcHVibGljLmV4YW1wbGUwCgYIKoZIzj0E
2227 AwIDSAAwRQIhANqZRhDR/+QL05hsWXMYEwaiHifd9iakKoFEhKFchcF3AiBRAeXw
2228 wRGGT6+iPmTYM6N5/IDyAb5B9Ke38O6lLEsUwA==
2229 -----END CERTIFICATE-----
2230 )");
2231 ASSERT_TRUE(leaf_public);
2232 bssl::UniquePtr<X509> leaf_secret = CertFromPEM(R"(
2233 -----BEGIN CERTIFICATE-----
2234 MIIBaTCCAQ6gAwIBAgIBAzAKBggqhkjOPQQDAjASMRAwDgYDVQQDEwdUZXN0IENB
2235 MCAXDTAwMDEwMTAwMDAwMFoYDzIwOTkwMTAxMDAwMDAwWjAZMRcwFQYDVQQDEw5z
2236 ZWNyZXQuZXhhbXBsZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE2uSHFpsAsO
2237 Umse2+S4PC8JZQX+hUKGvo8MhMeLWUOUnO9VPhpcEfzuwfafZRXnOnHXc0eSrVsg
2238 Lx5FPx44h7SjTDBKMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAU8On7ZHsQCOqO
2239 K+RZ7SSHyxlOReMwGQYDVR0RBBIwEIIOc2VjcmV0LmV4YW1wbGUwCgYIKoZIzj0E
2240 AwIDSQAwRgIhAPQdIz1xCFkc9WuSkxOxJDpywZiEp9SnKcxJ9nwrlRp3AiEA+O3+
2241 XRqE7XFhHL+7TNC2a9OOAjQsEF137YPWo+rhgko=
2242 -----END CERTIFICATE-----
2243 )");
2244 ASSERT_TRUE(leaf_secret);
2245
2246 // Use different config IDs so that fuzzer mode, which breaks trial
2247 // decryption, will observe the key mismatch.
2248 bssl::UniquePtr<SSL_ECH_KEYS> keys = MakeTestECHKeys(/*config_id=*/1);
2249 ASSERT_TRUE(keys);
2250 bssl::UniquePtr<SSL_ECH_KEYS> wrong_keys = MakeTestECHKeys(/*config_id=*/2);
2251 ASSERT_TRUE(wrong_keys);
2252 bssl::UniquePtr<SSL_CTX> server_ctx =
2253 CreateContextWithTestCertificate(TLS_method());
2254 ASSERT_TRUE(server_ctx);
2255 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
2256 ASSERT_TRUE(client_ctx);
2257
2258 // Configure the client to verify certificates and expect the secret name.
2259 // This is the name the client is trying to connect to. If ECH is rejected,
2260 // BoringSSL will internally override this setting with the public name.
2261 bssl::UniquePtr<X509_STORE> store(X509_STORE_new());
2262 ASSERT_TRUE(store);
2263 ASSERT_TRUE(X509_STORE_add_cert(store.get(), root.get()));
2264 SSL_CTX_set_cert_store(client_ctx.get(), store.release());
2265 SSL_CTX_set_verify(client_ctx.get(), SSL_VERIFY_PEER, nullptr);
2266 static const char kSecretName[] = "secret.example";
2267 ASSERT_TRUE(X509_VERIFY_PARAM_set1_host(SSL_CTX_get0_param(client_ctx.get()),
2268 kSecretName, strlen(kSecretName)));
2269
2270 // For simplicity, we only run through a pair of representative scenarios here
2271 // and rely on runner.go to verify that |SSL_get0_ech_name_override| behaves
2272 // correctly.
2273 for (bool accept_ech : {false, true}) {
2274 SCOPED_TRACE(accept_ech);
2275 for (bool use_leaf_secret : {false, true}) {
2276 SCOPED_TRACE(use_leaf_secret);
2277
2278 // The server will reject ECH when configured with the wrong keys.
2279 ASSERT_TRUE(SSL_CTX_set1_ech_keys(
2280 server_ctx.get(), accept_ech ? keys.get() : wrong_keys.get()));
2281
2282 bssl::UniquePtr<SSL> client, server;
2283 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
2284 server_ctx.get()));
2285 ASSERT_TRUE(InstallECHConfigList(client.get(), keys.get()));
2286
2287 // Configure the server with the selected certificate.
2288 ASSERT_TRUE(SSL_use_certificate(server.get(), use_leaf_secret
2289 ? leaf_secret.get()
2290 : leaf_public.get()));
2291 ASSERT_TRUE(SSL_use_PrivateKey(server.get(), leaf_key.get()));
2292
2293 // The handshake may fail due to name mismatch or ECH reject. We check
2294 // |SSL_get_verify_result| to confirm the handshake got far enough.
2295 CompleteHandshakes(client.get(), server.get());
2296 EXPECT_EQ(accept_ech == use_leaf_secret ? X509_V_OK
2297 : X509_V_ERR_HOSTNAME_MISMATCH,
2298 SSL_get_verify_result(client.get()));
2299 }
2300 }
2301 }
2302
2303 #if defined(OPENSSL_THREADS)
2304 // Test that the server ECH config can be swapped out while the |SSL_CTX| is
2305 // in use on other threads. This test is intended to be run with TSan.
TEST(SSLTest,ECHThreads)2306 TEST(SSLTest, ECHThreads) {
2307 // Generate a pair of ECHConfigs.
2308 bssl::ScopedEVP_HPKE_KEY key1;
2309 ASSERT_TRUE(EVP_HPKE_KEY_generate(key1.get(), EVP_hpke_x25519_hkdf_sha256()));
2310 uint8_t *ech_config1;
2311 size_t ech_config1_len;
2312 ASSERT_TRUE(SSL_marshal_ech_config(&ech_config1, &ech_config1_len,
2313 /*config_id=*/1, key1.get(),
2314 "public.example", 16));
2315 bssl::UniquePtr<uint8_t> free_ech_config1(ech_config1);
2316 bssl::ScopedEVP_HPKE_KEY key2;
2317 ASSERT_TRUE(EVP_HPKE_KEY_generate(key2.get(), EVP_hpke_x25519_hkdf_sha256()));
2318 uint8_t *ech_config2;
2319 size_t ech_config2_len;
2320 ASSERT_TRUE(SSL_marshal_ech_config(&ech_config2, &ech_config2_len,
2321 /*config_id=*/2, key2.get(),
2322 "public.example", 16));
2323 bssl::UniquePtr<uint8_t> free_ech_config2(ech_config2);
2324
2325 // |keys1| contains the first config. |keys12| contains both.
2326 bssl::UniquePtr<SSL_ECH_KEYS> keys1(SSL_ECH_KEYS_new());
2327 ASSERT_TRUE(keys1);
2328 ASSERT_TRUE(SSL_ECH_KEYS_add(keys1.get(), /*is_retry_config=*/1, ech_config1,
2329 ech_config1_len, key1.get()));
2330 bssl::UniquePtr<SSL_ECH_KEYS> keys12(SSL_ECH_KEYS_new());
2331 ASSERT_TRUE(keys12);
2332 ASSERT_TRUE(SSL_ECH_KEYS_add(keys12.get(), /*is_retry_config=*/1, ech_config2,
2333 ech_config2_len, key2.get()));
2334 ASSERT_TRUE(SSL_ECH_KEYS_add(keys12.get(), /*is_retry_config=*/0, ech_config1,
2335 ech_config1_len, key1.get()));
2336
2337 bssl::UniquePtr<SSL_CTX> server_ctx =
2338 CreateContextWithTestCertificate(TLS_method());
2339 ASSERT_TRUE(SSL_CTX_set1_ech_keys(server_ctx.get(), keys1.get()));
2340
2341 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
2342 ASSERT_TRUE(client_ctx);
2343 bssl::UniquePtr<SSL> client, server;
2344 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
2345 server_ctx.get()));
2346 ASSERT_TRUE(InstallECHConfigList(client.get(), keys1.get()));
2347
2348 // In parallel, complete the connection and reconfigure the ECHConfig. Note
2349 // |keys12| supports all the keys in |keys1|, so the handshake should complete
2350 // the same whichever the server uses.
2351 std::vector<std::thread> threads;
2352 threads.emplace_back([&] {
2353 ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
2354 EXPECT_TRUE(SSL_ech_accepted(client.get()));
2355 EXPECT_TRUE(SSL_ech_accepted(server.get()));
2356 });
2357 threads.emplace_back([&] {
2358 EXPECT_TRUE(SSL_CTX_set1_ech_keys(server_ctx.get(), keys12.get()));
2359 });
2360 for (auto &thread : threads) {
2361 thread.join();
2362 }
2363 }
2364 #endif // OPENSSL_THREADS
2365
AppendSession(SSL_SESSION * session,void * arg)2366 static void AppendSession(SSL_SESSION *session, void *arg) {
2367 std::vector<SSL_SESSION*> *out =
2368 reinterpret_cast<std::vector<SSL_SESSION*>*>(arg);
2369 out->push_back(session);
2370 }
2371
2372 // CacheEquals returns true if |ctx|'s session cache consists of |expected|, in
2373 // order.
CacheEquals(SSL_CTX * ctx,const std::vector<SSL_SESSION * > & expected)2374 static bool CacheEquals(SSL_CTX *ctx,
2375 const std::vector<SSL_SESSION*> &expected) {
2376 // Check the linked list.
2377 SSL_SESSION *ptr = ctx->session_cache_head;
2378 for (SSL_SESSION *session : expected) {
2379 if (ptr != session) {
2380 return false;
2381 }
2382 // TODO(davidben): This is an absurd way to denote the end of the list.
2383 if (ptr->next ==
2384 reinterpret_cast<SSL_SESSION *>(&ctx->session_cache_tail)) {
2385 ptr = nullptr;
2386 } else {
2387 ptr = ptr->next;
2388 }
2389 }
2390 if (ptr != nullptr) {
2391 return false;
2392 }
2393
2394 // Check the hash table.
2395 std::vector<SSL_SESSION*> actual, expected_copy;
2396 lh_SSL_SESSION_doall_arg(ctx->sessions, AppendSession, &actual);
2397 expected_copy = expected;
2398
2399 std::sort(actual.begin(), actual.end());
2400 std::sort(expected_copy.begin(), expected_copy.end());
2401
2402 return actual == expected_copy;
2403 }
2404
CreateTestSession(uint32_t number)2405 static bssl::UniquePtr<SSL_SESSION> CreateTestSession(uint32_t number) {
2406 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
2407 if (!ssl_ctx) {
2408 return nullptr;
2409 }
2410 bssl::UniquePtr<SSL_SESSION> ret(SSL_SESSION_new(ssl_ctx.get()));
2411 if (!ret) {
2412 return nullptr;
2413 }
2414
2415 uint8_t id[SSL3_SSL_SESSION_ID_LENGTH] = {0};
2416 OPENSSL_memcpy(id, &number, sizeof(number));
2417 if (!SSL_SESSION_set1_id(ret.get(), id, sizeof(id))) {
2418 return nullptr;
2419 }
2420 return ret;
2421 }
2422
2423 // Test that the internal session cache behaves as expected.
TEST(SSLTest,InternalSessionCache)2424 TEST(SSLTest, InternalSessionCache) {
2425 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
2426 ASSERT_TRUE(ctx);
2427
2428 // Prepare 10 test sessions.
2429 std::vector<bssl::UniquePtr<SSL_SESSION>> sessions;
2430 for (int i = 0; i < 10; i++) {
2431 bssl::UniquePtr<SSL_SESSION> session = CreateTestSession(i);
2432 ASSERT_TRUE(session);
2433 sessions.push_back(std::move(session));
2434 }
2435
2436 SSL_CTX_sess_set_cache_size(ctx.get(), 5);
2437
2438 // Insert all the test sessions.
2439 for (const auto &session : sessions) {
2440 ASSERT_TRUE(SSL_CTX_add_session(ctx.get(), session.get()));
2441 }
2442
2443 // Only the last five should be in the list.
2444 ASSERT_TRUE(CacheEquals(
2445 ctx.get(), {sessions[9].get(), sessions[8].get(), sessions[7].get(),
2446 sessions[6].get(), sessions[5].get()}));
2447
2448 // Inserting an element already in the cache should fail and leave the cache
2449 // unchanged.
2450 ASSERT_FALSE(SSL_CTX_add_session(ctx.get(), sessions[7].get()));
2451 ASSERT_TRUE(CacheEquals(
2452 ctx.get(), {sessions[9].get(), sessions[8].get(), sessions[7].get(),
2453 sessions[6].get(), sessions[5].get()}));
2454
2455 // Although collisions should be impossible (256-bit session IDs), the cache
2456 // must handle them gracefully.
2457 bssl::UniquePtr<SSL_SESSION> collision(CreateTestSession(7));
2458 ASSERT_TRUE(collision);
2459 ASSERT_TRUE(SSL_CTX_add_session(ctx.get(), collision.get()));
2460 ASSERT_TRUE(CacheEquals(
2461 ctx.get(), {collision.get(), sessions[9].get(), sessions[8].get(),
2462 sessions[6].get(), sessions[5].get()}));
2463
2464 // Removing sessions behaves correctly.
2465 ASSERT_TRUE(SSL_CTX_remove_session(ctx.get(), sessions[6].get()));
2466 ASSERT_TRUE(CacheEquals(ctx.get(), {collision.get(), sessions[9].get(),
2467 sessions[8].get(), sessions[5].get()}));
2468
2469 // Removing sessions requires an exact match.
2470 ASSERT_FALSE(SSL_CTX_remove_session(ctx.get(), sessions[0].get()));
2471 ASSERT_FALSE(SSL_CTX_remove_session(ctx.get(), sessions[7].get()));
2472
2473 // The cache remains unchanged.
2474 ASSERT_TRUE(CacheEquals(ctx.get(), {collision.get(), sessions[9].get(),
2475 sessions[8].get(), sessions[5].get()}));
2476 }
2477
EpochFromSequence(uint64_t seq)2478 static uint16_t EpochFromSequence(uint64_t seq) {
2479 return static_cast<uint16_t>(seq >> 48);
2480 }
2481
2482 static const uint8_t kTestName[] = {
2483 0x30, 0x45, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
2484 0x02, 0x41, 0x55, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
2485 0x0c, 0x0a, 0x53, 0x6f, 0x6d, 0x65, 0x2d, 0x53, 0x74, 0x61, 0x74, 0x65,
2486 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x18, 0x49,
2487 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x20, 0x57, 0x69, 0x64, 0x67,
2488 0x69, 0x74, 0x73, 0x20, 0x50, 0x74, 0x79, 0x20, 0x4c, 0x74, 0x64,
2489 };
2490
2491 // SSLVersionTest executes its test cases under all available protocol versions.
2492 // Test cases call |Connect| to create a connection using context objects with
2493 // the protocol version fixed to the current version under test.
2494 class SSLVersionTest : public ::testing::TestWithParam<VersionParam> {
2495 protected:
SSLVersionTest()2496 SSLVersionTest() : cert_(GetTestCertificate()), key_(GetTestKey()) {}
2497
SetUp()2498 void SetUp() { ResetContexts(); }
2499
CreateContext() const2500 bssl::UniquePtr<SSL_CTX> CreateContext() const {
2501 const SSL_METHOD *method = is_dtls() ? DTLS_method() : TLS_method();
2502 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method));
2503 if (!ctx || !SSL_CTX_set_min_proto_version(ctx.get(), version()) ||
2504 !SSL_CTX_set_max_proto_version(ctx.get(), version())) {
2505 return nullptr;
2506 }
2507 return ctx;
2508 }
2509
ResetContexts()2510 void ResetContexts() {
2511 ASSERT_TRUE(cert_);
2512 ASSERT_TRUE(key_);
2513 client_ctx_ = CreateContext();
2514 ASSERT_TRUE(client_ctx_);
2515 server_ctx_ = CreateContext();
2516 ASSERT_TRUE(server_ctx_);
2517 // Set up a server cert. Client certs can be set up explicitly.
2518 ASSERT_TRUE(UseCertAndKey(server_ctx_.get()));
2519 }
2520
UseCertAndKey(SSL_CTX * ctx) const2521 bool UseCertAndKey(SSL_CTX *ctx) const {
2522 return SSL_CTX_use_certificate(ctx, cert_.get()) &&
2523 SSL_CTX_use_PrivateKey(ctx, key_.get());
2524 }
2525
Connect(const ClientConfig & config=ClientConfig ())2526 bool Connect(const ClientConfig &config = ClientConfig()) {
2527 return ConnectClientAndServer(&client_, &server_, client_ctx_.get(),
2528 server_ctx_.get(), config,
2529 shed_handshake_config_);
2530 }
2531
version() const2532 uint16_t version() const { return GetParam().version; }
2533
is_dtls() const2534 bool is_dtls() const {
2535 return GetParam().ssl_method == VersionParam::is_dtls;
2536 }
2537
2538 bool shed_handshake_config_ = true;
2539 bssl::UniquePtr<SSL> client_, server_;
2540 bssl::UniquePtr<SSL_CTX> server_ctx_, client_ctx_;
2541 bssl::UniquePtr<X509> cert_;
2542 bssl::UniquePtr<EVP_PKEY> key_;
2543 };
2544
2545 INSTANTIATE_TEST_SUITE_P(WithVersion, SSLVersionTest,
2546 testing::ValuesIn(kAllVersions),
__anon10d4a0fb0802(const testing::TestParamInfo<VersionParam> &i) 2547 [](const testing::TestParamInfo<VersionParam> &i) {
2548 return i.param.name;
2549 });
2550
TEST_P(SSLVersionTest,SequenceNumber)2551 TEST_P(SSLVersionTest, SequenceNumber) {
2552 ASSERT_TRUE(Connect());
2553
2554 // Drain any post-handshake messages to ensure there are no unread records
2555 // on either end.
2556 ASSERT_TRUE(FlushNewSessionTickets(client_.get(), server_.get()));
2557
2558 uint64_t client_read_seq = SSL_get_read_sequence(client_.get());
2559 uint64_t client_write_seq = SSL_get_write_sequence(client_.get());
2560 uint64_t server_read_seq = SSL_get_read_sequence(server_.get());
2561 uint64_t server_write_seq = SSL_get_write_sequence(server_.get());
2562
2563 if (is_dtls()) {
2564 // Both client and server must be at epoch 1.
2565 EXPECT_EQ(EpochFromSequence(client_read_seq), 1);
2566 EXPECT_EQ(EpochFromSequence(client_write_seq), 1);
2567 EXPECT_EQ(EpochFromSequence(server_read_seq), 1);
2568 EXPECT_EQ(EpochFromSequence(server_write_seq), 1);
2569
2570 // The next record to be written should exceed the largest received.
2571 EXPECT_GT(client_write_seq, server_read_seq);
2572 EXPECT_GT(server_write_seq, client_read_seq);
2573 } else {
2574 // The next record to be written should equal the next to be received.
2575 EXPECT_EQ(client_write_seq, server_read_seq);
2576 EXPECT_EQ(server_write_seq, client_read_seq);
2577 }
2578
2579 // Send a record from client to server.
2580 uint8_t byte = 0;
2581 EXPECT_EQ(SSL_write(client_.get(), &byte, 1), 1);
2582 EXPECT_EQ(SSL_read(server_.get(), &byte, 1), 1);
2583
2584 // The client write and server read sequence numbers should have
2585 // incremented.
2586 EXPECT_EQ(client_write_seq + 1, SSL_get_write_sequence(client_.get()));
2587 EXPECT_EQ(server_read_seq + 1, SSL_get_read_sequence(server_.get()));
2588 }
2589
TEST_P(SSLVersionTest,OneSidedShutdown)2590 TEST_P(SSLVersionTest, OneSidedShutdown) {
2591 // SSL_shutdown is a no-op in DTLS.
2592 if (is_dtls()) {
2593 return;
2594 }
2595 ASSERT_TRUE(Connect());
2596
2597 // Shut down half the connection. |SSL_shutdown| will return 0 to signal only
2598 // one side has shut down.
2599 ASSERT_EQ(SSL_shutdown(client_.get()), 0);
2600
2601 // Reading from the server should consume the EOF.
2602 uint8_t byte;
2603 ASSERT_EQ(SSL_read(server_.get(), &byte, 1), 0);
2604 ASSERT_EQ(SSL_get_error(server_.get(), 0), SSL_ERROR_ZERO_RETURN);
2605
2606 // However, the server may continue to write data and then shut down the
2607 // connection.
2608 byte = 42;
2609 ASSERT_EQ(SSL_write(server_.get(), &byte, 1), 1);
2610 ASSERT_EQ(SSL_read(client_.get(), &byte, 1), 1);
2611 ASSERT_EQ(byte, 42);
2612
2613 // The server may then shutdown the connection.
2614 EXPECT_EQ(SSL_shutdown(server_.get()), 1);
2615 EXPECT_EQ(SSL_shutdown(client_.get()), 1);
2616 }
2617
2618 // Test that, after calling |SSL_shutdown|, |SSL_write| fails.
TEST_P(SSLVersionTest,WriteAfterShutdown)2619 TEST_P(SSLVersionTest, WriteAfterShutdown) {
2620 ASSERT_TRUE(Connect());
2621
2622 for (SSL *ssl : {client_.get(), server_.get()}) {
2623 SCOPED_TRACE(SSL_is_server(ssl) ? "server" : "client");
2624
2625 bssl::UniquePtr<BIO> mem(BIO_new(BIO_s_mem()));
2626 ASSERT_TRUE(mem);
2627 SSL_set0_wbio(ssl, bssl::UpRef(mem).release());
2628
2629 // Shut down half the connection. |SSL_shutdown| will return 0 to signal
2630 // only one side has shut down.
2631 ASSERT_EQ(SSL_shutdown(ssl), 0);
2632
2633 // |ssl| should have written an alert to the transport.
2634 const uint8_t *unused;
2635 size_t len;
2636 ASSERT_TRUE(BIO_mem_contents(mem.get(), &unused, &len));
2637 EXPECT_NE(0u, len);
2638 EXPECT_TRUE(BIO_reset(mem.get()));
2639
2640 // Writing should fail.
2641 EXPECT_EQ(-1, SSL_write(ssl, "a", 1));
2642
2643 // Nothing should be written to the transport.
2644 ASSERT_TRUE(BIO_mem_contents(mem.get(), &unused, &len));
2645 EXPECT_EQ(0u, len);
2646 }
2647 }
2648
2649 // Test that, after sending a fatal alert in a failed |SSL_read|, |SSL_write|
2650 // fails.
TEST_P(SSLVersionTest,WriteAfterReadSentFatalAlert)2651 TEST_P(SSLVersionTest, WriteAfterReadSentFatalAlert) {
2652 // Decryption failures are not fatal in DTLS.
2653 if (is_dtls()) {
2654 return;
2655 }
2656
2657 ASSERT_TRUE(Connect());
2658
2659 // Save the write |BIO|s as the test will overwrite them.
2660 bssl::UniquePtr<BIO> client_wbio = bssl::UpRef(SSL_get_wbio(client_.get()));
2661 bssl::UniquePtr<BIO> server_wbio = bssl::UpRef(SSL_get_wbio(server_.get()));
2662
2663 for (bool test_server : {false, true}) {
2664 SCOPED_TRACE(test_server ? "server" : "client");
2665 SSL *ssl = test_server ? server_.get() : client_.get();
2666 BIO *other_wbio = test_server ? client_wbio.get() : server_wbio.get();
2667
2668 bssl::UniquePtr<BIO> mem(BIO_new(BIO_s_mem()));
2669 ASSERT_TRUE(mem);
2670 SSL_set0_wbio(ssl, bssl::UpRef(mem).release());
2671
2672 // Read an invalid record from the peer.
2673 static const uint8_t kInvalidRecord[] = "invalid record";
2674 EXPECT_EQ(int{sizeof(kInvalidRecord)},
2675 BIO_write(other_wbio, kInvalidRecord, sizeof(kInvalidRecord)));
2676 char buf[256];
2677 EXPECT_EQ(-1, SSL_read(ssl, buf, sizeof(buf)));
2678
2679 // |ssl| should have written an alert to the transport.
2680 const uint8_t *unused;
2681 size_t len;
2682 ASSERT_TRUE(BIO_mem_contents(mem.get(), &unused, &len));
2683 EXPECT_NE(0u, len);
2684 EXPECT_TRUE(BIO_reset(mem.get()));
2685
2686 // Writing should fail.
2687 EXPECT_EQ(-1, SSL_write(ssl, "a", 1));
2688
2689 // Nothing should be written to the transport.
2690 ASSERT_TRUE(BIO_mem_contents(mem.get(), &unused, &len));
2691 EXPECT_EQ(0u, len);
2692 }
2693 }
2694
2695 // Test that, after sending a fatal alert from the handshake, |SSL_write| fails.
TEST_P(SSLVersionTest,WriteAfterHandshakeSentFatalAlert)2696 TEST_P(SSLVersionTest, WriteAfterHandshakeSentFatalAlert) {
2697 for (bool test_server : {false, true}) {
2698 SCOPED_TRACE(test_server ? "server" : "client");
2699
2700 bssl::UniquePtr<SSL> ssl(
2701 SSL_new(test_server ? server_ctx_.get() : client_ctx_.get()));
2702 ASSERT_TRUE(ssl);
2703 if (test_server) {
2704 SSL_set_accept_state(ssl.get());
2705 } else {
2706 SSL_set_connect_state(ssl.get());
2707 }
2708
2709 std::vector<uint8_t> invalid;
2710 if (is_dtls()) {
2711 // In DTLS, invalid records are discarded. To cause the handshake to fail,
2712 // use a valid handshake record with invalid contents.
2713 invalid.push_back(SSL3_RT_HANDSHAKE);
2714 invalid.push_back(DTLS1_VERSION >> 8);
2715 invalid.push_back(DTLS1_VERSION & 0xff);
2716 // epoch and sequence_number
2717 for (int i = 0; i < 8; i++) {
2718 invalid.push_back(0);
2719 }
2720 // A one-byte fragment is invalid.
2721 invalid.push_back(0);
2722 invalid.push_back(1);
2723 // Arbitrary contents.
2724 invalid.push_back(0);
2725 } else {
2726 invalid = {'i', 'n', 'v', 'a', 'l', 'i', 'd'};
2727 }
2728 bssl::UniquePtr<BIO> rbio(
2729 BIO_new_mem_buf(invalid.data(), invalid.size()));
2730 ASSERT_TRUE(rbio);
2731 SSL_set0_rbio(ssl.get(), rbio.release());
2732
2733 bssl::UniquePtr<BIO> mem(BIO_new(BIO_s_mem()));
2734 ASSERT_TRUE(mem);
2735 SSL_set0_wbio(ssl.get(), bssl::UpRef(mem).release());
2736
2737 // The handshake should fail.
2738 EXPECT_EQ(-1, SSL_do_handshake(ssl.get()));
2739 EXPECT_EQ(SSL_ERROR_SSL, SSL_get_error(ssl.get(), -1));
2740 uint32_t err = ERR_get_error();
2741
2742 // |ssl| should have written an alert (and, in the client's case, a
2743 // ClientHello) to the transport.
2744 const uint8_t *unused;
2745 size_t len;
2746 ASSERT_TRUE(BIO_mem_contents(mem.get(), &unused, &len));
2747 EXPECT_NE(0u, len);
2748 EXPECT_TRUE(BIO_reset(mem.get()));
2749
2750 // Writing should fail, with the same error as the handshake.
2751 EXPECT_EQ(-1, SSL_write(ssl.get(), "a", 1));
2752 EXPECT_EQ(SSL_ERROR_SSL, SSL_get_error(ssl.get(), -1));
2753 EXPECT_EQ(err, ERR_get_error());
2754
2755 // Nothing should be written to the transport.
2756 ASSERT_TRUE(BIO_mem_contents(mem.get(), &unused, &len));
2757 EXPECT_EQ(0u, len);
2758 }
2759 }
2760
2761 // Test that, after seeing TLS 1.2 in response to early data, |SSL_write|
2762 // continues to report |SSL_R_WRONG_VERSION_ON_EARLY_DATA|. See
2763 // https://crbug.com/1078515.
TEST(SSLTest,WriteAfterWrongVersionOnEarlyData)2764 TEST(SSLTest, WriteAfterWrongVersionOnEarlyData) {
2765 // Set up some 0-RTT-enabled contexts.
2766 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
2767 bssl::UniquePtr<SSL_CTX> server_ctx =
2768 CreateContextWithTestCertificate(TLS_method());
2769 ASSERT_TRUE(client_ctx);
2770 ASSERT_TRUE(server_ctx);
2771 SSL_CTX_set_early_data_enabled(client_ctx.get(), 1);
2772 SSL_CTX_set_early_data_enabled(server_ctx.get(), 1);
2773 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
2774 SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH);
2775
2776 // Get an early-data-capable session.
2777 bssl::UniquePtr<SSL_SESSION> session =
2778 CreateClientSession(client_ctx.get(), server_ctx.get());
2779 ASSERT_TRUE(session);
2780 EXPECT_TRUE(SSL_SESSION_early_data_capable(session.get()));
2781
2782 // Offer the session to the server, but now the server speaks TLS 1.2.
2783 bssl::UniquePtr<SSL> client, server;
2784 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
2785 server_ctx.get()));
2786 SSL_set_session(client.get(), session.get());
2787 EXPECT_TRUE(SSL_set_max_proto_version(server.get(), TLS1_2_VERSION));
2788
2789 // The client handshake initially succeeds in the early data state.
2790 EXPECT_EQ(1, SSL_do_handshake(client.get()));
2791 EXPECT_TRUE(SSL_in_early_data(client.get()));
2792
2793 // The server processes the ClientHello and negotiates TLS 1.2.
2794 EXPECT_EQ(-1, SSL_do_handshake(server.get()));
2795 EXPECT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(server.get(), -1));
2796 EXPECT_EQ(TLS1_2_VERSION, SSL_version(server.get()));
2797
2798 // Capture the client's output.
2799 bssl::UniquePtr<BIO> mem(BIO_new(BIO_s_mem()));
2800 ASSERT_TRUE(mem);
2801 SSL_set0_wbio(client.get(), bssl::UpRef(mem).release());
2802
2803 // The client processes the ServerHello and fails.
2804 EXPECT_EQ(-1, SSL_do_handshake(client.get()));
2805 EXPECT_EQ(SSL_ERROR_SSL, SSL_get_error(client.get(), -1));
2806 uint32_t err = ERR_get_error();
2807 EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err));
2808 EXPECT_EQ(SSL_R_WRONG_VERSION_ON_EARLY_DATA, ERR_GET_REASON(err));
2809
2810 // The client should have written an alert to the transport.
2811 const uint8_t *unused;
2812 size_t len;
2813 ASSERT_TRUE(BIO_mem_contents(mem.get(), &unused, &len));
2814 EXPECT_NE(0u, len);
2815 EXPECT_TRUE(BIO_reset(mem.get()));
2816
2817 // Writing should fail, with the same error as the handshake.
2818 EXPECT_EQ(-1, SSL_write(client.get(), "a", 1));
2819 EXPECT_EQ(SSL_ERROR_SSL, SSL_get_error(client.get(), -1));
2820 err = ERR_get_error();
2821 EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err));
2822 EXPECT_EQ(SSL_R_WRONG_VERSION_ON_EARLY_DATA, ERR_GET_REASON(err));
2823
2824 // Nothing should be written to the transport.
2825 ASSERT_TRUE(BIO_mem_contents(mem.get(), &unused, &len));
2826 EXPECT_EQ(0u, len);
2827 }
2828
TEST(SSLTest,SessionDuplication)2829 TEST(SSLTest, SessionDuplication) {
2830 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
2831 bssl::UniquePtr<SSL_CTX> server_ctx =
2832 CreateContextWithTestCertificate(TLS_method());
2833 ASSERT_TRUE(client_ctx);
2834 ASSERT_TRUE(server_ctx);
2835
2836 bssl::UniquePtr<SSL> client, server;
2837 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
2838 server_ctx.get()));
2839
2840 SSL_SESSION *session0 = SSL_get_session(client.get());
2841 bssl::UniquePtr<SSL_SESSION> session1 =
2842 bssl::SSL_SESSION_dup(session0, SSL_SESSION_DUP_ALL);
2843 ASSERT_TRUE(session1);
2844
2845 session1->not_resumable = false;
2846
2847 uint8_t *s0_bytes, *s1_bytes;
2848 size_t s0_len, s1_len;
2849
2850 ASSERT_TRUE(SSL_SESSION_to_bytes(session0, &s0_bytes, &s0_len));
2851 bssl::UniquePtr<uint8_t> free_s0(s0_bytes);
2852
2853 ASSERT_TRUE(SSL_SESSION_to_bytes(session1.get(), &s1_bytes, &s1_len));
2854 bssl::UniquePtr<uint8_t> free_s1(s1_bytes);
2855
2856 EXPECT_EQ(Bytes(s0_bytes, s0_len), Bytes(s1_bytes, s1_len));
2857 }
2858
ExpectFDs(const SSL * ssl,int rfd,int wfd)2859 static void ExpectFDs(const SSL *ssl, int rfd, int wfd) {
2860 EXPECT_EQ(rfd, SSL_get_fd(ssl));
2861 EXPECT_EQ(rfd, SSL_get_rfd(ssl));
2862 EXPECT_EQ(wfd, SSL_get_wfd(ssl));
2863
2864 // The wrapper BIOs are always equal when fds are equal, even if set
2865 // individually.
2866 if (rfd == wfd) {
2867 EXPECT_EQ(SSL_get_rbio(ssl), SSL_get_wbio(ssl));
2868 }
2869 }
2870
TEST(SSLTest,SetFD)2871 TEST(SSLTest, SetFD) {
2872 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
2873 ASSERT_TRUE(ctx);
2874
2875 // Test setting different read and write FDs.
2876 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
2877 ASSERT_TRUE(ssl);
2878 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
2879 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 2));
2880 ExpectFDs(ssl.get(), 1, 2);
2881
2882 // Test setting the same FD.
2883 ssl.reset(SSL_new(ctx.get()));
2884 ASSERT_TRUE(ssl);
2885 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
2886 ExpectFDs(ssl.get(), 1, 1);
2887
2888 // Test setting the same FD one side at a time.
2889 ssl.reset(SSL_new(ctx.get()));
2890 ASSERT_TRUE(ssl);
2891 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
2892 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 1));
2893 ExpectFDs(ssl.get(), 1, 1);
2894
2895 // Test setting the same FD in the other order.
2896 ssl.reset(SSL_new(ctx.get()));
2897 ASSERT_TRUE(ssl);
2898 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 1));
2899 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
2900 ExpectFDs(ssl.get(), 1, 1);
2901
2902 // Test changing the read FD partway through.
2903 ssl.reset(SSL_new(ctx.get()));
2904 ASSERT_TRUE(ssl);
2905 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
2906 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 2));
2907 ExpectFDs(ssl.get(), 2, 1);
2908
2909 // Test changing the write FD partway through.
2910 ssl.reset(SSL_new(ctx.get()));
2911 ASSERT_TRUE(ssl);
2912 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
2913 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 2));
2914 ExpectFDs(ssl.get(), 1, 2);
2915
2916 // Test a no-op change to the read FD partway through.
2917 ssl.reset(SSL_new(ctx.get()));
2918 ASSERT_TRUE(ssl);
2919 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
2920 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
2921 ExpectFDs(ssl.get(), 1, 1);
2922
2923 // Test a no-op change to the write FD partway through.
2924 ssl.reset(SSL_new(ctx.get()));
2925 ASSERT_TRUE(ssl);
2926 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
2927 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 1));
2928 ExpectFDs(ssl.get(), 1, 1);
2929
2930 // ASan builds will implicitly test that the internal |BIO| reference-counting
2931 // is correct.
2932 }
2933
TEST(SSLTest,SetBIO)2934 TEST(SSLTest, SetBIO) {
2935 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
2936 ASSERT_TRUE(ctx);
2937
2938 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
2939 bssl::UniquePtr<BIO> bio1(BIO_new(BIO_s_mem())), bio2(BIO_new(BIO_s_mem())),
2940 bio3(BIO_new(BIO_s_mem()));
2941 ASSERT_TRUE(ssl);
2942 ASSERT_TRUE(bio1);
2943 ASSERT_TRUE(bio2);
2944 ASSERT_TRUE(bio3);
2945
2946 // SSL_set_bio takes one reference when the parameters are the same.
2947 BIO_up_ref(bio1.get());
2948 SSL_set_bio(ssl.get(), bio1.get(), bio1.get());
2949
2950 // Repeating the call does nothing.
2951 SSL_set_bio(ssl.get(), bio1.get(), bio1.get());
2952
2953 // It takes one reference each when the parameters are different.
2954 BIO_up_ref(bio2.get());
2955 BIO_up_ref(bio3.get());
2956 SSL_set_bio(ssl.get(), bio2.get(), bio3.get());
2957
2958 // Repeating the call does nothing.
2959 SSL_set_bio(ssl.get(), bio2.get(), bio3.get());
2960
2961 // It takes one reference when changing only wbio.
2962 BIO_up_ref(bio1.get());
2963 SSL_set_bio(ssl.get(), bio2.get(), bio1.get());
2964
2965 // It takes one reference when changing only rbio and the two are different.
2966 BIO_up_ref(bio3.get());
2967 SSL_set_bio(ssl.get(), bio3.get(), bio1.get());
2968
2969 // If setting wbio to rbio, it takes no additional references.
2970 SSL_set_bio(ssl.get(), bio3.get(), bio3.get());
2971
2972 // From there, wbio may be switched to something else.
2973 BIO_up_ref(bio1.get());
2974 SSL_set_bio(ssl.get(), bio3.get(), bio1.get());
2975
2976 // If setting rbio to wbio, it takes no additional references.
2977 SSL_set_bio(ssl.get(), bio1.get(), bio1.get());
2978
2979 // From there, rbio may be switched to something else, but, for historical
2980 // reasons, it takes a reference to both parameters.
2981 BIO_up_ref(bio1.get());
2982 BIO_up_ref(bio2.get());
2983 SSL_set_bio(ssl.get(), bio2.get(), bio1.get());
2984
2985 // ASAN builds will implicitly test that the internal |BIO| reference-counting
2986 // is correct.
2987 }
2988
VerifySucceed(X509_STORE_CTX * store_ctx,void * arg)2989 static int VerifySucceed(X509_STORE_CTX *store_ctx, void *arg) { return 1; }
2990
TEST_P(SSLVersionTest,GetPeerCertificate)2991 TEST_P(SSLVersionTest, GetPeerCertificate) {
2992 ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
2993
2994 // Configure both client and server to accept any certificate.
2995 SSL_CTX_set_verify(client_ctx_.get(),
2996 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
2997 nullptr);
2998 SSL_CTX_set_cert_verify_callback(client_ctx_.get(), VerifySucceed, NULL);
2999 SSL_CTX_set_verify(server_ctx_.get(),
3000 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
3001 nullptr);
3002 SSL_CTX_set_cert_verify_callback(server_ctx_.get(), VerifySucceed, NULL);
3003
3004 ASSERT_TRUE(Connect());
3005
3006 // Client and server should both see the leaf certificate.
3007 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(server_.get()));
3008 ASSERT_TRUE(peer);
3009 ASSERT_EQ(X509_cmp(cert_.get(), peer.get()), 0);
3010
3011 peer.reset(SSL_get_peer_certificate(client_.get()));
3012 ASSERT_TRUE(peer);
3013 ASSERT_EQ(X509_cmp(cert_.get(), peer.get()), 0);
3014
3015 // However, for historical reasons, the X509 chain includes the leaf on the
3016 // client, but does not on the server.
3017 EXPECT_EQ(sk_X509_num(SSL_get_peer_cert_chain(client_.get())), 1u);
3018 EXPECT_EQ(sk_CRYPTO_BUFFER_num(SSL_get0_peer_certificates(client_.get())),
3019 1u);
3020
3021 EXPECT_EQ(sk_X509_num(SSL_get_peer_cert_chain(server_.get())), 0u);
3022 EXPECT_EQ(sk_CRYPTO_BUFFER_num(SSL_get0_peer_certificates(server_.get())),
3023 1u);
3024 }
3025
TEST_P(SSLVersionTest,NoPeerCertificate)3026 TEST_P(SSLVersionTest, NoPeerCertificate) {
3027 SSL_CTX_set_verify(server_ctx_.get(), SSL_VERIFY_PEER, nullptr);
3028 SSL_CTX_set_cert_verify_callback(server_ctx_.get(), VerifySucceed, NULL);
3029 SSL_CTX_set_cert_verify_callback(client_ctx_.get(), VerifySucceed, NULL);
3030
3031 ASSERT_TRUE(Connect());
3032
3033 // Server should not see a peer certificate.
3034 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(server_.get()));
3035 ASSERT_FALSE(peer);
3036 ASSERT_FALSE(SSL_get0_peer_certificates(server_.get()));
3037 }
3038
TEST_P(SSLVersionTest,RetainOnlySHA256OfCerts)3039 TEST_P(SSLVersionTest, RetainOnlySHA256OfCerts) {
3040 uint8_t *cert_der = NULL;
3041 int cert_der_len = i2d_X509(cert_.get(), &cert_der);
3042 ASSERT_GE(cert_der_len, 0);
3043 bssl::UniquePtr<uint8_t> free_cert_der(cert_der);
3044
3045 uint8_t cert_sha256[SHA256_DIGEST_LENGTH];
3046 SHA256(cert_der, cert_der_len, cert_sha256);
3047
3048 ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
3049
3050 // Configure both client and server to accept any certificate, but the
3051 // server must retain only the SHA-256 of the peer.
3052 SSL_CTX_set_verify(client_ctx_.get(),
3053 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
3054 nullptr);
3055 SSL_CTX_set_verify(server_ctx_.get(),
3056 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
3057 nullptr);
3058 SSL_CTX_set_cert_verify_callback(client_ctx_.get(), VerifySucceed, NULL);
3059 SSL_CTX_set_cert_verify_callback(server_ctx_.get(), VerifySucceed, NULL);
3060 SSL_CTX_set_retain_only_sha256_of_client_certs(server_ctx_.get(), 1);
3061
3062 ASSERT_TRUE(Connect());
3063
3064 // The peer certificate has been dropped.
3065 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(server_.get()));
3066 EXPECT_FALSE(peer);
3067
3068 SSL_SESSION *session = SSL_get_session(server_.get());
3069 EXPECT_TRUE(SSL_SESSION_has_peer_sha256(session));
3070
3071 const uint8_t *peer_sha256;
3072 size_t peer_sha256_len;
3073 SSL_SESSION_get0_peer_sha256(session, &peer_sha256, &peer_sha256_len);
3074 EXPECT_EQ(Bytes(cert_sha256), Bytes(peer_sha256, peer_sha256_len));
3075 }
3076
3077 // Tests that our ClientHellos do not change unexpectedly. These are purely
3078 // change detection tests. If they fail as part of an intentional ClientHello
3079 // change, update the test vector.
TEST(SSLTest,ClientHello)3080 TEST(SSLTest, ClientHello) {
3081 struct {
3082 uint16_t max_version;
3083 std::vector<uint8_t> expected;
3084 } kTests[] = {
3085 {TLS1_VERSION,
3086 {0x16, 0x03, 0x01, 0x00, 0x5a, 0x01, 0x00, 0x00, 0x56, 0x03, 0x01, 0x00,
3087 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3088 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3089 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0e, 0xc0, 0x09,
3090 0xc0, 0x13, 0xc0, 0x0a, 0xc0, 0x14, 0x00, 0x2f, 0x00, 0x35, 0x00, 0x0a,
3091 0x01, 0x00, 0x00, 0x1f, 0x00, 0x17, 0x00, 0x00, 0xff, 0x01, 0x00, 0x01,
3092 0x00, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00,
3093 0x18, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00}},
3094 {TLS1_1_VERSION,
3095 {0x16, 0x03, 0x01, 0x00, 0x5a, 0x01, 0x00, 0x00, 0x56, 0x03, 0x02, 0x00,
3096 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3097 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3098 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0e, 0xc0, 0x09,
3099 0xc0, 0x13, 0xc0, 0x0a, 0xc0, 0x14, 0x00, 0x2f, 0x00, 0x35, 0x00, 0x0a,
3100 0x01, 0x00, 0x00, 0x1f, 0x00, 0x17, 0x00, 0x00, 0xff, 0x01, 0x00, 0x01,
3101 0x00, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00,
3102 0x18, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00}},
3103 {TLS1_2_VERSION,
3104 {0x16, 0x03, 0x01, 0x00, 0x82, 0x01, 0x00, 0x00, 0x7e, 0x03, 0x03, 0x00,
3105 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3106 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3107 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1e, 0xcc, 0xa9,
3108 0xcc, 0xa8, 0xc0, 0x2b, 0xc0, 0x2f, 0xc0, 0x2c, 0xc0, 0x30, 0xc0, 0x09,
3109 0xc0, 0x13, 0xc0, 0x0a, 0xc0, 0x14, 0x00, 0x9c, 0x00, 0x9d, 0x00, 0x2f,
3110 0x00, 0x35, 0x00, 0x0a, 0x01, 0x00, 0x00, 0x37, 0x00, 0x17, 0x00, 0x00,
3111 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00,
3112 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00,
3113 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x14, 0x00, 0x12, 0x04, 0x03, 0x08,
3114 0x04, 0x04, 0x01, 0x05, 0x03, 0x08, 0x05, 0x05, 0x01, 0x08, 0x06, 0x06,
3115 0x01, 0x02, 0x01}},
3116 // TODO(davidben): Add a change detector for TLS 1.3 once the spec and our
3117 // implementation has settled enough that it won't change.
3118 };
3119
3120 for (const auto &t : kTests) {
3121 SCOPED_TRACE(t.max_version);
3122
3123 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
3124 ASSERT_TRUE(ctx);
3125 // Our default cipher list varies by CPU capabilities, so manually place the
3126 // ChaCha20 ciphers in front.
3127 const char *cipher_list = "CHACHA20:ALL";
3128 ASSERT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), t.max_version));
3129 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(ctx.get(), cipher_list));
3130
3131 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
3132 ASSERT_TRUE(ssl);
3133 std::vector<uint8_t> client_hello;
3134 ASSERT_TRUE(GetClientHello(ssl.get(), &client_hello));
3135
3136 // Zero the client_random.
3137 constexpr size_t kRandomOffset = 1 + 2 + 2 + // record header
3138 1 + 3 + // handshake message header
3139 2; // client_version
3140 ASSERT_GE(client_hello.size(), kRandomOffset + SSL3_RANDOM_SIZE);
3141 OPENSSL_memset(client_hello.data() + kRandomOffset, 0, SSL3_RANDOM_SIZE);
3142
3143 if (client_hello != t.expected) {
3144 ADD_FAILURE() << "ClientHellos did not match.";
3145 // Print the value manually so it is easier to update the test vector.
3146 for (size_t i = 0; i < client_hello.size(); i += 12) {
3147 printf(" %c", i == 0 ? '{' : ' ');
3148 for (size_t j = i; j < client_hello.size() && j < i + 12; j++) {
3149 if (j > i) {
3150 printf(" ");
3151 }
3152 printf("0x%02x", client_hello[j]);
3153 if (j < client_hello.size() - 1) {
3154 printf(",");
3155 }
3156 }
3157 if (i + 12 >= client_hello.size()) {
3158 printf("}},");
3159 }
3160 printf("\n");
3161 }
3162 }
3163 }
3164 }
3165
ExpectSessionReused(SSL_CTX * client_ctx,SSL_CTX * server_ctx,SSL_SESSION * session,bool want_reused)3166 static void ExpectSessionReused(SSL_CTX *client_ctx, SSL_CTX *server_ctx,
3167 SSL_SESSION *session, bool want_reused) {
3168 bssl::UniquePtr<SSL> client, server;
3169 ClientConfig config;
3170 config.session = session;
3171 EXPECT_TRUE(
3172 ConnectClientAndServer(&client, &server, client_ctx, server_ctx, config));
3173
3174 EXPECT_EQ(SSL_session_reused(client.get()), SSL_session_reused(server.get()));
3175
3176 bool was_reused = !!SSL_session_reused(client.get());
3177 EXPECT_EQ(was_reused, want_reused);
3178 }
3179
ExpectSessionRenewed(SSL_CTX * client_ctx,SSL_CTX * server_ctx,SSL_SESSION * session)3180 static bssl::UniquePtr<SSL_SESSION> ExpectSessionRenewed(SSL_CTX *client_ctx,
3181 SSL_CTX *server_ctx,
3182 SSL_SESSION *session) {
3183 g_last_session = nullptr;
3184 SSL_CTX_sess_set_new_cb(client_ctx, SaveLastSession);
3185
3186 bssl::UniquePtr<SSL> client, server;
3187 ClientConfig config;
3188 config.session = session;
3189 if (!ConnectClientAndServer(&client, &server, client_ctx, server_ctx,
3190 config) ||
3191 !FlushNewSessionTickets(client.get(), server.get())) {
3192 fprintf(stderr, "Failed to connect client and server.\n");
3193 return nullptr;
3194 }
3195
3196 if (SSL_session_reused(client.get()) != SSL_session_reused(server.get())) {
3197 fprintf(stderr, "Client and server were inconsistent.\n");
3198 return nullptr;
3199 }
3200
3201 if (!SSL_session_reused(client.get())) {
3202 fprintf(stderr, "Session was not reused.\n");
3203 return nullptr;
3204 }
3205
3206 SSL_CTX_sess_set_new_cb(client_ctx, nullptr);
3207
3208 if (!g_last_session) {
3209 fprintf(stderr, "Client did not receive a renewed session.\n");
3210 return nullptr;
3211 }
3212 return std::move(g_last_session);
3213 }
3214
ExpectTicketKeyChanged(SSL_CTX * ctx,uint8_t * inout_key,bool changed)3215 static void ExpectTicketKeyChanged(SSL_CTX *ctx, uint8_t *inout_key,
3216 bool changed) {
3217 uint8_t new_key[kTicketKeyLen];
3218 // May return 0, 1 or 48.
3219 ASSERT_EQ(SSL_CTX_get_tlsext_ticket_keys(ctx, new_key, kTicketKeyLen), 1);
3220 if (changed) {
3221 ASSERT_NE(Bytes(inout_key, kTicketKeyLen), Bytes(new_key));
3222 } else {
3223 ASSERT_EQ(Bytes(inout_key, kTicketKeyLen), Bytes(new_key));
3224 }
3225 OPENSSL_memcpy(inout_key, new_key, kTicketKeyLen);
3226 }
3227
SwitchSessionIDContextSNI(SSL * ssl,int * out_alert,void * arg)3228 static int SwitchSessionIDContextSNI(SSL *ssl, int *out_alert, void *arg) {
3229 static const uint8_t kContext[] = {3};
3230
3231 if (!SSL_set_session_id_context(ssl, kContext, sizeof(kContext))) {
3232 return SSL_TLSEXT_ERR_ALERT_FATAL;
3233 }
3234
3235 return SSL_TLSEXT_ERR_OK;
3236 }
3237
TEST_P(SSLVersionTest,SessionIDContext)3238 TEST_P(SSLVersionTest, SessionIDContext) {
3239 static const uint8_t kContext1[] = {1};
3240 static const uint8_t kContext2[] = {2};
3241
3242 ASSERT_TRUE(SSL_CTX_set_session_id_context(server_ctx_.get(), kContext1,
3243 sizeof(kContext1)));
3244
3245 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
3246 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
3247
3248 bssl::UniquePtr<SSL_SESSION> session =
3249 CreateClientSession(client_ctx_.get(), server_ctx_.get());
3250 ASSERT_TRUE(session);
3251
3252 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3253 session.get(),
3254 true /* expect session reused */));
3255
3256 // Change the session ID context.
3257 ASSERT_TRUE(SSL_CTX_set_session_id_context(server_ctx_.get(), kContext2,
3258 sizeof(kContext2)));
3259
3260 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3261 session.get(),
3262 false /* expect session not reused */));
3263
3264 // Change the session ID context back and install an SNI callback to switch
3265 // it.
3266 ASSERT_TRUE(SSL_CTX_set_session_id_context(server_ctx_.get(), kContext1,
3267 sizeof(kContext1)));
3268
3269 SSL_CTX_set_tlsext_servername_callback(server_ctx_.get(),
3270 SwitchSessionIDContextSNI);
3271
3272 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3273 session.get(),
3274 false /* expect session not reused */));
3275
3276 // Switch the session ID context with the early callback instead.
3277 SSL_CTX_set_tlsext_servername_callback(server_ctx_.get(), nullptr);
3278 SSL_CTX_set_select_certificate_cb(
3279 server_ctx_.get(),
3280 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
3281 static const uint8_t kContext[] = {3};
3282
3283 if (!SSL_set_session_id_context(client_hello->ssl, kContext,
3284 sizeof(kContext))) {
3285 return ssl_select_cert_error;
3286 }
3287
3288 return ssl_select_cert_success;
3289 });
3290
3291 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3292 session.get(),
3293 false /* expect session not reused */));
3294 }
3295
3296 static timeval g_current_time;
3297
CurrentTimeCallback(const SSL * ssl,timeval * out_clock)3298 static void CurrentTimeCallback(const SSL *ssl, timeval *out_clock) {
3299 *out_clock = g_current_time;
3300 }
3301
FrozenTimeCallback(const SSL * ssl,timeval * out_clock)3302 static void FrozenTimeCallback(const SSL *ssl, timeval *out_clock) {
3303 out_clock->tv_sec = 1000;
3304 out_clock->tv_usec = 0;
3305 }
3306
RenewTicketCallback(SSL * ssl,uint8_t * key_name,uint8_t * iv,EVP_CIPHER_CTX * ctx,HMAC_CTX * hmac_ctx,int encrypt)3307 static int RenewTicketCallback(SSL *ssl, uint8_t *key_name, uint8_t *iv,
3308 EVP_CIPHER_CTX *ctx, HMAC_CTX *hmac_ctx,
3309 int encrypt) {
3310 static const uint8_t kZeros[16] = {0};
3311
3312 if (encrypt) {
3313 OPENSSL_memcpy(key_name, kZeros, sizeof(kZeros));
3314 RAND_bytes(iv, 16);
3315 } else if (OPENSSL_memcmp(key_name, kZeros, 16) != 0) {
3316 return 0;
3317 }
3318
3319 if (!HMAC_Init_ex(hmac_ctx, kZeros, sizeof(kZeros), EVP_sha256(), NULL) ||
3320 !EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, kZeros, iv, encrypt)) {
3321 return -1;
3322 }
3323
3324 // Returning two from the callback in decrypt mode renews the
3325 // session in TLS 1.2 and below.
3326 return encrypt ? 1 : 2;
3327 }
3328
GetServerTicketTime(long * out,const SSL_SESSION * session)3329 static bool GetServerTicketTime(long *out, const SSL_SESSION *session) {
3330 const uint8_t *ticket;
3331 size_t ticket_len;
3332 SSL_SESSION_get0_ticket(session, &ticket, &ticket_len);
3333 if (ticket_len < 16 + 16 + SHA256_DIGEST_LENGTH) {
3334 return false;
3335 }
3336
3337 const uint8_t *ciphertext = ticket + 16 + 16;
3338 size_t len = ticket_len - 16 - 16 - SHA256_DIGEST_LENGTH;
3339 std::unique_ptr<uint8_t[]> plaintext(new uint8_t[len]);
3340
3341 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
3342 // Fuzzer-mode tickets are unencrypted.
3343 OPENSSL_memcpy(plaintext.get(), ciphertext, len);
3344 #else
3345 static const uint8_t kZeros[16] = {0};
3346 const uint8_t *iv = ticket + 16;
3347 bssl::ScopedEVP_CIPHER_CTX ctx;
3348 int len1, len2;
3349 if (!EVP_DecryptInit_ex(ctx.get(), EVP_aes_128_cbc(), nullptr, kZeros, iv) ||
3350 !EVP_DecryptUpdate(ctx.get(), plaintext.get(), &len1, ciphertext, len) ||
3351 !EVP_DecryptFinal_ex(ctx.get(), plaintext.get() + len1, &len2)) {
3352 return false;
3353 }
3354
3355 len = static_cast<size_t>(len1 + len2);
3356 #endif
3357
3358 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
3359 if (!ssl_ctx) {
3360 return false;
3361 }
3362 bssl::UniquePtr<SSL_SESSION> server_session(
3363 SSL_SESSION_from_bytes(plaintext.get(), len, ssl_ctx.get()));
3364 if (!server_session) {
3365 return false;
3366 }
3367
3368 *out = SSL_SESSION_get_time(server_session.get());
3369 return true;
3370 }
3371
TEST_P(SSLVersionTest,SessionTimeout)3372 TEST_P(SSLVersionTest, SessionTimeout) {
3373 for (bool server_test : {false, true}) {
3374 SCOPED_TRACE(server_test);
3375
3376 ResetContexts();
3377 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
3378 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
3379
3380 static const time_t kStartTime = 1000;
3381 g_current_time.tv_sec = kStartTime;
3382
3383 // We are willing to use a longer lifetime for TLS 1.3 sessions as
3384 // resumptions still perform ECDHE.
3385 const time_t timeout = version() == TLS1_3_VERSION
3386 ? SSL_DEFAULT_SESSION_PSK_DHE_TIMEOUT
3387 : SSL_DEFAULT_SESSION_TIMEOUT;
3388
3389 // Both client and server must enforce session timeouts. We configure the
3390 // other side with a frozen clock so it never expires tickets.
3391 if (server_test) {
3392 SSL_CTX_set_current_time_cb(client_ctx_.get(), FrozenTimeCallback);
3393 SSL_CTX_set_current_time_cb(server_ctx_.get(), CurrentTimeCallback);
3394 } else {
3395 SSL_CTX_set_current_time_cb(client_ctx_.get(), CurrentTimeCallback);
3396 SSL_CTX_set_current_time_cb(server_ctx_.get(), FrozenTimeCallback);
3397 }
3398
3399 // Configure a ticket callback which renews tickets.
3400 SSL_CTX_set_tlsext_ticket_key_cb(server_ctx_.get(), RenewTicketCallback);
3401
3402 bssl::UniquePtr<SSL_SESSION> session =
3403 CreateClientSession(client_ctx_.get(), server_ctx_.get());
3404 ASSERT_TRUE(session);
3405
3406 // Advance the clock just behind the timeout.
3407 g_current_time.tv_sec += timeout - 1;
3408
3409 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3410 session.get(),
3411 true /* expect session reused */));
3412
3413 // Advance the clock one more second.
3414 g_current_time.tv_sec++;
3415
3416 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3417 session.get(),
3418 false /* expect session not reused */));
3419
3420 // Rewind the clock to before the session was minted.
3421 g_current_time.tv_sec = kStartTime - 1;
3422
3423 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3424 session.get(),
3425 false /* expect session not reused */));
3426
3427 // Renew the session 10 seconds before expiration.
3428 time_t new_start_time = kStartTime + timeout - 10;
3429 g_current_time.tv_sec = new_start_time;
3430 bssl::UniquePtr<SSL_SESSION> new_session = ExpectSessionRenewed(
3431 client_ctx_.get(), server_ctx_.get(), session.get());
3432 ASSERT_TRUE(new_session);
3433
3434 // This new session is not the same object as before.
3435 EXPECT_NE(session.get(), new_session.get());
3436
3437 // Check the sessions have timestamps measured from issuance.
3438 long session_time = 0;
3439 if (server_test) {
3440 ASSERT_TRUE(GetServerTicketTime(&session_time, new_session.get()));
3441 } else {
3442 session_time = SSL_SESSION_get_time(new_session.get());
3443 }
3444
3445 ASSERT_EQ(session_time, g_current_time.tv_sec);
3446
3447 if (version() == TLS1_3_VERSION) {
3448 // Renewal incorporates fresh key material in TLS 1.3, so we extend the
3449 // lifetime TLS 1.3.
3450 g_current_time.tv_sec = new_start_time + timeout - 1;
3451 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3452 new_session.get(),
3453 true /* expect session reused */));
3454
3455 // The new session expires after the new timeout.
3456 g_current_time.tv_sec = new_start_time + timeout + 1;
3457 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3458 new_session.get(),
3459 false /* expect session ot reused */));
3460
3461 // Renew the session until it begins just past the auth timeout.
3462 time_t auth_end_time = kStartTime + SSL_DEFAULT_SESSION_AUTH_TIMEOUT;
3463 while (new_start_time < auth_end_time - 1000) {
3464 // Get as close as possible to target start time.
3465 new_start_time =
3466 std::min(auth_end_time - 1000, new_start_time + timeout - 1);
3467 g_current_time.tv_sec = new_start_time;
3468 new_session = ExpectSessionRenewed(client_ctx_.get(), server_ctx_.get(),
3469 new_session.get());
3470 ASSERT_TRUE(new_session);
3471 }
3472
3473 // Now the session's lifetime is bound by the auth timeout.
3474 g_current_time.tv_sec = auth_end_time - 1;
3475 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3476 new_session.get(),
3477 true /* expect session reused */));
3478
3479 g_current_time.tv_sec = auth_end_time + 1;
3480 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3481 new_session.get(),
3482 false /* expect session ot reused */));
3483 } else {
3484 // The new session is usable just before the old expiration.
3485 g_current_time.tv_sec = kStartTime + timeout - 1;
3486 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3487 new_session.get(),
3488 true /* expect session reused */));
3489
3490 // Renewal does not extend the lifetime, so it is not usable beyond the
3491 // old expiration.
3492 g_current_time.tv_sec = kStartTime + timeout + 1;
3493 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3494 new_session.get(),
3495 false /* expect session not reused */));
3496 }
3497 }
3498 }
3499
TEST_P(SSLVersionTest,DefaultTicketKeyInitialization)3500 TEST_P(SSLVersionTest, DefaultTicketKeyInitialization) {
3501 static const uint8_t kZeroKey[kTicketKeyLen] = {};
3502 uint8_t ticket_key[kTicketKeyLen];
3503 ASSERT_EQ(1, SSL_CTX_get_tlsext_ticket_keys(server_ctx_.get(), ticket_key,
3504 kTicketKeyLen));
3505 ASSERT_NE(0, OPENSSL_memcmp(ticket_key, kZeroKey, kTicketKeyLen));
3506 }
3507
TEST_P(SSLVersionTest,DefaultTicketKeyRotation)3508 TEST_P(SSLVersionTest, DefaultTicketKeyRotation) {
3509 static const time_t kStartTime = 1001;
3510 g_current_time.tv_sec = kStartTime;
3511
3512 // We use session reuse as a proxy for ticket decryption success, hence
3513 // disable session timeouts.
3514 SSL_CTX_set_timeout(server_ctx_.get(), std::numeric_limits<uint32_t>::max());
3515 SSL_CTX_set_session_psk_dhe_timeout(server_ctx_.get(),
3516 std::numeric_limits<uint32_t>::max());
3517
3518 SSL_CTX_set_current_time_cb(client_ctx_.get(), FrozenTimeCallback);
3519 SSL_CTX_set_current_time_cb(server_ctx_.get(), CurrentTimeCallback);
3520
3521 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
3522 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_OFF);
3523
3524 // Initialize ticket_key with the current key and check that it was
3525 // initialized to something, not all zeros.
3526 uint8_t ticket_key[kTicketKeyLen] = {0};
3527 TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
3528 true /* changed */));
3529
3530 // Verify ticket resumption actually works.
3531 bssl::UniquePtr<SSL> client, server;
3532 bssl::UniquePtr<SSL_SESSION> session =
3533 CreateClientSession(client_ctx_.get(), server_ctx_.get());
3534 ASSERT_TRUE(session);
3535 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3536 session.get(), true /* reused */));
3537
3538 // Advance time to just before key rotation.
3539 g_current_time.tv_sec += SSL_DEFAULT_TICKET_KEY_ROTATION_INTERVAL - 1;
3540 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3541 session.get(), true /* reused */));
3542 TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
3543 false /* NOT changed */));
3544
3545 // Force key rotation.
3546 g_current_time.tv_sec += 1;
3547 bssl::UniquePtr<SSL_SESSION> new_session =
3548 CreateClientSession(client_ctx_.get(), server_ctx_.get());
3549 TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
3550 true /* changed */));
3551
3552 // Resumption with both old and new ticket should work.
3553 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3554 session.get(), true /* reused */));
3555 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3556 new_session.get(), true /* reused */));
3557 TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
3558 false /* NOT changed */));
3559
3560 // Force key rotation again. Resumption with the old ticket now fails.
3561 g_current_time.tv_sec += SSL_DEFAULT_TICKET_KEY_ROTATION_INTERVAL;
3562 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3563 session.get(), false /* NOT reused */));
3564 TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
3565 true /* changed */));
3566
3567 // But resumption with the newer session still works.
3568 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3569 new_session.get(), true /* reused */));
3570 }
3571
SwitchContext(SSL * ssl,int * out_alert,void * arg)3572 static int SwitchContext(SSL *ssl, int *out_alert, void *arg) {
3573 SSL_CTX *ctx = reinterpret_cast<SSL_CTX *>(arg);
3574 SSL_set_SSL_CTX(ssl, ctx);
3575 return SSL_TLSEXT_ERR_OK;
3576 }
3577
TEST_P(SSLVersionTest,SNICallback)3578 TEST_P(SSLVersionTest, SNICallback) {
3579 bssl::UniquePtr<X509> cert2 = GetECDSATestCertificate();
3580 ASSERT_TRUE(cert2);
3581 bssl::UniquePtr<EVP_PKEY> key2 = GetECDSATestKey();
3582 ASSERT_TRUE(key2);
3583
3584 // Test that switching the |SSL_CTX| at the SNI callback behaves correctly.
3585 static const uint16_t kECDSAWithSHA256 = SSL_SIGN_ECDSA_SECP256R1_SHA256;
3586
3587 static const uint8_t kSCTList[] = {0, 6, 0, 4, 5, 6, 7, 8};
3588 static const uint8_t kOCSPResponse[] = {1, 2, 3, 4};
3589
3590 bssl::UniquePtr<SSL_CTX> server_ctx2 = CreateContext();
3591 ASSERT_TRUE(server_ctx2);
3592 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx2.get(), cert2.get()));
3593 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx2.get(), key2.get()));
3594 ASSERT_TRUE(SSL_CTX_set_signed_cert_timestamp_list(
3595 server_ctx2.get(), kSCTList, sizeof(kSCTList)));
3596 ASSERT_TRUE(SSL_CTX_set_ocsp_response(server_ctx2.get(), kOCSPResponse,
3597 sizeof(kOCSPResponse)));
3598 // Historically signing preferences would be lost in some cases with the
3599 // SNI callback, which triggers the TLS 1.2 SHA-1 default. To ensure
3600 // this doesn't happen when |version| is TLS 1.2, configure the private
3601 // key to only sign SHA-256.
3602 ASSERT_TRUE(SSL_CTX_set_signing_algorithm_prefs(server_ctx2.get(),
3603 &kECDSAWithSHA256, 1));
3604
3605 SSL_CTX_set_tlsext_servername_callback(server_ctx_.get(), SwitchContext);
3606 SSL_CTX_set_tlsext_servername_arg(server_ctx_.get(), server_ctx2.get());
3607
3608 SSL_CTX_enable_signed_cert_timestamps(client_ctx_.get());
3609 SSL_CTX_enable_ocsp_stapling(client_ctx_.get());
3610
3611 ASSERT_TRUE(Connect());
3612
3613 // The client should have received |cert2|.
3614 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(client_.get()));
3615 ASSERT_TRUE(peer);
3616 EXPECT_EQ(X509_cmp(peer.get(), cert2.get()), 0);
3617
3618 // The client should have received |server_ctx2|'s SCT list.
3619 const uint8_t *data;
3620 size_t len;
3621 SSL_get0_signed_cert_timestamp_list(client_.get(), &data, &len);
3622 EXPECT_EQ(Bytes(kSCTList), Bytes(data, len));
3623
3624 // The client should have received |server_ctx2|'s OCSP response.
3625 SSL_get0_ocsp_response(client_.get(), &data, &len);
3626 EXPECT_EQ(Bytes(kOCSPResponse), Bytes(data, len));
3627 }
3628
3629 // Test that the early callback can swap the maximum version.
TEST(SSLTest,EarlyCallbackVersionSwitch)3630 TEST(SSLTest, EarlyCallbackVersionSwitch) {
3631 bssl::UniquePtr<SSL_CTX> server_ctx =
3632 CreateContextWithTestCertificate(TLS_method());
3633 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
3634 ASSERT_TRUE(server_ctx);
3635 ASSERT_TRUE(client_ctx);
3636 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION));
3637 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
3638
3639 SSL_CTX_set_select_certificate_cb(
3640 server_ctx.get(),
3641 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
3642 if (!SSL_set_max_proto_version(client_hello->ssl, TLS1_2_VERSION)) {
3643 return ssl_select_cert_error;
3644 }
3645
3646 return ssl_select_cert_success;
3647 });
3648
3649 bssl::UniquePtr<SSL> client, server;
3650 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
3651 server_ctx.get()));
3652 EXPECT_EQ(TLS1_2_VERSION, SSL_version(client.get()));
3653 }
3654
TEST(SSLTest,SetVersion)3655 TEST(SSLTest, SetVersion) {
3656 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
3657 ASSERT_TRUE(ctx);
3658
3659 // Set valid TLS versions.
3660 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_VERSION));
3661 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_1_VERSION));
3662 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_VERSION));
3663 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_1_VERSION));
3664
3665 // Invalid TLS versions are rejected.
3666 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), DTLS1_VERSION));
3667 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0x0200));
3668 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0x1234));
3669 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), DTLS1_VERSION));
3670 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x0200));
3671 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x1234));
3672
3673 // Zero is the default version.
3674 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), 0));
3675 EXPECT_EQ(TLS1_3_VERSION, SSL_CTX_get_max_proto_version(ctx.get()));
3676 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), 0));
3677 EXPECT_EQ(TLS1_VERSION, SSL_CTX_get_min_proto_version(ctx.get()));
3678
3679 // TLS 1.3 is available, but not by default.
3680 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_3_VERSION));
3681 EXPECT_EQ(TLS1_3_VERSION, SSL_CTX_get_max_proto_version(ctx.get()));
3682
3683 // SSL 3.0 is not available.
3684 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), SSL3_VERSION));
3685
3686 ctx.reset(SSL_CTX_new(DTLS_method()));
3687 ASSERT_TRUE(ctx);
3688
3689 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), DTLS1_VERSION));
3690 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), DTLS1_2_VERSION));
3691 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), DTLS1_VERSION));
3692 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), DTLS1_2_VERSION));
3693
3694 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_VERSION));
3695 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0xfefe /* DTLS 1.1 */));
3696 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0xfffe /* DTLS 0.1 */));
3697 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0x1234));
3698 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_VERSION));
3699 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0xfefe /* DTLS 1.1 */));
3700 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0xfffe /* DTLS 0.1 */));
3701 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x1234));
3702
3703 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), 0));
3704 EXPECT_EQ(DTLS1_2_VERSION, SSL_CTX_get_max_proto_version(ctx.get()));
3705 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), 0));
3706 EXPECT_EQ(DTLS1_VERSION, SSL_CTX_get_min_proto_version(ctx.get()));
3707 }
3708
GetVersionName(uint16_t version)3709 static const char *GetVersionName(uint16_t version) {
3710 switch (version) {
3711 case TLS1_VERSION:
3712 return "TLSv1";
3713 case TLS1_1_VERSION:
3714 return "TLSv1.1";
3715 case TLS1_2_VERSION:
3716 return "TLSv1.2";
3717 case TLS1_3_VERSION:
3718 return "TLSv1.3";
3719 case DTLS1_VERSION:
3720 return "DTLSv1";
3721 case DTLS1_2_VERSION:
3722 return "DTLSv1.2";
3723 default:
3724 return "???";
3725 }
3726 }
3727
TEST_P(SSLVersionTest,Version)3728 TEST_P(SSLVersionTest, Version) {
3729 ASSERT_TRUE(Connect());
3730
3731 EXPECT_EQ(SSL_version(client_.get()), version());
3732 EXPECT_EQ(SSL_version(server_.get()), version());
3733
3734 // Test the version name is reported as expected.
3735 const char *version_name = GetVersionName(version());
3736 EXPECT_EQ(strcmp(version_name, SSL_get_version(client_.get())), 0);
3737 EXPECT_EQ(strcmp(version_name, SSL_get_version(server_.get())), 0);
3738
3739 // Test SSL_SESSION reports the same name.
3740 const char *client_name =
3741 SSL_SESSION_get_version(SSL_get_session(client_.get()));
3742 const char *server_name =
3743 SSL_SESSION_get_version(SSL_get_session(server_.get()));
3744 EXPECT_EQ(strcmp(version_name, client_name), 0);
3745 EXPECT_EQ(strcmp(version_name, server_name), 0);
3746 }
3747
3748 // Tests that that |SSL_get_pending_cipher| is available during the ALPN
3749 // selection callback.
TEST_P(SSLVersionTest,ALPNCipherAvailable)3750 TEST_P(SSLVersionTest, ALPNCipherAvailable) {
3751 ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
3752
3753 static const uint8_t kALPNProtos[] = {0x03, 'f', 'o', 'o'};
3754 ASSERT_EQ(SSL_CTX_set_alpn_protos(client_ctx_.get(), kALPNProtos,
3755 sizeof(kALPNProtos)),
3756 0);
3757
3758 // The ALPN callback does not fail the handshake on error, so have the
3759 // callback write a boolean.
3760 std::pair<uint16_t, bool> callback_state(version(), false);
3761 SSL_CTX_set_alpn_select_cb(
3762 server_ctx_.get(),
3763 [](SSL *ssl, const uint8_t **out, uint8_t *out_len, const uint8_t *in,
3764 unsigned in_len, void *arg) -> int {
3765 auto state = reinterpret_cast<std::pair<uint16_t, bool> *>(arg);
3766 if (SSL_get_pending_cipher(ssl) != nullptr &&
3767 SSL_version(ssl) == state->first) {
3768 state->second = true;
3769 }
3770 return SSL_TLSEXT_ERR_NOACK;
3771 },
3772 &callback_state);
3773
3774 ASSERT_TRUE(Connect());
3775
3776 ASSERT_TRUE(callback_state.second);
3777 }
3778
TEST_P(SSLVersionTest,SSLClearSessionResumption)3779 TEST_P(SSLVersionTest, SSLClearSessionResumption) {
3780 // Skip this for TLS 1.3. TLS 1.3's ticket mechanism is incompatible with this
3781 // API pattern.
3782 if (version() == TLS1_3_VERSION) {
3783 return;
3784 }
3785
3786 shed_handshake_config_ = false;
3787 ASSERT_TRUE(Connect());
3788
3789 EXPECT_FALSE(SSL_session_reused(client_.get()));
3790 EXPECT_FALSE(SSL_session_reused(server_.get()));
3791
3792 // Reset everything.
3793 ASSERT_TRUE(SSL_clear(client_.get()));
3794 ASSERT_TRUE(SSL_clear(server_.get()));
3795
3796 // Attempt to connect a second time.
3797 ASSERT_TRUE(CompleteHandshakes(client_.get(), server_.get()));
3798
3799 // |SSL_clear| should implicitly offer the previous session to the server.
3800 EXPECT_TRUE(SSL_session_reused(client_.get()));
3801 EXPECT_TRUE(SSL_session_reused(server_.get()));
3802 }
3803
TEST_P(SSLVersionTest,SSLClearFailsWithShedding)3804 TEST_P(SSLVersionTest, SSLClearFailsWithShedding) {
3805 shed_handshake_config_ = false;
3806 ASSERT_TRUE(Connect());
3807 ASSERT_TRUE(CompleteHandshakes(client_.get(), server_.get()));
3808
3809 // Reset everything.
3810 ASSERT_TRUE(SSL_clear(client_.get()));
3811 ASSERT_TRUE(SSL_clear(server_.get()));
3812
3813 // Now enable shedding, and connect a second time.
3814 shed_handshake_config_ = true;
3815 ASSERT_TRUE(Connect());
3816 ASSERT_TRUE(CompleteHandshakes(client_.get(), server_.get()));
3817
3818 // |SSL_clear| should now fail.
3819 ASSERT_FALSE(SSL_clear(client_.get()));
3820 ASSERT_FALSE(SSL_clear(server_.get()));
3821 }
3822
ChainsEqual(STACK_OF (X509)* chain,const std::vector<X509 * > & expected)3823 static bool ChainsEqual(STACK_OF(X509) * chain,
3824 const std::vector<X509 *> &expected) {
3825 if (sk_X509_num(chain) != expected.size()) {
3826 return false;
3827 }
3828
3829 for (size_t i = 0; i < expected.size(); i++) {
3830 if (X509_cmp(sk_X509_value(chain, i), expected[i]) != 0) {
3831 return false;
3832 }
3833 }
3834
3835 return true;
3836 }
3837
TEST_P(SSLVersionTest,AutoChain)3838 TEST_P(SSLVersionTest, AutoChain) {
3839 cert_ = GetChainTestCertificate();
3840 ASSERT_TRUE(cert_);
3841 key_ = GetChainTestKey();
3842 ASSERT_TRUE(key_);
3843 bssl::UniquePtr<X509> intermediate = GetChainTestIntermediate();
3844 ASSERT_TRUE(intermediate);
3845
3846 ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
3847 ASSERT_TRUE(UseCertAndKey(server_ctx_.get()));
3848
3849 // Configure both client and server to accept any certificate. Add
3850 // |intermediate| to the cert store.
3851 ASSERT_TRUE(X509_STORE_add_cert(SSL_CTX_get_cert_store(client_ctx_.get()),
3852 intermediate.get()));
3853 ASSERT_TRUE(X509_STORE_add_cert(SSL_CTX_get_cert_store(server_ctx_.get()),
3854 intermediate.get()));
3855 SSL_CTX_set_verify(client_ctx_.get(),
3856 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
3857 nullptr);
3858 SSL_CTX_set_verify(server_ctx_.get(),
3859 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
3860 nullptr);
3861 SSL_CTX_set_cert_verify_callback(client_ctx_.get(), VerifySucceed, NULL);
3862 SSL_CTX_set_cert_verify_callback(server_ctx_.get(), VerifySucceed, NULL);
3863
3864 // By default, the client and server should each only send the leaf.
3865 ASSERT_TRUE(Connect());
3866
3867 EXPECT_TRUE(
3868 ChainsEqual(SSL_get_peer_full_cert_chain(client_.get()), {cert_.get()}));
3869 EXPECT_TRUE(
3870 ChainsEqual(SSL_get_peer_full_cert_chain(server_.get()), {cert_.get()}));
3871
3872 // If auto-chaining is enabled, then the intermediate is sent.
3873 SSL_CTX_clear_mode(client_ctx_.get(), SSL_MODE_NO_AUTO_CHAIN);
3874 SSL_CTX_clear_mode(server_ctx_.get(), SSL_MODE_NO_AUTO_CHAIN);
3875 ASSERT_TRUE(Connect());
3876
3877 EXPECT_TRUE(ChainsEqual(SSL_get_peer_full_cert_chain(client_.get()),
3878 {cert_.get(), intermediate.get()}));
3879 EXPECT_TRUE(ChainsEqual(SSL_get_peer_full_cert_chain(server_.get()),
3880 {cert_.get(), intermediate.get()}));
3881
3882 // Auto-chaining does not override explicitly-configured intermediates.
3883 ASSERT_TRUE(SSL_CTX_add1_chain_cert(client_ctx_.get(), cert_.get()));
3884 ASSERT_TRUE(SSL_CTX_add1_chain_cert(server_ctx_.get(), cert_.get()));
3885 ASSERT_TRUE(Connect());
3886
3887 EXPECT_TRUE(ChainsEqual(SSL_get_peer_full_cert_chain(client_.get()),
3888 {cert_.get(), cert_.get()}));
3889
3890 EXPECT_TRUE(ChainsEqual(SSL_get_peer_full_cert_chain(server_.get()),
3891 {cert_.get(), cert_.get()}));
3892 }
3893
ExpectBadWriteRetry()3894 static bool ExpectBadWriteRetry() {
3895 int err = ERR_get_error();
3896 if (ERR_GET_LIB(err) != ERR_LIB_SSL ||
3897 ERR_GET_REASON(err) != SSL_R_BAD_WRITE_RETRY) {
3898 char buf[ERR_ERROR_STRING_BUF_LEN];
3899 ERR_error_string_n(err, buf, sizeof(buf));
3900 fprintf(stderr, "Wanted SSL_R_BAD_WRITE_RETRY, got: %s.\n", buf);
3901 return false;
3902 }
3903
3904 if (ERR_peek_error() != 0) {
3905 fprintf(stderr, "Unexpected error following SSL_R_BAD_WRITE_RETRY.\n");
3906 return false;
3907 }
3908
3909 return true;
3910 }
3911
TEST_P(SSLVersionTest,SSLWriteRetry)3912 TEST_P(SSLVersionTest, SSLWriteRetry) {
3913 if (is_dtls()) {
3914 return;
3915 }
3916
3917 for (bool enable_partial_write : {false, true}) {
3918 SCOPED_TRACE(enable_partial_write);
3919
3920 // Connect a client and server.
3921 ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
3922
3923 ASSERT_TRUE(Connect());
3924
3925 if (enable_partial_write) {
3926 SSL_set_mode(client_.get(), SSL_MODE_ENABLE_PARTIAL_WRITE);
3927 }
3928
3929 // Write without reading until the buffer is full and we have an unfinished
3930 // write. Keep a count so we may reread it again later. "hello!" will be
3931 // written in two chunks, "hello" and "!".
3932 char data[] = "hello!";
3933 static const int kChunkLen = 5; // The length of "hello".
3934 unsigned count = 0;
3935 for (;;) {
3936 int ret = SSL_write(client_.get(), data, kChunkLen);
3937 if (ret <= 0) {
3938 ASSERT_EQ(SSL_get_error(client_.get(), ret), SSL_ERROR_WANT_WRITE);
3939 break;
3940 }
3941
3942 ASSERT_EQ(ret, 5);
3943
3944 count++;
3945 }
3946
3947 // Retrying with the same parameters is legal.
3948 ASSERT_EQ(
3949 SSL_get_error(client_.get(), SSL_write(client_.get(), data, kChunkLen)),
3950 SSL_ERROR_WANT_WRITE);
3951
3952 // Retrying with the same buffer but shorter length is not legal.
3953 ASSERT_EQ(SSL_get_error(client_.get(),
3954 SSL_write(client_.get(), data, kChunkLen - 1)),
3955 SSL_ERROR_SSL);
3956 ASSERT_TRUE(ExpectBadWriteRetry());
3957
3958 // Retrying with a different buffer pointer is not legal.
3959 char data2[] = "hello";
3960 ASSERT_EQ(SSL_get_error(client_.get(),
3961 SSL_write(client_.get(), data2, kChunkLen)),
3962 SSL_ERROR_SSL);
3963 ASSERT_TRUE(ExpectBadWriteRetry());
3964
3965 // With |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER|, the buffer may move.
3966 SSL_set_mode(client_.get(), SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
3967 ASSERT_EQ(SSL_get_error(client_.get(),
3968 SSL_write(client_.get(), data2, kChunkLen)),
3969 SSL_ERROR_WANT_WRITE);
3970
3971 // |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER| does not disable length checks.
3972 ASSERT_EQ(SSL_get_error(client_.get(),
3973 SSL_write(client_.get(), data2, kChunkLen - 1)),
3974 SSL_ERROR_SSL);
3975 ASSERT_TRUE(ExpectBadWriteRetry());
3976
3977 // Retrying with a larger buffer is legal.
3978 ASSERT_EQ(SSL_get_error(client_.get(),
3979 SSL_write(client_.get(), data, kChunkLen + 1)),
3980 SSL_ERROR_WANT_WRITE);
3981
3982 // Drain the buffer.
3983 char buf[20];
3984 for (unsigned i = 0; i < count; i++) {
3985 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen);
3986 ASSERT_EQ(OPENSSL_memcmp(buf, "hello", kChunkLen), 0);
3987 }
3988
3989 // Now that there is space, a retry with a larger buffer should flush the
3990 // pending record, skip over that many bytes of input (on assumption they
3991 // are the same), and write the remainder. If SSL_MODE_ENABLE_PARTIAL_WRITE
3992 // is set, this will complete in two steps.
3993 char data3[] = "_____!";
3994 if (enable_partial_write) {
3995 ASSERT_EQ(SSL_write(client_.get(), data3, kChunkLen + 1), kChunkLen);
3996 ASSERT_EQ(SSL_write(client_.get(), data3 + kChunkLen, 1), 1);
3997 } else {
3998 ASSERT_EQ(SSL_write(client_.get(), data3, kChunkLen + 1), kChunkLen + 1);
3999 }
4000
4001 // Check the last write was correct. The data will be spread over two
4002 // records, so SSL_read returns twice.
4003 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen);
4004 ASSERT_EQ(OPENSSL_memcmp(buf, "hello", kChunkLen), 0);
4005 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), 1);
4006 ASSERT_EQ(buf[0], '!');
4007 }
4008 }
4009
TEST_P(SSLVersionTest,RecordCallback)4010 TEST_P(SSLVersionTest, RecordCallback) {
4011 for (bool test_server : {true, false}) {
4012 SCOPED_TRACE(test_server);
4013 ResetContexts();
4014
4015 bool read_seen = false;
4016 bool write_seen = false;
4017 auto cb = [&](int is_write, int cb_version, int cb_type, const void *buf,
4018 size_t len, SSL *ssl) {
4019 if (cb_type != SSL3_RT_HEADER) {
4020 return;
4021 }
4022
4023 // The callback does not report a version for records.
4024 EXPECT_EQ(0, cb_version);
4025
4026 if (is_write) {
4027 write_seen = true;
4028 } else {
4029 read_seen = true;
4030 }
4031
4032 // Sanity-check that the record header is plausible.
4033 CBS cbs;
4034 CBS_init(&cbs, reinterpret_cast<const uint8_t *>(buf), len);
4035 uint8_t type;
4036 uint16_t record_version, length;
4037 ASSERT_TRUE(CBS_get_u8(&cbs, &type));
4038 ASSERT_TRUE(CBS_get_u16(&cbs, &record_version));
4039 EXPECT_EQ(record_version & 0xff00, version() & 0xff00);
4040 if (is_dtls()) {
4041 uint16_t epoch;
4042 ASSERT_TRUE(CBS_get_u16(&cbs, &epoch));
4043 EXPECT_TRUE(epoch == 0 || epoch == 1) << "Invalid epoch: " << epoch;
4044 ASSERT_TRUE(CBS_skip(&cbs, 6));
4045 }
4046 ASSERT_TRUE(CBS_get_u16(&cbs, &length));
4047 EXPECT_EQ(0u, CBS_len(&cbs));
4048 };
4049 using CallbackType = decltype(cb);
4050 SSL_CTX *ctx = test_server ? server_ctx_.get() : client_ctx_.get();
4051 SSL_CTX_set_msg_callback(
4052 ctx, [](int is_write, int cb_version, int cb_type, const void *buf,
4053 size_t len, SSL *ssl, void *arg) {
4054 CallbackType *cb_ptr = reinterpret_cast<CallbackType *>(arg);
4055 (*cb_ptr)(is_write, cb_version, cb_type, buf, len, ssl);
4056 });
4057 SSL_CTX_set_msg_callback_arg(ctx, &cb);
4058
4059 ASSERT_TRUE(Connect());
4060
4061 EXPECT_TRUE(read_seen);
4062 EXPECT_TRUE(write_seen);
4063 }
4064 }
4065
TEST_P(SSLVersionTest,GetServerName)4066 TEST_P(SSLVersionTest, GetServerName) {
4067 ClientConfig config;
4068 config.servername = "host1";
4069
4070 SSL_CTX_set_tlsext_servername_callback(
4071 server_ctx_.get(), [](SSL *ssl, int *out_alert, void *arg) -> int {
4072 // During the handshake, |SSL_get_servername| must match |config|.
4073 ClientConfig *config_p = reinterpret_cast<ClientConfig *>(arg);
4074 EXPECT_STREQ(config_p->servername.c_str(),
4075 SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name));
4076 return SSL_TLSEXT_ERR_OK;
4077 });
4078 SSL_CTX_set_tlsext_servername_arg(server_ctx_.get(), &config);
4079
4080 ASSERT_TRUE(Connect(config));
4081 // After the handshake, it must also be available.
4082 EXPECT_STREQ(config.servername.c_str(),
4083 SSL_get_servername(server_.get(), TLSEXT_NAMETYPE_host_name));
4084
4085 // Establish a session under host1.
4086 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
4087 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
4088 bssl::UniquePtr<SSL_SESSION> session =
4089 CreateClientSession(client_ctx_.get(), server_ctx_.get(), config);
4090
4091 // If the client resumes a session with a different name, |SSL_get_servername|
4092 // must return the new name.
4093 ASSERT_TRUE(session);
4094 config.session = session.get();
4095 config.servername = "host2";
4096 ASSERT_TRUE(Connect(config));
4097 EXPECT_STREQ(config.servername.c_str(),
4098 SSL_get_servername(server_.get(), TLSEXT_NAMETYPE_host_name));
4099 }
4100
4101 // Test that session cache mode bits are honored in the client session callback.
TEST_P(SSLVersionTest,ClientSessionCacheMode)4102 TEST_P(SSLVersionTest, ClientSessionCacheMode) {
4103 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_OFF);
4104 EXPECT_FALSE(CreateClientSession(client_ctx_.get(), server_ctx_.get()));
4105
4106 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_CLIENT);
4107 EXPECT_TRUE(CreateClientSession(client_ctx_.get(), server_ctx_.get()));
4108
4109 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_SERVER);
4110 EXPECT_FALSE(CreateClientSession(client_ctx_.get(), server_ctx_.get()));
4111 }
4112
4113 // Test that all versions survive tiny write buffers. In particular, TLS 1.3
4114 // NewSessionTickets are written post-handshake. Servers that block
4115 // |SSL_do_handshake| on writing them will deadlock if clients are not draining
4116 // the buffer. Test that we do not do this.
TEST_P(SSLVersionTest,SmallBuffer)4117 TEST_P(SSLVersionTest, SmallBuffer) {
4118 // DTLS is a datagram protocol and requires packet-sized buffers.
4119 if (is_dtls()) {
4120 return;
4121 }
4122
4123 // Test both flushing NewSessionTickets with a zero-sized write and
4124 // non-zero-sized write.
4125 for (bool use_zero_write : {false, true}) {
4126 SCOPED_TRACE(use_zero_write);
4127
4128 g_last_session = nullptr;
4129 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
4130 SSL_CTX_sess_set_new_cb(client_ctx_.get(), SaveLastSession);
4131
4132 bssl::UniquePtr<SSL> client(SSL_new(client_ctx_.get())),
4133 server(SSL_new(server_ctx_.get()));
4134 ASSERT_TRUE(client);
4135 ASSERT_TRUE(server);
4136 SSL_set_connect_state(client.get());
4137 SSL_set_accept_state(server.get());
4138
4139 // Use a tiny buffer.
4140 BIO *bio1, *bio2;
4141 ASSERT_TRUE(BIO_new_bio_pair(&bio1, 1, &bio2, 1));
4142
4143 // SSL_set_bio takes ownership.
4144 SSL_set_bio(client.get(), bio1, bio1);
4145 SSL_set_bio(server.get(), bio2, bio2);
4146
4147 ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
4148 if (version() >= TLS1_3_VERSION) {
4149 // The post-handshake ticket should not have been processed yet.
4150 EXPECT_FALSE(g_last_session);
4151 }
4152
4153 if (use_zero_write) {
4154 ASSERT_TRUE(FlushNewSessionTickets(client.get(), server.get()));
4155 EXPECT_TRUE(g_last_session);
4156 }
4157
4158 // Send some data from server to client. If |use_zero_write| is false, this
4159 // will also flush the NewSessionTickets.
4160 static const char kMessage[] = "hello world";
4161 char buf[sizeof(kMessage)];
4162 for (;;) {
4163 int server_ret = SSL_write(server.get(), kMessage, sizeof(kMessage));
4164 int server_err = SSL_get_error(server.get(), server_ret);
4165 int client_ret = SSL_read(client.get(), buf, sizeof(buf));
4166 int client_err = SSL_get_error(client.get(), client_ret);
4167
4168 // The server will write a single record, so every iteration should see
4169 // |SSL_ERROR_WANT_WRITE| and |SSL_ERROR_WANT_READ|, until the final
4170 // iteration, where both will complete.
4171 if (server_ret > 0) {
4172 EXPECT_EQ(server_ret, static_cast<int>(sizeof(kMessage)));
4173 EXPECT_EQ(client_ret, static_cast<int>(sizeof(kMessage)));
4174 EXPECT_EQ(Bytes(buf), Bytes(kMessage));
4175 break;
4176 }
4177
4178 ASSERT_EQ(server_ret, -1);
4179 ASSERT_EQ(server_err, SSL_ERROR_WANT_WRITE);
4180 ASSERT_EQ(client_ret, -1);
4181 ASSERT_EQ(client_err, SSL_ERROR_WANT_READ);
4182 }
4183
4184 // The NewSessionTickets should have been flushed and processed.
4185 EXPECT_TRUE(g_last_session);
4186 }
4187 }
4188
TEST(SSLTest,AddChainCertHack)4189 TEST(SSLTest, AddChainCertHack) {
4190 // Ensure that we don't accidently break the hack that we have in place to
4191 // keep curl and serf happy when they use an |X509| even after transfering
4192 // ownership.
4193
4194 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
4195 ASSERT_TRUE(ctx);
4196 X509 *cert = GetTestCertificate().release();
4197 ASSERT_TRUE(cert);
4198 SSL_CTX_add0_chain_cert(ctx.get(), cert);
4199
4200 // This should not trigger a use-after-free.
4201 X509_cmp(cert, cert);
4202 }
4203
TEST(SSLTest,GetCertificate)4204 TEST(SSLTest, GetCertificate) {
4205 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
4206 ASSERT_TRUE(ctx);
4207 bssl::UniquePtr<X509> cert = GetTestCertificate();
4208 ASSERT_TRUE(cert);
4209 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), cert.get()));
4210 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
4211 ASSERT_TRUE(ssl);
4212
4213 X509 *cert2 = SSL_CTX_get0_certificate(ctx.get());
4214 ASSERT_TRUE(cert2);
4215 X509 *cert3 = SSL_get_certificate(ssl.get());
4216 ASSERT_TRUE(cert3);
4217
4218 // The old and new certificates must be identical.
4219 EXPECT_EQ(0, X509_cmp(cert.get(), cert2));
4220 EXPECT_EQ(0, X509_cmp(cert.get(), cert3));
4221
4222 uint8_t *der = nullptr;
4223 long der_len = i2d_X509(cert.get(), &der);
4224 ASSERT_LT(0, der_len);
4225 bssl::UniquePtr<uint8_t> free_der(der);
4226
4227 uint8_t *der2 = nullptr;
4228 long der2_len = i2d_X509(cert2, &der2);
4229 ASSERT_LT(0, der2_len);
4230 bssl::UniquePtr<uint8_t> free_der2(der2);
4231
4232 uint8_t *der3 = nullptr;
4233 long der3_len = i2d_X509(cert3, &der3);
4234 ASSERT_LT(0, der3_len);
4235 bssl::UniquePtr<uint8_t> free_der3(der3);
4236
4237 // They must also encode identically.
4238 EXPECT_EQ(Bytes(der, der_len), Bytes(der2, der2_len));
4239 EXPECT_EQ(Bytes(der, der_len), Bytes(der3, der3_len));
4240 }
4241
TEST(SSLTest,SetChainAndKeyMismatch)4242 TEST(SSLTest, SetChainAndKeyMismatch) {
4243 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_with_buffers_method()));
4244 ASSERT_TRUE(ctx);
4245
4246 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
4247 ASSERT_TRUE(key);
4248 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
4249 ASSERT_TRUE(leaf);
4250 std::vector<CRYPTO_BUFFER*> chain = {
4251 leaf.get(),
4252 };
4253
4254 // Should fail because |GetTestKey| doesn't match the chain-test certificate.
4255 ASSERT_FALSE(SSL_CTX_set_chain_and_key(ctx.get(), &chain[0], chain.size(),
4256 key.get(), nullptr));
4257 ERR_clear_error();
4258 }
4259
TEST(SSLTest,SetChainAndKey)4260 TEST(SSLTest, SetChainAndKey) {
4261 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method()));
4262 ASSERT_TRUE(client_ctx);
4263 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_with_buffers_method()));
4264 ASSERT_TRUE(server_ctx);
4265
4266 ASSERT_EQ(nullptr, SSL_CTX_get0_chain(server_ctx.get()));
4267
4268 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
4269 ASSERT_TRUE(key);
4270 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
4271 ASSERT_TRUE(leaf);
4272 bssl::UniquePtr<CRYPTO_BUFFER> intermediate =
4273 GetChainTestIntermediateBuffer();
4274 ASSERT_TRUE(intermediate);
4275 std::vector<CRYPTO_BUFFER*> chain = {
4276 leaf.get(), intermediate.get(),
4277 };
4278 ASSERT_TRUE(SSL_CTX_set_chain_and_key(server_ctx.get(), &chain[0],
4279 chain.size(), key.get(), nullptr));
4280
4281 ASSERT_EQ(chain.size(),
4282 sk_CRYPTO_BUFFER_num(SSL_CTX_get0_chain(server_ctx.get())));
4283
4284 SSL_CTX_set_custom_verify(
4285 client_ctx.get(), SSL_VERIFY_PEER,
4286 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
4287 return ssl_verify_ok;
4288 });
4289
4290 bssl::UniquePtr<SSL> client, server;
4291 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
4292 server_ctx.get()));
4293 }
4294
TEST(SSLTest,BuffersFailWithoutCustomVerify)4295 TEST(SSLTest, BuffersFailWithoutCustomVerify) {
4296 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method()));
4297 ASSERT_TRUE(client_ctx);
4298 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_with_buffers_method()));
4299 ASSERT_TRUE(server_ctx);
4300
4301 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
4302 ASSERT_TRUE(key);
4303 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
4304 ASSERT_TRUE(leaf);
4305 std::vector<CRYPTO_BUFFER*> chain = { leaf.get() };
4306 ASSERT_TRUE(SSL_CTX_set_chain_and_key(server_ctx.get(), &chain[0],
4307 chain.size(), key.get(), nullptr));
4308
4309 // Without SSL_CTX_set_custom_verify(), i.e. with everything in the default
4310 // configuration, certificate verification should fail.
4311 bssl::UniquePtr<SSL> client, server;
4312 ASSERT_FALSE(ConnectClientAndServer(&client, &server, client_ctx.get(),
4313 server_ctx.get()));
4314
4315 // Whereas with a verifier, the connection should succeed.
4316 SSL_CTX_set_custom_verify(
4317 client_ctx.get(), SSL_VERIFY_PEER,
4318 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
4319 return ssl_verify_ok;
4320 });
4321 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
4322 server_ctx.get()));
4323 }
4324
TEST(SSLTest,CustomVerify)4325 TEST(SSLTest, CustomVerify) {
4326 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method()));
4327 ASSERT_TRUE(client_ctx);
4328 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_with_buffers_method()));
4329 ASSERT_TRUE(server_ctx);
4330
4331 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
4332 ASSERT_TRUE(key);
4333 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
4334 ASSERT_TRUE(leaf);
4335 std::vector<CRYPTO_BUFFER*> chain = { leaf.get() };
4336 ASSERT_TRUE(SSL_CTX_set_chain_and_key(server_ctx.get(), &chain[0],
4337 chain.size(), key.get(), nullptr));
4338
4339 SSL_CTX_set_custom_verify(
4340 client_ctx.get(), SSL_VERIFY_PEER,
4341 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
4342 return ssl_verify_ok;
4343 });
4344
4345 bssl::UniquePtr<SSL> client, server;
4346 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
4347 server_ctx.get()));
4348
4349 // With SSL_VERIFY_PEER, ssl_verify_invalid should result in a dropped
4350 // connection.
4351 SSL_CTX_set_custom_verify(
4352 client_ctx.get(), SSL_VERIFY_PEER,
4353 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
4354 return ssl_verify_invalid;
4355 });
4356
4357 ASSERT_FALSE(ConnectClientAndServer(&client, &server, client_ctx.get(),
4358 server_ctx.get()));
4359
4360 // But with SSL_VERIFY_NONE, ssl_verify_invalid should not cause a dropped
4361 // connection.
4362 SSL_CTX_set_custom_verify(
4363 client_ctx.get(), SSL_VERIFY_NONE,
4364 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
4365 return ssl_verify_invalid;
4366 });
4367
4368 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
4369 server_ctx.get()));
4370 }
4371
TEST(SSLTest,ClientCABuffers)4372 TEST(SSLTest, ClientCABuffers) {
4373 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method()));
4374 ASSERT_TRUE(client_ctx);
4375 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_with_buffers_method()));
4376 ASSERT_TRUE(server_ctx);
4377
4378 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
4379 ASSERT_TRUE(key);
4380 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
4381 ASSERT_TRUE(leaf);
4382 bssl::UniquePtr<CRYPTO_BUFFER> intermediate =
4383 GetChainTestIntermediateBuffer();
4384 ASSERT_TRUE(intermediate);
4385 std::vector<CRYPTO_BUFFER *> chain = {
4386 leaf.get(),
4387 intermediate.get(),
4388 };
4389 ASSERT_TRUE(SSL_CTX_set_chain_and_key(server_ctx.get(), &chain[0],
4390 chain.size(), key.get(), nullptr));
4391
4392 bssl::UniquePtr<CRYPTO_BUFFER> ca_name(
4393 CRYPTO_BUFFER_new(kTestName, sizeof(kTestName), nullptr));
4394 ASSERT_TRUE(ca_name);
4395 bssl::UniquePtr<STACK_OF(CRYPTO_BUFFER)> ca_names(
4396 sk_CRYPTO_BUFFER_new_null());
4397 ASSERT_TRUE(ca_names);
4398 ASSERT_TRUE(PushToStack(ca_names.get(), std::move(ca_name)));
4399 SSL_CTX_set0_client_CAs(server_ctx.get(), ca_names.release());
4400
4401 // Configure client and server to accept all certificates.
4402 SSL_CTX_set_custom_verify(
4403 client_ctx.get(), SSL_VERIFY_PEER,
4404 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
4405 return ssl_verify_ok;
4406 });
4407 SSL_CTX_set_custom_verify(
4408 server_ctx.get(), SSL_VERIFY_PEER,
4409 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
4410 return ssl_verify_ok;
4411 });
4412
4413 bool cert_cb_called = false;
4414 SSL_CTX_set_cert_cb(
4415 client_ctx.get(),
4416 [](SSL *ssl, void *arg) -> int {
4417 const STACK_OF(CRYPTO_BUFFER) *peer_names =
4418 SSL_get0_server_requested_CAs(ssl);
4419 EXPECT_EQ(1u, sk_CRYPTO_BUFFER_num(peer_names));
4420 CRYPTO_BUFFER *peer_name = sk_CRYPTO_BUFFER_value(peer_names, 0);
4421 EXPECT_EQ(Bytes(kTestName), Bytes(CRYPTO_BUFFER_data(peer_name),
4422 CRYPTO_BUFFER_len(peer_name)));
4423 *reinterpret_cast<bool *>(arg) = true;
4424 return 1;
4425 },
4426 &cert_cb_called);
4427
4428 bssl::UniquePtr<SSL> client, server;
4429 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
4430 server_ctx.get()));
4431 EXPECT_TRUE(cert_cb_called);
4432 }
4433
4434 // Configuring the empty cipher list, though an error, should still modify the
4435 // configuration.
TEST(SSLTest,EmptyCipherList)4436 TEST(SSLTest, EmptyCipherList) {
4437 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
4438 ASSERT_TRUE(ctx);
4439
4440 // Initially, the cipher list is not empty.
4441 EXPECT_NE(0u, sk_SSL_CIPHER_num(SSL_CTX_get_ciphers(ctx.get())));
4442
4443 // Configuring the empty cipher list fails.
4444 EXPECT_FALSE(SSL_CTX_set_cipher_list(ctx.get(), ""));
4445 ERR_clear_error();
4446
4447 // But the cipher list is still updated to empty.
4448 EXPECT_EQ(0u, sk_SSL_CIPHER_num(SSL_CTX_get_ciphers(ctx.get())));
4449 }
4450
4451 // ssl_test_ticket_aead_failure_mode enumerates the possible ways in which the
4452 // test |SSL_TICKET_AEAD_METHOD| can fail.
4453 enum ssl_test_ticket_aead_failure_mode {
4454 ssl_test_ticket_aead_ok = 0,
4455 ssl_test_ticket_aead_seal_fail,
4456 ssl_test_ticket_aead_open_soft_fail,
4457 ssl_test_ticket_aead_open_hard_fail,
4458 };
4459
4460 struct ssl_test_ticket_aead_state {
4461 unsigned retry_count;
4462 ssl_test_ticket_aead_failure_mode failure_mode;
4463 };
4464
ssl_test_ticket_aead_ex_index_dup(CRYPTO_EX_DATA * to,const CRYPTO_EX_DATA * from,void ** from_d,int index,long argl,void * argp)4465 static int ssl_test_ticket_aead_ex_index_dup(CRYPTO_EX_DATA *to,
4466 const CRYPTO_EX_DATA *from,
4467 void **from_d, int index,
4468 long argl, void *argp) {
4469 abort();
4470 }
4471
ssl_test_ticket_aead_ex_index_free(void * parent,void * ptr,CRYPTO_EX_DATA * ad,int index,long argl,void * argp)4472 static void ssl_test_ticket_aead_ex_index_free(void *parent, void *ptr,
4473 CRYPTO_EX_DATA *ad, int index,
4474 long argl, void *argp) {
4475 auto state = reinterpret_cast<ssl_test_ticket_aead_state*>(ptr);
4476 if (state == nullptr) {
4477 return;
4478 }
4479
4480 OPENSSL_free(state);
4481 }
4482
4483 static CRYPTO_once_t g_ssl_test_ticket_aead_ex_index_once = CRYPTO_ONCE_INIT;
4484 static int g_ssl_test_ticket_aead_ex_index;
4485
ssl_test_ticket_aead_get_ex_index()4486 static int ssl_test_ticket_aead_get_ex_index() {
4487 CRYPTO_once(&g_ssl_test_ticket_aead_ex_index_once, [] {
4488 g_ssl_test_ticket_aead_ex_index = SSL_get_ex_new_index(
4489 0, nullptr, nullptr, ssl_test_ticket_aead_ex_index_dup,
4490 ssl_test_ticket_aead_ex_index_free);
4491 });
4492 return g_ssl_test_ticket_aead_ex_index;
4493 }
4494
ssl_test_ticket_aead_max_overhead(SSL * ssl)4495 static size_t ssl_test_ticket_aead_max_overhead(SSL *ssl) {
4496 return 1;
4497 }
4498
ssl_test_ticket_aead_seal(SSL * ssl,uint8_t * out,size_t * out_len,size_t max_out_len,const uint8_t * in,size_t in_len)4499 static int ssl_test_ticket_aead_seal(SSL *ssl, uint8_t *out, size_t *out_len,
4500 size_t max_out_len, const uint8_t *in,
4501 size_t in_len) {
4502 auto state = reinterpret_cast<ssl_test_ticket_aead_state *>(
4503 SSL_get_ex_data(ssl, ssl_test_ticket_aead_get_ex_index()));
4504
4505 if (state->failure_mode == ssl_test_ticket_aead_seal_fail ||
4506 max_out_len < in_len + 1) {
4507 return 0;
4508 }
4509
4510 OPENSSL_memmove(out, in, in_len);
4511 out[in_len] = 0xff;
4512 *out_len = in_len + 1;
4513
4514 return 1;
4515 }
4516
ssl_test_ticket_aead_open(SSL * ssl,uint8_t * out,size_t * out_len,size_t max_out_len,const uint8_t * in,size_t in_len)4517 static ssl_ticket_aead_result_t ssl_test_ticket_aead_open(
4518 SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out_len,
4519 const uint8_t *in, size_t in_len) {
4520 auto state = reinterpret_cast<ssl_test_ticket_aead_state *>(
4521 SSL_get_ex_data(ssl, ssl_test_ticket_aead_get_ex_index()));
4522
4523 if (state->retry_count > 0) {
4524 state->retry_count--;
4525 return ssl_ticket_aead_retry;
4526 }
4527
4528 switch (state->failure_mode) {
4529 case ssl_test_ticket_aead_ok:
4530 break;
4531 case ssl_test_ticket_aead_seal_fail:
4532 // If |seal| failed then there shouldn't be any ticket to try and
4533 // decrypt.
4534 abort();
4535 break;
4536 case ssl_test_ticket_aead_open_soft_fail:
4537 return ssl_ticket_aead_ignore_ticket;
4538 case ssl_test_ticket_aead_open_hard_fail:
4539 return ssl_ticket_aead_error;
4540 }
4541
4542 if (in_len == 0 || in[in_len - 1] != 0xff) {
4543 return ssl_ticket_aead_ignore_ticket;
4544 }
4545
4546 if (max_out_len < in_len - 1) {
4547 return ssl_ticket_aead_error;
4548 }
4549
4550 OPENSSL_memmove(out, in, in_len - 1);
4551 *out_len = in_len - 1;
4552 return ssl_ticket_aead_success;
4553 }
4554
4555 static const SSL_TICKET_AEAD_METHOD kSSLTestTicketMethod = {
4556 ssl_test_ticket_aead_max_overhead,
4557 ssl_test_ticket_aead_seal,
4558 ssl_test_ticket_aead_open,
4559 };
4560
ConnectClientAndServerWithTicketMethod(bssl::UniquePtr<SSL> * out_client,bssl::UniquePtr<SSL> * out_server,SSL_CTX * client_ctx,SSL_CTX * server_ctx,unsigned retry_count,ssl_test_ticket_aead_failure_mode failure_mode,SSL_SESSION * session)4561 static void ConnectClientAndServerWithTicketMethod(
4562 bssl::UniquePtr<SSL> *out_client, bssl::UniquePtr<SSL> *out_server,
4563 SSL_CTX *client_ctx, SSL_CTX *server_ctx, unsigned retry_count,
4564 ssl_test_ticket_aead_failure_mode failure_mode, SSL_SESSION *session) {
4565 bssl::UniquePtr<SSL> client(SSL_new(client_ctx)), server(SSL_new(server_ctx));
4566 ASSERT_TRUE(client);
4567 ASSERT_TRUE(server);
4568 SSL_set_connect_state(client.get());
4569 SSL_set_accept_state(server.get());
4570
4571 auto state = reinterpret_cast<ssl_test_ticket_aead_state *>(
4572 OPENSSL_malloc(sizeof(ssl_test_ticket_aead_state)));
4573 ASSERT_TRUE(state);
4574 OPENSSL_memset(state, 0, sizeof(ssl_test_ticket_aead_state));
4575 state->retry_count = retry_count;
4576 state->failure_mode = failure_mode;
4577
4578 ASSERT_TRUE(SSL_set_ex_data(server.get(), ssl_test_ticket_aead_get_ex_index(),
4579 state));
4580
4581 SSL_set_session(client.get(), session);
4582
4583 BIO *bio1, *bio2;
4584 ASSERT_TRUE(BIO_new_bio_pair(&bio1, 0, &bio2, 0));
4585
4586 // SSL_set_bio takes ownership.
4587 SSL_set_bio(client.get(), bio1, bio1);
4588 SSL_set_bio(server.get(), bio2, bio2);
4589
4590 if (CompleteHandshakes(client.get(), server.get())) {
4591 *out_client = std::move(client);
4592 *out_server = std::move(server);
4593 } else {
4594 out_client->reset();
4595 out_server->reset();
4596 }
4597 }
4598
4599 using TicketAEADMethodParam =
4600 testing::tuple<uint16_t, unsigned, ssl_test_ticket_aead_failure_mode>;
4601
4602 class TicketAEADMethodTest
4603 : public ::testing::TestWithParam<TicketAEADMethodParam> {};
4604
TEST_P(TicketAEADMethodTest,Resume)4605 TEST_P(TicketAEADMethodTest, Resume) {
4606 bssl::UniquePtr<SSL_CTX> server_ctx =
4607 CreateContextWithTestCertificate(TLS_method());
4608 ASSERT_TRUE(server_ctx);
4609 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
4610 ASSERT_TRUE(client_ctx);
4611
4612 const uint16_t version = testing::get<0>(GetParam());
4613 const unsigned retry_count = testing::get<1>(GetParam());
4614 const ssl_test_ticket_aead_failure_mode failure_mode =
4615 testing::get<2>(GetParam());
4616
4617 ASSERT_TRUE(SSL_CTX_set_min_proto_version(client_ctx.get(), version));
4618 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), version));
4619 ASSERT_TRUE(SSL_CTX_set_min_proto_version(server_ctx.get(), version));
4620 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), version));
4621
4622 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
4623 SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH);
4624 SSL_CTX_set_current_time_cb(client_ctx.get(), FrozenTimeCallback);
4625 SSL_CTX_set_current_time_cb(server_ctx.get(), FrozenTimeCallback);
4626 SSL_CTX_sess_set_new_cb(client_ctx.get(), SaveLastSession);
4627
4628 SSL_CTX_set_ticket_aead_method(server_ctx.get(), &kSSLTestTicketMethod);
4629
4630 bssl::UniquePtr<SSL> client, server;
4631 ConnectClientAndServerWithTicketMethod(&client, &server, client_ctx.get(),
4632 server_ctx.get(), retry_count,
4633 failure_mode, nullptr);
4634 switch (failure_mode) {
4635 case ssl_test_ticket_aead_ok:
4636 case ssl_test_ticket_aead_open_hard_fail:
4637 case ssl_test_ticket_aead_open_soft_fail:
4638 ASSERT_TRUE(client);
4639 break;
4640 case ssl_test_ticket_aead_seal_fail:
4641 EXPECT_FALSE(client);
4642 return;
4643 }
4644 EXPECT_FALSE(SSL_session_reused(client.get()));
4645 EXPECT_FALSE(SSL_session_reused(server.get()));
4646
4647 ASSERT_TRUE(FlushNewSessionTickets(client.get(), server.get()));
4648 bssl::UniquePtr<SSL_SESSION> session = std::move(g_last_session);
4649 ConnectClientAndServerWithTicketMethod(&client, &server, client_ctx.get(),
4650 server_ctx.get(), retry_count,
4651 failure_mode, session.get());
4652 switch (failure_mode) {
4653 case ssl_test_ticket_aead_ok:
4654 ASSERT_TRUE(client);
4655 EXPECT_TRUE(SSL_session_reused(client.get()));
4656 EXPECT_TRUE(SSL_session_reused(server.get()));
4657 break;
4658 case ssl_test_ticket_aead_seal_fail:
4659 abort();
4660 break;
4661 case ssl_test_ticket_aead_open_hard_fail:
4662 EXPECT_FALSE(client);
4663 break;
4664 case ssl_test_ticket_aead_open_soft_fail:
4665 ASSERT_TRUE(client);
4666 EXPECT_FALSE(SSL_session_reused(client.get()));
4667 EXPECT_FALSE(SSL_session_reused(server.get()));
4668 }
4669 }
4670
TicketAEADMethodParamToString(const testing::TestParamInfo<TicketAEADMethodParam> & params)4671 std::string TicketAEADMethodParamToString(
4672 const testing::TestParamInfo<TicketAEADMethodParam> ¶ms) {
4673 std::string ret = GetVersionName(std::get<0>(params.param));
4674 // GTest only allows alphanumeric characters and '_' in the parameter
4675 // string. Additionally filter out the 'v' to get "TLS13" over "TLSv13".
4676 for (auto it = ret.begin(); it != ret.end();) {
4677 if (*it == '.' || *it == 'v') {
4678 it = ret.erase(it);
4679 } else {
4680 ++it;
4681 }
4682 }
4683 char retry_count[256];
4684 snprintf(retry_count, sizeof(retry_count), "%d", std::get<1>(params.param));
4685 ret += "_";
4686 ret += retry_count;
4687 ret += "Retries_";
4688 switch (std::get<2>(params.param)) {
4689 case ssl_test_ticket_aead_ok:
4690 ret += "OK";
4691 break;
4692 case ssl_test_ticket_aead_seal_fail:
4693 ret += "SealFail";
4694 break;
4695 case ssl_test_ticket_aead_open_soft_fail:
4696 ret += "OpenSoftFail";
4697 break;
4698 case ssl_test_ticket_aead_open_hard_fail:
4699 ret += "OpenHardFail";
4700 break;
4701 }
4702 return ret;
4703 }
4704
4705 INSTANTIATE_TEST_SUITE_P(
4706 TicketAEADMethodTests, TicketAEADMethodTest,
4707 testing::Combine(testing::Values(TLS1_2_VERSION, TLS1_3_VERSION),
4708 testing::Values(0, 1, 2),
4709 testing::Values(ssl_test_ticket_aead_ok,
4710 ssl_test_ticket_aead_seal_fail,
4711 ssl_test_ticket_aead_open_soft_fail,
4712 ssl_test_ticket_aead_open_hard_fail)),
4713 TicketAEADMethodParamToString);
4714
TEST(SSLTest,SelectNextProto)4715 TEST(SSLTest, SelectNextProto) {
4716 uint8_t *result;
4717 uint8_t result_len;
4718
4719 // If there is an overlap, it should be returned.
4720 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
4721 SSL_select_next_proto(&result, &result_len,
4722 (const uint8_t *)"\1a\2bb\3ccc", 9,
4723 (const uint8_t *)"\1x\1y\1a\1z", 8));
4724 EXPECT_EQ(Bytes("a"), Bytes(result, result_len));
4725
4726 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
4727 SSL_select_next_proto(&result, &result_len,
4728 (const uint8_t *)"\1a\2bb\3ccc", 9,
4729 (const uint8_t *)"\1x\1y\2bb\1z", 9));
4730 EXPECT_EQ(Bytes("bb"), Bytes(result, result_len));
4731
4732 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
4733 SSL_select_next_proto(&result, &result_len,
4734 (const uint8_t *)"\1a\2bb\3ccc", 9,
4735 (const uint8_t *)"\1x\1y\3ccc\1z", 10));
4736 EXPECT_EQ(Bytes("ccc"), Bytes(result, result_len));
4737
4738 // Peer preference order takes precedence over local.
4739 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
4740 SSL_select_next_proto(&result, &result_len,
4741 (const uint8_t *)"\1a\2bb\3ccc", 9,
4742 (const uint8_t *)"\3ccc\2bb\1a", 9));
4743 EXPECT_EQ(Bytes("a"), Bytes(result, result_len));
4744
4745 // If there is no overlap, return the first local protocol.
4746 EXPECT_EQ(OPENSSL_NPN_NO_OVERLAP,
4747 SSL_select_next_proto(&result, &result_len,
4748 (const uint8_t *)"\1a\2bb\3ccc", 9,
4749 (const uint8_t *)"\1x\2yy\3zzz", 9));
4750 EXPECT_EQ(Bytes("x"), Bytes(result, result_len));
4751
4752 EXPECT_EQ(OPENSSL_NPN_NO_OVERLAP,
4753 SSL_select_next_proto(&result, &result_len, nullptr, 0,
4754 (const uint8_t *)"\1x\2yy\3zzz", 9));
4755 EXPECT_EQ(Bytes("x"), Bytes(result, result_len));
4756 }
4757
TEST(SSLTest,SealRecord)4758 TEST(SSLTest, SealRecord) {
4759 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLSv1_2_method())),
4760 server_ctx(CreateContextWithTestCertificate(TLSv1_2_method()));
4761 ASSERT_TRUE(client_ctx);
4762 ASSERT_TRUE(server_ctx);
4763
4764 bssl::UniquePtr<SSL> client, server;
4765 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
4766 server_ctx.get()));
4767
4768 const std::vector<uint8_t> record = {1, 2, 3, 4, 5};
4769 std::vector<uint8_t> prefix(
4770 bssl::SealRecordPrefixLen(client.get(), record.size())),
4771 body(record.size()),
4772 suffix(bssl::SealRecordSuffixLen(client.get(), record.size()));
4773 ASSERT_TRUE(bssl::SealRecord(client.get(), bssl::MakeSpan(prefix),
4774 bssl::MakeSpan(body), bssl::MakeSpan(suffix),
4775 record));
4776
4777 std::vector<uint8_t> sealed;
4778 sealed.insert(sealed.end(), prefix.begin(), prefix.end());
4779 sealed.insert(sealed.end(), body.begin(), body.end());
4780 sealed.insert(sealed.end(), suffix.begin(), suffix.end());
4781 std::vector<uint8_t> sealed_copy = sealed;
4782
4783 bssl::Span<uint8_t> plaintext;
4784 size_t record_len;
4785 uint8_t alert = 255;
4786 EXPECT_EQ(bssl::OpenRecord(server.get(), &plaintext, &record_len, &alert,
4787 bssl::MakeSpan(sealed)),
4788 bssl::OpenRecordResult::kOK);
4789 EXPECT_EQ(record_len, sealed.size());
4790 EXPECT_EQ(plaintext, record);
4791 EXPECT_EQ(255, alert);
4792 }
4793
TEST(SSLTest,SealRecordInPlace)4794 TEST(SSLTest, SealRecordInPlace) {
4795 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLSv1_2_method())),
4796 server_ctx(CreateContextWithTestCertificate(TLSv1_2_method()));
4797 ASSERT_TRUE(client_ctx);
4798 ASSERT_TRUE(server_ctx);
4799
4800 bssl::UniquePtr<SSL> client, server;
4801 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
4802 server_ctx.get()));
4803
4804 const std::vector<uint8_t> plaintext = {1, 2, 3, 4, 5};
4805 std::vector<uint8_t> record = plaintext;
4806 std::vector<uint8_t> prefix(
4807 bssl::SealRecordPrefixLen(client.get(), record.size())),
4808 suffix(bssl::SealRecordSuffixLen(client.get(), record.size()));
4809 ASSERT_TRUE(bssl::SealRecord(client.get(), bssl::MakeSpan(prefix),
4810 bssl::MakeSpan(record), bssl::MakeSpan(suffix),
4811 record));
4812 record.insert(record.begin(), prefix.begin(), prefix.end());
4813 record.insert(record.end(), suffix.begin(), suffix.end());
4814
4815 bssl::Span<uint8_t> result;
4816 size_t record_len;
4817 uint8_t alert;
4818 EXPECT_EQ(bssl::OpenRecord(server.get(), &result, &record_len, &alert,
4819 bssl::MakeSpan(record)),
4820 bssl::OpenRecordResult::kOK);
4821 EXPECT_EQ(record_len, record.size());
4822 EXPECT_EQ(plaintext, result);
4823 }
4824
TEST(SSLTest,SealRecordTrailingData)4825 TEST(SSLTest, SealRecordTrailingData) {
4826 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLSv1_2_method())),
4827 server_ctx(CreateContextWithTestCertificate(TLSv1_2_method()));
4828 ASSERT_TRUE(client_ctx);
4829 ASSERT_TRUE(server_ctx);
4830
4831 bssl::UniquePtr<SSL> client, server;
4832 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
4833 server_ctx.get()));
4834
4835 const std::vector<uint8_t> plaintext = {1, 2, 3, 4, 5};
4836 std::vector<uint8_t> record = plaintext;
4837 std::vector<uint8_t> prefix(
4838 bssl::SealRecordPrefixLen(client.get(), record.size())),
4839 suffix(bssl::SealRecordSuffixLen(client.get(), record.size()));
4840 ASSERT_TRUE(bssl::SealRecord(client.get(), bssl::MakeSpan(prefix),
4841 bssl::MakeSpan(record), bssl::MakeSpan(suffix),
4842 record));
4843 record.insert(record.begin(), prefix.begin(), prefix.end());
4844 record.insert(record.end(), suffix.begin(), suffix.end());
4845 record.insert(record.end(), {5, 4, 3, 2, 1});
4846
4847 bssl::Span<uint8_t> result;
4848 size_t record_len;
4849 uint8_t alert;
4850 EXPECT_EQ(bssl::OpenRecord(server.get(), &result, &record_len, &alert,
4851 bssl::MakeSpan(record)),
4852 bssl::OpenRecordResult::kOK);
4853 EXPECT_EQ(record_len, record.size() - 5);
4854 EXPECT_EQ(plaintext, result);
4855 }
4856
TEST(SSLTest,SealRecordInvalidSpanSize)4857 TEST(SSLTest, SealRecordInvalidSpanSize) {
4858 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLSv1_2_method())),
4859 server_ctx(CreateContextWithTestCertificate(TLSv1_2_method()));
4860 ASSERT_TRUE(client_ctx);
4861 ASSERT_TRUE(server_ctx);
4862
4863 bssl::UniquePtr<SSL> client, server;
4864 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
4865 server_ctx.get()));
4866
4867 std::vector<uint8_t> record = {1, 2, 3, 4, 5};
4868 std::vector<uint8_t> prefix(
4869 bssl::SealRecordPrefixLen(client.get(), record.size())),
4870 body(record.size()),
4871 suffix(bssl::SealRecordSuffixLen(client.get(), record.size()));
4872
4873 auto expect_err = []() {
4874 int err = ERR_get_error();
4875 EXPECT_EQ(ERR_GET_LIB(err), ERR_LIB_SSL);
4876 EXPECT_EQ(ERR_GET_REASON(err), SSL_R_BUFFER_TOO_SMALL);
4877 ERR_clear_error();
4878 };
4879 EXPECT_FALSE(bssl::SealRecord(
4880 client.get(), bssl::MakeSpan(prefix.data(), prefix.size() - 1),
4881 bssl::MakeSpan(record), bssl::MakeSpan(suffix), record));
4882 expect_err();
4883 EXPECT_FALSE(bssl::SealRecord(
4884 client.get(), bssl::MakeSpan(prefix.data(), prefix.size() + 1),
4885 bssl::MakeSpan(record), bssl::MakeSpan(suffix), record));
4886 expect_err();
4887
4888 EXPECT_FALSE(
4889 bssl::SealRecord(client.get(), bssl::MakeSpan(prefix),
4890 bssl::MakeSpan(record.data(), record.size() - 1),
4891 bssl::MakeSpan(suffix), record));
4892 expect_err();
4893 EXPECT_FALSE(
4894 bssl::SealRecord(client.get(), bssl::MakeSpan(prefix),
4895 bssl::MakeSpan(record.data(), record.size() + 1),
4896 bssl::MakeSpan(suffix), record));
4897 expect_err();
4898
4899 EXPECT_FALSE(bssl::SealRecord(
4900 client.get(), bssl::MakeSpan(prefix), bssl::MakeSpan(record),
4901 bssl::MakeSpan(suffix.data(), suffix.size() - 1), record));
4902 expect_err();
4903 EXPECT_FALSE(bssl::SealRecord(
4904 client.get(), bssl::MakeSpan(prefix), bssl::MakeSpan(record),
4905 bssl::MakeSpan(suffix.data(), suffix.size() + 1), record));
4906 expect_err();
4907 }
4908
4909 // The client should gracefully handle no suitable ciphers being enabled.
TEST(SSLTest,NoCiphersAvailable)4910 TEST(SSLTest, NoCiphersAvailable) {
4911 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
4912 ASSERT_TRUE(ctx);
4913
4914 // Configure |client_ctx| with a cipher list that does not intersect with its
4915 // version configuration.
4916 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(
4917 ctx.get(), "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"));
4918 ASSERT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_1_VERSION));
4919
4920 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
4921 ASSERT_TRUE(ssl);
4922 SSL_set_connect_state(ssl.get());
4923
4924 UniquePtr<BIO> rbio(BIO_new(BIO_s_mem())), wbio(BIO_new(BIO_s_mem()));
4925 ASSERT_TRUE(rbio);
4926 ASSERT_TRUE(wbio);
4927 SSL_set0_rbio(ssl.get(), rbio.release());
4928 SSL_set0_wbio(ssl.get(), wbio.release());
4929
4930 int ret = SSL_do_handshake(ssl.get());
4931 EXPECT_EQ(-1, ret);
4932 EXPECT_EQ(SSL_ERROR_SSL, SSL_get_error(ssl.get(), ret));
4933 uint32_t err = ERR_get_error();
4934 EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err));
4935 EXPECT_EQ(SSL_R_NO_CIPHERS_AVAILABLE, ERR_GET_REASON(err));
4936 }
4937
TEST_P(SSLVersionTest,SessionVersion)4938 TEST_P(SSLVersionTest, SessionVersion) {
4939 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
4940 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
4941
4942 bssl::UniquePtr<SSL_SESSION> session =
4943 CreateClientSession(client_ctx_.get(), server_ctx_.get());
4944 ASSERT_TRUE(session);
4945 EXPECT_EQ(version(), SSL_SESSION_get_protocol_version(session.get()));
4946
4947 // Sessions in TLS 1.3 and later should be single-use.
4948 EXPECT_EQ(version() == TLS1_3_VERSION,
4949 !!SSL_SESSION_should_be_single_use(session.get()));
4950
4951 // Making fake sessions for testing works.
4952 session.reset(SSL_SESSION_new(client_ctx_.get()));
4953 ASSERT_TRUE(session);
4954 ASSERT_TRUE(SSL_SESSION_set_protocol_version(session.get(), version()));
4955 EXPECT_EQ(version(), SSL_SESSION_get_protocol_version(session.get()));
4956 }
4957
TEST_P(SSLVersionTest,SSLPending)4958 TEST_P(SSLVersionTest, SSLPending) {
4959 UniquePtr<SSL> ssl(SSL_new(client_ctx_.get()));
4960 ASSERT_TRUE(ssl);
4961 EXPECT_EQ(0, SSL_pending(ssl.get()));
4962
4963 ASSERT_TRUE(Connect());
4964 EXPECT_EQ(0, SSL_pending(client_.get()));
4965
4966 ASSERT_EQ(5, SSL_write(server_.get(), "hello", 5));
4967 ASSERT_EQ(5, SSL_write(server_.get(), "world", 5));
4968 EXPECT_EQ(0, SSL_pending(client_.get()));
4969
4970 char buf[10];
4971 ASSERT_EQ(1, SSL_peek(client_.get(), buf, 1));
4972 EXPECT_EQ(5, SSL_pending(client_.get()));
4973
4974 ASSERT_EQ(1, SSL_read(client_.get(), buf, 1));
4975 EXPECT_EQ(4, SSL_pending(client_.get()));
4976
4977 ASSERT_EQ(4, SSL_read(client_.get(), buf, 10));
4978 EXPECT_EQ(0, SSL_pending(client_.get()));
4979
4980 ASSERT_EQ(2, SSL_read(client_.get(), buf, 2));
4981 EXPECT_EQ(3, SSL_pending(client_.get()));
4982 }
4983
4984 // Test that post-handshake tickets consumed by |SSL_shutdown| are ignored.
TEST(SSLTest,ShutdownIgnoresTickets)4985 TEST(SSLTest, ShutdownIgnoresTickets) {
4986 bssl::UniquePtr<SSL_CTX> ctx(CreateContextWithTestCertificate(TLS_method()));
4987 ASSERT_TRUE(ctx);
4988 ASSERT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_3_VERSION));
4989 ASSERT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_3_VERSION));
4990
4991 SSL_CTX_set_session_cache_mode(ctx.get(), SSL_SESS_CACHE_BOTH);
4992
4993 bssl::UniquePtr<SSL> client, server;
4994 ASSERT_TRUE(ConnectClientAndServer(&client, &server, ctx.get(), ctx.get()));
4995
4996 SSL_CTX_sess_set_new_cb(ctx.get(), [](SSL *ssl, SSL_SESSION *session) -> int {
4997 ADD_FAILURE() << "New session callback called during SSL_shutdown";
4998 return 0;
4999 });
5000
5001 // Send close_notify.
5002 EXPECT_EQ(0, SSL_shutdown(server.get()));
5003 EXPECT_EQ(0, SSL_shutdown(client.get()));
5004
5005 // Receive close_notify.
5006 EXPECT_EQ(1, SSL_shutdown(server.get()));
5007 EXPECT_EQ(1, SSL_shutdown(client.get()));
5008 }
5009
TEST(SSLTest,SignatureAlgorithmProperties)5010 TEST(SSLTest, SignatureAlgorithmProperties) {
5011 EXPECT_EQ(EVP_PKEY_NONE, SSL_get_signature_algorithm_key_type(0x1234));
5012 EXPECT_EQ(nullptr, SSL_get_signature_algorithm_digest(0x1234));
5013 EXPECT_FALSE(SSL_is_signature_algorithm_rsa_pss(0x1234));
5014
5015 EXPECT_EQ(EVP_PKEY_RSA,
5016 SSL_get_signature_algorithm_key_type(SSL_SIGN_RSA_PKCS1_MD5_SHA1));
5017 EXPECT_EQ(EVP_md5_sha1(),
5018 SSL_get_signature_algorithm_digest(SSL_SIGN_RSA_PKCS1_MD5_SHA1));
5019 EXPECT_FALSE(SSL_is_signature_algorithm_rsa_pss(SSL_SIGN_RSA_PKCS1_MD5_SHA1));
5020
5021 EXPECT_EQ(EVP_PKEY_EC, SSL_get_signature_algorithm_key_type(
5022 SSL_SIGN_ECDSA_SECP256R1_SHA256));
5023 EXPECT_EQ(EVP_sha256(), SSL_get_signature_algorithm_digest(
5024 SSL_SIGN_ECDSA_SECP256R1_SHA256));
5025 EXPECT_FALSE(
5026 SSL_is_signature_algorithm_rsa_pss(SSL_SIGN_ECDSA_SECP256R1_SHA256));
5027
5028 EXPECT_EQ(EVP_PKEY_RSA,
5029 SSL_get_signature_algorithm_key_type(SSL_SIGN_RSA_PSS_RSAE_SHA384));
5030 EXPECT_EQ(EVP_sha384(),
5031 SSL_get_signature_algorithm_digest(SSL_SIGN_RSA_PSS_RSAE_SHA384));
5032 EXPECT_TRUE(SSL_is_signature_algorithm_rsa_pss(SSL_SIGN_RSA_PSS_RSAE_SHA384));
5033 }
5034
XORCompressFunc(SSL * ssl,CBB * out,const uint8_t * in,size_t in_len)5035 static int XORCompressFunc(SSL *ssl, CBB *out, const uint8_t *in,
5036 size_t in_len) {
5037 for (size_t i = 0; i < in_len; i++) {
5038 if (!CBB_add_u8(out, in[i] ^ 0x55)) {
5039 return 0;
5040 }
5041 }
5042
5043 SSL_set_app_data(ssl, XORCompressFunc);
5044
5045 return 1;
5046 }
5047
XORDecompressFunc(SSL * ssl,CRYPTO_BUFFER ** out,size_t uncompressed_len,const uint8_t * in,size_t in_len)5048 static int XORDecompressFunc(SSL *ssl, CRYPTO_BUFFER **out,
5049 size_t uncompressed_len, const uint8_t *in,
5050 size_t in_len) {
5051 if (in_len != uncompressed_len) {
5052 return 0;
5053 }
5054
5055 uint8_t *data;
5056 *out = CRYPTO_BUFFER_alloc(&data, uncompressed_len);
5057 if (*out == nullptr) {
5058 return 0;
5059 }
5060
5061 for (size_t i = 0; i < in_len; i++) {
5062 data[i] = in[i] ^ 0x55;
5063 }
5064
5065 SSL_set_app_data(ssl, XORDecompressFunc);
5066
5067 return 1;
5068 }
5069
TEST(SSLTest,CertCompression)5070 TEST(SSLTest, CertCompression) {
5071 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
5072 bssl::UniquePtr<SSL_CTX> server_ctx(
5073 CreateContextWithTestCertificate(TLS_method()));
5074 ASSERT_TRUE(client_ctx);
5075 ASSERT_TRUE(server_ctx);
5076
5077 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION));
5078 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
5079 ASSERT_TRUE(SSL_CTX_add_cert_compression_alg(
5080 client_ctx.get(), 0x1234, XORCompressFunc, XORDecompressFunc));
5081 ASSERT_TRUE(SSL_CTX_add_cert_compression_alg(
5082 server_ctx.get(), 0x1234, XORCompressFunc, XORDecompressFunc));
5083
5084 bssl::UniquePtr<SSL> client, server;
5085 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
5086 server_ctx.get()));
5087
5088 EXPECT_TRUE(SSL_get_app_data(client.get()) == XORDecompressFunc);
5089 EXPECT_TRUE(SSL_get_app_data(server.get()) == XORCompressFunc);
5090 }
5091
MoveBIOs(SSL * dest,SSL * src)5092 void MoveBIOs(SSL *dest, SSL *src) {
5093 BIO *rbio = SSL_get_rbio(src);
5094 BIO_up_ref(rbio);
5095 SSL_set0_rbio(dest, rbio);
5096
5097 BIO *wbio = SSL_get_wbio(src);
5098 BIO_up_ref(wbio);
5099 SSL_set0_wbio(dest, wbio);
5100
5101 SSL_set0_rbio(src, nullptr);
5102 SSL_set0_wbio(src, nullptr);
5103 }
5104
TEST(SSLTest,Handoff)5105 TEST(SSLTest, Handoff) {
5106 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
5107 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
5108 bssl::UniquePtr<SSL_CTX> handshaker_ctx(
5109 CreateContextWithTestCertificate(TLS_method()));
5110 ASSERT_TRUE(client_ctx);
5111 ASSERT_TRUE(server_ctx);
5112 ASSERT_TRUE(handshaker_ctx);
5113
5114 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_CLIENT);
5115 SSL_CTX_sess_set_new_cb(client_ctx.get(), SaveLastSession);
5116 SSL_CTX_set_handoff_mode(server_ctx.get(), 1);
5117 uint8_t keys[48];
5118 SSL_CTX_get_tlsext_ticket_keys(server_ctx.get(), &keys, sizeof(keys));
5119 SSL_CTX_set_tlsext_ticket_keys(handshaker_ctx.get(), &keys, sizeof(keys));
5120
5121 for (bool early_data : {false, true}) {
5122 SCOPED_TRACE(early_data);
5123 for (bool is_resume : {false, true}) {
5124 SCOPED_TRACE(is_resume);
5125 bssl::UniquePtr<SSL> client, server;
5126 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
5127 server_ctx.get()));
5128 SSL_set_early_data_enabled(client.get(), early_data);
5129 if (is_resume) {
5130 ASSERT_TRUE(g_last_session);
5131 SSL_set_session(client.get(), g_last_session.get());
5132 if (early_data) {
5133 EXPECT_GT(g_last_session->ticket_max_early_data, 0u);
5134 }
5135 }
5136
5137
5138 int client_ret = SSL_do_handshake(client.get());
5139 int client_err = SSL_get_error(client.get(), client_ret);
5140
5141 uint8_t byte_written;
5142 if (early_data && is_resume) {
5143 ASSERT_EQ(client_err, 0);
5144 EXPECT_TRUE(SSL_in_early_data(client.get()));
5145 // Attempt to write early data.
5146 byte_written = 43;
5147 EXPECT_EQ(SSL_write(client.get(), &byte_written, 1), 1);
5148 } else {
5149 ASSERT_EQ(client_err, SSL_ERROR_WANT_READ);
5150 }
5151
5152 int server_ret = SSL_do_handshake(server.get());
5153 int server_err = SSL_get_error(server.get(), server_ret);
5154 ASSERT_EQ(server_err, SSL_ERROR_HANDOFF);
5155
5156 ScopedCBB cbb;
5157 Array<uint8_t> handoff;
5158 SSL_CLIENT_HELLO hello;
5159 ASSERT_TRUE(CBB_init(cbb.get(), 256));
5160 ASSERT_TRUE(SSL_serialize_handoff(server.get(), cbb.get(), &hello));
5161 ASSERT_TRUE(CBBFinishArray(cbb.get(), &handoff));
5162
5163 bssl::UniquePtr<SSL> handshaker(SSL_new(handshaker_ctx.get()));
5164 // Note split handshakes determines 0-RTT support, for both the current
5165 // handshake and newly-issued tickets, entirely by |handshaker|. There is
5166 // no need to call |SSL_set_early_data_enabled| on |server|.
5167 SSL_set_early_data_enabled(handshaker.get(), 1);
5168 ASSERT_TRUE(SSL_apply_handoff(handshaker.get(), handoff));
5169
5170 MoveBIOs(handshaker.get(), server.get());
5171
5172 int handshake_ret = SSL_do_handshake(handshaker.get());
5173 int handshake_err = SSL_get_error(handshaker.get(), handshake_ret);
5174 ASSERT_EQ(handshake_err, SSL_ERROR_HANDBACK);
5175
5176 // Double-check that additional calls to |SSL_do_handshake| continue
5177 // to get |SSL_ERROR_HANDBACK|.
5178 handshake_ret = SSL_do_handshake(handshaker.get());
5179 handshake_err = SSL_get_error(handshaker.get(), handshake_ret);
5180 ASSERT_EQ(handshake_err, SSL_ERROR_HANDBACK);
5181
5182 ScopedCBB cbb_handback;
5183 Array<uint8_t> handback;
5184 ASSERT_TRUE(CBB_init(cbb_handback.get(), 1024));
5185 ASSERT_TRUE(SSL_serialize_handback(handshaker.get(), cbb_handback.get()));
5186 ASSERT_TRUE(CBBFinishArray(cbb_handback.get(), &handback));
5187
5188 bssl::UniquePtr<SSL> server2(SSL_new(server_ctx.get()));
5189 ASSERT_TRUE(SSL_apply_handback(server2.get(), handback));
5190
5191 MoveBIOs(server2.get(), handshaker.get());
5192 ASSERT_TRUE(CompleteHandshakes(client.get(), server2.get()));
5193 EXPECT_EQ(is_resume, SSL_session_reused(client.get()));
5194
5195 if (early_data && is_resume) {
5196 // In this case, one byte of early data has already been written above.
5197 EXPECT_TRUE(SSL_early_data_accepted(client.get()));
5198 } else {
5199 byte_written = 42;
5200 EXPECT_EQ(SSL_write(client.get(), &byte_written, 1), 1);
5201 }
5202 uint8_t byte;
5203 EXPECT_EQ(SSL_read(server2.get(), &byte, 1), 1);
5204 EXPECT_EQ(byte_written, byte);
5205
5206 byte = 44;
5207 EXPECT_EQ(SSL_write(server2.get(), &byte, 1), 1);
5208 EXPECT_EQ(SSL_read(client.get(), &byte, 1), 1);
5209 EXPECT_EQ(44, byte);
5210 }
5211 }
5212 }
5213
TEST(SSLTest,HandoffDeclined)5214 TEST(SSLTest, HandoffDeclined) {
5215 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
5216 bssl::UniquePtr<SSL_CTX> server_ctx(
5217 CreateContextWithTestCertificate(TLS_method()));
5218 ASSERT_TRUE(client_ctx);
5219 ASSERT_TRUE(server_ctx);
5220
5221 SSL_CTX_set_handoff_mode(server_ctx.get(), 1);
5222 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_2_VERSION));
5223
5224 bssl::UniquePtr<SSL> client, server;
5225 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
5226 server_ctx.get()));
5227
5228 int client_ret = SSL_do_handshake(client.get());
5229 int client_err = SSL_get_error(client.get(), client_ret);
5230 ASSERT_EQ(client_err, SSL_ERROR_WANT_READ);
5231
5232 int server_ret = SSL_do_handshake(server.get());
5233 int server_err = SSL_get_error(server.get(), server_ret);
5234 ASSERT_EQ(server_err, SSL_ERROR_HANDOFF);
5235
5236 ScopedCBB cbb;
5237 SSL_CLIENT_HELLO hello;
5238 ASSERT_TRUE(CBB_init(cbb.get(), 256));
5239 ASSERT_TRUE(SSL_serialize_handoff(server.get(), cbb.get(), &hello));
5240
5241 ASSERT_TRUE(SSL_decline_handoff(server.get()));
5242
5243 ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
5244
5245 uint8_t byte = 42;
5246 EXPECT_EQ(SSL_write(client.get(), &byte, 1), 1);
5247 EXPECT_EQ(SSL_read(server.get(), &byte, 1), 1);
5248 EXPECT_EQ(42, byte);
5249
5250 byte = 43;
5251 EXPECT_EQ(SSL_write(server.get(), &byte, 1), 1);
5252 EXPECT_EQ(SSL_read(client.get(), &byte, 1), 1);
5253 EXPECT_EQ(43, byte);
5254 }
5255
SigAlgsToString(Span<const uint16_t> sigalgs)5256 static std::string SigAlgsToString(Span<const uint16_t> sigalgs) {
5257 std::string ret = "{";
5258
5259 for (uint16_t v : sigalgs) {
5260 if (ret.size() > 1) {
5261 ret += ", ";
5262 }
5263
5264 char buf[8];
5265 snprintf(buf, sizeof(buf) - 1, "0x%02x", v);
5266 buf[sizeof(buf)-1] = 0;
5267 ret += std::string(buf);
5268 }
5269
5270 ret += "}";
5271 return ret;
5272 }
5273
ExpectSigAlgsEqual(Span<const uint16_t> expected,Span<const uint16_t> actual)5274 void ExpectSigAlgsEqual(Span<const uint16_t> expected,
5275 Span<const uint16_t> actual) {
5276 bool matches = false;
5277 if (expected.size() == actual.size()) {
5278 matches = true;
5279
5280 for (size_t i = 0; i < expected.size(); i++) {
5281 if (expected[i] != actual[i]) {
5282 matches = false;
5283 break;
5284 }
5285 }
5286 }
5287
5288 if (!matches) {
5289 ADD_FAILURE() << "expected: " << SigAlgsToString(expected)
5290 << " got: " << SigAlgsToString(actual);
5291 }
5292 }
5293
TEST(SSLTest,SigAlgs)5294 TEST(SSLTest, SigAlgs) {
5295 static const struct {
5296 std::vector<int> input;
5297 bool ok;
5298 std::vector<uint16_t> expected;
5299 } kTests[] = {
5300 {{}, true, {}},
5301 {{1}, false, {}},
5302 {{1, 2, 3}, false, {}},
5303 {{NID_sha256, EVP_PKEY_ED25519}, false, {}},
5304 {{NID_sha256, EVP_PKEY_RSA, NID_sha256, EVP_PKEY_RSA}, false, {}},
5305
5306 {{NID_sha256, EVP_PKEY_RSA}, true, {SSL_SIGN_RSA_PKCS1_SHA256}},
5307 {{NID_sha512, EVP_PKEY_RSA}, true, {SSL_SIGN_RSA_PKCS1_SHA512}},
5308 {{NID_sha256, EVP_PKEY_RSA_PSS}, true, {SSL_SIGN_RSA_PSS_RSAE_SHA256}},
5309 {{NID_undef, EVP_PKEY_ED25519}, true, {SSL_SIGN_ED25519}},
5310 {{NID_undef, EVP_PKEY_ED25519, NID_sha384, EVP_PKEY_EC},
5311 true,
5312 {SSL_SIGN_ED25519, SSL_SIGN_ECDSA_SECP384R1_SHA384}},
5313 };
5314
5315 UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
5316
5317 unsigned n = 1;
5318 for (const auto &test : kTests) {
5319 SCOPED_TRACE(n++);
5320
5321 const bool ok =
5322 SSL_CTX_set1_sigalgs(ctx.get(), test.input.data(), test.input.size());
5323 EXPECT_EQ(ok, test.ok);
5324
5325 if (!ok) {
5326 ERR_clear_error();
5327 }
5328
5329 if (!test.ok) {
5330 continue;
5331 }
5332
5333 ExpectSigAlgsEqual(test.expected, ctx->cert->sigalgs);
5334 }
5335 }
5336
TEST(SSLTest,SigAlgsList)5337 TEST(SSLTest, SigAlgsList) {
5338 static const struct {
5339 const char *input;
5340 bool ok;
5341 std::vector<uint16_t> expected;
5342 } kTests[] = {
5343 {"", false, {}},
5344 {":", false, {}},
5345 {"+", false, {}},
5346 {"RSA", false, {}},
5347 {"RSA+", false, {}},
5348 {"RSA+SHA256:", false, {}},
5349 {":RSA+SHA256:", false, {}},
5350 {":RSA+SHA256+:", false, {}},
5351 {"!", false, {}},
5352 {"\x01", false, {}},
5353 {"RSA+SHA256:RSA+SHA384:RSA+SHA256", false, {}},
5354 {"RSA-PSS+SHA256:rsa_pss_rsae_sha256", false, {}},
5355
5356 {"RSA+SHA256", true, {SSL_SIGN_RSA_PKCS1_SHA256}},
5357 {"RSA+SHA256:ed25519",
5358 true,
5359 {SSL_SIGN_RSA_PKCS1_SHA256, SSL_SIGN_ED25519}},
5360 {"ECDSA+SHA256:RSA+SHA512",
5361 true,
5362 {SSL_SIGN_ECDSA_SECP256R1_SHA256, SSL_SIGN_RSA_PKCS1_SHA512}},
5363 {"ecdsa_secp256r1_sha256:rsa_pss_rsae_sha256",
5364 true,
5365 {SSL_SIGN_ECDSA_SECP256R1_SHA256, SSL_SIGN_RSA_PSS_RSAE_SHA256}},
5366 {"RSA-PSS+SHA256", true, {SSL_SIGN_RSA_PSS_RSAE_SHA256}},
5367 {"PSS+SHA256", true, {SSL_SIGN_RSA_PSS_RSAE_SHA256}},
5368 };
5369
5370 UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
5371
5372 unsigned n = 1;
5373 for (const auto &test : kTests) {
5374 SCOPED_TRACE(n++);
5375
5376 const bool ok = SSL_CTX_set1_sigalgs_list(ctx.get(), test.input);
5377 EXPECT_EQ(ok, test.ok);
5378
5379 if (!ok) {
5380 if (test.ok) {
5381 ERR_print_errors_fp(stderr);
5382 }
5383 ERR_clear_error();
5384 }
5385
5386 if (!test.ok) {
5387 continue;
5388 }
5389
5390 ExpectSigAlgsEqual(test.expected, ctx->cert->sigalgs);
5391 }
5392 }
5393
TEST(SSLTest,ApplyHandoffRemovesUnsupportedCiphers)5394 TEST(SSLTest, ApplyHandoffRemovesUnsupportedCiphers) {
5395 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
5396 bssl::UniquePtr<SSL> server(SSL_new(server_ctx.get()));
5397
5398 // handoff is a handoff message that has been artificially modified to pretend
5399 // that only cipher 0x0A is supported. When it is applied to |server|, all
5400 // ciphers but that one should be removed.
5401 //
5402 // To make a new one of these, try sticking this in the |Handoff| test above:
5403 //
5404 // hexdump(stderr, "", handoff.data(), handoff.size());
5405 // sed -e 's/\(..\)/0x\1, /g'
5406 //
5407 // and modify serialize_features() to emit only cipher 0x0A.
5408
5409 uint8_t handoff[] = {
5410 0x30, 0x81, 0x9a, 0x02, 0x01, 0x00, 0x04, 0x00, 0x04, 0x81, 0x82, 0x01,
5411 0x00, 0x00, 0x7e, 0x03, 0x03, 0x30, 0x8e, 0x8f, 0x79, 0xd2, 0x87, 0x39,
5412 0xc2, 0x23, 0x23, 0x13, 0xca, 0x3c, 0x80, 0x44, 0xfd, 0x80, 0x83, 0x62,
5413 0x3c, 0xcc, 0xf8, 0x76, 0xd3, 0x62, 0xbb, 0x54, 0xe3, 0xc4, 0x39, 0x24,
5414 0xa5, 0x00, 0x00, 0x1e, 0xc0, 0x2b, 0xc0, 0x2f, 0xc0, 0x2c, 0xc0, 0x30,
5415 0xcc, 0xa9, 0xcc, 0xa8, 0xc0, 0x09, 0xc0, 0x13, 0xc0, 0x0a, 0xc0, 0x14,
5416 0x00, 0x9c, 0x00, 0x9d, 0x00, 0x2f, 0x00, 0x35, 0x00, 0x0a, 0x01, 0x00,
5417 0x00, 0x37, 0x00, 0x17, 0x00, 0x00, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00,
5418 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00,
5419 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00,
5420 0x14, 0x00, 0x12, 0x04, 0x03, 0x08, 0x04, 0x04, 0x01, 0x05, 0x03, 0x08,
5421 0x05, 0x05, 0x01, 0x08, 0x06, 0x06, 0x01, 0x02, 0x01, 0x04, 0x02, 0x00,
5422 0x0a, 0x04, 0x0a, 0x00, 0x15, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x00,
5423 0x1d,
5424 };
5425
5426 EXPECT_EQ(20u, sk_SSL_CIPHER_num(SSL_get_ciphers(server.get())));
5427 ASSERT_TRUE(
5428 SSL_apply_handoff(server.get(), {handoff, OPENSSL_ARRAY_SIZE(handoff)}));
5429 EXPECT_EQ(1u, sk_SSL_CIPHER_num(SSL_get_ciphers(server.get())));
5430 }
5431
TEST(SSLTest,ApplyHandoffRemovesUnsupportedCurves)5432 TEST(SSLTest, ApplyHandoffRemovesUnsupportedCurves) {
5433 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
5434 bssl::UniquePtr<SSL> server(SSL_new(server_ctx.get()));
5435
5436 // handoff is a handoff message that has been artificially modified to pretend
5437 // that only one curve is supported. When it is applied to |server|, all
5438 // curves but that one should be removed.
5439 //
5440 // See |ApplyHandoffRemovesUnsupportedCiphers| for how to make a new one of
5441 // these.
5442 uint8_t handoff[] = {
5443 0x30, 0x81, 0xc0, 0x02, 0x01, 0x00, 0x04, 0x00, 0x04, 0x81, 0x82, 0x01,
5444 0x00, 0x00, 0x7e, 0x03, 0x03, 0x98, 0x30, 0xce, 0xd9, 0xb0, 0xdf, 0x5f,
5445 0x82, 0x05, 0x4a, 0x43, 0x67, 0x7e, 0xdb, 0x6a, 0x4f, 0x21, 0x18, 0x4e,
5446 0x0d, 0x94, 0x63, 0x18, 0x8b, 0x54, 0x89, 0xdb, 0x8b, 0x1d, 0x84, 0xbc,
5447 0x09, 0x00, 0x00, 0x1e, 0xc0, 0x2b, 0xc0, 0x2f, 0xc0, 0x2c, 0xc0, 0x30,
5448 0xcc, 0xa9, 0xcc, 0xa8, 0xc0, 0x09, 0xc0, 0x13, 0xc0, 0x0a, 0xc0, 0x14,
5449 0x00, 0x9c, 0x00, 0x9d, 0x00, 0x2f, 0x00, 0x35, 0x00, 0x0a, 0x01, 0x00,
5450 0x00, 0x37, 0x00, 0x17, 0x00, 0x00, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00,
5451 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00,
5452 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00,
5453 0x14, 0x00, 0x12, 0x04, 0x03, 0x08, 0x04, 0x04, 0x01, 0x05, 0x03, 0x08,
5454 0x05, 0x05, 0x01, 0x08, 0x06, 0x06, 0x01, 0x02, 0x01, 0x04, 0x30, 0x00,
5455 0x02, 0x00, 0x0a, 0x00, 0x2f, 0x00, 0x35, 0x00, 0x8c, 0x00, 0x8d, 0x00,
5456 0x9c, 0x00, 0x9d, 0x13, 0x01, 0x13, 0x02, 0x13, 0x03, 0xc0, 0x09, 0xc0,
5457 0x0a, 0xc0, 0x13, 0xc0, 0x14, 0xc0, 0x2b, 0xc0, 0x2c, 0xc0, 0x2f, 0xc0,
5458 0x30, 0xc0, 0x35, 0xc0, 0x36, 0xcc, 0xa8, 0xcc, 0xa9, 0xcc, 0xac, 0x04,
5459 0x02, 0x00, 0x17,
5460 };
5461
5462 // The zero length means that the default list of groups is used.
5463 EXPECT_EQ(0u, server->config->supported_group_list.size());
5464 ASSERT_TRUE(
5465 SSL_apply_handoff(server.get(), {handoff, OPENSSL_ARRAY_SIZE(handoff)}));
5466 EXPECT_EQ(1u, server->config->supported_group_list.size());
5467 }
5468
TEST(SSLTest,ZeroSizedWiteFlushesHandshakeMessages)5469 TEST(SSLTest, ZeroSizedWiteFlushesHandshakeMessages) {
5470 // If there are pending handshake mesages, an |SSL_write| of zero bytes should
5471 // flush them.
5472 bssl::UniquePtr<SSL_CTX> server_ctx(
5473 CreateContextWithTestCertificate(TLS_method()));
5474 EXPECT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
5475 EXPECT_TRUE(SSL_CTX_set_min_proto_version(server_ctx.get(), TLS1_3_VERSION));
5476
5477 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
5478 EXPECT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION));
5479 EXPECT_TRUE(SSL_CTX_set_min_proto_version(client_ctx.get(), TLS1_3_VERSION));
5480
5481 bssl::UniquePtr<SSL> client, server;
5482 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
5483 server_ctx.get()));
5484
5485 BIO *client_wbio = SSL_get_wbio(client.get());
5486 EXPECT_EQ(0u, BIO_wpending(client_wbio));
5487 EXPECT_TRUE(SSL_key_update(client.get(), SSL_KEY_UPDATE_NOT_REQUESTED));
5488 EXPECT_EQ(0u, BIO_wpending(client_wbio));
5489 EXPECT_EQ(0, SSL_write(client.get(), nullptr, 0));
5490 EXPECT_NE(0u, BIO_wpending(client_wbio));
5491 }
5492
TEST_P(SSLVersionTest,VerifyBeforeCertRequest)5493 TEST_P(SSLVersionTest, VerifyBeforeCertRequest) {
5494 // Configure the server to request client certificates.
5495 SSL_CTX_set_custom_verify(
5496 server_ctx_.get(), SSL_VERIFY_PEER,
5497 [](SSL *ssl, uint8_t *out_alert) { return ssl_verify_ok; });
5498
5499 // Configure the client to reject the server certificate.
5500 SSL_CTX_set_custom_verify(
5501 client_ctx_.get(), SSL_VERIFY_PEER,
5502 [](SSL *ssl, uint8_t *out_alert) { return ssl_verify_invalid; });
5503
5504 // cert_cb should not be called. Verification should fail first.
5505 SSL_CTX_set_cert_cb(client_ctx_.get(),
5506 [](SSL *ssl, void *arg) {
5507 ADD_FAILURE() << "cert_cb unexpectedly called";
5508 return 0;
5509 },
5510 nullptr);
5511
5512 bssl::UniquePtr<SSL> client, server;
5513 EXPECT_FALSE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
5514 server_ctx_.get()));
5515 }
5516
5517 // Test that ticket-based sessions on the client get fake session IDs.
TEST_P(SSLVersionTest,FakeIDsForTickets)5518 TEST_P(SSLVersionTest, FakeIDsForTickets) {
5519 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
5520 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
5521
5522 bssl::UniquePtr<SSL_SESSION> session =
5523 CreateClientSession(client_ctx_.get(), server_ctx_.get());
5524 ASSERT_TRUE(session);
5525
5526 EXPECT_TRUE(SSL_SESSION_has_ticket(session.get()));
5527 unsigned session_id_length;
5528 SSL_SESSION_get_id(session.get(), &session_id_length);
5529 EXPECT_NE(session_id_length, 0u);
5530 }
5531
5532 // These tests test multi-threaded behavior. They are intended to run with
5533 // ThreadSanitizer.
5534 #if defined(OPENSSL_THREADS)
TEST_P(SSLVersionTest,SessionCacheThreads)5535 TEST_P(SSLVersionTest, SessionCacheThreads) {
5536 SSL_CTX_set_options(server_ctx_.get(), SSL_OP_NO_TICKET);
5537 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
5538 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
5539
5540 if (version() == TLS1_3_VERSION) {
5541 // Our TLS 1.3 implementation does not support stateful resumption.
5542 ASSERT_FALSE(CreateClientSession(client_ctx_.get(), server_ctx_.get()));
5543 return;
5544 }
5545
5546 // Establish two client sessions to test with.
5547 bssl::UniquePtr<SSL_SESSION> session1 =
5548 CreateClientSession(client_ctx_.get(), server_ctx_.get());
5549 ASSERT_TRUE(session1);
5550 bssl::UniquePtr<SSL_SESSION> session2 =
5551 CreateClientSession(client_ctx_.get(), server_ctx_.get());
5552 ASSERT_TRUE(session2);
5553
5554 auto connect_with_session = [&](SSL_SESSION *session) {
5555 ClientConfig config;
5556 config.session = session;
5557 UniquePtr<SSL> client, server;
5558 EXPECT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
5559 server_ctx_.get(), config));
5560 };
5561
5562 // Resume sessions in parallel with establishing new ones.
5563 {
5564 std::vector<std::thread> threads;
5565 threads.emplace_back([&] { connect_with_session(nullptr); });
5566 threads.emplace_back([&] { connect_with_session(nullptr); });
5567 threads.emplace_back([&] { connect_with_session(session1.get()); });
5568 threads.emplace_back([&] { connect_with_session(session1.get()); });
5569 threads.emplace_back([&] { connect_with_session(session2.get()); });
5570 threads.emplace_back([&] { connect_with_session(session2.get()); });
5571 for (auto &thread : threads) {
5572 thread.join();
5573 }
5574 }
5575
5576 // Hit the maximum session cache size across multiple threads, to test the
5577 // size enforcement logic.
5578 size_t limit = SSL_CTX_sess_number(server_ctx_.get()) + 2;
5579 SSL_CTX_sess_set_cache_size(server_ctx_.get(), limit);
5580 {
5581 std::vector<std::thread> threads;
5582 for (int i = 0; i < 4; i++) {
5583 threads.emplace_back([&]() {
5584 connect_with_session(nullptr);
5585 EXPECT_LE(SSL_CTX_sess_number(server_ctx_.get()), limit);
5586 });
5587 }
5588 for (auto &thread : threads) {
5589 thread.join();
5590 }
5591 EXPECT_EQ(SSL_CTX_sess_number(server_ctx_.get()), limit);
5592 }
5593
5594 // Reset the session cache, this time with a mock clock.
5595 ASSERT_NO_FATAL_FAILURE(ResetContexts());
5596 SSL_CTX_set_options(server_ctx_.get(), SSL_OP_NO_TICKET);
5597 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
5598 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
5599 SSL_CTX_set_current_time_cb(server_ctx_.get(), CurrentTimeCallback);
5600
5601 // Make some sessions at an arbitrary start time. Then expire them.
5602 g_current_time.tv_sec = 1000;
5603 bssl::UniquePtr<SSL_SESSION> expired_session1 =
5604 CreateClientSession(client_ctx_.get(), server_ctx_.get());
5605 ASSERT_TRUE(expired_session1);
5606 bssl::UniquePtr<SSL_SESSION> expired_session2 =
5607 CreateClientSession(client_ctx_.get(), server_ctx_.get());
5608 ASSERT_TRUE(expired_session2);
5609 g_current_time.tv_sec += 100 * SSL_DEFAULT_SESSION_TIMEOUT;
5610
5611 session1 = CreateClientSession(client_ctx_.get(), server_ctx_.get());
5612 ASSERT_TRUE(session1);
5613
5614 // Every 256 connections, we flush stale sessions from the session cache. Test
5615 // this logic is correctly synchronized with other connection attempts.
5616 static const int kNumConnections = 256;
5617 {
5618 std::vector<std::thread> threads;
5619 threads.emplace_back([&] {
5620 for (int i = 0; i < kNumConnections; i++) {
5621 connect_with_session(nullptr);
5622 }
5623 });
5624 threads.emplace_back([&] {
5625 for (int i = 0; i < kNumConnections; i++) {
5626 connect_with_session(nullptr);
5627 }
5628 });
5629 threads.emplace_back([&] {
5630 // Never connect with |expired_session2|. The session cache eagerly
5631 // removes expired sessions when it sees them. Leaving |expired_session2|
5632 // untouched ensures it is instead cleared by periodic flushing.
5633 for (int i = 0; i < kNumConnections; i++) {
5634 connect_with_session(expired_session1.get());
5635 }
5636 });
5637 threads.emplace_back([&] {
5638 for (int i = 0; i < kNumConnections; i++) {
5639 connect_with_session(session1.get());
5640 }
5641 });
5642 for (auto &thread : threads) {
5643 thread.join();
5644 }
5645 }
5646 }
5647
TEST_P(SSLVersionTest,SessionTicketThreads)5648 TEST_P(SSLVersionTest, SessionTicketThreads) {
5649 for (bool renew_ticket : {false, true}) {
5650 SCOPED_TRACE(renew_ticket);
5651 ResetContexts();
5652 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
5653 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
5654 if (renew_ticket) {
5655 SSL_CTX_set_tlsext_ticket_key_cb(server_ctx_.get(), RenewTicketCallback);
5656 }
5657
5658 // Establish two client sessions to test with.
5659 bssl::UniquePtr<SSL_SESSION> session1 =
5660 CreateClientSession(client_ctx_.get(), server_ctx_.get());
5661 ASSERT_TRUE(session1);
5662 bssl::UniquePtr<SSL_SESSION> session2 =
5663 CreateClientSession(client_ctx_.get(), server_ctx_.get());
5664 ASSERT_TRUE(session2);
5665
5666 auto connect_with_session = [&](SSL_SESSION *session) {
5667 ClientConfig config;
5668 config.session = session;
5669 UniquePtr<SSL> client, server;
5670 EXPECT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
5671 server_ctx_.get(), config));
5672 };
5673
5674 // Resume sessions in parallel with establishing new ones.
5675 {
5676 std::vector<std::thread> threads;
5677 threads.emplace_back([&] { connect_with_session(nullptr); });
5678 threads.emplace_back([&] { connect_with_session(nullptr); });
5679 threads.emplace_back([&] { connect_with_session(session1.get()); });
5680 threads.emplace_back([&] { connect_with_session(session1.get()); });
5681 threads.emplace_back([&] { connect_with_session(session2.get()); });
5682 threads.emplace_back([&] { connect_with_session(session2.get()); });
5683 for (auto &thread : threads) {
5684 thread.join();
5685 }
5686 }
5687 }
5688 }
5689
5690 // SSL_CTX_get0_certificate needs to lock internally. Test this works.
TEST(SSLTest,GetCertificateThreads)5691 TEST(SSLTest, GetCertificateThreads) {
5692 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
5693 ASSERT_TRUE(ctx);
5694 bssl::UniquePtr<X509> cert = GetTestCertificate();
5695 ASSERT_TRUE(cert);
5696 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), cert.get()));
5697
5698 // Existing code expects |SSL_CTX_get0_certificate| to be callable from two
5699 // threads concurrently. It originally was an immutable operation. Now we
5700 // implement it with a thread-safe cache, so it is worth testing.
5701 X509 *cert2_thread;
5702 std::thread thread(
5703 [&] { cert2_thread = SSL_CTX_get0_certificate(ctx.get()); });
5704 X509 *cert2 = SSL_CTX_get0_certificate(ctx.get());
5705 thread.join();
5706
5707 EXPECT_EQ(cert2, cert2_thread);
5708 EXPECT_EQ(0, X509_cmp(cert.get(), cert2));
5709 }
5710
5711 // Functions which access properties on the negotiated session are thread-safe
5712 // where needed. Prior to TLS 1.3, clients resuming sessions and servers
5713 // performing stateful resumption will share an underlying SSL_SESSION object,
5714 // potentially across threads.
TEST_P(SSLVersionTest,SessionPropertiesThreads)5715 TEST_P(SSLVersionTest, SessionPropertiesThreads) {
5716 if (version() == TLS1_3_VERSION) {
5717 // Our TLS 1.3 implementation does not support stateful resumption.
5718 ASSERT_FALSE(CreateClientSession(client_ctx_.get(), server_ctx_.get()));
5719 return;
5720 }
5721
5722 SSL_CTX_set_options(server_ctx_.get(), SSL_OP_NO_TICKET);
5723 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
5724 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
5725
5726 ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
5727 ASSERT_TRUE(UseCertAndKey(server_ctx_.get()));
5728
5729 // Configure mutual authentication, so we have more session state.
5730 SSL_CTX_set_custom_verify(
5731 client_ctx_.get(), SSL_VERIFY_PEER,
5732 [](SSL *ssl, uint8_t *out_alert) { return ssl_verify_ok; });
5733 SSL_CTX_set_custom_verify(
5734 server_ctx_.get(), SSL_VERIFY_PEER,
5735 [](SSL *ssl, uint8_t *out_alert) { return ssl_verify_ok; });
5736
5737 // Establish a client session to test with.
5738 bssl::UniquePtr<SSL_SESSION> session =
5739 CreateClientSession(client_ctx_.get(), server_ctx_.get());
5740 ASSERT_TRUE(session);
5741
5742 // Resume with it twice.
5743 UniquePtr<SSL> ssls[4];
5744 ClientConfig config;
5745 config.session = session.get();
5746 ASSERT_TRUE(ConnectClientAndServer(&ssls[0], &ssls[1], client_ctx_.get(),
5747 server_ctx_.get(), config));
5748 ASSERT_TRUE(ConnectClientAndServer(&ssls[2], &ssls[3], client_ctx_.get(),
5749 server_ctx_.get(), config));
5750
5751 // Read properties in parallel.
5752 auto read_properties = [](const SSL *ssl) {
5753 EXPECT_TRUE(SSL_get_peer_cert_chain(ssl));
5754 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(ssl));
5755 EXPECT_TRUE(peer);
5756 EXPECT_TRUE(SSL_get_current_cipher(ssl));
5757 EXPECT_TRUE(SSL_get_curve_id(ssl));
5758 };
5759
5760 std::vector<std::thread> threads;
5761 for (const auto &ssl_ptr : ssls) {
5762 const SSL *ssl = ssl_ptr.get();
5763 threads.emplace_back([=] { read_properties(ssl); });
5764 }
5765 for (auto &thread : threads) {
5766 thread.join();
5767 }
5768 }
5769 #endif // OPENSSL_THREADS
5770
5771 constexpr size_t kNumQUICLevels = 4;
5772 static_assert(ssl_encryption_initial < kNumQUICLevels,
5773 "kNumQUICLevels is wrong");
5774 static_assert(ssl_encryption_early_data < kNumQUICLevels,
5775 "kNumQUICLevels is wrong");
5776 static_assert(ssl_encryption_handshake < kNumQUICLevels,
5777 "kNumQUICLevels is wrong");
5778 static_assert(ssl_encryption_application < kNumQUICLevels,
5779 "kNumQUICLevels is wrong");
5780
LevelToString(ssl_encryption_level_t level)5781 const char *LevelToString(ssl_encryption_level_t level) {
5782 switch (level) {
5783 case ssl_encryption_initial:
5784 return "initial";
5785 case ssl_encryption_early_data:
5786 return "early data";
5787 case ssl_encryption_handshake:
5788 return "handshake";
5789 case ssl_encryption_application:
5790 return "application";
5791 }
5792 return "<unknown>";
5793 }
5794
5795 class MockQUICTransport {
5796 public:
5797 enum class Role { kClient, kServer };
5798
MockQUICTransport(Role role)5799 explicit MockQUICTransport(Role role) : role_(role) {
5800 // The caller is expected to configure initial secrets.
5801 levels_[ssl_encryption_initial].write_secret = {1};
5802 levels_[ssl_encryption_initial].read_secret = {1};
5803 }
5804
set_peer(MockQUICTransport * peer)5805 void set_peer(MockQUICTransport *peer) { peer_ = peer; }
5806
has_alert() const5807 bool has_alert() const { return has_alert_; }
alert_level() const5808 ssl_encryption_level_t alert_level() const { return alert_level_; }
alert() const5809 uint8_t alert() const { return alert_; }
5810
PeerSecretsMatch(ssl_encryption_level_t level) const5811 bool PeerSecretsMatch(ssl_encryption_level_t level) const {
5812 return levels_[level].write_secret == peer_->levels_[level].read_secret &&
5813 levels_[level].read_secret == peer_->levels_[level].write_secret &&
5814 levels_[level].cipher == peer_->levels_[level].cipher;
5815 }
5816
HasReadSecret(ssl_encryption_level_t level) const5817 bool HasReadSecret(ssl_encryption_level_t level) const {
5818 return !levels_[level].read_secret.empty();
5819 }
5820
HasWriteSecret(ssl_encryption_level_t level) const5821 bool HasWriteSecret(ssl_encryption_level_t level) const {
5822 return !levels_[level].write_secret.empty();
5823 }
5824
AllowOutOfOrderWrites()5825 void AllowOutOfOrderWrites() { allow_out_of_order_writes_ = true; }
5826
SetReadSecret(ssl_encryption_level_t level,const SSL_CIPHER * cipher,Span<const uint8_t> secret)5827 bool SetReadSecret(ssl_encryption_level_t level, const SSL_CIPHER *cipher,
5828 Span<const uint8_t> secret) {
5829 if (HasReadSecret(level)) {
5830 ADD_FAILURE() << LevelToString(level) << " read secret configured twice";
5831 return false;
5832 }
5833
5834 if (role_ == Role::kClient && level == ssl_encryption_early_data) {
5835 ADD_FAILURE() << "Unexpected early data read secret";
5836 return false;
5837 }
5838
5839 ssl_encryption_level_t ack_level =
5840 level == ssl_encryption_early_data ? ssl_encryption_application : level;
5841 if (!HasWriteSecret(ack_level)) {
5842 ADD_FAILURE() << LevelToString(level)
5843 << " read secret configured before ACK write secret";
5844 return false;
5845 }
5846
5847 if (cipher == nullptr) {
5848 ADD_FAILURE() << "Unexpected null cipher";
5849 return false;
5850 }
5851
5852 if (level != ssl_encryption_early_data &&
5853 SSL_CIPHER_get_id(cipher) != levels_[level].cipher) {
5854 ADD_FAILURE() << "Cipher suite inconsistent";
5855 return false;
5856 }
5857
5858 levels_[level].read_secret.assign(secret.begin(), secret.end());
5859 levels_[level].cipher = SSL_CIPHER_get_id(cipher);
5860 return true;
5861 }
5862
SetWriteSecret(ssl_encryption_level_t level,const SSL_CIPHER * cipher,Span<const uint8_t> secret)5863 bool SetWriteSecret(ssl_encryption_level_t level, const SSL_CIPHER *cipher,
5864 Span<const uint8_t> secret) {
5865 if (HasWriteSecret(level)) {
5866 ADD_FAILURE() << LevelToString(level) << " write secret configured twice";
5867 return false;
5868 }
5869
5870 if (role_ == Role::kServer && level == ssl_encryption_early_data) {
5871 ADD_FAILURE() << "Unexpected early data write secret";
5872 return false;
5873 }
5874
5875 if (cipher == nullptr) {
5876 ADD_FAILURE() << "Unexpected null cipher";
5877 return false;
5878 }
5879
5880 levels_[level].write_secret.assign(secret.begin(), secret.end());
5881 levels_[level].cipher = SSL_CIPHER_get_id(cipher);
5882 return true;
5883 }
5884
WriteHandshakeData(ssl_encryption_level_t level,Span<const uint8_t> data)5885 bool WriteHandshakeData(ssl_encryption_level_t level,
5886 Span<const uint8_t> data) {
5887 if (levels_[level].write_secret.empty()) {
5888 ADD_FAILURE() << LevelToString(level)
5889 << " write secret not yet configured";
5890 return false;
5891 }
5892
5893 // Although the levels are conceptually separate, BoringSSL finishes writing
5894 // data from a previous level before installing keys for the next level.
5895 if (!allow_out_of_order_writes_) {
5896 switch (level) {
5897 case ssl_encryption_early_data:
5898 ADD_FAILURE() << "unexpected handshake data at early data level";
5899 return false;
5900 case ssl_encryption_initial:
5901 if (!levels_[ssl_encryption_handshake].write_secret.empty()) {
5902 ADD_FAILURE()
5903 << LevelToString(level)
5904 << " handshake data written after handshake keys installed";
5905 return false;
5906 }
5907 OPENSSL_FALLTHROUGH;
5908 case ssl_encryption_handshake:
5909 if (!levels_[ssl_encryption_application].write_secret.empty()) {
5910 ADD_FAILURE()
5911 << LevelToString(level)
5912 << " handshake data written after application keys installed";
5913 return false;
5914 }
5915 OPENSSL_FALLTHROUGH;
5916 case ssl_encryption_application:
5917 break;
5918 }
5919 }
5920
5921 levels_[level].write_data.insert(levels_[level].write_data.end(),
5922 data.begin(), data.end());
5923 return true;
5924 }
5925
SendAlert(ssl_encryption_level_t level,uint8_t alert_value)5926 bool SendAlert(ssl_encryption_level_t level, uint8_t alert_value) {
5927 if (has_alert_) {
5928 ADD_FAILURE() << "duplicate alert sent";
5929 return false;
5930 }
5931
5932 if (levels_[level].write_secret.empty()) {
5933 ADD_FAILURE() << LevelToString(level)
5934 << " write secret not yet configured";
5935 return false;
5936 }
5937
5938 has_alert_ = true;
5939 alert_level_ = level;
5940 alert_ = alert_value;
5941 return true;
5942 }
5943
ReadHandshakeData(std::vector<uint8_t> * out,ssl_encryption_level_t level,size_t num=std::numeric_limits<size_t>::max ())5944 bool ReadHandshakeData(std::vector<uint8_t> *out,
5945 ssl_encryption_level_t level,
5946 size_t num = std::numeric_limits<size_t>::max()) {
5947 if (levels_[level].read_secret.empty()) {
5948 ADD_FAILURE() << "data read before keys configured in level " << level;
5949 return false;
5950 }
5951 // The peer may not have configured any keys yet.
5952 if (peer_->levels_[level].write_secret.empty()) {
5953 out->clear();
5954 return true;
5955 }
5956 // Check the peer computed the same key.
5957 if (peer_->levels_[level].write_secret != levels_[level].read_secret) {
5958 ADD_FAILURE() << "peer write key does not match read key in level "
5959 << level;
5960 return false;
5961 }
5962 if (peer_->levels_[level].cipher != levels_[level].cipher) {
5963 ADD_FAILURE() << "peer cipher does not match in level " << level;
5964 return false;
5965 }
5966 std::vector<uint8_t> *peer_data = &peer_->levels_[level].write_data;
5967 num = std::min(num, peer_data->size());
5968 out->assign(peer_data->begin(), peer_data->begin() + num);
5969 peer_data->erase(peer_data->begin(), peer_data->begin() + num);
5970 return true;
5971 }
5972
5973 private:
5974 Role role_;
5975 MockQUICTransport *peer_ = nullptr;
5976
5977 bool allow_out_of_order_writes_ = false;
5978 bool has_alert_ = false;
5979 ssl_encryption_level_t alert_level_ = ssl_encryption_initial;
5980 uint8_t alert_ = 0;
5981
5982 struct Level {
5983 std::vector<uint8_t> write_data;
5984 std::vector<uint8_t> write_secret;
5985 std::vector<uint8_t> read_secret;
5986 uint32_t cipher = 0;
5987 };
5988 Level levels_[kNumQUICLevels];
5989 };
5990
5991 class MockQUICTransportPair {
5992 public:
MockQUICTransportPair()5993 MockQUICTransportPair()
5994 : client_(MockQUICTransport::Role::kClient),
5995 server_(MockQUICTransport::Role::kServer) {
5996 client_.set_peer(&server_);
5997 server_.set_peer(&client_);
5998 }
5999
~MockQUICTransportPair()6000 ~MockQUICTransportPair() {
6001 client_.set_peer(nullptr);
6002 server_.set_peer(nullptr);
6003 }
6004
client()6005 MockQUICTransport *client() { return &client_; }
server()6006 MockQUICTransport *server() { return &server_; }
6007
SecretsMatch(ssl_encryption_level_t level) const6008 bool SecretsMatch(ssl_encryption_level_t level) const {
6009 // We only need to check |HasReadSecret| and |HasWriteSecret| on |client_|.
6010 // |PeerSecretsMatch| checks that |server_| is analogously configured.
6011 return client_.PeerSecretsMatch(level) &&
6012 client_.HasWriteSecret(level) &&
6013 (level == ssl_encryption_early_data || client_.HasReadSecret(level));
6014 }
6015
6016 private:
6017 MockQUICTransport client_;
6018 MockQUICTransport server_;
6019 };
6020
6021 class QUICMethodTest : public testing::Test {
6022 protected:
SetUp()6023 void SetUp() override {
6024 client_ctx_.reset(SSL_CTX_new(TLS_method()));
6025 server_ctx_ = CreateContextWithTestCertificate(TLS_method());
6026 ASSERT_TRUE(client_ctx_);
6027 ASSERT_TRUE(server_ctx_);
6028
6029 SSL_CTX_set_min_proto_version(server_ctx_.get(), TLS1_3_VERSION);
6030 SSL_CTX_set_max_proto_version(server_ctx_.get(), TLS1_3_VERSION);
6031 SSL_CTX_set_min_proto_version(client_ctx_.get(), TLS1_3_VERSION);
6032 SSL_CTX_set_max_proto_version(client_ctx_.get(), TLS1_3_VERSION);
6033
6034 static const uint8_t kALPNProtos[] = {0x03, 'f', 'o', 'o'};
6035 ASSERT_EQ(SSL_CTX_set_alpn_protos(client_ctx_.get(), kALPNProtos,
6036 sizeof(kALPNProtos)),
6037 0);
6038 SSL_CTX_set_alpn_select_cb(
6039 server_ctx_.get(),
6040 [](SSL *ssl, const uint8_t **out, uint8_t *out_len, const uint8_t *in,
6041 unsigned in_len, void *arg) -> int {
6042 return SSL_select_next_proto(
6043 const_cast<uint8_t **>(out), out_len, in, in_len,
6044 kALPNProtos, sizeof(kALPNProtos)) == OPENSSL_NPN_NEGOTIATED
6045 ? SSL_TLSEXT_ERR_OK
6046 : SSL_TLSEXT_ERR_NOACK;
6047 },
6048 nullptr);
6049 }
6050
TransportFromSSL(const SSL * ssl)6051 static MockQUICTransport *TransportFromSSL(const SSL *ssl) {
6052 return ex_data_.Get(ssl);
6053 }
6054
ProvideHandshakeData(SSL * ssl,size_t num=std::numeric_limits<size_t>::max ())6055 static bool ProvideHandshakeData(
6056 SSL *ssl, size_t num = std::numeric_limits<size_t>::max()) {
6057 MockQUICTransport *transport = TransportFromSSL(ssl);
6058 ssl_encryption_level_t level = SSL_quic_read_level(ssl);
6059 std::vector<uint8_t> data;
6060 return transport->ReadHandshakeData(&data, level, num) &&
6061 SSL_provide_quic_data(ssl, level, data.data(), data.size());
6062 }
6063
AllowOutOfOrderWrites()6064 void AllowOutOfOrderWrites() {
6065 allow_out_of_order_writes_ = true;
6066 }
6067
CreateClientAndServer()6068 bool CreateClientAndServer() {
6069 client_.reset(SSL_new(client_ctx_.get()));
6070 server_.reset(SSL_new(server_ctx_.get()));
6071 if (!client_ || !server_) {
6072 return false;
6073 }
6074
6075 SSL_set_connect_state(client_.get());
6076 SSL_set_accept_state(server_.get());
6077
6078 transport_.reset(new MockQUICTransportPair);
6079 ex_data_.Set(client_.get(), transport_->client());
6080 ex_data_.Set(server_.get(), transport_->server());
6081 if (allow_out_of_order_writes_) {
6082 transport_->client()->AllowOutOfOrderWrites();
6083 transport_->server()->AllowOutOfOrderWrites();
6084 }
6085 static const uint8_t client_transport_params[] = {0};
6086 if (!SSL_set_quic_transport_params(client_.get(), client_transport_params,
6087 sizeof(client_transport_params)) ||
6088 !SSL_set_quic_transport_params(server_.get(),
6089 server_transport_params_.data(),
6090 server_transport_params_.size()) ||
6091 !SSL_set_quic_early_data_context(
6092 server_.get(), server_quic_early_data_context_.data(),
6093 server_quic_early_data_context_.size())) {
6094 return false;
6095 }
6096 return true;
6097 }
6098
6099 enum class ExpectedError {
6100 kNoError,
6101 kClientError,
6102 kServerError,
6103 };
6104
6105 // CompleteHandshakesForQUIC runs |SSL_do_handshake| on |client_| and
6106 // |server_| until each completes once. It returns true on success and false
6107 // on failure.
CompleteHandshakesForQUIC()6108 bool CompleteHandshakesForQUIC() {
6109 return RunQUICHandshakesAndExpectError(ExpectedError::kNoError);
6110 }
6111
6112 // Runs |SSL_do_handshake| on |client_| and |server_| until each completes
6113 // once. If |expect_client_error| is true, it will return true only if the
6114 // client handshake failed. Otherwise, it returns true if both handshakes
6115 // succeed and false otherwise.
RunQUICHandshakesAndExpectError(ExpectedError expected_error)6116 bool RunQUICHandshakesAndExpectError(ExpectedError expected_error) {
6117 bool client_done = false, server_done = false;
6118 while (!client_done || !server_done) {
6119 if (!client_done) {
6120 if (!ProvideHandshakeData(client_.get())) {
6121 ADD_FAILURE() << "ProvideHandshakeData(client_) failed";
6122 return false;
6123 }
6124 int client_ret = SSL_do_handshake(client_.get());
6125 int client_err = SSL_get_error(client_.get(), client_ret);
6126 if (client_ret == 1) {
6127 client_done = true;
6128 } else if (client_ret != -1 || client_err != SSL_ERROR_WANT_READ) {
6129 if (expected_error == ExpectedError::kClientError) {
6130 return true;
6131 }
6132 ADD_FAILURE() << "Unexpected client output: " << client_ret << " "
6133 << client_err;
6134 return false;
6135 }
6136 }
6137
6138 if (!server_done) {
6139 if (!ProvideHandshakeData(server_.get())) {
6140 ADD_FAILURE() << "ProvideHandshakeData(server_) failed";
6141 return false;
6142 }
6143 int server_ret = SSL_do_handshake(server_.get());
6144 int server_err = SSL_get_error(server_.get(), server_ret);
6145 if (server_ret == 1) {
6146 server_done = true;
6147 } else if (server_ret != -1 || server_err != SSL_ERROR_WANT_READ) {
6148 if (expected_error == ExpectedError::kServerError) {
6149 return true;
6150 }
6151 ADD_FAILURE() << "Unexpected server output: " << server_ret << " "
6152 << server_err;
6153 return false;
6154 }
6155 }
6156 }
6157 return expected_error == ExpectedError::kNoError;
6158 }
6159
CreateClientSessionForQUIC()6160 bssl::UniquePtr<SSL_SESSION> CreateClientSessionForQUIC() {
6161 g_last_session = nullptr;
6162 SSL_CTX_sess_set_new_cb(client_ctx_.get(), SaveLastSession);
6163 if (!CreateClientAndServer() ||
6164 !CompleteHandshakesForQUIC()) {
6165 return nullptr;
6166 }
6167
6168 // The server sent NewSessionTicket messages in the handshake.
6169 if (!ProvideHandshakeData(client_.get()) ||
6170 !SSL_process_quic_post_handshake(client_.get())) {
6171 return nullptr;
6172 }
6173
6174 return std::move(g_last_session);
6175 }
6176
ExpectHandshakeSuccess()6177 void ExpectHandshakeSuccess() {
6178 EXPECT_TRUE(transport_->SecretsMatch(ssl_encryption_application));
6179 EXPECT_EQ(ssl_encryption_application, SSL_quic_read_level(client_.get()));
6180 EXPECT_EQ(ssl_encryption_application, SSL_quic_write_level(client_.get()));
6181 EXPECT_EQ(ssl_encryption_application, SSL_quic_read_level(server_.get()));
6182 EXPECT_EQ(ssl_encryption_application, SSL_quic_write_level(server_.get()));
6183 EXPECT_FALSE(transport_->client()->has_alert());
6184 EXPECT_FALSE(transport_->server()->has_alert());
6185
6186 // SSL_do_handshake is now idempotent.
6187 EXPECT_EQ(SSL_do_handshake(client_.get()), 1);
6188 EXPECT_EQ(SSL_do_handshake(server_.get()), 1);
6189 }
6190
6191 // Returns a default SSL_QUIC_METHOD. Individual methods may be overwritten by
6192 // the test.
DefaultQUICMethod()6193 SSL_QUIC_METHOD DefaultQUICMethod() {
6194 return SSL_QUIC_METHOD{
6195 SetReadSecretCallback, SetWriteSecretCallback, AddHandshakeDataCallback,
6196 FlushFlightCallback, SendAlertCallback,
6197 };
6198 }
6199
SetReadSecretCallback(SSL * ssl,ssl_encryption_level_t level,const SSL_CIPHER * cipher,const uint8_t * secret,size_t secret_len)6200 static int SetReadSecretCallback(SSL *ssl, ssl_encryption_level_t level,
6201 const SSL_CIPHER *cipher,
6202 const uint8_t *secret, size_t secret_len) {
6203 return TransportFromSSL(ssl)->SetReadSecret(
6204 level, cipher, MakeConstSpan(secret, secret_len));
6205 }
6206
SetWriteSecretCallback(SSL * ssl,ssl_encryption_level_t level,const SSL_CIPHER * cipher,const uint8_t * secret,size_t secret_len)6207 static int SetWriteSecretCallback(SSL *ssl, ssl_encryption_level_t level,
6208 const SSL_CIPHER *cipher,
6209 const uint8_t *secret, size_t secret_len) {
6210 return TransportFromSSL(ssl)->SetWriteSecret(
6211 level, cipher, MakeConstSpan(secret, secret_len));
6212 }
6213
AddHandshakeDataCallback(SSL * ssl,enum ssl_encryption_level_t level,const uint8_t * data,size_t len)6214 static int AddHandshakeDataCallback(SSL *ssl,
6215 enum ssl_encryption_level_t level,
6216 const uint8_t *data, size_t len) {
6217 EXPECT_EQ(level, SSL_quic_write_level(ssl));
6218 return TransportFromSSL(ssl)->WriteHandshakeData(level,
6219 MakeConstSpan(data, len));
6220 }
6221
FlushFlightCallback(SSL * ssl)6222 static int FlushFlightCallback(SSL *ssl) { return 1; }
6223
SendAlertCallback(SSL * ssl,ssl_encryption_level_t level,uint8_t alert)6224 static int SendAlertCallback(SSL *ssl, ssl_encryption_level_t level,
6225 uint8_t alert) {
6226 EXPECT_EQ(level, SSL_quic_write_level(ssl));
6227 return TransportFromSSL(ssl)->SendAlert(level, alert);
6228 }
6229
6230 bssl::UniquePtr<SSL_CTX> client_ctx_;
6231 bssl::UniquePtr<SSL_CTX> server_ctx_;
6232
6233 static UnownedSSLExData<MockQUICTransport> ex_data_;
6234 std::unique_ptr<MockQUICTransportPair> transport_;
6235
6236 bssl::UniquePtr<SSL> client_;
6237 bssl::UniquePtr<SSL> server_;
6238
6239 std::vector<uint8_t> server_transport_params_ = {1};
6240 std::vector<uint8_t> server_quic_early_data_context_ = {2};
6241
6242 bool allow_out_of_order_writes_ = false;
6243 };
6244
6245 UnownedSSLExData<MockQUICTransport> QUICMethodTest::ex_data_;
6246
6247 // Test a full handshake and resumption work.
TEST_F(QUICMethodTest,Basic)6248 TEST_F(QUICMethodTest, Basic) {
6249 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6250
6251 g_last_session = nullptr;
6252
6253 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6254 SSL_CTX_sess_set_new_cb(client_ctx_.get(), SaveLastSession);
6255 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6256 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6257
6258 ASSERT_TRUE(CreateClientAndServer());
6259 ASSERT_TRUE(CompleteHandshakesForQUIC());
6260
6261 ExpectHandshakeSuccess();
6262 EXPECT_FALSE(SSL_session_reused(client_.get()));
6263 EXPECT_FALSE(SSL_session_reused(server_.get()));
6264
6265 // The server sent NewSessionTicket messages in the handshake.
6266 EXPECT_FALSE(g_last_session);
6267 ASSERT_TRUE(ProvideHandshakeData(client_.get()));
6268 EXPECT_EQ(SSL_process_quic_post_handshake(client_.get()), 1);
6269 EXPECT_TRUE(g_last_session);
6270
6271 // Create a second connection to verify resumption works.
6272 ASSERT_TRUE(CreateClientAndServer());
6273 bssl::UniquePtr<SSL_SESSION> session = std::move(g_last_session);
6274 SSL_set_session(client_.get(), session.get());
6275
6276 ASSERT_TRUE(CompleteHandshakesForQUIC());
6277
6278 ExpectHandshakeSuccess();
6279 EXPECT_TRUE(SSL_session_reused(client_.get()));
6280 EXPECT_TRUE(SSL_session_reused(server_.get()));
6281 }
6282
6283 // Test that HelloRetryRequest in QUIC works.
TEST_F(QUICMethodTest,HelloRetryRequest)6284 TEST_F(QUICMethodTest, HelloRetryRequest) {
6285 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6286
6287 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6288 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6289
6290 // BoringSSL predicts the most preferred curve, so using different preferences
6291 // will trigger HelloRetryRequest.
6292 static const int kClientPrefs[] = {NID_X25519, NID_X9_62_prime256v1};
6293 ASSERT_TRUE(SSL_CTX_set1_curves(client_ctx_.get(), kClientPrefs,
6294 OPENSSL_ARRAY_SIZE(kClientPrefs)));
6295 static const int kServerPrefs[] = {NID_X9_62_prime256v1, NID_X25519};
6296 ASSERT_TRUE(SSL_CTX_set1_curves(server_ctx_.get(), kServerPrefs,
6297 OPENSSL_ARRAY_SIZE(kServerPrefs)));
6298
6299 ASSERT_TRUE(CreateClientAndServer());
6300 ASSERT_TRUE(CompleteHandshakesForQUIC());
6301 ExpectHandshakeSuccess();
6302 }
6303
6304 // Test that the client does not send a legacy_session_id in the ClientHello.
TEST_F(QUICMethodTest,NoLegacySessionId)6305 TEST_F(QUICMethodTest, NoLegacySessionId) {
6306 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6307
6308 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6309 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6310 // Check that the session ID length is 0 in an early callback.
6311 SSL_CTX_set_select_certificate_cb(
6312 server_ctx_.get(),
6313 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
6314 EXPECT_EQ(client_hello->session_id_len, 0u);
6315 return ssl_select_cert_success;
6316 });
6317
6318 ASSERT_TRUE(CreateClientAndServer());
6319 ASSERT_TRUE(CompleteHandshakesForQUIC());
6320
6321 ExpectHandshakeSuccess();
6322 }
6323
6324 // Test that, even in a 1-RTT handshake, the server installs keys at the right
6325 // time. Half-RTT keys are available early, but 1-RTT read keys are deferred.
TEST_F(QUICMethodTest,HalfRTTKeys)6326 TEST_F(QUICMethodTest, HalfRTTKeys) {
6327 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6328
6329 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6330 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6331 ASSERT_TRUE(CreateClientAndServer());
6332
6333 // The client sends ClientHello.
6334 ASSERT_EQ(SSL_do_handshake(client_.get()), -1);
6335 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(client_.get(), -1));
6336
6337 // The server reads ClientHello and sends ServerHello..Finished.
6338 ASSERT_TRUE(ProvideHandshakeData(server_.get()));
6339 ASSERT_EQ(SSL_do_handshake(server_.get()), -1);
6340 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(server_.get(), -1));
6341
6342 // At this point, the server has half-RTT write keys, but it cannot access
6343 // 1-RTT read keys until client Finished.
6344 EXPECT_TRUE(transport_->server()->HasWriteSecret(ssl_encryption_application));
6345 EXPECT_FALSE(transport_->server()->HasReadSecret(ssl_encryption_application));
6346
6347 // Finish up the client and server handshakes.
6348 ASSERT_TRUE(CompleteHandshakesForQUIC());
6349
6350 // Both sides can now exchange 1-RTT data.
6351 ExpectHandshakeSuccess();
6352 }
6353
TEST_F(QUICMethodTest,ZeroRTTAccept)6354 TEST_F(QUICMethodTest, ZeroRTTAccept) {
6355 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6356
6357 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6358 SSL_CTX_set_early_data_enabled(client_ctx_.get(), 1);
6359 SSL_CTX_set_early_data_enabled(server_ctx_.get(), 1);
6360 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6361 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6362
6363 bssl::UniquePtr<SSL_SESSION> session = CreateClientSessionForQUIC();
6364 ASSERT_TRUE(session);
6365
6366 ASSERT_TRUE(CreateClientAndServer());
6367 SSL_set_session(client_.get(), session.get());
6368
6369 // The client handshake should return immediately into the early data state.
6370 ASSERT_EQ(SSL_do_handshake(client_.get()), 1);
6371 EXPECT_TRUE(SSL_in_early_data(client_.get()));
6372 // The transport should have keys for sending 0-RTT data.
6373 EXPECT_TRUE(transport_->client()->HasWriteSecret(ssl_encryption_early_data));
6374
6375 // The server will consume the ClientHello and also enter the early data
6376 // state.
6377 ASSERT_TRUE(ProvideHandshakeData(server_.get()));
6378 ASSERT_EQ(SSL_do_handshake(server_.get()), 1);
6379 EXPECT_TRUE(SSL_in_early_data(server_.get()));
6380 EXPECT_TRUE(transport_->SecretsMatch(ssl_encryption_early_data));
6381 // At this point, the server has half-RTT write keys, but it cannot access
6382 // 1-RTT read keys until client Finished.
6383 EXPECT_TRUE(transport_->server()->HasWriteSecret(ssl_encryption_application));
6384 EXPECT_FALSE(transport_->server()->HasReadSecret(ssl_encryption_application));
6385
6386 // Finish up the client and server handshakes.
6387 ASSERT_TRUE(CompleteHandshakesForQUIC());
6388
6389 // Both sides can now exchange 1-RTT data.
6390 ExpectHandshakeSuccess();
6391 EXPECT_TRUE(SSL_session_reused(client_.get()));
6392 EXPECT_TRUE(SSL_session_reused(server_.get()));
6393 EXPECT_FALSE(SSL_in_early_data(client_.get()));
6394 EXPECT_FALSE(SSL_in_early_data(server_.get()));
6395 EXPECT_TRUE(SSL_early_data_accepted(client_.get()));
6396 EXPECT_TRUE(SSL_early_data_accepted(server_.get()));
6397
6398 // Finish handling post-handshake messages after the first 0-RTT resumption.
6399 EXPECT_TRUE(ProvideHandshakeData(client_.get()));
6400 EXPECT_TRUE(SSL_process_quic_post_handshake(client_.get()));
6401
6402 // Perform a second 0-RTT resumption attempt, and confirm that 0-RTT is
6403 // accepted again.
6404 ASSERT_TRUE(CreateClientAndServer());
6405 SSL_set_session(client_.get(), g_last_session.get());
6406
6407 // The client handshake should return immediately into the early data state.
6408 ASSERT_EQ(SSL_do_handshake(client_.get()), 1);
6409 EXPECT_TRUE(SSL_in_early_data(client_.get()));
6410 // The transport should have keys for sending 0-RTT data.
6411 EXPECT_TRUE(transport_->client()->HasWriteSecret(ssl_encryption_early_data));
6412
6413 // The server will consume the ClientHello and also enter the early data
6414 // state.
6415 ASSERT_TRUE(ProvideHandshakeData(server_.get()));
6416 ASSERT_EQ(SSL_do_handshake(server_.get()), 1);
6417 EXPECT_TRUE(SSL_in_early_data(server_.get()));
6418 EXPECT_TRUE(transport_->SecretsMatch(ssl_encryption_early_data));
6419 // At this point, the server has half-RTT write keys, but it cannot access
6420 // 1-RTT read keys until client Finished.
6421 EXPECT_TRUE(transport_->server()->HasWriteSecret(ssl_encryption_application));
6422 EXPECT_FALSE(transport_->server()->HasReadSecret(ssl_encryption_application));
6423
6424 // Finish up the client and server handshakes.
6425 ASSERT_TRUE(CompleteHandshakesForQUIC());
6426
6427 // Both sides can now exchange 1-RTT data.
6428 ExpectHandshakeSuccess();
6429 EXPECT_TRUE(SSL_session_reused(client_.get()));
6430 EXPECT_TRUE(SSL_session_reused(server_.get()));
6431 EXPECT_FALSE(SSL_in_early_data(client_.get()));
6432 EXPECT_FALSE(SSL_in_early_data(server_.get()));
6433 EXPECT_TRUE(SSL_early_data_accepted(client_.get()));
6434 EXPECT_TRUE(SSL_early_data_accepted(server_.get()));
6435 EXPECT_EQ(SSL_get_early_data_reason(client_.get()), ssl_early_data_accepted);
6436 EXPECT_EQ(SSL_get_early_data_reason(server_.get()), ssl_early_data_accepted);
6437 }
6438
TEST_F(QUICMethodTest,ZeroRTTRejectMismatchedParameters)6439 TEST_F(QUICMethodTest, ZeroRTTRejectMismatchedParameters) {
6440 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6441
6442 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6443 SSL_CTX_set_early_data_enabled(client_ctx_.get(), 1);
6444 SSL_CTX_set_early_data_enabled(server_ctx_.get(), 1);
6445 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6446 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6447
6448
6449 bssl::UniquePtr<SSL_SESSION> session = CreateClientSessionForQUIC();
6450 ASSERT_TRUE(session);
6451
6452 ASSERT_TRUE(CreateClientAndServer());
6453 static const uint8_t new_context[] = {4};
6454 ASSERT_TRUE(SSL_set_quic_early_data_context(server_.get(), new_context,
6455 sizeof(new_context)));
6456 SSL_set_session(client_.get(), session.get());
6457
6458 // The client handshake should return immediately into the early data
6459 // state.
6460 ASSERT_EQ(SSL_do_handshake(client_.get()), 1);
6461 EXPECT_TRUE(SSL_in_early_data(client_.get()));
6462 // The transport should have keys for sending 0-RTT data.
6463 EXPECT_TRUE(transport_->client()->HasWriteSecret(ssl_encryption_early_data));
6464
6465 // The server will consume the ClientHello, but it will not accept 0-RTT.
6466 ASSERT_TRUE(ProvideHandshakeData(server_.get()));
6467 ASSERT_EQ(SSL_do_handshake(server_.get()), -1);
6468 EXPECT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(server_.get(), -1));
6469 EXPECT_FALSE(SSL_in_early_data(server_.get()));
6470 EXPECT_FALSE(transport_->server()->HasReadSecret(ssl_encryption_early_data));
6471
6472 // The client consumes the server response and signals 0-RTT rejection.
6473 for (;;) {
6474 ASSERT_TRUE(ProvideHandshakeData(client_.get()));
6475 ASSERT_EQ(-1, SSL_do_handshake(client_.get()));
6476 int err = SSL_get_error(client_.get(), -1);
6477 if (err == SSL_ERROR_EARLY_DATA_REJECTED) {
6478 break;
6479 }
6480 ASSERT_EQ(SSL_ERROR_WANT_READ, err);
6481 }
6482
6483 // As in TLS over TCP, 0-RTT rejection is sticky.
6484 ASSERT_EQ(-1, SSL_do_handshake(client_.get()));
6485 ASSERT_EQ(SSL_ERROR_EARLY_DATA_REJECTED, SSL_get_error(client_.get(), -1));
6486
6487 // Finish up the client and server handshakes.
6488 SSL_reset_early_data_reject(client_.get());
6489 ASSERT_TRUE(CompleteHandshakesForQUIC());
6490
6491 // Both sides can now exchange 1-RTT data.
6492 ExpectHandshakeSuccess();
6493 EXPECT_TRUE(SSL_session_reused(client_.get()));
6494 EXPECT_TRUE(SSL_session_reused(server_.get()));
6495 EXPECT_FALSE(SSL_in_early_data(client_.get()));
6496 EXPECT_FALSE(SSL_in_early_data(server_.get()));
6497 EXPECT_FALSE(SSL_early_data_accepted(client_.get()));
6498 EXPECT_FALSE(SSL_early_data_accepted(server_.get()));
6499 }
6500
TEST_F(QUICMethodTest,NoZeroRTTTicketWithoutEarlyDataContext)6501 TEST_F(QUICMethodTest, NoZeroRTTTicketWithoutEarlyDataContext) {
6502 server_quic_early_data_context_ = {};
6503 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6504
6505 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6506 SSL_CTX_set_early_data_enabled(client_ctx_.get(), 1);
6507 SSL_CTX_set_early_data_enabled(server_ctx_.get(), 1);
6508 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6509 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6510
6511 bssl::UniquePtr<SSL_SESSION> session = CreateClientSessionForQUIC();
6512 ASSERT_TRUE(session);
6513 EXPECT_FALSE(SSL_SESSION_early_data_capable(session.get()));
6514 }
6515
TEST_F(QUICMethodTest,ZeroRTTReject)6516 TEST_F(QUICMethodTest, ZeroRTTReject) {
6517 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6518
6519 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6520 SSL_CTX_set_early_data_enabled(client_ctx_.get(), 1);
6521 SSL_CTX_set_early_data_enabled(server_ctx_.get(), 1);
6522 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6523 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6524
6525 bssl::UniquePtr<SSL_SESSION> session = CreateClientSessionForQUIC();
6526 ASSERT_TRUE(session);
6527
6528 for (bool reject_hrr : {false, true}) {
6529 SCOPED_TRACE(reject_hrr);
6530
6531 ASSERT_TRUE(CreateClientAndServer());
6532 if (reject_hrr) {
6533 // Configure the server to prefer P-256, which will reject 0-RTT via
6534 // HelloRetryRequest.
6535 int p256 = NID_X9_62_prime256v1;
6536 ASSERT_TRUE(SSL_set1_curves(server_.get(), &p256, 1));
6537 } else {
6538 // Disable 0-RTT on the server, so it will reject it.
6539 SSL_set_early_data_enabled(server_.get(), 0);
6540 }
6541 SSL_set_session(client_.get(), session.get());
6542
6543 // The client handshake should return immediately into the early data state.
6544 ASSERT_EQ(SSL_do_handshake(client_.get()), 1);
6545 EXPECT_TRUE(SSL_in_early_data(client_.get()));
6546 // The transport should have keys for sending 0-RTT data.
6547 EXPECT_TRUE(
6548 transport_->client()->HasWriteSecret(ssl_encryption_early_data));
6549
6550 // The server will consume the ClientHello, but it will not accept 0-RTT.
6551 ASSERT_TRUE(ProvideHandshakeData(server_.get()));
6552 ASSERT_EQ(SSL_do_handshake(server_.get()), -1);
6553 EXPECT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(server_.get(), -1));
6554 EXPECT_FALSE(SSL_in_early_data(server_.get()));
6555 EXPECT_FALSE(
6556 transport_->server()->HasReadSecret(ssl_encryption_early_data));
6557
6558 // The client consumes the server response and signals 0-RTT rejection.
6559 for (;;) {
6560 ASSERT_TRUE(ProvideHandshakeData(client_.get()));
6561 ASSERT_EQ(-1, SSL_do_handshake(client_.get()));
6562 int err = SSL_get_error(client_.get(), -1);
6563 if (err == SSL_ERROR_EARLY_DATA_REJECTED) {
6564 break;
6565 }
6566 ASSERT_EQ(SSL_ERROR_WANT_READ, err);
6567 }
6568
6569 // As in TLS over TCP, 0-RTT rejection is sticky.
6570 ASSERT_EQ(-1, SSL_do_handshake(client_.get()));
6571 ASSERT_EQ(SSL_ERROR_EARLY_DATA_REJECTED, SSL_get_error(client_.get(), -1));
6572
6573 // Finish up the client and server handshakes.
6574 SSL_reset_early_data_reject(client_.get());
6575 ASSERT_TRUE(CompleteHandshakesForQUIC());
6576
6577 // Both sides can now exchange 1-RTT data.
6578 ExpectHandshakeSuccess();
6579 EXPECT_TRUE(SSL_session_reused(client_.get()));
6580 EXPECT_TRUE(SSL_session_reused(server_.get()));
6581 EXPECT_FALSE(SSL_in_early_data(client_.get()));
6582 EXPECT_FALSE(SSL_in_early_data(server_.get()));
6583 EXPECT_FALSE(SSL_early_data_accepted(client_.get()));
6584 EXPECT_FALSE(SSL_early_data_accepted(server_.get()));
6585 }
6586 }
6587
TEST_F(QUICMethodTest,NoZeroRTTKeysBeforeReverify)6588 TEST_F(QUICMethodTest, NoZeroRTTKeysBeforeReverify) {
6589 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6590
6591 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6592 SSL_CTX_set_early_data_enabled(client_ctx_.get(), 1);
6593 SSL_CTX_set_reverify_on_resume(client_ctx_.get(), 1);
6594 SSL_CTX_set_early_data_enabled(server_ctx_.get(), 1);
6595 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6596 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6597
6598 bssl::UniquePtr<SSL_SESSION> session = CreateClientSessionForQUIC();
6599 ASSERT_TRUE(session);
6600
6601 ASSERT_TRUE(CreateClientAndServer());
6602 SSL_set_session(client_.get(), session.get());
6603
6604 // Configure the certificate (re)verification to never complete. The client
6605 // handshake should pause.
6606 SSL_set_custom_verify(
6607 client_.get(), SSL_VERIFY_PEER,
6608 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
6609 return ssl_verify_retry;
6610 });
6611 ASSERT_EQ(SSL_do_handshake(client_.get()), -1);
6612 ASSERT_EQ(SSL_get_error(client_.get(), -1),
6613 SSL_ERROR_WANT_CERTIFICATE_VERIFY);
6614
6615 // The early data keys have not yet been released.
6616 EXPECT_FALSE(transport_->client()->HasWriteSecret(ssl_encryption_early_data));
6617
6618 // After the verification completes, the handshake progresses to the 0-RTT
6619 // point and releases keys.
6620 SSL_set_custom_verify(
6621 client_.get(), SSL_VERIFY_PEER,
6622 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
6623 return ssl_verify_ok;
6624 });
6625 ASSERT_EQ(SSL_do_handshake(client_.get()), 1);
6626 EXPECT_TRUE(SSL_in_early_data(client_.get()));
6627 EXPECT_TRUE(transport_->client()->HasWriteSecret(ssl_encryption_early_data));
6628 }
6629
6630 // Test only releasing data to QUIC one byte at a time on request, to maximize
6631 // state machine pauses. Additionally, test that existing asynchronous callbacks
6632 // still work.
TEST_F(QUICMethodTest,Async)6633 TEST_F(QUICMethodTest, Async) {
6634 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6635
6636 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6637 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6638 ASSERT_TRUE(CreateClientAndServer());
6639
6640 // Install an asynchronous certificate callback.
6641 bool cert_cb_ok = false;
6642 SSL_set_cert_cb(server_.get(),
6643 [](SSL *, void *arg) -> int {
6644 return *static_cast<bool *>(arg) ? 1 : -1;
6645 },
6646 &cert_cb_ok);
6647
6648 for (;;) {
6649 int client_ret = SSL_do_handshake(client_.get());
6650 if (client_ret != 1) {
6651 ASSERT_EQ(client_ret, -1);
6652 ASSERT_EQ(SSL_get_error(client_.get(), client_ret), SSL_ERROR_WANT_READ);
6653 ASSERT_TRUE(ProvideHandshakeData(client_.get(), 1));
6654 }
6655
6656 int server_ret = SSL_do_handshake(server_.get());
6657 if (server_ret != 1) {
6658 ASSERT_EQ(server_ret, -1);
6659 int ssl_err = SSL_get_error(server_.get(), server_ret);
6660 switch (ssl_err) {
6661 case SSL_ERROR_WANT_READ:
6662 ASSERT_TRUE(ProvideHandshakeData(server_.get(), 1));
6663 break;
6664 case SSL_ERROR_WANT_X509_LOOKUP:
6665 ASSERT_FALSE(cert_cb_ok);
6666 cert_cb_ok = true;
6667 break;
6668 default:
6669 FAIL() << "Unexpected SSL_get_error result: " << ssl_err;
6670 }
6671 }
6672
6673 if (client_ret == 1 && server_ret == 1) {
6674 break;
6675 }
6676 }
6677
6678 ExpectHandshakeSuccess();
6679 }
6680
6681 // Test buffering write data until explicit flushes.
TEST_F(QUICMethodTest,Buffered)6682 TEST_F(QUICMethodTest, Buffered) {
6683 AllowOutOfOrderWrites();
6684
6685 struct BufferedFlight {
6686 std::vector<uint8_t> data[kNumQUICLevels];
6687 };
6688 static UnownedSSLExData<BufferedFlight> buffered_flights;
6689
6690 auto add_handshake_data = [](SSL *ssl, enum ssl_encryption_level_t level,
6691 const uint8_t *data, size_t len) -> int {
6692 BufferedFlight *flight = buffered_flights.Get(ssl);
6693 flight->data[level].insert(flight->data[level].end(), data, data + len);
6694 return 1;
6695 };
6696
6697 auto flush_flight = [](SSL *ssl) -> int {
6698 BufferedFlight *flight = buffered_flights.Get(ssl);
6699 for (size_t level = 0; level < kNumQUICLevels; level++) {
6700 if (!flight->data[level].empty()) {
6701 if (!TransportFromSSL(ssl)->WriteHandshakeData(
6702 static_cast<ssl_encryption_level_t>(level),
6703 flight->data[level])) {
6704 return 0;
6705 }
6706 flight->data[level].clear();
6707 }
6708 }
6709 return 1;
6710 };
6711
6712 SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6713 quic_method.add_handshake_data = add_handshake_data;
6714 quic_method.flush_flight = flush_flight;
6715
6716 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6717 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6718 ASSERT_TRUE(CreateClientAndServer());
6719
6720 BufferedFlight client_flight, server_flight;
6721 buffered_flights.Set(client_.get(), &client_flight);
6722 buffered_flights.Set(server_.get(), &server_flight);
6723
6724 ASSERT_TRUE(CompleteHandshakesForQUIC());
6725
6726 ExpectHandshakeSuccess();
6727 }
6728
6729 // Test that excess data at one level is rejected. That is, if a single
6730 // |SSL_provide_quic_data| call included both ServerHello and
6731 // EncryptedExtensions in a single chunk, BoringSSL notices and rejects this on
6732 // key change.
TEST_F(QUICMethodTest,ExcessProvidedData)6733 TEST_F(QUICMethodTest, ExcessProvidedData) {
6734 AllowOutOfOrderWrites();
6735
6736 auto add_handshake_data = [](SSL *ssl, enum ssl_encryption_level_t level,
6737 const uint8_t *data, size_t len) -> int {
6738 // Switch everything to the initial level.
6739 return TransportFromSSL(ssl)->WriteHandshakeData(ssl_encryption_initial,
6740 MakeConstSpan(data, len));
6741 };
6742
6743 SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6744 quic_method.add_handshake_data = add_handshake_data;
6745
6746 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6747 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6748 ASSERT_TRUE(CreateClientAndServer());
6749
6750 // Send the ClientHello and ServerHello through Finished.
6751 ASSERT_EQ(SSL_do_handshake(client_.get()), -1);
6752 ASSERT_EQ(SSL_get_error(client_.get(), -1), SSL_ERROR_WANT_READ);
6753 ASSERT_TRUE(ProvideHandshakeData(server_.get()));
6754 ASSERT_EQ(SSL_do_handshake(server_.get()), -1);
6755 ASSERT_EQ(SSL_get_error(server_.get(), -1), SSL_ERROR_WANT_READ);
6756
6757 // The client is still waiting for the ServerHello at initial
6758 // encryption.
6759 ASSERT_EQ(ssl_encryption_initial, SSL_quic_read_level(client_.get()));
6760
6761 // |add_handshake_data| incorrectly wrote everything at the initial level, so
6762 // this queues up ServerHello through Finished in one chunk.
6763 ASSERT_TRUE(ProvideHandshakeData(client_.get()));
6764
6765 // The client reads ServerHello successfully, but then rejects the buffered
6766 // EncryptedExtensions on key change.
6767 ASSERT_EQ(SSL_do_handshake(client_.get()), -1);
6768 ASSERT_EQ(SSL_get_error(client_.get(), -1), SSL_ERROR_SSL);
6769 uint32_t err = ERR_get_error();
6770 EXPECT_EQ(ERR_GET_LIB(err), ERR_LIB_SSL);
6771 EXPECT_EQ(ERR_GET_REASON(err), SSL_R_EXCESS_HANDSHAKE_DATA);
6772
6773 // The client sends an alert in response to this. The alert is sent at
6774 // handshake level because we install write secrets before read secrets and
6775 // the error is discovered when installing the read secret. (How to send
6776 // alerts on protocol syntax errors near key changes is ambiguous in general.)
6777 ASSERT_TRUE(transport_->client()->has_alert());
6778 EXPECT_EQ(transport_->client()->alert_level(), ssl_encryption_handshake);
6779 EXPECT_EQ(transport_->client()->alert(), SSL_AD_UNEXPECTED_MESSAGE);
6780
6781 // Sanity-check handshake secrets. The error is discovered while setting the
6782 // read secret, so only the write secret has been installed.
6783 EXPECT_TRUE(transport_->client()->HasWriteSecret(ssl_encryption_handshake));
6784 EXPECT_FALSE(transport_->client()->HasReadSecret(ssl_encryption_handshake));
6785 }
6786
6787 // Test that |SSL_provide_quic_data| will reject data at the wrong level.
TEST_F(QUICMethodTest,ProvideWrongLevel)6788 TEST_F(QUICMethodTest, ProvideWrongLevel) {
6789 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6790
6791 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6792 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6793 ASSERT_TRUE(CreateClientAndServer());
6794
6795 // Send the ClientHello and ServerHello through Finished.
6796 ASSERT_EQ(SSL_do_handshake(client_.get()), -1);
6797 ASSERT_EQ(SSL_get_error(client_.get(), -1), SSL_ERROR_WANT_READ);
6798 ASSERT_TRUE(ProvideHandshakeData(server_.get()));
6799 ASSERT_EQ(SSL_do_handshake(server_.get()), -1);
6800 ASSERT_EQ(SSL_get_error(server_.get(), -1), SSL_ERROR_WANT_READ);
6801
6802 // The client is still waiting for the ServerHello at initial
6803 // encryption.
6804 ASSERT_EQ(ssl_encryption_initial, SSL_quic_read_level(client_.get()));
6805
6806 // Data cannot be provided at the next level.
6807 std::vector<uint8_t> data;
6808 ASSERT_TRUE(
6809 transport_->client()->ReadHandshakeData(&data, ssl_encryption_initial));
6810 ASSERT_FALSE(SSL_provide_quic_data(client_.get(), ssl_encryption_handshake,
6811 data.data(), data.size()));
6812 ERR_clear_error();
6813
6814 // Progress to EncryptedExtensions.
6815 ASSERT_TRUE(SSL_provide_quic_data(client_.get(), ssl_encryption_initial,
6816 data.data(), data.size()));
6817 ASSERT_EQ(SSL_do_handshake(client_.get()), -1);
6818 ASSERT_EQ(SSL_get_error(client_.get(), -1), SSL_ERROR_WANT_READ);
6819 ASSERT_EQ(ssl_encryption_handshake, SSL_quic_read_level(client_.get()));
6820
6821 // Data cannot be provided at the previous level.
6822 ASSERT_TRUE(
6823 transport_->client()->ReadHandshakeData(&data, ssl_encryption_handshake));
6824 ASSERT_FALSE(SSL_provide_quic_data(client_.get(), ssl_encryption_initial,
6825 data.data(), data.size()));
6826 }
6827
TEST_F(QUICMethodTest,TooMuchData)6828 TEST_F(QUICMethodTest, TooMuchData) {
6829 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6830
6831 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6832 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6833 ASSERT_TRUE(CreateClientAndServer());
6834
6835 size_t limit =
6836 SSL_quic_max_handshake_flight_len(client_.get(), ssl_encryption_initial);
6837 uint8_t b = 0;
6838 for (size_t i = 0; i < limit; i++) {
6839 ASSERT_TRUE(
6840 SSL_provide_quic_data(client_.get(), ssl_encryption_initial, &b, 1));
6841 }
6842
6843 EXPECT_FALSE(
6844 SSL_provide_quic_data(client_.get(), ssl_encryption_initial, &b, 1));
6845 }
6846
6847 // Provide invalid post-handshake data.
TEST_F(QUICMethodTest,BadPostHandshake)6848 TEST_F(QUICMethodTest, BadPostHandshake) {
6849 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6850
6851 g_last_session = nullptr;
6852
6853 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6854 SSL_CTX_sess_set_new_cb(client_ctx_.get(), SaveLastSession);
6855 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6856 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6857 ASSERT_TRUE(CreateClientAndServer());
6858 ASSERT_TRUE(CompleteHandshakesForQUIC());
6859
6860 EXPECT_EQ(SSL_do_handshake(client_.get()), 1);
6861 EXPECT_EQ(SSL_do_handshake(server_.get()), 1);
6862 EXPECT_TRUE(transport_->SecretsMatch(ssl_encryption_application));
6863 EXPECT_FALSE(transport_->client()->has_alert());
6864 EXPECT_FALSE(transport_->server()->has_alert());
6865
6866 // Junk sent as part of post-handshake data should cause an error.
6867 uint8_t kJunk[] = {0x17, 0x0, 0x0, 0x4, 0xB, 0xE, 0xE, 0xF};
6868 ASSERT_TRUE(SSL_provide_quic_data(client_.get(), ssl_encryption_application,
6869 kJunk, sizeof(kJunk)));
6870 EXPECT_EQ(SSL_process_quic_post_handshake(client_.get()), 0);
6871 }
6872
ExpectReceivedTransportParamsEqual(const SSL * ssl,Span<const uint8_t> expected)6873 static void ExpectReceivedTransportParamsEqual(const SSL *ssl,
6874 Span<const uint8_t> expected) {
6875 const uint8_t *received;
6876 size_t received_len;
6877 SSL_get_peer_quic_transport_params(ssl, &received, &received_len);
6878 ASSERT_EQ(received_len, expected.size());
6879 EXPECT_EQ(Bytes(received, received_len), Bytes(expected));
6880 }
6881
TEST_F(QUICMethodTest,SetTransportParameters)6882 TEST_F(QUICMethodTest, SetTransportParameters) {
6883 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6884 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6885 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6886
6887 ASSERT_TRUE(CreateClientAndServer());
6888 uint8_t kClientParams[] = {1, 2, 3, 4};
6889 uint8_t kServerParams[] = {5, 6, 7};
6890 ASSERT_TRUE(SSL_set_quic_transport_params(client_.get(), kClientParams,
6891 sizeof(kClientParams)));
6892 ASSERT_TRUE(SSL_set_quic_transport_params(server_.get(), kServerParams,
6893 sizeof(kServerParams)));
6894
6895 ASSERT_TRUE(CompleteHandshakesForQUIC());
6896 ExpectReceivedTransportParamsEqual(client_.get(), kServerParams);
6897 ExpectReceivedTransportParamsEqual(server_.get(), kClientParams);
6898 }
6899
TEST_F(QUICMethodTest,SetTransportParamsInCallback)6900 TEST_F(QUICMethodTest, SetTransportParamsInCallback) {
6901 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6902 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6903 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6904
6905 ASSERT_TRUE(CreateClientAndServer());
6906 uint8_t kClientParams[] = {1, 2, 3, 4};
6907 static uint8_t kServerParams[] = {5, 6, 7};
6908 ASSERT_TRUE(SSL_set_quic_transport_params(client_.get(), kClientParams,
6909 sizeof(kClientParams)));
6910 SSL_CTX_set_tlsext_servername_callback(
6911 server_ctx_.get(), [](SSL *ssl, int *out_alert, void *arg) -> int {
6912 EXPECT_TRUE(SSL_set_quic_transport_params(ssl, kServerParams,
6913 sizeof(kServerParams)));
6914 return SSL_TLSEXT_ERR_OK;
6915 });
6916
6917 ASSERT_TRUE(CompleteHandshakesForQUIC());
6918 ExpectReceivedTransportParamsEqual(client_.get(), kServerParams);
6919 ExpectReceivedTransportParamsEqual(server_.get(), kClientParams);
6920 }
6921
TEST_F(QUICMethodTest,ForbidCrossProtocolResumptionClient)6922 TEST_F(QUICMethodTest, ForbidCrossProtocolResumptionClient) {
6923 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6924
6925 g_last_session = nullptr;
6926
6927 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6928 SSL_CTX_sess_set_new_cb(client_ctx_.get(), SaveLastSession);
6929 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6930 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6931
6932 ASSERT_TRUE(CreateClientAndServer());
6933 ASSERT_TRUE(CompleteHandshakesForQUIC());
6934
6935 ExpectHandshakeSuccess();
6936 EXPECT_FALSE(SSL_session_reused(client_.get()));
6937 EXPECT_FALSE(SSL_session_reused(server_.get()));
6938
6939 // The server sent NewSessionTicket messages in the handshake.
6940 EXPECT_FALSE(g_last_session);
6941 ASSERT_TRUE(ProvideHandshakeData(client_.get()));
6942 EXPECT_EQ(SSL_process_quic_post_handshake(client_.get()), 1);
6943 EXPECT_TRUE(g_last_session);
6944
6945 // Pretend that g_last_session came from a TLS-over-TCP connection.
6946 g_last_session.get()->is_quic = false;
6947
6948 // Create a second connection and verify that resumption does not occur with
6949 // a session from a non-QUIC connection. This tests that the client does not
6950 // offer over QUIC a session believed to be received over TCP. The server
6951 // believes this is a QUIC session, so if the client offered the session, the
6952 // server would have resumed it.
6953 ASSERT_TRUE(CreateClientAndServer());
6954 bssl::UniquePtr<SSL_SESSION> session = std::move(g_last_session);
6955 SSL_set_session(client_.get(), session.get());
6956
6957 ASSERT_TRUE(CompleteHandshakesForQUIC());
6958 ExpectHandshakeSuccess();
6959 EXPECT_FALSE(SSL_session_reused(client_.get()));
6960 EXPECT_FALSE(SSL_session_reused(server_.get()));
6961 }
6962
TEST_F(QUICMethodTest,ForbidCrossProtocolResumptionServer)6963 TEST_F(QUICMethodTest, ForbidCrossProtocolResumptionServer) {
6964 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6965
6966 g_last_session = nullptr;
6967
6968 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6969 SSL_CTX_sess_set_new_cb(client_ctx_.get(), SaveLastSession);
6970 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6971 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6972
6973 ASSERT_TRUE(CreateClientAndServer());
6974 ASSERT_TRUE(CompleteHandshakesForQUIC());
6975
6976 ExpectHandshakeSuccess();
6977 EXPECT_FALSE(SSL_session_reused(client_.get()));
6978 EXPECT_FALSE(SSL_session_reused(server_.get()));
6979
6980 // The server sent NewSessionTicket messages in the handshake.
6981 EXPECT_FALSE(g_last_session);
6982 ASSERT_TRUE(ProvideHandshakeData(client_.get()));
6983 EXPECT_EQ(SSL_process_quic_post_handshake(client_.get()), 1);
6984 EXPECT_TRUE(g_last_session);
6985
6986 // Attempt a resumption with g_last_session using TLS_method.
6987 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
6988 ASSERT_TRUE(client_ctx);
6989
6990 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), nullptr));
6991
6992 bssl::UniquePtr<SSL> client(SSL_new(client_ctx.get())),
6993 server(SSL_new(server_ctx_.get()));
6994 ASSERT_TRUE(client);
6995 ASSERT_TRUE(server);
6996 SSL_set_connect_state(client.get());
6997 SSL_set_accept_state(server.get());
6998
6999 // The TLS-over-TCP client will refuse to resume with a quic session, so
7000 // mark is_quic = false to bypass the client check to test the server check.
7001 g_last_session.get()->is_quic = false;
7002 SSL_set_session(client.get(), g_last_session.get());
7003
7004 BIO *bio1, *bio2;
7005 ASSERT_TRUE(BIO_new_bio_pair(&bio1, 0, &bio2, 0));
7006
7007 // SSL_set_bio takes ownership.
7008 SSL_set_bio(client.get(), bio1, bio1);
7009 SSL_set_bio(server.get(), bio2, bio2);
7010 ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
7011
7012 EXPECT_FALSE(SSL_session_reused(client.get()));
7013 EXPECT_FALSE(SSL_session_reused(server.get()));
7014 }
7015
TEST_F(QUICMethodTest,ClientRejectsMissingTransportParams)7016 TEST_F(QUICMethodTest, ClientRejectsMissingTransportParams) {
7017 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7018 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7019 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7020
7021 ASSERT_TRUE(CreateClientAndServer());
7022 ASSERT_TRUE(SSL_set_quic_transport_params(server_.get(), nullptr, 0));
7023 ASSERT_TRUE(RunQUICHandshakesAndExpectError(ExpectedError::kServerError));
7024 }
7025
TEST_F(QUICMethodTest,ServerRejectsMissingTransportParams)7026 TEST_F(QUICMethodTest, ServerRejectsMissingTransportParams) {
7027 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7028 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7029 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7030
7031 ASSERT_TRUE(CreateClientAndServer());
7032 ASSERT_TRUE(SSL_set_quic_transport_params(client_.get(), nullptr, 0));
7033 ASSERT_TRUE(RunQUICHandshakesAndExpectError(ExpectedError::kClientError));
7034 }
7035
TEST_F(QUICMethodTest,QuicLegacyCodepointEnabled)7036 TEST_F(QUICMethodTest, QuicLegacyCodepointEnabled) {
7037 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7038 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7039 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7040
7041 ASSERT_TRUE(CreateClientAndServer());
7042 uint8_t kClientParams[] = {1, 2, 3, 4};
7043 uint8_t kServerParams[] = {5, 6, 7};
7044 SSL_set_quic_use_legacy_codepoint(client_.get(), 1);
7045 SSL_set_quic_use_legacy_codepoint(server_.get(), 1);
7046 ASSERT_TRUE(SSL_set_quic_transport_params(client_.get(), kClientParams,
7047 sizeof(kClientParams)));
7048 ASSERT_TRUE(SSL_set_quic_transport_params(server_.get(), kServerParams,
7049 sizeof(kServerParams)));
7050
7051 ASSERT_TRUE(CompleteHandshakesForQUIC());
7052 ExpectReceivedTransportParamsEqual(client_.get(), kServerParams);
7053 ExpectReceivedTransportParamsEqual(server_.get(), kClientParams);
7054 }
7055
TEST_F(QUICMethodTest,QuicLegacyCodepointDisabled)7056 TEST_F(QUICMethodTest, QuicLegacyCodepointDisabled) {
7057 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7058 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7059 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7060
7061 ASSERT_TRUE(CreateClientAndServer());
7062 uint8_t kClientParams[] = {1, 2, 3, 4};
7063 uint8_t kServerParams[] = {5, 6, 7};
7064 SSL_set_quic_use_legacy_codepoint(client_.get(), 0);
7065 SSL_set_quic_use_legacy_codepoint(server_.get(), 0);
7066 ASSERT_TRUE(SSL_set_quic_transport_params(client_.get(), kClientParams,
7067 sizeof(kClientParams)));
7068 ASSERT_TRUE(SSL_set_quic_transport_params(server_.get(), kServerParams,
7069 sizeof(kServerParams)));
7070
7071 ASSERT_TRUE(CompleteHandshakesForQUIC());
7072 ExpectReceivedTransportParamsEqual(client_.get(), kServerParams);
7073 ExpectReceivedTransportParamsEqual(server_.get(), kClientParams);
7074 }
7075
TEST_F(QUICMethodTest,QuicLegacyCodepointClientOnly)7076 TEST_F(QUICMethodTest, QuicLegacyCodepointClientOnly) {
7077 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7078 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7079 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7080
7081 ASSERT_TRUE(CreateClientAndServer());
7082 uint8_t kClientParams[] = {1, 2, 3, 4};
7083 uint8_t kServerParams[] = {5, 6, 7};
7084 SSL_set_quic_use_legacy_codepoint(client_.get(), 1);
7085 SSL_set_quic_use_legacy_codepoint(server_.get(), 0);
7086 ASSERT_TRUE(SSL_set_quic_transport_params(client_.get(), kClientParams,
7087 sizeof(kClientParams)));
7088 ASSERT_TRUE(SSL_set_quic_transport_params(server_.get(), kServerParams,
7089 sizeof(kServerParams)));
7090
7091 ASSERT_TRUE(RunQUICHandshakesAndExpectError(ExpectedError::kServerError));
7092 }
7093
TEST_F(QUICMethodTest,QuicLegacyCodepointServerOnly)7094 TEST_F(QUICMethodTest, QuicLegacyCodepointServerOnly) {
7095 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7096 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7097 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7098
7099 ASSERT_TRUE(CreateClientAndServer());
7100 uint8_t kClientParams[] = {1, 2, 3, 4};
7101 uint8_t kServerParams[] = {5, 6, 7};
7102 SSL_set_quic_use_legacy_codepoint(client_.get(), 0);
7103 SSL_set_quic_use_legacy_codepoint(server_.get(), 1);
7104 ASSERT_TRUE(SSL_set_quic_transport_params(client_.get(), kClientParams,
7105 sizeof(kClientParams)));
7106 ASSERT_TRUE(SSL_set_quic_transport_params(server_.get(), kServerParams,
7107 sizeof(kServerParams)));
7108
7109 ASSERT_TRUE(RunQUICHandshakesAndExpectError(ExpectedError::kServerError));
7110 }
7111
7112 // Test that the default QUIC code point is consistent with
7113 // |TLSEXT_TYPE_quic_transport_parameters|. This test ensures we remember to
7114 // update the two values together.
TEST_F(QUICMethodTest,QuicCodePointDefault)7115 TEST_F(QUICMethodTest, QuicCodePointDefault) {
7116 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7117 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7118 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7119 SSL_CTX_set_select_certificate_cb(
7120 server_ctx_.get(),
7121 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
7122 const uint8_t *data;
7123 size_t len;
7124 if (!SSL_early_callback_ctx_extension_get(
7125 client_hello, TLSEXT_TYPE_quic_transport_parameters, &data,
7126 &len)) {
7127 ADD_FAILURE() << "Could not find quic_transport_parameters extension";
7128 return ssl_select_cert_error;
7129 }
7130 return ssl_select_cert_success;
7131 });
7132
7133 ASSERT_TRUE(CreateClientAndServer());
7134 ASSERT_TRUE(CompleteHandshakesForQUIC());
7135 }
7136
7137 extern "C" {
7138 int BORINGSSL_enum_c_type_test(void);
7139 }
7140
TEST(SSLTest,EnumTypes)7141 TEST(SSLTest, EnumTypes) {
7142 EXPECT_EQ(sizeof(int), sizeof(ssl_private_key_result_t));
7143 EXPECT_EQ(1, BORINGSSL_enum_c_type_test());
7144 }
7145
TEST_P(SSLVersionTest,DoubleSSLError)7146 TEST_P(SSLVersionTest, DoubleSSLError) {
7147 // Connect the inner SSL connections.
7148 ASSERT_TRUE(Connect());
7149
7150 // Make a pair of |BIO|s which wrap |client_| and |server_|.
7151 UniquePtr<BIO_METHOD> bio_method(BIO_meth_new(0, nullptr));
7152 ASSERT_TRUE(bio_method);
7153 ASSERT_TRUE(BIO_meth_set_read(
7154 bio_method.get(), [](BIO *bio, char *out, int len) -> int {
7155 SSL *ssl = static_cast<SSL *>(BIO_get_data(bio));
7156 int ret = SSL_read(ssl, out, len);
7157 int ssl_ret = SSL_get_error(ssl, ret);
7158 if (ssl_ret == SSL_ERROR_WANT_READ) {
7159 BIO_set_retry_read(bio);
7160 }
7161 return ret;
7162 }));
7163 ASSERT_TRUE(BIO_meth_set_write(
7164 bio_method.get(), [](BIO *bio, const char *in, int len) -> int {
7165 SSL *ssl = static_cast<SSL *>(BIO_get_data(bio));
7166 int ret = SSL_write(ssl, in, len);
7167 int ssl_ret = SSL_get_error(ssl, ret);
7168 if (ssl_ret == SSL_ERROR_WANT_WRITE) {
7169 BIO_set_retry_write(bio);
7170 }
7171 return ret;
7172 }));
7173 ASSERT_TRUE(BIO_meth_set_ctrl(
7174 bio_method.get(), [](BIO *bio, int cmd, long larg, void *parg) -> long {
7175 // |SSL| objects require |BIO_flush| support.
7176 if (cmd == BIO_CTRL_FLUSH) {
7177 return 1;
7178 }
7179 return 0;
7180 }));
7181
7182 UniquePtr<BIO> client_bio(BIO_new(bio_method.get()));
7183 ASSERT_TRUE(client_bio);
7184 BIO_set_data(client_bio.get(), client_.get());
7185 BIO_set_init(client_bio.get(), 1);
7186
7187 UniquePtr<BIO> server_bio(BIO_new(bio_method.get()));
7188 ASSERT_TRUE(server_bio);
7189 BIO_set_data(server_bio.get(), server_.get());
7190 BIO_set_init(server_bio.get(), 1);
7191
7192 // Wrap the inner connections in another layer of SSL.
7193 UniquePtr<SSL> client_outer(SSL_new(client_ctx_.get()));
7194 ASSERT_TRUE(client_outer);
7195 SSL_set_connect_state(client_outer.get());
7196 SSL_set_bio(client_outer.get(), client_bio.get(), client_bio.get());
7197 client_bio.release(); // |SSL_set_bio| takes ownership.
7198
7199 UniquePtr<SSL> server_outer(SSL_new(server_ctx_.get()));
7200 ASSERT_TRUE(server_outer);
7201 SSL_set_accept_state(server_outer.get());
7202 SSL_set_bio(server_outer.get(), server_bio.get(), server_bio.get());
7203 server_bio.release(); // |SSL_set_bio| takes ownership.
7204
7205 // Configure |client_outer| to reject the server certificate.
7206 SSL_set_custom_verify(
7207 client_outer.get(), SSL_VERIFY_PEER,
7208 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
7209 return ssl_verify_invalid;
7210 });
7211
7212 for (;;) {
7213 int client_ret = SSL_do_handshake(client_outer.get());
7214 int client_err = SSL_get_error(client_outer.get(), client_ret);
7215 if (client_err != SSL_ERROR_WANT_READ &&
7216 client_err != SSL_ERROR_WANT_WRITE) {
7217 // The client handshake should terminate on a certificate verification
7218 // error.
7219 EXPECT_EQ(SSL_ERROR_SSL, client_err);
7220 uint32_t err = ERR_peek_error();
7221 EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err));
7222 EXPECT_EQ(SSL_R_CERTIFICATE_VERIFY_FAILED, ERR_GET_REASON(err));
7223 break;
7224 }
7225
7226 // Run the server handshake and continue.
7227 int server_ret = SSL_do_handshake(server_outer.get());
7228 int server_err = SSL_get_error(server_outer.get(), server_ret);
7229 ASSERT_TRUE(server_err == SSL_ERROR_NONE ||
7230 server_err == SSL_ERROR_WANT_READ ||
7231 server_err == SSL_ERROR_WANT_WRITE);
7232 }
7233 }
7234
TEST_P(SSLVersionTest,SameKeyResume)7235 TEST_P(SSLVersionTest, SameKeyResume) {
7236 uint8_t key[48];
7237 RAND_bytes(key, sizeof(key));
7238
7239 bssl::UniquePtr<SSL_CTX> server_ctx2 = CreateContext();
7240 ASSERT_TRUE(server_ctx2);
7241 ASSERT_TRUE(UseCertAndKey(server_ctx2.get()));
7242 ASSERT_TRUE(
7243 SSL_CTX_set_tlsext_ticket_keys(server_ctx_.get(), key, sizeof(key)));
7244 ASSERT_TRUE(
7245 SSL_CTX_set_tlsext_ticket_keys(server_ctx2.get(), key, sizeof(key)));
7246
7247 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
7248 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
7249 SSL_CTX_set_session_cache_mode(server_ctx2.get(), SSL_SESS_CACHE_BOTH);
7250
7251 // Establish a session for |server_ctx_|.
7252 bssl::UniquePtr<SSL_SESSION> session =
7253 CreateClientSession(client_ctx_.get(), server_ctx_.get());
7254 ASSERT_TRUE(session);
7255 ClientConfig config;
7256 config.session = session.get();
7257
7258 // Resuming with |server_ctx_| again works.
7259 bssl::UniquePtr<SSL> client, server;
7260 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
7261 server_ctx_.get(), config));
7262 EXPECT_TRUE(SSL_session_reused(client.get()));
7263 EXPECT_TRUE(SSL_session_reused(server.get()));
7264
7265 // Resuming with |server_ctx2| also works.
7266 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
7267 server_ctx2.get(), config));
7268 EXPECT_TRUE(SSL_session_reused(client.get()));
7269 EXPECT_TRUE(SSL_session_reused(server.get()));
7270 }
7271
TEST_P(SSLVersionTest,DifferentKeyNoResume)7272 TEST_P(SSLVersionTest, DifferentKeyNoResume) {
7273 uint8_t key1[48], key2[48];
7274 RAND_bytes(key1, sizeof(key1));
7275 RAND_bytes(key2, sizeof(key2));
7276
7277 bssl::UniquePtr<SSL_CTX> server_ctx2 = CreateContext();
7278 ASSERT_TRUE(server_ctx2);
7279 ASSERT_TRUE(UseCertAndKey(server_ctx2.get()));
7280 ASSERT_TRUE(
7281 SSL_CTX_set_tlsext_ticket_keys(server_ctx_.get(), key1, sizeof(key1)));
7282 ASSERT_TRUE(
7283 SSL_CTX_set_tlsext_ticket_keys(server_ctx2.get(), key2, sizeof(key2)));
7284
7285 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
7286 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
7287 SSL_CTX_set_session_cache_mode(server_ctx2.get(), SSL_SESS_CACHE_BOTH);
7288
7289 // Establish a session for |server_ctx_|.
7290 bssl::UniquePtr<SSL_SESSION> session =
7291 CreateClientSession(client_ctx_.get(), server_ctx_.get());
7292 ASSERT_TRUE(session);
7293 ClientConfig config;
7294 config.session = session.get();
7295
7296 // Resuming with |server_ctx_| again works.
7297 bssl::UniquePtr<SSL> client, server;
7298 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
7299 server_ctx_.get(), config));
7300 EXPECT_TRUE(SSL_session_reused(client.get()));
7301 EXPECT_TRUE(SSL_session_reused(server.get()));
7302
7303 // Resuming with |server_ctx2| does not work.
7304 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
7305 server_ctx2.get(), config));
7306 EXPECT_FALSE(SSL_session_reused(client.get()));
7307 EXPECT_FALSE(SSL_session_reused(server.get()));
7308 }
7309
TEST_P(SSLVersionTest,UnrelatedServerNoResume)7310 TEST_P(SSLVersionTest, UnrelatedServerNoResume) {
7311 bssl::UniquePtr<SSL_CTX> server_ctx2 = CreateContext();
7312 ASSERT_TRUE(server_ctx2);
7313 ASSERT_TRUE(UseCertAndKey(server_ctx2.get()));
7314
7315 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
7316 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
7317 SSL_CTX_set_session_cache_mode(server_ctx2.get(), SSL_SESS_CACHE_BOTH);
7318
7319 // Establish a session for |server_ctx_|.
7320 bssl::UniquePtr<SSL_SESSION> session =
7321 CreateClientSession(client_ctx_.get(), server_ctx_.get());
7322 ASSERT_TRUE(session);
7323 ClientConfig config;
7324 config.session = session.get();
7325
7326 // Resuming with |server_ctx_| again works.
7327 bssl::UniquePtr<SSL> client, server;
7328 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
7329 server_ctx_.get(), config));
7330 EXPECT_TRUE(SSL_session_reused(client.get()));
7331 EXPECT_TRUE(SSL_session_reused(server.get()));
7332
7333 // Resuming with |server_ctx2| does not work.
7334 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
7335 server_ctx2.get(), config));
7336 EXPECT_FALSE(SSL_session_reused(client.get()));
7337 EXPECT_FALSE(SSL_session_reused(server.get()));
7338 }
7339
SessionIDOf(const SSL * ssl)7340 Span<const uint8_t> SessionIDOf(const SSL* ssl) {
7341 const SSL_SESSION *session = SSL_get_session(ssl);
7342 unsigned len;
7343 const uint8_t *data = SSL_SESSION_get_id(session, &len);
7344 return MakeConstSpan(data, len);
7345 }
7346
TEST_P(SSLVersionTest,TicketSessionIDsMatch)7347 TEST_P(SSLVersionTest, TicketSessionIDsMatch) {
7348 // This checks that the session IDs at client and server match after a ticket
7349 // resumption. It's unclear whether this should be true, but Envoy depends
7350 // on it in their tests so this will give an early signal if we break it.
7351 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
7352 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
7353
7354 bssl::UniquePtr<SSL_SESSION> session =
7355 CreateClientSession(client_ctx_.get(), server_ctx_.get());
7356
7357 bssl::UniquePtr<SSL> client, server;
7358 ClientConfig config;
7359 config.session = session.get();
7360 EXPECT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
7361 server_ctx_.get(), config));
7362 EXPECT_TRUE(SSL_session_reused(client.get()));
7363 EXPECT_TRUE(SSL_session_reused(server.get()));
7364
7365 EXPECT_EQ(Bytes(SessionIDOf(client.get())), Bytes(SessionIDOf(server.get())));
7366 }
7367
TEST(SSLTest,WriteWhileExplicitRenegotiate)7368 TEST(SSLTest, WriteWhileExplicitRenegotiate) {
7369 bssl::UniquePtr<SSL_CTX> ctx(CreateContextWithTestCertificate(TLS_method()));
7370 ASSERT_TRUE(ctx);
7371
7372 ASSERT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_2_VERSION));
7373 ASSERT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_2_VERSION));
7374 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(
7375 ctx.get(), "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"));
7376
7377 bssl::UniquePtr<SSL> client, server;
7378 ASSERT_TRUE(CreateClientAndServer(&client, &server, ctx.get(), ctx.get()));
7379 SSL_set_renegotiate_mode(client.get(), ssl_renegotiate_explicit);
7380 ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
7381
7382 static const uint8_t kInput[] = {'h', 'e', 'l', 'l', 'o'};
7383
7384 // Write "hello" until the buffer is full, so |client| has a pending write.
7385 size_t num_writes = 0;
7386 for (;;) {
7387 int ret = SSL_write(client.get(), kInput, sizeof(kInput));
7388 if (ret != int(sizeof(kInput))) {
7389 ASSERT_EQ(-1, ret);
7390 ASSERT_EQ(SSL_ERROR_WANT_WRITE, SSL_get_error(client.get(), ret));
7391 break;
7392 }
7393 num_writes++;
7394 }
7395
7396 // Encrypt a HelloRequest.
7397 uint8_t in[] = {SSL3_MT_HELLO_REQUEST, 0, 0, 0};
7398 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
7399 // Fuzzer-mode records are unencrypted.
7400 uint8_t record[5 + sizeof(in)];
7401 record[0] = SSL3_RT_HANDSHAKE;
7402 record[1] = 3;
7403 record[2] = 3; // TLS 1.2
7404 record[3] = 0;
7405 record[4] = sizeof(record) - 5;
7406 memcpy(record + 5, in, sizeof(in));
7407 #else
7408 // Extract key material from |server|.
7409 static const size_t kKeyLen = 32;
7410 static const size_t kNonceLen = 12;
7411 ASSERT_EQ(2u * (kKeyLen + kNonceLen), SSL_get_key_block_len(server.get()));
7412 uint8_t key_block[2u * (kKeyLen + kNonceLen)];
7413 ASSERT_TRUE(
7414 SSL_generate_key_block(server.get(), key_block, sizeof(key_block)));
7415 Span<uint8_t> key = MakeSpan(key_block + kKeyLen, kKeyLen);
7416 Span<uint8_t> nonce =
7417 MakeSpan(key_block + kKeyLen + kKeyLen + kNonceLen, kNonceLen);
7418
7419 uint8_t ad[13];
7420 uint64_t seq = SSL_get_write_sequence(server.get());
7421 for (size_t i = 0; i < 8; i++) {
7422 // The nonce is XORed with the sequence number.
7423 nonce[11 - i] ^= uint8_t(seq);
7424 ad[7 - i] = uint8_t(seq);
7425 seq >>= 8;
7426 }
7427
7428 ad[8] = SSL3_RT_HANDSHAKE;
7429 ad[9] = 3;
7430 ad[10] = 3; // TLS 1.2
7431 ad[11] = 0;
7432 ad[12] = sizeof(in);
7433
7434 uint8_t record[5 + sizeof(in) + 16];
7435 record[0] = SSL3_RT_HANDSHAKE;
7436 record[1] = 3;
7437 record[2] = 3; // TLS 1.2
7438 record[3] = 0;
7439 record[4] = sizeof(record) - 5;
7440
7441 ScopedEVP_AEAD_CTX aead;
7442 ASSERT_TRUE(EVP_AEAD_CTX_init(aead.get(), EVP_aead_chacha20_poly1305(),
7443 key.data(), key.size(),
7444 EVP_AEAD_DEFAULT_TAG_LENGTH, nullptr));
7445 size_t len;
7446 ASSERT_TRUE(EVP_AEAD_CTX_seal(aead.get(), record + 5, &len,
7447 sizeof(record) - 5, nonce.data(), nonce.size(),
7448 in, sizeof(in), ad, sizeof(ad)));
7449 ASSERT_EQ(sizeof(record) - 5, len);
7450 #endif // BORINGSSL_UNSAFE_FUZZER_MODE
7451
7452 ASSERT_EQ(int(sizeof(record)),
7453 BIO_write(SSL_get_wbio(server.get()), record, sizeof(record)));
7454
7455 // |SSL_read| should pick up the HelloRequest.
7456 uint8_t byte;
7457 ASSERT_EQ(-1, SSL_read(client.get(), &byte, 1));
7458 ASSERT_EQ(SSL_ERROR_WANT_RENEGOTIATE, SSL_get_error(client.get(), -1));
7459
7460 // Drain the data from the |client|.
7461 uint8_t buf[sizeof(kInput)];
7462 for (size_t i = 0; i < num_writes; i++) {
7463 ASSERT_EQ(int(sizeof(buf)), SSL_read(server.get(), buf, sizeof(buf)));
7464 EXPECT_EQ(Bytes(buf), Bytes(kInput));
7465 }
7466
7467 // |client| should be able to finish the pending write and continue to write,
7468 // despite the paused HelloRequest.
7469 ASSERT_EQ(int(sizeof(kInput)),
7470 SSL_write(client.get(), kInput, sizeof(kInput)));
7471 ASSERT_EQ(int(sizeof(buf)), SSL_read(server.get(), buf, sizeof(buf)));
7472 EXPECT_EQ(Bytes(buf), Bytes(kInput));
7473
7474 ASSERT_EQ(int(sizeof(kInput)),
7475 SSL_write(client.get(), kInput, sizeof(kInput)));
7476 ASSERT_EQ(int(sizeof(buf)), SSL_read(server.get(), buf, sizeof(buf)));
7477 EXPECT_EQ(Bytes(buf), Bytes(kInput));
7478
7479 // |SSL_read| is stuck until we acknowledge the HelloRequest.
7480 ASSERT_EQ(-1, SSL_read(client.get(), &byte, 1));
7481 ASSERT_EQ(SSL_ERROR_WANT_RENEGOTIATE, SSL_get_error(client.get(), -1));
7482
7483 ASSERT_TRUE(SSL_renegotiate(client.get()));
7484 ASSERT_EQ(-1, SSL_read(client.get(), &byte, 1));
7485 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(client.get(), -1));
7486
7487 // We never renegotiate as a server.
7488 ASSERT_EQ(-1, SSL_read(server.get(), buf, sizeof(buf)));
7489 ASSERT_EQ(SSL_ERROR_SSL, SSL_get_error(server.get(), -1));
7490 uint32_t err = ERR_get_error();
7491 EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err));
7492 EXPECT_EQ(SSL_R_NO_RENEGOTIATION, ERR_GET_REASON(err));
7493 }
7494
7495
TEST(SSLTest,CopyWithoutEarlyData)7496 TEST(SSLTest, CopyWithoutEarlyData) {
7497 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
7498 bssl::UniquePtr<SSL_CTX> server_ctx(
7499 CreateContextWithTestCertificate(TLS_method()));
7500 ASSERT_TRUE(client_ctx);
7501 ASSERT_TRUE(server_ctx);
7502
7503 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
7504 SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH);
7505 SSL_CTX_set_early_data_enabled(client_ctx.get(), 1);
7506 SSL_CTX_set_early_data_enabled(server_ctx.get(), 1);
7507
7508 bssl::UniquePtr<SSL_SESSION> session =
7509 CreateClientSession(client_ctx.get(), server_ctx.get());
7510 ASSERT_TRUE(session);
7511
7512 // The client should attempt early data with |session|.
7513 bssl::UniquePtr<SSL> client, server;
7514 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
7515 server_ctx.get()));
7516 SSL_set_session(client.get(), session.get());
7517 SSL_set_early_data_enabled(client.get(), 1);
7518 ASSERT_EQ(1, SSL_do_handshake(client.get()));
7519 EXPECT_TRUE(SSL_in_early_data(client.get()));
7520
7521 // |SSL_SESSION_copy_without_early_data| should disable early data but
7522 // still resume the session.
7523 bssl::UniquePtr<SSL_SESSION> session2(
7524 SSL_SESSION_copy_without_early_data(session.get()));
7525 ASSERT_TRUE(session2);
7526 EXPECT_NE(session.get(), session2.get());
7527 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
7528 server_ctx.get()));
7529 SSL_set_session(client.get(), session2.get());
7530 SSL_set_early_data_enabled(client.get(), 1);
7531 EXPECT_TRUE(CompleteHandshakes(client.get(), server.get()));
7532 EXPECT_TRUE(SSL_session_reused(client.get()));
7533 EXPECT_EQ(ssl_early_data_unsupported_for_session,
7534 SSL_get_early_data_reason(client.get()));
7535
7536 // |SSL_SESSION_copy_without_early_data| should be a reference count increase
7537 // when passed an early-data-incapable session.
7538 bssl::UniquePtr<SSL_SESSION> session3(
7539 SSL_SESSION_copy_without_early_data(session2.get()));
7540 EXPECT_EQ(session2.get(), session3.get());
7541 }
7542
TEST(SSLTest,ProcessTLS13NewSessionTicket)7543 TEST(SSLTest, ProcessTLS13NewSessionTicket) {
7544 // Configure client and server to negotiate TLS 1.3 only.
7545 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
7546 bssl::UniquePtr<SSL_CTX> server_ctx(
7547 CreateContextWithTestCertificate(TLS_method()));
7548 ASSERT_TRUE(client_ctx);
7549 ASSERT_TRUE(server_ctx);
7550 ASSERT_TRUE(SSL_CTX_set_min_proto_version(client_ctx.get(), TLS1_3_VERSION));
7551 ASSERT_TRUE(SSL_CTX_set_min_proto_version(server_ctx.get(), TLS1_3_VERSION));
7552 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION));
7553 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
7554
7555 bssl::UniquePtr<SSL> client, server;
7556 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
7557 server_ctx.get()));
7558 EXPECT_EQ(TLS1_3_VERSION, SSL_version(client.get()));
7559
7560 // Process a TLS 1.3 NewSessionTicket.
7561 static const uint8_t kTicket[] = {
7562 0x04, 0x00, 0x00, 0xb2, 0x00, 0x02, 0xa3, 0x00, 0x04, 0x03, 0x02, 0x01,
7563 0x01, 0x00, 0x00, 0xa0, 0x01, 0x06, 0x09, 0x11, 0x16, 0x19, 0x21, 0x26,
7564 0x29, 0x31, 0x36, 0x39, 0x41, 0x46, 0x49, 0x51, 0x03, 0x06, 0x09, 0x13,
7565 0x16, 0x19, 0x23, 0x26, 0x29, 0x33, 0x36, 0x39, 0x43, 0x46, 0x49, 0x53,
7566 0xf7, 0x00, 0x29, 0xec, 0xf2, 0xc4, 0xa4, 0x41, 0xfc, 0x30, 0x17, 0x2e,
7567 0x9f, 0x7c, 0xa8, 0xaf, 0x75, 0x70, 0xf0, 0x1f, 0xc7, 0x98, 0xf7, 0xcf,
7568 0x5a, 0x5a, 0x6b, 0x5b, 0xfe, 0xf1, 0xe7, 0x3a, 0xe8, 0xf7, 0x6c, 0xd2,
7569 0xa8, 0xa6, 0x92, 0x5b, 0x96, 0x8d, 0xde, 0xdb, 0xd3, 0x20, 0x6a, 0xcb,
7570 0x69, 0x06, 0xf4, 0x91, 0x85, 0x2e, 0xe6, 0x5e, 0x0c, 0x59, 0xf2, 0x9e,
7571 0x9b, 0x79, 0x91, 0x24, 0x7e, 0x4a, 0x32, 0x3d, 0xbe, 0x4b, 0x80, 0x70,
7572 0xaf, 0xd0, 0x1d, 0xe2, 0xca, 0x05, 0x35, 0x09, 0x09, 0x05, 0x0f, 0xbb,
7573 0xc4, 0xae, 0xd7, 0xc4, 0xed, 0xd7, 0xae, 0x35, 0xc8, 0x73, 0x63, 0x78,
7574 0x64, 0xc9, 0x7a, 0x1f, 0xed, 0x7a, 0x9a, 0x47, 0x44, 0xfd, 0x50, 0xf7,
7575 0xb7, 0xe0, 0x64, 0xa9, 0x02, 0xc1, 0x5c, 0x23, 0x18, 0x3f, 0xc4, 0xcf,
7576 0x72, 0x02, 0x59, 0x2d, 0xe1, 0xaa, 0x61, 0x72, 0x00, 0x04, 0x5a, 0x5a,
7577 0x00, 0x00,
7578 };
7579 bssl::UniquePtr<SSL_SESSION> session(SSL_process_tls13_new_session_ticket(
7580 client.get(), kTicket, sizeof(kTicket)));
7581 ASSERT_TRUE(session);
7582 ASSERT_TRUE(SSL_SESSION_has_ticket(session.get()));
7583
7584 uint8_t *session_buf = nullptr;
7585 size_t session_length = 0;
7586 ASSERT_TRUE(
7587 SSL_SESSION_to_bytes(session.get(), &session_buf, &session_length));
7588 bssl::UniquePtr<uint8_t> session_buf_free(session_buf);
7589 ASSERT_TRUE(session_buf);
7590 ASSERT_GT(session_length, 0u);
7591
7592 // Servers cannot call |SSL_process_tls13_new_session_ticket|.
7593 ASSERT_FALSE(SSL_process_tls13_new_session_ticket(server.get(), kTicket,
7594 sizeof(kTicket)));
7595
7596 // Clients cannot call |SSL_process_tls13_new_session_ticket| before the
7597 // handshake completes.
7598 bssl::UniquePtr<SSL> client2(SSL_new(client_ctx.get()));
7599 ASSERT_TRUE(client2);
7600 SSL_set_connect_state(client2.get());
7601 ASSERT_FALSE(SSL_process_tls13_new_session_ticket(client2.get(), kTicket,
7602 sizeof(kTicket)));
7603 }
7604
TEST(SSLTest,BIO)7605 TEST(SSLTest, BIO) {
7606 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
7607 bssl::UniquePtr<SSL_CTX> server_ctx(
7608 CreateContextWithTestCertificate(TLS_method()));
7609 ASSERT_TRUE(client_ctx);
7610 ASSERT_TRUE(server_ctx);
7611
7612 for (bool take_ownership : {true, false}) {
7613 // For simplicity, get the handshake out of the way first.
7614 bssl::UniquePtr<SSL> client, server;
7615 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
7616 server_ctx.get()));
7617
7618 // Wrap |client| in an SSL BIO.
7619 bssl::UniquePtr<BIO> client_bio(BIO_new(BIO_f_ssl()));
7620 ASSERT_TRUE(client_bio);
7621 ASSERT_EQ(1, BIO_set_ssl(client_bio.get(), client.get(), take_ownership));
7622 if (take_ownership) {
7623 client.release();
7624 }
7625
7626 // Flushing the BIO should not crash.
7627 EXPECT_EQ(1, BIO_flush(client_bio.get()));
7628
7629 // Exchange some data.
7630 EXPECT_EQ(5, BIO_write(client_bio.get(), "hello", 5));
7631 uint8_t buf[5];
7632 ASSERT_EQ(5, SSL_read(server.get(), buf, sizeof(buf)));
7633 EXPECT_EQ(Bytes("hello"), Bytes(buf));
7634
7635 EXPECT_EQ(5, SSL_write(server.get(), "world", 5));
7636 ASSERT_EQ(5, BIO_read(client_bio.get(), buf, sizeof(buf)));
7637 EXPECT_EQ(Bytes("world"), Bytes(buf));
7638
7639 // |BIO_should_read| should work.
7640 EXPECT_EQ(-1, BIO_read(client_bio.get(), buf, sizeof(buf)));
7641 EXPECT_TRUE(BIO_should_read(client_bio.get()));
7642
7643 // Writing data should eventually exceed the buffer size and fail, reporting
7644 // |BIO_should_write|.
7645 int ret;
7646 for (int i = 0; i < 1024; i++) {
7647 std::vector<uint8_t> buffer(1024);
7648 ret = BIO_write(client_bio.get(), buffer.data(), buffer.size());
7649 if (ret <= 0) {
7650 break;
7651 }
7652 }
7653 EXPECT_EQ(-1, ret);
7654 EXPECT_TRUE(BIO_should_write(client_bio.get()));
7655 }
7656 }
7657
TEST(SSLTest,ALPNConfig)7658 TEST(SSLTest, ALPNConfig) {
7659 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
7660 ASSERT_TRUE(ctx);
7661 bssl::UniquePtr<X509> cert = GetTestCertificate();
7662 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
7663 ASSERT_TRUE(cert);
7664 ASSERT_TRUE(key);
7665 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), cert.get()));
7666 ASSERT_TRUE(SSL_CTX_use_PrivateKey(ctx.get(), key.get()));
7667
7668 // Set up some machinery to check the configured ALPN against what is actually
7669 // sent over the wire. Note that the ALPN callback is only called when the
7670 // client offers ALPN.
7671 std::vector<uint8_t> observed_alpn;
7672 SSL_CTX_set_alpn_select_cb(
7673 ctx.get(),
7674 [](SSL *ssl, const uint8_t **out, uint8_t *out_len, const uint8_t *in,
7675 unsigned in_len, void *arg) -> int {
7676 std::vector<uint8_t> *observed_alpn_ptr =
7677 static_cast<std::vector<uint8_t> *>(arg);
7678 observed_alpn_ptr->assign(in, in + in_len);
7679 return SSL_TLSEXT_ERR_NOACK;
7680 },
7681 &observed_alpn);
7682 auto check_alpn_proto = [&](Span<const uint8_t> expected) {
7683 observed_alpn.clear();
7684 bssl::UniquePtr<SSL> client, server;
7685 EXPECT_TRUE(ConnectClientAndServer(&client, &server, ctx.get(), ctx.get()));
7686 EXPECT_EQ(Bytes(expected), Bytes(observed_alpn));
7687 };
7688
7689 // Note that |SSL_CTX_set_alpn_protos|'s return value is reversed.
7690 static const uint8_t kValidList[] = {0x03, 'f', 'o', 'o',
7691 0x03, 'b', 'a', 'r'};
7692 EXPECT_EQ(0,
7693 SSL_CTX_set_alpn_protos(ctx.get(), kValidList, sizeof(kValidList)));
7694 check_alpn_proto(kValidList);
7695
7696 // Invalid lists are rejected.
7697 static const uint8_t kInvalidList[] = {0x04, 'f', 'o', 'o'};
7698 EXPECT_EQ(1, SSL_CTX_set_alpn_protos(ctx.get(), kInvalidList,
7699 sizeof(kInvalidList)));
7700
7701 // Empty lists are valid and are interpreted as disabling ALPN.
7702 EXPECT_EQ(0, SSL_CTX_set_alpn_protos(ctx.get(), nullptr, 0));
7703 check_alpn_proto({});
7704 }
7705
7706 // Test that the key usage checker can correctly handle issuerUID and
7707 // subjectUID. See https://crbug.com/1199744.
TEST(SSLTest,KeyUsageWithUIDs)7708 TEST(SSLTest, KeyUsageWithUIDs) {
7709 static const char kGoodKeyUsage[] = R"(
7710 -----BEGIN CERTIFICATE-----
7711 MIIB7DCCAZOgAwIBAgIJANlMBNpJfb/rMAoGCCqGSM49BAMCMEUxCzAJBgNVBAYT
7712 AkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRn
7713 aXRzIFB0eSBMdGQwHhcNMTQwNDIzMjMyMTU3WhcNMTQwNTIzMjMyMTU3WjBFMQsw
7714 CQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJu
7715 ZXQgV2lkZ2l0cyBQdHkgTHRkMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE5itp
7716 4r9ln5e+Lx4NlIpM1Zdrt6keDUb73ampHp3culoB59aXqAoY+cPEox5W4nyDSNsW
7717 Ghz1HX7xlC1Lz3IiwYEEABI0VoIEABI0VqNgMF4wHQYDVR0OBBYEFKuE0qyrlfCC
7718 ThZ4B1VXX+QmjYLRMB8GA1UdIwQYMBaAFKuE0qyrlfCCThZ4B1VXX+QmjYLRMA4G
7719 A1UdDwEB/wQEAwIHgDAMBgNVHRMEBTADAQH/MAoGCCqGSM49BAMCA0cAMEQCIEWJ
7720 34EcqW5MHwLIA1hZ2Tj/jV2QjN02KLxis9mFsqDKAiAMlMTkzsM51vVs9Ohqa+Rc
7721 4Z7qDhjIhiF4dM0uEDYRVA==
7722 -----END CERTIFICATE-----
7723 )";
7724 static const char kBadKeyUsage[] = R"(
7725 -----BEGIN CERTIFICATE-----
7726 MIIB7jCCAZOgAwIBAgIJANlMBNpJfb/rMAoGCCqGSM49BAMCMEUxCzAJBgNVBAYT
7727 AkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRn
7728 aXRzIFB0eSBMdGQwHhcNMTQwNDIzMjMyMTU3WhcNMTQwNTIzMjMyMTU3WjBFMQsw
7729 CQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJu
7730 ZXQgV2lkZ2l0cyBQdHkgTHRkMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE5itp
7731 4r9ln5e+Lx4NlIpM1Zdrt6keDUb73ampHp3culoB59aXqAoY+cPEox5W4nyDSNsW
7732 Ghz1HX7xlC1Lz3IiwYEEABI0VoIEABI0VqNgMF4wHQYDVR0OBBYEFKuE0qyrlfCC
7733 ThZ4B1VXX+QmjYLRMB8GA1UdIwQYMBaAFKuE0qyrlfCCThZ4B1VXX+QmjYLRMA4G
7734 A1UdDwEB/wQEAwIDCDAMBgNVHRMEBTADAQH/MAoGCCqGSM49BAMCA0kAMEYCIQC6
7735 taYBUDu2gcZC6EMk79FBHArYI0ucF+kzvETegZCbBAIhANtObFec5gtso/47moPD
7736 RHrQbWsFUakETXL9QMlegh5t
7737 -----END CERTIFICATE-----
7738 )";
7739
7740 bssl::UniquePtr<X509> good = CertFromPEM(kGoodKeyUsage);
7741 ASSERT_TRUE(good);
7742 bssl::UniquePtr<X509> bad = CertFromPEM(kBadKeyUsage);
7743 ASSERT_TRUE(bad);
7744
7745 // We check key usage when configuring EC certificates to distinguish ECDSA
7746 // and ECDH.
7747 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
7748 ASSERT_TRUE(ctx);
7749 EXPECT_TRUE(SSL_CTX_use_certificate(ctx.get(), good.get()));
7750 EXPECT_FALSE(SSL_CTX_use_certificate(ctx.get(), bad.get()));
7751 }
7752
7753 // Test that |SSL_can_release_private_key| reports true as early as expected.
7754 // The internal asserts in the library check we do not report true too early.
TEST(SSLTest,CanReleasePrivateKey)7755 TEST(SSLTest, CanReleasePrivateKey) {
7756 bssl::UniquePtr<SSL_CTX> client_ctx =
7757 CreateContextWithTestCertificate(TLS_method());
7758 ASSERT_TRUE(client_ctx);
7759 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
7760
7761 // Note this assumes the transport buffer is large enough to fit the client
7762 // and server first flights. We check this with |SSL_ERROR_WANT_READ|. If the
7763 // transport buffer was too small it would return |SSL_ERROR_WANT_WRITE|.
7764 auto check_first_server_round_trip = [&](SSL *client, SSL *server) {
7765 // Write the ClientHello.
7766 ASSERT_EQ(-1, SSL_do_handshake(client));
7767 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(client, -1));
7768
7769 // Consume the ClientHello and write the server flight.
7770 ASSERT_EQ(-1, SSL_do_handshake(server));
7771 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(server, -1));
7772
7773 EXPECT_TRUE(SSL_can_release_private_key(server));
7774 };
7775
7776 {
7777 SCOPED_TRACE("TLS 1.2 ECDHE");
7778 bssl::UniquePtr<SSL_CTX> server_ctx(
7779 CreateContextWithTestCertificate(TLS_method()));
7780 ASSERT_TRUE(server_ctx);
7781 ASSERT_TRUE(
7782 SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_2_VERSION));
7783 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(
7784 server_ctx.get(), "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"));
7785 // Configure the server to request client certificates, so we can also test
7786 // the client half.
7787 SSL_CTX_set_custom_verify(
7788 server_ctx.get(), SSL_VERIFY_PEER,
7789 [](SSL *ssl, uint8_t *out_alert) { return ssl_verify_ok; });
7790 bssl::UniquePtr<SSL> client, server;
7791 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
7792 server_ctx.get()));
7793 check_first_server_round_trip(client.get(), server.get());
7794
7795 // Consume the server flight and write the client response. The client still
7796 // has a Finished message to consume but can also release its key early.
7797 ASSERT_EQ(-1, SSL_do_handshake(client.get()));
7798 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(client.get(), -1));
7799 EXPECT_TRUE(SSL_can_release_private_key(client.get()));
7800
7801 // However, a client that has not disabled renegotiation can never release
7802 // the key.
7803 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
7804 server_ctx.get()));
7805 SSL_set_renegotiate_mode(client.get(), ssl_renegotiate_freely);
7806 check_first_server_round_trip(client.get(), server.get());
7807 ASSERT_EQ(-1, SSL_do_handshake(client.get()));
7808 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(client.get(), -1));
7809 EXPECT_FALSE(SSL_can_release_private_key(client.get()));
7810 }
7811
7812 {
7813 SCOPED_TRACE("TLS 1.2 resumption");
7814 bssl::UniquePtr<SSL_CTX> server_ctx(
7815 CreateContextWithTestCertificate(TLS_method()));
7816 ASSERT_TRUE(server_ctx);
7817 ASSERT_TRUE(
7818 SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_2_VERSION));
7819 bssl::UniquePtr<SSL_SESSION> session =
7820 CreateClientSession(client_ctx.get(), server_ctx.get());
7821 ASSERT_TRUE(session);
7822 bssl::UniquePtr<SSL> client, server;
7823 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
7824 server_ctx.get()));
7825 SSL_set_session(client.get(), session.get());
7826 check_first_server_round_trip(client.get(), server.get());
7827 }
7828
7829 {
7830 SCOPED_TRACE("TLS 1.3 1-RTT");
7831 bssl::UniquePtr<SSL_CTX> server_ctx(
7832 CreateContextWithTestCertificate(TLS_method()));
7833 ASSERT_TRUE(server_ctx);
7834 ASSERT_TRUE(
7835 SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
7836 bssl::UniquePtr<SSL> client, server;
7837 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
7838 server_ctx.get()));
7839 check_first_server_round_trip(client.get(), server.get());
7840 }
7841
7842 {
7843 SCOPED_TRACE("TLS 1.3 resumption");
7844 bssl::UniquePtr<SSL_CTX> server_ctx(
7845 CreateContextWithTestCertificate(TLS_method()));
7846 ASSERT_TRUE(server_ctx);
7847 ASSERT_TRUE(
7848 SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
7849 bssl::UniquePtr<SSL_SESSION> session =
7850 CreateClientSession(client_ctx.get(), server_ctx.get());
7851 ASSERT_TRUE(session);
7852 bssl::UniquePtr<SSL> client, server;
7853 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
7854 server_ctx.get()));
7855 SSL_set_session(client.get(), session.get());
7856 check_first_server_round_trip(client.get(), server.get());
7857 }
7858 }
7859
7860 // GetExtensionOrder sets |*out| to the list of extensions a client attached to
7861 // |ctx| will send in the ClientHello. If |ech_keys| is non-null, the client
7862 // will offer ECH with the public component. If |decrypt_ech| is true, |*out|
7863 // will be set to the ClientHelloInner's extensions, rather than
7864 // ClientHelloOuter.
GetExtensionOrder(SSL_CTX * client_ctx,std::vector<uint16_t> * out,SSL_ECH_KEYS * ech_keys,bool decrypt_ech)7865 static bool GetExtensionOrder(SSL_CTX *client_ctx, std::vector<uint16_t> *out,
7866 SSL_ECH_KEYS *ech_keys, bool decrypt_ech) {
7867 struct AppData {
7868 std::vector<uint16_t> *out;
7869 bool decrypt_ech;
7870 bool callback_done = false;
7871 };
7872 AppData app_data;
7873 app_data.out = out;
7874 app_data.decrypt_ech = decrypt_ech;
7875
7876 bssl::UniquePtr<SSL_CTX> server_ctx =
7877 CreateContextWithTestCertificate(TLS_method());
7878 if (!server_ctx || //
7879 !SSL_CTX_set_app_data(server_ctx.get(), &app_data) ||
7880 (decrypt_ech && !SSL_CTX_set1_ech_keys(server_ctx.get(), ech_keys))) {
7881 return false;
7882 }
7883
7884 // Configure the server to record the ClientHello extension order. We use a
7885 // server rather than |GetClientHello| so it can decrypt ClientHelloInner.
7886 SSL_CTX_set_select_certificate_cb(
7887 server_ctx.get(),
7888 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
7889 AppData *app_data_ptr = static_cast<AppData *>(
7890 SSL_CTX_get_app_data(SSL_get_SSL_CTX(client_hello->ssl)));
7891 EXPECT_EQ(app_data_ptr->decrypt_ech ? 1 : 0,
7892 SSL_ech_accepted(client_hello->ssl));
7893
7894 app_data_ptr->out->clear();
7895 CBS extensions;
7896 CBS_init(&extensions, client_hello->extensions,
7897 client_hello->extensions_len);
7898 while (CBS_len(&extensions)) {
7899 uint16_t type;
7900 CBS body;
7901 if (!CBS_get_u16(&extensions, &type) ||
7902 !CBS_get_u16_length_prefixed(&extensions, &body)) {
7903 return ssl_select_cert_error;
7904 }
7905 app_data_ptr->out->push_back(type);
7906 }
7907
7908 // Don't bother completing the handshake.
7909 app_data_ptr->callback_done = true;
7910 return ssl_select_cert_error;
7911 });
7912
7913 bssl::UniquePtr<SSL> client, server;
7914 if (!CreateClientAndServer(&client, &server, client_ctx, server_ctx.get()) ||
7915 (ech_keys != nullptr && !InstallECHConfigList(client.get(), ech_keys))) {
7916 return false;
7917 }
7918
7919 // Run the handshake far enough to process the ClientHello.
7920 SSL_do_handshake(client.get());
7921 SSL_do_handshake(server.get());
7922 return app_data.callback_done;
7923 }
7924
7925 // Test that, when extension permutation is enabled, the ClientHello extension
7926 // order changes, both with and without ECH, and in both ClientHelloInner and
7927 // ClientHelloOuter.
TEST(SSLTest,PermuteExtensions)7928 TEST(SSLTest, PermuteExtensions) {
7929 bssl::UniquePtr<SSL_ECH_KEYS> keys = MakeTestECHKeys();
7930 ASSERT_TRUE(keys);
7931 for (bool offer_ech : {false, true}) {
7932 SCOPED_TRACE(offer_ech);
7933 SSL_ECH_KEYS *maybe_keys = offer_ech ? keys.get() : nullptr;
7934 for (bool decrypt_ech : {false, true}) {
7935 SCOPED_TRACE(decrypt_ech);
7936 if (!offer_ech && decrypt_ech) {
7937 continue;
7938 }
7939
7940 // When extension permutation is disabled, the order should be consistent.
7941 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
7942 ASSERT_TRUE(ctx);
7943 std::vector<uint16_t> order1, order2;
7944 ASSERT_TRUE(
7945 GetExtensionOrder(ctx.get(), &order1, maybe_keys, decrypt_ech));
7946 ASSERT_TRUE(
7947 GetExtensionOrder(ctx.get(), &order2, maybe_keys, decrypt_ech));
7948 EXPECT_EQ(order1, order2);
7949
7950 ctx.reset(SSL_CTX_new(TLS_method()));
7951 ASSERT_TRUE(ctx);
7952 SSL_CTX_set_permute_extensions(ctx.get(), 1);
7953
7954 // When extension permutation is enabled, each ClientHello should have a
7955 // different order.
7956 //
7957 // This test is inherently flaky, so we run it multiple times. We send at
7958 // least five extensions by default from TLS 1.3: supported_versions,
7959 // key_share, supported_groups, psk_key_exchange_modes, and
7960 // signature_algorithms. That means the probability of a false negative is
7961 // at most 1/120. Repeating the test 14 times lowers false negative rate
7962 // to under 2^-96.
7963 ASSERT_TRUE(
7964 GetExtensionOrder(ctx.get(), &order1, maybe_keys, decrypt_ech));
7965 EXPECT_GE(order1.size(), 5u);
7966 static const int kNumIterations = 14;
7967 bool passed = false;
7968 for (int i = 0; i < kNumIterations; i++) {
7969 ASSERT_TRUE(
7970 GetExtensionOrder(ctx.get(), &order2, maybe_keys, decrypt_ech));
7971 if (order1 != order2) {
7972 passed = true;
7973 break;
7974 }
7975 }
7976 EXPECT_TRUE(passed) << "Extensions were not permuted";
7977 }
7978 }
7979 }
7980
7981 } // namespace
7982 BSSL_NAMESPACE_END
7983