1 /* Copyright (c) 2014, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15 #if !defined(__STDC_FORMAT_MACROS)
16 #define __STDC_FORMAT_MACROS
17 #endif
18
19 #include <openssl/base.h>
20
21 #if !defined(OPENSSL_WINDOWS)
22 #include <arpa/inet.h>
23 #include <netinet/in.h>
24 #include <netinet/tcp.h>
25 #include <signal.h>
26 #include <sys/socket.h>
27 #include <sys/time.h>
28 #include <unistd.h>
29 #else
30 #include <io.h>
31 OPENSSL_MSVC_PRAGMA(warning(push, 3))
32 #include <winsock2.h>
33 #include <ws2tcpip.h>
34 OPENSSL_MSVC_PRAGMA(warning(pop))
35
36 OPENSSL_MSVC_PRAGMA(comment(lib, "Ws2_32.lib"))
37 #endif
38
39 #include <assert.h>
40 #include <inttypes.h>
41 #include <string.h>
42
43 #include <openssl/aead.h>
44 #include <openssl/bio.h>
45 #include <openssl/buf.h>
46 #include <openssl/bytestring.h>
47 #include <openssl/cipher.h>
48 #include <openssl/crypto.h>
49 #include <openssl/dh.h>
50 #include <openssl/digest.h>
51 #include <openssl/err.h>
52 #include <openssl/evp.h>
53 #include <openssl/hmac.h>
54 #include <openssl/nid.h>
55 #include <openssl/rand.h>
56 #include <openssl/ssl.h>
57 #include <openssl/x509.h>
58
59 #include <memory>
60 #include <string>
61 #include <vector>
62
63 #include "../../crypto/internal.h"
64 #include "async_bio.h"
65 #include "packeted_bio.h"
66 #include "test_config.h"
67
68
69 static CRYPTO_BUFFER_POOL *g_pool = nullptr;
70
71 #if !defined(OPENSSL_WINDOWS)
closesocket(int sock)72 static int closesocket(int sock) {
73 return close(sock);
74 }
75
PrintSocketError(const char * func)76 static void PrintSocketError(const char *func) {
77 perror(func);
78 }
79 #else
PrintSocketError(const char * func)80 static void PrintSocketError(const char *func) {
81 fprintf(stderr, "%s: %d\n", func, WSAGetLastError());
82 }
83 #endif
84
Usage(const char * program)85 static int Usage(const char *program) {
86 fprintf(stderr, "Usage: %s [flags...]\n", program);
87 return 1;
88 }
89
90 struct TestState {
91 // async_bio is async BIO which pauses reads and writes.
92 BIO *async_bio = nullptr;
93 // packeted_bio is the packeted BIO which simulates read timeouts.
94 BIO *packeted_bio = nullptr;
95 bssl::UniquePtr<EVP_PKEY> channel_id;
96 bool cert_ready = false;
97 bssl::UniquePtr<SSL_SESSION> session;
98 bssl::UniquePtr<SSL_SESSION> pending_session;
99 bool early_callback_called = false;
100 bool handshake_done = false;
101 // private_key is the underlying private key used when testing custom keys.
102 bssl::UniquePtr<EVP_PKEY> private_key;
103 std::vector<uint8_t> private_key_result;
104 // private_key_retries is the number of times an asynchronous private key
105 // operation has been retried.
106 unsigned private_key_retries = 0;
107 bool got_new_session = false;
108 bssl::UniquePtr<SSL_SESSION> new_session;
109 bool ticket_decrypt_done = false;
110 bool alpn_select_done = false;
111 bool is_resume = false;
112 bool early_callback_ready = false;
113 };
114
TestStateExFree(void * parent,void * ptr,CRYPTO_EX_DATA * ad,int index,long argl,void * argp)115 static void TestStateExFree(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
116 int index, long argl, void *argp) {
117 delete ((TestState *)ptr);
118 }
119
120 static int g_config_index = 0;
121 static int g_state_index = 0;
122
SetTestConfig(SSL * ssl,const TestConfig * config)123 static bool SetTestConfig(SSL *ssl, const TestConfig *config) {
124 return SSL_set_ex_data(ssl, g_config_index, (void *)config) == 1;
125 }
126
GetTestConfig(const SSL * ssl)127 static const TestConfig *GetTestConfig(const SSL *ssl) {
128 return (const TestConfig *)SSL_get_ex_data(ssl, g_config_index);
129 }
130
SetTestState(SSL * ssl,std::unique_ptr<TestState> state)131 static bool SetTestState(SSL *ssl, std::unique_ptr<TestState> state) {
132 // |SSL_set_ex_data| takes ownership of |state| only on success.
133 if (SSL_set_ex_data(ssl, g_state_index, state.get()) == 1) {
134 state.release();
135 return true;
136 }
137 return false;
138 }
139
GetTestState(const SSL * ssl)140 static TestState *GetTestState(const SSL *ssl) {
141 return (TestState *)SSL_get_ex_data(ssl, g_state_index);
142 }
143
LoadCertificate(bssl::UniquePtr<X509> * out_x509,bssl::UniquePtr<STACK_OF (X509)> * out_chain,const std::string & file)144 static bool LoadCertificate(bssl::UniquePtr<X509> *out_x509,
145 bssl::UniquePtr<STACK_OF(X509)> *out_chain,
146 const std::string &file) {
147 bssl::UniquePtr<BIO> bio(BIO_new(BIO_s_file()));
148 if (!bio || !BIO_read_filename(bio.get(), file.c_str())) {
149 return false;
150 }
151
152 out_x509->reset(PEM_read_bio_X509(bio.get(), nullptr, nullptr, nullptr));
153 if (!*out_x509) {
154 return false;
155 }
156
157 out_chain->reset(sk_X509_new_null());
158 if (!*out_chain) {
159 return false;
160 }
161
162 // Keep reading the certificate chain.
163 for (;;) {
164 bssl::UniquePtr<X509> cert(
165 PEM_read_bio_X509(bio.get(), nullptr, nullptr, nullptr));
166 if (!cert) {
167 break;
168 }
169
170 if (!sk_X509_push(out_chain->get(), cert.get())) {
171 return false;
172 }
173 cert.release(); // sk_X509_push takes ownership.
174 }
175
176 uint32_t err = ERR_peek_last_error();
177 if (ERR_GET_LIB(err) != ERR_LIB_PEM ||
178 ERR_GET_REASON(err) != PEM_R_NO_START_LINE) {
179 return false;
180 }
181
182 ERR_clear_error();
183 return true;
184 }
185
LoadPrivateKey(const std::string & file)186 static bssl::UniquePtr<EVP_PKEY> LoadPrivateKey(const std::string &file) {
187 bssl::UniquePtr<BIO> bio(BIO_new(BIO_s_file()));
188 if (!bio || !BIO_read_filename(bio.get(), file.c_str())) {
189 return nullptr;
190 }
191 return bssl::UniquePtr<EVP_PKEY>(
192 PEM_read_bio_PrivateKey(bio.get(), NULL, NULL, NULL));
193 }
194
FromHexDigit(uint8_t * out,char c)195 static bool FromHexDigit(uint8_t *out, char c) {
196 if ('0' <= c && c <= '9') {
197 *out = c - '0';
198 return true;
199 }
200 if ('a' <= c && c <= 'f') {
201 *out = c - 'a' + 10;
202 return true;
203 }
204 if ('A' <= c && c <= 'F') {
205 *out = c - 'A' + 10;
206 return true;
207 }
208 return false;
209 }
210
HexDecode(std::string * out,const std::string & in)211 static bool HexDecode(std::string *out, const std::string &in) {
212 if ((in.size() & 1) != 0) {
213 return false;
214 }
215
216 std::unique_ptr<uint8_t[]> buf(new uint8_t[in.size() / 2]);
217 for (size_t i = 0; i < in.size() / 2; i++) {
218 uint8_t high, low;
219 if (!FromHexDigit(&high, in[i*2]) ||
220 !FromHexDigit(&low, in[i*2+1])) {
221 return false;
222 }
223 buf[i] = (high << 4) | low;
224 }
225
226 out->assign(reinterpret_cast<const char *>(buf.get()), in.size() / 2);
227 return true;
228 }
229
SplitParts(const std::string & in,const char delim)230 static std::vector<std::string> SplitParts(const std::string &in,
231 const char delim) {
232 std::vector<std::string> ret;
233 size_t start = 0;
234
235 for (size_t i = 0; i < in.size(); i++) {
236 if (in[i] == delim) {
237 ret.push_back(in.substr(start, i - start));
238 start = i + 1;
239 }
240 }
241
242 ret.push_back(in.substr(start, std::string::npos));
243 return ret;
244 }
245
DecodeHexStrings(const std::string & hex_strings)246 static std::vector<std::string> DecodeHexStrings(
247 const std::string &hex_strings) {
248 std::vector<std::string> ret;
249 const std::vector<std::string> parts = SplitParts(hex_strings, ',');
250
251 for (const auto &part : parts) {
252 std::string binary;
253 if (!HexDecode(&binary, part)) {
254 fprintf(stderr, "Bad hex string: %s\n", part.c_str());
255 return ret;
256 }
257
258 ret.push_back(binary);
259 }
260
261 return ret;
262 }
263
DecodeHexX509Names(const std::string & hex_names)264 static bssl::UniquePtr<STACK_OF(X509_NAME)> DecodeHexX509Names(
265 const std::string &hex_names) {
266 const std::vector<std::string> der_names = DecodeHexStrings(hex_names);
267 bssl::UniquePtr<STACK_OF(X509_NAME)> ret(sk_X509_NAME_new_null());
268
269 for (const auto &der_name : der_names) {
270 const uint8_t *const data =
271 reinterpret_cast<const uint8_t *>(der_name.data());
272 const uint8_t *derp = data;
273 bssl::UniquePtr<X509_NAME> name(
274 d2i_X509_NAME(nullptr, &derp, der_name.size()));
275 if (!name || derp != data + der_name.size()) {
276 fprintf(stderr, "Failed to parse X509_NAME.\n");
277 return nullptr;
278 }
279
280 if (!sk_X509_NAME_push(ret.get(), name.get())) {
281 return nullptr;
282 }
283 name.release();
284 }
285
286 return ret;
287 }
288
AsyncPrivateKeyType(SSL * ssl)289 static int AsyncPrivateKeyType(SSL *ssl) {
290 EVP_PKEY *key = GetTestState(ssl)->private_key.get();
291 switch (EVP_PKEY_id(key)) {
292 case EVP_PKEY_RSA:
293 return NID_rsaEncryption;
294 case EVP_PKEY_EC:
295 return EC_GROUP_get_curve_name(
296 EC_KEY_get0_group(EVP_PKEY_get0_EC_KEY(key)));
297 default:
298 return NID_undef;
299 }
300 }
301
AsyncPrivateKeyMaxSignatureLen(SSL * ssl)302 static size_t AsyncPrivateKeyMaxSignatureLen(SSL *ssl) {
303 return EVP_PKEY_size(GetTestState(ssl)->private_key.get());
304 }
305
AsyncPrivateKeySign(SSL * ssl,uint8_t * out,size_t * out_len,size_t max_out,uint16_t signature_algorithm,const uint8_t * in,size_t in_len)306 static ssl_private_key_result_t AsyncPrivateKeySign(
307 SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out,
308 uint16_t signature_algorithm, const uint8_t *in, size_t in_len) {
309 TestState *test_state = GetTestState(ssl);
310 if (!test_state->private_key_result.empty()) {
311 fprintf(stderr, "AsyncPrivateKeySign called with operation pending.\n");
312 abort();
313 }
314
315 // Determine the hash.
316 const EVP_MD *md;
317 switch (signature_algorithm) {
318 case SSL_SIGN_RSA_PKCS1_SHA1:
319 case SSL_SIGN_ECDSA_SHA1:
320 md = EVP_sha1();
321 break;
322 case SSL_SIGN_RSA_PKCS1_SHA256:
323 case SSL_SIGN_ECDSA_SECP256R1_SHA256:
324 case SSL_SIGN_RSA_PSS_SHA256:
325 md = EVP_sha256();
326 break;
327 case SSL_SIGN_RSA_PKCS1_SHA384:
328 case SSL_SIGN_ECDSA_SECP384R1_SHA384:
329 case SSL_SIGN_RSA_PSS_SHA384:
330 md = EVP_sha384();
331 break;
332 case SSL_SIGN_RSA_PKCS1_SHA512:
333 case SSL_SIGN_ECDSA_SECP521R1_SHA512:
334 case SSL_SIGN_RSA_PSS_SHA512:
335 md = EVP_sha512();
336 break;
337 case SSL_SIGN_RSA_PKCS1_MD5_SHA1:
338 md = EVP_md5_sha1();
339 break;
340 default:
341 fprintf(stderr, "Unknown signature algorithm %04x.\n",
342 signature_algorithm);
343 return ssl_private_key_failure;
344 }
345
346 bssl::ScopedEVP_MD_CTX ctx;
347 EVP_PKEY_CTX *pctx;
348 if (!EVP_DigestSignInit(ctx.get(), &pctx, md, nullptr,
349 test_state->private_key.get())) {
350 return ssl_private_key_failure;
351 }
352
353 // Configure additional signature parameters.
354 switch (signature_algorithm) {
355 case SSL_SIGN_RSA_PSS_SHA256:
356 case SSL_SIGN_RSA_PSS_SHA384:
357 case SSL_SIGN_RSA_PSS_SHA512:
358 if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) ||
359 !EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
360 -1 /* salt len = hash len */)) {
361 return ssl_private_key_failure;
362 }
363 }
364
365 // Write the signature into |test_state|.
366 size_t len = 0;
367 if (!EVP_DigestSignUpdate(ctx.get(), in, in_len) ||
368 !EVP_DigestSignFinal(ctx.get(), nullptr, &len)) {
369 return ssl_private_key_failure;
370 }
371 test_state->private_key_result.resize(len);
372 if (!EVP_DigestSignFinal(ctx.get(), test_state->private_key_result.data(),
373 &len)) {
374 return ssl_private_key_failure;
375 }
376 test_state->private_key_result.resize(len);
377
378 // The signature will be released asynchronously in |AsyncPrivateKeyComplete|.
379 return ssl_private_key_retry;
380 }
381
AsyncPrivateKeyDecrypt(SSL * ssl,uint8_t * out,size_t * out_len,size_t max_out,const uint8_t * in,size_t in_len)382 static ssl_private_key_result_t AsyncPrivateKeyDecrypt(
383 SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out,
384 const uint8_t *in, size_t in_len) {
385 TestState *test_state = GetTestState(ssl);
386 if (!test_state->private_key_result.empty()) {
387 fprintf(stderr,
388 "AsyncPrivateKeyDecrypt called with operation pending.\n");
389 abort();
390 }
391
392 RSA *rsa = EVP_PKEY_get0_RSA(test_state->private_key.get());
393 if (rsa == NULL) {
394 fprintf(stderr,
395 "AsyncPrivateKeyDecrypt called with incorrect key type.\n");
396 abort();
397 }
398 test_state->private_key_result.resize(RSA_size(rsa));
399 if (!RSA_decrypt(rsa, out_len, test_state->private_key_result.data(),
400 RSA_size(rsa), in, in_len, RSA_NO_PADDING)) {
401 return ssl_private_key_failure;
402 }
403
404 test_state->private_key_result.resize(*out_len);
405
406 // The decryption will be released asynchronously in |AsyncPrivateComplete|.
407 return ssl_private_key_retry;
408 }
409
AsyncPrivateKeyComplete(SSL * ssl,uint8_t * out,size_t * out_len,size_t max_out)410 static ssl_private_key_result_t AsyncPrivateKeyComplete(
411 SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out) {
412 TestState *test_state = GetTestState(ssl);
413 if (test_state->private_key_result.empty()) {
414 fprintf(stderr,
415 "AsyncPrivateKeyComplete called without operation pending.\n");
416 abort();
417 }
418
419 if (test_state->private_key_retries < 2) {
420 // Only return the decryption on the second attempt, to test both incomplete
421 // |decrypt| and |decrypt_complete|.
422 return ssl_private_key_retry;
423 }
424
425 if (max_out < test_state->private_key_result.size()) {
426 fprintf(stderr, "Output buffer too small.\n");
427 return ssl_private_key_failure;
428 }
429 OPENSSL_memcpy(out, test_state->private_key_result.data(),
430 test_state->private_key_result.size());
431 *out_len = test_state->private_key_result.size();
432
433 test_state->private_key_result.clear();
434 test_state->private_key_retries = 0;
435 return ssl_private_key_success;
436 }
437
438 static const SSL_PRIVATE_KEY_METHOD g_async_private_key_method = {
439 AsyncPrivateKeyType,
440 AsyncPrivateKeyMaxSignatureLen,
441 AsyncPrivateKeySign,
442 nullptr /* sign_digest */,
443 AsyncPrivateKeyDecrypt,
444 AsyncPrivateKeyComplete,
445 };
446
447 template<typename T>
448 struct Free {
operator ()Free449 void operator()(T *buf) {
450 free(buf);
451 }
452 };
453
GetCertificate(SSL * ssl,bssl::UniquePtr<X509> * out_x509,bssl::UniquePtr<STACK_OF (X509)> * out_chain,bssl::UniquePtr<EVP_PKEY> * out_pkey)454 static bool GetCertificate(SSL *ssl, bssl::UniquePtr<X509> *out_x509,
455 bssl::UniquePtr<STACK_OF(X509)> *out_chain,
456 bssl::UniquePtr<EVP_PKEY> *out_pkey) {
457 const TestConfig *config = GetTestConfig(ssl);
458
459 if (!config->digest_prefs.empty()) {
460 std::unique_ptr<char, Free<char>> digest_prefs(
461 strdup(config->digest_prefs.c_str()));
462 std::vector<int> digest_list;
463
464 for (;;) {
465 char *token =
466 strtok(digest_list.empty() ? digest_prefs.get() : nullptr, ",");
467 if (token == nullptr) {
468 break;
469 }
470
471 digest_list.push_back(EVP_MD_type(EVP_get_digestbyname(token)));
472 }
473
474 if (!SSL_set_private_key_digest_prefs(ssl, digest_list.data(),
475 digest_list.size())) {
476 return false;
477 }
478 }
479
480 if (!config->signing_prefs.empty()) {
481 std::vector<uint16_t> u16s(config->signing_prefs.begin(),
482 config->signing_prefs.end());
483 if (!SSL_set_signing_algorithm_prefs(ssl, u16s.data(), u16s.size())) {
484 return false;
485 }
486 }
487
488 if (!config->key_file.empty()) {
489 *out_pkey = LoadPrivateKey(config->key_file.c_str());
490 if (!*out_pkey) {
491 return false;
492 }
493 }
494 if (!config->cert_file.empty() &&
495 !LoadCertificate(out_x509, out_chain, config->cert_file.c_str())) {
496 return false;
497 }
498 if (!config->ocsp_response.empty() &&
499 !SSL_set_ocsp_response(ssl, (const uint8_t *)config->ocsp_response.data(),
500 config->ocsp_response.size())) {
501 return false;
502 }
503 return true;
504 }
505
InstallCertificate(SSL * ssl)506 static bool InstallCertificate(SSL *ssl) {
507 bssl::UniquePtr<X509> x509;
508 bssl::UniquePtr<STACK_OF(X509)> chain;
509 bssl::UniquePtr<EVP_PKEY> pkey;
510 if (!GetCertificate(ssl, &x509, &chain, &pkey)) {
511 return false;
512 }
513
514 if (pkey) {
515 TestState *test_state = GetTestState(ssl);
516 const TestConfig *config = GetTestConfig(ssl);
517 if (config->async) {
518 test_state->private_key = std::move(pkey);
519 SSL_set_private_key_method(ssl, &g_async_private_key_method);
520 } else if (!SSL_use_PrivateKey(ssl, pkey.get())) {
521 return false;
522 }
523 }
524
525 if (x509 && !SSL_use_certificate(ssl, x509.get())) {
526 return false;
527 }
528
529 if (sk_X509_num(chain.get()) > 0 &&
530 !SSL_set1_chain(ssl, chain.get())) {
531 return false;
532 }
533
534 return true;
535 }
536
SelectCertificateCallback(const SSL_CLIENT_HELLO * client_hello)537 static enum ssl_select_cert_result_t SelectCertificateCallback(
538 const SSL_CLIENT_HELLO *client_hello) {
539 const TestConfig *config = GetTestConfig(client_hello->ssl);
540 GetTestState(client_hello->ssl)->early_callback_called = true;
541
542 if (!config->expected_server_name.empty()) {
543 const uint8_t *extension_data;
544 size_t extension_len;
545 CBS extension, server_name_list, host_name;
546 uint8_t name_type;
547
548 if (!SSL_early_callback_ctx_extension_get(
549 client_hello, TLSEXT_TYPE_server_name, &extension_data,
550 &extension_len)) {
551 fprintf(stderr, "Could not find server_name extension.\n");
552 return ssl_select_cert_error;
553 }
554
555 CBS_init(&extension, extension_data, extension_len);
556 if (!CBS_get_u16_length_prefixed(&extension, &server_name_list) ||
557 CBS_len(&extension) != 0 ||
558 !CBS_get_u8(&server_name_list, &name_type) ||
559 name_type != TLSEXT_NAMETYPE_host_name ||
560 !CBS_get_u16_length_prefixed(&server_name_list, &host_name) ||
561 CBS_len(&server_name_list) != 0) {
562 fprintf(stderr, "Could not decode server_name extension.\n");
563 return ssl_select_cert_error;
564 }
565
566 if (!CBS_mem_equal(&host_name,
567 (const uint8_t*)config->expected_server_name.data(),
568 config->expected_server_name.size())) {
569 fprintf(stderr, "Server name mismatch.\n");
570 }
571 }
572
573 if (config->fail_early_callback) {
574 return ssl_select_cert_error;
575 }
576
577 // Install the certificate in the early callback.
578 if (config->use_early_callback) {
579 bool early_callback_ready =
580 GetTestState(client_hello->ssl)->early_callback_ready;
581 if (config->async && !early_callback_ready) {
582 // Install the certificate asynchronously.
583 return ssl_select_cert_retry;
584 }
585 if (!InstallCertificate(client_hello->ssl)) {
586 return ssl_select_cert_error;
587 }
588 }
589 return ssl_select_cert_success;
590 }
591
CheckCertificateRequest(SSL * ssl)592 static bool CheckCertificateRequest(SSL *ssl) {
593 const TestConfig *config = GetTestConfig(ssl);
594
595 if (!config->expected_certificate_types.empty()) {
596 const uint8_t *certificate_types;
597 size_t certificate_types_len =
598 SSL_get0_certificate_types(ssl, &certificate_types);
599 if (certificate_types_len != config->expected_certificate_types.size() ||
600 OPENSSL_memcmp(certificate_types,
601 config->expected_certificate_types.data(),
602 certificate_types_len) != 0) {
603 fprintf(stderr, "certificate types mismatch\n");
604 return false;
605 }
606 }
607
608 if (!config->expected_client_ca_list.empty()) {
609 bssl::UniquePtr<STACK_OF(X509_NAME)> expected =
610 DecodeHexX509Names(config->expected_client_ca_list);
611 const size_t num_expected = sk_X509_NAME_num(expected.get());
612
613 const STACK_OF(X509_NAME) *received = SSL_get_client_CA_list(ssl);
614 const size_t num_received = sk_X509_NAME_num(received);
615
616 if (num_received != num_expected) {
617 fprintf(stderr, "expected %u names in CertificateRequest but got %u\n",
618 static_cast<unsigned>(num_expected),
619 static_cast<unsigned>(num_received));
620 return false;
621 }
622
623 for (size_t i = 0; i < num_received; i++) {
624 if (X509_NAME_cmp(sk_X509_NAME_value(received, i),
625 sk_X509_NAME_value(expected.get(), i)) != 0) {
626 fprintf(stderr, "names in CertificateRequest differ at index #%d\n",
627 static_cast<unsigned>(i));
628 return false;
629 }
630 }
631
632 STACK_OF(CRYPTO_BUFFER) *buffers = SSL_get0_server_requested_CAs(ssl);
633 if (sk_CRYPTO_BUFFER_num(buffers) != num_received) {
634 fprintf(stderr,
635 "Mismatch between SSL_get_server_requested_CAs and "
636 "SSL_get_client_CA_list.\n");
637 return false;
638 }
639 }
640
641 return true;
642 }
643
ClientCertCallback(SSL * ssl,X509 ** out_x509,EVP_PKEY ** out_pkey)644 static int ClientCertCallback(SSL *ssl, X509 **out_x509, EVP_PKEY **out_pkey) {
645 if (!CheckCertificateRequest(ssl)) {
646 return -1;
647 }
648
649 if (GetTestConfig(ssl)->async && !GetTestState(ssl)->cert_ready) {
650 return -1;
651 }
652
653 bssl::UniquePtr<X509> x509;
654 bssl::UniquePtr<STACK_OF(X509)> chain;
655 bssl::UniquePtr<EVP_PKEY> pkey;
656 if (!GetCertificate(ssl, &x509, &chain, &pkey)) {
657 return -1;
658 }
659
660 // Return zero for no certificate.
661 if (!x509) {
662 return 0;
663 }
664
665 // Chains and asynchronous private keys are not supported with client_cert_cb.
666 *out_x509 = x509.release();
667 *out_pkey = pkey.release();
668 return 1;
669 }
670
CertCallback(SSL * ssl,void * arg)671 static int CertCallback(SSL *ssl, void *arg) {
672 const TestConfig *config = GetTestConfig(ssl);
673
674 // Check the CertificateRequest metadata is as expected.
675 if (!SSL_is_server(ssl) && !CheckCertificateRequest(ssl)) {
676 return -1;
677 }
678
679 if (config->fail_cert_callback) {
680 return 0;
681 }
682
683 // The certificate will be installed via other means.
684 if (!config->async || config->use_early_callback) {
685 return 1;
686 }
687
688 if (!GetTestState(ssl)->cert_ready) {
689 return -1;
690 }
691 if (!InstallCertificate(ssl)) {
692 return 0;
693 }
694 return 1;
695 }
696
VerifySucceed(X509_STORE_CTX * store_ctx,void * arg)697 static int VerifySucceed(X509_STORE_CTX *store_ctx, void *arg) {
698 SSL* ssl = (SSL*)X509_STORE_CTX_get_ex_data(store_ctx,
699 SSL_get_ex_data_X509_STORE_CTX_idx());
700 const TestConfig *config = GetTestConfig(ssl);
701
702 if (!config->expected_ocsp_response.empty()) {
703 const uint8_t *data;
704 size_t len;
705 SSL_get0_ocsp_response(ssl, &data, &len);
706 if (len == 0) {
707 fprintf(stderr, "OCSP response not available in verify callback\n");
708 return 0;
709 }
710 }
711
712 return 1;
713 }
714
VerifyFail(X509_STORE_CTX * store_ctx,void * arg)715 static int VerifyFail(X509_STORE_CTX *store_ctx, void *arg) {
716 store_ctx->error = X509_V_ERR_APPLICATION_VERIFICATION;
717 return 0;
718 }
719
NextProtosAdvertisedCallback(SSL * ssl,const uint8_t ** out,unsigned int * out_len,void * arg)720 static int NextProtosAdvertisedCallback(SSL *ssl, const uint8_t **out,
721 unsigned int *out_len, void *arg) {
722 const TestConfig *config = GetTestConfig(ssl);
723 if (config->advertise_npn.empty()) {
724 return SSL_TLSEXT_ERR_NOACK;
725 }
726
727 *out = (const uint8_t*)config->advertise_npn.data();
728 *out_len = config->advertise_npn.size();
729 return SSL_TLSEXT_ERR_OK;
730 }
731
NextProtoSelectCallback(SSL * ssl,uint8_t ** out,uint8_t * outlen,const uint8_t * in,unsigned inlen,void * arg)732 static int NextProtoSelectCallback(SSL* ssl, uint8_t** out, uint8_t* outlen,
733 const uint8_t* in, unsigned inlen, void* arg) {
734 const TestConfig *config = GetTestConfig(ssl);
735 if (config->select_next_proto.empty()) {
736 return SSL_TLSEXT_ERR_NOACK;
737 }
738
739 *out = (uint8_t*)config->select_next_proto.data();
740 *outlen = config->select_next_proto.size();
741 return SSL_TLSEXT_ERR_OK;
742 }
743
AlpnSelectCallback(SSL * ssl,const uint8_t ** out,uint8_t * outlen,const uint8_t * in,unsigned inlen,void * arg)744 static int AlpnSelectCallback(SSL* ssl, const uint8_t** out, uint8_t* outlen,
745 const uint8_t* in, unsigned inlen, void* arg) {
746 if (GetTestState(ssl)->alpn_select_done) {
747 fprintf(stderr, "AlpnSelectCallback called after completion.\n");
748 exit(1);
749 }
750
751 GetTestState(ssl)->alpn_select_done = true;
752
753 const TestConfig *config = GetTestConfig(ssl);
754 if (config->decline_alpn) {
755 return SSL_TLSEXT_ERR_NOACK;
756 }
757
758 if (!config->expected_advertised_alpn.empty() &&
759 (config->expected_advertised_alpn.size() != inlen ||
760 OPENSSL_memcmp(config->expected_advertised_alpn.data(), in, inlen) !=
761 0)) {
762 fprintf(stderr, "bad ALPN select callback inputs\n");
763 exit(1);
764 }
765
766 *out = (const uint8_t*)config->select_alpn.data();
767 *outlen = config->select_alpn.size();
768 if (GetTestState(ssl)->is_resume && config->select_resume_alpn.size() > 0) {
769 *out = (const uint8_t*)config->select_resume_alpn.data();
770 *outlen = config->select_resume_alpn.size();
771 }
772 return SSL_TLSEXT_ERR_OK;
773 }
774
PskClientCallback(SSL * ssl,const char * hint,char * out_identity,unsigned max_identity_len,uint8_t * out_psk,unsigned max_psk_len)775 static unsigned PskClientCallback(SSL *ssl, const char *hint,
776 char *out_identity,
777 unsigned max_identity_len,
778 uint8_t *out_psk, unsigned max_psk_len) {
779 const TestConfig *config = GetTestConfig(ssl);
780
781 if (config->psk_identity.empty()) {
782 if (hint != nullptr) {
783 fprintf(stderr, "Server PSK hint was non-null.\n");
784 return 0;
785 }
786 } else if (hint == nullptr ||
787 strcmp(hint, config->psk_identity.c_str()) != 0) {
788 fprintf(stderr, "Server PSK hint did not match.\n");
789 return 0;
790 }
791
792 // Account for the trailing '\0' for the identity.
793 if (config->psk_identity.size() >= max_identity_len ||
794 config->psk.size() > max_psk_len) {
795 fprintf(stderr, "PSK buffers too small\n");
796 return 0;
797 }
798
799 BUF_strlcpy(out_identity, config->psk_identity.c_str(),
800 max_identity_len);
801 OPENSSL_memcpy(out_psk, config->psk.data(), config->psk.size());
802 return config->psk.size();
803 }
804
PskServerCallback(SSL * ssl,const char * identity,uint8_t * out_psk,unsigned max_psk_len)805 static unsigned PskServerCallback(SSL *ssl, const char *identity,
806 uint8_t *out_psk, unsigned max_psk_len) {
807 const TestConfig *config = GetTestConfig(ssl);
808
809 if (strcmp(identity, config->psk_identity.c_str()) != 0) {
810 fprintf(stderr, "Client PSK identity did not match.\n");
811 return 0;
812 }
813
814 if (config->psk.size() > max_psk_len) {
815 fprintf(stderr, "PSK buffers too small\n");
816 return 0;
817 }
818
819 OPENSSL_memcpy(out_psk, config->psk.data(), config->psk.size());
820 return config->psk.size();
821 }
822
823 static timeval g_clock;
824
CurrentTimeCallback(const SSL * ssl,timeval * out_clock)825 static void CurrentTimeCallback(const SSL *ssl, timeval *out_clock) {
826 *out_clock = g_clock;
827 }
828
ChannelIdCallback(SSL * ssl,EVP_PKEY ** out_pkey)829 static void ChannelIdCallback(SSL *ssl, EVP_PKEY **out_pkey) {
830 *out_pkey = GetTestState(ssl)->channel_id.release();
831 }
832
GetSessionCallback(SSL * ssl,uint8_t * data,int len,int * copy)833 static SSL_SESSION *GetSessionCallback(SSL *ssl, uint8_t *data, int len,
834 int *copy) {
835 TestState *async_state = GetTestState(ssl);
836 if (async_state->session) {
837 *copy = 0;
838 return async_state->session.release();
839 } else if (async_state->pending_session) {
840 return SSL_magic_pending_session_ptr();
841 } else {
842 return NULL;
843 }
844 }
845
DDoSCallback(const SSL_CLIENT_HELLO * client_hello)846 static int DDoSCallback(const SSL_CLIENT_HELLO *client_hello) {
847 const TestConfig *config = GetTestConfig(client_hello->ssl);
848 static int callback_num = 0;
849
850 callback_num++;
851 if (config->fail_ddos_callback ||
852 (config->fail_second_ddos_callback && callback_num == 2)) {
853 return 0;
854 }
855 return 1;
856 }
857
InfoCallback(const SSL * ssl,int type,int val)858 static void InfoCallback(const SSL *ssl, int type, int val) {
859 if (type == SSL_CB_HANDSHAKE_DONE) {
860 if (GetTestConfig(ssl)->handshake_never_done) {
861 fprintf(stderr, "Handshake unexpectedly completed.\n");
862 // Abort before any expected error code is printed, to ensure the overall
863 // test fails.
864 abort();
865 }
866 GetTestState(ssl)->handshake_done = true;
867
868 // Callbacks may be called again on a new handshake.
869 GetTestState(ssl)->ticket_decrypt_done = false;
870 GetTestState(ssl)->alpn_select_done = false;
871 }
872 }
873
NewSessionCallback(SSL * ssl,SSL_SESSION * session)874 static int NewSessionCallback(SSL *ssl, SSL_SESSION *session) {
875 GetTestState(ssl)->got_new_session = true;
876 GetTestState(ssl)->new_session.reset(session);
877 return 1;
878 }
879
TicketKeyCallback(SSL * ssl,uint8_t * key_name,uint8_t * iv,EVP_CIPHER_CTX * ctx,HMAC_CTX * hmac_ctx,int encrypt)880 static int TicketKeyCallback(SSL *ssl, uint8_t *key_name, uint8_t *iv,
881 EVP_CIPHER_CTX *ctx, HMAC_CTX *hmac_ctx,
882 int encrypt) {
883 if (!encrypt) {
884 if (GetTestState(ssl)->ticket_decrypt_done) {
885 fprintf(stderr, "TicketKeyCallback called after completion.\n");
886 return -1;
887 }
888
889 GetTestState(ssl)->ticket_decrypt_done = true;
890 }
891
892 // This is just test code, so use the all-zeros key.
893 static const uint8_t kZeros[16] = {0};
894
895 if (encrypt) {
896 OPENSSL_memcpy(key_name, kZeros, sizeof(kZeros));
897 RAND_bytes(iv, 16);
898 } else if (OPENSSL_memcmp(key_name, kZeros, 16) != 0) {
899 return 0;
900 }
901
902 if (!HMAC_Init_ex(hmac_ctx, kZeros, sizeof(kZeros), EVP_sha256(), NULL) ||
903 !EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, kZeros, iv, encrypt)) {
904 return -1;
905 }
906
907 if (!encrypt) {
908 return GetTestConfig(ssl)->renew_ticket ? 2 : 1;
909 }
910 return 1;
911 }
912
913 // kCustomExtensionValue is the extension value that the custom extension
914 // callbacks will add.
915 static const uint16_t kCustomExtensionValue = 1234;
916 static void *const kCustomExtensionAddArg =
917 reinterpret_cast<void *>(kCustomExtensionValue);
918 static void *const kCustomExtensionParseArg =
919 reinterpret_cast<void *>(kCustomExtensionValue + 1);
920 static const char kCustomExtensionContents[] = "custom extension";
921
CustomExtensionAddCallback(SSL * ssl,unsigned extension_value,const uint8_t ** out,size_t * out_len,int * out_alert_value,void * add_arg)922 static int CustomExtensionAddCallback(SSL *ssl, unsigned extension_value,
923 const uint8_t **out, size_t *out_len,
924 int *out_alert_value, void *add_arg) {
925 if (extension_value != kCustomExtensionValue ||
926 add_arg != kCustomExtensionAddArg) {
927 abort();
928 }
929
930 if (GetTestConfig(ssl)->custom_extension_skip) {
931 return 0;
932 }
933 if (GetTestConfig(ssl)->custom_extension_fail_add) {
934 return -1;
935 }
936
937 *out = reinterpret_cast<const uint8_t*>(kCustomExtensionContents);
938 *out_len = sizeof(kCustomExtensionContents) - 1;
939
940 return 1;
941 }
942
CustomExtensionFreeCallback(SSL * ssl,unsigned extension_value,const uint8_t * out,void * add_arg)943 static void CustomExtensionFreeCallback(SSL *ssl, unsigned extension_value,
944 const uint8_t *out, void *add_arg) {
945 if (extension_value != kCustomExtensionValue ||
946 add_arg != kCustomExtensionAddArg ||
947 out != reinterpret_cast<const uint8_t *>(kCustomExtensionContents)) {
948 abort();
949 }
950 }
951
CustomExtensionParseCallback(SSL * ssl,unsigned extension_value,const uint8_t * contents,size_t contents_len,int * out_alert_value,void * parse_arg)952 static int CustomExtensionParseCallback(SSL *ssl, unsigned extension_value,
953 const uint8_t *contents,
954 size_t contents_len,
955 int *out_alert_value, void *parse_arg) {
956 if (extension_value != kCustomExtensionValue ||
957 parse_arg != kCustomExtensionParseArg) {
958 abort();
959 }
960
961 if (contents_len != sizeof(kCustomExtensionContents) - 1 ||
962 OPENSSL_memcmp(contents, kCustomExtensionContents, contents_len) != 0) {
963 *out_alert_value = SSL_AD_DECODE_ERROR;
964 return 0;
965 }
966
967 return 1;
968 }
969
ServerNameCallback(SSL * ssl,int * out_alert,void * arg)970 static int ServerNameCallback(SSL *ssl, int *out_alert, void *arg) {
971 // SNI must be accessible from the SNI callback.
972 const TestConfig *config = GetTestConfig(ssl);
973 const char *server_name = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
974 if (server_name == nullptr ||
975 std::string(server_name) != config->expected_server_name) {
976 fprintf(stderr, "servername mismatch (got %s; want %s)\n", server_name,
977 config->expected_server_name.c_str());
978 return SSL_TLSEXT_ERR_ALERT_FATAL;
979 }
980
981 return SSL_TLSEXT_ERR_OK;
982 }
983
984 // Connect returns a new socket connected to localhost on |port| or -1 on
985 // error.
Connect(uint16_t port)986 static int Connect(uint16_t port) {
987 int sock = socket(AF_INET, SOCK_STREAM, 0);
988 if (sock == -1) {
989 PrintSocketError("socket");
990 return -1;
991 }
992 int nodelay = 1;
993 if (setsockopt(sock, IPPROTO_TCP, TCP_NODELAY,
994 reinterpret_cast<const char*>(&nodelay), sizeof(nodelay)) != 0) {
995 PrintSocketError("setsockopt");
996 closesocket(sock);
997 return -1;
998 }
999 sockaddr_in sin;
1000 OPENSSL_memset(&sin, 0, sizeof(sin));
1001 sin.sin_family = AF_INET;
1002 sin.sin_port = htons(port);
1003 if (!inet_pton(AF_INET, "127.0.0.1", &sin.sin_addr)) {
1004 PrintSocketError("inet_pton");
1005 closesocket(sock);
1006 return -1;
1007 }
1008 if (connect(sock, reinterpret_cast<const sockaddr*>(&sin),
1009 sizeof(sin)) != 0) {
1010 PrintSocketError("connect");
1011 closesocket(sock);
1012 return -1;
1013 }
1014 return sock;
1015 }
1016
1017 class SocketCloser {
1018 public:
SocketCloser(int sock)1019 explicit SocketCloser(int sock) : sock_(sock) {}
~SocketCloser()1020 ~SocketCloser() {
1021 // Half-close and drain the socket before releasing it. This seems to be
1022 // necessary for graceful shutdown on Windows. It will also avoid write
1023 // failures in the test runner.
1024 #if defined(OPENSSL_WINDOWS)
1025 shutdown(sock_, SD_SEND);
1026 #else
1027 shutdown(sock_, SHUT_WR);
1028 #endif
1029 while (true) {
1030 char buf[1024];
1031 if (recv(sock_, buf, sizeof(buf), 0) <= 0) {
1032 break;
1033 }
1034 }
1035 closesocket(sock_);
1036 }
1037
1038 private:
1039 const int sock_;
1040 };
1041
SetupCtx(const TestConfig * config)1042 static bssl::UniquePtr<SSL_CTX> SetupCtx(const TestConfig *config) {
1043 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(
1044 config->is_dtls ? DTLS_method() : TLS_method()));
1045 if (!ssl_ctx) {
1046 return nullptr;
1047 }
1048
1049 SSL_CTX_set0_buffer_pool(ssl_ctx.get(), g_pool);
1050
1051 // Enable TLS 1.3 for tests.
1052 if (!config->is_dtls &&
1053 !SSL_CTX_set_max_proto_version(ssl_ctx.get(), TLS1_3_VERSION)) {
1054 return nullptr;
1055 }
1056
1057 std::string cipher_list = "ALL";
1058 if (!config->cipher.empty()) {
1059 cipher_list = config->cipher;
1060 SSL_CTX_set_options(ssl_ctx.get(), SSL_OP_CIPHER_SERVER_PREFERENCE);
1061 }
1062 if (!SSL_CTX_set_strict_cipher_list(ssl_ctx.get(), cipher_list.c_str())) {
1063 return nullptr;
1064 }
1065
1066 bssl::UniquePtr<DH> dh(DH_get_2048_256(NULL));
1067 if (!dh) {
1068 return nullptr;
1069 }
1070
1071 if (config->use_sparse_dh_prime) {
1072 // This prime number is 2^1024 + 643 – a value just above a power of two.
1073 // Because of its form, values modulo it are essentially certain to be one
1074 // byte shorter. This is used to test padding of these values.
1075 if (BN_hex2bn(
1076 &dh->p,
1077 "1000000000000000000000000000000000000000000000000000000000000000"
1078 "0000000000000000000000000000000000000000000000000000000000000000"
1079 "0000000000000000000000000000000000000000000000000000000000000000"
1080 "0000000000000000000000000000000000000000000000000000000000000028"
1081 "3") == 0 ||
1082 !BN_set_word(dh->g, 2)) {
1083 return nullptr;
1084 }
1085 BN_free(dh->q);
1086 dh->q = NULL;
1087 dh->priv_length = 0;
1088 }
1089
1090 if (!SSL_CTX_set_tmp_dh(ssl_ctx.get(), dh.get())) {
1091 return nullptr;
1092 }
1093
1094 if (config->async && config->is_server) {
1095 // Disable the internal session cache. To test asynchronous session lookup,
1096 // we use an external session cache.
1097 SSL_CTX_set_session_cache_mode(
1098 ssl_ctx.get(), SSL_SESS_CACHE_BOTH | SSL_SESS_CACHE_NO_INTERNAL);
1099 SSL_CTX_sess_set_get_cb(ssl_ctx.get(), GetSessionCallback);
1100 } else {
1101 SSL_CTX_set_session_cache_mode(ssl_ctx.get(), SSL_SESS_CACHE_BOTH);
1102 }
1103
1104 SSL_CTX_set_select_certificate_cb(ssl_ctx.get(), SelectCertificateCallback);
1105
1106 if (config->use_old_client_cert_callback) {
1107 SSL_CTX_set_client_cert_cb(ssl_ctx.get(), ClientCertCallback);
1108 }
1109
1110 SSL_CTX_set_next_protos_advertised_cb(
1111 ssl_ctx.get(), NextProtosAdvertisedCallback, NULL);
1112 if (!config->select_next_proto.empty()) {
1113 SSL_CTX_set_next_proto_select_cb(ssl_ctx.get(), NextProtoSelectCallback,
1114 NULL);
1115 }
1116
1117 if (!config->select_alpn.empty() || !config->select_resume_alpn.empty() ||
1118 config->decline_alpn) {
1119 SSL_CTX_set_alpn_select_cb(ssl_ctx.get(), AlpnSelectCallback, NULL);
1120 }
1121
1122 SSL_CTX_set_channel_id_cb(ssl_ctx.get(), ChannelIdCallback);
1123
1124 SSL_CTX_set_current_time_cb(ssl_ctx.get(), CurrentTimeCallback);
1125
1126 SSL_CTX_set_info_callback(ssl_ctx.get(), InfoCallback);
1127 SSL_CTX_sess_set_new_cb(ssl_ctx.get(), NewSessionCallback);
1128
1129 if (config->use_ticket_callback) {
1130 SSL_CTX_set_tlsext_ticket_key_cb(ssl_ctx.get(), TicketKeyCallback);
1131 }
1132
1133 if (config->enable_client_custom_extension &&
1134 !SSL_CTX_add_client_custom_ext(
1135 ssl_ctx.get(), kCustomExtensionValue, CustomExtensionAddCallback,
1136 CustomExtensionFreeCallback, kCustomExtensionAddArg,
1137 CustomExtensionParseCallback, kCustomExtensionParseArg)) {
1138 return nullptr;
1139 }
1140
1141 if (config->enable_server_custom_extension &&
1142 !SSL_CTX_add_server_custom_ext(
1143 ssl_ctx.get(), kCustomExtensionValue, CustomExtensionAddCallback,
1144 CustomExtensionFreeCallback, kCustomExtensionAddArg,
1145 CustomExtensionParseCallback, kCustomExtensionParseArg)) {
1146 return nullptr;
1147 }
1148
1149 if (config->verify_fail) {
1150 SSL_CTX_set_cert_verify_callback(ssl_ctx.get(), VerifyFail, NULL);
1151 } else {
1152 SSL_CTX_set_cert_verify_callback(ssl_ctx.get(), VerifySucceed, NULL);
1153 }
1154
1155 if (!config->signed_cert_timestamps.empty() &&
1156 !SSL_CTX_set_signed_cert_timestamp_list(
1157 ssl_ctx.get(), (const uint8_t *)config->signed_cert_timestamps.data(),
1158 config->signed_cert_timestamps.size())) {
1159 return nullptr;
1160 }
1161
1162 if (!config->use_client_ca_list.empty()) {
1163 if (config->use_client_ca_list == "<NULL>") {
1164 SSL_CTX_set_client_CA_list(ssl_ctx.get(), nullptr);
1165 } else {
1166 bssl::UniquePtr<STACK_OF(X509_NAME)> names =
1167 DecodeHexX509Names(config->use_client_ca_list);
1168 SSL_CTX_set_client_CA_list(ssl_ctx.get(), names.release());
1169 }
1170 }
1171
1172 if (config->enable_grease) {
1173 SSL_CTX_set_grease_enabled(ssl_ctx.get(), 1);
1174 }
1175
1176 if (!config->expected_server_name.empty()) {
1177 SSL_CTX_set_tlsext_servername_callback(ssl_ctx.get(), ServerNameCallback);
1178 }
1179
1180 if (!config->ticket_key.empty() &&
1181 !SSL_CTX_set_tlsext_ticket_keys(ssl_ctx.get(), config->ticket_key.data(),
1182 config->ticket_key.size())) {
1183 return nullptr;
1184 }
1185
1186 if (config->enable_early_data) {
1187 SSL_CTX_set_early_data_enabled(ssl_ctx.get(), 1);
1188 }
1189
1190 return ssl_ctx;
1191 }
1192
1193 // RetryAsync is called after a failed operation on |ssl| with return code
1194 // |ret|. If the operation should be retried, it simulates one asynchronous
1195 // event and returns true. Otherwise it returns false.
RetryAsync(SSL * ssl,int ret)1196 static bool RetryAsync(SSL *ssl, int ret) {
1197 // No error; don't retry.
1198 if (ret >= 0) {
1199 return false;
1200 }
1201
1202 TestState *test_state = GetTestState(ssl);
1203 assert(GetTestConfig(ssl)->async);
1204
1205 if (test_state->packeted_bio != nullptr &&
1206 PacketedBioAdvanceClock(test_state->packeted_bio)) {
1207 // The DTLS retransmit logic silently ignores write failures. So the test
1208 // may progress, allow writes through synchronously.
1209 AsyncBioEnforceWriteQuota(test_state->async_bio, false);
1210 int timeout_ret = DTLSv1_handle_timeout(ssl);
1211 AsyncBioEnforceWriteQuota(test_state->async_bio, true);
1212
1213 if (timeout_ret < 0) {
1214 fprintf(stderr, "Error retransmitting.\n");
1215 return false;
1216 }
1217 return true;
1218 }
1219
1220 // See if we needed to read or write more. If so, allow one byte through on
1221 // the appropriate end to maximally stress the state machine.
1222 switch (SSL_get_error(ssl, ret)) {
1223 case SSL_ERROR_WANT_READ:
1224 AsyncBioAllowRead(test_state->async_bio, 1);
1225 return true;
1226 case SSL_ERROR_WANT_WRITE:
1227 AsyncBioAllowWrite(test_state->async_bio, 1);
1228 return true;
1229 case SSL_ERROR_WANT_CHANNEL_ID_LOOKUP: {
1230 bssl::UniquePtr<EVP_PKEY> pkey =
1231 LoadPrivateKey(GetTestConfig(ssl)->send_channel_id);
1232 if (!pkey) {
1233 return false;
1234 }
1235 test_state->channel_id = std::move(pkey);
1236 return true;
1237 }
1238 case SSL_ERROR_WANT_X509_LOOKUP:
1239 test_state->cert_ready = true;
1240 return true;
1241 case SSL_ERROR_PENDING_SESSION:
1242 test_state->session = std::move(test_state->pending_session);
1243 return true;
1244 case SSL_ERROR_PENDING_CERTIFICATE:
1245 test_state->early_callback_ready = true;
1246 return true;
1247 case SSL_ERROR_WANT_PRIVATE_KEY_OPERATION:
1248 test_state->private_key_retries++;
1249 return true;
1250 default:
1251 return false;
1252 }
1253 }
1254
1255 // DoRead reads from |ssl|, resolving any asynchronous operations. It returns
1256 // the result value of the final |SSL_read| call.
DoRead(SSL * ssl,uint8_t * out,size_t max_out)1257 static int DoRead(SSL *ssl, uint8_t *out, size_t max_out) {
1258 const TestConfig *config = GetTestConfig(ssl);
1259 TestState *test_state = GetTestState(ssl);
1260 int ret;
1261 do {
1262 if (config->async) {
1263 // The DTLS retransmit logic silently ignores write failures. So the test
1264 // may progress, allow writes through synchronously. |SSL_read| may
1265 // trigger a retransmit, so disconnect the write quota.
1266 AsyncBioEnforceWriteQuota(test_state->async_bio, false);
1267 }
1268 ret = config->peek_then_read ? SSL_peek(ssl, out, max_out)
1269 : SSL_read(ssl, out, max_out);
1270 if (config->async) {
1271 AsyncBioEnforceWriteQuota(test_state->async_bio, true);
1272 }
1273
1274 // Run the exporter after each read. This is to test that the exporter fails
1275 // during a renegotiation.
1276 if (config->use_exporter_between_reads) {
1277 uint8_t buf;
1278 if (!SSL_export_keying_material(ssl, &buf, 1, NULL, 0, NULL, 0, 0)) {
1279 fprintf(stderr, "failed to export keying material\n");
1280 return -1;
1281 }
1282 }
1283 } while (config->async && RetryAsync(ssl, ret));
1284
1285 if (config->peek_then_read && ret > 0) {
1286 std::unique_ptr<uint8_t[]> buf(new uint8_t[static_cast<size_t>(ret)]);
1287
1288 // SSL_peek should synchronously return the same data.
1289 int ret2 = SSL_peek(ssl, buf.get(), ret);
1290 if (ret2 != ret ||
1291 OPENSSL_memcmp(buf.get(), out, ret) != 0) {
1292 fprintf(stderr, "First and second SSL_peek did not match.\n");
1293 return -1;
1294 }
1295
1296 // SSL_read should synchronously return the same data and consume it.
1297 ret2 = SSL_read(ssl, buf.get(), ret);
1298 if (ret2 != ret ||
1299 OPENSSL_memcmp(buf.get(), out, ret) != 0) {
1300 fprintf(stderr, "SSL_peek and SSL_read did not match.\n");
1301 return -1;
1302 }
1303 }
1304
1305 return ret;
1306 }
1307
1308 // WriteAll writes |in_len| bytes from |in| to |ssl|, resolving any asynchronous
1309 // operations. It returns the result of the final |SSL_write| call.
WriteAll(SSL * ssl,const uint8_t * in,size_t in_len)1310 static int WriteAll(SSL *ssl, const uint8_t *in, size_t in_len) {
1311 const TestConfig *config = GetTestConfig(ssl);
1312 int ret;
1313 do {
1314 ret = SSL_write(ssl, in, in_len);
1315 if (ret > 0) {
1316 in += ret;
1317 in_len -= ret;
1318 }
1319 } while ((config->async && RetryAsync(ssl, ret)) || (ret > 0 && in_len > 0));
1320 return ret;
1321 }
1322
1323 // DoShutdown calls |SSL_shutdown|, resolving any asynchronous operations. It
1324 // returns the result of the final |SSL_shutdown| call.
DoShutdown(SSL * ssl)1325 static int DoShutdown(SSL *ssl) {
1326 const TestConfig *config = GetTestConfig(ssl);
1327 int ret;
1328 do {
1329 ret = SSL_shutdown(ssl);
1330 } while (config->async && RetryAsync(ssl, ret));
1331 return ret;
1332 }
1333
1334 // DoSendFatalAlert calls |SSL_send_fatal_alert|, resolving any asynchronous
1335 // operations. It returns the result of the final |SSL_send_fatal_alert| call.
DoSendFatalAlert(SSL * ssl,uint8_t alert)1336 static int DoSendFatalAlert(SSL *ssl, uint8_t alert) {
1337 const TestConfig *config = GetTestConfig(ssl);
1338 int ret;
1339 do {
1340 ret = SSL_send_fatal_alert(ssl, alert);
1341 } while (config->async && RetryAsync(ssl, ret));
1342 return ret;
1343 }
1344
GetProtocolVersion(const SSL * ssl)1345 static uint16_t GetProtocolVersion(const SSL *ssl) {
1346 uint16_t version = SSL_version(ssl);
1347 if (!SSL_is_dtls(ssl)) {
1348 return version;
1349 }
1350 return 0x0201 + ~version;
1351 }
1352
1353 // CheckHandshakeProperties checks, immediately after |ssl| completes its
1354 // initial handshake (or False Starts), whether all the properties are
1355 // consistent with the test configuration and invariants.
CheckHandshakeProperties(SSL * ssl,bool is_resume)1356 static bool CheckHandshakeProperties(SSL *ssl, bool is_resume) {
1357 const TestConfig *config = GetTestConfig(ssl);
1358
1359 if (SSL_get_current_cipher(ssl) == nullptr) {
1360 fprintf(stderr, "null cipher after handshake\n");
1361 return false;
1362 }
1363
1364 if (is_resume &&
1365 (!!SSL_session_reused(ssl) == config->expect_session_miss)) {
1366 fprintf(stderr, "session was%s reused\n",
1367 SSL_session_reused(ssl) ? "" : " not");
1368 return false;
1369 }
1370
1371 bool expect_handshake_done =
1372 (is_resume || !config->false_start) &&
1373 !(config->is_server && SSL_early_data_accepted(ssl));
1374 if (expect_handshake_done != GetTestState(ssl)->handshake_done) {
1375 fprintf(stderr, "handshake was%s completed\n",
1376 GetTestState(ssl)->handshake_done ? "" : " not");
1377 return false;
1378 }
1379
1380 if (expect_handshake_done && !config->is_server) {
1381 bool expect_new_session =
1382 !config->expect_no_session &&
1383 (!SSL_session_reused(ssl) || config->expect_ticket_renewal) &&
1384 // Session tickets are sent post-handshake in TLS 1.3.
1385 GetProtocolVersion(ssl) < TLS1_3_VERSION;
1386 if (expect_new_session != GetTestState(ssl)->got_new_session) {
1387 fprintf(stderr,
1388 "new session was%s cached, but we expected the opposite\n",
1389 GetTestState(ssl)->got_new_session ? "" : " not");
1390 return false;
1391 }
1392 }
1393
1394 if (!is_resume) {
1395 if (config->expect_session_id && !GetTestState(ssl)->got_new_session) {
1396 fprintf(stderr, "session was not cached on the server.\n");
1397 return false;
1398 }
1399 if (config->expect_no_session_id && GetTestState(ssl)->got_new_session) {
1400 fprintf(stderr, "session was unexpectedly cached on the server.\n");
1401 return false;
1402 }
1403 }
1404
1405 if (config->is_server && !GetTestState(ssl)->early_callback_called) {
1406 fprintf(stderr, "early callback not called\n");
1407 return false;
1408 }
1409
1410 if (!config->expected_server_name.empty()) {
1411 const char *server_name =
1412 SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
1413 if (server_name == nullptr ||
1414 server_name != config->expected_server_name) {
1415 fprintf(stderr, "servername mismatch (got %s; want %s)\n",
1416 server_name, config->expected_server_name.c_str());
1417 return false;
1418 }
1419 }
1420
1421 if (!config->expected_next_proto.empty()) {
1422 const uint8_t *next_proto;
1423 unsigned next_proto_len;
1424 SSL_get0_next_proto_negotiated(ssl, &next_proto, &next_proto_len);
1425 if (next_proto_len != config->expected_next_proto.size() ||
1426 OPENSSL_memcmp(next_proto, config->expected_next_proto.data(),
1427 next_proto_len) != 0) {
1428 fprintf(stderr, "negotiated next proto mismatch\n");
1429 return false;
1430 }
1431 }
1432
1433 std::string expected_alpn = config->expected_alpn;
1434 if (is_resume && !config->expected_resume_alpn.empty()) {
1435 expected_alpn = config->expected_resume_alpn;
1436 }
1437 bool expect_no_alpn = (!is_resume && config->expect_no_alpn) ||
1438 (is_resume && config->expect_no_resume_alpn);
1439 if (expect_no_alpn) {
1440 expected_alpn.clear();
1441 }
1442
1443 if (!expected_alpn.empty() || expect_no_alpn) {
1444 const uint8_t *alpn_proto;
1445 unsigned alpn_proto_len;
1446 SSL_get0_alpn_selected(ssl, &alpn_proto, &alpn_proto_len);
1447 if (alpn_proto_len != expected_alpn.size() ||
1448 OPENSSL_memcmp(alpn_proto, expected_alpn.data(), alpn_proto_len) != 0) {
1449 fprintf(stderr, "negotiated alpn proto mismatch\n");
1450 return false;
1451 }
1452 }
1453
1454 if (!config->expected_channel_id.empty()) {
1455 uint8_t channel_id[64];
1456 if (!SSL_get_tls_channel_id(ssl, channel_id, sizeof(channel_id))) {
1457 fprintf(stderr, "no channel id negotiated\n");
1458 return false;
1459 }
1460 if (config->expected_channel_id.size() != 64 ||
1461 OPENSSL_memcmp(config->expected_channel_id.data(), channel_id, 64) !=
1462 0) {
1463 fprintf(stderr, "channel id mismatch\n");
1464 return false;
1465 }
1466 }
1467
1468 if (config->expect_extended_master_secret && !SSL_get_extms_support(ssl)) {
1469 fprintf(stderr, "No EMS for connection when expected\n");
1470 return false;
1471 }
1472
1473 if (config->expect_secure_renegotiation &&
1474 !SSL_get_secure_renegotiation_support(ssl)) {
1475 fprintf(stderr, "No secure renegotiation for connection when expected\n");
1476 return false;
1477 }
1478
1479 if (config->expect_no_secure_renegotiation &&
1480 SSL_get_secure_renegotiation_support(ssl)) {
1481 fprintf(stderr,
1482 "Secure renegotiation unexpectedly negotiated for connection\n");
1483 return false;
1484 }
1485
1486 if (!config->expected_ocsp_response.empty()) {
1487 const uint8_t *data;
1488 size_t len;
1489 SSL_get0_ocsp_response(ssl, &data, &len);
1490 if (config->expected_ocsp_response.size() != len ||
1491 OPENSSL_memcmp(config->expected_ocsp_response.data(), data, len) != 0) {
1492 fprintf(stderr, "OCSP response mismatch\n");
1493 return false;
1494 }
1495 }
1496
1497 if (!config->expected_signed_cert_timestamps.empty()) {
1498 const uint8_t *data;
1499 size_t len;
1500 SSL_get0_signed_cert_timestamp_list(ssl, &data, &len);
1501 if (config->expected_signed_cert_timestamps.size() != len ||
1502 OPENSSL_memcmp(config->expected_signed_cert_timestamps.data(), data,
1503 len) != 0) {
1504 fprintf(stderr, "SCT list mismatch\n");
1505 return false;
1506 }
1507 }
1508
1509 if (config->expect_verify_result) {
1510 int expected_verify_result = config->verify_fail ?
1511 X509_V_ERR_APPLICATION_VERIFICATION :
1512 X509_V_OK;
1513
1514 if (SSL_get_verify_result(ssl) != expected_verify_result) {
1515 fprintf(stderr, "Wrong certificate verification result\n");
1516 return false;
1517 }
1518 }
1519
1520 if (config->expect_peer_signature_algorithm != 0 &&
1521 config->expect_peer_signature_algorithm !=
1522 SSL_get_peer_signature_algorithm(ssl)) {
1523 fprintf(stderr, "Peer signature algorithm was %04x, wanted %04x.\n",
1524 SSL_get_peer_signature_algorithm(ssl),
1525 config->expect_peer_signature_algorithm);
1526 return false;
1527 }
1528
1529 int expect_curve_id = config->expect_curve_id;
1530 if (is_resume && config->expect_resume_curve_id != 0) {
1531 expect_curve_id = config->expect_resume_curve_id;
1532 }
1533 if (expect_curve_id != 0) {
1534 uint16_t curve_id = SSL_get_curve_id(ssl);
1535 if (static_cast<uint16_t>(expect_curve_id) != curve_id) {
1536 fprintf(stderr, "curve_id was %04x, wanted %04x\n", curve_id,
1537 static_cast<uint16_t>(expect_curve_id));
1538 return false;
1539 }
1540 }
1541
1542 uint16_t cipher_id =
1543 static_cast<uint16_t>(SSL_CIPHER_get_id(SSL_get_current_cipher(ssl)));
1544 if (config->expect_cipher_aes != 0 &&
1545 EVP_has_aes_hardware() &&
1546 static_cast<uint16_t>(config->expect_cipher_aes) != cipher_id) {
1547 fprintf(stderr, "Cipher ID was %04x, wanted %04x (has AES hardware)\n",
1548 cipher_id, static_cast<uint16_t>(config->expect_cipher_aes));
1549 return false;
1550 }
1551
1552 if (config->expect_cipher_no_aes != 0 &&
1553 !EVP_has_aes_hardware() &&
1554 static_cast<uint16_t>(config->expect_cipher_no_aes) != cipher_id) {
1555 fprintf(stderr, "Cipher ID was %04x, wanted %04x (no AES hardware)\n",
1556 cipher_id, static_cast<uint16_t>(config->expect_cipher_no_aes));
1557 return false;
1558 }
1559
1560 if (is_resume) {
1561 if ((config->expect_accept_early_data && !SSL_early_data_accepted(ssl)) ||
1562 (config->expect_reject_early_data && SSL_early_data_accepted(ssl))) {
1563 fprintf(stderr,
1564 "Early data was%s accepted, but we expected the opposite\n",
1565 SSL_early_data_accepted(ssl) ? "" : " not");
1566 return false;
1567 }
1568 }
1569
1570 if (!config->psk.empty()) {
1571 if (SSL_get_peer_cert_chain(ssl) != nullptr) {
1572 fprintf(stderr, "Received peer certificate on a PSK cipher.\n");
1573 return false;
1574 }
1575 } else if (!config->is_server || config->require_any_client_certificate) {
1576 if (SSL_get_peer_cert_chain(ssl) == nullptr) {
1577 fprintf(stderr, "Received no peer certificate but expected one.\n");
1578 return false;
1579 }
1580 }
1581
1582 if (!config->expect_peer_cert_file.empty()) {
1583 bssl::UniquePtr<X509> expect_leaf;
1584 bssl::UniquePtr<STACK_OF(X509)> expect_chain;
1585 if (!LoadCertificate(&expect_leaf, &expect_chain,
1586 config->expect_peer_cert_file)) {
1587 return false;
1588 }
1589
1590 // For historical reasons, clients report a chain with a leaf and servers
1591 // without.
1592 if (!config->is_server) {
1593 if (!sk_X509_insert(expect_chain.get(), expect_leaf.get(), 0)) {
1594 return false;
1595 }
1596 X509_up_ref(expect_leaf.get()); // sk_X509_push takes ownership.
1597 }
1598
1599 bssl::UniquePtr<X509> leaf(SSL_get_peer_certificate(ssl));
1600 STACK_OF(X509) *chain = SSL_get_peer_cert_chain(ssl);
1601 if (X509_cmp(leaf.get(), expect_leaf.get()) != 0) {
1602 fprintf(stderr, "Received a different leaf certificate than expected.\n");
1603 return false;
1604 }
1605
1606 if (sk_X509_num(chain) != sk_X509_num(expect_chain.get())) {
1607 fprintf(stderr, "Received a chain of length %zu instead of %zu.\n",
1608 sk_X509_num(chain), sk_X509_num(expect_chain.get()));
1609 return false;
1610 }
1611
1612 for (size_t i = 0; i < sk_X509_num(chain); i++) {
1613 if (X509_cmp(sk_X509_value(chain, i),
1614 sk_X509_value(expect_chain.get(), i)) != 0) {
1615 fprintf(stderr, "Chain certificate %zu did not match.\n",
1616 i + 1);
1617 return false;
1618 }
1619 }
1620 }
1621
1622 bool expected_sha256_client_cert = config->expect_sha256_client_cert_initial;
1623 if (is_resume) {
1624 expected_sha256_client_cert = config->expect_sha256_client_cert_resume;
1625 }
1626
1627 if (SSL_get_session(ssl)->peer_sha256_valid != expected_sha256_client_cert) {
1628 fprintf(stderr,
1629 "Unexpected SHA-256 client cert state: expected:%d is_resume:%d.\n",
1630 expected_sha256_client_cert, is_resume);
1631 return false;
1632 }
1633
1634 if (expected_sha256_client_cert &&
1635 SSL_get_session(ssl)->certs != nullptr) {
1636 fprintf(stderr, "Have both client cert and SHA-256 hash: is_resume:%d.\n",
1637 is_resume);
1638 return false;
1639 }
1640
1641 if (is_resume && config->expect_ticket_age_skew != 0 &&
1642 SSL_get_ticket_age_skew(ssl) != config->expect_ticket_age_skew) {
1643 fprintf(stderr, "Ticket age skew was %" PRId32 ", wanted %d\n",
1644 SSL_get_ticket_age_skew(ssl), config->expect_ticket_age_skew);
1645 return false;
1646 }
1647
1648 return true;
1649 }
1650
1651 // DoExchange runs a test SSL exchange against the peer. On success, it returns
1652 // true and sets |*out_session| to the negotiated SSL session. If the test is a
1653 // resumption attempt, |is_resume| is true and |session| is the session from the
1654 // previous exchange.
DoExchange(bssl::UniquePtr<SSL_SESSION> * out_session,SSL_CTX * ssl_ctx,const TestConfig * config,bool is_resume,SSL_SESSION * session)1655 static bool DoExchange(bssl::UniquePtr<SSL_SESSION> *out_session,
1656 SSL_CTX *ssl_ctx, const TestConfig *config,
1657 bool is_resume, SSL_SESSION *session) {
1658 if (is_resume && config->enable_resume_early_data) {
1659 SSL_CTX_set_early_data_enabled(ssl_ctx, 1);
1660 }
1661
1662 bssl::UniquePtr<SSL> ssl(SSL_new(ssl_ctx));
1663 if (!ssl) {
1664 return false;
1665 }
1666
1667 if (!SetTestConfig(ssl.get(), config) ||
1668 !SetTestState(ssl.get(), std::unique_ptr<TestState>(new TestState))) {
1669 return false;
1670 }
1671
1672 GetTestState(ssl.get())->is_resume = is_resume;
1673
1674 if (config->fallback_scsv &&
1675 !SSL_set_mode(ssl.get(), SSL_MODE_SEND_FALLBACK_SCSV)) {
1676 return false;
1677 }
1678 // Install the certificate synchronously if nothing else will handle it.
1679 if (!config->use_early_callback &&
1680 !config->use_old_client_cert_callback &&
1681 !config->async &&
1682 !InstallCertificate(ssl.get())) {
1683 return false;
1684 }
1685 if (!config->use_old_client_cert_callback) {
1686 SSL_set_cert_cb(ssl.get(), CertCallback, nullptr);
1687 }
1688 if (config->require_any_client_certificate) {
1689 SSL_set_verify(ssl.get(), SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
1690 NULL);
1691 }
1692 if (config->verify_peer) {
1693 SSL_set_verify(ssl.get(), SSL_VERIFY_PEER, NULL);
1694 }
1695 if (config->false_start) {
1696 SSL_set_mode(ssl.get(), SSL_MODE_ENABLE_FALSE_START);
1697 }
1698 if (config->cbc_record_splitting) {
1699 SSL_set_mode(ssl.get(), SSL_MODE_CBC_RECORD_SPLITTING);
1700 }
1701 if (config->partial_write) {
1702 SSL_set_mode(ssl.get(), SSL_MODE_ENABLE_PARTIAL_WRITE);
1703 }
1704 if (config->no_tls13) {
1705 SSL_set_options(ssl.get(), SSL_OP_NO_TLSv1_3);
1706 }
1707 if (config->no_tls12) {
1708 SSL_set_options(ssl.get(), SSL_OP_NO_TLSv1_2);
1709 }
1710 if (config->no_tls11) {
1711 SSL_set_options(ssl.get(), SSL_OP_NO_TLSv1_1);
1712 }
1713 if (config->no_tls1) {
1714 SSL_set_options(ssl.get(), SSL_OP_NO_TLSv1);
1715 }
1716 if (config->no_ssl3) {
1717 SSL_set_options(ssl.get(), SSL_OP_NO_SSLv3);
1718 }
1719 if (!config->expected_channel_id.empty() ||
1720 config->enable_channel_id) {
1721 SSL_set_tls_channel_id_enabled(ssl.get(), 1);
1722 }
1723 if (!config->send_channel_id.empty()) {
1724 SSL_set_tls_channel_id_enabled(ssl.get(), 1);
1725 if (!config->async) {
1726 // The async case will be supplied by |ChannelIdCallback|.
1727 bssl::UniquePtr<EVP_PKEY> pkey = LoadPrivateKey(config->send_channel_id);
1728 if (!pkey || !SSL_set1_tls_channel_id(ssl.get(), pkey.get())) {
1729 return false;
1730 }
1731 }
1732 }
1733 if (!config->host_name.empty() &&
1734 !SSL_set_tlsext_host_name(ssl.get(), config->host_name.c_str())) {
1735 return false;
1736 }
1737 if (!config->advertise_alpn.empty() &&
1738 SSL_set_alpn_protos(ssl.get(),
1739 (const uint8_t *)config->advertise_alpn.data(),
1740 config->advertise_alpn.size()) != 0) {
1741 return false;
1742 }
1743 if (!config->psk.empty()) {
1744 SSL_set_psk_client_callback(ssl.get(), PskClientCallback);
1745 SSL_set_psk_server_callback(ssl.get(), PskServerCallback);
1746 }
1747 if (!config->psk_identity.empty() &&
1748 !SSL_use_psk_identity_hint(ssl.get(), config->psk_identity.c_str())) {
1749 return false;
1750 }
1751 if (!config->srtp_profiles.empty() &&
1752 !SSL_set_srtp_profiles(ssl.get(), config->srtp_profiles.c_str())) {
1753 return false;
1754 }
1755 if (config->enable_ocsp_stapling) {
1756 SSL_enable_ocsp_stapling(ssl.get());
1757 }
1758 if (config->enable_signed_cert_timestamps) {
1759 SSL_enable_signed_cert_timestamps(ssl.get());
1760 }
1761 if (config->min_version != 0 &&
1762 !SSL_set_min_proto_version(ssl.get(), (uint16_t)config->min_version)) {
1763 return false;
1764 }
1765 if (config->max_version != 0 &&
1766 !SSL_set_max_proto_version(ssl.get(), (uint16_t)config->max_version)) {
1767 return false;
1768 }
1769 if (config->mtu != 0) {
1770 SSL_set_options(ssl.get(), SSL_OP_NO_QUERY_MTU);
1771 SSL_set_mtu(ssl.get(), config->mtu);
1772 }
1773 if (config->install_ddos_callback) {
1774 SSL_CTX_set_dos_protection_cb(ssl_ctx, DDoSCallback);
1775 }
1776 if (config->renegotiate_once) {
1777 SSL_set_renegotiate_mode(ssl.get(), ssl_renegotiate_once);
1778 }
1779 if (config->renegotiate_freely) {
1780 SSL_set_renegotiate_mode(ssl.get(), ssl_renegotiate_freely);
1781 }
1782 if (config->renegotiate_ignore) {
1783 SSL_set_renegotiate_mode(ssl.get(), ssl_renegotiate_ignore);
1784 }
1785 if (!config->check_close_notify) {
1786 SSL_set_quiet_shutdown(ssl.get(), 1);
1787 }
1788 if (config->p384_only) {
1789 int nid = NID_secp384r1;
1790 if (!SSL_set1_curves(ssl.get(), &nid, 1)) {
1791 return false;
1792 }
1793 }
1794 if (config->enable_all_curves) {
1795 static const int kAllCurves[] = {
1796 NID_X9_62_prime256v1, NID_secp384r1, NID_secp521r1, NID_X25519,
1797 };
1798 if (!SSL_set1_curves(ssl.get(), kAllCurves,
1799 OPENSSL_ARRAY_SIZE(kAllCurves))) {
1800 return false;
1801 }
1802 }
1803 if (config->initial_timeout_duration_ms > 0) {
1804 DTLSv1_set_initial_timeout_duration(ssl.get(),
1805 config->initial_timeout_duration_ms);
1806 }
1807 if (config->max_cert_list > 0) {
1808 SSL_set_max_cert_list(ssl.get(), config->max_cert_list);
1809 }
1810 if (!is_resume && config->retain_only_sha256_client_cert_initial) {
1811 SSL_set_retain_only_sha256_of_client_certs(ssl.get(), 1);
1812 }
1813 if (is_resume && config->retain_only_sha256_client_cert_resume) {
1814 SSL_set_retain_only_sha256_of_client_certs(ssl.get(), 1);
1815 }
1816 if (config->max_send_fragment > 0) {
1817 SSL_set_max_send_fragment(ssl.get(), config->max_send_fragment);
1818 }
1819
1820 int sock = Connect(config->port);
1821 if (sock == -1) {
1822 return false;
1823 }
1824 SocketCloser closer(sock);
1825
1826 bssl::UniquePtr<BIO> bio(BIO_new_socket(sock, BIO_NOCLOSE));
1827 if (!bio) {
1828 return false;
1829 }
1830 if (config->is_dtls) {
1831 bssl::UniquePtr<BIO> packeted = PacketedBioCreate(&g_clock);
1832 if (!packeted) {
1833 return false;
1834 }
1835 GetTestState(ssl.get())->packeted_bio = packeted.get();
1836 BIO_push(packeted.get(), bio.release());
1837 bio = std::move(packeted);
1838 }
1839 if (config->async) {
1840 bssl::UniquePtr<BIO> async_scoped =
1841 config->is_dtls ? AsyncBioCreateDatagram() : AsyncBioCreate();
1842 if (!async_scoped) {
1843 return false;
1844 }
1845 BIO_push(async_scoped.get(), bio.release());
1846 GetTestState(ssl.get())->async_bio = async_scoped.get();
1847 bio = std::move(async_scoped);
1848 }
1849 SSL_set_bio(ssl.get(), bio.get(), bio.get());
1850 bio.release(); // SSL_set_bio takes ownership.
1851
1852 if (session != NULL) {
1853 if (!config->is_server) {
1854 if (SSL_set_session(ssl.get(), session) != 1) {
1855 return false;
1856 }
1857 } else if (config->async) {
1858 // The internal session cache is disabled, so install the session
1859 // manually.
1860 SSL_SESSION_up_ref(session);
1861 GetTestState(ssl.get())->pending_session.reset(session);
1862 }
1863 }
1864
1865 if (SSL_get_current_cipher(ssl.get()) != nullptr) {
1866 fprintf(stderr, "non-null cipher before handshake\n");
1867 return false;
1868 }
1869
1870 if (config->is_server) {
1871 SSL_set_accept_state(ssl.get());
1872 } else {
1873 SSL_set_connect_state(ssl.get());
1874 }
1875
1876 int ret;
1877 if (!config->implicit_handshake) {
1878 do {
1879 ret = SSL_do_handshake(ssl.get());
1880 } while (config->async && RetryAsync(ssl.get(), ret));
1881 if (ret != 1 ||
1882 !CheckHandshakeProperties(ssl.get(), is_resume)) {
1883 return false;
1884 }
1885
1886 // Reset the state to assert later that the callback isn't called in
1887 // renegotations.
1888 GetTestState(ssl.get())->got_new_session = false;
1889 }
1890
1891 if (config->export_keying_material > 0) {
1892 std::vector<uint8_t> result(
1893 static_cast<size_t>(config->export_keying_material));
1894 if (!SSL_export_keying_material(
1895 ssl.get(), result.data(), result.size(),
1896 config->export_label.data(), config->export_label.size(),
1897 reinterpret_cast<const uint8_t*>(config->export_context.data()),
1898 config->export_context.size(), config->use_export_context)) {
1899 fprintf(stderr, "failed to export keying material\n");
1900 return false;
1901 }
1902 if (WriteAll(ssl.get(), result.data(), result.size()) < 0) {
1903 return false;
1904 }
1905 }
1906
1907 if (config->tls_unique) {
1908 uint8_t tls_unique[16];
1909 size_t tls_unique_len;
1910 if (!SSL_get_tls_unique(ssl.get(), tls_unique, &tls_unique_len,
1911 sizeof(tls_unique))) {
1912 fprintf(stderr, "failed to get tls-unique\n");
1913 return false;
1914 }
1915
1916 if (tls_unique_len != 12) {
1917 fprintf(stderr, "expected 12 bytes of tls-unique but got %u",
1918 static_cast<unsigned>(tls_unique_len));
1919 return false;
1920 }
1921
1922 if (WriteAll(ssl.get(), tls_unique, tls_unique_len) < 0) {
1923 return false;
1924 }
1925 }
1926
1927 if (config->send_alert) {
1928 if (DoSendFatalAlert(ssl.get(), SSL_AD_DECOMPRESSION_FAILURE) < 0) {
1929 return false;
1930 }
1931 return true;
1932 }
1933
1934 if (config->write_different_record_sizes) {
1935 if (config->is_dtls) {
1936 fprintf(stderr, "write_different_record_sizes not supported for DTLS\n");
1937 return false;
1938 }
1939 // This mode writes a number of different record sizes in an attempt to
1940 // trip up the CBC record splitting code.
1941 static const size_t kBufLen = 32769;
1942 std::unique_ptr<uint8_t[]> buf(new uint8_t[kBufLen]);
1943 OPENSSL_memset(buf.get(), 0x42, kBufLen);
1944 static const size_t kRecordSizes[] = {
1945 0, 1, 255, 256, 257, 16383, 16384, 16385, 32767, 32768, 32769};
1946 for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kRecordSizes); i++) {
1947 const size_t len = kRecordSizes[i];
1948 if (len > kBufLen) {
1949 fprintf(stderr, "Bad kRecordSizes value.\n");
1950 return false;
1951 }
1952 if (WriteAll(ssl.get(), buf.get(), len) < 0) {
1953 return false;
1954 }
1955 }
1956 } else {
1957 if (config->read_with_unfinished_write) {
1958 if (!config->async) {
1959 fprintf(stderr, "-read-with-unfinished-write requires -async.\n");
1960 return false;
1961 }
1962
1963 int write_ret = SSL_write(ssl.get(),
1964 reinterpret_cast<const uint8_t *>("unfinished"), 10);
1965 if (SSL_get_error(ssl.get(), write_ret) != SSL_ERROR_WANT_WRITE) {
1966 fprintf(stderr, "Failed to leave unfinished write.\n");
1967 return false;
1968 }
1969 }
1970 if (config->shim_writes_first) {
1971 if (WriteAll(ssl.get(), reinterpret_cast<const uint8_t *>("hello"),
1972 5) < 0) {
1973 return false;
1974 }
1975 }
1976 if (!config->shim_shuts_down) {
1977 for (;;) {
1978 // Read only 512 bytes at a time in TLS to ensure records may be
1979 // returned in multiple reads.
1980 size_t read_size = config->is_dtls ? 16384 : 512;
1981 if (config->read_size > 0) {
1982 read_size = config->read_size;
1983 }
1984 std::unique_ptr<uint8_t[]> buf(new uint8_t[read_size]);
1985
1986 int n = DoRead(ssl.get(), buf.get(), read_size);
1987 int err = SSL_get_error(ssl.get(), n);
1988 if (err == SSL_ERROR_ZERO_RETURN ||
1989 (n == 0 && err == SSL_ERROR_SYSCALL)) {
1990 if (n != 0) {
1991 fprintf(stderr, "Invalid SSL_get_error output\n");
1992 return false;
1993 }
1994 // Stop on either clean or unclean shutdown.
1995 break;
1996 } else if (err != SSL_ERROR_NONE) {
1997 if (n > 0) {
1998 fprintf(stderr, "Invalid SSL_get_error output\n");
1999 return false;
2000 }
2001 return false;
2002 }
2003 // Successfully read data.
2004 if (n <= 0) {
2005 fprintf(stderr, "Invalid SSL_get_error output\n");
2006 return false;
2007 }
2008
2009 // After a successful read, with or without False Start, the handshake
2010 // must be complete unless we are doing early data.
2011 if (!GetTestState(ssl.get())->handshake_done &&
2012 !SSL_early_data_accepted(ssl.get())) {
2013 fprintf(stderr, "handshake was not completed after SSL_read\n");
2014 return false;
2015 }
2016
2017 for (int i = 0; i < n; i++) {
2018 buf[i] ^= 0xff;
2019 }
2020 if (WriteAll(ssl.get(), buf.get(), n) < 0) {
2021 return false;
2022 }
2023 }
2024 }
2025 }
2026
2027 if (!config->is_server && !config->false_start &&
2028 !config->implicit_handshake &&
2029 // Session tickets are sent post-handshake in TLS 1.3.
2030 GetProtocolVersion(ssl.get()) < TLS1_3_VERSION &&
2031 GetTestState(ssl.get())->got_new_session) {
2032 fprintf(stderr, "new session was established after the handshake\n");
2033 return false;
2034 }
2035
2036 if (GetProtocolVersion(ssl.get()) >= TLS1_3_VERSION && !config->is_server) {
2037 bool expect_new_session =
2038 !config->expect_no_session && !config->shim_shuts_down;
2039 if (expect_new_session != GetTestState(ssl.get())->got_new_session) {
2040 fprintf(stderr,
2041 "new session was%s cached, but we expected the opposite\n",
2042 GetTestState(ssl.get())->got_new_session ? "" : " not");
2043 return false;
2044 }
2045
2046 if (expect_new_session) {
2047 bool got_early_data_info =
2048 GetTestState(ssl.get())->new_session->ticket_max_early_data != 0;
2049 if (config->expect_early_data_info != got_early_data_info) {
2050 fprintf(
2051 stderr,
2052 "new session did%s include ticket_early_data_info, but we expected "
2053 "the opposite\n",
2054 got_early_data_info ? "" : " not");
2055 return false;
2056 }
2057 }
2058 }
2059
2060 if (out_session) {
2061 *out_session = std::move(GetTestState(ssl.get())->new_session);
2062 }
2063
2064 ret = DoShutdown(ssl.get());
2065
2066 if (config->shim_shuts_down && config->check_close_notify) {
2067 // We initiate shutdown, so |SSL_shutdown| will return in two stages. First
2068 // it returns zero when our close_notify is sent, then one when the peer's
2069 // is received.
2070 if (ret != 0) {
2071 fprintf(stderr, "Unexpected SSL_shutdown result: %d != 0\n", ret);
2072 return false;
2073 }
2074 ret = DoShutdown(ssl.get());
2075 }
2076
2077 if (ret != 1) {
2078 fprintf(stderr, "Unexpected SSL_shutdown result: %d != 1\n", ret);
2079 return false;
2080 }
2081
2082 if (SSL_total_renegotiations(ssl.get()) !=
2083 config->expect_total_renegotiations) {
2084 fprintf(stderr, "Expected %d renegotiations, got %d\n",
2085 config->expect_total_renegotiations,
2086 SSL_total_renegotiations(ssl.get()));
2087 return false;
2088 }
2089
2090 return true;
2091 }
2092
2093 class StderrDelimiter {
2094 public:
~StderrDelimiter()2095 ~StderrDelimiter() { fprintf(stderr, "--- DONE ---\n"); }
2096 };
2097
main(int argc,char ** argv)2098 int main(int argc, char **argv) {
2099 // To distinguish ASan's output from ours, add a trailing message to stderr.
2100 // Anything following this line will be considered an error.
2101 StderrDelimiter delimiter;
2102
2103 #if defined(OPENSSL_WINDOWS)
2104 /* Initialize Winsock. */
2105 WORD wsa_version = MAKEWORD(2, 2);
2106 WSADATA wsa_data;
2107 int wsa_err = WSAStartup(wsa_version, &wsa_data);
2108 if (wsa_err != 0) {
2109 fprintf(stderr, "WSAStartup failed: %d\n", wsa_err);
2110 return 1;
2111 }
2112 if (wsa_data.wVersion != wsa_version) {
2113 fprintf(stderr, "Didn't get expected version: %x\n", wsa_data.wVersion);
2114 return 1;
2115 }
2116 #else
2117 signal(SIGPIPE, SIG_IGN);
2118 #endif
2119
2120 CRYPTO_library_init();
2121 g_config_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
2122 g_state_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, TestStateExFree);
2123 if (g_config_index < 0 || g_state_index < 0) {
2124 return 1;
2125 }
2126
2127 TestConfig config;
2128 if (!ParseConfig(argc - 1, argv + 1, &config)) {
2129 return Usage(argv[0]);
2130 }
2131
2132 g_pool = CRYPTO_BUFFER_POOL_new();
2133
2134 // Some code treats the zero time special, so initialize the clock to a
2135 // non-zero time.
2136 g_clock.tv_sec = 1234;
2137 g_clock.tv_usec = 1234;
2138
2139 bssl::UniquePtr<SSL_CTX> ssl_ctx = SetupCtx(&config);
2140 if (!ssl_ctx) {
2141 ERR_print_errors_fp(stderr);
2142 return 1;
2143 }
2144
2145 bssl::UniquePtr<SSL_SESSION> session;
2146 for (int i = 0; i < config.resume_count + 1; i++) {
2147 bool is_resume = i > 0;
2148 if (is_resume && !config.is_server && !session) {
2149 fprintf(stderr, "No session to offer.\n");
2150 return 1;
2151 }
2152
2153 bssl::UniquePtr<SSL_SESSION> offer_session = std::move(session);
2154 if (!DoExchange(&session, ssl_ctx.get(), &config, is_resume,
2155 offer_session.get())) {
2156 fprintf(stderr, "Connection %d failed.\n", i + 1);
2157 ERR_print_errors_fp(stderr);
2158 return 1;
2159 }
2160
2161 if (config.resumption_delay != 0) {
2162 g_clock.tv_sec += config.resumption_delay;
2163 }
2164 }
2165
2166 return 0;
2167 }
2168