1/* Copyright (c) 2014, Google Inc. 2 * 3 * Permission to use, copy, modify, and/or distribute this software for any 4 * purpose with or without fee is hereby granted, provided that the above 5 * copyright notice and this permission notice appear in all copies. 6 * 7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 15#include <stdio.h> 16#include <string.h> 17#include <time.h> 18 19#include <algorithm> 20#include <string> 21#include <utility> 22#include <vector> 23 24#include <gtest/gtest.h> 25 26#include <openssl/base64.h> 27#include <openssl/bio.h> 28#include <openssl/cipher.h> 29#include <openssl/crypto.h> 30#include <openssl/err.h> 31#include <openssl/hmac.h> 32#include <openssl/pem.h> 33#include <openssl/sha.h> 34#include <openssl/ssl.h> 35#include <openssl/rand.h> 36#include <openssl/x509.h> 37 38#include "internal.h" 39#include "../crypto/internal.h" 40#include "../crypto/test/test_util.h" 41 42#if defined(OPENSSL_WINDOWS) 43/* Windows defines struct timeval in winsock2.h. */ 44OPENSSL_MSVC_PRAGMA(warning(push, 3)) 45#include <winsock2.h> 46OPENSSL_MSVC_PRAGMA(warning(pop)) 47#else 48#include <sys/time.h> 49#endif 50 51 52struct ExpectedCipher { 53 unsigned long id; 54 int in_group_flag; 55}; 56 57struct CipherTest { 58 // The rule string to apply. 59 const char *rule; 60 // The list of expected ciphers, in order. 61 std::vector<ExpectedCipher> expected; 62 // True if this cipher list should fail in strict mode. 63 bool strict_fail; 64}; 65 66struct CurveTest { 67 // The rule string to apply. 68 const char *rule; 69 // The list of expected curves, in order. 70 std::vector<uint16_t> expected; 71}; 72 73static const CipherTest kCipherTests[] = { 74 // Selecting individual ciphers should work. 75 { 76 "ECDHE-ECDSA-CHACHA20-POLY1305:" 77 "ECDHE-RSA-CHACHA20-POLY1305:" 78 "ECDHE-ECDSA-AES128-GCM-SHA256:" 79 "ECDHE-RSA-AES128-GCM-SHA256", 80 { 81 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0}, 82 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0}, 83 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0}, 84 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0}, 85 }, 86 false, 87 }, 88 // + reorders selected ciphers to the end, keeping their relative order. 89 { 90 "ECDHE-ECDSA-CHACHA20-POLY1305:" 91 "ECDHE-RSA-CHACHA20-POLY1305:" 92 "ECDHE-ECDSA-AES128-GCM-SHA256:" 93 "ECDHE-RSA-AES128-GCM-SHA256:" 94 "+aRSA", 95 { 96 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0}, 97 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0}, 98 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0}, 99 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0}, 100 }, 101 false, 102 }, 103 // ! banishes ciphers from future selections. 104 { 105 "!aRSA:" 106 "ECDHE-ECDSA-CHACHA20-POLY1305:" 107 "ECDHE-RSA-CHACHA20-POLY1305:" 108 "ECDHE-ECDSA-AES128-GCM-SHA256:" 109 "ECDHE-RSA-AES128-GCM-SHA256", 110 { 111 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0}, 112 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0}, 113 }, 114 false, 115 }, 116 // Multiple masks can be ANDed in a single rule. 117 { 118 "kRSA+AESGCM+AES128", 119 { 120 {TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0}, 121 }, 122 false, 123 }, 124 // - removes selected ciphers, but preserves their order for future 125 // selections. Select AES_128_GCM, but order the key exchanges RSA, 126 // ECDHE_RSA. 127 { 128 "ALL:-kECDHE:" 129#ifdef BORINGSSL_ENABLE_DHE_TLS 130 "-kDHE:" 131#endif 132 "-kRSA:-ALL:" 133 "AESGCM+AES128+aRSA", 134 { 135 {TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0}, 136#ifdef BORINGSSL_ENABLE_DHE_TLS 137 {TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256, 0}, 138#endif 139 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0}, 140 }, 141 false, 142 }, 143 // Unknown selectors are no-ops, except in strict mode. 144 { 145 "ECDHE-ECDSA-CHACHA20-POLY1305:" 146 "ECDHE-RSA-CHACHA20-POLY1305:" 147 "ECDHE-ECDSA-AES128-GCM-SHA256:" 148 "ECDHE-RSA-AES128-GCM-SHA256:" 149 "BOGUS1", 150 { 151 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0}, 152 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0}, 153 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0}, 154 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0}, 155 }, 156 true, 157 }, 158 // Unknown selectors are no-ops, except in strict mode. 159 { 160 "ECDHE-ECDSA-CHACHA20-POLY1305:" 161 "ECDHE-RSA-CHACHA20-POLY1305:" 162 "ECDHE-ECDSA-AES128-GCM-SHA256:" 163 "ECDHE-RSA-AES128-GCM-SHA256:" 164 "-BOGUS2:+BOGUS3:!BOGUS4", 165 { 166 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0}, 167 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0}, 168 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0}, 169 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0}, 170 }, 171 true, 172 }, 173 // Square brackets specify equi-preference groups. 174 { 175 "[ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES128-GCM-SHA256]:" 176 "[ECDHE-RSA-CHACHA20-POLY1305]:" 177 "ECDHE-RSA-AES128-GCM-SHA256", 178 { 179 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 1}, 180 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0}, 181 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0}, 182 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0}, 183 }, 184 false, 185 }, 186 // @STRENGTH performs a stable strength-sort of the selected ciphers and 187 // only the selected ciphers. 188 { 189 // To simplify things, banish all but {ECDHE_RSA,RSA} x 190 // {CHACHA20,AES_256_CBC,AES_128_CBC} x SHA1. 191#ifdef BORINGSSL_ENABLE_DHE_TLS 192 "!kEDH:" 193#endif 194 "!AESGCM:!3DES:!SHA256:!SHA384:" 195 // Order some ciphers backwards by strength. 196 "ALL:-CHACHA20:-AES256:-AES128:-ALL:" 197 // Select ECDHE ones and sort them by strength. Ties should resolve 198 // based on the order above. 199 "kECDHE:@STRENGTH:-ALL:" 200 // Now bring back everything uses RSA. ECDHE_RSA should be first, sorted 201 // by strength. Then RSA, backwards by strength. 202 "aRSA", 203 { 204 {TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, 0}, 205 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0}, 206 {TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, 0}, 207 {TLS1_CK_RSA_WITH_AES_128_SHA, 0}, 208 {TLS1_CK_RSA_WITH_AES_256_SHA, 0}, 209 }, 210 false, 211 }, 212 // Exact ciphers may not be used in multi-part rules; they are treated 213 // as unknown aliases. 214 { 215 "ECDHE-ECDSA-AES128-GCM-SHA256:" 216 "ECDHE-RSA-AES128-GCM-SHA256:" 217 "!ECDHE-RSA-AES128-GCM-SHA256+RSA:" 218 "!ECDSA+ECDHE-ECDSA-AES128-GCM-SHA256", 219 { 220 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0}, 221 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0}, 222 }, 223 true, 224 }, 225 // SSLv3 matches everything that existed before TLS 1.2. 226 { 227 "AES128-SHA:AES128-SHA256:!SSLv3", 228 { 229 {TLS1_CK_RSA_WITH_AES_128_SHA256, 0}, 230 }, 231 false, 232 }, 233 // TLSv1.2 matches everything added in TLS 1.2. 234 { 235 "AES128-SHA:AES128-SHA256:!TLSv1.2", 236 { 237 {TLS1_CK_RSA_WITH_AES_128_SHA, 0}, 238 }, 239 false, 240 }, 241 // The two directives have no intersection. But each component is valid, so 242 // even in strict mode it is accepted. 243 { 244 "AES128-SHA:AES128-SHA256:!TLSv1.2+SSLv3", 245 { 246 {TLS1_CK_RSA_WITH_AES_128_SHA, 0}, 247 {TLS1_CK_RSA_WITH_AES_128_SHA256, 0}, 248 }, 249 false, 250 }, 251}; 252 253static const char *kBadRules[] = { 254 // Invalid brackets. 255 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256", 256 "RSA]", 257 "[[RSA]]", 258 // Operators inside brackets. 259 "[+RSA]", 260 // Unknown directive. 261 "@BOGUS", 262 // Empty cipher lists error at SSL_CTX_set_cipher_list. 263 "", 264 "BOGUS", 265 // COMPLEMENTOFDEFAULT is empty. 266 "COMPLEMENTOFDEFAULT", 267 // Invalid command. 268 "?BAR", 269 // Special operators are not allowed if groups are used. 270 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:+FOO", 271 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:!FOO", 272 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:-FOO", 273 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:@STRENGTH", 274 // Opcode supplied, but missing selector. 275 "+", 276}; 277 278static const char *kMustNotIncludeNull[] = { 279 "ALL", 280 "DEFAULT", 281 "HIGH", 282 "FIPS", 283 "SHA", 284 "SHA1", 285 "RSA", 286 "SSLv3", 287 "TLSv1", 288 "TLSv1.2", 289}; 290 291static const CurveTest kCurveTests[] = { 292 { 293 "P-256", 294 { SSL_CURVE_SECP256R1 }, 295 }, 296 { 297 "P-256:P-384:P-521:X25519", 298 { 299 SSL_CURVE_SECP256R1, 300 SSL_CURVE_SECP384R1, 301 SSL_CURVE_SECP521R1, 302 SSL_CURVE_X25519, 303 }, 304 }, 305}; 306 307static const char *kBadCurvesLists[] = { 308 "", 309 ":", 310 "::", 311 "P-256::X25519", 312 "RSA:P-256", 313 "P-256:RSA", 314 "X25519:P-256:", 315 ":X25519:P-256", 316}; 317 318static void PrintCipherPreferenceList(ssl_cipher_preference_list_st *list) { 319 bool in_group = false; 320 for (size_t i = 0; i < sk_SSL_CIPHER_num(list->ciphers); i++) { 321 const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(list->ciphers, i); 322 if (!in_group && list->in_group_flags[i]) { 323 fprintf(stderr, "\t[\n"); 324 in_group = true; 325 } 326 fprintf(stderr, "\t"); 327 if (in_group) { 328 fprintf(stderr, " "); 329 } 330 fprintf(stderr, "%s\n", SSL_CIPHER_get_name(cipher)); 331 if (in_group && !list->in_group_flags[i]) { 332 fprintf(stderr, "\t]\n"); 333 in_group = false; 334 } 335 } 336} 337 338static bool TestCipherRule(const CipherTest &t) { 339 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method())); 340 if (!ctx) { 341 return false; 342 } 343 344 if (!SSL_CTX_set_cipher_list(ctx.get(), t.rule)) { 345 fprintf(stderr, "Error testing cipher rule '%s'\n", t.rule); 346 return false; 347 } 348 349 if (!SSL_CTX_set_strict_cipher_list(ctx.get(), t.rule) != t.strict_fail) { 350 fprintf(stderr, "Unexpected strict failure result testing cipher rule '%s':" 351 " expected %d\n", t.rule, t.strict_fail); 352 return false; 353 } 354 355 // Compare the two lists. 356 if (sk_SSL_CIPHER_num(ctx->cipher_list->ciphers) != t.expected.size()) { 357 fprintf(stderr, "Error: cipher rule '%s' evaluated to:\n", t.rule); 358 PrintCipherPreferenceList(ctx->cipher_list); 359 return false; 360 } 361 362 for (size_t i = 0; i < t.expected.size(); i++) { 363 const SSL_CIPHER *cipher = 364 sk_SSL_CIPHER_value(ctx->cipher_list->ciphers, i); 365 if (t.expected[i].id != SSL_CIPHER_get_id(cipher) || 366 t.expected[i].in_group_flag != ctx->cipher_list->in_group_flags[i]) { 367 fprintf(stderr, "Error: cipher rule '%s' evaluated to:\n", t.rule); 368 PrintCipherPreferenceList(ctx->cipher_list); 369 return false; 370 } 371 } 372 373 return true; 374} 375 376static bool TestRuleDoesNotIncludeNull(const char *rule) { 377 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(SSLv23_server_method())); 378 if (!ctx) { 379 return false; 380 } 381 if (!SSL_CTX_set_strict_cipher_list(ctx.get(), rule)) { 382 fprintf(stderr, "Error: cipher rule '%s' failed\n", rule); 383 return false; 384 } 385 for (size_t i = 0; i < sk_SSL_CIPHER_num(ctx->cipher_list->ciphers); i++) { 386 if (SSL_CIPHER_is_NULL(sk_SSL_CIPHER_value(ctx->cipher_list->ciphers, i))) { 387 fprintf(stderr, "Error: cipher rule '%s' includes NULL\n",rule); 388 return false; 389 } 390 } 391 return true; 392} 393 394static bool TestCipherRules() { 395 for (const CipherTest &test : kCipherTests) { 396 if (!TestCipherRule(test)) { 397 return false; 398 } 399 } 400 401 for (const char *rule : kBadRules) { 402 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(SSLv23_server_method())); 403 if (!ctx) { 404 return false; 405 } 406 if (SSL_CTX_set_cipher_list(ctx.get(), rule)) { 407 fprintf(stderr, "Cipher rule '%s' unexpectedly succeeded\n", rule); 408 return false; 409 } 410 ERR_clear_error(); 411 } 412 413 for (const char *rule : kMustNotIncludeNull) { 414 if (!TestRuleDoesNotIncludeNull(rule)) { 415 return false; 416 } 417 } 418 419 return true; 420} 421 422static bool TestCurveRule(const CurveTest &t) { 423 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method())); 424 if (!ctx) { 425 return false; 426 } 427 428 if (!SSL_CTX_set1_curves_list(ctx.get(), t.rule)) { 429 fprintf(stderr, "Error testing curves list '%s'\n", t.rule); 430 return false; 431 } 432 433 // Compare the two lists. 434 if (ctx->supported_group_list_len != t.expected.size()) { 435 fprintf(stderr, "Error testing curves list '%s': length\n", t.rule); 436 return false; 437 } 438 439 for (size_t i = 0; i < t.expected.size(); i++) { 440 if (t.expected[i] != ctx->supported_group_list[i]) { 441 fprintf(stderr, "Error testing curves list '%s': mismatch\n", t.rule); 442 return false; 443 } 444 } 445 446 return true; 447} 448 449static bool TestCurveRules() { 450 for (const CurveTest &test : kCurveTests) { 451 if (!TestCurveRule(test)) { 452 return false; 453 } 454 } 455 456 for (const char *rule : kBadCurvesLists) { 457 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(SSLv23_server_method())); 458 if (!ctx) { 459 return false; 460 } 461 if (SSL_CTX_set1_curves_list(ctx.get(), rule)) { 462 fprintf(stderr, "Curves list '%s' unexpectedly succeeded\n", rule); 463 return false; 464 } 465 ERR_clear_error(); 466 } 467 468 return true; 469} 470 471// kOpenSSLSession is a serialized SSL_SESSION. 472static const char kOpenSSLSession[] = 473 "MIIFqgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ" 474 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH" 475 "IWoJoQYCBFRDO46iBAICASyjggR6MIIEdjCCA16gAwIBAgIIK9dUvsPWSlUwDQYJ" 476 "KoZIhvcNAQEFBQAwSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMx" 477 "JTAjBgNVBAMTHEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTQxMDA4" 478 "MTIwNzU3WhcNMTUwMTA2MDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwK" 479 "Q2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29v" 480 "Z2xlIEluYzEXMBUGA1UEAwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEB" 481 "AQUAA4IBDwAwggEKAoIBAQCcKeLrplAC+Lofy8t/wDwtB6eu72CVp0cJ4V3lknN6" 482 "huH9ct6FFk70oRIh/VBNBBz900jYy+7111Jm1b8iqOTQ9aT5C7SEhNcQFJvqzH3e" 483 "MPkb6ZSWGm1yGF7MCQTGQXF20Sk/O16FSjAynU/b3oJmOctcycWYkY0ytS/k3LBu" 484 "Id45PJaoMqjB0WypqvNeJHC3q5JjCB4RP7Nfx5jjHSrCMhw8lUMW4EaDxjaR9KDh" 485 "PLgjsk+LDIySRSRDaCQGhEOWLJZVLzLo4N6/UlctCHEllpBUSvEOyFga52qroGjg" 486 "rf3WOQ925MFwzd6AK+Ich0gDRg8sQfdLH5OuP1cfLfU1AgMBAAGjggFBMIIBPTAd" 487 "BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdv" 488 "b2dsZS5jb20waAYIKwYBBQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtp" 489 "Lmdvb2dsZS5jb20vR0lBRzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50" 490 "czEuZ29vZ2xlLmNvbS9vY3NwMB0GA1UdDgQWBBQ7a+CcxsZByOpc+xpYFcIbnUMZ" 491 "hTAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEv" 492 "MBcGA1UdIAQQMA4wDAYKKwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRw" 493 "Oi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQCa" 494 "OXCBdoqUy5bxyq+Wrh1zsyyCFim1PH5VU2+yvDSWrgDY8ibRGJmfff3r4Lud5kal" 495 "dKs9k8YlKD3ITG7P0YT/Rk8hLgfEuLcq5cc0xqmE42xJ+Eo2uzq9rYorc5emMCxf" 496 "5L0TJOXZqHQpOEcuptZQ4OjdYMfSxk5UzueUhA3ogZKRcRkdB3WeWRp+nYRhx4St" 497 "o2rt2A0MKmY9165GHUqMK9YaaXHDXqBu7Sefr1uSoAP9gyIJKeihMivsGqJ1TD6Z" 498 "cc6LMe+dN2P8cZEQHtD1y296ul4Mivqk3jatUVL8/hCwgch9A8O4PGZq9WqBfEWm" 499 "IyHh1dPtbg1lOXdYCWtjpAIEAKUDAgEUqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36S" 500 "YTcLEkXqKwOBfF9vE4KX0NxeLwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9B" 501 "sNHM362zZnY27GpTw+Kwd751CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yE" 502 "OTDKPNj3+inbMaVigtK4PLyPq+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdA" 503 "i4gv7Y5oliyntgMBAQA="; 504 505// kCustomSession is a custom serialized SSL_SESSION generated by 506// filling in missing fields from |kOpenSSLSession|. This includes 507// providing |peer_sha256|, so |peer| is not serialized. 508static const char kCustomSession[] = 509 "MIIBdgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ" 510 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH" 511 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE" 512 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe" 513 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751" 514 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP" 515 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG" 516 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBLADBAEF"; 517 518// kBoringSSLSession is a serialized SSL_SESSION generated from bssl client. 519static const char kBoringSSLSession[] = 520 "MIIRwQIBAQICAwMEAsAvBCDdoGxGK26mR+8lM0uq6+k9xYuxPnwAjpcF9n0Yli9R" 521 "kQQwbyshfWhdi5XQ1++7n2L1qqrcVlmHBPpr6yknT/u4pUrpQB5FZ7vqvNn8MdHf" 522 "9rWgoQYCBFXgs7uiBAICHCCjggR6MIIEdjCCA16gAwIBAgIIf+yfD7Y6UicwDQYJ" 523 "KoZIhvcNAQELBQAwSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMx" 524 "JTAjBgNVBAMTHEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTUwODEy" 525 "MTQ1MzE1WhcNMTUxMTEwMDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwK" 526 "Q2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29v" 527 "Z2xlIEluYzEXMBUGA1UEAwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEB" 528 "AQUAA4IBDwAwggEKAoIBAQC0MeG5YGQ0t+IeJeoneP/PrhEaieibeKYkbKVLNZpo" 529 "PLuBinvhkXZo3DC133NpCBpy6ZktBwamqyixAyuk/NU6OjgXqwwxfQ7di1AInLIU" 530 "792c7hFyNXSUCG7At8Ifi3YwBX9Ba6u/1d6rWTGZJrdCq3QU11RkKYyTq2KT5mce" 531 "Tv9iGKqSkSTlp8puy/9SZ/3DbU3U+BuqCFqeSlz7zjwFmk35acdCilpJlVDDN5C/" 532 "RCh8/UKc8PaL+cxlt531qoTENvYrflBno14YEZlCBZsPiFeUSILpKEj3Ccwhy0eL" 533 "EucWQ72YZU8mUzXBoXGn0zA0crFl5ci/2sTBBGZsylNBAgMBAAGjggFBMIIBPTAd" 534 "BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdv" 535 "b2dsZS5jb20waAYIKwYBBQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtp" 536 "Lmdvb2dsZS5jb20vR0lBRzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50" 537 "czEuZ29vZ2xlLmNvbS9vY3NwMB0GA1UdDgQWBBS/bzHxcE73Q4j3slC4BLbMtLjG" 538 "GjAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEv" 539 "MBcGA1UdIAQQMA4wDAYKKwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRw" 540 "Oi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQAb" 541 "qdWPZEHk0X7iKPCTHL6S3w6q1eR67goxZGFSM1lk1hjwyu7XcLJuvALVV9uY3ovE" 542 "kQZSHwT+pyOPWQhsSjO+1GyjvCvK/CAwiUmBX+bQRGaqHsRcio7xSbdVcajQ3bXd" 543 "X+s0WdbOpn6MStKAiBVloPlSxEI8pxY6x/BBCnTIk/+DMB17uZlOjG3vbAnkDkP+" 544 "n0OTucD9sHV7EVj9XUxi51nOfNBCN/s7lpUjDS/NJ4k3iwOtbCPswiot8vLO779a" 545 "f07vR03r349Iz/KTzk95rlFtX0IU+KYNxFNsanIXZ+C9FYGRXkwhHcvFb4qMUB1y" 546 "TTlM80jBMOwyjZXmjRAhpAIEAKUDAgEUqQUCAwGJwKqBpwSBpOgebbmn9NRUtMWH" 547 "+eJpqA5JLMFSMCChOsvKey3toBaCNGU7HfAEiiXNuuAdCBoK262BjQc2YYfqFzqH" 548 "zuppopXCvhohx7j/tnCNZIMgLYt/O9SXK2RYI5z8FhCCHvB4CbD5G0LGl5EFP27s" 549 "Jb6S3aTTYPkQe8yZSlxevg6NDwmTogLO9F7UUkaYmVcMQhzssEE2ZRYNwSOU6KjE" 550 "0Yj+8fAiBtbQriIEIN2L8ZlpaVrdN5KFNdvcmOxJu81P8q53X55xQyGTnGWwsgMC" 551 "ARezggvvMIIEdjCCA16gAwIBAgIIf+yfD7Y6UicwDQYJKoZIhvcNAQELBQAwSTEL" 552 "MAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2ds" 553 "ZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTUwODEyMTQ1MzE1WhcNMTUxMTEw" 554 "MDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQG" 555 "A1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UE" 556 "AwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB" 557 "AQC0MeG5YGQ0t+IeJeoneP/PrhEaieibeKYkbKVLNZpoPLuBinvhkXZo3DC133Np" 558 "CBpy6ZktBwamqyixAyuk/NU6OjgXqwwxfQ7di1AInLIU792c7hFyNXSUCG7At8If" 559 "i3YwBX9Ba6u/1d6rWTGZJrdCq3QU11RkKYyTq2KT5mceTv9iGKqSkSTlp8puy/9S" 560 "Z/3DbU3U+BuqCFqeSlz7zjwFmk35acdCilpJlVDDN5C/RCh8/UKc8PaL+cxlt531" 561 "qoTENvYrflBno14YEZlCBZsPiFeUSILpKEj3Ccwhy0eLEucWQ72YZU8mUzXBoXGn" 562 "0zA0crFl5ci/2sTBBGZsylNBAgMBAAGjggFBMIIBPTAdBgNVHSUEFjAUBggrBgEF" 563 "BQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYB" 564 "BQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lB" 565 "RzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9v" 566 "Y3NwMB0GA1UdDgQWBBS/bzHxcE73Q4j3slC4BLbMtLjGGjAMBgNVHRMBAf8EAjAA" 567 "MB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMBcGA1UdIAQQMA4wDAYK" 568 "KwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRwOi8vcGtpLmdvb2dsZS5j" 569 "b20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQAbqdWPZEHk0X7iKPCTHL6S" 570 "3w6q1eR67goxZGFSM1lk1hjwyu7XcLJuvALVV9uY3ovEkQZSHwT+pyOPWQhsSjO+" 571 "1GyjvCvK/CAwiUmBX+bQRGaqHsRcio7xSbdVcajQ3bXdX+s0WdbOpn6MStKAiBVl" 572 "oPlSxEI8pxY6x/BBCnTIk/+DMB17uZlOjG3vbAnkDkP+n0OTucD9sHV7EVj9XUxi" 573 "51nOfNBCN/s7lpUjDS/NJ4k3iwOtbCPswiot8vLO779af07vR03r349Iz/KTzk95" 574 "rlFtX0IU+KYNxFNsanIXZ+C9FYGRXkwhHcvFb4qMUB1yTTlM80jBMOwyjZXmjRAh" 575 "MIID8DCCAtigAwIBAgIDAjqDMA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT" 576 "MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i" 577 "YWwgQ0EwHhcNMTMwNDA1MTUxNTU2WhcNMTYxMjMxMjM1OTU5WjBJMQswCQYDVQQG" 578 "EwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVy" 579 "bmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB" 580 "AJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NP" 581 "VaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtv" 582 "h8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rE" 583 "ahqyzFPdFUuLH8gZYR/Nnag+YyuENWllhMgZxUYi+FOVvuOAShDGKuy6lyARxzmZ" 584 "EASg8GF6lSWMTlJ14rbtCMoU/M4iarNOz0YDl5cDfsCx3nuvRTPPuj5xt970JSXC" 585 "DTWJnZ37DhF5iR43xa+OcmkCAwEAAaOB5zCB5DAfBgNVHSMEGDAWgBTAephojYn7" 586 "qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1dvWBtrtiGrpagS8wDgYD" 587 "VR0PAQH/BAQDAgEGMC4GCCsGAQUFBwEBBCIwIDAeBggrBgEFBQcwAYYSaHR0cDov" 588 "L2cuc3ltY2QuY29tMBIGA1UdEwEB/wQIMAYBAf8CAQAwNQYDVR0fBC4wLDAqoCig" 589 "JoYkaHR0cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9iYWwuY3JsMBcGA1UdIAQQ" 590 "MA4wDAYKKwYBBAHWeQIFATANBgkqhkiG9w0BAQsFAAOCAQEAqvqpIM1qZ4PtXtR+" 591 "3h3Ef+AlBgDFJPupyC1tft6dgmUsgWM0Zj7pUsIItMsv91+ZOmqcUHqFBYx90SpI" 592 "hNMJbHzCzTWf84LuUt5oX+QAihcglvcpjZpNy6jehsgNb1aHA30DP9z6eX0hGfnI" 593 "Oi9RdozHQZJxjyXON/hKTAAj78Q1EK7gI4BzfE00LshukNYQHpmEcxpw8u1VDu4X" 594 "Bupn7jLrLN1nBz/2i8Jw3lsA5rsb0zYaImxssDVCbJAJPZPpZAkiDoUGn8JzIdPm" 595 "X4DkjYUiOnMDsWCOrmji9D6X52ASCWg23jrW4kOVWzeBkoEfu43XrVJkFleW2V40" 596 "fsg12DCCA30wggLmoAMCAQICAxK75jANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQG" 597 "EwJVUzEQMA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUg" 598 "Q2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTAyMDUyMTA0MDAwMFoXDTE4MDgyMTA0" 599 "MDAwMFowQjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUdlb1RydXN0IEluYy4xGzAZ" 600 "BgNVBAMTEkdlb1RydXN0IEdsb2JhbCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP" 601 "ADCCAQoCggEBANrMGGMw/fQXIxpWflvfPGw45HG3eJHUvKHYTPioQ7YD6U0hBwiI" 602 "2lgvZjkpvQV4i5046AW3an5xpObEYKaw74DkiSgPniXW7YPzraaRx5jJQhg1FJ2t" 603 "mEaSLk/K8YdDwRaVVy1Q74ktgHpXrfLuX2vSAI25FPgUFTXZwEaje3LIkb/JVSvN" 604 "0Jc+nCZkzN/Ogxlxyk7m1NV7qRnNVd7I7NJeOFPlXE+MLf5QIzb8ZubLjqQ5GQC3" 605 "lQI5kQsO/jgu0R0FmvZNPm8PBx2vLB6PYDni+jZTEznUXiYr2z2oFL0y6xgDKFIE" 606 "ceWrMz3hOLsHNoRinHnqFjD0X8Ar6HFr5PkCAwEAAaOB8DCB7TAfBgNVHSMEGDAW" 607 "gBRI5mj5K9KylddH2CMgEE8zmJCf1DAdBgNVHQ4EFgQUwHqYaI2J+6sFZAwRfap9" 608 "ZbjKzE4wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwOgYDVR0fBDMw" 609 "MTAvoC2gK4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20vY3Jscy9zZWN1cmVjYS5j" 610 "cmwwTgYDVR0gBEcwRTBDBgRVHSAAMDswOQYIKwYBBQUHAgEWLWh0dHBzOi8vd3d3" 611 "Lmdlb3RydXN0LmNvbS9yZXNvdXJjZXMvcmVwb3NpdG9yeTANBgkqhkiG9w0BAQUF" 612 "AAOBgQB24RJuTksWEoYwBrKBCM/wCMfHcX5m7sLt1Dsf//DwyE7WQziwuTB9GNBV" 613 "g6JqyzYRnOhIZqNtf7gT1Ef+i1pcc/yu2RsyGTirlzQUqpbS66McFAhJtrvlke+D" 614 "NusdVm/K2rxzY5Dkf3s+Iss9B+1fOHSc4wNQTqGvmO5h8oQ/Eg=="; 615 616// kBadSessionExtraField is a custom serialized SSL_SESSION generated by replacing 617// the final (optional) element of |kCustomSession| with tag number 30. 618static const char kBadSessionExtraField[] = 619 "MIIBdgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ" 620 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH" 621 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE" 622 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe" 623 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751" 624 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP" 625 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG" 626 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBL4DBAEF"; 627 628// kBadSessionVersion is a custom serialized SSL_SESSION generated by replacing 629// the version of |kCustomSession| with 2. 630static const char kBadSessionVersion[] = 631 "MIIBdgIBAgICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ" 632 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH" 633 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE" 634 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe" 635 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751" 636 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP" 637 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG" 638 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBLADBAEF"; 639 640// kBadSessionTrailingData is a custom serialized SSL_SESSION with trailing data 641// appended. 642static const char kBadSessionTrailingData[] = 643 "MIIBdgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ" 644 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH" 645 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE" 646 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe" 647 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751" 648 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP" 649 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG" 650 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBLADBAEFAAAA"; 651 652static bool DecodeBase64(std::vector<uint8_t> *out, const char *in) { 653 size_t len; 654 if (!EVP_DecodedLength(&len, strlen(in))) { 655 fprintf(stderr, "EVP_DecodedLength failed\n"); 656 return false; 657 } 658 659 out->resize(len); 660 if (!EVP_DecodeBase64(out->data(), &len, len, (const uint8_t *)in, 661 strlen(in))) { 662 fprintf(stderr, "EVP_DecodeBase64 failed\n"); 663 return false; 664 } 665 out->resize(len); 666 return true; 667} 668 669static bool TestSSL_SESSIONEncoding(const char *input_b64) { 670 const uint8_t *cptr; 671 uint8_t *ptr; 672 673 // Decode the input. 674 std::vector<uint8_t> input; 675 if (!DecodeBase64(&input, input_b64)) { 676 return false; 677 } 678 679 // Verify the SSL_SESSION decodes. 680 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method())); 681 if (!ssl_ctx) { 682 return false; 683 } 684 bssl::UniquePtr<SSL_SESSION> session( 685 SSL_SESSION_from_bytes(input.data(), input.size(), ssl_ctx.get())); 686 if (!session) { 687 fprintf(stderr, "SSL_SESSION_from_bytes failed\n"); 688 return false; 689 } 690 691 // Verify the SSL_SESSION encoding round-trips. 692 size_t encoded_len; 693 bssl::UniquePtr<uint8_t> encoded; 694 uint8_t *encoded_raw; 695 if (!SSL_SESSION_to_bytes(session.get(), &encoded_raw, &encoded_len)) { 696 fprintf(stderr, "SSL_SESSION_to_bytes failed\n"); 697 return false; 698 } 699 encoded.reset(encoded_raw); 700 if (encoded_len != input.size() || 701 OPENSSL_memcmp(input.data(), encoded.get(), input.size()) != 0) { 702 fprintf(stderr, "SSL_SESSION_to_bytes did not round-trip\n"); 703 hexdump(stderr, "Before: ", input.data(), input.size()); 704 hexdump(stderr, "After: ", encoded_raw, encoded_len); 705 return false; 706 } 707 708 // Verify the SSL_SESSION also decodes with the legacy API. 709 cptr = input.data(); 710 session.reset(d2i_SSL_SESSION(NULL, &cptr, input.size())); 711 if (!session || cptr != input.data() + input.size()) { 712 fprintf(stderr, "d2i_SSL_SESSION failed\n"); 713 return false; 714 } 715 716 // Verify the SSL_SESSION encoding round-trips via the legacy API. 717 int len = i2d_SSL_SESSION(session.get(), NULL); 718 if (len < 0 || (size_t)len != input.size()) { 719 fprintf(stderr, "i2d_SSL_SESSION(NULL) returned invalid length\n"); 720 return false; 721 } 722 723 encoded.reset((uint8_t *)OPENSSL_malloc(input.size())); 724 if (!encoded) { 725 fprintf(stderr, "malloc failed\n"); 726 return false; 727 } 728 729 ptr = encoded.get(); 730 len = i2d_SSL_SESSION(session.get(), &ptr); 731 if (len < 0 || (size_t)len != input.size()) { 732 fprintf(stderr, "i2d_SSL_SESSION returned invalid length\n"); 733 return false; 734 } 735 if (ptr != encoded.get() + input.size()) { 736 fprintf(stderr, "i2d_SSL_SESSION did not advance ptr correctly\n"); 737 return false; 738 } 739 if (OPENSSL_memcmp(input.data(), encoded.get(), input.size()) != 0) { 740 fprintf(stderr, "i2d_SSL_SESSION did not round-trip\n"); 741 return false; 742 } 743 744 return true; 745} 746 747static bool TestBadSSL_SESSIONEncoding(const char *input_b64) { 748 std::vector<uint8_t> input; 749 if (!DecodeBase64(&input, input_b64)) { 750 return false; 751 } 752 753 // Verify that the SSL_SESSION fails to decode. 754 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method())); 755 if (!ssl_ctx) { 756 return false; 757 } 758 bssl::UniquePtr<SSL_SESSION> session( 759 SSL_SESSION_from_bytes(input.data(), input.size(), ssl_ctx.get())); 760 if (session) { 761 fprintf(stderr, "SSL_SESSION_from_bytes unexpectedly succeeded\n"); 762 return false; 763 } 764 ERR_clear_error(); 765 return true; 766} 767 768static bool TestDefaultVersion(uint16_t min_version, uint16_t max_version, 769 const SSL_METHOD *(*method)(void)) { 770 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method())); 771 if (!ctx) { 772 return false; 773 } 774 if (ctx->min_version != min_version || ctx->max_version != max_version) { 775 fprintf(stderr, "Got min %04x, max %04x; wanted min %04x, max %04x\n", 776 ctx->min_version, ctx->max_version, min_version, max_version); 777 return false; 778 } 779 return true; 780} 781 782static bool CipherGetRFCName(std::string *out, uint16_t value) { 783 const SSL_CIPHER *cipher = SSL_get_cipher_by_value(value); 784 if (cipher == NULL) { 785 return false; 786 } 787 bssl::UniquePtr<char> rfc_name(SSL_CIPHER_get_rfc_name(cipher)); 788 if (!rfc_name) { 789 return false; 790 } 791 out->assign(rfc_name.get()); 792 return true; 793} 794 795typedef struct { 796 int id; 797 const char *rfc_name; 798} CIPHER_RFC_NAME_TEST; 799 800static const CIPHER_RFC_NAME_TEST kCipherRFCNameTests[] = { 801 {SSL3_CK_RSA_DES_192_CBC3_SHA, "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}, 802 {TLS1_CK_RSA_WITH_AES_128_SHA, "TLS_RSA_WITH_AES_128_CBC_SHA"}, 803#ifdef BORINGSSL_ENABLE_DHE_TLS 804 {TLS1_CK_DHE_RSA_WITH_AES_256_SHA, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"}, 805 {TLS1_CK_DHE_RSA_WITH_AES_256_SHA256, 806 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"}, 807#endif 808 {TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256, 809 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"}, 810 {TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384, 811 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"}, 812 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 813 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}, 814 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 815 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"}, 816 {TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 817 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"}, 818 {TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA, 819 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA"}, 820 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 821 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"}, 822 {TLS1_CK_AES_256_GCM_SHA384, "TLS_AES_256_GCM_SHA384"}, 823 {TLS1_CK_AES_128_GCM_SHA256, "TLS_AES_128_GCM_SHA256"}, 824 {TLS1_CK_CHACHA20_POLY1305_SHA256, "TLS_CHACHA20_POLY1305_SHA256"}, 825}; 826 827static bool TestCipherGetRFCName(void) { 828 for (size_t i = 0; 829 i < OPENSSL_ARRAY_SIZE(kCipherRFCNameTests); i++) { 830 const CIPHER_RFC_NAME_TEST *test = &kCipherRFCNameTests[i]; 831 std::string rfc_name; 832 if (!CipherGetRFCName(&rfc_name, test->id & 0xffff)) { 833 fprintf(stderr, "SSL_CIPHER_get_rfc_name failed\n"); 834 return false; 835 } 836 if (rfc_name != test->rfc_name) { 837 fprintf(stderr, "SSL_CIPHER_get_rfc_name: got '%s', wanted '%s'\n", 838 rfc_name.c_str(), test->rfc_name); 839 return false; 840 } 841 } 842 return true; 843} 844 845// CreateSessionWithTicket returns a sample |SSL_SESSION| with the specified 846// version and ticket length or nullptr on failure. 847static bssl::UniquePtr<SSL_SESSION> CreateSessionWithTicket(uint16_t version, 848 size_t ticket_len) { 849 std::vector<uint8_t> der; 850 if (!DecodeBase64(&der, kOpenSSLSession)) { 851 return nullptr; 852 } 853 854 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method())); 855 if (!ssl_ctx) { 856 return nullptr; 857 } 858 bssl::UniquePtr<SSL_SESSION> session( 859 SSL_SESSION_from_bytes(der.data(), der.size(), ssl_ctx.get())); 860 if (!session) { 861 return nullptr; 862 } 863 864 session->ssl_version = version; 865 866 // Swap out the ticket for a garbage one. 867 OPENSSL_free(session->tlsext_tick); 868 session->tlsext_tick = reinterpret_cast<uint8_t*>(OPENSSL_malloc(ticket_len)); 869 if (session->tlsext_tick == nullptr) { 870 return nullptr; 871 } 872 OPENSSL_memset(session->tlsext_tick, 'a', ticket_len); 873 session->tlsext_ticklen = ticket_len; 874 875 // Fix up the timeout. 876#if defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE) 877 session->time = 1234; 878#else 879 session->time = time(NULL); 880#endif 881 return session; 882} 883 884static bool GetClientHello(SSL *ssl, std::vector<uint8_t> *out) { 885 bssl::UniquePtr<BIO> bio(BIO_new(BIO_s_mem())); 886 if (!bio) { 887 return false; 888 } 889 // Do not configure a reading BIO, but record what's written to a memory BIO. 890 BIO_up_ref(bio.get()); 891 SSL_set_bio(ssl, nullptr /* rbio */, bio.get()); 892 int ret = SSL_connect(ssl); 893 if (ret > 0) { 894 // SSL_connect should fail without a BIO to write to. 895 return false; 896 } 897 ERR_clear_error(); 898 899 const uint8_t *client_hello; 900 size_t client_hello_len; 901 if (!BIO_mem_contents(bio.get(), &client_hello, &client_hello_len)) { 902 return false; 903 } 904 *out = std::vector<uint8_t>(client_hello, client_hello + client_hello_len); 905 return true; 906} 907 908// GetClientHelloLen creates a client SSL connection with the specified version 909// and ticket length. It returns the length of the ClientHello, not including 910// the record header, on success and zero on error. 911static size_t GetClientHelloLen(uint16_t max_version, uint16_t session_version, 912 size_t ticket_len) { 913 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method())); 914 bssl::UniquePtr<SSL_SESSION> session = 915 CreateSessionWithTicket(session_version, ticket_len); 916 if (!ctx || !session) { 917 return 0; 918 } 919 920 // Set a one-element cipher list so the baseline ClientHello is unpadded. 921 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get())); 922 if (!ssl || !SSL_set_session(ssl.get(), session.get()) || 923 !SSL_set_strict_cipher_list(ssl.get(), "ECDHE-RSA-AES128-GCM-SHA256") || 924 !SSL_set_max_proto_version(ssl.get(), max_version)) { 925 return 0; 926 } 927 928 std::vector<uint8_t> client_hello; 929 if (!GetClientHello(ssl.get(), &client_hello) || 930 client_hello.size() <= SSL3_RT_HEADER_LENGTH) { 931 return 0; 932 } 933 934 return client_hello.size() - SSL3_RT_HEADER_LENGTH; 935} 936 937struct PaddingTest { 938 size_t input_len, padded_len; 939}; 940 941static const PaddingTest kPaddingTests[] = { 942 // ClientHellos of length below 0x100 do not require padding. 943 {0xfe, 0xfe}, 944 {0xff, 0xff}, 945 // ClientHellos of length 0x100 through 0x1fb are padded up to 0x200. 946 {0x100, 0x200}, 947 {0x123, 0x200}, 948 {0x1fb, 0x200}, 949 // ClientHellos of length 0x1fc through 0x1ff get padded beyond 0x200. The 950 // padding extension takes a minimum of four bytes plus one required content 951 // byte. (To work around yet more server bugs, we avoid empty final 952 // extensions.) 953 {0x1fc, 0x201}, 954 {0x1fd, 0x202}, 955 {0x1fe, 0x203}, 956 {0x1ff, 0x204}, 957 // Finally, larger ClientHellos need no padding. 958 {0x200, 0x200}, 959 {0x201, 0x201}, 960}; 961 962static bool TestPaddingExtension(uint16_t max_version, 963 uint16_t session_version) { 964 // Sample a baseline length. 965 size_t base_len = GetClientHelloLen(max_version, session_version, 1); 966 if (base_len == 0) { 967 return false; 968 } 969 970 for (const PaddingTest &test : kPaddingTests) { 971 if (base_len > test.input_len) { 972 fprintf(stderr, 973 "Baseline ClientHello too long (max_version = %04x, " 974 "session_version = %04x).\n", 975 max_version, session_version); 976 return false; 977 } 978 979 size_t padded_len = GetClientHelloLen(max_version, session_version, 980 1 + test.input_len - base_len); 981 if (padded_len != test.padded_len) { 982 fprintf(stderr, 983 "%u-byte ClientHello padded to %u bytes, not %u (max_version = " 984 "%04x, session_version = %04x).\n", 985 static_cast<unsigned>(test.input_len), 986 static_cast<unsigned>(padded_len), 987 static_cast<unsigned>(test.padded_len), max_version, 988 session_version); 989 return false; 990 } 991 } 992 993 return true; 994} 995 996// Test that |SSL_get_client_CA_list| echoes back the configured parameter even 997// before configuring as a server. 998TEST(SSLTest, ClientCAList) { 999 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method())); 1000 ASSERT_TRUE(ctx); 1001 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get())); 1002 ASSERT_TRUE(ssl); 1003 1004 bssl::UniquePtr<X509_NAME> name(X509_NAME_new()); 1005 ASSERT_TRUE(name); 1006 1007 bssl::UniquePtr<X509_NAME> name_dup(X509_NAME_dup(name.get())); 1008 ASSERT_TRUE(name_dup); 1009 1010 bssl::UniquePtr<STACK_OF(X509_NAME)> stack(sk_X509_NAME_new_null()); 1011 ASSERT_TRUE(stack); 1012 1013 ASSERT_TRUE(sk_X509_NAME_push(stack.get(), name_dup.get())); 1014 name_dup.release(); 1015 1016 // |SSL_set_client_CA_list| takes ownership. 1017 SSL_set_client_CA_list(ssl.get(), stack.release()); 1018 1019 STACK_OF(X509_NAME) *result = SSL_get_client_CA_list(ssl.get()); 1020 ASSERT_TRUE(result); 1021 ASSERT_EQ(1u, sk_X509_NAME_num(result)); 1022 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(result, 0), name.get())); 1023} 1024 1025static void AppendSession(SSL_SESSION *session, void *arg) { 1026 std::vector<SSL_SESSION*> *out = 1027 reinterpret_cast<std::vector<SSL_SESSION*>*>(arg); 1028 out->push_back(session); 1029} 1030 1031// ExpectCache returns true if |ctx|'s session cache consists of |expected|, in 1032// order. 1033static bool ExpectCache(SSL_CTX *ctx, 1034 const std::vector<SSL_SESSION*> &expected) { 1035 // Check the linked list. 1036 SSL_SESSION *ptr = ctx->session_cache_head; 1037 for (SSL_SESSION *session : expected) { 1038 if (ptr != session) { 1039 return false; 1040 } 1041 // TODO(davidben): This is an absurd way to denote the end of the list. 1042 if (ptr->next == 1043 reinterpret_cast<SSL_SESSION *>(&ctx->session_cache_tail)) { 1044 ptr = nullptr; 1045 } else { 1046 ptr = ptr->next; 1047 } 1048 } 1049 if (ptr != nullptr) { 1050 return false; 1051 } 1052 1053 // Check the hash table. 1054 std::vector<SSL_SESSION*> actual, expected_copy; 1055 lh_SSL_SESSION_doall_arg(SSL_CTX_sessions(ctx), AppendSession, &actual); 1056 expected_copy = expected; 1057 1058 std::sort(actual.begin(), actual.end()); 1059 std::sort(expected_copy.begin(), expected_copy.end()); 1060 1061 return actual == expected_copy; 1062} 1063 1064static bssl::UniquePtr<SSL_SESSION> CreateTestSession(uint32_t number) { 1065 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method())); 1066 if (!ssl_ctx) { 1067 return nullptr; 1068 } 1069 bssl::UniquePtr<SSL_SESSION> ret(SSL_SESSION_new(ssl_ctx.get())); 1070 if (!ret) { 1071 return nullptr; 1072 } 1073 1074 ret->session_id_length = SSL3_SSL_SESSION_ID_LENGTH; 1075 OPENSSL_memset(ret->session_id, 0, ret->session_id_length); 1076 OPENSSL_memcpy(ret->session_id, &number, sizeof(number)); 1077 return ret; 1078} 1079 1080// Test that the internal session cache behaves as expected. 1081static bool TestInternalSessionCache() { 1082 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method())); 1083 if (!ctx) { 1084 return false; 1085 } 1086 1087 // Prepare 10 test sessions. 1088 std::vector<bssl::UniquePtr<SSL_SESSION>> sessions; 1089 for (int i = 0; i < 10; i++) { 1090 bssl::UniquePtr<SSL_SESSION> session = CreateTestSession(i); 1091 if (!session) { 1092 return false; 1093 } 1094 sessions.push_back(std::move(session)); 1095 } 1096 1097 SSL_CTX_sess_set_cache_size(ctx.get(), 5); 1098 1099 // Insert all the test sessions. 1100 for (const auto &session : sessions) { 1101 if (!SSL_CTX_add_session(ctx.get(), session.get())) { 1102 return false; 1103 } 1104 } 1105 1106 // Only the last five should be in the list. 1107 std::vector<SSL_SESSION*> expected = { 1108 sessions[9].get(), 1109 sessions[8].get(), 1110 sessions[7].get(), 1111 sessions[6].get(), 1112 sessions[5].get(), 1113 }; 1114 if (!ExpectCache(ctx.get(), expected)) { 1115 return false; 1116 } 1117 1118 // Inserting an element already in the cache should fail. 1119 if (SSL_CTX_add_session(ctx.get(), sessions[7].get()) || 1120 !ExpectCache(ctx.get(), expected)) { 1121 return false; 1122 } 1123 1124 // Although collisions should be impossible (256-bit session IDs), the cache 1125 // must handle them gracefully. 1126 bssl::UniquePtr<SSL_SESSION> collision(CreateTestSession(7)); 1127 if (!collision || !SSL_CTX_add_session(ctx.get(), collision.get())) { 1128 return false; 1129 } 1130 expected = { 1131 collision.get(), 1132 sessions[9].get(), 1133 sessions[8].get(), 1134 sessions[6].get(), 1135 sessions[5].get(), 1136 }; 1137 if (!ExpectCache(ctx.get(), expected)) { 1138 return false; 1139 } 1140 1141 // Removing sessions behaves correctly. 1142 if (!SSL_CTX_remove_session(ctx.get(), sessions[6].get())) { 1143 return false; 1144 } 1145 expected = { 1146 collision.get(), 1147 sessions[9].get(), 1148 sessions[8].get(), 1149 sessions[5].get(), 1150 }; 1151 if (!ExpectCache(ctx.get(), expected)) { 1152 return false; 1153 } 1154 1155 // Removing sessions requires an exact match. 1156 if (SSL_CTX_remove_session(ctx.get(), sessions[0].get()) || 1157 SSL_CTX_remove_session(ctx.get(), sessions[7].get()) || 1158 !ExpectCache(ctx.get(), expected)) { 1159 return false; 1160 } 1161 1162 return true; 1163} 1164 1165static uint16_t EpochFromSequence(uint64_t seq) { 1166 return static_cast<uint16_t>(seq >> 48); 1167} 1168 1169static bssl::UniquePtr<X509> GetTestCertificate() { 1170 static const char kCertPEM[] = 1171 "-----BEGIN CERTIFICATE-----\n" 1172 "MIICWDCCAcGgAwIBAgIJAPuwTC6rEJsMMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV\n" 1173 "BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX\n" 1174 "aWRnaXRzIFB0eSBMdGQwHhcNMTQwNDIzMjA1MDQwWhcNMTcwNDIyMjA1MDQwWjBF\n" 1175 "MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50\n" 1176 "ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\n" 1177 "gQDYK8imMuRi/03z0K1Zi0WnvfFHvwlYeyK9Na6XJYaUoIDAtB92kWdGMdAQhLci\n" 1178 "HnAjkXLI6W15OoV3gA/ElRZ1xUpxTMhjP6PyY5wqT5r6y8FxbiiFKKAnHmUcrgfV\n" 1179 "W28tQ+0rkLGMryRtrukXOgXBv7gcrmU7G1jC2a7WqmeI8QIDAQABo1AwTjAdBgNV\n" 1180 "HQ4EFgQUi3XVrMsIvg4fZbf6Vr5sp3Xaha8wHwYDVR0jBBgwFoAUi3XVrMsIvg4f\n" 1181 "Zbf6Vr5sp3Xaha8wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQA76Hht\n" 1182 "ldY9avcTGSwbwoiuIqv0jTL1fHFnzy3RHMLDh+Lpvolc5DSrSJHCP5WuK0eeJXhr\n" 1183 "T5oQpHL9z/cCDLAKCKRa4uV0fhEdOWBqyR9p8y5jJtye72t6CuFUV5iqcpF4BH4f\n" 1184 "j2VNHwsSrJwkD4QUGlUtH7vwnQmyCFxZMmWAJg==\n" 1185 "-----END CERTIFICATE-----\n"; 1186 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(kCertPEM, strlen(kCertPEM))); 1187 return bssl::UniquePtr<X509>( 1188 PEM_read_bio_X509(bio.get(), nullptr, nullptr, nullptr)); 1189} 1190 1191static bssl::UniquePtr<EVP_PKEY> GetTestKey() { 1192 static const char kKeyPEM[] = 1193 "-----BEGIN RSA PRIVATE KEY-----\n" 1194 "MIICXgIBAAKBgQDYK8imMuRi/03z0K1Zi0WnvfFHvwlYeyK9Na6XJYaUoIDAtB92\n" 1195 "kWdGMdAQhLciHnAjkXLI6W15OoV3gA/ElRZ1xUpxTMhjP6PyY5wqT5r6y8FxbiiF\n" 1196 "KKAnHmUcrgfVW28tQ+0rkLGMryRtrukXOgXBv7gcrmU7G1jC2a7WqmeI8QIDAQAB\n" 1197 "AoGBAIBy09Fd4DOq/Ijp8HeKuCMKTHqTW1xGHshLQ6jwVV2vWZIn9aIgmDsvkjCe\n" 1198 "i6ssZvnbjVcwzSoByhjN8ZCf/i15HECWDFFh6gt0P5z0MnChwzZmvatV/FXCT0j+\n" 1199 "WmGNB/gkehKjGXLLcjTb6dRYVJSCZhVuOLLcbWIV10gggJQBAkEA8S8sGe4ezyyZ\n" 1200 "m4e9r95g6s43kPqtj5rewTsUxt+2n4eVodD+ZUlCULWVNAFLkYRTBCASlSrm9Xhj\n" 1201 "QpmWAHJUkQJBAOVzQdFUaewLtdOJoPCtpYoY1zd22eae8TQEmpGOR11L6kbxLQsk\n" 1202 "aMly/DOnOaa82tqAGTdqDEZgSNmCeKKknmECQAvpnY8GUOVAubGR6c+W90iBuQLj\n" 1203 "LtFp/9ihd2w/PoDwrHZaoUYVcT4VSfJQog/k7kjE4MYXYWL8eEKg3WTWQNECQQDk\n" 1204 "104Wi91Umd1PzF0ijd2jXOERJU1wEKe6XLkYYNHWQAe5l4J4MWj9OdxFXAxIuuR/\n" 1205 "tfDwbqkta4xcux67//khAkEAvvRXLHTaa6VFzTaiiO8SaFsHV3lQyXOtMrBpB5jd\n" 1206 "moZWgjHvB2W9Ckn7sDqsPB+U2tyX0joDdQEyuiMECDY8oQ==\n" 1207 "-----END RSA PRIVATE KEY-----\n"; 1208 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(kKeyPEM, strlen(kKeyPEM))); 1209 return bssl::UniquePtr<EVP_PKEY>( 1210 PEM_read_bio_PrivateKey(bio.get(), nullptr, nullptr, nullptr)); 1211} 1212 1213static bssl::UniquePtr<X509> GetECDSATestCertificate() { 1214 static const char kCertPEM[] = 1215 "-----BEGIN CERTIFICATE-----\n" 1216 "MIIBzzCCAXagAwIBAgIJANlMBNpJfb/rMAkGByqGSM49BAEwRTELMAkGA1UEBhMC\n" 1217 "QVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdp\n" 1218 "dHMgUHR5IEx0ZDAeFw0xNDA0MjMyMzIxNTdaFw0xNDA1MjMyMzIxNTdaMEUxCzAJ\n" 1219 "BgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5l\n" 1220 "dCBXaWRnaXRzIFB0eSBMdGQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATmK2ni\n" 1221 "v2Wfl74vHg2UikzVl2u3qR4NRvvdqakendy6WgHn1peoChj5w8SjHlbifINI2xYa\n" 1222 "HPUdfvGULUvPciLBo1AwTjAdBgNVHQ4EFgQUq4TSrKuV8IJOFngHVVdf5CaNgtEw\n" 1223 "HwYDVR0jBBgwFoAUq4TSrKuV8IJOFngHVVdf5CaNgtEwDAYDVR0TBAUwAwEB/zAJ\n" 1224 "BgcqhkjOPQQBA0gAMEUCIQDyoDVeUTo2w4J5m+4nUIWOcAZ0lVfSKXQA9L4Vh13E\n" 1225 "BwIgfB55FGohg/B6dGh5XxSZmmi08cueFV7mHzJSYV51yRQ=\n" 1226 "-----END CERTIFICATE-----\n"; 1227 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(kCertPEM, strlen(kCertPEM))); 1228 return bssl::UniquePtr<X509>(PEM_read_bio_X509(bio.get(), nullptr, nullptr, nullptr)); 1229} 1230 1231static bssl::UniquePtr<EVP_PKEY> GetECDSATestKey() { 1232 static const char kKeyPEM[] = 1233 "-----BEGIN PRIVATE KEY-----\n" 1234 "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgBw8IcnrUoEqc3VnJ\n" 1235 "TYlodwi1b8ldMHcO6NHJzgqLtGqhRANCAATmK2niv2Wfl74vHg2UikzVl2u3qR4N\n" 1236 "Rvvdqakendy6WgHn1peoChj5w8SjHlbifINI2xYaHPUdfvGULUvPciLB\n" 1237 "-----END PRIVATE KEY-----\n"; 1238 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(kKeyPEM, strlen(kKeyPEM))); 1239 return bssl::UniquePtr<EVP_PKEY>( 1240 PEM_read_bio_PrivateKey(bio.get(), nullptr, nullptr, nullptr)); 1241} 1242 1243static bssl::UniquePtr<CRYPTO_BUFFER> BufferFromPEM(const char *pem) { 1244 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(pem, strlen(pem))); 1245 char *name, *header; 1246 uint8_t *data; 1247 long data_len; 1248 if (!PEM_read_bio(bio.get(), &name, &header, &data, 1249 &data_len)) { 1250 return nullptr; 1251 } 1252 OPENSSL_free(name); 1253 OPENSSL_free(header); 1254 1255 auto ret = bssl::UniquePtr<CRYPTO_BUFFER>( 1256 CRYPTO_BUFFER_new(data, data_len, nullptr)); 1257 OPENSSL_free(data); 1258 return ret; 1259} 1260 1261static bssl::UniquePtr<CRYPTO_BUFFER> GetChainTestCertificateBuffer() { 1262 static const char kCertPEM[] = 1263 "-----BEGIN CERTIFICATE-----\n" 1264 "MIIC0jCCAbqgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEQiBD\n" 1265 "QTAeFw0xNjAyMjgyMDI3MDNaFw0yNjAyMjUyMDI3MDNaMBgxFjAUBgNVBAMMDUNs\n" 1266 "aWVudCBDZXJ0IEEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDRvaz8\n" 1267 "CC/cshpCafJo4jLkHEoBqDLhdgFelJoAiQUyIqyWl2O7YHPnpJH+TgR7oelzNzt/\n" 1268 "kLRcH89M/TszB6zqyLTC4aqmvzKL0peD/jL2LWBucR0WXIvjA3zoRuF/x86+rYH3\n" 1269 "tHb+xs2PSs8EGL/Ev+ss+qTzTGEn26fuGNHkNw6tOwPpc+o8+wUtzf/kAthamo+c\n" 1270 "IDs2rQ+lP7+aLZTLeU/q4gcLutlzcK5imex5xy2jPkweq48kijK0kIzl1cPlA5d1\n" 1271 "z7C8jU50Pj9X9sQDJTN32j7UYRisJeeYQF8GaaN8SbrDI6zHgKzrRLyxDt/KQa9V\n" 1272 "iLeXANgZi+Xx9KgfAgMBAAGjLzAtMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYI\n" 1273 "KwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQBFEVbmYl+2RtNw\n" 1274 "rDftRDF1v2QUbcN2ouSnQDHxeDQdSgasLzT3ui8iYu0Rw2WWcZ0DV5e0ztGPhWq7\n" 1275 "AO0B120aFRMOY+4+bzu9Q2FFkQqc7/fKTvTDzIJI5wrMnFvUfzzvxh3OHWMYSs/w\n" 1276 "giq33hTKeHEq6Jyk3btCny0Ycecyc3yGXH10sizUfiHlhviCkDuESk8mFDwDDzqW\n" 1277 "ZF0IipzFbEDHoIxLlm3GQxpiLoEV4k8KYJp3R5KBLFyxM6UGPz8h72mIPCJp2RuK\n" 1278 "MYgF91UDvVzvnYm6TfseM2+ewKirC00GOrZ7rEcFvtxnKSqYf4ckqfNdSU1Y+RRC\n" 1279 "1ngWZ7Ih\n" 1280 "-----END CERTIFICATE-----\n"; 1281 return BufferFromPEM(kCertPEM); 1282} 1283 1284static bssl::UniquePtr<X509> X509FromBuffer( 1285 bssl::UniquePtr<CRYPTO_BUFFER> buffer) { 1286 if (!buffer) { 1287 return nullptr; 1288 } 1289 const uint8_t *derp = CRYPTO_BUFFER_data(buffer.get()); 1290 return bssl::UniquePtr<X509>( 1291 d2i_X509(NULL, &derp, CRYPTO_BUFFER_len(buffer.get()))); 1292} 1293 1294static bssl::UniquePtr<X509> GetChainTestCertificate() { 1295 return X509FromBuffer(GetChainTestCertificateBuffer()); 1296} 1297 1298static bssl::UniquePtr<CRYPTO_BUFFER> GetChainTestIntermediateBuffer() { 1299 static const char kCertPEM[] = 1300 "-----BEGIN CERTIFICATE-----\n" 1301 "MIICwjCCAaqgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwFDESMBAGA1UEAwwJQyBS\n" 1302 "b290IENBMB4XDTE2MDIyODIwMjcwM1oXDTI2MDIyNTIwMjcwM1owDzENMAsGA1UE\n" 1303 "AwwEQiBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALsSCYmDip2D\n" 1304 "GkjFxw7ykz26JSjELkl6ArlYjFJ3aT/SCh8qbS4gln7RH8CPBd78oFdfhIKQrwtZ\n" 1305 "3/q21ykD9BAS3qHe2YdcJfm8/kWAy5DvXk6NXU4qX334KofBAEpgdA/igEFq1P1l\n" 1306 "HAuIfZCpMRfT+i5WohVsGi8f/NgpRvVaMONLNfgw57mz1lbtFeBEISmX0kbsuJxF\n" 1307 "Qj/Bwhi5/0HAEXG8e7zN4cEx0yPRvmOATRdVb/8dW2pwOHRJq9R5M0NUkIsTSnL7\n" 1308 "6N/z8hRAHMsV3IudC5Yd7GXW1AGu9a+iKU+Q4xcZCoj0DC99tL4VKujrV1kAeqsM\n" 1309 "cz5/dKzi6+cCAwEAAaMjMCEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n" 1310 "AQYwDQYJKoZIhvcNAQELBQADggEBAIIeZiEeNhWWQ8Y4D+AGDwqUUeG8NjCbKrXQ\n" 1311 "BlHg5wZ8xftFaiP1Dp/UAezmx2LNazdmuwrYB8lm3FVTyaPDTKEGIPS4wJKHgqH1\n" 1312 "QPDhqNm85ey7TEtI9oYjsNim/Rb+iGkIAMXaxt58SzxbjvP0kMr1JfJIZbic9vye\n" 1313 "NwIspMFIpP3FB8ywyu0T0hWtCQgL4J47nigCHpOu58deP88fS/Nyz/fyGVWOZ76b\n" 1314 "WhWwgM3P3X95fQ3d7oFPR/bVh0YV+Cf861INwplokXgXQ3/TCQ+HNXeAMWn3JLWv\n" 1315 "XFwk8owk9dq/kQGdndGgy3KTEW4ctPX5GNhf3LJ9Q7dLji4ReQ4=\n" 1316 "-----END CERTIFICATE-----\n"; 1317 return BufferFromPEM(kCertPEM); 1318} 1319 1320static bssl::UniquePtr<X509> GetChainTestIntermediate() { 1321 return X509FromBuffer(GetChainTestIntermediateBuffer()); 1322} 1323 1324static bssl::UniquePtr<EVP_PKEY> GetChainTestKey() { 1325 static const char kKeyPEM[] = 1326 "-----BEGIN PRIVATE KEY-----\n" 1327 "MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDRvaz8CC/cshpC\n" 1328 "afJo4jLkHEoBqDLhdgFelJoAiQUyIqyWl2O7YHPnpJH+TgR7oelzNzt/kLRcH89M\n" 1329 "/TszB6zqyLTC4aqmvzKL0peD/jL2LWBucR0WXIvjA3zoRuF/x86+rYH3tHb+xs2P\n" 1330 "Ss8EGL/Ev+ss+qTzTGEn26fuGNHkNw6tOwPpc+o8+wUtzf/kAthamo+cIDs2rQ+l\n" 1331 "P7+aLZTLeU/q4gcLutlzcK5imex5xy2jPkweq48kijK0kIzl1cPlA5d1z7C8jU50\n" 1332 "Pj9X9sQDJTN32j7UYRisJeeYQF8GaaN8SbrDI6zHgKzrRLyxDt/KQa9ViLeXANgZ\n" 1333 "i+Xx9KgfAgMBAAECggEBAK0VjSJzkyPaamcyTVSWjo7GdaBGcK60lk657RjR+lK0\n" 1334 "YJ7pkej4oM2hdsVZFsP8Cs4E33nXLa/0pDsRov/qrp0WQm2skwqGMC1I/bZ0WRPk\n" 1335 "wHaDrBBfESWnJDX/AGpVtlyOjPmgmK6J2usMPihQUDkKdAYrVWJePrMIxt1q6BMe\n" 1336 "iczs3qriMmtY3bUc4UyUwJ5fhDLjshHvfuIpYQyI6EXZM6dZksn9LylXJnigY6QJ\n" 1337 "HxOYO0BDwOsZ8yQ8J8afLk88i0GizEkgE1z3REtQUwgWfxr1WV/ud+T6/ZhSAgH9\n" 1338 "042mQvSFZnIUSEsmCvjhWuAunfxHKCTcAoYISWfzWpkCgYEA7gpf3HHU5Tn+CgUn\n" 1339 "1X5uGpG3DmcMgfeGgs2r2f/IIg/5Ac1dfYILiybL1tN9zbyLCJfcbFpWBc9hJL6f\n" 1340 "CPc5hUiwWFJqBJewxQkC1Ae/HakHbip+IZ+Jr0842O4BAArvixk4Lb7/N2Ct9sTE\n" 1341 "NJO6RtK9lbEZ5uK61DglHy8CS2UCgYEA4ZC1o36kPAMQBggajgnucb2yuUEelk0f\n" 1342 "AEr+GI32MGE+93xMr7rAhBoqLg4AITyIfEnOSQ5HwagnIHonBbv1LV/Gf9ursx8Z\n" 1343 "YOGbvT8zzzC+SU1bkDzdjAYnFQVGIjMtKOBJ3K07++ypwX1fr4QsQ8uKL8WSOWwt\n" 1344 "Z3Bym6XiZzMCgYADnhy+2OwHX85AkLt+PyGlPbmuelpyTzS4IDAQbBa6jcuW/2wA\n" 1345 "UE2km75VUXmD+u2R/9zVuLm99NzhFhSMqlUxdV1YukfqMfP5yp1EY6m/5aW7QuIP\n" 1346 "2MDa7TVL9rIFMiVZ09RKvbBbQxjhuzPQKL6X/PPspnhiTefQ+dl2k9xREQKBgHDS\n" 1347 "fMfGNEeAEKezrfSVqxphE9/tXms3L+ZpnCaT+yu/uEr5dTIAawKoQ6i9f/sf1/Sy\n" 1348 "xedsqR+IB+oKrzIDDWMgoJybN4pkZ8E5lzhVQIjFjKgFdWLzzqyW9z1gYfABQPlN\n" 1349 "FiS20WX0vgP1vcKAjdNrHzc9zyHBpgQzDmAj3NZZAoGBAI8vKCKdH7w3aL5CNkZQ\n" 1350 "2buIeWNA2HZazVwAGG5F2TU/LmXfRKnG6dX5bkU+AkBZh56jNZy//hfFSewJB4Kk\n" 1351 "buB7ERSdaNbO21zXt9FEA3+z0RfMd/Zv2vlIWOSB5nzl/7UKti3sribK6s9ZVLfi\n" 1352 "SxpiPQ8d/hmSGwn4ksrWUsJD\n" 1353 "-----END PRIVATE KEY-----\n"; 1354 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(kKeyPEM, strlen(kKeyPEM))); 1355 return bssl::UniquePtr<EVP_PKEY>( 1356 PEM_read_bio_PrivateKey(bio.get(), nullptr, nullptr, nullptr)); 1357} 1358 1359static bool CompleteHandshakes(SSL *client, SSL *server) { 1360 // Drive both their handshakes to completion. 1361 for (;;) { 1362 int client_ret = SSL_do_handshake(client); 1363 int client_err = SSL_get_error(client, client_ret); 1364 if (client_err != SSL_ERROR_NONE && 1365 client_err != SSL_ERROR_WANT_READ && 1366 client_err != SSL_ERROR_WANT_WRITE && 1367 client_err != SSL_ERROR_PENDING_TICKET) { 1368 fprintf(stderr, "Client error: %d\n", client_err); 1369 return false; 1370 } 1371 1372 int server_ret = SSL_do_handshake(server); 1373 int server_err = SSL_get_error(server, server_ret); 1374 if (server_err != SSL_ERROR_NONE && 1375 server_err != SSL_ERROR_WANT_READ && 1376 server_err != SSL_ERROR_WANT_WRITE && 1377 server_err != SSL_ERROR_PENDING_TICKET) { 1378 fprintf(stderr, "Server error: %d\n", server_err); 1379 return false; 1380 } 1381 1382 if (client_ret == 1 && server_ret == 1) { 1383 break; 1384 } 1385 } 1386 1387 return true; 1388} 1389 1390static bool ConnectClientAndServer(bssl::UniquePtr<SSL> *out_client, 1391 bssl::UniquePtr<SSL> *out_server, 1392 SSL_CTX *client_ctx, SSL_CTX *server_ctx, 1393 SSL_SESSION *session) { 1394 bssl::UniquePtr<SSL> client(SSL_new(client_ctx)), server(SSL_new(server_ctx)); 1395 if (!client || !server) { 1396 return false; 1397 } 1398 SSL_set_connect_state(client.get()); 1399 SSL_set_accept_state(server.get()); 1400 1401 SSL_set_session(client.get(), session); 1402 1403 BIO *bio1, *bio2; 1404 if (!BIO_new_bio_pair(&bio1, 0, &bio2, 0)) { 1405 return false; 1406 } 1407 // SSL_set_bio takes ownership. 1408 SSL_set_bio(client.get(), bio1, bio1); 1409 SSL_set_bio(server.get(), bio2, bio2); 1410 1411 if (!CompleteHandshakes(client.get(), server.get())) { 1412 return false; 1413 } 1414 1415 *out_client = std::move(client); 1416 *out_server = std::move(server); 1417 return true; 1418} 1419 1420static bool TestSequenceNumber(bool is_dtls, const SSL_METHOD *method, 1421 uint16_t version) { 1422 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method)); 1423 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method)); 1424 if (!server_ctx || !client_ctx || 1425 !SSL_CTX_set_min_proto_version(client_ctx.get(), version) || 1426 !SSL_CTX_set_max_proto_version(client_ctx.get(), version) || 1427 !SSL_CTX_set_min_proto_version(server_ctx.get(), version) || 1428 !SSL_CTX_set_max_proto_version(server_ctx.get(), version)) { 1429 return false; 1430 } 1431 1432 bssl::UniquePtr<X509> cert = GetTestCertificate(); 1433 bssl::UniquePtr<EVP_PKEY> key = GetTestKey(); 1434 if (!cert || !key || !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) || 1435 !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get())) { 1436 return false; 1437 } 1438 1439 bssl::UniquePtr<SSL> client, server; 1440 if (!ConnectClientAndServer(&client, &server, client_ctx.get(), 1441 server_ctx.get(), nullptr /* no session */)) { 1442 return false; 1443 } 1444 1445 // Drain any post-handshake messages to ensure there are no unread records 1446 // on either end. 1447 uint8_t byte = 0; 1448 if (SSL_read(client.get(), &byte, 1) > 0 || 1449 SSL_read(server.get(), &byte, 1) > 0) { 1450 fprintf(stderr, "Received unexpected data.\n"); 1451 return false; 1452 } 1453 1454 uint64_t client_read_seq = SSL_get_read_sequence(client.get()); 1455 uint64_t client_write_seq = SSL_get_write_sequence(client.get()); 1456 uint64_t server_read_seq = SSL_get_read_sequence(server.get()); 1457 uint64_t server_write_seq = SSL_get_write_sequence(server.get()); 1458 1459 if (is_dtls) { 1460 // Both client and server must be at epoch 1. 1461 if (EpochFromSequence(client_read_seq) != 1 || 1462 EpochFromSequence(client_write_seq) != 1 || 1463 EpochFromSequence(server_read_seq) != 1 || 1464 EpochFromSequence(server_write_seq) != 1) { 1465 fprintf(stderr, "Bad epochs.\n"); 1466 return false; 1467 } 1468 1469 // The next record to be written should exceed the largest received. 1470 if (client_write_seq <= server_read_seq || 1471 server_write_seq <= client_read_seq) { 1472 fprintf(stderr, "Inconsistent sequence numbers.\n"); 1473 return false; 1474 } 1475 } else { 1476 // The next record to be written should equal the next to be received. 1477 if (client_write_seq != server_read_seq || 1478 server_write_seq != client_read_seq) { 1479 fprintf(stderr, "Inconsistent sequence numbers.\n"); 1480 return false; 1481 } 1482 } 1483 1484 // Send a record from client to server. 1485 if (SSL_write(client.get(), &byte, 1) != 1 || 1486 SSL_read(server.get(), &byte, 1) != 1) { 1487 fprintf(stderr, "Could not send byte.\n"); 1488 return false; 1489 } 1490 1491 // The client write and server read sequence numbers should have 1492 // incremented. 1493 if (client_write_seq + 1 != SSL_get_write_sequence(client.get()) || 1494 server_read_seq + 1 != SSL_get_read_sequence(server.get())) { 1495 fprintf(stderr, "Sequence numbers did not increment.\n"); 1496 return false; 1497 } 1498 1499 return true; 1500} 1501 1502static bool TestOneSidedShutdown(bool is_dtls, const SSL_METHOD *method, 1503 uint16_t version) { 1504 // SSL_shutdown is a no-op in DTLS. 1505 if (is_dtls) { 1506 return true; 1507 } 1508 1509 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method)); 1510 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method)); 1511 bssl::UniquePtr<X509> cert = GetTestCertificate(); 1512 bssl::UniquePtr<EVP_PKEY> key = GetTestKey(); 1513 if (!client_ctx || !server_ctx || !cert || !key || 1514 !SSL_CTX_set_min_proto_version(server_ctx.get(), version) || 1515 !SSL_CTX_set_max_proto_version(server_ctx.get(), version) || 1516 !SSL_CTX_set_min_proto_version(client_ctx.get(), version) || 1517 !SSL_CTX_set_max_proto_version(client_ctx.get(), version) || 1518 !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) || 1519 !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get())) { 1520 return false; 1521 } 1522 1523 bssl::UniquePtr<SSL> client, server; 1524 if (!ConnectClientAndServer(&client, &server, client_ctx.get(), 1525 server_ctx.get(), nullptr /* no session */)) { 1526 return false; 1527 } 1528 1529 // Shut down half the connection. SSL_shutdown will return 0 to signal only 1530 // one side has shut down. 1531 if (SSL_shutdown(client.get()) != 0) { 1532 fprintf(stderr, "Could not shutdown.\n"); 1533 return false; 1534 } 1535 1536 // Reading from the server should consume the EOF. 1537 uint8_t byte; 1538 if (SSL_read(server.get(), &byte, 1) != 0 || 1539 SSL_get_error(server.get(), 0) != SSL_ERROR_ZERO_RETURN) { 1540 fprintf(stderr, "Connection was not shut down cleanly.\n"); 1541 return false; 1542 } 1543 1544 // However, the server may continue to write data and then shut down the 1545 // connection. 1546 byte = 42; 1547 if (SSL_write(server.get(), &byte, 1) != 1 || 1548 SSL_read(client.get(), &byte, 1) != 1 || 1549 byte != 42) { 1550 fprintf(stderr, "Could not send byte.\n"); 1551 return false; 1552 } 1553 1554 // The server may then shutdown the connection. 1555 if (SSL_shutdown(server.get()) != 1 || 1556 SSL_shutdown(client.get()) != 1) { 1557 fprintf(stderr, "Could not complete shutdown.\n"); 1558 return false; 1559 } 1560 1561 return true; 1562} 1563 1564TEST(SSLTest, SessionDuplication) { 1565 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method())); 1566 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method())); 1567 ASSERT_TRUE(client_ctx); 1568 ASSERT_TRUE(server_ctx); 1569 1570 bssl::UniquePtr<X509> cert = GetTestCertificate(); 1571 bssl::UniquePtr<EVP_PKEY> key = GetTestKey(); 1572 ASSERT_TRUE(cert); 1573 ASSERT_TRUE(key); 1574 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get())); 1575 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get())); 1576 1577 bssl::UniquePtr<SSL> client, server; 1578 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(), 1579 server_ctx.get(), 1580 nullptr /* no session */)); 1581 1582 SSL_SESSION *session0 = SSL_get_session(client.get()); 1583 bssl::UniquePtr<SSL_SESSION> session1( 1584 SSL_SESSION_dup(session0, SSL_SESSION_DUP_ALL)); 1585 ASSERT_TRUE(session1); 1586 1587 session1->not_resumable = 0; 1588 1589 uint8_t *s0_bytes, *s1_bytes; 1590 size_t s0_len, s1_len; 1591 1592 ASSERT_TRUE(SSL_SESSION_to_bytes(session0, &s0_bytes, &s0_len)); 1593 bssl::UniquePtr<uint8_t> free_s0(s0_bytes); 1594 1595 ASSERT_TRUE(SSL_SESSION_to_bytes(session1.get(), &s1_bytes, &s1_len)); 1596 bssl::UniquePtr<uint8_t> free_s1(s1_bytes); 1597 1598 EXPECT_EQ(Bytes(s0_bytes, s0_len), Bytes(s1_bytes, s1_len)); 1599} 1600 1601static void ExpectFDs(const SSL *ssl, int rfd, int wfd) { 1602 EXPECT_EQ(rfd, SSL_get_rfd(ssl)); 1603 EXPECT_EQ(wfd, SSL_get_wfd(ssl)); 1604 1605 // The wrapper BIOs are always equal when fds are equal, even if set 1606 // individually. 1607 if (rfd == wfd) { 1608 EXPECT_EQ(SSL_get_rbio(ssl), SSL_get_wbio(ssl)); 1609 } 1610} 1611 1612TEST(SSLTest, SetFD) { 1613 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method())); 1614 ASSERT_TRUE(ctx); 1615 1616 // Test setting different read and write FDs. 1617 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get())); 1618 ASSERT_TRUE(ssl); 1619 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1)); 1620 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 2)); 1621 ExpectFDs(ssl.get(), 1, 2); 1622 1623 // Test setting the same FD. 1624 ssl.reset(SSL_new(ctx.get())); 1625 ASSERT_TRUE(ssl); 1626 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1)); 1627 ExpectFDs(ssl.get(), 1, 1); 1628 1629 // Test setting the same FD one side at a time. 1630 ssl.reset(SSL_new(ctx.get())); 1631 ASSERT_TRUE(ssl); 1632 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1)); 1633 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 1)); 1634 ExpectFDs(ssl.get(), 1, 1); 1635 1636 // Test setting the same FD in the other order. 1637 ssl.reset(SSL_new(ctx.get())); 1638 ASSERT_TRUE(ssl); 1639 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 1)); 1640 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1)); 1641 ExpectFDs(ssl.get(), 1, 1); 1642 1643 // Test changing the read FD partway through. 1644 ssl.reset(SSL_new(ctx.get())); 1645 ASSERT_TRUE(ssl); 1646 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1)); 1647 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 2)); 1648 ExpectFDs(ssl.get(), 2, 1); 1649 1650 // Test changing the write FD partway through. 1651 ssl.reset(SSL_new(ctx.get())); 1652 ASSERT_TRUE(ssl); 1653 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1)); 1654 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 2)); 1655 ExpectFDs(ssl.get(), 1, 2); 1656 1657 // Test a no-op change to the read FD partway through. 1658 ssl.reset(SSL_new(ctx.get())); 1659 ASSERT_TRUE(ssl); 1660 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1)); 1661 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1)); 1662 ExpectFDs(ssl.get(), 1, 1); 1663 1664 // Test a no-op change to the write FD partway through. 1665 ssl.reset(SSL_new(ctx.get())); 1666 ASSERT_TRUE(ssl); 1667 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1)); 1668 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 1)); 1669 ExpectFDs(ssl.get(), 1, 1); 1670 1671 // ASan builds will implicitly test that the internal |BIO| reference-counting 1672 // is correct. 1673} 1674 1675TEST(SSLTest, SetBIO) { 1676 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method())); 1677 ASSERT_TRUE(ctx); 1678 1679 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get())); 1680 bssl::UniquePtr<BIO> bio1(BIO_new(BIO_s_mem())), bio2(BIO_new(BIO_s_mem())), 1681 bio3(BIO_new(BIO_s_mem())); 1682 ASSERT_TRUE(ssl); 1683 ASSERT_TRUE(bio1); 1684 ASSERT_TRUE(bio2); 1685 ASSERT_TRUE(bio3); 1686 1687 // SSL_set_bio takes one reference when the parameters are the same. 1688 BIO_up_ref(bio1.get()); 1689 SSL_set_bio(ssl.get(), bio1.get(), bio1.get()); 1690 1691 // Repeating the call does nothing. 1692 SSL_set_bio(ssl.get(), bio1.get(), bio1.get()); 1693 1694 // It takes one reference each when the parameters are different. 1695 BIO_up_ref(bio2.get()); 1696 BIO_up_ref(bio3.get()); 1697 SSL_set_bio(ssl.get(), bio2.get(), bio3.get()); 1698 1699 // Repeating the call does nothing. 1700 SSL_set_bio(ssl.get(), bio2.get(), bio3.get()); 1701 1702 // It takes one reference when changing only wbio. 1703 BIO_up_ref(bio1.get()); 1704 SSL_set_bio(ssl.get(), bio2.get(), bio1.get()); 1705 1706 // It takes one reference when changing only rbio and the two are different. 1707 BIO_up_ref(bio3.get()); 1708 SSL_set_bio(ssl.get(), bio3.get(), bio1.get()); 1709 1710 // If setting wbio to rbio, it takes no additional references. 1711 SSL_set_bio(ssl.get(), bio3.get(), bio3.get()); 1712 1713 // From there, wbio may be switched to something else. 1714 BIO_up_ref(bio1.get()); 1715 SSL_set_bio(ssl.get(), bio3.get(), bio1.get()); 1716 1717 // If setting rbio to wbio, it takes no additional references. 1718 SSL_set_bio(ssl.get(), bio1.get(), bio1.get()); 1719 1720 // From there, rbio may be switched to something else, but, for historical 1721 // reasons, it takes a reference to both parameters. 1722 BIO_up_ref(bio1.get()); 1723 BIO_up_ref(bio2.get()); 1724 SSL_set_bio(ssl.get(), bio2.get(), bio1.get()); 1725 1726 // ASAN builds will implicitly test that the internal |BIO| reference-counting 1727 // is correct. 1728} 1729 1730static int VerifySucceed(X509_STORE_CTX *store_ctx, void *arg) { return 1; } 1731 1732static bool TestGetPeerCertificate(bool is_dtls, const SSL_METHOD *method, 1733 uint16_t version) { 1734 bssl::UniquePtr<X509> cert = GetTestCertificate(); 1735 bssl::UniquePtr<EVP_PKEY> key = GetTestKey(); 1736 if (!cert || !key) { 1737 return false; 1738 } 1739 1740 // Configure both client and server to accept any certificate. 1741 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method)); 1742 if (!ctx || 1743 !SSL_CTX_use_certificate(ctx.get(), cert.get()) || 1744 !SSL_CTX_use_PrivateKey(ctx.get(), key.get()) || 1745 !SSL_CTX_set_min_proto_version(ctx.get(), version) || 1746 !SSL_CTX_set_max_proto_version(ctx.get(), version)) { 1747 return false; 1748 } 1749 SSL_CTX_set_verify( 1750 ctx.get(), SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nullptr); 1751 SSL_CTX_set_cert_verify_callback(ctx.get(), VerifySucceed, NULL); 1752 1753 bssl::UniquePtr<SSL> client, server; 1754 if (!ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(), 1755 nullptr /* no session */)) { 1756 return false; 1757 } 1758 1759 // Client and server should both see the leaf certificate. 1760 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(server.get())); 1761 if (!peer || X509_cmp(cert.get(), peer.get()) != 0) { 1762 fprintf(stderr, "Server peer certificate did not match.\n"); 1763 return false; 1764 } 1765 1766 peer.reset(SSL_get_peer_certificate(client.get())); 1767 if (!peer || X509_cmp(cert.get(), peer.get()) != 0) { 1768 fprintf(stderr, "Client peer certificate did not match.\n"); 1769 return false; 1770 } 1771 1772 // However, for historical reasons, the chain includes the leaf on the 1773 // client, but does not on the server. 1774 if (sk_X509_num(SSL_get_peer_cert_chain(client.get())) != 1) { 1775 fprintf(stderr, "Client peer chain was incorrect.\n"); 1776 return false; 1777 } 1778 1779 if (sk_X509_num(SSL_get_peer_cert_chain(server.get())) != 0) { 1780 fprintf(stderr, "Server peer chain was incorrect.\n"); 1781 return false; 1782 } 1783 1784 return true; 1785} 1786 1787static bool TestRetainOnlySHA256OfCerts(bool is_dtls, const SSL_METHOD *method, 1788 uint16_t version) { 1789 bssl::UniquePtr<X509> cert = GetTestCertificate(); 1790 bssl::UniquePtr<EVP_PKEY> key = GetTestKey(); 1791 if (!cert || !key) { 1792 return false; 1793 } 1794 1795 uint8_t *cert_der = NULL; 1796 int cert_der_len = i2d_X509(cert.get(), &cert_der); 1797 if (cert_der_len < 0) { 1798 return false; 1799 } 1800 bssl::UniquePtr<uint8_t> free_cert_der(cert_der); 1801 1802 uint8_t cert_sha256[SHA256_DIGEST_LENGTH]; 1803 SHA256(cert_der, cert_der_len, cert_sha256); 1804 1805 // Configure both client and server to accept any certificate, but the 1806 // server must retain only the SHA-256 of the peer. 1807 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method)); 1808 if (!ctx || 1809 !SSL_CTX_use_certificate(ctx.get(), cert.get()) || 1810 !SSL_CTX_use_PrivateKey(ctx.get(), key.get()) || 1811 !SSL_CTX_set_min_proto_version(ctx.get(), version) || 1812 !SSL_CTX_set_max_proto_version(ctx.get(), version)) { 1813 return false; 1814 } 1815 SSL_CTX_set_verify( 1816 ctx.get(), SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nullptr); 1817 SSL_CTX_set_cert_verify_callback(ctx.get(), VerifySucceed, NULL); 1818 SSL_CTX_set_retain_only_sha256_of_client_certs(ctx.get(), 1); 1819 1820 bssl::UniquePtr<SSL> client, server; 1821 if (!ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(), 1822 nullptr /* no session */)) { 1823 return false; 1824 } 1825 1826 // The peer certificate has been dropped. 1827 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(server.get())); 1828 if (peer) { 1829 fprintf(stderr, "Peer certificate was retained.\n"); 1830 return false; 1831 } 1832 1833 SSL_SESSION *session = SSL_get_session(server.get()); 1834 if (!session->peer_sha256_valid) { 1835 fprintf(stderr, "peer_sha256_valid was not set.\n"); 1836 return false; 1837 } 1838 1839 if (OPENSSL_memcmp(cert_sha256, session->peer_sha256, SHA256_DIGEST_LENGTH) != 1840 0) { 1841 fprintf(stderr, "peer_sha256 did not match.\n"); 1842 return false; 1843 } 1844 1845 return true; 1846} 1847 1848static bool ClientHelloMatches(uint16_t version, const uint8_t *expected, 1849 size_t expected_len) { 1850 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method())); 1851 // Our default cipher list varies by CPU capabilities, so manually place the 1852 // ChaCha20 ciphers in front. 1853 const char* cipher_list = 1854#ifdef BORINGSSL_ENABLE_DHE_TLS 1855 "!DHE:CHACHA20:ALL"; 1856#else 1857 "CHACHA20:ALL"; 1858#endif 1859 if (!ctx || 1860 !SSL_CTX_set_max_proto_version(ctx.get(), version) || 1861 !SSL_CTX_set_strict_cipher_list(ctx.get(), cipher_list)) { 1862 return false; 1863 } 1864 1865 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get())); 1866 if (!ssl) { 1867 return false; 1868 } 1869 std::vector<uint8_t> client_hello; 1870 if (!GetClientHello(ssl.get(), &client_hello)) { 1871 return false; 1872 } 1873 1874 // Zero the client_random. 1875 constexpr size_t kRandomOffset = 1 + 2 + 2 + // record header 1876 1 + 3 + // handshake message header 1877 2; // client_version 1878 if (client_hello.size() < kRandomOffset + SSL3_RANDOM_SIZE) { 1879 fprintf(stderr, "ClientHello for version %04x too short.\n", version); 1880 return false; 1881 } 1882 OPENSSL_memset(client_hello.data() + kRandomOffset, 0, SSL3_RANDOM_SIZE); 1883 1884 if (client_hello.size() != expected_len || 1885 OPENSSL_memcmp(client_hello.data(), expected, expected_len) != 0) { 1886 fprintf(stderr, "ClientHello for version %04x did not match:\n", version); 1887 fprintf(stderr, "Got:\n\t"); 1888 for (size_t i = 0; i < client_hello.size(); i++) { 1889 fprintf(stderr, "0x%02x, ", client_hello[i]); 1890 } 1891 fprintf(stderr, "\nWanted:\n\t"); 1892 for (size_t i = 0; i < expected_len; i++) { 1893 fprintf(stderr, "0x%02x, ", expected[i]); 1894 } 1895 fprintf(stderr, "\n"); 1896 return false; 1897 } 1898 1899 return true; 1900} 1901 1902// Tests that our ClientHellos do not change unexpectedly. 1903static bool TestClientHello() { 1904 static const uint8_t kSSL3ClientHello[] = { 1905 0x16, 1906 0x03, 0x00, 1907 0x00, 0x3b, 1908 0x01, 1909 0x00, 0x00, 0x37, 1910 0x03, 0x00, 1911 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1912 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1913 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1914 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1915 0x00, 1916 0x00, 0x10, 1917 0xc0, 0x09, 1918 0xc0, 0x13, 1919 0xc0, 0x0a, 1920 0xc0, 0x14, 1921 0x00, 0x2f, 1922 0x00, 0x35, 1923 0x00, 0x0a, 1924 0x00, 0xff, 0x01, 0x00, 1925 }; 1926 if (!ClientHelloMatches(SSL3_VERSION, kSSL3ClientHello, 1927 sizeof(kSSL3ClientHello))) { 1928 return false; 1929 } 1930 1931 static const uint8_t kTLS1ClientHello[] = { 1932 0x16, 1933 0x03, 0x01, 1934 0x00, 0x5a, 1935 0x01, 1936 0x00, 0x00, 0x56, 1937 0x03, 0x01, 1938 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1939 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1940 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1941 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1942 0x00, 1943 0x00, 0x0e, 1944 0xc0, 0x09, 1945 0xc0, 0x13, 1946 0xc0, 0x0a, 1947 0xc0, 0x14, 1948 0x00, 0x2f, 1949 0x00, 0x35, 1950 0x00, 0x0a, 1951 0x01, 0x00, 0x00, 0x1f, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x17, 0x00, 1952 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 1953 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 1954 }; 1955 if (!ClientHelloMatches(TLS1_VERSION, kTLS1ClientHello, 1956 sizeof(kTLS1ClientHello))) { 1957 return false; 1958 } 1959 1960 static const uint8_t kTLS11ClientHello[] = { 1961 0x16, 1962 0x03, 0x01, 1963 0x00, 0x5a, 1964 0x01, 1965 0x00, 0x00, 0x56, 1966 0x03, 0x02, 1967 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1968 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1969 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1970 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1971 0x00, 1972 0x00, 0x0e, 1973 0xc0, 0x09, 1974 0xc0, 0x13, 1975 0xc0, 0x0a, 1976 0xc0, 0x14, 1977 0x00, 0x2f, 1978 0x00, 0x35, 1979 0x00, 0x0a, 1980 0x01, 0x00, 0x00, 0x1f, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x17, 0x00, 1981 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 1982 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 1983 }; 1984 if (!ClientHelloMatches(TLS1_1_VERSION, kTLS11ClientHello, 1985 sizeof(kTLS11ClientHello))) { 1986 return false; 1987 } 1988 1989 // kTLS12ClientHello assumes RSA-PSS, which is disabled for Android system 1990 // builds. 1991#if defined(BORINGSSL_ANDROID_SYSTEM) 1992 return true; 1993#endif 1994 1995 static const uint8_t kTLS12ClientHello[] = { 1996 0x16, 1997 0x03, 0x01, 1998 0x00, 0x8e, 1999 0x01, 2000 0x00, 0x00, 0x8a, 2001 0x03, 0x03, 2002 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2003 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2004 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2005 0x00, 0x2a, 2006 0xcc, 0xa9, 2007 0xcc, 0xa8, 2008 0xc0, 0x2b, 2009 0xc0, 0x2f, 2010 0xc0, 0x2c, 2011 0xc0, 0x30, 2012 0xc0, 0x09, 2013 0xc0, 0x23, 2014 0xc0, 0x13, 2015 0xc0, 0x27, 2016 0xc0, 0x0a, 2017 0xc0, 0x24, 2018 0xc0, 0x14, 2019 0xc0, 0x28, 2020 0x00, 0x9c, 2021 0x00, 0x9d, 2022 0x00, 0x2f, 2023 0x00, 0x3c, 2024 0x00, 0x35, 2025 0x00, 0x3d, 2026 0x00, 0x0a, 2027 0x01, 0x00, 0x00, 0x37, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x17, 0x00, 2028 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x14, 0x00, 0x12, 0x04, 2029 0x03, 0x08, 0x04, 0x04, 0x01, 0x05, 0x03, 0x08, 0x05, 0x05, 0x01, 0x08, 2030 0x06, 0x06, 0x01, 0x02, 0x01, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 2031 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 2032 }; 2033 if (!ClientHelloMatches(TLS1_2_VERSION, kTLS12ClientHello, 2034 sizeof(kTLS12ClientHello))) { 2035 return false; 2036 } 2037 2038 // TODO(davidben): Add a change detector for TLS 1.3 once the spec and our 2039 // implementation has settled enough that it won't change. 2040 2041 return true; 2042} 2043 2044static bssl::UniquePtr<SSL_SESSION> g_last_session; 2045 2046static int SaveLastSession(SSL *ssl, SSL_SESSION *session) { 2047 // Save the most recent session. 2048 g_last_session.reset(session); 2049 return 1; 2050} 2051 2052static bssl::UniquePtr<SSL_SESSION> CreateClientSession(SSL_CTX *client_ctx, 2053 SSL_CTX *server_ctx) { 2054 g_last_session = nullptr; 2055 SSL_CTX_sess_set_new_cb(client_ctx, SaveLastSession); 2056 2057 // Connect client and server to get a session. 2058 bssl::UniquePtr<SSL> client, server; 2059 if (!ConnectClientAndServer(&client, &server, client_ctx, server_ctx, 2060 nullptr /* no session */)) { 2061 fprintf(stderr, "Failed to connect client and server.\n"); 2062 return nullptr; 2063 } 2064 2065 // Run the read loop to account for post-handshake tickets in TLS 1.3. 2066 SSL_read(client.get(), nullptr, 0); 2067 2068 SSL_CTX_sess_set_new_cb(client_ctx, nullptr); 2069 2070 if (!g_last_session) { 2071 fprintf(stderr, "Client did not receive a session.\n"); 2072 return nullptr; 2073 } 2074 return std::move(g_last_session); 2075} 2076 2077static bool ExpectSessionReused(SSL_CTX *client_ctx, SSL_CTX *server_ctx, 2078 SSL_SESSION *session, 2079 bool reused) { 2080 bssl::UniquePtr<SSL> client, server; 2081 if (!ConnectClientAndServer(&client, &server, client_ctx, 2082 server_ctx, session)) { 2083 fprintf(stderr, "Failed to connect client and server.\n"); 2084 return false; 2085 } 2086 2087 if (SSL_session_reused(client.get()) != SSL_session_reused(server.get())) { 2088 fprintf(stderr, "Client and server were inconsistent.\n"); 2089 return false; 2090 } 2091 2092 bool was_reused = !!SSL_session_reused(client.get()); 2093 if (was_reused != reused) { 2094 fprintf(stderr, "Session was%s reused, but we expected the opposite.\n", 2095 was_reused ? "" : " not"); 2096 return false; 2097 } 2098 2099 return true; 2100} 2101 2102static bssl::UniquePtr<SSL_SESSION> ExpectSessionRenewed(SSL_CTX *client_ctx, 2103 SSL_CTX *server_ctx, 2104 SSL_SESSION *session) { 2105 g_last_session = nullptr; 2106 SSL_CTX_sess_set_new_cb(client_ctx, SaveLastSession); 2107 2108 bssl::UniquePtr<SSL> client, server; 2109 if (!ConnectClientAndServer(&client, &server, client_ctx, 2110 server_ctx, session)) { 2111 fprintf(stderr, "Failed to connect client and server.\n"); 2112 return nullptr; 2113 } 2114 2115 if (SSL_session_reused(client.get()) != SSL_session_reused(server.get())) { 2116 fprintf(stderr, "Client and server were inconsistent.\n"); 2117 return nullptr; 2118 } 2119 2120 if (!SSL_session_reused(client.get())) { 2121 fprintf(stderr, "Session was not reused.\n"); 2122 return nullptr; 2123 } 2124 2125 // Run the read loop to account for post-handshake tickets in TLS 1.3. 2126 SSL_read(client.get(), nullptr, 0); 2127 2128 SSL_CTX_sess_set_new_cb(client_ctx, nullptr); 2129 2130 if (!g_last_session) { 2131 fprintf(stderr, "Client did not receive a renewed session.\n"); 2132 return nullptr; 2133 } 2134 return std::move(g_last_session); 2135} 2136 2137static int SwitchSessionIDContextSNI(SSL *ssl, int *out_alert, void *arg) { 2138 static const uint8_t kContext[] = {3}; 2139 2140 if (!SSL_set_session_id_context(ssl, kContext, sizeof(kContext))) { 2141 return SSL_TLSEXT_ERR_ALERT_FATAL; 2142 } 2143 2144 return SSL_TLSEXT_ERR_OK; 2145} 2146 2147static bool TestSessionIDContext(bool is_dtls, const SSL_METHOD *method, 2148 uint16_t version) { 2149 bssl::UniquePtr<X509> cert = GetTestCertificate(); 2150 bssl::UniquePtr<EVP_PKEY> key = GetTestKey(); 2151 if (!cert || !key) { 2152 return false; 2153 } 2154 2155 static const uint8_t kContext1[] = {1}; 2156 static const uint8_t kContext2[] = {2}; 2157 2158 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method)); 2159 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method)); 2160 if (!server_ctx || !client_ctx || 2161 !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) || 2162 !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()) || 2163 !SSL_CTX_set_session_id_context(server_ctx.get(), kContext1, 2164 sizeof(kContext1)) || 2165 !SSL_CTX_set_min_proto_version(client_ctx.get(), version) || 2166 !SSL_CTX_set_max_proto_version(client_ctx.get(), version) || 2167 !SSL_CTX_set_min_proto_version(server_ctx.get(), version) || 2168 !SSL_CTX_set_max_proto_version(server_ctx.get(), version)) { 2169 return false; 2170 } 2171 2172 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH); 2173 SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH); 2174 2175 bssl::UniquePtr<SSL_SESSION> session = 2176 CreateClientSession(client_ctx.get(), server_ctx.get()); 2177 if (!session) { 2178 fprintf(stderr, "Error getting session.\n"); 2179 return false; 2180 } 2181 2182 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(), 2183 true /* expect session reused */)) { 2184 fprintf(stderr, "Error resuming session.\n"); 2185 return false; 2186 } 2187 2188 // Change the session ID context. 2189 if (!SSL_CTX_set_session_id_context(server_ctx.get(), kContext2, 2190 sizeof(kContext2))) { 2191 return false; 2192 } 2193 2194 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(), 2195 false /* expect session not reused */)) { 2196 fprintf(stderr, "Error connecting with a different context.\n"); 2197 return false; 2198 } 2199 2200 // Change the session ID context back and install an SNI callback to switch 2201 // it. 2202 if (!SSL_CTX_set_session_id_context(server_ctx.get(), kContext1, 2203 sizeof(kContext1))) { 2204 return false; 2205 } 2206 2207 SSL_CTX_set_tlsext_servername_callback(server_ctx.get(), 2208 SwitchSessionIDContextSNI); 2209 2210 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(), 2211 false /* expect session not reused */)) { 2212 fprintf(stderr, "Error connecting with a context switch on SNI callback.\n"); 2213 return false; 2214 } 2215 2216 // Switch the session ID context with the early callback instead. 2217 SSL_CTX_set_tlsext_servername_callback(server_ctx.get(), nullptr); 2218 SSL_CTX_set_select_certificate_cb( 2219 server_ctx.get(), 2220 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t { 2221 static const uint8_t kContext[] = {3}; 2222 2223 if (!SSL_set_session_id_context(client_hello->ssl, kContext, 2224 sizeof(kContext))) { 2225 return ssl_select_cert_error; 2226 } 2227 2228 return ssl_select_cert_success; 2229 }); 2230 2231 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(), 2232 false /* expect session not reused */)) { 2233 fprintf(stderr, 2234 "Error connecting with a context switch on early callback.\n"); 2235 return false; 2236 } 2237 2238 return true; 2239} 2240 2241static timeval g_current_time; 2242 2243static void CurrentTimeCallback(const SSL *ssl, timeval *out_clock) { 2244 *out_clock = g_current_time; 2245} 2246 2247static void FrozenTimeCallback(const SSL *ssl, timeval *out_clock) { 2248 out_clock->tv_sec = 1000; 2249 out_clock->tv_usec = 0; 2250} 2251 2252static int RenewTicketCallback(SSL *ssl, uint8_t *key_name, uint8_t *iv, 2253 EVP_CIPHER_CTX *ctx, HMAC_CTX *hmac_ctx, 2254 int encrypt) { 2255 static const uint8_t kZeros[16] = {0}; 2256 2257 if (encrypt) { 2258 OPENSSL_memcpy(key_name, kZeros, sizeof(kZeros)); 2259 RAND_bytes(iv, 16); 2260 } else if (OPENSSL_memcmp(key_name, kZeros, 16) != 0) { 2261 return 0; 2262 } 2263 2264 if (!HMAC_Init_ex(hmac_ctx, kZeros, sizeof(kZeros), EVP_sha256(), NULL) || 2265 !EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, kZeros, iv, encrypt)) { 2266 return -1; 2267 } 2268 2269 // Returning two from the callback in decrypt mode renews the 2270 // session in TLS 1.2 and below. 2271 return encrypt ? 1 : 2; 2272} 2273 2274static bool GetServerTicketTime(long *out, const SSL_SESSION *session) { 2275 if (session->tlsext_ticklen < 16 + 16 + SHA256_DIGEST_LENGTH) { 2276 return false; 2277 } 2278 2279 const uint8_t *ciphertext = session->tlsext_tick + 16 + 16; 2280 size_t len = session->tlsext_ticklen - 16 - 16 - SHA256_DIGEST_LENGTH; 2281 std::unique_ptr<uint8_t[]> plaintext(new uint8_t[len]); 2282 2283#if defined(BORINGSSL_UNSAFE_FUZZER_MODE) 2284 // Fuzzer-mode tickets are unencrypted. 2285 OPENSSL_memcpy(plaintext.get(), ciphertext, len); 2286#else 2287 static const uint8_t kZeros[16] = {0}; 2288 const uint8_t *iv = session->tlsext_tick + 16; 2289 bssl::ScopedEVP_CIPHER_CTX ctx; 2290 int len1, len2; 2291 if (!EVP_DecryptInit_ex(ctx.get(), EVP_aes_128_cbc(), nullptr, kZeros, iv) || 2292 !EVP_DecryptUpdate(ctx.get(), plaintext.get(), &len1, ciphertext, len) || 2293 !EVP_DecryptFinal_ex(ctx.get(), plaintext.get() + len1, &len2)) { 2294 return false; 2295 } 2296 2297 len = static_cast<size_t>(len1 + len2); 2298#endif 2299 2300 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method())); 2301 if (!ssl_ctx) { 2302 return false; 2303 } 2304 bssl::UniquePtr<SSL_SESSION> server_session( 2305 SSL_SESSION_from_bytes(plaintext.get(), len, ssl_ctx.get())); 2306 if (!server_session) { 2307 return false; 2308 } 2309 2310 *out = server_session->time; 2311 return true; 2312} 2313 2314static bool TestSessionTimeout(bool is_dtls, const SSL_METHOD *method, 2315 uint16_t version) { 2316 bssl::UniquePtr<X509> cert = GetTestCertificate(); 2317 bssl::UniquePtr<EVP_PKEY> key = GetTestKey(); 2318 if (!cert || !key) { 2319 return false; 2320 } 2321 2322 for (bool server_test : std::vector<bool>{false, true}) { 2323 static const time_t kStartTime = 1000; 2324 g_current_time.tv_sec = kStartTime; 2325 2326 // We are willing to use a longer lifetime for TLS 1.3 sessions as 2327 // resumptions still perform ECDHE. 2328 const time_t timeout = version == TLS1_3_VERSION 2329 ? SSL_DEFAULT_SESSION_PSK_DHE_TIMEOUT 2330 : SSL_DEFAULT_SESSION_TIMEOUT; 2331 2332 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method)); 2333 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method)); 2334 if (!server_ctx || !client_ctx || 2335 !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) || 2336 !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()) || 2337 !SSL_CTX_set_min_proto_version(client_ctx.get(), version) || 2338 !SSL_CTX_set_max_proto_version(client_ctx.get(), version) || 2339 !SSL_CTX_set_min_proto_version(server_ctx.get(), version) || 2340 !SSL_CTX_set_max_proto_version(server_ctx.get(), version)) { 2341 return false; 2342 } 2343 2344 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH); 2345 SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH); 2346 2347 // Both client and server must enforce session timeouts. We configure the 2348 // other side with a frozen clock so it never expires tickets. 2349 if (server_test) { 2350 SSL_CTX_set_current_time_cb(client_ctx.get(), FrozenTimeCallback); 2351 SSL_CTX_set_current_time_cb(server_ctx.get(), CurrentTimeCallback); 2352 } else { 2353 SSL_CTX_set_current_time_cb(client_ctx.get(), CurrentTimeCallback); 2354 SSL_CTX_set_current_time_cb(server_ctx.get(), FrozenTimeCallback); 2355 } 2356 2357 // Configure a ticket callback which renews tickets. 2358 SSL_CTX_set_tlsext_ticket_key_cb(server_ctx.get(), RenewTicketCallback); 2359 2360 bssl::UniquePtr<SSL_SESSION> session = 2361 CreateClientSession(client_ctx.get(), server_ctx.get()); 2362 if (!session) { 2363 fprintf(stderr, "Error getting session.\n"); 2364 return false; 2365 } 2366 2367 // Advance the clock just behind the timeout. 2368 g_current_time.tv_sec += timeout - 1; 2369 2370 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(), 2371 true /* expect session reused */)) { 2372 fprintf(stderr, "Error resuming session.\n"); 2373 return false; 2374 } 2375 2376 // Advance the clock one more second. 2377 g_current_time.tv_sec++; 2378 2379 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(), 2380 false /* expect session not reused */)) { 2381 fprintf(stderr, "Error resuming session.\n"); 2382 return false; 2383 } 2384 2385 // Rewind the clock to before the session was minted. 2386 g_current_time.tv_sec = kStartTime - 1; 2387 2388 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(), 2389 false /* expect session not reused */)) { 2390 fprintf(stderr, "Error resuming session.\n"); 2391 return false; 2392 } 2393 2394 // SSL 3.0 cannot renew sessions. 2395 if (version == SSL3_VERSION) { 2396 continue; 2397 } 2398 2399 // Renew the session 10 seconds before expiration. 2400 time_t new_start_time = kStartTime + timeout - 10; 2401 g_current_time.tv_sec = new_start_time; 2402 bssl::UniquePtr<SSL_SESSION> new_session = 2403 ExpectSessionRenewed(client_ctx.get(), server_ctx.get(), session.get()); 2404 if (!new_session) { 2405 fprintf(stderr, "Error renewing session.\n"); 2406 return false; 2407 } 2408 2409 // This new session is not the same object as before. 2410 if (session.get() == new_session.get()) { 2411 fprintf(stderr, "New and old sessions alias.\n"); 2412 return false; 2413 } 2414 2415 // Check the sessions have timestamps measured from issuance. 2416 long session_time = 0; 2417 if (server_test) { 2418 if (!GetServerTicketTime(&session_time, new_session.get())) { 2419 fprintf(stderr, "Failed to decode session ticket.\n"); 2420 return false; 2421 } 2422 } else { 2423 session_time = new_session->time; 2424 } 2425 2426 if (session_time != g_current_time.tv_sec) { 2427 fprintf(stderr, "New session is not measured from issuance.\n"); 2428 return false; 2429 } 2430 2431 if (version == TLS1_3_VERSION) { 2432 // Renewal incorporates fresh key material in TLS 1.3, so we extend the 2433 // lifetime TLS 1.3. 2434 g_current_time.tv_sec = new_start_time + timeout - 1; 2435 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), 2436 new_session.get(), 2437 true /* expect session reused */)) { 2438 fprintf(stderr, "Error resuming renewed session.\n"); 2439 return false; 2440 } 2441 2442 // The new session expires after the new timeout. 2443 g_current_time.tv_sec = new_start_time + timeout + 1; 2444 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), 2445 new_session.get(), 2446 false /* expect session ot reused */)) { 2447 fprintf(stderr, "Renewed session's lifetime is too long.\n"); 2448 return false; 2449 } 2450 2451 // Renew the session until it begins just past the auth timeout. 2452 time_t auth_end_time = kStartTime + SSL_DEFAULT_SESSION_AUTH_TIMEOUT; 2453 while (new_start_time < auth_end_time - 1000) { 2454 // Get as close as possible to target start time. 2455 new_start_time = 2456 std::min(auth_end_time - 1000, new_start_time + timeout - 1); 2457 g_current_time.tv_sec = new_start_time; 2458 new_session = ExpectSessionRenewed(client_ctx.get(), server_ctx.get(), 2459 new_session.get()); 2460 if (!new_session) { 2461 fprintf(stderr, "Error renewing session.\n"); 2462 return false; 2463 } 2464 } 2465 2466 // Now the session's lifetime is bound by the auth timeout. 2467 g_current_time.tv_sec = auth_end_time - 1; 2468 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), 2469 new_session.get(), 2470 true /* expect session reused */)) { 2471 fprintf(stderr, "Error resuming renewed session.\n"); 2472 return false; 2473 } 2474 2475 g_current_time.tv_sec = auth_end_time + 1; 2476 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), 2477 new_session.get(), 2478 false /* expect session ot reused */)) { 2479 fprintf(stderr, "Renewed session's lifetime is too long.\n"); 2480 return false; 2481 } 2482 } else { 2483 // The new session is usable just before the old expiration. 2484 g_current_time.tv_sec = kStartTime + timeout - 1; 2485 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), 2486 new_session.get(), 2487 true /* expect session reused */)) { 2488 fprintf(stderr, "Error resuming renewed session.\n"); 2489 return false; 2490 } 2491 2492 // Renewal does not extend the lifetime, so it is not usable beyond the 2493 // old expiration. 2494 g_current_time.tv_sec = kStartTime + timeout + 1; 2495 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), 2496 new_session.get(), 2497 false /* expect session not reused */)) { 2498 fprintf(stderr, "Renewed session's lifetime is too long.\n"); 2499 return false; 2500 } 2501 } 2502 } 2503 2504 return true; 2505} 2506 2507static int SwitchContext(SSL *ssl, int *out_alert, void *arg) { 2508 SSL_CTX *ctx = reinterpret_cast<SSL_CTX*>(arg); 2509 SSL_set_SSL_CTX(ssl, ctx); 2510 return SSL_TLSEXT_ERR_OK; 2511} 2512 2513static bool TestSNICallback(bool is_dtls, const SSL_METHOD *method, 2514 uint16_t version) { 2515 // SSL 3.0 lacks extensions. 2516 if (version == SSL3_VERSION) { 2517 return true; 2518 } 2519 2520 bssl::UniquePtr<X509> cert = GetTestCertificate(); 2521 bssl::UniquePtr<EVP_PKEY> key = GetTestKey(); 2522 bssl::UniquePtr<X509> cert2 = GetECDSATestCertificate(); 2523 bssl::UniquePtr<EVP_PKEY> key2 = GetECDSATestKey(); 2524 if (!cert || !key || !cert2 || !key2) { 2525 return false; 2526 } 2527 2528 // Test that switching the |SSL_CTX| at the SNI callback behaves correctly. 2529 static const uint16_t kECDSAWithSHA256 = SSL_SIGN_ECDSA_SECP256R1_SHA256; 2530 2531 static const uint8_t kSCTList[] = {0, 6, 0, 4, 5, 6, 7, 8}; 2532 static const uint8_t kOCSPResponse[] = {1, 2, 3, 4}; 2533 2534 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method)); 2535 bssl::UniquePtr<SSL_CTX> server_ctx2(SSL_CTX_new(method)); 2536 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method)); 2537 if (!server_ctx || !server_ctx2 || !client_ctx || 2538 !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) || 2539 !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()) || 2540 !SSL_CTX_use_certificate(server_ctx2.get(), cert2.get()) || 2541 !SSL_CTX_use_PrivateKey(server_ctx2.get(), key2.get()) || 2542 !SSL_CTX_set_signed_cert_timestamp_list(server_ctx2.get(), kSCTList, 2543 sizeof(kSCTList)) || 2544 !SSL_CTX_set_ocsp_response(server_ctx2.get(), kOCSPResponse, 2545 sizeof(kOCSPResponse)) || 2546 // Historically signing preferences would be lost in some cases with the 2547 // SNI callback, which triggers the TLS 1.2 SHA-1 default. To ensure 2548 // this doesn't happen when |version| is TLS 1.2, configure the private 2549 // key to only sign SHA-256. 2550 !SSL_CTX_set_signing_algorithm_prefs(server_ctx2.get(), &kECDSAWithSHA256, 2551 1) || 2552 !SSL_CTX_set_min_proto_version(client_ctx.get(), version) || 2553 !SSL_CTX_set_max_proto_version(client_ctx.get(), version) || 2554 !SSL_CTX_set_min_proto_version(server_ctx.get(), version) || 2555 !SSL_CTX_set_max_proto_version(server_ctx.get(), version) || 2556 !SSL_CTX_set_min_proto_version(server_ctx2.get(), version) || 2557 !SSL_CTX_set_max_proto_version(server_ctx2.get(), version)) { 2558 return false; 2559 } 2560 2561 SSL_CTX_set_tlsext_servername_callback(server_ctx.get(), SwitchContext); 2562 SSL_CTX_set_tlsext_servername_arg(server_ctx.get(), server_ctx2.get()); 2563 2564 SSL_CTX_enable_signed_cert_timestamps(client_ctx.get()); 2565 SSL_CTX_enable_ocsp_stapling(client_ctx.get()); 2566 2567 bssl::UniquePtr<SSL> client, server; 2568 if (!ConnectClientAndServer(&client, &server, client_ctx.get(), 2569 server_ctx.get(), nullptr)) { 2570 fprintf(stderr, "Handshake failed.\n"); 2571 return false; 2572 } 2573 2574 // The client should have received |cert2|. 2575 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(client.get())); 2576 if (!peer || X509_cmp(peer.get(), cert2.get()) != 0) { 2577 fprintf(stderr, "Incorrect certificate received.\n"); 2578 return false; 2579 } 2580 2581 // The client should have received |server_ctx2|'s SCT list. 2582 const uint8_t *data; 2583 size_t len; 2584 SSL_get0_signed_cert_timestamp_list(client.get(), &data, &len); 2585 if (Bytes(kSCTList) != Bytes(data, len)) { 2586 fprintf(stderr, "Incorrect SCT list received.\n"); 2587 return false; 2588 } 2589 2590 // The client should have received |server_ctx2|'s OCSP response. 2591 SSL_get0_ocsp_response(client.get(), &data, &len); 2592 if (Bytes(kOCSPResponse) != Bytes(data, len)) { 2593 fprintf(stderr, "Incorrect OCSP response received.\n"); 2594 return false; 2595 } 2596 2597 return true; 2598} 2599 2600// Test that the early callback can swap the maximum version. 2601TEST(SSLTest, EarlyCallbackVersionSwitch) { 2602 bssl::UniquePtr<X509> cert = GetTestCertificate(); 2603 bssl::UniquePtr<EVP_PKEY> key = GetTestKey(); 2604 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method())); 2605 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method())); 2606 ASSERT_TRUE(cert); 2607 ASSERT_TRUE(key); 2608 ASSERT_TRUE(server_ctx); 2609 ASSERT_TRUE(client_ctx); 2610 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get())); 2611 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get())); 2612 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION)); 2613 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION)); 2614 2615 SSL_CTX_set_select_certificate_cb( 2616 server_ctx.get(), 2617 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t { 2618 if (!SSL_set_max_proto_version(client_hello->ssl, TLS1_2_VERSION)) { 2619 return ssl_select_cert_error; 2620 } 2621 2622 return ssl_select_cert_success; 2623 }); 2624 2625 bssl::UniquePtr<SSL> client, server; 2626 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(), 2627 server_ctx.get(), nullptr)); 2628 EXPECT_EQ(TLS1_2_VERSION, SSL_version(client.get())); 2629} 2630 2631TEST(SSLTest, SetVersion) { 2632 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method())); 2633 ASSERT_TRUE(ctx); 2634 2635 // Set valid TLS versions. 2636 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_VERSION)); 2637 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_1_VERSION)); 2638 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_VERSION)); 2639 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_1_VERSION)); 2640 2641 // Invalid TLS versions are rejected. 2642 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), DTLS1_VERSION)); 2643 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0x0200)); 2644 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0x1234)); 2645 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), DTLS1_VERSION)); 2646 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x0200)); 2647 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x1234)); 2648 2649 // Zero is the default version. 2650 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), 0)); 2651 EXPECT_EQ(TLS1_2_VERSION, ctx->max_version); 2652 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), 0)); 2653 EXPECT_EQ(SSL3_VERSION, ctx->min_version); 2654 2655 ctx.reset(SSL_CTX_new(DTLS_method())); 2656 ASSERT_TRUE(ctx); 2657 2658 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), DTLS1_VERSION)); 2659 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), DTLS1_2_VERSION)); 2660 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), DTLS1_VERSION)); 2661 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), DTLS1_2_VERSION)); 2662 2663 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_VERSION)); 2664 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0xfefe /* DTLS 1.1 */)); 2665 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0xfffe /* DTLS 0.1 */)); 2666 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0x1234)); 2667 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_VERSION)); 2668 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0xfefe /* DTLS 1.1 */)); 2669 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0xfffe /* DTLS 0.1 */)); 2670 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x1234)); 2671 2672 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), 0)); 2673 EXPECT_EQ(TLS1_2_VERSION, ctx->max_version); 2674 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), 0)); 2675 EXPECT_EQ(TLS1_1_VERSION, ctx->min_version); 2676} 2677 2678static const char *GetVersionName(uint16_t version) { 2679 switch (version) { 2680 case SSL3_VERSION: 2681 return "SSLv3"; 2682 case TLS1_VERSION: 2683 return "TLSv1"; 2684 case TLS1_1_VERSION: 2685 return "TLSv1.1"; 2686 case TLS1_2_VERSION: 2687 return "TLSv1.2"; 2688 case TLS1_3_VERSION: 2689 return "TLSv1.3"; 2690 case DTLS1_VERSION: 2691 return "DTLSv1"; 2692 case DTLS1_2_VERSION: 2693 return "DTLSv1.2"; 2694 default: 2695 return "???"; 2696 } 2697} 2698 2699static bool TestVersion(bool is_dtls, const SSL_METHOD *method, 2700 uint16_t version) { 2701 bssl::UniquePtr<X509> cert = GetTestCertificate(); 2702 bssl::UniquePtr<EVP_PKEY> key = GetTestKey(); 2703 if (!cert || !key) { 2704 return false; 2705 } 2706 2707 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method)); 2708 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method)); 2709 bssl::UniquePtr<SSL> client, server; 2710 if (!server_ctx || !client_ctx || 2711 !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) || 2712 !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()) || 2713 !SSL_CTX_set_min_proto_version(client_ctx.get(), version) || 2714 !SSL_CTX_set_max_proto_version(client_ctx.get(), version) || 2715 !SSL_CTX_set_min_proto_version(server_ctx.get(), version) || 2716 !SSL_CTX_set_max_proto_version(server_ctx.get(), version) || 2717 !ConnectClientAndServer(&client, &server, client_ctx.get(), 2718 server_ctx.get(), nullptr /* no session */)) { 2719 fprintf(stderr, "Failed to connect.\n"); 2720 return false; 2721 } 2722 2723 if (SSL_version(client.get()) != version || 2724 SSL_version(server.get()) != version) { 2725 fprintf(stderr, "Version mismatch. Got %04x and %04x, wanted %04x.\n", 2726 SSL_version(client.get()), SSL_version(server.get()), version); 2727 return false; 2728 } 2729 2730 // Test the version name is reported as expected. 2731 const char *version_name = GetVersionName(version); 2732 if (strcmp(version_name, SSL_get_version(client.get())) != 0 || 2733 strcmp(version_name, SSL_get_version(server.get())) != 0) { 2734 fprintf(stderr, "Version name mismatch. Got '%s' and '%s', wanted '%s'.\n", 2735 SSL_get_version(client.get()), SSL_get_version(server.get()), 2736 version_name); 2737 return false; 2738 } 2739 2740 // Test SSL_SESSION reports the same name. 2741 const char *client_name = 2742 SSL_SESSION_get_version(SSL_get_session(client.get())); 2743 const char *server_name = 2744 SSL_SESSION_get_version(SSL_get_session(server.get())); 2745 if (strcmp(version_name, client_name) != 0 || 2746 strcmp(version_name, server_name) != 0) { 2747 fprintf(stderr, 2748 "Session version name mismatch. Got '%s' and '%s', wanted '%s'.\n", 2749 client_name, server_name, version_name); 2750 return false; 2751 } 2752 2753 return true; 2754} 2755 2756// Tests that that |SSL_get_pending_cipher| is available during the ALPN 2757// selection callback. 2758static bool TestALPNCipherAvailable(bool is_dtls, const SSL_METHOD *method, 2759 uint16_t version) { 2760 // SSL 3.0 lacks extensions. 2761 if (version == SSL3_VERSION) { 2762 return true; 2763 } 2764 2765 static const uint8_t kALPNProtos[] = {0x03, 'f', 'o', 'o'}; 2766 2767 bssl::UniquePtr<X509> cert = GetTestCertificate(); 2768 bssl::UniquePtr<EVP_PKEY> key = GetTestKey(); 2769 if (!cert || !key) { 2770 return false; 2771 } 2772 2773 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method)); 2774 if (!ctx || !SSL_CTX_use_certificate(ctx.get(), cert.get()) || 2775 !SSL_CTX_use_PrivateKey(ctx.get(), key.get()) || 2776 !SSL_CTX_set_min_proto_version(ctx.get(), version) || 2777 !SSL_CTX_set_max_proto_version(ctx.get(), version) || 2778 SSL_CTX_set_alpn_protos(ctx.get(), kALPNProtos, sizeof(kALPNProtos)) != 2779 0) { 2780 return false; 2781 } 2782 2783 // The ALPN callback does not fail the handshake on error, so have the 2784 // callback write a boolean. 2785 std::pair<uint16_t, bool> callback_state(version, false); 2786 SSL_CTX_set_alpn_select_cb( 2787 ctx.get(), 2788 [](SSL *ssl, const uint8_t **out, uint8_t *out_len, const uint8_t *in, 2789 unsigned in_len, void *arg) -> int { 2790 auto state = reinterpret_cast<std::pair<uint16_t, bool> *>(arg); 2791 if (SSL_get_pending_cipher(ssl) != nullptr && 2792 SSL_version(ssl) == state->first) { 2793 state->second = true; 2794 } 2795 return SSL_TLSEXT_ERR_NOACK; 2796 }, 2797 &callback_state); 2798 2799 bssl::UniquePtr<SSL> client, server; 2800 if (!ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(), 2801 nullptr /* no session */)) { 2802 return false; 2803 } 2804 2805 if (!callback_state.second) { 2806 fprintf(stderr, "The pending cipher was not known in the ALPN callback.\n"); 2807 return false; 2808 } 2809 2810 return true; 2811} 2812 2813static bool TestSSLClearSessionResumption(bool is_dtls, 2814 const SSL_METHOD *method, 2815 uint16_t version) { 2816 // Skip this for TLS 1.3. TLS 1.3's ticket mechanism is incompatible with this 2817 // API pattern. 2818 if (version == TLS1_3_VERSION) { 2819 return true; 2820 } 2821 2822 bssl::UniquePtr<X509> cert = GetTestCertificate(); 2823 bssl::UniquePtr<EVP_PKEY> key = GetTestKey(); 2824 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method)); 2825 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method)); 2826 if (!cert || !key || !server_ctx || !client_ctx || 2827 !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) || 2828 !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()) || 2829 !SSL_CTX_set_min_proto_version(client_ctx.get(), version) || 2830 !SSL_CTX_set_max_proto_version(client_ctx.get(), version) || 2831 !SSL_CTX_set_min_proto_version(server_ctx.get(), version) || 2832 !SSL_CTX_set_max_proto_version(server_ctx.get(), version)) { 2833 return false; 2834 } 2835 2836 // Connect a client and a server. 2837 bssl::UniquePtr<SSL> client, server; 2838 if (!ConnectClientAndServer(&client, &server, client_ctx.get(), 2839 server_ctx.get(), nullptr /* no session */)) { 2840 return false; 2841 } 2842 2843 if (SSL_session_reused(client.get()) || 2844 SSL_session_reused(server.get())) { 2845 fprintf(stderr, "Session unexpectedly reused.\n"); 2846 return false; 2847 } 2848 2849 // Reset everything. 2850 if (!SSL_clear(client.get()) || 2851 !SSL_clear(server.get())) { 2852 fprintf(stderr, "SSL_clear failed.\n"); 2853 return false; 2854 } 2855 2856 // Attempt to connect a second time. 2857 if (!CompleteHandshakes(client.get(), server.get())) { 2858 fprintf(stderr, "Could not reuse SSL objects.\n"); 2859 return false; 2860 } 2861 2862 // |SSL_clear| should implicitly offer the previous session to the server. 2863 if (!SSL_session_reused(client.get()) || 2864 !SSL_session_reused(server.get())) { 2865 fprintf(stderr, "Session was not reused in second try.\n"); 2866 return false; 2867 } 2868 2869 return true; 2870} 2871 2872static bool ChainsEqual(STACK_OF(X509) *chain, 2873 const std::vector<X509 *> &expected) { 2874 if (sk_X509_num(chain) != expected.size()) { 2875 return false; 2876 } 2877 2878 for (size_t i = 0; i < expected.size(); i++) { 2879 if (X509_cmp(sk_X509_value(chain, i), expected[i]) != 0) { 2880 return false; 2881 } 2882 } 2883 2884 return true; 2885} 2886 2887static bool TestAutoChain(bool is_dtls, const SSL_METHOD *method, 2888 uint16_t version) { 2889 bssl::UniquePtr<X509> cert = GetChainTestCertificate(); 2890 bssl::UniquePtr<X509> intermediate = GetChainTestIntermediate(); 2891 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey(); 2892 if (!cert || !intermediate || !key) { 2893 return false; 2894 } 2895 2896 // Configure both client and server to accept any certificate. Add 2897 // |intermediate| to the cert store. 2898 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method)); 2899 if (!ctx || 2900 !SSL_CTX_use_certificate(ctx.get(), cert.get()) || 2901 !SSL_CTX_use_PrivateKey(ctx.get(), key.get()) || 2902 !SSL_CTX_set_min_proto_version(ctx.get(), version) || 2903 !SSL_CTX_set_max_proto_version(ctx.get(), version) || 2904 !X509_STORE_add_cert(SSL_CTX_get_cert_store(ctx.get()), 2905 intermediate.get())) { 2906 return false; 2907 } 2908 SSL_CTX_set_verify( 2909 ctx.get(), SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nullptr); 2910 SSL_CTX_set_cert_verify_callback(ctx.get(), VerifySucceed, NULL); 2911 2912 // By default, the client and server should each only send the leaf. 2913 bssl::UniquePtr<SSL> client, server; 2914 if (!ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(), 2915 nullptr /* no session */)) { 2916 return false; 2917 } 2918 2919 if (!ChainsEqual(SSL_get_peer_full_cert_chain(client.get()), {cert.get()})) { 2920 fprintf(stderr, "Client-received chain did not match.\n"); 2921 return false; 2922 } 2923 2924 if (!ChainsEqual(SSL_get_peer_full_cert_chain(server.get()), {cert.get()})) { 2925 fprintf(stderr, "Server-received chain did not match.\n"); 2926 return false; 2927 } 2928 2929 // If auto-chaining is enabled, then the intermediate is sent. 2930 SSL_CTX_clear_mode(ctx.get(), SSL_MODE_NO_AUTO_CHAIN); 2931 if (!ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(), 2932 nullptr /* no session */)) { 2933 return false; 2934 } 2935 2936 if (!ChainsEqual(SSL_get_peer_full_cert_chain(client.get()), 2937 {cert.get(), intermediate.get()})) { 2938 fprintf(stderr, "Client-received chain did not match (auto-chaining).\n"); 2939 return false; 2940 } 2941 2942 if (!ChainsEqual(SSL_get_peer_full_cert_chain(server.get()), 2943 {cert.get(), intermediate.get()})) { 2944 fprintf(stderr, "Server-received chain did not match (auto-chaining).\n"); 2945 return false; 2946 } 2947 2948 // Auto-chaining does not override explicitly-configured intermediates. 2949 if (!SSL_CTX_add1_chain_cert(ctx.get(), cert.get()) || 2950 !ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(), 2951 nullptr /* no session */)) { 2952 return false; 2953 } 2954 2955 if (!ChainsEqual(SSL_get_peer_full_cert_chain(client.get()), 2956 {cert.get(), cert.get()})) { 2957 fprintf(stderr, 2958 "Client-received chain did not match (auto-chaining, explicit " 2959 "intermediate).\n"); 2960 return false; 2961 } 2962 2963 if (!ChainsEqual(SSL_get_peer_full_cert_chain(server.get()), 2964 {cert.get(), cert.get()})) { 2965 fprintf(stderr, 2966 "Server-received chain did not match (auto-chaining, explicit " 2967 "intermediate).\n"); 2968 return false; 2969 } 2970 2971 return true; 2972} 2973 2974static bool ExpectBadWriteRetry() { 2975 int err = ERR_get_error(); 2976 if (ERR_GET_LIB(err) != ERR_LIB_SSL || 2977 ERR_GET_REASON(err) != SSL_R_BAD_WRITE_RETRY) { 2978 char buf[ERR_ERROR_STRING_BUF_LEN]; 2979 ERR_error_string_n(err, buf, sizeof(buf)); 2980 fprintf(stderr, "Wanted SSL_R_BAD_WRITE_RETRY, got: %s.\n", buf); 2981 return false; 2982 } 2983 2984 if (ERR_peek_error() != 0) { 2985 fprintf(stderr, "Unexpected error following SSL_R_BAD_WRITE_RETRY.\n"); 2986 return false; 2987 } 2988 2989 return true; 2990} 2991 2992static bool TestSSLWriteRetry(bool is_dtls, const SSL_METHOD *method, 2993 uint16_t version) { 2994 if (is_dtls) { 2995 return true; 2996 } 2997 2998 for (bool enable_partial_write : std::vector<bool>{false, true}) { 2999 // Connect a client and server. 3000 bssl::UniquePtr<X509> cert = GetTestCertificate(); 3001 bssl::UniquePtr<EVP_PKEY> key = GetTestKey(); 3002 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method)); 3003 bssl::UniquePtr<SSL> client, server; 3004 if (!cert || !key || !ctx || 3005 !SSL_CTX_use_certificate(ctx.get(), cert.get()) || 3006 !SSL_CTX_use_PrivateKey(ctx.get(), key.get()) || 3007 !SSL_CTX_set_min_proto_version(ctx.get(), version) || 3008 !SSL_CTX_set_max_proto_version(ctx.get(), version) || 3009 !ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(), 3010 nullptr /* no session */)) { 3011 return false; 3012 } 3013 3014 if (enable_partial_write) { 3015 SSL_set_mode(client.get(), SSL_MODE_ENABLE_PARTIAL_WRITE); 3016 } 3017 3018 // Write without reading until the buffer is full and we have an unfinished 3019 // write. Keep a count so we may reread it again later. "hello!" will be 3020 // written in two chunks, "hello" and "!". 3021 char data[] = "hello!"; 3022 static const int kChunkLen = 5; // The length of "hello". 3023 unsigned count = 0; 3024 for (;;) { 3025 int ret = SSL_write(client.get(), data, kChunkLen); 3026 if (ret <= 0) { 3027 int err = SSL_get_error(client.get(), ret); 3028 if (SSL_get_error(client.get(), ret) == SSL_ERROR_WANT_WRITE) { 3029 break; 3030 } 3031 fprintf(stderr, "SSL_write failed in unexpected way: %d\n", err); 3032 return false; 3033 } 3034 3035 if (ret != 5) { 3036 fprintf(stderr, "SSL_write wrote %d bytes, expected 5.\n", ret); 3037 return false; 3038 } 3039 3040 count++; 3041 } 3042 3043 // Retrying with the same parameters is legal. 3044 if (SSL_get_error(client.get(), SSL_write(client.get(), data, kChunkLen)) != 3045 SSL_ERROR_WANT_WRITE) { 3046 fprintf(stderr, "SSL_write retry unexpectedly failed.\n"); 3047 return false; 3048 } 3049 3050 // Retrying with the same buffer but shorter length is not legal. 3051 if (SSL_get_error(client.get(), 3052 SSL_write(client.get(), data, kChunkLen - 1)) != 3053 SSL_ERROR_SSL || 3054 !ExpectBadWriteRetry()) { 3055 fprintf(stderr, "SSL_write retry did not fail as expected.\n"); 3056 return false; 3057 } 3058 3059 // Retrying with a different buffer pointer is not legal. 3060 char data2[] = "hello"; 3061 if (SSL_get_error(client.get(), SSL_write(client.get(), data2, 3062 kChunkLen)) != SSL_ERROR_SSL || 3063 !ExpectBadWriteRetry()) { 3064 fprintf(stderr, "SSL_write retry did not fail as expected.\n"); 3065 return false; 3066 } 3067 3068 // With |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER|, the buffer may move. 3069 SSL_set_mode(client.get(), SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); 3070 if (SSL_get_error(client.get(), 3071 SSL_write(client.get(), data2, kChunkLen)) != 3072 SSL_ERROR_WANT_WRITE) { 3073 fprintf(stderr, "SSL_write retry unexpectedly failed.\n"); 3074 return false; 3075 } 3076 3077 // |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER| does not disable length checks. 3078 if (SSL_get_error(client.get(), 3079 SSL_write(client.get(), data2, kChunkLen - 1)) != 3080 SSL_ERROR_SSL || 3081 !ExpectBadWriteRetry()) { 3082 fprintf(stderr, "SSL_write retry did not fail as expected.\n"); 3083 return false; 3084 } 3085 3086 // Retrying with a larger buffer is legal. 3087 if (SSL_get_error(client.get(), 3088 SSL_write(client.get(), data, kChunkLen + 1)) != 3089 SSL_ERROR_WANT_WRITE) { 3090 fprintf(stderr, "SSL_write retry unexpectedly failed.\n"); 3091 return false; 3092 } 3093 3094 // Drain the buffer. 3095 char buf[20]; 3096 for (unsigned i = 0; i < count; i++) { 3097 if (SSL_read(server.get(), buf, sizeof(buf)) != kChunkLen || 3098 OPENSSL_memcmp(buf, "hello", kChunkLen) != 0) { 3099 fprintf(stderr, "Failed to read initial records.\n"); 3100 return false; 3101 } 3102 } 3103 3104 // Now that there is space, a retry with a larger buffer should flush the 3105 // pending record, skip over that many bytes of input (on assumption they 3106 // are the same), and write the remainder. If SSL_MODE_ENABLE_PARTIAL_WRITE 3107 // is set, this will complete in two steps. 3108 char data3[] = "_____!"; 3109 if (enable_partial_write) { 3110 if (SSL_write(client.get(), data3, kChunkLen + 1) != kChunkLen || 3111 SSL_write(client.get(), data3 + kChunkLen, 1) != 1) { 3112 fprintf(stderr, "SSL_write retry failed.\n"); 3113 return false; 3114 } 3115 } else if (SSL_write(client.get(), data3, kChunkLen + 1) != kChunkLen + 1) { 3116 fprintf(stderr, "SSL_write retry failed.\n"); 3117 return false; 3118 } 3119 3120 // Check the last write was correct. The data will be spread over two 3121 // records, so SSL_read returns twice. 3122 if (SSL_read(server.get(), buf, sizeof(buf)) != kChunkLen || 3123 OPENSSL_memcmp(buf, "hello", kChunkLen) != 0 || 3124 SSL_read(server.get(), buf, sizeof(buf)) != 1 || 3125 buf[0] != '!') { 3126 fprintf(stderr, "Failed to read write retry.\n"); 3127 return false; 3128 } 3129 } 3130 3131 return true; 3132} 3133 3134static bool ForEachVersion(bool (*test_func)(bool is_dtls, 3135 const SSL_METHOD *method, 3136 uint16_t version)) { 3137 static uint16_t kTLSVersions[] = { 3138 SSL3_VERSION, 3139 TLS1_VERSION, 3140 TLS1_1_VERSION, 3141 TLS1_2_VERSION, 3142// TLS 1.3 requires RSA-PSS, which is disabled for Android system builds. 3143#if !defined(BORINGSSL_ANDROID_SYSTEM) 3144 TLS1_3_VERSION, 3145#endif 3146 }; 3147 3148 static uint16_t kDTLSVersions[] = { 3149 DTLS1_VERSION, DTLS1_2_VERSION, 3150 }; 3151 3152 for (uint16_t version : kTLSVersions) { 3153 if (!test_func(false, TLS_method(), version)) { 3154 fprintf(stderr, "Test failed at TLS version %04x.\n", version); 3155 return false; 3156 } 3157 } 3158 3159 for (uint16_t version : kDTLSVersions) { 3160 if (!test_func(true, DTLS_method(), version)) { 3161 fprintf(stderr, "Test failed at DTLS version %04x.\n", version); 3162 return false; 3163 } 3164 } 3165 3166 return true; 3167} 3168 3169TEST(SSLTest, AddChainCertHack) { 3170 // Ensure that we don't accidently break the hack that we have in place to 3171 // keep curl and serf happy when they use an |X509| even after transfering 3172 // ownership. 3173 3174 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method())); 3175 ASSERT_TRUE(ctx); 3176 X509 *cert = GetTestCertificate().release(); 3177 ASSERT_TRUE(cert); 3178 SSL_CTX_add0_chain_cert(ctx.get(), cert); 3179 3180 // This should not trigger a use-after-free. 3181 X509_cmp(cert, cert); 3182} 3183 3184TEST(SSLTest, GetCertificate) { 3185 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method())); 3186 ASSERT_TRUE(ctx); 3187 bssl::UniquePtr<X509> cert = GetTestCertificate(); 3188 ASSERT_TRUE(cert); 3189 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), cert.get())); 3190 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get())); 3191 ASSERT_TRUE(ssl); 3192 3193 X509 *cert2 = SSL_CTX_get0_certificate(ctx.get()); 3194 ASSERT_TRUE(cert2); 3195 X509 *cert3 = SSL_get_certificate(ssl.get()); 3196 ASSERT_TRUE(cert3); 3197 3198 // The old and new certificates must be identical. 3199 EXPECT_EQ(0, X509_cmp(cert.get(), cert2)); 3200 EXPECT_EQ(0, X509_cmp(cert.get(), cert3)); 3201 3202 uint8_t *der = nullptr; 3203 long der_len = i2d_X509(cert.get(), &der); 3204 ASSERT_LT(0, der_len); 3205 bssl::UniquePtr<uint8_t> free_der(der); 3206 3207 uint8_t *der2 = nullptr; 3208 long der2_len = i2d_X509(cert2, &der2); 3209 ASSERT_LT(0, der2_len); 3210 bssl::UniquePtr<uint8_t> free_der2(der2); 3211 3212 uint8_t *der3 = nullptr; 3213 long der3_len = i2d_X509(cert3, &der3); 3214 ASSERT_LT(0, der3_len); 3215 bssl::UniquePtr<uint8_t> free_der3(der3); 3216 3217 // They must also encode identically. 3218 EXPECT_EQ(Bytes(der, der_len), Bytes(der2, der2_len)); 3219 EXPECT_EQ(Bytes(der, der_len), Bytes(der3, der3_len)); 3220} 3221 3222TEST(SSLTest, SetChainAndKeyMismatch) { 3223 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_with_buffers_method())); 3224 ASSERT_TRUE(ctx); 3225 3226 bssl::UniquePtr<EVP_PKEY> key = GetTestKey(); 3227 ASSERT_TRUE(key); 3228 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer(); 3229 ASSERT_TRUE(leaf); 3230 std::vector<CRYPTO_BUFFER*> chain = { 3231 leaf.get(), 3232 }; 3233 3234 // Should fail because |GetTestKey| doesn't match the chain-test certificate. 3235 ASSERT_FALSE(SSL_CTX_set_chain_and_key(ctx.get(), &chain[0], chain.size(), 3236 key.get(), nullptr)); 3237 ERR_clear_error(); 3238} 3239 3240TEST(SSLTest, SetChainAndKey) { 3241 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method())); 3242 ASSERT_TRUE(client_ctx); 3243 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_with_buffers_method())); 3244 ASSERT_TRUE(server_ctx); 3245 3246 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey(); 3247 ASSERT_TRUE(key); 3248 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer(); 3249 ASSERT_TRUE(leaf); 3250 bssl::UniquePtr<CRYPTO_BUFFER> intermediate = 3251 GetChainTestIntermediateBuffer(); 3252 ASSERT_TRUE(intermediate); 3253 std::vector<CRYPTO_BUFFER*> chain = { 3254 leaf.get(), intermediate.get(), 3255 }; 3256 ASSERT_TRUE(SSL_CTX_set_chain_and_key(server_ctx.get(), &chain[0], 3257 chain.size(), key.get(), nullptr)); 3258 3259 SSL_CTX_i_promise_to_verify_certs_after_the_handshake(client_ctx.get()); 3260 3261 bssl::UniquePtr<SSL> client, server; 3262 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(), 3263 server_ctx.get(), 3264 nullptr /* no session */)); 3265} 3266 3267// Configuring the empty cipher list, though an error, should still modify the 3268// configuration. 3269TEST(SSLTest, EmptyCipherList) { 3270 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method())); 3271 ASSERT_TRUE(ctx); 3272 3273 // Initially, the cipher list is not empty. 3274 EXPECT_NE(0u, sk_SSL_CIPHER_num(SSL_CTX_get_ciphers(ctx.get()))); 3275 3276 // Configuring the empty cipher list fails. 3277 EXPECT_FALSE(SSL_CTX_set_cipher_list(ctx.get(), "")); 3278 ERR_clear_error(); 3279 3280 // But the cipher list is still updated to empty. 3281 EXPECT_EQ(0u, sk_SSL_CIPHER_num(SSL_CTX_get_ciphers(ctx.get()))); 3282} 3283 3284// ssl_test_ticket_aead_failure_mode enumerates the possible ways in which the 3285// test |SSL_TICKET_AEAD_METHOD| can fail. 3286enum ssl_test_ticket_aead_failure_mode { 3287 ssl_test_ticket_aead_ok = 0, 3288 ssl_test_ticket_aead_seal_fail, 3289 ssl_test_ticket_aead_open_soft_fail, 3290 ssl_test_ticket_aead_open_hard_fail, 3291}; 3292 3293struct ssl_test_ticket_aead_state { 3294 unsigned retry_count; 3295 ssl_test_ticket_aead_failure_mode failure_mode; 3296}; 3297 3298static int ssl_test_ticket_aead_ex_index_dup(CRYPTO_EX_DATA *to, 3299 const CRYPTO_EX_DATA *from, 3300 void **from_d, int index, 3301 long argl, void *argp) { 3302 abort(); 3303} 3304 3305static void ssl_test_ticket_aead_ex_index_free(void *parent, void *ptr, 3306 CRYPTO_EX_DATA *ad, int index, 3307 long argl, void *argp) { 3308 auto state = reinterpret_cast<ssl_test_ticket_aead_state*>(ptr); 3309 if (state == nullptr) { 3310 return; 3311 } 3312 3313 OPENSSL_free(state); 3314} 3315 3316static CRYPTO_once_t g_ssl_test_ticket_aead_ex_index_once = CRYPTO_ONCE_INIT; 3317static int g_ssl_test_ticket_aead_ex_index; 3318 3319static int ssl_test_ticket_aead_get_ex_index() { 3320 CRYPTO_once(&g_ssl_test_ticket_aead_ex_index_once, [] { 3321 g_ssl_test_ticket_aead_ex_index = SSL_get_ex_new_index( 3322 0, nullptr, nullptr, ssl_test_ticket_aead_ex_index_dup, 3323 ssl_test_ticket_aead_ex_index_free); 3324 }); 3325 return g_ssl_test_ticket_aead_ex_index; 3326} 3327 3328static size_t ssl_test_ticket_aead_max_overhead(SSL *ssl) { 3329 return 1; 3330} 3331 3332static int ssl_test_ticket_aead_seal(SSL *ssl, uint8_t *out, size_t *out_len, 3333 size_t max_out_len, const uint8_t *in, 3334 size_t in_len) { 3335 auto state = reinterpret_cast<ssl_test_ticket_aead_state *>( 3336 SSL_get_ex_data(ssl, ssl_test_ticket_aead_get_ex_index())); 3337 3338 if (state->failure_mode == ssl_test_ticket_aead_seal_fail || 3339 max_out_len < in_len + 1) { 3340 return 0; 3341 } 3342 3343 OPENSSL_memmove(out, in, in_len); 3344 out[in_len] = 0xff; 3345 *out_len = in_len + 1; 3346 3347 return 1; 3348} 3349 3350static ssl_ticket_aead_result_t ssl_test_ticket_aead_open( 3351 SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out_len, 3352 const uint8_t *in, size_t in_len) { 3353 auto state = reinterpret_cast<ssl_test_ticket_aead_state *>( 3354 SSL_get_ex_data(ssl, ssl_test_ticket_aead_get_ex_index())); 3355 3356 if (state->retry_count > 0) { 3357 state->retry_count--; 3358 return ssl_ticket_aead_retry; 3359 } 3360 3361 switch (state->failure_mode) { 3362 case ssl_test_ticket_aead_ok: 3363 break; 3364 case ssl_test_ticket_aead_seal_fail: 3365 // If |seal| failed then there shouldn't be any ticket to try and 3366 // decrypt. 3367 abort(); 3368 break; 3369 case ssl_test_ticket_aead_open_soft_fail: 3370 return ssl_ticket_aead_ignore_ticket; 3371 case ssl_test_ticket_aead_open_hard_fail: 3372 return ssl_ticket_aead_error; 3373 } 3374 3375 if (in_len == 0 || in[in_len - 1] != 0xff) { 3376 return ssl_ticket_aead_ignore_ticket; 3377 } 3378 3379 if (max_out_len < in_len - 1) { 3380 return ssl_ticket_aead_error; 3381 } 3382 3383 OPENSSL_memmove(out, in, in_len - 1); 3384 *out_len = in_len - 1; 3385 return ssl_ticket_aead_success; 3386} 3387 3388static const SSL_TICKET_AEAD_METHOD kSSLTestTicketMethod = { 3389 ssl_test_ticket_aead_max_overhead, 3390 ssl_test_ticket_aead_seal, 3391 ssl_test_ticket_aead_open, 3392}; 3393 3394static void ConnectClientAndServerWithTicketMethod( 3395 bssl::UniquePtr<SSL> *out_client, bssl::UniquePtr<SSL> *out_server, 3396 SSL_CTX *client_ctx, SSL_CTX *server_ctx, unsigned retry_count, 3397 ssl_test_ticket_aead_failure_mode failure_mode, SSL_SESSION *session) { 3398 bssl::UniquePtr<SSL> client(SSL_new(client_ctx)), server(SSL_new(server_ctx)); 3399 ASSERT_TRUE(client); 3400 ASSERT_TRUE(server); 3401 SSL_set_connect_state(client.get()); 3402 SSL_set_accept_state(server.get()); 3403 3404 auto state = reinterpret_cast<ssl_test_ticket_aead_state *>( 3405 OPENSSL_malloc(sizeof(ssl_test_ticket_aead_state))); 3406 ASSERT_TRUE(state); 3407 OPENSSL_memset(state, 0, sizeof(ssl_test_ticket_aead_state)); 3408 state->retry_count = retry_count; 3409 state->failure_mode = failure_mode; 3410 3411 ASSERT_TRUE(SSL_set_ex_data(server.get(), ssl_test_ticket_aead_get_ex_index(), 3412 state)); 3413 3414 SSL_set_session(client.get(), session); 3415 3416 BIO *bio1, *bio2; 3417 ASSERT_TRUE(BIO_new_bio_pair(&bio1, 0, &bio2, 0)); 3418 3419 // SSL_set_bio takes ownership. 3420 SSL_set_bio(client.get(), bio1, bio1); 3421 SSL_set_bio(server.get(), bio2, bio2); 3422 3423 if (CompleteHandshakes(client.get(), server.get())) { 3424 *out_client = std::move(client); 3425 *out_server = std::move(server); 3426 } else { 3427 out_client->reset(); 3428 out_server->reset(); 3429 } 3430} 3431 3432class TicketAEADMethodTest 3433 : public ::testing::TestWithParam<testing::tuple< 3434 uint16_t, unsigned, ssl_test_ticket_aead_failure_mode>> {}; 3435 3436TEST_P(TicketAEADMethodTest, Resume) { 3437 bssl::UniquePtr<X509> cert = GetTestCertificate(); 3438 ASSERT_TRUE(cert); 3439 bssl::UniquePtr<EVP_PKEY> key = GetTestKey(); 3440 ASSERT_TRUE(key); 3441 3442 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method())); 3443 ASSERT_TRUE(server_ctx); 3444 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method())); 3445 ASSERT_TRUE(client_ctx); 3446 3447 const uint16_t version = testing::get<0>(GetParam()); 3448 const unsigned retry_count = testing::get<1>(GetParam()); 3449 const ssl_test_ticket_aead_failure_mode failure_mode = 3450 testing::get<2>(GetParam()); 3451 3452 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get())); 3453 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get())); 3454 ASSERT_TRUE(SSL_CTX_set_min_proto_version(client_ctx.get(), version)); 3455 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), version)); 3456 ASSERT_TRUE(SSL_CTX_set_min_proto_version(server_ctx.get(), version)); 3457 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), version)); 3458 3459 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH); 3460 SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH); 3461 SSL_CTX_set_current_time_cb(client_ctx.get(), FrozenTimeCallback); 3462 SSL_CTX_set_current_time_cb(server_ctx.get(), FrozenTimeCallback); 3463 SSL_CTX_sess_set_new_cb(client_ctx.get(), SaveLastSession); 3464 3465 SSL_CTX_set_ticket_aead_method(server_ctx.get(), &kSSLTestTicketMethod); 3466 3467 bssl::UniquePtr<SSL> client, server; 3468 ConnectClientAndServerWithTicketMethod(&client, &server, client_ctx.get(), 3469 server_ctx.get(), retry_count, 3470 failure_mode, nullptr); 3471 switch (failure_mode) { 3472 case ssl_test_ticket_aead_ok: 3473 case ssl_test_ticket_aead_open_hard_fail: 3474 case ssl_test_ticket_aead_open_soft_fail: 3475 ASSERT_TRUE(client); 3476 break; 3477 case ssl_test_ticket_aead_seal_fail: 3478 EXPECT_FALSE(client); 3479 return; 3480 } 3481 EXPECT_FALSE(SSL_session_reused(client.get())); 3482 EXPECT_FALSE(SSL_session_reused(server.get())); 3483 3484 // Run the read loop to account for post-handshake tickets in TLS 1.3. 3485 SSL_read(client.get(), nullptr, 0); 3486 3487 bssl::UniquePtr<SSL_SESSION> session = std::move(g_last_session); 3488 ConnectClientAndServerWithTicketMethod(&client, &server, client_ctx.get(), 3489 server_ctx.get(), retry_count, 3490 failure_mode, session.get()); 3491 switch (failure_mode) { 3492 case ssl_test_ticket_aead_ok: 3493 ASSERT_TRUE(client); 3494 EXPECT_TRUE(SSL_session_reused(client.get())); 3495 EXPECT_TRUE(SSL_session_reused(server.get())); 3496 break; 3497 case ssl_test_ticket_aead_seal_fail: 3498 abort(); 3499 break; 3500 case ssl_test_ticket_aead_open_hard_fail: 3501 EXPECT_FALSE(client); 3502 break; 3503 case ssl_test_ticket_aead_open_soft_fail: 3504 ASSERT_TRUE(client); 3505 EXPECT_FALSE(SSL_session_reused(client.get())); 3506 EXPECT_FALSE(SSL_session_reused(server.get())); 3507 } 3508} 3509 3510INSTANTIATE_TEST_CASE_P( 3511 TicketAEADMethodTests, TicketAEADMethodTest, 3512 testing::Combine( 3513 testing::Values(TLS1_2_VERSION, TLS1_3_VERSION), 3514 testing::Values(0, 1, 2), 3515 testing::Values(ssl_test_ticket_aead_ok, 3516 ssl_test_ticket_aead_seal_fail, 3517 ssl_test_ticket_aead_open_soft_fail, 3518 ssl_test_ticket_aead_open_hard_fail))); 3519 3520// TODO(davidben): Convert this file to GTest properly. 3521TEST(SSLTest, AllTests) { 3522 if (!TestCipherRules() || 3523 !TestCurveRules() || 3524 !TestSSL_SESSIONEncoding(kOpenSSLSession) || 3525 !TestSSL_SESSIONEncoding(kCustomSession) || 3526 !TestSSL_SESSIONEncoding(kBoringSSLSession) || 3527 !TestBadSSL_SESSIONEncoding(kBadSessionExtraField) || 3528 !TestBadSSL_SESSIONEncoding(kBadSessionVersion) || 3529 !TestBadSSL_SESSIONEncoding(kBadSessionTrailingData) || 3530 // TODO(svaldez): Update this when TLS 1.3 is enabled by default. 3531 !TestDefaultVersion(SSL3_VERSION, TLS1_2_VERSION, &TLS_method) || 3532 !TestDefaultVersion(SSL3_VERSION, SSL3_VERSION, &SSLv3_method) || 3533 !TestDefaultVersion(TLS1_VERSION, TLS1_VERSION, &TLSv1_method) || 3534 !TestDefaultVersion(TLS1_1_VERSION, TLS1_1_VERSION, &TLSv1_1_method) || 3535 !TestDefaultVersion(TLS1_2_VERSION, TLS1_2_VERSION, &TLSv1_2_method) || 3536 !TestDefaultVersion(TLS1_1_VERSION, TLS1_2_VERSION, &DTLS_method) || 3537 !TestDefaultVersion(TLS1_1_VERSION, TLS1_1_VERSION, &DTLSv1_method) || 3538 !TestDefaultVersion(TLS1_2_VERSION, TLS1_2_VERSION, &DTLSv1_2_method) || 3539 !TestCipherGetRFCName() || 3540 // Test the padding extension at TLS 1.2. 3541 !TestPaddingExtension(TLS1_2_VERSION, TLS1_2_VERSION) || 3542 // Test the padding extension at TLS 1.3 with a TLS 1.2 session, so there 3543 // will be no PSK binder after the padding extension. 3544 !TestPaddingExtension(TLS1_3_VERSION, TLS1_2_VERSION) || 3545 // Test the padding extension at TLS 1.3 with a TLS 1.3 session, so there 3546 // will be a PSK binder after the padding extension. 3547 !TestPaddingExtension(TLS1_3_VERSION, TLS1_3_DRAFT_VERSION) || 3548 !TestInternalSessionCache() || 3549 !ForEachVersion(TestSequenceNumber) || 3550 !ForEachVersion(TestOneSidedShutdown) || 3551 !ForEachVersion(TestGetPeerCertificate) || 3552 !ForEachVersion(TestRetainOnlySHA256OfCerts) || 3553 !TestClientHello() || 3554 !ForEachVersion(TestSessionIDContext) || 3555 !ForEachVersion(TestSessionTimeout) || 3556 !ForEachVersion(TestSNICallback) || 3557 !ForEachVersion(TestVersion) || 3558 !ForEachVersion(TestALPNCipherAvailable) || 3559 !ForEachVersion(TestSSLClearSessionResumption) || 3560 !ForEachVersion(TestAutoChain) || 3561 !ForEachVersion(TestSSLWriteRetry)) { 3562 ADD_FAILURE() << "Tests failed"; 3563 } 3564} 3565