1 /* Copyright (c) 2014, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15 #include <limits.h>
16 #include <stdio.h>
17 #include <string.h>
18 #include <time.h>
19
20 #include <algorithm>
21 #include <limits>
22 #include <string>
23 #include <utility>
24 #include <vector>
25
26 #include <gmock/gmock.h>
27 #include <gtest/gtest.h>
28
29 #include <openssl/aead.h>
30 #include <openssl/base64.h>
31 #include <openssl/bytestring.h>
32 #include <openssl/bio.h>
33 #include <openssl/cipher.h>
34 #include <openssl/crypto.h>
35 #include <openssl/curve25519.h>
36 #include <openssl/err.h>
37 #include <openssl/hmac.h>
38 #include <openssl/hpke.h>
39 #include <openssl/pem.h>
40 #include <openssl/sha.h>
41 #include <openssl/ssl.h>
42 #include <openssl/rand.h>
43 #include <openssl/x509.h>
44
45 #include "internal.h"
46 #include "../crypto/internal.h"
47 #include "../crypto/test/file_util.h"
48 #include "../crypto/test/test_util.h"
49
50 #if defined(OPENSSL_WINDOWS)
51 // Windows defines struct timeval in winsock2.h.
52 OPENSSL_MSVC_PRAGMA(warning(push, 3))
53 #include <winsock2.h>
54 OPENSSL_MSVC_PRAGMA(warning(pop))
55 #else
56 #include <sys/time.h>
57 #endif
58
59 #if defined(OPENSSL_THREADS)
60 #include <thread>
61 #endif
62
63
64 using testing::ElementsAre;
65 using testing::Key;
66
67 BSSL_NAMESPACE_BEGIN
68
69 namespace {
70
71 #define TRACED_CALL(code) \
72 do { \
73 SCOPED_TRACE("<- called from here"); \
74 code; \
75 if (::testing::Test::HasFatalFailure()) { \
76 return; \
77 } \
78 } while (false)
79
80 struct VersionParam {
81 uint16_t version;
82 enum { is_tls, is_dtls } ssl_method;
83 const char name[8];
84 };
85
86 static const size_t kTicketKeyLen = 48;
87
88 static const VersionParam kAllVersions[] = {
89 {TLS1_VERSION, VersionParam::is_tls, "TLS1"},
90 {TLS1_1_VERSION, VersionParam::is_tls, "TLS1_1"},
91 {TLS1_2_VERSION, VersionParam::is_tls, "TLS1_2"},
92 {TLS1_3_VERSION, VersionParam::is_tls, "TLS1_3"},
93 {DTLS1_VERSION, VersionParam::is_dtls, "DTLS1"},
94 {DTLS1_2_VERSION, VersionParam::is_dtls, "DTLS1_2"},
95 };
96
97 struct ExpectedCipher {
98 unsigned long id;
99 int in_group_flag;
100 };
101
102 struct CipherTest {
103 // The rule string to apply.
104 const char *rule;
105 // The list of expected ciphers, in order.
106 std::vector<ExpectedCipher> expected;
107 // True if this cipher list should fail in strict mode.
108 bool strict_fail;
109 };
110
111 struct CurveTest {
112 // The rule string to apply.
113 const char *rule;
114 // The list of expected curves, in order.
115 std::vector<uint16_t> expected;
116 };
117
118 template <typename T>
119 class UnownedSSLExData {
120 public:
UnownedSSLExData()121 UnownedSSLExData() {
122 index_ = SSL_get_ex_new_index(0, nullptr, nullptr, nullptr, nullptr);
123 }
124
Get(const SSL * ssl)125 T *Get(const SSL *ssl) {
126 return index_ < 0 ? nullptr
127 : static_cast<T *>(SSL_get_ex_data(ssl, index_));
128 }
129
Set(SSL * ssl,T * t)130 bool Set(SSL *ssl, T *t) {
131 return index_ >= 0 && SSL_set_ex_data(ssl, index_, t);
132 }
133
134 private:
135 int index_;
136 };
137
138 static const CipherTest kCipherTests[] = {
139 // Selecting individual ciphers should work.
140 {
141 "ECDHE-ECDSA-CHACHA20-POLY1305:"
142 "ECDHE-RSA-CHACHA20-POLY1305:"
143 "ECDHE-ECDSA-AES128-GCM-SHA256:"
144 "ECDHE-RSA-AES128-GCM-SHA256",
145 {
146 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
147 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
148 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
149 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
150 },
151 false,
152 },
153 // + reorders selected ciphers to the end, keeping their relative order.
154 {
155 "ECDHE-ECDSA-CHACHA20-POLY1305:"
156 "ECDHE-RSA-CHACHA20-POLY1305:"
157 "ECDHE-ECDSA-AES128-GCM-SHA256:"
158 "ECDHE-RSA-AES128-GCM-SHA256:"
159 "+aRSA",
160 {
161 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
162 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
163 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
164 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
165 },
166 false,
167 },
168 // ! banishes ciphers from future selections.
169 {
170 "!aRSA:"
171 "ECDHE-ECDSA-CHACHA20-POLY1305:"
172 "ECDHE-RSA-CHACHA20-POLY1305:"
173 "ECDHE-ECDSA-AES128-GCM-SHA256:"
174 "ECDHE-RSA-AES128-GCM-SHA256",
175 {
176 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
177 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
178 },
179 false,
180 },
181 // Multiple masks can be ANDed in a single rule.
182 {
183 "kRSA+AESGCM+AES128",
184 {
185 {TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0},
186 },
187 false,
188 },
189 // - removes selected ciphers, but preserves their order for future
190 // selections. Select AES_128_GCM, but order the key exchanges RSA,
191 // ECDHE_RSA.
192 {
193 "ALL:-kECDHE:"
194 "-kRSA:-ALL:"
195 "AESGCM+AES128+aRSA",
196 {
197 {TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0},
198 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
199 },
200 false,
201 },
202 // Unknown selectors are no-ops, except in strict mode.
203 {
204 "ECDHE-ECDSA-CHACHA20-POLY1305:"
205 "ECDHE-RSA-CHACHA20-POLY1305:"
206 "ECDHE-ECDSA-AES128-GCM-SHA256:"
207 "ECDHE-RSA-AES128-GCM-SHA256:"
208 "BOGUS1",
209 {
210 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
211 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
212 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
213 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
214 },
215 true,
216 },
217 // Unknown selectors are no-ops, except in strict mode.
218 {
219 "ECDHE-ECDSA-CHACHA20-POLY1305:"
220 "ECDHE-RSA-CHACHA20-POLY1305:"
221 "ECDHE-ECDSA-AES128-GCM-SHA256:"
222 "ECDHE-RSA-AES128-GCM-SHA256:"
223 "-BOGUS2:+BOGUS3:!BOGUS4",
224 {
225 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
226 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
227 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
228 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
229 },
230 true,
231 },
232 // Square brackets specify equi-preference groups.
233 {
234 "[ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES128-GCM-SHA256]:"
235 "[ECDHE-RSA-CHACHA20-POLY1305]:"
236 "ECDHE-RSA-AES128-GCM-SHA256",
237 {
238 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 1},
239 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
240 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
241 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
242 },
243 false,
244 },
245 // Standard names may be used instead of OpenSSL names.
246 {
247 "[TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|"
248 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]:"
249 "[TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256]:"
250 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
251 {
252 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 1},
253 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
254 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
255 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
256 },
257 false,
258 },
259 // @STRENGTH performs a stable strength-sort of the selected ciphers and
260 // only the selected ciphers.
261 {
262 // To simplify things, banish all but {ECDHE_RSA,RSA} x
263 // {CHACHA20,AES_256_CBC,AES_128_CBC} x SHA1.
264 "!AESGCM:!3DES:"
265 // Order some ciphers backwards by strength.
266 "ALL:-CHACHA20:-AES256:-AES128:-ALL:"
267 // Select ECDHE ones and sort them by strength. Ties should resolve
268 // based on the order above.
269 "kECDHE:@STRENGTH:-ALL:"
270 // Now bring back everything uses RSA. ECDHE_RSA should be first, sorted
271 // by strength. Then RSA, backwards by strength.
272 "aRSA",
273 {
274 {TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, 0},
275 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
276 {TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, 0},
277 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
278 {TLS1_CK_RSA_WITH_AES_256_SHA, 0},
279 },
280 false,
281 },
282 // Additional masks after @STRENGTH get silently discarded.
283 //
284 // TODO(davidben): Make this an error. If not silently discarded, they get
285 // interpreted as + opcodes which are very different.
286 {
287 "ECDHE-RSA-AES128-GCM-SHA256:"
288 "ECDHE-RSA-AES256-GCM-SHA384:"
289 "@STRENGTH+AES256",
290 {
291 {TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 0},
292 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
293 },
294 false,
295 },
296 {
297 "ECDHE-RSA-AES128-GCM-SHA256:"
298 "ECDHE-RSA-AES256-GCM-SHA384:"
299 "@STRENGTH+AES256:"
300 "ECDHE-RSA-CHACHA20-POLY1305",
301 {
302 {TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 0},
303 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
304 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
305 },
306 false,
307 },
308 // Exact ciphers may not be used in multi-part rules; they are treated
309 // as unknown aliases.
310 {
311 "ECDHE-ECDSA-AES128-GCM-SHA256:"
312 "ECDHE-RSA-AES128-GCM-SHA256:"
313 "!ECDHE-RSA-AES128-GCM-SHA256+RSA:"
314 "!ECDSA+ECDHE-ECDSA-AES128-GCM-SHA256",
315 {
316 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
317 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
318 },
319 true,
320 },
321 // SSLv3 matches everything that existed before TLS 1.2.
322 {
323 "AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256:!SSLv3",
324 {
325 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
326 },
327 false,
328 },
329 // TLSv1.2 matches everything added in TLS 1.2.
330 {
331 "AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256:!TLSv1.2",
332 {
333 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
334 },
335 false,
336 },
337 // The two directives have no intersection. But each component is valid, so
338 // even in strict mode it is accepted.
339 {
340 "AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256:!TLSv1.2+SSLv3",
341 {
342 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
343 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
344 },
345 false,
346 },
347 // Spaces, semi-colons and commas are separators.
348 {
349 "AES128-SHA: ECDHE-RSA-AES128-GCM-SHA256 AES256-SHA ,ECDHE-ECDSA-AES128-GCM-SHA256 ; AES128-GCM-SHA256",
350 {
351 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
352 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
353 {TLS1_CK_RSA_WITH_AES_256_SHA, 0},
354 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
355 {TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0},
356 },
357 // …but not in strict mode.
358 true,
359 },
360 // 3DES ciphers are disabled by default.
361 {
362 "RSA",
363 {
364 {TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0},
365 {TLS1_CK_RSA_WITH_AES_256_GCM_SHA384, 0},
366 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
367 {TLS1_CK_RSA_WITH_AES_256_SHA, 0},
368 },
369 false,
370 },
371 // But 3DES ciphers may be specified by name.
372 {
373 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
374 {
375 {SSL3_CK_RSA_DES_192_CBC3_SHA, 0},
376 },
377 false,
378 },
379 {
380 "DES-CBC3-SHA",
381 {
382 {SSL3_CK_RSA_DES_192_CBC3_SHA, 0},
383 },
384 false,
385 },
386 // Or by a selector that specifically includes deprecated ciphers.
387 {
388 "3DES",
389 {
390 {SSL3_CK_RSA_DES_192_CBC3_SHA, 0},
391 },
392 false,
393 },
394 // Such selectors may be combined with other selectors that would otherwise
395 // not allow deprecated ciphers.
396 {
397 "RSA+3DES",
398 {
399 {SSL3_CK_RSA_DES_192_CBC3_SHA, 0},
400 },
401 false,
402 },
403 // The cipher must still match all combined selectors, however. "ECDHE+3DES"
404 // matches nothing because we do not implement
405 // TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA. (The test includes
406 // TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 so the final list is not empty.)
407 {
408 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:ECDHE+3DES",
409 {
410 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
411 },
412 false,
413 },
414 // Although alises like "RSA" do not match 3DES when adding ciphers, they do
415 // match it when removing ciphers.
416 {
417 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:RSA:RSA+3DES:!RSA",
418 {
419 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
420 },
421 false,
422 },
423 // 3DES still participates in strength sorting.
424 {
425 "RSA:3DES:@STRENGTH",
426 {
427 {TLS1_CK_RSA_WITH_AES_256_GCM_SHA384, 0},
428 {TLS1_CK_RSA_WITH_AES_256_SHA, 0},
429 {TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0},
430 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
431 {SSL3_CK_RSA_DES_192_CBC3_SHA, 0},
432 },
433 false,
434 },
435 };
436
437 static const char *kBadRules[] = {
438 // Invalid brackets.
439 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256",
440 "RSA]",
441 "[[RSA]]",
442 // Operators inside brackets.
443 "[+RSA]",
444 // Unknown directive.
445 "@BOGUS",
446 // Empty cipher lists error at SSL_CTX_set_cipher_list.
447 "",
448 "BOGUS",
449 // COMPLEMENTOFDEFAULT is empty.
450 "COMPLEMENTOFDEFAULT",
451 // Invalid command.
452 "?BAR",
453 // Special operators are not allowed if equi-preference groups are used.
454 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:+FOO",
455 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:!FOO",
456 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:-FOO",
457 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:@STRENGTH",
458 // Opcode supplied, but missing selector.
459 "+",
460 // Spaces are forbidden in equal-preference groups.
461 "[AES128-SHA | AES128-SHA256]",
462 };
463
464 static const char *kMustNotIncludeDeprecated[] = {
465 "ALL",
466 "DEFAULT",
467 "HIGH",
468 "FIPS",
469 "SHA",
470 "SHA1",
471 "RSA",
472 "SSLv3",
473 "TLSv1",
474 "TLSv1.2",
475 };
476
477 static const char* kShouldIncludeCBCSHA256[] = {
478 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
479 "ALL:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
480 };
481
482 static const CurveTest kCurveTests[] = {
483 {
484 "P-256",
485 { SSL_GROUP_SECP256R1 },
486 },
487 {
488 "P-256:X25519Kyber768Draft00",
489 { SSL_GROUP_SECP256R1, SSL_GROUP_X25519_KYBER768_DRAFT00 },
490 },
491
492 {
493 "P-256:P-384:P-521:X25519",
494 {
495 SSL_GROUP_SECP256R1,
496 SSL_GROUP_SECP384R1,
497 SSL_GROUP_SECP521R1,
498 SSL_GROUP_X25519,
499 },
500 },
501 {
502 "prime256v1:secp384r1:secp521r1:x25519",
503 {
504 SSL_GROUP_SECP256R1,
505 SSL_GROUP_SECP384R1,
506 SSL_GROUP_SECP521R1,
507 SSL_GROUP_X25519,
508 },
509 },
510 };
511
512 static const char *kBadCurvesLists[] = {
513 "",
514 ":",
515 "::",
516 "P-256::X25519",
517 "RSA:P-256",
518 "P-256:RSA",
519 "X25519:P-256:",
520 ":X25519:P-256",
521 };
522
CipherListToString(SSL_CTX * ctx)523 static std::string CipherListToString(SSL_CTX *ctx) {
524 bool in_group = false;
525 std::string ret;
526 const STACK_OF(SSL_CIPHER) *ciphers = SSL_CTX_get_ciphers(ctx);
527 for (size_t i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
528 const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(ciphers, i);
529 if (!in_group && SSL_CTX_cipher_in_group(ctx, i)) {
530 ret += "\t[\n";
531 in_group = true;
532 }
533 ret += "\t";
534 if (in_group) {
535 ret += " ";
536 }
537 ret += SSL_CIPHER_get_name(cipher);
538 ret += "\n";
539 if (in_group && !SSL_CTX_cipher_in_group(ctx, i)) {
540 ret += "\t]\n";
541 in_group = false;
542 }
543 }
544 return ret;
545 }
546
CipherListsEqual(SSL_CTX * ctx,const std::vector<ExpectedCipher> & expected)547 static bool CipherListsEqual(SSL_CTX *ctx,
548 const std::vector<ExpectedCipher> &expected) {
549 const STACK_OF(SSL_CIPHER) *ciphers = SSL_CTX_get_ciphers(ctx);
550 if (sk_SSL_CIPHER_num(ciphers) != expected.size()) {
551 return false;
552 }
553
554 for (size_t i = 0; i < expected.size(); i++) {
555 const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(ciphers, i);
556 if (expected[i].id != SSL_CIPHER_get_id(cipher) ||
557 expected[i].in_group_flag != !!SSL_CTX_cipher_in_group(ctx, i)) {
558 return false;
559 }
560 }
561
562 return true;
563 }
564
TEST(GrowableArrayTest,Resize)565 TEST(GrowableArrayTest, Resize) {
566 GrowableArray<size_t> array;
567 ASSERT_TRUE(array.empty());
568 EXPECT_EQ(array.size(), 0u);
569
570 ASSERT_TRUE(array.Push(42));
571 ASSERT_TRUE(!array.empty());
572 EXPECT_EQ(array.size(), 1u);
573
574 // Force a resize operation to occur
575 for (size_t i = 0; i < 16; i++) {
576 ASSERT_TRUE(array.Push(i + 1));
577 }
578
579 EXPECT_EQ(array.size(), 17u);
580
581 // Verify that expected values are still contained in array
582 for (size_t i = 0; i < array.size(); i++) {
583 EXPECT_EQ(array[i], i == 0 ? 42 : i);
584 }
585 }
586
TEST(GrowableArrayTest,MoveConstructor)587 TEST(GrowableArrayTest, MoveConstructor) {
588 GrowableArray<size_t> array;
589 for (size_t i = 0; i < 100; i++) {
590 ASSERT_TRUE(array.Push(i));
591 }
592
593 GrowableArray<size_t> array_moved(std::move(array));
594 for (size_t i = 0; i < 100; i++) {
595 EXPECT_EQ(array_moved[i], i);
596 }
597 }
598
TEST(GrowableArrayTest,GrowableArrayContainingGrowableArrays)599 TEST(GrowableArrayTest, GrowableArrayContainingGrowableArrays) {
600 // Representative example of a struct that contains a GrowableArray.
601 struct TagAndArray {
602 size_t tag;
603 GrowableArray<size_t> array;
604 };
605
606 GrowableArray<TagAndArray> array;
607 for (size_t i = 0; i < 100; i++) {
608 TagAndArray elem;
609 elem.tag = i;
610 for (size_t j = 0; j < i; j++) {
611 ASSERT_TRUE(elem.array.Push(j));
612 }
613 ASSERT_TRUE(array.Push(std::move(elem)));
614 }
615 EXPECT_EQ(array.size(), static_cast<size_t>(100));
616
617 GrowableArray<TagAndArray> array_moved(std::move(array));
618 EXPECT_EQ(array_moved.size(), static_cast<size_t>(100));
619 size_t count = 0;
620 for (const TagAndArray &elem : array_moved) {
621 // Test the square bracket operator returns the same value as iteration.
622 EXPECT_EQ(&elem, &array_moved[count]);
623
624 EXPECT_EQ(elem.tag, count);
625 EXPECT_EQ(elem.array.size(), count);
626 for (size_t j = 0; j < count; j++) {
627 EXPECT_EQ(elem.array[j], j);
628 }
629 count++;
630 }
631 }
632
TEST(SSLTest,CipherRules)633 TEST(SSLTest, CipherRules) {
634 for (const CipherTest &t : kCipherTests) {
635 SCOPED_TRACE(t.rule);
636 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
637 ASSERT_TRUE(ctx);
638
639 // Test lax mode.
640 ASSERT_TRUE(SSL_CTX_set_cipher_list(ctx.get(), t.rule));
641 EXPECT_TRUE(CipherListsEqual(ctx.get(), t.expected))
642 << "Cipher rule evaluated to:\n"
643 << CipherListToString(ctx.get());
644
645 // Test strict mode.
646 if (t.strict_fail) {
647 EXPECT_FALSE(SSL_CTX_set_strict_cipher_list(ctx.get(), t.rule));
648 } else {
649 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(ctx.get(), t.rule));
650 EXPECT_TRUE(CipherListsEqual(ctx.get(), t.expected))
651 << "Cipher rule evaluated to:\n"
652 << CipherListToString(ctx.get());
653 }
654 }
655
656 for (const char *rule : kBadRules) {
657 SCOPED_TRACE(rule);
658 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
659 ASSERT_TRUE(ctx);
660
661 EXPECT_FALSE(SSL_CTX_set_cipher_list(ctx.get(), rule));
662 ERR_clear_error();
663 }
664
665 for (const char *rule : kMustNotIncludeDeprecated) {
666 SCOPED_TRACE(rule);
667 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
668 ASSERT_TRUE(ctx);
669
670 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(ctx.get(), rule));
671 for (const SSL_CIPHER *cipher : SSL_CTX_get_ciphers(ctx.get())) {
672 EXPECT_NE(NID_undef, SSL_CIPHER_get_cipher_nid(cipher));
673 EXPECT_FALSE(ssl_cipher_is_deprecated(cipher));
674 }
675 }
676
677 {
678 for (const char *rule : kShouldIncludeCBCSHA256) {
679 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
680 ASSERT_TRUE(ctx);
681 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(ctx.get(), rule));
682
683 bool found = false;
684 for (const SSL_CIPHER *cipher : SSL_CTX_get_ciphers(ctx.get())) {
685 if ((TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA256 & 0xffff) ==
686 SSL_CIPHER_get_protocol_id(cipher)) {
687 found = true;
688 break;
689 }
690 }
691 EXPECT_TRUE(found);
692 }
693 }
694 }
695
TEST(SSLTest,CurveRules)696 TEST(SSLTest, CurveRules) {
697 for (const CurveTest &t : kCurveTests) {
698 SCOPED_TRACE(t.rule);
699 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
700 ASSERT_TRUE(ctx);
701
702 ASSERT_TRUE(SSL_CTX_set1_groups_list(ctx.get(), t.rule));
703 ASSERT_EQ(t.expected.size(), ctx->supported_group_list.size());
704 for (size_t i = 0; i < t.expected.size(); i++) {
705 EXPECT_EQ(t.expected[i], ctx->supported_group_list[i]);
706 }
707 }
708
709 for (const char *rule : kBadCurvesLists) {
710 SCOPED_TRACE(rule);
711 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
712 ASSERT_TRUE(ctx);
713
714 EXPECT_FALSE(SSL_CTX_set1_groups_list(ctx.get(), rule));
715 ERR_clear_error();
716 }
717 }
718
719 // kOpenSSLSession is a serialized SSL_SESSION.
720 static const char kOpenSSLSession[] =
721 "MIIFqgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
722 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
723 "IWoJoQYCBFRDO46iBAICASyjggR6MIIEdjCCA16gAwIBAgIIK9dUvsPWSlUwDQYJ"
724 "KoZIhvcNAQEFBQAwSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMx"
725 "JTAjBgNVBAMTHEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTQxMDA4"
726 "MTIwNzU3WhcNMTUwMTA2MDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwK"
727 "Q2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29v"
728 "Z2xlIEluYzEXMBUGA1UEAwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEB"
729 "AQUAA4IBDwAwggEKAoIBAQCcKeLrplAC+Lofy8t/wDwtB6eu72CVp0cJ4V3lknN6"
730 "huH9ct6FFk70oRIh/VBNBBz900jYy+7111Jm1b8iqOTQ9aT5C7SEhNcQFJvqzH3e"
731 "MPkb6ZSWGm1yGF7MCQTGQXF20Sk/O16FSjAynU/b3oJmOctcycWYkY0ytS/k3LBu"
732 "Id45PJaoMqjB0WypqvNeJHC3q5JjCB4RP7Nfx5jjHSrCMhw8lUMW4EaDxjaR9KDh"
733 "PLgjsk+LDIySRSRDaCQGhEOWLJZVLzLo4N6/UlctCHEllpBUSvEOyFga52qroGjg"
734 "rf3WOQ925MFwzd6AK+Ich0gDRg8sQfdLH5OuP1cfLfU1AgMBAAGjggFBMIIBPTAd"
735 "BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdv"
736 "b2dsZS5jb20waAYIKwYBBQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtp"
737 "Lmdvb2dsZS5jb20vR0lBRzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50"
738 "czEuZ29vZ2xlLmNvbS9vY3NwMB0GA1UdDgQWBBQ7a+CcxsZByOpc+xpYFcIbnUMZ"
739 "hTAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEv"
740 "MBcGA1UdIAQQMA4wDAYKKwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRw"
741 "Oi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQCa"
742 "OXCBdoqUy5bxyq+Wrh1zsyyCFim1PH5VU2+yvDSWrgDY8ibRGJmfff3r4Lud5kal"
743 "dKs9k8YlKD3ITG7P0YT/Rk8hLgfEuLcq5cc0xqmE42xJ+Eo2uzq9rYorc5emMCxf"
744 "5L0TJOXZqHQpOEcuptZQ4OjdYMfSxk5UzueUhA3ogZKRcRkdB3WeWRp+nYRhx4St"
745 "o2rt2A0MKmY9165GHUqMK9YaaXHDXqBu7Sefr1uSoAP9gyIJKeihMivsGqJ1TD6Z"
746 "cc6LMe+dN2P8cZEQHtD1y296ul4Mivqk3jatUVL8/hCwgch9A8O4PGZq9WqBfEWm"
747 "IyHh1dPtbg1lOXdYCWtjpAIEAKUDAgEUqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36S"
748 "YTcLEkXqKwOBfF9vE4KX0NxeLwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9B"
749 "sNHM362zZnY27GpTw+Kwd751CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yE"
750 "OTDKPNj3+inbMaVigtK4PLyPq+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdA"
751 "i4gv7Y5oliyntgMBAQA=";
752
753 // kCustomSession is a custom serialized SSL_SESSION generated by
754 // filling in missing fields from |kOpenSSLSession|. This includes
755 // providing |peer_sha256|, so |peer| is not serialized.
756 static const char kCustomSession[] =
757 "MIIBZAIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
758 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
759 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUqAcEBXdvcmxkqQUCAwGJwKqBpwSB"
760 "pBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0NxeLwjcDTpsuh3qXEaZ992r1N38"
761 "VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751CLoXFPoaMOe57dbBpXoro6Pd"
762 "3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyPq+Topyzvx9USFgRvyuoxn0Hg"
763 "b+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYGBgYGBgYGBgYGBgYGBgYGBgYG"
764 "BgYGBgYGBgYGrgMEAQevAwQBBLADBAEF";
765
766 // kBoringSSLSession is a serialized SSL_SESSION generated from bssl client.
767 static const char kBoringSSLSession[] =
768 "MIIRwQIBAQICAwMEAsAvBCDdoGxGK26mR+8lM0uq6+k9xYuxPnwAjpcF9n0Yli9R"
769 "kQQwbyshfWhdi5XQ1++7n2L1qqrcVlmHBPpr6yknT/u4pUrpQB5FZ7vqvNn8MdHf"
770 "9rWgoQYCBFXgs7uiBAICHCCjggR6MIIEdjCCA16gAwIBAgIIf+yfD7Y6UicwDQYJ"
771 "KoZIhvcNAQELBQAwSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMx"
772 "JTAjBgNVBAMTHEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTUwODEy"
773 "MTQ1MzE1WhcNMTUxMTEwMDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwK"
774 "Q2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29v"
775 "Z2xlIEluYzEXMBUGA1UEAwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEB"
776 "AQUAA4IBDwAwggEKAoIBAQC0MeG5YGQ0t+IeJeoneP/PrhEaieibeKYkbKVLNZpo"
777 "PLuBinvhkXZo3DC133NpCBpy6ZktBwamqyixAyuk/NU6OjgXqwwxfQ7di1AInLIU"
778 "792c7hFyNXSUCG7At8Ifi3YwBX9Ba6u/1d6rWTGZJrdCq3QU11RkKYyTq2KT5mce"
779 "Tv9iGKqSkSTlp8puy/9SZ/3DbU3U+BuqCFqeSlz7zjwFmk35acdCilpJlVDDN5C/"
780 "RCh8/UKc8PaL+cxlt531qoTENvYrflBno14YEZlCBZsPiFeUSILpKEj3Ccwhy0eL"
781 "EucWQ72YZU8mUzXBoXGn0zA0crFl5ci/2sTBBGZsylNBAgMBAAGjggFBMIIBPTAd"
782 "BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdv"
783 "b2dsZS5jb20waAYIKwYBBQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtp"
784 "Lmdvb2dsZS5jb20vR0lBRzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50"
785 "czEuZ29vZ2xlLmNvbS9vY3NwMB0GA1UdDgQWBBS/bzHxcE73Q4j3slC4BLbMtLjG"
786 "GjAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEv"
787 "MBcGA1UdIAQQMA4wDAYKKwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRw"
788 "Oi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQAb"
789 "qdWPZEHk0X7iKPCTHL6S3w6q1eR67goxZGFSM1lk1hjwyu7XcLJuvALVV9uY3ovE"
790 "kQZSHwT+pyOPWQhsSjO+1GyjvCvK/CAwiUmBX+bQRGaqHsRcio7xSbdVcajQ3bXd"
791 "X+s0WdbOpn6MStKAiBVloPlSxEI8pxY6x/BBCnTIk/+DMB17uZlOjG3vbAnkDkP+"
792 "n0OTucD9sHV7EVj9XUxi51nOfNBCN/s7lpUjDS/NJ4k3iwOtbCPswiot8vLO779a"
793 "f07vR03r349Iz/KTzk95rlFtX0IU+KYNxFNsanIXZ+C9FYGRXkwhHcvFb4qMUB1y"
794 "TTlM80jBMOwyjZXmjRAhpAIEAKUDAgEUqQUCAwGJwKqBpwSBpOgebbmn9NRUtMWH"
795 "+eJpqA5JLMFSMCChOsvKey3toBaCNGU7HfAEiiXNuuAdCBoK262BjQc2YYfqFzqH"
796 "zuppopXCvhohx7j/tnCNZIMgLYt/O9SXK2RYI5z8FhCCHvB4CbD5G0LGl5EFP27s"
797 "Jb6S3aTTYPkQe8yZSlxevg6NDwmTogLO9F7UUkaYmVcMQhzssEE2ZRYNwSOU6KjE"
798 "0Yj+8fAiBtbQriIEIN2L8ZlpaVrdN5KFNdvcmOxJu81P8q53X55xQyGTnGWwsgMC"
799 "ARezggvvMIIEdjCCA16gAwIBAgIIf+yfD7Y6UicwDQYJKoZIhvcNAQELBQAwSTEL"
800 "MAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2ds"
801 "ZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTUwODEyMTQ1MzE1WhcNMTUxMTEw"
802 "MDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQG"
803 "A1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UE"
804 "AwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB"
805 "AQC0MeG5YGQ0t+IeJeoneP/PrhEaieibeKYkbKVLNZpoPLuBinvhkXZo3DC133Np"
806 "CBpy6ZktBwamqyixAyuk/NU6OjgXqwwxfQ7di1AInLIU792c7hFyNXSUCG7At8If"
807 "i3YwBX9Ba6u/1d6rWTGZJrdCq3QU11RkKYyTq2KT5mceTv9iGKqSkSTlp8puy/9S"
808 "Z/3DbU3U+BuqCFqeSlz7zjwFmk35acdCilpJlVDDN5C/RCh8/UKc8PaL+cxlt531"
809 "qoTENvYrflBno14YEZlCBZsPiFeUSILpKEj3Ccwhy0eLEucWQ72YZU8mUzXBoXGn"
810 "0zA0crFl5ci/2sTBBGZsylNBAgMBAAGjggFBMIIBPTAdBgNVHSUEFjAUBggrBgEF"
811 "BQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYB"
812 "BQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lB"
813 "RzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9v"
814 "Y3NwMB0GA1UdDgQWBBS/bzHxcE73Q4j3slC4BLbMtLjGGjAMBgNVHRMBAf8EAjAA"
815 "MB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMBcGA1UdIAQQMA4wDAYK"
816 "KwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRwOi8vcGtpLmdvb2dsZS5j"
817 "b20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQAbqdWPZEHk0X7iKPCTHL6S"
818 "3w6q1eR67goxZGFSM1lk1hjwyu7XcLJuvALVV9uY3ovEkQZSHwT+pyOPWQhsSjO+"
819 "1GyjvCvK/CAwiUmBX+bQRGaqHsRcio7xSbdVcajQ3bXdX+s0WdbOpn6MStKAiBVl"
820 "oPlSxEI8pxY6x/BBCnTIk/+DMB17uZlOjG3vbAnkDkP+n0OTucD9sHV7EVj9XUxi"
821 "51nOfNBCN/s7lpUjDS/NJ4k3iwOtbCPswiot8vLO779af07vR03r349Iz/KTzk95"
822 "rlFtX0IU+KYNxFNsanIXZ+C9FYGRXkwhHcvFb4qMUB1yTTlM80jBMOwyjZXmjRAh"
823 "MIID8DCCAtigAwIBAgIDAjqDMA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT"
824 "MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i"
825 "YWwgQ0EwHhcNMTMwNDA1MTUxNTU2WhcNMTYxMjMxMjM1OTU5WjBJMQswCQYDVQQG"
826 "EwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVy"
827 "bmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB"
828 "AJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NP"
829 "VaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtv"
830 "h8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rE"
831 "ahqyzFPdFUuLH8gZYR/Nnag+YyuENWllhMgZxUYi+FOVvuOAShDGKuy6lyARxzmZ"
832 "EASg8GF6lSWMTlJ14rbtCMoU/M4iarNOz0YDl5cDfsCx3nuvRTPPuj5xt970JSXC"
833 "DTWJnZ37DhF5iR43xa+OcmkCAwEAAaOB5zCB5DAfBgNVHSMEGDAWgBTAephojYn7"
834 "qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1dvWBtrtiGrpagS8wDgYD"
835 "VR0PAQH/BAQDAgEGMC4GCCsGAQUFBwEBBCIwIDAeBggrBgEFBQcwAYYSaHR0cDov"
836 "L2cuc3ltY2QuY29tMBIGA1UdEwEB/wQIMAYBAf8CAQAwNQYDVR0fBC4wLDAqoCig"
837 "JoYkaHR0cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9iYWwuY3JsMBcGA1UdIAQQ"
838 "MA4wDAYKKwYBBAHWeQIFATANBgkqhkiG9w0BAQsFAAOCAQEAqvqpIM1qZ4PtXtR+"
839 "3h3Ef+AlBgDFJPupyC1tft6dgmUsgWM0Zj7pUsIItMsv91+ZOmqcUHqFBYx90SpI"
840 "hNMJbHzCzTWf84LuUt5oX+QAihcglvcpjZpNy6jehsgNb1aHA30DP9z6eX0hGfnI"
841 "Oi9RdozHQZJxjyXON/hKTAAj78Q1EK7gI4BzfE00LshukNYQHpmEcxpw8u1VDu4X"
842 "Bupn7jLrLN1nBz/2i8Jw3lsA5rsb0zYaImxssDVCbJAJPZPpZAkiDoUGn8JzIdPm"
843 "X4DkjYUiOnMDsWCOrmji9D6X52ASCWg23jrW4kOVWzeBkoEfu43XrVJkFleW2V40"
844 "fsg12DCCA30wggLmoAMCAQICAxK75jANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQG"
845 "EwJVUzEQMA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUg"
846 "Q2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTAyMDUyMTA0MDAwMFoXDTE4MDgyMTA0"
847 "MDAwMFowQjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUdlb1RydXN0IEluYy4xGzAZ"
848 "BgNVBAMTEkdlb1RydXN0IEdsb2JhbCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP"
849 "ADCCAQoCggEBANrMGGMw/fQXIxpWflvfPGw45HG3eJHUvKHYTPioQ7YD6U0hBwiI"
850 "2lgvZjkpvQV4i5046AW3an5xpObEYKaw74DkiSgPniXW7YPzraaRx5jJQhg1FJ2t"
851 "mEaSLk/K8YdDwRaVVy1Q74ktgHpXrfLuX2vSAI25FPgUFTXZwEaje3LIkb/JVSvN"
852 "0Jc+nCZkzN/Ogxlxyk7m1NV7qRnNVd7I7NJeOFPlXE+MLf5QIzb8ZubLjqQ5GQC3"
853 "lQI5kQsO/jgu0R0FmvZNPm8PBx2vLB6PYDni+jZTEznUXiYr2z2oFL0y6xgDKFIE"
854 "ceWrMz3hOLsHNoRinHnqFjD0X8Ar6HFr5PkCAwEAAaOB8DCB7TAfBgNVHSMEGDAW"
855 "gBRI5mj5K9KylddH2CMgEE8zmJCf1DAdBgNVHQ4EFgQUwHqYaI2J+6sFZAwRfap9"
856 "ZbjKzE4wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwOgYDVR0fBDMw"
857 "MTAvoC2gK4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20vY3Jscy9zZWN1cmVjYS5j"
858 "cmwwTgYDVR0gBEcwRTBDBgRVHSAAMDswOQYIKwYBBQUHAgEWLWh0dHBzOi8vd3d3"
859 "Lmdlb3RydXN0LmNvbS9yZXNvdXJjZXMvcmVwb3NpdG9yeTANBgkqhkiG9w0BAQUF"
860 "AAOBgQB24RJuTksWEoYwBrKBCM/wCMfHcX5m7sLt1Dsf//DwyE7WQziwuTB9GNBV"
861 "g6JqyzYRnOhIZqNtf7gT1Ef+i1pcc/yu2RsyGTirlzQUqpbS66McFAhJtrvlke+D"
862 "NusdVm/K2rxzY5Dkf3s+Iss9B+1fOHSc4wNQTqGvmO5h8oQ/Eg==";
863
864 // kBadSessionExtraField is a custom serialized SSL_SESSION generated by replacing
865 // the final (optional) element of |kCustomSession| with tag number 99.
866 static const char kBadSessionExtraField[] =
867 "MIIBdgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
868 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
869 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
870 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
871 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
872 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
873 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
874 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBOMDBAEF";
875
876 // kBadSessionVersion is a custom serialized SSL_SESSION generated by replacing
877 // the version of |kCustomSession| with 2.
878 static const char kBadSessionVersion[] =
879 "MIIBdgIBAgICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
880 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
881 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
882 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
883 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
884 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
885 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
886 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBLADBAEF";
887
888 // kBadSessionTrailingData is a custom serialized SSL_SESSION with trailing data
889 // appended.
890 static const char kBadSessionTrailingData[] =
891 "MIIBdgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
892 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
893 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
894 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
895 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
896 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
897 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
898 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBLADBAEFAAAA";
899
DecodeBase64(std::vector<uint8_t> * out,const char * in)900 static bool DecodeBase64(std::vector<uint8_t> *out, const char *in) {
901 size_t len;
902 if (!EVP_DecodedLength(&len, strlen(in))) {
903 fprintf(stderr, "EVP_DecodedLength failed\n");
904 return false;
905 }
906
907 out->resize(len);
908 if (!EVP_DecodeBase64(out->data(), &len, len, (const uint8_t *)in,
909 strlen(in))) {
910 fprintf(stderr, "EVP_DecodeBase64 failed\n");
911 return false;
912 }
913 out->resize(len);
914 return true;
915 }
916
DecodeLowerHex(std::vector<uint8_t> * out,bssl::Span<const char> in)917 static bool DecodeLowerHex(std::vector<uint8_t> *out,
918 bssl::Span<const char> in) {
919 if (in.size() % 2 != 0) {
920 return false;
921 }
922 out->resize(in.size() / 2);
923 for (size_t i = 0; i < out->size(); i++) {
924 char hi = in[2 * i], lo = in[2 * i + 1];
925 uint8_t b = 0;
926 if ('0' <= hi && hi <= '9') {
927 b |= hi - '0';
928 } else if ('a' <= hi && hi <= 'f') {
929 b |= hi - 'a' + 10;
930 } else {
931 return false;
932 }
933 b <<= 4;
934 if ('0' <= lo && lo <= '9') {
935 b |= lo - '0';
936 } else if ('a' <= lo && lo <= 'f') {
937 b |= lo - 'a' + 10;
938 } else {
939 return false;
940 }
941 (*out)[i] = b;
942 }
943 return true;
944 }
945
TEST(SSLTest,SessionEncoding)946 TEST(SSLTest, SessionEncoding) {
947 for (const char *input_b64 : {
948 kOpenSSLSession,
949 kCustomSession,
950 kBoringSSLSession,
951 }) {
952 SCOPED_TRACE(std::string(input_b64));
953 // Decode the input.
954 std::vector<uint8_t> input;
955 ASSERT_TRUE(DecodeBase64(&input, input_b64));
956
957 // Verify the SSL_SESSION decodes.
958 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
959 ASSERT_TRUE(ssl_ctx);
960 bssl::UniquePtr<SSL_SESSION> session(
961 SSL_SESSION_from_bytes(input.data(), input.size(), ssl_ctx.get()));
962 ASSERT_TRUE(session) << "SSL_SESSION_from_bytes failed";
963
964 // Verify the SSL_SESSION encoding round-trips.
965 size_t encoded_len;
966 bssl::UniquePtr<uint8_t> encoded;
967 uint8_t *encoded_raw;
968 ASSERT_TRUE(SSL_SESSION_to_bytes(session.get(), &encoded_raw, &encoded_len))
969 << "SSL_SESSION_to_bytes failed";
970 encoded.reset(encoded_raw);
971 EXPECT_EQ(Bytes(encoded.get(), encoded_len), Bytes(input))
972 << "SSL_SESSION_to_bytes did not round-trip";
973
974 // Verify the SSL_SESSION also decodes with the legacy API.
975 const uint8_t *cptr = input.data();
976 session.reset(d2i_SSL_SESSION(NULL, &cptr, input.size()));
977 ASSERT_TRUE(session) << "d2i_SSL_SESSION failed";
978 EXPECT_EQ(cptr, input.data() + input.size());
979
980 // Verify the SSL_SESSION encoding round-trips via the legacy API.
981 int len = i2d_SSL_SESSION(session.get(), NULL);
982 ASSERT_GT(len, 0) << "i2d_SSL_SESSION failed";
983 ASSERT_EQ(static_cast<size_t>(len), input.size())
984 << "i2d_SSL_SESSION(NULL) returned invalid length";
985
986 encoded.reset((uint8_t *)OPENSSL_malloc(input.size()));
987 ASSERT_TRUE(encoded);
988
989 uint8_t *ptr = encoded.get();
990 len = i2d_SSL_SESSION(session.get(), &ptr);
991 ASSERT_GT(len, 0) << "i2d_SSL_SESSION failed";
992 ASSERT_EQ(static_cast<size_t>(len), input.size())
993 << "i2d_SSL_SESSION(NULL) returned invalid length";
994 ASSERT_EQ(ptr, encoded.get() + input.size())
995 << "i2d_SSL_SESSION did not advance ptr correctly";
996 EXPECT_EQ(Bytes(encoded.get(), encoded_len), Bytes(input))
997 << "SSL_SESSION_to_bytes did not round-trip";
998 }
999
1000 for (const char *input_b64 : {
1001 kBadSessionExtraField,
1002 kBadSessionVersion,
1003 kBadSessionTrailingData,
1004 }) {
1005 SCOPED_TRACE(std::string(input_b64));
1006 std::vector<uint8_t> input;
1007 ASSERT_TRUE(DecodeBase64(&input, input_b64));
1008
1009 // Verify that the SSL_SESSION fails to decode.
1010 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
1011 ASSERT_TRUE(ssl_ctx);
1012 bssl::UniquePtr<SSL_SESSION> session(
1013 SSL_SESSION_from_bytes(input.data(), input.size(), ssl_ctx.get()));
1014 EXPECT_FALSE(session) << "SSL_SESSION_from_bytes unexpectedly succeeded";
1015 ERR_clear_error();
1016 }
1017 }
1018
ExpectDefaultVersion(uint16_t min_version,uint16_t max_version,const SSL_METHOD * (* method)(void))1019 static void ExpectDefaultVersion(uint16_t min_version, uint16_t max_version,
1020 const SSL_METHOD *(*method)(void)) {
1021 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method()));
1022 ASSERT_TRUE(ctx);
1023 EXPECT_EQ(min_version, SSL_CTX_get_min_proto_version(ctx.get()));
1024 EXPECT_EQ(max_version, SSL_CTX_get_max_proto_version(ctx.get()));
1025 }
1026
TEST(SSLTest,DefaultVersion)1027 TEST(SSLTest, DefaultVersion) {
1028 ExpectDefaultVersion(TLS1_2_VERSION, TLS1_3_VERSION, &TLS_method);
1029 ExpectDefaultVersion(TLS1_VERSION, TLS1_VERSION, &TLSv1_method);
1030 ExpectDefaultVersion(TLS1_1_VERSION, TLS1_1_VERSION, &TLSv1_1_method);
1031 ExpectDefaultVersion(TLS1_2_VERSION, TLS1_2_VERSION, &TLSv1_2_method);
1032 ExpectDefaultVersion(DTLS1_2_VERSION, DTLS1_2_VERSION, &DTLS_method);
1033 ExpectDefaultVersion(DTLS1_VERSION, DTLS1_VERSION, &DTLSv1_method);
1034 ExpectDefaultVersion(DTLS1_2_VERSION, DTLS1_2_VERSION, &DTLSv1_2_method);
1035 }
1036
TEST(SSLTest,CipherProperties)1037 TEST(SSLTest, CipherProperties) {
1038 static const struct {
1039 int id;
1040 const char *standard_name;
1041 int cipher_nid;
1042 int digest_nid;
1043 int kx_nid;
1044 int auth_nid;
1045 int prf_nid;
1046 } kTests[] = {
1047 {
1048 SSL3_CK_RSA_DES_192_CBC3_SHA,
1049 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
1050 NID_des_ede3_cbc,
1051 NID_sha1,
1052 NID_kx_rsa,
1053 NID_auth_rsa,
1054 NID_md5_sha1,
1055 },
1056 {
1057 TLS1_CK_RSA_WITH_AES_128_SHA,
1058 "TLS_RSA_WITH_AES_128_CBC_SHA",
1059 NID_aes_128_cbc,
1060 NID_sha1,
1061 NID_kx_rsa,
1062 NID_auth_rsa,
1063 NID_md5_sha1,
1064 },
1065 {
1066 TLS1_CK_PSK_WITH_AES_256_CBC_SHA,
1067 "TLS_PSK_WITH_AES_256_CBC_SHA",
1068 NID_aes_256_cbc,
1069 NID_sha1,
1070 NID_kx_psk,
1071 NID_auth_psk,
1072 NID_md5_sha1,
1073 },
1074 {
1075 TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
1076 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
1077 NID_aes_128_cbc,
1078 NID_sha1,
1079 NID_kx_ecdhe,
1080 NID_auth_rsa,
1081 NID_md5_sha1,
1082 },
1083 {
1084 TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
1085 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
1086 NID_aes_256_cbc,
1087 NID_sha1,
1088 NID_kx_ecdhe,
1089 NID_auth_rsa,
1090 NID_md5_sha1,
1091 },
1092 {
1093 TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1094 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
1095 NID_aes_128_gcm,
1096 NID_undef,
1097 NID_kx_ecdhe,
1098 NID_auth_rsa,
1099 NID_sha256,
1100 },
1101 {
1102 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
1103 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
1104 NID_aes_128_gcm,
1105 NID_undef,
1106 NID_kx_ecdhe,
1107 NID_auth_ecdsa,
1108 NID_sha256,
1109 },
1110 {
1111 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
1112 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
1113 NID_aes_256_gcm,
1114 NID_undef,
1115 NID_kx_ecdhe,
1116 NID_auth_ecdsa,
1117 NID_sha384,
1118 },
1119 {
1120 TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA,
1121 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
1122 NID_aes_128_cbc,
1123 NID_sha1,
1124 NID_kx_ecdhe,
1125 NID_auth_psk,
1126 NID_md5_sha1,
1127 },
1128 {
1129 TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
1130 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
1131 NID_chacha20_poly1305,
1132 NID_undef,
1133 NID_kx_ecdhe,
1134 NID_auth_rsa,
1135 NID_sha256,
1136 },
1137 {
1138 TLS1_3_CK_AES_256_GCM_SHA384,
1139 "TLS_AES_256_GCM_SHA384",
1140 NID_aes_256_gcm,
1141 NID_undef,
1142 NID_kx_any,
1143 NID_auth_any,
1144 NID_sha384,
1145 },
1146 {
1147 TLS1_3_CK_AES_128_GCM_SHA256,
1148 "TLS_AES_128_GCM_SHA256",
1149 NID_aes_128_gcm,
1150 NID_undef,
1151 NID_kx_any,
1152 NID_auth_any,
1153 NID_sha256,
1154 },
1155 {
1156 TLS1_3_CK_CHACHA20_POLY1305_SHA256,
1157 "TLS_CHACHA20_POLY1305_SHA256",
1158 NID_chacha20_poly1305,
1159 NID_undef,
1160 NID_kx_any,
1161 NID_auth_any,
1162 NID_sha256,
1163 },
1164 };
1165
1166 for (const auto &t : kTests) {
1167 SCOPED_TRACE(t.standard_name);
1168
1169 const SSL_CIPHER *cipher = SSL_get_cipher_by_value(t.id & 0xffff);
1170 ASSERT_TRUE(cipher);
1171 EXPECT_STREQ(t.standard_name, SSL_CIPHER_standard_name(cipher));
1172
1173 EXPECT_EQ(t.cipher_nid, SSL_CIPHER_get_cipher_nid(cipher));
1174 EXPECT_EQ(t.digest_nid, SSL_CIPHER_get_digest_nid(cipher));
1175 EXPECT_EQ(t.kx_nid, SSL_CIPHER_get_kx_nid(cipher));
1176 EXPECT_EQ(t.auth_nid, SSL_CIPHER_get_auth_nid(cipher));
1177 EXPECT_EQ(t.prf_nid, EVP_MD_nid(SSL_CIPHER_get_handshake_digest(cipher)));
1178 EXPECT_EQ(t.prf_nid, SSL_CIPHER_get_prf_nid(cipher));
1179 }
1180 }
1181
1182 // CreateSessionWithTicket returns a sample |SSL_SESSION| with the specified
1183 // version and ticket length or nullptr on failure.
CreateSessionWithTicket(uint16_t version,size_t ticket_len)1184 static bssl::UniquePtr<SSL_SESSION> CreateSessionWithTicket(uint16_t version,
1185 size_t ticket_len) {
1186 std::vector<uint8_t> der;
1187 if (!DecodeBase64(&der, kOpenSSLSession)) {
1188 return nullptr;
1189 }
1190
1191 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
1192 if (!ssl_ctx) {
1193 return nullptr;
1194 }
1195 // Use a garbage ticket.
1196 std::vector<uint8_t> ticket(ticket_len, 'a');
1197 bssl::UniquePtr<SSL_SESSION> session(
1198 SSL_SESSION_from_bytes(der.data(), der.size(), ssl_ctx.get()));
1199 if (!session ||
1200 !SSL_SESSION_set_protocol_version(session.get(), version) ||
1201 !SSL_SESSION_set_ticket(session.get(), ticket.data(), ticket.size())) {
1202 return nullptr;
1203 }
1204 // Fix up the timeout.
1205 #if defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE)
1206 SSL_SESSION_set_time(session.get(), 1234);
1207 #else
1208 SSL_SESSION_set_time(session.get(), time(nullptr));
1209 #endif
1210 return session;
1211 }
1212
GetClientHello(SSL * ssl,std::vector<uint8_t> * out)1213 static bool GetClientHello(SSL *ssl, std::vector<uint8_t> *out) {
1214 bssl::UniquePtr<BIO> bio(BIO_new(BIO_s_mem()));
1215 if (!bio) {
1216 return false;
1217 }
1218 // Do not configure a reading BIO, but record what's written to a memory BIO.
1219 BIO_up_ref(bio.get());
1220 SSL_set_bio(ssl, nullptr /* rbio */, bio.get());
1221 int ret = SSL_connect(ssl);
1222 if (ret > 0) {
1223 // SSL_connect should fail without a BIO to write to.
1224 return false;
1225 }
1226 ERR_clear_error();
1227
1228 const uint8_t *client_hello;
1229 size_t client_hello_len;
1230 if (!BIO_mem_contents(bio.get(), &client_hello, &client_hello_len)) {
1231 return false;
1232 }
1233
1234 // We did not get far enough to write a ClientHello.
1235 if (client_hello_len == 0) {
1236 return false;
1237 }
1238
1239 *out = std::vector<uint8_t>(client_hello, client_hello + client_hello_len);
1240 return true;
1241 }
1242
1243 // GetClientHelloLen creates a client SSL connection with the specified version
1244 // and ticket length. It returns the length of the ClientHello, not including
1245 // the record header, on success and zero on error.
GetClientHelloLen(uint16_t max_version,uint16_t session_version,size_t ticket_len)1246 static size_t GetClientHelloLen(uint16_t max_version, uint16_t session_version,
1247 size_t ticket_len) {
1248 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
1249 bssl::UniquePtr<SSL_SESSION> session =
1250 CreateSessionWithTicket(session_version, ticket_len);
1251 if (!ctx || !session) {
1252 return 0;
1253 }
1254
1255 // Set a one-element cipher list so the baseline ClientHello is unpadded.
1256 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
1257 if (!ssl || !SSL_set_session(ssl.get(), session.get()) ||
1258 !SSL_set_strict_cipher_list(ssl.get(), "ECDHE-RSA-AES128-GCM-SHA256") ||
1259 !SSL_set_max_proto_version(ssl.get(), max_version)) {
1260 return 0;
1261 }
1262
1263 std::vector<uint8_t> client_hello;
1264 if (!GetClientHello(ssl.get(), &client_hello) ||
1265 client_hello.size() <= SSL3_RT_HEADER_LENGTH) {
1266 return 0;
1267 }
1268
1269 return client_hello.size() - SSL3_RT_HEADER_LENGTH;
1270 }
1271
TEST(SSLTest,Padding)1272 TEST(SSLTest, Padding) {
1273 struct PaddingVersions {
1274 uint16_t max_version, session_version;
1275 };
1276 static const PaddingVersions kPaddingVersions[] = {
1277 // Test the padding extension at TLS 1.2.
1278 {TLS1_2_VERSION, TLS1_2_VERSION},
1279 // Test the padding extension at TLS 1.3 with a TLS 1.2 session, so there
1280 // will be no PSK binder after the padding extension.
1281 {TLS1_3_VERSION, TLS1_2_VERSION},
1282 // Test the padding extension at TLS 1.3 with a TLS 1.3 session, so there
1283 // will be a PSK binder after the padding extension.
1284 {TLS1_3_VERSION, TLS1_3_VERSION},
1285
1286 };
1287
1288 struct PaddingTest {
1289 size_t input_len, padded_len;
1290 };
1291 static const PaddingTest kPaddingTests[] = {
1292 // ClientHellos of length below 0x100 do not require padding.
1293 {0xfe, 0xfe},
1294 {0xff, 0xff},
1295 // ClientHellos of length 0x100 through 0x1fb are padded up to 0x200.
1296 {0x100, 0x200},
1297 {0x123, 0x200},
1298 {0x1fb, 0x200},
1299 // ClientHellos of length 0x1fc through 0x1ff get padded beyond 0x200. The
1300 // padding extension takes a minimum of four bytes plus one required
1301 // content
1302 // byte. (To work around yet more server bugs, we avoid empty final
1303 // extensions.)
1304 {0x1fc, 0x201},
1305 {0x1fd, 0x202},
1306 {0x1fe, 0x203},
1307 {0x1ff, 0x204},
1308 // Finally, larger ClientHellos need no padding.
1309 {0x200, 0x200},
1310 {0x201, 0x201},
1311 };
1312
1313 for (const PaddingVersions &versions : kPaddingVersions) {
1314 SCOPED_TRACE(versions.max_version);
1315 SCOPED_TRACE(versions.session_version);
1316
1317 // Sample a baseline length.
1318 size_t base_len =
1319 GetClientHelloLen(versions.max_version, versions.session_version, 1);
1320 ASSERT_NE(base_len, 0u) << "Baseline length could not be sampled";
1321
1322 for (const PaddingTest &test : kPaddingTests) {
1323 SCOPED_TRACE(test.input_len);
1324 ASSERT_LE(base_len, test.input_len) << "Baseline ClientHello too long";
1325
1326 size_t padded_len =
1327 GetClientHelloLen(versions.max_version, versions.session_version,
1328 1 + test.input_len - base_len);
1329 EXPECT_EQ(padded_len, test.padded_len)
1330 << "ClientHello was not padded to expected length";
1331 }
1332 }
1333 }
1334
CertFromPEM(const char * pem)1335 static bssl::UniquePtr<X509> CertFromPEM(const char *pem) {
1336 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(pem, strlen(pem)));
1337 if (!bio) {
1338 return nullptr;
1339 }
1340 return bssl::UniquePtr<X509>(
1341 PEM_read_bio_X509(bio.get(), nullptr, nullptr, nullptr));
1342 }
1343
KeyFromPEM(const char * pem)1344 static bssl::UniquePtr<EVP_PKEY> KeyFromPEM(const char *pem) {
1345 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(pem, strlen(pem)));
1346 if (!bio) {
1347 return nullptr;
1348 }
1349 return bssl::UniquePtr<EVP_PKEY>(
1350 PEM_read_bio_PrivateKey(bio.get(), nullptr, nullptr, nullptr));
1351 }
1352
BufferFromPEM(const char * pem)1353 static bssl::UniquePtr<CRYPTO_BUFFER> BufferFromPEM(const char *pem) {
1354 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(pem, strlen(pem)));
1355 char *name, *header;
1356 uint8_t *data;
1357 long data_len;
1358 if (!PEM_read_bio(bio.get(), &name, &header, &data,
1359 &data_len)) {
1360 return nullptr;
1361 }
1362 OPENSSL_free(name);
1363 OPENSSL_free(header);
1364
1365 auto ret = bssl::UniquePtr<CRYPTO_BUFFER>(
1366 CRYPTO_BUFFER_new(data, data_len, nullptr));
1367 OPENSSL_free(data);
1368 return ret;
1369 }
1370
X509FromBuffer(bssl::UniquePtr<CRYPTO_BUFFER> buffer)1371 static bssl::UniquePtr<X509> X509FromBuffer(
1372 bssl::UniquePtr<CRYPTO_BUFFER> buffer) {
1373 if (!buffer) {
1374 return nullptr;
1375 }
1376 const uint8_t *derp = CRYPTO_BUFFER_data(buffer.get());
1377 return bssl::UniquePtr<X509>(
1378 d2i_X509(NULL, &derp, CRYPTO_BUFFER_len(buffer.get())));
1379 }
1380
GetTestCertificate()1381 static bssl::UniquePtr<X509> GetTestCertificate() {
1382 static const char kCertPEM[] =
1383 "-----BEGIN CERTIFICATE-----\n"
1384 "MIICWDCCAcGgAwIBAgIJAPuwTC6rEJsMMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV\n"
1385 "BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX\n"
1386 "aWRnaXRzIFB0eSBMdGQwHhcNMTQwNDIzMjA1MDQwWhcNMTcwNDIyMjA1MDQwWjBF\n"
1387 "MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50\n"
1388 "ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\n"
1389 "gQDYK8imMuRi/03z0K1Zi0WnvfFHvwlYeyK9Na6XJYaUoIDAtB92kWdGMdAQhLci\n"
1390 "HnAjkXLI6W15OoV3gA/ElRZ1xUpxTMhjP6PyY5wqT5r6y8FxbiiFKKAnHmUcrgfV\n"
1391 "W28tQ+0rkLGMryRtrukXOgXBv7gcrmU7G1jC2a7WqmeI8QIDAQABo1AwTjAdBgNV\n"
1392 "HQ4EFgQUi3XVrMsIvg4fZbf6Vr5sp3Xaha8wHwYDVR0jBBgwFoAUi3XVrMsIvg4f\n"
1393 "Zbf6Vr5sp3Xaha8wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQA76Hht\n"
1394 "ldY9avcTGSwbwoiuIqv0jTL1fHFnzy3RHMLDh+Lpvolc5DSrSJHCP5WuK0eeJXhr\n"
1395 "T5oQpHL9z/cCDLAKCKRa4uV0fhEdOWBqyR9p8y5jJtye72t6CuFUV5iqcpF4BH4f\n"
1396 "j2VNHwsSrJwkD4QUGlUtH7vwnQmyCFxZMmWAJg==\n"
1397 "-----END CERTIFICATE-----\n";
1398 return CertFromPEM(kCertPEM);
1399 }
1400
GetTestKey()1401 static bssl::UniquePtr<EVP_PKEY> GetTestKey() {
1402 static const char kKeyPEM[] =
1403 "-----BEGIN RSA PRIVATE KEY-----\n"
1404 "MIICXgIBAAKBgQDYK8imMuRi/03z0K1Zi0WnvfFHvwlYeyK9Na6XJYaUoIDAtB92\n"
1405 "kWdGMdAQhLciHnAjkXLI6W15OoV3gA/ElRZ1xUpxTMhjP6PyY5wqT5r6y8FxbiiF\n"
1406 "KKAnHmUcrgfVW28tQ+0rkLGMryRtrukXOgXBv7gcrmU7G1jC2a7WqmeI8QIDAQAB\n"
1407 "AoGBAIBy09Fd4DOq/Ijp8HeKuCMKTHqTW1xGHshLQ6jwVV2vWZIn9aIgmDsvkjCe\n"
1408 "i6ssZvnbjVcwzSoByhjN8ZCf/i15HECWDFFh6gt0P5z0MnChwzZmvatV/FXCT0j+\n"
1409 "WmGNB/gkehKjGXLLcjTb6dRYVJSCZhVuOLLcbWIV10gggJQBAkEA8S8sGe4ezyyZ\n"
1410 "m4e9r95g6s43kPqtj5rewTsUxt+2n4eVodD+ZUlCULWVNAFLkYRTBCASlSrm9Xhj\n"
1411 "QpmWAHJUkQJBAOVzQdFUaewLtdOJoPCtpYoY1zd22eae8TQEmpGOR11L6kbxLQsk\n"
1412 "aMly/DOnOaa82tqAGTdqDEZgSNmCeKKknmECQAvpnY8GUOVAubGR6c+W90iBuQLj\n"
1413 "LtFp/9ihd2w/PoDwrHZaoUYVcT4VSfJQog/k7kjE4MYXYWL8eEKg3WTWQNECQQDk\n"
1414 "104Wi91Umd1PzF0ijd2jXOERJU1wEKe6XLkYYNHWQAe5l4J4MWj9OdxFXAxIuuR/\n"
1415 "tfDwbqkta4xcux67//khAkEAvvRXLHTaa6VFzTaiiO8SaFsHV3lQyXOtMrBpB5jd\n"
1416 "moZWgjHvB2W9Ckn7sDqsPB+U2tyX0joDdQEyuiMECDY8oQ==\n"
1417 "-----END RSA PRIVATE KEY-----\n";
1418 return KeyFromPEM(kKeyPEM);
1419 }
1420
CreateContextWithTestCertificate(const SSL_METHOD * method)1421 static bssl::UniquePtr<SSL_CTX> CreateContextWithTestCertificate(
1422 const SSL_METHOD *method) {
1423 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
1424 bssl::UniquePtr<X509> cert = GetTestCertificate();
1425 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
1426 if (!ctx || !cert || !key ||
1427 !SSL_CTX_use_certificate(ctx.get(), cert.get()) ||
1428 !SSL_CTX_use_PrivateKey(ctx.get(), key.get())) {
1429 return nullptr;
1430 }
1431 return ctx;
1432 }
1433
GetECDSATestCertificateBuffer()1434 static bssl::UniquePtr<CRYPTO_BUFFER> GetECDSATestCertificateBuffer() {
1435 static const char kCertPEM[] =
1436 "-----BEGIN CERTIFICATE-----\n"
1437 "MIIBzzCCAXagAwIBAgIJANlMBNpJfb/rMAkGByqGSM49BAEwRTELMAkGA1UEBhMC\n"
1438 "QVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdp\n"
1439 "dHMgUHR5IEx0ZDAeFw0xNDA0MjMyMzIxNTdaFw0xNDA1MjMyMzIxNTdaMEUxCzAJ\n"
1440 "BgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5l\n"
1441 "dCBXaWRnaXRzIFB0eSBMdGQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATmK2ni\n"
1442 "v2Wfl74vHg2UikzVl2u3qR4NRvvdqakendy6WgHn1peoChj5w8SjHlbifINI2xYa\n"
1443 "HPUdfvGULUvPciLBo1AwTjAdBgNVHQ4EFgQUq4TSrKuV8IJOFngHVVdf5CaNgtEw\n"
1444 "HwYDVR0jBBgwFoAUq4TSrKuV8IJOFngHVVdf5CaNgtEwDAYDVR0TBAUwAwEB/zAJ\n"
1445 "BgcqhkjOPQQBA0gAMEUCIQDyoDVeUTo2w4J5m+4nUIWOcAZ0lVfSKXQA9L4Vh13E\n"
1446 "BwIgfB55FGohg/B6dGh5XxSZmmi08cueFV7mHzJSYV51yRQ=\n"
1447 "-----END CERTIFICATE-----\n";
1448 return BufferFromPEM(kCertPEM);
1449 }
1450
GetECDSATestCertificate()1451 static bssl::UniquePtr<X509> GetECDSATestCertificate() {
1452 return X509FromBuffer(GetECDSATestCertificateBuffer());
1453 }
1454
1455
GetECDSATestKey()1456 static bssl::UniquePtr<EVP_PKEY> GetECDSATestKey() {
1457 static const char kKeyPEM[] =
1458 "-----BEGIN PRIVATE KEY-----\n"
1459 "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgBw8IcnrUoEqc3VnJ\n"
1460 "TYlodwi1b8ldMHcO6NHJzgqLtGqhRANCAATmK2niv2Wfl74vHg2UikzVl2u3qR4N\n"
1461 "Rvvdqakendy6WgHn1peoChj5w8SjHlbifINI2xYaHPUdfvGULUvPciLB\n"
1462 "-----END PRIVATE KEY-----\n";
1463 return KeyFromPEM(kKeyPEM);
1464 }
1465
GetChainTestCertificateBuffer()1466 static bssl::UniquePtr<CRYPTO_BUFFER> GetChainTestCertificateBuffer() {
1467 static const char kCertPEM[] =
1468 "-----BEGIN CERTIFICATE-----\n"
1469 "MIIC0jCCAbqgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEQiBD\n"
1470 "QTAeFw0xNjAyMjgyMDI3MDNaFw0yNjAyMjUyMDI3MDNaMBgxFjAUBgNVBAMMDUNs\n"
1471 "aWVudCBDZXJ0IEEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDRvaz8\n"
1472 "CC/cshpCafJo4jLkHEoBqDLhdgFelJoAiQUyIqyWl2O7YHPnpJH+TgR7oelzNzt/\n"
1473 "kLRcH89M/TszB6zqyLTC4aqmvzKL0peD/jL2LWBucR0WXIvjA3zoRuF/x86+rYH3\n"
1474 "tHb+xs2PSs8EGL/Ev+ss+qTzTGEn26fuGNHkNw6tOwPpc+o8+wUtzf/kAthamo+c\n"
1475 "IDs2rQ+lP7+aLZTLeU/q4gcLutlzcK5imex5xy2jPkweq48kijK0kIzl1cPlA5d1\n"
1476 "z7C8jU50Pj9X9sQDJTN32j7UYRisJeeYQF8GaaN8SbrDI6zHgKzrRLyxDt/KQa9V\n"
1477 "iLeXANgZi+Xx9KgfAgMBAAGjLzAtMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYI\n"
1478 "KwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQBFEVbmYl+2RtNw\n"
1479 "rDftRDF1v2QUbcN2ouSnQDHxeDQdSgasLzT3ui8iYu0Rw2WWcZ0DV5e0ztGPhWq7\n"
1480 "AO0B120aFRMOY+4+bzu9Q2FFkQqc7/fKTvTDzIJI5wrMnFvUfzzvxh3OHWMYSs/w\n"
1481 "giq33hTKeHEq6Jyk3btCny0Ycecyc3yGXH10sizUfiHlhviCkDuESk8mFDwDDzqW\n"
1482 "ZF0IipzFbEDHoIxLlm3GQxpiLoEV4k8KYJp3R5KBLFyxM6UGPz8h72mIPCJp2RuK\n"
1483 "MYgF91UDvVzvnYm6TfseM2+ewKirC00GOrZ7rEcFvtxnKSqYf4ckqfNdSU1Y+RRC\n"
1484 "1ngWZ7Ih\n"
1485 "-----END CERTIFICATE-----\n";
1486 return BufferFromPEM(kCertPEM);
1487 }
1488
GetChainTestCertificate()1489 static bssl::UniquePtr<X509> GetChainTestCertificate() {
1490 return X509FromBuffer(GetChainTestCertificateBuffer());
1491 }
1492
GetChainTestIntermediateBuffer()1493 static bssl::UniquePtr<CRYPTO_BUFFER> GetChainTestIntermediateBuffer() {
1494 static const char kCertPEM[] =
1495 "-----BEGIN CERTIFICATE-----\n"
1496 "MIICwjCCAaqgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwFDESMBAGA1UEAwwJQyBS\n"
1497 "b290IENBMB4XDTE2MDIyODIwMjcwM1oXDTI2MDIyNTIwMjcwM1owDzENMAsGA1UE\n"
1498 "AwwEQiBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALsSCYmDip2D\n"
1499 "GkjFxw7ykz26JSjELkl6ArlYjFJ3aT/SCh8qbS4gln7RH8CPBd78oFdfhIKQrwtZ\n"
1500 "3/q21ykD9BAS3qHe2YdcJfm8/kWAy5DvXk6NXU4qX334KofBAEpgdA/igEFq1P1l\n"
1501 "HAuIfZCpMRfT+i5WohVsGi8f/NgpRvVaMONLNfgw57mz1lbtFeBEISmX0kbsuJxF\n"
1502 "Qj/Bwhi5/0HAEXG8e7zN4cEx0yPRvmOATRdVb/8dW2pwOHRJq9R5M0NUkIsTSnL7\n"
1503 "6N/z8hRAHMsV3IudC5Yd7GXW1AGu9a+iKU+Q4xcZCoj0DC99tL4VKujrV1kAeqsM\n"
1504 "cz5/dKzi6+cCAwEAAaMjMCEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
1505 "AQYwDQYJKoZIhvcNAQELBQADggEBAIIeZiEeNhWWQ8Y4D+AGDwqUUeG8NjCbKrXQ\n"
1506 "BlHg5wZ8xftFaiP1Dp/UAezmx2LNazdmuwrYB8lm3FVTyaPDTKEGIPS4wJKHgqH1\n"
1507 "QPDhqNm85ey7TEtI9oYjsNim/Rb+iGkIAMXaxt58SzxbjvP0kMr1JfJIZbic9vye\n"
1508 "NwIspMFIpP3FB8ywyu0T0hWtCQgL4J47nigCHpOu58deP88fS/Nyz/fyGVWOZ76b\n"
1509 "WhWwgM3P3X95fQ3d7oFPR/bVh0YV+Cf861INwplokXgXQ3/TCQ+HNXeAMWn3JLWv\n"
1510 "XFwk8owk9dq/kQGdndGgy3KTEW4ctPX5GNhf3LJ9Q7dLji4ReQ4=\n"
1511 "-----END CERTIFICATE-----\n";
1512 return BufferFromPEM(kCertPEM);
1513 }
1514
GetChainTestIntermediate()1515 static bssl::UniquePtr<X509> GetChainTestIntermediate() {
1516 return X509FromBuffer(GetChainTestIntermediateBuffer());
1517 }
1518
GetChainTestKey()1519 static bssl::UniquePtr<EVP_PKEY> GetChainTestKey() {
1520 static const char kKeyPEM[] =
1521 "-----BEGIN PRIVATE KEY-----\n"
1522 "MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDRvaz8CC/cshpC\n"
1523 "afJo4jLkHEoBqDLhdgFelJoAiQUyIqyWl2O7YHPnpJH+TgR7oelzNzt/kLRcH89M\n"
1524 "/TszB6zqyLTC4aqmvzKL0peD/jL2LWBucR0WXIvjA3zoRuF/x86+rYH3tHb+xs2P\n"
1525 "Ss8EGL/Ev+ss+qTzTGEn26fuGNHkNw6tOwPpc+o8+wUtzf/kAthamo+cIDs2rQ+l\n"
1526 "P7+aLZTLeU/q4gcLutlzcK5imex5xy2jPkweq48kijK0kIzl1cPlA5d1z7C8jU50\n"
1527 "Pj9X9sQDJTN32j7UYRisJeeYQF8GaaN8SbrDI6zHgKzrRLyxDt/KQa9ViLeXANgZ\n"
1528 "i+Xx9KgfAgMBAAECggEBAK0VjSJzkyPaamcyTVSWjo7GdaBGcK60lk657RjR+lK0\n"
1529 "YJ7pkej4oM2hdsVZFsP8Cs4E33nXLa/0pDsRov/qrp0WQm2skwqGMC1I/bZ0WRPk\n"
1530 "wHaDrBBfESWnJDX/AGpVtlyOjPmgmK6J2usMPihQUDkKdAYrVWJePrMIxt1q6BMe\n"
1531 "iczs3qriMmtY3bUc4UyUwJ5fhDLjshHvfuIpYQyI6EXZM6dZksn9LylXJnigY6QJ\n"
1532 "HxOYO0BDwOsZ8yQ8J8afLk88i0GizEkgE1z3REtQUwgWfxr1WV/ud+T6/ZhSAgH9\n"
1533 "042mQvSFZnIUSEsmCvjhWuAunfxHKCTcAoYISWfzWpkCgYEA7gpf3HHU5Tn+CgUn\n"
1534 "1X5uGpG3DmcMgfeGgs2r2f/IIg/5Ac1dfYILiybL1tN9zbyLCJfcbFpWBc9hJL6f\n"
1535 "CPc5hUiwWFJqBJewxQkC1Ae/HakHbip+IZ+Jr0842O4BAArvixk4Lb7/N2Ct9sTE\n"
1536 "NJO6RtK9lbEZ5uK61DglHy8CS2UCgYEA4ZC1o36kPAMQBggajgnucb2yuUEelk0f\n"
1537 "AEr+GI32MGE+93xMr7rAhBoqLg4AITyIfEnOSQ5HwagnIHonBbv1LV/Gf9ursx8Z\n"
1538 "YOGbvT8zzzC+SU1bkDzdjAYnFQVGIjMtKOBJ3K07++ypwX1fr4QsQ8uKL8WSOWwt\n"
1539 "Z3Bym6XiZzMCgYADnhy+2OwHX85AkLt+PyGlPbmuelpyTzS4IDAQbBa6jcuW/2wA\n"
1540 "UE2km75VUXmD+u2R/9zVuLm99NzhFhSMqlUxdV1YukfqMfP5yp1EY6m/5aW7QuIP\n"
1541 "2MDa7TVL9rIFMiVZ09RKvbBbQxjhuzPQKL6X/PPspnhiTefQ+dl2k9xREQKBgHDS\n"
1542 "fMfGNEeAEKezrfSVqxphE9/tXms3L+ZpnCaT+yu/uEr5dTIAawKoQ6i9f/sf1/Sy\n"
1543 "xedsqR+IB+oKrzIDDWMgoJybN4pkZ8E5lzhVQIjFjKgFdWLzzqyW9z1gYfABQPlN\n"
1544 "FiS20WX0vgP1vcKAjdNrHzc9zyHBpgQzDmAj3NZZAoGBAI8vKCKdH7w3aL5CNkZQ\n"
1545 "2buIeWNA2HZazVwAGG5F2TU/LmXfRKnG6dX5bkU+AkBZh56jNZy//hfFSewJB4Kk\n"
1546 "buB7ERSdaNbO21zXt9FEA3+z0RfMd/Zv2vlIWOSB5nzl/7UKti3sribK6s9ZVLfi\n"
1547 "SxpiPQ8d/hmSGwn4ksrWUsJD\n"
1548 "-----END PRIVATE KEY-----\n";
1549 return KeyFromPEM(kKeyPEM);
1550 }
1551
CompleteHandshakes(SSL * client,SSL * server)1552 static bool CompleteHandshakes(SSL *client, SSL *server) {
1553 // Drive both their handshakes to completion.
1554 for (;;) {
1555 int client_ret = SSL_do_handshake(client);
1556 int client_err = SSL_get_error(client, client_ret);
1557 if (client_err != SSL_ERROR_NONE &&
1558 client_err != SSL_ERROR_WANT_READ &&
1559 client_err != SSL_ERROR_WANT_WRITE &&
1560 client_err != SSL_ERROR_PENDING_TICKET) {
1561 fprintf(stderr, "Client error: %s\n", SSL_error_description(client_err));
1562 return false;
1563 }
1564
1565 int server_ret = SSL_do_handshake(server);
1566 int server_err = SSL_get_error(server, server_ret);
1567 if (server_err != SSL_ERROR_NONE &&
1568 server_err != SSL_ERROR_WANT_READ &&
1569 server_err != SSL_ERROR_WANT_WRITE &&
1570 server_err != SSL_ERROR_PENDING_TICKET) {
1571 fprintf(stderr, "Server error: %s\n", SSL_error_description(server_err));
1572 return false;
1573 }
1574
1575 if (client_ret == 1 && server_ret == 1) {
1576 break;
1577 }
1578 }
1579
1580 return true;
1581 }
1582
FlushNewSessionTickets(SSL * client,SSL * server)1583 static bool FlushNewSessionTickets(SSL *client, SSL *server) {
1584 // NewSessionTickets are deferred on the server to |SSL_write|, and clients do
1585 // not pick them up until |SSL_read|.
1586 for (;;) {
1587 int server_ret = SSL_write(server, nullptr, 0);
1588 int server_err = SSL_get_error(server, server_ret);
1589 // The server may either succeed (|server_ret| is zero) or block on write
1590 // (|server_ret| is -1 and |server_err| is |SSL_ERROR_WANT_WRITE|).
1591 if (server_ret > 0 ||
1592 (server_ret < 0 && server_err != SSL_ERROR_WANT_WRITE)) {
1593 fprintf(stderr, "Unexpected server result: %d %d\n", server_ret,
1594 server_err);
1595 return false;
1596 }
1597
1598 int client_ret = SSL_read(client, nullptr, 0);
1599 int client_err = SSL_get_error(client, client_ret);
1600 // The client must always block on read.
1601 if (client_ret != -1 || client_err != SSL_ERROR_WANT_READ) {
1602 fprintf(stderr, "Unexpected client result: %d %d\n", client_ret,
1603 client_err);
1604 return false;
1605 }
1606
1607 // The server flushed everything it had to write.
1608 if (server_ret == 0) {
1609 return true;
1610 }
1611 }
1612 }
1613
1614 // CreateClientAndServer creates a client and server |SSL| objects whose |BIO|s
1615 // are paired with each other. It does not run the handshake. The caller is
1616 // expected to configure the objects and drive the handshake as needed.
CreateClientAndServer(bssl::UniquePtr<SSL> * out_client,bssl::UniquePtr<SSL> * out_server,SSL_CTX * client_ctx,SSL_CTX * server_ctx)1617 static bool CreateClientAndServer(bssl::UniquePtr<SSL> *out_client,
1618 bssl::UniquePtr<SSL> *out_server,
1619 SSL_CTX *client_ctx, SSL_CTX *server_ctx) {
1620 bssl::UniquePtr<SSL> client(SSL_new(client_ctx)), server(SSL_new(server_ctx));
1621 if (!client || !server) {
1622 return false;
1623 }
1624 SSL_set_connect_state(client.get());
1625 SSL_set_accept_state(server.get());
1626
1627 BIO *bio1, *bio2;
1628 if (!BIO_new_bio_pair(&bio1, 0, &bio2, 0)) {
1629 return false;
1630 }
1631 // SSL_set_bio takes ownership.
1632 SSL_set_bio(client.get(), bio1, bio1);
1633 SSL_set_bio(server.get(), bio2, bio2);
1634
1635 *out_client = std::move(client);
1636 *out_server = std::move(server);
1637 return true;
1638 }
1639
1640 struct ClientConfig {
1641 SSL_SESSION *session = nullptr;
1642 std::string servername;
1643 std::string verify_hostname;
1644 unsigned hostflags = 0;
1645 bool early_data = false;
1646 };
1647
ConnectClientAndServer(bssl::UniquePtr<SSL> * out_client,bssl::UniquePtr<SSL> * out_server,SSL_CTX * client_ctx,SSL_CTX * server_ctx,const ClientConfig & config=ClientConfig (),bool shed_handshake_config=true)1648 static bool ConnectClientAndServer(bssl::UniquePtr<SSL> *out_client,
1649 bssl::UniquePtr<SSL> *out_server,
1650 SSL_CTX *client_ctx, SSL_CTX *server_ctx,
1651 const ClientConfig &config = ClientConfig(),
1652 bool shed_handshake_config = true) {
1653 bssl::UniquePtr<SSL> client, server;
1654 if (!CreateClientAndServer(&client, &server, client_ctx, server_ctx)) {
1655 return false;
1656 }
1657 if (config.early_data) {
1658 SSL_set_early_data_enabled(client.get(), 1);
1659 }
1660 if (config.session) {
1661 SSL_set_session(client.get(), config.session);
1662 }
1663 if (!config.servername.empty() &&
1664 !SSL_set_tlsext_host_name(client.get(), config.servername.c_str())) {
1665 return false;
1666 }
1667 if (!config.verify_hostname.empty()) {
1668 if (!SSL_set1_host(client.get(), config.verify_hostname.c_str())) {
1669 return false;
1670 }
1671 SSL_set_hostflags(client.get(), config.hostflags);
1672 }
1673
1674 SSL_set_shed_handshake_config(client.get(), shed_handshake_config);
1675 SSL_set_shed_handshake_config(server.get(), shed_handshake_config);
1676
1677 if (!CompleteHandshakes(client.get(), server.get())) {
1678 return false;
1679 }
1680
1681 *out_client = std::move(client);
1682 *out_server = std::move(server);
1683 return true;
1684 }
1685
1686 static bssl::UniquePtr<SSL_SESSION> g_last_session;
1687
SaveLastSession(SSL * ssl,SSL_SESSION * session)1688 static int SaveLastSession(SSL *ssl, SSL_SESSION *session) {
1689 // Save the most recent session.
1690 g_last_session.reset(session);
1691 return 1;
1692 }
1693
CreateClientSession(SSL_CTX * client_ctx,SSL_CTX * server_ctx,const ClientConfig & config=ClientConfig ())1694 static bssl::UniquePtr<SSL_SESSION> CreateClientSession(
1695 SSL_CTX *client_ctx, SSL_CTX *server_ctx,
1696 const ClientConfig &config = ClientConfig()) {
1697 g_last_session = nullptr;
1698 SSL_CTX_sess_set_new_cb(client_ctx, SaveLastSession);
1699
1700 // Connect client and server to get a session.
1701 bssl::UniquePtr<SSL> client, server;
1702 if (!ConnectClientAndServer(&client, &server, client_ctx, server_ctx,
1703 config) ||
1704 !FlushNewSessionTickets(client.get(), server.get())) {
1705 fprintf(stderr, "Failed to connect client and server.\n");
1706 return nullptr;
1707 }
1708
1709 SSL_CTX_sess_set_new_cb(client_ctx, nullptr);
1710
1711 if (!g_last_session) {
1712 fprintf(stderr, "Client did not receive a session.\n");
1713 return nullptr;
1714 }
1715 return std::move(g_last_session);
1716 }
1717
SetUpExpectedNewCodePoint(SSL_CTX * ctx)1718 static void SetUpExpectedNewCodePoint(SSL_CTX *ctx) {
1719 SSL_CTX_set_select_certificate_cb(
1720 ctx,
1721 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
1722 const uint8_t *data;
1723 size_t len;
1724 if (!SSL_early_callback_ctx_extension_get(
1725 client_hello, TLSEXT_TYPE_application_settings, &data,
1726 &len)) {
1727 ADD_FAILURE() << "Could not find alps new codepoint.";
1728 return ssl_select_cert_error;
1729 }
1730 return ssl_select_cert_success;
1731 });
1732 }
1733
SetUpExpectedOldCodePoint(SSL_CTX * ctx)1734 static void SetUpExpectedOldCodePoint(SSL_CTX *ctx) {
1735 SSL_CTX_set_select_certificate_cb(
1736 ctx,
1737 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
1738 const uint8_t *data;
1739 size_t len;
1740 if (!SSL_early_callback_ctx_extension_get(
1741 client_hello, TLSEXT_TYPE_application_settings_old, &data,
1742 &len)) {
1743 ADD_FAILURE() << "Could not find alps old codepoint.";
1744 return ssl_select_cert_error;
1745 }
1746 return ssl_select_cert_success;
1747 });
1748 }
1749
1750 // Test that |SSL_get_client_CA_list| echoes back the configured parameter even
1751 // before configuring as a server.
TEST(SSLTest,ClientCAList)1752 TEST(SSLTest, ClientCAList) {
1753 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
1754 ASSERT_TRUE(ctx);
1755 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
1756 ASSERT_TRUE(ssl);
1757
1758 bssl::UniquePtr<X509_NAME> name(X509_NAME_new());
1759 ASSERT_TRUE(name);
1760
1761 bssl::UniquePtr<X509_NAME> name_dup(X509_NAME_dup(name.get()));
1762 ASSERT_TRUE(name_dup);
1763
1764 bssl::UniquePtr<STACK_OF(X509_NAME)> stack(sk_X509_NAME_new_null());
1765 ASSERT_TRUE(stack);
1766 ASSERT_TRUE(PushToStack(stack.get(), std::move(name_dup)));
1767
1768 // |SSL_set_client_CA_list| takes ownership.
1769 SSL_set_client_CA_list(ssl.get(), stack.release());
1770
1771 STACK_OF(X509_NAME) *result = SSL_get_client_CA_list(ssl.get());
1772 ASSERT_TRUE(result);
1773 ASSERT_EQ(1u, sk_X509_NAME_num(result));
1774 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(result, 0), name.get()));
1775 }
1776
TEST(SSLTest,AddClientCA)1777 TEST(SSLTest, AddClientCA) {
1778 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
1779 ASSERT_TRUE(ctx);
1780 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
1781 ASSERT_TRUE(ssl);
1782
1783 bssl::UniquePtr<X509> cert1 = GetTestCertificate();
1784 bssl::UniquePtr<X509> cert2 = GetChainTestCertificate();
1785 ASSERT_TRUE(cert1 && cert2);
1786 X509_NAME *name1 = X509_get_subject_name(cert1.get());
1787 X509_NAME *name2 = X509_get_subject_name(cert2.get());
1788
1789 EXPECT_EQ(0u, sk_X509_NAME_num(SSL_get_client_CA_list(ssl.get())));
1790
1791 ASSERT_TRUE(SSL_add_client_CA(ssl.get(), cert1.get()));
1792 ASSERT_TRUE(SSL_add_client_CA(ssl.get(), cert2.get()));
1793
1794 STACK_OF(X509_NAME) *list = SSL_get_client_CA_list(ssl.get());
1795 ASSERT_EQ(2u, sk_X509_NAME_num(list));
1796 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 0), name1));
1797 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 1), name2));
1798
1799 ASSERT_TRUE(SSL_add_client_CA(ssl.get(), cert1.get()));
1800
1801 list = SSL_get_client_CA_list(ssl.get());
1802 ASSERT_EQ(3u, sk_X509_NAME_num(list));
1803 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 0), name1));
1804 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 1), name2));
1805 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 2), name1));
1806 }
1807
1808 struct ECHConfigParams {
1809 uint16_t version = TLSEXT_TYPE_encrypted_client_hello;
1810 uint16_t config_id = 1;
1811 std::string public_name = "example.com";
1812 const EVP_HPKE_KEY *key = nullptr;
1813 // kem_id, if zero, takes its value from |key|.
1814 uint16_t kem_id = 0;
1815 // public_key, if empty takes its value from |key|.
1816 std::vector<uint8_t> public_key;
1817 size_t max_name_len = 16;
1818 // cipher_suites is a list of code points which should contain pairs of KDF
1819 // and AEAD IDs.
1820 std::vector<uint16_t> cipher_suites = {EVP_HPKE_HKDF_SHA256,
1821 EVP_HPKE_AES_128_GCM};
1822 std::vector<uint8_t> extensions;
1823 };
1824
1825 // MakeECHConfig serializes an ECHConfig from |params| and writes it to
1826 // |*out|.
MakeECHConfig(std::vector<uint8_t> * out,const ECHConfigParams & params)1827 bool MakeECHConfig(std::vector<uint8_t> *out,
1828 const ECHConfigParams ¶ms) {
1829 uint16_t kem_id = params.kem_id == 0
1830 ? EVP_HPKE_KEM_id(EVP_HPKE_KEY_kem(params.key))
1831 : params.kem_id;
1832 std::vector<uint8_t> public_key = params.public_key;
1833 if (public_key.empty()) {
1834 public_key.resize(EVP_HPKE_MAX_PUBLIC_KEY_LENGTH);
1835 size_t len;
1836 if (!EVP_HPKE_KEY_public_key(params.key, public_key.data(), &len,
1837 public_key.size())) {
1838 return false;
1839 }
1840 public_key.resize(len);
1841 }
1842
1843 bssl::ScopedCBB cbb;
1844 CBB contents, child;
1845 if (!CBB_init(cbb.get(), 64) ||
1846 !CBB_add_u16(cbb.get(), params.version) ||
1847 !CBB_add_u16_length_prefixed(cbb.get(), &contents) ||
1848 !CBB_add_u8(&contents, params.config_id) ||
1849 !CBB_add_u16(&contents, kem_id) ||
1850 !CBB_add_u16_length_prefixed(&contents, &child) ||
1851 !CBB_add_bytes(&child, public_key.data(), public_key.size()) ||
1852 !CBB_add_u16_length_prefixed(&contents, &child)) {
1853 return false;
1854 }
1855 for (uint16_t cipher_suite : params.cipher_suites) {
1856 if (!CBB_add_u16(&child, cipher_suite)) {
1857 return false;
1858 }
1859 }
1860 if (!CBB_add_u8(&contents, params.max_name_len) ||
1861 !CBB_add_u8_length_prefixed(&contents, &child) ||
1862 !CBB_add_bytes(
1863 &child, reinterpret_cast<const uint8_t *>(params.public_name.data()),
1864 params.public_name.size()) ||
1865 !CBB_add_u16_length_prefixed(&contents, &child) ||
1866 !CBB_add_bytes(&child, params.extensions.data(),
1867 params.extensions.size()) ||
1868 !CBB_flush(cbb.get())) {
1869 return false;
1870 }
1871
1872 out->assign(CBB_data(cbb.get()), CBB_data(cbb.get()) + CBB_len(cbb.get()));
1873 return true;
1874 }
1875
MakeTestECHKeys(uint8_t config_id=1)1876 static bssl::UniquePtr<SSL_ECH_KEYS> MakeTestECHKeys(uint8_t config_id = 1) {
1877 bssl::ScopedEVP_HPKE_KEY key;
1878 uint8_t *ech_config;
1879 size_t ech_config_len;
1880 if (!EVP_HPKE_KEY_generate(key.get(), EVP_hpke_x25519_hkdf_sha256()) ||
1881 !SSL_marshal_ech_config(&ech_config, &ech_config_len, config_id,
1882 key.get(), "public.example", 16)) {
1883 return nullptr;
1884 }
1885 bssl::UniquePtr<uint8_t> free_ech_config(ech_config);
1886
1887 // Install a non-retry config.
1888 bssl::UniquePtr<SSL_ECH_KEYS> keys(SSL_ECH_KEYS_new());
1889 if (!keys || !SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1, ech_config,
1890 ech_config_len, key.get())) {
1891 return nullptr;
1892 }
1893 return keys;
1894 }
1895
InstallECHConfigList(SSL * client,const SSL_ECH_KEYS * keys)1896 static bool InstallECHConfigList(SSL *client, const SSL_ECH_KEYS *keys) {
1897 uint8_t *ech_config_list;
1898 size_t ech_config_list_len;
1899 if (!SSL_ECH_KEYS_marshal_retry_configs(keys, &ech_config_list,
1900 &ech_config_list_len)) {
1901 return false;
1902 }
1903 bssl::UniquePtr<uint8_t> free_ech_config_list(ech_config_list);
1904 return SSL_set1_ech_config_list(client, ech_config_list, ech_config_list_len);
1905 }
1906
1907 // Test that |SSL_marshal_ech_config| and |SSL_ECH_KEYS_marshal_retry_configs|
1908 // output values as expected.
TEST(SSLTest,MarshalECHConfig)1909 TEST(SSLTest, MarshalECHConfig) {
1910 static const uint8_t kPrivateKey[X25519_PRIVATE_KEY_LEN] = {
1911 0xbc, 0xb5, 0x51, 0x29, 0x31, 0x10, 0x30, 0xc9, 0xed, 0x26, 0xde,
1912 0xd4, 0xb3, 0xdf, 0x3a, 0xce, 0x06, 0x8a, 0xee, 0x17, 0xab, 0xce,
1913 0xd7, 0xdb, 0xf3, 0x11, 0xe5, 0xa8, 0xf3, 0xb1, 0x8e, 0x24};
1914 bssl::ScopedEVP_HPKE_KEY key;
1915 ASSERT_TRUE(EVP_HPKE_KEY_init(key.get(), EVP_hpke_x25519_hkdf_sha256(),
1916 kPrivateKey, sizeof(kPrivateKey)));
1917
1918 static const uint8_t kECHConfig[] = {
1919 // version
1920 0xfe, 0x0d,
1921 // length
1922 0x00, 0x41,
1923 // contents.config_id
1924 0x01,
1925 // contents.kem_id
1926 0x00, 0x20,
1927 // contents.public_key
1928 0x00, 0x20, 0xa6, 0x9a, 0x41, 0x48, 0x5d, 0x32, 0x96, 0xa4, 0xe0, 0xc3,
1929 0x6a, 0xee, 0xf6, 0x63, 0x0f, 0x59, 0x32, 0x6f, 0xdc, 0xff, 0x81, 0x29,
1930 0x59, 0xa5, 0x85, 0xd3, 0x9b, 0x3b, 0xde, 0x98, 0x55, 0x5c,
1931 // contents.cipher_suites
1932 0x00, 0x08, 0x00, 0x01, 0x00, 0x01, 0x00, 0x01, 0x00, 0x03,
1933 // contents.maximum_name_length
1934 0x10,
1935 // contents.public_name
1936 0x0e, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x2e, 0x65, 0x78, 0x61, 0x6d,
1937 0x70, 0x6c, 0x65,
1938 // contents.extensions
1939 0x00, 0x00};
1940 uint8_t *ech_config;
1941 size_t ech_config_len;
1942 ASSERT_TRUE(SSL_marshal_ech_config(&ech_config, &ech_config_len,
1943 /*config_id=*/1, key.get(),
1944 "public.example", 16));
1945 bssl::UniquePtr<uint8_t> free_ech_config(ech_config);
1946 EXPECT_EQ(Bytes(kECHConfig), Bytes(ech_config, ech_config_len));
1947
1948 // Generate a second ECHConfig.
1949 bssl::ScopedEVP_HPKE_KEY key2;
1950 ASSERT_TRUE(EVP_HPKE_KEY_generate(key2.get(), EVP_hpke_x25519_hkdf_sha256()));
1951 uint8_t *ech_config2;
1952 size_t ech_config2_len;
1953 ASSERT_TRUE(SSL_marshal_ech_config(&ech_config2, &ech_config2_len,
1954 /*config_id=*/2, key2.get(),
1955 "public.example", 16));
1956 bssl::UniquePtr<uint8_t> free_ech_config2(ech_config2);
1957
1958 // Install both ECHConfigs in an |SSL_ECH_KEYS|.
1959 bssl::UniquePtr<SSL_ECH_KEYS> keys(SSL_ECH_KEYS_new());
1960 ASSERT_TRUE(keys);
1961 ASSERT_TRUE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1, ech_config,
1962 ech_config_len, key.get()));
1963 ASSERT_TRUE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1, ech_config2,
1964 ech_config2_len, key2.get()));
1965
1966 // The ECHConfigList should be correctly serialized.
1967 uint8_t *ech_config_list;
1968 size_t ech_config_list_len;
1969 ASSERT_TRUE(SSL_ECH_KEYS_marshal_retry_configs(keys.get(), &ech_config_list,
1970 &ech_config_list_len));
1971 bssl::UniquePtr<uint8_t> free_ech_config_list(ech_config_list);
1972
1973 // ECHConfigList is just the concatenation with a length prefix.
1974 size_t len = ech_config_len + ech_config2_len;
1975 std::vector<uint8_t> expected = {uint8_t(len >> 8), uint8_t(len)};
1976 expected.insert(expected.end(), ech_config, ech_config + ech_config_len);
1977 expected.insert(expected.end(), ech_config2, ech_config2 + ech_config2_len);
1978 EXPECT_EQ(Bytes(expected), Bytes(ech_config_list, ech_config_list_len));
1979 }
1980
TEST(SSLTest,ECHHasDuplicateConfigID)1981 TEST(SSLTest, ECHHasDuplicateConfigID) {
1982 const struct {
1983 std::vector<uint8_t> ids;
1984 bool has_duplicate;
1985 } kTests[] = {
1986 {{}, false},
1987 {{1}, false},
1988 {{1, 2, 3, 255}, false},
1989 {{1, 2, 3, 1}, true},
1990 };
1991 for (const auto &test : kTests) {
1992 bssl::UniquePtr<SSL_ECH_KEYS> keys(SSL_ECH_KEYS_new());
1993 ASSERT_TRUE(keys);
1994 for (const uint8_t id : test.ids) {
1995 bssl::ScopedEVP_HPKE_KEY key;
1996 ASSERT_TRUE(
1997 EVP_HPKE_KEY_generate(key.get(), EVP_hpke_x25519_hkdf_sha256()));
1998 uint8_t *ech_config;
1999 size_t ech_config_len;
2000 ASSERT_TRUE(SSL_marshal_ech_config(&ech_config, &ech_config_len, id,
2001 key.get(), "public.example", 16));
2002 bssl::UniquePtr<uint8_t> free_ech_config(ech_config);
2003 ASSERT_TRUE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
2004 ech_config, ech_config_len, key.get()));
2005 }
2006
2007 EXPECT_EQ(test.has_duplicate ? 1 : 0,
2008 SSL_ECH_KEYS_has_duplicate_config_id(keys.get()));
2009 }
2010 }
2011
2012 // Test that |SSL_ECH_KEYS_add| checks consistency between the public and
2013 // private key.
TEST(SSLTest,ECHKeyConsistency)2014 TEST(SSLTest, ECHKeyConsistency) {
2015 bssl::UniquePtr<SSL_ECH_KEYS> keys(SSL_ECH_KEYS_new());
2016 ASSERT_TRUE(keys);
2017 bssl::ScopedEVP_HPKE_KEY key;
2018 ASSERT_TRUE(EVP_HPKE_KEY_generate(key.get(), EVP_hpke_x25519_hkdf_sha256()));
2019 uint8_t public_key[EVP_HPKE_MAX_PUBLIC_KEY_LENGTH];
2020 size_t public_key_len;
2021 ASSERT_TRUE(EVP_HPKE_KEY_public_key(key.get(), public_key, &public_key_len,
2022 sizeof(public_key)));
2023
2024 // Adding an ECHConfig with the matching public key succeeds.
2025 ECHConfigParams params;
2026 params.key = key.get();
2027 std::vector<uint8_t> ech_config;
2028 ASSERT_TRUE(MakeECHConfig(&ech_config, params));
2029 EXPECT_TRUE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
2030 ech_config.data(), ech_config.size(),
2031 key.get()));
2032
2033 // Adding an ECHConfig with the wrong public key is an error.
2034 bssl::ScopedEVP_HPKE_KEY wrong_key;
2035 ASSERT_TRUE(
2036 EVP_HPKE_KEY_generate(wrong_key.get(), EVP_hpke_x25519_hkdf_sha256()));
2037 EXPECT_FALSE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
2038 ech_config.data(), ech_config.size(),
2039 wrong_key.get()));
2040
2041 // Adding an ECHConfig with a truncated public key is an error.
2042 ECHConfigParams truncated;
2043 truncated.key = key.get();
2044 truncated.public_key.assign(public_key, public_key + public_key_len - 1);
2045 ASSERT_TRUE(MakeECHConfig(&ech_config, truncated));
2046 EXPECT_FALSE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
2047 ech_config.data(), ech_config.size(), key.get()));
2048
2049 // Adding an ECHConfig with the right public key, but wrong KEM ID, is an
2050 // error.
2051 ECHConfigParams wrong_kem;
2052 wrong_kem.key = key.get();
2053 wrong_kem.kem_id = 0x0010; // DHKEM(P-256, HKDF-SHA256)
2054 ASSERT_TRUE(MakeECHConfig(&ech_config, wrong_kem));
2055 EXPECT_FALSE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
2056 ech_config.data(), ech_config.size(),
2057 key.get()));
2058 }
2059
2060 // Test that |SSL_CTX_set1_ech_keys| fails when the config list
2061 // has no retry configs.
TEST(SSLTest,ECHServerConfigsWithoutRetryConfigs)2062 TEST(SSLTest, ECHServerConfigsWithoutRetryConfigs) {
2063 bssl::ScopedEVP_HPKE_KEY key;
2064 ASSERT_TRUE(EVP_HPKE_KEY_generate(key.get(), EVP_hpke_x25519_hkdf_sha256()));
2065 uint8_t *ech_config;
2066 size_t ech_config_len;
2067 ASSERT_TRUE(SSL_marshal_ech_config(&ech_config, &ech_config_len,
2068 /*config_id=*/1, key.get(),
2069 "public.example", 16));
2070 bssl::UniquePtr<uint8_t> free_ech_config(ech_config);
2071
2072 // Install a non-retry config.
2073 bssl::UniquePtr<SSL_ECH_KEYS> keys(SSL_ECH_KEYS_new());
2074 ASSERT_TRUE(keys);
2075 ASSERT_TRUE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/0, ech_config,
2076 ech_config_len, key.get()));
2077
2078 // |keys| has no retry configs.
2079 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
2080 ASSERT_TRUE(ctx);
2081 EXPECT_FALSE(SSL_CTX_set1_ech_keys(ctx.get(), keys.get()));
2082
2083 // Add the same ECHConfig to the list, but this time mark it as a retry
2084 // config.
2085 ASSERT_TRUE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1, ech_config,
2086 ech_config_len, key.get()));
2087 EXPECT_TRUE(SSL_CTX_set1_ech_keys(ctx.get(), keys.get()));
2088 }
2089
2090 // Test that the server APIs reject ECHConfigs with unsupported features.
TEST(SSLTest,UnsupportedECHConfig)2091 TEST(SSLTest, UnsupportedECHConfig) {
2092 bssl::UniquePtr<SSL_ECH_KEYS> keys(SSL_ECH_KEYS_new());
2093 ASSERT_TRUE(keys);
2094 bssl::ScopedEVP_HPKE_KEY key;
2095 ASSERT_TRUE(EVP_HPKE_KEY_generate(key.get(), EVP_hpke_x25519_hkdf_sha256()));
2096
2097 // Unsupported versions are rejected.
2098 ECHConfigParams unsupported_version;
2099 unsupported_version.version = 0xffff;
2100 unsupported_version.key = key.get();
2101 std::vector<uint8_t> ech_config;
2102 ASSERT_TRUE(MakeECHConfig(&ech_config, unsupported_version));
2103 EXPECT_FALSE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
2104 ech_config.data(), ech_config.size(),
2105 key.get()));
2106
2107 // Unsupported cipher suites are rejected. (We only support HKDF-SHA256.)
2108 ECHConfigParams unsupported_kdf;
2109 unsupported_kdf.key = key.get();
2110 unsupported_kdf.cipher_suites = {0x002 /* HKDF-SHA384 */,
2111 EVP_HPKE_AES_128_GCM};
2112 ASSERT_TRUE(MakeECHConfig(&ech_config, unsupported_kdf));
2113 EXPECT_FALSE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
2114 ech_config.data(), ech_config.size(),
2115 key.get()));
2116 ECHConfigParams unsupported_aead;
2117 unsupported_aead.key = key.get();
2118 unsupported_aead.cipher_suites = {EVP_HPKE_HKDF_SHA256, 0xffff};
2119 ASSERT_TRUE(MakeECHConfig(&ech_config, unsupported_aead));
2120 EXPECT_FALSE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
2121 ech_config.data(), ech_config.size(),
2122 key.get()));
2123
2124
2125 // Unsupported extensions are rejected.
2126 ECHConfigParams extensions;
2127 extensions.key = key.get();
2128 extensions.extensions = {0x00, 0x01, 0x00, 0x00};
2129 ASSERT_TRUE(MakeECHConfig(&ech_config, extensions));
2130 EXPECT_FALSE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
2131 ech_config.data(), ech_config.size(),
2132 key.get()));
2133
2134 // Invalid public names are rejected.
2135 ECHConfigParams invalid_public_name;
2136 invalid_public_name.key = key.get();
2137 invalid_public_name.public_name = "dns_names_have_no_underscores.example";
2138 ASSERT_TRUE(MakeECHConfig(&ech_config, invalid_public_name));
2139 EXPECT_FALSE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
2140 ech_config.data(), ech_config.size(),
2141 key.get()));
2142 }
2143
2144 // Test that |SSL_get_client_random| reports the correct value on both client
2145 // and server in ECH. The client sends two different random values. When ECH is
2146 // accepted, we should report the inner one.
TEST(SSLTest,ECHClientRandomsMatch)2147 TEST(SSLTest, ECHClientRandomsMatch) {
2148 bssl::UniquePtr<SSL_CTX> server_ctx =
2149 CreateContextWithTestCertificate(TLS_method());
2150 ASSERT_TRUE(server_ctx);
2151 bssl::UniquePtr<SSL_ECH_KEYS> keys = MakeTestECHKeys();
2152 ASSERT_TRUE(keys);
2153 ASSERT_TRUE(SSL_CTX_set1_ech_keys(server_ctx.get(), keys.get()));
2154
2155 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
2156 ASSERT_TRUE(client_ctx);
2157 bssl::UniquePtr<SSL> client, server;
2158 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
2159 server_ctx.get()));
2160 ASSERT_TRUE(InstallECHConfigList(client.get(), keys.get()));
2161 ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
2162
2163 EXPECT_TRUE(SSL_ech_accepted(client.get()));
2164 EXPECT_TRUE(SSL_ech_accepted(server.get()));
2165
2166 // An ECH server will fairly naturally record the inner ClientHello random,
2167 // but an ECH client may forget to update the random once ClientHelloInner is
2168 // selected.
2169 uint8_t client_random1[SSL3_RANDOM_SIZE];
2170 uint8_t client_random2[SSL3_RANDOM_SIZE];
2171 ASSERT_EQ(sizeof(client_random1),
2172 SSL_get_client_random(client.get(), client_random1,
2173 sizeof(client_random1)));
2174 ASSERT_EQ(sizeof(client_random2),
2175 SSL_get_client_random(server.get(), client_random2,
2176 sizeof(client_random2)));
2177 EXPECT_EQ(Bytes(client_random1), Bytes(client_random2));
2178 }
2179
2180 // GetECHLength sets |*out_client_hello_len| and |*out_ech_len| to the lengths
2181 // of the ClientHello and ECH extension, respectively, when a client created
2182 // from |ctx| constructs a ClientHello with name |name| and an ECHConfig with
2183 // maximum name length |max_name_len|.
GetECHLength(SSL_CTX * ctx,size_t * out_client_hello_len,size_t * out_ech_len,size_t max_name_len,const char * name)2184 static bool GetECHLength(SSL_CTX *ctx, size_t *out_client_hello_len,
2185 size_t *out_ech_len, size_t max_name_len,
2186 const char *name) {
2187 bssl::ScopedEVP_HPKE_KEY key;
2188 uint8_t *ech_config;
2189 size_t ech_config_len;
2190 if (!EVP_HPKE_KEY_generate(key.get(), EVP_hpke_x25519_hkdf_sha256()) ||
2191 !SSL_marshal_ech_config(&ech_config, &ech_config_len,
2192 /*config_id=*/1, key.get(), "public.example",
2193 max_name_len)) {
2194 return false;
2195 }
2196 bssl::UniquePtr<uint8_t> free_ech_config(ech_config);
2197
2198 bssl::UniquePtr<SSL_ECH_KEYS> keys(SSL_ECH_KEYS_new());
2199 if (!keys || !SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1, ech_config,
2200 ech_config_len, key.get())) {
2201 return false;
2202 }
2203
2204 bssl::UniquePtr<SSL> ssl(SSL_new(ctx));
2205 if (!ssl || !InstallECHConfigList(ssl.get(), keys.get()) ||
2206 (name != nullptr && !SSL_set_tlsext_host_name(ssl.get(), name))) {
2207 return false;
2208 }
2209 SSL_set_connect_state(ssl.get());
2210
2211 std::vector<uint8_t> client_hello;
2212 SSL_CLIENT_HELLO parsed;
2213 const uint8_t *unused;
2214 if (!GetClientHello(ssl.get(), &client_hello) ||
2215 !ssl_client_hello_init(
2216 ssl.get(), &parsed,
2217 // Skip record and handshake headers. This assumes the ClientHello
2218 // fits in one record.
2219 MakeConstSpan(client_hello)
2220 .subspan(SSL3_RT_HEADER_LENGTH + SSL3_HM_HEADER_LENGTH)) ||
2221 !SSL_early_callback_ctx_extension_get(
2222 &parsed, TLSEXT_TYPE_encrypted_client_hello, &unused, out_ech_len)) {
2223 return false;
2224 }
2225 *out_client_hello_len = client_hello.size();
2226 return true;
2227 }
2228
TEST(SSLTest,ECHPadding)2229 TEST(SSLTest, ECHPadding) {
2230 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
2231 ASSERT_TRUE(ctx);
2232
2233 // Sample lengths with max_name_len = 128 as baseline.
2234 size_t client_hello_len_baseline, ech_len_baseline;
2235 ASSERT_TRUE(GetECHLength(ctx.get(), &client_hello_len_baseline,
2236 &ech_len_baseline, 128, "example.com"));
2237
2238 // Check that all name lengths under the server's maximum look the same.
2239 for (size_t name_len : {1, 2, 32, 64, 127, 128}) {
2240 SCOPED_TRACE(name_len);
2241 size_t client_hello_len, ech_len;
2242 ASSERT_TRUE(GetECHLength(ctx.get(), &client_hello_len, &ech_len, 128,
2243 std::string(name_len, 'a').c_str()));
2244 EXPECT_EQ(client_hello_len, client_hello_len_baseline);
2245 EXPECT_EQ(ech_len, ech_len_baseline);
2246 }
2247
2248 // When sending no SNI, we must still pad as if we are sending one.
2249 size_t client_hello_len, ech_len;
2250 ASSERT_TRUE(
2251 GetECHLength(ctx.get(), &client_hello_len, &ech_len, 128, nullptr));
2252 EXPECT_EQ(client_hello_len, client_hello_len_baseline);
2253 EXPECT_EQ(ech_len, ech_len_baseline);
2254
2255 // Name lengths above the maximum do not get named-based padding, but the
2256 // overall input is padded to a multiple of 32.
2257 size_t client_hello_len_baseline2, ech_len_baseline2;
2258 ASSERT_TRUE(GetECHLength(ctx.get(), &client_hello_len_baseline2,
2259 &ech_len_baseline2, 128,
2260 std::string(128 + 32, 'a').c_str()));
2261 EXPECT_EQ(ech_len_baseline2, ech_len_baseline + 32);
2262 // The ClientHello lengths may match if we are still under the threshold for
2263 // padding extension.
2264 EXPECT_GE(client_hello_len_baseline2, client_hello_len_baseline);
2265
2266 for (size_t name_len = 128 + 1; name_len < 128 + 32; name_len++) {
2267 SCOPED_TRACE(name_len);
2268 ASSERT_TRUE(GetECHLength(ctx.get(), &client_hello_len, &ech_len, 128,
2269 std::string(name_len, 'a').c_str()));
2270 EXPECT_TRUE(ech_len == ech_len_baseline || ech_len == ech_len_baseline2)
2271 << ech_len;
2272 EXPECT_TRUE(client_hello_len == client_hello_len_baseline ||
2273 client_hello_len == client_hello_len_baseline2)
2274 << client_hello_len;
2275 }
2276 }
2277
TEST(SSLTest,ECHPublicName)2278 TEST(SSLTest, ECHPublicName) {
2279 auto str_to_span = [](const char *str) -> Span<const uint8_t> {
2280 return MakeConstSpan(reinterpret_cast<const uint8_t *>(str), strlen(str));
2281 };
2282
2283 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("")));
2284 EXPECT_TRUE(ssl_is_valid_ech_public_name(str_to_span("example.com")));
2285 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span(".example.com")));
2286 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("example.com.")));
2287 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("example..com")));
2288 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("www.-example.com")));
2289 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("www.example-.com")));
2290 EXPECT_FALSE(
2291 ssl_is_valid_ech_public_name(str_to_span("no_underscores.example")));
2292 EXPECT_FALSE(ssl_is_valid_ech_public_name(
2293 str_to_span("invalid_chars.\x01.example")));
2294 EXPECT_FALSE(ssl_is_valid_ech_public_name(
2295 str_to_span("invalid_chars.\xff.example")));
2296 static const uint8_t kWithNUL[] = {'t', 'e', 's', 't', 0};
2297 EXPECT_FALSE(ssl_is_valid_ech_public_name(kWithNUL));
2298
2299 // Test an LDH label with every character and the maximum length.
2300 EXPECT_TRUE(ssl_is_valid_ech_public_name(str_to_span(
2301 "abcdefhijklmnopqrstuvwxyz-ABCDEFGHIJKLMNOPQRSTUVWXYZ-0123456789")));
2302 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span(
2303 "abcdefhijklmnopqrstuvwxyz-ABCDEFGHIJKLMNOPQRSTUVWXYZ-01234567899")));
2304
2305 // Inputs with trailing numeric components are rejected.
2306 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("127.0.0.1")));
2307 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("example.1")));
2308 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("example.01")));
2309 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("example.0x01")));
2310 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("example.0X01")));
2311 // Leading zeros and values that overflow |uint32_t| are still rejected.
2312 EXPECT_FALSE(ssl_is_valid_ech_public_name(
2313 str_to_span("example.123456789000000000000000")));
2314 EXPECT_FALSE(ssl_is_valid_ech_public_name(
2315 str_to_span("example.012345678900000000000000")));
2316 EXPECT_FALSE(ssl_is_valid_ech_public_name(
2317 str_to_span("example.0x123456789abcdefABCDEF0")));
2318 EXPECT_FALSE(ssl_is_valid_ech_public_name(
2319 str_to_span("example.0x0123456789abcdefABCDEF")));
2320 // Adding a non-digit or non-hex character makes it a valid DNS name again.
2321 // Single-component numbers are rejected.
2322 EXPECT_TRUE(ssl_is_valid_ech_public_name(
2323 str_to_span("example.1234567890a")));
2324 EXPECT_TRUE(ssl_is_valid_ech_public_name(
2325 str_to_span("example.01234567890a")));
2326 EXPECT_TRUE(ssl_is_valid_ech_public_name(
2327 str_to_span("example.0x123456789abcdefg")));
2328 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("1")));
2329 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("01")));
2330 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("0x01")));
2331 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("0X01")));
2332 // Numbers with trailing dots are rejected. (They are already rejected by the
2333 // LDH label rules, but the WHATWG URL parser additionally rejects them.)
2334 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("1.")));
2335 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("01.")));
2336 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("0x01.")));
2337 EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("0X01.")));
2338 }
2339
2340 // When using the built-in verifier, test that |SSL_get0_ech_name_override| is
2341 // applied automatically.
TEST(SSLTest,ECHBuiltinVerifier)2342 TEST(SSLTest, ECHBuiltinVerifier) {
2343 // These test certificates generated with the following Go program.
2344 /* clang-format off
2345 func main() {
2346 notBefore := time.Date(2000, time.January, 1, 0, 0, 0, 0, time.UTC)
2347 notAfter := time.Date(2099, time.January, 1, 0, 0, 0, 0, time.UTC)
2348 rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
2349 rootTemplate := &x509.Certificate{
2350 SerialNumber: big.NewInt(1),
2351 Subject: pkix.Name{CommonName: "Test CA"},
2352 NotBefore: notBefore,
2353 NotAfter: notAfter,
2354 BasicConstraintsValid: true,
2355 IsCA: true,
2356 }
2357 rootDER, _ := x509.CreateCertificate(rand.Reader, rootTemplate, rootTemplate, &rootKey.PublicKey, rootKey)
2358 root, _ := x509.ParseCertificate(rootDER)
2359 pem.Encode(os.Stdout, &pem.Block{Type: "CERTIFICATE", Bytes: rootDER})
2360 leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
2361 leafKeyDER, _ := x509.MarshalPKCS8PrivateKey(leafKey)
2362 pem.Encode(os.Stdout, &pem.Block{Type: "PRIVATE KEY", Bytes: leafKeyDER})
2363 for i, name := range []string{"public.example", "secret.example"} {
2364 leafTemplate := &x509.Certificate{
2365 SerialNumber: big.NewInt(int64(i) + 2),
2366 Subject: pkix.Name{CommonName: name},
2367 NotBefore: notBefore,
2368 NotAfter: notAfter,
2369 BasicConstraintsValid: true,
2370 DNSNames: []string{name},
2371 }
2372 leafDER, _ := x509.CreateCertificate(rand.Reader, leafTemplate, root, &leafKey.PublicKey, rootKey)
2373 pem.Encode(os.Stdout, &pem.Block{Type: "CERTIFICATE", Bytes: leafDER})
2374 }
2375 }
2376 clang-format on */
2377 bssl::UniquePtr<X509> root = CertFromPEM(R"(
2378 -----BEGIN CERTIFICATE-----
2379 MIIBRzCB7aADAgECAgEBMAoGCCqGSM49BAMCMBIxEDAOBgNVBAMTB1Rlc3QgQ0Ew
2380 IBcNMDAwMTAxMDAwMDAwWhgPMjA5OTAxMDEwMDAwMDBaMBIxEDAOBgNVBAMTB1Rl
2381 c3QgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAT5JUjrI1DAxSpEl88UkmJw
2382 tAJqxo/YrSFo9V3MkcNkfTixi5p6MUtO8DazhEgekBcd2+tBAWtl7dy0qpvTqx92
2383 ozIwMDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTw6ftkexAI6o4r5FntJIfL
2384 GU5F4zAKBggqhkjOPQQDAgNJADBGAiEAiiNowddQeHZaZFIygwe6RW5/WG4sUXWC
2385 dkyl9CQzRaYCIQCFS1EvwZbZtMny27fYm1eeYciY0TkJTEi34H1KwyzzIA==
2386 -----END CERTIFICATE-----
2387 )");
2388 ASSERT_TRUE(root);
2389 bssl::UniquePtr<EVP_PKEY> leaf_key = KeyFromPEM(R"(
2390 -----BEGIN PRIVATE KEY-----
2391 MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgj5WKHwHnziiyPauf
2392 7QukxTwtTyGZkk8qNdms4puJfxqhRANCAARNrkhxabALDlJrHtvkuDwvCWUF/oVC
2393 hr6PDITHi1lDlJzvVT4aXBH87sH2n2UV5zpx13NHkq1bIC8eRT8eOIe0
2394 -----END PRIVATE KEY-----
2395 )");
2396 ASSERT_TRUE(leaf_key);
2397 bssl::UniquePtr<X509> leaf_public = CertFromPEM(R"(
2398 -----BEGIN CERTIFICATE-----
2399 MIIBaDCCAQ6gAwIBAgIBAjAKBggqhkjOPQQDAjASMRAwDgYDVQQDEwdUZXN0IENB
2400 MCAXDTAwMDEwMTAwMDAwMFoYDzIwOTkwMTAxMDAwMDAwWjAZMRcwFQYDVQQDEw5w
2401 dWJsaWMuZXhhbXBsZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE2uSHFpsAsO
2402 Umse2+S4PC8JZQX+hUKGvo8MhMeLWUOUnO9VPhpcEfzuwfafZRXnOnHXc0eSrVsg
2403 Lx5FPx44h7SjTDBKMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAU8On7ZHsQCOqO
2404 K+RZ7SSHyxlOReMwGQYDVR0RBBIwEIIOcHVibGljLmV4YW1wbGUwCgYIKoZIzj0E
2405 AwIDSAAwRQIhANqZRhDR/+QL05hsWXMYEwaiHifd9iakKoFEhKFchcF3AiBRAeXw
2406 wRGGT6+iPmTYM6N5/IDyAb5B9Ke38O6lLEsUwA==
2407 -----END CERTIFICATE-----
2408 )");
2409 ASSERT_TRUE(leaf_public);
2410 bssl::UniquePtr<X509> leaf_secret = CertFromPEM(R"(
2411 -----BEGIN CERTIFICATE-----
2412 MIIBaTCCAQ6gAwIBAgIBAzAKBggqhkjOPQQDAjASMRAwDgYDVQQDEwdUZXN0IENB
2413 MCAXDTAwMDEwMTAwMDAwMFoYDzIwOTkwMTAxMDAwMDAwWjAZMRcwFQYDVQQDEw5z
2414 ZWNyZXQuZXhhbXBsZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE2uSHFpsAsO
2415 Umse2+S4PC8JZQX+hUKGvo8MhMeLWUOUnO9VPhpcEfzuwfafZRXnOnHXc0eSrVsg
2416 Lx5FPx44h7SjTDBKMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAU8On7ZHsQCOqO
2417 K+RZ7SSHyxlOReMwGQYDVR0RBBIwEIIOc2VjcmV0LmV4YW1wbGUwCgYIKoZIzj0E
2418 AwIDSQAwRgIhAPQdIz1xCFkc9WuSkxOxJDpywZiEp9SnKcxJ9nwrlRp3AiEA+O3+
2419 XRqE7XFhHL+7TNC2a9OOAjQsEF137YPWo+rhgko=
2420 -----END CERTIFICATE-----
2421 )");
2422 ASSERT_TRUE(leaf_secret);
2423
2424 // Use different config IDs so that fuzzer mode, which breaks trial
2425 // decryption, will observe the key mismatch.
2426 bssl::UniquePtr<SSL_ECH_KEYS> keys = MakeTestECHKeys(/*config_id=*/1);
2427 ASSERT_TRUE(keys);
2428 bssl::UniquePtr<SSL_ECH_KEYS> wrong_keys = MakeTestECHKeys(/*config_id=*/2);
2429 ASSERT_TRUE(wrong_keys);
2430 bssl::UniquePtr<SSL_CTX> server_ctx =
2431 CreateContextWithTestCertificate(TLS_method());
2432 ASSERT_TRUE(server_ctx);
2433 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
2434 ASSERT_TRUE(client_ctx);
2435
2436 // Configure the client to verify certificates and expect the secret name.
2437 // This is the name the client is trying to connect to. If ECH is rejected,
2438 // BoringSSL will internally override this setting with the public name.
2439 bssl::UniquePtr<X509_STORE> store(X509_STORE_new());
2440 ASSERT_TRUE(store);
2441 ASSERT_TRUE(X509_STORE_add_cert(store.get(), root.get()));
2442 SSL_CTX_set_cert_store(client_ctx.get(), store.release());
2443 SSL_CTX_set_verify(client_ctx.get(), SSL_VERIFY_PEER, nullptr);
2444 X509_VERIFY_PARAM_set_flags(SSL_CTX_get0_param(client_ctx.get()),
2445 X509_V_FLAG_NO_CHECK_TIME);
2446 static const char kSecretName[] = "secret.example";
2447 ASSERT_TRUE(X509_VERIFY_PARAM_set1_host(SSL_CTX_get0_param(client_ctx.get()),
2448 kSecretName, strlen(kSecretName)));
2449
2450 // For simplicity, we only run through a pair of representative scenarios here
2451 // and rely on runner.go to verify that |SSL_get0_ech_name_override| behaves
2452 // correctly.
2453 for (bool accept_ech : {false, true}) {
2454 SCOPED_TRACE(accept_ech);
2455 for (bool use_leaf_secret : {false, true}) {
2456 SCOPED_TRACE(use_leaf_secret);
2457
2458 // The server will reject ECH when configured with the wrong keys.
2459 ASSERT_TRUE(SSL_CTX_set1_ech_keys(
2460 server_ctx.get(), accept_ech ? keys.get() : wrong_keys.get()));
2461
2462 bssl::UniquePtr<SSL> client, server;
2463 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
2464 server_ctx.get()));
2465 ASSERT_TRUE(InstallECHConfigList(client.get(), keys.get()));
2466
2467 // Configure the server with the selected certificate.
2468 ASSERT_TRUE(SSL_use_certificate(server.get(), use_leaf_secret
2469 ? leaf_secret.get()
2470 : leaf_public.get()));
2471 ASSERT_TRUE(SSL_use_PrivateKey(server.get(), leaf_key.get()));
2472
2473 // The handshake may fail due to name mismatch or ECH reject. We check
2474 // |SSL_get_verify_result| to confirm the handshake got far enough.
2475 CompleteHandshakes(client.get(), server.get());
2476 EXPECT_EQ(accept_ech == use_leaf_secret ? X509_V_OK
2477 : X509_V_ERR_HOSTNAME_MISMATCH,
2478 SSL_get_verify_result(client.get()));
2479 }
2480 }
2481 }
2482
2483 #if defined(OPENSSL_THREADS)
2484 // Test that the server ECH config can be swapped out while the |SSL_CTX| is
2485 // in use on other threads. This test is intended to be run with TSan.
TEST(SSLTest,ECHThreads)2486 TEST(SSLTest, ECHThreads) {
2487 // Generate a pair of ECHConfigs.
2488 bssl::ScopedEVP_HPKE_KEY key1;
2489 ASSERT_TRUE(EVP_HPKE_KEY_generate(key1.get(), EVP_hpke_x25519_hkdf_sha256()));
2490 uint8_t *ech_config1;
2491 size_t ech_config1_len;
2492 ASSERT_TRUE(SSL_marshal_ech_config(&ech_config1, &ech_config1_len,
2493 /*config_id=*/1, key1.get(),
2494 "public.example", 16));
2495 bssl::UniquePtr<uint8_t> free_ech_config1(ech_config1);
2496 bssl::ScopedEVP_HPKE_KEY key2;
2497 ASSERT_TRUE(EVP_HPKE_KEY_generate(key2.get(), EVP_hpke_x25519_hkdf_sha256()));
2498 uint8_t *ech_config2;
2499 size_t ech_config2_len;
2500 ASSERT_TRUE(SSL_marshal_ech_config(&ech_config2, &ech_config2_len,
2501 /*config_id=*/2, key2.get(),
2502 "public.example", 16));
2503 bssl::UniquePtr<uint8_t> free_ech_config2(ech_config2);
2504
2505 // |keys1| contains the first config. |keys12| contains both.
2506 bssl::UniquePtr<SSL_ECH_KEYS> keys1(SSL_ECH_KEYS_new());
2507 ASSERT_TRUE(keys1);
2508 ASSERT_TRUE(SSL_ECH_KEYS_add(keys1.get(), /*is_retry_config=*/1, ech_config1,
2509 ech_config1_len, key1.get()));
2510 bssl::UniquePtr<SSL_ECH_KEYS> keys12(SSL_ECH_KEYS_new());
2511 ASSERT_TRUE(keys12);
2512 ASSERT_TRUE(SSL_ECH_KEYS_add(keys12.get(), /*is_retry_config=*/1, ech_config2,
2513 ech_config2_len, key2.get()));
2514 ASSERT_TRUE(SSL_ECH_KEYS_add(keys12.get(), /*is_retry_config=*/0, ech_config1,
2515 ech_config1_len, key1.get()));
2516
2517 bssl::UniquePtr<SSL_CTX> server_ctx =
2518 CreateContextWithTestCertificate(TLS_method());
2519 ASSERT_TRUE(server_ctx);
2520 ASSERT_TRUE(SSL_CTX_set1_ech_keys(server_ctx.get(), keys1.get()));
2521
2522 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
2523 ASSERT_TRUE(client_ctx);
2524 bssl::UniquePtr<SSL> client, server;
2525 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
2526 server_ctx.get()));
2527 ASSERT_TRUE(InstallECHConfigList(client.get(), keys1.get()));
2528
2529 // In parallel, complete the connection and reconfigure the ECHConfig. Note
2530 // |keys12| supports all the keys in |keys1|, so the handshake should complete
2531 // the same whichever the server uses.
2532 std::vector<std::thread> threads;
2533 threads.emplace_back([&] {
2534 ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
2535 EXPECT_TRUE(SSL_ech_accepted(client.get()));
2536 EXPECT_TRUE(SSL_ech_accepted(server.get()));
2537 });
2538 threads.emplace_back([&] {
2539 EXPECT_TRUE(SSL_CTX_set1_ech_keys(server_ctx.get(), keys12.get()));
2540 });
2541 for (auto &thread : threads) {
2542 thread.join();
2543 }
2544 }
2545 #endif // OPENSSL_THREADS
2546
TEST(SSLTest,TLS13ExporterAvailability)2547 TEST(SSLTest, TLS13ExporterAvailability) {
2548 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
2549 bssl::UniquePtr<SSL_CTX> server_ctx =
2550 CreateContextWithTestCertificate(TLS_method());
2551 ASSERT_TRUE(client_ctx);
2552 ASSERT_TRUE(server_ctx);
2553 // Configure only TLS 1.3.
2554 ASSERT_TRUE(SSL_CTX_set_min_proto_version(client_ctx.get(), TLS1_3_VERSION));
2555 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION));
2556
2557 bssl::UniquePtr<SSL> client, server;
2558 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
2559 server_ctx.get()));
2560
2561 std::vector<uint8_t> buffer(32);
2562 const char *label = "EXPORTER-test-label";
2563
2564 // The exporters are not available before the handshake starts.
2565 EXPECT_FALSE(SSL_export_keying_material(client.get(), buffer.data(),
2566 buffer.size(), label, strlen(label),
2567 nullptr, 0, 0));
2568 EXPECT_FALSE(SSL_export_keying_material(server.get(), buffer.data(),
2569 buffer.size(), label, strlen(label),
2570 nullptr, 0, 0));
2571
2572 // Send the client's first flight of handshake messages.
2573 int client_ret = SSL_do_handshake(client.get());
2574 EXPECT_EQ(SSL_get_error(client.get(), client_ret), SSL_ERROR_WANT_READ);
2575
2576 // The handshake isn't far enough for the exporters to work.
2577 EXPECT_FALSE(SSL_export_keying_material(client.get(), buffer.data(),
2578 buffer.size(), label, strlen(label),
2579 nullptr, 0, 0));
2580 EXPECT_FALSE(SSL_export_keying_material(server.get(), buffer.data(),
2581 buffer.size(), label, strlen(label),
2582 nullptr, 0, 0));
2583
2584 // Send all the server's handshake messages.
2585 int server_ret = SSL_do_handshake(server.get());
2586 EXPECT_EQ(SSL_get_error(server.get(), server_ret), SSL_ERROR_WANT_READ);
2587
2588 // At this point in the handshake, the server should have the exporter key
2589 // derived since it's sent its Finished message. The client hasn't yet
2590 // processed the server's handshake messages, so the exporter shouldn't be
2591 // available to the client.
2592 EXPECT_FALSE(SSL_export_keying_material(client.get(), buffer.data(),
2593 buffer.size(), label, strlen(label),
2594 nullptr, 0, 0));
2595 EXPECT_TRUE(SSL_export_keying_material(server.get(), buffer.data(),
2596 buffer.size(), label, strlen(label),
2597 nullptr, 0, 0));
2598
2599 // Finish the handshake on the client.
2600 EXPECT_EQ(SSL_do_handshake(client.get()), 1);
2601
2602 // The exporter should be available on both endpoints.
2603 EXPECT_TRUE(SSL_export_keying_material(client.get(), buffer.data(),
2604 buffer.size(), label, strlen(label),
2605 nullptr, 0, 0));
2606 EXPECT_TRUE(SSL_export_keying_material(server.get(), buffer.data(),
2607 buffer.size(), label, strlen(label),
2608 nullptr, 0, 0));
2609
2610 // Finish the handshake on the server.
2611 EXPECT_EQ(SSL_do_handshake(server.get()), 1);
2612
2613 // The exporter should still be available on both endpoints.
2614 EXPECT_TRUE(SSL_export_keying_material(client.get(), buffer.data(),
2615 buffer.size(), label, strlen(label),
2616 nullptr, 0, 0));
2617 EXPECT_TRUE(SSL_export_keying_material(server.get(), buffer.data(),
2618 buffer.size(), label, strlen(label),
2619 nullptr, 0, 0));
2620 }
2621
AppendSession(SSL_SESSION * session,void * arg)2622 static void AppendSession(SSL_SESSION *session, void *arg) {
2623 std::vector<SSL_SESSION*> *out =
2624 reinterpret_cast<std::vector<SSL_SESSION*>*>(arg);
2625 out->push_back(session);
2626 }
2627
2628 // CacheEquals returns true if |ctx|'s session cache consists of |expected|, in
2629 // order.
CacheEquals(SSL_CTX * ctx,const std::vector<SSL_SESSION * > & expected)2630 static bool CacheEquals(SSL_CTX *ctx,
2631 const std::vector<SSL_SESSION*> &expected) {
2632 // Check the linked list.
2633 SSL_SESSION *ptr = ctx->session_cache_head;
2634 for (SSL_SESSION *session : expected) {
2635 if (ptr != session) {
2636 return false;
2637 }
2638 // TODO(davidben): This is an absurd way to denote the end of the list.
2639 if (ptr->next ==
2640 reinterpret_cast<SSL_SESSION *>(&ctx->session_cache_tail)) {
2641 ptr = nullptr;
2642 } else {
2643 ptr = ptr->next;
2644 }
2645 }
2646 if (ptr != nullptr) {
2647 return false;
2648 }
2649
2650 // Check the hash table.
2651 std::vector<SSL_SESSION*> actual, expected_copy;
2652 lh_SSL_SESSION_doall_arg(ctx->sessions, AppendSession, &actual);
2653 expected_copy = expected;
2654
2655 std::sort(actual.begin(), actual.end());
2656 std::sort(expected_copy.begin(), expected_copy.end());
2657
2658 return actual == expected_copy;
2659 }
2660
CreateTestSession(uint32_t number)2661 static bssl::UniquePtr<SSL_SESSION> CreateTestSession(uint32_t number) {
2662 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
2663 if (!ssl_ctx) {
2664 return nullptr;
2665 }
2666 bssl::UniquePtr<SSL_SESSION> ret(SSL_SESSION_new(ssl_ctx.get()));
2667 if (!ret) {
2668 return nullptr;
2669 }
2670
2671 uint8_t id[SSL3_SSL_SESSION_ID_LENGTH] = {0};
2672 OPENSSL_memcpy(id, &number, sizeof(number));
2673 if (!SSL_SESSION_set1_id(ret.get(), id, sizeof(id))) {
2674 return nullptr;
2675 }
2676 return ret;
2677 }
2678
2679 // Test that the internal session cache behaves as expected.
TEST(SSLTest,InternalSessionCache)2680 TEST(SSLTest, InternalSessionCache) {
2681 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
2682 ASSERT_TRUE(ctx);
2683
2684 // Prepare 10 test sessions.
2685 std::vector<bssl::UniquePtr<SSL_SESSION>> sessions;
2686 for (int i = 0; i < 10; i++) {
2687 bssl::UniquePtr<SSL_SESSION> session = CreateTestSession(i);
2688 ASSERT_TRUE(session);
2689 sessions.push_back(std::move(session));
2690 }
2691
2692 SSL_CTX_sess_set_cache_size(ctx.get(), 5);
2693
2694 // Insert all the test sessions.
2695 for (const auto &session : sessions) {
2696 ASSERT_TRUE(SSL_CTX_add_session(ctx.get(), session.get()));
2697 }
2698
2699 // Only the last five should be in the list.
2700 ASSERT_TRUE(CacheEquals(
2701 ctx.get(), {sessions[9].get(), sessions[8].get(), sessions[7].get(),
2702 sessions[6].get(), sessions[5].get()}));
2703
2704 // Inserting an element already in the cache should fail and leave the cache
2705 // unchanged.
2706 ASSERT_FALSE(SSL_CTX_add_session(ctx.get(), sessions[7].get()));
2707 ASSERT_TRUE(CacheEquals(
2708 ctx.get(), {sessions[9].get(), sessions[8].get(), sessions[7].get(),
2709 sessions[6].get(), sessions[5].get()}));
2710
2711 // Although collisions should be impossible (256-bit session IDs), the cache
2712 // must handle them gracefully.
2713 bssl::UniquePtr<SSL_SESSION> collision(CreateTestSession(7));
2714 ASSERT_TRUE(collision);
2715 ASSERT_TRUE(SSL_CTX_add_session(ctx.get(), collision.get()));
2716 ASSERT_TRUE(CacheEquals(
2717 ctx.get(), {collision.get(), sessions[9].get(), sessions[8].get(),
2718 sessions[6].get(), sessions[5].get()}));
2719
2720 // Removing sessions behaves correctly.
2721 ASSERT_TRUE(SSL_CTX_remove_session(ctx.get(), sessions[6].get()));
2722 ASSERT_TRUE(CacheEquals(ctx.get(), {collision.get(), sessions[9].get(),
2723 sessions[8].get(), sessions[5].get()}));
2724
2725 // Removing sessions requires an exact match.
2726 ASSERT_FALSE(SSL_CTX_remove_session(ctx.get(), sessions[0].get()));
2727 ASSERT_FALSE(SSL_CTX_remove_session(ctx.get(), sessions[7].get()));
2728
2729 // The cache remains unchanged.
2730 ASSERT_TRUE(CacheEquals(ctx.get(), {collision.get(), sessions[9].get(),
2731 sessions[8].get(), sessions[5].get()}));
2732 }
2733
EpochFromSequence(uint64_t seq)2734 static uint16_t EpochFromSequence(uint64_t seq) {
2735 return static_cast<uint16_t>(seq >> 48);
2736 }
2737
2738 static const uint8_t kTestName[] = {
2739 0x30, 0x45, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
2740 0x02, 0x41, 0x55, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
2741 0x0c, 0x0a, 0x53, 0x6f, 0x6d, 0x65, 0x2d, 0x53, 0x74, 0x61, 0x74, 0x65,
2742 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x18, 0x49,
2743 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x20, 0x57, 0x69, 0x64, 0x67,
2744 0x69, 0x74, 0x73, 0x20, 0x50, 0x74, 0x79, 0x20, 0x4c, 0x74, 0x64,
2745 };
2746
2747 // SSLVersionTest executes its test cases under all available protocol versions.
2748 // Test cases call |Connect| to create a connection using context objects with
2749 // the protocol version fixed to the current version under test.
2750 class SSLVersionTest : public ::testing::TestWithParam<VersionParam> {
2751 protected:
SSLVersionTest()2752 SSLVersionTest() : cert_(GetTestCertificate()), key_(GetTestKey()) {}
2753
SetUp()2754 void SetUp() { ResetContexts(); }
2755
CreateContext() const2756 bssl::UniquePtr<SSL_CTX> CreateContext() const {
2757 const SSL_METHOD *method = is_dtls() ? DTLS_method() : TLS_method();
2758 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method));
2759 if (!ctx || !SSL_CTX_set_min_proto_version(ctx.get(), version()) ||
2760 !SSL_CTX_set_max_proto_version(ctx.get(), version())) {
2761 return nullptr;
2762 }
2763 return ctx;
2764 }
2765
ResetContexts()2766 void ResetContexts() {
2767 ASSERT_TRUE(cert_);
2768 ASSERT_TRUE(key_);
2769 client_ctx_ = CreateContext();
2770 ASSERT_TRUE(client_ctx_);
2771 server_ctx_ = CreateContext();
2772 ASSERT_TRUE(server_ctx_);
2773 // Set up a server cert. Client certs can be set up explicitly.
2774 ASSERT_TRUE(UseCertAndKey(server_ctx_.get()));
2775 }
2776
UseCertAndKey(SSL_CTX * ctx) const2777 bool UseCertAndKey(SSL_CTX *ctx) const {
2778 return SSL_CTX_use_certificate(ctx, cert_.get()) &&
2779 SSL_CTX_use_PrivateKey(ctx, key_.get());
2780 }
2781
Connect(const ClientConfig & config=ClientConfig ())2782 bool Connect(const ClientConfig &config = ClientConfig()) {
2783 return ConnectClientAndServer(&client_, &server_, client_ctx_.get(),
2784 server_ctx_.get(), config,
2785 shed_handshake_config_);
2786 }
2787
version() const2788 uint16_t version() const { return GetParam().version; }
2789
is_dtls() const2790 bool is_dtls() const {
2791 return GetParam().ssl_method == VersionParam::is_dtls;
2792 }
2793
2794 bool shed_handshake_config_ = true;
2795 bssl::UniquePtr<SSL> client_, server_;
2796 bssl::UniquePtr<SSL_CTX> server_ctx_, client_ctx_;
2797 bssl::UniquePtr<X509> cert_;
2798 bssl::UniquePtr<EVP_PKEY> key_;
2799 };
2800
2801 INSTANTIATE_TEST_SUITE_P(WithVersion, SSLVersionTest,
2802 testing::ValuesIn(kAllVersions),
__anon018734c60a02(const testing::TestParamInfo<VersionParam> &i) 2803 [](const testing::TestParamInfo<VersionParam> &i) {
2804 return i.param.name;
2805 });
2806
TEST_P(SSLVersionTest,SequenceNumber)2807 TEST_P(SSLVersionTest, SequenceNumber) {
2808 ASSERT_TRUE(Connect());
2809
2810 // Drain any post-handshake messages to ensure there are no unread records
2811 // on either end.
2812 ASSERT_TRUE(FlushNewSessionTickets(client_.get(), server_.get()));
2813
2814 uint64_t client_read_seq = SSL_get_read_sequence(client_.get());
2815 uint64_t client_write_seq = SSL_get_write_sequence(client_.get());
2816 uint64_t server_read_seq = SSL_get_read_sequence(server_.get());
2817 uint64_t server_write_seq = SSL_get_write_sequence(server_.get());
2818
2819 if (is_dtls()) {
2820 // Both client and server must be at epoch 1.
2821 EXPECT_EQ(EpochFromSequence(client_read_seq), 1);
2822 EXPECT_EQ(EpochFromSequence(client_write_seq), 1);
2823 EXPECT_EQ(EpochFromSequence(server_read_seq), 1);
2824 EXPECT_EQ(EpochFromSequence(server_write_seq), 1);
2825
2826 // The next record to be written should exceed the largest received.
2827 EXPECT_GT(client_write_seq, server_read_seq);
2828 EXPECT_GT(server_write_seq, client_read_seq);
2829 } else {
2830 // The next record to be written should equal the next to be received.
2831 EXPECT_EQ(client_write_seq, server_read_seq);
2832 EXPECT_EQ(server_write_seq, client_read_seq);
2833 }
2834
2835 // Send a record from client to server.
2836 uint8_t byte = 0;
2837 EXPECT_EQ(SSL_write(client_.get(), &byte, 1), 1);
2838 EXPECT_EQ(SSL_read(server_.get(), &byte, 1), 1);
2839
2840 // The client write and server read sequence numbers should have
2841 // incremented.
2842 EXPECT_EQ(client_write_seq + 1, SSL_get_write_sequence(client_.get()));
2843 EXPECT_EQ(server_read_seq + 1, SSL_get_read_sequence(server_.get()));
2844 }
2845
TEST_P(SSLVersionTest,OneSidedShutdown)2846 TEST_P(SSLVersionTest, OneSidedShutdown) {
2847 // SSL_shutdown is a no-op in DTLS.
2848 if (is_dtls()) {
2849 return;
2850 }
2851 ASSERT_TRUE(Connect());
2852
2853 // Shut down half the connection. |SSL_shutdown| will return 0 to signal only
2854 // one side has shut down.
2855 ASSERT_EQ(SSL_shutdown(client_.get()), 0);
2856
2857 // Reading from the server should consume the EOF.
2858 uint8_t byte;
2859 ASSERT_EQ(SSL_read(server_.get(), &byte, 1), 0);
2860 ASSERT_EQ(SSL_get_error(server_.get(), 0), SSL_ERROR_ZERO_RETURN);
2861
2862 // However, the server may continue to write data and then shut down the
2863 // connection.
2864 byte = 42;
2865 ASSERT_EQ(SSL_write(server_.get(), &byte, 1), 1);
2866 ASSERT_EQ(SSL_read(client_.get(), &byte, 1), 1);
2867 ASSERT_EQ(byte, 42);
2868
2869 // The server may then shutdown the connection.
2870 EXPECT_EQ(SSL_shutdown(server_.get()), 1);
2871 EXPECT_EQ(SSL_shutdown(client_.get()), 1);
2872 }
2873
2874 // Test that, after calling |SSL_shutdown|, |SSL_write| fails.
TEST_P(SSLVersionTest,WriteAfterShutdown)2875 TEST_P(SSLVersionTest, WriteAfterShutdown) {
2876 ASSERT_TRUE(Connect());
2877
2878 for (SSL *ssl : {client_.get(), server_.get()}) {
2879 SCOPED_TRACE(SSL_is_server(ssl) ? "server" : "client");
2880
2881 bssl::UniquePtr<BIO> mem(BIO_new(BIO_s_mem()));
2882 ASSERT_TRUE(mem);
2883 SSL_set0_wbio(ssl, bssl::UpRef(mem).release());
2884
2885 // Shut down half the connection. |SSL_shutdown| will return 0 to signal
2886 // only one side has shut down.
2887 ASSERT_EQ(SSL_shutdown(ssl), 0);
2888
2889 // |ssl| should have written an alert to the transport.
2890 const uint8_t *unused;
2891 size_t len;
2892 ASSERT_TRUE(BIO_mem_contents(mem.get(), &unused, &len));
2893 EXPECT_NE(0u, len);
2894 EXPECT_TRUE(BIO_reset(mem.get()));
2895
2896 // Writing should fail.
2897 EXPECT_EQ(-1, SSL_write(ssl, "a", 1));
2898
2899 // Nothing should be written to the transport.
2900 ASSERT_TRUE(BIO_mem_contents(mem.get(), &unused, &len));
2901 EXPECT_EQ(0u, len);
2902 }
2903 }
2904
2905 // Test that, after sending a fatal alert in a failed |SSL_read|, |SSL_write|
2906 // fails.
TEST_P(SSLVersionTest,WriteAfterReadSentFatalAlert)2907 TEST_P(SSLVersionTest, WriteAfterReadSentFatalAlert) {
2908 // Decryption failures are not fatal in DTLS.
2909 if (is_dtls()) {
2910 return;
2911 }
2912
2913 ASSERT_TRUE(Connect());
2914
2915 // Save the write |BIO|s as the test will overwrite them.
2916 bssl::UniquePtr<BIO> client_wbio = bssl::UpRef(SSL_get_wbio(client_.get()));
2917 bssl::UniquePtr<BIO> server_wbio = bssl::UpRef(SSL_get_wbio(server_.get()));
2918
2919 for (bool test_server : {false, true}) {
2920 SCOPED_TRACE(test_server ? "server" : "client");
2921 SSL *ssl = test_server ? server_.get() : client_.get();
2922 BIO *other_wbio = test_server ? client_wbio.get() : server_wbio.get();
2923
2924 bssl::UniquePtr<BIO> mem(BIO_new(BIO_s_mem()));
2925 ASSERT_TRUE(mem);
2926 SSL_set0_wbio(ssl, bssl::UpRef(mem).release());
2927
2928 // Read an invalid record from the peer.
2929 static const uint8_t kInvalidRecord[] = "invalid record";
2930 EXPECT_EQ(int{sizeof(kInvalidRecord)},
2931 BIO_write(other_wbio, kInvalidRecord, sizeof(kInvalidRecord)));
2932 char buf[256];
2933 EXPECT_EQ(-1, SSL_read(ssl, buf, sizeof(buf)));
2934
2935 // |ssl| should have written an alert to the transport.
2936 const uint8_t *unused;
2937 size_t len;
2938 ASSERT_TRUE(BIO_mem_contents(mem.get(), &unused, &len));
2939 EXPECT_NE(0u, len);
2940 EXPECT_TRUE(BIO_reset(mem.get()));
2941
2942 // Writing should fail.
2943 EXPECT_EQ(-1, SSL_write(ssl, "a", 1));
2944
2945 // Nothing should be written to the transport.
2946 ASSERT_TRUE(BIO_mem_contents(mem.get(), &unused, &len));
2947 EXPECT_EQ(0u, len);
2948 }
2949 }
2950
2951 // Test that, after sending a fatal alert from the handshake, |SSL_write| fails.
TEST_P(SSLVersionTest,WriteAfterHandshakeSentFatalAlert)2952 TEST_P(SSLVersionTest, WriteAfterHandshakeSentFatalAlert) {
2953 for (bool test_server : {false, true}) {
2954 SCOPED_TRACE(test_server ? "server" : "client");
2955
2956 bssl::UniquePtr<SSL> ssl(
2957 SSL_new(test_server ? server_ctx_.get() : client_ctx_.get()));
2958 ASSERT_TRUE(ssl);
2959 if (test_server) {
2960 SSL_set_accept_state(ssl.get());
2961 } else {
2962 SSL_set_connect_state(ssl.get());
2963 }
2964
2965 std::vector<uint8_t> invalid;
2966 if (is_dtls()) {
2967 // In DTLS, invalid records are discarded. To cause the handshake to fail,
2968 // use a valid handshake record with invalid contents.
2969 invalid.push_back(SSL3_RT_HANDSHAKE);
2970 invalid.push_back(DTLS1_VERSION >> 8);
2971 invalid.push_back(DTLS1_VERSION & 0xff);
2972 // epoch and sequence_number
2973 for (int i = 0; i < 8; i++) {
2974 invalid.push_back(0);
2975 }
2976 // A one-byte fragment is invalid.
2977 invalid.push_back(0);
2978 invalid.push_back(1);
2979 // Arbitrary contents.
2980 invalid.push_back(0);
2981 } else {
2982 invalid = {'i', 'n', 'v', 'a', 'l', 'i', 'd'};
2983 }
2984 bssl::UniquePtr<BIO> rbio(
2985 BIO_new_mem_buf(invalid.data(), invalid.size()));
2986 ASSERT_TRUE(rbio);
2987 SSL_set0_rbio(ssl.get(), rbio.release());
2988
2989 bssl::UniquePtr<BIO> mem(BIO_new(BIO_s_mem()));
2990 ASSERT_TRUE(mem);
2991 SSL_set0_wbio(ssl.get(), bssl::UpRef(mem).release());
2992
2993 // The handshake should fail.
2994 EXPECT_EQ(-1, SSL_do_handshake(ssl.get()));
2995 EXPECT_EQ(SSL_ERROR_SSL, SSL_get_error(ssl.get(), -1));
2996 uint32_t err = ERR_get_error();
2997
2998 // |ssl| should have written an alert (and, in the client's case, a
2999 // ClientHello) to the transport.
3000 const uint8_t *unused;
3001 size_t len;
3002 ASSERT_TRUE(BIO_mem_contents(mem.get(), &unused, &len));
3003 EXPECT_NE(0u, len);
3004 EXPECT_TRUE(BIO_reset(mem.get()));
3005
3006 // Writing should fail, with the same error as the handshake.
3007 EXPECT_EQ(-1, SSL_write(ssl.get(), "a", 1));
3008 EXPECT_EQ(SSL_ERROR_SSL, SSL_get_error(ssl.get(), -1));
3009 EXPECT_EQ(err, ERR_get_error());
3010
3011 // Nothing should be written to the transport.
3012 ASSERT_TRUE(BIO_mem_contents(mem.get(), &unused, &len));
3013 EXPECT_EQ(0u, len);
3014 }
3015 }
3016
3017 // Test that, after seeing TLS 1.2 in response to early data, |SSL_write|
3018 // continues to report |SSL_R_WRONG_VERSION_ON_EARLY_DATA|. See
3019 // https://crbug.com/1078515.
TEST(SSLTest,WriteAfterWrongVersionOnEarlyData)3020 TEST(SSLTest, WriteAfterWrongVersionOnEarlyData) {
3021 // Set up some 0-RTT-enabled contexts.
3022 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
3023 bssl::UniquePtr<SSL_CTX> server_ctx =
3024 CreateContextWithTestCertificate(TLS_method());
3025 ASSERT_TRUE(client_ctx);
3026 ASSERT_TRUE(server_ctx);
3027 SSL_CTX_set_early_data_enabled(client_ctx.get(), 1);
3028 SSL_CTX_set_early_data_enabled(server_ctx.get(), 1);
3029 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
3030 SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH);
3031
3032 // Get an early-data-capable session.
3033 bssl::UniquePtr<SSL_SESSION> session =
3034 CreateClientSession(client_ctx.get(), server_ctx.get());
3035 ASSERT_TRUE(session);
3036 EXPECT_TRUE(SSL_SESSION_early_data_capable(session.get()));
3037
3038 // Offer the session to the server, but now the server speaks TLS 1.2.
3039 bssl::UniquePtr<SSL> client, server;
3040 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
3041 server_ctx.get()));
3042 SSL_set_session(client.get(), session.get());
3043 EXPECT_TRUE(SSL_set_max_proto_version(server.get(), TLS1_2_VERSION));
3044
3045 // The client handshake initially succeeds in the early data state.
3046 EXPECT_EQ(1, SSL_do_handshake(client.get()));
3047 EXPECT_TRUE(SSL_in_early_data(client.get()));
3048
3049 // The server processes the ClientHello and negotiates TLS 1.2.
3050 EXPECT_EQ(-1, SSL_do_handshake(server.get()));
3051 EXPECT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(server.get(), -1));
3052 EXPECT_EQ(TLS1_2_VERSION, SSL_version(server.get()));
3053
3054 // Capture the client's output.
3055 bssl::UniquePtr<BIO> mem(BIO_new(BIO_s_mem()));
3056 ASSERT_TRUE(mem);
3057 SSL_set0_wbio(client.get(), bssl::UpRef(mem).release());
3058
3059 // The client processes the ServerHello and fails.
3060 EXPECT_EQ(-1, SSL_do_handshake(client.get()));
3061 EXPECT_EQ(SSL_ERROR_SSL, SSL_get_error(client.get(), -1));
3062 EXPECT_TRUE(ErrorEquals(ERR_get_error(), ERR_LIB_SSL,
3063 SSL_R_WRONG_VERSION_ON_EARLY_DATA));
3064
3065 // The client should have written an alert to the transport.
3066 const uint8_t *unused;
3067 size_t len;
3068 ASSERT_TRUE(BIO_mem_contents(mem.get(), &unused, &len));
3069 EXPECT_NE(0u, len);
3070 EXPECT_TRUE(BIO_reset(mem.get()));
3071
3072 // Writing should fail, with the same error as the handshake.
3073 EXPECT_EQ(-1, SSL_write(client.get(), "a", 1));
3074 EXPECT_EQ(SSL_ERROR_SSL, SSL_get_error(client.get(), -1));
3075 EXPECT_TRUE(ErrorEquals(ERR_get_error(), ERR_LIB_SSL,
3076 SSL_R_WRONG_VERSION_ON_EARLY_DATA));
3077
3078 // Nothing should be written to the transport.
3079 ASSERT_TRUE(BIO_mem_contents(mem.get(), &unused, &len));
3080 EXPECT_EQ(0u, len);
3081 }
3082
TEST(SSLTest,SessionDuplication)3083 TEST(SSLTest, SessionDuplication) {
3084 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
3085 bssl::UniquePtr<SSL_CTX> server_ctx =
3086 CreateContextWithTestCertificate(TLS_method());
3087 ASSERT_TRUE(client_ctx);
3088 ASSERT_TRUE(server_ctx);
3089
3090 bssl::UniquePtr<SSL> client, server;
3091 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
3092 server_ctx.get()));
3093
3094 SSL_SESSION *session0 = SSL_get_session(client.get());
3095 bssl::UniquePtr<SSL_SESSION> session1 =
3096 bssl::SSL_SESSION_dup(session0, SSL_SESSION_DUP_ALL);
3097 ASSERT_TRUE(session1);
3098
3099 session1->not_resumable = false;
3100
3101 uint8_t *s0_bytes, *s1_bytes;
3102 size_t s0_len, s1_len;
3103
3104 ASSERT_TRUE(SSL_SESSION_to_bytes(session0, &s0_bytes, &s0_len));
3105 bssl::UniquePtr<uint8_t> free_s0(s0_bytes);
3106
3107 ASSERT_TRUE(SSL_SESSION_to_bytes(session1.get(), &s1_bytes, &s1_len));
3108 bssl::UniquePtr<uint8_t> free_s1(s1_bytes);
3109
3110 EXPECT_EQ(Bytes(s0_bytes, s0_len), Bytes(s1_bytes, s1_len));
3111 }
3112
ExpectFDs(const SSL * ssl,int rfd,int wfd)3113 static void ExpectFDs(const SSL *ssl, int rfd, int wfd) {
3114 EXPECT_EQ(rfd, SSL_get_fd(ssl));
3115 EXPECT_EQ(rfd, SSL_get_rfd(ssl));
3116 EXPECT_EQ(wfd, SSL_get_wfd(ssl));
3117
3118 // The wrapper BIOs are always equal when fds are equal, even if set
3119 // individually.
3120 if (rfd == wfd) {
3121 EXPECT_EQ(SSL_get_rbio(ssl), SSL_get_wbio(ssl));
3122 }
3123 }
3124
TEST(SSLTest,SetFD)3125 TEST(SSLTest, SetFD) {
3126 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
3127 ASSERT_TRUE(ctx);
3128
3129 // Test setting different read and write FDs.
3130 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
3131 ASSERT_TRUE(ssl);
3132 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
3133 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 2));
3134 ExpectFDs(ssl.get(), 1, 2);
3135
3136 // Test setting the same FD.
3137 ssl.reset(SSL_new(ctx.get()));
3138 ASSERT_TRUE(ssl);
3139 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
3140 ExpectFDs(ssl.get(), 1, 1);
3141
3142 // Test setting the same FD one side at a time.
3143 ssl.reset(SSL_new(ctx.get()));
3144 ASSERT_TRUE(ssl);
3145 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
3146 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 1));
3147 ExpectFDs(ssl.get(), 1, 1);
3148
3149 // Test setting the same FD in the other order.
3150 ssl.reset(SSL_new(ctx.get()));
3151 ASSERT_TRUE(ssl);
3152 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 1));
3153 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
3154 ExpectFDs(ssl.get(), 1, 1);
3155
3156 // Test changing the read FD partway through.
3157 ssl.reset(SSL_new(ctx.get()));
3158 ASSERT_TRUE(ssl);
3159 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
3160 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 2));
3161 ExpectFDs(ssl.get(), 2, 1);
3162
3163 // Test changing the write FD partway through.
3164 ssl.reset(SSL_new(ctx.get()));
3165 ASSERT_TRUE(ssl);
3166 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
3167 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 2));
3168 ExpectFDs(ssl.get(), 1, 2);
3169
3170 // Test a no-op change to the read FD partway through.
3171 ssl.reset(SSL_new(ctx.get()));
3172 ASSERT_TRUE(ssl);
3173 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
3174 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
3175 ExpectFDs(ssl.get(), 1, 1);
3176
3177 // Test a no-op change to the write FD partway through.
3178 ssl.reset(SSL_new(ctx.get()));
3179 ASSERT_TRUE(ssl);
3180 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
3181 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 1));
3182 ExpectFDs(ssl.get(), 1, 1);
3183
3184 // ASan builds will implicitly test that the internal |BIO| reference-counting
3185 // is correct.
3186 }
3187
TEST(SSLTest,SetBIO)3188 TEST(SSLTest, SetBIO) {
3189 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
3190 ASSERT_TRUE(ctx);
3191
3192 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
3193 bssl::UniquePtr<BIO> bio1(BIO_new(BIO_s_mem())), bio2(BIO_new(BIO_s_mem())),
3194 bio3(BIO_new(BIO_s_mem()));
3195 ASSERT_TRUE(ssl);
3196 ASSERT_TRUE(bio1);
3197 ASSERT_TRUE(bio2);
3198 ASSERT_TRUE(bio3);
3199
3200 // SSL_set_bio takes one reference when the parameters are the same.
3201 BIO_up_ref(bio1.get());
3202 SSL_set_bio(ssl.get(), bio1.get(), bio1.get());
3203
3204 // Repeating the call does nothing.
3205 SSL_set_bio(ssl.get(), bio1.get(), bio1.get());
3206
3207 // It takes one reference each when the parameters are different.
3208 BIO_up_ref(bio2.get());
3209 BIO_up_ref(bio3.get());
3210 SSL_set_bio(ssl.get(), bio2.get(), bio3.get());
3211
3212 // Repeating the call does nothing.
3213 SSL_set_bio(ssl.get(), bio2.get(), bio3.get());
3214
3215 // It takes one reference when changing only wbio.
3216 BIO_up_ref(bio1.get());
3217 SSL_set_bio(ssl.get(), bio2.get(), bio1.get());
3218
3219 // It takes one reference when changing only rbio and the two are different.
3220 BIO_up_ref(bio3.get());
3221 SSL_set_bio(ssl.get(), bio3.get(), bio1.get());
3222
3223 // If setting wbio to rbio, it takes no additional references.
3224 SSL_set_bio(ssl.get(), bio3.get(), bio3.get());
3225
3226 // From there, wbio may be switched to something else.
3227 BIO_up_ref(bio1.get());
3228 SSL_set_bio(ssl.get(), bio3.get(), bio1.get());
3229
3230 // If setting rbio to wbio, it takes no additional references.
3231 SSL_set_bio(ssl.get(), bio1.get(), bio1.get());
3232
3233 // From there, rbio may be switched to something else, but, for historical
3234 // reasons, it takes a reference to both parameters.
3235 BIO_up_ref(bio1.get());
3236 BIO_up_ref(bio2.get());
3237 SSL_set_bio(ssl.get(), bio2.get(), bio1.get());
3238
3239 // ASAN builds will implicitly test that the internal |BIO| reference-counting
3240 // is correct.
3241 }
3242
VerifySucceed(X509_STORE_CTX * store_ctx,void * arg)3243 static int VerifySucceed(X509_STORE_CTX *store_ctx, void *arg) { return 1; }
3244
TEST_P(SSLVersionTest,GetPeerCertificate)3245 TEST_P(SSLVersionTest, GetPeerCertificate) {
3246 ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
3247
3248 // Configure both client and server to accept any certificate.
3249 SSL_CTX_set_verify(client_ctx_.get(),
3250 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
3251 nullptr);
3252 SSL_CTX_set_cert_verify_callback(client_ctx_.get(), VerifySucceed, NULL);
3253 SSL_CTX_set_verify(server_ctx_.get(),
3254 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
3255 nullptr);
3256 SSL_CTX_set_cert_verify_callback(server_ctx_.get(), VerifySucceed, NULL);
3257
3258 ASSERT_TRUE(Connect());
3259
3260 // Client and server should both see the leaf certificate.
3261 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(server_.get()));
3262 ASSERT_TRUE(peer);
3263 ASSERT_EQ(X509_cmp(cert_.get(), peer.get()), 0);
3264
3265 peer.reset(SSL_get_peer_certificate(client_.get()));
3266 ASSERT_TRUE(peer);
3267 ASSERT_EQ(X509_cmp(cert_.get(), peer.get()), 0);
3268
3269 // However, for historical reasons, the X509 chain includes the leaf on the
3270 // client, but does not on the server.
3271 EXPECT_EQ(sk_X509_num(SSL_get_peer_cert_chain(client_.get())), 1u);
3272 EXPECT_EQ(sk_CRYPTO_BUFFER_num(SSL_get0_peer_certificates(client_.get())),
3273 1u);
3274
3275 EXPECT_EQ(sk_X509_num(SSL_get_peer_cert_chain(server_.get())), 0u);
3276 EXPECT_EQ(sk_CRYPTO_BUFFER_num(SSL_get0_peer_certificates(server_.get())),
3277 1u);
3278 }
3279
TEST_P(SSLVersionTest,NoPeerCertificate)3280 TEST_P(SSLVersionTest, NoPeerCertificate) {
3281 SSL_CTX_set_verify(server_ctx_.get(), SSL_VERIFY_PEER, nullptr);
3282 SSL_CTX_set_cert_verify_callback(server_ctx_.get(), VerifySucceed, NULL);
3283 SSL_CTX_set_cert_verify_callback(client_ctx_.get(), VerifySucceed, NULL);
3284
3285 ASSERT_TRUE(Connect());
3286
3287 // Server should not see a peer certificate.
3288 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(server_.get()));
3289 ASSERT_FALSE(peer);
3290 ASSERT_FALSE(SSL_get0_peer_certificates(server_.get()));
3291 }
3292
TEST_P(SSLVersionTest,RetainOnlySHA256OfCerts)3293 TEST_P(SSLVersionTest, RetainOnlySHA256OfCerts) {
3294 uint8_t *cert_der = NULL;
3295 int cert_der_len = i2d_X509(cert_.get(), &cert_der);
3296 ASSERT_GE(cert_der_len, 0);
3297 bssl::UniquePtr<uint8_t> free_cert_der(cert_der);
3298
3299 uint8_t cert_sha256[SHA256_DIGEST_LENGTH];
3300 SHA256(cert_der, cert_der_len, cert_sha256);
3301
3302 ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
3303
3304 // Configure both client and server to accept any certificate, but the
3305 // server must retain only the SHA-256 of the peer.
3306 SSL_CTX_set_verify(client_ctx_.get(),
3307 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
3308 nullptr);
3309 SSL_CTX_set_verify(server_ctx_.get(),
3310 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
3311 nullptr);
3312 SSL_CTX_set_cert_verify_callback(client_ctx_.get(), VerifySucceed, NULL);
3313 SSL_CTX_set_cert_verify_callback(server_ctx_.get(), VerifySucceed, NULL);
3314 SSL_CTX_set_retain_only_sha256_of_client_certs(server_ctx_.get(), 1);
3315
3316 ASSERT_TRUE(Connect());
3317
3318 // The peer certificate has been dropped.
3319 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(server_.get()));
3320 EXPECT_FALSE(peer);
3321
3322 SSL_SESSION *session = SSL_get_session(server_.get());
3323 EXPECT_TRUE(SSL_SESSION_has_peer_sha256(session));
3324
3325 const uint8_t *peer_sha256;
3326 size_t peer_sha256_len;
3327 SSL_SESSION_get0_peer_sha256(session, &peer_sha256, &peer_sha256_len);
3328 EXPECT_EQ(Bytes(cert_sha256), Bytes(peer_sha256, peer_sha256_len));
3329 }
3330
3331 // Tests that our ClientHellos do not change unexpectedly. These are purely
3332 // change detection tests. If they fail as part of an intentional ClientHello
3333 // change, update the test vector.
TEST(SSLTest,ClientHello)3334 TEST(SSLTest, ClientHello) {
3335 struct {
3336 uint16_t max_version;
3337 std::vector<uint8_t> expected;
3338 } kTests[] = {
3339 {TLS1_VERSION,
3340 {0x16, 0x03, 0x01, 0x00, 0x58, 0x01, 0x00, 0x00, 0x54, 0x03, 0x01, 0x00,
3341 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3342 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3343 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0c, 0xc0, 0x09,
3344 0xc0, 0x13, 0xc0, 0x0a, 0xc0, 0x14, 0x00, 0x2f, 0x00, 0x35, 0x01, 0x00,
3345 0x00, 0x1f, 0x00, 0x17, 0x00, 0x00, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00,
3346 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00,
3347 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00}},
3348 {TLS1_1_VERSION,
3349 {0x16, 0x03, 0x01, 0x00, 0x58, 0x01, 0x00, 0x00, 0x54, 0x03, 0x02, 0x00,
3350 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3351 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3352 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0c, 0xc0, 0x09,
3353 0xc0, 0x13, 0xc0, 0x0a, 0xc0, 0x14, 0x00, 0x2f, 0x00, 0x35, 0x01, 0x00,
3354 0x00, 0x1f, 0x00, 0x17, 0x00, 0x00, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00,
3355 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00,
3356 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00}},
3357 {TLS1_2_VERSION,
3358 {0x16, 0x03, 0x01, 0x00, 0x80, 0x01, 0x00, 0x00, 0x7c, 0x03, 0x03, 0x00,
3359 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3360 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3361 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1c, 0xcc, 0xa9,
3362 0xcc, 0xa8, 0xc0, 0x2b, 0xc0, 0x2f, 0xc0, 0x2c, 0xc0, 0x30, 0xc0, 0x09,
3363 0xc0, 0x13, 0xc0, 0x0a, 0xc0, 0x14, 0x00, 0x9c, 0x00, 0x9d, 0x00, 0x2f,
3364 0x00, 0x35, 0x01, 0x00, 0x00, 0x37, 0x00, 0x17, 0x00, 0x00, 0xff, 0x01,
3365 0x00, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00,
3366 0x17, 0x00, 0x18, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00,
3367 0x00, 0x00, 0x0d, 0x00, 0x14, 0x00, 0x12, 0x04, 0x03, 0x08, 0x04, 0x04,
3368 0x01, 0x05, 0x03, 0x08, 0x05, 0x05, 0x01, 0x08, 0x06, 0x06, 0x01, 0x02,
3369 0x01}},
3370 // TODO(davidben): Add a change detector for TLS 1.3 once the spec and our
3371 // implementation has settled enough that it won't change.
3372 };
3373
3374 for (const auto &t : kTests) {
3375 SCOPED_TRACE(t.max_version);
3376
3377 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
3378 ASSERT_TRUE(ctx);
3379 // Our default cipher list varies by CPU capabilities, so manually place the
3380 // ChaCha20 ciphers in front.
3381 const char *cipher_list = "CHACHA20:ALL";
3382 ASSERT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_VERSION));
3383 ASSERT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), t.max_version));
3384 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(ctx.get(), cipher_list));
3385
3386 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
3387 ASSERT_TRUE(ssl);
3388 std::vector<uint8_t> client_hello;
3389 ASSERT_TRUE(GetClientHello(ssl.get(), &client_hello));
3390
3391 // Zero the client_random.
3392 constexpr size_t kRandomOffset = 1 + 2 + 2 + // record header
3393 1 + 3 + // handshake message header
3394 2; // client_version
3395 ASSERT_GE(client_hello.size(), kRandomOffset + SSL3_RANDOM_SIZE);
3396 OPENSSL_memset(client_hello.data() + kRandomOffset, 0, SSL3_RANDOM_SIZE);
3397
3398 if (client_hello != t.expected) {
3399 ADD_FAILURE() << "ClientHellos did not match.";
3400 // Print the value manually so it is easier to update the test vector.
3401 for (size_t i = 0; i < client_hello.size(); i += 12) {
3402 printf(" %c", i == 0 ? '{' : ' ');
3403 for (size_t j = i; j < client_hello.size() && j < i + 12; j++) {
3404 if (j > i) {
3405 printf(" ");
3406 }
3407 printf("0x%02x", client_hello[j]);
3408 if (j < client_hello.size() - 1) {
3409 printf(",");
3410 }
3411 }
3412 if (i + 12 >= client_hello.size()) {
3413 printf("}},");
3414 }
3415 printf("\n");
3416 }
3417 }
3418 }
3419 }
3420
ExpectSessionReused(SSL_CTX * client_ctx,SSL_CTX * server_ctx,SSL_SESSION * session,bool want_reused)3421 static void ExpectSessionReused(SSL_CTX *client_ctx, SSL_CTX *server_ctx,
3422 SSL_SESSION *session, bool want_reused) {
3423 bssl::UniquePtr<SSL> client, server;
3424 ClientConfig config;
3425 config.session = session;
3426 ASSERT_TRUE(
3427 ConnectClientAndServer(&client, &server, client_ctx, server_ctx, config));
3428
3429 EXPECT_EQ(SSL_session_reused(client.get()), SSL_session_reused(server.get()));
3430
3431 bool was_reused = !!SSL_session_reused(client.get());
3432 EXPECT_EQ(was_reused, want_reused);
3433 }
3434
ExpectSessionRenewed(SSL_CTX * client_ctx,SSL_CTX * server_ctx,SSL_SESSION * session)3435 static bssl::UniquePtr<SSL_SESSION> ExpectSessionRenewed(SSL_CTX *client_ctx,
3436 SSL_CTX *server_ctx,
3437 SSL_SESSION *session) {
3438 g_last_session = nullptr;
3439 SSL_CTX_sess_set_new_cb(client_ctx, SaveLastSession);
3440
3441 bssl::UniquePtr<SSL> client, server;
3442 ClientConfig config;
3443 config.session = session;
3444 if (!ConnectClientAndServer(&client, &server, client_ctx, server_ctx,
3445 config) ||
3446 !FlushNewSessionTickets(client.get(), server.get())) {
3447 fprintf(stderr, "Failed to connect client and server.\n");
3448 return nullptr;
3449 }
3450
3451 if (SSL_session_reused(client.get()) != SSL_session_reused(server.get())) {
3452 fprintf(stderr, "Client and server were inconsistent.\n");
3453 return nullptr;
3454 }
3455
3456 if (!SSL_session_reused(client.get())) {
3457 fprintf(stderr, "Session was not reused.\n");
3458 return nullptr;
3459 }
3460
3461 SSL_CTX_sess_set_new_cb(client_ctx, nullptr);
3462
3463 if (!g_last_session) {
3464 fprintf(stderr, "Client did not receive a renewed session.\n");
3465 return nullptr;
3466 }
3467 return std::move(g_last_session);
3468 }
3469
ExpectTicketKeyChanged(SSL_CTX * ctx,uint8_t * inout_key,bool changed)3470 static void ExpectTicketKeyChanged(SSL_CTX *ctx, uint8_t *inout_key,
3471 bool changed) {
3472 uint8_t new_key[kTicketKeyLen];
3473 // May return 0, 1 or 48.
3474 ASSERT_EQ(SSL_CTX_get_tlsext_ticket_keys(ctx, new_key, kTicketKeyLen), 1);
3475 if (changed) {
3476 ASSERT_NE(Bytes(inout_key, kTicketKeyLen), Bytes(new_key));
3477 } else {
3478 ASSERT_EQ(Bytes(inout_key, kTicketKeyLen), Bytes(new_key));
3479 }
3480 OPENSSL_memcpy(inout_key, new_key, kTicketKeyLen);
3481 }
3482
SwitchSessionIDContextSNI(SSL * ssl,int * out_alert,void * arg)3483 static int SwitchSessionIDContextSNI(SSL *ssl, int *out_alert, void *arg) {
3484 static const uint8_t kContext[] = {3};
3485
3486 if (!SSL_set_session_id_context(ssl, kContext, sizeof(kContext))) {
3487 return SSL_TLSEXT_ERR_ALERT_FATAL;
3488 }
3489
3490 return SSL_TLSEXT_ERR_OK;
3491 }
3492
TEST_P(SSLVersionTest,SessionIDContext)3493 TEST_P(SSLVersionTest, SessionIDContext) {
3494 static const uint8_t kContext1[] = {1};
3495 static const uint8_t kContext2[] = {2};
3496
3497 ASSERT_TRUE(SSL_CTX_set_session_id_context(server_ctx_.get(), kContext1,
3498 sizeof(kContext1)));
3499
3500 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
3501 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
3502
3503 bssl::UniquePtr<SSL_SESSION> session =
3504 CreateClientSession(client_ctx_.get(), server_ctx_.get());
3505 ASSERT_TRUE(session);
3506
3507 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3508 session.get(),
3509 true /* expect session reused */));
3510
3511 // Change the session ID context.
3512 ASSERT_TRUE(SSL_CTX_set_session_id_context(server_ctx_.get(), kContext2,
3513 sizeof(kContext2)));
3514
3515 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3516 session.get(),
3517 false /* expect session not reused */));
3518
3519 // Change the session ID context back and install an SNI callback to switch
3520 // it.
3521 ASSERT_TRUE(SSL_CTX_set_session_id_context(server_ctx_.get(), kContext1,
3522 sizeof(kContext1)));
3523
3524 SSL_CTX_set_tlsext_servername_callback(server_ctx_.get(),
3525 SwitchSessionIDContextSNI);
3526
3527 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3528 session.get(),
3529 false /* expect session not reused */));
3530
3531 // Switch the session ID context with the early callback instead.
3532 SSL_CTX_set_tlsext_servername_callback(server_ctx_.get(), nullptr);
3533 SSL_CTX_set_select_certificate_cb(
3534 server_ctx_.get(),
3535 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
3536 static const uint8_t kContext[] = {3};
3537
3538 if (!SSL_set_session_id_context(client_hello->ssl, kContext,
3539 sizeof(kContext))) {
3540 return ssl_select_cert_error;
3541 }
3542
3543 return ssl_select_cert_success;
3544 });
3545
3546 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3547 session.get(),
3548 false /* expect session not reused */));
3549 }
3550
3551 static timeval g_current_time;
3552
CurrentTimeCallback(const SSL * ssl,timeval * out_clock)3553 static void CurrentTimeCallback(const SSL *ssl, timeval *out_clock) {
3554 *out_clock = g_current_time;
3555 }
3556
FrozenTimeCallback(const SSL * ssl,timeval * out_clock)3557 static void FrozenTimeCallback(const SSL *ssl, timeval *out_clock) {
3558 out_clock->tv_sec = 1000;
3559 out_clock->tv_usec = 0;
3560 }
3561
RenewTicketCallback(SSL * ssl,uint8_t * key_name,uint8_t * iv,EVP_CIPHER_CTX * ctx,HMAC_CTX * hmac_ctx,int encrypt)3562 static int RenewTicketCallback(SSL *ssl, uint8_t *key_name, uint8_t *iv,
3563 EVP_CIPHER_CTX *ctx, HMAC_CTX *hmac_ctx,
3564 int encrypt) {
3565 static const uint8_t kZeros[16] = {0};
3566
3567 if (encrypt) {
3568 OPENSSL_memcpy(key_name, kZeros, sizeof(kZeros));
3569 RAND_bytes(iv, 16);
3570 } else if (OPENSSL_memcmp(key_name, kZeros, 16) != 0) {
3571 return 0;
3572 }
3573
3574 if (!HMAC_Init_ex(hmac_ctx, kZeros, sizeof(kZeros), EVP_sha256(), NULL) ||
3575 !EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, kZeros, iv, encrypt)) {
3576 return -1;
3577 }
3578
3579 // Returning two from the callback in decrypt mode renews the
3580 // session in TLS 1.2 and below.
3581 return encrypt ? 1 : 2;
3582 }
3583
GetServerTicketTime(long * out,const SSL_SESSION * session)3584 static bool GetServerTicketTime(long *out, const SSL_SESSION *session) {
3585 const uint8_t *ticket;
3586 size_t ticket_len;
3587 SSL_SESSION_get0_ticket(session, &ticket, &ticket_len);
3588 if (ticket_len < 16 + 16 + SHA256_DIGEST_LENGTH) {
3589 return false;
3590 }
3591
3592 const uint8_t *ciphertext = ticket + 16 + 16;
3593 size_t len = ticket_len - 16 - 16 - SHA256_DIGEST_LENGTH;
3594 auto plaintext = std::make_unique<uint8_t[]>(len);
3595
3596 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
3597 // Fuzzer-mode tickets are unencrypted.
3598 OPENSSL_memcpy(plaintext.get(), ciphertext, len);
3599 #else
3600 static const uint8_t kZeros[16] = {0};
3601 const uint8_t *iv = ticket + 16;
3602 bssl::ScopedEVP_CIPHER_CTX ctx;
3603 int len1, len2;
3604 if (len > INT_MAX ||
3605 !EVP_DecryptInit_ex(ctx.get(), EVP_aes_128_cbc(), nullptr, kZeros, iv) ||
3606 !EVP_DecryptUpdate(ctx.get(), plaintext.get(), &len1, ciphertext,
3607 static_cast<int>(len)) ||
3608 !EVP_DecryptFinal_ex(ctx.get(), plaintext.get() + len1, &len2)) {
3609 return false;
3610 }
3611
3612 len = static_cast<size_t>(len1 + len2);
3613 #endif
3614
3615 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
3616 if (!ssl_ctx) {
3617 return false;
3618 }
3619 bssl::UniquePtr<SSL_SESSION> server_session(
3620 SSL_SESSION_from_bytes(plaintext.get(), len, ssl_ctx.get()));
3621 if (!server_session) {
3622 return false;
3623 }
3624
3625 *out = SSL_SESSION_get_time(server_session.get());
3626 return true;
3627 }
3628
TEST_P(SSLVersionTest,SessionTimeout)3629 TEST_P(SSLVersionTest, SessionTimeout) {
3630 for (bool server_test : {false, true}) {
3631 SCOPED_TRACE(server_test);
3632
3633 ASSERT_NO_FATAL_FAILURE(ResetContexts());
3634 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
3635 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
3636
3637 static const time_t kStartTime = 1000;
3638 g_current_time.tv_sec = kStartTime;
3639
3640 // We are willing to use a longer lifetime for TLS 1.3 sessions as
3641 // resumptions still perform ECDHE.
3642 const time_t timeout = version() == TLS1_3_VERSION
3643 ? SSL_DEFAULT_SESSION_PSK_DHE_TIMEOUT
3644 : SSL_DEFAULT_SESSION_TIMEOUT;
3645
3646 // Both client and server must enforce session timeouts. We configure the
3647 // other side with a frozen clock so it never expires tickets.
3648 if (server_test) {
3649 SSL_CTX_set_current_time_cb(client_ctx_.get(), FrozenTimeCallback);
3650 SSL_CTX_set_current_time_cb(server_ctx_.get(), CurrentTimeCallback);
3651 } else {
3652 SSL_CTX_set_current_time_cb(client_ctx_.get(), CurrentTimeCallback);
3653 SSL_CTX_set_current_time_cb(server_ctx_.get(), FrozenTimeCallback);
3654 }
3655
3656 // Configure a ticket callback which renews tickets.
3657 SSL_CTX_set_tlsext_ticket_key_cb(server_ctx_.get(), RenewTicketCallback);
3658
3659 bssl::UniquePtr<SSL_SESSION> session =
3660 CreateClientSession(client_ctx_.get(), server_ctx_.get());
3661 ASSERT_TRUE(session);
3662
3663 // Advance the clock just behind the timeout.
3664 g_current_time.tv_sec += timeout - 1;
3665
3666 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3667 session.get(),
3668 true /* expect session reused */));
3669
3670 // Advance the clock one more second.
3671 g_current_time.tv_sec++;
3672
3673 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3674 session.get(),
3675 false /* expect session not reused */));
3676
3677 // Rewind the clock to before the session was minted.
3678 g_current_time.tv_sec = kStartTime - 1;
3679
3680 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3681 session.get(),
3682 false /* expect session not reused */));
3683
3684 // Renew the session 10 seconds before expiration.
3685 time_t new_start_time = kStartTime + timeout - 10;
3686 g_current_time.tv_sec = new_start_time;
3687 bssl::UniquePtr<SSL_SESSION> new_session = ExpectSessionRenewed(
3688 client_ctx_.get(), server_ctx_.get(), session.get());
3689 ASSERT_TRUE(new_session);
3690
3691 // This new session is not the same object as before.
3692 EXPECT_NE(session.get(), new_session.get());
3693
3694 // Check the sessions have timestamps measured from issuance.
3695 long session_time = 0;
3696 if (server_test) {
3697 ASSERT_TRUE(GetServerTicketTime(&session_time, new_session.get()));
3698 } else {
3699 session_time = SSL_SESSION_get_time(new_session.get());
3700 }
3701
3702 ASSERT_EQ(session_time, g_current_time.tv_sec);
3703
3704 if (version() == TLS1_3_VERSION) {
3705 // Renewal incorporates fresh key material in TLS 1.3, so we extend the
3706 // lifetime TLS 1.3.
3707 g_current_time.tv_sec = new_start_time + timeout - 1;
3708 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3709 new_session.get(),
3710 true /* expect session reused */));
3711
3712 // The new session expires after the new timeout.
3713 g_current_time.tv_sec = new_start_time + timeout + 1;
3714 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3715 new_session.get(),
3716 false /* expect session ot reused */));
3717
3718 // Renew the session until it begins just past the auth timeout.
3719 time_t auth_end_time = kStartTime + SSL_DEFAULT_SESSION_AUTH_TIMEOUT;
3720 while (new_start_time < auth_end_time - 1000) {
3721 // Get as close as possible to target start time.
3722 new_start_time =
3723 std::min(auth_end_time - 1000, new_start_time + timeout - 1);
3724 g_current_time.tv_sec = new_start_time;
3725 new_session = ExpectSessionRenewed(client_ctx_.get(), server_ctx_.get(),
3726 new_session.get());
3727 ASSERT_TRUE(new_session);
3728 }
3729
3730 // Now the session's lifetime is bound by the auth timeout.
3731 g_current_time.tv_sec = auth_end_time - 1;
3732 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3733 new_session.get(),
3734 true /* expect session reused */));
3735
3736 g_current_time.tv_sec = auth_end_time + 1;
3737 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3738 new_session.get(),
3739 false /* expect session ot reused */));
3740 } else {
3741 // The new session is usable just before the old expiration.
3742 g_current_time.tv_sec = kStartTime + timeout - 1;
3743 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3744 new_session.get(),
3745 true /* expect session reused */));
3746
3747 // Renewal does not extend the lifetime, so it is not usable beyond the
3748 // old expiration.
3749 g_current_time.tv_sec = kStartTime + timeout + 1;
3750 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3751 new_session.get(),
3752 false /* expect session not reused */));
3753 }
3754 }
3755 }
3756
TEST_P(SSLVersionTest,DefaultTicketKeyInitialization)3757 TEST_P(SSLVersionTest, DefaultTicketKeyInitialization) {
3758 static const uint8_t kZeroKey[kTicketKeyLen] = {};
3759 uint8_t ticket_key[kTicketKeyLen];
3760 ASSERT_EQ(1, SSL_CTX_get_tlsext_ticket_keys(server_ctx_.get(), ticket_key,
3761 kTicketKeyLen));
3762 ASSERT_NE(0, OPENSSL_memcmp(ticket_key, kZeroKey, kTicketKeyLen));
3763 }
3764
TEST_P(SSLVersionTest,DefaultTicketKeyRotation)3765 TEST_P(SSLVersionTest, DefaultTicketKeyRotation) {
3766 static const time_t kStartTime = 1001;
3767 g_current_time.tv_sec = kStartTime;
3768
3769 // We use session reuse as a proxy for ticket decryption success, hence
3770 // disable session timeouts.
3771 SSL_CTX_set_timeout(server_ctx_.get(), std::numeric_limits<uint32_t>::max());
3772 SSL_CTX_set_session_psk_dhe_timeout(server_ctx_.get(),
3773 std::numeric_limits<uint32_t>::max());
3774
3775 SSL_CTX_set_current_time_cb(client_ctx_.get(), FrozenTimeCallback);
3776 SSL_CTX_set_current_time_cb(server_ctx_.get(), CurrentTimeCallback);
3777
3778 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
3779 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_OFF);
3780
3781 // Initialize ticket_key with the current key and check that it was
3782 // initialized to something, not all zeros.
3783 uint8_t ticket_key[kTicketKeyLen] = {0};
3784 TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
3785 true /* changed */));
3786
3787 // Verify ticket resumption actually works.
3788 bssl::UniquePtr<SSL> client, server;
3789 bssl::UniquePtr<SSL_SESSION> session =
3790 CreateClientSession(client_ctx_.get(), server_ctx_.get());
3791 ASSERT_TRUE(session);
3792 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3793 session.get(), true /* reused */));
3794
3795 // Advance time to just before key rotation.
3796 g_current_time.tv_sec += SSL_DEFAULT_TICKET_KEY_ROTATION_INTERVAL - 1;
3797 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3798 session.get(), true /* reused */));
3799 TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
3800 false /* NOT changed */));
3801
3802 // Force key rotation.
3803 g_current_time.tv_sec += 1;
3804 bssl::UniquePtr<SSL_SESSION> new_session =
3805 CreateClientSession(client_ctx_.get(), server_ctx_.get());
3806 TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
3807 true /* changed */));
3808
3809 // Resumption with both old and new ticket should work.
3810 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3811 session.get(), true /* reused */));
3812 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3813 new_session.get(), true /* reused */));
3814 TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
3815 false /* NOT changed */));
3816
3817 // Force key rotation again. Resumption with the old ticket now fails.
3818 g_current_time.tv_sec += SSL_DEFAULT_TICKET_KEY_ROTATION_INTERVAL;
3819 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3820 session.get(), false /* NOT reused */));
3821 TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
3822 true /* changed */));
3823
3824 // But resumption with the newer session still works.
3825 TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
3826 new_session.get(), true /* reused */));
3827 }
3828
SwitchContext(SSL * ssl,int * out_alert,void * arg)3829 static int SwitchContext(SSL *ssl, int *out_alert, void *arg) {
3830 SSL_CTX *ctx = reinterpret_cast<SSL_CTX *>(arg);
3831 SSL_set_SSL_CTX(ssl, ctx);
3832 return SSL_TLSEXT_ERR_OK;
3833 }
3834
TEST_P(SSLVersionTest,SNICallback)3835 TEST_P(SSLVersionTest, SNICallback) {
3836 bssl::UniquePtr<X509> cert2 = GetECDSATestCertificate();
3837 ASSERT_TRUE(cert2);
3838 bssl::UniquePtr<EVP_PKEY> key2 = GetECDSATestKey();
3839 ASSERT_TRUE(key2);
3840
3841 // Test that switching the |SSL_CTX| at the SNI callback behaves correctly.
3842 static const uint16_t kECDSAWithSHA256 = SSL_SIGN_ECDSA_SECP256R1_SHA256;
3843
3844 static const uint8_t kSCTList[] = {0, 6, 0, 4, 5, 6, 7, 8};
3845 static const uint8_t kOCSPResponse[] = {1, 2, 3, 4};
3846
3847 bssl::UniquePtr<SSL_CTX> server_ctx2 = CreateContext();
3848 ASSERT_TRUE(server_ctx2);
3849 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx2.get(), cert2.get()));
3850 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx2.get(), key2.get()));
3851 ASSERT_TRUE(SSL_CTX_set_signed_cert_timestamp_list(
3852 server_ctx2.get(), kSCTList, sizeof(kSCTList)));
3853 ASSERT_TRUE(SSL_CTX_set_ocsp_response(server_ctx2.get(), kOCSPResponse,
3854 sizeof(kOCSPResponse)));
3855 // Historically signing preferences would be lost in some cases with the
3856 // SNI callback, which triggers the TLS 1.2 SHA-1 default. To ensure
3857 // this doesn't happen when |version| is TLS 1.2, configure the private
3858 // key to only sign SHA-256.
3859 ASSERT_TRUE(SSL_CTX_set_signing_algorithm_prefs(server_ctx2.get(),
3860 &kECDSAWithSHA256, 1));
3861
3862 SSL_CTX_set_tlsext_servername_callback(server_ctx_.get(), SwitchContext);
3863 SSL_CTX_set_tlsext_servername_arg(server_ctx_.get(), server_ctx2.get());
3864
3865 SSL_CTX_enable_signed_cert_timestamps(client_ctx_.get());
3866 SSL_CTX_enable_ocsp_stapling(client_ctx_.get());
3867
3868 ASSERT_TRUE(Connect());
3869
3870 // The client should have received |cert2|.
3871 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(client_.get()));
3872 ASSERT_TRUE(peer);
3873 EXPECT_EQ(X509_cmp(peer.get(), cert2.get()), 0);
3874
3875 // The client should have received |server_ctx2|'s SCT list.
3876 const uint8_t *data;
3877 size_t len;
3878 SSL_get0_signed_cert_timestamp_list(client_.get(), &data, &len);
3879 EXPECT_EQ(Bytes(kSCTList), Bytes(data, len));
3880
3881 // The client should have received |server_ctx2|'s OCSP response.
3882 SSL_get0_ocsp_response(client_.get(), &data, &len);
3883 EXPECT_EQ(Bytes(kOCSPResponse), Bytes(data, len));
3884 }
3885
3886 // Test that the early callback can swap the maximum version.
TEST(SSLTest,EarlyCallbackVersionSwitch)3887 TEST(SSLTest, EarlyCallbackVersionSwitch) {
3888 bssl::UniquePtr<SSL_CTX> server_ctx =
3889 CreateContextWithTestCertificate(TLS_method());
3890 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
3891 ASSERT_TRUE(server_ctx);
3892 ASSERT_TRUE(client_ctx);
3893 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION));
3894 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
3895
3896 SSL_CTX_set_select_certificate_cb(
3897 server_ctx.get(),
3898 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
3899 if (!SSL_set_max_proto_version(client_hello->ssl, TLS1_2_VERSION)) {
3900 return ssl_select_cert_error;
3901 }
3902
3903 return ssl_select_cert_success;
3904 });
3905
3906 bssl::UniquePtr<SSL> client, server;
3907 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
3908 server_ctx.get()));
3909 EXPECT_EQ(TLS1_2_VERSION, SSL_version(client.get()));
3910 }
3911
TEST(SSLTest,SetVersion)3912 TEST(SSLTest, SetVersion) {
3913 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
3914 ASSERT_TRUE(ctx);
3915
3916 // Set valid TLS versions.
3917 for (const auto &vers : kAllVersions) {
3918 SCOPED_TRACE(vers.name);
3919 if (vers.ssl_method == VersionParam::is_tls) {
3920 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), vers.version));
3921 EXPECT_EQ(SSL_CTX_get_max_proto_version(ctx.get()), vers.version);
3922 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), vers.version));
3923 EXPECT_EQ(SSL_CTX_get_min_proto_version(ctx.get()), vers.version);
3924 }
3925 }
3926
3927 // Invalid TLS versions are rejected.
3928 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), DTLS1_VERSION));
3929 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0x0200));
3930 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0x1234));
3931 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), DTLS1_VERSION));
3932 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x0200));
3933 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x1234));
3934
3935 // Zero is the default version.
3936 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), 0));
3937 EXPECT_EQ(TLS1_3_VERSION, SSL_CTX_get_max_proto_version(ctx.get()));
3938 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), 0));
3939 EXPECT_EQ(TLS1_2_VERSION, SSL_CTX_get_min_proto_version(ctx.get()));
3940
3941 // SSL 3.0 is not available.
3942 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), SSL3_VERSION));
3943
3944 ctx.reset(SSL_CTX_new(DTLS_method()));
3945 ASSERT_TRUE(ctx);
3946
3947 // Set valid DTLS versions.
3948 for (const auto &vers : kAllVersions) {
3949 SCOPED_TRACE(vers.name);
3950 if (vers.ssl_method == VersionParam::is_dtls) {
3951 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), vers.version));
3952 EXPECT_EQ(SSL_CTX_get_max_proto_version(ctx.get()), vers.version);
3953 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), vers.version));
3954 EXPECT_EQ(SSL_CTX_get_min_proto_version(ctx.get()), vers.version);
3955 }
3956 }
3957
3958 // Invalid DTLS versions are rejected.
3959 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_VERSION));
3960 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0xfefe /* DTLS 1.1 */));
3961 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0xfffe /* DTLS 0.1 */));
3962 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0x1234));
3963 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_VERSION));
3964 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0xfefe /* DTLS 1.1 */));
3965 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0xfffe /* DTLS 0.1 */));
3966 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x1234));
3967
3968 // Zero is the default version.
3969 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), 0));
3970 EXPECT_EQ(DTLS1_2_VERSION, SSL_CTX_get_max_proto_version(ctx.get()));
3971 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), 0));
3972 EXPECT_EQ(DTLS1_2_VERSION, SSL_CTX_get_min_proto_version(ctx.get()));
3973 }
3974
GetVersionName(uint16_t version)3975 static const char *GetVersionName(uint16_t version) {
3976 switch (version) {
3977 case TLS1_VERSION:
3978 return "TLSv1";
3979 case TLS1_1_VERSION:
3980 return "TLSv1.1";
3981 case TLS1_2_VERSION:
3982 return "TLSv1.2";
3983 case TLS1_3_VERSION:
3984 return "TLSv1.3";
3985 case DTLS1_VERSION:
3986 return "DTLSv1";
3987 case DTLS1_2_VERSION:
3988 return "DTLSv1.2";
3989 default:
3990 return "???";
3991 }
3992 }
3993
TEST_P(SSLVersionTest,Version)3994 TEST_P(SSLVersionTest, Version) {
3995 ASSERT_TRUE(Connect());
3996
3997 EXPECT_EQ(SSL_version(client_.get()), version());
3998 EXPECT_EQ(SSL_version(server_.get()), version());
3999
4000 // Test the version name is reported as expected.
4001 const char *version_name = GetVersionName(version());
4002 EXPECT_EQ(strcmp(version_name, SSL_get_version(client_.get())), 0);
4003 EXPECT_EQ(strcmp(version_name, SSL_get_version(server_.get())), 0);
4004
4005 // Test SSL_SESSION reports the same name.
4006 const char *client_name =
4007 SSL_SESSION_get_version(SSL_get_session(client_.get()));
4008 const char *server_name =
4009 SSL_SESSION_get_version(SSL_get_session(server_.get()));
4010 EXPECT_EQ(strcmp(version_name, client_name), 0);
4011 EXPECT_EQ(strcmp(version_name, server_name), 0);
4012 }
4013
4014 // Tests that that |SSL_get_pending_cipher| is available during the ALPN
4015 // selection callback.
TEST_P(SSLVersionTest,ALPNCipherAvailable)4016 TEST_P(SSLVersionTest, ALPNCipherAvailable) {
4017 ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
4018
4019 static const uint8_t kALPNProtos[] = {0x03, 'f', 'o', 'o'};
4020 ASSERT_EQ(SSL_CTX_set_alpn_protos(client_ctx_.get(), kALPNProtos,
4021 sizeof(kALPNProtos)),
4022 0);
4023
4024 // The ALPN callback does not fail the handshake on error, so have the
4025 // callback write a boolean.
4026 std::pair<uint16_t, bool> callback_state(version(), false);
4027 SSL_CTX_set_alpn_select_cb(
4028 server_ctx_.get(),
4029 [](SSL *ssl, const uint8_t **out, uint8_t *out_len, const uint8_t *in,
4030 unsigned in_len, void *arg) -> int {
4031 auto state = reinterpret_cast<std::pair<uint16_t, bool> *>(arg);
4032 if (SSL_get_pending_cipher(ssl) != nullptr &&
4033 SSL_version(ssl) == state->first) {
4034 state->second = true;
4035 }
4036 return SSL_TLSEXT_ERR_NOACK;
4037 },
4038 &callback_state);
4039
4040 ASSERT_TRUE(Connect());
4041
4042 ASSERT_TRUE(callback_state.second);
4043 }
4044
TEST_P(SSLVersionTest,SSLClearSessionResumption)4045 TEST_P(SSLVersionTest, SSLClearSessionResumption) {
4046 // Skip this for TLS 1.3. TLS 1.3's ticket mechanism is incompatible with this
4047 // API pattern.
4048 if (version() == TLS1_3_VERSION) {
4049 return;
4050 }
4051
4052 shed_handshake_config_ = false;
4053 ASSERT_TRUE(Connect());
4054
4055 EXPECT_FALSE(SSL_session_reused(client_.get()));
4056 EXPECT_FALSE(SSL_session_reused(server_.get()));
4057
4058 // Reset everything.
4059 ASSERT_TRUE(SSL_clear(client_.get()));
4060 ASSERT_TRUE(SSL_clear(server_.get()));
4061
4062 // Attempt to connect a second time.
4063 ASSERT_TRUE(CompleteHandshakes(client_.get(), server_.get()));
4064
4065 // |SSL_clear| should implicitly offer the previous session to the server.
4066 EXPECT_TRUE(SSL_session_reused(client_.get()));
4067 EXPECT_TRUE(SSL_session_reused(server_.get()));
4068 }
4069
TEST_P(SSLVersionTest,SSLClearFailsWithShedding)4070 TEST_P(SSLVersionTest, SSLClearFailsWithShedding) {
4071 shed_handshake_config_ = false;
4072 ASSERT_TRUE(Connect());
4073 ASSERT_TRUE(CompleteHandshakes(client_.get(), server_.get()));
4074
4075 // Reset everything.
4076 ASSERT_TRUE(SSL_clear(client_.get()));
4077 ASSERT_TRUE(SSL_clear(server_.get()));
4078
4079 // Now enable shedding, and connect a second time.
4080 shed_handshake_config_ = true;
4081 ASSERT_TRUE(Connect());
4082 ASSERT_TRUE(CompleteHandshakes(client_.get(), server_.get()));
4083
4084 // |SSL_clear| should now fail.
4085 ASSERT_FALSE(SSL_clear(client_.get()));
4086 ASSERT_FALSE(SSL_clear(server_.get()));
4087 }
4088
ChainsEqual(const STACK_OF (X509)* chain,const std::vector<X509 * > & expected)4089 static bool ChainsEqual(const STACK_OF(X509) *chain,
4090 const std::vector<X509 *> &expected) {
4091 if (sk_X509_num(chain) != expected.size()) {
4092 return false;
4093 }
4094
4095 for (size_t i = 0; i < expected.size(); i++) {
4096 if (X509_cmp(sk_X509_value(chain, i), expected[i]) != 0) {
4097 return false;
4098 }
4099 }
4100
4101 return true;
4102 }
4103
BuffersEqual(const STACK_OF (CRYPTO_BUFFER)* chain,const std::vector<CRYPTO_BUFFER * > & expected)4104 static bool BuffersEqual(const STACK_OF(CRYPTO_BUFFER) *chain,
4105 const std::vector<CRYPTO_BUFFER *> &expected) {
4106 if (sk_CRYPTO_BUFFER_num(chain) != expected.size()) {
4107 return false;
4108 }
4109
4110 for (size_t i = 0; i < expected.size(); i++) {
4111 const CRYPTO_BUFFER *buf = sk_CRYPTO_BUFFER_value(chain, i);
4112 if (Bytes(CRYPTO_BUFFER_data(buf), CRYPTO_BUFFER_len(buf)) !=
4113 Bytes(CRYPTO_BUFFER_data(expected[i]),
4114 CRYPTO_BUFFER_len(expected[i]))) {
4115 return false;
4116 }
4117 }
4118
4119 return true;
4120 }
4121
TEST_P(SSLVersionTest,AutoChain)4122 TEST_P(SSLVersionTest, AutoChain) {
4123 cert_ = GetChainTestCertificate();
4124 ASSERT_TRUE(cert_);
4125 key_ = GetChainTestKey();
4126 ASSERT_TRUE(key_);
4127 bssl::UniquePtr<X509> intermediate = GetChainTestIntermediate();
4128 ASSERT_TRUE(intermediate);
4129
4130 ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
4131 ASSERT_TRUE(UseCertAndKey(server_ctx_.get()));
4132
4133 // Configure both client and server to accept any certificate. Add
4134 // |intermediate| to the cert store.
4135 ASSERT_TRUE(X509_STORE_add_cert(SSL_CTX_get_cert_store(client_ctx_.get()),
4136 intermediate.get()));
4137 ASSERT_TRUE(X509_STORE_add_cert(SSL_CTX_get_cert_store(server_ctx_.get()),
4138 intermediate.get()));
4139 SSL_CTX_set_verify(client_ctx_.get(),
4140 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
4141 nullptr);
4142 SSL_CTX_set_verify(server_ctx_.get(),
4143 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
4144 nullptr);
4145 SSL_CTX_set_cert_verify_callback(client_ctx_.get(), VerifySucceed, NULL);
4146 SSL_CTX_set_cert_verify_callback(server_ctx_.get(), VerifySucceed, NULL);
4147
4148 // By default, the client and server should each only send the leaf.
4149 ASSERT_TRUE(Connect());
4150
4151 EXPECT_TRUE(
4152 ChainsEqual(SSL_get_peer_full_cert_chain(client_.get()), {cert_.get()}));
4153 EXPECT_TRUE(
4154 ChainsEqual(SSL_get_peer_full_cert_chain(server_.get()), {cert_.get()}));
4155
4156 // If auto-chaining is enabled, then the intermediate is sent.
4157 SSL_CTX_clear_mode(client_ctx_.get(), SSL_MODE_NO_AUTO_CHAIN);
4158 SSL_CTX_clear_mode(server_ctx_.get(), SSL_MODE_NO_AUTO_CHAIN);
4159 ASSERT_TRUE(Connect());
4160
4161 EXPECT_TRUE(ChainsEqual(SSL_get_peer_full_cert_chain(client_.get()),
4162 {cert_.get(), intermediate.get()}));
4163 EXPECT_TRUE(ChainsEqual(SSL_get_peer_full_cert_chain(server_.get()),
4164 {cert_.get(), intermediate.get()}));
4165
4166 // Auto-chaining does not override explicitly-configured intermediates.
4167 ASSERT_TRUE(SSL_CTX_add1_chain_cert(client_ctx_.get(), cert_.get()));
4168 ASSERT_TRUE(SSL_CTX_add1_chain_cert(server_ctx_.get(), cert_.get()));
4169 ASSERT_TRUE(Connect());
4170
4171 EXPECT_TRUE(ChainsEqual(SSL_get_peer_full_cert_chain(client_.get()),
4172 {cert_.get(), cert_.get()}));
4173
4174 EXPECT_TRUE(ChainsEqual(SSL_get_peer_full_cert_chain(server_.get()),
4175 {cert_.get(), cert_.get()}));
4176 }
4177
ExpectSingleError(int lib,int reason)4178 static bool ExpectSingleError(int lib, int reason) {
4179 const char *expected = ERR_reason_error_string(ERR_PACK(lib, reason));
4180 int err = ERR_get_error();
4181 if (ERR_GET_LIB(err) != lib || ERR_GET_REASON(err) != reason) {
4182 char buf[ERR_ERROR_STRING_BUF_LEN];
4183 ERR_error_string_n(err, buf, sizeof(buf));
4184 fprintf(stderr, "Wanted %s, got: %s.\n", expected, buf);
4185 return false;
4186 }
4187
4188 if (ERR_peek_error() != 0) {
4189 fprintf(stderr, "Unexpected error following %s.\n", expected);
4190 return false;
4191 }
4192
4193 return true;
4194 }
4195
TEST_P(SSLVersionTest,SSLWriteRetry)4196 TEST_P(SSLVersionTest, SSLWriteRetry) {
4197 if (is_dtls()) {
4198 return;
4199 }
4200
4201 for (bool enable_partial_write : {false, true}) {
4202 SCOPED_TRACE(enable_partial_write);
4203
4204 // Connect a client and server.
4205 ASSERT_TRUE(Connect());
4206
4207 if (enable_partial_write) {
4208 SSL_set_mode(client_.get(), SSL_MODE_ENABLE_PARTIAL_WRITE);
4209 }
4210
4211 // Write without reading until the buffer is full and we have an unfinished
4212 // write. Keep a count so we may reread it again later. "hello!" will be
4213 // written in two chunks, "hello" and "!".
4214 char data[] = "hello!";
4215 static const int kChunkLen = 5; // The length of "hello".
4216 unsigned count = 0;
4217 for (;;) {
4218 int ret = SSL_write(client_.get(), data, kChunkLen);
4219 if (ret <= 0) {
4220 ASSERT_EQ(SSL_get_error(client_.get(), ret), SSL_ERROR_WANT_WRITE);
4221 break;
4222 }
4223 ASSERT_EQ(ret, 5);
4224 count++;
4225 }
4226
4227 // Retrying with the same parameters is legal.
4228 ASSERT_EQ(
4229 SSL_get_error(client_.get(), SSL_write(client_.get(), data, kChunkLen)),
4230 SSL_ERROR_WANT_WRITE);
4231
4232 // Retrying with the same buffer but shorter length is not legal.
4233 ASSERT_EQ(SSL_get_error(client_.get(),
4234 SSL_write(client_.get(), data, kChunkLen - 1)),
4235 SSL_ERROR_SSL);
4236 ASSERT_TRUE(ExpectSingleError(ERR_LIB_SSL, SSL_R_BAD_WRITE_RETRY));
4237
4238 // Retrying with a different buffer pointer is not legal.
4239 char data2[] = "hello";
4240 ASSERT_EQ(SSL_get_error(client_.get(),
4241 SSL_write(client_.get(), data2, kChunkLen)),
4242 SSL_ERROR_SSL);
4243 ASSERT_TRUE(ExpectSingleError(ERR_LIB_SSL, SSL_R_BAD_WRITE_RETRY));
4244
4245 // With |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER|, the buffer may move.
4246 SSL_set_mode(client_.get(), SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
4247 ASSERT_EQ(SSL_get_error(client_.get(),
4248 SSL_write(client_.get(), data2, kChunkLen)),
4249 SSL_ERROR_WANT_WRITE);
4250
4251 // |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER| does not disable length checks.
4252 ASSERT_EQ(SSL_get_error(client_.get(),
4253 SSL_write(client_.get(), data2, kChunkLen - 1)),
4254 SSL_ERROR_SSL);
4255 ASSERT_TRUE(ExpectSingleError(ERR_LIB_SSL, SSL_R_BAD_WRITE_RETRY));
4256
4257 // Retrying with a larger buffer is legal.
4258 ASSERT_EQ(SSL_get_error(client_.get(),
4259 SSL_write(client_.get(), data, kChunkLen + 1)),
4260 SSL_ERROR_WANT_WRITE);
4261
4262 // Drain the buffer.
4263 char buf[20];
4264 for (unsigned i = 0; i < count; i++) {
4265 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen);
4266 ASSERT_EQ(OPENSSL_memcmp(buf, "hello", kChunkLen), 0);
4267 }
4268
4269 // Now that there is space, a retry with a larger buffer should flush the
4270 // pending record, skip over that many bytes of input (on assumption they
4271 // are the same), and write the remainder. If SSL_MODE_ENABLE_PARTIAL_WRITE
4272 // is set, this will complete in two steps.
4273 char data_longer[] = "_____!!!!!";
4274 if (enable_partial_write) {
4275 ASSERT_EQ(SSL_write(client_.get(), data_longer, 2 * kChunkLen),
4276 kChunkLen);
4277 ASSERT_EQ(SSL_write(client_.get(), data_longer + kChunkLen, kChunkLen),
4278 kChunkLen);
4279 } else {
4280 ASSERT_EQ(SSL_write(client_.get(), data_longer, 2 * kChunkLen),
4281 2 * kChunkLen);
4282 }
4283
4284 // Check the last write was correct. The data will be spread over two
4285 // records, so SSL_read returns twice.
4286 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen);
4287 ASSERT_EQ(OPENSSL_memcmp(buf, "hello", kChunkLen), 0);
4288 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen);
4289 ASSERT_EQ(OPENSSL_memcmp(buf, "!!!!!", kChunkLen), 0);
4290
4291 // Fill the transport buffer again. This time only leave room for one
4292 // record.
4293 count = 0;
4294 for (;;) {
4295 int ret = SSL_write(client_.get(), data, kChunkLen);
4296 if (ret <= 0) {
4297 ASSERT_EQ(SSL_get_error(client_.get(), ret), SSL_ERROR_WANT_WRITE);
4298 break;
4299 }
4300 ASSERT_EQ(ret, 5);
4301 count++;
4302 }
4303 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen);
4304 ASSERT_EQ(OPENSSL_memcmp(buf, "hello", kChunkLen), 0);
4305 count--;
4306
4307 // Retry the last write, with a longer input. The first half is the most
4308 // recently failed write, from filling the buffer. |SSL_write| should write
4309 // that to the transport, and then attempt to write the second half.
4310 int ret = SSL_write(client_.get(), data_longer, 2 * kChunkLen);
4311 if (enable_partial_write) {
4312 // If partial writes are allowed, the write will succeed partially.
4313 ASSERT_EQ(ret, kChunkLen);
4314
4315 // Check the first half and make room for another record.
4316 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen);
4317 ASSERT_EQ(OPENSSL_memcmp(buf, "hello", kChunkLen), 0);
4318 count--;
4319
4320 // Finish writing the input.
4321 ASSERT_EQ(SSL_write(client_.get(), data_longer + kChunkLen, kChunkLen),
4322 kChunkLen);
4323 } else {
4324 // Otherwise, although the first half made it to the transport, the second
4325 // half is blocked.
4326 ASSERT_EQ(ret, -1);
4327 ASSERT_EQ(SSL_get_error(client_.get(), -1), SSL_ERROR_WANT_WRITE);
4328
4329 // Check the first half and make room for another record.
4330 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen);
4331 ASSERT_EQ(OPENSSL_memcmp(buf, "hello", kChunkLen), 0);
4332 count--;
4333
4334 // Retrying with fewer bytes than previously attempted is an error. If the
4335 // input length is less than the number of bytes successfully written, the
4336 // check happens at a different point, with a different error.
4337 //
4338 // TODO(davidben): Should these cases use the same error?
4339 ASSERT_EQ(
4340 SSL_get_error(client_.get(),
4341 SSL_write(client_.get(), data_longer, kChunkLen - 1)),
4342 SSL_ERROR_SSL);
4343 ASSERT_TRUE(ExpectSingleError(ERR_LIB_SSL, SSL_R_BAD_LENGTH));
4344
4345 // Complete the write with the correct retry.
4346 ASSERT_EQ(SSL_write(client_.get(), data_longer, 2 * kChunkLen),
4347 2 * kChunkLen);
4348 }
4349
4350 // Drain the input and ensure everything was written correctly.
4351 for (unsigned i = 0; i < count; i++) {
4352 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen);
4353 ASSERT_EQ(OPENSSL_memcmp(buf, "hello", kChunkLen), 0);
4354 }
4355
4356 // The final write is spread over two records.
4357 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen);
4358 ASSERT_EQ(OPENSSL_memcmp(buf, "hello", kChunkLen), 0);
4359 ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen);
4360 ASSERT_EQ(OPENSSL_memcmp(buf, "!!!!!", kChunkLen), 0);
4361 }
4362 }
4363
TEST_P(SSLVersionTest,RecordCallback)4364 TEST_P(SSLVersionTest, RecordCallback) {
4365 for (bool test_server : {true, false}) {
4366 SCOPED_TRACE(test_server);
4367 ASSERT_NO_FATAL_FAILURE(ResetContexts());
4368
4369 bool read_seen = false;
4370 bool write_seen = false;
4371 auto cb = [&](int is_write, int cb_version, int cb_type, const void *buf,
4372 size_t len, SSL *ssl) {
4373 if (cb_type != SSL3_RT_HEADER) {
4374 return;
4375 }
4376
4377 // The callback does not report a version for records.
4378 EXPECT_EQ(0, cb_version);
4379
4380 if (is_write) {
4381 write_seen = true;
4382 } else {
4383 read_seen = true;
4384 }
4385
4386 // Sanity-check that the record header is plausible.
4387 CBS cbs;
4388 CBS_init(&cbs, reinterpret_cast<const uint8_t *>(buf), len);
4389 uint8_t type;
4390 uint16_t record_version, length;
4391 ASSERT_TRUE(CBS_get_u8(&cbs, &type));
4392 ASSERT_TRUE(CBS_get_u16(&cbs, &record_version));
4393 EXPECT_EQ(record_version & 0xff00, version() & 0xff00);
4394 if (is_dtls()) {
4395 uint16_t epoch;
4396 ASSERT_TRUE(CBS_get_u16(&cbs, &epoch));
4397 EXPECT_TRUE(epoch == 0 || epoch == 1) << "Invalid epoch: " << epoch;
4398 ASSERT_TRUE(CBS_skip(&cbs, 6));
4399 }
4400 ASSERT_TRUE(CBS_get_u16(&cbs, &length));
4401 EXPECT_EQ(0u, CBS_len(&cbs));
4402 };
4403 using CallbackType = decltype(cb);
4404 SSL_CTX *ctx = test_server ? server_ctx_.get() : client_ctx_.get();
4405 SSL_CTX_set_msg_callback(
4406 ctx, [](int is_write, int cb_version, int cb_type, const void *buf,
4407 size_t len, SSL *ssl, void *arg) {
4408 CallbackType *cb_ptr = reinterpret_cast<CallbackType *>(arg);
4409 (*cb_ptr)(is_write, cb_version, cb_type, buf, len, ssl);
4410 });
4411 SSL_CTX_set_msg_callback_arg(ctx, &cb);
4412
4413 ASSERT_TRUE(Connect());
4414
4415 EXPECT_TRUE(read_seen);
4416 EXPECT_TRUE(write_seen);
4417 }
4418 }
4419
TEST_P(SSLVersionTest,GetServerName)4420 TEST_P(SSLVersionTest, GetServerName) {
4421 ClientConfig config;
4422 config.servername = "host1";
4423
4424 SSL_CTX_set_tlsext_servername_callback(
4425 server_ctx_.get(), [](SSL *ssl, int *out_alert, void *arg) -> int {
4426 // During the handshake, |SSL_get_servername| must match |config|.
4427 ClientConfig *config_p = reinterpret_cast<ClientConfig *>(arg);
4428 EXPECT_STREQ(config_p->servername.c_str(),
4429 SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name));
4430 return SSL_TLSEXT_ERR_OK;
4431 });
4432 SSL_CTX_set_tlsext_servername_arg(server_ctx_.get(), &config);
4433
4434 ASSERT_TRUE(Connect(config));
4435 // After the handshake, it must also be available.
4436 EXPECT_STREQ(config.servername.c_str(),
4437 SSL_get_servername(server_.get(), TLSEXT_NAMETYPE_host_name));
4438
4439 // Establish a session under host1.
4440 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
4441 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
4442 bssl::UniquePtr<SSL_SESSION> session =
4443 CreateClientSession(client_ctx_.get(), server_ctx_.get(), config);
4444
4445 // If the client resumes a session with a different name, |SSL_get_servername|
4446 // must return the new name.
4447 ASSERT_TRUE(session);
4448 config.session = session.get();
4449 config.servername = "host2";
4450 ASSERT_TRUE(Connect(config));
4451 EXPECT_STREQ(config.servername.c_str(),
4452 SSL_get_servername(server_.get(), TLSEXT_NAMETYPE_host_name));
4453 }
4454
4455 // Test that session cache mode bits are honored in the client session callback.
TEST_P(SSLVersionTest,ClientSessionCacheMode)4456 TEST_P(SSLVersionTest, ClientSessionCacheMode) {
4457 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_OFF);
4458 EXPECT_FALSE(CreateClientSession(client_ctx_.get(), server_ctx_.get()));
4459
4460 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_CLIENT);
4461 EXPECT_TRUE(CreateClientSession(client_ctx_.get(), server_ctx_.get()));
4462
4463 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_SERVER);
4464 EXPECT_FALSE(CreateClientSession(client_ctx_.get(), server_ctx_.get()));
4465 }
4466
4467 // Test that all versions survive tiny write buffers. In particular, TLS 1.3
4468 // NewSessionTickets are written post-handshake. Servers that block
4469 // |SSL_do_handshake| on writing them will deadlock if clients are not draining
4470 // the buffer. Test that we do not do this.
TEST_P(SSLVersionTest,SmallBuffer)4471 TEST_P(SSLVersionTest, SmallBuffer) {
4472 // DTLS is a datagram protocol and requires packet-sized buffers.
4473 if (is_dtls()) {
4474 return;
4475 }
4476
4477 // Test both flushing NewSessionTickets with a zero-sized write and
4478 // non-zero-sized write.
4479 for (bool use_zero_write : {false, true}) {
4480 SCOPED_TRACE(use_zero_write);
4481
4482 g_last_session = nullptr;
4483 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
4484 SSL_CTX_sess_set_new_cb(client_ctx_.get(), SaveLastSession);
4485
4486 bssl::UniquePtr<SSL> client(SSL_new(client_ctx_.get())),
4487 server(SSL_new(server_ctx_.get()));
4488 ASSERT_TRUE(client);
4489 ASSERT_TRUE(server);
4490 SSL_set_connect_state(client.get());
4491 SSL_set_accept_state(server.get());
4492
4493 // Use a tiny buffer.
4494 BIO *bio1, *bio2;
4495 ASSERT_TRUE(BIO_new_bio_pair(&bio1, 1, &bio2, 1));
4496
4497 // SSL_set_bio takes ownership.
4498 SSL_set_bio(client.get(), bio1, bio1);
4499 SSL_set_bio(server.get(), bio2, bio2);
4500
4501 ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
4502 if (version() >= TLS1_3_VERSION) {
4503 // The post-handshake ticket should not have been processed yet.
4504 EXPECT_FALSE(g_last_session);
4505 }
4506
4507 if (use_zero_write) {
4508 ASSERT_TRUE(FlushNewSessionTickets(client.get(), server.get()));
4509 EXPECT_TRUE(g_last_session);
4510 }
4511
4512 // Send some data from server to client. If |use_zero_write| is false, this
4513 // will also flush the NewSessionTickets.
4514 static const char kMessage[] = "hello world";
4515 char buf[sizeof(kMessage)];
4516 for (;;) {
4517 int server_ret = SSL_write(server.get(), kMessage, sizeof(kMessage));
4518 int server_err = SSL_get_error(server.get(), server_ret);
4519 int client_ret = SSL_read(client.get(), buf, sizeof(buf));
4520 int client_err = SSL_get_error(client.get(), client_ret);
4521
4522 // The server will write a single record, so every iteration should see
4523 // |SSL_ERROR_WANT_WRITE| and |SSL_ERROR_WANT_READ|, until the final
4524 // iteration, where both will complete.
4525 if (server_ret > 0) {
4526 EXPECT_EQ(server_ret, static_cast<int>(sizeof(kMessage)));
4527 EXPECT_EQ(client_ret, static_cast<int>(sizeof(kMessage)));
4528 EXPECT_EQ(Bytes(buf), Bytes(kMessage));
4529 break;
4530 }
4531
4532 ASSERT_EQ(server_ret, -1);
4533 ASSERT_EQ(server_err, SSL_ERROR_WANT_WRITE);
4534 ASSERT_EQ(client_ret, -1);
4535 ASSERT_EQ(client_err, SSL_ERROR_WANT_READ);
4536 }
4537
4538 // The NewSessionTickets should have been flushed and processed.
4539 EXPECT_TRUE(g_last_session);
4540 }
4541 }
4542
TEST(SSLTest,AddChainCertHack)4543 TEST(SSLTest, AddChainCertHack) {
4544 // Ensure that we don't accidently break the hack that we have in place to
4545 // keep curl and serf happy when they use an |X509| even after transfering
4546 // ownership.
4547
4548 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
4549 ASSERT_TRUE(ctx);
4550 X509 *cert = GetTestCertificate().release();
4551 ASSERT_TRUE(cert);
4552 SSL_CTX_add0_chain_cert(ctx.get(), cert);
4553
4554 // This should not trigger a use-after-free.
4555 X509_cmp(cert, cert);
4556 }
4557
TEST(SSLTest,GetCertificate)4558 TEST(SSLTest, GetCertificate) {
4559 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
4560 ASSERT_TRUE(ctx);
4561 bssl::UniquePtr<X509> cert = GetTestCertificate();
4562 ASSERT_TRUE(cert);
4563 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), cert.get()));
4564 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
4565 ASSERT_TRUE(ssl);
4566
4567 X509 *cert2 = SSL_CTX_get0_certificate(ctx.get());
4568 ASSERT_TRUE(cert2);
4569 X509 *cert3 = SSL_get_certificate(ssl.get());
4570 ASSERT_TRUE(cert3);
4571
4572 // The old and new certificates must be identical.
4573 EXPECT_EQ(0, X509_cmp(cert.get(), cert2));
4574 EXPECT_EQ(0, X509_cmp(cert.get(), cert3));
4575
4576 uint8_t *der = nullptr;
4577 long der_len = i2d_X509(cert.get(), &der);
4578 ASSERT_LT(0, der_len);
4579 bssl::UniquePtr<uint8_t> free_der(der);
4580
4581 uint8_t *der2 = nullptr;
4582 long der2_len = i2d_X509(cert2, &der2);
4583 ASSERT_LT(0, der2_len);
4584 bssl::UniquePtr<uint8_t> free_der2(der2);
4585
4586 uint8_t *der3 = nullptr;
4587 long der3_len = i2d_X509(cert3, &der3);
4588 ASSERT_LT(0, der3_len);
4589 bssl::UniquePtr<uint8_t> free_der3(der3);
4590
4591 // They must also encode identically.
4592 EXPECT_EQ(Bytes(der, der_len), Bytes(der2, der2_len));
4593 EXPECT_EQ(Bytes(der, der_len), Bytes(der3, der3_len));
4594 }
4595
TEST(SSLTest,SetChainAndKeyMismatch)4596 TEST(SSLTest, SetChainAndKeyMismatch) {
4597 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_with_buffers_method()));
4598 ASSERT_TRUE(ctx);
4599
4600 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
4601 ASSERT_TRUE(key);
4602 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
4603 ASSERT_TRUE(leaf);
4604 std::vector<CRYPTO_BUFFER*> chain = {
4605 leaf.get(),
4606 };
4607
4608 // Should fail because |GetTestKey| doesn't match the chain-test certificate.
4609 ASSERT_FALSE(SSL_CTX_set_chain_and_key(ctx.get(), chain.data(), chain.size(),
4610 key.get(), nullptr));
4611 ERR_clear_error();
4612 }
4613
TEST(SSLTest,CertThenKeyMismatch)4614 TEST(SSLTest, CertThenKeyMismatch) {
4615 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
4616 ASSERT_TRUE(ctx);
4617
4618 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
4619 ASSERT_TRUE(key);
4620 bssl::UniquePtr<X509> leaf = GetChainTestCertificate();
4621 ASSERT_TRUE(leaf);
4622
4623 // There is no key or certificate, so |SSL_CTX_check_private_key| fails.
4624 EXPECT_FALSE(SSL_CTX_check_private_key(ctx.get()));
4625
4626 // With only a certificate, |SSL_CTX_check_private_key| still fails.
4627 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), leaf.get()));
4628 EXPECT_FALSE(SSL_CTX_check_private_key(ctx.get()));
4629
4630 // The private key does not match the certificate, so it should fail.
4631 EXPECT_FALSE(SSL_CTX_use_PrivateKey(ctx.get(), key.get()));
4632
4633 // Checking the private key fails, but this is really because there is still
4634 // no private key.
4635 EXPECT_FALSE(SSL_CTX_check_private_key(ctx.get()));
4636 EXPECT_EQ(nullptr, SSL_CTX_get0_privatekey(ctx.get()));
4637 }
4638
TEST(SSLTest,KeyThenCertMismatch)4639 TEST(SSLTest, KeyThenCertMismatch) {
4640 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
4641 ASSERT_TRUE(ctx);
4642
4643 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
4644 ASSERT_TRUE(key);
4645 bssl::UniquePtr<X509> leaf = GetChainTestCertificate();
4646 ASSERT_TRUE(leaf);
4647
4648 // There is no key or certificate, so |SSL_CTX_check_private_key| fails.
4649 EXPECT_FALSE(SSL_CTX_check_private_key(ctx.get()));
4650
4651 // With only a key, |SSL_CTX_check_private_key| still fails.
4652 ASSERT_TRUE(SSL_CTX_use_PrivateKey(ctx.get(), key.get()));
4653 EXPECT_FALSE(SSL_CTX_check_private_key(ctx.get()));
4654
4655 // If configuring a certificate that doesn't match the key, configuration
4656 // actually succeeds. We just silently drop the private key.
4657 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), leaf.get()));
4658 EXPECT_EQ(nullptr, SSL_CTX_get0_privatekey(ctx.get()));
4659
4660 // Some callers configure the private key, then the certificate, and then
4661 // expect |SSL_CTX_check_private_key| to check consistency. It does, but only
4662 // by way of noticing there is no private key. The actual consistency check
4663 // happened in |SSL_CTX_use_certificate|.
4664 EXPECT_FALSE(SSL_CTX_check_private_key(ctx.get()));
4665 }
4666
TEST(SSLTest,OverrideCertAndKey)4667 TEST(SSLTest, OverrideCertAndKey) {
4668 // It is possible to override an existing certificate by configuring
4669 // certificate, then key, due to |SSL_CTX_use_certificate|'s above silent
4670 // dropping behavior.
4671 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
4672 ASSERT_TRUE(ctx);
4673
4674 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
4675 ASSERT_TRUE(key);
4676 bssl::UniquePtr<X509> leaf = GetTestCertificate();
4677 ASSERT_TRUE(leaf);
4678 bssl::UniquePtr<EVP_PKEY> key2 = GetChainTestKey();
4679 ASSERT_TRUE(key2);
4680 bssl::UniquePtr<X509> leaf2 = GetChainTestCertificate();
4681 ASSERT_TRUE(leaf2);
4682
4683 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), leaf.get()));
4684 ASSERT_TRUE(SSL_CTX_use_PrivateKey(ctx.get(), key.get()));
4685
4686 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), leaf2.get()));
4687 ASSERT_TRUE(SSL_CTX_use_PrivateKey(ctx.get(), key2.get()));
4688 }
4689
TEST(SSLTest,OverrideKeyMethodWithKey)4690 TEST(SSLTest, OverrideKeyMethodWithKey) {
4691 // Make an SSL_PRIVATE_KEY_METHOD that should never be called.
4692 static const SSL_PRIVATE_KEY_METHOD kErrorMethod = {
4693 [](SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out,
4694 uint16_t signature_algorithm, const uint8_t *in,
4695 size_t in_len) { return ssl_private_key_failure; },
4696 [](SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out,
4697 const uint8_t *in, size_t in_len) { return ssl_private_key_failure; },
4698 [](SSL *ssl, uint8_t *out, size_t *out_len, size_t max_oun) {
4699 return ssl_private_key_failure;
4700 },
4701 };
4702
4703 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
4704 ASSERT_TRUE(key);
4705 bssl::UniquePtr<X509> leaf = GetTestCertificate();
4706 ASSERT_TRUE(leaf);
4707
4708 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
4709 ASSERT_TRUE(ctx);
4710 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), leaf.get()));
4711
4712 // Configuring an |SSL_PRIVATE_KEY_METHOD| and then overwriting it with an
4713 // |EVP_PKEY| should clear the |SSL_PRIVATE_KEY_METHOD|.
4714 SSL_CTX_set_private_key_method(ctx.get(), &kErrorMethod);
4715 ASSERT_TRUE(SSL_CTX_use_PrivateKey(ctx.get(), key.get()));
4716
4717 bssl::UniquePtr<SSL> client, server;
4718 ASSERT_TRUE(ConnectClientAndServer(&client, &server, ctx.get(), ctx.get()));
4719 }
4720
4721 // Configuring a chain and then overwriting it with a different chain should
4722 // clear the old one.
TEST(SSLTest,OverrideChain)4723 TEST(SSLTest, OverrideChain) {
4724 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
4725 ASSERT_TRUE(key);
4726 bssl::UniquePtr<X509> leaf = GetChainTestCertificate();
4727 ASSERT_TRUE(leaf);
4728 bssl::UniquePtr<X509> ca = GetChainTestIntermediate();
4729 ASSERT_TRUE(ca);
4730
4731 bssl::UniquePtr<STACK_OF(X509)> chain(sk_X509_new_null());
4732 ASSERT_TRUE(chain);
4733 ASSERT_TRUE(bssl::PushToStack(chain.get(), bssl::UpRef(ca)));
4734
4735 bssl::UniquePtr<STACK_OF(X509)> wrong_chain(sk_X509_new_null());
4736 ASSERT_TRUE(wrong_chain);
4737 ASSERT_TRUE(bssl::PushToStack(wrong_chain.get(), bssl::UpRef(leaf)));
4738 ASSERT_TRUE(bssl::PushToStack(wrong_chain.get(), bssl::UpRef(leaf)));
4739
4740 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
4741 ASSERT_TRUE(ctx);
4742 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), leaf.get()));
4743 ASSERT_TRUE(SSL_CTX_use_PrivateKey(ctx.get(), key.get()));
4744
4745 // Configure one chain, then replace it with another. Note this API considers
4746 // the chain to exclude the leaf.
4747 ASSERT_TRUE(SSL_CTX_set1_chain(ctx.get(), wrong_chain.get()));
4748 ASSERT_TRUE(SSL_CTX_set1_chain(ctx.get(), chain.get()));
4749
4750 bssl::UniquePtr<SSL> client, server;
4751 ASSERT_TRUE(ConnectClientAndServer(&client, &server, ctx.get(), ctx.get()));
4752 EXPECT_TRUE(ChainsEqual(SSL_get_peer_full_cert_chain(client.get()),
4753 {leaf.get(), ca.get()}));
4754 }
4755
TEST(SSLTest,OverrideChainAndKey)4756 TEST(SSLTest, OverrideChainAndKey) {
4757 bssl::UniquePtr<EVP_PKEY> key1 = GetChainTestKey();
4758 ASSERT_TRUE(key1);
4759 bssl::UniquePtr<CRYPTO_BUFFER> leaf1 = GetChainTestCertificateBuffer();
4760 ASSERT_TRUE(leaf1);
4761 bssl::UniquePtr<CRYPTO_BUFFER> ca1 = GetChainTestIntermediateBuffer();
4762 ASSERT_TRUE(ca1);
4763 bssl::UniquePtr<EVP_PKEY> key2 = GetECDSATestKey();
4764 ASSERT_TRUE(key2);
4765 bssl::UniquePtr<CRYPTO_BUFFER> leaf2 = GetECDSATestCertificateBuffer();
4766 ASSERT_TRUE(leaf2);
4767
4768 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
4769 ASSERT_TRUE(ctx);
4770
4771 // Configure one cert and key pair, then replace it with noather.
4772 std::vector<CRYPTO_BUFFER *> certs = {leaf1.get(), ca1.get()};
4773 ASSERT_TRUE(SSL_CTX_set_chain_and_key(ctx.get(), certs.data(), certs.size(),
4774 key1.get(), nullptr));
4775 certs = {leaf2.get()};
4776 ASSERT_TRUE(SSL_CTX_set_chain_and_key(ctx.get(), certs.data(), certs.size(),
4777 key2.get(), nullptr));
4778
4779 bssl::UniquePtr<SSL> client, server;
4780 ASSERT_TRUE(ConnectClientAndServer(&client, &server, ctx.get(), ctx.get()));
4781 EXPECT_TRUE(
4782 BuffersEqual(SSL_get0_peer_certificates(client.get()), {leaf2.get()}));
4783 }
4784
TEST(SSLTest,OverrideCredentialChain)4785 TEST(SSLTest, OverrideCredentialChain) {
4786 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
4787 ASSERT_TRUE(key);
4788 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
4789 ASSERT_TRUE(leaf);
4790 bssl::UniquePtr<CRYPTO_BUFFER> ca = GetChainTestIntermediateBuffer();
4791 ASSERT_TRUE(ca);
4792
4793 std::vector<CRYPTO_BUFFER *> chain = {leaf.get(), ca.get()};
4794 std::vector<CRYPTO_BUFFER *> wrong_chain = {leaf.get(), leaf.get(),
4795 leaf.get()};
4796
4797 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
4798 ASSERT_TRUE(ctx);
4799 bssl::UniquePtr<SSL_CREDENTIAL> cred(SSL_CREDENTIAL_new_x509());
4800 ASSERT_TRUE(cred);
4801
4802 // Configure one chain (including the leaf), then replace it with another.
4803 ASSERT_TRUE(SSL_CREDENTIAL_set1_cert_chain(cred.get(), wrong_chain.data(),
4804 wrong_chain.size()));
4805 ASSERT_TRUE(
4806 SSL_CREDENTIAL_set1_cert_chain(cred.get(), chain.data(), chain.size()));
4807
4808 ASSERT_TRUE(SSL_CREDENTIAL_set1_private_key(cred.get(), key.get()));
4809 ASSERT_TRUE(SSL_CTX_add1_credential(ctx.get(), cred.get()));
4810
4811 bssl::UniquePtr<SSL> client, server;
4812 ASSERT_TRUE(ConnectClientAndServer(&client, &server, ctx.get(), ctx.get()));
4813 EXPECT_TRUE(BuffersEqual(SSL_get0_peer_certificates(client.get()),
4814 {leaf.get(), ca.get()}));
4815 }
4816
TEST(SSLTest,SetChainAndKeyCtx)4817 TEST(SSLTest, SetChainAndKeyCtx) {
4818 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method()));
4819 ASSERT_TRUE(client_ctx);
4820 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_with_buffers_method()));
4821 ASSERT_TRUE(server_ctx);
4822
4823 ASSERT_EQ(nullptr, SSL_CTX_get0_chain(server_ctx.get()));
4824
4825 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
4826 ASSERT_TRUE(key);
4827 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
4828 ASSERT_TRUE(leaf);
4829 bssl::UniquePtr<CRYPTO_BUFFER> intermediate =
4830 GetChainTestIntermediateBuffer();
4831 ASSERT_TRUE(intermediate);
4832 std::vector<CRYPTO_BUFFER*> chain = {
4833 leaf.get(), intermediate.get(),
4834 };
4835 ASSERT_TRUE(SSL_CTX_set_chain_and_key(server_ctx.get(), chain.data(),
4836 chain.size(), key.get(), nullptr));
4837
4838 ASSERT_EQ(chain.size(),
4839 sk_CRYPTO_BUFFER_num(SSL_CTX_get0_chain(server_ctx.get())));
4840
4841 SSL_CTX_set_custom_verify(
4842 client_ctx.get(), SSL_VERIFY_PEER,
4843 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
4844 return ssl_verify_ok;
4845 });
4846
4847 bssl::UniquePtr<SSL> client, server;
4848 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
4849 server_ctx.get()));
4850 }
4851
TEST(SSLTest,SetChainAndKeySSL)4852 TEST(SSLTest, SetChainAndKeySSL) {
4853 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method()));
4854 ASSERT_TRUE(client_ctx);
4855 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_with_buffers_method()));
4856 ASSERT_TRUE(server_ctx);
4857
4858 bssl::UniquePtr<SSL> client, server;
4859 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
4860 server_ctx.get()));
4861 SSL_set_shed_handshake_config(client.get(), true);
4862 SSL_set_shed_handshake_config(server.get(), true);
4863
4864 ASSERT_EQ(nullptr, SSL_get0_chain(server.get()));
4865
4866 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
4867 ASSERT_TRUE(key);
4868 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
4869 ASSERT_TRUE(leaf);
4870 bssl::UniquePtr<CRYPTO_BUFFER> intermediate =
4871 GetChainTestIntermediateBuffer();
4872 ASSERT_TRUE(intermediate);
4873 std::vector<CRYPTO_BUFFER*> chain = {
4874 leaf.get(), intermediate.get(),
4875 };
4876 ASSERT_TRUE(SSL_set_chain_and_key(server.get(), chain.data(),
4877 chain.size(), key.get(), nullptr));
4878
4879 ASSERT_EQ(chain.size(),
4880 sk_CRYPTO_BUFFER_num(SSL_get0_chain(server.get())));
4881
4882 SSL_set_custom_verify(
4883 client.get(), SSL_VERIFY_PEER,
4884 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
4885 return ssl_verify_ok;
4886 });
4887
4888 ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
4889
4890 // The server is configured to shed handshake config, so the certificate is no
4891 // longer available after the handshake.
4892 ASSERT_EQ(nullptr, SSL_get0_chain(server.get()));
4893 }
4894
TEST(SSLTest,BuffersFailWithoutCustomVerify)4895 TEST(SSLTest, BuffersFailWithoutCustomVerify) {
4896 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method()));
4897 ASSERT_TRUE(client_ctx);
4898 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_with_buffers_method()));
4899 ASSERT_TRUE(server_ctx);
4900
4901 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
4902 ASSERT_TRUE(key);
4903 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
4904 ASSERT_TRUE(leaf);
4905 std::vector<CRYPTO_BUFFER*> chain = { leaf.get() };
4906 ASSERT_TRUE(SSL_CTX_set_chain_and_key(server_ctx.get(), chain.data(),
4907 chain.size(), key.get(), nullptr));
4908
4909 // Without SSL_CTX_set_custom_verify(), i.e. with everything in the default
4910 // configuration, certificate verification should fail.
4911 bssl::UniquePtr<SSL> client, server;
4912 ASSERT_FALSE(ConnectClientAndServer(&client, &server, client_ctx.get(),
4913 server_ctx.get()));
4914
4915 // Whereas with a verifier, the connection should succeed.
4916 SSL_CTX_set_custom_verify(
4917 client_ctx.get(), SSL_VERIFY_PEER,
4918 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
4919 return ssl_verify_ok;
4920 });
4921 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
4922 server_ctx.get()));
4923 }
4924
TEST(SSLTest,CustomVerify)4925 TEST(SSLTest, CustomVerify) {
4926 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method()));
4927 ASSERT_TRUE(client_ctx);
4928 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_with_buffers_method()));
4929 ASSERT_TRUE(server_ctx);
4930
4931 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
4932 ASSERT_TRUE(key);
4933 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
4934 ASSERT_TRUE(leaf);
4935 std::vector<CRYPTO_BUFFER*> chain = { leaf.get() };
4936 ASSERT_TRUE(SSL_CTX_set_chain_and_key(server_ctx.get(), chain.data(),
4937 chain.size(), key.get(), nullptr));
4938
4939 SSL_CTX_set_custom_verify(
4940 client_ctx.get(), SSL_VERIFY_PEER,
4941 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
4942 return ssl_verify_ok;
4943 });
4944
4945 bssl::UniquePtr<SSL> client, server;
4946 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
4947 server_ctx.get()));
4948
4949 // With SSL_VERIFY_PEER, ssl_verify_invalid should result in a dropped
4950 // connection.
4951 SSL_CTX_set_custom_verify(
4952 client_ctx.get(), SSL_VERIFY_PEER,
4953 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
4954 return ssl_verify_invalid;
4955 });
4956
4957 ASSERT_FALSE(ConnectClientAndServer(&client, &server, client_ctx.get(),
4958 server_ctx.get()));
4959
4960 // But with SSL_VERIFY_NONE, ssl_verify_invalid should not cause a dropped
4961 // connection.
4962 SSL_CTX_set_custom_verify(
4963 client_ctx.get(), SSL_VERIFY_NONE,
4964 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
4965 return ssl_verify_invalid;
4966 });
4967
4968 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
4969 server_ctx.get()));
4970 }
4971
TEST(SSLTest,ClientCABuffers)4972 TEST(SSLTest, ClientCABuffers) {
4973 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method()));
4974 ASSERT_TRUE(client_ctx);
4975 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_with_buffers_method()));
4976 ASSERT_TRUE(server_ctx);
4977
4978 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
4979 ASSERT_TRUE(key);
4980 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
4981 ASSERT_TRUE(leaf);
4982 bssl::UniquePtr<CRYPTO_BUFFER> intermediate =
4983 GetChainTestIntermediateBuffer();
4984 ASSERT_TRUE(intermediate);
4985 std::vector<CRYPTO_BUFFER *> chain = {
4986 leaf.get(),
4987 intermediate.get(),
4988 };
4989 ASSERT_TRUE(SSL_CTX_set_chain_and_key(server_ctx.get(), chain.data(),
4990 chain.size(), key.get(), nullptr));
4991
4992 bssl::UniquePtr<CRYPTO_BUFFER> ca_name(
4993 CRYPTO_BUFFER_new(kTestName, sizeof(kTestName), nullptr));
4994 ASSERT_TRUE(ca_name);
4995 bssl::UniquePtr<STACK_OF(CRYPTO_BUFFER)> ca_names(
4996 sk_CRYPTO_BUFFER_new_null());
4997 ASSERT_TRUE(ca_names);
4998 ASSERT_TRUE(PushToStack(ca_names.get(), std::move(ca_name)));
4999 SSL_CTX_set0_client_CAs(server_ctx.get(), ca_names.release());
5000
5001 // Configure client and server to accept all certificates.
5002 SSL_CTX_set_custom_verify(
5003 client_ctx.get(), SSL_VERIFY_PEER,
5004 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
5005 return ssl_verify_ok;
5006 });
5007 SSL_CTX_set_custom_verify(
5008 server_ctx.get(), SSL_VERIFY_PEER,
5009 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
5010 return ssl_verify_ok;
5011 });
5012
5013 bool cert_cb_called = false;
5014 SSL_CTX_set_cert_cb(
5015 client_ctx.get(),
5016 [](SSL *ssl, void *arg) -> int {
5017 const STACK_OF(CRYPTO_BUFFER) *peer_names =
5018 SSL_get0_server_requested_CAs(ssl);
5019 EXPECT_EQ(1u, sk_CRYPTO_BUFFER_num(peer_names));
5020 CRYPTO_BUFFER *peer_name = sk_CRYPTO_BUFFER_value(peer_names, 0);
5021 EXPECT_EQ(Bytes(kTestName), Bytes(CRYPTO_BUFFER_data(peer_name),
5022 CRYPTO_BUFFER_len(peer_name)));
5023 *reinterpret_cast<bool *>(arg) = true;
5024 return 1;
5025 },
5026 &cert_cb_called);
5027
5028 bssl::UniquePtr<SSL> client, server;
5029 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
5030 server_ctx.get()));
5031 EXPECT_TRUE(cert_cb_called);
5032 }
5033
5034 // Configuring the empty cipher list, though an error, should still modify the
5035 // configuration.
TEST(SSLTest,EmptyCipherList)5036 TEST(SSLTest, EmptyCipherList) {
5037 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
5038 ASSERT_TRUE(ctx);
5039
5040 // Initially, the cipher list is not empty.
5041 EXPECT_NE(0u, sk_SSL_CIPHER_num(SSL_CTX_get_ciphers(ctx.get())));
5042
5043 // Configuring the empty cipher list fails.
5044 EXPECT_FALSE(SSL_CTX_set_cipher_list(ctx.get(), ""));
5045 ERR_clear_error();
5046
5047 // But the cipher list is still updated to empty.
5048 EXPECT_EQ(0u, sk_SSL_CIPHER_num(SSL_CTX_get_ciphers(ctx.get())));
5049 }
5050
5051 // ssl_test_ticket_aead_failure_mode enumerates the possible ways in which the
5052 // test |SSL_TICKET_AEAD_METHOD| can fail.
5053 enum ssl_test_ticket_aead_failure_mode {
5054 ssl_test_ticket_aead_ok = 0,
5055 ssl_test_ticket_aead_seal_fail,
5056 ssl_test_ticket_aead_open_soft_fail,
5057 ssl_test_ticket_aead_open_hard_fail,
5058 };
5059
5060 struct ssl_test_ticket_aead_state {
5061 unsigned retry_count = 0;
5062 ssl_test_ticket_aead_failure_mode failure_mode = ssl_test_ticket_aead_ok;
5063 };
5064
ssl_test_ticket_aead_ex_index_dup(CRYPTO_EX_DATA * to,const CRYPTO_EX_DATA * from,void ** from_d,int index,long argl,void * argp)5065 static int ssl_test_ticket_aead_ex_index_dup(CRYPTO_EX_DATA *to,
5066 const CRYPTO_EX_DATA *from,
5067 void **from_d, int index,
5068 long argl, void *argp) {
5069 abort();
5070 }
5071
ssl_test_ticket_aead_ex_index_free(void * parent,void * ptr,CRYPTO_EX_DATA * ad,int index,long argl,void * argp)5072 static void ssl_test_ticket_aead_ex_index_free(void *parent, void *ptr,
5073 CRYPTO_EX_DATA *ad, int index,
5074 long argl, void *argp) {
5075 delete reinterpret_cast<ssl_test_ticket_aead_state*>(ptr);
5076 }
5077
5078 static CRYPTO_once_t g_ssl_test_ticket_aead_ex_index_once = CRYPTO_ONCE_INIT;
5079 static int g_ssl_test_ticket_aead_ex_index;
5080
ssl_test_ticket_aead_get_ex_index()5081 static int ssl_test_ticket_aead_get_ex_index() {
5082 CRYPTO_once(&g_ssl_test_ticket_aead_ex_index_once, [] {
5083 g_ssl_test_ticket_aead_ex_index = SSL_get_ex_new_index(
5084 0, nullptr, nullptr, ssl_test_ticket_aead_ex_index_dup,
5085 ssl_test_ticket_aead_ex_index_free);
5086 });
5087 return g_ssl_test_ticket_aead_ex_index;
5088 }
5089
ssl_test_ticket_aead_max_overhead(SSL * ssl)5090 static size_t ssl_test_ticket_aead_max_overhead(SSL *ssl) {
5091 return 1;
5092 }
5093
ssl_test_ticket_aead_seal(SSL * ssl,uint8_t * out,size_t * out_len,size_t max_out_len,const uint8_t * in,size_t in_len)5094 static int ssl_test_ticket_aead_seal(SSL *ssl, uint8_t *out, size_t *out_len,
5095 size_t max_out_len, const uint8_t *in,
5096 size_t in_len) {
5097 auto state = reinterpret_cast<ssl_test_ticket_aead_state *>(
5098 SSL_get_ex_data(ssl, ssl_test_ticket_aead_get_ex_index()));
5099
5100 if (state->failure_mode == ssl_test_ticket_aead_seal_fail ||
5101 max_out_len < in_len + 1) {
5102 return 0;
5103 }
5104
5105 OPENSSL_memmove(out, in, in_len);
5106 out[in_len] = 0xff;
5107 *out_len = in_len + 1;
5108
5109 return 1;
5110 }
5111
ssl_test_ticket_aead_open(SSL * ssl,uint8_t * out,size_t * out_len,size_t max_out_len,const uint8_t * in,size_t in_len)5112 static ssl_ticket_aead_result_t ssl_test_ticket_aead_open(
5113 SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out_len,
5114 const uint8_t *in, size_t in_len) {
5115 auto state = reinterpret_cast<ssl_test_ticket_aead_state *>(
5116 SSL_get_ex_data(ssl, ssl_test_ticket_aead_get_ex_index()));
5117
5118 if (state->retry_count > 0) {
5119 state->retry_count--;
5120 return ssl_ticket_aead_retry;
5121 }
5122
5123 switch (state->failure_mode) {
5124 case ssl_test_ticket_aead_ok:
5125 break;
5126 case ssl_test_ticket_aead_seal_fail:
5127 // If |seal| failed then there shouldn't be any ticket to try and
5128 // decrypt.
5129 abort();
5130 break;
5131 case ssl_test_ticket_aead_open_soft_fail:
5132 return ssl_ticket_aead_ignore_ticket;
5133 case ssl_test_ticket_aead_open_hard_fail:
5134 return ssl_ticket_aead_error;
5135 }
5136
5137 if (in_len == 0 || in[in_len - 1] != 0xff) {
5138 return ssl_ticket_aead_ignore_ticket;
5139 }
5140
5141 if (max_out_len < in_len - 1) {
5142 return ssl_ticket_aead_error;
5143 }
5144
5145 OPENSSL_memmove(out, in, in_len - 1);
5146 *out_len = in_len - 1;
5147 return ssl_ticket_aead_success;
5148 }
5149
5150 static const SSL_TICKET_AEAD_METHOD kSSLTestTicketMethod = {
5151 ssl_test_ticket_aead_max_overhead,
5152 ssl_test_ticket_aead_seal,
5153 ssl_test_ticket_aead_open,
5154 };
5155
ConnectClientAndServerWithTicketMethod(bssl::UniquePtr<SSL> * out_client,bssl::UniquePtr<SSL> * out_server,SSL_CTX * client_ctx,SSL_CTX * server_ctx,unsigned retry_count,ssl_test_ticket_aead_failure_mode failure_mode,SSL_SESSION * session)5156 static void ConnectClientAndServerWithTicketMethod(
5157 bssl::UniquePtr<SSL> *out_client, bssl::UniquePtr<SSL> *out_server,
5158 SSL_CTX *client_ctx, SSL_CTX *server_ctx, unsigned retry_count,
5159 ssl_test_ticket_aead_failure_mode failure_mode, SSL_SESSION *session) {
5160 bssl::UniquePtr<SSL> client(SSL_new(client_ctx)), server(SSL_new(server_ctx));
5161 ASSERT_TRUE(client);
5162 ASSERT_TRUE(server);
5163 SSL_set_connect_state(client.get());
5164 SSL_set_accept_state(server.get());
5165
5166 auto state = new ssl_test_ticket_aead_state;
5167 state->retry_count = retry_count;
5168 state->failure_mode = failure_mode;
5169
5170 ASSERT_GE(ssl_test_ticket_aead_get_ex_index(), 0);
5171 ASSERT_TRUE(SSL_set_ex_data(server.get(), ssl_test_ticket_aead_get_ex_index(),
5172 state));
5173
5174 SSL_set_session(client.get(), session);
5175
5176 BIO *bio1, *bio2;
5177 ASSERT_TRUE(BIO_new_bio_pair(&bio1, 0, &bio2, 0));
5178
5179 // SSL_set_bio takes ownership.
5180 SSL_set_bio(client.get(), bio1, bio1);
5181 SSL_set_bio(server.get(), bio2, bio2);
5182
5183 if (CompleteHandshakes(client.get(), server.get())) {
5184 *out_client = std::move(client);
5185 *out_server = std::move(server);
5186 } else {
5187 out_client->reset();
5188 out_server->reset();
5189 }
5190 }
5191
5192 using TicketAEADMethodParam =
5193 testing::tuple<uint16_t, unsigned, ssl_test_ticket_aead_failure_mode>;
5194
5195 class TicketAEADMethodTest
5196 : public ::testing::TestWithParam<TicketAEADMethodParam> {};
5197
TEST_P(TicketAEADMethodTest,Resume)5198 TEST_P(TicketAEADMethodTest, Resume) {
5199 bssl::UniquePtr<SSL_CTX> server_ctx =
5200 CreateContextWithTestCertificate(TLS_method());
5201 ASSERT_TRUE(server_ctx);
5202 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
5203 ASSERT_TRUE(client_ctx);
5204
5205 const uint16_t version = testing::get<0>(GetParam());
5206 const unsigned retry_count = testing::get<1>(GetParam());
5207 const ssl_test_ticket_aead_failure_mode failure_mode =
5208 testing::get<2>(GetParam());
5209
5210 ASSERT_TRUE(SSL_CTX_set_min_proto_version(client_ctx.get(), version));
5211 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), version));
5212 ASSERT_TRUE(SSL_CTX_set_min_proto_version(server_ctx.get(), version));
5213 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), version));
5214
5215 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
5216 SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH);
5217 SSL_CTX_set_current_time_cb(client_ctx.get(), FrozenTimeCallback);
5218 SSL_CTX_set_current_time_cb(server_ctx.get(), FrozenTimeCallback);
5219 SSL_CTX_sess_set_new_cb(client_ctx.get(), SaveLastSession);
5220
5221 SSL_CTX_set_ticket_aead_method(server_ctx.get(), &kSSLTestTicketMethod);
5222
5223 bssl::UniquePtr<SSL> client, server;
5224 ASSERT_NO_FATAL_FAILURE(ConnectClientAndServerWithTicketMethod(
5225 &client, &server, client_ctx.get(), server_ctx.get(), retry_count,
5226 failure_mode, nullptr));
5227 switch (failure_mode) {
5228 case ssl_test_ticket_aead_ok:
5229 case ssl_test_ticket_aead_open_hard_fail:
5230 case ssl_test_ticket_aead_open_soft_fail:
5231 ASSERT_TRUE(client);
5232 break;
5233 case ssl_test_ticket_aead_seal_fail:
5234 EXPECT_FALSE(client);
5235 return;
5236 }
5237 EXPECT_FALSE(SSL_session_reused(client.get()));
5238 EXPECT_FALSE(SSL_session_reused(server.get()));
5239
5240 ASSERT_TRUE(FlushNewSessionTickets(client.get(), server.get()));
5241 bssl::UniquePtr<SSL_SESSION> session = std::move(g_last_session);
5242 ASSERT_NO_FATAL_FAILURE(ConnectClientAndServerWithTicketMethod(
5243 &client, &server, client_ctx.get(), server_ctx.get(), retry_count,
5244 failure_mode, session.get()));
5245 switch (failure_mode) {
5246 case ssl_test_ticket_aead_ok:
5247 ASSERT_TRUE(client);
5248 EXPECT_TRUE(SSL_session_reused(client.get()));
5249 EXPECT_TRUE(SSL_session_reused(server.get()));
5250 break;
5251 case ssl_test_ticket_aead_seal_fail:
5252 abort();
5253 break;
5254 case ssl_test_ticket_aead_open_hard_fail:
5255 EXPECT_FALSE(client);
5256 break;
5257 case ssl_test_ticket_aead_open_soft_fail:
5258 ASSERT_TRUE(client);
5259 EXPECT_FALSE(SSL_session_reused(client.get()));
5260 EXPECT_FALSE(SSL_session_reused(server.get()));
5261 }
5262 }
5263
TicketAEADMethodParamToString(const testing::TestParamInfo<TicketAEADMethodParam> & params)5264 std::string TicketAEADMethodParamToString(
5265 const testing::TestParamInfo<TicketAEADMethodParam> ¶ms) {
5266 std::string ret = GetVersionName(std::get<0>(params.param));
5267 // GTest only allows alphanumeric characters and '_' in the parameter
5268 // string. Additionally filter out the 'v' to get "TLS13" over "TLSv13".
5269 for (auto it = ret.begin(); it != ret.end();) {
5270 if (*it == '.' || *it == 'v') {
5271 it = ret.erase(it);
5272 } else {
5273 ++it;
5274 }
5275 }
5276 char retry_count[256];
5277 snprintf(retry_count, sizeof(retry_count), "%u", std::get<1>(params.param));
5278 ret += "_";
5279 ret += retry_count;
5280 ret += "Retries_";
5281 switch (std::get<2>(params.param)) {
5282 case ssl_test_ticket_aead_ok:
5283 ret += "OK";
5284 break;
5285 case ssl_test_ticket_aead_seal_fail:
5286 ret += "SealFail";
5287 break;
5288 case ssl_test_ticket_aead_open_soft_fail:
5289 ret += "OpenSoftFail";
5290 break;
5291 case ssl_test_ticket_aead_open_hard_fail:
5292 ret += "OpenHardFail";
5293 break;
5294 }
5295 return ret;
5296 }
5297
5298 INSTANTIATE_TEST_SUITE_P(
5299 TicketAEADMethodTests, TicketAEADMethodTest,
5300 testing::Combine(testing::Values(TLS1_2_VERSION, TLS1_3_VERSION),
5301 testing::Values(0, 1, 2),
5302 testing::Values(ssl_test_ticket_aead_ok,
5303 ssl_test_ticket_aead_seal_fail,
5304 ssl_test_ticket_aead_open_soft_fail,
5305 ssl_test_ticket_aead_open_hard_fail)),
5306 TicketAEADMethodParamToString);
5307
TEST(SSLTest,SelectNextProto)5308 TEST(SSLTest, SelectNextProto) {
5309 uint8_t *result;
5310 uint8_t result_len;
5311
5312 // If there is an overlap, it should be returned.
5313 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
5314 SSL_select_next_proto(&result, &result_len,
5315 (const uint8_t *)"\1a\2bb\3ccc", 9,
5316 (const uint8_t *)"\1x\1y\1a\1z", 8));
5317 EXPECT_EQ(Bytes("a"), Bytes(result, result_len));
5318
5319 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
5320 SSL_select_next_proto(&result, &result_len,
5321 (const uint8_t *)"\1a\2bb\3ccc", 9,
5322 (const uint8_t *)"\1x\1y\2bb\1z", 9));
5323 EXPECT_EQ(Bytes("bb"), Bytes(result, result_len));
5324
5325 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
5326 SSL_select_next_proto(&result, &result_len,
5327 (const uint8_t *)"\1a\2bb\3ccc", 9,
5328 (const uint8_t *)"\1x\1y\3ccc\1z", 10));
5329 EXPECT_EQ(Bytes("ccc"), Bytes(result, result_len));
5330
5331 // Peer preference order takes precedence over local.
5332 EXPECT_EQ(OPENSSL_NPN_NEGOTIATED,
5333 SSL_select_next_proto(&result, &result_len,
5334 (const uint8_t *)"\1a\2bb\3ccc", 9,
5335 (const uint8_t *)"\3ccc\2bb\1a", 9));
5336 EXPECT_EQ(Bytes("a"), Bytes(result, result_len));
5337
5338 // If there is no overlap, opportunistically select the first local protocol.
5339 // ALPN callers should ignore this, but NPN callers may use this per
5340 // draft-agl-tls-nextprotoneg-03, section 6.
5341 EXPECT_EQ(OPENSSL_NPN_NO_OVERLAP,
5342 SSL_select_next_proto(&result, &result_len,
5343 (const uint8_t *)"\1a\2bb\3ccc", 9,
5344 (const uint8_t *)"\1x\2yy\3zzz", 9));
5345 EXPECT_EQ(Bytes("x"), Bytes(result, result_len));
5346
5347 // The peer preference order may be empty in NPN. This should be treated as no
5348 // overlap and continue to select an opportunistic protocol.
5349 EXPECT_EQ(OPENSSL_NPN_NO_OVERLAP,
5350 SSL_select_next_proto(&result, &result_len, nullptr, 0,
5351 (const uint8_t *)"\1x\2yy\3zzz", 9));
5352 EXPECT_EQ(Bytes("x"), Bytes(result, result_len));
5353
5354 // Although calling this function with no local protocols is a caller error,
5355 // it should cleanly return an empty protocol.
5356 EXPECT_EQ(
5357 OPENSSL_NPN_NO_OVERLAP,
5358 SSL_select_next_proto(&result, &result_len,
5359 (const uint8_t *)"\1a\2bb\3ccc", 9, nullptr, 0));
5360 EXPECT_EQ(Bytes(""), Bytes(result, result_len));
5361
5362 // Syntax errors are similarly caller errors.
5363 EXPECT_EQ(
5364 OPENSSL_NPN_NO_OVERLAP,
5365 SSL_select_next_proto(&result, &result_len, (const uint8_t *)"\4aaa", 4,
5366 (const uint8_t *)"\1a\2bb\3ccc", 9));
5367 EXPECT_EQ(Bytes(""), Bytes(result, result_len));
5368 EXPECT_EQ(OPENSSL_NPN_NO_OVERLAP,
5369 SSL_select_next_proto(&result, &result_len,
5370 (const uint8_t *)"\1a\2bb\3ccc", 9,
5371 (const uint8_t *)"\4aaa", 4));
5372 EXPECT_EQ(Bytes(""), Bytes(result, result_len));
5373
5374 // Protocols in protocol lists may not be empty.
5375 EXPECT_EQ(OPENSSL_NPN_NO_OVERLAP,
5376 SSL_select_next_proto(&result, &result_len,
5377 (const uint8_t *)"\0\2bb\3ccc", 8,
5378 (const uint8_t *)"\1a\2bb\3ccc", 9));
5379 EXPECT_EQ(OPENSSL_NPN_NO_OVERLAP,
5380 SSL_select_next_proto(&result, &result_len,
5381 (const uint8_t *)"\1a\2bb\3ccc", 9,
5382 (const uint8_t *)"\0\2bb\3ccc", 8));
5383 EXPECT_EQ(Bytes(""), Bytes(result, result_len));
5384 }
5385
5386 // The client should gracefully handle no suitable ciphers being enabled.
TEST(SSLTest,NoCiphersAvailable)5387 TEST(SSLTest, NoCiphersAvailable) {
5388 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
5389 ASSERT_TRUE(ctx);
5390
5391 // Configure |client_ctx| with a cipher list that does not intersect with its
5392 // version configuration.
5393 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(
5394 ctx.get(), "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"));
5395 ASSERT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_1_VERSION));
5396 ASSERT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_1_VERSION));
5397
5398 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
5399 ASSERT_TRUE(ssl);
5400 SSL_set_connect_state(ssl.get());
5401
5402 UniquePtr<BIO> rbio(BIO_new(BIO_s_mem())), wbio(BIO_new(BIO_s_mem()));
5403 ASSERT_TRUE(rbio);
5404 ASSERT_TRUE(wbio);
5405 SSL_set0_rbio(ssl.get(), rbio.release());
5406 SSL_set0_wbio(ssl.get(), wbio.release());
5407
5408 int ret = SSL_do_handshake(ssl.get());
5409 EXPECT_EQ(-1, ret);
5410 EXPECT_EQ(SSL_ERROR_SSL, SSL_get_error(ssl.get(), ret));
5411 EXPECT_TRUE(
5412 ErrorEquals(ERR_get_error(), ERR_LIB_SSL, SSL_R_NO_CIPHERS_AVAILABLE));
5413 }
5414
TEST_P(SSLVersionTest,SessionVersion)5415 TEST_P(SSLVersionTest, SessionVersion) {
5416 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
5417 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
5418
5419 bssl::UniquePtr<SSL_SESSION> session =
5420 CreateClientSession(client_ctx_.get(), server_ctx_.get());
5421 ASSERT_TRUE(session);
5422 EXPECT_EQ(version(), SSL_SESSION_get_protocol_version(session.get()));
5423
5424 // Sessions in TLS 1.3 and later should be single-use.
5425 EXPECT_EQ(version() == TLS1_3_VERSION,
5426 !!SSL_SESSION_should_be_single_use(session.get()));
5427
5428 // Making fake sessions for testing works.
5429 session.reset(SSL_SESSION_new(client_ctx_.get()));
5430 ASSERT_TRUE(session);
5431 ASSERT_TRUE(SSL_SESSION_set_protocol_version(session.get(), version()));
5432 EXPECT_EQ(version(), SSL_SESSION_get_protocol_version(session.get()));
5433 }
5434
TEST_P(SSLVersionTest,SSLPending)5435 TEST_P(SSLVersionTest, SSLPending) {
5436 UniquePtr<SSL> ssl(SSL_new(client_ctx_.get()));
5437 ASSERT_TRUE(ssl);
5438 EXPECT_EQ(0, SSL_pending(ssl.get()));
5439
5440 ASSERT_TRUE(Connect());
5441 EXPECT_EQ(0, SSL_pending(client_.get()));
5442 EXPECT_EQ(0, SSL_has_pending(client_.get()));
5443
5444 ASSERT_EQ(5, SSL_write(server_.get(), "hello", 5));
5445 ASSERT_EQ(5, SSL_write(server_.get(), "world", 5));
5446 EXPECT_EQ(0, SSL_pending(client_.get()));
5447 EXPECT_EQ(0, SSL_has_pending(client_.get()));
5448
5449 char buf[10];
5450 ASSERT_EQ(1, SSL_peek(client_.get(), buf, 1));
5451 EXPECT_EQ(5, SSL_pending(client_.get()));
5452 EXPECT_EQ(1, SSL_has_pending(client_.get()));
5453
5454 ASSERT_EQ(1, SSL_read(client_.get(), buf, 1));
5455 EXPECT_EQ(4, SSL_pending(client_.get()));
5456 EXPECT_EQ(1, SSL_has_pending(client_.get()));
5457
5458 ASSERT_EQ(4, SSL_read(client_.get(), buf, 10));
5459 EXPECT_EQ(0, SSL_pending(client_.get()));
5460 if (is_dtls()) {
5461 // In DTLS, the two records would have been read as a single datagram and
5462 // buffered inside |client_|. Thus, |SSL_has_pending| should return true.
5463 //
5464 // This test is slightly unrealistic. It relies on |ConnectClientAndServer|
5465 // using a |BIO| pair, which does not preserve datagram boundaries. Reading
5466 // 1 byte, then 4 bytes, from the first record also relies on
5467 // https://crbug.com/boringssl/65. But it does test the codepaths. When
5468 // fixing either of these bugs, this test may need to be redone.
5469 EXPECT_EQ(1, SSL_has_pending(client_.get()));
5470 } else {
5471 // In TLS, we do not overread, so |SSL_has_pending| should report no data is
5472 // buffered.
5473 EXPECT_EQ(0, SSL_has_pending(client_.get()));
5474 }
5475
5476 ASSERT_EQ(2, SSL_read(client_.get(), buf, 2));
5477 EXPECT_EQ(3, SSL_pending(client_.get()));
5478 EXPECT_EQ(1, SSL_has_pending(client_.get()));
5479 }
5480
5481 // Test that post-handshake tickets consumed by |SSL_shutdown| are ignored.
TEST(SSLTest,ShutdownIgnoresTickets)5482 TEST(SSLTest, ShutdownIgnoresTickets) {
5483 bssl::UniquePtr<SSL_CTX> ctx(CreateContextWithTestCertificate(TLS_method()));
5484 ASSERT_TRUE(ctx);
5485 ASSERT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_3_VERSION));
5486 ASSERT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_3_VERSION));
5487
5488 SSL_CTX_set_session_cache_mode(ctx.get(), SSL_SESS_CACHE_BOTH);
5489
5490 bssl::UniquePtr<SSL> client, server;
5491 ASSERT_TRUE(ConnectClientAndServer(&client, &server, ctx.get(), ctx.get()));
5492
5493 SSL_CTX_sess_set_new_cb(ctx.get(), [](SSL *ssl, SSL_SESSION *session) -> int {
5494 ADD_FAILURE() << "New session callback called during SSL_shutdown";
5495 return 0;
5496 });
5497
5498 // Send close_notify.
5499 EXPECT_EQ(0, SSL_shutdown(server.get()));
5500 EXPECT_EQ(0, SSL_shutdown(client.get()));
5501
5502 // Receive close_notify.
5503 EXPECT_EQ(1, SSL_shutdown(server.get()));
5504 EXPECT_EQ(1, SSL_shutdown(client.get()));
5505 }
5506
TEST(SSLTest,SignatureAlgorithmProperties)5507 TEST(SSLTest, SignatureAlgorithmProperties) {
5508 EXPECT_EQ(EVP_PKEY_NONE, SSL_get_signature_algorithm_key_type(0x1234));
5509 EXPECT_EQ(nullptr, SSL_get_signature_algorithm_digest(0x1234));
5510 EXPECT_FALSE(SSL_is_signature_algorithm_rsa_pss(0x1234));
5511
5512 EXPECT_EQ(EVP_PKEY_RSA,
5513 SSL_get_signature_algorithm_key_type(SSL_SIGN_RSA_PKCS1_MD5_SHA1));
5514 EXPECT_EQ(EVP_md5_sha1(),
5515 SSL_get_signature_algorithm_digest(SSL_SIGN_RSA_PKCS1_MD5_SHA1));
5516 EXPECT_FALSE(SSL_is_signature_algorithm_rsa_pss(SSL_SIGN_RSA_PKCS1_MD5_SHA1));
5517
5518 EXPECT_EQ(EVP_PKEY_EC, SSL_get_signature_algorithm_key_type(
5519 SSL_SIGN_ECDSA_SECP256R1_SHA256));
5520 EXPECT_EQ(EVP_sha256(), SSL_get_signature_algorithm_digest(
5521 SSL_SIGN_ECDSA_SECP256R1_SHA256));
5522 EXPECT_FALSE(
5523 SSL_is_signature_algorithm_rsa_pss(SSL_SIGN_ECDSA_SECP256R1_SHA256));
5524
5525 EXPECT_EQ(EVP_PKEY_RSA,
5526 SSL_get_signature_algorithm_key_type(SSL_SIGN_RSA_PSS_RSAE_SHA384));
5527 EXPECT_EQ(EVP_sha384(),
5528 SSL_get_signature_algorithm_digest(SSL_SIGN_RSA_PSS_RSAE_SHA384));
5529 EXPECT_TRUE(SSL_is_signature_algorithm_rsa_pss(SSL_SIGN_RSA_PSS_RSAE_SHA384));
5530 }
5531
XORCompressFunc(SSL * ssl,CBB * out,const uint8_t * in,size_t in_len)5532 static int XORCompressFunc(SSL *ssl, CBB *out, const uint8_t *in,
5533 size_t in_len) {
5534 for (size_t i = 0; i < in_len; i++) {
5535 if (!CBB_add_u8(out, in[i] ^ 0x55)) {
5536 return 0;
5537 }
5538 }
5539
5540 SSL_set_app_data(ssl, XORCompressFunc);
5541
5542 return 1;
5543 }
5544
XORDecompressFunc(SSL * ssl,CRYPTO_BUFFER ** out,size_t uncompressed_len,const uint8_t * in,size_t in_len)5545 static int XORDecompressFunc(SSL *ssl, CRYPTO_BUFFER **out,
5546 size_t uncompressed_len, const uint8_t *in,
5547 size_t in_len) {
5548 if (in_len != uncompressed_len) {
5549 return 0;
5550 }
5551
5552 uint8_t *data;
5553 *out = CRYPTO_BUFFER_alloc(&data, uncompressed_len);
5554 if (*out == nullptr) {
5555 return 0;
5556 }
5557
5558 for (size_t i = 0; i < in_len; i++) {
5559 data[i] = in[i] ^ 0x55;
5560 }
5561
5562 SSL_set_app_data(ssl, XORDecompressFunc);
5563
5564 return 1;
5565 }
5566
TEST(SSLTest,CertCompression)5567 TEST(SSLTest, CertCompression) {
5568 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
5569 bssl::UniquePtr<SSL_CTX> server_ctx(
5570 CreateContextWithTestCertificate(TLS_method()));
5571 ASSERT_TRUE(client_ctx);
5572 ASSERT_TRUE(server_ctx);
5573
5574 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION));
5575 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
5576 ASSERT_TRUE(SSL_CTX_add_cert_compression_alg(
5577 client_ctx.get(), 0x1234, XORCompressFunc, XORDecompressFunc));
5578 ASSERT_TRUE(SSL_CTX_add_cert_compression_alg(
5579 server_ctx.get(), 0x1234, XORCompressFunc, XORDecompressFunc));
5580
5581 bssl::UniquePtr<SSL> client, server;
5582 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
5583 server_ctx.get()));
5584
5585 EXPECT_TRUE(SSL_get_app_data(client.get()) == XORDecompressFunc);
5586 EXPECT_TRUE(SSL_get_app_data(server.get()) == XORCompressFunc);
5587 }
5588
MoveBIOs(SSL * dest,SSL * src)5589 void MoveBIOs(SSL *dest, SSL *src) {
5590 BIO *rbio = SSL_get_rbio(src);
5591 BIO_up_ref(rbio);
5592 SSL_set0_rbio(dest, rbio);
5593
5594 BIO *wbio = SSL_get_wbio(src);
5595 BIO_up_ref(wbio);
5596 SSL_set0_wbio(dest, wbio);
5597
5598 SSL_set0_rbio(src, nullptr);
5599 SSL_set0_wbio(src, nullptr);
5600 }
5601
VerifyHandoff(bool use_new_alps_codepoint)5602 void VerifyHandoff(bool use_new_alps_codepoint) {
5603 static const uint8_t alpn[] = {0x03, 'f', 'o', 'o'};
5604 static const uint8_t proto[] = {'f', 'o', 'o'};
5605 static const uint8_t alps[] = {0x04, 'a', 'l', 'p', 's'};
5606
5607 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
5608 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
5609 bssl::UniquePtr<SSL_CTX> handshaker_ctx(
5610 CreateContextWithTestCertificate(TLS_method()));
5611 ASSERT_TRUE(client_ctx);
5612 ASSERT_TRUE(server_ctx);
5613 ASSERT_TRUE(handshaker_ctx);
5614
5615 if (!use_new_alps_codepoint) {
5616 SetUpExpectedOldCodePoint(server_ctx.get());
5617 } else {
5618 SetUpExpectedNewCodePoint(server_ctx.get());
5619 }
5620
5621 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_CLIENT);
5622 SSL_CTX_sess_set_new_cb(client_ctx.get(), SaveLastSession);
5623 SSL_CTX_set_handoff_mode(server_ctx.get(), true);
5624 uint8_t keys[48];
5625 SSL_CTX_get_tlsext_ticket_keys(server_ctx.get(), &keys, sizeof(keys));
5626 SSL_CTX_set_tlsext_ticket_keys(handshaker_ctx.get(), &keys, sizeof(keys));
5627
5628 for (bool early_data : {false, true}) {
5629 SCOPED_TRACE(early_data);
5630 for (bool is_resume : {false, true}) {
5631 SCOPED_TRACE(is_resume);
5632 bssl::UniquePtr<SSL> client, server;
5633 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
5634 server_ctx.get()));
5635 SSL_set_early_data_enabled(client.get(), early_data);
5636
5637 // Set up client ALPS settings.
5638 SSL_set_alps_use_new_codepoint(client.get(), use_new_alps_codepoint);
5639 ASSERT_TRUE(SSL_set_alpn_protos(client.get(), alpn, sizeof(alpn)) == 0);
5640 ASSERT_TRUE(SSL_add_application_settings(client.get(), proto,
5641 sizeof(proto), nullptr, 0));
5642 if (is_resume) {
5643 ASSERT_TRUE(g_last_session);
5644 SSL_set_session(client.get(), g_last_session.get());
5645 if (early_data) {
5646 EXPECT_GT(g_last_session->ticket_max_early_data, 0u);
5647 }
5648 }
5649
5650
5651 int client_ret = SSL_do_handshake(client.get());
5652 int client_err = SSL_get_error(client.get(), client_ret);
5653
5654 uint8_t byte_written;
5655 if (early_data && is_resume) {
5656 ASSERT_EQ(client_err, 0);
5657 EXPECT_TRUE(SSL_in_early_data(client.get()));
5658 // Attempt to write early data.
5659 byte_written = 43;
5660 EXPECT_EQ(SSL_write(client.get(), &byte_written, 1), 1);
5661 } else {
5662 ASSERT_EQ(client_err, SSL_ERROR_WANT_READ);
5663 }
5664
5665 int server_ret = SSL_do_handshake(server.get());
5666 int server_err = SSL_get_error(server.get(), server_ret);
5667 ASSERT_EQ(server_err, SSL_ERROR_HANDOFF);
5668
5669 ScopedCBB cbb;
5670 Array<uint8_t> handoff;
5671 SSL_CLIENT_HELLO hello;
5672 ASSERT_TRUE(CBB_init(cbb.get(), 256));
5673 ASSERT_TRUE(SSL_serialize_handoff(server.get(), cbb.get(), &hello));
5674 ASSERT_TRUE(CBBFinishArray(cbb.get(), &handoff));
5675
5676 bssl::UniquePtr<SSL> handshaker(SSL_new(handshaker_ctx.get()));
5677 ASSERT_TRUE(handshaker);
5678 // Note split handshakes determines 0-RTT support, for both the current
5679 // handshake and newly-issued tickets, entirely by |handshaker|. There is
5680 // no need to call |SSL_set_early_data_enabled| on |server|.
5681 SSL_set_early_data_enabled(handshaker.get(), 1);
5682
5683 // Set up handshaker ALPS settings.
5684 SSL_set_alps_use_new_codepoint(handshaker.get(), use_new_alps_codepoint);
5685 SSL_CTX_set_alpn_select_cb(
5686 handshaker_ctx.get(),
5687 [](SSL *ssl, const uint8_t **out, uint8_t *out_len, const uint8_t *in,
5688 unsigned in_len, void *arg) -> int {
5689 return SSL_select_next_proto(
5690 const_cast<uint8_t **>(out), out_len, in, in_len,
5691 alpn, sizeof(alpn)) == OPENSSL_NPN_NEGOTIATED
5692 ? SSL_TLSEXT_ERR_OK
5693 : SSL_TLSEXT_ERR_NOACK;
5694 },
5695 nullptr);
5696 ASSERT_TRUE(SSL_add_application_settings(handshaker.get(), proto,
5697 sizeof(proto), alps, sizeof(alps)));
5698
5699 ASSERT_TRUE(SSL_apply_handoff(handshaker.get(), handoff));
5700
5701 MoveBIOs(handshaker.get(), server.get());
5702
5703 int handshake_ret = SSL_do_handshake(handshaker.get());
5704 int handshake_err = SSL_get_error(handshaker.get(), handshake_ret);
5705 ASSERT_EQ(handshake_err, SSL_ERROR_HANDBACK);
5706
5707 // Double-check that additional calls to |SSL_do_handshake| continue
5708 // to get |SSL_ERROR_HANDBACK|.
5709 handshake_ret = SSL_do_handshake(handshaker.get());
5710 handshake_err = SSL_get_error(handshaker.get(), handshake_ret);
5711 ASSERT_EQ(handshake_err, SSL_ERROR_HANDBACK);
5712
5713 ScopedCBB cbb_handback;
5714 Array<uint8_t> handback;
5715 ASSERT_TRUE(CBB_init(cbb_handback.get(), 1024));
5716 ASSERT_TRUE(SSL_serialize_handback(handshaker.get(), cbb_handback.get()));
5717 ASSERT_TRUE(CBBFinishArray(cbb_handback.get(), &handback));
5718
5719 bssl::UniquePtr<SSL> server2(SSL_new(server_ctx.get()));
5720 ASSERT_TRUE(server2);
5721 ASSERT_TRUE(SSL_apply_handback(server2.get(), handback));
5722
5723 MoveBIOs(server2.get(), handshaker.get());
5724 ASSERT_TRUE(CompleteHandshakes(client.get(), server2.get()));
5725 EXPECT_EQ(is_resume, SSL_session_reused(client.get()));
5726 // Verify application settings.
5727 ASSERT_TRUE(SSL_has_application_settings(client.get()));
5728
5729 if (early_data && is_resume) {
5730 // In this case, one byte of early data has already been written above.
5731 EXPECT_TRUE(SSL_early_data_accepted(client.get()));
5732 } else {
5733 byte_written = 42;
5734 EXPECT_EQ(SSL_write(client.get(), &byte_written, 1), 1);
5735 }
5736 uint8_t byte;
5737 EXPECT_EQ(SSL_read(server2.get(), &byte, 1), 1);
5738 EXPECT_EQ(byte_written, byte);
5739
5740 byte = 44;
5741 EXPECT_EQ(SSL_write(server2.get(), &byte, 1), 1);
5742 EXPECT_EQ(SSL_read(client.get(), &byte, 1), 1);
5743 EXPECT_EQ(44, byte);
5744 }
5745 }
5746 }
5747
TEST(SSLTest,Handoff)5748 TEST(SSLTest, Handoff) {
5749 for (bool use_new_alps_codepoint : {false, true}) {
5750 SCOPED_TRACE(use_new_alps_codepoint);
5751 VerifyHandoff(use_new_alps_codepoint);
5752 }
5753 }
5754
TEST(SSLTest,HandoffDeclined)5755 TEST(SSLTest, HandoffDeclined) {
5756 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
5757 bssl::UniquePtr<SSL_CTX> server_ctx(
5758 CreateContextWithTestCertificate(TLS_method()));
5759 ASSERT_TRUE(client_ctx);
5760 ASSERT_TRUE(server_ctx);
5761
5762 SSL_CTX_set_handoff_mode(server_ctx.get(), true);
5763 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_2_VERSION));
5764
5765 bssl::UniquePtr<SSL> client, server;
5766 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
5767 server_ctx.get()));
5768
5769 int client_ret = SSL_do_handshake(client.get());
5770 int client_err = SSL_get_error(client.get(), client_ret);
5771 ASSERT_EQ(client_err, SSL_ERROR_WANT_READ);
5772
5773 int server_ret = SSL_do_handshake(server.get());
5774 int server_err = SSL_get_error(server.get(), server_ret);
5775 ASSERT_EQ(server_err, SSL_ERROR_HANDOFF);
5776
5777 ScopedCBB cbb;
5778 SSL_CLIENT_HELLO hello;
5779 ASSERT_TRUE(CBB_init(cbb.get(), 256));
5780 ASSERT_TRUE(SSL_serialize_handoff(server.get(), cbb.get(), &hello));
5781
5782 ASSERT_TRUE(SSL_decline_handoff(server.get()));
5783
5784 ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
5785
5786 uint8_t byte = 42;
5787 EXPECT_EQ(SSL_write(client.get(), &byte, 1), 1);
5788 EXPECT_EQ(SSL_read(server.get(), &byte, 1), 1);
5789 EXPECT_EQ(42, byte);
5790
5791 byte = 43;
5792 EXPECT_EQ(SSL_write(server.get(), &byte, 1), 1);
5793 EXPECT_EQ(SSL_read(client.get(), &byte, 1), 1);
5794 EXPECT_EQ(43, byte);
5795 }
5796
SigAlgsToString(Span<const uint16_t> sigalgs)5797 static std::string SigAlgsToString(Span<const uint16_t> sigalgs) {
5798 std::string ret = "{";
5799
5800 for (uint16_t v : sigalgs) {
5801 if (ret.size() > 1) {
5802 ret += ", ";
5803 }
5804
5805 char buf[8];
5806 snprintf(buf, sizeof(buf) - 1, "0x%02x", v);
5807 buf[sizeof(buf)-1] = 0;
5808 ret += std::string(buf);
5809 }
5810
5811 ret += "}";
5812 return ret;
5813 }
5814
ExpectSigAlgsEqual(Span<const uint16_t> expected,Span<const uint16_t> actual)5815 void ExpectSigAlgsEqual(Span<const uint16_t> expected,
5816 Span<const uint16_t> actual) {
5817 bool matches = false;
5818 if (expected.size() == actual.size()) {
5819 matches = true;
5820
5821 for (size_t i = 0; i < expected.size(); i++) {
5822 if (expected[i] != actual[i]) {
5823 matches = false;
5824 break;
5825 }
5826 }
5827 }
5828
5829 if (!matches) {
5830 ADD_FAILURE() << "expected: " << SigAlgsToString(expected)
5831 << " got: " << SigAlgsToString(actual);
5832 }
5833 }
5834
TEST(SSLTest,SigAlgs)5835 TEST(SSLTest, SigAlgs) {
5836 static const struct {
5837 std::vector<int> input;
5838 bool ok;
5839 std::vector<uint16_t> expected;
5840 } kTests[] = {
5841 {{}, true, {}},
5842 {{1}, false, {}},
5843 {{1, 2, 3}, false, {}},
5844 {{NID_sha256, EVP_PKEY_ED25519}, false, {}},
5845 {{NID_sha256, EVP_PKEY_RSA, NID_sha256, EVP_PKEY_RSA}, false, {}},
5846
5847 {{NID_sha256, EVP_PKEY_RSA}, true, {SSL_SIGN_RSA_PKCS1_SHA256}},
5848 {{NID_sha512, EVP_PKEY_RSA}, true, {SSL_SIGN_RSA_PKCS1_SHA512}},
5849 {{NID_sha256, EVP_PKEY_RSA_PSS}, true, {SSL_SIGN_RSA_PSS_RSAE_SHA256}},
5850 {{NID_undef, EVP_PKEY_ED25519}, true, {SSL_SIGN_ED25519}},
5851 {{NID_undef, EVP_PKEY_ED25519, NID_sha384, EVP_PKEY_EC},
5852 true,
5853 {SSL_SIGN_ED25519, SSL_SIGN_ECDSA_SECP384R1_SHA384}},
5854 };
5855
5856 UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
5857 ASSERT_TRUE(ctx);
5858
5859 unsigned n = 1;
5860 for (const auto &test : kTests) {
5861 SCOPED_TRACE(n++);
5862
5863 const bool ok =
5864 SSL_CTX_set1_sigalgs(ctx.get(), test.input.data(), test.input.size());
5865 EXPECT_EQ(ok, test.ok);
5866
5867 if (!ok) {
5868 ERR_clear_error();
5869 }
5870
5871 if (!test.ok) {
5872 continue;
5873 }
5874
5875 ExpectSigAlgsEqual(test.expected, ctx->cert->default_credential->sigalgs);
5876 }
5877 }
5878
TEST(SSLTest,SigAlgsList)5879 TEST(SSLTest, SigAlgsList) {
5880 static const struct {
5881 const char *input;
5882 bool ok;
5883 std::vector<uint16_t> expected;
5884 } kTests[] = {
5885 {"", false, {}},
5886 {":", false, {}},
5887 {"+", false, {}},
5888 {"RSA", false, {}},
5889 {"RSA+", false, {}},
5890 {"RSA+SHA256:", false, {}},
5891 {":RSA+SHA256:", false, {}},
5892 {":RSA+SHA256+:", false, {}},
5893 {"!", false, {}},
5894 {"\x01", false, {}},
5895 {"RSA+SHA256:RSA+SHA384:RSA+SHA256", false, {}},
5896 {"RSA-PSS+SHA256:rsa_pss_rsae_sha256", false, {}},
5897
5898 {"RSA+SHA256", true, {SSL_SIGN_RSA_PKCS1_SHA256}},
5899 {"RSA+SHA256:ed25519",
5900 true,
5901 {SSL_SIGN_RSA_PKCS1_SHA256, SSL_SIGN_ED25519}},
5902 {"ECDSA+SHA256:RSA+SHA512",
5903 true,
5904 {SSL_SIGN_ECDSA_SECP256R1_SHA256, SSL_SIGN_RSA_PKCS1_SHA512}},
5905 {"ecdsa_secp256r1_sha256:rsa_pss_rsae_sha256",
5906 true,
5907 {SSL_SIGN_ECDSA_SECP256R1_SHA256, SSL_SIGN_RSA_PSS_RSAE_SHA256}},
5908 {"RSA-PSS+SHA256", true, {SSL_SIGN_RSA_PSS_RSAE_SHA256}},
5909 {"PSS+SHA256", true, {SSL_SIGN_RSA_PSS_RSAE_SHA256}},
5910 };
5911
5912 UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
5913 ASSERT_TRUE(ctx);
5914
5915 unsigned n = 1;
5916 for (const auto &test : kTests) {
5917 SCOPED_TRACE(n++);
5918
5919 const bool ok = SSL_CTX_set1_sigalgs_list(ctx.get(), test.input);
5920 EXPECT_EQ(ok, test.ok);
5921
5922 if (!ok) {
5923 if (test.ok) {
5924 ERR_print_errors_fp(stderr);
5925 }
5926 ERR_clear_error();
5927 }
5928
5929 if (!test.ok) {
5930 continue;
5931 }
5932
5933 ExpectSigAlgsEqual(test.expected, ctx->cert->default_credential->sigalgs);
5934 }
5935 }
5936
TEST(SSLTest,ApplyHandoffRemovesUnsupportedCiphers)5937 TEST(SSLTest, ApplyHandoffRemovesUnsupportedCiphers) {
5938 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
5939 ASSERT_TRUE(server_ctx);
5940 bssl::UniquePtr<SSL> server(SSL_new(server_ctx.get()));
5941 ASSERT_TRUE(server);
5942
5943 // handoff is a handoff message that has been artificially modified to pretend
5944 // that only TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) is supported. When
5945 // it is applied to |server|, all ciphers but that one should be removed.
5946 //
5947 // To make a new one of these, try sticking this in the |Handoff| test above:
5948 //
5949 // hexdump(stderr, "", handoff.data(), handoff.size());
5950 // sed -e 's/\(..\)/0x\1, /g'
5951 //
5952 // and modify serialize_features() to emit only cipher 0x0A.
5953
5954 uint8_t handoff[] = {
5955 0x30, 0x81, 0x9a, 0x02, 0x01, 0x00, 0x04, 0x00, 0x04, 0x81, 0x82, 0x01,
5956 0x00, 0x00, 0x7e, 0x03, 0x03, 0x30, 0x8e, 0x8f, 0x79, 0xd2, 0x87, 0x39,
5957 0xc2, 0x23, 0x23, 0x13, 0xca, 0x3c, 0x80, 0x44, 0xfd, 0x80, 0x83, 0x62,
5958 0x3c, 0xcc, 0xf8, 0x76, 0xd3, 0x62, 0xbb, 0x54, 0xe3, 0xc4, 0x39, 0x24,
5959 0xa5, 0x00, 0x00, 0x1e, 0xc0, 0x2b, 0xc0, 0x2f, 0xc0, 0x2c, 0xc0, 0x30,
5960 0xcc, 0xa9, 0xcc, 0xa8, 0xc0, 0x09, 0xc0, 0x13, 0xc0, 0x0a, 0xc0, 0x14,
5961 0x00, 0x9c, 0x00, 0x9d, 0x00, 0x2f, 0x00, 0x35, 0x00, 0x0a, 0x01, 0x00,
5962 0x00, 0x37, 0x00, 0x17, 0x00, 0x00, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00,
5963 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00,
5964 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00,
5965 0x14, 0x00, 0x12, 0x04, 0x03, 0x08, 0x04, 0x04, 0x01, 0x05, 0x03, 0x08,
5966 0x05, 0x05, 0x01, 0x08, 0x06, 0x06, 0x01, 0x02, 0x01, 0x04, 0x02, 0xc0,
5967 0x2f, 0x04, 0x0a, 0x00, 0x15, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x00,
5968 0x1d,
5969 };
5970
5971 EXPECT_LT(1u, sk_SSL_CIPHER_num(SSL_get_ciphers(server.get())));
5972 ASSERT_TRUE(
5973 SSL_apply_handoff(server.get(), {handoff, OPENSSL_ARRAY_SIZE(handoff)}));
5974 EXPECT_EQ(1u, sk_SSL_CIPHER_num(SSL_get_ciphers(server.get())));
5975 }
5976
TEST(SSLTest,ApplyHandoffRemovesUnsupportedCurves)5977 TEST(SSLTest, ApplyHandoffRemovesUnsupportedCurves) {
5978 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
5979 ASSERT_TRUE(server_ctx);
5980 bssl::UniquePtr<SSL> server(SSL_new(server_ctx.get()));
5981 ASSERT_TRUE(server);
5982
5983 // handoff is a handoff message that has been artificially modified to pretend
5984 // that only one ECDH group is supported. When it is applied to |server|, all
5985 // groups but that one should be removed.
5986 //
5987 // See |ApplyHandoffRemovesUnsupportedCiphers| for how to make a new one of
5988 // these.
5989 uint8_t handoff[] = {
5990 0x30, 0x81, 0xc0, 0x02, 0x01, 0x00, 0x04, 0x00, 0x04, 0x81, 0x82, 0x01,
5991 0x00, 0x00, 0x7e, 0x03, 0x03, 0x98, 0x30, 0xce, 0xd9, 0xb0, 0xdf, 0x5f,
5992 0x82, 0x05, 0x4a, 0x43, 0x67, 0x7e, 0xdb, 0x6a, 0x4f, 0x21, 0x18, 0x4e,
5993 0x0d, 0x94, 0x63, 0x18, 0x8b, 0x54, 0x89, 0xdb, 0x8b, 0x1d, 0x84, 0xbc,
5994 0x09, 0x00, 0x00, 0x1e, 0xc0, 0x2b, 0xc0, 0x2f, 0xc0, 0x2c, 0xc0, 0x30,
5995 0xcc, 0xa9, 0xcc, 0xa8, 0xc0, 0x09, 0xc0, 0x13, 0xc0, 0x0a, 0xc0, 0x14,
5996 0x00, 0x9c, 0x00, 0x9d, 0x00, 0x2f, 0x00, 0x35, 0x00, 0x0a, 0x01, 0x00,
5997 0x00, 0x37, 0x00, 0x17, 0x00, 0x00, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00,
5998 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00,
5999 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00,
6000 0x14, 0x00, 0x12, 0x04, 0x03, 0x08, 0x04, 0x04, 0x01, 0x05, 0x03, 0x08,
6001 0x05, 0x05, 0x01, 0x08, 0x06, 0x06, 0x01, 0x02, 0x01, 0x04, 0x30, 0x00,
6002 0x02, 0x00, 0x0a, 0x00, 0x2f, 0x00, 0x35, 0x00, 0x8c, 0x00, 0x8d, 0x00,
6003 0x9c, 0x00, 0x9d, 0x13, 0x01, 0x13, 0x02, 0x13, 0x03, 0xc0, 0x09, 0xc0,
6004 0x0a, 0xc0, 0x13, 0xc0, 0x14, 0xc0, 0x2b, 0xc0, 0x2c, 0xc0, 0x2f, 0xc0,
6005 0x30, 0xc0, 0x35, 0xc0, 0x36, 0xcc, 0xa8, 0xcc, 0xa9, 0xcc, 0xac, 0x04,
6006 0x02, 0x00, 0x17,
6007 };
6008
6009 // The zero length means that the default list of groups is used.
6010 EXPECT_EQ(0u, server->config->supported_group_list.size());
6011 ASSERT_TRUE(
6012 SSL_apply_handoff(server.get(), {handoff, OPENSSL_ARRAY_SIZE(handoff)}));
6013 EXPECT_EQ(1u, server->config->supported_group_list.size());
6014 }
6015
TEST(SSLTest,ZeroSizedWiteFlushesHandshakeMessages)6016 TEST(SSLTest, ZeroSizedWiteFlushesHandshakeMessages) {
6017 // If there are pending handshake mesages, an |SSL_write| of zero bytes should
6018 // flush them.
6019 bssl::UniquePtr<SSL_CTX> server_ctx(
6020 CreateContextWithTestCertificate(TLS_method()));
6021 ASSERT_TRUE(server_ctx);
6022 EXPECT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
6023 EXPECT_TRUE(SSL_CTX_set_min_proto_version(server_ctx.get(), TLS1_3_VERSION));
6024
6025 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
6026 ASSERT_TRUE(client_ctx);
6027 EXPECT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION));
6028 EXPECT_TRUE(SSL_CTX_set_min_proto_version(client_ctx.get(), TLS1_3_VERSION));
6029
6030 bssl::UniquePtr<SSL> client, server;
6031 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
6032 server_ctx.get()));
6033
6034 BIO *client_wbio = SSL_get_wbio(client.get());
6035 EXPECT_EQ(0u, BIO_wpending(client_wbio));
6036 EXPECT_TRUE(SSL_key_update(client.get(), SSL_KEY_UPDATE_NOT_REQUESTED));
6037 EXPECT_EQ(0u, BIO_wpending(client_wbio));
6038 EXPECT_EQ(0, SSL_write(client.get(), nullptr, 0));
6039 EXPECT_NE(0u, BIO_wpending(client_wbio));
6040 }
6041
TEST_P(SSLVersionTest,VerifyBeforeCertRequest)6042 TEST_P(SSLVersionTest, VerifyBeforeCertRequest) {
6043 // Configure the server to request client certificates.
6044 SSL_CTX_set_custom_verify(
6045 server_ctx_.get(), SSL_VERIFY_PEER,
6046 [](SSL *ssl, uint8_t *out_alert) { return ssl_verify_ok; });
6047
6048 // Configure the client to reject the server certificate.
6049 SSL_CTX_set_custom_verify(
6050 client_ctx_.get(), SSL_VERIFY_PEER,
6051 [](SSL *ssl, uint8_t *out_alert) { return ssl_verify_invalid; });
6052
6053 // cert_cb should not be called. Verification should fail first.
6054 SSL_CTX_set_cert_cb(client_ctx_.get(),
6055 [](SSL *ssl, void *arg) {
6056 ADD_FAILURE() << "cert_cb unexpectedly called";
6057 return 0;
6058 },
6059 nullptr);
6060
6061 bssl::UniquePtr<SSL> client, server;
6062 EXPECT_FALSE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
6063 server_ctx_.get()));
6064 }
6065
6066 // Test that ticket-based sessions on the client get fake session IDs.
TEST_P(SSLVersionTest,FakeIDsForTickets)6067 TEST_P(SSLVersionTest, FakeIDsForTickets) {
6068 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6069 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
6070
6071 bssl::UniquePtr<SSL_SESSION> session =
6072 CreateClientSession(client_ctx_.get(), server_ctx_.get());
6073 ASSERT_TRUE(session);
6074
6075 EXPECT_TRUE(SSL_SESSION_has_ticket(session.get()));
6076 unsigned session_id_length;
6077 SSL_SESSION_get_id(session.get(), &session_id_length);
6078 EXPECT_NE(session_id_length, 0u);
6079 }
6080
6081 // These tests test multi-threaded behavior. They are intended to run with
6082 // ThreadSanitizer.
6083 #if defined(OPENSSL_THREADS)
TEST_P(SSLVersionTest,SessionCacheThreads)6084 TEST_P(SSLVersionTest, SessionCacheThreads) {
6085 SSL_CTX_set_options(server_ctx_.get(), SSL_OP_NO_TICKET);
6086 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6087 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
6088
6089 if (version() == TLS1_3_VERSION) {
6090 // Our TLS 1.3 implementation does not support stateful resumption.
6091 ASSERT_FALSE(CreateClientSession(client_ctx_.get(), server_ctx_.get()));
6092 return;
6093 }
6094
6095 // Establish two client sessions to test with.
6096 bssl::UniquePtr<SSL_SESSION> session1 =
6097 CreateClientSession(client_ctx_.get(), server_ctx_.get());
6098 ASSERT_TRUE(session1);
6099 bssl::UniquePtr<SSL_SESSION> session2 =
6100 CreateClientSession(client_ctx_.get(), server_ctx_.get());
6101 ASSERT_TRUE(session2);
6102
6103 auto connect_with_session = [&](SSL_SESSION *session) {
6104 ClientConfig config;
6105 config.session = session;
6106 UniquePtr<SSL> client, server;
6107 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
6108 server_ctx_.get(), config));
6109 };
6110
6111 // Resume sessions in parallel with establishing new ones.
6112 {
6113 std::vector<std::thread> threads;
6114 threads.emplace_back([&] { connect_with_session(nullptr); });
6115 threads.emplace_back([&] { connect_with_session(nullptr); });
6116 threads.emplace_back([&] { connect_with_session(session1.get()); });
6117 threads.emplace_back([&] { connect_with_session(session1.get()); });
6118 threads.emplace_back([&] { connect_with_session(session2.get()); });
6119 threads.emplace_back([&] { connect_with_session(session2.get()); });
6120 for (auto &thread : threads) {
6121 thread.join();
6122 }
6123 }
6124
6125 // Hit the maximum session cache size across multiple threads, to test the
6126 // size enforcement logic.
6127 size_t limit = SSL_CTX_sess_number(server_ctx_.get()) + 2;
6128 SSL_CTX_sess_set_cache_size(server_ctx_.get(), limit);
6129 {
6130 std::vector<std::thread> threads;
6131 for (int i = 0; i < 4; i++) {
6132 threads.emplace_back([&]() {
6133 connect_with_session(nullptr);
6134 EXPECT_LE(SSL_CTX_sess_number(server_ctx_.get()), limit);
6135 });
6136 }
6137 for (auto &thread : threads) {
6138 thread.join();
6139 }
6140 EXPECT_EQ(SSL_CTX_sess_number(server_ctx_.get()), limit);
6141 }
6142
6143 // Reset the session cache, this time with a mock clock.
6144 ASSERT_NO_FATAL_FAILURE(ResetContexts());
6145 SSL_CTX_set_options(server_ctx_.get(), SSL_OP_NO_TICKET);
6146 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6147 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
6148 SSL_CTX_set_current_time_cb(server_ctx_.get(), CurrentTimeCallback);
6149
6150 // Make some sessions at an arbitrary start time. Then expire them.
6151 g_current_time.tv_sec = 1000;
6152 bssl::UniquePtr<SSL_SESSION> expired_session1 =
6153 CreateClientSession(client_ctx_.get(), server_ctx_.get());
6154 ASSERT_TRUE(expired_session1);
6155 bssl::UniquePtr<SSL_SESSION> expired_session2 =
6156 CreateClientSession(client_ctx_.get(), server_ctx_.get());
6157 ASSERT_TRUE(expired_session2);
6158 g_current_time.tv_sec += 100 * SSL_DEFAULT_SESSION_TIMEOUT;
6159
6160 session1 = CreateClientSession(client_ctx_.get(), server_ctx_.get());
6161 ASSERT_TRUE(session1);
6162
6163 // Every 256 connections, we flush stale sessions from the session cache. Test
6164 // this logic is correctly synchronized with other connection attempts.
6165 static const int kNumConnections = 256;
6166 {
6167 std::vector<std::thread> threads;
6168 threads.emplace_back([&] {
6169 for (int i = 0; i < kNumConnections; i++) {
6170 connect_with_session(nullptr);
6171 }
6172 });
6173 threads.emplace_back([&] {
6174 for (int i = 0; i < kNumConnections; i++) {
6175 connect_with_session(nullptr);
6176 }
6177 });
6178 threads.emplace_back([&] {
6179 // Never connect with |expired_session2|. The session cache eagerly
6180 // removes expired sessions when it sees them. Leaving |expired_session2|
6181 // untouched ensures it is instead cleared by periodic flushing.
6182 for (int i = 0; i < kNumConnections; i++) {
6183 connect_with_session(expired_session1.get());
6184 }
6185 });
6186 threads.emplace_back([&] {
6187 for (int i = 0; i < kNumConnections; i++) {
6188 connect_with_session(session1.get());
6189 }
6190 });
6191 for (auto &thread : threads) {
6192 thread.join();
6193 }
6194 }
6195 }
6196
TEST_P(SSLVersionTest,SessionTicketThreads)6197 TEST_P(SSLVersionTest, SessionTicketThreads) {
6198 for (bool renew_ticket : {false, true}) {
6199 SCOPED_TRACE(renew_ticket);
6200 ASSERT_NO_FATAL_FAILURE(ResetContexts());
6201 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6202 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
6203 if (renew_ticket) {
6204 SSL_CTX_set_tlsext_ticket_key_cb(server_ctx_.get(), RenewTicketCallback);
6205 }
6206
6207 // Establish two client sessions to test with.
6208 bssl::UniquePtr<SSL_SESSION> session1 =
6209 CreateClientSession(client_ctx_.get(), server_ctx_.get());
6210 ASSERT_TRUE(session1);
6211 bssl::UniquePtr<SSL_SESSION> session2 =
6212 CreateClientSession(client_ctx_.get(), server_ctx_.get());
6213 ASSERT_TRUE(session2);
6214
6215 auto connect_with_session = [&](SSL_SESSION *session) {
6216 ClientConfig config;
6217 config.session = session;
6218 UniquePtr<SSL> client, server;
6219 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
6220 server_ctx_.get(), config));
6221 };
6222
6223 // Resume sessions in parallel with establishing new ones.
6224 {
6225 std::vector<std::thread> threads;
6226 threads.emplace_back([&] { connect_with_session(nullptr); });
6227 threads.emplace_back([&] { connect_with_session(nullptr); });
6228 threads.emplace_back([&] { connect_with_session(session1.get()); });
6229 threads.emplace_back([&] { connect_with_session(session1.get()); });
6230 threads.emplace_back([&] { connect_with_session(session2.get()); });
6231 threads.emplace_back([&] { connect_with_session(session2.get()); });
6232 for (auto &thread : threads) {
6233 thread.join();
6234 }
6235 }
6236 }
6237 }
6238
6239 // SSL_CTX_get0_certificate needs to lock internally. Test this works.
TEST(SSLTest,GetCertificateThreads)6240 TEST(SSLTest, GetCertificateThreads) {
6241 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
6242 ASSERT_TRUE(ctx);
6243 bssl::UniquePtr<X509> cert = GetTestCertificate();
6244 ASSERT_TRUE(cert);
6245 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), cert.get()));
6246
6247 // Existing code expects |SSL_CTX_get0_certificate| to be callable from two
6248 // threads concurrently. It originally was an immutable operation. Now we
6249 // implement it with a thread-safe cache, so it is worth testing.
6250 X509 *cert2_thread;
6251 std::thread thread(
6252 [&] { cert2_thread = SSL_CTX_get0_certificate(ctx.get()); });
6253 X509 *cert2 = SSL_CTX_get0_certificate(ctx.get());
6254 thread.join();
6255
6256 ASSERT_TRUE(cert2);
6257 ASSERT_TRUE(cert2_thread);
6258 EXPECT_EQ(cert2, cert2_thread);
6259 EXPECT_EQ(0, X509_cmp(cert.get(), cert2));
6260 }
6261
6262 // Functions which access properties on the negotiated session are thread-safe
6263 // where needed. Prior to TLS 1.3, clients resuming sessions and servers
6264 // performing stateful resumption will share an underlying SSL_SESSION object,
6265 // potentially across threads.
TEST_P(SSLVersionTest,SessionPropertiesThreads)6266 TEST_P(SSLVersionTest, SessionPropertiesThreads) {
6267 if (version() == TLS1_3_VERSION) {
6268 // Our TLS 1.3 implementation does not support stateful resumption.
6269 ASSERT_FALSE(CreateClientSession(client_ctx_.get(), server_ctx_.get()));
6270 return;
6271 }
6272
6273 SSL_CTX_set_options(server_ctx_.get(), SSL_OP_NO_TICKET);
6274 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6275 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
6276
6277 ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
6278 ASSERT_TRUE(UseCertAndKey(server_ctx_.get()));
6279
6280 // Configure mutual authentication, so we have more session state.
6281 SSL_CTX_set_custom_verify(
6282 client_ctx_.get(), SSL_VERIFY_PEER,
6283 [](SSL *ssl, uint8_t *out_alert) { return ssl_verify_ok; });
6284 SSL_CTX_set_custom_verify(
6285 server_ctx_.get(), SSL_VERIFY_PEER,
6286 [](SSL *ssl, uint8_t *out_alert) { return ssl_verify_ok; });
6287
6288 // Establish a client session to test with.
6289 bssl::UniquePtr<SSL_SESSION> session =
6290 CreateClientSession(client_ctx_.get(), server_ctx_.get());
6291 ASSERT_TRUE(session);
6292
6293 // Resume with it twice.
6294 UniquePtr<SSL> ssls[4];
6295 ClientConfig config;
6296 config.session = session.get();
6297 ASSERT_TRUE(ConnectClientAndServer(&ssls[0], &ssls[1], client_ctx_.get(),
6298 server_ctx_.get(), config));
6299 ASSERT_TRUE(ConnectClientAndServer(&ssls[2], &ssls[3], client_ctx_.get(),
6300 server_ctx_.get(), config));
6301
6302 // Read properties in parallel.
6303 auto read_properties = [](const SSL *ssl) {
6304 EXPECT_TRUE(SSL_get_peer_cert_chain(ssl));
6305 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(ssl));
6306 EXPECT_TRUE(peer);
6307 EXPECT_TRUE(SSL_get_current_cipher(ssl));
6308 EXPECT_TRUE(SSL_get_group_id(ssl));
6309 };
6310
6311 std::vector<std::thread> threads;
6312 for (const auto &ssl_ptr : ssls) {
6313 const SSL *ssl = ssl_ptr.get();
6314 threads.emplace_back([=] { read_properties(ssl); });
6315 }
6316 for (auto &thread : threads) {
6317 thread.join();
6318 }
6319 }
6320
SetValueOnFree(void * parent,void * ptr,CRYPTO_EX_DATA * ad,int index,long argl,void * argp)6321 static void SetValueOnFree(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
6322 int index, long argl, void *argp) {
6323 if (ptr != nullptr) {
6324 *static_cast<long *>(ptr) = argl;
6325 }
6326 }
6327
6328 // Test that one thread can register ex_data while another thread is destroying
6329 // an object that uses it.
TEST(SSLTest,ExDataThreads)6330 TEST(SSLTest, ExDataThreads) {
6331 static bool already_run = false;
6332 if (already_run) {
6333 GTEST_SKIP() << "This test consumes process-global resources and can only "
6334 "be run once in a process. It is not compatible with "
6335 "--gtest_repeat.";
6336 }
6337 already_run = true;
6338
6339 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
6340 ASSERT_TRUE(ctx);
6341
6342 // Register an initial index, so the threads can exercise having any ex_data.
6343 int first_index =
6344 SSL_get_ex_new_index(-1, nullptr, nullptr, nullptr, SetValueOnFree);
6345 ASSERT_GE(first_index, 0);
6346
6347 // Callers may register indices concurrently with using other indices. This
6348 // may happen if one part of an application is initializing while another part
6349 // is already running.
6350 static constexpr int kNumIndices = 3;
6351 static constexpr int kNumSSLs = 10;
6352 int index[kNumIndices];
6353 long values[kNumSSLs];
6354 std::fill(std::begin(values), std::end(values), -2);
6355 std::vector<std::thread> threads;
6356 for (size_t i = 0; i < kNumIndices; i++) {
6357 threads.emplace_back([&, i] {
6358 index[i] = SSL_get_ex_new_index(static_cast<long>(i), nullptr, nullptr,
6359 nullptr, SetValueOnFree);
6360 ASSERT_GE(index[i], 0);
6361 });
6362 }
6363 for (size_t i = 0; i < kNumSSLs; i++) {
6364 threads.emplace_back([&, i] {
6365 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
6366 ASSERT_TRUE(ssl);
6367 ASSERT_TRUE(SSL_set_ex_data(ssl.get(), first_index, &values[i]));
6368 });
6369 }
6370 for (auto &thread : threads) {
6371 thread.join();
6372 }
6373
6374 // Each of the SSL threads should have set their flag via ex_data.
6375 for (size_t i = 0; i < kNumSSLs; i++) {
6376 EXPECT_EQ(values[i], -1);
6377 }
6378
6379 // Each of the newly-registered indices should be distinct and work correctly.
6380 static_assert(kNumIndices <= kNumSSLs, "values buffer too small");
6381 std::fill(std::begin(values), std::end(values), -2);
6382 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
6383 ASSERT_TRUE(ssl);
6384 for (size_t i = 0; i < kNumIndices; i++) {
6385 for (size_t j = 0; j < i; j++) {
6386 EXPECT_NE(index[i], index[j]);
6387 }
6388 ASSERT_TRUE(SSL_set_ex_data(ssl.get(), index[i], &values[i]));
6389 }
6390 ssl = nullptr;
6391 for (size_t i = 0; i < kNumIndices; i++) {
6392 EXPECT_EQ(values[i], static_cast<long>(i));
6393 }
6394 }
6395 #endif // OPENSSL_THREADS
6396
6397 constexpr size_t kNumQUICLevels = 4;
6398 static_assert(ssl_encryption_initial < kNumQUICLevels,
6399 "kNumQUICLevels is wrong");
6400 static_assert(ssl_encryption_early_data < kNumQUICLevels,
6401 "kNumQUICLevels is wrong");
6402 static_assert(ssl_encryption_handshake < kNumQUICLevels,
6403 "kNumQUICLevels is wrong");
6404 static_assert(ssl_encryption_application < kNumQUICLevels,
6405 "kNumQUICLevels is wrong");
6406
LevelToString(ssl_encryption_level_t level)6407 const char *LevelToString(ssl_encryption_level_t level) {
6408 switch (level) {
6409 case ssl_encryption_initial:
6410 return "initial";
6411 case ssl_encryption_early_data:
6412 return "early data";
6413 case ssl_encryption_handshake:
6414 return "handshake";
6415 case ssl_encryption_application:
6416 return "application";
6417 }
6418 return "<unknown>";
6419 }
6420
6421 class MockQUICTransport {
6422 public:
6423 enum class Role { kClient, kServer };
6424
MockQUICTransport(Role role)6425 explicit MockQUICTransport(Role role) : role_(role) {
6426 // The caller is expected to configure initial secrets.
6427 levels_[ssl_encryption_initial].write_secret = {1};
6428 levels_[ssl_encryption_initial].read_secret = {1};
6429 }
6430
set_peer(MockQUICTransport * peer)6431 void set_peer(MockQUICTransport *peer) { peer_ = peer; }
6432
has_alert() const6433 bool has_alert() const { return has_alert_; }
alert_level() const6434 ssl_encryption_level_t alert_level() const { return alert_level_; }
alert() const6435 uint8_t alert() const { return alert_; }
6436
PeerSecretsMatch(ssl_encryption_level_t level) const6437 bool PeerSecretsMatch(ssl_encryption_level_t level) const {
6438 return levels_[level].write_secret == peer_->levels_[level].read_secret &&
6439 levels_[level].read_secret == peer_->levels_[level].write_secret &&
6440 levels_[level].cipher == peer_->levels_[level].cipher;
6441 }
6442
HasReadSecret(ssl_encryption_level_t level) const6443 bool HasReadSecret(ssl_encryption_level_t level) const {
6444 return !levels_[level].read_secret.empty();
6445 }
6446
HasWriteSecret(ssl_encryption_level_t level) const6447 bool HasWriteSecret(ssl_encryption_level_t level) const {
6448 return !levels_[level].write_secret.empty();
6449 }
6450
AllowOutOfOrderWrites()6451 void AllowOutOfOrderWrites() { allow_out_of_order_writes_ = true; }
6452
SetReadSecret(ssl_encryption_level_t level,const SSL_CIPHER * cipher,Span<const uint8_t> secret)6453 bool SetReadSecret(ssl_encryption_level_t level, const SSL_CIPHER *cipher,
6454 Span<const uint8_t> secret) {
6455 if (HasReadSecret(level)) {
6456 ADD_FAILURE() << LevelToString(level) << " read secret configured twice";
6457 return false;
6458 }
6459
6460 if (role_ == Role::kClient && level == ssl_encryption_early_data) {
6461 ADD_FAILURE() << "Unexpected early data read secret";
6462 return false;
6463 }
6464
6465 ssl_encryption_level_t ack_level =
6466 level == ssl_encryption_early_data ? ssl_encryption_application : level;
6467 if (!HasWriteSecret(ack_level)) {
6468 ADD_FAILURE() << LevelToString(level)
6469 << " read secret configured before ACK write secret";
6470 return false;
6471 }
6472
6473 if (cipher == nullptr) {
6474 ADD_FAILURE() << "Unexpected null cipher";
6475 return false;
6476 }
6477
6478 if (level != ssl_encryption_early_data &&
6479 SSL_CIPHER_get_id(cipher) != levels_[level].cipher) {
6480 ADD_FAILURE() << "Cipher suite inconsistent";
6481 return false;
6482 }
6483
6484 levels_[level].read_secret.assign(secret.begin(), secret.end());
6485 levels_[level].cipher = SSL_CIPHER_get_id(cipher);
6486 return true;
6487 }
6488
SetWriteSecret(ssl_encryption_level_t level,const SSL_CIPHER * cipher,Span<const uint8_t> secret)6489 bool SetWriteSecret(ssl_encryption_level_t level, const SSL_CIPHER *cipher,
6490 Span<const uint8_t> secret) {
6491 if (HasWriteSecret(level)) {
6492 ADD_FAILURE() << LevelToString(level) << " write secret configured twice";
6493 return false;
6494 }
6495
6496 if (role_ == Role::kServer && level == ssl_encryption_early_data) {
6497 ADD_FAILURE() << "Unexpected early data write secret";
6498 return false;
6499 }
6500
6501 if (cipher == nullptr) {
6502 ADD_FAILURE() << "Unexpected null cipher";
6503 return false;
6504 }
6505
6506 levels_[level].write_secret.assign(secret.begin(), secret.end());
6507 levels_[level].cipher = SSL_CIPHER_get_id(cipher);
6508 return true;
6509 }
6510
WriteHandshakeData(ssl_encryption_level_t level,Span<const uint8_t> data)6511 bool WriteHandshakeData(ssl_encryption_level_t level,
6512 Span<const uint8_t> data) {
6513 if (levels_[level].write_secret.empty()) {
6514 ADD_FAILURE() << LevelToString(level)
6515 << " write secret not yet configured";
6516 return false;
6517 }
6518
6519 // Although the levels are conceptually separate, BoringSSL finishes writing
6520 // data from a previous level before installing keys for the next level.
6521 if (!allow_out_of_order_writes_) {
6522 switch (level) {
6523 case ssl_encryption_early_data:
6524 ADD_FAILURE() << "unexpected handshake data at early data level";
6525 return false;
6526 case ssl_encryption_initial:
6527 if (!levels_[ssl_encryption_handshake].write_secret.empty()) {
6528 ADD_FAILURE()
6529 << LevelToString(level)
6530 << " handshake data written after handshake keys installed";
6531 return false;
6532 }
6533 OPENSSL_FALLTHROUGH;
6534 case ssl_encryption_handshake:
6535 if (!levels_[ssl_encryption_application].write_secret.empty()) {
6536 ADD_FAILURE()
6537 << LevelToString(level)
6538 << " handshake data written after application keys installed";
6539 return false;
6540 }
6541 OPENSSL_FALLTHROUGH;
6542 case ssl_encryption_application:
6543 break;
6544 }
6545 }
6546
6547 levels_[level].write_data.insert(levels_[level].write_data.end(),
6548 data.begin(), data.end());
6549 return true;
6550 }
6551
SendAlert(ssl_encryption_level_t level,uint8_t alert_value)6552 bool SendAlert(ssl_encryption_level_t level, uint8_t alert_value) {
6553 if (has_alert_) {
6554 ADD_FAILURE() << "duplicate alert sent";
6555 return false;
6556 }
6557
6558 if (levels_[level].write_secret.empty()) {
6559 ADD_FAILURE() << LevelToString(level)
6560 << " write secret not yet configured";
6561 return false;
6562 }
6563
6564 has_alert_ = true;
6565 alert_level_ = level;
6566 alert_ = alert_value;
6567 return true;
6568 }
6569
ReadHandshakeData(std::vector<uint8_t> * out,ssl_encryption_level_t level,size_t num=std::numeric_limits<size_t>::max ())6570 bool ReadHandshakeData(std::vector<uint8_t> *out,
6571 ssl_encryption_level_t level,
6572 size_t num = std::numeric_limits<size_t>::max()) {
6573 if (levels_[level].read_secret.empty()) {
6574 ADD_FAILURE() << "data read before keys configured in level " << level;
6575 return false;
6576 }
6577 // The peer may not have configured any keys yet.
6578 if (peer_->levels_[level].write_secret.empty()) {
6579 out->clear();
6580 return true;
6581 }
6582 // Check the peer computed the same key.
6583 if (peer_->levels_[level].write_secret != levels_[level].read_secret) {
6584 ADD_FAILURE() << "peer write key does not match read key in level "
6585 << level;
6586 return false;
6587 }
6588 if (peer_->levels_[level].cipher != levels_[level].cipher) {
6589 ADD_FAILURE() << "peer cipher does not match in level " << level;
6590 return false;
6591 }
6592 std::vector<uint8_t> *peer_data = &peer_->levels_[level].write_data;
6593 num = std::min(num, peer_data->size());
6594 out->assign(peer_data->begin(), peer_data->begin() + num);
6595 peer_data->erase(peer_data->begin(), peer_data->begin() + num);
6596 return true;
6597 }
6598
6599 private:
6600 Role role_;
6601 MockQUICTransport *peer_ = nullptr;
6602
6603 bool allow_out_of_order_writes_ = false;
6604 bool has_alert_ = false;
6605 ssl_encryption_level_t alert_level_ = ssl_encryption_initial;
6606 uint8_t alert_ = 0;
6607
6608 struct Level {
6609 std::vector<uint8_t> write_data;
6610 std::vector<uint8_t> write_secret;
6611 std::vector<uint8_t> read_secret;
6612 uint32_t cipher = 0;
6613 };
6614 Level levels_[kNumQUICLevels];
6615 };
6616
6617 class MockQUICTransportPair {
6618 public:
MockQUICTransportPair()6619 MockQUICTransportPair()
6620 : client_(MockQUICTransport::Role::kClient),
6621 server_(MockQUICTransport::Role::kServer) {
6622 client_.set_peer(&server_);
6623 server_.set_peer(&client_);
6624 }
6625
~MockQUICTransportPair()6626 ~MockQUICTransportPair() {
6627 client_.set_peer(nullptr);
6628 server_.set_peer(nullptr);
6629 }
6630
client()6631 MockQUICTransport *client() { return &client_; }
server()6632 MockQUICTransport *server() { return &server_; }
6633
SecretsMatch(ssl_encryption_level_t level) const6634 bool SecretsMatch(ssl_encryption_level_t level) const {
6635 // We only need to check |HasReadSecret| and |HasWriteSecret| on |client_|.
6636 // |PeerSecretsMatch| checks that |server_| is analogously configured.
6637 return client_.PeerSecretsMatch(level) &&
6638 client_.HasWriteSecret(level) &&
6639 (level == ssl_encryption_early_data || client_.HasReadSecret(level));
6640 }
6641
6642 private:
6643 MockQUICTransport client_;
6644 MockQUICTransport server_;
6645 };
6646
6647 class QUICMethodTest : public testing::Test {
6648 protected:
SetUp()6649 void SetUp() override {
6650 client_ctx_.reset(SSL_CTX_new(TLS_method()));
6651 server_ctx_ = CreateContextWithTestCertificate(TLS_method());
6652 ASSERT_TRUE(client_ctx_);
6653 ASSERT_TRUE(server_ctx_);
6654
6655 SSL_CTX_set_min_proto_version(server_ctx_.get(), TLS1_3_VERSION);
6656 SSL_CTX_set_max_proto_version(server_ctx_.get(), TLS1_3_VERSION);
6657 SSL_CTX_set_min_proto_version(client_ctx_.get(), TLS1_3_VERSION);
6658 SSL_CTX_set_max_proto_version(client_ctx_.get(), TLS1_3_VERSION);
6659
6660 static const uint8_t kALPNProtos[] = {0x03, 'f', 'o', 'o'};
6661 ASSERT_EQ(SSL_CTX_set_alpn_protos(client_ctx_.get(), kALPNProtos,
6662 sizeof(kALPNProtos)),
6663 0);
6664 SSL_CTX_set_alpn_select_cb(
6665 server_ctx_.get(),
6666 [](SSL *ssl, const uint8_t **out, uint8_t *out_len, const uint8_t *in,
6667 unsigned in_len, void *arg) -> int {
6668 return SSL_select_next_proto(
6669 const_cast<uint8_t **>(out), out_len, in, in_len,
6670 kALPNProtos, sizeof(kALPNProtos)) == OPENSSL_NPN_NEGOTIATED
6671 ? SSL_TLSEXT_ERR_OK
6672 : SSL_TLSEXT_ERR_NOACK;
6673 },
6674 nullptr);
6675 }
6676
TransportFromSSL(const SSL * ssl)6677 static MockQUICTransport *TransportFromSSL(const SSL *ssl) {
6678 return ex_data_.Get(ssl);
6679 }
6680
ProvideHandshakeData(SSL * ssl,size_t num=std::numeric_limits<size_t>::max ())6681 static bool ProvideHandshakeData(
6682 SSL *ssl, size_t num = std::numeric_limits<size_t>::max()) {
6683 MockQUICTransport *transport = TransportFromSSL(ssl);
6684 ssl_encryption_level_t level = SSL_quic_read_level(ssl);
6685 std::vector<uint8_t> data;
6686 return transport->ReadHandshakeData(&data, level, num) &&
6687 SSL_provide_quic_data(ssl, level, data.data(), data.size());
6688 }
6689
AllowOutOfOrderWrites()6690 void AllowOutOfOrderWrites() {
6691 allow_out_of_order_writes_ = true;
6692 }
6693
CreateClientAndServer()6694 bool CreateClientAndServer() {
6695 client_.reset(SSL_new(client_ctx_.get()));
6696 server_.reset(SSL_new(server_ctx_.get()));
6697 if (!client_ || !server_) {
6698 return false;
6699 }
6700
6701 SSL_set_connect_state(client_.get());
6702 SSL_set_accept_state(server_.get());
6703
6704 transport_ = std::make_unique<MockQUICTransportPair>();
6705 if (!ex_data_.Set(client_.get(), transport_->client()) ||
6706 !ex_data_.Set(server_.get(), transport_->server())) {
6707 return false;
6708 }
6709 if (allow_out_of_order_writes_) {
6710 transport_->client()->AllowOutOfOrderWrites();
6711 transport_->server()->AllowOutOfOrderWrites();
6712 }
6713 static const uint8_t client_transport_params[] = {0};
6714 if (!SSL_set_quic_transport_params(client_.get(), client_transport_params,
6715 sizeof(client_transport_params)) ||
6716 !SSL_set_quic_transport_params(server_.get(),
6717 server_transport_params_.data(),
6718 server_transport_params_.size()) ||
6719 !SSL_set_quic_early_data_context(
6720 server_.get(), server_quic_early_data_context_.data(),
6721 server_quic_early_data_context_.size())) {
6722 return false;
6723 }
6724 return true;
6725 }
6726
6727 enum class ExpectedError {
6728 kNoError,
6729 kClientError,
6730 kServerError,
6731 };
6732
6733 // CompleteHandshakesForQUIC runs |SSL_do_handshake| on |client_| and
6734 // |server_| until each completes once. It returns true on success and false
6735 // on failure.
CompleteHandshakesForQUIC()6736 bool CompleteHandshakesForQUIC() {
6737 return RunQUICHandshakesAndExpectError(ExpectedError::kNoError);
6738 }
6739
6740 // Runs |SSL_do_handshake| on |client_| and |server_| until each completes
6741 // once. If |expect_client_error| is true, it will return true only if the
6742 // client handshake failed. Otherwise, it returns true if both handshakes
6743 // succeed and false otherwise.
RunQUICHandshakesAndExpectError(ExpectedError expected_error)6744 bool RunQUICHandshakesAndExpectError(ExpectedError expected_error) {
6745 bool client_done = false, server_done = false;
6746 while (!client_done || !server_done) {
6747 if (!client_done) {
6748 if (!ProvideHandshakeData(client_.get())) {
6749 ADD_FAILURE() << "ProvideHandshakeData(client_) failed";
6750 return false;
6751 }
6752 int client_ret = SSL_do_handshake(client_.get());
6753 int client_err = SSL_get_error(client_.get(), client_ret);
6754 if (client_ret == 1) {
6755 client_done = true;
6756 } else if (client_ret != -1 || client_err != SSL_ERROR_WANT_READ) {
6757 if (expected_error == ExpectedError::kClientError) {
6758 return true;
6759 }
6760 ADD_FAILURE() << "Unexpected client output: " << client_ret << " "
6761 << client_err;
6762 return false;
6763 }
6764 }
6765
6766 if (!server_done) {
6767 if (!ProvideHandshakeData(server_.get())) {
6768 ADD_FAILURE() << "ProvideHandshakeData(server_) failed";
6769 return false;
6770 }
6771 int server_ret = SSL_do_handshake(server_.get());
6772 int server_err = SSL_get_error(server_.get(), server_ret);
6773 if (server_ret == 1) {
6774 server_done = true;
6775 } else if (server_ret != -1 || server_err != SSL_ERROR_WANT_READ) {
6776 if (expected_error == ExpectedError::kServerError) {
6777 return true;
6778 }
6779 ADD_FAILURE() << "Unexpected server output: " << server_ret << " "
6780 << server_err;
6781 return false;
6782 }
6783 }
6784 }
6785 return expected_error == ExpectedError::kNoError;
6786 }
6787
CreateClientSessionForQUIC()6788 bssl::UniquePtr<SSL_SESSION> CreateClientSessionForQUIC() {
6789 g_last_session = nullptr;
6790 SSL_CTX_sess_set_new_cb(client_ctx_.get(), SaveLastSession);
6791 if (!CreateClientAndServer() ||
6792 !CompleteHandshakesForQUIC()) {
6793 return nullptr;
6794 }
6795
6796 // The server sent NewSessionTicket messages in the handshake.
6797 if (!ProvideHandshakeData(client_.get()) ||
6798 !SSL_process_quic_post_handshake(client_.get())) {
6799 return nullptr;
6800 }
6801
6802 return std::move(g_last_session);
6803 }
6804
ExpectHandshakeSuccess()6805 void ExpectHandshakeSuccess() {
6806 EXPECT_TRUE(transport_->SecretsMatch(ssl_encryption_application));
6807 EXPECT_EQ(ssl_encryption_application, SSL_quic_read_level(client_.get()));
6808 EXPECT_EQ(ssl_encryption_application, SSL_quic_write_level(client_.get()));
6809 EXPECT_EQ(ssl_encryption_application, SSL_quic_read_level(server_.get()));
6810 EXPECT_EQ(ssl_encryption_application, SSL_quic_write_level(server_.get()));
6811 EXPECT_FALSE(transport_->client()->has_alert());
6812 EXPECT_FALSE(transport_->server()->has_alert());
6813
6814 // SSL_do_handshake is now idempotent.
6815 EXPECT_EQ(SSL_do_handshake(client_.get()), 1);
6816 EXPECT_EQ(SSL_do_handshake(server_.get()), 1);
6817 }
6818
6819 // Returns a default SSL_QUIC_METHOD. Individual methods may be overwritten by
6820 // the test.
DefaultQUICMethod()6821 SSL_QUIC_METHOD DefaultQUICMethod() {
6822 return SSL_QUIC_METHOD{
6823 SetReadSecretCallback, SetWriteSecretCallback, AddHandshakeDataCallback,
6824 FlushFlightCallback, SendAlertCallback,
6825 };
6826 }
6827
SetReadSecretCallback(SSL * ssl,ssl_encryption_level_t level,const SSL_CIPHER * cipher,const uint8_t * secret,size_t secret_len)6828 static int SetReadSecretCallback(SSL *ssl, ssl_encryption_level_t level,
6829 const SSL_CIPHER *cipher,
6830 const uint8_t *secret, size_t secret_len) {
6831 return TransportFromSSL(ssl)->SetReadSecret(
6832 level, cipher, MakeConstSpan(secret, secret_len));
6833 }
6834
SetWriteSecretCallback(SSL * ssl,ssl_encryption_level_t level,const SSL_CIPHER * cipher,const uint8_t * secret,size_t secret_len)6835 static int SetWriteSecretCallback(SSL *ssl, ssl_encryption_level_t level,
6836 const SSL_CIPHER *cipher,
6837 const uint8_t *secret, size_t secret_len) {
6838 return TransportFromSSL(ssl)->SetWriteSecret(
6839 level, cipher, MakeConstSpan(secret, secret_len));
6840 }
6841
AddHandshakeDataCallback(SSL * ssl,enum ssl_encryption_level_t level,const uint8_t * data,size_t len)6842 static int AddHandshakeDataCallback(SSL *ssl,
6843 enum ssl_encryption_level_t level,
6844 const uint8_t *data, size_t len) {
6845 EXPECT_EQ(level, SSL_quic_write_level(ssl));
6846 return TransportFromSSL(ssl)->WriteHandshakeData(level,
6847 MakeConstSpan(data, len));
6848 }
6849
FlushFlightCallback(SSL * ssl)6850 static int FlushFlightCallback(SSL *ssl) { return 1; }
6851
SendAlertCallback(SSL * ssl,ssl_encryption_level_t level,uint8_t alert)6852 static int SendAlertCallback(SSL *ssl, ssl_encryption_level_t level,
6853 uint8_t alert) {
6854 EXPECT_EQ(level, SSL_quic_write_level(ssl));
6855 return TransportFromSSL(ssl)->SendAlert(level, alert);
6856 }
6857
6858 bssl::UniquePtr<SSL_CTX> client_ctx_;
6859 bssl::UniquePtr<SSL_CTX> server_ctx_;
6860
6861 static UnownedSSLExData<MockQUICTransport> ex_data_;
6862 std::unique_ptr<MockQUICTransportPair> transport_;
6863
6864 bssl::UniquePtr<SSL> client_;
6865 bssl::UniquePtr<SSL> server_;
6866
6867 std::vector<uint8_t> server_transport_params_ = {1};
6868 std::vector<uint8_t> server_quic_early_data_context_ = {2};
6869
6870 bool allow_out_of_order_writes_ = false;
6871 };
6872
6873 UnownedSSLExData<MockQUICTransport> QUICMethodTest::ex_data_;
6874
6875 // Test a full handshake and resumption work.
TEST_F(QUICMethodTest,Basic)6876 TEST_F(QUICMethodTest, Basic) {
6877 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6878
6879 g_last_session = nullptr;
6880
6881 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6882 SSL_CTX_sess_set_new_cb(client_ctx_.get(), SaveLastSession);
6883 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6884 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6885
6886 ASSERT_TRUE(CreateClientAndServer());
6887 ASSERT_TRUE(CompleteHandshakesForQUIC());
6888
6889 ExpectHandshakeSuccess();
6890 EXPECT_FALSE(SSL_session_reused(client_.get()));
6891 EXPECT_FALSE(SSL_session_reused(server_.get()));
6892
6893 // The server sent NewSessionTicket messages in the handshake.
6894 EXPECT_FALSE(g_last_session);
6895 ASSERT_TRUE(ProvideHandshakeData(client_.get()));
6896 EXPECT_EQ(SSL_process_quic_post_handshake(client_.get()), 1);
6897 EXPECT_TRUE(g_last_session);
6898
6899 // Create a second connection to verify resumption works.
6900 ASSERT_TRUE(CreateClientAndServer());
6901 bssl::UniquePtr<SSL_SESSION> session = std::move(g_last_session);
6902 SSL_set_session(client_.get(), session.get());
6903
6904 ASSERT_TRUE(CompleteHandshakesForQUIC());
6905
6906 ExpectHandshakeSuccess();
6907 EXPECT_TRUE(SSL_session_reused(client_.get()));
6908 EXPECT_TRUE(SSL_session_reused(server_.get()));
6909 }
6910
6911 // Test that HelloRetryRequest in QUIC works.
TEST_F(QUICMethodTest,HelloRetryRequest)6912 TEST_F(QUICMethodTest, HelloRetryRequest) {
6913 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6914
6915 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6916 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6917
6918 // BoringSSL predicts the most preferred ECDH group, so using different
6919 // preferences will trigger HelloRetryRequest.
6920 static const int kClientPrefs[] = {NID_X25519, NID_X9_62_prime256v1};
6921 ASSERT_TRUE(SSL_CTX_set1_groups(client_ctx_.get(), kClientPrefs,
6922 OPENSSL_ARRAY_SIZE(kClientPrefs)));
6923 static const int kServerPrefs[] = {NID_X9_62_prime256v1, NID_X25519};
6924 ASSERT_TRUE(SSL_CTX_set1_groups(server_ctx_.get(), kServerPrefs,
6925 OPENSSL_ARRAY_SIZE(kServerPrefs)));
6926
6927 ASSERT_TRUE(CreateClientAndServer());
6928 ASSERT_TRUE(CompleteHandshakesForQUIC());
6929 ExpectHandshakeSuccess();
6930 }
6931
6932 // Test that the client does not send a legacy_session_id in the ClientHello.
TEST_F(QUICMethodTest,NoLegacySessionId)6933 TEST_F(QUICMethodTest, NoLegacySessionId) {
6934 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6935
6936 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6937 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6938 // Check that the session ID length is 0 in an early callback.
6939 SSL_CTX_set_select_certificate_cb(
6940 server_ctx_.get(),
6941 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
6942 EXPECT_EQ(client_hello->session_id_len, 0u);
6943 return ssl_select_cert_success;
6944 });
6945
6946 ASSERT_TRUE(CreateClientAndServer());
6947 ASSERT_TRUE(CompleteHandshakesForQUIC());
6948
6949 ExpectHandshakeSuccess();
6950 }
6951
6952 // Test that, even in a 1-RTT handshake, the server installs keys at the right
6953 // time. Half-RTT keys are available early, but 1-RTT read keys are deferred.
TEST_F(QUICMethodTest,HalfRTTKeys)6954 TEST_F(QUICMethodTest, HalfRTTKeys) {
6955 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6956
6957 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6958 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6959 ASSERT_TRUE(CreateClientAndServer());
6960
6961 // The client sends ClientHello.
6962 ASSERT_EQ(SSL_do_handshake(client_.get()), -1);
6963 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(client_.get(), -1));
6964
6965 // The server reads ClientHello and sends ServerHello..Finished.
6966 ASSERT_TRUE(ProvideHandshakeData(server_.get()));
6967 ASSERT_EQ(SSL_do_handshake(server_.get()), -1);
6968 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(server_.get(), -1));
6969
6970 // At this point, the server has half-RTT write keys, but it cannot access
6971 // 1-RTT read keys until client Finished.
6972 EXPECT_TRUE(transport_->server()->HasWriteSecret(ssl_encryption_application));
6973 EXPECT_FALSE(transport_->server()->HasReadSecret(ssl_encryption_application));
6974
6975 // Finish up the client and server handshakes.
6976 ASSERT_TRUE(CompleteHandshakesForQUIC());
6977
6978 // Both sides can now exchange 1-RTT data.
6979 ExpectHandshakeSuccess();
6980 }
6981
TEST_F(QUICMethodTest,ZeroRTTAccept)6982 TEST_F(QUICMethodTest, ZeroRTTAccept) {
6983 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
6984
6985 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
6986 SSL_CTX_set_early_data_enabled(client_ctx_.get(), 1);
6987 SSL_CTX_set_early_data_enabled(server_ctx_.get(), 1);
6988 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
6989 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
6990
6991 bssl::UniquePtr<SSL_SESSION> session = CreateClientSessionForQUIC();
6992 ASSERT_TRUE(session);
6993
6994 ASSERT_TRUE(CreateClientAndServer());
6995 SSL_set_session(client_.get(), session.get());
6996
6997 // The client handshake should return immediately into the early data state.
6998 ASSERT_EQ(SSL_do_handshake(client_.get()), 1);
6999 EXPECT_TRUE(SSL_in_early_data(client_.get()));
7000 // The transport should have keys for sending 0-RTT data.
7001 EXPECT_TRUE(transport_->client()->HasWriteSecret(ssl_encryption_early_data));
7002
7003 // The server will consume the ClientHello and also enter the early data
7004 // state.
7005 ASSERT_TRUE(ProvideHandshakeData(server_.get()));
7006 ASSERT_EQ(SSL_do_handshake(server_.get()), 1);
7007 EXPECT_TRUE(SSL_in_early_data(server_.get()));
7008 EXPECT_TRUE(transport_->SecretsMatch(ssl_encryption_early_data));
7009 // At this point, the server has half-RTT write keys, but it cannot access
7010 // 1-RTT read keys until client Finished.
7011 EXPECT_TRUE(transport_->server()->HasWriteSecret(ssl_encryption_application));
7012 EXPECT_FALSE(transport_->server()->HasReadSecret(ssl_encryption_application));
7013
7014 // Finish up the client and server handshakes.
7015 ASSERT_TRUE(CompleteHandshakesForQUIC());
7016
7017 // Both sides can now exchange 1-RTT data.
7018 ExpectHandshakeSuccess();
7019 EXPECT_TRUE(SSL_session_reused(client_.get()));
7020 EXPECT_TRUE(SSL_session_reused(server_.get()));
7021 EXPECT_FALSE(SSL_in_early_data(client_.get()));
7022 EXPECT_FALSE(SSL_in_early_data(server_.get()));
7023 EXPECT_TRUE(SSL_early_data_accepted(client_.get()));
7024 EXPECT_TRUE(SSL_early_data_accepted(server_.get()));
7025
7026 // Finish handling post-handshake messages after the first 0-RTT resumption.
7027 EXPECT_TRUE(ProvideHandshakeData(client_.get()));
7028 EXPECT_TRUE(SSL_process_quic_post_handshake(client_.get()));
7029
7030 // Perform a second 0-RTT resumption attempt, and confirm that 0-RTT is
7031 // accepted again.
7032 ASSERT_TRUE(CreateClientAndServer());
7033 SSL_set_session(client_.get(), g_last_session.get());
7034
7035 // The client handshake should return immediately into the early data state.
7036 ASSERT_EQ(SSL_do_handshake(client_.get()), 1);
7037 EXPECT_TRUE(SSL_in_early_data(client_.get()));
7038 // The transport should have keys for sending 0-RTT data.
7039 EXPECT_TRUE(transport_->client()->HasWriteSecret(ssl_encryption_early_data));
7040
7041 // The server will consume the ClientHello and also enter the early data
7042 // state.
7043 ASSERT_TRUE(ProvideHandshakeData(server_.get()));
7044 ASSERT_EQ(SSL_do_handshake(server_.get()), 1);
7045 EXPECT_TRUE(SSL_in_early_data(server_.get()));
7046 EXPECT_TRUE(transport_->SecretsMatch(ssl_encryption_early_data));
7047 // At this point, the server has half-RTT write keys, but it cannot access
7048 // 1-RTT read keys until client Finished.
7049 EXPECT_TRUE(transport_->server()->HasWriteSecret(ssl_encryption_application));
7050 EXPECT_FALSE(transport_->server()->HasReadSecret(ssl_encryption_application));
7051
7052 // Finish up the client and server handshakes.
7053 ASSERT_TRUE(CompleteHandshakesForQUIC());
7054
7055 // Both sides can now exchange 1-RTT data.
7056 ExpectHandshakeSuccess();
7057 EXPECT_TRUE(SSL_session_reused(client_.get()));
7058 EXPECT_TRUE(SSL_session_reused(server_.get()));
7059 EXPECT_FALSE(SSL_in_early_data(client_.get()));
7060 EXPECT_FALSE(SSL_in_early_data(server_.get()));
7061 EXPECT_TRUE(SSL_early_data_accepted(client_.get()));
7062 EXPECT_TRUE(SSL_early_data_accepted(server_.get()));
7063 EXPECT_EQ(SSL_get_early_data_reason(client_.get()), ssl_early_data_accepted);
7064 EXPECT_EQ(SSL_get_early_data_reason(server_.get()), ssl_early_data_accepted);
7065 }
7066
TEST_F(QUICMethodTest,ZeroRTTRejectMismatchedParameters)7067 TEST_F(QUICMethodTest, ZeroRTTRejectMismatchedParameters) {
7068 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7069
7070 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
7071 SSL_CTX_set_early_data_enabled(client_ctx_.get(), 1);
7072 SSL_CTX_set_early_data_enabled(server_ctx_.get(), 1);
7073 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7074 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7075
7076
7077 bssl::UniquePtr<SSL_SESSION> session = CreateClientSessionForQUIC();
7078 ASSERT_TRUE(session);
7079
7080 ASSERT_TRUE(CreateClientAndServer());
7081 static const uint8_t new_context[] = {4};
7082 ASSERT_TRUE(SSL_set_quic_early_data_context(server_.get(), new_context,
7083 sizeof(new_context)));
7084 SSL_set_session(client_.get(), session.get());
7085
7086 // The client handshake should return immediately into the early data
7087 // state.
7088 ASSERT_EQ(SSL_do_handshake(client_.get()), 1);
7089 EXPECT_TRUE(SSL_in_early_data(client_.get()));
7090 // The transport should have keys for sending 0-RTT data.
7091 EXPECT_TRUE(transport_->client()->HasWriteSecret(ssl_encryption_early_data));
7092
7093 // The server will consume the ClientHello, but it will not accept 0-RTT.
7094 ASSERT_TRUE(ProvideHandshakeData(server_.get()));
7095 ASSERT_EQ(SSL_do_handshake(server_.get()), -1);
7096 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(server_.get(), -1));
7097 EXPECT_FALSE(SSL_in_early_data(server_.get()));
7098 EXPECT_FALSE(transport_->server()->HasReadSecret(ssl_encryption_early_data));
7099
7100 // The client consumes the server response and signals 0-RTT rejection.
7101 for (;;) {
7102 ASSERT_TRUE(ProvideHandshakeData(client_.get()));
7103 ASSERT_EQ(-1, SSL_do_handshake(client_.get()));
7104 int err = SSL_get_error(client_.get(), -1);
7105 if (err == SSL_ERROR_EARLY_DATA_REJECTED) {
7106 break;
7107 }
7108 ASSERT_EQ(SSL_ERROR_WANT_READ, err);
7109 }
7110
7111 // As in TLS over TCP, 0-RTT rejection is sticky.
7112 ASSERT_EQ(-1, SSL_do_handshake(client_.get()));
7113 ASSERT_EQ(SSL_ERROR_EARLY_DATA_REJECTED, SSL_get_error(client_.get(), -1));
7114
7115 // Finish up the client and server handshakes.
7116 SSL_reset_early_data_reject(client_.get());
7117 ASSERT_TRUE(CompleteHandshakesForQUIC());
7118
7119 // Both sides can now exchange 1-RTT data.
7120 ExpectHandshakeSuccess();
7121 EXPECT_TRUE(SSL_session_reused(client_.get()));
7122 EXPECT_TRUE(SSL_session_reused(server_.get()));
7123 EXPECT_FALSE(SSL_in_early_data(client_.get()));
7124 EXPECT_FALSE(SSL_in_early_data(server_.get()));
7125 EXPECT_FALSE(SSL_early_data_accepted(client_.get()));
7126 EXPECT_FALSE(SSL_early_data_accepted(server_.get()));
7127 }
7128
TEST_F(QUICMethodTest,NoZeroRTTTicketWithoutEarlyDataContext)7129 TEST_F(QUICMethodTest, NoZeroRTTTicketWithoutEarlyDataContext) {
7130 server_quic_early_data_context_ = {};
7131 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7132
7133 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
7134 SSL_CTX_set_early_data_enabled(client_ctx_.get(), 1);
7135 SSL_CTX_set_early_data_enabled(server_ctx_.get(), 1);
7136 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7137 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7138
7139 bssl::UniquePtr<SSL_SESSION> session = CreateClientSessionForQUIC();
7140 ASSERT_TRUE(session);
7141 EXPECT_FALSE(SSL_SESSION_early_data_capable(session.get()));
7142 }
7143
TEST_F(QUICMethodTest,ZeroRTTReject)7144 TEST_F(QUICMethodTest, ZeroRTTReject) {
7145 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7146
7147 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
7148 SSL_CTX_set_early_data_enabled(client_ctx_.get(), 1);
7149 SSL_CTX_set_early_data_enabled(server_ctx_.get(), 1);
7150 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7151 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7152
7153 bssl::UniquePtr<SSL_SESSION> session = CreateClientSessionForQUIC();
7154 ASSERT_TRUE(session);
7155
7156 for (bool reject_hrr : {false, true}) {
7157 SCOPED_TRACE(reject_hrr);
7158
7159 ASSERT_TRUE(CreateClientAndServer());
7160 if (reject_hrr) {
7161 // Configure the server to prefer P-256, which will reject 0-RTT via
7162 // HelloRetryRequest.
7163 int p256 = NID_X9_62_prime256v1;
7164 ASSERT_TRUE(SSL_set1_groups(server_.get(), &p256, 1));
7165 } else {
7166 // Disable 0-RTT on the server, so it will reject it.
7167 SSL_set_early_data_enabled(server_.get(), 0);
7168 }
7169 SSL_set_session(client_.get(), session.get());
7170
7171 // The client handshake should return immediately into the early data state.
7172 ASSERT_EQ(SSL_do_handshake(client_.get()), 1);
7173 EXPECT_TRUE(SSL_in_early_data(client_.get()));
7174 // The transport should have keys for sending 0-RTT data.
7175 EXPECT_TRUE(
7176 transport_->client()->HasWriteSecret(ssl_encryption_early_data));
7177
7178 // The server will consume the ClientHello, but it will not accept 0-RTT.
7179 ASSERT_TRUE(ProvideHandshakeData(server_.get()));
7180 ASSERT_EQ(SSL_do_handshake(server_.get()), -1);
7181 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(server_.get(), -1));
7182 EXPECT_FALSE(SSL_in_early_data(server_.get()));
7183 EXPECT_FALSE(
7184 transport_->server()->HasReadSecret(ssl_encryption_early_data));
7185
7186 // The client consumes the server response and signals 0-RTT rejection.
7187 for (;;) {
7188 ASSERT_TRUE(ProvideHandshakeData(client_.get()));
7189 ASSERT_EQ(-1, SSL_do_handshake(client_.get()));
7190 int err = SSL_get_error(client_.get(), -1);
7191 if (err == SSL_ERROR_EARLY_DATA_REJECTED) {
7192 break;
7193 }
7194 ASSERT_EQ(SSL_ERROR_WANT_READ, err);
7195 }
7196
7197 // As in TLS over TCP, 0-RTT rejection is sticky.
7198 ASSERT_EQ(-1, SSL_do_handshake(client_.get()));
7199 ASSERT_EQ(SSL_ERROR_EARLY_DATA_REJECTED, SSL_get_error(client_.get(), -1));
7200
7201 // Finish up the client and server handshakes.
7202 SSL_reset_early_data_reject(client_.get());
7203 ASSERT_TRUE(CompleteHandshakesForQUIC());
7204
7205 // Both sides can now exchange 1-RTT data.
7206 ExpectHandshakeSuccess();
7207 EXPECT_TRUE(SSL_session_reused(client_.get()));
7208 EXPECT_TRUE(SSL_session_reused(server_.get()));
7209 EXPECT_FALSE(SSL_in_early_data(client_.get()));
7210 EXPECT_FALSE(SSL_in_early_data(server_.get()));
7211 EXPECT_FALSE(SSL_early_data_accepted(client_.get()));
7212 EXPECT_FALSE(SSL_early_data_accepted(server_.get()));
7213 }
7214 }
7215
TEST_F(QUICMethodTest,NoZeroRTTKeysBeforeReverify)7216 TEST_F(QUICMethodTest, NoZeroRTTKeysBeforeReverify) {
7217 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7218
7219 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
7220 SSL_CTX_set_early_data_enabled(client_ctx_.get(), 1);
7221 SSL_CTX_set_reverify_on_resume(client_ctx_.get(), 1);
7222 SSL_CTX_set_early_data_enabled(server_ctx_.get(), 1);
7223 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7224 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7225
7226 bssl::UniquePtr<SSL_SESSION> session = CreateClientSessionForQUIC();
7227 ASSERT_TRUE(session);
7228
7229 ASSERT_TRUE(CreateClientAndServer());
7230 SSL_set_session(client_.get(), session.get());
7231
7232 // Configure the certificate (re)verification to never complete. The client
7233 // handshake should pause.
7234 SSL_set_custom_verify(
7235 client_.get(), SSL_VERIFY_PEER,
7236 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
7237 return ssl_verify_retry;
7238 });
7239 ASSERT_EQ(SSL_do_handshake(client_.get()), -1);
7240 ASSERT_EQ(SSL_get_error(client_.get(), -1),
7241 SSL_ERROR_WANT_CERTIFICATE_VERIFY);
7242
7243 // The early data keys have not yet been released.
7244 EXPECT_FALSE(transport_->client()->HasWriteSecret(ssl_encryption_early_data));
7245
7246 // After the verification completes, the handshake progresses to the 0-RTT
7247 // point and releases keys.
7248 SSL_set_custom_verify(
7249 client_.get(), SSL_VERIFY_PEER,
7250 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
7251 return ssl_verify_ok;
7252 });
7253 ASSERT_EQ(SSL_do_handshake(client_.get()), 1);
7254 EXPECT_TRUE(SSL_in_early_data(client_.get()));
7255 EXPECT_TRUE(transport_->client()->HasWriteSecret(ssl_encryption_early_data));
7256 }
7257
7258 // Test only releasing data to QUIC one byte at a time on request, to maximize
7259 // state machine pauses. Additionally, test that existing asynchronous callbacks
7260 // still work.
TEST_F(QUICMethodTest,Async)7261 TEST_F(QUICMethodTest, Async) {
7262 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7263
7264 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7265 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7266 ASSERT_TRUE(CreateClientAndServer());
7267
7268 // Install an asynchronous certificate callback.
7269 bool cert_cb_ok = false;
7270 SSL_set_cert_cb(server_.get(),
7271 [](SSL *, void *arg) -> int {
7272 return *static_cast<bool *>(arg) ? 1 : -1;
7273 },
7274 &cert_cb_ok);
7275
7276 for (;;) {
7277 int client_ret = SSL_do_handshake(client_.get());
7278 if (client_ret != 1) {
7279 ASSERT_EQ(client_ret, -1);
7280 ASSERT_EQ(SSL_get_error(client_.get(), client_ret), SSL_ERROR_WANT_READ);
7281 ASSERT_TRUE(ProvideHandshakeData(client_.get(), 1));
7282 }
7283
7284 int server_ret = SSL_do_handshake(server_.get());
7285 if (server_ret != 1) {
7286 ASSERT_EQ(server_ret, -1);
7287 int ssl_err = SSL_get_error(server_.get(), server_ret);
7288 switch (ssl_err) {
7289 case SSL_ERROR_WANT_READ:
7290 ASSERT_TRUE(ProvideHandshakeData(server_.get(), 1));
7291 break;
7292 case SSL_ERROR_WANT_X509_LOOKUP:
7293 ASSERT_FALSE(cert_cb_ok);
7294 cert_cb_ok = true;
7295 break;
7296 default:
7297 FAIL() << "Unexpected SSL_get_error result: " << ssl_err;
7298 }
7299 }
7300
7301 if (client_ret == 1 && server_ret == 1) {
7302 break;
7303 }
7304 }
7305
7306 ExpectHandshakeSuccess();
7307 }
7308
7309 // Test buffering write data until explicit flushes.
TEST_F(QUICMethodTest,Buffered)7310 TEST_F(QUICMethodTest, Buffered) {
7311 AllowOutOfOrderWrites();
7312
7313 struct BufferedFlight {
7314 std::vector<uint8_t> data[kNumQUICLevels];
7315 };
7316 static UnownedSSLExData<BufferedFlight> buffered_flights;
7317
7318 auto add_handshake_data = [](SSL *ssl, enum ssl_encryption_level_t level,
7319 const uint8_t *data, size_t len) -> int {
7320 BufferedFlight *flight = buffered_flights.Get(ssl);
7321 flight->data[level].insert(flight->data[level].end(), data, data + len);
7322 return 1;
7323 };
7324
7325 auto flush_flight = [](SSL *ssl) -> int {
7326 BufferedFlight *flight = buffered_flights.Get(ssl);
7327 for (size_t level = 0; level < kNumQUICLevels; level++) {
7328 if (!flight->data[level].empty()) {
7329 if (!TransportFromSSL(ssl)->WriteHandshakeData(
7330 static_cast<ssl_encryption_level_t>(level),
7331 flight->data[level])) {
7332 return 0;
7333 }
7334 flight->data[level].clear();
7335 }
7336 }
7337 return 1;
7338 };
7339
7340 SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7341 quic_method.add_handshake_data = add_handshake_data;
7342 quic_method.flush_flight = flush_flight;
7343
7344 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7345 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7346 ASSERT_TRUE(CreateClientAndServer());
7347
7348 BufferedFlight client_flight, server_flight;
7349 ASSERT_TRUE(buffered_flights.Set(client_.get(), &client_flight));
7350 ASSERT_TRUE(buffered_flights.Set(server_.get(), &server_flight));
7351
7352 ASSERT_TRUE(CompleteHandshakesForQUIC());
7353
7354 ExpectHandshakeSuccess();
7355 }
7356
7357 // Test that excess data at one level is rejected. That is, if a single
7358 // |SSL_provide_quic_data| call included both ServerHello and
7359 // EncryptedExtensions in a single chunk, BoringSSL notices and rejects this on
7360 // key change.
TEST_F(QUICMethodTest,ExcessProvidedData)7361 TEST_F(QUICMethodTest, ExcessProvidedData) {
7362 AllowOutOfOrderWrites();
7363
7364 auto add_handshake_data = [](SSL *ssl, enum ssl_encryption_level_t level,
7365 const uint8_t *data, size_t len) -> int {
7366 // Switch everything to the initial level.
7367 return TransportFromSSL(ssl)->WriteHandshakeData(ssl_encryption_initial,
7368 MakeConstSpan(data, len));
7369 };
7370
7371 SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7372 quic_method.add_handshake_data = add_handshake_data;
7373
7374 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7375 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7376 ASSERT_TRUE(CreateClientAndServer());
7377
7378 // Send the ClientHello and ServerHello through Finished.
7379 ASSERT_EQ(SSL_do_handshake(client_.get()), -1);
7380 ASSERT_EQ(SSL_get_error(client_.get(), -1), SSL_ERROR_WANT_READ);
7381 ASSERT_TRUE(ProvideHandshakeData(server_.get()));
7382 ASSERT_EQ(SSL_do_handshake(server_.get()), -1);
7383 ASSERT_EQ(SSL_get_error(server_.get(), -1), SSL_ERROR_WANT_READ);
7384
7385 // The client is still waiting for the ServerHello at initial
7386 // encryption.
7387 ASSERT_EQ(ssl_encryption_initial, SSL_quic_read_level(client_.get()));
7388
7389 // |add_handshake_data| incorrectly wrote everything at the initial level, so
7390 // this queues up ServerHello through Finished in one chunk.
7391 ASSERT_TRUE(ProvideHandshakeData(client_.get()));
7392
7393 // The client reads ServerHello successfully, but then rejects the buffered
7394 // EncryptedExtensions on key change.
7395 ASSERT_EQ(SSL_do_handshake(client_.get()), -1);
7396 ASSERT_EQ(SSL_get_error(client_.get(), -1), SSL_ERROR_SSL);
7397 EXPECT_TRUE(
7398 ErrorEquals(ERR_get_error(), ERR_LIB_SSL, SSL_R_EXCESS_HANDSHAKE_DATA));
7399
7400 // The client sends an alert in response to this. The alert is sent at
7401 // handshake level because we install write secrets before read secrets and
7402 // the error is discovered when installing the read secret. (How to send
7403 // alerts on protocol syntax errors near key changes is ambiguous in general.)
7404 ASSERT_TRUE(transport_->client()->has_alert());
7405 EXPECT_EQ(transport_->client()->alert_level(), ssl_encryption_handshake);
7406 EXPECT_EQ(transport_->client()->alert(), SSL_AD_UNEXPECTED_MESSAGE);
7407
7408 // Sanity-check handshake secrets. The error is discovered while setting the
7409 // read secret, so only the write secret has been installed.
7410 EXPECT_TRUE(transport_->client()->HasWriteSecret(ssl_encryption_handshake));
7411 EXPECT_FALSE(transport_->client()->HasReadSecret(ssl_encryption_handshake));
7412 }
7413
7414 // Test that |SSL_provide_quic_data| will reject data at the wrong level.
TEST_F(QUICMethodTest,ProvideWrongLevel)7415 TEST_F(QUICMethodTest, ProvideWrongLevel) {
7416 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7417
7418 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7419 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7420 ASSERT_TRUE(CreateClientAndServer());
7421
7422 // Send the ClientHello and ServerHello through Finished.
7423 ASSERT_EQ(SSL_do_handshake(client_.get()), -1);
7424 ASSERT_EQ(SSL_get_error(client_.get(), -1), SSL_ERROR_WANT_READ);
7425 ASSERT_TRUE(ProvideHandshakeData(server_.get()));
7426 ASSERT_EQ(SSL_do_handshake(server_.get()), -1);
7427 ASSERT_EQ(SSL_get_error(server_.get(), -1), SSL_ERROR_WANT_READ);
7428
7429 // The client is still waiting for the ServerHello at initial
7430 // encryption.
7431 ASSERT_EQ(ssl_encryption_initial, SSL_quic_read_level(client_.get()));
7432
7433 // Data cannot be provided at the next level.
7434 std::vector<uint8_t> data;
7435 ASSERT_TRUE(
7436 transport_->client()->ReadHandshakeData(&data, ssl_encryption_initial));
7437 ASSERT_FALSE(SSL_provide_quic_data(client_.get(), ssl_encryption_handshake,
7438 data.data(), data.size()));
7439 ERR_clear_error();
7440
7441 // Progress to EncryptedExtensions.
7442 ASSERT_TRUE(SSL_provide_quic_data(client_.get(), ssl_encryption_initial,
7443 data.data(), data.size()));
7444 ASSERT_EQ(SSL_do_handshake(client_.get()), -1);
7445 ASSERT_EQ(SSL_get_error(client_.get(), -1), SSL_ERROR_WANT_READ);
7446 ASSERT_EQ(ssl_encryption_handshake, SSL_quic_read_level(client_.get()));
7447
7448 // Data cannot be provided at the previous level.
7449 ASSERT_TRUE(
7450 transport_->client()->ReadHandshakeData(&data, ssl_encryption_handshake));
7451 ASSERT_FALSE(SSL_provide_quic_data(client_.get(), ssl_encryption_initial,
7452 data.data(), data.size()));
7453 }
7454
TEST_F(QUICMethodTest,TooMuchData)7455 TEST_F(QUICMethodTest, TooMuchData) {
7456 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7457
7458 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7459 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7460 ASSERT_TRUE(CreateClientAndServer());
7461
7462 size_t limit =
7463 SSL_quic_max_handshake_flight_len(client_.get(), ssl_encryption_initial);
7464 uint8_t b = 0;
7465 for (size_t i = 0; i < limit; i++) {
7466 ASSERT_TRUE(
7467 SSL_provide_quic_data(client_.get(), ssl_encryption_initial, &b, 1));
7468 }
7469
7470 EXPECT_FALSE(
7471 SSL_provide_quic_data(client_.get(), ssl_encryption_initial, &b, 1));
7472 }
7473
7474 // Provide invalid post-handshake data.
TEST_F(QUICMethodTest,BadPostHandshake)7475 TEST_F(QUICMethodTest, BadPostHandshake) {
7476 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7477
7478 g_last_session = nullptr;
7479
7480 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
7481 SSL_CTX_sess_set_new_cb(client_ctx_.get(), SaveLastSession);
7482 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7483 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7484 ASSERT_TRUE(CreateClientAndServer());
7485 ASSERT_TRUE(CompleteHandshakesForQUIC());
7486
7487 EXPECT_EQ(SSL_do_handshake(client_.get()), 1);
7488 EXPECT_EQ(SSL_do_handshake(server_.get()), 1);
7489 EXPECT_TRUE(transport_->SecretsMatch(ssl_encryption_application));
7490 EXPECT_FALSE(transport_->client()->has_alert());
7491 EXPECT_FALSE(transport_->server()->has_alert());
7492
7493 // Junk sent as part of post-handshake data should cause an error.
7494 uint8_t kJunk[] = {0x17, 0x0, 0x0, 0x4, 0xB, 0xE, 0xE, 0xF};
7495 ASSERT_TRUE(SSL_provide_quic_data(client_.get(), ssl_encryption_application,
7496 kJunk, sizeof(kJunk)));
7497 EXPECT_EQ(SSL_process_quic_post_handshake(client_.get()), 0);
7498 }
7499
ExpectReceivedTransportParamsEqual(const SSL * ssl,Span<const uint8_t> expected)7500 static void ExpectReceivedTransportParamsEqual(const SSL *ssl,
7501 Span<const uint8_t> expected) {
7502 const uint8_t *received;
7503 size_t received_len;
7504 SSL_get_peer_quic_transport_params(ssl, &received, &received_len);
7505 ASSERT_EQ(received_len, expected.size());
7506 EXPECT_EQ(Bytes(received, received_len), Bytes(expected));
7507 }
7508
TEST_F(QUICMethodTest,SetTransportParameters)7509 TEST_F(QUICMethodTest, SetTransportParameters) {
7510 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7511 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7512 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7513
7514 ASSERT_TRUE(CreateClientAndServer());
7515 uint8_t kClientParams[] = {1, 2, 3, 4};
7516 uint8_t kServerParams[] = {5, 6, 7};
7517 ASSERT_TRUE(SSL_set_quic_transport_params(client_.get(), kClientParams,
7518 sizeof(kClientParams)));
7519 ASSERT_TRUE(SSL_set_quic_transport_params(server_.get(), kServerParams,
7520 sizeof(kServerParams)));
7521
7522 ASSERT_TRUE(CompleteHandshakesForQUIC());
7523 ExpectReceivedTransportParamsEqual(client_.get(), kServerParams);
7524 ExpectReceivedTransportParamsEqual(server_.get(), kClientParams);
7525 }
7526
TEST_F(QUICMethodTest,SetTransportParamsInCallback)7527 TEST_F(QUICMethodTest, SetTransportParamsInCallback) {
7528 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7529 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7530 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7531
7532 ASSERT_TRUE(CreateClientAndServer());
7533 uint8_t kClientParams[] = {1, 2, 3, 4};
7534 static uint8_t kServerParams[] = {5, 6, 7};
7535 ASSERT_TRUE(SSL_set_quic_transport_params(client_.get(), kClientParams,
7536 sizeof(kClientParams)));
7537 SSL_CTX_set_tlsext_servername_callback(
7538 server_ctx_.get(), [](SSL *ssl, int *out_alert, void *arg) -> int {
7539 EXPECT_TRUE(SSL_set_quic_transport_params(ssl, kServerParams,
7540 sizeof(kServerParams)));
7541 return SSL_TLSEXT_ERR_OK;
7542 });
7543
7544 ASSERT_TRUE(CompleteHandshakesForQUIC());
7545 ExpectReceivedTransportParamsEqual(client_.get(), kServerParams);
7546 ExpectReceivedTransportParamsEqual(server_.get(), kClientParams);
7547 }
7548
TEST_F(QUICMethodTest,ForbidCrossProtocolResumptionClient)7549 TEST_F(QUICMethodTest, ForbidCrossProtocolResumptionClient) {
7550 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7551
7552 g_last_session = nullptr;
7553
7554 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
7555 SSL_CTX_sess_set_new_cb(client_ctx_.get(), SaveLastSession);
7556 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7557 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7558
7559 ASSERT_TRUE(CreateClientAndServer());
7560 ASSERT_TRUE(CompleteHandshakesForQUIC());
7561
7562 ExpectHandshakeSuccess();
7563 EXPECT_FALSE(SSL_session_reused(client_.get()));
7564 EXPECT_FALSE(SSL_session_reused(server_.get()));
7565
7566 // The server sent NewSessionTicket messages in the handshake.
7567 EXPECT_FALSE(g_last_session);
7568 ASSERT_TRUE(ProvideHandshakeData(client_.get()));
7569 EXPECT_EQ(SSL_process_quic_post_handshake(client_.get()), 1);
7570 ASSERT_TRUE(g_last_session);
7571
7572 // Pretend that g_last_session came from a TLS-over-TCP connection.
7573 g_last_session->is_quic = false;
7574
7575 // Create a second connection and verify that resumption does not occur with
7576 // a session from a non-QUIC connection. This tests that the client does not
7577 // offer over QUIC a session believed to be received over TCP. The server
7578 // believes this is a QUIC session, so if the client offered the session, the
7579 // server would have resumed it.
7580 ASSERT_TRUE(CreateClientAndServer());
7581 bssl::UniquePtr<SSL_SESSION> session = std::move(g_last_session);
7582 SSL_set_session(client_.get(), session.get());
7583
7584 ASSERT_TRUE(CompleteHandshakesForQUIC());
7585 ExpectHandshakeSuccess();
7586 EXPECT_FALSE(SSL_session_reused(client_.get()));
7587 EXPECT_FALSE(SSL_session_reused(server_.get()));
7588 }
7589
TEST_F(QUICMethodTest,ForbidCrossProtocolResumptionServer)7590 TEST_F(QUICMethodTest, ForbidCrossProtocolResumptionServer) {
7591 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7592
7593 g_last_session = nullptr;
7594
7595 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
7596 SSL_CTX_sess_set_new_cb(client_ctx_.get(), SaveLastSession);
7597 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7598 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7599
7600 ASSERT_TRUE(CreateClientAndServer());
7601 ASSERT_TRUE(CompleteHandshakesForQUIC());
7602
7603 ExpectHandshakeSuccess();
7604 EXPECT_FALSE(SSL_session_reused(client_.get()));
7605 EXPECT_FALSE(SSL_session_reused(server_.get()));
7606
7607 // The server sent NewSessionTicket messages in the handshake.
7608 EXPECT_FALSE(g_last_session);
7609 ASSERT_TRUE(ProvideHandshakeData(client_.get()));
7610 EXPECT_EQ(SSL_process_quic_post_handshake(client_.get()), 1);
7611 ASSERT_TRUE(g_last_session);
7612
7613 // Attempt a resumption with g_last_session using TLS_method.
7614 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
7615 ASSERT_TRUE(client_ctx);
7616
7617 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), nullptr));
7618
7619 bssl::UniquePtr<SSL> client(SSL_new(client_ctx.get())),
7620 server(SSL_new(server_ctx_.get()));
7621 ASSERT_TRUE(client);
7622 ASSERT_TRUE(server);
7623 SSL_set_connect_state(client.get());
7624 SSL_set_accept_state(server.get());
7625
7626 // The TLS-over-TCP client will refuse to resume with a quic session, so
7627 // mark is_quic = false to bypass the client check to test the server check.
7628 g_last_session->is_quic = false;
7629 SSL_set_session(client.get(), g_last_session.get());
7630
7631 BIO *bio1, *bio2;
7632 ASSERT_TRUE(BIO_new_bio_pair(&bio1, 0, &bio2, 0));
7633
7634 // SSL_set_bio takes ownership.
7635 SSL_set_bio(client.get(), bio1, bio1);
7636 SSL_set_bio(server.get(), bio2, bio2);
7637 ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
7638
7639 EXPECT_FALSE(SSL_session_reused(client.get()));
7640 EXPECT_FALSE(SSL_session_reused(server.get()));
7641 }
7642
TEST_F(QUICMethodTest,ClientRejectsMissingTransportParams)7643 TEST_F(QUICMethodTest, ClientRejectsMissingTransportParams) {
7644 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7645 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7646 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7647
7648 ASSERT_TRUE(CreateClientAndServer());
7649 ASSERT_TRUE(SSL_set_quic_transport_params(server_.get(), nullptr, 0));
7650 ASSERT_TRUE(RunQUICHandshakesAndExpectError(ExpectedError::kServerError));
7651 }
7652
TEST_F(QUICMethodTest,ServerRejectsMissingTransportParams)7653 TEST_F(QUICMethodTest, ServerRejectsMissingTransportParams) {
7654 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7655 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7656 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7657
7658 ASSERT_TRUE(CreateClientAndServer());
7659 ASSERT_TRUE(SSL_set_quic_transport_params(client_.get(), nullptr, 0));
7660 ASSERT_TRUE(RunQUICHandshakesAndExpectError(ExpectedError::kClientError));
7661 }
7662
TEST_F(QUICMethodTest,QuicLegacyCodepointEnabled)7663 TEST_F(QUICMethodTest, QuicLegacyCodepointEnabled) {
7664 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7665 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7666 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7667
7668 ASSERT_TRUE(CreateClientAndServer());
7669 uint8_t kClientParams[] = {1, 2, 3, 4};
7670 uint8_t kServerParams[] = {5, 6, 7};
7671 SSL_set_quic_use_legacy_codepoint(client_.get(), 1);
7672 SSL_set_quic_use_legacy_codepoint(server_.get(), 1);
7673 ASSERT_TRUE(SSL_set_quic_transport_params(client_.get(), kClientParams,
7674 sizeof(kClientParams)));
7675 ASSERT_TRUE(SSL_set_quic_transport_params(server_.get(), kServerParams,
7676 sizeof(kServerParams)));
7677
7678 ASSERT_TRUE(CompleteHandshakesForQUIC());
7679 ExpectReceivedTransportParamsEqual(client_.get(), kServerParams);
7680 ExpectReceivedTransportParamsEqual(server_.get(), kClientParams);
7681 }
7682
TEST_F(QUICMethodTest,QuicLegacyCodepointDisabled)7683 TEST_F(QUICMethodTest, QuicLegacyCodepointDisabled) {
7684 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7685 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7686 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7687
7688 ASSERT_TRUE(CreateClientAndServer());
7689 uint8_t kClientParams[] = {1, 2, 3, 4};
7690 uint8_t kServerParams[] = {5, 6, 7};
7691 SSL_set_quic_use_legacy_codepoint(client_.get(), 0);
7692 SSL_set_quic_use_legacy_codepoint(server_.get(), 0);
7693 ASSERT_TRUE(SSL_set_quic_transport_params(client_.get(), kClientParams,
7694 sizeof(kClientParams)));
7695 ASSERT_TRUE(SSL_set_quic_transport_params(server_.get(), kServerParams,
7696 sizeof(kServerParams)));
7697
7698 ASSERT_TRUE(CompleteHandshakesForQUIC());
7699 ExpectReceivedTransportParamsEqual(client_.get(), kServerParams);
7700 ExpectReceivedTransportParamsEqual(server_.get(), kClientParams);
7701 }
7702
TEST_F(QUICMethodTest,QuicLegacyCodepointClientOnly)7703 TEST_F(QUICMethodTest, QuicLegacyCodepointClientOnly) {
7704 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7705 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7706 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7707
7708 ASSERT_TRUE(CreateClientAndServer());
7709 uint8_t kClientParams[] = {1, 2, 3, 4};
7710 uint8_t kServerParams[] = {5, 6, 7};
7711 SSL_set_quic_use_legacy_codepoint(client_.get(), 1);
7712 SSL_set_quic_use_legacy_codepoint(server_.get(), 0);
7713 ASSERT_TRUE(SSL_set_quic_transport_params(client_.get(), kClientParams,
7714 sizeof(kClientParams)));
7715 ASSERT_TRUE(SSL_set_quic_transport_params(server_.get(), kServerParams,
7716 sizeof(kServerParams)));
7717
7718 ASSERT_TRUE(RunQUICHandshakesAndExpectError(ExpectedError::kServerError));
7719 }
7720
TEST_F(QUICMethodTest,QuicLegacyCodepointServerOnly)7721 TEST_F(QUICMethodTest, QuicLegacyCodepointServerOnly) {
7722 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7723 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7724 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7725
7726 ASSERT_TRUE(CreateClientAndServer());
7727 uint8_t kClientParams[] = {1, 2, 3, 4};
7728 uint8_t kServerParams[] = {5, 6, 7};
7729 SSL_set_quic_use_legacy_codepoint(client_.get(), 0);
7730 SSL_set_quic_use_legacy_codepoint(server_.get(), 1);
7731 ASSERT_TRUE(SSL_set_quic_transport_params(client_.get(), kClientParams,
7732 sizeof(kClientParams)));
7733 ASSERT_TRUE(SSL_set_quic_transport_params(server_.get(), kServerParams,
7734 sizeof(kServerParams)));
7735
7736 ASSERT_TRUE(RunQUICHandshakesAndExpectError(ExpectedError::kServerError));
7737 }
7738
7739 // Test that the default QUIC code point is consistent with
7740 // |TLSEXT_TYPE_quic_transport_parameters|. This test ensures we remember to
7741 // update the two values together.
TEST_F(QUICMethodTest,QuicCodePointDefault)7742 TEST_F(QUICMethodTest, QuicCodePointDefault) {
7743 const SSL_QUIC_METHOD quic_method = DefaultQUICMethod();
7744 ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
7745 ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
7746 SSL_CTX_set_select_certificate_cb(
7747 server_ctx_.get(),
7748 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
7749 const uint8_t *data;
7750 size_t len;
7751 if (!SSL_early_callback_ctx_extension_get(
7752 client_hello, TLSEXT_TYPE_quic_transport_parameters, &data,
7753 &len)) {
7754 ADD_FAILURE() << "Could not find quic_transport_parameters extension";
7755 return ssl_select_cert_error;
7756 }
7757 return ssl_select_cert_success;
7758 });
7759
7760 ASSERT_TRUE(CreateClientAndServer());
7761 ASSERT_TRUE(CompleteHandshakesForQUIC());
7762 }
7763
7764 extern "C" {
7765 int BORINGSSL_enum_c_type_test(void);
7766 }
7767
TEST(SSLTest,EnumTypes)7768 TEST(SSLTest, EnumTypes) {
7769 EXPECT_EQ(sizeof(int), sizeof(ssl_private_key_result_t));
7770 EXPECT_EQ(1, BORINGSSL_enum_c_type_test());
7771 }
7772
TEST_P(SSLVersionTest,DoubleSSLError)7773 TEST_P(SSLVersionTest, DoubleSSLError) {
7774 // Connect the inner SSL connections.
7775 ASSERT_TRUE(Connect());
7776
7777 // Make a pair of |BIO|s which wrap |client_| and |server_|.
7778 UniquePtr<BIO_METHOD> bio_method(BIO_meth_new(0, nullptr));
7779 ASSERT_TRUE(bio_method);
7780 ASSERT_TRUE(BIO_meth_set_read(
7781 bio_method.get(), [](BIO *bio, char *out, int len) -> int {
7782 SSL *ssl = static_cast<SSL *>(BIO_get_data(bio));
7783 int ret = SSL_read(ssl, out, len);
7784 int ssl_ret = SSL_get_error(ssl, ret);
7785 if (ssl_ret == SSL_ERROR_WANT_READ) {
7786 BIO_set_retry_read(bio);
7787 }
7788 return ret;
7789 }));
7790 ASSERT_TRUE(BIO_meth_set_write(
7791 bio_method.get(), [](BIO *bio, const char *in, int len) -> int {
7792 SSL *ssl = static_cast<SSL *>(BIO_get_data(bio));
7793 int ret = SSL_write(ssl, in, len);
7794 int ssl_ret = SSL_get_error(ssl, ret);
7795 if (ssl_ret == SSL_ERROR_WANT_WRITE) {
7796 BIO_set_retry_write(bio);
7797 }
7798 return ret;
7799 }));
7800 ASSERT_TRUE(BIO_meth_set_ctrl(
7801 bio_method.get(), [](BIO *bio, int cmd, long larg, void *parg) -> long {
7802 // |SSL| objects require |BIO_flush| support.
7803 if (cmd == BIO_CTRL_FLUSH) {
7804 return 1;
7805 }
7806 return 0;
7807 }));
7808
7809 UniquePtr<BIO> client_bio(BIO_new(bio_method.get()));
7810 ASSERT_TRUE(client_bio);
7811 BIO_set_data(client_bio.get(), client_.get());
7812 BIO_set_init(client_bio.get(), 1);
7813
7814 UniquePtr<BIO> server_bio(BIO_new(bio_method.get()));
7815 ASSERT_TRUE(server_bio);
7816 BIO_set_data(server_bio.get(), server_.get());
7817 BIO_set_init(server_bio.get(), 1);
7818
7819 // Wrap the inner connections in another layer of SSL.
7820 UniquePtr<SSL> client_outer(SSL_new(client_ctx_.get()));
7821 ASSERT_TRUE(client_outer);
7822 SSL_set_connect_state(client_outer.get());
7823 SSL_set_bio(client_outer.get(), client_bio.get(), client_bio.get());
7824 client_bio.release(); // |SSL_set_bio| takes ownership.
7825
7826 UniquePtr<SSL> server_outer(SSL_new(server_ctx_.get()));
7827 ASSERT_TRUE(server_outer);
7828 SSL_set_accept_state(server_outer.get());
7829 SSL_set_bio(server_outer.get(), server_bio.get(), server_bio.get());
7830 server_bio.release(); // |SSL_set_bio| takes ownership.
7831
7832 // Configure |client_outer| to reject the server certificate.
7833 SSL_set_custom_verify(
7834 client_outer.get(), SSL_VERIFY_PEER,
7835 [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
7836 return ssl_verify_invalid;
7837 });
7838
7839 for (;;) {
7840 int client_ret = SSL_do_handshake(client_outer.get());
7841 int client_err = SSL_get_error(client_outer.get(), client_ret);
7842 if (client_err != SSL_ERROR_WANT_READ &&
7843 client_err != SSL_ERROR_WANT_WRITE) {
7844 // The client handshake should terminate on a certificate verification
7845 // error.
7846 EXPECT_EQ(SSL_ERROR_SSL, client_err);
7847 EXPECT_TRUE(ErrorEquals(ERR_peek_error(), ERR_LIB_SSL,
7848 SSL_R_CERTIFICATE_VERIFY_FAILED));
7849 break;
7850 }
7851
7852 // Run the server handshake and continue.
7853 int server_ret = SSL_do_handshake(server_outer.get());
7854 int server_err = SSL_get_error(server_outer.get(), server_ret);
7855 ASSERT_TRUE(server_err == SSL_ERROR_NONE ||
7856 server_err == SSL_ERROR_WANT_READ ||
7857 server_err == SSL_ERROR_WANT_WRITE);
7858 }
7859 }
7860
TEST_P(SSLVersionTest,SameKeyResume)7861 TEST_P(SSLVersionTest, SameKeyResume) {
7862 uint8_t key[48];
7863 RAND_bytes(key, sizeof(key));
7864
7865 bssl::UniquePtr<SSL_CTX> server_ctx2 = CreateContext();
7866 ASSERT_TRUE(server_ctx2);
7867 ASSERT_TRUE(UseCertAndKey(server_ctx2.get()));
7868 ASSERT_TRUE(
7869 SSL_CTX_set_tlsext_ticket_keys(server_ctx_.get(), key, sizeof(key)));
7870 ASSERT_TRUE(
7871 SSL_CTX_set_tlsext_ticket_keys(server_ctx2.get(), key, sizeof(key)));
7872
7873 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
7874 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
7875 SSL_CTX_set_session_cache_mode(server_ctx2.get(), SSL_SESS_CACHE_BOTH);
7876
7877 // Establish a session for |server_ctx_|.
7878 bssl::UniquePtr<SSL_SESSION> session =
7879 CreateClientSession(client_ctx_.get(), server_ctx_.get());
7880 ASSERT_TRUE(session);
7881 ClientConfig config;
7882 config.session = session.get();
7883
7884 // Resuming with |server_ctx_| again works.
7885 bssl::UniquePtr<SSL> client, server;
7886 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
7887 server_ctx_.get(), config));
7888 EXPECT_TRUE(SSL_session_reused(client.get()));
7889 EXPECT_TRUE(SSL_session_reused(server.get()));
7890
7891 // Resuming with |server_ctx2| also works.
7892 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
7893 server_ctx2.get(), config));
7894 EXPECT_TRUE(SSL_session_reused(client.get()));
7895 EXPECT_TRUE(SSL_session_reused(server.get()));
7896 }
7897
TEST_P(SSLVersionTest,DifferentKeyNoResume)7898 TEST_P(SSLVersionTest, DifferentKeyNoResume) {
7899 uint8_t key1[48], key2[48];
7900 RAND_bytes(key1, sizeof(key1));
7901 RAND_bytes(key2, sizeof(key2));
7902
7903 bssl::UniquePtr<SSL_CTX> server_ctx2 = CreateContext();
7904 ASSERT_TRUE(server_ctx2);
7905 ASSERT_TRUE(UseCertAndKey(server_ctx2.get()));
7906 ASSERT_TRUE(
7907 SSL_CTX_set_tlsext_ticket_keys(server_ctx_.get(), key1, sizeof(key1)));
7908 ASSERT_TRUE(
7909 SSL_CTX_set_tlsext_ticket_keys(server_ctx2.get(), key2, sizeof(key2)));
7910
7911 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
7912 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
7913 SSL_CTX_set_session_cache_mode(server_ctx2.get(), SSL_SESS_CACHE_BOTH);
7914
7915 // Establish a session for |server_ctx_|.
7916 bssl::UniquePtr<SSL_SESSION> session =
7917 CreateClientSession(client_ctx_.get(), server_ctx_.get());
7918 ASSERT_TRUE(session);
7919 ClientConfig config;
7920 config.session = session.get();
7921
7922 // Resuming with |server_ctx_| again works.
7923 bssl::UniquePtr<SSL> client, server;
7924 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
7925 server_ctx_.get(), config));
7926 EXPECT_TRUE(SSL_session_reused(client.get()));
7927 EXPECT_TRUE(SSL_session_reused(server.get()));
7928
7929 // Resuming with |server_ctx2| does not work.
7930 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
7931 server_ctx2.get(), config));
7932 EXPECT_FALSE(SSL_session_reused(client.get()));
7933 EXPECT_FALSE(SSL_session_reused(server.get()));
7934 }
7935
TEST_P(SSLVersionTest,UnrelatedServerNoResume)7936 TEST_P(SSLVersionTest, UnrelatedServerNoResume) {
7937 bssl::UniquePtr<SSL_CTX> server_ctx2 = CreateContext();
7938 ASSERT_TRUE(server_ctx2);
7939 ASSERT_TRUE(UseCertAndKey(server_ctx2.get()));
7940
7941 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
7942 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
7943 SSL_CTX_set_session_cache_mode(server_ctx2.get(), SSL_SESS_CACHE_BOTH);
7944
7945 // Establish a session for |server_ctx_|.
7946 bssl::UniquePtr<SSL_SESSION> session =
7947 CreateClientSession(client_ctx_.get(), server_ctx_.get());
7948 ASSERT_TRUE(session);
7949 ClientConfig config;
7950 config.session = session.get();
7951
7952 // Resuming with |server_ctx_| again works.
7953 bssl::UniquePtr<SSL> client, server;
7954 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
7955 server_ctx_.get(), config));
7956 EXPECT_TRUE(SSL_session_reused(client.get()));
7957 EXPECT_TRUE(SSL_session_reused(server.get()));
7958
7959 // Resuming with |server_ctx2| does not work.
7960 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
7961 server_ctx2.get(), config));
7962 EXPECT_FALSE(SSL_session_reused(client.get()));
7963 EXPECT_FALSE(SSL_session_reused(server.get()));
7964 }
7965
SessionIDOf(const SSL * ssl)7966 Span<const uint8_t> SessionIDOf(const SSL* ssl) {
7967 const SSL_SESSION *session = SSL_get_session(ssl);
7968 unsigned len;
7969 const uint8_t *data = SSL_SESSION_get_id(session, &len);
7970 return MakeConstSpan(data, len);
7971 }
7972
TEST_P(SSLVersionTest,TicketSessionIDsMatch)7973 TEST_P(SSLVersionTest, TicketSessionIDsMatch) {
7974 // This checks that the session IDs at client and server match after a ticket
7975 // resumption. It's unclear whether this should be true, but Envoy depends
7976 // on it in their tests so this will give an early signal if we break it.
7977 SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
7978 SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
7979
7980 bssl::UniquePtr<SSL_SESSION> session =
7981 CreateClientSession(client_ctx_.get(), server_ctx_.get());
7982
7983 bssl::UniquePtr<SSL> client, server;
7984 ClientConfig config;
7985 config.session = session.get();
7986 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
7987 server_ctx_.get(), config));
7988 EXPECT_TRUE(SSL_session_reused(client.get()));
7989 EXPECT_TRUE(SSL_session_reused(server.get()));
7990
7991 EXPECT_EQ(Bytes(SessionIDOf(client.get())), Bytes(SessionIDOf(server.get())));
7992 }
7993
WriteHelloRequest(SSL * server)7994 static void WriteHelloRequest(SSL *server) {
7995 // This function assumes TLS 1.2 with ChaCha20-Poly1305.
7996 ASSERT_EQ(SSL_version(server), TLS1_2_VERSION);
7997 ASSERT_EQ(SSL_CIPHER_get_cipher_nid(SSL_get_current_cipher(server)),
7998 NID_chacha20_poly1305);
7999
8000 // Encrypt a HelloRequest.
8001 uint8_t in[] = {SSL3_MT_HELLO_REQUEST, 0, 0, 0};
8002 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
8003 // Fuzzer-mode records are unencrypted.
8004 uint8_t record[5 + sizeof(in)];
8005 record[0] = SSL3_RT_HANDSHAKE;
8006 record[1] = 3;
8007 record[2] = 3; // TLS 1.2
8008 record[3] = 0;
8009 record[4] = sizeof(record) - 5;
8010 memcpy(record + 5, in, sizeof(in));
8011 #else
8012 // Extract key material from |server|.
8013 static const size_t kKeyLen = 32;
8014 static const size_t kNonceLen = 12;
8015 ASSERT_EQ(2u * (kKeyLen + kNonceLen), SSL_get_key_block_len(server));
8016 uint8_t key_block[2u * (kKeyLen + kNonceLen)];
8017 ASSERT_TRUE(SSL_generate_key_block(server, key_block, sizeof(key_block)));
8018 Span<uint8_t> key = MakeSpan(key_block + kKeyLen, kKeyLen);
8019 Span<uint8_t> nonce =
8020 MakeSpan(key_block + kKeyLen + kKeyLen + kNonceLen, kNonceLen);
8021
8022 uint8_t ad[13];
8023 uint64_t seq = SSL_get_write_sequence(server);
8024 for (size_t i = 0; i < 8; i++) {
8025 // The nonce is XORed with the sequence number.
8026 nonce[11 - i] ^= uint8_t(seq);
8027 ad[7 - i] = uint8_t(seq);
8028 seq >>= 8;
8029 }
8030
8031 ad[8] = SSL3_RT_HANDSHAKE;
8032 ad[9] = 3;
8033 ad[10] = 3; // TLS 1.2
8034 ad[11] = 0;
8035 ad[12] = sizeof(in);
8036
8037 uint8_t record[5 + sizeof(in) + 16];
8038 record[0] = SSL3_RT_HANDSHAKE;
8039 record[1] = 3;
8040 record[2] = 3; // TLS 1.2
8041 record[3] = 0;
8042 record[4] = sizeof(record) - 5;
8043
8044 ScopedEVP_AEAD_CTX aead;
8045 ASSERT_TRUE(EVP_AEAD_CTX_init(aead.get(), EVP_aead_chacha20_poly1305(),
8046 key.data(), key.size(),
8047 EVP_AEAD_DEFAULT_TAG_LENGTH, nullptr));
8048 size_t len;
8049 ASSERT_TRUE(EVP_AEAD_CTX_seal(aead.get(), record + 5, &len,
8050 sizeof(record) - 5, nonce.data(), nonce.size(),
8051 in, sizeof(in), ad, sizeof(ad)));
8052 ASSERT_EQ(sizeof(record) - 5, len);
8053 #endif // BORINGSSL_UNSAFE_FUZZER_MODE
8054
8055 ASSERT_EQ(int(sizeof(record)),
8056 BIO_write(SSL_get_wbio(server), record, sizeof(record)));
8057 }
8058
TEST(SSLTest,WriteWhileExplicitRenegotiate)8059 TEST(SSLTest, WriteWhileExplicitRenegotiate) {
8060 bssl::UniquePtr<SSL_CTX> ctx(CreateContextWithTestCertificate(TLS_method()));
8061 ASSERT_TRUE(ctx);
8062
8063 ASSERT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_2_VERSION));
8064 ASSERT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_2_VERSION));
8065 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(
8066 ctx.get(), "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"));
8067
8068 bssl::UniquePtr<SSL> client, server;
8069 ASSERT_TRUE(CreateClientAndServer(&client, &server, ctx.get(), ctx.get()));
8070 SSL_set_renegotiate_mode(client.get(), ssl_renegotiate_explicit);
8071 ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
8072
8073 static const uint8_t kInput[] = {'h', 'e', 'l', 'l', 'o'};
8074
8075 // Write "hello" until the buffer is full, so |client| has a pending write.
8076 size_t num_writes = 0;
8077 for (;;) {
8078 int ret = SSL_write(client.get(), kInput, sizeof(kInput));
8079 if (ret != int(sizeof(kInput))) {
8080 ASSERT_EQ(-1, ret);
8081 ASSERT_EQ(SSL_ERROR_WANT_WRITE, SSL_get_error(client.get(), ret));
8082 break;
8083 }
8084 num_writes++;
8085 }
8086
8087 ASSERT_NO_FATAL_FAILURE(WriteHelloRequest(server.get()));
8088
8089 // |SSL_read| should pick up the HelloRequest.
8090 uint8_t byte;
8091 ASSERT_EQ(-1, SSL_read(client.get(), &byte, 1));
8092 ASSERT_EQ(SSL_ERROR_WANT_RENEGOTIATE, SSL_get_error(client.get(), -1));
8093
8094 // Drain the data from the |client|.
8095 uint8_t buf[sizeof(kInput)];
8096 for (size_t i = 0; i < num_writes; i++) {
8097 ASSERT_EQ(int(sizeof(buf)), SSL_read(server.get(), buf, sizeof(buf)));
8098 EXPECT_EQ(Bytes(buf), Bytes(kInput));
8099 }
8100
8101 // |client| should be able to finish the pending write and continue to write,
8102 // despite the paused HelloRequest.
8103 ASSERT_EQ(int(sizeof(kInput)),
8104 SSL_write(client.get(), kInput, sizeof(kInput)));
8105 ASSERT_EQ(int(sizeof(buf)), SSL_read(server.get(), buf, sizeof(buf)));
8106 EXPECT_EQ(Bytes(buf), Bytes(kInput));
8107
8108 ASSERT_EQ(int(sizeof(kInput)),
8109 SSL_write(client.get(), kInput, sizeof(kInput)));
8110 ASSERT_EQ(int(sizeof(buf)), SSL_read(server.get(), buf, sizeof(buf)));
8111 EXPECT_EQ(Bytes(buf), Bytes(kInput));
8112
8113 // |SSL_read| is stuck until we acknowledge the HelloRequest.
8114 ASSERT_EQ(-1, SSL_read(client.get(), &byte, 1));
8115 ASSERT_EQ(SSL_ERROR_WANT_RENEGOTIATE, SSL_get_error(client.get(), -1));
8116
8117 ASSERT_TRUE(SSL_renegotiate(client.get()));
8118 ASSERT_EQ(-1, SSL_read(client.get(), &byte, 1));
8119 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(client.get(), -1));
8120
8121 // We never renegotiate as a server.
8122 ASSERT_EQ(-1, SSL_read(server.get(), buf, sizeof(buf)));
8123 ASSERT_EQ(SSL_ERROR_SSL, SSL_get_error(server.get(), -1));
8124 EXPECT_TRUE(
8125 ErrorEquals(ERR_get_error(), ERR_LIB_SSL, SSL_R_NO_RENEGOTIATION));
8126 }
8127
TEST(SSLTest,ConnectionPropertiesDuringRenegotiate)8128 TEST(SSLTest, ConnectionPropertiesDuringRenegotiate) {
8129 // Configure known connection properties, so we can check against them.
8130 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
8131 ASSERT_TRUE(ctx);
8132 bssl::UniquePtr<X509> cert = GetTestCertificate();
8133 ASSERT_TRUE(cert);
8134 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
8135 ASSERT_TRUE(key);
8136 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), cert.get()));
8137 ASSERT_TRUE(SSL_CTX_use_PrivateKey(ctx.get(), key.get()));
8138 ASSERT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_2_VERSION));
8139 ASSERT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_2_VERSION));
8140 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(
8141 ctx.get(), "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"));
8142 ASSERT_TRUE(SSL_CTX_set1_groups_list(ctx.get(), "X25519"));
8143 ASSERT_TRUE(SSL_CTX_set1_sigalgs_list(ctx.get(), "rsa_pkcs1_sha256"));
8144
8145 // Connect a client and server that accept renegotiation.
8146 bssl::UniquePtr<SSL> client, server;
8147 ASSERT_TRUE(CreateClientAndServer(&client, &server, ctx.get(), ctx.get()));
8148 SSL_set_renegotiate_mode(client.get(), ssl_renegotiate_freely);
8149 ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
8150
8151 auto check_properties = [&] {
8152 EXPECT_EQ(SSL_version(client.get()), TLS1_2_VERSION);
8153 const SSL_CIPHER *cipher = SSL_get_current_cipher(client.get());
8154 ASSERT_TRUE(cipher);
8155 EXPECT_EQ(SSL_CIPHER_get_id(cipher),
8156 uint32_t{TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256});
8157 EXPECT_EQ(SSL_get_group_id(client.get()), SSL_GROUP_X25519);
8158 EXPECT_EQ(SSL_get_negotiated_group(client.get()), NID_X25519);
8159 EXPECT_EQ(SSL_get_peer_signature_algorithm(client.get()),
8160 SSL_SIGN_RSA_PKCS1_SHA256);
8161 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(client.get()));
8162 ASSERT_TRUE(peer);
8163 EXPECT_EQ(X509_cmp(cert.get(), peer.get()), 0);
8164 };
8165 check_properties();
8166
8167 // The server sends a HelloRequest.
8168 ASSERT_NO_FATAL_FAILURE(WriteHelloRequest(server.get()));
8169
8170 // Reading from the client will consume the HelloRequest, start a
8171 // renegotiation, and then block on a ServerHello from the server.
8172 uint8_t byte;
8173 ASSERT_EQ(-1, SSL_read(client.get(), &byte, 1));
8174 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(client.get(), -1));
8175
8176 // Connection properties should continue to report values from the original
8177 // handshake.
8178 check_properties();
8179 }
8180
TEST(SSLTest,CopyWithoutEarlyData)8181 TEST(SSLTest, CopyWithoutEarlyData) {
8182 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
8183 bssl::UniquePtr<SSL_CTX> server_ctx(
8184 CreateContextWithTestCertificate(TLS_method()));
8185 ASSERT_TRUE(client_ctx);
8186 ASSERT_TRUE(server_ctx);
8187
8188 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
8189 SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH);
8190 SSL_CTX_set_early_data_enabled(client_ctx.get(), 1);
8191 SSL_CTX_set_early_data_enabled(server_ctx.get(), 1);
8192
8193 bssl::UniquePtr<SSL_SESSION> session =
8194 CreateClientSession(client_ctx.get(), server_ctx.get());
8195 ASSERT_TRUE(session);
8196
8197 // The client should attempt early data with |session|.
8198 bssl::UniquePtr<SSL> client, server;
8199 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
8200 server_ctx.get()));
8201 SSL_set_session(client.get(), session.get());
8202 SSL_set_early_data_enabled(client.get(), 1);
8203 ASSERT_EQ(1, SSL_do_handshake(client.get()));
8204 EXPECT_TRUE(SSL_in_early_data(client.get()));
8205
8206 // |SSL_SESSION_copy_without_early_data| should disable early data but
8207 // still resume the session.
8208 bssl::UniquePtr<SSL_SESSION> session2(
8209 SSL_SESSION_copy_without_early_data(session.get()));
8210 ASSERT_TRUE(session2);
8211 EXPECT_NE(session.get(), session2.get());
8212 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
8213 server_ctx.get()));
8214 SSL_set_session(client.get(), session2.get());
8215 SSL_set_early_data_enabled(client.get(), 1);
8216 EXPECT_TRUE(CompleteHandshakes(client.get(), server.get()));
8217 EXPECT_TRUE(SSL_session_reused(client.get()));
8218 EXPECT_EQ(ssl_early_data_unsupported_for_session,
8219 SSL_get_early_data_reason(client.get()));
8220
8221 // |SSL_SESSION_copy_without_early_data| should be a reference count increase
8222 // when passed an early-data-incapable session.
8223 bssl::UniquePtr<SSL_SESSION> session3(
8224 SSL_SESSION_copy_without_early_data(session2.get()));
8225 EXPECT_EQ(session2.get(), session3.get());
8226 }
8227
TEST(SSLTest,ProcessTLS13NewSessionTicket)8228 TEST(SSLTest, ProcessTLS13NewSessionTicket) {
8229 // Configure client and server to negotiate TLS 1.3 only.
8230 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
8231 bssl::UniquePtr<SSL_CTX> server_ctx(
8232 CreateContextWithTestCertificate(TLS_method()));
8233 ASSERT_TRUE(client_ctx);
8234 ASSERT_TRUE(server_ctx);
8235 ASSERT_TRUE(SSL_CTX_set_min_proto_version(client_ctx.get(), TLS1_3_VERSION));
8236 ASSERT_TRUE(SSL_CTX_set_min_proto_version(server_ctx.get(), TLS1_3_VERSION));
8237 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION));
8238 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
8239
8240 bssl::UniquePtr<SSL> client, server;
8241 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
8242 server_ctx.get()));
8243 EXPECT_EQ(TLS1_3_VERSION, SSL_version(client.get()));
8244
8245 // Process a TLS 1.3 NewSessionTicket.
8246 static const uint8_t kTicket[] = {
8247 0x04, 0x00, 0x00, 0xb2, 0x00, 0x02, 0xa3, 0x00, 0x04, 0x03, 0x02, 0x01,
8248 0x01, 0x00, 0x00, 0xa0, 0x01, 0x06, 0x09, 0x11, 0x16, 0x19, 0x21, 0x26,
8249 0x29, 0x31, 0x36, 0x39, 0x41, 0x46, 0x49, 0x51, 0x03, 0x06, 0x09, 0x13,
8250 0x16, 0x19, 0x23, 0x26, 0x29, 0x33, 0x36, 0x39, 0x43, 0x46, 0x49, 0x53,
8251 0xf7, 0x00, 0x29, 0xec, 0xf2, 0xc4, 0xa4, 0x41, 0xfc, 0x30, 0x17, 0x2e,
8252 0x9f, 0x7c, 0xa8, 0xaf, 0x75, 0x70, 0xf0, 0x1f, 0xc7, 0x98, 0xf7, 0xcf,
8253 0x5a, 0x5a, 0x6b, 0x5b, 0xfe, 0xf1, 0xe7, 0x3a, 0xe8, 0xf7, 0x6c, 0xd2,
8254 0xa8, 0xa6, 0x92, 0x5b, 0x96, 0x8d, 0xde, 0xdb, 0xd3, 0x20, 0x6a, 0xcb,
8255 0x69, 0x06, 0xf4, 0x91, 0x85, 0x2e, 0xe6, 0x5e, 0x0c, 0x59, 0xf2, 0x9e,
8256 0x9b, 0x79, 0x91, 0x24, 0x7e, 0x4a, 0x32, 0x3d, 0xbe, 0x4b, 0x80, 0x70,
8257 0xaf, 0xd0, 0x1d, 0xe2, 0xca, 0x05, 0x35, 0x09, 0x09, 0x05, 0x0f, 0xbb,
8258 0xc4, 0xae, 0xd7, 0xc4, 0xed, 0xd7, 0xae, 0x35, 0xc8, 0x73, 0x63, 0x78,
8259 0x64, 0xc9, 0x7a, 0x1f, 0xed, 0x7a, 0x9a, 0x47, 0x44, 0xfd, 0x50, 0xf7,
8260 0xb7, 0xe0, 0x64, 0xa9, 0x02, 0xc1, 0x5c, 0x23, 0x18, 0x3f, 0xc4, 0xcf,
8261 0x72, 0x02, 0x59, 0x2d, 0xe1, 0xaa, 0x61, 0x72, 0x00, 0x04, 0x5a, 0x5a,
8262 0x00, 0x00,
8263 };
8264 bssl::UniquePtr<SSL_SESSION> session(SSL_process_tls13_new_session_ticket(
8265 client.get(), kTicket, sizeof(kTicket)));
8266 ASSERT_TRUE(session);
8267 ASSERT_TRUE(SSL_SESSION_has_ticket(session.get()));
8268
8269 uint8_t *session_buf = nullptr;
8270 size_t session_length = 0;
8271 ASSERT_TRUE(
8272 SSL_SESSION_to_bytes(session.get(), &session_buf, &session_length));
8273 bssl::UniquePtr<uint8_t> session_buf_free(session_buf);
8274 ASSERT_TRUE(session_buf);
8275 ASSERT_GT(session_length, 0u);
8276
8277 // Servers cannot call |SSL_process_tls13_new_session_ticket|.
8278 ASSERT_FALSE(SSL_process_tls13_new_session_ticket(server.get(), kTicket,
8279 sizeof(kTicket)));
8280
8281 // Clients cannot call |SSL_process_tls13_new_session_ticket| before the
8282 // handshake completes.
8283 bssl::UniquePtr<SSL> client2(SSL_new(client_ctx.get()));
8284 ASSERT_TRUE(client2);
8285 SSL_set_connect_state(client2.get());
8286 ASSERT_FALSE(SSL_process_tls13_new_session_ticket(client2.get(), kTicket,
8287 sizeof(kTicket)));
8288 }
8289
TEST(SSLTest,BIO)8290 TEST(SSLTest, BIO) {
8291 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
8292 bssl::UniquePtr<SSL_CTX> server_ctx(
8293 CreateContextWithTestCertificate(TLS_method()));
8294 ASSERT_TRUE(client_ctx);
8295 ASSERT_TRUE(server_ctx);
8296
8297 for (bool take_ownership : {true, false}) {
8298 // For simplicity, get the handshake out of the way first.
8299 bssl::UniquePtr<SSL> client, server;
8300 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
8301 server_ctx.get()));
8302
8303 // Wrap |client| in an SSL BIO.
8304 bssl::UniquePtr<BIO> client_bio(BIO_new(BIO_f_ssl()));
8305 ASSERT_TRUE(client_bio);
8306 ASSERT_EQ(1, BIO_set_ssl(client_bio.get(), client.get(), take_ownership));
8307 if (take_ownership) {
8308 client.release();
8309 }
8310
8311 // Flushing the BIO should not crash.
8312 EXPECT_EQ(1, BIO_flush(client_bio.get()));
8313
8314 // Exchange some data.
8315 EXPECT_EQ(5, BIO_write(client_bio.get(), "hello", 5));
8316 uint8_t buf[5];
8317 ASSERT_EQ(5, SSL_read(server.get(), buf, sizeof(buf)));
8318 EXPECT_EQ(Bytes("hello"), Bytes(buf));
8319
8320 EXPECT_EQ(5, SSL_write(server.get(), "world", 5));
8321 ASSERT_EQ(5, BIO_read(client_bio.get(), buf, sizeof(buf)));
8322 EXPECT_EQ(Bytes("world"), Bytes(buf));
8323
8324 // |BIO_should_read| should work.
8325 EXPECT_EQ(-1, BIO_read(client_bio.get(), buf, sizeof(buf)));
8326 EXPECT_TRUE(BIO_should_read(client_bio.get()));
8327
8328 // Writing data should eventually exceed the buffer size and fail, reporting
8329 // |BIO_should_write|.
8330 int ret;
8331 for (int i = 0; i < 1024; i++) {
8332 const uint8_t kZeros[1024] = {0};
8333 ret = BIO_write(client_bio.get(), kZeros, sizeof(kZeros));
8334 if (ret <= 0) {
8335 break;
8336 }
8337 }
8338 EXPECT_EQ(-1, ret);
8339 EXPECT_TRUE(BIO_should_write(client_bio.get()));
8340 }
8341 }
8342
TEST(SSLTest,ALPNConfig)8343 TEST(SSLTest, ALPNConfig) {
8344 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
8345 ASSERT_TRUE(ctx);
8346 bssl::UniquePtr<X509> cert = GetTestCertificate();
8347 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
8348 ASSERT_TRUE(cert);
8349 ASSERT_TRUE(key);
8350 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), cert.get()));
8351 ASSERT_TRUE(SSL_CTX_use_PrivateKey(ctx.get(), key.get()));
8352
8353 // Set up some machinery to check the configured ALPN against what is actually
8354 // sent over the wire. Note that the ALPN callback is only called when the
8355 // client offers ALPN.
8356 std::vector<uint8_t> observed_alpn;
8357 SSL_CTX_set_alpn_select_cb(
8358 ctx.get(),
8359 [](SSL *ssl, const uint8_t **out, uint8_t *out_len, const uint8_t *in,
8360 unsigned in_len, void *arg) -> int {
8361 std::vector<uint8_t> *observed_alpn_ptr =
8362 static_cast<std::vector<uint8_t> *>(arg);
8363 observed_alpn_ptr->assign(in, in + in_len);
8364 return SSL_TLSEXT_ERR_NOACK;
8365 },
8366 &observed_alpn);
8367 auto check_alpn_proto = [&](Span<const uint8_t> expected) {
8368 observed_alpn.clear();
8369 bssl::UniquePtr<SSL> client, server;
8370 ASSERT_TRUE(ConnectClientAndServer(&client, &server, ctx.get(), ctx.get()));
8371 EXPECT_EQ(Bytes(expected), Bytes(observed_alpn));
8372 };
8373
8374 // Note that |SSL_CTX_set_alpn_protos|'s return value is reversed.
8375 static const uint8_t kValidList[] = {0x03, 'f', 'o', 'o',
8376 0x03, 'b', 'a', 'r'};
8377 EXPECT_EQ(0,
8378 SSL_CTX_set_alpn_protos(ctx.get(), kValidList, sizeof(kValidList)));
8379 check_alpn_proto(kValidList);
8380
8381 // Invalid lists are rejected.
8382 static const uint8_t kInvalidList[] = {0x04, 'f', 'o', 'o'};
8383 EXPECT_EQ(1, SSL_CTX_set_alpn_protos(ctx.get(), kInvalidList,
8384 sizeof(kInvalidList)));
8385
8386 // Empty lists are valid and are interpreted as disabling ALPN.
8387 EXPECT_EQ(0, SSL_CTX_set_alpn_protos(ctx.get(), nullptr, 0));
8388 check_alpn_proto({});
8389 }
8390
8391 // This is a basic unit-test class to verify completing handshake successfully,
8392 // sending the correct codepoint extension and having correct application
8393 // setting on different combination of ALPS codepoint settings. More integration
8394 // tests on runner.go.
8395 class AlpsNewCodepointTest : public testing::Test {
8396 protected:
SetUp()8397 void SetUp() override {
8398 client_ctx_.reset(SSL_CTX_new(TLS_method()));
8399 server_ctx_ = CreateContextWithTestCertificate(TLS_method());
8400 ASSERT_TRUE(client_ctx_);
8401 ASSERT_TRUE(server_ctx_);
8402 }
8403
SetUpApplicationSetting()8404 void SetUpApplicationSetting() {
8405 static const uint8_t alpn[] = {0x03, 'f', 'o', 'o'};
8406 static const uint8_t proto[] = {'f', 'o', 'o'};
8407 static const uint8_t alps[] = {0x04, 'a', 'l', 'p', 's'};
8408 // SSL_set_alpn_protos's return value is backwards. It returns zero on
8409 // success and one on failure.
8410 ASSERT_FALSE(SSL_set_alpn_protos(client_.get(), alpn, sizeof(alpn)));
8411 SSL_CTX_set_alpn_select_cb(
8412 server_ctx_.get(),
8413 [](SSL *ssl, const uint8_t **out, uint8_t *out_len, const uint8_t *in,
8414 unsigned in_len, void *arg) -> int {
8415 return SSL_select_next_proto(
8416 const_cast<uint8_t **>(out), out_len, in, in_len,
8417 alpn, sizeof(alpn)) == OPENSSL_NPN_NEGOTIATED
8418 ? SSL_TLSEXT_ERR_OK
8419 : SSL_TLSEXT_ERR_NOACK;
8420 },
8421 nullptr);
8422 ASSERT_TRUE(SSL_add_application_settings(client_.get(), proto,
8423 sizeof(proto), nullptr, 0));
8424 ASSERT_TRUE(SSL_add_application_settings(server_.get(), proto,
8425 sizeof(proto), alps, sizeof(alps)));
8426 }
8427
8428 bssl::UniquePtr<SSL_CTX> client_ctx_;
8429 bssl::UniquePtr<SSL_CTX> server_ctx_;
8430
8431 bssl::UniquePtr<SSL> client_;
8432 bssl::UniquePtr<SSL> server_;
8433 };
8434
TEST_F(AlpsNewCodepointTest,Enabled)8435 TEST_F(AlpsNewCodepointTest, Enabled) {
8436 SetUpExpectedNewCodePoint(server_ctx_.get());
8437
8438 ASSERT_TRUE(CreateClientAndServer(&client_, &server_, client_ctx_.get(),
8439 server_ctx_.get()));
8440
8441 SSL_set_alps_use_new_codepoint(client_.get(), 1);
8442 SSL_set_alps_use_new_codepoint(server_.get(), 1);
8443
8444 SetUpApplicationSetting();
8445 ASSERT_TRUE(CompleteHandshakes(client_.get(), server_.get()));
8446 ASSERT_TRUE(SSL_has_application_settings(client_.get()));
8447 }
8448
TEST_F(AlpsNewCodepointTest,Disabled)8449 TEST_F(AlpsNewCodepointTest, Disabled) {
8450 // Both client and server disable alps new codepoint.
8451 SetUpExpectedOldCodePoint(server_ctx_.get());
8452
8453 ASSERT_TRUE(CreateClientAndServer(&client_, &server_, client_ctx_.get(),
8454 server_ctx_.get()));
8455
8456 SSL_set_alps_use_new_codepoint(client_.get(), 0);
8457 SSL_set_alps_use_new_codepoint(server_.get(), 0);
8458
8459 SetUpApplicationSetting();
8460 ASSERT_TRUE(CompleteHandshakes(client_.get(), server_.get()));
8461 ASSERT_TRUE(SSL_has_application_settings(client_.get()));
8462 }
8463
TEST_F(AlpsNewCodepointTest,ClientOnly)8464 TEST_F(AlpsNewCodepointTest, ClientOnly) {
8465 // If client set new codepoint but server doesn't set, server ignores it.
8466 SetUpExpectedNewCodePoint(server_ctx_.get());
8467
8468 ASSERT_TRUE(CreateClientAndServer(&client_, &server_, client_ctx_.get(),
8469 server_ctx_.get()));
8470
8471 SSL_set_alps_use_new_codepoint(client_.get(), 1);
8472 SSL_set_alps_use_new_codepoint(server_.get(), 0);
8473
8474 SetUpApplicationSetting();
8475 ASSERT_TRUE(CompleteHandshakes(client_.get(), server_.get()));
8476 ASSERT_FALSE(SSL_has_application_settings(client_.get()));
8477 }
8478
TEST_F(AlpsNewCodepointTest,ServerOnly)8479 TEST_F(AlpsNewCodepointTest, ServerOnly) {
8480 // If client doesn't set new codepoint, while server set.
8481 SetUpExpectedOldCodePoint(server_ctx_.get());
8482
8483 ASSERT_TRUE(CreateClientAndServer(&client_, &server_, client_ctx_.get(),
8484 server_ctx_.get()));
8485
8486 SSL_set_alps_use_new_codepoint(client_.get(), 0);
8487 SSL_set_alps_use_new_codepoint(server_.get(), 1);
8488
8489 SetUpApplicationSetting();
8490 ASSERT_TRUE(CompleteHandshakes(client_.get(), server_.get()));
8491 ASSERT_FALSE(SSL_has_application_settings(client_.get()));
8492 }
8493
8494 // Test that the key usage checker can correctly handle issuerUID and
8495 // subjectUID. See https://crbug.com/1199744.
TEST(SSLTest,KeyUsageWithUIDs)8496 TEST(SSLTest, KeyUsageWithUIDs) {
8497 static const char kGoodKeyUsage[] = R"(
8498 -----BEGIN CERTIFICATE-----
8499 MIIB7DCCAZOgAwIBAgIJANlMBNpJfb/rMAoGCCqGSM49BAMCMEUxCzAJBgNVBAYT
8500 AkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRn
8501 aXRzIFB0eSBMdGQwHhcNMTQwNDIzMjMyMTU3WhcNMTQwNTIzMjMyMTU3WjBFMQsw
8502 CQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJu
8503 ZXQgV2lkZ2l0cyBQdHkgTHRkMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE5itp
8504 4r9ln5e+Lx4NlIpM1Zdrt6keDUb73ampHp3culoB59aXqAoY+cPEox5W4nyDSNsW
8505 Ghz1HX7xlC1Lz3IiwYEEABI0VoIEABI0VqNgMF4wHQYDVR0OBBYEFKuE0qyrlfCC
8506 ThZ4B1VXX+QmjYLRMB8GA1UdIwQYMBaAFKuE0qyrlfCCThZ4B1VXX+QmjYLRMA4G
8507 A1UdDwEB/wQEAwIHgDAMBgNVHRMEBTADAQH/MAoGCCqGSM49BAMCA0cAMEQCIEWJ
8508 34EcqW5MHwLIA1hZ2Tj/jV2QjN02KLxis9mFsqDKAiAMlMTkzsM51vVs9Ohqa+Rc
8509 4Z7qDhjIhiF4dM0uEDYRVA==
8510 -----END CERTIFICATE-----
8511 )";
8512 static const char kBadKeyUsage[] = R"(
8513 -----BEGIN CERTIFICATE-----
8514 MIIB7jCCAZOgAwIBAgIJANlMBNpJfb/rMAoGCCqGSM49BAMCMEUxCzAJBgNVBAYT
8515 AkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRn
8516 aXRzIFB0eSBMdGQwHhcNMTQwNDIzMjMyMTU3WhcNMTQwNTIzMjMyMTU3WjBFMQsw
8517 CQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJu
8518 ZXQgV2lkZ2l0cyBQdHkgTHRkMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE5itp
8519 4r9ln5e+Lx4NlIpM1Zdrt6keDUb73ampHp3culoB59aXqAoY+cPEox5W4nyDSNsW
8520 Ghz1HX7xlC1Lz3IiwYEEABI0VoIEABI0VqNgMF4wHQYDVR0OBBYEFKuE0qyrlfCC
8521 ThZ4B1VXX+QmjYLRMB8GA1UdIwQYMBaAFKuE0qyrlfCCThZ4B1VXX+QmjYLRMA4G
8522 A1UdDwEB/wQEAwIDCDAMBgNVHRMEBTADAQH/MAoGCCqGSM49BAMCA0kAMEYCIQC6
8523 taYBUDu2gcZC6EMk79FBHArYI0ucF+kzvETegZCbBAIhANtObFec5gtso/47moPD
8524 RHrQbWsFUakETXL9QMlegh5t
8525 -----END CERTIFICATE-----
8526 )";
8527
8528 bssl::UniquePtr<X509> good = CertFromPEM(kGoodKeyUsage);
8529 ASSERT_TRUE(good);
8530 bssl::UniquePtr<X509> bad = CertFromPEM(kBadKeyUsage);
8531 ASSERT_TRUE(bad);
8532
8533 // We check key usage when configuring EC certificates to distinguish ECDSA
8534 // and ECDH.
8535 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
8536 ASSERT_TRUE(ctx);
8537 EXPECT_TRUE(SSL_CTX_use_certificate(ctx.get(), good.get()));
8538 EXPECT_FALSE(SSL_CTX_use_certificate(ctx.get(), bad.get()));
8539 }
8540
8541 // Test that |SSL_can_release_private_key| reports true as early as expected.
8542 // The internal asserts in the library check we do not report true too early.
TEST(SSLTest,CanReleasePrivateKey)8543 TEST(SSLTest, CanReleasePrivateKey) {
8544 bssl::UniquePtr<SSL_CTX> client_ctx =
8545 CreateContextWithTestCertificate(TLS_method());
8546 ASSERT_TRUE(client_ctx);
8547 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
8548
8549 // Note this assumes the transport buffer is large enough to fit the client
8550 // and server first flights. We check this with |SSL_ERROR_WANT_READ|. If the
8551 // transport buffer was too small it would return |SSL_ERROR_WANT_WRITE|.
8552 auto check_first_server_round_trip = [&](SSL *client, SSL *server) {
8553 // Write the ClientHello.
8554 ASSERT_EQ(-1, SSL_do_handshake(client));
8555 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(client, -1));
8556
8557 // Consume the ClientHello and write the server flight.
8558 ASSERT_EQ(-1, SSL_do_handshake(server));
8559 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(server, -1));
8560
8561 EXPECT_TRUE(SSL_can_release_private_key(server));
8562 };
8563
8564 {
8565 SCOPED_TRACE("TLS 1.2 ECDHE");
8566 bssl::UniquePtr<SSL_CTX> server_ctx(
8567 CreateContextWithTestCertificate(TLS_method()));
8568 ASSERT_TRUE(server_ctx);
8569 ASSERT_TRUE(
8570 SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_2_VERSION));
8571 ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(
8572 server_ctx.get(), "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"));
8573 // Configure the server to request client certificates, so we can also test
8574 // the client half.
8575 SSL_CTX_set_custom_verify(
8576 server_ctx.get(), SSL_VERIFY_PEER,
8577 [](SSL *ssl, uint8_t *out_alert) { return ssl_verify_ok; });
8578 bssl::UniquePtr<SSL> client, server;
8579 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
8580 server_ctx.get()));
8581 check_first_server_round_trip(client.get(), server.get());
8582
8583 // Consume the server flight and write the client response. The client still
8584 // has a Finished message to consume but can also release its key early.
8585 ASSERT_EQ(-1, SSL_do_handshake(client.get()));
8586 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(client.get(), -1));
8587 EXPECT_TRUE(SSL_can_release_private_key(client.get()));
8588
8589 // However, a client that has not disabled renegotiation can never release
8590 // the key.
8591 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
8592 server_ctx.get()));
8593 SSL_set_renegotiate_mode(client.get(), ssl_renegotiate_freely);
8594 check_first_server_round_trip(client.get(), server.get());
8595 ASSERT_EQ(-1, SSL_do_handshake(client.get()));
8596 ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(client.get(), -1));
8597 EXPECT_FALSE(SSL_can_release_private_key(client.get()));
8598 }
8599
8600 {
8601 SCOPED_TRACE("TLS 1.2 resumption");
8602 bssl::UniquePtr<SSL_CTX> server_ctx(
8603 CreateContextWithTestCertificate(TLS_method()));
8604 ASSERT_TRUE(server_ctx);
8605 ASSERT_TRUE(
8606 SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_2_VERSION));
8607 bssl::UniquePtr<SSL_SESSION> session =
8608 CreateClientSession(client_ctx.get(), server_ctx.get());
8609 ASSERT_TRUE(session);
8610 bssl::UniquePtr<SSL> client, server;
8611 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
8612 server_ctx.get()));
8613 SSL_set_session(client.get(), session.get());
8614 check_first_server_round_trip(client.get(), server.get());
8615 }
8616
8617 {
8618 SCOPED_TRACE("TLS 1.3 1-RTT");
8619 bssl::UniquePtr<SSL_CTX> server_ctx(
8620 CreateContextWithTestCertificate(TLS_method()));
8621 ASSERT_TRUE(server_ctx);
8622 ASSERT_TRUE(
8623 SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
8624 bssl::UniquePtr<SSL> client, server;
8625 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
8626 server_ctx.get()));
8627 check_first_server_round_trip(client.get(), server.get());
8628 }
8629
8630 {
8631 SCOPED_TRACE("TLS 1.3 resumption");
8632 bssl::UniquePtr<SSL_CTX> server_ctx(
8633 CreateContextWithTestCertificate(TLS_method()));
8634 ASSERT_TRUE(server_ctx);
8635 ASSERT_TRUE(
8636 SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
8637 bssl::UniquePtr<SSL_SESSION> session =
8638 CreateClientSession(client_ctx.get(), server_ctx.get());
8639 ASSERT_TRUE(session);
8640 bssl::UniquePtr<SSL> client, server;
8641 ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
8642 server_ctx.get()));
8643 SSL_set_session(client.get(), session.get());
8644 check_first_server_round_trip(client.get(), server.get());
8645 }
8646 }
8647
8648 // GetExtensionOrder sets |*out| to the list of extensions a client attached to
8649 // |ctx| will send in the ClientHello. If |ech_keys| is non-null, the client
8650 // will offer ECH with the public component. If |decrypt_ech| is true, |*out|
8651 // will be set to the ClientHelloInner's extensions, rather than
8652 // ClientHelloOuter.
GetExtensionOrder(SSL_CTX * client_ctx,std::vector<uint16_t> * out,SSL_ECH_KEYS * ech_keys,bool decrypt_ech)8653 static bool GetExtensionOrder(SSL_CTX *client_ctx, std::vector<uint16_t> *out,
8654 SSL_ECH_KEYS *ech_keys, bool decrypt_ech) {
8655 struct AppData {
8656 std::vector<uint16_t> *out;
8657 bool decrypt_ech;
8658 bool callback_done = false;
8659 };
8660 AppData app_data;
8661 app_data.out = out;
8662 app_data.decrypt_ech = decrypt_ech;
8663
8664 bssl::UniquePtr<SSL_CTX> server_ctx =
8665 CreateContextWithTestCertificate(TLS_method());
8666 if (!server_ctx || //
8667 !SSL_CTX_set_app_data(server_ctx.get(), &app_data) ||
8668 (decrypt_ech && !SSL_CTX_set1_ech_keys(server_ctx.get(), ech_keys))) {
8669 return false;
8670 }
8671
8672 // Configure the server to record the ClientHello extension order. We use a
8673 // server rather than |GetClientHello| so it can decrypt ClientHelloInner.
8674 SSL_CTX_set_select_certificate_cb(
8675 server_ctx.get(),
8676 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
8677 AppData *app_data_ptr = static_cast<AppData *>(
8678 SSL_CTX_get_app_data(SSL_get_SSL_CTX(client_hello->ssl)));
8679 EXPECT_EQ(app_data_ptr->decrypt_ech ? 1 : 0,
8680 SSL_ech_accepted(client_hello->ssl));
8681
8682 app_data_ptr->out->clear();
8683 CBS extensions;
8684 CBS_init(&extensions, client_hello->extensions,
8685 client_hello->extensions_len);
8686 while (CBS_len(&extensions)) {
8687 uint16_t type;
8688 CBS body;
8689 if (!CBS_get_u16(&extensions, &type) ||
8690 !CBS_get_u16_length_prefixed(&extensions, &body)) {
8691 return ssl_select_cert_error;
8692 }
8693 app_data_ptr->out->push_back(type);
8694 }
8695
8696 // Don't bother completing the handshake.
8697 app_data_ptr->callback_done = true;
8698 return ssl_select_cert_error;
8699 });
8700
8701 bssl::UniquePtr<SSL> client, server;
8702 if (!CreateClientAndServer(&client, &server, client_ctx, server_ctx.get()) ||
8703 (ech_keys != nullptr && !InstallECHConfigList(client.get(), ech_keys))) {
8704 return false;
8705 }
8706
8707 // Run the handshake far enough to process the ClientHello.
8708 SSL_do_handshake(client.get());
8709 SSL_do_handshake(server.get());
8710 return app_data.callback_done;
8711 }
8712
8713 // Test that, when extension permutation is enabled, the ClientHello extension
8714 // order changes, both with and without ECH, and in both ClientHelloInner and
8715 // ClientHelloOuter.
TEST(SSLTest,PermuteExtensions)8716 TEST(SSLTest, PermuteExtensions) {
8717 bssl::UniquePtr<SSL_ECH_KEYS> keys = MakeTestECHKeys();
8718 ASSERT_TRUE(keys);
8719 for (bool offer_ech : {false, true}) {
8720 SCOPED_TRACE(offer_ech);
8721 SSL_ECH_KEYS *maybe_keys = offer_ech ? keys.get() : nullptr;
8722 for (bool decrypt_ech : {false, true}) {
8723 SCOPED_TRACE(decrypt_ech);
8724 if (!offer_ech && decrypt_ech) {
8725 continue;
8726 }
8727
8728 // When extension permutation is disabled, the order should be consistent.
8729 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
8730 ASSERT_TRUE(ctx);
8731 std::vector<uint16_t> order1, order2;
8732 ASSERT_TRUE(
8733 GetExtensionOrder(ctx.get(), &order1, maybe_keys, decrypt_ech));
8734 ASSERT_TRUE(
8735 GetExtensionOrder(ctx.get(), &order2, maybe_keys, decrypt_ech));
8736 EXPECT_EQ(order1, order2);
8737
8738 ctx.reset(SSL_CTX_new(TLS_method()));
8739 ASSERT_TRUE(ctx);
8740 SSL_CTX_set_permute_extensions(ctx.get(), 1);
8741
8742 // When extension permutation is enabled, each ClientHello should have a
8743 // different order.
8744 //
8745 // This test is inherently flaky, so we run it multiple times. We send at
8746 // least five extensions by default from TLS 1.3: supported_versions,
8747 // key_share, supported_groups, psk_key_exchange_modes, and
8748 // signature_algorithms. That means the probability of a false negative is
8749 // at most 1/120. Repeating the test 14 times lowers false negative rate
8750 // to under 2^-96.
8751 ASSERT_TRUE(
8752 GetExtensionOrder(ctx.get(), &order1, maybe_keys, decrypt_ech));
8753 EXPECT_GE(order1.size(), 5u);
8754 static const int kNumIterations = 14;
8755 bool passed = false;
8756 for (int i = 0; i < kNumIterations; i++) {
8757 ASSERT_TRUE(
8758 GetExtensionOrder(ctx.get(), &order2, maybe_keys, decrypt_ech));
8759 if (order1 != order2) {
8760 passed = true;
8761 break;
8762 }
8763 }
8764 EXPECT_TRUE(passed) << "Extensions were not permuted";
8765 }
8766 }
8767 }
8768
TEST(SSLTest,HostMatching)8769 TEST(SSLTest, HostMatching) {
8770 static const char kCertPEM[] = R"(
8771 -----BEGIN CERTIFICATE-----
8772 MIIB9jCCAZ2gAwIBAgIQeudG9R61BOxUvWkeVhU5DTAKBggqhkjOPQQDAjApMRAw
8773 DgYDVQQKEwdBY21lIENvMRUwEwYDVQQDEwxleGFtcGxlMy5jb20wHhcNMjExMjA2
8774 MjA1NjU2WhcNMjIxMjA2MjA1NjU2WjApMRAwDgYDVQQKEwdBY21lIENvMRUwEwYD
8775 VQQDEwxleGFtcGxlMy5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS7l2VO
8776 Bl2TjVm9WfGk24+hMbVFUNB+RVHWbCvFvNZAoWiIJ2z34RLGInyZvCZ8xLAvsuaW
8777 ULDDaoeDl1M0t4Hmo4GmMIGjMA4GA1UdDwEB/wQEAwIChDATBgNVHSUEDDAKBggr
8778 BgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTTJWurcc1t+VPQBko3
8779 Gsw6cbcWSTBMBgNVHREERTBDggxleGFtcGxlMS5jb22CDGV4YW1wbGUyLmNvbYIP
8780 YSouZXhhbXBsZTQuY29tgg4qLmV4YW1wbGU1LmNvbYcEAQIDBDAKBggqhkjOPQQD
8781 AgNHADBEAiAAv0ljHJGrgyzZDkG6XvNZ5ewxRfnXcZuD0Y7E4giCZgIgNK1qjilu
8782 5DyVbfKeeJhOCtGxqE1dWLXyJBnoRomSYBY=
8783 -----END CERTIFICATE-----
8784 )";
8785 bssl::UniquePtr<X509> cert(CertFromPEM(kCertPEM));
8786 ASSERT_TRUE(cert);
8787 static const char kCertNoSANsPEM[] = R"(
8788 -----BEGIN CERTIFICATE-----
8789 MIIBqzCCAVGgAwIBAgIQeudG9R61BOxUvWkeVhU5DTAKBggqhkjOPQQDAjArMRIw
8790 EAYDVQQKEwlBY21lIENvIDIxFTATBgNVBAMTDGV4YW1wbGUzLmNvbTAeFw0yMTEy
8791 MDYyMDU2NTZaFw0yMjEyMDYyMDU2NTZaMCsxEjAQBgNVBAoTCUFjbWUgQ28gMjEV
8792 MBMGA1UEAxMMZXhhbXBsZTMuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
8793 u5dlTgZdk41ZvVnxpNuPoTG1RVDQfkVR1mwrxbzWQKFoiCds9+ESxiJ8mbwmfMSw
8794 L7LmllCww2qHg5dTNLeB5qNXMFUwDgYDVR0PAQH/BAQDAgKEMBMGA1UdJQQMMAoG
8795 CCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNMla6txzW35U9AG
8796 SjcazDpxtxZJMAoGCCqGSM49BAMCA0gAMEUCIG3YWGWtpVhbcGV7wFKQwTfmvwHW
8797 pw4qCFZlool4hCwsAiEA+2fc6NfSbNpFEtQkDOMJW2ANiScAVEmImNqPfb2klz4=
8798 -----END CERTIFICATE-----
8799 )";
8800 bssl::UniquePtr<X509> cert_no_sans(CertFromPEM(kCertNoSANsPEM));
8801 ASSERT_TRUE(cert_no_sans);
8802
8803 static const char kKeyPEM[] = R"(
8804 -----BEGIN PRIVATE KEY-----
8805 MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQghsaSZhUzZAcQlLyJ
8806 MDuy7WPdyqNsAX9rmEP650LF/q2hRANCAAS7l2VOBl2TjVm9WfGk24+hMbVFUNB+
8807 RVHWbCvFvNZAoWiIJ2z34RLGInyZvCZ8xLAvsuaWULDDaoeDl1M0t4Hm
8808 -----END PRIVATE KEY-----
8809 )";
8810 bssl::UniquePtr<EVP_PKEY> key(KeyFromPEM(kKeyPEM));
8811 ASSERT_TRUE(key);
8812
8813 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
8814 ASSERT_TRUE(client_ctx);
8815 ASSERT_TRUE(X509_STORE_add_cert(SSL_CTX_get_cert_store(client_ctx.get()),
8816 cert.get()));
8817 ASSERT_TRUE(X509_STORE_add_cert(SSL_CTX_get_cert_store(client_ctx.get()),
8818 cert_no_sans.get()));
8819 SSL_CTX_set_verify(client_ctx.get(),
8820 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
8821 nullptr);
8822 X509_VERIFY_PARAM_set_flags(SSL_CTX_get0_param(client_ctx.get()),
8823 X509_V_FLAG_NO_CHECK_TIME);
8824
8825 struct TestCase {
8826 X509 *cert;
8827 std::string hostname;
8828 unsigned flags;
8829 bool should_match;
8830 };
8831 std::vector<TestCase> kTests = {
8832 // These two names are present as SANs in the certificate.
8833 {cert.get(), "example1.com", 0, true},
8834 {cert.get(), "example2.com", 0, true},
8835 // This is the CN of the certificate, but that shouldn't matter if a SAN
8836 // extension is present.
8837 {cert.get(), "example3.com", 0, false},
8838 // If the SAN is not present, we, for now, look for DNS names in the CN.
8839 {cert_no_sans.get(), "example3.com", 0, true},
8840 // ... but this can be turned off.
8841 {cert_no_sans.get(), "example3.com", X509_CHECK_FLAG_NEVER_CHECK_SUBJECT,
8842 false},
8843 // a*.example4.com is a SAN, but is invalid.
8844 {cert.get(), "abc.example4.com", 0, false},
8845 // *.example5.com is a SAN in the certificate, which is a normal and valid
8846 // wildcard.
8847 {cert.get(), "abc.example5.com", 0, true},
8848 // This name is not present.
8849 {cert.get(), "notexample1.com", 0, false},
8850 // The IPv4 address 1.2.3.4 is a SAN, but that shouldn't match against a
8851 // hostname that happens to be its textual representation.
8852 {cert.get(), "1.2.3.4", 0, false},
8853 };
8854
8855 for (const TestCase &test : kTests) {
8856 SCOPED_TRACE(test.hostname);
8857
8858 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
8859 ASSERT_TRUE(server_ctx);
8860 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), test.cert));
8861 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
8862
8863 ClientConfig config;
8864 bssl::UniquePtr<SSL> client, server;
8865 config.verify_hostname = test.hostname;
8866 config.hostflags = test.flags;
8867 EXPECT_EQ(test.should_match,
8868 ConnectClientAndServer(&client, &server, client_ctx.get(),
8869 server_ctx.get(), config));
8870 }
8871 }
8872
TEST(SSLTest,NumTickets)8873 TEST(SSLTest, NumTickets) {
8874 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
8875 ASSERT_TRUE(server_ctx);
8876 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
8877 ASSERT_TRUE(client_ctx);
8878 bssl::UniquePtr<X509> cert = GetTestCertificate();
8879 ASSERT_TRUE(cert);
8880 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
8881 ASSERT_TRUE(key);
8882 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
8883 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
8884 SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH);
8885
8886 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
8887 static size_t ticket_count;
8888 SSL_CTX_sess_set_new_cb(client_ctx.get(), [](SSL *, SSL_SESSION *) -> int {
8889 ticket_count++;
8890 return 0;
8891 });
8892
8893 auto count_tickets = [&]() -> size_t {
8894 ticket_count = 0;
8895 bssl::UniquePtr<SSL> client, server;
8896 if (!ConnectClientAndServer(&client, &server, client_ctx.get(),
8897 server_ctx.get()) ||
8898 !FlushNewSessionTickets(client.get(), server.get())) {
8899 ADD_FAILURE() << "Could not run handshake";
8900 return 0;
8901 }
8902 return ticket_count;
8903 };
8904
8905 // By default, we should send two tickets.
8906 EXPECT_EQ(count_tickets(), 2u);
8907
8908 for (size_t num_tickets : {0, 1, 2, 3, 4, 5}) {
8909 SCOPED_TRACE(num_tickets);
8910 ASSERT_TRUE(SSL_CTX_set_num_tickets(server_ctx.get(), num_tickets));
8911 EXPECT_EQ(SSL_CTX_get_num_tickets(server_ctx.get()), num_tickets);
8912 EXPECT_EQ(count_tickets(), num_tickets);
8913 }
8914
8915 // Configuring too many tickets causes us to stop at some point.
8916 ASSERT_TRUE(SSL_CTX_set_num_tickets(server_ctx.get(), 100000));
8917 EXPECT_EQ(SSL_CTX_get_num_tickets(server_ctx.get()), 16u);
8918 EXPECT_EQ(count_tickets(), 16u);
8919 }
8920
TEST(SSLTest,CertSubjectsToStack)8921 TEST(SSLTest, CertSubjectsToStack) {
8922 const std::string kCert1 = R"(
8923 -----BEGIN CERTIFICATE-----
8924 MIIBzzCCAXagAwIBAgIJANlMBNpJfb/rMAkGByqGSM49BAEwRTELMAkGA1UEBhMC
8925 QVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdp
8926 dHMgUHR5IEx0ZDAeFw0xNDA0MjMyMzIxNTdaFw0xNDA1MjMyMzIxNTdaMEUxCzAJ
8927 BgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5l
8928 dCBXaWRnaXRzIFB0eSBMdGQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATmK2ni
8929 v2Wfl74vHg2UikzVl2u3qR4NRvvdqakendy6WgHn1peoChj5w8SjHlbifINI2xYa
8930 HPUdfvGULUvPciLBo1AwTjAdBgNVHQ4EFgQUq4TSrKuV8IJOFngHVVdf5CaNgtEw
8931 HwYDVR0jBBgwFoAUq4TSrKuV8IJOFngHVVdf5CaNgtEwDAYDVR0TBAUwAwEB/zAJ
8932 BgcqhkjOPQQBA0gAMEUCIQDyoDVeUTo2w4J5m+4nUIWOcAZ0lVfSKXQA9L4Vh13E
8933 BwIgfB55FGohg/B6dGh5XxSZmmi08cueFV7mHzJSYV51yRQ=
8934 -----END CERTIFICATE-----
8935 )";
8936 const std::vector<uint8_t> kName1 = {
8937 0x30, 0x45, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
8938 0x02, 0x41, 0x55, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
8939 0x0c, 0x0a, 0x53, 0x6f, 0x6d, 0x65, 0x2d, 0x53, 0x74, 0x61, 0x74, 0x65,
8940 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x18, 0x49,
8941 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x20, 0x57, 0x69, 0x64, 0x67,
8942 0x69, 0x74, 0x73, 0x20, 0x50, 0x74, 0x79, 0x20, 0x4c, 0x74, 0x64};
8943 const std::string kCert2 = R"(
8944 -----BEGIN CERTIFICATE-----
8945 MIICXjCCAcegAwIBAgIIWjO48ufpunYwDQYJKoZIhvcNAQELBQAwNjEaMBgGA1UE
8946 ChMRQm9yaW5nU1NMIFRFU1RJTkcxGDAWBgNVBAMTD0ludGVybWVkaWF0ZSBDQTAg
8947 Fw0xNTAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowMjEaMBgGA1UEChMRQm9y
8948 aW5nU1NMIFRFU1RJTkcxFDASBgNVBAMTC2V4YW1wbGUuY29tMIGfMA0GCSqGSIb3
8949 DQEBAQUAA4GNADCBiQKBgQDD0U0ZYgqShJ7oOjsyNKyVXEHqeafmk/bAoPqY/h1c
8950 oPw2E8KmeqiUSoTPjG5IXSblOxcqpbAXgnjPzo8DI3GNMhAf8SYNYsoH7gc7Uy7j
8951 5x8bUrisGnuTHqkqH6d4/e7ETJ7i3CpR8bvK16DggEvQTudLipz8FBHtYhFakfdh
8952 TwIDAQABo3cwdTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEG
8953 CCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwGQYDVR0OBBIEEKN5pvbur7mlXjeMEYA0
8954 4nUwGwYDVR0jBBQwEoAQjBpoqLV2211Xex+NFLIGozANBgkqhkiG9w0BAQsFAAOB
8955 gQBj/p+JChp//LnXWC1k121LM/ii7hFzQzMrt70bny406SGz9jAjaPOX4S3gt38y
8956 rhjpPukBlSzgQXFg66y6q5qp1nQTD1Cw6NkKBe9WuBlY3iYfmsf7WT8nhlT1CttU
8957 xNCwyMX9mtdXdQicOfNjIGUCD5OLV5PgHFPRKiHHioBAhg==
8958 -----END CERTIFICATE-----
8959 )";
8960 const std::vector<uint8_t> kName2 = {
8961 0x30, 0x32, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0a,
8962 0x13, 0x11, 0x42, 0x6f, 0x72, 0x69, 0x6e, 0x67, 0x53, 0x53, 0x4c,
8963 0x20, 0x54, 0x45, 0x53, 0x54, 0x49, 0x4e, 0x47, 0x31, 0x14, 0x30,
8964 0x12, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x0b, 0x65, 0x78, 0x61,
8965 0x6d, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d};
8966
8967 const struct {
8968 std::vector<std::vector<uint8_t>> existing;
8969 std::string pem;
8970 std::vector<std::vector<uint8_t>> expected;
8971 } kTests[] = {
8972 // Do nothing.
8973 {{}, "", {}},
8974 // Append to an empty list, skipping duplicates.
8975 {{}, kCert1 + kCert2 + kCert1, {kName1, kName2}},
8976 // One of the names was already present.
8977 {{kName1}, kCert1 + kCert2, {kName1, kName2}},
8978 // Both names were already present.
8979 {{kName1, kName2}, kCert1 + kCert2, {kName1, kName2}},
8980 // Preserve existing duplicates.
8981 {{kName1, kName2, kName2}, kCert1 + kCert2, {kName1, kName2, kName2}},
8982 };
8983 for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kTests); i++) {
8984 SCOPED_TRACE(i);
8985 const auto &t = kTests[i];
8986
8987 bssl::UniquePtr<STACK_OF(X509_NAME)> stack(sk_X509_NAME_new_null());
8988 ASSERT_TRUE(stack);
8989 for (const auto& name : t.existing) {
8990 const uint8_t *inp = name.data();
8991 bssl::UniquePtr<X509_NAME> name_obj(
8992 d2i_X509_NAME(nullptr, &inp, name.size()));
8993 ASSERT_TRUE(name_obj);
8994 EXPECT_EQ(inp, name.data() + name.size());
8995 ASSERT_TRUE(bssl::PushToStack(stack.get(), std::move(name_obj)));
8996 }
8997
8998 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(t.pem.data(), t.pem.size()));
8999 ASSERT_TRUE(bio);
9000 ASSERT_TRUE(SSL_add_bio_cert_subjects_to_stack(stack.get(), bio.get()));
9001
9002 // The function should have left |stack|'s comparison function alone.
9003 EXPECT_EQ(nullptr, sk_X509_NAME_set_cmp_func(stack.get(), nullptr));
9004
9005 std::vector<std::vector<uint8_t>> expected = t.expected, result;
9006 for (X509_NAME *name : stack.get()) {
9007 uint8_t *der = nullptr;
9008 int der_len = i2d_X509_NAME(name, &der);
9009 ASSERT_GE(der_len, 0);
9010 result.push_back(std::vector<uint8_t>(der, der + der_len));
9011 OPENSSL_free(der);
9012 }
9013
9014 // |SSL_add_bio_cert_subjects_to_stack| does not return the output in a
9015 // well-defined order.
9016 std::sort(expected.begin(), expected.end());
9017 std::sort(result.begin(), result.end());
9018 EXPECT_EQ(result, expected);
9019 }
9020 }
9021
TEST(SSLTest,EmptyClientCAList)9022 TEST(SSLTest, EmptyClientCAList) {
9023 if (SkipTempFileTests()) {
9024 GTEST_SKIP();
9025 }
9026
9027 TemporaryFile empty;
9028 ASSERT_TRUE(empty.Init());
9029 bssl::UniquePtr<STACK_OF(X509_NAME)> names(
9030 SSL_load_client_CA_file(empty.path().c_str()));
9031 EXPECT_FALSE(names);
9032 }
9033
TEST(SSLTest,EmptyWriteBlockedOnHandshakeData)9034 TEST(SSLTest, EmptyWriteBlockedOnHandshakeData) {
9035 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
9036 bssl::UniquePtr<SSL_CTX> server_ctx =
9037 CreateContextWithTestCertificate(TLS_method());
9038 ASSERT_TRUE(client_ctx);
9039 ASSERT_TRUE(server_ctx);
9040 // Configure only TLS 1.3. This test requires post-handshake NewSessionTicket.
9041 ASSERT_TRUE(SSL_CTX_set_min_proto_version(client_ctx.get(), TLS1_3_VERSION));
9042 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION));
9043
9044 // Connect a client and server with tiny buffer between the two.
9045 bssl::UniquePtr<SSL> client(SSL_new(client_ctx.get())),
9046 server(SSL_new(server_ctx.get()));
9047 ASSERT_TRUE(client);
9048 ASSERT_TRUE(server);
9049 SSL_set_connect_state(client.get());
9050 SSL_set_accept_state(server.get());
9051 BIO *bio1, *bio2;
9052 ASSERT_TRUE(BIO_new_bio_pair(&bio1, 1, &bio2, 1));
9053 SSL_set_bio(client.get(), bio1, bio1);
9054 SSL_set_bio(server.get(), bio2, bio2);
9055 ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
9056
9057 // We defer NewSessionTicket to the first write, so the server has a pending
9058 // NewSessionTicket. See https://boringssl-review.googlesource.com/34948. This
9059 // means an empty write will flush the ticket. However, the transport only
9060 // allows one byte through, so this will fail with |SSL_ERROR_WANT_WRITE|.
9061 int ret = SSL_write(server.get(), nullptr, 0);
9062 ASSERT_EQ(ret, -1);
9063 ASSERT_EQ(SSL_get_error(server.get(), ret), SSL_ERROR_WANT_WRITE);
9064
9065 // Attempting to write non-zero data should not trip |SSL_R_BAD_WRITE_RETRY|.
9066 const uint8_t kData[] = {'h', 'e', 'l', 'l', 'o'};
9067 ret = SSL_write(server.get(), kData, sizeof(kData));
9068 ASSERT_EQ(ret, -1);
9069 ASSERT_EQ(SSL_get_error(server.get(), ret), SSL_ERROR_WANT_WRITE);
9070
9071 // Byte by byte, the data should eventually get through.
9072 uint8_t buf[sizeof(kData)];
9073 for (;;) {
9074 ret = SSL_read(client.get(), buf, sizeof(buf));
9075 ASSERT_EQ(ret, -1);
9076 ASSERT_EQ(SSL_get_error(client.get(), ret), SSL_ERROR_WANT_READ);
9077
9078 ret = SSL_write(server.get(), kData, sizeof(kData));
9079 if (ret > 0) {
9080 ASSERT_EQ(ret, 5);
9081 break;
9082 }
9083 ASSERT_EQ(ret, -1);
9084 ASSERT_EQ(SSL_get_error(server.get(), ret), SSL_ERROR_WANT_WRITE);
9085 }
9086
9087 ret = SSL_read(client.get(), buf, sizeof(buf));
9088 ASSERT_EQ(ret, static_cast<int>(sizeof(kData)));
9089 ASSERT_EQ(Bytes(buf, ret), Bytes(kData));
9090 }
9091
9092 // Test that |SSL_ERROR_SYSCALL| continues to work after a close_notify.
TEST(SSLTest,ErrorSyscallAfterCloseNotify)9093 TEST(SSLTest, ErrorSyscallAfterCloseNotify) {
9094 // Make a custom |BIO| where writes fail, but without pushing to the error
9095 // queue.
9096 bssl::UniquePtr<BIO_METHOD> method(BIO_meth_new(0, nullptr));
9097 ASSERT_TRUE(method);
9098 BIO_meth_set_create(method.get(), [](BIO *b) -> int {
9099 BIO_set_init(b, 1);
9100 return 1;
9101 });
9102 static bool write_failed = false;
9103 BIO_meth_set_write(method.get(), [](BIO *, const char *, int) -> int {
9104 // Fail the operation and don't add to the error queue.
9105 write_failed = true;
9106 return -1;
9107 });
9108 bssl::UniquePtr<BIO> wbio_silent_error(BIO_new(method.get()));
9109 ASSERT_TRUE(wbio_silent_error);
9110
9111 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
9112 bssl::UniquePtr<SSL_CTX> server_ctx =
9113 CreateContextWithTestCertificate(TLS_method());
9114 ASSERT_TRUE(client_ctx);
9115 ASSERT_TRUE(server_ctx);
9116 bssl::UniquePtr<SSL> client, server;
9117 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
9118 server_ctx.get()));
9119
9120 // Replace the write |BIO| with |wbio_silent_error|.
9121 SSL_set0_wbio(client.get(), wbio_silent_error.release());
9122
9123 // Writes should fail. There is nothing in the error queue, so
9124 // |SSL_ERROR_SYSCALL| indicates the caller needs to check out-of-band.
9125 const uint8_t data[1] = {0};
9126 int ret = SSL_write(client.get(), data, sizeof(data));
9127 EXPECT_EQ(ret, -1);
9128 EXPECT_EQ(SSL_get_error(client.get(), ret), SSL_ERROR_SYSCALL);
9129 EXPECT_TRUE(write_failed);
9130 write_failed = false;
9131
9132 // Send a close_notify from the server. It should return 0 because
9133 // close_notify was sent, but not received. Confusingly, this is a success
9134 // output for |SSL_shutdown|'s API.
9135 EXPECT_EQ(SSL_shutdown(server.get()), 0);
9136
9137 // Read the close_notify on the client.
9138 uint8_t buf[1];
9139 ret = SSL_read(client.get(), buf, sizeof(buf));
9140 EXPECT_EQ(ret, 0);
9141 EXPECT_EQ(SSL_get_error(client.get(), ret), SSL_ERROR_ZERO_RETURN);
9142
9143 // Further calls to |SSL_read| continue to report |SSL_ERROR_ZERO_RETURN|.
9144 ret = SSL_read(client.get(), buf, sizeof(buf));
9145 EXPECT_EQ(ret, 0);
9146 EXPECT_EQ(SSL_get_error(client.get(), ret), SSL_ERROR_ZERO_RETURN);
9147
9148 // Although the client has seen close_notify, it should continue to report
9149 // |SSL_ERROR_SYSCALL| when its writes fail.
9150 ret = SSL_write(client.get(), data, sizeof(data));
9151 EXPECT_EQ(ret, -1);
9152 EXPECT_EQ(SSL_get_error(client.get(), ret), SSL_ERROR_SYSCALL);
9153 EXPECT_TRUE(write_failed);
9154 write_failed = false;
9155
9156 // Cause |BIO_write| to fail with a return value of zero instead.
9157 // |SSL_get_error| should not misinterpret this as a close_notify.
9158 //
9159 // This is not actually a correct implementation of |BIO_write|, but the rest
9160 // of the code treats zero from |BIO_write| as an error, so ensure it does so
9161 // correctly. Fixing https://crbug.com/boringssl/503 will make this case moot.
9162 BIO_meth_set_write(method.get(), [](BIO *, const char *, int) -> int {
9163 write_failed = true;
9164 return 0;
9165 });
9166 ret = SSL_write(client.get(), data, sizeof(data));
9167 EXPECT_EQ(ret, 0);
9168 EXPECT_EQ(SSL_get_error(client.get(), ret), SSL_ERROR_SYSCALL);
9169 EXPECT_TRUE(write_failed);
9170 write_failed = false;
9171 }
9172
9173 // Test that |SSL_shutdown|, when quiet shutdown is enabled, simulates receiving
9174 // a close_notify, down to |SSL_read| reporting |SSL_ERROR_ZERO_RETURN|.
TEST(SSLTest,QuietShutdown)9175 TEST(SSLTest, QuietShutdown) {
9176 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
9177 bssl::UniquePtr<SSL_CTX> server_ctx =
9178 CreateContextWithTestCertificate(TLS_method());
9179 ASSERT_TRUE(client_ctx);
9180 ASSERT_TRUE(server_ctx);
9181 SSL_CTX_set_quiet_shutdown(server_ctx.get(), 1);
9182 bssl::UniquePtr<SSL> client, server;
9183 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
9184 server_ctx.get()));
9185
9186 // Quiet shutdown is enabled, so |SSL_shutdown| on the server should
9187 // immediately return that bidirectional shutdown "completed".
9188 EXPECT_EQ(SSL_shutdown(server.get()), 1);
9189
9190 // Shut down writes so the client gets an EOF.
9191 EXPECT_TRUE(BIO_shutdown_wr(SSL_get_wbio(server.get())));
9192
9193 // Confirm no close notify was actually sent. Client reads should report a
9194 // transport EOF, not a close_notify. (Both have zero return, but
9195 // |SSL_get_error| is different.)
9196 char buf[1];
9197 int ret = SSL_read(client.get(), buf, sizeof(buf));
9198 EXPECT_EQ(ret, 0);
9199 EXPECT_EQ(SSL_get_error(client.get(), ret), SSL_ERROR_SYSCALL);
9200
9201 // The server believes bidirectional shutdown completed, so reads should
9202 // replay the (simulated) close_notify.
9203 ret = SSL_read(server.get(), buf, sizeof(buf));
9204 EXPECT_EQ(ret, 0);
9205 EXPECT_EQ(SSL_get_error(server.get(), ret), SSL_ERROR_ZERO_RETURN);
9206 }
9207
TEST(SSLTest,InvalidSignatureAlgorithm)9208 TEST(SSLTest, InvalidSignatureAlgorithm) {
9209 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
9210 ASSERT_TRUE(ctx);
9211
9212 static const uint16_t kInvalidPrefs[] = {1234};
9213 EXPECT_FALSE(SSL_CTX_set_signing_algorithm_prefs(
9214 ctx.get(), kInvalidPrefs, OPENSSL_ARRAY_SIZE(kInvalidPrefs)));
9215 EXPECT_FALSE(SSL_CTX_set_verify_algorithm_prefs(
9216 ctx.get(), kInvalidPrefs, OPENSSL_ARRAY_SIZE(kInvalidPrefs)));
9217
9218 static const uint16_t kDuplicatePrefs[] = {SSL_SIGN_RSA_PKCS1_SHA256,
9219 SSL_SIGN_RSA_PKCS1_SHA256};
9220 EXPECT_FALSE(SSL_CTX_set_signing_algorithm_prefs(
9221 ctx.get(), kDuplicatePrefs, OPENSSL_ARRAY_SIZE(kDuplicatePrefs)));
9222 EXPECT_FALSE(SSL_CTX_set_verify_algorithm_prefs(
9223 ctx.get(), kDuplicatePrefs, OPENSSL_ARRAY_SIZE(kDuplicatePrefs)));
9224 }
9225
TEST(SSLTest,InvalidGroups)9226 TEST(SSLTest, InvalidGroups) {
9227 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
9228 ASSERT_TRUE(ctx);
9229
9230 static const uint16_t kInvalidIDs[] = {1234};
9231 EXPECT_FALSE(SSL_CTX_set1_group_ids(
9232 ctx.get(), kInvalidIDs, OPENSSL_ARRAY_SIZE(kInvalidIDs)));
9233
9234 // This is a valid NID, but it is not a valid group.
9235 static const int kInvalidNIDs[] = {NID_rsaEncryption};
9236 EXPECT_FALSE(SSL_CTX_set1_groups(
9237 ctx.get(), kInvalidNIDs, OPENSSL_ARRAY_SIZE(kInvalidNIDs)));
9238 }
9239
TEST(SSLTest,NameLists)9240 TEST(SSLTest, NameLists) {
9241 struct {
9242 size_t (*func)(const char **, size_t);
9243 std::vector<std::string> expected;
9244 } kTests[] = {
9245 {SSL_get_all_version_names, {"TLSv1.3", "DTLSv1.2", "unknown"}},
9246 {SSL_get_all_standard_cipher_names,
9247 {"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_AES_128_GCM_SHA256"}},
9248 {SSL_get_all_cipher_names,
9249 {"ECDHE-ECDSA-AES128-GCM-SHA256", "TLS_AES_128_GCM_SHA256", "(NONE)"}},
9250 {SSL_get_all_group_names, {"P-256", "X25519"}},
9251 {SSL_get_all_signature_algorithm_names,
9252 {"rsa_pkcs1_sha256", "ecdsa_secp256r1_sha256", "ecdsa_sha256"}},
9253 };
9254 for (const auto &t : kTests) {
9255 size_t num = t.func(nullptr, 0);
9256 EXPECT_GT(num, 0u);
9257
9258 std::vector<const char*> list(num);
9259 EXPECT_EQ(num, t.func(list.data(), list.size()));
9260
9261 // Check the expected values are in the list.
9262 for (const auto &s : t.expected) {
9263 EXPECT_NE(list.end(), std::find(list.begin(), list.end(), s))
9264 << "Could not find " << s;
9265 }
9266
9267 // Passing in a larger buffer should leave excess space alone.
9268 std::vector<const char *> list2(num + 1, "placeholder");
9269 EXPECT_EQ(num, t.func(list2.data(), list2.size()));
9270 for (size_t i = 0; i < num; i++) {
9271 EXPECT_STREQ(list[i], list2[i]);
9272 }
9273 EXPECT_STREQ(list2.back(), "placeholder");
9274
9275 // Passing in a shorter buffer should truncate the list.
9276 for (size_t l = 0; l < num; l++) {
9277 SCOPED_TRACE(l);
9278 list2.resize(l);
9279 EXPECT_EQ(num, t.func(list2.data(), list2.size()));
9280 for (size_t i = 0; i < l; i++) {
9281 EXPECT_STREQ(list[i], list2[i]);
9282 }
9283 }
9284 }
9285 }
9286
9287 // Test that it is possible for the certificate to be configured on a mix of
9288 // SSL_CTX and SSL. This ensures that we do not inadvertently overshare objects
9289 // in SSL_new.
TEST(SSLTest,MixContextAndConnection)9290 TEST(SSLTest, MixContextAndConnection) {
9291 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
9292 ASSERT_TRUE(ctx);
9293 bssl::UniquePtr<X509> cert = GetTestCertificate();
9294 ASSERT_TRUE(cert);
9295 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
9296 ASSERT_TRUE(key);
9297
9298 // Configure the certificate, but not the private key, on the context.
9299 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), cert.get()));
9300
9301 bssl::UniquePtr<SSL> ssl1(SSL_new(ctx.get()));
9302 ASSERT_TRUE(ssl1.get());
9303 bssl::UniquePtr<SSL> ssl2(SSL_new(ctx.get()));
9304 ASSERT_TRUE(ssl2.get());
9305
9306 // There is no private key configured yet.
9307 EXPECT_FALSE(SSL_CTX_get0_privatekey(ctx.get()));
9308 EXPECT_FALSE(SSL_get_privatekey(ssl1.get()));
9309 EXPECT_FALSE(SSL_get_privatekey(ssl2.get()));
9310
9311 // Configuring the private key on |ssl1| works.
9312 ASSERT_TRUE(SSL_use_PrivateKey(ssl1.get(), key.get()));
9313 EXPECT_TRUE(SSL_get_privatekey(ssl1.get()));
9314
9315 // It does not impact the other connection or the context.
9316 EXPECT_FALSE(SSL_CTX_get0_privatekey(ctx.get()));
9317 EXPECT_FALSE(SSL_get_privatekey(ssl2.get()));
9318 }
9319
9320 // Test that the server handshake cleanly fails if it had no certificate
9321 // configured, at all versions.
TEST_P(SSLVersionTest,NoCertOrKey)9322 TEST_P(SSLVersionTest, NoCertOrKey) {
9323 bssl::UniquePtr<X509> cert = GetChainTestCertificate();
9324 ASSERT_TRUE(cert);
9325 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
9326 ASSERT_TRUE(key);
9327 bssl::UniquePtr<X509> intermediate = GetChainTestIntermediate();
9328 ASSERT_TRUE(intermediate);
9329 bssl::UniquePtr<STACK_OF(X509)> chain(sk_X509_new_null());
9330 ASSERT_TRUE(chain);
9331 ASSERT_TRUE(bssl::PushToStack(chain.get(), std::move(intermediate)));
9332
9333 const struct {
9334 bool has_cert;
9335 bool has_key;
9336 bool has_chain;
9337 } kTests[] = {
9338 // If nothing is configured, there is unambiguously no certificate.
9339 {/*has_cert=*/false, /*has_key=*/false, /*has_chain=*/false},
9340
9341 // If only one of the key and certificate is configured, it is still treated
9342 // as if there is no certificate.
9343 {/*has_cert=*/true, /*has_key=*/false, /*has_chain=*/false},
9344 {/*has_cert=*/false, /*has_key=*/true, /*has_chain=*/false},
9345
9346 // The key and intermediates may be configured, but without a leaf there is
9347 // no certificate. This case is interesting because we internally store the
9348 // chain with a somewhat fragile null fist entry.
9349 {/*has_cert=*/false, /*has_key=*/true, /*has_chain=*/true},
9350 };
9351 for (const auto &t : kTests) {
9352 SCOPED_TRACE(testing::Message() << "has_cert = " << t.has_cert);
9353 SCOPED_TRACE(testing::Message() << "has_key = " << t.has_key);
9354 SCOPED_TRACE(testing::Message() << "has_chain = " << t.has_chain);
9355 for (bool client : {false, true}) {
9356 SCOPED_TRACE(testing::Message() << "client = " << client);
9357
9358 EXPECT_NO_FATAL_FAILURE(ResetContexts());
9359 if (client) {
9360 // Request client certificates from the server.
9361 SSL_CTX_set_verify(server_ctx_.get(), SSL_VERIFY_PEER, nullptr);
9362 SSL_CTX_set_cert_verify_callback(client_ctx_.get(), VerifySucceed,
9363 nullptr);
9364 } else {
9365 // Recreate the server context. ResetContexts automatically adds server
9366 // certificates.
9367 server_ctx_ = CreateContext();
9368 ASSERT_TRUE(server_ctx_);
9369 }
9370
9371 SSL_CTX *ctx = client ? client_ctx_.get() : server_ctx_.get();
9372 if (t.has_cert) {
9373 ASSERT_TRUE(SSL_CTX_use_certificate(ctx, cert.get()));
9374 }
9375 if (t.has_key) {
9376 ASSERT_TRUE(SSL_CTX_use_PrivateKey(ctx, key.get()));
9377 }
9378 if (t.has_chain) {
9379 ASSERT_TRUE(SSL_CTX_set1_chain(ctx, chain.get()));
9380 }
9381
9382 // In each of these cases, |SSL_CTX_check_private_key| should report the
9383 // certificate was not configured.
9384 EXPECT_FALSE(SSL_CTX_check_private_key(ctx));
9385 ERR_clear_error();
9386
9387 if (client) {
9388 // The client should cleanly handshake without asserting a certificate.
9389 EXPECT_TRUE(Connect());
9390 EXPECT_FALSE(SSL_get0_peer_certificates(server_.get()));
9391 } else {
9392 // Servers cannot be anonymous. The connection should fail.
9393 EXPECT_FALSE(Connect());
9394 // Depending on the TLS version, this should either appear as
9395 // NO_SHARED_CIPHER (TLS 1.2) or NO_CERTIFICATE_SET (TLS 1.3).
9396 uint32_t err = ERR_get_error();
9397 if (!ErrorEquals(err, ERR_LIB_SSL, SSL_R_NO_SHARED_CIPHER)) {
9398 EXPECT_TRUE(ErrorEquals(err, ERR_LIB_SSL, SSL_R_NO_CERTIFICATE_SET));
9399 }
9400 }
9401 }
9402 }
9403 }
9404
TEST_P(SSLVersionTest,KeyLog)9405 TEST_P(SSLVersionTest, KeyLog) {
9406 using KeyLog = std::map<std::string, std::vector<uint8_t>>;
9407 KeyLog client_log, server_log;
9408
9409 SSL_CTX_set_app_data(client_ctx_.get(), &client_log);
9410 SSL_CTX_set_app_data(server_ctx_.get(), &server_log);
9411
9412 auto keylog_callback = [](const SSL *ssl, const char *line) {
9413 SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
9414 KeyLog *log = static_cast<KeyLog *>(SSL_CTX_get_app_data(ctx));
9415 ASSERT_TRUE(log);
9416
9417 const char *space1 = strchr(line, ' ');
9418 ASSERT_TRUE(space1);
9419 std::string name(line, space1 - line);
9420 space1++;
9421 const char *space2 = strchr(space1, ' ');
9422 ASSERT_TRUE(space2);
9423 bssl::Span<const char> client_random_hex(space1, space2 - space1);
9424 space2++;
9425 bssl::Span<const char> secret_hex(space2, strlen(space2));
9426
9427 std::vector<uint8_t> client_random, secret;
9428 ASSERT_TRUE(DecodeLowerHex(&client_random, client_random_hex));
9429 ASSERT_TRUE(DecodeLowerHex(&secret, secret_hex));
9430
9431 // The client_random field identifies the connection. Check it matches
9432 // the connection.
9433 uint8_t expected_random[SSL3_RANDOM_SIZE];
9434 ASSERT_EQ(
9435 sizeof(expected_random),
9436 SSL_get_client_random(ssl, expected_random, sizeof(expected_random)));
9437 ASSERT_EQ(Bytes(expected_random), Bytes(client_random));
9438
9439 ASSERT_EQ(log->count(name), 0u) << "duplicate name " << name;
9440 log->emplace(std::move(name), std::move(secret));
9441 };
9442 SSL_CTX_set_keylog_callback(client_ctx_.get(), keylog_callback);
9443 SSL_CTX_set_keylog_callback(server_ctx_.get(), keylog_callback);
9444
9445 // Connect and capture the various secrets.
9446 ASSERT_TRUE(Connect());
9447
9448 // Check that we logged the secrets we expected to log.
9449 if (version() == TLS1_3_VERSION) {
9450 EXPECT_THAT(client_log, ElementsAre(Key("CLIENT_HANDSHAKE_TRAFFIC_SECRET"),
9451 Key("CLIENT_TRAFFIC_SECRET_0"),
9452 Key("EXPORTER_SECRET"),
9453 Key("SERVER_HANDSHAKE_TRAFFIC_SECRET"),
9454 Key("SERVER_TRAFFIC_SECRET_0")));
9455
9456 // Ideally we'd check the other values, but those are harder to check
9457 // without actually decrypting the records.
9458 Span<const uint8_t> read_secret, write_secret;
9459 ASSERT_TRUE(bssl::SSL_get_traffic_secrets(client_.get(), &read_secret,
9460 &write_secret));
9461 EXPECT_EQ(Bytes(read_secret), Bytes(client_log["SERVER_TRAFFIC_SECRET_0"]));
9462 EXPECT_EQ(Bytes(write_secret),
9463 Bytes(client_log["CLIENT_TRAFFIC_SECRET_0"]));
9464 } else {
9465 EXPECT_THAT(client_log, ElementsAre(Key("CLIENT_RANDOM")));
9466
9467 size_t len =
9468 SSL_SESSION_get_master_key(SSL_get0_session(client_.get()), nullptr, 0);
9469 std::vector<uint8_t> expected(len);
9470 ASSERT_EQ(SSL_SESSION_get_master_key(SSL_get0_session(client_.get()),
9471 expected.data(), expected.size()),
9472 expected.size());
9473 EXPECT_EQ(Bytes(expected), Bytes(client_log["CLIENT_RANDOM"]));
9474 }
9475
9476 // The server should have logged the same secrets as the client.
9477 EXPECT_EQ(client_log, server_log);
9478 }
9479
9480 } // namespace
9481 BSSL_NAMESPACE_END
9482