1 /* Copyright (c) 2014, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15 #include <stdio.h>
16 #include <string.h>
17 #include <time.h>
18
19 #include <algorithm>
20 #include <string>
21 #include <utility>
22 #include <vector>
23
24 #include <gtest/gtest.h>
25
26 #include <openssl/base64.h>
27 #include <openssl/bio.h>
28 #include <openssl/cipher.h>
29 #include <openssl/crypto.h>
30 #include <openssl/err.h>
31 #include <openssl/hmac.h>
32 #include <openssl/pem.h>
33 #include <openssl/sha.h>
34 #include <openssl/ssl.h>
35 #include <openssl/rand.h>
36 #include <openssl/x509.h>
37
38 #include "internal.h"
39 #include "../crypto/internal.h"
40 #include "../crypto/test/test_util.h"
41
42 #if defined(OPENSSL_WINDOWS)
43 /* Windows defines struct timeval in winsock2.h. */
44 OPENSSL_MSVC_PRAGMA(warning(push, 3))
45 #include <winsock2.h>
46 OPENSSL_MSVC_PRAGMA(warning(pop))
47 #else
48 #include <sys/time.h>
49 #endif
50
51
52 struct ExpectedCipher {
53 unsigned long id;
54 int in_group_flag;
55 };
56
57 struct CipherTest {
58 // The rule string to apply.
59 const char *rule;
60 // The list of expected ciphers, in order.
61 std::vector<ExpectedCipher> expected;
62 // True if this cipher list should fail in strict mode.
63 bool strict_fail;
64 };
65
66 struct CurveTest {
67 // The rule string to apply.
68 const char *rule;
69 // The list of expected curves, in order.
70 std::vector<uint16_t> expected;
71 };
72
73 static const CipherTest kCipherTests[] = {
74 // Selecting individual ciphers should work.
75 {
76 "ECDHE-ECDSA-CHACHA20-POLY1305:"
77 "ECDHE-RSA-CHACHA20-POLY1305:"
78 "ECDHE-ECDSA-AES128-GCM-SHA256:"
79 "ECDHE-RSA-AES128-GCM-SHA256",
80 {
81 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
82 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
83 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
84 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
85 },
86 false,
87 },
88 // + reorders selected ciphers to the end, keeping their relative order.
89 {
90 "ECDHE-ECDSA-CHACHA20-POLY1305:"
91 "ECDHE-RSA-CHACHA20-POLY1305:"
92 "ECDHE-ECDSA-AES128-GCM-SHA256:"
93 "ECDHE-RSA-AES128-GCM-SHA256:"
94 "+aRSA",
95 {
96 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
97 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
98 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
99 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
100 },
101 false,
102 },
103 // ! banishes ciphers from future selections.
104 {
105 "!aRSA:"
106 "ECDHE-ECDSA-CHACHA20-POLY1305:"
107 "ECDHE-RSA-CHACHA20-POLY1305:"
108 "ECDHE-ECDSA-AES128-GCM-SHA256:"
109 "ECDHE-RSA-AES128-GCM-SHA256",
110 {
111 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
112 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
113 },
114 false,
115 },
116 // Multiple masks can be ANDed in a single rule.
117 {
118 "kRSA+AESGCM+AES128",
119 {
120 {TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0},
121 },
122 false,
123 },
124 // - removes selected ciphers, but preserves their order for future
125 // selections. Select AES_128_GCM, but order the key exchanges RSA,
126 // ECDHE_RSA.
127 {
128 "ALL:-kECDHE:"
129 #ifdef BORINGSSL_ENABLE_DHE_TLS
130 "-kDHE:"
131 #endif
132 "-kRSA:-ALL:"
133 "AESGCM+AES128+aRSA",
134 {
135 {TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0},
136 #ifdef BORINGSSL_ENABLE_DHE_TLS
137 {TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256, 0},
138 #endif
139 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
140 },
141 false,
142 },
143 // Unknown selectors are no-ops, except in strict mode.
144 {
145 "ECDHE-ECDSA-CHACHA20-POLY1305:"
146 "ECDHE-RSA-CHACHA20-POLY1305:"
147 "ECDHE-ECDSA-AES128-GCM-SHA256:"
148 "ECDHE-RSA-AES128-GCM-SHA256:"
149 "BOGUS1",
150 {
151 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
152 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
153 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
154 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
155 },
156 true,
157 },
158 // Unknown selectors are no-ops, except in strict mode.
159 {
160 "ECDHE-ECDSA-CHACHA20-POLY1305:"
161 "ECDHE-RSA-CHACHA20-POLY1305:"
162 "ECDHE-ECDSA-AES128-GCM-SHA256:"
163 "ECDHE-RSA-AES128-GCM-SHA256:"
164 "-BOGUS2:+BOGUS3:!BOGUS4",
165 {
166 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 0},
167 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
168 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
169 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
170 },
171 true,
172 },
173 // Square brackets specify equi-preference groups.
174 {
175 "[ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES128-GCM-SHA256]:"
176 "[ECDHE-RSA-CHACHA20-POLY1305]:"
177 "ECDHE-RSA-AES128-GCM-SHA256",
178 {
179 {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 1},
180 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
181 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
182 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
183 },
184 false,
185 },
186 // @STRENGTH performs a stable strength-sort of the selected ciphers and
187 // only the selected ciphers.
188 {
189 // To simplify things, banish all but {ECDHE_RSA,RSA} x
190 // {CHACHA20,AES_256_CBC,AES_128_CBC} x SHA1.
191 #ifdef BORINGSSL_ENABLE_DHE_TLS
192 "!kEDH:"
193 #endif
194 "!AESGCM:!3DES:!SHA256:!SHA384:"
195 // Order some ciphers backwards by strength.
196 "ALL:-CHACHA20:-AES256:-AES128:-ALL:"
197 // Select ECDHE ones and sort them by strength. Ties should resolve
198 // based on the order above.
199 "kECDHE:@STRENGTH:-ALL:"
200 // Now bring back everything uses RSA. ECDHE_RSA should be first, sorted
201 // by strength. Then RSA, backwards by strength.
202 "aRSA",
203 {
204 {TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, 0},
205 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
206 {TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, 0},
207 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
208 {TLS1_CK_RSA_WITH_AES_256_SHA, 0},
209 },
210 false,
211 },
212 // Exact ciphers may not be used in multi-part rules; they are treated
213 // as unknown aliases.
214 {
215 "ECDHE-ECDSA-AES128-GCM-SHA256:"
216 "ECDHE-RSA-AES128-GCM-SHA256:"
217 "!ECDHE-RSA-AES128-GCM-SHA256+RSA:"
218 "!ECDSA+ECDHE-ECDSA-AES128-GCM-SHA256",
219 {
220 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
221 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
222 },
223 true,
224 },
225 // SSLv3 matches everything that existed before TLS 1.2.
226 {
227 "AES128-SHA:AES128-SHA256:!SSLv3",
228 {
229 {TLS1_CK_RSA_WITH_AES_128_SHA256, 0},
230 },
231 false,
232 },
233 // TLSv1.2 matches everything added in TLS 1.2.
234 {
235 "AES128-SHA:AES128-SHA256:!TLSv1.2",
236 {
237 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
238 },
239 false,
240 },
241 // The two directives have no intersection. But each component is valid, so
242 // even in strict mode it is accepted.
243 {
244 "AES128-SHA:AES128-SHA256:!TLSv1.2+SSLv3",
245 {
246 {TLS1_CK_RSA_WITH_AES_128_SHA, 0},
247 {TLS1_CK_RSA_WITH_AES_128_SHA256, 0},
248 },
249 false,
250 },
251 };
252
253 static const char *kBadRules[] = {
254 // Invalid brackets.
255 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256",
256 "RSA]",
257 "[[RSA]]",
258 // Operators inside brackets.
259 "[+RSA]",
260 // Unknown directive.
261 "@BOGUS",
262 // Empty cipher lists error at SSL_CTX_set_cipher_list.
263 "",
264 "BOGUS",
265 // COMPLEMENTOFDEFAULT is empty.
266 "COMPLEMENTOFDEFAULT",
267 // Invalid command.
268 "?BAR",
269 // Special operators are not allowed if groups are used.
270 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:+FOO",
271 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:!FOO",
272 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:-FOO",
273 "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:@STRENGTH",
274 // Opcode supplied, but missing selector.
275 "+",
276 };
277
278 static const char *kMustNotIncludeNull[] = {
279 "ALL",
280 "DEFAULT",
281 "HIGH",
282 "FIPS",
283 "SHA",
284 "SHA1",
285 "RSA",
286 "SSLv3",
287 "TLSv1",
288 "TLSv1.2",
289 };
290
291 static const CurveTest kCurveTests[] = {
292 {
293 "P-256",
294 { SSL_CURVE_SECP256R1 },
295 },
296 {
297 "P-256:P-384:P-521:X25519",
298 {
299 SSL_CURVE_SECP256R1,
300 SSL_CURVE_SECP384R1,
301 SSL_CURVE_SECP521R1,
302 SSL_CURVE_X25519,
303 },
304 },
305 };
306
307 static const char *kBadCurvesLists[] = {
308 "",
309 ":",
310 "::",
311 "P-256::X25519",
312 "RSA:P-256",
313 "P-256:RSA",
314 "X25519:P-256:",
315 ":X25519:P-256",
316 };
317
PrintCipherPreferenceList(ssl_cipher_preference_list_st * list)318 static void PrintCipherPreferenceList(ssl_cipher_preference_list_st *list) {
319 bool in_group = false;
320 for (size_t i = 0; i < sk_SSL_CIPHER_num(list->ciphers); i++) {
321 const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(list->ciphers, i);
322 if (!in_group && list->in_group_flags[i]) {
323 fprintf(stderr, "\t[\n");
324 in_group = true;
325 }
326 fprintf(stderr, "\t");
327 if (in_group) {
328 fprintf(stderr, " ");
329 }
330 fprintf(stderr, "%s\n", SSL_CIPHER_get_name(cipher));
331 if (in_group && !list->in_group_flags[i]) {
332 fprintf(stderr, "\t]\n");
333 in_group = false;
334 }
335 }
336 }
337
TestCipherRule(const CipherTest & t)338 static bool TestCipherRule(const CipherTest &t) {
339 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
340 if (!ctx) {
341 return false;
342 }
343
344 if (!SSL_CTX_set_cipher_list(ctx.get(), t.rule)) {
345 fprintf(stderr, "Error testing cipher rule '%s'\n", t.rule);
346 return false;
347 }
348
349 if (!SSL_CTX_set_strict_cipher_list(ctx.get(), t.rule) != t.strict_fail) {
350 fprintf(stderr, "Unexpected strict failure result testing cipher rule '%s':"
351 " expected %d\n", t.rule, t.strict_fail);
352 return false;
353 }
354
355 // Compare the two lists.
356 if (sk_SSL_CIPHER_num(ctx->cipher_list->ciphers) != t.expected.size()) {
357 fprintf(stderr, "Error: cipher rule '%s' evaluated to:\n", t.rule);
358 PrintCipherPreferenceList(ctx->cipher_list);
359 return false;
360 }
361
362 for (size_t i = 0; i < t.expected.size(); i++) {
363 const SSL_CIPHER *cipher =
364 sk_SSL_CIPHER_value(ctx->cipher_list->ciphers, i);
365 if (t.expected[i].id != SSL_CIPHER_get_id(cipher) ||
366 t.expected[i].in_group_flag != ctx->cipher_list->in_group_flags[i]) {
367 fprintf(stderr, "Error: cipher rule '%s' evaluated to:\n", t.rule);
368 PrintCipherPreferenceList(ctx->cipher_list);
369 return false;
370 }
371 }
372
373 return true;
374 }
375
TestRuleDoesNotIncludeNull(const char * rule)376 static bool TestRuleDoesNotIncludeNull(const char *rule) {
377 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(SSLv23_server_method()));
378 if (!ctx) {
379 return false;
380 }
381 if (!SSL_CTX_set_strict_cipher_list(ctx.get(), rule)) {
382 fprintf(stderr, "Error: cipher rule '%s' failed\n", rule);
383 return false;
384 }
385 for (size_t i = 0; i < sk_SSL_CIPHER_num(ctx->cipher_list->ciphers); i++) {
386 if (SSL_CIPHER_is_NULL(sk_SSL_CIPHER_value(ctx->cipher_list->ciphers, i))) {
387 fprintf(stderr, "Error: cipher rule '%s' includes NULL\n",rule);
388 return false;
389 }
390 }
391 return true;
392 }
393
TestCipherRules()394 static bool TestCipherRules() {
395 for (const CipherTest &test : kCipherTests) {
396 if (!TestCipherRule(test)) {
397 return false;
398 }
399 }
400
401 for (const char *rule : kBadRules) {
402 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(SSLv23_server_method()));
403 if (!ctx) {
404 return false;
405 }
406 if (SSL_CTX_set_cipher_list(ctx.get(), rule)) {
407 fprintf(stderr, "Cipher rule '%s' unexpectedly succeeded\n", rule);
408 return false;
409 }
410 ERR_clear_error();
411 }
412
413 for (const char *rule : kMustNotIncludeNull) {
414 if (!TestRuleDoesNotIncludeNull(rule)) {
415 return false;
416 }
417 }
418
419 return true;
420 }
421
TestCurveRule(const CurveTest & t)422 static bool TestCurveRule(const CurveTest &t) {
423 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
424 if (!ctx) {
425 return false;
426 }
427
428 if (!SSL_CTX_set1_curves_list(ctx.get(), t.rule)) {
429 fprintf(stderr, "Error testing curves list '%s'\n", t.rule);
430 return false;
431 }
432
433 // Compare the two lists.
434 if (ctx->supported_group_list_len != t.expected.size()) {
435 fprintf(stderr, "Error testing curves list '%s': length\n", t.rule);
436 return false;
437 }
438
439 for (size_t i = 0; i < t.expected.size(); i++) {
440 if (t.expected[i] != ctx->supported_group_list[i]) {
441 fprintf(stderr, "Error testing curves list '%s': mismatch\n", t.rule);
442 return false;
443 }
444 }
445
446 return true;
447 }
448
TestCurveRules()449 static bool TestCurveRules() {
450 for (const CurveTest &test : kCurveTests) {
451 if (!TestCurveRule(test)) {
452 return false;
453 }
454 }
455
456 for (const char *rule : kBadCurvesLists) {
457 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(SSLv23_server_method()));
458 if (!ctx) {
459 return false;
460 }
461 if (SSL_CTX_set1_curves_list(ctx.get(), rule)) {
462 fprintf(stderr, "Curves list '%s' unexpectedly succeeded\n", rule);
463 return false;
464 }
465 ERR_clear_error();
466 }
467
468 return true;
469 }
470
471 // kOpenSSLSession is a serialized SSL_SESSION.
472 static const char kOpenSSLSession[] =
473 "MIIFqgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
474 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
475 "IWoJoQYCBFRDO46iBAICASyjggR6MIIEdjCCA16gAwIBAgIIK9dUvsPWSlUwDQYJ"
476 "KoZIhvcNAQEFBQAwSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMx"
477 "JTAjBgNVBAMTHEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTQxMDA4"
478 "MTIwNzU3WhcNMTUwMTA2MDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwK"
479 "Q2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29v"
480 "Z2xlIEluYzEXMBUGA1UEAwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEB"
481 "AQUAA4IBDwAwggEKAoIBAQCcKeLrplAC+Lofy8t/wDwtB6eu72CVp0cJ4V3lknN6"
482 "huH9ct6FFk70oRIh/VBNBBz900jYy+7111Jm1b8iqOTQ9aT5C7SEhNcQFJvqzH3e"
483 "MPkb6ZSWGm1yGF7MCQTGQXF20Sk/O16FSjAynU/b3oJmOctcycWYkY0ytS/k3LBu"
484 "Id45PJaoMqjB0WypqvNeJHC3q5JjCB4RP7Nfx5jjHSrCMhw8lUMW4EaDxjaR9KDh"
485 "PLgjsk+LDIySRSRDaCQGhEOWLJZVLzLo4N6/UlctCHEllpBUSvEOyFga52qroGjg"
486 "rf3WOQ925MFwzd6AK+Ich0gDRg8sQfdLH5OuP1cfLfU1AgMBAAGjggFBMIIBPTAd"
487 "BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdv"
488 "b2dsZS5jb20waAYIKwYBBQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtp"
489 "Lmdvb2dsZS5jb20vR0lBRzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50"
490 "czEuZ29vZ2xlLmNvbS9vY3NwMB0GA1UdDgQWBBQ7a+CcxsZByOpc+xpYFcIbnUMZ"
491 "hTAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEv"
492 "MBcGA1UdIAQQMA4wDAYKKwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRw"
493 "Oi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQCa"
494 "OXCBdoqUy5bxyq+Wrh1zsyyCFim1PH5VU2+yvDSWrgDY8ibRGJmfff3r4Lud5kal"
495 "dKs9k8YlKD3ITG7P0YT/Rk8hLgfEuLcq5cc0xqmE42xJ+Eo2uzq9rYorc5emMCxf"
496 "5L0TJOXZqHQpOEcuptZQ4OjdYMfSxk5UzueUhA3ogZKRcRkdB3WeWRp+nYRhx4St"
497 "o2rt2A0MKmY9165GHUqMK9YaaXHDXqBu7Sefr1uSoAP9gyIJKeihMivsGqJ1TD6Z"
498 "cc6LMe+dN2P8cZEQHtD1y296ul4Mivqk3jatUVL8/hCwgch9A8O4PGZq9WqBfEWm"
499 "IyHh1dPtbg1lOXdYCWtjpAIEAKUDAgEUqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36S"
500 "YTcLEkXqKwOBfF9vE4KX0NxeLwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9B"
501 "sNHM362zZnY27GpTw+Kwd751CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yE"
502 "OTDKPNj3+inbMaVigtK4PLyPq+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdA"
503 "i4gv7Y5oliyntgMBAQA=";
504
505 // kCustomSession is a custom serialized SSL_SESSION generated by
506 // filling in missing fields from |kOpenSSLSession|. This includes
507 // providing |peer_sha256|, so |peer| is not serialized.
508 static const char kCustomSession[] =
509 "MIIBdgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
510 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
511 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
512 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
513 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
514 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
515 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
516 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBLADBAEF";
517
518 // kBoringSSLSession is a serialized SSL_SESSION generated from bssl client.
519 static const char kBoringSSLSession[] =
520 "MIIRwQIBAQICAwMEAsAvBCDdoGxGK26mR+8lM0uq6+k9xYuxPnwAjpcF9n0Yli9R"
521 "kQQwbyshfWhdi5XQ1++7n2L1qqrcVlmHBPpr6yknT/u4pUrpQB5FZ7vqvNn8MdHf"
522 "9rWgoQYCBFXgs7uiBAICHCCjggR6MIIEdjCCA16gAwIBAgIIf+yfD7Y6UicwDQYJ"
523 "KoZIhvcNAQELBQAwSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMx"
524 "JTAjBgNVBAMTHEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTUwODEy"
525 "MTQ1MzE1WhcNMTUxMTEwMDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwK"
526 "Q2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29v"
527 "Z2xlIEluYzEXMBUGA1UEAwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEB"
528 "AQUAA4IBDwAwggEKAoIBAQC0MeG5YGQ0t+IeJeoneP/PrhEaieibeKYkbKVLNZpo"
529 "PLuBinvhkXZo3DC133NpCBpy6ZktBwamqyixAyuk/NU6OjgXqwwxfQ7di1AInLIU"
530 "792c7hFyNXSUCG7At8Ifi3YwBX9Ba6u/1d6rWTGZJrdCq3QU11RkKYyTq2KT5mce"
531 "Tv9iGKqSkSTlp8puy/9SZ/3DbU3U+BuqCFqeSlz7zjwFmk35acdCilpJlVDDN5C/"
532 "RCh8/UKc8PaL+cxlt531qoTENvYrflBno14YEZlCBZsPiFeUSILpKEj3Ccwhy0eL"
533 "EucWQ72YZU8mUzXBoXGn0zA0crFl5ci/2sTBBGZsylNBAgMBAAGjggFBMIIBPTAd"
534 "BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdv"
535 "b2dsZS5jb20waAYIKwYBBQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtp"
536 "Lmdvb2dsZS5jb20vR0lBRzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50"
537 "czEuZ29vZ2xlLmNvbS9vY3NwMB0GA1UdDgQWBBS/bzHxcE73Q4j3slC4BLbMtLjG"
538 "GjAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEv"
539 "MBcGA1UdIAQQMA4wDAYKKwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRw"
540 "Oi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQAb"
541 "qdWPZEHk0X7iKPCTHL6S3w6q1eR67goxZGFSM1lk1hjwyu7XcLJuvALVV9uY3ovE"
542 "kQZSHwT+pyOPWQhsSjO+1GyjvCvK/CAwiUmBX+bQRGaqHsRcio7xSbdVcajQ3bXd"
543 "X+s0WdbOpn6MStKAiBVloPlSxEI8pxY6x/BBCnTIk/+DMB17uZlOjG3vbAnkDkP+"
544 "n0OTucD9sHV7EVj9XUxi51nOfNBCN/s7lpUjDS/NJ4k3iwOtbCPswiot8vLO779a"
545 "f07vR03r349Iz/KTzk95rlFtX0IU+KYNxFNsanIXZ+C9FYGRXkwhHcvFb4qMUB1y"
546 "TTlM80jBMOwyjZXmjRAhpAIEAKUDAgEUqQUCAwGJwKqBpwSBpOgebbmn9NRUtMWH"
547 "+eJpqA5JLMFSMCChOsvKey3toBaCNGU7HfAEiiXNuuAdCBoK262BjQc2YYfqFzqH"
548 "zuppopXCvhohx7j/tnCNZIMgLYt/O9SXK2RYI5z8FhCCHvB4CbD5G0LGl5EFP27s"
549 "Jb6S3aTTYPkQe8yZSlxevg6NDwmTogLO9F7UUkaYmVcMQhzssEE2ZRYNwSOU6KjE"
550 "0Yj+8fAiBtbQriIEIN2L8ZlpaVrdN5KFNdvcmOxJu81P8q53X55xQyGTnGWwsgMC"
551 "ARezggvvMIIEdjCCA16gAwIBAgIIf+yfD7Y6UicwDQYJKoZIhvcNAQELBQAwSTEL"
552 "MAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2ds"
553 "ZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTUwODEyMTQ1MzE1WhcNMTUxMTEw"
554 "MDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQG"
555 "A1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UE"
556 "AwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB"
557 "AQC0MeG5YGQ0t+IeJeoneP/PrhEaieibeKYkbKVLNZpoPLuBinvhkXZo3DC133Np"
558 "CBpy6ZktBwamqyixAyuk/NU6OjgXqwwxfQ7di1AInLIU792c7hFyNXSUCG7At8If"
559 "i3YwBX9Ba6u/1d6rWTGZJrdCq3QU11RkKYyTq2KT5mceTv9iGKqSkSTlp8puy/9S"
560 "Z/3DbU3U+BuqCFqeSlz7zjwFmk35acdCilpJlVDDN5C/RCh8/UKc8PaL+cxlt531"
561 "qoTENvYrflBno14YEZlCBZsPiFeUSILpKEj3Ccwhy0eLEucWQ72YZU8mUzXBoXGn"
562 "0zA0crFl5ci/2sTBBGZsylNBAgMBAAGjggFBMIIBPTAdBgNVHSUEFjAUBggrBgEF"
563 "BQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYB"
564 "BQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lB"
565 "RzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9v"
566 "Y3NwMB0GA1UdDgQWBBS/bzHxcE73Q4j3slC4BLbMtLjGGjAMBgNVHRMBAf8EAjAA"
567 "MB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMBcGA1UdIAQQMA4wDAYK"
568 "KwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRwOi8vcGtpLmdvb2dsZS5j"
569 "b20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQAbqdWPZEHk0X7iKPCTHL6S"
570 "3w6q1eR67goxZGFSM1lk1hjwyu7XcLJuvALVV9uY3ovEkQZSHwT+pyOPWQhsSjO+"
571 "1GyjvCvK/CAwiUmBX+bQRGaqHsRcio7xSbdVcajQ3bXdX+s0WdbOpn6MStKAiBVl"
572 "oPlSxEI8pxY6x/BBCnTIk/+DMB17uZlOjG3vbAnkDkP+n0OTucD9sHV7EVj9XUxi"
573 "51nOfNBCN/s7lpUjDS/NJ4k3iwOtbCPswiot8vLO779af07vR03r349Iz/KTzk95"
574 "rlFtX0IU+KYNxFNsanIXZ+C9FYGRXkwhHcvFb4qMUB1yTTlM80jBMOwyjZXmjRAh"
575 "MIID8DCCAtigAwIBAgIDAjqDMA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT"
576 "MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i"
577 "YWwgQ0EwHhcNMTMwNDA1MTUxNTU2WhcNMTYxMjMxMjM1OTU5WjBJMQswCQYDVQQG"
578 "EwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVy"
579 "bmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB"
580 "AJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NP"
581 "VaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtv"
582 "h8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rE"
583 "ahqyzFPdFUuLH8gZYR/Nnag+YyuENWllhMgZxUYi+FOVvuOAShDGKuy6lyARxzmZ"
584 "EASg8GF6lSWMTlJ14rbtCMoU/M4iarNOz0YDl5cDfsCx3nuvRTPPuj5xt970JSXC"
585 "DTWJnZ37DhF5iR43xa+OcmkCAwEAAaOB5zCB5DAfBgNVHSMEGDAWgBTAephojYn7"
586 "qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1dvWBtrtiGrpagS8wDgYD"
587 "VR0PAQH/BAQDAgEGMC4GCCsGAQUFBwEBBCIwIDAeBggrBgEFBQcwAYYSaHR0cDov"
588 "L2cuc3ltY2QuY29tMBIGA1UdEwEB/wQIMAYBAf8CAQAwNQYDVR0fBC4wLDAqoCig"
589 "JoYkaHR0cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9iYWwuY3JsMBcGA1UdIAQQ"
590 "MA4wDAYKKwYBBAHWeQIFATANBgkqhkiG9w0BAQsFAAOCAQEAqvqpIM1qZ4PtXtR+"
591 "3h3Ef+AlBgDFJPupyC1tft6dgmUsgWM0Zj7pUsIItMsv91+ZOmqcUHqFBYx90SpI"
592 "hNMJbHzCzTWf84LuUt5oX+QAihcglvcpjZpNy6jehsgNb1aHA30DP9z6eX0hGfnI"
593 "Oi9RdozHQZJxjyXON/hKTAAj78Q1EK7gI4BzfE00LshukNYQHpmEcxpw8u1VDu4X"
594 "Bupn7jLrLN1nBz/2i8Jw3lsA5rsb0zYaImxssDVCbJAJPZPpZAkiDoUGn8JzIdPm"
595 "X4DkjYUiOnMDsWCOrmji9D6X52ASCWg23jrW4kOVWzeBkoEfu43XrVJkFleW2V40"
596 "fsg12DCCA30wggLmoAMCAQICAxK75jANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQG"
597 "EwJVUzEQMA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUg"
598 "Q2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTAyMDUyMTA0MDAwMFoXDTE4MDgyMTA0"
599 "MDAwMFowQjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUdlb1RydXN0IEluYy4xGzAZ"
600 "BgNVBAMTEkdlb1RydXN0IEdsb2JhbCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP"
601 "ADCCAQoCggEBANrMGGMw/fQXIxpWflvfPGw45HG3eJHUvKHYTPioQ7YD6U0hBwiI"
602 "2lgvZjkpvQV4i5046AW3an5xpObEYKaw74DkiSgPniXW7YPzraaRx5jJQhg1FJ2t"
603 "mEaSLk/K8YdDwRaVVy1Q74ktgHpXrfLuX2vSAI25FPgUFTXZwEaje3LIkb/JVSvN"
604 "0Jc+nCZkzN/Ogxlxyk7m1NV7qRnNVd7I7NJeOFPlXE+MLf5QIzb8ZubLjqQ5GQC3"
605 "lQI5kQsO/jgu0R0FmvZNPm8PBx2vLB6PYDni+jZTEznUXiYr2z2oFL0y6xgDKFIE"
606 "ceWrMz3hOLsHNoRinHnqFjD0X8Ar6HFr5PkCAwEAAaOB8DCB7TAfBgNVHSMEGDAW"
607 "gBRI5mj5K9KylddH2CMgEE8zmJCf1DAdBgNVHQ4EFgQUwHqYaI2J+6sFZAwRfap9"
608 "ZbjKzE4wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwOgYDVR0fBDMw"
609 "MTAvoC2gK4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20vY3Jscy9zZWN1cmVjYS5j"
610 "cmwwTgYDVR0gBEcwRTBDBgRVHSAAMDswOQYIKwYBBQUHAgEWLWh0dHBzOi8vd3d3"
611 "Lmdlb3RydXN0LmNvbS9yZXNvdXJjZXMvcmVwb3NpdG9yeTANBgkqhkiG9w0BAQUF"
612 "AAOBgQB24RJuTksWEoYwBrKBCM/wCMfHcX5m7sLt1Dsf//DwyE7WQziwuTB9GNBV"
613 "g6JqyzYRnOhIZqNtf7gT1Ef+i1pcc/yu2RsyGTirlzQUqpbS66McFAhJtrvlke+D"
614 "NusdVm/K2rxzY5Dkf3s+Iss9B+1fOHSc4wNQTqGvmO5h8oQ/Eg==";
615
616 // kBadSessionExtraField is a custom serialized SSL_SESSION generated by replacing
617 // the final (optional) element of |kCustomSession| with tag number 30.
618 static const char kBadSessionExtraField[] =
619 "MIIBdgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
620 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
621 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
622 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
623 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
624 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
625 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
626 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBL4DBAEF";
627
628 // kBadSessionVersion is a custom serialized SSL_SESSION generated by replacing
629 // the version of |kCustomSession| with 2.
630 static const char kBadSessionVersion[] =
631 "MIIBdgIBAgICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
632 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
633 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
634 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
635 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
636 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
637 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
638 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBLADBAEF";
639
640 // kBadSessionTrailingData is a custom serialized SSL_SESSION with trailing data
641 // appended.
642 static const char kBadSessionTrailingData[] =
643 "MIIBdgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
644 "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
645 "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
646 "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
647 "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
648 "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
649 "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
650 "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBLADBAEFAAAA";
651
DecodeBase64(std::vector<uint8_t> * out,const char * in)652 static bool DecodeBase64(std::vector<uint8_t> *out, const char *in) {
653 size_t len;
654 if (!EVP_DecodedLength(&len, strlen(in))) {
655 fprintf(stderr, "EVP_DecodedLength failed\n");
656 return false;
657 }
658
659 out->resize(len);
660 if (!EVP_DecodeBase64(out->data(), &len, len, (const uint8_t *)in,
661 strlen(in))) {
662 fprintf(stderr, "EVP_DecodeBase64 failed\n");
663 return false;
664 }
665 out->resize(len);
666 return true;
667 }
668
TestSSL_SESSIONEncoding(const char * input_b64)669 static bool TestSSL_SESSIONEncoding(const char *input_b64) {
670 const uint8_t *cptr;
671 uint8_t *ptr;
672
673 // Decode the input.
674 std::vector<uint8_t> input;
675 if (!DecodeBase64(&input, input_b64)) {
676 return false;
677 }
678
679 // Verify the SSL_SESSION decodes.
680 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
681 if (!ssl_ctx) {
682 return false;
683 }
684 bssl::UniquePtr<SSL_SESSION> session(
685 SSL_SESSION_from_bytes(input.data(), input.size(), ssl_ctx.get()));
686 if (!session) {
687 fprintf(stderr, "SSL_SESSION_from_bytes failed\n");
688 return false;
689 }
690
691 // Verify the SSL_SESSION encoding round-trips.
692 size_t encoded_len;
693 bssl::UniquePtr<uint8_t> encoded;
694 uint8_t *encoded_raw;
695 if (!SSL_SESSION_to_bytes(session.get(), &encoded_raw, &encoded_len)) {
696 fprintf(stderr, "SSL_SESSION_to_bytes failed\n");
697 return false;
698 }
699 encoded.reset(encoded_raw);
700 if (encoded_len != input.size() ||
701 OPENSSL_memcmp(input.data(), encoded.get(), input.size()) != 0) {
702 fprintf(stderr, "SSL_SESSION_to_bytes did not round-trip\n");
703 hexdump(stderr, "Before: ", input.data(), input.size());
704 hexdump(stderr, "After: ", encoded_raw, encoded_len);
705 return false;
706 }
707
708 // Verify the SSL_SESSION also decodes with the legacy API.
709 cptr = input.data();
710 session.reset(d2i_SSL_SESSION(NULL, &cptr, input.size()));
711 if (!session || cptr != input.data() + input.size()) {
712 fprintf(stderr, "d2i_SSL_SESSION failed\n");
713 return false;
714 }
715
716 // Verify the SSL_SESSION encoding round-trips via the legacy API.
717 int len = i2d_SSL_SESSION(session.get(), NULL);
718 if (len < 0 || (size_t)len != input.size()) {
719 fprintf(stderr, "i2d_SSL_SESSION(NULL) returned invalid length\n");
720 return false;
721 }
722
723 encoded.reset((uint8_t *)OPENSSL_malloc(input.size()));
724 if (!encoded) {
725 fprintf(stderr, "malloc failed\n");
726 return false;
727 }
728
729 ptr = encoded.get();
730 len = i2d_SSL_SESSION(session.get(), &ptr);
731 if (len < 0 || (size_t)len != input.size()) {
732 fprintf(stderr, "i2d_SSL_SESSION returned invalid length\n");
733 return false;
734 }
735 if (ptr != encoded.get() + input.size()) {
736 fprintf(stderr, "i2d_SSL_SESSION did not advance ptr correctly\n");
737 return false;
738 }
739 if (OPENSSL_memcmp(input.data(), encoded.get(), input.size()) != 0) {
740 fprintf(stderr, "i2d_SSL_SESSION did not round-trip\n");
741 return false;
742 }
743
744 return true;
745 }
746
TestBadSSL_SESSIONEncoding(const char * input_b64)747 static bool TestBadSSL_SESSIONEncoding(const char *input_b64) {
748 std::vector<uint8_t> input;
749 if (!DecodeBase64(&input, input_b64)) {
750 return false;
751 }
752
753 // Verify that the SSL_SESSION fails to decode.
754 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
755 if (!ssl_ctx) {
756 return false;
757 }
758 bssl::UniquePtr<SSL_SESSION> session(
759 SSL_SESSION_from_bytes(input.data(), input.size(), ssl_ctx.get()));
760 if (session) {
761 fprintf(stderr, "SSL_SESSION_from_bytes unexpectedly succeeded\n");
762 return false;
763 }
764 ERR_clear_error();
765 return true;
766 }
767
TestDefaultVersion(uint16_t min_version,uint16_t max_version,const SSL_METHOD * (* method)(void))768 static bool TestDefaultVersion(uint16_t min_version, uint16_t max_version,
769 const SSL_METHOD *(*method)(void)) {
770 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method()));
771 if (!ctx) {
772 return false;
773 }
774 if (ctx->min_version != min_version || ctx->max_version != max_version) {
775 fprintf(stderr, "Got min %04x, max %04x; wanted min %04x, max %04x\n",
776 ctx->min_version, ctx->max_version, min_version, max_version);
777 return false;
778 }
779 return true;
780 }
781
CipherGetRFCName(std::string * out,uint16_t value)782 static bool CipherGetRFCName(std::string *out, uint16_t value) {
783 const SSL_CIPHER *cipher = SSL_get_cipher_by_value(value);
784 if (cipher == NULL) {
785 return false;
786 }
787 bssl::UniquePtr<char> rfc_name(SSL_CIPHER_get_rfc_name(cipher));
788 if (!rfc_name) {
789 return false;
790 }
791 out->assign(rfc_name.get());
792 return true;
793 }
794
795 typedef struct {
796 int id;
797 const char *rfc_name;
798 } CIPHER_RFC_NAME_TEST;
799
800 static const CIPHER_RFC_NAME_TEST kCipherRFCNameTests[] = {
801 {SSL3_CK_RSA_DES_192_CBC3_SHA, "TLS_RSA_WITH_3DES_EDE_CBC_SHA"},
802 {TLS1_CK_RSA_WITH_AES_128_SHA, "TLS_RSA_WITH_AES_128_CBC_SHA"},
803 #ifdef BORINGSSL_ENABLE_DHE_TLS
804 {TLS1_CK_DHE_RSA_WITH_AES_256_SHA, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"},
805 {TLS1_CK_DHE_RSA_WITH_AES_256_SHA256,
806 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"},
807 #endif
808 {TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
809 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"},
810 {TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
811 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"},
812 {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
813 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"},
814 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
815 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"},
816 {TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
817 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"},
818 {TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA,
819 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA"},
820 {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
821 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"},
822 {TLS1_CK_AES_256_GCM_SHA384, "TLS_AES_256_GCM_SHA384"},
823 {TLS1_CK_AES_128_GCM_SHA256, "TLS_AES_128_GCM_SHA256"},
824 {TLS1_CK_CHACHA20_POLY1305_SHA256, "TLS_CHACHA20_POLY1305_SHA256"},
825 };
826
TestCipherGetRFCName(void)827 static bool TestCipherGetRFCName(void) {
828 for (size_t i = 0;
829 i < OPENSSL_ARRAY_SIZE(kCipherRFCNameTests); i++) {
830 const CIPHER_RFC_NAME_TEST *test = &kCipherRFCNameTests[i];
831 std::string rfc_name;
832 if (!CipherGetRFCName(&rfc_name, test->id & 0xffff)) {
833 fprintf(stderr, "SSL_CIPHER_get_rfc_name failed\n");
834 return false;
835 }
836 if (rfc_name != test->rfc_name) {
837 fprintf(stderr, "SSL_CIPHER_get_rfc_name: got '%s', wanted '%s'\n",
838 rfc_name.c_str(), test->rfc_name);
839 return false;
840 }
841 }
842 return true;
843 }
844
845 // CreateSessionWithTicket returns a sample |SSL_SESSION| with the specified
846 // version and ticket length or nullptr on failure.
CreateSessionWithTicket(uint16_t version,size_t ticket_len)847 static bssl::UniquePtr<SSL_SESSION> CreateSessionWithTicket(uint16_t version,
848 size_t ticket_len) {
849 std::vector<uint8_t> der;
850 if (!DecodeBase64(&der, kOpenSSLSession)) {
851 return nullptr;
852 }
853
854 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
855 if (!ssl_ctx) {
856 return nullptr;
857 }
858 bssl::UniquePtr<SSL_SESSION> session(
859 SSL_SESSION_from_bytes(der.data(), der.size(), ssl_ctx.get()));
860 if (!session) {
861 return nullptr;
862 }
863
864 session->ssl_version = version;
865
866 // Swap out the ticket for a garbage one.
867 OPENSSL_free(session->tlsext_tick);
868 session->tlsext_tick = reinterpret_cast<uint8_t*>(OPENSSL_malloc(ticket_len));
869 if (session->tlsext_tick == nullptr) {
870 return nullptr;
871 }
872 OPENSSL_memset(session->tlsext_tick, 'a', ticket_len);
873 session->tlsext_ticklen = ticket_len;
874
875 // Fix up the timeout.
876 #if defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE)
877 session->time = 1234;
878 #else
879 session->time = time(NULL);
880 #endif
881 return session;
882 }
883
GetClientHello(SSL * ssl,std::vector<uint8_t> * out)884 static bool GetClientHello(SSL *ssl, std::vector<uint8_t> *out) {
885 bssl::UniquePtr<BIO> bio(BIO_new(BIO_s_mem()));
886 if (!bio) {
887 return false;
888 }
889 // Do not configure a reading BIO, but record what's written to a memory BIO.
890 BIO_up_ref(bio.get());
891 SSL_set_bio(ssl, nullptr /* rbio */, bio.get());
892 int ret = SSL_connect(ssl);
893 if (ret > 0) {
894 // SSL_connect should fail without a BIO to write to.
895 return false;
896 }
897 ERR_clear_error();
898
899 const uint8_t *client_hello;
900 size_t client_hello_len;
901 if (!BIO_mem_contents(bio.get(), &client_hello, &client_hello_len)) {
902 return false;
903 }
904 *out = std::vector<uint8_t>(client_hello, client_hello + client_hello_len);
905 return true;
906 }
907
908 // GetClientHelloLen creates a client SSL connection with the specified version
909 // and ticket length. It returns the length of the ClientHello, not including
910 // the record header, on success and zero on error.
GetClientHelloLen(uint16_t max_version,uint16_t session_version,size_t ticket_len)911 static size_t GetClientHelloLen(uint16_t max_version, uint16_t session_version,
912 size_t ticket_len) {
913 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
914 bssl::UniquePtr<SSL_SESSION> session =
915 CreateSessionWithTicket(session_version, ticket_len);
916 if (!ctx || !session) {
917 return 0;
918 }
919
920 // Set a one-element cipher list so the baseline ClientHello is unpadded.
921 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
922 if (!ssl || !SSL_set_session(ssl.get(), session.get()) ||
923 !SSL_set_strict_cipher_list(ssl.get(), "ECDHE-RSA-AES128-GCM-SHA256") ||
924 !SSL_set_max_proto_version(ssl.get(), max_version)) {
925 return 0;
926 }
927
928 std::vector<uint8_t> client_hello;
929 if (!GetClientHello(ssl.get(), &client_hello) ||
930 client_hello.size() <= SSL3_RT_HEADER_LENGTH) {
931 return 0;
932 }
933
934 return client_hello.size() - SSL3_RT_HEADER_LENGTH;
935 }
936
937 struct PaddingTest {
938 size_t input_len, padded_len;
939 };
940
941 static const PaddingTest kPaddingTests[] = {
942 // ClientHellos of length below 0x100 do not require padding.
943 {0xfe, 0xfe},
944 {0xff, 0xff},
945 // ClientHellos of length 0x100 through 0x1fb are padded up to 0x200.
946 {0x100, 0x200},
947 {0x123, 0x200},
948 {0x1fb, 0x200},
949 // ClientHellos of length 0x1fc through 0x1ff get padded beyond 0x200. The
950 // padding extension takes a minimum of four bytes plus one required content
951 // byte. (To work around yet more server bugs, we avoid empty final
952 // extensions.)
953 {0x1fc, 0x201},
954 {0x1fd, 0x202},
955 {0x1fe, 0x203},
956 {0x1ff, 0x204},
957 // Finally, larger ClientHellos need no padding.
958 {0x200, 0x200},
959 {0x201, 0x201},
960 };
961
TestPaddingExtension(uint16_t max_version,uint16_t session_version)962 static bool TestPaddingExtension(uint16_t max_version,
963 uint16_t session_version) {
964 // Sample a baseline length.
965 size_t base_len = GetClientHelloLen(max_version, session_version, 1);
966 if (base_len == 0) {
967 return false;
968 }
969
970 for (const PaddingTest &test : kPaddingTests) {
971 if (base_len > test.input_len) {
972 fprintf(stderr,
973 "Baseline ClientHello too long (max_version = %04x, "
974 "session_version = %04x).\n",
975 max_version, session_version);
976 return false;
977 }
978
979 size_t padded_len = GetClientHelloLen(max_version, session_version,
980 1 + test.input_len - base_len);
981 if (padded_len != test.padded_len) {
982 fprintf(stderr,
983 "%u-byte ClientHello padded to %u bytes, not %u (max_version = "
984 "%04x, session_version = %04x).\n",
985 static_cast<unsigned>(test.input_len),
986 static_cast<unsigned>(padded_len),
987 static_cast<unsigned>(test.padded_len), max_version,
988 session_version);
989 return false;
990 }
991 }
992
993 return true;
994 }
995
996 // Test that |SSL_get_client_CA_list| echoes back the configured parameter even
997 // before configuring as a server.
TEST(SSLTest,ClientCAList)998 TEST(SSLTest, ClientCAList) {
999 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
1000 ASSERT_TRUE(ctx);
1001 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
1002 ASSERT_TRUE(ssl);
1003
1004 bssl::UniquePtr<X509_NAME> name(X509_NAME_new());
1005 ASSERT_TRUE(name);
1006
1007 bssl::UniquePtr<X509_NAME> name_dup(X509_NAME_dup(name.get()));
1008 ASSERT_TRUE(name_dup);
1009
1010 bssl::UniquePtr<STACK_OF(X509_NAME)> stack(sk_X509_NAME_new_null());
1011 ASSERT_TRUE(stack);
1012
1013 ASSERT_TRUE(sk_X509_NAME_push(stack.get(), name_dup.get()));
1014 name_dup.release();
1015
1016 // |SSL_set_client_CA_list| takes ownership.
1017 SSL_set_client_CA_list(ssl.get(), stack.release());
1018
1019 STACK_OF(X509_NAME) *result = SSL_get_client_CA_list(ssl.get());
1020 ASSERT_TRUE(result);
1021 ASSERT_EQ(1u, sk_X509_NAME_num(result));
1022 EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(result, 0), name.get()));
1023 }
1024
AppendSession(SSL_SESSION * session,void * arg)1025 static void AppendSession(SSL_SESSION *session, void *arg) {
1026 std::vector<SSL_SESSION*> *out =
1027 reinterpret_cast<std::vector<SSL_SESSION*>*>(arg);
1028 out->push_back(session);
1029 }
1030
1031 // ExpectCache returns true if |ctx|'s session cache consists of |expected|, in
1032 // order.
ExpectCache(SSL_CTX * ctx,const std::vector<SSL_SESSION * > & expected)1033 static bool ExpectCache(SSL_CTX *ctx,
1034 const std::vector<SSL_SESSION*> &expected) {
1035 // Check the linked list.
1036 SSL_SESSION *ptr = ctx->session_cache_head;
1037 for (SSL_SESSION *session : expected) {
1038 if (ptr != session) {
1039 return false;
1040 }
1041 // TODO(davidben): This is an absurd way to denote the end of the list.
1042 if (ptr->next ==
1043 reinterpret_cast<SSL_SESSION *>(&ctx->session_cache_tail)) {
1044 ptr = nullptr;
1045 } else {
1046 ptr = ptr->next;
1047 }
1048 }
1049 if (ptr != nullptr) {
1050 return false;
1051 }
1052
1053 // Check the hash table.
1054 std::vector<SSL_SESSION*> actual, expected_copy;
1055 lh_SSL_SESSION_doall_arg(SSL_CTX_sessions(ctx), AppendSession, &actual);
1056 expected_copy = expected;
1057
1058 std::sort(actual.begin(), actual.end());
1059 std::sort(expected_copy.begin(), expected_copy.end());
1060
1061 return actual == expected_copy;
1062 }
1063
CreateTestSession(uint32_t number)1064 static bssl::UniquePtr<SSL_SESSION> CreateTestSession(uint32_t number) {
1065 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
1066 if (!ssl_ctx) {
1067 return nullptr;
1068 }
1069 bssl::UniquePtr<SSL_SESSION> ret(SSL_SESSION_new(ssl_ctx.get()));
1070 if (!ret) {
1071 return nullptr;
1072 }
1073
1074 ret->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
1075 OPENSSL_memset(ret->session_id, 0, ret->session_id_length);
1076 OPENSSL_memcpy(ret->session_id, &number, sizeof(number));
1077 return ret;
1078 }
1079
1080 // Test that the internal session cache behaves as expected.
TestInternalSessionCache()1081 static bool TestInternalSessionCache() {
1082 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
1083 if (!ctx) {
1084 return false;
1085 }
1086
1087 // Prepare 10 test sessions.
1088 std::vector<bssl::UniquePtr<SSL_SESSION>> sessions;
1089 for (int i = 0; i < 10; i++) {
1090 bssl::UniquePtr<SSL_SESSION> session = CreateTestSession(i);
1091 if (!session) {
1092 return false;
1093 }
1094 sessions.push_back(std::move(session));
1095 }
1096
1097 SSL_CTX_sess_set_cache_size(ctx.get(), 5);
1098
1099 // Insert all the test sessions.
1100 for (const auto &session : sessions) {
1101 if (!SSL_CTX_add_session(ctx.get(), session.get())) {
1102 return false;
1103 }
1104 }
1105
1106 // Only the last five should be in the list.
1107 std::vector<SSL_SESSION*> expected = {
1108 sessions[9].get(),
1109 sessions[8].get(),
1110 sessions[7].get(),
1111 sessions[6].get(),
1112 sessions[5].get(),
1113 };
1114 if (!ExpectCache(ctx.get(), expected)) {
1115 return false;
1116 }
1117
1118 // Inserting an element already in the cache should fail.
1119 if (SSL_CTX_add_session(ctx.get(), sessions[7].get()) ||
1120 !ExpectCache(ctx.get(), expected)) {
1121 return false;
1122 }
1123
1124 // Although collisions should be impossible (256-bit session IDs), the cache
1125 // must handle them gracefully.
1126 bssl::UniquePtr<SSL_SESSION> collision(CreateTestSession(7));
1127 if (!collision || !SSL_CTX_add_session(ctx.get(), collision.get())) {
1128 return false;
1129 }
1130 expected = {
1131 collision.get(),
1132 sessions[9].get(),
1133 sessions[8].get(),
1134 sessions[6].get(),
1135 sessions[5].get(),
1136 };
1137 if (!ExpectCache(ctx.get(), expected)) {
1138 return false;
1139 }
1140
1141 // Removing sessions behaves correctly.
1142 if (!SSL_CTX_remove_session(ctx.get(), sessions[6].get())) {
1143 return false;
1144 }
1145 expected = {
1146 collision.get(),
1147 sessions[9].get(),
1148 sessions[8].get(),
1149 sessions[5].get(),
1150 };
1151 if (!ExpectCache(ctx.get(), expected)) {
1152 return false;
1153 }
1154
1155 // Removing sessions requires an exact match.
1156 if (SSL_CTX_remove_session(ctx.get(), sessions[0].get()) ||
1157 SSL_CTX_remove_session(ctx.get(), sessions[7].get()) ||
1158 !ExpectCache(ctx.get(), expected)) {
1159 return false;
1160 }
1161
1162 return true;
1163 }
1164
EpochFromSequence(uint64_t seq)1165 static uint16_t EpochFromSequence(uint64_t seq) {
1166 return static_cast<uint16_t>(seq >> 48);
1167 }
1168
GetTestCertificate()1169 static bssl::UniquePtr<X509> GetTestCertificate() {
1170 static const char kCertPEM[] =
1171 "-----BEGIN CERTIFICATE-----\n"
1172 "MIICWDCCAcGgAwIBAgIJAPuwTC6rEJsMMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV\n"
1173 "BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX\n"
1174 "aWRnaXRzIFB0eSBMdGQwHhcNMTQwNDIzMjA1MDQwWhcNMTcwNDIyMjA1MDQwWjBF\n"
1175 "MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50\n"
1176 "ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\n"
1177 "gQDYK8imMuRi/03z0K1Zi0WnvfFHvwlYeyK9Na6XJYaUoIDAtB92kWdGMdAQhLci\n"
1178 "HnAjkXLI6W15OoV3gA/ElRZ1xUpxTMhjP6PyY5wqT5r6y8FxbiiFKKAnHmUcrgfV\n"
1179 "W28tQ+0rkLGMryRtrukXOgXBv7gcrmU7G1jC2a7WqmeI8QIDAQABo1AwTjAdBgNV\n"
1180 "HQ4EFgQUi3XVrMsIvg4fZbf6Vr5sp3Xaha8wHwYDVR0jBBgwFoAUi3XVrMsIvg4f\n"
1181 "Zbf6Vr5sp3Xaha8wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQA76Hht\n"
1182 "ldY9avcTGSwbwoiuIqv0jTL1fHFnzy3RHMLDh+Lpvolc5DSrSJHCP5WuK0eeJXhr\n"
1183 "T5oQpHL9z/cCDLAKCKRa4uV0fhEdOWBqyR9p8y5jJtye72t6CuFUV5iqcpF4BH4f\n"
1184 "j2VNHwsSrJwkD4QUGlUtH7vwnQmyCFxZMmWAJg==\n"
1185 "-----END CERTIFICATE-----\n";
1186 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(kCertPEM, strlen(kCertPEM)));
1187 return bssl::UniquePtr<X509>(
1188 PEM_read_bio_X509(bio.get(), nullptr, nullptr, nullptr));
1189 }
1190
GetTestKey()1191 static bssl::UniquePtr<EVP_PKEY> GetTestKey() {
1192 static const char kKeyPEM[] =
1193 "-----BEGIN RSA PRIVATE KEY-----\n"
1194 "MIICXgIBAAKBgQDYK8imMuRi/03z0K1Zi0WnvfFHvwlYeyK9Na6XJYaUoIDAtB92\n"
1195 "kWdGMdAQhLciHnAjkXLI6W15OoV3gA/ElRZ1xUpxTMhjP6PyY5wqT5r6y8FxbiiF\n"
1196 "KKAnHmUcrgfVW28tQ+0rkLGMryRtrukXOgXBv7gcrmU7G1jC2a7WqmeI8QIDAQAB\n"
1197 "AoGBAIBy09Fd4DOq/Ijp8HeKuCMKTHqTW1xGHshLQ6jwVV2vWZIn9aIgmDsvkjCe\n"
1198 "i6ssZvnbjVcwzSoByhjN8ZCf/i15HECWDFFh6gt0P5z0MnChwzZmvatV/FXCT0j+\n"
1199 "WmGNB/gkehKjGXLLcjTb6dRYVJSCZhVuOLLcbWIV10gggJQBAkEA8S8sGe4ezyyZ\n"
1200 "m4e9r95g6s43kPqtj5rewTsUxt+2n4eVodD+ZUlCULWVNAFLkYRTBCASlSrm9Xhj\n"
1201 "QpmWAHJUkQJBAOVzQdFUaewLtdOJoPCtpYoY1zd22eae8TQEmpGOR11L6kbxLQsk\n"
1202 "aMly/DOnOaa82tqAGTdqDEZgSNmCeKKknmECQAvpnY8GUOVAubGR6c+W90iBuQLj\n"
1203 "LtFp/9ihd2w/PoDwrHZaoUYVcT4VSfJQog/k7kjE4MYXYWL8eEKg3WTWQNECQQDk\n"
1204 "104Wi91Umd1PzF0ijd2jXOERJU1wEKe6XLkYYNHWQAe5l4J4MWj9OdxFXAxIuuR/\n"
1205 "tfDwbqkta4xcux67//khAkEAvvRXLHTaa6VFzTaiiO8SaFsHV3lQyXOtMrBpB5jd\n"
1206 "moZWgjHvB2W9Ckn7sDqsPB+U2tyX0joDdQEyuiMECDY8oQ==\n"
1207 "-----END RSA PRIVATE KEY-----\n";
1208 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(kKeyPEM, strlen(kKeyPEM)));
1209 return bssl::UniquePtr<EVP_PKEY>(
1210 PEM_read_bio_PrivateKey(bio.get(), nullptr, nullptr, nullptr));
1211 }
1212
GetECDSATestCertificate()1213 static bssl::UniquePtr<X509> GetECDSATestCertificate() {
1214 static const char kCertPEM[] =
1215 "-----BEGIN CERTIFICATE-----\n"
1216 "MIIBzzCCAXagAwIBAgIJANlMBNpJfb/rMAkGByqGSM49BAEwRTELMAkGA1UEBhMC\n"
1217 "QVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdp\n"
1218 "dHMgUHR5IEx0ZDAeFw0xNDA0MjMyMzIxNTdaFw0xNDA1MjMyMzIxNTdaMEUxCzAJ\n"
1219 "BgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5l\n"
1220 "dCBXaWRnaXRzIFB0eSBMdGQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATmK2ni\n"
1221 "v2Wfl74vHg2UikzVl2u3qR4NRvvdqakendy6WgHn1peoChj5w8SjHlbifINI2xYa\n"
1222 "HPUdfvGULUvPciLBo1AwTjAdBgNVHQ4EFgQUq4TSrKuV8IJOFngHVVdf5CaNgtEw\n"
1223 "HwYDVR0jBBgwFoAUq4TSrKuV8IJOFngHVVdf5CaNgtEwDAYDVR0TBAUwAwEB/zAJ\n"
1224 "BgcqhkjOPQQBA0gAMEUCIQDyoDVeUTo2w4J5m+4nUIWOcAZ0lVfSKXQA9L4Vh13E\n"
1225 "BwIgfB55FGohg/B6dGh5XxSZmmi08cueFV7mHzJSYV51yRQ=\n"
1226 "-----END CERTIFICATE-----\n";
1227 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(kCertPEM, strlen(kCertPEM)));
1228 return bssl::UniquePtr<X509>(PEM_read_bio_X509(bio.get(), nullptr, nullptr, nullptr));
1229 }
1230
GetECDSATestKey()1231 static bssl::UniquePtr<EVP_PKEY> GetECDSATestKey() {
1232 static const char kKeyPEM[] =
1233 "-----BEGIN PRIVATE KEY-----\n"
1234 "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgBw8IcnrUoEqc3VnJ\n"
1235 "TYlodwi1b8ldMHcO6NHJzgqLtGqhRANCAATmK2niv2Wfl74vHg2UikzVl2u3qR4N\n"
1236 "Rvvdqakendy6WgHn1peoChj5w8SjHlbifINI2xYaHPUdfvGULUvPciLB\n"
1237 "-----END PRIVATE KEY-----\n";
1238 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(kKeyPEM, strlen(kKeyPEM)));
1239 return bssl::UniquePtr<EVP_PKEY>(
1240 PEM_read_bio_PrivateKey(bio.get(), nullptr, nullptr, nullptr));
1241 }
1242
BufferFromPEM(const char * pem)1243 static bssl::UniquePtr<CRYPTO_BUFFER> BufferFromPEM(const char *pem) {
1244 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(pem, strlen(pem)));
1245 char *name, *header;
1246 uint8_t *data;
1247 long data_len;
1248 if (!PEM_read_bio(bio.get(), &name, &header, &data,
1249 &data_len)) {
1250 return nullptr;
1251 }
1252 OPENSSL_free(name);
1253 OPENSSL_free(header);
1254
1255 auto ret = bssl::UniquePtr<CRYPTO_BUFFER>(
1256 CRYPTO_BUFFER_new(data, data_len, nullptr));
1257 OPENSSL_free(data);
1258 return ret;
1259 }
1260
GetChainTestCertificateBuffer()1261 static bssl::UniquePtr<CRYPTO_BUFFER> GetChainTestCertificateBuffer() {
1262 static const char kCertPEM[] =
1263 "-----BEGIN CERTIFICATE-----\n"
1264 "MIIC0jCCAbqgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEQiBD\n"
1265 "QTAeFw0xNjAyMjgyMDI3MDNaFw0yNjAyMjUyMDI3MDNaMBgxFjAUBgNVBAMMDUNs\n"
1266 "aWVudCBDZXJ0IEEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDRvaz8\n"
1267 "CC/cshpCafJo4jLkHEoBqDLhdgFelJoAiQUyIqyWl2O7YHPnpJH+TgR7oelzNzt/\n"
1268 "kLRcH89M/TszB6zqyLTC4aqmvzKL0peD/jL2LWBucR0WXIvjA3zoRuF/x86+rYH3\n"
1269 "tHb+xs2PSs8EGL/Ev+ss+qTzTGEn26fuGNHkNw6tOwPpc+o8+wUtzf/kAthamo+c\n"
1270 "IDs2rQ+lP7+aLZTLeU/q4gcLutlzcK5imex5xy2jPkweq48kijK0kIzl1cPlA5d1\n"
1271 "z7C8jU50Pj9X9sQDJTN32j7UYRisJeeYQF8GaaN8SbrDI6zHgKzrRLyxDt/KQa9V\n"
1272 "iLeXANgZi+Xx9KgfAgMBAAGjLzAtMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYI\n"
1273 "KwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQBFEVbmYl+2RtNw\n"
1274 "rDftRDF1v2QUbcN2ouSnQDHxeDQdSgasLzT3ui8iYu0Rw2WWcZ0DV5e0ztGPhWq7\n"
1275 "AO0B120aFRMOY+4+bzu9Q2FFkQqc7/fKTvTDzIJI5wrMnFvUfzzvxh3OHWMYSs/w\n"
1276 "giq33hTKeHEq6Jyk3btCny0Ycecyc3yGXH10sizUfiHlhviCkDuESk8mFDwDDzqW\n"
1277 "ZF0IipzFbEDHoIxLlm3GQxpiLoEV4k8KYJp3R5KBLFyxM6UGPz8h72mIPCJp2RuK\n"
1278 "MYgF91UDvVzvnYm6TfseM2+ewKirC00GOrZ7rEcFvtxnKSqYf4ckqfNdSU1Y+RRC\n"
1279 "1ngWZ7Ih\n"
1280 "-----END CERTIFICATE-----\n";
1281 return BufferFromPEM(kCertPEM);
1282 }
1283
X509FromBuffer(bssl::UniquePtr<CRYPTO_BUFFER> buffer)1284 static bssl::UniquePtr<X509> X509FromBuffer(
1285 bssl::UniquePtr<CRYPTO_BUFFER> buffer) {
1286 if (!buffer) {
1287 return nullptr;
1288 }
1289 const uint8_t *derp = CRYPTO_BUFFER_data(buffer.get());
1290 return bssl::UniquePtr<X509>(
1291 d2i_X509(NULL, &derp, CRYPTO_BUFFER_len(buffer.get())));
1292 }
1293
GetChainTestCertificate()1294 static bssl::UniquePtr<X509> GetChainTestCertificate() {
1295 return X509FromBuffer(GetChainTestCertificateBuffer());
1296 }
1297
GetChainTestIntermediateBuffer()1298 static bssl::UniquePtr<CRYPTO_BUFFER> GetChainTestIntermediateBuffer() {
1299 static const char kCertPEM[] =
1300 "-----BEGIN CERTIFICATE-----\n"
1301 "MIICwjCCAaqgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwFDESMBAGA1UEAwwJQyBS\n"
1302 "b290IENBMB4XDTE2MDIyODIwMjcwM1oXDTI2MDIyNTIwMjcwM1owDzENMAsGA1UE\n"
1303 "AwwEQiBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALsSCYmDip2D\n"
1304 "GkjFxw7ykz26JSjELkl6ArlYjFJ3aT/SCh8qbS4gln7RH8CPBd78oFdfhIKQrwtZ\n"
1305 "3/q21ykD9BAS3qHe2YdcJfm8/kWAy5DvXk6NXU4qX334KofBAEpgdA/igEFq1P1l\n"
1306 "HAuIfZCpMRfT+i5WohVsGi8f/NgpRvVaMONLNfgw57mz1lbtFeBEISmX0kbsuJxF\n"
1307 "Qj/Bwhi5/0HAEXG8e7zN4cEx0yPRvmOATRdVb/8dW2pwOHRJq9R5M0NUkIsTSnL7\n"
1308 "6N/z8hRAHMsV3IudC5Yd7GXW1AGu9a+iKU+Q4xcZCoj0DC99tL4VKujrV1kAeqsM\n"
1309 "cz5/dKzi6+cCAwEAAaMjMCEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
1310 "AQYwDQYJKoZIhvcNAQELBQADggEBAIIeZiEeNhWWQ8Y4D+AGDwqUUeG8NjCbKrXQ\n"
1311 "BlHg5wZ8xftFaiP1Dp/UAezmx2LNazdmuwrYB8lm3FVTyaPDTKEGIPS4wJKHgqH1\n"
1312 "QPDhqNm85ey7TEtI9oYjsNim/Rb+iGkIAMXaxt58SzxbjvP0kMr1JfJIZbic9vye\n"
1313 "NwIspMFIpP3FB8ywyu0T0hWtCQgL4J47nigCHpOu58deP88fS/Nyz/fyGVWOZ76b\n"
1314 "WhWwgM3P3X95fQ3d7oFPR/bVh0YV+Cf861INwplokXgXQ3/TCQ+HNXeAMWn3JLWv\n"
1315 "XFwk8owk9dq/kQGdndGgy3KTEW4ctPX5GNhf3LJ9Q7dLji4ReQ4=\n"
1316 "-----END CERTIFICATE-----\n";
1317 return BufferFromPEM(kCertPEM);
1318 }
1319
GetChainTestIntermediate()1320 static bssl::UniquePtr<X509> GetChainTestIntermediate() {
1321 return X509FromBuffer(GetChainTestIntermediateBuffer());
1322 }
1323
GetChainTestKey()1324 static bssl::UniquePtr<EVP_PKEY> GetChainTestKey() {
1325 static const char kKeyPEM[] =
1326 "-----BEGIN PRIVATE KEY-----\n"
1327 "MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDRvaz8CC/cshpC\n"
1328 "afJo4jLkHEoBqDLhdgFelJoAiQUyIqyWl2O7YHPnpJH+TgR7oelzNzt/kLRcH89M\n"
1329 "/TszB6zqyLTC4aqmvzKL0peD/jL2LWBucR0WXIvjA3zoRuF/x86+rYH3tHb+xs2P\n"
1330 "Ss8EGL/Ev+ss+qTzTGEn26fuGNHkNw6tOwPpc+o8+wUtzf/kAthamo+cIDs2rQ+l\n"
1331 "P7+aLZTLeU/q4gcLutlzcK5imex5xy2jPkweq48kijK0kIzl1cPlA5d1z7C8jU50\n"
1332 "Pj9X9sQDJTN32j7UYRisJeeYQF8GaaN8SbrDI6zHgKzrRLyxDt/KQa9ViLeXANgZ\n"
1333 "i+Xx9KgfAgMBAAECggEBAK0VjSJzkyPaamcyTVSWjo7GdaBGcK60lk657RjR+lK0\n"
1334 "YJ7pkej4oM2hdsVZFsP8Cs4E33nXLa/0pDsRov/qrp0WQm2skwqGMC1I/bZ0WRPk\n"
1335 "wHaDrBBfESWnJDX/AGpVtlyOjPmgmK6J2usMPihQUDkKdAYrVWJePrMIxt1q6BMe\n"
1336 "iczs3qriMmtY3bUc4UyUwJ5fhDLjshHvfuIpYQyI6EXZM6dZksn9LylXJnigY6QJ\n"
1337 "HxOYO0BDwOsZ8yQ8J8afLk88i0GizEkgE1z3REtQUwgWfxr1WV/ud+T6/ZhSAgH9\n"
1338 "042mQvSFZnIUSEsmCvjhWuAunfxHKCTcAoYISWfzWpkCgYEA7gpf3HHU5Tn+CgUn\n"
1339 "1X5uGpG3DmcMgfeGgs2r2f/IIg/5Ac1dfYILiybL1tN9zbyLCJfcbFpWBc9hJL6f\n"
1340 "CPc5hUiwWFJqBJewxQkC1Ae/HakHbip+IZ+Jr0842O4BAArvixk4Lb7/N2Ct9sTE\n"
1341 "NJO6RtK9lbEZ5uK61DglHy8CS2UCgYEA4ZC1o36kPAMQBggajgnucb2yuUEelk0f\n"
1342 "AEr+GI32MGE+93xMr7rAhBoqLg4AITyIfEnOSQ5HwagnIHonBbv1LV/Gf9ursx8Z\n"
1343 "YOGbvT8zzzC+SU1bkDzdjAYnFQVGIjMtKOBJ3K07++ypwX1fr4QsQ8uKL8WSOWwt\n"
1344 "Z3Bym6XiZzMCgYADnhy+2OwHX85AkLt+PyGlPbmuelpyTzS4IDAQbBa6jcuW/2wA\n"
1345 "UE2km75VUXmD+u2R/9zVuLm99NzhFhSMqlUxdV1YukfqMfP5yp1EY6m/5aW7QuIP\n"
1346 "2MDa7TVL9rIFMiVZ09RKvbBbQxjhuzPQKL6X/PPspnhiTefQ+dl2k9xREQKBgHDS\n"
1347 "fMfGNEeAEKezrfSVqxphE9/tXms3L+ZpnCaT+yu/uEr5dTIAawKoQ6i9f/sf1/Sy\n"
1348 "xedsqR+IB+oKrzIDDWMgoJybN4pkZ8E5lzhVQIjFjKgFdWLzzqyW9z1gYfABQPlN\n"
1349 "FiS20WX0vgP1vcKAjdNrHzc9zyHBpgQzDmAj3NZZAoGBAI8vKCKdH7w3aL5CNkZQ\n"
1350 "2buIeWNA2HZazVwAGG5F2TU/LmXfRKnG6dX5bkU+AkBZh56jNZy//hfFSewJB4Kk\n"
1351 "buB7ERSdaNbO21zXt9FEA3+z0RfMd/Zv2vlIWOSB5nzl/7UKti3sribK6s9ZVLfi\n"
1352 "SxpiPQ8d/hmSGwn4ksrWUsJD\n"
1353 "-----END PRIVATE KEY-----\n";
1354 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(kKeyPEM, strlen(kKeyPEM)));
1355 return bssl::UniquePtr<EVP_PKEY>(
1356 PEM_read_bio_PrivateKey(bio.get(), nullptr, nullptr, nullptr));
1357 }
1358
CompleteHandshakes(SSL * client,SSL * server)1359 static bool CompleteHandshakes(SSL *client, SSL *server) {
1360 // Drive both their handshakes to completion.
1361 for (;;) {
1362 int client_ret = SSL_do_handshake(client);
1363 int client_err = SSL_get_error(client, client_ret);
1364 if (client_err != SSL_ERROR_NONE &&
1365 client_err != SSL_ERROR_WANT_READ &&
1366 client_err != SSL_ERROR_WANT_WRITE &&
1367 client_err != SSL_ERROR_PENDING_TICKET) {
1368 fprintf(stderr, "Client error: %d\n", client_err);
1369 return false;
1370 }
1371
1372 int server_ret = SSL_do_handshake(server);
1373 int server_err = SSL_get_error(server, server_ret);
1374 if (server_err != SSL_ERROR_NONE &&
1375 server_err != SSL_ERROR_WANT_READ &&
1376 server_err != SSL_ERROR_WANT_WRITE &&
1377 server_err != SSL_ERROR_PENDING_TICKET) {
1378 fprintf(stderr, "Server error: %d\n", server_err);
1379 return false;
1380 }
1381
1382 if (client_ret == 1 && server_ret == 1) {
1383 break;
1384 }
1385 }
1386
1387 return true;
1388 }
1389
ConnectClientAndServer(bssl::UniquePtr<SSL> * out_client,bssl::UniquePtr<SSL> * out_server,SSL_CTX * client_ctx,SSL_CTX * server_ctx,SSL_SESSION * session)1390 static bool ConnectClientAndServer(bssl::UniquePtr<SSL> *out_client,
1391 bssl::UniquePtr<SSL> *out_server,
1392 SSL_CTX *client_ctx, SSL_CTX *server_ctx,
1393 SSL_SESSION *session) {
1394 bssl::UniquePtr<SSL> client(SSL_new(client_ctx)), server(SSL_new(server_ctx));
1395 if (!client || !server) {
1396 return false;
1397 }
1398 SSL_set_connect_state(client.get());
1399 SSL_set_accept_state(server.get());
1400
1401 SSL_set_session(client.get(), session);
1402
1403 BIO *bio1, *bio2;
1404 if (!BIO_new_bio_pair(&bio1, 0, &bio2, 0)) {
1405 return false;
1406 }
1407 // SSL_set_bio takes ownership.
1408 SSL_set_bio(client.get(), bio1, bio1);
1409 SSL_set_bio(server.get(), bio2, bio2);
1410
1411 if (!CompleteHandshakes(client.get(), server.get())) {
1412 return false;
1413 }
1414
1415 *out_client = std::move(client);
1416 *out_server = std::move(server);
1417 return true;
1418 }
1419
TestSequenceNumber(bool is_dtls,const SSL_METHOD * method,uint16_t version)1420 static bool TestSequenceNumber(bool is_dtls, const SSL_METHOD *method,
1421 uint16_t version) {
1422 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method));
1423 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method));
1424 if (!server_ctx || !client_ctx ||
1425 !SSL_CTX_set_min_proto_version(client_ctx.get(), version) ||
1426 !SSL_CTX_set_max_proto_version(client_ctx.get(), version) ||
1427 !SSL_CTX_set_min_proto_version(server_ctx.get(), version) ||
1428 !SSL_CTX_set_max_proto_version(server_ctx.get(), version)) {
1429 return false;
1430 }
1431
1432 bssl::UniquePtr<X509> cert = GetTestCertificate();
1433 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
1434 if (!cert || !key || !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) ||
1435 !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get())) {
1436 return false;
1437 }
1438
1439 bssl::UniquePtr<SSL> client, server;
1440 if (!ConnectClientAndServer(&client, &server, client_ctx.get(),
1441 server_ctx.get(), nullptr /* no session */)) {
1442 return false;
1443 }
1444
1445 // Drain any post-handshake messages to ensure there are no unread records
1446 // on either end.
1447 uint8_t byte = 0;
1448 if (SSL_read(client.get(), &byte, 1) > 0 ||
1449 SSL_read(server.get(), &byte, 1) > 0) {
1450 fprintf(stderr, "Received unexpected data.\n");
1451 return false;
1452 }
1453
1454 uint64_t client_read_seq = SSL_get_read_sequence(client.get());
1455 uint64_t client_write_seq = SSL_get_write_sequence(client.get());
1456 uint64_t server_read_seq = SSL_get_read_sequence(server.get());
1457 uint64_t server_write_seq = SSL_get_write_sequence(server.get());
1458
1459 if (is_dtls) {
1460 // Both client and server must be at epoch 1.
1461 if (EpochFromSequence(client_read_seq) != 1 ||
1462 EpochFromSequence(client_write_seq) != 1 ||
1463 EpochFromSequence(server_read_seq) != 1 ||
1464 EpochFromSequence(server_write_seq) != 1) {
1465 fprintf(stderr, "Bad epochs.\n");
1466 return false;
1467 }
1468
1469 // The next record to be written should exceed the largest received.
1470 if (client_write_seq <= server_read_seq ||
1471 server_write_seq <= client_read_seq) {
1472 fprintf(stderr, "Inconsistent sequence numbers.\n");
1473 return false;
1474 }
1475 } else {
1476 // The next record to be written should equal the next to be received.
1477 if (client_write_seq != server_read_seq ||
1478 server_write_seq != client_read_seq) {
1479 fprintf(stderr, "Inconsistent sequence numbers.\n");
1480 return false;
1481 }
1482 }
1483
1484 // Send a record from client to server.
1485 if (SSL_write(client.get(), &byte, 1) != 1 ||
1486 SSL_read(server.get(), &byte, 1) != 1) {
1487 fprintf(stderr, "Could not send byte.\n");
1488 return false;
1489 }
1490
1491 // The client write and server read sequence numbers should have
1492 // incremented.
1493 if (client_write_seq + 1 != SSL_get_write_sequence(client.get()) ||
1494 server_read_seq + 1 != SSL_get_read_sequence(server.get())) {
1495 fprintf(stderr, "Sequence numbers did not increment.\n");
1496 return false;
1497 }
1498
1499 return true;
1500 }
1501
TestOneSidedShutdown(bool is_dtls,const SSL_METHOD * method,uint16_t version)1502 static bool TestOneSidedShutdown(bool is_dtls, const SSL_METHOD *method,
1503 uint16_t version) {
1504 // SSL_shutdown is a no-op in DTLS.
1505 if (is_dtls) {
1506 return true;
1507 }
1508
1509 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method));
1510 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method));
1511 bssl::UniquePtr<X509> cert = GetTestCertificate();
1512 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
1513 if (!client_ctx || !server_ctx || !cert || !key ||
1514 !SSL_CTX_set_min_proto_version(server_ctx.get(), version) ||
1515 !SSL_CTX_set_max_proto_version(server_ctx.get(), version) ||
1516 !SSL_CTX_set_min_proto_version(client_ctx.get(), version) ||
1517 !SSL_CTX_set_max_proto_version(client_ctx.get(), version) ||
1518 !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) ||
1519 !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get())) {
1520 return false;
1521 }
1522
1523 bssl::UniquePtr<SSL> client, server;
1524 if (!ConnectClientAndServer(&client, &server, client_ctx.get(),
1525 server_ctx.get(), nullptr /* no session */)) {
1526 return false;
1527 }
1528
1529 // Shut down half the connection. SSL_shutdown will return 0 to signal only
1530 // one side has shut down.
1531 if (SSL_shutdown(client.get()) != 0) {
1532 fprintf(stderr, "Could not shutdown.\n");
1533 return false;
1534 }
1535
1536 // Reading from the server should consume the EOF.
1537 uint8_t byte;
1538 if (SSL_read(server.get(), &byte, 1) != 0 ||
1539 SSL_get_error(server.get(), 0) != SSL_ERROR_ZERO_RETURN) {
1540 fprintf(stderr, "Connection was not shut down cleanly.\n");
1541 return false;
1542 }
1543
1544 // However, the server may continue to write data and then shut down the
1545 // connection.
1546 byte = 42;
1547 if (SSL_write(server.get(), &byte, 1) != 1 ||
1548 SSL_read(client.get(), &byte, 1) != 1 ||
1549 byte != 42) {
1550 fprintf(stderr, "Could not send byte.\n");
1551 return false;
1552 }
1553
1554 // The server may then shutdown the connection.
1555 if (SSL_shutdown(server.get()) != 1 ||
1556 SSL_shutdown(client.get()) != 1) {
1557 fprintf(stderr, "Could not complete shutdown.\n");
1558 return false;
1559 }
1560
1561 return true;
1562 }
1563
TEST(SSLTest,SessionDuplication)1564 TEST(SSLTest, SessionDuplication) {
1565 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
1566 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
1567 ASSERT_TRUE(client_ctx);
1568 ASSERT_TRUE(server_ctx);
1569
1570 bssl::UniquePtr<X509> cert = GetTestCertificate();
1571 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
1572 ASSERT_TRUE(cert);
1573 ASSERT_TRUE(key);
1574 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
1575 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
1576
1577 bssl::UniquePtr<SSL> client, server;
1578 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
1579 server_ctx.get(),
1580 nullptr /* no session */));
1581
1582 SSL_SESSION *session0 = SSL_get_session(client.get());
1583 bssl::UniquePtr<SSL_SESSION> session1(
1584 SSL_SESSION_dup(session0, SSL_SESSION_DUP_ALL));
1585 ASSERT_TRUE(session1);
1586
1587 session1->not_resumable = 0;
1588
1589 uint8_t *s0_bytes, *s1_bytes;
1590 size_t s0_len, s1_len;
1591
1592 ASSERT_TRUE(SSL_SESSION_to_bytes(session0, &s0_bytes, &s0_len));
1593 bssl::UniquePtr<uint8_t> free_s0(s0_bytes);
1594
1595 ASSERT_TRUE(SSL_SESSION_to_bytes(session1.get(), &s1_bytes, &s1_len));
1596 bssl::UniquePtr<uint8_t> free_s1(s1_bytes);
1597
1598 EXPECT_EQ(Bytes(s0_bytes, s0_len), Bytes(s1_bytes, s1_len));
1599 }
1600
ExpectFDs(const SSL * ssl,int rfd,int wfd)1601 static void ExpectFDs(const SSL *ssl, int rfd, int wfd) {
1602 EXPECT_EQ(rfd, SSL_get_rfd(ssl));
1603 EXPECT_EQ(wfd, SSL_get_wfd(ssl));
1604
1605 // The wrapper BIOs are always equal when fds are equal, even if set
1606 // individually.
1607 if (rfd == wfd) {
1608 EXPECT_EQ(SSL_get_rbio(ssl), SSL_get_wbio(ssl));
1609 }
1610 }
1611
TEST(SSLTest,SetFD)1612 TEST(SSLTest, SetFD) {
1613 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
1614 ASSERT_TRUE(ctx);
1615
1616 // Test setting different read and write FDs.
1617 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
1618 ASSERT_TRUE(ssl);
1619 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
1620 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 2));
1621 ExpectFDs(ssl.get(), 1, 2);
1622
1623 // Test setting the same FD.
1624 ssl.reset(SSL_new(ctx.get()));
1625 ASSERT_TRUE(ssl);
1626 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
1627 ExpectFDs(ssl.get(), 1, 1);
1628
1629 // Test setting the same FD one side at a time.
1630 ssl.reset(SSL_new(ctx.get()));
1631 ASSERT_TRUE(ssl);
1632 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
1633 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 1));
1634 ExpectFDs(ssl.get(), 1, 1);
1635
1636 // Test setting the same FD in the other order.
1637 ssl.reset(SSL_new(ctx.get()));
1638 ASSERT_TRUE(ssl);
1639 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 1));
1640 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
1641 ExpectFDs(ssl.get(), 1, 1);
1642
1643 // Test changing the read FD partway through.
1644 ssl.reset(SSL_new(ctx.get()));
1645 ASSERT_TRUE(ssl);
1646 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
1647 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 2));
1648 ExpectFDs(ssl.get(), 2, 1);
1649
1650 // Test changing the write FD partway through.
1651 ssl.reset(SSL_new(ctx.get()));
1652 ASSERT_TRUE(ssl);
1653 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
1654 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 2));
1655 ExpectFDs(ssl.get(), 1, 2);
1656
1657 // Test a no-op change to the read FD partway through.
1658 ssl.reset(SSL_new(ctx.get()));
1659 ASSERT_TRUE(ssl);
1660 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
1661 EXPECT_TRUE(SSL_set_rfd(ssl.get(), 1));
1662 ExpectFDs(ssl.get(), 1, 1);
1663
1664 // Test a no-op change to the write FD partway through.
1665 ssl.reset(SSL_new(ctx.get()));
1666 ASSERT_TRUE(ssl);
1667 EXPECT_TRUE(SSL_set_fd(ssl.get(), 1));
1668 EXPECT_TRUE(SSL_set_wfd(ssl.get(), 1));
1669 ExpectFDs(ssl.get(), 1, 1);
1670
1671 // ASan builds will implicitly test that the internal |BIO| reference-counting
1672 // is correct.
1673 }
1674
TEST(SSLTest,SetBIO)1675 TEST(SSLTest, SetBIO) {
1676 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
1677 ASSERT_TRUE(ctx);
1678
1679 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
1680 bssl::UniquePtr<BIO> bio1(BIO_new(BIO_s_mem())), bio2(BIO_new(BIO_s_mem())),
1681 bio3(BIO_new(BIO_s_mem()));
1682 ASSERT_TRUE(ssl);
1683 ASSERT_TRUE(bio1);
1684 ASSERT_TRUE(bio2);
1685 ASSERT_TRUE(bio3);
1686
1687 // SSL_set_bio takes one reference when the parameters are the same.
1688 BIO_up_ref(bio1.get());
1689 SSL_set_bio(ssl.get(), bio1.get(), bio1.get());
1690
1691 // Repeating the call does nothing.
1692 SSL_set_bio(ssl.get(), bio1.get(), bio1.get());
1693
1694 // It takes one reference each when the parameters are different.
1695 BIO_up_ref(bio2.get());
1696 BIO_up_ref(bio3.get());
1697 SSL_set_bio(ssl.get(), bio2.get(), bio3.get());
1698
1699 // Repeating the call does nothing.
1700 SSL_set_bio(ssl.get(), bio2.get(), bio3.get());
1701
1702 // It takes one reference when changing only wbio.
1703 BIO_up_ref(bio1.get());
1704 SSL_set_bio(ssl.get(), bio2.get(), bio1.get());
1705
1706 // It takes one reference when changing only rbio and the two are different.
1707 BIO_up_ref(bio3.get());
1708 SSL_set_bio(ssl.get(), bio3.get(), bio1.get());
1709
1710 // If setting wbio to rbio, it takes no additional references.
1711 SSL_set_bio(ssl.get(), bio3.get(), bio3.get());
1712
1713 // From there, wbio may be switched to something else.
1714 BIO_up_ref(bio1.get());
1715 SSL_set_bio(ssl.get(), bio3.get(), bio1.get());
1716
1717 // If setting rbio to wbio, it takes no additional references.
1718 SSL_set_bio(ssl.get(), bio1.get(), bio1.get());
1719
1720 // From there, rbio may be switched to something else, but, for historical
1721 // reasons, it takes a reference to both parameters.
1722 BIO_up_ref(bio1.get());
1723 BIO_up_ref(bio2.get());
1724 SSL_set_bio(ssl.get(), bio2.get(), bio1.get());
1725
1726 // ASAN builds will implicitly test that the internal |BIO| reference-counting
1727 // is correct.
1728 }
1729
VerifySucceed(X509_STORE_CTX * store_ctx,void * arg)1730 static int VerifySucceed(X509_STORE_CTX *store_ctx, void *arg) { return 1; }
1731
TestGetPeerCertificate(bool is_dtls,const SSL_METHOD * method,uint16_t version)1732 static bool TestGetPeerCertificate(bool is_dtls, const SSL_METHOD *method,
1733 uint16_t version) {
1734 bssl::UniquePtr<X509> cert = GetTestCertificate();
1735 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
1736 if (!cert || !key) {
1737 return false;
1738 }
1739
1740 // Configure both client and server to accept any certificate.
1741 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method));
1742 if (!ctx ||
1743 !SSL_CTX_use_certificate(ctx.get(), cert.get()) ||
1744 !SSL_CTX_use_PrivateKey(ctx.get(), key.get()) ||
1745 !SSL_CTX_set_min_proto_version(ctx.get(), version) ||
1746 !SSL_CTX_set_max_proto_version(ctx.get(), version)) {
1747 return false;
1748 }
1749 SSL_CTX_set_verify(
1750 ctx.get(), SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nullptr);
1751 SSL_CTX_set_cert_verify_callback(ctx.get(), VerifySucceed, NULL);
1752
1753 bssl::UniquePtr<SSL> client, server;
1754 if (!ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
1755 nullptr /* no session */)) {
1756 return false;
1757 }
1758
1759 // Client and server should both see the leaf certificate.
1760 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(server.get()));
1761 if (!peer || X509_cmp(cert.get(), peer.get()) != 0) {
1762 fprintf(stderr, "Server peer certificate did not match.\n");
1763 return false;
1764 }
1765
1766 peer.reset(SSL_get_peer_certificate(client.get()));
1767 if (!peer || X509_cmp(cert.get(), peer.get()) != 0) {
1768 fprintf(stderr, "Client peer certificate did not match.\n");
1769 return false;
1770 }
1771
1772 // However, for historical reasons, the chain includes the leaf on the
1773 // client, but does not on the server.
1774 if (sk_X509_num(SSL_get_peer_cert_chain(client.get())) != 1) {
1775 fprintf(stderr, "Client peer chain was incorrect.\n");
1776 return false;
1777 }
1778
1779 if (sk_X509_num(SSL_get_peer_cert_chain(server.get())) != 0) {
1780 fprintf(stderr, "Server peer chain was incorrect.\n");
1781 return false;
1782 }
1783
1784 return true;
1785 }
1786
TestRetainOnlySHA256OfCerts(bool is_dtls,const SSL_METHOD * method,uint16_t version)1787 static bool TestRetainOnlySHA256OfCerts(bool is_dtls, const SSL_METHOD *method,
1788 uint16_t version) {
1789 bssl::UniquePtr<X509> cert = GetTestCertificate();
1790 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
1791 if (!cert || !key) {
1792 return false;
1793 }
1794
1795 uint8_t *cert_der = NULL;
1796 int cert_der_len = i2d_X509(cert.get(), &cert_der);
1797 if (cert_der_len < 0) {
1798 return false;
1799 }
1800 bssl::UniquePtr<uint8_t> free_cert_der(cert_der);
1801
1802 uint8_t cert_sha256[SHA256_DIGEST_LENGTH];
1803 SHA256(cert_der, cert_der_len, cert_sha256);
1804
1805 // Configure both client and server to accept any certificate, but the
1806 // server must retain only the SHA-256 of the peer.
1807 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method));
1808 if (!ctx ||
1809 !SSL_CTX_use_certificate(ctx.get(), cert.get()) ||
1810 !SSL_CTX_use_PrivateKey(ctx.get(), key.get()) ||
1811 !SSL_CTX_set_min_proto_version(ctx.get(), version) ||
1812 !SSL_CTX_set_max_proto_version(ctx.get(), version)) {
1813 return false;
1814 }
1815 SSL_CTX_set_verify(
1816 ctx.get(), SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nullptr);
1817 SSL_CTX_set_cert_verify_callback(ctx.get(), VerifySucceed, NULL);
1818 SSL_CTX_set_retain_only_sha256_of_client_certs(ctx.get(), 1);
1819
1820 bssl::UniquePtr<SSL> client, server;
1821 if (!ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
1822 nullptr /* no session */)) {
1823 return false;
1824 }
1825
1826 // The peer certificate has been dropped.
1827 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(server.get()));
1828 if (peer) {
1829 fprintf(stderr, "Peer certificate was retained.\n");
1830 return false;
1831 }
1832
1833 SSL_SESSION *session = SSL_get_session(server.get());
1834 if (!session->peer_sha256_valid) {
1835 fprintf(stderr, "peer_sha256_valid was not set.\n");
1836 return false;
1837 }
1838
1839 if (OPENSSL_memcmp(cert_sha256, session->peer_sha256, SHA256_DIGEST_LENGTH) !=
1840 0) {
1841 fprintf(stderr, "peer_sha256 did not match.\n");
1842 return false;
1843 }
1844
1845 return true;
1846 }
1847
ClientHelloMatches(uint16_t version,const uint8_t * expected,size_t expected_len)1848 static bool ClientHelloMatches(uint16_t version, const uint8_t *expected,
1849 size_t expected_len) {
1850 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
1851 // Our default cipher list varies by CPU capabilities, so manually place the
1852 // ChaCha20 ciphers in front.
1853 const char* cipher_list =
1854 #ifdef BORINGSSL_ENABLE_DHE_TLS
1855 "!DHE:CHACHA20:ALL";
1856 #else
1857 "CHACHA20:ALL";
1858 #endif
1859 if (!ctx ||
1860 !SSL_CTX_set_max_proto_version(ctx.get(), version) ||
1861 !SSL_CTX_set_strict_cipher_list(ctx.get(), cipher_list)) {
1862 return false;
1863 }
1864
1865 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
1866 if (!ssl) {
1867 return false;
1868 }
1869 std::vector<uint8_t> client_hello;
1870 if (!GetClientHello(ssl.get(), &client_hello)) {
1871 return false;
1872 }
1873
1874 // Zero the client_random.
1875 constexpr size_t kRandomOffset = 1 + 2 + 2 + // record header
1876 1 + 3 + // handshake message header
1877 2; // client_version
1878 if (client_hello.size() < kRandomOffset + SSL3_RANDOM_SIZE) {
1879 fprintf(stderr, "ClientHello for version %04x too short.\n", version);
1880 return false;
1881 }
1882 OPENSSL_memset(client_hello.data() + kRandomOffset, 0, SSL3_RANDOM_SIZE);
1883
1884 if (client_hello.size() != expected_len ||
1885 OPENSSL_memcmp(client_hello.data(), expected, expected_len) != 0) {
1886 fprintf(stderr, "ClientHello for version %04x did not match:\n", version);
1887 fprintf(stderr, "Got:\n\t");
1888 for (size_t i = 0; i < client_hello.size(); i++) {
1889 fprintf(stderr, "0x%02x, ", client_hello[i]);
1890 }
1891 fprintf(stderr, "\nWanted:\n\t");
1892 for (size_t i = 0; i < expected_len; i++) {
1893 fprintf(stderr, "0x%02x, ", expected[i]);
1894 }
1895 fprintf(stderr, "\n");
1896 return false;
1897 }
1898
1899 return true;
1900 }
1901
1902 // Tests that our ClientHellos do not change unexpectedly.
TestClientHello()1903 static bool TestClientHello() {
1904 static const uint8_t kSSL3ClientHello[] = {
1905 0x16,
1906 0x03, 0x00,
1907 0x00, 0x3b,
1908 0x01,
1909 0x00, 0x00, 0x37,
1910 0x03, 0x00,
1911 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1912 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1913 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1914 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1915 0x00,
1916 0x00, 0x10,
1917 0xc0, 0x09,
1918 0xc0, 0x13,
1919 0xc0, 0x0a,
1920 0xc0, 0x14,
1921 0x00, 0x2f,
1922 0x00, 0x35,
1923 0x00, 0x0a,
1924 0x00, 0xff, 0x01, 0x00,
1925 };
1926 if (!ClientHelloMatches(SSL3_VERSION, kSSL3ClientHello,
1927 sizeof(kSSL3ClientHello))) {
1928 return false;
1929 }
1930
1931 static const uint8_t kTLS1ClientHello[] = {
1932 0x16,
1933 0x03, 0x01,
1934 0x00, 0x5a,
1935 0x01,
1936 0x00, 0x00, 0x56,
1937 0x03, 0x01,
1938 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1939 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1940 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1941 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1942 0x00,
1943 0x00, 0x0e,
1944 0xc0, 0x09,
1945 0xc0, 0x13,
1946 0xc0, 0x0a,
1947 0xc0, 0x14,
1948 0x00, 0x2f,
1949 0x00, 0x35,
1950 0x00, 0x0a,
1951 0x01, 0x00, 0x00, 0x1f, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x17, 0x00,
1952 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00,
1953 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18,
1954 };
1955 if (!ClientHelloMatches(TLS1_VERSION, kTLS1ClientHello,
1956 sizeof(kTLS1ClientHello))) {
1957 return false;
1958 }
1959
1960 static const uint8_t kTLS11ClientHello[] = {
1961 0x16,
1962 0x03, 0x01,
1963 0x00, 0x5a,
1964 0x01,
1965 0x00, 0x00, 0x56,
1966 0x03, 0x02,
1967 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1968 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1969 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1970 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1971 0x00,
1972 0x00, 0x0e,
1973 0xc0, 0x09,
1974 0xc0, 0x13,
1975 0xc0, 0x0a,
1976 0xc0, 0x14,
1977 0x00, 0x2f,
1978 0x00, 0x35,
1979 0x00, 0x0a,
1980 0x01, 0x00, 0x00, 0x1f, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x17, 0x00,
1981 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00,
1982 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18,
1983 };
1984 if (!ClientHelloMatches(TLS1_1_VERSION, kTLS11ClientHello,
1985 sizeof(kTLS11ClientHello))) {
1986 return false;
1987 }
1988
1989 // kTLS12ClientHello assumes RSA-PSS, which is disabled for Android system
1990 // builds.
1991 #if defined(BORINGSSL_ANDROID_SYSTEM)
1992 return true;
1993 #endif
1994
1995 static const uint8_t kTLS12ClientHello[] = {
1996 0x16,
1997 0x03, 0x01,
1998 0x00, 0x8e,
1999 0x01,
2000 0x00, 0x00, 0x8a,
2001 0x03, 0x03,
2002 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2003 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2004 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2005 0x00, 0x2a,
2006 0xcc, 0xa9,
2007 0xcc, 0xa8,
2008 0xc0, 0x2b,
2009 0xc0, 0x2f,
2010 0xc0, 0x2c,
2011 0xc0, 0x30,
2012 0xc0, 0x09,
2013 0xc0, 0x23,
2014 0xc0, 0x13,
2015 0xc0, 0x27,
2016 0xc0, 0x0a,
2017 0xc0, 0x24,
2018 0xc0, 0x14,
2019 0xc0, 0x28,
2020 0x00, 0x9c,
2021 0x00, 0x9d,
2022 0x00, 0x2f,
2023 0x00, 0x3c,
2024 0x00, 0x35,
2025 0x00, 0x3d,
2026 0x00, 0x0a,
2027 0x01, 0x00, 0x00, 0x37, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x17, 0x00,
2028 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x14, 0x00, 0x12, 0x04,
2029 0x03, 0x08, 0x04, 0x04, 0x01, 0x05, 0x03, 0x08, 0x05, 0x05, 0x01, 0x08,
2030 0x06, 0x06, 0x01, 0x02, 0x01, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00,
2031 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18,
2032 };
2033 if (!ClientHelloMatches(TLS1_2_VERSION, kTLS12ClientHello,
2034 sizeof(kTLS12ClientHello))) {
2035 return false;
2036 }
2037
2038 // TODO(davidben): Add a change detector for TLS 1.3 once the spec and our
2039 // implementation has settled enough that it won't change.
2040
2041 return true;
2042 }
2043
2044 static bssl::UniquePtr<SSL_SESSION> g_last_session;
2045
SaveLastSession(SSL * ssl,SSL_SESSION * session)2046 static int SaveLastSession(SSL *ssl, SSL_SESSION *session) {
2047 // Save the most recent session.
2048 g_last_session.reset(session);
2049 return 1;
2050 }
2051
CreateClientSession(SSL_CTX * client_ctx,SSL_CTX * server_ctx)2052 static bssl::UniquePtr<SSL_SESSION> CreateClientSession(SSL_CTX *client_ctx,
2053 SSL_CTX *server_ctx) {
2054 g_last_session = nullptr;
2055 SSL_CTX_sess_set_new_cb(client_ctx, SaveLastSession);
2056
2057 // Connect client and server to get a session.
2058 bssl::UniquePtr<SSL> client, server;
2059 if (!ConnectClientAndServer(&client, &server, client_ctx, server_ctx,
2060 nullptr /* no session */)) {
2061 fprintf(stderr, "Failed to connect client and server.\n");
2062 return nullptr;
2063 }
2064
2065 // Run the read loop to account for post-handshake tickets in TLS 1.3.
2066 SSL_read(client.get(), nullptr, 0);
2067
2068 SSL_CTX_sess_set_new_cb(client_ctx, nullptr);
2069
2070 if (!g_last_session) {
2071 fprintf(stderr, "Client did not receive a session.\n");
2072 return nullptr;
2073 }
2074 return std::move(g_last_session);
2075 }
2076
ExpectSessionReused(SSL_CTX * client_ctx,SSL_CTX * server_ctx,SSL_SESSION * session,bool reused)2077 static bool ExpectSessionReused(SSL_CTX *client_ctx, SSL_CTX *server_ctx,
2078 SSL_SESSION *session,
2079 bool reused) {
2080 bssl::UniquePtr<SSL> client, server;
2081 if (!ConnectClientAndServer(&client, &server, client_ctx,
2082 server_ctx, session)) {
2083 fprintf(stderr, "Failed to connect client and server.\n");
2084 return false;
2085 }
2086
2087 if (SSL_session_reused(client.get()) != SSL_session_reused(server.get())) {
2088 fprintf(stderr, "Client and server were inconsistent.\n");
2089 return false;
2090 }
2091
2092 bool was_reused = !!SSL_session_reused(client.get());
2093 if (was_reused != reused) {
2094 fprintf(stderr, "Session was%s reused, but we expected the opposite.\n",
2095 was_reused ? "" : " not");
2096 return false;
2097 }
2098
2099 return true;
2100 }
2101
ExpectSessionRenewed(SSL_CTX * client_ctx,SSL_CTX * server_ctx,SSL_SESSION * session)2102 static bssl::UniquePtr<SSL_SESSION> ExpectSessionRenewed(SSL_CTX *client_ctx,
2103 SSL_CTX *server_ctx,
2104 SSL_SESSION *session) {
2105 g_last_session = nullptr;
2106 SSL_CTX_sess_set_new_cb(client_ctx, SaveLastSession);
2107
2108 bssl::UniquePtr<SSL> client, server;
2109 if (!ConnectClientAndServer(&client, &server, client_ctx,
2110 server_ctx, session)) {
2111 fprintf(stderr, "Failed to connect client and server.\n");
2112 return nullptr;
2113 }
2114
2115 if (SSL_session_reused(client.get()) != SSL_session_reused(server.get())) {
2116 fprintf(stderr, "Client and server were inconsistent.\n");
2117 return nullptr;
2118 }
2119
2120 if (!SSL_session_reused(client.get())) {
2121 fprintf(stderr, "Session was not reused.\n");
2122 return nullptr;
2123 }
2124
2125 // Run the read loop to account for post-handshake tickets in TLS 1.3.
2126 SSL_read(client.get(), nullptr, 0);
2127
2128 SSL_CTX_sess_set_new_cb(client_ctx, nullptr);
2129
2130 if (!g_last_session) {
2131 fprintf(stderr, "Client did not receive a renewed session.\n");
2132 return nullptr;
2133 }
2134 return std::move(g_last_session);
2135 }
2136
SwitchSessionIDContextSNI(SSL * ssl,int * out_alert,void * arg)2137 static int SwitchSessionIDContextSNI(SSL *ssl, int *out_alert, void *arg) {
2138 static const uint8_t kContext[] = {3};
2139
2140 if (!SSL_set_session_id_context(ssl, kContext, sizeof(kContext))) {
2141 return SSL_TLSEXT_ERR_ALERT_FATAL;
2142 }
2143
2144 return SSL_TLSEXT_ERR_OK;
2145 }
2146
TestSessionIDContext(bool is_dtls,const SSL_METHOD * method,uint16_t version)2147 static bool TestSessionIDContext(bool is_dtls, const SSL_METHOD *method,
2148 uint16_t version) {
2149 bssl::UniquePtr<X509> cert = GetTestCertificate();
2150 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
2151 if (!cert || !key) {
2152 return false;
2153 }
2154
2155 static const uint8_t kContext1[] = {1};
2156 static const uint8_t kContext2[] = {2};
2157
2158 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method));
2159 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method));
2160 if (!server_ctx || !client_ctx ||
2161 !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) ||
2162 !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()) ||
2163 !SSL_CTX_set_session_id_context(server_ctx.get(), kContext1,
2164 sizeof(kContext1)) ||
2165 !SSL_CTX_set_min_proto_version(client_ctx.get(), version) ||
2166 !SSL_CTX_set_max_proto_version(client_ctx.get(), version) ||
2167 !SSL_CTX_set_min_proto_version(server_ctx.get(), version) ||
2168 !SSL_CTX_set_max_proto_version(server_ctx.get(), version)) {
2169 return false;
2170 }
2171
2172 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
2173 SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH);
2174
2175 bssl::UniquePtr<SSL_SESSION> session =
2176 CreateClientSession(client_ctx.get(), server_ctx.get());
2177 if (!session) {
2178 fprintf(stderr, "Error getting session.\n");
2179 return false;
2180 }
2181
2182 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(),
2183 true /* expect session reused */)) {
2184 fprintf(stderr, "Error resuming session.\n");
2185 return false;
2186 }
2187
2188 // Change the session ID context.
2189 if (!SSL_CTX_set_session_id_context(server_ctx.get(), kContext2,
2190 sizeof(kContext2))) {
2191 return false;
2192 }
2193
2194 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(),
2195 false /* expect session not reused */)) {
2196 fprintf(stderr, "Error connecting with a different context.\n");
2197 return false;
2198 }
2199
2200 // Change the session ID context back and install an SNI callback to switch
2201 // it.
2202 if (!SSL_CTX_set_session_id_context(server_ctx.get(), kContext1,
2203 sizeof(kContext1))) {
2204 return false;
2205 }
2206
2207 SSL_CTX_set_tlsext_servername_callback(server_ctx.get(),
2208 SwitchSessionIDContextSNI);
2209
2210 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(),
2211 false /* expect session not reused */)) {
2212 fprintf(stderr, "Error connecting with a context switch on SNI callback.\n");
2213 return false;
2214 }
2215
2216 // Switch the session ID context with the early callback instead.
2217 SSL_CTX_set_tlsext_servername_callback(server_ctx.get(), nullptr);
2218 SSL_CTX_set_select_certificate_cb(
2219 server_ctx.get(),
2220 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
2221 static const uint8_t kContext[] = {3};
2222
2223 if (!SSL_set_session_id_context(client_hello->ssl, kContext,
2224 sizeof(kContext))) {
2225 return ssl_select_cert_error;
2226 }
2227
2228 return ssl_select_cert_success;
2229 });
2230
2231 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(),
2232 false /* expect session not reused */)) {
2233 fprintf(stderr,
2234 "Error connecting with a context switch on early callback.\n");
2235 return false;
2236 }
2237
2238 return true;
2239 }
2240
2241 static timeval g_current_time;
2242
CurrentTimeCallback(const SSL * ssl,timeval * out_clock)2243 static void CurrentTimeCallback(const SSL *ssl, timeval *out_clock) {
2244 *out_clock = g_current_time;
2245 }
2246
FrozenTimeCallback(const SSL * ssl,timeval * out_clock)2247 static void FrozenTimeCallback(const SSL *ssl, timeval *out_clock) {
2248 out_clock->tv_sec = 1000;
2249 out_clock->tv_usec = 0;
2250 }
2251
RenewTicketCallback(SSL * ssl,uint8_t * key_name,uint8_t * iv,EVP_CIPHER_CTX * ctx,HMAC_CTX * hmac_ctx,int encrypt)2252 static int RenewTicketCallback(SSL *ssl, uint8_t *key_name, uint8_t *iv,
2253 EVP_CIPHER_CTX *ctx, HMAC_CTX *hmac_ctx,
2254 int encrypt) {
2255 static const uint8_t kZeros[16] = {0};
2256
2257 if (encrypt) {
2258 OPENSSL_memcpy(key_name, kZeros, sizeof(kZeros));
2259 RAND_bytes(iv, 16);
2260 } else if (OPENSSL_memcmp(key_name, kZeros, 16) != 0) {
2261 return 0;
2262 }
2263
2264 if (!HMAC_Init_ex(hmac_ctx, kZeros, sizeof(kZeros), EVP_sha256(), NULL) ||
2265 !EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, kZeros, iv, encrypt)) {
2266 return -1;
2267 }
2268
2269 // Returning two from the callback in decrypt mode renews the
2270 // session in TLS 1.2 and below.
2271 return encrypt ? 1 : 2;
2272 }
2273
GetServerTicketTime(long * out,const SSL_SESSION * session)2274 static bool GetServerTicketTime(long *out, const SSL_SESSION *session) {
2275 if (session->tlsext_ticklen < 16 + 16 + SHA256_DIGEST_LENGTH) {
2276 return false;
2277 }
2278
2279 const uint8_t *ciphertext = session->tlsext_tick + 16 + 16;
2280 size_t len = session->tlsext_ticklen - 16 - 16 - SHA256_DIGEST_LENGTH;
2281 std::unique_ptr<uint8_t[]> plaintext(new uint8_t[len]);
2282
2283 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
2284 // Fuzzer-mode tickets are unencrypted.
2285 OPENSSL_memcpy(plaintext.get(), ciphertext, len);
2286 #else
2287 static const uint8_t kZeros[16] = {0};
2288 const uint8_t *iv = session->tlsext_tick + 16;
2289 bssl::ScopedEVP_CIPHER_CTX ctx;
2290 int len1, len2;
2291 if (!EVP_DecryptInit_ex(ctx.get(), EVP_aes_128_cbc(), nullptr, kZeros, iv) ||
2292 !EVP_DecryptUpdate(ctx.get(), plaintext.get(), &len1, ciphertext, len) ||
2293 !EVP_DecryptFinal_ex(ctx.get(), plaintext.get() + len1, &len2)) {
2294 return false;
2295 }
2296
2297 len = static_cast<size_t>(len1 + len2);
2298 #endif
2299
2300 bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
2301 if (!ssl_ctx) {
2302 return false;
2303 }
2304 bssl::UniquePtr<SSL_SESSION> server_session(
2305 SSL_SESSION_from_bytes(plaintext.get(), len, ssl_ctx.get()));
2306 if (!server_session) {
2307 return false;
2308 }
2309
2310 *out = server_session->time;
2311 return true;
2312 }
2313
TestSessionTimeout(bool is_dtls,const SSL_METHOD * method,uint16_t version)2314 static bool TestSessionTimeout(bool is_dtls, const SSL_METHOD *method,
2315 uint16_t version) {
2316 bssl::UniquePtr<X509> cert = GetTestCertificate();
2317 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
2318 if (!cert || !key) {
2319 return false;
2320 }
2321
2322 for (bool server_test : std::vector<bool>{false, true}) {
2323 static const time_t kStartTime = 1000;
2324 g_current_time.tv_sec = kStartTime;
2325
2326 // We are willing to use a longer lifetime for TLS 1.3 sessions as
2327 // resumptions still perform ECDHE.
2328 const time_t timeout = version == TLS1_3_VERSION
2329 ? SSL_DEFAULT_SESSION_PSK_DHE_TIMEOUT
2330 : SSL_DEFAULT_SESSION_TIMEOUT;
2331
2332 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method));
2333 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method));
2334 if (!server_ctx || !client_ctx ||
2335 !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) ||
2336 !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()) ||
2337 !SSL_CTX_set_min_proto_version(client_ctx.get(), version) ||
2338 !SSL_CTX_set_max_proto_version(client_ctx.get(), version) ||
2339 !SSL_CTX_set_min_proto_version(server_ctx.get(), version) ||
2340 !SSL_CTX_set_max_proto_version(server_ctx.get(), version)) {
2341 return false;
2342 }
2343
2344 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
2345 SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH);
2346
2347 // Both client and server must enforce session timeouts. We configure the
2348 // other side with a frozen clock so it never expires tickets.
2349 if (server_test) {
2350 SSL_CTX_set_current_time_cb(client_ctx.get(), FrozenTimeCallback);
2351 SSL_CTX_set_current_time_cb(server_ctx.get(), CurrentTimeCallback);
2352 } else {
2353 SSL_CTX_set_current_time_cb(client_ctx.get(), CurrentTimeCallback);
2354 SSL_CTX_set_current_time_cb(server_ctx.get(), FrozenTimeCallback);
2355 }
2356
2357 // Configure a ticket callback which renews tickets.
2358 SSL_CTX_set_tlsext_ticket_key_cb(server_ctx.get(), RenewTicketCallback);
2359
2360 bssl::UniquePtr<SSL_SESSION> session =
2361 CreateClientSession(client_ctx.get(), server_ctx.get());
2362 if (!session) {
2363 fprintf(stderr, "Error getting session.\n");
2364 return false;
2365 }
2366
2367 // Advance the clock just behind the timeout.
2368 g_current_time.tv_sec += timeout - 1;
2369
2370 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(),
2371 true /* expect session reused */)) {
2372 fprintf(stderr, "Error resuming session.\n");
2373 return false;
2374 }
2375
2376 // Advance the clock one more second.
2377 g_current_time.tv_sec++;
2378
2379 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(),
2380 false /* expect session not reused */)) {
2381 fprintf(stderr, "Error resuming session.\n");
2382 return false;
2383 }
2384
2385 // Rewind the clock to before the session was minted.
2386 g_current_time.tv_sec = kStartTime - 1;
2387
2388 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(),
2389 false /* expect session not reused */)) {
2390 fprintf(stderr, "Error resuming session.\n");
2391 return false;
2392 }
2393
2394 // SSL 3.0 cannot renew sessions.
2395 if (version == SSL3_VERSION) {
2396 continue;
2397 }
2398
2399 // Renew the session 10 seconds before expiration.
2400 time_t new_start_time = kStartTime + timeout - 10;
2401 g_current_time.tv_sec = new_start_time;
2402 bssl::UniquePtr<SSL_SESSION> new_session =
2403 ExpectSessionRenewed(client_ctx.get(), server_ctx.get(), session.get());
2404 if (!new_session) {
2405 fprintf(stderr, "Error renewing session.\n");
2406 return false;
2407 }
2408
2409 // This new session is not the same object as before.
2410 if (session.get() == new_session.get()) {
2411 fprintf(stderr, "New and old sessions alias.\n");
2412 return false;
2413 }
2414
2415 // Check the sessions have timestamps measured from issuance.
2416 long session_time = 0;
2417 if (server_test) {
2418 if (!GetServerTicketTime(&session_time, new_session.get())) {
2419 fprintf(stderr, "Failed to decode session ticket.\n");
2420 return false;
2421 }
2422 } else {
2423 session_time = new_session->time;
2424 }
2425
2426 if (session_time != g_current_time.tv_sec) {
2427 fprintf(stderr, "New session is not measured from issuance.\n");
2428 return false;
2429 }
2430
2431 if (version == TLS1_3_VERSION) {
2432 // Renewal incorporates fresh key material in TLS 1.3, so we extend the
2433 // lifetime TLS 1.3.
2434 g_current_time.tv_sec = new_start_time + timeout - 1;
2435 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(),
2436 new_session.get(),
2437 true /* expect session reused */)) {
2438 fprintf(stderr, "Error resuming renewed session.\n");
2439 return false;
2440 }
2441
2442 // The new session expires after the new timeout.
2443 g_current_time.tv_sec = new_start_time + timeout + 1;
2444 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(),
2445 new_session.get(),
2446 false /* expect session ot reused */)) {
2447 fprintf(stderr, "Renewed session's lifetime is too long.\n");
2448 return false;
2449 }
2450
2451 // Renew the session until it begins just past the auth timeout.
2452 time_t auth_end_time = kStartTime + SSL_DEFAULT_SESSION_AUTH_TIMEOUT;
2453 while (new_start_time < auth_end_time - 1000) {
2454 // Get as close as possible to target start time.
2455 new_start_time =
2456 std::min(auth_end_time - 1000, new_start_time + timeout - 1);
2457 g_current_time.tv_sec = new_start_time;
2458 new_session = ExpectSessionRenewed(client_ctx.get(), server_ctx.get(),
2459 new_session.get());
2460 if (!new_session) {
2461 fprintf(stderr, "Error renewing session.\n");
2462 return false;
2463 }
2464 }
2465
2466 // Now the session's lifetime is bound by the auth timeout.
2467 g_current_time.tv_sec = auth_end_time - 1;
2468 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(),
2469 new_session.get(),
2470 true /* expect session reused */)) {
2471 fprintf(stderr, "Error resuming renewed session.\n");
2472 return false;
2473 }
2474
2475 g_current_time.tv_sec = auth_end_time + 1;
2476 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(),
2477 new_session.get(),
2478 false /* expect session ot reused */)) {
2479 fprintf(stderr, "Renewed session's lifetime is too long.\n");
2480 return false;
2481 }
2482 } else {
2483 // The new session is usable just before the old expiration.
2484 g_current_time.tv_sec = kStartTime + timeout - 1;
2485 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(),
2486 new_session.get(),
2487 true /* expect session reused */)) {
2488 fprintf(stderr, "Error resuming renewed session.\n");
2489 return false;
2490 }
2491
2492 // Renewal does not extend the lifetime, so it is not usable beyond the
2493 // old expiration.
2494 g_current_time.tv_sec = kStartTime + timeout + 1;
2495 if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(),
2496 new_session.get(),
2497 false /* expect session not reused */)) {
2498 fprintf(stderr, "Renewed session's lifetime is too long.\n");
2499 return false;
2500 }
2501 }
2502 }
2503
2504 return true;
2505 }
2506
SwitchContext(SSL * ssl,int * out_alert,void * arg)2507 static int SwitchContext(SSL *ssl, int *out_alert, void *arg) {
2508 SSL_CTX *ctx = reinterpret_cast<SSL_CTX*>(arg);
2509 SSL_set_SSL_CTX(ssl, ctx);
2510 return SSL_TLSEXT_ERR_OK;
2511 }
2512
TestSNICallback(bool is_dtls,const SSL_METHOD * method,uint16_t version)2513 static bool TestSNICallback(bool is_dtls, const SSL_METHOD *method,
2514 uint16_t version) {
2515 // SSL 3.0 lacks extensions.
2516 if (version == SSL3_VERSION) {
2517 return true;
2518 }
2519
2520 bssl::UniquePtr<X509> cert = GetTestCertificate();
2521 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
2522 bssl::UniquePtr<X509> cert2 = GetECDSATestCertificate();
2523 bssl::UniquePtr<EVP_PKEY> key2 = GetECDSATestKey();
2524 if (!cert || !key || !cert2 || !key2) {
2525 return false;
2526 }
2527
2528 // Test that switching the |SSL_CTX| at the SNI callback behaves correctly.
2529 static const uint16_t kECDSAWithSHA256 = SSL_SIGN_ECDSA_SECP256R1_SHA256;
2530
2531 static const uint8_t kSCTList[] = {0, 6, 0, 4, 5, 6, 7, 8};
2532 static const uint8_t kOCSPResponse[] = {1, 2, 3, 4};
2533
2534 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method));
2535 bssl::UniquePtr<SSL_CTX> server_ctx2(SSL_CTX_new(method));
2536 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method));
2537 if (!server_ctx || !server_ctx2 || !client_ctx ||
2538 !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) ||
2539 !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()) ||
2540 !SSL_CTX_use_certificate(server_ctx2.get(), cert2.get()) ||
2541 !SSL_CTX_use_PrivateKey(server_ctx2.get(), key2.get()) ||
2542 !SSL_CTX_set_signed_cert_timestamp_list(server_ctx2.get(), kSCTList,
2543 sizeof(kSCTList)) ||
2544 !SSL_CTX_set_ocsp_response(server_ctx2.get(), kOCSPResponse,
2545 sizeof(kOCSPResponse)) ||
2546 // Historically signing preferences would be lost in some cases with the
2547 // SNI callback, which triggers the TLS 1.2 SHA-1 default. To ensure
2548 // this doesn't happen when |version| is TLS 1.2, configure the private
2549 // key to only sign SHA-256.
2550 !SSL_CTX_set_signing_algorithm_prefs(server_ctx2.get(), &kECDSAWithSHA256,
2551 1) ||
2552 !SSL_CTX_set_min_proto_version(client_ctx.get(), version) ||
2553 !SSL_CTX_set_max_proto_version(client_ctx.get(), version) ||
2554 !SSL_CTX_set_min_proto_version(server_ctx.get(), version) ||
2555 !SSL_CTX_set_max_proto_version(server_ctx.get(), version) ||
2556 !SSL_CTX_set_min_proto_version(server_ctx2.get(), version) ||
2557 !SSL_CTX_set_max_proto_version(server_ctx2.get(), version)) {
2558 return false;
2559 }
2560
2561 SSL_CTX_set_tlsext_servername_callback(server_ctx.get(), SwitchContext);
2562 SSL_CTX_set_tlsext_servername_arg(server_ctx.get(), server_ctx2.get());
2563
2564 SSL_CTX_enable_signed_cert_timestamps(client_ctx.get());
2565 SSL_CTX_enable_ocsp_stapling(client_ctx.get());
2566
2567 bssl::UniquePtr<SSL> client, server;
2568 if (!ConnectClientAndServer(&client, &server, client_ctx.get(),
2569 server_ctx.get(), nullptr)) {
2570 fprintf(stderr, "Handshake failed.\n");
2571 return false;
2572 }
2573
2574 // The client should have received |cert2|.
2575 bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(client.get()));
2576 if (!peer || X509_cmp(peer.get(), cert2.get()) != 0) {
2577 fprintf(stderr, "Incorrect certificate received.\n");
2578 return false;
2579 }
2580
2581 // The client should have received |server_ctx2|'s SCT list.
2582 const uint8_t *data;
2583 size_t len;
2584 SSL_get0_signed_cert_timestamp_list(client.get(), &data, &len);
2585 if (Bytes(kSCTList) != Bytes(data, len)) {
2586 fprintf(stderr, "Incorrect SCT list received.\n");
2587 return false;
2588 }
2589
2590 // The client should have received |server_ctx2|'s OCSP response.
2591 SSL_get0_ocsp_response(client.get(), &data, &len);
2592 if (Bytes(kOCSPResponse) != Bytes(data, len)) {
2593 fprintf(stderr, "Incorrect OCSP response received.\n");
2594 return false;
2595 }
2596
2597 return true;
2598 }
2599
2600 // Test that the early callback can swap the maximum version.
TEST(SSLTest,EarlyCallbackVersionSwitch)2601 TEST(SSLTest, EarlyCallbackVersionSwitch) {
2602 bssl::UniquePtr<X509> cert = GetTestCertificate();
2603 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
2604 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
2605 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
2606 ASSERT_TRUE(cert);
2607 ASSERT_TRUE(key);
2608 ASSERT_TRUE(server_ctx);
2609 ASSERT_TRUE(client_ctx);
2610 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
2611 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
2612 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION));
2613 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
2614
2615 SSL_CTX_set_select_certificate_cb(
2616 server_ctx.get(),
2617 [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
2618 if (!SSL_set_max_proto_version(client_hello->ssl, TLS1_2_VERSION)) {
2619 return ssl_select_cert_error;
2620 }
2621
2622 return ssl_select_cert_success;
2623 });
2624
2625 bssl::UniquePtr<SSL> client, server;
2626 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
2627 server_ctx.get(), nullptr));
2628 EXPECT_EQ(TLS1_2_VERSION, SSL_version(client.get()));
2629 }
2630
TEST(SSLTest,SetVersion)2631 TEST(SSLTest, SetVersion) {
2632 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
2633 ASSERT_TRUE(ctx);
2634
2635 // Set valid TLS versions.
2636 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_VERSION));
2637 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_1_VERSION));
2638 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_VERSION));
2639 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_1_VERSION));
2640
2641 // Invalid TLS versions are rejected.
2642 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), DTLS1_VERSION));
2643 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0x0200));
2644 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0x1234));
2645 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), DTLS1_VERSION));
2646 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x0200));
2647 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x1234));
2648
2649 // Zero is the default version.
2650 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), 0));
2651 EXPECT_EQ(TLS1_2_VERSION, ctx->max_version);
2652 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), 0));
2653 EXPECT_EQ(SSL3_VERSION, ctx->min_version);
2654
2655 ctx.reset(SSL_CTX_new(DTLS_method()));
2656 ASSERT_TRUE(ctx);
2657
2658 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), DTLS1_VERSION));
2659 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), DTLS1_2_VERSION));
2660 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), DTLS1_VERSION));
2661 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), DTLS1_2_VERSION));
2662
2663 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_VERSION));
2664 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0xfefe /* DTLS 1.1 */));
2665 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0xfffe /* DTLS 0.1 */));
2666 EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), 0x1234));
2667 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_VERSION));
2668 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0xfefe /* DTLS 1.1 */));
2669 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0xfffe /* DTLS 0.1 */));
2670 EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x1234));
2671
2672 EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), 0));
2673 EXPECT_EQ(TLS1_2_VERSION, ctx->max_version);
2674 EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), 0));
2675 EXPECT_EQ(TLS1_1_VERSION, ctx->min_version);
2676 }
2677
GetVersionName(uint16_t version)2678 static const char *GetVersionName(uint16_t version) {
2679 switch (version) {
2680 case SSL3_VERSION:
2681 return "SSLv3";
2682 case TLS1_VERSION:
2683 return "TLSv1";
2684 case TLS1_1_VERSION:
2685 return "TLSv1.1";
2686 case TLS1_2_VERSION:
2687 return "TLSv1.2";
2688 case TLS1_3_VERSION:
2689 return "TLSv1.3";
2690 case DTLS1_VERSION:
2691 return "DTLSv1";
2692 case DTLS1_2_VERSION:
2693 return "DTLSv1.2";
2694 default:
2695 return "???";
2696 }
2697 }
2698
TestVersion(bool is_dtls,const SSL_METHOD * method,uint16_t version)2699 static bool TestVersion(bool is_dtls, const SSL_METHOD *method,
2700 uint16_t version) {
2701 bssl::UniquePtr<X509> cert = GetTestCertificate();
2702 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
2703 if (!cert || !key) {
2704 return false;
2705 }
2706
2707 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method));
2708 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method));
2709 bssl::UniquePtr<SSL> client, server;
2710 if (!server_ctx || !client_ctx ||
2711 !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) ||
2712 !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()) ||
2713 !SSL_CTX_set_min_proto_version(client_ctx.get(), version) ||
2714 !SSL_CTX_set_max_proto_version(client_ctx.get(), version) ||
2715 !SSL_CTX_set_min_proto_version(server_ctx.get(), version) ||
2716 !SSL_CTX_set_max_proto_version(server_ctx.get(), version) ||
2717 !ConnectClientAndServer(&client, &server, client_ctx.get(),
2718 server_ctx.get(), nullptr /* no session */)) {
2719 fprintf(stderr, "Failed to connect.\n");
2720 return false;
2721 }
2722
2723 if (SSL_version(client.get()) != version ||
2724 SSL_version(server.get()) != version) {
2725 fprintf(stderr, "Version mismatch. Got %04x and %04x, wanted %04x.\n",
2726 SSL_version(client.get()), SSL_version(server.get()), version);
2727 return false;
2728 }
2729
2730 // Test the version name is reported as expected.
2731 const char *version_name = GetVersionName(version);
2732 if (strcmp(version_name, SSL_get_version(client.get())) != 0 ||
2733 strcmp(version_name, SSL_get_version(server.get())) != 0) {
2734 fprintf(stderr, "Version name mismatch. Got '%s' and '%s', wanted '%s'.\n",
2735 SSL_get_version(client.get()), SSL_get_version(server.get()),
2736 version_name);
2737 return false;
2738 }
2739
2740 // Test SSL_SESSION reports the same name.
2741 const char *client_name =
2742 SSL_SESSION_get_version(SSL_get_session(client.get()));
2743 const char *server_name =
2744 SSL_SESSION_get_version(SSL_get_session(server.get()));
2745 if (strcmp(version_name, client_name) != 0 ||
2746 strcmp(version_name, server_name) != 0) {
2747 fprintf(stderr,
2748 "Session version name mismatch. Got '%s' and '%s', wanted '%s'.\n",
2749 client_name, server_name, version_name);
2750 return false;
2751 }
2752
2753 return true;
2754 }
2755
2756 // Tests that that |SSL_get_pending_cipher| is available during the ALPN
2757 // selection callback.
TestALPNCipherAvailable(bool is_dtls,const SSL_METHOD * method,uint16_t version)2758 static bool TestALPNCipherAvailable(bool is_dtls, const SSL_METHOD *method,
2759 uint16_t version) {
2760 // SSL 3.0 lacks extensions.
2761 if (version == SSL3_VERSION) {
2762 return true;
2763 }
2764
2765 static const uint8_t kALPNProtos[] = {0x03, 'f', 'o', 'o'};
2766
2767 bssl::UniquePtr<X509> cert = GetTestCertificate();
2768 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
2769 if (!cert || !key) {
2770 return false;
2771 }
2772
2773 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method));
2774 if (!ctx || !SSL_CTX_use_certificate(ctx.get(), cert.get()) ||
2775 !SSL_CTX_use_PrivateKey(ctx.get(), key.get()) ||
2776 !SSL_CTX_set_min_proto_version(ctx.get(), version) ||
2777 !SSL_CTX_set_max_proto_version(ctx.get(), version) ||
2778 SSL_CTX_set_alpn_protos(ctx.get(), kALPNProtos, sizeof(kALPNProtos)) !=
2779 0) {
2780 return false;
2781 }
2782
2783 // The ALPN callback does not fail the handshake on error, so have the
2784 // callback write a boolean.
2785 std::pair<uint16_t, bool> callback_state(version, false);
2786 SSL_CTX_set_alpn_select_cb(
2787 ctx.get(),
2788 [](SSL *ssl, const uint8_t **out, uint8_t *out_len, const uint8_t *in,
2789 unsigned in_len, void *arg) -> int {
2790 auto state = reinterpret_cast<std::pair<uint16_t, bool> *>(arg);
2791 if (SSL_get_pending_cipher(ssl) != nullptr &&
2792 SSL_version(ssl) == state->first) {
2793 state->second = true;
2794 }
2795 return SSL_TLSEXT_ERR_NOACK;
2796 },
2797 &callback_state);
2798
2799 bssl::UniquePtr<SSL> client, server;
2800 if (!ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
2801 nullptr /* no session */)) {
2802 return false;
2803 }
2804
2805 if (!callback_state.second) {
2806 fprintf(stderr, "The pending cipher was not known in the ALPN callback.\n");
2807 return false;
2808 }
2809
2810 return true;
2811 }
2812
TestSSLClearSessionResumption(bool is_dtls,const SSL_METHOD * method,uint16_t version)2813 static bool TestSSLClearSessionResumption(bool is_dtls,
2814 const SSL_METHOD *method,
2815 uint16_t version) {
2816 // Skip this for TLS 1.3. TLS 1.3's ticket mechanism is incompatible with this
2817 // API pattern.
2818 if (version == TLS1_3_VERSION) {
2819 return true;
2820 }
2821
2822 bssl::UniquePtr<X509> cert = GetTestCertificate();
2823 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
2824 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method));
2825 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method));
2826 if (!cert || !key || !server_ctx || !client_ctx ||
2827 !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) ||
2828 !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()) ||
2829 !SSL_CTX_set_min_proto_version(client_ctx.get(), version) ||
2830 !SSL_CTX_set_max_proto_version(client_ctx.get(), version) ||
2831 !SSL_CTX_set_min_proto_version(server_ctx.get(), version) ||
2832 !SSL_CTX_set_max_proto_version(server_ctx.get(), version)) {
2833 return false;
2834 }
2835
2836 // Connect a client and a server.
2837 bssl::UniquePtr<SSL> client, server;
2838 if (!ConnectClientAndServer(&client, &server, client_ctx.get(),
2839 server_ctx.get(), nullptr /* no session */)) {
2840 return false;
2841 }
2842
2843 if (SSL_session_reused(client.get()) ||
2844 SSL_session_reused(server.get())) {
2845 fprintf(stderr, "Session unexpectedly reused.\n");
2846 return false;
2847 }
2848
2849 // Reset everything.
2850 if (!SSL_clear(client.get()) ||
2851 !SSL_clear(server.get())) {
2852 fprintf(stderr, "SSL_clear failed.\n");
2853 return false;
2854 }
2855
2856 // Attempt to connect a second time.
2857 if (!CompleteHandshakes(client.get(), server.get())) {
2858 fprintf(stderr, "Could not reuse SSL objects.\n");
2859 return false;
2860 }
2861
2862 // |SSL_clear| should implicitly offer the previous session to the server.
2863 if (!SSL_session_reused(client.get()) ||
2864 !SSL_session_reused(server.get())) {
2865 fprintf(stderr, "Session was not reused in second try.\n");
2866 return false;
2867 }
2868
2869 return true;
2870 }
2871
ChainsEqual(STACK_OF (X509)* chain,const std::vector<X509 * > & expected)2872 static bool ChainsEqual(STACK_OF(X509) *chain,
2873 const std::vector<X509 *> &expected) {
2874 if (sk_X509_num(chain) != expected.size()) {
2875 return false;
2876 }
2877
2878 for (size_t i = 0; i < expected.size(); i++) {
2879 if (X509_cmp(sk_X509_value(chain, i), expected[i]) != 0) {
2880 return false;
2881 }
2882 }
2883
2884 return true;
2885 }
2886
TestAutoChain(bool is_dtls,const SSL_METHOD * method,uint16_t version)2887 static bool TestAutoChain(bool is_dtls, const SSL_METHOD *method,
2888 uint16_t version) {
2889 bssl::UniquePtr<X509> cert = GetChainTestCertificate();
2890 bssl::UniquePtr<X509> intermediate = GetChainTestIntermediate();
2891 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
2892 if (!cert || !intermediate || !key) {
2893 return false;
2894 }
2895
2896 // Configure both client and server to accept any certificate. Add
2897 // |intermediate| to the cert store.
2898 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method));
2899 if (!ctx ||
2900 !SSL_CTX_use_certificate(ctx.get(), cert.get()) ||
2901 !SSL_CTX_use_PrivateKey(ctx.get(), key.get()) ||
2902 !SSL_CTX_set_min_proto_version(ctx.get(), version) ||
2903 !SSL_CTX_set_max_proto_version(ctx.get(), version) ||
2904 !X509_STORE_add_cert(SSL_CTX_get_cert_store(ctx.get()),
2905 intermediate.get())) {
2906 return false;
2907 }
2908 SSL_CTX_set_verify(
2909 ctx.get(), SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nullptr);
2910 SSL_CTX_set_cert_verify_callback(ctx.get(), VerifySucceed, NULL);
2911
2912 // By default, the client and server should each only send the leaf.
2913 bssl::UniquePtr<SSL> client, server;
2914 if (!ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
2915 nullptr /* no session */)) {
2916 return false;
2917 }
2918
2919 if (!ChainsEqual(SSL_get_peer_full_cert_chain(client.get()), {cert.get()})) {
2920 fprintf(stderr, "Client-received chain did not match.\n");
2921 return false;
2922 }
2923
2924 if (!ChainsEqual(SSL_get_peer_full_cert_chain(server.get()), {cert.get()})) {
2925 fprintf(stderr, "Server-received chain did not match.\n");
2926 return false;
2927 }
2928
2929 // If auto-chaining is enabled, then the intermediate is sent.
2930 SSL_CTX_clear_mode(ctx.get(), SSL_MODE_NO_AUTO_CHAIN);
2931 if (!ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
2932 nullptr /* no session */)) {
2933 return false;
2934 }
2935
2936 if (!ChainsEqual(SSL_get_peer_full_cert_chain(client.get()),
2937 {cert.get(), intermediate.get()})) {
2938 fprintf(stderr, "Client-received chain did not match (auto-chaining).\n");
2939 return false;
2940 }
2941
2942 if (!ChainsEqual(SSL_get_peer_full_cert_chain(server.get()),
2943 {cert.get(), intermediate.get()})) {
2944 fprintf(stderr, "Server-received chain did not match (auto-chaining).\n");
2945 return false;
2946 }
2947
2948 // Auto-chaining does not override explicitly-configured intermediates.
2949 if (!SSL_CTX_add1_chain_cert(ctx.get(), cert.get()) ||
2950 !ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
2951 nullptr /* no session */)) {
2952 return false;
2953 }
2954
2955 if (!ChainsEqual(SSL_get_peer_full_cert_chain(client.get()),
2956 {cert.get(), cert.get()})) {
2957 fprintf(stderr,
2958 "Client-received chain did not match (auto-chaining, explicit "
2959 "intermediate).\n");
2960 return false;
2961 }
2962
2963 if (!ChainsEqual(SSL_get_peer_full_cert_chain(server.get()),
2964 {cert.get(), cert.get()})) {
2965 fprintf(stderr,
2966 "Server-received chain did not match (auto-chaining, explicit "
2967 "intermediate).\n");
2968 return false;
2969 }
2970
2971 return true;
2972 }
2973
ExpectBadWriteRetry()2974 static bool ExpectBadWriteRetry() {
2975 int err = ERR_get_error();
2976 if (ERR_GET_LIB(err) != ERR_LIB_SSL ||
2977 ERR_GET_REASON(err) != SSL_R_BAD_WRITE_RETRY) {
2978 char buf[ERR_ERROR_STRING_BUF_LEN];
2979 ERR_error_string_n(err, buf, sizeof(buf));
2980 fprintf(stderr, "Wanted SSL_R_BAD_WRITE_RETRY, got: %s.\n", buf);
2981 return false;
2982 }
2983
2984 if (ERR_peek_error() != 0) {
2985 fprintf(stderr, "Unexpected error following SSL_R_BAD_WRITE_RETRY.\n");
2986 return false;
2987 }
2988
2989 return true;
2990 }
2991
TestSSLWriteRetry(bool is_dtls,const SSL_METHOD * method,uint16_t version)2992 static bool TestSSLWriteRetry(bool is_dtls, const SSL_METHOD *method,
2993 uint16_t version) {
2994 if (is_dtls) {
2995 return true;
2996 }
2997
2998 for (bool enable_partial_write : std::vector<bool>{false, true}) {
2999 // Connect a client and server.
3000 bssl::UniquePtr<X509> cert = GetTestCertificate();
3001 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
3002 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method));
3003 bssl::UniquePtr<SSL> client, server;
3004 if (!cert || !key || !ctx ||
3005 !SSL_CTX_use_certificate(ctx.get(), cert.get()) ||
3006 !SSL_CTX_use_PrivateKey(ctx.get(), key.get()) ||
3007 !SSL_CTX_set_min_proto_version(ctx.get(), version) ||
3008 !SSL_CTX_set_max_proto_version(ctx.get(), version) ||
3009 !ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
3010 nullptr /* no session */)) {
3011 return false;
3012 }
3013
3014 if (enable_partial_write) {
3015 SSL_set_mode(client.get(), SSL_MODE_ENABLE_PARTIAL_WRITE);
3016 }
3017
3018 // Write without reading until the buffer is full and we have an unfinished
3019 // write. Keep a count so we may reread it again later. "hello!" will be
3020 // written in two chunks, "hello" and "!".
3021 char data[] = "hello!";
3022 static const int kChunkLen = 5; // The length of "hello".
3023 unsigned count = 0;
3024 for (;;) {
3025 int ret = SSL_write(client.get(), data, kChunkLen);
3026 if (ret <= 0) {
3027 int err = SSL_get_error(client.get(), ret);
3028 if (SSL_get_error(client.get(), ret) == SSL_ERROR_WANT_WRITE) {
3029 break;
3030 }
3031 fprintf(stderr, "SSL_write failed in unexpected way: %d\n", err);
3032 return false;
3033 }
3034
3035 if (ret != 5) {
3036 fprintf(stderr, "SSL_write wrote %d bytes, expected 5.\n", ret);
3037 return false;
3038 }
3039
3040 count++;
3041 }
3042
3043 // Retrying with the same parameters is legal.
3044 if (SSL_get_error(client.get(), SSL_write(client.get(), data, kChunkLen)) !=
3045 SSL_ERROR_WANT_WRITE) {
3046 fprintf(stderr, "SSL_write retry unexpectedly failed.\n");
3047 return false;
3048 }
3049
3050 // Retrying with the same buffer but shorter length is not legal.
3051 if (SSL_get_error(client.get(),
3052 SSL_write(client.get(), data, kChunkLen - 1)) !=
3053 SSL_ERROR_SSL ||
3054 !ExpectBadWriteRetry()) {
3055 fprintf(stderr, "SSL_write retry did not fail as expected.\n");
3056 return false;
3057 }
3058
3059 // Retrying with a different buffer pointer is not legal.
3060 char data2[] = "hello";
3061 if (SSL_get_error(client.get(), SSL_write(client.get(), data2,
3062 kChunkLen)) != SSL_ERROR_SSL ||
3063 !ExpectBadWriteRetry()) {
3064 fprintf(stderr, "SSL_write retry did not fail as expected.\n");
3065 return false;
3066 }
3067
3068 // With |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER|, the buffer may move.
3069 SSL_set_mode(client.get(), SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
3070 if (SSL_get_error(client.get(),
3071 SSL_write(client.get(), data2, kChunkLen)) !=
3072 SSL_ERROR_WANT_WRITE) {
3073 fprintf(stderr, "SSL_write retry unexpectedly failed.\n");
3074 return false;
3075 }
3076
3077 // |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER| does not disable length checks.
3078 if (SSL_get_error(client.get(),
3079 SSL_write(client.get(), data2, kChunkLen - 1)) !=
3080 SSL_ERROR_SSL ||
3081 !ExpectBadWriteRetry()) {
3082 fprintf(stderr, "SSL_write retry did not fail as expected.\n");
3083 return false;
3084 }
3085
3086 // Retrying with a larger buffer is legal.
3087 if (SSL_get_error(client.get(),
3088 SSL_write(client.get(), data, kChunkLen + 1)) !=
3089 SSL_ERROR_WANT_WRITE) {
3090 fprintf(stderr, "SSL_write retry unexpectedly failed.\n");
3091 return false;
3092 }
3093
3094 // Drain the buffer.
3095 char buf[20];
3096 for (unsigned i = 0; i < count; i++) {
3097 if (SSL_read(server.get(), buf, sizeof(buf)) != kChunkLen ||
3098 OPENSSL_memcmp(buf, "hello", kChunkLen) != 0) {
3099 fprintf(stderr, "Failed to read initial records.\n");
3100 return false;
3101 }
3102 }
3103
3104 // Now that there is space, a retry with a larger buffer should flush the
3105 // pending record, skip over that many bytes of input (on assumption they
3106 // are the same), and write the remainder. If SSL_MODE_ENABLE_PARTIAL_WRITE
3107 // is set, this will complete in two steps.
3108 char data3[] = "_____!";
3109 if (enable_partial_write) {
3110 if (SSL_write(client.get(), data3, kChunkLen + 1) != kChunkLen ||
3111 SSL_write(client.get(), data3 + kChunkLen, 1) != 1) {
3112 fprintf(stderr, "SSL_write retry failed.\n");
3113 return false;
3114 }
3115 } else if (SSL_write(client.get(), data3, kChunkLen + 1) != kChunkLen + 1) {
3116 fprintf(stderr, "SSL_write retry failed.\n");
3117 return false;
3118 }
3119
3120 // Check the last write was correct. The data will be spread over two
3121 // records, so SSL_read returns twice.
3122 if (SSL_read(server.get(), buf, sizeof(buf)) != kChunkLen ||
3123 OPENSSL_memcmp(buf, "hello", kChunkLen) != 0 ||
3124 SSL_read(server.get(), buf, sizeof(buf)) != 1 ||
3125 buf[0] != '!') {
3126 fprintf(stderr, "Failed to read write retry.\n");
3127 return false;
3128 }
3129 }
3130
3131 return true;
3132 }
3133
ForEachVersion(bool (* test_func)(bool is_dtls,const SSL_METHOD * method,uint16_t version))3134 static bool ForEachVersion(bool (*test_func)(bool is_dtls,
3135 const SSL_METHOD *method,
3136 uint16_t version)) {
3137 static uint16_t kTLSVersions[] = {
3138 SSL3_VERSION,
3139 TLS1_VERSION,
3140 TLS1_1_VERSION,
3141 TLS1_2_VERSION,
3142 // TLS 1.3 requires RSA-PSS, which is disabled for Android system builds.
3143 #if !defined(BORINGSSL_ANDROID_SYSTEM)
3144 TLS1_3_VERSION,
3145 #endif
3146 };
3147
3148 static uint16_t kDTLSVersions[] = {
3149 DTLS1_VERSION, DTLS1_2_VERSION,
3150 };
3151
3152 for (uint16_t version : kTLSVersions) {
3153 if (!test_func(false, TLS_method(), version)) {
3154 fprintf(stderr, "Test failed at TLS version %04x.\n", version);
3155 return false;
3156 }
3157 }
3158
3159 for (uint16_t version : kDTLSVersions) {
3160 if (!test_func(true, DTLS_method(), version)) {
3161 fprintf(stderr, "Test failed at DTLS version %04x.\n", version);
3162 return false;
3163 }
3164 }
3165
3166 return true;
3167 }
3168
TEST(SSLTest,AddChainCertHack)3169 TEST(SSLTest, AddChainCertHack) {
3170 // Ensure that we don't accidently break the hack that we have in place to
3171 // keep curl and serf happy when they use an |X509| even after transfering
3172 // ownership.
3173
3174 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
3175 ASSERT_TRUE(ctx);
3176 X509 *cert = GetTestCertificate().release();
3177 ASSERT_TRUE(cert);
3178 SSL_CTX_add0_chain_cert(ctx.get(), cert);
3179
3180 // This should not trigger a use-after-free.
3181 X509_cmp(cert, cert);
3182 }
3183
TEST(SSLTest,GetCertificate)3184 TEST(SSLTest, GetCertificate) {
3185 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
3186 ASSERT_TRUE(ctx);
3187 bssl::UniquePtr<X509> cert = GetTestCertificate();
3188 ASSERT_TRUE(cert);
3189 ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), cert.get()));
3190 bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
3191 ASSERT_TRUE(ssl);
3192
3193 X509 *cert2 = SSL_CTX_get0_certificate(ctx.get());
3194 ASSERT_TRUE(cert2);
3195 X509 *cert3 = SSL_get_certificate(ssl.get());
3196 ASSERT_TRUE(cert3);
3197
3198 // The old and new certificates must be identical.
3199 EXPECT_EQ(0, X509_cmp(cert.get(), cert2));
3200 EXPECT_EQ(0, X509_cmp(cert.get(), cert3));
3201
3202 uint8_t *der = nullptr;
3203 long der_len = i2d_X509(cert.get(), &der);
3204 ASSERT_LT(0, der_len);
3205 bssl::UniquePtr<uint8_t> free_der(der);
3206
3207 uint8_t *der2 = nullptr;
3208 long der2_len = i2d_X509(cert2, &der2);
3209 ASSERT_LT(0, der2_len);
3210 bssl::UniquePtr<uint8_t> free_der2(der2);
3211
3212 uint8_t *der3 = nullptr;
3213 long der3_len = i2d_X509(cert3, &der3);
3214 ASSERT_LT(0, der3_len);
3215 bssl::UniquePtr<uint8_t> free_der3(der3);
3216
3217 // They must also encode identically.
3218 EXPECT_EQ(Bytes(der, der_len), Bytes(der2, der2_len));
3219 EXPECT_EQ(Bytes(der, der_len), Bytes(der3, der3_len));
3220 }
3221
TEST(SSLTest,SetChainAndKeyMismatch)3222 TEST(SSLTest, SetChainAndKeyMismatch) {
3223 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_with_buffers_method()));
3224 ASSERT_TRUE(ctx);
3225
3226 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
3227 ASSERT_TRUE(key);
3228 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
3229 ASSERT_TRUE(leaf);
3230 std::vector<CRYPTO_BUFFER*> chain = {
3231 leaf.get(),
3232 };
3233
3234 // Should fail because |GetTestKey| doesn't match the chain-test certificate.
3235 ASSERT_FALSE(SSL_CTX_set_chain_and_key(ctx.get(), &chain[0], chain.size(),
3236 key.get(), nullptr));
3237 ERR_clear_error();
3238 }
3239
TEST(SSLTest,SetChainAndKey)3240 TEST(SSLTest, SetChainAndKey) {
3241 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method()));
3242 ASSERT_TRUE(client_ctx);
3243 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_with_buffers_method()));
3244 ASSERT_TRUE(server_ctx);
3245
3246 bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
3247 ASSERT_TRUE(key);
3248 bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
3249 ASSERT_TRUE(leaf);
3250 bssl::UniquePtr<CRYPTO_BUFFER> intermediate =
3251 GetChainTestIntermediateBuffer();
3252 ASSERT_TRUE(intermediate);
3253 std::vector<CRYPTO_BUFFER*> chain = {
3254 leaf.get(), intermediate.get(),
3255 };
3256 ASSERT_TRUE(SSL_CTX_set_chain_and_key(server_ctx.get(), &chain[0],
3257 chain.size(), key.get(), nullptr));
3258
3259 SSL_CTX_i_promise_to_verify_certs_after_the_handshake(client_ctx.get());
3260
3261 bssl::UniquePtr<SSL> client, server;
3262 ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
3263 server_ctx.get(),
3264 nullptr /* no session */));
3265 }
3266
3267 // Configuring the empty cipher list, though an error, should still modify the
3268 // configuration.
TEST(SSLTest,EmptyCipherList)3269 TEST(SSLTest, EmptyCipherList) {
3270 bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
3271 ASSERT_TRUE(ctx);
3272
3273 // Initially, the cipher list is not empty.
3274 EXPECT_NE(0u, sk_SSL_CIPHER_num(SSL_CTX_get_ciphers(ctx.get())));
3275
3276 // Configuring the empty cipher list fails.
3277 EXPECT_FALSE(SSL_CTX_set_cipher_list(ctx.get(), ""));
3278 ERR_clear_error();
3279
3280 // But the cipher list is still updated to empty.
3281 EXPECT_EQ(0u, sk_SSL_CIPHER_num(SSL_CTX_get_ciphers(ctx.get())));
3282 }
3283
3284 // ssl_test_ticket_aead_failure_mode enumerates the possible ways in which the
3285 // test |SSL_TICKET_AEAD_METHOD| can fail.
3286 enum ssl_test_ticket_aead_failure_mode {
3287 ssl_test_ticket_aead_ok = 0,
3288 ssl_test_ticket_aead_seal_fail,
3289 ssl_test_ticket_aead_open_soft_fail,
3290 ssl_test_ticket_aead_open_hard_fail,
3291 };
3292
3293 struct ssl_test_ticket_aead_state {
3294 unsigned retry_count;
3295 ssl_test_ticket_aead_failure_mode failure_mode;
3296 };
3297
ssl_test_ticket_aead_ex_index_dup(CRYPTO_EX_DATA * to,const CRYPTO_EX_DATA * from,void ** from_d,int index,long argl,void * argp)3298 static int ssl_test_ticket_aead_ex_index_dup(CRYPTO_EX_DATA *to,
3299 const CRYPTO_EX_DATA *from,
3300 void **from_d, int index,
3301 long argl, void *argp) {
3302 abort();
3303 }
3304
ssl_test_ticket_aead_ex_index_free(void * parent,void * ptr,CRYPTO_EX_DATA * ad,int index,long argl,void * argp)3305 static void ssl_test_ticket_aead_ex_index_free(void *parent, void *ptr,
3306 CRYPTO_EX_DATA *ad, int index,
3307 long argl, void *argp) {
3308 auto state = reinterpret_cast<ssl_test_ticket_aead_state*>(ptr);
3309 if (state == nullptr) {
3310 return;
3311 }
3312
3313 OPENSSL_free(state);
3314 }
3315
3316 static CRYPTO_once_t g_ssl_test_ticket_aead_ex_index_once = CRYPTO_ONCE_INIT;
3317 static int g_ssl_test_ticket_aead_ex_index;
3318
ssl_test_ticket_aead_get_ex_index()3319 static int ssl_test_ticket_aead_get_ex_index() {
3320 CRYPTO_once(&g_ssl_test_ticket_aead_ex_index_once, [] {
3321 g_ssl_test_ticket_aead_ex_index = SSL_get_ex_new_index(
3322 0, nullptr, nullptr, ssl_test_ticket_aead_ex_index_dup,
3323 ssl_test_ticket_aead_ex_index_free);
3324 });
3325 return g_ssl_test_ticket_aead_ex_index;
3326 }
3327
ssl_test_ticket_aead_max_overhead(SSL * ssl)3328 static size_t ssl_test_ticket_aead_max_overhead(SSL *ssl) {
3329 return 1;
3330 }
3331
ssl_test_ticket_aead_seal(SSL * ssl,uint8_t * out,size_t * out_len,size_t max_out_len,const uint8_t * in,size_t in_len)3332 static int ssl_test_ticket_aead_seal(SSL *ssl, uint8_t *out, size_t *out_len,
3333 size_t max_out_len, const uint8_t *in,
3334 size_t in_len) {
3335 auto state = reinterpret_cast<ssl_test_ticket_aead_state *>(
3336 SSL_get_ex_data(ssl, ssl_test_ticket_aead_get_ex_index()));
3337
3338 if (state->failure_mode == ssl_test_ticket_aead_seal_fail ||
3339 max_out_len < in_len + 1) {
3340 return 0;
3341 }
3342
3343 OPENSSL_memmove(out, in, in_len);
3344 out[in_len] = 0xff;
3345 *out_len = in_len + 1;
3346
3347 return 1;
3348 }
3349
ssl_test_ticket_aead_open(SSL * ssl,uint8_t * out,size_t * out_len,size_t max_out_len,const uint8_t * in,size_t in_len)3350 static ssl_ticket_aead_result_t ssl_test_ticket_aead_open(
3351 SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out_len,
3352 const uint8_t *in, size_t in_len) {
3353 auto state = reinterpret_cast<ssl_test_ticket_aead_state *>(
3354 SSL_get_ex_data(ssl, ssl_test_ticket_aead_get_ex_index()));
3355
3356 if (state->retry_count > 0) {
3357 state->retry_count--;
3358 return ssl_ticket_aead_retry;
3359 }
3360
3361 switch (state->failure_mode) {
3362 case ssl_test_ticket_aead_ok:
3363 break;
3364 case ssl_test_ticket_aead_seal_fail:
3365 // If |seal| failed then there shouldn't be any ticket to try and
3366 // decrypt.
3367 abort();
3368 break;
3369 case ssl_test_ticket_aead_open_soft_fail:
3370 return ssl_ticket_aead_ignore_ticket;
3371 case ssl_test_ticket_aead_open_hard_fail:
3372 return ssl_ticket_aead_error;
3373 }
3374
3375 if (in_len == 0 || in[in_len - 1] != 0xff) {
3376 return ssl_ticket_aead_ignore_ticket;
3377 }
3378
3379 if (max_out_len < in_len - 1) {
3380 return ssl_ticket_aead_error;
3381 }
3382
3383 OPENSSL_memmove(out, in, in_len - 1);
3384 *out_len = in_len - 1;
3385 return ssl_ticket_aead_success;
3386 }
3387
3388 static const SSL_TICKET_AEAD_METHOD kSSLTestTicketMethod = {
3389 ssl_test_ticket_aead_max_overhead,
3390 ssl_test_ticket_aead_seal,
3391 ssl_test_ticket_aead_open,
3392 };
3393
ConnectClientAndServerWithTicketMethod(bssl::UniquePtr<SSL> * out_client,bssl::UniquePtr<SSL> * out_server,SSL_CTX * client_ctx,SSL_CTX * server_ctx,unsigned retry_count,ssl_test_ticket_aead_failure_mode failure_mode,SSL_SESSION * session)3394 static void ConnectClientAndServerWithTicketMethod(
3395 bssl::UniquePtr<SSL> *out_client, bssl::UniquePtr<SSL> *out_server,
3396 SSL_CTX *client_ctx, SSL_CTX *server_ctx, unsigned retry_count,
3397 ssl_test_ticket_aead_failure_mode failure_mode, SSL_SESSION *session) {
3398 bssl::UniquePtr<SSL> client(SSL_new(client_ctx)), server(SSL_new(server_ctx));
3399 ASSERT_TRUE(client);
3400 ASSERT_TRUE(server);
3401 SSL_set_connect_state(client.get());
3402 SSL_set_accept_state(server.get());
3403
3404 auto state = reinterpret_cast<ssl_test_ticket_aead_state *>(
3405 OPENSSL_malloc(sizeof(ssl_test_ticket_aead_state)));
3406 ASSERT_TRUE(state);
3407 OPENSSL_memset(state, 0, sizeof(ssl_test_ticket_aead_state));
3408 state->retry_count = retry_count;
3409 state->failure_mode = failure_mode;
3410
3411 ASSERT_TRUE(SSL_set_ex_data(server.get(), ssl_test_ticket_aead_get_ex_index(),
3412 state));
3413
3414 SSL_set_session(client.get(), session);
3415
3416 BIO *bio1, *bio2;
3417 ASSERT_TRUE(BIO_new_bio_pair(&bio1, 0, &bio2, 0));
3418
3419 // SSL_set_bio takes ownership.
3420 SSL_set_bio(client.get(), bio1, bio1);
3421 SSL_set_bio(server.get(), bio2, bio2);
3422
3423 if (CompleteHandshakes(client.get(), server.get())) {
3424 *out_client = std::move(client);
3425 *out_server = std::move(server);
3426 } else {
3427 out_client->reset();
3428 out_server->reset();
3429 }
3430 }
3431
3432 class TicketAEADMethodTest
3433 : public ::testing::TestWithParam<testing::tuple<
3434 uint16_t, unsigned, ssl_test_ticket_aead_failure_mode>> {};
3435
TEST_P(TicketAEADMethodTest,Resume)3436 TEST_P(TicketAEADMethodTest, Resume) {
3437 bssl::UniquePtr<X509> cert = GetTestCertificate();
3438 ASSERT_TRUE(cert);
3439 bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
3440 ASSERT_TRUE(key);
3441
3442 bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
3443 ASSERT_TRUE(server_ctx);
3444 bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
3445 ASSERT_TRUE(client_ctx);
3446
3447 const uint16_t version = testing::get<0>(GetParam());
3448 const unsigned retry_count = testing::get<1>(GetParam());
3449 const ssl_test_ticket_aead_failure_mode failure_mode =
3450 testing::get<2>(GetParam());
3451
3452 ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
3453 ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
3454 ASSERT_TRUE(SSL_CTX_set_min_proto_version(client_ctx.get(), version));
3455 ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), version));
3456 ASSERT_TRUE(SSL_CTX_set_min_proto_version(server_ctx.get(), version));
3457 ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), version));
3458
3459 SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
3460 SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH);
3461 SSL_CTX_set_current_time_cb(client_ctx.get(), FrozenTimeCallback);
3462 SSL_CTX_set_current_time_cb(server_ctx.get(), FrozenTimeCallback);
3463 SSL_CTX_sess_set_new_cb(client_ctx.get(), SaveLastSession);
3464
3465 SSL_CTX_set_ticket_aead_method(server_ctx.get(), &kSSLTestTicketMethod);
3466
3467 bssl::UniquePtr<SSL> client, server;
3468 ConnectClientAndServerWithTicketMethod(&client, &server, client_ctx.get(),
3469 server_ctx.get(), retry_count,
3470 failure_mode, nullptr);
3471 switch (failure_mode) {
3472 case ssl_test_ticket_aead_ok:
3473 case ssl_test_ticket_aead_open_hard_fail:
3474 case ssl_test_ticket_aead_open_soft_fail:
3475 ASSERT_TRUE(client);
3476 break;
3477 case ssl_test_ticket_aead_seal_fail:
3478 EXPECT_FALSE(client);
3479 return;
3480 }
3481 EXPECT_FALSE(SSL_session_reused(client.get()));
3482 EXPECT_FALSE(SSL_session_reused(server.get()));
3483
3484 // Run the read loop to account for post-handshake tickets in TLS 1.3.
3485 SSL_read(client.get(), nullptr, 0);
3486
3487 bssl::UniquePtr<SSL_SESSION> session = std::move(g_last_session);
3488 ConnectClientAndServerWithTicketMethod(&client, &server, client_ctx.get(),
3489 server_ctx.get(), retry_count,
3490 failure_mode, session.get());
3491 switch (failure_mode) {
3492 case ssl_test_ticket_aead_ok:
3493 ASSERT_TRUE(client);
3494 EXPECT_TRUE(SSL_session_reused(client.get()));
3495 EXPECT_TRUE(SSL_session_reused(server.get()));
3496 break;
3497 case ssl_test_ticket_aead_seal_fail:
3498 abort();
3499 break;
3500 case ssl_test_ticket_aead_open_hard_fail:
3501 EXPECT_FALSE(client);
3502 break;
3503 case ssl_test_ticket_aead_open_soft_fail:
3504 ASSERT_TRUE(client);
3505 EXPECT_FALSE(SSL_session_reused(client.get()));
3506 EXPECT_FALSE(SSL_session_reused(server.get()));
3507 }
3508 }
3509
3510 INSTANTIATE_TEST_CASE_P(
3511 TicketAEADMethodTests, TicketAEADMethodTest,
3512 testing::Combine(
3513 testing::Values(TLS1_2_VERSION, TLS1_3_VERSION),
3514 testing::Values(0, 1, 2),
3515 testing::Values(ssl_test_ticket_aead_ok,
3516 ssl_test_ticket_aead_seal_fail,
3517 ssl_test_ticket_aead_open_soft_fail,
3518 ssl_test_ticket_aead_open_hard_fail)));
3519
3520 // TODO(davidben): Convert this file to GTest properly.
TEST(SSLTest,AllTests)3521 TEST(SSLTest, AllTests) {
3522 if (!TestCipherRules() ||
3523 !TestCurveRules() ||
3524 !TestSSL_SESSIONEncoding(kOpenSSLSession) ||
3525 !TestSSL_SESSIONEncoding(kCustomSession) ||
3526 !TestSSL_SESSIONEncoding(kBoringSSLSession) ||
3527 !TestBadSSL_SESSIONEncoding(kBadSessionExtraField) ||
3528 !TestBadSSL_SESSIONEncoding(kBadSessionVersion) ||
3529 !TestBadSSL_SESSIONEncoding(kBadSessionTrailingData) ||
3530 // TODO(svaldez): Update this when TLS 1.3 is enabled by default.
3531 !TestDefaultVersion(SSL3_VERSION, TLS1_2_VERSION, &TLS_method) ||
3532 !TestDefaultVersion(SSL3_VERSION, SSL3_VERSION, &SSLv3_method) ||
3533 !TestDefaultVersion(TLS1_VERSION, TLS1_VERSION, &TLSv1_method) ||
3534 !TestDefaultVersion(TLS1_1_VERSION, TLS1_1_VERSION, &TLSv1_1_method) ||
3535 !TestDefaultVersion(TLS1_2_VERSION, TLS1_2_VERSION, &TLSv1_2_method) ||
3536 !TestDefaultVersion(TLS1_1_VERSION, TLS1_2_VERSION, &DTLS_method) ||
3537 !TestDefaultVersion(TLS1_1_VERSION, TLS1_1_VERSION, &DTLSv1_method) ||
3538 !TestDefaultVersion(TLS1_2_VERSION, TLS1_2_VERSION, &DTLSv1_2_method) ||
3539 !TestCipherGetRFCName() ||
3540 // Test the padding extension at TLS 1.2.
3541 !TestPaddingExtension(TLS1_2_VERSION, TLS1_2_VERSION) ||
3542 // Test the padding extension at TLS 1.3 with a TLS 1.2 session, so there
3543 // will be no PSK binder after the padding extension.
3544 !TestPaddingExtension(TLS1_3_VERSION, TLS1_2_VERSION) ||
3545 // Test the padding extension at TLS 1.3 with a TLS 1.3 session, so there
3546 // will be a PSK binder after the padding extension.
3547 !TestPaddingExtension(TLS1_3_VERSION, TLS1_3_DRAFT_VERSION) ||
3548 !TestInternalSessionCache() ||
3549 !ForEachVersion(TestSequenceNumber) ||
3550 !ForEachVersion(TestOneSidedShutdown) ||
3551 !ForEachVersion(TestGetPeerCertificate) ||
3552 !ForEachVersion(TestRetainOnlySHA256OfCerts) ||
3553 !TestClientHello() ||
3554 !ForEachVersion(TestSessionIDContext) ||
3555 !ForEachVersion(TestSessionTimeout) ||
3556 !ForEachVersion(TestSNICallback) ||
3557 !ForEachVersion(TestVersion) ||
3558 !ForEachVersion(TestALPNCipherAvailable) ||
3559 !ForEachVersion(TestSSLClearSessionResumption) ||
3560 !ForEachVersion(TestAutoChain) ||
3561 !ForEachVersion(TestSSLWriteRetry)) {
3562 ADD_FAILURE() << "Tests failed";
3563 }
3564 }
3565