1 /* 2 * Copyright 2016-2025 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <string.h> 11 12 #include <openssl/bio.h> 13 #include <openssl/x509_vfy.h> 14 #include <openssl/ssl.h> 15 #include <openssl/core_names.h> 16 17 #include "../../ssl/ssl_local.h" 18 #include "internal/ssl_unwrap.h" 19 #include "internal/sockets.h" 20 #include "internal/nelem.h" 21 #include "handshake.h" 22 #include "../testutil.h" 23 24 #if !defined(OPENSSL_NO_SCTP) && !defined(OPENSSL_NO_SOCK) 25 #include <netinet/sctp.h> 26 #endif 27 28 HANDSHAKE_RESULT *HANDSHAKE_RESULT_new(void) 29 { 30 HANDSHAKE_RESULT *ret; 31 32 TEST_ptr(ret = OPENSSL_zalloc(sizeof(*ret))); 33 return ret; 34 } 35 36 void HANDSHAKE_RESULT_free(HANDSHAKE_RESULT *result) 37 { 38 if (result == NULL) 39 return; 40 OPENSSL_free(result->client_npn_negotiated); 41 OPENSSL_free(result->server_npn_negotiated); 42 OPENSSL_free(result->client_alpn_negotiated); 43 OPENSSL_free(result->server_alpn_negotiated); 44 OPENSSL_free(result->result_session_ticket_app_data); 45 sk_X509_NAME_pop_free(result->server_ca_names, X509_NAME_free); 46 sk_X509_NAME_pop_free(result->client_ca_names, X509_NAME_free); 47 OPENSSL_free(result->cipher); 48 OPENSSL_free(result); 49 } 50 51 /* 52 * Since there appears to be no way to extract the sent/received alert 53 * from the SSL object directly, we use the info callback and stash 54 * the result in ex_data. 55 */ 56 typedef struct handshake_ex_data_st { 57 int alert_sent; 58 int num_fatal_alerts_sent; 59 int alert_received; 60 int session_ticket_do_not_call; 61 ssl_servername_t servername; 62 } HANDSHAKE_EX_DATA; 63 64 /* |ctx_data| itself is stack-allocated. */ 65 static void ctx_data_free_data(CTX_DATA *ctx_data) 66 { 67 OPENSSL_free(ctx_data->npn_protocols); 68 ctx_data->npn_protocols = NULL; 69 OPENSSL_free(ctx_data->alpn_protocols); 70 ctx_data->alpn_protocols = NULL; 71 OPENSSL_free(ctx_data->srp_user); 72 ctx_data->srp_user = NULL; 73 OPENSSL_free(ctx_data->srp_password); 74 ctx_data->srp_password = NULL; 75 OPENSSL_free(ctx_data->session_ticket_app_data); 76 ctx_data->session_ticket_app_data = NULL; 77 } 78 79 static int ex_data_idx; 80 81 static void info_cb(const SSL *s, int where, int ret) 82 { 83 if (where & SSL_CB_ALERT) { 84 HANDSHAKE_EX_DATA *ex_data = (HANDSHAKE_EX_DATA *)(SSL_get_ex_data(s, ex_data_idx)); 85 if (where & SSL_CB_WRITE) { 86 ex_data->alert_sent = ret; 87 if (strcmp(SSL_alert_type_string(ret), "F") == 0 88 || strcmp(SSL_alert_desc_string(ret), "CN") == 0) 89 ex_data->num_fatal_alerts_sent++; 90 } else { 91 ex_data->alert_received = ret; 92 } 93 } 94 } 95 96 /* Select the appropriate server CTX. 97 * Returns SSL_TLSEXT_ERR_OK if a match was found. 98 * If |ignore| is 1, returns SSL_TLSEXT_ERR_NOACK on mismatch. 99 * Otherwise, returns SSL_TLSEXT_ERR_ALERT_FATAL on mismatch. 100 * An empty SNI extension also returns SSL_TSLEXT_ERR_NOACK. 101 */ 102 static int select_server_ctx(SSL *s, void *arg, int ignore) 103 { 104 const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name); 105 HANDSHAKE_EX_DATA *ex_data = (HANDSHAKE_EX_DATA *)(SSL_get_ex_data(s, ex_data_idx)); 106 107 if (servername == NULL) { 108 ex_data->servername = SSL_TEST_SERVERNAME_SERVER1; 109 return SSL_TLSEXT_ERR_NOACK; 110 } 111 112 if (strcmp(servername, "server2") == 0) { 113 SSL_CTX *new_ctx = (SSL_CTX *)arg; 114 SSL_set_SSL_CTX(s, new_ctx); 115 /* 116 * Copy over all the SSL_CTX options - reasonable behavior 117 * allows testing of cases where the options between two 118 * contexts differ/conflict 119 */ 120 SSL_clear_options(s, 0xFFFFFFFFL); 121 SSL_set_options(s, SSL_CTX_get_options(new_ctx)); 122 123 ex_data->servername = SSL_TEST_SERVERNAME_SERVER2; 124 return SSL_TLSEXT_ERR_OK; 125 } else if (strcmp(servername, "server1") == 0) { 126 ex_data->servername = SSL_TEST_SERVERNAME_SERVER1; 127 return SSL_TLSEXT_ERR_OK; 128 } else if (ignore) { 129 ex_data->servername = SSL_TEST_SERVERNAME_SERVER1; 130 return SSL_TLSEXT_ERR_NOACK; 131 } else { 132 /* Don't set an explicit alert, to test library defaults. */ 133 return SSL_TLSEXT_ERR_ALERT_FATAL; 134 } 135 } 136 137 static int client_hello_select_server_ctx(SSL *s, void *arg, int ignore) 138 { 139 const char *servername; 140 const unsigned char *p; 141 size_t len, remaining; 142 HANDSHAKE_EX_DATA *ex_data = (HANDSHAKE_EX_DATA *)(SSL_get_ex_data(s, ex_data_idx)); 143 144 /* 145 * The server_name extension was given too much extensibility when it 146 * was written, so parsing the normal case is a bit complex. 147 */ 148 if (!SSL_client_hello_get0_ext(s, TLSEXT_TYPE_server_name, &p, 149 &remaining) 150 || remaining <= 2) 151 return 0; 152 /* Extract the length of the supplied list of names. */ 153 len = (*(p++) << 8); 154 len += *(p++); 155 if (len + 2 != remaining) 156 return 0; 157 remaining = len; 158 /* 159 * The list in practice only has a single element, so we only consider 160 * the first one. 161 */ 162 if (remaining == 0 || *p++ != TLSEXT_NAMETYPE_host_name) 163 return 0; 164 remaining--; 165 /* Now we can finally pull out the byte array with the actual hostname. */ 166 if (remaining <= 2) 167 return 0; 168 len = (*(p++) << 8); 169 len += *(p++); 170 if (len + 2 > remaining) 171 return 0; 172 remaining = len; 173 servername = (const char *)p; 174 175 if (len == strlen("server2") && HAS_PREFIX(servername, "server2")) { 176 SSL_CTX *new_ctx = arg; 177 SSL_set_SSL_CTX(s, new_ctx); 178 /* 179 * Copy over all the SSL_CTX options - reasonable behavior 180 * allows testing of cases where the options between two 181 * contexts differ/conflict 182 */ 183 SSL_clear_options(s, 0xFFFFFFFFL); 184 SSL_set_options(s, SSL_CTX_get_options(new_ctx)); 185 186 ex_data->servername = SSL_TEST_SERVERNAME_SERVER2; 187 return 1; 188 } else if (len == strlen("server1") && HAS_PREFIX(servername, "server1")) { 189 ex_data->servername = SSL_TEST_SERVERNAME_SERVER1; 190 return 1; 191 } else if (ignore) { 192 ex_data->servername = SSL_TEST_SERVERNAME_SERVER1; 193 return 1; 194 } 195 return 0; 196 } 197 /* 198 * (RFC 6066): 199 * If the server understood the ClientHello extension but 200 * does not recognize the server name, the server SHOULD take one of two 201 * actions: either abort the handshake by sending a fatal-level 202 * unrecognized_name(112) alert or continue the handshake. 203 * 204 * This behaviour is up to the application to configure; we test both 205 * configurations to ensure the state machine propagates the result 206 * correctly. 207 */ 208 static int servername_ignore_cb(SSL *s, int *ad, void *arg) 209 { 210 return select_server_ctx(s, arg, 1); 211 } 212 213 static int servername_reject_cb(SSL *s, int *ad, void *arg) 214 { 215 return select_server_ctx(s, arg, 0); 216 } 217 218 static int client_hello_ignore_cb(SSL *s, int *al, void *arg) 219 { 220 if (!client_hello_select_server_ctx(s, arg, 1)) { 221 *al = SSL_AD_UNRECOGNIZED_NAME; 222 return SSL_CLIENT_HELLO_ERROR; 223 } 224 return SSL_CLIENT_HELLO_SUCCESS; 225 } 226 227 static int client_hello_reject_cb(SSL *s, int *al, void *arg) 228 { 229 if (!client_hello_select_server_ctx(s, arg, 0)) { 230 *al = SSL_AD_UNRECOGNIZED_NAME; 231 return SSL_CLIENT_HELLO_ERROR; 232 } 233 return SSL_CLIENT_HELLO_SUCCESS; 234 } 235 236 static int client_hello_nov12_cb(SSL *s, int *al, void *arg) 237 { 238 int ret; 239 unsigned int v; 240 const unsigned char *p; 241 242 v = SSL_client_hello_get0_legacy_version(s); 243 if (v > TLS1_2_VERSION || v < SSL3_VERSION) { 244 *al = SSL_AD_PROTOCOL_VERSION; 245 return SSL_CLIENT_HELLO_ERROR; 246 } 247 (void)SSL_client_hello_get0_session_id(s, &p); 248 if (p == NULL || SSL_client_hello_get0_random(s, &p) == 0 || SSL_client_hello_get0_ciphers(s, &p) == 0 || SSL_client_hello_get0_compression_methods(s, &p) == 0) { 249 *al = SSL_AD_INTERNAL_ERROR; 250 return SSL_CLIENT_HELLO_ERROR; 251 } 252 ret = client_hello_select_server_ctx(s, arg, 0); 253 SSL_set_max_proto_version(s, TLS1_1_VERSION); 254 if (!ret) { 255 *al = SSL_AD_UNRECOGNIZED_NAME; 256 return SSL_CLIENT_HELLO_ERROR; 257 } 258 return SSL_CLIENT_HELLO_SUCCESS; 259 } 260 261 static unsigned char dummy_ocsp_resp_good_val = 0xff; 262 static unsigned char dummy_ocsp_resp_bad_val = 0xfe; 263 264 static int server_ocsp_cb(SSL *s, void *arg) 265 { 266 unsigned char *resp; 267 268 resp = OPENSSL_malloc(1); 269 if (resp == NULL) 270 return SSL_TLSEXT_ERR_ALERT_FATAL; 271 /* 272 * For the purposes of testing we just send back a dummy OCSP response 273 */ 274 *resp = *(unsigned char *)arg; 275 if (!SSL_set_tlsext_status_ocsp_resp(s, resp, 1)) { 276 OPENSSL_free(resp); 277 return SSL_TLSEXT_ERR_ALERT_FATAL; 278 } 279 280 return SSL_TLSEXT_ERR_OK; 281 } 282 283 static int client_ocsp_cb(SSL *s, void *arg) 284 { 285 const unsigned char *resp; 286 int len; 287 288 len = SSL_get_tlsext_status_ocsp_resp(s, &resp); 289 if (len != 1 || *resp != dummy_ocsp_resp_good_val) 290 return 0; 291 292 return 1; 293 } 294 295 static int verify_reject_cb(X509_STORE_CTX *ctx, void *arg) 296 { 297 X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION); 298 return 0; 299 } 300 301 static int n_retries = 0; 302 static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg) 303 { 304 int idx = SSL_get_ex_data_X509_STORE_CTX_idx(); 305 SSL *ssl; 306 307 /* this should not happen but check anyway */ 308 if (idx < 0 309 || (ssl = X509_STORE_CTX_get_ex_data(ctx, idx)) == NULL) 310 return 0; 311 312 if (--n_retries < 0) 313 return 1; 314 315 return SSL_set_retry_verify(ssl); 316 } 317 318 static int verify_accept_cb(X509_STORE_CTX *ctx, void *arg) 319 { 320 return 1; 321 } 322 323 static int broken_session_ticket_cb(SSL *s, unsigned char *key_name, 324 unsigned char *iv, EVP_CIPHER_CTX *ctx, 325 EVP_MAC_CTX *hctx, int enc) 326 { 327 return 0; 328 } 329 330 static int do_not_call_session_ticket_cb(SSL *s, unsigned char *key_name, 331 unsigned char *iv, 332 EVP_CIPHER_CTX *ctx, 333 EVP_MAC_CTX *hctx, int enc) 334 { 335 HANDSHAKE_EX_DATA *ex_data = (HANDSHAKE_EX_DATA *)(SSL_get_ex_data(s, ex_data_idx)); 336 ex_data->session_ticket_do_not_call = 1; 337 return 0; 338 } 339 340 /* Parse the comma-separated list into TLS format. */ 341 static int parse_protos(const char *protos, unsigned char **out, size_t *outlen) 342 { 343 size_t len, i, prefix; 344 345 len = strlen(protos); 346 347 if (len == 0) { 348 *out = NULL; 349 *outlen = 0; 350 return 1; 351 } 352 353 /* Should never have reuse. */ 354 if (!TEST_ptr_null(*out) 355 /* Test values are small, so we omit length limit checks. */ 356 || !TEST_ptr(*out = OPENSSL_malloc(len + 1))) 357 return 0; 358 *outlen = len + 1; 359 360 /* 361 * foo => '3', 'f', 'o', 'o' 362 * foo,bar => '3', 'f', 'o', 'o', '3', 'b', 'a', 'r' 363 */ 364 memcpy(*out + 1, protos, len); 365 366 prefix = 0; 367 i = prefix + 1; 368 while (i <= len) { 369 if ((*out)[i] == ',') { 370 if (!TEST_int_gt(i - 1, prefix)) 371 goto err; 372 (*out)[prefix] = (unsigned char)(i - 1 - prefix); 373 prefix = i; 374 } 375 i++; 376 } 377 if (!TEST_int_gt(len, prefix)) 378 goto err; 379 (*out)[prefix] = (unsigned char)(len - prefix); 380 return 1; 381 382 err: 383 OPENSSL_free(*out); 384 *out = NULL; 385 return 0; 386 } 387 388 #ifndef OPENSSL_NO_NEXTPROTONEG 389 /* 390 * The client SHOULD select the first protocol advertised by the server that it 391 * also supports. In the event that the client doesn't support any of server's 392 * protocols, or the server doesn't advertise any, it SHOULD select the first 393 * protocol that it supports. 394 */ 395 static int client_npn_cb(SSL *s, unsigned char **out, unsigned char *outlen, 396 const unsigned char *in, unsigned int inlen, 397 void *arg) 398 { 399 CTX_DATA *ctx_data = (CTX_DATA *)(arg); 400 int ret; 401 402 ret = SSL_select_next_proto(out, outlen, in, inlen, 403 ctx_data->npn_protocols, 404 ctx_data->npn_protocols_len); 405 /* Accept both OPENSSL_NPN_NEGOTIATED and OPENSSL_NPN_NO_OVERLAP. */ 406 return TEST_true(ret == OPENSSL_NPN_NEGOTIATED || ret == OPENSSL_NPN_NO_OVERLAP) 407 ? SSL_TLSEXT_ERR_OK 408 : SSL_TLSEXT_ERR_ALERT_FATAL; 409 } 410 411 static int server_npn_cb(SSL *s, const unsigned char **data, 412 unsigned int *len, void *arg) 413 { 414 CTX_DATA *ctx_data = (CTX_DATA *)(arg); 415 *data = ctx_data->npn_protocols; 416 *len = ctx_data->npn_protocols_len; 417 return SSL_TLSEXT_ERR_OK; 418 } 419 #endif 420 421 /* 422 * The server SHOULD select the most highly preferred protocol that it supports 423 * and that is also advertised by the client. In the event that the server 424 * supports no protocols that the client advertises, then the server SHALL 425 * respond with a fatal "no_application_protocol" alert. 426 */ 427 static int server_alpn_cb(SSL *s, const unsigned char **out, 428 unsigned char *outlen, const unsigned char *in, 429 unsigned int inlen, void *arg) 430 { 431 CTX_DATA *ctx_data = (CTX_DATA *)(arg); 432 int ret; 433 434 /* SSL_select_next_proto isn't const-correct... */ 435 unsigned char *tmp_out; 436 437 /* 438 * The result points either to |in| or to |ctx_data->alpn_protocols|. 439 * The callback is allowed to point to |in| or to a long-lived buffer, 440 * so we can return directly without storing a copy. 441 */ 442 ret = SSL_select_next_proto(&tmp_out, outlen, 443 ctx_data->alpn_protocols, 444 ctx_data->alpn_protocols_len, in, inlen); 445 446 *out = tmp_out; 447 /* Unlike NPN, we don't tolerate a mismatch. */ 448 return ret == OPENSSL_NPN_NEGOTIATED ? SSL_TLSEXT_ERR_OK 449 : SSL_TLSEXT_ERR_ALERT_FATAL; 450 } 451 452 static int generate_session_ticket_cb(SSL *s, void *arg) 453 { 454 CTX_DATA *server_ctx_data = arg; 455 SSL_SESSION *ss = SSL_get_session(s); 456 char *app_data = server_ctx_data->session_ticket_app_data; 457 458 if (ss == NULL || app_data == NULL) 459 return 0; 460 461 return SSL_SESSION_set1_ticket_appdata(ss, app_data, strlen(app_data)); 462 } 463 464 static int decrypt_session_ticket_cb(SSL *s, SSL_SESSION *ss, 465 const unsigned char *keyname, 466 size_t keyname_len, 467 SSL_TICKET_STATUS status, 468 void *arg) 469 { 470 switch (status) { 471 case SSL_TICKET_EMPTY: 472 case SSL_TICKET_NO_DECRYPT: 473 return SSL_TICKET_RETURN_IGNORE_RENEW; 474 case SSL_TICKET_SUCCESS: 475 return SSL_TICKET_RETURN_USE; 476 case SSL_TICKET_SUCCESS_RENEW: 477 return SSL_TICKET_RETURN_USE_RENEW; 478 default: 479 break; 480 } 481 return SSL_TICKET_RETURN_ABORT; 482 } 483 484 /* 485 * Configure callbacks and other properties that can't be set directly 486 * in the server/client CONF. 487 */ 488 static int configure_handshake_ctx(SSL_CTX *server_ctx, SSL_CTX *server2_ctx, 489 SSL_CTX *client_ctx, 490 const SSL_TEST_CTX *test, 491 const SSL_TEST_EXTRA_CONF *extra, 492 CTX_DATA *server_ctx_data, 493 CTX_DATA *server2_ctx_data, 494 CTX_DATA *client_ctx_data) 495 { 496 unsigned char *ticket_keys; 497 size_t ticket_key_len; 498 499 if (!TEST_int_eq(SSL_CTX_set_max_send_fragment(server_ctx, 500 test->max_fragment_size), 501 1)) 502 goto err; 503 if (server2_ctx != NULL) { 504 if (!TEST_int_eq(SSL_CTX_set_max_send_fragment(server2_ctx, 505 test->max_fragment_size), 506 1)) 507 goto err; 508 } 509 if (!TEST_int_eq(SSL_CTX_set_max_send_fragment(client_ctx, 510 test->max_fragment_size), 511 1)) 512 goto err; 513 514 switch (extra->client.verify_callback) { 515 case SSL_TEST_VERIFY_ACCEPT_ALL: 516 SSL_CTX_set_cert_verify_callback(client_ctx, &verify_accept_cb, NULL); 517 break; 518 case SSL_TEST_VERIFY_RETRY_ONCE: 519 n_retries = 1; 520 SSL_CTX_set_cert_verify_callback(client_ctx, &verify_retry_cb, NULL); 521 break; 522 case SSL_TEST_VERIFY_REJECT_ALL: 523 SSL_CTX_set_cert_verify_callback(client_ctx, &verify_reject_cb, NULL); 524 break; 525 case SSL_TEST_VERIFY_NONE: 526 break; 527 } 528 529 switch (extra->client.max_fragment_len_mode) { 530 case TLSEXT_max_fragment_length_512: 531 case TLSEXT_max_fragment_length_1024: 532 case TLSEXT_max_fragment_length_2048: 533 case TLSEXT_max_fragment_length_4096: 534 case TLSEXT_max_fragment_length_DISABLED: 535 SSL_CTX_set_tlsext_max_fragment_length( 536 client_ctx, extra->client.max_fragment_len_mode); 537 break; 538 } 539 540 /* 541 * Link the two contexts for SNI purposes. 542 * Also do ClientHello callbacks here, as setting both ClientHello and SNI 543 * is bad. 544 */ 545 switch (extra->server.servername_callback) { 546 case SSL_TEST_SERVERNAME_IGNORE_MISMATCH: 547 SSL_CTX_set_tlsext_servername_callback(server_ctx, servername_ignore_cb); 548 SSL_CTX_set_tlsext_servername_arg(server_ctx, server2_ctx); 549 break; 550 case SSL_TEST_SERVERNAME_REJECT_MISMATCH: 551 SSL_CTX_set_tlsext_servername_callback(server_ctx, servername_reject_cb); 552 SSL_CTX_set_tlsext_servername_arg(server_ctx, server2_ctx); 553 break; 554 case SSL_TEST_SERVERNAME_CB_NONE: 555 break; 556 case SSL_TEST_SERVERNAME_CLIENT_HELLO_IGNORE_MISMATCH: 557 SSL_CTX_set_client_hello_cb(server_ctx, client_hello_ignore_cb, server2_ctx); 558 break; 559 case SSL_TEST_SERVERNAME_CLIENT_HELLO_REJECT_MISMATCH: 560 SSL_CTX_set_client_hello_cb(server_ctx, client_hello_reject_cb, server2_ctx); 561 break; 562 case SSL_TEST_SERVERNAME_CLIENT_HELLO_NO_V12: 563 SSL_CTX_set_client_hello_cb(server_ctx, client_hello_nov12_cb, server2_ctx); 564 } 565 566 if (extra->server.cert_status != SSL_TEST_CERT_STATUS_NONE) { 567 SSL_CTX_set_tlsext_status_type(client_ctx, TLSEXT_STATUSTYPE_ocsp); 568 SSL_CTX_set_tlsext_status_cb(client_ctx, client_ocsp_cb); 569 SSL_CTX_set_tlsext_status_arg(client_ctx, NULL); 570 SSL_CTX_set_tlsext_status_cb(server_ctx, server_ocsp_cb); 571 SSL_CTX_set_tlsext_status_arg(server_ctx, 572 ((extra->server.cert_status == SSL_TEST_CERT_STATUS_GOOD_RESPONSE) 573 ? &dummy_ocsp_resp_good_val 574 : &dummy_ocsp_resp_bad_val)); 575 } 576 577 /* 578 * The initial_ctx/session_ctx always handles the encrypt/decrypt of the 579 * session ticket. This ticket_key callback is assigned to the second 580 * session (assigned via SNI), and should never be invoked 581 */ 582 if (server2_ctx != NULL) 583 SSL_CTX_set_tlsext_ticket_key_evp_cb(server2_ctx, 584 do_not_call_session_ticket_cb); 585 586 if (extra->server.broken_session_ticket) { 587 SSL_CTX_set_tlsext_ticket_key_evp_cb(server_ctx, 588 broken_session_ticket_cb); 589 } 590 #ifndef OPENSSL_NO_NEXTPROTONEG 591 if (extra->server.npn_protocols != NULL) { 592 if (!TEST_true(parse_protos(extra->server.npn_protocols, 593 &server_ctx_data->npn_protocols, 594 &server_ctx_data->npn_protocols_len))) 595 goto err; 596 SSL_CTX_set_npn_advertised_cb(server_ctx, server_npn_cb, 597 server_ctx_data); 598 } 599 if (extra->server2.npn_protocols != NULL) { 600 if (!TEST_true(parse_protos(extra->server2.npn_protocols, 601 &server2_ctx_data->npn_protocols, 602 &server2_ctx_data->npn_protocols_len)) 603 || !TEST_ptr(server2_ctx)) 604 goto err; 605 SSL_CTX_set_npn_advertised_cb(server2_ctx, server_npn_cb, 606 server2_ctx_data); 607 } 608 if (extra->client.npn_protocols != NULL) { 609 if (!TEST_true(parse_protos(extra->client.npn_protocols, 610 &client_ctx_data->npn_protocols, 611 &client_ctx_data->npn_protocols_len))) 612 goto err; 613 SSL_CTX_set_next_proto_select_cb(client_ctx, client_npn_cb, 614 client_ctx_data); 615 } 616 #endif 617 if (extra->server.alpn_protocols != NULL) { 618 if (!TEST_true(parse_protos(extra->server.alpn_protocols, 619 &server_ctx_data->alpn_protocols, 620 &server_ctx_data->alpn_protocols_len))) 621 goto err; 622 SSL_CTX_set_alpn_select_cb(server_ctx, server_alpn_cb, server_ctx_data); 623 } 624 if (extra->server2.alpn_protocols != NULL) { 625 if (!TEST_ptr(server2_ctx) 626 || !TEST_true(parse_protos(extra->server2.alpn_protocols, 627 &server2_ctx_data->alpn_protocols, 628 &server2_ctx_data->alpn_protocols_len))) 629 goto err; 630 SSL_CTX_set_alpn_select_cb(server2_ctx, server_alpn_cb, 631 server2_ctx_data); 632 } 633 if (extra->client.alpn_protocols != NULL) { 634 unsigned char *alpn_protos = NULL; 635 size_t alpn_protos_len = 0; 636 637 if (!TEST_true(parse_protos(extra->client.alpn_protocols, 638 &alpn_protos, &alpn_protos_len)) 639 /* Reversed return value convention... */ 640 || !TEST_int_eq(SSL_CTX_set_alpn_protos(client_ctx, alpn_protos, 641 alpn_protos_len), 642 0)) 643 goto err; 644 OPENSSL_free(alpn_protos); 645 } 646 647 if (extra->server.session_ticket_app_data != NULL) { 648 server_ctx_data->session_ticket_app_data = OPENSSL_strdup(extra->server.session_ticket_app_data); 649 if (!TEST_ptr(server_ctx_data->session_ticket_app_data)) 650 goto err; 651 SSL_CTX_set_session_ticket_cb(server_ctx, generate_session_ticket_cb, 652 decrypt_session_ticket_cb, server_ctx_data); 653 } 654 if (extra->server2.session_ticket_app_data != NULL) { 655 if (!TEST_ptr(server2_ctx)) 656 goto err; 657 server2_ctx_data->session_ticket_app_data = OPENSSL_strdup(extra->server2.session_ticket_app_data); 658 if (!TEST_ptr(server2_ctx_data->session_ticket_app_data)) 659 goto err; 660 SSL_CTX_set_session_ticket_cb(server2_ctx, NULL, 661 decrypt_session_ticket_cb, server2_ctx_data); 662 } 663 664 /* 665 * Use fixed session ticket keys so that we can decrypt a ticket created with 666 * one CTX in another CTX. Don't address server2 for the moment. 667 */ 668 ticket_key_len = SSL_CTX_set_tlsext_ticket_keys(server_ctx, NULL, 0); 669 if (!TEST_ptr(ticket_keys = OPENSSL_zalloc(ticket_key_len)) 670 || !TEST_int_eq(SSL_CTX_set_tlsext_ticket_keys(server_ctx, 671 ticket_keys, 672 ticket_key_len), 673 1)) { 674 OPENSSL_free(ticket_keys); 675 goto err; 676 } 677 OPENSSL_free(ticket_keys); 678 679 /* The default log list includes EC keys, so CT can't work without EC. */ 680 #if !defined(OPENSSL_NO_CT) && !defined(OPENSSL_NO_EC) 681 if (!TEST_true(SSL_CTX_set_default_ctlog_list_file(client_ctx))) 682 goto err; 683 switch (extra->client.ct_validation) { 684 case SSL_TEST_CT_VALIDATION_PERMISSIVE: 685 if (!TEST_true(SSL_CTX_enable_ct(client_ctx, 686 SSL_CT_VALIDATION_PERMISSIVE))) 687 goto err; 688 break; 689 case SSL_TEST_CT_VALIDATION_STRICT: 690 if (!TEST_true(SSL_CTX_enable_ct(client_ctx, SSL_CT_VALIDATION_STRICT))) 691 goto err; 692 break; 693 case SSL_TEST_CT_VALIDATION_NONE: 694 break; 695 } 696 #endif 697 #ifndef OPENSSL_NO_SRP 698 if (!configure_handshake_ctx_for_srp(server_ctx, server2_ctx, client_ctx, 699 extra, server_ctx_data, 700 server2_ctx_data, client_ctx_data)) 701 goto err; 702 #endif /* !OPENSSL_NO_SRP */ 703 #ifndef OPENSSL_NO_COMP_ALG 704 if (test->compress_certificates) { 705 if (!TEST_true(SSL_CTX_compress_certs(server_ctx, 0))) 706 goto err; 707 if (server2_ctx != NULL && !TEST_true(SSL_CTX_compress_certs(server2_ctx, 0))) 708 goto err; 709 } 710 #endif 711 return 1; 712 err: 713 return 0; 714 } 715 716 /* Configure per-SSL callbacks and other properties. */ 717 static void configure_handshake_ssl(SSL *server, SSL *client, 718 const SSL_TEST_EXTRA_CONF *extra) 719 { 720 if (extra->client.servername != SSL_TEST_SERVERNAME_NONE) 721 SSL_set_tlsext_host_name(client, 722 ssl_servername_name(extra->client.servername)); 723 if (extra->client.enable_pha) 724 SSL_set_post_handshake_auth(client, 1); 725 } 726 727 /* The status for each connection phase. */ 728 typedef enum { 729 PEER_SUCCESS, 730 PEER_RETRY, 731 PEER_ERROR, 732 PEER_WAITING, 733 PEER_TEST_FAILURE 734 } peer_status_t; 735 736 /* An SSL object and associated read-write buffers. */ 737 typedef struct peer_st { 738 SSL *ssl; 739 /* Buffer lengths are int to match the SSL read/write API. */ 740 unsigned char *write_buf; 741 int write_buf_len; 742 unsigned char *read_buf; 743 int read_buf_len; 744 int bytes_to_write; 745 int bytes_to_read; 746 peer_status_t status; 747 } PEER; 748 749 static int create_peer(PEER *peer, SSL_CTX *ctx) 750 { 751 static const int peer_buffer_size = 64 * 1024; 752 SSL *ssl = NULL; 753 unsigned char *read_buf = NULL, *write_buf = NULL; 754 755 if (!TEST_ptr(ssl = SSL_new(ctx)) 756 || !TEST_ptr(write_buf = OPENSSL_zalloc(peer_buffer_size)) 757 || !TEST_ptr(read_buf = OPENSSL_zalloc(peer_buffer_size))) 758 goto err; 759 760 peer->ssl = ssl; 761 peer->write_buf = write_buf; 762 peer->read_buf = read_buf; 763 peer->write_buf_len = peer->read_buf_len = peer_buffer_size; 764 return 1; 765 err: 766 SSL_free(ssl); 767 OPENSSL_free(write_buf); 768 OPENSSL_free(read_buf); 769 return 0; 770 } 771 772 static void peer_free_data(PEER *peer) 773 { 774 SSL_free(peer->ssl); 775 OPENSSL_free(peer->write_buf); 776 OPENSSL_free(peer->read_buf); 777 } 778 779 /* 780 * Note that we could do the handshake transparently under an SSL_write, 781 * but separating the steps is more helpful for debugging test failures. 782 */ 783 static void do_handshake_step(PEER *peer) 784 { 785 if (!TEST_int_eq(peer->status, PEER_RETRY)) { 786 peer->status = PEER_TEST_FAILURE; 787 } else { 788 int ret = SSL_do_handshake(peer->ssl); 789 790 if (ret == 1) { 791 peer->status = PEER_SUCCESS; 792 } else if (ret == 0) { 793 peer->status = PEER_ERROR; 794 } else { 795 int error = SSL_get_error(peer->ssl, ret); 796 797 /* Memory bios should never block with SSL_ERROR_WANT_WRITE. */ 798 if (error != SSL_ERROR_WANT_READ 799 && error != SSL_ERROR_WANT_RETRY_VERIFY) 800 peer->status = PEER_ERROR; 801 } 802 } 803 } 804 805 /*- 806 * Send/receive some application data. The read-write sequence is 807 * Peer A: (R) W - first read will yield no data 808 * Peer B: R W 809 * ... 810 * Peer A: R W 811 * Peer B: R W 812 * Peer A: R 813 */ 814 static void do_app_data_step(PEER *peer) 815 { 816 int ret = 1, write_bytes; 817 818 if (!TEST_int_eq(peer->status, PEER_RETRY)) { 819 peer->status = PEER_TEST_FAILURE; 820 return; 821 } 822 823 /* We read everything available... */ 824 while (ret > 0 && peer->bytes_to_read) { 825 ret = SSL_read(peer->ssl, peer->read_buf, peer->read_buf_len); 826 if (ret > 0) { 827 if (!TEST_int_le(ret, peer->bytes_to_read)) { 828 peer->status = PEER_TEST_FAILURE; 829 return; 830 } 831 peer->bytes_to_read -= ret; 832 } else if (ret == 0) { 833 peer->status = PEER_ERROR; 834 return; 835 } else { 836 int error = SSL_get_error(peer->ssl, ret); 837 if (error != SSL_ERROR_WANT_READ) { 838 peer->status = PEER_ERROR; 839 return; 840 } /* Else continue with write. */ 841 } 842 } 843 844 /* ... but we only write one write-buffer-full of data. */ 845 write_bytes = peer->bytes_to_write < peer->write_buf_len ? peer->bytes_to_write : peer->write_buf_len; 846 if (write_bytes) { 847 ret = SSL_write(peer->ssl, peer->write_buf, write_bytes); 848 if (ret > 0) { 849 /* SSL_write will only succeed with a complete write. */ 850 if (!TEST_int_eq(ret, write_bytes)) { 851 peer->status = PEER_TEST_FAILURE; 852 return; 853 } 854 peer->bytes_to_write -= ret; 855 } else { 856 /* 857 * We should perhaps check for SSL_ERROR_WANT_READ/WRITE here 858 * but this doesn't yet occur with current app data sizes. 859 */ 860 peer->status = PEER_ERROR; 861 return; 862 } 863 } 864 865 /* 866 * We could simply finish when there was nothing to read, and we have 867 * nothing left to write. But keeping track of the expected number of bytes 868 * to read gives us somewhat better guarantees that all data sent is in fact 869 * received. 870 */ 871 if (peer->bytes_to_write == 0 && peer->bytes_to_read == 0) { 872 peer->status = PEER_SUCCESS; 873 } 874 } 875 876 static void do_reneg_setup_step(const SSL_TEST_CTX *test_ctx, PEER *peer) 877 { 878 int ret; 879 char buf; 880 881 if (peer->status == PEER_SUCCESS) { 882 /* 883 * We are a client that succeeded this step previously, but the server 884 * wanted to retry. Probably there is a no_renegotiation warning alert 885 * waiting for us. Attempt to continue the handshake. 886 */ 887 peer->status = PEER_RETRY; 888 do_handshake_step(peer); 889 return; 890 } 891 892 if (!TEST_int_eq(peer->status, PEER_RETRY) 893 || !TEST_true(test_ctx->handshake_mode 894 == SSL_TEST_HANDSHAKE_RENEG_SERVER 895 || test_ctx->handshake_mode 896 == SSL_TEST_HANDSHAKE_RENEG_CLIENT 897 || test_ctx->handshake_mode 898 == SSL_TEST_HANDSHAKE_KEY_UPDATE_SERVER 899 || test_ctx->handshake_mode 900 == SSL_TEST_HANDSHAKE_KEY_UPDATE_CLIENT 901 || test_ctx->handshake_mode 902 == SSL_TEST_HANDSHAKE_POST_HANDSHAKE_AUTH)) { 903 peer->status = PEER_TEST_FAILURE; 904 return; 905 } 906 907 /* Reset the count of the amount of app data we need to read/write */ 908 peer->bytes_to_write = peer->bytes_to_read = test_ctx->app_data_size; 909 910 /* Check if we are the peer that is going to initiate */ 911 if ((test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_RENEG_SERVER 912 && SSL_is_server(peer->ssl)) 913 || (test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_RENEG_CLIENT 914 && !SSL_is_server(peer->ssl))) { 915 /* 916 * If we already asked for a renegotiation then fall through to the 917 * SSL_read() below. 918 */ 919 if (!SSL_renegotiate_pending(peer->ssl)) { 920 /* 921 * If we are the client we will always attempt to resume the 922 * session. The server may or may not resume dependent on the 923 * setting of SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 924 */ 925 if (SSL_is_server(peer->ssl)) { 926 ret = SSL_renegotiate(peer->ssl); 927 } else { 928 int full_reneg = 0; 929 930 if (test_ctx->extra.client.no_extms_on_reneg) { 931 SSL_set_options(peer->ssl, SSL_OP_NO_EXTENDED_MASTER_SECRET); 932 full_reneg = 1; 933 } 934 if (test_ctx->extra.client.reneg_ciphers != NULL) { 935 if (!SSL_set_cipher_list(peer->ssl, 936 test_ctx->extra.client.reneg_ciphers)) { 937 peer->status = PEER_ERROR; 938 return; 939 } 940 full_reneg = 1; 941 } 942 if (full_reneg) 943 ret = SSL_renegotiate(peer->ssl); 944 else 945 ret = SSL_renegotiate_abbreviated(peer->ssl); 946 } 947 if (!ret) { 948 peer->status = PEER_ERROR; 949 return; 950 } 951 do_handshake_step(peer); 952 /* 953 * If status is PEER_RETRY it means we're waiting on the peer to 954 * continue the handshake. As far as setting up the renegotiation is 955 * concerned that is a success. The next step will continue the 956 * handshake to its conclusion. 957 * 958 * If status is PEER_SUCCESS then we are the server and we have 959 * successfully sent the HelloRequest. We need to continue to wait 960 * until the handshake arrives from the client. 961 */ 962 if (peer->status == PEER_RETRY) 963 peer->status = PEER_SUCCESS; 964 else if (peer->status == PEER_SUCCESS) 965 peer->status = PEER_RETRY; 966 return; 967 } 968 } else if (test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_KEY_UPDATE_SERVER 969 || test_ctx->handshake_mode 970 == SSL_TEST_HANDSHAKE_KEY_UPDATE_CLIENT) { 971 if (SSL_is_server(peer->ssl) 972 != (test_ctx->handshake_mode 973 == SSL_TEST_HANDSHAKE_KEY_UPDATE_SERVER)) { 974 peer->status = PEER_SUCCESS; 975 return; 976 } 977 978 ret = SSL_key_update(peer->ssl, test_ctx->key_update_type); 979 if (!ret) { 980 peer->status = PEER_ERROR; 981 return; 982 } 983 do_handshake_step(peer); 984 /* 985 * This is a one step handshake. We shouldn't get anything other than 986 * PEER_SUCCESS 987 */ 988 if (peer->status != PEER_SUCCESS) 989 peer->status = PEER_ERROR; 990 return; 991 } else if (test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_POST_HANDSHAKE_AUTH) { 992 if (SSL_is_server(peer->ssl)) { 993 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(peer->ssl); 994 995 if (sc == NULL) { 996 peer->status = PEER_ERROR; 997 return; 998 } 999 /* Make the server believe it's received the extension */ 1000 if (test_ctx->extra.server.force_pha) 1001 sc->post_handshake_auth = SSL_PHA_EXT_RECEIVED; 1002 ret = SSL_verify_client_post_handshake(peer->ssl); 1003 if (!ret) { 1004 peer->status = PEER_ERROR; 1005 return; 1006 } 1007 } 1008 do_handshake_step(peer); 1009 /* 1010 * This is a one step handshake. We shouldn't get anything other than 1011 * PEER_SUCCESS 1012 */ 1013 if (peer->status != PEER_SUCCESS) 1014 peer->status = PEER_ERROR; 1015 return; 1016 } 1017 1018 /* 1019 * The SSL object is still expecting app data, even though it's going to 1020 * get a handshake message. We try to read, and it should fail - after which 1021 * we should be in a handshake 1022 */ 1023 ret = SSL_read(peer->ssl, &buf, sizeof(buf)); 1024 if (ret >= 0) { 1025 /* 1026 * We're not actually expecting data - we're expecting a reneg to 1027 * start 1028 */ 1029 peer->status = PEER_ERROR; 1030 return; 1031 } else { 1032 int error = SSL_get_error(peer->ssl, ret); 1033 if (error != SSL_ERROR_WANT_READ) { 1034 peer->status = PEER_ERROR; 1035 return; 1036 } 1037 /* If we're not in init yet then we're not done with setup yet */ 1038 if (!SSL_in_init(peer->ssl)) 1039 return; 1040 } 1041 1042 peer->status = PEER_SUCCESS; 1043 } 1044 1045 /* 1046 * RFC 5246 says: 1047 * 1048 * Note that as of TLS 1.1, 1049 * failure to properly close a connection no longer requires that a 1050 * session not be resumed. This is a change from TLS 1.0 to conform 1051 * with widespread implementation practice. 1052 * 1053 * However, 1054 * (a) OpenSSL requires that a connection be shutdown for all protocol versions. 1055 * (b) We test lower versions, too. 1056 * So we just implement shutdown. We do a full bidirectional shutdown so that we 1057 * can compare sent and received close_notify alerts and get some test coverage 1058 * for SSL_shutdown as a bonus. 1059 */ 1060 static void do_shutdown_step(PEER *peer) 1061 { 1062 int ret; 1063 1064 if (!TEST_int_eq(peer->status, PEER_RETRY)) { 1065 peer->status = PEER_TEST_FAILURE; 1066 return; 1067 } 1068 ret = SSL_shutdown(peer->ssl); 1069 1070 if (ret == 1) { 1071 peer->status = PEER_SUCCESS; 1072 } else if (ret < 0) { /* On 0, we retry. */ 1073 int error = SSL_get_error(peer->ssl, ret); 1074 1075 if (error != SSL_ERROR_WANT_READ && error != SSL_ERROR_WANT_WRITE) 1076 peer->status = PEER_ERROR; 1077 } 1078 } 1079 1080 typedef enum { 1081 HANDSHAKE, 1082 RENEG_APPLICATION_DATA, 1083 RENEG_SETUP, 1084 RENEG_HANDSHAKE, 1085 APPLICATION_DATA, 1086 SHUTDOWN, 1087 CONNECTION_DONE 1088 } connect_phase_t; 1089 1090 static int renegotiate_op(const SSL_TEST_CTX *test_ctx) 1091 { 1092 switch (test_ctx->handshake_mode) { 1093 case SSL_TEST_HANDSHAKE_RENEG_SERVER: 1094 case SSL_TEST_HANDSHAKE_RENEG_CLIENT: 1095 return 1; 1096 default: 1097 return 0; 1098 } 1099 } 1100 static int post_handshake_op(const SSL_TEST_CTX *test_ctx) 1101 { 1102 switch (test_ctx->handshake_mode) { 1103 case SSL_TEST_HANDSHAKE_KEY_UPDATE_CLIENT: 1104 case SSL_TEST_HANDSHAKE_KEY_UPDATE_SERVER: 1105 case SSL_TEST_HANDSHAKE_POST_HANDSHAKE_AUTH: 1106 return 1; 1107 default: 1108 return 0; 1109 } 1110 } 1111 1112 static connect_phase_t next_phase(const SSL_TEST_CTX *test_ctx, 1113 connect_phase_t phase) 1114 { 1115 switch (phase) { 1116 case HANDSHAKE: 1117 if (renegotiate_op(test_ctx) || post_handshake_op(test_ctx)) 1118 return RENEG_APPLICATION_DATA; 1119 return APPLICATION_DATA; 1120 case RENEG_APPLICATION_DATA: 1121 return RENEG_SETUP; 1122 case RENEG_SETUP: 1123 if (post_handshake_op(test_ctx)) 1124 return APPLICATION_DATA; 1125 return RENEG_HANDSHAKE; 1126 case RENEG_HANDSHAKE: 1127 return APPLICATION_DATA; 1128 case APPLICATION_DATA: 1129 return SHUTDOWN; 1130 case SHUTDOWN: 1131 return CONNECTION_DONE; 1132 case CONNECTION_DONE: 1133 TEST_error("Trying to progress after connection done"); 1134 break; 1135 } 1136 return -1; 1137 } 1138 1139 static void do_connect_step(const SSL_TEST_CTX *test_ctx, PEER *peer, 1140 connect_phase_t phase) 1141 { 1142 switch (phase) { 1143 case HANDSHAKE: 1144 do_handshake_step(peer); 1145 break; 1146 case RENEG_APPLICATION_DATA: 1147 do_app_data_step(peer); 1148 break; 1149 case RENEG_SETUP: 1150 do_reneg_setup_step(test_ctx, peer); 1151 break; 1152 case RENEG_HANDSHAKE: 1153 do_handshake_step(peer); 1154 break; 1155 case APPLICATION_DATA: 1156 do_app_data_step(peer); 1157 break; 1158 case SHUTDOWN: 1159 do_shutdown_step(peer); 1160 break; 1161 case CONNECTION_DONE: 1162 TEST_error("Action after connection done"); 1163 break; 1164 } 1165 } 1166 1167 typedef enum { 1168 /* Both parties succeeded. */ 1169 HANDSHAKE_SUCCESS, 1170 /* Client errored. */ 1171 CLIENT_ERROR, 1172 /* Server errored. */ 1173 SERVER_ERROR, 1174 /* Peers are in inconsistent state. */ 1175 INTERNAL_ERROR, 1176 /* One or both peers not done. */ 1177 HANDSHAKE_RETRY 1178 } handshake_status_t; 1179 1180 /* 1181 * Determine the handshake outcome. 1182 * last_status: the status of the peer to have acted last. 1183 * previous_status: the status of the peer that didn't act last. 1184 * client_spoke_last: 1 if the client went last. 1185 */ 1186 static handshake_status_t handshake_status(peer_status_t last_status, 1187 peer_status_t previous_status, 1188 int client_spoke_last) 1189 { 1190 switch (last_status) { 1191 case PEER_TEST_FAILURE: 1192 return INTERNAL_ERROR; 1193 1194 case PEER_WAITING: 1195 /* Shouldn't ever happen */ 1196 return INTERNAL_ERROR; 1197 1198 case PEER_SUCCESS: 1199 switch (previous_status) { 1200 case PEER_TEST_FAILURE: 1201 return INTERNAL_ERROR; 1202 case PEER_SUCCESS: 1203 /* Both succeeded. */ 1204 return HANDSHAKE_SUCCESS; 1205 case PEER_WAITING: 1206 case PEER_RETRY: 1207 /* Let the first peer finish. */ 1208 return HANDSHAKE_RETRY; 1209 case PEER_ERROR: 1210 /* 1211 * Second peer succeeded despite the fact that the first peer 1212 * already errored. This shouldn't happen. 1213 */ 1214 return INTERNAL_ERROR; 1215 } 1216 break; 1217 1218 case PEER_RETRY: 1219 return HANDSHAKE_RETRY; 1220 1221 case PEER_ERROR: 1222 switch (previous_status) { 1223 case PEER_TEST_FAILURE: 1224 return INTERNAL_ERROR; 1225 case PEER_WAITING: 1226 /* The client failed immediately before sending the ClientHello */ 1227 return client_spoke_last ? CLIENT_ERROR : INTERNAL_ERROR; 1228 case PEER_SUCCESS: 1229 /* First peer succeeded but second peer errored. */ 1230 return client_spoke_last ? CLIENT_ERROR : SERVER_ERROR; 1231 case PEER_RETRY: 1232 /* We errored; let the peer finish. */ 1233 return HANDSHAKE_RETRY; 1234 case PEER_ERROR: 1235 /* Both peers errored. Return the one that errored first. */ 1236 return client_spoke_last ? SERVER_ERROR : CLIENT_ERROR; 1237 } 1238 } 1239 /* Control should never reach here. */ 1240 return INTERNAL_ERROR; 1241 } 1242 1243 /* Convert unsigned char buf's that shouldn't contain any NUL-bytes to char. */ 1244 static char *dup_str(const unsigned char *in, size_t len) 1245 { 1246 char *ret = NULL; 1247 1248 if (len == 0) 1249 return NULL; 1250 1251 /* Assert that the string does not contain NUL-bytes. */ 1252 if (TEST_size_t_eq(OPENSSL_strnlen((const char *)(in), len), len)) 1253 TEST_ptr(ret = OPENSSL_strndup((const char *)(in), len)); 1254 return ret; 1255 } 1256 1257 static int pkey_type(EVP_PKEY *pkey) 1258 { 1259 if (EVP_PKEY_is_a(pkey, "EC")) { 1260 char name[80]; 1261 size_t name_len; 1262 1263 if (!EVP_PKEY_get_group_name(pkey, name, sizeof(name), &name_len)) 1264 return NID_undef; 1265 return OBJ_txt2nid(name); 1266 } 1267 return EVP_PKEY_get_id(pkey); 1268 } 1269 1270 static int peer_pkey_type(SSL *s) 1271 { 1272 X509 *x = SSL_get0_peer_certificate(s); 1273 1274 if (x != NULL) 1275 return pkey_type(X509_get0_pubkey(x)); 1276 return NID_undef; 1277 } 1278 1279 #if !defined(OPENSSL_NO_SCTP) && !defined(OPENSSL_NO_SOCK) 1280 static int set_sock_as_sctp(int sock) 1281 { 1282 struct sctp_assocparams assocparams; 1283 struct sctp_rtoinfo rto_info; 1284 BIO *tmpbio; 1285 1286 /* 1287 * To allow tests to fail fast (within a second or so), reduce the 1288 * retransmission timeouts and the number of retransmissions. 1289 */ 1290 memset(&rto_info, 0, sizeof(struct sctp_rtoinfo)); 1291 rto_info.srto_initial = 100; 1292 rto_info.srto_max = 200; 1293 rto_info.srto_min = 50; 1294 (void)setsockopt(sock, IPPROTO_SCTP, SCTP_RTOINFO, 1295 (const void *)&rto_info, sizeof(struct sctp_rtoinfo)); 1296 memset(&assocparams, 0, sizeof(struct sctp_assocparams)); 1297 assocparams.sasoc_asocmaxrxt = 2; 1298 (void)setsockopt(sock, IPPROTO_SCTP, SCTP_ASSOCINFO, 1299 (const void *)&assocparams, 1300 sizeof(struct sctp_assocparams)); 1301 1302 /* 1303 * For SCTP we have to set various options on the socket prior to 1304 * connecting. This is done automatically by BIO_new_dgram_sctp(). 1305 * We don't actually need the created BIO though so we free it again 1306 * immediately. 1307 */ 1308 tmpbio = BIO_new_dgram_sctp(sock, BIO_NOCLOSE); 1309 1310 if (tmpbio == NULL) 1311 return 0; 1312 BIO_free(tmpbio); 1313 1314 return 1; 1315 } 1316 1317 static int create_sctp_socks(int *ssock, int *csock) 1318 { 1319 BIO_ADDRINFO *res = NULL; 1320 const BIO_ADDRINFO *ai = NULL; 1321 int lsock = INVALID_SOCKET, asock = INVALID_SOCKET; 1322 int consock = INVALID_SOCKET; 1323 int ret = 0; 1324 int family = 0; 1325 1326 if (BIO_sock_init() != 1) 1327 return 0; 1328 1329 /* 1330 * Port is 4463. It could be anything. It will fail if it's already being 1331 * used for some other SCTP service. It seems unlikely though so we don't 1332 * worry about it here. 1333 */ 1334 if (!BIO_lookup_ex(NULL, "4463", BIO_LOOKUP_SERVER, family, SOCK_STREAM, 1335 IPPROTO_SCTP, &res)) 1336 return 0; 1337 1338 for (ai = res; ai != NULL; ai = BIO_ADDRINFO_next(ai)) { 1339 family = BIO_ADDRINFO_family(ai); 1340 lsock = BIO_socket(family, SOCK_STREAM, IPPROTO_SCTP, 0); 1341 if (lsock == INVALID_SOCKET) { 1342 /* Maybe the kernel doesn't support the socket family, even if 1343 * BIO_lookup() added it in the returned result... 1344 */ 1345 continue; 1346 } 1347 1348 if (!set_sock_as_sctp(lsock) 1349 || !BIO_listen(lsock, BIO_ADDRINFO_address(ai), 1350 BIO_SOCK_REUSEADDR)) { 1351 BIO_closesocket(lsock); 1352 lsock = INVALID_SOCKET; 1353 continue; 1354 } 1355 1356 /* Success, don't try any more addresses */ 1357 break; 1358 } 1359 1360 if (lsock == INVALID_SOCKET) 1361 goto err; 1362 1363 BIO_ADDRINFO_free(res); 1364 res = NULL; 1365 1366 if (!BIO_lookup_ex(NULL, "4463", BIO_LOOKUP_CLIENT, family, SOCK_STREAM, 1367 IPPROTO_SCTP, &res)) 1368 goto err; 1369 1370 consock = BIO_socket(family, SOCK_STREAM, IPPROTO_SCTP, 0); 1371 if (consock == INVALID_SOCKET) 1372 goto err; 1373 1374 if (!set_sock_as_sctp(consock) 1375 || !BIO_connect(consock, BIO_ADDRINFO_address(res), 0) 1376 || !BIO_socket_nbio(consock, 1)) 1377 goto err; 1378 1379 asock = BIO_accept_ex(lsock, NULL, BIO_SOCK_NONBLOCK); 1380 if (asock == INVALID_SOCKET) 1381 goto err; 1382 1383 *csock = consock; 1384 *ssock = asock; 1385 consock = asock = INVALID_SOCKET; 1386 ret = 1; 1387 1388 err: 1389 BIO_ADDRINFO_free(res); 1390 if (consock != INVALID_SOCKET) 1391 BIO_closesocket(consock); 1392 if (lsock != INVALID_SOCKET) 1393 BIO_closesocket(lsock); 1394 if (asock != INVALID_SOCKET) 1395 BIO_closesocket(asock); 1396 return ret; 1397 } 1398 #endif 1399 1400 /* 1401 * Note that |extra| points to the correct client/server configuration 1402 * within |test_ctx|. When configuring the handshake, general mode settings 1403 * are taken from |test_ctx|, and client/server-specific settings should be 1404 * taken from |extra|. 1405 * 1406 * The configuration code should never reach into |test_ctx->extra| or 1407 * |test_ctx->resume_extra| directly. 1408 * 1409 * (We could refactor test mode settings into a substructure. This would result 1410 * in cleaner argument passing but would complicate the test configuration 1411 * parsing.) 1412 */ 1413 static HANDSHAKE_RESULT *do_handshake_internal( 1414 SSL_CTX *server_ctx, SSL_CTX *server2_ctx, SSL_CTX *client_ctx, 1415 const SSL_TEST_CTX *test_ctx, const SSL_TEST_EXTRA_CONF *extra, 1416 SSL_SESSION *session_in, SSL_SESSION *serv_sess_in, 1417 SSL_SESSION **session_out, SSL_SESSION **serv_sess_out) 1418 { 1419 PEER server, client; 1420 BIO *client_to_server = NULL, *server_to_client = NULL; 1421 HANDSHAKE_EX_DATA server_ex_data, client_ex_data; 1422 CTX_DATA client_ctx_data, server_ctx_data, server2_ctx_data; 1423 HANDSHAKE_RESULT *ret = HANDSHAKE_RESULT_new(); 1424 int client_turn = 1, client_turn_count = 0, client_wait_count = 0; 1425 connect_phase_t phase = HANDSHAKE; 1426 handshake_status_t status = HANDSHAKE_RETRY; 1427 const unsigned char *tick = NULL; 1428 size_t tick_len = 0; 1429 const unsigned char *sess_id = NULL; 1430 unsigned int sess_id_len = 0; 1431 SSL_SESSION *sess = NULL; 1432 const unsigned char *proto = NULL; 1433 /* API dictates unsigned int rather than size_t. */ 1434 unsigned int proto_len = 0; 1435 EVP_PKEY *tmp_key; 1436 const STACK_OF(X509_NAME) *names; 1437 time_t start; 1438 const char *cipher; 1439 1440 if (ret == NULL) 1441 return NULL; 1442 1443 memset(&server_ctx_data, 0, sizeof(server_ctx_data)); 1444 memset(&server2_ctx_data, 0, sizeof(server2_ctx_data)); 1445 memset(&client_ctx_data, 0, sizeof(client_ctx_data)); 1446 memset(&server, 0, sizeof(server)); 1447 memset(&client, 0, sizeof(client)); 1448 memset(&server_ex_data, 0, sizeof(server_ex_data)); 1449 memset(&client_ex_data, 0, sizeof(client_ex_data)); 1450 1451 if (!configure_handshake_ctx(server_ctx, server2_ctx, client_ctx, 1452 test_ctx, extra, &server_ctx_data, 1453 &server2_ctx_data, &client_ctx_data)) { 1454 TEST_note("configure_handshake_ctx"); 1455 HANDSHAKE_RESULT_free(ret); 1456 return NULL; 1457 } 1458 1459 #if !defined(OPENSSL_NO_SCTP) && !defined(OPENSSL_NO_SOCK) 1460 if (test_ctx->enable_client_sctp_label_bug) 1461 SSL_CTX_set_mode(client_ctx, SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG); 1462 if (test_ctx->enable_server_sctp_label_bug) 1463 SSL_CTX_set_mode(server_ctx, SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG); 1464 #endif 1465 1466 /* Setup SSL and buffers; additional configuration happens below. */ 1467 if (!create_peer(&server, server_ctx)) { 1468 TEST_note("creating server context"); 1469 goto err; 1470 } 1471 if (!create_peer(&client, client_ctx)) { 1472 TEST_note("creating client context"); 1473 goto err; 1474 } 1475 1476 server.bytes_to_write = client.bytes_to_read = test_ctx->app_data_size; 1477 client.bytes_to_write = server.bytes_to_read = test_ctx->app_data_size; 1478 1479 configure_handshake_ssl(server.ssl, client.ssl, extra); 1480 if (session_in != NULL) { 1481 SSL_SESSION_get_id(serv_sess_in, &sess_id_len); 1482 /* In case we're testing resumption without tickets. */ 1483 if ((sess_id_len > 0 1484 && !TEST_true(SSL_CTX_add_session(server_ctx, 1485 serv_sess_in))) 1486 || !TEST_true(SSL_set_session(client.ssl, session_in))) 1487 goto err; 1488 sess_id_len = 0; 1489 } 1490 1491 ret->result = SSL_TEST_INTERNAL_ERROR; 1492 1493 if (test_ctx->use_sctp) { 1494 #if !defined(OPENSSL_NO_SCTP) && !defined(OPENSSL_NO_SOCK) 1495 int csock, ssock; 1496 1497 if (create_sctp_socks(&ssock, &csock)) { 1498 client_to_server = BIO_new_dgram_sctp(csock, BIO_CLOSE); 1499 server_to_client = BIO_new_dgram_sctp(ssock, BIO_CLOSE); 1500 } 1501 #endif 1502 } else { 1503 client_to_server = BIO_new(BIO_s_mem()); 1504 server_to_client = BIO_new(BIO_s_mem()); 1505 } 1506 1507 if (!TEST_ptr(client_to_server) 1508 || !TEST_ptr(server_to_client)) 1509 goto err; 1510 1511 /* Non-blocking bio. */ 1512 BIO_set_nbio(client_to_server, 1); 1513 BIO_set_nbio(server_to_client, 1); 1514 1515 SSL_set_connect_state(client.ssl); 1516 SSL_set_accept_state(server.ssl); 1517 1518 /* The bios are now owned by the SSL object. */ 1519 if (test_ctx->use_sctp) { 1520 SSL_set_bio(client.ssl, client_to_server, client_to_server); 1521 SSL_set_bio(server.ssl, server_to_client, server_to_client); 1522 } else { 1523 SSL_set_bio(client.ssl, server_to_client, client_to_server); 1524 if (!TEST_int_gt(BIO_up_ref(server_to_client), 0) 1525 || !TEST_int_gt(BIO_up_ref(client_to_server), 0)) 1526 goto err; 1527 SSL_set_bio(server.ssl, client_to_server, server_to_client); 1528 } 1529 1530 ex_data_idx = SSL_get_ex_new_index(0, "ex data", NULL, NULL, NULL); 1531 if (!TEST_int_ge(ex_data_idx, 0) 1532 || !TEST_int_eq(SSL_set_ex_data(server.ssl, ex_data_idx, &server_ex_data), 1) 1533 || !TEST_int_eq(SSL_set_ex_data(client.ssl, ex_data_idx, &client_ex_data), 1)) 1534 goto err; 1535 1536 SSL_set_info_callback(server.ssl, &info_cb); 1537 SSL_set_info_callback(client.ssl, &info_cb); 1538 1539 client.status = PEER_RETRY; 1540 server.status = PEER_WAITING; 1541 1542 start = time(NULL); 1543 1544 /* 1545 * Half-duplex handshake loop. 1546 * Client and server speak to each other synchronously in the same process. 1547 * We use non-blocking BIOs, so whenever one peer blocks for read, it 1548 * returns PEER_RETRY to indicate that it's the other peer's turn to write. 1549 * The handshake succeeds once both peers have succeeded. If one peer 1550 * errors out, we also let the other peer retry (and presumably fail). 1551 */ 1552 for (;;) { 1553 if (client_turn) { 1554 do_connect_step(test_ctx, &client, phase); 1555 status = handshake_status(client.status, server.status, 1556 1 /* client went last */); 1557 if (server.status == PEER_WAITING) 1558 server.status = PEER_RETRY; 1559 } else { 1560 do_connect_step(test_ctx, &server, phase); 1561 status = handshake_status(server.status, client.status, 1562 0 /* server went last */); 1563 } 1564 1565 switch (status) { 1566 case HANDSHAKE_SUCCESS: 1567 client_turn_count = 0; 1568 phase = next_phase(test_ctx, phase); 1569 if (phase == CONNECTION_DONE) { 1570 ret->result = SSL_TEST_SUCCESS; 1571 goto err; 1572 } else { 1573 client.status = server.status = PEER_RETRY; 1574 /* 1575 * For now, client starts each phase. Since each phase is 1576 * started separately, we can later control this more 1577 * precisely, for example, to test client-initiated and 1578 * server-initiated shutdown. 1579 */ 1580 client_turn = 1; 1581 break; 1582 } 1583 case CLIENT_ERROR: 1584 ret->result = SSL_TEST_CLIENT_FAIL; 1585 goto err; 1586 case SERVER_ERROR: 1587 ret->result = SSL_TEST_SERVER_FAIL; 1588 goto err; 1589 case INTERNAL_ERROR: 1590 ret->result = SSL_TEST_INTERNAL_ERROR; 1591 goto err; 1592 case HANDSHAKE_RETRY: 1593 if (test_ctx->use_sctp) { 1594 if (time(NULL) - start > 3) { 1595 /* 1596 * We've waited for too long. Give up. 1597 */ 1598 ret->result = SSL_TEST_INTERNAL_ERROR; 1599 goto err; 1600 } 1601 /* 1602 * With "real" sockets we only swap to processing the peer 1603 * if they are expecting to retry. Otherwise we just retry the 1604 * same endpoint again. 1605 */ 1606 if ((client_turn && server.status == PEER_RETRY) 1607 || (!client_turn && client.status == PEER_RETRY)) 1608 client_turn ^= 1; 1609 } else { 1610 if (client_turn_count++ >= 2000) { 1611 /* 1612 * At this point, there's been so many PEER_RETRY in a row 1613 * that it's likely both sides are stuck waiting for a read. 1614 * It's time to give up. 1615 */ 1616 ret->result = SSL_TEST_INTERNAL_ERROR; 1617 goto err; 1618 } 1619 if (client_turn && server.status == PEER_SUCCESS) { 1620 /* 1621 * The server may finish before the client because the 1622 * client spends some turns processing NewSessionTickets. 1623 */ 1624 if (client_wait_count++ >= 2) { 1625 ret->result = SSL_TEST_INTERNAL_ERROR; 1626 goto err; 1627 } 1628 } else { 1629 /* Continue. */ 1630 client_turn ^= 1; 1631 } 1632 } 1633 break; 1634 } 1635 } 1636 err: 1637 ret->server_alert_sent = server_ex_data.alert_sent; 1638 ret->server_num_fatal_alerts_sent = server_ex_data.num_fatal_alerts_sent; 1639 ret->server_alert_received = client_ex_data.alert_received; 1640 ret->client_alert_sent = client_ex_data.alert_sent; 1641 ret->client_num_fatal_alerts_sent = client_ex_data.num_fatal_alerts_sent; 1642 ret->client_alert_received = server_ex_data.alert_received; 1643 ret->server_protocol = SSL_version(server.ssl); 1644 ret->client_protocol = SSL_version(client.ssl); 1645 ret->servername = server_ex_data.servername; 1646 if ((sess = SSL_get0_session(client.ssl)) != NULL) { 1647 SSL_SESSION_get0_ticket(sess, &tick, &tick_len); 1648 sess_id = SSL_SESSION_get_id(sess, &sess_id_len); 1649 } 1650 if (tick == NULL || tick_len == 0) 1651 ret->session_ticket = SSL_TEST_SESSION_TICKET_NO; 1652 else 1653 ret->session_ticket = SSL_TEST_SESSION_TICKET_YES; 1654 ret->compression = (SSL_get_current_compression(client.ssl) == NULL) 1655 ? SSL_TEST_COMPRESSION_NO 1656 : SSL_TEST_COMPRESSION_YES; 1657 if (sess_id == NULL || sess_id_len == 0) 1658 ret->session_id = SSL_TEST_SESSION_ID_NO; 1659 else 1660 ret->session_id = SSL_TEST_SESSION_ID_YES; 1661 ret->session_ticket_do_not_call = server_ex_data.session_ticket_do_not_call; 1662 1663 if (extra->client.verify_callback == SSL_TEST_VERIFY_RETRY_ONCE 1664 && n_retries != -1) 1665 ret->result = SSL_TEST_SERVER_FAIL; 1666 1667 #ifndef OPENSSL_NO_NEXTPROTONEG 1668 SSL_get0_next_proto_negotiated(client.ssl, &proto, &proto_len); 1669 ret->client_npn_negotiated = dup_str(proto, proto_len); 1670 1671 SSL_get0_next_proto_negotiated(server.ssl, &proto, &proto_len); 1672 ret->server_npn_negotiated = dup_str(proto, proto_len); 1673 #endif 1674 1675 SSL_get0_alpn_selected(client.ssl, &proto, &proto_len); 1676 ret->client_alpn_negotiated = dup_str(proto, proto_len); 1677 1678 SSL_get0_alpn_selected(server.ssl, &proto, &proto_len); 1679 ret->server_alpn_negotiated = dup_str(proto, proto_len); 1680 1681 if ((sess = SSL_get0_session(server.ssl)) != NULL) { 1682 SSL_SESSION_get0_ticket_appdata(sess, (void **)&tick, &tick_len); 1683 ret->result_session_ticket_app_data = OPENSSL_strndup((const char *)tick, tick_len); 1684 } 1685 1686 ret->client_resumed = SSL_session_reused(client.ssl); 1687 ret->server_resumed = SSL_session_reused(server.ssl); 1688 1689 cipher = SSL_CIPHER_get_name(SSL_get_current_cipher(client.ssl)); 1690 ret->cipher = dup_str((const unsigned char *)cipher, strlen(cipher)); 1691 1692 if (session_out != NULL) 1693 *session_out = SSL_get1_session(client.ssl); 1694 if (serv_sess_out != NULL) { 1695 SSL_SESSION *tmp = SSL_get_session(server.ssl); 1696 1697 /* 1698 * We create a fresh copy that is not in the server session ctx linked 1699 * list. 1700 */ 1701 if (tmp != NULL) 1702 *serv_sess_out = SSL_SESSION_dup(tmp); 1703 } 1704 1705 if (SSL_get_peer_tmp_key(client.ssl, &tmp_key)) { 1706 ret->tmp_key_type = pkey_type(tmp_key); 1707 EVP_PKEY_free(tmp_key); 1708 } 1709 1710 SSL_get_peer_signature_nid(client.ssl, &ret->server_sign_hash); 1711 SSL_get_peer_signature_nid(server.ssl, &ret->client_sign_hash); 1712 1713 SSL_get_peer_signature_type_nid(client.ssl, &ret->server_sign_type); 1714 SSL_get_peer_signature_type_nid(server.ssl, &ret->client_sign_type); 1715 1716 names = SSL_get0_peer_CA_list(client.ssl); 1717 if (names == NULL) 1718 ret->client_ca_names = NULL; 1719 else 1720 ret->client_ca_names = SSL_dup_CA_list(names); 1721 1722 names = SSL_get0_peer_CA_list(server.ssl); 1723 if (names == NULL) 1724 ret->server_ca_names = NULL; 1725 else 1726 ret->server_ca_names = SSL_dup_CA_list(names); 1727 1728 ret->server_cert_type = peer_pkey_type(client.ssl); 1729 ret->client_cert_type = peer_pkey_type(server.ssl); 1730 1731 ctx_data_free_data(&server_ctx_data); 1732 ctx_data_free_data(&server2_ctx_data); 1733 ctx_data_free_data(&client_ctx_data); 1734 1735 peer_free_data(&server); 1736 peer_free_data(&client); 1737 return ret; 1738 } 1739 1740 HANDSHAKE_RESULT *do_handshake(SSL_CTX *server_ctx, SSL_CTX *server2_ctx, 1741 SSL_CTX *client_ctx, SSL_CTX *resume_server_ctx, 1742 SSL_CTX *resume_client_ctx, 1743 const SSL_TEST_CTX *test_ctx) 1744 { 1745 HANDSHAKE_RESULT *result; 1746 SSL_SESSION *session = NULL, *serv_sess = NULL; 1747 1748 result = do_handshake_internal(server_ctx, server2_ctx, client_ctx, 1749 test_ctx, &test_ctx->extra, 1750 NULL, NULL, &session, &serv_sess); 1751 if (result == NULL 1752 || test_ctx->handshake_mode != SSL_TEST_HANDSHAKE_RESUME 1753 || result->result == SSL_TEST_INTERNAL_ERROR) 1754 goto end; 1755 1756 if (result->result != SSL_TEST_SUCCESS) { 1757 result->result = SSL_TEST_FIRST_HANDSHAKE_FAILED; 1758 goto end; 1759 } 1760 1761 HANDSHAKE_RESULT_free(result); 1762 /* We don't support SNI on second handshake yet, so server2_ctx is NULL. */ 1763 result = do_handshake_internal(resume_server_ctx, NULL, resume_client_ctx, 1764 test_ctx, &test_ctx->resume_extra, 1765 session, serv_sess, NULL, NULL); 1766 end: 1767 SSL_SESSION_free(session); 1768 SSL_SESSION_free(serv_sess); 1769 return result; 1770 } 1771
Indexes created Sat Feb 28 05:31:39 UTC 2026