1 /* 2 * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <string.h> 11 12 #include <openssl/bio.h> 13 #include <openssl/x509_vfy.h> 14 #include <openssl/ssl.h> 15 #ifndef OPENSSL_NO_SRP 16 #include <openssl/srp.h> 17 #endif 18 19 #include "../ssl/ssl_local.h" 20 #include "internal/sockets.h" 21 #include "internal/nelem.h" 22 #include "handshake_helper.h" 23 #include "testutil.h" 24 25 #if !defined(OPENSSL_NO_SCTP) && !defined(OPENSSL_NO_SOCK) 26 #include <netinet/sctp.h> 27 #endif 28 29 HANDSHAKE_RESULT *HANDSHAKE_RESULT_new(void) 30 { 31 HANDSHAKE_RESULT *ret; 32 33 TEST_ptr(ret = OPENSSL_zalloc(sizeof(*ret))); 34 return ret; 35 } 36 37 void HANDSHAKE_RESULT_free(HANDSHAKE_RESULT *result) 38 { 39 if (result == NULL) 40 return; 41 OPENSSL_free(result->client_npn_negotiated); 42 OPENSSL_free(result->server_npn_negotiated); 43 OPENSSL_free(result->client_alpn_negotiated); 44 OPENSSL_free(result->server_alpn_negotiated); 45 OPENSSL_free(result->result_session_ticket_app_data); 46 sk_X509_NAME_pop_free(result->server_ca_names, X509_NAME_free); 47 sk_X509_NAME_pop_free(result->client_ca_names, X509_NAME_free); 48 OPENSSL_free(result->cipher); 49 OPENSSL_free(result); 50 } 51 52 /* 53 * Since there appears to be no way to extract the sent/received alert 54 * from the SSL object directly, we use the info callback and stash 55 * the result in ex_data. 56 */ 57 typedef struct handshake_ex_data_st { 58 int alert_sent; 59 int num_fatal_alerts_sent; 60 int alert_received; 61 int session_ticket_do_not_call; 62 ssl_servername_t servername; 63 } HANDSHAKE_EX_DATA; 64 65 typedef struct ctx_data_st { 66 unsigned char *npn_protocols; 67 size_t npn_protocols_len; 68 unsigned char *alpn_protocols; 69 size_t alpn_protocols_len; 70 char *srp_user; 71 char *srp_password; 72 char *session_ticket_app_data; 73 } CTX_DATA; 74 75 /* |ctx_data| itself is stack-allocated. */ 76 static void ctx_data_free_data(CTX_DATA *ctx_data) 77 { 78 OPENSSL_free(ctx_data->npn_protocols); 79 ctx_data->npn_protocols = NULL; 80 OPENSSL_free(ctx_data->alpn_protocols); 81 ctx_data->alpn_protocols = NULL; 82 OPENSSL_free(ctx_data->srp_user); 83 ctx_data->srp_user = NULL; 84 OPENSSL_free(ctx_data->srp_password); 85 ctx_data->srp_password = NULL; 86 OPENSSL_free(ctx_data->session_ticket_app_data); 87 ctx_data->session_ticket_app_data = NULL; 88 } 89 90 static int ex_data_idx; 91 92 static void info_cb(const SSL *s, int where, int ret) 93 { 94 if (where & SSL_CB_ALERT) { 95 HANDSHAKE_EX_DATA *ex_data = 96 (HANDSHAKE_EX_DATA*)(SSL_get_ex_data(s, ex_data_idx)); 97 if (where & SSL_CB_WRITE) { 98 ex_data->alert_sent = ret; 99 if (strcmp(SSL_alert_type_string(ret), "F") == 0 100 || strcmp(SSL_alert_desc_string(ret), "CN") == 0) 101 ex_data->num_fatal_alerts_sent++; 102 } else { 103 ex_data->alert_received = ret; 104 } 105 } 106 } 107 108 /* Select the appropriate server CTX. 109 * Returns SSL_TLSEXT_ERR_OK if a match was found. 110 * If |ignore| is 1, returns SSL_TLSEXT_ERR_NOACK on mismatch. 111 * Otherwise, returns SSL_TLSEXT_ERR_ALERT_FATAL on mismatch. 112 * An empty SNI extension also returns SSL_TSLEXT_ERR_NOACK. 113 */ 114 static int select_server_ctx(SSL *s, void *arg, int ignore) 115 { 116 const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name); 117 HANDSHAKE_EX_DATA *ex_data = 118 (HANDSHAKE_EX_DATA*)(SSL_get_ex_data(s, ex_data_idx)); 119 120 if (servername == NULL) { 121 ex_data->servername = SSL_TEST_SERVERNAME_SERVER1; 122 return SSL_TLSEXT_ERR_NOACK; 123 } 124 125 if (strcmp(servername, "server2") == 0) { 126 SSL_CTX *new_ctx = (SSL_CTX*)arg; 127 SSL_set_SSL_CTX(s, new_ctx); 128 /* 129 * Copy over all the SSL_CTX options - reasonable behavior 130 * allows testing of cases where the options between two 131 * contexts differ/conflict 132 */ 133 SSL_clear_options(s, 0xFFFFFFFFL); 134 SSL_set_options(s, SSL_CTX_get_options(new_ctx)); 135 136 ex_data->servername = SSL_TEST_SERVERNAME_SERVER2; 137 return SSL_TLSEXT_ERR_OK; 138 } else if (strcmp(servername, "server1") == 0) { 139 ex_data->servername = SSL_TEST_SERVERNAME_SERVER1; 140 return SSL_TLSEXT_ERR_OK; 141 } else if (ignore) { 142 ex_data->servername = SSL_TEST_SERVERNAME_SERVER1; 143 return SSL_TLSEXT_ERR_NOACK; 144 } else { 145 /* Don't set an explicit alert, to test library defaults. */ 146 return SSL_TLSEXT_ERR_ALERT_FATAL; 147 } 148 } 149 150 static int client_hello_select_server_ctx(SSL *s, void *arg, int ignore) 151 { 152 const char *servername; 153 const unsigned char *p; 154 size_t len, remaining; 155 HANDSHAKE_EX_DATA *ex_data = 156 (HANDSHAKE_EX_DATA*)(SSL_get_ex_data(s, ex_data_idx)); 157 158 /* 159 * The server_name extension was given too much extensibility when it 160 * was written, so parsing the normal case is a bit complex. 161 */ 162 if (!SSL_client_hello_get0_ext(s, TLSEXT_TYPE_server_name, &p, 163 &remaining) || 164 remaining <= 2) 165 return 0; 166 /* Extract the length of the supplied list of names. */ 167 len = (*(p++) << 8); 168 len += *(p++); 169 if (len + 2 != remaining) 170 return 0; 171 remaining = len; 172 /* 173 * The list in practice only has a single element, so we only consider 174 * the first one. 175 */ 176 if (remaining == 0 || *p++ != TLSEXT_NAMETYPE_host_name) 177 return 0; 178 remaining--; 179 /* Now we can finally pull out the byte array with the actual hostname. */ 180 if (remaining <= 2) 181 return 0; 182 len = (*(p++) << 8); 183 len += *(p++); 184 if (len + 2 > remaining) 185 return 0; 186 remaining = len; 187 servername = (const char *)p; 188 189 if (len == strlen("server2") && strncmp(servername, "server2", len) == 0) { 190 SSL_CTX *new_ctx = arg; 191 SSL_set_SSL_CTX(s, new_ctx); 192 /* 193 * Copy over all the SSL_CTX options - reasonable behavior 194 * allows testing of cases where the options between two 195 * contexts differ/conflict 196 */ 197 SSL_clear_options(s, 0xFFFFFFFFL); 198 SSL_set_options(s, SSL_CTX_get_options(new_ctx)); 199 200 ex_data->servername = SSL_TEST_SERVERNAME_SERVER2; 201 return 1; 202 } else if (len == strlen("server1") && 203 strncmp(servername, "server1", len) == 0) { 204 ex_data->servername = SSL_TEST_SERVERNAME_SERVER1; 205 return 1; 206 } else if (ignore) { 207 ex_data->servername = SSL_TEST_SERVERNAME_SERVER1; 208 return 1; 209 } 210 return 0; 211 } 212 /* 213 * (RFC 6066): 214 * If the server understood the ClientHello extension but 215 * does not recognize the server name, the server SHOULD take one of two 216 * actions: either abort the handshake by sending a fatal-level 217 * unrecognized_name(112) alert or continue the handshake. 218 * 219 * This behaviour is up to the application to configure; we test both 220 * configurations to ensure the state machine propagates the result 221 * correctly. 222 */ 223 static int servername_ignore_cb(SSL *s, int *ad, void *arg) 224 { 225 return select_server_ctx(s, arg, 1); 226 } 227 228 static int servername_reject_cb(SSL *s, int *ad, void *arg) 229 { 230 return select_server_ctx(s, arg, 0); 231 } 232 233 static int client_hello_ignore_cb(SSL *s, int *al, void *arg) 234 { 235 if (!client_hello_select_server_ctx(s, arg, 1)) { 236 *al = SSL_AD_UNRECOGNIZED_NAME; 237 return SSL_CLIENT_HELLO_ERROR; 238 } 239 return SSL_CLIENT_HELLO_SUCCESS; 240 } 241 242 static int client_hello_reject_cb(SSL *s, int *al, void *arg) 243 { 244 if (!client_hello_select_server_ctx(s, arg, 0)) { 245 *al = SSL_AD_UNRECOGNIZED_NAME; 246 return SSL_CLIENT_HELLO_ERROR; 247 } 248 return SSL_CLIENT_HELLO_SUCCESS; 249 } 250 251 static int client_hello_nov12_cb(SSL *s, int *al, void *arg) 252 { 253 int ret; 254 unsigned int v; 255 const unsigned char *p; 256 257 v = SSL_client_hello_get0_legacy_version(s); 258 if (v > TLS1_2_VERSION || v < SSL3_VERSION) { 259 *al = SSL_AD_PROTOCOL_VERSION; 260 return SSL_CLIENT_HELLO_ERROR; 261 } 262 (void)SSL_client_hello_get0_session_id(s, &p); 263 if (p == NULL || 264 SSL_client_hello_get0_random(s, &p) == 0 || 265 SSL_client_hello_get0_ciphers(s, &p) == 0 || 266 SSL_client_hello_get0_compression_methods(s, &p) == 0) { 267 *al = SSL_AD_INTERNAL_ERROR; 268 return SSL_CLIENT_HELLO_ERROR; 269 } 270 ret = client_hello_select_server_ctx(s, arg, 0); 271 SSL_set_max_proto_version(s, TLS1_1_VERSION); 272 if (!ret) { 273 *al = SSL_AD_UNRECOGNIZED_NAME; 274 return SSL_CLIENT_HELLO_ERROR; 275 } 276 return SSL_CLIENT_HELLO_SUCCESS; 277 } 278 279 static unsigned char dummy_ocsp_resp_good_val = 0xff; 280 static unsigned char dummy_ocsp_resp_bad_val = 0xfe; 281 282 static int server_ocsp_cb(SSL *s, void *arg) 283 { 284 unsigned char *resp; 285 286 resp = OPENSSL_malloc(1); 287 if (resp == NULL) 288 return SSL_TLSEXT_ERR_ALERT_FATAL; 289 /* 290 * For the purposes of testing we just send back a dummy OCSP response 291 */ 292 *resp = *(unsigned char *)arg; 293 if (!SSL_set_tlsext_status_ocsp_resp(s, resp, 1)) 294 return SSL_TLSEXT_ERR_ALERT_FATAL; 295 296 return SSL_TLSEXT_ERR_OK; 297 } 298 299 static int client_ocsp_cb(SSL *s, void *arg) 300 { 301 const unsigned char *resp; 302 int len; 303 304 len = SSL_get_tlsext_status_ocsp_resp(s, &resp); 305 if (len != 1 || *resp != dummy_ocsp_resp_good_val) 306 return 0; 307 308 return 1; 309 } 310 311 static int verify_reject_cb(X509_STORE_CTX *ctx, void *arg) { 312 X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION); 313 return 0; 314 } 315 316 static int verify_accept_cb(X509_STORE_CTX *ctx, void *arg) { 317 return 1; 318 } 319 320 static int broken_session_ticket_cb(SSL *s, unsigned char *key_name, unsigned char *iv, 321 EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int enc) 322 { 323 return 0; 324 } 325 326 static int do_not_call_session_ticket_cb(SSL *s, unsigned char *key_name, 327 unsigned char *iv, 328 EVP_CIPHER_CTX *ctx, 329 HMAC_CTX *hctx, int enc) 330 { 331 HANDSHAKE_EX_DATA *ex_data = 332 (HANDSHAKE_EX_DATA*)(SSL_get_ex_data(s, ex_data_idx)); 333 ex_data->session_ticket_do_not_call = 1; 334 return 0; 335 } 336 337 /* Parse the comma-separated list into TLS format. */ 338 static int parse_protos(const char *protos, unsigned char **out, size_t *outlen) 339 { 340 size_t len, i, prefix; 341 342 len = strlen(protos); 343 344 /* Should never have reuse. */ 345 if (!TEST_ptr_null(*out) 346 /* Test values are small, so we omit length limit checks. */ 347 || !TEST_ptr(*out = OPENSSL_malloc(len + 1))) 348 return 0; 349 *outlen = len + 1; 350 351 /* 352 * foo => '3', 'f', 'o', 'o' 353 * foo,bar => '3', 'f', 'o', 'o', '3', 'b', 'a', 'r' 354 */ 355 memcpy(*out + 1, protos, len); 356 357 prefix = 0; 358 i = prefix + 1; 359 while (i <= len) { 360 if ((*out)[i] == ',') { 361 if (!TEST_int_gt(i - 1, prefix)) 362 goto err; 363 (*out)[prefix] = (unsigned char)(i - 1 - prefix); 364 prefix = i; 365 } 366 i++; 367 } 368 if (!TEST_int_gt(len, prefix)) 369 goto err; 370 (*out)[prefix] = (unsigned char)(len - prefix); 371 return 1; 372 373 err: 374 OPENSSL_free(*out); 375 *out = NULL; 376 return 0; 377 } 378 379 #ifndef OPENSSL_NO_NEXTPROTONEG 380 /* 381 * The client SHOULD select the first protocol advertised by the server that it 382 * also supports. In the event that the client doesn't support any of server's 383 * protocols, or the server doesn't advertise any, it SHOULD select the first 384 * protocol that it supports. 385 */ 386 static int client_npn_cb(SSL *s, unsigned char **out, unsigned char *outlen, 387 const unsigned char *in, unsigned int inlen, 388 void *arg) 389 { 390 CTX_DATA *ctx_data = (CTX_DATA*)(arg); 391 int ret; 392 393 ret = SSL_select_next_proto(out, outlen, in, inlen, 394 ctx_data->npn_protocols, 395 ctx_data->npn_protocols_len); 396 /* Accept both OPENSSL_NPN_NEGOTIATED and OPENSSL_NPN_NO_OVERLAP. */ 397 return TEST_true(ret == OPENSSL_NPN_NEGOTIATED || ret == OPENSSL_NPN_NO_OVERLAP) 398 ? SSL_TLSEXT_ERR_OK : SSL_TLSEXT_ERR_ALERT_FATAL; 399 } 400 401 static int server_npn_cb(SSL *s, const unsigned char **data, 402 unsigned int *len, void *arg) 403 { 404 CTX_DATA *ctx_data = (CTX_DATA*)(arg); 405 *data = ctx_data->npn_protocols; 406 *len = ctx_data->npn_protocols_len; 407 return SSL_TLSEXT_ERR_OK; 408 } 409 #endif 410 411 /* 412 * The server SHOULD select the most highly preferred protocol that it supports 413 * and that is also advertised by the client. In the event that the server 414 * supports no protocols that the client advertises, then the server SHALL 415 * respond with a fatal "no_application_protocol" alert. 416 */ 417 static int server_alpn_cb(SSL *s, const unsigned char **out, 418 unsigned char *outlen, const unsigned char *in, 419 unsigned int inlen, void *arg) 420 { 421 CTX_DATA *ctx_data = (CTX_DATA*)(arg); 422 int ret; 423 424 /* SSL_select_next_proto isn't const-correct... */ 425 unsigned char *tmp_out; 426 427 /* 428 * The result points either to |in| or to |ctx_data->alpn_protocols|. 429 * The callback is allowed to point to |in| or to a long-lived buffer, 430 * so we can return directly without storing a copy. 431 */ 432 ret = SSL_select_next_proto(&tmp_out, outlen, 433 ctx_data->alpn_protocols, 434 ctx_data->alpn_protocols_len, in, inlen); 435 436 *out = tmp_out; 437 /* Unlike NPN, we don't tolerate a mismatch. */ 438 return ret == OPENSSL_NPN_NEGOTIATED ? SSL_TLSEXT_ERR_OK 439 : SSL_TLSEXT_ERR_ALERT_FATAL; 440 } 441 442 #ifndef OPENSSL_NO_SRP 443 static char *client_srp_cb(SSL *s, void *arg) 444 { 445 CTX_DATA *ctx_data = (CTX_DATA*)(arg); 446 return OPENSSL_strdup(ctx_data->srp_password); 447 } 448 449 static int server_srp_cb(SSL *s, int *ad, void *arg) 450 { 451 CTX_DATA *ctx_data = (CTX_DATA*)(arg); 452 if (strcmp(ctx_data->srp_user, SSL_get_srp_username(s)) != 0) 453 return SSL3_AL_FATAL; 454 if (SSL_set_srp_server_param_pw(s, ctx_data->srp_user, 455 ctx_data->srp_password, 456 "2048" /* known group */) < 0) { 457 *ad = SSL_AD_INTERNAL_ERROR; 458 return SSL3_AL_FATAL; 459 } 460 return SSL_ERROR_NONE; 461 } 462 #endif /* !OPENSSL_NO_SRP */ 463 464 static int generate_session_ticket_cb(SSL *s, void *arg) 465 { 466 CTX_DATA *server_ctx_data = arg; 467 SSL_SESSION *ss = SSL_get_session(s); 468 char *app_data = server_ctx_data->session_ticket_app_data; 469 470 if (ss == NULL || app_data == NULL) 471 return 0; 472 473 return SSL_SESSION_set1_ticket_appdata(ss, app_data, strlen(app_data)); 474 } 475 476 static int decrypt_session_ticket_cb(SSL *s, SSL_SESSION *ss, 477 const unsigned char *keyname, 478 size_t keyname_len, 479 SSL_TICKET_STATUS status, 480 void *arg) 481 { 482 switch (status) { 483 case SSL_TICKET_EMPTY: 484 case SSL_TICKET_NO_DECRYPT: 485 return SSL_TICKET_RETURN_IGNORE_RENEW; 486 case SSL_TICKET_SUCCESS: 487 return SSL_TICKET_RETURN_USE; 488 case SSL_TICKET_SUCCESS_RENEW: 489 return SSL_TICKET_RETURN_USE_RENEW; 490 default: 491 break; 492 } 493 return SSL_TICKET_RETURN_ABORT; 494 } 495 496 /* 497 * Configure callbacks and other properties that can't be set directly 498 * in the server/client CONF. 499 */ 500 static int configure_handshake_ctx(SSL_CTX *server_ctx, SSL_CTX *server2_ctx, 501 SSL_CTX *client_ctx, 502 const SSL_TEST_CTX *test, 503 const SSL_TEST_EXTRA_CONF *extra, 504 CTX_DATA *server_ctx_data, 505 CTX_DATA *server2_ctx_data, 506 CTX_DATA *client_ctx_data) 507 { 508 unsigned char *ticket_keys; 509 size_t ticket_key_len; 510 511 if (!TEST_int_eq(SSL_CTX_set_max_send_fragment(server_ctx, 512 test->max_fragment_size), 1)) 513 goto err; 514 if (server2_ctx != NULL) { 515 if (!TEST_int_eq(SSL_CTX_set_max_send_fragment(server2_ctx, 516 test->max_fragment_size), 517 1)) 518 goto err; 519 } 520 if (!TEST_int_eq(SSL_CTX_set_max_send_fragment(client_ctx, 521 test->max_fragment_size), 1)) 522 goto err; 523 524 switch (extra->client.verify_callback) { 525 case SSL_TEST_VERIFY_ACCEPT_ALL: 526 SSL_CTX_set_cert_verify_callback(client_ctx, &verify_accept_cb, NULL); 527 break; 528 case SSL_TEST_VERIFY_REJECT_ALL: 529 SSL_CTX_set_cert_verify_callback(client_ctx, &verify_reject_cb, NULL); 530 break; 531 case SSL_TEST_VERIFY_NONE: 532 break; 533 } 534 535 switch (extra->client.max_fragment_len_mode) { 536 case TLSEXT_max_fragment_length_512: 537 case TLSEXT_max_fragment_length_1024: 538 case TLSEXT_max_fragment_length_2048: 539 case TLSEXT_max_fragment_length_4096: 540 case TLSEXT_max_fragment_length_DISABLED: 541 SSL_CTX_set_tlsext_max_fragment_length( 542 client_ctx, extra->client.max_fragment_len_mode); 543 break; 544 } 545 546 /* 547 * Link the two contexts for SNI purposes. 548 * Also do ClientHello callbacks here, as setting both ClientHello and SNI 549 * is bad. 550 */ 551 switch (extra->server.servername_callback) { 552 case SSL_TEST_SERVERNAME_IGNORE_MISMATCH: 553 SSL_CTX_set_tlsext_servername_callback(server_ctx, servername_ignore_cb); 554 SSL_CTX_set_tlsext_servername_arg(server_ctx, server2_ctx); 555 break; 556 case SSL_TEST_SERVERNAME_REJECT_MISMATCH: 557 SSL_CTX_set_tlsext_servername_callback(server_ctx, servername_reject_cb); 558 SSL_CTX_set_tlsext_servername_arg(server_ctx, server2_ctx); 559 break; 560 case SSL_TEST_SERVERNAME_CB_NONE: 561 break; 562 case SSL_TEST_SERVERNAME_CLIENT_HELLO_IGNORE_MISMATCH: 563 SSL_CTX_set_client_hello_cb(server_ctx, client_hello_ignore_cb, server2_ctx); 564 break; 565 case SSL_TEST_SERVERNAME_CLIENT_HELLO_REJECT_MISMATCH: 566 SSL_CTX_set_client_hello_cb(server_ctx, client_hello_reject_cb, server2_ctx); 567 break; 568 case SSL_TEST_SERVERNAME_CLIENT_HELLO_NO_V12: 569 SSL_CTX_set_client_hello_cb(server_ctx, client_hello_nov12_cb, server2_ctx); 570 } 571 572 if (extra->server.cert_status != SSL_TEST_CERT_STATUS_NONE) { 573 SSL_CTX_set_tlsext_status_type(client_ctx, TLSEXT_STATUSTYPE_ocsp); 574 SSL_CTX_set_tlsext_status_cb(client_ctx, client_ocsp_cb); 575 SSL_CTX_set_tlsext_status_arg(client_ctx, NULL); 576 SSL_CTX_set_tlsext_status_cb(server_ctx, server_ocsp_cb); 577 SSL_CTX_set_tlsext_status_arg(server_ctx, 578 ((extra->server.cert_status == SSL_TEST_CERT_STATUS_GOOD_RESPONSE) 579 ? &dummy_ocsp_resp_good_val : &dummy_ocsp_resp_bad_val)); 580 } 581 582 /* 583 * The initial_ctx/session_ctx always handles the encrypt/decrypt of the 584 * session ticket. This ticket_key callback is assigned to the second 585 * session (assigned via SNI), and should never be invoked 586 */ 587 if (server2_ctx != NULL) 588 SSL_CTX_set_tlsext_ticket_key_cb(server2_ctx, 589 do_not_call_session_ticket_cb); 590 591 if (extra->server.broken_session_ticket) { 592 SSL_CTX_set_tlsext_ticket_key_cb(server_ctx, broken_session_ticket_cb); 593 } 594 #ifndef OPENSSL_NO_NEXTPROTONEG 595 if (extra->server.npn_protocols != NULL) { 596 if (!TEST_true(parse_protos(extra->server.npn_protocols, 597 &server_ctx_data->npn_protocols, 598 &server_ctx_data->npn_protocols_len))) 599 goto err; 600 SSL_CTX_set_npn_advertised_cb(server_ctx, server_npn_cb, 601 server_ctx_data); 602 } 603 if (extra->server2.npn_protocols != NULL) { 604 if (!TEST_true(parse_protos(extra->server2.npn_protocols, 605 &server2_ctx_data->npn_protocols, 606 &server2_ctx_data->npn_protocols_len)) 607 || !TEST_ptr(server2_ctx)) 608 goto err; 609 SSL_CTX_set_npn_advertised_cb(server2_ctx, server_npn_cb, 610 server2_ctx_data); 611 } 612 if (extra->client.npn_protocols != NULL) { 613 if (!TEST_true(parse_protos(extra->client.npn_protocols, 614 &client_ctx_data->npn_protocols, 615 &client_ctx_data->npn_protocols_len))) 616 goto err; 617 SSL_CTX_set_next_proto_select_cb(client_ctx, client_npn_cb, 618 client_ctx_data); 619 } 620 #endif 621 if (extra->server.alpn_protocols != NULL) { 622 if (!TEST_true(parse_protos(extra->server.alpn_protocols, 623 &server_ctx_data->alpn_protocols, 624 &server_ctx_data->alpn_protocols_len))) 625 goto err; 626 SSL_CTX_set_alpn_select_cb(server_ctx, server_alpn_cb, server_ctx_data); 627 } 628 if (extra->server2.alpn_protocols != NULL) { 629 if (!TEST_ptr(server2_ctx) 630 || !TEST_true(parse_protos(extra->server2.alpn_protocols, 631 &server2_ctx_data->alpn_protocols, 632 &server2_ctx_data->alpn_protocols_len 633 ))) 634 goto err; 635 SSL_CTX_set_alpn_select_cb(server2_ctx, server_alpn_cb, 636 server2_ctx_data); 637 } 638 if (extra->client.alpn_protocols != NULL) { 639 unsigned char *alpn_protos = NULL; 640 size_t alpn_protos_len = 0; 641 642 if (!TEST_true(parse_protos(extra->client.alpn_protocols, 643 &alpn_protos, &alpn_protos_len)) 644 /* Reversed return value convention... */ 645 || !TEST_int_eq(SSL_CTX_set_alpn_protos(client_ctx, alpn_protos, 646 alpn_protos_len), 0)) 647 goto err; 648 OPENSSL_free(alpn_protos); 649 } 650 651 if (extra->server.session_ticket_app_data != NULL) { 652 server_ctx_data->session_ticket_app_data = 653 OPENSSL_strdup(extra->server.session_ticket_app_data); 654 SSL_CTX_set_session_ticket_cb(server_ctx, generate_session_ticket_cb, 655 decrypt_session_ticket_cb, server_ctx_data); 656 } 657 if (extra->server2.session_ticket_app_data != NULL) { 658 if (!TEST_ptr(server2_ctx)) 659 goto err; 660 server2_ctx_data->session_ticket_app_data = 661 OPENSSL_strdup(extra->server2.session_ticket_app_data); 662 SSL_CTX_set_session_ticket_cb(server2_ctx, NULL, 663 decrypt_session_ticket_cb, server2_ctx_data); 664 } 665 666 /* 667 * Use fixed session ticket keys so that we can decrypt a ticket created with 668 * one CTX in another CTX. Don't address server2 for the moment. 669 */ 670 ticket_key_len = SSL_CTX_set_tlsext_ticket_keys(server_ctx, NULL, 0); 671 if (!TEST_ptr(ticket_keys = OPENSSL_zalloc(ticket_key_len)) 672 || !TEST_int_eq(SSL_CTX_set_tlsext_ticket_keys(server_ctx, 673 ticket_keys, 674 ticket_key_len), 1)) { 675 OPENSSL_free(ticket_keys); 676 goto err; 677 } 678 OPENSSL_free(ticket_keys); 679 680 /* The default log list includes EC keys, so CT can't work without EC. */ 681 #if !defined(OPENSSL_NO_CT) && !defined(OPENSSL_NO_EC) 682 if (!TEST_true(SSL_CTX_set_default_ctlog_list_file(client_ctx))) 683 goto err; 684 switch (extra->client.ct_validation) { 685 case SSL_TEST_CT_VALIDATION_PERMISSIVE: 686 if (!TEST_true(SSL_CTX_enable_ct(client_ctx, 687 SSL_CT_VALIDATION_PERMISSIVE))) 688 goto err; 689 break; 690 case SSL_TEST_CT_VALIDATION_STRICT: 691 if (!TEST_true(SSL_CTX_enable_ct(client_ctx, SSL_CT_VALIDATION_STRICT))) 692 goto err; 693 break; 694 case SSL_TEST_CT_VALIDATION_NONE: 695 break; 696 } 697 #endif 698 #ifndef OPENSSL_NO_SRP 699 if (extra->server.srp_user != NULL) { 700 SSL_CTX_set_srp_username_callback(server_ctx, server_srp_cb); 701 server_ctx_data->srp_user = OPENSSL_strdup(extra->server.srp_user); 702 server_ctx_data->srp_password = OPENSSL_strdup(extra->server.srp_password); 703 SSL_CTX_set_srp_cb_arg(server_ctx, server_ctx_data); 704 } 705 if (extra->server2.srp_user != NULL) { 706 if (!TEST_ptr(server2_ctx)) 707 goto err; 708 SSL_CTX_set_srp_username_callback(server2_ctx, server_srp_cb); 709 server2_ctx_data->srp_user = OPENSSL_strdup(extra->server2.srp_user); 710 server2_ctx_data->srp_password = OPENSSL_strdup(extra->server2.srp_password); 711 SSL_CTX_set_srp_cb_arg(server2_ctx, server2_ctx_data); 712 } 713 if (extra->client.srp_user != NULL) { 714 if (!TEST_true(SSL_CTX_set_srp_username(client_ctx, 715 extra->client.srp_user))) 716 goto err; 717 SSL_CTX_set_srp_client_pwd_callback(client_ctx, client_srp_cb); 718 client_ctx_data->srp_password = OPENSSL_strdup(extra->client.srp_password); 719 SSL_CTX_set_srp_cb_arg(client_ctx, client_ctx_data); 720 } 721 #endif /* !OPENSSL_NO_SRP */ 722 return 1; 723 err: 724 return 0; 725 } 726 727 /* Configure per-SSL callbacks and other properties. */ 728 static void configure_handshake_ssl(SSL *server, SSL *client, 729 const SSL_TEST_EXTRA_CONF *extra) 730 { 731 if (extra->client.servername != SSL_TEST_SERVERNAME_NONE) 732 SSL_set_tlsext_host_name(client, 733 ssl_servername_name(extra->client.servername)); 734 if (extra->client.enable_pha) 735 SSL_set_post_handshake_auth(client, 1); 736 } 737 738 /* The status for each connection phase. */ 739 typedef enum { 740 PEER_SUCCESS, 741 PEER_RETRY, 742 PEER_ERROR, 743 PEER_WAITING, 744 PEER_TEST_FAILURE 745 } peer_status_t; 746 747 /* An SSL object and associated read-write buffers. */ 748 typedef struct peer_st { 749 SSL *ssl; 750 /* Buffer lengths are int to match the SSL read/write API. */ 751 unsigned char *write_buf; 752 int write_buf_len; 753 unsigned char *read_buf; 754 int read_buf_len; 755 int bytes_to_write; 756 int bytes_to_read; 757 peer_status_t status; 758 } PEER; 759 760 static int create_peer(PEER *peer, SSL_CTX *ctx) 761 { 762 static const int peer_buffer_size = 64 * 1024; 763 SSL *ssl = NULL; 764 unsigned char *read_buf = NULL, *write_buf = NULL; 765 766 if (!TEST_ptr(ssl = SSL_new(ctx)) 767 || !TEST_ptr(write_buf = OPENSSL_zalloc(peer_buffer_size)) 768 || !TEST_ptr(read_buf = OPENSSL_zalloc(peer_buffer_size))) 769 goto err; 770 771 peer->ssl = ssl; 772 peer->write_buf = write_buf; 773 peer->read_buf = read_buf; 774 peer->write_buf_len = peer->read_buf_len = peer_buffer_size; 775 return 1; 776 err: 777 SSL_free(ssl); 778 OPENSSL_free(write_buf); 779 OPENSSL_free(read_buf); 780 return 0; 781 } 782 783 static void peer_free_data(PEER *peer) 784 { 785 SSL_free(peer->ssl); 786 OPENSSL_free(peer->write_buf); 787 OPENSSL_free(peer->read_buf); 788 } 789 790 /* 791 * Note that we could do the handshake transparently under an SSL_write, 792 * but separating the steps is more helpful for debugging test failures. 793 */ 794 static void do_handshake_step(PEER *peer) 795 { 796 if (!TEST_int_eq(peer->status, PEER_RETRY)) { 797 peer->status = PEER_TEST_FAILURE; 798 } else { 799 int ret = SSL_do_handshake(peer->ssl); 800 801 if (ret == 1) { 802 peer->status = PEER_SUCCESS; 803 } else if (ret == 0) { 804 peer->status = PEER_ERROR; 805 } else { 806 int error = SSL_get_error(peer->ssl, ret); 807 /* Memory bios should never block with SSL_ERROR_WANT_WRITE. */ 808 if (error != SSL_ERROR_WANT_READ) 809 peer->status = PEER_ERROR; 810 } 811 } 812 } 813 814 /*- 815 * Send/receive some application data. The read-write sequence is 816 * Peer A: (R) W - first read will yield no data 817 * Peer B: R W 818 * ... 819 * Peer A: R W 820 * Peer B: R W 821 * Peer A: R 822 */ 823 static void do_app_data_step(PEER *peer) 824 { 825 int ret = 1, write_bytes; 826 827 if (!TEST_int_eq(peer->status, PEER_RETRY)) { 828 peer->status = PEER_TEST_FAILURE; 829 return; 830 } 831 832 /* We read everything available... */ 833 while (ret > 0 && peer->bytes_to_read) { 834 ret = SSL_read(peer->ssl, peer->read_buf, peer->read_buf_len); 835 if (ret > 0) { 836 if (!TEST_int_le(ret, peer->bytes_to_read)) { 837 peer->status = PEER_TEST_FAILURE; 838 return; 839 } 840 peer->bytes_to_read -= ret; 841 } else if (ret == 0) { 842 peer->status = PEER_ERROR; 843 return; 844 } else { 845 int error = SSL_get_error(peer->ssl, ret); 846 if (error != SSL_ERROR_WANT_READ) { 847 peer->status = PEER_ERROR; 848 return; 849 } /* Else continue with write. */ 850 } 851 } 852 853 /* ... but we only write one write-buffer-full of data. */ 854 write_bytes = peer->bytes_to_write < peer->write_buf_len ? peer->bytes_to_write : 855 peer->write_buf_len; 856 if (write_bytes) { 857 ret = SSL_write(peer->ssl, peer->write_buf, write_bytes); 858 if (ret > 0) { 859 /* SSL_write will only succeed with a complete write. */ 860 if (!TEST_int_eq(ret, write_bytes)) { 861 peer->status = PEER_TEST_FAILURE; 862 return; 863 } 864 peer->bytes_to_write -= ret; 865 } else { 866 /* 867 * We should perhaps check for SSL_ERROR_WANT_READ/WRITE here 868 * but this doesn't yet occur with current app data sizes. 869 */ 870 peer->status = PEER_ERROR; 871 return; 872 } 873 } 874 875 /* 876 * We could simply finish when there was nothing to read, and we have 877 * nothing left to write. But keeping track of the expected number of bytes 878 * to read gives us somewhat better guarantees that all data sent is in fact 879 * received. 880 */ 881 if (!peer->bytes_to_write && !peer->bytes_to_read) { 882 peer->status = PEER_SUCCESS; 883 } 884 } 885 886 static void do_reneg_setup_step(const SSL_TEST_CTX *test_ctx, PEER *peer) 887 { 888 int ret; 889 char buf; 890 891 if (peer->status == PEER_SUCCESS) { 892 /* 893 * We are a client that succeeded this step previously, but the server 894 * wanted to retry. Probably there is a no_renegotiation warning alert 895 * waiting for us. Attempt to continue the handshake. 896 */ 897 peer->status = PEER_RETRY; 898 do_handshake_step(peer); 899 return; 900 } 901 902 if (!TEST_int_eq(peer->status, PEER_RETRY) 903 || !TEST_true(test_ctx->handshake_mode 904 == SSL_TEST_HANDSHAKE_RENEG_SERVER 905 || test_ctx->handshake_mode 906 == SSL_TEST_HANDSHAKE_RENEG_CLIENT 907 || test_ctx->handshake_mode 908 == SSL_TEST_HANDSHAKE_KEY_UPDATE_SERVER 909 || test_ctx->handshake_mode 910 == SSL_TEST_HANDSHAKE_KEY_UPDATE_CLIENT 911 || test_ctx->handshake_mode 912 == SSL_TEST_HANDSHAKE_POST_HANDSHAKE_AUTH)) { 913 peer->status = PEER_TEST_FAILURE; 914 return; 915 } 916 917 /* Reset the count of the amount of app data we need to read/write */ 918 peer->bytes_to_write = peer->bytes_to_read = test_ctx->app_data_size; 919 920 /* Check if we are the peer that is going to initiate */ 921 if ((test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_RENEG_SERVER 922 && SSL_is_server(peer->ssl)) 923 || (test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_RENEG_CLIENT 924 && !SSL_is_server(peer->ssl))) { 925 /* 926 * If we already asked for a renegotiation then fall through to the 927 * SSL_read() below. 928 */ 929 if (!SSL_renegotiate_pending(peer->ssl)) { 930 /* 931 * If we are the client we will always attempt to resume the 932 * session. The server may or may not resume dependent on the 933 * setting of SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 934 */ 935 if (SSL_is_server(peer->ssl)) { 936 ret = SSL_renegotiate(peer->ssl); 937 } else { 938 if (test_ctx->extra.client.reneg_ciphers != NULL) { 939 if (!SSL_set_cipher_list(peer->ssl, 940 test_ctx->extra.client.reneg_ciphers)) { 941 peer->status = PEER_ERROR; 942 return; 943 } 944 ret = SSL_renegotiate(peer->ssl); 945 } else { 946 ret = SSL_renegotiate_abbreviated(peer->ssl); 947 } 948 } 949 if (!ret) { 950 peer->status = PEER_ERROR; 951 return; 952 } 953 do_handshake_step(peer); 954 /* 955 * If status is PEER_RETRY it means we're waiting on the peer to 956 * continue the handshake. As far as setting up the renegotiation is 957 * concerned that is a success. The next step will continue the 958 * handshake to its conclusion. 959 * 960 * If status is PEER_SUCCESS then we are the server and we have 961 * successfully sent the HelloRequest. We need to continue to wait 962 * until the handshake arrives from the client. 963 */ 964 if (peer->status == PEER_RETRY) 965 peer->status = PEER_SUCCESS; 966 else if (peer->status == PEER_SUCCESS) 967 peer->status = PEER_RETRY; 968 return; 969 } 970 } else if (test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_KEY_UPDATE_SERVER 971 || test_ctx->handshake_mode 972 == SSL_TEST_HANDSHAKE_KEY_UPDATE_CLIENT) { 973 if (SSL_is_server(peer->ssl) 974 != (test_ctx->handshake_mode 975 == SSL_TEST_HANDSHAKE_KEY_UPDATE_SERVER)) { 976 peer->status = PEER_SUCCESS; 977 return; 978 } 979 980 ret = SSL_key_update(peer->ssl, test_ctx->key_update_type); 981 if (!ret) { 982 peer->status = PEER_ERROR; 983 return; 984 } 985 do_handshake_step(peer); 986 /* 987 * This is a one step handshake. We shouldn't get anything other than 988 * PEER_SUCCESS 989 */ 990 if (peer->status != PEER_SUCCESS) 991 peer->status = PEER_ERROR; 992 return; 993 } else if (test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_POST_HANDSHAKE_AUTH) { 994 if (SSL_is_server(peer->ssl)) { 995 /* Make the server believe it's received the extension */ 996 if (test_ctx->extra.server.force_pha) 997 peer->ssl->post_handshake_auth = SSL_PHA_EXT_RECEIVED; 998 ret = SSL_verify_client_post_handshake(peer->ssl); 999 if (!ret) { 1000 peer->status = PEER_ERROR; 1001 return; 1002 } 1003 } 1004 do_handshake_step(peer); 1005 /* 1006 * This is a one step handshake. We shouldn't get anything other than 1007 * PEER_SUCCESS 1008 */ 1009 if (peer->status != PEER_SUCCESS) 1010 peer->status = PEER_ERROR; 1011 return; 1012 } 1013 1014 /* 1015 * The SSL object is still expecting app data, even though it's going to 1016 * get a handshake message. We try to read, and it should fail - after which 1017 * we should be in a handshake 1018 */ 1019 ret = SSL_read(peer->ssl, &buf, sizeof(buf)); 1020 if (ret >= 0) { 1021 /* 1022 * We're not actually expecting data - we're expecting a reneg to 1023 * start 1024 */ 1025 peer->status = PEER_ERROR; 1026 return; 1027 } else { 1028 int error = SSL_get_error(peer->ssl, ret); 1029 if (error != SSL_ERROR_WANT_READ) { 1030 peer->status = PEER_ERROR; 1031 return; 1032 } 1033 /* If we're not in init yet then we're not done with setup yet */ 1034 if (!SSL_in_init(peer->ssl)) 1035 return; 1036 } 1037 1038 peer->status = PEER_SUCCESS; 1039 } 1040 1041 1042 /* 1043 * RFC 5246 says: 1044 * 1045 * Note that as of TLS 1.1, 1046 * failure to properly close a connection no longer requires that a 1047 * session not be resumed. This is a change from TLS 1.0 to conform 1048 * with widespread implementation practice. 1049 * 1050 * However, 1051 * (a) OpenSSL requires that a connection be shutdown for all protocol versions. 1052 * (b) We test lower versions, too. 1053 * So we just implement shutdown. We do a full bidirectional shutdown so that we 1054 * can compare sent and received close_notify alerts and get some test coverage 1055 * for SSL_shutdown as a bonus. 1056 */ 1057 static void do_shutdown_step(PEER *peer) 1058 { 1059 int ret; 1060 1061 if (!TEST_int_eq(peer->status, PEER_RETRY)) { 1062 peer->status = PEER_TEST_FAILURE; 1063 return; 1064 } 1065 ret = SSL_shutdown(peer->ssl); 1066 1067 if (ret == 1) { 1068 peer->status = PEER_SUCCESS; 1069 } else if (ret < 0) { /* On 0, we retry. */ 1070 int error = SSL_get_error(peer->ssl, ret); 1071 1072 if (error != SSL_ERROR_WANT_READ && error != SSL_ERROR_WANT_WRITE) 1073 peer->status = PEER_ERROR; 1074 } 1075 } 1076 1077 typedef enum { 1078 HANDSHAKE, 1079 RENEG_APPLICATION_DATA, 1080 RENEG_SETUP, 1081 RENEG_HANDSHAKE, 1082 APPLICATION_DATA, 1083 SHUTDOWN, 1084 CONNECTION_DONE 1085 } connect_phase_t; 1086 1087 1088 static int renegotiate_op(const SSL_TEST_CTX *test_ctx) 1089 { 1090 switch (test_ctx->handshake_mode) { 1091 case SSL_TEST_HANDSHAKE_RENEG_SERVER: 1092 case SSL_TEST_HANDSHAKE_RENEG_CLIENT: 1093 return 1; 1094 default: 1095 return 0; 1096 } 1097 } 1098 static int post_handshake_op(const SSL_TEST_CTX *test_ctx) 1099 { 1100 switch (test_ctx->handshake_mode) { 1101 case SSL_TEST_HANDSHAKE_KEY_UPDATE_CLIENT: 1102 case SSL_TEST_HANDSHAKE_KEY_UPDATE_SERVER: 1103 case SSL_TEST_HANDSHAKE_POST_HANDSHAKE_AUTH: 1104 return 1; 1105 default: 1106 return 0; 1107 } 1108 } 1109 1110 static connect_phase_t next_phase(const SSL_TEST_CTX *test_ctx, 1111 connect_phase_t phase) 1112 { 1113 switch (phase) { 1114 case HANDSHAKE: 1115 if (renegotiate_op(test_ctx) || post_handshake_op(test_ctx)) 1116 return RENEG_APPLICATION_DATA; 1117 return APPLICATION_DATA; 1118 case RENEG_APPLICATION_DATA: 1119 return RENEG_SETUP; 1120 case RENEG_SETUP: 1121 if (post_handshake_op(test_ctx)) 1122 return APPLICATION_DATA; 1123 return RENEG_HANDSHAKE; 1124 case RENEG_HANDSHAKE: 1125 return APPLICATION_DATA; 1126 case APPLICATION_DATA: 1127 return SHUTDOWN; 1128 case SHUTDOWN: 1129 return CONNECTION_DONE; 1130 case CONNECTION_DONE: 1131 TEST_error("Trying to progress after connection done"); 1132 break; 1133 } 1134 return -1; 1135 } 1136 1137 static void do_connect_step(const SSL_TEST_CTX *test_ctx, PEER *peer, 1138 connect_phase_t phase) 1139 { 1140 switch (phase) { 1141 case HANDSHAKE: 1142 do_handshake_step(peer); 1143 break; 1144 case RENEG_APPLICATION_DATA: 1145 do_app_data_step(peer); 1146 break; 1147 case RENEG_SETUP: 1148 do_reneg_setup_step(test_ctx, peer); 1149 break; 1150 case RENEG_HANDSHAKE: 1151 do_handshake_step(peer); 1152 break; 1153 case APPLICATION_DATA: 1154 do_app_data_step(peer); 1155 break; 1156 case SHUTDOWN: 1157 do_shutdown_step(peer); 1158 break; 1159 case CONNECTION_DONE: 1160 TEST_error("Action after connection done"); 1161 break; 1162 } 1163 } 1164 1165 typedef enum { 1166 /* Both parties succeeded. */ 1167 HANDSHAKE_SUCCESS, 1168 /* Client errored. */ 1169 CLIENT_ERROR, 1170 /* Server errored. */ 1171 SERVER_ERROR, 1172 /* Peers are in inconsistent state. */ 1173 INTERNAL_ERROR, 1174 /* One or both peers not done. */ 1175 HANDSHAKE_RETRY 1176 } handshake_status_t; 1177 1178 /* 1179 * Determine the handshake outcome. 1180 * last_status: the status of the peer to have acted last. 1181 * previous_status: the status of the peer that didn't act last. 1182 * client_spoke_last: 1 if the client went last. 1183 */ 1184 static handshake_status_t handshake_status(peer_status_t last_status, 1185 peer_status_t previous_status, 1186 int client_spoke_last) 1187 { 1188 switch (last_status) { 1189 case PEER_TEST_FAILURE: 1190 return INTERNAL_ERROR; 1191 1192 case PEER_WAITING: 1193 /* Shouldn't ever happen */ 1194 return INTERNAL_ERROR; 1195 1196 case PEER_SUCCESS: 1197 switch (previous_status) { 1198 case PEER_TEST_FAILURE: 1199 return INTERNAL_ERROR; 1200 case PEER_SUCCESS: 1201 /* Both succeeded. */ 1202 return HANDSHAKE_SUCCESS; 1203 case PEER_WAITING: 1204 case PEER_RETRY: 1205 /* Let the first peer finish. */ 1206 return HANDSHAKE_RETRY; 1207 case PEER_ERROR: 1208 /* 1209 * Second peer succeeded despite the fact that the first peer 1210 * already errored. This shouldn't happen. 1211 */ 1212 return INTERNAL_ERROR; 1213 } 1214 break; 1215 1216 case PEER_RETRY: 1217 return HANDSHAKE_RETRY; 1218 1219 case PEER_ERROR: 1220 switch (previous_status) { 1221 case PEER_TEST_FAILURE: 1222 return INTERNAL_ERROR; 1223 case PEER_WAITING: 1224 /* The client failed immediately before sending the ClientHello */ 1225 return client_spoke_last ? CLIENT_ERROR : INTERNAL_ERROR; 1226 case PEER_SUCCESS: 1227 /* 1228 * First peer succeeded but second peer errored. 1229 * TODO(emilia): we should be able to continue here (with some 1230 * application data?) to ensure the first peer receives the 1231 * alert / close_notify. 1232 * (No tests currently exercise this branch.) 1233 */ 1234 return client_spoke_last ? CLIENT_ERROR : SERVER_ERROR; 1235 case PEER_RETRY: 1236 /* We errored; let the peer finish. */ 1237 return HANDSHAKE_RETRY; 1238 case PEER_ERROR: 1239 /* Both peers errored. Return the one that errored first. */ 1240 return client_spoke_last ? SERVER_ERROR : CLIENT_ERROR; 1241 } 1242 } 1243 /* Control should never reach here. */ 1244 return INTERNAL_ERROR; 1245 } 1246 1247 /* Convert unsigned char buf's that shouldn't contain any NUL-bytes to char. */ 1248 static char *dup_str(const unsigned char *in, size_t len) 1249 { 1250 char *ret = NULL; 1251 1252 if (len == 0) 1253 return NULL; 1254 1255 /* Assert that the string does not contain NUL-bytes. */ 1256 if (TEST_size_t_eq(OPENSSL_strnlen((const char*)(in), len), len)) 1257 TEST_ptr(ret = OPENSSL_strndup((const char*)(in), len)); 1258 return ret; 1259 } 1260 1261 static int pkey_type(EVP_PKEY *pkey) 1262 { 1263 int nid = EVP_PKEY_id(pkey); 1264 1265 #ifndef OPENSSL_NO_EC 1266 if (nid == EVP_PKEY_EC) { 1267 const EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey); 1268 return EC_GROUP_get_curve_name(EC_KEY_get0_group(ec)); 1269 } 1270 #endif 1271 return nid; 1272 } 1273 1274 static int peer_pkey_type(SSL *s) 1275 { 1276 X509 *x = SSL_get_peer_certificate(s); 1277 1278 if (x != NULL) { 1279 int nid = pkey_type(X509_get0_pubkey(x)); 1280 1281 X509_free(x); 1282 return nid; 1283 } 1284 return NID_undef; 1285 } 1286 1287 #if !defined(OPENSSL_NO_SCTP) && !defined(OPENSSL_NO_SOCK) 1288 static int set_sock_as_sctp(int sock) 1289 { 1290 struct sctp_assocparams assocparams; 1291 struct sctp_rtoinfo rto_info; 1292 BIO *tmpbio; 1293 1294 /* 1295 * To allow tests to fail fast (within a second or so), reduce the 1296 * retransmission timeouts and the number of retransmissions. 1297 */ 1298 memset(&rto_info, 0, sizeof(struct sctp_rtoinfo)); 1299 rto_info.srto_initial = 100; 1300 rto_info.srto_max = 200; 1301 rto_info.srto_min = 50; 1302 (void)setsockopt(sock, IPPROTO_SCTP, SCTP_RTOINFO, 1303 (const void *)&rto_info, sizeof(struct sctp_rtoinfo)); 1304 memset(&assocparams, 0, sizeof(struct sctp_assocparams)); 1305 assocparams.sasoc_asocmaxrxt = 2; 1306 (void)setsockopt(sock, IPPROTO_SCTP, SCTP_ASSOCINFO, 1307 (const void *)&assocparams, 1308 sizeof(struct sctp_assocparams)); 1309 1310 /* 1311 * For SCTP we have to set various options on the socket prior to 1312 * connecting. This is done automatically by BIO_new_dgram_sctp(). 1313 * We don't actually need the created BIO though so we free it again 1314 * immediately. 1315 */ 1316 tmpbio = BIO_new_dgram_sctp(sock, BIO_NOCLOSE); 1317 1318 if (tmpbio == NULL) 1319 return 0; 1320 BIO_free(tmpbio); 1321 1322 return 1; 1323 } 1324 1325 static int create_sctp_socks(int *ssock, int *csock) 1326 { 1327 BIO_ADDRINFO *res = NULL; 1328 const BIO_ADDRINFO *ai = NULL; 1329 int lsock = INVALID_SOCKET, asock = INVALID_SOCKET; 1330 int consock = INVALID_SOCKET; 1331 int ret = 0; 1332 int family = 0; 1333 1334 if (BIO_sock_init() != 1) 1335 return 0; 1336 1337 /* 1338 * Port is 4463. It could be anything. It will fail if it's already being 1339 * used for some other SCTP service. It seems unlikely though so we don't 1340 * worry about it here. 1341 */ 1342 if (!BIO_lookup_ex(NULL, "4463", BIO_LOOKUP_SERVER, family, SOCK_STREAM, 1343 IPPROTO_SCTP, &res)) 1344 return 0; 1345 1346 for (ai = res; ai != NULL; ai = BIO_ADDRINFO_next(ai)) { 1347 family = BIO_ADDRINFO_family(ai); 1348 lsock = BIO_socket(family, SOCK_STREAM, IPPROTO_SCTP, 0); 1349 if (lsock == INVALID_SOCKET) { 1350 /* Maybe the kernel doesn't support the socket family, even if 1351 * BIO_lookup() added it in the returned result... 1352 */ 1353 continue; 1354 } 1355 1356 if (!set_sock_as_sctp(lsock) 1357 || !BIO_listen(lsock, BIO_ADDRINFO_address(ai), 1358 BIO_SOCK_REUSEADDR)) { 1359 BIO_closesocket(lsock); 1360 lsock = INVALID_SOCKET; 1361 continue; 1362 } 1363 1364 /* Success, don't try any more addresses */ 1365 break; 1366 } 1367 1368 if (lsock == INVALID_SOCKET) 1369 goto err; 1370 1371 BIO_ADDRINFO_free(res); 1372 res = NULL; 1373 1374 if (!BIO_lookup_ex(NULL, "4463", BIO_LOOKUP_CLIENT, family, SOCK_STREAM, 1375 IPPROTO_SCTP, &res)) 1376 goto err; 1377 1378 consock = BIO_socket(family, SOCK_STREAM, IPPROTO_SCTP, 0); 1379 if (consock == INVALID_SOCKET) 1380 goto err; 1381 1382 if (!set_sock_as_sctp(consock) 1383 || !BIO_connect(consock, BIO_ADDRINFO_address(res), 0) 1384 || !BIO_socket_nbio(consock, 1)) 1385 goto err; 1386 1387 asock = BIO_accept_ex(lsock, NULL, BIO_SOCK_NONBLOCK); 1388 if (asock == INVALID_SOCKET) 1389 goto err; 1390 1391 *csock = consock; 1392 *ssock = asock; 1393 consock = asock = INVALID_SOCKET; 1394 ret = 1; 1395 1396 err: 1397 BIO_ADDRINFO_free(res); 1398 if (consock != INVALID_SOCKET) 1399 BIO_closesocket(consock); 1400 if (lsock != INVALID_SOCKET) 1401 BIO_closesocket(lsock); 1402 if (asock != INVALID_SOCKET) 1403 BIO_closesocket(asock); 1404 return ret; 1405 } 1406 #endif 1407 1408 /* 1409 * Note that |extra| points to the correct client/server configuration 1410 * within |test_ctx|. When configuring the handshake, general mode settings 1411 * are taken from |test_ctx|, and client/server-specific settings should be 1412 * taken from |extra|. 1413 * 1414 * The configuration code should never reach into |test_ctx->extra| or 1415 * |test_ctx->resume_extra| directly. 1416 * 1417 * (We could refactor test mode settings into a substructure. This would result 1418 * in cleaner argument passing but would complicate the test configuration 1419 * parsing.) 1420 */ 1421 static HANDSHAKE_RESULT *do_handshake_internal( 1422 SSL_CTX *server_ctx, SSL_CTX *server2_ctx, SSL_CTX *client_ctx, 1423 const SSL_TEST_CTX *test_ctx, const SSL_TEST_EXTRA_CONF *extra, 1424 SSL_SESSION *session_in, SSL_SESSION *serv_sess_in, 1425 SSL_SESSION **session_out, SSL_SESSION **serv_sess_out) 1426 { 1427 PEER server, client; 1428 BIO *client_to_server = NULL, *server_to_client = NULL; 1429 HANDSHAKE_EX_DATA server_ex_data, client_ex_data; 1430 CTX_DATA client_ctx_data, server_ctx_data, server2_ctx_data; 1431 HANDSHAKE_RESULT *ret = HANDSHAKE_RESULT_new(); 1432 int client_turn = 1, client_turn_count = 0, client_wait_count = 0; 1433 connect_phase_t phase = HANDSHAKE; 1434 handshake_status_t status = HANDSHAKE_RETRY; 1435 const unsigned char* tick = NULL; 1436 size_t tick_len = 0; 1437 const unsigned char* sess_id = NULL; 1438 unsigned int sess_id_len = 0; 1439 SSL_SESSION* sess = NULL; 1440 const unsigned char *proto = NULL; 1441 /* API dictates unsigned int rather than size_t. */ 1442 unsigned int proto_len = 0; 1443 EVP_PKEY *tmp_key; 1444 const STACK_OF(X509_NAME) *names; 1445 time_t start; 1446 const char* cipher; 1447 1448 if (ret == NULL) 1449 return NULL; 1450 1451 memset(&server_ctx_data, 0, sizeof(server_ctx_data)); 1452 memset(&server2_ctx_data, 0, sizeof(server2_ctx_data)); 1453 memset(&client_ctx_data, 0, sizeof(client_ctx_data)); 1454 memset(&server, 0, sizeof(server)); 1455 memset(&client, 0, sizeof(client)); 1456 memset(&server_ex_data, 0, sizeof(server_ex_data)); 1457 memset(&client_ex_data, 0, sizeof(client_ex_data)); 1458 1459 if (!configure_handshake_ctx(server_ctx, server2_ctx, client_ctx, 1460 test_ctx, extra, &server_ctx_data, 1461 &server2_ctx_data, &client_ctx_data)) { 1462 TEST_note("configure_handshake_ctx"); 1463 return NULL; 1464 } 1465 1466 #if !defined(OPENSSL_NO_SCTP) && !defined(OPENSSL_NO_SOCK) 1467 if (test_ctx->enable_client_sctp_label_bug) 1468 SSL_CTX_set_mode(client_ctx, SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG); 1469 if (test_ctx->enable_server_sctp_label_bug) 1470 SSL_CTX_set_mode(server_ctx, SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG); 1471 #endif 1472 1473 /* Setup SSL and buffers; additional configuration happens below. */ 1474 if (!create_peer(&server, server_ctx)) { 1475 TEST_note("creating server context"); 1476 goto err; 1477 } 1478 if (!create_peer(&client, client_ctx)) { 1479 TEST_note("creating client context"); 1480 goto err; 1481 } 1482 1483 server.bytes_to_write = client.bytes_to_read = test_ctx->app_data_size; 1484 client.bytes_to_write = server.bytes_to_read = test_ctx->app_data_size; 1485 1486 configure_handshake_ssl(server.ssl, client.ssl, extra); 1487 if (session_in != NULL) { 1488 SSL_SESSION_get_id(serv_sess_in, &sess_id_len); 1489 /* In case we're testing resumption without tickets. */ 1490 if ((sess_id_len > 0 1491 && !TEST_true(SSL_CTX_add_session(server_ctx, 1492 serv_sess_in))) 1493 || !TEST_true(SSL_set_session(client.ssl, session_in))) 1494 goto err; 1495 sess_id_len = 0; 1496 } 1497 1498 ret->result = SSL_TEST_INTERNAL_ERROR; 1499 1500 if (test_ctx->use_sctp) { 1501 #if !defined(OPENSSL_NO_SCTP) && !defined(OPENSSL_NO_SOCK) 1502 int csock, ssock; 1503 1504 if (create_sctp_socks(&ssock, &csock)) { 1505 client_to_server = BIO_new_dgram_sctp(csock, BIO_CLOSE); 1506 server_to_client = BIO_new_dgram_sctp(ssock, BIO_CLOSE); 1507 } 1508 #endif 1509 } else { 1510 client_to_server = BIO_new(BIO_s_mem()); 1511 server_to_client = BIO_new(BIO_s_mem()); 1512 } 1513 1514 if (!TEST_ptr(client_to_server) 1515 || !TEST_ptr(server_to_client)) 1516 goto err; 1517 1518 /* Non-blocking bio. */ 1519 BIO_set_nbio(client_to_server, 1); 1520 BIO_set_nbio(server_to_client, 1); 1521 1522 SSL_set_connect_state(client.ssl); 1523 SSL_set_accept_state(server.ssl); 1524 1525 /* The bios are now owned by the SSL object. */ 1526 if (test_ctx->use_sctp) { 1527 SSL_set_bio(client.ssl, client_to_server, client_to_server); 1528 SSL_set_bio(server.ssl, server_to_client, server_to_client); 1529 } else { 1530 SSL_set_bio(client.ssl, server_to_client, client_to_server); 1531 if (!TEST_int_gt(BIO_up_ref(server_to_client), 0) 1532 || !TEST_int_gt(BIO_up_ref(client_to_server), 0)) 1533 goto err; 1534 SSL_set_bio(server.ssl, client_to_server, server_to_client); 1535 } 1536 1537 ex_data_idx = SSL_get_ex_new_index(0, "ex data", NULL, NULL, NULL); 1538 if (!TEST_int_ge(ex_data_idx, 0) 1539 || !TEST_int_eq(SSL_set_ex_data(server.ssl, ex_data_idx, &server_ex_data), 1) 1540 || !TEST_int_eq(SSL_set_ex_data(client.ssl, ex_data_idx, &client_ex_data), 1)) 1541 goto err; 1542 1543 SSL_set_info_callback(server.ssl, &info_cb); 1544 SSL_set_info_callback(client.ssl, &info_cb); 1545 1546 client.status = PEER_RETRY; 1547 server.status = PEER_WAITING; 1548 1549 start = time(NULL); 1550 1551 /* 1552 * Half-duplex handshake loop. 1553 * Client and server speak to each other synchronously in the same process. 1554 * We use non-blocking BIOs, so whenever one peer blocks for read, it 1555 * returns PEER_RETRY to indicate that it's the other peer's turn to write. 1556 * The handshake succeeds once both peers have succeeded. If one peer 1557 * errors out, we also let the other peer retry (and presumably fail). 1558 */ 1559 for(;;) { 1560 if (client_turn) { 1561 do_connect_step(test_ctx, &client, phase); 1562 status = handshake_status(client.status, server.status, 1563 1 /* client went last */); 1564 if (server.status == PEER_WAITING) 1565 server.status = PEER_RETRY; 1566 } else { 1567 do_connect_step(test_ctx, &server, phase); 1568 status = handshake_status(server.status, client.status, 1569 0 /* server went last */); 1570 } 1571 1572 switch (status) { 1573 case HANDSHAKE_SUCCESS: 1574 client_turn_count = 0; 1575 phase = next_phase(test_ctx, phase); 1576 if (phase == CONNECTION_DONE) { 1577 ret->result = SSL_TEST_SUCCESS; 1578 goto err; 1579 } else { 1580 client.status = server.status = PEER_RETRY; 1581 /* 1582 * For now, client starts each phase. Since each phase is 1583 * started separately, we can later control this more 1584 * precisely, for example, to test client-initiated and 1585 * server-initiated shutdown. 1586 */ 1587 client_turn = 1; 1588 break; 1589 } 1590 case CLIENT_ERROR: 1591 ret->result = SSL_TEST_CLIENT_FAIL; 1592 goto err; 1593 case SERVER_ERROR: 1594 ret->result = SSL_TEST_SERVER_FAIL; 1595 goto err; 1596 case INTERNAL_ERROR: 1597 ret->result = SSL_TEST_INTERNAL_ERROR; 1598 goto err; 1599 case HANDSHAKE_RETRY: 1600 if (test_ctx->use_sctp) { 1601 if (time(NULL) - start > 3) { 1602 /* 1603 * We've waited for too long. Give up. 1604 */ 1605 ret->result = SSL_TEST_INTERNAL_ERROR; 1606 goto err; 1607 } 1608 /* 1609 * With "real" sockets we only swap to processing the peer 1610 * if they are expecting to retry. Otherwise we just retry the 1611 * same endpoint again. 1612 */ 1613 if ((client_turn && server.status == PEER_RETRY) 1614 || (!client_turn && client.status == PEER_RETRY)) 1615 client_turn ^= 1; 1616 } else { 1617 if (client_turn_count++ >= 2000) { 1618 /* 1619 * At this point, there's been so many PEER_RETRY in a row 1620 * that it's likely both sides are stuck waiting for a read. 1621 * It's time to give up. 1622 */ 1623 ret->result = SSL_TEST_INTERNAL_ERROR; 1624 goto err; 1625 } 1626 if (client_turn && server.status == PEER_SUCCESS) { 1627 /* 1628 * The server may finish before the client because the 1629 * client spends some turns processing NewSessionTickets. 1630 */ 1631 if (client_wait_count++ >= 2) { 1632 ret->result = SSL_TEST_INTERNAL_ERROR; 1633 goto err; 1634 } 1635 } else { 1636 /* Continue. */ 1637 client_turn ^= 1; 1638 } 1639 } 1640 break; 1641 } 1642 } 1643 err: 1644 ret->server_alert_sent = server_ex_data.alert_sent; 1645 ret->server_num_fatal_alerts_sent = server_ex_data.num_fatal_alerts_sent; 1646 ret->server_alert_received = client_ex_data.alert_received; 1647 ret->client_alert_sent = client_ex_data.alert_sent; 1648 ret->client_num_fatal_alerts_sent = client_ex_data.num_fatal_alerts_sent; 1649 ret->client_alert_received = server_ex_data.alert_received; 1650 ret->server_protocol = SSL_version(server.ssl); 1651 ret->client_protocol = SSL_version(client.ssl); 1652 ret->servername = server_ex_data.servername; 1653 if ((sess = SSL_get0_session(client.ssl)) != NULL) { 1654 SSL_SESSION_get0_ticket(sess, &tick, &tick_len); 1655 sess_id = SSL_SESSION_get_id(sess, &sess_id_len); 1656 } 1657 if (tick == NULL || tick_len == 0) 1658 ret->session_ticket = SSL_TEST_SESSION_TICKET_NO; 1659 else 1660 ret->session_ticket = SSL_TEST_SESSION_TICKET_YES; 1661 ret->compression = (SSL_get_current_compression(client.ssl) == NULL) 1662 ? SSL_TEST_COMPRESSION_NO 1663 : SSL_TEST_COMPRESSION_YES; 1664 if (sess_id == NULL || sess_id_len == 0) 1665 ret->session_id = SSL_TEST_SESSION_ID_NO; 1666 else 1667 ret->session_id = SSL_TEST_SESSION_ID_YES; 1668 ret->session_ticket_do_not_call = server_ex_data.session_ticket_do_not_call; 1669 1670 #ifndef OPENSSL_NO_NEXTPROTONEG 1671 SSL_get0_next_proto_negotiated(client.ssl, &proto, &proto_len); 1672 ret->client_npn_negotiated = dup_str(proto, proto_len); 1673 1674 SSL_get0_next_proto_negotiated(server.ssl, &proto, &proto_len); 1675 ret->server_npn_negotiated = dup_str(proto, proto_len); 1676 #endif 1677 1678 SSL_get0_alpn_selected(client.ssl, &proto, &proto_len); 1679 ret->client_alpn_negotiated = dup_str(proto, proto_len); 1680 1681 SSL_get0_alpn_selected(server.ssl, &proto, &proto_len); 1682 ret->server_alpn_negotiated = dup_str(proto, proto_len); 1683 1684 if ((sess = SSL_get0_session(server.ssl)) != NULL) { 1685 SSL_SESSION_get0_ticket_appdata(sess, (void**)&tick, &tick_len); 1686 ret->result_session_ticket_app_data = OPENSSL_strndup((const char*)tick, tick_len); 1687 } 1688 1689 ret->client_resumed = SSL_session_reused(client.ssl); 1690 ret->server_resumed = SSL_session_reused(server.ssl); 1691 1692 cipher = SSL_CIPHER_get_name(SSL_get_current_cipher(client.ssl)); 1693 ret->cipher = dup_str((const unsigned char*)cipher, strlen(cipher)); 1694 1695 if (session_out != NULL) 1696 *session_out = SSL_get1_session(client.ssl); 1697 if (serv_sess_out != NULL) { 1698 SSL_SESSION *tmp = SSL_get_session(server.ssl); 1699 1700 /* 1701 * We create a fresh copy that is not in the server session ctx linked 1702 * list. 1703 */ 1704 if (tmp != NULL) 1705 *serv_sess_out = SSL_SESSION_dup(tmp); 1706 } 1707 1708 if (SSL_get_peer_tmp_key(client.ssl, &tmp_key)) { 1709 ret->tmp_key_type = pkey_type(tmp_key); 1710 EVP_PKEY_free(tmp_key); 1711 } 1712 1713 SSL_get_peer_signature_nid(client.ssl, &ret->server_sign_hash); 1714 SSL_get_peer_signature_nid(server.ssl, &ret->client_sign_hash); 1715 1716 SSL_get_peer_signature_type_nid(client.ssl, &ret->server_sign_type); 1717 SSL_get_peer_signature_type_nid(server.ssl, &ret->client_sign_type); 1718 1719 names = SSL_get0_peer_CA_list(client.ssl); 1720 if (names == NULL) 1721 ret->client_ca_names = NULL; 1722 else 1723 ret->client_ca_names = SSL_dup_CA_list(names); 1724 1725 names = SSL_get0_peer_CA_list(server.ssl); 1726 if (names == NULL) 1727 ret->server_ca_names = NULL; 1728 else 1729 ret->server_ca_names = SSL_dup_CA_list(names); 1730 1731 ret->server_cert_type = peer_pkey_type(client.ssl); 1732 ret->client_cert_type = peer_pkey_type(server.ssl); 1733 1734 ctx_data_free_data(&server_ctx_data); 1735 ctx_data_free_data(&server2_ctx_data); 1736 ctx_data_free_data(&client_ctx_data); 1737 1738 peer_free_data(&server); 1739 peer_free_data(&client); 1740 return ret; 1741 } 1742 1743 HANDSHAKE_RESULT *do_handshake(SSL_CTX *server_ctx, SSL_CTX *server2_ctx, 1744 SSL_CTX *client_ctx, SSL_CTX *resume_server_ctx, 1745 SSL_CTX *resume_client_ctx, 1746 const SSL_TEST_CTX *test_ctx) 1747 { 1748 HANDSHAKE_RESULT *result; 1749 SSL_SESSION *session = NULL, *serv_sess = NULL; 1750 1751 result = do_handshake_internal(server_ctx, server2_ctx, client_ctx, 1752 test_ctx, &test_ctx->extra, 1753 NULL, NULL, &session, &serv_sess); 1754 if (result == NULL 1755 || test_ctx->handshake_mode != SSL_TEST_HANDSHAKE_RESUME 1756 || result->result == SSL_TEST_INTERNAL_ERROR) 1757 goto end; 1758 1759 if (result->result != SSL_TEST_SUCCESS) { 1760 result->result = SSL_TEST_FIRST_HANDSHAKE_FAILED; 1761 goto end; 1762 } 1763 1764 HANDSHAKE_RESULT_free(result); 1765 /* We don't support SNI on second handshake yet, so server2_ctx is NULL. */ 1766 result = do_handshake_internal(resume_server_ctx, NULL, resume_client_ctx, 1767 test_ctx, &test_ctx->resume_extra, 1768 session, serv_sess, NULL, NULL); 1769 end: 1770 SSL_SESSION_free(session); 1771 SSL_SESSION_free(serv_sess); 1772 return result; 1773 } 1774
Indexes created Sat Feb 28 05:31:39 UTC 2026