xref: /freebsd/crypto/openssl/test/cert_comp_test.c (revision e7be843b4a162e68651d3911f0357ed464915629) 
1 /*
2  * Copyright 2016-2025 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 
10 /*
11  * We need access to the deprecated low level HMAC APIs for legacy purposes
12  * when the deprecated calls are not hidden
13  */
14 #ifndef OPENSSL_NO_DEPRECATED_3_0
15 # define OPENSSL_SUPPRESS_DEPRECATED
16 #endif
17 
18 #include <openssl/ssl.h>
19 #include "internal/nelem.h"
20 #include "internal/ssl_unwrap.h"
21 #include "helpers/ssltestlib.h"
22 #include "testutil.h"
23 #include "../ssl/ssl_local.h"
24 
25 #undef OSSL_NO_USABLE_TLS1_3
26 #if defined(OPENSSL_NO_TLS1_3) \
27     || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
28 /*
29  * If we don't have ec or dh then there are no built-in groups that are usable
30  * with TLSv1.3
31  */
32 # define OSSL_NO_USABLE_TLS1_3
33 #endif
34 
35 #if !defined(OSSL_NO_USEABLE_TLS1_3)
36 
37 static char *certsdir = NULL;
38 static char *cert = NULL;
39 static char *privkey = NULL;
40 
client_cert_cb(SSL * ssl,X509 ** x509,EVP_PKEY ** pkey)41 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
42 {
43     X509 *xcert;
44     EVP_PKEY *privpkey;
45     BIO *in = NULL;
46     BIO *priv_in = NULL;
47 
48     /* Check that SSL_get0_peer_certificate() returns something sensible */
49     if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
50         return 0;
51 
52     in = BIO_new_file(cert, "r");
53     if (!TEST_ptr(in))
54         return 0;
55 
56     if (!TEST_ptr(xcert = X509_new_ex(NULL, NULL))
57             || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
58             || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
59             || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
60                                                                NULL, NULL,
61                                                                NULL, NULL)))
62         goto err;
63 
64     *x509 = xcert;
65     *pkey = privpkey;
66 
67     BIO_free(in);
68     BIO_free(priv_in);
69     return 1;
70 err:
71     X509_free(xcert);
72     BIO_free(in);
73     BIO_free(priv_in);
74     return 0;
75 }
76 
verify_cb(int preverify_ok,X509_STORE_CTX * x509_ctx)77 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
78 {
79     return 1;
80 }
81 
82 /*
83  * Test 0 = app pre-compresses certificate in SSL
84  * Test 1 = app pre-compresses certificate in SSL_CTX
85  * Test 2 = app pre-compresses certificate in SSL_CTX, client authentication
86  * Test 3 = app pre-compresses certificate in SSL_CTX, but it's unused due to prefs
87  */
88 /* Compression helper */
ssl_comp_cert(SSL * ssl,int alg)89 static int ssl_comp_cert(SSL *ssl, int alg)
90 {
91     unsigned char *comp_data = NULL;
92     size_t comp_len = 0;
93     size_t orig_len = 0;
94     int retval = 0;
95 
96     if (!TEST_size_t_gt(comp_len = SSL_get1_compressed_cert(ssl, alg, &comp_data, &orig_len), 0))
97         goto err;
98 
99     if (!TEST_true(SSL_set1_compressed_cert(ssl, alg, comp_data, comp_len, orig_len)))
100         goto err;
101     retval = alg;
102 
103  err:
104     OPENSSL_free(comp_data);
105     return retval;
106 }
107 
cert_comp_info_cb(const SSL * s,int where,int ret)108 static void cert_comp_info_cb(const SSL *s, int where, int ret)
109 {
110     int *seen = (int*)SSL_get_app_data(s);
111 
112     if (SSL_is_server(s)) {
113         /* TLS_ST_SR_COMP_CERT */
114         if (!strcmp(SSL_state_string(s), "TRCCC") && seen != NULL)
115             *seen = 1;
116     } else {
117         /* TLS_ST_CR_COMP_CERT */
118         if (!strcmp(SSL_state_string(s), "TRSCC") && seen != NULL)
119             *seen = 1;
120     }
121 }
122 
test_ssl_cert_comp(int test)123 static int test_ssl_cert_comp(int test)
124 {
125     SSL_CTX *cctx = NULL, *sctx = NULL;
126     SSL *clientssl = NULL, *serverssl = NULL;
127     int testresult = 0;
128     int expected_client = TLSEXT_comp_cert_none;
129     int expected_server = TLSEXT_comp_cert_none;
130     int client_seen = 0;
131     int server_seen = 0;
132     /* reverse default order */
133     int server_pref[] = { TLSEXT_comp_cert_zstd, TLSEXT_comp_cert_zlib, TLSEXT_comp_cert_brotli };
134     /* default order */
135     int client_pref[] = { TLSEXT_comp_cert_brotli, TLSEXT_comp_cert_zlib, TLSEXT_comp_cert_zstd };
136 
137     /* one of these *must* be defined! */
138 #ifndef OPENSSL_NO_BROTLI
139     expected_server = TLSEXT_comp_cert_brotli;
140     expected_client = TLSEXT_comp_cert_brotli;
141 #endif
142 #ifndef OPENSSL_NO_ZLIB
143     expected_server = TLSEXT_comp_cert_zlib;
144     if (expected_client == TLSEXT_comp_cert_none)
145         expected_client = TLSEXT_comp_cert_zlib;
146 #endif
147 #ifndef OPENSSL_NO_ZSTD
148     expected_server = TLSEXT_comp_cert_zstd;
149     if (expected_client == TLSEXT_comp_cert_none)
150         expected_client = TLSEXT_comp_cert_zstd;
151 #endif
152     /*
153      * If there's only one comp algorithm, pref won't do much
154      * Coverity can get confused in this case, and consider test == 3
155      * to be DEADCODE
156      */
157     if (test == 3 && expected_client == expected_server) {
158         TEST_info("Only one compression algorithm configured");
159         return 1;
160     }
161 
162     if (!TEST_true(create_ssl_ctx_pair(NULL, TLS_server_method(),
163                                        TLS_client_method(),
164                                        TLS1_3_VERSION, 0,
165                                        &sctx, &cctx, cert, privkey)))
166         goto end;
167     if (test == 3) {
168         /* coverity[deadcode] */
169         server_pref[0] = expected_server;
170         server_pref[1] = expected_client;
171         if (!TEST_true(SSL_CTX_set1_cert_comp_preference(sctx, server_pref, 2)))
172             goto end;
173         client_pref[0] = expected_client;
174         if (!TEST_true(SSL_CTX_set1_cert_comp_preference(cctx, client_pref, 1)))
175             goto end;
176     } else {
177         if (!TEST_true(SSL_CTX_set1_cert_comp_preference(sctx, server_pref, OSSL_NELEM(server_pref))))
178             goto end;
179         if (!TEST_true(SSL_CTX_set1_cert_comp_preference(cctx, client_pref, OSSL_NELEM(client_pref))))
180             goto end;
181     }
182     if (test == 2) {
183         /* Use callbacks from test_client_cert_cb() */
184         SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
185         SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb);
186     }
187 
188     if (test == 1 || test== 2 || test == 3) {
189         if (!TEST_true(SSL_CTX_compress_certs(sctx, expected_server)))
190             goto end;
191     }
192 
193     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
194                                       NULL, NULL)))
195         goto end;
196 
197     if (!TEST_true(SSL_set_app_data(clientssl, &client_seen)))
198         goto end;
199     if (!TEST_true(SSL_set_app_data(serverssl, &server_seen)))
200         goto end;
201     SSL_set_info_callback(clientssl, cert_comp_info_cb);
202     SSL_set_info_callback(serverssl, cert_comp_info_cb);
203 
204     if (test == 0) {
205         if (!TEST_int_eq(ssl_comp_cert(serverssl, expected_server), expected_server))
206             goto end;
207     }
208 
209     if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
210         goto end;
211     if (test == 3) {
212         /* coverity[deadcode] */
213         SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(serverssl);
214 
215         /* expect that the pre-compressed cert won't be used */
216         if (!TEST_int_eq(sc->cert->key->cert_comp_used, 0))
217             goto end;
218 
219         if (!TEST_false(*(int*)SSL_get_app_data(clientssl)))
220             goto end;
221     } else {
222         SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(serverssl);
223 
224         if (!TEST_int_gt(sc->cert->key->cert_comp_used, 0))
225             goto end;
226 
227         if (!TEST_true(*(int*)SSL_get_app_data(clientssl)))
228             goto end;
229     }
230 
231     if (test == 2) {
232         /* Only for client auth */
233         if (!TEST_true(*(int*)SSL_get_app_data(serverssl)))
234             goto end;
235     }
236 
237     testresult = 1;
238 
239  end:
240     SSL_free(serverssl);
241     SSL_free(clientssl);
242     SSL_CTX_free(sctx);
243     SSL_CTX_free(cctx);
244 
245     return testresult;
246 }
247 #endif
248 
249 OPT_TEST_DECLARE_USAGE("certdir\n")
250 
setup_tests(void)251 int setup_tests(void)
252 {
253 #if !defined(OSSL_NO_USEABLE_TLS1_3)
254     if (!test_skip_common_options()) {
255         TEST_error("Error parsing test options\n");
256         return 0;
257     }
258 
259     if (!TEST_ptr(certsdir = test_get_argument(0)))
260         return 0;
261 
262     cert = test_mk_file_path(certsdir, "servercert.pem");
263     if (cert == NULL)
264         goto err;
265 
266     privkey = test_mk_file_path(certsdir, "serverkey.pem");
267     if (privkey == NULL)
268         goto err;
269 
270     ADD_ALL_TESTS(test_ssl_cert_comp, 4);
271     return 1;
272 
273  err:
274     OPENSSL_free(cert);
275     OPENSSL_free(privkey);
276     return 0;
277 #else
278     return 1;
279 #endif
280 }
281 
cleanup_tests(void)282 void cleanup_tests(void)
283 {
284 #if !defined(OSSL_NO_USEABLE_TLS1_3)
285     OPENSSL_free(cert);
286     OPENSSL_free(privkey);
287 #endif
288 }
289