1 /* 2 * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <string.h> 11 12 #include <openssl/bio.h> 13 #include <openssl/x509_vfy.h> 14 #include <openssl/ssl.h> 15 #include <openssl/core_names.h> 16 17 #include "../../ssl/ssl_local.h" 18 #include "internal/sockets.h" 19 #include "internal/nelem.h" 20 #include "handshake.h" 21 #include "../testutil.h" 22 23 #if !defined(OPENSSL_NO_SCTP) && !defined(OPENSSL_NO_SOCK) 24 #include <netinet/sctp.h> 25 #endif 26 27 HANDSHAKE_RESULT *HANDSHAKE_RESULT_new(void) 28 { 29 HANDSHAKE_RESULT *ret; 30 31 TEST_ptr(ret = OPENSSL_zalloc(sizeof(*ret))); 32 return ret; 33 } 34 35 void HANDSHAKE_RESULT_free(HANDSHAKE_RESULT *result) 36 { 37 if (result == NULL) 38 return; 39 OPENSSL_free(result->client_npn_negotiated); 40 OPENSSL_free(result->server_npn_negotiated); 41 OPENSSL_free(result->client_alpn_negotiated); 42 OPENSSL_free(result->server_alpn_negotiated); 43 OPENSSL_free(result->result_session_ticket_app_data); 44 sk_X509_NAME_pop_free(result->server_ca_names, X509_NAME_free); 45 sk_X509_NAME_pop_free(result->client_ca_names, X509_NAME_free); 46 OPENSSL_free(result->cipher); 47 OPENSSL_free(result); 48 } 49 50 /* 51 * Since there appears to be no way to extract the sent/received alert 52 * from the SSL object directly, we use the info callback and stash 53 * the result in ex_data. 54 */ 55 typedef struct handshake_ex_data_st { 56 int alert_sent; 57 int num_fatal_alerts_sent; 58 int alert_received; 59 int session_ticket_do_not_call; 60 ssl_servername_t servername; 61 } HANDSHAKE_EX_DATA; 62 63 /* |ctx_data| itself is stack-allocated. */ 64 static void ctx_data_free_data(CTX_DATA *ctx_data) 65 { 66 OPENSSL_free(ctx_data->npn_protocols); 67 ctx_data->npn_protocols = NULL; 68 OPENSSL_free(ctx_data->alpn_protocols); 69 ctx_data->alpn_protocols = NULL; 70 OPENSSL_free(ctx_data->srp_user); 71 ctx_data->srp_user = NULL; 72 OPENSSL_free(ctx_data->srp_password); 73 ctx_data->srp_password = NULL; 74 OPENSSL_free(ctx_data->session_ticket_app_data); 75 ctx_data->session_ticket_app_data = NULL; 76 } 77 78 static int ex_data_idx; 79 80 static void info_cb(const SSL *s, int where, int ret) 81 { 82 if (where & SSL_CB_ALERT) { 83 HANDSHAKE_EX_DATA *ex_data = 84 (HANDSHAKE_EX_DATA*)(SSL_get_ex_data(s, ex_data_idx)); 85 if (where & SSL_CB_WRITE) { 86 ex_data->alert_sent = ret; 87 if (strcmp(SSL_alert_type_string(ret), "F") == 0 88 || strcmp(SSL_alert_desc_string(ret), "CN") == 0) 89 ex_data->num_fatal_alerts_sent++; 90 } else { 91 ex_data->alert_received = ret; 92 } 93 } 94 } 95 96 /* Select the appropriate server CTX. 97 * Returns SSL_TLSEXT_ERR_OK if a match was found. 98 * If |ignore| is 1, returns SSL_TLSEXT_ERR_NOACK on mismatch. 99 * Otherwise, returns SSL_TLSEXT_ERR_ALERT_FATAL on mismatch. 100 * An empty SNI extension also returns SSL_TSLEXT_ERR_NOACK. 101 */ 102 static int select_server_ctx(SSL *s, void *arg, int ignore) 103 { 104 const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name); 105 HANDSHAKE_EX_DATA *ex_data = 106 (HANDSHAKE_EX_DATA*)(SSL_get_ex_data(s, ex_data_idx)); 107 108 if (servername == NULL) { 109 ex_data->servername = SSL_TEST_SERVERNAME_SERVER1; 110 return SSL_TLSEXT_ERR_NOACK; 111 } 112 113 if (strcmp(servername, "server2") == 0) { 114 SSL_CTX *new_ctx = (SSL_CTX*)arg; 115 SSL_set_SSL_CTX(s, new_ctx); 116 /* 117 * Copy over all the SSL_CTX options - reasonable behavior 118 * allows testing of cases where the options between two 119 * contexts differ/conflict 120 */ 121 SSL_clear_options(s, 0xFFFFFFFFL); 122 SSL_set_options(s, SSL_CTX_get_options(new_ctx)); 123 124 ex_data->servername = SSL_TEST_SERVERNAME_SERVER2; 125 return SSL_TLSEXT_ERR_OK; 126 } else if (strcmp(servername, "server1") == 0) { 127 ex_data->servername = SSL_TEST_SERVERNAME_SERVER1; 128 return SSL_TLSEXT_ERR_OK; 129 } else if (ignore) { 130 ex_data->servername = SSL_TEST_SERVERNAME_SERVER1; 131 return SSL_TLSEXT_ERR_NOACK; 132 } else { 133 /* Don't set an explicit alert, to test library defaults. */ 134 return SSL_TLSEXT_ERR_ALERT_FATAL; 135 } 136 } 137 138 static int client_hello_select_server_ctx(SSL *s, void *arg, int ignore) 139 { 140 const char *servername; 141 const unsigned char *p; 142 size_t len, remaining; 143 HANDSHAKE_EX_DATA *ex_data = 144 (HANDSHAKE_EX_DATA*)(SSL_get_ex_data(s, ex_data_idx)); 145 146 /* 147 * The server_name extension was given too much extensibility when it 148 * was written, so parsing the normal case is a bit complex. 149 */ 150 if (!SSL_client_hello_get0_ext(s, TLSEXT_TYPE_server_name, &p, 151 &remaining) || 152 remaining <= 2) 153 return 0; 154 /* Extract the length of the supplied list of names. */ 155 len = (*(p++) << 8); 156 len += *(p++); 157 if (len + 2 != remaining) 158 return 0; 159 remaining = len; 160 /* 161 * The list in practice only has a single element, so we only consider 162 * the first one. 163 */ 164 if (remaining == 0 || *p++ != TLSEXT_NAMETYPE_host_name) 165 return 0; 166 remaining--; 167 /* Now we can finally pull out the byte array with the actual hostname. */ 168 if (remaining <= 2) 169 return 0; 170 len = (*(p++) << 8); 171 len += *(p++); 172 if (len + 2 > remaining) 173 return 0; 174 remaining = len; 175 servername = (const char *)p; 176 177 if (len == strlen("server2") && strncmp(servername, "server2", len) == 0) { 178 SSL_CTX *new_ctx = arg; 179 SSL_set_SSL_CTX(s, new_ctx); 180 /* 181 * Copy over all the SSL_CTX options - reasonable behavior 182 * allows testing of cases where the options between two 183 * contexts differ/conflict 184 */ 185 SSL_clear_options(s, 0xFFFFFFFFL); 186 SSL_set_options(s, SSL_CTX_get_options(new_ctx)); 187 188 ex_data->servername = SSL_TEST_SERVERNAME_SERVER2; 189 return 1; 190 } else if (len == strlen("server1") && 191 strncmp(servername, "server1", len) == 0) { 192 ex_data->servername = SSL_TEST_SERVERNAME_SERVER1; 193 return 1; 194 } else if (ignore) { 195 ex_data->servername = SSL_TEST_SERVERNAME_SERVER1; 196 return 1; 197 } 198 return 0; 199 } 200 /* 201 * (RFC 6066): 202 * If the server understood the ClientHello extension but 203 * does not recognize the server name, the server SHOULD take one of two 204 * actions: either abort the handshake by sending a fatal-level 205 * unrecognized_name(112) alert or continue the handshake. 206 * 207 * This behaviour is up to the application to configure; we test both 208 * configurations to ensure the state machine propagates the result 209 * correctly. 210 */ 211 static int servername_ignore_cb(SSL *s, int *ad, void *arg) 212 { 213 return select_server_ctx(s, arg, 1); 214 } 215 216 static int servername_reject_cb(SSL *s, int *ad, void *arg) 217 { 218 return select_server_ctx(s, arg, 0); 219 } 220 221 static int client_hello_ignore_cb(SSL *s, int *al, void *arg) 222 { 223 if (!client_hello_select_server_ctx(s, arg, 1)) { 224 *al = SSL_AD_UNRECOGNIZED_NAME; 225 return SSL_CLIENT_HELLO_ERROR; 226 } 227 return SSL_CLIENT_HELLO_SUCCESS; 228 } 229 230 static int client_hello_reject_cb(SSL *s, int *al, void *arg) 231 { 232 if (!client_hello_select_server_ctx(s, arg, 0)) { 233 *al = SSL_AD_UNRECOGNIZED_NAME; 234 return SSL_CLIENT_HELLO_ERROR; 235 } 236 return SSL_CLIENT_HELLO_SUCCESS; 237 } 238 239 static int client_hello_nov12_cb(SSL *s, int *al, void *arg) 240 { 241 int ret; 242 unsigned int v; 243 const unsigned char *p; 244 245 v = SSL_client_hello_get0_legacy_version(s); 246 if (v > TLS1_2_VERSION || v < SSL3_VERSION) { 247 *al = SSL_AD_PROTOCOL_VERSION; 248 return SSL_CLIENT_HELLO_ERROR; 249 } 250 (void)SSL_client_hello_get0_session_id(s, &p); 251 if (p == NULL || 252 SSL_client_hello_get0_random(s, &p) == 0 || 253 SSL_client_hello_get0_ciphers(s, &p) == 0 || 254 SSL_client_hello_get0_compression_methods(s, &p) == 0) { 255 *al = SSL_AD_INTERNAL_ERROR; 256 return SSL_CLIENT_HELLO_ERROR; 257 } 258 ret = client_hello_select_server_ctx(s, arg, 0); 259 SSL_set_max_proto_version(s, TLS1_1_VERSION); 260 if (!ret) { 261 *al = SSL_AD_UNRECOGNIZED_NAME; 262 return SSL_CLIENT_HELLO_ERROR; 263 } 264 return SSL_CLIENT_HELLO_SUCCESS; 265 } 266 267 static unsigned char dummy_ocsp_resp_good_val = 0xff; 268 static unsigned char dummy_ocsp_resp_bad_val = 0xfe; 269 270 static int server_ocsp_cb(SSL *s, void *arg) 271 { 272 unsigned char *resp; 273 274 resp = OPENSSL_malloc(1); 275 if (resp == NULL) 276 return SSL_TLSEXT_ERR_ALERT_FATAL; 277 /* 278 * For the purposes of testing we just send back a dummy OCSP response 279 */ 280 *resp = *(unsigned char *)arg; 281 if (!SSL_set_tlsext_status_ocsp_resp(s, resp, 1)) { 282 OPENSSL_free(resp); 283 return SSL_TLSEXT_ERR_ALERT_FATAL; 284 } 285 286 return SSL_TLSEXT_ERR_OK; 287 } 288 289 static int client_ocsp_cb(SSL *s, void *arg) 290 { 291 const unsigned char *resp; 292 int len; 293 294 len = SSL_get_tlsext_status_ocsp_resp(s, &resp); 295 if (len != 1 || *resp != dummy_ocsp_resp_good_val) 296 return 0; 297 298 return 1; 299 } 300 301 static int verify_reject_cb(X509_STORE_CTX *ctx, void *arg) { 302 X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION); 303 return 0; 304 } 305 306 static int n_retries = 0; 307 static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg) { 308 int idx = SSL_get_ex_data_X509_STORE_CTX_idx(); 309 SSL *ssl; 310 311 /* this should not happen but check anyway */ 312 if (idx < 0 313 || (ssl = X509_STORE_CTX_get_ex_data(ctx, idx)) == NULL) 314 return 0; 315 316 if (--n_retries < 0) 317 return 1; 318 319 return SSL_set_retry_verify(ssl); 320 } 321 322 static int verify_accept_cb(X509_STORE_CTX *ctx, void *arg) { 323 return 1; 324 } 325 326 static int broken_session_ticket_cb(SSL *s, unsigned char *key_name, 327 unsigned char *iv, EVP_CIPHER_CTX *ctx, 328 EVP_MAC_CTX *hctx, int enc) 329 { 330 return 0; 331 } 332 333 static int do_not_call_session_ticket_cb(SSL *s, unsigned char *key_name, 334 unsigned char *iv, 335 EVP_CIPHER_CTX *ctx, 336 EVP_MAC_CTX *hctx, int enc) 337 { 338 HANDSHAKE_EX_DATA *ex_data = 339 (HANDSHAKE_EX_DATA*)(SSL_get_ex_data(s, ex_data_idx)); 340 ex_data->session_ticket_do_not_call = 1; 341 return 0; 342 } 343 344 /* Parse the comma-separated list into TLS format. */ 345 static int parse_protos(const char *protos, unsigned char **out, size_t *outlen) 346 { 347 size_t len, i, prefix; 348 349 len = strlen(protos); 350 351 if (len == 0) { 352 *out = NULL; 353 *outlen = 0; 354 return 1; 355 } 356 357 /* Should never have reuse. */ 358 if (!TEST_ptr_null(*out) 359 /* Test values are small, so we omit length limit checks. */ 360 || !TEST_ptr(*out = OPENSSL_malloc(len + 1))) 361 return 0; 362 *outlen = len + 1; 363 364 /* 365 * foo => '3', 'f', 'o', 'o' 366 * foo,bar => '3', 'f', 'o', 'o', '3', 'b', 'a', 'r' 367 */ 368 memcpy(*out + 1, protos, len); 369 370 prefix = 0; 371 i = prefix + 1; 372 while (i <= len) { 373 if ((*out)[i] == ',') { 374 if (!TEST_int_gt(i - 1, prefix)) 375 goto err; 376 (*out)[prefix] = (unsigned char)(i - 1 - prefix); 377 prefix = i; 378 } 379 i++; 380 } 381 if (!TEST_int_gt(len, prefix)) 382 goto err; 383 (*out)[prefix] = (unsigned char)(len - prefix); 384 return 1; 385 386 err: 387 OPENSSL_free(*out); 388 *out = NULL; 389 return 0; 390 } 391 392 #ifndef OPENSSL_NO_NEXTPROTONEG 393 /* 394 * The client SHOULD select the first protocol advertised by the server that it 395 * also supports. In the event that the client doesn't support any of server's 396 * protocols, or the server doesn't advertise any, it SHOULD select the first 397 * protocol that it supports. 398 */ 399 static int client_npn_cb(SSL *s, unsigned char **out, unsigned char *outlen, 400 const unsigned char *in, unsigned int inlen, 401 void *arg) 402 { 403 CTX_DATA *ctx_data = (CTX_DATA*)(arg); 404 int ret; 405 406 ret = SSL_select_next_proto(out, outlen, in, inlen, 407 ctx_data->npn_protocols, 408 ctx_data->npn_protocols_len); 409 /* Accept both OPENSSL_NPN_NEGOTIATED and OPENSSL_NPN_NO_OVERLAP. */ 410 return TEST_true(ret == OPENSSL_NPN_NEGOTIATED || ret == OPENSSL_NPN_NO_OVERLAP) 411 ? SSL_TLSEXT_ERR_OK : SSL_TLSEXT_ERR_ALERT_FATAL; 412 } 413 414 static int server_npn_cb(SSL *s, const unsigned char **data, 415 unsigned int *len, void *arg) 416 { 417 CTX_DATA *ctx_data = (CTX_DATA*)(arg); 418 *data = ctx_data->npn_protocols; 419 *len = ctx_data->npn_protocols_len; 420 return SSL_TLSEXT_ERR_OK; 421 } 422 #endif 423 424 /* 425 * The server SHOULD select the most highly preferred protocol that it supports 426 * and that is also advertised by the client. In the event that the server 427 * supports no protocols that the client advertises, then the server SHALL 428 * respond with a fatal "no_application_protocol" alert. 429 */ 430 static int server_alpn_cb(SSL *s, const unsigned char **out, 431 unsigned char *outlen, const unsigned char *in, 432 unsigned int inlen, void *arg) 433 { 434 CTX_DATA *ctx_data = (CTX_DATA*)(arg); 435 int ret; 436 437 /* SSL_select_next_proto isn't const-correct... */ 438 unsigned char *tmp_out; 439 440 /* 441 * The result points either to |in| or to |ctx_data->alpn_protocols|. 442 * The callback is allowed to point to |in| or to a long-lived buffer, 443 * so we can return directly without storing a copy. 444 */ 445 ret = SSL_select_next_proto(&tmp_out, outlen, 446 ctx_data->alpn_protocols, 447 ctx_data->alpn_protocols_len, in, inlen); 448 449 *out = tmp_out; 450 /* Unlike NPN, we don't tolerate a mismatch. */ 451 return ret == OPENSSL_NPN_NEGOTIATED ? SSL_TLSEXT_ERR_OK 452 : SSL_TLSEXT_ERR_ALERT_FATAL; 453 } 454 455 static int generate_session_ticket_cb(SSL *s, void *arg) 456 { 457 CTX_DATA *server_ctx_data = arg; 458 SSL_SESSION *ss = SSL_get_session(s); 459 char *app_data = server_ctx_data->session_ticket_app_data; 460 461 if (ss == NULL || app_data == NULL) 462 return 0; 463 464 return SSL_SESSION_set1_ticket_appdata(ss, app_data, strlen(app_data)); 465 } 466 467 static int decrypt_session_ticket_cb(SSL *s, SSL_SESSION *ss, 468 const unsigned char *keyname, 469 size_t keyname_len, 470 SSL_TICKET_STATUS status, 471 void *arg) 472 { 473 switch (status) { 474 case SSL_TICKET_EMPTY: 475 case SSL_TICKET_NO_DECRYPT: 476 return SSL_TICKET_RETURN_IGNORE_RENEW; 477 case SSL_TICKET_SUCCESS: 478 return SSL_TICKET_RETURN_USE; 479 case SSL_TICKET_SUCCESS_RENEW: 480 return SSL_TICKET_RETURN_USE_RENEW; 481 default: 482 break; 483 } 484 return SSL_TICKET_RETURN_ABORT; 485 } 486 487 /* 488 * Configure callbacks and other properties that can't be set directly 489 * in the server/client CONF. 490 */ 491 static int configure_handshake_ctx(SSL_CTX *server_ctx, SSL_CTX *server2_ctx, 492 SSL_CTX *client_ctx, 493 const SSL_TEST_CTX *test, 494 const SSL_TEST_EXTRA_CONF *extra, 495 CTX_DATA *server_ctx_data, 496 CTX_DATA *server2_ctx_data, 497 CTX_DATA *client_ctx_data) 498 { 499 unsigned char *ticket_keys; 500 size_t ticket_key_len; 501 502 if (!TEST_int_eq(SSL_CTX_set_max_send_fragment(server_ctx, 503 test->max_fragment_size), 1)) 504 goto err; 505 if (server2_ctx != NULL) { 506 if (!TEST_int_eq(SSL_CTX_set_max_send_fragment(server2_ctx, 507 test->max_fragment_size), 508 1)) 509 goto err; 510 } 511 if (!TEST_int_eq(SSL_CTX_set_max_send_fragment(client_ctx, 512 test->max_fragment_size), 1)) 513 goto err; 514 515 switch (extra->client.verify_callback) { 516 case SSL_TEST_VERIFY_ACCEPT_ALL: 517 SSL_CTX_set_cert_verify_callback(client_ctx, &verify_accept_cb, NULL); 518 break; 519 case SSL_TEST_VERIFY_RETRY_ONCE: 520 n_retries = 1; 521 SSL_CTX_set_cert_verify_callback(client_ctx, &verify_retry_cb, NULL); 522 break; 523 case SSL_TEST_VERIFY_REJECT_ALL: 524 SSL_CTX_set_cert_verify_callback(client_ctx, &verify_reject_cb, NULL); 525 break; 526 case SSL_TEST_VERIFY_NONE: 527 break; 528 } 529 530 switch (extra->client.max_fragment_len_mode) { 531 case TLSEXT_max_fragment_length_512: 532 case TLSEXT_max_fragment_length_1024: 533 case TLSEXT_max_fragment_length_2048: 534 case TLSEXT_max_fragment_length_4096: 535 case TLSEXT_max_fragment_length_DISABLED: 536 SSL_CTX_set_tlsext_max_fragment_length( 537 client_ctx, extra->client.max_fragment_len_mode); 538 break; 539 } 540 541 /* 542 * Link the two contexts for SNI purposes. 543 * Also do ClientHello callbacks here, as setting both ClientHello and SNI 544 * is bad. 545 */ 546 switch (extra->server.servername_callback) { 547 case SSL_TEST_SERVERNAME_IGNORE_MISMATCH: 548 SSL_CTX_set_tlsext_servername_callback(server_ctx, servername_ignore_cb); 549 SSL_CTX_set_tlsext_servername_arg(server_ctx, server2_ctx); 550 break; 551 case SSL_TEST_SERVERNAME_REJECT_MISMATCH: 552 SSL_CTX_set_tlsext_servername_callback(server_ctx, servername_reject_cb); 553 SSL_CTX_set_tlsext_servername_arg(server_ctx, server2_ctx); 554 break; 555 case SSL_TEST_SERVERNAME_CB_NONE: 556 break; 557 case SSL_TEST_SERVERNAME_CLIENT_HELLO_IGNORE_MISMATCH: 558 SSL_CTX_set_client_hello_cb(server_ctx, client_hello_ignore_cb, server2_ctx); 559 break; 560 case SSL_TEST_SERVERNAME_CLIENT_HELLO_REJECT_MISMATCH: 561 SSL_CTX_set_client_hello_cb(server_ctx, client_hello_reject_cb, server2_ctx); 562 break; 563 case SSL_TEST_SERVERNAME_CLIENT_HELLO_NO_V12: 564 SSL_CTX_set_client_hello_cb(server_ctx, client_hello_nov12_cb, server2_ctx); 565 } 566 567 if (extra->server.cert_status != SSL_TEST_CERT_STATUS_NONE) { 568 SSL_CTX_set_tlsext_status_type(client_ctx, TLSEXT_STATUSTYPE_ocsp); 569 SSL_CTX_set_tlsext_status_cb(client_ctx, client_ocsp_cb); 570 SSL_CTX_set_tlsext_status_arg(client_ctx, NULL); 571 SSL_CTX_set_tlsext_status_cb(server_ctx, server_ocsp_cb); 572 SSL_CTX_set_tlsext_status_arg(server_ctx, 573 ((extra->server.cert_status == SSL_TEST_CERT_STATUS_GOOD_RESPONSE) 574 ? &dummy_ocsp_resp_good_val : &dummy_ocsp_resp_bad_val)); 575 } 576 577 /* 578 * The initial_ctx/session_ctx always handles the encrypt/decrypt of the 579 * session ticket. This ticket_key callback is assigned to the second 580 * session (assigned via SNI), and should never be invoked 581 */ 582 if (server2_ctx != NULL) 583 SSL_CTX_set_tlsext_ticket_key_evp_cb(server2_ctx, 584 do_not_call_session_ticket_cb); 585 586 if (extra->server.broken_session_ticket) { 587 SSL_CTX_set_tlsext_ticket_key_evp_cb(server_ctx, 588 broken_session_ticket_cb); 589 } 590 #ifndef OPENSSL_NO_NEXTPROTONEG 591 if (extra->server.npn_protocols != NULL) { 592 if (!TEST_true(parse_protos(extra->server.npn_protocols, 593 &server_ctx_data->npn_protocols, 594 &server_ctx_data->npn_protocols_len))) 595 goto err; 596 SSL_CTX_set_npn_advertised_cb(server_ctx, server_npn_cb, 597 server_ctx_data); 598 } 599 if (extra->server2.npn_protocols != NULL) { 600 if (!TEST_true(parse_protos(extra->server2.npn_protocols, 601 &server2_ctx_data->npn_protocols, 602 &server2_ctx_data->npn_protocols_len)) 603 || !TEST_ptr(server2_ctx)) 604 goto err; 605 SSL_CTX_set_npn_advertised_cb(server2_ctx, server_npn_cb, 606 server2_ctx_data); 607 } 608 if (extra->client.npn_protocols != NULL) { 609 if (!TEST_true(parse_protos(extra->client.npn_protocols, 610 &client_ctx_data->npn_protocols, 611 &client_ctx_data->npn_protocols_len))) 612 goto err; 613 SSL_CTX_set_next_proto_select_cb(client_ctx, client_npn_cb, 614 client_ctx_data); 615 } 616 #endif 617 if (extra->server.alpn_protocols != NULL) { 618 if (!TEST_true(parse_protos(extra->server.alpn_protocols, 619 &server_ctx_data->alpn_protocols, 620 &server_ctx_data->alpn_protocols_len))) 621 goto err; 622 SSL_CTX_set_alpn_select_cb(server_ctx, server_alpn_cb, server_ctx_data); 623 } 624 if (extra->server2.alpn_protocols != NULL) { 625 if (!TEST_ptr(server2_ctx) 626 || !TEST_true(parse_protos(extra->server2.alpn_protocols, 627 &server2_ctx_data->alpn_protocols, 628 &server2_ctx_data->alpn_protocols_len 629 ))) 630 goto err; 631 SSL_CTX_set_alpn_select_cb(server2_ctx, server_alpn_cb, 632 server2_ctx_data); 633 } 634 if (extra->client.alpn_protocols != NULL) { 635 unsigned char *alpn_protos = NULL; 636 size_t alpn_protos_len = 0; 637 638 if (!TEST_true(parse_protos(extra->client.alpn_protocols, 639 &alpn_protos, &alpn_protos_len)) 640 /* Reversed return value convention... */ 641 || !TEST_int_eq(SSL_CTX_set_alpn_protos(client_ctx, alpn_protos, 642 alpn_protos_len), 0)) 643 goto err; 644 OPENSSL_free(alpn_protos); 645 } 646 647 if (extra->server.session_ticket_app_data != NULL) { 648 server_ctx_data->session_ticket_app_data = 649 OPENSSL_strdup(extra->server.session_ticket_app_data); 650 SSL_CTX_set_session_ticket_cb(server_ctx, generate_session_ticket_cb, 651 decrypt_session_ticket_cb, server_ctx_data); 652 } 653 if (extra->server2.session_ticket_app_data != NULL) { 654 if (!TEST_ptr(server2_ctx)) 655 goto err; 656 server2_ctx_data->session_ticket_app_data = 657 OPENSSL_strdup(extra->server2.session_ticket_app_data); 658 SSL_CTX_set_session_ticket_cb(server2_ctx, NULL, 659 decrypt_session_ticket_cb, server2_ctx_data); 660 } 661 662 /* 663 * Use fixed session ticket keys so that we can decrypt a ticket created with 664 * one CTX in another CTX. Don't address server2 for the moment. 665 */ 666 ticket_key_len = SSL_CTX_set_tlsext_ticket_keys(server_ctx, NULL, 0); 667 if (!TEST_ptr(ticket_keys = OPENSSL_zalloc(ticket_key_len)) 668 || !TEST_int_eq(SSL_CTX_set_tlsext_ticket_keys(server_ctx, 669 ticket_keys, 670 ticket_key_len), 1)) { 671 OPENSSL_free(ticket_keys); 672 goto err; 673 } 674 OPENSSL_free(ticket_keys); 675 676 /* The default log list includes EC keys, so CT can't work without EC. */ 677 #if !defined(OPENSSL_NO_CT) && !defined(OPENSSL_NO_EC) 678 if (!TEST_true(SSL_CTX_set_default_ctlog_list_file(client_ctx))) 679 goto err; 680 switch (extra->client.ct_validation) { 681 case SSL_TEST_CT_VALIDATION_PERMISSIVE: 682 if (!TEST_true(SSL_CTX_enable_ct(client_ctx, 683 SSL_CT_VALIDATION_PERMISSIVE))) 684 goto err; 685 break; 686 case SSL_TEST_CT_VALIDATION_STRICT: 687 if (!TEST_true(SSL_CTX_enable_ct(client_ctx, SSL_CT_VALIDATION_STRICT))) 688 goto err; 689 break; 690 case SSL_TEST_CT_VALIDATION_NONE: 691 break; 692 } 693 #endif 694 #ifndef OPENSSL_NO_SRP 695 if (!configure_handshake_ctx_for_srp(server_ctx, server2_ctx, client_ctx, 696 extra, server_ctx_data, 697 server2_ctx_data, client_ctx_data)) 698 goto err; 699 #endif /* !OPENSSL_NO_SRP */ 700 return 1; 701 err: 702 return 0; 703 } 704 705 /* Configure per-SSL callbacks and other properties. */ 706 static void configure_handshake_ssl(SSL *server, SSL *client, 707 const SSL_TEST_EXTRA_CONF *extra) 708 { 709 if (extra->client.servername != SSL_TEST_SERVERNAME_NONE) 710 SSL_set_tlsext_host_name(client, 711 ssl_servername_name(extra->client.servername)); 712 if (extra->client.enable_pha) 713 SSL_set_post_handshake_auth(client, 1); 714 } 715 716 /* The status for each connection phase. */ 717 typedef enum { 718 PEER_SUCCESS, 719 PEER_RETRY, 720 PEER_ERROR, 721 PEER_WAITING, 722 PEER_TEST_FAILURE 723 } peer_status_t; 724 725 /* An SSL object and associated read-write buffers. */ 726 typedef struct peer_st { 727 SSL *ssl; 728 /* Buffer lengths are int to match the SSL read/write API. */ 729 unsigned char *write_buf; 730 int write_buf_len; 731 unsigned char *read_buf; 732 int read_buf_len; 733 int bytes_to_write; 734 int bytes_to_read; 735 peer_status_t status; 736 } PEER; 737 738 static int create_peer(PEER *peer, SSL_CTX *ctx) 739 { 740 static const int peer_buffer_size = 64 * 1024; 741 SSL *ssl = NULL; 742 unsigned char *read_buf = NULL, *write_buf = NULL; 743 744 if (!TEST_ptr(ssl = SSL_new(ctx)) 745 || !TEST_ptr(write_buf = OPENSSL_zalloc(peer_buffer_size)) 746 || !TEST_ptr(read_buf = OPENSSL_zalloc(peer_buffer_size))) 747 goto err; 748 749 peer->ssl = ssl; 750 peer->write_buf = write_buf; 751 peer->read_buf = read_buf; 752 peer->write_buf_len = peer->read_buf_len = peer_buffer_size; 753 return 1; 754 err: 755 SSL_free(ssl); 756 OPENSSL_free(write_buf); 757 OPENSSL_free(read_buf); 758 return 0; 759 } 760 761 static void peer_free_data(PEER *peer) 762 { 763 SSL_free(peer->ssl); 764 OPENSSL_free(peer->write_buf); 765 OPENSSL_free(peer->read_buf); 766 } 767 768 /* 769 * Note that we could do the handshake transparently under an SSL_write, 770 * but separating the steps is more helpful for debugging test failures. 771 */ 772 static void do_handshake_step(PEER *peer) 773 { 774 if (!TEST_int_eq(peer->status, PEER_RETRY)) { 775 peer->status = PEER_TEST_FAILURE; 776 } else { 777 int ret = SSL_do_handshake(peer->ssl); 778 779 if (ret == 1) { 780 peer->status = PEER_SUCCESS; 781 } else if (ret == 0) { 782 peer->status = PEER_ERROR; 783 } else { 784 int error = SSL_get_error(peer->ssl, ret); 785 786 /* Memory bios should never block with SSL_ERROR_WANT_WRITE. */ 787 if (error != SSL_ERROR_WANT_READ 788 && error != SSL_ERROR_WANT_RETRY_VERIFY) 789 peer->status = PEER_ERROR; 790 } 791 } 792 } 793 794 /*- 795 * Send/receive some application data. The read-write sequence is 796 * Peer A: (R) W - first read will yield no data 797 * Peer B: R W 798 * ... 799 * Peer A: R W 800 * Peer B: R W 801 * Peer A: R 802 */ 803 static void do_app_data_step(PEER *peer) 804 { 805 int ret = 1, write_bytes; 806 807 if (!TEST_int_eq(peer->status, PEER_RETRY)) { 808 peer->status = PEER_TEST_FAILURE; 809 return; 810 } 811 812 /* We read everything available... */ 813 while (ret > 0 && peer->bytes_to_read) { 814 ret = SSL_read(peer->ssl, peer->read_buf, peer->read_buf_len); 815 if (ret > 0) { 816 if (!TEST_int_le(ret, peer->bytes_to_read)) { 817 peer->status = PEER_TEST_FAILURE; 818 return; 819 } 820 peer->bytes_to_read -= ret; 821 } else if (ret == 0) { 822 peer->status = PEER_ERROR; 823 return; 824 } else { 825 int error = SSL_get_error(peer->ssl, ret); 826 if (error != SSL_ERROR_WANT_READ) { 827 peer->status = PEER_ERROR; 828 return; 829 } /* Else continue with write. */ 830 } 831 } 832 833 /* ... but we only write one write-buffer-full of data. */ 834 write_bytes = peer->bytes_to_write < peer->write_buf_len ? peer->bytes_to_write : 835 peer->write_buf_len; 836 if (write_bytes) { 837 ret = SSL_write(peer->ssl, peer->write_buf, write_bytes); 838 if (ret > 0) { 839 /* SSL_write will only succeed with a complete write. */ 840 if (!TEST_int_eq(ret, write_bytes)) { 841 peer->status = PEER_TEST_FAILURE; 842 return; 843 } 844 peer->bytes_to_write -= ret; 845 } else { 846 /* 847 * We should perhaps check for SSL_ERROR_WANT_READ/WRITE here 848 * but this doesn't yet occur with current app data sizes. 849 */ 850 peer->status = PEER_ERROR; 851 return; 852 } 853 } 854 855 /* 856 * We could simply finish when there was nothing to read, and we have 857 * nothing left to write. But keeping track of the expected number of bytes 858 * to read gives us somewhat better guarantees that all data sent is in fact 859 * received. 860 */ 861 if (peer->bytes_to_write == 0 && peer->bytes_to_read == 0) { 862 peer->status = PEER_SUCCESS; 863 } 864 } 865 866 static void do_reneg_setup_step(const SSL_TEST_CTX *test_ctx, PEER *peer) 867 { 868 int ret; 869 char buf; 870 871 if (peer->status == PEER_SUCCESS) { 872 /* 873 * We are a client that succeeded this step previously, but the server 874 * wanted to retry. Probably there is a no_renegotiation warning alert 875 * waiting for us. Attempt to continue the handshake. 876 */ 877 peer->status = PEER_RETRY; 878 do_handshake_step(peer); 879 return; 880 } 881 882 if (!TEST_int_eq(peer->status, PEER_RETRY) 883 || !TEST_true(test_ctx->handshake_mode 884 == SSL_TEST_HANDSHAKE_RENEG_SERVER 885 || test_ctx->handshake_mode 886 == SSL_TEST_HANDSHAKE_RENEG_CLIENT 887 || test_ctx->handshake_mode 888 == SSL_TEST_HANDSHAKE_KEY_UPDATE_SERVER 889 || test_ctx->handshake_mode 890 == SSL_TEST_HANDSHAKE_KEY_UPDATE_CLIENT 891 || test_ctx->handshake_mode 892 == SSL_TEST_HANDSHAKE_POST_HANDSHAKE_AUTH)) { 893 peer->status = PEER_TEST_FAILURE; 894 return; 895 } 896 897 /* Reset the count of the amount of app data we need to read/write */ 898 peer->bytes_to_write = peer->bytes_to_read = test_ctx->app_data_size; 899 900 /* Check if we are the peer that is going to initiate */ 901 if ((test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_RENEG_SERVER 902 && SSL_is_server(peer->ssl)) 903 || (test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_RENEG_CLIENT 904 && !SSL_is_server(peer->ssl))) { 905 /* 906 * If we already asked for a renegotiation then fall through to the 907 * SSL_read() below. 908 */ 909 if (!SSL_renegotiate_pending(peer->ssl)) { 910 /* 911 * If we are the client we will always attempt to resume the 912 * session. The server may or may not resume dependent on the 913 * setting of SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 914 */ 915 if (SSL_is_server(peer->ssl)) { 916 ret = SSL_renegotiate(peer->ssl); 917 } else { 918 int full_reneg = 0; 919 920 if (test_ctx->extra.client.no_extms_on_reneg) { 921 SSL_set_options(peer->ssl, SSL_OP_NO_EXTENDED_MASTER_SECRET); 922 full_reneg = 1; 923 } 924 if (test_ctx->extra.client.reneg_ciphers != NULL) { 925 if (!SSL_set_cipher_list(peer->ssl, 926 test_ctx->extra.client.reneg_ciphers)) { 927 peer->status = PEER_ERROR; 928 return; 929 } 930 full_reneg = 1; 931 } 932 if (full_reneg) 933 ret = SSL_renegotiate(peer->ssl); 934 else 935 ret = SSL_renegotiate_abbreviated(peer->ssl); 936 } 937 if (!ret) { 938 peer->status = PEER_ERROR; 939 return; 940 } 941 do_handshake_step(peer); 942 /* 943 * If status is PEER_RETRY it means we're waiting on the peer to 944 * continue the handshake. As far as setting up the renegotiation is 945 * concerned that is a success. The next step will continue the 946 * handshake to its conclusion. 947 * 948 * If status is PEER_SUCCESS then we are the server and we have 949 * successfully sent the HelloRequest. We need to continue to wait 950 * until the handshake arrives from the client. 951 */ 952 if (peer->status == PEER_RETRY) 953 peer->status = PEER_SUCCESS; 954 else if (peer->status == PEER_SUCCESS) 955 peer->status = PEER_RETRY; 956 return; 957 } 958 } else if (test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_KEY_UPDATE_SERVER 959 || test_ctx->handshake_mode 960 == SSL_TEST_HANDSHAKE_KEY_UPDATE_CLIENT) { 961 if (SSL_is_server(peer->ssl) 962 != (test_ctx->handshake_mode 963 == SSL_TEST_HANDSHAKE_KEY_UPDATE_SERVER)) { 964 peer->status = PEER_SUCCESS; 965 return; 966 } 967 968 ret = SSL_key_update(peer->ssl, test_ctx->key_update_type); 969 if (!ret) { 970 peer->status = PEER_ERROR; 971 return; 972 } 973 do_handshake_step(peer); 974 /* 975 * This is a one step handshake. We shouldn't get anything other than 976 * PEER_SUCCESS 977 */ 978 if (peer->status != PEER_SUCCESS) 979 peer->status = PEER_ERROR; 980 return; 981 } else if (test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_POST_HANDSHAKE_AUTH) { 982 if (SSL_is_server(peer->ssl)) { 983 /* Make the server believe it's received the extension */ 984 if (test_ctx->extra.server.force_pha) 985 peer->ssl->post_handshake_auth = SSL_PHA_EXT_RECEIVED; 986 ret = SSL_verify_client_post_handshake(peer->ssl); 987 if (!ret) { 988 peer->status = PEER_ERROR; 989 return; 990 } 991 } 992 do_handshake_step(peer); 993 /* 994 * This is a one step handshake. We shouldn't get anything other than 995 * PEER_SUCCESS 996 */ 997 if (peer->status != PEER_SUCCESS) 998 peer->status = PEER_ERROR; 999 return; 1000 } 1001 1002 /* 1003 * The SSL object is still expecting app data, even though it's going to 1004 * get a handshake message. We try to read, and it should fail - after which 1005 * we should be in a handshake 1006 */ 1007 ret = SSL_read(peer->ssl, &buf, sizeof(buf)); 1008 if (ret >= 0) { 1009 /* 1010 * We're not actually expecting data - we're expecting a reneg to 1011 * start 1012 */ 1013 peer->status = PEER_ERROR; 1014 return; 1015 } else { 1016 int error = SSL_get_error(peer->ssl, ret); 1017 if (error != SSL_ERROR_WANT_READ) { 1018 peer->status = PEER_ERROR; 1019 return; 1020 } 1021 /* If we're not in init yet then we're not done with setup yet */ 1022 if (!SSL_in_init(peer->ssl)) 1023 return; 1024 } 1025 1026 peer->status = PEER_SUCCESS; 1027 } 1028 1029 1030 /* 1031 * RFC 5246 says: 1032 * 1033 * Note that as of TLS 1.1, 1034 * failure to properly close a connection no longer requires that a 1035 * session not be resumed. This is a change from TLS 1.0 to conform 1036 * with widespread implementation practice. 1037 * 1038 * However, 1039 * (a) OpenSSL requires that a connection be shutdown for all protocol versions. 1040 * (b) We test lower versions, too. 1041 * So we just implement shutdown. We do a full bidirectional shutdown so that we 1042 * can compare sent and received close_notify alerts and get some test coverage 1043 * for SSL_shutdown as a bonus. 1044 */ 1045 static void do_shutdown_step(PEER *peer) 1046 { 1047 int ret; 1048 1049 if (!TEST_int_eq(peer->status, PEER_RETRY)) { 1050 peer->status = PEER_TEST_FAILURE; 1051 return; 1052 } 1053 ret = SSL_shutdown(peer->ssl); 1054 1055 if (ret == 1) { 1056 peer->status = PEER_SUCCESS; 1057 } else if (ret < 0) { /* On 0, we retry. */ 1058 int error = SSL_get_error(peer->ssl, ret); 1059 1060 if (error != SSL_ERROR_WANT_READ && error != SSL_ERROR_WANT_WRITE) 1061 peer->status = PEER_ERROR; 1062 } 1063 } 1064 1065 typedef enum { 1066 HANDSHAKE, 1067 RENEG_APPLICATION_DATA, 1068 RENEG_SETUP, 1069 RENEG_HANDSHAKE, 1070 APPLICATION_DATA, 1071 SHUTDOWN, 1072 CONNECTION_DONE 1073 } connect_phase_t; 1074 1075 1076 static int renegotiate_op(const SSL_TEST_CTX *test_ctx) 1077 { 1078 switch (test_ctx->handshake_mode) { 1079 case SSL_TEST_HANDSHAKE_RENEG_SERVER: 1080 case SSL_TEST_HANDSHAKE_RENEG_CLIENT: 1081 return 1; 1082 default: 1083 return 0; 1084 } 1085 } 1086 static int post_handshake_op(const SSL_TEST_CTX *test_ctx) 1087 { 1088 switch (test_ctx->handshake_mode) { 1089 case SSL_TEST_HANDSHAKE_KEY_UPDATE_CLIENT: 1090 case SSL_TEST_HANDSHAKE_KEY_UPDATE_SERVER: 1091 case SSL_TEST_HANDSHAKE_POST_HANDSHAKE_AUTH: 1092 return 1; 1093 default: 1094 return 0; 1095 } 1096 } 1097 1098 static connect_phase_t next_phase(const SSL_TEST_CTX *test_ctx, 1099 connect_phase_t phase) 1100 { 1101 switch (phase) { 1102 case HANDSHAKE: 1103 if (renegotiate_op(test_ctx) || post_handshake_op(test_ctx)) 1104 return RENEG_APPLICATION_DATA; 1105 return APPLICATION_DATA; 1106 case RENEG_APPLICATION_DATA: 1107 return RENEG_SETUP; 1108 case RENEG_SETUP: 1109 if (post_handshake_op(test_ctx)) 1110 return APPLICATION_DATA; 1111 return RENEG_HANDSHAKE; 1112 case RENEG_HANDSHAKE: 1113 return APPLICATION_DATA; 1114 case APPLICATION_DATA: 1115 return SHUTDOWN; 1116 case SHUTDOWN: 1117 return CONNECTION_DONE; 1118 case CONNECTION_DONE: 1119 TEST_error("Trying to progress after connection done"); 1120 break; 1121 } 1122 return -1; 1123 } 1124 1125 static void do_connect_step(const SSL_TEST_CTX *test_ctx, PEER *peer, 1126 connect_phase_t phase) 1127 { 1128 switch (phase) { 1129 case HANDSHAKE: 1130 do_handshake_step(peer); 1131 break; 1132 case RENEG_APPLICATION_DATA: 1133 do_app_data_step(peer); 1134 break; 1135 case RENEG_SETUP: 1136 do_reneg_setup_step(test_ctx, peer); 1137 break; 1138 case RENEG_HANDSHAKE: 1139 do_handshake_step(peer); 1140 break; 1141 case APPLICATION_DATA: 1142 do_app_data_step(peer); 1143 break; 1144 case SHUTDOWN: 1145 do_shutdown_step(peer); 1146 break; 1147 case CONNECTION_DONE: 1148 TEST_error("Action after connection done"); 1149 break; 1150 } 1151 } 1152 1153 typedef enum { 1154 /* Both parties succeeded. */ 1155 HANDSHAKE_SUCCESS, 1156 /* Client errored. */ 1157 CLIENT_ERROR, 1158 /* Server errored. */ 1159 SERVER_ERROR, 1160 /* Peers are in inconsistent state. */ 1161 INTERNAL_ERROR, 1162 /* One or both peers not done. */ 1163 HANDSHAKE_RETRY 1164 } handshake_status_t; 1165 1166 /* 1167 * Determine the handshake outcome. 1168 * last_status: the status of the peer to have acted last. 1169 * previous_status: the status of the peer that didn't act last. 1170 * client_spoke_last: 1 if the client went last. 1171 */ 1172 static handshake_status_t handshake_status(peer_status_t last_status, 1173 peer_status_t previous_status, 1174 int client_spoke_last) 1175 { 1176 switch (last_status) { 1177 case PEER_TEST_FAILURE: 1178 return INTERNAL_ERROR; 1179 1180 case PEER_WAITING: 1181 /* Shouldn't ever happen */ 1182 return INTERNAL_ERROR; 1183 1184 case PEER_SUCCESS: 1185 switch (previous_status) { 1186 case PEER_TEST_FAILURE: 1187 return INTERNAL_ERROR; 1188 case PEER_SUCCESS: 1189 /* Both succeeded. */ 1190 return HANDSHAKE_SUCCESS; 1191 case PEER_WAITING: 1192 case PEER_RETRY: 1193 /* Let the first peer finish. */ 1194 return HANDSHAKE_RETRY; 1195 case PEER_ERROR: 1196 /* 1197 * Second peer succeeded despite the fact that the first peer 1198 * already errored. This shouldn't happen. 1199 */ 1200 return INTERNAL_ERROR; 1201 } 1202 break; 1203 1204 case PEER_RETRY: 1205 return HANDSHAKE_RETRY; 1206 1207 case PEER_ERROR: 1208 switch (previous_status) { 1209 case PEER_TEST_FAILURE: 1210 return INTERNAL_ERROR; 1211 case PEER_WAITING: 1212 /* The client failed immediately before sending the ClientHello */ 1213 return client_spoke_last ? CLIENT_ERROR : INTERNAL_ERROR; 1214 case PEER_SUCCESS: 1215 /* First peer succeeded but second peer errored. */ 1216 return client_spoke_last ? CLIENT_ERROR : SERVER_ERROR; 1217 case PEER_RETRY: 1218 /* We errored; let the peer finish. */ 1219 return HANDSHAKE_RETRY; 1220 case PEER_ERROR: 1221 /* Both peers errored. Return the one that errored first. */ 1222 return client_spoke_last ? SERVER_ERROR : CLIENT_ERROR; 1223 } 1224 } 1225 /* Control should never reach here. */ 1226 return INTERNAL_ERROR; 1227 } 1228 1229 /* Convert unsigned char buf's that shouldn't contain any NUL-bytes to char. */ 1230 static char *dup_str(const unsigned char *in, size_t len) 1231 { 1232 char *ret = NULL; 1233 1234 if (len == 0) 1235 return NULL; 1236 1237 /* Assert that the string does not contain NUL-bytes. */ 1238 if (TEST_size_t_eq(OPENSSL_strnlen((const char*)(in), len), len)) 1239 TEST_ptr(ret = OPENSSL_strndup((const char*)(in), len)); 1240 return ret; 1241 } 1242 1243 static int pkey_type(EVP_PKEY *pkey) 1244 { 1245 if (EVP_PKEY_is_a(pkey, "EC")) { 1246 char name[80]; 1247 size_t name_len; 1248 1249 if (!EVP_PKEY_get_group_name(pkey, name, sizeof(name), &name_len)) 1250 return NID_undef; 1251 return OBJ_txt2nid(name); 1252 } 1253 return EVP_PKEY_get_id(pkey); 1254 } 1255 1256 static int peer_pkey_type(SSL *s) 1257 { 1258 X509 *x = SSL_get0_peer_certificate(s); 1259 1260 if (x != NULL) 1261 return pkey_type(X509_get0_pubkey(x)); 1262 return NID_undef; 1263 } 1264 1265 #if !defined(OPENSSL_NO_SCTP) && !defined(OPENSSL_NO_SOCK) 1266 static int set_sock_as_sctp(int sock) 1267 { 1268 struct sctp_assocparams assocparams; 1269 struct sctp_rtoinfo rto_info; 1270 BIO *tmpbio; 1271 1272 /* 1273 * To allow tests to fail fast (within a second or so), reduce the 1274 * retransmission timeouts and the number of retransmissions. 1275 */ 1276 memset(&rto_info, 0, sizeof(struct sctp_rtoinfo)); 1277 rto_info.srto_initial = 100; 1278 rto_info.srto_max = 200; 1279 rto_info.srto_min = 50; 1280 (void)setsockopt(sock, IPPROTO_SCTP, SCTP_RTOINFO, 1281 (const void *)&rto_info, sizeof(struct sctp_rtoinfo)); 1282 memset(&assocparams, 0, sizeof(struct sctp_assocparams)); 1283 assocparams.sasoc_asocmaxrxt = 2; 1284 (void)setsockopt(sock, IPPROTO_SCTP, SCTP_ASSOCINFO, 1285 (const void *)&assocparams, 1286 sizeof(struct sctp_assocparams)); 1287 1288 /* 1289 * For SCTP we have to set various options on the socket prior to 1290 * connecting. This is done automatically by BIO_new_dgram_sctp(). 1291 * We don't actually need the created BIO though so we free it again 1292 * immediately. 1293 */ 1294 tmpbio = BIO_new_dgram_sctp(sock, BIO_NOCLOSE); 1295 1296 if (tmpbio == NULL) 1297 return 0; 1298 BIO_free(tmpbio); 1299 1300 return 1; 1301 } 1302 1303 static int create_sctp_socks(int *ssock, int *csock) 1304 { 1305 BIO_ADDRINFO *res = NULL; 1306 const BIO_ADDRINFO *ai = NULL; 1307 int lsock = INVALID_SOCKET, asock = INVALID_SOCKET; 1308 int consock = INVALID_SOCKET; 1309 int ret = 0; 1310 int family = 0; 1311 1312 if (BIO_sock_init() != 1) 1313 return 0; 1314 1315 /* 1316 * Port is 4463. It could be anything. It will fail if it's already being 1317 * used for some other SCTP service. It seems unlikely though so we don't 1318 * worry about it here. 1319 */ 1320 if (!BIO_lookup_ex(NULL, "4463", BIO_LOOKUP_SERVER, family, SOCK_STREAM, 1321 IPPROTO_SCTP, &res)) 1322 return 0; 1323 1324 for (ai = res; ai != NULL; ai = BIO_ADDRINFO_next(ai)) { 1325 family = BIO_ADDRINFO_family(ai); 1326 lsock = BIO_socket(family, SOCK_STREAM, IPPROTO_SCTP, 0); 1327 if (lsock == INVALID_SOCKET) { 1328 /* Maybe the kernel doesn't support the socket family, even if 1329 * BIO_lookup() added it in the returned result... 1330 */ 1331 continue; 1332 } 1333 1334 if (!set_sock_as_sctp(lsock) 1335 || !BIO_listen(lsock, BIO_ADDRINFO_address(ai), 1336 BIO_SOCK_REUSEADDR)) { 1337 BIO_closesocket(lsock); 1338 lsock = INVALID_SOCKET; 1339 continue; 1340 } 1341 1342 /* Success, don't try any more addresses */ 1343 break; 1344 } 1345 1346 if (lsock == INVALID_SOCKET) 1347 goto err; 1348 1349 BIO_ADDRINFO_free(res); 1350 res = NULL; 1351 1352 if (!BIO_lookup_ex(NULL, "4463", BIO_LOOKUP_CLIENT, family, SOCK_STREAM, 1353 IPPROTO_SCTP, &res)) 1354 goto err; 1355 1356 consock = BIO_socket(family, SOCK_STREAM, IPPROTO_SCTP, 0); 1357 if (consock == INVALID_SOCKET) 1358 goto err; 1359 1360 if (!set_sock_as_sctp(consock) 1361 || !BIO_connect(consock, BIO_ADDRINFO_address(res), 0) 1362 || !BIO_socket_nbio(consock, 1)) 1363 goto err; 1364 1365 asock = BIO_accept_ex(lsock, NULL, BIO_SOCK_NONBLOCK); 1366 if (asock == INVALID_SOCKET) 1367 goto err; 1368 1369 *csock = consock; 1370 *ssock = asock; 1371 consock = asock = INVALID_SOCKET; 1372 ret = 1; 1373 1374 err: 1375 BIO_ADDRINFO_free(res); 1376 if (consock != INVALID_SOCKET) 1377 BIO_closesocket(consock); 1378 if (lsock != INVALID_SOCKET) 1379 BIO_closesocket(lsock); 1380 if (asock != INVALID_SOCKET) 1381 BIO_closesocket(asock); 1382 return ret; 1383 } 1384 #endif 1385 1386 /* 1387 * Note that |extra| points to the correct client/server configuration 1388 * within |test_ctx|. When configuring the handshake, general mode settings 1389 * are taken from |test_ctx|, and client/server-specific settings should be 1390 * taken from |extra|. 1391 * 1392 * The configuration code should never reach into |test_ctx->extra| or 1393 * |test_ctx->resume_extra| directly. 1394 * 1395 * (We could refactor test mode settings into a substructure. This would result 1396 * in cleaner argument passing but would complicate the test configuration 1397 * parsing.) 1398 */ 1399 static HANDSHAKE_RESULT *do_handshake_internal( 1400 SSL_CTX *server_ctx, SSL_CTX *server2_ctx, SSL_CTX *client_ctx, 1401 const SSL_TEST_CTX *test_ctx, const SSL_TEST_EXTRA_CONF *extra, 1402 SSL_SESSION *session_in, SSL_SESSION *serv_sess_in, 1403 SSL_SESSION **session_out, SSL_SESSION **serv_sess_out) 1404 { 1405 PEER server, client; 1406 BIO *client_to_server = NULL, *server_to_client = NULL; 1407 HANDSHAKE_EX_DATA server_ex_data, client_ex_data; 1408 CTX_DATA client_ctx_data, server_ctx_data, server2_ctx_data; 1409 HANDSHAKE_RESULT *ret = HANDSHAKE_RESULT_new(); 1410 int client_turn = 1, client_turn_count = 0, client_wait_count = 0; 1411 connect_phase_t phase = HANDSHAKE; 1412 handshake_status_t status = HANDSHAKE_RETRY; 1413 const unsigned char* tick = NULL; 1414 size_t tick_len = 0; 1415 const unsigned char* sess_id = NULL; 1416 unsigned int sess_id_len = 0; 1417 SSL_SESSION* sess = NULL; 1418 const unsigned char *proto = NULL; 1419 /* API dictates unsigned int rather than size_t. */ 1420 unsigned int proto_len = 0; 1421 EVP_PKEY *tmp_key; 1422 const STACK_OF(X509_NAME) *names; 1423 time_t start; 1424 const char* cipher; 1425 1426 if (ret == NULL) 1427 return NULL; 1428 1429 memset(&server_ctx_data, 0, sizeof(server_ctx_data)); 1430 memset(&server2_ctx_data, 0, sizeof(server2_ctx_data)); 1431 memset(&client_ctx_data, 0, sizeof(client_ctx_data)); 1432 memset(&server, 0, sizeof(server)); 1433 memset(&client, 0, sizeof(client)); 1434 memset(&server_ex_data, 0, sizeof(server_ex_data)); 1435 memset(&client_ex_data, 0, sizeof(client_ex_data)); 1436 1437 if (!configure_handshake_ctx(server_ctx, server2_ctx, client_ctx, 1438 test_ctx, extra, &server_ctx_data, 1439 &server2_ctx_data, &client_ctx_data)) { 1440 TEST_note("configure_handshake_ctx"); 1441 HANDSHAKE_RESULT_free(ret); 1442 return NULL; 1443 } 1444 1445 #if !defined(OPENSSL_NO_SCTP) && !defined(OPENSSL_NO_SOCK) 1446 if (test_ctx->enable_client_sctp_label_bug) 1447 SSL_CTX_set_mode(client_ctx, SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG); 1448 if (test_ctx->enable_server_sctp_label_bug) 1449 SSL_CTX_set_mode(server_ctx, SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG); 1450 #endif 1451 1452 /* Setup SSL and buffers; additional configuration happens below. */ 1453 if (!create_peer(&server, server_ctx)) { 1454 TEST_note("creating server context"); 1455 goto err; 1456 } 1457 if (!create_peer(&client, client_ctx)) { 1458 TEST_note("creating client context"); 1459 goto err; 1460 } 1461 1462 server.bytes_to_write = client.bytes_to_read = test_ctx->app_data_size; 1463 client.bytes_to_write = server.bytes_to_read = test_ctx->app_data_size; 1464 1465 configure_handshake_ssl(server.ssl, client.ssl, extra); 1466 if (session_in != NULL) { 1467 SSL_SESSION_get_id(serv_sess_in, &sess_id_len); 1468 /* In case we're testing resumption without tickets. */ 1469 if ((sess_id_len > 0 1470 && !TEST_true(SSL_CTX_add_session(server_ctx, 1471 serv_sess_in))) 1472 || !TEST_true(SSL_set_session(client.ssl, session_in))) 1473 goto err; 1474 sess_id_len = 0; 1475 } 1476 1477 ret->result = SSL_TEST_INTERNAL_ERROR; 1478 1479 if (test_ctx->use_sctp) { 1480 #if !defined(OPENSSL_NO_SCTP) && !defined(OPENSSL_NO_SOCK) 1481 int csock, ssock; 1482 1483 if (create_sctp_socks(&ssock, &csock)) { 1484 client_to_server = BIO_new_dgram_sctp(csock, BIO_CLOSE); 1485 server_to_client = BIO_new_dgram_sctp(ssock, BIO_CLOSE); 1486 } 1487 #endif 1488 } else { 1489 client_to_server = BIO_new(BIO_s_mem()); 1490 server_to_client = BIO_new(BIO_s_mem()); 1491 } 1492 1493 if (!TEST_ptr(client_to_server) 1494 || !TEST_ptr(server_to_client)) 1495 goto err; 1496 1497 /* Non-blocking bio. */ 1498 BIO_set_nbio(client_to_server, 1); 1499 BIO_set_nbio(server_to_client, 1); 1500 1501 SSL_set_connect_state(client.ssl); 1502 SSL_set_accept_state(server.ssl); 1503 1504 /* The bios are now owned by the SSL object. */ 1505 if (test_ctx->use_sctp) { 1506 SSL_set_bio(client.ssl, client_to_server, client_to_server); 1507 SSL_set_bio(server.ssl, server_to_client, server_to_client); 1508 } else { 1509 SSL_set_bio(client.ssl, server_to_client, client_to_server); 1510 if (!TEST_int_gt(BIO_up_ref(server_to_client), 0) 1511 || !TEST_int_gt(BIO_up_ref(client_to_server), 0)) 1512 goto err; 1513 SSL_set_bio(server.ssl, client_to_server, server_to_client); 1514 } 1515 1516 ex_data_idx = SSL_get_ex_new_index(0, "ex data", NULL, NULL, NULL); 1517 if (!TEST_int_ge(ex_data_idx, 0) 1518 || !TEST_int_eq(SSL_set_ex_data(server.ssl, ex_data_idx, &server_ex_data), 1) 1519 || !TEST_int_eq(SSL_set_ex_data(client.ssl, ex_data_idx, &client_ex_data), 1)) 1520 goto err; 1521 1522 SSL_set_info_callback(server.ssl, &info_cb); 1523 SSL_set_info_callback(client.ssl, &info_cb); 1524 1525 client.status = PEER_RETRY; 1526 server.status = PEER_WAITING; 1527 1528 start = time(NULL); 1529 1530 /* 1531 * Half-duplex handshake loop. 1532 * Client and server speak to each other synchronously in the same process. 1533 * We use non-blocking BIOs, so whenever one peer blocks for read, it 1534 * returns PEER_RETRY to indicate that it's the other peer's turn to write. 1535 * The handshake succeeds once both peers have succeeded. If one peer 1536 * errors out, we also let the other peer retry (and presumably fail). 1537 */ 1538 for(;;) { 1539 if (client_turn) { 1540 do_connect_step(test_ctx, &client, phase); 1541 status = handshake_status(client.status, server.status, 1542 1 /* client went last */); 1543 if (server.status == PEER_WAITING) 1544 server.status = PEER_RETRY; 1545 } else { 1546 do_connect_step(test_ctx, &server, phase); 1547 status = handshake_status(server.status, client.status, 1548 0 /* server went last */); 1549 } 1550 1551 switch (status) { 1552 case HANDSHAKE_SUCCESS: 1553 client_turn_count = 0; 1554 phase = next_phase(test_ctx, phase); 1555 if (phase == CONNECTION_DONE) { 1556 ret->result = SSL_TEST_SUCCESS; 1557 goto err; 1558 } else { 1559 client.status = server.status = PEER_RETRY; 1560 /* 1561 * For now, client starts each phase. Since each phase is 1562 * started separately, we can later control this more 1563 * precisely, for example, to test client-initiated and 1564 * server-initiated shutdown. 1565 */ 1566 client_turn = 1; 1567 break; 1568 } 1569 case CLIENT_ERROR: 1570 ret->result = SSL_TEST_CLIENT_FAIL; 1571 goto err; 1572 case SERVER_ERROR: 1573 ret->result = SSL_TEST_SERVER_FAIL; 1574 goto err; 1575 case INTERNAL_ERROR: 1576 ret->result = SSL_TEST_INTERNAL_ERROR; 1577 goto err; 1578 case HANDSHAKE_RETRY: 1579 if (test_ctx->use_sctp) { 1580 if (time(NULL) - start > 3) { 1581 /* 1582 * We've waited for too long. Give up. 1583 */ 1584 ret->result = SSL_TEST_INTERNAL_ERROR; 1585 goto err; 1586 } 1587 /* 1588 * With "real" sockets we only swap to processing the peer 1589 * if they are expecting to retry. Otherwise we just retry the 1590 * same endpoint again. 1591 */ 1592 if ((client_turn && server.status == PEER_RETRY) 1593 || (!client_turn && client.status == PEER_RETRY)) 1594 client_turn ^= 1; 1595 } else { 1596 if (client_turn_count++ >= 2000) { 1597 /* 1598 * At this point, there's been so many PEER_RETRY in a row 1599 * that it's likely both sides are stuck waiting for a read. 1600 * It's time to give up. 1601 */ 1602 ret->result = SSL_TEST_INTERNAL_ERROR; 1603 goto err; 1604 } 1605 if (client_turn && server.status == PEER_SUCCESS) { 1606 /* 1607 * The server may finish before the client because the 1608 * client spends some turns processing NewSessionTickets. 1609 */ 1610 if (client_wait_count++ >= 2) { 1611 ret->result = SSL_TEST_INTERNAL_ERROR; 1612 goto err; 1613 } 1614 } else { 1615 /* Continue. */ 1616 client_turn ^= 1; 1617 } 1618 } 1619 break; 1620 } 1621 } 1622 err: 1623 ret->server_alert_sent = server_ex_data.alert_sent; 1624 ret->server_num_fatal_alerts_sent = server_ex_data.num_fatal_alerts_sent; 1625 ret->server_alert_received = client_ex_data.alert_received; 1626 ret->client_alert_sent = client_ex_data.alert_sent; 1627 ret->client_num_fatal_alerts_sent = client_ex_data.num_fatal_alerts_sent; 1628 ret->client_alert_received = server_ex_data.alert_received; 1629 ret->server_protocol = SSL_version(server.ssl); 1630 ret->client_protocol = SSL_version(client.ssl); 1631 ret->servername = server_ex_data.servername; 1632 if ((sess = SSL_get0_session(client.ssl)) != NULL) { 1633 SSL_SESSION_get0_ticket(sess, &tick, &tick_len); 1634 sess_id = SSL_SESSION_get_id(sess, &sess_id_len); 1635 } 1636 if (tick == NULL || tick_len == 0) 1637 ret->session_ticket = SSL_TEST_SESSION_TICKET_NO; 1638 else 1639 ret->session_ticket = SSL_TEST_SESSION_TICKET_YES; 1640 ret->compression = (SSL_get_current_compression(client.ssl) == NULL) 1641 ? SSL_TEST_COMPRESSION_NO 1642 : SSL_TEST_COMPRESSION_YES; 1643 if (sess_id == NULL || sess_id_len == 0) 1644 ret->session_id = SSL_TEST_SESSION_ID_NO; 1645 else 1646 ret->session_id = SSL_TEST_SESSION_ID_YES; 1647 ret->session_ticket_do_not_call = server_ex_data.session_ticket_do_not_call; 1648 1649 if (extra->client.verify_callback == SSL_TEST_VERIFY_RETRY_ONCE 1650 && n_retries != -1) 1651 ret->result = SSL_TEST_SERVER_FAIL; 1652 1653 #ifndef OPENSSL_NO_NEXTPROTONEG 1654 SSL_get0_next_proto_negotiated(client.ssl, &proto, &proto_len); 1655 ret->client_npn_negotiated = dup_str(proto, proto_len); 1656 1657 SSL_get0_next_proto_negotiated(server.ssl, &proto, &proto_len); 1658 ret->server_npn_negotiated = dup_str(proto, proto_len); 1659 #endif 1660 1661 SSL_get0_alpn_selected(client.ssl, &proto, &proto_len); 1662 ret->client_alpn_negotiated = dup_str(proto, proto_len); 1663 1664 SSL_get0_alpn_selected(server.ssl, &proto, &proto_len); 1665 ret->server_alpn_negotiated = dup_str(proto, proto_len); 1666 1667 if ((sess = SSL_get0_session(server.ssl)) != NULL) { 1668 SSL_SESSION_get0_ticket_appdata(sess, (void**)&tick, &tick_len); 1669 ret->result_session_ticket_app_data = OPENSSL_strndup((const char*)tick, tick_len); 1670 } 1671 1672 ret->client_resumed = SSL_session_reused(client.ssl); 1673 ret->server_resumed = SSL_session_reused(server.ssl); 1674 1675 cipher = SSL_CIPHER_get_name(SSL_get_current_cipher(client.ssl)); 1676 ret->cipher = dup_str((const unsigned char*)cipher, strlen(cipher)); 1677 1678 if (session_out != NULL) 1679 *session_out = SSL_get1_session(client.ssl); 1680 if (serv_sess_out != NULL) { 1681 SSL_SESSION *tmp = SSL_get_session(server.ssl); 1682 1683 /* 1684 * We create a fresh copy that is not in the server session ctx linked 1685 * list. 1686 */ 1687 if (tmp != NULL) 1688 *serv_sess_out = SSL_SESSION_dup(tmp); 1689 } 1690 1691 if (SSL_get_peer_tmp_key(client.ssl, &tmp_key)) { 1692 ret->tmp_key_type = pkey_type(tmp_key); 1693 EVP_PKEY_free(tmp_key); 1694 } 1695 1696 SSL_get_peer_signature_nid(client.ssl, &ret->server_sign_hash); 1697 SSL_get_peer_signature_nid(server.ssl, &ret->client_sign_hash); 1698 1699 SSL_get_peer_signature_type_nid(client.ssl, &ret->server_sign_type); 1700 SSL_get_peer_signature_type_nid(server.ssl, &ret->client_sign_type); 1701 1702 names = SSL_get0_peer_CA_list(client.ssl); 1703 if (names == NULL) 1704 ret->client_ca_names = NULL; 1705 else 1706 ret->client_ca_names = SSL_dup_CA_list(names); 1707 1708 names = SSL_get0_peer_CA_list(server.ssl); 1709 if (names == NULL) 1710 ret->server_ca_names = NULL; 1711 else 1712 ret->server_ca_names = SSL_dup_CA_list(names); 1713 1714 ret->server_cert_type = peer_pkey_type(client.ssl); 1715 ret->client_cert_type = peer_pkey_type(server.ssl); 1716 1717 ctx_data_free_data(&server_ctx_data); 1718 ctx_data_free_data(&server2_ctx_data); 1719 ctx_data_free_data(&client_ctx_data); 1720 1721 peer_free_data(&server); 1722 peer_free_data(&client); 1723 return ret; 1724 } 1725 1726 HANDSHAKE_RESULT *do_handshake(SSL_CTX *server_ctx, SSL_CTX *server2_ctx, 1727 SSL_CTX *client_ctx, SSL_CTX *resume_server_ctx, 1728 SSL_CTX *resume_client_ctx, 1729 const SSL_TEST_CTX *test_ctx) 1730 { 1731 HANDSHAKE_RESULT *result; 1732 SSL_SESSION *session = NULL, *serv_sess = NULL; 1733 1734 result = do_handshake_internal(server_ctx, server2_ctx, client_ctx, 1735 test_ctx, &test_ctx->extra, 1736 NULL, NULL, &session, &serv_sess); 1737 if (result == NULL 1738 || test_ctx->handshake_mode != SSL_TEST_HANDSHAKE_RESUME 1739 || result->result == SSL_TEST_INTERNAL_ERROR) 1740 goto end; 1741 1742 if (result->result != SSL_TEST_SUCCESS) { 1743 result->result = SSL_TEST_FIRST_HANDSHAKE_FAILED; 1744 goto end; 1745 } 1746 1747 HANDSHAKE_RESULT_free(result); 1748 /* We don't support SNI on second handshake yet, so server2_ctx is NULL. */ 1749 result = do_handshake_internal(resume_server_ctx, NULL, resume_client_ctx, 1750 test_ctx, &test_ctx->resume_extra, 1751 session, serv_sess, NULL, NULL); 1752 end: 1753 SSL_SESSION_free(session); 1754 SSL_SESSION_free(serv_sess); 1755 return result; 1756 } 1757