1 /* 2 * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <string.h> 11 12 #include <openssl/bio.h> 13 #include <openssl/x509_vfy.h> 14 #include <openssl/ssl.h> 15 #include <openssl/core_names.h> 16 17 #include "../../ssl/ssl_local.h" 18 #include "internal/sockets.h" 19 #include "internal/nelem.h" 20 #include "handshake.h" 21 #include "../testutil.h" 22 23 #if !defined(OPENSSL_NO_SCTP) && !defined(OPENSSL_NO_SOCK) 24 #include <netinet/sctp.h> 25 #endif 26 27 HANDSHAKE_RESULT *HANDSHAKE_RESULT_new(void) 28 { 29 HANDSHAKE_RESULT *ret; 30 31 TEST_ptr(ret = OPENSSL_zalloc(sizeof(*ret))); 32 return ret; 33 } 34 35 void HANDSHAKE_RESULT_free(HANDSHAKE_RESULT *result) 36 { 37 if (result == NULL) 38 return; 39 OPENSSL_free(result->client_npn_negotiated); 40 OPENSSL_free(result->server_npn_negotiated); 41 OPENSSL_free(result->client_alpn_negotiated); 42 OPENSSL_free(result->server_alpn_negotiated); 43 OPENSSL_free(result->result_session_ticket_app_data); 44 sk_X509_NAME_pop_free(result->server_ca_names, X509_NAME_free); 45 sk_X509_NAME_pop_free(result->client_ca_names, X509_NAME_free); 46 OPENSSL_free(result->cipher); 47 OPENSSL_free(result); 48 } 49 50 /* 51 * Since there appears to be no way to extract the sent/received alert 52 * from the SSL object directly, we use the info callback and stash 53 * the result in ex_data. 54 */ 55 typedef struct handshake_ex_data_st { 56 int alert_sent; 57 int num_fatal_alerts_sent; 58 int alert_received; 59 int session_ticket_do_not_call; 60 ssl_servername_t servername; 61 } HANDSHAKE_EX_DATA; 62 63 /* |ctx_data| itself is stack-allocated. */ 64 static void ctx_data_free_data(CTX_DATA *ctx_data) 65 { 66 OPENSSL_free(ctx_data->npn_protocols); 67 ctx_data->npn_protocols = NULL; 68 OPENSSL_free(ctx_data->alpn_protocols); 69 ctx_data->alpn_protocols = NULL; 70 OPENSSL_free(ctx_data->srp_user); 71 ctx_data->srp_user = NULL; 72 OPENSSL_free(ctx_data->srp_password); 73 ctx_data->srp_password = NULL; 74 OPENSSL_free(ctx_data->session_ticket_app_data); 75 ctx_data->session_ticket_app_data = NULL; 76 } 77 78 static int ex_data_idx; 79 80 static void info_cb(const SSL *s, int where, int ret) 81 { 82 if (where & SSL_CB_ALERT) { 83 HANDSHAKE_EX_DATA *ex_data = 84 (HANDSHAKE_EX_DATA*)(SSL_get_ex_data(s, ex_data_idx)); 85 if (where & SSL_CB_WRITE) { 86 ex_data->alert_sent = ret; 87 if (strcmp(SSL_alert_type_string(ret), "F") == 0 88 || strcmp(SSL_alert_desc_string(ret), "CN") == 0) 89 ex_data->num_fatal_alerts_sent++; 90 } else { 91 ex_data->alert_received = ret; 92 } 93 } 94 } 95 96 /* Select the appropriate server CTX. 97 * Returns SSL_TLSEXT_ERR_OK if a match was found. 98 * If |ignore| is 1, returns SSL_TLSEXT_ERR_NOACK on mismatch. 99 * Otherwise, returns SSL_TLSEXT_ERR_ALERT_FATAL on mismatch. 100 * An empty SNI extension also returns SSL_TSLEXT_ERR_NOACK. 101 */ 102 static int select_server_ctx(SSL *s, void *arg, int ignore) 103 { 104 const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name); 105 HANDSHAKE_EX_DATA *ex_data = 106 (HANDSHAKE_EX_DATA*)(SSL_get_ex_data(s, ex_data_idx)); 107 108 if (servername == NULL) { 109 ex_data->servername = SSL_TEST_SERVERNAME_SERVER1; 110 return SSL_TLSEXT_ERR_NOACK; 111 } 112 113 if (strcmp(servername, "server2") == 0) { 114 SSL_CTX *new_ctx = (SSL_CTX*)arg; 115 SSL_set_SSL_CTX(s, new_ctx); 116 /* 117 * Copy over all the SSL_CTX options - reasonable behavior 118 * allows testing of cases where the options between two 119 * contexts differ/conflict 120 */ 121 SSL_clear_options(s, 0xFFFFFFFFL); 122 SSL_set_options(s, SSL_CTX_get_options(new_ctx)); 123 124 ex_data->servername = SSL_TEST_SERVERNAME_SERVER2; 125 return SSL_TLSEXT_ERR_OK; 126 } else if (strcmp(servername, "server1") == 0) { 127 ex_data->servername = SSL_TEST_SERVERNAME_SERVER1; 128 return SSL_TLSEXT_ERR_OK; 129 } else if (ignore) { 130 ex_data->servername = SSL_TEST_SERVERNAME_SERVER1; 131 return SSL_TLSEXT_ERR_NOACK; 132 } else { 133 /* Don't set an explicit alert, to test library defaults. */ 134 return SSL_TLSEXT_ERR_ALERT_FATAL; 135 } 136 } 137 138 static int client_hello_select_server_ctx(SSL *s, void *arg, int ignore) 139 { 140 const char *servername; 141 const unsigned char *p; 142 size_t len, remaining; 143 HANDSHAKE_EX_DATA *ex_data = 144 (HANDSHAKE_EX_DATA*)(SSL_get_ex_data(s, ex_data_idx)); 145 146 /* 147 * The server_name extension was given too much extensibility when it 148 * was written, so parsing the normal case is a bit complex. 149 */ 150 if (!SSL_client_hello_get0_ext(s, TLSEXT_TYPE_server_name, &p, 151 &remaining) || 152 remaining <= 2) 153 return 0; 154 /* Extract the length of the supplied list of names. */ 155 len = (*(p++) << 8); 156 len += *(p++); 157 if (len + 2 != remaining) 158 return 0; 159 remaining = len; 160 /* 161 * The list in practice only has a single element, so we only consider 162 * the first one. 163 */ 164 if (remaining == 0 || *p++ != TLSEXT_NAMETYPE_host_name) 165 return 0; 166 remaining--; 167 /* Now we can finally pull out the byte array with the actual hostname. */ 168 if (remaining <= 2) 169 return 0; 170 len = (*(p++) << 8); 171 len += *(p++); 172 if (len + 2 > remaining) 173 return 0; 174 remaining = len; 175 servername = (const char *)p; 176 177 if (len == strlen("server2") && strncmp(servername, "server2", len) == 0) { 178 SSL_CTX *new_ctx = arg; 179 SSL_set_SSL_CTX(s, new_ctx); 180 /* 181 * Copy over all the SSL_CTX options - reasonable behavior 182 * allows testing of cases where the options between two 183 * contexts differ/conflict 184 */ 185 SSL_clear_options(s, 0xFFFFFFFFL); 186 SSL_set_options(s, SSL_CTX_get_options(new_ctx)); 187 188 ex_data->servername = SSL_TEST_SERVERNAME_SERVER2; 189 return 1; 190 } else if (len == strlen("server1") && 191 strncmp(servername, "server1", len) == 0) { 192 ex_data->servername = SSL_TEST_SERVERNAME_SERVER1; 193 return 1; 194 } else if (ignore) { 195 ex_data->servername = SSL_TEST_SERVERNAME_SERVER1; 196 return 1; 197 } 198 return 0; 199 } 200 /* 201 * (RFC 6066): 202 * If the server understood the ClientHello extension but 203 * does not recognize the server name, the server SHOULD take one of two 204 * actions: either abort the handshake by sending a fatal-level 205 * unrecognized_name(112) alert or continue the handshake. 206 * 207 * This behaviour is up to the application to configure; we test both 208 * configurations to ensure the state machine propagates the result 209 * correctly. 210 */ 211 static int servername_ignore_cb(SSL *s, int *ad, void *arg) 212 { 213 return select_server_ctx(s, arg, 1); 214 } 215 216 static int servername_reject_cb(SSL *s, int *ad, void *arg) 217 { 218 return select_server_ctx(s, arg, 0); 219 } 220 221 static int client_hello_ignore_cb(SSL *s, int *al, void *arg) 222 { 223 if (!client_hello_select_server_ctx(s, arg, 1)) { 224 *al = SSL_AD_UNRECOGNIZED_NAME; 225 return SSL_CLIENT_HELLO_ERROR; 226 } 227 return SSL_CLIENT_HELLO_SUCCESS; 228 } 229 230 static int client_hello_reject_cb(SSL *s, int *al, void *arg) 231 { 232 if (!client_hello_select_server_ctx(s, arg, 0)) { 233 *al = SSL_AD_UNRECOGNIZED_NAME; 234 return SSL_CLIENT_HELLO_ERROR; 235 } 236 return SSL_CLIENT_HELLO_SUCCESS; 237 } 238 239 static int client_hello_nov12_cb(SSL *s, int *al, void *arg) 240 { 241 int ret; 242 unsigned int v; 243 const unsigned char *p; 244 245 v = SSL_client_hello_get0_legacy_version(s); 246 if (v > TLS1_2_VERSION || v < SSL3_VERSION) { 247 *al = SSL_AD_PROTOCOL_VERSION; 248 return SSL_CLIENT_HELLO_ERROR; 249 } 250 (void)SSL_client_hello_get0_session_id(s, &p); 251 if (p == NULL || 252 SSL_client_hello_get0_random(s, &p) == 0 || 253 SSL_client_hello_get0_ciphers(s, &p) == 0 || 254 SSL_client_hello_get0_compression_methods(s, &p) == 0) { 255 *al = SSL_AD_INTERNAL_ERROR; 256 return SSL_CLIENT_HELLO_ERROR; 257 } 258 ret = client_hello_select_server_ctx(s, arg, 0); 259 SSL_set_max_proto_version(s, TLS1_1_VERSION); 260 if (!ret) { 261 *al = SSL_AD_UNRECOGNIZED_NAME; 262 return SSL_CLIENT_HELLO_ERROR; 263 } 264 return SSL_CLIENT_HELLO_SUCCESS; 265 } 266 267 static unsigned char dummy_ocsp_resp_good_val = 0xff; 268 static unsigned char dummy_ocsp_resp_bad_val = 0xfe; 269 270 static int server_ocsp_cb(SSL *s, void *arg) 271 { 272 unsigned char *resp; 273 274 resp = OPENSSL_malloc(1); 275 if (resp == NULL) 276 return SSL_TLSEXT_ERR_ALERT_FATAL; 277 /* 278 * For the purposes of testing we just send back a dummy OCSP response 279 */ 280 *resp = *(unsigned char *)arg; 281 if (!SSL_set_tlsext_status_ocsp_resp(s, resp, 1)) { 282 OPENSSL_free(resp); 283 return SSL_TLSEXT_ERR_ALERT_FATAL; 284 } 285 286 return SSL_TLSEXT_ERR_OK; 287 } 288 289 static int client_ocsp_cb(SSL *s, void *arg) 290 { 291 const unsigned char *resp; 292 int len; 293 294 len = SSL_get_tlsext_status_ocsp_resp(s, &resp); 295 if (len != 1 || *resp != dummy_ocsp_resp_good_val) 296 return 0; 297 298 return 1; 299 } 300 301 static int verify_reject_cb(X509_STORE_CTX *ctx, void *arg) { 302 X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION); 303 return 0; 304 } 305 306 static int n_retries = 0; 307 static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg) { 308 int idx = SSL_get_ex_data_X509_STORE_CTX_idx(); 309 SSL *ssl; 310 311 /* this should not happen but check anyway */ 312 if (idx < 0 313 || (ssl = X509_STORE_CTX_get_ex_data(ctx, idx)) == NULL) 314 return 0; 315 316 if (--n_retries < 0) 317 return 1; 318 319 return SSL_set_retry_verify(ssl); 320 } 321 322 static int verify_accept_cb(X509_STORE_CTX *ctx, void *arg) { 323 return 1; 324 } 325 326 static int broken_session_ticket_cb(SSL *s, unsigned char *key_name, 327 unsigned char *iv, EVP_CIPHER_CTX *ctx, 328 EVP_MAC_CTX *hctx, int enc) 329 { 330 return 0; 331 } 332 333 static int do_not_call_session_ticket_cb(SSL *s, unsigned char *key_name, 334 unsigned char *iv, 335 EVP_CIPHER_CTX *ctx, 336 EVP_MAC_CTX *hctx, int enc) 337 { 338 HANDSHAKE_EX_DATA *ex_data = 339 (HANDSHAKE_EX_DATA*)(SSL_get_ex_data(s, ex_data_idx)); 340 ex_data->session_ticket_do_not_call = 1; 341 return 0; 342 } 343 344 /* Parse the comma-separated list into TLS format. */ 345 static int parse_protos(const char *protos, unsigned char **out, size_t *outlen) 346 { 347 size_t len, i, prefix; 348 349 len = strlen(protos); 350 351 /* Should never have reuse. */ 352 if (!TEST_ptr_null(*out) 353 /* Test values are small, so we omit length limit checks. */ 354 || !TEST_ptr(*out = OPENSSL_malloc(len + 1))) 355 return 0; 356 *outlen = len + 1; 357 358 /* 359 * foo => '3', 'f', 'o', 'o' 360 * foo,bar => '3', 'f', 'o', 'o', '3', 'b', 'a', 'r' 361 */ 362 memcpy(*out + 1, protos, len); 363 364 prefix = 0; 365 i = prefix + 1; 366 while (i <= len) { 367 if ((*out)[i] == ',') { 368 if (!TEST_int_gt(i - 1, prefix)) 369 goto err; 370 (*out)[prefix] = (unsigned char)(i - 1 - prefix); 371 prefix = i; 372 } 373 i++; 374 } 375 if (!TEST_int_gt(len, prefix)) 376 goto err; 377 (*out)[prefix] = (unsigned char)(len - prefix); 378 return 1; 379 380 err: 381 OPENSSL_free(*out); 382 *out = NULL; 383 return 0; 384 } 385 386 #ifndef OPENSSL_NO_NEXTPROTONEG 387 /* 388 * The client SHOULD select the first protocol advertised by the server that it 389 * also supports. In the event that the client doesn't support any of server's 390 * protocols, or the server doesn't advertise any, it SHOULD select the first 391 * protocol that it supports. 392 */ 393 static int client_npn_cb(SSL *s, unsigned char **out, unsigned char *outlen, 394 const unsigned char *in, unsigned int inlen, 395 void *arg) 396 { 397 CTX_DATA *ctx_data = (CTX_DATA*)(arg); 398 int ret; 399 400 ret = SSL_select_next_proto(out, outlen, in, inlen, 401 ctx_data->npn_protocols, 402 ctx_data->npn_protocols_len); 403 /* Accept both OPENSSL_NPN_NEGOTIATED and OPENSSL_NPN_NO_OVERLAP. */ 404 return TEST_true(ret == OPENSSL_NPN_NEGOTIATED || ret == OPENSSL_NPN_NO_OVERLAP) 405 ? SSL_TLSEXT_ERR_OK : SSL_TLSEXT_ERR_ALERT_FATAL; 406 } 407 408 static int server_npn_cb(SSL *s, const unsigned char **data, 409 unsigned int *len, void *arg) 410 { 411 CTX_DATA *ctx_data = (CTX_DATA*)(arg); 412 *data = ctx_data->npn_protocols; 413 *len = ctx_data->npn_protocols_len; 414 return SSL_TLSEXT_ERR_OK; 415 } 416 #endif 417 418 /* 419 * The server SHOULD select the most highly preferred protocol that it supports 420 * and that is also advertised by the client. In the event that the server 421 * supports no protocols that the client advertises, then the server SHALL 422 * respond with a fatal "no_application_protocol" alert. 423 */ 424 static int server_alpn_cb(SSL *s, const unsigned char **out, 425 unsigned char *outlen, const unsigned char *in, 426 unsigned int inlen, void *arg) 427 { 428 CTX_DATA *ctx_data = (CTX_DATA*)(arg); 429 int ret; 430 431 /* SSL_select_next_proto isn't const-correct... */ 432 unsigned char *tmp_out; 433 434 /* 435 * The result points either to |in| or to |ctx_data->alpn_protocols|. 436 * The callback is allowed to point to |in| or to a long-lived buffer, 437 * so we can return directly without storing a copy. 438 */ 439 ret = SSL_select_next_proto(&tmp_out, outlen, 440 ctx_data->alpn_protocols, 441 ctx_data->alpn_protocols_len, in, inlen); 442 443 *out = tmp_out; 444 /* Unlike NPN, we don't tolerate a mismatch. */ 445 return ret == OPENSSL_NPN_NEGOTIATED ? SSL_TLSEXT_ERR_OK 446 : SSL_TLSEXT_ERR_ALERT_FATAL; 447 } 448 449 static int generate_session_ticket_cb(SSL *s, void *arg) 450 { 451 CTX_DATA *server_ctx_data = arg; 452 SSL_SESSION *ss = SSL_get_session(s); 453 char *app_data = server_ctx_data->session_ticket_app_data; 454 455 if (ss == NULL || app_data == NULL) 456 return 0; 457 458 return SSL_SESSION_set1_ticket_appdata(ss, app_data, strlen(app_data)); 459 } 460 461 static int decrypt_session_ticket_cb(SSL *s, SSL_SESSION *ss, 462 const unsigned char *keyname, 463 size_t keyname_len, 464 SSL_TICKET_STATUS status, 465 void *arg) 466 { 467 switch (status) { 468 case SSL_TICKET_EMPTY: 469 case SSL_TICKET_NO_DECRYPT: 470 return SSL_TICKET_RETURN_IGNORE_RENEW; 471 case SSL_TICKET_SUCCESS: 472 return SSL_TICKET_RETURN_USE; 473 case SSL_TICKET_SUCCESS_RENEW: 474 return SSL_TICKET_RETURN_USE_RENEW; 475 default: 476 break; 477 } 478 return SSL_TICKET_RETURN_ABORT; 479 } 480 481 /* 482 * Configure callbacks and other properties that can't be set directly 483 * in the server/client CONF. 484 */ 485 static int configure_handshake_ctx(SSL_CTX *server_ctx, SSL_CTX *server2_ctx, 486 SSL_CTX *client_ctx, 487 const SSL_TEST_CTX *test, 488 const SSL_TEST_EXTRA_CONF *extra, 489 CTX_DATA *server_ctx_data, 490 CTX_DATA *server2_ctx_data, 491 CTX_DATA *client_ctx_data) 492 { 493 unsigned char *ticket_keys; 494 size_t ticket_key_len; 495 496 if (!TEST_int_eq(SSL_CTX_set_max_send_fragment(server_ctx, 497 test->max_fragment_size), 1)) 498 goto err; 499 if (server2_ctx != NULL) { 500 if (!TEST_int_eq(SSL_CTX_set_max_send_fragment(server2_ctx, 501 test->max_fragment_size), 502 1)) 503 goto err; 504 } 505 if (!TEST_int_eq(SSL_CTX_set_max_send_fragment(client_ctx, 506 test->max_fragment_size), 1)) 507 goto err; 508 509 switch (extra->client.verify_callback) { 510 case SSL_TEST_VERIFY_ACCEPT_ALL: 511 SSL_CTX_set_cert_verify_callback(client_ctx, &verify_accept_cb, NULL); 512 break; 513 case SSL_TEST_VERIFY_RETRY_ONCE: 514 n_retries = 1; 515 SSL_CTX_set_cert_verify_callback(client_ctx, &verify_retry_cb, NULL); 516 break; 517 case SSL_TEST_VERIFY_REJECT_ALL: 518 SSL_CTX_set_cert_verify_callback(client_ctx, &verify_reject_cb, NULL); 519 break; 520 case SSL_TEST_VERIFY_NONE: 521 break; 522 } 523 524 switch (extra->client.max_fragment_len_mode) { 525 case TLSEXT_max_fragment_length_512: 526 case TLSEXT_max_fragment_length_1024: 527 case TLSEXT_max_fragment_length_2048: 528 case TLSEXT_max_fragment_length_4096: 529 case TLSEXT_max_fragment_length_DISABLED: 530 SSL_CTX_set_tlsext_max_fragment_length( 531 client_ctx, extra->client.max_fragment_len_mode); 532 break; 533 } 534 535 /* 536 * Link the two contexts for SNI purposes. 537 * Also do ClientHello callbacks here, as setting both ClientHello and SNI 538 * is bad. 539 */ 540 switch (extra->server.servername_callback) { 541 case SSL_TEST_SERVERNAME_IGNORE_MISMATCH: 542 SSL_CTX_set_tlsext_servername_callback(server_ctx, servername_ignore_cb); 543 SSL_CTX_set_tlsext_servername_arg(server_ctx, server2_ctx); 544 break; 545 case SSL_TEST_SERVERNAME_REJECT_MISMATCH: 546 SSL_CTX_set_tlsext_servername_callback(server_ctx, servername_reject_cb); 547 SSL_CTX_set_tlsext_servername_arg(server_ctx, server2_ctx); 548 break; 549 case SSL_TEST_SERVERNAME_CB_NONE: 550 break; 551 case SSL_TEST_SERVERNAME_CLIENT_HELLO_IGNORE_MISMATCH: 552 SSL_CTX_set_client_hello_cb(server_ctx, client_hello_ignore_cb, server2_ctx); 553 break; 554 case SSL_TEST_SERVERNAME_CLIENT_HELLO_REJECT_MISMATCH: 555 SSL_CTX_set_client_hello_cb(server_ctx, client_hello_reject_cb, server2_ctx); 556 break; 557 case SSL_TEST_SERVERNAME_CLIENT_HELLO_NO_V12: 558 SSL_CTX_set_client_hello_cb(server_ctx, client_hello_nov12_cb, server2_ctx); 559 } 560 561 if (extra->server.cert_status != SSL_TEST_CERT_STATUS_NONE) { 562 SSL_CTX_set_tlsext_status_type(client_ctx, TLSEXT_STATUSTYPE_ocsp); 563 SSL_CTX_set_tlsext_status_cb(client_ctx, client_ocsp_cb); 564 SSL_CTX_set_tlsext_status_arg(client_ctx, NULL); 565 SSL_CTX_set_tlsext_status_cb(server_ctx, server_ocsp_cb); 566 SSL_CTX_set_tlsext_status_arg(server_ctx, 567 ((extra->server.cert_status == SSL_TEST_CERT_STATUS_GOOD_RESPONSE) 568 ? &dummy_ocsp_resp_good_val : &dummy_ocsp_resp_bad_val)); 569 } 570 571 /* 572 * The initial_ctx/session_ctx always handles the encrypt/decrypt of the 573 * session ticket. This ticket_key callback is assigned to the second 574 * session (assigned via SNI), and should never be invoked 575 */ 576 if (server2_ctx != NULL) 577 SSL_CTX_set_tlsext_ticket_key_evp_cb(server2_ctx, 578 do_not_call_session_ticket_cb); 579 580 if (extra->server.broken_session_ticket) { 581 SSL_CTX_set_tlsext_ticket_key_evp_cb(server_ctx, 582 broken_session_ticket_cb); 583 } 584 #ifndef OPENSSL_NO_NEXTPROTONEG 585 if (extra->server.npn_protocols != NULL) { 586 if (!TEST_true(parse_protos(extra->server.npn_protocols, 587 &server_ctx_data->npn_protocols, 588 &server_ctx_data->npn_protocols_len))) 589 goto err; 590 SSL_CTX_set_npn_advertised_cb(server_ctx, server_npn_cb, 591 server_ctx_data); 592 } 593 if (extra->server2.npn_protocols != NULL) { 594 if (!TEST_true(parse_protos(extra->server2.npn_protocols, 595 &server2_ctx_data->npn_protocols, 596 &server2_ctx_data->npn_protocols_len)) 597 || !TEST_ptr(server2_ctx)) 598 goto err; 599 SSL_CTX_set_npn_advertised_cb(server2_ctx, server_npn_cb, 600 server2_ctx_data); 601 } 602 if (extra->client.npn_protocols != NULL) { 603 if (!TEST_true(parse_protos(extra->client.npn_protocols, 604 &client_ctx_data->npn_protocols, 605 &client_ctx_data->npn_protocols_len))) 606 goto err; 607 SSL_CTX_set_next_proto_select_cb(client_ctx, client_npn_cb, 608 client_ctx_data); 609 } 610 #endif 611 if (extra->server.alpn_protocols != NULL) { 612 if (!TEST_true(parse_protos(extra->server.alpn_protocols, 613 &server_ctx_data->alpn_protocols, 614 &server_ctx_data->alpn_protocols_len))) 615 goto err; 616 SSL_CTX_set_alpn_select_cb(server_ctx, server_alpn_cb, server_ctx_data); 617 } 618 if (extra->server2.alpn_protocols != NULL) { 619 if (!TEST_ptr(server2_ctx) 620 || !TEST_true(parse_protos(extra->server2.alpn_protocols, 621 &server2_ctx_data->alpn_protocols, 622 &server2_ctx_data->alpn_protocols_len 623 ))) 624 goto err; 625 SSL_CTX_set_alpn_select_cb(server2_ctx, server_alpn_cb, 626 server2_ctx_data); 627 } 628 if (extra->client.alpn_protocols != NULL) { 629 unsigned char *alpn_protos = NULL; 630 size_t alpn_protos_len = 0; 631 632 if (!TEST_true(parse_protos(extra->client.alpn_protocols, 633 &alpn_protos, &alpn_protos_len)) 634 /* Reversed return value convention... */ 635 || !TEST_int_eq(SSL_CTX_set_alpn_protos(client_ctx, alpn_protos, 636 alpn_protos_len), 0)) 637 goto err; 638 OPENSSL_free(alpn_protos); 639 } 640 641 if (extra->server.session_ticket_app_data != NULL) { 642 server_ctx_data->session_ticket_app_data = 643 OPENSSL_strdup(extra->server.session_ticket_app_data); 644 SSL_CTX_set_session_ticket_cb(server_ctx, generate_session_ticket_cb, 645 decrypt_session_ticket_cb, server_ctx_data); 646 } 647 if (extra->server2.session_ticket_app_data != NULL) { 648 if (!TEST_ptr(server2_ctx)) 649 goto err; 650 server2_ctx_data->session_ticket_app_data = 651 OPENSSL_strdup(extra->server2.session_ticket_app_data); 652 SSL_CTX_set_session_ticket_cb(server2_ctx, NULL, 653 decrypt_session_ticket_cb, server2_ctx_data); 654 } 655 656 /* 657 * Use fixed session ticket keys so that we can decrypt a ticket created with 658 * one CTX in another CTX. Don't address server2 for the moment. 659 */ 660 ticket_key_len = SSL_CTX_set_tlsext_ticket_keys(server_ctx, NULL, 0); 661 if (!TEST_ptr(ticket_keys = OPENSSL_zalloc(ticket_key_len)) 662 || !TEST_int_eq(SSL_CTX_set_tlsext_ticket_keys(server_ctx, 663 ticket_keys, 664 ticket_key_len), 1)) { 665 OPENSSL_free(ticket_keys); 666 goto err; 667 } 668 OPENSSL_free(ticket_keys); 669 670 /* The default log list includes EC keys, so CT can't work without EC. */ 671 #if !defined(OPENSSL_NO_CT) && !defined(OPENSSL_NO_EC) 672 if (!TEST_true(SSL_CTX_set_default_ctlog_list_file(client_ctx))) 673 goto err; 674 switch (extra->client.ct_validation) { 675 case SSL_TEST_CT_VALIDATION_PERMISSIVE: 676 if (!TEST_true(SSL_CTX_enable_ct(client_ctx, 677 SSL_CT_VALIDATION_PERMISSIVE))) 678 goto err; 679 break; 680 case SSL_TEST_CT_VALIDATION_STRICT: 681 if (!TEST_true(SSL_CTX_enable_ct(client_ctx, SSL_CT_VALIDATION_STRICT))) 682 goto err; 683 break; 684 case SSL_TEST_CT_VALIDATION_NONE: 685 break; 686 } 687 #endif 688 #ifndef OPENSSL_NO_SRP 689 if (!configure_handshake_ctx_for_srp(server_ctx, server2_ctx, client_ctx, 690 extra, server_ctx_data, 691 server2_ctx_data, client_ctx_data)) 692 goto err; 693 #endif /* !OPENSSL_NO_SRP */ 694 return 1; 695 err: 696 return 0; 697 } 698 699 /* Configure per-SSL callbacks and other properties. */ 700 static void configure_handshake_ssl(SSL *server, SSL *client, 701 const SSL_TEST_EXTRA_CONF *extra) 702 { 703 if (extra->client.servername != SSL_TEST_SERVERNAME_NONE) 704 SSL_set_tlsext_host_name(client, 705 ssl_servername_name(extra->client.servername)); 706 if (extra->client.enable_pha) 707 SSL_set_post_handshake_auth(client, 1); 708 } 709 710 /* The status for each connection phase. */ 711 typedef enum { 712 PEER_SUCCESS, 713 PEER_RETRY, 714 PEER_ERROR, 715 PEER_WAITING, 716 PEER_TEST_FAILURE 717 } peer_status_t; 718 719 /* An SSL object and associated read-write buffers. */ 720 typedef struct peer_st { 721 SSL *ssl; 722 /* Buffer lengths are int to match the SSL read/write API. */ 723 unsigned char *write_buf; 724 int write_buf_len; 725 unsigned char *read_buf; 726 int read_buf_len; 727 int bytes_to_write; 728 int bytes_to_read; 729 peer_status_t status; 730 } PEER; 731 732 static int create_peer(PEER *peer, SSL_CTX *ctx) 733 { 734 static const int peer_buffer_size = 64 * 1024; 735 SSL *ssl = NULL; 736 unsigned char *read_buf = NULL, *write_buf = NULL; 737 738 if (!TEST_ptr(ssl = SSL_new(ctx)) 739 || !TEST_ptr(write_buf = OPENSSL_zalloc(peer_buffer_size)) 740 || !TEST_ptr(read_buf = OPENSSL_zalloc(peer_buffer_size))) 741 goto err; 742 743 peer->ssl = ssl; 744 peer->write_buf = write_buf; 745 peer->read_buf = read_buf; 746 peer->write_buf_len = peer->read_buf_len = peer_buffer_size; 747 return 1; 748 err: 749 SSL_free(ssl); 750 OPENSSL_free(write_buf); 751 OPENSSL_free(read_buf); 752 return 0; 753 } 754 755 static void peer_free_data(PEER *peer) 756 { 757 SSL_free(peer->ssl); 758 OPENSSL_free(peer->write_buf); 759 OPENSSL_free(peer->read_buf); 760 } 761 762 /* 763 * Note that we could do the handshake transparently under an SSL_write, 764 * but separating the steps is more helpful for debugging test failures. 765 */ 766 static void do_handshake_step(PEER *peer) 767 { 768 if (!TEST_int_eq(peer->status, PEER_RETRY)) { 769 peer->status = PEER_TEST_FAILURE; 770 } else { 771 int ret = SSL_do_handshake(peer->ssl); 772 773 if (ret == 1) { 774 peer->status = PEER_SUCCESS; 775 } else if (ret == 0) { 776 peer->status = PEER_ERROR; 777 } else { 778 int error = SSL_get_error(peer->ssl, ret); 779 780 /* Memory bios should never block with SSL_ERROR_WANT_WRITE. */ 781 if (error != SSL_ERROR_WANT_READ 782 && error != SSL_ERROR_WANT_RETRY_VERIFY) 783 peer->status = PEER_ERROR; 784 } 785 } 786 } 787 788 /*- 789 * Send/receive some application data. The read-write sequence is 790 * Peer A: (R) W - first read will yield no data 791 * Peer B: R W 792 * ... 793 * Peer A: R W 794 * Peer B: R W 795 * Peer A: R 796 */ 797 static void do_app_data_step(PEER *peer) 798 { 799 int ret = 1, write_bytes; 800 801 if (!TEST_int_eq(peer->status, PEER_RETRY)) { 802 peer->status = PEER_TEST_FAILURE; 803 return; 804 } 805 806 /* We read everything available... */ 807 while (ret > 0 && peer->bytes_to_read) { 808 ret = SSL_read(peer->ssl, peer->read_buf, peer->read_buf_len); 809 if (ret > 0) { 810 if (!TEST_int_le(ret, peer->bytes_to_read)) { 811 peer->status = PEER_TEST_FAILURE; 812 return; 813 } 814 peer->bytes_to_read -= ret; 815 } else if (ret == 0) { 816 peer->status = PEER_ERROR; 817 return; 818 } else { 819 int error = SSL_get_error(peer->ssl, ret); 820 if (error != SSL_ERROR_WANT_READ) { 821 peer->status = PEER_ERROR; 822 return; 823 } /* Else continue with write. */ 824 } 825 } 826 827 /* ... but we only write one write-buffer-full of data. */ 828 write_bytes = peer->bytes_to_write < peer->write_buf_len ? peer->bytes_to_write : 829 peer->write_buf_len; 830 if (write_bytes) { 831 ret = SSL_write(peer->ssl, peer->write_buf, write_bytes); 832 if (ret > 0) { 833 /* SSL_write will only succeed with a complete write. */ 834 if (!TEST_int_eq(ret, write_bytes)) { 835 peer->status = PEER_TEST_FAILURE; 836 return; 837 } 838 peer->bytes_to_write -= ret; 839 } else { 840 /* 841 * We should perhaps check for SSL_ERROR_WANT_READ/WRITE here 842 * but this doesn't yet occur with current app data sizes. 843 */ 844 peer->status = PEER_ERROR; 845 return; 846 } 847 } 848 849 /* 850 * We could simply finish when there was nothing to read, and we have 851 * nothing left to write. But keeping track of the expected number of bytes 852 * to read gives us somewhat better guarantees that all data sent is in fact 853 * received. 854 */ 855 if (peer->bytes_to_write == 0 && peer->bytes_to_read == 0) { 856 peer->status = PEER_SUCCESS; 857 } 858 } 859 860 static void do_reneg_setup_step(const SSL_TEST_CTX *test_ctx, PEER *peer) 861 { 862 int ret; 863 char buf; 864 865 if (peer->status == PEER_SUCCESS) { 866 /* 867 * We are a client that succeeded this step previously, but the server 868 * wanted to retry. Probably there is a no_renegotiation warning alert 869 * waiting for us. Attempt to continue the handshake. 870 */ 871 peer->status = PEER_RETRY; 872 do_handshake_step(peer); 873 return; 874 } 875 876 if (!TEST_int_eq(peer->status, PEER_RETRY) 877 || !TEST_true(test_ctx->handshake_mode 878 == SSL_TEST_HANDSHAKE_RENEG_SERVER 879 || test_ctx->handshake_mode 880 == SSL_TEST_HANDSHAKE_RENEG_CLIENT 881 || test_ctx->handshake_mode 882 == SSL_TEST_HANDSHAKE_KEY_UPDATE_SERVER 883 || test_ctx->handshake_mode 884 == SSL_TEST_HANDSHAKE_KEY_UPDATE_CLIENT 885 || test_ctx->handshake_mode 886 == SSL_TEST_HANDSHAKE_POST_HANDSHAKE_AUTH)) { 887 peer->status = PEER_TEST_FAILURE; 888 return; 889 } 890 891 /* Reset the count of the amount of app data we need to read/write */ 892 peer->bytes_to_write = peer->bytes_to_read = test_ctx->app_data_size; 893 894 /* Check if we are the peer that is going to initiate */ 895 if ((test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_RENEG_SERVER 896 && SSL_is_server(peer->ssl)) 897 || (test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_RENEG_CLIENT 898 && !SSL_is_server(peer->ssl))) { 899 /* 900 * If we already asked for a renegotiation then fall through to the 901 * SSL_read() below. 902 */ 903 if (!SSL_renegotiate_pending(peer->ssl)) { 904 /* 905 * If we are the client we will always attempt to resume the 906 * session. The server may or may not resume dependent on the 907 * setting of SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 908 */ 909 if (SSL_is_server(peer->ssl)) { 910 ret = SSL_renegotiate(peer->ssl); 911 } else { 912 int full_reneg = 0; 913 914 if (test_ctx->extra.client.no_extms_on_reneg) { 915 SSL_set_options(peer->ssl, SSL_OP_NO_EXTENDED_MASTER_SECRET); 916 full_reneg = 1; 917 } 918 if (test_ctx->extra.client.reneg_ciphers != NULL) { 919 if (!SSL_set_cipher_list(peer->ssl, 920 test_ctx->extra.client.reneg_ciphers)) { 921 peer->status = PEER_ERROR; 922 return; 923 } 924 full_reneg = 1; 925 } 926 if (full_reneg) 927 ret = SSL_renegotiate(peer->ssl); 928 else 929 ret = SSL_renegotiate_abbreviated(peer->ssl); 930 } 931 if (!ret) { 932 peer->status = PEER_ERROR; 933 return; 934 } 935 do_handshake_step(peer); 936 /* 937 * If status is PEER_RETRY it means we're waiting on the peer to 938 * continue the handshake. As far as setting up the renegotiation is 939 * concerned that is a success. The next step will continue the 940 * handshake to its conclusion. 941 * 942 * If status is PEER_SUCCESS then we are the server and we have 943 * successfully sent the HelloRequest. We need to continue to wait 944 * until the handshake arrives from the client. 945 */ 946 if (peer->status == PEER_RETRY) 947 peer->status = PEER_SUCCESS; 948 else if (peer->status == PEER_SUCCESS) 949 peer->status = PEER_RETRY; 950 return; 951 } 952 } else if (test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_KEY_UPDATE_SERVER 953 || test_ctx->handshake_mode 954 == SSL_TEST_HANDSHAKE_KEY_UPDATE_CLIENT) { 955 if (SSL_is_server(peer->ssl) 956 != (test_ctx->handshake_mode 957 == SSL_TEST_HANDSHAKE_KEY_UPDATE_SERVER)) { 958 peer->status = PEER_SUCCESS; 959 return; 960 } 961 962 ret = SSL_key_update(peer->ssl, test_ctx->key_update_type); 963 if (!ret) { 964 peer->status = PEER_ERROR; 965 return; 966 } 967 do_handshake_step(peer); 968 /* 969 * This is a one step handshake. We shouldn't get anything other than 970 * PEER_SUCCESS 971 */ 972 if (peer->status != PEER_SUCCESS) 973 peer->status = PEER_ERROR; 974 return; 975 } else if (test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_POST_HANDSHAKE_AUTH) { 976 if (SSL_is_server(peer->ssl)) { 977 /* Make the server believe it's received the extension */ 978 if (test_ctx->extra.server.force_pha) 979 peer->ssl->post_handshake_auth = SSL_PHA_EXT_RECEIVED; 980 ret = SSL_verify_client_post_handshake(peer->ssl); 981 if (!ret) { 982 peer->status = PEER_ERROR; 983 return; 984 } 985 } 986 do_handshake_step(peer); 987 /* 988 * This is a one step handshake. We shouldn't get anything other than 989 * PEER_SUCCESS 990 */ 991 if (peer->status != PEER_SUCCESS) 992 peer->status = PEER_ERROR; 993 return; 994 } 995 996 /* 997 * The SSL object is still expecting app data, even though it's going to 998 * get a handshake message. We try to read, and it should fail - after which 999 * we should be in a handshake 1000 */ 1001 ret = SSL_read(peer->ssl, &buf, sizeof(buf)); 1002 if (ret >= 0) { 1003 /* 1004 * We're not actually expecting data - we're expecting a reneg to 1005 * start 1006 */ 1007 peer->status = PEER_ERROR; 1008 return; 1009 } else { 1010 int error = SSL_get_error(peer->ssl, ret); 1011 if (error != SSL_ERROR_WANT_READ) { 1012 peer->status = PEER_ERROR; 1013 return; 1014 } 1015 /* If we're not in init yet then we're not done with setup yet */ 1016 if (!SSL_in_init(peer->ssl)) 1017 return; 1018 } 1019 1020 peer->status = PEER_SUCCESS; 1021 } 1022 1023 1024 /* 1025 * RFC 5246 says: 1026 * 1027 * Note that as of TLS 1.1, 1028 * failure to properly close a connection no longer requires that a 1029 * session not be resumed. This is a change from TLS 1.0 to conform 1030 * with widespread implementation practice. 1031 * 1032 * However, 1033 * (a) OpenSSL requires that a connection be shutdown for all protocol versions. 1034 * (b) We test lower versions, too. 1035 * So we just implement shutdown. We do a full bidirectional shutdown so that we 1036 * can compare sent and received close_notify alerts and get some test coverage 1037 * for SSL_shutdown as a bonus. 1038 */ 1039 static void do_shutdown_step(PEER *peer) 1040 { 1041 int ret; 1042 1043 if (!TEST_int_eq(peer->status, PEER_RETRY)) { 1044 peer->status = PEER_TEST_FAILURE; 1045 return; 1046 } 1047 ret = SSL_shutdown(peer->ssl); 1048 1049 if (ret == 1) { 1050 peer->status = PEER_SUCCESS; 1051 } else if (ret < 0) { /* On 0, we retry. */ 1052 int error = SSL_get_error(peer->ssl, ret); 1053 1054 if (error != SSL_ERROR_WANT_READ && error != SSL_ERROR_WANT_WRITE) 1055 peer->status = PEER_ERROR; 1056 } 1057 } 1058 1059 typedef enum { 1060 HANDSHAKE, 1061 RENEG_APPLICATION_DATA, 1062 RENEG_SETUP, 1063 RENEG_HANDSHAKE, 1064 APPLICATION_DATA, 1065 SHUTDOWN, 1066 CONNECTION_DONE 1067 } connect_phase_t; 1068 1069 1070 static int renegotiate_op(const SSL_TEST_CTX *test_ctx) 1071 { 1072 switch (test_ctx->handshake_mode) { 1073 case SSL_TEST_HANDSHAKE_RENEG_SERVER: 1074 case SSL_TEST_HANDSHAKE_RENEG_CLIENT: 1075 return 1; 1076 default: 1077 return 0; 1078 } 1079 } 1080 static int post_handshake_op(const SSL_TEST_CTX *test_ctx) 1081 { 1082 switch (test_ctx->handshake_mode) { 1083 case SSL_TEST_HANDSHAKE_KEY_UPDATE_CLIENT: 1084 case SSL_TEST_HANDSHAKE_KEY_UPDATE_SERVER: 1085 case SSL_TEST_HANDSHAKE_POST_HANDSHAKE_AUTH: 1086 return 1; 1087 default: 1088 return 0; 1089 } 1090 } 1091 1092 static connect_phase_t next_phase(const SSL_TEST_CTX *test_ctx, 1093 connect_phase_t phase) 1094 { 1095 switch (phase) { 1096 case HANDSHAKE: 1097 if (renegotiate_op(test_ctx) || post_handshake_op(test_ctx)) 1098 return RENEG_APPLICATION_DATA; 1099 return APPLICATION_DATA; 1100 case RENEG_APPLICATION_DATA: 1101 return RENEG_SETUP; 1102 case RENEG_SETUP: 1103 if (post_handshake_op(test_ctx)) 1104 return APPLICATION_DATA; 1105 return RENEG_HANDSHAKE; 1106 case RENEG_HANDSHAKE: 1107 return APPLICATION_DATA; 1108 case APPLICATION_DATA: 1109 return SHUTDOWN; 1110 case SHUTDOWN: 1111 return CONNECTION_DONE; 1112 case CONNECTION_DONE: 1113 TEST_error("Trying to progress after connection done"); 1114 break; 1115 } 1116 return -1; 1117 } 1118 1119 static void do_connect_step(const SSL_TEST_CTX *test_ctx, PEER *peer, 1120 connect_phase_t phase) 1121 { 1122 switch (phase) { 1123 case HANDSHAKE: 1124 do_handshake_step(peer); 1125 break; 1126 case RENEG_APPLICATION_DATA: 1127 do_app_data_step(peer); 1128 break; 1129 case RENEG_SETUP: 1130 do_reneg_setup_step(test_ctx, peer); 1131 break; 1132 case RENEG_HANDSHAKE: 1133 do_handshake_step(peer); 1134 break; 1135 case APPLICATION_DATA: 1136 do_app_data_step(peer); 1137 break; 1138 case SHUTDOWN: 1139 do_shutdown_step(peer); 1140 break; 1141 case CONNECTION_DONE: 1142 TEST_error("Action after connection done"); 1143 break; 1144 } 1145 } 1146 1147 typedef enum { 1148 /* Both parties succeeded. */ 1149 HANDSHAKE_SUCCESS, 1150 /* Client errored. */ 1151 CLIENT_ERROR, 1152 /* Server errored. */ 1153 SERVER_ERROR, 1154 /* Peers are in inconsistent state. */ 1155 INTERNAL_ERROR, 1156 /* One or both peers not done. */ 1157 HANDSHAKE_RETRY 1158 } handshake_status_t; 1159 1160 /* 1161 * Determine the handshake outcome. 1162 * last_status: the status of the peer to have acted last. 1163 * previous_status: the status of the peer that didn't act last. 1164 * client_spoke_last: 1 if the client went last. 1165 */ 1166 static handshake_status_t handshake_status(peer_status_t last_status, 1167 peer_status_t previous_status, 1168 int client_spoke_last) 1169 { 1170 switch (last_status) { 1171 case PEER_TEST_FAILURE: 1172 return INTERNAL_ERROR; 1173 1174 case PEER_WAITING: 1175 /* Shouldn't ever happen */ 1176 return INTERNAL_ERROR; 1177 1178 case PEER_SUCCESS: 1179 switch (previous_status) { 1180 case PEER_TEST_FAILURE: 1181 return INTERNAL_ERROR; 1182 case PEER_SUCCESS: 1183 /* Both succeeded. */ 1184 return HANDSHAKE_SUCCESS; 1185 case PEER_WAITING: 1186 case PEER_RETRY: 1187 /* Let the first peer finish. */ 1188 return HANDSHAKE_RETRY; 1189 case PEER_ERROR: 1190 /* 1191 * Second peer succeeded despite the fact that the first peer 1192 * already errored. This shouldn't happen. 1193 */ 1194 return INTERNAL_ERROR; 1195 } 1196 break; 1197 1198 case PEER_RETRY: 1199 return HANDSHAKE_RETRY; 1200 1201 case PEER_ERROR: 1202 switch (previous_status) { 1203 case PEER_TEST_FAILURE: 1204 return INTERNAL_ERROR; 1205 case PEER_WAITING: 1206 /* The client failed immediately before sending the ClientHello */ 1207 return client_spoke_last ? CLIENT_ERROR : INTERNAL_ERROR; 1208 case PEER_SUCCESS: 1209 /* First peer succeeded but second peer errored. */ 1210 return client_spoke_last ? CLIENT_ERROR : SERVER_ERROR; 1211 case PEER_RETRY: 1212 /* We errored; let the peer finish. */ 1213 return HANDSHAKE_RETRY; 1214 case PEER_ERROR: 1215 /* Both peers errored. Return the one that errored first. */ 1216 return client_spoke_last ? SERVER_ERROR : CLIENT_ERROR; 1217 } 1218 } 1219 /* Control should never reach here. */ 1220 return INTERNAL_ERROR; 1221 } 1222 1223 /* Convert unsigned char buf's that shouldn't contain any NUL-bytes to char. */ 1224 static char *dup_str(const unsigned char *in, size_t len) 1225 { 1226 char *ret = NULL; 1227 1228 if (len == 0) 1229 return NULL; 1230 1231 /* Assert that the string does not contain NUL-bytes. */ 1232 if (TEST_size_t_eq(OPENSSL_strnlen((const char*)(in), len), len)) 1233 TEST_ptr(ret = OPENSSL_strndup((const char*)(in), len)); 1234 return ret; 1235 } 1236 1237 static int pkey_type(EVP_PKEY *pkey) 1238 { 1239 if (EVP_PKEY_is_a(pkey, "EC")) { 1240 char name[80]; 1241 size_t name_len; 1242 1243 if (!EVP_PKEY_get_group_name(pkey, name, sizeof(name), &name_len)) 1244 return NID_undef; 1245 return OBJ_txt2nid(name); 1246 } 1247 return EVP_PKEY_get_id(pkey); 1248 } 1249 1250 static int peer_pkey_type(SSL *s) 1251 { 1252 X509 *x = SSL_get0_peer_certificate(s); 1253 1254 if (x != NULL) 1255 return pkey_type(X509_get0_pubkey(x)); 1256 return NID_undef; 1257 } 1258 1259 #if !defined(OPENSSL_NO_SCTP) && !defined(OPENSSL_NO_SOCK) 1260 static int set_sock_as_sctp(int sock) 1261 { 1262 struct sctp_assocparams assocparams; 1263 struct sctp_rtoinfo rto_info; 1264 BIO *tmpbio; 1265 1266 /* 1267 * To allow tests to fail fast (within a second or so), reduce the 1268 * retransmission timeouts and the number of retransmissions. 1269 */ 1270 memset(&rto_info, 0, sizeof(struct sctp_rtoinfo)); 1271 rto_info.srto_initial = 100; 1272 rto_info.srto_max = 200; 1273 rto_info.srto_min = 50; 1274 (void)setsockopt(sock, IPPROTO_SCTP, SCTP_RTOINFO, 1275 (const void *)&rto_info, sizeof(struct sctp_rtoinfo)); 1276 memset(&assocparams, 0, sizeof(struct sctp_assocparams)); 1277 assocparams.sasoc_asocmaxrxt = 2; 1278 (void)setsockopt(sock, IPPROTO_SCTP, SCTP_ASSOCINFO, 1279 (const void *)&assocparams, 1280 sizeof(struct sctp_assocparams)); 1281 1282 /* 1283 * For SCTP we have to set various options on the socket prior to 1284 * connecting. This is done automatically by BIO_new_dgram_sctp(). 1285 * We don't actually need the created BIO though so we free it again 1286 * immediately. 1287 */ 1288 tmpbio = BIO_new_dgram_sctp(sock, BIO_NOCLOSE); 1289 1290 if (tmpbio == NULL) 1291 return 0; 1292 BIO_free(tmpbio); 1293 1294 return 1; 1295 } 1296 1297 static int create_sctp_socks(int *ssock, int *csock) 1298 { 1299 BIO_ADDRINFO *res = NULL; 1300 const BIO_ADDRINFO *ai = NULL; 1301 int lsock = INVALID_SOCKET, asock = INVALID_SOCKET; 1302 int consock = INVALID_SOCKET; 1303 int ret = 0; 1304 int family = 0; 1305 1306 if (BIO_sock_init() != 1) 1307 return 0; 1308 1309 /* 1310 * Port is 4463. It could be anything. It will fail if it's already being 1311 * used for some other SCTP service. It seems unlikely though so we don't 1312 * worry about it here. 1313 */ 1314 if (!BIO_lookup_ex(NULL, "4463", BIO_LOOKUP_SERVER, family, SOCK_STREAM, 1315 IPPROTO_SCTP, &res)) 1316 return 0; 1317 1318 for (ai = res; ai != NULL; ai = BIO_ADDRINFO_next(ai)) { 1319 family = BIO_ADDRINFO_family(ai); 1320 lsock = BIO_socket(family, SOCK_STREAM, IPPROTO_SCTP, 0); 1321 if (lsock == INVALID_SOCKET) { 1322 /* Maybe the kernel doesn't support the socket family, even if 1323 * BIO_lookup() added it in the returned result... 1324 */ 1325 continue; 1326 } 1327 1328 if (!set_sock_as_sctp(lsock) 1329 || !BIO_listen(lsock, BIO_ADDRINFO_address(ai), 1330 BIO_SOCK_REUSEADDR)) { 1331 BIO_closesocket(lsock); 1332 lsock = INVALID_SOCKET; 1333 continue; 1334 } 1335 1336 /* Success, don't try any more addresses */ 1337 break; 1338 } 1339 1340 if (lsock == INVALID_SOCKET) 1341 goto err; 1342 1343 BIO_ADDRINFO_free(res); 1344 res = NULL; 1345 1346 if (!BIO_lookup_ex(NULL, "4463", BIO_LOOKUP_CLIENT, family, SOCK_STREAM, 1347 IPPROTO_SCTP, &res)) 1348 goto err; 1349 1350 consock = BIO_socket(family, SOCK_STREAM, IPPROTO_SCTP, 0); 1351 if (consock == INVALID_SOCKET) 1352 goto err; 1353 1354 if (!set_sock_as_sctp(consock) 1355 || !BIO_connect(consock, BIO_ADDRINFO_address(res), 0) 1356 || !BIO_socket_nbio(consock, 1)) 1357 goto err; 1358 1359 asock = BIO_accept_ex(lsock, NULL, BIO_SOCK_NONBLOCK); 1360 if (asock == INVALID_SOCKET) 1361 goto err; 1362 1363 *csock = consock; 1364 *ssock = asock; 1365 consock = asock = INVALID_SOCKET; 1366 ret = 1; 1367 1368 err: 1369 BIO_ADDRINFO_free(res); 1370 if (consock != INVALID_SOCKET) 1371 BIO_closesocket(consock); 1372 if (lsock != INVALID_SOCKET) 1373 BIO_closesocket(lsock); 1374 if (asock != INVALID_SOCKET) 1375 BIO_closesocket(asock); 1376 return ret; 1377 } 1378 #endif 1379 1380 /* 1381 * Note that |extra| points to the correct client/server configuration 1382 * within |test_ctx|. When configuring the handshake, general mode settings 1383 * are taken from |test_ctx|, and client/server-specific settings should be 1384 * taken from |extra|. 1385 * 1386 * The configuration code should never reach into |test_ctx->extra| or 1387 * |test_ctx->resume_extra| directly. 1388 * 1389 * (We could refactor test mode settings into a substructure. This would result 1390 * in cleaner argument passing but would complicate the test configuration 1391 * parsing.) 1392 */ 1393 static HANDSHAKE_RESULT *do_handshake_internal( 1394 SSL_CTX *server_ctx, SSL_CTX *server2_ctx, SSL_CTX *client_ctx, 1395 const SSL_TEST_CTX *test_ctx, const SSL_TEST_EXTRA_CONF *extra, 1396 SSL_SESSION *session_in, SSL_SESSION *serv_sess_in, 1397 SSL_SESSION **session_out, SSL_SESSION **serv_sess_out) 1398 { 1399 PEER server, client; 1400 BIO *client_to_server = NULL, *server_to_client = NULL; 1401 HANDSHAKE_EX_DATA server_ex_data, client_ex_data; 1402 CTX_DATA client_ctx_data, server_ctx_data, server2_ctx_data; 1403 HANDSHAKE_RESULT *ret = HANDSHAKE_RESULT_new(); 1404 int client_turn = 1, client_turn_count = 0, client_wait_count = 0; 1405 connect_phase_t phase = HANDSHAKE; 1406 handshake_status_t status = HANDSHAKE_RETRY; 1407 const unsigned char* tick = NULL; 1408 size_t tick_len = 0; 1409 const unsigned char* sess_id = NULL; 1410 unsigned int sess_id_len = 0; 1411 SSL_SESSION* sess = NULL; 1412 const unsigned char *proto = NULL; 1413 /* API dictates unsigned int rather than size_t. */ 1414 unsigned int proto_len = 0; 1415 EVP_PKEY *tmp_key; 1416 const STACK_OF(X509_NAME) *names; 1417 time_t start; 1418 const char* cipher; 1419 1420 if (ret == NULL) 1421 return NULL; 1422 1423 memset(&server_ctx_data, 0, sizeof(server_ctx_data)); 1424 memset(&server2_ctx_data, 0, sizeof(server2_ctx_data)); 1425 memset(&client_ctx_data, 0, sizeof(client_ctx_data)); 1426 memset(&server, 0, sizeof(server)); 1427 memset(&client, 0, sizeof(client)); 1428 memset(&server_ex_data, 0, sizeof(server_ex_data)); 1429 memset(&client_ex_data, 0, sizeof(client_ex_data)); 1430 1431 if (!configure_handshake_ctx(server_ctx, server2_ctx, client_ctx, 1432 test_ctx, extra, &server_ctx_data, 1433 &server2_ctx_data, &client_ctx_data)) { 1434 TEST_note("configure_handshake_ctx"); 1435 HANDSHAKE_RESULT_free(ret); 1436 return NULL; 1437 } 1438 1439 #if !defined(OPENSSL_NO_SCTP) && !defined(OPENSSL_NO_SOCK) 1440 if (test_ctx->enable_client_sctp_label_bug) 1441 SSL_CTX_set_mode(client_ctx, SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG); 1442 if (test_ctx->enable_server_sctp_label_bug) 1443 SSL_CTX_set_mode(server_ctx, SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG); 1444 #endif 1445 1446 /* Setup SSL and buffers; additional configuration happens below. */ 1447 if (!create_peer(&server, server_ctx)) { 1448 TEST_note("creating server context"); 1449 goto err; 1450 } 1451 if (!create_peer(&client, client_ctx)) { 1452 TEST_note("creating client context"); 1453 goto err; 1454 } 1455 1456 server.bytes_to_write = client.bytes_to_read = test_ctx->app_data_size; 1457 client.bytes_to_write = server.bytes_to_read = test_ctx->app_data_size; 1458 1459 configure_handshake_ssl(server.ssl, client.ssl, extra); 1460 if (session_in != NULL) { 1461 SSL_SESSION_get_id(serv_sess_in, &sess_id_len); 1462 /* In case we're testing resumption without tickets. */ 1463 if ((sess_id_len > 0 1464 && !TEST_true(SSL_CTX_add_session(server_ctx, 1465 serv_sess_in))) 1466 || !TEST_true(SSL_set_session(client.ssl, session_in))) 1467 goto err; 1468 sess_id_len = 0; 1469 } 1470 1471 ret->result = SSL_TEST_INTERNAL_ERROR; 1472 1473 if (test_ctx->use_sctp) { 1474 #if !defined(OPENSSL_NO_SCTP) && !defined(OPENSSL_NO_SOCK) 1475 int csock, ssock; 1476 1477 if (create_sctp_socks(&ssock, &csock)) { 1478 client_to_server = BIO_new_dgram_sctp(csock, BIO_CLOSE); 1479 server_to_client = BIO_new_dgram_sctp(ssock, BIO_CLOSE); 1480 } 1481 #endif 1482 } else { 1483 client_to_server = BIO_new(BIO_s_mem()); 1484 server_to_client = BIO_new(BIO_s_mem()); 1485 } 1486 1487 if (!TEST_ptr(client_to_server) 1488 || !TEST_ptr(server_to_client)) 1489 goto err; 1490 1491 /* Non-blocking bio. */ 1492 BIO_set_nbio(client_to_server, 1); 1493 BIO_set_nbio(server_to_client, 1); 1494 1495 SSL_set_connect_state(client.ssl); 1496 SSL_set_accept_state(server.ssl); 1497 1498 /* The bios are now owned by the SSL object. */ 1499 if (test_ctx->use_sctp) { 1500 SSL_set_bio(client.ssl, client_to_server, client_to_server); 1501 SSL_set_bio(server.ssl, server_to_client, server_to_client); 1502 } else { 1503 SSL_set_bio(client.ssl, server_to_client, client_to_server); 1504 if (!TEST_int_gt(BIO_up_ref(server_to_client), 0) 1505 || !TEST_int_gt(BIO_up_ref(client_to_server), 0)) 1506 goto err; 1507 SSL_set_bio(server.ssl, client_to_server, server_to_client); 1508 } 1509 1510 ex_data_idx = SSL_get_ex_new_index(0, "ex data", NULL, NULL, NULL); 1511 if (!TEST_int_ge(ex_data_idx, 0) 1512 || !TEST_int_eq(SSL_set_ex_data(server.ssl, ex_data_idx, &server_ex_data), 1) 1513 || !TEST_int_eq(SSL_set_ex_data(client.ssl, ex_data_idx, &client_ex_data), 1)) 1514 goto err; 1515 1516 SSL_set_info_callback(server.ssl, &info_cb); 1517 SSL_set_info_callback(client.ssl, &info_cb); 1518 1519 client.status = PEER_RETRY; 1520 server.status = PEER_WAITING; 1521 1522 start = time(NULL); 1523 1524 /* 1525 * Half-duplex handshake loop. 1526 * Client and server speak to each other synchronously in the same process. 1527 * We use non-blocking BIOs, so whenever one peer blocks for read, it 1528 * returns PEER_RETRY to indicate that it's the other peer's turn to write. 1529 * The handshake succeeds once both peers have succeeded. If one peer 1530 * errors out, we also let the other peer retry (and presumably fail). 1531 */ 1532 for(;;) { 1533 if (client_turn) { 1534 do_connect_step(test_ctx, &client, phase); 1535 status = handshake_status(client.status, server.status, 1536 1 /* client went last */); 1537 if (server.status == PEER_WAITING) 1538 server.status = PEER_RETRY; 1539 } else { 1540 do_connect_step(test_ctx, &server, phase); 1541 status = handshake_status(server.status, client.status, 1542 0 /* server went last */); 1543 } 1544 1545 switch (status) { 1546 case HANDSHAKE_SUCCESS: 1547 client_turn_count = 0; 1548 phase = next_phase(test_ctx, phase); 1549 if (phase == CONNECTION_DONE) { 1550 ret->result = SSL_TEST_SUCCESS; 1551 goto err; 1552 } else { 1553 client.status = server.status = PEER_RETRY; 1554 /* 1555 * For now, client starts each phase. Since each phase is 1556 * started separately, we can later control this more 1557 * precisely, for example, to test client-initiated and 1558 * server-initiated shutdown. 1559 */ 1560 client_turn = 1; 1561 break; 1562 } 1563 case CLIENT_ERROR: 1564 ret->result = SSL_TEST_CLIENT_FAIL; 1565 goto err; 1566 case SERVER_ERROR: 1567 ret->result = SSL_TEST_SERVER_FAIL; 1568 goto err; 1569 case INTERNAL_ERROR: 1570 ret->result = SSL_TEST_INTERNAL_ERROR; 1571 goto err; 1572 case HANDSHAKE_RETRY: 1573 if (test_ctx->use_sctp) { 1574 if (time(NULL) - start > 3) { 1575 /* 1576 * We've waited for too long. Give up. 1577 */ 1578 ret->result = SSL_TEST_INTERNAL_ERROR; 1579 goto err; 1580 } 1581 /* 1582 * With "real" sockets we only swap to processing the peer 1583 * if they are expecting to retry. Otherwise we just retry the 1584 * same endpoint again. 1585 */ 1586 if ((client_turn && server.status == PEER_RETRY) 1587 || (!client_turn && client.status == PEER_RETRY)) 1588 client_turn ^= 1; 1589 } else { 1590 if (client_turn_count++ >= 2000) { 1591 /* 1592 * At this point, there's been so many PEER_RETRY in a row 1593 * that it's likely both sides are stuck waiting for a read. 1594 * It's time to give up. 1595 */ 1596 ret->result = SSL_TEST_INTERNAL_ERROR; 1597 goto err; 1598 } 1599 if (client_turn && server.status == PEER_SUCCESS) { 1600 /* 1601 * The server may finish before the client because the 1602 * client spends some turns processing NewSessionTickets. 1603 */ 1604 if (client_wait_count++ >= 2) { 1605 ret->result = SSL_TEST_INTERNAL_ERROR; 1606 goto err; 1607 } 1608 } else { 1609 /* Continue. */ 1610 client_turn ^= 1; 1611 } 1612 } 1613 break; 1614 } 1615 } 1616 err: 1617 ret->server_alert_sent = server_ex_data.alert_sent; 1618 ret->server_num_fatal_alerts_sent = server_ex_data.num_fatal_alerts_sent; 1619 ret->server_alert_received = client_ex_data.alert_received; 1620 ret->client_alert_sent = client_ex_data.alert_sent; 1621 ret->client_num_fatal_alerts_sent = client_ex_data.num_fatal_alerts_sent; 1622 ret->client_alert_received = server_ex_data.alert_received; 1623 ret->server_protocol = SSL_version(server.ssl); 1624 ret->client_protocol = SSL_version(client.ssl); 1625 ret->servername = server_ex_data.servername; 1626 if ((sess = SSL_get0_session(client.ssl)) != NULL) { 1627 SSL_SESSION_get0_ticket(sess, &tick, &tick_len); 1628 sess_id = SSL_SESSION_get_id(sess, &sess_id_len); 1629 } 1630 if (tick == NULL || tick_len == 0) 1631 ret->session_ticket = SSL_TEST_SESSION_TICKET_NO; 1632 else 1633 ret->session_ticket = SSL_TEST_SESSION_TICKET_YES; 1634 ret->compression = (SSL_get_current_compression(client.ssl) == NULL) 1635 ? SSL_TEST_COMPRESSION_NO 1636 : SSL_TEST_COMPRESSION_YES; 1637 if (sess_id == NULL || sess_id_len == 0) 1638 ret->session_id = SSL_TEST_SESSION_ID_NO; 1639 else 1640 ret->session_id = SSL_TEST_SESSION_ID_YES; 1641 ret->session_ticket_do_not_call = server_ex_data.session_ticket_do_not_call; 1642 1643 if (extra->client.verify_callback == SSL_TEST_VERIFY_RETRY_ONCE 1644 && n_retries != -1) 1645 ret->result = SSL_TEST_SERVER_FAIL; 1646 1647 #ifndef OPENSSL_NO_NEXTPROTONEG 1648 SSL_get0_next_proto_negotiated(client.ssl, &proto, &proto_len); 1649 ret->client_npn_negotiated = dup_str(proto, proto_len); 1650 1651 SSL_get0_next_proto_negotiated(server.ssl, &proto, &proto_len); 1652 ret->server_npn_negotiated = dup_str(proto, proto_len); 1653 #endif 1654 1655 SSL_get0_alpn_selected(client.ssl, &proto, &proto_len); 1656 ret->client_alpn_negotiated = dup_str(proto, proto_len); 1657 1658 SSL_get0_alpn_selected(server.ssl, &proto, &proto_len); 1659 ret->server_alpn_negotiated = dup_str(proto, proto_len); 1660 1661 if ((sess = SSL_get0_session(server.ssl)) != NULL) { 1662 SSL_SESSION_get0_ticket_appdata(sess, (void**)&tick, &tick_len); 1663 ret->result_session_ticket_app_data = OPENSSL_strndup((const char*)tick, tick_len); 1664 } 1665 1666 ret->client_resumed = SSL_session_reused(client.ssl); 1667 ret->server_resumed = SSL_session_reused(server.ssl); 1668 1669 cipher = SSL_CIPHER_get_name(SSL_get_current_cipher(client.ssl)); 1670 ret->cipher = dup_str((const unsigned char*)cipher, strlen(cipher)); 1671 1672 if (session_out != NULL) 1673 *session_out = SSL_get1_session(client.ssl); 1674 if (serv_sess_out != NULL) { 1675 SSL_SESSION *tmp = SSL_get_session(server.ssl); 1676 1677 /* 1678 * We create a fresh copy that is not in the server session ctx linked 1679 * list. 1680 */ 1681 if (tmp != NULL) 1682 *serv_sess_out = SSL_SESSION_dup(tmp); 1683 } 1684 1685 if (SSL_get_peer_tmp_key(client.ssl, &tmp_key)) { 1686 ret->tmp_key_type = pkey_type(tmp_key); 1687 EVP_PKEY_free(tmp_key); 1688 } 1689 1690 SSL_get_peer_signature_nid(client.ssl, &ret->server_sign_hash); 1691 SSL_get_peer_signature_nid(server.ssl, &ret->client_sign_hash); 1692 1693 SSL_get_peer_signature_type_nid(client.ssl, &ret->server_sign_type); 1694 SSL_get_peer_signature_type_nid(server.ssl, &ret->client_sign_type); 1695 1696 names = SSL_get0_peer_CA_list(client.ssl); 1697 if (names == NULL) 1698 ret->client_ca_names = NULL; 1699 else 1700 ret->client_ca_names = SSL_dup_CA_list(names); 1701 1702 names = SSL_get0_peer_CA_list(server.ssl); 1703 if (names == NULL) 1704 ret->server_ca_names = NULL; 1705 else 1706 ret->server_ca_names = SSL_dup_CA_list(names); 1707 1708 ret->server_cert_type = peer_pkey_type(client.ssl); 1709 ret->client_cert_type = peer_pkey_type(server.ssl); 1710 1711 ctx_data_free_data(&server_ctx_data); 1712 ctx_data_free_data(&server2_ctx_data); 1713 ctx_data_free_data(&client_ctx_data); 1714 1715 peer_free_data(&server); 1716 peer_free_data(&client); 1717 return ret; 1718 } 1719 1720 HANDSHAKE_RESULT *do_handshake(SSL_CTX *server_ctx, SSL_CTX *server2_ctx, 1721 SSL_CTX *client_ctx, SSL_CTX *resume_server_ctx, 1722 SSL_CTX *resume_client_ctx, 1723 const SSL_TEST_CTX *test_ctx) 1724 { 1725 HANDSHAKE_RESULT *result; 1726 SSL_SESSION *session = NULL, *serv_sess = NULL; 1727 1728 result = do_handshake_internal(server_ctx, server2_ctx, client_ctx, 1729 test_ctx, &test_ctx->extra, 1730 NULL, NULL, &session, &serv_sess); 1731 if (result == NULL 1732 || test_ctx->handshake_mode != SSL_TEST_HANDSHAKE_RESUME 1733 || result->result == SSL_TEST_INTERNAL_ERROR) 1734 goto end; 1735 1736 if (result->result != SSL_TEST_SUCCESS) { 1737 result->result = SSL_TEST_FIRST_HANDSHAKE_FAILED; 1738 goto end; 1739 } 1740 1741 HANDSHAKE_RESULT_free(result); 1742 /* We don't support SNI on second handshake yet, so server2_ctx is NULL. */ 1743 result = do_handshake_internal(resume_server_ctx, NULL, resume_client_ctx, 1744 test_ctx, &test_ctx->resume_extra, 1745 session, serv_sess, NULL, NULL); 1746 end: 1747 SSL_SESSION_free(session); 1748 SSL_SESSION_free(serv_sess); 1749 return result; 1750 } 1751