1 /* 2 * Copyright 2016-2025 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <string.h> 11 12 #include <openssl/bio.h> 13 #include <openssl/x509_vfy.h> 14 #include <openssl/ssl.h> 15 #include <openssl/core_names.h> 16 17 #include "../../ssl/ssl_local.h" 18 #include "internal/ssl_unwrap.h" 19 #include "internal/sockets.h" 20 #include "internal/nelem.h" 21 #include "handshake.h" 22 #include "../testutil.h" 23 24 #if !defined(OPENSSL_NO_SCTP) && !defined(OPENSSL_NO_SOCK) 25 #include <netinet/sctp.h> 26 #endif 27 28 HANDSHAKE_RESULT *HANDSHAKE_RESULT_new(void) 29 { 30 HANDSHAKE_RESULT *ret; 31 32 TEST_ptr(ret = OPENSSL_zalloc(sizeof(*ret))); 33 return ret; 34 } 35 36 void HANDSHAKE_RESULT_free(HANDSHAKE_RESULT *result) 37 { 38 if (result == NULL) 39 return; 40 OPENSSL_free(result->client_npn_negotiated); 41 OPENSSL_free(result->server_npn_negotiated); 42 OPENSSL_free(result->client_alpn_negotiated); 43 OPENSSL_free(result->server_alpn_negotiated); 44 OPENSSL_free(result->result_session_ticket_app_data); 45 sk_X509_NAME_pop_free(result->server_ca_names, X509_NAME_free); 46 sk_X509_NAME_pop_free(result->client_ca_names, X509_NAME_free); 47 OPENSSL_free(result->cipher); 48 OPENSSL_free(result); 49 } 50 51 /* 52 * Since there appears to be no way to extract the sent/received alert 53 * from the SSL object directly, we use the info callback and stash 54 * the result in ex_data. 55 */ 56 typedef struct handshake_ex_data_st { 57 int alert_sent; 58 int num_fatal_alerts_sent; 59 int alert_received; 60 int session_ticket_do_not_call; 61 ssl_servername_t servername; 62 } HANDSHAKE_EX_DATA; 63 64 /* |ctx_data| itself is stack-allocated. */ 65 static void ctx_data_free_data(CTX_DATA *ctx_data) 66 { 67 OPENSSL_free(ctx_data->npn_protocols); 68 ctx_data->npn_protocols = NULL; 69 OPENSSL_free(ctx_data->alpn_protocols); 70 ctx_data->alpn_protocols = NULL; 71 OPENSSL_free(ctx_data->srp_user); 72 ctx_data->srp_user = NULL; 73 OPENSSL_free(ctx_data->srp_password); 74 ctx_data->srp_password = NULL; 75 OPENSSL_free(ctx_data->session_ticket_app_data); 76 ctx_data->session_ticket_app_data = NULL; 77 } 78 79 static int ex_data_idx; 80 81 static void info_cb(const SSL *s, int where, int ret) 82 { 83 if (where & SSL_CB_ALERT) { 84 HANDSHAKE_EX_DATA *ex_data = 85 (HANDSHAKE_EX_DATA*)(SSL_get_ex_data(s, ex_data_idx)); 86 if (where & SSL_CB_WRITE) { 87 ex_data->alert_sent = ret; 88 if (strcmp(SSL_alert_type_string(ret), "F") == 0 89 || strcmp(SSL_alert_desc_string(ret), "CN") == 0) 90 ex_data->num_fatal_alerts_sent++; 91 } else { 92 ex_data->alert_received = ret; 93 } 94 } 95 } 96 97 /* Select the appropriate server CTX. 98 * Returns SSL_TLSEXT_ERR_OK if a match was found. 99 * If |ignore| is 1, returns SSL_TLSEXT_ERR_NOACK on mismatch. 100 * Otherwise, returns SSL_TLSEXT_ERR_ALERT_FATAL on mismatch. 101 * An empty SNI extension also returns SSL_TSLEXT_ERR_NOACK. 102 */ 103 static int select_server_ctx(SSL *s, void *arg, int ignore) 104 { 105 const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name); 106 HANDSHAKE_EX_DATA *ex_data = 107 (HANDSHAKE_EX_DATA*)(SSL_get_ex_data(s, ex_data_idx)); 108 109 if (servername == NULL) { 110 ex_data->servername = SSL_TEST_SERVERNAME_SERVER1; 111 return SSL_TLSEXT_ERR_NOACK; 112 } 113 114 if (strcmp(servername, "server2") == 0) { 115 SSL_CTX *new_ctx = (SSL_CTX*)arg; 116 SSL_set_SSL_CTX(s, new_ctx); 117 /* 118 * Copy over all the SSL_CTX options - reasonable behavior 119 * allows testing of cases where the options between two 120 * contexts differ/conflict 121 */ 122 SSL_clear_options(s, 0xFFFFFFFFL); 123 SSL_set_options(s, SSL_CTX_get_options(new_ctx)); 124 125 ex_data->servername = SSL_TEST_SERVERNAME_SERVER2; 126 return SSL_TLSEXT_ERR_OK; 127 } else if (strcmp(servername, "server1") == 0) { 128 ex_data->servername = SSL_TEST_SERVERNAME_SERVER1; 129 return SSL_TLSEXT_ERR_OK; 130 } else if (ignore) { 131 ex_data->servername = SSL_TEST_SERVERNAME_SERVER1; 132 return SSL_TLSEXT_ERR_NOACK; 133 } else { 134 /* Don't set an explicit alert, to test library defaults. */ 135 return SSL_TLSEXT_ERR_ALERT_FATAL; 136 } 137 } 138 139 static int client_hello_select_server_ctx(SSL *s, void *arg, int ignore) 140 { 141 const char *servername; 142 const unsigned char *p; 143 size_t len, remaining; 144 HANDSHAKE_EX_DATA *ex_data = 145 (HANDSHAKE_EX_DATA*)(SSL_get_ex_data(s, ex_data_idx)); 146 147 /* 148 * The server_name extension was given too much extensibility when it 149 * was written, so parsing the normal case is a bit complex. 150 */ 151 if (!SSL_client_hello_get0_ext(s, TLSEXT_TYPE_server_name, &p, 152 &remaining) || 153 remaining <= 2) 154 return 0; 155 /* Extract the length of the supplied list of names. */ 156 len = (*(p++) << 8); 157 len += *(p++); 158 if (len + 2 != remaining) 159 return 0; 160 remaining = len; 161 /* 162 * The list in practice only has a single element, so we only consider 163 * the first one. 164 */ 165 if (remaining == 0 || *p++ != TLSEXT_NAMETYPE_host_name) 166 return 0; 167 remaining--; 168 /* Now we can finally pull out the byte array with the actual hostname. */ 169 if (remaining <= 2) 170 return 0; 171 len = (*(p++) << 8); 172 len += *(p++); 173 if (len + 2 > remaining) 174 return 0; 175 remaining = len; 176 servername = (const char *)p; 177 178 if (len == strlen("server2") && HAS_PREFIX(servername, "server2")) { 179 SSL_CTX *new_ctx = arg; 180 SSL_set_SSL_CTX(s, new_ctx); 181 /* 182 * Copy over all the SSL_CTX options - reasonable behavior 183 * allows testing of cases where the options between two 184 * contexts differ/conflict 185 */ 186 SSL_clear_options(s, 0xFFFFFFFFL); 187 SSL_set_options(s, SSL_CTX_get_options(new_ctx)); 188 189 ex_data->servername = SSL_TEST_SERVERNAME_SERVER2; 190 return 1; 191 } else if (len == strlen("server1") && 192 HAS_PREFIX(servername, "server1")) { 193 ex_data->servername = SSL_TEST_SERVERNAME_SERVER1; 194 return 1; 195 } else if (ignore) { 196 ex_data->servername = SSL_TEST_SERVERNAME_SERVER1; 197 return 1; 198 } 199 return 0; 200 } 201 /* 202 * (RFC 6066): 203 * If the server understood the ClientHello extension but 204 * does not recognize the server name, the server SHOULD take one of two 205 * actions: either abort the handshake by sending a fatal-level 206 * unrecognized_name(112) alert or continue the handshake. 207 * 208 * This behaviour is up to the application to configure; we test both 209 * configurations to ensure the state machine propagates the result 210 * correctly. 211 */ 212 static int servername_ignore_cb(SSL *s, int *ad, void *arg) 213 { 214 return select_server_ctx(s, arg, 1); 215 } 216 217 static int servername_reject_cb(SSL *s, int *ad, void *arg) 218 { 219 return select_server_ctx(s, arg, 0); 220 } 221 222 static int client_hello_ignore_cb(SSL *s, int *al, void *arg) 223 { 224 if (!client_hello_select_server_ctx(s, arg, 1)) { 225 *al = SSL_AD_UNRECOGNIZED_NAME; 226 return SSL_CLIENT_HELLO_ERROR; 227 } 228 return SSL_CLIENT_HELLO_SUCCESS; 229 } 230 231 static int client_hello_reject_cb(SSL *s, int *al, void *arg) 232 { 233 if (!client_hello_select_server_ctx(s, arg, 0)) { 234 *al = SSL_AD_UNRECOGNIZED_NAME; 235 return SSL_CLIENT_HELLO_ERROR; 236 } 237 return SSL_CLIENT_HELLO_SUCCESS; 238 } 239 240 static int client_hello_nov12_cb(SSL *s, int *al, void *arg) 241 { 242 int ret; 243 unsigned int v; 244 const unsigned char *p; 245 246 v = SSL_client_hello_get0_legacy_version(s); 247 if (v > TLS1_2_VERSION || v < SSL3_VERSION) { 248 *al = SSL_AD_PROTOCOL_VERSION; 249 return SSL_CLIENT_HELLO_ERROR; 250 } 251 (void)SSL_client_hello_get0_session_id(s, &p); 252 if (p == NULL || 253 SSL_client_hello_get0_random(s, &p) == 0 || 254 SSL_client_hello_get0_ciphers(s, &p) == 0 || 255 SSL_client_hello_get0_compression_methods(s, &p) == 0) { 256 *al = SSL_AD_INTERNAL_ERROR; 257 return SSL_CLIENT_HELLO_ERROR; 258 } 259 ret = client_hello_select_server_ctx(s, arg, 0); 260 SSL_set_max_proto_version(s, TLS1_1_VERSION); 261 if (!ret) { 262 *al = SSL_AD_UNRECOGNIZED_NAME; 263 return SSL_CLIENT_HELLO_ERROR; 264 } 265 return SSL_CLIENT_HELLO_SUCCESS; 266 } 267 268 static unsigned char dummy_ocsp_resp_good_val = 0xff; 269 static unsigned char dummy_ocsp_resp_bad_val = 0xfe; 270 271 static int server_ocsp_cb(SSL *s, void *arg) 272 { 273 unsigned char *resp; 274 275 resp = OPENSSL_malloc(1); 276 if (resp == NULL) 277 return SSL_TLSEXT_ERR_ALERT_FATAL; 278 /* 279 * For the purposes of testing we just send back a dummy OCSP response 280 */ 281 *resp = *(unsigned char *)arg; 282 if (!SSL_set_tlsext_status_ocsp_resp(s, resp, 1)) { 283 OPENSSL_free(resp); 284 return SSL_TLSEXT_ERR_ALERT_FATAL; 285 } 286 287 return SSL_TLSEXT_ERR_OK; 288 } 289 290 static int client_ocsp_cb(SSL *s, void *arg) 291 { 292 const unsigned char *resp; 293 int len; 294 295 len = SSL_get_tlsext_status_ocsp_resp(s, &resp); 296 if (len != 1 || *resp != dummy_ocsp_resp_good_val) 297 return 0; 298 299 return 1; 300 } 301 302 static int verify_reject_cb(X509_STORE_CTX *ctx, void *arg) { 303 X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION); 304 return 0; 305 } 306 307 static int n_retries = 0; 308 static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg) { 309 int idx = SSL_get_ex_data_X509_STORE_CTX_idx(); 310 SSL *ssl; 311 312 /* this should not happen but check anyway */ 313 if (idx < 0 314 || (ssl = X509_STORE_CTX_get_ex_data(ctx, idx)) == NULL) 315 return 0; 316 317 if (--n_retries < 0) 318 return 1; 319 320 return SSL_set_retry_verify(ssl); 321 } 322 323 static int verify_accept_cb(X509_STORE_CTX *ctx, void *arg) { 324 return 1; 325 } 326 327 static int broken_session_ticket_cb(SSL *s, unsigned char *key_name, 328 unsigned char *iv, EVP_CIPHER_CTX *ctx, 329 EVP_MAC_CTX *hctx, int enc) 330 { 331 return 0; 332 } 333 334 static int do_not_call_session_ticket_cb(SSL *s, unsigned char *key_name, 335 unsigned char *iv, 336 EVP_CIPHER_CTX *ctx, 337 EVP_MAC_CTX *hctx, int enc) 338 { 339 HANDSHAKE_EX_DATA *ex_data = 340 (HANDSHAKE_EX_DATA*)(SSL_get_ex_data(s, ex_data_idx)); 341 ex_data->session_ticket_do_not_call = 1; 342 return 0; 343 } 344 345 /* Parse the comma-separated list into TLS format. */ 346 static int parse_protos(const char *protos, unsigned char **out, size_t *outlen) 347 { 348 size_t len, i, prefix; 349 350 len = strlen(protos); 351 352 if (len == 0) { 353 *out = NULL; 354 *outlen = 0; 355 return 1; 356 } 357 358 /* Should never have reuse. */ 359 if (!TEST_ptr_null(*out) 360 /* Test values are small, so we omit length limit checks. */ 361 || !TEST_ptr(*out = OPENSSL_malloc(len + 1))) 362 return 0; 363 *outlen = len + 1; 364 365 /* 366 * foo => '3', 'f', 'o', 'o' 367 * foo,bar => '3', 'f', 'o', 'o', '3', 'b', 'a', 'r' 368 */ 369 memcpy(*out + 1, protos, len); 370 371 prefix = 0; 372 i = prefix + 1; 373 while (i <= len) { 374 if ((*out)[i] == ',') { 375 if (!TEST_int_gt(i - 1, prefix)) 376 goto err; 377 (*out)[prefix] = (unsigned char)(i - 1 - prefix); 378 prefix = i; 379 } 380 i++; 381 } 382 if (!TEST_int_gt(len, prefix)) 383 goto err; 384 (*out)[prefix] = (unsigned char)(len - prefix); 385 return 1; 386 387 err: 388 OPENSSL_free(*out); 389 *out = NULL; 390 return 0; 391 } 392 393 #ifndef OPENSSL_NO_NEXTPROTONEG 394 /* 395 * The client SHOULD select the first protocol advertised by the server that it 396 * also supports. In the event that the client doesn't support any of server's 397 * protocols, or the server doesn't advertise any, it SHOULD select the first 398 * protocol that it supports. 399 */ 400 static int client_npn_cb(SSL *s, unsigned char **out, unsigned char *outlen, 401 const unsigned char *in, unsigned int inlen, 402 void *arg) 403 { 404 CTX_DATA *ctx_data = (CTX_DATA*)(arg); 405 int ret; 406 407 ret = SSL_select_next_proto(out, outlen, in, inlen, 408 ctx_data->npn_protocols, 409 ctx_data->npn_protocols_len); 410 /* Accept both OPENSSL_NPN_NEGOTIATED and OPENSSL_NPN_NO_OVERLAP. */ 411 return TEST_true(ret == OPENSSL_NPN_NEGOTIATED || ret == OPENSSL_NPN_NO_OVERLAP) 412 ? SSL_TLSEXT_ERR_OK : SSL_TLSEXT_ERR_ALERT_FATAL; 413 } 414 415 static int server_npn_cb(SSL *s, const unsigned char **data, 416 unsigned int *len, void *arg) 417 { 418 CTX_DATA *ctx_data = (CTX_DATA*)(arg); 419 *data = ctx_data->npn_protocols; 420 *len = ctx_data->npn_protocols_len; 421 return SSL_TLSEXT_ERR_OK; 422 } 423 #endif 424 425 /* 426 * The server SHOULD select the most highly preferred protocol that it supports 427 * and that is also advertised by the client. In the event that the server 428 * supports no protocols that the client advertises, then the server SHALL 429 * respond with a fatal "no_application_protocol" alert. 430 */ 431 static int server_alpn_cb(SSL *s, const unsigned char **out, 432 unsigned char *outlen, const unsigned char *in, 433 unsigned int inlen, void *arg) 434 { 435 CTX_DATA *ctx_data = (CTX_DATA*)(arg); 436 int ret; 437 438 /* SSL_select_next_proto isn't const-correct... */ 439 unsigned char *tmp_out; 440 441 /* 442 * The result points either to |in| or to |ctx_data->alpn_protocols|. 443 * The callback is allowed to point to |in| or to a long-lived buffer, 444 * so we can return directly without storing a copy. 445 */ 446 ret = SSL_select_next_proto(&tmp_out, outlen, 447 ctx_data->alpn_protocols, 448 ctx_data->alpn_protocols_len, in, inlen); 449 450 *out = tmp_out; 451 /* Unlike NPN, we don't tolerate a mismatch. */ 452 return ret == OPENSSL_NPN_NEGOTIATED ? SSL_TLSEXT_ERR_OK 453 : SSL_TLSEXT_ERR_ALERT_FATAL; 454 } 455 456 static int generate_session_ticket_cb(SSL *s, void *arg) 457 { 458 CTX_DATA *server_ctx_data = arg; 459 SSL_SESSION *ss = SSL_get_session(s); 460 char *app_data = server_ctx_data->session_ticket_app_data; 461 462 if (ss == NULL || app_data == NULL) 463 return 0; 464 465 return SSL_SESSION_set1_ticket_appdata(ss, app_data, strlen(app_data)); 466 } 467 468 static int decrypt_session_ticket_cb(SSL *s, SSL_SESSION *ss, 469 const unsigned char *keyname, 470 size_t keyname_len, 471 SSL_TICKET_STATUS status, 472 void *arg) 473 { 474 switch (status) { 475 case SSL_TICKET_EMPTY: 476 case SSL_TICKET_NO_DECRYPT: 477 return SSL_TICKET_RETURN_IGNORE_RENEW; 478 case SSL_TICKET_SUCCESS: 479 return SSL_TICKET_RETURN_USE; 480 case SSL_TICKET_SUCCESS_RENEW: 481 return SSL_TICKET_RETURN_USE_RENEW; 482 default: 483 break; 484 } 485 return SSL_TICKET_RETURN_ABORT; 486 } 487 488 /* 489 * Configure callbacks and other properties that can't be set directly 490 * in the server/client CONF. 491 */ 492 static int configure_handshake_ctx(SSL_CTX *server_ctx, SSL_CTX *server2_ctx, 493 SSL_CTX *client_ctx, 494 const SSL_TEST_CTX *test, 495 const SSL_TEST_EXTRA_CONF *extra, 496 CTX_DATA *server_ctx_data, 497 CTX_DATA *server2_ctx_data, 498 CTX_DATA *client_ctx_data) 499 { 500 unsigned char *ticket_keys; 501 size_t ticket_key_len; 502 503 if (!TEST_int_eq(SSL_CTX_set_max_send_fragment(server_ctx, 504 test->max_fragment_size), 1)) 505 goto err; 506 if (server2_ctx != NULL) { 507 if (!TEST_int_eq(SSL_CTX_set_max_send_fragment(server2_ctx, 508 test->max_fragment_size), 509 1)) 510 goto err; 511 } 512 if (!TEST_int_eq(SSL_CTX_set_max_send_fragment(client_ctx, 513 test->max_fragment_size), 1)) 514 goto err; 515 516 switch (extra->client.verify_callback) { 517 case SSL_TEST_VERIFY_ACCEPT_ALL: 518 SSL_CTX_set_cert_verify_callback(client_ctx, &verify_accept_cb, NULL); 519 break; 520 case SSL_TEST_VERIFY_RETRY_ONCE: 521 n_retries = 1; 522 SSL_CTX_set_cert_verify_callback(client_ctx, &verify_retry_cb, NULL); 523 break; 524 case SSL_TEST_VERIFY_REJECT_ALL: 525 SSL_CTX_set_cert_verify_callback(client_ctx, &verify_reject_cb, NULL); 526 break; 527 case SSL_TEST_VERIFY_NONE: 528 break; 529 } 530 531 switch (extra->client.max_fragment_len_mode) { 532 case TLSEXT_max_fragment_length_512: 533 case TLSEXT_max_fragment_length_1024: 534 case TLSEXT_max_fragment_length_2048: 535 case TLSEXT_max_fragment_length_4096: 536 case TLSEXT_max_fragment_length_DISABLED: 537 SSL_CTX_set_tlsext_max_fragment_length( 538 client_ctx, extra->client.max_fragment_len_mode); 539 break; 540 } 541 542 /* 543 * Link the two contexts for SNI purposes. 544 * Also do ClientHello callbacks here, as setting both ClientHello and SNI 545 * is bad. 546 */ 547 switch (extra->server.servername_callback) { 548 case SSL_TEST_SERVERNAME_IGNORE_MISMATCH: 549 SSL_CTX_set_tlsext_servername_callback(server_ctx, servername_ignore_cb); 550 SSL_CTX_set_tlsext_servername_arg(server_ctx, server2_ctx); 551 break; 552 case SSL_TEST_SERVERNAME_REJECT_MISMATCH: 553 SSL_CTX_set_tlsext_servername_callback(server_ctx, servername_reject_cb); 554 SSL_CTX_set_tlsext_servername_arg(server_ctx, server2_ctx); 555 break; 556 case SSL_TEST_SERVERNAME_CB_NONE: 557 break; 558 case SSL_TEST_SERVERNAME_CLIENT_HELLO_IGNORE_MISMATCH: 559 SSL_CTX_set_client_hello_cb(server_ctx, client_hello_ignore_cb, server2_ctx); 560 break; 561 case SSL_TEST_SERVERNAME_CLIENT_HELLO_REJECT_MISMATCH: 562 SSL_CTX_set_client_hello_cb(server_ctx, client_hello_reject_cb, server2_ctx); 563 break; 564 case SSL_TEST_SERVERNAME_CLIENT_HELLO_NO_V12: 565 SSL_CTX_set_client_hello_cb(server_ctx, client_hello_nov12_cb, server2_ctx); 566 } 567 568 if (extra->server.cert_status != SSL_TEST_CERT_STATUS_NONE) { 569 SSL_CTX_set_tlsext_status_type(client_ctx, TLSEXT_STATUSTYPE_ocsp); 570 SSL_CTX_set_tlsext_status_cb(client_ctx, client_ocsp_cb); 571 SSL_CTX_set_tlsext_status_arg(client_ctx, NULL); 572 SSL_CTX_set_tlsext_status_cb(server_ctx, server_ocsp_cb); 573 SSL_CTX_set_tlsext_status_arg(server_ctx, 574 ((extra->server.cert_status == SSL_TEST_CERT_STATUS_GOOD_RESPONSE) 575 ? &dummy_ocsp_resp_good_val : &dummy_ocsp_resp_bad_val)); 576 } 577 578 /* 579 * The initial_ctx/session_ctx always handles the encrypt/decrypt of the 580 * session ticket. This ticket_key callback is assigned to the second 581 * session (assigned via SNI), and should never be invoked 582 */ 583 if (server2_ctx != NULL) 584 SSL_CTX_set_tlsext_ticket_key_evp_cb(server2_ctx, 585 do_not_call_session_ticket_cb); 586 587 if (extra->server.broken_session_ticket) { 588 SSL_CTX_set_tlsext_ticket_key_evp_cb(server_ctx, 589 broken_session_ticket_cb); 590 } 591 #ifndef OPENSSL_NO_NEXTPROTONEG 592 if (extra->server.npn_protocols != NULL) { 593 if (!TEST_true(parse_protos(extra->server.npn_protocols, 594 &server_ctx_data->npn_protocols, 595 &server_ctx_data->npn_protocols_len))) 596 goto err; 597 SSL_CTX_set_npn_advertised_cb(server_ctx, server_npn_cb, 598 server_ctx_data); 599 } 600 if (extra->server2.npn_protocols != NULL) { 601 if (!TEST_true(parse_protos(extra->server2.npn_protocols, 602 &server2_ctx_data->npn_protocols, 603 &server2_ctx_data->npn_protocols_len)) 604 || !TEST_ptr(server2_ctx)) 605 goto err; 606 SSL_CTX_set_npn_advertised_cb(server2_ctx, server_npn_cb, 607 server2_ctx_data); 608 } 609 if (extra->client.npn_protocols != NULL) { 610 if (!TEST_true(parse_protos(extra->client.npn_protocols, 611 &client_ctx_data->npn_protocols, 612 &client_ctx_data->npn_protocols_len))) 613 goto err; 614 SSL_CTX_set_next_proto_select_cb(client_ctx, client_npn_cb, 615 client_ctx_data); 616 } 617 #endif 618 if (extra->server.alpn_protocols != NULL) { 619 if (!TEST_true(parse_protos(extra->server.alpn_protocols, 620 &server_ctx_data->alpn_protocols, 621 &server_ctx_data->alpn_protocols_len))) 622 goto err; 623 SSL_CTX_set_alpn_select_cb(server_ctx, server_alpn_cb, server_ctx_data); 624 } 625 if (extra->server2.alpn_protocols != NULL) { 626 if (!TEST_ptr(server2_ctx) 627 || !TEST_true(parse_protos(extra->server2.alpn_protocols, 628 &server2_ctx_data->alpn_protocols, 629 &server2_ctx_data->alpn_protocols_len 630 ))) 631 goto err; 632 SSL_CTX_set_alpn_select_cb(server2_ctx, server_alpn_cb, 633 server2_ctx_data); 634 } 635 if (extra->client.alpn_protocols != NULL) { 636 unsigned char *alpn_protos = NULL; 637 size_t alpn_protos_len = 0; 638 639 if (!TEST_true(parse_protos(extra->client.alpn_protocols, 640 &alpn_protos, &alpn_protos_len)) 641 /* Reversed return value convention... */ 642 || !TEST_int_eq(SSL_CTX_set_alpn_protos(client_ctx, alpn_protos, 643 alpn_protos_len), 0)) 644 goto err; 645 OPENSSL_free(alpn_protos); 646 } 647 648 if (extra->server.session_ticket_app_data != NULL) { 649 server_ctx_data->session_ticket_app_data = 650 OPENSSL_strdup(extra->server.session_ticket_app_data); 651 if (!TEST_ptr(server_ctx_data->session_ticket_app_data)) 652 goto err; 653 SSL_CTX_set_session_ticket_cb(server_ctx, generate_session_ticket_cb, 654 decrypt_session_ticket_cb, server_ctx_data); 655 } 656 if (extra->server2.session_ticket_app_data != NULL) { 657 if (!TEST_ptr(server2_ctx)) 658 goto err; 659 server2_ctx_data->session_ticket_app_data = 660 OPENSSL_strdup(extra->server2.session_ticket_app_data); 661 if (!TEST_ptr(server2_ctx_data->session_ticket_app_data)) 662 goto err; 663 SSL_CTX_set_session_ticket_cb(server2_ctx, NULL, 664 decrypt_session_ticket_cb, server2_ctx_data); 665 } 666 667 /* 668 * Use fixed session ticket keys so that we can decrypt a ticket created with 669 * one CTX in another CTX. Don't address server2 for the moment. 670 */ 671 ticket_key_len = SSL_CTX_set_tlsext_ticket_keys(server_ctx, NULL, 0); 672 if (!TEST_ptr(ticket_keys = OPENSSL_zalloc(ticket_key_len)) 673 || !TEST_int_eq(SSL_CTX_set_tlsext_ticket_keys(server_ctx, 674 ticket_keys, 675 ticket_key_len), 1)) { 676 OPENSSL_free(ticket_keys); 677 goto err; 678 } 679 OPENSSL_free(ticket_keys); 680 681 /* The default log list includes EC keys, so CT can't work without EC. */ 682 #if !defined(OPENSSL_NO_CT) && !defined(OPENSSL_NO_EC) 683 if (!TEST_true(SSL_CTX_set_default_ctlog_list_file(client_ctx))) 684 goto err; 685 switch (extra->client.ct_validation) { 686 case SSL_TEST_CT_VALIDATION_PERMISSIVE: 687 if (!TEST_true(SSL_CTX_enable_ct(client_ctx, 688 SSL_CT_VALIDATION_PERMISSIVE))) 689 goto err; 690 break; 691 case SSL_TEST_CT_VALIDATION_STRICT: 692 if (!TEST_true(SSL_CTX_enable_ct(client_ctx, SSL_CT_VALIDATION_STRICT))) 693 goto err; 694 break; 695 case SSL_TEST_CT_VALIDATION_NONE: 696 break; 697 } 698 #endif 699 #ifndef OPENSSL_NO_SRP 700 if (!configure_handshake_ctx_for_srp(server_ctx, server2_ctx, client_ctx, 701 extra, server_ctx_data, 702 server2_ctx_data, client_ctx_data)) 703 goto err; 704 #endif /* !OPENSSL_NO_SRP */ 705 #ifndef OPENSSL_NO_COMP_ALG 706 if (test->compress_certificates) { 707 if (!TEST_true(SSL_CTX_compress_certs(server_ctx, 0))) 708 goto err; 709 if (server2_ctx != NULL && !TEST_true(SSL_CTX_compress_certs(server2_ctx, 0))) 710 goto err; 711 } 712 #endif 713 return 1; 714 err: 715 return 0; 716 } 717 718 /* Configure per-SSL callbacks and other properties. */ 719 static void configure_handshake_ssl(SSL *server, SSL *client, 720 const SSL_TEST_EXTRA_CONF *extra) 721 { 722 if (extra->client.servername != SSL_TEST_SERVERNAME_NONE) 723 SSL_set_tlsext_host_name(client, 724 ssl_servername_name(extra->client.servername)); 725 if (extra->client.enable_pha) 726 SSL_set_post_handshake_auth(client, 1); 727 } 728 729 /* The status for each connection phase. */ 730 typedef enum { 731 PEER_SUCCESS, 732 PEER_RETRY, 733 PEER_ERROR, 734 PEER_WAITING, 735 PEER_TEST_FAILURE 736 } peer_status_t; 737 738 /* An SSL object and associated read-write buffers. */ 739 typedef struct peer_st { 740 SSL *ssl; 741 /* Buffer lengths are int to match the SSL read/write API. */ 742 unsigned char *write_buf; 743 int write_buf_len; 744 unsigned char *read_buf; 745 int read_buf_len; 746 int bytes_to_write; 747 int bytes_to_read; 748 peer_status_t status; 749 } PEER; 750 751 static int create_peer(PEER *peer, SSL_CTX *ctx) 752 { 753 static const int peer_buffer_size = 64 * 1024; 754 SSL *ssl = NULL; 755 unsigned char *read_buf = NULL, *write_buf = NULL; 756 757 if (!TEST_ptr(ssl = SSL_new(ctx)) 758 || !TEST_ptr(write_buf = OPENSSL_zalloc(peer_buffer_size)) 759 || !TEST_ptr(read_buf = OPENSSL_zalloc(peer_buffer_size))) 760 goto err; 761 762 peer->ssl = ssl; 763 peer->write_buf = write_buf; 764 peer->read_buf = read_buf; 765 peer->write_buf_len = peer->read_buf_len = peer_buffer_size; 766 return 1; 767 err: 768 SSL_free(ssl); 769 OPENSSL_free(write_buf); 770 OPENSSL_free(read_buf); 771 return 0; 772 } 773 774 static void peer_free_data(PEER *peer) 775 { 776 SSL_free(peer->ssl); 777 OPENSSL_free(peer->write_buf); 778 OPENSSL_free(peer->read_buf); 779 } 780 781 /* 782 * Note that we could do the handshake transparently under an SSL_write, 783 * but separating the steps is more helpful for debugging test failures. 784 */ 785 static void do_handshake_step(PEER *peer) 786 { 787 if (!TEST_int_eq(peer->status, PEER_RETRY)) { 788 peer->status = PEER_TEST_FAILURE; 789 } else { 790 int ret = SSL_do_handshake(peer->ssl); 791 792 if (ret == 1) { 793 peer->status = PEER_SUCCESS; 794 } else if (ret == 0) { 795 peer->status = PEER_ERROR; 796 } else { 797 int error = SSL_get_error(peer->ssl, ret); 798 799 /* Memory bios should never block with SSL_ERROR_WANT_WRITE. */ 800 if (error != SSL_ERROR_WANT_READ 801 && error != SSL_ERROR_WANT_RETRY_VERIFY) 802 peer->status = PEER_ERROR; 803 } 804 } 805 } 806 807 /*- 808 * Send/receive some application data. The read-write sequence is 809 * Peer A: (R) W - first read will yield no data 810 * Peer B: R W 811 * ... 812 * Peer A: R W 813 * Peer B: R W 814 * Peer A: R 815 */ 816 static void do_app_data_step(PEER *peer) 817 { 818 int ret = 1, write_bytes; 819 820 if (!TEST_int_eq(peer->status, PEER_RETRY)) { 821 peer->status = PEER_TEST_FAILURE; 822 return; 823 } 824 825 /* We read everything available... */ 826 while (ret > 0 && peer->bytes_to_read) { 827 ret = SSL_read(peer->ssl, peer->read_buf, peer->read_buf_len); 828 if (ret > 0) { 829 if (!TEST_int_le(ret, peer->bytes_to_read)) { 830 peer->status = PEER_TEST_FAILURE; 831 return; 832 } 833 peer->bytes_to_read -= ret; 834 } else if (ret == 0) { 835 peer->status = PEER_ERROR; 836 return; 837 } else { 838 int error = SSL_get_error(peer->ssl, ret); 839 if (error != SSL_ERROR_WANT_READ) { 840 peer->status = PEER_ERROR; 841 return; 842 } /* Else continue with write. */ 843 } 844 } 845 846 /* ... but we only write one write-buffer-full of data. */ 847 write_bytes = peer->bytes_to_write < peer->write_buf_len ? peer->bytes_to_write : 848 peer->write_buf_len; 849 if (write_bytes) { 850 ret = SSL_write(peer->ssl, peer->write_buf, write_bytes); 851 if (ret > 0) { 852 /* SSL_write will only succeed with a complete write. */ 853 if (!TEST_int_eq(ret, write_bytes)) { 854 peer->status = PEER_TEST_FAILURE; 855 return; 856 } 857 peer->bytes_to_write -= ret; 858 } else { 859 /* 860 * We should perhaps check for SSL_ERROR_WANT_READ/WRITE here 861 * but this doesn't yet occur with current app data sizes. 862 */ 863 peer->status = PEER_ERROR; 864 return; 865 } 866 } 867 868 /* 869 * We could simply finish when there was nothing to read, and we have 870 * nothing left to write. But keeping track of the expected number of bytes 871 * to read gives us somewhat better guarantees that all data sent is in fact 872 * received. 873 */ 874 if (peer->bytes_to_write == 0 && peer->bytes_to_read == 0) { 875 peer->status = PEER_SUCCESS; 876 } 877 } 878 879 static void do_reneg_setup_step(const SSL_TEST_CTX *test_ctx, PEER *peer) 880 { 881 int ret; 882 char buf; 883 884 if (peer->status == PEER_SUCCESS) { 885 /* 886 * We are a client that succeeded this step previously, but the server 887 * wanted to retry. Probably there is a no_renegotiation warning alert 888 * waiting for us. Attempt to continue the handshake. 889 */ 890 peer->status = PEER_RETRY; 891 do_handshake_step(peer); 892 return; 893 } 894 895 if (!TEST_int_eq(peer->status, PEER_RETRY) 896 || !TEST_true(test_ctx->handshake_mode 897 == SSL_TEST_HANDSHAKE_RENEG_SERVER 898 || test_ctx->handshake_mode 899 == SSL_TEST_HANDSHAKE_RENEG_CLIENT 900 || test_ctx->handshake_mode 901 == SSL_TEST_HANDSHAKE_KEY_UPDATE_SERVER 902 || test_ctx->handshake_mode 903 == SSL_TEST_HANDSHAKE_KEY_UPDATE_CLIENT 904 || test_ctx->handshake_mode 905 == SSL_TEST_HANDSHAKE_POST_HANDSHAKE_AUTH)) { 906 peer->status = PEER_TEST_FAILURE; 907 return; 908 } 909 910 /* Reset the count of the amount of app data we need to read/write */ 911 peer->bytes_to_write = peer->bytes_to_read = test_ctx->app_data_size; 912 913 /* Check if we are the peer that is going to initiate */ 914 if ((test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_RENEG_SERVER 915 && SSL_is_server(peer->ssl)) 916 || (test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_RENEG_CLIENT 917 && !SSL_is_server(peer->ssl))) { 918 /* 919 * If we already asked for a renegotiation then fall through to the 920 * SSL_read() below. 921 */ 922 if (!SSL_renegotiate_pending(peer->ssl)) { 923 /* 924 * If we are the client we will always attempt to resume the 925 * session. The server may or may not resume dependent on the 926 * setting of SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 927 */ 928 if (SSL_is_server(peer->ssl)) { 929 ret = SSL_renegotiate(peer->ssl); 930 } else { 931 int full_reneg = 0; 932 933 if (test_ctx->extra.client.no_extms_on_reneg) { 934 SSL_set_options(peer->ssl, SSL_OP_NO_EXTENDED_MASTER_SECRET); 935 full_reneg = 1; 936 } 937 if (test_ctx->extra.client.reneg_ciphers != NULL) { 938 if (!SSL_set_cipher_list(peer->ssl, 939 test_ctx->extra.client.reneg_ciphers)) { 940 peer->status = PEER_ERROR; 941 return; 942 } 943 full_reneg = 1; 944 } 945 if (full_reneg) 946 ret = SSL_renegotiate(peer->ssl); 947 else 948 ret = SSL_renegotiate_abbreviated(peer->ssl); 949 } 950 if (!ret) { 951 peer->status = PEER_ERROR; 952 return; 953 } 954 do_handshake_step(peer); 955 /* 956 * If status is PEER_RETRY it means we're waiting on the peer to 957 * continue the handshake. As far as setting up the renegotiation is 958 * concerned that is a success. The next step will continue the 959 * handshake to its conclusion. 960 * 961 * If status is PEER_SUCCESS then we are the server and we have 962 * successfully sent the HelloRequest. We need to continue to wait 963 * until the handshake arrives from the client. 964 */ 965 if (peer->status == PEER_RETRY) 966 peer->status = PEER_SUCCESS; 967 else if (peer->status == PEER_SUCCESS) 968 peer->status = PEER_RETRY; 969 return; 970 } 971 } else if (test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_KEY_UPDATE_SERVER 972 || test_ctx->handshake_mode 973 == SSL_TEST_HANDSHAKE_KEY_UPDATE_CLIENT) { 974 if (SSL_is_server(peer->ssl) 975 != (test_ctx->handshake_mode 976 == SSL_TEST_HANDSHAKE_KEY_UPDATE_SERVER)) { 977 peer->status = PEER_SUCCESS; 978 return; 979 } 980 981 ret = SSL_key_update(peer->ssl, test_ctx->key_update_type); 982 if (!ret) { 983 peer->status = PEER_ERROR; 984 return; 985 } 986 do_handshake_step(peer); 987 /* 988 * This is a one step handshake. We shouldn't get anything other than 989 * PEER_SUCCESS 990 */ 991 if (peer->status != PEER_SUCCESS) 992 peer->status = PEER_ERROR; 993 return; 994 } else if (test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_POST_HANDSHAKE_AUTH) { 995 if (SSL_is_server(peer->ssl)) { 996 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(peer->ssl); 997 998 if (sc == NULL) { 999 peer->status = PEER_ERROR; 1000 return; 1001 } 1002 /* Make the server believe it's received the extension */ 1003 if (test_ctx->extra.server.force_pha) 1004 sc->post_handshake_auth = SSL_PHA_EXT_RECEIVED; 1005 ret = SSL_verify_client_post_handshake(peer->ssl); 1006 if (!ret) { 1007 peer->status = PEER_ERROR; 1008 return; 1009 } 1010 } 1011 do_handshake_step(peer); 1012 /* 1013 * This is a one step handshake. We shouldn't get anything other than 1014 * PEER_SUCCESS 1015 */ 1016 if (peer->status != PEER_SUCCESS) 1017 peer->status = PEER_ERROR; 1018 return; 1019 } 1020 1021 /* 1022 * The SSL object is still expecting app data, even though it's going to 1023 * get a handshake message. We try to read, and it should fail - after which 1024 * we should be in a handshake 1025 */ 1026 ret = SSL_read(peer->ssl, &buf, sizeof(buf)); 1027 if (ret >= 0) { 1028 /* 1029 * We're not actually expecting data - we're expecting a reneg to 1030 * start 1031 */ 1032 peer->status = PEER_ERROR; 1033 return; 1034 } else { 1035 int error = SSL_get_error(peer->ssl, ret); 1036 if (error != SSL_ERROR_WANT_READ) { 1037 peer->status = PEER_ERROR; 1038 return; 1039 } 1040 /* If we're not in init yet then we're not done with setup yet */ 1041 if (!SSL_in_init(peer->ssl)) 1042 return; 1043 } 1044 1045 peer->status = PEER_SUCCESS; 1046 } 1047 1048 1049 /* 1050 * RFC 5246 says: 1051 * 1052 * Note that as of TLS 1.1, 1053 * failure to properly close a connection no longer requires that a 1054 * session not be resumed. This is a change from TLS 1.0 to conform 1055 * with widespread implementation practice. 1056 * 1057 * However, 1058 * (a) OpenSSL requires that a connection be shutdown for all protocol versions. 1059 * (b) We test lower versions, too. 1060 * So we just implement shutdown. We do a full bidirectional shutdown so that we 1061 * can compare sent and received close_notify alerts and get some test coverage 1062 * for SSL_shutdown as a bonus. 1063 */ 1064 static void do_shutdown_step(PEER *peer) 1065 { 1066 int ret; 1067 1068 if (!TEST_int_eq(peer->status, PEER_RETRY)) { 1069 peer->status = PEER_TEST_FAILURE; 1070 return; 1071 } 1072 ret = SSL_shutdown(peer->ssl); 1073 1074 if (ret == 1) { 1075 peer->status = PEER_SUCCESS; 1076 } else if (ret < 0) { /* On 0, we retry. */ 1077 int error = SSL_get_error(peer->ssl, ret); 1078 1079 if (error != SSL_ERROR_WANT_READ && error != SSL_ERROR_WANT_WRITE) 1080 peer->status = PEER_ERROR; 1081 } 1082 } 1083 1084 typedef enum { 1085 HANDSHAKE, 1086 RENEG_APPLICATION_DATA, 1087 RENEG_SETUP, 1088 RENEG_HANDSHAKE, 1089 APPLICATION_DATA, 1090 SHUTDOWN, 1091 CONNECTION_DONE 1092 } connect_phase_t; 1093 1094 1095 static int renegotiate_op(const SSL_TEST_CTX *test_ctx) 1096 { 1097 switch (test_ctx->handshake_mode) { 1098 case SSL_TEST_HANDSHAKE_RENEG_SERVER: 1099 case SSL_TEST_HANDSHAKE_RENEG_CLIENT: 1100 return 1; 1101 default: 1102 return 0; 1103 } 1104 } 1105 static int post_handshake_op(const SSL_TEST_CTX *test_ctx) 1106 { 1107 switch (test_ctx->handshake_mode) { 1108 case SSL_TEST_HANDSHAKE_KEY_UPDATE_CLIENT: 1109 case SSL_TEST_HANDSHAKE_KEY_UPDATE_SERVER: 1110 case SSL_TEST_HANDSHAKE_POST_HANDSHAKE_AUTH: 1111 return 1; 1112 default: 1113 return 0; 1114 } 1115 } 1116 1117 static connect_phase_t next_phase(const SSL_TEST_CTX *test_ctx, 1118 connect_phase_t phase) 1119 { 1120 switch (phase) { 1121 case HANDSHAKE: 1122 if (renegotiate_op(test_ctx) || post_handshake_op(test_ctx)) 1123 return RENEG_APPLICATION_DATA; 1124 return APPLICATION_DATA; 1125 case RENEG_APPLICATION_DATA: 1126 return RENEG_SETUP; 1127 case RENEG_SETUP: 1128 if (post_handshake_op(test_ctx)) 1129 return APPLICATION_DATA; 1130 return RENEG_HANDSHAKE; 1131 case RENEG_HANDSHAKE: 1132 return APPLICATION_DATA; 1133 case APPLICATION_DATA: 1134 return SHUTDOWN; 1135 case SHUTDOWN: 1136 return CONNECTION_DONE; 1137 case CONNECTION_DONE: 1138 TEST_error("Trying to progress after connection done"); 1139 break; 1140 } 1141 return -1; 1142 } 1143 1144 static void do_connect_step(const SSL_TEST_CTX *test_ctx, PEER *peer, 1145 connect_phase_t phase) 1146 { 1147 switch (phase) { 1148 case HANDSHAKE: 1149 do_handshake_step(peer); 1150 break; 1151 case RENEG_APPLICATION_DATA: 1152 do_app_data_step(peer); 1153 break; 1154 case RENEG_SETUP: 1155 do_reneg_setup_step(test_ctx, peer); 1156 break; 1157 case RENEG_HANDSHAKE: 1158 do_handshake_step(peer); 1159 break; 1160 case APPLICATION_DATA: 1161 do_app_data_step(peer); 1162 break; 1163 case SHUTDOWN: 1164 do_shutdown_step(peer); 1165 break; 1166 case CONNECTION_DONE: 1167 TEST_error("Action after connection done"); 1168 break; 1169 } 1170 } 1171 1172 typedef enum { 1173 /* Both parties succeeded. */ 1174 HANDSHAKE_SUCCESS, 1175 /* Client errored. */ 1176 CLIENT_ERROR, 1177 /* Server errored. */ 1178 SERVER_ERROR, 1179 /* Peers are in inconsistent state. */ 1180 INTERNAL_ERROR, 1181 /* One or both peers not done. */ 1182 HANDSHAKE_RETRY 1183 } handshake_status_t; 1184 1185 /* 1186 * Determine the handshake outcome. 1187 * last_status: the status of the peer to have acted last. 1188 * previous_status: the status of the peer that didn't act last. 1189 * client_spoke_last: 1 if the client went last. 1190 */ 1191 static handshake_status_t handshake_status(peer_status_t last_status, 1192 peer_status_t previous_status, 1193 int client_spoke_last) 1194 { 1195 switch (last_status) { 1196 case PEER_TEST_FAILURE: 1197 return INTERNAL_ERROR; 1198 1199 case PEER_WAITING: 1200 /* Shouldn't ever happen */ 1201 return INTERNAL_ERROR; 1202 1203 case PEER_SUCCESS: 1204 switch (previous_status) { 1205 case PEER_TEST_FAILURE: 1206 return INTERNAL_ERROR; 1207 case PEER_SUCCESS: 1208 /* Both succeeded. */ 1209 return HANDSHAKE_SUCCESS; 1210 case PEER_WAITING: 1211 case PEER_RETRY: 1212 /* Let the first peer finish. */ 1213 return HANDSHAKE_RETRY; 1214 case PEER_ERROR: 1215 /* 1216 * Second peer succeeded despite the fact that the first peer 1217 * already errored. This shouldn't happen. 1218 */ 1219 return INTERNAL_ERROR; 1220 } 1221 break; 1222 1223 case PEER_RETRY: 1224 return HANDSHAKE_RETRY; 1225 1226 case PEER_ERROR: 1227 switch (previous_status) { 1228 case PEER_TEST_FAILURE: 1229 return INTERNAL_ERROR; 1230 case PEER_WAITING: 1231 /* The client failed immediately before sending the ClientHello */ 1232 return client_spoke_last ? CLIENT_ERROR : INTERNAL_ERROR; 1233 case PEER_SUCCESS: 1234 /* First peer succeeded but second peer errored. */ 1235 return client_spoke_last ? CLIENT_ERROR : SERVER_ERROR; 1236 case PEER_RETRY: 1237 /* We errored; let the peer finish. */ 1238 return HANDSHAKE_RETRY; 1239 case PEER_ERROR: 1240 /* Both peers errored. Return the one that errored first. */ 1241 return client_spoke_last ? SERVER_ERROR : CLIENT_ERROR; 1242 } 1243 } 1244 /* Control should never reach here. */ 1245 return INTERNAL_ERROR; 1246 } 1247 1248 /* Convert unsigned char buf's that shouldn't contain any NUL-bytes to char. */ 1249 static char *dup_str(const unsigned char *in, size_t len) 1250 { 1251 char *ret = NULL; 1252 1253 if (len == 0) 1254 return NULL; 1255 1256 /* Assert that the string does not contain NUL-bytes. */ 1257 if (TEST_size_t_eq(OPENSSL_strnlen((const char*)(in), len), len)) 1258 TEST_ptr(ret = OPENSSL_strndup((const char*)(in), len)); 1259 return ret; 1260 } 1261 1262 static int pkey_type(EVP_PKEY *pkey) 1263 { 1264 if (EVP_PKEY_is_a(pkey, "EC")) { 1265 char name[80]; 1266 size_t name_len; 1267 1268 if (!EVP_PKEY_get_group_name(pkey, name, sizeof(name), &name_len)) 1269 return NID_undef; 1270 return OBJ_txt2nid(name); 1271 } 1272 return EVP_PKEY_get_id(pkey); 1273 } 1274 1275 static int peer_pkey_type(SSL *s) 1276 { 1277 X509 *x = SSL_get0_peer_certificate(s); 1278 1279 if (x != NULL) 1280 return pkey_type(X509_get0_pubkey(x)); 1281 return NID_undef; 1282 } 1283 1284 #if !defined(OPENSSL_NO_SCTP) && !defined(OPENSSL_NO_SOCK) 1285 static int set_sock_as_sctp(int sock) 1286 { 1287 struct sctp_assocparams assocparams; 1288 struct sctp_rtoinfo rto_info; 1289 BIO *tmpbio; 1290 1291 /* 1292 * To allow tests to fail fast (within a second or so), reduce the 1293 * retransmission timeouts and the number of retransmissions. 1294 */ 1295 memset(&rto_info, 0, sizeof(struct sctp_rtoinfo)); 1296 rto_info.srto_initial = 100; 1297 rto_info.srto_max = 200; 1298 rto_info.srto_min = 50; 1299 (void)setsockopt(sock, IPPROTO_SCTP, SCTP_RTOINFO, 1300 (const void *)&rto_info, sizeof(struct sctp_rtoinfo)); 1301 memset(&assocparams, 0, sizeof(struct sctp_assocparams)); 1302 assocparams.sasoc_asocmaxrxt = 2; 1303 (void)setsockopt(sock, IPPROTO_SCTP, SCTP_ASSOCINFO, 1304 (const void *)&assocparams, 1305 sizeof(struct sctp_assocparams)); 1306 1307 /* 1308 * For SCTP we have to set various options on the socket prior to 1309 * connecting. This is done automatically by BIO_new_dgram_sctp(). 1310 * We don't actually need the created BIO though so we free it again 1311 * immediately. 1312 */ 1313 tmpbio = BIO_new_dgram_sctp(sock, BIO_NOCLOSE); 1314 1315 if (tmpbio == NULL) 1316 return 0; 1317 BIO_free(tmpbio); 1318 1319 return 1; 1320 } 1321 1322 static int create_sctp_socks(int *ssock, int *csock) 1323 { 1324 BIO_ADDRINFO *res = NULL; 1325 const BIO_ADDRINFO *ai = NULL; 1326 int lsock = INVALID_SOCKET, asock = INVALID_SOCKET; 1327 int consock = INVALID_SOCKET; 1328 int ret = 0; 1329 int family = 0; 1330 1331 if (BIO_sock_init() != 1) 1332 return 0; 1333 1334 /* 1335 * Port is 4463. It could be anything. It will fail if it's already being 1336 * used for some other SCTP service. It seems unlikely though so we don't 1337 * worry about it here. 1338 */ 1339 if (!BIO_lookup_ex(NULL, "4463", BIO_LOOKUP_SERVER, family, SOCK_STREAM, 1340 IPPROTO_SCTP, &res)) 1341 return 0; 1342 1343 for (ai = res; ai != NULL; ai = BIO_ADDRINFO_next(ai)) { 1344 family = BIO_ADDRINFO_family(ai); 1345 lsock = BIO_socket(family, SOCK_STREAM, IPPROTO_SCTP, 0); 1346 if (lsock == INVALID_SOCKET) { 1347 /* Maybe the kernel doesn't support the socket family, even if 1348 * BIO_lookup() added it in the returned result... 1349 */ 1350 continue; 1351 } 1352 1353 if (!set_sock_as_sctp(lsock) 1354 || !BIO_listen(lsock, BIO_ADDRINFO_address(ai), 1355 BIO_SOCK_REUSEADDR)) { 1356 BIO_closesocket(lsock); 1357 lsock = INVALID_SOCKET; 1358 continue; 1359 } 1360 1361 /* Success, don't try any more addresses */ 1362 break; 1363 } 1364 1365 if (lsock == INVALID_SOCKET) 1366 goto err; 1367 1368 BIO_ADDRINFO_free(res); 1369 res = NULL; 1370 1371 if (!BIO_lookup_ex(NULL, "4463", BIO_LOOKUP_CLIENT, family, SOCK_STREAM, 1372 IPPROTO_SCTP, &res)) 1373 goto err; 1374 1375 consock = BIO_socket(family, SOCK_STREAM, IPPROTO_SCTP, 0); 1376 if (consock == INVALID_SOCKET) 1377 goto err; 1378 1379 if (!set_sock_as_sctp(consock) 1380 || !BIO_connect(consock, BIO_ADDRINFO_address(res), 0) 1381 || !BIO_socket_nbio(consock, 1)) 1382 goto err; 1383 1384 asock = BIO_accept_ex(lsock, NULL, BIO_SOCK_NONBLOCK); 1385 if (asock == INVALID_SOCKET) 1386 goto err; 1387 1388 *csock = consock; 1389 *ssock = asock; 1390 consock = asock = INVALID_SOCKET; 1391 ret = 1; 1392 1393 err: 1394 BIO_ADDRINFO_free(res); 1395 if (consock != INVALID_SOCKET) 1396 BIO_closesocket(consock); 1397 if (lsock != INVALID_SOCKET) 1398 BIO_closesocket(lsock); 1399 if (asock != INVALID_SOCKET) 1400 BIO_closesocket(asock); 1401 return ret; 1402 } 1403 #endif 1404 1405 /* 1406 * Note that |extra| points to the correct client/server configuration 1407 * within |test_ctx|. When configuring the handshake, general mode settings 1408 * are taken from |test_ctx|, and client/server-specific settings should be 1409 * taken from |extra|. 1410 * 1411 * The configuration code should never reach into |test_ctx->extra| or 1412 * |test_ctx->resume_extra| directly. 1413 * 1414 * (We could refactor test mode settings into a substructure. This would result 1415 * in cleaner argument passing but would complicate the test configuration 1416 * parsing.) 1417 */ 1418 static HANDSHAKE_RESULT *do_handshake_internal( 1419 SSL_CTX *server_ctx, SSL_CTX *server2_ctx, SSL_CTX *client_ctx, 1420 const SSL_TEST_CTX *test_ctx, const SSL_TEST_EXTRA_CONF *extra, 1421 SSL_SESSION *session_in, SSL_SESSION *serv_sess_in, 1422 SSL_SESSION **session_out, SSL_SESSION **serv_sess_out) 1423 { 1424 PEER server, client; 1425 BIO *client_to_server = NULL, *server_to_client = NULL; 1426 HANDSHAKE_EX_DATA server_ex_data, client_ex_data; 1427 CTX_DATA client_ctx_data, server_ctx_data, server2_ctx_data; 1428 HANDSHAKE_RESULT *ret = HANDSHAKE_RESULT_new(); 1429 int client_turn = 1, client_turn_count = 0, client_wait_count = 0; 1430 connect_phase_t phase = HANDSHAKE; 1431 handshake_status_t status = HANDSHAKE_RETRY; 1432 const unsigned char* tick = NULL; 1433 size_t tick_len = 0; 1434 const unsigned char* sess_id = NULL; 1435 unsigned int sess_id_len = 0; 1436 SSL_SESSION* sess = NULL; 1437 const unsigned char *proto = NULL; 1438 /* API dictates unsigned int rather than size_t. */ 1439 unsigned int proto_len = 0; 1440 EVP_PKEY *tmp_key; 1441 const STACK_OF(X509_NAME) *names; 1442 time_t start; 1443 const char* cipher; 1444 1445 if (ret == NULL) 1446 return NULL; 1447 1448 memset(&server_ctx_data, 0, sizeof(server_ctx_data)); 1449 memset(&server2_ctx_data, 0, sizeof(server2_ctx_data)); 1450 memset(&client_ctx_data, 0, sizeof(client_ctx_data)); 1451 memset(&server, 0, sizeof(server)); 1452 memset(&client, 0, sizeof(client)); 1453 memset(&server_ex_data, 0, sizeof(server_ex_data)); 1454 memset(&client_ex_data, 0, sizeof(client_ex_data)); 1455 1456 if (!configure_handshake_ctx(server_ctx, server2_ctx, client_ctx, 1457 test_ctx, extra, &server_ctx_data, 1458 &server2_ctx_data, &client_ctx_data)) { 1459 TEST_note("configure_handshake_ctx"); 1460 HANDSHAKE_RESULT_free(ret); 1461 return NULL; 1462 } 1463 1464 #if !defined(OPENSSL_NO_SCTP) && !defined(OPENSSL_NO_SOCK) 1465 if (test_ctx->enable_client_sctp_label_bug) 1466 SSL_CTX_set_mode(client_ctx, SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG); 1467 if (test_ctx->enable_server_sctp_label_bug) 1468 SSL_CTX_set_mode(server_ctx, SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG); 1469 #endif 1470 1471 /* Setup SSL and buffers; additional configuration happens below. */ 1472 if (!create_peer(&server, server_ctx)) { 1473 TEST_note("creating server context"); 1474 goto err; 1475 } 1476 if (!create_peer(&client, client_ctx)) { 1477 TEST_note("creating client context"); 1478 goto err; 1479 } 1480 1481 server.bytes_to_write = client.bytes_to_read = test_ctx->app_data_size; 1482 client.bytes_to_write = server.bytes_to_read = test_ctx->app_data_size; 1483 1484 configure_handshake_ssl(server.ssl, client.ssl, extra); 1485 if (session_in != NULL) { 1486 SSL_SESSION_get_id(serv_sess_in, &sess_id_len); 1487 /* In case we're testing resumption without tickets. */ 1488 if ((sess_id_len > 0 1489 && !TEST_true(SSL_CTX_add_session(server_ctx, 1490 serv_sess_in))) 1491 || !TEST_true(SSL_set_session(client.ssl, session_in))) 1492 goto err; 1493 sess_id_len = 0; 1494 } 1495 1496 ret->result = SSL_TEST_INTERNAL_ERROR; 1497 1498 if (test_ctx->use_sctp) { 1499 #if !defined(OPENSSL_NO_SCTP) && !defined(OPENSSL_NO_SOCK) 1500 int csock, ssock; 1501 1502 if (create_sctp_socks(&ssock, &csock)) { 1503 client_to_server = BIO_new_dgram_sctp(csock, BIO_CLOSE); 1504 server_to_client = BIO_new_dgram_sctp(ssock, BIO_CLOSE); 1505 } 1506 #endif 1507 } else { 1508 client_to_server = BIO_new(BIO_s_mem()); 1509 server_to_client = BIO_new(BIO_s_mem()); 1510 } 1511 1512 if (!TEST_ptr(client_to_server) 1513 || !TEST_ptr(server_to_client)) 1514 goto err; 1515 1516 /* Non-blocking bio. */ 1517 BIO_set_nbio(client_to_server, 1); 1518 BIO_set_nbio(server_to_client, 1); 1519 1520 SSL_set_connect_state(client.ssl); 1521 SSL_set_accept_state(server.ssl); 1522 1523 /* The bios are now owned by the SSL object. */ 1524 if (test_ctx->use_sctp) { 1525 SSL_set_bio(client.ssl, client_to_server, client_to_server); 1526 SSL_set_bio(server.ssl, server_to_client, server_to_client); 1527 } else { 1528 SSL_set_bio(client.ssl, server_to_client, client_to_server); 1529 if (!TEST_int_gt(BIO_up_ref(server_to_client), 0) 1530 || !TEST_int_gt(BIO_up_ref(client_to_server), 0)) 1531 goto err; 1532 SSL_set_bio(server.ssl, client_to_server, server_to_client); 1533 } 1534 1535 ex_data_idx = SSL_get_ex_new_index(0, "ex data", NULL, NULL, NULL); 1536 if (!TEST_int_ge(ex_data_idx, 0) 1537 || !TEST_int_eq(SSL_set_ex_data(server.ssl, ex_data_idx, &server_ex_data), 1) 1538 || !TEST_int_eq(SSL_set_ex_data(client.ssl, ex_data_idx, &client_ex_data), 1)) 1539 goto err; 1540 1541 SSL_set_info_callback(server.ssl, &info_cb); 1542 SSL_set_info_callback(client.ssl, &info_cb); 1543 1544 client.status = PEER_RETRY; 1545 server.status = PEER_WAITING; 1546 1547 start = time(NULL); 1548 1549 /* 1550 * Half-duplex handshake loop. 1551 * Client and server speak to each other synchronously in the same process. 1552 * We use non-blocking BIOs, so whenever one peer blocks for read, it 1553 * returns PEER_RETRY to indicate that it's the other peer's turn to write. 1554 * The handshake succeeds once both peers have succeeded. If one peer 1555 * errors out, we also let the other peer retry (and presumably fail). 1556 */ 1557 for (;;) { 1558 if (client_turn) { 1559 do_connect_step(test_ctx, &client, phase); 1560 status = handshake_status(client.status, server.status, 1561 1 /* client went last */); 1562 if (server.status == PEER_WAITING) 1563 server.status = PEER_RETRY; 1564 } else { 1565 do_connect_step(test_ctx, &server, phase); 1566 status = handshake_status(server.status, client.status, 1567 0 /* server went last */); 1568 } 1569 1570 switch (status) { 1571 case HANDSHAKE_SUCCESS: 1572 client_turn_count = 0; 1573 phase = next_phase(test_ctx, phase); 1574 if (phase == CONNECTION_DONE) { 1575 ret->result = SSL_TEST_SUCCESS; 1576 goto err; 1577 } else { 1578 client.status = server.status = PEER_RETRY; 1579 /* 1580 * For now, client starts each phase. Since each phase is 1581 * started separately, we can later control this more 1582 * precisely, for example, to test client-initiated and 1583 * server-initiated shutdown. 1584 */ 1585 client_turn = 1; 1586 break; 1587 } 1588 case CLIENT_ERROR: 1589 ret->result = SSL_TEST_CLIENT_FAIL; 1590 goto err; 1591 case SERVER_ERROR: 1592 ret->result = SSL_TEST_SERVER_FAIL; 1593 goto err; 1594 case INTERNAL_ERROR: 1595 ret->result = SSL_TEST_INTERNAL_ERROR; 1596 goto err; 1597 case HANDSHAKE_RETRY: 1598 if (test_ctx->use_sctp) { 1599 if (time(NULL) - start > 3) { 1600 /* 1601 * We've waited for too long. Give up. 1602 */ 1603 ret->result = SSL_TEST_INTERNAL_ERROR; 1604 goto err; 1605 } 1606 /* 1607 * With "real" sockets we only swap to processing the peer 1608 * if they are expecting to retry. Otherwise we just retry the 1609 * same endpoint again. 1610 */ 1611 if ((client_turn && server.status == PEER_RETRY) 1612 || (!client_turn && client.status == PEER_RETRY)) 1613 client_turn ^= 1; 1614 } else { 1615 if (client_turn_count++ >= 2000) { 1616 /* 1617 * At this point, there's been so many PEER_RETRY in a row 1618 * that it's likely both sides are stuck waiting for a read. 1619 * It's time to give up. 1620 */ 1621 ret->result = SSL_TEST_INTERNAL_ERROR; 1622 goto err; 1623 } 1624 if (client_turn && server.status == PEER_SUCCESS) { 1625 /* 1626 * The server may finish before the client because the 1627 * client spends some turns processing NewSessionTickets. 1628 */ 1629 if (client_wait_count++ >= 2) { 1630 ret->result = SSL_TEST_INTERNAL_ERROR; 1631 goto err; 1632 } 1633 } else { 1634 /* Continue. */ 1635 client_turn ^= 1; 1636 } 1637 } 1638 break; 1639 } 1640 } 1641 err: 1642 ret->server_alert_sent = server_ex_data.alert_sent; 1643 ret->server_num_fatal_alerts_sent = server_ex_data.num_fatal_alerts_sent; 1644 ret->server_alert_received = client_ex_data.alert_received; 1645 ret->client_alert_sent = client_ex_data.alert_sent; 1646 ret->client_num_fatal_alerts_sent = client_ex_data.num_fatal_alerts_sent; 1647 ret->client_alert_received = server_ex_data.alert_received; 1648 ret->server_protocol = SSL_version(server.ssl); 1649 ret->client_protocol = SSL_version(client.ssl); 1650 ret->servername = server_ex_data.servername; 1651 if ((sess = SSL_get0_session(client.ssl)) != NULL) { 1652 SSL_SESSION_get0_ticket(sess, &tick, &tick_len); 1653 sess_id = SSL_SESSION_get_id(sess, &sess_id_len); 1654 } 1655 if (tick == NULL || tick_len == 0) 1656 ret->session_ticket = SSL_TEST_SESSION_TICKET_NO; 1657 else 1658 ret->session_ticket = SSL_TEST_SESSION_TICKET_YES; 1659 ret->compression = (SSL_get_current_compression(client.ssl) == NULL) 1660 ? SSL_TEST_COMPRESSION_NO 1661 : SSL_TEST_COMPRESSION_YES; 1662 if (sess_id == NULL || sess_id_len == 0) 1663 ret->session_id = SSL_TEST_SESSION_ID_NO; 1664 else 1665 ret->session_id = SSL_TEST_SESSION_ID_YES; 1666 ret->session_ticket_do_not_call = server_ex_data.session_ticket_do_not_call; 1667 1668 if (extra->client.verify_callback == SSL_TEST_VERIFY_RETRY_ONCE 1669 && n_retries != -1) 1670 ret->result = SSL_TEST_SERVER_FAIL; 1671 1672 #ifndef OPENSSL_NO_NEXTPROTONEG 1673 SSL_get0_next_proto_negotiated(client.ssl, &proto, &proto_len); 1674 ret->client_npn_negotiated = dup_str(proto, proto_len); 1675 1676 SSL_get0_next_proto_negotiated(server.ssl, &proto, &proto_len); 1677 ret->server_npn_negotiated = dup_str(proto, proto_len); 1678 #endif 1679 1680 SSL_get0_alpn_selected(client.ssl, &proto, &proto_len); 1681 ret->client_alpn_negotiated = dup_str(proto, proto_len); 1682 1683 SSL_get0_alpn_selected(server.ssl, &proto, &proto_len); 1684 ret->server_alpn_negotiated = dup_str(proto, proto_len); 1685 1686 if ((sess = SSL_get0_session(server.ssl)) != NULL) { 1687 SSL_SESSION_get0_ticket_appdata(sess, (void**)&tick, &tick_len); 1688 ret->result_session_ticket_app_data = OPENSSL_strndup((const char*)tick, tick_len); 1689 } 1690 1691 ret->client_resumed = SSL_session_reused(client.ssl); 1692 ret->server_resumed = SSL_session_reused(server.ssl); 1693 1694 cipher = SSL_CIPHER_get_name(SSL_get_current_cipher(client.ssl)); 1695 ret->cipher = dup_str((const unsigned char*)cipher, strlen(cipher)); 1696 1697 if (session_out != NULL) 1698 *session_out = SSL_get1_session(client.ssl); 1699 if (serv_sess_out != NULL) { 1700 SSL_SESSION *tmp = SSL_get_session(server.ssl); 1701 1702 /* 1703 * We create a fresh copy that is not in the server session ctx linked 1704 * list. 1705 */ 1706 if (tmp != NULL) 1707 *serv_sess_out = SSL_SESSION_dup(tmp); 1708 } 1709 1710 if (SSL_get_peer_tmp_key(client.ssl, &tmp_key)) { 1711 ret->tmp_key_type = pkey_type(tmp_key); 1712 EVP_PKEY_free(tmp_key); 1713 } 1714 1715 SSL_get_peer_signature_nid(client.ssl, &ret->server_sign_hash); 1716 SSL_get_peer_signature_nid(server.ssl, &ret->client_sign_hash); 1717 1718 SSL_get_peer_signature_type_nid(client.ssl, &ret->server_sign_type); 1719 SSL_get_peer_signature_type_nid(server.ssl, &ret->client_sign_type); 1720 1721 names = SSL_get0_peer_CA_list(client.ssl); 1722 if (names == NULL) 1723 ret->client_ca_names = NULL; 1724 else 1725 ret->client_ca_names = SSL_dup_CA_list(names); 1726 1727 names = SSL_get0_peer_CA_list(server.ssl); 1728 if (names == NULL) 1729 ret->server_ca_names = NULL; 1730 else 1731 ret->server_ca_names = SSL_dup_CA_list(names); 1732 1733 ret->server_cert_type = peer_pkey_type(client.ssl); 1734 ret->client_cert_type = peer_pkey_type(server.ssl); 1735 1736 ctx_data_free_data(&server_ctx_data); 1737 ctx_data_free_data(&server2_ctx_data); 1738 ctx_data_free_data(&client_ctx_data); 1739 1740 peer_free_data(&server); 1741 peer_free_data(&client); 1742 return ret; 1743 } 1744 1745 HANDSHAKE_RESULT *do_handshake(SSL_CTX *server_ctx, SSL_CTX *server2_ctx, 1746 SSL_CTX *client_ctx, SSL_CTX *resume_server_ctx, 1747 SSL_CTX *resume_client_ctx, 1748 const SSL_TEST_CTX *test_ctx) 1749 { 1750 HANDSHAKE_RESULT *result; 1751 SSL_SESSION *session = NULL, *serv_sess = NULL; 1752 1753 result = do_handshake_internal(server_ctx, server2_ctx, client_ctx, 1754 test_ctx, &test_ctx->extra, 1755 NULL, NULL, &session, &serv_sess); 1756 if (result == NULL 1757 || test_ctx->handshake_mode != SSL_TEST_HANDSHAKE_RESUME 1758 || result->result == SSL_TEST_INTERNAL_ERROR) 1759 goto end; 1760 1761 if (result->result != SSL_TEST_SUCCESS) { 1762 result->result = SSL_TEST_FIRST_HANDSHAKE_FAILED; 1763 goto end; 1764 } 1765 1766 HANDSHAKE_RESULT_free(result); 1767 /* We don't support SNI on second handshake yet, so server2_ctx is NULL. */ 1768 result = do_handshake_internal(resume_server_ctx, NULL, resume_client_ctx, 1769 test_ctx, &test_ctx->resume_extra, 1770 session, serv_sess, NULL, NULL); 1771 end: 1772 SSL_SESSION_free(session); 1773 SSL_SESSION_free(serv_sess); 1774 return result; 1775 } 1776