1 /* $OpenBSD: tlsexttest.c,v 1.92 2024/09/11 15:04:16 tb Exp $ */
2 /*
3 * Copyright (c) 2017 Joel Sing <jsing@openbsd.org>
4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
5 * Copyright (c) 2019 Bob Beck <beck@openbsd.org>
6 * Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
7 *
8 * Permission to use, copy, modify, and distribute this software for any
9 * purpose with or without fee is hereby granted, provided that the above
10 * copyright notice and this permission notice appear in all copies.
11 *
12 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
13 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
14 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
15 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
16 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 */
20
21 #include <err.h>
22
23 #include <openssl/tls1.h>
24
25 #include "ssl_local.h"
26
27 #include "bytestring.h"
28 #include "ssl_tlsext.h"
29
30 struct tls_extension_funcs {
31 int (*needs)(SSL *s, uint16_t msg_type);
32 int (*build)(SSL *s, uint16_t msg_type, CBB *cbb);
33 int (*process)(SSL *s, uint16_t msg_type, CBS *cbs, int *alert);
34 };
35
36 uint16_t tls_extension_type(const struct tls_extension *);
37 const struct tls_extension *tls_extension_find(uint16_t, size_t *);
38 const struct tls_extension_funcs *tlsext_funcs(const struct tls_extension *,
39 int);
40 int tlsext_linearize_build_order(SSL *);
41
42 static int
tls_extension_funcs(int type,const struct tls_extension_funcs ** client_funcs,const struct tls_extension_funcs ** server_funcs)43 tls_extension_funcs(int type, const struct tls_extension_funcs **client_funcs,
44 const struct tls_extension_funcs **server_funcs)
45 {
46 const struct tls_extension *ext;
47 size_t idx;
48
49 if ((ext = tls_extension_find(type, &idx)) == NULL)
50 return 0;
51
52 if ((*client_funcs = tlsext_funcs(ext, 0)) == NULL)
53 return 0;
54
55 if ((*server_funcs = tlsext_funcs(ext, 1)) == NULL)
56 return 0;
57
58 return 1;
59 }
60
61 static void
hexdump(const unsigned char * buf,size_t len)62 hexdump(const unsigned char *buf, size_t len)
63 {
64 size_t i;
65
66 for (i = 1; i <= len; i++)
67 fprintf(stderr, " 0x%02hhx,%s", buf[i - 1], i % 8 ? "" : "\n");
68
69 fprintf(stderr, "\n");
70 }
71
72 static void
hexdump2(const uint16_t * buf,size_t len)73 hexdump2(const uint16_t *buf, size_t len)
74 {
75 size_t i;
76
77 for (i = 1; i <= len / 2; i++)
78 fprintf(stderr, " 0x%04hx,%s", buf[i - 1], i % 8 ? "" : "\n");
79
80 fprintf(stderr, "\n");
81 }
82
83 static void
compare_data(const uint8_t * recv,size_t recv_len,const uint8_t * expect,size_t expect_len)84 compare_data(const uint8_t *recv, size_t recv_len, const uint8_t *expect,
85 size_t expect_len)
86 {
87 fprintf(stderr, "received:\n");
88 hexdump(recv, recv_len);
89
90 fprintf(stderr, "test data:\n");
91 hexdump(expect, expect_len);
92 }
93
94 static void
compare_data2(const uint16_t * recv,size_t recv_len,const uint16_t * expect,size_t expect_len)95 compare_data2(const uint16_t *recv, size_t recv_len, const uint16_t *expect,
96 size_t expect_len)
97 {
98 fprintf(stderr, "received:\n");
99 hexdump2(recv, recv_len);
100
101 fprintf(stderr, "test data:\n");
102 hexdump2(expect, expect_len);
103 }
104
105 #define FAIL(msg, ...) \
106 do { \
107 fprintf(stderr, "[%s:%d] FAIL: ", __FILE__, __LINE__); \
108 fprintf(stderr, msg, ##__VA_ARGS__); \
109 } while(0)
110
111 /*
112 * Supported Application-Layer Protocol Negotiation - RFC 7301
113 *
114 * There are already extensive unit tests for this so this just
115 * tests the state info.
116 */
117
118 const uint8_t tlsext_alpn_multiple_protos_val[] = {
119 /* opaque ProtocolName<1..2^8-1> -- 'http/1.1' */
120 0x08, /* len */
121 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31,
122 /* opaque ProtocolName<1..2^8-1> -- 'stun.nat' */
123 0x09, /* len */
124 0x73, 0x74, 0x75, 0x6e, 0x2e, 0x74, 0x75, 0x72, 0x6e
125 };
126
127 const uint8_t tlsext_alpn_multiple_protos[] = {
128 /* ProtocolName protocol_name_list<2..2^16-1> -- ALPN names */
129 0x00, 0x13, /* len of all names */
130 /* opaque ProtocolName<1..2^8-1> -- 'http/1.1' */
131 0x08, /* len */
132 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31,
133 /* opaque ProtocolName<1..2^8-1> -- 'stun.nat' */
134 0x09, /* len */
135 0x73, 0x74, 0x75, 0x6e, 0x2e, 0x74, 0x75, 0x72, 0x6e
136 };
137
138 const uint8_t tlsext_alpn_single_proto_val[] = {
139 /* opaque ProtocolName<1..2^8-1> -- 'http/1.1' */
140 0x08, /* len */
141 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31
142 };
143
144 const uint8_t tlsext_alpn_single_proto_name[] = {
145 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31 /* 'http/1.1' */
146 };
147
148 const uint8_t tlsext_alpn_single_proto[] = {
149 /* ProtocolName protocol_name_list<2..2^16-1> -- ALPN names */
150 0x00, 0x09, /* len of all names */
151 /* opaque ProtocolName<1..2^8-1> -- 'http/1.1' */
152 0x08, /* len */
153 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31
154 };
155
156 #define TLSEXT_TYPE_alpn TLSEXT_TYPE_application_layer_protocol_negotiation
157
158 static int
test_tlsext_alpn_client(void)159 test_tlsext_alpn_client(void)
160 {
161 SSL_CTX *ssl_ctx = NULL;
162 SSL *ssl = NULL;
163 const struct tls_extension_funcs *client_funcs;
164 const struct tls_extension_funcs *server_funcs;
165 uint8_t *data = NULL;
166 CBB cbb;
167 CBS cbs;
168 int failure, alert;
169 size_t dlen;
170
171 failure = 1;
172
173 if (!CBB_init(&cbb, 0))
174 errx(1, "Failed to create CBB");
175
176 if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL)
177 errx(1, "failed to create SSL_CTX");
178 if ((ssl = SSL_new(ssl_ctx)) == NULL)
179 errx(1, "failed to create SSL");
180
181 if (!tls_extension_funcs(TLSEXT_TYPE_alpn, &client_funcs, &server_funcs))
182 errx(1, "failed to fetch ALPN funcs");
183
184 /* By default, we don't need this */
185 if (client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
186 FAIL("client should not need ALPN by default\n");
187 goto err;
188 }
189
190 /*
191 * Prereqs:
192 * 1) Set s->alpn_client_proto_list
193 * - Using SSL_set_alpn_protos()
194 * 2) We have not finished or renegotiated.
195 * - s->s3->tmp.finish_md_len == 0
196 */
197 if (SSL_set_alpn_protos(ssl, tlsext_alpn_single_proto_val,
198 sizeof(tlsext_alpn_single_proto_val)) != 0) {
199 FAIL("should be able to set ALPN to http/1.1\n");
200 goto err;
201 }
202 if (!client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
203 FAIL("client should need ALPN by default\n");
204 goto err;
205 }
206
207 /* Make sure we can build the client with a single proto. */
208
209 if (!client_funcs->build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
210 FAIL("client failed to build ALPN\n");
211 goto err;
212 }
213 if (!CBB_finish(&cbb, &data, &dlen))
214 errx(1, "failed to finish CBB");
215
216 if (dlen != sizeof(tlsext_alpn_single_proto)) {
217 FAIL("got client ALPN with length %zu, "
218 "want length %zu\n", dlen,
219 sizeof(tlsext_alpn_single_proto));
220 compare_data(data, dlen, tlsext_alpn_single_proto,
221 sizeof(tlsext_alpn_single_proto));
222 goto err;
223 }
224 if (memcmp(data, tlsext_alpn_single_proto, dlen) != 0) {
225 FAIL("client ALPN differs:\n");
226 compare_data(data, dlen, tlsext_alpn_single_proto,
227 sizeof(tlsext_alpn_single_proto));
228 goto err;
229 }
230
231 CBB_cleanup(&cbb);
232 if (!CBB_init(&cbb, 0))
233 errx(1, "Failed to create CBB");
234 free(data);
235 data = NULL;
236
237 /* Make sure we can parse the single proto. */
238
239 CBS_init(&cbs, tlsext_alpn_single_proto,
240 sizeof(tlsext_alpn_single_proto));
241 if (!server_funcs->process(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
242 FAIL("failed to parse ALPN\n");
243 goto err;
244 }
245 if (CBS_len(&cbs) != 0) {
246 FAIL("extension data remaining\n");
247 goto err;
248 }
249
250 if (ssl->alpn_client_proto_list_len !=
251 sizeof(tlsext_alpn_single_proto_val)) {
252 FAIL("got client ALPN with length %zu, "
253 "want length %zu\n", dlen,
254 sizeof(tlsext_alpn_single_proto_val));
255 compare_data(ssl->alpn_client_proto_list,
256 ssl->alpn_client_proto_list_len,
257 tlsext_alpn_single_proto_val,
258 sizeof(tlsext_alpn_single_proto_val));
259 goto err;
260 }
261 if (memcmp(ssl->alpn_client_proto_list,
262 tlsext_alpn_single_proto_val,
263 sizeof(tlsext_alpn_single_proto_val)) != 0) {
264 FAIL("client ALPN differs:\n");
265 compare_data(data, dlen, tlsext_alpn_single_proto_val,
266 sizeof(tlsext_alpn_single_proto_val));
267 goto err;
268 }
269
270 /* Make sure we can build the clienthello with multiple entries. */
271
272 if (SSL_set_alpn_protos(ssl, tlsext_alpn_multiple_protos_val,
273 sizeof(tlsext_alpn_multiple_protos_val)) != 0) {
274 FAIL("should be able to set ALPN to http/1.1\n");
275 goto err;
276 }
277 if (!client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
278 FAIL("client should need ALPN by now\n");
279 goto err;
280 }
281
282 if (!client_funcs->build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
283 FAIL("client failed to build ALPN\n");
284 goto err;
285 }
286 if (!CBB_finish(&cbb, &data, &dlen))
287 errx(1, "failed to finish CBB");
288
289 if (dlen != sizeof(tlsext_alpn_multiple_protos)) {
290 FAIL("got client ALPN with length %zu, "
291 "want length %zu\n", dlen,
292 sizeof(tlsext_alpn_multiple_protos));
293 compare_data(data, dlen, tlsext_alpn_multiple_protos,
294 sizeof(tlsext_alpn_multiple_protos));
295 goto err;
296 }
297 if (memcmp(data, tlsext_alpn_multiple_protos, dlen) != 0) {
298 FAIL("client ALPN differs:\n");
299 compare_data(data, dlen, tlsext_alpn_multiple_protos,
300 sizeof(tlsext_alpn_multiple_protos));
301 goto err;
302 }
303
304 /* Make sure we can parse multiple protos */
305
306 CBS_init(&cbs, tlsext_alpn_multiple_protos,
307 sizeof(tlsext_alpn_multiple_protos));
308 if (!server_funcs->process(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
309 FAIL("failed to parse ALPN\n");
310 goto err;
311 }
312 if (CBS_len(&cbs) != 0) {
313 FAIL("extension data remaining\n");
314 goto err;
315 }
316
317 if (ssl->alpn_client_proto_list_len !=
318 sizeof(tlsext_alpn_multiple_protos_val)) {
319 FAIL("got client ALPN with length %zu, "
320 "want length %zu\n", dlen,
321 sizeof(tlsext_alpn_multiple_protos_val));
322 compare_data(ssl->alpn_client_proto_list,
323 ssl->alpn_client_proto_list_len,
324 tlsext_alpn_multiple_protos_val,
325 sizeof(tlsext_alpn_multiple_protos_val));
326 goto err;
327 }
328 if (memcmp(ssl->alpn_client_proto_list,
329 tlsext_alpn_multiple_protos_val,
330 sizeof(tlsext_alpn_multiple_protos_val)) != 0) {
331 FAIL("client ALPN differs:\n");
332 compare_data(data, dlen, tlsext_alpn_multiple_protos_val,
333 sizeof(tlsext_alpn_multiple_protos_val));
334 goto err;
335 }
336
337 /* Make sure we can remove the list and avoid ALPN */
338
339 free(ssl->alpn_client_proto_list);
340 ssl->alpn_client_proto_list = NULL;
341 ssl->alpn_client_proto_list_len = 0;
342
343 if (client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
344 FAIL("client should need ALPN by default\n");
345 goto err;
346 }
347
348 failure = 0;
349
350 err:
351 CBB_cleanup(&cbb);
352 SSL_CTX_free(ssl_ctx);
353 SSL_free(ssl);
354 free(data);
355
356 return (failure);
357 }
358
359 static int
test_tlsext_alpn_server(void)360 test_tlsext_alpn_server(void)
361 {
362 SSL_CTX *ssl_ctx = NULL;
363 SSL *ssl = NULL;
364 const struct tls_extension_funcs *client_funcs;
365 const struct tls_extension_funcs *server_funcs;
366 uint8_t *data = NULL;
367 CBB cbb;
368 CBS cbs;
369 int failure, alert;
370 size_t dlen;
371
372 failure = 1;
373
374 if (!CBB_init(&cbb, 0))
375 errx(1, "Failed to create CBB");
376
377 if ((ssl_ctx = SSL_CTX_new(TLS_server_method())) == NULL)
378 errx(1, "failed to create SSL_CTX");
379 if ((ssl = SSL_new(ssl_ctx)) == NULL)
380 errx(1, "failed to create SSL");
381
382 if (!tls_extension_funcs(TLSEXT_TYPE_alpn, &client_funcs, &server_funcs))
383 errx(1, "failed to fetch ALPN funcs");
384
385 /* By default, ALPN isn't needed. */
386 if (server_funcs->needs(ssl, SSL_TLSEXT_MSG_SH)) {
387 FAIL("server should not need ALPN by default\n");
388 goto err;
389 }
390
391 /*
392 * The server has a single ALPN selection which is set by
393 * SSL_CTX_set_alpn_select_cb() and calls SSL_select_next_proto().
394 *
395 * This will be a plain name and separate length.
396 */
397 if ((ssl->s3->alpn_selected = malloc(sizeof(tlsext_alpn_single_proto_name))) == NULL) {
398 errx(1, "failed to malloc");
399 }
400 memcpy(ssl->s3->alpn_selected, tlsext_alpn_single_proto_name,
401 sizeof(tlsext_alpn_single_proto_name));
402 ssl->s3->alpn_selected_len = sizeof(tlsext_alpn_single_proto_name);
403
404 if (!server_funcs->needs(ssl, SSL_TLSEXT_MSG_SH)) {
405 FAIL("server should need ALPN after a protocol is selected\n");
406 goto err;
407 }
408
409 /* Make sure we can build a server with one protocol */
410
411 if (!server_funcs->build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) {
412 FAIL("server should be able to build a response\n");
413 goto err;
414 }
415 if (!CBB_finish(&cbb, &data, &dlen))
416 errx(1, "failed to finish CBB");
417
418 if (dlen != sizeof(tlsext_alpn_single_proto)) {
419 FAIL("got client ALPN with length %zu, "
420 "want length %zu\n", dlen,
421 sizeof(tlsext_alpn_single_proto));
422 compare_data(data, dlen, tlsext_alpn_single_proto,
423 sizeof(tlsext_alpn_single_proto));
424 goto err;
425 }
426 if (memcmp(data, tlsext_alpn_single_proto, dlen) != 0) {
427 FAIL("client ALPN differs:\n");
428 compare_data(data, dlen, tlsext_alpn_single_proto,
429 sizeof(tlsext_alpn_single_proto));
430 goto err;
431 }
432
433 CBB_cleanup(&cbb);
434 if (!CBB_init(&cbb, 0))
435 errx(1, "Failed to create CBB");
436 free(data);
437 data = NULL;
438
439 /* Make sure we can parse the single proto. */
440
441 CBS_init(&cbs, tlsext_alpn_single_proto,
442 sizeof(tlsext_alpn_single_proto));
443
444 /* Shouldn't be able to parse without requesting */
445 if (client_funcs->process(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
446 FAIL("Should only parse server if we requested it\n");
447 goto err;
448 }
449
450 /* Should be able to parse once requested. */
451 if (SSL_set_alpn_protos(ssl, tlsext_alpn_single_proto_val,
452 sizeof(tlsext_alpn_single_proto_val)) != 0) {
453 FAIL("should be able to set ALPN to http/1.1\n");
454 goto err;
455 }
456 if (!client_funcs->process(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
457 FAIL("Should be able to parse server when we request it\n");
458 goto err;
459 }
460 if (CBS_len(&cbs) != 0) {
461 FAIL("extension data remaining\n");
462 goto err;
463 }
464
465 if (ssl->s3->alpn_selected_len !=
466 sizeof(tlsext_alpn_single_proto_name)) {
467 FAIL("got server ALPN with length %zu, "
468 "want length %zu\n", dlen,
469 sizeof(tlsext_alpn_single_proto_name));
470 compare_data(ssl->s3->alpn_selected,
471 ssl->s3->alpn_selected_len,
472 tlsext_alpn_single_proto_name,
473 sizeof(tlsext_alpn_single_proto_name));
474 goto err;
475 }
476 if (memcmp(ssl->s3->alpn_selected,
477 tlsext_alpn_single_proto_name,
478 sizeof(tlsext_alpn_single_proto_name)) != 0) {
479 FAIL("server ALPN differs:\n");
480 compare_data(ssl->s3->alpn_selected,
481 ssl->s3->alpn_selected_len,
482 tlsext_alpn_single_proto_name,
483 sizeof(tlsext_alpn_single_proto_name));
484 goto err;
485 }
486
487 /*
488 * We should NOT be able to build a server with multiple
489 * protocol names. However, the existing code did not check for this
490 * case because it is passed in as an encoded value.
491 */
492
493 /* Make sure we can remove the list and avoid ALPN */
494
495 free(ssl->s3->alpn_selected);
496 ssl->s3->alpn_selected = NULL;
497 ssl->s3->alpn_selected_len = 0;
498
499 if (server_funcs->needs(ssl, SSL_TLSEXT_MSG_SH)) {
500 FAIL("server should not need ALPN by default\n");
501 goto err;
502 }
503
504 failure = 0;
505
506 err:
507 CBB_cleanup(&cbb);
508 SSL_CTX_free(ssl_ctx);
509 SSL_free(ssl);
510 free(data);
511
512 return (failure);
513
514 }
515
516 /*
517 * Supported Elliptic Curves - RFC 4492 section 5.1.1.
518 *
519 * This extension is only used by the client.
520 */
521
522 static const uint8_t tlsext_supportedgroups_client_default[] = {
523 0x00, 0x08,
524 0x00, 0x1d, /* X25519 (29) */
525 0x00, 0x17, /* secp256r1 (23) */
526 0x00, 0x18, /* secp384r1 (24) */
527 0x00, 0x19, /* secp521r1 (25) */
528 };
529
530 static const uint16_t tlsext_supportedgroups_client_secp384r1_val[] = {
531 0x0018 /* tls1_ec_nid2group_id(NID_secp384r1) */
532 };
533 static const uint8_t tlsext_supportedgroups_client_secp384r1[] = {
534 0x00, 0x02,
535 0x00, 0x18 /* secp384r1 (24) */
536 };
537
538 /* Example from RFC 4492 section 5.1.1 */
539 static const uint16_t tlsext_supportedgroups_client_nistp192and224_val[] = {
540 0x0013, /* tls1_ec_nid2group_id(NID_X9_62_prime192v1) */
541 0x0015 /* tls1_ec_nid2group_id(NID_secp224r1) */
542 };
543 static const uint8_t tlsext_supportedgroups_client_nistp192and224[] = {
544 0x00, 0x04,
545 0x00, 0x13, /* secp192r1 aka NIST P-192 */
546 0x00, 0x15 /* secp224r1 aka NIST P-224 */
547 };
548
549 static int
test_tlsext_supportedgroups_client(void)550 test_tlsext_supportedgroups_client(void)
551 {
552 unsigned char *data = NULL;
553 SSL_CTX *ssl_ctx = NULL;
554 SSL *ssl = NULL;
555 const struct tls_extension_funcs *client_funcs;
556 const struct tls_extension_funcs *server_funcs;
557 size_t dlen;
558 int failure, alert;
559 CBB cbb;
560 CBS cbs;
561
562 failure = 1;
563
564 if (!CBB_init(&cbb, 0))
565 errx(1, "failed to create CBB");
566
567 if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL)
568 errx(1, "failed to create SSL_CTX");
569 if ((ssl = SSL_new(ssl_ctx)) == NULL)
570 errx(1, "failed to create SSL");
571
572 if (!tls_extension_funcs(TLSEXT_TYPE_supported_groups, &client_funcs,
573 &server_funcs))
574 errx(1, "failed to fetch supported groups funcs");
575
576 /*
577 * Default ciphers include EC so we need it by default.
578 */
579 if (!client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
580 FAIL("client should need Ellipticcurves for default "
581 "ciphers\n");
582 goto err;
583 }
584
585 /*
586 * Exclude cipher suites so we can test not including it.
587 */
588 if (!SSL_set_cipher_list(ssl, "TLSv1.2:!ECDHE:!ECDSA")) {
589 FAIL("client should be able to set cipher list\n");
590 goto err;
591 }
592 if (client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
593 FAIL("client should not need Ellipticcurves\n");
594 goto err;
595 }
596
597 /*
598 * Use libtls default for the rest of the testing
599 */
600 if (!SSL_set_cipher_list(ssl, "TLSv1.2+AEAD+ECDHE")) {
601 FAIL("client should be able to set cipher list\n");
602 goto err;
603 }
604 if (!client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
605 FAIL("client should need Ellipticcurves\n");
606 goto err;
607 }
608
609 /*
610 * Test with a session secp384r1. The default is used instead.
611 */
612 if ((ssl->session = SSL_SESSION_new()) == NULL)
613 errx(1, "failed to create session");
614
615 if ((ssl->session->tlsext_supportedgroups = malloc(sizeof(uint16_t)))
616 == NULL) {
617 FAIL("client could not malloc\n");
618 goto err;
619 }
620 if (!tls1_ec_nid2group_id(NID_secp384r1,
621 &ssl->session->tlsext_supportedgroups[0]))
622 goto err;
623 ssl->session->tlsext_supportedgroups_length = 1;
624
625 if (!client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
626 FAIL("client should need Ellipticcurves\n");
627 goto err;
628 }
629
630 if (!client_funcs->build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
631 FAIL("client failed to build Ellipticcurves\n");
632 goto err;
633 }
634
635 if (!CBB_finish(&cbb, &data, &dlen))
636 errx(1, "failed to finish CBB");
637
638 if (dlen != sizeof(tlsext_supportedgroups_client_default)) {
639 FAIL("got client Ellipticcurves with length %zu, "
640 "want length %zu\n", dlen,
641 sizeof(tlsext_supportedgroups_client_default));
642 compare_data(data, dlen, tlsext_supportedgroups_client_default,
643 sizeof(tlsext_supportedgroups_client_default));
644 goto err;
645 }
646
647 if (memcmp(data, tlsext_supportedgroups_client_default, dlen) != 0) {
648 FAIL("client Ellipticcurves differs:\n");
649 compare_data(data, dlen, tlsext_supportedgroups_client_default,
650 sizeof(tlsext_supportedgroups_client_default));
651 goto err;
652 }
653
654 /*
655 * Test parsing secp384r1
656 */
657 CBB_cleanup(&cbb);
658 if (!CBB_init(&cbb, 0))
659 errx(1, "Failed to create CBB");
660 free(data);
661 data = NULL;
662
663 SSL_SESSION_free(ssl->session);
664 if ((ssl->session = SSL_SESSION_new()) == NULL)
665 errx(1, "failed to create session");
666
667 CBS_init(&cbs, tlsext_supportedgroups_client_secp384r1,
668 sizeof(tlsext_supportedgroups_client_secp384r1));
669 if (!server_funcs->process(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
670 FAIL("failed to parse client Ellipticcurves\n");
671 goto err;
672 }
673 if (CBS_len(&cbs) != 0) {
674 FAIL("extension data remaining\n");
675 goto err;
676 }
677
678 if (ssl->session->tlsext_supportedgroups_length !=
679 sizeof(tlsext_supportedgroups_client_secp384r1_val) / sizeof(uint16_t)) {
680 FAIL("no tlsext_ellipticcurves from client "
681 "Ellipticcurves\n");
682 goto err;
683 }
684
685 if (memcmp(ssl->session->tlsext_supportedgroups,
686 tlsext_supportedgroups_client_secp384r1_val,
687 sizeof(tlsext_supportedgroups_client_secp384r1_val)) != 0) {
688 FAIL("client had an incorrect Ellipticcurves "
689 "entry\n");
690 compare_data2(ssl->session->tlsext_supportedgroups,
691 ssl->session->tlsext_supportedgroups_length * 2,
692 tlsext_supportedgroups_client_secp384r1_val,
693 sizeof(tlsext_supportedgroups_client_secp384r1_val));
694 goto err;
695 }
696
697 /*
698 * Use a custom order.
699 */
700 CBB_cleanup(&cbb);
701 if (!CBB_init(&cbb, 0))
702 errx(1, "Failed to create CBB");
703
704 SSL_SESSION_free(ssl->session);
705 if ((ssl->session = SSL_SESSION_new()) == NULL)
706 errx(1, "failed to create session");
707
708 if ((ssl->tlsext_supportedgroups = malloc(sizeof(uint16_t) * 2)) == NULL) {
709 FAIL("client could not malloc\n");
710 goto err;
711 }
712 if (!tls1_ec_nid2group_id(NID_X9_62_prime192v1,
713 &ssl->tlsext_supportedgroups[0]))
714 goto err;
715 if (!tls1_ec_nid2group_id(NID_secp224r1,
716 &ssl->tlsext_supportedgroups[1]))
717 goto err;
718 ssl->tlsext_supportedgroups_length = 2;
719
720 if (!client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
721 FAIL("client should need Ellipticcurves\n");
722 goto err;
723 }
724
725 if (!client_funcs->build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
726 FAIL("client failed to build Ellipticcurves\n");
727 goto err;
728 }
729
730 if (!CBB_finish(&cbb, &data, &dlen))
731 errx(1, "failed to finish CBB");
732
733 if (dlen != sizeof(tlsext_supportedgroups_client_nistp192and224)) {
734 FAIL("got client Ellipticcurves with length %zu, "
735 "want length %zu\n", dlen,
736 sizeof(tlsext_supportedgroups_client_nistp192and224));
737 fprintf(stderr, "received:\n");
738 hexdump(data, dlen);
739 fprintf(stderr, "test data:\n");
740 hexdump(tlsext_supportedgroups_client_nistp192and224,
741 sizeof(tlsext_supportedgroups_client_nistp192and224));
742 goto err;
743 }
744
745 if (memcmp(data, tlsext_supportedgroups_client_nistp192and224, dlen) != 0) {
746 FAIL("client Ellipticcurves differs:\n");
747 fprintf(stderr, "received:\n");
748 hexdump(data, dlen);
749 fprintf(stderr, "test data:\n");
750 hexdump(tlsext_supportedgroups_client_nistp192and224,
751 sizeof(tlsext_supportedgroups_client_nistp192and224));
752 goto err;
753 }
754
755 /*
756 * Parse non-default curves to session.
757 */
758 CBB_cleanup(&cbb);
759 if (!CBB_init(&cbb, 0))
760 errx(1, "Failed to create CBB");
761 free(data);
762 data = NULL;
763
764 SSL_SESSION_free(ssl->session);
765 if ((ssl->session = SSL_SESSION_new()) == NULL)
766 errx(1, "failed to create session");
767
768 /* Reset back to the default list. */
769 free(ssl->tlsext_supportedgroups);
770 ssl->tlsext_supportedgroups = NULL;
771 ssl->tlsext_supportedgroups_length = 0;
772
773 CBS_init(&cbs, tlsext_supportedgroups_client_nistp192and224,
774 sizeof(tlsext_supportedgroups_client_nistp192and224));
775 if (!server_funcs->process(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
776 FAIL("failed to parse client Ellipticcurves\n");
777 goto err;
778 }
779 if (CBS_len(&cbs) != 0) {
780 FAIL("extension data remaining\n");
781 goto err;
782 }
783
784 if (ssl->session->tlsext_supportedgroups_length !=
785 sizeof(tlsext_supportedgroups_client_nistp192and224_val) / sizeof(uint16_t)) {
786 FAIL("no tlsext_ellipticcurves from client Ellipticcurves\n");
787 goto err;
788 }
789
790 if (memcmp(ssl->session->tlsext_supportedgroups,
791 tlsext_supportedgroups_client_nistp192and224_val,
792 sizeof(tlsext_supportedgroups_client_nistp192and224_val)) != 0) {
793 FAIL("client had an incorrect Ellipticcurves entry\n");
794 compare_data2(ssl->session->tlsext_supportedgroups,
795 ssl->session->tlsext_supportedgroups_length * 2,
796 tlsext_supportedgroups_client_nistp192and224_val,
797 sizeof(tlsext_supportedgroups_client_nistp192and224_val));
798 goto err;
799 }
800
801 failure = 0;
802
803 err:
804 CBB_cleanup(&cbb);
805 SSL_CTX_free(ssl_ctx);
806 SSL_free(ssl);
807 free(data);
808
809 return (failure);
810 }
811
812
813 /* elliptic_curves is only used by the client so this doesn't test much. */
814 static int
test_tlsext_supportedgroups_server(void)815 test_tlsext_supportedgroups_server(void)
816 {
817 SSL_CTX *ssl_ctx = NULL;
818 SSL *ssl = NULL;
819 const struct tls_extension_funcs *client_funcs;
820 const struct tls_extension_funcs *server_funcs;
821 int failure;
822
823 failure = 1;
824
825 if ((ssl_ctx = SSL_CTX_new(TLS_server_method())) == NULL)
826 errx(1, "failed to create SSL_CTX");
827 if ((ssl = SSL_new(ssl_ctx)) == NULL)
828 errx(1, "failed to create SSL");
829
830 if (!tls_extension_funcs(TLSEXT_TYPE_supported_groups, &client_funcs,
831 &server_funcs))
832 errx(1, "failed to fetch supported groups funcs");
833
834 if (server_funcs->needs(ssl, SSL_TLSEXT_MSG_SH)) {
835 FAIL("server should not need elliptic_curves\n");
836 goto err;
837 }
838
839 if ((ssl->session = SSL_SESSION_new()) == NULL)
840 errx(1, "failed to create session");
841
842 if (server_funcs->needs(ssl, SSL_TLSEXT_MSG_SH)) {
843 FAIL("server should not need elliptic_curves\n");
844 goto err;
845 }
846
847 failure = 0;
848
849 err:
850 SSL_CTX_free(ssl_ctx);
851 SSL_free(ssl);
852
853 return (failure);
854
855 }
856
857 /*
858 * Supported Point Formats - RFC 4492 section 5.1.2.
859 *
860 * Examples are from the RFC. Both client and server have the same build and
861 * parse but the needs differ.
862 */
863
864 static const uint8_t tlsext_ecpf_hello_uncompressed_val[] = {
865 TLSEXT_ECPOINTFORMAT_uncompressed
866 };
867 static const uint8_t tlsext_ecpf_hello_uncompressed[] = {
868 0x01,
869 0x00 /* TLSEXT_ECPOINTFORMAT_uncompressed */
870 };
871
872 static const uint8_t tlsext_ecpf_hello_prime[] = {
873 0x01,
874 0x01 /* TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime */
875 };
876
877 static const uint8_t tlsext_ecpf_hello_prefer_order_val[] = {
878 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
879 TLSEXT_ECPOINTFORMAT_uncompressed,
880 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
881 };
882 static const uint8_t tlsext_ecpf_hello_prefer_order[] = {
883 0x03,
884 0x01, /* TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime */
885 0x00, /* TLSEXT_ECPOINTFORMAT_uncompressed */
886 0x02 /* TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2 */
887 };
888
889 static int
test_tlsext_ecpf_client(void)890 test_tlsext_ecpf_client(void)
891 {
892 uint8_t *data = NULL;
893 SSL_CTX *ssl_ctx = NULL;
894 SSL *ssl = NULL;
895 const struct tls_extension_funcs *client_funcs;
896 const struct tls_extension_funcs *server_funcs;
897 size_t dlen;
898 int failure, alert;
899 CBB cbb;
900 CBS cbs;
901
902 failure = 1;
903
904 if (!CBB_init(&cbb, 0))
905 errx(1, "Failed to create CBB");
906
907 if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL)
908 errx(1, "failed to create SSL_CTX");
909 if ((ssl = SSL_new(ssl_ctx)) == NULL)
910 errx(1, "failed to create SSL");
911
912 if (!tls_extension_funcs(TLSEXT_TYPE_ec_point_formats, &client_funcs,
913 &server_funcs))
914 errx(1, "failed to fetch ecpf funcs");
915
916 /*
917 * Default ciphers include EC so we need it by default.
918 */
919 if (!client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
920 FAIL("client should need ECPointFormats for default "
921 "ciphers\n");
922 goto err;
923 }
924
925 /*
926 * Exclude EC cipher suites so we can test not including it.
927 */
928 if (!SSL_set_cipher_list(ssl, "ALL:!ECDHE:!ECDH")) {
929 FAIL("client should be able to set cipher list\n");
930 goto err;
931 }
932 if (client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
933 FAIL("client should not need ECPointFormats\n");
934 goto err;
935 }
936
937 /*
938 * Use libtls default for the rest of the testing
939 */
940 if (!SSL_set_cipher_list(ssl, "TLSv1.2+AEAD+ECDHE")) {
941 FAIL("client should be able to set cipher list\n");
942 goto err;
943 }
944 if (!client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
945 FAIL("client should need ECPointFormats\n");
946 goto err;
947 }
948
949 /*
950 * The default ECPointFormats should only have uncompressed
951 */
952 if ((ssl->session = SSL_SESSION_new()) == NULL)
953 errx(1, "failed to create session");
954
955 if (!client_funcs->build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
956 FAIL("client failed to build ECPointFormats\n");
957 goto err;
958 }
959
960 if (!CBB_finish(&cbb, &data, &dlen))
961 errx(1, "failed to finish CBB");
962
963 if (dlen != sizeof(tlsext_ecpf_hello_uncompressed)) {
964 FAIL("got client ECPointFormats with length %zu, "
965 "want length %zu\n", dlen,
966 sizeof(tlsext_ecpf_hello_uncompressed));
967 compare_data(data, dlen, tlsext_ecpf_hello_uncompressed,
968 sizeof(tlsext_ecpf_hello_uncompressed));
969 goto err;
970 }
971
972 if (memcmp(data, tlsext_ecpf_hello_uncompressed, dlen) != 0) {
973 FAIL("client ECPointFormats differs:\n");
974 compare_data(data, dlen, tlsext_ecpf_hello_uncompressed,
975 sizeof(tlsext_ecpf_hello_uncompressed));
976 goto err;
977 }
978
979 /*
980 * Make sure we can parse the default.
981 */
982 CBB_cleanup(&cbb);
983 if (!CBB_init(&cbb, 0))
984 errx(1, "Failed to create CBB");
985 free(data);
986 data = NULL;
987
988 SSL_SESSION_free(ssl->session);
989 if ((ssl->session = SSL_SESSION_new()) == NULL)
990 errx(1, "failed to create session");
991
992 CBS_init(&cbs, tlsext_ecpf_hello_uncompressed,
993 sizeof(tlsext_ecpf_hello_uncompressed));
994 if (!server_funcs->process(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
995 FAIL("failed to parse client ECPointFormats\n");
996 goto err;
997 }
998 if (CBS_len(&cbs) != 0) {
999 FAIL("extension data remaining\n");
1000 goto err;
1001 }
1002
1003 if (ssl->session->tlsext_ecpointformatlist_length !=
1004 sizeof(tlsext_ecpf_hello_uncompressed_val)) {
1005 FAIL("no tlsext_ecpointformats from client "
1006 "ECPointFormats\n");
1007 goto err;
1008 }
1009
1010 if (memcmp(ssl->session->tlsext_ecpointformatlist,
1011 tlsext_ecpf_hello_uncompressed_val,
1012 sizeof(tlsext_ecpf_hello_uncompressed_val)) != 0) {
1013 FAIL("client had an incorrect ECPointFormats entry\n");
1014 goto err;
1015 }
1016
1017 /*
1018 * Test with a custom order.
1019 */
1020 CBB_cleanup(&cbb);
1021 if (!CBB_init(&cbb, 0))
1022 errx(1, "Failed to create CBB");
1023 free(data);
1024 data = NULL;
1025
1026 SSL_SESSION_free(ssl->session);
1027 if ((ssl->session = SSL_SESSION_new()) == NULL)
1028 errx(1, "failed to create session");
1029
1030 if ((ssl->tlsext_ecpointformatlist = malloc(sizeof(uint8_t) * 3)) == NULL) {
1031 FAIL("client could not malloc\n");
1032 goto err;
1033 }
1034 ssl->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1035 ssl->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_uncompressed;
1036 ssl->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1037 ssl->tlsext_ecpointformatlist_length = 3;
1038
1039 if (!client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
1040 FAIL("client should need ECPointFormats with a custom "
1041 "format\n");
1042 goto err;
1043 }
1044
1045 if (!client_funcs->build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
1046 FAIL("client failed to build ECPointFormats\n");
1047 goto err;
1048 }
1049
1050 if (!CBB_finish(&cbb, &data, &dlen))
1051 errx(1, "failed to finish CBB");
1052
1053 if (dlen != sizeof(tlsext_ecpf_hello_prefer_order)) {
1054 FAIL("got client ECPointFormats with length %zu, "
1055 "want length %zu\n", dlen,
1056 sizeof(tlsext_ecpf_hello_prefer_order));
1057 compare_data(data, dlen, tlsext_ecpf_hello_prefer_order,
1058 sizeof(tlsext_ecpf_hello_prefer_order));
1059 goto err;
1060 }
1061
1062 if (memcmp(data, tlsext_ecpf_hello_prefer_order, dlen) != 0) {
1063 FAIL("client ECPointFormats differs:\n");
1064 compare_data(data, dlen, tlsext_ecpf_hello_prefer_order,
1065 sizeof(tlsext_ecpf_hello_prefer_order));
1066 goto err;
1067 }
1068
1069 /*
1070 * Make sure that we can parse this custom order.
1071 */
1072 CBB_cleanup(&cbb);
1073 if (!CBB_init(&cbb, 0))
1074 errx(1, "Failed to create CBB");
1075 free(data);
1076 data = NULL;
1077
1078 SSL_SESSION_free(ssl->session);
1079 if ((ssl->session = SSL_SESSION_new()) == NULL)
1080 errx(1, "failed to create session");
1081
1082 /* Reset the custom list so we go back to the default uncompressed. */
1083 free(ssl->tlsext_ecpointformatlist);
1084 ssl->tlsext_ecpointformatlist = NULL;
1085 ssl->tlsext_ecpointformatlist_length = 0;
1086
1087 CBS_init(&cbs, tlsext_ecpf_hello_prefer_order,
1088 sizeof(tlsext_ecpf_hello_prefer_order));
1089 if (!server_funcs->process(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
1090 FAIL("failed to parse client ECPointFormats\n");
1091 goto err;
1092 }
1093 if (CBS_len(&cbs) != 0) {
1094 FAIL("extension data remaining\n");
1095 goto err;
1096 }
1097
1098 if (ssl->session->tlsext_ecpointformatlist_length !=
1099 sizeof(tlsext_ecpf_hello_prefer_order_val)) {
1100 FAIL("no tlsext_ecpointformats from client "
1101 "ECPointFormats\n");
1102 goto err;
1103 }
1104
1105 if (memcmp(ssl->session->tlsext_ecpointformatlist,
1106 tlsext_ecpf_hello_prefer_order_val,
1107 sizeof(tlsext_ecpf_hello_prefer_order_val)) != 0) {
1108 FAIL("client had an incorrect ECPointFormats entry\n");
1109 goto err;
1110 }
1111
1112 failure = 0;
1113
1114 err:
1115 CBB_cleanup(&cbb);
1116 SSL_CTX_free(ssl_ctx);
1117 SSL_free(ssl);
1118 free(data);
1119
1120 return (failure);
1121 }
1122
1123 static int
test_tlsext_ecpf_server(void)1124 test_tlsext_ecpf_server(void)
1125 {
1126 uint8_t *data = NULL;
1127 SSL_CTX *ssl_ctx = NULL;
1128 SSL *ssl = NULL;
1129 const struct tls_extension_funcs *client_funcs;
1130 const struct tls_extension_funcs *server_funcs;
1131 size_t dlen;
1132 int failure, alert;
1133 CBB cbb;
1134 CBS cbs;
1135
1136 failure = 1;
1137
1138 if (!CBB_init(&cbb, 0))
1139 errx(1, "Failed to create CBB");
1140
1141 if ((ssl_ctx = SSL_CTX_new(TLS_server_method())) == NULL)
1142 errx(1, "failed to create SSL_CTX");
1143 if ((ssl = SSL_new(ssl_ctx)) == NULL)
1144 errx(1, "failed to create SSL");
1145
1146 if (!tls_extension_funcs(TLSEXT_TYPE_ec_point_formats, &client_funcs,
1147 &server_funcs))
1148 errx(1, "failed to fetch ecpf funcs");
1149
1150 if ((ssl->session = SSL_SESSION_new()) == NULL)
1151 errx(1, "failed to create session");
1152
1153 /* Setup the state so we can call needs. */
1154 if ((ssl->s3->hs.cipher = ssl3_get_cipher_by_value(0xcca9)) == NULL) {
1155 FAIL("server cannot find cipher\n");
1156 goto err;
1157 }
1158 if ((ssl->session->tlsext_ecpointformatlist = malloc(sizeof(uint8_t)))
1159 == NULL) {
1160 FAIL("server could not malloc\n");
1161 goto err;
1162 }
1163 ssl->session->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1164 ssl->session->tlsext_ecpointformatlist_length = 1;
1165
1166 if (!server_funcs->needs(ssl, SSL_TLSEXT_MSG_SH)) {
1167 FAIL("server should need ECPointFormats now\n");
1168 goto err;
1169 }
1170
1171 /*
1172 * The server will ignore the session list and use either a custom
1173 * list or the default (uncompressed).
1174 */
1175 if (!server_funcs->build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) {
1176 FAIL("server failed to build ECPointFormats\n");
1177 goto err;
1178 }
1179
1180 if (!CBB_finish(&cbb, &data, &dlen))
1181 errx(1, "failed to finish CBB");
1182
1183 if (dlen != sizeof(tlsext_ecpf_hello_uncompressed)) {
1184 FAIL("got server ECPointFormats with length %zu, "
1185 "want length %zu\n", dlen,
1186 sizeof(tlsext_ecpf_hello_uncompressed));
1187 compare_data(data, dlen, tlsext_ecpf_hello_uncompressed,
1188 sizeof(tlsext_ecpf_hello_uncompressed));
1189 goto err;
1190 }
1191
1192 if (memcmp(data, tlsext_ecpf_hello_uncompressed, dlen) != 0) {
1193 FAIL("server ECPointFormats differs:\n");
1194 compare_data(data, dlen, tlsext_ecpf_hello_uncompressed,
1195 sizeof(tlsext_ecpf_hello_uncompressed));
1196 goto err;
1197 }
1198
1199 /*
1200 * Cannot parse a non-default list without at least uncompressed.
1201 */
1202 CBB_cleanup(&cbb);
1203 if (!CBB_init(&cbb, 0))
1204 errx(1, "Failed to create CBB");
1205 free(data);
1206 data = NULL;
1207
1208 SSL_SESSION_free(ssl->session);
1209 if ((ssl->session = SSL_SESSION_new()) == NULL)
1210 errx(1, "failed to create session");
1211
1212 CBS_init(&cbs, tlsext_ecpf_hello_prime,
1213 sizeof(tlsext_ecpf_hello_prime));
1214 if (client_funcs->process(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
1215 FAIL("must include uncompressed in server ECPointFormats\n");
1216 goto err;
1217 }
1218 if (CBS_len(&cbs) != 0) {
1219 FAIL("extension data remaining\n");
1220 goto err;
1221 }
1222
1223 /*
1224 * Test with a custom order that replaces the default uncompressed.
1225 */
1226 CBB_cleanup(&cbb);
1227 if (!CBB_init(&cbb, 0))
1228 errx(1, "Failed to create CBB");
1229 free(data);
1230 data = NULL;
1231
1232 SSL_SESSION_free(ssl->session);
1233 if ((ssl->session = SSL_SESSION_new()) == NULL)
1234 errx(1, "failed to create session");
1235
1236 /* Add a session list even though it will be ignored. */
1237 if ((ssl->session->tlsext_ecpointformatlist = malloc(sizeof(uint8_t)))
1238 == NULL) {
1239 FAIL("server could not malloc\n");
1240 goto err;
1241 }
1242 ssl->session->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1243 ssl->session->tlsext_ecpointformatlist_length = 1;
1244
1245 /* Replace the default list with a custom one. */
1246 if ((ssl->tlsext_ecpointformatlist = malloc(sizeof(uint8_t) * 3)) == NULL) {
1247 FAIL("server could not malloc\n");
1248 goto err;
1249 }
1250 ssl->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1251 ssl->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_uncompressed;
1252 ssl->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1253 ssl->tlsext_ecpointformatlist_length = 3;
1254
1255 if (!server_funcs->needs(ssl, SSL_TLSEXT_MSG_SH)) {
1256 FAIL("server should need ECPointFormats\n");
1257 goto err;
1258 }
1259
1260 if (!server_funcs->build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) {
1261 FAIL("server failed to build ECPointFormats\n");
1262 goto err;
1263 }
1264
1265 if (!CBB_finish(&cbb, &data, &dlen))
1266 errx(1, "failed to finish CBB");
1267
1268 if (dlen != sizeof(tlsext_ecpf_hello_prefer_order)) {
1269 FAIL("got server ECPointFormats with length %zu, "
1270 "want length %zu\n", dlen,
1271 sizeof(tlsext_ecpf_hello_prefer_order));
1272 compare_data(data, dlen, tlsext_ecpf_hello_prefer_order,
1273 sizeof(tlsext_ecpf_hello_prefer_order));
1274 goto err;
1275 }
1276
1277 if (memcmp(data, tlsext_ecpf_hello_prefer_order, dlen) != 0) {
1278 FAIL("server ECPointFormats differs:\n");
1279 compare_data(data, dlen, tlsext_ecpf_hello_prefer_order,
1280 sizeof(tlsext_ecpf_hello_prefer_order));
1281 goto err;
1282 }
1283
1284 /*
1285 * Should be able to parse the custom list into a session list.
1286 */
1287 CBB_cleanup(&cbb);
1288 if (!CBB_init(&cbb, 0))
1289 errx(1, "Failed to create CBB");
1290 free(data);
1291 data = NULL;
1292
1293 SSL_SESSION_free(ssl->session);
1294 if ((ssl->session = SSL_SESSION_new()) == NULL)
1295 errx(1, "failed to create session");
1296
1297 /* Reset back to the default (uncompressed) */
1298 free(ssl->tlsext_ecpointformatlist);
1299 ssl->tlsext_ecpointformatlist = NULL;
1300 ssl->tlsext_ecpointformatlist_length = 0;
1301
1302 CBS_init(&cbs, tlsext_ecpf_hello_prefer_order,
1303 sizeof(tlsext_ecpf_hello_prefer_order));
1304 if (!client_funcs->process(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
1305 FAIL("failed to parse server ECPointFormats\n");
1306 goto err;
1307 }
1308 if (CBS_len(&cbs) != 0) {
1309 FAIL("extension data remaining\n");
1310 goto err;
1311 }
1312
1313 if (ssl->session->tlsext_ecpointformatlist_length !=
1314 sizeof(tlsext_ecpf_hello_prefer_order_val)) {
1315 FAIL("no tlsext_ecpointformats from server "
1316 "ECPointFormats\n");
1317 goto err;
1318 }
1319
1320 if (memcmp(ssl->session->tlsext_ecpointformatlist,
1321 tlsext_ecpf_hello_prefer_order_val,
1322 sizeof(tlsext_ecpf_hello_prefer_order_val)) != 0) {
1323 FAIL("server had an incorrect ECPointFormats entry\n");
1324 goto err;
1325 }
1326
1327 failure = 0;
1328
1329 err:
1330 CBB_cleanup(&cbb);
1331 SSL_CTX_free(ssl_ctx);
1332 SSL_free(ssl);
1333 free(data);
1334
1335 return (failure);
1336 }
1337
1338 /*
1339 * Renegotiation Indication - RFC 5746.
1340 */
1341
1342 static const unsigned char tlsext_ri_prev_client[] = {
1343 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
1344 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
1345 };
1346
1347 static const unsigned char tlsext_ri_prev_server[] = {
1348 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99, 0x88,
1349 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11, 0x00,
1350 };
1351
1352 static const unsigned char tlsext_ri_client[] = {
1353 0x10,
1354 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
1355 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
1356 };
1357
1358 static const unsigned char tlsext_ri_server[] = {
1359 0x20,
1360 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
1361 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
1362 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99, 0x88,
1363 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11, 0x00,
1364 };
1365
1366 static int
test_tlsext_ri_client(void)1367 test_tlsext_ri_client(void)
1368 {
1369 unsigned char *data = NULL;
1370 SSL_CTX *ssl_ctx = NULL;
1371 SSL *ssl = NULL;
1372 const struct tls_extension_funcs *client_funcs;
1373 const struct tls_extension_funcs *server_funcs;
1374 int failure;
1375 size_t dlen;
1376 int alert;
1377 CBB cbb;
1378 CBS cbs;
1379
1380 failure = 1;
1381
1382 if (!CBB_init(&cbb, 0))
1383 errx(1, "Failed to create CBB");
1384
1385 if ((ssl_ctx = SSL_CTX_new(TLSv1_2_client_method())) == NULL)
1386 errx(1, "failed to create SSL_CTX");
1387 if ((ssl = SSL_new(ssl_ctx)) == NULL)
1388 errx(1, "failed to create SSL");
1389
1390 if (!tls_extension_funcs(TLSEXT_TYPE_renegotiate, &client_funcs,
1391 &server_funcs))
1392 errx(1, "failed to fetch ri funcs");
1393
1394 if (client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
1395 FAIL("client should not need RI\n");
1396 goto err;
1397 }
1398
1399 if (!SSL_renegotiate(ssl)) {
1400 FAIL("client failed to set renegotiate\n");
1401 goto err;
1402 }
1403
1404 if (!client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
1405 FAIL("client should need RI\n");
1406 goto err;
1407 }
1408
1409 memcpy(ssl->s3->previous_client_finished, tlsext_ri_prev_client,
1410 sizeof(tlsext_ri_prev_client));
1411 ssl->s3->previous_client_finished_len = sizeof(tlsext_ri_prev_client);
1412
1413 ssl->s3->renegotiate_seen = 0;
1414
1415 if (!client_funcs->build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
1416 FAIL("client failed to build RI\n");
1417 goto err;
1418 }
1419
1420 if (!CBB_finish(&cbb, &data, &dlen))
1421 errx(1, "failed to finish CBB");
1422
1423 if (dlen != sizeof(tlsext_ri_client)) {
1424 FAIL("got client RI with length %zu, "
1425 "want length %zu\n", dlen, sizeof(tlsext_ri_client));
1426 goto err;
1427 }
1428
1429 if (memcmp(data, tlsext_ri_client, dlen) != 0) {
1430 FAIL("client RI differs:\n");
1431 fprintf(stderr, "received:\n");
1432 hexdump(data, dlen);
1433 fprintf(stderr, "test data:\n");
1434 hexdump(tlsext_ri_client, sizeof(tlsext_ri_client));
1435 goto err;
1436 }
1437
1438 CBS_init(&cbs, tlsext_ri_client, sizeof(tlsext_ri_client));
1439 if (!server_funcs->process(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
1440 FAIL("failed to parse client RI\n");
1441 goto err;
1442 }
1443 if (CBS_len(&cbs) != 0) {
1444 FAIL("extension data remaining\n");
1445 goto err;
1446 }
1447
1448 if (ssl->s3->renegotiate_seen != 1) {
1449 FAIL("renegotiate seen not set\n");
1450 goto err;
1451 }
1452 if (ssl->s3->send_connection_binding != 1) {
1453 FAIL("send connection binding not set\n");
1454 goto err;
1455 }
1456
1457 memset(ssl->s3->previous_client_finished, 0,
1458 sizeof(ssl->s3->previous_client_finished));
1459
1460 ssl->s3->renegotiate_seen = 0;
1461
1462 CBS_init(&cbs, tlsext_ri_client, sizeof(tlsext_ri_client));
1463 if (server_funcs->process(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
1464 FAIL("parsed invalid client RI\n");
1465 goto err;
1466 }
1467
1468 if (ssl->s3->renegotiate_seen == 1) {
1469 FAIL("renegotiate seen set\n");
1470 goto err;
1471 }
1472
1473 failure = 0;
1474
1475 err:
1476 CBB_cleanup(&cbb);
1477 SSL_CTX_free(ssl_ctx);
1478 SSL_free(ssl);
1479 free(data);
1480
1481 return (failure);
1482 }
1483
1484 static int
test_tlsext_ri_server(void)1485 test_tlsext_ri_server(void)
1486 {
1487 unsigned char *data = NULL;
1488 SSL_CTX *ssl_ctx = NULL;
1489 SSL *ssl = NULL;
1490 const struct tls_extension_funcs *client_funcs;
1491 const struct tls_extension_funcs *server_funcs;
1492 int failure;
1493 size_t dlen;
1494 int alert;
1495 CBB cbb;
1496 CBS cbs;
1497
1498 failure = 1;
1499
1500 if (!CBB_init(&cbb, 0))
1501 errx(1, "Failed to create CBB");
1502
1503 if ((ssl_ctx = SSL_CTX_new(TLS_server_method())) == NULL)
1504 errx(1, "failed to create SSL_CTX");
1505 if ((ssl = SSL_new(ssl_ctx)) == NULL)
1506 errx(1, "failed to create SSL");
1507
1508 if (!tls_extension_funcs(TLSEXT_TYPE_renegotiate, &client_funcs,
1509 &server_funcs))
1510 errx(1, "failed to fetch ri funcs");
1511
1512 ssl->version = TLS1_2_VERSION;
1513 if (server_funcs->needs(ssl, SSL_TLSEXT_MSG_SH)) {
1514 FAIL("server should not need RI\n");
1515 goto err;
1516 }
1517
1518 ssl->s3->send_connection_binding = 1;
1519
1520 if (!server_funcs->needs(ssl, SSL_TLSEXT_MSG_SH)) {
1521 FAIL("server should need RI\n");
1522 goto err;
1523 }
1524
1525 memcpy(ssl->s3->previous_client_finished, tlsext_ri_prev_client,
1526 sizeof(tlsext_ri_prev_client));
1527 ssl->s3->previous_client_finished_len = sizeof(tlsext_ri_prev_client);
1528
1529 memcpy(ssl->s3->previous_server_finished, tlsext_ri_prev_server,
1530 sizeof(tlsext_ri_prev_server));
1531 ssl->s3->previous_server_finished_len = sizeof(tlsext_ri_prev_server);
1532
1533 ssl->s3->renegotiate_seen = 0;
1534
1535 if (!server_funcs->build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) {
1536 FAIL("server failed to build RI\n");
1537 goto err;
1538 }
1539
1540 if (!CBB_finish(&cbb, &data, &dlen))
1541 errx(1, "failed to finish CBB");
1542
1543 if (dlen != sizeof(tlsext_ri_server)) {
1544 FAIL("got server RI with length %zu, "
1545 "want length %zu\n", dlen, sizeof(tlsext_ri_server));
1546 goto err;
1547 }
1548
1549 if (memcmp(data, tlsext_ri_server, dlen) != 0) {
1550 FAIL("server RI differs:\n");
1551 fprintf(stderr, "received:\n");
1552 hexdump(data, dlen);
1553 fprintf(stderr, "test data:\n");
1554 hexdump(tlsext_ri_server, sizeof(tlsext_ri_server));
1555 goto err;
1556 }
1557
1558 CBS_init(&cbs, tlsext_ri_server, sizeof(tlsext_ri_server));
1559 if (!client_funcs->process(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
1560 FAIL("failed to parse server RI\n");
1561 goto err;
1562 }
1563 if (CBS_len(&cbs) != 0) {
1564 FAIL("extension data remaining\n");
1565 goto err;
1566 }
1567
1568 if (ssl->s3->renegotiate_seen != 1) {
1569 FAIL("renegotiate seen not set\n");
1570 goto err;
1571 }
1572 if (ssl->s3->send_connection_binding != 1) {
1573 FAIL("send connection binding not set\n");
1574 goto err;
1575 }
1576
1577 memset(ssl->s3->previous_client_finished, 0,
1578 sizeof(ssl->s3->previous_client_finished));
1579 memset(ssl->s3->previous_server_finished, 0,
1580 sizeof(ssl->s3->previous_server_finished));
1581
1582 ssl->s3->renegotiate_seen = 0;
1583
1584 CBS_init(&cbs, tlsext_ri_server, sizeof(tlsext_ri_server));
1585 if (client_funcs->process(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
1586 FAIL("parsed invalid server RI\n");
1587 goto err;
1588 }
1589
1590 if (ssl->s3->renegotiate_seen == 1) {
1591 FAIL("renegotiate seen set\n");
1592 goto err;
1593 }
1594
1595 failure = 0;
1596
1597 err:
1598 CBB_cleanup(&cbb);
1599 SSL_CTX_free(ssl_ctx);
1600 SSL_free(ssl);
1601 free(data);
1602
1603 return (failure);
1604 }
1605
1606 /*
1607 * Signature Algorithms - RFC 5246 section 7.4.1.4.1.
1608 */
1609
1610 static const unsigned char tlsext_sigalgs_client[] = {
1611 0x00, 0x16, 0x08, 0x06, 0x06, 0x01, 0x06, 0x03,
1612 0x08, 0x05, 0x05, 0x01, 0x05, 0x03, 0x08, 0x04,
1613 0x04, 0x01, 0x04, 0x03, 0x02, 0x01, 0x02, 0x03,
1614 };
1615
1616 static int
test_tlsext_sigalgs_client(void)1617 test_tlsext_sigalgs_client(void)
1618 {
1619 unsigned char *data = NULL;
1620 SSL_CTX *ssl_ctx = NULL;
1621 SSL *ssl = NULL;
1622 const struct tls_extension_funcs *client_funcs;
1623 const struct tls_extension_funcs *server_funcs;
1624 int failure;
1625 size_t dlen;
1626 int alert;
1627 CBB cbb;
1628 CBS cbs;
1629
1630 failure = 1;
1631
1632 if (!CBB_init(&cbb, 0))
1633 errx(1, "Failed to create CBB");
1634
1635 if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL)
1636 errx(1, "failed to create SSL_CTX");
1637 if ((ssl = SSL_new(ssl_ctx)) == NULL)
1638 errx(1, "failed to create SSL");
1639
1640 if (!tls_extension_funcs(TLSEXT_TYPE_signature_algorithms,
1641 &client_funcs, &server_funcs))
1642 errx(1, "failed to fetch sigalgs funcs");
1643
1644 ssl->s3->hs.our_max_tls_version = TLS1_1_VERSION;
1645
1646 if (client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
1647 FAIL("client should not need sigalgs\n");
1648 goto done;
1649 }
1650
1651 ssl->s3->hs.our_max_tls_version = TLS1_2_VERSION;
1652
1653 if (!client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
1654 FAIL("client should need sigalgs\n");
1655 goto done;
1656 }
1657
1658 if (!client_funcs->build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
1659 FAIL("client failed to build sigalgs\n");
1660 goto done;
1661 }
1662
1663 if (!CBB_finish(&cbb, &data, &dlen))
1664 errx(1, "failed to finish CBB");
1665
1666 if (dlen != sizeof(tlsext_sigalgs_client)) {
1667 FAIL("got client sigalgs length %zu, "
1668 "want length %zu\n", dlen, sizeof(tlsext_sigalgs_client));
1669 goto done;
1670 }
1671
1672 if (memcmp(data, tlsext_sigalgs_client, dlen) != 0) {
1673 FAIL("client SNI differs:\n");
1674 fprintf(stderr, "received:\n");
1675 hexdump(data, dlen);
1676 fprintf(stderr, "test data:\n");
1677 hexdump(tlsext_sigalgs_client, sizeof(tlsext_sigalgs_client));
1678 goto done;
1679 }
1680
1681 CBS_init(&cbs, tlsext_sigalgs_client, sizeof(tlsext_sigalgs_client));
1682 if (!server_funcs->process(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
1683 FAIL("failed to parse client SNI\n");
1684 goto done;
1685 }
1686 if (CBS_len(&cbs) != 0) {
1687 FAIL("extension data remaining\n");
1688 goto done;
1689 }
1690
1691 failure = 0;
1692
1693 done:
1694 CBB_cleanup(&cbb);
1695 SSL_CTX_free(ssl_ctx);
1696 SSL_free(ssl);
1697 free(data);
1698
1699 return (failure);
1700 }
1701
1702 #if 0
1703 static int
1704 test_tlsext_sigalgs_server(void)
1705 {
1706 unsigned char *data = NULL;
1707 SSL_CTX *ssl_ctx = NULL;
1708 SSL *ssl = NULL;
1709 const struct tls_extension_funcs *client_funcs;
1710 const struct tls_extension_funcs *server_funcs;
1711 int failure;
1712 size_t dlen;
1713 int alert;
1714 CBB cbb;
1715 CBS cbs;
1716
1717 failure = 1;
1718
1719 if (!CBB_init(&cbb, 0))
1720 errx(1, "Failed to create CBB");
1721
1722 if ((ssl_ctx = SSL_CTX_new(TLS_server_method())) == NULL)
1723 errx(1, "failed to create SSL_CTX");
1724 if ((ssl = SSL_new(ssl_ctx)) == NULL)
1725 errx(1, "failed to create SSL");
1726
1727 if (!tls_extension_funcs(TLSEXT_TYPE_server_name, &client_funcs,
1728 &server_funcs))
1729 errx(1, "failed to fetch sigalgs funcs");
1730
1731 if (server_funcs->needs(ssl, SSL_TLSEXT_MSG_SH)) {
1732 FAIL("server should not need sigalgs\n");
1733 goto done;
1734 }
1735
1736 if (server_funcs->build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) {
1737 FAIL("server should not build sigalgs\n");
1738 goto done;
1739 }
1740
1741 if (!CBB_finish(&cbb, &data, &dlen))
1742 errx(1, "failed to finish CBB");
1743
1744 CBS_init(&cbs, tlsext_sigalgs_client, sizeof(tlsext_sigalgs_client));
1745 if (!client_funcs->process(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
1746 FAIL("server should not parse sigalgs\n");
1747 goto done;
1748 }
1749
1750 failure = 0;
1751
1752 done:
1753 CBB_cleanup(&cbb);
1754 SSL_CTX_free(ssl_ctx);
1755 SSL_free(ssl);
1756 free(data);
1757
1758 return (failure);
1759 }
1760 #endif
1761
1762 /*
1763 * Server Name Indication - RFC 6066 section 3.
1764 */
1765
1766 #define TEST_SNI_SERVERNAME "www.libressl.org"
1767
1768 static const unsigned char tlsext_sni_client[] = {
1769 0x00, 0x13, 0x00, 0x00, 0x10, 0x77, 0x77, 0x77,
1770 0x2e, 0x6c, 0x69, 0x62, 0x72, 0x65, 0x73, 0x73,
1771 0x6c, 0x2e, 0x6f, 0x72, 0x67,
1772 };
1773
1774 /* An empty array is an incomplete type and sizeof() is undefined. */
1775 static const unsigned char tlsext_sni_server[] = {
1776 0x00,
1777 };
1778 static size_t tlsext_sni_server_len = 0;
1779
1780 static int
test_tlsext_sni_client(void)1781 test_tlsext_sni_client(void)
1782 {
1783 unsigned char *data = NULL;
1784 SSL_CTX *ssl_ctx = NULL;
1785 SSL *ssl = NULL;
1786 const struct tls_extension_funcs *client_funcs;
1787 const struct tls_extension_funcs *server_funcs;
1788 int failure;
1789 size_t dlen;
1790 int alert;
1791 CBB cbb;
1792 CBS cbs;
1793
1794 failure = 1;
1795
1796 if (!CBB_init(&cbb, 0))
1797 errx(1, "Failed to create CBB");
1798
1799 if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL)
1800 errx(1, "failed to create SSL_CTX");
1801 if ((ssl = SSL_new(ssl_ctx)) == NULL)
1802 errx(1, "failed to create SSL");
1803
1804 if (!tls_extension_funcs(TLSEXT_TYPE_server_name, &client_funcs,
1805 &server_funcs))
1806 errx(1, "failed to fetch sni funcs");
1807
1808 if (client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
1809 FAIL("client should not need SNI\n");
1810 goto err;
1811 }
1812
1813 if (!SSL_set_tlsext_host_name(ssl, TEST_SNI_SERVERNAME)) {
1814 FAIL("client failed to set server name\n");
1815 goto err;
1816 }
1817
1818 if (!client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
1819 FAIL("client should need SNI\n");
1820 goto err;
1821 }
1822
1823 if (!client_funcs->build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
1824 FAIL("client failed to build SNI\n");
1825 goto err;
1826 }
1827
1828 if (!CBB_finish(&cbb, &data, &dlen)) {
1829 FAIL("failed to finish CBB");
1830 goto err;
1831 }
1832
1833 if (dlen != sizeof(tlsext_sni_client)) {
1834 FAIL("got client SNI with length %zu, "
1835 "want length %zu\n", dlen, sizeof(tlsext_sni_client));
1836 goto err;
1837 }
1838
1839 if (memcmp(data, tlsext_sni_client, dlen) != 0) {
1840 FAIL("client SNI differs:\n");
1841 fprintf(stderr, "received:\n");
1842 hexdump(data, dlen);
1843 fprintf(stderr, "test data:\n");
1844 hexdump(tlsext_sni_client, sizeof(tlsext_sni_client));
1845 goto err;
1846 }
1847
1848 /*
1849 * SSL_set_tlsext_host_name() may be called with a NULL host name to
1850 * disable SNI.
1851 */
1852 if (!SSL_set_tlsext_host_name(ssl, NULL)) {
1853 FAIL("cannot set host name to NULL");
1854 goto err;
1855 }
1856
1857 if (client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
1858 FAIL("client should not need SNI\n");
1859 goto err;
1860 }
1861
1862 if ((ssl->session = SSL_SESSION_new()) == NULL) {
1863 FAIL("failed to create session");
1864 goto err;
1865 }
1866
1867 ssl->hit = 0;
1868
1869 CBS_init(&cbs, tlsext_sni_client, sizeof(tlsext_sni_client));
1870 if (!server_funcs->process(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
1871 FAIL("failed to parse client SNI\n");
1872 goto err;
1873 }
1874 if (CBS_len(&cbs) != 0) {
1875 FAIL("extension data remaining\n");
1876 goto err;
1877 }
1878
1879 if (ssl->session->tlsext_hostname == NULL) {
1880 FAIL("no tlsext_hostname from client SNI\n");
1881 goto err;
1882 }
1883
1884 if (strlen(ssl->session->tlsext_hostname) != strlen(TEST_SNI_SERVERNAME) ||
1885 strncmp(ssl->session->tlsext_hostname, TEST_SNI_SERVERNAME,
1886 strlen(TEST_SNI_SERVERNAME)) != 0) {
1887 FAIL("got tlsext_hostname `%s', want `%s'\n",
1888 ssl->session->tlsext_hostname, TEST_SNI_SERVERNAME);
1889 goto err;
1890 }
1891
1892 ssl->hit = 1;
1893
1894 free(ssl->session->tlsext_hostname);
1895 if ((ssl->session->tlsext_hostname = strdup("notthesame.libressl.org")) ==
1896 NULL) {
1897 FAIL("failed to strdup tlsext_hostname");
1898 goto err;
1899 }
1900
1901 CBS_init(&cbs, tlsext_sni_client, sizeof(tlsext_sni_client));
1902 if (server_funcs->process(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
1903 FAIL("parsed client with mismatched SNI\n");
1904 goto err;
1905 }
1906
1907 failure = 0;
1908
1909 err:
1910 CBB_cleanup(&cbb);
1911 SSL_CTX_free(ssl_ctx);
1912 SSL_free(ssl);
1913 free(data);
1914
1915 return (failure);
1916 }
1917
1918 static int
test_tlsext_sni_server(void)1919 test_tlsext_sni_server(void)
1920 {
1921 unsigned char *data = NULL;
1922 SSL_CTX *ssl_ctx = NULL;
1923 SSL *ssl = NULL;
1924 const struct tls_extension_funcs *client_funcs;
1925 const struct tls_extension_funcs *server_funcs;
1926 int failure;
1927 size_t dlen;
1928 int alert;
1929 CBB cbb;
1930 CBS cbs;
1931
1932 failure = 1;
1933
1934 if (!CBB_init(&cbb, 0))
1935 errx(1, "Failed to create CBB");
1936
1937 if ((ssl_ctx = SSL_CTX_new(TLS_server_method())) == NULL)
1938 errx(1, "failed to create SSL_CTX");
1939 if ((ssl = SSL_new(ssl_ctx)) == NULL)
1940 errx(1, "failed to create SSL");
1941
1942 if (!tls_extension_funcs(TLSEXT_TYPE_server_name, &client_funcs,
1943 &server_funcs))
1944 errx(1, "failed to fetch sni funcs");
1945
1946 if ((ssl->session = SSL_SESSION_new()) == NULL)
1947 errx(1, "failed to create session");
1948
1949 if (server_funcs->needs(ssl, SSL_TLSEXT_MSG_SH)) {
1950 FAIL("server should not need SNI\n");
1951 goto err;
1952 }
1953
1954 if (!SSL_set_tlsext_host_name(ssl, TEST_SNI_SERVERNAME)) {
1955 FAIL("client failed to set server name\n");
1956 goto err;
1957 }
1958
1959 if ((ssl->session->tlsext_hostname = strdup(TEST_SNI_SERVERNAME)) ==
1960 NULL)
1961 errx(1, "failed to strdup tlsext_hostname");
1962
1963 if (!server_funcs->needs(ssl, SSL_TLSEXT_MSG_SH)) {
1964 FAIL("server should need SNI\n");
1965 goto err;
1966 }
1967
1968 if (!server_funcs->build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) {
1969 FAIL("server failed to build SNI\n");
1970 goto err;
1971 }
1972
1973 if (!CBB_finish(&cbb, &data, &dlen))
1974 errx(1, "failed to finish CBB");
1975
1976 if (dlen != tlsext_sni_server_len) {
1977 FAIL("got server SNI with length %zu, "
1978 "want length %zu\n", dlen, tlsext_sni_server_len);
1979 goto err;
1980 }
1981
1982 if (memcmp(data, tlsext_sni_server, dlen) != 0) {
1983 FAIL("server SNI differs:\n");
1984 fprintf(stderr, "received:\n");
1985 hexdump(data, dlen);
1986 fprintf(stderr, "test data:\n");
1987 hexdump(tlsext_sni_server, tlsext_sni_server_len);
1988 goto err;
1989 }
1990
1991 free(ssl->session->tlsext_hostname);
1992 ssl->session->tlsext_hostname = NULL;
1993
1994 CBS_init(&cbs, tlsext_sni_server, tlsext_sni_server_len);
1995 if (!client_funcs->process(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
1996 FAIL("failed to parse server SNI\n");
1997 goto err;
1998 }
1999 if (CBS_len(&cbs) != 0) {
2000 FAIL("extension data remaining\n");
2001 goto err;
2002 }
2003
2004 if (ssl->session->tlsext_hostname == NULL) {
2005 FAIL("no tlsext_hostname after server SNI\n");
2006 goto err;
2007 }
2008
2009 if (strlen(ssl->session->tlsext_hostname) != strlen(TEST_SNI_SERVERNAME) ||
2010 strncmp(ssl->session->tlsext_hostname, TEST_SNI_SERVERNAME,
2011 strlen(TEST_SNI_SERVERNAME)) != 0) {
2012 FAIL("got tlsext_hostname `%s', want `%s'\n",
2013 ssl->session->tlsext_hostname, TEST_SNI_SERVERNAME);
2014 goto err;
2015 }
2016
2017 failure = 0;
2018
2019 err:
2020 CBB_cleanup(&cbb);
2021 SSL_CTX_free(ssl_ctx);
2022 SSL_free(ssl);
2023 free(data);
2024
2025 return (failure);
2026 }
2027
2028
2029 /*
2030 * QUIC transport parameters extension - RFC 90210 :)
2031 */
2032
2033 static const unsigned char tlsext_quic_transport_data[] = {
2034 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
2035 0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
2036 };
2037
2038 static int
test_tlsext_quic_transport_parameters_client(void)2039 test_tlsext_quic_transport_parameters_client(void)
2040 {
2041 const SSL_QUIC_METHOD quic_method = {0};
2042 unsigned char *data = NULL;
2043 SSL_CTX *ssl_ctx = NULL;
2044 SSL *ssl = NULL;
2045 const struct tls_extension_funcs *client_funcs;
2046 const struct tls_extension_funcs *server_funcs;
2047 int failure;
2048 size_t dlen;
2049 CBB cbb;
2050 CBS cbs;
2051 int alert;
2052 const uint8_t *out_bytes;
2053 size_t out_bytes_len;
2054
2055 failure = 1;
2056
2057 if (!CBB_init(&cbb, 0))
2058 errx(1, "Failed to create CBB");
2059
2060 if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL)
2061 errx(1, "failed to create SSL_CTX");
2062 if ((ssl = SSL_new(ssl_ctx)) == NULL)
2063 errx(1, "failed to create SSL");
2064
2065 if (!tls_extension_funcs(TLSEXT_TYPE_quic_transport_parameters,
2066 &client_funcs, &server_funcs))
2067 errx(1, "failed to fetch quic transport parameter funcs");
2068
2069 if (client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
2070 FAIL("client should not need QUIC\n");
2071 goto err;
2072 }
2073
2074 if (!SSL_set_quic_transport_params(ssl,
2075 tlsext_quic_transport_data, sizeof(tlsext_quic_transport_data))) {
2076 FAIL("client failed to set QUIC parameters\n");
2077 goto err;
2078 }
2079
2080 if (client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
2081 FAIL("client should not need QUIC\n");
2082 goto err;
2083 }
2084
2085 ssl->s3->hs.our_max_tls_version = TLS1_3_VERSION;
2086 ssl->s3->hs.negotiated_tls_version = TLS1_3_VERSION;
2087
2088 if (client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
2089 FAIL("client should not need QUIC\n");
2090 goto err;
2091 }
2092
2093 ssl->quic_method = &quic_method;
2094
2095 if (!client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
2096 FAIL("client should need QUIC\n");
2097 goto err;
2098 }
2099
2100 if (!client_funcs->build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
2101 FAIL("client failed to build QUIC\n");
2102 goto err;
2103 }
2104
2105 if (!CBB_finish(&cbb, &data, &dlen)) {
2106 FAIL("failed to finish CBB");
2107 goto err;
2108 }
2109
2110 if (dlen != sizeof(tlsext_quic_transport_data)) {
2111 FAIL("got client QUIC with length %zu, "
2112 "want length %zu\n", dlen,
2113 sizeof(tlsext_quic_transport_data));
2114 goto err;
2115 }
2116
2117 if (memcmp(data, tlsext_quic_transport_data, dlen) != 0) {
2118 FAIL("client QUIC differs:\n");
2119 fprintf(stderr, "received:\n");
2120 hexdump(data, dlen);
2121 fprintf(stderr, "test data:\n");
2122 hexdump(tlsext_quic_transport_data,
2123 sizeof(tlsext_quic_transport_data));
2124 goto err;
2125 }
2126
2127 CBS_init(&cbs, tlsext_quic_transport_data,
2128 sizeof(tlsext_quic_transport_data));
2129 if (!server_funcs->process(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
2130 FAIL("server_parse of QUIC from server failed\n");
2131 goto err;
2132 }
2133 if (CBS_len(&cbs) != 0) {
2134 FAIL("extension data remaining\n");
2135 goto err;
2136 }
2137
2138 SSL_get_peer_quic_transport_params(ssl, &out_bytes, &out_bytes_len);
2139
2140 if (out_bytes_len != sizeof(tlsext_quic_transport_data)) {
2141 FAIL("server_parse QUIC length differs, got %zu want %zu\n",
2142 out_bytes_len,
2143 sizeof(tlsext_quic_transport_data));
2144 goto err;
2145 }
2146
2147 if (memcmp(out_bytes, tlsext_quic_transport_data,
2148 out_bytes_len) != 0) {
2149 FAIL("server_parse QUIC differs from sent:\n");
2150 fprintf(stderr, "received:\n");
2151 hexdump(data, dlen);
2152 fprintf(stderr, "test data:\n");
2153 hexdump(tlsext_quic_transport_data,
2154 sizeof(tlsext_quic_transport_data));
2155 goto err;
2156 }
2157
2158 failure = 0;
2159
2160 err:
2161 CBB_cleanup(&cbb);
2162 SSL_CTX_free(ssl_ctx);
2163 SSL_free(ssl);
2164 free(data);
2165
2166 return (failure);
2167 }
2168
2169 static int
test_tlsext_quic_transport_parameters_server(void)2170 test_tlsext_quic_transport_parameters_server(void)
2171 {
2172 const SSL_QUIC_METHOD quic_method = {0};
2173 unsigned char *data = NULL;
2174 SSL_CTX *ssl_ctx = NULL;
2175 SSL *ssl = NULL;
2176 const struct tls_extension_funcs *client_funcs;
2177 const struct tls_extension_funcs *server_funcs;
2178 int failure;
2179 size_t dlen;
2180 int alert;
2181 CBB cbb;
2182 CBS cbs;
2183 const uint8_t *out_bytes;
2184 size_t out_bytes_len;
2185
2186 failure = 1;
2187
2188 if (!CBB_init(&cbb, 0))
2189 errx(1, "Failed to create CBB");
2190
2191 if ((ssl_ctx = SSL_CTX_new(TLS_server_method())) == NULL)
2192 errx(1, "failed to create SSL_CTX");
2193 if ((ssl = SSL_new(ssl_ctx)) == NULL)
2194 errx(1, "failed to create SSL");
2195
2196 if (!tls_extension_funcs(TLSEXT_TYPE_quic_transport_parameters,
2197 &client_funcs, &server_funcs))
2198 errx(1, "failed to fetch quic transport parameter funcs");
2199
2200 if (server_funcs->needs(ssl, SSL_TLSEXT_MSG_SH)) {
2201 FAIL("server should not need QUIC\n");
2202 goto err;
2203 }
2204
2205 if (!SSL_set_quic_transport_params(ssl,
2206 tlsext_quic_transport_data, sizeof(tlsext_quic_transport_data))) {
2207 FAIL("server failed to set QUIC parametes\n");
2208 goto err;
2209 }
2210
2211 if (server_funcs->needs(ssl, SSL_TLSEXT_MSG_EE)) {
2212 FAIL("server should not need QUIC\n");
2213 goto err;
2214 }
2215
2216 ssl->quic_method = &quic_method;
2217
2218 if (!server_funcs->needs(ssl, SSL_TLSEXT_MSG_EE)) {
2219 FAIL("server should need QUIC\n");
2220 goto err;
2221 }
2222
2223 if (!server_funcs->build(ssl, SSL_TLSEXT_MSG_EE, &cbb)) {
2224 FAIL("server failed to build QUIC\n");
2225 goto err;
2226 }
2227
2228 if (!CBB_finish(&cbb, &data, &dlen))
2229 errx(1, "failed to finish CBB");
2230
2231 if (dlen != sizeof(tlsext_quic_transport_data)) {
2232 FAIL("got server QUIC with length %zu, want length %zu\n",
2233 dlen, sizeof(tlsext_quic_transport_data));
2234 goto err;
2235 }
2236
2237 if (memcmp(data, tlsext_quic_transport_data, dlen) != 0) {
2238 FAIL("saved server QUIC differs:\n");
2239 fprintf(stderr, "received:\n");
2240 hexdump(data, dlen);
2241 fprintf(stderr, "test data:\n");
2242 hexdump(tlsext_quic_transport_data,
2243 sizeof(tlsext_quic_transport_data));
2244 goto err;
2245 }
2246
2247 CBS_init(&cbs, tlsext_quic_transport_data,
2248 sizeof(tlsext_quic_transport_data));
2249
2250 ssl->quic_method = NULL;
2251
2252 if (client_funcs->process(ssl, SSL_TLSEXT_MSG_EE, &cbs, &alert)) {
2253 FAIL("QUIC parse should have failed!\n");
2254 goto err;
2255 }
2256
2257 ssl->quic_method = &quic_method;
2258
2259 if (!client_funcs->process(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
2260 FAIL("client_parse of QUIC from server failed\n");
2261 goto err;
2262 }
2263 if (CBS_len(&cbs) != 0) {
2264 FAIL("extension data remaining\n");
2265 goto err;
2266 }
2267
2268 SSL_get_peer_quic_transport_params(ssl, &out_bytes, &out_bytes_len);
2269
2270 if (out_bytes_len != sizeof(tlsext_quic_transport_data)) {
2271 FAIL("client QUIC length differs, got %zu want %zu\n",
2272 out_bytes_len,
2273 sizeof(tlsext_quic_transport_data));
2274 goto err;
2275 }
2276
2277 if (memcmp(out_bytes, tlsext_quic_transport_data, out_bytes_len) != 0) {
2278 FAIL("client QUIC differs from sent:\n");
2279 fprintf(stderr, "received:\n");
2280 hexdump(data, dlen);
2281 fprintf(stderr, "test data:\n");
2282 hexdump(tlsext_quic_transport_data,
2283 sizeof(tlsext_quic_transport_data));
2284 goto err;
2285 }
2286
2287 failure = 0;
2288
2289 err:
2290 CBB_cleanup(&cbb);
2291 SSL_CTX_free(ssl_ctx);
2292 SSL_free(ssl);
2293 free(data);
2294
2295 return (failure);
2296 }
2297
2298 static const unsigned char tls_ocsp_client_default[] = {
2299 0x01, 0x00, 0x00, 0x00, 0x00
2300 };
2301
2302 static int
test_tlsext_ocsp_client(void)2303 test_tlsext_ocsp_client(void)
2304 {
2305 unsigned char *data = NULL;
2306 SSL_CTX *ssl_ctx = NULL;
2307 SSL *ssl = NULL;
2308 const struct tls_extension_funcs *client_funcs;
2309 const struct tls_extension_funcs *server_funcs;
2310 size_t dlen;
2311 int failure;
2312 int alert;
2313 CBB cbb;
2314 CBS cbs;
2315
2316 failure = 1;
2317
2318 if (!CBB_init(&cbb, 0))
2319 errx(1, "Failed to create CBB");
2320
2321 if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL)
2322 errx(1, "failed to create SSL_CTX");
2323 if ((ssl = SSL_new(ssl_ctx)) == NULL)
2324 errx(1, "failed to create SSL");
2325
2326 if (!tls_extension_funcs(TLSEXT_TYPE_status_request, &client_funcs,
2327 &server_funcs))
2328 errx(1, "failed to fetch ocsp funcs");
2329
2330 if (client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
2331 FAIL("client should not need TLSEXT_TYPE_status_request\n");
2332 goto err;
2333 }
2334 SSL_set_tlsext_status_type(ssl, TLSEXT_STATUSTYPE_ocsp);
2335
2336 if (!client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
2337 FAIL("client should need TLSEXT_TYPE_status_request\n");
2338 goto err;
2339 }
2340 if (!client_funcs->build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
2341 FAIL("client failed to build SNI\n");
2342 goto err;
2343 }
2344 if (!CBB_finish(&cbb, &data, &dlen))
2345 errx(1, "failed to finish CBB");
2346
2347 if (dlen != sizeof(tls_ocsp_client_default)) {
2348 FAIL("got TLSEXT_TYPE_status_request client with length %zu, "
2349 "want length %zu\n", dlen,
2350 sizeof(tls_ocsp_client_default));
2351 goto err;
2352 }
2353 if (memcmp(data, tls_ocsp_client_default, dlen) != 0) {
2354 FAIL("TLSEXT_TYPE_status_request client differs:\n");
2355 fprintf(stderr, "received:\n");
2356 hexdump(data, dlen);
2357 fprintf(stderr, "test data:\n");
2358 hexdump(tls_ocsp_client_default,
2359 sizeof(tls_ocsp_client_default));
2360 goto err;
2361 }
2362 CBS_init(&cbs, tls_ocsp_client_default,
2363 sizeof(tls_ocsp_client_default));
2364 if (!server_funcs->process(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
2365 FAIL("failed to parse TLSEXT_TYPE_status_request client\n");
2366 goto err;
2367 }
2368 if (CBS_len(&cbs) != 0) {
2369 FAIL("extension data remaining\n");
2370 goto err;
2371 }
2372
2373 failure = 0;
2374
2375 err:
2376 CBB_cleanup(&cbb);
2377 SSL_CTX_free(ssl_ctx);
2378 SSL_free(ssl);
2379 free(data);
2380
2381 return (failure);
2382 }
2383
2384 static int
test_tlsext_ocsp_server(void)2385 test_tlsext_ocsp_server(void)
2386 {
2387 unsigned char *data = NULL;
2388 SSL_CTX *ssl_ctx = NULL;
2389 SSL *ssl = NULL;
2390 const struct tls_extension_funcs *client_funcs;
2391 const struct tls_extension_funcs *server_funcs;
2392 size_t dlen;
2393 int failure;
2394 CBB cbb;
2395
2396 failure = 1;
2397
2398 if (!CBB_init(&cbb, 0))
2399 errx(1, "Failed to create CBB");
2400
2401 if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL)
2402 errx(1, "failed to create SSL_CTX");
2403 if ((ssl = SSL_new(ssl_ctx)) == NULL)
2404 errx(1, "failed to create SSL");
2405
2406 if (!tls_extension_funcs(TLSEXT_TYPE_status_request, &client_funcs,
2407 &server_funcs))
2408 errx(1, "failed to fetch ocsp funcs");
2409
2410 if (server_funcs->needs(ssl, SSL_TLSEXT_MSG_SH)) {
2411 FAIL("server should not need TLSEXT_TYPE_status_request\n");
2412 goto err;
2413 }
2414
2415 ssl->tlsext_status_expected = 1;
2416
2417 if (!server_funcs->needs(ssl, SSL_TLSEXT_MSG_SH)) {
2418 FAIL("server should need TLSEXT_TYPE_status_request\n");
2419 goto err;
2420 }
2421 if (!server_funcs->build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) {
2422 FAIL("server failed to build TLSEXT_TYPE_status_request\n");
2423 goto err;
2424 }
2425
2426 if (!CBB_finish(&cbb, &data, &dlen))
2427 errx(1, "failed to finish CBB");
2428
2429 failure = 0;
2430
2431 err:
2432 CBB_cleanup(&cbb);
2433 SSL_CTX_free(ssl_ctx);
2434 SSL_free(ssl);
2435 free(data);
2436
2437 return (failure);
2438 }
2439
2440 /*
2441 * Session ticket - RFC 5077 since no known implementations use 4507.
2442 *
2443 * Session tickets can be length 0 (special case) to 2^16-1.
2444 *
2445 * The state is encrypted by the server so it is opaque to the client.
2446 */
2447 static uint8_t tlsext_sessionticket_hello_min[1];
2448 static uint8_t tlsext_sessionticket_hello_max[65535];
2449
2450 static int
test_tlsext_sessionticket_client(void)2451 test_tlsext_sessionticket_client(void)
2452 {
2453 unsigned char *data = NULL;
2454 SSL_CTX *ssl_ctx = NULL;
2455 SSL *ssl = NULL;
2456 const struct tls_extension_funcs *client_funcs;
2457 const struct tls_extension_funcs *server_funcs;
2458 int failure;
2459 CBB cbb;
2460 size_t dlen;
2461 uint8_t dummy[1234];
2462
2463 failure = 1;
2464
2465 if (!CBB_init(&cbb, 0))
2466 errx(1, "Failed to create CBB");
2467
2468 /* Create fake session tickets with random data. */
2469 arc4random_buf(tlsext_sessionticket_hello_min,
2470 sizeof(tlsext_sessionticket_hello_min));
2471 arc4random_buf(tlsext_sessionticket_hello_max,
2472 sizeof(tlsext_sessionticket_hello_max));
2473
2474 if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL)
2475 errx(1, "failed to create SSL_CTX");
2476 if ((ssl = SSL_new(ssl_ctx)) == NULL)
2477 errx(1, "failed to create SSL");
2478
2479 if (!tls_extension_funcs(TLSEXT_TYPE_session_ticket, &client_funcs,
2480 &server_funcs))
2481 errx(1, "failed to fetch session ticket funcs");
2482
2483 /* Should need a ticket by default. */
2484 if (!client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
2485 FAIL("client should need Sessionticket for default "
2486 "ciphers\n");
2487 goto err;
2488 }
2489
2490 /* Test disabling tickets. */
2491 if ((SSL_set_options(ssl, SSL_OP_NO_TICKET) & SSL_OP_NO_TICKET) == 0) {
2492 FAIL("Cannot disable tickets in the TLS connection\n");
2493 goto err;
2494 }
2495 if (client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
2496 FAIL("client should not need SessionTicket if it was disabled\n");
2497 goto err;
2498 }
2499
2500 /* Test re-enabling tickets. */
2501 if ((SSL_clear_options(ssl, SSL_OP_NO_TICKET) & SSL_OP_NO_TICKET) != 0) {
2502 FAIL("Cannot re-enable tickets in the TLS connection\n");
2503 goto err;
2504 }
2505 if (!client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
2506 FAIL("client should need SessionTicket if it was disabled\n");
2507 goto err;
2508 }
2509
2510 /* Since we don't have a session, we should build an empty ticket. */
2511 if (!client_funcs->build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
2512 FAIL("Cannot build a ticket\n");
2513 goto err;
2514 }
2515 if (!CBB_finish(&cbb, &data, &dlen)) {
2516 FAIL("Cannot finish CBB\n");
2517 goto err;
2518 }
2519 if (dlen != 0) {
2520 FAIL("Expected 0 length but found %zu\n", dlen);
2521 goto err;
2522 }
2523
2524 CBB_cleanup(&cbb);
2525 if (!CBB_init(&cbb, 0))
2526 errx(1, "Failed to create CBB");
2527 free(data);
2528 data = NULL;
2529
2530 /* With a new session (but no ticket), we should still have 0 length */
2531 if ((ssl->session = SSL_SESSION_new()) == NULL)
2532 errx(1, "failed to create session");
2533 if (!client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
2534 FAIL("Should still want a session ticket with a new session\n");
2535 goto err;
2536 }
2537 if (!client_funcs->build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
2538 FAIL("Cannot build a ticket\n");
2539 goto err;
2540 }
2541 if (!CBB_finish(&cbb, &data, &dlen)) {
2542 FAIL("Cannot finish CBB\n");
2543 goto err;
2544 }
2545 if (dlen != 0) {
2546 FAIL("Expected 0 length but found %zu\n", dlen);
2547 goto err;
2548 }
2549
2550 CBB_cleanup(&cbb);
2551 if (!CBB_init(&cbb, 0))
2552 errx(1, "Failed to create CBB");
2553 free(data);
2554 data = NULL;
2555
2556 /* With a new session (and ticket), we should use that ticket */
2557 SSL_SESSION_free(ssl->session);
2558 if ((ssl->session = SSL_SESSION_new()) == NULL)
2559 errx(1, "failed to create session");
2560
2561 arc4random_buf(&dummy, sizeof(dummy));
2562 if ((ssl->session->tlsext_tick = malloc(sizeof(dummy))) == NULL) {
2563 errx(1, "failed to malloc");
2564 }
2565 memcpy(ssl->session->tlsext_tick, dummy, sizeof(dummy));
2566 ssl->session->tlsext_ticklen = sizeof(dummy);
2567
2568 if (!client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
2569 FAIL("Should still want a session ticket with a new session\n");
2570 goto err;
2571 }
2572 if (!client_funcs->build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
2573 FAIL("Cannot build a ticket\n");
2574 goto err;
2575 }
2576 if (!CBB_finish(&cbb, &data, &dlen)) {
2577 FAIL("Cannot finish CBB\n");
2578 goto err;
2579 }
2580 if (dlen != sizeof(dummy)) {
2581 FAIL("Expected %zu length but found %zu\n", sizeof(dummy), dlen);
2582 goto err;
2583 }
2584 if (memcmp(data, dummy, dlen) != 0) {
2585 FAIL("server SNI differs:\n");
2586 compare_data(data, dlen,
2587 dummy, sizeof(dummy));
2588 goto err;
2589 }
2590
2591 CBB_cleanup(&cbb);
2592 if (!CBB_init(&cbb, 0))
2593 errx(1, "Failed to create CBB");
2594 free(data);
2595 data = NULL;
2596 free(ssl->session->tlsext_tick);
2597 ssl->session->tlsext_tick = NULL;
2598 ssl->session->tlsext_ticklen = 0;
2599
2600 /*
2601 * Send in NULL to disable session tickets at runtime without going
2602 * through SSL_set_options().
2603 */
2604 if (!SSL_set_session_ticket_ext(ssl, NULL, 0)) {
2605 FAIL("Could not set a NULL custom ticket\n");
2606 goto err;
2607 }
2608 /* Should not need a ticket in this case */
2609 if (client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
2610 FAIL("Should not want to use session tickets with a NULL custom\n");
2611 goto err;
2612 }
2613
2614 /*
2615 * If you want to remove the tlsext_session_ticket behavior, you have
2616 * to do it manually.
2617 */
2618 free(ssl->tlsext_session_ticket);
2619 ssl->tlsext_session_ticket = NULL;
2620
2621 if (!client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
2622 FAIL("Should need a session ticket again when the custom one is removed\n");
2623 goto err;
2624 }
2625
2626 /* Test a custom session ticket (not recommended in practice) */
2627 if (!SSL_set_session_ticket_ext(ssl, tlsext_sessionticket_hello_max,
2628 sizeof(tlsext_sessionticket_hello_max))) {
2629 FAIL("Should be able to set a custom ticket\n");
2630 goto err;
2631 }
2632 if (!client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
2633 FAIL("Should need a session ticket again when the custom one is not empty\n");
2634 goto err;
2635 }
2636 if (!client_funcs->build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
2637 FAIL("Cannot build a ticket with a max length random payload\n");
2638 goto err;
2639 }
2640 if (!CBB_finish(&cbb, &data, &dlen)) {
2641 FAIL("Cannot finish CBB\n");
2642 goto err;
2643 }
2644 if (dlen != sizeof(tlsext_sessionticket_hello_max)) {
2645 FAIL("Expected %zu length but found %zu\n",
2646 sizeof(tlsext_sessionticket_hello_max), dlen);
2647 goto err;
2648 }
2649 if (memcmp(data, tlsext_sessionticket_hello_max,
2650 sizeof(tlsext_sessionticket_hello_max)) != 0) {
2651 FAIL("Expected to get what we passed in\n");
2652 compare_data(data, dlen,
2653 tlsext_sessionticket_hello_max,
2654 sizeof(tlsext_sessionticket_hello_max));
2655 goto err;
2656 }
2657
2658 failure = 0;
2659
2660 err:
2661 CBB_cleanup(&cbb);
2662 SSL_CTX_free(ssl_ctx);
2663 SSL_free(ssl);
2664 free(data);
2665
2666 return (failure);
2667 }
2668
2669
2670 static int
test_tlsext_sessionticket_server(void)2671 test_tlsext_sessionticket_server(void)
2672 {
2673 SSL_CTX *ssl_ctx = NULL;
2674 SSL *ssl = NULL;
2675 const struct tls_extension_funcs *client_funcs;
2676 const struct tls_extension_funcs *server_funcs;
2677 int failure;
2678 uint8_t *data = NULL;
2679 size_t dlen;
2680 CBB cbb;
2681
2682 failure = 1;
2683
2684 if (!CBB_init(&cbb, 0))
2685 errx(1, "Failed to create CBB");
2686
2687 if ((ssl_ctx = SSL_CTX_new(TLS_server_method())) == NULL)
2688 errx(1, "failed to create SSL_CTX");
2689 if ((ssl = SSL_new(ssl_ctx)) == NULL)
2690 errx(1, "failed to create SSL");
2691
2692 if (!tls_extension_funcs(TLSEXT_TYPE_session_ticket, &client_funcs,
2693 &server_funcs))
2694 errx(1, "failed to fetch session ticket funcs");
2695
2696 /*
2697 * By default, should not need a session ticket since the ticket
2698 * is not yet expected.
2699 */
2700 if (server_funcs->needs(ssl, SSL_TLSEXT_MSG_SH)) {
2701 FAIL("server should not need SessionTicket by default\n");
2702 goto err;
2703 }
2704
2705 /* Test disabling tickets. */
2706 if ((SSL_set_options(ssl, SSL_OP_NO_TICKET) & SSL_OP_NO_TICKET) == 0) {
2707 FAIL("Cannot disable tickets in the TLS connection\n");
2708 goto err;
2709 }
2710 if (server_funcs->needs(ssl, SSL_TLSEXT_MSG_SH)) {
2711 FAIL("server should not need SessionTicket if it was disabled\n");
2712 goto err;
2713 }
2714
2715 /* Test re-enabling tickets. */
2716 if ((SSL_clear_options(ssl, SSL_OP_NO_TICKET) & SSL_OP_NO_TICKET) != 0) {
2717 FAIL("Cannot re-enable tickets in the TLS connection\n");
2718 goto err;
2719 }
2720 if (server_funcs->needs(ssl, SSL_TLSEXT_MSG_SH)) {
2721 FAIL("server should not need SessionTicket yet\n");
2722 goto err;
2723 }
2724
2725 /* Set expected to require it. */
2726 ssl->tlsext_ticket_expected = 1;
2727 if (!server_funcs->needs(ssl, SSL_TLSEXT_MSG_SH)) {
2728 FAIL("server should now be required for SessionTicket\n");
2729 goto err;
2730 }
2731
2732 /* server hello's session ticket should always be 0 length payload. */
2733 if (!server_funcs->build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) {
2734 FAIL("Cannot build a ticket with a max length random payload\n");
2735 goto err;
2736 }
2737 if (!CBB_finish(&cbb, &data, &dlen)) {
2738 FAIL("Cannot finish CBB\n");
2739 goto err;
2740 }
2741 if (dlen != 0) {
2742 FAIL("Expected 0 length but found %zu\n", dlen);
2743 goto err;
2744 }
2745
2746 failure = 0;
2747
2748 err:
2749 CBB_cleanup(&cbb);
2750 SSL_CTX_free(ssl_ctx);
2751 SSL_free(ssl);
2752 free(data);
2753
2754 return (failure);
2755 }
2756
2757 #ifndef OPENSSL_NO_SRTP
2758 /*
2759 * Supported Secure Real-time Transport Protocol (RFC 5764 section 4.1.1)
2760 */
2761
2762 /* Colon separated string values */
2763 const char *tlsext_srtp_single_profile = "SRTP_AES128_CM_SHA1_80";
2764 const char *tlsext_srtp_multiple_profiles = "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32";
2765
2766 const char *tlsext_srtp_aes128cmsha80 = "SRTP_AES128_CM_SHA1_80";
2767 const char *tlsext_srtp_aes128cmsha32 = "SRTP_AES128_CM_SHA1_32";
2768
2769 const uint8_t tlsext_srtp_single[] = {
2770 /* SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1> */
2771 0x00, 0x02, /* len */
2772 0x00, 0x01, /* SRTP_AES128_CM_SHA1_80 */
2773 0x00 /* opaque srtp_mki<0..255> */
2774 };
2775
2776 const uint8_t tlsext_srtp_multiple[] = {
2777 /* SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1> */
2778 0x00, 0x04, /* len */
2779 0x00, 0x01, /* SRTP_AES128_CM_SHA1_80 */
2780 0x00, 0x02, /* SRTP_AES128_CM_SHA1_32 */
2781 0x00 /* opaque srtp_mki<0..255> */
2782 };
2783
2784 const uint8_t tlsext_srtp_multiple_invalid[] = {
2785 /* SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1> */
2786 0x00, 0x04, /* len */
2787 0x00, 0x08, /* arbitrary value not found in known profiles */
2788 0x00, 0x09, /* arbitrary value not found in known profiles */
2789 0x00 /* opaque srtp_mki<0..255> */
2790 };
2791
2792 const uint8_t tlsext_srtp_single_invalid[] = {
2793 /* SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1> */
2794 0x00, 0x02, /* len */
2795 0x00, 0x08, /* arbitrary value not found in known profiles */
2796 0x00 /* opaque srtp_mki<0..255> */
2797 };
2798
2799 const uint8_t tlsext_srtp_multiple_one_valid[] = {
2800 /* SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1> */
2801 0x00, 0x04, /* len */
2802 0x00, 0x08, /* arbitrary value not found in known profiles */
2803 0x00, 0x02, /* SRTP_AES128_CM_SHA1_32 */
2804 0x00 /* opaque srtp_mki<0..255> */
2805 };
2806
2807 static int
test_tlsext_srtp_client(void)2808 test_tlsext_srtp_client(void)
2809 {
2810 SRTP_PROTECTION_PROFILE *prof;
2811 SSL_CTX *ssl_ctx = NULL;
2812 SSL *ssl = NULL;
2813 const struct tls_extension_funcs *client_funcs;
2814 const struct tls_extension_funcs *server_funcs;
2815 uint8_t *data = NULL;
2816 CBB cbb;
2817 CBS cbs;
2818 int failure, alert;
2819 size_t dlen;
2820
2821 failure = 1;
2822
2823 if (!CBB_init(&cbb, 0))
2824 errx(1, "Failed to create CBB");
2825
2826 /* SRTP is for DTLS */
2827 if ((ssl_ctx = SSL_CTX_new(DTLSv1_client_method())) == NULL)
2828 errx(1, "failed to create SSL_CTX");
2829 if ((ssl = SSL_new(ssl_ctx)) == NULL)
2830 errx(1, "failed to create SSL");
2831
2832 if (!tls_extension_funcs(TLSEXT_TYPE_use_srtp, &client_funcs,
2833 &server_funcs))
2834 errx(1, "failed to fetch srtp funcs");
2835
2836 /* By default, we don't need this */
2837 if (client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
2838 FAIL("client should not need SRTP by default\n");
2839 goto err;
2840 }
2841
2842 if (SSL_set_tlsext_use_srtp(ssl, tlsext_srtp_single_profile) != 0) {
2843 FAIL("should be able to set a single SRTP\n");
2844 goto err;
2845 }
2846 if (!client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
2847 FAIL("client should need SRTP\n");
2848 goto err;
2849 }
2850
2851 /* Make sure we can build the client with a single profile. */
2852
2853 if (!client_funcs->build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
2854 FAIL("client failed to build SRTP\n");
2855 goto err;
2856 }
2857 if (!CBB_finish(&cbb, &data, &dlen))
2858 errx(1, "failed to finish CBB");
2859
2860 if (dlen != sizeof(tlsext_srtp_single)) {
2861 FAIL("got client SRTP with length %zu, "
2862 "want length %zu\n", dlen,
2863 sizeof(tlsext_srtp_single));
2864 compare_data(data, dlen, tlsext_srtp_single,
2865 sizeof(tlsext_srtp_single));
2866 goto err;
2867 }
2868 if (memcmp(data, tlsext_srtp_single, dlen) != 0) {
2869 FAIL("client SRTP differs:\n");
2870 compare_data(data, dlen, tlsext_srtp_single,
2871 sizeof(tlsext_srtp_single));
2872 goto err;
2873 }
2874
2875 CBB_cleanup(&cbb);
2876 if (!CBB_init(&cbb, 0))
2877 errx(1, "Failed to create CBB");
2878 free(data);
2879 data = NULL;
2880
2881 /* Make sure we can parse the single profile. */
2882
2883 if (SSL_get_selected_srtp_profile(ssl) != NULL) {
2884 FAIL("SRTP profile should not be set yet\n");
2885 goto err;
2886 }
2887
2888 CBS_init(&cbs, tlsext_srtp_single, sizeof(tlsext_srtp_single));
2889 if (!server_funcs->process(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
2890 FAIL("failed to parse SRTP\n");
2891 goto err;
2892 }
2893 if (CBS_len(&cbs) != 0) {
2894 FAIL("extension data remaining\n");
2895 goto err;
2896 }
2897
2898 if ((prof = SSL_get_selected_srtp_profile(ssl)) == NULL) {
2899 FAIL("SRTP profile should be set now\n");
2900 goto err;
2901 }
2902 if (strcmp(prof->name, tlsext_srtp_aes128cmsha80) != 0) {
2903 FAIL("SRTP profile was not set properly\n");
2904 goto err;
2905 }
2906
2907 if (!server_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
2908 FAIL("should send server extension when profile selected\n");
2909 goto err;
2910 }
2911
2912 /* Make sure we can build the clienthello with multiple entries. */
2913
2914 if (SSL_set_tlsext_use_srtp(ssl, tlsext_srtp_multiple_profiles) != 0) {
2915 FAIL("should be able to set SRTP to multiple profiles\n");
2916 goto err;
2917 }
2918 if (!client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
2919 FAIL("client should need SRTP by now\n");
2920 goto err;
2921 }
2922
2923 if (!client_funcs->build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
2924 FAIL("client failed to build SRTP\n");
2925 goto err;
2926 }
2927 if (!CBB_finish(&cbb, &data, &dlen))
2928 errx(1, "failed to finish CBB");
2929
2930 if (dlen != sizeof(tlsext_srtp_multiple)) {
2931 FAIL("got client SRTP with length %zu, "
2932 "want length %zu\n", dlen,
2933 sizeof(tlsext_srtp_multiple));
2934 compare_data(data, dlen, tlsext_srtp_multiple,
2935 sizeof(tlsext_srtp_multiple));
2936 goto err;
2937 }
2938 if (memcmp(data, tlsext_srtp_multiple, dlen) != 0) {
2939 FAIL("client SRTP differs:\n");
2940 compare_data(data, dlen, tlsext_srtp_multiple,
2941 sizeof(tlsext_srtp_multiple));
2942 goto err;
2943 }
2944
2945 CBB_cleanup(&cbb);
2946 if (!CBB_init(&cbb, 0))
2947 errx(1, "Failed to create CBB");
2948 free(data);
2949 data = NULL;
2950
2951 /* Make sure we can parse multiple profiles (selects server preferred) */
2952
2953 ssl->srtp_profile = NULL;
2954
2955 CBS_init(&cbs, tlsext_srtp_multiple,
2956 sizeof(tlsext_srtp_multiple));
2957 if (!server_funcs->process(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
2958 FAIL("failed to parse SRTP\n");
2959 goto err;
2960 }
2961 if (CBS_len(&cbs) != 0) {
2962 FAIL("extension data remaining\n");
2963 goto err;
2964 }
2965
2966 if ((prof = SSL_get_selected_srtp_profile(ssl)) == NULL) {
2967 FAIL("SRTP profile should be set now\n");
2968 goto err;
2969 }
2970 if (strcmp(prof->name, tlsext_srtp_aes128cmsha80) != 0) {
2971 FAIL("SRTP profile was not set properly\n");
2972 goto err;
2973 }
2974
2975 if (!server_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
2976 FAIL("should send server extension when profile selected\n");
2977 goto err;
2978 }
2979
2980 /*
2981 * Make sure we can parse the clienthello with multiple entries
2982 * where one is unknown.
2983 */
2984 ssl->srtp_profile = NULL;
2985
2986 CBS_init(&cbs, tlsext_srtp_multiple_one_valid,
2987 sizeof(tlsext_srtp_multiple_one_valid));
2988 if (!server_funcs->process(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
2989 FAIL("failed to parse SRTP\n");
2990 goto err;
2991 }
2992 if (CBS_len(&cbs) != 0) {
2993 FAIL("extension data remaining\n");
2994 goto err;
2995 }
2996
2997 if ((prof = SSL_get_selected_srtp_profile(ssl)) == NULL) {
2998 FAIL("SRTP profile should be set now\n");
2999 goto err;
3000 }
3001 if (strcmp(prof->name, tlsext_srtp_aes128cmsha32) != 0) {
3002 FAIL("SRTP profile was not set properly\n");
3003 goto err;
3004 }
3005
3006 if (!server_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
3007 FAIL("should send server extension when profile selected\n");
3008 goto err;
3009 }
3010
3011 /* Make sure we fall back to negotiated when none work. */
3012
3013 ssl->srtp_profile = NULL;
3014
3015 CBS_init(&cbs, tlsext_srtp_multiple_invalid,
3016 sizeof(tlsext_srtp_multiple_invalid));
3017 if (!server_funcs->process(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
3018 FAIL("should be able to fall back to negotiated\n");
3019 goto err;
3020 }
3021 if (CBS_len(&cbs) != 0) {
3022 FAIL("extension data remaining\n");
3023 goto err;
3024 }
3025
3026 /* If we fallback, the server should NOT send the extension. */
3027 if (SSL_get_selected_srtp_profile(ssl) != NULL) {
3028 FAIL("should not have selected a profile when none found\n");
3029 goto err;
3030 }
3031 if (server_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
3032 FAIL("should not send server tlsext when no profile found\n");
3033 goto err;
3034 }
3035
3036 failure = 0;
3037
3038 err:
3039 CBB_cleanup(&cbb);
3040 SSL_CTX_free(ssl_ctx);
3041 SSL_free(ssl);
3042 free(data);
3043
3044 return (failure);
3045 }
3046
3047 static int
test_tlsext_srtp_server(void)3048 test_tlsext_srtp_server(void)
3049 {
3050 const SRTP_PROTECTION_PROFILE *prof;
3051 SSL_CTX *ssl_ctx = NULL;
3052 SSL *ssl = NULL;
3053 const struct tls_extension_funcs *client_funcs;
3054 const struct tls_extension_funcs *server_funcs;
3055 uint8_t *data = NULL;
3056 CBB cbb;
3057 CBS cbs;
3058 int failure, alert;
3059 size_t dlen;
3060
3061 failure = 1;
3062
3063 if (!CBB_init(&cbb, 0))
3064 errx(1, "Failed to create CBB");
3065
3066 /* SRTP is for DTLS */
3067 if ((ssl_ctx = SSL_CTX_new(DTLSv1_client_method())) == NULL)
3068 errx(1, "failed to create SSL_CTX");
3069 if ((ssl = SSL_new(ssl_ctx)) == NULL)
3070 errx(1, "failed to create SSL");
3071
3072 if (!tls_extension_funcs(TLSEXT_TYPE_use_srtp, &client_funcs,
3073 &server_funcs))
3074 errx(1, "failed to fetch srtp funcs");
3075
3076 /* By default, we don't need this */
3077 if (server_funcs->needs(ssl, SSL_TLSEXT_MSG_SH)) {
3078 FAIL("server should not need SRTP by default\n");
3079 goto err;
3080 }
3081
3082 if (srtp_find_profile_by_name(tlsext_srtp_aes128cmsha80, &prof,
3083 strlen(tlsext_srtp_aes128cmsha80))) {
3084 FAIL("should be able to find the given profile\n");
3085 goto err;
3086 }
3087 ssl->srtp_profile = prof;
3088 if (!server_funcs->needs(ssl, SSL_TLSEXT_MSG_SH)) {
3089 FAIL("server should need SRTP by now\n");
3090 goto err;
3091 }
3092
3093 /* Make sure we can build the server with a single profile. */
3094
3095 if (!server_funcs->build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) {
3096 FAIL("server failed to build SRTP\n");
3097 goto err;
3098 }
3099 if (!CBB_finish(&cbb, &data, &dlen))
3100 errx(1, "failed to finish CBB");
3101
3102 if (dlen != sizeof(tlsext_srtp_single)) {
3103 FAIL("got server SRTP with length %zu, "
3104 "want length %zu\n", dlen,
3105 sizeof(tlsext_srtp_single));
3106 compare_data(data, dlen, tlsext_srtp_single,
3107 sizeof(tlsext_srtp_single));
3108 goto err;
3109 }
3110 if (memcmp(data, tlsext_srtp_single, dlen) != 0) {
3111 FAIL("server SRTP differs:\n");
3112 compare_data(data, dlen, tlsext_srtp_single,
3113 sizeof(tlsext_srtp_single));
3114 goto err;
3115 }
3116
3117 CBB_cleanup(&cbb);
3118 if (!CBB_init(&cbb, 0))
3119 errx(1, "Failed to create CBB");
3120 free(data);
3121 data = NULL;
3122
3123 /* Make sure we can parse the single profile. */
3124 ssl->srtp_profile = NULL;
3125
3126 if (SSL_get_selected_srtp_profile(ssl) != NULL) {
3127 FAIL("SRTP profile should not be set yet\n");
3128 goto err;
3129 }
3130
3131 /* Setup the environment as if a client sent a list of profiles. */
3132 if (SSL_set_tlsext_use_srtp(ssl, tlsext_srtp_multiple_profiles) != 0) {
3133 FAIL("should be able to set multiple profiles in SRTP\n");
3134 goto err;
3135 }
3136
3137 CBS_init(&cbs, tlsext_srtp_single, sizeof(tlsext_srtp_single));
3138 if (!client_funcs->process(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
3139 FAIL("failed to parse SRTP\n");
3140 goto err;
3141 }
3142 if (CBS_len(&cbs) != 0) {
3143 FAIL("extension data remaining\n");
3144 goto err;
3145 }
3146
3147 if ((prof = SSL_get_selected_srtp_profile(ssl)) == NULL) {
3148 FAIL("SRTP profile should be set now\n");
3149 goto err;
3150 }
3151 if (strcmp(prof->name, tlsext_srtp_aes128cmsha80) != 0) {
3152 FAIL("SRTP profile was not set properly\n");
3153 goto err;
3154 }
3155
3156 /* Make sure we cannot parse multiple profiles */
3157 ssl->srtp_profile = NULL;
3158
3159 CBS_init(&cbs, tlsext_srtp_multiple,
3160 sizeof(tlsext_srtp_multiple));
3161 if (client_funcs->process(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
3162 FAIL("should not find multiple entries from the server\n");
3163 goto err;
3164 }
3165
3166 /* Make sure we cannot parse a server with unknown profile */
3167 ssl->srtp_profile = NULL;
3168
3169 CBS_init(&cbs, tlsext_srtp_single_invalid,
3170 sizeof(tlsext_srtp_single_invalid));
3171 if (client_funcs->process(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
3172 FAIL("should not be able to parse this\n");
3173 goto err;
3174 }
3175
3176 failure = 0;
3177
3178 err:
3179 CBB_cleanup(&cbb);
3180 SSL_CTX_free(ssl_ctx);
3181 SSL_free(ssl);
3182 free(data);
3183
3184 return (failure);
3185 }
3186 #endif /* OPENSSL_NO_SRTP */
3187
3188 static const unsigned char tlsext_clienthello_default[] = {
3189 0x00, 0x34, 0x00, 0x0a, 0x00, 0x0a, 0x00, 0x08,
3190 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19,
3191 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23,
3192 0x00, 0x00, 0x00, 0x0d, 0x00, 0x18, 0x00, 0x16,
3193 0x08, 0x06, 0x06, 0x01, 0x06, 0x03, 0x08, 0x05,
3194 0x05, 0x01, 0x05, 0x03, 0x08, 0x04, 0x04, 0x01,
3195 0x04, 0x03, 0x02, 0x01, 0x02, 0x03,
3196 };
3197
3198 /* An empty array is an incomplete type and sizeof() is undefined. */
3199 static const unsigned char tlsext_clienthello_disabled[] = {
3200 0x00,
3201 };
3202 static size_t tlsext_clienthello_disabled_len = 0;
3203
3204 static int
test_tlsext_clienthello_build(void)3205 test_tlsext_clienthello_build(void)
3206 {
3207 unsigned char *data = NULL;
3208 SSL_CTX *ssl_ctx = NULL;
3209 SSL *ssl = NULL;
3210 const struct tls_extension_funcs *client_funcs;
3211 const struct tls_extension_funcs *server_funcs;
3212 size_t dlen;
3213 int failure;
3214 CBB cbb;
3215
3216 failure = 1;
3217
3218 if (!CBB_init(&cbb, 0))
3219 errx(1, "failed to create CBB");
3220
3221 if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL) {
3222 FAIL("failed to create SSL_CTX");
3223 goto err;
3224 }
3225
3226 if ((ssl = SSL_new(ssl_ctx)) == NULL) {
3227 FAIL("failed to create SSL");
3228 goto err;
3229 }
3230
3231 if (!tlsext_linearize_build_order(ssl)) {
3232 FAIL("failed to linearize build order");
3233 goto err;
3234 }
3235
3236 if (!tls_extension_funcs(TLSEXT_TYPE_supported_versions, &client_funcs,
3237 &server_funcs))
3238 errx(1, "failed to fetch supported versions funcs");
3239
3240 ssl->s3->hs.our_min_tls_version = TLS1_VERSION;
3241 ssl->s3->hs.our_max_tls_version = TLS1_2_VERSION;
3242
3243 if (!tlsext_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
3244 FAIL("failed to build clienthello extensions\n");
3245 goto err;
3246 }
3247 if (!CBB_finish(&cbb, &data, &dlen)) {
3248 FAIL("failed to finish CBB");
3249 goto err;
3250 }
3251
3252 if (dlen != sizeof(tlsext_clienthello_default)) {
3253 FAIL("got clienthello extensions with length %zu, "
3254 "want length %zu\n", dlen,
3255 sizeof(tlsext_clienthello_default));
3256 compare_data(data, dlen, tlsext_clienthello_default,
3257 sizeof(tlsext_clienthello_default));
3258 goto err;
3259 }
3260 if (memcmp(data, tlsext_clienthello_default, dlen) != 0) {
3261 FAIL("clienthello extensions differs:\n");
3262 compare_data(data, dlen, tlsext_clienthello_default,
3263 sizeof(tlsext_clienthello_default));
3264 goto err;
3265 }
3266
3267 free(data);
3268 data = NULL;
3269 CBB_cleanup(&cbb);
3270 if (!CBB_init(&cbb, 0))
3271 errx(1, "Failed to create CBB");
3272
3273 /* Switch to TLSv1.1, disable EC ciphers and session tickets. */
3274 ssl->s3->hs.our_max_tls_version = TLS1_1_VERSION;
3275 if (!SSL_set_cipher_list(ssl, "TLSv1.2:!ECDHE:!ECDSA")) {
3276 FAIL("failed to set cipher list\n");
3277 goto err;
3278 }
3279 if ((SSL_set_options(ssl, SSL_OP_NO_TICKET) & SSL_OP_NO_TICKET) == 0) {
3280 FAIL("failed to disable session tickets\n");
3281 goto err;
3282 }
3283
3284 if (!tlsext_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
3285 FAIL("failed to build clienthello extensions\n");
3286 goto err;
3287 }
3288 if (!CBB_finish(&cbb, &data, &dlen)) {
3289 FAIL("failed to finish CBB");
3290 goto err;
3291 }
3292
3293 if (dlen != tlsext_clienthello_disabled_len) {
3294 FAIL("got clienthello extensions with length %zu, "
3295 "want length %zu\n", dlen,
3296 tlsext_clienthello_disabled_len);
3297 compare_data(data, dlen, tlsext_clienthello_disabled,
3298 tlsext_clienthello_disabled_len);
3299 goto err;
3300 }
3301 if (memcmp(data, tlsext_clienthello_disabled, dlen) != 0) {
3302 FAIL("clienthello extensions differs:\n");
3303 compare_data(data, dlen, tlsext_clienthello_disabled,
3304 tlsext_clienthello_disabled_len);
3305 goto err;
3306 }
3307
3308 failure = 0;
3309
3310 err:
3311 CBB_cleanup(&cbb);
3312 SSL_CTX_free(ssl_ctx);
3313 SSL_free(ssl);
3314 free(data);
3315
3316 return (failure);
3317 }
3318
3319 unsigned char tlsext_serverhello_default[] = {
3320 0x00, 0x06, 0x00, 0x2b, 0x00, 0x02, 0x03, 0x04,
3321 };
3322
3323 unsigned char tlsext_serverhello_enabled[] = {
3324 0x00, 0x10, 0x00, 0x2b, 0x00, 0x02, 0x03, 0x04,
3325 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23,
3326 0x00, 0x00,
3327 };
3328
3329 static int
test_tlsext_serverhello_build(void)3330 test_tlsext_serverhello_build(void)
3331 {
3332 unsigned char *data = NULL;
3333 SSL_CTX *ssl_ctx = NULL;
3334 SSL *ssl = NULL;
3335 size_t dlen;
3336 int failure;
3337 CBB cbb;
3338
3339 failure = 1;
3340
3341 if (!CBB_init(&cbb, 0))
3342 errx(1, "failed to create CBB");
3343
3344 if ((ssl_ctx = SSL_CTX_new(TLS_server_method())) == NULL) {
3345 FAIL("failed to create SSL_CTX");
3346 goto err;
3347 }
3348 if ((ssl = SSL_new(ssl_ctx)) == NULL) {
3349 FAIL("failed to create SSL");
3350 goto err;
3351 }
3352 if (!tlsext_linearize_build_order(ssl)) {
3353 FAIL("failed to linearize build order");
3354 goto err;
3355 }
3356 if ((ssl->session = SSL_SESSION_new()) == NULL) {
3357 FAIL("failed to create session");
3358 goto err;
3359 }
3360
3361 ssl->s3->hs.our_max_tls_version = TLS1_3_VERSION;
3362 ssl->s3->hs.negotiated_tls_version = TLS1_3_VERSION;
3363 ssl->s3->hs.cipher = ssl3_get_cipher_by_value(0x003c);
3364
3365 if (!tlsext_server_build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) {
3366 FAIL("failed to build serverhello extensions\n");
3367 goto err;
3368 }
3369 if (!CBB_finish(&cbb, &data, &dlen)) {
3370 FAIL("failed to finish CBB");
3371 goto err;
3372 }
3373
3374 if (dlen != sizeof(tlsext_serverhello_default)) {
3375 FAIL("got serverhello extensions with length %zu, "
3376 "want length %zu\n", dlen,
3377 sizeof(tlsext_serverhello_default));
3378 compare_data(data, dlen, tlsext_serverhello_default,
3379 sizeof(tlsext_serverhello_default));
3380 goto err;
3381 }
3382 if (memcmp(data, tlsext_serverhello_default, dlen) != 0) {
3383 FAIL("serverhello extensions differs:\n");
3384 compare_data(data, dlen, tlsext_serverhello_default,
3385 sizeof(tlsext_serverhello_default));
3386 goto err;
3387 }
3388
3389 CBB_cleanup(&cbb);
3390 free(data);
3391 data = NULL;
3392 if (!CBB_init(&cbb, 0))
3393 errx(1, "Failed to create CBB");
3394
3395 /* Turn a few things on so we get extensions... */
3396 ssl->s3->send_connection_binding = 1;
3397 ssl->s3->hs.cipher = ssl3_get_cipher_by_value(0xc027);
3398 ssl->tlsext_status_expected = 1;
3399 ssl->tlsext_ticket_expected = 1;
3400 if ((ssl->session->tlsext_ecpointformatlist = malloc(1)) == NULL) {
3401 FAIL("malloc failed");
3402 goto err;
3403 }
3404 ssl->session->tlsext_ecpointformatlist_length = 1;
3405 ssl->session->tlsext_ecpointformatlist[0] =
3406 TLSEXT_ECPOINTFORMAT_uncompressed;
3407
3408 if (!tlsext_server_build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) {
3409 FAIL("failed to build serverhello extensions\n");
3410 goto err;
3411 }
3412 if (!CBB_finish(&cbb, &data, &dlen)) {
3413 FAIL("failed to finish CBB");
3414 goto err;
3415 }
3416
3417 if (dlen != sizeof(tlsext_serverhello_enabled)) {
3418 FAIL("got serverhello extensions with length %zu, "
3419 "want length %zu\n", dlen,
3420 sizeof(tlsext_serverhello_enabled));
3421 compare_data(data, dlen, tlsext_serverhello_enabled,
3422 sizeof(tlsext_serverhello_enabled));
3423 goto err;
3424 }
3425 if (memcmp(data, tlsext_serverhello_enabled, dlen) != 0) {
3426 FAIL("serverhello extensions differs:\n");
3427 compare_data(data, dlen, tlsext_serverhello_enabled,
3428 sizeof(tlsext_serverhello_enabled));
3429 goto err;
3430 }
3431
3432 failure = 0;
3433
3434 err:
3435 CBB_cleanup(&cbb);
3436 SSL_CTX_free(ssl_ctx);
3437 SSL_free(ssl);
3438 free(data);
3439
3440 return (failure);
3441 }
3442
3443 const unsigned char tlsext_versions_client[] = {
3444 0x08, 0x03, 0x04, 0x03, 0x03, 0x03,
3445 0x02, 0x03, 0x01,
3446 };
3447
3448 const unsigned char tlsext_versions_server[] = {
3449 0x03, 0x04,
3450 };
3451
3452 static int
test_tlsext_versions_client(void)3453 test_tlsext_versions_client(void)
3454 {
3455 unsigned char *data = NULL;
3456 SSL_CTX *ssl_ctx = NULL;
3457 SSL *ssl = NULL;
3458 const struct tls_extension_funcs *client_funcs;
3459 const struct tls_extension_funcs *server_funcs;
3460 int failure;
3461 size_t dlen;
3462 int alert;
3463 CBB cbb;
3464 CBS cbs;
3465
3466 failure = 1;
3467
3468 if (!CBB_init(&cbb, 0))
3469 errx(1, "Failed to create CBB");
3470
3471 if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL)
3472 errx(1, "failed to create SSL_CTX");
3473 if ((ssl = SSL_new(ssl_ctx)) == NULL)
3474 errx(1, "failed to create SSL");
3475
3476 if (!tls_extension_funcs(TLSEXT_TYPE_supported_versions, &client_funcs,
3477 &server_funcs))
3478 errx(1, "failed to fetch supported versions funcs");
3479
3480 ssl->s3->hs.our_max_tls_version = TLS1_1_VERSION;
3481
3482 if (client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
3483 FAIL("client should not need versions\n");
3484 goto done;
3485 }
3486
3487 ssl->s3->hs.our_max_tls_version = TLS1_2_VERSION;
3488
3489 if (client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
3490 FAIL("client should not need versions\n");
3491 goto done;
3492 }
3493
3494 ssl->s3->hs.our_max_tls_version = TLS1_3_VERSION;
3495
3496 if (!client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
3497 FAIL("client should need versions\n");
3498 goto done;
3499 }
3500
3501 ssl->s3->hs.our_min_tls_version = TLS1_VERSION;
3502 ssl->s3->hs.our_max_tls_version = TLS1_3_VERSION;
3503
3504 if (!client_funcs->build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
3505 FAIL("client should have built versions\n");
3506 goto done;
3507 }
3508
3509 if (!CBB_finish(&cbb, &data, &dlen)) {
3510 FAIL("failed to finish CBB\n");
3511 goto done;
3512 }
3513
3514 if (dlen != sizeof(tlsext_versions_client)) {
3515 FAIL("got versions with length %zu, "
3516 "want length %zu\n", dlen, sizeof(tlsext_versions_client));
3517 goto done;
3518 }
3519
3520 CBS_init(&cbs, data, dlen);
3521 if (!server_funcs->process(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
3522 FAIL("failed to parse client versions\n");
3523 goto done;
3524 }
3525 if (CBS_len(&cbs) != 0) {
3526 FAIL("extension data remaining\n");
3527 goto done;
3528 }
3529
3530 failure = 0;
3531
3532 done:
3533 CBB_cleanup(&cbb);
3534 SSL_CTX_free(ssl_ctx);
3535 SSL_free(ssl);
3536 free(data);
3537
3538 return (failure);
3539 }
3540
3541 static int
test_tlsext_versions_server(void)3542 test_tlsext_versions_server(void)
3543 {
3544 unsigned char *data = NULL;
3545 SSL_CTX *ssl_ctx = NULL;
3546 SSL *ssl = NULL;
3547 const struct tls_extension_funcs *client_funcs;
3548 const struct tls_extension_funcs *server_funcs;
3549 int failure;
3550 size_t dlen;
3551 int alert;
3552 CBB cbb;
3553 CBS cbs;
3554
3555 failure = 1;
3556
3557 if (!CBB_init(&cbb, 0))
3558 errx(1, "Failed to create CBB");
3559
3560 if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL)
3561 errx(1, "failed to create SSL_CTX");
3562 if ((ssl = SSL_new(ssl_ctx)) == NULL)
3563 errx(1, "failed to create SSL");
3564
3565 if (!tls_extension_funcs(TLSEXT_TYPE_supported_versions, &client_funcs,
3566 &server_funcs))
3567 errx(1, "failed to fetch supported versions funcs");
3568
3569 ssl->s3->hs.negotiated_tls_version = TLS1_2_VERSION;
3570
3571 if (server_funcs->needs(ssl, SSL_TLSEXT_MSG_SH)) {
3572 FAIL("server should not need versions\n");
3573 goto done;
3574 }
3575
3576 ssl->s3->hs.negotiated_tls_version = TLS1_3_VERSION;
3577
3578 if (!server_funcs->needs(ssl, SSL_TLSEXT_MSG_SH)) {
3579 FAIL("server should need versions\n");
3580 goto done;
3581 }
3582
3583 if (!server_funcs->build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) {
3584 FAIL("server should have built versions\n");
3585 goto done;
3586 }
3587
3588 if (!CBB_finish(&cbb, &data, &dlen)) {
3589 FAIL("failed to finish CBB\n");
3590 goto done;
3591 }
3592
3593 if (dlen != sizeof(tlsext_versions_server)) {
3594 FAIL("got versions with length %zu, "
3595 "want length %zu\n", dlen, sizeof(tlsext_versions_server));
3596 goto done;
3597 }
3598
3599 CBS_init(&cbs, data, dlen);
3600 if (!client_funcs->process(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
3601 FAIL("failed to parse client versions\n");
3602 goto done;
3603 }
3604 if (CBS_len(&cbs) != 0) {
3605 FAIL("extension data remaining\n");
3606 goto done;
3607 }
3608
3609 failure = 0;
3610
3611 done:
3612 CBB_cleanup(&cbb);
3613 SSL_CTX_free(ssl_ctx);
3614 SSL_free(ssl);
3615 free(data);
3616
3617 return (failure);
3618 }
3619
3620 const unsigned char tlsext_keyshare_client[] = {
3621 0x00, 0x24, 0x00, 0x1d, 0x00, 0x20, 0xba, 0x83,
3622 0x2e, 0x4a, 0x18, 0xbe, 0x96, 0xd2, 0x71, 0x70,
3623 0x18, 0x04, 0xf9, 0x9d, 0x76, 0x98, 0xef, 0xe8,
3624 0x4f, 0x8b, 0x85, 0x41, 0xa4, 0xd9, 0x61, 0x57,
3625 0xad, 0x5b, 0xa4, 0xe9, 0x8b, 0x6b,
3626 };
3627
3628 const unsigned char tlsext_keyshare_server[] = {
3629 0x00, 0x1d, 0x00, 0x20, 0xe5, 0xe8, 0x5a, 0xb9,
3630 0x7e, 0x12, 0x62, 0xe3, 0xd8, 0x7f, 0x6e, 0x3c,
3631 0xec, 0xa6, 0x8b, 0x99, 0x45, 0x77, 0x8e, 0x11,
3632 0xb3, 0xb9, 0x12, 0xb6, 0xbe, 0x35, 0xca, 0x51,
3633 0x76, 0x1e, 0xe8, 0x22
3634 };
3635
3636 static int
test_tlsext_keyshare_client(void)3637 test_tlsext_keyshare_client(void)
3638 {
3639 unsigned char *data = NULL;
3640 SSL_CTX *ssl_ctx = NULL;
3641 SSL *ssl = NULL;
3642 const struct tls_extension_funcs *client_funcs;
3643 const struct tls_extension_funcs *server_funcs;
3644 int failure;
3645 size_t dlen;
3646 size_t idx;
3647 int alert;
3648 CBB cbb;
3649 CBS cbs;
3650
3651 failure = 1;
3652
3653 if (!CBB_init(&cbb, 0))
3654 errx(1, "Failed to create CBB");
3655
3656 if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL)
3657 errx(1, "failed to create SSL_CTX");
3658 if ((ssl = SSL_new(ssl_ctx)) == NULL)
3659 errx(1, "failed to create SSL");
3660
3661 if (!tls_extension_funcs(TLSEXT_TYPE_key_share, &client_funcs,
3662 &server_funcs))
3663 errx(1, "failed to fetch keyshare funcs");
3664
3665 if ((ssl->s3->hs.key_share =
3666 tls_key_share_new_nid(NID_X25519)) == NULL)
3667 errx(1, "failed to create key share");
3668 if (!tls_key_share_generate(ssl->s3->hs.key_share))
3669 errx(1, "failed to generate key share");
3670
3671 ssl->s3->hs.our_max_tls_version = TLS1_2_VERSION;
3672 if (client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
3673 FAIL("client should not need keyshare\n");
3674 goto done;
3675 }
3676
3677 ssl->s3->hs.our_max_tls_version = TLS1_3_VERSION;
3678 if (!client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
3679 FAIL("client should need keyshare\n");
3680 goto done;
3681 }
3682
3683 ssl->s3->hs.our_max_tls_version = TLS1_3_VERSION;
3684 if (!client_funcs->build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
3685 FAIL("client should have built keyshare\n");
3686 goto done;
3687 }
3688
3689 if (!CBB_finish(&cbb, &data, &dlen)) {
3690 FAIL("failed to finish CBB\n");
3691 goto done;
3692 }
3693
3694 if (dlen != sizeof(tlsext_keyshare_client)) {
3695 FAIL("got client keyshare with length %zu, "
3696 "want length %zu\n", dlen, (size_t) sizeof(tlsext_keyshare_client));
3697 goto done;
3698 }
3699
3700 ssl->version = TLS1_3_VERSION;
3701
3702 /* Fake up the ssl enough so the key share can process */
3703 tls_key_share_free(ssl->s3->hs.key_share);
3704 ssl->session = SSL_SESSION_new();
3705 if (ssl->session == NULL) {
3706 FAIL("malloc");
3707 goto done;
3708 }
3709 memset(ssl->s3, 0, sizeof(*ssl->s3));
3710 ssl->session->tlsext_supportedgroups = calloc(4,
3711 sizeof(unsigned short));
3712 if (ssl->session->tlsext_supportedgroups == NULL) {
3713 FAIL("malloc");
3714 goto done;
3715 }
3716 ssl->session->tlsext_supportedgroups[0] = 29;
3717 ssl->session->tlsext_supportedgroups[1] = 23;
3718 ssl->session->tlsext_supportedgroups[2] = 24;
3719 ssl->session->tlsext_supportedgroups[3] = 25;
3720 ssl->session->tlsext_supportedgroups_length = 4;
3721 tls_extension_find(TLSEXT_TYPE_supported_groups, &idx);
3722 ssl->s3->hs.extensions_processed |= (1 << idx);
3723 ssl->s3->hs.extensions_seen |= (1 << idx);
3724 ssl->s3->hs.our_max_tls_version = TLS1_3_VERSION;
3725
3726 /*
3727 * We should select the key share for group 29, when group 29
3728 * is the most preferred group
3729 */
3730 CBS_init(&cbs, data, dlen);
3731 if (!server_funcs->process(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
3732 FAIL("failed to process client keyshare\n");
3733 goto done;
3734 }
3735 if (CBS_len(&cbs) != 0) {
3736 FAIL("extension data remaining\n");
3737 goto done;
3738 }
3739 if (ssl->s3->hs.key_share == NULL) {
3740 FAIL("Did not select a key share");
3741 goto done;
3742 }
3743
3744 /*
3745 * Pretend the client did not send the supported groups extension. We
3746 * should fail to process.
3747 */
3748 ssl->s3->hs.extensions_seen = 0;
3749 tls_key_share_free(ssl->s3->hs.key_share);
3750 ssl->s3->hs.key_share = NULL;
3751 CBS_init(&cbs, data, dlen);
3752 if (server_funcs->process(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
3753 FAIL("Processed key share when supported groups not provided");
3754 goto done;
3755 }
3756 ssl->s3->hs.extensions_seen |= (1 << idx);
3757
3758 /*
3759 * Pretend supported groups did not get processed. We should fail to
3760 * process
3761 */
3762 ssl->s3->hs.extensions_processed = 0;
3763 ssl->s3->hs.key_share = NULL;
3764 CBS_init(&cbs, data, dlen);
3765 if (server_funcs->process(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
3766 FAIL("Processed key share when supported groups unprocesed");
3767 goto done;
3768 }
3769 ssl->s3->hs.extensions_processed |= (1 << idx);
3770
3771 /*
3772 * Remove group 29 by making it 0xbeef, meaning 29 has not been sent in
3773 * supported groups. This should fail to process.
3774 */
3775 ssl->session->tlsext_supportedgroups[0] = 0xbeef;
3776 ssl->s3->hs.key_share = NULL;
3777 CBS_init(&cbs, data, dlen);
3778 if (server_funcs->process(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
3779 FAIL("Processed key share with invalid group!");
3780 goto done;
3781 }
3782
3783 /*
3784 * Make 29 least preferred, while server supports both 29 and 25.
3785 * Client key share is for 29 but it prefers 25. We should successfully
3786 * process, but should not select this key share.
3787 */
3788 ssl->session->tlsext_supportedgroups[0] = 25;
3789 ssl->session->tlsext_supportedgroups[3] = 29;
3790 ssl->s3->hs.key_share = NULL;
3791 CBS_init(&cbs, data, dlen);
3792 if (!server_funcs->process(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
3793 FAIL("failed to process client keyshare\n");
3794 goto done;
3795 }
3796 if (CBS_len(&cbs) != 0) {
3797 FAIL("extension data remaining\n");
3798 goto done;
3799 }
3800 if (ssl->s3->hs.key_share != NULL) {
3801 FAIL("Selected a key share when I should not have!");
3802 goto done;
3803 }
3804 ssl->session->tlsext_supportedgroups[0] = 29;
3805 ssl->session->tlsext_supportedgroups[3] = 25;
3806
3807 failure = 0;
3808
3809 done:
3810 CBB_cleanup(&cbb);
3811 SSL_CTX_free(ssl_ctx);
3812 SSL_free(ssl);
3813 free(data);
3814
3815 return (failure);
3816 }
3817
3818 static const uint8_t bogokey[] = {
3819 0xe5, 0xe8, 0x5a, 0xb9, 0x7e, 0x12, 0x62, 0xe3,
3820 0xd8, 0x7f, 0x6e, 0x3c, 0xec, 0xa6, 0x8b, 0x99,
3821 0x45, 0x77, 0x8e, 0x11, 0xb3, 0xb9, 0x12, 0xb6,
3822 0xbe, 0x35, 0xca, 0x51, 0x76, 0x1e, 0xe8, 0x22,
3823 };
3824
3825 static int
test_tlsext_keyshare_server(void)3826 test_tlsext_keyshare_server(void)
3827 {
3828 unsigned char *data = NULL;
3829 SSL_CTX *ssl_ctx = NULL;
3830 SSL *ssl = NULL;
3831 const struct tls_extension_funcs *client_funcs;
3832 const struct tls_extension_funcs *server_funcs;
3833 int decode_error;
3834 int failure;
3835 size_t dlen, idx;
3836 int alert;
3837 CBB cbb;
3838 CBS cbs;
3839
3840 failure = 1;
3841
3842 if (!CBB_init(&cbb, 0))
3843 errx(1, "Failed to create CBB");
3844
3845 if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL)
3846 errx(1, "failed to create SSL_CTX");
3847 if ((ssl = SSL_new(ssl_ctx)) == NULL)
3848 errx(1, "failed to create SSL");
3849
3850 if (!tls_extension_funcs(TLSEXT_TYPE_key_share, &client_funcs,
3851 &server_funcs))
3852 errx(1, "failed to fetch keyshare funcs");
3853
3854 ssl->s3->hs.negotiated_tls_version = TLS1_2_VERSION;
3855 if (server_funcs->needs(ssl, SSL_TLSEXT_MSG_SH)) {
3856 FAIL("server should not need keyshare\n");
3857 goto done;
3858 }
3859
3860 ssl->s3->hs.negotiated_tls_version = TLS1_3_VERSION;
3861 if (server_funcs->needs(ssl, SSL_TLSEXT_MSG_SH)) {
3862 FAIL("client should not need keyshare\n");
3863 goto done;
3864 }
3865
3866 if (tls_extension_find(TLSEXT_TYPE_key_share, &idx) == NULL) {
3867 FAIL("failed to find keyshare extension\n");
3868 goto done;
3869 }
3870 ssl->s3->hs.extensions_seen |= (1 << idx);
3871
3872 if (!server_funcs->needs(ssl, SSL_TLSEXT_MSG_SH)) {
3873 FAIL("server should need keyshare\n");
3874 goto done;
3875 }
3876
3877 if (server_funcs->build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) {
3878 FAIL("server should not have built a keyshare response\n");
3879 goto done;
3880 }
3881
3882 if ((ssl->s3->hs.key_share =
3883 tls_key_share_new_nid(NID_X25519)) == NULL) {
3884 FAIL("failed to create key share");
3885 goto done;
3886 }
3887
3888 if (!tls_key_share_generate(ssl->s3->hs.key_share)) {
3889 FAIL("failed to generate key share");
3890 goto done;
3891 }
3892
3893 CBS_init(&cbs, bogokey, sizeof(bogokey));
3894
3895 if (!tls_key_share_peer_public(ssl->s3->hs.key_share, &cbs,
3896 &decode_error, NULL)) {
3897 FAIL("failed to load peer public key\n");
3898 goto done;
3899 }
3900
3901 if (!server_funcs->build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) {
3902 FAIL("server should be able to build a keyshare response\n");
3903 goto done;
3904 }
3905
3906 if (!CBB_finish(&cbb, &data, &dlen)) {
3907 FAIL("failed to finish CBB\n");
3908 goto done;
3909 }
3910
3911 if (dlen != sizeof(tlsext_keyshare_server)) {
3912 FAIL("got server keyshare with length %zu, "
3913 "want length %zu\n", dlen, sizeof(tlsext_keyshare_server));
3914 goto done;
3915 }
3916
3917 tls_key_share_free(ssl->s3->hs.key_share);
3918
3919 if ((ssl->s3->hs.key_share =
3920 tls_key_share_new_nid(NID_X25519)) == NULL) {
3921 FAIL("failed to create key share");
3922 goto done;
3923 }
3924 if (!tls_key_share_generate(ssl->s3->hs.key_share)) {
3925 FAIL("failed to generate key share");
3926 goto done;
3927 }
3928
3929 CBS_init(&cbs, data, dlen);
3930
3931 if (!client_funcs->process(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
3932 FAIL("failed to parse server keyshare\n");
3933 goto done;
3934 }
3935
3936 if (CBS_len(&cbs) != 0) {
3937 FAIL("extension data remaining\n");
3938 goto done;
3939 }
3940
3941 failure = 0;
3942
3943 done:
3944 CBB_cleanup(&cbb);
3945 SSL_CTX_free(ssl_ctx);
3946 SSL_free(ssl);
3947 free(data);
3948
3949 return (failure);
3950 }
3951
3952 /* One day I hope to be the only Muppet in this codebase */
3953 const uint8_t cookie[] = "\n"
3954 " (o)(o) \n"
3955 " m' 'm \n"
3956 " M -****- M \n"
3957 " 'm m' \n"
3958 " m''''''''''m \n"
3959 " M M BB \n";
3960
3961 static int
test_tlsext_cookie_client(void)3962 test_tlsext_cookie_client(void)
3963 {
3964 unsigned char *data = NULL;
3965 SSL_CTX *ssl_ctx = NULL;
3966 SSL *ssl = NULL;
3967 const struct tls_extension_funcs *client_funcs;
3968 const struct tls_extension_funcs *server_funcs;
3969 int failure;
3970 size_t dlen;
3971 int alert;
3972 CBB cbb;
3973 CBS cbs;
3974
3975 failure = 1;
3976
3977 if (!CBB_init(&cbb, 0))
3978 errx(1, "Failed to create CBB");
3979
3980 if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL)
3981 errx(1, "failed to create SSL_CTX");
3982 if ((ssl = SSL_new(ssl_ctx)) == NULL)
3983 errx(1, "failed to create SSL");
3984
3985 if (!tls_extension_funcs(TLSEXT_TYPE_cookie, &client_funcs,
3986 &server_funcs))
3987 errx(1, "failed to fetch cookie funcs");
3988
3989 ssl->s3->hs.our_max_tls_version = TLS1_2_VERSION;
3990 if (client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
3991 FAIL("client should not need cookie\n");
3992 goto done;
3993 }
3994
3995
3996 ssl->s3->hs.our_max_tls_version = TLS1_3_VERSION;
3997 if (client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
3998 FAIL("client should not need cookie\n");
3999 goto done;
4000 }
4001
4002 /* Normally would be set by receiving a server cookie in an HRR */
4003 ssl->s3->hs.tls13.cookie = strdup(cookie);
4004 ssl->s3->hs.tls13.cookie_len = strlen(cookie);
4005
4006 if (!client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
4007 FAIL("client should need cookie\n");
4008 goto done;
4009 }
4010
4011 if (!client_funcs->build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
4012 FAIL("client should have built a cookie response\n");
4013 goto done;
4014 }
4015
4016 if (!CBB_finish(&cbb, &data, &dlen)) {
4017 FAIL("failed to finish CBB\n");
4018 goto done;
4019 }
4020
4021 if (dlen != strlen(cookie) + sizeof(uint16_t)) {
4022 FAIL("got cookie with length %zu, "
4023 "want length %zu\n", dlen, strlen(cookie) +
4024 sizeof(uint16_t));
4025 goto done;
4026 }
4027
4028 CBS_init(&cbs, data, dlen);
4029
4030 /* Checks cookie against what's in the hs.tls13 */
4031 if (!server_funcs->process(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
4032 FAIL("failed to parse client cookie\n");
4033 goto done;
4034 }
4035
4036 if (CBS_len(&cbs) != 0) {
4037 FAIL("extension data remaining\n");
4038 goto done;
4039 }
4040
4041 failure = 0;
4042
4043 done:
4044 CBB_cleanup(&cbb);
4045 SSL_CTX_free(ssl_ctx);
4046 SSL_free(ssl);
4047 free(data);
4048
4049 return (failure);
4050 }
4051
4052 static int
test_tlsext_cookie_server(void)4053 test_tlsext_cookie_server(void)
4054 {
4055 unsigned char *data = NULL;
4056 SSL_CTX *ssl_ctx = NULL;
4057 SSL *ssl = NULL;
4058 const struct tls_extension_funcs *client_funcs;
4059 const struct tls_extension_funcs *server_funcs;
4060 int failure;
4061 size_t dlen;
4062 int alert;
4063 CBB cbb;
4064 CBS cbs;
4065
4066 failure = 1;
4067
4068 if (!CBB_init(&cbb, 0))
4069 errx(1, "Failed to create CBB");
4070
4071 if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL)
4072 errx(1, "failed to create SSL_CTX");
4073 if ((ssl = SSL_new(ssl_ctx)) == NULL)
4074 errx(1, "failed to create SSL");
4075
4076 if (!tls_extension_funcs(TLSEXT_TYPE_cookie, &client_funcs,
4077 &server_funcs))
4078 errx(1, "failed to fetch cookie funcs");
4079
4080 ssl->s3->hs.our_max_tls_version = TLS1_2_VERSION;
4081 if (server_funcs->needs(ssl, SSL_TLSEXT_MSG_SH)) {
4082 FAIL("server should not need cookie\n");
4083 goto done;
4084 }
4085
4086 ssl->s3->hs.our_max_tls_version = TLS1_3_VERSION;
4087 if (server_funcs->needs(ssl, SSL_TLSEXT_MSG_SH)) {
4088 FAIL("server should not need cookie\n");
4089 goto done;
4090 }
4091
4092 /* Normally would be set by server before sending HRR */
4093 ssl->s3->hs.tls13.cookie = strdup(cookie);
4094 ssl->s3->hs.tls13.cookie_len = strlen(cookie);
4095
4096 if (!server_funcs->needs(ssl, SSL_TLSEXT_MSG_HRR)) {
4097 FAIL("server should need cookie\n");
4098 goto done;
4099 }
4100
4101 if (!server_funcs->build(ssl, SSL_TLSEXT_MSG_HRR, &cbb)) {
4102 FAIL("server should have built a cookie response\n");
4103 goto done;
4104 }
4105
4106 if (!CBB_finish(&cbb, &data, &dlen)) {
4107 FAIL("failed to finish CBB\n");
4108 goto done;
4109 }
4110
4111 if (dlen != strlen(cookie) + sizeof(uint16_t)) {
4112 FAIL("got cookie with length %zu, "
4113 "want length %zu\n", dlen, strlen(cookie) +
4114 sizeof(uint16_t));
4115 goto done;
4116 }
4117
4118 CBS_init(&cbs, data, dlen);
4119
4120 if (client_funcs->process(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
4121 FAIL("client should not have parsed server cookie\n");
4122 goto done;
4123 }
4124
4125 freezero(ssl->s3->hs.tls13.cookie, ssl->s3->hs.tls13.cookie_len);
4126 ssl->s3->hs.tls13.cookie = NULL;
4127 ssl->s3->hs.tls13.cookie_len = 0;
4128
4129 if (!client_funcs->process(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
4130 FAIL("failed to parse server cookie\n");
4131 goto done;
4132 }
4133
4134 if (memcmp(cookie, ssl->s3->hs.tls13.cookie,
4135 ssl->s3->hs.tls13.cookie_len) != 0) {
4136 FAIL("parsed server cookie does not match sent cookie\n");
4137 goto done;
4138 }
4139
4140 if (CBS_len(&cbs) != 0) {
4141 FAIL("extension data remaining\n");
4142 goto done;
4143 }
4144
4145 failure = 0;
4146
4147 done:
4148 CBB_cleanup(&cbb);
4149 SSL_CTX_free(ssl_ctx);
4150 SSL_free(ssl);
4151 free(data);
4152
4153 return (failure);
4154 }
4155
4156 const uint8_t tlsext_default_psk_modes[] = {
4157 0x01, 0x01,
4158 };
4159
4160 const uint8_t tlsext_psk_only_mode[] = {
4161 0x01, 0x00,
4162 };
4163
4164 const uint8_t tlsext_psk_both_modes[] = {
4165 0x02, 0x00, 0x01,
4166 };
4167
4168 static int
test_tlsext_psk_modes_client(void)4169 test_tlsext_psk_modes_client(void)
4170 {
4171 SSL_CTX *ssl_ctx = NULL;
4172 SSL *ssl = NULL;
4173 const struct tls_extension_funcs *client_funcs;
4174 const struct tls_extension_funcs *server_funcs;
4175 int failure;
4176 uint8_t *data = NULL;
4177 size_t dlen;
4178 CBB cbb;
4179 CBS cbs;
4180 int alert;
4181
4182 failure = 1;
4183
4184 if (!CBB_init(&cbb, 0))
4185 errx(1, "Failed to create CBB");
4186
4187 if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL)
4188 errx(1, "failed to create SSL_CTX");
4189 if ((ssl = SSL_new(ssl_ctx)) == NULL)
4190 errx(1, "failed to create SSL");
4191
4192 if (!tls_extension_funcs(TLSEXT_TYPE_psk_kex_modes, &client_funcs,
4193 &server_funcs))
4194 errx(1, "failed to fetch psk funcs");
4195
4196 /* Disabled by default. */
4197 if (client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
4198 FAIL("client should not need psk kex modes by default\n");
4199 goto err;
4200 }
4201
4202 /*
4203 * Prerequisites: use_psk_dhe_ke flag is set and
4204 * our_max_tls_version >= TLSv1.3.
4205 */
4206
4207 ssl->s3->hs.tls13.use_psk_dhe_ke = 1;
4208 ssl->s3->hs.our_max_tls_version = TLS1_2_VERSION;
4209
4210 if (client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
4211 FAIL("client should not need psk kex modes with TLSv1.2\n");
4212 goto err;
4213 }
4214
4215 ssl->s3->hs.tls13.use_psk_dhe_ke = 0;
4216 ssl->s3->hs.our_max_tls_version = TLS1_3_VERSION;
4217
4218 if (client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
4219 FAIL("client should not need psk kex modes without "
4220 "use_psk_dhe_ke\n");
4221 goto err;
4222 }
4223
4224 ssl->s3->hs.tls13.use_psk_dhe_ke = 1;
4225 ssl->s3->hs.our_max_tls_version = TLS1_3_VERSION;
4226
4227 if (!client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
4228 FAIL("client should need psk kex modes with TLSv1.3\n");
4229 goto err;
4230 }
4231
4232 /* Make sure we can build psk modes with DHE key establishment. */
4233
4234 if (!client_funcs->build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
4235 FAIL("client failed to build psk kex modes\n");
4236 goto err;
4237 }
4238
4239 if (!CBB_finish(&cbb, &data, &dlen))
4240 errx(1, "failed to finish psk kex CBB");
4241
4242 if (dlen != sizeof(tlsext_default_psk_modes)) {
4243 FAIL("got client psk kex modes with length %zu, "
4244 "want length %zu\n", dlen,
4245 sizeof(tlsext_default_psk_modes));
4246 compare_data(data, dlen, tlsext_default_psk_modes,
4247 sizeof(tlsext_default_psk_modes));
4248 goto err;
4249 }
4250 if (memcmp(data, tlsext_default_psk_modes, dlen) != 0) {
4251 FAIL("client psk kex modes differ:\n");
4252 compare_data(data, dlen, tlsext_default_psk_modes,
4253 sizeof(tlsext_default_psk_modes));
4254 goto err;
4255 }
4256
4257 CBB_cleanup(&cbb);
4258 free(data);
4259 data = NULL;
4260
4261 /*
4262 * Make sure we can parse the default psk modes and that use_psk_dhe_ke
4263 * is set after parsing.
4264 */
4265
4266 ssl->s3->hs.tls13.use_psk_dhe_ke = 0;
4267
4268 CBS_init(&cbs, tlsext_default_psk_modes,
4269 sizeof(tlsext_default_psk_modes));
4270 if (!server_funcs->process(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
4271 FAIL("failed to parse psk kex modes\n");
4272 goto err;
4273 }
4274 if (CBS_len(&cbs) != 0) {
4275 FAIL("extension data remaining\n");
4276 goto err;
4277 }
4278
4279 if (ssl->s3->hs.tls13.use_psk_dhe_ke != 1) {
4280 FAIL("should have set use_psk_dhe_ke\n");
4281 goto err;
4282 }
4283
4284 /*
4285 * Make sure we can parse the psk-only mode and that use_psk_dhe_ke
4286 * is still not set after parsing.
4287 */
4288
4289 ssl->s3->hs.tls13.use_psk_dhe_ke = 0;
4290
4291 CBS_init(&cbs, tlsext_psk_only_mode, sizeof(tlsext_psk_only_mode));
4292 if (!server_funcs->process(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
4293 FAIL("failed to parse psk kex modes\n");
4294 goto err;
4295 }
4296 if (CBS_len(&cbs) != 0) {
4297 FAIL("extension data remaining\n");
4298 goto err;
4299 }
4300
4301 if (ssl->s3->hs.tls13.use_psk_dhe_ke != 0) {
4302 FAIL("should not have set use_psk_dhe_ke\n");
4303 goto err;
4304 }
4305
4306 /*
4307 * Make sure we can parse the extension indicating both modes and that
4308 * use_psk_dhe_ke is set after parsing.
4309 */
4310
4311 ssl->s3->hs.tls13.use_psk_dhe_ke = 0;
4312
4313 CBS_init(&cbs, tlsext_psk_both_modes, sizeof(tlsext_psk_both_modes));
4314 if (!server_funcs->process(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
4315 FAIL("failed to parse psk kex modes\n");
4316 goto err;
4317 }
4318 if (CBS_len(&cbs) != 0) {
4319 FAIL("extension data remaining\n");
4320 goto err;
4321 }
4322
4323 if (ssl->s3->hs.tls13.use_psk_dhe_ke != 1) {
4324 FAIL("should have set use_psk_dhe_ke\n");
4325 goto err;
4326 }
4327
4328 failure = 0;
4329
4330 err:
4331 CBB_cleanup(&cbb);
4332 SSL_CTX_free(ssl_ctx);
4333 SSL_free(ssl);
4334 free(data);
4335
4336 return failure;
4337 }
4338
4339 static int
test_tlsext_psk_modes_server(void)4340 test_tlsext_psk_modes_server(void)
4341 {
4342 SSL_CTX *ssl_ctx = NULL;
4343 SSL *ssl = NULL;
4344 const struct tls_extension_funcs *client_funcs;
4345 const struct tls_extension_funcs *server_funcs;
4346 int failure;
4347
4348 failure = 1;
4349
4350 if ((ssl_ctx = SSL_CTX_new(TLS_server_method())) == NULL)
4351 errx(1, "failed to create SSL_CTX");
4352 if ((ssl = SSL_new(ssl_ctx)) == NULL)
4353 errx(1, "failed to create SSL");
4354
4355 if (!tls_extension_funcs(TLSEXT_TYPE_psk_kex_modes, &client_funcs,
4356 &server_funcs))
4357 errx(1, "failed to fetch psk funcs");
4358
4359 if (server_funcs->needs(ssl, SSL_TLSEXT_MSG_SH)) {
4360 FAIL("server should not need psk kex modes\n");
4361 goto err;
4362 }
4363
4364 failure = 0;
4365
4366 err:
4367 SSL_CTX_free(ssl_ctx);
4368 SSL_free(ssl);
4369
4370 return failure;
4371 }
4372
4373 struct tls_sni_test {
4374 const char *hostname;
4375 int is_ip;
4376 int valid;
4377 };
4378
4379 static const struct tls_sni_test tls_sni_tests[] = {
4380 {
4381 .hostname = "openbsd.org",
4382 .valid = 1,
4383 },
4384 {
4385 .hostname = "op3nbsd.org",
4386 .valid = 1,
4387 },
4388 {
4389 .hostname = "org",
4390 .valid = 1,
4391 },
4392 {
4393 .hostname = "3openbsd.com",
4394 .valid = 1,
4395 },
4396 {
4397 .hostname = "3-0penb-d.c-m",
4398 .valid = 1,
4399 },
4400 {
4401 .hostname = "a",
4402 .valid = 1,
4403 },
4404 {
4405 .hostname =
4406 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com",
4407 .valid = 1,
4408 },
4409 {
4410 .hostname =
4411 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
4412 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
4413 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
4414 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
4415 .valid = 1,
4416 },
4417 {
4418 .hostname = "openbsd.org.",
4419 .valid = 0,
4420 },
4421 {
4422 .hostname = "openbsd..org",
4423 .valid = 0,
4424 },
4425 {
4426 .hostname = "openbsd.org-",
4427 .valid = 0,
4428 },
4429 {
4430 .hostname =
4431 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com",
4432 .valid = 0,
4433 },
4434 {
4435 .hostname =
4436 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
4437 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
4438 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
4439 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.a",
4440 .valid = 0,
4441 },
4442 {
4443 .hostname = "-p3nbsd.org",
4444 .valid = 0,
4445 },
4446 {
4447 .hostname = "openbs-.org",
4448 .valid = 0,
4449 },
4450 {
4451 .hostname = "openbsd\n.org",
4452 .valid = 0,
4453 },
4454 {
4455 .hostname = "open_bsd.org",
4456 .valid = 0,
4457 },
4458 {
4459 .hostname = "open\177bsd.org",
4460 .valid = 0,
4461 },
4462 {
4463 .hostname = "open\255bsd.org",
4464 .valid = 0,
4465 },
4466 {
4467 .hostname = "dead::beef",
4468 .is_ip = 1,
4469 .valid = 0,
4470 },
4471 {
4472 .hostname = "192.168.0.1",
4473 .is_ip = 1,
4474 .valid = 0,
4475 },
4476 };
4477
4478 #define N_TLS_SNI_TESTS (sizeof(tls_sni_tests) / sizeof(*tls_sni_tests))
4479
4480 static int
test_tlsext_is_valid_hostname(const struct tls_sni_test * tst)4481 test_tlsext_is_valid_hostname(const struct tls_sni_test *tst)
4482 {
4483 int failure;
4484 int is_ip;
4485 CBS cbs;
4486
4487 failure = 1;
4488
4489 CBS_init(&cbs, tst->hostname, strlen(tst->hostname));
4490 if (tlsext_sni_is_valid_hostname(&cbs, &is_ip) != tst->valid) {
4491 if (tst->valid) {
4492 FAIL("Valid hostname '%s' rejected\n",
4493 tst->hostname);
4494 } else {
4495 FAIL("Invalid hostname '%s' accepted\n",
4496 tst->hostname);
4497 }
4498 goto done;
4499 }
4500 if (tst->is_ip != is_ip) {
4501 if (tst->is_ip) {
4502 FAIL("Hostname '%s' is an IP literal but not "
4503 "identified as one\n", tst->hostname);
4504 } else {
4505 FAIL("Hostname '%s' is not an IP literal but is "
4506 "identified as one\n", tst->hostname);
4507 }
4508 goto done;
4509 }
4510
4511 if (tst->valid) {
4512 CBS_init(&cbs, tst->hostname,
4513 strlen(tst->hostname) + 1);
4514 if (tlsext_sni_is_valid_hostname(&cbs, &is_ip)) {
4515 FAIL("hostname with NUL byte accepted\n");
4516 goto done;
4517 }
4518 }
4519
4520 failure = 0;
4521
4522 done:
4523
4524 return failure;
4525 }
4526
4527 static int
test_tlsext_valid_hostnames(void)4528 test_tlsext_valid_hostnames(void)
4529 {
4530 const struct tls_sni_test *tst;
4531 int failure = 0;
4532 size_t i;
4533
4534 for (i = 0; i < N_TLS_SNI_TESTS; i++) {
4535 tst = &tls_sni_tests[i];
4536 failure |= test_tlsext_is_valid_hostname(tst);
4537 }
4538
4539 return failure;
4540 }
4541
4542 #define N_TLSEXT_RANDOMIZATION_TESTS 1000
4543
4544 static int
test_tlsext_check_extension_order(SSL * ssl)4545 test_tlsext_check_extension_order(SSL *ssl)
4546 {
4547 const struct tls_extension *ext;
4548 uint16_t type;
4549 size_t alpn_idx, sni_idx;
4550 size_t i;
4551
4552 if (ssl->tlsext_build_order_len == 0) {
4553 FAIL("Unexpected zero build order length");
4554 return 1;
4555 }
4556
4557 ext = ssl->tlsext_build_order[ssl->tlsext_build_order_len - 1];
4558 if ((type = tls_extension_type(ext)) != TLSEXT_TYPE_psk) {
4559 FAIL("last extension is %u, want %u\n", type, TLSEXT_TYPE_psk);
4560 return 1;
4561 }
4562
4563 if (ssl->server)
4564 return 0;
4565
4566 alpn_idx = sni_idx = ssl->tlsext_build_order_len;
4567 for (i = 0; i < ssl->tlsext_build_order_len; i++) {
4568 ext = ssl->tlsext_build_order[i];
4569 if (tls_extension_type(ext) == TLSEXT_TYPE_alpn)
4570 alpn_idx = i;
4571 if (tls_extension_type(ext) == TLSEXT_TYPE_server_name)
4572 sni_idx = i;
4573 }
4574
4575 if (alpn_idx == ssl->tlsext_build_order_len) {
4576 FAIL("could not find alpn extension\n");
4577 return 1;
4578 }
4579
4580 if (sni_idx == ssl->tlsext_build_order_len) {
4581 FAIL("could not find alpn extension\n");
4582 return 1;
4583 }
4584
4585 if (sni_idx >= alpn_idx) {
4586 FAIL("sni does not precede alpn: %zu >= %zu\n",
4587 sni_idx, alpn_idx);
4588 return 1;
4589 }
4590
4591 return 0;
4592 }
4593
4594 static int
test_tlsext_randomized_extensions(SSL * ssl)4595 test_tlsext_randomized_extensions(SSL *ssl)
4596 {
4597 size_t i;
4598 int failed = 0;
4599
4600 for (i = 0; i < N_TLSEXT_RANDOMIZATION_TESTS; i++) {
4601 if (!tlsext_randomize_build_order(ssl))
4602 errx(1, "failed to randomize extensions");
4603 failed |= test_tlsext_check_extension_order(ssl);
4604 }
4605
4606 return failed;
4607 }
4608
4609 static int
test_tlsext_extension_order(void)4610 test_tlsext_extension_order(void)
4611 {
4612 SSL_CTX *ssl_ctx = NULL;
4613 SSL *ssl = NULL;
4614 int failure;
4615
4616 failure = 0;
4617
4618 if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL)
4619 errx(1, "failed to create SSL_CTX");
4620 if ((ssl = SSL_new(ssl_ctx)) == NULL)
4621 errx(1, "failed to create SSL");
4622
4623 failure |= test_tlsext_randomized_extensions(ssl);
4624
4625 SSL_CTX_free(ssl_ctx);
4626 SSL_free(ssl);
4627
4628 if ((ssl_ctx = SSL_CTX_new(TLS_server_method())) == NULL)
4629 errx(1, "failed to create SSL_CTX");
4630 if ((ssl = SSL_new(ssl_ctx)) == NULL)
4631 errx(1, "failed to create SSL");
4632
4633 failure |= test_tlsext_randomized_extensions(ssl);
4634
4635 SSL_CTX_free(ssl_ctx);
4636 SSL_free(ssl);
4637
4638 return failure;
4639 }
4640
4641 int
main(int argc,char ** argv)4642 main(int argc, char **argv)
4643 {
4644 int failed = 0;
4645
4646 SSL_library_init();
4647 SSL_load_error_strings();
4648
4649 failed |= test_tlsext_alpn_client();
4650 failed |= test_tlsext_alpn_server();
4651
4652 failed |= test_tlsext_supportedgroups_client();
4653 failed |= test_tlsext_supportedgroups_server();
4654
4655 failed |= test_tlsext_ecpf_client();
4656 failed |= test_tlsext_ecpf_server();
4657
4658 failed |= test_tlsext_ri_client();
4659 failed |= test_tlsext_ri_server();
4660
4661 failed |= test_tlsext_sigalgs_client();
4662
4663 failed |= test_tlsext_sni_client();
4664 failed |= test_tlsext_sni_server();
4665
4666 failed |= test_tlsext_ocsp_client();
4667 failed |= test_tlsext_ocsp_server();
4668
4669 failed |= test_tlsext_sessionticket_client();
4670 failed |= test_tlsext_sessionticket_server();
4671
4672 failed |= test_tlsext_versions_client();
4673 failed |= test_tlsext_versions_server();
4674
4675 failed |= test_tlsext_keyshare_client();
4676 failed |= test_tlsext_keyshare_server();
4677
4678 failed |= test_tlsext_cookie_client();
4679 failed |= test_tlsext_cookie_server();
4680
4681 #ifndef OPENSSL_NO_SRTP
4682 failed |= test_tlsext_srtp_client();
4683 failed |= test_tlsext_srtp_server();
4684 #else
4685 fprintf(stderr, "Skipping SRTP tests due to OPENSSL_NO_SRTP\n");
4686 #endif
4687
4688 failed |= test_tlsext_psk_modes_client();
4689 failed |= test_tlsext_psk_modes_server();
4690
4691 failed |= test_tlsext_clienthello_build();
4692 failed |= test_tlsext_serverhello_build();
4693
4694 failed |= test_tlsext_valid_hostnames();
4695
4696 failed |= test_tlsext_quic_transport_parameters_client();
4697 failed |= test_tlsext_quic_transport_parameters_server();
4698
4699 failed |= test_tlsext_extension_order();
4700
4701 return (failed);
4702 }
4703