1166435Sjhb/* 2173228Sjhb * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. 3166435Sjhb * 4173228Sjhb * Licensed under the Apache License 2.0 (the "License"). You may not use 5166435Sjhb * this file except in compliance with the License. You can obtain a copy 6166435Sjhb * in the file LICENSE in the source distribution or at 7166435Sjhb * https://www.openssl.org/source/license.html 8166435Sjhb */ 9166435Sjhb 10166435Sjhb#include <string.h> 11166435Sjhb 12166435Sjhb#include <openssl/bio.h> 13166435Sjhb#include <openssl/x509_vfy.h> 14166435Sjhb#include <openssl/ssl.h> 15166435Sjhb#include <openssl/core_names.h> 16166435Sjhb 17166435Sjhb#include "../../ssl/ssl_local.h" 18166435Sjhb#include "internal/sockets.h" 19166435Sjhb#include "internal/nelem.h" 20166435Sjhb#include "handshake.h" 21166435Sjhb#include "../testutil.h" 22166435Sjhb 23166435Sjhb#if !defined(OPENSSL_NO_SCTP) && !defined(OPENSSL_NO_SOCK) 24166435Sjhb#include <netinet/sctp.h> 25166435Sjhb#endif 26166435Sjhb 27166435SjhbHANDSHAKE_RESULT *HANDSHAKE_RESULT_new(void) 28166435Sjhb{ 29166435Sjhb HANDSHAKE_RESULT *ret; 30166435Sjhb 31166435Sjhb TEST_ptr(ret = OPENSSL_zalloc(sizeof(*ret))); 32166435Sjhb return ret; 33166435Sjhb} 34166435Sjhb 35166435Sjhbvoid HANDSHAKE_RESULT_free(HANDSHAKE_RESULT *result) 36166435Sjhb{ 37166435Sjhb if (result == NULL) 38166435Sjhb return; 39166435Sjhb OPENSSL_free(result->client_npn_negotiated); 40166435Sjhb OPENSSL_free(result->server_npn_negotiated); 41166435Sjhb OPENSSL_free(result->client_alpn_negotiated); 42166435Sjhb OPENSSL_free(result->server_alpn_negotiated); 43173576Sjb OPENSSL_free(result->result_session_ticket_app_data); 44166435Sjhb sk_X509_NAME_pop_free(result->server_ca_names, X509_NAME_free); 45166435Sjhb sk_X509_NAME_pop_free(result->client_ca_names, X509_NAME_free); 46166435Sjhb OPENSSL_free(result->cipher); 47166435Sjhb OPENSSL_free(result); 48212326Sjhb} 49212326Sjhb 50166435Sjhb/* 51166435Sjhb * Since there appears to be no way to extract the sent/received alert 52166435Sjhb * from the SSL object directly, we use the info callback and stash 53166435Sjhb * the result in ex_data. 54166435Sjhb */ 55166435Sjhbtypedef struct handshake_ex_data_st { 56166435Sjhb int alert_sent; 57166435Sjhb int num_fatal_alerts_sent; 58166435Sjhb int alert_received; 59166435Sjhb int session_ticket_do_not_call; 60166435Sjhb ssl_servername_t servername; 61166435Sjhb} HANDSHAKE_EX_DATA; 62166435Sjhb 63166435Sjhb/* |ctx_data| itself is stack-allocated. */ 64166435Sjhbstatic void ctx_data_free_data(CTX_DATA *ctx_data) 65166435Sjhb{ 66166435Sjhb OPENSSL_free(ctx_data->npn_protocols); 67166435Sjhb ctx_data->npn_protocols = NULL; 68166435Sjhb OPENSSL_free(ctx_data->alpn_protocols); 69166435Sjhb ctx_data->alpn_protocols = NULL; 70166435Sjhb OPENSSL_free(ctx_data->srp_user); 71166435Sjhb ctx_data->srp_user = NULL; 72166435Sjhb OPENSSL_free(ctx_data->srp_password); 73166435Sjhb ctx_data->srp_password = NULL; 74166435Sjhb OPENSSL_free(ctx_data->session_ticket_app_data); 75166435Sjhb ctx_data->session_ticket_app_data = NULL; 76166435Sjhb} 77166435Sjhb 78166435Sjhbstatic int ex_data_idx; 79166435Sjhb 80166435Sjhbstatic void info_cb(const SSL *s, int where, int ret) 81166435Sjhb{ 82166435Sjhb if (where & SSL_CB_ALERT) { 83166435Sjhb HANDSHAKE_EX_DATA *ex_data = 84166435Sjhb (HANDSHAKE_EX_DATA*)(SSL_get_ex_data(s, ex_data_idx)); 85166435Sjhb if (where & SSL_CB_WRITE) { 86166435Sjhb ex_data->alert_sent = ret; 87166435Sjhb if (strcmp(SSL_alert_type_string(ret), "F") == 0 88166435Sjhb || strcmp(SSL_alert_desc_string(ret), "CN") == 0) 89166435Sjhb ex_data->num_fatal_alerts_sent++; 90166435Sjhb } else { 91166435Sjhb ex_data->alert_received = ret; 92166435Sjhb } 93166435Sjhb } 94166435Sjhb} 95166435Sjhb 96166435Sjhb/* Select the appropriate server CTX. 97166435Sjhb * Returns SSL_TLSEXT_ERR_OK if a match was found. 98166435Sjhb * If |ignore| is 1, returns SSL_TLSEXT_ERR_NOACK on mismatch. 99166435Sjhb * Otherwise, returns SSL_TLSEXT_ERR_ALERT_FATAL on mismatch. 100166435Sjhb * An empty SNI extension also returns SSL_TSLEXT_ERR_NOACK. 101166435Sjhb */ 102166435Sjhbstatic int select_server_ctx(SSL *s, void *arg, int ignore) 103166435Sjhb{ 104166435Sjhb const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name); 105166435Sjhb HANDSHAKE_EX_DATA *ex_data = 106166435Sjhb (HANDSHAKE_EX_DATA*)(SSL_get_ex_data(s, ex_data_idx)); 107166435Sjhb 108166435Sjhb if (servername == NULL) { 109166435Sjhb ex_data->servername = SSL_TEST_SERVERNAME_SERVER1; 110166435Sjhb return SSL_TLSEXT_ERR_NOACK; 111166435Sjhb } 112166435Sjhb 113166435Sjhb if (strcmp(servername, "server2") == 0) { 114166435Sjhb SSL_CTX *new_ctx = (SSL_CTX*)arg; 115166435Sjhb SSL_set_SSL_CTX(s, new_ctx); 116166435Sjhb /* 117166435Sjhb * Copy over all the SSL_CTX options - reasonable behavior 118166435Sjhb * allows testing of cases where the options between two 119166435Sjhb * contexts differ/conflict 120166435Sjhb */ 121166435Sjhb SSL_clear_options(s, 0xFFFFFFFFL); 122166435Sjhb SSL_set_options(s, SSL_CTX_get_options(new_ctx)); 123166435Sjhb 124166435Sjhb ex_data->servername = SSL_TEST_SERVERNAME_SERVER2; 125166435Sjhb return SSL_TLSEXT_ERR_OK; 126166435Sjhb } else if (strcmp(servername, "server1") == 0) { 127166435Sjhb ex_data->servername = SSL_TEST_SERVERNAME_SERVER1; 128166435Sjhb return SSL_TLSEXT_ERR_OK; 129166435Sjhb } else if (ignore) { 130166435Sjhb ex_data->servername = SSL_TEST_SERVERNAME_SERVER1; 131166435Sjhb return SSL_TLSEXT_ERR_NOACK; 132166435Sjhb } else { 133166435Sjhb /* Don't set an explicit alert, to test library defaults. */ 134166435Sjhb return SSL_TLSEXT_ERR_ALERT_FATAL; 135166435Sjhb } 136166435Sjhb} 137166435Sjhb 138166435Sjhbstatic int client_hello_select_server_ctx(SSL *s, void *arg, int ignore) 139166435Sjhb{ 140166435Sjhb const char *servername; 141166435Sjhb const unsigned char *p; 142166435Sjhb size_t len, remaining; 143166435Sjhb HANDSHAKE_EX_DATA *ex_data = 144166435Sjhb (HANDSHAKE_EX_DATA*)(SSL_get_ex_data(s, ex_data_idx)); 145166435Sjhb 146166435Sjhb /* 147166435Sjhb * The server_name extension was given too much extensibility when it 148166435Sjhb * was written, so parsing the normal case is a bit complex. 149166435Sjhb */ 150166435Sjhb if (!SSL_client_hello_get0_ext(s, TLSEXT_TYPE_server_name, &p, 151166435Sjhb &remaining) || 152166435Sjhb remaining <= 2) 153166435Sjhb return 0; 154166435Sjhb /* Extract the length of the supplied list of names. */ 155166435Sjhb len = (*(p++) << 8); 156191222Sjhb len += *(p++); 157191222Sjhb if (len + 2 != remaining) 158191222Sjhb return 0; 159166435Sjhb remaining = len; 160166435Sjhb /* 161166435Sjhb * The list in practice only has a single element, so we only consider 162166435Sjhb * the first one. 163166435Sjhb */ 164166435Sjhb if (remaining == 0 || *p++ != TLSEXT_NAMETYPE_host_name) 165166435Sjhb return 0; 166166435Sjhb remaining--; 167166435Sjhb /* Now we can finally pull out the byte array with the actual hostname. */ 168166435Sjhb if (remaining <= 2) 169166435Sjhb return 0; 170166435Sjhb len = (*(p++) << 8); 171166435Sjhb len += *(p++); 172166435Sjhb if (len + 2 > remaining) 173166435Sjhb return 0; 174166435Sjhb remaining = len; 175166435Sjhb servername = (const char *)p; 176166435Sjhb 177166435Sjhb if (len == strlen("server2") && strncmp(servername, "server2", len) == 0) { 178166435Sjhb SSL_CTX *new_ctx = arg; 179166435Sjhb SSL_set_SSL_CTX(s, new_ctx); 180166435Sjhb /* 181166435Sjhb * Copy over all the SSL_CTX options - reasonable behavior 182166435Sjhb * allows testing of cases where the options between two 183166435Sjhb * contexts differ/conflict 184166435Sjhb */ 185166435Sjhb SSL_clear_options(s, 0xFFFFFFFFL); 186166435Sjhb SSL_set_options(s, SSL_CTX_get_options(new_ctx)); 187166435Sjhb 188166435Sjhb ex_data->servername = SSL_TEST_SERVERNAME_SERVER2; 189166435Sjhb return 1; 190166435Sjhb } else if (len == strlen("server1") && 191166435Sjhb strncmp(servername, "server1", len) == 0) { 192166435Sjhb ex_data->servername = SSL_TEST_SERVERNAME_SERVER1; 193166435Sjhb return 1; 194166435Sjhb } else if (ignore) { 195166435Sjhb ex_data->servername = SSL_TEST_SERVERNAME_SERVER1; 196166435Sjhb return 1; 197166435Sjhb } 198166435Sjhb return 0; 199166435Sjhb} 200166435Sjhb/* 201166435Sjhb * (RFC 6066): 202166435Sjhb * If the server understood the ClientHello extension but 203166435Sjhb * does not recognize the server name, the server SHOULD take one of two 204166435Sjhb * actions: either abort the handshake by sending a fatal-level 205166435Sjhb * unrecognized_name(112) alert or continue the handshake. 206166435Sjhb * 207166435Sjhb * This behaviour is up to the application to configure; we test both 208166435Sjhb * configurations to ensure the state machine propagates the result 209166435Sjhb * correctly. 210166435Sjhb */ 211166435Sjhbstatic int servername_ignore_cb(SSL *s, int *ad, void *arg) 212166435Sjhb{ 213166435Sjhb return select_server_ctx(s, arg, 1); 214166435Sjhb} 215166435Sjhb 216166435Sjhbstatic int servername_reject_cb(SSL *s, int *ad, void *arg) 217166435Sjhb{ 218166435Sjhb return select_server_ctx(s, arg, 0); 219166435Sjhb} 220166435Sjhb 221166435Sjhbstatic int client_hello_ignore_cb(SSL *s, int *al, void *arg) 222166435Sjhb{ 223166435Sjhb if (!client_hello_select_server_ctx(s, arg, 1)) { 224166435Sjhb *al = SSL_AD_UNRECOGNIZED_NAME; 225166435Sjhb return SSL_CLIENT_HELLO_ERROR; 226166435Sjhb } 227166435Sjhb return SSL_CLIENT_HELLO_SUCCESS; 228166435Sjhb} 229166435Sjhb 230166435Sjhbstatic int client_hello_reject_cb(SSL *s, int *al, void *arg) 231166435Sjhb{ 232166435Sjhb if (!client_hello_select_server_ctx(s, arg, 0)) { 233166435Sjhb *al = SSL_AD_UNRECOGNIZED_NAME; 234166435Sjhb return SSL_CLIENT_HELLO_ERROR; 235166435Sjhb } 236166435Sjhb return SSL_CLIENT_HELLO_SUCCESS; 237166435Sjhb} 238166435Sjhb 239166435Sjhbstatic int client_hello_nov12_cb(SSL *s, int *al, void *arg) 240166435Sjhb{ 241166435Sjhb int ret; 242166435Sjhb unsigned int v; 243166435Sjhb const unsigned char *p; 244166435Sjhb 245166435Sjhb v = SSL_client_hello_get0_legacy_version(s); 246166435Sjhb if (v > TLS1_2_VERSION || v < SSL3_VERSION) { 247166435Sjhb *al = SSL_AD_PROTOCOL_VERSION; 248166435Sjhb return SSL_CLIENT_HELLO_ERROR; 249166435Sjhb } 250166435Sjhb (void)SSL_client_hello_get0_session_id(s, &p); 251169037Sjhb if (p == NULL || 252169037Sjhb SSL_client_hello_get0_random(s, &p) == 0 || 253166435Sjhb SSL_client_hello_get0_ciphers(s, &p) == 0 || 254166435Sjhb SSL_client_hello_get0_compression_methods(s, &p) == 0) { 255169037Sjhb *al = SSL_AD_INTERNAL_ERROR; 256169037Sjhb return SSL_CLIENT_HELLO_ERROR; 257169037Sjhb } 258169037Sjhb ret = client_hello_select_server_ctx(s, arg, 0); 259169037Sjhb SSL_set_max_proto_version(s, TLS1_1_VERSION); 260169037Sjhb if (!ret) { 261169037Sjhb *al = SSL_AD_UNRECOGNIZED_NAME; 262169037Sjhb return SSL_CLIENT_HELLO_ERROR; 263169037Sjhb } 264166435Sjhb return SSL_CLIENT_HELLO_SUCCESS; 265169037Sjhb} 266166435Sjhb 267166435Sjhbstatic unsigned char dummy_ocsp_resp_good_val = 0xff; 268166435Sjhbstatic unsigned char dummy_ocsp_resp_bad_val = 0xfe; 269166435Sjhb 270166435Sjhbstatic int server_ocsp_cb(SSL *s, void *arg) 271166435Sjhb{ 272166435Sjhb unsigned char *resp; 273166435Sjhb 274166435Sjhb resp = OPENSSL_malloc(1); 275166435Sjhb if (resp == NULL) 276173059Sjhb return SSL_TLSEXT_ERR_ALERT_FATAL; 277173059Sjhb /* 278173059Sjhb * For the purposes of testing we just send back a dummy OCSP response 279166435Sjhb */ 280166435Sjhb *resp = *(unsigned char *)arg; 281166435Sjhb if (!SSL_set_tlsext_status_ocsp_resp(s, resp, 1)) { 282166435Sjhb OPENSSL_free(resp); 283166435Sjhb return SSL_TLSEXT_ERR_ALERT_FATAL; 284166435Sjhb } 285166435Sjhb 286166435Sjhb return SSL_TLSEXT_ERR_OK; 287166435Sjhb} 288166435Sjhb 289166435Sjhbstatic int client_ocsp_cb(SSL *s, void *arg) 290166435Sjhb{ 291166435Sjhb const unsigned char *resp; 292166435Sjhb int len; 293166435Sjhb 294166435Sjhb len = SSL_get_tlsext_status_ocsp_resp(s, &resp); 295166435Sjhb if (len != 1 || *resp != dummy_ocsp_resp_good_val) 296166435Sjhb return 0; 297166435Sjhb 298166435Sjhb return 1; 299166435Sjhb} 300166435Sjhb 301166435Sjhbstatic int verify_reject_cb(X509_STORE_CTX *ctx, void *arg) { 302166435Sjhb X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION); 303166435Sjhb return 0; 304166435Sjhb} 305166435Sjhb 306166435Sjhbstatic int n_retries = 0; 307166435Sjhbstatic int verify_retry_cb(X509_STORE_CTX *ctx, void *arg) { 308166435Sjhb int idx = SSL_get_ex_data_X509_STORE_CTX_idx(); 309166435Sjhb SSL *ssl; 310166435Sjhb 311166435Sjhb /* this should not happen but check anyway */ 312166435Sjhb if (idx < 0 313166435Sjhb || (ssl = X509_STORE_CTX_get_ex_data(ctx, idx)) == NULL) 314166435Sjhb return 0; 315166435Sjhb 316166435Sjhb if (--n_retries < 0) 317166435Sjhb return 1; 318166435Sjhb 319166435Sjhb return SSL_set_retry_verify(ssl); 320166435Sjhb} 321166435Sjhb 322166435Sjhbstatic int verify_accept_cb(X509_STORE_CTX *ctx, void *arg) { 323166435Sjhb return 1; 324166435Sjhb} 325166435Sjhb 326166435Sjhbstatic int broken_session_ticket_cb(SSL *s, unsigned char *key_name, 327166435Sjhb unsigned char *iv, EVP_CIPHER_CTX *ctx, 328166435Sjhb EVP_MAC_CTX *hctx, int enc) 329166435Sjhb{ 330166435Sjhb return 0; 331166435Sjhb} 332166435Sjhb 333166435Sjhbstatic int do_not_call_session_ticket_cb(SSL *s, unsigned char *key_name, 334166435Sjhb unsigned char *iv, 335166435Sjhb EVP_CIPHER_CTX *ctx, 336166435Sjhb EVP_MAC_CTX *hctx, int enc) 337166435Sjhb{ 338166435Sjhb HANDSHAKE_EX_DATA *ex_data = 339166435Sjhb (HANDSHAKE_EX_DATA*)(SSL_get_ex_data(s, ex_data_idx)); 340166435Sjhb ex_data->session_ticket_do_not_call = 1; 341166435Sjhb return 0; 342166435Sjhb} 343166435Sjhb 344166435Sjhb/* Parse the comma-separated list into TLS format. */ 345166435Sjhbstatic int parse_protos(const char *protos, unsigned char **out, size_t *outlen) 346166435Sjhb{ 347166435Sjhb size_t len, i, prefix; 348166435Sjhb 349166435Sjhb len = strlen(protos); 350166435Sjhb 351166435Sjhb /* Should never have reuse. */ 352166435Sjhb if (!TEST_ptr_null(*out) 353166435Sjhb /* Test values are small, so we omit length limit checks. */ 354166435Sjhb || !TEST_ptr(*out = OPENSSL_malloc(len + 1))) 355166435Sjhb return 0; 356166435Sjhb *outlen = len + 1; 357166435Sjhb 358166435Sjhb /* 359166435Sjhb * foo => '3', 'f', 'o', 'o' 360166435Sjhb * foo,bar => '3', 'f', 'o', 'o', '3', 'b', 'a', 'r' 361166435Sjhb */ 362166435Sjhb memcpy(*out + 1, protos, len); 363166435Sjhb 364191222Sjhb prefix = 0; 365191222Sjhb i = prefix + 1; 366166435Sjhb while (i <= len) { 367166435Sjhb if ((*out)[i] == ',') { 368166435Sjhb if (!TEST_int_gt(i - 1, prefix)) 369191222Sjhb goto err; 370166435Sjhb (*out)[prefix] = (unsigned char)(i - 1 - prefix); 371166435Sjhb prefix = i; 372240680Sgavin } 373240680Sgavin i++; 374240680Sgavin } 375240680Sgavin if (!TEST_int_gt(len, prefix)) 376166435Sjhb goto err; 377166435Sjhb (*out)[prefix] = (unsigned char)(len - prefix); 378240680Sgavin return 1; 379166435Sjhb 380166435Sjhberr: 381240680Sgavin OPENSSL_free(*out); 382166435Sjhb *out = NULL; 383166435Sjhb return 0; 384240680Sgavin} 385166435Sjhb 386166435Sjhb#ifndef OPENSSL_NO_NEXTPROTONEG 387240680Sgavin/* 388166435Sjhb * The client SHOULD select the first protocol advertised by the server that it 389166435Sjhb * also supports. In the event that the client doesn't support any of server's 390240680Sgavin * protocols, or the server doesn't advertise any, it SHOULD select the first 391166435Sjhb * protocol that it supports. 392166435Sjhb */ 393240680Sgavinstatic int client_npn_cb(SSL *s, unsigned char **out, unsigned char *outlen, 394191222Sjhb const unsigned char *in, unsigned int inlen, 395191222Sjhb void *arg) 396240680Sgavin{ 397191222Sjhb CTX_DATA *ctx_data = (CTX_DATA*)(arg); 398191222Sjhb int ret; 399240680Sgavin 400191222Sjhb ret = SSL_select_next_proto(out, outlen, in, inlen, 401191222Sjhb ctx_data->npn_protocols, 402166435Sjhb ctx_data->npn_protocols_len); 403240680Sgavin /* Accept both OPENSSL_NPN_NEGOTIATED and OPENSSL_NPN_NO_OVERLAP. */ 404166435Sjhb return TEST_true(ret == OPENSSL_NPN_NEGOTIATED || ret == OPENSSL_NPN_NO_OVERLAP) 405166435Sjhb ? SSL_TLSEXT_ERR_OK : SSL_TLSEXT_ERR_ALERT_FATAL; 406240680Sgavin} 407240146Sgavin 408240680Sgavinstatic int server_npn_cb(SSL *s, const unsigned char **data, 409240680Sgavin unsigned int *len, void *arg) 410240680Sgavin{ 411240680Sgavin CTX_DATA *ctx_data = (CTX_DATA*)(arg); 412191222Sjhb *data = ctx_data->npn_protocols; 413240680Sgavin *len = ctx_data->npn_protocols_len; 414240680Sgavin return SSL_TLSEXT_ERR_OK; 415240680Sgavin} 416240474Sjhb#endif 417240680Sgavin 418240680Sgavin/* 419240680Sgavin * The server SHOULD select the most highly preferred protocol that it supports 420240680Sgavin * and that is also advertised by the client. In the event that the server 421166435Sjhb * supports no protocols that the client advertises, then the server SHALL 422166435Sjhb * respond with a fatal "no_application_protocol" alert. 423166435Sjhb */ 424166435Sjhbstatic int server_alpn_cb(SSL *s, const unsigned char **out, 425166435Sjhb unsigned char *outlen, const unsigned char *in, 426166435Sjhb unsigned int inlen, void *arg) 427166435Sjhb{ 428166435Sjhb CTX_DATA *ctx_data = (CTX_DATA*)(arg); 429166435Sjhb int ret; 430166435Sjhb 431166435Sjhb /* SSL_select_next_proto isn't const-correct... */ 432166435Sjhb unsigned char *tmp_out; 433166435Sjhb 434166435Sjhb /* 435166435Sjhb * The result points either to |in| or to |ctx_data->alpn_protocols|. 436166435Sjhb * The callback is allowed to point to |in| or to a long-lived buffer, 437166435Sjhb * so we can return directly without storing a copy. 438166435Sjhb */ 439166435Sjhb ret = SSL_select_next_proto(&tmp_out, outlen, 440166435Sjhb ctx_data->alpn_protocols, 441166435Sjhb ctx_data->alpn_protocols_len, in, inlen); 442166435Sjhb 443166435Sjhb *out = tmp_out; 444166435Sjhb /* Unlike NPN, we don't tolerate a mismatch. */ 445166435Sjhb return ret == OPENSSL_NPN_NEGOTIATED ? SSL_TLSEXT_ERR_OK 446188640Smav : SSL_TLSEXT_ERR_ALERT_FATAL; 447188640Smav} 448188640Smav 449188640Smavstatic int generate_session_ticket_cb(SSL *s, void *arg) 450188640Smav{ 451188640Smav CTX_DATA *server_ctx_data = arg; 452188640Smav SSL_SESSION *ss = SSL_get_session(s); 453188640Smav char *app_data = server_ctx_data->session_ticket_app_data; 454188640Smav 455188640Smav if (ss == NULL || app_data == NULL) 456188640Smav return 0; 457188640Smav 458188640Smav return SSL_SESSION_set1_ticket_appdata(ss, app_data, strlen(app_data)); 459188641Smav} 460188641Smav 461188641Smavstatic int decrypt_session_ticket_cb(SSL *s, SSL_SESSION *ss, 462188640Smav const unsigned char *keyname, 463188640Smav size_t keyname_len, 464166435Sjhb SSL_TICKET_STATUS status, 465166435Sjhb void *arg) 466166435Sjhb{ 467212749Sjhb switch (status) { 468212369Sjhb case SSL_TICKET_EMPTY: 469166435Sjhb case SSL_TICKET_NO_DECRYPT: 470166435Sjhb return SSL_TICKET_RETURN_IGNORE_RENEW; 471166435Sjhb case SSL_TICKET_SUCCESS: 472212369Sjhb return SSL_TICKET_RETURN_USE; 473212369Sjhb case SSL_TICKET_SUCCESS_RENEW: 474166435Sjhb return SSL_TICKET_RETURN_USE_RENEW; 475166435Sjhb default: 476166435Sjhb break; 477212369Sjhb } 478212369Sjhb return SSL_TICKET_RETURN_ABORT; 479166435Sjhb} 480166435Sjhb 481212369Sjhb/* 482166435Sjhb * Configure callbacks and other properties that can't be set directly 483166435Sjhb * in the server/client CONF. 484166435Sjhb */ 485166435Sjhbstatic int configure_handshake_ctx(SSL_CTX *server_ctx, SSL_CTX *server2_ctx, 486166435Sjhb SSL_CTX *client_ctx, 487166435Sjhb const SSL_TEST_CTX *test, 488166435Sjhb const SSL_TEST_EXTRA_CONF *extra, 489212749Sjhb CTX_DATA *server_ctx_data, 490166435Sjhb CTX_DATA *server2_ctx_data, 491166435Sjhb CTX_DATA *client_ctx_data) 492166435Sjhb{ 493166435Sjhb unsigned char *ticket_keys; 494166435Sjhb size_t ticket_key_len; 495166435Sjhb 496166435Sjhb if (!TEST_int_eq(SSL_CTX_set_max_send_fragment(server_ctx, 497166435Sjhb test->max_fragment_size), 1)) 498166435Sjhb goto err; 499166435Sjhb if (server2_ctx != NULL) { 500166435Sjhb if (!TEST_int_eq(SSL_CTX_set_max_send_fragment(server2_ctx, 501166435Sjhb test->max_fragment_size), 502166435Sjhb 1)) 503166435Sjhb goto err; 504166435Sjhb } 505166435Sjhb if (!TEST_int_eq(SSL_CTX_set_max_send_fragment(client_ctx, 506166435Sjhb test->max_fragment_size), 1)) 507166435Sjhb goto err; 508166435Sjhb 509166435Sjhb switch (extra->client.verify_callback) { 510166435Sjhb case SSL_TEST_VERIFY_ACCEPT_ALL: 511166435Sjhb SSL_CTX_set_cert_verify_callback(client_ctx, &verify_accept_cb, NULL); 512166435Sjhb break; 513166435Sjhb case SSL_TEST_VERIFY_RETRY_ONCE: 514166435Sjhb n_retries = 1; 515166435Sjhb SSL_CTX_set_cert_verify_callback(client_ctx, &verify_retry_cb, NULL); 516166435Sjhb break; 517166435Sjhb case SSL_TEST_VERIFY_REJECT_ALL: 518166435Sjhb SSL_CTX_set_cert_verify_callback(client_ctx, &verify_reject_cb, NULL); 519166435Sjhb break; 520166435Sjhb case SSL_TEST_VERIFY_NONE: 521166435Sjhb break; 522166435Sjhb } 523212749Sjhb 524166435Sjhb switch (extra->client.max_fragment_len_mode) { 525166435Sjhb case TLSEXT_max_fragment_length_512: 526166435Sjhb case TLSEXT_max_fragment_length_1024: 527166435Sjhb case TLSEXT_max_fragment_length_2048: 528166435Sjhb case TLSEXT_max_fragment_length_4096: 529188640Smav case TLSEXT_max_fragment_length_DISABLED: 530188640Smav SSL_CTX_set_tlsext_max_fragment_length( 531188640Smav client_ctx, extra->client.max_fragment_len_mode); 532188640Smav break; 533188640Smav } 534188640Smav 535166435Sjhb /* 536166435Sjhb * Link the two contexts for SNI purposes. 537166435Sjhb * Also do ClientHello callbacks here, as setting both ClientHello and SNI 538166435Sjhb * is bad. 539166435Sjhb */ 540166435Sjhb switch (extra->server.servername_callback) { 541166435Sjhb case SSL_TEST_SERVERNAME_IGNORE_MISMATCH: 542212326Sjhb SSL_CTX_set_tlsext_servername_callback(server_ctx, servername_ignore_cb); 543212749Sjhb SSL_CTX_set_tlsext_servername_arg(server_ctx, server2_ctx); 544212749Sjhb break; 545166435Sjhb case SSL_TEST_SERVERNAME_REJECT_MISMATCH: 546212326Sjhb SSL_CTX_set_tlsext_servername_callback(server_ctx, servername_reject_cb); 547212326Sjhb SSL_CTX_set_tlsext_servername_arg(server_ctx, server2_ctx); 548212326Sjhb break; 549212326Sjhb case SSL_TEST_SERVERNAME_CB_NONE: 550212326Sjhb break; 551212326Sjhb case SSL_TEST_SERVERNAME_CLIENT_HELLO_IGNORE_MISMATCH: 552212326Sjhb SSL_CTX_set_client_hello_cb(server_ctx, client_hello_ignore_cb, server2_ctx); 553212326Sjhb break; 554212326Sjhb case SSL_TEST_SERVERNAME_CLIENT_HELLO_REJECT_MISMATCH: 555212326Sjhb SSL_CTX_set_client_hello_cb(server_ctx, client_hello_reject_cb, server2_ctx); 556212326Sjhb break; 557212326Sjhb case SSL_TEST_SERVERNAME_CLIENT_HELLO_NO_V12: 558212326Sjhb SSL_CTX_set_client_hello_cb(server_ctx, client_hello_nov12_cb, server2_ctx); 559212326Sjhb } 560212326Sjhb 561212326Sjhb if (extra->server.cert_status != SSL_TEST_CERT_STATUS_NONE) { 562212326Sjhb SSL_CTX_set_tlsext_status_type(client_ctx, TLSEXT_STATUSTYPE_ocsp); 563212326Sjhb SSL_CTX_set_tlsext_status_cb(client_ctx, client_ocsp_cb); 564212326Sjhb SSL_CTX_set_tlsext_status_arg(client_ctx, NULL); 565212326Sjhb SSL_CTX_set_tlsext_status_cb(server_ctx, server_ocsp_cb); 566240474Sjhb SSL_CTX_set_tlsext_status_arg(server_ctx, 567212326Sjhb ((extra->server.cert_status == SSL_TEST_CERT_STATUS_GOOD_RESPONSE) 568212326Sjhb ? &dummy_ocsp_resp_good_val : &dummy_ocsp_resp_bad_val)); 569212326Sjhb } 570212326Sjhb 571212326Sjhb /* 572212326Sjhb * The initial_ctx/session_ctx always handles the encrypt/decrypt of the 573212326Sjhb * session ticket. This ticket_key callback is assigned to the second 574212326Sjhb * session (assigned via SNI), and should never be invoked 575212326Sjhb */ 576212326Sjhb if (server2_ctx != NULL) 577212326Sjhb SSL_CTX_set_tlsext_ticket_key_evp_cb(server2_ctx, 578212326Sjhb do_not_call_session_ticket_cb); 579212326Sjhb 580212326Sjhb if (extra->server.broken_session_ticket) { 581212326Sjhb SSL_CTX_set_tlsext_ticket_key_evp_cb(server_ctx, 582240474Sjhb broken_session_ticket_cb); 583212326Sjhb } 584212326Sjhb#ifndef OPENSSL_NO_NEXTPROTONEG 585212326Sjhb if (extra->server.npn_protocols != NULL) { 586212326Sjhb if (!TEST_true(parse_protos(extra->server.npn_protocols, 587212326Sjhb &server_ctx_data->npn_protocols, 588212326Sjhb &server_ctx_data->npn_protocols_len))) 589212326Sjhb goto err; 590212326Sjhb SSL_CTX_set_npn_advertised_cb(server_ctx, server_npn_cb, 591212326Sjhb server_ctx_data); 592212326Sjhb } 593212326Sjhb if (extra->server2.npn_protocols != NULL) { 594212326Sjhb if (!TEST_true(parse_protos(extra->server2.npn_protocols, 595212326Sjhb &server2_ctx_data->npn_protocols, 596212326Sjhb &server2_ctx_data->npn_protocols_len)) 597240474Sjhb || !TEST_ptr(server2_ctx)) 598212326Sjhb goto err; 599212326Sjhb SSL_CTX_set_npn_advertised_cb(server2_ctx, server_npn_cb, 600212326Sjhb server2_ctx_data); 601212326Sjhb } 602212326Sjhb if (extra->client.npn_protocols != NULL) { 603212326Sjhb if (!TEST_true(parse_protos(extra->client.npn_protocols, 604212326Sjhb &client_ctx_data->npn_protocols, 605240474Sjhb &client_ctx_data->npn_protocols_len))) 606240474Sjhb goto err; 607240474Sjhb SSL_CTX_set_next_proto_select_cb(client_ctx, client_npn_cb, 608240474Sjhb client_ctx_data); 609240474Sjhb } 610240474Sjhb#endif 611240474Sjhb if (extra->server.alpn_protocols != NULL) { 612240474Sjhb if (!TEST_true(parse_protos(extra->server.alpn_protocols, 613240474Sjhb &server_ctx_data->alpn_protocols, 614240474Sjhb &server_ctx_data->alpn_protocols_len))) 615240474Sjhb goto err; 616240474Sjhb SSL_CTX_set_alpn_select_cb(server_ctx, server_alpn_cb, server_ctx_data); 617240474Sjhb } 618240474Sjhb if (extra->server2.alpn_protocols != NULL) { 619240474Sjhb if (!TEST_ptr(server2_ctx) 620240474Sjhb || !TEST_true(parse_protos(extra->server2.alpn_protocols, 621240474Sjhb &server2_ctx_data->alpn_protocols, 622240474Sjhb &server2_ctx_data->alpn_protocols_len 623240474Sjhb ))) 624240474Sjhb goto err; 625240474Sjhb SSL_CTX_set_alpn_select_cb(server2_ctx, server_alpn_cb, 626240474Sjhb server2_ctx_data); 627240474Sjhb } 628240474Sjhb if (extra->client.alpn_protocols != NULL) { 629240474Sjhb unsigned char *alpn_protos = NULL; 630240474Sjhb size_t alpn_protos_len = 0; 631240474Sjhb 632240474Sjhb if (!TEST_true(parse_protos(extra->client.alpn_protocols, 633240474Sjhb &alpn_protos, &alpn_protos_len)) 634240474Sjhb /* Reversed return value convention... */ 635240474Sjhb || !TEST_int_eq(SSL_CTX_set_alpn_protos(client_ctx, alpn_protos, 636240474Sjhb alpn_protos_len), 0)) 637240474Sjhb goto err; 638240474Sjhb OPENSSL_free(alpn_protos); 639240474Sjhb } 640240474Sjhb 641240474Sjhb if (extra->server.session_ticket_app_data != NULL) { 642240474Sjhb server_ctx_data->session_ticket_app_data = 643240474Sjhb OPENSSL_strdup(extra->server.session_ticket_app_data); 644240474Sjhb SSL_CTX_set_session_ticket_cb(server_ctx, generate_session_ticket_cb, 645240474Sjhb decrypt_session_ticket_cb, server_ctx_data); 646240474Sjhb } 647240474Sjhb if (extra->server2.session_ticket_app_data != NULL) { 648240474Sjhb if (!TEST_ptr(server2_ctx)) 649240474Sjhb goto err; 650240474Sjhb server2_ctx_data->session_ticket_app_data = 651212326Sjhb OPENSSL_strdup(extra->server2.session_ticket_app_data); 652212326Sjhb SSL_CTX_set_session_ticket_cb(server2_ctx, NULL, 653240474Sjhb decrypt_session_ticket_cb, server2_ctx_data); 654212326Sjhb } 655212326Sjhb 656240474Sjhb /* 657212326Sjhb * Use fixed session ticket keys so that we can decrypt a ticket created with 658212326Sjhb * one CTX in another CTX. Don't address server2 for the moment. 659212326Sjhb */ 660212326Sjhb ticket_key_len = SSL_CTX_set_tlsext_ticket_keys(server_ctx, NULL, 0); 661212326Sjhb if (!TEST_ptr(ticket_keys = OPENSSL_zalloc(ticket_key_len)) 662212326Sjhb || !TEST_int_eq(SSL_CTX_set_tlsext_ticket_keys(server_ctx, 663241757Simp ticket_keys, 664212326Sjhb ticket_key_len), 1)) { 665212326Sjhb OPENSSL_free(ticket_keys); 666212326Sjhb goto err; 667212326Sjhb } 668212326Sjhb OPENSSL_free(ticket_keys); 669212326Sjhb 670212326Sjhb /* The default log list includes EC keys, so CT can't work without EC. */ 671212326Sjhb#if !defined(OPENSSL_NO_CT) && !defined(OPENSSL_NO_EC) 672212326Sjhb if (!TEST_true(SSL_CTX_set_default_ctlog_list_file(client_ctx))) 673212326Sjhb goto err; 674240474Sjhb switch (extra->client.ct_validation) { 675240474Sjhb case SSL_TEST_CT_VALIDATION_PERMISSIVE: 676240474Sjhb if (!TEST_true(SSL_CTX_enable_ct(client_ctx, 677240474Sjhb SSL_CT_VALIDATION_PERMISSIVE))) 678240474Sjhb goto err; 679240474Sjhb break; 680212326Sjhb case SSL_TEST_CT_VALIDATION_STRICT: 681240474Sjhb if (!TEST_true(SSL_CTX_enable_ct(client_ctx, SSL_CT_VALIDATION_STRICT))) 682240474Sjhb goto err; 683240474Sjhb break; 684240474Sjhb case SSL_TEST_CT_VALIDATION_NONE: 685240474Sjhb break; 686240474Sjhb } 687240474Sjhb#endif 688212326Sjhb#ifndef OPENSSL_NO_SRP 689212326Sjhb if (!configure_handshake_ctx_for_srp(server_ctx, server2_ctx, client_ctx, 690212326Sjhb extra, server_ctx_data, 691212326Sjhb server2_ctx_data, client_ctx_data)) 692212326Sjhb goto err; 693212326Sjhb#endif /* !OPENSSL_NO_SRP */ 694212326Sjhb return 1; 695212326Sjhberr: 696212326Sjhb return 0; 697236415Sjhb} 698236415Sjhb 699236415Sjhb/* Configure per-SSL callbacks and other properties. */ 700236415Sjhbstatic void configure_handshake_ssl(SSL *server, SSL *client, 701236415Sjhb const SSL_TEST_EXTRA_CONF *extra) 702236415Sjhb{ 703236415Sjhb if (extra->client.servername != SSL_TEST_SERVERNAME_NONE) 704236415Sjhb SSL_set_tlsext_host_name(client, 705236415Sjhb ssl_servername_name(extra->client.servername)); 706236415Sjhb if (extra->client.enable_pha) 707236415Sjhb SSL_set_post_handshake_auth(client, 1); 708236415Sjhb} 709236415Sjhb 710236415Sjhb/* The status for each connection phase. */ 711236415Sjhbtypedef enum { 712236415Sjhb PEER_SUCCESS, 713236415Sjhb PEER_RETRY, 714236415Sjhb PEER_ERROR, 715236415Sjhb PEER_WAITING, 716236415Sjhb PEER_TEST_FAILURE 717236415Sjhb} peer_status_t; 718236415Sjhb 719236415Sjhb/* An SSL object and associated read-write buffers. */ 720236415Sjhbtypedef struct peer_st { 721236415Sjhb SSL *ssl; 722236415Sjhb /* Buffer lengths are int to match the SSL read/write API. */ 723236415Sjhb unsigned char *write_buf; 724236415Sjhb int write_buf_len; 725236415Sjhb unsigned char *read_buf; 726236415Sjhb int read_buf_len; 727236415Sjhb int bytes_to_write; 728236415Sjhb int bytes_to_read; 729236415Sjhb peer_status_t status; 730236415Sjhb} PEER; 731236415Sjhb 732236415Sjhbstatic int create_peer(PEER *peer, SSL_CTX *ctx) 733236415Sjhb{ 734236415Sjhb static const int peer_buffer_size = 64 * 1024; 735236415Sjhb SSL *ssl = NULL; 736236415Sjhb unsigned char *read_buf = NULL, *write_buf = NULL; 737236415Sjhb 738236415Sjhb if (!TEST_ptr(ssl = SSL_new(ctx)) 739236415Sjhb || !TEST_ptr(write_buf = OPENSSL_zalloc(peer_buffer_size)) 740236415Sjhb || !TEST_ptr(read_buf = OPENSSL_zalloc(peer_buffer_size))) 741236415Sjhb goto err; 742236415Sjhb 743236415Sjhb peer->ssl = ssl; 744236415Sjhb peer->write_buf = write_buf; 745236415Sjhb peer->read_buf = read_buf; 746236415Sjhb peer->write_buf_len = peer->read_buf_len = peer_buffer_size; 747236415Sjhb return 1; 748236415Sjhberr: 749236415Sjhb SSL_free(ssl); 750236415Sjhb OPENSSL_free(write_buf); 751236415Sjhb OPENSSL_free(read_buf); 752236415Sjhb return 0; 753} 754 755static void peer_free_data(PEER *peer) 756{ 757 SSL_free(peer->ssl); 758 OPENSSL_free(peer->write_buf); 759 OPENSSL_free(peer->read_buf); 760} 761 762/* 763 * Note that we could do the handshake transparently under an SSL_write, 764 * but separating the steps is more helpful for debugging test failures. 765 */ 766static void do_handshake_step(PEER *peer) 767{ 768 if (!TEST_int_eq(peer->status, PEER_RETRY)) { 769 peer->status = PEER_TEST_FAILURE; 770 } else { 771 int ret = SSL_do_handshake(peer->ssl); 772 773 if (ret == 1) { 774 peer->status = PEER_SUCCESS; 775 } else if (ret == 0) { 776 peer->status = PEER_ERROR; 777 } else { 778 int error = SSL_get_error(peer->ssl, ret); 779 780 /* Memory bios should never block with SSL_ERROR_WANT_WRITE. */ 781 if (error != SSL_ERROR_WANT_READ 782 && error != SSL_ERROR_WANT_RETRY_VERIFY) 783 peer->status = PEER_ERROR; 784 } 785 } 786} 787 788/*- 789 * Send/receive some application data. The read-write sequence is 790 * Peer A: (R) W - first read will yield no data 791 * Peer B: R W 792 * ... 793 * Peer A: R W 794 * Peer B: R W 795 * Peer A: R 796 */ 797static void do_app_data_step(PEER *peer) 798{ 799 int ret = 1, write_bytes; 800 801 if (!TEST_int_eq(peer->status, PEER_RETRY)) { 802 peer->status = PEER_TEST_FAILURE; 803 return; 804 } 805 806 /* We read everything available... */ 807 while (ret > 0 && peer->bytes_to_read) { 808 ret = SSL_read(peer->ssl, peer->read_buf, peer->read_buf_len); 809 if (ret > 0) { 810 if (!TEST_int_le(ret, peer->bytes_to_read)) { 811 peer->status = PEER_TEST_FAILURE; 812 return; 813 } 814 peer->bytes_to_read -= ret; 815 } else if (ret == 0) { 816 peer->status = PEER_ERROR; 817 return; 818 } else { 819 int error = SSL_get_error(peer->ssl, ret); 820 if (error != SSL_ERROR_WANT_READ) { 821 peer->status = PEER_ERROR; 822 return; 823 } /* Else continue with write. */ 824 } 825 } 826 827 /* ... but we only write one write-buffer-full of data. */ 828 write_bytes = peer->bytes_to_write < peer->write_buf_len ? peer->bytes_to_write : 829 peer->write_buf_len; 830 if (write_bytes) { 831 ret = SSL_write(peer->ssl, peer->write_buf, write_bytes); 832 if (ret > 0) { 833 /* SSL_write will only succeed with a complete write. */ 834 if (!TEST_int_eq(ret, write_bytes)) { 835 peer->status = PEER_TEST_FAILURE; 836 return; 837 } 838 peer->bytes_to_write -= ret; 839 } else { 840 /* 841 * We should perhaps check for SSL_ERROR_WANT_READ/WRITE here 842 * but this doesn't yet occur with current app data sizes. 843 */ 844 peer->status = PEER_ERROR; 845 return; 846 } 847 } 848 849 /* 850 * We could simply finish when there was nothing to read, and we have 851 * nothing left to write. But keeping track of the expected number of bytes 852 * to read gives us somewhat better guarantees that all data sent is in fact 853 * received. 854 */ 855 if (peer->bytes_to_write == 0 && peer->bytes_to_read == 0) { 856 peer->status = PEER_SUCCESS; 857 } 858} 859 860static void do_reneg_setup_step(const SSL_TEST_CTX *test_ctx, PEER *peer) 861{ 862 int ret; 863 char buf; 864 865 if (peer->status == PEER_SUCCESS) { 866 /* 867 * We are a client that succeeded this step previously, but the server 868 * wanted to retry. Probably there is a no_renegotiation warning alert 869 * waiting for us. Attempt to continue the handshake. 870 */ 871 peer->status = PEER_RETRY; 872 do_handshake_step(peer); 873 return; 874 } 875 876 if (!TEST_int_eq(peer->status, PEER_RETRY) 877 || !TEST_true(test_ctx->handshake_mode 878 == SSL_TEST_HANDSHAKE_RENEG_SERVER 879 || test_ctx->handshake_mode 880 == SSL_TEST_HANDSHAKE_RENEG_CLIENT 881 || test_ctx->handshake_mode 882 == SSL_TEST_HANDSHAKE_KEY_UPDATE_SERVER 883 || test_ctx->handshake_mode 884 == SSL_TEST_HANDSHAKE_KEY_UPDATE_CLIENT 885 || test_ctx->handshake_mode 886 == SSL_TEST_HANDSHAKE_POST_HANDSHAKE_AUTH)) { 887 peer->status = PEER_TEST_FAILURE; 888 return; 889 } 890 891 /* Reset the count of the amount of app data we need to read/write */ 892 peer->bytes_to_write = peer->bytes_to_read = test_ctx->app_data_size; 893 894 /* Check if we are the peer that is going to initiate */ 895 if ((test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_RENEG_SERVER 896 && SSL_is_server(peer->ssl)) 897 || (test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_RENEG_CLIENT 898 && !SSL_is_server(peer->ssl))) { 899 /* 900 * If we already asked for a renegotiation then fall through to the 901 * SSL_read() below. 902 */ 903 if (!SSL_renegotiate_pending(peer->ssl)) { 904 /* 905 * If we are the client we will always attempt to resume the 906 * session. The server may or may not resume dependent on the 907 * setting of SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 908 */ 909 if (SSL_is_server(peer->ssl)) { 910 ret = SSL_renegotiate(peer->ssl); 911 } else { 912 int full_reneg = 0; 913 914 if (test_ctx->extra.client.no_extms_on_reneg) { 915 SSL_set_options(peer->ssl, SSL_OP_NO_EXTENDED_MASTER_SECRET); 916 full_reneg = 1; 917 } 918 if (test_ctx->extra.client.reneg_ciphers != NULL) { 919 if (!SSL_set_cipher_list(peer->ssl, 920 test_ctx->extra.client.reneg_ciphers)) { 921 peer->status = PEER_ERROR; 922 return; 923 } 924 full_reneg = 1; 925 } 926 if (full_reneg) 927 ret = SSL_renegotiate(peer->ssl); 928 else 929 ret = SSL_renegotiate_abbreviated(peer->ssl); 930 } 931 if (!ret) { 932 peer->status = PEER_ERROR; 933 return; 934 } 935 do_handshake_step(peer); 936 /* 937 * If status is PEER_RETRY it means we're waiting on the peer to 938 * continue the handshake. As far as setting up the renegotiation is 939 * concerned that is a success. The next step will continue the 940 * handshake to its conclusion. 941 * 942 * If status is PEER_SUCCESS then we are the server and we have 943 * successfully sent the HelloRequest. We need to continue to wait 944 * until the handshake arrives from the client. 945 */ 946 if (peer->status == PEER_RETRY) 947 peer->status = PEER_SUCCESS; 948 else if (peer->status == PEER_SUCCESS) 949 peer->status = PEER_RETRY; 950 return; 951 } 952 } else if (test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_KEY_UPDATE_SERVER 953 || test_ctx->handshake_mode 954 == SSL_TEST_HANDSHAKE_KEY_UPDATE_CLIENT) { 955 if (SSL_is_server(peer->ssl) 956 != (test_ctx->handshake_mode 957 == SSL_TEST_HANDSHAKE_KEY_UPDATE_SERVER)) { 958 peer->status = PEER_SUCCESS; 959 return; 960 } 961 962 ret = SSL_key_update(peer->ssl, test_ctx->key_update_type); 963 if (!ret) { 964 peer->status = PEER_ERROR; 965 return; 966 } 967 do_handshake_step(peer); 968 /* 969 * This is a one step handshake. We shouldn't get anything other than 970 * PEER_SUCCESS 971 */ 972 if (peer->status != PEER_SUCCESS) 973 peer->status = PEER_ERROR; 974 return; 975 } else if (test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_POST_HANDSHAKE_AUTH) { 976 if (SSL_is_server(peer->ssl)) { 977 /* Make the server believe it's received the extension */ 978 if (test_ctx->extra.server.force_pha) 979 peer->ssl->post_handshake_auth = SSL_PHA_EXT_RECEIVED; 980 ret = SSL_verify_client_post_handshake(peer->ssl); 981 if (!ret) { 982 peer->status = PEER_ERROR; 983 return; 984 } 985 } 986 do_handshake_step(peer); 987 /* 988 * This is a one step handshake. We shouldn't get anything other than 989 * PEER_SUCCESS 990 */ 991 if (peer->status != PEER_SUCCESS) 992 peer->status = PEER_ERROR; 993 return; 994 } 995 996 /* 997 * The SSL object is still expecting app data, even though it's going to 998 * get a handshake message. We try to read, and it should fail - after which 999 * we should be in a handshake 1000 */ 1001 ret = SSL_read(peer->ssl, &buf, sizeof(buf)); 1002 if (ret >= 0) { 1003 /* 1004 * We're not actually expecting data - we're expecting a reneg to 1005 * start 1006 */ 1007 peer->status = PEER_ERROR; 1008 return; 1009 } else { 1010 int error = SSL_get_error(peer->ssl, ret); 1011 if (error != SSL_ERROR_WANT_READ) { 1012 peer->status = PEER_ERROR; 1013 return; 1014 } 1015 /* If we're not in init yet then we're not done with setup yet */ 1016 if (!SSL_in_init(peer->ssl)) 1017 return; 1018 } 1019 1020 peer->status = PEER_SUCCESS; 1021} 1022 1023 1024/* 1025 * RFC 5246 says: 1026 * 1027 * Note that as of TLS 1.1, 1028 * failure to properly close a connection no longer requires that a 1029 * session not be resumed. This is a change from TLS 1.0 to conform 1030 * with widespread implementation practice. 1031 * 1032 * However, 1033 * (a) OpenSSL requires that a connection be shutdown for all protocol versions. 1034 * (b) We test lower versions, too. 1035 * So we just implement shutdown. We do a full bidirectional shutdown so that we 1036 * can compare sent and received close_notify alerts and get some test coverage 1037 * for SSL_shutdown as a bonus. 1038 */ 1039static void do_shutdown_step(PEER *peer) 1040{ 1041 int ret; 1042 1043 if (!TEST_int_eq(peer->status, PEER_RETRY)) { 1044 peer->status = PEER_TEST_FAILURE; 1045 return; 1046 } 1047 ret = SSL_shutdown(peer->ssl); 1048 1049 if (ret == 1) { 1050 peer->status = PEER_SUCCESS; 1051 } else if (ret < 0) { /* On 0, we retry. */ 1052 int error = SSL_get_error(peer->ssl, ret); 1053 1054 if (error != SSL_ERROR_WANT_READ && error != SSL_ERROR_WANT_WRITE) 1055 peer->status = PEER_ERROR; 1056 } 1057} 1058 1059typedef enum { 1060 HANDSHAKE, 1061 RENEG_APPLICATION_DATA, 1062 RENEG_SETUP, 1063 RENEG_HANDSHAKE, 1064 APPLICATION_DATA, 1065 SHUTDOWN, 1066 CONNECTION_DONE 1067} connect_phase_t; 1068 1069 1070static int renegotiate_op(const SSL_TEST_CTX *test_ctx) 1071{ 1072 switch (test_ctx->handshake_mode) { 1073 case SSL_TEST_HANDSHAKE_RENEG_SERVER: 1074 case SSL_TEST_HANDSHAKE_RENEG_CLIENT: 1075 return 1; 1076 default: 1077 return 0; 1078 } 1079} 1080static int post_handshake_op(const SSL_TEST_CTX *test_ctx) 1081{ 1082 switch (test_ctx->handshake_mode) { 1083 case SSL_TEST_HANDSHAKE_KEY_UPDATE_CLIENT: 1084 case SSL_TEST_HANDSHAKE_KEY_UPDATE_SERVER: 1085 case SSL_TEST_HANDSHAKE_POST_HANDSHAKE_AUTH: 1086 return 1; 1087 default: 1088 return 0; 1089 } 1090} 1091 1092static connect_phase_t next_phase(const SSL_TEST_CTX *test_ctx, 1093 connect_phase_t phase) 1094{ 1095 switch (phase) { 1096 case HANDSHAKE: 1097 if (renegotiate_op(test_ctx) || post_handshake_op(test_ctx)) 1098 return RENEG_APPLICATION_DATA; 1099 return APPLICATION_DATA; 1100 case RENEG_APPLICATION_DATA: 1101 return RENEG_SETUP; 1102 case RENEG_SETUP: 1103 if (post_handshake_op(test_ctx)) 1104 return APPLICATION_DATA; 1105 return RENEG_HANDSHAKE; 1106 case RENEG_HANDSHAKE: 1107 return APPLICATION_DATA; 1108 case APPLICATION_DATA: 1109 return SHUTDOWN; 1110 case SHUTDOWN: 1111 return CONNECTION_DONE; 1112 case CONNECTION_DONE: 1113 TEST_error("Trying to progress after connection done"); 1114 break; 1115 } 1116 return -1; 1117} 1118 1119static void do_connect_step(const SSL_TEST_CTX *test_ctx, PEER *peer, 1120 connect_phase_t phase) 1121{ 1122 switch (phase) { 1123 case HANDSHAKE: 1124 do_handshake_step(peer); 1125 break; 1126 case RENEG_APPLICATION_DATA: 1127 do_app_data_step(peer); 1128 break; 1129 case RENEG_SETUP: 1130 do_reneg_setup_step(test_ctx, peer); 1131 break; 1132 case RENEG_HANDSHAKE: 1133 do_handshake_step(peer); 1134 break; 1135 case APPLICATION_DATA: 1136 do_app_data_step(peer); 1137 break; 1138 case SHUTDOWN: 1139 do_shutdown_step(peer); 1140 break; 1141 case CONNECTION_DONE: 1142 TEST_error("Action after connection done"); 1143 break; 1144 } 1145} 1146 1147typedef enum { 1148 /* Both parties succeeded. */ 1149 HANDSHAKE_SUCCESS, 1150 /* Client errored. */ 1151 CLIENT_ERROR, 1152 /* Server errored. */ 1153 SERVER_ERROR, 1154 /* Peers are in inconsistent state. */ 1155 INTERNAL_ERROR, 1156 /* One or both peers not done. */ 1157 HANDSHAKE_RETRY 1158} handshake_status_t; 1159 1160/* 1161 * Determine the handshake outcome. 1162 * last_status: the status of the peer to have acted last. 1163 * previous_status: the status of the peer that didn't act last. 1164 * client_spoke_last: 1 if the client went last. 1165 */ 1166static handshake_status_t handshake_status(peer_status_t last_status, 1167 peer_status_t previous_status, 1168 int client_spoke_last) 1169{ 1170 switch (last_status) { 1171 case PEER_TEST_FAILURE: 1172 return INTERNAL_ERROR; 1173 1174 case PEER_WAITING: 1175 /* Shouldn't ever happen */ 1176 return INTERNAL_ERROR; 1177 1178 case PEER_SUCCESS: 1179 switch (previous_status) { 1180 case PEER_TEST_FAILURE: 1181 return INTERNAL_ERROR; 1182 case PEER_SUCCESS: 1183 /* Both succeeded. */ 1184 return HANDSHAKE_SUCCESS; 1185 case PEER_WAITING: 1186 case PEER_RETRY: 1187 /* Let the first peer finish. */ 1188 return HANDSHAKE_RETRY; 1189 case PEER_ERROR: 1190 /* 1191 * Second peer succeeded despite the fact that the first peer 1192 * already errored. This shouldn't happen. 1193 */ 1194 return INTERNAL_ERROR; 1195 } 1196 break; 1197 1198 case PEER_RETRY: 1199 return HANDSHAKE_RETRY; 1200 1201 case PEER_ERROR: 1202 switch (previous_status) { 1203 case PEER_TEST_FAILURE: 1204 return INTERNAL_ERROR; 1205 case PEER_WAITING: 1206 /* The client failed immediately before sending the ClientHello */ 1207 return client_spoke_last ? CLIENT_ERROR : INTERNAL_ERROR; 1208 case PEER_SUCCESS: 1209 /* First peer succeeded but second peer errored. */ 1210 return client_spoke_last ? CLIENT_ERROR : SERVER_ERROR; 1211 case PEER_RETRY: 1212 /* We errored; let the peer finish. */ 1213 return HANDSHAKE_RETRY; 1214 case PEER_ERROR: 1215 /* Both peers errored. Return the one that errored first. */ 1216 return client_spoke_last ? SERVER_ERROR : CLIENT_ERROR; 1217 } 1218 } 1219 /* Control should never reach here. */ 1220 return INTERNAL_ERROR; 1221} 1222 1223/* Convert unsigned char buf's that shouldn't contain any NUL-bytes to char. */ 1224static char *dup_str(const unsigned char *in, size_t len) 1225{ 1226 char *ret = NULL; 1227 1228 if (len == 0) 1229 return NULL; 1230 1231 /* Assert that the string does not contain NUL-bytes. */ 1232 if (TEST_size_t_eq(OPENSSL_strnlen((const char*)(in), len), len)) 1233 TEST_ptr(ret = OPENSSL_strndup((const char*)(in), len)); 1234 return ret; 1235} 1236 1237static int pkey_type(EVP_PKEY *pkey) 1238{ 1239 if (EVP_PKEY_is_a(pkey, "EC")) { 1240 char name[80]; 1241 size_t name_len; 1242 1243 if (!EVP_PKEY_get_group_name(pkey, name, sizeof(name), &name_len)) 1244 return NID_undef; 1245 return OBJ_txt2nid(name); 1246 } 1247 return EVP_PKEY_get_id(pkey); 1248} 1249 1250static int peer_pkey_type(SSL *s) 1251{ 1252 X509 *x = SSL_get0_peer_certificate(s); 1253 1254 if (x != NULL) 1255 return pkey_type(X509_get0_pubkey(x)); 1256 return NID_undef; 1257} 1258 1259#if !defined(OPENSSL_NO_SCTP) && !defined(OPENSSL_NO_SOCK) 1260static int set_sock_as_sctp(int sock) 1261{ 1262 struct sctp_assocparams assocparams; 1263 struct sctp_rtoinfo rto_info; 1264 BIO *tmpbio; 1265 1266 /* 1267 * To allow tests to fail fast (within a second or so), reduce the 1268 * retransmission timeouts and the number of retransmissions. 1269 */ 1270 memset(&rto_info, 0, sizeof(struct sctp_rtoinfo)); 1271 rto_info.srto_initial = 100; 1272 rto_info.srto_max = 200; 1273 rto_info.srto_min = 50; 1274 (void)setsockopt(sock, IPPROTO_SCTP, SCTP_RTOINFO, 1275 (const void *)&rto_info, sizeof(struct sctp_rtoinfo)); 1276 memset(&assocparams, 0, sizeof(struct sctp_assocparams)); 1277 assocparams.sasoc_asocmaxrxt = 2; 1278 (void)setsockopt(sock, IPPROTO_SCTP, SCTP_ASSOCINFO, 1279 (const void *)&assocparams, 1280 sizeof(struct sctp_assocparams)); 1281 1282 /* 1283 * For SCTP we have to set various options on the socket prior to 1284 * connecting. This is done automatically by BIO_new_dgram_sctp(). 1285 * We don't actually need the created BIO though so we free it again 1286 * immediately. 1287 */ 1288 tmpbio = BIO_new_dgram_sctp(sock, BIO_NOCLOSE); 1289 1290 if (tmpbio == NULL) 1291 return 0; 1292 BIO_free(tmpbio); 1293 1294 return 1; 1295} 1296 1297static int create_sctp_socks(int *ssock, int *csock) 1298{ 1299 BIO_ADDRINFO *res = NULL; 1300 const BIO_ADDRINFO *ai = NULL; 1301 int lsock = INVALID_SOCKET, asock = INVALID_SOCKET; 1302 int consock = INVALID_SOCKET; 1303 int ret = 0; 1304 int family = 0; 1305 1306 if (BIO_sock_init() != 1) 1307 return 0; 1308 1309 /* 1310 * Port is 4463. It could be anything. It will fail if it's already being 1311 * used for some other SCTP service. It seems unlikely though so we don't 1312 * worry about it here. 1313 */ 1314 if (!BIO_lookup_ex(NULL, "4463", BIO_LOOKUP_SERVER, family, SOCK_STREAM, 1315 IPPROTO_SCTP, &res)) 1316 return 0; 1317 1318 for (ai = res; ai != NULL; ai = BIO_ADDRINFO_next(ai)) { 1319 family = BIO_ADDRINFO_family(ai); 1320 lsock = BIO_socket(family, SOCK_STREAM, IPPROTO_SCTP, 0); 1321 if (lsock == INVALID_SOCKET) { 1322 /* Maybe the kernel doesn't support the socket family, even if 1323 * BIO_lookup() added it in the returned result... 1324 */ 1325 continue; 1326 } 1327 1328 if (!set_sock_as_sctp(lsock) 1329 || !BIO_listen(lsock, BIO_ADDRINFO_address(ai), 1330 BIO_SOCK_REUSEADDR)) { 1331 BIO_closesocket(lsock); 1332 lsock = INVALID_SOCKET; 1333 continue; 1334 } 1335 1336 /* Success, don't try any more addresses */ 1337 break; 1338 } 1339 1340 if (lsock == INVALID_SOCKET) 1341 goto err; 1342 1343 BIO_ADDRINFO_free(res); 1344 res = NULL; 1345 1346 if (!BIO_lookup_ex(NULL, "4463", BIO_LOOKUP_CLIENT, family, SOCK_STREAM, 1347 IPPROTO_SCTP, &res)) 1348 goto err; 1349 1350 consock = BIO_socket(family, SOCK_STREAM, IPPROTO_SCTP, 0); 1351 if (consock == INVALID_SOCKET) 1352 goto err; 1353 1354 if (!set_sock_as_sctp(consock) 1355 || !BIO_connect(consock, BIO_ADDRINFO_address(res), 0) 1356 || !BIO_socket_nbio(consock, 1)) 1357 goto err; 1358 1359 asock = BIO_accept_ex(lsock, NULL, BIO_SOCK_NONBLOCK); 1360 if (asock == INVALID_SOCKET) 1361 goto err; 1362 1363 *csock = consock; 1364 *ssock = asock; 1365 consock = asock = INVALID_SOCKET; 1366 ret = 1; 1367 1368 err: 1369 BIO_ADDRINFO_free(res); 1370 if (consock != INVALID_SOCKET) 1371 BIO_closesocket(consock); 1372 if (lsock != INVALID_SOCKET) 1373 BIO_closesocket(lsock); 1374 if (asock != INVALID_SOCKET) 1375 BIO_closesocket(asock); 1376 return ret; 1377} 1378#endif 1379 1380/* 1381 * Note that |extra| points to the correct client/server configuration 1382 * within |test_ctx|. When configuring the handshake, general mode settings 1383 * are taken from |test_ctx|, and client/server-specific settings should be 1384 * taken from |extra|. 1385 * 1386 * The configuration code should never reach into |test_ctx->extra| or 1387 * |test_ctx->resume_extra| directly. 1388 * 1389 * (We could refactor test mode settings into a substructure. This would result 1390 * in cleaner argument passing but would complicate the test configuration 1391 * parsing.) 1392 */ 1393static HANDSHAKE_RESULT *do_handshake_internal( 1394 SSL_CTX *server_ctx, SSL_CTX *server2_ctx, SSL_CTX *client_ctx, 1395 const SSL_TEST_CTX *test_ctx, const SSL_TEST_EXTRA_CONF *extra, 1396 SSL_SESSION *session_in, SSL_SESSION *serv_sess_in, 1397 SSL_SESSION **session_out, SSL_SESSION **serv_sess_out) 1398{ 1399 PEER server, client; 1400 BIO *client_to_server = NULL, *server_to_client = NULL; 1401 HANDSHAKE_EX_DATA server_ex_data, client_ex_data; 1402 CTX_DATA client_ctx_data, server_ctx_data, server2_ctx_data; 1403 HANDSHAKE_RESULT *ret = HANDSHAKE_RESULT_new(); 1404 int client_turn = 1, client_turn_count = 0, client_wait_count = 0; 1405 connect_phase_t phase = HANDSHAKE; 1406 handshake_status_t status = HANDSHAKE_RETRY; 1407 const unsigned char* tick = NULL; 1408 size_t tick_len = 0; 1409 const unsigned char* sess_id = NULL; 1410 unsigned int sess_id_len = 0; 1411 SSL_SESSION* sess = NULL; 1412 const unsigned char *proto = NULL; 1413 /* API dictates unsigned int rather than size_t. */ 1414 unsigned int proto_len = 0; 1415 EVP_PKEY *tmp_key; 1416 const STACK_OF(X509_NAME) *names; 1417 time_t start; 1418 const char* cipher; 1419 1420 if (ret == NULL) 1421 return NULL; 1422 1423 memset(&server_ctx_data, 0, sizeof(server_ctx_data)); 1424 memset(&server2_ctx_data, 0, sizeof(server2_ctx_data)); 1425 memset(&client_ctx_data, 0, sizeof(client_ctx_data)); 1426 memset(&server, 0, sizeof(server)); 1427 memset(&client, 0, sizeof(client)); 1428 memset(&server_ex_data, 0, sizeof(server_ex_data)); 1429 memset(&client_ex_data, 0, sizeof(client_ex_data)); 1430 1431 if (!configure_handshake_ctx(server_ctx, server2_ctx, client_ctx, 1432 test_ctx, extra, &server_ctx_data, 1433 &server2_ctx_data, &client_ctx_data)) { 1434 TEST_note("configure_handshake_ctx"); 1435 HANDSHAKE_RESULT_free(ret); 1436 return NULL; 1437 } 1438 1439#if !defined(OPENSSL_NO_SCTP) && !defined(OPENSSL_NO_SOCK) 1440 if (test_ctx->enable_client_sctp_label_bug) 1441 SSL_CTX_set_mode(client_ctx, SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG); 1442 if (test_ctx->enable_server_sctp_label_bug) 1443 SSL_CTX_set_mode(server_ctx, SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG); 1444#endif 1445 1446 /* Setup SSL and buffers; additional configuration happens below. */ 1447 if (!create_peer(&server, server_ctx)) { 1448 TEST_note("creating server context"); 1449 goto err; 1450 } 1451 if (!create_peer(&client, client_ctx)) { 1452 TEST_note("creating client context"); 1453 goto err; 1454 } 1455 1456 server.bytes_to_write = client.bytes_to_read = test_ctx->app_data_size; 1457 client.bytes_to_write = server.bytes_to_read = test_ctx->app_data_size; 1458 1459 configure_handshake_ssl(server.ssl, client.ssl, extra); 1460 if (session_in != NULL) { 1461 SSL_SESSION_get_id(serv_sess_in, &sess_id_len); 1462 /* In case we're testing resumption without tickets. */ 1463 if ((sess_id_len > 0 1464 && !TEST_true(SSL_CTX_add_session(server_ctx, 1465 serv_sess_in))) 1466 || !TEST_true(SSL_set_session(client.ssl, session_in))) 1467 goto err; 1468 sess_id_len = 0; 1469 } 1470 1471 ret->result = SSL_TEST_INTERNAL_ERROR; 1472 1473 if (test_ctx->use_sctp) { 1474#if !defined(OPENSSL_NO_SCTP) && !defined(OPENSSL_NO_SOCK) 1475 int csock, ssock; 1476 1477 if (create_sctp_socks(&ssock, &csock)) { 1478 client_to_server = BIO_new_dgram_sctp(csock, BIO_CLOSE); 1479 server_to_client = BIO_new_dgram_sctp(ssock, BIO_CLOSE); 1480 } 1481#endif 1482 } else { 1483 client_to_server = BIO_new(BIO_s_mem()); 1484 server_to_client = BIO_new(BIO_s_mem()); 1485 } 1486 1487 if (!TEST_ptr(client_to_server) 1488 || !TEST_ptr(server_to_client)) 1489 goto err; 1490 1491 /* Non-blocking bio. */ 1492 BIO_set_nbio(client_to_server, 1); 1493 BIO_set_nbio(server_to_client, 1); 1494 1495 SSL_set_connect_state(client.ssl); 1496 SSL_set_accept_state(server.ssl); 1497 1498 /* The bios are now owned by the SSL object. */ 1499 if (test_ctx->use_sctp) { 1500 SSL_set_bio(client.ssl, client_to_server, client_to_server); 1501 SSL_set_bio(server.ssl, server_to_client, server_to_client); 1502 } else { 1503 SSL_set_bio(client.ssl, server_to_client, client_to_server); 1504 if (!TEST_int_gt(BIO_up_ref(server_to_client), 0) 1505 || !TEST_int_gt(BIO_up_ref(client_to_server), 0)) 1506 goto err; 1507 SSL_set_bio(server.ssl, client_to_server, server_to_client); 1508 } 1509 1510 ex_data_idx = SSL_get_ex_new_index(0, "ex data", NULL, NULL, NULL); 1511 if (!TEST_int_ge(ex_data_idx, 0) 1512 || !TEST_int_eq(SSL_set_ex_data(server.ssl, ex_data_idx, &server_ex_data), 1) 1513 || !TEST_int_eq(SSL_set_ex_data(client.ssl, ex_data_idx, &client_ex_data), 1)) 1514 goto err; 1515 1516 SSL_set_info_callback(server.ssl, &info_cb); 1517 SSL_set_info_callback(client.ssl, &info_cb); 1518 1519 client.status = PEER_RETRY; 1520 server.status = PEER_WAITING; 1521 1522 start = time(NULL); 1523 1524 /* 1525 * Half-duplex handshake loop. 1526 * Client and server speak to each other synchronously in the same process. 1527 * We use non-blocking BIOs, so whenever one peer blocks for read, it 1528 * returns PEER_RETRY to indicate that it's the other peer's turn to write. 1529 * The handshake succeeds once both peers have succeeded. If one peer 1530 * errors out, we also let the other peer retry (and presumably fail). 1531 */ 1532 for(;;) { 1533 if (client_turn) { 1534 do_connect_step(test_ctx, &client, phase); 1535 status = handshake_status(client.status, server.status, 1536 1 /* client went last */); 1537 if (server.status == PEER_WAITING) 1538 server.status = PEER_RETRY; 1539 } else { 1540 do_connect_step(test_ctx, &server, phase); 1541 status = handshake_status(server.status, client.status, 1542 0 /* server went last */); 1543 } 1544 1545 switch (status) { 1546 case HANDSHAKE_SUCCESS: 1547 client_turn_count = 0; 1548 phase = next_phase(test_ctx, phase); 1549 if (phase == CONNECTION_DONE) { 1550 ret->result = SSL_TEST_SUCCESS; 1551 goto err; 1552 } else { 1553 client.status = server.status = PEER_RETRY; 1554 /* 1555 * For now, client starts each phase. Since each phase is 1556 * started separately, we can later control this more 1557 * precisely, for example, to test client-initiated and 1558 * server-initiated shutdown. 1559 */ 1560 client_turn = 1; 1561 break; 1562 } 1563 case CLIENT_ERROR: 1564 ret->result = SSL_TEST_CLIENT_FAIL; 1565 goto err; 1566 case SERVER_ERROR: 1567 ret->result = SSL_TEST_SERVER_FAIL; 1568 goto err; 1569 case INTERNAL_ERROR: 1570 ret->result = SSL_TEST_INTERNAL_ERROR; 1571 goto err; 1572 case HANDSHAKE_RETRY: 1573 if (test_ctx->use_sctp) { 1574 if (time(NULL) - start > 3) { 1575 /* 1576 * We've waited for too long. Give up. 1577 */ 1578 ret->result = SSL_TEST_INTERNAL_ERROR; 1579 goto err; 1580 } 1581 /* 1582 * With "real" sockets we only swap to processing the peer 1583 * if they are expecting to retry. Otherwise we just retry the 1584 * same endpoint again. 1585 */ 1586 if ((client_turn && server.status == PEER_RETRY) 1587 || (!client_turn && client.status == PEER_RETRY)) 1588 client_turn ^= 1; 1589 } else { 1590 if (client_turn_count++ >= 2000) { 1591 /* 1592 * At this point, there's been so many PEER_RETRY in a row 1593 * that it's likely both sides are stuck waiting for a read. 1594 * It's time to give up. 1595 */ 1596 ret->result = SSL_TEST_INTERNAL_ERROR; 1597 goto err; 1598 } 1599 if (client_turn && server.status == PEER_SUCCESS) { 1600 /* 1601 * The server may finish before the client because the 1602 * client spends some turns processing NewSessionTickets. 1603 */ 1604 if (client_wait_count++ >= 2) { 1605 ret->result = SSL_TEST_INTERNAL_ERROR; 1606 goto err; 1607 } 1608 } else { 1609 /* Continue. */ 1610 client_turn ^= 1; 1611 } 1612 } 1613 break; 1614 } 1615 } 1616 err: 1617 ret->server_alert_sent = server_ex_data.alert_sent; 1618 ret->server_num_fatal_alerts_sent = server_ex_data.num_fatal_alerts_sent; 1619 ret->server_alert_received = client_ex_data.alert_received; 1620 ret->client_alert_sent = client_ex_data.alert_sent; 1621 ret->client_num_fatal_alerts_sent = client_ex_data.num_fatal_alerts_sent; 1622 ret->client_alert_received = server_ex_data.alert_received; 1623 ret->server_protocol = SSL_version(server.ssl); 1624 ret->client_protocol = SSL_version(client.ssl); 1625 ret->servername = server_ex_data.servername; 1626 if ((sess = SSL_get0_session(client.ssl)) != NULL) { 1627 SSL_SESSION_get0_ticket(sess, &tick, &tick_len); 1628 sess_id = SSL_SESSION_get_id(sess, &sess_id_len); 1629 } 1630 if (tick == NULL || tick_len == 0) 1631 ret->session_ticket = SSL_TEST_SESSION_TICKET_NO; 1632 else 1633 ret->session_ticket = SSL_TEST_SESSION_TICKET_YES; 1634 ret->compression = (SSL_get_current_compression(client.ssl) == NULL) 1635 ? SSL_TEST_COMPRESSION_NO 1636 : SSL_TEST_COMPRESSION_YES; 1637 if (sess_id == NULL || sess_id_len == 0) 1638 ret->session_id = SSL_TEST_SESSION_ID_NO; 1639 else 1640 ret->session_id = SSL_TEST_SESSION_ID_YES; 1641 ret->session_ticket_do_not_call = server_ex_data.session_ticket_do_not_call; 1642 1643 if (extra->client.verify_callback == SSL_TEST_VERIFY_RETRY_ONCE 1644 && n_retries != -1) 1645 ret->result = SSL_TEST_SERVER_FAIL; 1646 1647#ifndef OPENSSL_NO_NEXTPROTONEG 1648 SSL_get0_next_proto_negotiated(client.ssl, &proto, &proto_len); 1649 ret->client_npn_negotiated = dup_str(proto, proto_len); 1650 1651 SSL_get0_next_proto_negotiated(server.ssl, &proto, &proto_len); 1652 ret->server_npn_negotiated = dup_str(proto, proto_len); 1653#endif 1654 1655 SSL_get0_alpn_selected(client.ssl, &proto, &proto_len); 1656 ret->client_alpn_negotiated = dup_str(proto, proto_len); 1657 1658 SSL_get0_alpn_selected(server.ssl, &proto, &proto_len); 1659 ret->server_alpn_negotiated = dup_str(proto, proto_len); 1660 1661 if ((sess = SSL_get0_session(server.ssl)) != NULL) { 1662 SSL_SESSION_get0_ticket_appdata(sess, (void**)&tick, &tick_len); 1663 ret->result_session_ticket_app_data = OPENSSL_strndup((const char*)tick, tick_len); 1664 } 1665 1666 ret->client_resumed = SSL_session_reused(client.ssl); 1667 ret->server_resumed = SSL_session_reused(server.ssl); 1668 1669 cipher = SSL_CIPHER_get_name(SSL_get_current_cipher(client.ssl)); 1670 ret->cipher = dup_str((const unsigned char*)cipher, strlen(cipher)); 1671 1672 if (session_out != NULL) 1673 *session_out = SSL_get1_session(client.ssl); 1674 if (serv_sess_out != NULL) { 1675 SSL_SESSION *tmp = SSL_get_session(server.ssl); 1676 1677 /* 1678 * We create a fresh copy that is not in the server session ctx linked 1679 * list. 1680 */ 1681 if (tmp != NULL) 1682 *serv_sess_out = SSL_SESSION_dup(tmp); 1683 } 1684 1685 if (SSL_get_peer_tmp_key(client.ssl, &tmp_key)) { 1686 ret->tmp_key_type = pkey_type(tmp_key); 1687 EVP_PKEY_free(tmp_key); 1688 } 1689 1690 SSL_get_peer_signature_nid(client.ssl, &ret->server_sign_hash); 1691 SSL_get_peer_signature_nid(server.ssl, &ret->client_sign_hash); 1692 1693 SSL_get_peer_signature_type_nid(client.ssl, &ret->server_sign_type); 1694 SSL_get_peer_signature_type_nid(server.ssl, &ret->client_sign_type); 1695 1696 names = SSL_get0_peer_CA_list(client.ssl); 1697 if (names == NULL) 1698 ret->client_ca_names = NULL; 1699 else 1700 ret->client_ca_names = SSL_dup_CA_list(names); 1701 1702 names = SSL_get0_peer_CA_list(server.ssl); 1703 if (names == NULL) 1704 ret->server_ca_names = NULL; 1705 else 1706 ret->server_ca_names = SSL_dup_CA_list(names); 1707 1708 ret->server_cert_type = peer_pkey_type(client.ssl); 1709 ret->client_cert_type = peer_pkey_type(server.ssl); 1710 1711 ctx_data_free_data(&server_ctx_data); 1712 ctx_data_free_data(&server2_ctx_data); 1713 ctx_data_free_data(&client_ctx_data); 1714 1715 peer_free_data(&server); 1716 peer_free_data(&client); 1717 return ret; 1718} 1719 1720HANDSHAKE_RESULT *do_handshake(SSL_CTX *server_ctx, SSL_CTX *server2_ctx, 1721 SSL_CTX *client_ctx, SSL_CTX *resume_server_ctx, 1722 SSL_CTX *resume_client_ctx, 1723 const SSL_TEST_CTX *test_ctx) 1724{ 1725 HANDSHAKE_RESULT *result; 1726 SSL_SESSION *session = NULL, *serv_sess = NULL; 1727 1728 result = do_handshake_internal(server_ctx, server2_ctx, client_ctx, 1729 test_ctx, &test_ctx->extra, 1730 NULL, NULL, &session, &serv_sess); 1731 if (result == NULL 1732 || test_ctx->handshake_mode != SSL_TEST_HANDSHAKE_RESUME 1733 || result->result == SSL_TEST_INTERNAL_ERROR) 1734 goto end; 1735 1736 if (result->result != SSL_TEST_SUCCESS) { 1737 result->result = SSL_TEST_FIRST_HANDSHAKE_FAILED; 1738 goto end; 1739 } 1740 1741 HANDSHAKE_RESULT_free(result); 1742 /* We don't support SNI on second handshake yet, so server2_ctx is NULL. */ 1743 result = do_handshake_internal(resume_server_ctx, NULL, resume_client_ctx, 1744 test_ctx, &test_ctx->resume_extra, 1745 session, serv_sess, NULL, NULL); 1746 end: 1747 SSL_SESSION_free(session); 1748 SSL_SESSION_free(serv_sess); 1749 return result; 1750} 1751