1 /* Copyright (c) 2014, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15 #include "test_config.h"
16
17 #include <assert.h>
18 #include <ctype.h>
19 #include <errno.h>
20 #include <limits.h>
21 #include <stdio.h>
22 #include <stdlib.h>
23 #include <string.h>
24
25 #include <algorithm>
26 #include <functional>
27 #include <limits>
28 #include <memory>
29 #include <type_traits>
30
31 #include <openssl/base64.h>
32 #include <openssl/hmac.h>
33 #include <openssl/hpke.h>
34 #include <openssl/rand.h>
35 #include <openssl/span.h>
36 #include <openssl/ssl.h>
37
38 #include "../../crypto/internal.h"
39 #include "../internal.h"
40 #include "handshake_util.h"
41 #include "mock_quic_transport.h"
42 #include "test_state.h"
43
44 namespace {
45
46 template <typename Config>
47 struct Flag {
48 const char *name;
49 bool has_param;
50 // skip_handshaker, if true, causes this flag to be skipped when
51 // forwarding flags to the handshaker. This should be used with flags
52 // that only impact connecting to the runner.
53 bool skip_handshaker;
54 // If |has_param| is false, |param| will be nullptr.
55 std::function<bool(Config *config, const char *param)> set_param;
56 };
57
58 template <typename Config>
BoolFlag(const char * name,bool Config::* field,bool skip_handshaker=false)59 Flag<Config> BoolFlag(const char *name, bool Config::*field,
60 bool skip_handshaker = false) {
61 return Flag<Config>{name, false, skip_handshaker,
62 [=](Config *config, const char *) -> bool {
63 config->*field = true;
64 return true;
65 }};
66 }
67
68 template <typename T>
StringToInt(T * out,const char * str)69 bool StringToInt(T *out, const char *str) {
70 static_assert(std::is_integral<T>::value, "not an integral type");
71
72 // |strtoull| allows leading '-' with wraparound. Additionally, both
73 // functions accept empty strings and leading whitespace.
74 if (!OPENSSL_isdigit(static_cast<unsigned char>(*str)) &&
75 (!std::is_signed<T>::value || *str != '-')) {
76 return false;
77 }
78
79 errno = 0;
80 char *end;
81 if (std::is_signed<T>::value) {
82 static_assert(sizeof(T) <= sizeof(long long),
83 "type too large for long long");
84 long long value = strtoll(str, &end, 10);
85 if (value < static_cast<long long>(std::numeric_limits<T>::min()) ||
86 value > static_cast<long long>(std::numeric_limits<T>::max())) {
87 return false;
88 }
89 *out = static_cast<T>(value);
90 } else {
91 static_assert(sizeof(T) <= sizeof(unsigned long long),
92 "type too large for unsigned long long");
93 unsigned long long value = strtoull(str, &end, 10);
94 if (value >
95 static_cast<unsigned long long>(std::numeric_limits<T>::max())) {
96 return false;
97 }
98 *out = static_cast<T>(value);
99 }
100
101 // Check for overflow and that the whole input was consumed.
102 return errno != ERANGE && *end == '\0';
103 }
104
105 template <typename Config, typename T>
IntFlag(const char * name,T Config::* field,bool skip_handshaker=false)106 Flag<Config> IntFlag(const char *name, T Config::*field,
107 bool skip_handshaker = false) {
108 return Flag<Config>{name, true, skip_handshaker,
109 [=](Config *config, const char *param) -> bool {
110 return StringToInt(&(config->*field), param);
111 }};
112 }
113
114 template <typename Config, typename T>
IntVectorFlag(const char * name,std::vector<T> Config::* field,bool skip_handshaker=false)115 Flag<Config> IntVectorFlag(const char *name, std::vector<T> Config::*field,
116 bool skip_handshaker = false) {
117 return Flag<Config>{name, true, skip_handshaker,
118 [=](Config *config, const char *param) -> bool {
119 T value;
120 if (!StringToInt(&value, param)) {
121 return false;
122 }
123 (config->*field).push_back(value);
124 return true;
125 }};
126 }
127
128 template <typename Config>
StringFlag(const char * name,std::string Config::* field,bool skip_handshaker=false)129 Flag<Config> StringFlag(const char *name, std::string Config::*field,
130 bool skip_handshaker = false) {
131 return Flag<Config>{name, true, skip_handshaker,
132 [=](Config *config, const char *param) -> bool {
133 config->*field = param;
134 return true;
135 }};
136 }
137
138 // TODO(davidben): When we can depend on C++17 or Abseil, switch this to
139 // std::optional or absl::optional.
140 template <typename Config>
OptionalStringFlag(const char * name,std::unique_ptr<std::string> Config::* field,bool skip_handshaker=false)141 Flag<Config> OptionalStringFlag(const char *name,
142 std::unique_ptr<std::string> Config::*field,
143 bool skip_handshaker = false) {
144 return Flag<Config>{name, true, skip_handshaker,
145 [=](Config *config, const char *param) -> bool {
146 (config->*field) = std::make_unique<std::string>(param);
147 return true;
148 }};
149 }
150
DecodeBase64(std::string * out,const std::string & in)151 bool DecodeBase64(std::string *out, const std::string &in) {
152 size_t len;
153 if (!EVP_DecodedLength(&len, in.size())) {
154 fprintf(stderr, "Invalid base64: %s.\n", in.c_str());
155 return false;
156 }
157 std::vector<uint8_t> buf(len);
158 if (!EVP_DecodeBase64(buf.data(), &len, buf.size(),
159 reinterpret_cast<const uint8_t *>(in.data()),
160 in.size())) {
161 fprintf(stderr, "Invalid base64: %s.\n", in.c_str());
162 return false;
163 }
164 out->assign(reinterpret_cast<const char *>(buf.data()), len);
165 return true;
166 }
167
168 template <typename Config>
Base64Flag(const char * name,std::string Config::* field,bool skip_handshaker=false)169 Flag<Config> Base64Flag(const char *name, std::string Config::*field,
170 bool skip_handshaker = false) {
171 return Flag<Config>{name, true, skip_handshaker,
172 [=](Config *config, const char *param) -> bool {
173 return DecodeBase64(&(config->*field), param);
174 }};
175 }
176
177 template <typename Config>
Base64VectorFlag(const char * name,std::vector<std::string> Config::* field,bool skip_handshaker=false)178 Flag<Config> Base64VectorFlag(const char *name,
179 std::vector<std::string> Config::*field,
180 bool skip_handshaker = false) {
181 return Flag<Config>{name, true, skip_handshaker,
182 [=](Config *config, const char *param) -> bool {
183 std::string value;
184 if (!DecodeBase64(&value, param)) {
185 return false;
186 }
187 (config->*field).push_back(std::move(value));
188 return true;
189 }};
190 }
191
192 template <typename Config>
StringPairVectorFlag(const char * name,std::vector<std::pair<std::string,std::string>> Config::* field,bool skip_handshaker=false)193 Flag<Config> StringPairVectorFlag(
194 const char *name,
195 std::vector<std::pair<std::string, std::string>> Config::*field,
196 bool skip_handshaker = false) {
197 return Flag<Config>{
198 name, true, skip_handshaker,
199 [=](Config *config, const char *param) -> bool {
200 const char *comma = strchr(param, ',');
201 if (!comma) {
202 return false;
203 }
204 (config->*field)
205 .push_back(std::make_pair(std::string(param, comma - param),
206 std::string(comma + 1)));
207 return true;
208 }};
209 }
210
NewCredentialFlag(const char * name,CredentialConfigType type)211 Flag<TestConfig> NewCredentialFlag(const char *name,
212 CredentialConfigType type) {
213 return Flag<TestConfig>{name, /*has_param=*/false, /*skip_handshaker=*/false,
214 [=](TestConfig *config, const char *param) -> bool {
215 config->credentials.emplace_back();
216 config->credentials.back().type = type;
217 return true;
218 }};
219 }
220
CredentialFlagWithDefault(Flag<TestConfig> default_flag,Flag<CredentialConfig> flag)221 Flag<TestConfig> CredentialFlagWithDefault(Flag<TestConfig> default_flag,
222 Flag<CredentialConfig> flag) {
223 BSSL_CHECK(strcmp(default_flag.name, flag.name) == 0);
224 BSSL_CHECK(default_flag.has_param == flag.has_param);
225 return Flag<TestConfig>{flag.name, flag.has_param, /*skip_handshaker=*/false,
226 [=](TestConfig *config, const char *param) -> bool {
227 if (config->credentials.empty()) {
228 return default_flag.set_param(config, param);
229 }
230 return flag.set_param(&config->credentials.back(),
231 param);
232 }};
233 }
234
CredentialFlag(Flag<CredentialConfig> flag)235 Flag<TestConfig> CredentialFlag(Flag<CredentialConfig> flag) {
236 return Flag<TestConfig>{flag.name, flag.has_param, /*skip_handshaker=*/false,
237 [=](TestConfig *config, const char *param) -> bool {
238 if (config->credentials.empty()) {
239 fprintf(stderr, "No credentials configured.\n");
240 return false;
241 }
242 return flag.set_param(&config->credentials.back(),
243 param);
244 }};
245 }
246
247 struct FlagNameComparator {
248 template <typename Config>
operator ()__anon76e192590111::FlagNameComparator249 bool operator()(const Flag<Config> &flag1, const Flag<Config> &flag2) const {
250 return strcmp(flag1.name, flag2.name) < 0;
251 }
252
253 template <typename Config>
operator ()__anon76e192590111::FlagNameComparator254 bool operator()(const Flag<Config> &flag, const char *name) const {
255 return strcmp(flag.name, name) < 0;
256 }
257 };
258
FindFlag(const char * name)259 const Flag<TestConfig> *FindFlag(const char *name) {
260 static const std::vector<Flag<TestConfig>> flags = [] {
261 std::vector<Flag<TestConfig>> ret = {
262 IntFlag("-port", &TestConfig::port, /*skip_handshaker=*/true),
263 BoolFlag("-ipv6", &TestConfig::ipv6, /*skip_handshaker=*/true),
264 IntFlag("-shim-id", &TestConfig::shim_id, /*skip_handshaker=*/true),
265 BoolFlag("-server", &TestConfig::is_server),
266 BoolFlag("-dtls", &TestConfig::is_dtls),
267 BoolFlag("-quic", &TestConfig::is_quic),
268 IntFlag("-resume-count", &TestConfig::resume_count),
269 StringFlag("-write-settings", &TestConfig::write_settings),
270 BoolFlag("-fallback-scsv", &TestConfig::fallback_scsv),
271 IntVectorFlag("-verify-prefs", &TestConfig::verify_prefs),
272 IntVectorFlag("-expect-peer-verify-pref",
273 &TestConfig::expect_peer_verify_prefs),
274 IntVectorFlag("-curves", &TestConfig::curves),
275 StringFlag("-trust-cert", &TestConfig::trust_cert),
276 StringFlag("-expect-server-name", &TestConfig::expect_server_name),
277 BoolFlag("-enable-ech-grease", &TestConfig::enable_ech_grease),
278 Base64VectorFlag("-ech-server-config", &TestConfig::ech_server_configs),
279 Base64VectorFlag("-ech-server-key", &TestConfig::ech_server_keys),
280 IntVectorFlag("-ech-is-retry-config", &TestConfig::ech_is_retry_config),
281 BoolFlag("-expect-ech-accept", &TestConfig::expect_ech_accept),
282 StringFlag("-expect-ech-name-override",
283 &TestConfig::expect_ech_name_override),
284 BoolFlag("-expect-no-ech-name-override",
285 &TestConfig::expect_no_ech_name_override),
286 Base64Flag("-expect-ech-retry-configs",
287 &TestConfig::expect_ech_retry_configs),
288 BoolFlag("-expect-no-ech-retry-configs",
289 &TestConfig::expect_no_ech_retry_configs),
290 Base64Flag("-ech-config-list", &TestConfig::ech_config_list),
291 Base64Flag("-expect-certificate-types",
292 &TestConfig::expect_certificate_types),
293 BoolFlag("-require-any-client-certificate",
294 &TestConfig::require_any_client_certificate),
295 StringFlag("-advertise-npn", &TestConfig::advertise_npn),
296 BoolFlag("-advertise-empty-npn", &TestConfig::advertise_empty_npn),
297 StringFlag("-expect-next-proto", &TestConfig::expect_next_proto),
298 BoolFlag("-expect-no-next-proto", &TestConfig::expect_no_next_proto),
299 BoolFlag("-false-start", &TestConfig::false_start),
300 StringFlag("-select-next-proto", &TestConfig::select_next_proto),
301 BoolFlag("-select-empty-next-proto",
302 &TestConfig::select_empty_next_proto),
303 BoolFlag("-async", &TestConfig::async),
304 BoolFlag("-write-different-record-sizes",
305 &TestConfig::write_different_record_sizes),
306 BoolFlag("-cbc-record-splitting", &TestConfig::cbc_record_splitting),
307 BoolFlag("-partial-write", &TestConfig::partial_write),
308 BoolFlag("-no-tls13", &TestConfig::no_tls13),
309 BoolFlag("-no-tls12", &TestConfig::no_tls12),
310 BoolFlag("-no-tls11", &TestConfig::no_tls11),
311 BoolFlag("-no-tls1", &TestConfig::no_tls1),
312 BoolFlag("-no-ticket", &TestConfig::no_ticket),
313 Base64Flag("-expect-channel-id", &TestConfig::expect_channel_id),
314 BoolFlag("-enable-channel-id", &TestConfig::enable_channel_id),
315 StringFlag("-send-channel-id", &TestConfig::send_channel_id),
316 BoolFlag("-shim-writes-first", &TestConfig::shim_writes_first),
317 StringFlag("-host-name", &TestConfig::host_name),
318 StringFlag("-advertise-alpn", &TestConfig::advertise_alpn),
319 StringFlag("-expect-alpn", &TestConfig::expect_alpn),
320 StringFlag("-expect-advertised-alpn",
321 &TestConfig::expect_advertised_alpn),
322 StringFlag("-select-alpn", &TestConfig::select_alpn),
323 BoolFlag("-decline-alpn", &TestConfig::decline_alpn),
324 BoolFlag("-reject-alpn", &TestConfig::reject_alpn),
325 BoolFlag("-select-empty-alpn", &TestConfig::select_empty_alpn),
326 BoolFlag("-defer-alps", &TestConfig::defer_alps),
327 StringPairVectorFlag("-application-settings",
328 &TestConfig::application_settings),
329 OptionalStringFlag("-expect-peer-application-settings",
330 &TestConfig::expect_peer_application_settings),
331 BoolFlag("-alps-use-new-codepoint",
332 &TestConfig::alps_use_new_codepoint),
333 Base64Flag("-quic-transport-params",
334 &TestConfig::quic_transport_params),
335 Base64Flag("-expect-quic-transport-params",
336 &TestConfig::expect_quic_transport_params),
337 IntFlag("-quic-use-legacy-codepoint",
338 &TestConfig::quic_use_legacy_codepoint),
339 BoolFlag("-expect-session-miss", &TestConfig::expect_session_miss),
340 BoolFlag("-expect-extended-master-secret",
341 &TestConfig::expect_extended_master_secret),
342 StringFlag("-psk", &TestConfig::psk),
343 StringFlag("-psk-identity", &TestConfig::psk_identity),
344 StringFlag("-srtp-profiles", &TestConfig::srtp_profiles),
345 BoolFlag("-enable-ocsp-stapling", &TestConfig::enable_ocsp_stapling),
346 BoolFlag("-enable-signed-cert-timestamps",
347 &TestConfig::enable_signed_cert_timestamps),
348 Base64Flag("-expect-signed-cert-timestamps",
349 &TestConfig::expect_signed_cert_timestamps),
350 IntFlag("-min-version", &TestConfig::min_version),
351 IntFlag("-max-version", &TestConfig::max_version),
352 IntFlag("-expect-version", &TestConfig::expect_version),
353 IntFlag("-mtu", &TestConfig::mtu),
354 BoolFlag("-implicit-handshake", &TestConfig::implicit_handshake),
355 BoolFlag("-use-early-callback", &TestConfig::use_early_callback),
356 BoolFlag("-fail-early-callback", &TestConfig::fail_early_callback),
357 BoolFlag("-fail-early-callback-ech-rewind", &TestConfig::fail_early_callback_ech_rewind),
358 BoolFlag("-install-ddos-callback", &TestConfig::install_ddos_callback),
359 BoolFlag("-fail-ddos-callback", &TestConfig::fail_ddos_callback),
360 BoolFlag("-fail-cert-callback", &TestConfig::fail_cert_callback),
361 StringFlag("-cipher", &TestConfig::cipher),
362 BoolFlag("-handshake-never-done", &TestConfig::handshake_never_done),
363 IntFlag("-export-keying-material", &TestConfig::export_keying_material),
364 StringFlag("-export-label", &TestConfig::export_label),
365 StringFlag("-export-context", &TestConfig::export_context),
366 BoolFlag("-use-export-context", &TestConfig::use_export_context),
367 BoolFlag("-tls-unique", &TestConfig::tls_unique),
368 BoolFlag("-expect-ticket-renewal", &TestConfig::expect_ticket_renewal),
369 BoolFlag("-expect-no-session", &TestConfig::expect_no_session),
370 BoolFlag("-expect-ticket-supports-early-data",
371 &TestConfig::expect_ticket_supports_early_data),
372 BoolFlag("-expect-accept-early-data",
373 &TestConfig::expect_accept_early_data),
374 BoolFlag("-expect-reject-early-data",
375 &TestConfig::expect_reject_early_data),
376 BoolFlag("-expect-no-offer-early-data",
377 &TestConfig::expect_no_offer_early_data),
378 BoolFlag("-expect-no-server-name",
379 &TestConfig::expect_no_server_name),
380 BoolFlag("-use-ticket-callback", &TestConfig::use_ticket_callback),
381 BoolFlag("-renew-ticket", &TestConfig::renew_ticket),
382 BoolFlag("-enable-early-data", &TestConfig::enable_early_data),
383 Base64Flag("-expect-ocsp-response", &TestConfig::expect_ocsp_response),
384 BoolFlag("-check-close-notify", &TestConfig::check_close_notify),
385 BoolFlag("-shim-shuts-down", &TestConfig::shim_shuts_down),
386 BoolFlag("-verify-fail", &TestConfig::verify_fail),
387 BoolFlag("-verify-peer", &TestConfig::verify_peer),
388 BoolFlag("-verify-peer-if-no-obc", &TestConfig::verify_peer_if_no_obc),
389 BoolFlag("-expect-verify-result", &TestConfig::expect_verify_result),
390 IntFlag("-expect-total-renegotiations",
391 &TestConfig::expect_total_renegotiations),
392 BoolFlag("-renegotiate-once", &TestConfig::renegotiate_once),
393 BoolFlag("-renegotiate-freely", &TestConfig::renegotiate_freely),
394 BoolFlag("-renegotiate-ignore", &TestConfig::renegotiate_ignore),
395 BoolFlag("-renegotiate-explicit", &TestConfig::renegotiate_explicit),
396 BoolFlag("-forbid-renegotiation-after-handshake",
397 &TestConfig::forbid_renegotiation_after_handshake),
398 IntFlag("-expect-peer-signature-algorithm",
399 &TestConfig::expect_peer_signature_algorithm),
400 IntFlag("-expect-curve-id", &TestConfig::expect_curve_id),
401 BoolFlag("-use-old-client-cert-callback",
402 &TestConfig::use_old_client_cert_callback),
403 IntFlag("-initial-timeout-duration-ms",
404 &TestConfig::initial_timeout_duration_ms),
405 StringFlag("-use-client-ca-list", &TestConfig::use_client_ca_list),
406 StringFlag("-expect-client-ca-list",
407 &TestConfig::expect_client_ca_list),
408 BoolFlag("-send-alert", &TestConfig::send_alert),
409 BoolFlag("-peek-then-read", &TestConfig::peek_then_read),
410 BoolFlag("-enable-grease", &TestConfig::enable_grease),
411 BoolFlag("-permute-extensions", &TestConfig::permute_extensions),
412 IntFlag("-max-cert-list", &TestConfig::max_cert_list),
413 Base64Flag("-ticket-key", &TestConfig::ticket_key),
414 BoolFlag("-use-exporter-between-reads",
415 &TestConfig::use_exporter_between_reads),
416 IntFlag("-expect-cipher-aes", &TestConfig::expect_cipher_aes),
417 IntFlag("-expect-cipher-no-aes", &TestConfig::expect_cipher_no_aes),
418 IntFlag("-expect-cipher", &TestConfig::expect_cipher),
419 StringFlag("-expect-peer-cert-file",
420 &TestConfig::expect_peer_cert_file),
421 IntFlag("-resumption-delay", &TestConfig::resumption_delay),
422 BoolFlag("-retain-only-sha256-client-cert",
423 &TestConfig::retain_only_sha256_client_cert),
424 BoolFlag("-expect-sha256-client-cert",
425 &TestConfig::expect_sha256_client_cert),
426 BoolFlag("-read-with-unfinished-write",
427 &TestConfig::read_with_unfinished_write),
428 BoolFlag("-expect-secure-renegotiation",
429 &TestConfig::expect_secure_renegotiation),
430 BoolFlag("-expect-no-secure-renegotiation",
431 &TestConfig::expect_no_secure_renegotiation),
432 IntFlag("-max-send-fragment", &TestConfig::max_send_fragment),
433 IntFlag("-read-size", &TestConfig::read_size),
434 BoolFlag("-expect-session-id", &TestConfig::expect_session_id),
435 BoolFlag("-expect-no-session-id", &TestConfig::expect_no_session_id),
436 IntFlag("-expect-ticket-age-skew", &TestConfig::expect_ticket_age_skew),
437 BoolFlag("-no-op-extra-handshake", &TestConfig::no_op_extra_handshake),
438 BoolFlag("-handshake-twice", &TestConfig::handshake_twice),
439 BoolFlag("-allow-unknown-alpn-protos",
440 &TestConfig::allow_unknown_alpn_protos),
441 BoolFlag("-use-custom-verify-callback",
442 &TestConfig::use_custom_verify_callback),
443 StringFlag("-expect-msg-callback", &TestConfig::expect_msg_callback),
444 BoolFlag("-allow-false-start-without-alpn",
445 &TestConfig::allow_false_start_without_alpn),
446 BoolFlag("-handoff", &TestConfig::handoff),
447 BoolFlag("-handshake-hints", &TestConfig::handshake_hints),
448 BoolFlag("-allow-hint-mismatch", &TestConfig::allow_hint_mismatch),
449 BoolFlag("-use-ocsp-callback", &TestConfig::use_ocsp_callback),
450 BoolFlag("-set-ocsp-in-callback", &TestConfig::set_ocsp_in_callback),
451 BoolFlag("-decline-ocsp-callback", &TestConfig::decline_ocsp_callback),
452 BoolFlag("-fail-ocsp-callback", &TestConfig::fail_ocsp_callback),
453 BoolFlag("-install-cert-compression-algs",
454 &TestConfig::install_cert_compression_algs),
455 IntFlag("-install-one-cert-compression-alg",
456 &TestConfig::install_one_cert_compression_alg),
457 BoolFlag("-reverify-on-resume", &TestConfig::reverify_on_resume),
458 BoolFlag("-ignore-rsa-key-usage", &TestConfig::ignore_rsa_key_usage),
459 BoolFlag("-expect-key-usage-invalid",
460 &TestConfig::expect_key_usage_invalid),
461 BoolFlag("-is-handshaker-supported",
462 &TestConfig::is_handshaker_supported),
463 BoolFlag("-handshaker-resume", &TestConfig::handshaker_resume),
464 StringFlag("-handshaker-path", &TestConfig::handshaker_path),
465 BoolFlag("-jdk11-workaround", &TestConfig::jdk11_workaround),
466 BoolFlag("-server-preference", &TestConfig::server_preference),
467 BoolFlag("-export-traffic-secrets",
468 &TestConfig::export_traffic_secrets),
469 BoolFlag("-key-update", &TestConfig::key_update),
470 StringFlag("-expect-early-data-reason",
471 &TestConfig::expect_early_data_reason),
472 BoolFlag("-expect-hrr", &TestConfig::expect_hrr),
473 BoolFlag("-expect-no-hrr", &TestConfig::expect_no_hrr),
474 BoolFlag("-wait-for-debugger", &TestConfig::wait_for_debugger),
475 StringFlag("-quic-early-data-context",
476 &TestConfig::quic_early_data_context),
477 IntFlag("-early-write-after-message",
478 &TestConfig::early_write_after_message),
479 BoolFlag("-fips-202205", &TestConfig::fips_202205),
480 BoolFlag("-wpa-202304", &TestConfig::wpa_202304),
481 BoolFlag("-no-check-client-certificate-type",
482 &TestConfig::no_check_client_certificate_type),
483 BoolFlag("-no-check-ecdsa-curve", &TestConfig::no_check_ecdsa_curve),
484 IntFlag("-expect-selected-credential",
485 &TestConfig::expect_selected_credential),
486 // Credential flags are stateful. First, use one of the
487 // -new-*-credential flags to introduce a new credential. Then the flags
488 // below switch from acting on the default credential to the newly-added
489 // one. Repeat this process to continue adding them.
490 NewCredentialFlag("-new-x509-credential", CredentialConfigType::kX509),
491 NewCredentialFlag("-new-delegated-credential",
492 CredentialConfigType::kDelegated),
493 CredentialFlagWithDefault(
494 StringFlag("-cert-file", &TestConfig::cert_file),
495 StringFlag("-cert-file", &CredentialConfig::cert_file)),
496 CredentialFlagWithDefault(
497 StringFlag("-key-file", &TestConfig::key_file),
498 StringFlag("-key-file", &CredentialConfig::key_file)),
499 CredentialFlagWithDefault(
500 IntVectorFlag("-signing-prefs", &TestConfig::signing_prefs),
501 IntVectorFlag("-signing-prefs", &CredentialConfig::signing_prefs)),
502 CredentialFlag(Base64Flag("-delegated-credential",
503 &CredentialConfig::delegated_credential)),
504 CredentialFlagWithDefault(
505 Base64Flag("-ocsp-response", &TestConfig::ocsp_response),
506 Base64Flag("-ocsp-response", &CredentialConfig::ocsp_response)),
507 CredentialFlagWithDefault(
508 Base64Flag("-signed-cert-timestamps",
509 &TestConfig::signed_cert_timestamps),
510 Base64Flag("-signed-cert-timestamps",
511 &CredentialConfig::signed_cert_timestamps)),
512 };
513 std::sort(ret.begin(), ret.end(), FlagNameComparator{});
514 return ret;
515 }();
516 auto iter =
517 std::lower_bound(flags.begin(), flags.end(), name, FlagNameComparator{});
518 if (iter == flags.end() || strcmp(iter->name, name) != 0) {
519 return nullptr;
520 }
521 return &*iter;
522 }
523
524 // RemovePrefix checks if |*str| begins with |prefix| + "-". If so, it advances
525 // |*str| past |prefix| (but not past the "-") and returns true. Otherwise, it
526 // returns false and leaves |*str| unmodified.
RemovePrefix(const char ** str,const char * prefix)527 bool RemovePrefix(const char **str, const char *prefix) {
528 size_t prefix_len = strlen(prefix);
529 if (strncmp(*str, prefix, strlen(prefix)) == 0 && (*str)[prefix_len] == '-') {
530 *str += strlen(prefix);
531 return true;
532 }
533 return false;
534 }
535
536 } // namespace
537
ParseConfig(int argc,char ** argv,bool is_shim,TestConfig * out_initial,TestConfig * out_resume,TestConfig * out_retry)538 bool ParseConfig(int argc, char **argv, bool is_shim,
539 TestConfig *out_initial,
540 TestConfig *out_resume,
541 TestConfig *out_retry) {
542 for (int i = 0; i < argc; i++) {
543 bool skip = false;
544 const char *arg = argv[i];
545 const char *name = arg;
546
547 // -on-shim and -on-handshaker prefixes enable flags only on the shim or
548 // handshaker.
549 if (RemovePrefix(&name, "-on-shim")) {
550 if (!is_shim) {
551 skip = true;
552 }
553 } else if (RemovePrefix(&name, "-on-handshaker")) {
554 if (is_shim) {
555 skip = true;
556 }
557 }
558
559 // The following prefixes allow different configurations for each of the
560 // initial, resumption, and 0-RTT retry handshakes.
561 TestConfig *out = nullptr;
562 if (RemovePrefix(&name, "-on-initial")) {
563 out = out_initial;
564 } else if (RemovePrefix(&name, "-on-resume")) {
565 out = out_resume;
566 } else if (RemovePrefix(&name, "-on-retry")) {
567 out = out_retry;
568 }
569
570 const Flag<TestConfig> *flag = FindFlag(name);
571 if (flag == nullptr) {
572 fprintf(stderr, "Unrecognized flag: %s\n", name);
573 return false;
574 }
575
576 const char *param = nullptr;
577 if (flag->has_param) {
578 if (i >= argc) {
579 fprintf(stderr, "Missing parameter for %s\n", name);
580 return false;
581 }
582 i++;
583 param = argv[i];
584 }
585
586 if (!flag->skip_handshaker) {
587 out_initial->handshaker_args.push_back(arg);
588 if (flag->has_param) {
589 out_initial->handshaker_args.push_back(param);
590 }
591 }
592
593 if (!skip) {
594 if (out != nullptr) {
595 if (!flag->set_param(out, param)) {
596 fprintf(stderr, "Invalid parameter for %s: %s\n", name, param);
597 return false;
598 }
599 } else {
600 // Unprefixed flags apply to all three.
601 if (!flag->set_param(out_initial, param) ||
602 !flag->set_param(out_resume, param) ||
603 !flag->set_param(out_retry, param)) {
604 fprintf(stderr, "Invalid parameter for %s: %s\n", name, param);
605 return false;
606 }
607 }
608 }
609 }
610
611 out_resume->handshaker_args = out_initial->handshaker_args;
612 out_retry->handshaker_args = out_initial->handshaker_args;
613 return true;
614 }
615
BufferPool()616 static CRYPTO_BUFFER_POOL *BufferPool() {
617 static CRYPTO_BUFFER_POOL *pool = [&] {
618 OPENSSL_disable_malloc_failures_for_testing();
619 CRYPTO_BUFFER_POOL *ret = CRYPTO_BUFFER_POOL_new();
620 BSSL_CHECK(ret != nullptr);
621 OPENSSL_enable_malloc_failures_for_testing();
622 return ret;
623 }();
624 return pool;
625 }
626
TestConfigExDataIndex()627 static int TestConfigExDataIndex() {
628 static int index = [&] {
629 OPENSSL_disable_malloc_failures_for_testing();
630 int ret = SSL_get_ex_new_index(0, nullptr, nullptr, nullptr, nullptr);
631 BSSL_CHECK(ret >= 0);
632 OPENSSL_enable_malloc_failures_for_testing();
633 return ret;
634 }();
635 return index;
636 }
637
SetTestConfig(SSL * ssl,const TestConfig * config)638 bool SetTestConfig(SSL *ssl, const TestConfig *config) {
639 return SSL_set_ex_data(ssl, TestConfigExDataIndex(), (void *)config) == 1;
640 }
641
GetTestConfig(const SSL * ssl)642 const TestConfig *GetTestConfig(const SSL *ssl) {
643 return static_cast<const TestConfig *>(
644 SSL_get_ex_data(ssl, TestConfigExDataIndex()));
645 }
646
647 struct CredentialInfo {
648 int number = -1;
649 bssl::UniquePtr<EVP_PKEY> private_key;
650 };
651
CredentialInfoExDataFree(void * parent,void * ptr,CRYPTO_EX_DATA * ad,int index,long argl,void * argp)652 static void CredentialInfoExDataFree(void *parent, void *ptr,
653 CRYPTO_EX_DATA *ad, int index, long argl,
654 void *argp) {
655 delete static_cast<CredentialInfo*>(ptr);
656 }
657
CredentialInfoExDataIndex()658 static int CredentialInfoExDataIndex() {
659 static int index = [&] {
660 OPENSSL_disable_malloc_failures_for_testing();
661 int ret = SSL_CREDENTIAL_get_ex_new_index(0, nullptr, nullptr, nullptr,
662 CredentialInfoExDataFree);
663 BSSL_CHECK(ret >= 0);
664 OPENSSL_enable_malloc_failures_for_testing();
665 return ret;
666 }();
667 return index;
668 }
669
GetCredentialInfo(const SSL_CREDENTIAL * cred)670 static const CredentialInfo *GetCredentialInfo(const SSL_CREDENTIAL *cred) {
671 return static_cast<const CredentialInfo *>(
672 SSL_CREDENTIAL_get_ex_data(cred, CredentialInfoExDataIndex()));
673 }
674
SetCredentialInfo(SSL_CREDENTIAL * cred,std::unique_ptr<CredentialInfo> info)675 static bool SetCredentialInfo(SSL_CREDENTIAL *cred,
676 std::unique_ptr<CredentialInfo> info) {
677 if (!SSL_CREDENTIAL_set_ex_data(cred, CredentialInfoExDataIndex(),
678 info.get())) {
679 return false;
680 }
681 info.release(); // |cred| takes ownership on success.
682 return true;
683 }
684
LegacyOCSPCallback(SSL * ssl,void * arg)685 static int LegacyOCSPCallback(SSL *ssl, void *arg) {
686 const TestConfig *config = GetTestConfig(ssl);
687 if (!SSL_is_server(ssl)) {
688 return !config->fail_ocsp_callback;
689 }
690
691 if (!config->ocsp_response.empty() && config->set_ocsp_in_callback &&
692 !SSL_set_ocsp_response(ssl, (const uint8_t *)config->ocsp_response.data(),
693 config->ocsp_response.size())) {
694 return SSL_TLSEXT_ERR_ALERT_FATAL;
695 }
696 if (config->fail_ocsp_callback) {
697 return SSL_TLSEXT_ERR_ALERT_FATAL;
698 }
699 if (config->decline_ocsp_callback) {
700 return SSL_TLSEXT_ERR_NOACK;
701 }
702 return SSL_TLSEXT_ERR_OK;
703 }
704
ServerNameCallback(SSL * ssl,int * out_alert,void * arg)705 static int ServerNameCallback(SSL *ssl, int *out_alert, void *arg) {
706 // SNI must be accessible from the SNI callback.
707 const TestConfig *config = GetTestConfig(ssl);
708 const char *server_name = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
709 if (server_name == nullptr ||
710 std::string(server_name) != config->expect_server_name) {
711 fprintf(stderr, "servername mismatch (got %s; want %s).\n", server_name,
712 config->expect_server_name.c_str());
713 return SSL_TLSEXT_ERR_ALERT_FATAL;
714 }
715
716 return SSL_TLSEXT_ERR_OK;
717 }
718
NextProtoSelectCallback(SSL * ssl,uint8_t ** out,uint8_t * outlen,const uint8_t * in,unsigned inlen,void * arg)719 static int NextProtoSelectCallback(SSL *ssl, uint8_t **out, uint8_t *outlen,
720 const uint8_t *in, unsigned inlen,
721 void *arg) {
722 const TestConfig *config = GetTestConfig(ssl);
723 *out = (uint8_t *)config->select_next_proto.data();
724 *outlen = config->select_next_proto.size();
725 return SSL_TLSEXT_ERR_OK;
726 }
727
NextProtosAdvertisedCallback(SSL * ssl,const uint8_t ** out,unsigned int * out_len,void * arg)728 static int NextProtosAdvertisedCallback(SSL *ssl, const uint8_t **out,
729 unsigned int *out_len, void *arg) {
730 const TestConfig *config = GetTestConfig(ssl);
731 if (config->advertise_npn.empty() && !config->advertise_empty_npn) {
732 return SSL_TLSEXT_ERR_NOACK;
733 }
734
735 if (config->advertise_npn.size() > UINT_MAX) {
736 fprintf(stderr, "NPN value too large.\n");
737 return SSL_TLSEXT_ERR_ALERT_FATAL;
738 }
739
740 *out = reinterpret_cast<const uint8_t *>(config->advertise_npn.data());
741 *out_len = static_cast<unsigned>(config->advertise_npn.size());
742 return SSL_TLSEXT_ERR_OK;
743 }
744
MessageCallback(int is_write,int version,int content_type,const void * buf,size_t len,SSL * ssl,void * arg)745 static void MessageCallback(int is_write, int version, int content_type,
746 const void *buf, size_t len, SSL *ssl, void *arg) {
747 const uint8_t *buf_u8 = reinterpret_cast<const uint8_t *>(buf);
748 const TestConfig *config = GetTestConfig(ssl);
749 TestState *state = GetTestState(ssl);
750 if (!state->msg_callback_ok) {
751 return;
752 }
753
754 if (content_type == SSL3_RT_HEADER) {
755 if (config->is_dtls) {
756 if (len > DTLS1_RT_MAX_HEADER_LENGTH) {
757 fprintf(stderr, "DTLS record header is too long: %zu.\n", len);
758 }
759 return;
760 }
761 if (len != SSL3_RT_HEADER_LENGTH) {
762 fprintf(stderr, "Incorrect length for record header: %zu.\n", len);
763 state->msg_callback_ok = false;
764 }
765 return;
766 }
767
768 state->msg_callback_text += is_write ? "write " : "read ";
769 switch (content_type) {
770 case 0:
771 if (version != SSL2_VERSION) {
772 fprintf(stderr, "Incorrect version for V2ClientHello: %x.\n",
773 static_cast<unsigned>(version));
774 state->msg_callback_ok = false;
775 return;
776 }
777 state->msg_callback_text += "v2clienthello\n";
778 return;
779
780 case SSL3_RT_CLIENT_HELLO_INNER:
781 case SSL3_RT_HANDSHAKE: {
782 CBS cbs;
783 CBS_init(&cbs, buf_u8, len);
784 uint8_t type;
785 uint32_t msg_len;
786 if (!CBS_get_u8(&cbs, &type) ||
787 // TODO(davidben): Reporting on entire messages would be more
788 // consistent than fragments.
789 (config->is_dtls &&
790 !CBS_skip(&cbs, 3 /* total */ + 2 /* seq */ + 3 /* frag_off */)) ||
791 !CBS_get_u24(&cbs, &msg_len) || !CBS_skip(&cbs, msg_len) ||
792 CBS_len(&cbs) != 0) {
793 fprintf(stderr, "Could not parse handshake message.\n");
794 state->msg_callback_ok = false;
795 return;
796 }
797 char text[16];
798 if (content_type == SSL3_RT_CLIENT_HELLO_INNER) {
799 if (type != SSL3_MT_CLIENT_HELLO) {
800 fprintf(stderr, "Invalid header for ClientHelloInner.\n");
801 state->msg_callback_ok = false;
802 return;
803 }
804 state->msg_callback_text += "clienthelloinner\n";
805 } else {
806 snprintf(text, sizeof(text), "hs %d\n", type);
807 state->msg_callback_text += text;
808 if (!is_write) {
809 state->last_message_received = type;
810 }
811 }
812 return;
813 }
814
815 case SSL3_RT_CHANGE_CIPHER_SPEC:
816 if (len != 1 || buf_u8[0] != 1) {
817 fprintf(stderr, "Invalid ChangeCipherSpec.\n");
818 state->msg_callback_ok = false;
819 return;
820 }
821 state->msg_callback_text += "ccs\n";
822 return;
823
824 case SSL3_RT_ALERT:
825 if (len != 2) {
826 fprintf(stderr, "Invalid alert.\n");
827 state->msg_callback_ok = false;
828 return;
829 }
830 char text[16];
831 snprintf(text, sizeof(text), "alert %d %d\n", buf_u8[0], buf_u8[1]);
832 state->msg_callback_text += text;
833 return;
834
835 default:
836 fprintf(stderr, "Invalid content_type: %d.\n", content_type);
837 state->msg_callback_ok = false;
838 }
839 }
840
TicketKeyCallback(SSL * ssl,uint8_t * key_name,uint8_t * iv,EVP_CIPHER_CTX * ctx,HMAC_CTX * hmac_ctx,int encrypt)841 static int TicketKeyCallback(SSL *ssl, uint8_t *key_name, uint8_t *iv,
842 EVP_CIPHER_CTX *ctx, HMAC_CTX *hmac_ctx,
843 int encrypt) {
844 if (!encrypt) {
845 if (GetTestState(ssl)->ticket_decrypt_done) {
846 fprintf(stderr, "TicketKeyCallback called after completion.\n");
847 return -1;
848 }
849
850 GetTestState(ssl)->ticket_decrypt_done = true;
851 }
852
853 // This is just test code, so use the all-zeros key.
854 static const uint8_t kZeros[16] = {0};
855
856 if (encrypt) {
857 OPENSSL_memcpy(key_name, kZeros, sizeof(kZeros));
858 RAND_bytes(iv, 16);
859 } else if (OPENSSL_memcmp(key_name, kZeros, 16) != 0) {
860 return 0;
861 }
862
863 if (!HMAC_Init_ex(hmac_ctx, kZeros, sizeof(kZeros), EVP_sha256(), NULL) ||
864 !EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, kZeros, iv, encrypt)) {
865 return -1;
866 }
867
868 if (!encrypt) {
869 return GetTestConfig(ssl)->renew_ticket ? 2 : 1;
870 }
871 return 1;
872 }
873
NewSessionCallback(SSL * ssl,SSL_SESSION * session)874 static int NewSessionCallback(SSL *ssl, SSL_SESSION *session) {
875 // This callback is called as the handshake completes. |SSL_get_session|
876 // must continue to work and, historically, |SSL_in_init| returned false at
877 // this point.
878 if (SSL_in_init(ssl) || SSL_get_session(ssl) == nullptr) {
879 fprintf(stderr, "Invalid state for NewSessionCallback.\n");
880 abort();
881 }
882
883 GetTestState(ssl)->got_new_session = true;
884 GetTestState(ssl)->new_session.reset(session);
885 return 1;
886 }
887
InfoCallback(const SSL * ssl,int type,int val)888 static void InfoCallback(const SSL *ssl, int type, int val) {
889 if (type == SSL_CB_HANDSHAKE_DONE) {
890 if (GetTestConfig(ssl)->handshake_never_done) {
891 fprintf(stderr, "Handshake unexpectedly completed.\n");
892 // Abort before any expected error code is printed, to ensure the overall
893 // test fails.
894 abort();
895 }
896
897 // This callback is called when the handshake completes. |SSL_get_session|
898 // must continue to work and |SSL_in_init| must return false.
899 if (SSL_in_init(ssl) || SSL_get_session(ssl) == nullptr) {
900 fprintf(stderr, "Invalid state for SSL_CB_HANDSHAKE_DONE.\n");
901 abort();
902 }
903
904 TestState *test_state = GetTestState(ssl);
905 test_state->handshake_done = true;
906
907 // Save the selected credential for the tests to assert on.
908 const SSL_CREDENTIAL *cred = SSL_get0_selected_credential(ssl);
909 const CredentialInfo *cred_info =
910 cred != nullptr ? GetCredentialInfo(cred) : nullptr;
911 test_state->selected_credential =
912 cred_info != nullptr ? cred_info->number : -1;
913 }
914 }
915
GetSessionCallback(SSL * ssl,const uint8_t * data,int len,int * copy)916 static SSL_SESSION *GetSessionCallback(SSL *ssl, const uint8_t *data, int len,
917 int *copy) {
918 TestState *async_state = GetTestState(ssl);
919 if (async_state->session) {
920 *copy = 0;
921 return async_state->session.release();
922 } else if (async_state->pending_session) {
923 return SSL_magic_pending_session_ptr();
924 } else {
925 return NULL;
926 }
927 }
928
CurrentTimeCallback(const SSL * ssl,timeval * out_clock)929 static void CurrentTimeCallback(const SSL *ssl, timeval *out_clock) {
930 *out_clock = *GetClock();
931 }
932
AlpnSelectCallback(SSL * ssl,const uint8_t ** out,uint8_t * outlen,const uint8_t * in,unsigned inlen,void * arg)933 static int AlpnSelectCallback(SSL *ssl, const uint8_t **out, uint8_t *outlen,
934 const uint8_t *in, unsigned inlen, void *arg) {
935 if (GetTestState(ssl)->alpn_select_done) {
936 fprintf(stderr, "AlpnSelectCallback called after completion.\n");
937 exit(1);
938 }
939
940 GetTestState(ssl)->alpn_select_done = true;
941
942 const TestConfig *config = GetTestConfig(ssl);
943 if (config->decline_alpn) {
944 return SSL_TLSEXT_ERR_NOACK;
945 }
946 if (config->reject_alpn) {
947 return SSL_TLSEXT_ERR_ALERT_FATAL;
948 }
949
950 if (!config->expect_advertised_alpn.empty() &&
951 (config->expect_advertised_alpn.size() != inlen ||
952 OPENSSL_memcmp(config->expect_advertised_alpn.data(), in, inlen) !=
953 0)) {
954 fprintf(stderr, "bad ALPN select callback inputs.\n");
955 exit(1);
956 }
957
958 if (config->defer_alps) {
959 for (const auto &pair : config->application_settings) {
960 if (!SSL_add_application_settings(
961 ssl, reinterpret_cast<const uint8_t *>(pair.first.data()),
962 pair.first.size(),
963 reinterpret_cast<const uint8_t *>(pair.second.data()),
964 pair.second.size())) {
965 fprintf(stderr, "error configuring ALPS.\n");
966 exit(1);
967 }
968 }
969 }
970
971 assert(config->select_alpn.empty() || !config->select_empty_alpn);
972 *out = (const uint8_t *)config->select_alpn.data();
973 *outlen = config->select_alpn.size();
974 return SSL_TLSEXT_ERR_OK;
975 }
976
CheckVerifyCallback(SSL * ssl)977 static bool CheckVerifyCallback(SSL *ssl) {
978 const TestConfig *config = GetTestConfig(ssl);
979 if (!config->expect_ocsp_response.empty()) {
980 const uint8_t *data;
981 size_t len;
982 SSL_get0_ocsp_response(ssl, &data, &len);
983 if (len == 0) {
984 fprintf(stderr, "OCSP response not available in verify callback.\n");
985 return false;
986 }
987 }
988
989 const char *name_override;
990 size_t name_override_len;
991 SSL_get0_ech_name_override(ssl, &name_override, &name_override_len);
992 if (config->expect_no_ech_name_override && name_override_len != 0) {
993 fprintf(stderr, "Unexpected ECH name override.\n");
994 return false;
995 }
996 if (!config->expect_ech_name_override.empty() &&
997 config->expect_ech_name_override !=
998 std::string(name_override, name_override_len)) {
999 fprintf(stderr, "ECH name did not match expected value.\n");
1000 return false;
1001 }
1002
1003 if (GetTestState(ssl)->cert_verified) {
1004 fprintf(stderr, "Certificate verified twice.\n");
1005 return false;
1006 }
1007
1008 return true;
1009 }
1010
CertVerifyCallback(X509_STORE_CTX * store_ctx,void * arg)1011 static int CertVerifyCallback(X509_STORE_CTX *store_ctx, void *arg) {
1012 SSL *ssl = (SSL *)X509_STORE_CTX_get_ex_data(
1013 store_ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
1014 const TestConfig *config = GetTestConfig(ssl);
1015 if (!CheckVerifyCallback(ssl)) {
1016 return 0;
1017 }
1018
1019 GetTestState(ssl)->cert_verified = true;
1020 if (config->verify_fail) {
1021 X509_STORE_CTX_set_error(store_ctx, X509_V_ERR_APPLICATION_VERIFICATION);
1022 return 0;
1023 }
1024
1025 return 1;
1026 }
1027
LoadCertificate(bssl::UniquePtr<X509> * out_x509,bssl::UniquePtr<STACK_OF (X509)> * out_chain,const std::string & file)1028 bool LoadCertificate(bssl::UniquePtr<X509> *out_x509,
1029 bssl::UniquePtr<STACK_OF(X509)> *out_chain,
1030 const std::string &file) {
1031 bssl::UniquePtr<BIO> bio(BIO_new(BIO_s_file()));
1032 if (!bio || !BIO_read_filename(bio.get(), file.c_str())) {
1033 return false;
1034 }
1035
1036 out_x509->reset(PEM_read_bio_X509(bio.get(), nullptr, nullptr, nullptr));
1037 if (!*out_x509) {
1038 return false;
1039 }
1040
1041 out_chain->reset(sk_X509_new_null());
1042 if (!*out_chain) {
1043 return false;
1044 }
1045
1046 // Keep reading the certificate chain.
1047 for (;;) {
1048 bssl::UniquePtr<X509> cert(
1049 PEM_read_bio_X509(bio.get(), nullptr, nullptr, nullptr));
1050 if (!cert) {
1051 break;
1052 }
1053
1054 if (!bssl::PushToStack(out_chain->get(), std::move(cert))) {
1055 return false;
1056 }
1057 }
1058
1059 uint32_t err = ERR_peek_last_error();
1060 if (ERR_GET_LIB(err) != ERR_LIB_PEM ||
1061 ERR_GET_REASON(err) != PEM_R_NO_START_LINE) {
1062 return false;
1063 }
1064
1065 ERR_clear_error();
1066 return true;
1067 }
1068
LoadPrivateKey(const std::string & file)1069 bssl::UniquePtr<EVP_PKEY> LoadPrivateKey(const std::string &file) {
1070 bssl::UniquePtr<BIO> bio(BIO_new(BIO_s_file()));
1071 if (!bio || !BIO_read_filename(bio.get(), file.c_str())) {
1072 return nullptr;
1073 }
1074 return bssl::UniquePtr<EVP_PKEY>(
1075 PEM_read_bio_PrivateKey(bio.get(), NULL, NULL, NULL));
1076 }
1077
X509ToBuffer(X509 * x509)1078 static bssl::UniquePtr<CRYPTO_BUFFER> X509ToBuffer(X509 *x509) {
1079 uint8_t *der = nullptr;
1080 int der_len = i2d_X509(x509, &der);
1081 if (der_len < 0) {
1082 return nullptr;
1083 }
1084 bssl::UniquePtr<uint8_t> free_der(der);
1085 return bssl::UniquePtr<CRYPTO_BUFFER>(
1086 CRYPTO_BUFFER_new(der, der_len, nullptr));
1087 }
1088
1089
1090 static ssl_private_key_result_t AsyncPrivateKeyComplete(SSL *ssl, uint8_t *out,
1091 size_t *out_len,
1092 size_t max_out);
1093
GetPrivateKey(SSL * ssl)1094 static EVP_PKEY *GetPrivateKey(SSL *ssl) {
1095 const CredentialInfo *cred_info =
1096 GetCredentialInfo(SSL_get0_selected_credential(ssl));
1097 if (cred_info != nullptr) {
1098 return cred_info->private_key.get();
1099 }
1100
1101 return GetTestState(ssl)->private_key.get();
1102 }
1103
AsyncPrivateKeySign(SSL * ssl,uint8_t * out,size_t * out_len,size_t max_out,uint16_t signature_algorithm,const uint8_t * in,size_t in_len)1104 static ssl_private_key_result_t AsyncPrivateKeySign(
1105 SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out,
1106 uint16_t signature_algorithm, const uint8_t *in, size_t in_len) {
1107 TestState *test_state = GetTestState(ssl);
1108 test_state->used_private_key = true;
1109 if (!test_state->private_key_result.empty()) {
1110 fprintf(stderr, "AsyncPrivateKeySign called with operation pending.\n");
1111 abort();
1112 }
1113
1114 EVP_PKEY *private_key = GetPrivateKey(ssl);
1115 if (EVP_PKEY_id(private_key) !=
1116 SSL_get_signature_algorithm_key_type(signature_algorithm)) {
1117 fprintf(stderr, "Key type does not match signature algorithm.\n");
1118 abort();
1119 }
1120
1121 // Determine the hash.
1122 const EVP_MD *md = SSL_get_signature_algorithm_digest(signature_algorithm);
1123 bssl::ScopedEVP_MD_CTX ctx;
1124 EVP_PKEY_CTX *pctx;
1125 if (!EVP_DigestSignInit(ctx.get(), &pctx, md, nullptr, private_key)) {
1126 return ssl_private_key_failure;
1127 }
1128
1129 // Configure additional signature parameters.
1130 if (SSL_is_signature_algorithm_rsa_pss(signature_algorithm)) {
1131 if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) ||
1132 !EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1 /* salt len = hash len */)) {
1133 return ssl_private_key_failure;
1134 }
1135 }
1136
1137 // Write the signature into |test_state|.
1138 size_t len = 0;
1139 if (!EVP_DigestSign(ctx.get(), nullptr, &len, in, in_len)) {
1140 return ssl_private_key_failure;
1141 }
1142 test_state->private_key_result.resize(len);
1143 if (!EVP_DigestSign(ctx.get(), test_state->private_key_result.data(), &len,
1144 in, in_len)) {
1145 return ssl_private_key_failure;
1146 }
1147 test_state->private_key_result.resize(len);
1148
1149 return AsyncPrivateKeyComplete(ssl, out, out_len, max_out);
1150 }
1151
AsyncPrivateKeyDecrypt(SSL * ssl,uint8_t * out,size_t * out_len,size_t max_out,const uint8_t * in,size_t in_len)1152 static ssl_private_key_result_t AsyncPrivateKeyDecrypt(SSL *ssl, uint8_t *out,
1153 size_t *out_len,
1154 size_t max_out,
1155 const uint8_t *in,
1156 size_t in_len) {
1157 TestState *test_state = GetTestState(ssl);
1158 test_state->used_private_key = true;
1159 if (!test_state->private_key_result.empty()) {
1160 fprintf(stderr, "AsyncPrivateKeyDecrypt called with operation pending.\n");
1161 abort();
1162 }
1163
1164 EVP_PKEY *private_key = GetPrivateKey(ssl);
1165 RSA *rsa = EVP_PKEY_get0_RSA(private_key);
1166 if (rsa == NULL) {
1167 fprintf(stderr, "AsyncPrivateKeyDecrypt called with incorrect key type.\n");
1168 abort();
1169 }
1170 test_state->private_key_result.resize(RSA_size(rsa));
1171 if (!RSA_decrypt(rsa, out_len, test_state->private_key_result.data(),
1172 RSA_size(rsa), in, in_len, RSA_NO_PADDING)) {
1173 return ssl_private_key_failure;
1174 }
1175
1176 test_state->private_key_result.resize(*out_len);
1177
1178 return AsyncPrivateKeyComplete(ssl, out, out_len, max_out);
1179 }
1180
AsyncPrivateKeyComplete(SSL * ssl,uint8_t * out,size_t * out_len,size_t max_out)1181 static ssl_private_key_result_t AsyncPrivateKeyComplete(SSL *ssl, uint8_t *out,
1182 size_t *out_len,
1183 size_t max_out) {
1184 TestState *test_state = GetTestState(ssl);
1185 if (test_state->private_key_result.empty()) {
1186 fprintf(stderr,
1187 "AsyncPrivateKeyComplete called without operation pending.\n");
1188 abort();
1189 }
1190
1191 if (GetTestConfig(ssl)->async && test_state->private_key_retries < 2) {
1192 // Only return the decryption on the second attempt, to test both incomplete
1193 // |sign|/|decrypt| and |complete|.
1194 return ssl_private_key_retry;
1195 }
1196
1197 if (max_out < test_state->private_key_result.size()) {
1198 fprintf(stderr, "Output buffer too small.\n");
1199 return ssl_private_key_failure;
1200 }
1201 OPENSSL_memcpy(out, test_state->private_key_result.data(),
1202 test_state->private_key_result.size());
1203 *out_len = test_state->private_key_result.size();
1204
1205 test_state->private_key_result.clear();
1206 test_state->private_key_retries = 0;
1207 return ssl_private_key_success;
1208 }
1209
1210 static const SSL_PRIVATE_KEY_METHOD g_async_private_key_method = {
1211 AsyncPrivateKeySign,
1212 AsyncPrivateKeyDecrypt,
1213 AsyncPrivateKeyComplete,
1214 };
1215
CredentialFromConfig(const TestConfig & config,const CredentialConfig & cred_config,int number)1216 static bssl::UniquePtr<SSL_CREDENTIAL> CredentialFromConfig(
1217 const TestConfig &config, const CredentialConfig &cred_config, int number) {
1218 bssl::UniquePtr<SSL_CREDENTIAL> cred;
1219 switch (cred_config.type) {
1220 case CredentialConfigType::kX509:
1221 cred.reset(SSL_CREDENTIAL_new_x509());
1222 break;
1223 case CredentialConfigType::kDelegated:
1224 cred.reset(SSL_CREDENTIAL_new_delegated());
1225 break;
1226 }
1227 if (cred == nullptr) {
1228 return nullptr;
1229 }
1230
1231 auto info = std::make_unique<CredentialInfo>();
1232 info->number = number;
1233
1234 if (!cred_config.cert_file.empty()) {
1235 bssl::UniquePtr<X509> x509;
1236 bssl::UniquePtr<STACK_OF(X509)> chain;
1237 if (!LoadCertificate(&x509, &chain, cred_config.cert_file.c_str())) {
1238 return nullptr;
1239 }
1240 std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> buffers;
1241 buffers.push_back(X509ToBuffer(x509.get()));
1242 if (buffers.back() == nullptr) {
1243 return nullptr;
1244 }
1245 for (X509 *cert : chain.get()) {
1246 buffers.push_back(X509ToBuffer(cert));
1247 if (buffers.back() == nullptr) {
1248 return nullptr;
1249 }
1250 }
1251 std::vector<CRYPTO_BUFFER *> buffers_raw;
1252 for (const auto &buffer : buffers) {
1253 buffers_raw.push_back(buffer.get());
1254 }
1255 if (!SSL_CREDENTIAL_set1_cert_chain(cred.get(), buffers_raw.data(),
1256 buffers_raw.size())) {
1257 return nullptr;
1258 }
1259 }
1260
1261 if (!cred_config.key_file.empty()) {
1262 bssl::UniquePtr<EVP_PKEY> pkey =
1263 LoadPrivateKey(cred_config.key_file.c_str());
1264 if (pkey == nullptr) {
1265 return nullptr;
1266 }
1267 if (config.async || config.handshake_hints) {
1268 info->private_key = std::move(pkey);
1269 if (!SSL_CREDENTIAL_set_private_key_method(cred.get(),
1270 &g_async_private_key_method)) {
1271 return nullptr;
1272 }
1273 } else {
1274 if (!SSL_CREDENTIAL_set1_private_key(cred.get(), pkey.get())) {
1275 return nullptr;
1276 }
1277 }
1278 }
1279
1280 if (!cred_config.signing_prefs.empty() &&
1281 !SSL_CREDENTIAL_set1_signing_algorithm_prefs(
1282 cred.get(), cred_config.signing_prefs.data(),
1283 cred_config.signing_prefs.size())) {
1284 return nullptr;
1285 }
1286
1287 if (!cred_config.delegated_credential.empty()) {
1288 bssl::UniquePtr<CRYPTO_BUFFER> buf(
1289 CRYPTO_BUFFER_new(reinterpret_cast<const uint8_t *>(
1290 cred_config.delegated_credential.data()),
1291 cred_config.delegated_credential.size(), nullptr));
1292 if (buf == nullptr ||
1293 !SSL_CREDENTIAL_set1_delegated_credential(cred.get(), buf.get())) {
1294 return nullptr;
1295 }
1296 }
1297
1298 if (!cred_config.ocsp_response.empty()) {
1299 bssl::UniquePtr<CRYPTO_BUFFER> buf(CRYPTO_BUFFER_new(
1300 reinterpret_cast<const uint8_t *>(cred_config.ocsp_response.data()),
1301 cred_config.ocsp_response.size(), nullptr));
1302 if (buf == nullptr ||
1303 !SSL_CREDENTIAL_set1_ocsp_response(cred.get(), buf.get())) {
1304 return nullptr;
1305 }
1306 }
1307
1308 if (!cred_config.signed_cert_timestamps.empty()) {
1309 bssl::UniquePtr<CRYPTO_BUFFER> buf(
1310 CRYPTO_BUFFER_new(reinterpret_cast<const uint8_t *>(
1311 cred_config.signed_cert_timestamps.data()),
1312 cred_config.signed_cert_timestamps.size(), nullptr));
1313 if (buf == nullptr || !SSL_CREDENTIAL_set1_signed_cert_timestamp_list(
1314 cred.get(), buf.get())) {
1315 return nullptr;
1316 }
1317 }
1318
1319 if (!SetCredentialInfo(cred.get(), std::move(info))) {
1320 return nullptr;
1321 }
1322
1323 return cred;
1324 }
1325
GetCertificate(SSL * ssl,bssl::UniquePtr<X509> * out_x509,bssl::UniquePtr<STACK_OF (X509)> * out_chain,bssl::UniquePtr<EVP_PKEY> * out_pkey)1326 static bool GetCertificate(SSL *ssl, bssl::UniquePtr<X509> *out_x509,
1327 bssl::UniquePtr<STACK_OF(X509)> *out_chain,
1328 bssl::UniquePtr<EVP_PKEY> *out_pkey) {
1329 const TestConfig *config = GetTestConfig(ssl);
1330
1331 if (!config->signing_prefs.empty()) {
1332 if (!SSL_set_signing_algorithm_prefs(ssl, config->signing_prefs.data(),
1333 config->signing_prefs.size())) {
1334 return false;
1335 }
1336 }
1337
1338 if (!config->key_file.empty()) {
1339 *out_pkey = LoadPrivateKey(config->key_file.c_str());
1340 if (!*out_pkey) {
1341 return false;
1342 }
1343 }
1344 if (!config->cert_file.empty() &&
1345 !LoadCertificate(out_x509, out_chain, config->cert_file.c_str())) {
1346 return false;
1347 }
1348 if (!config->ocsp_response.empty() && !config->set_ocsp_in_callback &&
1349 !SSL_set_ocsp_response(ssl, (const uint8_t *)config->ocsp_response.data(),
1350 config->ocsp_response.size())) {
1351 return false;
1352 }
1353
1354 for (size_t i = 0; i < config->credentials.size(); i++) {
1355 bssl::UniquePtr<SSL_CREDENTIAL> cred = CredentialFromConfig(
1356 *config, config->credentials[i], static_cast<int>(i));
1357 if (cred == nullptr || !SSL_add1_credential(ssl, cred.get())) {
1358 return false;
1359 }
1360 }
1361
1362 return true;
1363 }
1364
HexDecode(std::string * out,const std::string & in)1365 static bool HexDecode(std::string *out, const std::string &in) {
1366 if ((in.size() & 1) != 0) {
1367 return false;
1368 }
1369
1370 auto buf = std::make_unique<uint8_t[]>(in.size() / 2);
1371 for (size_t i = 0; i < in.size() / 2; i++) {
1372 uint8_t high, low;
1373 if (!OPENSSL_fromxdigit(&high, in[i * 2]) ||
1374 !OPENSSL_fromxdigit(&low, in[i * 2 + 1])) {
1375 return false;
1376 }
1377 buf[i] = (high << 4) | low;
1378 }
1379
1380 out->assign(reinterpret_cast<const char *>(buf.get()), in.size() / 2);
1381 return true;
1382 }
1383
SplitParts(const std::string & in,const char delim)1384 static std::vector<std::string> SplitParts(const std::string &in,
1385 const char delim) {
1386 std::vector<std::string> ret;
1387 size_t start = 0;
1388
1389 for (size_t i = 0; i < in.size(); i++) {
1390 if (in[i] == delim) {
1391 ret.push_back(in.substr(start, i - start));
1392 start = i + 1;
1393 }
1394 }
1395
1396 ret.push_back(in.substr(start, std::string::npos));
1397 return ret;
1398 }
1399
DecodeHexStrings(const std::string & hex_strings)1400 static std::vector<std::string> DecodeHexStrings(
1401 const std::string &hex_strings) {
1402 std::vector<std::string> ret;
1403 const std::vector<std::string> parts = SplitParts(hex_strings, ',');
1404
1405 for (const auto &part : parts) {
1406 std::string binary;
1407 if (!HexDecode(&binary, part)) {
1408 fprintf(stderr, "Bad hex string: %s.\n", part.c_str());
1409 return ret;
1410 }
1411
1412 ret.push_back(binary);
1413 }
1414
1415 return ret;
1416 }
1417
DecodeHexX509Names(const std::string & hex_names)1418 static bssl::UniquePtr<STACK_OF(X509_NAME)> DecodeHexX509Names(
1419 const std::string &hex_names) {
1420 const std::vector<std::string> der_names = DecodeHexStrings(hex_names);
1421 bssl::UniquePtr<STACK_OF(X509_NAME)> ret(sk_X509_NAME_new_null());
1422 if (!ret) {
1423 return nullptr;
1424 }
1425
1426 for (const auto &der_name : der_names) {
1427 const uint8_t *const data =
1428 reinterpret_cast<const uint8_t *>(der_name.data());
1429 const uint8_t *derp = data;
1430 bssl::UniquePtr<X509_NAME> name(
1431 d2i_X509_NAME(nullptr, &derp, der_name.size()));
1432 if (!name || derp != data + der_name.size()) {
1433 fprintf(stderr, "Failed to parse X509_NAME.\n");
1434 return nullptr;
1435 }
1436
1437 if (!bssl::PushToStack(ret.get(), std::move(name))) {
1438 return nullptr;
1439 }
1440 }
1441
1442 return ret;
1443 }
1444
CheckPeerVerifyPrefs(SSL * ssl)1445 static bool CheckPeerVerifyPrefs(SSL *ssl) {
1446 const TestConfig *config = GetTestConfig(ssl);
1447 if (!config->expect_peer_verify_prefs.empty()) {
1448 const uint16_t *peer_sigalgs;
1449 size_t num_peer_sigalgs =
1450 SSL_get0_peer_verify_algorithms(ssl, &peer_sigalgs);
1451 if (config->expect_peer_verify_prefs.size() != num_peer_sigalgs) {
1452 fprintf(stderr,
1453 "peer verify preferences length mismatch (got %zu, wanted %zu)\n",
1454 num_peer_sigalgs, config->expect_peer_verify_prefs.size());
1455 return false;
1456 }
1457 for (size_t i = 0; i < num_peer_sigalgs; i++) {
1458 if (peer_sigalgs[i] != config->expect_peer_verify_prefs[i]) {
1459 fprintf(stderr,
1460 "peer verify preference %zu mismatch (got %04x, wanted %04x\n",
1461 i, peer_sigalgs[i], config->expect_peer_verify_prefs[i]);
1462 return false;
1463 }
1464 }
1465 }
1466 return true;
1467 }
1468
CheckCertificateRequest(SSL * ssl)1469 static bool CheckCertificateRequest(SSL *ssl) {
1470 const TestConfig *config = GetTestConfig(ssl);
1471
1472 if (!CheckPeerVerifyPrefs(ssl)) {
1473 return false;
1474 }
1475
1476 if (!config->expect_certificate_types.empty()) {
1477 const uint8_t *certificate_types;
1478 size_t certificate_types_len =
1479 SSL_get0_certificate_types(ssl, &certificate_types);
1480 if (certificate_types_len != config->expect_certificate_types.size() ||
1481 OPENSSL_memcmp(certificate_types,
1482 config->expect_certificate_types.data(),
1483 certificate_types_len) != 0) {
1484 fprintf(stderr, "certificate types mismatch.\n");
1485 return false;
1486 }
1487 }
1488
1489 if (!config->expect_client_ca_list.empty()) {
1490 bssl::UniquePtr<STACK_OF(X509_NAME)> expected =
1491 DecodeHexX509Names(config->expect_client_ca_list);
1492 const size_t num_expected = sk_X509_NAME_num(expected.get());
1493
1494 const STACK_OF(X509_NAME) *received = SSL_get_client_CA_list(ssl);
1495 const size_t num_received = sk_X509_NAME_num(received);
1496
1497 if (num_received != num_expected) {
1498 fprintf(stderr, "expected %zu names in CertificateRequest but got %zu.\n",
1499 num_expected, num_received);
1500 return false;
1501 }
1502
1503 for (size_t i = 0; i < num_received; i++) {
1504 if (X509_NAME_cmp(sk_X509_NAME_value(received, i),
1505 sk_X509_NAME_value(expected.get(), i)) != 0) {
1506 fprintf(stderr, "names in CertificateRequest differ at index #%zu.\n",
1507 i);
1508 return false;
1509 }
1510 }
1511
1512 const STACK_OF(CRYPTO_BUFFER) *buffers = SSL_get0_server_requested_CAs(ssl);
1513 if (sk_CRYPTO_BUFFER_num(buffers) != num_received) {
1514 fprintf(stderr,
1515 "Mismatch between SSL_get_server_requested_CAs and "
1516 "SSL_get_client_CA_list.\n");
1517 return false;
1518 }
1519 }
1520
1521 return true;
1522 }
1523
ClientCertCallback(SSL * ssl,X509 ** out_x509,EVP_PKEY ** out_pkey)1524 static int ClientCertCallback(SSL *ssl, X509 **out_x509, EVP_PKEY **out_pkey) {
1525 if (!CheckCertificateRequest(ssl)) {
1526 return -1;
1527 }
1528
1529 if (GetTestConfig(ssl)->async && !GetTestState(ssl)->cert_ready) {
1530 return -1;
1531 }
1532
1533 bssl::UniquePtr<X509> x509;
1534 bssl::UniquePtr<STACK_OF(X509)> chain;
1535 bssl::UniquePtr<EVP_PKEY> pkey;
1536 if (!GetCertificate(ssl, &x509, &chain, &pkey)) {
1537 return -1;
1538 }
1539
1540 // Return zero for no certificate.
1541 if (!x509) {
1542 return 0;
1543 }
1544
1545 // Chains and asynchronous private keys are not supported with client_cert_cb.
1546 *out_x509 = x509.release();
1547 *out_pkey = pkey.release();
1548 return 1;
1549 }
1550
InstallCertificate(SSL * ssl)1551 static bool InstallCertificate(SSL *ssl) {
1552 bssl::UniquePtr<X509> x509;
1553 bssl::UniquePtr<STACK_OF(X509)> chain;
1554 bssl::UniquePtr<EVP_PKEY> pkey;
1555 if (!GetCertificate(ssl, &x509, &chain, &pkey)) {
1556 return false;
1557 }
1558
1559 if (pkey) {
1560 TestState *test_state = GetTestState(ssl);
1561 const TestConfig *config = GetTestConfig(ssl);
1562 if (config->async || config->handshake_hints) {
1563 // Install a custom private key if testing asynchronous callbacks, or if
1564 // testing handshake hints. In the handshake hints case, we wish to check
1565 // that hints only mismatch when allowed.
1566 test_state->private_key = std::move(pkey);
1567 SSL_set_private_key_method(ssl, &g_async_private_key_method);
1568 } else if (!SSL_use_PrivateKey(ssl, pkey.get())) {
1569 return false;
1570 }
1571 }
1572
1573 if (x509 && !SSL_use_certificate(ssl, x509.get())) {
1574 return false;
1575 }
1576
1577 if (sk_X509_num(chain.get()) > 0 && !SSL_set1_chain(ssl, chain.get())) {
1578 return false;
1579 }
1580
1581 return true;
1582 }
1583
SelectCertificateCallback(const SSL_CLIENT_HELLO * client_hello)1584 static enum ssl_select_cert_result_t SelectCertificateCallback(
1585 const SSL_CLIENT_HELLO *client_hello) {
1586 SSL *ssl = client_hello->ssl;
1587 const TestConfig *config = GetTestConfig(ssl);
1588 TestState *test_state = GetTestState(ssl);
1589 test_state->early_callback_called = true;
1590
1591 // Invoke the rewind before we sanity check SNI because we will
1592 // end up calling the select_cert_cb twice with two different SNIs.
1593 if (SSL_ech_accepted(ssl) && config->fail_early_callback_ech_rewind) {
1594 return ssl_select_cert_disable_ech;
1595 }
1596
1597 const char *server_name =
1598 SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
1599
1600 if (config->expect_no_server_name && server_name != nullptr) {
1601 fprintf(stderr,
1602 "Expected no server name but got %s.\n",
1603 server_name);
1604 return ssl_select_cert_error;
1605 }
1606
1607 if (!config->expect_server_name.empty()) {
1608 if (server_name == nullptr ||
1609 std::string(server_name) != config->expect_server_name) {
1610 fprintf(stderr,
1611 "Server name mismatch in early callback (got %s; want %s).\n",
1612 server_name, config->expect_server_name.c_str());
1613 return ssl_select_cert_error;
1614 }
1615 }
1616
1617 if (config->fail_early_callback) {
1618 return ssl_select_cert_error;
1619 }
1620
1621 // Simulate some asynchronous work in the early callback.
1622 if ((config->use_early_callback || test_state->get_handshake_hints_cb) &&
1623 config->async && !test_state->early_callback_ready) {
1624 return ssl_select_cert_retry;
1625 }
1626
1627 if (test_state->get_handshake_hints_cb &&
1628 !test_state->get_handshake_hints_cb(client_hello)) {
1629 return ssl_select_cert_error;
1630 }
1631
1632 if (config->use_early_callback && !InstallCertificate(ssl)) {
1633 return ssl_select_cert_error;
1634 }
1635
1636 return ssl_select_cert_success;
1637 }
1638
SetQuicReadSecret(SSL * ssl,enum ssl_encryption_level_t level,const SSL_CIPHER * cipher,const uint8_t * secret,size_t secret_len)1639 static int SetQuicReadSecret(SSL *ssl, enum ssl_encryption_level_t level,
1640 const SSL_CIPHER *cipher, const uint8_t *secret,
1641 size_t secret_len) {
1642 MockQuicTransport *quic_transport = GetTestState(ssl)->quic_transport.get();
1643 if (quic_transport == nullptr) {
1644 fprintf(stderr, "No QUIC transport.\n");
1645 return 0;
1646 }
1647 return quic_transport->SetReadSecret(level, cipher, secret, secret_len);
1648 }
1649
SetQuicWriteSecret(SSL * ssl,enum ssl_encryption_level_t level,const SSL_CIPHER * cipher,const uint8_t * secret,size_t secret_len)1650 static int SetQuicWriteSecret(SSL *ssl, enum ssl_encryption_level_t level,
1651 const SSL_CIPHER *cipher, const uint8_t *secret,
1652 size_t secret_len) {
1653 MockQuicTransport *quic_transport = GetTestState(ssl)->quic_transport.get();
1654 if (quic_transport == nullptr) {
1655 fprintf(stderr, "No QUIC transport.\n");
1656 return 0;
1657 }
1658 return quic_transport->SetWriteSecret(level, cipher, secret, secret_len);
1659 }
1660
AddQuicHandshakeData(SSL * ssl,enum ssl_encryption_level_t level,const uint8_t * data,size_t len)1661 static int AddQuicHandshakeData(SSL *ssl, enum ssl_encryption_level_t level,
1662 const uint8_t *data, size_t len) {
1663 MockQuicTransport *quic_transport = GetTestState(ssl)->quic_transport.get();
1664 if (quic_transport == nullptr) {
1665 fprintf(stderr, "No QUIC transport.\n");
1666 return 0;
1667 }
1668 return quic_transport->WriteHandshakeData(level, data, len);
1669 }
1670
FlushQuicFlight(SSL * ssl)1671 static int FlushQuicFlight(SSL *ssl) {
1672 MockQuicTransport *quic_transport = GetTestState(ssl)->quic_transport.get();
1673 if (quic_transport == nullptr) {
1674 fprintf(stderr, "No QUIC transport.\n");
1675 return 0;
1676 }
1677 return quic_transport->Flush();
1678 }
1679
SendQuicAlert(SSL * ssl,enum ssl_encryption_level_t level,uint8_t alert)1680 static int SendQuicAlert(SSL *ssl, enum ssl_encryption_level_t level,
1681 uint8_t alert) {
1682 MockQuicTransport *quic_transport = GetTestState(ssl)->quic_transport.get();
1683 if (quic_transport == nullptr) {
1684 fprintf(stderr, "No QUIC transport.\n");
1685 return 0;
1686 }
1687 return quic_transport->SendAlert(level, alert);
1688 }
1689
1690 static const SSL_QUIC_METHOD g_quic_method = {
1691 SetQuicReadSecret,
1692 SetQuicWriteSecret,
1693 AddQuicHandshakeData,
1694 FlushQuicFlight,
1695 SendQuicAlert,
1696 };
1697
MaybeInstallCertCompressionAlg(const TestConfig * config,SSL_CTX * ssl_ctx,uint16_t alg,ssl_cert_compression_func_t compress,ssl_cert_decompression_func_t decompress)1698 static bool MaybeInstallCertCompressionAlg(
1699 const TestConfig *config, SSL_CTX *ssl_ctx, uint16_t alg,
1700 ssl_cert_compression_func_t compress,
1701 ssl_cert_decompression_func_t decompress) {
1702 if (!config->install_cert_compression_algs &&
1703 config->install_one_cert_compression_alg != alg) {
1704 return true;
1705 }
1706 return SSL_CTX_add_cert_compression_alg(ssl_ctx, alg, compress, decompress);
1707 }
1708
SetupCtx(SSL_CTX * old_ctx) const1709 bssl::UniquePtr<SSL_CTX> TestConfig::SetupCtx(SSL_CTX *old_ctx) const {
1710 bssl::UniquePtr<SSL_CTX> ssl_ctx(
1711 SSL_CTX_new(is_dtls ? DTLS_method() : TLS_method()));
1712 if (!ssl_ctx) {
1713 return nullptr;
1714 }
1715
1716 SSL_CTX_set0_buffer_pool(ssl_ctx.get(), BufferPool());
1717
1718 std::string cipher_list = "ALL:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256";
1719 if (!cipher.empty()) {
1720 cipher_list = cipher;
1721 SSL_CTX_set_options(ssl_ctx.get(), SSL_OP_CIPHER_SERVER_PREFERENCE);
1722 }
1723 if (!SSL_CTX_set_strict_cipher_list(ssl_ctx.get(), cipher_list.c_str())) {
1724 return nullptr;
1725 }
1726
1727 if (async && is_server) {
1728 // Disable the internal session cache. To test asynchronous session lookup,
1729 // we use an external session cache.
1730 SSL_CTX_set_session_cache_mode(
1731 ssl_ctx.get(), SSL_SESS_CACHE_BOTH | SSL_SESS_CACHE_NO_INTERNAL);
1732 SSL_CTX_sess_set_get_cb(ssl_ctx.get(), GetSessionCallback);
1733 } else {
1734 SSL_CTX_set_session_cache_mode(ssl_ctx.get(), SSL_SESS_CACHE_BOTH);
1735 }
1736
1737 SSL_CTX_set_select_certificate_cb(ssl_ctx.get(), SelectCertificateCallback);
1738
1739 if (use_old_client_cert_callback) {
1740 SSL_CTX_set_client_cert_cb(ssl_ctx.get(), ClientCertCallback);
1741 }
1742
1743 SSL_CTX_set_next_protos_advertised_cb(ssl_ctx.get(),
1744 NextProtosAdvertisedCallback, NULL);
1745 if (!select_next_proto.empty() || select_empty_next_proto) {
1746 SSL_CTX_set_next_proto_select_cb(ssl_ctx.get(), NextProtoSelectCallback,
1747 NULL);
1748 }
1749
1750 if (!select_alpn.empty() || decline_alpn || reject_alpn ||
1751 select_empty_alpn) {
1752 SSL_CTX_set_alpn_select_cb(ssl_ctx.get(), AlpnSelectCallback, NULL);
1753 }
1754
1755 SSL_CTX_set_current_time_cb(ssl_ctx.get(), CurrentTimeCallback);
1756
1757 SSL_CTX_set_info_callback(ssl_ctx.get(), InfoCallback);
1758 SSL_CTX_sess_set_new_cb(ssl_ctx.get(), NewSessionCallback);
1759
1760 if (use_ticket_callback || handshake_hints) {
1761 // If using handshake hints, always enable the ticket callback, so we can
1762 // check that hints only mismatch when allowed. The ticket callback also
1763 // uses a constant key, which simplifies the test.
1764 SSL_CTX_set_tlsext_ticket_key_cb(ssl_ctx.get(), TicketKeyCallback);
1765 }
1766
1767 if (!use_custom_verify_callback) {
1768 SSL_CTX_set_cert_verify_callback(ssl_ctx.get(), CertVerifyCallback, NULL);
1769 }
1770
1771 if (!signed_cert_timestamps.empty() &&
1772 !SSL_CTX_set_signed_cert_timestamp_list(
1773 ssl_ctx.get(), (const uint8_t *)signed_cert_timestamps.data(),
1774 signed_cert_timestamps.size())) {
1775 return nullptr;
1776 }
1777
1778 if (!use_client_ca_list.empty()) {
1779 if (use_client_ca_list == "<NULL>") {
1780 SSL_CTX_set_client_CA_list(ssl_ctx.get(), nullptr);
1781 } else if (use_client_ca_list == "<EMPTY>") {
1782 bssl::UniquePtr<STACK_OF(X509_NAME)> names;
1783 SSL_CTX_set_client_CA_list(ssl_ctx.get(), names.release());
1784 } else {
1785 bssl::UniquePtr<STACK_OF(X509_NAME)> names =
1786 DecodeHexX509Names(use_client_ca_list);
1787 SSL_CTX_set_client_CA_list(ssl_ctx.get(), names.release());
1788 }
1789 }
1790
1791 if (enable_grease) {
1792 SSL_CTX_set_grease_enabled(ssl_ctx.get(), 1);
1793 }
1794
1795 if (permute_extensions) {
1796 SSL_CTX_set_permute_extensions(ssl_ctx.get(), 1);
1797 }
1798
1799 if (!expect_server_name.empty()) {
1800 SSL_CTX_set_tlsext_servername_callback(ssl_ctx.get(), ServerNameCallback);
1801 }
1802
1803 if (enable_early_data) {
1804 SSL_CTX_set_early_data_enabled(ssl_ctx.get(), 1);
1805 }
1806
1807 if (allow_unknown_alpn_protos) {
1808 SSL_CTX_set_allow_unknown_alpn_protos(ssl_ctx.get(), 1);
1809 }
1810
1811 if (!verify_prefs.empty()) {
1812 if (!SSL_CTX_set_verify_algorithm_prefs(ssl_ctx.get(), verify_prefs.data(),
1813 verify_prefs.size())) {
1814 return nullptr;
1815 }
1816 }
1817
1818 SSL_CTX_set_msg_callback(ssl_ctx.get(), MessageCallback);
1819
1820 if (allow_false_start_without_alpn) {
1821 SSL_CTX_set_false_start_allowed_without_alpn(ssl_ctx.get(), 1);
1822 }
1823
1824 if (use_ocsp_callback) {
1825 SSL_CTX_set_tlsext_status_cb(ssl_ctx.get(), LegacyOCSPCallback);
1826 }
1827
1828 if (old_ctx) {
1829 uint8_t keys[48];
1830 if (!SSL_CTX_get_tlsext_ticket_keys(old_ctx, &keys, sizeof(keys)) ||
1831 !SSL_CTX_set_tlsext_ticket_keys(ssl_ctx.get(), keys, sizeof(keys))) {
1832 return nullptr;
1833 }
1834 CopySessions(ssl_ctx.get(), old_ctx);
1835 } else if (!ticket_key.empty() &&
1836 !SSL_CTX_set_tlsext_ticket_keys(ssl_ctx.get(), ticket_key.data(),
1837 ticket_key.size())) {
1838 return nullptr;
1839 }
1840
1841 // These mock compression algorithms match the corresponding ones in
1842 // |addCertCompressionTests|.
1843 if (!MaybeInstallCertCompressionAlg(
1844 this, ssl_ctx.get(), 0xff02,
1845 [](SSL *ssl, CBB *out, const uint8_t *in, size_t in_len) -> int {
1846 if (!CBB_add_u8(out, 1) || !CBB_add_u8(out, 2) ||
1847 !CBB_add_u8(out, 3) || !CBB_add_u8(out, 4) ||
1848 !CBB_add_bytes(out, in, in_len)) {
1849 return 0;
1850 }
1851 return 1;
1852 },
1853 [](SSL *ssl, CRYPTO_BUFFER **out, size_t uncompressed_len,
1854 const uint8_t *in, size_t in_len) -> int {
1855 if (in_len < 4 || in[0] != 1 || in[1] != 2 || in[2] != 3 ||
1856 in[3] != 4 || uncompressed_len != in_len - 4) {
1857 return 0;
1858 }
1859 const bssl::Span<const uint8_t> uncompressed(in + 4, in_len - 4);
1860 *out = CRYPTO_BUFFER_new(uncompressed.data(), uncompressed.size(),
1861 nullptr);
1862 return *out != nullptr;
1863 }) ||
1864 !MaybeInstallCertCompressionAlg(
1865 this, ssl_ctx.get(), 0xff01,
1866 [](SSL *ssl, CBB *out, const uint8_t *in, size_t in_len) -> int {
1867 if (in_len < 2 || in[0] != 0 || in[1] != 0) {
1868 return 0;
1869 }
1870 return CBB_add_bytes(out, in + 2, in_len - 2);
1871 },
1872 [](SSL *ssl, CRYPTO_BUFFER **out, size_t uncompressed_len,
1873 const uint8_t *in, size_t in_len) -> int {
1874 if (uncompressed_len != 2 + in_len) {
1875 return 0;
1876 }
1877 auto buf = std::make_unique<uint8_t[]>(2 + in_len);
1878 buf[0] = 0;
1879 buf[1] = 0;
1880 OPENSSL_memcpy(&buf[2], in, in_len);
1881 *out = CRYPTO_BUFFER_new(buf.get(), 2 + in_len, nullptr);
1882 return *out != nullptr;
1883 }) ||
1884 !MaybeInstallCertCompressionAlg(
1885 this, ssl_ctx.get(), 0xff03,
1886 [](SSL *ssl, CBB *out, const uint8_t *in, size_t in_len) -> int {
1887 uint8_t byte;
1888 return RAND_bytes(&byte, 1) && //
1889 CBB_add_u8(out, byte) && //
1890 CBB_add_bytes(out, in, in_len);
1891 },
1892 [](SSL *ssl, CRYPTO_BUFFER **out, size_t uncompressed_len,
1893 const uint8_t *in, size_t in_len) -> int {
1894 if (uncompressed_len + 1 != in_len) {
1895 return 0;
1896 }
1897 *out = CRYPTO_BUFFER_new(in + 1, in_len - 1, nullptr);
1898 return *out != nullptr;
1899 })) {
1900 fprintf(stderr, "SSL_CTX_add_cert_compression_alg failed.\n");
1901 abort();
1902 }
1903
1904 if (server_preference) {
1905 SSL_CTX_set_options(ssl_ctx.get(), SSL_OP_CIPHER_SERVER_PREFERENCE);
1906 }
1907
1908 if (is_quic) {
1909 SSL_CTX_set_quic_method(ssl_ctx.get(), &g_quic_method);
1910 }
1911
1912 return ssl_ctx;
1913 }
1914
DDoSCallback(const SSL_CLIENT_HELLO * client_hello)1915 static int DDoSCallback(const SSL_CLIENT_HELLO *client_hello) {
1916 const TestConfig *config = GetTestConfig(client_hello->ssl);
1917 return config->fail_ddos_callback ? 0 : 1;
1918 }
1919
PskClientCallback(SSL * ssl,const char * hint,char * out_identity,unsigned max_identity_len,uint8_t * out_psk,unsigned max_psk_len)1920 static unsigned PskClientCallback(SSL *ssl, const char *hint,
1921 char *out_identity, unsigned max_identity_len,
1922 uint8_t *out_psk, unsigned max_psk_len) {
1923 const TestConfig *config = GetTestConfig(ssl);
1924
1925 if (config->psk_identity.empty()) {
1926 if (hint != nullptr) {
1927 fprintf(stderr, "Server PSK hint was non-null.\n");
1928 return 0;
1929 }
1930 } else if (hint == nullptr ||
1931 strcmp(hint, config->psk_identity.c_str()) != 0) {
1932 fprintf(stderr, "Server PSK hint did not match.\n");
1933 return 0;
1934 }
1935
1936 // Account for the trailing '\0' for the identity.
1937 if (config->psk_identity.size() >= max_identity_len ||
1938 config->psk.size() > max_psk_len) {
1939 fprintf(stderr, "PSK buffers too small.\n");
1940 return 0;
1941 }
1942
1943 OPENSSL_strlcpy(out_identity, config->psk_identity.c_str(), max_identity_len);
1944 OPENSSL_memcpy(out_psk, config->psk.data(), config->psk.size());
1945 return static_cast<unsigned>(config->psk.size());
1946 }
1947
PskServerCallback(SSL * ssl,const char * identity,uint8_t * out_psk,unsigned max_psk_len)1948 static unsigned PskServerCallback(SSL *ssl, const char *identity,
1949 uint8_t *out_psk, unsigned max_psk_len) {
1950 const TestConfig *config = GetTestConfig(ssl);
1951
1952 if (strcmp(identity, config->psk_identity.c_str()) != 0) {
1953 fprintf(stderr, "Client PSK identity did not match.\n");
1954 return 0;
1955 }
1956
1957 if (config->psk.size() > max_psk_len) {
1958 fprintf(stderr, "PSK buffers too small.\n");
1959 return 0;
1960 }
1961
1962 OPENSSL_memcpy(out_psk, config->psk.data(), config->psk.size());
1963 return static_cast<unsigned>(config->psk.size());
1964 }
1965
CustomVerifyCallback(SSL * ssl,uint8_t * out_alert)1966 static ssl_verify_result_t CustomVerifyCallback(SSL *ssl, uint8_t *out_alert) {
1967 const TestConfig *config = GetTestConfig(ssl);
1968 if (!CheckVerifyCallback(ssl)) {
1969 return ssl_verify_invalid;
1970 }
1971
1972 if (config->async && !GetTestState(ssl)->custom_verify_ready) {
1973 return ssl_verify_retry;
1974 }
1975
1976 GetTestState(ssl)->cert_verified = true;
1977 if (config->verify_fail) {
1978 return ssl_verify_invalid;
1979 }
1980
1981 return ssl_verify_ok;
1982 }
1983
CertCallback(SSL * ssl,void * arg)1984 static int CertCallback(SSL *ssl, void *arg) {
1985 const TestConfig *config = GetTestConfig(ssl);
1986
1987 // Check the peer certificate metadata is as expected.
1988 if ((!SSL_is_server(ssl) && !CheckCertificateRequest(ssl)) ||
1989 !CheckPeerVerifyPrefs(ssl)) {
1990 return -1;
1991 }
1992
1993 if (config->fail_cert_callback) {
1994 return 0;
1995 }
1996
1997 // The certificate will be installed via other means.
1998 if (!config->async || config->use_early_callback) {
1999 return 1;
2000 }
2001
2002 if (!GetTestState(ssl)->cert_ready) {
2003 return -1;
2004 }
2005 if (!InstallCertificate(ssl)) {
2006 return 0;
2007 }
2008 return 1;
2009 }
2010
NewSSL(SSL_CTX * ssl_ctx,SSL_SESSION * session,std::unique_ptr<TestState> test_state) const2011 bssl::UniquePtr<SSL> TestConfig::NewSSL(
2012 SSL_CTX *ssl_ctx, SSL_SESSION *session,
2013 std::unique_ptr<TestState> test_state) const {
2014 bssl::UniquePtr<SSL> ssl(SSL_new(ssl_ctx));
2015 if (!ssl) {
2016 return nullptr;
2017 }
2018
2019 if (!SetTestConfig(ssl.get(), this)) {
2020 return nullptr;
2021 }
2022 if (test_state != nullptr) {
2023 if (!SetTestState(ssl.get(), std::move(test_state))) {
2024 return nullptr;
2025 }
2026 }
2027
2028 if (fallback_scsv && !SSL_set_mode(ssl.get(), SSL_MODE_SEND_FALLBACK_SCSV)) {
2029 return nullptr;
2030 }
2031 // Install the certificate synchronously if nothing else will handle it.
2032 if (!use_early_callback && !use_old_client_cert_callback && !async &&
2033 !InstallCertificate(ssl.get())) {
2034 return nullptr;
2035 }
2036 if (!use_old_client_cert_callback) {
2037 SSL_set_cert_cb(ssl.get(), CertCallback, nullptr);
2038 }
2039 int mode = SSL_VERIFY_NONE;
2040 if (require_any_client_certificate) {
2041 mode = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
2042 }
2043 if (verify_peer) {
2044 mode = SSL_VERIFY_PEER;
2045 }
2046 if (verify_peer_if_no_obc) {
2047 // Set SSL_VERIFY_FAIL_IF_NO_PEER_CERT so testing whether client
2048 // certificates were requested is easy.
2049 mode = SSL_VERIFY_PEER | SSL_VERIFY_PEER_IF_NO_OBC |
2050 SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
2051 }
2052 if (use_custom_verify_callback) {
2053 SSL_set_custom_verify(ssl.get(), mode, CustomVerifyCallback);
2054 } else if (mode != SSL_VERIFY_NONE) {
2055 SSL_set_verify(ssl.get(), mode, NULL);
2056 }
2057 if (false_start) {
2058 SSL_set_mode(ssl.get(), SSL_MODE_ENABLE_FALSE_START);
2059 }
2060 if (cbc_record_splitting) {
2061 SSL_set_mode(ssl.get(), SSL_MODE_CBC_RECORD_SPLITTING);
2062 }
2063 if (partial_write) {
2064 SSL_set_mode(ssl.get(), SSL_MODE_ENABLE_PARTIAL_WRITE);
2065 }
2066 if (reverify_on_resume) {
2067 SSL_CTX_set_reverify_on_resume(ssl_ctx, 1);
2068 }
2069 if (ignore_rsa_key_usage) {
2070 SSL_set_enforce_rsa_key_usage(ssl.get(), 0);
2071 }
2072 if (no_check_client_certificate_type) {
2073 SSL_set_check_client_certificate_type(ssl.get(), 0);
2074 }
2075 if (no_check_ecdsa_curve) {
2076 SSL_set_check_ecdsa_curve(ssl.get(), 0);
2077 }
2078 if (no_tls13) {
2079 SSL_set_options(ssl.get(), SSL_OP_NO_TLSv1_3);
2080 }
2081 if (no_tls12) {
2082 SSL_set_options(ssl.get(), SSL_OP_NO_TLSv1_2);
2083 }
2084 if (no_tls11) {
2085 SSL_set_options(ssl.get(), SSL_OP_NO_TLSv1_1);
2086 }
2087 if (no_tls1) {
2088 SSL_set_options(ssl.get(), SSL_OP_NO_TLSv1);
2089 }
2090 if (no_ticket) {
2091 SSL_set_options(ssl.get(), SSL_OP_NO_TICKET);
2092 }
2093 if (!expect_channel_id.empty() || enable_channel_id) {
2094 SSL_set_tls_channel_id_enabled(ssl.get(), 1);
2095 }
2096 if (enable_ech_grease) {
2097 SSL_set_enable_ech_grease(ssl.get(), 1);
2098 }
2099 if (static_cast<int>(fips_202205) + static_cast<int>(wpa_202304) > 1) {
2100 fprintf(stderr, "Multiple policy options given\n");
2101 return nullptr;
2102 }
2103 if (fips_202205 && !SSL_set_compliance_policy(
2104 ssl.get(), ssl_compliance_policy_fips_202205)) {
2105 fprintf(stderr, "SSL_set_compliance_policy failed\n");
2106 return nullptr;
2107 }
2108 if (wpa_202304 && !SSL_set_compliance_policy(
2109 ssl.get(), ssl_compliance_policy_wpa3_192_202304)) {
2110 fprintf(stderr, "SSL_set_compliance_policy failed\n");
2111 return nullptr;
2112 }
2113 if (!ech_config_list.empty() &&
2114 !SSL_set1_ech_config_list(
2115 ssl.get(), reinterpret_cast<const uint8_t *>(ech_config_list.data()),
2116 ech_config_list.size())) {
2117 return nullptr;
2118 }
2119 if (ech_server_configs.size() != ech_server_keys.size() ||
2120 ech_server_configs.size() != ech_is_retry_config.size()) {
2121 fprintf(stderr,
2122 "-ech-server-config, -ech-server-key, and -ech-is-retry-config "
2123 "flags must match.\n");
2124 return nullptr;
2125 }
2126 if (!ech_server_configs.empty()) {
2127 bssl::UniquePtr<SSL_ECH_KEYS> keys(SSL_ECH_KEYS_new());
2128 if (!keys) {
2129 return nullptr;
2130 }
2131 for (size_t i = 0; i < ech_server_configs.size(); i++) {
2132 const std::string &ech_config = ech_server_configs[i];
2133 const std::string &ech_private_key = ech_server_keys[i];
2134 const int is_retry_config = ech_is_retry_config[i];
2135 bssl::ScopedEVP_HPKE_KEY key;
2136 if (!EVP_HPKE_KEY_init(
2137 key.get(), EVP_hpke_x25519_hkdf_sha256(),
2138 reinterpret_cast<const uint8_t *>(ech_private_key.data()),
2139 ech_private_key.size()) ||
2140 !SSL_ECH_KEYS_add(
2141 keys.get(), is_retry_config,
2142 reinterpret_cast<const uint8_t *>(ech_config.data()),
2143 ech_config.size(), key.get())) {
2144 return nullptr;
2145 }
2146 }
2147 if (!SSL_CTX_set1_ech_keys(ssl_ctx, keys.get())) {
2148 return nullptr;
2149 }
2150 }
2151 if (!send_channel_id.empty()) {
2152 bssl::UniquePtr<EVP_PKEY> pkey = LoadPrivateKey(send_channel_id);
2153 if (!pkey || !SSL_set1_tls_channel_id(ssl.get(), pkey.get())) {
2154 return nullptr;
2155 }
2156 }
2157 if (!host_name.empty() &&
2158 !SSL_set_tlsext_host_name(ssl.get(), host_name.c_str())) {
2159 return nullptr;
2160 }
2161 if (!advertise_alpn.empty() &&
2162 SSL_set_alpn_protos(
2163 ssl.get(), reinterpret_cast<const uint8_t *>(advertise_alpn.data()),
2164 advertise_alpn.size()) != 0) {
2165 return nullptr;
2166 }
2167 if (!defer_alps) {
2168 for (const auto &pair : application_settings) {
2169 if (!SSL_add_application_settings(
2170 ssl.get(), reinterpret_cast<const uint8_t *>(pair.first.data()),
2171 pair.first.size(),
2172 reinterpret_cast<const uint8_t *>(pair.second.data()),
2173 pair.second.size())) {
2174 return nullptr;
2175 }
2176 }
2177 }
2178 if (!psk.empty()) {
2179 SSL_set_psk_client_callback(ssl.get(), PskClientCallback);
2180 SSL_set_psk_server_callback(ssl.get(), PskServerCallback);
2181 }
2182 if (!psk_identity.empty() &&
2183 !SSL_use_psk_identity_hint(ssl.get(), psk_identity.c_str())) {
2184 return nullptr;
2185 }
2186 if (!srtp_profiles.empty() &&
2187 !SSL_set_srtp_profiles(ssl.get(), srtp_profiles.c_str())) {
2188 return nullptr;
2189 }
2190 if (enable_ocsp_stapling) {
2191 SSL_enable_ocsp_stapling(ssl.get());
2192 }
2193 if (enable_signed_cert_timestamps) {
2194 SSL_enable_signed_cert_timestamps(ssl.get());
2195 }
2196 // (D)TLS 1.0 and 1.1 are disabled by default, but the runner expects them to
2197 // be enabled.
2198 // TODO(davidben): Update the tests to explicitly enable the versions they
2199 // need.
2200 if (!SSL_set_min_proto_version(
2201 ssl.get(), SSL_is_dtls(ssl.get()) ? DTLS1_VERSION : TLS1_VERSION)) {
2202 return nullptr;
2203 }
2204 if (min_version != 0 &&
2205 !SSL_set_min_proto_version(ssl.get(), min_version)) {
2206 return nullptr;
2207 }
2208 if (max_version != 0 &&
2209 !SSL_set_max_proto_version(ssl.get(), max_version)) {
2210 return nullptr;
2211 }
2212 if (mtu != 0) {
2213 SSL_set_options(ssl.get(), SSL_OP_NO_QUERY_MTU);
2214 SSL_set_mtu(ssl.get(), mtu);
2215 }
2216 if (install_ddos_callback) {
2217 SSL_CTX_set_dos_protection_cb(ssl_ctx, DDoSCallback);
2218 }
2219 SSL_set_shed_handshake_config(ssl.get(), true);
2220 if (renegotiate_once) {
2221 SSL_set_renegotiate_mode(ssl.get(), ssl_renegotiate_once);
2222 }
2223 if (renegotiate_freely || forbid_renegotiation_after_handshake) {
2224 // |forbid_renegotiation_after_handshake| will disable renegotiation later.
2225 SSL_set_renegotiate_mode(ssl.get(), ssl_renegotiate_freely);
2226 }
2227 if (renegotiate_ignore) {
2228 SSL_set_renegotiate_mode(ssl.get(), ssl_renegotiate_ignore);
2229 }
2230 if (renegotiate_explicit) {
2231 SSL_set_renegotiate_mode(ssl.get(), ssl_renegotiate_explicit);
2232 }
2233 if (!check_close_notify) {
2234 SSL_set_quiet_shutdown(ssl.get(), 1);
2235 }
2236 if (!curves.empty() &&
2237 !SSL_set1_group_ids(ssl.get(), curves.data(), curves.size())) {
2238 return nullptr;
2239 }
2240 if (initial_timeout_duration_ms > 0) {
2241 DTLSv1_set_initial_timeout_duration(ssl.get(), initial_timeout_duration_ms);
2242 }
2243 if (max_cert_list > 0) {
2244 SSL_set_max_cert_list(ssl.get(), max_cert_list);
2245 }
2246 if (retain_only_sha256_client_cert) {
2247 SSL_set_retain_only_sha256_of_client_certs(ssl.get(), 1);
2248 }
2249 if (max_send_fragment > 0) {
2250 SSL_set_max_send_fragment(ssl.get(), max_send_fragment);
2251 }
2252 if (alps_use_new_codepoint) {
2253 SSL_set_alps_use_new_codepoint(ssl.get(), 1);
2254 }
2255 if (quic_use_legacy_codepoint != -1) {
2256 SSL_set_quic_use_legacy_codepoint(ssl.get(), quic_use_legacy_codepoint);
2257 }
2258 if (!quic_transport_params.empty()) {
2259 if (!SSL_set_quic_transport_params(
2260 ssl.get(),
2261 reinterpret_cast<const uint8_t *>(quic_transport_params.data()),
2262 quic_transport_params.size())) {
2263 return nullptr;
2264 }
2265 }
2266 if (jdk11_workaround) {
2267 SSL_set_jdk11_workaround(ssl.get(), 1);
2268 }
2269
2270 if (session != NULL) {
2271 if (!is_server) {
2272 if (SSL_set_session(ssl.get(), session) != 1) {
2273 return nullptr;
2274 }
2275 } else if (async) {
2276 // The internal session cache is disabled, so install the session
2277 // manually.
2278 SSL_SESSION_up_ref(session);
2279 GetTestState(ssl.get())->pending_session.reset(session);
2280 }
2281 }
2282
2283 if (!quic_early_data_context.empty() &&
2284 !SSL_set_quic_early_data_context(
2285 ssl.get(),
2286 reinterpret_cast<const uint8_t *>(quic_early_data_context.data()),
2287 quic_early_data_context.size())) {
2288 return nullptr;
2289 }
2290
2291 return ssl;
2292 }
2293