libtls: add basic regress for ALPN

This currently only tests the behavior for successful protocol negotiations since the test expects all handshakes to complete.
author: tb <> 2025-06-04 10:28:00 +0000
committer: tb <> 2025-06-04 10:28:00 +0000
commit: 1ada8decb2076b5bdee513d8dbfd81ff1cbd1dc3 (patch)
tree: 39f1254f9903b40433e835b966abb934a9cb6a66 /src
parent: 2237cbfc7bb81e07c1a424f450cd6e0946803679 (diff)
download: openbsd-1ada8decb2076b5bdee513d8dbfd81ff1cbd1dc3.tar.gz
openbsd-1ada8decb2076b5bdee513d8dbfd81ff1cbd1dc3.tar.bz2
openbsd-1ada8decb2076b5bdee513d8dbfd81ff1cbd1dc3.zip
1 files changed, 138 insertions, 1 deletions
diff --git a/src/regress/lib/libtls/tls/tlstest.c b/src/regress/lib/libtls/tls/tlstest.c
index b675c798b4..d52156128d 100644
--- a/src/regress/lib/libtls/tls/tlstest.c
+++ b/src/regress/lib/libtls/tls/tlstest.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tlstest.c,v 1.16 2024/08/02 15:02:22 tb Exp $ */
+/* $OpenBSD: tlstest.c,v 1.17 2025/06/04 10:28:00 tb Exp $ */
 /*
 * Copyright (c) 2017 Joel Sing <jsing@openbsd.org>
 *
@@ -531,6 +531,142 @@ do_tls_version_tests(void)
        return failure;
 }
+static int
+test_tls_alpn(const char *client_alpn, const char *server_alpn,
+    const char *selected)
+{
+        struct tls_config *client_cfg, *server_cfg;
+        struct tls *client, *server, *server_cctx;
+        const char *got_server, *got_client;
+        int failed = 1;
+        if ((client = tls_client()) == NULL)
+                errx(1, "failed to create tls client");
+        if ((client_cfg = tls_config_new()) == NULL)
+                errx(1, "failed to create tls client config");
+        tls_config_insecure_noverifyname(client_cfg);
+        if (tls_config_set_alpn(client_cfg, client_alpn) == -1)
+                errx(1, "failed to set alpn: %s", tls_config_error(client_cfg));
+        if (tls_config_set_ca_file(client_cfg, cafile) == -1)
+                errx(1, "failed to set ca: %s", tls_config_error(client_cfg));
+        if ((server = tls_server()) == NULL)
+                errx(1, "failed to create tls server");
+        if ((server_cfg = tls_config_new()) == NULL)
+                errx(1, "failed to create tls server config");
+        if (tls_config_set_alpn(server_cfg, server_alpn) == -1)
+                errx(1, "failed to set alpn: %s", tls_config_error(server_cfg));
+        if (tls_config_set_keypair_file(server_cfg, certfile, keyfile) == -1)
+                errx(1, "failed to set keypair: %s",
+                    tls_config_error(server_cfg));
+        if (tls_configure(client, client_cfg) == -1)
+                errx(1, "failed to configure client: %s", tls_error(client));
+        tls_reset(server);
+        if (tls_configure(server, server_cfg) == -1)
+                errx(1, "failed to configure server: %s", tls_error(server));
+        tls_config_free(client_cfg);
+        tls_config_free(server_cfg);
+        circular_init();
+        if (tls_accept_cbs(server, &server_cctx, server_read, server_write,
+            NULL) == -1)
+                errx(1, "failed to accept: %s", tls_error(server));
+        if (tls_connect_cbs(client, client_read, client_write, NULL,
+            "test") == -1)
+                errx(1, "failed to connect: %s", tls_error(client));
+        if (do_client_server_test("alpn", client, server_cctx) != 0)
+                goto fail;
+        got_server = tls_conn_alpn_selected(server_cctx);
+        got_client = tls_conn_alpn_selected(client);
+        if (got_server == NULL || got_client == NULL) {
+                printf("FAIL: expected ALPN for server and client, got "
+                    "server: %p, client %p\n", got_server, got_client);
+                goto fail;
+        }
+        if (strcmp(got_server, got_client) != 0) {
+                printf("FAIL: ALPN mismatch: server %s, client %s\n",
+                    got_server, got_client);
+                goto fail;
+        }
+        if (strcmp(selected, got_server) != 0) {
+                printf("FAIL: ALPN mismatch: want %s, got %s\n",
+                    selected, got_server);
+                goto fail;
+        }
+        failed = 0;
+ fail:
+        tls_free(client);
+        tls_free(server);
+        tls_free(server_cctx);
+        return (failed);
+}
+static const struct test_alpn {
+        const char *client;
+        const char *server;
+        const char *selected;
+} tls_test_alpn[] = {
+        {
+                .client = "http/2,http/1.1",
+                .server = "http/1.1",
+                .selected = "http/1.1",
+        },
+        {
+                .client = "http/2,http/1.1",
+                .server = "http/2,http/1.1",
+                .selected = "http/2",
+        },
+        {
+                .client = "http/1.1,http/2",
+                .server = "http/2,http/1.1",
+                .selected = "http/2",
+        },
+        {
+                .client = "http/2,http/1.1",
+                .server = "http/1.1,http/2",
+                .selected = "http/1.1",
+        },
+        {
+                .client = "http/1.1",
+                .server = "http/2,http/1.1",
+                .selected = "http/1.1",
+        },
+};
+#define N_TLS_ALPN_TESTS (sizeof(tls_test_alpn) / sizeof(tls_test_alpn[0]))
+static int
+do_tls_alpn_tests(void)
+{
+        const struct test_alpn *ta;
+        int failure = 0;
+        size_t i;
+        printf("== TLS alpn tests ==\n");
+        for (i = 0; i < N_TLS_ALPN_TESTS; i++) {
+                ta = &tls_test_alpn[i];
+                printf("INFO: alpn test %zu - client alpn '%s' "
+                    "and server alpn '%s'\n", i, ta->client, ta->server);
+                failure |= test_tls_alpn(ta->client, ta->server, ta->selected);
+                printf("\n");
+        }
+        return failure;
+}
 int
 main(int argc, char **argv)
 {
@@ -549,6 +685,7 @@ main(int argc, char **argv)
        failure |= do_tls_tests();
        failure |= do_tls_ordering_tests();
        failure |= do_tls_version_tests();
+        failure |= do_tls_alpn_tests();
        return (failure);
 }
author	tb <>	2025-06-04 10:28:00 +0000
committer	tb <>	2025-06-04 10:28:00 +0000
commit	1ada8decb2076b5bdee513d8dbfd81ff1cbd1dc3 (patch)
tree	39f1254f9903b40433e835b966abb934a9cb6a66 /src
parent	2237cbfc7bb81e07c1a424f450cd6e0946803679 (diff)
download	openbsd-1ada8decb2076b5bdee513d8dbfd81ff1cbd1dc3.tar.gz openbsd-1ada8decb2076b5bdee513d8dbfd81ff1cbd1dc3.tar.bz2 openbsd-1ada8decb2076b5bdee513d8dbfd81ff1cbd1dc3.zip

diff --git a/src/regress/lib/libtls/tls/tlstest.c b/src/regress/lib/libtls/tls/tlstest.c index b675c798b4..d52156128d 100644 --- a/src/regress/lib/libtls/tls/tlstest.c +++ b/src/regress/lib/libtls/tls/tlstest.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tlstest.c,v 1.16 2024/08/02 15:02:22 tb Exp $ */	1	/* $OpenBSD: tlstest.c,v 1.17 2025/06/04 10:28:00 tb Exp $ */
2	/*	2	/*
3	* Copyright (c) 2017 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2017 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -531,6 +531,142 @@ do_tls_version_tests(void)
531	return failure;	531	return failure;
532	}	532	}
533		533
		534	static int
		535	test_tls_alpn(const char client_alpn, const char server_alpn,
		536	const char *selected)
		537	{
		538	struct tls_config client_cfg, server_cfg;
		539	struct tls client, server, *server_cctx;
		540	const char got_server, got_client;
		541	int failed = 1;
		542
		543	if ((client = tls_client()) == NULL)
		544	errx(1, "failed to create tls client");
		545	if ((client_cfg = tls_config_new()) == NULL)
		546	errx(1, "failed to create tls client config");
		547	tls_config_insecure_noverifyname(client_cfg);
		548	if (tls_config_set_alpn(client_cfg, client_alpn) == -1)
		549	errx(1, "failed to set alpn: %s", tls_config_error(client_cfg));
		550	if (tls_config_set_ca_file(client_cfg, cafile) == -1)
		551	errx(1, "failed to set ca: %s", tls_config_error(client_cfg));
		552
		553	if ((server = tls_server()) == NULL)
		554	errx(1, "failed to create tls server");
		555	if ((server_cfg = tls_config_new()) == NULL)
		556	errx(1, "failed to create tls server config");
		557	if (tls_config_set_alpn(server_cfg, server_alpn) == -1)
		558	errx(1, "failed to set alpn: %s", tls_config_error(server_cfg));
		559	if (tls_config_set_keypair_file(server_cfg, certfile, keyfile) == -1)
		560	errx(1, "failed to set keypair: %s",
		561	tls_config_error(server_cfg));
		562
		563	if (tls_configure(client, client_cfg) == -1)
		564	errx(1, "failed to configure client: %s", tls_error(client));
		565	tls_reset(server);
		566	if (tls_configure(server, server_cfg) == -1)
		567	errx(1, "failed to configure server: %s", tls_error(server));
		568
		569	tls_config_free(client_cfg);
		570	tls_config_free(server_cfg);
		571
		572	circular_init();
		573
		574	if (tls_accept_cbs(server, &server_cctx, server_read, server_write,
		575	NULL) == -1)
		576	errx(1, "failed to accept: %s", tls_error(server));
		577
		578	if (tls_connect_cbs(client, client_read, client_write, NULL,
		579	"test") == -1)
		580	errx(1, "failed to connect: %s", tls_error(client));
		581
		582	if (do_client_server_test("alpn", client, server_cctx) != 0)
		583	goto fail;
		584
		585	got_server = tls_conn_alpn_selected(server_cctx);
		586	got_client = tls_conn_alpn_selected(client);
		587
		588	if (got_server == NULL \|\| got_client == NULL) {
		589	printf("FAIL: expected ALPN for server and client, got "
		590	"server: %p, client %p\n", got_server, got_client);
		591	goto fail;
		592	}
		593
		594	if (strcmp(got_server, got_client) != 0) {
		595	printf("FAIL: ALPN mismatch: server %s, client %s\n",
		596	got_server, got_client);
		597	goto fail;
		598	}
		599
		600	if (strcmp(selected, got_server) != 0) {
		601	printf("FAIL: ALPN mismatch: want %s, got %s\n",
		602	selected, got_server);
		603	goto fail;
		604	}
		605
		606	failed = 0;
		607
		608	fail:
		609	tls_free(client);
		610	tls_free(server);
		611	tls_free(server_cctx);
		612
		613	return (failed);
		614	}
		615
		616	static const struct test_alpn {
		617	const char *client;
		618	const char *server;
		619	const char *selected;
		620	} tls_test_alpn[] = {
		621	{
		622	.client = "http/2,http/1.1",
		623	.server = "http/1.1",
		624	.selected = "http/1.1",
		625	},
		626	{
		627	.client = "http/2,http/1.1",
		628	.server = "http/2,http/1.1",
		629	.selected = "http/2",
		630	},
		631	{
		632	.client = "http/1.1,http/2",
		633	.server = "http/2,http/1.1",
		634	.selected = "http/2",
		635	},
		636	{
		637	.client = "http/2,http/1.1",
		638	.server = "http/1.1,http/2",
		639	.selected = "http/1.1",
		640	},
		641	{
		642	.client = "http/1.1",
		643	.server = "http/2,http/1.1",
		644	.selected = "http/1.1",
		645	},
		646	};
		647
		648	#define N_TLS_ALPN_TESTS (sizeof(tls_test_alpn) / sizeof(tls_test_alpn[0]))
		649
		650	static int
		651	do_tls_alpn_tests(void)
		652	{
		653	const struct test_alpn *ta;
		654	int failure = 0;
		655	size_t i;
		656
		657	printf("== TLS alpn tests ==\n");
		658
		659	for (i = 0; i < N_TLS_ALPN_TESTS; i++) {
		660	ta = &tls_test_alpn[i];
		661	printf("INFO: alpn test %zu - client alpn '%s' "
		662	"and server alpn '%s'\n", i, ta->client, ta->server);
		663	failure \|= test_tls_alpn(ta->client, ta->server, ta->selected);
		664	printf("\n");
		665	}
		666
		667	return failure;
		668	}
		669
534	int	670	int
535	main(int argc, char **argv)	671	main(int argc, char **argv)
536	{	672	{
@@ -549,6 +685,7 @@ main(int argc, char **argv)
549	failure \|= do_tls_tests();	685	failure \|= do_tls_tests();
550	failure \|= do_tls_ordering_tests();	686	failure \|= do_tls_ordering_tests();
551	failure \|= do_tls_version_tests();	687	failure \|= do_tls_version_tests();
		688	failure \|= do_tls_alpn_tests();
552		689
553	return (failure);	690	return (failure);
554	}	691	}