summaryrefslogtreecommitdiff
path: root/src/regress/lib/libssl/tlsext/tlsexttest.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/regress/lib/libssl/tlsext/tlsexttest.c')
-rw-r--r--src/regress/lib/libssl/tlsext/tlsexttest.c3650
1 files changed, 0 insertions, 3650 deletions
diff --git a/src/regress/lib/libssl/tlsext/tlsexttest.c b/src/regress/lib/libssl/tlsext/tlsexttest.c
deleted file mode 100644
index 4d7d22de8e..0000000000
--- a/src/regress/lib/libssl/tlsext/tlsexttest.c
+++ /dev/null
@@ -1,3650 +0,0 @@
1/* $OpenBSD: tlsexttest.c,v 1.49 2021/03/24 21:36:26 tb Exp $ */
2/*
3 * Copyright (c) 2017 Joel Sing <jsing@openbsd.org>
4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
5 * Copyright (c) 2019 Bob Beck <beck@openbsd.org>
6 *
7 * Permission to use, copy, modify, and distribute this software for any
8 * purpose with or without fee is hereby granted, provided that the above
9 * copyright notice and this permission notice appear in all copies.
10 *
11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 */
19
20#include <err.h>
21
22#include "ssl_locl.h"
23
24#include "bytestring.h"
25#include "ssl_tlsext.h"
26
27static void
28hexdump(const unsigned char *buf, size_t len)
29{
30 size_t i;
31
32 for (i = 1; i <= len; i++)
33 fprintf(stderr, " 0x%02hhx,%s", buf[i - 1], i % 8 ? "" : "\n");
34
35 fprintf(stderr, "\n");
36}
37
38static void
39hexdump2(const uint16_t *buf, size_t len)
40{
41 size_t i;
42
43 for (i = 1; i <= len / 2; i++)
44 fprintf(stderr, " 0x%04hx,%s", buf[i - 1], i % 8 ? "" : "\n");
45
46 fprintf(stderr, "\n");
47}
48
49static void
50compare_data(const uint8_t *recv, size_t recv_len, const uint8_t *expect,
51 size_t expect_len)
52{
53 fprintf(stderr, "received:\n");
54 hexdump(recv, recv_len);
55
56 fprintf(stderr, "test data:\n");
57 hexdump(expect, expect_len);
58}
59
60static void
61compare_data2(const uint16_t *recv, size_t recv_len, const uint16_t *expect,
62 size_t expect_len)
63{
64 fprintf(stderr, "received:\n");
65 hexdump2(recv, recv_len);
66
67 fprintf(stderr, "test data:\n");
68 hexdump2(expect, expect_len);
69}
70
71#define FAIL(msg, ...) \
72do { \
73 fprintf(stderr, "[%s:%d] FAIL: ", __FILE__, __LINE__); \
74 fprintf(stderr, msg, ##__VA_ARGS__); \
75} while(0)
76
77/*
78 * Supported Application-Layer Protocol Negotiation - RFC 7301
79 *
80 * There are already extensive unit tests for this so this just
81 * tests the state info.
82 */
83
84const uint8_t tlsext_alpn_multiple_protos_val[] = {
85 /* opaque ProtocolName<1..2^8-1> -- 'http/1.1' */
86 0x08, /* len */
87 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31,
88 /* opaque ProtocolName<1..2^8-1> -- 'stun.nat' */
89 0x09, /* len */
90 0x73, 0x74, 0x75, 0x6e, 0x2e, 0x74, 0x75, 0x72, 0x6e
91};
92
93const uint8_t tlsext_alpn_multiple_protos[] = {
94 /* ProtocolName protocol_name_list<2..2^16-1> -- ALPN names */
95 0x00, 0x13, /* len of all names */
96 /* opaque ProtocolName<1..2^8-1> -- 'http/1.1' */
97 0x08, /* len */
98 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31,
99 /* opaque ProtocolName<1..2^8-1> -- 'stun.nat' */
100 0x09, /* len */
101 0x73, 0x74, 0x75, 0x6e, 0x2e, 0x74, 0x75, 0x72, 0x6e
102};
103
104const uint8_t tlsext_alpn_single_proto_val[] = {
105 /* opaque ProtocolName<1..2^8-1> -- 'http/1.1' */
106 0x08, /* len */
107 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31
108};
109
110const uint8_t tlsext_alpn_single_proto_name[] = {
111 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31 /* 'http/1.1' */
112};
113
114const uint8_t tlsext_alpn_single_proto[] = {
115 /* ProtocolName protocol_name_list<2..2^16-1> -- ALPN names */
116 0x00, 0x09, /* len of all names */
117 /* opaque ProtocolName<1..2^8-1> -- 'http/1.1' */
118 0x08, /* len */
119 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31
120};
121
122static int
123test_tlsext_alpn_client(void)
124{
125 SSL_CTX *ssl_ctx = NULL;
126 SSL *ssl = NULL;
127 uint8_t *data = NULL;
128 CBB cbb;
129 CBS cbs;
130 int failure, alert;
131 size_t dlen;
132
133 CBB_init(&cbb, 0);
134
135 failure = 1;
136
137 if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL)
138 errx(1, "failed to create SSL_CTX");
139 if ((ssl = SSL_new(ssl_ctx)) == NULL)
140 errx(1, "failed to create SSL");
141
142 /* By default, we don't need this */
143 if (tlsext_alpn_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
144 FAIL("client should not need ALPN by default\n");
145 goto err;
146 }
147
148 /*
149 * Prereqs:
150 * 1) Set s->internal->alpn_client_proto_list
151 * - Using SSL_set_alpn_protos()
152 * 2) We have not finished or renegotiated.
153 * - S3I(s)->tmp.finish_md_len == 0
154 */
155 if (SSL_set_alpn_protos(ssl, tlsext_alpn_single_proto_val,
156 sizeof(tlsext_alpn_single_proto_val)) != 0) {
157 FAIL("should be able to set ALPN to http/1.1\n");
158 goto err;
159 }
160 if (!tlsext_alpn_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
161 FAIL("client should need ALPN by now\n");
162 goto err;
163 }
164
165 /* Make sure we can build the client with a single proto. */
166
167 if (!tlsext_alpn_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
168 FAIL("client failed to build ALPN\n");
169 goto err;
170 }
171 if (!CBB_finish(&cbb, &data, &dlen))
172 errx(1, "failed to finish CBB");
173
174 if (dlen != sizeof(tlsext_alpn_single_proto)) {
175 FAIL("got client ALPN with length %zu, "
176 "want length %zu\n", dlen,
177 sizeof(tlsext_alpn_single_proto));
178 compare_data(data, dlen, tlsext_alpn_single_proto,
179 sizeof(tlsext_alpn_single_proto));
180 goto err;
181 }
182 if (memcmp(data, tlsext_alpn_single_proto, dlen) != 0) {
183 FAIL("client ALPN differs:\n");
184 compare_data(data, dlen, tlsext_alpn_single_proto,
185 sizeof(tlsext_alpn_single_proto));
186 goto err;
187 }
188
189 CBB_cleanup(&cbb);
190 CBB_init(&cbb, 0);
191 free(data);
192 data = NULL;
193
194 /* Make sure we can parse the single proto. */
195
196 CBS_init(&cbs, tlsext_alpn_single_proto,
197 sizeof(tlsext_alpn_single_proto));
198 if (!tlsext_alpn_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
199 FAIL("failed to parse ALPN\n");
200 goto err;
201 }
202 if (CBS_len(&cbs) != 0) {
203 FAIL("extension data remaining\n");
204 goto err;
205 }
206
207 if (ssl->internal->alpn_client_proto_list_len !=
208 sizeof(tlsext_alpn_single_proto_val)) {
209 FAIL("got client ALPN with length %zu, "
210 "want length %zu\n", dlen,
211 sizeof(tlsext_alpn_single_proto_val));
212 compare_data(ssl->internal->alpn_client_proto_list,
213 ssl->internal->alpn_client_proto_list_len,
214 tlsext_alpn_single_proto_val,
215 sizeof(tlsext_alpn_single_proto_val));
216 goto err;
217 }
218 if (memcmp(ssl->internal->alpn_client_proto_list,
219 tlsext_alpn_single_proto_val,
220 sizeof(tlsext_alpn_single_proto_val)) != 0) {
221 FAIL("client ALPN differs:\n");
222 compare_data(data, dlen, tlsext_alpn_single_proto_val,
223 sizeof(tlsext_alpn_single_proto_val));
224 goto err;
225 }
226
227 /* Make sure we can build the clienthello with multiple entries. */
228
229 if (SSL_set_alpn_protos(ssl, tlsext_alpn_multiple_protos_val,
230 sizeof(tlsext_alpn_multiple_protos_val)) != 0) {
231 FAIL("should be able to set ALPN to http/1.1\n");
232 goto err;
233 }
234 if (!tlsext_alpn_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
235 FAIL("client should need ALPN by now\n");
236 goto err;
237 }
238
239 if (!tlsext_alpn_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
240 FAIL("client failed to build ALPN\n");
241 goto err;
242 }
243 if (!CBB_finish(&cbb, &data, &dlen))
244 errx(1, "failed to finish CBB");
245
246 if (dlen != sizeof(tlsext_alpn_multiple_protos)) {
247 FAIL("got client ALPN with length %zu, "
248 "want length %zu\n", dlen,
249 sizeof(tlsext_alpn_multiple_protos));
250 compare_data(data, dlen, tlsext_alpn_multiple_protos,
251 sizeof(tlsext_alpn_multiple_protos));
252 goto err;
253 }
254 if (memcmp(data, tlsext_alpn_multiple_protos, dlen) != 0) {
255 FAIL("client ALPN differs:\n");
256 compare_data(data, dlen, tlsext_alpn_multiple_protos,
257 sizeof(tlsext_alpn_multiple_protos));
258 goto err;
259 }
260
261 /* Make sure we can parse multiple protos */
262
263 CBS_init(&cbs, tlsext_alpn_multiple_protos,
264 sizeof(tlsext_alpn_multiple_protos));
265 if (!tlsext_alpn_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
266 FAIL("failed to parse ALPN\n");
267 goto err;
268 }
269 if (CBS_len(&cbs) != 0) {
270 FAIL("extension data remaining\n");
271 goto err;
272 }
273
274 if (ssl->internal->alpn_client_proto_list_len !=
275 sizeof(tlsext_alpn_multiple_protos_val)) {
276 FAIL("got client ALPN with length %zu, "
277 "want length %zu\n", dlen,
278 sizeof(tlsext_alpn_multiple_protos_val));
279 compare_data(ssl->internal->alpn_client_proto_list,
280 ssl->internal->alpn_client_proto_list_len,
281 tlsext_alpn_multiple_protos_val,
282 sizeof(tlsext_alpn_multiple_protos_val));
283 goto err;
284 }
285 if (memcmp(ssl->internal->alpn_client_proto_list,
286 tlsext_alpn_multiple_protos_val,
287 sizeof(tlsext_alpn_multiple_protos_val)) != 0) {
288 FAIL("client ALPN differs:\n");
289 compare_data(data, dlen, tlsext_alpn_multiple_protos_val,
290 sizeof(tlsext_alpn_multiple_protos_val));
291 goto err;
292 }
293
294 /* Make sure we can remove the list and avoid ALPN */
295
296 free(ssl->internal->alpn_client_proto_list);
297 ssl->internal->alpn_client_proto_list = NULL;
298 ssl->internal->alpn_client_proto_list_len = 0;
299
300 if (tlsext_alpn_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
301 FAIL("client should need ALPN by default\n");
302 goto err;
303 }
304
305 failure = 0;
306
307 err:
308 CBB_cleanup(&cbb);
309 SSL_CTX_free(ssl_ctx);
310 SSL_free(ssl);
311 free(data);
312
313 return (failure);
314}
315
316static int
317test_tlsext_alpn_server(void)
318{
319 SSL_CTX *ssl_ctx = NULL;
320 SSL *ssl = NULL;
321 uint8_t *data = NULL;
322 CBB cbb;
323 CBS cbs;
324 int failure, alert;
325 size_t dlen;
326
327 CBB_init(&cbb, 0);
328
329 failure = 1;
330
331 if ((ssl_ctx = SSL_CTX_new(TLS_server_method())) == NULL)
332 errx(1, "failed to create SSL_CTX");
333 if ((ssl = SSL_new(ssl_ctx)) == NULL)
334 errx(1, "failed to create SSL");
335
336 /* By default, ALPN isn't needed. */
337 if (tlsext_alpn_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
338 FAIL("server should not need ALPN by default\n");
339 goto err;
340 }
341
342 /*
343 * The server has a single ALPN selection which is set by
344 * SSL_CTX_set_alpn_select_cb() and calls SSL_select_next_proto().
345 *
346 * This will be a plain name and separate length.
347 */
348 if ((S3I(ssl)->alpn_selected = malloc(sizeof(tlsext_alpn_single_proto_name))) == NULL) {
349 errx(1, "failed to malloc");
350 }
351 memcpy(S3I(ssl)->alpn_selected, tlsext_alpn_single_proto_name,
352 sizeof(tlsext_alpn_single_proto_name));
353 S3I(ssl)->alpn_selected_len = sizeof(tlsext_alpn_single_proto_name);
354
355 if (!tlsext_alpn_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
356 FAIL("server should need ALPN after a protocol is selected\n");
357 goto err;
358 }
359
360 /* Make sure we can build a server with one protocol */
361
362 if (!tlsext_alpn_server_build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) {
363 FAIL("server should be able to build a response\n");
364 goto err;
365 }
366 if (!CBB_finish(&cbb, &data, &dlen))
367 errx(1, "failed to finish CBB");
368
369 if (dlen != sizeof(tlsext_alpn_single_proto)) {
370 FAIL("got client ALPN with length %zu, "
371 "want length %zu\n", dlen,
372 sizeof(tlsext_alpn_single_proto));
373 compare_data(data, dlen, tlsext_alpn_single_proto,
374 sizeof(tlsext_alpn_single_proto));
375 goto err;
376 }
377 if (memcmp(data, tlsext_alpn_single_proto, dlen) != 0) {
378 FAIL("client ALPN differs:\n");
379 compare_data(data, dlen, tlsext_alpn_single_proto,
380 sizeof(tlsext_alpn_single_proto));
381 goto err;
382 }
383
384 CBB_cleanup(&cbb);
385 CBB_init(&cbb, 0);
386 free(data);
387 data = NULL;
388
389 /* Make sure we can parse the single proto. */
390
391 CBS_init(&cbs, tlsext_alpn_single_proto,
392 sizeof(tlsext_alpn_single_proto));
393
394 /* Shouldn't be able to parse without requesting */
395 if (tlsext_alpn_client_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
396 FAIL("Should only parse server if we requested it\n");
397 goto err;
398 }
399
400 /* Should be able to parse once requested. */
401 if (SSL_set_alpn_protos(ssl, tlsext_alpn_single_proto_val,
402 sizeof(tlsext_alpn_single_proto_val)) != 0) {
403 FAIL("should be able to set ALPN to http/1.1\n");
404 goto err;
405 }
406 if (!tlsext_alpn_server_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
407 FAIL("Should be able to parse server when we request it\n");
408 goto err;
409 }
410 if (CBS_len(&cbs) != 0) {
411 FAIL("extension data remaining\n");
412 goto err;
413 }
414
415 if (S3I(ssl)->alpn_selected_len !=
416 sizeof(tlsext_alpn_single_proto_name)) {
417 FAIL("got server ALPN with length %zu, "
418 "want length %zu\n", dlen,
419 sizeof(tlsext_alpn_single_proto_name));
420 compare_data(S3I(ssl)->alpn_selected,
421 S3I(ssl)->alpn_selected_len,
422 tlsext_alpn_single_proto_name,
423 sizeof(tlsext_alpn_single_proto_name));
424 goto err;
425 }
426 if (memcmp(S3I(ssl)->alpn_selected,
427 tlsext_alpn_single_proto_name,
428 sizeof(tlsext_alpn_single_proto_name)) != 0) {
429 FAIL("server ALPN differs:\n");
430 compare_data(S3I(ssl)->alpn_selected,
431 S3I(ssl)->alpn_selected_len,
432 tlsext_alpn_single_proto_name,
433 sizeof(tlsext_alpn_single_proto_name));
434 goto err;
435 }
436
437 /*
438 * We should NOT be able to build a server with multiple
439 * protocol names. However, the existing code did not check for this
440 * case because it is passed in as an encoded value.
441 */
442
443 /* Make sure we can remove the list and avoid ALPN */
444
445 free(S3I(ssl)->alpn_selected);
446 S3I(ssl)->alpn_selected = NULL;
447 S3I(ssl)->alpn_selected_len = 0;
448
449 if (tlsext_alpn_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
450 FAIL("server should need ALPN by default\n");
451 goto err;
452 }
453
454 failure = 0;
455
456 err:
457 CBB_cleanup(&cbb);
458 SSL_CTX_free(ssl_ctx);
459 SSL_free(ssl);
460 free(data);
461
462 return (failure);
463
464}
465
466/*
467 * Supported Elliptic Curves - RFC 4492 section 5.1.1.
468 *
469 * This extension is only used by the client.
470 */
471
472static uint8_t tlsext_supportedgroups_client_default[] = {
473 0x00, 0x08,
474 0x00, 0x1d, /* X25519 (29) */
475 0x00, 0x17, /* secp256r1 (23) */
476 0x00, 0x18, /* secp384r1 (24) */
477 0x00, 0x19, /* secp521r1 (25) */
478};
479
480static uint16_t tlsext_supportedgroups_client_secp384r1_val[] = {
481 0x0018 /* tls1_ec_nid2curve_id(NID_secp384r1) */
482};
483static uint8_t tlsext_supportedgroups_client_secp384r1[] = {
484 0x00, 0x02,
485 0x00, 0x18 /* secp384r1 (24) */
486};
487
488/* Example from RFC 4492 section 5.1.1 */
489static uint16_t tlsext_supportedgroups_client_nistp192and224_val[] = {
490 0x0013, /* tls1_ec_nid2curve_id(NID_X9_62_prime192v1) */
491 0x0015 /* tls1_ec_nid2curve_id(NID_secp224r1) */
492};
493static uint8_t tlsext_supportedgroups_client_nistp192and224[] = {
494 0x00, 0x04,
495 0x00, 0x13, /* secp192r1 aka NIST P-192 */
496 0x00, 0x15 /* secp224r1 aka NIST P-224 */
497};
498
499static int
500test_tlsext_supportedgroups_client(void)
501{
502 unsigned char *data = NULL;
503 SSL_CTX *ssl_ctx = NULL;
504 SSL *ssl = NULL;
505 size_t dlen;
506 int failure, alert;
507 CBB cbb;
508 CBS cbs;
509
510 failure = 1;
511
512 if (!CBB_init(&cbb, 0))
513 errx(1, "failed to create CBB");
514
515 if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL)
516 errx(1, "failed to create SSL_CTX");
517 if ((ssl = SSL_new(ssl_ctx)) == NULL)
518 errx(1, "failed to create SSL");
519
520 /*
521 * Default ciphers include EC so we need it by default.
522 */
523 if (!tlsext_supportedgroups_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
524 FAIL("client should need Ellipticcurves for default "
525 "ciphers\n");
526 goto err;
527 }
528
529 /*
530 * Exclude cipher suites so we can test not including it.
531 */
532 if (!SSL_set_cipher_list(ssl, "TLSv1.2:!ECDHE:!ECDSA")) {
533 FAIL("client should be able to set cipher list\n");
534 goto err;
535 }
536 if (tlsext_supportedgroups_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
537 FAIL("client should not need Ellipticcurves\n");
538 goto err;
539 }
540
541 /*
542 * Use libtls default for the rest of the testing
543 */
544 if (!SSL_set_cipher_list(ssl, "TLSv1.2+AEAD+ECDHE")) {
545 FAIL("client should be able to set cipher list\n");
546 goto err;
547 }
548 if (!tlsext_supportedgroups_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
549 FAIL("client should need Ellipticcurves\n");
550 goto err;
551 }
552
553 /*
554 * Test with a session secp384r1. The default is used instead.
555 */
556 if ((ssl->session = SSL_SESSION_new()) == NULL)
557 errx(1, "failed to create session");
558
559 if ((SSI(ssl)->tlsext_supportedgroups = malloc(sizeof(uint16_t)))
560 == NULL) {
561 FAIL("client could not malloc\n");
562 goto err;
563 }
564 SSI(ssl)->tlsext_supportedgroups[0] = tls1_ec_nid2curve_id(NID_secp384r1);
565 SSI(ssl)->tlsext_supportedgroups_length = 1;
566
567 if (!tlsext_supportedgroups_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
568 FAIL("client should need Ellipticcurves\n");
569 goto err;
570 }
571
572 if (!tlsext_supportedgroups_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
573 FAIL("client failed to build Ellipticcurves\n");
574 goto err;
575 }
576
577 if (!CBB_finish(&cbb, &data, &dlen))
578 errx(1, "failed to finish CBB");
579
580 if (dlen != sizeof(tlsext_supportedgroups_client_default)) {
581 FAIL("got client Ellipticcurves with length %zu, "
582 "want length %zu\n", dlen,
583 sizeof(tlsext_supportedgroups_client_default));
584 compare_data(data, dlen, tlsext_supportedgroups_client_default,
585 sizeof(tlsext_supportedgroups_client_default));
586 goto err;
587 }
588
589 if (memcmp(data, tlsext_supportedgroups_client_default, dlen) != 0) {
590 FAIL("client Ellipticcurves differs:\n");
591 compare_data(data, dlen, tlsext_supportedgroups_client_default,
592 sizeof(tlsext_supportedgroups_client_default));
593 goto err;
594 }
595
596 /*
597 * Test parsing secp384r1
598 */
599 CBB_cleanup(&cbb);
600 CBB_init(&cbb, 0);
601 free(data);
602 data = NULL;
603
604 SSL_SESSION_free(ssl->session);
605 if ((ssl->session = SSL_SESSION_new()) == NULL)
606 errx(1, "failed to create session");
607
608 CBS_init(&cbs, tlsext_supportedgroups_client_secp384r1,
609 sizeof(tlsext_supportedgroups_client_secp384r1));
610 if (!tlsext_supportedgroups_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
611 FAIL("failed to parse client Ellipticcurves\n");
612 goto err;
613 }
614 if (CBS_len(&cbs) != 0) {
615 FAIL("extension data remaining\n");
616 goto err;
617 }
618
619 if (SSI(ssl)->tlsext_supportedgroups_length !=
620 sizeof(tlsext_supportedgroups_client_secp384r1_val) / sizeof(uint16_t)) {
621 FAIL("no tlsext_ellipticcurves from client "
622 "Ellipticcurves\n");
623 goto err;
624 }
625
626 if (memcmp(SSI(ssl)->tlsext_supportedgroups,
627 tlsext_supportedgroups_client_secp384r1_val,
628 sizeof(tlsext_supportedgroups_client_secp384r1_val)) != 0) {
629 FAIL("client had an incorrect Ellipticcurves "
630 "entry\n");
631 compare_data2(SSI(ssl)->tlsext_supportedgroups,
632 SSI(ssl)->tlsext_supportedgroups_length * 2,
633 tlsext_supportedgroups_client_secp384r1_val,
634 sizeof(tlsext_supportedgroups_client_secp384r1_val));
635 goto err;
636 }
637
638 /*
639 * Use a custom order.
640 */
641 CBB_cleanup(&cbb);
642 CBB_init(&cbb, 0);
643
644 SSL_SESSION_free(ssl->session);
645 if ((ssl->session = SSL_SESSION_new()) == NULL)
646 errx(1, "failed to create session");
647
648 if ((ssl->internal->tlsext_supportedgroups = malloc(sizeof(uint16_t) * 2)) == NULL) {
649 FAIL("client could not malloc\n");
650 goto err;
651 }
652 ssl->internal->tlsext_supportedgroups[0] = tls1_ec_nid2curve_id(NID_X9_62_prime192v1);
653 ssl->internal->tlsext_supportedgroups[1] = tls1_ec_nid2curve_id(NID_secp224r1);
654 ssl->internal->tlsext_supportedgroups_length = 2;
655
656 if (!tlsext_supportedgroups_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
657 FAIL("client should need Ellipticcurves\n");
658 goto err;
659 }
660
661 if (!tlsext_supportedgroups_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
662 FAIL("client failed to build Ellipticcurves\n");
663 goto err;
664 }
665
666 if (!CBB_finish(&cbb, &data, &dlen))
667 errx(1, "failed to finish CBB");
668
669 if (dlen != sizeof(tlsext_supportedgroups_client_nistp192and224)) {
670 FAIL("got client Ellipticcurves with length %zu, "
671 "want length %zu\n", dlen,
672 sizeof(tlsext_supportedgroups_client_nistp192and224));
673 fprintf(stderr, "received:\n");
674 hexdump(data, dlen);
675 fprintf(stderr, "test data:\n");
676 hexdump(tlsext_supportedgroups_client_nistp192and224,
677 sizeof(tlsext_supportedgroups_client_nistp192and224));
678 goto err;
679 }
680
681 if (memcmp(data, tlsext_supportedgroups_client_nistp192and224, dlen) != 0) {
682 FAIL("client Ellipticcurves differs:\n");
683 fprintf(stderr, "received:\n");
684 hexdump(data, dlen);
685 fprintf(stderr, "test data:\n");
686 hexdump(tlsext_supportedgroups_client_nistp192and224,
687 sizeof(tlsext_supportedgroups_client_nistp192and224));
688 goto err;
689 }
690
691 /*
692 * Parse non-default curves to session.
693 */
694 CBB_cleanup(&cbb);
695 CBB_init(&cbb, 0);
696 free(data);
697 data = NULL;
698
699 SSL_SESSION_free(ssl->session);
700 if ((ssl->session = SSL_SESSION_new()) == NULL)
701 errx(1, "failed to create session");
702
703 /* Reset back to the default list. */
704 free(ssl->internal->tlsext_supportedgroups);
705 ssl->internal->tlsext_supportedgroups = NULL;
706 ssl->internal->tlsext_supportedgroups_length = 0;
707
708 CBS_init(&cbs, tlsext_supportedgroups_client_nistp192and224,
709 sizeof(tlsext_supportedgroups_client_nistp192and224));
710 if (!tlsext_supportedgroups_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
711 FAIL("failed to parse client Ellipticcurves\n");
712 goto err;
713 }
714 if (CBS_len(&cbs) != 0) {
715 FAIL("extension data remaining\n");
716 goto err;
717 }
718
719 if (SSI(ssl)->tlsext_supportedgroups_length !=
720 sizeof(tlsext_supportedgroups_client_nistp192and224_val) / sizeof(uint16_t)) {
721 FAIL("no tlsext_ellipticcurves from client Ellipticcurves\n");
722 goto err;
723 }
724
725 if (memcmp(SSI(ssl)->tlsext_supportedgroups,
726 tlsext_supportedgroups_client_nistp192and224_val,
727 sizeof(tlsext_supportedgroups_client_nistp192and224_val)) != 0) {
728 FAIL("client had an incorrect Ellipticcurves entry\n");
729 compare_data2(SSI(ssl)->tlsext_supportedgroups,
730 SSI(ssl)->tlsext_supportedgroups_length * 2,
731 tlsext_supportedgroups_client_nistp192and224_val,
732 sizeof(tlsext_supportedgroups_client_nistp192and224_val));
733 goto err;
734 }
735
736 failure = 0;
737
738 err:
739 CBB_cleanup(&cbb);
740 SSL_CTX_free(ssl_ctx);
741 SSL_free(ssl);
742 free(data);
743
744 return (failure);
745}
746
747
748/* elliptic_curves is only used by the client so this doesn't test much. */
749static int
750test_tlsext_supportedgroups_server(void)
751{
752 SSL_CTX *ssl_ctx = NULL;
753 SSL *ssl = NULL;
754 int failure;
755
756 failure = 1;
757
758 if ((ssl_ctx = SSL_CTX_new(TLS_server_method())) == NULL)
759 errx(1, "failed to create SSL_CTX");
760 if ((ssl = SSL_new(ssl_ctx)) == NULL)
761 errx(1, "failed to create SSL");
762
763 if (tlsext_supportedgroups_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
764 FAIL("server should not need elliptic_curves\n");
765 goto err;
766 }
767
768 if ((ssl->session = SSL_SESSION_new()) == NULL)
769 errx(1, "failed to create session");
770
771 if (tlsext_supportedgroups_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
772 FAIL("server should not need elliptic_curves\n");
773 goto err;
774 }
775
776 failure = 0;
777
778 err:
779 SSL_CTX_free(ssl_ctx);
780 SSL_free(ssl);
781
782 return (failure);
783
784}
785
786/*
787 * Supported Point Formats - RFC 4492 section 5.1.2.
788 *
789 * Examples are from the RFC. Both client and server have the same build and
790 * parse but the needs differ.
791 */
792
793static uint8_t tlsext_ecpf_hello_uncompressed_val[] = {
794 TLSEXT_ECPOINTFORMAT_uncompressed
795};
796static uint8_t tlsext_ecpf_hello_uncompressed[] = {
797 0x01,
798 0x00 /* TLSEXT_ECPOINTFORMAT_uncompressed */
799};
800
801static uint8_t tlsext_ecpf_hello_prime[] = {
802 0x01,
803 0x01 /* TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime */
804};
805
806static uint8_t tlsext_ecpf_hello_prefer_order_val[] = {
807 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
808 TLSEXT_ECPOINTFORMAT_uncompressed,
809 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
810};
811static uint8_t tlsext_ecpf_hello_prefer_order[] = {
812 0x03,
813 0x01, /* TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime */
814 0x00, /* TLSEXT_ECPOINTFORMAT_uncompressed */
815 0x02 /* TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2 */
816};
817
818static int
819test_tlsext_ecpf_client(void)
820{
821 uint8_t *data = NULL;
822 SSL_CTX *ssl_ctx = NULL;
823 SSL *ssl = NULL;
824 size_t dlen;
825 int failure, alert;
826 CBB cbb;
827 CBS cbs;
828
829 failure = 1;
830
831 CBB_init(&cbb, 0);
832
833 if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL)
834 errx(1, "failed to create SSL_CTX");
835 if ((ssl = SSL_new(ssl_ctx)) == NULL)
836 errx(1, "failed to create SSL");
837
838 /*
839 * Default ciphers include EC so we need it by default.
840 */
841 if (!tlsext_ecpf_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
842 FAIL("client should need ECPointFormats for default "
843 "ciphers\n");
844 goto err;
845 }
846
847 /*
848 * Exclude EC cipher suites so we can test not including it.
849 */
850 if (!SSL_set_cipher_list(ssl, "ALL:!ECDHE:!ECDH")) {
851 FAIL("client should be able to set cipher list\n");
852 goto err;
853 }
854 if (tlsext_ecpf_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
855 FAIL("client should not need ECPointFormats\n");
856 goto err;
857 }
858
859 /*
860 * Use libtls default for the rest of the testing
861 */
862 if (!SSL_set_cipher_list(ssl, "TLSv1.2+AEAD+ECDHE")) {
863 FAIL("client should be able to set cipher list\n");
864 goto err;
865 }
866 if (!tlsext_ecpf_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
867 FAIL("client should need ECPointFormats\n");
868 goto err;
869 }
870
871 /*
872 * The default ECPointFormats should only have uncompressed
873 */
874 if ((ssl->session = SSL_SESSION_new()) == NULL)
875 errx(1, "failed to create session");
876
877 if (!tlsext_ecpf_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
878 FAIL("client failed to build ECPointFormats\n");
879 goto err;
880 }
881
882 if (!CBB_finish(&cbb, &data, &dlen))
883 errx(1, "failed to finish CBB");
884
885 if (dlen != sizeof(tlsext_ecpf_hello_uncompressed)) {
886 FAIL("got client ECPointFormats with length %zu, "
887 "want length %zu\n", dlen,
888 sizeof(tlsext_ecpf_hello_uncompressed));
889 compare_data(data, dlen, tlsext_ecpf_hello_uncompressed,
890 sizeof(tlsext_ecpf_hello_uncompressed));
891 goto err;
892 }
893
894 if (memcmp(data, tlsext_ecpf_hello_uncompressed, dlen) != 0) {
895 FAIL("client ECPointFormats differs:\n");
896 compare_data(data, dlen, tlsext_ecpf_hello_uncompressed,
897 sizeof(tlsext_ecpf_hello_uncompressed));
898 goto err;
899 }
900
901 /*
902 * Make sure we can parse the default.
903 */
904 CBB_cleanup(&cbb);
905 CBB_init(&cbb, 0);
906 free(data);
907 data = NULL;
908
909 SSL_SESSION_free(ssl->session);
910 if ((ssl->session = SSL_SESSION_new()) == NULL)
911 errx(1, "failed to create session");
912
913 CBS_init(&cbs, tlsext_ecpf_hello_uncompressed,
914 sizeof(tlsext_ecpf_hello_uncompressed));
915 if (!tlsext_ecpf_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
916 FAIL("failed to parse client ECPointFormats\n");
917 goto err;
918 }
919 if (CBS_len(&cbs) != 0) {
920 FAIL("extension data remaining\n");
921 goto err;
922 }
923
924 if (SSI(ssl)->tlsext_ecpointformatlist_length !=
925 sizeof(tlsext_ecpf_hello_uncompressed_val)) {
926 FAIL("no tlsext_ecpointformats from client "
927 "ECPointFormats\n");
928 goto err;
929 }
930
931 if (memcmp(SSI(ssl)->tlsext_ecpointformatlist,
932 tlsext_ecpf_hello_uncompressed_val,
933 sizeof(tlsext_ecpf_hello_uncompressed_val)) != 0) {
934 FAIL("client had an incorrect ECPointFormats entry\n");
935 goto err;
936 }
937
938 /*
939 * Test with a custom order.
940 */
941 CBB_cleanup(&cbb);
942 CBB_init(&cbb, 0);
943 free(data);
944 data = NULL;
945
946 SSL_SESSION_free(ssl->session);
947 if ((ssl->session = SSL_SESSION_new()) == NULL)
948 errx(1, "failed to create session");
949
950 if ((ssl->internal->tlsext_ecpointformatlist = malloc(sizeof(uint8_t) * 3)) == NULL) {
951 FAIL("client could not malloc\n");
952 goto err;
953 }
954 ssl->internal->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
955 ssl->internal->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_uncompressed;
956 ssl->internal->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
957 ssl->internal->tlsext_ecpointformatlist_length = 3;
958
959 if (!tlsext_ecpf_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
960 FAIL("client should need ECPointFormats with a custom "
961 "format\n");
962 goto err;
963 }
964
965 if (!tlsext_ecpf_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
966 FAIL("client failed to build ECPointFormats\n");
967 goto err;
968 }
969
970 if (!CBB_finish(&cbb, &data, &dlen))
971 errx(1, "failed to finish CBB");
972
973 if (dlen != sizeof(tlsext_ecpf_hello_prefer_order)) {
974 FAIL("got client ECPointFormats with length %zu, "
975 "want length %zu\n", dlen,
976 sizeof(tlsext_ecpf_hello_prefer_order));
977 compare_data(data, dlen, tlsext_ecpf_hello_prefer_order,
978 sizeof(tlsext_ecpf_hello_prefer_order));
979 goto err;
980 }
981
982 if (memcmp(data, tlsext_ecpf_hello_prefer_order, dlen) != 0) {
983 FAIL("client ECPointFormats differs:\n");
984 compare_data(data, dlen, tlsext_ecpf_hello_prefer_order,
985 sizeof(tlsext_ecpf_hello_prefer_order));
986 goto err;
987 }
988
989 /*
990 * Make sure that we can parse this custom order.
991 */
992 CBB_cleanup(&cbb);
993 CBB_init(&cbb, 0);
994 free(data);
995 data = NULL;
996
997 SSL_SESSION_free(ssl->session);
998 if ((ssl->session = SSL_SESSION_new()) == NULL)
999 errx(1, "failed to create session");
1000
1001 /* Reset the custom list so we go back to the default uncompressed. */
1002 free(ssl->internal->tlsext_ecpointformatlist);
1003 ssl->internal->tlsext_ecpointformatlist = NULL;
1004 ssl->internal->tlsext_ecpointformatlist_length = 0;
1005
1006 CBS_init(&cbs, tlsext_ecpf_hello_prefer_order,
1007 sizeof(tlsext_ecpf_hello_prefer_order));
1008 if (!tlsext_ecpf_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
1009 FAIL("failed to parse client ECPointFormats\n");
1010 goto err;
1011 }
1012 if (CBS_len(&cbs) != 0) {
1013 FAIL("extension data remaining\n");
1014 goto err;
1015 }
1016
1017 if (SSI(ssl)->tlsext_ecpointformatlist_length !=
1018 sizeof(tlsext_ecpf_hello_prefer_order_val)) {
1019 FAIL("no tlsext_ecpointformats from client "
1020 "ECPointFormats\n");
1021 goto err;
1022 }
1023
1024 if (memcmp(SSI(ssl)->tlsext_ecpointformatlist,
1025 tlsext_ecpf_hello_prefer_order_val,
1026 sizeof(tlsext_ecpf_hello_prefer_order_val)) != 0) {
1027 FAIL("client had an incorrect ECPointFormats entry\n");
1028 goto err;
1029 }
1030
1031
1032 failure = 0;
1033
1034 err:
1035 CBB_cleanup(&cbb);
1036 SSL_CTX_free(ssl_ctx);
1037 SSL_free(ssl);
1038 free(data);
1039
1040 return (failure);
1041}
1042
1043static int
1044test_tlsext_ecpf_server(void)
1045{
1046 uint8_t *data = NULL;
1047 SSL_CTX *ssl_ctx = NULL;
1048 SSL *ssl = NULL;
1049 size_t dlen;
1050 int failure, alert;
1051 CBB cbb;
1052 CBS cbs;
1053
1054 failure = 1;
1055
1056 CBB_init(&cbb, 0);
1057
1058 if ((ssl_ctx = SSL_CTX_new(TLS_server_method())) == NULL)
1059 errx(1, "failed to create SSL_CTX");
1060 if ((ssl = SSL_new(ssl_ctx)) == NULL)
1061 errx(1, "failed to create SSL");
1062
1063 if ((ssl->session = SSL_SESSION_new()) == NULL)
1064 errx(1, "failed to create session");
1065
1066 /* Setup the state so we can call needs. */
1067 if ((S3I(ssl)->hs.cipher =
1068 ssl3_get_cipher_by_id(TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305))
1069 == NULL) {
1070 FAIL("server cannot find cipher\n");
1071 goto err;
1072 }
1073 if ((SSI(ssl)->tlsext_ecpointformatlist = malloc(sizeof(uint8_t)))
1074 == NULL) {
1075 FAIL("server could not malloc\n");
1076 goto err;
1077 }
1078 SSI(ssl)->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1079 SSI(ssl)->tlsext_ecpointformatlist_length = 1;
1080
1081 if (!tlsext_ecpf_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
1082 FAIL("server should need ECPointFormats now\n");
1083 goto err;
1084 }
1085
1086 /*
1087 * The server will ignore the session list and use either a custom
1088 * list or the default (uncompressed).
1089 */
1090 if (!tlsext_ecpf_server_build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) {
1091 FAIL("server failed to build ECPointFormats\n");
1092 goto err;
1093 }
1094
1095 if (!CBB_finish(&cbb, &data, &dlen))
1096 errx(1, "failed to finish CBB");
1097
1098 if (dlen != sizeof(tlsext_ecpf_hello_uncompressed)) {
1099 FAIL("got server ECPointFormats with length %zu, "
1100 "want length %zu\n", dlen,
1101 sizeof(tlsext_ecpf_hello_uncompressed));
1102 compare_data(data, dlen, tlsext_ecpf_hello_uncompressed,
1103 sizeof(tlsext_ecpf_hello_uncompressed));
1104 goto err;
1105 }
1106
1107 if (memcmp(data, tlsext_ecpf_hello_uncompressed, dlen) != 0) {
1108 FAIL("server ECPointFormats differs:\n");
1109 compare_data(data, dlen, tlsext_ecpf_hello_uncompressed,
1110 sizeof(tlsext_ecpf_hello_uncompressed));
1111 goto err;
1112 }
1113
1114 /*
1115 * Cannot parse a non-default list without at least uncompressed.
1116 */
1117 CBB_cleanup(&cbb);
1118 CBB_init(&cbb, 0);
1119 free(data);
1120 data = NULL;
1121
1122 SSL_SESSION_free(ssl->session);
1123 if ((ssl->session = SSL_SESSION_new()) == NULL)
1124 errx(1, "failed to create session");
1125
1126 CBS_init(&cbs, tlsext_ecpf_hello_prime,
1127 sizeof(tlsext_ecpf_hello_prime));
1128 if (tlsext_ecpf_client_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
1129 FAIL("must include uncompressed in server ECPointFormats\n");
1130 goto err;
1131 }
1132 if (CBS_len(&cbs) != 0) {
1133 FAIL("extension data remaining\n");
1134 goto err;
1135 }
1136
1137 /*
1138 * Test with a custom order that replaces the default uncompressed.
1139 */
1140 CBB_cleanup(&cbb);
1141 CBB_init(&cbb, 0);
1142 free(data);
1143 data = NULL;
1144
1145 SSL_SESSION_free(ssl->session);
1146 if ((ssl->session = SSL_SESSION_new()) == NULL)
1147 errx(1, "failed to create session");
1148
1149 /* Add a session list even though it will be ignored. */
1150 if ((SSI(ssl)->tlsext_ecpointformatlist = malloc(sizeof(uint8_t)))
1151 == NULL) {
1152 FAIL("server could not malloc\n");
1153 goto err;
1154 }
1155 SSI(ssl)->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1156 SSI(ssl)->tlsext_ecpointformatlist_length = 1;
1157
1158 /* Replace the default list with a custom one. */
1159 if ((ssl->internal->tlsext_ecpointformatlist = malloc(sizeof(uint8_t) * 3)) == NULL) {
1160 FAIL("server could not malloc\n");
1161 goto err;
1162 }
1163 ssl->internal->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1164 ssl->internal->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_uncompressed;
1165 ssl->internal->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1166 ssl->internal->tlsext_ecpointformatlist_length = 3;
1167
1168 if (!tlsext_ecpf_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
1169 FAIL("server should need ECPointFormats\n");
1170 goto err;
1171 }
1172
1173 if (!tlsext_ecpf_server_build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) {
1174 FAIL("server failed to build ECPointFormats\n");
1175 goto err;
1176 }
1177
1178 if (!CBB_finish(&cbb, &data, &dlen))
1179 errx(1, "failed to finish CBB");
1180
1181 if (dlen != sizeof(tlsext_ecpf_hello_prefer_order)) {
1182 FAIL("got server ECPointFormats with length %zu, "
1183 "want length %zu\n", dlen,
1184 sizeof(tlsext_ecpf_hello_prefer_order));
1185 compare_data(data, dlen, tlsext_ecpf_hello_prefer_order,
1186 sizeof(tlsext_ecpf_hello_prefer_order));
1187 goto err;
1188 }
1189
1190 if (memcmp(data, tlsext_ecpf_hello_prefer_order, dlen) != 0) {
1191 FAIL("server ECPointFormats differs:\n");
1192 compare_data(data, dlen, tlsext_ecpf_hello_prefer_order,
1193 sizeof(tlsext_ecpf_hello_prefer_order));
1194 goto err;
1195 }
1196
1197 /*
1198 * Should be able to parse the custom list into a session list.
1199 */
1200 CBB_cleanup(&cbb);
1201 CBB_init(&cbb, 0);
1202 free(data);
1203 data = NULL;
1204
1205 SSL_SESSION_free(ssl->session);
1206 if ((ssl->session = SSL_SESSION_new()) == NULL)
1207 errx(1, "failed to create session");
1208
1209 /* Reset back to the default (uncompressed) */
1210 free(ssl->internal->tlsext_ecpointformatlist);
1211 ssl->internal->tlsext_ecpointformatlist = NULL;
1212 ssl->internal->tlsext_ecpointformatlist_length = 0;
1213
1214 CBS_init(&cbs, tlsext_ecpf_hello_prefer_order,
1215 sizeof(tlsext_ecpf_hello_prefer_order));
1216 if (!tlsext_ecpf_client_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
1217 FAIL("failed to parse server ECPointFormats\n");
1218 goto err;
1219 }
1220 if (CBS_len(&cbs) != 0) {
1221 FAIL("extension data remaining\n");
1222 goto err;
1223 }
1224
1225 if (SSI(ssl)->tlsext_ecpointformatlist_length !=
1226 sizeof(tlsext_ecpf_hello_prefer_order_val)) {
1227 FAIL("no tlsext_ecpointformats from server "
1228 "ECPointFormats\n");
1229 goto err;
1230 }
1231
1232 if (memcmp(SSI(ssl)->tlsext_ecpointformatlist,
1233 tlsext_ecpf_hello_prefer_order_val,
1234 sizeof(tlsext_ecpf_hello_prefer_order_val)) != 0) {
1235 FAIL("server had an incorrect ECPointFormats entry\n");
1236 goto err;
1237 }
1238
1239 failure = 0;
1240
1241 err:
1242 CBB_cleanup(&cbb);
1243 SSL_CTX_free(ssl_ctx);
1244 SSL_free(ssl);
1245 free(data);
1246
1247 return (failure);
1248}
1249
1250/*
1251 * Renegotiation Indication - RFC 5746.
1252 */
1253
1254static unsigned char tlsext_ri_prev_client[] = {
1255 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
1256 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
1257};
1258
1259static unsigned char tlsext_ri_prev_server[] = {
1260 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99, 0x88,
1261 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11, 0x00,
1262};
1263
1264static unsigned char tlsext_ri_client[] = {
1265 0x10,
1266 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
1267 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
1268};
1269
1270static unsigned char tlsext_ri_server[] = {
1271 0x20,
1272 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
1273 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
1274 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99, 0x88,
1275 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11, 0x00,
1276};
1277
1278static int
1279test_tlsext_ri_client(void)
1280{
1281 unsigned char *data = NULL;
1282 SSL_CTX *ssl_ctx = NULL;
1283 SSL *ssl = NULL;
1284 int failure;
1285 size_t dlen;
1286 int alert;
1287 CBB cbb;
1288 CBS cbs;
1289
1290 failure = 1;
1291
1292 CBB_init(&cbb, 0);
1293
1294 if ((ssl_ctx = SSL_CTX_new(TLSv1_2_client_method())) == NULL)
1295 errx(1, "failed to create SSL_CTX");
1296 if ((ssl = SSL_new(ssl_ctx)) == NULL)
1297 errx(1, "failed to create SSL");
1298
1299 if (tlsext_ri_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
1300 FAIL("client should not need RI\n");
1301 goto err;
1302 }
1303
1304 if (!SSL_renegotiate(ssl)) {
1305 FAIL("client failed to set renegotiate\n");
1306 goto err;
1307 }
1308
1309 if (!tlsext_ri_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
1310 FAIL("client should need RI\n");
1311 goto err;
1312 }
1313
1314 memcpy(S3I(ssl)->previous_client_finished, tlsext_ri_prev_client,
1315 sizeof(tlsext_ri_prev_client));
1316 S3I(ssl)->previous_client_finished_len = sizeof(tlsext_ri_prev_client);
1317
1318 S3I(ssl)->renegotiate_seen = 0;
1319
1320 if (!tlsext_ri_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
1321 FAIL("client failed to build RI\n");
1322 goto err;
1323 }
1324
1325 if (!CBB_finish(&cbb, &data, &dlen))
1326 errx(1, "failed to finish CBB");
1327
1328 if (dlen != sizeof(tlsext_ri_client)) {
1329 FAIL("got client RI with length %zu, "
1330 "want length %zu\n", dlen, sizeof(tlsext_ri_client));
1331 goto err;
1332 }
1333
1334 if (memcmp(data, tlsext_ri_client, dlen) != 0) {
1335 FAIL("client RI differs:\n");
1336 fprintf(stderr, "received:\n");
1337 hexdump(data, dlen);
1338 fprintf(stderr, "test data:\n");
1339 hexdump(tlsext_ri_client, sizeof(tlsext_ri_client));
1340 goto err;
1341 }
1342
1343 CBS_init(&cbs, tlsext_ri_client, sizeof(tlsext_ri_client));
1344 if (!tlsext_ri_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
1345 FAIL("failed to parse client RI\n");
1346 goto err;
1347 }
1348 if (CBS_len(&cbs) != 0) {
1349 FAIL("extension data remaining\n");
1350 goto err;
1351 }
1352
1353 if (S3I(ssl)->renegotiate_seen != 1) {
1354 FAIL("renegotiate seen not set\n");
1355 goto err;
1356 }
1357 if (S3I(ssl)->send_connection_binding != 1) {
1358 FAIL("send connection binding not set\n");
1359 goto err;
1360 }
1361
1362 memset(S3I(ssl)->previous_client_finished, 0,
1363 sizeof(S3I(ssl)->previous_client_finished));
1364
1365 S3I(ssl)->renegotiate_seen = 0;
1366
1367 CBS_init(&cbs, tlsext_ri_client, sizeof(tlsext_ri_client));
1368 if (tlsext_ri_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
1369 FAIL("parsed invalid client RI\n");
1370 failure = 1;
1371 goto err;
1372 }
1373
1374 if (S3I(ssl)->renegotiate_seen == 1) {
1375 FAIL("renegotiate seen set\n");
1376 goto err;
1377 }
1378
1379 failure = 0;
1380
1381 err:
1382 CBB_cleanup(&cbb);
1383 SSL_CTX_free(ssl_ctx);
1384 SSL_free(ssl);
1385 free(data);
1386
1387 return (failure);
1388}
1389
1390static int
1391test_tlsext_ri_server(void)
1392{
1393 unsigned char *data = NULL;
1394 SSL_CTX *ssl_ctx = NULL;
1395 SSL *ssl = NULL;
1396 int failure;
1397 size_t dlen;
1398 int alert;
1399 CBB cbb;
1400 CBS cbs;
1401
1402 failure = 1;
1403
1404 CBB_init(&cbb, 0);
1405
1406 if ((ssl_ctx = SSL_CTX_new(TLS_server_method())) == NULL)
1407 errx(1, "failed to create SSL_CTX");
1408 if ((ssl = SSL_new(ssl_ctx)) == NULL)
1409 errx(1, "failed to create SSL");
1410
1411 ssl->version = TLS1_2_VERSION;
1412 if (tlsext_ri_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
1413 FAIL("server should not need RI\n");
1414 goto err;
1415 }
1416
1417 S3I(ssl)->send_connection_binding = 1;
1418
1419 if (!tlsext_ri_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
1420 FAIL("server should need RI\n");
1421 goto err;
1422 }
1423
1424 memcpy(S3I(ssl)->previous_client_finished, tlsext_ri_prev_client,
1425 sizeof(tlsext_ri_prev_client));
1426 S3I(ssl)->previous_client_finished_len = sizeof(tlsext_ri_prev_client);
1427
1428 memcpy(S3I(ssl)->previous_server_finished, tlsext_ri_prev_server,
1429 sizeof(tlsext_ri_prev_server));
1430 S3I(ssl)->previous_server_finished_len = sizeof(tlsext_ri_prev_server);
1431
1432 S3I(ssl)->renegotiate_seen = 0;
1433
1434 if (!tlsext_ri_server_build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) {
1435 FAIL("server failed to build RI\n");
1436 goto err;
1437 }
1438
1439 if (!CBB_finish(&cbb, &data, &dlen))
1440 errx(1, "failed to finish CBB");
1441
1442 if (dlen != sizeof(tlsext_ri_server)) {
1443 FAIL("got server RI with length %zu, "
1444 "want length %zu\n", dlen, sizeof(tlsext_ri_server));
1445 goto err;
1446 }
1447
1448 if (memcmp(data, tlsext_ri_server, dlen) != 0) {
1449 FAIL("server RI differs:\n");
1450 fprintf(stderr, "received:\n");
1451 hexdump(data, dlen);
1452 fprintf(stderr, "test data:\n");
1453 hexdump(tlsext_ri_server, sizeof(tlsext_ri_server));
1454 goto err;
1455 }
1456
1457 CBS_init(&cbs, tlsext_ri_server, sizeof(tlsext_ri_server));
1458 if (!tlsext_ri_client_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
1459 FAIL("failed to parse server RI\n");
1460 goto err;
1461 }
1462 if (CBS_len(&cbs) != 0) {
1463 FAIL("extension data remaining\n");
1464 goto err;
1465 }
1466
1467 if (S3I(ssl)->renegotiate_seen != 1) {
1468 FAIL("renegotiate seen not set\n");
1469 goto err;
1470 }
1471 if (S3I(ssl)->send_connection_binding != 1) {
1472 FAIL("send connection binding not set\n");
1473 goto err;
1474 }
1475
1476 memset(S3I(ssl)->previous_client_finished, 0,
1477 sizeof(S3I(ssl)->previous_client_finished));
1478 memset(S3I(ssl)->previous_server_finished, 0,
1479 sizeof(S3I(ssl)->previous_server_finished));
1480
1481 S3I(ssl)->renegotiate_seen = 0;
1482
1483 CBS_init(&cbs, tlsext_ri_server, sizeof(tlsext_ri_server));
1484 if (tlsext_ri_client_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
1485 FAIL("parsed invalid server RI\n");
1486 goto err;
1487 }
1488
1489 if (S3I(ssl)->renegotiate_seen == 1) {
1490 FAIL("renegotiate seen set\n");
1491 goto err;
1492 }
1493
1494 failure = 0;
1495
1496 err:
1497 CBB_cleanup(&cbb);
1498 SSL_CTX_free(ssl_ctx);
1499 SSL_free(ssl);
1500 free(data);
1501
1502 return (failure);
1503}
1504
1505/*
1506 * Signature Algorithms - RFC 5246 section 7.4.1.4.1.
1507 */
1508
1509static unsigned char tlsext_sigalgs_client[] = {
1510 0x00, 0x16, 0x08, 0x06, 0x06, 0x01, 0x06, 0x03,
1511 0x08, 0x05, 0x05, 0x01, 0x05, 0x03, 0x08, 0x04,
1512 0x04, 0x01, 0x04, 0x03, 0x02, 0x01, 0x02, 0x03,
1513};
1514
1515static int
1516test_tlsext_sigalgs_client(void)
1517{
1518 unsigned char *data = NULL;
1519 SSL_CTX *ssl_ctx = NULL;
1520 SSL *ssl = NULL;
1521 int failure = 0;
1522 size_t dlen;
1523 int alert;
1524 CBB cbb;
1525 CBS cbs;
1526
1527 CBB_init(&cbb, 0);
1528
1529 if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL)
1530 errx(1, "failed to create SSL_CTX");
1531 if ((ssl = SSL_new(ssl_ctx)) == NULL)
1532 errx(1, "failed to create SSL");
1533
1534 S3I(ssl)->hs.our_max_tls_version = TLS1_1_VERSION;
1535
1536 if (tlsext_sigalgs_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
1537 fprintf(stderr, "FAIL: client should not need sigalgs\n");
1538 failure = 1;
1539 goto done;
1540 }
1541
1542 S3I(ssl)->hs.our_max_tls_version = TLS1_2_VERSION;
1543
1544 if (!tlsext_sigalgs_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
1545 fprintf(stderr, "FAIL: client should need sigalgs\n");
1546 failure = 1;
1547 goto done;
1548 }
1549
1550 if (!tlsext_sigalgs_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
1551 fprintf(stderr, "FAIL: client failed to build sigalgs\n");
1552 failure = 1;
1553 goto done;
1554 }
1555
1556 if (!CBB_finish(&cbb, &data, &dlen))
1557 errx(1, "failed to finish CBB");
1558
1559 if (dlen != sizeof(tlsext_sigalgs_client)) {
1560 fprintf(stderr, "FAIL: got client sigalgs with length %zu, "
1561 "want length %zu\n", dlen, sizeof(tlsext_sigalgs_client));
1562 failure = 1;
1563 goto done;
1564 }
1565
1566 if (memcmp(data, tlsext_sigalgs_client, dlen) != 0) {
1567 fprintf(stderr, "FAIL: client SNI differs:\n");
1568 fprintf(stderr, "received:\n");
1569 hexdump(data, dlen);
1570 fprintf(stderr, "test data:\n");
1571 hexdump(tlsext_sigalgs_client, sizeof(tlsext_sigalgs_client));
1572 failure = 1;
1573 goto done;
1574 }
1575
1576 CBS_init(&cbs, tlsext_sigalgs_client, sizeof(tlsext_sigalgs_client));
1577 if (!tlsext_sigalgs_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
1578 fprintf(stderr, "FAIL: failed to parse client SNI\n");
1579 failure = 1;
1580 goto done;
1581 }
1582 if (CBS_len(&cbs) != 0) {
1583 FAIL("extension data remaining\n");
1584 goto done;
1585 }
1586
1587 done:
1588 CBB_cleanup(&cbb);
1589 SSL_CTX_free(ssl_ctx);
1590 SSL_free(ssl);
1591 free(data);
1592
1593 return (failure);
1594}
1595
1596#if 0
1597static int
1598test_tlsext_sigalgs_server(void)
1599{
1600 unsigned char *data = NULL;
1601 SSL_CTX *ssl_ctx = NULL;
1602 SSL *ssl = NULL;
1603 int failure = 0;
1604 size_t dlen;
1605 int alert;
1606 CBB cbb;
1607 CBS cbs;
1608
1609 CBB_init(&cbb, 0);
1610
1611 if ((ssl_ctx = SSL_CTX_new(TLS_server_method())) == NULL)
1612 errx(1, "failed to create SSL_CTX");
1613 if ((ssl = SSL_new(ssl_ctx)) == NULL)
1614 errx(1, "failed to create SSL");
1615
1616 if (tlsext_sigalgs_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
1617 fprintf(stderr, "FAIL: server should not need sigalgs\n");
1618 failure = 1;
1619 goto done;
1620 }
1621
1622 if (tlsext_sigalgs_server_build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) {
1623 fprintf(stderr, "FAIL: server should not build sigalgs\n");
1624 failure = 1;
1625 goto done;
1626 }
1627
1628 if (!CBB_finish(&cbb, &data, &dlen))
1629 errx(1, "failed to finish CBB");
1630
1631 CBS_init(&cbs, tlsext_sigalgs_client, sizeof(tlsext_sigalgs_client));
1632 if (tlsext_sigalgs_client_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
1633 fprintf(stderr, "FAIL: server should not parse sigalgs\n");
1634 failure = 1;
1635 goto done;
1636 }
1637
1638 done:
1639 CBB_cleanup(&cbb);
1640 SSL_CTX_free(ssl_ctx);
1641 SSL_free(ssl);
1642 free(data);
1643
1644 return (failure);
1645}
1646#endif
1647
1648/*
1649 * Server Name Indication - RFC 6066 section 3.
1650 */
1651
1652#define TEST_SNI_SERVERNAME "www.libressl.org"
1653
1654static unsigned char tlsext_sni_client[] = {
1655 0x00, 0x13, 0x00, 0x00, 0x10, 0x77, 0x77, 0x77,
1656 0x2e, 0x6c, 0x69, 0x62, 0x72, 0x65, 0x73, 0x73,
1657 0x6c, 0x2e, 0x6f, 0x72, 0x67,
1658};
1659
1660static unsigned char tlsext_sni_server[] = {
1661};
1662
1663static int
1664test_tlsext_sni_client(void)
1665{
1666 unsigned char *data = NULL;
1667 SSL_CTX *ssl_ctx = NULL;
1668 SSL *ssl = NULL;
1669 int failure;
1670 size_t dlen;
1671 int alert;
1672 CBB cbb;
1673 CBS cbs;
1674
1675 failure = 1;
1676
1677 CBB_init(&cbb, 0);
1678
1679 if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL)
1680 errx(1, "failed to create SSL_CTX");
1681 if ((ssl = SSL_new(ssl_ctx)) == NULL)
1682 errx(1, "failed to create SSL");
1683
1684 if (tlsext_sni_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
1685 FAIL("client should not need SNI\n");
1686 goto err;
1687 }
1688
1689 if (!SSL_set_tlsext_host_name(ssl, TEST_SNI_SERVERNAME)) {
1690 FAIL("client failed to set server name\n");
1691 goto err;
1692 }
1693
1694 if (!tlsext_sni_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
1695 FAIL("client should need SNI\n");
1696 goto err;
1697 }
1698
1699 if (!tlsext_sni_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
1700 FAIL("client failed to build SNI\n");
1701 goto err;
1702 }
1703
1704 if (!CBB_finish(&cbb, &data, &dlen))
1705 errx(1, "failed to finish CBB");
1706
1707 if (dlen != sizeof(tlsext_sni_client)) {
1708 FAIL("got client SNI with length %zu, "
1709 "want length %zu\n", dlen, sizeof(tlsext_sni_client));
1710 goto err;
1711 }
1712
1713 if (memcmp(data, tlsext_sni_client, dlen) != 0) {
1714 FAIL("client SNI differs:\n");
1715 fprintf(stderr, "received:\n");
1716 hexdump(data, dlen);
1717 fprintf(stderr, "test data:\n");
1718 hexdump(tlsext_sni_client, sizeof(tlsext_sni_client));
1719 goto err;
1720 }
1721
1722 if ((ssl->session = SSL_SESSION_new()) == NULL)
1723 errx(1, "failed to create session");
1724
1725 ssl->internal->hit = 0;
1726
1727 CBS_init(&cbs, tlsext_sni_client, sizeof(tlsext_sni_client));
1728 if (!tlsext_sni_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
1729 FAIL("failed to parse client SNI\n");
1730 goto err;
1731 }
1732 if (CBS_len(&cbs) != 0) {
1733 FAIL("extension data remaining\n");
1734 goto err;
1735 }
1736
1737 if (ssl->session->tlsext_hostname == NULL) {
1738 FAIL("no tlsext_hostname from client SNI\n");
1739 goto err;
1740 }
1741
1742 if (strlen(ssl->session->tlsext_hostname) != strlen(TEST_SNI_SERVERNAME) ||
1743 strncmp(ssl->session->tlsext_hostname, TEST_SNI_SERVERNAME,
1744 strlen(TEST_SNI_SERVERNAME)) != 0) {
1745 FAIL("got tlsext_hostname `%s', want `%s'\n",
1746 ssl->session->tlsext_hostname, TEST_SNI_SERVERNAME);
1747 goto err;
1748 }
1749
1750 ssl->internal->hit = 1;
1751
1752 if ((ssl->session->tlsext_hostname = strdup("notthesame.libressl.org")) ==
1753 NULL)
1754 errx(1, "failed to strdup tlsext_hostname");
1755
1756 CBS_init(&cbs, tlsext_sni_client, sizeof(tlsext_sni_client));
1757 if (tlsext_sni_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
1758 FAIL("parsed client with mismatched SNI\n");
1759 goto err;
1760 }
1761
1762 failure = 0;
1763
1764 err:
1765 CBB_cleanup(&cbb);
1766 SSL_CTX_free(ssl_ctx);
1767 SSL_free(ssl);
1768 free(data);
1769
1770 return (failure);
1771}
1772
1773static int
1774test_tlsext_sni_server(void)
1775{
1776 unsigned char *data = NULL;
1777 SSL_CTX *ssl_ctx = NULL;
1778 SSL *ssl = NULL;
1779 int failure;
1780 size_t dlen;
1781 int alert;
1782 CBB cbb;
1783 CBS cbs;
1784
1785 failure = 1;
1786
1787 CBB_init(&cbb, 0);
1788
1789 if ((ssl_ctx = SSL_CTX_new(TLS_server_method())) == NULL)
1790 errx(1, "failed to create SSL_CTX");
1791 if ((ssl = SSL_new(ssl_ctx)) == NULL)
1792 errx(1, "failed to create SSL");
1793
1794 if ((ssl->session = SSL_SESSION_new()) == NULL)
1795 errx(1, "failed to create session");
1796
1797 if (tlsext_sni_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
1798 FAIL("server should not need SNI\n");
1799 goto err;
1800 }
1801
1802 if (!SSL_set_tlsext_host_name(ssl, TEST_SNI_SERVERNAME)) {
1803 FAIL("client failed to set server name\n");
1804 goto err;
1805 }
1806
1807 if ((ssl->session->tlsext_hostname = strdup(TEST_SNI_SERVERNAME)) ==
1808 NULL)
1809 errx(1, "failed to strdup tlsext_hostname");
1810
1811 if (!tlsext_sni_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
1812 FAIL("server should need SNI\n");
1813 goto err;
1814 }
1815
1816 if (!tlsext_sni_server_build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) {
1817 FAIL("server failed to build SNI\n");
1818 goto err;
1819 }
1820
1821 if (!CBB_finish(&cbb, &data, &dlen))
1822 errx(1, "failed to finish CBB");
1823
1824 if (dlen != sizeof(tlsext_sni_server)) {
1825 FAIL("got server SNI with length %zu, "
1826 "want length %zu\n", dlen, sizeof(tlsext_sni_server));
1827 goto err;
1828 }
1829
1830 if (memcmp(data, tlsext_sni_server, dlen) != 0) {
1831 FAIL("server SNI differs:\n");
1832 fprintf(stderr, "received:\n");
1833 hexdump(data, dlen);
1834 fprintf(stderr, "test data:\n");
1835 hexdump(tlsext_sni_server, sizeof(tlsext_sni_server));
1836 goto err;
1837 }
1838
1839 free(ssl->session->tlsext_hostname);
1840 ssl->session->tlsext_hostname = NULL;
1841
1842 CBS_init(&cbs, tlsext_sni_server, sizeof(tlsext_sni_server));
1843 if (!tlsext_sni_client_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
1844 FAIL("failed to parse server SNI\n");
1845 goto err;
1846 }
1847 if (CBS_len(&cbs) != 0) {
1848 FAIL("extension data remaining\n");
1849 goto err;
1850 }
1851
1852 if (ssl->session->tlsext_hostname == NULL) {
1853 FAIL("no tlsext_hostname after server SNI\n");
1854 goto err;
1855 }
1856
1857 if (strlen(ssl->session->tlsext_hostname) != strlen(TEST_SNI_SERVERNAME) ||
1858 strncmp(ssl->session->tlsext_hostname, TEST_SNI_SERVERNAME,
1859 strlen(TEST_SNI_SERVERNAME)) != 0) {
1860 FAIL("got tlsext_hostname `%s', want `%s'\n",
1861 ssl->session->tlsext_hostname, TEST_SNI_SERVERNAME);
1862 goto err;
1863 }
1864
1865 failure = 0;
1866
1867 err:
1868 CBB_cleanup(&cbb);
1869 SSL_CTX_free(ssl_ctx);
1870 SSL_free(ssl);
1871 free(data);
1872
1873 return (failure);
1874}
1875
1876static unsigned char tls_ocsp_client_default[] = {
1877 0x01, 0x00, 0x00, 0x00, 0x00
1878};
1879
1880static int
1881test_tlsext_ocsp_client(void)
1882{
1883 unsigned char *data = NULL;
1884 SSL_CTX *ssl_ctx = NULL;
1885 SSL *ssl = NULL;
1886 size_t dlen;
1887 int failure;
1888 int alert;
1889 CBB cbb;
1890 CBS cbs;
1891
1892 failure = 1;
1893
1894 CBB_init(&cbb, 0);
1895
1896 if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL)
1897 errx(1, "failed to create SSL_CTX");
1898 if ((ssl = SSL_new(ssl_ctx)) == NULL)
1899 errx(1, "failed to create SSL");
1900
1901 if (tlsext_ocsp_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
1902 FAIL("client should not need ocsp\n");
1903 goto err;
1904 }
1905 SSL_set_tlsext_status_type(ssl, TLSEXT_STATUSTYPE_ocsp);
1906
1907 if (!tlsext_ocsp_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
1908 FAIL("client should need ocsp\n");
1909 goto err;
1910 }
1911 if (!tlsext_ocsp_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
1912 FAIL("client failed to build SNI\n");
1913 goto err;
1914 }
1915 if (!CBB_finish(&cbb, &data, &dlen))
1916 errx(1, "failed to finish CBB");
1917
1918 if (dlen != sizeof(tls_ocsp_client_default)) {
1919 FAIL("got ocsp client with length %zu, "
1920 "want length %zu\n", dlen,
1921 sizeof(tls_ocsp_client_default));
1922 goto err;
1923 }
1924 if (memcmp(data, tls_ocsp_client_default, dlen) != 0) {
1925 FAIL("ocsp client differs:\n");
1926 fprintf(stderr, "received:\n");
1927 hexdump(data, dlen);
1928 fprintf(stderr, "test data:\n");
1929 hexdump(tls_ocsp_client_default,
1930 sizeof(tls_ocsp_client_default));
1931 goto err;
1932 }
1933 CBS_init(&cbs, tls_ocsp_client_default,
1934 sizeof(tls_ocsp_client_default));
1935 if (!tlsext_ocsp_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
1936 FAIL("failed to parse ocsp client\n");
1937 goto err;
1938 }
1939 if (CBS_len(&cbs) != 0) {
1940 FAIL("extension data remaining\n");
1941 goto err;
1942 }
1943
1944 failure = 0;
1945
1946 err:
1947 CBB_cleanup(&cbb);
1948 SSL_CTX_free(ssl_ctx);
1949 SSL_free(ssl);
1950 free(data);
1951
1952 return (failure);
1953}
1954
1955static int
1956test_tlsext_ocsp_server(void)
1957{
1958 unsigned char *data = NULL;
1959 SSL_CTX *ssl_ctx = NULL;
1960 SSL *ssl = NULL;
1961 size_t dlen;
1962 int failure;
1963 CBB cbb;
1964
1965 failure = 1;
1966
1967 CBB_init(&cbb, 0);
1968
1969 if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL)
1970 errx(1, "failed to create SSL_CTX");
1971 if ((ssl = SSL_new(ssl_ctx)) == NULL)
1972 errx(1, "failed to create SSL");
1973
1974 if (tlsext_ocsp_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
1975 FAIL("server should not need ocsp\n");
1976 goto err;
1977 }
1978
1979 ssl->internal->tlsext_status_expected = 1;
1980
1981 if (!tlsext_ocsp_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
1982 FAIL("server should need ocsp\n");
1983 goto err;
1984 }
1985 if (!tlsext_ocsp_server_build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) {
1986 FAIL("server failed to build ocsp\n");
1987 goto err;
1988 }
1989
1990 if (!CBB_finish(&cbb, &data, &dlen))
1991 errx(1, "failed to finish CBB");
1992
1993 failure = 0;
1994
1995 err:
1996 CBB_cleanup(&cbb);
1997 SSL_CTX_free(ssl_ctx);
1998 SSL_free(ssl);
1999 free(data);
2000
2001 return (failure);
2002}
2003
2004/*
2005 * Session ticket - RFC 5077 since no known implementations use 4507.
2006 *
2007 * Session tickets can be length 0 (special case) to 2^16-1.
2008 *
2009 * The state is encrypted by the server so it is opaque to the client.
2010 */
2011static uint8_t tlsext_sessionticket_hello_min[1];
2012static uint8_t tlsext_sessionticket_hello_max[65535];
2013
2014static int
2015test_tlsext_sessionticket_client(void)
2016{
2017 unsigned char *data = NULL;
2018 SSL_CTX *ssl_ctx = NULL;
2019 SSL *ssl = NULL;
2020 int failure;
2021 CBB cbb;
2022 size_t dlen;
2023 uint8_t dummy[1234];
2024
2025 failure = 1;
2026
2027 CBB_init(&cbb, 0);
2028
2029 /* Create fake session tickets with random data. */
2030 arc4random_buf(tlsext_sessionticket_hello_min,
2031 sizeof(tlsext_sessionticket_hello_min));
2032 arc4random_buf(tlsext_sessionticket_hello_max,
2033 sizeof(tlsext_sessionticket_hello_max));
2034
2035 if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL)
2036 errx(1, "failed to create SSL_CTX");
2037 if ((ssl = SSL_new(ssl_ctx)) == NULL)
2038 errx(1, "failed to create SSL");
2039
2040 /* Should need a ticket by default. */
2041 if (!tlsext_sessionticket_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
2042 FAIL("client should need Sessionticket for default "
2043 "ciphers\n");
2044 goto err;
2045 }
2046
2047 /* Test disabling tickets. */
2048 if ((SSL_set_options(ssl, SSL_OP_NO_TICKET) & SSL_OP_NO_TICKET) == 0) {
2049 FAIL("Cannot disable tickets in the TLS connection\n");
2050 return 0;
2051 }
2052 if (tlsext_sessionticket_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
2053 FAIL("client should not need SessionTicket if it was disabled\n");
2054 goto err;
2055 }
2056
2057 /* Test re-enabling tickets. */
2058 if ((SSL_clear_options(ssl, SSL_OP_NO_TICKET) & SSL_OP_NO_TICKET) != 0) {
2059 FAIL("Cannot re-enable tickets in the TLS connection\n");
2060 return 0;
2061 }
2062 if (!tlsext_sessionticket_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
2063 FAIL("client should need SessionTicket if it was disabled\n");
2064 goto err;
2065 }
2066
2067 /* Since we don't have a session, we should build an empty ticket. */
2068 if (!tlsext_sessionticket_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
2069 FAIL("Cannot build a ticket\n");
2070 goto err;
2071 }
2072 if (!CBB_finish(&cbb, &data, &dlen)) {
2073 FAIL("Cannot finish CBB\n");
2074 goto err;
2075 }
2076 if (dlen != 0) {
2077 FAIL("Expected 0 length but found %zu\n", dlen);
2078 goto err;
2079 }
2080
2081 CBB_cleanup(&cbb);
2082 CBB_init(&cbb, 0);
2083 free(data);
2084 data = NULL;
2085
2086 /* With a new session (but no ticket), we should still have 0 length */
2087 if ((ssl->session = SSL_SESSION_new()) == NULL)
2088 errx(1, "failed to create session");
2089 if (!tlsext_sessionticket_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
2090 FAIL("Should still want a session ticket with a new session\n");
2091 goto err;
2092 }
2093 if (!tlsext_sessionticket_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
2094 FAIL("Cannot build a ticket\n");
2095 goto err;
2096 }
2097 if (!CBB_finish(&cbb, &data, &dlen)) {
2098 FAIL("Cannot finish CBB\n");
2099 goto err;
2100 }
2101 if (dlen != 0) {
2102 FAIL("Expected 0 length but found %zu\n", dlen);
2103 goto err;
2104 }
2105
2106 CBB_cleanup(&cbb);
2107 CBB_init(&cbb, 0);
2108 free(data);
2109 data = NULL;
2110
2111 /* With a new session (and ticket), we should use that ticket */
2112 SSL_SESSION_free(ssl->session);
2113 if ((ssl->session = SSL_SESSION_new()) == NULL)
2114 errx(1, "failed to create session");
2115
2116 arc4random_buf(&dummy, sizeof(dummy));
2117 if ((ssl->session->tlsext_tick = malloc(sizeof(dummy))) == NULL) {
2118 errx(1, "failed to malloc");
2119 }
2120 memcpy(ssl->session->tlsext_tick, dummy, sizeof(dummy));
2121 ssl->session->tlsext_ticklen = sizeof(dummy);
2122
2123 if (!tlsext_sessionticket_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
2124 FAIL("Should still want a session ticket with a new session\n");
2125 goto err;
2126 }
2127 if (!tlsext_sessionticket_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
2128 FAIL("Cannot build a ticket\n");
2129 goto err;
2130 }
2131 if (!CBB_finish(&cbb, &data, &dlen)) {
2132 FAIL("Cannot finish CBB\n");
2133 goto err;
2134 }
2135 if (dlen != sizeof(dummy)) {
2136 FAIL("Expected %zu length but found %zu\n", sizeof(dummy), dlen);
2137 goto err;
2138 }
2139 if (memcmp(data, dummy, dlen) != 0) {
2140 FAIL("server SNI differs:\n");
2141 compare_data(data, dlen,
2142 dummy, sizeof(dummy));
2143 goto err;
2144 }
2145
2146 CBB_cleanup(&cbb);
2147 CBB_init(&cbb, 0);
2148 free(data);
2149 data = NULL;
2150 free(ssl->session->tlsext_tick);
2151 ssl->session->tlsext_tick = NULL;
2152 ssl->session->tlsext_ticklen = 0;
2153
2154 /*
2155 * Send in NULL to disable session tickets at runtime without going
2156 * through SSL_set_options().
2157 */
2158 if (!SSL_set_session_ticket_ext(ssl, NULL, 0)) {
2159 FAIL("Could not set a NULL custom ticket\n");
2160 goto err;
2161 }
2162 /* Should not need a ticket in this case */
2163 if (tlsext_sessionticket_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
2164 FAIL("Should not want to use session tickets with a NULL custom\n");
2165 goto err;
2166 }
2167
2168 /*
2169 * If you want to remove the tlsext_session_ticket behavior, you have
2170 * to do it manually.
2171 */
2172 free(ssl->internal->tlsext_session_ticket);
2173 ssl->internal->tlsext_session_ticket = NULL;
2174
2175 if (!tlsext_sessionticket_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
2176 FAIL("Should need a session ticket again when the custom one is removed\n");
2177 goto err;
2178 }
2179
2180 /* Test a custom session ticket (not recommended in practice) */
2181 if (!SSL_set_session_ticket_ext(ssl, tlsext_sessionticket_hello_max,
2182 sizeof(tlsext_sessionticket_hello_max))) {
2183 FAIL("Should be able to set a custom ticket\n");
2184 goto err;
2185 }
2186 if (!tlsext_sessionticket_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
2187 FAIL("Should need a session ticket again when the custom one is not empty\n");
2188 goto err;
2189 }
2190 if (!tlsext_sessionticket_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
2191 FAIL("Cannot build a ticket with a max length random payload\n");
2192 goto err;
2193 }
2194 if (!CBB_finish(&cbb, &data, &dlen)) {
2195 FAIL("Cannot finish CBB\n");
2196 goto err;
2197 }
2198 if (dlen != sizeof(tlsext_sessionticket_hello_max)) {
2199 FAIL("Expected %zu length but found %zu\n",
2200 sizeof(tlsext_sessionticket_hello_max), dlen);
2201 goto err;
2202 }
2203 if (memcmp(data, tlsext_sessionticket_hello_max,
2204 sizeof(tlsext_sessionticket_hello_max)) != 0) {
2205 FAIL("Expected to get what we passed in\n");
2206 compare_data(data, dlen,
2207 tlsext_sessionticket_hello_max,
2208 sizeof(tlsext_sessionticket_hello_max));
2209 goto err;
2210 }
2211
2212 failure = 0;
2213
2214 err:
2215 CBB_cleanup(&cbb);
2216 SSL_CTX_free(ssl_ctx);
2217 SSL_free(ssl);
2218 free(data);
2219
2220 return (failure);
2221}
2222
2223
2224static int
2225test_tlsext_sessionticket_server(void)
2226{
2227 SSL_CTX *ssl_ctx = NULL;
2228 SSL *ssl = NULL;
2229 int failure;
2230 uint8_t *data;
2231 size_t dlen;
2232 CBB cbb;
2233
2234 CBB_init(&cbb, 0);
2235
2236 failure = 1;
2237
2238 if ((ssl_ctx = SSL_CTX_new(TLS_server_method())) == NULL)
2239 errx(1, "failed to create SSL_CTX");
2240 if ((ssl = SSL_new(ssl_ctx)) == NULL)
2241 errx(1, "failed to create SSL");
2242
2243 /*
2244 * By default, should not need a session ticket since the ticket
2245 * is not yet expected.
2246 */
2247 if (tlsext_sessionticket_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
2248 FAIL("server should not need SessionTicket by default\n");
2249 goto err;
2250 }
2251
2252 /* Test disabling tickets. */
2253 if ((SSL_set_options(ssl, SSL_OP_NO_TICKET) & SSL_OP_NO_TICKET) == 0) {
2254 FAIL("Cannot disable tickets in the TLS connection\n");
2255 return 0;
2256 }
2257 if (tlsext_sessionticket_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
2258 FAIL("server should not need SessionTicket if it was disabled\n");
2259 goto err;
2260 }
2261
2262 /* Test re-enabling tickets. */
2263 if ((SSL_clear_options(ssl, SSL_OP_NO_TICKET) & SSL_OP_NO_TICKET) != 0) {
2264 FAIL("Cannot re-enable tickets in the TLS connection\n");
2265 return 0;
2266 }
2267 if (tlsext_sessionticket_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
2268 FAIL("server should not need SessionTicket yet\n");
2269 goto err;
2270 }
2271
2272 /* Set expected to require it. */
2273 ssl->internal->tlsext_ticket_expected = 1;
2274 if (!tlsext_sessionticket_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
2275 FAIL("server should now be required for SessionTicket\n");
2276 goto err;
2277 }
2278
2279 /* server hello's session ticket should always be 0 length payload. */
2280 if (!tlsext_sessionticket_server_build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) {
2281 FAIL("Cannot build a ticket with a max length random payload\n");
2282 goto err;
2283 }
2284 if (!CBB_finish(&cbb, &data, &dlen)) {
2285 FAIL("Cannot finish CBB\n");
2286 goto err;
2287 }
2288 if (dlen != 0) {
2289 FAIL("Expected 0 length but found %zu\n", dlen);
2290 goto err;
2291 }
2292
2293 failure = 0;
2294
2295 err:
2296 SSL_CTX_free(ssl_ctx);
2297 SSL_free(ssl);
2298
2299 return (failure);
2300}
2301
2302#ifndef OPENSSL_NO_SRTP
2303/*
2304 * Supported Secure Real-time Transport Protocol (RFC 5764 section 4.1.1)
2305 */
2306
2307/* Colon separated string values */
2308const char *tlsext_srtp_single_profile = "SRTP_AES128_CM_SHA1_80";
2309const char *tlsext_srtp_multiple_profiles = "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32";
2310
2311const char *tlsext_srtp_aes128cmsha80 = "SRTP_AES128_CM_SHA1_80";
2312const char *tlsext_srtp_aes128cmsha32 = "SRTP_AES128_CM_SHA1_32";
2313
2314const uint8_t tlsext_srtp_single[] = {
2315 /* SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1> */
2316 0x00, 0x02, /* len */
2317 0x00, 0x01, /* SRTP_AES128_CM_SHA1_80 */
2318 0x00 /* opaque srtp_mki<0..255> */
2319};
2320
2321const uint8_t tlsext_srtp_multiple[] = {
2322 /* SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1> */
2323 0x00, 0x04, /* len */
2324 0x00, 0x01, /* SRTP_AES128_CM_SHA1_80 */
2325 0x00, 0x02, /* SRTP_AES128_CM_SHA1_32 */
2326 0x00 /* opaque srtp_mki<0..255> */
2327};
2328
2329const uint8_t tlsext_srtp_multiple_invalid[] = {
2330 /* SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1> */
2331 0x00, 0x04, /* len */
2332 0x00, 0x08, /* arbitrary value not found in known profiles */
2333 0x00, 0x09, /* arbitrary value not found in known profiles */
2334 0x00 /* opaque srtp_mki<0..255> */
2335};
2336
2337const uint8_t tlsext_srtp_single_invalid[] = {
2338 /* SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1> */
2339 0x00, 0x02, /* len */
2340 0x00, 0x08, /* arbitrary value not found in known profiles */
2341 0x00 /* opaque srtp_mki<0..255> */
2342};
2343
2344const uint8_t tlsext_srtp_multiple_one_valid[] = {
2345 /* SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1> */
2346 0x00, 0x04, /* len */
2347 0x00, 0x08, /* arbitrary value not found in known profiles */
2348 0x00, 0x02, /* SRTP_AES128_CM_SHA1_32 */
2349 0x00 /* opaque srtp_mki<0..255> */
2350};
2351
2352static int
2353test_tlsext_srtp_client(void)
2354{
2355 SRTP_PROTECTION_PROFILE *prof;
2356 SSL_CTX *ssl_ctx = NULL;
2357 SSL *ssl = NULL;
2358 uint8_t *data = NULL;
2359 CBB cbb;
2360 CBS cbs;
2361 int failure, alert;
2362 size_t dlen;
2363
2364 CBB_init(&cbb, 0);
2365
2366 failure = 1;
2367
2368 /* SRTP is for DTLS */
2369 if ((ssl_ctx = SSL_CTX_new(DTLSv1_client_method())) == NULL)
2370 errx(1, "failed to create SSL_CTX");
2371 if ((ssl = SSL_new(ssl_ctx)) == NULL)
2372 errx(1, "failed to create SSL");
2373
2374 /* By default, we don't need this */
2375 if (tlsext_srtp_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
2376 FAIL("client should not need SRTP by default\n");
2377 goto err;
2378 }
2379
2380 if (SSL_set_tlsext_use_srtp(ssl, tlsext_srtp_single_profile) != 0) {
2381 FAIL("should be able to set a single SRTP\n");
2382 goto err;
2383 }
2384 if (!tlsext_srtp_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
2385 FAIL("client should need SRTP\n");
2386 goto err;
2387 }
2388
2389 /* Make sure we can build the client with a single profile. */
2390
2391 if (!tlsext_srtp_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
2392 FAIL("client failed to build SRTP\n");
2393 goto err;
2394 }
2395 if (!CBB_finish(&cbb, &data, &dlen))
2396 errx(1, "failed to finish CBB");
2397
2398 if (dlen != sizeof(tlsext_srtp_single)) {
2399 FAIL("got client SRTP with length %zu, "
2400 "want length %zu\n", dlen,
2401 sizeof(tlsext_srtp_single));
2402 compare_data(data, dlen, tlsext_srtp_single,
2403 sizeof(tlsext_srtp_single));
2404 goto err;
2405 }
2406 if (memcmp(data, tlsext_srtp_single, dlen) != 0) {
2407 FAIL("client SRTP differs:\n");
2408 compare_data(data, dlen, tlsext_srtp_single,
2409 sizeof(tlsext_srtp_single));
2410 goto err;
2411 }
2412
2413 CBB_cleanup(&cbb);
2414 CBB_init(&cbb, 0);
2415 free(data);
2416 data = NULL;
2417
2418 /* Make sure we can parse the single profile. */
2419
2420 if (SSL_get_selected_srtp_profile(ssl) != NULL) {
2421 FAIL("SRTP profile should not be set yet\n");
2422 goto err;
2423 }
2424
2425 CBS_init(&cbs, tlsext_srtp_single, sizeof(tlsext_srtp_single));
2426 if (!tlsext_srtp_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
2427 FAIL("failed to parse SRTP\n");
2428 goto err;
2429 }
2430 if (CBS_len(&cbs) != 0) {
2431 FAIL("extension data remaining\n");
2432 goto err;
2433 }
2434
2435 if ((prof = SSL_get_selected_srtp_profile(ssl)) == NULL) {
2436 FAIL("SRTP profile should be set now\n");
2437 goto err;
2438 }
2439 if (strcmp(prof->name, tlsext_srtp_aes128cmsha80) != 0) {
2440 FAIL("SRTP profile was not set properly\n");
2441 goto err;
2442 }
2443
2444 if (!tlsext_srtp_server_needs(ssl, SSL_TLSEXT_MSG_CH)) {
2445 FAIL("should send server extension when profile selected\n");
2446 goto err;
2447 }
2448
2449 /* Make sure we can build the clienthello with multiple entries. */
2450
2451 if (SSL_set_tlsext_use_srtp(ssl, tlsext_srtp_multiple_profiles) != 0) {
2452 FAIL("should be able to set SRTP to multiple profiles\n");
2453 goto err;
2454 }
2455 if (!tlsext_srtp_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
2456 FAIL("client should need SRTP by now\n");
2457 goto err;
2458 }
2459
2460 if (!tlsext_srtp_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
2461 FAIL("client failed to build SRTP\n");
2462 goto err;
2463 }
2464 if (!CBB_finish(&cbb, &data, &dlen))
2465 errx(1, "failed to finish CBB");
2466
2467 if (dlen != sizeof(tlsext_srtp_multiple)) {
2468 FAIL("got client SRTP with length %zu, "
2469 "want length %zu\n", dlen,
2470 sizeof(tlsext_srtp_multiple));
2471 compare_data(data, dlen, tlsext_srtp_multiple,
2472 sizeof(tlsext_srtp_multiple));
2473 goto err;
2474 }
2475 if (memcmp(data, tlsext_srtp_multiple, dlen) != 0) {
2476 FAIL("client SRTP differs:\n");
2477 compare_data(data, dlen, tlsext_srtp_multiple,
2478 sizeof(tlsext_srtp_multiple));
2479 goto err;
2480 }
2481
2482 CBB_cleanup(&cbb);
2483 CBB_init(&cbb, 0);
2484 free(data);
2485 data = NULL;
2486
2487 /* Make sure we can parse multiple profiles (selects server preferred) */
2488
2489 ssl->internal->srtp_profile = NULL;
2490
2491 CBS_init(&cbs, tlsext_srtp_multiple,
2492 sizeof(tlsext_srtp_multiple));
2493 if (!tlsext_srtp_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
2494 FAIL("failed to parse SRTP\n");
2495 goto err;
2496 }
2497 if (CBS_len(&cbs) != 0) {
2498 FAIL("extension data remaining\n");
2499 goto err;
2500 }
2501
2502 if ((prof = SSL_get_selected_srtp_profile(ssl)) == NULL) {
2503 FAIL("SRTP profile should be set now\n");
2504 goto err;
2505 }
2506 if (strcmp(prof->name, tlsext_srtp_aes128cmsha80) != 0) {
2507 FAIL("SRTP profile was not set properly\n");
2508 goto err;
2509 }
2510
2511 if (!tlsext_srtp_server_needs(ssl, SSL_TLSEXT_MSG_CH)) {
2512 FAIL("should send server extension when profile selected\n");
2513 goto err;
2514 }
2515
2516 /*
2517 * Make sure we can parse the clienthello with multiple entries
2518 * where one is unknown.
2519 */
2520 ssl->internal->srtp_profile = NULL;
2521
2522 CBS_init(&cbs, tlsext_srtp_multiple_one_valid,
2523 sizeof(tlsext_srtp_multiple_one_valid));
2524 if (!tlsext_srtp_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
2525 FAIL("failed to parse SRTP\n");
2526 goto err;
2527 }
2528 if (CBS_len(&cbs) != 0) {
2529 FAIL("extension data remaining\n");
2530 goto err;
2531 }
2532
2533 if ((prof = SSL_get_selected_srtp_profile(ssl)) == NULL) {
2534 FAIL("SRTP profile should be set now\n");
2535 goto err;
2536 }
2537 if (strcmp(prof->name, tlsext_srtp_aes128cmsha32) != 0) {
2538 FAIL("SRTP profile was not set properly\n");
2539 goto err;
2540 }
2541
2542 if (!tlsext_srtp_server_needs(ssl, SSL_TLSEXT_MSG_CH)) {
2543 FAIL("should send server extension when profile selected\n");
2544 goto err;
2545 }
2546
2547 /* Make sure we fall back to negotiated when none work. */
2548
2549 ssl->internal->srtp_profile = NULL;
2550
2551 CBS_init(&cbs, tlsext_srtp_multiple_invalid,
2552 sizeof(tlsext_srtp_multiple_invalid));
2553 if (!tlsext_srtp_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
2554 FAIL("should be able to fall back to negotiated\n");
2555 goto err;
2556 }
2557 if (CBS_len(&cbs) != 0) {
2558 FAIL("extension data remaining\n");
2559 goto err;
2560 }
2561
2562 /* If we fallback, the server should NOT send the extension. */
2563 if (SSL_get_selected_srtp_profile(ssl) != NULL) {
2564 FAIL("should not have selected a profile when none found\n");
2565 goto err;
2566 }
2567 if (tlsext_srtp_server_needs(ssl, SSL_TLSEXT_MSG_CH)) {
2568 FAIL("should not send server tlsext when no profile found\n");
2569 goto err;
2570 }
2571
2572 failure = 0;
2573
2574 err:
2575 CBB_cleanup(&cbb);
2576 SSL_CTX_free(ssl_ctx);
2577 SSL_free(ssl);
2578 free(data);
2579
2580 return (failure);
2581}
2582
2583static int
2584test_tlsext_srtp_server(void)
2585{
2586 const SRTP_PROTECTION_PROFILE *prof;
2587 SSL_CTX *ssl_ctx = NULL;
2588 SSL *ssl = NULL;
2589 uint8_t *data = NULL;
2590 CBB cbb;
2591 CBS cbs;
2592 int failure, alert;
2593 size_t dlen;
2594
2595 CBB_init(&cbb, 0);
2596
2597 failure = 1;
2598
2599 /* SRTP is for DTLS */
2600 if ((ssl_ctx = SSL_CTX_new(DTLSv1_client_method())) == NULL)
2601 errx(1, "failed to create SSL_CTX");
2602 if ((ssl = SSL_new(ssl_ctx)) == NULL)
2603 errx(1, "failed to create SSL");
2604
2605 /* By default, we don't need this */
2606 if (tlsext_srtp_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
2607 FAIL("server should not need SRTP by default\n");
2608 goto err;
2609 }
2610
2611 if (srtp_find_profile_by_name(tlsext_srtp_aes128cmsha80, &prof,
2612 strlen(tlsext_srtp_aes128cmsha80))) {
2613 FAIL("should be able to find the given profile\n");
2614 goto err;
2615 }
2616 ssl->internal->srtp_profile = prof;
2617 if (!tlsext_srtp_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
2618 FAIL("server should need SRTP by now\n");
2619 goto err;
2620 }
2621
2622 /* Make sure we can build the server with a single profile. */
2623
2624 if (!tlsext_srtp_server_build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) {
2625 FAIL("server failed to build SRTP\n");
2626 goto err;
2627 }
2628 if (!CBB_finish(&cbb, &data, &dlen))
2629 errx(1, "failed to finish CBB");
2630
2631 if (dlen != sizeof(tlsext_srtp_single)) {
2632 FAIL("got server SRTP with length %zu, "
2633 "want length %zu\n", dlen,
2634 sizeof(tlsext_srtp_single));
2635 compare_data(data, dlen, tlsext_srtp_single,
2636 sizeof(tlsext_srtp_single));
2637 goto err;
2638 }
2639 if (memcmp(data, tlsext_srtp_single, dlen) != 0) {
2640 FAIL("server SRTP differs:\n");
2641 compare_data(data, dlen, tlsext_srtp_single,
2642 sizeof(tlsext_srtp_single));
2643 goto err;
2644 }
2645
2646 CBB_cleanup(&cbb);
2647 CBB_init(&cbb, 0);
2648 free(data);
2649 data = NULL;
2650
2651 /* Make sure we can parse the single profile. */
2652 ssl->internal->srtp_profile = NULL;
2653
2654 if (SSL_get_selected_srtp_profile(ssl) != NULL) {
2655 FAIL("SRTP profile should not be set yet\n");
2656 goto err;
2657 }
2658
2659 /* Setup the environment as if a client sent a list of profiles. */
2660 if (SSL_set_tlsext_use_srtp(ssl, tlsext_srtp_multiple_profiles) != 0) {
2661 FAIL("should be able to set multiple profiles in SRTP\n");
2662 goto err;
2663 }
2664
2665 CBS_init(&cbs, tlsext_srtp_single, sizeof(tlsext_srtp_single));
2666 if (!tlsext_srtp_client_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
2667 FAIL("failed to parse SRTP\n");
2668 goto err;
2669 }
2670 if (CBS_len(&cbs) != 0) {
2671 FAIL("extension data remaining\n");
2672 goto err;
2673 }
2674
2675 if ((prof = SSL_get_selected_srtp_profile(ssl)) == NULL) {
2676 FAIL("SRTP profile should be set now\n");
2677 goto err;
2678 }
2679 if (strcmp(prof->name, tlsext_srtp_aes128cmsha80) != 0) {
2680 FAIL("SRTP profile was not set properly\n");
2681 goto err;
2682 }
2683
2684 /* Make sure we cannot parse multiple profiles */
2685 ssl->internal->srtp_profile = NULL;
2686
2687 CBS_init(&cbs, tlsext_srtp_multiple,
2688 sizeof(tlsext_srtp_multiple));
2689 if (tlsext_srtp_client_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
2690 FAIL("should not find multiple entries from the server\n");
2691 goto err;
2692 }
2693
2694 /* Make sure we cannot parse a server with unknown profile */
2695 ssl->internal->srtp_profile = NULL;
2696
2697 CBS_init(&cbs, tlsext_srtp_single_invalid,
2698 sizeof(tlsext_srtp_single_invalid));
2699 if (tlsext_srtp_client_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
2700 FAIL("should not be able to parse this\n");
2701 goto err;
2702 }
2703
2704 failure = 0;
2705
2706 err:
2707 CBB_cleanup(&cbb);
2708 SSL_CTX_free(ssl_ctx);
2709 SSL_free(ssl);
2710 free(data);
2711
2712 return (failure);
2713}
2714#endif /* OPENSSL_NO_SRTP */
2715
2716unsigned char tlsext_clienthello_default[] = {
2717 0x00, 0x34, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00,
2718 0x00, 0x0a, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x1d,
2719 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x00, 0x23,
2720 0x00, 0x00, 0x00, 0x0d, 0x00, 0x18, 0x00, 0x16,
2721 0x08, 0x06, 0x06, 0x01, 0x06, 0x03, 0x08, 0x05,
2722 0x05, 0x01, 0x05, 0x03, 0x08, 0x04, 0x04, 0x01,
2723 0x04, 0x03, 0x02, 0x01, 0x02, 0x03,
2724};
2725
2726unsigned char tlsext_clienthello_disabled[] = {};
2727
2728static int
2729test_tlsext_clienthello_build(void)
2730{
2731 unsigned char *data = NULL;
2732 SSL_CTX *ssl_ctx = NULL;
2733 SSL *ssl = NULL;
2734 size_t dlen;
2735 int failure;
2736 CBB cbb;
2737
2738 failure = 1;
2739
2740 if (!CBB_init(&cbb, 0))
2741 errx(1, "failed to create CBB");
2742
2743 if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL)
2744 errx(1, "failed to create SSL_CTX");
2745 if ((ssl = SSL_new(ssl_ctx)) == NULL)
2746 errx(1, "failed to create SSL");
2747
2748 S3I(ssl)->hs.our_min_tls_version = TLS1_VERSION;
2749 S3I(ssl)->hs.our_max_tls_version = TLS1_2_VERSION;
2750
2751 if (!tlsext_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
2752 FAIL("failed to build clienthello extensions\n");
2753 goto err;
2754 }
2755 if (!CBB_finish(&cbb, &data, &dlen))
2756 errx(1, "failed to finish CBB");
2757
2758 if (dlen != sizeof(tlsext_clienthello_default)) {
2759 FAIL("got clienthello extensions with length %zu, "
2760 "want length %zu\n", dlen,
2761 sizeof(tlsext_clienthello_default));
2762 compare_data(data, dlen, tlsext_clienthello_default,
2763 sizeof(tlsext_clienthello_default));
2764 goto err;
2765 }
2766 if (memcmp(data, tlsext_clienthello_default, dlen) != 0) {
2767 FAIL("clienthello extensions differs:\n");
2768 compare_data(data, dlen, tlsext_clienthello_default,
2769 sizeof(tlsext_clienthello_default));
2770 goto err;
2771 }
2772
2773 CBB_cleanup(&cbb);
2774 CBB_init(&cbb, 0);
2775
2776 /* Switch to TLSv1.1, disable EC ciphers and session tickets. */
2777 S3I(ssl)->hs.our_max_tls_version = TLS1_1_VERSION;
2778 if (!SSL_set_cipher_list(ssl, "TLSv1.2:!ECDHE:!ECDSA")) {
2779 FAIL("failed to set cipher list\n");
2780 goto err;
2781 }
2782 if ((SSL_set_options(ssl, SSL_OP_NO_TICKET) & SSL_OP_NO_TICKET) == 0) {
2783 FAIL("failed to disable session tickets\n");
2784 return 0;
2785 }
2786
2787 if (!tlsext_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
2788 FAIL("failed to build clienthello extensions\n");
2789 goto err;
2790 }
2791 if (!CBB_finish(&cbb, &data, &dlen))
2792 errx(1, "failed to finish CBB");
2793
2794 if (dlen != sizeof(tlsext_clienthello_disabled)) {
2795 FAIL("got clienthello extensions with length %zu, "
2796 "want length %zu\n", dlen,
2797 sizeof(tlsext_clienthello_disabled));
2798 compare_data(data, dlen, tlsext_clienthello_disabled,
2799 sizeof(tlsext_clienthello_disabled));
2800 goto err;
2801 }
2802 if (memcmp(data, tlsext_clienthello_disabled, dlen) != 0) {
2803 FAIL("clienthello extensions differs:\n");
2804 compare_data(data, dlen, tlsext_clienthello_disabled,
2805 sizeof(tlsext_clienthello_disabled));
2806 goto err;
2807 }
2808
2809 failure = 0;
2810
2811 err:
2812 CBB_cleanup(&cbb);
2813 SSL_CTX_free(ssl_ctx);
2814 SSL_free(ssl);
2815 free(data);
2816
2817 return (failure);
2818}
2819
2820unsigned char tlsext_serverhello_default[] = {
2821 0x00, 0x06, 0x00, 0x2b, 0x00, 0x02, 0x03, 0x04,
2822};
2823
2824unsigned char tlsext_serverhello_enabled[] = {
2825 0x00, 0x10, 0x00, 0x2b, 0x00, 0x02, 0x03, 0x04,
2826 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23,
2827 0x00, 0x00,
2828};
2829
2830static int
2831test_tlsext_serverhello_build(void)
2832{
2833 unsigned char *data = NULL;
2834 SSL_CTX *ssl_ctx = NULL;
2835 SSL *ssl = NULL;
2836 size_t dlen;
2837 int failure;
2838 CBB cbb;
2839
2840 failure = 1;
2841
2842 if (!CBB_init(&cbb, 0))
2843 errx(1, "failed to create CBB");
2844
2845 if ((ssl_ctx = SSL_CTX_new(TLS_server_method())) == NULL)
2846 errx(1, "failed to create SSL_CTX");
2847 if ((ssl = SSL_new(ssl_ctx)) == NULL)
2848 errx(1, "failed to create SSL");
2849 if ((ssl->session = SSL_SESSION_new()) == NULL)
2850 errx(1, "failed to create session");
2851
2852 S3I(ssl)->hs.our_max_tls_version = TLS1_3_VERSION;
2853 S3I(ssl)->hs.negotiated_tls_version = TLS1_3_VERSION;
2854 S3I(ssl)->hs.cipher =
2855 ssl3_get_cipher_by_id(TLS1_CK_RSA_WITH_AES_128_SHA256);
2856
2857 if (!tlsext_server_build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) {
2858 FAIL("failed to build serverhello extensions\n");
2859 goto err;
2860 }
2861 if (!CBB_finish(&cbb, &data, &dlen))
2862 errx(1, "failed to finish CBB");
2863
2864 if (dlen != sizeof(tlsext_serverhello_default)) {
2865 FAIL("got serverhello extensions with length %zu, "
2866 "want length %zu\n", dlen,
2867 sizeof(tlsext_serverhello_default));
2868 compare_data(data, dlen, tlsext_serverhello_default,
2869 sizeof(tlsext_serverhello_default));
2870 goto err;
2871 }
2872 if (memcmp(data, tlsext_serverhello_default, dlen) != 0) {
2873 FAIL("serverhello extensions differs:\n");
2874 compare_data(data, dlen, tlsext_serverhello_default,
2875 sizeof(tlsext_serverhello_default));
2876 goto err;
2877 }
2878
2879 CBB_cleanup(&cbb);
2880 CBB_init(&cbb, 0);
2881
2882 /* Turn a few things on so we get extensions... */
2883 S3I(ssl)->send_connection_binding = 1;
2884 S3I(ssl)->hs.cipher =
2885 ssl3_get_cipher_by_id(TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256);
2886 ssl->internal->tlsext_status_expected = 1;
2887 ssl->internal->tlsext_ticket_expected = 1;
2888 if ((SSI(ssl)->tlsext_ecpointformatlist = malloc(1)) == NULL)
2889 errx(1, "malloc failed");
2890 SSI(ssl)->tlsext_ecpointformatlist_length = 1;
2891 SSI(ssl)->tlsext_ecpointformatlist[0] =
2892 TLSEXT_ECPOINTFORMAT_uncompressed;
2893
2894 if (!tlsext_server_build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) {
2895 FAIL("failed to build serverhello extensions\n");
2896 goto err;
2897 }
2898 if (!CBB_finish(&cbb, &data, &dlen))
2899 errx(1, "failed to finish CBB");
2900
2901 if (dlen != sizeof(tlsext_serverhello_enabled)) {
2902 FAIL("got serverhello extensions with length %zu, "
2903 "want length %zu\n", dlen,
2904 sizeof(tlsext_serverhello_enabled));
2905 compare_data(data, dlen, tlsext_serverhello_enabled,
2906 sizeof(tlsext_serverhello_enabled));
2907 goto err;
2908 }
2909 if (memcmp(data, tlsext_serverhello_enabled, dlen) != 0) {
2910 FAIL("serverhello extensions differs:\n");
2911 compare_data(data, dlen, tlsext_serverhello_enabled,
2912 sizeof(tlsext_serverhello_enabled));
2913 goto err;
2914 }
2915
2916 failure = 0;
2917
2918 err:
2919 CBB_cleanup(&cbb);
2920 SSL_CTX_free(ssl_ctx);
2921 SSL_free(ssl);
2922 free(data);
2923
2924 return (failure);
2925}
2926
2927const unsigned char tlsext_versions_client[] = {
2928 0x08, 0x03, 0x04, 0x03, 0x03, 0x03,
2929 0x02, 0x03, 0x01,
2930};
2931
2932const unsigned char tlsext_versions_server[] = {
2933 0x03, 0x04,
2934};
2935
2936static int
2937test_tlsext_versions_client(void)
2938{
2939 unsigned char *data = NULL;
2940 SSL_CTX *ssl_ctx = NULL;
2941 SSL *ssl = NULL;
2942 int failure = 0;
2943 size_t dlen;
2944 int alert;
2945 CBB cbb;
2946 CBS cbs;
2947
2948 CBB_init(&cbb, 0);
2949
2950 if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL)
2951 errx(1, "failed to create SSL_CTX");
2952 if ((ssl = SSL_new(ssl_ctx)) == NULL)
2953 errx(1, "failed to create SSL");
2954
2955 S3I(ssl)->hs.our_max_tls_version = TLS1_1_VERSION;
2956
2957 if (tlsext_versions_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
2958 FAIL("client should not need versions\n");
2959 failure = 1;
2960 goto done;
2961 }
2962
2963 S3I(ssl)->hs.our_max_tls_version = TLS1_2_VERSION;
2964
2965 if (tlsext_versions_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
2966 FAIL("client should not need versions\n");
2967 failure = 1;
2968 goto done;
2969 }
2970
2971 S3I(ssl)->hs.our_max_tls_version = TLS1_3_VERSION;
2972
2973 if (!tlsext_versions_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
2974 FAIL("client should need versions\n");
2975 failure = 1;
2976 goto done;
2977 }
2978
2979 S3I(ssl)->hs.our_min_tls_version = TLS1_VERSION;
2980 S3I(ssl)->hs.our_max_tls_version = TLS1_3_VERSION;
2981
2982 if (!tlsext_versions_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
2983 FAIL("client should have built versions\n");
2984 failure = 1;
2985 goto done;
2986 }
2987
2988 if (!CBB_finish(&cbb, &data, &dlen)) {
2989 FAIL("failed to finish CBB\n");
2990 failure = 1;
2991 goto done;
2992 }
2993
2994 if (dlen != sizeof(tlsext_versions_client)) {
2995 FAIL("got versions with length %zu, "
2996 "want length %zu\n", dlen, sizeof(tlsext_versions_client));
2997 failure = 1;
2998 goto done;
2999 }
3000
3001 CBS_init(&cbs, data, dlen);
3002 if (!tlsext_versions_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
3003 FAIL("failed to parse client versions\n");
3004 failure = 1;
3005 goto done;
3006 }
3007 if (CBS_len(&cbs) != 0) {
3008 FAIL("extension data remaining\n");
3009 failure = 1;
3010 goto done;
3011 }
3012 done:
3013 CBB_cleanup(&cbb);
3014 SSL_CTX_free(ssl_ctx);
3015 SSL_free(ssl);
3016 free(data);
3017
3018 return (failure);
3019}
3020
3021
3022static int
3023test_tlsext_versions_server(void)
3024{
3025 unsigned char *data = NULL;
3026 SSL_CTX *ssl_ctx = NULL;
3027 SSL *ssl = NULL;
3028 int failure = 0;
3029 size_t dlen;
3030 int alert;
3031 CBB cbb;
3032 CBS cbs;
3033
3034 CBB_init(&cbb, 0);
3035
3036 if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL)
3037 errx(1, "failed to create SSL_CTX");
3038 if ((ssl = SSL_new(ssl_ctx)) == NULL)
3039 errx(1, "failed to create SSL");
3040
3041 S3I(ssl)->hs.negotiated_tls_version = TLS1_2_VERSION;
3042
3043 if (tlsext_versions_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
3044 FAIL("server should not need versions\n");
3045 failure = 1;
3046 goto done;
3047 }
3048
3049 S3I(ssl)->hs.negotiated_tls_version = TLS1_3_VERSION;
3050
3051 if (!tlsext_versions_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
3052 FAIL("server should need versions\n");
3053 failure = 1;
3054 goto done;
3055 }
3056
3057 if (!tlsext_versions_server_build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) {
3058 FAIL("server should have built versions\n");
3059 failure = 1;
3060 goto done;
3061 }
3062
3063 if (!CBB_finish(&cbb, &data, &dlen)) {
3064 FAIL("failed to finish CBB\n");
3065 failure = 1;
3066 goto done;
3067 }
3068
3069 if (dlen != sizeof(tlsext_versions_server)) {
3070 FAIL("got versions with length %zu, "
3071 "want length %zu\n", dlen, sizeof(tlsext_versions_server));
3072 failure = 1;
3073 goto done;
3074 }
3075
3076 CBS_init(&cbs, data, dlen);
3077 if (!tlsext_versions_client_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
3078 FAIL("failed to parse client versions\n");
3079 failure = 1;
3080 goto done;
3081 }
3082 if (CBS_len(&cbs) != 0) {
3083 FAIL("extension data remaining\n");
3084 failure = 1;
3085 goto done;
3086 }
3087 done:
3088 CBB_cleanup(&cbb);
3089 SSL_CTX_free(ssl_ctx);
3090 SSL_free(ssl);
3091 free(data);
3092
3093 return (failure);
3094}
3095
3096const unsigned char tlsext_keyshare_client[] = {
3097 0x00, 0x24, 0x00, 0x1d, 0x00, 0x20, 0xba, 0x83,
3098 0x2e, 0x4a, 0x18, 0xbe, 0x96, 0xd2, 0x71, 0x70,
3099 0x18, 0x04, 0xf9, 0x9d, 0x76, 0x98, 0xef, 0xe8,
3100 0x4f, 0x8b, 0x85, 0x41, 0xa4, 0xd9, 0x61, 0x57,
3101 0xad, 0x5b, 0xa4, 0xe9, 0x8b, 0x6b,
3102};
3103
3104const unsigned char tlsext_keyshare_server[] = {
3105 0x00, 0x1d, 0x00, 0x20, 0xe5, 0xe8, 0x5a, 0xb9,
3106 0x7e, 0x12, 0x62, 0xe3, 0xd8, 0x7f, 0x6e, 0x3c,
3107 0xec, 0xa6, 0x8b, 0x99, 0x45, 0x77, 0x8e, 0x11,
3108 0xb3, 0xb9, 0x12, 0xb6, 0xbe, 0x35, 0xca, 0x51,
3109 0x76, 0x1e, 0xe8, 0x22
3110};
3111
3112static int
3113test_tlsext_keyshare_client(void)
3114{
3115 unsigned char *data = NULL;
3116 SSL_CTX *ssl_ctx = NULL;
3117 SSL *ssl = NULL;
3118 int failure = 0;
3119 size_t dlen;
3120 int alert;
3121 CBB cbb;
3122 CBS cbs;
3123
3124 CBB_init(&cbb, 0);
3125
3126 if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL)
3127 errx(1, "failed to create SSL_CTX");
3128 if ((ssl = SSL_new(ssl_ctx)) == NULL)
3129 errx(1, "failed to create SSL");
3130
3131 if ((S3I(ssl)->hs.tls13.key_share =
3132 tls13_key_share_new_nid(NID_X25519)) == NULL)
3133 errx(1, "failed to create key share");
3134 if (!tls13_key_share_generate(S3I(ssl)->hs.tls13.key_share))
3135 errx(1, "failed to generate key share");
3136
3137 S3I(ssl)->hs.our_max_tls_version = TLS1_2_VERSION;
3138 if (tlsext_keyshare_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
3139 FAIL("client should not need keyshare\n");
3140 failure = 1;
3141 goto done;
3142 }
3143
3144 S3I(ssl)->hs.our_max_tls_version = TLS1_3_VERSION;
3145 if (!tlsext_keyshare_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
3146 FAIL("client should need keyshare\n");
3147 failure = 1;
3148 goto done;
3149 }
3150
3151 S3I(ssl)->hs.our_max_tls_version = TLS1_3_VERSION;
3152 if (!tlsext_keyshare_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
3153 FAIL("client should have built keyshare\n");
3154 failure = 1;
3155 goto done;
3156 }
3157
3158 if (!CBB_finish(&cbb, &data, &dlen)) {
3159 FAIL("failed to finish CBB\n");
3160 failure = 1;
3161 goto done;
3162 }
3163
3164 if (dlen != sizeof(tlsext_keyshare_client)) {
3165 FAIL("got client keyshare with length %zu, "
3166 "want length %zu\n", dlen, (size_t) sizeof(tlsext_keyshare_client));
3167 failure = 1;
3168 goto done;
3169 }
3170
3171 (ssl)->version = TLS1_3_VERSION;
3172 CBS_init(&cbs, data, dlen);
3173
3174 if (!tlsext_keyshare_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
3175 FAIL("failed to parse client keyshare\n");
3176 failure = 1;
3177 goto done;
3178 }
3179
3180 if (CBS_len(&cbs) != 0) {
3181 FAIL("extension data remaining\n");
3182 failure = 1;
3183 goto done;
3184 }
3185
3186
3187 done:
3188 CBB_cleanup(&cbb);
3189 SSL_CTX_free(ssl_ctx);
3190 SSL_free(ssl);
3191 free(data);
3192
3193 return (failure);
3194}
3195
3196static int
3197test_tlsext_keyshare_server(void)
3198{
3199 unsigned char *data = NULL;
3200 SSL_CTX *ssl_ctx = NULL;
3201 SSL *ssl = NULL;
3202 int failure = 0;
3203 size_t dlen, idx;
3204 int alert;
3205 CBB cbb;
3206 CBS cbs;
3207 uint8_t bogokey[] = {
3208 0xe5, 0xe8, 0x5a, 0xb9, 0x7e, 0x12, 0x62, 0xe3,
3209 0xd8, 0x7f, 0x6e, 0x3c, 0xec, 0xa6, 0x8b, 0x99,
3210 0x45, 0x77, 0x8e, 0x11, 0xb3, 0xb9, 0x12, 0xb6,
3211 0xbe, 0x35, 0xca, 0x51, 0x76, 0x1e, 0xe8, 0x22,
3212 };
3213
3214 CBB_init(&cbb, 0);
3215
3216 if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL)
3217 errx(1, "failed to create SSL_CTX");
3218 if ((ssl = SSL_new(ssl_ctx)) == NULL)
3219 errx(1, "failed to create SSL");
3220
3221 S3I(ssl)->hs.negotiated_tls_version = TLS1_2_VERSION;
3222 if (tlsext_keyshare_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
3223 FAIL("server should not need keyshare\n");
3224 failure = 1;
3225 goto done;
3226 }
3227
3228 S3I(ssl)->hs.negotiated_tls_version = TLS1_3_VERSION;
3229 if (tlsext_keyshare_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
3230 FAIL("client should not need keyshare\n");
3231 failure = 1;
3232 goto done;
3233 }
3234
3235 if (tls_extension_find(TLSEXT_TYPE_key_share, &idx) == NULL) {
3236 FAIL("failed to find keyshare extension\n");
3237 failure = 1;
3238 goto done;
3239 }
3240 S3I(ssl)->hs.extensions_seen |= (1 << idx);
3241
3242 if (!tlsext_keyshare_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
3243 FAIL("server should need keyshare\n");
3244 failure = 1;
3245 goto done;
3246 }
3247
3248 if (tlsext_keyshare_server_build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) {
3249 FAIL("server should not have built a keyshare response\n");
3250 failure = 1;
3251 goto done;
3252 }
3253
3254 if ((S3I(ssl)->hs.tls13.key_share =
3255 tls13_key_share_new_nid(NID_X25519)) == NULL)
3256 errx(1, "failed to create key share");
3257 if (!tls13_key_share_generate(S3I(ssl)->hs.tls13.key_share))
3258 errx(1, "failed to generate key share");
3259
3260 CBS_init(&cbs, bogokey, sizeof(bogokey));
3261 if (!tls13_key_share_peer_public(S3I(ssl)->hs.tls13.key_share,
3262 0x001d, &cbs)) {
3263 FAIL("failed to load peer public key\n");
3264 failure = 1;
3265 goto done;
3266 }
3267
3268 if (!tlsext_keyshare_server_build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) {
3269 FAIL("server should be able to build a keyshare response\n");
3270 failure = 1;
3271 goto done;
3272 }
3273
3274 if (!CBB_finish(&cbb, &data, &dlen)) {
3275 FAIL("failed to finish CBB\n");
3276 failure = 1;
3277 goto done;
3278 }
3279
3280 if (dlen != sizeof(tlsext_keyshare_server)) {
3281 FAIL("got server keyshare with length %zu, "
3282 "want length %zu\n", dlen, sizeof(tlsext_keyshare_server));
3283 failure = 1;
3284 goto done;
3285 }
3286
3287 if ((S3I(ssl)->hs.tls13.key_share =
3288 tls13_key_share_new_nid(NID_X25519)) == NULL)
3289 errx(1, "failed to create key share");
3290 if (!tls13_key_share_generate(S3I(ssl)->hs.tls13.key_share))
3291 errx(1, "failed to generate key share");
3292
3293 CBS_init(&cbs, data, dlen);
3294
3295 if (!tlsext_keyshare_client_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
3296 FAIL("failed to parse server keyshare\n");
3297 failure = 1;
3298 goto done;
3299 }
3300
3301 if (CBS_len(&cbs) != 0) {
3302 FAIL("extension data remaining\n");
3303 failure = 1;
3304 goto done;
3305 }
3306
3307done:
3308 CBB_cleanup(&cbb);
3309 SSL_CTX_free(ssl_ctx);
3310 SSL_free(ssl);
3311 free(data);
3312
3313 return (failure);
3314}
3315
3316/* One day I hope to be the only Muppet in this codebase */
3317const uint8_t cookie[] = "\n"
3318 " (o)(o) \n"
3319 " m' 'm \n"
3320 " M -****- M \n"
3321 " 'm m' \n"
3322 " m''''''''''m \n"
3323 " M M BB \n";
3324
3325static int
3326test_tlsext_cookie_client(void)
3327{
3328 unsigned char *data = NULL;
3329 SSL_CTX *ssl_ctx = NULL;
3330 SSL *ssl = NULL;
3331 int failure = 0;
3332 size_t dlen;
3333 int alert;
3334 CBB cbb;
3335 CBS cbs;
3336
3337 CBB_init(&cbb, 0);
3338
3339 if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL)
3340 errx(1, "failed to create SSL_CTX");
3341 if ((ssl = SSL_new(ssl_ctx)) == NULL)
3342 errx(1, "failed to create SSL");
3343
3344 S3I(ssl)->hs.our_max_tls_version = TLS1_2_VERSION;
3345 if (tlsext_cookie_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
3346 FAIL("client should not need cookie\n");
3347 failure = 1;
3348 goto done;
3349 }
3350
3351
3352 S3I(ssl)->hs.our_max_tls_version = TLS1_3_VERSION;
3353 if (tlsext_cookie_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
3354 FAIL("client should not need cookie\n");
3355 failure = 1;
3356 goto done;
3357 }
3358
3359 /* Normally would be set by receiving a server cookie in an HRR */
3360 S3I(ssl)->hs.tls13.cookie = strdup(cookie);
3361 S3I(ssl)->hs.tls13.cookie_len = strlen(cookie);
3362
3363 if (!tlsext_cookie_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
3364 FAIL("client should need cookie\n");
3365 failure = 1;
3366 goto done;
3367 }
3368
3369 if (!tlsext_cookie_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
3370 FAIL("client should have built a cookie response\n");
3371 failure = 1;
3372 goto done;
3373 }
3374
3375 if (!CBB_finish(&cbb, &data, &dlen)) {
3376 FAIL("failed to finish CBB\n");
3377 failure = 1;
3378 goto done;
3379 }
3380
3381 if (dlen != strlen(cookie) + sizeof(uint16_t)) {
3382 FAIL("got cookie with length %zu, "
3383 "want length %zu\n", dlen, strlen(cookie) +
3384 sizeof(uint16_t));
3385 failure = 1;
3386 goto done;
3387 }
3388
3389 CBS_init(&cbs, data, dlen);
3390
3391 /* Checks cookie against what's in the hs.tls13 */
3392 if (!tlsext_cookie_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
3393 FAIL("failed to parse client cookie\n");
3394 failure = 1;
3395 goto done;
3396 }
3397
3398 if (CBS_len(&cbs) != 0) {
3399 FAIL("extension data remaining\n");
3400 failure = 1;
3401 goto done;
3402 }
3403
3404 done:
3405 CBB_cleanup(&cbb);
3406 SSL_CTX_free(ssl_ctx);
3407 SSL_free(ssl);
3408 free(data);
3409
3410 return (failure);
3411}
3412
3413static int
3414test_tlsext_cookie_server(void)
3415{
3416 unsigned char *data = NULL;
3417 SSL_CTX *ssl_ctx = NULL;
3418 SSL *ssl = NULL;
3419 int failure = 0;
3420 size_t dlen;
3421 int alert;
3422 CBB cbb;
3423 CBS cbs;
3424
3425 CBB_init(&cbb, 0);
3426
3427 if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL)
3428 errx(1, "failed to create SSL_CTX");
3429 if ((ssl = SSL_new(ssl_ctx)) == NULL)
3430 errx(1, "failed to create SSL");
3431
3432 S3I(ssl)->hs.our_max_tls_version = TLS1_2_VERSION;
3433 if (tlsext_cookie_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
3434 FAIL("server should not need cookie\n");
3435 failure = 1;
3436 goto done;
3437 }
3438
3439 S3I(ssl)->hs.our_max_tls_version = TLS1_3_VERSION;
3440 if (tlsext_cookie_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
3441 FAIL("server should not need cookie\n");
3442 failure = 1;
3443 goto done;
3444 }
3445
3446 /* Normally would be set by server before sending HRR */
3447 S3I(ssl)->hs.tls13.cookie = strdup(cookie);
3448 S3I(ssl)->hs.tls13.cookie_len = strlen(cookie);
3449
3450 if (!tlsext_cookie_server_needs(ssl, SSL_TLSEXT_MSG_HRR)) {
3451 FAIL("server should need cookie\n");
3452 failure = 1;
3453 goto done;
3454 }
3455
3456 if (!tlsext_cookie_server_build(ssl, SSL_TLSEXT_MSG_HRR, &cbb)) {
3457 FAIL("server should have built a cookie response\n");
3458 failure = 1;
3459 goto done;
3460 }
3461
3462 if (!CBB_finish(&cbb, &data, &dlen)) {
3463 FAIL("failed to finish CBB\n");
3464 failure = 1;
3465 goto done;
3466 }
3467
3468 if (dlen != strlen(cookie) + sizeof(uint16_t)) {
3469 FAIL("got cookie with length %zu, "
3470 "want length %zu\n", dlen, strlen(cookie) +
3471 sizeof(uint16_t));
3472 failure = 1;
3473 goto done;
3474 }
3475
3476 CBS_init(&cbs, data, dlen);
3477
3478 if (tlsext_cookie_client_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
3479 FAIL("client should not have parsed server cookie\n");
3480 failure = 1;
3481 goto done;
3482 }
3483
3484 freezero(S3I(ssl)->hs.tls13.cookie, S3I(ssl)->hs.tls13.cookie_len);
3485 S3I(ssl)->hs.tls13.cookie = NULL;
3486 S3I(ssl)->hs.tls13.cookie_len = 0;
3487
3488 if (!tlsext_cookie_client_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
3489 FAIL("failed to parse server cookie\n");
3490 failure = 1;
3491 goto done;
3492 }
3493
3494 if (memcmp(cookie, S3I(ssl)->hs.tls13.cookie,
3495 S3I(ssl)->hs.tls13.cookie_len) != 0) {
3496 FAIL("parsed server cookie does not match sent cookie\n");
3497 failure = 1;
3498 goto done;
3499 }
3500
3501 if (CBS_len(&cbs) != 0) {
3502 FAIL("extension data remaining\n");
3503 failure = 1;
3504 goto done;
3505 }
3506
3507done:
3508 CBB_cleanup(&cbb);
3509 SSL_CTX_free(ssl_ctx);
3510 SSL_free(ssl);
3511 free(data);
3512
3513 return (failure);
3514}
3515
3516unsigned char *valid_hostnames[] = {
3517 "openbsd.org",
3518 "op3nbsd.org",
3519 "org",
3520 "3openbsd.com",
3521 "3-0penb-d.c-m",
3522 "a",
3523 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com",
3524 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
3525 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
3526 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
3527 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
3528 NULL,
3529};
3530
3531static int
3532test_tlsext_valid_hostnames(void)
3533{
3534 int i, failure = 0;
3535
3536 for (i = 0; valid_hostnames[i] != NULL; i++) {
3537 CBS cbs;
3538 CBS_init(&cbs, valid_hostnames[i], strlen(valid_hostnames[i]));
3539 if (!tlsext_sni_is_valid_hostname(&cbs)) {
3540 FAIL("Valid hostname '%s' rejected\n",
3541 valid_hostnames[i]);
3542 failure = 1;
3543 goto done;
3544 }
3545 }
3546 done:
3547 return failure;
3548}
3549
3550unsigned char *invalid_hostnames[] = {
3551 "openbsd.org.",
3552 "openbsd..org",
3553 "openbsd.org-",
3554 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com",
3555 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
3556 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
3557 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
3558 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.a",
3559 "-p3nbsd.org",
3560 "openbs-.org",
3561 "openbsd\n.org",
3562 "open_bsd.org",
3563 "open\178bsd.org",
3564 "open\255bsd.org",
3565 NULL,
3566};
3567
3568static int
3569test_tlsext_invalid_hostnames(void)
3570{
3571 int i, failure = 0;
3572 CBS cbs;
3573
3574 for (i = 0; invalid_hostnames[i] != NULL; i++) {
3575 CBS_init(&cbs, invalid_hostnames[i],
3576 strlen(invalid_hostnames[i]));
3577 if (tlsext_sni_is_valid_hostname(&cbs)) {
3578 FAIL("Invalid hostname '%s' accepted\n",
3579 invalid_hostnames[i]);
3580 failure = 1;
3581 goto done;
3582 }
3583 }
3584 CBS_init(&cbs, valid_hostnames[0],
3585 strlen(valid_hostnames[0]) + 1);
3586 if (tlsext_sni_is_valid_hostname(&cbs)) {
3587 FAIL("hostname with NUL byte accepted\n");
3588 failure = 1;
3589 goto done;
3590 }
3591 done:
3592 return failure;
3593}
3594
3595
3596int
3597main(int argc, char **argv)
3598{
3599 int failed = 0;
3600
3601 SSL_library_init();
3602 SSL_load_error_strings();
3603
3604 failed |= test_tlsext_alpn_client();
3605 failed |= test_tlsext_alpn_server();
3606
3607 failed |= test_tlsext_supportedgroups_client();
3608 failed |= test_tlsext_supportedgroups_server();
3609
3610 failed |= test_tlsext_ecpf_client();
3611 failed |= test_tlsext_ecpf_server();
3612
3613 failed |= test_tlsext_ri_client();
3614 failed |= test_tlsext_ri_server();
3615
3616 failed |= test_tlsext_sigalgs_client();
3617
3618 failed |= test_tlsext_sni_client();
3619 failed |= test_tlsext_sni_server();
3620
3621 failed |= test_tlsext_ocsp_client();
3622 failed |= test_tlsext_ocsp_server();
3623
3624 failed |= test_tlsext_sessionticket_client();
3625 failed |= test_tlsext_sessionticket_server();
3626
3627 failed |= test_tlsext_versions_client();
3628 failed |= test_tlsext_versions_server();
3629
3630 failed |= test_tlsext_keyshare_client();
3631 failed |= test_tlsext_keyshare_server();
3632
3633 failed |= test_tlsext_cookie_client();
3634 failed |= test_tlsext_cookie_server();
3635
3636#ifndef OPENSSL_NO_SRTP
3637 failed |= test_tlsext_srtp_client();
3638 failed |= test_tlsext_srtp_server();
3639#else
3640 fprintf(stderr, "Skipping SRTP tests due to OPENSSL_NO_SRTP\n");
3641#endif
3642
3643 failed |= test_tlsext_clienthello_build();
3644 failed |= test_tlsext_serverhello_build();
3645
3646 failed |= test_tlsext_valid_hostnames();
3647 failed |= test_tlsext_invalid_hostnames();
3648
3649 return (failed);
3650}
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2026-02-09 21:08:18 +0000