Diffstat (limited to 'src/regress')
-rw-r--r--src/regress/lib/libssl/tlsext/tlsexttest.c258
1 files changed, 257 insertions, 1 deletions
diff --git a/src/regress/lib/libssl/tlsext/tlsexttest.c b/src/regress/lib/libssl/tlsext/tlsexttest.c
index 297aff2441..8166b883b8 100644
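--- a/src/regress/lib/libssl/tlsext/tlsexttest.c
+++ b/src/regress/lib/libssl/tlsext/tlsexttest.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tlsexttest.c,v 1.63 2022/06/06 06:11:04 tb Exp $ */
+/* $OpenBSD: tlsexttest.c,v 1.64 2022/06/29 17:39:21 beck Exp $ */
 /*
  * Copyright (c) 2017 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -1896,6 +1896,259 @@ test_tlsext_sni_server(void)
  return (failure);
 }
 
+
+/*
+ * QUIC transport parameters extenstion - RFC 90210 :)
+ */
+
+#define TEST_QUIC_TRANSPORT_DATA "0123456789abcdef"
+
+static unsigned char tlsext_quic_transport_data[] = {
+ 0x00, 0x10, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35,
+ 0x36, 0x37, 0x38, 0x39, 0x61, 0x62, 0x63, 0x64,
+ 0x65, 0x66,
+};
+
+static int
+test_tlsext_quic_transport_parameters_client(void)
+{
+ unsigned char *data = NULL;
+ SSL_CTX *ssl_ctx = NULL;
+ SSL *ssl = NULL;
+ int failure;
+ size_t dlen;
+ CBB cbb;
+ CBS cbs;
+ int alert;
+ const uint8_t *out_bytes;
+ size_t out_bytes_len;
+
+ failure = 1;
+
+ if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL)
+ errx(1, "failed to create SSL_CTX");
+ if ((ssl = SSL_new(ssl_ctx)) == NULL)
+ errx(1, "failed to create SSL");
+
+ CBB_init(&cbb, 0);
+
+ if (tlsext_quic_transport_parameters_client_needs(ssl,
+ SSL_TLSEXT_MSG_CH)) {
+ FAIL("client should not need QUIC\n");
+ goto err;
+ }
+
+ if (!SSL_set_quic_transport_params(ssl,
+ TEST_QUIC_TRANSPORT_DATA, strlen(TEST_QUIC_TRANSPORT_DATA))) {
+ FAIL("client failed to set QUIC parametes\n");
+ goto err;
+ }
+
+ if (tlsext_quic_transport_parameters_client_needs(ssl,
+ SSL_TLSEXT_MSG_CH)) {
+ FAIL("client should not need QUIC\n");
+ goto err;
+ }
+
+ ssl->s3->hs.our_max_tls_version = TLS1_3_VERSION;
+ ssl->s3->hs.negotiated_tls_version = TLS1_3_VERSION;
+
+ if (!tlsext_quic_transport_parameters_client_needs(ssl,
+ SSL_TLSEXT_MSG_CH)) {
+ FAIL("client should not need QUIC\n");
+ goto err;
+ }
+
+ if (!tlsext_quic_transport_parameters_client_build(ssl,
+ SSL_TLSEXT_MSG_CH, &cbb)) {
+ FAIL("client failed to build QUIC\n");
+ goto err;
+ }
+
+ if (!CBB_finish(&cbb, &data, &dlen)) {
+ FAIL("failed to finish CBB");
+ goto err;
+ }
+
+ if (dlen != sizeof(tlsext_quic_transport_data)) {
+ FAIL("got client QUIC with length %zu, "
+ "want length %zu\n", dlen,
+ sizeof(tlsext_quic_transport_data));
+ goto err;
+ }
+
+ if (memcmp(data, tlsext_quic_transport_data, dlen) != 0) {
+ FAIL("client QUIC differs:\n");
+ fprintf(stderr, "received:\n");
+ hexdump(data, dlen);
+ fprintf(stderr, "test data:\n");
+ hexdump(tlsext_quic_transport_data,
+ sizeof(tlsext_quic_transport_data));
+ goto err;
+ }
+
+ CBS_init(&cbs, tlsext_quic_transport_data,
+ sizeof(tlsext_quic_transport_data));
+
+ if (!tlsext_quic_transport_parameters_server_parse(ssl,
+ SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
+ FAIL("server_parse of QUIC from server failed\n");
+ goto err;
+ }
+ if (CBS_len(&cbs) != 0) {
+ FAIL("extension data remaining\n");
+ goto err;
+ }
+
+ SSL_get_peer_quic_transport_params(ssl, &out_bytes, &out_bytes_len);
+
+ if (out_bytes_len != strlen(TEST_QUIC_TRANSPORT_DATA)) {
+ FAIL("server_parse QUIC length differs, got %zu want %zu\n",
+ out_bytes_len,
+ sizeof(tlsext_quic_transport_data));
+ goto err;
+ }
+
+ if (memcmp(out_bytes, TEST_QUIC_TRANSPORT_DATA,
+ out_bytes_len) != 0) {
+ FAIL("server_parse QUIC differs from sent:\n");
+ fprintf(stderr, "received:\n");
+ hexdump(data, dlen);
+ fprintf(stderr, "test data:\n");
+ hexdump(tlsext_quic_transport_data,
+ sizeof(tlsext_quic_transport_data));
+ goto err;
+ }
+
+ failure = 0;
+
+ err:
+ CBB_cleanup(&cbb);
+ SSL_CTX_free(ssl_ctx);
+ SSL_free(ssl);
+ free(data);
+
+ return (failure);
+}
+
+static int
+test_tlsext_quic_transport_parameters_server(void)
+{
+ unsigned char *data = NULL;
+ SSL_CTX *ssl_ctx = NULL;
+ SSL *ssl = NULL;
+ int failure;
+ size_t dlen;
+ int alert;
+ CBB cbb;
+ CBS cbs;
+ const uint8_t *out_bytes;
+ size_t out_bytes_len;
+
+ failure = 1;
+
+ CBB_init(&cbb, 0);
+
+ if ((ssl_ctx = SSL_CTX_new(TLS_server_method())) == NULL)
+ errx(1, "failed to create SSL_CTX");
+ if ((ssl = SSL_new(ssl_ctx)) == NULL)
+ errx(1, "failed to create SSL");
+
+ if (tlsext_quic_transport_parameters_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
+ FAIL("server should not need QUIC\n");
+ goto err;
+ }
+
+ if (!SSL_set_quic_transport_params(ssl,
+ TEST_QUIC_TRANSPORT_DATA, strlen(TEST_QUIC_TRANSPORT_DATA))) {
+ FAIL("server failed to set QUIC parametes\n");
+ goto err;
+ }
+
+ if (!tlsext_quic_transport_parameters_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
+ FAIL("server should need QUIC\n");
+ goto err;
+ }
+
+ if (!tlsext_quic_transport_parameters_server_build(ssl,
+ SSL_TLSEXT_MSG_SH, &cbb)) {
+ FAIL("server failed to build QUIC\n");
+ goto err;
+ }
+
+ if (!CBB_finish(&cbb, &data, &dlen))
+ errx(1, "failed to finish CBB");
+
+ if (dlen != sizeof(tlsext_quic_transport_data)) {
+ FAIL("got server QUIC with length %zu, "
+ "want length %zu\n", dlen,
+ sizeof(tlsext_quic_transport_data));
+ goto err;
+ }
+
+ if (memcmp(data, tlsext_quic_transport_data, dlen) != 0) {
+ FAIL("saved server QUIC differs:\n");
+ fprintf(stderr, "received:\n");
+ hexdump(data, dlen);
+ fprintf(stderr, "test data:\n");
+ hexdump(tlsext_quic_transport_data,
+ sizeof(tlsext_quic_transport_data));
+ goto err;
+ }
+
+ CBS_init(&cbs, tlsext_quic_transport_data,
+ sizeof(tlsext_quic_transport_data));
+
+ if (tlsext_quic_transport_parameters_client_parse(ssl,
+ SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
+ FAIL("QUIC parse should have failed!\n");
+ goto err;
+ }
+
+ ssl->s3->hs.our_max_tls_version = TLS1_3_VERSION;
+ ssl->s3->hs.negotiated_tls_version = TLS1_3_VERSION;
+
+ if (!tlsext_quic_transport_parameters_client_parse(ssl,
+ SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
+ FAIL("client_parse of QUIC from server failed\n");
+ goto err;
+ }
+ if (CBS_len(&cbs) != 0) {
+ FAIL("extension data remaining\n");
+ goto err;
+ }
+
+ SSL_get_peer_quic_transport_params(ssl, &out_bytes, &out_bytes_len);
+
+ if (out_bytes_len != strlen(TEST_QUIC_TRANSPORT_DATA)) {
+ FAIL("client QUIC length differs, got %zu want %zu\n",
+ out_bytes_len,
+ sizeof(tlsext_quic_transport_data));
+ goto err;
+ }
+
+ if (memcmp(out_bytes, TEST_QUIC_TRANSPORT_DATA,
+ out_bytes_len) != 0) {
+ FAIL("client QUIC differs from sent:\n");
+ fprintf(stderr, "received:\n");
+ hexdump(data, dlen);
+ fprintf(stderr, "test data:\n");
+ hexdump(tlsext_quic_transport_data,
+ sizeof(tlsext_quic_transport_data));
+ goto err;
+ }
+
+ failure = 0;
+
+ err:
+ CBB_cleanup(&cbb);
+ SSL_CTX_free(ssl_ctx);
+ SSL_free(ssl);
+ free(data);
+
+ return (failure);
+}
+
 static unsigned char tls_ocsp_client_default[] = {
  0x01, 0x00, 0x00, 0x00, 0x00
 };
@@ -3991,5 +4244,8 @@ main(int argc, char **argv)
 
  failed |= test_tlsext_valid_hostnames();
 
+ failed |= test_tlsext_quic_transport_parameters_client();
+ failed |= test_tlsext_quic_transport_parameters_server();
+
  return (failed);
 }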
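Review bot: Several failure diagnostics in the two new QUIC tests would mislead whoever debugs a regression. In test_tlsext_quic_transport_parameters_client the third `_client_needs` check is negated and runs after the TLS 1.3 versions are set, yet it still reports "client should not need QUIC"; it should read `FAIL("client should need QUIC\n");`. In both tests the peer-parameter length check compares `out_bytes_len` with `strlen(TEST_QUIC_TRANSPORT_DATA)` but prints `sizeof(tlsext_quic_transport_data)` as the wanted value, and the mismatch branch that follows hexdumps `data` and `tlsext_quic_transport_data` rather than `out_bytes` and `TEST_QUIC_TRANSPORT_DATA`. The server test also reuses `cbs` after the parse that is expected to fail, so it appears to pass only while the parser rejects before consuming any bytes; repeating `CBS_init(&cbs, tlsext_quic_transport_data, sizeof(tlsext_quic_transport_data));` before the second parse would remove that dependency. Both parsers are exercised only with a well-formed extension, so a case with a truncated or over-long length prefix that also checks the returned `alert` would cover the rejection path.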