3 files changed, 256 insertions, 0 deletions
diff --git a/src/regress/lib/libssl/unit/Makefile b/src/regress/lib/libssl/unit/Makefile
new file mode 100644
index 0000000000..c014615900
--- /dev/null
+++ b/src/regress/lib/libssl/unit/Makefile
@@ -0,0 +1,20 @@
+#       $OpenBSD: Makefile,v 1.1 2015/06/27 23:35:52 doug Exp $
+TEST_CASES+= cipher_list
+REGRESS_TARGETS= all_tests
+LDADD=  -lcrypto -lssl
+DPADD=  ${LIBCRYPTO} ${LIBSSL}
+WARNINGS=       Yes
+LDFLAGS+=       -lcrypto -lssl
+CFLAGS+=        -DLIBRESSL_INTERNAL -Wall -Wundef -Werror -I../../../../lib/libssl/src/ssl
+CLEANFILES+= ${TEST_CASES}
+all_tests: ${TEST_CASES}
+        @for test in $>; do \
+                ./$$test; \
+        done
+.include <bsd.regress.mk>
diff --git a/src/regress/lib/libssl/unit/cipher_list.c b/src/regress/lib/libssl/unit/cipher_list.c
new file mode 100644
index 0000000000..b513007771
--- /dev/null
+++ b/src/regress/lib/libssl/unit/cipher_list.c
@@ -0,0 +1,192 @@
+/*      $OpenBSD: cipher_list.c,v 1.1 2015/06/27 23:35:52 doug Exp $    */
+/*
+ * Copyright (c) 2015 Doug Hogan <doug@openbsd.org>
+ * Copyright (c) 2015 Joel Sing <jsing@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+/*
+ * Test TLS ssl bytes (aka cipher suites) to cipher list and back.
+ *
+ * TLSv1.0 - RFC 2246 section 7.4.1.2 (ClientHello struct)
+ * TLSv1.1 - RFC 4346 section 7.4.1.2 (ClientHello struct)
+ * TLSv1.2 - RFC 5246 section 7.4.1.2 (ClientHello struct)
+ *
+ * In all of these standards, the relevant structures are:
+ *
+ * uint8 CipherSuite[2];
+ *
+ * struct {
+ *    ...
+ *    CipherSuite cipher_suites<2..2^16-2>
+ *    ...
+ * } ClientHello;
+ */
+#include <openssl/ssl.h>
+#include <stdio.h>
+#include <string.h>
+#include "tests.h"
+static uint8_t cipher_bytes[] = {
+        0xcc, 0x14,     /* ECDHE-ECDSA-CHACHA20-POLY1305 */
+        0xcc, 0x13,     /* ECDHE-RSA-CHACHA20-POLY1305 */
+        0xcc, 0x15,     /* DHE-RSA-CHACHA20-POLY1305 */
+        0x00, 0x9c,     /* AES128-GCM-SHA256 */
+        0x00, 0x3d,     /* AES256-SHA256 */
+        0x00, 0x09,     /* DES-CBC-SHA */
+};
+static uint16_t cipher_values[] = {
+        0xcc14,         /* ECDHE-ECDSA-CHACHA20-POLY1305 */
+        0xcc13,         /* ECDHE-RSA-CHACHA20-POLY1305 */
+        0xcc15,         /* DHE-RSA-CHACHA20-POLY1305 */
+        0x009c,         /* AES128-GCM-SHA256 */
+        0x003d,         /* AES256-SHA256 */
+        0x0009,         /* DES-CBC-SHA */
+};
+#define N_CIPHERS (sizeof(cipher_bytes) / 2)
+extern STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,
+    const unsigned char *p, int num);
+extern int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk,
+    unsigned char *p);
+static int
+ssl_bytes_to_list_alloc(SSL *s, STACK_OF(SSL_CIPHER) **ciphers)
+{
+        SSL_CIPHER *cipher;
+        uint16_t value;
+        int i;
+        *ciphers = ssl_bytes_to_cipher_list(s, cipher_bytes,
+            sizeof(cipher_bytes));
+        CHECK(*ciphers != NULL);
+        CHECK(sk_SSL_CIPHER_num(*ciphers) == N_CIPHERS);
+        for (i = 0; i < sk_SSL_CIPHER_num(*ciphers); i++) {
+                cipher = sk_SSL_CIPHER_value(*ciphers, i);
+                CHECK(cipher != NULL);
+                value = SSL_CIPHER_get_value(cipher);
+                CHECK(value == cipher_values[i]);
+        }
+        return 1;
+}
+static int
+ssl_list_to_bytes_scsv(SSL *s, STACK_OF(SSL_CIPHER) **ciphers)
+{
+        unsigned char *buf = NULL;
+        size_t buflen;
+        int len;
+        int ret = 0;
+        /* Space for cipher bytes, plus reneg SCSV and two spare bytes. */
+        CHECK(sk_SSL_CIPHER_num(*ciphers) == N_CIPHERS);
+        buflen = sizeof(cipher_bytes) + 2 + 2;
+        CHECK((buf = calloc(1, buflen)) != NULL);
+        len = ssl_cipher_list_to_bytes(s, *ciphers, buf);
+        CHECK_GOTO(len > 0 && (size_t)len == buflen - 2);
+        CHECK_GOTO(memcmp(buf, cipher_bytes, sizeof(cipher_bytes)) == 0);
+        CHECK_GOTO(buf[buflen - 4] == 0x00 && buf[buflen - 3] == 0xff);
+        CHECK_GOTO(buf[buflen - 2] == 0x00 && buf[buflen - 1] == 0x00);
+        ret = 1;
+err:
+        free(buf);
+        return ret;
+}
+static int
+ssl_list_to_bytes_no_scsv(SSL *s, STACK_OF(SSL_CIPHER) **ciphers)
+{
+        unsigned char *buf = NULL;
+        size_t buflen;
+        int len;
+        int ret = 0;
+        /* Space for cipher bytes and two spare bytes */
+        CHECK(sk_SSL_CIPHER_num(*ciphers) == N_CIPHERS);
+        buflen = sizeof(cipher_bytes) + 2;
+        CHECK((buf = calloc(1, buflen)) != NULL);
+        buf[buflen - 2] = 0xfe;
+        buf[buflen - 1] = 0xab;
+        /* Set renegotiate so it doesn't add SCSV */
+        s->renegotiate = 1;
+        len = ssl_cipher_list_to_bytes(s, *ciphers, buf);
+        CHECK_GOTO(len > 0 && (size_t)len == buflen - 2);
+        CHECK_GOTO(memcmp(buf, cipher_bytes, sizeof(cipher_bytes)) == 0);
+        CHECK_GOTO(buf[buflen - 2] == 0xfe && buf[buflen - 1] == 0xab);
+        ret = 1;
+err:
+        free(buf);
+        return ret;
+}
+static int
+ssl_bytes_to_list_invalid(SSL *s, STACK_OF(SSL_CIPHER) **ciphers)
+{
+        sk_SSL_CIPHER_free(*ciphers);
+        /* Invalid length: CipherSuite is 2 bytes so it must be even */
+        *ciphers = ssl_bytes_to_cipher_list(s, cipher_bytes,
+            sizeof(cipher_bytes) - 1);
+        CHECK(*ciphers == NULL);
+        return 1;
+}
+int
+main(void)
+{
+        STACK_OF(SSL_CIPHER) *ciphers = NULL;
+        SSL_CTX *ctx = NULL;
+        SSL *s = NULL;
+        int rv = 1;
+        SSL_library_init();
+        /* Use TLSv1.2 client to get all ciphers. */
+        CHECK_GOTO((ctx = SSL_CTX_new(TLSv1_2_client_method())) != NULL);
+        CHECK_GOTO((s = SSL_new(ctx)) != NULL);
+        if (!ssl_bytes_to_list_alloc(s, &ciphers))
+                goto err;
+        if (!ssl_list_to_bytes_scsv(s, &ciphers))
+                goto err;
+        if (!ssl_list_to_bytes_no_scsv(s, &ciphers))
+                goto err;
+        if (!ssl_bytes_to_list_invalid(s, &ciphers))
+                goto err;
+        rv = 0;
+err:
+        sk_SSL_CIPHER_free(ciphers);
+        SSL_CTX_free(ctx);
+        SSL_free(s);
+        if (!rv)
+                printf("PASS %s\n", __FILE__);
+        return rv;
+}
diff --git a/src/regress/lib/libssl/unit/tests.h b/src/regress/lib/libssl/unit/tests.h
new file mode 100644
index 0000000000..287816946a
--- /dev/null
+++ b/src/regress/lib/libssl/unit/tests.h
@@ -0,0 +1,44 @@
+/*      $OpenBSD: tests.h,v 1.1 2015/06/27 23:35:52 doug Exp $  */
+/*
+ * Copyright (c) 2015 Doug Hogan <doug@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#ifndef LIBRESSL_REGRESS_TESTS_H__
+#define LIBRESSL_REGRESS_TESTS_H__ 1
+/* Ugly macros that are useful for regression tests. */
+#define SKIP(a) do {                                                    \
+        printf("Skipping test in %s [%s:%d]\n", __func__, __FILE__,     \
+            __LINE__);                                                  \
+} while (0)
+#define CHECK(a) do {                                                   \
+        if (!(a)) {                                                     \
+                printf("Error in %s [%s:%d]\n", __func__, __FILE__,     \
+                    __LINE__);                                          \
+                return 0;                                               \
+        }                                                               \
+} while (0)
+#define CHECK_GOTO(a) do {                                              \
+        if (!(a)) {                                                     \
+                printf("Error in %s [%s:%d]\n", __func__, __FILE__,     \
+                    __LINE__);                                          \
+                goto err;                                               \
+        }                                                               \
+} while (0)
+#endif /* LIBRESSL_REGRESS_TESTS_H__ */

diff --git a/src/regress/lib/libssl/unit/Makefile b/src/regress/lib/libssl/unit/Makefile new file mode 100644 index 0000000000..c014615900 --- /dev/null +++ b/src/regress/lib/libssl/unit/Makefile
@@ -0,0 +1,20 @@
	1	# $OpenBSD: Makefile,v 1.1 2015/06/27 23:35:52 doug Exp $
	2
	3	TEST_CASES+= cipher_list
	4
	5	REGRESS_TARGETS= all_tests
	6
	7	LDADD= -lcrypto -lssl
	8	DPADD= ${LIBCRYPTO} ${LIBSSL}
	9	WARNINGS= Yes
	10	LDFLAGS+= -lcrypto -lssl
	11	CFLAGS+= -DLIBRESSL_INTERNAL -Wall -Wundef -Werror -I../../../../lib/libssl/src/ssl
	12
	13	CLEANFILES+= ${TEST_CASES}
	14
	15	all_tests: ${TEST_CASES}
	16	@for test in $>; do \
	17	./$$test; \
	18	done
	19
	20	.include <bsd.regress.mk>


diff --git a/src/regress/lib/libssl/unit/cipher_list.c b/src/regress/lib/libssl/unit/cipher_list.c new file mode 100644 index 0000000000..b513007771 --- /dev/null +++ b/src/regress/lib/libssl/unit/cipher_list.c
@@ -0,0 +1,192 @@
	1	/* $OpenBSD: cipher_list.c,v 1.1 2015/06/27 23:35:52 doug Exp $ */
	2	/*
	3	* Copyright (c) 2015 Doug Hogan <doug@openbsd.org>
	4	* Copyright (c) 2015 Joel Sing <jsing@openbsd.org>
	5	*
	6	* Permission to use, copy, modify, and distribute this software for any
	7	* purpose with or without fee is hereby granted, provided that the above
	8	* copyright notice and this permission notice appear in all copies.
	9	*
	10	* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
	11	* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
	12	* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
	13	* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
	14	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
	15	* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
	16	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
	17	*/
	18
	19	/*
	20	* Test TLS ssl bytes (aka cipher suites) to cipher list and back.
	21	*
	22	* TLSv1.0 - RFC 2246 section 7.4.1.2 (ClientHello struct)
	23	* TLSv1.1 - RFC 4346 section 7.4.1.2 (ClientHello struct)
	24	* TLSv1.2 - RFC 5246 section 7.4.1.2 (ClientHello struct)
	25	*
	26	* In all of these standards, the relevant structures are:
	27	*
	28	* uint8 CipherSuite[2];
	29	*
	30	* struct {
	31	* ...
	32	* CipherSuite cipher_suites<2..2^16-2>
	33	* ...
	34	* } ClientHello;
	35	*/
	36
	37	#include <openssl/ssl.h>
	38
	39	#include <stdio.h>
	40	#include <string.h>
	41
	42	#include "tests.h"
	43
	44	static uint8_t cipher_bytes[] = {
	45	0xcc, 0x14, /* ECDHE-ECDSA-CHACHA20-POLY1305 */
	46	0xcc, 0x13, /* ECDHE-RSA-CHACHA20-POLY1305 */
	47	0xcc, 0x15, /* DHE-RSA-CHACHA20-POLY1305 */
	48	0x00, 0x9c, /* AES128-GCM-SHA256 */
	49	0x00, 0x3d, /* AES256-SHA256 */
	50	0x00, 0x09, /* DES-CBC-SHA */
	51	};
	52
	53	static uint16_t cipher_values[] = {
	54	0xcc14, /* ECDHE-ECDSA-CHACHA20-POLY1305 */
	55	0xcc13, /* ECDHE-RSA-CHACHA20-POLY1305 */
	56	0xcc15, /* DHE-RSA-CHACHA20-POLY1305 */
	57	0x009c, /* AES128-GCM-SHA256 */
	58	0x003d, /* AES256-SHA256 */
	59	0x0009, /* DES-CBC-SHA */
	60	};
	61
	62	#define N_CIPHERS (sizeof(cipher_bytes) / 2)
	63
	64	extern STACK_OF(SSL_CIPHER) ssl_bytes_to_cipher_list(SSL s,
	65	const unsigned char *p, int num);
	66	extern int ssl_cipher_list_to_bytes(SSL s, STACK_OF(SSL_CIPHER) sk,
	67	unsigned char *p);
	68
	69	static int
	70	ssl_bytes_to_list_alloc(SSL s, STACK_OF(SSL_CIPHER) *ciphers)
	71	{
	72	SSL_CIPHER *cipher;
	73	uint16_t value;
	74	int i;
	75
	76	*ciphers = ssl_bytes_to_cipher_list(s, cipher_bytes,
	77	sizeof(cipher_bytes));
	78	CHECK(*ciphers != NULL);
	79	CHECK(sk_SSL_CIPHER_num(*ciphers) == N_CIPHERS);
	80	for (i = 0; i < sk_SSL_CIPHER_num(*ciphers); i++) {
	81	cipher = sk_SSL_CIPHER_value(*ciphers, i);
	82	CHECK(cipher != NULL);
	83	value = SSL_CIPHER_get_value(cipher);
	84	CHECK(value == cipher_values[i]);
	85	}
	86
	87	return 1;
	88	}
	89
	90	static int
	91	ssl_list_to_bytes_scsv(SSL s, STACK_OF(SSL_CIPHER) *ciphers)
	92	{
	93	unsigned char *buf = NULL;
	94	size_t buflen;
	95	int len;
	96	int ret = 0;
	97
	98	/* Space for cipher bytes, plus reneg SCSV and two spare bytes. */
	99	CHECK(sk_SSL_CIPHER_num(*ciphers) == N_CIPHERS);
	100	buflen = sizeof(cipher_bytes) + 2 + 2;
	101	CHECK((buf = calloc(1, buflen)) != NULL);
	102
	103	len = ssl_cipher_list_to_bytes(s, *ciphers, buf);
	104	CHECK_GOTO(len > 0 && (size_t)len == buflen - 2);
	105	CHECK_GOTO(memcmp(buf, cipher_bytes, sizeof(cipher_bytes)) == 0);
	106	CHECK_GOTO(buf[buflen - 4] == 0x00 && buf[buflen - 3] == 0xff);
	107	CHECK_GOTO(buf[buflen - 2] == 0x00 && buf[buflen - 1] == 0x00);
	108
	109	ret = 1;
	110
	111	err:
	112	free(buf);
	113	return ret;
	114	}
	115
	116	static int
	117	ssl_list_to_bytes_no_scsv(SSL s, STACK_OF(SSL_CIPHER) *ciphers)
	118	{
	119	unsigned char *buf = NULL;
	120	size_t buflen;
	121	int len;
	122	int ret = 0;
	123
	124	/* Space for cipher bytes and two spare bytes */
	125	CHECK(sk_SSL_CIPHER_num(*ciphers) == N_CIPHERS);
	126	buflen = sizeof(cipher_bytes) + 2;
	127	CHECK((buf = calloc(1, buflen)) != NULL);
	128	buf[buflen - 2] = 0xfe;
	129	buf[buflen - 1] = 0xab;
	130
	131	/* Set renegotiate so it doesn't add SCSV */
	132	s->renegotiate = 1;
	133
	134	len = ssl_cipher_list_to_bytes(s, *ciphers, buf);
	135	CHECK_GOTO(len > 0 && (size_t)len == buflen - 2);
	136	CHECK_GOTO(memcmp(buf, cipher_bytes, sizeof(cipher_bytes)) == 0);
	137	CHECK_GOTO(buf[buflen - 2] == 0xfe && buf[buflen - 1] == 0xab);
	138
	139	ret = 1;
	140
	141	err:
	142	free(buf);
	143	return ret;
	144	}
	145
	146	static int
	147	ssl_bytes_to_list_invalid(SSL s, STACK_OF(SSL_CIPHER) *ciphers)
	148	{
	149	sk_SSL_CIPHER_free(*ciphers);
	150
	151	/* Invalid length: CipherSuite is 2 bytes so it must be even */
	152	*ciphers = ssl_bytes_to_cipher_list(s, cipher_bytes,
	153	sizeof(cipher_bytes) - 1);
	154	CHECK(*ciphers == NULL);
	155
	156	return 1;
	157	}
	158
	159	int
	160	main(void)
	161	{
	162	STACK_OF(SSL_CIPHER) *ciphers = NULL;
	163	SSL_CTX *ctx = NULL;
	164	SSL *s = NULL;
	165	int rv = 1;
	166
	167	SSL_library_init();
	168
	169	/* Use TLSv1.2 client to get all ciphers. */
	170	CHECK_GOTO((ctx = SSL_CTX_new(TLSv1_2_client_method())) != NULL);
	171	CHECK_GOTO((s = SSL_new(ctx)) != NULL);
	172
	173	if (!ssl_bytes_to_list_alloc(s, &ciphers))
	174	goto err;
	175	if (!ssl_list_to_bytes_scsv(s, &ciphers))
	176	goto err;
	177	if (!ssl_list_to_bytes_no_scsv(s, &ciphers))
	178	goto err;
	179	if (!ssl_bytes_to_list_invalid(s, &ciphers))
	180	goto err;
	181
	182	rv = 0;
	183
	184	err:
	185	sk_SSL_CIPHER_free(ciphers);
	186	SSL_CTX_free(ctx);
	187	SSL_free(s);
	188
	189	if (!rv)
	190	printf("PASS %s\n", __FILE__);
	191	return rv;
	192	}


diff --git a/src/regress/lib/libssl/unit/tests.h b/src/regress/lib/libssl/unit/tests.h new file mode 100644 index 0000000000..287816946a --- /dev/null +++ b/src/regress/lib/libssl/unit/tests.h
@@ -0,0 +1,44 @@
	1	/* $OpenBSD: tests.h,v 1.1 2015/06/27 23:35:52 doug Exp $ */
	2	/*
	3	* Copyright (c) 2015 Doug Hogan <doug@openbsd.org>
	4	*
	5	* Permission to use, copy, modify, and distribute this software for any
	6	* purpose with or without fee is hereby granted, provided that the above
	7	* copyright notice and this permission notice appear in all copies.
	8	*
	9	* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
	10	* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
	11	* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
	12	* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
	13	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
	14	* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
	15	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
	16	*/
	17
	18	#ifndef LIBRESSL_REGRESS_TESTS_H__
	19	#define LIBRESSL_REGRESS_TESTS_H__ 1
	20
	21	/* Ugly macros that are useful for regression tests. */
	22
	23	#define SKIP(a) do { \
	24	printf("Skipping test in %s [%s:%d]\n", __func__, __FILE__, \
	25	__LINE__); \
	26	} while (0)
	27
	28	#define CHECK(a) do { \
	29	if (!(a)) { \
	30	printf("Error in %s [%s:%d]\n", __func__, __FILE__, \
	31	__LINE__); \
	32	return 0; \
	33	} \
	34	} while (0)
	35
	36	#define CHECK_GOTO(a) do { \
	37	if (!(a)) { \
	38	printf("Error in %s [%s:%d]\n", __func__, __FILE__, \
	39	__LINE__); \
	40	goto err; \
	41	} \
	42	} while (0)
	43
	44	#endif /* LIBRESSL_REGRESS_TESTS_H__ */