From 4192f5457954534fbfd22f2b04a5407172f87b04 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Sat, 1 Feb 2025 12:21:52 +0000
Subject: Add regress coverage for TLS renegotiation.

---
 src/regress/lib/libssl/renegotiation/Makefile      |  18 +
 .../lib/libssl/renegotiation/renegotiation_test.c  | 542 +++++++++++++++++++++
 2 files changed, 560 insertions(+)
 create mode 100644 src/regress/lib/libssl/renegotiation/Makefile
 create mode 100644 src/regress/lib/libssl/renegotiation/renegotiation_test.c

diff --git a/src/regress/lib/libssl/renegotiation/Makefile b/src/regress/lib/libssl/renegotiation/Makefile
new file mode 100644
index 0000000000..dd1eaa3ab9
--- /dev/null
+++ b/src/regress/lib/libssl/renegotiation/Makefile
@@ -0,0 +1,18 @@
+#	$OpenBSD: Makefile,v 1.1 2025/02/01 12:21:52 jsing Exp $
+
+PROG=	renegotiation_test
+LDADD=	-lssl -lcrypto
+DPADD=	${LIBSSL} ${LIBCRYPTO}
+WARNINGS=	Yes
+CFLAGS+=	-DLIBRESSL_INTERNAL -Werror
+
+REGRESS_TARGETS= \
+	regress-renegotiation-test
+
+regress-renegotiation-test: ${PROG}
+	./renegotiation_test \
+	    ${.CURDIR}/../../libssl/certs/server.pem \
+	    ${.CURDIR}/../../libssl/certs/server.pem \
+	    ${.CURDIR}/../../libssl/certs/ca.pem
+
+.include <bsd.regress.mk>
diff --git a/src/regress/lib/libssl/renegotiation/renegotiation_test.c b/src/regress/lib/libssl/renegotiation/renegotiation_test.c
new file mode 100644
index 0000000000..4a80ef61ea
--- /dev/null
+++ b/src/regress/lib/libssl/renegotiation/renegotiation_test.c
@@ -0,0 +1,542 @@
+/* $OpenBSD: renegotiation_test.c,v 1.1 2025/02/01 12:21:52 jsing Exp $ */
+/*
+ * Copyright (c) 2020,2025 Joel Sing <jsing@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <err.h>
+
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/ssl.h>
+
+const char *server_ca_file;
+const char *server_cert_file;
+const char *server_key_file;
+
+int debug = 0;
+
+int tls_client_alert;
+
+static void
+hexdump(const unsigned char *buf, size_t len)
+{
+	size_t i;
+
+	for (i = 1; i <= len; i++)
+		fprintf(stderr, " 0x%02hhx,%s", buf[i - 1], i % 8 ? "" : "\n");
+
+	if (len % 8)
+		fprintf(stderr, "\n");
+}
+
+static SSL *
+tls_client(BIO *rbio, BIO *wbio)
+{
+	SSL_CTX *ssl_ctx = NULL;
+	SSL *ssl = NULL;
+
+	if ((ssl_ctx = SSL_CTX_new(TLS_method())) == NULL)
+		errx(1, "client context");
+
+	if ((ssl = SSL_new(ssl_ctx)) == NULL)
+		errx(1, "client ssl");
+
+	BIO_up_ref(rbio);
+	BIO_up_ref(wbio);
+
+	SSL_set_bio(ssl, rbio, wbio);
+
+	SSL_CTX_free(ssl_ctx);
+
+	return ssl;
+}
+
+static SSL *
+tls_server(BIO *rbio, BIO *wbio)
+{
+	SSL_CTX *ssl_ctx = NULL;
+	SSL *ssl = NULL;
+
+	if ((ssl_ctx = SSL_CTX_new(TLS_method())) == NULL)
+		errx(1, "server context");
+
+	SSL_CTX_set_dh_auto(ssl_ctx, 2);
+
+	if (SSL_CTX_use_certificate_file(ssl_ctx, server_cert_file,
+	    SSL_FILETYPE_PEM) != 1) {
+		fprintf(stderr, "FAIL: Failed to load server certificate");
+		goto failure;
+	}
+	if (SSL_CTX_use_PrivateKey_file(ssl_ctx, server_key_file,
+	    SSL_FILETYPE_PEM) != 1) {
+		fprintf(stderr, "FAIL: Failed to load server private key");
+		goto failure;
+	}
+
+	if ((ssl = SSL_new(ssl_ctx)) == NULL)
+		errx(1, "server ssl");
+
+	BIO_up_ref(rbio);
+	BIO_up_ref(wbio);
+
+	SSL_set_bio(ssl, rbio, wbio);
+
+ failure:
+	SSL_CTX_free(ssl_ctx);
+
+	return ssl;
+}
+
+static int
+ssl_error(SSL *ssl, const char *name, const char *desc, int ssl_ret)
+{
+	int ssl_err;
+
+	ssl_err = SSL_get_error(ssl, ssl_ret);
+
+	if (ssl_err == SSL_ERROR_WANT_READ) {
+		return 1;
+	} else if (ssl_err == SSL_ERROR_WANT_WRITE) {
+		return 1;
+	} else if (ssl_err == SSL_ERROR_SYSCALL && errno == 0) {
+		/* Yup, this is apparently a thing... */
+	} else {
+		if (tls_client_alert != 0 &&
+		    ERR_GET_REASON(ERR_peek_error()) >= SSL_AD_REASON_OFFSET)
+			return 0;
+		fprintf(stderr, "FAIL: %s %s failed - ssl err = %d, errno = %d\n",
+		    name, desc, ssl_err, errno);
+		ERR_print_errors_fp(stderr);
+		return 0;
+	}
+
+	return 1;
+}
+
+static int
+do_connect(SSL *ssl, const char *name, int *done)
+{
+	int ssl_ret;
+
+	if ((ssl_ret = SSL_connect(ssl)) == 1) {
+		fprintf(stderr, "INFO: %s connect done\n", name);
+		*done = 1;
+		return 1;
+	}
+
+	return ssl_error(ssl, name, "connect", ssl_ret);
+}
+
+static int
+do_accept(SSL *ssl, const char *name, int *done)
+{
+	int ssl_ret;
+
+	if ((ssl_ret = SSL_accept(ssl)) == 1) {
+		fprintf(stderr, "INFO: %s accept done\n", name);
+		*done = 1;
+		return 1;
+	}
+
+	return ssl_error(ssl, name, "accept", ssl_ret);
+}
+
+static int
+do_read(SSL *ssl, const char *name, int *done)
+{
+	uint8_t buf[512];
+	int ssl_ret;
+
+	if ((ssl_ret = SSL_read(ssl, buf, sizeof(buf))) > 0) {
+		fprintf(stderr, "INFO: %s read done\n", name);
+		if (debug > 1)
+			hexdump(buf, ssl_ret);
+		*done = 1;
+		return 1;
+	}
+
+	return ssl_error(ssl, name, "read", ssl_ret);
+}
+
+static int
+do_write(SSL *ssl, const char *name, int *done)
+{
+	const uint8_t buf[] = "Hello, World!\n";
+	int ssl_ret;
+
+	if ((ssl_ret = SSL_write(ssl, buf, sizeof(buf))) > 0) {
+		fprintf(stderr, "INFO: %s write done\n", name);
+		*done = 1;
+		return 1;
+	}
+
+	return ssl_error(ssl, name, "write", ssl_ret);
+}
+
+static int
+do_shutdown(SSL *ssl, const char *name, int *done)
+{
+	int ssl_ret;
+
+	ssl_ret = SSL_shutdown(ssl);
+	if (ssl_ret == 1) {
+		fprintf(stderr, "INFO: %s shutdown done\n", name);
+		*done = 1;
+		return 1;
+	}
+	return ssl_error(ssl, name, "shutdown", ssl_ret);
+}
+
+typedef int (*ssl_func)(SSL *ssl, const char *name, int *done);
+
+static int
+do_client_server_loop(SSL *client, ssl_func client_func, SSL *server,
+    ssl_func server_func)
+{
+	int client_done = 0, server_done = 0;
+	int i = 0;
+
+	do {
+		if (!client_done) {
+			if (debug)
+				fprintf(stderr, "DEBUG: client loop\n");
+			if (!client_func(client, "client", &client_done))
+				return 0;
+		}
+		if (!server_done) {
+			if (debug)
+				fprintf(stderr, "DEBUG: server loop\n");
+			if (!server_func(server, "server", &server_done))
+				return 0;
+		}
+	} while (i++ < 100 && (!client_done || !server_done));
+
+	if (!client_done || !server_done)
+		fprintf(stderr, "FAIL: gave up\n");
+
+	return client_done && server_done;
+}
+
+struct tls_reneg_test {
+	const unsigned char *desc;
+	int ssl_max_proto_version;
+	long ssl_client_options;
+	long ssl_server_options;
+	int renegotiate_client;
+	int renegotiate_server;
+	int want_alert;
+	int want_failure;
+};
+
+static const struct tls_reneg_test tls_reneg_tests[] = {
+	{
+		.desc = "TLSv1.2 - Renegotiation permitted, no renegotiation",
+		.ssl_max_proto_version = TLS1_2_VERSION,
+	},
+	{
+		.desc = "TLSv1.2 - Renegotiation permitted, server initiated "
+		    "renegotiation",
+		.ssl_max_proto_version = TLS1_2_VERSION,
+		.renegotiate_server = 1,
+	},
+	{
+		.desc = "TLSv1.2 - Renegotiation permitted, client initiated "
+		    "renegotiation",
+		.ssl_max_proto_version = TLS1_2_VERSION,
+		.renegotiate_client = 1,
+	},
+	{
+		.desc = "TLSv1.2 - Renegotiation permitted, server and client "
+		    "initiated renegotiation",
+		.ssl_max_proto_version = TLS1_2_VERSION,
+		.renegotiate_client = 1,
+		.renegotiate_server = 1,
+	},
+	{
+		.desc = "TLSv1.2 - Client renegotiation not permitted, server "
+		    "initiated renegotiation",
+		.ssl_max_proto_version = TLS1_2_VERSION,
+		.ssl_server_options = SSL_OP_NO_CLIENT_RENEGOTIATION,
+		.renegotiate_server = 1,
+		.want_alert = 1,
+	},
+	{
+		.desc = "TLSv1.2 - Client renegotiation not permitted, client "
+		    "initiated renegotiation",
+		.ssl_max_proto_version = TLS1_2_VERSION,
+		.ssl_server_options = SSL_OP_NO_CLIENT_RENEGOTIATION,
+		.renegotiate_client = 1,
+		.want_alert = 1,
+	},
+	{
+		.desc = "TLSv1.3 - No renegotiation supported, no renegotiation",
+		.ssl_max_proto_version = TLS1_3_VERSION,
+	},
+	{
+		.desc = "TLSv1.3 - No renegotiation supported, server "
+		    "initiated renegotiation",
+		.ssl_max_proto_version = TLS1_3_VERSION,
+		.renegotiate_server = 1,
+		.want_failure = 1,
+	},
+	{
+		.desc = "TLSv1.3 - No renegotiation supported, client "
+		    "initiated renegotiation",
+		.ssl_max_proto_version = TLS1_3_VERSION,
+		.renegotiate_client = 1,
+		.want_failure = 1,
+	},
+};
+
+#define N_TLS_RENEG_TESTS (sizeof(tls_reneg_tests) / sizeof(*tls_reneg_tests))
+
+static void
+tls_client_info_callback(const SSL *ssl, int where, int value)
+{
+	if (where == SSL_CB_READ_ALERT) {
+		fprintf(stderr, "INFO: client read %s alert - %s\n",
+		    SSL_alert_type_string_long(value),
+		    SSL_alert_desc_string_long(value));
+		tls_client_alert = value;
+	}
+}
+
+static int
+tls_check_reneg(SSL *client, SSL *server, int client_pending,
+    int server_pending, long client_num_reneg, long server_num_reneg)
+{
+	if (debug) {
+		fprintf(stderr, "DEBUG: client - pending = %d, num reneg = %ld\n",
+		    SSL_renegotiate_pending(client), SSL_num_renegotiations(client));
+		fprintf(stderr, "DEBUG: server - pending = %d, num reneg = %ld\n",
+		    SSL_renegotiate_pending(server), SSL_num_renegotiations(server));
+	}
+
+	if (SSL_renegotiate_pending(client) != client_pending) {
+		fprintf(stderr, "FAIL: client SSL_renegotiate_pending() = %d, want %d\n",
+		    SSL_renegotiate_pending(client), client_pending);
+		return 0;
+	}
+	if (SSL_renegotiate_pending(server) != server_pending) {
+		fprintf(stderr, "FAIL: server SSL_renegotiate_pending() = %d, want %d\n",
+		    SSL_renegotiate_pending(server), server_pending);
+		return 0;
+	}
+	if (SSL_num_renegotiations(client) != client_num_reneg) {
+		fprintf(stderr, "FAIL: client SSL_num_renegotiations() = %ld, want %ld\n",
+		    SSL_num_renegotiations(client), client_num_reneg);
+		return 0;
+	}
+	if (SSL_num_renegotiations(server) != server_num_reneg) {
+		fprintf(stderr, "FAIL: server SSL_num_renegotiations() = %ld, want %ld\n",
+		    SSL_num_renegotiations(server), server_num_reneg);
+		return 0;
+	}
+	return 1;
+}
+
+static int
+tls_reneg_test(const struct tls_reneg_test *trt)
+{
+	BIO *client_wbio = NULL, *server_wbio = NULL;
+	SSL *client = NULL, *server = NULL;
+	int failed = 1;
+
+	fprintf(stderr, "\n== Testing %s... ==\n", trt->desc);
+
+	if ((client_wbio = BIO_new(BIO_s_mem())) == NULL)
+		goto failure;
+	if (BIO_set_mem_eof_return(client_wbio, -1) <= 0)
+		goto failure;
+
+	if ((server_wbio = BIO_new(BIO_s_mem())) == NULL)
+		goto failure;
+	if (BIO_set_mem_eof_return(server_wbio, -1) <= 0)
+		goto failure;
+
+	if ((client = tls_client(server_wbio, client_wbio)) == NULL)
+		goto failure;
+
+	SSL_set_options(client, trt->ssl_client_options);
+
+	if ((server = tls_server(client_wbio, server_wbio)) == NULL)
+		goto failure;
+
+	SSL_set_options(server, trt->ssl_server_options);
+	if (!SSL_set_max_proto_version(server, trt->ssl_max_proto_version))
+		goto failure;
+
+	SSL_set_info_callback(client, tls_client_info_callback);
+
+	if (!do_client_server_loop(client, do_connect, server, do_accept)) {
+		fprintf(stderr, "FAIL: client and server handshake failed\n");
+		goto failure;
+	}
+
+	if (!do_client_server_loop(client, do_write, server, do_read)) {
+		fprintf(stderr, "FAIL: client write and server read failed\n");
+		goto failure;
+	}
+
+	if (!do_client_server_loop(client, do_read, server, do_write)) {
+		fprintf(stderr, "FAIL: client read and server write failed\n");
+		goto failure;
+	}
+
+	if (!tls_check_reneg(client, server, 0, 0, 0, 0))
+		goto failure;
+
+	if (trt->renegotiate_server) {
+		/*
+		 * Trigger renegotiation from the server - this results in the
+		 * server sending a HelloRequest, then waiting for the client to
+		 * respond with a ClientHello.
+		 */
+		if (!SSL_renegotiate(server)) {
+			if (!trt->want_failure) {
+				fprintf(stderr, "FAIL: server renegotiation failed\n");
+				goto failure;
+			}
+			goto done;
+		}
+		if (trt->want_failure) {
+			fprintf(stderr, "FAIL: server renegotiation should have failed\n");
+			goto failure;
+		}
+
+		if (!tls_check_reneg(client, server, 0, 1, 0, 0))
+			goto failure;
+
+		if (!do_client_server_loop(client, do_read, server, do_write)) {
+			fprintf(stderr, "FAIL: client read and server write failed\n");
+			goto failure;
+		}
+
+		if (!tls_check_reneg(client, server, 1, 1, 1, 1))
+			goto failure;
+
+		if (!do_client_server_loop(client, do_write, server, do_read)) {
+			if (!trt->want_alert) {
+				fprintf(stderr, "FAIL: client write and server read failed\n");
+				goto failure;
+			}
+			if (tls_client_alert != (SSL3_AL_FATAL << 8 |
+			    SSL_AD_NO_RENEGOTIATION)) {
+				fprintf(stderr, "FAIL: client alert = %x, want %x\n",
+				    tls_client_alert, SSL3_AL_FATAL << 8 |
+				    SSL_AD_NO_RENEGOTIATION);
+			}
+			goto done;
+		}
+		if (trt->want_alert) {
+			fprintf(stderr, "FAIL: server renegotiation should have alerted\n");
+			goto failure;
+		}
+
+		if (!tls_check_reneg(client, server, 0, 0, 1, 1))
+			goto failure;
+	}
+
+	SSL_clear_num_renegotiations(client);
+	SSL_clear_num_renegotiations(server);
+
+	if (trt->renegotiate_client) {
+		/*
+		 * Trigger renegotiation from the client - this results in the
+		 * client sending a ClientHello.
+		 */
+		if (!SSL_renegotiate(client)) {
+			if (!trt->want_failure) {
+				fprintf(stderr, "FAIL: client renegotiation failed\n");
+				goto failure;
+			}
+			goto done;
+		}
+		if (trt->want_failure) {
+			fprintf(stderr, "FAIL: client renegotiation should have failed\n");
+			goto failure;
+		}
+
+		if (!do_client_server_loop(client, do_read, server, do_write)) {
+			fprintf(stderr, "FAIL: client read and server write failed\n");
+			goto failure;
+		}
+
+		if (!tls_check_reneg(client, server, 1, 0, 1, 0))
+			goto failure;
+
+		if (!do_client_server_loop(client, do_write, server, do_read)) {
+			if (!trt->want_alert) {
+				fprintf(stderr, "FAIL: client write and server read failed\n");
+				goto failure;
+			}
+			if (tls_client_alert != (SSL3_AL_FATAL << 8 |
+			    SSL_AD_NO_RENEGOTIATION)) {
+				fprintf(stderr, "FAIL: client alert = %x, want %x\n",
+				    tls_client_alert, SSL3_AL_FATAL << 8 |
+				    SSL_AD_NO_RENEGOTIATION);
+			}
+			goto done;
+		}
+		if (trt->want_alert) {
+			fprintf(stderr, "FAIL: server renegotiation should have alerted\n");
+			goto failure;
+		}
+
+		if (!tls_check_reneg(client, server, 0, 0, 1, 0))
+			goto failure;
+	}
+
+	if (!do_client_server_loop(client, do_shutdown, server, do_shutdown)) {
+		fprintf(stderr, "FAIL: client and server shutdown failed\n");
+		goto failure;
+	}
+
+ done:
+	fprintf(stderr, "INFO: Done!\n");
+
+	failed = 0;
+
+ failure:
+	BIO_free(client_wbio);
+	BIO_free(server_wbio);
+
+	SSL_free(client);
+	SSL_free(server);
+
+	return failed;
+}
+
+int
+main(int argc, char **argv)
+{
+	int failed = 0;
+	size_t i;
+
+	if (argc != 4) {
+		fprintf(stderr, "usage: %s keyfile certfile cafile\n",
+		    argv[0]);
+		exit(1);
+	}
+
+	server_key_file = argv[1];
+	server_cert_file = argv[2];
+	server_ca_file = argv[3];
+
+	for (i = 0; i < N_TLS_RENEG_TESTS; i++)
+		failed |= tls_reneg_test(&tls_reneg_tests[i]);
+
+	return failed;
+}
-- 
cgit v1.2.3-55-g6feb