From eb8dd9dca1228af0cd132f515509051ecfabf6f6 Mon Sep 17 00:00:00 2001
From: cvs2svn
Date: Mon, 14 Apr 2025 17:32:06 +0000
Subject: This commit was manufactured by cvs2git to create tag 'tb_20250414'.

---
 src/regress/lib/libssl/unit/Makefile | 21 -
 src/regress/lib/libssl/unit/cipher_list.c | 231 ------
 .../lib/libssl/unit/ssl_get_shared_ciphers.c | 478 -----------
 src/regress/lib/libssl/unit/ssl_methods.c | 267 ------
 src/regress/lib/libssl/unit/ssl_set_alpn_protos.c | 470 -----------
 src/regress/lib/libssl/unit/ssl_verify_param.c | 99 ---
 src/regress/lib/libssl/unit/ssl_versions.c | 922 ---------------------
 src/regress/lib/libssl/unit/tests.h | 44 -
 src/regress/lib/libssl/unit/tls_ext_alpn.c | 442 ----------
 src/regress/lib/libssl/unit/tls_prf.c | 182 ----
 10 files changed, 3156 deletions(-)
 delete mode 100644 src/regress/lib/libssl/unit/Makefile
 delete mode 100644 src/regress/lib/libssl/unit/cipher_list.c
 delete mode 100644 src/regress/lib/libssl/unit/ssl_get_shared_ciphers.c
 delete mode 100644 src/regress/lib/libssl/unit/ssl_methods.c
 delete mode 100644 src/regress/lib/libssl/unit/ssl_set_alpn_protos.c
 delete mode 100644 src/regress/lib/libssl/unit/ssl_verify_param.c
 delete mode 100644 src/regress/lib/libssl/unit/ssl_versions.c
 delete mode 100644 src/regress/lib/libssl/unit/tests.h
 delete mode 100644 src/regress/lib/libssl/unit/tls_ext_alpn.c
 delete mode 100644 src/regress/lib/libssl/unit/tls_prf.c

(limited to 'src/regress/lib/libssl/unit')

diff --git a/src/regress/lib/libssl/unit/Makefile b/src/regress/lib/libssl/unit/Makefile
deleted file mode 100644
index 6a925069ca..0000000000
--- a/src/regress/lib/libssl/unit/Makefile
+++ /dev/null
@@ -1,21 +0,0 @@ -# $OpenBSD: Makefile,v 1.16 2023/05/24 09:15:14 tb Exp $ - -PROGS += cipher_list -PROGS += ssl_get_shared_ciphers -PROGS += ssl_methods -PROGS += ssl_set_alpn_protos -PROGS += ssl_verify_param -PROGS += ssl_versions -PROGS += tls_ext_alpn -PROGS += tls_prf - -WARNINGS= Yes -LDADD = ${SSL_INT} -lcrypto -DPADD = ${LIBSSL} ${LIBCRYPTO} -CFLAGS+= -DLIBRESSL_INTERNAL -Wall -Wundef -Werror -CFLAGS+= -DCERTSDIR=\"${.CURDIR}/../certs\" -CFLAGS+= -I${.CURDIR}/../../../../lib/libssl - -LDADD_ssl_verify_param = ${LIBSSL} ${CRYPTO_INT} - -.include diff --git a/src/regress/lib/libssl/unit/cipher_list.c b/src/regress/lib/libssl/unit/cipher_list.c deleted file mode 100644 index c715f60e0b..0000000000 --- a/src/regress/lib/libssl/unit/cipher_list.c +++ /dev/null 
@@ -1,231 +0,0 @@ -/* $OpenBSD: cipher_list.c,v 1.14 2022/12/17 16:05:28 jsing Exp $ */ -/* - * Copyright (c) 2015 Doug Hogan - * Copyright (c) 2015 Joel Sing - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -/* - * Test TLS ssl bytes (aka cipher suites) to cipher list and back. - * - * TLSv1.0 - RFC 2246 section 7.4.1.2 (ClientHello struct) - * TLSv1.1 - RFC 4346 section 7.4.1.2 (ClientHello struct) - * TLSv1.2 - RFC 5246 section 7.4.1.2 (ClientHello struct) - * - * In all of these standards, the relevant structures are: - * - * uint8 CipherSuite[2]; - * - * struct { - * ... - * CipherSuite cipher_suites<2..2^16-2> - * ... 
- * } ClientHello; - */ - -#include - -#include -#include - -#include "ssl_local.h" - -#include "tests.h" - -static uint8_t cipher_bytes[] = { - 0xcc, 0xa8, /* ECDHE-ECDSA-CHACHA20-POLY1305 */ - 0xcc, 0xa9, /* ECDHE-RSA-CHACHA20-POLY1305 */ - 0xcc, 0xaa, /* DHE-RSA-CHACHA20-POLY1305 */ - 0x00, 0x9c, /* AES128-GCM-SHA256 */ - 0x00, 0x3d, /* AES256-SHA256 */ -}; - -static uint8_t cipher_bytes_seclevel3[] = { - 0xcc, 0xa8, /* ECDHE-ECDSA-CHACHA20-POLY1305 */ - 0xcc, 0xa9, /* ECDHE-RSA-CHACHA20-POLY1305 */ - 0xcc, 0xaa, /* DHE-RSA-CHACHA20-POLY1305 */ -}; - -static uint16_t cipher_values[] = { - 0xcca8, /* ECDHE-ECDSA-CHACHA20-POLY1305 */ - 0xcca9, /* ECDHE-RSA-CHACHA20-POLY1305 */ - 0xccaa, /* DHE-RSA-CHACHA20-POLY1305 */ - 0x009c, /* AES128-GCM-SHA256 */ - 0x003d, /* AES256-SHA256 */ -}; - -#define N_CIPHERS (sizeof(cipher_bytes) / 2) - -static int -ssl_bytes_to_list_alloc(SSL *s, STACK_OF(SSL_CIPHER) **ciphers) -{ - SSL_CIPHER *cipher; - uint16_t value; - CBS cbs; - int i; - - CBS_init(&cbs, cipher_bytes, sizeof(cipher_bytes)); - - *ciphers = ssl_bytes_to_cipher_list(s, &cbs); - CHECK(*ciphers != NULL); - CHECK(sk_SSL_CIPHER_num(*ciphers) == N_CIPHERS); - for (i = 0; i < sk_SSL_CIPHER_num(*ciphers); i++) { - cipher = sk_SSL_CIPHER_value(*ciphers, i); - CHECK(cipher != NULL); - value = SSL_CIPHER_get_value(cipher); - CHECK(value == cipher_values[i]); - } - - return 1; -} - -static int -ssl_list_to_bytes_scsv(SSL *s, STACK_OF(SSL_CIPHER) **ciphers, - const uint8_t *cb, size_t cb_len) -{ - CBB cbb; - unsigned char *buf = NULL; - size_t buflen, outlen; - int ret = 0; - - /* Space for cipher bytes, plus reneg SCSV and two spare bytes. 
*/ - CHECK(sk_SSL_CIPHER_num(*ciphers) == N_CIPHERS); - buflen = cb_len + 2 + 2; - CHECK((buf = calloc(1, buflen)) != NULL); - - /* Clear renegotiate so it adds SCSV */ - s->renegotiate = 0; - - CHECK_GOTO(CBB_init_fixed(&cbb, buf, buflen)); - CHECK_GOTO(ssl_cipher_list_to_bytes(s, *ciphers, &cbb)); - CHECK_GOTO(CBB_finish(&cbb, NULL, &outlen)); - - CHECK_GOTO(outlen > 0 && outlen == cb_len + 2); - CHECK_GOTO(memcmp(buf, cb, cb_len) == 0); - CHECK_GOTO(buf[buflen - 4] == 0x00 && buf[buflen - 3] == 0xff); - CHECK_GOTO(buf[buflen - 2] == 0x00 && buf[buflen - 1] == 0x00); - - ret = 1; - - err: - free(buf); - return ret; -} - -static int -ssl_list_to_bytes_no_scsv(SSL *s, STACK_OF(SSL_CIPHER) **ciphers, - const uint8_t *cb, size_t cb_len) -{ - CBB cbb; - unsigned char *buf = NULL; - size_t buflen, outlen; - int ret = 0; - - /* Space for cipher bytes and two spare bytes */ - CHECK(sk_SSL_CIPHER_num(*ciphers) == N_CIPHERS); - buflen = cb_len + 2; - CHECK((buf = calloc(1, buflen)) != NULL); - buf[buflen - 2] = 0xfe; - buf[buflen - 1] = 0xab; - - /* Set renegotiate so it doesn't add SCSV */ - s->renegotiate = 1; - - CHECK_GOTO(CBB_init_fixed(&cbb, buf, buflen)); - CHECK_GOTO(ssl_cipher_list_to_bytes(s, *ciphers, &cbb)); - CHECK_GOTO(CBB_finish(&cbb, NULL, &outlen)); - - CHECK_GOTO(outlen > 0 && outlen == cb_len); - CHECK_GOTO(memcmp(buf, cb, cb_len) == 0); - CHECK_GOTO(buf[buflen - 2] == 0xfe && buf[buflen - 1] == 0xab); - - ret = 1; - - err: - free(buf); - return ret; -} - -static int -ssl_bytes_to_list_invalid(SSL *s, STACK_OF(SSL_CIPHER) **ciphers) -{ - uint8_t empty_cipher_bytes[] = {0}; - CBS cbs; - - sk_SSL_CIPHER_free(*ciphers); - - /* Invalid length: CipherSuite is 2 bytes so it must be even */ - CBS_init(&cbs, cipher_bytes, sizeof(cipher_bytes) - 1); - *ciphers = ssl_bytes_to_cipher_list(s, &cbs); - CHECK(*ciphers == NULL); - - /* Invalid length: cipher_suites must be at least 2 */ - CBS_init(&cbs, empty_cipher_bytes, sizeof(empty_cipher_bytes)); - *ciphers = 
ssl_bytes_to_cipher_list(s, &cbs); - CHECK(*ciphers == NULL); - - return 1; -} - -int -main(void) -{ - STACK_OF(SSL_CIPHER) *ciphers = NULL; - SSL_CTX *ctx = NULL; - SSL *s = NULL; - int rv = 1; - - SSL_library_init(); - - /* Use TLSv1.2 client to get all ciphers. */ - CHECK_GOTO((ctx = SSL_CTX_new(TLSv1_2_client_method())) != NULL); - CHECK_GOTO((s = SSL_new(ctx)) != NULL); - SSL_set_security_level(s, 2); - - if (!ssl_bytes_to_list_alloc(s, &ciphers)) - goto err; - if (!ssl_list_to_bytes_scsv(s, &ciphers, cipher_bytes, - sizeof(cipher_bytes))) - goto err; - if (!ssl_list_to_bytes_no_scsv(s, &ciphers, cipher_bytes, - sizeof(cipher_bytes))) - goto err; - if (!ssl_bytes_to_list_invalid(s, &ciphers)) - goto err; - - sk_SSL_CIPHER_free(ciphers); - ciphers = NULL; - - SSL_set_security_level(s, 3); - if (!ssl_bytes_to_list_alloc(s, &ciphers)) - goto err; - if (!ssl_list_to_bytes_scsv(s, &ciphers, cipher_bytes_seclevel3, - sizeof(cipher_bytes_seclevel3))) - goto err; - if (!ssl_list_to_bytes_no_scsv(s, &ciphers, cipher_bytes_seclevel3, - sizeof(cipher_bytes_seclevel3))) - goto err; - - rv = 0; - - err: - sk_SSL_CIPHER_free(ciphers); - SSL_CTX_free(ctx); - SSL_free(s); - - if (!rv) - printf("PASS %s\n", __FILE__); - - return rv; -} diff --git a/src/regress/lib/libssl/unit/ssl_get_shared_ciphers.c b/src/regress/lib/libssl/unit/ssl_get_shared_ciphers.c deleted file mode 100644 index e26f614e53..0000000000 --- a/src/regress/lib/libssl/unit/ssl_get_shared_ciphers.c +++ /dev/null 
@@ -1,478 +0,0 @@ -/* $OpenBSD: ssl_get_shared_ciphers.c,v 1.13 2024/08/31 12:47:24 jsing Exp $ */ -/* - * Copyright (c) 2021 Theo Buehler - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#include -#include -#include -#include - -#include -#include -#include -#include - -struct peer_config { - const char *name; - int server; - uint16_t max_version; - uint16_t min_version; - const char *ciphers; -}; - -struct ssl_shared_ciphers_test_data { - const char *description; - struct peer_config client_config; - struct peer_config server_config; - const char *shared_ciphers; - const char *shared_ciphers_without_aesni; -}; - -char *server_cert; -char *server_key; - -static const struct ssl_shared_ciphers_test_data ssl_shared_ciphers_tests[] = { - { - .description = "TLSv1.3 defaults", - .client_config = { - .name = "client", - .server = 0, - .max_version = TLS1_3_VERSION, - .min_version = TLS1_3_VERSION, - .ciphers = - "TLS_AES_256_GCM_SHA384:" - "TLS_CHACHA20_POLY1305_SHA256:" - "TLS_AES_128_GCM_SHA256", - }, - .server_config = { - .name = "server", - .server = 1, - .max_version = TLS1_3_VERSION, - .min_version = TLS1_3_VERSION, - .ciphers = - "TLS_AES_256_GCM_SHA384:" - "TLS_CHACHA20_POLY1305_SHA256:" - "TLS_AES_128_GCM_SHA256", - }, - .shared_ciphers = - "TLS_AES_256_GCM_SHA384:" - 
"TLS_CHACHA20_POLY1305_SHA256:" - "TLS_AES_128_GCM_SHA256", - }, - - { - .description = "TLSv1.3, client without ChaCha", - .client_config = { - .name = "client", - .server = 0, - .max_version = TLS1_3_VERSION, - .min_version = TLS1_3_VERSION, - .ciphers = - "TLS_AES_256_GCM_SHA384:" - "TLS_AES_128_GCM_SHA256", - }, - .server_config = { - .name = "server", - .server = 1, - .max_version = TLS1_3_VERSION, - .min_version = TLS1_3_VERSION, - .ciphers = - "TLS_AES_256_GCM_SHA384:" - "TLS_CHACHA20_POLY1305_SHA256:" - "TLS_AES_128_GCM_SHA256", - }, - .shared_ciphers = - "TLS_AES_256_GCM_SHA384:" - "TLS_AES_128_GCM_SHA256", - }, - - { - .description = "TLSv1.2", - .client_config = { - .name = "client", - .server = 0, - .max_version = TLS1_2_VERSION, - .min_version = TLS1_2_VERSION, - .ciphers = - "ECDHE-RSA-AES256-GCM-SHA384:" - "ECDHE-ECDSA-AES256-GCM-SHA384:" - "ECDHE-RSA-AES256-SHA384:" - "ECDHE-ECDSA-AES256-SHA384:" - "ECDHE-RSA-AES256-SHA:" - "ECDHE-ECDSA-AES256-SHA", - }, - .server_config = { - .name = "server", - .server = 1, - .max_version = TLS1_2_VERSION, - .min_version = TLS1_2_VERSION, - .ciphers = - "ECDHE-RSA-AES256-GCM-SHA384:" - "ECDHE-ECDSA-AES256-GCM-SHA384:" - "ECDHE-RSA-AES256-SHA384:" - "ECDHE-ECDSA-AES256-SHA384:" - "ECDHE-RSA-AES256-SHA:" - "ECDHE-ECDSA-AES256-SHA", - }, - .shared_ciphers = - "ECDHE-RSA-AES256-GCM-SHA384:" - "ECDHE-ECDSA-AES256-GCM-SHA384:" - "ECDHE-RSA-AES256-SHA384:" - "ECDHE-ECDSA-AES256-SHA384:" - "ECDHE-RSA-AES256-SHA:" - "ECDHE-ECDSA-AES256-SHA", - }, - - { - .description = "TLSv1.2, server without ECDSA", - .client_config = { - .name = "client", - .server = 0, - .max_version = TLS1_2_VERSION, - .min_version = TLS1_2_VERSION, - .ciphers = - "ECDHE-RSA-AES256-GCM-SHA384:" - "ECDHE-ECDSA-AES256-GCM-SHA384:" - "ECDHE-RSA-AES256-SHA384:" - "ECDHE-ECDSA-AES256-SHA384:" - "ECDHE-RSA-AES256-SHA:" - "ECDHE-ECDSA-AES256-SHA", - }, - .server_config = { - .name = "server", - .server = 1, - .max_version = TLS1_2_VERSION, - .min_version = 
TLS1_2_VERSION, - .ciphers = - "ECDHE-RSA-AES256-GCM-SHA384:" - "ECDHE-RSA-AES256-SHA384:" - "ECDHE-RSA-AES256-SHA", - }, - .shared_ciphers = - "ECDHE-RSA-AES256-GCM-SHA384:" - "ECDHE-RSA-AES256-SHA384:" - "ECDHE-RSA-AES256-SHA", - }, - - { - .description = "TLSv1.3 ciphers are prepended", - .client_config = { - .name = "client", - .server = 0, - .max_version = TLS1_3_VERSION, - .min_version = TLS1_2_VERSION, - .ciphers = - "ECDHE-RSA-AES256-GCM-SHA384", - }, - .server_config = { - .name = "server", - .server = 1, - .max_version = TLS1_3_VERSION, - .min_version = TLS1_2_VERSION, - .ciphers = - "ECDHE-RSA-AES256-GCM-SHA384", - }, - .shared_ciphers = - "TLS_AES_256_GCM_SHA384:" - "TLS_CHACHA20_POLY1305_SHA256:" - "TLS_AES_128_GCM_SHA256:" - "ECDHE-RSA-AES256-GCM-SHA384", - .shared_ciphers_without_aesni = - "TLS_CHACHA20_POLY1305_SHA256:" - "TLS_AES_256_GCM_SHA384:" - "TLS_AES_128_GCM_SHA256:" - "ECDHE-RSA-AES256-GCM-SHA384", - }, -}; - -static const size_t N_SHARED_CIPHERS_TESTS = - sizeof(ssl_shared_ciphers_tests) / sizeof(ssl_shared_ciphers_tests[0]); - -static SSL_CTX * -peer_config_to_ssl_ctx(const struct peer_config *config) -{ - SSL_CTX *ctx; - - if ((ctx = SSL_CTX_new(TLS_method())) == NULL) { - fprintf(stderr, "SSL_CTX_new(%s) failed\n", config->name); - goto err; - } - if (!SSL_CTX_set_max_proto_version(ctx, config->max_version)) { - fprintf(stderr, "max_proto_version(%s) failed\n", config->name); - goto err; - } - if (!SSL_CTX_set_min_proto_version(ctx, config->min_version)) { - fprintf(stderr, "min_proto_version(%s) failed\n", config->name); - goto err; - } - if (!SSL_CTX_set_cipher_list(ctx, config->ciphers)) { - fprintf(stderr, "set_cipher_list(%s) failed\n", config->name); - goto err; - } - - if (config->server) { - if (!SSL_CTX_use_certificate_file(ctx, server_cert, - SSL_FILETYPE_PEM)) { - fprintf(stderr, "use_certificate_file(%s) failed\n", - config->name); - goto err; - } - if (!SSL_CTX_use_PrivateKey_file(ctx, server_key, - SSL_FILETYPE_PEM)) { - 
fprintf(stderr, "use_PrivateKey_file(%s) failed\n", - config->name); - goto err; - } - } - - return ctx; - - err: - SSL_CTX_free(ctx); - return NULL; -} - -/* Connect client and server via a pair of "nonblocking" memory BIOs. */ -static int -connect_peers(SSL *client_ssl, SSL *server_ssl, const char *description) -{ - BIO *client_wbio = NULL, *server_wbio = NULL; - int ret = 0; - - if ((client_wbio = BIO_new(BIO_s_mem())) == NULL) { - fprintf(stderr, "%s: failed to create client BIO\n", - description); - goto err; - } - if ((server_wbio = BIO_new(BIO_s_mem())) == NULL) { - fprintf(stderr, "%s: failed to create server BIO\n", - description); - goto err; - } - if (BIO_set_mem_eof_return(client_wbio, -1) <= 0) { - fprintf(stderr, "%s: failed to set client eof return\n", - description); - goto err; - } - if (BIO_set_mem_eof_return(server_wbio, -1) <= 0) { - fprintf(stderr, "%s: failed to set server eof return\n", - description); - goto err; - } - - /* Avoid double free. SSL_set_bio() takes ownership of the BIOs. */ - BIO_up_ref(client_wbio); - BIO_up_ref(server_wbio); - - SSL_set_bio(client_ssl, server_wbio, client_wbio); - SSL_set_bio(server_ssl, client_wbio, server_wbio); - client_wbio = NULL; - server_wbio = NULL; - - ret = 1; - - err: - BIO_free(client_wbio); - BIO_free(server_wbio); - - return ret; -} - -static int -push_data_to_peer(SSL *ssl, int *ret, int (*func)(SSL *), const char *func_name, - const char *description) -{ - int ssl_err = 0; - - if (*ret == 1) - return 1; - - /* - * Do SSL_connect/SSL_accept/SSL_shutdown once and loop while hitting - * WANT_WRITE. If done or on WANT_READ hand off to peer. - */ - - do { - if ((*ret = func(ssl)) <= 0) - ssl_err = SSL_get_error(ssl, *ret); - } while (*ret <= 0 && ssl_err == SSL_ERROR_WANT_WRITE); - - /* Ignore erroneous error - see SSL_shutdown(3)... 
*/ - if (func == SSL_shutdown && ssl_err == SSL_ERROR_SYSCALL) - return 1; - - if (*ret <= 0 && ssl_err != SSL_ERROR_WANT_READ) { - fprintf(stderr, "%s: %s failed\n", description, func_name); - ERR_print_errors_fp(stderr); - return 0; - } - - return 1; -} - -/* - * Alternate between loops of SSL_connect() and SSL_accept() as long as only - * WANT_READ and WANT_WRITE situations are encountered. A function is repeated - * until WANT_READ is returned or it succeeds, then it's the other function's - * turn to make progress. Succeeds if SSL_connect() and SSL_accept() return 1. - */ -static int -handshake(SSL *client_ssl, SSL *server_ssl, const char *description) -{ - int loops = 0, client_ret = 0, server_ret = 0; - - while (loops++ < 10 && (client_ret <= 0 || server_ret <= 0)) { - if (!push_data_to_peer(client_ssl, &client_ret, SSL_connect, - "SSL_connect", description)) - return 0; - - if (!push_data_to_peer(server_ssl, &server_ret, SSL_accept, - "SSL_accept", description)) - return 0; - } - - if (client_ret != 1 || server_ret != 1) { - fprintf(stderr, "%s: failed\n", __func__); - return 0; - } - - return 1; -} - -static int -shutdown_peers(SSL *client_ssl, SSL *server_ssl, const char *description) -{ - int loops = 0, client_ret = 0, server_ret = 0; - - while (loops++ < 10 && (client_ret <= 0 || server_ret <= 0)) { - if (!push_data_to_peer(client_ssl, &client_ret, SSL_shutdown, - "client shutdown", description)) - return 0; - - if (!push_data_to_peer(server_ssl, &server_ret, SSL_shutdown, - "server shutdown", description)) - return 0; - } - - if (client_ret != 1 || server_ret != 1) { - fprintf(stderr, "%s: failed\n", __func__); - return 0; - } - - return 1; -} - -/* from ssl_ciph.c */ -static inline int -ssl_aes_is_accelerated(void) -{ - return (OPENSSL_cpu_caps() & CRYPTO_CPU_CAPS_ACCELERATED_AES) != 0; -} - -static int -check_shared_ciphers(const struct ssl_shared_ciphers_test_data *test, - const char *got) -{ - const char *want = test->shared_ciphers; - int failed; 
- - if (!ssl_aes_is_accelerated() && - test->shared_ciphers_without_aesni != NULL) - want = test->shared_ciphers_without_aesni; - - failed = strcmp(want, got); - - if (failed) - fprintf(stderr, "%s: want \"%s\", got \"%s\"\n", - test->description, want, got); - - return failed; -} - -static int -test_get_shared_ciphers(const struct ssl_shared_ciphers_test_data *test) -{ - SSL_CTX *client_ctx = NULL, *server_ctx = NULL; - SSL *client_ssl = NULL, *server_ssl = NULL; - char buf[4096]; - int failed = 1; - - if ((client_ctx = peer_config_to_ssl_ctx(&test->client_config)) == NULL) - goto err; - if ((server_ctx = peer_config_to_ssl_ctx(&test->server_config)) == NULL) - goto err; - - if ((client_ssl = SSL_new(client_ctx)) == NULL) { - fprintf(stderr, "%s: failed to create client SSL\n", - test->description); - goto err; - } - if ((server_ssl = SSL_new(server_ctx)) == NULL) { - fprintf(stderr, "%s: failed to create server SSL\n", - test->description); - goto err; - } - - if (!connect_peers(client_ssl, server_ssl, test->description)) - goto err; - - if (!handshake(client_ssl, server_ssl, test->description)) - goto err; - - if (SSL_get_shared_ciphers(server_ssl, buf, sizeof(buf)) == NULL) { - fprintf(stderr, "%s: failed to get shared ciphers\n", - test->description); - goto err; - } - - if (!shutdown_peers(client_ssl, server_ssl, test->description)) - goto err; - - failed = check_shared_ciphers(test, buf); - - err: - SSL_CTX_free(client_ctx); - SSL_CTX_free(server_ctx); - SSL_free(client_ssl); - SSL_free(server_ssl); - - return failed; -} - -int -main(int argc, char **argv) -{ - size_t i; - int failed = 0; - - if (asprintf(&server_cert, "%s/server1-rsa.pem", CERTSDIR) == -1) { - fprintf(stderr, "asprintf server_cert failed\n"); - failed = 1; - goto err; - } - server_key = server_cert; - - for (i = 0; i < N_SHARED_CIPHERS_TESTS; i++) - failed |= test_get_shared_ciphers(&ssl_shared_ciphers_tests[i]); - - if (failed == 0) - printf("PASS %s\n", __FILE__); - - err: - 
free(server_cert); - - return failed; -} diff --git a/src/regress/lib/libssl/unit/ssl_methods.c b/src/regress/lib/libssl/unit/ssl_methods.c deleted file mode 100644 index 0fc33a406c..0000000000 --- a/src/regress/lib/libssl/unit/ssl_methods.c +++ /dev/null 
@@ -1,267 +0,0 @@ -/* $OpenBSD: ssl_methods.c,v 1.4 2021/04/04 20:21:43 tb Exp $ */ -/* - * Copyright (c) 2020 Theo Buehler - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#include - -#include - -struct ssl_method_test_data { - const SSL_METHOD *(*method)(void); - const char *name; - int server; - int dtls; -}; - -struct ssl_method_test_data ssl_method_tests[] = { - { - .method = SSLv23_method, - .name = "SSLv23_method", - .server = 1, - .dtls = 0, - }, - { - .method = SSLv23_server_method, - .name = "SSLv23_server_method", - .server = 1, - .dtls = 0, - }, - { - .method = SSLv23_client_method, - .name = "SSLv23_client_method", - .server = 0, - .dtls = 0, - }, - - { - .method = TLSv1_method, - .name = "TLSv1_method", - .server = 1, - .dtls = 0, - }, - { - .method = TLSv1_server_method, - .name = "TLSv1_server_method", - .server = 1, - .dtls = 0, - }, - { - .method = TLSv1_client_method, - .name = "TLSv1_client_method", - .server = 0, - .dtls = 0, - }, - - { - .method = TLSv1_1_method, - .name = "TLSv1_1_method", - .server = 1, - .dtls = 0, - }, - { - .method = TLSv1_1_server_method, - .name = "TLSv1_1_server_method", - .server = 1, - .dtls = 0, - }, - { - .method = TLSv1_1_client_method, - .name = "TLSv1_1_client_method", - .server = 0, - .dtls = 0, - }, - - { - .method = 
TLSv1_2_method, - .name = "TLSv1_2_method", - .server = 1, - .dtls = 0, - }, - { - .method = TLSv1_2_server_method, - .name = "TLSv1_2_server_method", - .server = 1, - .dtls = 0, - }, - { - .method = TLSv1_2_client_method, - .name = "TLSv1_2_client_method", - .server = 0, - .dtls = 0, - }, - - { - .method = TLS_method, - .name = "TLS_method", - .server = 1, - .dtls = 0, - }, - { - .method = TLS_server_method, - .name = "TLS_server_method", - .server = 1, - .dtls = 0, - }, - { - .method = TLS_client_method, - .name = "TLS_client_method", - .server = 0, - .dtls = 0, - }, - - { - .method = DTLSv1_method, - .name = "DTLSv1_method", - .server = 1, - .dtls = 1, - }, - { - .method = DTLSv1_server_method, - .name = "DTLSv1_server_method", - .server = 1, - .dtls = 1, - }, - { - .method = DTLSv1_client_method, - .name = "DTLSv1_client_method", - .server = 0, - .dtls = 1, - }, - - { - .method = DTLSv1_2_method, - .name = "DTLSv1_2_method", - .server = 1, - .dtls = 1, - }, - { - .method = DTLSv1_2_server_method, - .name = "DTLSv1_2_server_method", - .server = 1, - .dtls = 1, - }, - { - .method = DTLSv1_2_client_method, - .name = "DTLSv1_2_client_method", - .server = 0, - .dtls = 1, - }, - - { - .method = DTLS_method, - .name = "DTLS_method", - .server = 1, - .dtls = 1, - }, - { - .method = DTLS_server_method, - .name = "DTLS_server_method", - .server = 1, - .dtls = 1, - }, - { - .method = DTLS_client_method, - .name = "DTLS_client_method", - .server = 0, - .dtls = 1, - }, -}; - -#define N_METHOD_TESTS (sizeof(ssl_method_tests) / sizeof(ssl_method_tests[0])) - -int test_client_or_server_method(struct ssl_method_test_data *); -int test_dtls_method(struct ssl_method_test_data *); - -int -test_client_or_server_method(struct ssl_method_test_data *testcase) -{ - SSL_CTX *ssl_ctx; - SSL *ssl = NULL; - int failed = 1; - - if ((ssl_ctx = SSL_CTX_new(testcase->method())) == NULL) { - fprintf(stderr, "SSL_CTX_new returned NULL\n"); - goto err; - } - - if ((ssl = SSL_new(ssl_ctx)) == 
NULL) { - fprintf(stderr, "SSL_new returned NULL\n"); - goto err; - } - - if (SSL_is_server(ssl) != testcase->server) { - fprintf(stderr, "%s: SSL_is_server: want %d, got %d\n", - testcase->name, testcase->server, SSL_is_server(ssl)); - goto err; - } - - failed = 0; - - err: - SSL_free(ssl); - SSL_CTX_free(ssl_ctx); - - return failed; -} - -int -test_dtls_method(struct ssl_method_test_data *testcase) -{ - SSL_CTX *ssl_ctx; - SSL *ssl = NULL; - int failed = 1; - - if ((ssl_ctx = SSL_CTX_new(testcase->method())) == NULL) { - fprintf(stderr, "SSL_CTX_new returned NULL\n"); - goto err; - } - - if ((ssl = SSL_new(ssl_ctx)) == NULL) { - fprintf(stderr, "SSL_new returned NULL\n"); - goto err; - } - - if (SSL_is_dtls(ssl) != testcase->dtls) { - fprintf(stderr, "%s: SSL_is_dtls: want %d, got %d\n", - testcase->name, testcase->dtls, SSL_is_dtls(ssl)); - goto err; - } - - failed = 0; - - err: - SSL_free(ssl); - SSL_CTX_free(ssl_ctx); - - return failed; -} - -int -main(int argc, char **argv) -{ - size_t i; - int failed = 0; - - for (i = 0; i < N_METHOD_TESTS; i++) { - failed |= test_client_or_server_method(&ssl_method_tests[i]); - failed |= test_dtls_method(&ssl_method_tests[i]); - } - - if (failed == 0) - printf("PASS %s\n", __FILE__); - - return failed; -} diff --git a/src/regress/lib/libssl/unit/ssl_set_alpn_protos.c b/src/regress/lib/libssl/unit/ssl_set_alpn_protos.c deleted file mode 100644 index d8447c8999..0000000000 --- a/src/regress/lib/libssl/unit/ssl_set_alpn_protos.c +++ /dev/null 
@@ -1,470 +0,0 @@ -/* $OpenBSD: ssl_set_alpn_protos.c,v 1.4 2024/07/11 13:51:47 tb Exp $ */ -/* - * Copyright (c) 2022 Theo Buehler - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#include -#include - -#include - -static void -hexdump(const unsigned char *buf, size_t len) -{ - size_t i; - - if (buf == NULL) { - fprintf(stderr, "(null), len %zu\n", len); - return; - } - for (i = 1; i <= len; i++) - fprintf(stderr, " 0x%02hhx,%s", buf[i - 1], i % 8 ? 
"" : "\n"); - if (len % 8) - fprintf(stderr, "\n"); -} - -struct alpn_test { - const char *description; - const uint8_t protocols[24]; - size_t protocols_len; - int ret; -}; - -static const struct alpn_test alpn_tests[] = { - { - .description = "valid protocol list", - .protocols = { - 6, 's', 'p', 'd', 'y', '/', '1', - 8, 'h', 't', 't', 'p', '/', '1', '.', '1', - }, - .protocols_len = 16, - .ret = 0, - }, - { - .description = "zero length protocol", - .protocols = { - 0, - }, - .protocols_len = 1, - .ret = 1, - }, - { - .description = "zero length protocol at start", - .protocols = { - 0, - 8, 'h', 't', 't', 'p', '/', '1', '.', '1', - 6, 's', 'p', 'd', 'y', '/', '1', - }, - .protocols_len = 17, - .ret = 1, - }, - { - .description = "zero length protocol embedded", - .protocols = { - 8, 'h', 't', 't', 'p', '/', '1', '.', '1', - 0, - 6, 's', 'p', 'd', 'y', '/', '1', - }, - .protocols_len = 17, - .ret = 1, - }, - { - .description = "zero length protocol at end", - .protocols = { - 8, 'h', 't', 't', 'p', '/', '1', '.', '1', - 6, 's', 'p', 'd', 'y', '/', '1', - 0, - }, - .protocols_len = 17, - .ret = 1, - }, - { - .description = "protocol length too short", - .protocols = { - 6, 'h', 't', 't', 'p', '/', '1', '.', '1', - }, - .protocols_len = 9, - .ret = 1, - }, - { - .description = "protocol length too long", - .protocols = { - 8, 's', 'p', 'd', 'y', '/', '1', - }, - .protocols_len = 7, - .ret = 1, - }, -}; - -static const size_t N_ALPN_TESTS = sizeof(alpn_tests) / sizeof(alpn_tests[0]); - -static int -test_ssl_set_alpn_protos(const struct alpn_test *tc) -{ - SSL_CTX *ctx; - SSL *ssl; - int ret; - int failed = 0; - - if ((ctx = SSL_CTX_new(TLS_client_method())) == NULL) - errx(1, "SSL_CTX_new"); - - ret = SSL_CTX_set_alpn_protos(ctx, tc->protocols, tc->protocols_len); - if (ret != tc->ret) { - warnx("%s: setting on SSL_CTX: want %d, got %d", - tc->description, tc->ret, ret); - failed = 1; - } - - if ((ssl = SSL_new(ctx)) == NULL) - errx(1, "SSL_new"); - - ret = 
SSL_set_alpn_protos(ssl, tc->protocols, tc->protocols_len); - if (ret != tc->ret) { - warnx("%s: setting on SSL: want %d, got %d", - tc->description, tc->ret, ret); - failed = 1; - } - - SSL_CTX_free(ctx); - SSL_free(ssl); - - return failed; -} - -static int -test_ssl_set_alpn_protos_edge_cases(void) -{ - SSL_CTX *ctx; - SSL *ssl; - const uint8_t valid[] = { - 6, 's', 'p', 'd', 'y', '/', '3', - 8, 'h', 't', 't', 'p', '/', '1', '.', '1', - }; - int failed = 0; - - if ((ctx = SSL_CTX_new(TLS_client_method())) == NULL) - errx(1, "SSL_CTX_new"); - - if (SSL_CTX_set_alpn_protos(ctx, valid, sizeof(valid)) != 0) { - warnx("setting valid protocols on SSL_CTX failed"); - failed = 1; - } - if (SSL_CTX_set_alpn_protos(ctx, NULL, 0) != 0) { - warnx("setting 'NULL, 0' on SSL_CTX failed"); - failed = 1; - } - if (SSL_CTX_set_alpn_protos(ctx, valid, 0) != 0) { - warnx("setting 'valid, 0' on SSL_CTX failed"); - failed = 1; - } - if (SSL_CTX_set_alpn_protos(ctx, NULL, 43) != 0) { - warnx("setting 'NULL, 43' on SSL_CTX failed"); - failed = 1; - } - - if ((ssl = SSL_new(ctx)) == NULL) - errx(1, "SSL_new"); - - if (SSL_set_alpn_protos(ssl, valid, sizeof(valid)) != 0) { - warnx("setting valid protocols on SSL failed"); - failed = 1; - } - if (SSL_set_alpn_protos(ssl, NULL, 0) != 0) { - warnx("setting 'NULL, 0' on SSL failed"); - failed = 1; - } - if (SSL_set_alpn_protos(ssl, valid, 0) != 0) { - warnx("setting 'valid, 0' on SSL failed"); - failed = 1; - } - if (SSL_set_alpn_protos(ssl, NULL, 43) != 0) { - warnx("setting 'NULL, 43' on SSL failed"); - failed = 1; - } - - SSL_CTX_free(ctx); - SSL_free(ssl); - - return failed; -} - -static const struct select_next_proto_test { - const unsigned char *peer_list; - size_t peer_list_len; - const unsigned char *supported_list; - size_t supported_list_len; - int want_ret; - const unsigned char *want_out; - unsigned char want_out_len; /* yes, unsigned char */ -} select_next_proto_tests[] = { - { - .peer_list = "\x01" "a" "\x01" "b" "\x01" "c", - 
.peer_list_len = 6, - .supported_list = "\x01" "a", - .supported_list_len = 2, - .want_ret = OPENSSL_NPN_NEGOTIATED, - .want_out = "a", - .want_out_len = 1, - }, - { - .peer_list = "\x01" "a" "\x01" "b" "\x01" "c", - .peer_list_len = 6, - .supported_list = "\x02" "aa" "\x01" "b" "\x01" "c", - .supported_list_len = 7, - .want_ret = OPENSSL_NPN_NEGOTIATED, - .want_out = "b", - .want_out_len = 1, - }, - { - /* Use peer preference. */ - .peer_list = "\x01" "a" "\x01" "b" "\x01" "c", - .peer_list_len = 6, - .supported_list = "\x01" "c" "\x01" "b" "\x01" "a", - .supported_list_len = 6, - .want_ret = OPENSSL_NPN_NEGOTIATED, - .want_out = "a", - .want_out_len = 1, - }, - { - /* Again peer preference wins. */ - .peer_list = "\x01" "a" "\x03" "bbb" "\x02" "cc", - .peer_list_len = 9, - .supported_list = "\x01" "z" "\x02" "cc" "\x03" "bbb", - .supported_list_len = 9, - .want_ret = OPENSSL_NPN_NEGOTIATED, - .want_out = "bbb", - .want_out_len = 3, - }, - { - /* No overlap fails with first supported protocol. */ - .peer_list = "\x01" "a" "\x01" "b" "\x01" "c", - .peer_list_len = 6, - .supported_list = "\x01" "z" "\x01" "y", - .supported_list_len = 4, - .want_ret = OPENSSL_NPN_NO_OVERLAP, - .want_out = "z", - .want_out_len = 1, - }, - { - /* No peer protocols fails cleanly. */ - .peer_list = "", - .peer_list_len = 0, - .supported_list = "\x01" "a" "\x01" "b" "\x01" "c", - .supported_list_len = 6, - .want_out = "a", - .want_out_len = 1, - .want_ret = OPENSSL_NPN_NO_OVERLAP, - }, - { - /* NULL peer protocols fails cleanly. */ - .peer_list = NULL, - .peer_list_len = 0, - .supported_list = "\x01" "a" "\x01" "b" "\x01" "c", - .supported_list_len = 6, - .want_out = "a", - .want_out_len = 1, - .want_ret = OPENSSL_NPN_NO_OVERLAP, - }, - { - /* Malformed peer protocols fails cleanly. 
*/
- .peer_list = "\x00",
- .peer_list_len = 1,
- .supported_list = "\x01" "a" "\x01" "b" "\x01" "c",
- .supported_list_len = 6,
- .want_out = "a",
- .want_out_len = 1,
- .want_ret = OPENSSL_NPN_NO_OVERLAP,
- },
- {
- /* Malformed peer protocols fails cleanly. */
- .peer_list = "\x01" "a" "\x03" "bb",
- .peer_list_len = 5,
- .supported_list = "\x01" "a" "\x01" "b" "\x01" "c",
- .supported_list_len = 6,
- .want_out = "a",
- .want_out_len = 1,
- .want_ret = OPENSSL_NPN_NO_OVERLAP,
- },
- {
- /* Empty supported list fails cleanly. */
- .peer_list = "\x01" "a",
- .peer_list_len = 2,
- .supported_list = "",
- .supported_list_len = 0,
- .want_out = NULL,
- .want_out_len = 0,
- .want_ret = OPENSSL_NPN_NO_OVERLAP,
- },
- {
- /* NULL supported list fails cleanly. */
- .peer_list = "\x01" "a",
- .peer_list_len = 2,
- .supported_list = NULL,
- .supported_list_len = 0,
- .want_out = NULL,
- .want_out_len = 0,
- .want_ret = OPENSSL_NPN_NO_OVERLAP,
- },
- {
- /* Malformed supported list fails cleanly. */
- .peer_list = "\x01" "a",
- .peer_list_len = 2,
- .supported_list = "\x01" "a" "\x02" "bb" "\x03" "cc" "\x04" "ddd",
- .supported_list_len = 12,
- .want_out = NULL,
- .want_out_len = 0,
- .want_ret = OPENSSL_NPN_NO_OVERLAP,
- },
- {
- /* Malformed client list fails cleanly. */
- .peer_list = "\x01" "a",
- .peer_list_len = 2,
- .supported_list = "\x01" "a" "\x02" "bb" "\x00" "\x03" "ddd",
- .supported_list_len = 10,
- .want_out = NULL,
- .want_out_len = 0,
- .want_ret = OPENSSL_NPN_NO_OVERLAP,
- },
-
- /*
- * Some non-toy examples.
- */
-
- {
- .peer_list = "\x08" "http/1.1" "\x06" "spdy/1",
- .peer_list_len = 16,
- .supported_list = "\x08" "http/2.0" "\x08" "http/1.1",
- .supported_list_len = 18,
- .want_out = "http/1.1",
- .want_out_len = 8,
- .want_ret = OPENSSL_NPN_NEGOTIATED,
- },
- {
- .peer_list = "\x08" "http/2.0" "\x06" "spdy/1",
- .peer_list_len = 16,
- .supported_list = "\x08" "http/1.0" "\x08" "http/1.1",
- .supported_list_len = 18,
- .want_out = "http/1.0",
- .want_out_len = 8,
- .want_ret = OPENSSL_NPN_NO_OVERLAP,
- },
- {
- .peer_list = "\x08" "http/1.1" "\x08" "http/1.0",
- .peer_list_len = 18,
- .supported_list = "\x08" "http/1.0" "\x08" "http/1.1",
- .supported_list_len = 18,
- .want_out = "http/1.1",
- .want_out_len = 8,
- .want_ret = OPENSSL_NPN_NEGOTIATED,
- },
- {
- /* Peer list malformed. */
- .peer_list = "\x08" "http/1.1" "\x07" "http/1.0",
- .peer_list_len = 18,
- .supported_list = "\x08" "http/1.0" "\x08" "http/1.1",
- .supported_list_len = 18,
- .want_out = "http/1.0",
- .want_out_len = 8,
- .want_ret = OPENSSL_NPN_NO_OVERLAP,
- },
- {
- /* Peer list malformed. */
- .peer_list = "\x07" "http/1.1" "\x08" "http/1.0",
- .peer_list_len = 18,
- .supported_list = "\x08" "http/1.0" "\x08" "http/1.1",
- .supported_list_len = 18,
- .want_out = "http/1.0",
- .want_out_len = 8,
- .want_ret = OPENSSL_NPN_NO_OVERLAP,
- },
- {
- /* Supported list has trailing bytes.
*/
- .peer_list = "\x08" "http/1.1" "\x08" "http/1.0",
- .peer_list_len = 18,
- .supported_list = "\x08" "http/1.0" "\x07" "http/1.1",
- .supported_list_len = 18,
- .want_out = NULL,
- .want_out_len = 0,
- .want_ret = OPENSSL_NPN_NO_OVERLAP,
- },
-};
-
-#define N_SELECT_NEXT_PROTO_TESTS \
- (sizeof(select_next_proto_tests) / sizeof(select_next_proto_tests[0]))
-
-static int
-select_next_proto_testcase(const struct select_next_proto_test *test)
-{
- unsigned char *out;
- unsigned char out_len;
- int ret;
- int failed = 0;
-
- ret = SSL_select_next_proto(&out, &out_len, test->peer_list,
- test->peer_list_len, test->supported_list, test->supported_list_len);
-
- if (ret != test->want_ret || out_len != test->want_out_len ||
- (out == NULL && test->want_out != NULL) ||
- (out != NULL && test->want_out == NULL) ||
- (out != NULL && test->want_out != NULL &&
- memcmp(out, test->want_out, out_len) != 0)) {
- fprintf(stderr, "FAIL: ret: %u (want %u), out_len: %u (want %u)\n",
- ret, test->want_ret, out_len, test->want_out_len);
- fprintf(stderr, "\ngot:\n");
- hexdump(out, out_len);
- fprintf(stderr, "\nwant:\n");
- hexdump(test->want_out, test->want_out_len);
- fprintf(stderr, "\nserver:\n");
- hexdump(test->peer_list, test->peer_list_len);
- fprintf(stderr, "\nclient:\n");
- hexdump(test->supported_list, test->supported_list_len);
- fprintf(stderr, "\n");
- failed = 1;
- }
-
- return failed;
-}
-
-static int
-test_ssl_select_next_proto(void)
-{
- size_t i;
- int failed = 0;
-
- for (i = 0; i < N_SELECT_NEXT_PROTO_TESTS; i++)
- failed |= select_next_proto_testcase(&select_next_proto_tests[i]);
-
- return failed;
-}
-
-int
-main(void)
-{
- size_t i;
- int failed = 0;
-
- for (i = 0; i < N_ALPN_TESTS; i++)
- failed |= test_ssl_set_alpn_protos(&alpn_tests[i]);
-
- failed |= test_ssl_set_alpn_protos_edge_cases();
-
- failed |= test_ssl_select_next_proto();
-
- if (!failed)
- printf("PASS %s\n", __FILE__);
-
- return failed;
-}
diff --git a/src/regress/lib/libssl/unit/ssl_verify_param.c b/src/regress/lib/libssl/unit/ssl_verify_param.c
deleted file mode 100644
index cdb52c56a8..0000000000
--- a/src/regress/lib/libssl/unit/ssl_verify_param.c
+++ /dev/null
@@ -1,99 +0,0 @@
-/* $OpenBSD: ssl_verify_param.c,v 1.1 2023/05/24 08:54:59 tb Exp $ */
-
-/*
- * Copyright (c) 2023 Theo Buehler
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include
-#include
-
-#include
-#include
-
-unsigned int X509_VERIFY_PARAM_get_hostflags(X509_VERIFY_PARAM *param);
-
-static int
-ssl_verify_param_flags_inherited(void)
-{
- SSL_CTX *ssl_ctx = NULL;
- SSL *ssl = NULL;
- X509_VERIFY_PARAM *param;
- unsigned int defaultflags = 0;
- unsigned int newflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
- unsigned int flags;
- int failed = 1;
-
- if ((ssl_ctx = SSL_CTX_new(TLS_method())) == NULL)
- errx(1, "SSL_CTX_new");
-
- if ((param = SSL_CTX_get0_param(ssl_ctx)) == NULL) {
- fprintf(stderr, "FAIL: no verify param on ssl_ctx\n");
- goto failure;
- }
-
- if ((flags = X509_VERIFY_PARAM_get_hostflags(param)) != defaultflags) {
- fprintf(stderr, "FAIL: SSL_CTX default hostflags, "
- "want: %x, got: %x\n", defaultflags, flags);
- goto failure;
- }
-
- X509_VERIFY_PARAM_set_hostflags(param, newflags);
-
- if ((flags = X509_VERIFY_PARAM_get_hostflags(param)) != newflags) {
- fprintf(stderr, "FAIL: SSL_CTX new hostflags, "
- "want: %x, got: %x\n", newflags, flags);
- goto failure;
- }
-
- if ((ssl = SSL_new(ssl_ctx)) == NULL)
- errx(1, "SSL_new");
-
- if ((param =
SSL_get0_param(ssl)) == NULL) {
- fprintf(stderr, "FAIL: no verify param on ssl\n");
- goto failure;
- }
-
- if ((flags = X509_VERIFY_PARAM_get_hostflags(param)) != newflags) {
- fprintf(stderr, "FAIL: SSL inherited hostflags, "
- "want: %x, got: %x\n", newflags, flags);
- goto failure;
- }
-
- SSL_set_hostflags(ssl, defaultflags);
-
- if ((flags = X509_VERIFY_PARAM_get_hostflags(param)) != defaultflags) {
- fprintf(stderr, "FAIL: SSL set hostflags, "
- "want: %x, got: %x\n", defaultflags, flags);
- goto failure;
- }
-
- failed = 0;
-
- failure:
- SSL_CTX_free(ssl_ctx);
- SSL_free(ssl);
-
- return failed;
-}
-
-int
-main(void)
-{
- int failed = 0;
-
- failed |= ssl_verify_param_flags_inherited();
-
- return failed;
-}
diff --git a/src/regress/lib/libssl/unit/ssl_versions.c b/src/regress/lib/libssl/unit/ssl_versions.c
deleted file mode 100644
index ebfe8d2c28..0000000000
--- a/src/regress/lib/libssl/unit/ssl_versions.c
+++ /dev/null
@@ -1,922 +0,0 @@
-/* $OpenBSD: ssl_versions.c,v 1.20 2023/07/02 17:21:33 beck Exp $ */
-/*
- * Copyright (c) 2016, 2017 Joel Sing
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include
-
-#include "ssl_local.h"
-
-struct version_range_test {
- const long options;
- const uint16_t minver;
- const uint16_t maxver;
- const uint16_t want_minver;
- const uint16_t want_maxver;
-};
-
-static struct version_range_test version_range_tests[] = {
- {
- .options = 0,
- .minver = TLS1_VERSION,
- .maxver = TLS1_3_VERSION,
- .want_minver = TLS1_2_VERSION,
- .want_maxver = TLS1_3_VERSION,
- },
- {
- .options = 0,
- .minver = TLS1_VERSION,
- .maxver = TLS1_2_VERSION,
- .want_minver = TLS1_2_VERSION,
- .want_maxver = TLS1_2_VERSION,
- },
- {
- .options = SSL_OP_NO_TLSv1,
- .minver = TLS1_VERSION,
- .maxver = TLS1_2_VERSION,
- .want_minver = TLS1_2_VERSION,
- .want_maxver = TLS1_2_VERSION,
- },
- {
- .options = SSL_OP_NO_TLSv1_3,
- .minver = TLS1_VERSION,
- .maxver = TLS1_3_VERSION,
- .want_minver = TLS1_2_VERSION,
- .want_maxver = TLS1_2_VERSION,
- },
- {
- .options = SSL_OP_NO_TLSv1_2,
- .minver = TLS1_VERSION,
- .maxver = TLS1_2_VERSION,
- .want_minver = 0,
- .want_maxver = 0,
- },
- {
- .options = SSL_OP_NO_TLSv1_1,
- .minver = TLS1_VERSION,
- .maxver = TLS1_2_VERSION,
- .want_minver =
TLS1_2_VERSION,
- .want_maxver = TLS1_2_VERSION,
- },
- {
- .options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1,
- .minver = TLS1_VERSION,
- .maxver = TLS1_2_VERSION,
- .want_minver = TLS1_2_VERSION,
- .want_maxver = TLS1_2_VERSION,
- },
- {
- .options = SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2,
- .minver = TLS1_VERSION,
- .maxver = TLS1_2_VERSION,
- .want_minver = 0,
- .want_maxver = 0,
- },
- {
- .options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2,
- .minver = TLS1_VERSION,
- .maxver = TLS1_2_VERSION,
- .want_minver = 0,
- .want_maxver = 0,
- },
- {
- .options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 |
- SSL_OP_NO_TLSv1_2,
- .minver = TLS1_VERSION,
- .maxver = TLS1_2_VERSION,
- .want_minver = 0,
- .want_maxver = 0,
- },
- {
- .options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 |
- SSL_OP_NO_TLSv1_2,
- .minver = TLS1_VERSION,
- .maxver = TLS1_3_VERSION,
- .want_minver = TLS1_3_VERSION,
- .want_maxver = TLS1_3_VERSION,
- },
- {
- .options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 |
- SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_3,
- .minver = TLS1_VERSION,
- .maxver = TLS1_3_VERSION,
- .want_minver = 0,
- .want_maxver = 0,
- },
- {
- .options = 0,
- .minver = TLS1_VERSION,
- .maxver = TLS1_2_VERSION,
- .want_minver = TLS1_2_VERSION,
- .want_maxver = TLS1_2_VERSION,
- },
- {
- .options = 0,
- .minver = TLS1_1_VERSION,
- .maxver = TLS1_2_VERSION,
- .want_minver = TLS1_2_VERSION,
- .want_maxver = TLS1_2_VERSION,
- },
- {
- .options = 0,
- .minver = TLS1_2_VERSION,
- .maxver = TLS1_2_VERSION,
- .want_minver = TLS1_2_VERSION,
- .want_maxver = TLS1_2_VERSION,
- },
- {
- .options = 0,
- .minver = TLS1_VERSION,
- .maxver = TLS1_3_VERSION,
- .want_minver = TLS1_2_VERSION,
- .want_maxver = TLS1_3_VERSION,
- },
- {
- .options = 0,
- .minver = TLS1_1_VERSION,
- .maxver = TLS1_3_VERSION,
- .want_minver = TLS1_2_VERSION,
- .want_maxver = TLS1_3_VERSION,
- },
- {
- .options = 0,
- .minver = TLS1_2_VERSION,
- .maxver = TLS1_3_VERSION,
- .want_minver = TLS1_2_VERSION,
- .want_maxver = TLS1_3_VERSION,
- },
- {
-
.options = 0,
- .minver = TLS1_3_VERSION,
- .maxver = TLS1_3_VERSION,
- .want_minver = TLS1_3_VERSION,
- .want_maxver = TLS1_3_VERSION,
- },
- {
- .options = 0,
- .minver = TLS1_VERSION,
- .maxver = TLS1_1_VERSION,
- .want_minver = 0,
- .want_maxver = 0,
- },
- {
- .options = 0,
- .minver = TLS1_VERSION,
- .maxver = TLS1_VERSION,
- .want_minver = 0,
- .want_maxver = 0,
- },
-};
-
-#define N_VERSION_RANGE_TESTS \
- (sizeof(version_range_tests) / sizeof(*version_range_tests))
-
-static int
-test_ssl_enabled_version_range(void)
-{
- struct version_range_test *vrt;
- uint16_t minver, maxver;
- SSL_CTX *ssl_ctx = NULL;
- SSL *ssl = NULL;
- int failed = 1;
- size_t i;
-
- fprintf(stderr, "INFO: starting enabled version range tests...\n");
-
- if ((ssl_ctx = SSL_CTX_new(TLS_method())) == NULL) {
- fprintf(stderr, "SSL_CTX_new() returned NULL\n");
- goto failure;
- }
- if ((ssl = SSL_new(ssl_ctx)) == NULL) {
- fprintf(stderr, "SSL_new() returned NULL\n");
- goto failure;
- }
-
- failed = 0;
-
- for (i = 0; i < N_VERSION_RANGE_TESTS; i++) {
- vrt = &version_range_tests[i];
-
- SSL_clear_options(ssl, SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 |
- SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_3);
- SSL_set_options(ssl, vrt->options);
-
- minver = maxver = 0xffff;
- ssl->min_tls_version = vrt->minver;
- ssl->max_tls_version = vrt->maxver;
-
- if (ssl_enabled_tls_version_range(ssl, &minver, &maxver) != 1) {
- if (vrt->want_minver != 0 || vrt->want_maxver != 0) {
- fprintf(stderr, "FAIL: test %zu - failed but "
- "wanted non-zero versions\n", i);
- failed++;
- }
- continue;
- }
- if (minver != vrt->want_minver) {
- fprintf(stderr, "FAIL: test %zu - got minver %x, "
- "want %x\n", i, minver, vrt->want_minver);
- failed++;
- }
- if (maxver != vrt->want_maxver) {
- fprintf(stderr, "FAIL: test %zu - got maxver %x, "
- "want %x\n", i, maxver, vrt->want_maxver);
- failed++;
- }
- }
-
- failure:
- SSL_CTX_free(ssl_ctx);
- SSL_free(ssl);
-
- return (failed);
-}
-
-struct shared_version_test {
- const
SSL_METHOD *(*ssl_method)(void);
- const long options;
- const uint16_t minver;
- const uint16_t maxver;
- const uint16_t peerver;
- const uint16_t want_maxver;
-};
-
-static struct shared_version_test shared_version_tests[] = {
- {
- .ssl_method = TLS_method,
- .options = 0,
- .minver = TLS1_VERSION,
- .maxver = TLS1_2_VERSION,
- .peerver = SSL2_VERSION,
- .want_maxver = 0,
- },
- {
- .ssl_method = TLS_method,
- .options = 0,
- .minver = TLS1_VERSION,
- .maxver = TLS1_2_VERSION,
- .peerver = SSL3_VERSION,
- .want_maxver = 0,
- },
- {
- .ssl_method = TLS_method,
- .options = 0,
- .minver = TLS1_VERSION,
- .maxver = TLS1_2_VERSION,
- .peerver = TLS1_VERSION,
- .want_maxver = 0,
- },
- {
- .ssl_method = TLS_method,
- .options = 0,
- .minver = TLS1_VERSION,
- .maxver = TLS1_2_VERSION,
- .peerver = TLS1_1_VERSION,
- .want_maxver = 0,
- },
- {
- .ssl_method = TLS_method,
- .options = 0,
- .minver = TLS1_VERSION,
- .maxver = TLS1_2_VERSION,
- .peerver = TLS1_2_VERSION,
- .want_maxver = TLS1_2_VERSION,
- },
- {
- .ssl_method = TLS_method,
- .options = 0,
- .minver = TLS1_VERSION,
- .maxver = TLS1_2_VERSION,
- .peerver = TLS1_3_VERSION,
- .want_maxver = TLS1_2_VERSION,
- },
- {
- .ssl_method = TLS_method,
- .options = 0,
- .minver = TLS1_VERSION,
- .maxver = TLS1_2_VERSION,
- .peerver = 0x7f12,
- .want_maxver = TLS1_2_VERSION,
- },
- {
- .ssl_method = TLS_method,
- .options = SSL_OP_NO_TLSv1_2,
- .minver = TLS1_VERSION,
- .maxver = TLS1_2_VERSION,
- .peerver = TLS1_2_VERSION,
- .want_maxver = 0,
- },
- {
- .ssl_method = TLS_method,
- .options = SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2,
- .minver = TLS1_VERSION,
- .maxver = TLS1_2_VERSION,
- .peerver = TLS1_2_VERSION,
- .want_maxver = 0,
- },
- {
- .ssl_method = TLS_method,
- .options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2,
- .minver = TLS1_VERSION,
- .maxver = TLS1_2_VERSION,
- .peerver = TLS1_2_VERSION,
- .want_maxver = 0,
- },
- {
- .ssl_method = TLS_method,
- .options = SSL_OP_NO_TLSv1,
- .minver =
TLS1_VERSION,
- .maxver = TLS1_2_VERSION,
- .peerver = TLS1_1_VERSION,
- .want_maxver = 0,
- },
- {
- .ssl_method = TLS_method,
- .options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1,
- .minver = TLS1_VERSION,
- .maxver = TLS1_2_VERSION,
- .peerver = TLS1_1_VERSION,
- .want_maxver = 0,
- },
- {
- .ssl_method = TLS_method,
- .options = SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2,
- .minver = TLS1_VERSION,
- .maxver = TLS1_2_VERSION,
- .peerver = TLS1_1_VERSION,
- .want_maxver = 0,
- },
- {
- .ssl_method = TLS_method,
- .options = SSL_OP_NO_TLSv1,
- .minver = TLS1_VERSION,
- .maxver = TLS1_2_VERSION,
- .peerver = TLS1_VERSION,
- .want_maxver = 0,
- },
- {
- .ssl_method = TLS_method,
- .options = 0,
- .minver = TLS1_VERSION,
- .maxver = TLS1_1_VERSION,
- .peerver = TLS1_2_VERSION,
- .want_maxver = 0,
- },
- {
- .ssl_method = TLS_method,
- .options = 0,
- .minver = TLS1_VERSION,
- .maxver = TLS1_VERSION,
- .peerver = TLS1_2_VERSION,
- .want_maxver = 0,
- },
- {
- .ssl_method = TLSv1_method,
- .options = 0,
- .minver = TLS1_VERSION,
- .maxver = TLS1_2_VERSION,
- .peerver = TLS1_VERSION,
- .want_maxver = 0,
- },
- {
- .ssl_method = TLSv1_method,
- .options = 0,
- .minver = TLS1_1_VERSION,
- .maxver = TLS1_2_VERSION,
- .peerver = TLS1_VERSION,
- .want_maxver = 0,
- },
- {
- .ssl_method = TLSv1_1_method,
- .options = 0,
- .minver = TLS1_VERSION,
- .maxver = TLS1_2_VERSION,
- .peerver = TLS1_1_VERSION,
- .want_maxver = 0,
- },
- {
- .ssl_method = DTLS_method,
- .options = 0,
- .minver = TLS1_1_VERSION,
- .maxver = TLS1_2_VERSION,
- .peerver = DTLS1_VERSION,
- .want_maxver = 0,
- },
- {
- .ssl_method = DTLS_method,
- .options = 0,
- .minver = TLS1_1_VERSION,
- .maxver = TLS1_2_VERSION,
- .peerver = DTLS1_2_VERSION,
- .want_maxver = DTLS1_2_VERSION,
- },
- {
- .ssl_method = DTLS_method,
- .options = 0,
- .minver = TLS1_1_VERSION,
- .maxver = TLS1_2_VERSION,
- .peerver = 0xfefc, /* DTLSv1.3, probably.
*/
- .want_maxver = DTLS1_2_VERSION,
- },
- {
- .ssl_method = DTLSv1_method,
- .options = 0,
- .minver = TLS1_1_VERSION,
- .maxver = TLS1_1_VERSION,
- .peerver = DTLS1_2_VERSION,
- .want_maxver = 0,
- },
- {
- .ssl_method = DTLSv1_2_method,
- .options = 0,
- .minver = TLS1_2_VERSION,
- .maxver = TLS1_2_VERSION,
- .peerver = DTLS1_2_VERSION,
- .want_maxver = DTLS1_2_VERSION,
- },
- {
- .ssl_method = DTLSv1_method,
- .options = 0,
- .minver = TLS1_1_VERSION,
- .maxver = TLS1_1_VERSION,
- .peerver = TLS1_2_VERSION,
- .want_maxver = 0,
- },
- {
- .ssl_method = DTLS_method,
- .options = SSL_OP_NO_DTLSv1,
- .minver = TLS1_1_VERSION,
- .maxver = TLS1_2_VERSION,
- .peerver = DTLS1_VERSION,
- .want_maxver = 0,
- },
- {
- .ssl_method = DTLS_method,
- .options = SSL_OP_NO_DTLSv1,
- .minver = TLS1_1_VERSION,
- .maxver = TLS1_2_VERSION,
- .peerver = DTLS1_2_VERSION,
- .want_maxver = DTLS1_2_VERSION,
- },
- {
- .ssl_method = DTLS_method,
- .options = SSL_OP_NO_DTLSv1_2,
- .minver = TLS1_1_VERSION,
- .maxver = TLS1_2_VERSION,
- .peerver = DTLS1_2_VERSION,
- .want_maxver = 0,
- },
-};
-
-#define N_SHARED_VERSION_TESTS \
- (sizeof(shared_version_tests) / sizeof(*shared_version_tests))
-
-static int
-test_ssl_max_shared_version(void)
-{
- struct shared_version_test *svt;
- SSL_CTX *ssl_ctx = NULL;
- SSL *ssl = NULL;
- uint16_t maxver;
- int failed = 0;
- size_t i;
-
- failed = 0;
-
- fprintf(stderr, "INFO: starting max shared version tests...\n");
-
- for (i = 0; i < N_SHARED_VERSION_TESTS; i++) {
- svt = &shared_version_tests[i];
-
- if ((ssl_ctx = SSL_CTX_new(svt->ssl_method())) == NULL) {
- fprintf(stderr, "SSL_CTX_new() returned NULL\n");
- failed++;
- goto err;
- }
- if ((ssl = SSL_new(ssl_ctx)) == NULL) {
- fprintf(stderr, "SSL_new() returned NULL\n");
- failed++;
- goto err;
- }
-
- SSL_clear_options(ssl, SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 |
- SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_3);
- SSL_set_options(ssl, svt->options);
-
- maxver = 0;
- ssl->min_tls_version = svt->minver;
-
ssl->max_tls_version = svt->maxver;
-
- if (!ssl_max_shared_version(ssl, svt->peerver, &maxver)) {
- if (svt->want_maxver != 0) {
- fprintf(stderr, "FAIL: test %zu - failed but "
- "wanted non-zero shared version (peer %x)\n",
- i, svt->peerver);
- failed++;
- }
- SSL_CTX_free(ssl_ctx);
- SSL_free(ssl);
- ssl_ctx = NULL;
- ssl = NULL;
- continue;
- }
- if (maxver != svt->want_maxver) {
- fprintf(stderr, "FAIL: test %zu - got shared "
- "version %x, want %x\n", i, maxver,
- svt->want_maxver);
- failed++;
- }
-
- SSL_CTX_free(ssl_ctx);
- SSL_free(ssl);
- ssl_ctx = NULL;
- ssl = NULL;
- }
-
- err:
- SSL_CTX_free(ssl_ctx);
- SSL_free(ssl);
-
- return (failed);
-}
-
-struct min_max_version_test {
- const SSL_METHOD *(*ssl_method)(void);
- const uint16_t minver;
- const uint16_t maxver;
- const uint16_t want_minver;
- const uint16_t want_maxver;
- const int want_min_fail;
- const int want_max_fail;
-};
-
-static struct min_max_version_test min_max_version_tests[] = {
- {
- .ssl_method = TLS_method,
- .minver = 0,
- .maxver = 0,
- .want_minver = 0,
- .want_maxver = 0,
- },
- {
- .ssl_method = TLS_method,
- .minver = TLS1_VERSION,
- .maxver = 0,
- .want_minver = TLS1_VERSION,
- .want_maxver = 0,
- },
- {
- .ssl_method = TLS_method,
- .minver = 0,
- .maxver = TLS1_2_VERSION,
- .want_minver = 0,
- .want_maxver = TLS1_2_VERSION,
- },
- {
- .ssl_method = TLS_method,
- .minver = 0,
- .maxver = TLS1_3_VERSION,
- .want_minver = 0,
- .want_maxver = TLS1_3_VERSION,
- },
- {
- .ssl_method = TLS_method,
- .minver = TLS1_VERSION,
- .maxver = TLS1_2_VERSION,
- .want_minver = TLS1_VERSION,
- .want_maxver = TLS1_2_VERSION,
- },
- {
- .ssl_method = TLS_method,
- .minver = TLS1_1_VERSION,
- .maxver = 0,
- .want_minver = TLS1_1_VERSION,
- .want_maxver = 0,
- },
- {
- .ssl_method = TLS_method,
- .minver = TLS1_2_VERSION,
- .maxver = 0,
- .want_minver = TLS1_2_VERSION,
- .want_maxver = 0,
- },
- {
- .ssl_method = TLS_method,
- .minver = 0x0300,
- .maxver = 0,
- .want_minver = TLS1_VERSION,
-
.want_maxver = 0,
- },
- {
- .ssl_method = TLS_method,
- .minver = 0x0305,
- .maxver = 0,
- .want_min_fail = 1,
- },
- {
- .ssl_method = TLS_method,
- .minver = 0,
- .maxver = 0x0305,
- .want_minver = 0,
- .want_maxver = TLS1_3_VERSION,
- },
- {
- .ssl_method = TLS_method,
- .minver = 0,
- .maxver = TLS1_1_VERSION,
- .want_minver = 0,
- .want_maxver = TLS1_1_VERSION,
- },
- {
- .ssl_method = TLS_method,
- .minver = 0,
- .maxver = TLS1_VERSION,
- .want_minver = 0,
- .want_maxver = TLS1_VERSION,
- },
- {
- .ssl_method = TLS_method,
- .minver = 0,
- .maxver = 0x0300,
- .want_max_fail = 1,
- },
- {
- .ssl_method = TLS_method,
- .minver = TLS1_2_VERSION,
- .maxver = TLS1_1_VERSION,
- .want_minver = TLS1_2_VERSION,
- .want_maxver = 0,
- .want_max_fail = 1,
- },
- {
- .ssl_method = TLSv1_1_method,
- .minver = 0,
- .maxver = 0,
- .want_minver = 0,
- .want_maxver = 0,
- },
- {
- .ssl_method = TLSv1_1_method,
- .minver = TLS1_VERSION,
- .maxver = TLS1_2_VERSION,
- .want_minver = TLS1_1_VERSION,
- .want_maxver = TLS1_1_VERSION,
- },
- {
- .ssl_method = TLSv1_1_method,
- .minver = TLS1_2_VERSION,
- .maxver = 0,
- .want_minver = 0,
- .want_maxver = 0,
- .want_min_fail = 1,
- },
- {
- .ssl_method = TLSv1_1_method,
- .minver = 0,
- .maxver = TLS1_VERSION,
- .want_minver = 0,
- .want_maxver = 0,
- .want_max_fail = 1,
- },
- {
- .ssl_method = DTLS_method,
- .minver = 0,
- .maxver = 0,
- .want_minver = 0,
- .want_maxver = 0,
- },
- {
- .ssl_method = DTLS_method,
- .minver = 0,
- .maxver = DTLS1_VERSION,
- .want_minver = 0,
- .want_maxver = DTLS1_VERSION,
- },
- {
- .ssl_method = DTLS_method,
- .minver = DTLS1_VERSION,
- .maxver = 0,
- .want_minver = DTLS1_VERSION,
- .want_maxver = 0,
- },
- {
- .ssl_method = DTLS_method,
- .minver = DTLS1_VERSION,
- .maxver = DTLS1_2_VERSION,
- .want_minver = DTLS1_VERSION,
- .want_maxver = DTLS1_2_VERSION,
- },
- {
- .ssl_method = DTLSv1_method,
- .minver = 0,
- .maxver = 0,
- .want_minver = 0,
- .want_maxver = 0,
- },
- {
- .ssl_method =
DTLSv1_method,
- .minver = DTLS1_VERSION,
- .maxver = 0,
- .want_minver = DTLS1_VERSION,
- .want_maxver = 0,
- },
- {
- .ssl_method = DTLSv1_method,
- .minver = 0,
- .maxver = DTLS1_VERSION,
- .want_minver = 0,
- .want_maxver = DTLS1_VERSION,
- },
- {
- .ssl_method = DTLSv1_method,
- .minver = 0,
- .maxver = DTLS1_2_VERSION,
- .want_minver = 0,
- .want_maxver = DTLS1_VERSION,
- },
- {
- .ssl_method = DTLSv1_method,
- .minver = TLS1_VERSION,
- .maxver = TLS1_2_VERSION,
- .want_minver = 0,
- .want_maxver = 0,
- .want_min_fail = 1,
- .want_max_fail = 1,
- },
-};
-
-#define N_MIN_MAX_VERSION_TESTS \
- (sizeof(min_max_version_tests) / sizeof(*min_max_version_tests))
-
-static int
-test_ssl_min_max_version(void)
-{
- struct min_max_version_test *mmvt;
- SSL_CTX *ssl_ctx = NULL;
- SSL *ssl = NULL;
- int failed = 0;
- size_t i;
-
- failed = 0;
-
- fprintf(stderr, "INFO: starting min max version tests...\n");
-
- for (i = 0; i < N_MIN_MAX_VERSION_TESTS; i++) {
- mmvt = &min_max_version_tests[i];
-
- if ((ssl_ctx = SSL_CTX_new(mmvt->ssl_method())) == NULL) {
- fprintf(stderr, "SSL_CTX_new() returned NULL\n");
- return 1;
- }
-
- if (!SSL_CTX_set_min_proto_version(ssl_ctx, mmvt->minver)) {
- if (!mmvt->want_min_fail) {
- fprintf(stderr, "FAIL: test %zu - failed to set "
- "SSL_CTX min version\n", i);
- failed++;
- }
- goto next;
- }
- if (!SSL_CTX_set_max_proto_version(ssl_ctx, mmvt->maxver)) {
- if (!mmvt->want_max_fail) {
- fprintf(stderr, "FAIL: test %zu - failed to set "
- "SSL_CTX min version\n", i);
- failed++;
- }
- goto next;
- }
-
- if (mmvt->want_min_fail) {
- fprintf(stderr, "FAIL: test %zu - successfully set "
- "SSL_CTX min version, should have failed\n", i);
- failed++;
- goto next;
- }
- if (mmvt->want_max_fail) {
- fprintf(stderr, "FAIL: test %zu - successfully set "
- "SSL_CTX max version, should have failed\n", i);
- failed++;
- goto next;
- }
-
- if (SSL_CTX_get_min_proto_version(ssl_ctx) != mmvt->want_minver) {
- fprintf(stderr, "FAIL: test %zu - got
SSL_CTX min "
- "version 0x%x, want 0x%x\n", i,
- SSL_CTX_get_min_proto_version(ssl_ctx), mmvt->want_minver);
- failed++;
- goto next;
- }
- if (SSL_CTX_get_max_proto_version(ssl_ctx) != mmvt->want_maxver) {
- fprintf(stderr, "FAIL: test %zu - got SSL_CTX max "
- "version 0x%x, want 0x%x\n", i,
- SSL_CTX_get_max_proto_version(ssl_ctx), mmvt->want_maxver);
- failed++;
- goto next;
- }
-
- if ((ssl = SSL_new(ssl_ctx)) == NULL) {
- fprintf(stderr, "SSL_new() returned NULL\n");
- return 1;
- }
-
- if (SSL_get_min_proto_version(ssl) != mmvt->want_minver) {
- fprintf(stderr, "FAIL: test %zu - initial SSL min "
- "version 0x%x, want 0x%x\n", i,
- SSL_get_min_proto_version(ssl), mmvt->want_minver);
- failed++;
- goto next;
- }
- if (SSL_get_max_proto_version(ssl) != mmvt->want_maxver) {
- fprintf(stderr, "FAIL: test %zu - initial SSL max "
- "version 0x%x, want 0x%x\n", i,
- SSL_get_max_proto_version(ssl), mmvt->want_maxver);
- failed++;
- goto next;
- }
-
- if (!SSL_set_min_proto_version(ssl, mmvt->minver)) {
- if (mmvt->want_min_fail) {
- fprintf(stderr, "FAIL: test %zu - failed to set "
- "SSL min version\n", i);
- failed++;
- }
- goto next;
- }
- if (!SSL_set_max_proto_version(ssl, mmvt->maxver)) {
- if (mmvt->want_max_fail) {
- fprintf(stderr, "FAIL: test %zu - failed to set "
- "SSL min version\n", i);
- failed++;
- }
- goto next;
- }
-
- if (mmvt->want_min_fail) {
- fprintf(stderr, "FAIL: test %zu - successfully set SSL "
- "min version, should have failed\n", i);
- failed++;
- goto next;
- }
- if (mmvt->want_max_fail) {
- fprintf(stderr, "FAIL: test %zu - successfully set SSL "
- "max version, should have failed\n", i);
- failed++;
- goto next;
- }
-
- if (SSL_get_min_proto_version(ssl) != mmvt->want_minver) {
- fprintf(stderr, "FAIL: test %zu - got SSL min "
- "version 0x%x, want 0x%x\n", i,
- SSL_get_min_proto_version(ssl), mmvt->want_minver);
- failed++;
- goto next;
- }
- if (SSL_get_max_proto_version(ssl) != mmvt->want_maxver) {
- fprintf(stderr, "FAIL: test
%zu - got SSL max "
- "version 0x%x, want 0x%x\n", i,
- SSL_get_max_proto_version(ssl), mmvt->want_maxver);
- failed++;
- goto next;
- }
-
- next:
- SSL_CTX_free(ssl_ctx);
- SSL_free(ssl);
-
- ssl_ctx = NULL;
- ssl = NULL;
- }
-
- return (failed);
-}
-
-int
-main(int argc, char **argv)
-{
- int failed = 0;
-
- SSL_library_init();
-
- /* XXX - Test ssl_supported_version_range() */
-
- failed |= test_ssl_enabled_version_range();
- failed |= test_ssl_max_shared_version();
- failed |= test_ssl_min_max_version();
-
- if (failed == 0)
- printf("PASS %s\n", __FILE__);
-
- return (failed);
-}
diff --git a/src/regress/lib/libssl/unit/tests.h b/src/regress/lib/libssl/unit/tests.h
deleted file mode 100644
index 287816946a..0000000000
--- a/src/regress/lib/libssl/unit/tests.h
+++ /dev/null
@@ -1,44 +0,0 @@
-/* $OpenBSD: tests.h,v 1.1 2015/06/27 23:35:52 doug Exp $ */
-/*
- * Copyright (c) 2015 Doug Hogan
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef LIBRESSL_REGRESS_TESTS_H__
-#define LIBRESSL_REGRESS_TESTS_H__ 1
-
-/* Ugly macros that are useful for regression tests. */
-
-#define SKIP(a) do { \
- printf("Skipping test in %s [%s:%d]\n", __func__, __FILE__, \
- __LINE__); \
-} while (0)
-
-#define CHECK(a) do { \
- if (!(a)) { \
- printf("Error in %s [%s:%d]\n", __func__, __FILE__, \
- __LINE__); \
- return 0; \
- } \
-} while (0)
-
-#define CHECK_GOTO(a) do { \
- if (!(a)) { \
- printf("Error in %s [%s:%d]\n", __func__, __FILE__, \
- __LINE__); \
- goto err; \
- } \
-} while (0)
-
-#endif /* LIBRESSL_REGRESS_TESTS_H__ */
diff --git a/src/regress/lib/libssl/unit/tls_ext_alpn.c b/src/regress/lib/libssl/unit/tls_ext_alpn.c
deleted file mode 100644
index d00f3efb5f..0000000000
--- a/src/regress/lib/libssl/unit/tls_ext_alpn.c
+++ /dev/null
@@ -1,442 +0,0 @@
-/* $OpenBSD: tls_ext_alpn.c,v 1.9 2022/11/26 16:08:57 tb Exp $ */
-/*
- * Copyright (c) 2015 Doug Hogan
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * Test TLS extension Application-Layer Protocol Negotiation (RFC 7301).
- */
-#include
-#include
-
-#include "ssl_local.h"
-#include "ssl_tlsext.h"
-
-#include "tests.h"
-
-/*
- * In the ProtocolNameList, ProtocolNames must not include empty strings and
- * byte strings must not be truncated.
- *
- * This uses some of the IANA approved protocol names from:
- * http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml
- */
-
-/* Valid for client and server since it only has one name. */
-static uint8_t proto_single[] = {
- /* Extension extensions<0..2^16-1> -- All TLS extensions */
- 0x00, 0x0f, /* len */
- /* ExtensionType extension_type */
- 0x00, 0x10, /* ALPN */
- /* opaque extension_data<0..2^16-1> */
- 0x00, 0x0b, /* len */
- /* ProtocolName protocol_name_list<2..2^16-1> -- ALPN names */
- 0x00, 0x09, /* len of all names */
- /* opaque ProtocolName<1..2^8-1> -- 'http/1.1' */
- 0x08, /* len */
- 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31
-};
-
-/* Valid for client, but NOT server. Server must have exactly one name. */
-static uint8_t proto_multiple1[] = {
- /* Extension extensions<0..2^16-1> -- All TLS extensions */
- 0x00, 0x19, /* len */
- /* ExtensionType extension_type */
- 0x00, 0x10, /* ALPN */
- /* opaque extension_data<0..2^16-1> */
- 0x00, 0x15, /* len */
- /* ProtocolName protocol_name_list<2..2^16-1> -- ALPN names */
- 0x00, 0x13, /* len of all names */
- /* opaque ProtocolName<1..2^8-1> -- 'http/1.1' */
- 0x08, /* len */
- 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31,
- /* opaque ProtocolName<1..2^8-1> -- 'stun.nat' */
- 0x09, /* len */
- 0x73, 0x74, 0x75, 0x6e, 0x2e, 0x74, 0x75, 0x72, 0x6e
-};
-
-/* Valid for client, but NOT server. Server must have exactly one name. */
-static uint8_t proto_multiple2[] = {
- /* Extension extensions<0..2^16-1> -- All TLS extensions */
- 0x00, 0x1c, /* len */
- /* ExtensionType extension_type */
- 0x00, 0x10, /* ALPN */
- /* opaque extension_data<0..2^16-1> */
- 0x00, 0x18, /* len */
- /* ProtocolName protocol_name_list<2..2^16-1> -- ALPN names */
- 0x00, 0x16, /* len of all names */
- /* opaque ProtocolName<1..2^8-1> -- 'http/1.1' */
- 0x08, /* len */
- 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31,
- /* opaque ProtocolName<1..2^8-1> -- 'h2' */
- 0x02, /* len */
- 0x68, 0x32,
- /* opaque ProtocolName<1..2^8-1> -- 'stun.nat' */
- 0x09, /* len */
- 0x73, 0x74, 0x75, 0x6e, 0x2e, 0x74, 0x75, 0x72, 0x6e
-};
-
-/* Valid for client, but NOT server. Server must have exactly one name. */
-static uint8_t proto_multiple3[] = {
- /* Extension extensions<0..2^16-1> -- All TLS extensions */
- 0x00, 0x20, /* len */
- /* ExtensionType extension_type */
- 0x00, 0x10, /* ALPN */
- /* opaque extension_data<0..2^16-1> */
- 0x00, 0x1c, /* len */
- /* ProtocolName protocol_name_list<2..2^16-1> -- ALPN names */
- 0x00, 0x1a, /* len of all names */
- /* opaque ProtocolName<1..2^8-1> -- 'http/1.1' */
- 0x08, /* len */
- 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31,
- /* opaque ProtocolName<1..2^8-1> -- 'h2' */
- 0x02, /* len */
- 0x68, 0x32,
- /* opaque ProtocolName<1..2^8-1> -- 'stun.nat' */
- 0x09, /* len */
- 0x73, 0x74, 0x75, 0x6e, 0x2e, 0x74, 0x75, 0x72, 0x6e,
- /* opaque ProtocolName<1..2^8-1> -- 'h2c' */
- 0x03, /* len */
- 0x68, 0x32, 0x63
-};
-
-static uint8_t proto_empty[] = {
- /* Extension extensions<0..2^16-1> -- All TLS extensions. */
- 0x00, 0x00, /* none present. */
-};
-
-/* Invalid for both client and server. Length is wrong. */
-static uint8_t proto_invalid_len1[] = {
- /* Extension extensions<0..2^16-1> -- All TLS extensions */
- 0x00, 0x0a, /* len */
- /* ExtensionType extension_type */
- 0x00, 0x10, /* ALPN */
- /* opaque extension_data<0..2^16-1> */
- 0x00, 0x06, /* len */
- /* ProtocolName protocol_name_list<2..2^16-1> -- ALPN names */
- 0x00, 0x04, /* len of all names */
- /* opaque ProtocolName<1..2^8-1> -- 'h2c' */
- 0x04, /* XXX len too large */
- 0x68, 0x32, 0x63
-};
-static uint8_t proto_invalid_len2[] = {
- /* Extension extensions<0..2^16-1> -- All TLS extensions */
- 0x00, 0x0a, /* len */
- /* ExtensionType extension_type */
- 0x00, 0x10, /* ALPN */
- /* opaque extension_data<0..2^16-1> */
- 0x00, 0x06, /* len */
- /* ProtocolName protocol_name_list<2..2^16-1> -- ALPN names */
- 0x00, 0x04, /* len of all names */
- /* opaque ProtocolName<1..2^8-1> -- 'h2c' */
- 0x02, /* XXX len too small */
- 0x68, 0x32, 0x63
-};
-static uint8_t proto_invalid_len3[] = {
- /* Extension extensions<0..2^16-1> -- All TLS extensions */
- 0x00, 0x0a, /* len */
- /* ExtensionType extension_type */
- 0x00, 0x10, /* ALPN */
- /* opaque extension_data<0..2^16-1> */
- 0x00, 0x06, /* len */
- /* ProtocolName protocol_name_list<2..2^16-1> -- ALPN names */
- 0x00, 0x03, /* XXX len too small */
- /* opaque ProtocolName<1..2^8-1> -- 'h2c' */
- 0x03, /* len */
- 0x68, 0x32, 0x63
-};
-static uint8_t proto_invalid_len4[] = {
- /* Extension extensions<0..2^16-1> -- All TLS extensions */
- 0x00, 0x0a, /* len */
- /* ExtensionType extension_type */
- 0x00, 0x10, /* ALPN */
- /* opaque extension_data<0..2^16-1> */
- 0x00, 0x06, /* len */
- /* ProtocolName protocol_name_list<2..2^16-1> -- ALPN names */
- 0x00, 0x06, /* XXX len too large */
- /* opaque ProtocolName<1..2^8-1> -- 'h2c' */
- 0x03, /* len */
- 0x68, 0x32, 0x63
-};
-static uint8_t proto_invalid_len5[] = {
- /* Extension extensions<0..2^16-1> -- All TLS extensions */
- 0x00, 0x0a, /* len */
- /* ExtensionType extension_type */
- 0x00, 0x10, /* ALPN */
- /* opaque extension_data<0..2^16-1> */
- 0x01, 0x08, /* XXX len too large */
- /* ProtocolName protocol_name_list<2..2^16-1> -- ALPN names */
- 0x00, 0x04, /* len */
- /* opaque ProtocolName<1..2^8-1> -- 'h2c' */
- 0x03, /* len */
- 0x68, 0x32, 0x63
-};
-static uint8_t proto_invalid_len6[] = {
- /* Extension extensions<0..2^16-1> -- All TLS extensions */
- 0x00, 0x0a, /* len */
- /* ExtensionType extension_type */
- 0x00, 0x10, /* ALPN */
- /* opaque extension_data<0..2^16-1> */
- 0x00, 0x05, /* XXX len too small */
- /* ProtocolName protocol_name_list<2..2^16-1> -- ALPN names */
- 0x00, 0x04, /* len */
- /* opaque ProtocolName<1..2^8-1> -- 'h2c' */
- 0x03, /* len */
- 0x68, 0x32, 0x63
-};
-static uint8_t proto_invalid_len7[] = {
- /* Extension extensions<0..2^16-1> -- All TLS extensions */
- 0x00, 0x06, /* XXX len too small */
- /* ExtensionType extension_type */
- 0x00, 0x10, /* ALPN */
- /* opaque extension_data<0..2^16-1> */
- 0x00, 0x06, /* len */
- /* ProtocolName protocol_name_list<2..2^16-1> -- ALPN names */
- 0x00, 0x04, /* len */
- /* opaque ProtocolName<1..2^8-1> -- 'h2c' */
- 0x03, /* len */
- 0x68, 0x32, 0x63
-};
-static uint8_t proto_invalid_len8[] = {
- /* Extension extensions<0..2^16-1> -- All TLS extensions */
- 0x00, 0x0b, /* XXX len too large */
- /* ExtensionType extension_type */
- 0x00, 0x10, /* ALPN */
- /* opaque extension_data<0..2^16-1> */
- 0x00, 0x06, /* len */
- /* ProtocolName protocol_name_list<2..2^16-1> -- ALPN names */
- 0x00, 0x04, /* len */
- /* opaque ProtocolName<1..2^8-1> -- 'h2c' */
- 0x03, /* len */
- 0x68, 0x32, 0x63
-};
-
-/* Invalid for client and server since it is missing data. */
-static uint8_t proto_invalid_missing1[] = {
- /* Extension extensions<0..2^16-1> -- All TLS extensions */
- 0x00, 0x0a, /* len */
- /* ExtensionType extension_type */
- 0x00, 0x10, /* ALPN */
- /* opaque extension_data<0..2^16-1> */
- 0x00, 0x06, /* len */
- /* ProtocolName protocol_name_list<2..2^16-1> -- ALPN names */
- 0x00, 0x04, /* len of all names */
- /* opaque ProtocolName<1..2^8-1> -- 'h2c' */
- /* XXX missing */
-};
-static uint8_t proto_invalid_missing2[] = {
- /* Extension extensions<0..2^16-1> -- All TLS extensions */
- 0x00, 0x0a, /* len */
- /* ExtensionType extension_type */
- 0x00, 0x10, /* ALPN */
- /* opaque extension_data<0..2^16-1> */
- 0x00, 0x00, /* XXX missing name list */
- /* ProtocolName protocol_name_list<2..2^16-1> -- ALPN names */
-};
-static uint8_t proto_invalid_missing3[] = {
- /* Extension extensions<0..2^16-1> -- All TLS extensions */
- 0x00, 0x0a, /* len */
- /* ExtensionType extension_type */
- 0x00, 0x10, /* ALPN */
- /* opaque extension_data<0..2^16-1> */
- 0x00, 0x02, /* XXX size is sufficient but missing data for name list */
- /* ProtocolName protocol_name_list<2..2^16-1> -- ALPN names */
-};
-static uint8_t proto_invalid_missing4[] = {
- /* Extension extensions<0..2^16-1> -- All TLS extensions */
- 0x00, 0x0a, /* len */
- /* ExtensionType extension_type */
- 0x00, 0x10, /* ALPN */
- /* opaque extension_data<0..2^16-1> */
- /* XXX missing */
-};
-static uint8_t proto_invalid_missing5[] = {
- /* Extension extensions<0..2^16-1> -- All TLS extensions */
- 0x00, 0x1c, /* len */
- /* ExtensionType extension_type */
- 0x00, 0x10, /* ALPN */
- /* opaque extension_data<0..2^16-1> */
- 0x00, 0x18, /* len */
- /* ProtocolName protocol_name_list<2..2^16-1> -- ALPN names */
- 0x00, 0x16, /* len of all names */
- /* opaque ProtocolName<1..2^8-1> -- 'http/1.1' */
- 0x08, /* len */
- 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31,
- /* opaque ProtocolName<1..2^8-1> -- 'h2' */
- 0x02, /* len */
- 0x68, 0x32,
- /* XXX missing name */
-};
-static uint8_t proto_invalid_missing6[] = {
- /* Extension extensions<0..2^16-1> -- All TLS extensions */
- 0x00, 0x07, /* len */
- /* ExtensionType extension_type */
- 0x00, 0x10, /* ALPN */
- /* opaque extension_data<0..2^16-1> */
- 0x00, 0x03, /* len */
- /* ProtocolName protocol_name_list<2..2^16-1> -- ALPN names */
- 0x00, 0x01, /* XXX len must be at least 2 */
- /* opaque ProtocolName<1..2^8-1> -- 'http/1.1' */
- 0x00, /* XXX len cannot be 0 */
-};
-static uint8_t proto_invalid_missing7[] = {
- /* Extension extensions<0..2^16-1> -- All TLS extensions */
- 0x00, 0x07, /* len */
- /* ExtensionType extension_type */
- 0x00, 0x10, /* ALPN */
- /* opaque extension_data<0..2^16-1> */
- 0x00, 0x03, /* len */
- /* ProtocolName protocol_name_list<2..2^16-1> -- ALPN names */
- 0x00, 0x02, /* XXX len is at least 2 but not correct. */
- /* opaque ProtocolName<1..2^8-1> -- 'http/1.1' */
- 0x00, /* XXX len cannot be 0 */
-};
-static uint8_t proto_invalid_missing8[] = {
- /* Extension extensions<0..2^16-1> -- All TLS extensions */
- 0x00, 0x01, /* len */
- /* ExtensionType extension_type */
- 0x00, /* XXX need a 2 byte type */
-};
-static uint8_t proto_invalid_missing9[] = {
- /* Extension extensions<0..2^16-1> -- All TLS extensions */
- 0x0a, /* XXX need a 2 byte len */
-};
-
-
-#define CHECK_BOTH(c_val, s_val, proto) do { \
- { \
- CBS cbs; \
- int al; \
- \
- CBS_init(&cbs, proto, sizeof(proto)); \
- CHECK(c_val == tlsext_server_parse(s, SSL_TLSEXT_MSG_CH, &cbs, &al)); \
- CBS_init(&cbs, proto, sizeof(proto)); \
- CHECK(s_val == tlsext_client_parse(s, SSL_TLSEXT_MSG_SH, &cbs, &al)); \
- } \
-} while (0)
-
-static int dummy_alpn_cb(SSL *ssl, const unsigned char **out,
- unsigned char *outlen, const unsigned char *in, unsigned int inlen,
- void *arg);
-
-static int
-check_valid_alpn(SSL *s)
-{
- const uint8_t str[] = {
- 0x08, /* len */
- 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31 /* http/1.1 */
- };
-
- /* Setup in order to test ALPN. */
- CHECK(! SSL_set_alpn_protos(s, str, 9));
- SSL_CTX_set_alpn_select_cb(s->ctx, dummy_alpn_cb, NULL);
-
- /* Prerequisites to test these. */
- CHECK(s->alpn_client_proto_list != NULL);
- CHECK(s->ctx->alpn_select_cb != NULL);
- //CHECK(s->s3->tmp.finish_md_len == 0);
-
- CHECK_BOTH(1, 1, proto_single);
- CHECK_BOTH(1, 1, proto_empty);
-
- /* Multiple protocol names are only valid for client */
- CHECK_BOTH(1, 0, proto_multiple1);
- CHECK_BOTH(1, 0, proto_multiple2);
- CHECK_BOTH(1, 0, proto_multiple3);
-
- return 1;
-}
-
-/*
- * Some of the IANA approved IDs from:
- * http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml
- */
-static int
-check_invalid_alpn(SSL *s)
-{
- const uint8_t str[] = {
- 0x08, /* len */
- 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31 /* http/1.1 */
- };
-
- /* Setup in order to test ALPN. */
- CHECK(! SSL_set_alpn_protos(s, str, 9));
- SSL_CTX_set_alpn_select_cb(s->ctx, dummy_alpn_cb, NULL);
-
- /* Prerequisites to test these. */
- CHECK(s->alpn_client_proto_list != NULL);
- CHECK(s->ctx->alpn_select_cb != NULL);
- //CHECK(s->s3->tmp.finish_md_len == 0);
-
- /* None of these are valid for client or server */
- CHECK_BOTH(0, 0, proto_invalid_len1);
- CHECK_BOTH(0, 0, proto_invalid_len2);
- CHECK_BOTH(0, 0, proto_invalid_len3);
- CHECK_BOTH(0, 0, proto_invalid_len4);
- CHECK_BOTH(0, 0, proto_invalid_len5);
- CHECK_BOTH(0, 0, proto_invalid_len6);
- CHECK_BOTH(0, 0, proto_invalid_len7);
- CHECK_BOTH(0, 0, proto_invalid_len8);
- CHECK_BOTH(0, 0, proto_invalid_missing1);
- CHECK_BOTH(0, 0, proto_invalid_missing2);
- CHECK_BOTH(0, 0, proto_invalid_missing3);
- CHECK_BOTH(0, 0, proto_invalid_missing4);
- CHECK_BOTH(0, 0, proto_invalid_missing5);
- CHECK_BOTH(0, 0, proto_invalid_missing6);
- CHECK_BOTH(0, 0, proto_invalid_missing7);
- CHECK_BOTH(0, 0, proto_invalid_missing8);
- CHECK_BOTH(0, 0, proto_invalid_missing9);
-
- return 1;
-}
-
-int
-dummy_alpn_cb(SSL *ssl __attribute__((unused)), const unsigned char **out,
- unsigned char *outlen, const unsigned char *in, unsigned int inlen,
- void *arg __attribute__((unused)))
-{
- *out = in;
- *outlen = (unsigned char)inlen;
-
- return 0;
-}
-
-int
-main(void)
-{
- SSL_CTX *ctx = NULL;
- SSL *s = NULL;
- int rv = 1;
-
- SSL_library_init();
-
- CHECK_GOTO((ctx = SSL_CTX_new(TLSv1_2_client_method())) != NULL);
- CHECK_GOTO((s = SSL_new(ctx)) != NULL);
-
- if (!check_valid_alpn(s))
- goto err;
- if (!check_invalid_alpn(s))
- goto err;
-
- rv = 0;
-
-err:
- SSL_CTX_free(ctx);
- SSL_free(s);
-
- if (!rv)
- printf("PASS %s\n", __FILE__);
- return rv;
-}
diff --git a/src/regress/lib/libssl/unit/tls_prf.c b/src/regress/lib/libssl/unit/tls_prf.c
deleted file mode 100644
index 8cb17cb057..0000000000
--- a/src/regress/lib/libssl/unit/tls_prf.c
+++ /dev/null
@@ -1,182 +0,0 @@
-/* $OpenBSD: tls_prf.c,v 1.11 2024/07/16 14:38:59 jsing Exp $ */
-/*
- * Copyright (c) 2017 Joel Sing
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include
-
-#include "ssl_local.h"
-
-int tls1_PRF(SSL *s, const unsigned char *secret, size_t secret_len,
- const void *seed1, size_t seed1_len, const void *seed2, size_t seed2_len,
- const void *seed3, size_t seed3_len, const void *seed4, size_t seed4_len,
- const void *seed5, size_t seed5_len, unsigned char *out, size_t out_len);
-
-#define TLS_PRF_OUT_LEN 128
-
-struct tls_prf_test {
- const unsigned char *desc;
- const SSL_METHOD *(*ssl_method)(void);
- const uint16_t cipher_value;
- const unsigned char out[TLS_PRF_OUT_LEN];
-};
-
-static const struct tls_prf_test tls_prf_tests[] = {
- {
- .desc = "SHA256",
- .ssl_method = TLSv1_2_method,
- .cipher_value = 0x0033,
- .out = {
- 0x37, 0xa7, 0x06, 0x71, 0x6e, 0x19, 0x19, 0xda,
- 0x23, 0x8c, 0xcc, 0xb4, 0x2f, 0x31, 0x64, 0x9d,
- 0x05, 0x29, 0x1c, 0x33, 0x7e, 0x09, 0x1b, 0x0c,
- 0x0e, 0x23, 0xc1, 0xb0, 0x40, 0xcc, 0x31, 0xf7,
- 0x55, 0x66, 0x68, 0xd9, 0xa8, 0xae, 0x74, 0x75,
- 0xf3, 0x46, 0xe9, 0x3a, 0x54, 0x9d, 0xe0, 0x8b,
- 0x7e, 0x6c, 0x63, 0x1c, 0xfa, 0x2f, 0xfd, 0xc9,
- 0xd3, 0xf1, 0xd3, 0xfe, 0x7b, 0x9e, 0x14, 0x95,
- 0xb5, 0xd0, 0xad, 0x9b, 0xee, 0x78, 0x8c, 0x83,
- 0x18, 0x58, 0x7e, 0xa2, 0x23, 0xc1, 0x8b, 0x62,
- 0x94, 0x12, 0xcb, 0xb6, 0x60, 0x69, 0x32, 0xfe,
- 0x98, 0x0e, 0x93, 0xb0, 0x8e, 0x5c, 0xfb, 0x6e,
- 0xdb, 0x9a, 0xc2, 0x9f, 0x8c, 0x5c, 0x43, 0x19,
- 0xeb, 0x4a, 0x52, 0xad, 0x62, 0x2b, 0xdd, 0x9f,
- 0xa3, 0x74, 0xa6, 0x96, 0x61, 0x4d, 0x98, 0x40,
- 0x63, 0xa6, 0xd4, 0xbb, 0x17, 0x11, 0x75, 0xed,
- },
- },
- {
- .desc = "SHA384",
- .ssl_method = TLSv1_2_method,
- .cipher_value = 0x009d,
- .out = {
- 0x00, 0x93, 0xc3, 0xfd, 0xa7, 0xbb, 0xdc, 0x5b,
- 0x13, 0x3a, 0xe6, 0x8b, 0x1b, 0xac, 0xf3, 0xfb,
- 0x3c, 0x9a, 0x78, 0xf6, 0x19, 0xf0, 0x13, 0x0f,
- 0x0d, 0x01, 0x9d, 0xdf, 0x0a, 0x28, 0x38, 0xce,
- 0x1a, 0x9b, 0x43, 0xbe, 0x56, 0x12, 0xa7, 0x16,
- 0x58, 0xe1, 0x8a, 0xe4, 0xc5, 0xbb, 0x10, 0x4c,
- 0x3a, 0xf3, 0x7f, 0xd3, 0xdb, 0xe4, 0xe0, 0x3d,
- 0xcc, 0x83, 0xca, 0xf0, 0xf9, 0x69, 0xcc, 0x70,
- 0x83, 0x32, 0xf6, 0xfc, 0x81, 0x80, 0x02, 0xe8,
- 0x31, 0x1e, 0x7c, 0x3b, 0x34, 0xf7, 0x34, 0xd1,
- 0xcf, 0x2a, 0xc4, 0x36, 0x2f, 0xe9, 0xaa, 0x7f,
- 0x6d, 0x1f, 0x5e, 0x0e, 0x39, 0x05, 0x15, 0xe1,
- 0xa2, 0x9a, 0x4d, 0x97, 0x8c, 0x62, 0x46, 0xf1,
- 0x87, 0x65, 0xd8, 0xe9, 0x14, 0x11, 0xa6, 0x48,
- 0xd7, 0x0e, 0x6e, 0x70, 0xad, 0xfb, 0x3f, 0x36,
- 0x05, 0x76, 0x4b, 0xe4, 0x28, 0x50, 0x4a, 0xf2,
- },
- },
-};
-
-#define N_TLS_PRF_TESTS \
- (sizeof(tls_prf_tests) / sizeof(*tls_prf_tests))
-
-#define TLS_PRF_SEED1 "tls prf seed 1"
-#define TLS_PRF_SEED2 "tls prf seed 2"
-#define TLS_PRF_SEED3 "tls prf seed 3"
-#define TLS_PRF_SEED4 "tls prf seed 4"
-#define TLS_PRF_SEED5 "tls prf seed 5"
-#define TLS_PRF_SECRET "tls prf secretz"
-
-static void
-hexdump(const unsigned char *buf, size_t len)
-{
- size_t i;
-
- for (i = 1; i <= len; i++)
- fprintf(stderr, " 0x%02hhx,%s", buf[i - 1], i % 8 ? "" : "\n");
-
- fprintf(stderr, "\n");
-}
-
-static int
-do_tls_prf_test(int test_no, const struct tls_prf_test *tpt)
-{
- unsigned char *out = NULL;
- const SSL_CIPHER *cipher;
- SSL_CTX *ssl_ctx = NULL;
- SSL *ssl = NULL;
- int failure = 1;
- int len;
-
- fprintf(stderr, "Test %d - %s\n", test_no, tpt->desc);
-
- if ((out = malloc(TLS_PRF_OUT_LEN)) == NULL)
- errx(1, "failed to allocate out");
-
- if ((ssl_ctx = SSL_CTX_new(tpt->ssl_method())) == NULL)
- errx(1, "failed to create SSL context");
- if ((ssl = SSL_new(ssl_ctx)) == NULL)
- errx(1, "failed to create SSL context");
-
- if ((cipher = ssl3_get_cipher_by_value(tpt->cipher_value)) == NULL) {
- fprintf(stderr, "FAIL: no cipher %hx\n", tpt->cipher_value);
- goto failure;
- }
-
- ssl->s3->hs.cipher = cipher;
-
- for (len = 1; len <= TLS_PRF_OUT_LEN; len++) {
- memset(out, 'A', TLS_PRF_OUT_LEN);
-
- if (tls1_PRF(ssl, TLS_PRF_SECRET, sizeof(TLS_PRF_SECRET),
- TLS_PRF_SEED1, sizeof(TLS_PRF_SEED1), TLS_PRF_SEED2,
- sizeof(TLS_PRF_SEED2), TLS_PRF_SEED3, sizeof(TLS_PRF_SEED3),
- TLS_PRF_SEED4, sizeof(TLS_PRF_SEED4), TLS_PRF_SEED5,
- sizeof(TLS_PRF_SEED5), out, len) != 1) {
- fprintf(stderr, "FAIL: tls_PRF failed for len %d\n",
- len);
- goto failure;
- }
-
- if (memcmp(out, tpt->out, len) != 0) {
- fprintf(stderr, "FAIL: tls_PRF output differs for "
- "len %d\n", len);
- fprintf(stderr, "output:\n");
- hexdump(out, TLS_PRF_OUT_LEN);
- fprintf(stderr, "test data:\n");
- hexdump(tpt->out, TLS_PRF_OUT_LEN);
- fprintf(stderr, "\n");
- goto failure;
- }
- }
-
- failure = 0;
-
- failure:
- SSL_free(ssl);
- SSL_CTX_free(ssl_ctx);
-
- free(out);
-
- return failure;
-}
-
-int
-main(int argc, char **argv)
-{
- int failed = 0;
- size_t i;
-
- SSL_library_init();
- SSL_load_error_strings();
-
- for (i = 0; i < N_TLS_PRF_TESTS; i++)
- failed |= do_tls_prf_test(i, &tls_prf_tests[i]);
-
- return failed;
-}
-- cgit v1.2.3-55-g6feb