From eb8dd9dca1228af0cd132f515509051ecfabf6f6 Mon Sep 17 00:00:00 2001 
From: cvs2svn Date: Mon, 14 Apr 2025 17:32:06 +0000 Subject: This commit was manufactured by cvs2git to create tag 'tb_20250414'. --- src/regress/lib/libssl/Makefile | 36 - src/regress/lib/libssl/Makefile.inc | 4 - src/regress/lib/libssl/api/Makefile | 10 - src/regress/lib/libssl/api/apitest.c | 374 -- src/regress/lib/libssl/asn1/Makefile | 11 - src/regress/lib/libssl/asn1/asn1test.c | 478 -- src/regress/lib/libssl/buffer/Makefile | 10 - src/regress/lib/libssl/buffer/buffertest.c | 364 -- src/regress/lib/libssl/bytestring/Makefile | 10 - src/regress/lib/libssl/bytestring/bytestringtest.c | 968 ---- src/regress/lib/libssl/certs/ca-int-ecdsa.crl | 8 - src/regress/lib/libssl/certs/ca-int-ecdsa.pem | 13 - src/regress/lib/libssl/certs/ca-int-rsa.crl | 11 - src/regress/lib/libssl/certs/ca-int-rsa.pem | 22 - src/regress/lib/libssl/certs/ca-root-ecdsa.pem | 13 - src/regress/lib/libssl/certs/ca-root-rsa.pem | 22 - .../lib/libssl/certs/client1-ecdsa-chain.pem | 27 - src/regress/lib/libssl/certs/client1-ecdsa.pem | 19 - src/regress/lib/libssl/certs/client1-rsa-chain.pem | 44 - src/regress/lib/libssl/certs/client1-rsa.pem | 50 - .../lib/libssl/certs/client2-ecdsa-chain.pem | 26 - src/regress/lib/libssl/certs/client2-ecdsa.pem | 18 - src/regress/lib/libssl/certs/client2-rsa-chain.pem | 44 - src/regress/lib/libssl/certs/client2-rsa.pem | 50 - .../lib/libssl/certs/client3-ecdsa-chain.pem | 26 - src/regress/lib/libssl/certs/client3-ecdsa.pem | 18 - src/regress/lib/libssl/certs/client3-rsa-chain.pem | 44 - src/regress/lib/libssl/certs/client3-rsa.pem | 50 - src/regress/lib/libssl/certs/make-certs.sh | 263 -- .../lib/libssl/certs/server1-ecdsa-chain.pem | 26 - src/regress/lib/libssl/certs/server1-ecdsa.pem | 18 - src/regress/lib/libssl/certs/server1-rsa-chain.pem | 44 - src/regress/lib/libssl/certs/server1-rsa.pem | 50 - .../lib/libssl/certs/server2-ecdsa-chain.pem | 26 - src/regress/lib/libssl/certs/server2-ecdsa.pem | 18 - src/regress/lib/libssl/certs/server2-rsa-chain.pem | 44 - 
src/regress/lib/libssl/certs/server2-rsa.pem | 50 - .../lib/libssl/certs/server3-ecdsa-chain.pem | 26 - src/regress/lib/libssl/certs/server3-ecdsa.pem | 18 - src/regress/lib/libssl/certs/server3-rsa-chain.pem | 44 - src/regress/lib/libssl/certs/server3-rsa.pem | 50 - src/regress/lib/libssl/ciphers/Makefile | 9 - src/regress/lib/libssl/ciphers/cipherstest.c | 1209 ----- src/regress/lib/libssl/client/Makefile | 9 - src/regress/lib/libssl/client/clienttest.c | 744 ---- src/regress/lib/libssl/dtls/Makefile | 21 - src/regress/lib/libssl/dtls/dtlstest.c | 1077 ----- src/regress/lib/libssl/exporter/Makefile | 10 - src/regress/lib/libssl/exporter/exportertest.c | 667 --- src/regress/lib/libssl/handshake/Makefile | 34 - src/regress/lib/libssl/handshake/handshake_table.c | 550 --- .../libssl/handshake/valid_handshakes_terminate.c | 54 - src/regress/lib/libssl/interop/LICENSE | 15 - src/regress/lib/libssl/interop/Makefile | 19 - src/regress/lib/libssl/interop/Makefile.inc | 83 - src/regress/lib/libssl/interop/README | 18 - src/regress/lib/libssl/interop/botan/Makefile | 84 - src/regress/lib/libssl/interop/botan/client.cpp | 228 - src/regress/lib/libssl/interop/cert/Makefile | 98 - src/regress/lib/libssl/interop/cipher/Makefile | 159 - src/regress/lib/libssl/interop/client.c | 285 -- src/regress/lib/libssl/interop/libressl/Makefile | 34 - src/regress/lib/libssl/interop/netcat/Makefile | 84 - src/regress/lib/libssl/interop/openssl33/Makefile | 44 - src/regress/lib/libssl/interop/openssl34/Makefile | 44 - src/regress/lib/libssl/interop/server.c | 321 -- src/regress/lib/libssl/interop/session/Makefile | 43 - src/regress/lib/libssl/interop/util.c | 145 - src/regress/lib/libssl/interop/util.h | 23 - src/regress/lib/libssl/interop/version/Makefile | 110 - src/regress/lib/libssl/key_schedule/Makefile | 10 - src/regress/lib/libssl/key_schedule/key_schedule.c | 317 -- src/regress/lib/libssl/openssl-ruby/Makefile | 87 - src/regress/lib/libssl/pqueue/Makefile | 17 - 
src/regress/lib/libssl/pqueue/expected.txt | 3 - src/regress/lib/libssl/pqueue/pq_test.c | 118 - src/regress/lib/libssl/quic/Makefile | 19 - src/regress/lib/libssl/quic/quictest.c | 339 -- src/regress/lib/libssl/record/Makefile | 10 - src/regress/lib/libssl/record/recordtest.c | 555 --- src/regress/lib/libssl/record_layer/Makefile | 10 - .../lib/libssl/record_layer/record_layer_test.c | 306 -- src/regress/lib/libssl/renegotiation/Makefile | 18 - .../lib/libssl/renegotiation/renegotiation_test.c | 650 --- src/regress/lib/libssl/rust-openssl/Cargo.toml | 9 - src/regress/lib/libssl/rust-openssl/Makefile | 58 - src/regress/lib/libssl/rust-openssl/config.toml | 6 - src/regress/lib/libssl/server/Makefile | 18 - src/regress/lib/libssl/server/servertest.c | 209 - src/regress/lib/libssl/shutdown/Makefile | 18 - src/regress/lib/libssl/shutdown/shutdowntest.c | 656 --- src/regress/lib/libssl/ssl/Makefile | 17 - src/regress/lib/libssl/ssl/ssltest.c | 1528 ------- src/regress/lib/libssl/ssl/testssl | 162 - src/regress/lib/libssl/symbols/Makefile | 22 - src/regress/lib/libssl/symbols/symbols.awk | 58 - src/regress/lib/libssl/tls/Makefile | 18 - src/regress/lib/libssl/tls/tlstest.c | 400 -- src/regress/lib/libssl/tlsext/Makefile | 10 - src/regress/lib/libssl/tlsext/tlsexttest.c | 4702 -------------------- src/regress/lib/libssl/tlsfuzzer/Makefile | 51 - src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py | 935 ---- src/regress/lib/libssl/tlslegacy/Makefile | 9 - src/regress/lib/libssl/tlslegacy/tlslegacytest.c | 625 --- src/regress/lib/libssl/unit/Makefile | 21 - src/regress/lib/libssl/unit/cipher_list.c | 231 - .../lib/libssl/unit/ssl_get_shared_ciphers.c | 478 -- src/regress/lib/libssl/unit/ssl_methods.c | 267 -- src/regress/lib/libssl/unit/ssl_set_alpn_protos.c | 470 -- src/regress/lib/libssl/unit/ssl_verify_param.c | 99 - src/regress/lib/libssl/unit/ssl_versions.c | 922 ---- src/regress/lib/libssl/unit/tests.h | 44 - src/regress/lib/libssl/unit/tls_ext_alpn.c | 442 -- 
src/regress/lib/libssl/unit/tls_prf.c | 182 - src/regress/lib/libssl/verify/Makefile | 37 - .../libssl/verify/create-libressl-test-certs.pl | 111 - src/regress/lib/libssl/verify/verify.c | 373 -- 117 files changed, 25315 deletions(-) delete mode 100644 src/regress/lib/libssl/Makefile delete mode 100644 src/regress/lib/libssl/Makefile.inc delete mode 100644 src/regress/lib/libssl/api/Makefile delete mode 100644 src/regress/lib/libssl/api/apitest.c delete mode 100644 src/regress/lib/libssl/asn1/Makefile delete mode 100644 src/regress/lib/libssl/asn1/asn1test.c delete mode 100644 src/regress/lib/libssl/buffer/Makefile delete mode 100644 src/regress/lib/libssl/buffer/buffertest.c delete mode 100644 src/regress/lib/libssl/bytestring/Makefile delete mode 100644 src/regress/lib/libssl/bytestring/bytestringtest.c delete mode 100644 src/regress/lib/libssl/certs/ca-int-ecdsa.crl delete mode 100644 src/regress/lib/libssl/certs/ca-int-ecdsa.pem delete mode 100644 src/regress/lib/libssl/certs/ca-int-rsa.crl delete mode 100644 src/regress/lib/libssl/certs/ca-int-rsa.pem delete mode 100644 src/regress/lib/libssl/certs/ca-root-ecdsa.pem delete mode 100644 src/regress/lib/libssl/certs/ca-root-rsa.pem delete mode 100644 src/regress/lib/libssl/certs/client1-ecdsa-chain.pem delete mode 100644 src/regress/lib/libssl/certs/client1-ecdsa.pem delete mode 100644 src/regress/lib/libssl/certs/client1-rsa-chain.pem delete mode 100644 src/regress/lib/libssl/certs/client1-rsa.pem delete mode 100644 src/regress/lib/libssl/certs/client2-ecdsa-chain.pem delete mode 100644 src/regress/lib/libssl/certs/client2-ecdsa.pem delete mode 100644 src/regress/lib/libssl/certs/client2-rsa-chain.pem delete mode 100644 src/regress/lib/libssl/certs/client2-rsa.pem delete mode 100644 src/regress/lib/libssl/certs/client3-ecdsa-chain.pem delete mode 100644 src/regress/lib/libssl/certs/client3-ecdsa.pem delete mode 100644 src/regress/lib/libssl/certs/client3-rsa-chain.pem delete mode 100644 
src/regress/lib/libssl/certs/client3-rsa.pem delete mode 100755 src/regress/lib/libssl/certs/make-certs.sh delete mode 100644 src/regress/lib/libssl/certs/server1-ecdsa-chain.pem delete mode 100644 src/regress/lib/libssl/certs/server1-ecdsa.pem delete mode 100644 src/regress/lib/libssl/certs/server1-rsa-chain.pem delete mode 100644 src/regress/lib/libssl/certs/server1-rsa.pem delete mode 100644 src/regress/lib/libssl/certs/server2-ecdsa-chain.pem delete mode 100644 src/regress/lib/libssl/certs/server2-ecdsa.pem delete mode 100644 src/regress/lib/libssl/certs/server2-rsa-chain.pem delete mode 100644 src/regress/lib/libssl/certs/server2-rsa.pem delete mode 100644 src/regress/lib/libssl/certs/server3-ecdsa-chain.pem delete mode 100644 src/regress/lib/libssl/certs/server3-ecdsa.pem delete mode 100644 src/regress/lib/libssl/certs/server3-rsa-chain.pem delete mode 100644 src/regress/lib/libssl/certs/server3-rsa.pem delete mode 100644 src/regress/lib/libssl/ciphers/Makefile delete mode 100644 src/regress/lib/libssl/ciphers/cipherstest.c delete mode 100644 src/regress/lib/libssl/client/Makefile delete mode 100644 src/regress/lib/libssl/client/clienttest.c delete mode 100644 src/regress/lib/libssl/dtls/Makefile delete mode 100644 src/regress/lib/libssl/dtls/dtlstest.c delete mode 100644 src/regress/lib/libssl/exporter/Makefile delete mode 100644 src/regress/lib/libssl/exporter/exportertest.c delete mode 100644 src/regress/lib/libssl/handshake/Makefile delete mode 100644 src/regress/lib/libssl/handshake/handshake_table.c delete mode 100644 src/regress/lib/libssl/handshake/valid_handshakes_terminate.c delete mode 100644 src/regress/lib/libssl/interop/LICENSE delete mode 100644 src/regress/lib/libssl/interop/Makefile delete mode 100644 src/regress/lib/libssl/interop/Makefile.inc delete mode 100644 src/regress/lib/libssl/interop/README delete mode 100644 src/regress/lib/libssl/interop/botan/Makefile delete mode 100644 src/regress/lib/libssl/interop/botan/client.cpp delete mode 
100644 src/regress/lib/libssl/interop/cert/Makefile delete mode 100644 src/regress/lib/libssl/interop/cipher/Makefile delete mode 100644 src/regress/lib/libssl/interop/client.c delete mode 100644 src/regress/lib/libssl/interop/libressl/Makefile delete mode 100644 src/regress/lib/libssl/interop/netcat/Makefile delete mode 100644 src/regress/lib/libssl/interop/openssl33/Makefile delete mode 100644 src/regress/lib/libssl/interop/openssl34/Makefile delete mode 100644 src/regress/lib/libssl/interop/server.c delete mode 100644 src/regress/lib/libssl/interop/session/Makefile delete mode 100644 src/regress/lib/libssl/interop/util.c delete mode 100644 src/regress/lib/libssl/interop/util.h delete mode 100644 src/regress/lib/libssl/interop/version/Makefile delete mode 100644 src/regress/lib/libssl/key_schedule/Makefile delete mode 100644 src/regress/lib/libssl/key_schedule/key_schedule.c delete mode 100644 src/regress/lib/libssl/openssl-ruby/Makefile delete mode 100644 src/regress/lib/libssl/pqueue/Makefile delete mode 100644 src/regress/lib/libssl/pqueue/expected.txt delete mode 100644 src/regress/lib/libssl/pqueue/pq_test.c delete mode 100644 src/regress/lib/libssl/quic/Makefile delete mode 100644 src/regress/lib/libssl/quic/quictest.c delete mode 100644 src/regress/lib/libssl/record/Makefile delete mode 100644 src/regress/lib/libssl/record/recordtest.c delete mode 100644 src/regress/lib/libssl/record_layer/Makefile delete mode 100644 src/regress/lib/libssl/record_layer/record_layer_test.c delete mode 100644 src/regress/lib/libssl/renegotiation/Makefile delete mode 100644 src/regress/lib/libssl/renegotiation/renegotiation_test.c delete mode 100644 src/regress/lib/libssl/rust-openssl/Cargo.toml delete mode 100644 src/regress/lib/libssl/rust-openssl/Makefile delete mode 100644 src/regress/lib/libssl/rust-openssl/config.toml delete mode 100644 src/regress/lib/libssl/server/Makefile delete mode 100644 src/regress/lib/libssl/server/servertest.c delete mode 100644 
src/regress/lib/libssl/shutdown/Makefile delete mode 100644 src/regress/lib/libssl/shutdown/shutdowntest.c delete mode 100644 src/regress/lib/libssl/ssl/Makefile delete mode 100644 src/regress/lib/libssl/ssl/ssltest.c delete mode 100644 src/regress/lib/libssl/ssl/testssl delete mode 100644 src/regress/lib/libssl/symbols/Makefile delete mode 100644 src/regress/lib/libssl/symbols/symbols.awk delete mode 100644 src/regress/lib/libssl/tls/Makefile delete mode 100644 src/regress/lib/libssl/tls/tlstest.c delete mode 100644 src/regress/lib/libssl/tlsext/Makefile delete mode 100644 src/regress/lib/libssl/tlsext/tlsexttest.c delete mode 100644 src/regress/lib/libssl/tlsfuzzer/Makefile delete mode 100644 src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py delete mode 100644 src/regress/lib/libssl/tlslegacy/Makefile delete mode 100644 src/regress/lib/libssl/tlslegacy/tlslegacytest.c delete mode 100644 src/regress/lib/libssl/unit/Makefile delete mode 100644 src/regress/lib/libssl/unit/cipher_list.c delete mode 100644 src/regress/lib/libssl/unit/ssl_get_shared_ciphers.c delete mode 100644 src/regress/lib/libssl/unit/ssl_methods.c delete mode 100644 src/regress/lib/libssl/unit/ssl_set_alpn_protos.c delete mode 100644 src/regress/lib/libssl/unit/ssl_verify_param.c delete mode 100644 src/regress/lib/libssl/unit/ssl_versions.c delete mode 100644 src/regress/lib/libssl/unit/tests.h delete mode 100644 src/regress/lib/libssl/unit/tls_ext_alpn.c delete mode 100644 src/regress/lib/libssl/unit/tls_prf.c delete mode 100644 src/regress/lib/libssl/verify/Makefile delete mode 100644 src/regress/lib/libssl/verify/create-libressl-test-certs.pl delete mode 100644 src/regress/lib/libssl/verify/verify.c (limited to 'src/regress/lib/libssl') diff --git a/src/regress/lib/libssl/Makefile b/src/regress/lib/libssl/Makefile deleted file mode 100644 index e0813b40b3..0000000000 --- a/src/regress/lib/libssl/Makefile +++ /dev/null 
@@ -1,36 +0,0 @@
-# $OpenBSD: Makefile,v 1.58 2025/02/01 12:27:11 jsing Exp $
-
-SUBDIR += api
-SUBDIR += asn1
-SUBDIR += buffer
-SUBDIR += bytestring
-SUBDIR += ciphers
-SUBDIR += client
-SUBDIR += dtls
-SUBDIR += exporter
-SUBDIR += handshake
-SUBDIR += pqueue
-SUBDIR += quic
-SUBDIR += record
-SUBDIR += record_layer
-SUBDIR += renegotiation
-SUBDIR += server
-SUBDIR += shutdown
-SUBDIR += ssl
-SUBDIR += symbols
-SUBDIR += tls
-SUBDIR += tlsext
-SUBDIR += tlslegacy
-SUBDIR += key_schedule
-SUBDIR += unit
-SUBDIR += verify
-
-# Things that take a long time should go below here.
-SUBDIR += openssl-ruby
-SUBDIR += rust-openssl
-SUBDIR += tlsfuzzer
-SUBDIR += interop
-
-install:
-
-.include
diff --git a/src/regress/lib/libssl/Makefile.inc b/src/regress/lib/libssl/Makefile.inc
deleted file mode 100644
index cc8ad18394..0000000000
--- a/src/regress/lib/libssl/Makefile.inc
+++ /dev/null
@@ -1,4 +0,0 @@
-# Use this variable when the test needs internal symbols from libcrypto
-CRYPTO_INT= -Wl,-Bstatic -lcrypto -Wl,-Bdynamic
-# Use this variable when the test needs internal symbols from libssl
-SSL_INT= -Wl,-Bstatic -lssl -Wl,-Bdynamic
diff --git a/src/regress/lib/libssl/api/Makefile b/src/regress/lib/libssl/api/Makefile
deleted file mode 100644
index 7f745518eb..0000000000
--- a/src/regress/lib/libssl/api/Makefile
+++ /dev/null
@@ -1,10 +0,0 @@
-# $OpenBSD: Makefile,v 1.2 2023/04/14 12:38:30 tb Exp $
-
-PROG= apitest
-LDADD= -lssl -lcrypto
-DPADD= ${LIBSSL} ${LIBCRYPTO}
-WARNINGS= Yes
-CFLAGS+= -DLIBRESSL_INTERNAL -Werror
-CFLAGS+= -DCERTSDIR=\"${.CURDIR}/../../libssl/certs\"
-
-.include
diff --git a/src/regress/lib/libssl/api/apitest.c b/src/regress/lib/libssl/api/apitest.c
deleted file mode 100644
index 37adb0c06f..0000000000
--- a/src/regress/lib/libssl/api/apitest.c
+++ /dev/null
@@ -1,374 +0,0 @@
-/* $OpenBSD: apitest.c,v 1.3 2024/09/07 16:39:29 tb Exp $ */
-/*
- * Copyright (c) 2020, 2021 Joel Sing
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include
-
-#include
-#include
-#include
-
-#ifndef CERTSDIR
-#define CERTSDIR "."
-#endif
-
-const char *certs_path = CERTSDIR;
-
-int debug = 0;
-
-static int
-ssl_ctx_use_ca_file(SSL_CTX *ssl_ctx, const char *ca_file)
-{
- char *ca_path = NULL;
- int ret = 0;
-
- if (asprintf(&ca_path, "%s/%s", certs_path, ca_file) == -1)
- goto err;
- if (!SSL_CTX_load_verify_locations(ssl_ctx, ca_path, NULL)) {
- fprintf(stderr, "load_verify_locations(%s) failed\n", ca_path);
- goto err;
- }
-
- ret = 1;
-
- err:
- free(ca_path);
-
- return ret;
-}
-
-static int
-ssl_ctx_use_keypair(SSL_CTX *ssl_ctx, const char *chain_file,
- const char *key_file)
-{
- char *chain_path = NULL, *key_path = NULL;
- int ret = 0;
-
- if (asprintf(&chain_path, "%s/%s", certs_path, chain_file) == -1)
- goto err;
- if (SSL_CTX_use_certificate_chain_file(ssl_ctx, chain_path) != 1) {
- fprintf(stderr, "FAIL: Failed to load certificates\n");
- goto err;
- }
- if (asprintf(&key_path, "%s/%s", certs_path, key_file) == -1)
- goto err;
- if (SSL_CTX_use_PrivateKey_file(ssl_ctx, key_path,
- SSL_FILETYPE_PEM) != 1) {
- fprintf(stderr, "FAIL: Failed to load private key\n");
- goto err;
- }
-
- ret = 1;
-
- err:
- free(chain_path);
- free(key_path);
-
- return ret;
-}
-
-static SSL *
-tls_client(BIO *rbio, BIO *wbio)
-{
- SSL_CTX *ssl_ctx = NULL;
- SSL *ssl = NULL;
-
- if ((ssl_ctx = SSL_CTX_new(TLS_method())) == NULL)
- errx(1, "client context");
-
- SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL);
-
- if (!ssl_ctx_use_ca_file(ssl_ctx, "ca-root-rsa.pem"))
- goto failure;
- if (!ssl_ctx_use_keypair(ssl_ctx, "client1-rsa-chain.pem",
- "client1-rsa.pem"))
- goto failure;
-
- if ((ssl = SSL_new(ssl_ctx)) == NULL)
- errx(1, "client ssl");
-
- BIO_up_ref(rbio);
- BIO_up_ref(wbio);
-
- SSL_set_bio(ssl, rbio, wbio);
-
- failure:
- SSL_CTX_free(ssl_ctx);
-
- return ssl;
-}
-
-static SSL *
-tls_server(BIO *rbio, BIO *wbio)
-{
- SSL_CTX *ssl_ctx = NULL;
- SSL *ssl = NULL;
-
- if ((ssl_ctx = SSL_CTX_new(TLS_method())) == NULL)
- errx(1, "server context");
-
- SSL_CTX_set_dh_auto(ssl_ctx, 2);
-
- SSL_CTX_set_verify(ssl_ctx,
- SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
-
- if (!ssl_ctx_use_ca_file(ssl_ctx, "ca-root-rsa.pem"))
- goto failure;
- if (!ssl_ctx_use_keypair(ssl_ctx, "server1-rsa-chain.pem",
- "server1-rsa.pem"))
- goto failure;
-
- if ((ssl = SSL_new(ssl_ctx)) == NULL)
- errx(1, "server ssl");
-
- BIO_up_ref(rbio);
- BIO_up_ref(wbio);
-
- SSL_set_bio(ssl, rbio, wbio);
-
- failure:
- SSL_CTX_free(ssl_ctx);
-
- return ssl;
-}
-
-static int
-ssl_error(SSL *ssl, const char *name, const char *desc, int ssl_ret)
-{
- int ssl_err;
-
- ssl_err = SSL_get_error(ssl, ssl_ret);
-
- if (ssl_err == SSL_ERROR_WANT_READ) {
- return 1;
- } else if (ssl_err == SSL_ERROR_WANT_WRITE) {
- return 1;
- } else if (ssl_err == SSL_ERROR_SYSCALL && errno == 0) {
- /* Yup, this is apparently a thing... */
- } else {
- fprintf(stderr, "FAIL: %s %s failed - ssl err = %d, errno = %d\n",
- name, desc, ssl_err, errno);
- ERR_print_errors_fp(stderr);
- return 0;
- }
-
- return 1;
-}
-
-static int
-do_connect(SSL *ssl, const char *name, int *done)
-{
- int ssl_ret;
-
- if ((ssl_ret = SSL_connect(ssl)) == 1) {
- fprintf(stderr, "INFO: %s connect done\n", name);
- *done = 1;
- return 1;
- }
-
- return ssl_error(ssl, name, "connect", ssl_ret);
-}
-
-static int
-do_accept(SSL *ssl, const char *name, int *done)
-{
- int ssl_ret;
-
- if ((ssl_ret = SSL_accept(ssl)) == 1) {
- fprintf(stderr, "INFO: %s accept done\n", name);
- *done = 1;
- return 1;
- }
-
- return ssl_error(ssl, name, "accept", ssl_ret);
-}
-
-typedef int (*ssl_func)(SSL *ssl, const char *name, int *done);
-
-static int
-do_client_server_loop(SSL *client, ssl_func client_func, SSL *server,
- ssl_func server_func)
-{
- int client_done = 0, server_done = 0;
- int i = 0;
-
- do {
- if (!client_done) {
- if (debug)
- fprintf(stderr, "DEBUG: client loop\n");
- if (!client_func(client, "client", &client_done))
- return 0;
- }
- if (!server_done) {
- if (debug)
- fprintf(stderr, "DEBUG: server loop\n");
- if (!server_func(server, "server", &server_done))
- return 0;
- }
- } while (i++ < 100 && (!client_done || !server_done));
-
- if (!client_done || !server_done)
- fprintf(stderr, "FAIL: gave up\n");
-
- return client_done && server_done;
-}
-
-static int
-ssl_get_peer_cert_chain_test(uint16_t tls_version)
-{
- STACK_OF(X509) *peer_chain;
- X509 *peer_cert;
- BIO *client_wbio = NULL, *server_wbio = NULL;
- SSL *client = NULL, *server = NULL;
- int failed = 1;
-
- if ((client_wbio = BIO_new(BIO_s_mem())) == NULL)
- goto failure;
- if (BIO_set_mem_eof_return(client_wbio, -1) <= 0)
- goto failure;
-
- if ((server_wbio = BIO_new(BIO_s_mem())) == NULL)
- goto failure;
- if (BIO_set_mem_eof_return(server_wbio, -1) <= 0)
- goto failure;
-
- if ((client = tls_client(server_wbio, client_wbio)) == NULL)
- goto failure;
- if (tls_version != 0) {
- if (!SSL_set_min_proto_version(client, tls_version))
- goto failure;
- if (!SSL_set_max_proto_version(client, tls_version))
- goto failure;
- }
-
- if ((server = tls_server(client_wbio, server_wbio)) == NULL)
- goto failure;
- if (tls_version != 0) {
- if (!SSL_set_min_proto_version(server, tls_version))
- goto failure;
- if (!SSL_set_max_proto_version(server, tls_version))
- goto failure;
- }
-
- if (!do_client_server_loop(client, do_connect, server, do_accept)) {
- fprintf(stderr, "FAIL: client and server handshake failed\n");
- goto failure;
- }
-
- if (tls_version != 0) {
- if (SSL_version(client) != tls_version) {
- fprintf(stderr, "FAIL: client got TLS version %x, "
- "want %x\n", SSL_version(client), tls_version);
- goto failure;
- }
- if (SSL_version(server) != tls_version) {
- fprintf(stderr, "FAIL: server got TLS version %x, "
- "want %x\n", SSL_version(server), tls_version);
- goto failure;
- }
- }
-
- /*
- * Due to the wonders of API inconsistency, SSL_get_peer_cert_chain()
- * includes the peer's leaf certificate when called by the client,
- * however it does not when called by the server. Furthermore, the
- * certificate returned by SSL_get_peer_certificate() has already
- * had its reference count incremented and must be freed, where as
- * the certificates returned from SSL_get_peer_cert_chain() must
- * not be freed... *sigh*
- */
- peer_cert = SSL_get_peer_certificate(client);
- peer_chain = SSL_get_peer_cert_chain(client);
- X509_free(peer_cert);
-
- if (peer_cert == NULL) {
- fprintf(stderr, "FAIL: client got no peer cert\n");
- goto failure;
- }
- if (sk_X509_num(peer_chain) != 2) {
- fprintf(stderr, "FAIL: client got peer cert chain with %d "
- "certificates, want 2\n", sk_X509_num(peer_chain));
- goto failure;
- }
- if (X509_cmp(peer_cert, sk_X509_value(peer_chain, 0)) != 0) {
- fprintf(stderr, "FAIL: client got peer cert chain without peer "
- "certificate\n");
- goto failure;
- }
-
- peer_cert = SSL_get_peer_certificate(server);
- peer_chain = SSL_get_peer_cert_chain(server);
- X509_free(peer_cert);
-
- if (peer_cert == NULL) {
- fprintf(stderr, "FAIL: server got no peer cert\n");
- goto failure;
- }
- if (sk_X509_num(peer_chain) != 1) {
- fprintf(stderr, "FAIL: server got peer cert chain with %d "
- "certificates, want 1\n", sk_X509_num(peer_chain));
- goto failure;
- }
- if (X509_cmp(peer_cert, sk_X509_value(peer_chain, 0)) == 0) {
- fprintf(stderr, "FAIL: server got peer cert chain with peer "
- "certificate\n");
- goto failure;
- }
-
- fprintf(stderr, "INFO: Done!\n");
-
- failed = 0;
-
- failure:
- BIO_free(client_wbio);
- BIO_free(server_wbio);
-
- SSL_free(client);
- SSL_free(server);
-
- return failed;
-}
-
-static int
-ssl_get_peer_cert_chain_tests(void)
-{
- int failed = 0;
-
- fprintf(stderr, "\n== Testing SSL_get_peer_cert_chain()... ==\n");
-
- failed |= ssl_get_peer_cert_chain_test(0);
- failed |= ssl_get_peer_cert_chain_test(TLS1_3_VERSION);
- failed |= ssl_get_peer_cert_chain_test(TLS1_2_VERSION);
-
- return failed;
-}
-
-int
-main(int argc, char **argv)
-{
- int failed = 0;
-
- if (argc > 2) {
- fprintf(stderr, "usage: %s [certspath]\n", argv[0]);
- exit(1);
- }
- if (argc == 2)
- certs_path = argv[1];
-
- failed |= ssl_get_peer_cert_chain_tests();
-
- return failed;
-}
diff --git a/src/regress/lib/libssl/asn1/Makefile b/src/regress/lib/libssl/asn1/Makefile
deleted file mode 100644
index 16fca9f6ca..0000000000
--- a/src/regress/lib/libssl/asn1/Makefile
+++ /dev/null
@@ -1,11 +0,0 @@
-# $OpenBSD: Makefile,v 1.2 2021/06/30 18:09:46 jsing Exp $
-
-PROG= asn1test
-LDADD= -lcrypto -lssl
-DPADD= ${LIBCRYPTO} ${LIBSSL}
-
-WARNINGS= Yes
-CFLAGS+= -DLIBRESSL_INTERNAL -Werror
-CFLAGS+= -I${.CURDIR}/../../../../lib/libssl
-
-.include
diff --git a/src/regress/lib/libssl/asn1/asn1test.c b/src/regress/lib/libssl/asn1/asn1test.c
deleted file mode 100644
index a81c502655..0000000000
--- a/src/regress/lib/libssl/asn1/asn1test.c
+++ /dev/null
@@ -1,478 +0,0 @@ -/* $OpenBSD: asn1test.c,v 1.13 2024/07/22 14:50:45 jsing Exp $ */ -/* - * Copyright (c) 2014, 2016 Joel Sing - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#include -#include - -#include -#include -#include -#include - -#include "ssl_local.h" - -int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp); -SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, - long length); - -X509 *peer_cert; - -unsigned char *peer_cert_pem = - "-----BEGIN CERTIFICATE-----\n" - "MIIBcTCCARugAwIBAgIJAPYhaZJAvUuUMA0GCSqGSIb3DQEBBQUAMBQxEjAQBgNV\n" - "BAoMCVRlc3QgUGVlcjAeFw0xNjEyMjYxNDQ3NDdaFw0yNjEyMjQxNDQ3NDdaMBQx\n" - "EjAQBgNVBAoMCVRlc3QgUGVlcjBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCyhAdJ\n" - "wojHv/uKONh8MbmR2U2+VF1HQusnLfSfHPqkJfvDzLWJ41TG7QcXkx2rIJVtAFrO\n" - "U9yNdFYJLA/hsrbjAgMBAAGjUDBOMB0GA1UdDgQWBBS3bZOw7fvaortdsdE2TPMq\n" - "IRXFRzAfBgNVHSMEGDAWgBS3bZOw7fvaortdsdE2TPMqIRXFRzAMBgNVHRMEBTAD\n" - "AQH/MA0GCSqGSIb3DQEBBQUAA0EAHsxNS+rNUZbopeDMhVIviOfUmelDjJrT56Rc\n" - "VJoFN3Gc1cV8nQAHm9aJs71uksC+MN04Pzh0WqmYX9XXrnYPcg==\n" - "-----END CERTIFICATE-----\n"; - -struct ssl_asn1_test { - SSL_SESSION session; - int peer_cert; - const unsigned char asn1[1024]; - int asn1_len; -}; - -unsigned char tlsext_tick[] = { - 0x43, 0x56, 0x45, 0x2d, 0x32, 0x30, 0x31, 0x34, - 
0x2d, 0x30, 0x31, 0x36, 0x30, 0x3a, 0x20, 0x37, - 0x74, 0x68, 0x20, 0x41, 0x70, 0x72, 0x69, 0x6c, - 0x20, 0x32, 0x30, 0x31, 0x34, 0x0a, 0x43, 0x56, - 0x45, 0x2d, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x35, - 0x32, 0x39, 0x38, 0x3a, 0x20, 0x38, 0x74, 0x68, - 0x20, 0x41, 0x70, 0x72, 0x69, 0x6c, 0x20, 0x32, - 0x30, 0x31, 0x34, 0x0a, 0x43, 0x56, 0x45, 0x2d, - 0x32, 0x30, 0x31, 0x34, 0x2d, 0x30, 0x31, 0x39, - 0x38, 0x3a, 0x20, 0x32, 0x31, 0x73, 0x74, 0x20, - 0x41, 0x70, 0x72, 0x69, 0x6c, 0x20, 0x32, 0x30, - 0x31, 0x34, 0x0a, 0x43, 0x56, 0x45, 0x2d, 0x32, - 0x30, 0x31, 0x34, 0x2d, 0x33, 0x34, 0x37, 0x30, - 0x3a, 0x20, 0x33, 0x30, 0x74, 0x68, 0x20, 0x4d, - 0x61, 0x79, 0x20, 0x32, 0x30, 0x31, 0x34, 0x0a, - 0x43, 0x56, 0x45, 0x2d, 0x32, 0x30, 0x31, 0x34, - 0x2d, 0x30, 0x31, 0x39, 0x35, 0x3a, 0x20, 0x35, - 0x74, 0x68, 0x20, 0x4a, 0x75, 0x6e, 0x65, 0x20, - 0x32, 0x30, 0x31, 0x34, 0x0a, 0x43, 0x56, 0x45, - 0x2d, 0x32, 0x30, 0x31, 0x34, 0x2d, 0x30, 0x32, - 0x32, 0x31, 0x3a, 0x20, 0x35, 0x74, 0x68, 0x20, - 0x4a, 0x75, 0x6e, 0x65, 0x20, 0x32, 0x30, 0x31, - 0x34, 0x0a, 0x43, 0x56, 0x45, 0x2d, 0x32, 0x30, - 0x31, 0x34, 0x2d, 0x30, 0x32, 0x32, 0x34, 0x3a, - 0x20, 0x35, 0x74, 0x68, 0x20, 0x4a, 0x75, 0x6e, - 0x65, 0x20, 0x32, 0x30, 0x31, 0x34, 0x0a, -}; - -struct ssl_asn1_test ssl_asn1_tests[] = { - { - .session = { - .cipher_value = 1, - .ssl_version = TLS1_2_VERSION, - }, - .asn1 = { - 0x30, 0x13, 0x02, 0x01, 0x01, 0x02, 0x02, 0x03, - 0x03, 0x04, 0x02, 0x00, 0x01, 0x04, 0x00, 0x04, - 0x00, 0xa4, 0x02, 0x04, 0x00, - }, - .asn1_len = 21, - }, - { - .session = { - .cipher_value = 1, - .ssl_version = TLS1_2_VERSION, - .master_key_length = 26, - .session_id = "0123456789", - .session_id_length = 10, - .sid_ctx = "abcdefghijklmnopqrstuvwxyz", - .sid_ctx_length = 26, - }, - .asn1 = { - 0x30, 0x51, 0x02, 0x01, 0x01, 0x02, 0x02, 0x03, - 0x03, 0x04, 0x02, 0x00, 0x01, 0x04, 0x0a, 0x30, - 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, - 0x39, 0x04, 0x1a, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0xa4, 0x1c, 0x04, - 0x1a, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, - 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, - 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, - 0x78, 0x79, 0x7a, - }, - .asn1_len = 83, - }, - { - .session = { - .cipher_value = 1, - .ssl_version = TLS1_2_VERSION, - .master_key_length = 26, - .session_id = "0123456789", - .session_id_length = 10, - .sid_ctx = "abcdefghijklmnopqrstuvwxyz", - .sid_ctx_length = 26, - .time = 1405266069, - .timeout = 5, - .verify_result = 42, - .tlsext_hostname = "libressl.openbsd.org", - .tlsext_tick_lifetime_hint = 0x7abbccdd, - .tlsext_tick = tlsext_tick, - .tlsext_ticklen = sizeof(tlsext_tick), - }, - .peer_cert = 1, - .asn1 = { - 0x30, 0x82, 0x02, 0xd1, 0x02, 0x01, 0x01, 0x02, - 0x02, 0x03, 0x03, 0x04, 0x02, 0x00, 0x01, 0x04, - 0x0a, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, - 0x37, 0x38, 0x39, 0x04, 0x1a, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xa1, - 0x06, 0x02, 0x04, 0x53, 0xc2, 0xa8, 0x95, 0xa2, - 0x03, 0x02, 0x01, 0x05, 0xa3, 0x82, 0x01, 0x75, - 0x30, 0x82, 0x01, 0x71, 0x30, 0x82, 0x01, 0x1b, - 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x09, 0x00, - 0xf6, 0x21, 0x69, 0x92, 0x40, 0xbd, 0x4b, 0x94, - 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, - 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, - 0x14, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, - 0x04, 0x0a, 0x0c, 0x09, 0x54, 0x65, 0x73, 0x74, - 0x20, 0x50, 0x65, 0x65, 0x72, 0x30, 0x1e, 0x17, - 0x0d, 0x31, 0x36, 0x31, 0x32, 0x32, 0x36, 0x31, - 0x34, 0x34, 0x37, 0x34, 0x37, 0x5a, 0x17, 0x0d, - 0x32, 0x36, 0x31, 0x32, 0x32, 0x34, 0x31, 0x34, - 0x34, 0x37, 0x34, 0x37, 0x5a, 0x30, 0x14, 0x31, - 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x0a, - 0x0c, 0x09, 0x54, 0x65, 0x73, 0x74, 0x20, 0x50, - 0x65, 0x65, 0x72, 0x30, 0x5c, 
0x30, 0x0d, 0x06, - 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, - 0x01, 0x01, 0x05, 0x00, 0x03, 0x4b, 0x00, 0x30, - 0x48, 0x02, 0x41, 0x00, 0xb2, 0x84, 0x07, 0x49, - 0xc2, 0x88, 0xc7, 0xbf, 0xfb, 0x8a, 0x38, 0xd8, - 0x7c, 0x31, 0xb9, 0x91, 0xd9, 0x4d, 0xbe, 0x54, - 0x5d, 0x47, 0x42, 0xeb, 0x27, 0x2d, 0xf4, 0x9f, - 0x1c, 0xfa, 0xa4, 0x25, 0xfb, 0xc3, 0xcc, 0xb5, - 0x89, 0xe3, 0x54, 0xc6, 0xed, 0x07, 0x17, 0x93, - 0x1d, 0xab, 0x20, 0x95, 0x6d, 0x00, 0x5a, 0xce, - 0x53, 0xdc, 0x8d, 0x74, 0x56, 0x09, 0x2c, 0x0f, - 0xe1, 0xb2, 0xb6, 0xe3, 0x02, 0x03, 0x01, 0x00, - 0x01, 0xa3, 0x50, 0x30, 0x4e, 0x30, 0x1d, 0x06, - 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, - 0xb7, 0x6d, 0x93, 0xb0, 0xed, 0xfb, 0xda, 0xa2, - 0xbb, 0x5d, 0xb1, 0xd1, 0x36, 0x4c, 0xf3, 0x2a, - 0x21, 0x15, 0xc5, 0x47, 0x30, 0x1f, 0x06, 0x03, - 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, - 0x14, 0xb7, 0x6d, 0x93, 0xb0, 0xed, 0xfb, 0xda, - 0xa2, 0xbb, 0x5d, 0xb1, 0xd1, 0x36, 0x4c, 0xf3, - 0x2a, 0x21, 0x15, 0xc5, 0x47, 0x30, 0x0c, 0x06, - 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05, 0x30, 0x03, - 0x01, 0x01, 0xff, 0x30, 0x0d, 0x06, 0x09, 0x2a, - 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, - 0x05, 0x00, 0x03, 0x41, 0x00, 0x1e, 0xcc, 0x4d, - 0x4b, 0xea, 0xcd, 0x51, 0x96, 0xe8, 0xa5, 0xe0, - 0xcc, 0x85, 0x52, 0x2f, 0x88, 0xe7, 0xd4, 0x99, - 0xe9, 0x43, 0x8c, 0x9a, 0xd3, 0xe7, 0xa4, 0x5c, - 0x54, 0x9a, 0x05, 0x37, 0x71, 0x9c, 0xd5, 0xc5, - 0x7c, 0x9d, 0x00, 0x07, 0x9b, 0xd6, 0x89, 0xb3, - 0xbd, 0x6e, 0x92, 0xc0, 0xbe, 0x30, 0xdd, 0x38, - 0x3f, 0x38, 0x74, 0x5a, 0xa9, 0x98, 0x5f, 0xd5, - 0xd7, 0xae, 0x76, 0x0f, 0x72, 0xa4, 0x1c, 0x04, - 0x1a, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, - 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, - 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, - 0x78, 0x79, 0x7a, 0xa5, 0x03, 0x02, 0x01, 0x2a, - 0xa6, 0x16, 0x04, 0x14, 0x6c, 0x69, 0x62, 0x72, - 0x65, 0x73, 0x73, 0x6c, 0x2e, 0x6f, 0x70, 0x65, - 0x6e, 0x62, 0x73, 0x64, 0x2e, 0x6f, 0x72, 0x67, - 0xa9, 0x06, 0x02, 0x04, 0x7a, 
0xbb, 0xcc, 0xdd, - 0xaa, 0x81, 0xd2, 0x04, 0x81, 0xcf, 0x43, 0x56, - 0x45, 0x2d, 0x32, 0x30, 0x31, 0x34, 0x2d, 0x30, - 0x31, 0x36, 0x30, 0x3a, 0x20, 0x37, 0x74, 0x68, - 0x20, 0x41, 0x70, 0x72, 0x69, 0x6c, 0x20, 0x32, - 0x30, 0x31, 0x34, 0x0a, 0x43, 0x56, 0x45, 0x2d, - 0x32, 0x30, 0x31, 0x30, 0x2d, 0x35, 0x32, 0x39, - 0x38, 0x3a, 0x20, 0x38, 0x74, 0x68, 0x20, 0x41, - 0x70, 0x72, 0x69, 0x6c, 0x20, 0x32, 0x30, 0x31, - 0x34, 0x0a, 0x43, 0x56, 0x45, 0x2d, 0x32, 0x30, - 0x31, 0x34, 0x2d, 0x30, 0x31, 0x39, 0x38, 0x3a, - 0x20, 0x32, 0x31, 0x73, 0x74, 0x20, 0x41, 0x70, - 0x72, 0x69, 0x6c, 0x20, 0x32, 0x30, 0x31, 0x34, - 0x0a, 0x43, 0x56, 0x45, 0x2d, 0x32, 0x30, 0x31, - 0x34, 0x2d, 0x33, 0x34, 0x37, 0x30, 0x3a, 0x20, - 0x33, 0x30, 0x74, 0x68, 0x20, 0x4d, 0x61, 0x79, - 0x20, 0x32, 0x30, 0x31, 0x34, 0x0a, 0x43, 0x56, - 0x45, 0x2d, 0x32, 0x30, 0x31, 0x34, 0x2d, 0x30, - 0x31, 0x39, 0x35, 0x3a, 0x20, 0x35, 0x74, 0x68, - 0x20, 0x4a, 0x75, 0x6e, 0x65, 0x20, 0x32, 0x30, - 0x31, 0x34, 0x0a, 0x43, 0x56, 0x45, 0x2d, 0x32, - 0x30, 0x31, 0x34, 0x2d, 0x30, 0x32, 0x32, 0x31, - 0x3a, 0x20, 0x35, 0x74, 0x68, 0x20, 0x4a, 0x75, - 0x6e, 0x65, 0x20, 0x32, 0x30, 0x31, 0x34, 0x0a, - 0x43, 0x56, 0x45, 0x2d, 0x32, 0x30, 0x31, 0x34, - 0x2d, 0x30, 0x32, 0x32, 0x34, 0x3a, 0x20, 0x35, - 0x74, 0x68, 0x20, 0x4a, 0x75, 0x6e, 0x65, 0x20, - 0x32, 0x30, 0x31, 0x34, 0x0a, - }, - .asn1_len = 725, - }, - { - .session = { - .cipher_value = 1, - .ssl_version = TLS1_2_VERSION, - .timeout = -1, - }, - .asn1 = { - 0x0, - }, - .asn1_len = -1, - }, - { - .session = { - .cipher_value = 1, - .ssl_version = TLS1_2_VERSION, - .time = -1, - }, - .asn1 = { - 0x0, - }, - .asn1_len = -1, - }, -}; - -#define N_SSL_ASN1_TESTS \ - (sizeof(ssl_asn1_tests) / sizeof(*ssl_asn1_tests)) - -static int -session_strcmp(const unsigned char *o1, const unsigned char *o2, size_t len) -{ - if (o1 == NULL && o2 == NULL) - return (0); - if (o1 == NULL || o2 == NULL) - return (1); - return memcmp(o1, o2, len); -} - -static int 
-session_cmp(SSL_SESSION *s1, SSL_SESSION *s2) -{ - /* Compare the ASN.1 encoded values from two sessions. */ - if (s1->ssl_version != s2->ssl_version) { - fprintf(stderr, "ssl_version differs: %d != %d\n", - s1->ssl_version, s2->ssl_version); - return (1); - } - if (s1->cipher_value != s2->cipher_value) { - fprintf(stderr, "cipher_value differs: %d != %d\n", - s1->cipher_value, s2->cipher_value); - return (1); - } - - if (s1->master_key_length != s2->master_key_length) { - fprintf(stderr, "master_key_length differs: %zu != %zu\n", - s1->master_key_length, s2->master_key_length); - return (1); - } - if (session_strcmp(s1->master_key, s2->master_key, - s1->master_key_length) != 0) { - fprintf(stderr, "master_key differs\n"); - return (1); - } - - if (s1->session_id_length != s2->session_id_length) { - fprintf(stderr, "session_id_length differs: %zu != %zu\n", - s1->session_id_length, s2->session_id_length); - return (1); - } - if (session_strcmp(s1->session_id, s2->session_id, - s1->session_id_length) != 0) { - fprintf(stderr, "session_id differs\n"); - return (1); - } - - if (s1->sid_ctx_length != s2->sid_ctx_length) { - fprintf(stderr, "sid_ctx_length differs: %zu != %zu\n", - s1->sid_ctx_length, s2->sid_ctx_length); - return (1); - } - if (session_strcmp(s1->sid_ctx, s2->sid_ctx, - s1->sid_ctx_length) != 0) { - fprintf(stderr, "sid_ctx differs\n"); - return (1); - } - - /* d2i_SSL_SESSION uses the current time if decoding a zero value. */ - if ((s1->time != s2->time) && s1->time != 0 && s2->time != 0) { - fprintf(stderr, "time differs: %lld != %lld\n", - (long long)s1->time, (long long)s2->time); - return (1); - } - /* d2i_SSL_SESSION uses a timeout of 3 if decoding a zero value. */ - if ((s1->timeout != s2->timeout) && - s1->timeout != 3 && s2->timeout != 3) { - fprintf(stderr, "timeout differs: %ld != %ld\n", - s1->timeout, s2->timeout); - return (1); - } - - /* Ensure that a certificate is or is not present in both. 
*/ - if ((s1->peer_cert != NULL || s2->peer_cert != NULL) && - (s1->peer_cert == NULL || s2->peer_cert == NULL || - X509_cmp(s1->peer_cert, s2->peer_cert) != 0)) { - fprintf(stderr, "peer_cert differs\n"); - return (1); - } - - if (s1->verify_result != s2->verify_result) { - fprintf(stderr, "verify_result differs: %ld != %ld\n", - s1->verify_result, s2->verify_result); - return (1); - } - - if (session_strcmp(s1->tlsext_hostname, s2->tlsext_hostname, - (s1->tlsext_hostname ? strlen(s1->tlsext_hostname) : 0)) != 0) { - fprintf(stderr, "sid_ctx differs\n"); - return (1); - } - if (s1->tlsext_tick_lifetime_hint != s2->tlsext_tick_lifetime_hint) { - fprintf(stderr, "tlsext_tick_lifetime_hint differs: " - "%u != %u\n", s1->tlsext_tick_lifetime_hint, - s2->tlsext_tick_lifetime_hint); - return (1); - } - if (s1->tlsext_ticklen != s2->tlsext_ticklen) { - fprintf(stderr, "tlsext_ticklen differs: %zu != %zu\n", - s1->tlsext_ticklen, s2->tlsext_ticklen); - return (1); - } - if (session_strcmp(s1->tlsext_tick, s2->tlsext_tick, - s1->tlsext_ticklen) != 0) { - fprintf(stderr, "tlsext_tick differs\n"); - return (1); - } - - return (0); -} - -static int -do_ssl_asn1_test(int test_no, struct ssl_asn1_test *sat) -{ - SSL_SESSION *sp = NULL; - unsigned char *ap, *asn1 = NULL; - const unsigned char *pp; - int i, len, rv = 1; - - if (sat->peer_cert) - sat->session.peer_cert = peer_cert; - - len = i2d_SSL_SESSION(&sat->session, NULL); - if (len != sat->asn1_len) { - fprintf(stderr, "FAIL: test %d returned ASN1 length %d, " - "want %d\n", test_no, len, sat->asn1_len); - goto failed; - } - - /* See if the test is expected to fail... */ - if (sat->asn1_len == -1) - return (0); - - if ((asn1 = malloc(len)) == NULL) - errx(1, "failed to allocate memory"); - - ap = asn1; - len = i2d_SSL_SESSION(&sat->session, &ap); - - /* Check the length again since the code path is different. 
*/ - if (len != sat->asn1_len) { - fprintf(stderr, "FAIL: test %d returned ASN1 length %d, " - "want %d\n", test_no, len, sat->asn1_len); - goto failed; - } - /* ap should now point at the end of the buffer. */ - if (ap - asn1 != len) { - fprintf(stderr, "FAIL: test %d pointer increment does not " - "match length (%d != %d)\n", test_no, (int)(ap - asn1), len); - goto failed; - } - - if (memcmp(asn1, &sat->asn1, len) != 0) { - fprintf(stderr, "FAIL: test %d - encoding differs:\n", test_no); - fprintf(stderr, "encoding:\n"); - for (i = 1; i <= len; i++) { - fprintf(stderr, " 0x%02hhx,", asn1[i - 1]); - if (i % 8 == 0) - fprintf(stderr, "\n"); - } - fprintf(stderr, "\n"); - fprintf(stderr, "test data:\n"); - for (i = 1; i <= sat->asn1_len; i++) { - fprintf(stderr, " 0x%02hhx,", sat->asn1[i - 1]); - if (i % 8 == 0) - fprintf(stderr, "\n"); - } - fprintf(stderr, "\n"); - goto failed; - } - - pp = sat->asn1; - - if ((sp = d2i_SSL_SESSION(NULL, &pp, sat->asn1_len)) == NULL) { - fprintf(stderr, "FAIL: test %d - decoding failed\n", test_no); - goto failed; - } - - if (session_cmp(sp, &sat->session) != 0) { - fprintf(stderr, "FAIL: test %d - decoding differs\n", test_no); - goto failed; - } - - rv = 0; - - failed: - ERR_print_errors_fp(stderr); - SSL_SESSION_free(sp); - free(asn1); - - return (rv); -} - -int -main(int argc, char **argv) -{ - BIO *bio = NULL; - int failed = 0; - size_t i; - - SSL_library_init(); - SSL_load_error_strings(); - - bio = BIO_new_mem_buf(peer_cert_pem, -1); - if (bio == NULL) - errx(1, "failed to create bio"); - - peer_cert = PEM_read_bio_X509(bio, NULL, NULL, NULL); - if (peer_cert == NULL) - errx(1, "failed to read peer cert"); - - for (i = 0; i < N_SSL_ASN1_TESTS; i++) - failed += do_ssl_asn1_test(i, &ssl_asn1_tests[i]); - - X509_free(peer_cert); - BIO_free(bio); - - return (failed); -} diff --git a/src/regress/lib/libssl/buffer/Makefile b/src/regress/lib/libssl/buffer/Makefile deleted file mode 100644 index 64ed46fa90..0000000000 
--- a/src/regress/lib/libssl/buffer/Makefile
+++ /dev/null
@@ -1,10 +0,0 @@
-# $OpenBSD: Makefile,v 1.1 2019/01/17 06:46:10 jsing Exp $
-
-PROG= buffertest
-LDADD= ${SSL_INT} -lcrypto
-DPADD= ${LIBSSL} ${LIBCRYPTO}
-WARNINGS= Yes
-CFLAGS+= -DLIBRESSL_INTERNAL -Wall -Wundef -Werror
-CFLAGS+= -I${.CURDIR}/../../../../lib/libssl
-
-.include
diff --git a/src/regress/lib/libssl/buffer/buffertest.c b/src/regress/lib/libssl/buffer/buffertest.c
deleted file mode 100644
index 3dfad7c44f..0000000000
--- a/src/regress/lib/libssl/buffer/buffertest.c
+++ /dev/null
@@ -1,364 +0,0 @@ -/* $OpenBSD: buffertest.c,v 1.6 2022/07/22 19:34:55 jsing Exp $ */ -/* - * Copyright (c) 2019, 2022 Joel Sing - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#include -#include -#include -#include - -#include "tls_internal.h" - -uint8_t testdata[] = { - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, - 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, -}; - -struct read_state { - uint8_t *buf; - size_t len; - size_t offset; -}; - -static ssize_t -read_cb(void *buf, size_t buflen, void *cb_arg) -{ - struct read_state *rs = cb_arg; - ssize_t n; - - if (rs->offset > rs->len) - return TLS_IO_EOF; - - if ((size_t)(n = buflen) > (rs->len - rs->offset)) - n = rs->len - rs->offset; - - if (n == 0) - return TLS_IO_WANT_POLLIN; - - memcpy(buf, &rs->buf[rs->offset], n); - rs->offset += n; - - return n; -} - -struct extend_test { - size_t extend_len; - size_t read_len; - ssize_t want_ret; -}; - -const struct extend_test extend_tests[] = { - { - .extend_len = 4, - .read_len = 0, - .want_ret = TLS_IO_WANT_POLLIN, - }, - { - .extend_len = 4, - .read_len = 8, - .want_ret = 4, - }, - { - .extend_len = 12, - .read_len = 8, - .want_ret = TLS_IO_WANT_POLLIN, - }, - { - .extend_len = 12, - .read_len = 10, - .want_ret = TLS_IO_WANT_POLLIN, - }, - { - .extend_len = 12, - .read_len = 
12, - .want_ret = 12, - }, - { - .extend_len = 16, - .read_len = 16, - .want_ret = 16, - }, - { - .extend_len = 20, - .read_len = 1, - .want_ret = TLS_IO_EOF, - }, -}; - -#define N_EXTEND_TESTS (sizeof(extend_tests) / sizeof(extend_tests[0])) - -static int -tls_buffer_extend_test(void) -{ - const struct extend_test *et; - struct tls_buffer *buf; - struct read_state rs; - uint8_t *data = NULL; - size_t i, data_len; - ssize_t ret; - CBS cbs; - int failed = 1; - - rs.buf = testdata; - rs.offset = 0; - - if ((buf = tls_buffer_new(0)) == NULL) - errx(1, "tls_buffer_new"); - - for (i = 0; i < N_EXTEND_TESTS; i++) { - et = &extend_tests[i]; - rs.len = et->read_len; - - ret = tls_buffer_extend(buf, et->extend_len, read_cb, &rs); - if (ret != extend_tests[i].want_ret) { - fprintf(stderr, "FAIL: Test %zd - extend returned %zd, " - "want %zd\n", i, ret, et->want_ret); - goto failed; - } - - if (!tls_buffer_data(buf, &cbs)) { - fprintf(stderr, "FAIL: Test %zd - failed to get data\n", - i); - goto failed; - } - - if (!CBS_mem_equal(&cbs, testdata, CBS_len(&cbs))) { - fprintf(stderr, "FAIL: Test %zd - extend buffer " - "mismatch", i); - goto failed; - } - } - - if (!tls_buffer_finish(buf, &data, &data_len)) { - fprintf(stderr, "FAIL: failed to finish\n"); - goto failed; - } - - tls_buffer_free(buf); - buf = NULL; - - if (data_len != sizeof(testdata)) { - fprintf(stderr, "FAIL: got data length %zu, want %zu\n", - data_len, sizeof(testdata)); - goto failed; - } - if (memcmp(data, testdata, data_len) != 0) { - fprintf(stderr, "FAIL: data mismatch\n"); - goto failed; - } - - failed = 0; - - failed: - tls_buffer_free(buf); - free(data); - - return failed; -} - -struct read_write_test { - uint8_t pattern; - size_t read; - size_t write; - size_t append; - ssize_t want; -}; - -const struct read_write_test read_write_tests[] = { - { - .read = 2048, - .want = TLS_IO_WANT_POLLIN, - }, - { - .pattern = 0xdb, - .write = 2048, - .want = 2048, - }, - { - .pattern = 0xbd, - .append = 2048, - 
.want = 1, - }, - { - .pattern = 0xdb, - .read = 2048, - .want = 2048, - }, - { - .pattern = 0xfe, - .append = 1024, - .want = 1, - }, - { - .pattern = 0xbd, - .read = 1000, - .want = 1000, - }, - { - .pattern = 0xbd, - .read = 1048, - .want = 1048, - }, - { - .pattern = 0xdb, - .write = 2048, - .want = 2048, - }, - { - .pattern = 0xbd, - .append = 1024, - .want = 1, - }, - { - .pattern = 0xee, - .append = 4096, - .want = 1, - }, - { - .pattern = 0xfe, - .append = 1, - .want = 0, - }, - { - .pattern = 0xfe, - .write = 1, - .want = TLS_IO_FAILURE, - }, - { - .pattern = 0xfe, - .read = 1024, - .want = 1024, - }, - { - .pattern = 0xdb, - .read = 2048, - .want = 2048, - }, - { - .pattern = 0xbd, - .read = 1024, - .want = 1024, - }, - { - .pattern = 0xee, - .read = 1024, - .want = 1024, - }, - { - .pattern = 0xee, - .read = 4096, - .want = 3072, - }, - { - .read = 2048, - .want = TLS_IO_WANT_POLLIN, - }, -}; - -#define N_READ_WRITE_TESTS (sizeof(read_write_tests) / sizeof(read_write_tests[0])) - -static int -tls_buffer_read_write_test(void) -{ - const struct read_write_test *rwt; - struct tls_buffer *buf = NULL; - uint8_t *rbuf = NULL, *wbuf = NULL; - ssize_t n; - size_t i; - int ret; - int failed = 1; - - if ((buf = tls_buffer_new(0)) == NULL) - errx(1, "tls_buffer_new"); - - tls_buffer_set_capacity_limit(buf, 8192); - - for (i = 0; i < N_READ_WRITE_TESTS; i++) { - rwt = &read_write_tests[i]; - - if (rwt->append > 0) { - free(wbuf); - if ((wbuf = malloc(rwt->append)) == NULL) - errx(1, "malloc"); - memset(wbuf, rwt->pattern, rwt->append); - if ((ret = tls_buffer_append(buf, wbuf, rwt->append)) != - rwt->want) { - fprintf(stderr, "FAIL: test %zu - " - "tls_buffer_append() = %d, want %zu\n", - i, ret, rwt->want); - goto failed; - } - } - - if (rwt->write > 0) { - free(wbuf); - if ((wbuf = malloc(rwt->write)) == NULL) - errx(1, "malloc"); - memset(wbuf, rwt->pattern, rwt->write); - if ((n = tls_buffer_write(buf, wbuf, rwt->write)) != - rwt->want) { - fprintf(stderr, 
"FAIL: test %zu - " - "tls_buffer_write() = %zi, want %zu\n", - i, n, rwt->want); - goto failed; - } - } - - if (rwt->read > 0) { - free(rbuf); - if ((rbuf = calloc(1, rwt->read)) == NULL) - errx(1, "malloc"); - if ((n = tls_buffer_read(buf, rbuf, rwt->read)) != - rwt->want) { - fprintf(stderr, "FAIL: test %zu - " - "tls_buffer_read() = %zi, want %zu\n", - i, n, rwt->want); - goto failed; - } - if (rwt->want > 0) { - free(wbuf); - if ((wbuf = malloc(rwt->want)) == NULL) - errx(1, "malloc"); - memset(wbuf, rwt->pattern, rwt->want); - if (memcmp(rbuf, wbuf, rwt->want) != 0) { - fprintf(stderr, "FAIL: test %zu - " - "read byte mismatch\n", i); - goto failed; - } - } - } - } - - failed = 0; - - failed: - tls_buffer_free(buf); - free(rbuf); - free(wbuf); - - return failed; -} - -int -main(int argc, char **argv) -{ - int failed = 0; - - failed |= tls_buffer_extend_test(); - failed |= tls_buffer_read_write_test(); - - return failed; -} diff --git a/src/regress/lib/libssl/bytestring/Makefile b/src/regress/lib/libssl/bytestring/Makefile deleted file mode 100644 index 91b3fea902..0000000000 --- a/src/regress/lib/libssl/bytestring/Makefile +++ /dev/null @@ -1,10 +0,0 @@ -# $OpenBSD: Makefile,v 1.6 2022/06/29 15:06:18 tb Exp $ - -PROG= bytestringtest -LDADD= ${SSL_INT} -lcrypto -DPADD= ${LIBCRYPTO} ${LIBSSL} -WARNINGS= Yes -CFLAGS+= -DLIBRESSL_INTERNAL -Wundef -Werror -CFLAGS+= -I${.CURDIR}/../../../../lib/libssl - -.include diff --git a/src/regress/lib/libssl/bytestring/bytestringtest.c b/src/regress/lib/libssl/bytestring/bytestringtest.c deleted file mode 100644 index 36f45c4bdc..0000000000 --- a/src/regress/lib/libssl/bytestring/bytestringtest.c +++ /dev/null 
@@ -1,968 +0,0 @@ -/* $OpenBSD: bytestringtest.c,v 1.17 2023/01/01 17:43:04 miod Exp $ */ -/* - * Copyright (c) 2014, Google Inc. - * - * Permission to use, copy, modify, and/or distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY - * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION - * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN - * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ - -#include -#include -#include - -#include - -#include "bytestring.h" - -/* This is from in boringssl */ -#define OPENSSL_U64(x) x##ULL - -#define PRINT_ERROR printf("Error in %s [%s:%d]\n", __func__, __FILE__, \ - __LINE__) - -#define CHECK(a) do { \ - if (!(a)) { \ - PRINT_ERROR; \ - return 0; \ - } \ -} while (0) - -#define CHECK_GOTO(a) do { \ - if (!(a)) { \ - PRINT_ERROR; \ - goto err; \ - } \ -} while (0) - -static int -test_skip(void) -{ - static const uint8_t kData[] = {1, 2, 3}; - CBS data; - - CBS_init(&data, kData, sizeof(kData)); - - CHECK(CBS_len(&data) == 3); - CHECK(CBS_skip(&data, 1)); - CHECK(CBS_len(&data) == 2); - CHECK(CBS_skip(&data, 2)); - CHECK(CBS_len(&data) == 0); - CHECK(!CBS_skip(&data, 1)); - - return 1; -} - -static int -test_get_u(void) -{ - static const uint8_t kData[] = { - 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, - 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, - }; - uint8_t u8; - uint16_t u16; - uint32_t u32; - uint64_t u64; - CBS data; - - CBS_init(&data, kData, sizeof(kData)); - - CHECK(CBS_get_u8(&data, &u8)); - CHECK(u8 == 1); - CHECK(CBS_get_u16(&data, &u16)); - CHECK(u16 == 
0x203); - CHECK(CBS_get_u24(&data, &u32)); - CHECK(u32 == 0x40506); - CHECK(CBS_get_u32(&data, &u32)); - CHECK(u32 == 0x708090a); - CHECK(CBS_get_u64(&data, &u64)); - CHECK(u64 == 0x0b0c0d0e0f101112ULL); - CHECK(CBS_get_last_u8(&data, &u8)); - CHECK(u8 == 20); - CHECK(CBS_get_last_u8(&data, &u8)); - CHECK(u8 == 19); - CHECK(!CBS_get_u8(&data, &u8)); - CHECK(!CBS_get_last_u8(&data, &u8)); - - return 1; -} - -static int -test_get_prefixed(void) -{ - static const uint8_t kData[] = {1, 2, 0, 2, 3, 4, 0, 0, 3, 3, 2, 1}; - uint8_t u8; - uint16_t u16; - uint32_t u32; - CBS data, prefixed; - - CBS_init(&data, kData, sizeof(kData)); - - CHECK(CBS_get_u8_length_prefixed(&data, &prefixed)); - CHECK(CBS_len(&prefixed) == 1); - CHECK(CBS_get_u8(&prefixed, &u8)); - CHECK(u8 == 2); - CHECK(CBS_get_u16_length_prefixed(&data, &prefixed)); - CHECK(CBS_len(&prefixed) == 2); - CHECK(CBS_get_u16(&prefixed, &u16)); - CHECK(u16 == 0x304); - CHECK(CBS_get_u24_length_prefixed(&data, &prefixed)); - CHECK(CBS_len(&prefixed) == 3); - CHECK(CBS_get_u24(&prefixed, &u32)); - CHECK(u32 == 0x30201); - - return 1; -} - -static int -test_get_prefixed_bad(void) -{ - static const uint8_t kData1[] = {2, 1}; - static const uint8_t kData2[] = {0, 2, 1}; - static const uint8_t kData3[] = {0, 0, 2, 1}; - CBS data, prefixed; - - CBS_init(&data, kData1, sizeof(kData1)); - CHECK(!CBS_get_u8_length_prefixed(&data, &prefixed)); - - CBS_init(&data, kData2, sizeof(kData2)); - CHECK(!CBS_get_u16_length_prefixed(&data, &prefixed)); - - CBS_init(&data, kData3, sizeof(kData3)); - CHECK(!CBS_get_u24_length_prefixed(&data, &prefixed)); - - return 1; -} - -static int -test_peek_u(void) -{ - static const uint8_t kData[] = { - 1, 2, 3, 4, 5, 6, 7, 8, 9, - }; - uint8_t u8; - uint16_t u16; - uint32_t u32; - CBS data; - - CBS_init(&data, kData, sizeof(kData)); - - CHECK(CBS_peek_u8(&data, &u8)); - CHECK(u8 == 1); - CHECK(CBS_peek_u16(&data, &u16)); - CHECK(u16 == 0x102); - CHECK(CBS_peek_u24(&data, &u32)); - CHECK(u32 == 
0x10203); - CHECK(CBS_peek_u32(&data, &u32)); - CHECK(u32 == 0x1020304); - CHECK(CBS_get_u32(&data, &u32)); - CHECK(u32 == 0x1020304); - CHECK(CBS_peek_last_u8(&data, &u8)); - CHECK(u8 == 9); - CHECK(CBS_peek_u32(&data, &u32)); - CHECK(u32 == 0x5060708); - CHECK(CBS_get_u32(&data, &u32)); - CHECK(u32 == 0x5060708); - CHECK(CBS_get_u8(&data, &u8)); - CHECK(u8 == 9); - CHECK(!CBS_get_u8(&data, &u8)); - - return 1; -} - -static int -test_get_asn1(void) -{ - static const uint8_t kData1[] = {0x30, 2, 1, 2}; - static const uint8_t kData2[] = {0x30, 3, 1, 2}; - static const uint8_t kData3[] = {0x30, 0x80}; - static const uint8_t kData4[] = {0x30, 0x81, 1, 1}; - static const uint8_t kData5[4 + 0x80] = {0x30, 0x82, 0, 0x80}; - static const uint8_t kData6[] = {0xa1, 3, 0x4, 1, 1}; - static const uint8_t kData7[] = {0xa1, 3, 0x4, 2, 1}; - static const uint8_t kData8[] = {0xa1, 3, 0x2, 1, 1}; - static const uint8_t kData9[] = {0xa1, 3, 0x2, 1, 0xff}; - - CBS data, contents; - int present; - uint64_t value; - - CBS_init(&data, kData1, sizeof(kData1)); - - CHECK(!CBS_peek_asn1_tag(&data, 0x1)); - CHECK(CBS_peek_asn1_tag(&data, 0x30)); - - CHECK(CBS_get_asn1(&data, &contents, 0x30)); - CHECK(CBS_len(&contents) == 2); - CHECK(memcmp(CBS_data(&contents), "\x01\x02", 2) == 0); - - CBS_init(&data, kData2, sizeof(kData2)); - /* data is truncated */ - CHECK(!CBS_get_asn1(&data, &contents, 0x30)); - - CBS_init(&data, kData3, sizeof(kData3)); - /* zero byte length of length */ - CHECK(!CBS_get_asn1(&data, &contents, 0x30)); - - CBS_init(&data, kData4, sizeof(kData4)); - /* long form mistakenly used. */ - CHECK(!CBS_get_asn1(&data, &contents, 0x30)); - - CBS_init(&data, kData5, sizeof(kData5)); - /* length takes too many bytes. */ - CHECK(!CBS_get_asn1(&data, &contents, 0x30)); - - CBS_init(&data, kData1, sizeof(kData1)); - /* wrong tag. */ - CHECK(!CBS_get_asn1(&data, &contents, 0x31)); - - CBS_init(&data, NULL, 0); - /* peek at empty data. 
*/ - CHECK(!CBS_peek_asn1_tag(&data, 0x30)); - - CBS_init(&data, NULL, 0); - /* optional elements at empty data. */ - CHECK(CBS_get_optional_asn1(&data, &contents, &present, 0xa0)); - CHECK(!present); - CHECK(CBS_get_optional_asn1_octet_string(&data, &contents, &present, - 0xa0)); - CHECK(!present); - CHECK(CBS_len(&contents) == 0); - CHECK(CBS_get_optional_asn1_octet_string(&data, &contents, NULL, 0xa0)); - CHECK(CBS_len(&contents) == 0); - CHECK(CBS_get_optional_asn1_uint64(&data, &value, 0xa0, 42)); - CHECK(value == 42); - - CBS_init(&data, kData6, sizeof(kData6)); - /* optional element. */ - CHECK(CBS_get_optional_asn1(&data, &contents, &present, 0xa0)); - CHECK(!present); - CHECK(CBS_get_optional_asn1(&data, &contents, &present, 0xa1)); - CHECK(present); - CHECK(CBS_len(&contents) == 3); - CHECK(memcmp(CBS_data(&contents), "\x04\x01\x01", 3) == 0); - - CBS_init(&data, kData6, sizeof(kData6)); - /* optional octet string. */ - CHECK(CBS_get_optional_asn1_octet_string(&data, &contents, &present, - 0xa0)); - CHECK(!present); - CHECK(CBS_len(&contents) == 0); - CHECK(CBS_get_optional_asn1_octet_string(&data, &contents, &present, - 0xa1)); - CHECK(present); - CHECK(CBS_len(&contents) == 1); - CHECK(CBS_data(&contents)[0] == 1); - - CBS_init(&data, kData7, sizeof(kData7)); - /* invalid optional octet string. */ - CHECK(!CBS_get_optional_asn1_octet_string(&data, &contents, &present, - 0xa1)); - - CBS_init(&data, kData8, sizeof(kData8)); - /* optional octet string. */ - CHECK(CBS_get_optional_asn1_uint64(&data, &value, 0xa0, 42)); - CHECK(value == 42); - CHECK(CBS_get_optional_asn1_uint64(&data, &value, 0xa1, 42)); - CHECK(value == 1); - - CBS_init(&data, kData9, sizeof(kData9)); - /* invalid optional integer. 
*/ - CHECK(!CBS_get_optional_asn1_uint64(&data, &value, 0xa1, 42)); - - return 1; -} - -static int -test_get_optional_asn1_bool(void) -{ - CBS data; - int val; - - static const uint8_t kTrue[] = {0x0a, 3, CBS_ASN1_BOOLEAN, 1, 0xff}; - static const uint8_t kFalse[] = {0x0a, 3, CBS_ASN1_BOOLEAN, 1, 0x00}; - static const uint8_t kInvalid[] = {0x0a, 3, CBS_ASN1_BOOLEAN, 1, 0x01}; - - CBS_init(&data, NULL, 0); - val = 2; - CHECK(CBS_get_optional_asn1_bool(&data, &val, 0x0a, 0)); - CHECK(val == 0); - - CBS_init(&data, kTrue, sizeof(kTrue)); - val = 2; - CHECK(CBS_get_optional_asn1_bool(&data, &val, 0x0a, 0)); - CHECK(val == 1); - - CBS_init(&data, kFalse, sizeof(kFalse)); - val = 2; - CHECK(CBS_get_optional_asn1_bool(&data, &val, 0x0a, 1)); - CHECK(val == 0); - - CBS_init(&data, kInvalid, sizeof(kInvalid)); - CHECK(!CBS_get_optional_asn1_bool(&data, &val, 0x0a, 1)); - - return 1; -} - -static int -test_cbb_basic(void) -{ - static const uint8_t kExpected[] = { - 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, - 13, 14, 15, 16, 17, 18, 19, 20, - }; - uint8_t *buf = NULL; - size_t buf_len; - int ret = 0; - CBB cbb; - - CHECK(CBB_init(&cbb, 100)); - - CBB_cleanup(&cbb); - - CHECK(CBB_init(&cbb, 0)); - CHECK_GOTO(CBB_add_u8(&cbb, 1)); - CHECK_GOTO(CBB_add_u16(&cbb, 0x203)); - CHECK_GOTO(CBB_add_u24(&cbb, 0x40506)); - CHECK_GOTO(CBB_add_u32(&cbb, 0x708090a)); - CHECK_GOTO(CBB_add_bytes(&cbb, (const uint8_t*) "\x0b\x0c", 2)); - CHECK_GOTO(CBB_add_u64(&cbb, 0xd0e0f1011121314LL)); - CHECK_GOTO(CBB_finish(&cbb, &buf, &buf_len)); - - ret = (buf_len == sizeof(kExpected) - && memcmp(buf, kExpected, buf_len) == 0); - - if (0) { -err: - CBB_cleanup(&cbb); - } - free(buf); - return ret; -} - -static int -test_cbb_add_space(void) -{ - static const uint8_t kExpected[] = {1, 2, 0, 0, 0, 0, 7, 8}; - uint8_t *buf = NULL; - size_t buf_len; - uint8_t *data; - int ret = 0; - CBB cbb; - - CHECK(CBB_init(&cbb, 100)); - - CHECK_GOTO(CBB_add_u16(&cbb, 0x102)); - CHECK_GOTO(CBB_add_space(&cbb, &data, 4)); - 
CHECK_GOTO(CBB_add_u16(&cbb, 0x708)); - CHECK_GOTO(CBB_finish(&cbb, &buf, &buf_len)); - - ret |= (buf_len == sizeof(kExpected) - && memcmp(buf, kExpected, buf_len) == 0); - - memset(buf, 0xa5, buf_len); - CHECK(CBB_init_fixed(&cbb, buf, buf_len)); - - CHECK_GOTO(CBB_add_u16(&cbb, 0x102)); - CHECK_GOTO(CBB_add_space(&cbb, &data, 4)); - CHECK_GOTO(CBB_add_u16(&cbb, 0x708)); - CHECK_GOTO(CBB_finish(&cbb, NULL, NULL)); - - ret |= (buf_len == sizeof(kExpected) - && memcmp(buf, kExpected, buf_len) == 0); - - if (0) { -err: - CBB_cleanup(&cbb); - } - free(buf); - return ret; -} - -static int -test_cbb_fixed(void) -{ - CBB cbb; - uint8_t buf[1]; - uint8_t *out_buf = NULL; - size_t out_size; - int ret = 0; - - CHECK(CBB_init_fixed(&cbb, NULL, 0)); - CHECK_GOTO(!CBB_add_u8(&cbb, 1)); - CHECK_GOTO(CBB_finish(&cbb, &out_buf, &out_size)); - CHECK(out_buf == NULL && out_size == 0); - - CHECK(CBB_init_fixed(&cbb, buf, 1)); - CHECK_GOTO(CBB_add_u8(&cbb, 1)); - CHECK_GOTO(!CBB_add_u8(&cbb, 2)); - CHECK_GOTO(CBB_finish(&cbb, &out_buf, &out_size)); - - ret = (out_buf == buf && out_size == 1 && buf[0] == 1); - - if (0) { -err: - CBB_cleanup(&cbb); - } - - return ret; -} - -static int -test_cbb_finish_child(void) -{ - CBB cbb, child; - uint8_t *out_buf = NULL; - size_t out_size; - int ret = 0; - - CHECK(CBB_init(&cbb, 16)); - CHECK_GOTO(CBB_add_u8_length_prefixed(&cbb, &child)); - CHECK_GOTO(!CBB_finish(&child, &out_buf, &out_size)); - CHECK_GOTO(CBB_finish(&cbb, &out_buf, &out_size)); - - ret = (out_size == 1 && out_buf[0] == 0); - -err: - free(out_buf); - return ret; -} - -static int -test_cbb_prefixed(void) -{ - static const uint8_t kExpected[] = {0, 1, 1, 0, 2, 2, 3, 0, 0, 3, - 4, 5, 6, 5, 4, 1, 0, 1, 2}; - CBB cbb, contents, inner_contents, inner_inner_contents; - uint8_t *buf = NULL; - size_t buf_len; - int ret = 0; - - CHECK(CBB_init(&cbb, 0)); - CHECK_GOTO(CBB_add_u8_length_prefixed(&cbb, &contents)); - CHECK_GOTO(CBB_add_u8_length_prefixed(&cbb, &contents)); - 
CHECK_GOTO(CBB_add_u8(&contents, 1)); - CHECK_GOTO(CBB_add_u16_length_prefixed(&cbb, &contents)); - CHECK_GOTO(CBB_add_u16(&contents, 0x203)); - CHECK_GOTO(CBB_add_u24_length_prefixed(&cbb, &contents)); - CHECK_GOTO(CBB_add_u24(&contents, 0x40506)); - CHECK_GOTO(CBB_add_u8_length_prefixed(&cbb, &contents)); - CHECK_GOTO(CBB_add_u8_length_prefixed(&contents, &inner_contents)); - CHECK_GOTO(CBB_add_u8(&inner_contents, 1)); - CHECK_GOTO(CBB_add_u16_length_prefixed(&inner_contents, - &inner_inner_contents)); - CHECK_GOTO(CBB_add_u8(&inner_inner_contents, 2)); - CHECK_GOTO(CBB_finish(&cbb, &buf, &buf_len)); - - ret = (buf_len == sizeof(kExpected) - && memcmp(buf, kExpected, buf_len) == 0); - - if (0) { -err: - CBB_cleanup(&cbb); - } - free(buf); - return ret; -} - -static int -test_cbb_discard_child(void) -{ - static const uint8_t kExpected[] = { - 0xaa, - 0, - 1, 0xbb, - 0, 2, 0xcc, 0xcc, - 0, 0, 3, 0xdd, 0xdd, 0xdd, - 1, 0xff, - }; - CBB cbb, contents, inner_contents, inner_inner_contents; - uint8_t *buf = NULL; - size_t buf_len; - int ret = 0; - - CHECK(CBB_init(&cbb, 0)); - CHECK_GOTO(CBB_add_u8(&cbb, 0xaa)); - - // Discarding |cbb|'s children preserves the byte written. 
- CBB_discard_child(&cbb); - - CHECK_GOTO(CBB_add_u8_length_prefixed(&cbb, &contents)); - CHECK_GOTO(CBB_add_u8_length_prefixed(&cbb, &contents)); - CHECK_GOTO(CBB_add_u8(&contents, 0xbb)); - CHECK_GOTO(CBB_add_u16_length_prefixed(&cbb, &contents)); - CHECK_GOTO(CBB_add_u16(&contents, 0xcccc)); - CHECK_GOTO(CBB_add_u24_length_prefixed(&cbb, &contents)); - CHECK_GOTO(CBB_add_u24(&contents, 0xdddddd)); - CHECK_GOTO(CBB_add_u8_length_prefixed(&cbb, &contents)); - CHECK_GOTO(CBB_add_u8(&contents, 0xff)); - CHECK_GOTO(CBB_add_u8_length_prefixed(&contents, &inner_contents)); - CHECK_GOTO(CBB_add_u8(&inner_contents, 0x42)); - CHECK_GOTO(CBB_add_u16_length_prefixed(&inner_contents, - &inner_inner_contents)); - CHECK_GOTO(CBB_add_u8(&inner_inner_contents, 0x99)); - - // Discard everything from |inner_contents| down. - CBB_discard_child(&contents); - - CHECK_GOTO(CBB_finish(&cbb, &buf, &buf_len)); - - ret = (buf_len == sizeof(kExpected) - && memcmp(buf, kExpected, buf_len) == 0); - - if (0) { -err: - CBB_cleanup(&cbb); - } - free(buf); - return ret; -} - -static int -test_cbb_misuse(void) -{ - CBB cbb, child, contents; - uint8_t *buf = NULL; - size_t buf_len; - int ret = 0; - - CHECK(CBB_init(&cbb, 0)); - CHECK_GOTO(CBB_add_u8_length_prefixed(&cbb, &child)); - CHECK_GOTO(CBB_add_u8(&child, 1)); - CHECK_GOTO(CBB_add_u8(&cbb, 2)); - - /* - * Since we wrote to |cbb|, |child| is now invalid and attempts to write - * to it should fail. 
- */ - CHECK_GOTO(!CBB_add_u8(&child, 1)); - CHECK_GOTO(!CBB_add_u16(&child, 1)); - CHECK_GOTO(!CBB_add_u24(&child, 1)); - CHECK_GOTO(!CBB_add_u8_length_prefixed(&child, &contents)); - CHECK_GOTO(!CBB_add_u16_length_prefixed(&child, &contents)); - CHECK_GOTO(!CBB_add_asn1(&child, &contents, 1)); - CHECK_GOTO(!CBB_add_bytes(&child, (const uint8_t*) "a", 1)); - CHECK_GOTO(CBB_finish(&cbb, &buf, &buf_len)); - - ret = (buf_len == 3 && memcmp(buf, "\x01\x01\x02", 3) == 0); - - if (0) { -err: - CBB_cleanup(&cbb); - } - free(buf); - return ret; -} - -static int -test_cbb_asn1(void) -{ - static const uint8_t kExpected[] = {0x30, 3, 1, 2, 3}; - uint8_t *buf = NULL, *test_data = NULL; - size_t buf_len; - CBB cbb, contents, inner_contents; - int ret = 0; - int alloc = 0; - - CHECK_GOTO(CBB_init(&cbb, 0)); - alloc = 1; - CHECK_GOTO(CBB_add_asn1(&cbb, &contents, 0x30)); - CHECK_GOTO(CBB_add_bytes(&contents, (const uint8_t*) "\x01\x02\x03", - 3)); - CHECK_GOTO(CBB_finish(&cbb, &buf, &buf_len)); - alloc = 0; - - CHECK_GOTO(buf_len == sizeof(kExpected)); - CHECK_GOTO(memcmp(buf, kExpected, buf_len) == 0); - - free(buf); - buf = NULL; - - CHECK_GOTO(((test_data = malloc(100000)) != NULL)); - memset(test_data, 0x42, 100000); - - CHECK_GOTO(CBB_init(&cbb, 0)); - alloc = 1; - CHECK_GOTO(CBB_add_asn1(&cbb, &contents, 0x30)); - CHECK_GOTO(CBB_add_bytes(&contents, test_data, 130)); - CHECK_GOTO(CBB_finish(&cbb, &buf, &buf_len)); - alloc = 0; - - CHECK_GOTO(buf_len == 3 + 130); - CHECK_GOTO(memcmp(buf, "\x30\x81\x82", 3) == 0); - CHECK_GOTO(memcmp(buf + 3, test_data, 130) == 0); - - free(buf); - buf = NULL; - - CHECK_GOTO(CBB_init(&cbb, 0)); - alloc = 1; - CHECK_GOTO(CBB_add_asn1(&cbb, &contents, 0x30)); - CHECK_GOTO(CBB_add_bytes(&contents, test_data, 1000)); - CHECK_GOTO(CBB_finish(&cbb, &buf, &buf_len)); - alloc = 0; - - CHECK_GOTO(buf_len == 4 + 1000); - CHECK_GOTO(memcmp(buf, "\x30\x82\x03\xe8", 4) == 0); - CHECK_GOTO(!memcmp(buf + 4, test_data, 1000)); - - free(buf); - buf = NULL; - 
- CHECK_GOTO(CBB_init(&cbb, 0));
- alloc = 1;
- CHECK_GOTO(CBB_add_asn1(&cbb, &contents, 0x30));
- CHECK_GOTO(CBB_add_asn1(&contents, &inner_contents, 0x30));
- CHECK_GOTO(CBB_add_bytes(&inner_contents, test_data, 100000));
- CHECK_GOTO(CBB_finish(&cbb, &buf, &buf_len));
- alloc = 0;
-
- CHECK_GOTO(buf_len == 5 + 5 + 100000);
- CHECK_GOTO(memcmp(buf, "\x30\x83\x01\x86\xa5\x30\x83\x01\x86\xa0", 10)
- == 0);
- CHECK_GOTO(!memcmp(buf + 10, test_data, 100000));
-
- ret = 1;
-
- if (0) {
-err:
- if (alloc)
- CBB_cleanup(&cbb);
- }
- free(buf);
- free(test_data);
- return ret;
-}
-
-static int
-do_indefinite_convert(const char *name, const uint8_t *definite_expected,
- size_t definite_len, const uint8_t *indefinite, size_t indefinite_len)
-{
- CBS in;
- uint8_t *out = NULL;
- size_t out_len;
- int ret = 0;
-
- CBS_init(&in, indefinite, indefinite_len);
-
- CHECK_GOTO(CBS_asn1_indefinite_to_definite(&in, &out, &out_len));
-
- if (out == NULL) {
-
- if (indefinite_len != definite_len ||
- memcmp(definite_expected, indefinite, indefinite_len) != 0) {
- PRINT_ERROR;
- goto err;
- }
-
- return 1;
- }
-
- if (out_len != definite_len ||
- memcmp(out, definite_expected, definite_len) != 0) {
- PRINT_ERROR;
- goto err;
- }
-
- ret = 1;
-err:
- free(out);
- return ret;
-}
-
-static int
-test_indefinite_convert(void)
-{
- static const uint8_t kSimpleBER[] = {0x01, 0x01, 0x00};
-
- /* kIndefBER contains a SEQUENCE with an indefinite length. */
- static const uint8_t kIndefBER[] = {0x30, 0x80, 0x01, 0x01, 0x02, 0x00,
- 0x00};
- static const uint8_t kIndefDER[] = {0x30, 0x03, 0x01, 0x01, 0x02};
-
- /*
- * kOctetStringBER contains an indefinite length OCTETSTRING with two
- * parts. These parts need to be concatenated in DER form.
- */
- static const uint8_t kOctetStringBER[] = {0x24, 0x80, 0x04, 0x02, 0,
- 1, 0x04, 0x02, 2, 3, 0x00, 0x00};
- static const uint8_t kOctetStringDER[] = {0x04, 0x04, 0, 1, 2, 3};
-
- /*
- * kNSSBER is part of a PKCS#12 message generated by NSS that uses
- * indefinite length elements extensively.
- */
- static const uint8_t kNSSBER[] = {
- 0x30, 0x80, 0x02, 0x01, 0x03, 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86,
- 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0xa0, 0x80, 0x24, 0x80,
- 0x04, 0x04, 0x01, 0x02, 0x03, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x30, 0x39, 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e,
- 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14, 0x84, 0x98, 0xfc, 0x66,
- 0x33, 0xee, 0xba, 0xe7, 0x90, 0xc1, 0xb6, 0xe8, 0x8f, 0xfe, 0x1d,
- 0xc5, 0xa5, 0x97, 0x93, 0x3e, 0x04, 0x10, 0x38, 0x62, 0xc6, 0x44,
- 0x12, 0xd5, 0x30, 0x00, 0xf8, 0xf2, 0x1b, 0xf0, 0x6e, 0x10, 0x9b,
- 0xb8, 0x02, 0x02, 0x07, 0xd0, 0x00, 0x00,
- };
-
- static const uint8_t kNSSDER[] = {
- 0x30, 0x53, 0x02, 0x01, 0x03, 0x30, 0x13, 0x06, 0x09, 0x2a, 0x86,
- 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0xa0, 0x06, 0x04, 0x04,
- 0x01, 0x02, 0x03, 0x04, 0x30, 0x39, 0x30, 0x21, 0x30, 0x09, 0x06,
- 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14, 0x84,
- 0x98, 0xfc, 0x66, 0x33, 0xee, 0xba, 0xe7, 0x90, 0xc1, 0xb6, 0xe8,
- 0x8f, 0xfe, 0x1d, 0xc5, 0xa5, 0x97, 0x93, 0x3e, 0x04, 0x10, 0x38,
- 0x62, 0xc6, 0x44, 0x12, 0xd5, 0x30, 0x00, 0xf8, 0xf2, 0x1b, 0xf0,
- 0x6e, 0x10, 0x9b, 0xb8, 0x02, 0x02, 0x07, 0xd0,
- };
-
- CHECK(do_indefinite_convert("kSimpleBER", kSimpleBER, sizeof(kSimpleBER),
- kSimpleBER, sizeof(kSimpleBER)));
- CHECK(do_indefinite_convert("kIndefBER", kIndefDER, sizeof(kIndefDER),
- kIndefBER, sizeof(kIndefBER)));
- CHECK(do_indefinite_convert("kOctetStringBER", kOctetStringDER,
- sizeof(kOctetStringDER), kOctetStringBER,
- sizeof(kOctetStringBER)));
- CHECK(do_indefinite_convert("kNSSBER", kNSSDER, sizeof(kNSSDER), kNSSBER,
- sizeof(kNSSBER)));
-
- return 1;
-}
-
-typedef struct {
- uint64_t value;
- const char *encoding;
- size_t encoding_len;
-} ASN1_UINT64_TEST;
-
-static const ASN1_UINT64_TEST kAsn1Uint64Tests[] = {
- {0, "\x02\x01\x00", 3},
- {1, "\x02\x01\x01", 3},
- {127, "\x02\x01\x7f", 3},
- {128, "\x02\x02\x00\x80", 4},
- {0xdeadbeef, "\x02\x05\x00\xde\xad\xbe\xef", 7},
- {OPENSSL_U64(0x0102030405060708),
- "\x02\x08\x01\x02\x03\x04\x05\x06\x07\x08", 10},
- {OPENSSL_U64(0xffffffffffffffff),
- "\x02\x09\x00\xff\xff\xff\xff\xff\xff\xff\xff", 11},
-};
-
-typedef struct {
- const char *encoding;
- size_t encoding_len;
-} ASN1_INVALID_UINT64_TEST;
-
-static const ASN1_INVALID_UINT64_TEST kAsn1InvalidUint64Tests[] = {
- /* Bad tag. */
- {"\x03\x01\x00", 3},
- /* Empty contents. */
- {"\x02\x00", 2},
- /* Negative number. */
- {"\x02\x01\x80", 3},
- /* Overflow. */
- {"\x02\x09\x01\x00\x00\x00\x00\x00\x00\x00\x00", 11},
- /* Leading zeros. */
- {"\x02\x02\x00\x01", 4},
-};
-
-static int
-test_asn1_uint64(void)
-{
- CBB cbb;
- uint8_t *out = NULL;
- size_t i;
- int ret = 0;
- int alloc = 0;
-
- for (i = 0; i < sizeof(kAsn1Uint64Tests) / sizeof(kAsn1Uint64Tests[0]);
- i++) {
- const ASN1_UINT64_TEST *test = &kAsn1Uint64Tests[i];
- CBS cbs;
- uint64_t value;
- size_t len;
-
- CBS_init(&cbs, (const uint8_t *)test->encoding,
- test->encoding_len);
-
- CHECK(CBS_get_asn1_uint64(&cbs, &value));
- CHECK(CBS_len(&cbs) == 0);
- CHECK(value == test->value);
-
- CHECK(CBB_init(&cbb, 0));
- alloc = 1;
- CHECK_GOTO(CBB_add_asn1_uint64(&cbb, test->value));
- CHECK_GOTO(CBB_finish(&cbb, &out, &len));
- alloc = 0;
-
- CHECK_GOTO(len == test->encoding_len);
- CHECK_GOTO(memcmp(out, test->encoding, len) == 0);
- free(out);
- out = NULL;
- }
-
- for (i = 0; i < sizeof(kAsn1InvalidUint64Tests)
- / sizeof(kAsn1InvalidUint64Tests[0]); i++) {
- const ASN1_INVALID_UINT64_TEST *test =
- &kAsn1InvalidUint64Tests[i];
- CBS cbs;
- uint64_t value;
-
- CBS_init(&cbs, (const uint8_t *)test->encoding,
- test->encoding_len);
- CHECK(!CBS_get_asn1_uint64(&cbs, &value));
-
}
-
- ret = 1;
-
- if (0) {
-err:
- if (alloc)
- CBB_cleanup(&cbb);
- }
- free(out);
-
- return ret;
-}
-
-static int
-test_offset(void)
-{
- uint8_t v;
- static const uint8_t input[] = {1, 2, 3, 4, 5};
- CBS data;
-
- CBS_init(&data, input, sizeof(input));
- CHECK(sizeof(input) == 5);
- CHECK(CBS_len(&data) == 5);
- CHECK(CBS_offset(&data) == 0);
- CHECK(CBS_get_u8(&data, &v));
- CHECK(v == 1);
- CHECK(CBS_len(&data) == 4);
- CHECK(CBS_offset(&data) == 1);
- CHECK(CBS_skip(&data, 2));
- CHECK(CBS_len(&data) == 2);
- CHECK(CBS_offset(&data) == 3);
- CHECK(CBS_get_u8(&data, &v));
- CHECK(v == 4);
- CHECK(CBS_get_u8(&data, &v));
- CHECK(v == 5);
- CHECK(CBS_len(&data) == 0);
- CHECK(CBS_offset(&data) == 5);
- CHECK(!CBS_skip(&data, 1));
-
- CBS_init(&data, input, sizeof(input));
- CHECK(CBS_skip(&data, 2));
- CHECK(CBS_len(&data) == 3);
- CHECK(CBS_offset(&data) == 2);
- CHECK(CBS_skip(&data, 3));
- CHECK(CBS_len(&data) == 0);
- CHECK(CBS_offset(&data) == 5);
- CHECK(!CBS_get_u8(&data, &v));
-
- return 1;
-}
-
-static int
-test_write_bytes(void)
-{
- int ret = 0;
- uint8_t v;
- size_t len;
- static const uint8_t input[] = {'f', 'o', 'o', 'b', 'a', 'r'};
- CBS data;
- uint8_t *tmp = NULL;
-
- CHECK_GOTO((tmp = malloc(sizeof(input))) != NULL);
- memset(tmp, 100, sizeof(input));
-
- CBS_init(&data, input, sizeof(input));
- CHECK_GOTO(CBS_len(&data) == 6);
- CHECK_GOTO(CBS_offset(&data) == 0);
- CHECK_GOTO(CBS_get_u8(&data, &v));
- CHECK_GOTO(v == 102 /* f */);
- CHECK_GOTO(CBS_skip(&data, 1));
- CHECK_GOTO(!CBS_skip(&data, 15));
- CHECK_GOTO(CBS_write_bytes(&data, tmp, sizeof(input), &len));
- CHECK_GOTO(len == 4);
- CHECK_GOTO(memcmp(input + 2, tmp, len) == 0);
- CHECK_GOTO(tmp[4] == 100 && tmp[5] == 100);
-
- ret = 1;
-
-err:
- free(tmp);
- return ret;
-}
-
-static int
-test_cbs_dup(void)
-{
- CBS data, check;
- static const uint8_t input[] = {'f', 'o', 'o', 'b', 'a', 'r'};
-
- CBS_init(&data, input, sizeof(input));
- CHECK(CBS_len(&data) == 6);
- CBS_dup(&data,
&check);
- CHECK(CBS_len(&check) == 6);
- CHECK(CBS_data(&data) == CBS_data(&check));
- CHECK(CBS_skip(&data, 1));
- CHECK(CBS_len(&data) == 5);
- CHECK(CBS_len(&check) == 6);
- CHECK(CBS_data(&data) == CBS_data(&check) + 1);
- CHECK(CBS_skip(&check, 1));
- CHECK(CBS_len(&data) == 5);
- CHECK(CBS_len(&check) == 5);
- CHECK(CBS_data(&data) == CBS_data(&check));
- CHECK(CBS_offset(&data) == 1);
- CHECK(CBS_offset(&check) == 1);
-
- CBS_init(&data, input, sizeof(input));
- CHECK(CBS_skip(&data, 5));
- CBS_dup(&data, &check);
- CHECK(CBS_len(&data) == 1);
- CHECK(CBS_len(&check) == 1);
- CHECK(CBS_data(&data) == input + 5);
- CHECK(CBS_data(&data) == CBS_data(&check));
- CHECK(CBS_offset(&data) == 5);
- CHECK(CBS_offset(&check) == 5);
-
- return 1;
-}
-
-int
-main(void)
-{
- int failed = 0;
-
- failed |= !test_skip();
- failed |= !test_get_u();
- failed |= !test_get_prefixed();
- failed |= !test_get_prefixed_bad();
- failed |= !test_peek_u();
- failed |= !test_get_asn1();
- failed |= !test_cbb_basic();
- failed |= !test_cbb_add_space();
- failed |= !test_cbb_fixed();
- failed |= !test_cbb_finish_child();
- failed |= !test_cbb_discard_child();
- failed |= !test_cbb_misuse();
- failed |= !test_cbb_prefixed();
- failed |= !test_cbb_asn1();
- failed |= !test_indefinite_convert();
- failed |= !test_asn1_uint64();
- failed |= !test_get_optional_asn1_bool();
- failed |= !test_offset();
- failed |= !test_write_bytes();
- failed |= !test_cbs_dup();
-
- if (!failed)
- printf("PASS\n");
- return failed;
-}
diff --git a/src/regress/lib/libssl/certs/ca-int-ecdsa.crl b/src/regress/lib/libssl/certs/ca-int-ecdsa.crl
deleted file mode 100644
index b904de3ef0..0000000000
--- a/src/regress/lib/libssl/certs/ca-int-ecdsa.crl
+++ /dev/null
@@ -1,8 +0,0 @@ ------BEGIN X509 CRL----- -MIHuMIGUMAoGCCqGSM49BAMCMC4xLDAqBgNVBAMMI0xpYnJlU1NMIFRlc3QgSW50 -ZXJtZWRpYXRlIENBIEVDRFNBFw0yMTEyMjcxNDQwNDBaFw0yMjAxMjYxNDQwNDBa -MDgwGgIJAOVssaaTYoH5Fw0yMTEyMjcxNDQwNDBaMBoCCQDlbLGmk2KB+xcNMjEx -MjI3MTQ0MDQwWjAKBggqhkjOPQQDAgNJADBGAiEA9FWkenCgh+6Rz0/nuS7DaiUR -J5imCs0Wx6TiG3YUL3oCIQDfTT+54eKAEFXeYN2oToZtHbTHh5YUici5GA/PDmOG -Ig== ------END X509 CRL----- diff --git a/src/regress/lib/libssl/certs/ca-int-ecdsa.pem b/src/regress/lib/libssl/certs/ca-int-ecdsa.pem deleted file mode 100644 index fa1db8638a..0000000000 --- a/src/regress/lib/libssl/certs/ca-int-ecdsa.pem +++ /dev/null @@ -1,13 +0,0 @@ -subject= CN = LibreSSL Test Intermediate CA ECDSA -issuer= CN = LibreSSL Test Root CA ECDSA ------BEGIN CERTIFICATE----- -MIIBrDCCAVOgAwIBAgIJAOVssaaTYoH3MAkGByqGSM49BAEwJjEkMCIGA1UEAwwb -TGlicmVTU0wgVGVzdCBSb290IENBIEVDRFNBMB4XDTIxMTIyNzE0NDA0MFoXDTMx -MTIyNTE0NDA0MFowLjEsMCoGA1UEAwwjTGlicmVTU0wgVGVzdCBJbnRlcm1lZGlh -dGUgQ0EgRUNEU0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATWRQbJh4aHPzHq -LOAmosW/o83bTpm3Sj1VxM44StmG7c1nnFM/+gS8rp2bVSgjWZQzRtZqGVGJgzbk -7/M1m3x3o2MwYTAdBgNVHQ4EFgQUF1Y9b/xKVxI5QsoCcoGrUA3kwggwHwYDVR0j -BBgwFoAUtvkat4UdcUEipt6L/PBgEFYH6AwwDwYDVR0TAQH/BAUwAwEB/zAOBgNV -HQ8BAf8EBAMCAQYwCQYHKoZIzj0EAQNIADBFAiBE4NiOdv/XRN3WWMnkE5QccvC6 -VThoIQRyBf4I97cRPQIhAK18dvwrLuOOfbhWMdkpNCddMkWZHxS7traw/8+s7OUU ------END CERTIFICATE----- diff --git a/src/regress/lib/libssl/certs/ca-int-rsa.crl b/src/regress/lib/libssl/certs/ca-int-rsa.crl deleted file mode 100644 index 481886ae57..0000000000 --- a/src/regress/lib/libssl/certs/ca-int-rsa.crl +++ /dev/null 
@@ -1,11 +0,0 @@ ------BEGIN X509 CRL----- -MIIBrDCBlTANBgkqhkiG9w0BAQsFADAsMSowKAYDVQQDDCFMaWJyZVNTTCBUZXN0 -IEludGVybWVkaWF0ZSBDQSBSU0EXDTIxMTIyNzE0NDAzOFoXDTIyMDEyNjE0NDAz -OFowODAaAgkA5WyxppNigfQXDTIxMTIyNzE0NDAzN1owGgIJAOVssaaTYoH2Fw0y -MTEyMjcxNDQwMzhaMA0GCSqGSIb3DQEBCwUAA4IBAQCGMtlhTlaOK7fK2OHXgoAf -lDr1FQfqfNo5ZNE2+VqOvjYfgwdOgfxIsIuUoNp9/NhzO3e4KNe6P/33axwIsy7o -RofbGYFSlHIYPEf1LyvH8z5mT2L2LAQAi+p+QMFizH6KNc74Oftygyi1bcJlN3CJ -dP9LyvACdJSna7dEh7Snu2hy8tEDAO/RxUrryOZca0+5I4aaD8QCdFwdicDQ8U1s -gTJ5w1gxkEWKv/J/AjCjRAVoAjE2/sUC1PPOJnZy7b0sS2Fv7zV7UAWSzO0KEYv+ -vav3UekGIgw0A5PDdWmUqCxE7aK71iy4EmlzMyVNULVcF1qX6qBQT5OpXr0Eo6WR ------END X509 CRL----- diff --git a/src/regress/lib/libssl/certs/ca-int-rsa.pem b/src/regress/lib/libssl/certs/ca-int-rsa.pem deleted file mode 100644 index b457ad6f9a..0000000000 --- a/src/regress/lib/libssl/certs/ca-int-rsa.pem +++ /dev/null 
@@ -1,22 +0,0 @@ -subject= CN = LibreSSL Test Intermediate CA RSA -issuer= CN = LibreSSL Test Root CA RSA ------BEGIN CERTIFICATE----- -MIIDNjCCAh6gAwIBAgIJAOVssaaTYoHyMA0GCSqGSIb3DQEBCwUAMCQxIjAgBgNV -BAMMGUxpYnJlU1NMIFRlc3QgUm9vdCBDQSBSU0EwHhcNMjExMjI3MTQ0MDM3WhcN -MzExMjI1MTQ0MDM3WjAsMSowKAYDVQQDDCFMaWJyZVNTTCBUZXN0IEludGVybWVk -aWF0ZSBDQSBSU0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD151AI -I+W9MrEP3dO0PEjg6L9E1R6+CG6u0LT3Jobc/rG2RXqKLasEaXoBWYiJoTImVxFT -wtrY+IDDTaEV4/4RGII1fY8Js7v5NpwoEh15jCoJ6/qDjKd4y1s1M48PlWYNNRmv -OBKRIu3Fz7scUa1RSBCp1bZeHbq/V5SzG419nDq2xpyuUrwmfBhDZTH+kUwBNGn8 -XVRFCRJQVP3qEAH02Zai2emSVj13KrhEWMtNyA8fa34GIuV23Q40RKW3jUgGBF+D -5jPNN8EZCj34nvvbjCCBs7cxZvD4F/MzGbatKpNmNOKXKibeg/xCq8B/F1uzHcl3 -IzJuViNtQ3RjQ/1pAgMBAAGjYzBhMB0GA1UdDgQWBBQ2oaFa//6a3ZNBNV0NlN3n -A9jiZjAfBgNVHSMEGDAWgBQ+S/x79Kw0KqURKAHyiOhdj/8V0TAPBgNVHRMBAf8E -BTADAQH/MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAcok2oSct -BOkm75qA8+4eUilGxTaqFPCqY8fk8MKNRKNNzaqirPaLJW62mZaxRHOn1Bw9uzL3 -jgz2PaTwA7n5GpKs3r5JLk8BdtRyeqMLmqJVJKKuu4GtJLCA8jhQm+XNA1Z324hg -kVeBHLPpLKvQxb+0lmbRBORq/OtMirq2yK8OlF2USrfQx0jmhSvvLpWyA0hhAXRS -gg1ds9aL57dELvk6gR7Unob+J0O2Xq3FRwz2O1k9fF86a0qrWUkxcnAjobC2BczC -7Fe5B194LgrX2U4IIrzwgJ19kmtrb1Qol2okECxomTYsbQY36sBs+LOKxSuiagu6 -ZgJtfcNeVMglYQ== ------END CERTIFICATE----- diff --git a/src/regress/lib/libssl/certs/ca-root-ecdsa.pem b/src/regress/lib/libssl/certs/ca-root-ecdsa.pem deleted file mode 100644 index c7862da58a..0000000000 --- a/src/regress/lib/libssl/certs/ca-root-ecdsa.pem +++ /dev/null 
@@ -1,13 +0,0 @@ -subject= CN = LibreSSL Test Root CA ECDSA -issuer= CN = LibreSSL Test Root CA ECDSA ------BEGIN CERTIFICATE----- -MIIBpjCCAUygAwIBAgIJALqTupYRbYuwMAoGCCqGSM49BAMCMCYxJDAiBgNVBAMM -G0xpYnJlU1NMIFRlc3QgUm9vdCBDQSBFQ0RTQTAeFw0yMTEyMjcxNDQwNDBaFw0z -MTEyMjUxNDQwNDBaMCYxJDAiBgNVBAMMG0xpYnJlU1NMIFRlc3QgUm9vdCBDQSBF -Q0RTQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABIxQjA3Gp+4irgwEumPY1/EG -lVy6/olnAc+4elWkj0SqqdjfWanQqO8wHFY0qICKq8lHKhcyw2v9oyOsNVXZj8Kj -YzBhMB0GA1UdDgQWBBS2+Rq3hR1xQSKm3ov88GAQVgfoDDAfBgNVHSMEGDAWgBS2 -+Rq3hR1xQSKm3ov88GAQVgfoDDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE -AwIBBjAKBggqhkjOPQQDAgNIADBFAiAqAN8RFQOAIXeJcxCHUCN1n3sUBuYF/XkS -VnTsAEU/kwIhANNk/xjGq9O2YeLEFT1InoltVlwM5P8oa7krPnPbFnwY ------END CERTIFICATE----- diff --git a/src/regress/lib/libssl/certs/ca-root-rsa.pem b/src/regress/lib/libssl/certs/ca-root-rsa.pem deleted file mode 100644 index daf3407a93..0000000000 --- a/src/regress/lib/libssl/certs/ca-root-rsa.pem +++ /dev/null 
@@ -1,22 +0,0 @@ -subject= CN = LibreSSL Test Root CA RSA -issuer= CN = LibreSSL Test Root CA RSA ------BEGIN CERTIFICATE----- -MIIDLjCCAhagAwIBAgIJAIuM+uV8F+LtMA0GCSqGSIb3DQEBCwUAMCQxIjAgBgNV -BAMMGUxpYnJlU1NMIFRlc3QgUm9vdCBDQSBSU0EwHhcNMjExMjI3MTQ0MDM3WhcN -MzExMjI1MTQ0MDM3WjAkMSIwIAYDVQQDDBlMaWJyZVNTTCBUZXN0IFJvb3QgQ0Eg -UlNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnvrj8h5JmJ+7V33R -wloqhM0nLvmidkmk1sqJaOi0GNXoMLnaut90+2TnRiFDbsblzAjTijQC6PEfaJTB -AEFBgNSQKdhVruYTL5HHhw/XHTjxqftizvJj1FsZh2n6gkTG/QOgbaDMCx+yFF88 -wro7Br32TZF+BuDuyzVcSPJUajYT+C9bWSq9jX8Fhvl5M3IOG7olg3gAMmU+E8SY -TaKhoJ7KGLHDEQP9NJknJusV8T72lY/TzacVDDOxEUxpuYtJ1Kayytflhs1065Ua -PkiIReoFnhK/tRAgyxz3bc6HDDmTz4FpyGPcAsSRtEbn1n1417hzH4Neq5eioVmx -hX1HTwIDAQABo2MwYTAdBgNVHQ4EFgQUPkv8e/SsNCqlESgB8ojoXY//FdEwHwYD -VR0jBBgwFoAUPkv8e/SsNCqlESgB8ojoXY//FdEwDwYDVR0TAQH/BAUwAwEB/zAO -BgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBAEYi6O+l7SS14myiZydm -eP0hS8+ABWz/xqzu81W5Uxo7XD3sNfz5hkhA3S2FrBg5xpDScAzsM9Og6VRuQA7/ -StWLc2gLvLI6cZNdOCOH/O4K6IYRGR0kXG7WA4MpBiDrPXZKXI3WcUNyTHM36Un4 -ZATRkO+xMLKFpnxHCkY5U9kp8xX5boNxtQsGkWfuG+fm7GVBaQapnvN+WRY4QXKQ -jF10CFUcIUNGG81XTEhQwpcP0b0ruZK6JBah4VG7lUHbJ6/WoYiGYXCToK09ohIX -PuWiVTiT9LH90U58No3NfinQPbE55mJju+YNNqLU4Wk3ub5rYpp0WFmo6T9kXL/z -fO8= ------END CERTIFICATE----- diff --git a/src/regress/lib/libssl/certs/client1-ecdsa-chain.pem b/src/regress/lib/libssl/certs/client1-ecdsa-chain.pem deleted file mode 100644 index 7a6883db94..0000000000 --- a/src/regress/lib/libssl/certs/client1-ecdsa-chain.pem +++ /dev/null 
@@ -1,27 +0,0 @@ -subject= CN = LibreSSL Test Client 1 ECDSA -issuer= CN = LibreSSL Test Intermediate CA ECDSA ------BEGIN CERTIFICATE----- -MIIBrTCCAVKgAwIBAgIJAOVssaaTYoH6MAoGCCqGSM49BAMCMC4xLDAqBgNVBAMM -I0xpYnJlU1NMIFRlc3QgSW50ZXJtZWRpYXRlIENBIEVDRFNBMB4XDTIxMTIyNzE0 -NDA0MFoXDTMxMTIyNTE0NDA0MFowJzElMCMGA1UEAwwcTGlicmVTU0wgVGVzdCBD -bGllbnQgMSBFQ0RTQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABMnRxZ9SVIjF -eygaoub4qyo/tQlHXpQ2U66mhwKhchXD02w3viqOW0qklPSRhwV4nFKsdkVTogCg -Y8AJokxKDU6jYDBeMB0GA1UdDgQWBBTikUU9S7ASdWw7fhaYVdDqUAyH+DAfBgNV -HSMEGDAWgBQXVj1v/EpXEjlCygJygatQDeTCCDAMBgNVHRMBAf8EAjAAMA4GA1Ud -DwEB/wQEAwIHgDAKBggqhkjOPQQDAgNJADBGAiEA+Aal+cjgT+pknsmAPbivSHY+ -9clFV0Ree1c+nPbBz8cCIQCZDS2G/X8QthK7hZwV2mYhwvd6M/8kwet4u39qJYx8 -eA== ------END CERTIFICATE----- -subject= CN = LibreSSL Test Intermediate CA ECDSA -issuer= CN = LibreSSL Test Root CA ECDSA ------BEGIN CERTIFICATE----- -MIIBrDCCAVOgAwIBAgIJAOVssaaTYoH3MAkGByqGSM49BAEwJjEkMCIGA1UEAwwb -TGlicmVTU0wgVGVzdCBSb290IENBIEVDRFNBMB4XDTIxMTIyNzE0NDA0MFoXDTMx -MTIyNTE0NDA0MFowLjEsMCoGA1UEAwwjTGlicmVTU0wgVGVzdCBJbnRlcm1lZGlh -dGUgQ0EgRUNEU0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATWRQbJh4aHPzHq -LOAmosW/o83bTpm3Sj1VxM44StmG7c1nnFM/+gS8rp2bVSgjWZQzRtZqGVGJgzbk -7/M1m3x3o2MwYTAdBgNVHQ4EFgQUF1Y9b/xKVxI5QsoCcoGrUA3kwggwHwYDVR0j -BBgwFoAUtvkat4UdcUEipt6L/PBgEFYH6AwwDwYDVR0TAQH/BAUwAwEB/zAOBgNV -HQ8BAf8EBAMCAQYwCQYHKoZIzj0EAQNIADBFAiBE4NiOdv/XRN3WWMnkE5QccvC6 -VThoIQRyBf4I97cRPQIhAK18dvwrLuOOfbhWMdkpNCddMkWZHxS7traw/8+s7OUU ------END CERTIFICATE----- diff --git a/src/regress/lib/libssl/certs/client1-ecdsa.pem b/src/regress/lib/libssl/certs/client1-ecdsa.pem deleted file mode 100644 index 7d1b2cfc00..0000000000 --- a/src/regress/lib/libssl/certs/client1-ecdsa.pem +++ /dev/null 
@@ -1,19 +0,0 @@ -subject= CN = LibreSSL Test Client 1 ECDSA -issuer= CN = LibreSSL Test Intermediate CA ECDSA ------BEGIN CERTIFICATE----- -MIIBrTCCAVKgAwIBAgIJAOVssaaTYoH6MAoGCCqGSM49BAMCMC4xLDAqBgNVBAMM -I0xpYnJlU1NMIFRlc3QgSW50ZXJtZWRpYXRlIENBIEVDRFNBMB4XDTIxMTIyNzE0 -NDA0MFoXDTMxMTIyNTE0NDA0MFowJzElMCMGA1UEAwwcTGlicmVTU0wgVGVzdCBD -bGllbnQgMSBFQ0RTQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABMnRxZ9SVIjF -eygaoub4qyo/tQlHXpQ2U66mhwKhchXD02w3viqOW0qklPSRhwV4nFKsdkVTogCg -Y8AJokxKDU6jYDBeMB0GA1UdDgQWBBTikUU9S7ASdWw7fhaYVdDqUAyH+DAfBgNV -HSMEGDAWgBQXVj1v/EpXEjlCygJygatQDeTCCDAMBgNVHRMBAf8EAjAAMA4GA1Ud -DwEB/wQEAwIHgDAKBggqhkjOPQQDAgNJADBGAiEA+Aal+cjgT+pknsmAPbivSHY+ -9clFV0Ree1c+nPbBz8cCIQCZDS2G/X8QthK7hZwV2mYhwvd6M/8kwet4u39qJYx8 -eA== ------END CERTIFICATE----- ------BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQghOgzNmZV/rLf5+I5 -pnOXJ3N6W8QE5biANh/RVNNmNImhRANCAATJ0cWfUlSIxXsoGqLm+KsqP7UJR16U -NlOupocCoXIVw9NsN74qjltKpJT0kYcFeJxSrHZFU6IAoGPACaJMSg1O ------END PRIVATE KEY----- diff --git a/src/regress/lib/libssl/certs/client1-rsa-chain.pem b/src/regress/lib/libssl/certs/client1-rsa-chain.pem deleted file mode 100644 index e5267eb346..0000000000 --- a/src/regress/lib/libssl/certs/client1-rsa-chain.pem +++ /dev/null 
@@ -1,44 +0,0 @@ -subject= CN = LibreSSL Test Client 1 RSA -issuer= CN = LibreSSL Test Intermediate CA RSA ------BEGIN CERTIFICATE----- -MIIDNDCCAhygAwIBAgIJAOVssaaTYoH1MA0GCSqGSIb3DQEBCwUAMCwxKjAoBgNV -BAMMIUxpYnJlU1NMIFRlc3QgSW50ZXJtZWRpYXRlIENBIFJTQTAeFw0yMTEyMjcx -NDQwMzhaFw0zMTEyMjUxNDQwMzhaMCUxIzAhBgNVBAMMGkxpYnJlU1NMIFRlc3Qg -Q2xpZW50IDEgUlNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyct5 -l3L4GIzbFPszUioY0/+W9IGnQqOlBtFJQSzJtM96/UcJ/9MEkz08UUaf07CTYWy/ -Qbwl3DizPV9yymiae64oe9RBc2Hh/Z88473Q6UZvPrdoexoVb159tTdvF8IDfIER -HEB2VAtssFvszERa04ndpDqS8tHfBcLGUCu2kZQ0FSCKbNSDLLwoQmyNgnWo8PDY -XshJGdABaTmnhpkrhJq2zeYiUResoWo8z08iVn7vLgjRNTi9mtXr5eC4L0DfEuZB -exaC8frQXH2rXKvojFrFwJ67QLwCOiUKbGlUQBeKS6iahgDL/dRprHqbNZFI7in4 -QiokqixjfzYSmALFqwIDAQABo2AwXjAdBgNVHQ4EFgQUNRNEZs+zkqBu6va5XyGv -UfzSKZQwHwYDVR0jBBgwFoAUNqGhWv/+mt2TQTVdDZTd5wPY4mYwDAYDVR0TAQH/ -BAIwADAOBgNVHQ8BAf8EBAMCB4AwDQYJKoZIhvcNAQELBQADggEBACmIu0ppKw1T -hzGAoyjxK0y1ffbIDvObcwAMtXSHprMNhkdk7jyQBiXpx4ngEg1LhalUUDkp9Yt1 -qUVjyM4cphJL7ni3N/SyoUtuYWY4s8mqIhloT5adaUJ24kHJ2eFzNBLDuno5wen4 -dXKevTZPNqkkNohbVHrrFewsqS8CYw+rfiNerOJYZzSMbueWK5Pck0od05STZlAE -/B2zesXgd3ZmRKM8jrlZS6gan1FaJOzwErccP7jWnrOeW9uLysRg0ww26/H8Q9xS -dm0L8IXjzmE/yodk/nrt9G72mJnUITt4uHW/1ibMi4+iUR0Ff4oeqrBHQAbRawMK -XKRzXhtI9sI= ------END CERTIFICATE----- -subject= CN = LibreSSL Test Intermediate CA RSA -issuer= CN = LibreSSL Test Root CA RSA ------BEGIN CERTIFICATE----- -MIIDNjCCAh6gAwIBAgIJAOVssaaTYoHyMA0GCSqGSIb3DQEBCwUAMCQxIjAgBgNV -BAMMGUxpYnJlU1NMIFRlc3QgUm9vdCBDQSBSU0EwHhcNMjExMjI3MTQ0MDM3WhcN -MzExMjI1MTQ0MDM3WjAsMSowKAYDVQQDDCFMaWJyZVNTTCBUZXN0IEludGVybWVk -aWF0ZSBDQSBSU0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD151AI -I+W9MrEP3dO0PEjg6L9E1R6+CG6u0LT3Jobc/rG2RXqKLasEaXoBWYiJoTImVxFT -wtrY+IDDTaEV4/4RGII1fY8Js7v5NpwoEh15jCoJ6/qDjKd4y1s1M48PlWYNNRmv -OBKRIu3Fz7scUa1RSBCp1bZeHbq/V5SzG419nDq2xpyuUrwmfBhDZTH+kUwBNGn8 -XVRFCRJQVP3qEAH02Zai2emSVj13KrhEWMtNyA8fa34GIuV23Q40RKW3jUgGBF+D 
-5jPNN8EZCj34nvvbjCCBs7cxZvD4F/MzGbatKpNmNOKXKibeg/xCq8B/F1uzHcl3 -IzJuViNtQ3RjQ/1pAgMBAAGjYzBhMB0GA1UdDgQWBBQ2oaFa//6a3ZNBNV0NlN3n -A9jiZjAfBgNVHSMEGDAWgBQ+S/x79Kw0KqURKAHyiOhdj/8V0TAPBgNVHRMBAf8E -BTADAQH/MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAcok2oSct -BOkm75qA8+4eUilGxTaqFPCqY8fk8MKNRKNNzaqirPaLJW62mZaxRHOn1Bw9uzL3 -jgz2PaTwA7n5GpKs3r5JLk8BdtRyeqMLmqJVJKKuu4GtJLCA8jhQm+XNA1Z324hg -kVeBHLPpLKvQxb+0lmbRBORq/OtMirq2yK8OlF2USrfQx0jmhSvvLpWyA0hhAXRS -gg1ds9aL57dELvk6gR7Unob+J0O2Xq3FRwz2O1k9fF86a0qrWUkxcnAjobC2BczC -7Fe5B194LgrX2U4IIrzwgJ19kmtrb1Qol2okECxomTYsbQY36sBs+LOKxSuiagu6 -ZgJtfcNeVMglYQ== ------END CERTIFICATE----- diff --git a/src/regress/lib/libssl/certs/client1-rsa.pem b/src/regress/lib/libssl/certs/client1-rsa.pem deleted file mode 100644 index 7e0c47cc46..0000000000 --- a/src/regress/lib/libssl/certs/client1-rsa.pem +++ /dev/null 
@@ -1,50 +0,0 @@ -subject= CN = LibreSSL Test Client 1 RSA -issuer= CN = LibreSSL Test Intermediate CA RSA ------BEGIN CERTIFICATE----- -MIIDNDCCAhygAwIBAgIJAOVssaaTYoH1MA0GCSqGSIb3DQEBCwUAMCwxKjAoBgNV -BAMMIUxpYnJlU1NMIFRlc3QgSW50ZXJtZWRpYXRlIENBIFJTQTAeFw0yMTEyMjcx -NDQwMzhaFw0zMTEyMjUxNDQwMzhaMCUxIzAhBgNVBAMMGkxpYnJlU1NMIFRlc3Qg -Q2xpZW50IDEgUlNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyct5 -l3L4GIzbFPszUioY0/+W9IGnQqOlBtFJQSzJtM96/UcJ/9MEkz08UUaf07CTYWy/ -Qbwl3DizPV9yymiae64oe9RBc2Hh/Z88473Q6UZvPrdoexoVb159tTdvF8IDfIER -HEB2VAtssFvszERa04ndpDqS8tHfBcLGUCu2kZQ0FSCKbNSDLLwoQmyNgnWo8PDY -XshJGdABaTmnhpkrhJq2zeYiUResoWo8z08iVn7vLgjRNTi9mtXr5eC4L0DfEuZB -exaC8frQXH2rXKvojFrFwJ67QLwCOiUKbGlUQBeKS6iahgDL/dRprHqbNZFI7in4 -QiokqixjfzYSmALFqwIDAQABo2AwXjAdBgNVHQ4EFgQUNRNEZs+zkqBu6va5XyGv -UfzSKZQwHwYDVR0jBBgwFoAUNqGhWv/+mt2TQTVdDZTd5wPY4mYwDAYDVR0TAQH/ -BAIwADAOBgNVHQ8BAf8EBAMCB4AwDQYJKoZIhvcNAQELBQADggEBACmIu0ppKw1T -hzGAoyjxK0y1ffbIDvObcwAMtXSHprMNhkdk7jyQBiXpx4ngEg1LhalUUDkp9Yt1 -qUVjyM4cphJL7ni3N/SyoUtuYWY4s8mqIhloT5adaUJ24kHJ2eFzNBLDuno5wen4 -dXKevTZPNqkkNohbVHrrFewsqS8CYw+rfiNerOJYZzSMbueWK5Pck0od05STZlAE -/B2zesXgd3ZmRKM8jrlZS6gan1FaJOzwErccP7jWnrOeW9uLysRg0ww26/H8Q9xS -dm0L8IXjzmE/yodk/nrt9G72mJnUITt4uHW/1ibMi4+iUR0Ff4oeqrBHQAbRawMK -XKRzXhtI9sI= ------END CERTIFICATE----- ------BEGIN PRIVATE KEY----- -MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDJy3mXcvgYjNsU -+zNSKhjT/5b0gadCo6UG0UlBLMm0z3r9Rwn/0wSTPTxRRp/TsJNhbL9BvCXcOLM9 -X3LKaJp7rih71EFzYeH9nzzjvdDpRm8+t2h7GhVvXn21N28XwgN8gREcQHZUC2yw -W+zMRFrTid2kOpLy0d8FwsZQK7aRlDQVIIps1IMsvChCbI2Cdajw8NheyEkZ0AFp -OaeGmSuEmrbN5iJRF6yhajzPTyJWfu8uCNE1OL2a1evl4LgvQN8S5kF7FoLx+tBc -fatcq+iMWsXAnrtAvAI6JQpsaVRAF4pLqJqGAMv91Gmseps1kUjuKfhCKiSqLGN/ -NhKYAsWrAgMBAAECggEAahMtnXDv/We9mi/Z8Gz0lCwcm/azh5IiI41MJph2hzcx -fYYkOXghRYzA8jBfv5VoQ6Q4fUN722Fqxu4vlzqZSj5oRX9z0EU52GomRcj30kgW -Hi+nGl7BucM/7Uxwd1qjHoVyCxnPmapPvfz0YwPjgqNMARJRQJcV1x9lw6rW03rW -qvoQKwnQ5vZRYldFnvYXRM0VUu8GdruaidWJ2Ra6FUFbEH+I77oIIoyWgXniq9jq 
-h0VJNRVCLwV4rFzmMkOAz1yxvJ+4UG9/wHYsZVhJDkyos1FVf0klKipKTS7Z87Em -aFlZ01JrM//kS/qdgohllCU8Xt1uVtvsYmJY9T6IEQKBgQD1IJzdopCI+BL7PfWf -qSpyUOgp+8J50CnIJ42ZdBWDhPZSbBqWmqbgBlnXEyPwkKVOhHde6td9DtxRVOiE -Zfy0gpUp4xWUxFdMKyW0+JmsmXiUJKIck6LxqfYDZUTzD2wp1/AhLGJ2M/J5e4IP -umr6IQ4BbDfKGp2NiHEQElCmdwKBgQDSvtOy71EhewJQ9slazR+10skSBbc5Ks9W -cy1fZKcnNB/dPenak5i8Gr04nPhhNvgAwmtDGb9hH1mwjHCUz/TaoPsbTKvtTN2N -MxFzQEsE9F803ULOvFOppe5YEy/M2OaDLHVil1bMwbrg3pGKD4TUfy5cE2NfCDi3 -JwlKk6uDbQKBgQCLAQ9zb7hes66v4pbjD18OrGq7RBUoVq8a3bMijf2VM1UrsDnz -pYd0CqXvnN8IkD3tpJi8rpe8Ry0QwgGI8vy2sEY+FpQqZJzMiLs9QKyEgBMsjwmP -Avmn6SWlD0xmORyxLc7yQOUk+phJ44wBt0jqxsvWarPIXAd0NydGYdxySQKBgAWo -B4iS8cuDQLGpngfo34QCz1DDhIJtSrlYSAx6aB4eQQiwI7mxInVSBmghlm0Ni6SB -k11usHtL2x1o95CW8Ex566N08FxjJsMmbr54KEtOv8tscOGZnmk8QeRtR2gpHi7B -H7lwtGy0em6UqrVY60jEzRq9jno7f0IzMwWkZwMVAoGAL9mQ8xVIaDNyhK477NvD -ZF2AWrHHLXDeTfwdI+HTCUdeDC208kgTx4Z/AX1cN7KQtWZfKIW0bWtCDnKsIwbK -zheDR2AjuDEbT9HWLtYgQvx5/fEc/yxJqtQk+n4CTrDY+rNeow51kziBKWFnu8Je -m38SJSK7uNLz5ZWNgj3XIUE= ------END PRIVATE KEY----- diff --git a/src/regress/lib/libssl/certs/client2-ecdsa-chain.pem b/src/regress/lib/libssl/certs/client2-ecdsa-chain.pem deleted file mode 100644 index 0cba867b7f..0000000000 --- a/src/regress/lib/libssl/certs/client2-ecdsa-chain.pem +++ /dev/null 
@@ -1,26 +0,0 @@ -subject= CN = LibreSSL Test Client 2 ECDSA -issuer= CN = LibreSSL Test Intermediate CA ECDSA ------BEGIN CERTIFICATE----- -MIIBpjCCAUygAwIBAgIDEAACMAoGCCqGSM49BAMCMC4xLDAqBgNVBAMMI0xpYnJl -U1NMIFRlc3QgSW50ZXJtZWRpYXRlIENBIEVDRFNBMB4XDTEwMDEwMTAwMDAwMFoX -DTIwMDEwMTAwMDAwMFowJzElMCMGA1UEAwwcTGlicmVTU0wgVGVzdCBDbGllbnQg -MiBFQ0RTQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABL7oVxdDfyspO7ozwbv+ -2QKCXR8Z1+JWKj6lLmAkN6GY/gXPYcCAtXOWRoVt5yg4YrH0eOJalah7yGjAeHLq -EHijYDBeMB0GA1UdDgQWBBRO8eCtJ/+3xfn+3qY31gP3Ch5JvDAfBgNVHSMEGDAW -gBQXVj1v/EpXEjlCygJygatQDeTCCDAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQE -AwIHgDAKBggqhkjOPQQDAgNIADBFAiEA10kcAL7I/Y0KVNryJGrfVa1er0uiUXxS -2GmnKWFCQKECID9PY+LK4+DNvxyn4ld47AGJZjdolx6mwLFHK8RvtLo9 ------END CERTIFICATE----- -subject= CN = LibreSSL Test Intermediate CA ECDSA -issuer= CN = LibreSSL Test Root CA ECDSA ------BEGIN CERTIFICATE----- -MIIBrDCCAVOgAwIBAgIJAOVssaaTYoH3MAkGByqGSM49BAEwJjEkMCIGA1UEAwwb -TGlicmVTU0wgVGVzdCBSb290IENBIEVDRFNBMB4XDTIxMTIyNzE0NDA0MFoXDTMx -MTIyNTE0NDA0MFowLjEsMCoGA1UEAwwjTGlicmVTU0wgVGVzdCBJbnRlcm1lZGlh -dGUgQ0EgRUNEU0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATWRQbJh4aHPzHq -LOAmosW/o83bTpm3Sj1VxM44StmG7c1nnFM/+gS8rp2bVSgjWZQzRtZqGVGJgzbk -7/M1m3x3o2MwYTAdBgNVHQ4EFgQUF1Y9b/xKVxI5QsoCcoGrUA3kwggwHwYDVR0j -BBgwFoAUtvkat4UdcUEipt6L/PBgEFYH6AwwDwYDVR0TAQH/BAUwAwEB/zAOBgNV -HQ8BAf8EBAMCAQYwCQYHKoZIzj0EAQNIADBFAiBE4NiOdv/XRN3WWMnkE5QccvC6 -VThoIQRyBf4I97cRPQIhAK18dvwrLuOOfbhWMdkpNCddMkWZHxS7traw/8+s7OUU ------END CERTIFICATE----- diff --git a/src/regress/lib/libssl/certs/client2-ecdsa.pem b/src/regress/lib/libssl/certs/client2-ecdsa.pem deleted file mode 100644 index f0576e6eb1..0000000000 --- a/src/regress/lib/libssl/certs/client2-ecdsa.pem +++ /dev/null 
@@ -1,18 +0,0 @@ -subject= CN = LibreSSL Test Client 2 ECDSA -issuer= CN = LibreSSL Test Intermediate CA ECDSA ------BEGIN CERTIFICATE----- -MIIBpjCCAUygAwIBAgIDEAACMAoGCCqGSM49BAMCMC4xLDAqBgNVBAMMI0xpYnJl -U1NMIFRlc3QgSW50ZXJtZWRpYXRlIENBIEVDRFNBMB4XDTEwMDEwMTAwMDAwMFoX -DTIwMDEwMTAwMDAwMFowJzElMCMGA1UEAwwcTGlicmVTU0wgVGVzdCBDbGllbnQg -MiBFQ0RTQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABL7oVxdDfyspO7ozwbv+ -2QKCXR8Z1+JWKj6lLmAkN6GY/gXPYcCAtXOWRoVt5yg4YrH0eOJalah7yGjAeHLq -EHijYDBeMB0GA1UdDgQWBBRO8eCtJ/+3xfn+3qY31gP3Ch5JvDAfBgNVHSMEGDAW -gBQXVj1v/EpXEjlCygJygatQDeTCCDAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQE -AwIHgDAKBggqhkjOPQQDAgNIADBFAiEA10kcAL7I/Y0KVNryJGrfVa1er0uiUXxS -2GmnKWFCQKECID9PY+LK4+DNvxyn4ld47AGJZjdolx6mwLFHK8RvtLo9 ------END CERTIFICATE----- ------BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgGJcFF0AYtzYr190f -tXnGfakMTr5zk0UO1nAfVSLMW2OhRANCAAS+6FcXQ38rKTu6M8G7/tkCgl0fGdfi -Vio+pS5gJDehmP4Fz2HAgLVzlkaFbecoOGKx9HjiWpWoe8howHhy6hB4 ------END PRIVATE KEY----- diff --git a/src/regress/lib/libssl/certs/client2-rsa-chain.pem b/src/regress/lib/libssl/certs/client2-rsa-chain.pem deleted file mode 100644 index bc09c2e059..0000000000 --- a/src/regress/lib/libssl/certs/client2-rsa-chain.pem +++ /dev/null 
@@ -1,44 +0,0 @@ -subject= CN = LibreSSL Test Client 2 RSA -issuer= CN = LibreSSL Test Intermediate CA RSA ------BEGIN CERTIFICATE----- -MIIDLjCCAhagAwIBAgIDEAACMA0GCSqGSIb3DQEBCwUAMCwxKjAoBgNVBAMMIUxp -YnJlU1NMIFRlc3QgSW50ZXJtZWRpYXRlIENBIFJTQTAeFw0xMDAxMDEwMDAwMDBa -Fw0yMDAxMDEwMDAwMDBaMCUxIzAhBgNVBAMMGkxpYnJlU1NMIFRlc3QgQ2xpZW50 -IDIgUlNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6TPjTtVn4l/2 -3g+XVWUMpxZWu1G3GJ1TY14loqG2lLcyFwHfbxPgjdeUYUXgKw2v3LKdK1xlwohi -7adKmf8ZsqgWYd+SWtvzyoEEEvWQVj5bbs2+EI9CTP4L96lqsiBYZoHxCI+TG3pY -6JOZQT2wmJEL0zeK9cmUXoaV6fQOcEtSmp6m8XWLEEyUZvVHG3OX+7FtcV0snDfz -XrnvpRpu4zolbCC6jysufU46VoJNrrKdPlDu4PbF8PKrJl7jOSULaYHqugIeniMV -V9enkg9t0Bb8bW5sW8/c4vwS52dlRNLHXkwGE7u9+XEVOGDJ+a01eRjVOxQwqptn -qrWTF++D0QIDAQABo2AwXjAdBgNVHQ4EFgQUmUxF57QtRFh9JBPTMx5rUvRjj+4w -HwYDVR0jBBgwFoAUNqGhWv/+mt2TQTVdDZTd5wPY4mYwDAYDVR0TAQH/BAIwADAO -BgNVHQ8BAf8EBAMCB4AwDQYJKoZIhvcNAQELBQADggEBAMAvLchG7tWtNXPK3+Ie -u+htMMPhgJCsHhEC0ssZezD3BfYHaJh7ayQwI1KWKrQOwu9z+oOGWQjoVmhBzoi2 -hmvH9vT4GFVnM5agf68USNLxQvlQiShfnqPZiy3EduwY0q+uNvvNYlHeLTp/Au7F -SesJqWoaMr3130n8QqiO8myNjUj3GVrmBBpFogU5qxQAHkcy2AbpkATjRtfG4Jn2 -DWXR9Yd56KuvmkpdVkw+DScOXbIgXmHyutJ7qDbm6lwXLD3U5ulvbSxXW/MhJpb9 -72UjtpQbhMzcyQwCvNrKnST+QqKMisAdkOOhCdEYTj8flpCbMA5bqwBRX+t+AMeD -4lY= ------END CERTIFICATE----- -subject= CN = LibreSSL Test Intermediate CA RSA -issuer= CN = LibreSSL Test Root CA RSA ------BEGIN CERTIFICATE----- -MIIDNjCCAh6gAwIBAgIJAOVssaaTYoHyMA0GCSqGSIb3DQEBCwUAMCQxIjAgBgNV -BAMMGUxpYnJlU1NMIFRlc3QgUm9vdCBDQSBSU0EwHhcNMjExMjI3MTQ0MDM3WhcN -MzExMjI1MTQ0MDM3WjAsMSowKAYDVQQDDCFMaWJyZVNTTCBUZXN0IEludGVybWVk -aWF0ZSBDQSBSU0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD151AI -I+W9MrEP3dO0PEjg6L9E1R6+CG6u0LT3Jobc/rG2RXqKLasEaXoBWYiJoTImVxFT -wtrY+IDDTaEV4/4RGII1fY8Js7v5NpwoEh15jCoJ6/qDjKd4y1s1M48PlWYNNRmv -OBKRIu3Fz7scUa1RSBCp1bZeHbq/V5SzG419nDq2xpyuUrwmfBhDZTH+kUwBNGn8 -XVRFCRJQVP3qEAH02Zai2emSVj13KrhEWMtNyA8fa34GIuV23Q40RKW3jUgGBF+D 
-5jPNN8EZCj34nvvbjCCBs7cxZvD4F/MzGbatKpNmNOKXKibeg/xCq8B/F1uzHcl3 -IzJuViNtQ3RjQ/1pAgMBAAGjYzBhMB0GA1UdDgQWBBQ2oaFa//6a3ZNBNV0NlN3n -A9jiZjAfBgNVHSMEGDAWgBQ+S/x79Kw0KqURKAHyiOhdj/8V0TAPBgNVHRMBAf8E -BTADAQH/MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAcok2oSct -BOkm75qA8+4eUilGxTaqFPCqY8fk8MKNRKNNzaqirPaLJW62mZaxRHOn1Bw9uzL3 -jgz2PaTwA7n5GpKs3r5JLk8BdtRyeqMLmqJVJKKuu4GtJLCA8jhQm+XNA1Z324hg -kVeBHLPpLKvQxb+0lmbRBORq/OtMirq2yK8OlF2USrfQx0jmhSvvLpWyA0hhAXRS -gg1ds9aL57dELvk6gR7Unob+J0O2Xq3FRwz2O1k9fF86a0qrWUkxcnAjobC2BczC -7Fe5B194LgrX2U4IIrzwgJ19kmtrb1Qol2okECxomTYsbQY36sBs+LOKxSuiagu6 -ZgJtfcNeVMglYQ== ------END CERTIFICATE----- diff --git a/src/regress/lib/libssl/certs/client2-rsa.pem b/src/regress/lib/libssl/certs/client2-rsa.pem deleted file mode 100644 index b4431ce674..0000000000 --- a/src/regress/lib/libssl/certs/client2-rsa.pem +++ /dev/null 
@@ -1,50 +0,0 @@ -subject= CN = LibreSSL Test Client 2 RSA -issuer= CN = LibreSSL Test Intermediate CA RSA ------BEGIN CERTIFICATE----- -MIIDLjCCAhagAwIBAgIDEAACMA0GCSqGSIb3DQEBCwUAMCwxKjAoBgNVBAMMIUxp -YnJlU1NMIFRlc3QgSW50ZXJtZWRpYXRlIENBIFJTQTAeFw0xMDAxMDEwMDAwMDBa -Fw0yMDAxMDEwMDAwMDBaMCUxIzAhBgNVBAMMGkxpYnJlU1NMIFRlc3QgQ2xpZW50 -IDIgUlNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6TPjTtVn4l/2 -3g+XVWUMpxZWu1G3GJ1TY14loqG2lLcyFwHfbxPgjdeUYUXgKw2v3LKdK1xlwohi -7adKmf8ZsqgWYd+SWtvzyoEEEvWQVj5bbs2+EI9CTP4L96lqsiBYZoHxCI+TG3pY -6JOZQT2wmJEL0zeK9cmUXoaV6fQOcEtSmp6m8XWLEEyUZvVHG3OX+7FtcV0snDfz -XrnvpRpu4zolbCC6jysufU46VoJNrrKdPlDu4PbF8PKrJl7jOSULaYHqugIeniMV -V9enkg9t0Bb8bW5sW8/c4vwS52dlRNLHXkwGE7u9+XEVOGDJ+a01eRjVOxQwqptn -qrWTF++D0QIDAQABo2AwXjAdBgNVHQ4EFgQUmUxF57QtRFh9JBPTMx5rUvRjj+4w -HwYDVR0jBBgwFoAUNqGhWv/+mt2TQTVdDZTd5wPY4mYwDAYDVR0TAQH/BAIwADAO -BgNVHQ8BAf8EBAMCB4AwDQYJKoZIhvcNAQELBQADggEBAMAvLchG7tWtNXPK3+Ie -u+htMMPhgJCsHhEC0ssZezD3BfYHaJh7ayQwI1KWKrQOwu9z+oOGWQjoVmhBzoi2 -hmvH9vT4GFVnM5agf68USNLxQvlQiShfnqPZiy3EduwY0q+uNvvNYlHeLTp/Au7F -SesJqWoaMr3130n8QqiO8myNjUj3GVrmBBpFogU5qxQAHkcy2AbpkATjRtfG4Jn2 -DWXR9Yd56KuvmkpdVkw+DScOXbIgXmHyutJ7qDbm6lwXLD3U5ulvbSxXW/MhJpb9 -72UjtpQbhMzcyQwCvNrKnST+QqKMisAdkOOhCdEYTj8flpCbMA5bqwBRX+t+AMeD -4lY= ------END CERTIFICATE----- ------BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDpM+NO1WfiX/be -D5dVZQynFla7UbcYnVNjXiWiobaUtzIXAd9vE+CN15RhReArDa/csp0rXGXCiGLt -p0qZ/xmyqBZh35Ja2/PKgQQS9ZBWPltuzb4Qj0JM/gv3qWqyIFhmgfEIj5Mbeljo -k5lBPbCYkQvTN4r1yZRehpXp9A5wS1KanqbxdYsQTJRm9Ucbc5f7sW1xXSycN/Ne -ue+lGm7jOiVsILqPKy59TjpWgk2usp0+UO7g9sXw8qsmXuM5JQtpgeq6Ah6eIxVX -16eSD23QFvxtbmxbz9zi/BLnZ2VE0sdeTAYTu735cRU4YMn5rTV5GNU7FDCqm2eq -tZMX74PRAgMBAAECggEAGghk06QXGLpFwLxU1H+XTf+8ZuTUX7cQXANiiCktTKS2 -vsLCwo+hfbQXKFS4lZXNkAGQcgq6gWDgSk9mkJJduAfzl7FxkRsEuBJ29fbbygTk -CBaHpSmY6SdjBp6u/nuF4suWsLH2ZhbeXfg8H4BXenCWtVl59b4vBe5YRemswvQv -DJzV9gVKDf7HnvcjUMBXNKNWk0cLlodKX6bRhpPbq/WNPAubA3z4Z0JZqnW9uuWa 
-wTd7QPeKxVbQmz5Y5hifKMI4ML5i1+Fo6Xvcdt1TwfeHYy+iPNtB8fEu1VdH25DN -iN5iiMOr7go8MOc4LxCZGsXqIDd6WYOg/DmCEsSiEQKBgQD78UT9ezhI7TLVmUdC -eQd8+oi1qXykHXpMvobCJUrEulF6/iZSICcVVdH/DcvGRPv7A+90QZWGcY2Bzhtz -8C2XFLqLvSyHegSA4P57PbHjBOqowFAWntLTn/gSOb+nYKSM5XzOQq7RQctYX3EO -jZb4GKhPOUwzy2Ugd9zNhqD8gwKBgQDs9VtAYvM2i3ylRLH/UdAu/E+oA05ydxT1 -dt4tK6R54KSZk+E/LM/k8D3p70tyiRbfky6DtGrGZSpyecCPdkNF0FJTRER1eDsb -Au2uH6zP0nn2FUnQnL5fcIkVlclukf8pMox5fbFcoZjIWti9TURIdMTkaQVX9LKf -Gme84UX2GwKBgQCqsJZuKbpDZjinkDZAKeFR4icW9KIWSkZekkKYbE2QpS6o5mEu -CMyR3tfsNfuV84zITq0/lWNpd6tIg0wEK3enwQp1vA/cJWXBry2ab30CcoVNGSXp -fWcWq22VY3yeOJKjRqNc1r671RigYeEl2/WpVoNJUWd4O9fivHJi6FBPYwKBgQDI -3B5y0K27gbex3C5J8A7ZlTTshYj8zGZuwEkK3yC30y2TpV/dDl5XgTHqV9aLixth -f0CBkfCkpeK6UOxib2wNBM6UGJ0zOixX9D6HSABT1eVeLKN6ezOAcUMykdrCqG0z -fc7HuT0b+TsqMp/gr1t/U8QGneNSsHCtH1PqLscAGwKBgFdecOiUhKezd6mReDYc -cBKBN/2EBPNCSKlzuskSGoU/mC0H+2Mj1XX4fx5Wjvjp3hqKEVgs/L8Eth1KYfgF -CaQzGAkavihH03L73to1Wj/K4XineBAKZLtXkdzWdB+kM8zkYJqmagh6h6BlXFun -TJvYJYIK9U3kvhZtsD6w1slZ ------END PRIVATE KEY----- diff --git a/src/regress/lib/libssl/certs/client3-ecdsa-chain.pem b/src/regress/lib/libssl/certs/client3-ecdsa-chain.pem deleted file mode 100644 index a389943eeb..0000000000 --- a/src/regress/lib/libssl/certs/client3-ecdsa-chain.pem +++ /dev/null 
@@ -1,26 +0,0 @@ -subject= CN = LibreSSL Test Client 3 ECDSA -issuer= CN = LibreSSL Test Intermediate CA ECDSA ------BEGIN CERTIFICATE----- -MIIBqjCCAVGgAwIBAgIJAOVssaaTYoH7MAkGByqGSM49BAEwLjEsMCoGA1UEAwwj -TGlicmVTU0wgVGVzdCBJbnRlcm1lZGlhdGUgQ0EgRUNEU0EwHhcNMjExMjI3MTQ0 -MDQwWhcNMzExMjI1MTQ0MDQwWjAnMSUwIwYDVQQDDBxMaWJyZVNTTCBUZXN0IENs -aWVudCAzIEVDRFNBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEqlNqEjPuPpw3 -HaWxXbWql6f9g2HPei7RGZRfEAeNrnWT+Y4okVoqcxjeLNBA6dNl3uALWbSmDu6a -kmBSU1aY9KNgMF4wHQYDVR0OBBYEFKxGR7LhwxXUGYyxjqBrxi5RKHamMB8GA1Ud -IwQYMBaAFBdWPW/8SlcSOULKAnKBq1AN5MIIMAwGA1UdEwEB/wQCMAAwDgYDVR0P -AQH/BAQDAgeAMAkGByqGSM49BAEDSAAwRQIhAMFzwaCpvWiXD+zEZ/mUBdbMQq2W -JLELD9Mv11NiBhi6AiAN/QNQjluNEUTkxCH6p9bQiOYCQ3DOnPTxrSly/RQOSQ== ------END CERTIFICATE----- -subject= CN = LibreSSL Test Intermediate CA ECDSA -issuer= CN = LibreSSL Test Root CA ECDSA ------BEGIN CERTIFICATE----- -MIIBrDCCAVOgAwIBAgIJAOVssaaTYoH3MAkGByqGSM49BAEwJjEkMCIGA1UEAwwb -TGlicmVTU0wgVGVzdCBSb290IENBIEVDRFNBMB4XDTIxMTIyNzE0NDA0MFoXDTMx -MTIyNTE0NDA0MFowLjEsMCoGA1UEAwwjTGlicmVTU0wgVGVzdCBJbnRlcm1lZGlh -dGUgQ0EgRUNEU0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATWRQbJh4aHPzHq -LOAmosW/o83bTpm3Sj1VxM44StmG7c1nnFM/+gS8rp2bVSgjWZQzRtZqGVGJgzbk -7/M1m3x3o2MwYTAdBgNVHQ4EFgQUF1Y9b/xKVxI5QsoCcoGrUA3kwggwHwYDVR0j -BBgwFoAUtvkat4UdcUEipt6L/PBgEFYH6AwwDwYDVR0TAQH/BAUwAwEB/zAOBgNV -HQ8BAf8EBAMCAQYwCQYHKoZIzj0EAQNIADBFAiBE4NiOdv/XRN3WWMnkE5QccvC6 -VThoIQRyBf4I97cRPQIhAK18dvwrLuOOfbhWMdkpNCddMkWZHxS7traw/8+s7OUU ------END CERTIFICATE----- diff --git a/src/regress/lib/libssl/certs/client3-ecdsa.pem b/src/regress/lib/libssl/certs/client3-ecdsa.pem deleted file mode 100644 index f42528bfa2..0000000000 --- a/src/regress/lib/libssl/certs/client3-ecdsa.pem +++ /dev/null 
@@ -1,18 +0,0 @@ -subject= CN = LibreSSL Test Client 3 ECDSA -issuer= CN = LibreSSL Test Intermediate CA ECDSA ------BEGIN CERTIFICATE----- -MIIBqjCCAVGgAwIBAgIJAOVssaaTYoH7MAkGByqGSM49BAEwLjEsMCoGA1UEAwwj -TGlicmVTU0wgVGVzdCBJbnRlcm1lZGlhdGUgQ0EgRUNEU0EwHhcNMjExMjI3MTQ0 -MDQwWhcNMzExMjI1MTQ0MDQwWjAnMSUwIwYDVQQDDBxMaWJyZVNTTCBUZXN0IENs -aWVudCAzIEVDRFNBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEqlNqEjPuPpw3 -HaWxXbWql6f9g2HPei7RGZRfEAeNrnWT+Y4okVoqcxjeLNBA6dNl3uALWbSmDu6a -kmBSU1aY9KNgMF4wHQYDVR0OBBYEFKxGR7LhwxXUGYyxjqBrxi5RKHamMB8GA1Ud -IwQYMBaAFBdWPW/8SlcSOULKAnKBq1AN5MIIMAwGA1UdEwEB/wQCMAAwDgYDVR0P -AQH/BAQDAgeAMAkGByqGSM49BAEDSAAwRQIhAMFzwaCpvWiXD+zEZ/mUBdbMQq2W -JLELD9Mv11NiBhi6AiAN/QNQjluNEUTkxCH6p9bQiOYCQ3DOnPTxrSly/RQOSQ== ------END CERTIFICATE----- ------BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgfaMOzQZ+d1yL3ToI -VPcHtdkIVhqatu/rDcJLuJcNnQehRANCAASqU2oSM+4+nDcdpbFdtaqXp/2DYc96 -LtEZlF8QB42udZP5jiiRWipzGN4s0EDp02Xe4AtZtKYO7pqSYFJTVpj0 ------END PRIVATE KEY----- diff --git a/src/regress/lib/libssl/certs/client3-rsa-chain.pem b/src/regress/lib/libssl/certs/client3-rsa-chain.pem deleted file mode 100644 index 251344f934..0000000000 --- a/src/regress/lib/libssl/certs/client3-rsa-chain.pem +++ /dev/null 
@@ -1,44 +0,0 @@ -subject= CN = LibreSSL Test Client 3 RSA -issuer= CN = LibreSSL Test Intermediate CA RSA ------BEGIN CERTIFICATE----- -MIIDNDCCAhygAwIBAgIJAOVssaaTYoH2MA0GCSqGSIb3DQEBCwUAMCwxKjAoBgNV -BAMMIUxpYnJlU1NMIFRlc3QgSW50ZXJtZWRpYXRlIENBIFJTQTAeFw0yMTEyMjcx -NDQwMzhaFw0zMTEyMjUxNDQwMzhaMCUxIzAhBgNVBAMMGkxpYnJlU1NMIFRlc3Qg -Q2xpZW50IDMgUlNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp1vW -q3L63zPi8RJaJ07LsR05gCBYJ7FrnprqKbo7swLra3HE5WQFTxxOPkzBBnCUEaa2 -tqPtov34mrOmnYTQDBxpljx5u6AzjgMfwJZfh7CtGf893nbbP7T2f3pXAFBR0A32 -xmEvso5afyLNRvmxCsrdr2u73bETmBqFQFgGrhtBpTeGqsixgOegZzKHVF67ZjJi -e+faM24GAtkOiPB7PfVgZFyTfe8HQsqqcMRVtjd7JxuN33k8cFIWqv5i8oqVLBME -mLFM2WFIYNTsMtQ38eA7xieuuK6OPTp+cJKQY6jA3wUJOTRt9UE7pEjxOTumckfM -u/ZE1+AODHkH97FptwIDAQABo2AwXjAdBgNVHQ4EFgQUz44RRa+P1oRBVI6lla3o -VsVQq7swHwYDVR0jBBgwFoAUNqGhWv/+mt2TQTVdDZTd5wPY4mYwDAYDVR0TAQH/ -BAIwADAOBgNVHQ8BAf8EBAMCB4AwDQYJKoZIhvcNAQELBQADggEBAFgL5955qwHN -vFGnAKoHhoszX3qf2h8zc5HvFfnbvZbBbsuRFW1/QGfQPGWDq8YUlb6wu8NjLjSM -qTSYd1CvWXO1s91kr3LM5k7+9x+whOgbzWjGiprloS9pXcZ+ljTunW4o7jE7pPjZ -opk7W2WmD7/dEDg10x0yDZnKbzea5PMpp6kLqNjtENW4SETtcnwBdi/MZ09ApuUC -E+XWK/uKmxbIJ7Rt/Vi5H3BE74w7souq7fMwGGk7NL8Fmha78VQApKvZV/Rsfrio -D0vVU8djTlEJyXCeqFYU2eKWhc0bfiONIFJ6Wtg/1cR6Jn12+6X36J+wW1G3ibMu -ey+V9oVpM2U= ------END CERTIFICATE----- -subject= CN = LibreSSL Test Intermediate CA RSA -issuer= CN = LibreSSL Test Root CA RSA ------BEGIN CERTIFICATE----- -MIIDNjCCAh6gAwIBAgIJAOVssaaTYoHyMA0GCSqGSIb3DQEBCwUAMCQxIjAgBgNV -BAMMGUxpYnJlU1NMIFRlc3QgUm9vdCBDQSBSU0EwHhcNMjExMjI3MTQ0MDM3WhcN -MzExMjI1MTQ0MDM3WjAsMSowKAYDVQQDDCFMaWJyZVNTTCBUZXN0IEludGVybWVk -aWF0ZSBDQSBSU0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD151AI -I+W9MrEP3dO0PEjg6L9E1R6+CG6u0LT3Jobc/rG2RXqKLasEaXoBWYiJoTImVxFT -wtrY+IDDTaEV4/4RGII1fY8Js7v5NpwoEh15jCoJ6/qDjKd4y1s1M48PlWYNNRmv -OBKRIu3Fz7scUa1RSBCp1bZeHbq/V5SzG419nDq2xpyuUrwmfBhDZTH+kUwBNGn8 -XVRFCRJQVP3qEAH02Zai2emSVj13KrhEWMtNyA8fa34GIuV23Q40RKW3jUgGBF+D 
-5jPNN8EZCj34nvvbjCCBs7cxZvD4F/MzGbatKpNmNOKXKibeg/xCq8B/F1uzHcl3 -IzJuViNtQ3RjQ/1pAgMBAAGjYzBhMB0GA1UdDgQWBBQ2oaFa//6a3ZNBNV0NlN3n -A9jiZjAfBgNVHSMEGDAWgBQ+S/x79Kw0KqURKAHyiOhdj/8V0TAPBgNVHRMBAf8E -BTADAQH/MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAcok2oSct -BOkm75qA8+4eUilGxTaqFPCqY8fk8MKNRKNNzaqirPaLJW62mZaxRHOn1Bw9uzL3 -jgz2PaTwA7n5GpKs3r5JLk8BdtRyeqMLmqJVJKKuu4GtJLCA8jhQm+XNA1Z324hg -kVeBHLPpLKvQxb+0lmbRBORq/OtMirq2yK8OlF2USrfQx0jmhSvvLpWyA0hhAXRS -gg1ds9aL57dELvk6gR7Unob+J0O2Xq3FRwz2O1k9fF86a0qrWUkxcnAjobC2BczC -7Fe5B194LgrX2U4IIrzwgJ19kmtrb1Qol2okECxomTYsbQY36sBs+LOKxSuiagu6 -ZgJtfcNeVMglYQ== ------END CERTIFICATE----- diff --git a/src/regress/lib/libssl/certs/client3-rsa.pem b/src/regress/lib/libssl/certs/client3-rsa.pem deleted file mode 100644 index b825391c52..0000000000 --- a/src/regress/lib/libssl/certs/client3-rsa.pem +++ /dev/null 
@@ -1,50 +0,0 @@ -subject= CN = LibreSSL Test Client 3 RSA -issuer= CN = LibreSSL Test Intermediate CA RSA ------BEGIN CERTIFICATE----- -MIIDNDCCAhygAwIBAgIJAOVssaaTYoH2MA0GCSqGSIb3DQEBCwUAMCwxKjAoBgNV -BAMMIUxpYnJlU1NMIFRlc3QgSW50ZXJtZWRpYXRlIENBIFJTQTAeFw0yMTEyMjcx -NDQwMzhaFw0zMTEyMjUxNDQwMzhaMCUxIzAhBgNVBAMMGkxpYnJlU1NMIFRlc3Qg -Q2xpZW50IDMgUlNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp1vW -q3L63zPi8RJaJ07LsR05gCBYJ7FrnprqKbo7swLra3HE5WQFTxxOPkzBBnCUEaa2 -tqPtov34mrOmnYTQDBxpljx5u6AzjgMfwJZfh7CtGf893nbbP7T2f3pXAFBR0A32 -xmEvso5afyLNRvmxCsrdr2u73bETmBqFQFgGrhtBpTeGqsixgOegZzKHVF67ZjJi -e+faM24GAtkOiPB7PfVgZFyTfe8HQsqqcMRVtjd7JxuN33k8cFIWqv5i8oqVLBME -mLFM2WFIYNTsMtQ38eA7xieuuK6OPTp+cJKQY6jA3wUJOTRt9UE7pEjxOTumckfM -u/ZE1+AODHkH97FptwIDAQABo2AwXjAdBgNVHQ4EFgQUz44RRa+P1oRBVI6lla3o -VsVQq7swHwYDVR0jBBgwFoAUNqGhWv/+mt2TQTVdDZTd5wPY4mYwDAYDVR0TAQH/ -BAIwADAOBgNVHQ8BAf8EBAMCB4AwDQYJKoZIhvcNAQELBQADggEBAFgL5955qwHN -vFGnAKoHhoszX3qf2h8zc5HvFfnbvZbBbsuRFW1/QGfQPGWDq8YUlb6wu8NjLjSM -qTSYd1CvWXO1s91kr3LM5k7+9x+whOgbzWjGiprloS9pXcZ+ljTunW4o7jE7pPjZ -opk7W2WmD7/dEDg10x0yDZnKbzea5PMpp6kLqNjtENW4SETtcnwBdi/MZ09ApuUC -E+XWK/uKmxbIJ7Rt/Vi5H3BE74w7souq7fMwGGk7NL8Fmha78VQApKvZV/Rsfrio -D0vVU8djTlEJyXCeqFYU2eKWhc0bfiONIFJ6Wtg/1cR6Jn12+6X36J+wW1G3ibMu -ey+V9oVpM2U= ------END CERTIFICATE----- ------BEGIN PRIVATE KEY----- -MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCnW9arcvrfM+Lx -ElonTsuxHTmAIFgnsWuemuopujuzAutrccTlZAVPHE4+TMEGcJQRpra2o+2i/fia -s6adhNAMHGmWPHm7oDOOAx/All+HsK0Z/z3edts/tPZ/elcAUFHQDfbGYS+yjlp/ -Is1G+bEKyt2va7vdsROYGoVAWAauG0GlN4aqyLGA56BnModUXrtmMmJ759ozbgYC -2Q6I8Hs99WBkXJN97wdCyqpwxFW2N3snG43feTxwUhaq/mLyipUsEwSYsUzZYUhg -1Owy1Dfx4DvGJ664ro49On5wkpBjqMDfBQk5NG31QTukSPE5O6ZyR8y79kTX4A4M -eQf3sWm3AgMBAAECggEBAJV3HddtDsR8sHegbkegxaXeddYKDPEWMQkrTWoK2vpa -5ynEJ5a+p0cp/m8BWXqI3JSPEas36CmjLH3taCZR0QSf82SrigSZZLG19IupQJQM -o+wN2pFuEQ1qbqMW/dBX61kmv3gYn+KV5BibWj3DDeyXlTjvvI6XcOps9QisFPs0 -BqPC7U4B3DaILeK+cLS9ONjXv4WgGi1LB8dpSR3HgT+qKs/bceCWGCcjfi3PQVJw 
-8Ahv8wce71rwIWxhnh6hcHq8iiGUj2CAtOA9E4qtxgQ5VkhR049pPQ0CkcrFBRT8 -wTDF5ffzSAbU9QRp/cL7k/eeEAiNQg0aL2GUHhmO/KECgYEA1PxATAFTzX6K4nM/ -yRU769vegTiblYjzUB5JL7baMUgSGgXrZ4UomtQQiYZSDhho8bDSEKM7cNzddMTo -BFyKTvV4Won6LtF2R/JiFbUfDxhGS1+uoLXGciAFdB+NABLrmTQ0jp0N3y53UBmr -jwMDz9BqXq+6QoM3lLUsL4V2j08CgYEAySiax4D3pkr3T6iTuEaLqW9vTV58vWUY -sDstNA2YONYTPHUtFMpVfPgMmrraWHl3yNC2LB9W3SjJ+05oRYObUBI1oAg68u9z -T2+jcxM3fN8HFwyFMm5gd3tygawdwGsvCjLPMJaHdtwlbg8lYfHyEl1hJRA+cnKg -Y5hrfWtpJRkCgYEApWeBR4WAX4Z2tYZrcu5aqsEF+7TKn0bMLtxWWgfXS459AFi4 -iJyQ/CzU6vi1oNy0I37+pI0gDHZ6RcTlqv1zK/7WiPm+ob1p7lX+dn1CsaZYcRDN -vWFtzBOyKIyYJAaNkV1Js7eknj6nyj0lTts4ipuBACfYru7Yq1RIDF/Jw2ECgYA9 -qTWwu+at0cL3ZwxI6076VA9BHxqLj8a+lpUnpJcprO1eleiIu/DyirKKZ4ZwomNG -aju9UKn2xv8LCqDJ1iqwo7ROZtdzClVFX0oyBwz2OQNaXFsj91OYrH2QJCtGhVR5 -AtQh57KEi7zpfLkPyfNTD86sZstNl7d0cA9a9abYWQKBgQCPESj1LojjkEvGKtiD -9w+ZMaDf+mYK+RYQnjEthUMpAPI+mhm9cAl8mMJu3FaNgviOX9oB1/1XGl1Pj5od -KWej9CF1ltoW/PcjsSTeeRFye5jvXn9BLr3w6iUl9pwyo4sVyLHgMzZpiQvGoRNy -u80tjy6bVP3dGa5VHm36pENC4Q== ------END PRIVATE KEY----- diff --git a/src/regress/lib/libssl/certs/make-certs.sh b/src/regress/lib/libssl/certs/make-certs.sh deleted file mode 100755 index c90b7c8ff3..0000000000 --- a/src/regress/lib/libssl/certs/make-certs.sh +++ /dev/null 
@@ -1,263 +0,0 @@ -#!/bin/ksh - -# -# Copyright (c) 2020, 2021 Joel Sing -# -# Permission to use, copy, modify, and distribute this software for any -# purpose with or without fee is hereby granted, provided that the above -# copyright notice and this permission notice appear in all copies. -# -# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF -# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -# - -set -e -set -u -set -x - -readonly SUBJECT="/CN=LibreSSL Test" - -readonly TMPDIR=$(mktemp -d) - -cleanup() { - rm -rf "${TMPDIR}" -} - -trap cleanup EXIT INT - -reset() { - echo '100001' > ${TMPDIR}/certserial - cat /dev/null > ${TMPDIR}/certindex -} - -setup() { - reset - - cat > ${TMPDIR}/openssl.cnf <&2 - exit 1 - fi -} - -create_root() { - local name=$1 file=$2 key_type=$3 - - key_args=$(key_type_to_args "${key_type}") - - openssl req -new -days 3650 -nodes ${key_args} -sha256 -x509 \ - -subj "${SUBJECT} ${name}" -keyout "${TMPDIR}/${file}.key" \ - -config ${TMPDIR}/openssl.cnf -extensions v3_ca_root \ - -out "${TMPDIR}/${file}.crt" -} - -create_intermediate() { - local name=$1 file=$2 issuer_file=$3 key_type=$4 - - key_args=$(key_type_to_args "${key_type}") - - openssl req -new -days 3650 -nodes ${key_args} -sha256 \ - -subj "${SUBJECT} ${name}" -keyout "${TMPDIR}/${file}.key" \ - -out "${TMPDIR}/${file}.csr" - openssl x509 -req -days 3650 -CA "${TMPDIR}/${issuer_file}.crt" \ - -CAkey "${TMPDIR}/${issuer_file}.key" -CAcreateserial \ - -extfile ${TMPDIR}/openssl.cnf -extensions v3_ca_int \ - -in "${TMPDIR}/${file}.csr" -out "${TMPDIR}/${file}.crt" -} - -create_leaf() 
{ - local name=$1 file=$2 issuer_file=$3 key_type=$4 - - key_args=$(key_type_to_args "${key_type}") - - openssl req -new -days 3650 -nodes ${key_args} -sha256 \ - -subj "${SUBJECT} ${name}" -keyout "${TMPDIR}/${file}.key" \ - -out "${TMPDIR}/${file}.csr" - openssl x509 -req -days 3650 -CA "${TMPDIR}/${issuer_file}.crt" \ - -CAkey "${TMPDIR}/${issuer_file}.key" -CAcreateserial -sha256 \ - -extfile ${TMPDIR}/openssl.cnf -extensions v3_other \ - -in "${TMPDIR}/${file}.csr" -out "${TMPDIR}/${file}.crt" -} - -create_expired_leaf() { - local name=$1 file=$2 issuer_file=$3 key_type=$4 - - key_args=$(key_type_to_args "${key_type}") - - openssl req -new -days 3650 -nodes ${key_args} -sha256 \ - -subj "${SUBJECT} ${name}" -keyout "${TMPDIR}/${file}.key" \ - -out "${TMPDIR}/${file}.csr" - openssl ca -batch -notext -cert "${TMPDIR}/${issuer_file}.crt" \ - -keyfile "${TMPDIR}/${issuer_file}.key" \ - -config ${TMPDIR}/openssl.cnf -extensions v3_other \ - -startdate 20100101000000Z -enddate 20200101000000Z \ - -in "${TMPDIR}/${file}.csr" -out "${TMPDIR}/${file}.crt" -} - -create_revoked_leaf() { - local name=$1 file=$2 issuer_file=$3 key_type=$4 - - key_args=$(key_type_to_args "${key_type}") - - openssl req -new -days 3650 -nodes ${key_args} -sha256 \ - -subj "${SUBJECT} ${name}" -keyout "${TMPDIR}/${file}.key" \ - -out "${TMPDIR}/${file}.csr" - openssl x509 -req -days 3650 -CA "${TMPDIR}/${issuer_file}.crt" \ - -CAkey "${TMPDIR}/${issuer_file}.key" -CAcreateserial \ - -extfile ${TMPDIR}/openssl.cnf -extensions v3_other \ - -in "${TMPDIR}/${file}.csr" -out "${TMPDIR}/${file}.crt" - openssl ca -cert "${TMPDIR}/${issuer_file}.crt" \ - -keyfile "${TMPDIR}/${issuer_file}.key" \ - -config "${TMPDIR}/openssl.cnf" -extensions v3_other \ - -revoke "${TMPDIR}/${file}.crt" - openssl ca -gencrl -cert "${TMPDIR}/${issuer_file}.crt" \ - -keyfile "${TMPDIR}/${issuer_file}.key" \ - -config "${TMPDIR}/openssl.cnf" -extensions v3_other \ - -crldays 30 -out "${TMPDIR}/${issuer_file}.crl" -} - 
-create_bundle() { - local bundle_file=$1 - shift - - mkdir -p $(dirname ${bundle_file}) - cat /dev/null > ${bundle_file} - - for _cert_file in $@; do - openssl x509 -nameopt oneline -subject -issuer \ - -in "${TMPDIR}/${_cert_file}.crt" >> ${bundle_file} - done -} - -create_bundle_with_key() { - local bundle_file=$1 - shift - - mkdir -p $(dirname ${bundle_file}) - cat /dev/null > ${bundle_file} - - for _cert_file in $@; do - openssl x509 -nameopt oneline -subject -issuer -noout \ - -in "${TMPDIR}/${_cert_file}.crt" >> ${bundle_file} - done - for _cert_file in $@; do - cat "${TMPDIR}/${_cert_file}.crt" >> ${bundle_file} - done - for _key_file in $@; do - cat "${TMPDIR}/${_key_file}.key" >> ${bundle_file} - done -} - -setup - -reset -create_root "Root CA RSA" "ca-root-rsa" "rsa:2048" -create_intermediate "Intermediate CA RSA" "ca-int-rsa" "ca-root-rsa" "rsa:2048" -create_leaf "Server 1 RSA" "server-1-rsa" "ca-int-rsa" "rsa:2048" -create_expired_leaf "Server 2 RSA" "server-2-rsa" "ca-int-rsa" "rsa:2048" -create_revoked_leaf "Server 3 RSA" "server-3-rsa" "ca-int-rsa" "rsa:2048" -create_leaf "Client 1 RSA" "client-1-rsa" "ca-int-rsa" "rsa:2048" -create_expired_leaf "Client 2 RSA" "client-2-rsa" "ca-int-rsa" "rsa:2048" -create_revoked_leaf "Client 3 RSA" "client-3-rsa" "ca-int-rsa" "rsa:2048" - -create_bundle "./ca-root-rsa.pem" "ca-root-rsa" -create_bundle "./ca-int-rsa.pem" "ca-int-rsa" -cp "${TMPDIR}/ca-int-rsa.crl" "./ca-int-rsa.crl" -create_bundle_with_key "./server1-rsa.pem" "server-1-rsa" -create_bundle "./server1-rsa-chain.pem" "server-1-rsa" "ca-int-rsa" -create_bundle_with_key "./server2-rsa.pem" "server-2-rsa" -create_bundle "./server2-rsa-chain.pem" "server-2-rsa" "ca-int-rsa" -create_bundle_with_key "./server3-rsa.pem" "server-3-rsa" -create_bundle "./server3-rsa-chain.pem" "server-3-rsa" "ca-int-rsa" -create_bundle_with_key "./client1-rsa.pem" "client-1-rsa" -create_bundle "./client1-rsa-chain.pem" "client-1-rsa" "ca-int-rsa" -create_bundle_with_key 
"./client2-rsa.pem" "client-2-rsa" -create_bundle "./client2-rsa-chain.pem" "client-2-rsa" "ca-int-rsa" -create_bundle_with_key "./client3-rsa.pem" "client-3-rsa" -create_bundle "./client3-rsa-chain.pem" "client-3-rsa" "ca-int-rsa" - -reset -create_root "Root CA ECDSA" "ca-root-ecdsa" "ec:prime256v1" -create_intermediate "Intermediate CA ECDSA" "ca-int-ecdsa" "ca-root-ecdsa" "ec:prime256v1" -create_leaf "Server 1 ECDSA" "server-1-ecdsa" "ca-int-ecdsa" "ec:prime256v1" -create_expired_leaf "Server 2 ECDSA" "server-2-ecdsa" "ca-int-ecdsa" "ec:prime256v1" -create_revoked_leaf "Server 3 ECDSA" "server-3-ecdsa" "ca-int-ecdsa" "ec:prime256v1" -create_leaf "Client 1 ECDSA" "client-1-ecdsa" "ca-int-ecdsa" "ec:prime256v1" -create_expired_leaf "Client 2 ECDSA" "client-2-ecdsa" "ca-int-ecdsa" "ec:prime256v1" -create_revoked_leaf "Client 3 ECDSA" "client-3-ecdsa" "ca-int-ecdsa" "ec:prime256v1" - -create_bundle "./ca-root-ecdsa.pem" "ca-root-ecdsa" -create_bundle "./ca-int-ecdsa.pem" "ca-int-ecdsa" -cp "${TMPDIR}/ca-int-ecdsa.crl" "./ca-int-ecdsa.crl" -create_bundle_with_key "./server1-ecdsa.pem" "server-1-ecdsa" -create_bundle "./server1-ecdsa-chain.pem" "server-1-ecdsa" "ca-int-ecdsa" -create_bundle_with_key "./server2-ecdsa.pem" "server-2-ecdsa" -create_bundle "./server2-ecdsa-chain.pem" "server-2-ecdsa" "ca-int-ecdsa" -create_bundle_with_key "./server3-ecdsa.pem" "server-3-ecdsa" -create_bundle "./server3-ecdsa-chain.pem" "server-3-ecdsa" "ca-int-ecdsa" -create_bundle_with_key "./client1-ecdsa.pem" "client-1-ecdsa" -create_bundle "./client1-ecdsa-chain.pem" "client-1-ecdsa" "ca-int-ecdsa" -create_bundle_with_key "./client2-ecdsa.pem" "client-2-ecdsa" -create_bundle "./client2-ecdsa-chain.pem" "client-2-ecdsa" "ca-int-ecdsa" -create_bundle_with_key "./client3-ecdsa.pem" "client-3-ecdsa" -create_bundle "./client3-ecdsa-chain.pem" "client-3-ecdsa" "ca-int-ecdsa" 
diff --git a/src/regress/lib/libssl/certs/server1-ecdsa-chain.pem b/src/regress/lib/libssl/certs/server1-ecdsa-chain.pem deleted file mode 100644 index 46add4d11c..0000000000 --- a/src/regress/lib/libssl/certs/server1-ecdsa-chain.pem +++ /dev/null @@ -1,26 +0,0 @@ -subject= CN = LibreSSL Test Server 1 ECDSA -issuer= CN = LibreSSL Test Intermediate CA ECDSA ------BEGIN CERTIFICATE----- -MIIBqzCCAVKgAwIBAgIJAOVssaaTYoH4MAoGCCqGSM49BAMCMC4xLDAqBgNVBAMM -I0xpYnJlU1NMIFRlc3QgSW50ZXJtZWRpYXRlIENBIEVDRFNBMB4XDTIxMTIyNzE0 -NDA0MFoXDTMxMTIyNTE0NDA0MFowJzElMCMGA1UEAwwcTGlicmVTU0wgVGVzdCBT -ZXJ2ZXIgMSBFQ0RTQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABLCfzrwjvJ6V -m2Jog48gtuDNYupHd8TKOCVb6J7f1/U3Owwy2//ZVTvM+9uoIC8xxUJAmN0PC+9a -+5TkRWiD1KWjYDBeMB0GA1UdDgQWBBTo776/p89eGJwMmJRNk4k+xGVRPTAfBgNV -HSMEGDAWgBQXVj1v/EpXEjlCygJygatQDeTCCDAMBgNVHRMBAf8EAjAAMA4GA1Ud -DwEB/wQEAwIHgDAKBggqhkjOPQQDAgNHADBEAiAhHPaADQMcGea7iBRbKZWSHUAf -fZSNIWF/nYASNBvKLgIgQXLiuWxt6/a7vxaZwgYXkhP1YfDSC5Kpktxr/3jHcAU= ------END CERTIFICATE----- -subject= CN = LibreSSL Test Intermediate CA ECDSA -issuer= CN = LibreSSL Test Root CA ECDSA ------BEGIN CERTIFICATE----- -MIIBrDCCAVOgAwIBAgIJAOVssaaTYoH3MAkGByqGSM49BAEwJjEkMCIGA1UEAwwb -TGlicmVTU0wgVGVzdCBSb290IENBIEVDRFNBMB4XDTIxMTIyNzE0NDA0MFoXDTMx -MTIyNTE0NDA0MFowLjEsMCoGA1UEAwwjTGlicmVTU0wgVGVzdCBJbnRlcm1lZGlh -dGUgQ0EgRUNEU0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATWRQbJh4aHPzHq -LOAmosW/o83bTpm3Sj1VxM44StmG7c1nnFM/+gS8rp2bVSgjWZQzRtZqGVGJgzbk -7/M1m3x3o2MwYTAdBgNVHQ4EFgQUF1Y9b/xKVxI5QsoCcoGrUA3kwggwHwYDVR0j -BBgwFoAUtvkat4UdcUEipt6L/PBgEFYH6AwwDwYDVR0TAQH/BAUwAwEB/zAOBgNV -HQ8BAf8EBAMCAQYwCQYHKoZIzj0EAQNIADBFAiBE4NiOdv/XRN3WWMnkE5QccvC6 -VThoIQRyBf4I97cRPQIhAK18dvwrLuOOfbhWMdkpNCddMkWZHxS7traw/8+s7OUU ------END CERTIFICATE----- diff --git a/src/regress/lib/libssl/certs/server1-ecdsa.pem b/src/regress/lib/libssl/certs/server1-ecdsa.pem deleted file mode 100644 index 541fed6efe..0000000000 --- a/src/regress/lib/libssl/certs/server1-ecdsa.pem +++ /dev/null 
@@ -1,18 +0,0 @@ -subject= CN = LibreSSL Test Server 1 ECDSA -issuer= CN = LibreSSL Test Intermediate CA ECDSA ------BEGIN CERTIFICATE----- -MIIBqzCCAVKgAwIBAgIJAOVssaaTYoH4MAoGCCqGSM49BAMCMC4xLDAqBgNVBAMM -I0xpYnJlU1NMIFRlc3QgSW50ZXJtZWRpYXRlIENBIEVDRFNBMB4XDTIxMTIyNzE0 -NDA0MFoXDTMxMTIyNTE0NDA0MFowJzElMCMGA1UEAwwcTGlicmVTU0wgVGVzdCBT -ZXJ2ZXIgMSBFQ0RTQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABLCfzrwjvJ6V -m2Jog48gtuDNYupHd8TKOCVb6J7f1/U3Owwy2//ZVTvM+9uoIC8xxUJAmN0PC+9a -+5TkRWiD1KWjYDBeMB0GA1UdDgQWBBTo776/p89eGJwMmJRNk4k+xGVRPTAfBgNV -HSMEGDAWgBQXVj1v/EpXEjlCygJygatQDeTCCDAMBgNVHRMBAf8EAjAAMA4GA1Ud -DwEB/wQEAwIHgDAKBggqhkjOPQQDAgNHADBEAiAhHPaADQMcGea7iBRbKZWSHUAf -fZSNIWF/nYASNBvKLgIgQXLiuWxt6/a7vxaZwgYXkhP1YfDSC5Kpktxr/3jHcAU= ------END CERTIFICATE----- ------BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgvh2q0Zzqn18tPux2 -csqpbWDtHGialpwtx/r/0ENHeKOhRANCAASwn868I7yelZtiaIOPILbgzWLqR3fE -yjglW+ie39f1NzsMMtv/2VU7zPvbqCAvMcVCQJjdDwvvWvuU5EVog9Sl ------END PRIVATE KEY----- diff --git a/src/regress/lib/libssl/certs/server1-rsa-chain.pem b/src/regress/lib/libssl/certs/server1-rsa-chain.pem deleted file mode 100644 index 57dec7b5b4..0000000000 --- a/src/regress/lib/libssl/certs/server1-rsa-chain.pem +++ /dev/null 
@@ -1,44 +0,0 @@ -subject= CN = LibreSSL Test Server 1 RSA -issuer= CN = LibreSSL Test Intermediate CA RSA ------BEGIN CERTIFICATE----- -MIIDNDCCAhygAwIBAgIJAOVssaaTYoHzMA0GCSqGSIb3DQEBCwUAMCwxKjAoBgNV -BAMMIUxpYnJlU1NMIFRlc3QgSW50ZXJtZWRpYXRlIENBIFJTQTAeFw0yMTEyMjcx -NDQwMzdaFw0zMTEyMjUxNDQwMzdaMCUxIzAhBgNVBAMMGkxpYnJlU1NMIFRlc3Qg -U2VydmVyIDEgUlNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnvyt -i0uA2qaFltVb8+PElYk84AnjY0WZDcGtKSMCAYTD857fO2V4S/wpJ9ZMt8kBKQ29 -D2Glkkhc/HPpb7wJcAUT++aZ/PbOtuzOHzdxheOolfZ6aw+qCSiVlcflKfMp7VPL -swimqKpm6atl2aSqldKfmGzjhAAPiTXbzUjh9pbTfO8ykdn/6AqP7ju3+4sseMPL -seNq1wstWRdiHm0P/BoJn4lwDe7QTSp1AxMqDTz5BiO+UjCW2oTsOFfo/hhslQf5 -qv7uPLrz/VWiEojQP5RzfcnVwplUgTvtaOkXxZeOH7VkKS1v8W506/h3RIKj0X8Y -JDLuIPqSAPNLWGyH4wIDAQABo2AwXjAdBgNVHQ4EFgQUFJPGTfe+ULC/anJ4fCVz -DXA0JI4wHwYDVR0jBBgwFoAUNqGhWv/+mt2TQTVdDZTd5wPY4mYwDAYDVR0TAQH/ -BAIwADAOBgNVHQ8BAf8EBAMCB4AwDQYJKoZIhvcNAQELBQADggEBAGP5hYyAYzlj -YCV24ApNPb+mNEMHu1SL1MgDXJOTWZMFOvuYcibtmcVIfwpM4+UpC7cRqPRjBEqm -NdLbJi4jGzQDNOcI7OZCCx6oKvAhjMofpb42Iq4bDuBqlhHRXvYnO30y0yRbSGXt -GvKvkNKOSXUnY1UtcBAN5szcyFk30xQK+f/2VqJguvjsTquFV+piqFyq91ICyIeQ -1gjTn1N2/SkmYpwZdyf0HqSjyqJ0FG4xiW6T0HmX1QI651Kux49vLel7ySxzGY+6 -axnPilTYx/7pkciGk5ckLdujpXsDPhC+E2hdoee494c5NvX/uibYhigLU/gHK/ZP -YisY8ihnPl8= ------END CERTIFICATE----- -subject= CN = LibreSSL Test Intermediate CA RSA -issuer= CN = LibreSSL Test Root CA RSA ------BEGIN CERTIFICATE----- -MIIDNjCCAh6gAwIBAgIJAOVssaaTYoHyMA0GCSqGSIb3DQEBCwUAMCQxIjAgBgNV -BAMMGUxpYnJlU1NMIFRlc3QgUm9vdCBDQSBSU0EwHhcNMjExMjI3MTQ0MDM3WhcN -MzExMjI1MTQ0MDM3WjAsMSowKAYDVQQDDCFMaWJyZVNTTCBUZXN0IEludGVybWVk -aWF0ZSBDQSBSU0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD151AI -I+W9MrEP3dO0PEjg6L9E1R6+CG6u0LT3Jobc/rG2RXqKLasEaXoBWYiJoTImVxFT -wtrY+IDDTaEV4/4RGII1fY8Js7v5NpwoEh15jCoJ6/qDjKd4y1s1M48PlWYNNRmv -OBKRIu3Fz7scUa1RSBCp1bZeHbq/V5SzG419nDq2xpyuUrwmfBhDZTH+kUwBNGn8 -XVRFCRJQVP3qEAH02Zai2emSVj13KrhEWMtNyA8fa34GIuV23Q40RKW3jUgGBF+D 
-5jPNN8EZCj34nvvbjCCBs7cxZvD4F/MzGbatKpNmNOKXKibeg/xCq8B/F1uzHcl3 -IzJuViNtQ3RjQ/1pAgMBAAGjYzBhMB0GA1UdDgQWBBQ2oaFa//6a3ZNBNV0NlN3n -A9jiZjAfBgNVHSMEGDAWgBQ+S/x79Kw0KqURKAHyiOhdj/8V0TAPBgNVHRMBAf8E -BTADAQH/MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAcok2oSct -BOkm75qA8+4eUilGxTaqFPCqY8fk8MKNRKNNzaqirPaLJW62mZaxRHOn1Bw9uzL3 -jgz2PaTwA7n5GpKs3r5JLk8BdtRyeqMLmqJVJKKuu4GtJLCA8jhQm+XNA1Z324hg -kVeBHLPpLKvQxb+0lmbRBORq/OtMirq2yK8OlF2USrfQx0jmhSvvLpWyA0hhAXRS -gg1ds9aL57dELvk6gR7Unob+J0O2Xq3FRwz2O1k9fF86a0qrWUkxcnAjobC2BczC -7Fe5B194LgrX2U4IIrzwgJ19kmtrb1Qol2okECxomTYsbQY36sBs+LOKxSuiagu6 -ZgJtfcNeVMglYQ== ------END CERTIFICATE----- diff --git a/src/regress/lib/libssl/certs/server1-rsa.pem b/src/regress/lib/libssl/certs/server1-rsa.pem deleted file mode 100644 index 12e9ac9ec9..0000000000 --- a/src/regress/lib/libssl/certs/server1-rsa.pem +++ /dev/null 
@@ -1,50 +0,0 @@ -subject= CN = LibreSSL Test Server 1 RSA -issuer= CN = LibreSSL Test Intermediate CA RSA ------BEGIN CERTIFICATE----- -MIIDNDCCAhygAwIBAgIJAOVssaaTYoHzMA0GCSqGSIb3DQEBCwUAMCwxKjAoBgNV -BAMMIUxpYnJlU1NMIFRlc3QgSW50ZXJtZWRpYXRlIENBIFJTQTAeFw0yMTEyMjcx -NDQwMzdaFw0zMTEyMjUxNDQwMzdaMCUxIzAhBgNVBAMMGkxpYnJlU1NMIFRlc3Qg -U2VydmVyIDEgUlNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnvyt -i0uA2qaFltVb8+PElYk84AnjY0WZDcGtKSMCAYTD857fO2V4S/wpJ9ZMt8kBKQ29 -D2Glkkhc/HPpb7wJcAUT++aZ/PbOtuzOHzdxheOolfZ6aw+qCSiVlcflKfMp7VPL -swimqKpm6atl2aSqldKfmGzjhAAPiTXbzUjh9pbTfO8ykdn/6AqP7ju3+4sseMPL -seNq1wstWRdiHm0P/BoJn4lwDe7QTSp1AxMqDTz5BiO+UjCW2oTsOFfo/hhslQf5 -qv7uPLrz/VWiEojQP5RzfcnVwplUgTvtaOkXxZeOH7VkKS1v8W506/h3RIKj0X8Y -JDLuIPqSAPNLWGyH4wIDAQABo2AwXjAdBgNVHQ4EFgQUFJPGTfe+ULC/anJ4fCVz -DXA0JI4wHwYDVR0jBBgwFoAUNqGhWv/+mt2TQTVdDZTd5wPY4mYwDAYDVR0TAQH/ -BAIwADAOBgNVHQ8BAf8EBAMCB4AwDQYJKoZIhvcNAQELBQADggEBAGP5hYyAYzlj -YCV24ApNPb+mNEMHu1SL1MgDXJOTWZMFOvuYcibtmcVIfwpM4+UpC7cRqPRjBEqm -NdLbJi4jGzQDNOcI7OZCCx6oKvAhjMofpb42Iq4bDuBqlhHRXvYnO30y0yRbSGXt -GvKvkNKOSXUnY1UtcBAN5szcyFk30xQK+f/2VqJguvjsTquFV+piqFyq91ICyIeQ -1gjTn1N2/SkmYpwZdyf0HqSjyqJ0FG4xiW6T0HmX1QI651Kux49vLel7ySxzGY+6 -axnPilTYx/7pkciGk5ckLdujpXsDPhC+E2hdoee494c5NvX/uibYhigLU/gHK/ZP -YisY8ihnPl8= ------END CERTIFICATE----- ------BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCe/K2LS4DapoWW -1Vvz48SViTzgCeNjRZkNwa0pIwIBhMPznt87ZXhL/Ckn1ky3yQEpDb0PYaWSSFz8 -c+lvvAlwBRP75pn89s627M4fN3GF46iV9nprD6oJKJWVx+Up8yntU8uzCKaoqmbp -q2XZpKqV0p+YbOOEAA+JNdvNSOH2ltN87zKR2f/oCo/uO7f7iyx4w8ux42rXCy1Z -F2IebQ/8GgmfiXAN7tBNKnUDEyoNPPkGI75SMJbahOw4V+j+GGyVB/mq/u48uvP9 -VaISiNA/lHN9ydXCmVSBO+1o6RfFl44ftWQpLW/xbnTr+HdEgqPRfxgkMu4g+pIA -80tYbIfjAgMBAAECggEBAJDm9PkW6KrfyLPPZA5mUl6EBWKgQInS/gsmsT7j9EkU -C1A4RXcqJTkD6zKuw59h6NfU+LJTKgeoQm+o6WJ3/BYH2s3kwAZpn7/jFn4nFyWT -d6yuR6baUPwl7CfmV3wjbtwqWmajhNoG7OMd3yc9SGhi3iibXcWKFJ7W4q04NxJ5 -txswRddLYMFUeJxPBdImlyibyUIWaYFid4O2kozTQWpyJld5SP4+YQObb6sBJuvN 
-wR53eaRGb0OaUGppglGlWTahIADBjbhf0zd9YiUjvums/cjx2goHzQqt4rIj1Pid -I3duu/kw7AsuRlvmhk02Cu4Ixr8hljbeo2L7UAP+4BkCgYEAzVq8Fqi/5IVdjl0H -FwvS9NX3HFFzdixtI2p/jCQ721Kxpf73zvRpMG/YZL3vBt4sXT7WpJZZsKrYogL7 -8s/dG7p/GpzSnvJKQfT6Ko+jnv24MEIoqMx+Smd+nJJJ0KzZRvrqzcF+wsicmKnN -y/4t8T1DqSm4WxDyuy/uDozqCP0CgYEAxjJ9GJha40sHlY4sOTaJqapN6va/t70/ -iRj+Mt9Bm1O41PBgu+SMADGukrjL5DYp53QRGhyqb2PWmZsGYvftPZNq5b3pzKPo -8jiP9AxYDt/GLO3x/GppiywOxHD8CV19BDVqWcBkV1ATu2kkmokDbq+g94xnMBzN -nURtfL5Hml8CgYAMeJIrnhvpOOAxoRypHaK2E7hqE9g7OP93wyPz0s9/xknbltxd -ySIKOwCdPZuigyOWlhZa8HaJ8BYv4JaEbHM1F+JYL2XrGTPBRatbolWBdk8VPy9Q -8PpKcnaR86Bf999KHDreO/4CvkQkUUuaM9l+aQYO4+W6QhE7pPGEGLKt0QKBgCL2 -exzgm3/nF3JpfyGknkpA0bf2SUG3b8LWltkQizlEXqGpudbLbWsHWJ1nXghnCaNb -1Tx+/A3kVdIJB+pjhAVNwRjAFMNV0t0P300U9F/DV+lLHFoDx5SWdBBxQfTA+jHI -3nbwuoKwjJqN5LgiHWnkL4gby4QwQJFSpeHQiz8PAoGBAJaur4aFaSlgGAiKJX4/ -Om4AedImBgFsVKf44xx5pDwEcqLeEwRBxa0r5Sftqsrz+Ck60hR/MWCwJEBll5PV -MJtOHBb2bINFhLOqV1WoSkSoKEhtMvFnLbWGBi5gYHC4+lYuyQqD/vu3sxe5IT9C -PKgUgKV32Z7KBpDuFGtGmiDb ------END PRIVATE KEY----- diff --git a/src/regress/lib/libssl/certs/server2-ecdsa-chain.pem b/src/regress/lib/libssl/certs/server2-ecdsa-chain.pem deleted file mode 100644 index 494d2ea209..0000000000 --- a/src/regress/lib/libssl/certs/server2-ecdsa-chain.pem +++ /dev/null 
@@ -1,26 +0,0 @@ -subject= CN = LibreSSL Test Server 2 ECDSA -issuer= CN = LibreSSL Test Intermediate CA ECDSA ------BEGIN CERTIFICATE----- -MIIBpjCCAUygAwIBAgIDEAABMAoGCCqGSM49BAMCMC4xLDAqBgNVBAMMI0xpYnJl -U1NMIFRlc3QgSW50ZXJtZWRpYXRlIENBIEVDRFNBMB4XDTEwMDEwMTAwMDAwMFoX -DTIwMDEwMTAwMDAwMFowJzElMCMGA1UEAwwcTGlicmVTU0wgVGVzdCBTZXJ2ZXIg -MiBFQ0RTQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABJOTftmDhBMSS23a+sRO -3Zr43RUwtdJvNfKhpHKRbBLIttBkbI1wWCgufMLCJXhL6pSpCeT/C9ioFks2JMg7 -CPCjYDBeMB0GA1UdDgQWBBSCtBk04EXYNjiFaaTcJumL0BFylTAfBgNVHSMEGDAW -gBQXVj1v/EpXEjlCygJygatQDeTCCDAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQE -AwIHgDAKBggqhkjOPQQDAgNIADBFAiEAqnQ+TRgMZRys3z3olZysrnP0d6XIdfgv -XvlXRaM0s/QCIHdrTx/IPfJSvo0rDN08CJfbO0NBOc9PFsnDRUKsxJd4 ------END CERTIFICATE----- -subject= CN = LibreSSL Test Intermediate CA ECDSA -issuer= CN = LibreSSL Test Root CA ECDSA ------BEGIN CERTIFICATE----- -MIIBrDCCAVOgAwIBAgIJAOVssaaTYoH3MAkGByqGSM49BAEwJjEkMCIGA1UEAwwb -TGlicmVTU0wgVGVzdCBSb290IENBIEVDRFNBMB4XDTIxMTIyNzE0NDA0MFoXDTMx -MTIyNTE0NDA0MFowLjEsMCoGA1UEAwwjTGlicmVTU0wgVGVzdCBJbnRlcm1lZGlh -dGUgQ0EgRUNEU0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATWRQbJh4aHPzHq -LOAmosW/o83bTpm3Sj1VxM44StmG7c1nnFM/+gS8rp2bVSgjWZQzRtZqGVGJgzbk -7/M1m3x3o2MwYTAdBgNVHQ4EFgQUF1Y9b/xKVxI5QsoCcoGrUA3kwggwHwYDVR0j -BBgwFoAUtvkat4UdcUEipt6L/PBgEFYH6AwwDwYDVR0TAQH/BAUwAwEB/zAOBgNV -HQ8BAf8EBAMCAQYwCQYHKoZIzj0EAQNIADBFAiBE4NiOdv/XRN3WWMnkE5QccvC6 -VThoIQRyBf4I97cRPQIhAK18dvwrLuOOfbhWMdkpNCddMkWZHxS7traw/8+s7OUU ------END CERTIFICATE----- diff --git a/src/regress/lib/libssl/certs/server2-ecdsa.pem b/src/regress/lib/libssl/certs/server2-ecdsa.pem deleted file mode 100644 index 2f49df9931..0000000000 --- a/src/regress/lib/libssl/certs/server2-ecdsa.pem +++ /dev/null 
@@ -1,18 +0,0 @@ -subject= CN = LibreSSL Test Server 2 ECDSA -issuer= CN = LibreSSL Test Intermediate CA ECDSA ------BEGIN CERTIFICATE----- -MIIBpjCCAUygAwIBAgIDEAABMAoGCCqGSM49BAMCMC4xLDAqBgNVBAMMI0xpYnJl -U1NMIFRlc3QgSW50ZXJtZWRpYXRlIENBIEVDRFNBMB4XDTEwMDEwMTAwMDAwMFoX -DTIwMDEwMTAwMDAwMFowJzElMCMGA1UEAwwcTGlicmVTU0wgVGVzdCBTZXJ2ZXIg -MiBFQ0RTQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABJOTftmDhBMSS23a+sRO -3Zr43RUwtdJvNfKhpHKRbBLIttBkbI1wWCgufMLCJXhL6pSpCeT/C9ioFks2JMg7 -CPCjYDBeMB0GA1UdDgQWBBSCtBk04EXYNjiFaaTcJumL0BFylTAfBgNVHSMEGDAW -gBQXVj1v/EpXEjlCygJygatQDeTCCDAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQE -AwIHgDAKBggqhkjOPQQDAgNIADBFAiEAqnQ+TRgMZRys3z3olZysrnP0d6XIdfgv -XvlXRaM0s/QCIHdrTx/IPfJSvo0rDN08CJfbO0NBOc9PFsnDRUKsxJd4 ------END CERTIFICATE----- ------BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgxkOt2jb6kQC1ZaUa -MLSz0lyS0YQtqChoyAvJ7yQf3FahRANCAASTk37Zg4QTEktt2vrETt2a+N0VMLXS -bzXyoaRykWwSyLbQZGyNcFgoLnzCwiV4S+qUqQnk/wvYqBZLNiTIOwjw ------END PRIVATE KEY----- diff --git a/src/regress/lib/libssl/certs/server2-rsa-chain.pem b/src/regress/lib/libssl/certs/server2-rsa-chain.pem deleted file mode 100644 index 5bb660f45e..0000000000 --- a/src/regress/lib/libssl/certs/server2-rsa-chain.pem +++ /dev/null 
@@ -1,44 +0,0 @@
-subject= CN = LibreSSL Test Server 2 RSA
-issuer= CN = LibreSSL Test Intermediate CA RSA
------BEGIN CERTIFICATE-----
-MIIDLjCCAhagAwIBAgIDEAABMA0GCSqGSIb3DQEBCwUAMCwxKjAoBgNVBAMMIUxp
-YnJlU1NMIFRlc3QgSW50ZXJtZWRpYXRlIENBIFJTQTAeFw0xMDAxMDEwMDAwMDBa
-Fw0yMDAxMDEwMDAwMDBaMCUxIzAhBgNVBAMMGkxpYnJlU1NMIFRlc3QgU2VydmVy
-IDIgUlNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu08owc3HqHu2
-+92bKDs/VCVjkGMZSVOrdAXYEKf9WQ6cGxiowjJy391szSd5bW/Yf7hbNhctr29G
-8oIj0wsMfz3lxuHDYISt8uAjbjqFiZTNfBeg7PVE9aDWXqaophcq4DT2ygv9O190
-09RxTJD6PdclUtQNYZHr3c7kP2AdeBWWVPAmKISDSEkjXqc0x9LEtm7UA/0WAtKM
-NUXUb/ZNBu90j7gRpjN6VyfaqJMdoDR31s7QXivL5hr4x0M0Y1ihN1/cHA5Qjb0s
-6t8w6H2b0xtvJgO5N3ZUAVclAO3MsVRqr04aAyxcJ47qOkWPbh9OqaFyZFdl7L2r
-UTLloQNkcwIDAQABo2AwXjAdBgNVHQ4EFgQUrDgWmmX6bVZt4Z7SvCSXEfJMoZQw
-HwYDVR0jBBgwFoAUNqGhWv/+mt2TQTVdDZTd5wPY4mYwDAYDVR0TAQH/BAIwADAO
-BgNVHQ8BAf8EBAMCB4AwDQYJKoZIhvcNAQELBQADggEBANbQG/fAGsV+J+cmEIlg
-9i5c44hpr3BAXn5QYMbV9OQ8M9Rq8cZx/EkwNlCfPnQph2PqN2tZNstBnlL90rNq
-pOj1Ee+ppemeJrHKFuEncytGHbgqjRLgi9n0vR5RF1I7dJvRlPugpf/FxeMC/7f2
-qDDfdMsvmu/+qWBMb+U5yPLXlibGr7nf7B3t9ZBtku5flP3OOmipIjFpLOmvu06Z
-9fac0JHDRvBQCemvIbSIa8Sz6UVJ1hKTjaN+lqc7e5tgbovNqjgFiLx0lQrfBmg9
-tnNhoaEuwwyPNIVLUK3J1Q4lv/m9fX7BVmL5C56AexwtD/jupdXe2utjFx6YXrKG
-nxU=
------END CERTIFICATE-----
-subject= CN = LibreSSL Test Intermediate CA RSA
-issuer= CN = LibreSSL Test Root CA RSA
------BEGIN CERTIFICATE-----
-MIIDNjCCAh6gAwIBAgIJAOVssaaTYoHyMA0GCSqGSIb3DQEBCwUAMCQxIjAgBgNV
-BAMMGUxpYnJlU1NMIFRlc3QgUm9vdCBDQSBSU0EwHhcNMjExMjI3MTQ0MDM3WhcN
-MzExMjI1MTQ0MDM3WjAsMSowKAYDVQQDDCFMaWJyZVNTTCBUZXN0IEludGVybWVk
-aWF0ZSBDQSBSU0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD151AI
-I+W9MrEP3dO0PEjg6L9E1R6+CG6u0LT3Jobc/rG2RXqKLasEaXoBWYiJoTImVxFT
-wtrY+IDDTaEV4/4RGII1fY8Js7v5NpwoEh15jCoJ6/qDjKd4y1s1M48PlWYNNRmv
-OBKRIu3Fz7scUa1RSBCp1bZeHbq/V5SzG419nDq2xpyuUrwmfBhDZTH+kUwBNGn8
-XVRFCRJQVP3qEAH02Zai2emSVj13KrhEWMtNyA8fa34GIuV23Q40RKW3jUgGBF+D
-5jPNN8EZCj34nvvbjCCBs7cxZvD4F/MzGbatKpNmNOKXKibeg/xCq8B/F1uzHcl3
-IzJuViNtQ3RjQ/1pAgMBAAGjYzBhMB0GA1UdDgQWBBQ2oaFa//6a3ZNBNV0NlN3n
-A9jiZjAfBgNVHSMEGDAWgBQ+S/x79Kw0KqURKAHyiOhdj/8V0TAPBgNVHRMBAf8E
-BTADAQH/MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAcok2oSct
-BOkm75qA8+4eUilGxTaqFPCqY8fk8MKNRKNNzaqirPaLJW62mZaxRHOn1Bw9uzL3
-jgz2PaTwA7n5GpKs3r5JLk8BdtRyeqMLmqJVJKKuu4GtJLCA8jhQm+XNA1Z324hg
-kVeBHLPpLKvQxb+0lmbRBORq/OtMirq2yK8OlF2USrfQx0jmhSvvLpWyA0hhAXRS
-gg1ds9aL57dELvk6gR7Unob+J0O2Xq3FRwz2O1k9fF86a0qrWUkxcnAjobC2BczC
-7Fe5B194LgrX2U4IIrzwgJ19kmtrb1Qol2okECxomTYsbQY36sBs+LOKxSuiagu6
-ZgJtfcNeVMglYQ==
------END CERTIFICATE-----
diff --git a/src/regress/lib/libssl/certs/server2-rsa.pem b/src/regress/lib/libssl/certs/server2-rsa.pem
deleted file mode 100644
index ed7389a430..0000000000
--- a/src/regress/lib/libssl/certs/server2-rsa.pem
+++ /dev/null
@@ -1,50 +0,0 @@
-subject= CN = LibreSSL Test Server 2 RSA
-issuer= CN = LibreSSL Test Intermediate CA RSA
------BEGIN CERTIFICATE-----
-MIIDLjCCAhagAwIBAgIDEAABMA0GCSqGSIb3DQEBCwUAMCwxKjAoBgNVBAMMIUxp
-YnJlU1NMIFRlc3QgSW50ZXJtZWRpYXRlIENBIFJTQTAeFw0xMDAxMDEwMDAwMDBa
-Fw0yMDAxMDEwMDAwMDBaMCUxIzAhBgNVBAMMGkxpYnJlU1NMIFRlc3QgU2VydmVy
-IDIgUlNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu08owc3HqHu2
-+92bKDs/VCVjkGMZSVOrdAXYEKf9WQ6cGxiowjJy391szSd5bW/Yf7hbNhctr29G
-8oIj0wsMfz3lxuHDYISt8uAjbjqFiZTNfBeg7PVE9aDWXqaophcq4DT2ygv9O190
-09RxTJD6PdclUtQNYZHr3c7kP2AdeBWWVPAmKISDSEkjXqc0x9LEtm7UA/0WAtKM
-NUXUb/ZNBu90j7gRpjN6VyfaqJMdoDR31s7QXivL5hr4x0M0Y1ihN1/cHA5Qjb0s
-6t8w6H2b0xtvJgO5N3ZUAVclAO3MsVRqr04aAyxcJ47qOkWPbh9OqaFyZFdl7L2r
-UTLloQNkcwIDAQABo2AwXjAdBgNVHQ4EFgQUrDgWmmX6bVZt4Z7SvCSXEfJMoZQw
-HwYDVR0jBBgwFoAUNqGhWv/+mt2TQTVdDZTd5wPY4mYwDAYDVR0TAQH/BAIwADAO
-BgNVHQ8BAf8EBAMCB4AwDQYJKoZIhvcNAQELBQADggEBANbQG/fAGsV+J+cmEIlg
-9i5c44hpr3BAXn5QYMbV9OQ8M9Rq8cZx/EkwNlCfPnQph2PqN2tZNstBnlL90rNq
-pOj1Ee+ppemeJrHKFuEncytGHbgqjRLgi9n0vR5RF1I7dJvRlPugpf/FxeMC/7f2
-qDDfdMsvmu/+qWBMb+U5yPLXlibGr7nf7B3t9ZBtku5flP3OOmipIjFpLOmvu06Z
-9fac0JHDRvBQCemvIbSIa8Sz6UVJ1hKTjaN+lqc7e5tgbovNqjgFiLx0lQrfBmg9
-tnNhoaEuwwyPNIVLUK3J1Q4lv/m9fX7BVmL5C56AexwtD/jupdXe2utjFx6YXrKG
-nxU=
------END CERTIFICATE-----
------BEGIN PRIVATE KEY-----
-MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC7TyjBzceoe7b7
-3ZsoOz9UJWOQYxlJU6t0BdgQp/1ZDpwbGKjCMnLf3WzNJ3ltb9h/uFs2Fy2vb0by
-giPTCwx/PeXG4cNghK3y4CNuOoWJlM18F6Ds9UT1oNZepqimFyrgNPbKC/07X3TT
-1HFMkPo91yVS1A1hkevdzuQ/YB14FZZU8CYohINISSNepzTH0sS2btQD/RYC0ow1
-RdRv9k0G73SPuBGmM3pXJ9qokx2gNHfWztBeK8vmGvjHQzRjWKE3X9wcDlCNvSzq
-3zDofZvTG28mA7k3dlQBVyUA7cyxVGqvThoDLFwnjuo6RY9uH06poXJkV2XsvatR
-MuWhA2RzAgMBAAECggEAc5ApQzkkv+xkPwzAl5fGQLI4tXKOvVDj7VdVsSEUDAgZ
-hBY4uGfLvBau8/wwzLY+yr4BeGPgieaLzT9BvwmIElEsHQJZOolhkQF8mpt8nB+0
-j6U8YjYI78rlt8v3LVIJ3/6NbKbs+96vA6qEpIql+dVtb6bpApO3BEiLRhaU1+ra
-pi5YbF56S3XlUFL6H46hpNTUxOqbb6toZ/2rr1nscu4jkQhL8u/KS5Uz1Y7RW3zd
-A3U4rbxXnM8SVZrRuWsN1DRL5CpAOdGGiVhew46vAxZU8iX6rODrRaRCp+Gbnoll
-x/ubMMrBrE4WpCY5orb41FPb4U6raY9ZZzTGPuC9YQKBgQDs0LrDy8kh3V7wsIwn
-6vMT9MD2Olpl6zwSyQJ0C04u+hGNur3L6intg78TSRqZ7ZKK7CspPy9JCGTYztTG
-vFbXy2vahCFlI2G3lfZj2nS2D+UNSmo2pdpBtuk/iKj67pFAlaa8C3OQ8MXjldQn
-3QPANsCo276t0E9SmFcbJYJVCwKBgQDKe7sfdg0tQr9xsBeDuSxRJQOrtWeTmXm6
-zcPKRX8avWr5Ag6w4/BX/RxGZkD4brV5LaK6Qsbwl8v8aNe8Hv4yBQFdW0IMP8mB
-v4kVaNEGxoJE4fnKk1wS22TQvX5fxWPGZhOWQ1sgIqp3Dzvky0nalK7Ru0gRA4gS
-Jl0a4Sp/OQKBgQCHwuW/B53n5yPdcij3XW87Go5g2nUmhqPq1QeuBSkuLzhO+yaB
-t12QB35MDRXN9u+S6u+XdtyhzskZrgE3aZOTpM/Q9vy6IX2MpNEaz4snMJeMdgPM
-DmrAT58KSEsviAMHdoOevCXlitK3tRZqP/89e2YZp9h5hrlizWjqbCd6nwKBgQCS
-XFWqLB7iNHlFqE+W+2a5UNQSbhHscue2y71WnF1/6qNEUuRjoJ++OksR6B/Wc8/h
-Q8d4c4RxrIfab75hUNXVOiD+ZlSbng/+JYDlZNqS1zKar+1rLJFFYCjDafXLLFcu
-teI6n31jASvO28gjXX6I7ShgmctB4ReeZvSt1UxuoQKBgHQ/0fA3owx9kDRA41Hu
-a+npibal0F2JOxn0xiwgW3JcH/EkcSIvUELm8Kjl3GBxf0y9Osu0uf3cSqW9K9+z
-CRpwZmFq+q3HFN6FYHYI6oVvPKIljDhmkvw9HyexXFLRKNs1z2b7Noz2H7ysE0cb
-1sAZitEjace2/eAx/wWr2dq0
------END PRIVATE KEY-----
diff --git a/src/regress/lib/libssl/certs/server3-ecdsa-chain.pem b/src/regress/lib/libssl/certs/server3-ecdsa-chain.pem
deleted file mode 100644
index 03f3373d3b..0000000000
--- a/src/regress/lib/libssl/certs/server3-ecdsa-chain.pem
+++ /dev/null
@@ -1,26 +0,0 @@
-subject= CN = LibreSSL Test Server 3 ECDSA
-issuer= CN = LibreSSL Test Intermediate CA ECDSA
------BEGIN CERTIFICATE-----
-MIIBqjCCAVGgAwIBAgIJAOVssaaTYoH5MAkGByqGSM49BAEwLjEsMCoGA1UEAwwj
-TGlicmVTU0wgVGVzdCBJbnRlcm1lZGlhdGUgQ0EgRUNEU0EwHhcNMjExMjI3MTQ0
-MDQwWhcNMzExMjI1MTQ0MDQwWjAnMSUwIwYDVQQDDBxMaWJyZVNTTCBUZXN0IFNl
-cnZlciAzIEVDRFNBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0pRqRW+PDenx
-cp+5za1pFDdECxXPXZY7LUPoXxens1lPSM2diexVMdLw1kEbVkOZ50s1X32vQnTa
-TVpovmwna6NgMF4wHQYDVR0OBBYEFCXbw+Fdv+OWDOU163ujSYbdJZx3MB8GA1Ud
-IwQYMBaAFBdWPW/8SlcSOULKAnKBq1AN5MIIMAwGA1UdEwEB/wQCMAAwDgYDVR0P
-AQH/BAQDAgeAMAkGByqGSM49BAEDSAAwRQIhAMt01G90LOiCVRIcodKP1nsOg3oY
-kX8VHUPk9myD52KZAiBu32mh/fgaWsR/lbo2dyGJQHKkmHNt9Wy8hOQ9eGO91A==
------END CERTIFICATE-----
-subject= CN = LibreSSL Test Intermediate CA ECDSA
-issuer= CN = LibreSSL Test Root CA ECDSA
------BEGIN CERTIFICATE-----
-MIIBrDCCAVOgAwIBAgIJAOVssaaTYoH3MAkGByqGSM49BAEwJjEkMCIGA1UEAwwb
-TGlicmVTU0wgVGVzdCBSb290IENBIEVDRFNBMB4XDTIxMTIyNzE0NDA0MFoXDTMx
-MTIyNTE0NDA0MFowLjEsMCoGA1UEAwwjTGlicmVTU0wgVGVzdCBJbnRlcm1lZGlh
-dGUgQ0EgRUNEU0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATWRQbJh4aHPzHq
-LOAmosW/o83bTpm3Sj1VxM44StmG7c1nnFM/+gS8rp2bVSgjWZQzRtZqGVGJgzbk
-7/M1m3x3o2MwYTAdBgNVHQ4EFgQUF1Y9b/xKVxI5QsoCcoGrUA3kwggwHwYDVR0j
-BBgwFoAUtvkat4UdcUEipt6L/PBgEFYH6AwwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
-HQ8BAf8EBAMCAQYwCQYHKoZIzj0EAQNIADBFAiBE4NiOdv/XRN3WWMnkE5QccvC6
-VThoIQRyBf4I97cRPQIhAK18dvwrLuOOfbhWMdkpNCddMkWZHxS7traw/8+s7OUU
------END CERTIFICATE-----
diff --git a/src/regress/lib/libssl/certs/server3-ecdsa.pem b/src/regress/lib/libssl/certs/server3-ecdsa.pem
deleted file mode 100644
index 98950aabbf..0000000000
--- a/src/regress/lib/libssl/certs/server3-ecdsa.pem
+++ /dev/null
@@ -1,18 +0,0 @@
-subject= CN = LibreSSL Test Server 3 ECDSA
-issuer= CN = LibreSSL Test Intermediate CA ECDSA
------BEGIN CERTIFICATE-----
-MIIBqjCCAVGgAwIBAgIJAOVssaaTYoH5MAkGByqGSM49BAEwLjEsMCoGA1UEAwwj
-TGlicmVTU0wgVGVzdCBJbnRlcm1lZGlhdGUgQ0EgRUNEU0EwHhcNMjExMjI3MTQ0
-MDQwWhcNMzExMjI1MTQ0MDQwWjAnMSUwIwYDVQQDDBxMaWJyZVNTTCBUZXN0IFNl
-cnZlciAzIEVDRFNBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0pRqRW+PDenx
-cp+5za1pFDdECxXPXZY7LUPoXxens1lPSM2diexVMdLw1kEbVkOZ50s1X32vQnTa
-TVpovmwna6NgMF4wHQYDVR0OBBYEFCXbw+Fdv+OWDOU163ujSYbdJZx3MB8GA1Ud
-IwQYMBaAFBdWPW/8SlcSOULKAnKBq1AN5MIIMAwGA1UdEwEB/wQCMAAwDgYDVR0P
-AQH/BAQDAgeAMAkGByqGSM49BAEDSAAwRQIhAMt01G90LOiCVRIcodKP1nsOg3oY
-kX8VHUPk9myD52KZAiBu32mh/fgaWsR/lbo2dyGJQHKkmHNt9Wy8hOQ9eGO91A==
------END CERTIFICATE-----
------BEGIN PRIVATE KEY-----
-MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgTWRMClyUOn11mX5s
-hTTIQT+3BeauAjrTvKMy5RryWtyhRANCAATSlGpFb48N6fFyn7nNrWkUN0QLFc9d
-ljstQ+hfF6ezWU9IzZ2J7FUx0vDWQRtWQ5nnSzVffa9CdNpNWmi+bCdr
------END PRIVATE KEY-----
diff --git a/src/regress/lib/libssl/certs/server3-rsa-chain.pem b/src/regress/lib/libssl/certs/server3-rsa-chain.pem
deleted file mode 100644
index e40c982894..0000000000
--- a/src/regress/lib/libssl/certs/server3-rsa-chain.pem
+++ /dev/null
@@ -1,44 +0,0 @@
-subject= CN = LibreSSL Test Server 3 RSA
-issuer= CN = LibreSSL Test Intermediate CA RSA
------BEGIN CERTIFICATE-----
-MIIDNDCCAhygAwIBAgIJAOVssaaTYoH0MA0GCSqGSIb3DQEBCwUAMCwxKjAoBgNV
-BAMMIUxpYnJlU1NMIFRlc3QgSW50ZXJtZWRpYXRlIENBIFJTQTAeFw0yMTEyMjcx
-NDQwMzdaFw0zMTEyMjUxNDQwMzdaMCUxIzAhBgNVBAMMGkxpYnJlU1NMIFRlc3Qg
-U2VydmVyIDMgUlNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyqw4
-GSS7/WAR0VYbqFTltj9Cv17m+RuztM1jiJq+MU0Gscbx59NFPt8UFevNsMzWNmAK
-qkioEMVJxXzSUDBjXjLesDt/+VTjR46z16fje3MhGmWa8lDt7hpuHwDF80dg3rZa
-kVEcgKvd6LODTucgE7l07DzMb8qAdRp1SDXIFECO0wLJewkf2CihmNukTxQhI0d+
-XPZTYe3cyMelj8KpCXCXOVXKnXI+BWnYMHC1Op4S9z90xiVBNgQ+Vmg2K9NFifzT
-ZyKIWsERq80rp1s+JmxmzA/vBRlsbj/Ec0h2kF4IavGtHwvAvdvIPV7AG/dIxwlT
-VnHZkPDuLK0H396wmwIDAQABo2AwXjAdBgNVHQ4EFgQUSuP+QN+526Pxw/LGBTqP
-WJpWGvwwHwYDVR0jBBgwFoAUNqGhWv/+mt2TQTVdDZTd5wPY4mYwDAYDVR0TAQH/
-BAIwADAOBgNVHQ8BAf8EBAMCB4AwDQYJKoZIhvcNAQELBQADggEBAFBJ0mO7dpSN
-euxoh2DJghVfqQB4ladEroDZJkJEDuDkY3SjC+WB/lJowBVPC2QkzjTZt/J4B0Om
-6irtKUC8jQ7aqMBfESu/s//GEU4kwlvlJN/Z0nLOh1YEeCwbkavFDy/X62iZ9XvJ
-gjLVVzaXKWGrgdJedHx9Di04rU9jME5qfpXZI50u8grZccpUuTTqpZBiGjFRda2j
-nJhgPBrn9/ityYaOrif8taR+QM6AETvEpJWo+I/iQ7vATmxHuq6y+0Sza5j9wGH/
-begJs9H890AiwO2bbUi1ehNj7NHZHySWNJlzBerwOQv7Zo8j+kHBop82ABsb/Xet
-kgn7bdkfKoI=
------END CERTIFICATE-----
-subject= CN = LibreSSL Test Intermediate CA RSA
-issuer= CN = LibreSSL Test Root CA RSA
------BEGIN CERTIFICATE-----
-MIIDNjCCAh6gAwIBAgIJAOVssaaTYoHyMA0GCSqGSIb3DQEBCwUAMCQxIjAgBgNV
-BAMMGUxpYnJlU1NMIFRlc3QgUm9vdCBDQSBSU0EwHhcNMjExMjI3MTQ0MDM3WhcN
-MzExMjI1MTQ0MDM3WjAsMSowKAYDVQQDDCFMaWJyZVNTTCBUZXN0IEludGVybWVk
-aWF0ZSBDQSBSU0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD151AI
-I+W9MrEP3dO0PEjg6L9E1R6+CG6u0LT3Jobc/rG2RXqKLasEaXoBWYiJoTImVxFT
-wtrY+IDDTaEV4/4RGII1fY8Js7v5NpwoEh15jCoJ6/qDjKd4y1s1M48PlWYNNRmv
-OBKRIu3Fz7scUa1RSBCp1bZeHbq/V5SzG419nDq2xpyuUrwmfBhDZTH+kUwBNGn8
-XVRFCRJQVP3qEAH02Zai2emSVj13KrhEWMtNyA8fa34GIuV23Q40RKW3jUgGBF+D
-5jPNN8EZCj34nvvbjCCBs7cxZvD4F/MzGbatKpNmNOKXKibeg/xCq8B/F1uzHcl3
-IzJuViNtQ3RjQ/1pAgMBAAGjYzBhMB0GA1UdDgQWBBQ2oaFa//6a3ZNBNV0NlN3n
-A9jiZjAfBgNVHSMEGDAWgBQ+S/x79Kw0KqURKAHyiOhdj/8V0TAPBgNVHRMBAf8E
-BTADAQH/MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAcok2oSct
-BOkm75qA8+4eUilGxTaqFPCqY8fk8MKNRKNNzaqirPaLJW62mZaxRHOn1Bw9uzL3
-jgz2PaTwA7n5GpKs3r5JLk8BdtRyeqMLmqJVJKKuu4GtJLCA8jhQm+XNA1Z324hg
-kVeBHLPpLKvQxb+0lmbRBORq/OtMirq2yK8OlF2USrfQx0jmhSvvLpWyA0hhAXRS
-gg1ds9aL57dELvk6gR7Unob+J0O2Xq3FRwz2O1k9fF86a0qrWUkxcnAjobC2BczC
-7Fe5B194LgrX2U4IIrzwgJ19kmtrb1Qol2okECxomTYsbQY36sBs+LOKxSuiagu6
-ZgJtfcNeVMglYQ==
------END CERTIFICATE-----
diff --git a/src/regress/lib/libssl/certs/server3-rsa.pem b/src/regress/lib/libssl/certs/server3-rsa.pem
deleted file mode 100644
index 256528ae35..0000000000
--- a/src/regress/lib/libssl/certs/server3-rsa.pem
+++ /dev/null
@@ -1,50 +0,0 @@
-subject= CN = LibreSSL Test Server 3 RSA
-issuer= CN = LibreSSL Test Intermediate CA RSA
------BEGIN CERTIFICATE-----
-MIIDNDCCAhygAwIBAgIJAOVssaaTYoH0MA0GCSqGSIb3DQEBCwUAMCwxKjAoBgNV
-BAMMIUxpYnJlU1NMIFRlc3QgSW50ZXJtZWRpYXRlIENBIFJTQTAeFw0yMTEyMjcx
-NDQwMzdaFw0zMTEyMjUxNDQwMzdaMCUxIzAhBgNVBAMMGkxpYnJlU1NMIFRlc3Qg
-U2VydmVyIDMgUlNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyqw4
-GSS7/WAR0VYbqFTltj9Cv17m+RuztM1jiJq+MU0Gscbx59NFPt8UFevNsMzWNmAK
-qkioEMVJxXzSUDBjXjLesDt/+VTjR46z16fje3MhGmWa8lDt7hpuHwDF80dg3rZa
-kVEcgKvd6LODTucgE7l07DzMb8qAdRp1SDXIFECO0wLJewkf2CihmNukTxQhI0d+
-XPZTYe3cyMelj8KpCXCXOVXKnXI+BWnYMHC1Op4S9z90xiVBNgQ+Vmg2K9NFifzT
-ZyKIWsERq80rp1s+JmxmzA/vBRlsbj/Ec0h2kF4IavGtHwvAvdvIPV7AG/dIxwlT
-VnHZkPDuLK0H396wmwIDAQABo2AwXjAdBgNVHQ4EFgQUSuP+QN+526Pxw/LGBTqP
-WJpWGvwwHwYDVR0jBBgwFoAUNqGhWv/+mt2TQTVdDZTd5wPY4mYwDAYDVR0TAQH/
-BAIwADAOBgNVHQ8BAf8EBAMCB4AwDQYJKoZIhvcNAQELBQADggEBAFBJ0mO7dpSN
-euxoh2DJghVfqQB4ladEroDZJkJEDuDkY3SjC+WB/lJowBVPC2QkzjTZt/J4B0Om
-6irtKUC8jQ7aqMBfESu/s//GEU4kwlvlJN/Z0nLOh1YEeCwbkavFDy/X62iZ9XvJ
-gjLVVzaXKWGrgdJedHx9Di04rU9jME5qfpXZI50u8grZccpUuTTqpZBiGjFRda2j
-nJhgPBrn9/ityYaOrif8taR+QM6AETvEpJWo+I/iQ7vATmxHuq6y+0Sza5j9wGH/
-begJs9H890AiwO2bbUi1ehNj7NHZHySWNJlzBerwOQv7Zo8j+kHBop82ABsb/Xet
-kgn7bdkfKoI=
------END CERTIFICATE-----
------BEGIN PRIVATE KEY-----
-MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDKrDgZJLv9YBHR
-VhuoVOW2P0K/Xub5G7O0zWOImr4xTQaxxvHn00U+3xQV682wzNY2YAqqSKgQxUnF
-fNJQMGNeMt6wO3/5VONHjrPXp+N7cyEaZZryUO3uGm4fAMXzR2DetlqRURyAq93o
-s4NO5yATuXTsPMxvyoB1GnVINcgUQI7TAsl7CR/YKKGY26RPFCEjR35c9lNh7dzI
-x6WPwqkJcJc5Vcqdcj4FadgwcLU6nhL3P3TGJUE2BD5WaDYr00WJ/NNnIohawRGr
-zSunWz4mbGbMD+8FGWxuP8RzSHaQXghq8a0fC8C928g9XsAb90jHCVNWcdmQ8O4s
-rQff3rCbAgMBAAECggEAAoOiaoVvI5SGhA9KZosvElS0kkUuHlb+oraNjotE4r2u
-4JO0Ooj/aelAiYkUUyYnXiNQ3o3qL9MSuDV1MnN3OBrvckY6rzAjZabaiklV5Bko
-hvhNtMXWPcbsKMxMqFjxVbHza6wS63G2XgWkEl2Bo10Am1Ghw51CfLFoVQ39vmqM
-8xKqZBZRwRUNk/2ccNhG5crUOX9+wQJSVjZCTgevjCJVVsFX9NLsHsx7G1wtE580
-AuFb9JEe66QNrtpTbKQP61W8YiRKQHT5uAAL0X9o88d2rpjGAcpJ8214aGH5P1HH
-oUjL7mZceYuVeWvAMwLFFmPbPZuj3Ricgo1OIkKyyQKBgQDtNNXod5GzJyHOUrFR
-rijyHhS81sOeDOhTbc1Cx8eFNH/svGATAU01HqgFRZpeJPHsAVYwVizfyqp/CESk
-EFKTkMqRTat8Pkk+BtAGZD5fEBejl1fwRiBF9bTnk+u6q1WvBsQ0Bngf3v1CYGuq
-rvb57AvhkCsEMjWs1YplBLwdVwKBgQDauvNslanbFstrWVBJqxV1iEaWmN1Lr//C
-fwCFU8rH8VEvp+JJCICu7sE5Te+1TF/ASEs/bCrsW51YXjH30z3De1oFrjFVjwOU
-XFMqcaTCX5Fjxv739LmgGuO2MCrItmveQHYkpTzCl6/p/pI4I1QJN0S5a/FaBNcW
-x5tV2Ks4XQKBgHCCiBdsZ1pPbFR9moeAkQFOTU3InB5iRuwTf7F2Kue+oBK8wuEg
-0+snMFDX08Flyq3DcIsaxMwdR8NbO5uJ9nDx03MaIQWcUYcvGgp+D6ttaZj5lwdr
-a7FjOrxAyCXRUKHlFrkKfH25eey66TabKKAgWv5RMGYcHqNs4ejKVyOfAoGALqUf
-tFBWYLqDtujdDljFwsLFCuieiL2HtVqQKd6sp+b2gUs0Ho8JokSYQDg2nlsjMEY6
-hdPzc2Q2Mdoknc0WptFvaTa0nqJZCRKHSc3ibPEkeDq/tPEjhNk3JmsvNI5ygnsM
-ttPmGTlv8l6vn/kouq5moYQ7fA78L4dxwOTr3qECgYBNuIf4vQq8WEkt0uSTJXom
-UQVZglJu61NVGzR//lyukQB7/HrdEMB+JYJfev0o1GxLx1RV8rTVaeDJkUJjwn/h
-qpqiLjJKF328oOuQdP3dH6AavH9r7gUOByOuxXgzZNbhtyNCrStAGOfX2xUxRZyZ
-l0+QtrqbPtB4VSfZ0j+imw==
------END PRIVATE KEY-----
diff --git a/src/regress/lib/libssl/ciphers/Makefile b/src/regress/lib/libssl/ciphers/Makefile
deleted file mode 100644
index 2575db4df4..0000000000
--- a/src/regress/lib/libssl/ciphers/Makefile
+++ /dev/null
@@ -1,9 +0,0 @@
-# $OpenBSD: Makefile,v 1.2 2020/09/13 16:51:30 jsing Exp $
-
-PROG= cipherstest
-LDADD= ${SSL_INT} -lcrypto
-DPADD= ${LIBSSL} ${LIBCRYPTO}
-WARNINGS= Yes
-CFLAGS+= -DLIBRESSL_INTERNAL -Werror
-
-.include
diff --git a/src/regress/lib/libssl/ciphers/cipherstest.c b/src/regress/lib/libssl/ciphers/cipherstest.c
deleted file mode 100644
index 1df335f9f2..0000000000
--- a/src/regress/lib/libssl/ciphers/cipherstest.c
+++ /dev/null
@@ -1,1209 +0,0 @@ -/* - * Copyright (c) 2015, 2020 Joel Sing - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#include -#include -#include - -#include -#include -#include - -int ssl3_num_ciphers(void); -const SSL_CIPHER *ssl3_get_cipher_by_index(int idx); - -int ssl_parse_ciphersuites(STACK_OF(SSL_CIPHER) **out_ciphers, const char *str); - -static inline int -ssl_aes_is_accelerated(void) -{ - return (OPENSSL_cpu_caps() & CRYPTO_CPU_CAPS_ACCELERATED_AES) != 0; -} - -static int -check_cipher_order(void) -{ - unsigned long id, prev_id = 0; - const SSL_CIPHER *cipher; - int num_ciphers; - int i; - - num_ciphers = ssl3_num_ciphers(); - - for (i = 0; i < num_ciphers; i++) { - if ((cipher = ssl3_get_cipher_by_index(i)) == NULL) { - fprintf(stderr, "FAIL: ssl3_get_cipher(%d) returned " - "NULL\n", i); - return 1; - } - if ((id = SSL_CIPHER_get_id(cipher)) <= prev_id) { - fprintf(stderr, "FAIL: ssl3_ciphers is not sorted by " - "id - cipher %d (%lx) <= cipher %d (%lx)\n", - i, id, i - 1, prev_id); - return 1; - } - prev_id = id; - } - - return 0; -} - -struct ssl_cipher_test { - uint16_t value; - int auth_nid; - int cipher_nid; - int digest_nid; - int handshake_digest_nid; - int kx_nid; - int strength_bits; - int symmetric_bits; - int is_aead; -}; - -static const struct ssl_cipher_test 
ssl_cipher_tests[] = { - { - .value = 0x0004, - .auth_nid = NID_auth_rsa, - .cipher_nid = NID_rc4, - .digest_nid = NID_md5, - .handshake_digest_nid = NID_sha256, - .kx_nid = NID_kx_rsa, - .strength_bits = 128, - .symmetric_bits = 128, - }, - { - .value = 0x0005, - .auth_nid = NID_auth_rsa, - .cipher_nid = NID_rc4, - .digest_nid = NID_sha1, - .handshake_digest_nid = NID_sha256, - .kx_nid = NID_kx_rsa, - .strength_bits = 128, - .symmetric_bits = 128, - }, - { - .value = 0x000a, - .auth_nid = NID_auth_rsa, - .cipher_nid = NID_des_ede3_cbc, - .digest_nid = NID_sha1, - .handshake_digest_nid = NID_sha256, - .kx_nid = NID_kx_rsa, - .strength_bits = 112, - .symmetric_bits = 168, - }, - { - .value = 0x0016, - .auth_nid = NID_auth_rsa, - .cipher_nid = NID_des_ede3_cbc, - .digest_nid = NID_sha1, - .handshake_digest_nid = NID_sha256, - .kx_nid = NID_kx_dhe, - .strength_bits = 112, - .symmetric_bits = 168, - }, - { - .value = 0x0018, - .auth_nid = NID_auth_null, - .cipher_nid = NID_rc4, - .digest_nid = NID_md5, - .handshake_digest_nid = NID_sha256, - .kx_nid = NID_kx_dhe, - .strength_bits = 128, - .symmetric_bits = 128, - }, - { - .value = 0x001b, - .auth_nid = NID_auth_null, - .cipher_nid = NID_des_ede3_cbc, - .digest_nid = NID_sha1, - .handshake_digest_nid = NID_sha256, - .kx_nid = NID_kx_dhe, - .strength_bits = 112, - .symmetric_bits = 168, - }, - { - .value = 0x002f, - .auth_nid = NID_auth_rsa, - .cipher_nid = NID_aes_128_cbc, - .digest_nid = NID_sha1, - .handshake_digest_nid = NID_sha256, - .kx_nid = NID_kx_rsa, - .strength_bits = 128, - .symmetric_bits = 128, - }, - { - .value = 0x0033, - .auth_nid = NID_auth_rsa, - .cipher_nid = NID_aes_128_cbc, - .digest_nid = NID_sha1, - .handshake_digest_nid = NID_sha256, - .kx_nid = NID_kx_dhe, - .strength_bits = 128, - .symmetric_bits = 128, - }, - { - .value = 0x0034, - .auth_nid = NID_auth_null, - .cipher_nid = NID_aes_128_cbc, - .digest_nid = NID_sha1, - .handshake_digest_nid = NID_sha256, - .kx_nid = NID_kx_dhe, - .strength_bits 
= 128, - .symmetric_bits = 128, - }, - { - .value = 0x0035, - .auth_nid = NID_auth_rsa, - .cipher_nid = NID_aes_256_cbc, - .digest_nid = NID_sha1, - .handshake_digest_nid = NID_sha256, - .kx_nid = NID_kx_rsa, - .strength_bits = 256, - .symmetric_bits = 256, - }, - { - .value = 0x0039, - .auth_nid = NID_auth_rsa, - .cipher_nid = NID_aes_256_cbc, - .digest_nid = NID_sha1, - .handshake_digest_nid = NID_sha256, - .kx_nid = NID_kx_dhe, - .strength_bits = 256, - .symmetric_bits = 256, - }, - { - .value = 0x003a, - .auth_nid = NID_auth_null, - .cipher_nid = NID_aes_256_cbc, - .digest_nid = NID_sha1, - .handshake_digest_nid = NID_sha256, - .kx_nid = NID_kx_dhe, - .strength_bits = 256, - .symmetric_bits = 256, - }, - { - .value = 0x003c, - .auth_nid = NID_auth_rsa, - .cipher_nid = NID_aes_128_cbc, - .digest_nid = NID_sha256, - .handshake_digest_nid = NID_sha256, - .kx_nid = NID_kx_rsa, - .strength_bits = 128, - .symmetric_bits = 128, - }, - { - .value = 0x003d, - .auth_nid = NID_auth_rsa, - .cipher_nid = NID_aes_256_cbc, - .digest_nid = NID_sha256, - .handshake_digest_nid = NID_sha256, - .kx_nid = NID_kx_rsa, - .strength_bits = 256, - .symmetric_bits = 256, - }, - { - .value = 0x0041, - .auth_nid = NID_auth_rsa, - .cipher_nid = NID_camellia_128_cbc, - .digest_nid = NID_sha1, - .handshake_digest_nid = NID_sha256, - .kx_nid = NID_kx_rsa, - .strength_bits = 128, - .symmetric_bits = 128, - }, - { - .value = 0x0045, - .auth_nid = NID_auth_rsa, - .cipher_nid = NID_camellia_128_cbc, - .digest_nid = NID_sha1, - .handshake_digest_nid = NID_sha256, - .kx_nid = NID_kx_dhe, - .strength_bits = 128, - .symmetric_bits = 128, - }, - { - .value = 0x0046, - .auth_nid = NID_auth_null, - .cipher_nid = NID_camellia_128_cbc, - .digest_nid = NID_sha1, - .handshake_digest_nid = NID_sha256, - .kx_nid = NID_kx_dhe, - .strength_bits = 128, - .symmetric_bits = 128, - }, - { - .value = 0x0067, - .auth_nid = NID_auth_rsa, - .cipher_nid = NID_aes_128_cbc, - .digest_nid = NID_sha256, - 
.handshake_digest_nid = NID_sha256, - .kx_nid = NID_kx_dhe, - .strength_bits = 128, - .symmetric_bits = 128, - }, - { - .value = 0x006b, - .auth_nid = NID_auth_rsa, - .cipher_nid = NID_aes_256_cbc, - .digest_nid = NID_sha256, - .handshake_digest_nid = NID_sha256, - .kx_nid = NID_kx_dhe, - .strength_bits = 256, - .symmetric_bits = 256, - }, - { - .value = 0x006c, - .auth_nid = NID_auth_null, - .cipher_nid = NID_aes_128_cbc, - .digest_nid = NID_sha256, - .handshake_digest_nid = NID_sha256, - .kx_nid = NID_kx_dhe, - .strength_bits = 128, - .symmetric_bits = 128, - }, - { - .value = 0x006d, - .auth_nid = NID_auth_null, - .cipher_nid = NID_aes_256_cbc, - .digest_nid = NID_sha256, - .handshake_digest_nid = NID_sha256, - .kx_nid = NID_kx_dhe, - .strength_bits = 256, - .symmetric_bits = 256, - }, - { - .value = 0x0084, - .auth_nid = NID_auth_rsa, - .cipher_nid = NID_camellia_256_cbc, - .digest_nid = NID_sha1, - .handshake_digest_nid = NID_sha256, - .kx_nid = NID_kx_rsa, - .strength_bits = 256, - .symmetric_bits = 256, - }, - { - .value = 0x0088, - .auth_nid = NID_auth_rsa, - .cipher_nid = NID_camellia_256_cbc, - .digest_nid = NID_sha1, - .handshake_digest_nid = NID_sha256, - .kx_nid = NID_kx_dhe, - .strength_bits = 256, - .symmetric_bits = 256, - }, - { - .value = 0x0089, - .auth_nid = NID_auth_null, - .cipher_nid = NID_camellia_256_cbc, - .digest_nid = NID_sha1, - .handshake_digest_nid = NID_sha256, - .kx_nid = NID_kx_dhe, - .strength_bits = 256, - .symmetric_bits = 256, - }, - { - .value = 0x009c, - .auth_nid = NID_auth_rsa, - .cipher_nid = NID_aes_128_gcm, - .digest_nid = NID_undef, - .handshake_digest_nid = NID_sha256, - .kx_nid = NID_kx_rsa, - .strength_bits = 128, - .symmetric_bits = 128, - .is_aead = 1, - }, - { - .value = 0x009d, - .auth_nid = NID_auth_rsa, - .cipher_nid = NID_aes_256_gcm, - .digest_nid = NID_undef, - .handshake_digest_nid = NID_sha384, - .kx_nid = NID_kx_rsa, - .strength_bits = 256, - .symmetric_bits = 256, - .is_aead = 1, - }, - { - .value = 
0x009e, - .auth_nid = NID_auth_rsa, - .cipher_nid = NID_aes_128_gcm, - .digest_nid = NID_undef, - .handshake_digest_nid = NID_sha256, - .kx_nid = NID_kx_dhe, - .strength_bits = 128, - .symmetric_bits = 128, - .is_aead = 1, - }, - { - .value = 0x009f, - .auth_nid = NID_auth_rsa, - .cipher_nid = NID_aes_256_gcm, - .digest_nid = NID_undef, - .handshake_digest_nid = NID_sha384, - .kx_nid = NID_kx_dhe, - .strength_bits = 256, - .symmetric_bits = 256, - .is_aead = 1, - }, - { - .value = 0x00a6, - .auth_nid = NID_auth_null, - .cipher_nid = NID_aes_128_gcm, - .digest_nid = NID_undef, - .handshake_digest_nid = NID_sha256, - .kx_nid = NID_kx_dhe, - .strength_bits = 128, - .symmetric_bits = 128, - .is_aead = 1, - }, - { - .value = 0x00a7, - .auth_nid = NID_auth_null, - .cipher_nid = NID_aes_256_gcm, - .digest_nid = NID_undef, - .handshake_digest_nid = NID_sha384, - .kx_nid = NID_kx_dhe, - .strength_bits = 256, - .symmetric_bits = 256, - .is_aead = 1, - }, - { - .value = 0x00ba, - .auth_nid = NID_auth_rsa, - .cipher_nid = NID_camellia_128_cbc, - .digest_nid = NID_sha256, - .handshake_digest_nid = NID_sha256, - .kx_nid = NID_kx_rsa, - .strength_bits = 128, - .symmetric_bits = 128, - }, - { - .value = 0x00be, - .auth_nid = NID_auth_rsa, - .cipher_nid = NID_camellia_128_cbc, - .digest_nid = NID_sha256, - .handshake_digest_nid = NID_sha256, - .kx_nid = NID_kx_dhe, - .strength_bits = 128, - .symmetric_bits = 128, - }, - { - .value = 0x00bf, - .auth_nid = NID_auth_null, - .cipher_nid = NID_camellia_128_cbc, - .digest_nid = NID_sha256, - .handshake_digest_nid = NID_sha256, - .kx_nid = NID_kx_dhe, - .strength_bits = 128, - .symmetric_bits = 128, - }, - { - .value = 0x00c0, - .auth_nid = NID_auth_rsa, - .cipher_nid = NID_camellia_256_cbc, - .digest_nid = NID_sha256, - .handshake_digest_nid = NID_sha256, - .kx_nid = NID_kx_rsa, - .strength_bits = 256, - .symmetric_bits = 256, - }, - { - .value = 0x00c4, - .auth_nid = NID_auth_rsa, - .cipher_nid = NID_camellia_256_cbc, - .digest_nid = 
NID_sha256, - .handshake_digest_nid = NID_sha256, - .kx_nid = NID_kx_dhe, - .strength_bits = 256, - .symmetric_bits = 256, - }, - { - .value = 0x00c5, - .auth_nid = NID_auth_null, - .cipher_nid = NID_camellia_256_cbc, - .digest_nid = NID_sha256, - .handshake_digest_nid = NID_sha256, - .kx_nid = NID_kx_dhe, - .strength_bits = 256, - .symmetric_bits = 256, - }, - { - .value = 0x1301, - .auth_nid = NID_undef, - .cipher_nid = NID_aes_128_gcm, - .digest_nid = NID_undef, - .handshake_digest_nid = NID_sha256, - .kx_nid = NID_undef, - .strength_bits = 128, - .symmetric_bits = 128, - .is_aead = 1, - }, - { - .value = 0x1302, - .auth_nid = NID_undef, - .cipher_nid = NID_aes_256_gcm, - .digest_nid = NID_undef, - .handshake_digest_nid = NID_sha384, - .kx_nid = NID_undef, - .strength_bits = 256, - .symmetric_bits = 256, - .is_aead = 1, - }, - { - .value = 0x1303, - .auth_nid = NID_undef, - .cipher_nid = NID_chacha20_poly1305, - .digest_nid = NID_undef, - .handshake_digest_nid = NID_sha256, - .kx_nid = NID_undef, - .strength_bits = 256, - .symmetric_bits = 256, - .is_aead = 1, - }, - { - .value = 0xc007, - .auth_nid = NID_auth_ecdsa, - .cipher_nid = NID_rc4, - .digest_nid = NID_sha1, - .handshake_digest_nid = NID_sha256, - .kx_nid = NID_kx_ecdhe, - .strength_bits = 128, - .symmetric_bits = 128, - }, - { - .value = 0xc008, - .auth_nid = NID_auth_ecdsa, - .cipher_nid = NID_des_ede3_cbc, - .digest_nid = NID_sha1, - .handshake_digest_nid = NID_sha256, - .kx_nid = NID_kx_ecdhe, - .strength_bits = 112, - .symmetric_bits = 168, - }, - { - .value = 0xc009, - .auth_nid = NID_auth_ecdsa, - .cipher_nid = NID_aes_128_cbc, - .digest_nid = NID_sha1, - .handshake_digest_nid = NID_sha256, - .kx_nid = NID_kx_ecdhe, - .strength_bits = 128, - .symmetric_bits = 128, - }, - { - .value = 0xc00a, - .auth_nid = NID_auth_ecdsa, - .cipher_nid = NID_aes_256_cbc, - .digest_nid = NID_sha1, - .handshake_digest_nid = NID_sha256, - .kx_nid = NID_kx_ecdhe, - .strength_bits = 256, - .symmetric_bits = 256, - }, - 
{ - .value = 0xc011, - .auth_nid = NID_auth_rsa, - .cipher_nid = NID_rc4, - .digest_nid = NID_sha1, - .handshake_digest_nid = NID_sha256, - .kx_nid = NID_kx_ecdhe, - .strength_bits = 128, - .symmetric_bits = 128, - }, - { - .value = 0xc012, - .auth_nid = NID_auth_rsa, - .cipher_nid = NID_des_ede3_cbc, - .digest_nid = NID_sha1, - .handshake_digest_nid = NID_sha256, - .kx_nid = NID_kx_ecdhe, - .strength_bits = 112, - .symmetric_bits = 168, - }, - { - .value = 0xc013, - .auth_nid = NID_auth_rsa, - .cipher_nid = NID_aes_128_cbc, - .digest_nid = NID_sha1, - .handshake_digest_nid = NID_sha256, - .kx_nid = NID_kx_ecdhe, - .strength_bits = 128, - .symmetric_bits = 128, - }, - { - .value = 0xc014, - .auth_nid = NID_auth_rsa, - .cipher_nid = NID_aes_256_cbc, - .digest_nid = NID_sha1, - .handshake_digest_nid = NID_sha256, - .kx_nid = NID_kx_ecdhe, - .strength_bits = 256, - .symmetric_bits = 256, - }, - { - .value = 0xc016, - .auth_nid = NID_auth_null, - .cipher_nid = NID_rc4, - .digest_nid = NID_sha1, - .handshake_digest_nid = NID_sha256, - .kx_nid = NID_kx_ecdhe, - .strength_bits = 128, - .symmetric_bits = 128, - }, - { - .value = 0xc017, - .auth_nid = NID_auth_null, - .cipher_nid = NID_des_ede3_cbc, - .digest_nid = NID_sha1, - .handshake_digest_nid = NID_sha256, - .kx_nid = NID_kx_ecdhe, - .strength_bits = 112, - .symmetric_bits = 168, - }, - { - .value = 0xc018, - .auth_nid = NID_auth_null, - .cipher_nid = NID_aes_128_cbc, - .digest_nid = NID_sha1, - .handshake_digest_nid = NID_sha256, - .kx_nid = NID_kx_ecdhe, - .strength_bits = 128, - .symmetric_bits = 128, - }, - { - .value = 0xc019, - .auth_nid = NID_auth_null, - .cipher_nid = NID_aes_256_cbc, - .digest_nid = NID_sha1, - .handshake_digest_nid = NID_sha256, - .kx_nid = NID_kx_ecdhe, - .strength_bits = 256, - .symmetric_bits = 256, - }, - { - .value = 0xc023, - .auth_nid = NID_auth_ecdsa, - .cipher_nid = NID_aes_128_cbc, - .digest_nid = NID_sha256, - .handshake_digest_nid = NID_sha256, - .kx_nid = NID_kx_ecdhe, - 
.strength_bits = 128,
- .symmetric_bits = 128,
- },
- {
- .value = 0xc024,
- .auth_nid = NID_auth_ecdsa,
- .cipher_nid = NID_aes_256_cbc,
- .digest_nid = NID_sha384,
- .handshake_digest_nid = NID_sha384,
- .kx_nid = NID_kx_ecdhe,
- .strength_bits = 256,
- .symmetric_bits = 256,
- },
- {
- .value = 0xc027,
- .auth_nid = NID_auth_rsa,
- .cipher_nid = NID_aes_128_cbc,
- .digest_nid = NID_sha256,
- .handshake_digest_nid = NID_sha256,
- .kx_nid = NID_kx_ecdhe,
- .strength_bits = 128,
- .symmetric_bits = 128,
- },
- {
- .value = 0xc028,
- .auth_nid = NID_auth_rsa,
- .cipher_nid = NID_aes_256_cbc,
- .digest_nid = NID_sha384,
- .handshake_digest_nid = NID_sha384,
- .kx_nid = NID_kx_ecdhe,
- .strength_bits = 256,
- .symmetric_bits = 256,
- },
- {
- .value = 0xc02b,
- .auth_nid = NID_auth_ecdsa,
- .cipher_nid = NID_aes_128_gcm,
- .digest_nid = NID_undef,
- .handshake_digest_nid = NID_sha256,
- .kx_nid = NID_kx_ecdhe,
- .strength_bits = 128,
- .symmetric_bits = 128,
- .is_aead = 1,
- },
- {
- .value = 0xc02c,
- .auth_nid = NID_auth_ecdsa,
- .cipher_nid = NID_aes_256_gcm,
- .digest_nid = NID_undef,
- .handshake_digest_nid = NID_sha384,
- .kx_nid = NID_kx_ecdhe,
- .strength_bits = 256,
- .symmetric_bits = 256,
- .is_aead = 1,
- },
- {
- .value = 0xc02f,
- .auth_nid = NID_auth_rsa,
- .cipher_nid = NID_aes_128_gcm,
- .digest_nid = NID_undef,
- .handshake_digest_nid = NID_sha256,
- .kx_nid = NID_kx_ecdhe,
- .strength_bits = 128,
- .symmetric_bits = 128,
- .is_aead = 1,
- },
- {
- .value = 0xc030,
- .auth_nid = NID_auth_rsa,
- .cipher_nid = NID_aes_256_gcm,
- .digest_nid = NID_undef,
- .handshake_digest_nid = NID_sha384,
- .kx_nid = NID_kx_ecdhe,
- .strength_bits = 256,
- .symmetric_bits = 256,
- .is_aead = 1,
- },
- {
- .value = 0xcca8,
- .auth_nid = NID_auth_rsa,
- .cipher_nid = NID_chacha20_poly1305,
- .digest_nid = NID_undef,
- .handshake_digest_nid = NID_sha256,
- .kx_nid = NID_kx_ecdhe,
- .strength_bits = 256,
- .symmetric_bits = 256,
- .is_aead = 1,
- },
- {
- .value = 0xcca9,
- .auth_nid = NID_auth_ecdsa,
- .cipher_nid = NID_chacha20_poly1305,
- .digest_nid = NID_undef,
- .handshake_digest_nid = NID_sha256,
- .kx_nid = NID_kx_ecdhe,
- .strength_bits = 256,
- .symmetric_bits = 256,
- .is_aead = 1,
- },
- {
- .value = 0xccaa,
- .auth_nid = NID_auth_rsa,
- .cipher_nid = NID_chacha20_poly1305,
- .digest_nid = NID_undef,
- .handshake_digest_nid = NID_sha256,
- .kx_nid = NID_kx_dhe,
- .strength_bits = 256,
- .symmetric_bits = 256,
- .is_aead = 1,
- },
-};
-
-#define N_SSL_CIPHER_TESTS (sizeof(ssl_cipher_tests) / sizeof(ssl_cipher_tests[0]))
-
-static int
-test_ssl_ciphers(void)
-{
- int i, strength_bits, symmetric_bits;
- const struct ssl_cipher_test *sct;
- STACK_OF(SSL_CIPHER) *ciphers;
- const SSL_CIPHER *cipher;
- const EVP_MD *digest;
- unsigned char buf[2];
- const char *description;
- char desc_buf[256];
- SSL_CTX *ssl_ctx = NULL;
- SSL *ssl = NULL;
- size_t j;
- int ret = 1;
-
- if ((ssl_ctx = SSL_CTX_new(TLS_method())) == NULL) {
- fprintf(stderr, "SSL_CTX_new() returned NULL\n");
- goto failure;
- }
- if ((ssl = SSL_new(ssl_ctx)) == NULL) {
- fprintf(stderr, "SSL_new() returned NULL\n");
- goto failure;
- }
- if (!SSL_set_cipher_list(ssl, "ALL")) {
- fprintf(stderr, "SSL_set_cipher_list failed\n");
- goto failure;
- }
-
- if ((ciphers = SSL_get_ciphers(ssl)) == NULL) {
- fprintf(stderr, "no ciphers\n");
- goto failure;
- }
-
- if (sk_SSL_CIPHER_num(ciphers) != N_SSL_CIPHER_TESTS) {
- fprintf(stderr, "number of ciphers mismatch (%d != %zu)\n",
- sk_SSL_CIPHER_num(ciphers), N_SSL_CIPHER_TESTS);
- goto failure;
- }
-
- for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
- uint16_t cipher_value;
-
- cipher = sk_SSL_CIPHER_value(ciphers, i);
- cipher_value = SSL_CIPHER_get_value(cipher);
-
- buf[0] = cipher_value >> 8;
- buf[1] = cipher_value & 0xff;
-
- if ((cipher = SSL_CIPHER_find(ssl, buf)) == NULL) {
- fprintf(stderr, "SSL_CIPHER_find() returned NULL for %s\n",
- SSL_CIPHER_get_name(cipher));
- goto failure;
- }
- if (SSL_CIPHER_get_value(cipher) != cipher_value) {
- fprintf(stderr, "got cipher with value 0x%04x, want 0x%04x\n",
- SSL_CIPHER_get_value(cipher), cipher_value);
- goto failure;
- }
- if (SSL_CIPHER_get_id(cipher) != (0x03000000UL | cipher_value)) {
- fprintf(stderr, "got cipher id 0x%08lx, want 0x%08lx\n",
- SSL_CIPHER_get_id(cipher), (0x03000000UL | cipher_value));
- goto failure;
- }
-
- sct = NULL;
- for (j = 0; j < N_SSL_CIPHER_TESTS; j++) {
- if (ssl_cipher_tests[j].value == cipher_value) {
- sct = &ssl_cipher_tests[j];
- break;
- }
- }
- if (sct == NULL) {
- fprintf(stderr, "cipher '%s' (0x%04x) not found in test "
- "table\n", SSL_CIPHER_get_name(cipher), cipher_value);
- goto failure;
- }
-
- if (SSL_CIPHER_get_auth_nid(cipher) != sct->auth_nid) {
- fprintf(stderr, "cipher '%s' (0x%04x) - got auth nid %d, "
- "want %d\n", SSL_CIPHER_get_name(cipher), cipher_value,
- SSL_CIPHER_get_auth_nid(cipher), sct->auth_nid);
- goto failure;
- }
- if (SSL_CIPHER_get_cipher_nid(cipher) != sct->cipher_nid) {
- fprintf(stderr, "cipher '%s' (0x%04x) - got cipher nid %d, "
- "want %d\n", SSL_CIPHER_get_name(cipher), cipher_value,
- SSL_CIPHER_get_cipher_nid(cipher), sct->cipher_nid);
- goto failure;
- }
- if (SSL_CIPHER_get_digest_nid(cipher) != sct->digest_nid) {
- fprintf(stderr, "cipher '%s' (0x%04x) - got digest nid %d, "
- "want %d\n", SSL_CIPHER_get_name(cipher), cipher_value,
- SSL_CIPHER_get_digest_nid(cipher), sct->digest_nid);
- goto failure;
- }
- if (SSL_CIPHER_get_kx_nid(cipher) != sct->kx_nid) {
- fprintf(stderr, "cipher '%s' (0x%04x) - got kx nid %d, "
- "want %d\n", SSL_CIPHER_get_name(cipher), cipher_value,
- SSL_CIPHER_get_kx_nid(cipher), sct->kx_nid);
- goto failure;
- }
-
- /* Having API consistency is a wonderful thing... */
- digest = SSL_CIPHER_get_handshake_digest(cipher);
- if (EVP_MD_nid(digest) != sct->handshake_digest_nid) {
- fprintf(stderr, "cipher '%s' (0x%04x) - got handshake "
- "digest nid %d, want %d\n", SSL_CIPHER_get_name(cipher),
- cipher_value, EVP_MD_nid(digest), sct->handshake_digest_nid);
- goto failure;
- }
-
- strength_bits = SSL_CIPHER_get_bits(cipher, &symmetric_bits);
- if (strength_bits != sct->strength_bits) {
- fprintf(stderr, "cipher '%s' (0x%04x) - got strength bits "
- "%d, want %d\n", SSL_CIPHER_get_name(cipher),
- cipher_value, strength_bits, sct->strength_bits);
- goto failure;
- }
- if (symmetric_bits != sct->symmetric_bits) {
- fprintf(stderr, "cipher '%s' (0x%04x) - got symmetric bits "
- "%d, want %d\n", SSL_CIPHER_get_name(cipher),
- cipher_value, symmetric_bits, sct->symmetric_bits);
- goto failure;
- }
- if (SSL_CIPHER_is_aead(cipher) != sct->is_aead) {
- fprintf(stderr, "cipher '%s' (0x%04x) - got is aead %d, "
- "want %d\n", SSL_CIPHER_get_name(cipher), cipher_value,
- SSL_CIPHER_is_aead(cipher), sct->is_aead);
- goto failure;
- }
-
- if ((description = SSL_CIPHER_description(cipher, desc_buf,
- sizeof(desc_buf))) != desc_buf) {
- fprintf(stderr, "cipher '%s' (0x%04x) - failed to get "
- "description\n", SSL_CIPHER_get_name(cipher), cipher_value);
- goto failure;
- }
- }
-
- ret = 0;
-
- failure:
- SSL_CTX_free(ssl_ctx);
- SSL_free(ssl);
-
- return (ret);
-}
-
-struct parse_ciphersuites_test {
- const char *str;
- const int want;
- const unsigned long cids[32];
-};
-
-struct parse_ciphersuites_test parse_ciphersuites_tests[] = {
- {
- /* LibreSSL names. */
- .str = "AEAD-AES256-GCM-SHA384:AEAD-CHACHA20-POLY1305-SHA256:AEAD-AES128-GCM-SHA256",
- .want = 1,
- .cids = {
- TLS1_3_CK_AES_256_GCM_SHA384,
- TLS1_3_CK_CHACHA20_POLY1305_SHA256,
- TLS1_3_CK_AES_128_GCM_SHA256,
- },
- },
- {
- /* OpenSSL names. */
- .str = "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256",
- .want = 1,
- .cids = {
- TLS1_3_CK_AES_256_GCM_SHA384,
- TLS1_3_CK_CHACHA20_POLY1305_SHA256,
- TLS1_3_CK_AES_128_GCM_SHA256,
- },
- },
- {
- /* Different priority order. */
- .str = "AEAD-AES128-GCM-SHA256:AEAD-AES256-GCM-SHA384:AEAD-CHACHA20-POLY1305-SHA256",
- .want = 1,
- .cids = {
- TLS1_3_CK_AES_128_GCM_SHA256,
- TLS1_3_CK_AES_256_GCM_SHA384,
- TLS1_3_CK_CHACHA20_POLY1305_SHA256,
- },
- },
- {
- /* Known but unsupported names. */
- .str = "AEAD-AES256-GCM-SHA384:AEAD-AES128-CCM-SHA256:AEAD-AES128-CCM-8-SHA256",
- .want = 1,
- .cids = {
- TLS1_3_CK_AES_256_GCM_SHA384,
- },
- },
- {
- /* Empty string means no TLSv1.3 ciphersuites. */
- .str = "",
- .want = 1,
- .cids = { 0 },
- },
- {
- .str = "TLS_CHACHA20_POLY1305_SHA256:TLS_NOT_A_CIPHERSUITE",
- .want = 0,
- },
- {
- .str = "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_GCM_SHA256",
- .want = 0,
- },
-};
-
-#define N_PARSE_CIPHERSUITES_TESTS \
- (sizeof(parse_ciphersuites_tests) / sizeof(*parse_ciphersuites_tests))
-
-static int
-parse_ciphersuites_test(void)
-{
- struct parse_ciphersuites_test *pct;
- STACK_OF(SSL_CIPHER) *ciphers = NULL;
- SSL_CIPHER *cipher;
- int failed = 1;
- int j, ret;
- size_t i;
-
- for (i = 0; i < N_PARSE_CIPHERSUITES_TESTS; i++) {
- pct = &parse_ciphersuites_tests[i];
-
- ret = ssl_parse_ciphersuites(&ciphers, pct->str);
- if (ret != pct->want) {
- fprintf(stderr, "FAIL: test %zu - "
- "ssl_parse_ciphersuites returned %d, want %d\n",
- i, ret, pct->want);
- goto failed;
- }
- if (ret == 0)
- continue;
-
- for (j = 0; j < sk_SSL_CIPHER_num(ciphers); j++) {
- cipher = sk_SSL_CIPHER_value(ciphers, j);
- if (SSL_CIPHER_get_id(cipher) == pct->cids[j])
- continue;
- fprintf(stderr, "FAIL: test %zu - got cipher %d with "
- "id %lx, want %lx\n", i, j,
- SSL_CIPHER_get_id(cipher), pct->cids[j]);
- goto failed;
- }
- if (pct->cids[j] != 0) {
- fprintf(stderr, "FAIL: test %zu - got %d ciphers, "
- "expected more", i, sk_SSL_CIPHER_num(ciphers));
- goto failed;
- }
- }
-
- failed = 0;
-
- failed:
- sk_SSL_CIPHER_free(ciphers);
-
- return failed;
-}
-
-struct cipher_set_test {
- int ctx_ciphersuites_first;
- const char *ctx_ciphersuites;
- const char *ctx_rulestr;
- int ssl_ciphersuites_first;
- const char *ssl_ciphersuites;
- const char *ssl_rulestr;
- int cids_aes_accel_fixup;
- unsigned long cids[32];
-};
-
-struct cipher_set_test cipher_set_tests[] = {
- {
- .ctx_rulestr = "TLSv1.2+ECDHE+AEAD+AES",
- .cids_aes_accel_fixup = 1,
- .cids = {
- TLS1_3_CK_AES_256_GCM_SHA384,
- TLS1_3_CK_CHACHA20_POLY1305_SHA256,
- TLS1_3_CK_AES_128_GCM_SHA256,
- TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
- TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
- TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
- TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
- },
- },
- {
- .ssl_rulestr = "TLSv1.2+ECDHE+AEAD+AES",
- .cids_aes_accel_fixup = 1,
- .cids = {
- TLS1_3_CK_AES_256_GCM_SHA384,
- TLS1_3_CK_CHACHA20_POLY1305_SHA256,
- TLS1_3_CK_AES_128_GCM_SHA256,
- TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
- TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
- TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
- TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
- },
- },
- {
- .ctx_ciphersuites_first = 1,
- .ctx_ciphersuites = "AEAD-AES256-GCM-SHA384:AEAD-CHACHA20-POLY1305-SHA256",
- .ctx_rulestr = "TLSv1.2+ECDHE+AEAD+AES",
- .cids = {
- TLS1_3_CK_AES_256_GCM_SHA384,
- TLS1_3_CK_CHACHA20_POLY1305_SHA256,
- TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
- TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
- TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
- TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
- },
- },
- {
- .ssl_ciphersuites_first = 1,
- .ssl_ciphersuites = "AEAD-AES256-GCM-SHA384:AEAD-CHACHA20-POLY1305-SHA256",
- .ssl_rulestr = "TLSv1.2+ECDHE+AEAD+AES",
- .cids = {
- TLS1_3_CK_AES_256_GCM_SHA384,
- TLS1_3_CK_CHACHA20_POLY1305_SHA256,
- TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
- TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
- TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
- TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
- },
- },
- {
- .ctx_ciphersuites_first = 0,
- .ctx_ciphersuites = "AEAD-AES256-GCM-SHA384:AEAD-CHACHA20-POLY1305-SHA256",
- .ctx_rulestr = "TLSv1.2+ECDHE+AEAD+AES",
- .cids = {
- TLS1_3_CK_AES_256_GCM_SHA384,
- TLS1_3_CK_CHACHA20_POLY1305_SHA256,
- TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
- TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
- TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
- TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
- },
- },
- {
- .ssl_ciphersuites_first = 0,
- .ssl_ciphersuites = "AEAD-AES256-GCM-SHA384:AEAD-CHACHA20-POLY1305-SHA256",
- .ssl_rulestr = "TLSv1.2+ECDHE+AEAD+AES",
- .cids = {
- TLS1_3_CK_AES_256_GCM_SHA384,
- TLS1_3_CK_CHACHA20_POLY1305_SHA256,
- TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
- TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
- TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
- TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
- },
- },
- {
- .ssl_ciphersuites_first = 1,
- .ssl_ciphersuites = "",
- .ssl_rulestr = "TLSv1.2+ECDHE+AEAD+AES",
- .cids = {
- TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
- TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
- TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
- TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
- },
- },
- {
- .ssl_ciphersuites_first = 0,
- .ssl_ciphersuites = "",
- .ssl_rulestr = "TLSv1.2+ECDHE+AEAD+AES",
- .cids = {
- TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
- TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
- TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
- TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
- },
- },
- {
- .ctx_ciphersuites = "AEAD-AES256-GCM-SHA384:AEAD-CHACHA20-POLY1305-SHA256",
- .ssl_rulestr = "TLSv1.2+ECDHE+AEAD+AES",
- .cids = {
- TLS1_3_CK_AES_256_GCM_SHA384,
- TLS1_3_CK_CHACHA20_POLY1305_SHA256,
- TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
- TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
- TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
- TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
- },
- },
- {
- .ctx_rulestr = "TLSv1.2+ECDHE+AEAD+AES",
- .ssl_ciphersuites = "AEAD-AES256-GCM-SHA384:AEAD-CHACHA20-POLY1305-SHA256",
- .cids = {
- TLS1_3_CK_AES_256_GCM_SHA384,
- TLS1_3_CK_CHACHA20_POLY1305_SHA256,
- TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
- TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
- TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
- TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
- },
- },
-};
-
-#define N_CIPHER_SET_TESTS \
- (sizeof(cipher_set_tests) / sizeof(*cipher_set_tests))
-
-static int
-cipher_set_test(void)
-{
- struct cipher_set_test *cst;
- STACK_OF(SSL_CIPHER) *ciphers = NULL;
- SSL_CIPHER *cipher;
- SSL_CTX *ctx = NULL;
- SSL *ssl = NULL;
- int failed = 0;
- size_t i;
- int j;
-
- for (i = 0; i < N_CIPHER_SET_TESTS; i++) {
- cst = &cipher_set_tests[i];
-
- if (!ssl_aes_is_accelerated() && cst->cids_aes_accel_fixup) {
- cst->cids[0] = TLS1_3_CK_CHACHA20_POLY1305_SHA256;
- cst->cids[1] = TLS1_3_CK_AES_256_GCM_SHA384;
- }
-
- if ((ctx = SSL_CTX_new(TLS_method())) == NULL)
- errx(1, "SSL_CTX_new");
-
- if (cst->ctx_ciphersuites_first && cst->ctx_ciphersuites != NULL) {
- if (!SSL_CTX_set_ciphersuites(ctx, cst->ctx_ciphersuites))
- errx(1, "SSL_CTX_set_ciphersuites");
- }
- if (cst->ctx_rulestr != NULL) {
- if (!SSL_CTX_set_cipher_list(ctx, cst->ctx_rulestr))
- errx(1, "SSL_CTX_set_cipher_list");
- }
- if (!cst->ctx_ciphersuites_first && cst->ctx_ciphersuites != NULL) {
- if (!SSL_CTX_set_ciphersuites(ctx, cst->ctx_ciphersuites))
- errx(1, "SSL_CTX_set_ciphersuites");
- }
-
- /* XXX - check SSL_CTX_get_ciphers(ctx) */
-
- if ((ssl = SSL_new(ctx)) == NULL)
- errx(1, "SSL_new");
-
- if (cst->ssl_ciphersuites_first && cst->ssl_ciphersuites != NULL) {
- if (!SSL_set_ciphersuites(ssl, cst->ssl_ciphersuites))
- errx(1, "SSL_set_ciphersuites");
- }
- if (cst->ssl_rulestr != NULL) {
- if (!SSL_set_cipher_list(ssl, cst->ssl_rulestr))
- errx(1, "SSL_set_cipher_list");
- }
- if (!cst->ssl_ciphersuites_first && cst->ssl_ciphersuites != NULL) {
- if (!SSL_set_ciphersuites(ssl, cst->ssl_ciphersuites))
- errx(1, "SSL_set_ciphersuites");
- }
-
- ciphers = SSL_get_ciphers(ssl);
-
- for (j = 0; j < sk_SSL_CIPHER_num(ciphers); j++) {
- cipher = sk_SSL_CIPHER_value(ciphers, j);
- if (SSL_CIPHER_get_id(cipher) == cst->cids[j])
- continue;
- fprintf(stderr, "FAIL: test %zu - got cipher %d with "
- "id %lx, want %lx\n", i, j,
- SSL_CIPHER_get_id(cipher), cst->cids[j]);
- failed |= 1;
- }
- if (cst->cids[j] != 0) {
- fprintf(stderr, "FAIL: test %zu - got %d ciphers, "
- "expected more", i, sk_SSL_CIPHER_num(ciphers));
- failed |= 1;
- }
-
- SSL_CTX_free(ctx);
- SSL_free(ssl);
- }
-
- return failed;
-}
-
-int
-main(int argc, char **argv)
-{
- int failed = 0;
-
- failed |= check_cipher_order();
-
- failed |= test_ssl_ciphers();
-
- failed |= parse_ciphersuites_test();
- failed |= cipher_set_test();
-
- return (failed);
-}
diff --git a/src/regress/lib/libssl/client/Makefile b/src/regress/lib/libssl/client/Makefile
deleted file mode 100644
index 7e2d7a3ecf..0000000000
--- a/src/regress/lib/libssl/client/Makefile
+++ /dev/null
@@ -1,9 +0,0 @@
-# $OpenBSD: Makefile,v 1.6 2024/07/20 18:37:38 tb Exp $
-
-PROG= clienttest
-LDADD= ${SSL_INT} -lcrypto
-DPADD= ${LIBSSL} ${LIBCRYPTO}
-WARNINGS= Yes
-CFLAGS+= -DLIBRESSL_INTERNAL -Werror
-
-.include
diff --git a/src/regress/lib/libssl/client/clienttest.c b/src/regress/lib/libssl/client/clienttest.c
deleted file mode 100644
index 7e96944fce..0000000000
--- a/src/regress/lib/libssl/client/clienttest.c
+++ /dev/null
@@ -1,744 +0,0 @@
-/* $OpenBSD: clienttest.c,v 1.45 2024/08/31 12:47:24 jsing Exp $ */
-/*
- * Copyright (c) 2015 Joel Sing
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include
-
-#include
-#include
-
-#include
-#include
-#include
-
-#define DTLS_HM_OFFSET (DTLS1_RT_HEADER_LENGTH + DTLS1_HM_HEADER_LENGTH)
-#define DTLS_RANDOM_OFFSET (DTLS_HM_OFFSET + 2)
-#define DTLS_CIPHER_OFFSET (DTLS_HM_OFFSET + 38)
-
-#define SSL3_HM_OFFSET (SSL3_RT_HEADER_LENGTH + SSL3_HM_HEADER_LENGTH)
-#define SSL3_RANDOM_OFFSET (SSL3_HM_OFFSET + 2)
-#define SSL3_CIPHER_OFFSET (SSL3_HM_OFFSET + 37)
-
-#define TLS13_HM_OFFSET (SSL3_RT_HEADER_LENGTH + SSL3_HM_HEADER_LENGTH)
-#define TLS13_RANDOM_OFFSET (TLS13_HM_OFFSET + 2)
-#define TLS13_SESSION_OFFSET (TLS13_HM_OFFSET + 34)
-#define TLS13_CIPHER_OFFSET (TLS13_HM_OFFSET + 69)
-#define TLS13_KEY_SHARE_OFFSET (TLS13_HM_OFFSET + 198)
-#define TLS13_ONLY_KEY_SHARE_OFFSET (TLS13_HM_OFFSET + 112)
-
-#define TLS1_3_VERSION_ONLY (TLS1_3_VERSION | 0x10000)
-
-int tlsext_linearize_build_order(SSL *);
-
-static const uint8_t cipher_list_dtls1[] = {
- 0xc0, 0x14, 0xc0, 0x0a, 0x00, 0x39, 0xff, 0x85,
- 0x00, 0x88, 0x00, 0x81, 0x00, 0x35, 0x00, 0x84,
- 0xc0, 0x13, 0xc0, 0x09, 0x00, 0x33, 0x00, 0x45,
- 0x00, 0x2f, 0x00, 0x41, 0xc0, 0x12, 0xc0, 0x08,
- 0x00, 0x16, 0x00, 0x0a, 0x00, 0xff,
-};
-
-static const uint8_t client_hello_dtls1[] = {
- 0x16, 0xfe, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x74, 0x01, 0x00, 0x00,
- 0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x68, 0xfe, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x26, 0xc0,
- 0x14, 0xc0, 0x0a, 0x00, 0x39, 0xff, 0x85, 0x00,
- 0x88, 0x00, 0x81, 0x00, 0x35, 0x00, 0x84, 0xc0,
- 0x13, 0xc0, 0x09, 0x00, 0x33, 0x00, 0x45, 0x00,
- 0x2f, 0x00, 0x41, 0xc0, 0x12, 0xc0, 0x08, 0x00,
- 0x16, 0x00, 0x0a, 0x00, 0xff, 0x01, 0x00, 0x00,
- 0x18, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00,
- 0x0a, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x1d, 0x00,
- 0x17, 0x00, 0x18, 0x00, 0x19, 0x00, 0x23, 0x00,
- 0x00,
-};
-
-static const uint8_t cipher_list_dtls12_aes[] = {
- 0xc0, 0x30, 0xc0, 0x2c, 0xc0, 0x28, 0xc0, 0x24,
- 0xc0, 0x14, 0xc0, 0x0a, 0x00, 0x9f, 0x00, 0x6b,
- 0x00, 0x39, 0xcc, 0xa9, 0xcc, 0xa8, 0xcc, 0xaa,
- 0x00, 0xc4, 0x00, 0x88, 0x00, 0x9d, 0x00, 0x3d,
- 0x00, 0x35, 0x00, 0xc0, 0x00, 0x84, 0xc0, 0x2f,
- 0xc0, 0x2b, 0xc0, 0x27, 0xc0, 0x23, 0xc0, 0x13,
- 0xc0, 0x09, 0x00, 0x9e, 0x00, 0x67, 0x00, 0x33,
- 0x00, 0xbe, 0x00, 0x45, 0x00, 0x9c, 0x00, 0x3c,
- 0x00, 0x2f, 0x00, 0xba, 0x00, 0x41, 0xc0, 0x12,
- 0xc0, 0x08, 0x00, 0x16, 0x00, 0x0a, 0x00, 0xff,
-};
-
-static const uint8_t cipher_list_dtls12_chacha[] = {
- 0xcc, 0xa9, 0xcc, 0xa8, 0xcc, 0xaa, 0xc0, 0x30,
- 0xc0, 0x2c, 0xc0, 0x28, 0xc0, 0x24, 0xc0, 0x14,
- 0xc0, 0x0a, 0x00, 0x9f, 0x00, 0x6b, 0x00, 0x39,
- 0x00, 0xc4, 0x00, 0x88, 0x00, 0x9d, 0x00, 0x3d,
- 0x00, 0x35, 0x00, 0xc0, 0x00, 0x84, 0xc0, 0x2f,
- 0xc0, 0x2b, 0xc0, 0x27, 0xc0, 0x23, 0xc0, 0x13,
- 0xc0, 0x09, 0x00, 0x9e, 0x00, 0x67, 0x00, 0x33,
- 0x00, 0xbe, 0x00, 0x45, 0x00, 0x9c, 0x00, 0x3c,
- 0x00, 0x2f, 0x00, 0xba, 0x00, 0x41, 0xc0, 0x12,
- 0xc0, 0x08, 0x00, 0x16, 0x00, 0x0a, 0x00, 0xff,
-};
-
-static const uint8_t client_hello_dtls12[] = {
- 0x16, 0xfe, 0xfd, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0xba, 0x01, 0x00, 0x00,
- 0xae, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0xae, 0xfe, 0xfd, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x50, 0xc0,
- 0x30, 0xc0, 0x2c, 0xc0, 0x28, 0xc0, 0x24, 0xc0,
- 0x14, 0xc0, 0x0a, 0x00, 0x9f, 0x00, 0x6b, 0x00,
- 0x39, 0xcc, 0xa9, 0xcc, 0xa8, 0xcc, 0xaa, 0x00,
- 0xc4, 0x00, 0x88, 0x00, 0x9d, 0x00, 0x3d, 0x00,
- 0x35, 0x00, 0xc0, 0x00, 0x84, 0xc0, 0x2f, 0xc0,
- 0x2b, 0xc0, 0x27, 0xc0, 0x23, 0xc0, 0x13, 0xc0,
- 0x09, 0x00, 0x9e, 0x00, 0x67, 0x00, 0x33, 0x00,
- 0xbe, 0x00, 0x45, 0x00, 0x9c, 0x00, 0x3c, 0x00,
- 0x2f, 0x00, 0xba, 0x00, 0x41, 0xc0, 0x12, 0xc0,
- 0x08, 0x00, 0x16, 0x00, 0x0a, 0x00, 0xff, 0x01,
- 0x00, 0x00, 0x34, 0x00, 0x0a, 0x00, 0x0a, 0x00,
- 0x08, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00,
- 0x19, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00,
- 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x18, 0x00,
- 0x16, 0x08, 0x06, 0x06, 0x01, 0x06, 0x03, 0x08,
- 0x05, 0x05, 0x01, 0x05, 0x03, 0x08, 0x04, 0x04,
- 0x01, 0x04, 0x03, 0x02, 0x01, 0x02, 0x03,
-};
-
-static const uint8_t cipher_list_tls10[] = {
- 0xc0, 0x14, 0xc0, 0x0a, 0x00, 0x39, 0xff, 0x85,
- 0x00, 0x88, 0x00, 0x81, 0x00, 0x35, 0x00, 0x84,
- 0xc0, 0x13, 0xc0, 0x09, 0x00, 0x33, 0x00, 0x45,
- 0x00, 0x2f, 0x00, 0x41, 0xc0, 0x11, 0xc0, 0x07,
- 0x00, 0x05, 0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16,
- 0x00, 0x0a, 0x00, 0xff,
-};
-
-static const uint8_t client_hello_tls10[] = {
- 0x16, 0x03, 0x01, 0x00, 0x71, 0x01, 0x00, 0x00,
- 0x6d, 0x03, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x2c, 0xc0, 0x14,
- 0xc0, 0x0a, 0x00, 0x39, 0xff, 0x85, 0x00, 0x88,
- 0x00, 0x81, 0x00, 0x35, 0x00, 0x84, 0xc0, 0x13,
- 0xc0, 0x09, 0x00, 0x33, 0x00, 0x45, 0x00, 0x2f,
- 0x00, 0x41, 0xc0, 0x11, 0xc0, 0x07, 0x00, 0x05,
- 0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16, 0x00, 0x0a,
- 0x00, 0xff, 0x01, 0x00, 0x00, 0x18, 0x00, 0x0b,
- 0x00, 0x02, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x0a,
- 0x00, 0x08, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18,
- 0x00, 0x19, 0x00, 0x23, 0x00, 0x00,
-};
-
-static const uint8_t cipher_list_tls11[] = {
- 0xc0, 0x14, 0xc0, 0x0a, 0x00, 0x39, 0xff, 0x85,
- 0x00, 0x88, 0x00, 0x81, 0x00, 0x35, 0x00, 0x84,
- 0xc0, 0x13, 0xc0, 0x09, 0x00, 0x33, 0x00, 0x45,
- 0x00, 0x2f, 0x00, 0x41, 0xc0, 0x11, 0xc0, 0x07,
- 0x00, 0x05, 0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16,
- 0x00, 0x0a, 0x00, 0xff,
-};
-
-static const uint8_t client_hello_tls11[] = {
- 0x16, 0x03, 0x01, 0x00, 0x71, 0x01, 0x00, 0x00,
- 0x6d, 0x03, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x2c, 0xc0, 0x14,
- 0xc0, 0x0a, 0x00, 0x39, 0xff, 0x85, 0x00, 0x88,
- 0x00, 0x81, 0x00, 0x35, 0x00, 0x84, 0xc0, 0x13,
- 0xc0, 0x09, 0x00, 0x33, 0x00, 0x45, 0x00, 0x2f,
- 0x00, 0x41, 0xc0, 0x11, 0xc0, 0x07, 0x00, 0x05,
- 0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16, 0x00, 0x0a,
- 0x00, 0xff, 0x01, 0x00, 0x00, 0x18, 0x00, 0x0b,
- 0x00, 0x02, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x0a,
- 0x00, 0x08, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18,
- 0x00, 0x19, 0x00, 0x23, 0x00, 0x00,
-};
-
-static const uint8_t cipher_list_tls12_aes[] = {
- 0xc0, 0x30, 0xc0, 0x2c, 0xc0, 0x28, 0xc0, 0x24,
- 0xc0, 0x14, 0xc0, 0x0a, 0x00, 0x9f, 0x00, 0x6b,
- 0x00, 0x39, 0xcc, 0xa9, 0xcc, 0xa8, 0xcc, 0xaa,
- 0x00, 0xc4, 0x00, 0x88, 0x00, 0x9d, 0x00, 0x3d,
- 0x00, 0x35, 0x00, 0xc0, 0x00, 0x84, 0xc0, 0x2f,
- 0xc0, 0x2b, 0xc0, 0x27, 0xc0, 0x23, 0xc0, 0x13,
- 0xc0, 0x09, 0x00, 0x9e, 0x00, 0x67, 0x00, 0x33,
- 0x00, 0xbe, 0x00, 0x45, 0x00, 0x9c, 0x00, 0x3c,
- 0x00, 0x2f, 0x00, 0xba, 0x00, 0x41, 0xc0, 0x11,
- 0xc0, 0x07, 0x00, 0x05, 0xc0, 0x12, 0xc0, 0x08,
- 0x00, 0x16, 0x00, 0x0a, 0x00, 0xff,
-};
-
-static const uint8_t cipher_list_tls12_chacha[] = {
- 0xcc, 0xa9, 0xcc, 0xa8, 0xcc, 0xaa, 0xc0, 0x30,
- 0xc0, 0x2c, 0xc0, 0x28, 0xc0, 0x24, 0xc0, 0x14,
- 0xc0, 0x0a, 0x00, 0x9f, 0x00, 0x6b, 0x00, 0x39,
- 0x00, 0xc4, 0x00, 0x88, 0x00, 0x9d, 0x00, 0x3d,
- 0x00, 0x35, 0x00, 0xc0, 0x00, 0x84, 0xc0, 0x2f,
- 0xc0, 0x2b, 0xc0, 0x27, 0xc0, 0x23, 0xc0, 0x13,
- 0xc0, 0x09, 0x00, 0x9e, 0x00, 0x67, 0x00, 0x33,
- 0x00, 0xbe, 0x00, 0x45, 0x00, 0x9c, 0x00, 0x3c,
- 0x00, 0x2f, 0x00, 0xba, 0x00, 0x41, 0xc0, 0x11,
- 0xc0, 0x07, 0x00, 0x05, 0xc0, 0x12, 0xc0, 0x08,
- 0x00, 0x16, 0x00, 0x0a, 0x00, 0xff,
-};
-
-static const uint8_t client_hello_tls12[] = {
- 0x16, 0x03, 0x03, 0x00, 0xb7, 0x01, 0x00, 0x00,
- 0xb3, 0x03, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x56, 0xc0, 0x30,
- 0xc0, 0x2c, 0xc0, 0x28, 0xc0, 0x24, 0xc0, 0x14,
- 0xc0, 0x0a, 0x00, 0x9f, 0x00, 0x6b, 0x00, 0x39,
- 0xcc, 0xa9, 0xcc, 0xa8, 0xcc, 0xaa, 0x00, 0xc4,
- 0x00, 0x88, 0x00, 0x9d, 0x00, 0x3d, 0x00, 0x35,
- 0x00, 0xc0, 0x00, 0x84, 0xc0, 0x2f, 0xc0, 0x2b,
- 0xc0, 0x27, 0xc0, 0x23, 0xc0, 0x13, 0xc0, 0x09,
- 0x00, 0x9e, 0x00, 0x67, 0x00, 0x33, 0x00, 0xbe,
- 0x00, 0x45, 0x00, 0x9c, 0x00, 0x3c, 0x00, 0x2f,
- 0x00, 0xba, 0x00, 0x41, 0xc0, 0x11, 0xc0, 0x07,
- 0x00, 0x05, 0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16,
- 0x00, 0x0a, 0x00, 0xff, 0x01, 0x00, 0x00, 0x34,
- 0x00, 0x0a, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x1d,
- 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x00, 0x0b,
- 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00,
- 0x00, 0x0d, 0x00, 0x18, 0x00, 0x16, 0x08, 0x06,
- 0x06, 0x01, 0x06, 0x03, 0x08, 0x05, 0x05, 0x01,
- 0x05, 0x03, 0x08, 0x04, 0x04, 0x01, 0x04, 0x03,
- 0x02, 0x01, 0x02, 0x03,
-};
-
-static const uint8_t cipher_list_tls13_aes[] = {
- 0x13, 0x02, 0x13, 0x03, 0x13, 0x01, 0xc0, 0x30,
- 0xc0, 0x2c, 0xc0, 0x28, 0xc0, 0x24, 0xc0, 0x14,
- 0xc0, 0x0a, 0x00, 0x9f, 0x00, 0x6b, 0x00, 0x39,
- 0xcc, 0xa9, 0xcc, 0xa8, 0xcc, 0xaa, 0x00, 0xc4,
- 0x00, 0x88, 0x00, 0x9d, 0x00, 0x3d, 0x00, 0x35,
- 0x00, 0xc0, 0x00, 0x84, 0xc0, 0x2f, 0xc0, 0x2b,
- 0xc0, 0x27, 0xc0, 0x23, 0xc0, 0x13, 0xc0, 0x09,
- 0x00, 0x9e, 0x00, 0x67, 0x00, 0x33, 0x00, 0xbe,
- 0x00, 0x45, 0x00, 0x9c, 0x00, 0x3c, 0x00, 0x2f,
- 0x00, 0xba, 0x00, 0x41, 0xc0, 0x11, 0xc0, 0x07,
- 0x00, 0x05, 0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16,
- 0x00, 0x0a, 0x00, 0xff,
-};
-
-static const uint8_t cipher_list_tls13_chacha[] = {
- 0x13, 0x03, 0x13, 0x02, 0x13, 0x01, 0xcc, 0xa9,
- 0xcc, 0xa8, 0xcc, 0xaa, 0xc0, 0x30, 0xc0, 0x2c,
- 0xc0, 0x28, 0xc0, 0x24, 0xc0, 0x14, 0xc0, 0x0a,
- 0x00, 0x9f, 0x00, 0x6b, 0x00, 0x39, 0x00, 0xc4,
- 0x00, 0x88, 0x00, 0x9d, 0x00, 0x3d, 0x00, 0x35,
- 0x00, 0xc0, 0x00, 0x84, 0xc0, 0x2f, 0xc0, 0x2b,
- 0xc0, 0x27, 0xc0, 0x23, 0xc0, 0x13, 0xc0, 0x09,
- 0x00, 0x9e, 0x00, 0x67, 0x00, 0x33, 0x00, 0xbe,
- 0x00, 0x45, 0x00, 0x9c, 0x00, 0x3c, 0x00, 0x2f,
- 0x00, 0xba, 0x00, 0x41, 0xc0, 0x11, 0xc0, 0x07,
- 0x00, 0x05, 0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16,
- 0x00, 0x0a, 0x00, 0xff,
-};
-
-static const uint8_t client_hello_tls13[] = {
- 0x16, 0x03, 0x03, 0x01, 0x10, 0x01, 0x00, 0x01,
- 0x0c, 0x03, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x5c, 0x13, 0x03,
- 0x13, 0x02, 0x13, 0x01, 0xcc, 0xa9, 0xcc, 0xa8,
- 0xcc, 0xaa, 0xc0, 0x30, 0xc0, 0x2c, 0xc0, 0x28,
- 0xc0, 0x24, 0xc0, 0x14, 0xc0, 0x0a, 0x00, 0x9f,
- 0x00, 0x6b, 0x00, 0x39, 0x00, 0xc4, 0x00, 0x88,
- 0x00, 0x81, 0x00, 0x9d, 0x00, 0x3d, 0x00, 0x35,
- 0x00, 0xc0, 0x00, 0x84, 0xc0, 0x2f, 0xc0, 0x2b,
- 0xc0, 0x27, 0xc0, 0x23, 0xc0, 0x13, 0xc0, 0x09,
- 0x00, 0x9e, 0x00, 0x67, 0x00, 0x33, 0x00, 0xbe,
- 0x00, 0x45, 0x00, 0x9c, 0x00, 0x3c, 0x00, 0x2f,
- 0x00, 0xba, 0x00, 0x41, 0xc0, 0x11, 0xc0, 0x07,
- 0x00, 0x05, 0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16,
- 0x00, 0x0a, 0x01, 0x00, 0x00, 0x67, 0x00, 0x2b,
- 0x00, 0x05, 0x04, 0x03, 0x04, 0x03, 0x03, 0x00,
- 0x0a, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x1d, 0x00,
- 0x17, 0x00, 0x18, 0x00, 0x19, 0x00, 0x33, 0x00,
- 0x26, 0x00, 0x24, 0x00, 0x1d, 0x00, 0x20, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00,
- 0x00, 0x00, 0x0d, 0x00, 0x18, 0x00, 0x16, 0x08,
- 0x06, 0x06, 0x01, 0x06, 0x03, 0x08, 0x05, 0x05,
- 0x01, 0x05, 0x03, 0x08, 0x04, 0x04, 0x01, 0x04,
- 0x03, 0x02, 0x01, 0x02, 0x03,
-};
-
-static const uint8_t cipher_list_tls13_only_aes[] = {
- 0x13, 0x02, 0x13, 0x03, 0x13, 0x01,
-};
-
-static const uint8_t cipher_list_tls13_only_chacha[] = {
- 0x13, 0x03, 0x13, 0x02, 0x13, 0x01,
-};
-
-static const uint8_t client_hello_tls13_only[] = {
- 0x16, 0x03, 0x03, 0x00, 0xb6, 0x01, 0x00, 0x00,
- 0xb2, 0x03, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x13, 0x03,
- 0x13, 0x02, 0x13, 0x01, 0x00, 0xff, 0x01, 0x00,
- 0x00, 0x61, 0x00, 0x2b, 0x00, 0x03, 0x02, 0x03,
- 0x04, 0x00, 0x0a, 0x00, 0x0a, 0x00, 0x08, 0x00,
- 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x00,
- 0x33, 0x00, 0x26, 0x00, 0x24, 0x00, 0x1d, 0x00,
- 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00,
- 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x14, 0x00,
- 0x12, 0x08, 0x06, 0x06, 0x01, 0x06, 0x03, 0x08,
- 0x05, 0x05, 0x01, 0x05, 0x03, 0x08, 0x04, 0x04,
- 0x01, 0x04, 0x03,
-};
-
-struct client_hello_test {
- const char *desc;
- const int protocol;
- const size_t random_start;
- const size_t session_start;
- const size_t key_share_start;
- const SSL_METHOD *(*ssl_method)(void);
- const long ssl_options;
- int connect_fails;
-};
-
-static const struct client_hello_test client_hello_tests[] = {
- {
- .desc = "DTLSv1 client method",
- .protocol = DTLS1_VERSION,
- .random_start = DTLS_RANDOM_OFFSET,
- .ssl_method = DTLSv1_client_method,
- .connect_fails = 1,
- },
- {
- .desc = "DTLSv1.2 client method",
- .protocol = DTLS1_2_VERSION,
- .random_start = DTLS_RANDOM_OFFSET,
- .ssl_method = DTLSv1_2_client_method,
- },
- {
- .desc = "DTLS client method",
- .protocol = DTLS1_2_VERSION,
- .random_start = DTLS_RANDOM_OFFSET,
- .ssl_method = DTLS_client_method,
- },
- {
- .desc = "DTLS client method (no DTLSv1.2)",
- .protocol = DTLS1_VERSION,
- .random_start = DTLS_RANDOM_OFFSET,
- .ssl_method = DTLS_client_method,
- .ssl_options = SSL_OP_NO_DTLSv1_2,
- .connect_fails = 1,
- },
- {
- .desc = "DTLS client method (no DTLSv1.0)",
- .protocol = DTLS1_2_VERSION,
- .random_start = DTLS_RANDOM_OFFSET,
- .ssl_method = DTLS_client_method,
- .ssl_options = SSL_OP_NO_DTLSv1,
- },
- {
- .desc = "TLSv1 client method",
- .protocol = TLS1_VERSION,
- .random_start = SSL3_RANDOM_OFFSET,
- .ssl_method = TLSv1_client_method,
- .connect_fails = 1,
- },
- {
- .desc = "TLSv1_1 client method",
- .protocol = TLS1_1_VERSION,
- .random_start = SSL3_RANDOM_OFFSET,
- .ssl_method = TLSv1_1_client_method,
- .connect_fails = 1,
- },
- {
- .desc = "TLSv1_2 client method",
- .protocol = TLS1_2_VERSION,
- .random_start = SSL3_RANDOM_OFFSET,
- .ssl_method = TLSv1_2_client_method,
- },
- {
- .desc = "SSLv23 default",
- .protocol = TLS1_3_VERSION,
- .random_start = TLS13_RANDOM_OFFSET,
- .session_start = TLS13_SESSION_OFFSET,
- .key_share_start = TLS13_KEY_SHARE_OFFSET,
- .ssl_method = SSLv23_client_method,
- .ssl_options = 0,
- },
- {
- .desc = "SSLv23 default (no TLSv1.3)",
- .protocol = TLS1_2_VERSION,
- .random_start = SSL3_RANDOM_OFFSET,
- .ssl_method = SSLv23_client_method,
- .ssl_options = SSL_OP_NO_TLSv1_3,
- },
- {
- .desc = "SSLv23 (no TLSv1.2)",
- .protocol = TLS1_3_VERSION_ONLY,
- .random_start = TLS13_RANDOM_OFFSET,
- .session_start = TLS13_SESSION_OFFSET,
- .key_share_start = TLS13_ONLY_KEY_SHARE_OFFSET,
- .ssl_method = SSLv23_client_method,
- .ssl_options = SSL_OP_NO_TLSv1_2,
- },
- {
- .desc = "SSLv23 (no TLSv1.1)",
- .protocol = TLS1_3_VERSION,
- .random_start = TLS13_RANDOM_OFFSET,
- .session_start = TLS13_SESSION_OFFSET,
- .key_share_start = TLS13_KEY_SHARE_OFFSET,
- .ssl_method = SSLv23_client_method,
- .ssl_options = SSL_OP_NO_TLSv1_1,
- },
- {
- .desc = "TLS default",
- .protocol = TLS1_3_VERSION,
- .random_start = TLS13_RANDOM_OFFSET,
- .session_start = TLS13_SESSION_OFFSET,
- .key_share_start = TLS13_KEY_SHARE_OFFSET,
- .ssl_method = TLS_client_method,
- .ssl_options = 0,
- },
- {
- .desc = "TLS (no TLSv1.3)",
- .protocol = TLS1_2_VERSION,
- .random_start = SSL3_RANDOM_OFFSET,
- .ssl_method = TLS_client_method,
- .ssl_options = SSL_OP_NO_TLSv1_3,
- },
- {
- .desc = "TLS (no TLSv1.2)",
- .protocol = TLS1_3_VERSION_ONLY,
- .random_start = TLS13_RANDOM_OFFSET,
- .session_start = TLS13_SESSION_OFFSET,
- .key_share_start = TLS13_ONLY_KEY_SHARE_OFFSET,
- .ssl_method = TLS_client_method,
- .ssl_options = SSL_OP_NO_TLSv1_2,
- },
- {
- .desc = "TLS (no TLSv1.1)",
- .protocol = TLS1_3_VERSION,
- .random_start = TLS13_RANDOM_OFFSET,
- .session_start = TLS13_SESSION_OFFSET,
- .key_share_start = TLS13_KEY_SHARE_OFFSET,
- .ssl_method = TLS_client_method,
- .ssl_options = SSL_OP_NO_TLSv1_1,
- },
-#if 0
- /* XXX - build client hello with explicit versions extension. */
- {
- .desc = "TLS (no TLSv1.0, no TLSv1.1)",
- .protocol = TLS1_3_VERSION,
- .random_start = TLS13_RANDOM_OFFSET,
- .session_start = TLS13_SESSION_OFFSET,
- .key_share_start = TLS13_KEY_SHARE_OFFSET,
- .ssl_method = TLS_client_method,
- .ssl_options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1,
- },
-#endif
- {
- .desc = "TLS (no TLSv1.0, no TLSv1.1, no TLSv1.2)",
- .protocol = TLS1_3_VERSION_ONLY,
- .random_start = TLS13_RANDOM_OFFSET,
- .session_start = TLS13_SESSION_OFFSET,
- .key_share_start = TLS13_ONLY_KEY_SHARE_OFFSET,
- .ssl_method = TLS_client_method,
- .ssl_options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2,
- },
-};
-
-#define N_CLIENT_HELLO_TESTS \
- (sizeof(client_hello_tests) / sizeof(*client_hello_tests))
-
-static void
-hexdump(const uint8_t *buf, size_t len, const uint8_t *compare)
-{
- const char *mark = "";
- size_t i;
-
- for (i = 1; i <= len; i++) {
- if (compare != NULL)
- mark = (buf[i - 1] != compare[i - 1]) ? "*" : " ";
- fprintf(stderr, " %s0x%02hhx,%s", mark, buf[i - 1],
- i % 8 && i != len ? "" : "\n");
- }
- fprintf(stderr, "\n");
-}
-
-static inline int
-ssl_aes_is_accelerated(void)
-{
- return (OPENSSL_cpu_caps() & CRYPTO_CPU_CAPS_ACCELERATED_AES) != 0;
-}
-
-static int
-make_client_hello(int protocol, char **out, size_t *outlen)
-{
- size_t client_hello_len, cipher_list_len, cipher_list_offset;
- const uint8_t *client_hello, *cipher_list;
- char *p;
-
- *out = NULL;
- *outlen = 0;
-
- switch (protocol) {
- case DTLS1_VERSION:
- client_hello = client_hello_dtls1;
- client_hello_len = sizeof(client_hello_dtls1);
- cipher_list = cipher_list_dtls1;
- cipher_list_len = sizeof(cipher_list_dtls1);
- cipher_list_offset = DTLS_CIPHER_OFFSET;
- break;
-
- case DTLS1_2_VERSION:
- client_hello = client_hello_dtls12;
- client_hello_len = sizeof(client_hello_dtls12);
- cipher_list = cipher_list_dtls12_chacha;
- cipher_list_len = sizeof(cipher_list_dtls12_chacha);
- if (ssl_aes_is_accelerated()) {
- cipher_list = cipher_list_dtls12_aes;
- cipher_list_len = sizeof(cipher_list_dtls12_aes);
- }
- cipher_list_offset = DTLS_CIPHER_OFFSET;
- break;
-
- case TLS1_VERSION:
- client_hello = client_hello_tls10;
- client_hello_len = sizeof(client_hello_tls10);
- cipher_list = cipher_list_tls10;
- cipher_list_len = sizeof(cipher_list_tls10);
- cipher_list_offset = SSL3_CIPHER_OFFSET;
- break;
-
- case TLS1_1_VERSION:
- client_hello = client_hello_tls11;
- client_hello_len = sizeof(client_hello_tls11);
- cipher_list = cipher_list_tls11;
- cipher_list_len = sizeof(cipher_list_tls11);
- cipher_list_offset = SSL3_CIPHER_OFFSET;
- break;
-
- case TLS1_2_VERSION:
- client_hello = client_hello_tls12;
- client_hello_len = sizeof(client_hello_tls12);
- cipher_list = cipher_list_tls12_chacha;
- cipher_list_len = sizeof(cipher_list_tls12_chacha);
- if (ssl_aes_is_accelerated()) {
- cipher_list = cipher_list_tls12_aes;
- cipher_list_len = sizeof(cipher_list_tls12_aes);
- }
- cipher_list_offset = SSL3_CIPHER_OFFSET;
- break;
-
- case TLS1_3_VERSION:
- client_hello = client_hello_tls13;
-
client_hello_len = sizeof(client_hello_tls13); - cipher_list = cipher_list_tls13_chacha; - cipher_list_len = sizeof(cipher_list_tls13_chacha); - if (ssl_aes_is_accelerated()) { - cipher_list = cipher_list_tls13_aes; - cipher_list_len = sizeof(cipher_list_tls13_aes); - } - cipher_list_offset = TLS13_CIPHER_OFFSET; - break; - - case TLS1_3_VERSION_ONLY: - client_hello = client_hello_tls13_only; - client_hello_len = sizeof(client_hello_tls13_only); - cipher_list = cipher_list_tls13_only_chacha; - cipher_list_len = sizeof(cipher_list_tls13_only_chacha); - if (ssl_aes_is_accelerated()) { - cipher_list = cipher_list_tls13_only_aes; - cipher_list_len = sizeof(cipher_list_tls13_only_aes); - } - cipher_list_offset = TLS13_CIPHER_OFFSET; - break; - - default: - return (-1); - } - - if ((p = malloc(client_hello_len)) == NULL) - return (-1); - - memcpy(p, client_hello, client_hello_len); - memcpy(p + cipher_list_offset, cipher_list, cipher_list_len); - - *out = p; - *outlen = client_hello_len; - - return (0); -} - -static int -client_hello_test(int testno, const struct client_hello_test *cht) -{ - BIO *rbio = NULL, *wbio = NULL; - SSL_CTX *ssl_ctx = NULL; - SSL *ssl = NULL; - char *client_hello = NULL; - size_t client_hello_len; - size_t session_len; - char *wbuf, rbuf[1]; - int ret = 1; - long len; - - fprintf(stderr, "Test %d - %s\n", testno, cht->desc); - - /* Providing a small buf causes *_get_server_hello() to return. 
*/ - if ((rbio = BIO_new_mem_buf(rbuf, sizeof(rbuf))) == NULL) { - fprintf(stderr, "Failed to setup rbio\n"); - goto failure; - } - if ((wbio = BIO_new(BIO_s_mem())) == NULL) { - fprintf(stderr, "Failed to setup wbio\n"); - goto failure; - } - - if ((ssl_ctx = SSL_CTX_new(cht->ssl_method())) == NULL) { - fprintf(stderr, "SSL_CTX_new() returned NULL\n"); - goto failure; - } - - SSL_CTX_set_options(ssl_ctx, cht->ssl_options); - - if ((ssl = SSL_new(ssl_ctx)) == NULL) { - fprintf(stderr, "SSL_new() returned NULL\n"); - goto failure; - } - - if (!tlsext_linearize_build_order(ssl)) { - fprintf(stderr, "failed to linearize build order"); - goto failure; - } - - BIO_up_ref(rbio); - BIO_up_ref(wbio); - SSL_set_bio(ssl, rbio, wbio); - - if (SSL_connect(ssl) != 0) { - if (cht->connect_fails) - goto done; - fprintf(stderr, "SSL_connect() returned non-zero\n"); - goto failure; - } - - len = BIO_get_mem_data(wbio, &wbuf); - - if (make_client_hello(cht->protocol, &client_hello, - &client_hello_len) != 0) - errx(1, "failed to make client hello"); - - if ((size_t)len != client_hello_len) { - fprintf(stderr, "FAIL: test returned ClientHello length %ld, " - "want %zu\n", len, client_hello_len); - fprintf(stderr, "received:\n"); - hexdump(wbuf, len, NULL); - fprintf(stderr, "test data:\n"); - hexdump(client_hello, client_hello_len, NULL); - fprintf(stderr, "\n"); - goto failure; - } - - /* We expect the client random to differ. 
*/
- if (memcmp(&client_hello[cht->random_start], &wbuf[cht->random_start],
- SSL3_RANDOM_SIZE) == 0) {
- fprintf(stderr, "FAIL: ClientHello has zeroed random\n");
- goto failure;
- }
-
- memset(&wbuf[cht->random_start], 0, SSL3_RANDOM_SIZE);
-
- if (cht->session_start > 0) {
- session_len = wbuf[cht->session_start];
- if (session_len > 0)
- memset(&wbuf[cht->session_start + 1], 0, session_len);
- }
- if (cht->key_share_start > 0)
- memset(&wbuf[cht->key_share_start], 0, 32);
-
- if (memcmp(client_hello, wbuf, client_hello_len) != 0) {
- fprintf(stderr, "FAIL: ClientHello differs:\n");
- fprintf(stderr, "received:\n");
- hexdump(wbuf, len, client_hello);
- fprintf(stderr, "test data:\n");
- hexdump(client_hello, client_hello_len, wbuf);
- fprintf(stderr, "\n");
- goto failure;
- }
-
- done:
- ret = 0;
-
- failure:
- SSL_CTX_free(ssl_ctx);
- SSL_free(ssl);
-
- BIO_free(rbio);
- BIO_free(wbio);
-
- free(client_hello);
-
- return (ret);
-}
-
-int
-main(int argc, char **argv)
-{
- int failed = 0;
- size_t i;
-
- SSL_library_init();
-
- for (i = 0; i < N_CLIENT_HELLO_TESTS; i++)
- failed |= client_hello_test(i, &client_hello_tests[i]);
-
- return (failed);
-}
diff --git a/src/regress/lib/libssl/dtls/Makefile b/src/regress/lib/libssl/dtls/Makefile
deleted file mode 100644
index b58dae61b6..0000000000
--- a/src/regress/lib/libssl/dtls/Makefile
+++ /dev/null
@@ -1,21 +0,0 @@
-# $OpenBSD: Makefile,v 1.4 2024/03/20 10:38:05 jsing Exp $
-
-PROG= dtlstest
-LDADD= ${SSL_INT} -lcrypto
-DPADD= ${LIBSSL} ${LIBCRYPTO}
-WARNINGS= Yes
-CFLAGS+= -DLIBRESSL_INTERNAL -Werror
-CFLAGS+= -I${.CURDIR}/../../../../lib/libcrypto/bio
-CFLAGS+= -I${.CURDIR}/../../../../lib/libssl
-
-REGRESS_TARGETS= \
- regress-dtlstest
-
-# XXX(jsing): use CA root and chain
-regress-dtlstest: ${PROG}
- ./dtlstest \
- ${.CURDIR}/../../libssl/certs/server1-rsa.pem \
- ${.CURDIR}/../../libssl/certs/server1-rsa.pem \
- ${.CURDIR}/../../libssl/certs/ca-int-rsa.pem
-
-.include
diff --git a/src/regress/lib/libssl/dtls/dtlstest.c b/src/regress/lib/libssl/dtls/dtlstest.c
deleted file mode 100644
index a749bcf0ed..0000000000
--- a/src/regress/lib/libssl/dtls/dtlstest.c
+++ /dev/null
@@ -1,1077 +0,0 @@ -/* $OpenBSD: dtlstest.c,v 1.18 2022/11/26 16:08:56 tb Exp $ */ -/* - * Copyright (c) 2020, 2021 Joel Sing - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#include -#include - -#include -#include -#include -#include - -#include -#include -#include - -#include "bio_local.h" -#include "ssl_local.h" - -const char *server_ca_file; -const char *server_cert_file; -const char *server_key_file; - -char dtls_cookie[32]; - -int debug = 0; - -void tls12_record_layer_set_initial_epoch(struct tls12_record_layer *rl, - uint16_t epoch); - -static void -hexdump(const unsigned char *buf, size_t len) -{ - size_t i; - - for (i = 1; i <= len; i++) - fprintf(stderr, " 0x%02hhx,%s", buf[i - 1], i % 8 ? 
"" : "\n"); - - if (len % 8) - fprintf(stderr, "\n"); -} - -#define BIO_C_DELAY_COUNT 1000 -#define BIO_C_DELAY_FLUSH 1001 -#define BIO_C_DELAY_PACKET 1002 -#define BIO_C_DROP_PACKET 1003 -#define BIO_C_DROP_RANDOM 1004 - -struct bio_packet_monkey_ctx { - unsigned int delay_count; - unsigned int delay_mask; - unsigned int drop_rand; - unsigned int drop_mask; - uint8_t *delayed_msg; - size_t delayed_msg_len; -}; - -static int -bio_packet_monkey_new(BIO *bio) -{ - struct bio_packet_monkey_ctx *ctx; - - if ((ctx = calloc(1, sizeof(*ctx))) == NULL) - return 0; - - bio->flags = 0; - bio->init = 1; - bio->num = 0; - bio->ptr = ctx; - - return 1; -} - -static int -bio_packet_monkey_free(BIO *bio) -{ - struct bio_packet_monkey_ctx *ctx; - - if (bio == NULL) - return 1; - - ctx = bio->ptr; - free(ctx->delayed_msg); - free(ctx); - - return 1; -} - -static int -bio_packet_monkey_delay_flush(BIO *bio) -{ - struct bio_packet_monkey_ctx *ctx = bio->ptr; - - if (ctx->delayed_msg == NULL) - return 1; - - if (debug) - fprintf(stderr, "DEBUG: flushing delayed packet...\n"); - if (debug > 1) - hexdump(ctx->delayed_msg, ctx->delayed_msg_len); - - BIO_write(bio->next_bio, ctx->delayed_msg, ctx->delayed_msg_len); - - free(ctx->delayed_msg); - ctx->delayed_msg = NULL; - - return BIO_ctrl(bio->next_bio, BIO_CTRL_FLUSH, 0, NULL); -} - -static long -bio_packet_monkey_ctrl(BIO *bio, int cmd, long num, void *ptr) -{ - struct bio_packet_monkey_ctx *ctx; - - ctx = bio->ptr; - - switch (cmd) { - case BIO_C_DELAY_COUNT: - if (num < 1 || num > 31) - return 0; - ctx->delay_count = num; - return 1; - - case BIO_C_DELAY_FLUSH: - return bio_packet_monkey_delay_flush(bio); - - case BIO_C_DELAY_PACKET: - if (num < 1 || num > 31) - return 0; - ctx->delay_mask |= 1 << ((unsigned int)num - 1); - return 1; - - case BIO_C_DROP_PACKET: - if (num < 1 || num > 31) - return 0; - ctx->drop_mask |= 1 << ((unsigned int)num - 1); - return 1; - - case BIO_C_DROP_RANDOM: - if (num < 0 || (size_t)num > UINT_MAX) - 
return 0; - ctx->drop_rand = (unsigned int)num; - return 1; - } - - if (bio->next_bio == NULL) - return 0; - - return BIO_ctrl(bio->next_bio, cmd, num, ptr); -} - -static int -bio_packet_monkey_read(BIO *bio, char *out, int out_len) -{ - struct bio_packet_monkey_ctx *ctx = bio->ptr; - int ret; - - if (ctx == NULL || bio->next_bio == NULL) - return 0; - - ret = BIO_read(bio->next_bio, out, out_len); - - if (ret > 0) { - if (debug) - fprintf(stderr, "DEBUG: read packet...\n"); - if (debug > 1) - hexdump(out, ret); - } - - BIO_clear_retry_flags(bio); - if (ret <= 0 && BIO_should_retry(bio->next_bio)) - BIO_set_retry_read(bio); - - return ret; -} - -static int -bio_packet_monkey_write(BIO *bio, const char *in, int in_len) -{ - struct bio_packet_monkey_ctx *ctx = bio->ptr; - const char *label = "writing"; - int delay = 0, drop = 0; - int ret; - - if (ctx == NULL || bio->next_bio == NULL) - return 0; - - if (ctx->delayed_msg != NULL && ctx->delay_count > 0) - ctx->delay_count--; - - if (ctx->delayed_msg != NULL && ctx->delay_count == 0) { - if (debug) - fprintf(stderr, "DEBUG: writing delayed packet...\n"); - if (debug > 1) - hexdump(ctx->delayed_msg, ctx->delayed_msg_len); - - ret = BIO_write(bio->next_bio, ctx->delayed_msg, - ctx->delayed_msg_len); - - BIO_clear_retry_flags(bio); - if (ret <= 0 && BIO_should_retry(bio->next_bio)) { - BIO_set_retry_write(bio); - return (ret); - } - - free(ctx->delayed_msg); - ctx->delayed_msg = NULL; - } - - if (ctx->delay_mask > 0) { - delay = ctx->delay_mask & 1; - ctx->delay_mask >>= 1; - } - if (ctx->drop_rand > 0) { - drop = arc4random_uniform(ctx->drop_rand) == 0; - } else if (ctx->drop_mask > 0) { - drop = ctx->drop_mask & 1; - ctx->drop_mask >>= 1; - } - - if (delay) - label = "delaying"; - if (drop) - label = "dropping"; - if (debug) - fprintf(stderr, "DEBUG: %s packet...\n", label); - if (debug > 1) - hexdump(in, in_len); - - if (drop) - return in_len; - - if (delay) { - if (ctx->delayed_msg != NULL) - return 0; - if 
((ctx->delayed_msg = calloc(1, in_len)) == NULL) - return 0; - memcpy(ctx->delayed_msg, in, in_len); - ctx->delayed_msg_len = in_len; - return in_len; - } - - ret = BIO_write(bio->next_bio, in, in_len); - - BIO_clear_retry_flags(bio); - if (ret <= 0 && BIO_should_retry(bio->next_bio)) - BIO_set_retry_write(bio); - - return ret; -} - -static int -bio_packet_monkey_puts(BIO *bio, const char *str) -{ - return bio_packet_monkey_write(bio, str, strlen(str)); -} - -static const BIO_METHOD bio_packet_monkey = { - .type = BIO_TYPE_BUFFER, - .name = "packet monkey", - .bread = bio_packet_monkey_read, - .bwrite = bio_packet_monkey_write, - .bputs = bio_packet_monkey_puts, - .ctrl = bio_packet_monkey_ctrl, - .create = bio_packet_monkey_new, - .destroy = bio_packet_monkey_free -}; - -static const BIO_METHOD * -BIO_f_packet_monkey(void) -{ - return &bio_packet_monkey; -} - -static BIO * -BIO_new_packet_monkey(void) -{ - return BIO_new(BIO_f_packet_monkey()); -} - -static int -BIO_packet_monkey_delay(BIO *bio, int num, int count) -{ - if (!BIO_ctrl(bio, BIO_C_DELAY_COUNT, count, NULL)) - return 0; - - return BIO_ctrl(bio, BIO_C_DELAY_PACKET, num, NULL); -} - -static int -BIO_packet_monkey_delay_flush(BIO *bio) -{ - return BIO_ctrl(bio, BIO_C_DELAY_FLUSH, 0, NULL); -} - -static int -BIO_packet_monkey_drop(BIO *bio, int num) -{ - return BIO_ctrl(bio, BIO_C_DROP_PACKET, num, NULL); -} - -#if 0 -static int -BIO_packet_monkey_drop_random(BIO *bio, int num) -{ - return BIO_ctrl(bio, BIO_C_DROP_RANDOM, num, NULL); -} -#endif - -static int -datagram_pair(int *client_sock, int *server_sock, - struct sockaddr_in *server_sin) -{ - struct sockaddr_in sin; - socklen_t sock_len; - int cs = -1, ss = -1; - - memset(&sin, 0, sizeof(sin)); - sin.sin_family = AF_INET; - sin.sin_port = 0; - sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK); - - if ((ss = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1) - err(1, "server socket"); - if (bind(ss, (struct sockaddr *)&sin, sizeof(sin)) == -1) - err(1, 
"server bind"); - sock_len = sizeof(sin); - if (getsockname(ss, (struct sockaddr *)&sin, &sock_len) == -1) - err(1, "server getsockname"); - - if ((cs = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1) - err(1, "client socket"); - if (connect(cs, (struct sockaddr *)&sin, sizeof(sin)) == -1) - err(1, "client connect"); - - *client_sock = cs; - *server_sock = ss; - memcpy(server_sin, &sin, sizeof(sin)); - - return 1; -} - -static int -poll_timeout(SSL *client, SSL *server) -{ - int client_timeout = 0, server_timeout = 0; - struct timeval timeout; - - if (DTLSv1_get_timeout(client, &timeout)) - client_timeout = timeout.tv_sec * 1000 + timeout.tv_usec / 1000; - - if (DTLSv1_get_timeout(server, &timeout)) - server_timeout = timeout.tv_sec * 1000 + timeout.tv_usec / 1000; - - if (client_timeout < 10) - client_timeout = 10; - if (server_timeout < 10) - server_timeout = 10; - - /* XXX */ - if (client_timeout <= 0) - return server_timeout; - if (client_timeout > 0 && server_timeout <= 0) - return client_timeout; - if (client_timeout < server_timeout) - return client_timeout; - - return server_timeout; -} - -static int -dtls_cookie_generate(SSL *ssl, unsigned char *cookie, - unsigned int *cookie_len) -{ - arc4random_buf(dtls_cookie, sizeof(dtls_cookie)); - memcpy(cookie, dtls_cookie, sizeof(dtls_cookie)); - *cookie_len = sizeof(dtls_cookie); - - return 1; -} - -static int -dtls_cookie_verify(SSL *ssl, const unsigned char *cookie, - unsigned int cookie_len) -{ - return cookie_len == sizeof(dtls_cookie) && - memcmp(cookie, dtls_cookie, sizeof(dtls_cookie)) == 0; -} - -static void -dtls_info_callback(const SSL *ssl, int type, int val) -{ - /* - * Squeals ahead... remove the bbio from the info callback, so we can - * drop specific messages. Ideally this would be an option for the SSL. 
- */ - if (ssl->wbio == ssl->bbio) - ((SSL *)ssl)->wbio = BIO_pop(ssl->wbio); -} - -static SSL * -dtls_client(int sock, struct sockaddr_in *server_sin, long mtu) -{ - SSL_CTX *ssl_ctx = NULL; - SSL *ssl = NULL; - BIO *bio = NULL; - - if ((bio = BIO_new_dgram(sock, BIO_NOCLOSE)) == NULL) - errx(1, "client bio"); - if (!BIO_socket_nbio(sock, 1)) - errx(1, "client nbio"); - if (!BIO_ctrl_set_connected(bio, 1, server_sin)) - errx(1, "client set connected"); - - if ((ssl_ctx = SSL_CTX_new(DTLS_method())) == NULL) - errx(1, "client context"); - - if ((ssl = SSL_new(ssl_ctx)) == NULL) - errx(1, "client ssl"); - - SSL_set_bio(ssl, bio, bio); - bio = NULL; - - if (mtu > 0) { - SSL_set_options(ssl, SSL_OP_NO_QUERY_MTU); - SSL_set_mtu(ssl, mtu); - } - - SSL_CTX_free(ssl_ctx); - BIO_free(bio); - - return ssl; -} - -static SSL * -dtls_server(int sock, long options, long mtu) -{ - SSL_CTX *ssl_ctx = NULL; - SSL *ssl = NULL; - BIO *bio = NULL; - - if ((bio = BIO_new_dgram(sock, BIO_NOCLOSE)) == NULL) - errx(1, "server bio"); - if (!BIO_socket_nbio(sock, 1)) - errx(1, "server nbio"); - - if ((ssl_ctx = SSL_CTX_new(DTLS_method())) == NULL) - errx(1, "server context"); - - SSL_CTX_set_cookie_generate_cb(ssl_ctx, dtls_cookie_generate); - SSL_CTX_set_cookie_verify_cb(ssl_ctx, dtls_cookie_verify); - SSL_CTX_set_dh_auto(ssl_ctx, 2); - SSL_CTX_set_options(ssl_ctx, options); - - if (SSL_CTX_use_certificate_chain_file(ssl_ctx, server_cert_file) != 1) { - fprintf(stderr, "FAIL: Failed to load server certificate"); - goto failure; - } - if (SSL_CTX_use_PrivateKey_file(ssl_ctx, server_key_file, - SSL_FILETYPE_PEM) != 1) { - fprintf(stderr, "FAIL: Failed to load server private key"); - goto failure; - } - - if ((ssl = SSL_new(ssl_ctx)) == NULL) - errx(1, "server ssl"); - - if (SSL_use_certificate_chain_file(ssl, server_cert_file) != 1) { - fprintf(stderr, "FAIL: Failed to load server certificate"); - goto failure; - } - SSL_set_bio(ssl, bio, bio); - bio = NULL; - - if (mtu > 0) { - 
SSL_set_options(ssl, SSL_OP_NO_QUERY_MTU); - SSL_set_mtu(ssl, mtu); - } - - failure: - SSL_CTX_free(ssl_ctx); - BIO_free(bio); - - return ssl; -} - -static int -ssl_error(SSL *ssl, const char *name, const char *desc, int ssl_ret, - short *events) -{ - int ssl_err; - - ssl_err = SSL_get_error(ssl, ssl_ret); - - if (ssl_err == SSL_ERROR_WANT_READ) { - *events = POLLIN; - } else if (ssl_err == SSL_ERROR_WANT_WRITE) { - *events = POLLOUT; - } else if (ssl_err == SSL_ERROR_SYSCALL && errno == 0) { - /* Yup, this is apparently a thing... */ - } else { - fprintf(stderr, "FAIL: %s %s failed - ssl err = %d, errno = %d\n", - name, desc, ssl_err, errno); - ERR_print_errors_fp(stderr); - return 0; - } - - return 1; -} - -static int -do_connect(SSL *ssl, const char *name, int *done, short *events) -{ - int ssl_ret; - - if ((ssl_ret = SSL_connect(ssl)) != 1) - return ssl_error(ssl, name, "connect", ssl_ret, events); - - fprintf(stderr, "INFO: %s connect done\n", name); - *done = 1; - - return 1; -} - -static int -do_connect_read(SSL *ssl, const char *name, int *done, short *events) -{ - uint8_t buf[2048]; - int ssl_ret; - int i; - - if ((ssl_ret = SSL_connect(ssl)) != 1) - return ssl_error(ssl, name, "connect", ssl_ret, events); - - fprintf(stderr, "INFO: %s connect done\n", name); - *done = 1; - - for (i = 0; i < 3; i++) { - fprintf(stderr, "INFO: %s reading after connect\n", name); - if ((ssl_ret = SSL_read(ssl, buf, sizeof(buf))) != 3) { - fprintf(stderr, "ERROR: %s read failed\n", name); - return 0; - } - } - - return 1; -} - -static int -do_connect_shutdown(SSL *ssl, const char *name, int *done, short *events) -{ - uint8_t buf[2048]; - int ssl_ret; - - if ((ssl_ret = SSL_connect(ssl)) != 1) - return ssl_error(ssl, name, "connect", ssl_ret, events); - - fprintf(stderr, "INFO: %s connect done\n", name); - *done = 1; - - ssl_ret = SSL_read(ssl, buf, sizeof(buf)); - if (SSL_get_error(ssl, ssl_ret) != SSL_ERROR_ZERO_RETURN) { - fprintf(stderr, "FAIL: %s did not receive 
close-notify\n", name); - return 0; - } - - fprintf(stderr, "INFO: %s received close-notify\n", name); - - return 1; -} - -static int -do_accept(SSL *ssl, const char *name, int *done, short *events) -{ - int ssl_ret; - - if ((ssl_ret = SSL_accept(ssl)) != 1) - return ssl_error(ssl, name, "accept", ssl_ret, events); - - fprintf(stderr, "INFO: %s accept done\n", name); - *done = 1; - - return 1; -} - -static int -do_accept_write(SSL *ssl, const char *name, int *done, short *events) -{ - int ssl_ret; - BIO *bio; - int i; - - if ((ssl_ret = SSL_accept(ssl)) != 1) - return ssl_error(ssl, name, "accept", ssl_ret, events); - - fprintf(stderr, "INFO: %s accept done\n", name); - - for (i = 0; i < 3; i++) { - fprintf(stderr, "INFO: %s writing after accept\n", name); - if ((ssl_ret = SSL_write(ssl, "abc", 3)) != 3) { - fprintf(stderr, "ERROR: %s write failed\n", name); - return 0; - } - } - - if ((bio = SSL_get_wbio(ssl)) == NULL) - errx(1, "SSL has NULL bio"); - - /* Flush any delayed packets. */ - BIO_packet_monkey_delay_flush(bio); - - *done = 1; - return 1; -} - -static int -do_accept_shutdown(SSL *ssl, const char *name, int *done, short *events) -{ - int ssl_ret; - BIO *bio; - - if ((ssl_ret = SSL_accept(ssl)) != 1) - return ssl_error(ssl, name, "accept", ssl_ret, events); - - fprintf(stderr, "INFO: %s accept done\n", name); - - SSL_shutdown(ssl); - - if ((bio = SSL_get_wbio(ssl)) == NULL) - errx(1, "SSL has NULL bio"); - - /* Flush any delayed packets. 
*/ - BIO_packet_monkey_delay_flush(bio); - - *done = 1; - return 1; -} - -static int -do_read(SSL *ssl, const char *name, int *done, short *events) -{ - uint8_t buf[512]; - int ssl_ret; - - if ((ssl_ret = SSL_read(ssl, buf, sizeof(buf))) > 0) { - fprintf(stderr, "INFO: %s read done\n", name); - if (debug > 1) - hexdump(buf, ssl_ret); - *done = 1; - return 1; - } - - return ssl_error(ssl, name, "read", ssl_ret, events); -} - -static int -do_write(SSL *ssl, const char *name, int *done, short *events) -{ - const uint8_t buf[] = "Hello, World!\n"; - int ssl_ret; - - if ((ssl_ret = SSL_write(ssl, buf, sizeof(buf))) > 0) { - fprintf(stderr, "INFO: %s write done\n", name); - *done = 1; - return 1; - } - - return ssl_error(ssl, name, "write", ssl_ret, events); -} - -static int -do_shutdown(SSL *ssl, const char *name, int *done, short *events) -{ - int ssl_ret; - - ssl_ret = SSL_shutdown(ssl); - if (ssl_ret == 1) { - fprintf(stderr, "INFO: %s shutdown done\n", name); - *done = 1; - return 1; - } - return ssl_error(ssl, name, "shutdown", ssl_ret, events); -} - -typedef int (ssl_func)(SSL *ssl, const char *name, int *done, short *events); - -static int -do_client_server_loop(SSL *client, ssl_func *client_func, SSL *server, - ssl_func *server_func, struct pollfd pfd[2]) -{ - int client_done = 0, server_done = 0; - int i = 0; - - pfd[0].revents = POLLIN; - pfd[1].revents = POLLIN; - - do { - if (!client_done) { - if (debug) - fprintf(stderr, "DEBUG: client loop\n"); - if (DTLSv1_handle_timeout(client) > 0) - fprintf(stderr, "INFO: client timeout\n"); - if (!client_func(client, "client", &client_done, - &pfd[0].events)) - return 0; - if (client_done) - pfd[0].events = 0; - } - if (!server_done) { - if (debug) - fprintf(stderr, "DEBUG: server loop\n"); - if (DTLSv1_handle_timeout(server) > 0) - fprintf(stderr, "INFO: server timeout\n"); - if (!server_func(server, "server", &server_done, - &pfd[1].events)) - return 0; - if (server_done) - pfd[1].events = 0; - } - if (poll(pfd, 2, 
poll_timeout(client, server)) == -1) - err(1, "poll"); - - } while (i++ < 100 && (!client_done || !server_done)); - - if (!client_done || !server_done) - fprintf(stderr, "FAIL: gave up\n"); - - return client_done && server_done; -} - -#define MAX_PACKET_DELAYS 32 -#define MAX_PACKET_DROPS 32 - -struct dtls_delay { - uint8_t packet; - uint8_t count; -}; - -struct dtls_test { - const unsigned char *desc; - long mtu; - long ssl_options; - int client_bbio_off; - int server_bbio_off; - uint16_t initial_epoch; - int write_after_accept; - int shutdown_after_accept; - struct dtls_delay client_delays[MAX_PACKET_DELAYS]; - struct dtls_delay server_delays[MAX_PACKET_DELAYS]; - uint8_t client_drops[MAX_PACKET_DROPS]; - uint8_t server_drops[MAX_PACKET_DROPS]; -}; - -static const struct dtls_test dtls_tests[] = { - { - .desc = "DTLS without cookies", - .ssl_options = 0, - }, - { - .desc = "DTLS without cookies (initial epoch 0xfffe)", - .ssl_options = 0, - .initial_epoch = 0xfffe, - }, - { - .desc = "DTLS without cookies (initial epoch 0xffff)", - .ssl_options = 0, - .initial_epoch = 0xffff, - }, - { - .desc = "DTLS with cookies", - .ssl_options = SSL_OP_COOKIE_EXCHANGE, - }, - { - .desc = "DTLS with low MTU", - .mtu = 256, - .ssl_options = 0, - }, - { - .desc = "DTLS with low MTU and cookies", - .mtu = 256, - .ssl_options = SSL_OP_COOKIE_EXCHANGE, - }, - { - .desc = "DTLS with dropped server response", - .ssl_options = 0, - .server_drops = { 1 }, - }, - { - .desc = "DTLS with two dropped server responses", - .ssl_options = 0, - .server_drops = { 1, 2 }, - }, - { - .desc = "DTLS with dropped ServerHello", - .ssl_options = SSL_OP_NO_TICKET, - .server_bbio_off = 1, - .server_drops = { 1 }, - }, - { - .desc = "DTLS with dropped server Certificate", - .ssl_options = SSL_OP_NO_TICKET, - .server_bbio_off = 1, - .server_drops = { 2 }, - }, - { - .desc = "DTLS with dropped ServerKeyExchange", - .ssl_options = SSL_OP_NO_TICKET, - .server_bbio_off = 1, - .server_drops = { 3 }, - }, - { - 
.desc = "DTLS with dropped ServerHelloDone", - .ssl_options = SSL_OP_NO_TICKET, - .server_bbio_off = 1, - .server_drops = { 4 }, - }, -#if 0 - /* - * These two result in the server accept completing and the - * client looping on a timeout. Presumably the server should not - * complete until the client Finished is received... this due to - * a flaw in the DTLSv1.0 specification, which is addressed in - * DTLSv1.2 (see references to "last flight" in RFC 6347 section - * 4.2.4). Our DTLS server code still needs to support this. - */ - { - .desc = "DTLS with dropped server CCS", - .ssl_options = 0, - .server_bbio_off = 1, - .server_drops = { 5 }, - }, - { - .desc = "DTLS with dropped server Finished", - .ssl_options = 0, - .server_bbio_off = 1, - .server_drops = { 6 }, - }, -#endif - { - .desc = "DTLS with dropped ClientKeyExchange", - .ssl_options = 0, - .client_bbio_off = 1, - .client_drops = { 2 }, - }, - { - .desc = "DTLS with dropped client CCS", - .ssl_options = 0, - .client_bbio_off = 1, - .client_drops = { 3 }, - }, - { - .desc = "DTLS with dropped client Finished", - .ssl_options = 0, - .client_bbio_off = 1, - .client_drops = { 4 }, - }, - { - /* Send CCS after client Finished. */ - .desc = "DTLS with delayed client CCS", - .ssl_options = 0, - .client_bbio_off = 1, - .client_delays = { { 3, 2 } }, - }, - { - /* - * Send CCS after server Finished - note app data will be - * dropped if we send the CCS after app data. 
- */ - .desc = "DTLS with delayed server CCS", - .ssl_options = SSL_OP_NO_TICKET, - .server_bbio_off = 1, - .server_delays = { { 5, 2 } }, - .write_after_accept = 1, - }, - { - .desc = "DTLS with delayed server CCS (initial epoch 0xfffe)", - .ssl_options = SSL_OP_NO_TICKET, - .server_bbio_off = 1, - .initial_epoch = 0xfffe, - .server_delays = { { 5, 2 } }, - .write_after_accept = 1, - }, - { - .desc = "DTLS with delayed server CCS (initial epoch 0xffff)", - .ssl_options = SSL_OP_NO_TICKET, - .server_bbio_off = 1, - .initial_epoch = 0xffff, - .server_delays = { { 5, 2 } }, - .write_after_accept = 1, - }, - { - /* Send Finished after app data - this is currently buffered. */ - .desc = "DTLS with delayed server Finished", - .ssl_options = SSL_OP_NO_TICKET, - .server_bbio_off = 1, - .server_delays = { { 6, 3 } }, - .write_after_accept = 1, - }, - { - /* Send CCS after server finished and close-notify. */ - .desc = "DTLS with delayed server CCS (close-notify)", - .ssl_options = SSL_OP_NO_TICKET, - .server_bbio_off = 1, - .server_delays = { { 5, 3 } }, - .shutdown_after_accept = 1, - }, -}; - -#define N_DTLS_TESTS (sizeof(dtls_tests) / sizeof(*dtls_tests)) - -static void -dtlstest_packet_monkey(SSL *ssl, const struct dtls_delay delays[], - const uint8_t drops[]) -{ - BIO *bio_monkey; - BIO *bio; - int i; - - if ((bio_monkey = BIO_new_packet_monkey()) == NULL) - errx(1, "packet monkey"); - - for (i = 0; i < MAX_PACKET_DELAYS; i++) { - if (delays[i].packet == 0) - break; - if (!BIO_packet_monkey_delay(bio_monkey, delays[i].packet, - delays[i].count)) - errx(1, "delay failure"); - } - - for (i = 0; i < MAX_PACKET_DROPS; i++) { - if (drops[i] == 0) - break; - if (!BIO_packet_monkey_drop(bio_monkey, drops[i])) - errx(1, "drop failure"); - } - - if ((bio = SSL_get_wbio(ssl)) == NULL) - errx(1, "SSL has NULL bio"); - - BIO_up_ref(bio); - bio = BIO_push(bio_monkey, bio); - - SSL_set_bio(ssl, bio, bio); -} - -static int -dtlstest(const struct dtls_test *dt) -{ - SSL *client = 
NULL, *server = NULL; - ssl_func *connect_func, *accept_func; - struct sockaddr_in server_sin; - struct pollfd pfd[2]; - int client_sock = -1; - int server_sock = -1; - int failed = 1; - - fprintf(stderr, "\n== Testing %s... ==\n", dt->desc); - - if (!datagram_pair(&client_sock, &server_sock, &server_sin)) - goto failure; - - if ((client = dtls_client(client_sock, &server_sin, dt->mtu)) == NULL) - goto failure; - - if ((server = dtls_server(server_sock, dt->ssl_options, dt->mtu)) == NULL) - goto failure; - - tls12_record_layer_set_initial_epoch(client->rl, dt->initial_epoch); - tls12_record_layer_set_initial_epoch(server->rl, dt->initial_epoch); - - if (dt->client_bbio_off) - SSL_set_info_callback(client, dtls_info_callback); - if (dt->server_bbio_off) - SSL_set_info_callback(server, dtls_info_callback); - - dtlstest_packet_monkey(client, dt->client_delays, dt->client_drops); - dtlstest_packet_monkey(server, dt->server_delays, dt->server_drops); - - pfd[0].fd = client_sock; - pfd[0].events = POLLOUT; - pfd[1].fd = server_sock; - pfd[1].events = POLLIN; - - accept_func = do_accept; - connect_func = do_connect; - - if (dt->write_after_accept) { - accept_func = do_accept_write; - connect_func = do_connect_read; - } else if (dt->shutdown_after_accept) { - accept_func = do_accept_shutdown; - connect_func = do_connect_shutdown; - } - - if (!do_client_server_loop(client, connect_func, server, accept_func, pfd)) { - fprintf(stderr, "FAIL: client and server handshake failed\n"); - goto failure; - } - - if (dt->write_after_accept || dt->shutdown_after_accept) - goto done; - - pfd[0].events = POLLIN; - pfd[1].events = POLLOUT; - - if (!do_client_server_loop(client, do_read, server, do_write, pfd)) { - fprintf(stderr, "FAIL: client read and server write I/O failed\n"); - goto failure; - } - - pfd[0].events = POLLOUT; - pfd[1].events = POLLIN; - - if (!do_client_server_loop(client, do_write, server, do_read, pfd)) { - fprintf(stderr, "FAIL: client write and server read I/O 
failed\n");
- goto failure;
- }
-
- pfd[0].events = POLLOUT;
- pfd[1].events = POLLOUT;
-
- if (!do_client_server_loop(client, do_shutdown, server, do_shutdown, pfd)) {
- fprintf(stderr, "FAIL: client and server shutdown failed\n");
- goto failure;
- }
-
- done:
- fprintf(stderr, "INFO: Done!\n");
-
- failed = 0;
-
- failure:
- if (client_sock != -1)
- close(client_sock);
- if (server_sock != -1)
- close(server_sock);
-
- SSL_free(client);
- SSL_free(server);
-
- return failed;
-}
-
-int
-main(int argc, char **argv)
-{
- int failed = 0;
- size_t i;
-
- if (argc != 4) {
- fprintf(stderr, "usage: %s keyfile certfile cafile\n",
- argv[0]);
- exit(1);
- }
-
- server_key_file = argv[1];
- server_cert_file = argv[2];
- server_ca_file = argv[3];
-
- for (i = 0; i < N_DTLS_TESTS; i++)
- failed |= dtlstest(&dtls_tests[i]);
-
- return failed;
-}
diff --git a/src/regress/lib/libssl/exporter/Makefile b/src/regress/lib/libssl/exporter/Makefile
deleted file mode 100644
index caeffabb13..0000000000
--- a/src/regress/lib/libssl/exporter/Makefile
+++ /dev/null
@@ -1,10 +0,0 @@
-# $OpenBSD: Makefile,v 1.1 2022/11/05 21:58:24 jsing Exp $
-
-PROG= exportertest
-LDADD= ${SSL_INT} -lcrypto
-DPADD= ${LIBSSL} ${LIBCRYPTO}
-WARNINGS= Yes
-CFLAGS+= -DLIBRESSL_INTERNAL -Werror
-CFLAGS+= -I${.CURDIR}/../../../../lib/libssl
-
-.include
diff --git a/src/regress/lib/libssl/exporter/exportertest.c b/src/regress/lib/libssl/exporter/exportertest.c
deleted file mode 100644
index ee8dbaa909..0000000000
--- a/src/regress/lib/libssl/exporter/exportertest.c
+++ /dev/null
@@ -1,667 +0,0 @@ -/* $OpenBSD: exportertest.c,v 1.4 2024/03/01 03:46:54 tb Exp $ */ -/* - * Copyright (c) 2022 Joel Sing - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#include -#include - -#include -#include -#include - -#include "ssl_local.h" - -static void -hexdump(const unsigned char *buf, size_t len) -{ - size_t i; - - for (i = 1; i <= len; i++) - fprintf(stderr, " 0x%02hhx,%s", buf[i - 1], i % 8 ? "" : "\n"); - - fprintf(stderr, "\n"); -} - -struct exporter_test { - uint16_t tls_version; - unsigned int cipher_id; - const uint8_t *label; - size_t label_len; - const uint8_t context_value[64]; - size_t context_value_len; - int use_context; - const uint8_t client_random[SSL3_RANDOM_SIZE]; - const uint8_t server_random[SSL3_RANDOM_SIZE]; - const uint8_t master_key[SSL_MAX_MASTER_KEY_LENGTH]; - const uint8_t shared_key[64]; - size_t shared_key_len; - const uint8_t export[64]; - size_t export_len; - int want_error; -}; - -static const struct exporter_test exporter_tests[] = { - { - /* Valid export, no context - 32 bytes. 
*/ - .tls_version = TLS1_2_VERSION, - .cipher_id = TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305, - .label = "EXPERIMENTAL testing", - .label_len = 20, - .use_context = 0, - .client_random = { - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, - 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, - 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, - 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, - }, - .server_random = { - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, - 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, - 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, - 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, - }, - .master_key = { - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, - 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, - 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, - 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, - 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, - 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, - }, - .export = { - 0x14, 0x08, 0x00, 0x9e, 0x6a, 0x67, 0x75, 0x4c, - 0xc4, 0xf3, 0x51, 0x57, 0x2f, 0x75, 0x0b, 0xf8, - 0x16, 0xfa, 0x61, 0x74, 0xd2, 0x12, 0x8f, 0x78, - 0x77, 0xf9, 0x8a, 0x3e, 0x58, 0x70, 0xf3, 0xd8, - }, - .export_len = 32, - }, - { - /* Valid export, no context - 32 bytes. */ - .tls_version = TLS1_3_VERSION, - .label = "EXPERIMENTAL testing", - .label_len = 20, - .use_context = 0, - .shared_key = { - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, - 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, - 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, - 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, - }, - .shared_key_len = 32, - .export = { - 0x69, 0xf4, 0xac, 0xec, 0x80, 0x67, 0xac, 0x5c, - 0xa6, 0x24, 0x47, 0xb1, 0x0f, 0xc8, 0xa1, 0x13, - 0x3b, 0x91, 0x33, 0x82, 0x97, 0x0a, 0xc0, 0xbf, - 0xac, 0x6d, 0x6b, 0x34, 0x20, 0xd3, 0x3a, 0x02, - }, - .export_len = 32, - }, - { - /* Valid export, no context - 64 bytes. 
*/ - .tls_version = TLS1_2_VERSION, - .cipher_id = TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305, - .label = "EXPERIMENTAL testing", - .label_len = 20, - .use_context = 0, - .client_random = { - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, - 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, - 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, - 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, - }, - .server_random = { - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, - 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, - 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, - 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, - }, - .master_key = { - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, - 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, - 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, - 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, - 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, - 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, - }, - .export = { - 0x14, 0x08, 0x00, 0x9e, 0x6a, 0x67, 0x75, 0x4c, - 0xc4, 0xf3, 0x51, 0x57, 0x2f, 0x75, 0x0b, 0xf8, - 0x16, 0xfa, 0x61, 0x74, 0xd2, 0x12, 0x8f, 0x78, - 0x77, 0xf9, 0x8a, 0x3e, 0x58, 0x70, 0xf3, 0xd8, - 0xe8, 0xd2, 0xb7, 0xcd, 0xbc, 0x37, 0xdf, 0x16, - 0x12, 0xf1, 0xe8, 0xb2, 0x62, 0x79, 0x91, 0x45, - 0x77, 0xe0, 0x68, 0x6d, 0xd5, 0x31, 0x54, 0x55, - 0x22, 0x63, 0xc0, 0x36, 0x31, 0x07, 0xda, 0x33, - }, - .export_len = 64, - }, - { - /* Valid export, no context - 64 bytes. 
*/ - .tls_version = TLS1_3_VERSION, - .label = "EXPERIMENTAL testing", - .label_len = 20, - .use_context = 0, - .shared_key = { - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, - 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, - 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, - 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, - }, - .shared_key_len = 32, - .export = { - 0x77, 0x15, 0xe2, 0x07, 0x65, 0x64, 0x3b, 0x14, - 0x38, 0xcb, 0x73, 0x93, 0xda, 0x70, 0xfa, 0x86, - 0x2c, 0x34, 0xcc, 0x94, 0x52, 0xc2, 0xd3, 0xb4, - 0x59, 0x2c, 0xc8, 0x05, 0x70, 0xfe, 0x48, 0x61, - 0xd3, 0xea, 0x57, 0x66, 0xa9, 0x66, 0x2f, 0x4a, - 0x35, 0xc9, 0x88, 0x86, 0x28, 0x52, 0xe3, 0x64, - 0x5e, 0xf9, 0x28, 0x53, 0x8a, 0x3a, 0x92, 0x92, - 0x40, 0x8c, 0x89, 0x17, 0x59, 0xd0, 0xd0, 0x82, - }, - .export_len = 64, - }, - { - /* Valid export, zero length context - 32 bytes. */ - .tls_version = TLS1_2_VERSION, - .cipher_id = TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305, - .label = "EXPERIMENTAL testing", - .label_len = 20, - .context_value_len = 0, - .use_context = 1, - .client_random = { - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, - 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, - 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, - 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, - }, - .server_random = { - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, - 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, - 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, - 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, - }, - .master_key = { - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, - 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, - 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, - 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, - 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, - 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, - }, - .export = { - 0xdb, 0xc9, 0xdf, 0x7c, 0x04, 0x39, 0xdd, 0x23, - 0xc3, 0x68, 0xdc, 0xf3, 0x04, 0xcf, 0x4c, 0x4d, - 0x86, 0x5b, 0xe6, 0x48, 0xc5, 0x6d, 0xe5, 0x1e, - 0xea, 0xc5, 
0xe4, 0x00, 0x27, 0x72, 0xda, 0xb6, - }, - .export_len = 32, - }, - { - /* Valid export, zero length context - 32 bytes. */ - .tls_version = TLS1_3_VERSION, - .label = "EXPERIMENTAL testing", - .label_len = 20, - .context_value_len = 0, - .use_context = 1, - .shared_key = { - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, - 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, - 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, - 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, - }, - .shared_key_len = 32, - .export = { - 0x69, 0xf4, 0xac, 0xec, 0x80, 0x67, 0xac, 0x5c, - 0xa6, 0x24, 0x47, 0xb1, 0x0f, 0xc8, 0xa1, 0x13, - 0x3b, 0x91, 0x33, 0x82, 0x97, 0x0a, 0xc0, 0xbf, - 0xac, 0x6d, 0x6b, 0x34, 0x20, 0xd3, 0x3a, 0x02, - }, - .export_len = 32, - }, - { - /* Valid export, with context value - 32 bytes. */ - .tls_version = TLS1_2_VERSION, - .cipher_id = TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305, - .label = "EXPERIMENTAL testing", - .label_len = 20, - .context_value = { - 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8, - 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0, - }, - .context_value_len = 16, - .use_context = 1, - .client_random = { - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, - 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, - 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, - 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, - }, - .server_random = { - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, - 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, - 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, - 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, - }, - .master_key = { - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, - 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, - 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, - 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, - 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, - 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, - }, - .export = { - 0x0e, 0xb4, 0xd1, 0x3a, 0x0e, 0x24, 0xab, 0x0d, - 0x4c, 0x48, 0x35, 0x25, 0xf6, 0x4d, 0xa2, 
0x9b, - 0xaa, 0x1d, 0xbc, 0x54, 0x7e, 0xb0, 0x3c, 0x4b, - 0x07, 0x04, 0x9c, 0x7c, 0x06, 0xa7, 0xea, 0x70, - }, - .export_len = 32, - }, - { - /* Valid export, with context value - 32 bytes. */ - .tls_version = TLS1_3_VERSION, - .label = "EXPERIMENTAL testing", - .label_len = 20, - .context_value = { - 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8, - 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0, - }, - .context_value_len = 16, - .use_context = 1, - .shared_key = { - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, - 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, - 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, - 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, - }, - .shared_key_len = 32, - .export = { - 0x34, 0xb8, 0x00, 0x6a, 0xb2, 0x62, 0xab, 0xea, - 0xc7, 0x2b, 0x15, 0xa0, 0x85, 0xda, 0xaa, 0xa5, - 0x12, 0x85, 0xbf, 0x4a, 0xa4, 0x71, 0x42, 0xc8, - 0xd4, 0xa6, 0x66, 0x18, 0xc6, 0xc9, 0x26, 0x6f, - }, - .export_len = 32, - }, - { - /* Valid export, with different label - 32 bytes. */ - .tls_version = TLS1_2_VERSION, - .cipher_id = TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305, - .label = "EXPERIMENTAL more testing", - .label_len = 20, - .context_value = { - 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8, - 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0, - }, - .context_value_len = 16, - .use_context = 1, - .client_random = { - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, - 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, - 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, - 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, - }, - .server_random = { - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, - 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, - 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, - 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, - }, - .master_key = { - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, - 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, - 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, - 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, - 0x20, 
0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, - 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, - }, - .export = { - 0xb0, 0xb6, 0x45, 0xdd, 0x30, 0x76, 0xf0, 0x57, - 0x22, 0x31, 0xbb, 0x8d, 0xe1, 0xf9, 0xe3, 0xed, - 0xae, 0x74, 0x6f, 0x40, 0x94, 0xf6, 0xc2, 0xfc, - 0x21, 0xff, 0xf7, 0x00, 0x86, 0x54, 0xb6, 0x06, - }, - .export_len = 32, - }, - { - /* Valid export, with different label - 32 bytes. */ - .tls_version = TLS1_3_VERSION, - .label = "EXPERIMENTAL more testing", - .label_len = 20, - .context_value = { - 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8, - 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0, - }, - .context_value_len = 16, - .use_context = 1, - .shared_key = { - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, - 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, - 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, - 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, - }, - .shared_key_len = 32, - .export = { - 0x18, 0x4e, 0x65, 0x3c, 0x91, 0x5d, 0x6a, 0xc3, - 0x25, 0x38, 0xbe, 0x6e, 0xca, 0x12, 0x54, 0x76, - 0x5a, 0x84, 0xf7, 0x19, 0x44, 0x78, 0xec, 0xc0, - 0x83, 0xf6, 0x22, 0xb8, 0x86, 0x31, 0xe9, 0x2e, - }, - .export_len = 32, - }, - { - /* Invalid - illegal label. 
*/ - .tls_version = TLS1_2_VERSION, - .cipher_id = TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305, - .label = TLS_MD_CLIENT_FINISH_CONST, - .label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE, - .use_context = 0, - .client_random = { - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, - 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, - 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, - 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, - }, - .server_random = { - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, - 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, - 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, - 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, - }, - .master_key = { - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, - 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, - 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, - 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, - 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, - 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, - }, - .export_len = 32, - .want_error = SSL_R_TLS_ILLEGAL_EXPORTER_LABEL, - }, - { - /* Invalid - illegal label. 
*/ - .tls_version = TLS1_2_VERSION, - .cipher_id = TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305, - .label = TLS_MD_SERVER_FINISH_CONST, - .label_len = TLS_MD_SERVER_FINISH_CONST_SIZE, - .use_context = 0, - .client_random = { - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, - 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, - 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, - 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, - }, - .server_random = { - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, - 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, - 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, - 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, - }, - .master_key = { - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, - 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, - 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, - 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, - 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, - 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, - }, - .export_len = 32, - .want_error = SSL_R_TLS_ILLEGAL_EXPORTER_LABEL, - }, - { - /* Invalid - illegal label. 
*/ - .tls_version = TLS1_2_VERSION, - .cipher_id = TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305, - .label = TLS_MD_KEY_EXPANSION_CONST, - .label_len = TLS_MD_KEY_EXPANSION_CONST_SIZE, - .use_context = 0, - .client_random = { - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, - 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, - 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, - 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, - }, - .server_random = { - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, - 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, - 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, - 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, - }, - .master_key = { - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, - 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, - 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, - 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, - 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, - 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, - }, - .export_len = 32, - .want_error = SSL_R_TLS_ILLEGAL_EXPORTER_LABEL, - }, - { - /* Invalid - illegal label. 
*/ - .tls_version = TLS1_2_VERSION, - .cipher_id = TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305, - .label = TLS_MD_MASTER_SECRET_CONST, - .label_len = TLS_MD_MASTER_SECRET_CONST_SIZE, - .use_context = 0, - .client_random = { - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, - 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, - 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, - 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, - }, - .server_random = { - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, - 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, - 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, - 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, - }, - .master_key = { - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, - 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, - 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, - 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, - 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, - 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, - }, - .export_len = 32, - .want_error = SSL_R_TLS_ILLEGAL_EXPORTER_LABEL, - }, - { - /* Invalid - illegal label, split over label and seed. 
*/ - .tls_version = TLS1_2_VERSION, - .cipher_id = TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305, - .label = "master ", - .label_len = 7, - .use_context = 0, - .client_random = { - 's', 'e', 'c', 'r', 'e', 't', 0x06, 0x07, - 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, - 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, - 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, - }, - .server_random = { - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, - 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, - 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, - 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, - }, - .master_key = { - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, - 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, - 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, - 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, - 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, - 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, - }, - .export = { - 0x40, 0x70, 0xba, 0xfa, 0xba, 0x44, 0x74, 0x93, - 0xa2, 0x43, 0x18, 0x07, 0xa4, 0x4f, 0x3f, 0xda, - 0x88, 0x7b, 0x0e, 0x79, 0x70, 0xcf, 0xdb, 0x91, - 0xfc, 0x3f, 0x96, 0x78, 0x6b, 0x50, 0xe3, 0xa6, - }, - .export_len = 32, - .want_error = SSL_R_TLS_ILLEGAL_EXPORTER_LABEL, - }, -}; - -#define N_EXPORTER_TESTS (sizeof(exporter_tests) / sizeof(exporter_tests[0])) - -static int -exporter_test(size_t test_no, const struct exporter_test *et) -{ - struct tls13_secret tls13_context = { .data = "", .len = 0 }; - struct tls13_ctx *tls13_ctx; - struct tls13_secrets *tls13_secrets; - SSL_SESSION *ssl_session = NULL; - SSL_CTX *ssl_ctx = NULL; - SSL *ssl = NULL; - uint8_t export[256]; - unsigned char id[2]; - int err, ret; - int failed = 1; - - memset(export, 0, sizeof(export)); - - if ((ssl_ctx = SSL_CTX_new(TLS_method())) == NULL) { - fprintf(stderr, "FAIL: SSL_CTX_new\n"); - goto failure; - } - if ((ssl = SSL_new(ssl_ctx)) == NULL) { - fprintf(stderr, "FAIL: SSL_new\n"); - goto failure; - } - if ((ssl_session = SSL_SESSION_new()) == NULL) { - fprintf(stderr, 
"FAIL: SSL_SESSION_new\n"); - goto failure; - } - - ssl_session->ssl_version = et->tls_version; - - if (!SSL_set_session(ssl, ssl_session)) { - fprintf(stderr, "FAIL: SSL_set_session\n"); - goto failure; - } - - memcpy(ssl_session->master_key, et->master_key, - sizeof(ssl_session->master_key)); - memcpy(ssl->s3->client_random, et->client_random, - sizeof(ssl->s3->client_random)); - memcpy(ssl->s3->server_random, et->server_random, - sizeof(ssl->s3->server_random)); - - if (et->tls_version >= TLS1_3_VERSION) { - if ((tls13_ctx = tls13_ctx_new(TLS13_HS_CLIENT, ssl)) == NULL) { - fprintf(stderr, "FAIL: tls13_ctx_new\n"); - goto failure; - } - ssl->tls13 = tls13_ctx; - - if ((tls13_secrets = tls13_secrets_create(EVP_sha384(), - 0)) == NULL) { - fprintf(stderr, "FAIL: tls13_secrets_create\n"); - goto failure; - } - ssl->s3->hs.tls13.secrets = tls13_secrets; - - if (!tls13_derive_early_secrets(tls13_secrets, - tls13_secrets->zeros.data, tls13_secrets->zeros.len, - &tls13_context)) { - fprintf(stderr, "FAIL: tls13_derive_early_secrets\n"); - goto failure; - } - if (!tls13_derive_handshake_secrets(tls13_secrets, et->shared_key, - et->shared_key_len, &tls13_context)) { - fprintf(stderr, "FAIL: tls13_derive_handshake_secrets\n"); - goto failure; - } - if (!tls13_derive_application_secrets(tls13_secrets, - &tls13_context)) { - fprintf(stderr, "FAIL: tls13_derive_early_secrets\n"); - goto failure; - } - - tls13_ctx->handshake_completed = 1; - } - - ssl->s3->hs.state = SSL_ST_OK; - ssl->s3->hs.negotiated_tls_version = et->tls_version; - id[0] = (et->cipher_id >> 8) & 0xff; - id[1] = et->cipher_id & 0xff; - ssl->s3->hs.cipher = SSL_CIPHER_find(ssl, id); - - ret = SSL_export_keying_material(ssl, export, et->export_len, et->label, - et->label_len, et->context_value, et->context_value_len, - et->use_context); - - if (et->want_error != 0) { - if (ret) { - fprintf(stderr, "FAIL: test %zu - " - "SSL_export_keying_material() succeeded, want " - "error\n", test_no); - goto failure; - } 
- - err = ERR_peek_error(); - if (ERR_GET_REASON(err) != et->want_error) { - fprintf(stderr, "FAIL: %zu - got error reason %d, " - "want %d\n", test_no, ERR_GET_REASON(err), - et->want_error); - goto failure; - } - } else { - if (!ret) { - fprintf(stderr, "FAIL: test %zu - " - "SSL_export_keying_material() failed\n", test_no); - ERR_print_errors_fp(stderr); - goto failure; - } - - if (memcmp(et->export, export, et->export_len) != 0) { - fprintf(stderr, "FAIL: test %zu\n", test_no); - fprintf(stderr, "Got export:\n"); - hexdump(export, et->export_len); - fprintf(stderr, "Want export:\n"); - hexdump(et->export, et->export_len); - goto failure; - } - } - - failed = 0; - - failure: - SSL_SESSION_free(ssl_session); - SSL_CTX_free(ssl_ctx); - SSL_free(ssl); - - return failed; -} - -int -main(int argc, char **argv) -{ - int failed = 0; - size_t i; - - for (i = 0; i < N_EXPORTER_TESTS; i++) - failed |= exporter_test(i, &exporter_tests[i]); - - return (failed); -} diff --git a/src/regress/lib/libssl/handshake/Makefile b/src/regress/lib/libssl/handshake/Makefile deleted file mode 100644 index 77e128929f..0000000000 --- a/src/regress/lib/libssl/handshake/Makefile +++ /dev/null @@ -1,34 +0,0 @@ -# $OpenBSD: Makefile,v 1.10 2022/12/02 01:09:04 tb Exp $ - -PROGS += handshake_table -PROGS += valid_handshakes_terminate - -LDADD = ${SSL_INT} -lcrypto -DPADD = ${LIBCRYPTO} ${LIBSSL} -WARNINGS = Yes -CFLAGS += -DLIBRESSL_INTERNAL -Wundef -Werror -CFLAGS+= -I${.CURDIR}/../../../../lib/libssl - -print: handshake_table - @./handshake_table -C - -handshake.gv: handshake_table - ./handshake_table -g > $@.tmp - mv $@.tmp $@ - -CLEANFILES += handshake.gv - -.for _FMT in png ps svg -handshake.${_FMT}: handshake.gv - @if [ ! -x /usr/local/bin/dot ]; then \ - echo "pkg_add graphviz to generate png"; \ - false; \ - fi - dot -T${_FMT} handshake.gv -o $@ - -CLEANFILES += handshake.${_FMT} -.endfor - -.PHONY: print - -.include 
diff --git a/src/regress/lib/libssl/handshake/handshake_table.c b/src/regress/lib/libssl/handshake/handshake_table.c
deleted file mode 100644
index 8ebed9a73e..0000000000
--- a/src/regress/lib/libssl/handshake/handshake_table.c
+++ /dev/null
@@ -1,550 +0,0 @@ -/* $OpenBSD: handshake_table.c,v 1.18 2022/12/01 13:49:12 tb Exp $ */ -/* - * Copyright (c) 2019 Theo Buehler - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#include -#include -#include -#include -#include - -#include "tls13_handshake.h" - -#define MAX_FLAGS (UINT8_MAX + 1) - -/* - * From RFC 8446: - * - * Appendix A. State Machine - * - * This appendix provides a summary of the legal state transitions for - * the client and server handshakes. State names (in all capitals, - * e.g., START) have no formal meaning but are provided for ease of - * comprehension. Actions which are taken only in certain circumstances - * are indicated in []. The notation "K_{send,recv} = foo" means "set - * the send/recv key to the given key". - * - * A.1. 
Client - * - * START <----+ - * Send ClientHello | | Recv HelloRetryRequest - * [K_send = early data] | | - * v | - * / WAIT_SH ----+ - * | | Recv ServerHello - * | | K_recv = handshake - * Can | V - * send | WAIT_EE - * early | | Recv EncryptedExtensions - * data | +--------+--------+ - * | Using | | Using certificate - * | PSK | v - * | | WAIT_CERT_CR - * | | Recv | | Recv CertificateRequest - * | | Certificate | v - * | | | WAIT_CERT - * | | | | Recv Certificate - * | | v v - * | | WAIT_CV - * | | | Recv CertificateVerify - * | +> WAIT_FINISHED <+ - * | | Recv Finished - * \ | [Send EndOfEarlyData] - * | K_send = handshake - * | [Send Certificate [+ CertificateVerify]] - * Can send | Send Finished - * app data --> | K_send = K_recv = application - * after here v - * CONNECTED - * - * Note that with the transitions as shown above, clients may send - * alerts that derive from post-ServerHello messages in the clear or - * with the early data keys. If clients need to send such alerts, they - * SHOULD first rekey to the handshake keys if possible. 
- * - */ - -struct child { - enum tls13_message_type mt; - uint8_t flag; - uint8_t forced; - uint8_t illegal; -}; - -static struct child stateinfo[][TLS13_NUM_MESSAGE_TYPES] = { - [CLIENT_HELLO] = { - { - .mt = SERVER_HELLO_RETRY_REQUEST, - }, - { - .mt = SERVER_HELLO, - .flag = WITHOUT_HRR, - }, - }, - [SERVER_HELLO_RETRY_REQUEST] = { - { - .mt = CLIENT_HELLO_RETRY, - }, - }, - [CLIENT_HELLO_RETRY] = { - { - .mt = SERVER_HELLO, - }, - }, - [SERVER_HELLO] = { - { - .mt = SERVER_ENCRYPTED_EXTENSIONS, - }, - }, - [SERVER_ENCRYPTED_EXTENSIONS] = { - { - .mt = SERVER_CERTIFICATE_REQUEST, - }, - { .mt = SERVER_CERTIFICATE, - .flag = WITHOUT_CR, - }, - { - .mt = SERVER_FINISHED, - .flag = WITH_PSK, - }, - }, - [SERVER_CERTIFICATE_REQUEST] = { - { - .mt = SERVER_CERTIFICATE, - }, - }, - [SERVER_CERTIFICATE] = { - { - .mt = SERVER_CERTIFICATE_VERIFY, - }, - }, - [SERVER_CERTIFICATE_VERIFY] = { - { - .mt = SERVER_FINISHED, - }, - }, - [SERVER_FINISHED] = { - { - .mt = CLIENT_FINISHED, - .forced = WITHOUT_CR | WITH_PSK, - }, - { - .mt = CLIENT_CERTIFICATE, - .illegal = WITHOUT_CR | WITH_PSK, - }, - }, - [CLIENT_CERTIFICATE] = { - { - .mt = CLIENT_FINISHED, - }, - { - .mt = CLIENT_CERTIFICATE_VERIFY, - .flag = WITH_CCV, - }, - }, - [CLIENT_CERTIFICATE_VERIFY] = { - { - .mt = CLIENT_FINISHED, - }, - }, - [CLIENT_FINISHED] = { - { - .mt = APPLICATION_DATA, - }, - }, - [APPLICATION_DATA] = { - { - .mt = 0, - }, - }, -}; - -const size_t stateinfo_count = sizeof(stateinfo) / sizeof(stateinfo[0]); - -void build_table(enum tls13_message_type - table[MAX_FLAGS][TLS13_NUM_MESSAGE_TYPES], - struct child current, struct child end, - struct child path[], uint8_t flags, unsigned int depth); -size_t count_handshakes(void); -void edge(enum tls13_message_type start, - enum tls13_message_type end, uint8_t flag); -const char *flag2str(uint8_t flag); -void flag_label(uint8_t flag); -void forced_edges(enum tls13_message_type start, - enum tls13_message_type end, uint8_t forced); -int 
generate_graphics(void); -void fprint_entry(FILE *stream, - enum tls13_message_type path[TLS13_NUM_MESSAGE_TYPES], - uint8_t flags); -void fprint_flags(FILE *stream, uint8_t flags); -const char *mt2str(enum tls13_message_type mt); -void usage(void); -int verify_table(enum tls13_message_type - table[MAX_FLAGS][TLS13_NUM_MESSAGE_TYPES], int print); - -const char * -flag2str(uint8_t flag) -{ - const char *ret; - - if (flag & (flag - 1)) - errx(1, "more than one bit is set"); - - switch (flag) { - case INITIAL: - ret = "INITIAL"; - break; - case NEGOTIATED: - ret = "NEGOTIATED"; - break; - case WITHOUT_CR: - ret = "WITHOUT_CR"; - break; - case WITHOUT_HRR: - ret = "WITHOUT_HRR"; - break; - case WITH_PSK: - ret = "WITH_PSK"; - break; - case WITH_CCV: - ret = "WITH_CCV"; - break; - case WITH_0RTT: - ret = "WITH_0RTT"; - break; - default: - ret = "UNKNOWN"; - } - - return ret; -} - -const char * -mt2str(enum tls13_message_type mt) -{ - const char *ret; - - switch (mt) { - case INVALID: - ret = "INVALID"; - break; - case CLIENT_HELLO: - ret = "CLIENT_HELLO"; - break; - case CLIENT_HELLO_RETRY: - ret = "CLIENT_HELLO_RETRY"; - break; - case CLIENT_END_OF_EARLY_DATA: - ret = "CLIENT_END_OF_EARLY_DATA"; - break; - case CLIENT_CERTIFICATE: - ret = "CLIENT_CERTIFICATE"; - break; - case CLIENT_CERTIFICATE_VERIFY: - ret = "CLIENT_CERTIFICATE_VERIFY"; - break; - case CLIENT_FINISHED: - ret = "CLIENT_FINISHED"; - break; - case SERVER_HELLO: - ret = "SERVER_HELLO"; - break; - case SERVER_HELLO_RETRY_REQUEST: - ret = "SERVER_HELLO_RETRY_REQUEST"; - break; - case SERVER_ENCRYPTED_EXTENSIONS: - ret = "SERVER_ENCRYPTED_EXTENSIONS"; - break; - case SERVER_CERTIFICATE: - ret = "SERVER_CERTIFICATE"; - break; - case SERVER_CERTIFICATE_VERIFY: - ret = "SERVER_CERTIFICATE_VERIFY"; - break; - case SERVER_CERTIFICATE_REQUEST: - ret = "SERVER_CERTIFICATE_REQUEST"; - break; - case SERVER_FINISHED: - ret = "SERVER_FINISHED"; - break; - case APPLICATION_DATA: - ret = "APPLICATION_DATA"; - break; - 
case TLS13_NUM_MESSAGE_TYPES: - ret = "TLS13_NUM_MESSAGE_TYPES"; - break; - default: - ret = "UNKNOWN"; - break; - } - - return ret; -} - -void -fprint_flags(FILE *stream, uint8_t flags) -{ - int first = 1, i; - - if (flags == 0) { - fprintf(stream, "%s", flag2str(flags)); - return; - } - - for (i = 0; i < 8; i++) { - uint8_t set = flags & (1U << i); - - if (set) { - fprintf(stream, "%s%s", first ? "" : " | ", - flag2str(set)); - first = 0; - } - } -} - -void -fprint_entry(FILE *stream, - enum tls13_message_type path[TLS13_NUM_MESSAGE_TYPES], uint8_t flags) -{ - int i; - - fprintf(stream, "\t["); - fprint_flags(stream, flags); - fprintf(stream, "] = {\n"); - - for (i = 0; i < TLS13_NUM_MESSAGE_TYPES; i++) { - if (path[i] == 0) - break; - fprintf(stream, "\t\t%s,\n", mt2str(path[i])); - } - fprintf(stream, "\t},\n"); -} - -void -edge(enum tls13_message_type start, enum tls13_message_type end, - uint8_t flag) -{ - printf("\t%s -> %s", mt2str(start), mt2str(end)); - flag_label(flag); - printf(";\n"); -} - -void -flag_label(uint8_t flag) -{ - if (flag) - printf(" [label=\"%s\"]", flag2str(flag)); -} - -void -forced_edges(enum tls13_message_type start, enum tls13_message_type end, - uint8_t forced) -{ - uint8_t forced_flag, i; - - if (forced == 0) - return; - - for (i = 0; i < 8; i++) { - forced_flag = forced & (1U << i); - if (forced_flag) - edge(start, end, forced_flag); - } -} - -int -generate_graphics(void) -{ - enum tls13_message_type start, end; - unsigned int child; - uint8_t flag; - uint8_t forced; - - printf("digraph G {\n"); - printf("\t%s [shape=box];\n", mt2str(CLIENT_HELLO)); - printf("\t%s [shape=box];\n", mt2str(APPLICATION_DATA)); - - for (start = CLIENT_HELLO; start < APPLICATION_DATA; start++) { - for (child = 0; stateinfo[start][child].mt != 0; child++) { - end = stateinfo[start][child].mt; - flag = stateinfo[start][child].flag; - forced = stateinfo[start][child].forced; - - if (forced == 0) - edge(start, end, flag); - else - forced_edges(start, end, 
forced); - } - } - - printf("}\n"); - return 0; -} - -extern enum tls13_message_type handshakes[][TLS13_NUM_MESSAGE_TYPES]; -extern size_t handshake_count; - -size_t -count_handshakes(void) -{ - size_t ret = 0, i; - - for (i = 0; i < handshake_count; i++) { - if (handshakes[i][0] != INVALID) - ret++; - } - - return ret; -} - -void -build_table(enum tls13_message_type table[MAX_FLAGS][TLS13_NUM_MESSAGE_TYPES], - struct child current, struct child end, struct child path[], uint8_t flags, - unsigned int depth) -{ - unsigned int i; - - if (depth >= TLS13_NUM_MESSAGE_TYPES - 1) - errx(1, "recursed too deeply"); - - /* Record current node. */ - path[depth++] = current; - flags |= current.flag; - - /* If we haven't reached the end, recurse over the children. */ - if (current.mt != end.mt) { - for (i = 0; stateinfo[current.mt][i].mt != 0; i++) { - struct child child = stateinfo[current.mt][i]; - int forced = stateinfo[current.mt][i].forced; - int illegal = stateinfo[current.mt][i].illegal; - - if ((forced == 0 || (forced & flags)) && - (illegal == 0 || !(illegal & flags))) - build_table(table, child, end, path, flags, - depth); - } - return; - } - - if (flags == 0) - errx(1, "path does not set flags"); - - if (table[flags][0] != 0) - errx(1, "path traversed twice"); - - for (i = 0; i < depth; i++) - table[flags][i] = path[i].mt; -} - -int -verify_table(enum tls13_message_type table[MAX_FLAGS][TLS13_NUM_MESSAGE_TYPES], - int print) -{ - int success = 1, i; - size_t num_valid, num_found = 0; - uint8_t flags = 0; - - do { - if (table[flags][0] == 0) - continue; - - num_found++; - - for (i = 0; i < TLS13_NUM_MESSAGE_TYPES; i++) { - if (table[flags][i] != handshakes[flags][i]) { - fprintf(stderr, - "incorrect entry %d of handshake ", i); - fprint_flags(stderr, flags); - fprintf(stderr, "\n"); - success = 0; - } - } - - if (print) - fprint_entry(stdout, table[flags], flags); - } while(++flags != 0); - - num_valid = count_handshakes(); - if (num_valid != num_found) { - 
fprintf(stderr, - "incorrect number of handshakes: want %zu, got %zu.\n", - num_valid, num_found); - success = 0; - } - - return success; -} - -void -usage(void) -{ - fprintf(stderr, "usage: handshake_table [-C | -g]\n"); - exit(1); -} - -int -main(int argc, char *argv[]) -{ - static enum tls13_message_type - hs_table[MAX_FLAGS][TLS13_NUM_MESSAGE_TYPES] = { - [INITIAL] = { - CLIENT_HELLO, - SERVER_HELLO_RETRY_REQUEST, - CLIENT_HELLO_RETRY, - SERVER_HELLO, - }, - }; - struct child start = { - .mt = CLIENT_HELLO, - }; - struct child end = { - .mt = APPLICATION_DATA, - }; - struct child path[TLS13_NUM_MESSAGE_TYPES] = {{0}}; - uint8_t flags = NEGOTIATED; - unsigned int depth = 0; - int ch, graphviz = 0, print = 0; - - while ((ch = getopt(argc, argv, "Cg")) != -1) { - switch (ch) { - case 'C': - print = 1; - break; - case 'g': - graphviz = 1; - break; - default: - usage(); - } - } - argc -= optind; - argv += optind; - - if (argc != 0) - usage(); - - if (graphviz && print) - usage(); - - if (graphviz) - return generate_graphics(); - - build_table(hs_table, start, end, path, flags, depth); - if (!verify_table(hs_table, print)) - return 1; - - return 0; -} diff --git a/src/regress/lib/libssl/handshake/valid_handshakes_terminate.c b/src/regress/lib/libssl/handshake/valid_handshakes_terminate.c deleted file mode 100644 index 286b860a7d..0000000000 --- a/src/regress/lib/libssl/handshake/valid_handshakes_terminate.c +++ /dev/null 
@@ -1,54 +0,0 @@
-/* $OpenBSD: valid_handshakes_terminate.c,v 1.4 2022/12/01 13:49:12 tb Exp $ */
-/*
- * Copyright (c) 2019 Theo Buehler
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include
-#include
-
-#include "tls13_handshake.c"
-
-int
-main(int argc, char *argv[])
-{
- size_t i, j;
- int terminates;
- int fail = 0;
-
- for (i = 1; i < handshake_count; i++) {
- enum tls13_message_type mt = handshakes[i][0];
-
- if (mt == INVALID)
- continue;
-
- terminates = 0;
-
- for (j = 0; j < TLS13_NUM_MESSAGE_TYPES; j++) {
- mt = handshakes[i][j];
- if (state_machine[mt].handshake_complete) {
- terminates = 1;
- break;
- }
- }
-
- if (!terminates) {
- fail = 1;
- printf("FAIL: handshake_complete never true in "
- "handshake %zu\n", i);
- }
- }
-
- return fail;
-}
diff --git a/src/regress/lib/libssl/interop/LICENSE b/src/regress/lib/libssl/interop/LICENSE
deleted file mode 100644
index 838e7f45cc..0000000000
--- a/src/regress/lib/libssl/interop/LICENSE
+++ /dev/null
@@ -1,15 +0,0 @@
-/*
- * Copyright (c) 2018-2019 Alexander Bluhm
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
diff --git a/src/regress/lib/libssl/interop/Makefile b/src/regress/lib/libssl/interop/Makefile
deleted file mode 100644
index bdc67f627a..0000000000
--- a/src/regress/lib/libssl/interop/Makefile
+++ /dev/null
@@ -1,19 +0,0 @@
-# $OpenBSD: Makefile,v 1.21 2025/01/15 10:54:17 tb Exp $
-
-SUBDIR = libressl openssl33 openssl34
-
-# the above binaries must have been built before we can continue
-SUBDIR += netcat
-SUBDIR += session
-SUBDIR += botan
-
-# What is below takes a long time.
-# setting REGRESS_SKIP_SLOW to "yes" in mk.conf
-# will skip the tests that do not test libressl
-# but do things like test openssl 3.x to openssl 3.y
-SUBDIR += version
-SUBDIR += cipher
-# This takes a really long time.
-SUBDIR += cert
-
-.include
diff --git a/src/regress/lib/libssl/interop/Makefile.inc b/src/regress/lib/libssl/interop/Makefile.inc
deleted file mode 100644
index fa22fb8514..0000000000
--- a/src/regress/lib/libssl/interop/Makefile.inc
+++ /dev/null
@@ -1,83 +0,0 @@
-# $OpenBSD: Makefile.inc,v 1.10 2024/02/03 15:58:34 beck Exp $
-
-.PATH: ${.CURDIR}/..
-
-SRCS_client ?= client.c util.c
-SRCS_server ?= server.c util.c
-WARNINGS = yes
-CLEANFILES += *.out *.fstat
-
-.for p in ${PROGS}
-ldd-$p.out: $p
- # programs must be linked with correct libraries
- LD_LIBRARY_PATH=${LD_LIBRARY_PATH} ldd $p >$@
-.endfor
-
-client-self.out server-self.out: run-self-client-server
-
-run-self-client-server: client server 127.0.0.1.crt
- # check that tls client and server work together
- LD_LIBRARY_PATH=${LD_LIBRARY_PATH} \
- ./server >server-self.out \
- 127.0.0.1 0
- LD_LIBRARY_PATH=${LD_LIBRARY_PATH} \
- ./client >client-self.out \
- `sed -n 's/listen sock: //p' server-self.out`
- # wait for server to terminate
- -sed -n 's/listen sock: //p' server-self.out | xargs nc 2>/dev/null
- # check that the client run successfully to the end
- grep -q '^success$$' client-self.out
- # client must have read server greeting
- grep -q '^<<< greeting$$' client-self.out
- # check that the server child run successfully to the end
- grep -q '^success$$' server-self.out
- # server must have read client hello
- grep -q '^<<< hello$$' server-self.out
-
-# create certificates for TLS
-
-CLEANFILES += 127.0.0.1.{crt,key} \
- ca.{crt,key,srl} fake-ca.{crt,key} \
- {client,server}.{req,crt,key} \
- {dsa,ec,rsa}.{key,req,crt} \
- dh.param
-
-127.0.0.1.crt:
- openssl req -batch -new \
- -subj /L=OpenBSD/O=tls-regress/OU=server/CN=${@:R}/ \
- -nodes -newkey rsa -keyout ${@:R}.key -x509 -out $@
-
-ca.crt fake-ca.crt:
- openssl req -batch -new \
- -subj /L=OpenBSD/O=tls-regress/OU=ca/CN=root/ \
- -nodes -newkey rsa -keyout ${@:R}.key -x509 -out $@
-
-client.req server.req:
- openssl req -batch -new \
- -subj /L=OpenBSD/O=tls-regress/OU=${@:R}/CN=localhost/ \
- -nodes -newkey rsa -keyout ${@:R}.key -out $@
-
-client.crt server.crt: ca.crt ${@:R}.req
- openssl x509 -CAcreateserial -CAkey ca.key -CA ca.crt \
- -req -in ${@:R}.req -out $@
-
-dh.param:
- openssl dhparam -out $@ 1024
-
-dsa.key:
- openssl dsaparam -genkey -out $@ 2048
-
-ec.key:
- openssl ecparam -genkey -name secp256r1 -out $@
-
-rsa.key:
- openssl genrsa -out $@ 2048
-
-dsa.req ec.req rsa.req: ${@:R}.key
- openssl req -batch -new \
- -subj /L=OpenBSD/O=tls-regress/OU=${@:R}/CN=localhost/ \
- -nodes -key ${@:R}.key -out $@
-
-dsa.crt ec.crt rsa.crt: ca.crt ${@:R}.req
- openssl x509 -CAcreateserial -CAkey ca.key -CA ca.crt \
- -req -in ${@:R}.req -out $@
diff --git a/src/regress/lib/libssl/interop/README b/src/regress/lib/libssl/interop/README
deleted file mode 100644
index 091e63f6fc..0000000000
--- a/src/regress/lib/libssl/interop/README
+++ /dev/null
@@ -1,18 +0,0 @@
-Test TLS interoperability between LibreSSL and OpenSSL.
-
-Implement simple SSL client and server in C. Create six binaries
-by linking them with LibreSSL or OpenSSL 1.1 or OpenSSL 3.0. This
-way API compatibility is tested.
-
-To self test each SSL library, connect client with server. Check
-that the highest available TLS version is selected. LibreSSL TLS
-1.3 check has to be enabled when the feature becomes available.
-
-Connect and accept with netcat to test protocol compatibility with
-libtls. Test TLS session reuse multiple times with different library
-combinations. The cert subdir is testing all combinations of
-certificate validation. Having the three libraries, client and
-server certificates, missing or invalid CA or certificates, and
-enforcing peer certificate results in 1944 test cases. The cipher
-test establishes connections between implementations for each
-supported cipher.
diff --git a/src/regress/lib/libssl/interop/botan/Makefile b/src/regress/lib/libssl/interop/botan/Makefile
deleted file mode 100644
index 85877d4290..0000000000
--- a/src/regress/lib/libssl/interop/botan/Makefile
+++ /dev/null
@@ -1,84 +0,0 @@
-# $OpenBSD: Makefile,v 1.10 2025/01/15 10:54:17 tb Exp $
-
-.include
-
-.if ! exists(/usr/local/bin/botan)
-regress:
- # install botan2 from ports for interop tests
- @echo 'Run "pkg_add botan2" to run tests against Botan 2'
- @echo SKIPPED
-.elif (${COMPILER_VERSION:L} != "clang" && ! exists(/usr/local/bin/eg++))
-regress:
- # on gcc-archs install g++ from ports for botan2 interop tests
- @echo 'Run "pkg_add g++" to run tests against Botan 2 on GCC architectures'
- @echo SKIPPED
-.else
-
-# C++11
-.if ${COMPILER_VERSION:L} != "clang" && ${CXX} == "c++"
-CXX = /usr/local/bin/eg++
-.endif
-
-LIBRARIES = libressl
-.if exists(/usr/local/bin/eopenssl33)
-LIBRARIES += openssl33
-.endif
-.if exists(/usr/local/bin/eopenssl34)
-LIBRARIES += openssl34
-.endif
-
-PROGS = client
-SRCS_client = client.cpp
-CXXFLAGS = -I/usr/local/include/botan-2 -Wall
-LDFLAGS = -L/usr/local/lib
-LDADD = -lbotan-2
-DPADD = /usr/local/lib/libbotan-2.a
-
-.for lib in ${LIBRARIES}
-
-REGRESS_TARGETS += run-client-botan-server-${lib}
-
-run-client-botan-server-${lib}: client server.crt
- LD_LIBRARY_PATH=/usr/local/lib/e${lib} \
- ../${lib}/server >server-${lib}.out \
- -c server.crt -k server.key \
- 127.0.0.1 0
- ./client >client-botan.out \
- -C ca.crt \
- 127.0.0.1 \
- `sed -n 's/listen sock: 127.0.0.1 //p' server-${lib}.out`
- # check that the server child run successfully to the end
- grep -q '^success$$' server-${lib}.out || \
- { sleep 1; grep -q '^success$$' server-${lib}.out; }
- # server must have read client hello
- grep -q '^<<< hello$$' server-${lib}.out
- # check that the client run successfully to the end
- grep -q '^success$$' client-botan.out
- # client must have read server greeting
- grep -q '^<<< greeting$$' client-botan.out
- # currently botan supports TLS 1.2, adapt later
- grep -q ' Protocol *: TLSv1.2$$' server-${lib}.out
-
-.endfor
-
-server.key ca.key:
- /usr/local/bin/botan keygen >$@.tmp
- mv $@.tmp $@
-
-ca.crt: ${@:R}.key
- /usr/local/bin/botan gen_self_signed ${@:R}.key ${@:R} >$@.tmp \
- --organization=tls-regress --ca
- mv $@.tmp $@
-
-server.req: ${@:R}.key
- /usr/local/bin/botan gen_pkcs10 ${@:R}.key localhost >$@.tmp \
- --organization=tls-regress --dns=127.0.0.1
- mv $@.tmp $@
-
-server.crt: ca.crt ${@:R}.req
- /usr/local/bin/botan sign_cert ca.crt ca.key ${@:R}.req >$@.tmp
- mv $@.tmp $@
-
-.endif # exists(/usr/local/bin/botan)
-
-.include
diff --git a/src/regress/lib/libssl/interop/botan/client.cpp b/src/regress/lib/libssl/interop/botan/client.cpp
deleted file mode 100644
index 2352d7bba2..0000000000
--- a/src/regress/lib/libssl/interop/botan/client.cpp
+++ /dev/null
@@ -1,228 +0,0 @@ -/* $OpenBSD: client.cpp,v 1.1 2020/09/15 01:45:16 bluhm Exp $ */ -/* - * Copyright (c) 2019-2020 Alexander Bluhm - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#include -#include - -#include -#include -#include - -#include -#include -#include -#include -#include -#include - -#include -#include -using namespace std; - -class Callbacks : public Botan::TLS::Callbacks { -public: - Callbacks(int socket) : - m_socket(socket) - {} - - void print_sockname() - { - struct sockaddr_storage ss; - char host[NI_MAXHOST], port[NI_MAXSERV]; - socklen_t slen; - - slen = sizeof(ss); - if (getsockname(m_socket, (struct sockaddr *)&ss, &slen) == -1) - err(1, "getsockname"); - if (getnameinfo((struct sockaddr *)&ss, ss.ss_len, host, - sizeof(host), port, sizeof(port), - NI_NUMERICHOST | NI_NUMERICSERV)) - errx(1, "getnameinfo"); - cout <<"sock: " < 0) { - ssize_t n; - - n = send(m_socket, data + off, len, 0); - if (n < 0) - err(1, "send"); - off += n; - len -= n; - } - } - - void tls_record_received(uint64_t seq_no, const uint8_t data[], - size_t size) override - { - cout <<"<<< " <>> " <send(str); - m_channel->close(); - } - - void tls_alert(Botan::TLS::Alert alert) override - { - errx(1, "alert: %s", alert.type_string().c_str()); - } - - bool tls_session_established(const 
Botan::TLS::Session& session) - override - { - cout <<"established" < trusted_certificate_authorities( - const std::string &type, const std::string &context) - override - { - std::vector cs { &m_ca }; - return cs; - } - - void add_certificate_file(const std::string &file) { - Botan::X509_Certificate cert(file); - m_ca.add_certificate(cert); - } -private: - Botan::Certificate_Store_In_Memory m_ca; -}; - -class Policy : public Botan::TLS::Strict_Policy { -public: - bool require_cert_revocation_info() const override { - return false; - } -}; - -void __dead -usage(void) -{ - fprintf(stderr, "usage: client [-C CA] host port\n"); - exit(2); -} - -int -main(int argc, char *argv[]) -{ - struct addrinfo hints, *res; - int ch, s, error; - char buf[256]; - char *cafile = NULL; - char *host, *port; - - while ((ch = getopt(argc, argv, "C:")) != -1) { - switch (ch) { - case 'C': - cafile = optarg; - break; - default: - usage(); - } - } - argc -= optind; - argv += optind; - if (argc == 2) { - host = argv[0]; - port = argv[1]; - } else { - usage(); - } - - memset(&hints, 0, sizeof(hints)); - hints.ai_family = AF_INET; - hints.ai_socktype = SOCK_STREAM; - error = getaddrinfo(host, port, &hints, &res); - if (error) - errx(1, "getaddrinfo: %s", gai_strerror(error)); - if (res == NULL) - errx(1, "getaddrinfo empty"); - s = socket(res->ai_family, res->ai_socktype, res->ai_protocol); - if (s == -1) - err(1, "socket"); - if (connect(s, res->ai_addr, res->ai_addrlen) == -1) - err(1, "connect"); - freeaddrinfo(res); - - { - Callbacks callbacks(s); - Botan::AutoSeeded_RNG rng; - Botan::TLS::Session_Manager_In_Memory session_mgr(rng); - Credentials creds; - if (cafile != NULL) - creds.add_certificate_file(cafile); - Policy policy; - - callbacks.print_sockname(); - callbacks.print_peername(); - Botan::TLS::Client client(callbacks, session_mgr, creds, - policy, rng); - callbacks.set_channel(client); - - while (!client.is_closed()) { - ssize_t n; - - n = recv(s, buf, sizeof(buf), 0); - if (n < 
0) - err(1, "recv"); - if (n == 0) - errx(1, "eof"); - client.received_data((uint8_t *)&buf, n); - } - } - - if (close(s) == -1) - err(1, "close"); - - cout <<"success" <${@:S/^run/server/}.out \ - ${sca:S/^noca//:S/^fakeca/-C fake-ca.crt/:S/^ca/-C ca.crt/} \ - ${scert:S/^nocert//:S/^cert/-c server.crt -k server.key/} \ - ${sv:S/^noverify//:S/^verify/-v/:S/^certverify/-vv/} \ - 127.0.0.1 0 - ${FAIL_${cca}_${sca}_${ccert}_${scert}_${cv}_${sv}} \ - LD_LIBRARY_PATH=/usr/local/lib/e${clib} \ - ../${clib}/client >${@:S/^run/client/}.out \ - ${cca:S/^noca//:S/^fakeca/-C fake-ca.crt/:S/^ca/-C ca.crt/} \ - ${ccert:S/^nocert//:S/^cert/-c server.crt -k server.key/} \ - ${cv:S/^noverify//:S/^verify/-v/} \ - `sed -n 's/listen sock: //p' ${@:S/^run/server/}.out` -.if empty(${FAIL_${cca}_${sca}_${ccert}_${scert}_${cv}_${sv}}) - grep '^success$$' ${@:S/^run/server/}.out || \ - { sleep 1; grep '^success$$' ${@:S/^run/server/}.out; } - grep '^success$$' ${@:S/^run/client/}.out -.elif ! ("${sv}" == certverify && "${ccert}" == nocert) || \ - ("${cv}" == verify && "${scert}" != cert) - grep '^verify: fail' ${@:S/^run/client/}.out ${@:S/^run/server/}.out -.endif - -.endfor -.endfor -.endfor -.endfor -.endfor -.endfor -.endfor -.endfor - -.include -REGRESS_SKIP_SLOW ?= no -.if ${REGRESS_SKIP_SLOW:L} != "yes" -REGRESS_TARGETS += ${SLOW_TARGETS} -.endif - -REGRESS_TARGETS += run-bob -run-bob: - @echo Bob, be happy! Tests finished. - -# argument list too long for a single rm * - -clean: _SUBDIRUSE - rm -f client-*.out - rm -f server-*.out - rm -f a.out [Ee]rrs mklog *.core y.tab.h \ - ${PROG} ${PROGS} ${OBJS} ${_LEXINTM} ${_YACCINTM} ${CLEANFILES} - -.include diff --git a/src/regress/lib/libssl/interop/cipher/Makefile b/src/regress/lib/libssl/interop/cipher/Makefile deleted file mode 100644 index fa7e25f9ee..0000000000 --- a/src/regress/lib/libssl/interop/cipher/Makefile +++ /dev/null 
@@ -1,159 +0,0 @@ -# $OpenBSD: Makefile,v 1.17 2025/01/15 10:54:17 tb Exp $ - -# Connect a client to a server. Both can be current libressl, or -# openssl 1.1 or 3.0. Create lists of supported ciphers -# and pin client and server to one of the ciphers. Use server -# certificate with compatible type. Check that client and server -# have used correct cipher by grepping in their session print out. - -LIBRARIES = libressl -.if exists(/usr/local/bin/eopenssl33) -LIBRARIES += openssl33 -.endif -.if exists(/usr/local/bin/eopenssl34) -LIBRARIES += openssl34 -.endif - -CLEANFILES = *.tmp *.ciphers ciphers.mk - -.for clib in ${LIBRARIES} -client-${clib}.ciphers: - LD_LIBRARY_PATH=/usr/local/lib/e${clib} \ - ../${clib}/client -l ALL -L >$@.tmp - sed -n 's/^cipher //p' <$@.tmp | sort -u >$@ - rm $@.tmp -.endfor -.for slib in ${LIBRARIES} -server-${slib}.ciphers: 127.0.0.1.crt dsa.crt ec.crt rsa.crt - LD_LIBRARY_PATH=/usr/local/lib/e${slib} \ - ../${slib}/server -l ALL -L >$@.tmp - sed -n 's/^cipher //p' <$@.tmp | sort -u >$@ - rm $@.tmp -.endfor - -.for clib in ${LIBRARIES} -.for slib in ${LIBRARIES} -ciphers.mk: client-${clib}-server-${slib}.ciphers -client-${clib}-server-${slib}.ciphers: \ - client-${clib}.ciphers server-${slib}.ciphers client-libressl.ciphers - # get ciphers shared between client and server - sort client-${clib}.ciphers server-${slib}.ciphers >$@.tmp - uniq -d <$@.tmp >$@ - # we are only interested in ciphers supported by libressl - sort $@ client-libressl.ciphers >$@.tmp -. if "${clib}" == "openssl33" || "${slib}" == "openssl33" || \ - "${clib}" == "openssl34" || "${slib}" == "openssl34" - # OpenSSL's SSL_CTX_set_cipher_list doesn't accept TLSv1.3 ciphers - sed -i '/^TLS_/d' $@.tmp -. 
endif - uniq -d <$@.tmp >$@ - rm $@.tmp -.endfor -.endfor - -ciphers.mk: - rm -f $@ $@.tmp -.for clib in ${LIBRARIES} -.for slib in ${LIBRARIES} - echo 'CIPHERS_${clib}_${slib} =' >>$@.tmp \ - `cat client-${clib}-server-${slib}.ciphers` -.endfor -.endfor - mv $@.tmp $@ - -# hack to convert generated lists into usable make variables -.if exists(ciphers.mk) -.include "ciphers.mk" -.else -regress: ciphers.mk - ${MAKE} -C ${.CURDIR} regress -.endif - -LEVEL_libressl = -LEVEL_openssl33 = ,@SECLEVEL=0 -LEVEL_openssl34 = ,@SECLEVEL=0 - -.for clib in ${LIBRARIES} -.for slib in ${LIBRARIES} -.for cipher in ${CIPHERS_${clib}_${slib}} - -.if "${cipher:M*-DSS-*}" != "" -TYPE_${cipher} = dsa -.elif "${cipher:M*-ECDSA-*}" != "" -TYPE_${cipher} = ec -.elif "${cipher:M*-RSA-*}" != "" -TYPE_${cipher} = rsa -.else -TYPE_${cipher} = 127.0.0.1 -.endif - -DHPARAM_${cipher}_${slib} = - -.if ("${clib}" == "libressl" || "${slib}" == "libressl") -REGRESS_TARGETS += run-cipher-${cipher}-client-${clib}-server-${slib} -.else -# Don't use REGRESS_SLOW_TARGETS since its handling in bsd.regress.mk is slow. 
-SLOW_TARGETS += run-cipher-${cipher}-client-${clib}-server-${slib} -.endif -run-cipher-${cipher}-client-${clib}-server-${slib} \ -client-cipher-${cipher}-client-${clib}-server-${slib}.out \ -server-cipher-${cipher}-client-${clib}-server-${slib}.out: dh.param \ - 127.0.0.1.crt ${TYPE_${cipher}}.crt ../${clib}/client ../${slib}/server - LD_LIBRARY_PATH=/usr/local/lib/e${slib} \ - ../${slib}/server >${@:S/^run/server/}.out \ - -c ${TYPE_${cipher}}.crt -k ${TYPE_${cipher}}.key \ - -l ${cipher}${LEVEL_${slib}} ${DHPARAM_${cipher}_${slib}} \ - 127.0.0.1 0 - LD_LIBRARY_PATH=/usr/local/lib/e${clib} \ - ../${clib}/client >${@:S/^run/client/}.out \ - -l ${cipher}${LEVEL_${clib}} \ - `sed -n 's/listen sock: //p' ${@:S/^run/server/}.out` - grep -q '^success$$' ${@:S/^run/server/}.out || \ - { sleep 1; grep -q '^success$$' ${@:S/^run/server/}.out; } - grep -q '^success$$' ${@:S/^run/client/}.out - -.if ("${clib}" == "libressl" || "${slib}" == "libressl") -REGRESS_TARGETS += check-cipher-${cipher}-client-${clib}-server-${slib} -.else -# Don't use REGRESS_SLOW_TARGETS since its handling in bsd.regress.mk is slow. -SLOW_TARGETS += check-cipher-${cipher}-client-${clib}-server-${slib} -.endif -check-cipher-${cipher}-client-${clib}-server-${slib}: \ - client-cipher-${cipher}-client-${clib}-server-${slib}.out \ - server-cipher-${cipher}-client-${clib}-server-${slib}.out -.if "${cipher:C/TLS_(AES.*_GCM|CHACHA.*_POLY.*)_SHA.*/TLS1_3/}" != TLS1_3 - # client and server 1.3 capable, not TLS 1.3 cipher -. if "${clib}" == "libressl" - # libressl client may prefer chacha-poly if aes-ni is not supported - egrep -q ' Cipher *: TLS_(AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256)$$' ${@:S/^check/client/}.out -. else - # openssl 1.1 generic client cipher - grep -q ' Cipher *: TLS_AES_256_GCM_SHA384$$' ${@:S/^check/client/}.out -. endif -. if "${clib}" == "libressl" - # libressl client may prefer chacha-poly if aes-ni is not supported -. 
if "${slib}" == "openssl33" || "${slib}" == "openssl34" - egrep -q ' Cipher *: TLS_(AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256)$$' ${@:S/^check/server/}.out -. else - egrep -q ' Cipher *: TLS_(AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256)$$' ${@:S/^check/server/}.out -. endif -. else - # generic server cipher - grep -q ' Cipher *: TLS_AES_256_GCM_SHA384$$' ${@:S/^check/server/}.out -. endif -.else - grep -q ' Cipher *: ${cipher}$$' ${@:S/^check/client/}.out - grep -q ' Cipher *: ${cipher}$$' ${@:S/^check/server/}.out -.endif - -.endfor -.endfor -.endfor - -.include -REGRESS_SKIP_SLOW ?= no -.if ${REGRESS_SKIP_SLOW:L} != "yes" -REGRESS_TARGETS += ${SLOW_TARGETS} -.endif - -.include diff --git a/src/regress/lib/libssl/interop/client.c b/src/regress/lib/libssl/interop/client.c deleted file mode 100644 index 31a960381e..0000000000 --- a/src/regress/lib/libssl/interop/client.c +++ /dev/null 
@@ -1,285 +0,0 @@ -/* $OpenBSD: client.c,v 1.11 2022/07/07 13:12:57 tb Exp $ */ -/* - * Copyright (c) 2018-2019 Alexander Bluhm - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#include -#include - -#include -#include -#include -#include -#include - -#include -#include - -#include "util.h" - -void __dead usage(void); - -void __dead -usage(void) -{ - fprintf(stderr, "usage: client [-Lsv] [-C CA] [-c crt -k key] " - "[-l ciphers] [-V version] host port\n"); - exit(2); -} - -int -main(int argc, char *argv[]) -{ - const SSL_METHOD *method; - SSL_CTX *ctx; - SSL *ssl; - BIO *bio; - SSL_SESSION *session = NULL; - int ch, error, listciphers = 0, sessionreuse = 0, verify = 0; - int version = 0; - char buf[256]; - char *ca = NULL, *crt = NULL, *key = NULL, *ciphers = NULL; - char *host_port, *host = "127.0.0.1", *port = "0"; - - while ((ch = getopt(argc, argv, "C:c:k:Ll:p:sV:v")) != -1) { - switch (ch) { - case 'C': - ca = optarg; - break; - case 'c': - crt = optarg; - break; - case 'k': - key = optarg; - break; - case 'L': - listciphers = 1; - break; - case 'l': - ciphers = optarg; - break; - case 's': - /* multiple reueses are possible */ - sessionreuse++; - break; - case 'V': - if (strcmp(optarg, "TLS1") == 0) { - version = TLS1_VERSION; - } else if (strcmp(optarg, "TLS1_1") == 0) { - 
version = TLS1_1_VERSION; - } else if (strcmp(optarg, "TLS1_2") == 0) { - version = TLS1_2_VERSION; -#ifdef TLS1_3_VERSION - } else if (strcmp(optarg, "TLS1_3") == 0) { - version = TLS1_3_VERSION; -#endif - } else { - errx(1, "unknown protocol version: %s", optarg); - } - break; - case 'v': - verify = 1; - break; - default: - usage(); - } - } - argc -= optind; - argv += optind; - if (argc == 2) { - host = argv[0]; - port = argv[1]; - } else if (!listciphers) { - usage(); - } - if (asprintf(&host_port, strchr(host, ':') ? "[%s]:%s" : "%s:%s", - host, port) == -1) - err(1, "asprintf host port"); - if ((crt == NULL && key != NULL) || (crt != NULL && key == NULL)) - errx(1, "certificate and private key must be used together"); - - SSL_library_init(); - SSL_load_error_strings(); - print_version(); - - /* setup method and context */ -#if OPENSSL_VERSION_NUMBER >= 0x1010000f - method = TLS_client_method(); - if (method == NULL) - err_ssl(1, "TLS_client_method"); -#else - switch (version) { - case TLS1_VERSION: - method = TLSv1_client_method(); - break; - case TLS1_1_VERSION: - method = TLSv1_1_client_method(); - break; - case TLS1_2_VERSION: - method = TLSv1_2_client_method(); - break; -#ifdef TLS1_3_VERSION - case TLS1_3_VERSION: - err(1, "TLS1_3 not supported"); -#endif - default: - method = SSLv23_client_method(); - break; - } - if (method == NULL) - err_ssl(1, "SSLv23_client_method"); -#endif - ctx = SSL_CTX_new(method); - if (ctx == NULL) - err_ssl(1, "SSL_CTX_new"); - -#if OPENSSL_VERSION_NUMBER >= 0x1010000f - if (version) { - if (SSL_CTX_set_min_proto_version(ctx, version) != 1) - err_ssl(1, "SSL_CTX_set_min_proto_version"); - if (SSL_CTX_set_max_proto_version(ctx, version) != 1) - err_ssl(1, "SSL_CTX_set_max_proto_version"); - } -#endif - - /* load client certificate */ - if (crt != NULL) { - if (SSL_CTX_use_certificate_file(ctx, crt, - SSL_FILETYPE_PEM) <= 0) - err_ssl(1, "SSL_CTX_use_certificate_file"); - if (SSL_CTX_use_PrivateKey_file(ctx, key, - 
SSL_FILETYPE_PEM) <= 0) - err_ssl(1, "SSL_CTX_use_PrivateKey_file"); - if (SSL_CTX_check_private_key(ctx) <= 0) - err_ssl(1, "SSL_CTX_check_private_key"); - } - - /* verify server certificate */ - if (ca != NULL) { - if (SSL_CTX_load_verify_locations(ctx, ca, NULL) <= 0) - err_ssl(1, "SSL_CTX_load_verify_locations"); - } - SSL_CTX_set_verify(ctx, verify ? SSL_VERIFY_PEER : SSL_VERIFY_NONE, - verify_callback); - - if (sessionreuse) { - SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_CLIENT); - } - - if (ciphers) { - if (SSL_CTX_set_cipher_list(ctx, ciphers) <= 0) - err_ssl(1, "SSL_CTX_set_cipher_list"); - } - - if (listciphers) { - STACK_OF(SSL_CIPHER) *supported_ciphers; - -#if OPENSSL_VERSION_NUMBER < 0x1010000f -#define SSL_get1_supported_ciphers SSL_get_ciphers -#endif - ssl = SSL_new(ctx); - if (ssl == NULL) - err_ssl(1, "SSL_new"); - supported_ciphers = SSL_get1_supported_ciphers(ssl); - if (supported_ciphers == NULL) - err_ssl(1, "SSL_get1_supported_ciphers"); - print_ciphers(supported_ciphers); - -#if OPENSSL_VERSION_NUMBER >= 0x1010000f - sk_SSL_CIPHER_free(supported_ciphers); -#endif - return 0; - } - - do { - /* setup bio for socket operations */ - bio = BIO_new_connect(host_port); - if (bio == NULL) - err_ssl(1, "BIO_new_connect"); - - /* connect */ - if (BIO_do_connect(bio) <= 0) - err_ssl(1, "BIO_do_connect"); - printf("connect "); - print_sockname(bio); - printf("connect "); - print_peername(bio); - - /* do ssl client handshake */ - ssl = SSL_new(ctx); - if (ssl == NULL) - err_ssl(1, "SSL_new"); - SSL_set_bio(ssl, bio, bio); - /* resuse session if possible */ - if (session != NULL) { - if (SSL_set_session(ssl, session) <= 0) - err_ssl(1, "SSL_set_session"); - } - if ((error = SSL_connect(ssl)) <= 0) - err_ssl(1, "SSL_connect %d", error); - printf("session %d: %s\n", sessionreuse, - SSL_session_reused(ssl) ? 
"reuse" : "new"); - if (fflush(stdout) != 0) - err(1, "fflush stdout"); - - /* print session statistics */ - if (sessionreuse) { - session = SSL_get1_session(ssl); - if (session == NULL) - err_ssl(1, "SSL1_get_session"); - } else { - session = SSL_get_session(ssl); - if (session == NULL) - err_ssl(1, "SSL_get_session"); - } - if (SSL_SESSION_print_fp(stdout, session) <= 0) - err_ssl(1, "SSL_SESSION_print_fp"); - - /* read server greeting and write client hello over TLS */ - if ((error = SSL_read(ssl, buf, 9)) <= 0) - err_ssl(1, "SSL_read %d", error); - if (error != 9) - errx(1, "read not 9 bytes greeting: %d", error); - buf[9] = '\0'; - printf("<<< %s", buf); - if (fflush(stdout) != 0) - err(1, "fflush stdout"); - strlcpy(buf, "hello\n", sizeof(buf)); - printf(">>> %s", buf); - if (fflush(stdout) != 0) - err(1, "fflush stdout"); - if ((error = SSL_write(ssl, buf, 6)) <= 0) - err_ssl(1, "SSL_write %d", error); - if (error != 6) - errx(1, "write not 6 bytes hello: %d", error); - - /* shutdown connection */ - if ((error = SSL_shutdown(ssl)) < 0) - err_ssl(1, "SSL_shutdown unidirectional %d", error); - if (error <= 0) { - if ((error = SSL_shutdown(ssl)) <= 0) - err_ssl(1, "SSL_shutdown bidirectional %d", - error); - } - - SSL_free(ssl); - } while (sessionreuse--); - - SSL_CTX_free(ctx); - - printf("success\n"); - - return 0; -} diff --git a/src/regress/lib/libssl/interop/libressl/Makefile b/src/regress/lib/libssl/interop/libressl/Makefile deleted file mode 100644 index d8e20ca122..0000000000 --- a/src/regress/lib/libssl/interop/libressl/Makefile +++ /dev/null 
@@ -1,34 +0,0 @@
-# $OpenBSD: Makefile,v 1.9 2020/12/25 10:50:08 tb Exp $
-
-PROGS = client server
-CFLAGS += -DLIBRESSL_HAS_TLS1_3
-CPPFLAGS +=
-LDFLAGS +=
-LDADD += -lssl -lcrypto
-DPADD += ${LIBSSL} ${LIBCRYPTO}
-LD_LIBRARY_PATH =
-REGRESS_TARGETS = run-self-client-server
-.for p in ${PROGS}
-REGRESS_TARGETS += run-ldd-$p run-version-$p run-protocol-$p
-.endfor
-
-.for p in ${PROGS}
-
-run-ldd-$p: ldd-$p.out
- # check that $p is linked with LibreSSL
- grep -q /usr/lib/libcrypto.so ldd-$p.out
- grep -q /usr/lib/libssl.so ldd-$p.out
- # check that $p is not linked with OpenSSL
- ! grep /usr/local/lib/ ldd-$p.out
-
-run-version-$p: $p-self.out
- # check that runtime version is LibreSSL
- grep 'SSLEAY_VERSION: LibreSSL' $p-self.out
-
-run-protocol-$p: $p-self.out
- # check that LibreSSL protocol version is TLS 1.3
- grep 'Protocol *: TLSv1.3' $p-self.out
-
-.endfor
-
-.include
diff --git a/src/regress/lib/libssl/interop/netcat/Makefile b/src/regress/lib/libssl/interop/netcat/Makefile
deleted file mode 100644
index 3b8e3f95be..0000000000
--- a/src/regress/lib/libssl/interop/netcat/Makefile
+++ /dev/null
@@ -1,84 +0,0 @@ -# $OpenBSD: Makefile,v 1.10 2025/01/15 10:54:17 tb Exp $ - -LIBRARIES = libressl -.if exists(/usr/local/bin/eopenssl33) -LIBRARIES += openssl33 -.endif -.if exists(/usr/local/bin/eopenssl34) -LIBRARIES += openssl34 -.endif - -# run netcat server and connect with test client - -.for clib in ${LIBRARIES} - -REGRESS_TARGETS += run-netcat-client-${clib}-server-nc -REGRESS_TARGETS += run-protocol-client-${clib} - -run-netcat-client-${clib}-server-nc: ../${clib}/client 127.0.0.1.crt - echo "greeting" | \ - nc >${@:S/^run/server/}.out \ - -l -c -C 127.0.0.1.crt -K 127.0.0.1.key \ - 127.0.0.1 0 & \ - for i in `jot 1000`; do fstat -p $$! >netcat.fstat; \ - grep -q ' stream tcp .*:[1-9][0-9]*$$' netcat.fstat && \ - exit 0; done; exit 1 - LD_LIBRARY_PATH=/usr/local/lib/e${clib} \ - ../${clib}/client >${@:S/^run/client/}.out \ - `sed -n 's/.* stream tcp .*:/127.0.0.1 /p' netcat.fstat` - # check that the client run successfully to the end - grep -q '^success$$' ${@:S/^run/client/}.out - # client must have read server greeting - grep -q '^<<< greeting$$' ${@:S/^run/client/}.out - # netstat server must have read client hello - grep -q '^hello$$' ${@:S/^run/server/}.out - -.endfor - -# run test server and connect with netcat client - -.for slib in ${LIBRARIES} - -REGRESS_TARGETS += run-netcat-client-nc-server-${slib} - -run-netcat-client-nc-server-${slib}: ../${slib}/server 127.0.0.1.crt - LD_LIBRARY_PATH=/usr/local/lib/e${slib} \ - ../${slib}/server >${@:S/^run/server/}.out \ - 127.0.0.1 0 - echo "hello" | \ - nc >${@:S/^run/client/}.out \ - -c -R 127.0.0.1.crt \ - `sed -n 's/listen sock: //p' ${@:S/^run/server/}.out` - # check that the server child run successfully to the end - grep -q '^success$$' ${@:S/^run/server/}.out || \ - { sleep 1; grep -q '^success$$' ${@:S/^run/server/}.out; } - # server must have read client hello - grep -q '^<<< hello$$' ${@:S/^run/server/}.out - # client must have read server greeting - grep -q '^greeting$$' ${@:S/^run/client/}.out 
- -.endfor - -# check the TLS protocol version in client and server logs - -.for clib in ${LIBRARIES} - -REGRESS_TARGETS += run-protocol-client-${clib} - -run-protocol-client-${clib}: client-netcat-client-${clib}-server-nc.out - # check that LibTLS protocol version is TLS 1.2 or TLS 1.3 - grep 'Protocol *: TLSv1.[23]' client-netcat-client-${clib}-server-nc.out - -.endfor - -.for slib in ${LIBRARIES} - -REGRESS_TARGETS += run-protocol-server-${slib} - -run-protocol-server-${slib}: server-netcat-client-nc-server-${slib}.out - # check that LibTLS protocol version is TLS 1.2 or TLS 1.3 - grep 'Protocol *: TLSv1.[23]' server-netcat-client-nc-server-${slib}.out - -.endfor - -.include diff --git a/src/regress/lib/libssl/interop/openssl33/Makefile b/src/regress/lib/libssl/interop/openssl33/Makefile deleted file mode 100644 index eff61704d0..0000000000 --- a/src/regress/lib/libssl/interop/openssl33/Makefile +++ /dev/null 
@@ -1,44 +0,0 @@ -# $OpenBSD: Makefile,v 1.1 2025/01/15 10:54:17 tb Exp $ - -.if ! exists(/usr/local/bin/eopenssl33) -regress: - # install openssl-3.3 from ports for interop tests - @echo 'Run "pkg_add openssl--%3.3" to run tests against OpenSSL 3.3' - @echo SKIPPED -.else - -PROGS = client server -CFLAGS += -DOPENSSL_SUPPRESS_DEPRECATED -CPPFLAGS = -I /usr/local/include/eopenssl33 -LDFLAGS = -L /usr/local/lib/eopenssl33 -LDADD = -lssl -lcrypto -DPADD = /usr/local/lib/eopenssl33/libssl.a \ - /usr/local/lib/eopenssl33/libcrypto.a -LD_LIBRARY_PATH = /usr/local/lib/eopenssl33 -REGRESS_TARGETS = run-self-client-server -.for p in ${PROGS} -REGRESS_TARGETS += run-ldd-$p run-version-$p run-protocol-$p -.endfor - -.for p in ${PROGS} - -run-ldd-$p: ldd-$p.out - # check that $p is linked with OpenSSL 3.3 - grep -q /usr/local/lib/eopenssl33/libcrypto.so ldd-$p.out - grep -q /usr/local/lib/eopenssl33/libssl.so ldd-$p.out - # check that $p is not linked with LibreSSL - ! grep -v libc.so ldd-$p.out | grep /usr/lib/ - -run-version-$p: $p-self.out - # check that runtime version is OpenSSL 3.3 - grep 'SSLEAY_VERSION: OpenSSL 3.3' $p-self.out - -run-protocol-$p: $p-self.out - # check that OpenSSL 3.3 protocol version is TLS 1.3 - grep 'Protocol *: TLSv1.3' $p-self.out - -.endfor - -.endif # exists(/usr/local/bin/eopenssl33) - -.include diff --git a/src/regress/lib/libssl/interop/openssl34/Makefile b/src/regress/lib/libssl/interop/openssl34/Makefile deleted file mode 100644 index 72246bb621..0000000000 --- a/src/regress/lib/libssl/interop/openssl34/Makefile +++ /dev/null 
@@ -1,44 +0,0 @@ -# $OpenBSD: Makefile,v 1.1 2025/01/15 10:54:17 tb Exp $ - -.if ! exists(/usr/local/bin/eopenssl34) -regress: - # install openssl-3.4 from ports for interop tests - @echo 'Run "pkg_add openssl--%3.4" to run tests against OpenSSL 3.4' - @echo SKIPPED -.else - -PROGS = client server -CFLAGS += -DOPENSSL_SUPPRESS_DEPRECATED -CPPFLAGS = -I /usr/local/include/eopenssl34 -LDFLAGS = -L /usr/local/lib/eopenssl34 -LDADD = -lssl -lcrypto -DPADD = /usr/local/lib/eopenssl34/libssl.a \ - /usr/local/lib/eopenssl34/libcrypto.a -LD_LIBRARY_PATH = /usr/local/lib/eopenssl34 -REGRESS_TARGETS = run-self-client-server -.for p in ${PROGS} -REGRESS_TARGETS += run-ldd-$p run-version-$p run-protocol-$p -.endfor - -.for p in ${PROGS} - -run-ldd-$p: ldd-$p.out - # check that $p is linked with OpenSSL 3.4 - grep -q /usr/local/lib/eopenssl34/libcrypto.so ldd-$p.out - grep -q /usr/local/lib/eopenssl34/libssl.so ldd-$p.out - # check that $p is not linked with LibreSSL - ! grep -v libc.so ldd-$p.out | grep /usr/lib/ - -run-version-$p: $p-self.out - # check that runtime version is OpenSSL 3.4 - grep 'SSLEAY_VERSION: OpenSSL 3.4' $p-self.out - -run-protocol-$p: $p-self.out - # check that OpenSSL 3.4 protocol version is TLS 1.3 - grep 'Protocol *: TLSv1.3' $p-self.out - -.endfor - -.endif # exists(/usr/local/bin/eopenssl34) - -.include diff --git a/src/regress/lib/libssl/interop/server.c b/src/regress/lib/libssl/interop/server.c deleted file mode 100644 index a634adb43b..0000000000 --- a/src/regress/lib/libssl/interop/server.c +++ /dev/null 
@@ -1,321 +0,0 @@ -/* $OpenBSD: server.c,v 1.12 2023/02/01 14:39:09 tb Exp $ */ -/* - * Copyright (c) 2018-2019 Alexander Bluhm - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#include -#include - -#include -#include -#include -#include -#include -#include - -#include -#include - -#include "util.h" - -void __dead usage(void); - -void __dead -usage(void) -{ - fprintf(stderr, "usage: server [-Lsvv] [-C CA] [-c crt -k key] " - "[-l ciphers] [-p dhparam] [-V version] [host port]\n"); - exit(2); -} - -int -main(int argc, char *argv[]) -{ - const SSL_METHOD *method; - SSL_CTX *ctx; - SSL *ssl; - BIO *abio, *cbio; - SSL_SESSION *session; - int ch, error, listciphers = 0, sessionreuse = 0, verify = 0; - int version = 0; - char buf[256], *dhparam = NULL; - char *ca = NULL, *crt = NULL, *key = NULL, *ciphers = NULL; - char *host_port, *host = "127.0.0.1", *port = "0"; - - while ((ch = getopt(argc, argv, "C:c:k:Ll:p:sV:v")) != -1) { - switch (ch) { - case 'C': - ca = optarg; - break; - case 'c': - crt = optarg; - break; - case 'k': - key = optarg; - break; - case 'L': - listciphers = 1; - break; - case 'l': - ciphers = optarg; - break; - case 'p': - dhparam = optarg; - break; - case 's': - /* multiple reueses are possible */ - sessionreuse++; - break; - case 'V': - if (strcmp(optarg, 
"TLS1") == 0) { - version = TLS1_VERSION; - } else if (strcmp(optarg, "TLS1_1") == 0) { - version = TLS1_1_VERSION; - } else if (strcmp(optarg, "TLS1_2") == 0) { - version = TLS1_2_VERSION; - } else if (strcmp(optarg, "TLS1_3") == 0) { - version = TLS1_3_VERSION; - } else { - errx(1, "unknown protocol version: %s", optarg); - } - break; - case 'v': - /* use twice to force client cert */ - verify++; - break; - default: - usage(); - } - } - argc -= optind; - argv += optind; - if (argc == 2) { - host = argv[0]; - port = argv[1]; - } else if (argc != 0 && !listciphers) { - usage(); - } - if (asprintf(&host_port, strchr(host, ':') ? "[%s]:%s" : "%s:%s", - host, port) == -1) - err(1, "asprintf host port"); - if ((crt == NULL && key != NULL) || (crt != NULL && key == NULL)) - errx(1, "certificate and private key must be used together"); - if (crt == NULL && asprintf(&crt, "%s.crt", host) == -1) - err(1, "asprintf crt"); - if (key == NULL && asprintf(&key, "%s.key", host) == -1) - err(1, "asprintf key"); - - SSL_library_init(); - SSL_load_error_strings(); - print_version(); - - /* setup method and context */ -#if OPENSSL_VERSION_NUMBER >= 0x1010000f - method = TLS_server_method(); - if (method == NULL) - err_ssl(1, "TLS_server_method"); -#else - switch (version) { - case TLS1_VERSION: - method = TLSv1_server_method(); - break; - case TLS1_1_VERSION: - method = TLSv1_1_server_method(); - break; - case TLS1_2_VERSION: - method = TLSv1_2_server_method(); - break; -#ifdef TLS1_3_VERSION - case TLS1_3_VERSION: - err(1, "TLS1_3 not supported"); -#endif - default: - method = SSLv23_server_method(); - break; - } - if (method == NULL) - err_ssl(1, "SSLv23_server_method"); -#endif - ctx = SSL_CTX_new(method); - if (ctx == NULL) - err_ssl(1, "SSL_CTX_new"); - -#if OPENSSL_VERSION_NUMBER >= 0x1010000f - if (version) { - if (SSL_CTX_set_min_proto_version(ctx, version) != 1) - err_ssl(1, "SSL_CTX_set_min_proto_version"); - if (SSL_CTX_set_max_proto_version(ctx, version) != 1) - 
err_ssl(1, "SSL_CTX_set_max_proto_version"); - } -#endif - -#if OPENSSL_VERSION_NUMBER >= 0x10100000 - /* needed to use DHE cipher with libressl */ - if (SSL_CTX_set_dh_auto(ctx, 1) <= 0) - err_ssl(1, "SSL_CTX_set_dh_auto"); -#endif - /* needed to use ADH, EDH, DHE cipher with openssl */ - if (dhparam != NULL) { - DH *dh; - FILE *file; - - file = fopen(dhparam, "r"); - if (file == NULL) - err(1, "fopen %s", dhparam); - dh = PEM_read_DHparams(file, NULL, NULL, NULL); - if (dh == NULL) - err_ssl(1, "PEM_read_DHparams"); - if (SSL_CTX_set_tmp_dh(ctx, dh) <= 0) - err_ssl(1, "SSL_CTX_set_tmp_dh"); - fclose(file); - } - - /* load server certificate */ - if (SSL_CTX_use_certificate_file(ctx, crt, SSL_FILETYPE_PEM) <= 0) - err_ssl(1, "SSL_CTX_use_certificate_file"); - if (SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM) <= 0) - err_ssl(1, "SSL_CTX_use_PrivateKey_file"); - if (SSL_CTX_check_private_key(ctx) <= 0) - err_ssl(1, "SSL_CTX_check_private_key"); - - /* request client certificate and verify it */ - if (ca != NULL) { - STACK_OF(X509_NAME) *x509stack; - - x509stack = SSL_load_client_CA_file(ca); - if (x509stack == NULL) - err_ssl(1, "SSL_load_client_CA_file"); - SSL_CTX_set_client_CA_list(ctx, x509stack); - if (SSL_CTX_load_verify_locations(ctx, ca, NULL) <= 0) - err_ssl(1, "SSL_CTX_load_verify_locations"); - } - SSL_CTX_set_verify(ctx, - verify == 0 ? SSL_VERIFY_NONE : - verify == 1 ? 
SSL_VERIFY_PEER : - SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, - verify_callback); - - if (sessionreuse) { - uint32_t context; - - SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER); - context = arc4random(); - if (SSL_CTX_set_session_id_context(ctx, - (unsigned char *)&context, sizeof(context)) <= 0) - err_ssl(1, "SSL_CTX_set_session_id_context"); - } - - if (ciphers) { - if (SSL_CTX_set_cipher_list(ctx, ciphers) <= 0) - err_ssl(1, "SSL_CTX_set_cipher_list"); - } - - if (listciphers) { - STACK_OF(SSL_CIPHER) *supported_ciphers; - - ssl = SSL_new(ctx); - if (ssl == NULL) - err_ssl(1, "SSL_new"); - supported_ciphers = SSL_get1_supported_ciphers(ssl); - if (supported_ciphers == NULL) - err_ssl(1, "SSL_get1_supported_ciphers"); - print_ciphers(supported_ciphers); - - sk_SSL_CIPHER_free(supported_ciphers); - return 0; - } - - /* setup bio for socket operations */ - abio = BIO_new_accept(host_port); - if (abio == NULL) - err_ssl(1, "BIO_new_accept"); - - /* bind, listen */ - if (BIO_do_accept(abio) <= 0) - err_ssl(1, "BIO_do_accept setup"); - printf("listen "); - print_sockname(abio); - - /* fork to background and set timeout */ - if (daemon(1, 1) == -1) - err(1, "daemon"); - alarm(10); - - do { - /* accept connection */ - if (BIO_do_accept(abio) <= 0) - err_ssl(1, "BIO_do_accept wait"); - cbio = BIO_pop(abio); - printf("accept "); - print_sockname(cbio); - printf("accept "); - print_peername(cbio); - - /* do ssl server handshake */ - ssl = SSL_new(ctx); - if (ssl == NULL) - err_ssl(1, "SSL_new"); - SSL_set_bio(ssl, cbio, cbio); - if ((error = SSL_accept(ssl)) <= 0) - err_ssl(1, "SSL_accept %d", error); - printf("session %d: %s\n", sessionreuse, - SSL_session_reused(ssl) ? 
"reuse" : "new"); - if (fflush(stdout) != 0) - err(1, "fflush stdout"); - - - /* print session statistics */ - session = SSL_get_session(ssl); - if (session == NULL) - err_ssl(1, "SSL_get_session"); - if (SSL_SESSION_print_fp(stdout, session) <= 0) - err_ssl(1, "SSL_SESSION_print_fp"); - - /* write server greeting and read client hello over TLS */ - strlcpy(buf, "greeting\n", sizeof(buf)); - printf(">>> %s", buf); - if (fflush(stdout) != 0) - err(1, "fflush stdout"); - if ((error = SSL_write(ssl, buf, 9)) <= 0) - err_ssl(1, "SSL_write %d", error); - if (error != 9) - errx(1, "write not 9 bytes greeting: %d", error); - if ((error = SSL_read(ssl, buf, 6)) <= 0) - err_ssl(1, "SSL_read %d", error); - if (error != 6) - errx(1, "read not 6 bytes hello: %d", error); - buf[6] = '\0'; - printf("<<< %s", buf); - if (fflush(stdout) != 0) - err(1, "fflush stdout"); - - /* shutdown connection */ - if ((error = SSL_shutdown(ssl)) < 0) - err_ssl(1, "SSL_shutdown unidirectional %d", error); - if (error <= 0) { - if ((error = SSL_shutdown(ssl)) <= 0) - err_ssl(1, "SSL_shutdown bidirectional %d", - error); - } - - SSL_free(ssl); - } while (sessionreuse--); - - SSL_CTX_free(ctx); - - printf("success\n"); - - return 0; -} diff --git a/src/regress/lib/libssl/interop/session/Makefile b/src/regress/lib/libssl/interop/session/Makefile deleted file mode 100644 index e9a353f99e..0000000000 --- a/src/regress/lib/libssl/interop/session/Makefile +++ /dev/null 
@@ -1,43 +0,0 @@ -# $OpenBSD: Makefile,v 1.12 2025/01/15 10:54:17 tb Exp $ - -LIBRARIES = libressl -.if exists(/usr/local/bin/eopenssl33) -#LIBRARIES += openssl33 -.endif -.if exists(/usr/local/bin/eopenssl34) -#LIBRARIES += openssl34 -.endif - -run-session-client-libressl-server-libressl: - # TLS 1.3 needs some extra setup for session reuse - @echo DISABLED - -.for clib in ${LIBRARIES} -.for slib in ${LIBRARIES} - -REGRESS_TARGETS += run-session-client-${clib}-server-${slib} - -run-session-client-${clib}-server-${slib}: \ - 127.0.0.1.crt ../${clib}/client ../${slib}/server - LD_LIBRARY_PATH=/usr/local/lib/e${slib} \ - ../${slib}/server >${@:S/^run/server/}.out \ - -ss \ - 127.0.0.1 0 - LD_LIBRARY_PATH=/usr/local/lib/e${clib} \ - ../${clib}/client >${@:S/^run/client/}.out \ - -ss \ - `sed -n 's/listen sock: //p' ${@:S/^run/server/}.out` - grep '^success$$' ${@:S/^run/server/}.out || \ - { sleep 1; grep '^success$$' ${@:S/^run/server/}.out; } - grep '^success$$' ${@:S/^run/client/}.out - grep '^session 2: new$$' ${@:S/^run/server/}.out - grep '^session 2: new$$' ${@:S/^run/client/}.out - grep '^session 1: reuse$$' ${@:S/^run/server/}.out - grep '^session 1: reuse$$' ${@:S/^run/client/}.out - grep '^session 0: reuse$$' ${@:S/^run/server/}.out - grep '^session 0: reuse$$' ${@:S/^run/client/}.out - -.endfor -.endfor - -.include diff --git a/src/regress/lib/libssl/interop/util.c b/src/regress/lib/libssl/interop/util.c deleted file mode 100644 index 5190e81828..0000000000 --- a/src/regress/lib/libssl/interop/util.c +++ /dev/null 
@@ -1,145 +0,0 @@
-/* $OpenBSD: util.c,v 1.3 2018/11/09 06:30:41 bluhm Exp $ */
-/*
- * Copyright (c) 2018 Alexander Bluhm
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include
-#include
-
-#include
-#include
-#include
-
-#include
-#include
-#include
-#include
-
-#include "util.h"
-
-void
-print_version(void)
-{
-#ifdef OPENSSL_VERSION_NUMBER
- printf("OPENSSL_VERSION_NUMBER: %#08lx\n", OPENSSL_VERSION_NUMBER);
-#endif
-#ifdef LIBRESSL_VERSION_NUMBER
- printf("LIBRESSL_VERSION_NUMBER: %#08lx\n", LIBRESSL_VERSION_NUMBER);
-#endif
-#ifdef LIBRESSL_VERSION_TEXT
- printf("LIBRESSL_VERSION_TEXT: %s\n", LIBRESSL_VERSION_TEXT);
-#endif
-#if OPENSSL_VERSION_NUMBER >= 0x1010000f
- printf("OpenSSL_version_num: %#08lx\n", OpenSSL_version_num());
- printf("OpenSSL_version OPENSSL_VERSION: %s\n",
- OpenSSL_version(OPENSSL_VERSION));
- printf("OpenSSL_version OPENSSL_CFLAGS: %s\n",
- OpenSSL_version(OPENSSL_CFLAGS));
- printf("OpenSSL_version OPENSSL_BUILT_ON: %s\n",
- OpenSSL_version(OPENSSL_BUILT_ON));
- printf("OpenSSL_version OPENSSL_PLATFORM: %s\n",
- OpenSSL_version(OPENSSL_PLATFORM));
- printf("OpenSSL_version OPENSSL_DIR: %s\n",
- OpenSSL_version(OPENSSL_DIR));
- printf("OpenSSL_version OPENSSL_ENGINES_DIR: %s\n",
- OpenSSL_version(OPENSSL_ENGINES_DIR));
-#endif
- printf("SSLeay: 
%#08lx\n", SSLeay());
- printf("SSLeay_version SSLEAY_VERSION: %s\n",
- SSLeay_version(SSLEAY_VERSION));
- printf("SSLeay_version SSLEAY_CFLAGS: %s\n",
- SSLeay_version(SSLEAY_CFLAGS));
- printf("SSLeay_version SSLEAY_BUILT_ON: %s\n",
- SSLeay_version(SSLEAY_BUILT_ON));
- printf("SSLeay_version SSLEAY_PLATFORM: %s\n",
- SSLeay_version(SSLEAY_PLATFORM));
- printf("SSLeay_version SSLEAY_DIR: %s\n",
- SSLeay_version(SSLEAY_DIR));
-}
-
-void
-print_ciphers(STACK_OF(SSL_CIPHER) *cstack)
-{
- const SSL_CIPHER *cipher;
- int i;
-
- for (i = 0; (cipher = sk_SSL_CIPHER_value(cstack, i)) != NULL; i++)
- printf("cipher %s\n", SSL_CIPHER_get_name(cipher));
- if (fflush(stdout) != 0)
- err(1, "fflush stdout");
-}
-
-void
-print_sockname(BIO *bio)
-{
- struct sockaddr_storage ss;
- socklen_t slen;
- char host[NI_MAXHOST], port[NI_MAXSERV];
- int fd;
-
- if (BIO_get_fd(bio, &fd) <= 0)
- err_ssl(1, "BIO_get_fd");
- slen = sizeof(ss);
- if (getsockname(fd, (struct sockaddr *)&ss, &slen) == -1)
- err(1, "getsockname");
- if (getnameinfo((struct sockaddr *)&ss, ss.ss_len, host,
- sizeof(host), port, sizeof(port), NI_NUMERICHOST | NI_NUMERICSERV))
- errx(1, "getnameinfo");
- printf("sock: %s %s\n", host, port);
- if (fflush(stdout) != 0)
- err(1, "fflush stdout");
-}
-
-void
-print_peername(BIO *bio)
-{
- struct sockaddr_storage ss;
- socklen_t slen;
- char host[NI_MAXHOST], port[NI_MAXSERV];
- int fd;
-
- if (BIO_get_fd(bio, &fd) <= 0)
- err_ssl(1, "BIO_get_fd");
- slen = sizeof(ss);
- if (getpeername(fd, (struct sockaddr *)&ss, &slen) == -1)
- err(1, "getpeername");
- if (getnameinfo((struct sockaddr *)&ss, ss.ss_len, host,
- sizeof(host), port, sizeof(port), NI_NUMERICHOST | NI_NUMERICSERV))
- errx(1, "getnameinfo");
- printf("peer: %s %s\n", host, port);
- if (fflush(stdout) != 0)
- err(1, "fflush stdout");
-}
-
-void
-err_ssl(int eval, const char *fmt, ...)
-{
- va_list ap;
-
- ERR_print_errors_fp(stderr);
- va_start(ap, fmt);
- verrx(eval, fmt, ap);
- va_end(ap);
-}
-
-int
-verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
-{
- printf("verify: %s\n", preverify_ok ? "pass" : "fail");
- if (fflush(stdout) != 0)
- err(1, "fflush stdout");
-
- return preverify_ok;
-}
diff --git a/src/regress/lib/libssl/interop/util.h b/src/regress/lib/libssl/interop/util.h
deleted file mode 100644
index 7414a037d7..0000000000
--- a/src/regress/lib/libssl/interop/util.h
+++ /dev/null
@@ -1,23 +0,0 @@
-/* $OpenBSD: util.h,v 1.3 2018/11/09 06:30:41 bluhm Exp $ */
-/*
- * Copyright (c) 2018 Alexander Bluhm
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-void print_version(void);
-void print_ciphers(STACK_OF(SSL_CIPHER) *);
-void print_sockname(BIO *);
-void print_peername(BIO *);
-void err_ssl(int, const char *, ...);
-int verify_callback(int, X509_STORE_CTX *);
diff --git a/src/regress/lib/libssl/interop/version/Makefile b/src/regress/lib/libssl/interop/version/Makefile
deleted file mode 100644
index 605fba252f..0000000000
--- a/src/regress/lib/libssl/interop/version/Makefile
+++ /dev/null
@@ -1,110 +0,0 @@ -# $OpenBSD: Makefile,v 1.10 2025/01/15 10:54:17 tb Exp $ - -# Connect a client to a server. Both can be current libressl, or -# openssl 1.1 or openssl 3.0. Pin client or server to a fixed TLS -# version number. Incompatible versions must fail. Check that client -# and server have used correct version by grepping in their session -# print out. - -LIBRARIES = libressl -.if exists(/usr/local/bin/eopenssl33) -LIBRARIES += openssl33 -.endif -.if exists(/usr/local/bin/eopenssl34) -LIBRARIES += openssl34 -.endif - -VERSIONS = any TLS1_2 TLS1_3 - -.for cver in ${VERSIONS} -.for sver in ${VERSIONS} - -.if "${cver}" == any || "${sver}" == any || "${cver}" == "${sver}" -FAIL_${cver}_${sver} = -.else -FAIL_${cver}_${sver} = ! -.endif - -.for clib in ${LIBRARIES} -.for slib in ${LIBRARIES} - -.if ("${cver}" != TLS1_3 && "${sver}" != TLS1_3) && \ - ((("${clib}" != openssl33 && "${slib}" != openssl33)) || \ - (("${clib}" != openssl34 && "${slib}" != openssl34)) || \ - (("${cver}" != any && "${sver}" != any) && \ - ("${cver}" != TLS1 && "${sver}" != TLS1) && \ - ("${cver}" != TLS1_1 && "${sver}" != TLS1_1))) - -.if ("${clib}" == "libressl" || "${slib}" == "libressl") -REGRESS_TARGETS += run-version-client-${clib}-${cver}-server-${slib}-${sver} -.else -# Don't use REGRESS_SLOW_TARGETS since its handling in bsd.regress.mk is slow. 
-SLOW_TARGETS += run-version-client-${clib}-${cver}-server-${slib}-${sver} -.endif - -run-version-client-${clib}-${cver}-server-${slib}-${sver} \ -client-version-client-${clib}-${cver}-server-${slib}-${sver}.out \ -server-version-client-${clib}-${cver}-server-${slib}-${sver}.out: \ - 127.0.0.1.crt ../${clib}/client ../${slib}/server - LD_LIBRARY_PATH=/usr/local/lib/e${slib} \ - ../${slib}/server >${@:S/^run/server/}.out \ - -c 127.0.0.1.crt -k 127.0.0.1.key \ - ${sver:Nany:S/^/-V /} \ - 127.0.0.1 0 - ${FAIL_${cver}_${sver}} \ - LD_LIBRARY_PATH=/usr/local/lib/e${clib} \ - ../${clib}/client >${@:S/^run/client/}.out \ - ${cver:Nany:S/^/-V /} \ - `sed -n 's/listen sock: //p' ${@:S/^run/server/}.out` -.if empty(${FAIL_${cver}_${sver}}) - grep -q '^success$$' ${@:S/^run/server/}.out || \ - { sleep 1; grep -q '^success$$' ${@:S/^run/server/}.out; } - grep -q '^success$$' ${@:S/^run/client/}.out -.endif - -.if empty(${FAIL_${cver}_${sver}}) - -.if ("${clib}" == "libressl" || "${slib}" == "libressl") -REGRESS_TARGETS += check-version-client-${clib}-${cver}-server-${slib}-${sver} -.else -# Don't use REGRESS_SLOW_TARGETS since its handling in bsd.regress.mk is slow. 
-SLOW_TARGETS += check-version-client-${clib}-${cver}-server-${slib}-${sver} -.endif - -check-version-client-${clib}-${cver}-server-${slib}-${sver}: \ - client-version-client-${clib}-${cver}-server-${slib}-${sver}.out \ - server-version-client-${clib}-${cver}-server-${slib}-${sver}.out - @grep ' Protocol *: ' ${@:S/^check/client/}.out - @grep ' Protocol *: ' ${@:S/^check/server/}.out -.if "${cver}" == any -.if "${sver}" == any - grep -q ' Protocol *: TLSv1.3$$' ${@:S/^check/client/}.out - grep -q ' Protocol *: TLSv1.3$$' ${@:S/^check/server/}.out -.else - grep -q ' Protocol *: ${sver:S/TLS/TLSv/:S/_/./}$$' \ - ${@:S/^check/client/}.out - grep -q ' Protocol *: ${sver:S/TLS/TLSv/:S/_/./}$$' \ - ${@:S/^check/server/}.out -.endif -.else - grep -q ' Protocol *: ${cver:S/TLS/TLSv/:S/_/./}$$' \ - ${@:S/^check/client/}.out - grep -q ' Protocol *: ${cver:S/TLS/TLSv/:S/_/./}$$' \ - ${@:S/^check/server/}.out -.endif -.endif - -.endif - -.endfor -.endfor -.endfor -.endfor - -.include -REGRESS_SKIP_SLOW ?= no -.if ${REGRESS_SKIP_SLOW:L} != "yes" -REGRESS_TARGETS += ${SLOW_TARGETS} -.endif - -.include diff --git a/src/regress/lib/libssl/key_schedule/Makefile b/src/regress/lib/libssl/key_schedule/Makefile deleted file mode 100644 index a8f23a27c5..0000000000 --- a/src/regress/lib/libssl/key_schedule/Makefile +++ /dev/null @@ -1,10 +0,0 @@ -# $OpenBSD: Makefile,v 1.2 2022/06/29 15:06:18 tb Exp $ - -PROG= key_schedule -LDADD= ${SSL_INT} -lcrypto -DPADD= ${LIBCRYPTO} ${LIBSSL} -WARNINGS= Yes -CFLAGS+= -DLIBRESSL_INTERNAL -Wundef -Werror -CFLAGS+= -I${.CURDIR}/../../../../lib/libssl - -.include diff --git a/src/regress/lib/libssl/key_schedule/key_schedule.c b/src/regress/lib/libssl/key_schedule/key_schedule.c deleted file mode 100644 index cbf5ea9df7..0000000000 --- a/src/regress/lib/libssl/key_schedule/key_schedule.c +++ /dev/null 
@@ -1,317 +0,0 @@ -/* $OpenBSD: key_schedule.c,v 1.11 2024/08/23 12:56:26 anton Exp $ */ -/* - * Copyright (c) 2018-2019 Bob Beck - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#include - -#include "ssl_local.h" - -#include "bytestring.h" -#include "ssl_tlsext.h" -#include "tls13_internal.h" - -static int failures = 0; - -static void -hexdump(const unsigned char *buf, size_t len) -{ - size_t i; - - for (i = 1; i <= len; i++) - fprintf(stderr, " 0x%02hhx,%s", buf[i - 1], i % 8 ? "" : "\n"); - - fprintf(stderr, "\n"); -} - -static void -compare_data(const uint8_t *recv, size_t recv_len, const uint8_t *expect, - size_t expect_len) -{ - fprintf(stderr, "received:\n"); - hexdump(recv, recv_len); - - fprintf(stderr, "test data:\n"); - hexdump(expect, expect_len); -} - -#define FAIL(msg, ...) 
\ -do { \ - fprintf(stderr, "[%s:%d] FAIL: ", __FILE__, __LINE__); \ - fprintf(stderr, msg, ##__VA_ARGS__); \ - failures++; \ -} while(0) - -/* Hashes and secrets from test vector */ - -uint8_t chello[] = { - 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, - 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, - 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, - 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55 -}; -const struct tls13_secret chello_hash = { - .data = chello, - .len = 32, -}; - -uint8_t cshello [] = { - 0x86, 0x0c, 0x06, 0xed, 0xc0, 0x78, 0x58, 0xee, - 0x8e, 0x78, 0xf0, 0xe7, 0x42, 0x8c, 0x58, 0xed, - 0xd6, 0xb4, 0x3f, 0x2c, 0xa3, 0xe6, 0xe9, 0x5f, - 0x02, 0xed, 0x06, 0x3c, 0xf0, 0xe1, 0xca, 0xd8 -}; - -const struct tls13_secret cshello_hash = { - .data = cshello, - .len = 32, -}; - -const uint8_t ecdhe [] = { - 0x8b, 0xd4, 0x05, 0x4f, 0xb5, 0x5b, 0x9d, 0x63, - 0xfd, 0xfb, 0xac, 0xf9, 0xf0, 0x4b, 0x9f, 0x0d, - 0x35, 0xe6, 0xd6, 0x3f, 0x53, 0x75, 0x63, 0xef, - 0xd4, 0x62, 0x72, 0x90, 0x0f, 0x89, 0x49, 0x2d -}; - -uint8_t csfhello [] = { - 0x96, 0x08, 0x10, 0x2a, 0x0f, 0x1c, 0xcc, 0x6d, - 0xb6, 0x25, 0x0b, 0x7b, 0x7e, 0x41, 0x7b, 0x1a, - 0x00, 0x0e, 0xaa, 0xda, 0x3d, 0xaa, 0xe4, 0x77, - 0x7a, 0x76, 0x86, 0xc9, 0xff, 0x83, 0xdf, 0x13 -}; - -const struct tls13_secret csfhello_hash = { - .data = csfhello, - .len = 32, -}; - - -/* Expected Values */ - -uint8_t expected_extracted_early[] = { - 0x33, 0xad, 0x0a, 0x1c, 0x60, 0x7e, 0xc0, 0x3b, - 0x09, 0xe6, 0xcd, 0x98, 0x93, 0x68, 0x0c, 0xe2, - 0x10, 0xad, 0xf3, 0x00, 0xaa, 0x1f, 0x26, 0x60, - 0xe1, 0xb2, 0x2e, 0x10, 0xf1, 0x70, 0xf9, 0x2a -}; -uint8_t expected_derived_early[] = { - 0x6f, 0x26, 0x15, 0xa1, 0x08, 0xc7, 0x02, 0xc5, - 0x67, 0x8f, 0x54, 0xfc, 0x9d, 0xba, 0xb6, 0x97, - 0x16, 0xc0, 0x76, 0x18, 0x9c, 0x48, 0x25, 0x0c, - 0xeb, 0xea, 0xc3, 0x57, 0x6c, 0x36, 0x11, 0xba -}; -uint8_t expected_extracted_handshake[] = { - 0x1d, 0xc8, 0x26, 0xe9, 0x36, 0x06, 0xaa, 0x6f, - 0xdc, 0x0a, 0xad, 0xc1, 0x2f, 0x74, 0x1b, 
0x01,
- 0x04, 0x6a, 0xa6, 0xb9, 0x9f, 0x69, 0x1e, 0xd2,
- 0x21, 0xa9, 0xf0, 0xca, 0x04, 0x3f, 0xbe, 0xac
-};
-uint8_t expected_client_handshake_traffic[] = {
- 0xb3, 0xed, 0xdb, 0x12, 0x6e, 0x06, 0x7f, 0x35,
- 0xa7, 0x80, 0xb3, 0xab, 0xf4, 0x5e, 0x2d, 0x8f,
- 0x3b, 0x1a, 0x95, 0x07, 0x38, 0xf5, 0x2e, 0x96,
- 0x00, 0x74, 0x6a, 0x0e, 0x27, 0xa5, 0x5a, 0x21
-};
-
-uint8_t expected_server_handshake_traffic[] = {
- 0xb6, 0x7b, 0x7d, 0x69, 0x0c, 0xc1, 0x6c, 0x4e,
- 0x75, 0xe5, 0x42, 0x13, 0xcb, 0x2d, 0x37, 0xb4,
- 0xe9, 0xc9, 0x12, 0xbc, 0xde, 0xd9, 0x10, 0x5d,
- 0x42, 0xbe, 0xfd, 0x59, 0xd3, 0x91, 0xad, 0x38
-};
-
-uint8_t expected_derived_handshake[] = {
- 0x43, 0xde, 0x77, 0xe0, 0xc7, 0x77, 0x13, 0x85,
- 0x9a, 0x94, 0x4d, 0xb9, 0xdb, 0x25, 0x90, 0xb5,
- 0x31, 0x90, 0xa6, 0x5b, 0x3e, 0xe2, 0xe4, 0xf1,
- 0x2d, 0xd7, 0xa0, 0xbb, 0x7c, 0xe2, 0x54, 0xb4
-};
-
-uint8_t expected_extracted_master[] = {
- 0x18, 0xdf, 0x06, 0x84, 0x3d, 0x13, 0xa0, 0x8b,
- 0xf2, 0xa4, 0x49, 0x84, 0x4c, 0x5f, 0x8a, 0x47,
- 0x80, 0x01, 0xbc, 0x4d, 0x4c, 0x62, 0x79, 0x84,
- 0xd5, 0xa4, 0x1d, 0xa8, 0xd0, 0x40, 0x29, 0x19
-};
-
-uint8_t expected_server_application_traffic[] = {
- 0xa1, 0x1a, 0xf9, 0xf0, 0x55, 0x31, 0xf8, 0x56,
- 0xad, 0x47, 0x11, 0x6b, 0x45, 0xa9, 0x50, 0x32,
- 0x82, 0x04, 0xb4, 0xf4, 0x4b, 0xfb, 0x6b, 0x3a,
- 0x4b, 0x4f, 0x1f, 0x3f, 0xcb, 0x63, 0x16, 0x43
-};
-
-uint8_t expected_server_application_traffic_updated[] = {
- 0x51, 0x92, 0x1b, 0x8a, 0xa3, 0x00, 0x19, 0x76,
- 0xeb, 0x40, 0x1d, 0x0a, 0x43, 0x19, 0xa8, 0x51,
- 0x64, 0x16, 0xa6, 0xc5, 0x60, 0x01, 0xa3, 0x57,
- 0xe5, 0xd1, 0x62, 0x03, 0x1e, 0x84, 0xf9, 0x16,
-};
-
-uint8_t expected_client_application_traffic[] = {
- 0x9e, 0x40, 0x64, 0x6c, 0xe7, 0x9a, 0x7f, 0x9d,
- 0xc0, 0x5a, 0xf8, 0x88, 0x9b, 0xce, 0x65, 0x52,
- 0x87, 0x5a, 0xfa, 0x0b, 0x06, 0xdf, 0x00, 0x87,
- 0xf7, 0x92, 0xeb, 0xb7, 0xc1, 0x75, 0x04, 0xa5,
-};
-
-uint8_t expected_client_application_traffic_updated[] = {
- 0xfc, 0xdf, 0xcc, 0x72, 0x72, 0x5a, 0xae, 0xe4,
- 0x8b, 0xf6, 0x4e, 0x4f, 0xd8, 0xb7, 0x49, 0xcd,
- 0xbd, 0xba, 0xb3, 0x9d, 0x90, 0xda, 0x0b, 0x26,
- 0xe2, 0x24, 0x5c, 0xa6, 0xea, 0x16, 0x72, 0x07,
-};
-
-uint8_t expected_exporter_master[] = {
- 0xfe, 0x22, 0xf8, 0x81, 0x17, 0x6e, 0xda, 0x18,
- 0xeb, 0x8f, 0x44, 0x52, 0x9e, 0x67, 0x92, 0xc5,
- 0x0c, 0x9a, 0x3f, 0x89, 0x45, 0x2f, 0x68, 0xd8,
- 0xae, 0x31, 0x1b, 0x43, 0x09, 0xd3, 0xcf, 0x50
-};
-
-int
-main (int argc, char **argv)
-{
- struct tls13_secrets *secrets;
-
- if ((secrets = tls13_secrets_create(EVP_sha256(), 0)) == NULL)
- errx(1, "failed to create secrets");
-
- secrets->insecure = 1; /* don't explicit_bzero when done */
-
- if (tls13_derive_handshake_secrets(secrets, ecdhe, 32, &cshello_hash))
- FAIL("derive_handshake_secrets worked when it shouldn't\n");
- if (tls13_derive_application_secrets(secrets,
- &chello_hash))
- FAIL("derive_application_secrets worked when it shouldn't\n");
-
- if (!tls13_derive_early_secrets(secrets,
- secrets->zeros.data, secrets->zeros.len, &chello_hash))
- FAIL("derive_early_secrets failed\n");
- if (tls13_derive_early_secrets(secrets,
- secrets->zeros.data, secrets->zeros.len, &chello_hash))
- FAIL("derive_early_secrets worked when it shouldn't(2)\n");
-
- if (!tls13_derive_handshake_secrets(secrets, ecdhe, 32, &cshello_hash))
- FAIL("derive_handshake_secrets failed\n");
- if (tls13_derive_handshake_secrets(secrets, ecdhe, 32, &cshello_hash))
- FAIL("derive_handshake_secrets worked when it shouldn't(2)\n");
-
- /* XXX fix hash here once test vector sorted */
- if (!tls13_derive_application_secrets(secrets, &csfhello_hash))
- FAIL("derive_application_secrets failed\n");
- if (tls13_derive_application_secrets(secrets, &csfhello_hash))
- FAIL("derive_application_secrets worked when it "
- "shouldn't(2)\n");
-
- fprintf(stderr, "extracted_early:\n");
- compare_data(secrets->extracted_early.data, 32,
- expected_extracted_early, 32);
- if (memcmp(secrets->extracted_early.data,
- expected_extracted_early, 32) != 0)
- FAIL("extracted_early does not match\n");
-
- fprintf(stderr, "derived_early:\n");
- compare_data(secrets->derived_early.data, 32,
- expected_derived_early, 32);
- if (memcmp(secrets->derived_early.data,
- expected_derived_early, 32) != 0)
- FAIL("derived_early does not match\n");
-
- fprintf(stderr, "extracted_handshake:\n");
- compare_data(secrets->extracted_handshake.data, 32,
- expected_extracted_handshake, 32);
- if (memcmp(secrets->extracted_handshake.data,
- expected_extracted_handshake, 32) != 0)
- FAIL("extracted_handshake does not match\n");
-
- fprintf(stderr, "client_handshake_traffic:\n");
- compare_data(secrets->client_handshake_traffic.data, 32,
- expected_client_handshake_traffic, 32);
- if (memcmp(secrets->client_handshake_traffic.data,
- expected_client_handshake_traffic, 32) != 0)
- FAIL("client_handshake_traffic does not match\n");
-
- fprintf(stderr, "server_handshake_traffic:\n");
- compare_data(secrets->server_handshake_traffic.data, 32,
- expected_server_handshake_traffic, 32);
- if (memcmp(secrets->server_handshake_traffic.data,
- expected_server_handshake_traffic, 32) != 0)
- FAIL("server_handshake_traffic does not match\n");
-
- fprintf(stderr, "derived_early:\n");
- compare_data(secrets->derived_early.data, 32,
- expected_derived_early, 32);
- if (memcmp(secrets->derived_early.data,
- expected_derived_early, 32) != 0)
- FAIL("derived_early does not match\n");
-
- fprintf(stderr, "derived_handshake:\n");
- compare_data(secrets->derived_handshake.data, 32,
- expected_derived_handshake, 32);
- if (memcmp(secrets->derived_handshake.data,
- expected_derived_handshake, 32) != 0)
- FAIL("derived_handshake does not match\n");
-
- fprintf(stderr, "extracted_master:\n");
- compare_data(secrets->extracted_master.data, 32,
- expected_extracted_master, 32);
- if (memcmp(secrets->extracted_master.data,
- expected_extracted_master, 32) != 0)
- FAIL("extracted_master does not match\n");
-
- fprintf(stderr, "server_application_traffic:\n");
- compare_data(secrets->server_application_traffic.data, 32,
- expected_server_application_traffic, 32);
- if (memcmp(secrets->server_application_traffic.data,
- expected_server_application_traffic, 32) != 0)
- FAIL("server_application_traffic does not match\n");
-
- fprintf(stderr, "client_application_traffic:\n");
- compare_data(secrets->client_application_traffic.data, 32,
- expected_client_application_traffic, 32);
- if (memcmp(secrets->client_application_traffic.data,
- expected_client_application_traffic, 32) != 0)
- FAIL("server_application_traffic does not match\n");
-
- fprintf(stderr, "exporter_master:\n");
- compare_data(secrets->exporter_master.data, 32,
- expected_exporter_master, 32);
- if (memcmp(secrets->exporter_master.data,
- expected_exporter_master, 32) != 0)
- FAIL("exporter_master does not match\n");
-
- tls13_update_server_traffic_secret(secrets);
- fprintf(stderr, "server_application_traffic after update:\n");
- compare_data(secrets->server_application_traffic.data, 32,
- expected_server_application_traffic_updated, 32);
- if (memcmp(secrets->server_application_traffic.data,
- expected_server_application_traffic_updated, 32) != 0)
- FAIL("server_application_traffic does not match after update\n");
-
-
- tls13_update_client_traffic_secret(secrets);
- fprintf(stderr, "client_application_traffic after update:\n");
- compare_data(secrets->client_application_traffic.data, 32,
- expected_client_application_traffic_updated, 32);
- if (memcmp(secrets->client_application_traffic.data,
- expected_client_application_traffic_updated, 32) != 0)
- FAIL("client_application_traffic does not match after update\n");
-
- tls13_secrets_destroy(secrets);
-
- return failures;
-}
diff --git a/src/regress/lib/libssl/openssl-ruby/Makefile b/src/regress/lib/libssl/openssl-ruby/Makefile
deleted file mode 100644
index af8083f662..0000000000
--- a/src/regress/lib/libssl/openssl-ruby/Makefile
+++ /dev/null
@@ -1,87 +0,0 @@
-# $OpenBSD: Makefile,v 1.14 2024/08/31 11:14:58 tb Exp $
-
-OPENSSL_RUBY_TESTS = /usr/local/share/openssl-ruby-tests
-.if exists(/usr/local/bin/ruby32)
-RUBY_BINREV = 32
-.else
-RUBY_BINREV = 33
-.endif
-RUBY = ruby${RUBY_BINREV}
-
-# We work in a subdirectory of obj/ since extconf.rb generates a Makefile whose
-# name can't be customized in $PWD. An obj/Makefile in turn confuses either make
-# or bsd.*.mk. This hurts when things are in an unexpected state after a signal.
-BUILDDIR = build
-
-.if !exists(${OPENSSL_RUBY_TESTS})
-regress:
- @echo package openssl-ruby-tests is required for this regress
- @echo SKIPPED
-.else
-
-REGRESS_TARGETS += openssl-ruby-test
-
-openssl-ruby-test: retest
-
-_BUILDDIR_COOKIE = .builddir
-_BUILD_COOKIE = .build
-_TEST_COOKIE = .test
-
-${_BUILDDIR_COOKIE}:
- mkdir -p ${BUILDDIR}
- touch $@
-
-${_BUILD_COOKIE}: ${_BUILDDIR_COOKIE}
- cd ${BUILDDIR} && \
- ${RUBY} ${OPENSSL_RUBY_TESTS}/ext/openssl/extconf.rb && \
- make;
- touch $@
-
-OPENSSL_RUBY_TESTSRC = ${OPENSSL_RUBY_TESTS}/test/openssl/test_*.rb
-${_TEST_COOKIE}: ${_BUILD_COOKIE} ${_BUILDDIR_COOKIE}
- cd ${BUILDDIR} && \
- env SKIP_EXPECTED_FAILURES=true ${RUBY} -I. \
- -I${OPENSSL_RUBY_TESTS}/test/openssl \
- -I${OPENSSL_RUBY_TESTS}/lib \
- -e 'Dir["${OPENSSL_RUBY_TESTSRC}"].each{|f| require f}' \
- -- --no-use-color --no-show-detail-immediately
- touch $@
-
-build: ${_BUILD_COOKIE}
-test: ${_TEST_COOKIE}
-
-_MAKE = cd ${.CURDIR} && exec ${.MAKE}
-
-rebuild:
- rm -f ${_BUILD_COOKIE}
- ${_MAKE} build
-
-retest:
- rm -f ${_TEST_COOKIE}
- ${_MAKE} test
-
-.for _t in test_client_ca
-REGRESS_TARGETS += ${_t}
-REGRESS_EXPECTED_FAILURES += ${_t}
-${_t}: ${_BUILD_COOKIE}
- cd ${BUILDDIR} && \
- ${RUBY} -I. -I${OPENSSL_RUBY_TESTS}/test/openssl \
- -I${OPENSSL_RUBY_TESTS}/lib \
- ${OPENSSL_RUBY_TESTS}/test/openssl/test_ssl.rb \
- -n ${_t}
-.endfor
-
-CLEANFILES += ${_BUILD_COOKIE} ${_TEST_COOKIE} ${_BUILDDIR_COOKIE}
-
-. if make(clean) || make(cleandir)
-. if exists(${BUILDDIR})
-.BEGIN:
- rm -r ${BUILDDIR}
-. endif
-. endif
-
-.PHONY: build rebuild test retest
-
-.endif
-
-.include
diff --git a/src/regress/lib/libssl/pqueue/Makefile b/src/regress/lib/libssl/pqueue/Makefile
deleted file mode 100644
index 48c2cb7e61..0000000000
--- a/src/regress/lib/libssl/pqueue/Makefile
+++ /dev/null
@@ -1,17 +0,0 @@
-# $OpenBSD: Makefile,v 1.1 2016/11/04 19:45:12 jsing Exp $
-
-PROG= pq_test
-SRC= ${.CURDIR}/../../../../lib/libssl
-CFLAGS+= -I${SRC}
-
-LDADD= ${SSL_INT} -lcrypto
-DPADD= ${LIBSSL} ${LIBCRYPTO}
-WARNINGS= Yes
-CFLAGS+= -DLIBRESSL_INTERNAL -Werror
-
-REGRESS_TARGETS= regress-pq_test
-
-regress-pq_test: ${PROG}
- ${.OBJDIR}/pq_test | cmp -s ${.CURDIR}/expected.txt /dev/stdin
-
-.include
diff --git a/src/regress/lib/libssl/pqueue/expected.txt b/src/regress/lib/libssl/pqueue/expected.txt
deleted file mode 100644
index c59d6cd838..0000000000
--- a/src/regress/lib/libssl/pqueue/expected.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-item 6966726167696c69
-item 7374696365787069
-item 737570657263616c
diff --git a/src/regress/lib/libssl/pqueue/pq_test.c b/src/regress/lib/libssl/pqueue/pq_test.c
deleted file mode 100644
index a078ba5366..0000000000
--- a/src/regress/lib/libssl/pqueue/pq_test.c
+++ /dev/null
@@ -1,118 +0,0 @@
-/* crypto/pqueue/pq_test.c */
-/*
- * DTLS implementation written by Nagendra Modadugu
- * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
- */
-/* ====================================================================
- * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * openssl-core@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-#include
-#include
-#include
-#include "pqueue.h"
-
-/* remember to change expected.txt if you change these values */
-unsigned char prio1[8] = "supercal";
-unsigned char prio2[8] = "ifragili";
-unsigned char prio3[8] = "sticexpi";
-
-static void
-pqueue_print(pqueue pq)
-{
- pitem *iter, *item;
-
- iter = pqueue_iterator(pq);
- for (item = pqueue_next(&iter); item != NULL;
- item = pqueue_next(&iter)) {
- printf("item\t%02x%02x%02x%02x%02x%02x%02x%02x\n",
- item->priority[0], item->priority[1],
- item->priority[2], item->priority[3],
- item->priority[4], item->priority[5],
- item->priority[6], item->priority[7]);
- }
-}
-
-int
-main(void)
-{
- pitem *item;
- pqueue pq;
-
- pq = pqueue_new();
-
- item = pitem_new(prio3, NULL);
- pqueue_insert(pq, item);
-
- item = pitem_new(prio1, NULL);
- pqueue_insert(pq, item);
-
- item = pitem_new(prio2, NULL);
- pqueue_insert(pq, item);
-
- item = pqueue_find(pq, prio1);
- fprintf(stderr, "found %p\n", item->priority);
-
- item = pqueue_find(pq, prio2);
- fprintf(stderr, "found %p\n", item->priority);
-
- item = pqueue_find(pq, prio3);
- fprintf(stderr, "found %p\n", item ? item->priority: 0);
-
- pqueue_print(pq);
-
- for (item = pqueue_pop(pq); item != NULL; item = pqueue_pop(pq))
- pitem_free(item);
-
- pqueue_free(pq);
- return 0;
-}
diff --git a/src/regress/lib/libssl/quic/Makefile b/src/regress/lib/libssl/quic/Makefile
deleted file mode 100644
index 55fef6b257..0000000000
--- a/src/regress/lib/libssl/quic/Makefile
+++ /dev/null
@@ -1,19 +0,0 @@
-# $OpenBSD: Makefile,v 1.3 2024/03/20 10:38:05 jsing Exp $
-
-PROG= quictest
-LDADD= -lssl -lcrypto
-DPADD= ${LIBSSL} ${LIBCRYPTO}
-
-WARNINGS= Yes
-CFLAGS+= -DLIBRESSL_INTERNAL -Werror
-
-REGRESS_TARGETS= \
- regress-quictest
-
-regress-quictest: ${PROG}
- ./quictest \
- ${.CURDIR}/../../libssl/certs/server1-rsa.pem \
- ${.CURDIR}/../../libssl/certs/server1-rsa-chain.pem \
- ${.CURDIR}/../../libssl/certs/ca-root-rsa.pem
-
-.include
diff --git a/src/regress/lib/libssl/quic/quictest.c b/src/regress/lib/libssl/quic/quictest.c
deleted file mode 100644
index cdd4b2387c..0000000000
--- a/src/regress/lib/libssl/quic/quictest.c
+++ /dev/null
@@ -1,339 +0,0 @@
-/* $OpenBSD: quictest.c,v 1.1 2022/08/27 09:16:29 jsing Exp $ */
-/*
- * Copyright (c) 2020, 2021, 2022 Joel Sing
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include
-
-#include
-#include
-#include
-
-const char *server_ca_file;
-const char *server_cert_file;
-const char *server_key_file;
-
-int debug = 0;
-
-static void
-hexdump(const unsigned char *buf, size_t len)
-{
- size_t i;
-
- for (i = 1; i <= len; i++)
- fprintf(stderr, " 0x%02hhx,%s", buf[i - 1], i % 8 ? "" : "\n");
-
- if (len % 8)
- fprintf(stderr, "\n");
-}
-
-struct quic_data {
- enum ssl_encryption_level_t rlevel;
- enum ssl_encryption_level_t wlevel;
- BIO *rbio;
- BIO *wbio;
-};
-
-static int
-quic_set_read_secret(SSL *ssl, enum ssl_encryption_level_t level,
- const SSL_CIPHER *cipher, const uint8_t *secret, size_t secret_len)
-{
- struct quic_data *qd = SSL_get_app_data(ssl);
-
- qd->rlevel = level;
-
- return 1;
-}
-
-static int
-quic_set_write_secret(SSL *ssl, enum ssl_encryption_level_t level,
- const SSL_CIPHER *cipher, const uint8_t *secret, size_t secret_len)
-{
- struct quic_data *qd = SSL_get_app_data(ssl);
-
- qd->wlevel = level;
-
- return 1;
-}
-
-static int
-quic_read_handshake_data(SSL *ssl)
-{
- struct quic_data *qd = SSL_get_app_data(ssl);
- uint8_t buf[2048];
- int ret;
-
- if ((ret = BIO_read(qd->rbio, buf, sizeof(buf))) > 0) {
- if (debug > 1) {
- fprintf(stderr, "== quic_read_handshake_data ==\n");
- hexdump(buf, ret);
- }
- if (!SSL_provide_quic_data(ssl, qd->rlevel, buf, ret))
- return -1;
- }
-
- return 1;
-}
-
-static int
-quic_add_handshake_data(SSL *ssl, enum ssl_encryption_level_t level,
- const uint8_t *data, size_t len)
-{
- struct quic_data *qd = SSL_get_app_data(ssl);
- int ret;
-
- if (debug > 1) {
- fprintf(stderr, "== quic_add_handshake_data\n");
- hexdump(data, len);
- }
-
- if ((ret = BIO_write(qd->wbio, data, len)) <= 0)
- return 0;
-
- return (size_t)ret == len;
-}
-
-static int
-quic_flush_flight(SSL *ssl)
-{
- return 1;
-}
-
-static int
-quic_send_alert(SSL *ssl, enum ssl_encryption_level_t level, uint8_t alert)
-{
- return 1;
-}
-
-const SSL_QUIC_METHOD quic_method = {
- .set_read_secret = quic_set_read_secret,
- .set_write_secret = quic_set_write_secret,
- .add_handshake_data = quic_add_handshake_data,
- .flush_flight = quic_flush_flight,
- .send_alert = quic_send_alert,
-};
-
-static SSL *
-quic_client(struct quic_data *data)
-{
- SSL_CTX *ssl_ctx = NULL;
- SSL *ssl = NULL;
-
- if ((ssl_ctx = SSL_CTX_new(TLS_method())) == NULL)
- errx(1, "client context");
-
- if (!SSL_CTX_set_quic_method(ssl_ctx, &quic_method)) {
- fprintf(stderr, "FAIL: Failed to set QUIC method\n");
- goto failure;
- }
-
- if ((ssl = SSL_new(ssl_ctx)) == NULL)
- errx(1, "client ssl");
-
- SSL_set_connect_state(ssl);
- SSL_set_app_data(ssl, data);
-
- failure:
- SSL_CTX_free(ssl_ctx);
-
- return ssl;
-}
-
-static SSL *
-quic_server(struct quic_data *data)
-{
- SSL_CTX *ssl_ctx = NULL;
- SSL *ssl = NULL;
-
- if ((ssl_ctx = SSL_CTX_new(TLS_method())) == NULL)
- errx(1, "server context");
-
- SSL_CTX_set_dh_auto(ssl_ctx, 2);
-
- if (SSL_CTX_use_certificate_file(ssl_ctx, server_cert_file,
- SSL_FILETYPE_PEM) != 1) {
- fprintf(stderr, "FAIL: Failed to load server certificate\n");
- goto failure;
- }
- if (SSL_CTX_use_PrivateKey_file(ssl_ctx, server_key_file,
- SSL_FILETYPE_PEM) != 1) {
- fprintf(stderr, "FAIL: Failed to load server private key\n");
- goto failure;
- }
-
- if (!SSL_CTX_set_quic_method(ssl_ctx, &quic_method)) {
- fprintf(stderr, "FAIL: Failed to set QUIC method\n");
- goto failure;
- }
-
- if ((ssl = SSL_new(ssl_ctx)) == NULL)
- errx(1, "server ssl");
-
- SSL_set_accept_state(ssl);
- SSL_set_app_data(ssl, data);
-
- failure:
- SSL_CTX_free(ssl_ctx);
-
- return ssl;
-}
-
-static int
-ssl_error(SSL *ssl, const char *name, const char *desc, int ssl_ret)
-{
- int ssl_err;
-
- ssl_err = SSL_get_error(ssl, ssl_ret);
-
- if (ssl_err == SSL_ERROR_WANT_READ) {
- if (quic_read_handshake_data(ssl) < 0)
- return 0;
- return 1;
- } else if (ssl_err == SSL_ERROR_WANT_WRITE) {
- return 1;
- } else if (ssl_err == SSL_ERROR_SYSCALL && errno == 0) {
- /* Yup, this is apparently a thing... */
- } else {
- fprintf(stderr, "FAIL: %s %s failed - ssl err = %d, errno = %d\n",
- name, desc, ssl_err, errno);
- ERR_print_errors_fp(stderr);
- return 0;
- }
-
- return 1;
-}
-
-static int
-do_handshake(SSL *ssl, const char *name, int *done)
-{
- int ssl_ret;
-
- if ((ssl_ret = SSL_do_handshake(ssl)) == 1) {
- fprintf(stderr, "INFO: %s handshake done\n", name);
- *done = 1;
- return 1;
- }
-
- return ssl_error(ssl, name, "handshake", ssl_ret);
-}
-
-typedef int (*ssl_func)(SSL *ssl, const char *name, int *done);
-
-static int
-do_client_server_loop(SSL *client, ssl_func client_func, SSL *server,
- ssl_func server_func)
-{
- int client_done = 0, server_done = 0;
- int i = 0;
-
- do {
- if (!client_done) {
- if (debug)
- fprintf(stderr, "DEBUG: client loop\n");
- if (!client_func(client, "client", &client_done))
- return 0;
- }
- if (!server_done) {
- if (debug)
- fprintf(stderr, "DEBUG: server loop\n");
- if (!server_func(server, "server", &server_done))
- return 0;
- }
- } while (i++ < 100 && (!client_done || !server_done));
-
- if (!client_done || !server_done)
- fprintf(stderr, "FAIL: gave up\n");
-
- return client_done && server_done;
-}
-
-static int
-quictest(void)
-{
- struct quic_data *client_data = NULL, *server_data = NULL;
- BIO *client_wbio = NULL, *server_wbio = NULL;
- SSL *client = NULL, *server = NULL;
- int failed = 1;
-
- if ((client_wbio = BIO_new(BIO_s_mem())) == NULL)
- goto failure;
- if (BIO_set_mem_eof_return(client_wbio, -1) <= 0)
- goto failure;
-
- if ((server_wbio = BIO_new(BIO_s_mem())) == NULL)
- goto failure;
- if (BIO_set_mem_eof_return(server_wbio, -1) <= 0)
- goto failure;
-
- if ((client_data = calloc(1, sizeof(*client_data))) == NULL)
- goto failure;
-
- client_data->rbio = server_wbio;
- client_data->wbio = client_wbio;
-
- if ((client = quic_client(client_data)) == NULL)
- goto failure;
-
- if ((server_data = calloc(1, sizeof(*server_data))) == NULL)
- goto failure;
-
- server_data->rbio = client_wbio;
- server_data->wbio = server_wbio;
-
- if ((server = quic_server(server_data)) == NULL)
- goto failure;
-
- if (!do_client_server_loop(client, do_handshake, server, do_handshake)) {
- fprintf(stderr, "FAIL: client and server handshake failed\n");
- ERR_print_errors_fp(stderr);
- goto failure;
- }
-
- fprintf(stderr, "INFO: Done!\n");
-
- failed = 0;
-
- failure:
- BIO_free(client_wbio);
- BIO_free(server_wbio);
-
- free(client_data);
- free(server_data);
-
- SSL_free(client);
- SSL_free(server);
-
- return failed;
-}
-
-int
-main(int argc, char **argv)
-{
- int failed = 0;
-
- if (argc != 4) {
- fprintf(stderr, "usage: %s keyfile certfile cafile\n",
- argv[0]);
- exit(1);
- }
-
- server_key_file = argv[1];
- server_cert_file = argv[2];
- server_ca_file = argv[3];
-
- failed |= quictest();
-
- return failed;
-}
diff --git a/src/regress/lib/libssl/record/Makefile b/src/regress/lib/libssl/record/Makefile
deleted file mode 100644
index f0e2bc52a8..0000000000
--- a/src/regress/lib/libssl/record/Makefile
+++ /dev/null
@@ -1,10 +0,0 @@
-# $OpenBSD: Makefile,v 1.1 2019/01/19 02:57:04 jsing Exp $
-
-PROG= recordtest
-LDADD= ${SSL_INT} -lcrypto
-DPADD= ${LIBSSL} ${LIBCRYPTO}
-WARNINGS= Yes
-CFLAGS+= -DLIBRESSL_INTERNAL -Wall -Wundef -Werror
-CFLAGS+= -I${.CURDIR}/../../../../lib/libssl
-
-.include
diff --git a/src/regress/lib/libssl/record/recordtest.c b/src/regress/lib/libssl/record/recordtest.c
deleted file mode 100644
index de9bfd6935..0000000000
--- a/src/regress/lib/libssl/record/recordtest.c
+++ /dev/null
@@ -1,555 +0,0 @@
-/* $OpenBSD: recordtest.c,v 1.5 2022/06/10 22:00:15 tb Exp $ */
-/*
- * Copyright (c) 2019 Joel Sing
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include
-#include
-
-#include
-
-#include "tls13_internal.h"
-#include "tls13_record.h"
-
-/* Valid record. */
-static uint8_t test_record_1[] = {
- 0x16, 0x03, 0x03, 0x00, 0x7a, 0x02, 0x00, 0x00,
- 0x76, 0x03, 0x03, 0x14, 0xae, 0x2b, 0x6d, 0x58,
- 0xe9, 0x79, 0x9d, 0xd4, 0x90, 0x52, 0x90, 0x13,
- 0x1c, 0x08, 0xaa, 0x3f, 0x5b, 0xfb, 0x64, 0xfe,
- 0x9a, 0xca, 0x73, 0x6d, 0x87, 0x8d, 0x8b, 0x3b,
- 0x70, 0x14, 0xa3, 0x20, 0xd7, 0x50, 0xa4, 0xe5,
- 0x17, 0x42, 0x5d, 0xce, 0xe6, 0xfe, 0x1b, 0x59,
- 0x27, 0x6b, 0xff, 0xc8, 0x40, 0xc7, 0xac, 0x16,
- 0x32, 0xe6, 0x5b, 0xd2, 0xd9, 0xd4, 0xb5, 0x3f,
- 0x8f, 0x74, 0x6e, 0x7d, 0x13, 0x02, 0x00, 0x00,
- 0x2e, 0x00, 0x33, 0x00, 0x24, 0x00, 0x1d, 0x00,
- 0x20, 0x72, 0xb0, 0xaf, 0x7f, 0xf5, 0x89, 0x0f,
- 0xcd, 0x6e, 0x45, 0xb1, 0x51, 0xa0, 0xbd, 0x1e,
- 0xee, 0x7e, 0xf1, 0xa5, 0xc5, 0xc6, 0x7e, 0x5f,
- 0x6a, 0xca, 0xc9, 0xe4, 0xae, 0xb9, 0x50, 0x76,
- 0x0a, 0x00, 0x2b, 0x00, 0x02, 0x03, 0x04,
-};
-
-/* Truncated record. */
-static uint8_t test_record_2[] = {
- 0x17, 0x03, 0x03, 0x41, 0x00, 0x02, 0x00, 0x00,
-};
-
-/* Oversized and truncated record. */
-static uint8_t test_record_3[] = {
- 0x17, 0x03, 0x03, 0x41, 0x01, 0x02, 0x00, 0x00,
-};
-
-static void
-hexdump(const unsigned char *buf, size_t len)
-{
- size_t i;
-
- for (i = 1; i <= len; i++)
- fprintf(stderr, " 0x%02x,%s", buf[i - 1], i % 8 ? "" : "\n");
- if (len % 8 != 0)
- fprintf(stderr, "\n");
-}
-
-struct rw_state {
- uint8_t *buf;
- size_t len;
- size_t offset;
- uint8_t eof;
-};
-
-static ssize_t
-read_cb(void *buf, size_t buflen, void *cb_arg)
-{
- struct rw_state *rs = cb_arg;
- ssize_t n;
-
- if (rs->eof)
- return TLS13_IO_EOF;
-
- if ((size_t)(n = buflen) > (rs->len - rs->offset))
- n = rs->len - rs->offset;
-
- if (n == 0)
- return TLS13_IO_WANT_POLLIN;
-
- memcpy(buf, &rs->buf[rs->offset], n);
- rs->offset += n;
-
- return n;
-}
-
-static ssize_t
-write_cb(const void *buf, size_t buflen, void *cb_arg)
-{
- struct rw_state *ws = cb_arg;
- ssize_t n;
-
- if (ws->eof)
- return TLS13_IO_EOF;
-
- if ((size_t)(n = buflen) > (ws->len - ws->offset))
- n = ws->len - ws->offset;
-
- if (n == 0)
- return TLS13_IO_WANT_POLLOUT;
-
- memcpy(&ws->buf[ws->offset], buf, n);
- ws->offset += n;
-
- return n;
-}
-
-struct record_test {
- size_t rw_len;
- int eof;
- ssize_t want_ret;
-};
-
-struct record_recv_test {
- uint8_t *read_buf;
- struct record_test rt[10];
- uint8_t want_content_type;
- uint8_t *want_data;
- size_t want_len;
-};
-
-struct record_recv_test record_recv_tests[] = {
- {
- .read_buf = test_record_1,
- .rt = {
- {
- .rw_len = sizeof(test_record_1),
- .want_ret = sizeof(test_record_1),
- },
- },
- .want_content_type = SSL3_RT_HANDSHAKE,
- .want_data = test_record_1,
- .want_len = sizeof(test_record_1),
- },
- {
- .read_buf = test_record_1,
- .rt = {
- {
- .rw_len = 0,
- .want_ret = TLS13_IO_WANT_POLLIN,
- },
- {
- .rw_len = sizeof(test_record_1),
- .want_ret = sizeof(test_record_1),
- },
- },
- .want_content_type = SSL3_RT_HANDSHAKE,
- .want_data = test_record_1,
- .want_len = sizeof(test_record_1),
- },
- {
- .read_buf = test_record_1,
- .rt = {
- {
- .rw_len = 0,
- .want_ret = TLS13_IO_WANT_POLLIN,
- },
- {
- .rw_len = 5,
- .want_ret = TLS13_IO_WANT_POLLIN,
- },
- {
- .rw_len = sizeof(test_record_1),
- .want_ret = sizeof(test_record_1),
- },
- },
- .want_content_type = SSL3_RT_HANDSHAKE,
- .want_data = test_record_1,
- .want_len = sizeof(test_record_1),
- },
- {
- .read_buf = test_record_1,
- .rt = {
- {
- .rw_len = 0,
- .want_ret = TLS13_IO_WANT_POLLIN,
- },
- {
- .rw_len = 2,
- .want_ret = TLS13_IO_WANT_POLLIN,
- },
- {
- .rw_len = 6,
- .want_ret = TLS13_IO_WANT_POLLIN,
- },
- {
- .rw_len = sizeof(test_record_1),
- .want_ret = sizeof(test_record_1),
- },
- },
- .want_content_type = SSL3_RT_HANDSHAKE,
- .want_data = test_record_1,
- .want_len = sizeof(test_record_1),
- },
- {
- .read_buf = test_record_1,
- .rt = {
- {
- .rw_len = 4,
- .want_ret = TLS13_IO_WANT_POLLIN,
- },
- {
- .eof = 1,
- .want_ret = TLS13_IO_EOF,
- },
- },
- },
- {
- .read_buf = test_record_1,
- .rt = {
- {
- .eof = 1,
- .want_ret = TLS13_IO_EOF,
- },
- },
- },
- {
- .read_buf = test_record_2,
- .rt = {
- {
- .rw_len = sizeof(test_record_2),
- .want_ret = TLS13_IO_WANT_POLLIN,
- },
- {
- .eof = 1,
- .want_ret = TLS13_IO_EOF,
- },
- },
- .want_content_type = SSL3_RT_APPLICATION_DATA,
- },
- {
- .read_buf = test_record_3,
- .rt = {
- {
- .rw_len = sizeof(test_record_3),
- .want_ret = TLS13_IO_RECORD_OVERFLOW,
- },
- },
- },
-};
-
-#define N_RECORD_RECV_TESTS (sizeof(record_recv_tests) / sizeof(record_recv_tests[0]))
-
-struct record_send_test {
- uint8_t *data;
- size_t data_len;
- struct record_test rt[10];
- uint8_t *want_data;
- size_t want_len;
-};
-
-struct record_send_test record_send_tests[] = {
- {
- .data = test_record_1,
- .data_len = sizeof(test_record_1),
- .rt = {
- {
- .rw_len = sizeof(test_record_1),
- .want_ret = sizeof(test_record_1),
- },
- },
- .want_data = test_record_1,
- .want_len = sizeof(test_record_1),
- },
- {
- .data = test_record_1,
- .data_len = sizeof(test_record_1),
- .rt = {
- {
- .rw_len = 0,
- .want_ret = TLS13_IO_WANT_POLLOUT,
- },
- {
- .rw_len = sizeof(test_record_1),
- .want_ret = sizeof(test_record_1),
- },
- },
- .want_data = test_record_1,
- .want_len = sizeof(test_record_1),
- },
- {
- .data = test_record_1,
- .data_len = sizeof(test_record_1),
- .rt = {
- {
- .rw_len = 0,
- .want_ret = TLS13_IO_WANT_POLLOUT,
- },
- {
- .rw_len = 5,
- .want_ret = TLS13_IO_WANT_POLLOUT,
- },
- {
- .rw_len = sizeof(test_record_1),
- .want_ret = sizeof(test_record_1),
- },
- },
- .want_data = test_record_1,
- .want_len = sizeof(test_record_1),
- },
- {
- .data = test_record_1,
- .data_len = sizeof(test_record_1),
- .rt = {
- {
- .rw_len = 0,
- .want_ret = TLS13_IO_WANT_POLLOUT,
- },
- {
- .rw_len = 2,
- .want_ret = TLS13_IO_WANT_POLLOUT,
- },
- {
- .rw_len = 6,
- .want_ret = TLS13_IO_WANT_POLLOUT,
- },
- {
- .rw_len = sizeof(test_record_1),
- .want_ret = sizeof(test_record_1),
- },
- },
- .want_data = test_record_1,
- .want_len = sizeof(test_record_1),
- },
- {
- .data = test_record_1,
- .data_len = sizeof(test_record_1),
- .rt = {
- {
- .rw_len = 4,
- .want_ret = TLS13_IO_WANT_POLLOUT,
- },
- {
- .eof = 1,
- .want_ret = TLS13_IO_EOF,
- },
- },
- .want_data = test_record_1,
- .want_len = 4,
- },
- {
- .data = test_record_1,
- .data_len = sizeof(test_record_1),
- .rt = {
- {
- .rw_len = 0,
- .want_ret = TLS13_IO_WANT_POLLOUT,
- },
- {
- .eof = 1,
- .want_ret = TLS13_IO_EOF,
- },
- },
- .want_data = NULL,
- .want_len = 0,
- },
-};
-
-#define N_RECORD_SEND_TESTS (sizeof(record_send_tests) / sizeof(record_send_tests[0]))
-
-static int
-test_record_recv(size_t test_no, struct record_recv_test *rrt)
-{
- struct tls13_record *rec;
- struct rw_state rs;
- int failed = 1;
- ssize_t ret;
- size_t i;
- CBS cbs;
-
- rs.buf = rrt->read_buf;
- rs.offset = 0;
-
- if ((rec = tls13_record_new()) == NULL)
- errx(1, "tls13_record_new");
-
- for (i = 0; rrt->rt[i].rw_len != 0 || rrt->rt[i].want_ret != 0; i++) {
- rs.eof = rrt->rt[i].eof;
- rs.len = rrt->rt[i].rw_len;
-
- ret = tls13_record_recv(rec, read_cb, &rs);
- if (ret != rrt->rt[i].want_ret) {
- fprintf(stderr, "FAIL: Test %zu/%zu - tls_record_recv "
- "returned %zd, want %zd\n", test_no, i, ret,
- rrt->rt[i].want_ret);
- goto failure;
- }
- }
-
- if (tls13_record_content_type(rec) != rrt->want_content_type) {
- fprintf(stderr, "FAIL: Test %zu - got content type %u, "
- "want %u\n", test_no, tls13_record_content_type(rec),
- rrt->want_content_type);
- goto failure;
- }
-
- tls13_record_data(rec, &cbs);
- if (rrt->want_data == NULL) {
- if (CBS_data(&cbs) != NULL || CBS_len(&cbs) != 0) {
- fprintf(stderr, "FAIL: Test %zu - got CBS with data, "
- "want NULL\n", test_no);
- goto failure;
- }
- goto done;
- }
- if (!CBS_mem_equal(&cbs, rrt->want_data, rrt->want_len)) {
- fprintf(stderr, "FAIL: Test %zu - data mismatch\n", test_no);
- fprintf(stderr, "Got record data:\n");
- hexdump(CBS_data(&cbs), CBS_len(&cbs));
- fprintf(stderr, "Want record data:\n");
- hexdump(rrt->want_data, rrt->want_len);
- goto failure;
- }
-
- if (!tls13_record_header(rec, &cbs)) {
- fprintf(stderr, "FAIL: Test %zu - fail to get record "
- "header", test_no);
- goto failure;
- }
- if (!CBS_mem_equal(&cbs, rrt->want_data, TLS13_RECORD_HEADER_LEN)) {
- fprintf(stderr, "FAIL: Test %zu - header mismatch\n", test_no);
- fprintf(stderr, "Got record header:\n");
- hexdump(CBS_data(&cbs), CBS_len(&cbs));
- fprintf(stderr, "Want record header:\n");
- hexdump(rrt->want_data, rrt->want_len);
- goto failure;
- }
-
- if (!tls13_record_content(rec, &cbs)) {
- fprintf(stderr, "FAIL: Test %zu - fail to get record "
- "content", test_no);
- goto failure;
- }
- if (!CBS_mem_equal(&cbs, rrt->want_data + TLS13_RECORD_HEADER_LEN,
- rrt->want_len - TLS13_RECORD_HEADER_LEN)) {
- fprintf(stderr, "FAIL: Test %zu - content mismatch\n", test_no);
- fprintf(stderr, "Got record content:\n");
- hexdump(CBS_data(&cbs), CBS_len(&cbs));
- fprintf(stderr, "Want record content:\n");
- hexdump(rrt->want_data, rrt->want_len);
- goto failure;
- }
-
- done:
- failed = 0;
-
- failure:
- tls13_record_free(rec);
-
- return failed;
-}
-
-static int
-test_record_send(size_t test_no, struct record_send_test *rst)
-{
- uint8_t *data = NULL;
- struct tls13_record *rec;
- struct rw_state ws;
- int failed = 1;
- ssize_t ret;
- size_t i;
-
- if ((ws.buf = malloc(TLS13_RECORD_MAX_LEN)) == NULL)
- errx(1, "malloc");
-
- ws.offset = 0;
-
- if ((rec = tls13_record_new()) == NULL)
- errx(1, "tls13_record_new");
-
- if ((data = malloc(rst->data_len)) == NULL)
- errx(1, "malloc");
- memcpy(data, rst->data, rst->data_len);
-
- if (!tls13_record_set_data(rec, data, rst->data_len)) {
- fprintf(stderr, "FAIL: Test %zu - failed to set record data\n",
- test_no);
- goto failure;
- }
- data = NULL;
-
- for (i = 0; rst->rt[i].rw_len != 0 || rst->rt[i].want_ret != 0; i++) {
- ws.eof = rst->rt[i].eof;
- ws.len = rst->rt[i].rw_len;
-
- ret = tls13_record_send(rec, write_cb, &ws);
- if (ret != rst->rt[i].want_ret) {
- fprintf(stderr, "FAIL: Test %zu/%zu - tls_record_send "
- "returned %zd, want %zd\n", test_no, i, ret,
- rst->rt[i].want_ret);
- goto failure;
- }
- }
-
- if (rst->want_data != NULL &&
- memcmp(ws.buf, rst->want_data, rst->want_len) != 0) {
- fprintf(stderr, "FAIL: Test %zu - content mismatch\n", test_no);
- fprintf(stderr, "Got record data:\n");
- hexdump(rst->data, rst->data_len);
- fprintf(stderr, "Want record data:\n");
- hexdump(rst->want_data, rst->want_len);
- goto failure;
- }
-
- failed = 0;
-
- failure:
- tls13_record_free(rec);
- free(ws.buf);
-
- return failed;
-}
-
-static int
-test_recv_records(void)
-{
- int failed = 0;
- size_t i;
-
- for (i = 0; i < N_RECORD_RECV_TESTS; i++)
- failed |= test_record_recv(i, &record_recv_tests[i]);
-
- return failed;
-}
-
-static int
-test_send_records(void)
-{
- int failed = 0;
- size_t i;
-
- for (i = 0; i < N_RECORD_SEND_TESTS; i++)
- failed |= test_record_send(i, &record_send_tests[i]);
-
- return failed;
-}
-
-int
-main(int argc, char **argv)
-{
- int failed = 0;
-
- failed |= test_recv_records();
- failed |= test_send_records();
-
- return failed;
-}
diff --git a/src/regress/lib/libssl/record_layer/Makefile b/src/regress/lib/libssl/record_layer/Makefile
deleted file mode 100644
index 66c48dd769..0000000000
--- a/src/regress/lib/libssl/record_layer/Makefile
+++ /dev/null
@@ -1,10 +0,0 @@
-# $OpenBSD: Makefile,v 1.1 2020/03/13 16:04:31 jsing Exp $
-
-PROG= record_layer_test
-LDADD= ${SSL_INT} -lcrypto
-DPADD= ${LIBSSL} ${LIBCRYPTO}
-WARNINGS= Yes
-CFLAGS+= -DLIBRESSL_INTERNAL -Wall -Wundef -Werror
-CFLAGS+= -I${.CURDIR}/../../../../lib/libssl
-
-.include
diff --git a/src/regress/lib/libssl/record_layer/record_layer_test.c b/src/regress/lib/libssl/record_layer/record_layer_test.c
deleted file mode 100644
index 2db0c10f83..0000000000
--- a/src/regress/lib/libssl/record_layer/record_layer_test.c
+++ /dev/null
@@ -1,306 +0,0 @@ -/* $OpenBSD: record_layer_test.c,v 1.6 2022/11/26 16:08:56 tb Exp $ */ -/* - * Copyright (c) 2019, 2020 Joel Sing - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#include -#include - -#include "ssl_local.h" -#include "tls13_internal.h" -#include "tls13_record.h" - -int tls12_record_layer_inc_seq_num(struct tls12_record_layer *rl, - uint8_t *seq_num); -int tls13_record_layer_inc_seq_num(uint8_t *seq_num); - -static void -hexdump(const unsigned char *buf, size_t len) -{ - size_t i; - - for (i = 1; i <= len; i++) - fprintf(stderr, " 0x%02x,%s", buf[i - 1], i % 8 ? 
"" : "\n"); - if (len % 8 != 0) - fprintf(stderr, "\n"); -} - -struct seq_num_test { - uint8_t seq_num[TLS13_RECORD_SEQ_NUM_LEN]; - uint8_t want_num[TLS13_RECORD_SEQ_NUM_LEN]; - int want; -}; - -struct seq_num_test seq_num_dtls_tests[] = { - { - .seq_num = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, - .want_num = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}, - .want = 1, - }, - { - .seq_num = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}, - .want_num = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}, - .want = 1, - }, - { - .seq_num = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfe}, - .want_num = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff}, - .want = 1, - }, - { - .seq_num = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff}, - .want_num = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00}, - .want = 1, - }, - { - .seq_num = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00}, - .want_num = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x01}, - .want = 1, - }, - { - .seq_num = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xff}, - .want_num = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00}, - .want = 1, - }, - { - .seq_num = {0xab, 0xcd, 0xef, 0x00, 0xfe, 0xff, 0xff, 0xff}, - .want_num = {0xab, 0xcd, 0xef, 0x00, 0xff, 0x00, 0x00, 0x00}, - .want = 1, - }, - { - .seq_num = {0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, - .want_num = {0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, - .want = 0, - }, - { - .seq_num = {0x01, 0xff, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff}, - .want_num = {0x01, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00}, - .want = 1, - }, - { - .seq_num = {0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe}, - .want_num = {0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, - .want = 1, - }, - { - .seq_num = {0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, - .want_num = {0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}, - .want = 1, - }, - { - .seq_num = {0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, - .want_num = {0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 
0xff, 0xff}, - .want = 0, - }, - { - .seq_num = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe}, - .want_num = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, - .want = 1, - }, - { - .seq_num = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, - .want_num = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, - .want = 0, - }, -}; - -#define N_SEQ_NUM_DTLS_TESTS \ - (sizeof(seq_num_dtls_tests) / sizeof(seq_num_dtls_tests[0])) - -struct seq_num_test seq_num_tls_tests[] = { - { - .seq_num = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, - .want_num = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}, - .want = 1, - }, - { - .seq_num = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}, - .want_num = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}, - .want = 1, - }, - { - .seq_num = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfe}, - .want_num = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff}, - .want = 1, - }, - { - .seq_num = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff}, - .want_num = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00}, - .want = 1, - }, - { - .seq_num = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00}, - .want_num = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x01}, - .want = 1, - }, - { - .seq_num = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xff}, - .want_num = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00}, - .want = 1, - }, - { - .seq_num = {0xab, 0xcd, 0xef, 0x00, 0xfe, 0xff, 0xff, 0xff}, - .want_num = {0xab, 0xcd, 0xef, 0x00, 0xff, 0x00, 0x00, 0x00}, - .want = 1, - }, - { - .seq_num = {0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, - .want_num = {0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, - .want = 1, - }, - { - .seq_num = {0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, - .want_num = {0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, - .want = 1, - }, - { - .seq_num = {0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, - .want_num = {0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}, - .want = 1, - }, - { - .seq_num = {0xfe, 0xff, 
0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, - .want_num = {0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, - .want = 1, - }, - { - .seq_num = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe}, - .want_num = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, - .want = 1, - }, - { - .seq_num = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, - .want_num = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, - .want = 0, - }, -}; - -#define N_SEQ_NUM_TLS_TESTS \ - (sizeof(seq_num_tls_tests) / sizeof(seq_num_tls_tests[0])) - -#ifndef TLS12_RECORD_SEQ_NUM_LEN -#define TLS12_RECORD_SEQ_NUM_LEN 8 -#endif - -static int -do_seq_num_test_tls12(size_t test_no, int dtls, struct seq_num_test *snt) -{ - uint8_t seq_num[TLS12_RECORD_SEQ_NUM_LEN]; - struct tls12_record_layer *rl; - int failed = 1; - int ret; - - if ((rl = tls12_record_layer_new()) == NULL) - errx(1, "tls12_record_layer_new"); - - if (dtls) - tls12_record_layer_set_version(rl, DTLS1_2_VERSION); - - memcpy(seq_num, snt->seq_num, sizeof(seq_num)); - - if ((ret = tls12_record_layer_inc_seq_num(rl, seq_num)) != snt->want) { - fprintf(stderr, "FAIL: Test %zu - got return %d, want %d\n", - test_no, ret, snt->want); - goto failure; - } - - if (memcmp(seq_num, snt->want_num, sizeof(seq_num)) != 0) { - fprintf(stderr, "FAIL: Test %zu - got sequence number:\n", - test_no); - hexdump(seq_num, sizeof(seq_num)); - fprintf(stderr, "want:\n"); - hexdump(snt->want_num, sizeof(snt->want_num)); - goto failure; - } - - failed = 0; - - failure: - tls12_record_layer_free(rl); - - return failed; -} - -static int -test_seq_num_tls12(void) -{ - int failed = 0; - size_t i; - - fprintf(stderr, "Running TLSv1.2 sequence number tests...\n"); - for (i = 0; i < N_SEQ_NUM_TLS_TESTS; i++) - failed |= do_seq_num_test_tls12(i, 0, &seq_num_tls_tests[i]); - - fprintf(stderr, "Running DTLSv1.2 sequence number tests...\n"); - for (i = 0; i < N_SEQ_NUM_DTLS_TESTS; i++) - failed |= do_seq_num_test_tls12(i, 1, &seq_num_dtls_tests[i]); - - return failed; -} - 
-static int -do_seq_num_test_tls13(size_t test_no, struct seq_num_test *snt) -{ - uint8_t seq_num[TLS13_RECORD_SEQ_NUM_LEN]; - int failed = 1; - int ret; - - memcpy(seq_num, snt->seq_num, sizeof(seq_num)); - - if ((ret = tls13_record_layer_inc_seq_num(seq_num)) != snt->want) { - fprintf(stderr, "FAIL: Test %zu - got return %d, want %d\n", - test_no, ret, snt->want); - goto failure; - } - - if (memcmp(seq_num, snt->want_num, sizeof(seq_num)) != 0) { - fprintf(stderr, "FAIL: Test %zu - got sequence number:\n", - test_no); - hexdump(seq_num, sizeof(seq_num)); - fprintf(stderr, "want:\n"); - hexdump(snt->want_num, sizeof(snt->want_num)); - goto failure; - } - - failed = 0; - - failure: - return failed; -} - -static int -test_seq_num_tls13(void) -{ - int failed = 0; - size_t i; - - fprintf(stderr, "Running TLSv1.3 sequence number tests...\n"); - - for (i = 0; i < N_SEQ_NUM_TLS_TESTS; i++) - failed |= do_seq_num_test_tls13(i, &seq_num_tls_tests[i]); - - return failed; -} - -int -main(int argc, char **argv) -{ - int failed = 0; - - failed |= test_seq_num_tls12(); - failed |= test_seq_num_tls13(); - - return failed; -} diff --git a/src/regress/lib/libssl/renegotiation/Makefile b/src/regress/lib/libssl/renegotiation/Makefile deleted file mode 100644 index 55f323e158..0000000000 --- a/src/regress/lib/libssl/renegotiation/Makefile +++ /dev/null @@ -1,18 +0,0 @@ -# $OpenBSD: Makefile,v 1.2 2025/02/01 12:26:50 jsing Exp $ - -PROG= renegotiation_test -LDADD= -lssl -lcrypto -DPADD= ${LIBSSL} ${LIBCRYPTO} -WARNINGS= Yes -CFLAGS+= -DLIBRESSL_INTERNAL -Werror - -REGRESS_TARGETS= \ - regress-renegotiation-test - -regress-renegotiation-test: ${PROG} - ./renegotiation_test \ - ${.CURDIR}/../../libssl/certs/server1-rsa.pem \ - ${.CURDIR}/../../libssl/certs/server1-rsa-chain.pem \ - ${.CURDIR}/../../libssl/certs/ca-root-rsa.pem - -.include 
diff --git a/src/regress/lib/libssl/renegotiation/renegotiation_test.c b/src/regress/lib/libssl/renegotiation/renegotiation_test.c
deleted file mode 100644
index 1c9f35237f..0000000000
--- a/src/regress/lib/libssl/renegotiation/renegotiation_test.c
+++ /dev/null
@@ -1,650 +0,0 @@ -/* $OpenBSD: renegotiation_test.c,v 1.3 2025/03/12 14:07:35 jsing Exp $ */ -/* - * Copyright (c) 2020,2025 Joel Sing - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#include - -#include -#include -#include - -const char *server_ca_file; -const char *server_cert_file; -const char *server_key_file; - -int debug = 0; - -int tls_client_alert; -int tls_server_alert; - -static void -hexdump(const unsigned char *buf, size_t len) -{ - size_t i; - - for (i = 1; i <= len; i++) - fprintf(stderr, " 0x%02hhx,%s", buf[i - 1], i % 8 ? 
"" : "\n"); - - if (len % 8) - fprintf(stderr, "\n"); -} - -static SSL * -tls_client(BIO *rbio, BIO *wbio) -{ - SSL_CTX *ssl_ctx = NULL; - SSL *ssl = NULL; - - if ((ssl_ctx = SSL_CTX_new(TLS_method())) == NULL) - errx(1, "client context"); - - if ((ssl = SSL_new(ssl_ctx)) == NULL) - errx(1, "client ssl"); - - BIO_up_ref(rbio); - BIO_up_ref(wbio); - - SSL_set_bio(ssl, rbio, wbio); - - SSL_CTX_free(ssl_ctx); - - return ssl; -} - -static SSL * -tls_server(BIO *rbio, BIO *wbio) -{ - SSL_CTX *ssl_ctx = NULL; - SSL *ssl = NULL; - - if ((ssl_ctx = SSL_CTX_new(TLS_method())) == NULL) - errx(1, "server context"); - - SSL_CTX_set_dh_auto(ssl_ctx, 2); - - if (SSL_CTX_use_certificate_file(ssl_ctx, server_cert_file, - SSL_FILETYPE_PEM) != 1) { - fprintf(stderr, "FAIL: Failed to load server certificate"); - goto failure; - } - if (SSL_CTX_use_PrivateKey_file(ssl_ctx, server_key_file, - SSL_FILETYPE_PEM) != 1) { - fprintf(stderr, "FAIL: Failed to load server private key"); - goto failure; - } - - if ((ssl = SSL_new(ssl_ctx)) == NULL) - errx(1, "server ssl"); - - BIO_up_ref(rbio); - BIO_up_ref(wbio); - - SSL_set_bio(ssl, rbio, wbio); - - failure: - SSL_CTX_free(ssl_ctx); - - return ssl; -} - -static int -ssl_error(SSL *ssl, const char *name, const char *desc, int ssl_ret) -{ - int ssl_err; - - ssl_err = SSL_get_error(ssl, ssl_ret); - - if (ssl_err == SSL_ERROR_WANT_READ) { - return 1; - } else if (ssl_err == SSL_ERROR_WANT_WRITE) { - return 1; - } else if (ssl_err == SSL_ERROR_SYSCALL && errno == 0) { - /* Yup, this is apparently a thing... 
*/ - } else { - if (tls_client_alert >> 8 == SSL3_AL_FATAL || - tls_server_alert >> 8 == SSL3_AL_FATAL) { - ERR_clear_error(); - return 0; - } - if (tls_client_alert >> 8 == SSL3_AL_WARNING || - tls_server_alert >> 8 == SSL3_AL_WARNING) { - ERR_clear_error(); - return 1; - } - fprintf(stderr, "FAIL: %s %s failed - ssl err = %d, errno = %d\n", - name, desc, ssl_err, errno); - ERR_print_errors_fp(stderr); - return 0; - } - - return 1; -} - -static int -do_connect(SSL *ssl, const char *name, int *done) -{ - int ssl_ret; - - if ((ssl_ret = SSL_connect(ssl)) == 1) { - fprintf(stderr, "INFO: %s connect done\n", name); - *done = 1; - return 1; - } - - return ssl_error(ssl, name, "connect", ssl_ret); -} - -static int -do_accept(SSL *ssl, const char *name, int *done) -{ - int ssl_ret; - - if ((ssl_ret = SSL_accept(ssl)) == 1) { - fprintf(stderr, "INFO: %s accept done\n", name); - *done = 1; - return 1; - } - - return ssl_error(ssl, name, "accept", ssl_ret); -} - -static int -do_read(SSL *ssl, const char *name, int *done) -{ - uint8_t buf[512]; - int ssl_ret; - - if ((ssl_ret = SSL_read(ssl, buf, sizeof(buf))) > 0) { - fprintf(stderr, "INFO: %s read done\n", name); - if (debug > 1) - hexdump(buf, ssl_ret); - *done = 1; - return 1; - } - - return ssl_error(ssl, name, "read", ssl_ret); -} - -static int -do_write(SSL *ssl, const char *name, int *done) -{ - const uint8_t buf[] = "Hello, World!\n"; - int ssl_ret; - - if ((ssl_ret = SSL_write(ssl, buf, sizeof(buf))) > 0) { - fprintf(stderr, "INFO: %s write done\n", name); - *done = 1; - return 1; - } - - return ssl_error(ssl, name, "write", ssl_ret); -} - -static int -do_shutdown(SSL *ssl, const char *name, int *done) -{ - int ssl_ret; - - ssl_ret = SSL_shutdown(ssl); - if (ssl_ret == 1) { - fprintf(stderr, "INFO: %s shutdown done\n", name); - *done = 1; - return 1; - } - return ssl_error(ssl, name, "shutdown", ssl_ret); -} - -typedef int (*ssl_func)(SSL *ssl, const char *name, int *done); - -static int -do_client_server_loop(SSL 
*client, ssl_func client_func, SSL *server, - ssl_func server_func) -{ - int client_done = 0, server_done = 0; - int i = 0; - - do { - if (!client_done) { - if (debug) - fprintf(stderr, "DEBUG: client loop\n"); - if (!client_func(client, "client", &client_done)) - return 0; - } - if (!server_done) { - if (debug) - fprintf(stderr, "DEBUG: server loop\n"); - if (!server_func(server, "server", &server_done)) - return 0; - } - } while (i++ < 100 && (!client_done || !server_done)); - - if (!client_done || !server_done) - fprintf(stderr, "FAIL: gave up\n"); - - return client_done && server_done; -} - -struct tls_reneg_test { - const unsigned char *desc; - int ssl_max_proto_version; - long ssl_client_options; - long ssl_server_options; - int renegotiate_client; - int renegotiate_server; - int client_ignored; - int want_client_alert; - int want_server_alert; - int want_failure; -}; - -static const struct tls_reneg_test tls_reneg_tests[] = { - { - .desc = "TLSv1.2 - Renegotiation permitted, no renegotiation", - .ssl_max_proto_version = TLS1_2_VERSION, - }, - { - .desc = "TLSv1.2 - Renegotiation permitted, server initiated " - "renegotiation", - .ssl_max_proto_version = TLS1_2_VERSION, - .renegotiate_server = 1, - }, - { - .desc = "TLSv1.2 - Renegotiation permitted, client initiated " - "renegotiation", - .ssl_max_proto_version = TLS1_2_VERSION, - .renegotiate_client = 1, - }, - { - .desc = "TLSv1.2 - Renegotiation permitted, server and client " - "initiated renegotiation", - .ssl_max_proto_version = TLS1_2_VERSION, - .renegotiate_client = 1, - .renegotiate_server = 1, - }, - { - .desc = "TLSv1.2 - Client renegotiation not permitted, server " - "initiated renegotiation", - .ssl_max_proto_version = TLS1_2_VERSION, - .ssl_server_options = SSL_OP_NO_CLIENT_RENEGOTIATION, - .renegotiate_server = 1, - .want_client_alert = SSL3_AL_FATAL << 8 | SSL_AD_NO_RENEGOTIATION, - }, - { - .desc = "TLSv1.2 - Client renegotiation not permitted, client " - "initiated renegotiation", - 
.ssl_max_proto_version = TLS1_2_VERSION, - .ssl_server_options = SSL_OP_NO_CLIENT_RENEGOTIATION, - .renegotiate_client = 1, - .want_client_alert = SSL3_AL_FATAL << 8 | SSL_AD_NO_RENEGOTIATION, - }, - { - .desc = "TLSv1.2 - Client renegotiation not permitted, client " - "initiated renegotiation", - .ssl_max_proto_version = TLS1_2_VERSION, - .ssl_server_options = SSL_OP_NO_RENEGOTIATION, - .renegotiate_client = 1, - .want_client_alert = SSL3_AL_FATAL << 8 | SSL_AD_NO_RENEGOTIATION, - }, - { - .desc = "TLSv1.2 - Server renegotiation not permitted, server " - "initiated renegotiation", - .ssl_max_proto_version = TLS1_2_VERSION, - .ssl_client_options = SSL_OP_NO_RENEGOTIATION, - .renegotiate_server = 1, - .client_ignored = 1, - .want_server_alert = SSL3_AL_WARNING << 8 | SSL_AD_NO_RENEGOTIATION, - }, - { - .desc = "TLSv1.2 - Client renegotiation permitted, client " - "initiated renegotiation", - .ssl_max_proto_version = TLS1_2_VERSION, - .ssl_server_options = SSL_OP_NO_RENEGOTIATION | - SSL_OP_ALLOW_CLIENT_RENEGOTIATION, - .renegotiate_client = 1, - }, - { - .desc = "TLSv1.2 - Client renegotiation permitted, server " - "initiated renegotiation", - .ssl_max_proto_version = TLS1_2_VERSION, - .ssl_server_options = SSL_OP_ALLOW_CLIENT_RENEGOTIATION, - .renegotiate_server = 1, - }, - { - .desc = "TLSv1.2 - Client renegotiation permitted, client " - "initiated renegotiation", - .ssl_max_proto_version = TLS1_2_VERSION, - .ssl_server_options = SSL_OP_ALLOW_CLIENT_RENEGOTIATION, - .renegotiate_client = 1, - }, - { - .desc = "TLSv1.2 - Client renegotiation disabled, client " - "initiated renegotiation", - .ssl_max_proto_version = TLS1_2_VERSION, - .ssl_client_options = SSL_OP_NO_RENEGOTIATION, - .renegotiate_client = 1, - .want_failure = 1, - }, - { - .desc = "TLSv1.2 - Server renegotiation disabled, server " - "initiated renegotiation", - .ssl_max_proto_version = TLS1_2_VERSION, - .ssl_server_options = SSL_OP_NO_RENEGOTIATION, - .renegotiate_server = 1, - .want_failure = 1, - }, 
- { - .desc = "TLSv1.3 - No renegotiation supported, no renegotiation", - .ssl_max_proto_version = TLS1_3_VERSION, - }, - { - .desc = "TLSv1.3 - No renegotiation supported, server " - "initiated renegotiation", - .ssl_max_proto_version = TLS1_3_VERSION, - .renegotiate_server = 1, - .want_failure = 1, - }, - { - .desc = "TLSv1.3 - No renegotiation supported, client " - "initiated renegotiation", - .ssl_max_proto_version = TLS1_3_VERSION, - .renegotiate_client = 1, - .want_failure = 1, - }, -}; - -#define N_TLS_RENEG_TESTS (sizeof(tls_reneg_tests) / sizeof(*tls_reneg_tests)) - -static void -tls_client_info_callback(const SSL *ssl, int where, int value) -{ - if (where == SSL_CB_READ_ALERT) { - fprintf(stderr, "INFO: client read %s alert - %s\n", - SSL_alert_type_string_long(value), - SSL_alert_desc_string_long(value)); - tls_client_alert = value; - } -} - -static void -tls_server_info_callback(const SSL *ssl, int where, int value) -{ - if (where == SSL_CB_READ_ALERT) { - fprintf(stderr, "INFO: server read %s alert - %s\n", - SSL_alert_type_string_long(value), - SSL_alert_desc_string_long(value)); - tls_server_alert = value; - } -} - -static int -tls_check_reneg(SSL *client, SSL *server, int client_pending, - int server_pending, long client_num_reneg, long server_num_reneg) -{ - if (debug) { - fprintf(stderr, "DEBUG: client - pending = %d, num reneg = %ld\n", - SSL_renegotiate_pending(client), SSL_num_renegotiations(client)); - fprintf(stderr, "DEBUG: server - pending = %d, num reneg = %ld\n", - SSL_renegotiate_pending(server), SSL_num_renegotiations(server)); - } - - if (SSL_renegotiate_pending(client) != client_pending) { - fprintf(stderr, "FAIL: client SSL_renegotiate_pending() = %d, want %d\n", - SSL_renegotiate_pending(client), client_pending); - return 0; - } - if (SSL_renegotiate_pending(server) != server_pending) { - fprintf(stderr, "FAIL: server SSL_renegotiate_pending() = %d, want %d\n", - SSL_renegotiate_pending(server), server_pending); - return 0; - } - if 
(SSL_num_renegotiations(client) != client_num_reneg) { - fprintf(stderr, "FAIL: client SSL_num_renegotiations() = %ld, want %ld\n", - SSL_num_renegotiations(client), client_num_reneg); - return 0; - } - if (SSL_num_renegotiations(server) != server_num_reneg) { - fprintf(stderr, "FAIL: server SSL_num_renegotiations() = %ld, want %ld\n", - SSL_num_renegotiations(server), server_num_reneg); - return 0; - } - return 1; -} - -static int -tls_reneg_test(const struct tls_reneg_test *trt) -{ - BIO *client_wbio = NULL, *server_wbio = NULL; - SSL *client = NULL, *server = NULL; - int failed = 1; - - fprintf(stderr, "\n== Testing %s... ==\n", trt->desc); - - if ((client_wbio = BIO_new(BIO_s_mem())) == NULL) - goto failure; - if (BIO_set_mem_eof_return(client_wbio, -1) <= 0) - goto failure; - - if ((server_wbio = BIO_new(BIO_s_mem())) == NULL) - goto failure; - if (BIO_set_mem_eof_return(server_wbio, -1) <= 0) - goto failure; - - if ((client = tls_client(server_wbio, client_wbio)) == NULL) - goto failure; - - SSL_set_options(client, trt->ssl_client_options); - SSL_set_info_callback(client, tls_client_info_callback); - - if ((server = tls_server(client_wbio, server_wbio)) == NULL) - goto failure; - - SSL_set_options(server, trt->ssl_server_options); - SSL_set_info_callback(server, tls_server_info_callback); - - if (!SSL_set_max_proto_version(server, trt->ssl_max_proto_version)) - goto failure; - - tls_client_alert = 0; - tls_server_alert = 0; - - if (!do_client_server_loop(client, do_connect, server, do_accept)) { - fprintf(stderr, "FAIL: client and server handshake failed\n"); - goto failure; - } - - if (!do_client_server_loop(client, do_write, server, do_read)) { - fprintf(stderr, "FAIL: client write and server read failed\n"); - goto failure; - } - - if (!do_client_server_loop(client, do_read, server, do_write)) { - fprintf(stderr, "FAIL: client read and server write failed\n"); - goto failure; - } - - if (!tls_check_reneg(client, server, 0, 0, 0, 0)) - goto failure; - - if 
(trt->renegotiate_server) { - /* - * Trigger renegotiation from the server - this results in the - * server sending a HelloRequest, then waiting for the client to - * respond with a ClientHello. - */ - if (!SSL_renegotiate(server)) { - if (!trt->want_failure) { - fprintf(stderr, "FAIL: server renegotiation failed\n"); - goto failure; - } - goto done; - } - if (trt->want_failure) { - fprintf(stderr, "FAIL: server renegotiation should have failed\n"); - goto failure; - } - - if (!tls_check_reneg(client, server, 0, 1, 0, 0)) - goto failure; - - if (!do_client_server_loop(client, do_read, server, do_write)) { - fprintf(stderr, "FAIL: client read and server write failed\n"); - goto failure; - } - - if (!tls_check_reneg(client, server, (trt->client_ignored == 0), 1, - (trt->client_ignored == 0), 1)) - goto failure; - - if (!do_client_server_loop(client, do_write, server, do_read)) { - if (!trt->want_client_alert && !trt->want_server_alert) { - fprintf(stderr, "FAIL: client write and server read failed\n"); - goto failure; - } - if (tls_client_alert != trt->want_client_alert) { - fprintf(stderr, "FAIL: client alert = %x, want %x\n", - tls_client_alert, trt->want_client_alert); - goto failure; - } - if (tls_server_alert != trt->want_server_alert) { - fprintf(stderr, "FAIL: server alert = %x, want %x\n", - tls_server_alert, trt->want_server_alert); - goto failure; - } - goto done; - } - if (tls_client_alert != trt->want_client_alert) { - fprintf(stderr, "FAIL: client alert = %x, want %x\n", - tls_client_alert, trt->want_client_alert); - goto failure; - } - if (tls_server_alert != trt->want_server_alert) { - fprintf(stderr, "FAIL: server alert = %x, want %x\n", - tls_server_alert, trt->want_server_alert); - goto failure; - } - - if (!tls_check_reneg(client, server, 0, (trt->client_ignored != 0), - (trt->client_ignored == 0), 1)) - goto failure; - } - - SSL_clear_num_renegotiations(client); - SSL_clear_num_renegotiations(server); - - tls_client_alert = 0; - tls_server_alert = 
0; - - if (trt->renegotiate_client) { - /* - * Trigger renegotiation from the client - this results in the - * client sending a ClientHello. - */ - if (!SSL_renegotiate(client)) { - if (!trt->want_failure) { - fprintf(stderr, "FAIL: client renegotiation failed\n"); - goto failure; - } - goto done; - } - if (trt->want_failure) { - fprintf(stderr, "FAIL: client renegotiation should have failed\n"); - goto failure; - } - - if (!tls_check_reneg(client, server, 1, 0, 0, 0)) - goto failure; - - if (!do_client_server_loop(client, do_read, server, do_write)) { - fprintf(stderr, "FAIL: client read and server write failed\n"); - goto failure; - } - - if (!tls_check_reneg(client, server, 1, 0, 1, 0)) - goto failure; - - if (!do_client_server_loop(client, do_write, server, do_read)) { - if (!trt->want_client_alert && !trt->want_server_alert) { - fprintf(stderr, "FAIL: client write and server read failed\n"); - goto failure; - } - if (tls_client_alert != trt->want_client_alert) { - fprintf(stderr, "FAIL: client alert = %x, want %x\n", - tls_client_alert, trt->want_client_alert); - goto failure; - } - if (tls_server_alert != trt->want_server_alert) { - fprintf(stderr, "FAIL: server alert = %x, want %x\n", - tls_server_alert, trt->want_server_alert); - goto failure; - } - goto done; - } - if (tls_client_alert != trt->want_client_alert) { - fprintf(stderr, "FAIL: client alert = %x, want %x\n", - tls_client_alert, trt->want_client_alert); - goto failure; - } - if (tls_server_alert != trt->want_server_alert) { - fprintf(stderr, "FAIL: server alert = %x, want %x\n", - tls_server_alert, trt->want_server_alert); - goto failure; - } - - if (!tls_check_reneg(client, server, 0, 0, 1, 0)) - goto failure; - } - - if (!do_client_server_loop(client, do_shutdown, server, do_shutdown)) { - fprintf(stderr, "FAIL: client and server shutdown failed\n"); - goto failure; - } - - done: - fprintf(stderr, "INFO: Done!\n"); - - failed = 0; - - failure: - BIO_free(client_wbio); - BIO_free(server_wbio); - 
- SSL_free(client); - SSL_free(server); - - return failed; -} - -int -main(int argc, char **argv) -{ - int failed = 0; - size_t i; - - if (argc != 4) { - fprintf(stderr, "usage: %s keyfile certfile cafile\n", - argv[0]); - exit(1); - } - - server_key_file = argv[1]; - server_cert_file = argv[2]; - server_ca_file = argv[3]; - - for (i = 0; i < N_TLS_RENEG_TESTS; i++) - failed |= tls_reneg_test(&tls_reneg_tests[i]); - - return failed; -} diff --git a/src/regress/lib/libssl/rust-openssl/Cargo.toml b/src/regress/lib/libssl/rust-openssl/Cargo.toml deleted file mode 100644 index 63194cb3fd..0000000000 --- a/src/regress/lib/libssl/rust-openssl/Cargo.toml +++ /dev/null @@ -1,9 +0,0 @@ -[workspace] -resolver = "2" -members = [ - "openssl", - "openssl-errors", - "openssl-macros", - "openssl-sys", - "systest", -] diff --git a/src/regress/lib/libssl/rust-openssl/Makefile b/src/regress/lib/libssl/rust-openssl/Makefile deleted file mode 100644 index dc17deee61..0000000000 --- a/src/regress/lib/libssl/rust-openssl/Makefile +++ /dev/null 
@@ -1,58 +0,0 @@ -# $OpenBSD: Makefile,v 1.5 2024/06/23 13:53:21 tb Exp $ - -RUST_OPENSSL_TESTS = /usr/local/share/rust-openssl-tests -CARGO = /usr/local/bin/cargo - -.if !exists(${RUST_OPENSSL_TESTS}) || !exists(${CARGO}) -regress: - @echo packages rust-openssl-tests and rust are required for this regress - @echo SKIPPED -.else - -REGRESS_TARGETS += rust-openssl-test - -WORKSPACE_LINKS = openssl openssl-errors openssl-macros openssl-sys systest - -_WORKSPACE_COOKIE = .workspace - -${_WORKSPACE_COOKIE}: -. if ${.CURDIR} != ${.OBJDIR} - cp ${.CURDIR}/Cargo.toml ${.OBJDIR}/ -. endif - mkdir -p .cargo - cp ${.CURDIR}/config.toml .cargo/ - cd ${.OBJDIR} && ln -sf ${WORKSPACE_LINKS:S,^,${RUST_OPENSSL_TESTS}/,} . - touch $@ - -CLEANFILES += Cargo.lock - -. if ${.CURDIR} != ${.OBJDIR} -CLEANFILES += Cargo.toml -. endif - -# Force use of base-clang on sparc64 since the build with base-gcc fails with: -# error occurred: Command "cc" "-O0" "-ffunction-sections" "-fdata-sections" [...] -# did not execute successfully (status code exit status: 1). -. if "${MACHINE_ARCH}" == sparc64 -CARGO_CC=/usr/bin/clang -. else -CARGO_CC=cc -. endif - -rust-openssl-test: ${_WORKSPACE_COOKIE} - cd ${.OBJDIR} && env CC=${CARGO_CC} \ - cargo test --offline --color=never -- --color=never - -CLEANFILES += ${_WORKSPACE_COOKIE} ${WORKSPACE_LINKS} - -. if make(clean) || make(cleandir) -. if exists(.cargo) || exists(target) -.BEGIN: - rm -rf .cargo - rm -rf target -. endif -. endif - -.endif - -.include diff --git a/src/regress/lib/libssl/rust-openssl/config.toml b/src/regress/lib/libssl/rust-openssl/config.toml deleted file mode 100644 index a47474744d..0000000000 --- a/src/regress/lib/libssl/rust-openssl/config.toml +++ /dev/null @@ -1,6 +0,0 @@ -[net] - offline = true -[source.modcargo] - directory = '/usr/local/share/rust-openssl-tests/modcargo-crates' -[source.crates-io] - replace-with = 'modcargo' 
diff --git a/src/regress/lib/libssl/server/Makefile b/src/regress/lib/libssl/server/Makefile deleted file mode 100644 index be86dbb1ad..0000000000 --- a/src/regress/lib/libssl/server/Makefile +++ /dev/null @@ -1,18 +0,0 @@ -# $OpenBSD: Makefile,v 1.3 2024/03/20 10:38:05 jsing Exp $ - -PROG= servertest -LDADD= ${SSL_INT} -lcrypto -DPADD= ${LIBSSL} ${LIBCRYPTO} -WARNINGS= Yes -CFLAGS+= -DLIBRESSL_INTERNAL -Werror - -REGRESS_TARGETS= \ - regress-servertest - -regress-servertest: ${PROG} - ./servertest \ - ${.CURDIR}/../../libssl/certs/server1-rsa.pem \ - ${.CURDIR}/../../libssl/certs/server1-rsa-chain.pem \ - ${.CURDIR}/../../libssl/certs/ca-root-rsa.pem - -.include diff --git a/src/regress/lib/libssl/server/servertest.c b/src/regress/lib/libssl/server/servertest.c deleted file mode 100644 index d572d14520..0000000000 --- a/src/regress/lib/libssl/server/servertest.c +++ /dev/null 
@@ -1,209 +0,0 @@ -/* $OpenBSD: servertest.c,v 1.9 2023/07/11 11:52:35 tb Exp $ */ -/* - * Copyright (c) 2015, 2016, 2017 Joel Sing - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#include - -#include -#include -#include - -#include -#include -#include - -const SSL_METHOD *tls_legacy_method(void); - -char *server_ca_file; -char *server_cert_file; -char *server_key_file; - -static unsigned char sslv2_client_hello_tls10[] = { - 0x80, 0x6a, 0x01, 0x03, 0x01, 0x00, 0x51, 0x00, - 0x00, 0x00, 0x10, 0x00, 0x00, 0x39, 0x00, 0x00, - 0x38, 0x00, 0x00, 0x35, 0x00, 0x00, 0x16, 0x00, - 0x00, 0x13, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x33, - 0x00, 0x00, 0x32, 0x00, 0x00, 0x2f, 0x00, 0x00, - 0x07, 0x00, 0x00, 0x66, 0x00, 0x00, 0x05, 0x00, - 0x00, 0x04, 0x00, 0x00, 0x63, 0x00, 0x00, 0x62, - 0x00, 0x00, 0x61, 0x00, 0x00, 0x15, 0x00, 0x00, - 0x12, 0x00, 0x00, 0x09, 0x00, 0x00, 0x65, 0x00, - 0x00, 0x64, 0x00, 0x00, 0x60, 0x00, 0x00, 0x14, - 0x00, 0x00, 0x11, 0x00, 0x00, 0x08, 0x00, 0x00, - 0x06, 0x00, 0x00, 0x03, 0xdd, 0xb6, 0x59, 0x26, - 0x46, 0xe6, 0x79, 0x77, 0xf4, 0xec, 0x42, 0x76, - 0xc8, 0x73, 0xad, 0x9c, -}; - -static unsigned char sslv2_client_hello_tls12[] = { - 0x80, 0xcb, 0x01, 0x03, 0x03, 0x00, 0xa2, 0x00, - 0x00, 0x00, 0x20, 0x00, 0x00, 0xa5, 0x00, 0x00, - 0xa3, 0x00, 0x00, 0xa1, 0x00, 
0x00, 0x9f, 0x00, - 0x00, 0x6b, 0x00, 0x00, 0x6a, 0x00, 0x00, 0x69, - 0x00, 0x00, 0x68, 0x00, 0x00, 0x39, 0x00, 0x00, - 0x38, 0x00, 0x00, 0x37, 0x00, 0x00, 0x36, 0x00, - 0x00, 0x88, 0x00, 0x00, 0x87, 0x00, 0x00, 0x86, - 0x00, 0x00, 0x85, 0x00, 0x00, 0x9d, 0x00, 0x00, - 0x3d, 0x00, 0x00, 0x35, 0x00, 0x00, 0x84, 0x00, - 0x00, 0xa4, 0x00, 0x00, 0xa2, 0x00, 0x00, 0xa0, - 0x00, 0x00, 0x9e, 0x00, 0x00, 0x67, 0x00, 0x00, - 0x40, 0x00, 0x00, 0x3f, 0x00, 0x00, 0x3e, 0x00, - 0x00, 0x33, 0x00, 0x00, 0x32, 0x00, 0x00, 0x31, - 0x00, 0x00, 0x30, 0x00, 0x00, 0x9a, 0x00, 0x00, - 0x99, 0x00, 0x00, 0x98, 0x00, 0x00, 0x97, 0x00, - 0x00, 0x45, 0x00, 0x00, 0x44, 0x00, 0x00, 0x43, - 0x00, 0x00, 0x42, 0x00, 0x00, 0x9c, 0x00, 0x00, - 0x3c, 0x00, 0x00, 0x2f, 0x00, 0x00, 0x96, 0x00, - 0x00, 0x41, 0x00, 0x00, 0x07, 0x00, 0x00, 0x05, - 0x00, 0x00, 0x04, 0x00, 0x00, 0x16, 0x00, 0x00, - 0x13, 0x00, 0x00, 0x10, 0x00, 0x00, 0x0d, 0x00, - 0x00, 0x0a, 0x00, 0x00, 0xff, 0x1d, 0xfd, 0x90, - 0x03, 0x61, 0x3c, 0x5a, 0x22, 0x83, 0xed, 0x11, - 0x85, 0xf4, 0xea, 0x36, 0x59, 0xd9, 0x1b, 0x27, - 0x22, 0x01, 0x14, 0x07, 0x66, 0xb2, 0x24, 0xf5, - 0x4e, 0x7d, 0x9d, 0x9c, 0x52, -}; - -struct server_hello_test { - const unsigned char *desc; - unsigned char *client_hello; - const size_t client_hello_len; - const SSL_METHOD *(*ssl_method)(void); - const long ssl_clear_options; - const long ssl_set_options; - int accept_fails; -}; - -static struct server_hello_test server_hello_tests[] = { - { - .desc = "TLSv1.0 in SSLv2 record", - .client_hello = sslv2_client_hello_tls10, - .client_hello_len = sizeof(sslv2_client_hello_tls10), - .ssl_method = tls_legacy_method, - .ssl_clear_options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1, - .ssl_set_options = 0, - .accept_fails = 1, - }, - { - .desc = "TLSv1.2 in SSLv2 record", - .client_hello = sslv2_client_hello_tls12, - .client_hello_len = sizeof(sslv2_client_hello_tls12), - .ssl_method = tls_legacy_method, - .ssl_clear_options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1, - 
.ssl_set_options = 0, - .accept_fails = 1, - }, -}; - -#define N_SERVER_HELLO_TESTS \ - (sizeof(server_hello_tests) / sizeof(*server_hello_tests)) - -static int -server_hello_test(int testno, struct server_hello_test *sht) -{ - BIO *rbio = NULL, *wbio = NULL; - SSL_CTX *ssl_ctx = NULL; - SSL *ssl = NULL; - int ret = 1; - - fprintf(stderr, "Test %d - %s\n", testno, sht->desc); - - if ((rbio = BIO_new_mem_buf(sht->client_hello, - sht->client_hello_len)) == NULL) { - fprintf(stderr, "Failed to setup rbio\n"); - goto failure; - } - if ((wbio = BIO_new(BIO_s_mem())) == NULL) { - fprintf(stderr, "Failed to setup wbio\n"); - goto failure; - } - - if ((ssl_ctx = SSL_CTX_new(sht->ssl_method())) == NULL) { - fprintf(stderr, "SSL_CTX_new() returned NULL\n"); - goto failure; - } - - if (SSL_CTX_use_certificate_file(ssl_ctx, server_cert_file, - SSL_FILETYPE_PEM) != 1) { - fprintf(stderr, "Failed to load server certificate"); - goto failure; - } - if (SSL_CTX_use_PrivateKey_file(ssl_ctx, server_key_file, - SSL_FILETYPE_PEM) != 1) { - fprintf(stderr, "Failed to load server private key"); - goto failure; - } - - SSL_CTX_set_dh_auto(ssl_ctx, 1); - SSL_CTX_set_ecdh_auto(ssl_ctx, 1); - - SSL_CTX_clear_options(ssl_ctx, sht->ssl_clear_options); - SSL_CTX_set_options(ssl_ctx, sht->ssl_set_options); - - if ((ssl = SSL_new(ssl_ctx)) == NULL) { - fprintf(stderr, "SSL_new() returned NULL\n"); - goto failure; - } - - BIO_up_ref(rbio); - BIO_up_ref(wbio); - SSL_set_bio(ssl, rbio, wbio); - - if (SSL_accept(ssl) != 0) { - if (sht->accept_fails) - goto done; - fprintf(stderr, "SSL_accept() returned non-zero\n"); - ERR_print_errors_fp(stderr); - goto failure; - } - - done: - ret = 0; - - failure: - SSL_CTX_free(ssl_ctx); - SSL_free(ssl); - - BIO_free(rbio); - BIO_free(wbio); - - return (ret); -} - -int -main(int argc, char **argv) -{ - int failed = 0; - size_t i; - - if (argc != 4) { - fprintf(stderr, "usage: %s keyfile certfile cafile\n", - argv[0]); - exit(1); - } - - server_key_file = argv[1]; 
- server_cert_file = argv[2];
- server_ca_file = argv[3];
-
- SSL_library_init();
- SSL_load_error_strings();
-
- for (i = 0; i < N_SERVER_HELLO_TESTS; i++)
- failed |= server_hello_test(i, &server_hello_tests[i]);
-
- return (failed);
-}
diff --git a/src/regress/lib/libssl/shutdown/Makefile b/src/regress/lib/libssl/shutdown/Makefile
deleted file mode 100644
index d6a9a30544..0000000000
--- a/src/regress/lib/libssl/shutdown/Makefile
+++ /dev/null
@@ -1,18 +0,0 @@
-# $OpenBSD: Makefile,v 1.2 2024/03/20 10:38:05 jsing Exp $
-
-PROG= shutdowntest
-LDADD= -lssl -lcrypto
-DPADD= ${LIBSSL} ${LIBCRYPTO}
-WARNINGS= Yes
-CFLAGS+= -DLIBRESSL_INTERNAL -Werror
-
-REGRESS_TARGETS= \
- regress-shutdowntest
-
-regress-shutdowntest: ${PROG}
- ./shutdowntest \
- ${.CURDIR}/../../libssl/certs/server1-rsa.pem \
- ${.CURDIR}/../../libssl/certs/server1-rsa-chain.pem \
- ${.CURDIR}/../../libssl/certs/ca-root-rsa.pem
-
-.include
diff --git a/src/regress/lib/libssl/shutdown/shutdowntest.c b/src/regress/lib/libssl/shutdown/shutdowntest.c
deleted file mode 100644
index 5b83add359..0000000000
--- a/src/regress/lib/libssl/shutdown/shutdowntest.c
+++ /dev/null
@@ -1,656 +0,0 @@ -/* $OpenBSD: shutdowntest.c,v 1.3 2024/01/30 14:46:46 jsing Exp $ */ -/* - * Copyright (c) 2020, 2021, 2024 Joel Sing - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#include - -#include -#include -#include - -const char *server_ca_file; -const char *server_cert_file; -const char *server_key_file; - -int debug = 0; - -static void -hexdump(const unsigned char *buf, size_t len) -{ - size_t i; - - for (i = 1; i <= len; i++) - fprintf(stderr, " 0x%02hhx,%s", buf[i - 1], i % 8 ? 
"" : "\n"); - - if (len % 8) - fprintf(stderr, "\n"); -} - -static SSL * -tls_client(BIO *rbio, BIO *wbio) -{ - SSL_CTX *ssl_ctx = NULL; - SSL *ssl = NULL; - - if ((ssl_ctx = SSL_CTX_new(TLS_method())) == NULL) - errx(1, "client context"); - - if ((ssl = SSL_new(ssl_ctx)) == NULL) - errx(1, "client ssl"); - - BIO_up_ref(rbio); - BIO_up_ref(wbio); - - SSL_set_bio(ssl, rbio, wbio); - - SSL_CTX_free(ssl_ctx); - - return ssl; -} - -static SSL * -tls_server(BIO *rbio, BIO *wbio) -{ - SSL_CTX *ssl_ctx = NULL; - SSL *ssl = NULL; - - if ((ssl_ctx = SSL_CTX_new(TLS_method())) == NULL) - errx(1, "server context"); - - SSL_CTX_set_dh_auto(ssl_ctx, 2); - - if (SSL_CTX_use_certificate_file(ssl_ctx, server_cert_file, - SSL_FILETYPE_PEM) != 1) { - fprintf(stderr, "FAIL: Failed to load server certificate"); - goto failure; - } - if (SSL_CTX_use_PrivateKey_file(ssl_ctx, server_key_file, - SSL_FILETYPE_PEM) != 1) { - fprintf(stderr, "FAIL: Failed to load server private key"); - goto failure; - } - - if ((ssl = SSL_new(ssl_ctx)) == NULL) - errx(1, "server ssl"); - - BIO_up_ref(rbio); - BIO_up_ref(wbio); - - SSL_set_bio(ssl, rbio, wbio); - - failure: - SSL_CTX_free(ssl_ctx); - - return ssl; -} - -static int -ssl_error(SSL *ssl, const char *name, const char *desc, int ssl_ret) -{ - int ssl_err; - - ssl_err = SSL_get_error(ssl, ssl_ret); - - if (ssl_err == SSL_ERROR_WANT_READ) { - return 1; - } else if (ssl_err == SSL_ERROR_WANT_WRITE) { - return 1; - } else if (ssl_err == SSL_ERROR_SYSCALL && errno == 0) { - /* Yup, this is apparently a thing... 
*/ - return 1; - } else { - fprintf(stderr, "FAIL: %s %s failed - ssl err = %d, errno = %d\n", - name, desc, ssl_err, errno); - ERR_print_errors_fp(stderr); - return 0; - } -} - -static int -do_connect(SSL *ssl, const char *name, int *done) -{ - int ssl_ret; - - if ((ssl_ret = SSL_connect(ssl)) == 1) { - fprintf(stderr, "INFO: %s connect done\n", name); - *done = 1; - return 1; - } - - return ssl_error(ssl, name, "connect", ssl_ret); -} - -static int -do_accept(SSL *ssl, const char *name, int *done) -{ - int ssl_ret; - - if ((ssl_ret = SSL_accept(ssl)) == 1) { - fprintf(stderr, "INFO: %s accept done\n", name); - *done = 1; - return 1; - } - - return ssl_error(ssl, name, "accept", ssl_ret); -} - -static int -do_read(SSL *ssl, const char *name, int *done) -{ - uint8_t buf[512]; - int ssl_ret; - - if ((ssl_ret = SSL_read(ssl, buf, sizeof(buf))) > 0) { - fprintf(stderr, "INFO: %s read done\n", name); - if (debug > 1) - hexdump(buf, ssl_ret); - *done = 1; - return 1; - } - - return ssl_error(ssl, name, "read", ssl_ret); -} - -static int -do_write(SSL *ssl, const char *name, int *done) -{ - const uint8_t buf[] = "Hello, World!\n"; - int ssl_ret; - - if ((ssl_ret = SSL_write(ssl, buf, sizeof(buf))) > 0) { - fprintf(stderr, "INFO: %s write done\n", name); - *done = 1; - return 1; - } - - return ssl_error(ssl, name, "write", ssl_ret); -} - -static int -do_shutdown(SSL *ssl, const char *name, int *done) -{ - int ssl_ret; - - ssl_ret = SSL_shutdown(ssl); - if (ssl_ret == 1) { - fprintf(stderr, "INFO: %s shutdown done\n", name); - *done = 1; - return 1; - } - - /* The astounding EOF condition. 
*/ - if (ssl_ret == -1 && - SSL_get_error(ssl, ssl_ret) == SSL_ERROR_SYSCALL && errno == 0) { - fprintf(stderr, "INFO: %s shutdown encountered EOF\n", name); - *done = 1; - return 1; - } - - return ssl_error(ssl, name, "shutdown", ssl_ret); -} - -typedef int (*ssl_func)(SSL *ssl, const char *name, int *done); - -static int -do_client_server_loop(SSL *client, ssl_func client_func, SSL *server, - ssl_func server_func) -{ - int client_done = 0, server_done = 0; - int i = 0; - - do { - if (!client_done) { - if (debug) - fprintf(stderr, "DEBUG: client loop\n"); - if (!client_func(client, "client", &client_done)) - return 0; - } - if (!server_done) { - if (debug) - fprintf(stderr, "DEBUG: server loop\n"); - if (!server_func(server, "server", &server_done)) - return 0; - } - } while (i++ < 100 && (!client_done || !server_done)); - - if (!client_done || !server_done) - fprintf(stderr, "FAIL: gave up\n"); - - return client_done && server_done; -} - -static int -do_shutdown_loop(SSL *client, SSL *server) -{ - int client_done = 0, server_done = 0; - int i = 0; - - do { - if (!client_done) { - if (debug) - fprintf(stderr, "DEBUG: client loop\n"); - if (!do_shutdown(client, "client", &client_done)) - return 0; - if (client_done) - BIO_set_mem_eof_return(SSL_get_wbio(client), 0); - } - if (!server_done) { - if (debug) - fprintf(stderr, "DEBUG: server loop\n"); - if (!do_shutdown(server, "server", &server_done)) - return 0; - if (server_done) - BIO_set_mem_eof_return(SSL_get_wbio(server), 0); - } - } while (i++ < 100 && (!client_done || !server_done)); - - if (!client_done || !server_done) - fprintf(stderr, "FAIL: gave up\n"); - - return client_done && server_done; -} - -static void -ssl_msg_callback(int is_write, int version, int content_type, const void *buf, - size_t len, SSL *ssl, void *arg) -{ - const uint8_t *msg = buf; - int *close_notify = arg; - - if (is_write || content_type != SSL3_RT_ALERT) - return; - if (len == 2 && msg[0] == SSL3_AL_WARNING && msg[1] == 
SSL_AD_CLOSE_NOTIFY) - *close_notify = 1; -} - -struct shutdown_test { - const unsigned char *desc; - int client_quiet_shutdown; - int client_set_shutdown; - int want_client_shutdown; - int want_client_close_notify; - int server_quiet_shutdown; - int server_set_shutdown; - int want_server_shutdown; - int want_server_close_notify; -}; - -static const struct shutdown_test shutdown_tests[] = { - { - .desc = "bidirectional shutdown", - .want_client_close_notify = 1, - .want_client_shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN, - .want_server_close_notify = 1, - .want_server_shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN, - }, - { - .desc = "client quiet shutdown", - .client_quiet_shutdown = 1, - .want_client_shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN, - .want_server_shutdown = SSL_SENT_SHUTDOWN, - }, - { - .desc = "server quiet shutdown", - .server_quiet_shutdown = 1, - .want_client_shutdown = SSL_SENT_SHUTDOWN, - .want_server_shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN, - }, - { - .desc = "both quiet shutdown", - .client_quiet_shutdown = 1, - .server_quiet_shutdown = 1, - .want_client_shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN, - .want_server_shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN, - }, - { - .desc = "client set sent shutdown", - .client_set_shutdown = SSL_SENT_SHUTDOWN, - .want_client_close_notify = 1, - .want_client_shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN, - .want_server_shutdown = SSL_SENT_SHUTDOWN, - }, - { - .desc = "client set received shutdown", - .client_set_shutdown = SSL_RECEIVED_SHUTDOWN, - .want_client_shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN, - .want_server_close_notify = 1, - .want_server_shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN, - }, - { - .desc = "client set sent/received shutdown", - .client_set_shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN, - .want_client_shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN, - .want_server_shutdown = SSL_SENT_SHUTDOWN, 
- }, - { - .desc = "server set sent shutdown", - .server_set_shutdown = SSL_SENT_SHUTDOWN, - .want_client_shutdown = SSL_SENT_SHUTDOWN, - .want_server_close_notify = 1, - .want_server_shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN, - }, - { - .desc = "server set received shutdown", - .server_set_shutdown = SSL_RECEIVED_SHUTDOWN, - .want_client_close_notify = 1, - .want_client_shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN, - .want_server_shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN, - }, - { - .desc = "server set sent/received shutdown", - .server_set_shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN, - .want_client_shutdown = SSL_SENT_SHUTDOWN, - .want_server_shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN, - }, -}; - -#define N_TLS_TESTS (sizeof(shutdown_tests) / sizeof(*shutdown_tests)) - -static int -shutdown_test(uint16_t ssl_version, const char *ssl_version_name, - const struct shutdown_test *st) -{ - BIO *client_wbio = NULL, *server_wbio = NULL; - SSL *client = NULL, *server = NULL; - int client_close_notify = 0, server_close_notify = 0; - int shutdown, ssl_err; - int failed = 1; - - fprintf(stderr, "\n== Testing %s, %s... 
==\n", ssl_version_name, - st->desc); - - if ((client_wbio = BIO_new(BIO_s_mem())) == NULL) - goto failure; - if (BIO_set_mem_eof_return(client_wbio, -1) <= 0) - goto failure; - - if ((server_wbio = BIO_new(BIO_s_mem())) == NULL) - goto failure; - if (BIO_set_mem_eof_return(server_wbio, -1) <= 0) - goto failure; - - if ((client = tls_client(server_wbio, client_wbio)) == NULL) - goto failure; - if (!SSL_set_min_proto_version(client, ssl_version)) - goto failure; - if (!SSL_set_max_proto_version(client, ssl_version)) - goto failure; - - if ((server = tls_server(client_wbio, server_wbio)) == NULL) - goto failure; - if (!SSL_set_min_proto_version(server, ssl_version)) - goto failure; - if (!SSL_set_max_proto_version(server, ssl_version)) - goto failure; - - if (!do_client_server_loop(client, do_connect, server, do_accept)) { - fprintf(stderr, "FAIL: client and server handshake failed\n"); - goto failure; - } - - if (!do_client_server_loop(client, do_write, server, do_read)) { - fprintf(stderr, "FAIL: client write and server read I/O failed\n"); - goto failure; - } - - if (!do_client_server_loop(client, do_read, server, do_write)) { - fprintf(stderr, "FAIL: client read and server write I/O failed\n"); - goto failure; - } - - /* Seemingly this is the only way to find out about alerts... 
*/ - SSL_set_msg_callback(client, ssl_msg_callback); - SSL_set_msg_callback_arg(client, &client_close_notify); - SSL_set_msg_callback(server, ssl_msg_callback); - SSL_set_msg_callback_arg(server, &server_close_notify); - - SSL_set_shutdown(client, st->client_set_shutdown); - SSL_set_shutdown(server, st->server_set_shutdown); - - SSL_set_quiet_shutdown(client, st->client_quiet_shutdown); - SSL_set_quiet_shutdown(server, st->server_quiet_shutdown); - - if (!do_shutdown_loop(client, server)) { - fprintf(stderr, "FAIL: client and server shutdown failed\n"); - goto failure; - } - - if ((shutdown = SSL_get_shutdown(client)) != st->want_client_shutdown) { - fprintf(stderr, "FAIL: client shutdown flags = %x, want %x\n", - shutdown, st->want_client_shutdown); - goto failure; - } - if ((shutdown = SSL_get_shutdown(server)) != st->want_server_shutdown) { - fprintf(stderr, "FAIL: server shutdown flags = %x, want %x\n", - shutdown, st->want_server_shutdown); - goto failure; - } - - if (client_close_notify != st->want_client_close_notify) { - fprintf(stderr, "FAIL: client close notify = %d, want %d\n", - client_close_notify, st->want_client_close_notify); - goto failure; - } - if (server_close_notify != st->want_server_close_notify) { - fprintf(stderr, "FAIL: server close notify = %d, want %d\n", - server_close_notify, st->want_server_close_notify); - goto failure; - } - - if (st->want_client_close_notify) { - if ((ssl_err = SSL_get_error(client, 0)) != SSL_ERROR_ZERO_RETURN) { - fprintf(stderr, "FAIL: client ssl error = %d, want %d\n", - ssl_err, SSL_ERROR_ZERO_RETURN); - goto failure; - } - } - if (st->want_server_close_notify) { - if ((ssl_err = SSL_get_error(server, 0)) != SSL_ERROR_ZERO_RETURN) { - fprintf(stderr, "FAIL: server ssl error = %d, want %d\n", - ssl_err, SSL_ERROR_ZERO_RETURN); - goto failure; - } - } - - fprintf(stderr, "INFO: Done!\n"); - - failed = 0; - - failure: - BIO_free(client_wbio); - BIO_free(server_wbio); - - SSL_free(client); - SSL_free(server); - - 
return failed; -} - -static int -shutdown_sequence_test(uint16_t ssl_version, const char *ssl_version_name) -{ - BIO *client_wbio = NULL, *server_wbio = NULL; - SSL *client = NULL, *server = NULL; - int shutdown, ret; - int failed = 1; - - fprintf(stderr, "\n== Testing %s, shutdown sequence... ==\n", - ssl_version_name); - - if ((client_wbio = BIO_new(BIO_s_mem())) == NULL) - goto failure; - if (BIO_set_mem_eof_return(client_wbio, -1) <= 0) - goto failure; - - if ((server_wbio = BIO_new(BIO_s_mem())) == NULL) - goto failure; - if (BIO_set_mem_eof_return(server_wbio, -1) <= 0) - goto failure; - - if ((client = tls_client(server_wbio, client_wbio)) == NULL) - goto failure; - if (!SSL_set_min_proto_version(client, ssl_version)) - goto failure; - if (!SSL_set_max_proto_version(client, ssl_version)) - goto failure; - - if ((server = tls_server(client_wbio, server_wbio)) == NULL) - goto failure; - if (!SSL_set_min_proto_version(server, ssl_version)) - goto failure; - if (!SSL_set_max_proto_version(server, ssl_version)) - goto failure; - - if (!do_client_server_loop(client, do_connect, server, do_accept)) { - fprintf(stderr, "FAIL: client and server handshake failed\n"); - goto failure; - } - - if (!do_client_server_loop(client, do_write, server, do_read)) { - fprintf(stderr, "FAIL: client write and server read I/O failed\n"); - goto failure; - } - - if (!do_client_server_loop(client, do_read, server, do_write)) { - fprintf(stderr, "FAIL: client read and server write I/O failed\n"); - goto failure; - } - - /* - * Shutdown in lock step and check return value and shutdown flags. - * - * It is not documented, however some software relies on SSL_shutdown() - * to only send a close-notify on the first call, then indicate that a - * close-notify was received on a second (or later) call. 
- */ - - if ((shutdown = SSL_get_shutdown(client)) != 0) { - fprintf(stderr, "FAIL: client shutdown flags = %x, want %x\n", - shutdown, 0); - goto failure; - } - if ((shutdown = SSL_get_shutdown(server)) != 0) { - fprintf(stderr, "FAIL: server shutdown flags = %x, want %x\n", - shutdown, 0); - goto failure; - } - - if ((ret = SSL_shutdown(client)) != 0) { - fprintf(stderr, "FAIL: client SSL_shutdown() = %d, want %d\n", - ret, 0); - goto failure; - } - if ((shutdown = SSL_get_shutdown(client)) != SSL_SENT_SHUTDOWN) { - fprintf(stderr, "FAIL: client shutdown flags = %x, want %x\n", - shutdown, SSL_SENT_SHUTDOWN); - goto failure; - } - - if ((ret = SSL_shutdown(server)) != 0) { - fprintf(stderr, "FAIL: server SSL_shutdown() = %d, want %d\n", - ret, 0); - goto failure; - } - if ((shutdown = SSL_get_shutdown(server)) != SSL_SENT_SHUTDOWN) { - fprintf(stderr, "FAIL: server shutdown flags = %x, want %x\n", - shutdown, SSL_SENT_SHUTDOWN); - goto failure; - } - - if ((ret = SSL_shutdown(client)) != 1) { - fprintf(stderr, "FAIL: client SSL_shutdown() = %d, want %d\n", - ret, 0); - goto failure; - } - if ((shutdown = SSL_get_shutdown(client)) != - (SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN)) { - fprintf(stderr, "FAIL: client shutdown flags = %x, want %x\n", - shutdown, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN); - goto failure; - } - - if ((ret = SSL_shutdown(server)) != 1) { - fprintf(stderr, "FAIL: server SSL_shutdown() = %d, want %d\n", - ret, 0); - goto failure; - } - if ((shutdown = SSL_get_shutdown(server)) != - (SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN)) { - fprintf(stderr, "FAIL: server shutdown flags = %x, want %x\n", - shutdown, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN); - goto failure; - } - - fprintf(stderr, "INFO: Done!\n"); - - failed = 0; - - failure: - BIO_free(client_wbio); - BIO_free(server_wbio); - - SSL_free(client); - SSL_free(server); - - return failed; -} - -struct ssl_version { - uint16_t version; - const char *name; -}; - -struct ssl_version 
ssl_versions[] = { - { - .version = TLS1_2_VERSION, - .name = SSL_TXT_TLSV1_2, - }, - { - .version = TLS1_3_VERSION, - .name = SSL_TXT_TLSV1_3, - }, -}; - -#define N_SSL_VERSIONS (sizeof(ssl_versions) / sizeof(*ssl_versions)) - -int -main(int argc, char **argv) -{ - const struct ssl_version *sv; - int failed = 0; - size_t i, j; - - if (argc != 4) { - fprintf(stderr, "usage: %s keyfile certfile cafile\n", - argv[0]); - exit(1); - } - - server_key_file = argv[1]; - server_cert_file = argv[2]; - server_ca_file = argv[3]; - - for (i = 0; i < N_SSL_VERSIONS; i++) { - sv = &ssl_versions[i]; - for (j = 0; j < N_TLS_TESTS; j++) { - failed |= shutdown_test(sv->version, sv->name, - &shutdown_tests[j]); - } - failed |= shutdown_sequence_test(sv->version, sv->name); - } - - return failed; -} diff --git a/src/regress/lib/libssl/ssl/Makefile b/src/regress/lib/libssl/ssl/Makefile deleted file mode 100644 index 91abaae85e..0000000000 --- a/src/regress/lib/libssl/ssl/Makefile +++ /dev/null @@ -1,17 +0,0 @@ -# $OpenBSD: Makefile,v 1.5 2022/07/07 11:40:17 tb Exp $ - -PROG= ssltest -LDADD= -lcrypto -lssl -DPADD= ${LIBCRYPTO} ${LIBSSL} -WARNINGS= Yes -CFLAGS+= -DLIBRESSL_INTERNAL -Werror -CFLAGS+= -I${.CURDIR}/../../../../lib/libssl - -REGRESS_TARGETS=regress-ssltest - -regress-ssltest: ${PROG} - sh ${.CURDIR}/testssl \ - ${.CURDIR}/../certs/server1-rsa.pem ${.CURDIR}/../certs/server1-rsa-chain.pem \ - ${.CURDIR}/../certs/ca-root-rsa.pem - -.include diff --git a/src/regress/lib/libssl/ssl/ssltest.c b/src/regress/lib/libssl/ssl/ssltest.c deleted file mode 100644 index 27adeeaf17..0000000000 --- a/src/regress/lib/libssl/ssl/ssltest.c +++ /dev/null 
@@ -1,1528 +0,0 @@ -/* $OpenBSD: ssltest.c,v 1.45 2024/03/01 03:45:16 tb Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). 
- * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ -/* ==================================================================== - * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. 
All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). 
- * - */ -/* ==================================================================== - * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. - * ECC cipher suite support in OpenSSL originally developed by - * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. - */ -/* ==================================================================== - * Copyright 2005 Nokia. All rights reserved. - * - * The portions of the attached software ("Contribution") is developed by - * Nokia Corporation and is licensed pursuant to the OpenSSL open source - * license. - * - * The Contribution, originally written by Mika Kousa and Pasi Eronen of - * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites - * support (see RFC 4279) to OpenSSL. - * - * No patent licenses or other rights except those expressly stated in - * the OpenSSL open source license shall be deemed granted or received - * expressly, by implication, estoppel, or otherwise. - * - * No assurances are provided by Nokia that the Contribution does not - * infringe the patent or other intellectual property rights of any third - * party or that the license provides you with all the necessary rights - * to make use of the Contribution. - * - * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN - * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA - * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY - * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR - * OTHERWISE. - */ - -/* XXX - USE_BIOPAIR code needs updating for BIO_n{read,write}{,0} removal. */ -/* #define USE_BIOPAIR */ - -#define _BSD_SOURCE 1 /* Or gethostname won't be declared properly - on Linux and GNU platforms. 
*/ -#include -#include - -#include - -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include "ssl_local.h" - -#define TEST_SERVER_CERT "../apps/server.pem" -#define TEST_CLIENT_CERT "../apps/client.pem" - -static int verify_callback(int ok, X509_STORE_CTX *ctx); -static int app_verify_callback(X509_STORE_CTX *ctx, void *arg); - -static DH *get_dh1024(void); -static DH *get_dh1024dsa(void); - -static BIO *bio_err = NULL; -static BIO *bio_stdout = NULL; - -static const char *alpn_client; -static const char *alpn_server; -static const char *alpn_expected; -static unsigned char *alpn_selected; - -/* - * next_protos_parse parses a comma separated list of strings into a string - * in a format suitable for passing to SSL_CTX_set_next_protos_advertised. - * outlen: (output) set to the length of the resulting buffer on success. - * err: (maybe NULL) on failure, an error message line is written to this BIO. - * in: a NUL terminated string like "abc,def,ghi" - * - * returns: a malloced buffer or NULL on failure. 
- */ -static unsigned char * -next_protos_parse(unsigned short *outlen, const char *in) -{ - size_t i, len, start = 0; - unsigned char *out; - - len = strlen(in); - if (len >= 65535) - return (NULL); - - if ((out = malloc(strlen(in) + 1)) == NULL) - return (NULL); - - for (i = 0; i <= len; ++i) { - if (i == len || in[i] == ',') { - if (i - start > 255) { - free(out); - return (NULL); - } - out[start] = i - start; - start = i + 1; - } else - out[i+1] = in[i]; - } - *outlen = len + 1; - return (out); -} - -static int -cb_server_alpn(SSL *s, const unsigned char **out, unsigned char *outlen, - const unsigned char *in, unsigned int inlen, void *arg) -{ - unsigned char *protos; - unsigned short protos_len; - - if ((protos = next_protos_parse(&protos_len, alpn_server)) == NULL) { - fprintf(stderr, - "failed to parser ALPN server protocol string: %s\n", - alpn_server); - abort(); - } - - if (SSL_select_next_proto((unsigned char **)out, outlen, protos, - protos_len, in, inlen) != OPENSSL_NPN_NEGOTIATED) { - free(protos); - return (SSL_TLSEXT_ERR_NOACK); - } - - /* - * Make a copy of the selected protocol which will be freed in - * verify_alpn. 
- */ - free(alpn_selected); - if ((alpn_selected = malloc(*outlen)) == NULL) { - fprintf(stderr, "malloc failed\n"); - abort(); - } - memcpy(alpn_selected, *out, *outlen); - *out = alpn_selected; - free(protos); - - return (SSL_TLSEXT_ERR_OK); -} - -static int -verify_alpn(SSL *client, SSL *server) -{ - const unsigned char *client_proto, *server_proto; - unsigned int client_proto_len = 0, server_proto_len = 0; - - SSL_get0_alpn_selected(client, &client_proto, &client_proto_len); - SSL_get0_alpn_selected(server, &server_proto, &server_proto_len); - - free(alpn_selected); - alpn_selected = NULL; - - if (client_proto_len != server_proto_len || (client_proto_len > 0 && - memcmp(client_proto, server_proto, client_proto_len) != 0)) { - BIO_printf(bio_stdout, "ALPN selected protocols differ!\n"); - goto err; - } - - if (client_proto_len > 0 && alpn_expected == NULL) { - BIO_printf(bio_stdout, "ALPN unexpectedly negotiated\n"); - goto err; - } - - if (alpn_expected != NULL && - (client_proto_len != strlen(alpn_expected) || - memcmp(client_proto, alpn_expected, client_proto_len) != 0)) { - BIO_printf(bio_stdout, "ALPN selected protocols not equal to " - "expected protocol: %s\n", alpn_expected); - goto err; - } - - return (0); - -err: - BIO_printf(bio_stdout, "ALPN results: client: '"); - BIO_write(bio_stdout, client_proto, client_proto_len); - BIO_printf(bio_stdout, "', server: '"); - BIO_write(bio_stdout, server_proto, server_proto_len); - BIO_printf(bio_stdout, "'\n"); - BIO_printf(bio_stdout, "ALPN configured: client: '%s', server: '%s'\n", - alpn_client, alpn_server); - - return (-1); -} - -static char *cipher = NULL; -static int verbose = 0; -static int debug = 0; - -int doit_biopair(SSL *s_ssl, SSL *c_ssl, long bytes, clock_t *s_time, - clock_t *c_time); -int doit(SSL *s_ssl, SSL *c_ssl, long bytes); - -static void -sv_usage(void) -{ - fprintf(stderr, "usage: ssltest [args ...]\n"); - fprintf(stderr, "\n"); - fprintf(stderr, " -server_auth - check server 
certificate\n"); - fprintf(stderr, " -client_auth - do client authentication\n"); - fprintf(stderr, " -proxy - allow proxy certificates\n"); - fprintf(stderr, " -proxy_auth - set proxy policy rights\n"); - fprintf(stderr, " -proxy_cond - experssion to test proxy policy rights\n"); - fprintf(stderr, " -v - more output\n"); - fprintf(stderr, " -d - debug output\n"); - fprintf(stderr, " -reuse - use session-id reuse\n"); - fprintf(stderr, " -num - number of connections to perform\n"); - fprintf(stderr, " -bytes - number of bytes to swap between client/server\n"); - fprintf(stderr, " -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n"); - fprintf(stderr, " -no_dhe - disable DHE\n"); - fprintf(stderr, " -no_ecdhe - disable ECDHE\n"); - fprintf(stderr, " -dtls1_2 - use DTLSv1.2\n"); - fprintf(stderr, " -tls1 - use TLSv1\n"); - fprintf(stderr, " -tls1_2 - use TLSv1.2\n"); - fprintf(stderr, " -CApath arg - PEM format directory of CA's\n"); - fprintf(stderr, " -CAfile arg - PEM format file of CA's\n"); - fprintf(stderr, " -cert arg - Server certificate file\n"); - fprintf(stderr, " -key arg - Server key file (default: same as -cert)\n"); - fprintf(stderr, " -c_cert arg - Client certificate file\n"); - fprintf(stderr, " -c_key arg - Client key file (default: same as -c_cert)\n"); - fprintf(stderr, " -cipher arg - The cipher list\n"); - fprintf(stderr, " -bio_pair - Use BIO pairs\n"); - fprintf(stderr, " -f - Test even cases that can't work\n"); - fprintf(stderr, " -time - measure processor time used by client and server\n"); - fprintf(stderr, " -named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.\n" \ - " Use \"openssl ecparam -list_curves\" for all names\n" \ - " (default is sect163r2).\n"); - fprintf(stderr, " -alpn_client - have client side offer ALPN\n"); - fprintf(stderr, " -alpn_server - have server side offer ALPN\n"); - fprintf(stderr, " -alpn_expected - the ALPN protocol that should be negotiated\n"); -} - -static void 
-print_details(SSL *c_ssl, const char *prefix) -{ - const SSL_CIPHER *ciph; - X509 *cert = NULL; - EVP_PKEY *pkey; - - ciph = SSL_get_current_cipher(c_ssl); - BIO_printf(bio_stdout, "%s%s, cipher %s %s", - prefix, SSL_get_version(c_ssl), SSL_CIPHER_get_version(ciph), - SSL_CIPHER_get_name(ciph)); - - if ((cert = SSL_get_peer_certificate(c_ssl)) == NULL) - goto out; - if ((pkey = X509_get0_pubkey(cert)) == NULL) - goto out; - if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA) { - RSA *rsa; - - if ((rsa = EVP_PKEY_get0_RSA(pkey)) == NULL) - goto out; - - BIO_printf(bio_stdout, ", %d bit RSA", RSA_bits(rsa)); - } else if (EVP_PKEY_id(pkey) == EVP_PKEY_DSA) { - DSA *dsa; - const BIGNUM *p; - - if ((dsa = EVP_PKEY_get0_DSA(pkey)) == NULL) - goto out; - - DSA_get0_pqg(dsa, &p, NULL, NULL); - - BIO_printf(bio_stdout, ", %d bit DSA", BN_num_bits(p)); - } - - out: - /* - * The SSL API does not allow us to look at temporary RSA/DH keys, - * otherwise we should print their lengths too - */ - BIO_printf(bio_stdout, "\n"); - - X509_free(cert); -} - -int -main(int argc, char *argv[]) -{ - char *CApath = NULL, *CAfile = NULL; - int badop = 0; - int bio_pair = 0; - int force = 0; - int tls1 = 0, tls1_2 = 0, dtls1_2 = 0, ret = 1; - int client_auth = 0; - int server_auth = 0, i; - char *app_verify_arg = "Test Callback Argument"; - char *server_cert = TEST_SERVER_CERT; - char *server_key = NULL; - char *client_cert = TEST_CLIENT_CERT; - char *client_key = NULL; - char *named_curve = NULL; - SSL_CTX *s_ctx = NULL; - SSL_CTX *c_ctx = NULL; - const SSL_METHOD *meth = NULL; - SSL *c_ssl, *s_ssl; - int number = 1, reuse = 0; - int seclevel = 0; - long bytes = 256L; - DH *dh; - int dhe1024dsa = 0; - EC_KEY *ecdh = NULL; - int no_dhe = 0; - int no_ecdhe = 0; - int print_time = 0; - clock_t s_time = 0, c_time = 0; - - verbose = 0; - debug = 0; - cipher = 0; - - bio_err = BIO_new_fp(stderr, BIO_NOCLOSE|BIO_FP_TEXT); - - bio_stdout = BIO_new_fp(stdout, BIO_NOCLOSE|BIO_FP_TEXT); - - argc--; - argv++; - - 
while (argc >= 1) { - if (!strcmp(*argv, "-F")) { - fprintf(stderr, "not compiled with FIPS support, so exiting without running.\n"); - exit(0); - } else if (strcmp(*argv, "-server_auth") == 0) - server_auth = 1; - else if (strcmp(*argv, "-client_auth") == 0) - client_auth = 1; - else if (strcmp(*argv, "-v") == 0) - verbose = 1; - else if (strcmp(*argv, "-d") == 0) - debug = 1; - else if (strcmp(*argv, "-reuse") == 0) - reuse = 1; - else if (strcmp(*argv, "-dhe1024dsa") == 0) { - dhe1024dsa = 1; - } else if (strcmp(*argv, "-no_dhe") == 0) - no_dhe = 1; - else if (strcmp(*argv, "-no_ecdhe") == 0) - no_ecdhe = 1; - else if (strcmp(*argv, "-dtls1_2") == 0) - dtls1_2 = 1; - else if (strcmp(*argv, "-tls1") == 0) - tls1 = 1; - else if (strcmp(*argv, "-tls1_2") == 0) - tls1_2 = 1; - else if (strncmp(*argv, "-num", 4) == 0) { - if (--argc < 1) - goto bad; - number = atoi(*(++argv)); - if (number == 0) - number = 1; - } else if (strncmp(*argv, "-seclevel", 9) == 0) { - if (--argc < 1) - goto bad; - seclevel = atoi(*(++argv)); - } else if (strcmp(*argv, "-bytes") == 0) { - if (--argc < 1) - goto bad; - bytes = atol(*(++argv)); - if (bytes == 0L) - bytes = 1L; - i = strlen(argv[0]); - if (argv[0][i - 1] == 'k') - bytes*=1024L; - if (argv[0][i - 1] == 'm') - bytes*=1024L*1024L; - } else if (strcmp(*argv, "-cert") == 0) { - if (--argc < 1) - goto bad; - server_cert= *(++argv); - } else if (strcmp(*argv, "-s_cert") == 0) { - if (--argc < 1) - goto bad; - server_cert= *(++argv); - } else if (strcmp(*argv, "-key") == 0) { - if (--argc < 1) - goto bad; - server_key= *(++argv); - } else if (strcmp(*argv, "-s_key") == 0) { - if (--argc < 1) - goto bad; - server_key= *(++argv); - } else if (strcmp(*argv, "-c_cert") == 0) { - if (--argc < 1) - goto bad; - client_cert= *(++argv); - } else if (strcmp(*argv, "-c_key") == 0) { - if (--argc < 1) - goto bad; - client_key= *(++argv); - } else if (strcmp(*argv, "-cipher") == 0) { - if (--argc < 1) - goto bad; - cipher= *(++argv); - } else if 
(strcmp(*argv, "-CApath") == 0) { - if (--argc < 1) - goto bad; - CApath= *(++argv); - } else if (strcmp(*argv, "-CAfile") == 0) { - if (--argc < 1) - goto bad; - CAfile= *(++argv); - } else if (strcmp(*argv, "-bio_pair") == 0) { - bio_pair = 1; - } else if (strcmp(*argv, "-f") == 0) { - force = 1; - } else if (strcmp(*argv, "-time") == 0) { - print_time = 1; - } else if (strcmp(*argv, "-named_curve") == 0) { - if (--argc < 1) - goto bad; - named_curve = *(++argv); - } else if (strcmp(*argv, "-app_verify") == 0) { - ; - } else if (strcmp(*argv, "-alpn_client") == 0) { - if (--argc < 1) - goto bad; - alpn_client = *(++argv); - } else if (strcmp(*argv, "-alpn_server") == 0) { - if (--argc < 1) - goto bad; - alpn_server = *(++argv); - } else if (strcmp(*argv, "-alpn_expected") == 0) { - if (--argc < 1) - goto bad; - alpn_expected = *(++argv); - } else { - fprintf(stderr, "unknown option %s\n", *argv); - badop = 1; - break; - } - argc--; - argv++; - } - if (badop) { -bad: - sv_usage(); - goto end; - } - - if (!dtls1_2 && !tls1 && !tls1_2 && number > 1 && !reuse && !force) { - fprintf(stderr, - "This case cannot work. Use -f to perform " - "the test anyway (and\n-d to see what happens), " - "or add one of -dtls1, -tls1, -tls1_2, -reuse\n" - "to avoid protocol mismatch.\n"); - exit(1); - } - - if (print_time) { - if (!bio_pair) { - fprintf(stderr, "Using BIO pair (-bio_pair)\n"); - bio_pair = 1; - } - if (number < 50 && !force) - fprintf(stderr, "Warning: For accurate timings, use more connections (e.g. 
-num 1000)\n"); - } - -/* if (cipher == NULL) cipher=getenv("SSL_CIPHER"); */ - - SSL_library_init(); - SSL_load_error_strings(); - - if (dtls1_2) - meth = DTLSv1_2_method(); - else if (tls1) - meth = TLSv1_method(); - else if (tls1_2) - meth = TLSv1_2_method(); - else - meth = TLS_method(); - - c_ctx = SSL_CTX_new(meth); - s_ctx = SSL_CTX_new(meth); - if ((c_ctx == NULL) || (s_ctx == NULL)) { - ERR_print_errors(bio_err); - goto end; - } - - SSL_CTX_set_security_level(c_ctx, seclevel); - SSL_CTX_set_security_level(s_ctx, seclevel); - - if (cipher != NULL) { - SSL_CTX_set_cipher_list(c_ctx, cipher); - SSL_CTX_set_cipher_list(s_ctx, cipher); - } - - if (!no_dhe) { - if (dhe1024dsa) { - /* use SSL_OP_SINGLE_DH_USE to avoid small subgroup attacks */ - SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE); - dh = get_dh1024dsa(); - } else - dh = get_dh1024(); - SSL_CTX_set_tmp_dh(s_ctx, dh); - DH_free(dh); - } - - if (!no_ecdhe) { - int nid; - - if (named_curve != NULL) { - nid = OBJ_sn2nid(named_curve); - if (nid == 0) { - BIO_printf(bio_err, "unknown curve name (%s)\n", named_curve); - goto end; - } - } else - nid = NID_X9_62_prime256v1; - - ecdh = EC_KEY_new_by_curve_name(nid); - if (ecdh == NULL) { - BIO_printf(bio_err, "unable to create curve\n"); - goto end; - } - - SSL_CTX_set_tmp_ecdh(s_ctx, ecdh); - SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_ECDH_USE); - EC_KEY_free(ecdh); - } - - if (!SSL_CTX_use_certificate_chain_file(s_ctx, server_cert)) { - ERR_print_errors(bio_err); - } else if (!SSL_CTX_use_PrivateKey_file(s_ctx, - (server_key ? server_key : server_cert), SSL_FILETYPE_PEM)) { - ERR_print_errors(bio_err); - goto end; - } - - if (client_auth) { - SSL_CTX_use_certificate_chain_file(c_ctx, client_cert); - SSL_CTX_use_PrivateKey_file(c_ctx, - (client_key ? 
client_key : client_cert), - SSL_FILETYPE_PEM); - } - - if ((!SSL_CTX_load_verify_locations(s_ctx, CAfile, CApath)) || - (!SSL_CTX_set_default_verify_paths(s_ctx)) || - (!SSL_CTX_load_verify_locations(c_ctx, CAfile, CApath)) || - (!SSL_CTX_set_default_verify_paths(c_ctx))) { - /* fprintf(stderr,"SSL_load_verify_locations\n"); */ - ERR_print_errors(bio_err); - /* goto end; */ - } - - if (client_auth) { - BIO_printf(bio_err, "client authentication\n"); - SSL_CTX_set_verify(s_ctx, - SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, - verify_callback); - SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, - app_verify_arg); - } - if (server_auth) { - BIO_printf(bio_err, "server authentication\n"); - SSL_CTX_set_verify(c_ctx, SSL_VERIFY_PEER, - verify_callback); - SSL_CTX_set_cert_verify_callback(c_ctx, app_verify_callback, - app_verify_arg); - } - - { - int session_id_context = 0; - SSL_CTX_set_session_id_context(s_ctx, - (void *)&session_id_context, sizeof(session_id_context)); - } - - if (alpn_server != NULL) - SSL_CTX_set_alpn_select_cb(s_ctx, cb_server_alpn, NULL); - - if (alpn_client != NULL) { - unsigned short alpn_len; - unsigned char *alpn = next_protos_parse(&alpn_len, alpn_client); - - if (alpn == NULL) { - BIO_printf(bio_err, "Error parsing -alpn_client argument\n"); - goto end; - } - SSL_CTX_set_alpn_protos(c_ctx, alpn, alpn_len); - free(alpn); - } - - c_ssl = SSL_new(c_ctx); - s_ssl = SSL_new(s_ctx); - - for (i = 0; i < number; i++) { - if (!reuse) - SSL_set_session(c_ssl, NULL); -#ifdef USE_BIOPAIR - if (bio_pair) - ret = doit_biopair(s_ssl, c_ssl, bytes, &s_time, - &c_time); - else -#endif - ret = doit(s_ssl, c_ssl, bytes); - } - - if (!verbose) { - print_details(c_ssl, ""); - } - if ((number > 1) || (bytes > 1L)) - BIO_printf(bio_stdout, "%d handshakes of %ld bytes done\n", - number, bytes); - if (print_time) { -#ifdef CLOCKS_PER_SEC - /* "To determine the time in seconds, the value returned - * by the clock function should be divided by the 
value - * of the macro CLOCKS_PER_SEC." - * -- ISO/IEC 9899 */ - BIO_printf(bio_stdout, - "Approximate total server time: %6.2f s\n" - "Approximate total client time: %6.2f s\n", - (double)s_time/CLOCKS_PER_SEC, - (double)c_time/CLOCKS_PER_SEC); -#else - /* "`CLOCKS_PER_SEC' undeclared (first use this function)" - * -- cc on NeXTstep/OpenStep */ - BIO_printf(bio_stdout, - "Approximate total server time: %6.2f units\n" - "Approximate total client time: %6.2f units\n", - (double)s_time, - (double)c_time); -#endif - } - - SSL_free(s_ssl); - SSL_free(c_ssl); - -end: - SSL_CTX_free(s_ctx); - SSL_CTX_free(c_ctx); - BIO_free(bio_stdout); - - CRYPTO_cleanup_all_ex_data(); - ERR_free_strings(); - ERR_remove_thread_state(NULL); - EVP_cleanup(); - BIO_free(bio_err); - - exit(ret); - return ret; -} - -#if USE_BIOPAIR -int -doit_biopair(SSL *s_ssl, SSL *c_ssl, long count, clock_t *s_time, - clock_t *c_time) -{ - long cw_num = count, cr_num = count, sw_num = count, sr_num = count; - BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL; - BIO *server = NULL, *server_io = NULL; - BIO *client = NULL, *client_io = NULL; - int ret = 1; - - size_t bufsiz = 256; /* small buffer for testing */ - - if (!BIO_new_bio_pair(&server, bufsiz, &server_io, bufsiz)) - goto err; - if (!BIO_new_bio_pair(&client, bufsiz, &client_io, bufsiz)) - goto err; - - s_ssl_bio = BIO_new(BIO_f_ssl()); - if (!s_ssl_bio) - goto err; - - c_ssl_bio = BIO_new(BIO_f_ssl()); - if (!c_ssl_bio) - goto err; - - SSL_set_connect_state(c_ssl); - SSL_set_bio(c_ssl, client, client); - (void)BIO_set_ssl(c_ssl_bio, c_ssl, BIO_NOCLOSE); - - SSL_set_accept_state(s_ssl); - SSL_set_bio(s_ssl, server, server); - (void)BIO_set_ssl(s_ssl_bio, s_ssl, BIO_NOCLOSE); - - do { - /* c_ssl_bio: SSL filter BIO - * - * client: pseudo-I/O for SSL library - * - * client_io: client's SSL communication; usually to be - * relayed over some I/O facility, but in this - * test program, we're the server, too: - * - * server_io: server's SSL communication - * - * 
server: pseudo-I/O for SSL library - * - * s_ssl_bio: SSL filter BIO - * - * The client and the server each employ a "BIO pair": - * client + client_io, server + server_io. - * BIO pairs are symmetric. A BIO pair behaves similar - * to a non-blocking socketpair (but both endpoints must - * be handled by the same thread). - * [Here we could connect client and server to the ends - * of a single BIO pair, but then this code would be less - * suitable as an example for BIO pairs in general.] - * - * Useful functions for querying the state of BIO pair endpoints: - * - * BIO_ctrl_pending(bio) number of bytes we can read now - * BIO_ctrl_get_read_request(bio) number of bytes needed to fulfil - * other side's read attempt - * BIO_ctrl_get_write_guarantee(bio) number of bytes we can write now - * - * ..._read_request is never more than ..._write_guarantee; - * it depends on the application which one you should use. - */ - - /* We have non-blocking behaviour throughout this test program, but - * can be sure that there is *some* progress in each iteration; so - * we don't have to worry about ..._SHOULD_READ or ..._SHOULD_WRITE - * -- we just try everything in each iteration - */ - - { - /* CLIENT */ - - char cbuf[1024*8]; - int i, r; - clock_t c_clock = clock(); - - memset(cbuf, 0, sizeof(cbuf)); - - if (debug) - if (SSL_in_init(c_ssl)) - printf("client waiting in SSL_connect - %s\n", - SSL_state_string_long(c_ssl)); - - if (cw_num > 0) { - /* Write to server. */ - - if (cw_num > (long)sizeof cbuf) - i = sizeof cbuf; - else - i = (int)cw_num; - r = BIO_write(c_ssl_bio, cbuf, i); - if (r < 0) { - if (!BIO_should_retry(c_ssl_bio)) { - fprintf(stderr, "ERROR in CLIENT\n"); - goto err; - } - /* BIO_should_retry(...) can just be ignored here. - * The library expects us to call BIO_write with - * the same arguments again, and that's what we will - * do in the next iteration. 
*/ - } else if (r == 0) { - fprintf(stderr, "SSL CLIENT STARTUP FAILED\n"); - goto err; - } else { - if (debug) - printf("client wrote %d\n", r); - cw_num -= r; - - } - } - - if (cr_num > 0) { - /* Read from server. */ - - r = BIO_read(c_ssl_bio, cbuf, sizeof(cbuf)); - if (r < 0) { - if (!BIO_should_retry(c_ssl_bio)) { - fprintf(stderr, "ERROR in CLIENT\n"); - goto err; - } - /* Again, "BIO_should_retry" can be ignored. */ - } else if (r == 0) { - fprintf(stderr, "SSL CLIENT STARTUP FAILED\n"); - goto err; - } else { - if (debug) - printf("client read %d\n", r); - cr_num -= r; - } - } - - /* c_time and s_time increments will typically be very small - * (depending on machine speed and clock tick intervals), - * but sampling over a large number of connections should - * result in fairly accurate figures. We cannot guarantee - * a lot, however -- if each connection lasts for exactly - * one clock tick, it will be counted only for the client - * or only for the server or even not at all. - */ - *c_time += (clock() - c_clock); - } - - { - /* SERVER */ - - char sbuf[1024*8]; - int i, r; - clock_t s_clock = clock(); - - memset(sbuf, 0, sizeof(sbuf)); - - if (debug) - if (SSL_in_init(s_ssl)) - printf("server waiting in SSL_accept - %s\n", - SSL_state_string_long(s_ssl)); - - if (sw_num > 0) { - /* Write to client. */ - - if (sw_num > (long)sizeof sbuf) - i = sizeof sbuf; - else - i = (int)sw_num; - r = BIO_write(s_ssl_bio, sbuf, i); - if (r < 0) { - if (!BIO_should_retry(s_ssl_bio)) { - fprintf(stderr, "ERROR in SERVER\n"); - goto err; - } - /* Ignore "BIO_should_retry". */ - } else if (r == 0) { - fprintf(stderr, "SSL SERVER STARTUP FAILED\n"); - goto err; - } else { - if (debug) - printf("server wrote %d\n", r); - sw_num -= r; - - } - } - - if (sr_num > 0) { - /* Read from client. 
*/ - - r = BIO_read(s_ssl_bio, sbuf, sizeof(sbuf)); - if (r < 0) { - if (!BIO_should_retry(s_ssl_bio)) { - fprintf(stderr, "ERROR in SERVER\n"); - goto err; - } - /* blah, blah */ - } else if (r == 0) { - fprintf(stderr, "SSL SERVER STARTUP FAILED\n"); - goto err; - } else { - if (debug) - printf("server read %d\n", r); - sr_num -= r; - } - } - - *s_time += (clock() - s_clock); - } - - { - /* "I/O" BETWEEN CLIENT AND SERVER. */ - - size_t r1, r2; - BIO *io1 = server_io, *io2 = client_io; - /* we use the non-copying interface for io1 - * and the standard BIO_write/BIO_read interface for io2 - */ - - static int prev_progress = 1; - int progress = 0; - - /* io1 to io2 */ - do { - size_t num; - int r; - - r1 = BIO_ctrl_pending(io1); - r2 = BIO_ctrl_get_write_guarantee(io2); - - num = r1; - if (r2 < num) - num = r2; - if (num) { - char *dataptr; - - if (INT_MAX < num) /* yeah, right */ - num = INT_MAX; - - r = BIO_nread(io1, &dataptr, (int)num); - assert(r > 0); - assert(r <= (int)num); - /* possibly r < num (non-contiguous data) */ - num = r; - r = BIO_write(io2, dataptr, (int)num); - if (r != (int)num) /* can't happen */ - { - fprintf(stderr, "ERROR: BIO_write could not write " - "BIO_ctrl_get_write_guarantee() bytes"); - goto err; - } - progress = 1; - - if (debug) - printf((io1 == client_io) ? 
- "C->S relaying: %d bytes\n" : - "S->C relaying: %d bytes\n", - (int)num); - } - } while (r1 && r2); - - /* io2 to io1 */ - { - size_t num; - int r; - - r1 = BIO_ctrl_pending(io2); - r2 = BIO_ctrl_get_read_request(io1); - /* here we could use ..._get_write_guarantee instead of - * ..._get_read_request, but by using the latter - * we test restartability of the SSL implementation - * more thoroughly */ - num = r1; - if (r2 < num) - num = r2; - if (num) { - char *dataptr; - - if (INT_MAX < num) - num = INT_MAX; - - if (num > 1) - --num; /* test restartability even more thoroughly */ - - r = BIO_nwrite0(io1, &dataptr); - assert(r > 0); - if (r < (int)num) - num = r; - r = BIO_read(io2, dataptr, (int)num); - if (r != (int)num) /* can't happen */ - { - fprintf(stderr, "ERROR: BIO_read could not read " - "BIO_ctrl_pending() bytes"); - goto err; - } - progress = 1; - r = BIO_nwrite(io1, &dataptr, (int)num); - if (r != (int)num) /* can't happen */ - { - fprintf(stderr, "ERROR: BIO_nwrite() did not accept " - "BIO_nwrite0() bytes"); - goto err; - } - - if (debug) - printf((io2 == client_io) ? 
- "C->S relaying: %d bytes\n" : - "S->C relaying: %d bytes\n", - (int)num); - } - } /* no loop, BIO_ctrl_get_read_request now returns 0 anyway */ - - if (!progress && !prev_progress) { - if (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0) { - fprintf(stderr, "ERROR: got stuck\n"); - goto err; - } - } - prev_progress = progress; - } - } while (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0); - - if (verbose) - print_details(c_ssl, "DONE via BIO pair: "); - - if (verify_alpn(c_ssl, s_ssl) < 0) { - ret = 1; - goto err; - } - - ret = 0; - -err: - ERR_print_errors(bio_err); - - BIO_free(server); - BIO_free(server_io); - BIO_free(client); - BIO_free(client_io); - BIO_free(s_ssl_bio); - BIO_free(c_ssl_bio); - - return ret; -} -#endif - - -#define W_READ 1 -#define W_WRITE 2 -#define C_DONE 1 -#define S_DONE 2 - -int -doit(SSL *s_ssl, SSL *c_ssl, long count) -{ - char cbuf[1024*8], sbuf[1024*8]; - long cw_num = count, cr_num = count; - long sw_num = count, sr_num = count; - int ret = 1; - BIO *c_to_s = NULL; - BIO *s_to_c = NULL; - BIO *c_bio = NULL; - BIO *s_bio = NULL; - int c_r, c_w, s_r, s_w; - int i, j; - int done = 0; - int c_write, s_write; - int do_server = 0, do_client = 0; - - memset(cbuf, 0, sizeof(cbuf)); - memset(sbuf, 0, sizeof(sbuf)); - - c_to_s = BIO_new(BIO_s_mem()); - s_to_c = BIO_new(BIO_s_mem()); - if ((s_to_c == NULL) || (c_to_s == NULL)) { - ERR_print_errors(bio_err); - goto err; - } - - c_bio = BIO_new(BIO_f_ssl()); - s_bio = BIO_new(BIO_f_ssl()); - if ((c_bio == NULL) || (s_bio == NULL)) { - ERR_print_errors(bio_err); - goto err; - } - - SSL_set_connect_state(c_ssl); - SSL_set_bio(c_ssl, s_to_c, c_to_s); - BIO_set_ssl(c_bio, c_ssl, BIO_NOCLOSE); - - SSL_set_accept_state(s_ssl); - SSL_set_bio(s_ssl, c_to_s, s_to_c); - BIO_set_ssl(s_bio, s_ssl, BIO_NOCLOSE); - - c_r = 0; - s_r = 1; - c_w = 1; - s_w = 0; - c_write = 1, s_write = 0; - - /* We can always do writes */ - for (;;) { - do_server = 0; - do_client = 0; - - i = 
(int)BIO_pending(s_bio); - if ((i && s_r) || s_w) - do_server = 1; - - i = (int)BIO_pending(c_bio); - if ((i && c_r) || c_w) - do_client = 1; - - if (do_server && debug) { - if (SSL_in_init(s_ssl)) - printf("server waiting in SSL_accept - %s\n", - SSL_state_string_long(s_ssl)); - } - - if (do_client && debug) { - if (SSL_in_init(c_ssl)) - printf("client waiting in SSL_connect - %s\n", - SSL_state_string_long(c_ssl)); - } - - if (!do_client && !do_server) { - fprintf(stdout, "ERROR in STARTUP\n"); - ERR_print_errors(bio_err); - goto err; - } - - if (do_client && !(done & C_DONE)) { - if (c_write) { - j = (cw_num > (long)sizeof(cbuf)) ? - (int)sizeof(cbuf) : (int)cw_num; - i = BIO_write(c_bio, cbuf, j); - if (i < 0) { - c_r = 0; - c_w = 0; - if (BIO_should_retry(c_bio)) { - if (BIO_should_read(c_bio)) - c_r = 1; - if (BIO_should_write(c_bio)) - c_w = 1; - } else { - fprintf(stderr, "ERROR in CLIENT\n"); - ERR_print_errors(bio_err); - goto err; - } - } else if (i == 0) { - fprintf(stderr, "SSL CLIENT STARTUP FAILED\n"); - goto err; - } else { - if (debug) - printf("client wrote %d\n", i); - /* ok */ - s_r = 1; - c_write = 0; - cw_num -= i; - } - } else { - i = BIO_read(c_bio, cbuf, sizeof(cbuf)); - if (i < 0) { - c_r = 0; - c_w = 0; - if (BIO_should_retry(c_bio)) { - if (BIO_should_read(c_bio)) - c_r = 1; - if (BIO_should_write(c_bio)) - c_w = 1; - } else { - fprintf(stderr, "ERROR in CLIENT\n"); - ERR_print_errors(bio_err); - goto err; - } - } else if (i == 0) { - fprintf(stderr, "SSL CLIENT STARTUP FAILED\n"); - goto err; - } else { - if (debug) - printf("client read %d\n", i); - cr_num -= i; - if (sw_num > 0) { - s_write = 1; - s_w = 1; - } - if (cr_num <= 0) { - s_write = 1; - s_w = 1; - done = S_DONE|C_DONE; - } - } - } - } - - if (do_server && !(done & S_DONE)) { - if (!s_write) { - i = BIO_read(s_bio, sbuf, sizeof(cbuf)); - if (i < 0) { - s_r = 0; - s_w = 0; - if (BIO_should_retry(s_bio)) { - if (BIO_should_read(s_bio)) - s_r = 1; - if (BIO_should_write(s_bio)) 
- s_w = 1; - } else { - fprintf(stderr, "ERROR in SERVER\n"); - ERR_print_errors(bio_err); - goto err; - } - } else if (i == 0) { - ERR_print_errors(bio_err); - fprintf(stderr, "SSL SERVER STARTUP FAILED in SSL_read\n"); - goto err; - } else { - if (debug) - printf("server read %d\n", i); - sr_num -= i; - if (cw_num > 0) { - c_write = 1; - c_w = 1; - } - if (sr_num <= 0) { - s_write = 1; - s_w = 1; - c_write = 0; - } - } - } else { - j = (sw_num > (long)sizeof(sbuf)) ? - (int)sizeof(sbuf) : (int)sw_num; - i = BIO_write(s_bio, sbuf, j); - if (i < 0) { - s_r = 0; - s_w = 0; - if (BIO_should_retry(s_bio)) { - if (BIO_should_read(s_bio)) - s_r = 1; - if (BIO_should_write(s_bio)) - s_w = 1; - } else { - fprintf(stderr, "ERROR in SERVER\n"); - ERR_print_errors(bio_err); - goto err; - } - } else if (i == 0) { - ERR_print_errors(bio_err); - fprintf(stderr, "SSL SERVER STARTUP FAILED in SSL_write\n"); - goto err; - } else { - if (debug) - printf("server wrote %d\n", i); - sw_num -= i; - s_write = 0; - c_r = 1; - if (sw_num <= 0) - done |= S_DONE; - } - } - } - - if ((done & S_DONE) && (done & C_DONE)) - break; - } - - if (verbose) - print_details(c_ssl, "DONE: "); - - if (verify_alpn(c_ssl, s_ssl) < 0) { - ret = 1; - goto err; - } - - ret = 0; -err: - /* We have to set the BIO's to NULL otherwise they will be - * free()ed twice. Once when th s_ssl is SSL_free()ed and - * again when c_ssl is SSL_free()ed. - * This is a hack required because s_ssl and c_ssl are sharing the same - * BIO structure and SSL_set_bio() and SSL_free() automatically - * BIO_free non NULL entries. 
- * You should not normally do this or be required to do this */ - if (s_ssl != NULL) { - s_ssl->rbio = NULL; - s_ssl->wbio = NULL; - } - if (c_ssl != NULL) { - c_ssl->rbio = NULL; - c_ssl->wbio = NULL; - } - - BIO_free(c_to_s); - BIO_free(s_to_c); - BIO_free_all(c_bio); - BIO_free_all(s_bio); - - return (ret); -} - -static int -verify_callback(int ok, X509_STORE_CTX *ctx) -{ - X509 *xs; - char *s, buf[256]; - int error, error_depth; - - xs = X509_STORE_CTX_get_current_cert(ctx); - s = X509_NAME_oneline(X509_get_subject_name(xs), buf, sizeof buf); - error = X509_STORE_CTX_get_error(ctx); - error_depth = X509_STORE_CTX_get_error_depth(ctx); - if (s != NULL) { - if (ok) - fprintf(stderr, "depth=%d %s\n", error_depth, buf); - else { - fprintf(stderr, "depth=%d error=%d %s\n", error_depth, - error, buf); - } - } - - if (ok == 0) { - fprintf(stderr, "Error string: %s\n", - X509_verify_cert_error_string(error)); - switch (error) { - case X509_V_ERR_CERT_NOT_YET_VALID: - case X509_V_ERR_CERT_HAS_EXPIRED: - case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: - fprintf(stderr, " ... ignored.\n"); - ok = 1; - } - } - - return (ok); -} - -static int -app_verify_callback(X509_STORE_CTX *ctx, void *arg) -{ - X509 *xs; - char *s = NULL, buf[256]; - const char *cb_arg = arg; - - xs = X509_STORE_CTX_get0_cert(ctx); - fprintf(stderr, "In app_verify_callback, allowing cert. "); - fprintf(stderr, "Arg is: %s\n", cb_arg); - fprintf(stderr, "Finished printing do we have a context? 0x%p a cert? 0x%p\n", - (void *)ctx, (void *)xs); - if (xs) - s = X509_NAME_oneline(X509_get_subject_name(xs), buf, 256); - if (s != NULL) { - fprintf(stderr, "cert depth=%d %s\n", - X509_STORE_CTX_get_error_depth(ctx), buf); - } - - return 1; -} - -/* These DH parameters have been generated as follows: - * $ openssl dhparam -C -noout 1024 - * $ openssl dhparam -C -noout -dsaparam 1024 - * (The second function has been renamed to avoid name conflicts.) 
- */
-static DH *
-get_dh1024(void)
-{
- static unsigned char dh1024_p[] = {
- 0xF8, 0x81, 0x89, 0x7D, 0x14, 0x24, 0xC5, 0xD1, 0xE6, 0xF7, 0xBF, 0x3A,
- 0xE4, 0x90, 0xF4, 0xFC, 0x73, 0xFB, 0x34, 0xB5, 0xFA, 0x4C, 0x56, 0xA2,
- 0xEA, 0xA7, 0xE9, 0xC0, 0xC0, 0xCE, 0x89, 0xE1, 0xFA, 0x63, 0x3F, 0xB0,
- 0x6B, 0x32, 0x66, 0xF1, 0xD1, 0x7B, 0xB0, 0x00, 0x8F, 0xCA, 0x87, 0xC2,
- 0xAE, 0x98, 0x89, 0x26, 0x17, 0xC2, 0x05, 0xD2, 0xEC, 0x08, 0xD0, 0x8C,
- 0xFF, 0x17, 0x52, 0x8C, 0xC5, 0x07, 0x93, 0x03, 0xB1, 0xF6, 0x2F, 0xB8,
- 0x1C, 0x52, 0x47, 0x27, 0x1B, 0xDB, 0xD1, 0x8D, 0x9D, 0x69, 0x1D, 0x52,
- 0x4B, 0x32, 0x81, 0xAA, 0x7F, 0x00, 0xC8, 0xDC, 0xE6, 0xD9, 0xCC, 0xC1,
- 0x11, 0x2D, 0x37, 0x34, 0x6C, 0xEA, 0x02, 0x97, 0x4B, 0x0E, 0xBB, 0xB1,
- 0x71, 0x33, 0x09, 0x15, 0xFD, 0xDD, 0x23, 0x87, 0x07, 0x5E, 0x89, 0xAB,
- 0x6B, 0x7C, 0x5F, 0xEC, 0xA6, 0x24, 0xDC, 0x53,
- };
- static unsigned char dh1024_g[] = {
- 0x02,
- };
- DH *dh;
- BIGNUM *dh_p = NULL, *dh_g = NULL;
-
- if ((dh = DH_new()) == NULL)
- return NULL;
-
- dh_p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
- dh_g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
- if (dh_p == NULL || dh_g == NULL)
- goto err;
-
- if (!DH_set0_pqg(dh, dh_p, NULL, dh_g))
- goto err;
-
- return dh;
-
- err:
- BN_free(dh_p);
- BN_free(dh_g);
- DH_free(dh);
- return NULL;
-}
-
-static DH *
-get_dh1024dsa(void)
-{
- static unsigned char dh1024_p[] = {
- 0xC8, 0x00, 0xF7, 0x08, 0x07, 0x89, 0x4D, 0x90, 0x53, 0xF3, 0xD5, 0x00,
- 0x21, 0x1B, 0xF7, 0x31, 0xA6, 0xA2, 0xDA, 0x23, 0x9A, 0xC7, 0x87, 0x19,
- 0x3B, 0x47, 0xB6, 0x8C, 0x04, 0x6F, 0xFF, 0xC6, 0x9B, 0xB8, 0x65, 0xD2,
- 0xC2, 0x5F, 0x31, 0x83, 0x4A, 0xA7, 0x5F, 0x2F, 0x88, 0x38, 0xB6, 0x55,
- 0xCF, 0xD9, 0x87, 0x6D, 0x6F, 0x9F, 0xDA, 0xAC, 0xA6, 0x48, 0xAF, 0xFC,
- 0x33, 0x84, 0x37, 0x5B, 0x82, 0x4A, 0x31, 0x5D, 0xE7, 0xBD, 0x52, 0x97,
- 0xA1, 0x77, 0xBF, 0x10, 0x9E, 0x37, 0xEA, 0x64, 0xFA, 0xCA, 0x28, 0x8D,
- 0x9D, 0x3B, 0xD2, 0x6E, 0x09, 0x5C, 0x68, 0xC7, 0x45, 0x90, 0xFD, 0xBB,
- 0x70,
0xC9, 0x3A, 0xBB, 0xDF, 0xD4, 0x21, 0x0F, 0xC4, 0x6A, 0x3C, 0xF6,
- 0x61, 0xCF, 0x3F, 0xD6, 0x13, 0xF1, 0x5F, 0xBC, 0xCF, 0xBC, 0x26, 0x9E,
- 0xBC, 0x0B, 0xBD, 0xAB, 0x5D, 0xC9, 0x54, 0x39,
- };
- static unsigned char dh1024_g[] = {
- 0x3B, 0x40, 0x86, 0xE7, 0xF3, 0x6C, 0xDE, 0x67, 0x1C, 0xCC, 0x80, 0x05,
- 0x5A, 0xDF, 0xFE, 0xBD, 0x20, 0x27, 0x74, 0x6C, 0x24, 0xC9, 0x03, 0xF3,
- 0xE1, 0x8D, 0xC3, 0x7D, 0x98, 0x27, 0x40, 0x08, 0xB8, 0x8C, 0x6A, 0xE9,
- 0xBB, 0x1A, 0x3A, 0xD6, 0x86, 0x83, 0x5E, 0x72, 0x41, 0xCE, 0x85, 0x3C,
- 0xD2, 0xB3, 0xFC, 0x13, 0xCE, 0x37, 0x81, 0x9E, 0x4C, 0x1C, 0x7B, 0x65,
- 0xD3, 0xE6, 0xA6, 0x00, 0xF5, 0x5A, 0x95, 0x43, 0x5E, 0x81, 0xCF, 0x60,
- 0xA2, 0x23, 0xFC, 0x36, 0xA7, 0x5D, 0x7A, 0x4C, 0x06, 0x91, 0x6E, 0xF6,
- 0x57, 0xEE, 0x36, 0xCB, 0x06, 0xEA, 0xF5, 0x3D, 0x95, 0x49, 0xCB, 0xA7,
- 0xDD, 0x81, 0xDF, 0x80, 0x09, 0x4A, 0x97, 0x4D, 0xA8, 0x22, 0x72, 0xA1,
- 0x7F, 0xC4, 0x70, 0x56, 0x70, 0xE8, 0x20, 0x10, 0x18, 0x8F, 0x2E, 0x60,
- 0x07, 0xE7, 0x68, 0x1A, 0x82, 0x5D, 0x32, 0xA2,
- };
- DH *dh;
- BIGNUM *dh_p = NULL, *dh_g = NULL;
-
- if ((dh = DH_new()) == NULL)
- return NULL;
-
- dh_p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
- dh_g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
- if (dh_p == NULL || dh_g == NULL)
- goto err;
-
- if (!DH_set0_pqg(dh, dh_p, NULL, dh_g))
- goto err;
-
- DH_set_length(dh, 160);
-
- return dh;
-
- err:
- BN_free(dh_p);
- BN_free(dh_g);
- DH_free(dh);
- return NULL;
-}
diff --git a/src/regress/lib/libssl/ssl/testssl b/src/regress/lib/libssl/ssl/testssl
deleted file mode 100644
index 70db1752b7..0000000000
--- a/src/regress/lib/libssl/ssl/testssl
+++ /dev/null
@@ -1,162 +0,0 @@ -#!/bin/sh - -key="$1" -cert="$2" -CA="-CAfile $3" -ssltest="${4-./ssltest} -key $key -cert $cert -c_key $key -c_cert $cert" -openssl=${5-openssl} -extra="$6" - -$openssl version || exit 1 - -if $openssl x509 -in $cert -text -noout | fgrep 'DSA Public Key' >/dev/null; then - dsa_cert=YES -else - dsa_cert=NO -fi - -############################################################################# - -echo test sslv2/sslv3 -$ssltest $extra || exit 1 - -echo test sslv2/sslv3 with server authentication -$ssltest -server_auth $CA $extra || exit 1 - -echo test sslv2/sslv3 with client authentication -$ssltest -client_auth $CA $extra || exit 1 - -echo test sslv2/sslv3 with both client and server authentication -$ssltest -server_auth -client_auth $CA $extra || exit 1 - -echo test sslv2/sslv3 via BIO pair -$ssltest $extra || exit 1 - -if [ $dsa_cert = NO ]; then - echo 'test sslv2/sslv3 w/o (EC)DHE via BIO pair' - $ssltest -bio_pair -no_dhe -no_ecdhe $extra || exit 1 -fi - -echo test sslv2/sslv3 with 1024bit DHE via BIO pair -$ssltest -bio_pair -dhe1024dsa -v $extra || exit 1 - -echo test sslv2/sslv3 with server authentication -$ssltest -bio_pair -server_auth $CA $extra || exit 1 - -echo test sslv2/sslv3 with client authentication via BIO pair -$ssltest -bio_pair -client_auth $CA $extra || exit 1 - -echo test sslv2/sslv3 with both client and server authentication via BIO pair -$ssltest -bio_pair -server_auth -client_auth $CA $extra || exit 1 - -echo test sslv2/sslv3 with both client and server authentication via BIO pair and app verify -$ssltest -bio_pair -server_auth -client_auth -app_verify $CA $extra || exit 1 - -echo "Testing ciphersuites" -for protocol in SSLv3 TLSv1.2; do - echo "Testing ciphersuites for $protocol" - for cipher in `$openssl ciphers -v "$protocol+aRSA" | - awk "/ $protocol / { print \\$1 }"`; do - echo "Testing $cipher" - $ssltest -cipher $cipher -tls1_2 - if [ $? 
-ne 0 ] ; then - echo "Failed $cipher" - exit 1 - fi - done -done -for protocol in TLSv1.3; do - echo "Testing ciphersuites for $protocol at security level 2" - for cipher in `$openssl ciphers -v "$protocol" | - awk "/ $protocol / { print \\$1 }"`; do - echo "Testing $cipher" - $ssltest -cipher $cipher -seclevel 2 - if [ $? -ne 0 ] ; then - echo "Failed $cipher" - exit 1 - fi - done -done -for protocol in TLSv1.3; do - echo "Testing ciphersuites for $protocol at security level 3" - for cipher in `$openssl ciphers -v "$protocol" | - awk "/ $protocol / { print \\$1 }"`; do - echo "Testing $cipher" - $ssltest -cipher $cipher -seclevel 3 - if [ $? -eq 0 ] ; then - echo "Failed $cipher should not have succeeded" - exit 1 - fi - done -done - -############################################################################# - -if $openssl no-dh; then - echo skipping anonymous DH tests -else - echo skipping tls1 tests. -fi - -#if $openssl no-rsa; then -# echo skipping RSA tests -#else -# echo 'test tls1 with 1024bit RSA, no (EC)DHE, multiple handshakes' -# ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -no_ecdhe -num 10 -f -time $extra || exit 1 -# -# if $openssl no-dh; then -# echo skipping RSA+DHE tests -# else -# echo test tls1 with 1024bit RSA, 1024bit DHE, multiple handshakes -# ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -dhe1024dsa -num 10 -f -time $extra || exit 1 -# fi -#fi - -# -# DTLS tests -# - -$ssltest -dtls1_2 $extra || exit 1 - -echo test dtlsv1_2 with server authentication -$ssltest -dtls1_2 -server_auth $CA $extra || exit 1 - -echo test dtlsv1_2 with client authentication -$ssltest -dtls1_2 -client_auth $CA $extra || exit 1 - -echo test dtlsv1_2 with both client and server authentication -$ssltest -dtls1_2 -server_auth -client_auth $CA $extra || exit 1 - -echo "Testing DTLS ciphersuites" -for protocol in SSLv3; do - echo "Testing ciphersuites for $protocol" - for cipher in `$openssl ciphers -v "RSA+$protocol" | - awk "/ $protocol / 
{ print \\$1 }" | - grep -v RC4`; do - echo "Testing $cipher" - $ssltest -cipher $cipher -dtls1_2 - if [ $? -ne 0 ] ; then - echo "Failed $cipher" - exit 1 - fi - done -done - -# -# ALPN tests -# -echo "Testing ALPN..." -$ssltest -bio_pair -alpn_client foo -alpn_server bar || exit 1 -$ssltest -bio_pair -alpn_client foo -alpn_server foo \ - -alpn_expected foo || exit 1 -$ssltest -bio_pair -alpn_client foo,bar -alpn_server foo \ - -alpn_expected foo || exit 1 -$ssltest -bio_pair -alpn_client bar,foo -alpn_server foo \ - -alpn_expected foo || exit 1 -$ssltest -bio_pair -alpn_client bar,foo -alpn_server foo,bar \ - -alpn_expected foo || exit 1 -$ssltest -bio_pair -alpn_client bar,foo -alpn_server bar,foo \ - -alpn_expected bar || exit 1 -$ssltest -bio_pair -alpn_client foo,bar -alpn_server bar,foo \ - -alpn_expected bar || exit 1 -$ssltest -bio_pair -alpn_client baz -alpn_server bar,foo || exit 1 diff --git a/src/regress/lib/libssl/symbols/Makefile b/src/regress/lib/libssl/symbols/Makefile deleted file mode 100644 index d500dfcd0a..0000000000 --- a/src/regress/lib/libssl/symbols/Makefile +++ /dev/null @@ -1,22 +0,0 @@ -# $OpenBSD: Makefile,v 1.2 2023/07/15 23:40:46 tb Exp $ - -PROG = symbols - -.include - -DPADD= ${LIBCRYPTO} ${LIBSSL} -LDFLAGS+= -lcrypto -lssl -LDFLAGS+= -Wl,--no-allow-shlib-undefined -CFLAGS+= -Wno-deprecated-declarations - -CLEANFILES+= symbols.c symbols.c.tmp - -symbols.c: symbols.awk ../../../../lib/libssl/Symbols.list - awk -f ${.CURDIR}/symbols.awk \ - < ${BSDSRCDIR}/lib/libssl/Symbols.list > $@.tmp && \ - mv -f $@.tmp $@ - -run-regress-symbols: symbols - ./symbols 2>/dev/null - -.include diff --git a/src/regress/lib/libssl/symbols/symbols.awk b/src/regress/lib/libssl/symbols/symbols.awk deleted file mode 100644 index ecbe25e393..0000000000 --- a/src/regress/lib/libssl/symbols/symbols.awk +++ /dev/null 
@@ -1,58 +0,0 @@
-# $OpenBSD: symbols.awk,v 1.4 2024/05/08 06:54:43 tb Exp $
-
-# Copyright (c) 2018,2020,2023 Theo Buehler
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-
-# usage: awk -f symbols.awk < Symbols.list > symbols.c
-
-BEGIN {
- printf("#include \n\n")
-
- printf("#include \n")
- printf("#include \n")
- printf("#include \n\n")
-
- printf("#include \n\n") # depends on ssl.h
-}
-
-{
- symbols[$0] = $0
-
- # Undefine aliases, so we don't accidentally leave them in Symbols.list.
- printf("#ifdef %s\n#undef %s\n#endif\n", $0, $0)
-}
-
-END {
- printf("\nint\nmain(void)\n{\n")
- printf("\tsize_t i;\n");
-
- printf("\tstruct {\n")
- printf("\t\tconst char *const name;\n")
- printf("\t\tconst void *addr;\n")
- printf("\t} symbols[] = {\n")
-
- for (symbol in symbols) {
- printf("\t\t{\n")
- printf("\t\t\t.name = \"%s\",\n", symbol)
- printf("\t\t\t.addr = &%s,\n", symbol)
- printf("\t\t},\n")
- }
-
- printf("\t\};\n\n")
-
- printf("\tfor (i = 0; i < sizeof(symbols) / sizeof(symbols[0]); i++)\n")
- printf("\t\tfprintf(stderr, \"%%s: %%p\\n\", symbols[i].name, symbols[i].addr);\n")
- printf("\n\tprintf(\"OK\\n\");\n")
- printf("\n\treturn 0;\n}\n")
-}
diff --git a/src/regress/lib/libssl/tls/Makefile b/src/regress/lib/libssl/tls/Makefile
deleted file mode 100644
index 315ac692c3..0000000000
--- a/src/regress/lib/libssl/tls/Makefile
+++ /dev/null
@@ -1,18 +0,0 @@
-# $OpenBSD: Makefile,v 1.2 2024/03/20 10:38:05 jsing Exp $
-
-PROG= tlstest
-LDADD= -lssl -lcrypto
-DPADD= ${LIBSSL} ${LIBCRYPTO}
-WARNINGS= Yes
-CFLAGS+= -DLIBRESSL_INTERNAL -Werror
-
-REGRESS_TARGETS= \
- regress-tlstest
-
-regress-tlstest: ${PROG}
- ./tlstest \
- ${.CURDIR}/../../libssl/certs/server1-rsa.pem \
- ${.CURDIR}/../../libssl/certs/server1-rsa-chain.pem \
- ${.CURDIR}/../../libssl/certs/ca-root-rsa.pem
-
-.include
diff --git a/src/regress/lib/libssl/tls/tlstest.c b/src/regress/lib/libssl/tls/tlstest.c
deleted file mode 100644
index 8154e7576c..0000000000
--- a/src/regress/lib/libssl/tls/tlstest.c
+++ /dev/null
@@ -1,400 +0,0 @@
-/* $OpenBSD: tlstest.c,v 1.2 2023/07/02 17:21:33 beck Exp $ */
-/*
- * Copyright (c) 2020, 2021 Joel Sing
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include
-
-#include
-#include
-#include
-
-const char *server_ca_file;
-const char *server_cert_file;
-const char *server_key_file;
-
-int debug = 0;
-
-static void
-hexdump(const unsigned char *buf, size_t len)
-{
- size_t i;
-
- for (i = 1; i <= len; i++)
- fprintf(stderr, " 0x%02hhx,%s", buf[i - 1], i % 8 ? "" : "\n");
-
- if (len % 8)
- fprintf(stderr, "\n");
-}
-
-static SSL *
-tls_client(BIO *rbio, BIO *wbio)
-{
- SSL_CTX *ssl_ctx = NULL;
- SSL *ssl = NULL;
-
- if ((ssl_ctx = SSL_CTX_new(TLS_method())) == NULL)
- errx(1, "client context");
-
- if ((ssl = SSL_new(ssl_ctx)) == NULL)
- errx(1, "client ssl");
-
- BIO_up_ref(rbio);
- BIO_up_ref(wbio);
-
- SSL_set_bio(ssl, rbio, wbio);
-
- SSL_CTX_free(ssl_ctx);
-
- return ssl;
-}
-
-static SSL *
-tls_server(BIO *rbio, BIO *wbio)
-{
- SSL_CTX *ssl_ctx = NULL;
- SSL *ssl = NULL;
-
- if ((ssl_ctx = SSL_CTX_new(TLS_method())) == NULL)
- errx(1, "server context");
-
- SSL_CTX_set_dh_auto(ssl_ctx, 2);
-
- if (SSL_CTX_use_certificate_file(ssl_ctx, server_cert_file,
- SSL_FILETYPE_PEM) != 1) {
- fprintf(stderr, "FAIL: Failed to load server certificate");
- goto failure;
- }
- if (SSL_CTX_use_PrivateKey_file(ssl_ctx, server_key_file,
- SSL_FILETYPE_PEM) != 1) {
- fprintf(stderr, "FAIL: Failed to load server private key");
- goto failure;
- }
-
- if ((ssl = SSL_new(ssl_ctx)) == NULL)
- errx(1, "server ssl");
-
- BIO_up_ref(rbio);
- BIO_up_ref(wbio);
-
- SSL_set_bio(ssl, rbio, wbio);
-
- failure:
- SSL_CTX_free(ssl_ctx);
-
- return ssl;
-}
-
-static int
-ssl_error(SSL *ssl, const char *name, const char *desc, int ssl_ret)
-{
- int ssl_err;
-
- ssl_err = SSL_get_error(ssl, ssl_ret);
-
- if (ssl_err == SSL_ERROR_WANT_READ) {
- return 1;
- } else if (ssl_err == SSL_ERROR_WANT_WRITE) {
- return 1;
- } else if (ssl_err == SSL_ERROR_SYSCALL && errno == 0) {
- /* Yup, this is apparently a thing... */
- } else {
- fprintf(stderr, "FAIL: %s %s failed - ssl err = %d, errno = %d\n",
- name, desc, ssl_err, errno);
- ERR_print_errors_fp(stderr);
- return 0;
- }
-
- return 1;
-}
-
-static int
-do_connect(SSL *ssl, const char *name, int *done)
-{
- int ssl_ret;
-
- if ((ssl_ret = SSL_connect(ssl)) == 1) {
- fprintf(stderr, "INFO: %s connect done\n", name);
- *done = 1;
- return 1;
- }
-
- return ssl_error(ssl, name, "connect", ssl_ret);
-}
-
-static int
-do_accept(SSL *ssl, const char *name, int *done)
-{
- int ssl_ret;
-
- if ((ssl_ret = SSL_accept(ssl)) == 1) {
- fprintf(stderr, "INFO: %s accept done\n", name);
- *done = 1;
- return 1;
- }
-
- return ssl_error(ssl, name, "accept", ssl_ret);
-}
-
-static int
-do_read(SSL *ssl, const char *name, int *done)
-{
- uint8_t buf[512];
- int ssl_ret;
-
- if ((ssl_ret = SSL_read(ssl, buf, sizeof(buf))) > 0) {
- fprintf(stderr, "INFO: %s read done\n", name);
- if (debug > 1)
- hexdump(buf, ssl_ret);
- *done = 1;
- return 1;
- }
-
- return ssl_error(ssl, name, "read", ssl_ret);
-}
-
-static int
-do_write(SSL *ssl, const char *name, int *done)
-{
- const uint8_t buf[] = "Hello, World!\n";
- int ssl_ret;
-
- if ((ssl_ret = SSL_write(ssl, buf, sizeof(buf))) > 0) {
- fprintf(stderr, "INFO: %s write done\n", name);
- *done = 1;
- return 1;
- }
-
- return ssl_error(ssl, name, "write", ssl_ret);
-}
-
-static int
-do_shutdown(SSL *ssl, const char *name, int *done)
-{
- int ssl_ret;
-
- ssl_ret = SSL_shutdown(ssl);
- if (ssl_ret == 1) {
- fprintf(stderr, "INFO: %s shutdown done\n", name);
- *done = 1;
- return 1;
- }
- return ssl_error(ssl, name, "shutdown", ssl_ret);
-}
-
-typedef int (*ssl_func)(SSL *ssl, const char *name, int *done);
-
-static int
-do_client_server_loop(SSL *client, ssl_func client_func, SSL *server,
- ssl_func server_func)
-{
- int client_done = 0, server_done = 0;
- int i = 0;
-
- do {
- if (!client_done) {
- if (debug)
- fprintf(stderr, "DEBUG: client loop\n");
- if (!client_func(client, "client", &client_done))
- return 0;
- }
- if (!server_done) {
- if (debug)
- fprintf(stderr, "DEBUG: server loop\n");
- if (!server_func(server, "server", &server_done))
- return 0;
- }
- } while (i++ < 100 && (!client_done || !server_done));
-
- if (!client_done || !server_done)
- fprintf(stderr, "FAIL: gave up\n");
-
- return client_done && server_done;
-}
-
-struct tls_test {
- const unsigned char *desc;
- const SSL_METHOD *(*client_method)(void);
- uint16_t client_min_version;
- uint16_t client_max_version;
- const char *client_ciphers;
- const SSL_METHOD *(*server_method)(void);
- uint16_t server_min_version;
- uint16_t server_max_version;
- const char *server_ciphers;
-};
-
-static const struct tls_test tls_tests[] = {
- {
- .desc = "Default client and server",
- },
- {
- .desc = "Default client and TLSv1.2 server",
- .server_max_version = TLS1_2_VERSION,
- },
- {
- .desc = "Default client and default server with ECDHE KEX",
- .server_ciphers = "ECDHE-RSA-AES128-SHA",
- },
- {
- .desc = "Default client and TLSv1.2 server with ECDHE KEX",
- .server_max_version = TLS1_2_VERSION,
- .server_ciphers = "ECDHE-RSA-AES128-SHA",
- },
- {
- .desc = "Default client and default server with DHE KEX",
- .server_ciphers = "DHE-RSA-AES128-SHA",
- },
- {
- .desc = "Default client and TLSv1.2 server with DHE KEX",
- .server_max_version = TLS1_2_VERSION,
- .server_ciphers = "DHE-RSA-AES128-SHA",
- },
- {
- .desc = "Default client and default server with RSA KEX",
- .server_ciphers = "AES128-SHA",
- },
- {
- .desc = "Default client and TLSv1.2 server with RSA KEX",
- .server_max_version = TLS1_2_VERSION,
- .server_ciphers = "AES128-SHA",
- },
- {
- .desc = "TLSv1.2 client and default server",
- .client_max_version = TLS1_2_VERSION,
- },
- {
- .desc = "TLSv1.2 client and default server with ECDHE KEX",
- .client_max_version = TLS1_2_VERSION,
- .client_ciphers = "ECDHE-RSA-AES128-SHA",
- },
- {
- .desc = "TLSv1.2 client and default server with DHE KEX",
- .server_max_version = TLS1_2_VERSION,
- .client_ciphers = "DHE-RSA-AES128-SHA",
- },
- {
- .desc = "TLSv1.2 client and default server with RSA KEX",
- .client_max_version = TLS1_2_VERSION,
- .client_ciphers = "AES128-SHA",
- },
-};
-
-#define N_TLS_TESTS (sizeof(tls_tests) / sizeof(*tls_tests))
-
-static int
-tlstest(const struct tls_test *tt)
-{
- BIO *client_wbio = NULL, *server_wbio = NULL;
- SSL *client = NULL, *server = NULL;
- int failed = 1;
-
- fprintf(stderr, "\n== Testing %s... ==\n", tt->desc);
-
- if ((client_wbio = BIO_new(BIO_s_mem())) == NULL)
- goto failure;
- if (BIO_set_mem_eof_return(client_wbio, -1) <= 0)
- goto failure;
-
- if ((server_wbio = BIO_new(BIO_s_mem())) == NULL)
- goto failure;
- if (BIO_set_mem_eof_return(server_wbio, -1) <= 0)
- goto failure;
-
- if ((client = tls_client(server_wbio, client_wbio)) == NULL)
- goto failure;
- if (tt->client_min_version != 0) {
- if (!SSL_set_min_proto_version(client, tt->client_min_version))
- goto failure;
- }
- if (tt->client_max_version != 0) {
- if (!SSL_set_max_proto_version(client, tt->client_max_version))
- goto failure;
- }
- if (tt->client_ciphers != NULL) {
- if (!SSL_set_cipher_list(client, tt->client_ciphers))
- goto failure;
- }
-
- if ((server = tls_server(client_wbio, server_wbio)) == NULL)
- goto failure;
- if (tt->server_min_version != 0) {
- if (!SSL_set_min_proto_version(server, tt->server_min_version))
- goto failure;
- }
- if (tt->server_max_version != 0) {
- if (!SSL_set_max_proto_version(server, tt->server_max_version))
- goto failure;
- }
- if (tt->server_ciphers != NULL) {
- if (!SSL_set_cipher_list(server, tt->server_ciphers))
- goto failure;
- }
-
- if (!do_client_server_loop(client, do_connect, server, do_accept)) {
- fprintf(stderr, "FAIL: client and server handshake failed\n");
- goto failure;
- }
-
- if (!do_client_server_loop(client, do_write, server, do_read)) {
- fprintf(stderr, "FAIL: client write and server read I/O failed\n");
- goto failure;
- }
-
- if (!do_client_server_loop(client, do_read, server, do_write)) {
- fprintf(stderr, "FAIL: client read and server write I/O failed\n");
- goto failure;
- }
-
- if (!do_client_server_loop(client, do_shutdown, server, do_shutdown)) {
- fprintf(stderr, "FAIL: client and server shutdown failed\n");
- goto failure;
- }
-
- fprintf(stderr, "INFO: Done!\n");
-
- failed = 0;
-
- failure:
- BIO_free(client_wbio);
- BIO_free(server_wbio);
-
- SSL_free(client);
- SSL_free(server);
-
- return failed;
-}
-
-int
-main(int argc, char **argv)
-{
- int failed = 0;
- size_t i;
-
- if (argc != 4) {
- fprintf(stderr, "usage: %s keyfile certfile cafile\n",
- argv[0]);
- exit(1);
- }
-
- server_key_file = argv[1];
- server_cert_file = argv[2];
- server_ca_file = argv[3];
-
- for (i = 0; i < N_TLS_TESTS; i++)
- failed |= tlstest(&tls_tests[i]);
-
- return failed;
-}
diff --git a/src/regress/lib/libssl/tlsext/Makefile b/src/regress/lib/libssl/tlsext/Makefile
deleted file mode 100644
index 9ff441697f..0000000000
--- a/src/regress/lib/libssl/tlsext/Makefile
+++ /dev/null
@@ -1,10 +0,0 @@
-# $OpenBSD: Makefile,v 1.2 2022/06/29 15:06:18 tb Exp $
-
-PROG= tlsexttest
-LDADD= ${SSL_INT} -lcrypto
-DPADD= ${LIBCRYPTO} ${LIBSSL}
-WARNINGS= Yes
-CFLAGS+= -DLIBRESSL_INTERNAL -Wundef -Werror
-CFLAGS+= -I${.CURDIR}/../../../../lib/libssl
-
-.include
diff --git a/src/regress/lib/libssl/tlsext/tlsexttest.c b/src/regress/lib/libssl/tlsext/tlsexttest.c
deleted file mode 100644
index 4adf27421d..0000000000
--- a/src/regress/lib/libssl/tlsext/tlsexttest.c
+++ /dev/null
@@ -1,4702 +0,0 @@ -/* $OpenBSD: tlsexttest.c,v 1.92 2024/09/11 15:04:16 tb Exp $ */ -/* - * Copyright (c) 2017 Joel Sing - * Copyright (c) 2017 Doug Hogan - * Copyright (c) 2019 Bob Beck - * Copyright (c) 2022 Theo Buehler - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#include - -#include - -#include "ssl_local.h" - -#include "bytestring.h" -#include "ssl_tlsext.h" - -struct tls_extension_funcs { - int (*needs)(SSL *s, uint16_t msg_type); - int (*build)(SSL *s, uint16_t msg_type, CBB *cbb); - int (*process)(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); -}; - -uint16_t tls_extension_type(const struct tls_extension *); -const struct tls_extension *tls_extension_find(uint16_t, size_t *); -const struct tls_extension_funcs *tlsext_funcs(const struct tls_extension *, - int); -int tlsext_linearize_build_order(SSL *); - -static int -tls_extension_funcs(int type, const struct tls_extension_funcs **client_funcs, - const struct tls_extension_funcs **server_funcs) -{ - const struct tls_extension *ext; - size_t idx; - - if ((ext = tls_extension_find(type, &idx)) == NULL) - return 0; - - if ((*client_funcs = tlsext_funcs(ext, 0)) == NULL) - return 0; - - if ((*server_funcs = tlsext_funcs(ext, 1)) == NULL) - return 0; - - return 1; -} - -static void -hexdump(const unsigned char *buf, 
size_t len) -{ - size_t i; - - for (i = 1; i <= len; i++) - fprintf(stderr, " 0x%02hhx,%s", buf[i - 1], i % 8 ? "" : "\n"); - - fprintf(stderr, "\n"); -} - -static void -hexdump2(const uint16_t *buf, size_t len) -{ - size_t i; - - for (i = 1; i <= len / 2; i++) - fprintf(stderr, " 0x%04hx,%s", buf[i - 1], i % 8 ? "" : "\n"); - - fprintf(stderr, "\n"); -} - -static void -compare_data(const uint8_t *recv, size_t recv_len, const uint8_t *expect, - size_t expect_len) -{ - fprintf(stderr, "received:\n"); - hexdump(recv, recv_len); - - fprintf(stderr, "test data:\n"); - hexdump(expect, expect_len); -} - -static void -compare_data2(const uint16_t *recv, size_t recv_len, const uint16_t *expect, - size_t expect_len) -{ - fprintf(stderr, "received:\n"); - hexdump2(recv, recv_len); - - fprintf(stderr, "test data:\n"); - hexdump2(expect, expect_len); -} - -#define FAIL(msg, ...) \ -do { \ - fprintf(stderr, "[%s:%d] FAIL: ", __FILE__, __LINE__); \ - fprintf(stderr, msg, ##__VA_ARGS__); \ -} while(0) - -/* - * Supported Application-Layer Protocol Negotiation - RFC 7301 - * - * There are already extensive unit tests for this so this just - * tests the state info. 
- */ - -const uint8_t tlsext_alpn_multiple_protos_val[] = { - /* opaque ProtocolName<1..2^8-1> -- 'http/1.1' */ - 0x08, /* len */ - 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31, - /* opaque ProtocolName<1..2^8-1> -- 'stun.nat' */ - 0x09, /* len */ - 0x73, 0x74, 0x75, 0x6e, 0x2e, 0x74, 0x75, 0x72, 0x6e -}; - -const uint8_t tlsext_alpn_multiple_protos[] = { - /* ProtocolName protocol_name_list<2..2^16-1> -- ALPN names */ - 0x00, 0x13, /* len of all names */ - /* opaque ProtocolName<1..2^8-1> -- 'http/1.1' */ - 0x08, /* len */ - 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31, - /* opaque ProtocolName<1..2^8-1> -- 'stun.nat' */ - 0x09, /* len */ - 0x73, 0x74, 0x75, 0x6e, 0x2e, 0x74, 0x75, 0x72, 0x6e -}; - -const uint8_t tlsext_alpn_single_proto_val[] = { - /* opaque ProtocolName<1..2^8-1> -- 'http/1.1' */ - 0x08, /* len */ - 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31 -}; - -const uint8_t tlsext_alpn_single_proto_name[] = { - 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31 /* 'http/1.1' */ -}; - -const uint8_t tlsext_alpn_single_proto[] = { - /* ProtocolName protocol_name_list<2..2^16-1> -- ALPN names */ - 0x00, 0x09, /* len of all names */ - /* opaque ProtocolName<1..2^8-1> -- 'http/1.1' */ - 0x08, /* len */ - 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31 -}; - -#define TLSEXT_TYPE_alpn TLSEXT_TYPE_application_layer_protocol_negotiation - -static int -test_tlsext_alpn_client(void) -{ - SSL_CTX *ssl_ctx = NULL; - SSL *ssl = NULL; - const struct tls_extension_funcs *client_funcs; - const struct tls_extension_funcs *server_funcs; - uint8_t *data = NULL; - CBB cbb; - CBS cbs; - int failure, alert; - size_t dlen; - - failure = 1; - - if (!CBB_init(&cbb, 0)) - errx(1, "Failed to create CBB"); - - if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL) - errx(1, "failed to create SSL_CTX"); - if ((ssl = SSL_new(ssl_ctx)) == NULL) - errx(1, "failed to create SSL"); - - if (!tls_extension_funcs(TLSEXT_TYPE_alpn, &client_funcs, &server_funcs)) - errx(1, "failed to fetch 
ALPN funcs"); - - /* By default, we don't need this */ - if (client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) { - FAIL("client should not need ALPN by default\n"); - goto err; - } - - /* - * Prereqs: - * 1) Set s->alpn_client_proto_list - * - Using SSL_set_alpn_protos() - * 2) We have not finished or renegotiated. - * - s->s3->tmp.finish_md_len == 0 - */ - if (SSL_set_alpn_protos(ssl, tlsext_alpn_single_proto_val, - sizeof(tlsext_alpn_single_proto_val)) != 0) { - FAIL("should be able to set ALPN to http/1.1\n"); - goto err; - } - if (!client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) { - FAIL("client should need ALPN by default\n"); - goto err; - } - - /* Make sure we can build the client with a single proto. */ - - if (!client_funcs->build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) { - FAIL("client failed to build ALPN\n"); - goto err; - } - if (!CBB_finish(&cbb, &data, &dlen)) - errx(1, "failed to finish CBB"); - - if (dlen != sizeof(tlsext_alpn_single_proto)) { - FAIL("got client ALPN with length %zu, " - "want length %zu\n", dlen, - sizeof(tlsext_alpn_single_proto)); - compare_data(data, dlen, tlsext_alpn_single_proto, - sizeof(tlsext_alpn_single_proto)); - goto err; - } - if (memcmp(data, tlsext_alpn_single_proto, dlen) != 0) { - FAIL("client ALPN differs:\n"); - compare_data(data, dlen, tlsext_alpn_single_proto, - sizeof(tlsext_alpn_single_proto)); - goto err; - } - - CBB_cleanup(&cbb); - if (!CBB_init(&cbb, 0)) - errx(1, "Failed to create CBB"); - free(data); - data = NULL; - - /* Make sure we can parse the single proto. 
*/ - - CBS_init(&cbs, tlsext_alpn_single_proto, - sizeof(tlsext_alpn_single_proto)); - if (!server_funcs->process(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) { - FAIL("failed to parse ALPN\n"); - goto err; - } - if (CBS_len(&cbs) != 0) { - FAIL("extension data remaining\n"); - goto err; - } - - if (ssl->alpn_client_proto_list_len != - sizeof(tlsext_alpn_single_proto_val)) { - FAIL("got client ALPN with length %zu, " - "want length %zu\n", dlen, - sizeof(tlsext_alpn_single_proto_val)); - compare_data(ssl->alpn_client_proto_list, - ssl->alpn_client_proto_list_len, - tlsext_alpn_single_proto_val, - sizeof(tlsext_alpn_single_proto_val)); - goto err; - } - if (memcmp(ssl->alpn_client_proto_list, - tlsext_alpn_single_proto_val, - sizeof(tlsext_alpn_single_proto_val)) != 0) { - FAIL("client ALPN differs:\n"); - compare_data(data, dlen, tlsext_alpn_single_proto_val, - sizeof(tlsext_alpn_single_proto_val)); - goto err; - } - - /* Make sure we can build the clienthello with multiple entries. */ - - if (SSL_set_alpn_protos(ssl, tlsext_alpn_multiple_protos_val, - sizeof(tlsext_alpn_multiple_protos_val)) != 0) { - FAIL("should be able to set ALPN to http/1.1\n"); - goto err; - } - if (!client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) { - FAIL("client should need ALPN by now\n"); - goto err; - } - - if (!client_funcs->build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) { - FAIL("client failed to build ALPN\n"); - goto err; - } - if (!CBB_finish(&cbb, &data, &dlen)) - errx(1, "failed to finish CBB"); - - if (dlen != sizeof(tlsext_alpn_multiple_protos)) { - FAIL("got client ALPN with length %zu, " - "want length %zu\n", dlen, - sizeof(tlsext_alpn_multiple_protos)); - compare_data(data, dlen, tlsext_alpn_multiple_protos, - sizeof(tlsext_alpn_multiple_protos)); - goto err; - } - if (memcmp(data, tlsext_alpn_multiple_protos, dlen) != 0) { - FAIL("client ALPN differs:\n"); - compare_data(data, dlen, tlsext_alpn_multiple_protos, - sizeof(tlsext_alpn_multiple_protos)); - goto err; - } - - /* Make sure we can 
parse multiple protos */ - - CBS_init(&cbs, tlsext_alpn_multiple_protos, - sizeof(tlsext_alpn_multiple_protos)); - if (!server_funcs->process(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) { - FAIL("failed to parse ALPN\n"); - goto err; - } - if (CBS_len(&cbs) != 0) { - FAIL("extension data remaining\n"); - goto err; - } - - if (ssl->alpn_client_proto_list_len != - sizeof(tlsext_alpn_multiple_protos_val)) { - FAIL("got client ALPN with length %zu, " - "want length %zu\n", dlen, - sizeof(tlsext_alpn_multiple_protos_val)); - compare_data(ssl->alpn_client_proto_list, - ssl->alpn_client_proto_list_len, - tlsext_alpn_multiple_protos_val, - sizeof(tlsext_alpn_multiple_protos_val)); - goto err; - } - if (memcmp(ssl->alpn_client_proto_list, - tlsext_alpn_multiple_protos_val, - sizeof(tlsext_alpn_multiple_protos_val)) != 0) { - FAIL("client ALPN differs:\n"); - compare_data(data, dlen, tlsext_alpn_multiple_protos_val, - sizeof(tlsext_alpn_multiple_protos_val)); - goto err; - } - - /* Make sure we can remove the list and avoid ALPN */ - - free(ssl->alpn_client_proto_list); - ssl->alpn_client_proto_list = NULL; - ssl->alpn_client_proto_list_len = 0; - - if (client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) { - FAIL("client should need ALPN by default\n"); - goto err; - } - - failure = 0; - - err: - CBB_cleanup(&cbb); - SSL_CTX_free(ssl_ctx); - SSL_free(ssl); - free(data); - - return (failure); -} - -static int -test_tlsext_alpn_server(void) -{ - SSL_CTX *ssl_ctx = NULL; - SSL *ssl = NULL; - const struct tls_extension_funcs *client_funcs; - const struct tls_extension_funcs *server_funcs; - uint8_t *data = NULL; - CBB cbb; - CBS cbs; - int failure, alert; - size_t dlen; - - failure = 1; - - if (!CBB_init(&cbb, 0)) - errx(1, "Failed to create CBB"); - - if ((ssl_ctx = SSL_CTX_new(TLS_server_method())) == NULL) - errx(1, "failed to create SSL_CTX"); - if ((ssl = SSL_new(ssl_ctx)) == NULL) - errx(1, "failed to create SSL"); - - if (!tls_extension_funcs(TLSEXT_TYPE_alpn, &client_funcs, 
&server_funcs)) - errx(1, "failed to fetch ALPN funcs"); - - /* By default, ALPN isn't needed. */ - if (server_funcs->needs(ssl, SSL_TLSEXT_MSG_SH)) { - FAIL("server should not need ALPN by default\n"); - goto err; - } - - /* - * The server has a single ALPN selection which is set by - * SSL_CTX_set_alpn_select_cb() and calls SSL_select_next_proto(). - * - * This will be a plain name and separate length. - */ - if ((ssl->s3->alpn_selected = malloc(sizeof(tlsext_alpn_single_proto_name))) == NULL) { - errx(1, "failed to malloc"); - } - memcpy(ssl->s3->alpn_selected, tlsext_alpn_single_proto_name, - sizeof(tlsext_alpn_single_proto_name)); - ssl->s3->alpn_selected_len = sizeof(tlsext_alpn_single_proto_name); - - if (!server_funcs->needs(ssl, SSL_TLSEXT_MSG_SH)) { - FAIL("server should need ALPN after a protocol is selected\n"); - goto err; - } - - /* Make sure we can build a server with one protocol */ - - if (!server_funcs->build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) { - FAIL("server should be able to build a response\n"); - goto err; - } - if (!CBB_finish(&cbb, &data, &dlen)) - errx(1, "failed to finish CBB"); - - if (dlen != sizeof(tlsext_alpn_single_proto)) { - FAIL("got client ALPN with length %zu, " - "want length %zu\n", dlen, - sizeof(tlsext_alpn_single_proto)); - compare_data(data, dlen, tlsext_alpn_single_proto, - sizeof(tlsext_alpn_single_proto)); - goto err; - } - if (memcmp(data, tlsext_alpn_single_proto, dlen) != 0) { - FAIL("client ALPN differs:\n"); - compare_data(data, dlen, tlsext_alpn_single_proto, - sizeof(tlsext_alpn_single_proto)); - goto err; - } - - CBB_cleanup(&cbb); - if (!CBB_init(&cbb, 0)) - errx(1, "Failed to create CBB"); - free(data); - data = NULL; - - /* Make sure we can parse the single proto. 
*/ - - CBS_init(&cbs, tlsext_alpn_single_proto, - sizeof(tlsext_alpn_single_proto)); - - /* Shouldn't be able to parse without requesting */ - if (client_funcs->process(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) { - FAIL("Should only parse server if we requested it\n"); - goto err; - } - - /* Should be able to parse once requested. */ - if (SSL_set_alpn_protos(ssl, tlsext_alpn_single_proto_val, - sizeof(tlsext_alpn_single_proto_val)) != 0) { - FAIL("should be able to set ALPN to http/1.1\n"); - goto err; - } - if (!client_funcs->process(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) { - FAIL("Should be able to parse server when we request it\n"); - goto err; - } - if (CBS_len(&cbs) != 0) { - FAIL("extension data remaining\n"); - goto err; - } - - if (ssl->s3->alpn_selected_len != - sizeof(tlsext_alpn_single_proto_name)) { - FAIL("got server ALPN with length %zu, " - "want length %zu\n", dlen, - sizeof(tlsext_alpn_single_proto_name)); - compare_data(ssl->s3->alpn_selected, - ssl->s3->alpn_selected_len, - tlsext_alpn_single_proto_name, - sizeof(tlsext_alpn_single_proto_name)); - goto err; - } - if (memcmp(ssl->s3->alpn_selected, - tlsext_alpn_single_proto_name, - sizeof(tlsext_alpn_single_proto_name)) != 0) { - FAIL("server ALPN differs:\n"); - compare_data(ssl->s3->alpn_selected, - ssl->s3->alpn_selected_len, - tlsext_alpn_single_proto_name, - sizeof(tlsext_alpn_single_proto_name)); - goto err; - } - - /* - * We should NOT be able to build a server with multiple - * protocol names. However, the existing code did not check for this - * case because it is passed in as an encoded value. 
- */
-
- /* Make sure we can remove the list and avoid ALPN */
-
- free(ssl->s3->alpn_selected);
- ssl->s3->alpn_selected = NULL;
- ssl->s3->alpn_selected_len = 0;
-
- if (server_funcs->needs(ssl, SSL_TLSEXT_MSG_SH)) {
- FAIL("server should not need ALPN by default\n");
- goto err;
- }
-
- failure = 0;
-
- err:
- CBB_cleanup(&cbb);
- SSL_CTX_free(ssl_ctx);
- SSL_free(ssl);
- free(data);
-
- return (failure);
-
-}
-
-/*
- * Supported Elliptic Curves - RFC 4492 section 5.1.1.
- *
- * This extension is only used by the client.
- */
-
-static const uint8_t tlsext_supportedgroups_client_default[] = {
- 0x00, 0x08,
- 0x00, 0x1d, /* X25519 (29) */
- 0x00, 0x17, /* secp256r1 (23) */
- 0x00, 0x18, /* secp384r1 (24) */
- 0x00, 0x19, /* secp521r1 (25) */
-};
-
-static const uint16_t tlsext_supportedgroups_client_secp384r1_val[] = {
- 0x0018 /* tls1_ec_nid2group_id(NID_secp384r1) */
-};
-static const uint8_t tlsext_supportedgroups_client_secp384r1[] = {
- 0x00, 0x02,
- 0x00, 0x18 /* secp384r1 (24) */
-};
-
-/* Example from RFC 4492 section 5.1.1 */
-static const uint16_t tlsext_supportedgroups_client_nistp192and224_val[] = {
- 0x0013, /* tls1_ec_nid2group_id(NID_X9_62_prime192v1) */
- 0x0015 /* tls1_ec_nid2group_id(NID_secp224r1) */
-};
-static const uint8_t tlsext_supportedgroups_client_nistp192and224[] = {
- 0x00, 0x04,
- 0x00, 0x13, /* secp192r1 aka NIST P-192 */
- 0x00, 0x15 /* secp224r1 aka NIST P-224 */
-};
-
-static int
-test_tlsext_supportedgroups_client(void)
-{
- unsigned char *data = NULL;
- SSL_CTX *ssl_ctx = NULL;
- SSL *ssl = NULL;
- const struct tls_extension_funcs *client_funcs;
- const struct tls_extension_funcs *server_funcs;
- size_t dlen;
- int failure, alert;
- CBB cbb;
- CBS cbs;
-
- failure = 1;
-
- if (!CBB_init(&cbb, 0))
- errx(1, "failed to create CBB");
-
- if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL)
- errx(1, "failed to create SSL_CTX");
- if ((ssl = SSL_new(ssl_ctx)) == NULL)
- errx(1, "failed to create SSL");
-
- if 
(!tls_extension_funcs(TLSEXT_TYPE_supported_groups, &client_funcs,
- &server_funcs))
- errx(1, "failed to fetch supported groups funcs");
-
- /*
- * Default ciphers include EC so we need it by default.
- */
- if (!client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
- FAIL("client should need Ellipticcurves for default "
- "ciphers\n");
- goto err;
- }
-
- /*
- * Exclude cipher suites so we can test not including it.
- */
- if (!SSL_set_cipher_list(ssl, "TLSv1.2:!ECDHE:!ECDSA")) {
- FAIL("client should be able to set cipher list\n");
- goto err;
- }
- if (client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
- FAIL("client should not need Ellipticcurves\n");
- goto err;
- }
-
- /*
- * Use libtls default for the rest of the testing
- */
- if (!SSL_set_cipher_list(ssl, "TLSv1.2+AEAD+ECDHE")) {
- FAIL("client should be able to set cipher list\n");
- goto err;
- }
- if (!client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
- FAIL("client should need Ellipticcurves\n");
- goto err;
- }
-
- /*
- * Test with a session secp384r1. The default is used instead. 
- */
- if ((ssl->session = SSL_SESSION_new()) == NULL)
- errx(1, "failed to create session");
-
- if ((ssl->session->tlsext_supportedgroups = malloc(sizeof(uint16_t)))
- == NULL) {
- FAIL("client could not malloc\n");
- goto err;
- }
- if (!tls1_ec_nid2group_id(NID_secp384r1,
- &ssl->session->tlsext_supportedgroups[0]))
- goto err;
- ssl->session->tlsext_supportedgroups_length = 1;
-
- if (!client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
- FAIL("client should need Ellipticcurves\n");
- goto err;
- }
-
- if (!client_funcs->build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
- FAIL("client failed to build Ellipticcurves\n");
- goto err;
- }
-
- if (!CBB_finish(&cbb, &data, &dlen))
- errx(1, "failed to finish CBB");
-
- if (dlen != sizeof(tlsext_supportedgroups_client_default)) {
- FAIL("got client Ellipticcurves with length %zu, "
- "want length %zu\n", dlen,
- sizeof(tlsext_supportedgroups_client_default));
- compare_data(data, dlen, tlsext_supportedgroups_client_default,
- sizeof(tlsext_supportedgroups_client_default));
- goto err;
- }
-
- if (memcmp(data, tlsext_supportedgroups_client_default, dlen) != 0) {
- FAIL("client Ellipticcurves differs:\n");
- compare_data(data, dlen, tlsext_supportedgroups_client_default,
- sizeof(tlsext_supportedgroups_client_default));
- goto err;
- }
-
- /*
- * Test parsing secp384r1
- */
- CBB_cleanup(&cbb);
- if (!CBB_init(&cbb, 0))
- errx(1, "Failed to create CBB");
- free(data);
- data = NULL;
-
- SSL_SESSION_free(ssl->session);
- if ((ssl->session = SSL_SESSION_new()) == NULL)
- errx(1, "failed to create session");
-
- CBS_init(&cbs, tlsext_supportedgroups_client_secp384r1,
- sizeof(tlsext_supportedgroups_client_secp384r1));
- if (!server_funcs->process(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
- FAIL("failed to parse client Ellipticcurves\n");
- goto err;
- }
- if (CBS_len(&cbs) != 0) {
- FAIL("extension data remaining\n");
- goto err;
- }
-
- if (ssl->session->tlsext_supportedgroups_length !=
- 
sizeof(tlsext_supportedgroups_client_secp384r1_val) / sizeof(uint16_t)) {
- FAIL("no tlsext_ellipticcurves from client "
- "Ellipticcurves\n");
- goto err;
- }
-
- if (memcmp(ssl->session->tlsext_supportedgroups,
- tlsext_supportedgroups_client_secp384r1_val,
- sizeof(tlsext_supportedgroups_client_secp384r1_val)) != 0) {
- FAIL("client had an incorrect Ellipticcurves "
- "entry\n");
- compare_data2(ssl->session->tlsext_supportedgroups,
- ssl->session->tlsext_supportedgroups_length * 2,
- tlsext_supportedgroups_client_secp384r1_val,
- sizeof(tlsext_supportedgroups_client_secp384r1_val));
- goto err;
- }
-
- /*
- * Use a custom order.
- */
- CBB_cleanup(&cbb);
- if (!CBB_init(&cbb, 0))
- errx(1, "Failed to create CBB");
-
- SSL_SESSION_free(ssl->session);
- if ((ssl->session = SSL_SESSION_new()) == NULL)
- errx(1, "failed to create session");
-
- if ((ssl->tlsext_supportedgroups = malloc(sizeof(uint16_t) * 2)) == NULL) {
- FAIL("client could not malloc\n");
- goto err;
- }
- if (!tls1_ec_nid2group_id(NID_X9_62_prime192v1,
- &ssl->tlsext_supportedgroups[0]))
- goto err;
- if (!tls1_ec_nid2group_id(NID_secp224r1,
- &ssl->tlsext_supportedgroups[1]))
- goto err;
- ssl->tlsext_supportedgroups_length = 2;
-
- if (!client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
- FAIL("client should need Ellipticcurves\n");
- goto err;
- }
-
- if (!client_funcs->build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
- FAIL("client failed to build Ellipticcurves\n");
- goto err;
- }
-
- if (!CBB_finish(&cbb, &data, &dlen))
- errx(1, "failed to finish CBB");
-
- if (dlen != sizeof(tlsext_supportedgroups_client_nistp192and224)) {
- FAIL("got client Ellipticcurves with length %zu, "
- "want length %zu\n", dlen,
- sizeof(tlsext_supportedgroups_client_nistp192and224));
- fprintf(stderr, "received:\n");
- hexdump(data, dlen);
- fprintf(stderr, "test data:\n");
- hexdump(tlsext_supportedgroups_client_nistp192and224,
- sizeof(tlsext_supportedgroups_client_nistp192and224));
- goto err;
- }
-
- if (memcmp(data, 
tlsext_supportedgroups_client_nistp192and224, dlen) != 0) {
- FAIL("client Ellipticcurves differs:\n");
- fprintf(stderr, "received:\n");
- hexdump(data, dlen);
- fprintf(stderr, "test data:\n");
- hexdump(tlsext_supportedgroups_client_nistp192and224,
- sizeof(tlsext_supportedgroups_client_nistp192and224));
- goto err;
- }
-
- /*
- * Parse non-default curves to session.
- */
- CBB_cleanup(&cbb);
- if (!CBB_init(&cbb, 0))
- errx(1, "Failed to create CBB");
- free(data);
- data = NULL;
-
- SSL_SESSION_free(ssl->session);
- if ((ssl->session = SSL_SESSION_new()) == NULL)
- errx(1, "failed to create session");
-
- /* Reset back to the default list. */
- free(ssl->tlsext_supportedgroups);
- ssl->tlsext_supportedgroups = NULL;
- ssl->tlsext_supportedgroups_length = 0;
-
- CBS_init(&cbs, tlsext_supportedgroups_client_nistp192and224,
- sizeof(tlsext_supportedgroups_client_nistp192and224));
- if (!server_funcs->process(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
- FAIL("failed to parse client Ellipticcurves\n");
- goto err;
- }
- if (CBS_len(&cbs) != 0) {
- FAIL("extension data remaining\n");
- goto err;
- }
-
- if (ssl->session->tlsext_supportedgroups_length !=
- sizeof(tlsext_supportedgroups_client_nistp192and224_val) / sizeof(uint16_t)) {
- FAIL("no tlsext_ellipticcurves from client Ellipticcurves\n");
- goto err;
- }
-
- if (memcmp(ssl->session->tlsext_supportedgroups,
- tlsext_supportedgroups_client_nistp192and224_val,
- sizeof(tlsext_supportedgroups_client_nistp192and224_val)) != 0) {
- FAIL("client had an incorrect Ellipticcurves entry\n");
- compare_data2(ssl->session->tlsext_supportedgroups,
- ssl->session->tlsext_supportedgroups_length * 2,
- tlsext_supportedgroups_client_nistp192and224_val,
- sizeof(tlsext_supportedgroups_client_nistp192and224_val));
- goto err;
- }
-
- failure = 0;
-
- err:
- CBB_cleanup(&cbb);
- SSL_CTX_free(ssl_ctx);
- SSL_free(ssl);
- free(data);
-
- return (failure);
-}
-
-
-/* elliptic_curves is only used by the client so this doesn't test 
much. */
-static int
-test_tlsext_supportedgroups_server(void)
-{
- SSL_CTX *ssl_ctx = NULL;
- SSL *ssl = NULL;
- const struct tls_extension_funcs *client_funcs;
- const struct tls_extension_funcs *server_funcs;
- int failure;
-
- failure = 1;
-
- if ((ssl_ctx = SSL_CTX_new(TLS_server_method())) == NULL)
- errx(1, "failed to create SSL_CTX");
- if ((ssl = SSL_new(ssl_ctx)) == NULL)
- errx(1, "failed to create SSL");
-
- if (!tls_extension_funcs(TLSEXT_TYPE_supported_groups, &client_funcs,
- &server_funcs))
- errx(1, "failed to fetch supported groups funcs");
-
- if (server_funcs->needs(ssl, SSL_TLSEXT_MSG_SH)) {
- FAIL("server should not need elliptic_curves\n");
- goto err;
- }
-
- if ((ssl->session = SSL_SESSION_new()) == NULL)
- errx(1, "failed to create session");
-
- if (server_funcs->needs(ssl, SSL_TLSEXT_MSG_SH)) {
- FAIL("server should not need elliptic_curves\n");
- goto err;
- }
-
- failure = 0;
-
- err:
- SSL_CTX_free(ssl_ctx);
- SSL_free(ssl);
-
- return (failure);
-
-}
-
-/*
- * Supported Point Formats - RFC 4492 section 5.1.2.
- *
- * Examples are from the RFC. Both client and server have the same build and
- * parse but the needs differ. 
- */
-
-static const uint8_t tlsext_ecpf_hello_uncompressed_val[] = {
- TLSEXT_ECPOINTFORMAT_uncompressed
-};
-static const uint8_t tlsext_ecpf_hello_uncompressed[] = {
- 0x01,
- 0x00 /* TLSEXT_ECPOINTFORMAT_uncompressed */
-};
-
-static const uint8_t tlsext_ecpf_hello_prime[] = {
- 0x01,
- 0x01 /* TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime */
-};
-
-static const uint8_t tlsext_ecpf_hello_prefer_order_val[] = {
- TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
- TLSEXT_ECPOINTFORMAT_uncompressed,
- TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
-};
-static const uint8_t tlsext_ecpf_hello_prefer_order[] = {
- 0x03,
- 0x01, /* TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime */
- 0x00, /* TLSEXT_ECPOINTFORMAT_uncompressed */
- 0x02 /* TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2 */
-};
-
-static int
-test_tlsext_ecpf_client(void)
-{
- uint8_t *data = NULL;
- SSL_CTX *ssl_ctx = NULL;
- SSL *ssl = NULL;
- const struct tls_extension_funcs *client_funcs;
- const struct tls_extension_funcs *server_funcs;
- size_t dlen;
- int failure, alert;
- CBB cbb;
- CBS cbs;
-
- failure = 1;
-
- if (!CBB_init(&cbb, 0))
- errx(1, "Failed to create CBB");
-
- if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL)
- errx(1, "failed to create SSL_CTX");
- if ((ssl = SSL_new(ssl_ctx)) == NULL)
- errx(1, "failed to create SSL");
-
- if (!tls_extension_funcs(TLSEXT_TYPE_ec_point_formats, &client_funcs,
- &server_funcs))
- errx(1, "failed to fetch ecpf funcs");
-
- /*
- * Default ciphers include EC so we need it by default.
- */
- if (!client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
- FAIL("client should need ECPointFormats for default "
- "ciphers\n");
- goto err;
- }
-
- /*
- * Exclude EC cipher suites so we can test not including it. 
- */
- if (!SSL_set_cipher_list(ssl, "ALL:!ECDHE:!ECDH")) {
- FAIL("client should be able to set cipher list\n");
- goto err;
- }
- if (client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
- FAIL("client should not need ECPointFormats\n");
- goto err;
- }
-
- /*
- * Use libtls default for the rest of the testing
- */
- if (!SSL_set_cipher_list(ssl, "TLSv1.2+AEAD+ECDHE")) {
- FAIL("client should be able to set cipher list\n");
- goto err;
- }
- if (!client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
- FAIL("client should need ECPointFormats\n");
- goto err;
- }
-
- /*
- * The default ECPointFormats should only have uncompressed
- */
- if ((ssl->session = SSL_SESSION_new()) == NULL)
- errx(1, "failed to create session");
-
- if (!client_funcs->build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
- FAIL("client failed to build ECPointFormats\n");
- goto err;
- }
-
- if (!CBB_finish(&cbb, &data, &dlen))
- errx(1, "failed to finish CBB");
-
- if (dlen != sizeof(tlsext_ecpf_hello_uncompressed)) {
- FAIL("got client ECPointFormats with length %zu, "
- "want length %zu\n", dlen,
- sizeof(tlsext_ecpf_hello_uncompressed));
- compare_data(data, dlen, tlsext_ecpf_hello_uncompressed,
- sizeof(tlsext_ecpf_hello_uncompressed));
- goto err;
- }
-
- if (memcmp(data, tlsext_ecpf_hello_uncompressed, dlen) != 0) {
- FAIL("client ECPointFormats differs:\n");
- compare_data(data, dlen, tlsext_ecpf_hello_uncompressed,
- sizeof(tlsext_ecpf_hello_uncompressed));
- goto err;
- }
-
- /*
- * Make sure we can parse the default. 
- */
- CBB_cleanup(&cbb);
- if (!CBB_init(&cbb, 0))
- errx(1, "Failed to create CBB");
- free(data);
- data = NULL;
-
- SSL_SESSION_free(ssl->session);
- if ((ssl->session = SSL_SESSION_new()) == NULL)
- errx(1, "failed to create session");
-
- CBS_init(&cbs, tlsext_ecpf_hello_uncompressed,
- sizeof(tlsext_ecpf_hello_uncompressed));
- if (!server_funcs->process(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
- FAIL("failed to parse client ECPointFormats\n");
- goto err;
- }
- if (CBS_len(&cbs) != 0) {
- FAIL("extension data remaining\n");
- goto err;
- }
-
- if (ssl->session->tlsext_ecpointformatlist_length !=
- sizeof(tlsext_ecpf_hello_uncompressed_val)) {
- FAIL("no tlsext_ecpointformats from client "
- "ECPointFormats\n");
- goto err;
- }
-
- if (memcmp(ssl->session->tlsext_ecpointformatlist,
- tlsext_ecpf_hello_uncompressed_val,
- sizeof(tlsext_ecpf_hello_uncompressed_val)) != 0) {
- FAIL("client had an incorrect ECPointFormats entry\n");
- goto err;
- }
-
- /*
- * Test with a custom order. 
- */
- CBB_cleanup(&cbb);
- if (!CBB_init(&cbb, 0))
- errx(1, "Failed to create CBB");
- free(data);
- data = NULL;
-
- SSL_SESSION_free(ssl->session);
- if ((ssl->session = SSL_SESSION_new()) == NULL)
- errx(1, "failed to create session");
-
- if ((ssl->tlsext_ecpointformatlist = malloc(sizeof(uint8_t) * 3)) == NULL) {
- FAIL("client could not malloc\n");
- goto err;
- }
- ssl->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
- ssl->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_uncompressed;
- ssl->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
- ssl->tlsext_ecpointformatlist_length = 3;
-
- if (!client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
- FAIL("client should need ECPointFormats with a custom "
- "format\n");
- goto err;
- }
-
- if (!client_funcs->build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
- FAIL("client failed to build ECPointFormats\n");
- goto err;
- }
-
- if (!CBB_finish(&cbb, &data, &dlen))
- errx(1, "failed to finish CBB");
-
- if (dlen != sizeof(tlsext_ecpf_hello_prefer_order)) {
- FAIL("got client ECPointFormats with length %zu, "
- "want length %zu\n", dlen,
- sizeof(tlsext_ecpf_hello_prefer_order));
- compare_data(data, dlen, tlsext_ecpf_hello_prefer_order,
- sizeof(tlsext_ecpf_hello_prefer_order));
- goto err;
- }
-
- if (memcmp(data, tlsext_ecpf_hello_prefer_order, dlen) != 0) {
- FAIL("client ECPointFormats differs:\n");
- compare_data(data, dlen, tlsext_ecpf_hello_prefer_order,
- sizeof(tlsext_ecpf_hello_prefer_order));
- goto err;
- }
-
- /*
- * Make sure that we can parse this custom order.
- */
- CBB_cleanup(&cbb);
- if (!CBB_init(&cbb, 0))
- errx(1, "Failed to create CBB");
- free(data);
- data = NULL;
-
- SSL_SESSION_free(ssl->session);
- if ((ssl->session = SSL_SESSION_new()) == NULL)
- errx(1, "failed to create session");
-
- /* Reset the custom list so we go back to the default uncompressed. 
*/
- free(ssl->tlsext_ecpointformatlist);
- ssl->tlsext_ecpointformatlist = NULL;
- ssl->tlsext_ecpointformatlist_length = 0;
-
- CBS_init(&cbs, tlsext_ecpf_hello_prefer_order,
- sizeof(tlsext_ecpf_hello_prefer_order));
- if (!server_funcs->process(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
- FAIL("failed to parse client ECPointFormats\n");
- goto err;
- }
- if (CBS_len(&cbs) != 0) {
- FAIL("extension data remaining\n");
- goto err;
- }
-
- if (ssl->session->tlsext_ecpointformatlist_length !=
- sizeof(tlsext_ecpf_hello_prefer_order_val)) {
- FAIL("no tlsext_ecpointformats from client "
- "ECPointFormats\n");
- goto err;
- }
-
- if (memcmp(ssl->session->tlsext_ecpointformatlist,
- tlsext_ecpf_hello_prefer_order_val,
- sizeof(tlsext_ecpf_hello_prefer_order_val)) != 0) {
- FAIL("client had an incorrect ECPointFormats entry\n");
- goto err;
- }
-
- failure = 0;
-
- err:
- CBB_cleanup(&cbb);
- SSL_CTX_free(ssl_ctx);
- SSL_free(ssl);
- free(data);
-
- return (failure);
-}
-
-static int
-test_tlsext_ecpf_server(void)
-{
- uint8_t *data = NULL;
- SSL_CTX *ssl_ctx = NULL;
- SSL *ssl = NULL;
- const struct tls_extension_funcs *client_funcs;
- const struct tls_extension_funcs *server_funcs;
- size_t dlen;
- int failure, alert;
- CBB cbb;
- CBS cbs;
-
- failure = 1;
-
- if (!CBB_init(&cbb, 0))
- errx(1, "Failed to create CBB");
-
- if ((ssl_ctx = SSL_CTX_new(TLS_server_method())) == NULL)
- errx(1, "failed to create SSL_CTX");
- if ((ssl = SSL_new(ssl_ctx)) == NULL)
- errx(1, "failed to create SSL");
-
- if (!tls_extension_funcs(TLSEXT_TYPE_ec_point_formats, &client_funcs,
- &server_funcs))
- errx(1, "failed to fetch ecpf funcs");
-
- if ((ssl->session = SSL_SESSION_new()) == NULL)
- errx(1, "failed to create session");
-
- /* Setup the state so we can call needs. 
*/
- if ((ssl->s3->hs.cipher = ssl3_get_cipher_by_value(0xcca9)) == NULL) {
- FAIL("server cannot find cipher\n");
- goto err;
- }
- if ((ssl->session->tlsext_ecpointformatlist = malloc(sizeof(uint8_t)))
- == NULL) {
- FAIL("server could not malloc\n");
- goto err;
- }
- ssl->session->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
- ssl->session->tlsext_ecpointformatlist_length = 1;
-
- if (!server_funcs->needs(ssl, SSL_TLSEXT_MSG_SH)) {
- FAIL("server should need ECPointFormats now\n");
- goto err;
- }
-
- /*
- * The server will ignore the session list and use either a custom
- * list or the default (uncompressed).
- */
- if (!server_funcs->build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) {
- FAIL("server failed to build ECPointFormats\n");
- goto err;
- }
-
- if (!CBB_finish(&cbb, &data, &dlen))
- errx(1, "failed to finish CBB");
-
- if (dlen != sizeof(tlsext_ecpf_hello_uncompressed)) {
- FAIL("got server ECPointFormats with length %zu, "
- "want length %zu\n", dlen,
- sizeof(tlsext_ecpf_hello_uncompressed));
- compare_data(data, dlen, tlsext_ecpf_hello_uncompressed,
- sizeof(tlsext_ecpf_hello_uncompressed));
- goto err;
- }
-
- if (memcmp(data, tlsext_ecpf_hello_uncompressed, dlen) != 0) {
- FAIL("server ECPointFormats differs:\n");
- compare_data(data, dlen, tlsext_ecpf_hello_uncompressed,
- sizeof(tlsext_ecpf_hello_uncompressed));
- goto err;
- }
-
- /*
- * Cannot parse a non-default list without at least uncompressed. 
- */
- CBB_cleanup(&cbb);
- if (!CBB_init(&cbb, 0))
- errx(1, "Failed to create CBB");
- free(data);
- data = NULL;
-
- SSL_SESSION_free(ssl->session);
- if ((ssl->session = SSL_SESSION_new()) == NULL)
- errx(1, "failed to create session");
-
- CBS_init(&cbs, tlsext_ecpf_hello_prime,
- sizeof(tlsext_ecpf_hello_prime));
- if (client_funcs->process(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
- FAIL("must include uncompressed in server ECPointFormats\n");
- goto err;
- }
- if (CBS_len(&cbs) != 0) {
- FAIL("extension data remaining\n");
- goto err;
- }
-
- /*
- * Test with a custom order that replaces the default uncompressed.
- */
- CBB_cleanup(&cbb);
- if (!CBB_init(&cbb, 0))
- errx(1, "Failed to create CBB");
- free(data);
- data = NULL;
-
- SSL_SESSION_free(ssl->session);
- if ((ssl->session = SSL_SESSION_new()) == NULL)
- errx(1, "failed to create session");
-
- /* Add a session list even though it will be ignored. */
- if ((ssl->session->tlsext_ecpointformatlist = malloc(sizeof(uint8_t)))
- == NULL) {
- FAIL("server could not malloc\n");
- goto err;
- }
- ssl->session->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
- ssl->session->tlsext_ecpointformatlist_length = 1;
-
- /* Replace the default list with a custom one. 
*/
- if ((ssl->tlsext_ecpointformatlist = malloc(sizeof(uint8_t) * 3)) == NULL) {
- FAIL("server could not malloc\n");
- goto err;
- }
- ssl->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
- ssl->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_uncompressed;
- ssl->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
- ssl->tlsext_ecpointformatlist_length = 3;
-
- if (!server_funcs->needs(ssl, SSL_TLSEXT_MSG_SH)) {
- FAIL("server should need ECPointFormats\n");
- goto err;
- }
-
- if (!server_funcs->build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) {
- FAIL("server failed to build ECPointFormats\n");
- goto err;
- }
-
- if (!CBB_finish(&cbb, &data, &dlen))
- errx(1, "failed to finish CBB");
-
- if (dlen != sizeof(tlsext_ecpf_hello_prefer_order)) {
- FAIL("got server ECPointFormats with length %zu, "
- "want length %zu\n", dlen,
- sizeof(tlsext_ecpf_hello_prefer_order));
- compare_data(data, dlen, tlsext_ecpf_hello_prefer_order,
- sizeof(tlsext_ecpf_hello_prefer_order));
- goto err;
- }
-
- if (memcmp(data, tlsext_ecpf_hello_prefer_order, dlen) != 0) {
- FAIL("server ECPointFormats differs:\n");
- compare_data(data, dlen, tlsext_ecpf_hello_prefer_order,
- sizeof(tlsext_ecpf_hello_prefer_order));
- goto err;
- }
-
- /*
- * Should be able to parse the custom list into a session list. 
- */
- CBB_cleanup(&cbb);
- if (!CBB_init(&cbb, 0))
- errx(1, "Failed to create CBB");
- free(data);
- data = NULL;
-
- SSL_SESSION_free(ssl->session);
- if ((ssl->session = SSL_SESSION_new()) == NULL)
- errx(1, "failed to create session");
-
- /* Reset back to the default (uncompressed) */
- free(ssl->tlsext_ecpointformatlist);
- ssl->tlsext_ecpointformatlist = NULL;
- ssl->tlsext_ecpointformatlist_length = 0;
-
- CBS_init(&cbs, tlsext_ecpf_hello_prefer_order,
- sizeof(tlsext_ecpf_hello_prefer_order));
- if (!client_funcs->process(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
- FAIL("failed to parse server ECPointFormats\n");
- goto err;
- }
- if (CBS_len(&cbs) != 0) {
- FAIL("extension data remaining\n");
- goto err;
- }
-
- if (ssl->session->tlsext_ecpointformatlist_length !=
- sizeof(tlsext_ecpf_hello_prefer_order_val)) {
- FAIL("no tlsext_ecpointformats from server "
- "ECPointFormats\n");
- goto err;
- }
-
- if (memcmp(ssl->session->tlsext_ecpointformatlist,
- tlsext_ecpf_hello_prefer_order_val,
- sizeof(tlsext_ecpf_hello_prefer_order_val)) != 0) {
- FAIL("server had an incorrect ECPointFormats entry\n");
- goto err;
- }
-
- failure = 0;
-
- err:
- CBB_cleanup(&cbb);
- SSL_CTX_free(ssl_ctx);
- SSL_free(ssl);
- free(data);
-
- return (failure);
-}
-
-/*
- * Renegotiation Indication - RFC 5746. 
- */
-
-static const unsigned char tlsext_ri_prev_client[] = {
- 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
- 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
-};
-
-static const unsigned char tlsext_ri_prev_server[] = {
- 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99, 0x88,
- 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11, 0x00,
-};
-
-static const unsigned char tlsext_ri_client[] = {
- 0x10,
- 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
- 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
-};
-
-static const unsigned char tlsext_ri_server[] = {
- 0x20,
- 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
- 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
- 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99, 0x88,
- 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11, 0x00,
-};
-
-static int
-test_tlsext_ri_client(void)
-{
- unsigned char *data = NULL;
- SSL_CTX *ssl_ctx = NULL;
- SSL *ssl = NULL;
- const struct tls_extension_funcs *client_funcs;
- const struct tls_extension_funcs *server_funcs;
- int failure;
- size_t dlen;
- int alert;
- CBB cbb;
- CBS cbs;
-
- failure = 1;
-
- if (!CBB_init(&cbb, 0))
- errx(1, "Failed to create CBB");
-
- if ((ssl_ctx = SSL_CTX_new(TLSv1_2_client_method())) == NULL)
- errx(1, "failed to create SSL_CTX");
- if ((ssl = SSL_new(ssl_ctx)) == NULL)
- errx(1, "failed to create SSL");
-
- if (!tls_extension_funcs(TLSEXT_TYPE_renegotiate, &client_funcs,
- &server_funcs))
- errx(1, "failed to fetch ri funcs");
-
- if (client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
- FAIL("client should not need RI\n");
- goto err;
- }
-
- if (!SSL_renegotiate(ssl)) {
- FAIL("client failed to set renegotiate\n");
- goto err;
- }
-
- if (!client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
- FAIL("client should need RI\n");
- goto err;
- }
-
- memcpy(ssl->s3->previous_client_finished, tlsext_ri_prev_client,
- sizeof(tlsext_ri_prev_client));
- ssl->s3->previous_client_finished_len = sizeof(tlsext_ri_prev_client);
-
- ssl->s3->renegotiate_seen = 0;
-
- if (!client_funcs->build(ssl, 
SSL_TLSEXT_MSG_CH, &cbb)) {
- FAIL("client failed to build RI\n");
- goto err;
- }
-
- if (!CBB_finish(&cbb, &data, &dlen))
- errx(1, "failed to finish CBB");
-
- if (dlen != sizeof(tlsext_ri_client)) {
- FAIL("got client RI with length %zu, "
- "want length %zu\n", dlen, sizeof(tlsext_ri_client));
- goto err;
- }
-
- if (memcmp(data, tlsext_ri_client, dlen) != 0) {
- FAIL("client RI differs:\n");
- fprintf(stderr, "received:\n");
- hexdump(data, dlen);
- fprintf(stderr, "test data:\n");
- hexdump(tlsext_ri_client, sizeof(tlsext_ri_client));
- goto err;
- }
-
- CBS_init(&cbs, tlsext_ri_client, sizeof(tlsext_ri_client));
- if (!server_funcs->process(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
- FAIL("failed to parse client RI\n");
- goto err;
- }
- if (CBS_len(&cbs) != 0) {
- FAIL("extension data remaining\n");
- goto err;
- }
-
- if (ssl->s3->renegotiate_seen != 1) {
- FAIL("renegotiate seen not set\n");
- goto err;
- }
- if (ssl->s3->send_connection_binding != 1) {
- FAIL("send connection binding not set\n");
- goto err;
- }
-
- memset(ssl->s3->previous_client_finished, 0,
- sizeof(ssl->s3->previous_client_finished));
-
- ssl->s3->renegotiate_seen = 0;
-
- CBS_init(&cbs, tlsext_ri_client, sizeof(tlsext_ri_client));
- if (server_funcs->process(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
- FAIL("parsed invalid client RI\n");
- goto err;
- }
-
- if (ssl->s3->renegotiate_seen == 1) {
- FAIL("renegotiate seen set\n");
- goto err;
- }
-
- failure = 0;
-
- err:
- CBB_cleanup(&cbb);
- SSL_CTX_free(ssl_ctx);
- SSL_free(ssl);
- free(data);
-
- return (failure);
-}
-
-static int
-test_tlsext_ri_server(void)
-{
- unsigned char *data = NULL;
- SSL_CTX *ssl_ctx = NULL;
- SSL *ssl = NULL;
- const struct tls_extension_funcs *client_funcs;
- const struct tls_extension_funcs *server_funcs;
- int failure;
- size_t dlen;
- int alert;
- CBB cbb;
- CBS cbs;
-
- failure = 1;
-
- if (!CBB_init(&cbb, 0))
- errx(1, "Failed to create CBB");
-
- if ((ssl_ctx = SSL_CTX_new(TLS_server_method())) == 
NULL)
- errx(1, "failed to create SSL_CTX");
- if ((ssl = SSL_new(ssl_ctx)) == NULL)
- errx(1, "failed to create SSL");
-
- if (!tls_extension_funcs(TLSEXT_TYPE_renegotiate, &client_funcs,
- &server_funcs))
- errx(1, "failed to fetch ri funcs");
-
- ssl->version = TLS1_2_VERSION;
- if (server_funcs->needs(ssl, SSL_TLSEXT_MSG_SH)) {
- FAIL("server should not need RI\n");
- goto err;
- }
-
- ssl->s3->send_connection_binding = 1;
-
- if (!server_funcs->needs(ssl, SSL_TLSEXT_MSG_SH)) {
- FAIL("server should need RI\n");
- goto err;
- }
-
- memcpy(ssl->s3->previous_client_finished, tlsext_ri_prev_client,
- sizeof(tlsext_ri_prev_client));
- ssl->s3->previous_client_finished_len = sizeof(tlsext_ri_prev_client);
-
- memcpy(ssl->s3->previous_server_finished, tlsext_ri_prev_server,
- sizeof(tlsext_ri_prev_server));
- ssl->s3->previous_server_finished_len = sizeof(tlsext_ri_prev_server);
-
- ssl->s3->renegotiate_seen = 0;
-
- if (!server_funcs->build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) {
- FAIL("server failed to build RI\n");
- goto err;
- }
-
- if (!CBB_finish(&cbb, &data, &dlen))
- errx(1, "failed to finish CBB");
-
- if (dlen != sizeof(tlsext_ri_server)) {
- FAIL("got server RI with length %zu, "
- "want length %zu\n", dlen, sizeof(tlsext_ri_server));
- goto err;
- }
-
- if (memcmp(data, tlsext_ri_server, dlen) != 0) {
- FAIL("server RI differs:\n");
- fprintf(stderr, "received:\n");
- hexdump(data, dlen);
- fprintf(stderr, "test data:\n");
- hexdump(tlsext_ri_server, sizeof(tlsext_ri_server));
- goto err;
- }
-
- CBS_init(&cbs, tlsext_ri_server, sizeof(tlsext_ri_server));
- if (!client_funcs->process(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
- FAIL("failed to parse server RI\n");
- goto err;
- }
- if (CBS_len(&cbs) != 0) {
- FAIL("extension data remaining\n");
- goto err;
- }
-
- if (ssl->s3->renegotiate_seen != 1) {
- FAIL("renegotiate seen not set\n");
- goto err;
- }
- if (ssl->s3->send_connection_binding != 1) {
- FAIL("send connection binding not set\n");
- goto err;
- }
- 
- memset(ssl->s3->previous_client_finished, 0,
- sizeof(ssl->s3->previous_client_finished));
- memset(ssl->s3->previous_server_finished, 0,
- sizeof(ssl->s3->previous_server_finished));
-
- ssl->s3->renegotiate_seen = 0;
-
- CBS_init(&cbs, tlsext_ri_server, sizeof(tlsext_ri_server));
- if (client_funcs->process(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
- FAIL("parsed invalid server RI\n");
- goto err;
- }
-
- if (ssl->s3->renegotiate_seen == 1) {
- FAIL("renegotiate seen set\n");
- goto err;
- }
-
- failure = 0;
-
- err:
- CBB_cleanup(&cbb);
- SSL_CTX_free(ssl_ctx);
- SSL_free(ssl);
- free(data);
-
- return (failure);
-}
-
-/*
- * Signature Algorithms - RFC 5246 section 7.4.1.4.1.
- */
-
-static const unsigned char tlsext_sigalgs_client[] = {
- 0x00, 0x16, 0x08, 0x06, 0x06, 0x01, 0x06, 0x03,
- 0x08, 0x05, 0x05, 0x01, 0x05, 0x03, 0x08, 0x04,
- 0x04, 0x01, 0x04, 0x03, 0x02, 0x01, 0x02, 0x03,
-};
-
-static int
-test_tlsext_sigalgs_client(void)
-{
- unsigned char *data = NULL;
- SSL_CTX *ssl_ctx = NULL;
- SSL *ssl = NULL;
- const struct tls_extension_funcs *client_funcs;
- const struct tls_extension_funcs *server_funcs;
- int failure;
- size_t dlen;
- int alert;
- CBB cbb;
- CBS cbs;
-
- failure = 1;
-
- if (!CBB_init(&cbb, 0))
- errx(1, "Failed to create CBB");
-
- if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL)
- errx(1, "failed to create SSL_CTX");
- if ((ssl = SSL_new(ssl_ctx)) == NULL)
- errx(1, "failed to create SSL");
-
- if (!tls_extension_funcs(TLSEXT_TYPE_signature_algorithms,
- &client_funcs, &server_funcs))
- errx(1, "failed to fetch sigalgs funcs");
-
- ssl->s3->hs.our_max_tls_version = TLS1_1_VERSION;
-
- if (client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
- FAIL("client should not need sigalgs\n");
- goto done;
- }
-
- ssl->s3->hs.our_max_tls_version = TLS1_2_VERSION;
-
- if (!client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
- FAIL("client should need sigalgs\n");
- goto done;
- }
-
- if (!client_funcs->build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
- 
FAIL("client failed to build sigalgs\n");
- goto done;
- }
-
- if (!CBB_finish(&cbb, &data, &dlen))
- errx(1, "failed to finish CBB");
-
- if (dlen != sizeof(tlsext_sigalgs_client)) {
- FAIL("got client sigalgs length %zu, "
- "want length %zu\n", dlen, sizeof(tlsext_sigalgs_client));
- goto done;
- }
-
- if (memcmp(data, tlsext_sigalgs_client, dlen) != 0) {
- FAIL("client SNI differs:\n");
- fprintf(stderr, "received:\n");
- hexdump(data, dlen);
- fprintf(stderr, "test data:\n");
- hexdump(tlsext_sigalgs_client, sizeof(tlsext_sigalgs_client));
- goto done;
- }
-
- CBS_init(&cbs, tlsext_sigalgs_client, sizeof(tlsext_sigalgs_client));
- if (!server_funcs->process(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
- FAIL("failed to parse client SNI\n");
- goto done;
- }
- if (CBS_len(&cbs) != 0) {
- FAIL("extension data remaining\n");
- goto done;
- }
-
- failure = 0;
-
- done:
- CBB_cleanup(&cbb);
- SSL_CTX_free(ssl_ctx);
- SSL_free(ssl);
- free(data);
-
- return (failure);
-}
-
-#if 0
-static int
-test_tlsext_sigalgs_server(void)
-{
- unsigned char *data = NULL;
- SSL_CTX *ssl_ctx = NULL;
- SSL *ssl = NULL;
- const struct tls_extension_funcs *client_funcs;
- const struct tls_extension_funcs *server_funcs;
- int failure;
- size_t dlen;
- int alert;
- CBB cbb;
- CBS cbs;
-
- failure = 1;
-
- if (!CBB_init(&cbb, 0))
- errx(1, "Failed to create CBB");
-
- if ((ssl_ctx = SSL_CTX_new(TLS_server_method())) == NULL)
- errx(1, "failed to create SSL_CTX");
- if ((ssl = SSL_new(ssl_ctx)) == NULL)
- errx(1, "failed to create SSL");
-
- if (!tls_extension_funcs(TLSEXT_TYPE_server_name, &client_funcs,
- &server_funcs))
- errx(1, "failed to fetch sigalgs funcs");
-
- if (server_funcs->needs(ssl, SSL_TLSEXT_MSG_SH)) {
- FAIL("server should not need sigalgs\n");
- goto done;
- }
-
- if (server_funcs->build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) {
- FAIL("server should not build sigalgs\n");
- goto done;
- }
-
- if (!CBB_finish(&cbb, &data, &dlen))
- errx(1, "failed to finish CBB");
-
- 
CBS_init(&cbs, tlsext_sigalgs_client, sizeof(tlsext_sigalgs_client)); - if (!client_funcs->process(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) { - FAIL("server should not parse sigalgs\n"); - goto done; - } - - failure = 0; - - done: - CBB_cleanup(&cbb); - SSL_CTX_free(ssl_ctx); - SSL_free(ssl); - free(data); - - return (failure); -} -#endif - -/* - * Server Name Indication - RFC 6066 section 3. - */ - -#define TEST_SNI_SERVERNAME "www.libressl.org" - -static const unsigned char tlsext_sni_client[] = { - 0x00, 0x13, 0x00, 0x00, 0x10, 0x77, 0x77, 0x77, - 0x2e, 0x6c, 0x69, 0x62, 0x72, 0x65, 0x73, 0x73, - 0x6c, 0x2e, 0x6f, 0x72, 0x67, -}; - -/* An empty array is an incomplete type and sizeof() is undefined. */ -static const unsigned char tlsext_sni_server[] = { - 0x00, -}; -static size_t tlsext_sni_server_len = 0; - -static int -test_tlsext_sni_client(void) -{ - unsigned char *data = NULL; - SSL_CTX *ssl_ctx = NULL; - SSL *ssl = NULL; - const struct tls_extension_funcs *client_funcs; - const struct tls_extension_funcs *server_funcs; - int failure; - size_t dlen; - int alert; - CBB cbb; - CBS cbs; - - failure = 1; - - if (!CBB_init(&cbb, 0)) - errx(1, "Failed to create CBB"); - - if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL) - errx(1, "failed to create SSL_CTX"); - if ((ssl = SSL_new(ssl_ctx)) == NULL) - errx(1, "failed to create SSL"); - - if (!tls_extension_funcs(TLSEXT_TYPE_server_name, &client_funcs, - &server_funcs)) - errx(1, "failed to fetch sni funcs"); - - if (client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) { - FAIL("client should not need SNI\n"); - goto err; - } - - if (!SSL_set_tlsext_host_name(ssl, TEST_SNI_SERVERNAME)) { - FAIL("client failed to set server name\n"); - goto err; - } - - if (!client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) { - FAIL("client should need SNI\n"); - goto err; - } - - if (!client_funcs->build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) { - FAIL("client failed to build SNI\n"); - goto err; - } - - if (!CBB_finish(&cbb, &data, &dlen)) { - 
FAIL("failed to finish CBB"); - goto err; - } - - if (dlen != sizeof(tlsext_sni_client)) { - FAIL("got client SNI with length %zu, " - "want length %zu\n", dlen, sizeof(tlsext_sni_client)); - goto err; - } - - if (memcmp(data, tlsext_sni_client, dlen) != 0) { - FAIL("client SNI differs:\n"); - fprintf(stderr, "received:\n"); - hexdump(data, dlen); - fprintf(stderr, "test data:\n"); - hexdump(tlsext_sni_client, sizeof(tlsext_sni_client)); - goto err; - } - - /* - * SSL_set_tlsext_host_name() may be called with a NULL host name to - * disable SNI. - */ - if (!SSL_set_tlsext_host_name(ssl, NULL)) { - FAIL("cannot set host name to NULL"); - goto err; - } - - if (client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) { - FAIL("client should not need SNI\n"); - goto err; - } - - if ((ssl->session = SSL_SESSION_new()) == NULL) { - FAIL("failed to create session"); - goto err; - } - - ssl->hit = 0; - - CBS_init(&cbs, tlsext_sni_client, sizeof(tlsext_sni_client)); - if (!server_funcs->process(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) { - FAIL("failed to parse client SNI\n"); - goto err; - } - if (CBS_len(&cbs) != 0) { - FAIL("extension data remaining\n"); - goto err; - } - - if (ssl->session->tlsext_hostname == NULL) { - FAIL("no tlsext_hostname from client SNI\n"); - goto err; - } - - if (strlen(ssl->session->tlsext_hostname) != strlen(TEST_SNI_SERVERNAME) || - strncmp(ssl->session->tlsext_hostname, TEST_SNI_SERVERNAME, - strlen(TEST_SNI_SERVERNAME)) != 0) { - FAIL("got tlsext_hostname `%s', want `%s'\n", - ssl->session->tlsext_hostname, TEST_SNI_SERVERNAME); - goto err; - } - - ssl->hit = 1; - - free(ssl->session->tlsext_hostname); - if ((ssl->session->tlsext_hostname = strdup("notthesame.libressl.org")) == - NULL) { - FAIL("failed to strdup tlsext_hostname"); - goto err; - } - - CBS_init(&cbs, tlsext_sni_client, sizeof(tlsext_sni_client)); - if (server_funcs->process(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) { - FAIL("parsed client with mismatched SNI\n"); - goto err; - } - - failure = 
0; - - err: - CBB_cleanup(&cbb); - SSL_CTX_free(ssl_ctx); - SSL_free(ssl); - free(data); - - return (failure); -} - -static int -test_tlsext_sni_server(void) -{ - unsigned char *data = NULL; - SSL_CTX *ssl_ctx = NULL; - SSL *ssl = NULL; - const struct tls_extension_funcs *client_funcs; - const struct tls_extension_funcs *server_funcs; - int failure; - size_t dlen; - int alert; - CBB cbb; - CBS cbs; - - failure = 1; - - if (!CBB_init(&cbb, 0)) - errx(1, "Failed to create CBB"); - - if ((ssl_ctx = SSL_CTX_new(TLS_server_method())) == NULL) - errx(1, "failed to create SSL_CTX"); - if ((ssl = SSL_new(ssl_ctx)) == NULL) - errx(1, "failed to create SSL"); - - if (!tls_extension_funcs(TLSEXT_TYPE_server_name, &client_funcs, - &server_funcs)) - errx(1, "failed to fetch sni funcs"); - - if ((ssl->session = SSL_SESSION_new()) == NULL) - errx(1, "failed to create session"); - - if (server_funcs->needs(ssl, SSL_TLSEXT_MSG_SH)) { - FAIL("server should not need SNI\n"); - goto err; - } - - if (!SSL_set_tlsext_host_name(ssl, TEST_SNI_SERVERNAME)) { - FAIL("client failed to set server name\n"); - goto err; - } - - if ((ssl->session->tlsext_hostname = strdup(TEST_SNI_SERVERNAME)) == - NULL) - errx(1, "failed to strdup tlsext_hostname"); - - if (!server_funcs->needs(ssl, SSL_TLSEXT_MSG_SH)) { - FAIL("server should need SNI\n"); - goto err; - } - - if (!server_funcs->build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) { - FAIL("server failed to build SNI\n"); - goto err; - } - - if (!CBB_finish(&cbb, &data, &dlen)) - errx(1, "failed to finish CBB"); - - if (dlen != tlsext_sni_server_len) { - FAIL("got server SNI with length %zu, " - "want length %zu\n", dlen, tlsext_sni_server_len); - goto err; - } - - if (memcmp(data, tlsext_sni_server, dlen) != 0) { - FAIL("server SNI differs:\n"); - fprintf(stderr, "received:\n"); - hexdump(data, dlen); - fprintf(stderr, "test data:\n"); - hexdump(tlsext_sni_server, tlsext_sni_server_len); - goto err; - } - - free(ssl->session->tlsext_hostname); - 
ssl->session->tlsext_hostname = NULL; - - CBS_init(&cbs, tlsext_sni_server, tlsext_sni_server_len); - if (!client_funcs->process(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) { - FAIL("failed to parse server SNI\n"); - goto err; - } - if (CBS_len(&cbs) != 0) { - FAIL("extension data remaining\n"); - goto err; - } - - if (ssl->session->tlsext_hostname == NULL) { - FAIL("no tlsext_hostname after server SNI\n"); - goto err; - } - - if (strlen(ssl->session->tlsext_hostname) != strlen(TEST_SNI_SERVERNAME) || - strncmp(ssl->session->tlsext_hostname, TEST_SNI_SERVERNAME, - strlen(TEST_SNI_SERVERNAME)) != 0) { - FAIL("got tlsext_hostname `%s', want `%s'\n", - ssl->session->tlsext_hostname, TEST_SNI_SERVERNAME); - goto err; - } - - failure = 0; - - err: - CBB_cleanup(&cbb); - SSL_CTX_free(ssl_ctx); - SSL_free(ssl); - free(data); - - return (failure); -} - - -/* - * QUIC transport parameters extension - RFC 90210 :) - */ - -static const unsigned char tlsext_quic_transport_data[] = { - 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, - 0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, -}; - -static int -test_tlsext_quic_transport_parameters_client(void) -{ - const SSL_QUIC_METHOD quic_method = {0}; - unsigned char *data = NULL; - SSL_CTX *ssl_ctx = NULL; - SSL *ssl = NULL; - const struct tls_extension_funcs *client_funcs; - const struct tls_extension_funcs *server_funcs; - int failure; - size_t dlen; - CBB cbb; - CBS cbs; - int alert; - const uint8_t *out_bytes; - size_t out_bytes_len; - - failure = 1; - - if (!CBB_init(&cbb, 0)) - errx(1, "Failed to create CBB"); - - if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL) - errx(1, "failed to create SSL_CTX"); - if ((ssl = SSL_new(ssl_ctx)) == NULL) - errx(1, "failed to create SSL"); - - if (!tls_extension_funcs(TLSEXT_TYPE_quic_transport_parameters, - &client_funcs, &server_funcs)) - errx(1, "failed to fetch quic transport parameter funcs"); - - if (client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) { - FAIL("client should not need 
QUIC\n"); - goto err; - } - - if (!SSL_set_quic_transport_params(ssl, - tlsext_quic_transport_data, sizeof(tlsext_quic_transport_data))) { - FAIL("client failed to set QUIC parameters\n"); - goto err; - } - - if (client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) { - FAIL("client should not need QUIC\n"); - goto err; - } - - ssl->s3->hs.our_max_tls_version = TLS1_3_VERSION; - ssl->s3->hs.negotiated_tls_version = TLS1_3_VERSION; - - if (client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) { - FAIL("client should not need QUIC\n"); - goto err; - } - - ssl->quic_method = &quic_method; - - if (!client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) { - FAIL("client should need QUIC\n"); - goto err; - } - - if (!client_funcs->build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) { - FAIL("client failed to build QUIC\n"); - goto err; - } - - if (!CBB_finish(&cbb, &data, &dlen)) { - FAIL("failed to finish CBB"); - goto err; - } - - if (dlen != sizeof(tlsext_quic_transport_data)) { - FAIL("got client QUIC with length %zu, " - "want length %zu\n", dlen, - sizeof(tlsext_quic_transport_data)); - goto err; - } - - if (memcmp(data, tlsext_quic_transport_data, dlen) != 0) { - FAIL("client QUIC differs:\n"); - fprintf(stderr, "received:\n"); - hexdump(data, dlen); - fprintf(stderr, "test data:\n"); - hexdump(tlsext_quic_transport_data, - sizeof(tlsext_quic_transport_data)); - goto err; - } - - CBS_init(&cbs, tlsext_quic_transport_data, - sizeof(tlsext_quic_transport_data)); - if (!server_funcs->process(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) { - FAIL("server_parse of QUIC from server failed\n"); - goto err; - } - if (CBS_len(&cbs) != 0) { - FAIL("extension data remaining\n"); - goto err; - } - - SSL_get_peer_quic_transport_params(ssl, &out_bytes, &out_bytes_len); - - if (out_bytes_len != sizeof(tlsext_quic_transport_data)) { - FAIL("server_parse QUIC length differs, got %zu want %zu\n", - out_bytes_len, - sizeof(tlsext_quic_transport_data)); - goto err; - } - - if (memcmp(out_bytes, tlsext_quic_transport_data, - 
out_bytes_len) != 0) { - FAIL("server_parse QUIC differs from sent:\n"); - fprintf(stderr, "received:\n"); - hexdump(data, dlen); - fprintf(stderr, "test data:\n"); - hexdump(tlsext_quic_transport_data, - sizeof(tlsext_quic_transport_data)); - goto err; - } - - failure = 0; - - err: - CBB_cleanup(&cbb); - SSL_CTX_free(ssl_ctx); - SSL_free(ssl); - free(data); - - return (failure); -} - -static int -test_tlsext_quic_transport_parameters_server(void) -{ - const SSL_QUIC_METHOD quic_method = {0}; - unsigned char *data = NULL; - SSL_CTX *ssl_ctx = NULL; - SSL *ssl = NULL; - const struct tls_extension_funcs *client_funcs; - const struct tls_extension_funcs *server_funcs; - int failure; - size_t dlen; - int alert; - CBB cbb; - CBS cbs; - const uint8_t *out_bytes; - size_t out_bytes_len; - - failure = 1; - - if (!CBB_init(&cbb, 0)) - errx(1, "Failed to create CBB"); - - if ((ssl_ctx = SSL_CTX_new(TLS_server_method())) == NULL) - errx(1, "failed to create SSL_CTX"); - if ((ssl = SSL_new(ssl_ctx)) == NULL) - errx(1, "failed to create SSL"); - - if (!tls_extension_funcs(TLSEXT_TYPE_quic_transport_parameters, - &client_funcs, &server_funcs)) - errx(1, "failed to fetch quic transport parameter funcs"); - - if (server_funcs->needs(ssl, SSL_TLSEXT_MSG_SH)) { - FAIL("server should not need QUIC\n"); - goto err; - } - - if (!SSL_set_quic_transport_params(ssl, - tlsext_quic_transport_data, sizeof(tlsext_quic_transport_data))) { - FAIL("server failed to set QUIC parametes\n"); - goto err; - } - - if (server_funcs->needs(ssl, SSL_TLSEXT_MSG_EE)) { - FAIL("server should not need QUIC\n"); - goto err; - } - - ssl->quic_method = &quic_method; - - if (!server_funcs->needs(ssl, SSL_TLSEXT_MSG_EE)) { - FAIL("server should need QUIC\n"); - goto err; - } - - if (!server_funcs->build(ssl, SSL_TLSEXT_MSG_EE, &cbb)) { - FAIL("server failed to build QUIC\n"); - goto err; - } - - if (!CBB_finish(&cbb, &data, &dlen)) - errx(1, "failed to finish CBB"); - - if (dlen != 
sizeof(tlsext_quic_transport_data)) { - FAIL("got server QUIC with length %zu, want length %zu\n", - dlen, sizeof(tlsext_quic_transport_data)); - goto err; - } - - if (memcmp(data, tlsext_quic_transport_data, dlen) != 0) { - FAIL("saved server QUIC differs:\n"); - fprintf(stderr, "received:\n"); - hexdump(data, dlen); - fprintf(stderr, "test data:\n"); - hexdump(tlsext_quic_transport_data, - sizeof(tlsext_quic_transport_data)); - goto err; - } - - CBS_init(&cbs, tlsext_quic_transport_data, - sizeof(tlsext_quic_transport_data)); - - ssl->quic_method = NULL; - - if (client_funcs->process(ssl, SSL_TLSEXT_MSG_EE, &cbs, &alert)) { - FAIL("QUIC parse should have failed!\n"); - goto err; - } - - ssl->quic_method = &quic_method; - - if (!client_funcs->process(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) { - FAIL("client_parse of QUIC from server failed\n"); - goto err; - } - if (CBS_len(&cbs) != 0) { - FAIL("extension data remaining\n"); - goto err; - } - - SSL_get_peer_quic_transport_params(ssl, &out_bytes, &out_bytes_len); - - if (out_bytes_len != sizeof(tlsext_quic_transport_data)) { - FAIL("client QUIC length differs, got %zu want %zu\n", - out_bytes_len, - sizeof(tlsext_quic_transport_data)); - goto err; - } - - if (memcmp(out_bytes, tlsext_quic_transport_data, out_bytes_len) != 0) { - FAIL("client QUIC differs from sent:\n"); - fprintf(stderr, "received:\n"); - hexdump(data, dlen); - fprintf(stderr, "test data:\n"); - hexdump(tlsext_quic_transport_data, - sizeof(tlsext_quic_transport_data)); - goto err; - } - - failure = 0; - - err: - CBB_cleanup(&cbb); - SSL_CTX_free(ssl_ctx); - SSL_free(ssl); - free(data); - - return (failure); -} - -static const unsigned char tls_ocsp_client_default[] = { - 0x01, 0x00, 0x00, 0x00, 0x00 -}; - -static int -test_tlsext_ocsp_client(void) -{ - unsigned char *data = NULL; - SSL_CTX *ssl_ctx = NULL; - SSL *ssl = NULL; - const struct tls_extension_funcs *client_funcs; - const struct tls_extension_funcs *server_funcs; - size_t dlen; - int 
failure; - int alert; - CBB cbb; - CBS cbs; - - failure = 1; - - if (!CBB_init(&cbb, 0)) - errx(1, "Failed to create CBB"); - - if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL) - errx(1, "failed to create SSL_CTX"); - if ((ssl = SSL_new(ssl_ctx)) == NULL) - errx(1, "failed to create SSL"); - - if (!tls_extension_funcs(TLSEXT_TYPE_status_request, &client_funcs, - &server_funcs)) - errx(1, "failed to fetch ocsp funcs"); - - if (client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) { - FAIL("client should not need TLSEXT_TYPE_status_request\n"); - goto err; - } - SSL_set_tlsext_status_type(ssl, TLSEXT_STATUSTYPE_ocsp); - - if (!client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) { - FAIL("client should need TLSEXT_TYPE_status_request\n"); - goto err; - } - if (!client_funcs->build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) { - FAIL("client failed to build SNI\n"); - goto err; - } - if (!CBB_finish(&cbb, &data, &dlen)) - errx(1, "failed to finish CBB"); - - if (dlen != sizeof(tls_ocsp_client_default)) { - FAIL("got TLSEXT_TYPE_status_request client with length %zu, " - "want length %zu\n", dlen, - sizeof(tls_ocsp_client_default)); - goto err; - } - if (memcmp(data, tls_ocsp_client_default, dlen) != 0) { - FAIL("TLSEXT_TYPE_status_request client differs:\n"); - fprintf(stderr, "received:\n"); - hexdump(data, dlen); - fprintf(stderr, "test data:\n"); - hexdump(tls_ocsp_client_default, - sizeof(tls_ocsp_client_default)); - goto err; - } - CBS_init(&cbs, tls_ocsp_client_default, - sizeof(tls_ocsp_client_default)); - if (!server_funcs->process(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) { - FAIL("failed to parse TLSEXT_TYPE_status_request client\n"); - goto err; - } - if (CBS_len(&cbs) != 0) { - FAIL("extension data remaining\n"); - goto err; - } - - failure = 0; - - err: - CBB_cleanup(&cbb); - SSL_CTX_free(ssl_ctx); - SSL_free(ssl); - free(data); - - return (failure); -} - -static int -test_tlsext_ocsp_server(void) -{ - unsigned char *data = NULL; - SSL_CTX *ssl_ctx = NULL; - SSL *ssl = NULL; - 
const struct tls_extension_funcs *client_funcs; - const struct tls_extension_funcs *server_funcs; - size_t dlen; - int failure; - CBB cbb; - - failure = 1; - - if (!CBB_init(&cbb, 0)) - errx(1, "Failed to create CBB"); - - if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL) - errx(1, "failed to create SSL_CTX"); - if ((ssl = SSL_new(ssl_ctx)) == NULL) - errx(1, "failed to create SSL"); - - if (!tls_extension_funcs(TLSEXT_TYPE_status_request, &client_funcs, - &server_funcs)) - errx(1, "failed to fetch ocsp funcs"); - - if (server_funcs->needs(ssl, SSL_TLSEXT_MSG_SH)) { - FAIL("server should not need TLSEXT_TYPE_status_request\n"); - goto err; - } - - ssl->tlsext_status_expected = 1; - - if (!server_funcs->needs(ssl, SSL_TLSEXT_MSG_SH)) { - FAIL("server should need TLSEXT_TYPE_status_request\n"); - goto err; - } - if (!server_funcs->build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) { - FAIL("server failed to build TLSEXT_TYPE_status_request\n"); - goto err; - } - - if (!CBB_finish(&cbb, &data, &dlen)) - errx(1, "failed to finish CBB"); - - failure = 0; - - err: - CBB_cleanup(&cbb); - SSL_CTX_free(ssl_ctx); - SSL_free(ssl); - free(data); - - return (failure); -} - -/* - * Session ticket - RFC 5077 since no known implementations use 4507. - * - * Session tickets can be length 0 (special case) to 2^16-1. - * - * The state is encrypted by the server so it is opaque to the client. - */ -static uint8_t tlsext_sessionticket_hello_min[1]; -static uint8_t tlsext_sessionticket_hello_max[65535]; - -static int -test_tlsext_sessionticket_client(void) -{ - unsigned char *data = NULL; - SSL_CTX *ssl_ctx = NULL; - SSL *ssl = NULL; - const struct tls_extension_funcs *client_funcs; - const struct tls_extension_funcs *server_funcs; - int failure; - CBB cbb; - size_t dlen; - uint8_t dummy[1234]; - - failure = 1; - - if (!CBB_init(&cbb, 0)) - errx(1, "Failed to create CBB"); - - /* Create fake session tickets with random data. 
*/ - arc4random_buf(tlsext_sessionticket_hello_min, - sizeof(tlsext_sessionticket_hello_min)); - arc4random_buf(tlsext_sessionticket_hello_max, - sizeof(tlsext_sessionticket_hello_max)); - - if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL) - errx(1, "failed to create SSL_CTX"); - if ((ssl = SSL_new(ssl_ctx)) == NULL) - errx(1, "failed to create SSL"); - - if (!tls_extension_funcs(TLSEXT_TYPE_session_ticket, &client_funcs, - &server_funcs)) - errx(1, "failed to fetch session ticket funcs"); - - /* Should need a ticket by default. */ - if (!client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) { - FAIL("client should need Sessionticket for default " - "ciphers\n"); - goto err; - } - - /* Test disabling tickets. */ - if ((SSL_set_options(ssl, SSL_OP_NO_TICKET) & SSL_OP_NO_TICKET) == 0) { - FAIL("Cannot disable tickets in the TLS connection\n"); - goto err; - } - if (client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) { - FAIL("client should not need SessionTicket if it was disabled\n"); - goto err; - } - - /* Test re-enabling tickets. */ - if ((SSL_clear_options(ssl, SSL_OP_NO_TICKET) & SSL_OP_NO_TICKET) != 0) { - FAIL("Cannot re-enable tickets in the TLS connection\n"); - goto err; - } - if (!client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) { - FAIL("client should need SessionTicket if it was disabled\n"); - goto err; - } - - /* Since we don't have a session, we should build an empty ticket. 
*/ - if (!client_funcs->build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) { - FAIL("Cannot build a ticket\n"); - goto err; - } - if (!CBB_finish(&cbb, &data, &dlen)) { - FAIL("Cannot finish CBB\n"); - goto err; - } - if (dlen != 0) { - FAIL("Expected 0 length but found %zu\n", dlen); - goto err; - } - - CBB_cleanup(&cbb); - if (!CBB_init(&cbb, 0)) - errx(1, "Failed to create CBB"); - free(data); - data = NULL; - - /* With a new session (but no ticket), we should still have 0 length */ - if ((ssl->session = SSL_SESSION_new()) == NULL) - errx(1, "failed to create session"); - if (!client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) { - FAIL("Should still want a session ticket with a new session\n"); - goto err; - } - if (!client_funcs->build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) { - FAIL("Cannot build a ticket\n"); - goto err; - } - if (!CBB_finish(&cbb, &data, &dlen)) { - FAIL("Cannot finish CBB\n"); - goto err; - } - if (dlen != 0) { - FAIL("Expected 0 length but found %zu\n", dlen); - goto err; - } - - CBB_cleanup(&cbb); - if (!CBB_init(&cbb, 0)) - errx(1, "Failed to create CBB"); - free(data); - data = NULL; - - /* With a new session (and ticket), we should use that ticket */ - SSL_SESSION_free(ssl->session); - if ((ssl->session = SSL_SESSION_new()) == NULL) - errx(1, "failed to create session"); - - arc4random_buf(&dummy, sizeof(dummy)); - if ((ssl->session->tlsext_tick = malloc(sizeof(dummy))) == NULL) { - errx(1, "failed to malloc"); - } - memcpy(ssl->session->tlsext_tick, dummy, sizeof(dummy)); - ssl->session->tlsext_ticklen = sizeof(dummy); - - if (!client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) { - FAIL("Should still want a session ticket with a new session\n"); - goto err; - } - if (!client_funcs->build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) { - FAIL("Cannot build a ticket\n"); - goto err; - } - if (!CBB_finish(&cbb, &data, &dlen)) { - FAIL("Cannot finish CBB\n"); - goto err; - } - if (dlen != sizeof(dummy)) { - FAIL("Expected %zu length but found %zu\n", sizeof(dummy), dlen); - goto err; - } 
- if (memcmp(data, dummy, dlen) != 0) { - FAIL("server SNI differs:\n"); - compare_data(data, dlen, - dummy, sizeof(dummy)); - goto err; - } - - CBB_cleanup(&cbb); - if (!CBB_init(&cbb, 0)) - errx(1, "Failed to create CBB"); - free(data); - data = NULL; - free(ssl->session->tlsext_tick); - ssl->session->tlsext_tick = NULL; - ssl->session->tlsext_ticklen = 0; - - /* - * Send in NULL to disable session tickets at runtime without going - * through SSL_set_options(). - */ - if (!SSL_set_session_ticket_ext(ssl, NULL, 0)) { - FAIL("Could not set a NULL custom ticket\n"); - goto err; - } - /* Should not need a ticket in this case */ - if (client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) { - FAIL("Should not want to use session tickets with a NULL custom\n"); - goto err; - } - - /* - * If you want to remove the tlsext_session_ticket behavior, you have - * to do it manually. - */ - free(ssl->tlsext_session_ticket); - ssl->tlsext_session_ticket = NULL; - - if (!client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) { - FAIL("Should need a session ticket again when the custom one is removed\n"); - goto err; - } - - /* Test a custom session ticket (not recommended in practice) */ - if (!SSL_set_session_ticket_ext(ssl, tlsext_sessionticket_hello_max, - sizeof(tlsext_sessionticket_hello_max))) { - FAIL("Should be able to set a custom ticket\n"); - goto err; - } - if (!client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) { - FAIL("Should need a session ticket again when the custom one is not empty\n"); - goto err; - } - if (!client_funcs->build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) { - FAIL("Cannot build a ticket with a max length random payload\n"); - goto err; - } - if (!CBB_finish(&cbb, &data, &dlen)) { - FAIL("Cannot finish CBB\n"); - goto err; - } - if (dlen != sizeof(tlsext_sessionticket_hello_max)) { - FAIL("Expected %zu length but found %zu\n", - sizeof(tlsext_sessionticket_hello_max), dlen); - goto err; - } - if (memcmp(data, tlsext_sessionticket_hello_max, - sizeof(tlsext_sessionticket_hello_max)) 
!= 0) { - FAIL("Expected to get what we passed in\n"); - compare_data(data, dlen, - tlsext_sessionticket_hello_max, - sizeof(tlsext_sessionticket_hello_max)); - goto err; - } - - failure = 0; - - err: - CBB_cleanup(&cbb); - SSL_CTX_free(ssl_ctx); - SSL_free(ssl); - free(data); - - return (failure); -} - - -static int -test_tlsext_sessionticket_server(void) -{ - SSL_CTX *ssl_ctx = NULL; - SSL *ssl = NULL; - const struct tls_extension_funcs *client_funcs; - const struct tls_extension_funcs *server_funcs; - int failure; - uint8_t *data = NULL; - size_t dlen; - CBB cbb; - - failure = 1; - - if (!CBB_init(&cbb, 0)) - errx(1, "Failed to create CBB"); - - if ((ssl_ctx = SSL_CTX_new(TLS_server_method())) == NULL) - errx(1, "failed to create SSL_CTX"); - if ((ssl = SSL_new(ssl_ctx)) == NULL) - errx(1, "failed to create SSL"); - - if (!tls_extension_funcs(TLSEXT_TYPE_session_ticket, &client_funcs, - &server_funcs)) - errx(1, "failed to fetch session ticket funcs"); - - /* - * By default, should not need a session ticket since the ticket - * is not yet expected. - */ - if (server_funcs->needs(ssl, SSL_TLSEXT_MSG_SH)) { - FAIL("server should not need SessionTicket by default\n"); - goto err; - } - - /* Test disabling tickets. */ - if ((SSL_set_options(ssl, SSL_OP_NO_TICKET) & SSL_OP_NO_TICKET) == 0) { - FAIL("Cannot disable tickets in the TLS connection\n"); - goto err; - } - if (server_funcs->needs(ssl, SSL_TLSEXT_MSG_SH)) { - FAIL("server should not need SessionTicket if it was disabled\n"); - goto err; - } - - /* Test re-enabling tickets. */ - if ((SSL_clear_options(ssl, SSL_OP_NO_TICKET) & SSL_OP_NO_TICKET) != 0) { - FAIL("Cannot re-enable tickets in the TLS connection\n"); - goto err; - } - if (server_funcs->needs(ssl, SSL_TLSEXT_MSG_SH)) { - FAIL("server should not need SessionTicket yet\n"); - goto err; - } - - /* Set expected to require it. 
*/ - ssl->tlsext_ticket_expected = 1; - if (!server_funcs->needs(ssl, SSL_TLSEXT_MSG_SH)) { - FAIL("server should now be required for SessionTicket\n"); - goto err; - } - - /* server hello's session ticket should always be 0 length payload. */ - if (!server_funcs->build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) { - FAIL("Cannot build a ticket with a max length random payload\n"); - goto err; - } - if (!CBB_finish(&cbb, &data, &dlen)) { - FAIL("Cannot finish CBB\n"); - goto err; - } - if (dlen != 0) { - FAIL("Expected 0 length but found %zu\n", dlen); - goto err; - } - - failure = 0; - - err: - CBB_cleanup(&cbb); - SSL_CTX_free(ssl_ctx); - SSL_free(ssl); - free(data); - - return (failure); -} - -#ifndef OPENSSL_NO_SRTP -/* - * Supported Secure Real-time Transport Protocol (RFC 5764 section 4.1.1) - */ - -/* Colon separated string values */ -const char *tlsext_srtp_single_profile = "SRTP_AES128_CM_SHA1_80"; -const char *tlsext_srtp_multiple_profiles = "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32"; - -const char *tlsext_srtp_aes128cmsha80 = "SRTP_AES128_CM_SHA1_80"; -const char *tlsext_srtp_aes128cmsha32 = "SRTP_AES128_CM_SHA1_32"; - -const uint8_t tlsext_srtp_single[] = { - /* SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1> */ - 0x00, 0x02, /* len */ - 0x00, 0x01, /* SRTP_AES128_CM_SHA1_80 */ - 0x00 /* opaque srtp_mki<0..255> */ -}; - -const uint8_t tlsext_srtp_multiple[] = { - /* SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1> */ - 0x00, 0x04, /* len */ - 0x00, 0x01, /* SRTP_AES128_CM_SHA1_80 */ - 0x00, 0x02, /* SRTP_AES128_CM_SHA1_32 */ - 0x00 /* opaque srtp_mki<0..255> */ -}; - -const uint8_t tlsext_srtp_multiple_invalid[] = { - /* SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1> */ - 0x00, 0x04, /* len */ - 0x00, 0x08, /* arbitrary value not found in known profiles */ - 0x00, 0x09, /* arbitrary value not found in known profiles */ - 0x00 /* opaque srtp_mki<0..255> */ -}; - -const uint8_t tlsext_srtp_single_invalid[] = { - /* SRTPProtectionProfile 
SRTPProtectionProfiles<2..2^16-1> */ - 0x00, 0x02, /* len */ - 0x00, 0x08, /* arbitrary value not found in known profiles */ - 0x00 /* opaque srtp_mki<0..255> */ -}; - -const uint8_t tlsext_srtp_multiple_one_valid[] = { - /* SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1> */ - 0x00, 0x04, /* len */ - 0x00, 0x08, /* arbitrary value not found in known profiles */ - 0x00, 0x02, /* SRTP_AES128_CM_SHA1_32 */ - 0x00 /* opaque srtp_mki<0..255> */ -}; - -static int -test_tlsext_srtp_client(void) -{ - SRTP_PROTECTION_PROFILE *prof; - SSL_CTX *ssl_ctx = NULL; - SSL *ssl = NULL; - const struct tls_extension_funcs *client_funcs; - const struct tls_extension_funcs *server_funcs; - uint8_t *data = NULL; - CBB cbb; - CBS cbs; - int failure, alert; - size_t dlen; - - failure = 1; - - if (!CBB_init(&cbb, 0)) - errx(1, "Failed to create CBB"); - - /* SRTP is for DTLS */ - if ((ssl_ctx = SSL_CTX_new(DTLSv1_client_method())) == NULL) - errx(1, "failed to create SSL_CTX"); - if ((ssl = SSL_new(ssl_ctx)) == NULL) - errx(1, "failed to create SSL"); - - if (!tls_extension_funcs(TLSEXT_TYPE_use_srtp, &client_funcs, - &server_funcs)) - errx(1, "failed to fetch srtp funcs"); - - /* By default, we don't need this */ - if (client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) { - FAIL("client should not need SRTP by default\n"); - goto err; - } - - if (SSL_set_tlsext_use_srtp(ssl, tlsext_srtp_single_profile) != 0) { - FAIL("should be able to set a single SRTP\n"); - goto err; - } - if (!client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) { - FAIL("client should need SRTP\n"); - goto err; - } - - /* Make sure we can build the client with a single profile. 
*/ - - if (!client_funcs->build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) { - FAIL("client failed to build SRTP\n"); - goto err; - } - if (!CBB_finish(&cbb, &data, &dlen)) - errx(1, "failed to finish CBB"); - - if (dlen != sizeof(tlsext_srtp_single)) { - FAIL("got client SRTP with length %zu, " - "want length %zu\n", dlen, - sizeof(tlsext_srtp_single)); - compare_data(data, dlen, tlsext_srtp_single, - sizeof(tlsext_srtp_single)); - goto err; - } - if (memcmp(data, tlsext_srtp_single, dlen) != 0) { - FAIL("client SRTP differs:\n"); - compare_data(data, dlen, tlsext_srtp_single, - sizeof(tlsext_srtp_single)); - goto err; - } - - CBB_cleanup(&cbb); - if (!CBB_init(&cbb, 0)) - errx(1, "Failed to create CBB"); - free(data); - data = NULL; - - /* Make sure we can parse the single profile. */ - - if (SSL_get_selected_srtp_profile(ssl) != NULL) { - FAIL("SRTP profile should not be set yet\n"); - goto err; - } - - CBS_init(&cbs, tlsext_srtp_single, sizeof(tlsext_srtp_single)); - if (!server_funcs->process(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) { - FAIL("failed to parse SRTP\n"); - goto err; - } - if (CBS_len(&cbs) != 0) { - FAIL("extension data remaining\n"); - goto err; - } - - if ((prof = SSL_get_selected_srtp_profile(ssl)) == NULL) { - FAIL("SRTP profile should be set now\n"); - goto err; - } - if (strcmp(prof->name, tlsext_srtp_aes128cmsha80) != 0) { - FAIL("SRTP profile was not set properly\n"); - goto err; - } - - if (!server_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) { - FAIL("should send server extension when profile selected\n"); - goto err; - } - - /* Make sure we can build the clienthello with multiple entries. 
*/ - - if (SSL_set_tlsext_use_srtp(ssl, tlsext_srtp_multiple_profiles) != 0) { - FAIL("should be able to set SRTP to multiple profiles\n"); - goto err; - } - if (!client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) { - FAIL("client should need SRTP by now\n"); - goto err; - } - - if (!client_funcs->build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) { - FAIL("client failed to build SRTP\n"); - goto err; - } - if (!CBB_finish(&cbb, &data, &dlen)) - errx(1, "failed to finish CBB"); - - if (dlen != sizeof(tlsext_srtp_multiple)) { - FAIL("got client SRTP with length %zu, " - "want length %zu\n", dlen, - sizeof(tlsext_srtp_multiple)); - compare_data(data, dlen, tlsext_srtp_multiple, - sizeof(tlsext_srtp_multiple)); - goto err; - } - if (memcmp(data, tlsext_srtp_multiple, dlen) != 0) { - FAIL("client SRTP differs:\n"); - compare_data(data, dlen, tlsext_srtp_multiple, - sizeof(tlsext_srtp_multiple)); - goto err; - } - - CBB_cleanup(&cbb); - if (!CBB_init(&cbb, 0)) - errx(1, "Failed to create CBB"); - free(data); - data = NULL; - - /* Make sure we can parse multiple profiles (selects server preferred) */ - - ssl->srtp_profile = NULL; - - CBS_init(&cbs, tlsext_srtp_multiple, - sizeof(tlsext_srtp_multiple)); - if (!server_funcs->process(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) { - FAIL("failed to parse SRTP\n"); - goto err; - } - if (CBS_len(&cbs) != 0) { - FAIL("extension data remaining\n"); - goto err; - } - - if ((prof = SSL_get_selected_srtp_profile(ssl)) == NULL) { - FAIL("SRTP profile should be set now\n"); - goto err; - } - if (strcmp(prof->name, tlsext_srtp_aes128cmsha80) != 0) { - FAIL("SRTP profile was not set properly\n"); - goto err; - } - - if (!server_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) { - FAIL("should send server extension when profile selected\n"); - goto err; - } - - /* - * Make sure we can parse the clienthello with multiple entries - * where one is unknown. 
- */
- ssl->srtp_profile = NULL;
-
- CBS_init(&cbs, tlsext_srtp_multiple_one_valid,
- sizeof(tlsext_srtp_multiple_one_valid));
- if (!server_funcs->process(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
- FAIL("failed to parse SRTP\n");
- goto err;
- }
- if (CBS_len(&cbs) != 0) {
- FAIL("extension data remaining\n");
- goto err;
- }
-
- if ((prof = SSL_get_selected_srtp_profile(ssl)) == NULL) {
- FAIL("SRTP profile should be set now\n");
- goto err;
- }
- if (strcmp(prof->name, tlsext_srtp_aes128cmsha32) != 0) {
- FAIL("SRTP profile was not set properly\n");
- goto err;
- }
-
- if (!server_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
- FAIL("should send server extension when profile selected\n");
- goto err;
- }
-
- /* Make sure we fall back to negotiated when none work. */
-
- ssl->srtp_profile = NULL;
-
- CBS_init(&cbs, tlsext_srtp_multiple_invalid,
- sizeof(tlsext_srtp_multiple_invalid));
- if (!server_funcs->process(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
- FAIL("should be able to fall back to negotiated\n");
- goto err;
- }
- if (CBS_len(&cbs) != 0) {
- FAIL("extension data remaining\n");
- goto err;
- }
-
- /* If we fallback, the server should NOT send the extension.
*/
- if (SSL_get_selected_srtp_profile(ssl) != NULL) {
- FAIL("should not have selected a profile when none found\n");
- goto err;
- }
- if (server_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
- FAIL("should not send server tlsext when no profile found\n");
- goto err;
- }
-
- failure = 0;
-
- err:
- CBB_cleanup(&cbb);
- SSL_CTX_free(ssl_ctx);
- SSL_free(ssl);
- free(data);
-
- return (failure);
-}
-
-static int
-test_tlsext_srtp_server(void)
-{
- const SRTP_PROTECTION_PROFILE *prof;
- SSL_CTX *ssl_ctx = NULL;
- SSL *ssl = NULL;
- const struct tls_extension_funcs *client_funcs;
- const struct tls_extension_funcs *server_funcs;
- uint8_t *data = NULL;
- CBB cbb;
- CBS cbs;
- int failure, alert;
- size_t dlen;
-
- failure = 1;
-
- if (!CBB_init(&cbb, 0))
- errx(1, "Failed to create CBB");
-
- /* SRTP is for DTLS */
- if ((ssl_ctx = SSL_CTX_new(DTLSv1_client_method())) == NULL)
- errx(1, "failed to create SSL_CTX");
- if ((ssl = SSL_new(ssl_ctx)) == NULL)
- errx(1, "failed to create SSL");
-
- if (!tls_extension_funcs(TLSEXT_TYPE_use_srtp, &client_funcs,
- &server_funcs))
- errx(1, "failed to fetch srtp funcs");
-
- /* By default, we don't need this */
- if (server_funcs->needs(ssl, SSL_TLSEXT_MSG_SH)) {
- FAIL("server should not need SRTP by default\n");
- goto err;
- }
-
- if (srtp_find_profile_by_name(tlsext_srtp_aes128cmsha80, &prof,
- strlen(tlsext_srtp_aes128cmsha80))) {
- FAIL("should be able to find the given profile\n");
- goto err;
- }
- ssl->srtp_profile = prof;
- if (!server_funcs->needs(ssl, SSL_TLSEXT_MSG_SH)) {
- FAIL("server should need SRTP by now\n");
- goto err;
- }
-
- /* Make sure we can build the server with a single profile.
*/
-
- if (!server_funcs->build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) {
- FAIL("server failed to build SRTP\n");
- goto err;
- }
- if (!CBB_finish(&cbb, &data, &dlen))
- errx(1, "failed to finish CBB");
-
- if (dlen != sizeof(tlsext_srtp_single)) {
- FAIL("got server SRTP with length %zu, "
- "want length %zu\n", dlen,
- sizeof(tlsext_srtp_single));
- compare_data(data, dlen, tlsext_srtp_single,
- sizeof(tlsext_srtp_single));
- goto err;
- }
- if (memcmp(data, tlsext_srtp_single, dlen) != 0) {
- FAIL("server SRTP differs:\n");
- compare_data(data, dlen, tlsext_srtp_single,
- sizeof(tlsext_srtp_single));
- goto err;
- }
-
- CBB_cleanup(&cbb);
- if (!CBB_init(&cbb, 0))
- errx(1, "Failed to create CBB");
- free(data);
- data = NULL;
-
- /* Make sure we can parse the single profile. */
- ssl->srtp_profile = NULL;
-
- if (SSL_get_selected_srtp_profile(ssl) != NULL) {
- FAIL("SRTP profile should not be set yet\n");
- goto err;
- }
-
- /* Setup the environment as if a client sent a list of profiles. */
- if (SSL_set_tlsext_use_srtp(ssl, tlsext_srtp_multiple_profiles) != 0) {
- FAIL("should be able to set multiple profiles in SRTP\n");
- goto err;
- }
-
- CBS_init(&cbs, tlsext_srtp_single, sizeof(tlsext_srtp_single));
- if (!client_funcs->process(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
- FAIL("failed to parse SRTP\n");
- goto err;
- }
- if (CBS_len(&cbs) != 0) {
- FAIL("extension data remaining\n");
- goto err;
- }
-
- if ((prof = SSL_get_selected_srtp_profile(ssl)) == NULL) {
- FAIL("SRTP profile should be set now\n");
- goto err;
- }
- if (strcmp(prof->name, tlsext_srtp_aes128cmsha80) != 0) {
- FAIL("SRTP profile was not set properly\n");
- goto err;
- }
-
- /* Make sure we cannot parse multiple profiles */
- ssl->srtp_profile = NULL;
-
- CBS_init(&cbs, tlsext_srtp_multiple,
- sizeof(tlsext_srtp_multiple));
- if (client_funcs->process(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
- FAIL("should not find multiple entries from the server\n");
- goto err;
- }
-
- /* Make sure we
cannot parse a server with unknown profile */
- ssl->srtp_profile = NULL;
-
- CBS_init(&cbs, tlsext_srtp_single_invalid,
- sizeof(tlsext_srtp_single_invalid));
- if (client_funcs->process(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
- FAIL("should not be able to parse this\n");
- goto err;
- }
-
- failure = 0;
-
- err:
- CBB_cleanup(&cbb);
- SSL_CTX_free(ssl_ctx);
- SSL_free(ssl);
- free(data);
-
- return (failure);
-}
-#endif /* OPENSSL_NO_SRTP */
-
-static const unsigned char tlsext_clienthello_default[] = {
- 0x00, 0x34, 0x00, 0x0a, 0x00, 0x0a, 0x00, 0x08,
- 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19,
- 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23,
- 0x00, 0x00, 0x00, 0x0d, 0x00, 0x18, 0x00, 0x16,
- 0x08, 0x06, 0x06, 0x01, 0x06, 0x03, 0x08, 0x05,
- 0x05, 0x01, 0x05, 0x03, 0x08, 0x04, 0x04, 0x01,
- 0x04, 0x03, 0x02, 0x01, 0x02, 0x03,
-};
-
-/* An empty array is an incomplete type and sizeof() is undefined. */
-static const unsigned char tlsext_clienthello_disabled[] = {
- 0x00,
-};
-static size_t tlsext_clienthello_disabled_len = 0;
-
-static int
-test_tlsext_clienthello_build(void)
-{
- unsigned char *data = NULL;
- SSL_CTX *ssl_ctx = NULL;
- SSL *ssl = NULL;
- const struct tls_extension_funcs *client_funcs;
- const struct tls_extension_funcs *server_funcs;
- size_t dlen;
- int failure;
- CBB cbb;
-
- failure = 1;
-
- if (!CBB_init(&cbb, 0))
- errx(1, "failed to create CBB");
-
- if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL) {
- FAIL("failed to create SSL_CTX");
- goto err;
- }
-
- if ((ssl = SSL_new(ssl_ctx)) == NULL) {
- FAIL("failed to create SSL");
- goto err;
- }
-
- if (!tlsext_linearize_build_order(ssl)) {
- FAIL("failed to linearize build order");
- goto err;
- }
-
- if (!tls_extension_funcs(TLSEXT_TYPE_supported_versions, &client_funcs,
- &server_funcs))
- errx(1, "failed to fetch supported versions funcs");
-
- ssl->s3->hs.our_min_tls_version = TLS1_VERSION;
- ssl->s3->hs.our_max_tls_version = TLS1_2_VERSION;
-
- if
(!tlsext_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
- FAIL("failed to build clienthello extensions\n");
- goto err;
- }
- if (!CBB_finish(&cbb, &data, &dlen)) {
- FAIL("failed to finish CBB");
- goto err;
- }
-
- if (dlen != sizeof(tlsext_clienthello_default)) {
- FAIL("got clienthello extensions with length %zu, "
- "want length %zu\n", dlen,
- sizeof(tlsext_clienthello_default));
- compare_data(data, dlen, tlsext_clienthello_default,
- sizeof(tlsext_clienthello_default));
- goto err;
- }
- if (memcmp(data, tlsext_clienthello_default, dlen) != 0) {
- FAIL("clienthello extensions differs:\n");
- compare_data(data, dlen, tlsext_clienthello_default,
- sizeof(tlsext_clienthello_default));
- goto err;
- }
-
- free(data);
- data = NULL;
- CBB_cleanup(&cbb);
- if (!CBB_init(&cbb, 0))
- errx(1, "Failed to create CBB");
-
- /* Switch to TLSv1.1, disable EC ciphers and session tickets. */
- ssl->s3->hs.our_max_tls_version = TLS1_1_VERSION;
- if (!SSL_set_cipher_list(ssl, "TLSv1.2:!ECDHE:!ECDSA")) {
- FAIL("failed to set cipher list\n");
- goto err;
- }
- if ((SSL_set_options(ssl, SSL_OP_NO_TICKET) & SSL_OP_NO_TICKET) == 0) {
- FAIL("failed to disable session tickets\n");
- goto err;
- }
-
- if (!tlsext_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
- FAIL("failed to build clienthello extensions\n");
- goto err;
- }
- if (!CBB_finish(&cbb, &data, &dlen)) {
- FAIL("failed to finish CBB");
- goto err;
- }
-
- if (dlen != tlsext_clienthello_disabled_len) {
- FAIL("got clienthello extensions with length %zu, "
- "want length %zu\n", dlen,
- tlsext_clienthello_disabled_len);
- compare_data(data, dlen, tlsext_clienthello_disabled,
- tlsext_clienthello_disabled_len);
- goto err;
- }
- if (memcmp(data, tlsext_clienthello_disabled, dlen) != 0) {
- FAIL("clienthello extensions differs:\n");
- compare_data(data, dlen, tlsext_clienthello_disabled,
- tlsext_clienthello_disabled_len);
- goto err;
- }
-
- failure = 0;
-
- err:
- CBB_cleanup(&cbb);
- SSL_CTX_free(ssl_ctx);
-
SSL_free(ssl);
- free(data);
-
- return (failure);
-}
-
-unsigned char tlsext_serverhello_default[] = {
- 0x00, 0x06, 0x00, 0x2b, 0x00, 0x02, 0x03, 0x04,
-};
-
-unsigned char tlsext_serverhello_enabled[] = {
- 0x00, 0x10, 0x00, 0x2b, 0x00, 0x02, 0x03, 0x04,
- 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23,
- 0x00, 0x00,
-};
-
-static int
-test_tlsext_serverhello_build(void)
-{
- unsigned char *data = NULL;
- SSL_CTX *ssl_ctx = NULL;
- SSL *ssl = NULL;
- size_t dlen;
- int failure;
- CBB cbb;
-
- failure = 1;
-
- if (!CBB_init(&cbb, 0))
- errx(1, "failed to create CBB");
-
- if ((ssl_ctx = SSL_CTX_new(TLS_server_method())) == NULL) {
- FAIL("failed to create SSL_CTX");
- goto err;
- }
- if ((ssl = SSL_new(ssl_ctx)) == NULL) {
- FAIL("failed to create SSL");
- goto err;
- }
- if (!tlsext_linearize_build_order(ssl)) {
- FAIL("failed to linearize build order");
- goto err;
- }
- if ((ssl->session = SSL_SESSION_new()) == NULL) {
- FAIL("failed to create session");
- goto err;
- }
-
- ssl->s3->hs.our_max_tls_version = TLS1_3_VERSION;
- ssl->s3->hs.negotiated_tls_version = TLS1_3_VERSION;
- ssl->s3->hs.cipher = ssl3_get_cipher_by_value(0x003c);
-
- if (!tlsext_server_build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) {
- FAIL("failed to build serverhello extensions\n");
- goto err;
- }
- if (!CBB_finish(&cbb, &data, &dlen)) {
- FAIL("failed to finish CBB");
- goto err;
- }
-
- if (dlen != sizeof(tlsext_serverhello_default)) {
- FAIL("got serverhello extensions with length %zu, "
- "want length %zu\n", dlen,
- sizeof(tlsext_serverhello_default));
- compare_data(data, dlen, tlsext_serverhello_default,
- sizeof(tlsext_serverhello_default));
- goto err;
- }
- if (memcmp(data, tlsext_serverhello_default, dlen) != 0) {
- FAIL("serverhello extensions differs:\n");
- compare_data(data, dlen, tlsext_serverhello_default,
- sizeof(tlsext_serverhello_default));
- goto err;
- }
-
- CBB_cleanup(&cbb);
- free(data);
- data = NULL;
- if (!CBB_init(&cbb, 0))
- errx(1, "Failed to create CBB");
-
- /*
Turn a few things on so we get extensions... */
- ssl->s3->send_connection_binding = 1;
- ssl->s3->hs.cipher = ssl3_get_cipher_by_value(0xc027);
- ssl->tlsext_status_expected = 1;
- ssl->tlsext_ticket_expected = 1;
- if ((ssl->session->tlsext_ecpointformatlist = malloc(1)) == NULL) {
- FAIL("malloc failed");
- goto err;
- }
- ssl->session->tlsext_ecpointformatlist_length = 1;
- ssl->session->tlsext_ecpointformatlist[0] =
- TLSEXT_ECPOINTFORMAT_uncompressed;
-
- if (!tlsext_server_build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) {
- FAIL("failed to build serverhello extensions\n");
- goto err;
- }
- if (!CBB_finish(&cbb, &data, &dlen)) {
- FAIL("failed to finish CBB");
- goto err;
- }
-
- if (dlen != sizeof(tlsext_serverhello_enabled)) {
- FAIL("got serverhello extensions with length %zu, "
- "want length %zu\n", dlen,
- sizeof(tlsext_serverhello_enabled));
- compare_data(data, dlen, tlsext_serverhello_enabled,
- sizeof(tlsext_serverhello_enabled));
- goto err;
- }
- if (memcmp(data, tlsext_serverhello_enabled, dlen) != 0) {
- FAIL("serverhello extensions differs:\n");
- compare_data(data, dlen, tlsext_serverhello_enabled,
- sizeof(tlsext_serverhello_enabled));
- goto err;
- }
-
- failure = 0;
-
- err:
- CBB_cleanup(&cbb);
- SSL_CTX_free(ssl_ctx);
- SSL_free(ssl);
- free(data);
-
- return (failure);
-}
-
-const unsigned char tlsext_versions_client[] = {
- 0x08, 0x03, 0x04, 0x03, 0x03, 0x03,
- 0x02, 0x03, 0x01,
-};
-
-const unsigned char tlsext_versions_server[] = {
- 0x03, 0x04,
-};
-
-static int
-test_tlsext_versions_client(void)
-{
- unsigned char *data = NULL;
- SSL_CTX *ssl_ctx = NULL;
- SSL *ssl = NULL;
- const struct tls_extension_funcs *client_funcs;
- const struct tls_extension_funcs *server_funcs;
- int failure;
- size_t dlen;
- int alert;
- CBB cbb;
- CBS cbs;
-
- failure = 1;
-
- if (!CBB_init(&cbb, 0))
- errx(1, "Failed to create CBB");
-
- if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL)
- errx(1, "failed to create SSL_CTX");
- if ((ssl = SSL_new(ssl_ctx))
== NULL)
- errx(1, "failed to create SSL");
-
- if (!tls_extension_funcs(TLSEXT_TYPE_supported_versions, &client_funcs,
- &server_funcs))
- errx(1, "failed to fetch supported versions funcs");
-
- ssl->s3->hs.our_max_tls_version = TLS1_1_VERSION;
-
- if (client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
- FAIL("client should not need versions\n");
- goto done;
- }
-
- ssl->s3->hs.our_max_tls_version = TLS1_2_VERSION;
-
- if (client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
- FAIL("client should not need versions\n");
- goto done;
- }
-
- ssl->s3->hs.our_max_tls_version = TLS1_3_VERSION;
-
- if (!client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
- FAIL("client should need versions\n");
- goto done;
- }
-
- ssl->s3->hs.our_min_tls_version = TLS1_VERSION;
- ssl->s3->hs.our_max_tls_version = TLS1_3_VERSION;
-
- if (!client_funcs->build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
- FAIL("client should have built versions\n");
- goto done;
- }
-
- if (!CBB_finish(&cbb, &data, &dlen)) {
- FAIL("failed to finish CBB\n");
- goto done;
- }
-
- if (dlen != sizeof(tlsext_versions_client)) {
- FAIL("got versions with length %zu, "
- "want length %zu\n", dlen, sizeof(tlsext_versions_client));
- goto done;
- }
-
- CBS_init(&cbs, data, dlen);
- if (!server_funcs->process(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
- FAIL("failed to parse client versions\n");
- goto done;
- }
- if (CBS_len(&cbs) != 0) {
- FAIL("extension data remaining\n");
- goto done;
- }
-
- failure = 0;
-
- done:
- CBB_cleanup(&cbb);
- SSL_CTX_free(ssl_ctx);
- SSL_free(ssl);
- free(data);
-
- return (failure);
-}
-
-static int
-test_tlsext_versions_server(void)
-{
- unsigned char *data = NULL;
- SSL_CTX *ssl_ctx = NULL;
- SSL *ssl = NULL;
- const struct tls_extension_funcs *client_funcs;
- const struct tls_extension_funcs *server_funcs;
- int failure;
- size_t dlen;
- int alert;
- CBB cbb;
- CBS cbs;
-
- failure = 1;
-
- if (!CBB_init(&cbb, 0))
- errx(1, "Failed to create CBB");
-
- if ((ssl_ctx = SSL_CTX_new(TLS_client_method()))
== NULL)
- errx(1, "failed to create SSL_CTX");
- if ((ssl = SSL_new(ssl_ctx)) == NULL)
- errx(1, "failed to create SSL");
-
- if (!tls_extension_funcs(TLSEXT_TYPE_supported_versions, &client_funcs,
- &server_funcs))
- errx(1, "failed to fetch supported versions funcs");
-
- ssl->s3->hs.negotiated_tls_version = TLS1_2_VERSION;
-
- if (server_funcs->needs(ssl, SSL_TLSEXT_MSG_SH)) {
- FAIL("server should not need versions\n");
- goto done;
- }
-
- ssl->s3->hs.negotiated_tls_version = TLS1_3_VERSION;
-
- if (!server_funcs->needs(ssl, SSL_TLSEXT_MSG_SH)) {
- FAIL("server should need versions\n");
- goto done;
- }
-
- if (!server_funcs->build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) {
- FAIL("server should have built versions\n");
- goto done;
- }
-
- if (!CBB_finish(&cbb, &data, &dlen)) {
- FAIL("failed to finish CBB\n");
- goto done;
- }
-
- if (dlen != sizeof(tlsext_versions_server)) {
- FAIL("got versions with length %zu, "
- "want length %zu\n", dlen, sizeof(tlsext_versions_server));
- goto done;
- }
-
- CBS_init(&cbs, data, dlen);
- if (!client_funcs->process(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
- FAIL("failed to parse client versions\n");
- goto done;
- }
- if (CBS_len(&cbs) != 0) {
- FAIL("extension data remaining\n");
- goto done;
- }
-
- failure = 0;
-
- done:
- CBB_cleanup(&cbb);
- SSL_CTX_free(ssl_ctx);
- SSL_free(ssl);
- free(data);
-
- return (failure);
-}
-
-const unsigned char tlsext_keyshare_client[] = {
- 0x00, 0x24, 0x00, 0x1d, 0x00, 0x20, 0xba, 0x83,
- 0x2e, 0x4a, 0x18, 0xbe, 0x96, 0xd2, 0x71, 0x70,
- 0x18, 0x04, 0xf9, 0x9d, 0x76, 0x98, 0xef, 0xe8,
- 0x4f, 0x8b, 0x85, 0x41, 0xa4, 0xd9, 0x61, 0x57,
- 0xad, 0x5b, 0xa4, 0xe9, 0x8b, 0x6b,
-};
-
-const unsigned char tlsext_keyshare_server[] = {
- 0x00, 0x1d, 0x00, 0x20, 0xe5, 0xe8, 0x5a, 0xb9,
- 0x7e, 0x12, 0x62, 0xe3, 0xd8, 0x7f, 0x6e, 0x3c,
- 0xec, 0xa6, 0x8b, 0x99, 0x45, 0x77, 0x8e, 0x11,
- 0xb3, 0xb9, 0x12, 0xb6, 0xbe, 0x35, 0xca, 0x51,
- 0x76, 0x1e, 0xe8, 0x22
-};
-
-static int
-test_tlsext_keyshare_client(void)
-{
- unsigned char *data = NULL;
- SSL_CTX *ssl_ctx = NULL;
- SSL *ssl = NULL;
- const struct tls_extension_funcs *client_funcs;
- const struct tls_extension_funcs *server_funcs;
- int failure;
- size_t dlen;
- size_t idx;
- int alert;
- CBB cbb;
- CBS cbs;
-
- failure = 1;
-
- if (!CBB_init(&cbb, 0))
- errx(1, "Failed to create CBB");
-
- if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL)
- errx(1, "failed to create SSL_CTX");
- if ((ssl = SSL_new(ssl_ctx)) == NULL)
- errx(1, "failed to create SSL");
-
- if (!tls_extension_funcs(TLSEXT_TYPE_key_share, &client_funcs,
- &server_funcs))
- errx(1, "failed to fetch keyshare funcs");
-
- if ((ssl->s3->hs.key_share =
- tls_key_share_new_nid(NID_X25519)) == NULL)
- errx(1, "failed to create key share");
- if (!tls_key_share_generate(ssl->s3->hs.key_share))
- errx(1, "failed to generate key share");
-
- ssl->s3->hs.our_max_tls_version = TLS1_2_VERSION;
- if (client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
- FAIL("client should not need keyshare\n");
- goto done;
- }
-
- ssl->s3->hs.our_max_tls_version = TLS1_3_VERSION;
- if (!client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
- FAIL("client should need keyshare\n");
- goto done;
- }
-
- ssl->s3->hs.our_max_tls_version = TLS1_3_VERSION;
- if (!client_funcs->build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
- FAIL("client should have built keyshare\n");
- goto done;
- }
-
- if (!CBB_finish(&cbb, &data, &dlen)) {
- FAIL("failed to finish CBB\n");
- goto done;
- }
-
- if (dlen != sizeof(tlsext_keyshare_client)) {
- FAIL("got client keyshare with length %zu, "
- "want length %zu\n", dlen, (size_t) sizeof(tlsext_keyshare_client));
- goto done;
- }
-
- ssl->version = TLS1_3_VERSION;
-
- /* Fake up the ssl enough so the key share can process */
- tls_key_share_free(ssl->s3->hs.key_share);
- ssl->session = SSL_SESSION_new();
- if (ssl->session == NULL) {
- FAIL("malloc");
- goto done;
- }
- memset(ssl->s3, 0, sizeof(*ssl->s3));
-
ssl->session->tlsext_supportedgroups = calloc(4,
- sizeof(unsigned short));
- if (ssl->session->tlsext_supportedgroups == NULL) {
- FAIL("malloc");
- goto done;
- }
- ssl->session->tlsext_supportedgroups[0] = 29;
- ssl->session->tlsext_supportedgroups[1] = 23;
- ssl->session->tlsext_supportedgroups[2] = 24;
- ssl->session->tlsext_supportedgroups[3] = 25;
- ssl->session->tlsext_supportedgroups_length = 4;
- tls_extension_find(TLSEXT_TYPE_supported_groups, &idx);
- ssl->s3->hs.extensions_processed |= (1 << idx);
- ssl->s3->hs.extensions_seen |= (1 << idx);
- ssl->s3->hs.our_max_tls_version = TLS1_3_VERSION;
-
- /*
- * We should select the key share for group 29, when group 29
- * is the most preferred group
- */
- CBS_init(&cbs, data, dlen);
- if (!server_funcs->process(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
- FAIL("failed to process client keyshare\n");
- goto done;
- }
- if (CBS_len(&cbs) != 0) {
- FAIL("extension data remaining\n");
- goto done;
- }
- if (ssl->s3->hs.key_share == NULL) {
- FAIL("Did not select a key share");
- goto done;
- }
-
- /*
- * Pretend the client did not send the supported groups extension. We
- * should fail to process.
- */
- ssl->s3->hs.extensions_seen = 0;
- tls_key_share_free(ssl->s3->hs.key_share);
- ssl->s3->hs.key_share = NULL;
- CBS_init(&cbs, data, dlen);
- if (server_funcs->process(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
- FAIL("Processed key share when supported groups not provided");
- goto done;
- }
- ssl->s3->hs.extensions_seen |= (1 << idx);
-
- /*
- * Pretend supported groups did not get processed.
We should fail to
- * process
- */
- ssl->s3->hs.extensions_processed = 0;
- ssl->s3->hs.key_share = NULL;
- CBS_init(&cbs, data, dlen);
- if (server_funcs->process(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
- FAIL("Processed key share when supported groups unprocesed");
- goto done;
- }
- ssl->s3->hs.extensions_processed |= (1 << idx);
-
- /*
- * Remove group 29 by making it 0xbeef, meaning 29 has not been sent in
- * supported groups. This should fail to process.
- */
- ssl->session->tlsext_supportedgroups[0] = 0xbeef;
- ssl->s3->hs.key_share = NULL;
- CBS_init(&cbs, data, dlen);
- if (server_funcs->process(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
- FAIL("Processed key share with invalid group!");
- goto done;
- }
-
- /*
- * Make 29 least preferred, while server supports both 29 and 25.
- * Client key share is for 29 but it prefers 25. We should successfully
- * process, but should not select this key share.
- */
- ssl->session->tlsext_supportedgroups[0] = 25;
- ssl->session->tlsext_supportedgroups[3] = 29;
- ssl->s3->hs.key_share = NULL;
- CBS_init(&cbs, data, dlen);
- if (!server_funcs->process(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
- FAIL("failed to process client keyshare\n");
- goto done;
- }
- if (CBS_len(&cbs) != 0) {
- FAIL("extension data remaining\n");
- goto done;
- }
- if (ssl->s3->hs.key_share != NULL) {
- FAIL("Selected a key share when I should not have!");
- goto done;
- }
- ssl->session->tlsext_supportedgroups[0] = 29;
- ssl->session->tlsext_supportedgroups[3] = 25;
-
- failure = 0;
-
- done:
- CBB_cleanup(&cbb);
- SSL_CTX_free(ssl_ctx);
- SSL_free(ssl);
- free(data);
-
- return (failure);
-}
-
-static const uint8_t bogokey[] = {
- 0xe5, 0xe8, 0x5a, 0xb9, 0x7e, 0x12, 0x62, 0xe3,
- 0xd8, 0x7f, 0x6e, 0x3c, 0xec, 0xa6, 0x8b, 0x99,
- 0x45, 0x77, 0x8e, 0x11, 0xb3, 0xb9, 0x12, 0xb6,
- 0xbe, 0x35, 0xca, 0x51, 0x76, 0x1e, 0xe8, 0x22,
-};
-
-static int
-test_tlsext_keyshare_server(void)
-{
- unsigned char *data = NULL;
- SSL_CTX *ssl_ctx = NULL;
- SSL
*ssl = NULL;
- const struct tls_extension_funcs *client_funcs;
- const struct tls_extension_funcs *server_funcs;
- int decode_error;
- int failure;
- size_t dlen, idx;
- int alert;
- CBB cbb;
- CBS cbs;
-
- failure = 1;
-
- if (!CBB_init(&cbb, 0))
- errx(1, "Failed to create CBB");
-
- if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL)
- errx(1, "failed to create SSL_CTX");
- if ((ssl = SSL_new(ssl_ctx)) == NULL)
- errx(1, "failed to create SSL");
-
- if (!tls_extension_funcs(TLSEXT_TYPE_key_share, &client_funcs,
- &server_funcs))
- errx(1, "failed to fetch keyshare funcs");
-
- ssl->s3->hs.negotiated_tls_version = TLS1_2_VERSION;
- if (server_funcs->needs(ssl, SSL_TLSEXT_MSG_SH)) {
- FAIL("server should not need keyshare\n");
- goto done;
- }
-
- ssl->s3->hs.negotiated_tls_version = TLS1_3_VERSION;
- if (server_funcs->needs(ssl, SSL_TLSEXT_MSG_SH)) {
- FAIL("client should not need keyshare\n");
- goto done;
- }
-
- if (tls_extension_find(TLSEXT_TYPE_key_share, &idx) == NULL) {
- FAIL("failed to find keyshare extension\n");
- goto done;
- }
- ssl->s3->hs.extensions_seen |= (1 << idx);
-
- if (!server_funcs->needs(ssl, SSL_TLSEXT_MSG_SH)) {
- FAIL("server should need keyshare\n");
- goto done;
- }
-
- if (server_funcs->build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) {
- FAIL("server should not have built a keyshare response\n");
- goto done;
- }
-
- if ((ssl->s3->hs.key_share =
- tls_key_share_new_nid(NID_X25519)) == NULL) {
- FAIL("failed to create key share");
- goto done;
- }
-
- if (!tls_key_share_generate(ssl->s3->hs.key_share)) {
- FAIL("failed to generate key share");
- goto done;
- }
-
- CBS_init(&cbs, bogokey, sizeof(bogokey));
-
- if (!tls_key_share_peer_public(ssl->s3->hs.key_share, &cbs,
- &decode_error, NULL)) {
- FAIL("failed to load peer public key\n");
- goto done;
- }
-
- if (!server_funcs->build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) {
- FAIL("server should be able to build a keyshare response\n");
- goto done;
- }
-
- if (!CBB_finish(&cbb, &data, &dlen)) {
-
FAIL("failed to finish CBB\n");
- goto done;
- }
-
- if (dlen != sizeof(tlsext_keyshare_server)) {
- FAIL("got server keyshare with length %zu, "
- "want length %zu\n", dlen, sizeof(tlsext_keyshare_server));
- goto done;
- }
-
- tls_key_share_free(ssl->s3->hs.key_share);
-
- if ((ssl->s3->hs.key_share =
- tls_key_share_new_nid(NID_X25519)) == NULL) {
- FAIL("failed to create key share");
- goto done;
- }
- if (!tls_key_share_generate(ssl->s3->hs.key_share)) {
- FAIL("failed to generate key share");
- goto done;
- }
-
- CBS_init(&cbs, data, dlen);
-
- if (!client_funcs->process(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
- FAIL("failed to parse server keyshare\n");
- goto done;
- }
-
- if (CBS_len(&cbs) != 0) {
- FAIL("extension data remaining\n");
- goto done;
- }
-
- failure = 0;
-
-done:
- CBB_cleanup(&cbb);
- SSL_CTX_free(ssl_ctx);
- SSL_free(ssl);
- free(data);
-
- return (failure);
-}
-
-/* One day I hope to be the only Muppet in this codebase */
-const uint8_t cookie[] = "\n"
- " (o)(o) \n"
- " m' 'm \n"
- " M -****- M \n"
- " 'm m' \n"
- " m''''''''''m \n"
- " M M BB \n";
-
-static int
-test_tlsext_cookie_client(void)
-{
- unsigned char *data = NULL;
- SSL_CTX *ssl_ctx = NULL;
- SSL *ssl = NULL;
- const struct tls_extension_funcs *client_funcs;
- const struct tls_extension_funcs *server_funcs;
- int failure;
- size_t dlen;
- int alert;
- CBB cbb;
- CBS cbs;
-
- failure = 1;
-
- if (!CBB_init(&cbb, 0))
- errx(1, "Failed to create CBB");
-
- if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL)
- errx(1, "failed to create SSL_CTX");
- if ((ssl = SSL_new(ssl_ctx)) == NULL)
- errx(1, "failed to create SSL");
-
- if (!tls_extension_funcs(TLSEXT_TYPE_cookie, &client_funcs,
- &server_funcs))
- errx(1, "failed to fetch cookie funcs");
-
- ssl->s3->hs.our_max_tls_version = TLS1_2_VERSION;
- if (client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
- FAIL("client should not need cookie\n");
- goto done;
- }
-
-
- ssl->s3->hs.our_max_tls_version = TLS1_3_VERSION;
- if
(client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
- FAIL("client should not need cookie\n");
- goto done;
- }
-
- /* Normally would be set by receiving a server cookie in an HRR */
- ssl->s3->hs.tls13.cookie = strdup(cookie);
- ssl->s3->hs.tls13.cookie_len = strlen(cookie);
-
- if (!client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
- FAIL("client should need cookie\n");
- goto done;
- }
-
- if (!client_funcs->build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
- FAIL("client should have built a cookie response\n");
- goto done;
- }
-
- if (!CBB_finish(&cbb, &data, &dlen)) {
- FAIL("failed to finish CBB\n");
- goto done;
- }
-
- if (dlen != strlen(cookie) + sizeof(uint16_t)) {
- FAIL("got cookie with length %zu, "
- "want length %zu\n", dlen, strlen(cookie) +
- sizeof(uint16_t));
- goto done;
- }
-
- CBS_init(&cbs, data, dlen);
-
- /* Checks cookie against what's in the hs.tls13 */
- if (!server_funcs->process(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
- FAIL("failed to parse client cookie\n");
- goto done;
- }
-
- if (CBS_len(&cbs) != 0) {
- FAIL("extension data remaining\n");
- goto done;
- }
-
- failure = 0;
-
- done:
- CBB_cleanup(&cbb);
- SSL_CTX_free(ssl_ctx);
- SSL_free(ssl);
- free(data);
-
- return (failure);
-}
-
-static int
-test_tlsext_cookie_server(void)
-{
- unsigned char *data = NULL;
- SSL_CTX *ssl_ctx = NULL;
- SSL *ssl = NULL;
- const struct tls_extension_funcs *client_funcs;
- const struct tls_extension_funcs *server_funcs;
- int failure;
- size_t dlen;
- int alert;
- CBB cbb;
- CBS cbs;
-
- failure = 1;
-
- if (!CBB_init(&cbb, 0))
- errx(1, "Failed to create CBB");
-
- if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL)
- errx(1, "failed to create SSL_CTX");
- if ((ssl = SSL_new(ssl_ctx)) == NULL)
- errx(1, "failed to create SSL");
-
- if (!tls_extension_funcs(TLSEXT_TYPE_cookie, &client_funcs,
- &server_funcs))
- errx(1, "failed to fetch cookie funcs");
-
- ssl->s3->hs.our_max_tls_version = TLS1_2_VERSION;
- if (server_funcs->needs(ssl, SSL_TLSEXT_MSG_SH)) {
- FAIL("server should not need cookie\n");
- goto done;
- }
-
- ssl->s3->hs.our_max_tls_version = TLS1_3_VERSION;
- if (server_funcs->needs(ssl, SSL_TLSEXT_MSG_SH)) {
- FAIL("server should not need cookie\n");
- goto done;
- }
-
- /* Normally would be set by server before sending HRR */
- ssl->s3->hs.tls13.cookie = strdup(cookie);
- ssl->s3->hs.tls13.cookie_len = strlen(cookie);
-
- if (!server_funcs->needs(ssl, SSL_TLSEXT_MSG_HRR)) {
- FAIL("server should need cookie\n");
- goto done;
- }
-
- if (!server_funcs->build(ssl, SSL_TLSEXT_MSG_HRR, &cbb)) {
- FAIL("server should have built a cookie response\n");
- goto done;
- }
-
- if (!CBB_finish(&cbb, &data, &dlen)) {
- FAIL("failed to finish CBB\n");
- goto done;
- }
-
- if (dlen != strlen(cookie) + sizeof(uint16_t)) {
- FAIL("got cookie with length %zu, "
- "want length %zu\n", dlen, strlen(cookie) +
- sizeof(uint16_t));
- goto done;
- }
-
- CBS_init(&cbs, data, dlen);
-
- if (client_funcs->process(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
- FAIL("client should not have parsed server cookie\n");
- goto done;
- }
-
- freezero(ssl->s3->hs.tls13.cookie, ssl->s3->hs.tls13.cookie_len);
- ssl->s3->hs.tls13.cookie = NULL;
- ssl->s3->hs.tls13.cookie_len = 0;
-
- if (!client_funcs->process(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
- FAIL("failed to parse server cookie\n");
- goto done;
- }
-
- if (memcmp(cookie, ssl->s3->hs.tls13.cookie,
- ssl->s3->hs.tls13.cookie_len) != 0) {
- FAIL("parsed server cookie does not match sent cookie\n");
- goto done;
- }
-
- if (CBS_len(&cbs) != 0) {
- FAIL("extension data remaining\n");
- goto done;
- }
-
- failure = 0;
-
-done:
- CBB_cleanup(&cbb);
- SSL_CTX_free(ssl_ctx);
- SSL_free(ssl);
- free(data);
-
- return (failure);
-}
-
-const uint8_t tlsext_default_psk_modes[] = {
- 0x01, 0x01,
-};
-
-const uint8_t tlsext_psk_only_mode[] = {
- 0x01, 0x00,
-};
-
-const uint8_t tlsext_psk_both_modes[] = {
- 0x02, 0x00, 0x01,
-};
-
-static int
-test_tlsext_psk_modes_client(void)
-{
- SSL_CTX *ssl_ctx
= NULL;
- SSL *ssl = NULL;
- const struct tls_extension_funcs *client_funcs;
- const struct tls_extension_funcs *server_funcs;
- int failure;
- uint8_t *data = NULL;
- size_t dlen;
- CBB cbb;
- CBS cbs;
- int alert;
-
- failure = 1;
-
- if (!CBB_init(&cbb, 0))
- errx(1, "Failed to create CBB");
-
- if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL)
- errx(1, "failed to create SSL_CTX");
- if ((ssl = SSL_new(ssl_ctx)) == NULL)
- errx(1, "failed to create SSL");
-
- if (!tls_extension_funcs(TLSEXT_TYPE_psk_kex_modes, &client_funcs,
- &server_funcs))
- errx(1, "failed to fetch psk funcs");
-
- /* Disabled by default. */
- if (client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
- FAIL("client should not need psk kex modes by default\n");
- goto err;
- }
-
- /*
- * Prerequisites: use_psk_dhe_ke flag is set and
- * our_max_tls_version >= TLSv1.3.
- */
-
- ssl->s3->hs.tls13.use_psk_dhe_ke = 1;
- ssl->s3->hs.our_max_tls_version = TLS1_2_VERSION;
-
- if (client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
- FAIL("client should not need psk kex modes with TLSv1.2\n");
- goto err;
- }
-
- ssl->s3->hs.tls13.use_psk_dhe_ke = 0;
- ssl->s3->hs.our_max_tls_version = TLS1_3_VERSION;
-
- if (client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
- FAIL("client should not need psk kex modes without "
- "use_psk_dhe_ke\n");
- goto err;
- }
-
- ssl->s3->hs.tls13.use_psk_dhe_ke = 1;
- ssl->s3->hs.our_max_tls_version = TLS1_3_VERSION;
-
- if (!client_funcs->needs(ssl, SSL_TLSEXT_MSG_CH)) {
- FAIL("client should need psk kex modes with TLSv1.3\n");
- goto err;
- }
-
- /* Make sure we can build psk modes with DHE key establishment.
*/
-
- if (!client_funcs->build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
- FAIL("client failed to build psk kex modes\n");
- goto err;
- }
-
- if (!CBB_finish(&cbb, &data, &dlen))
- errx(1, "failed to finish psk kex CBB");
-
- if (dlen != sizeof(tlsext_default_psk_modes)) {
- FAIL("got client psk kex modes with length %zu, "
- "want length %zu\n", dlen,
- sizeof(tlsext_default_psk_modes));
- compare_data(data, dlen, tlsext_default_psk_modes,
- sizeof(tlsext_default_psk_modes));
- goto err;
- }
- if (memcmp(data, tlsext_default_psk_modes, dlen) != 0) {
- FAIL("client psk kex modes differ:\n");
- compare_data(data, dlen, tlsext_default_psk_modes,
- sizeof(tlsext_default_psk_modes));
- goto err;
- }
-
- CBB_cleanup(&cbb);
- free(data);
- data = NULL;
-
- /*
- * Make sure we can parse the default psk modes and that use_psk_dhe_ke
- * is set after parsing.
- */
-
- ssl->s3->hs.tls13.use_psk_dhe_ke = 0;
-
- CBS_init(&cbs, tlsext_default_psk_modes,
- sizeof(tlsext_default_psk_modes));
- if (!server_funcs->process(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
- FAIL("failed to parse psk kex modes\n");
- goto err;
- }
- if (CBS_len(&cbs) != 0) {
- FAIL("extension data remaining\n");
- goto err;
- }
-
- if (ssl->s3->hs.tls13.use_psk_dhe_ke != 1) {
- FAIL("should have set use_psk_dhe_ke\n");
- goto err;
- }
-
- /*
- * Make sure we can parse the psk-only mode and that use_psk_dhe_ke
- * is still not set after parsing.
- */
-
- ssl->s3->hs.tls13.use_psk_dhe_ke = 0;
-
- CBS_init(&cbs, tlsext_psk_only_mode, sizeof(tlsext_psk_only_mode));
- if (!server_funcs->process(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
- FAIL("failed to parse psk kex modes\n");
- goto err;
- }
- if (CBS_len(&cbs) != 0) {
- FAIL("extension data remaining\n");
- goto err;
- }
-
- if (ssl->s3->hs.tls13.use_psk_dhe_ke != 0) {
- FAIL("should not have set use_psk_dhe_ke\n");
- goto err;
- }
-
- /*
- * Make sure we can parse the extension indicating both modes and that
- * use_psk_dhe_ke is set after parsing.
- */ - - ssl->s3->hs.tls13.use_psk_dhe_ke = 0; - - CBS_init(&cbs, tlsext_psk_both_modes, sizeof(tlsext_psk_both_modes)); - if (!server_funcs->process(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) { - FAIL("failed to parse psk kex modes\n"); - goto err; - } - if (CBS_len(&cbs) != 0) { - FAIL("extension data remaining\n"); - goto err; - } - - if (ssl->s3->hs.tls13.use_psk_dhe_ke != 1) { - FAIL("should have set use_psk_dhe_ke\n"); - goto err; - } - - failure = 0; - - err: - CBB_cleanup(&cbb); - SSL_CTX_free(ssl_ctx); - SSL_free(ssl); - free(data); - - return failure; -} - -static int -test_tlsext_psk_modes_server(void) -{ - SSL_CTX *ssl_ctx = NULL; - SSL *ssl = NULL; - const struct tls_extension_funcs *client_funcs; - const struct tls_extension_funcs *server_funcs; - int failure; - - failure = 1; - - if ((ssl_ctx = SSL_CTX_new(TLS_server_method())) == NULL) - errx(1, "failed to create SSL_CTX"); - if ((ssl = SSL_new(ssl_ctx)) == NULL) - errx(1, "failed to create SSL"); - - if (!tls_extension_funcs(TLSEXT_TYPE_psk_kex_modes, &client_funcs, - &server_funcs)) - errx(1, "failed to fetch psk funcs"); - - if (server_funcs->needs(ssl, SSL_TLSEXT_MSG_SH)) { - FAIL("server should not need psk kex modes\n"); - goto err; - } - - failure = 0; - - err: - SSL_CTX_free(ssl_ctx); - SSL_free(ssl); - - return failure; -} - -struct tls_sni_test { - const char *hostname; - int is_ip; - int valid; -}; - -static const struct tls_sni_test tls_sni_tests[] = { - { - .hostname = "openbsd.org", - .valid = 1, - }, - { - .hostname = "op3nbsd.org", - .valid = 1, - }, - { - .hostname = "org", - .valid = 1, - }, - { - .hostname = "3openbsd.com", - .valid = 1, - }, - { - .hostname = "3-0penb-d.c-m", - .valid = 1, - }, - { - .hostname = "a", - .valid = 1, - }, - { - .hostname = - "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com", - .valid = 1, - }, - { - .hostname = - "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." 
- "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." - "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." - "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", - .valid = 1, - }, - { - .hostname = "openbsd.org.", - .valid = 0, - }, - { - .hostname = "openbsd..org", - .valid = 0, - }, - { - .hostname = "openbsd.org-", - .valid = 0, - }, - { - .hostname = - "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com", - .valid = 0, - }, - { - .hostname = - "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." - "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." - "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." - "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.a", - .valid = 0, - }, - { - .hostname = "-p3nbsd.org", - .valid = 0, - }, - { - .hostname = "openbs-.org", - .valid = 0, - }, - { - .hostname = "openbsd\n.org", - .valid = 0, - }, - { - .hostname = "open_bsd.org", - .valid = 0, - }, - { - .hostname = "open\177bsd.org", - .valid = 0, - }, - { - .hostname = "open\255bsd.org", - .valid = 0, - }, - { - .hostname = "dead::beef", - .is_ip = 1, - .valid = 0, - }, - { - .hostname = "192.168.0.1", - .is_ip = 1, - .valid = 0, - }, -}; - -#define N_TLS_SNI_TESTS (sizeof(tls_sni_tests) / sizeof(*tls_sni_tests)) - -static int -test_tlsext_is_valid_hostname(const struct tls_sni_test *tst) -{ - int failure; - int is_ip; - CBS cbs; - - failure = 1; - - CBS_init(&cbs, tst->hostname, strlen(tst->hostname)); - if (tlsext_sni_is_valid_hostname(&cbs, &is_ip) != tst->valid) { - if (tst->valid) { - FAIL("Valid hostname '%s' rejected\n", - tst->hostname); - } else { - FAIL("Invalid hostname '%s' accepted\n", - tst->hostname); - } - goto done; - } - if (tst->is_ip != is_ip) { - if (tst->is_ip) { - FAIL("Hostname '%s' is an IP literal but not " - "identified as one\n", tst->hostname); - } else { - FAIL("Hostname '%s' is not an IP literal but is " - "identified as 
one\n", tst->hostname); - } - goto done; - } - - if (tst->valid) { - CBS_init(&cbs, tst->hostname, - strlen(tst->hostname) + 1); - if (tlsext_sni_is_valid_hostname(&cbs, &is_ip)) { - FAIL("hostname with NUL byte accepted\n"); - goto done; - } - } - - failure = 0; - - done: - - return failure; -} - -static int -test_tlsext_valid_hostnames(void) -{ - const struct tls_sni_test *tst; - int failure = 0; - size_t i; - - for (i = 0; i < N_TLS_SNI_TESTS; i++) { - tst = &tls_sni_tests[i]; - failure |= test_tlsext_is_valid_hostname(tst); - } - - return failure; -} - -#define N_TLSEXT_RANDOMIZATION_TESTS 1000 - -static int -test_tlsext_check_extension_order(SSL *ssl) -{ - const struct tls_extension *ext; - uint16_t type; - size_t alpn_idx, sni_idx; - size_t i; - - if (ssl->tlsext_build_order_len == 0) { - FAIL("Unexpected zero build order length"); - return 1; - } - - ext = ssl->tlsext_build_order[ssl->tlsext_build_order_len - 1]; - if ((type = tls_extension_type(ext)) != TLSEXT_TYPE_psk) { - FAIL("last extension is %u, want %u\n", type, TLSEXT_TYPE_psk); - return 1; - } - - if (ssl->server) - return 0; - - alpn_idx = sni_idx = ssl->tlsext_build_order_len; - for (i = 0; i < ssl->tlsext_build_order_len; i++) { - ext = ssl->tlsext_build_order[i]; - if (tls_extension_type(ext) == TLSEXT_TYPE_alpn) - alpn_idx = i; - if (tls_extension_type(ext) == TLSEXT_TYPE_server_name) - sni_idx = i; - } - - if (alpn_idx == ssl->tlsext_build_order_len) { - FAIL("could not find alpn extension\n"); - return 1; - } - - if (sni_idx == ssl->tlsext_build_order_len) { - FAIL("could not find alpn extension\n"); - return 1; - } - - if (sni_idx >= alpn_idx) { - FAIL("sni does not precede alpn: %zu >= %zu\n", - sni_idx, alpn_idx); - return 1; - } - - return 0; -} - -static int -test_tlsext_randomized_extensions(SSL *ssl) -{ - size_t i; - int failed = 0; - - for (i = 0; i < N_TLSEXT_RANDOMIZATION_TESTS; i++) { - if (!tlsext_randomize_build_order(ssl)) - errx(1, "failed to randomize extensions"); - failed 
|= test_tlsext_check_extension_order(ssl); - } - - return failed; -} - -static int -test_tlsext_extension_order(void) -{ - SSL_CTX *ssl_ctx = NULL; - SSL *ssl = NULL; - int failure; - - failure = 0; - - if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL) - errx(1, "failed to create SSL_CTX"); - if ((ssl = SSL_new(ssl_ctx)) == NULL) - errx(1, "failed to create SSL"); - - failure |= test_tlsext_randomized_extensions(ssl); - - SSL_CTX_free(ssl_ctx); - SSL_free(ssl); - - if ((ssl_ctx = SSL_CTX_new(TLS_server_method())) == NULL) - errx(1, "failed to create SSL_CTX"); - if ((ssl = SSL_new(ssl_ctx)) == NULL) - errx(1, "failed to create SSL"); - - failure |= test_tlsext_randomized_extensions(ssl); - - SSL_CTX_free(ssl_ctx); - SSL_free(ssl); - - return failure; -} - -int -main(int argc, char **argv) -{ - int failed = 0; - - SSL_library_init(); - SSL_load_error_strings(); - - failed |= test_tlsext_alpn_client(); - failed |= test_tlsext_alpn_server(); - - failed |= test_tlsext_supportedgroups_client(); - failed |= test_tlsext_supportedgroups_server(); - - failed |= test_tlsext_ecpf_client(); - failed |= test_tlsext_ecpf_server(); - - failed |= test_tlsext_ri_client(); - failed |= test_tlsext_ri_server(); - - failed |= test_tlsext_sigalgs_client(); - - failed |= test_tlsext_sni_client(); - failed |= test_tlsext_sni_server(); - - failed |= test_tlsext_ocsp_client(); - failed |= test_tlsext_ocsp_server(); - - failed |= test_tlsext_sessionticket_client(); - failed |= test_tlsext_sessionticket_server(); - - failed |= test_tlsext_versions_client(); - failed |= test_tlsext_versions_server(); - - failed |= test_tlsext_keyshare_client(); - failed |= test_tlsext_keyshare_server(); - - failed |= test_tlsext_cookie_client(); - failed |= test_tlsext_cookie_server(); - -#ifndef OPENSSL_NO_SRTP - failed |= test_tlsext_srtp_client(); - failed |= test_tlsext_srtp_server(); -#else - fprintf(stderr, "Skipping SRTP tests due to OPENSSL_NO_SRTP\n"); -#endif - - failed |= 
test_tlsext_psk_modes_client();
- failed |= test_tlsext_psk_modes_server();
-
- failed |= test_tlsext_clienthello_build();
- failed |= test_tlsext_serverhello_build();
-
- failed |= test_tlsext_valid_hostnames();
-
- failed |= test_tlsext_quic_transport_parameters_client();
- failed |= test_tlsext_quic_transport_parameters_server();
-
- failed |= test_tlsext_extension_order();
-
- return (failed);
-}
diff --git a/src/regress/lib/libssl/tlsfuzzer/Makefile b/src/regress/lib/libssl/tlsfuzzer/Makefile
deleted file mode 100644
index f7d17c2b96..0000000000
--- a/src/regress/lib/libssl/tlsfuzzer/Makefile
+++ /dev/null
@@ -1,51 +0,0 @@
-# $OpenBSD: Makefile,v 1.7 2024/09/17 08:47:37 tb Exp $
-
-.if !exists(/usr/local/share/tlsfuzzer)
-regress:
- @echo package py3-tlsfuzzer is required for this regress
- @echo SKIPPED
-.else
-
-REGRESS_TARGETS=regress-tlsfuzzer
-
-localhost.key localhost.crt:
- openssl req -x509 -newkey rsa -keyout localhost.key -out localhost.crt \
- -subj /CN=localhost -nodes -batch
-
-certs: localhost.key localhost.crt
-
-start-server: certs
- openssl s_server -accept 4433 -groups X25519:P-256:P-521:P-384 \
- -key localhost.key -cert localhost.crt -www
-
-CLEANFILES += localhost.key localhost.crt
-
-PORT ?= 4433
-SLOW = -s
-TIMING = # -t
-VERBOSE = # -v
-
-regress-tlsfuzzer: certs
- python3 ${.CURDIR}/tlsfuzzer.py ${SLOW} ${TIMING} ${VERBOSE}
-
-failing: certs
- python3 ${.CURDIR}/tlsfuzzer.py -f ${SLOW} ${TIMING} ${VERBOSE}
-
-
-port: certs
- python3 ${.CURDIR}/tlsfuzzer.py ${SLOW} ${TIMING} ${VERBOSE} -p ${PORT}
-
-list:
- @python3 ${.CURDIR}/tlsfuzzer.py -l
-
-list-failing:
- @python3 ${.CURDIR}/tlsfuzzer.py -l -f
-
-missing:
- @python3 ${.CURDIR}/tlsfuzzer.py -m
-
-.PHONY: all certs failing list list-failing missing port start-server
-
-.endif
-
-.include
diff --git a/src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py b/src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py
deleted file mode 100644
index 91aedad165..0000000000
--- a/src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py
+++ /dev/null
@@ -1,935 +0,0 @@
-# $OpenBSD: tlsfuzzer.py,v 1.56 2024/09/18 19:12:37 tb Exp $
-#
-# Copyright (c) 2020 Theo Buehler
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-
-import getopt
-import os
-import subprocess
-import sys
-from timeit import default_timer as timer
-
-tlsfuzzer_scriptdir = "/usr/local/share/tlsfuzzer/scripts/"
-
-class Test:
- """
- Represents a tlsfuzzer test script.
- name: the script's name
- args: arguments to feed to the script
- tls12_args: override args for a TLSv1.2 server
- tls13_args: override args for a TLSv1.3 server
-
- XXX Add client cert support.
- """
- def __init__(self, name="", args=[], tls12_args=[], tls13_args=[]):
- self.name = name
- self.tls12_args = args
- self.tls13_args = args
- if tls12_args:
- self.tls12_args = tls12_args
- if tls13_args:
- self.tls13_args = tls13_args
-
- def args(self, has_tls1_3: True):
- if has_tls1_3:
- return self.tls13_args
- else:
- return self.tls12_args
-
- def __repr__(self):
- return "" % (
- self.name, self.tls12_args, self.tls13_args
- )
-
-class TestGroup:
- """ A group of Test objects to be run by TestRunner."""
- def __init__(self, title="Tests", tests=[]):
- self.title = title
- self.tests = tests
-
- def __iter__(self):
- return iter(self.tests)
-
-# argument to pass to several tests
-tls13_unsupported_ciphers = [
- "-e", "TLS 1.3 with ffdhe2048",
- "-e", "TLS 1.3 with ffdhe3072",
- "-e", "TLS 1.3 with x448",
-]
-
-def substitute_alert(want, got):
- return f"Expected alert description \"{want}\" " \
- + f"does not match received \"{got}\""
-
-# test-tls13-finished.py has 70 failing tests that expect a "decode_error"
-# instead of the "decrypt_error" sent by tls13_server_finished_recv().
-# Both alerts appear to be reasonable in this context, so work around this
-# in the test instead of the library.
-def generate_test_tls13_finished_args(): - assertion = substitute_alert("decode_error", "decrypt_error"); - paddings = [ - ("TLS_AES_128_GCM_SHA256", 0, 1), - ("TLS_AES_128_GCM_SHA256", 0, 2), - ("TLS_AES_128_GCM_SHA256", 0, 4), - ("TLS_AES_128_GCM_SHA256", 0, 8), - ("TLS_AES_128_GCM_SHA256", 0, 16), - ("TLS_AES_128_GCM_SHA256", 0, 32), - ("TLS_AES_128_GCM_SHA256", 0, 48), - ("TLS_AES_128_GCM_SHA256", 0, 2**14-4-32), - ("TLS_AES_128_GCM_SHA256", 0, 0x20000), - ("TLS_AES_128_GCM_SHA256", 0, 0x30000), - ("TLS_AES_128_GCM_SHA256", 1, 0), - ("TLS_AES_128_GCM_SHA256", 2, 0), - ("TLS_AES_128_GCM_SHA256", 4, 0), - ("TLS_AES_128_GCM_SHA256", 8, 0), - ("TLS_AES_128_GCM_SHA256", 16, 0), - ("TLS_AES_128_GCM_SHA256", 32, 0), - ("TLS_AES_128_GCM_SHA256", 48, 0), - ("TLS_AES_128_GCM_SHA256", 2**14-4-32, 0), - ("TLS_AES_128_GCM_SHA256", 12, 0), - ("TLS_AES_128_GCM_SHA256", 1, 1), - ("TLS_AES_128_GCM_SHA256", 8, 8), - ("TLS_AES_256_GCM_SHA384", 0, 1), - ("TLS_AES_256_GCM_SHA384", 0, 2), - ("TLS_AES_256_GCM_SHA384", 0, 4), - ("TLS_AES_256_GCM_SHA384", 0, 8), - ("TLS_AES_256_GCM_SHA384", 0, 16), - ("TLS_AES_256_GCM_SHA384", 0, 32), - ("TLS_AES_256_GCM_SHA384", 0, 48), - ("TLS_AES_256_GCM_SHA384", 0, 2**14-4-48), - ("TLS_AES_256_GCM_SHA384", 0, 0x20000), - ("TLS_AES_256_GCM_SHA384", 0, 0x30000), - ("TLS_AES_256_GCM_SHA384", 0, 12), - ("TLS_AES_256_GCM_SHA384", 1, 0), - ("TLS_AES_256_GCM_SHA384", 2, 0), - ("TLS_AES_256_GCM_SHA384", 4, 0), - ("TLS_AES_256_GCM_SHA384", 8, 0), - ("TLS_AES_256_GCM_SHA384", 16, 0), - ("TLS_AES_256_GCM_SHA384", 32, 0), - ("TLS_AES_256_GCM_SHA384", 48, 0), - ("TLS_AES_256_GCM_SHA384", 2**14-4-48, 0), - ("TLS_AES_256_GCM_SHA384", 1, 1), - ("TLS_AES_256_GCM_SHA384", 8, 8), - ] - truncations = [ - ("TLS_AES_128_GCM_SHA256", 0, -1), - ("TLS_AES_128_GCM_SHA256", 0, -2), - ("TLS_AES_128_GCM_SHA256", 0, -4), - ("TLS_AES_128_GCM_SHA256", 0, -8), - ("TLS_AES_128_GCM_SHA256", 0, -16), - ("TLS_AES_128_GCM_SHA256", 0, -32), - ("TLS_AES_128_GCM_SHA256", 0, 12), - 
("TLS_AES_128_GCM_SHA256", 1, None), - ("TLS_AES_128_GCM_SHA256", 2, None), - ("TLS_AES_128_GCM_SHA256", 4, None), - ("TLS_AES_128_GCM_SHA256", 8, None), - ("TLS_AES_128_GCM_SHA256", 16, None), - ("TLS_AES_128_GCM_SHA256", 32, None), - ("TLS_AES_256_GCM_SHA384", 0, -1), - ("TLS_AES_256_GCM_SHA384", 0, -2), - ("TLS_AES_256_GCM_SHA384", 0, -4), - ("TLS_AES_256_GCM_SHA384", 0, -8), - ("TLS_AES_256_GCM_SHA384", 0, -16), - ("TLS_AES_256_GCM_SHA384", 0, -32), - ("TLS_AES_256_GCM_SHA384", 0, 12), - ("TLS_AES_256_GCM_SHA384", 1, None), - ("TLS_AES_256_GCM_SHA384", 2, None), - ("TLS_AES_256_GCM_SHA384", 4, None), - ("TLS_AES_256_GCM_SHA384", 8, None), - ("TLS_AES_256_GCM_SHA384", 16, None), - ("TLS_AES_256_GCM_SHA384", 32, None), - ] - - args = [ - "-x", "empty - cipher TLS_AES_128_GCM_SHA256", "-X", assertion, - "-x", "empty - cipher TLS_AES_256_GCM_SHA384", "-X", assertion, - ] - padding_fmt = "padding - cipher %s, pad_byte 0, pad_left %d, pad_right %d" - for padding in paddings: - args += ["-x", padding_fmt % padding, "-X", assertion] - truncation_fmt = "truncation - cipher %s, start %d, end %s" - for truncation in truncations: - args += ["-x", truncation_fmt % truncation, "-X", assertion] - return args - -tls13_tests = TestGroup("TLSv1.3 tests", [ - Test("test-tls13-ccs.py"), - Test("test-tls13-conversation.py"), - Test("test-tls13-count-tickets.py"), - Test("test-tls13-empty-alert.py"), - Test("test-tls13-finished.py", generate_test_tls13_finished_args()), - Test("test-tls13-finished-plaintext.py"), - Test("test-tls13-hrr.py"), - Test("test-tls13-keyshare-omitted.py"), - Test("test-tls13-legacy-version.py"), - Test("test-tls13-nociphers.py"), - Test("test-tls13-record-padding.py"), - # Exclude QUIC transport parameters - Test("test-tls13-shuffled-extentions.py", [ "--exc", "57" ]), - Test("test-tls13-zero-content-type.py"), - - # The skipped tests fail due to a bug in BIO_gets() which masks the retry - # signalled from an SSL_read() failure. 
Testing with httpd(8) shows we're - # handling these corner cases correctly since tls13_record_layer.c -r1.47. - Test("test-tls13-zero-length-data.py", [ - "-e", "zero-length app data", - "-e", "zero-length app data with large padding", - "-e", "zero-length app data with padding", - ]), - - # We don't currently handle NSTs - Test("test-tls13-connection-abort.py", ["-e", "After NewSessionTicket"]), -]) - -# Tests that take a lot of time (> ~30s on an x280) -tls13_slow_tests = TestGroup("slow TLSv1.3 tests", [ - # XXX: Investigate the occasional message - # "Got shared secret with 1 most significant bytes equal to zero." - Test("test-tls13-dhe-shared-secret-padding.py", tls13_unsupported_ciphers), - - Test("test-tls13-invalid-ciphers.py"), - Test("test-tls13-serverhello-random.py", tls13_unsupported_ciphers), - - # Mark two tests cases as xfail for now. The tests expect an arguably - # correct decode_error while we send a decrypt_error (like fizz/boring). - Test("test-tls13-record-layer-limits.py", [ - "-x", "max size payload (2**14) of Finished msg, with 16348 bytes of left padding, cipher TLS_AES_128_GCM_SHA256", - "-X", substitute_alert("decode_error", "decrypt_error"), - "-x", "max size payload (2**14) of Finished msg, with 16348 bytes of left padding, cipher TLS_CHACHA20_POLY1305_SHA256", - "-X", substitute_alert("decode_error", "decrypt_error"), - ]), - # We don't accept an empty ECPF extension since it must advertise the - # uncompressed point format. Exclude this extension type from the test. 
- Test( - "test-tls13-large-number-of-extensions.py", - tls13_args = ["--exc", "11"], - ), -]) - -tls13_extra_cert_tests = TestGroup("TLSv1.3 certificate tests", [ - # need to set up client certs to run these - Test("test-tls13-certificate-request.py"), - Test("test-tls13-certificate-verify.py"), - Test("test-tls13-ecdsa-in-certificate-verify.py"), - Test("test-tls13-eddsa-in-certificate-verify.py"), - - # Test expects the server to have installed three certificates: - # with P-256, P-384 and P-521 curve. Also SHA1+ECDSA is verified - # to not work. - Test("test-tls13-ecdsa-support.py"), -]) - -tls13_failing_tests = TestGroup("failing TLSv1.3 tests", [ - # Some tests fail because we fail later than the scripts expect us to. - # With X25519, we accept weak peer public keys and fail when we actually - # compute the keyshare. Other tests seem to indicate that we could be - # stricter about what keyshares we accept. - Test("test-tls13-crfg-curves.py", [ - '-e', 'all zero x448 key share', - '-e', 'empty x448 key share', - '-e', 'sanity x448 with compression ansiX962_compressed_char2', - '-e', 'sanity x448 with compression ansiX962_compressed_prime', - '-e', 'sanity x448 with compression uncompressed', - '-e', 'too big x448 key share', - '-e', 'too small x448 key share', - '-e', 'x448 key share of "1"', - ]), - Test("test-tls13-ecdhe-curves.py", [ - '-e', 'sanity - x448', - '-e', 'x448 - key share from other curve', - '-e', 'x448 - point at infinity', - '-e', 'x448 - right 0-padded key_share', - '-e', 'x448 - right-truncated key_share', - ]), - - # The test sends records with protocol version 0x0300 instead of 0x0303 - # and currently fails with OpenSSL and LibreSSL for this reason. - # We have the logic corresponding to NSS's fix for CVE-2020-25648 - # https://hg.mozilla.org/projects/nss/rev/57bbefa793232586d27cee83e74411171e128361 - # so should not be affected by this issue. 
- Test("test-tls13-multiple-ccs-messages.py"), - - # https://github.com/openssl/openssl/issues/8369 - Test("test-tls13-obsolete-curves.py"), - - # 3 failing rsa_pss_pss tests - Test("test-tls13-rsa-signatures.py"), - - # The failing tests all expect an ri extension. What's up with that? - Test("test-tls13-version-negotiation.py"), -]) - -tls13_slow_failing_tests = TestGroup("slow, failing TLSv1.3 tests", [ - # Other test failures bugs in keyshare/tlsext negotiation? - Test("test-tls13-unrecognised-groups.py"), # unexpected closure - - # 5 occasional failures: - # 'app data split, conversation with KeyUpdate msg' - # 'fragmented keyupdate msg' - # 'multiple KeyUpdate messages' - # 'post-handshake KeyUpdate msg with update_not_request' - # 'post-handshake KeyUpdate msg with update_request' - Test("test-tls13-keyupdate.py"), - - Test("test-tls13-symetric-ciphers.py"), # unexpected message from peer - - # 6 tests fail: 'rsa_pkcs1_{md5,sha{1,224,256,384,512}} signature' - # We send server hello, but the test expects handshake_failure - Test("test-tls13-pkcs-signature.py"), - # 8 tests fail: 'tls13 signature rsa_pss_{pss,rsae}_sha{256,384,512} - Test("test-tls13-rsapss-signatures.py"), -]) - -tls13_unsupported_tests = TestGroup("TLSv1.3 tests for unsupported features", [ - # Tests for features we don't support - Test("test-tls13-0rtt-garbage.py"), - Test("test-tls13-ffdhe-groups.py"), - Test("test-tls13-ffdhe-sanity.py"), - Test("test-tls13-psk_dhe_ke.py"), - Test("test-tls13-psk_ke.py"), - - # need server to react to HTTP GET for /keyupdate - Test("test-tls13-keyupdate-from-server.py"), - - # needs an echo server - Test("test-tls13-lengths.py"), - - # Weird test: tests servers that don't support 1.3 - Test("test-tls13-non-support.py"), - - # broken test script - # UnboundLocalError: local variable 'cert' referenced before assignment - Test("test-tls13-post-handshake-auth.py"), - - # ExpectNewSessionTicket - Test("test-tls13-session-resumption.py"), - - # Server must be 
configured to support only rsa_pss_rsae_sha512 - Test("test-tls13-signature-algorithms.py"), -]) - -tls12_exclude_legacy_protocols = [ - # all these have BIO_read timeouts against TLSv1.3 - "-e", "Protocol (3, 0)", - "-e", "Protocol (3, 1)", - "-e", "Protocol (3, 2)", - "-e", "Protocol (3, 0) in SSLv2 compatible ClientHello", - # the following only fail with TLSv1.3 - "-e", "Protocol (3, 1) in SSLv2 compatible ClientHello", - "-e", "Protocol (3, 2) in SSLv2 compatible ClientHello", - "-e", "Protocol (3, 3) in SSLv2 compatible ClientHello", - "-e", "Protocol (3, 1) with x448 group", - "-e", "Protocol (3, 2) with x448 group", - "-e", "Protocol (3, 3) with x448 group", - # These don't work without TLSv1.0 and TLSv1.1 - "-e", "Protocol (3, 1) with secp256r1 group", - "-e", "Protocol (3, 1) with secp384r1 group", - "-e", "Protocol (3, 1) with secp521r1 group", - "-e", "Protocol (3, 1) with x25519 group", - "-e", "Protocol (3, 2) with secp256r1 group", - "-e", "Protocol (3, 2) with secp384r1 group", - "-e", "Protocol (3, 2) with secp521r1 group", - "-e", "Protocol (3, 2) with x25519 group", -] - -tls12_tests = TestGroup("TLSv1.2 tests", [ - # Tests that pass as they are. 
- Test("test-aes-gcm-nonces.py"), - Test("test-connection-abort.py"), - Test("test-conversation.py"), - Test("test-cve-2016-2107.py"), - Test("test-cve-2016-6309.py"), - Test("test-dhe-rsa-key-exchange.py"), - Test("test-early-application-data.py"), - Test("test-empty-extensions.py"), - Test("test-extensions.py"), - Test("test-fuzzed-MAC.py"), - Test("test-fuzzed-ciphertext.py"), - Test("test-fuzzed-finished.py"), - Test("test-fuzzed-padding.py"), - Test("test-fuzzed-plaintext.py"), # fails once in a while - Test("test-hello-request-by-client.py"), - Test("test-invalid-cipher-suites.py"), - Test("test-invalid-content-type.py"), - Test("test-invalid-session-id.py"), - Test("test-invalid-version.py"), - Test("test-large-number-of-extensions.py"), - Test("test-lucky13.py"), - Test("test-message-skipping.py"), - Test("test-no-heartbeat.py"), - Test("test-record-layer-fragmentation.py"), - Test("test-sslv2-connection.py"), - Test("test-truncating-of-finished.py"), - Test("test-truncating-of-kRSA-client-key-exchange.py"), - Test("test-unsupported-curve-fallback.py"), - Test("test-version-numbers.py"), - Test("test-zero-length-data.py"), - - # Tests that need tweaking for unsupported features and ciphers. 
- Test( - "test-atypical-padding.py", [ - "-e", "sanity - encrypt then MAC", - "-e", "2^14 bytes of AppData with 256 bytes of padding (SHA1 + Encrypt then MAC)", - ] - ), - Test( - "test-ccs.py", [ - "-x", "two bytes long CCS", - "-X", substitute_alert("unexpected_message", "decode_error"), - ] - ), - Test( - "test-dhe-rsa-key-exchange-signatures.py", [ - "-e", "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA sha224 signature", - "-e", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 sha224 signature", - "-e", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA sha224 signature", - "-e", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 sha224 signature", - "-e", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA sha224 signature", - ] - ), - Test("test-dhe-rsa-key-exchange-with-bad-messages.py", [ - "-x", "invalid dh_Yc value - missing", - "-X", substitute_alert("decode_error", "illegal_parameter"), - ]), - Test("test-dhe-key-share-random.py", tls12_exclude_legacy_protocols), - Test("test-export-ciphers-rejected.py", ["--min-ver", "TLSv1.2"]), - Test( - "test-downgrade-protection.py", - tls12_args = ["--server-max-protocol", "TLSv1.2"], - tls13_args = [ - "--server-max-protocol", "TLSv1.3", - "-e", "TLS 1.3 downgrade check for Protocol (3, 1)", - "-e", "TLS 1.3 downgrade check for Protocol (3, 2)", - ] - ), - Test( - "test-fallback-scsv.py", - tls13_args = [ - "--tls-1.3", - "-e", "FALLBACK - hello TLSv1.1 - pos 0", - "-e", "FALLBACK - hello TLSv1.1 - pos 1", - "-e", "FALLBACK - hello TLSv1.1 - pos 2", - "-e", "FALLBACK - record TLSv1.1 hello TLSv1.1 - pos 0", - "-e", "FALLBACK - record TLSv1.1 hello TLSv1.1 - pos 1", - "-e", "FALLBACK - record TLSv1.1 hello TLSv1.1 - pos 2", - "-e", "record TLSv1.1 hello TLSv1.1", - "-e", "sanity - TLSv1.1", - ] - ), - - Test("test-invalid-compression-methods.py", [ - "-x", "invalid compression methods", - "-X", substitute_alert("illegal_parameter", "decode_error"), - "-x", "only deflate compression method", - "-X", substitute_alert("illegal_parameter", "decode_error"), - ]), - - # Skip 
extended_master_secret test. Since we don't support this - # extension, we don't notice that it was dropped. - Test("test-renegotiation-changed-clienthello.py", [ - "-e", "drop extended_master_secret in renegotiation", - ]), - - Test("test-sessionID-resumption.py", [ - "-x", "Client Hello too long session ID", - "-X", substitute_alert("decode_error", "illegal_parameter"), - ]), - - # Without --sig-algs-drop-ok, two tests fail since we do not currently - # implement the signature_algorithms_cert extension (although we MUST). - Test("test-sig-algs-renegotiation-resumption.py", ["--sig-algs-drop-ok"]), - - Test("test-serverhello-random.py", args = tls12_exclude_legacy_protocols), - - Test("test-chacha20.py", [ "-e", "Chacha20 in TLS1.1" ]), -]) - -tls12_slow_tests = TestGroup("slow TLSv1.2 tests", [ - Test("test-cve-2016-7054.py"), - Test("test-dhe-no-shared-secret-padding.py", tls12_exclude_legacy_protocols), - Test("test-ecdhe-padded-shared-secret.py", tls12_exclude_legacy_protocols), - Test("test-ecdhe-rsa-key-share-random.py", tls12_exclude_legacy_protocols), - # Start at extension number 58 to avoid QUIC transport parameters (57) - Test("test-large-hello.py", [ "-m", "58" ]), -]) - -tls12_failing_tests = TestGroup("failing TLSv1.2 tests", [ - # no shared cipher - Test("test-aesccm.py"), - # need server to set up alpn - Test("test-alpn-negotiation.py"), - # Failing on TLS_RSA_WITH_AES_128_CBC_SHA because server does not support it. 
- Test("test-bleichenbacher-timing-pregenerate.py"), - # many tests fail due to unexpected server_name extension - Test("test-bleichenbacher-workaround.py"), - - # need client key and cert plus extra server setup - Test("test-certificate-malformed.py"), - Test("test-certificate-request.py"), - Test("test-certificate-verify-malformed-sig.py"), - Test("test-certificate-verify-malformed.py"), - Test("test-certificate-verify.py"), - Test("test-ecdsa-in-certificate-verify.py"), - Test("test-eddsa-in-certificate-verify.py"), - Test("test-renegotiation-disabled-client-cert.py"), - Test("test-rsa-pss-sigs-on-certificate-verify.py"), - Test("test-rsa-sigs-on-certificate-verify.py"), - - # test doesn't expect session ticket - Test("test-client-compatibility.py"), - # abrupt closure - Test("test-client-hello-max-size.py"), - # unknown signature algorithms - Test("test-clienthello-md5.py"), - - # Tests expect an illegal_parameter or a decode_error alert. Should be - # added to ssl3_get_client_key_exchange on kex function failure. - Test("test-ecdhe-rsa-key-exchange-with-bad-messages.py"), - - # We send a handshake_failure due to no shared ciphers while the - # test expects to succeed. 
- Test("test-ecdhe-rsa-key-exchange.py"), - - # no shared cipher - Test("test-ecdsa-sig-flexibility.py"), - - # Tests expect SH but we send unexpected_message or handshake_failure - # 'Application data inside Client Hello' - # 'Application data inside Client Key Exchange' - # 'Application data inside Finished' - Test("test-interleaved-application-data-and-fragmented-handshakes-in-renegotiation.py"), - # Tests expect SH but we send handshake_failure - # 'Application data before Change Cipher Spec' - # 'Application data before Client Key Exchange' - # 'Application data before Finished' - Test("test-interleaved-application-data-in-renegotiation.py"), - - # broken test script - # TypeError: '<' not supported between instances of 'int' and 'NoneType' - Test("test-invalid-client-hello-w-record-overflow.py"), - - # Lots of failures. abrupt closure - Test("test-invalid-client-hello.py"), - - # abrupt closure - # 'encrypted premaster set to all zero (n)' n in 256 384 512 - Test("test-invalid-rsa-key-exchange-messages.py"), - - # test expects illegal_parameter, we send unrecognized_name (which seems - # correct according to rfc 6066?) 
- Test("test-invalid-server-name-extension-resumption.py"), - # let through some server names without sending an alert - # again illegal_parameter vs unrecognized_name - Test("test-invalid-server-name-extension.py"), - - # 4 failures: - # 'insecure (legacy) renegotiation with GET after 2nd handshake' - # 'insecure (legacy) renegotiation with incomplete GET' - # 'secure renegotiation with GET after 2nd handshake' - # 'secure renegotiation with incomplete GET' - Test("test-legacy-renegotiation.py"), - - # 1 failure (timeout): we don't send the unexpected_message alert - # 'duplicate change cipher spec after Finished' - Test("test-message-duplication.py"), - - # server should send status_request - Test("test-ocsp-stapling.py"), - - # unexpected closure - Test("test-openssl-3712.py"), - - # failed: 3 (expect an alert, we send AD) - # 'try insecure (legacy) renegotiation with incomplete GET' - # 'try secure renegotiation with GET after 2nd CH' - # 'try secure renegotiation with incomplete GET' - Test("test-renegotiation-disabled.py"), - - # 'resumption of safe session with NULL cipher' - # 'resumption with cipher from old CH but not selected by server' - Test("test-resumption-with-wrong-ciphers.py"), - - # 'session resumption with empty session_id' - # 'session resumption with random session_id' - # 'session resumption with renegotiation' - # AssertionError: Server did not send extension(s): session_ticket - Test("test-session-ticket-resumption.py"), - - # 5 failures: - # 'empty sigalgs' - # 'only undefined sigalgs' - # 'rsa_pss_pss_sha256 only' - # 'rsa_pss_pss_sha384 only' - # 'rsa_pss_pss_sha512 only' - Test("test-sig-algs.py"), - - # 13 failures: - # 'duplicated n non-rsa schemes' for n in 202 2342 8119 23741 32744 - # 'empty list of signature methods' - # 'tolerance n RSA or ECDSA methods' for n in 215 2355 8132 23754 - # 'tolerance 32758 methods with sig_alg_cert' - # 'tolerance max 32744 number of methods with sig_alg_cert' - # 'tolerance max (32760) number of 
methods'
- Test("test-signature-algorithms.py"),
-
- # times out
- Test("test-ssl-death-alert.py"),
-
- # 17 pass, 13 fail. padding and truncation
- Test("test-truncating-of-client-hello.py"),
-
- # x448 tests need disabling plus x25519 corner cases need sorting out
- Test("test-x25519.py"),
-
- # Needs TLS 1.0 or 1.1
- Test("test-TLSv1_2-rejected-without-TLSv1_2.py"),
-])
-
-tls12_unsupported_tests = TestGroup("TLSv1.2 for unsupported features", [
- # protocol_version
- Test("test-SSLv3-padding.py"),
- # we don't do RSA key exchanges
- Test("test-bleichenbacher-timing.py"),
- # no encrypt-then-mac
- Test("test-encrypt-then-mac-renegotiation.py"),
- Test("test-encrypt-then-mac.py"),
- # no EME support
- Test("test-extended-master-secret-extension-with-client-cert.py"),
- Test("test-extended-master-secret-extension.py"),
- # no ffdhe
- Test("test-ffdhe-expected-params.py"),
- Test("test-ffdhe-negotiation.py"),
- # record_size_limit/max_fragment_length extension (RFC 8449)
- Test("test-record-size-limit.py"),
- # expects the server to send the heartbeat extension
- Test("test-heartbeat.py"),
- # needs an echo server
- Test("test-lengths.py"),
-])
-
-# These tests take a ton of time to fail against an 1.3 server,
-# so don't run them against 1.3 pending further investigation.
-legacy_tests = TestGroup("Legacy protocol tests", [
- Test("test-sslv2-force-cipher-3des.py"),
- Test("test-sslv2-force-cipher-non3des.py"),
- Test("test-sslv2-force-cipher.py"),
- Test("test-sslv2-force-export-cipher.py"),
- Test("test-sslv2hello-protocol.py"),
-])
-
-all_groups = [
- tls13_tests,
- tls13_slow_tests,
- tls13_extra_cert_tests,
- tls13_failing_tests,
- tls13_slow_failing_tests,
- tls13_unsupported_tests,
- tls12_tests,
- tls12_slow_tests,
- tls12_failing_tests,
- tls12_unsupported_tests,
- legacy_tests,
-]
-
-failing_groups = [
- tls13_failing_tests,
- tls13_slow_failing_tests,
- tls12_failing_tests,
-]
-
-class TestRunner:
- """ Runs the given tests against a server and displays stats. """
-
- def __init__(
- self, timing=False, verbose=False, host="localhost", port=4433,
- use_tls1_3=True, dry_run=False, tests=[], scriptdir=tlsfuzzer_scriptdir,
- ):
- self.tests = []
-
- self.dryrun = dry_run
- self.use_tls1_3 = use_tls1_3
- self.host = host
- self.port = str(port)
- self.scriptdir = scriptdir
-
- self.stats = []
- self.failed = []
- self.missing = []
-
- self.timing = timing
- self.verbose = verbose
-
- def add(self, title="tests", tests=[]):
- # tests.sort(key=lambda test: test.name)
- self.tests.append(TestGroup(title, tests))
-
- def add_group(self, group):
- self.tests.append(group)
-
- def run_script(self, test):
- script = test.name
- args = ["-h"] + [self.host] + ["-p"] + [self.port] + test.args(self.use_tls1_3)
-
- if self.dryrun:
- if not self.verbose:
- args = []
- print(script , end=' ' if args else '')
- print(' '.join([f"\"{arg}\"" for arg in args]))
- return
-
- if self.verbose:
- print(script)
- else:
- print(f"{script[:68]:<72}", end=" ", flush=True)
- start = timer()
- scriptpath = os.path.join(self.scriptdir, script)
- if not os.path.exists(scriptpath):
- self.missing.append(script)
- print("MISSING")
- return
- test = subprocess.run(
- ["python3", scriptpath] + args,
- capture_output=not self.verbose,
- text=True,
- )
- end =
timer()
- self.stats.append((script, end - start))
- if test.returncode == 0:
- print("OK")
- return
- print("FAILED")
- self.failed.append(script)
-
- if self.verbose:
- return
-
- print('\n'.join(test.stdout.split("Test end\n", 1)[1:]), end="")
-
- def run(self):
- for group in self:
- print(f"Running {group.title} ...")
- for test in group:
- self.run_script(test)
- return not self.failed
-
- def __iter__(self):
- return iter(self.tests)
-
- def __del__(self):
- if self.timing and self.stats:
- total = 0.0
- for (script, time) in self.stats:
- print(f"{round(time, 2):6.2f} {script}")
- total += time
- print(f"{round(total, 2):6.2f} total")
-
- if self.failed:
- print("Failed tests:")
- print('\n'.join(self.failed))
-
- if self.missing:
- print("Missing tests (outdated package?):")
- print('\n'.join(self.missing))
-
-class TlsServer:
- """ Spawns an s_server listening on localhost:port if necessary. """
-
- def __init__(self, host="localhost", port=4433):
- self.spawn = True
- # Check whether a server is already listening on localhost:port
- self.spawn = subprocess.run(
- ["nc", "-c", "-z", "-T", "noverify", host, str(port)],
- stderr=subprocess.DEVNULL,
- ).returncode != 0
-
- if self.spawn:
- self.server = subprocess.Popen(
- [
- "openssl",
- "s_server",
- "-accept",
- str(port),
- "-groups",
- "X25519:P-256:P-521:P-384",
- "-key",
- "localhost.key",
- "-cert",
- "localhost.crt",
- "-www",
- ],
- stdout=subprocess.DEVNULL,
- stderr=subprocess.PIPE,
- text=True,
- )
-
- # Check whether the server talks TLSv1.3
- self.has_tls1_3 = True or subprocess.run(
- [
- "nc",
- "-c",
- "-z",
- "-T",
- "noverify",
- "-T",
- "protocols=TLSv1.3",
- "localhost",
- str(port),
- ],
- stderr=subprocess.DEVNULL,
- ).returncode == 0
-
- self.check()
-
- def check(self):
- if self.spawn and self.server.poll() is not None:
- print(self.server.stderr.read())
- raise RuntimeError(
- f"openssl s_server died. Return code: {self.server.returncode}."
- )
- if self.spawn:
- self.server.stderr.detach()
-
- def __del__(self):
- if self.spawn:
- self.server.terminate()
-
-# Extract the arguments we pass to script
-def defaultargs(script, has_tls1_3):
- return next(
- (test for group in all_groups for test in group if test.name == script),
- Test()
- ).args(has_tls1_3)
-
-def list_or_missing(missing=True):
- tests = [test.name for group in all_groups for test in group]
-
- if missing:
- scripts = {
- f for f in os.listdir(tlsfuzzer_scriptdir) if f != "__pycache__"
- }
- missing = scripts - set(tests)
- if missing:
- print('\n'.join(sorted(missing)))
- exit(0)
-
- tests.sort()
- print('\n'.join(tests))
- exit(0)
-
-def usage():
- print("Usage: python3 tlsfuzzer.py [-flmnstv] [-p port] [script [test...]]")
- print(" --help help")
- print(" -f run failing tests")
- print(" -l list tests")
- print(" -m list new tests after package update")
- print(" -n do not run tests, but list the ones that would be run")
- print(" -p port connect to this port - defaults to 4433")
- print(" -s run slow tests")
- print(" -t show timing stats at end")
- print(" -v verbose output")
- exit(0)
-
-def main():
- failing = False
- list = False
- missing = False
- dryrun = False
- host = "localhost"
- port = 4433
- slow = False
- timing = False
- verbose = False
-
- argv = sys.argv[1:]
- opts, args = getopt.getopt(argv, "fh:lmnp:stv", ["help"])
- for opt, arg in opts:
- if opt == '--help':
- usage()
- elif opt == '-f':
- failing = True
- elif opt == '-h':
- host = arg
- elif opt == '-l':
- list = True
- elif opt == '-m':
- missing = True
- elif opt == '-n':
- dryrun = True
- elif opt == '-p':
- port = int(arg)
- elif opt == '-s':
- slow = True
- elif opt == '-t':
- timing = True
- elif opt == '-v':
- verbose = True
- else:
- raise ValueError(f"Unknown option: {opt}")
-
- if not os.path.exists(tlsfuzzer_scriptdir):
- print("package py3-tlsfuzzer is required for this regress")
- exit(1)
-
- if list and failing:
- failing = [test.name for group
in failing_groups for test in group]
- failing.sort()
- print('\n'.join(failing))
- exit(0)
-
- if list or missing:
- list_or_missing(missing)
-
- tls_server = TlsServer(host, port)
-
- tests = TestRunner(timing, verbose, host, port, tls_server.has_tls1_3, dryrun)
-
- if args:
- (dir, script) = os.path.split(args[0])
- if dir and not dir == '.':
- tests.scriptdir = dir
-
- testargs = defaultargs(script, tls_server.has_tls1_3)
-
- tests.verbose = True
- tests.add("test from command line", [Test(script, testargs + args[1:])])
-
- exit(not tests.run())
-
- if failing:
- if tls_server.has_tls1_3:
- tests.add_group(tls13_failing_tests)
- if slow:
- tests.add_group(tls13_slow_failing_tests)
- tests.add_group(tls12_failing_tests)
-
- if tls_server.has_tls1_3:
- tests.add_group(tls13_tests)
- if slow:
- tests.add_group(tls13_slow_tests)
- else:
- tests.add_group(legacy_tests)
-
- tests.add_group(tls12_tests)
- if slow:
- tests.add_group(tls12_slow_tests)
-
- success = tests.run()
- del tests
-
- if not success:
- print("FAILED")
- exit(1)
-
-if __name__ == "__main__":
- main()
diff --git a/src/regress/lib/libssl/tlslegacy/Makefile b/src/regress/lib/libssl/tlslegacy/Makefile
deleted file mode 100644
index c39981f0b8..0000000000
--- a/src/regress/lib/libssl/tlslegacy/Makefile
+++ /dev/null
@@ -1,9 +0,0 @@
-# $OpenBSD: Makefile,v 1.1 2020/10/07 07:52:17 jsing Exp $
-
-PROG= tlslegacytest
-LDADD= -lssl -lcrypto
-DPADD= ${LIBSSL} ${LIBCRYPTO}
-WARNINGS= Yes
-CFLAGS+= -DLIBRESSL_INTERNAL -Werror
-
-.include
diff --git a/src/regress/lib/libssl/tlslegacy/tlslegacytest.c b/src/regress/lib/libssl/tlslegacy/tlslegacytest.c
deleted file mode 100644
index 59429d716a..0000000000
--- a/src/regress/lib/libssl/tlslegacy/tlslegacytest.c
+++ /dev/null
@@ -1,625 +0,0 @@
-/* $OpenBSD: tlslegacytest.c,v 1.7 2022/10/02 16:39:39 jsing Exp $ */
-/*
- * Copyright (c) 2015, 2016, 2017, 2020 Joel Sing
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include
-
-#include
-#include
-#include
-
-/* openssl.org:443 */
-static uint8_t tls12_server_response[] = {
- 0x16, 0x03, 0x03, 0x00, 0x3d, 0x02, 0x00, 0x00,
- 0x39, 0x03, 0x03, 0x62, 0x0c, 0x8a, 0x7e, 0x29,
- 0x60, 0xcb, 0x08, 0xd1, 0xb4, 0x95, 0x68, 0x76,
- 0xea, 0x4e, 0x0c, 0x94, 0xf2, 0x42, 0x3d, 0xd1,
- 0x7a, 0xc2, 0xfe, 0x6c, 0xb3, 0xe6, 0x12, 0x8a,
- 0x33, 0x02, 0x92, 0x00, 0xc0, 0x30, 0x00, 0x00,
- 0x11, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x0b,
- 0x00, 0x04, 0x03, 0x00, 0x01, 0x02, 0x00, 0x23,
- 0x00, 0x00,
-};
-
-/*
- * outlook.office365.com:587 with starttls - this server response includes
- * multiple handshake messages contained in a single TLS record.
- */ -static uint8_t tls12_server_response_with_cert[] = { - 0x16, 0x03, 0x03, 0x0f, 0x2b, 0x02, 0x00, 0x00, - 0x4d, 0x03, 0x03, 0x5f, 0x7c, 0x69, 0x42, 0xe1, - 0x19, 0xf0, 0x22, 0xfb, 0x71, 0x9a, 0xf1, 0x63, - 0x34, 0xbb, 0x61, 0x46, 0xea, 0x5f, 0x0b, 0x5e, - 0xb1, 0x4e, 0x37, 0x96, 0x67, 0xff, 0x83, 0xea, - 0x0e, 0x16, 0x85, 0x20, 0x3a, 0x1b, 0x00, 0x00, - 0x17, 0xe9, 0xac, 0xca, 0x19, 0x61, 0xaf, 0x70, - 0x28, 0x3b, 0x18, 0xaa, 0x6c, 0xa0, 0x0f, 0x78, - 0xd0, 0x83, 0xfc, 0x5d, 0x78, 0xf9, 0x6d, 0xdb, - 0x16, 0x21, 0x15, 0xa2, 0xc0, 0x30, 0x00, 0x00, - 0x05, 0xff, 0x01, 0x00, 0x01, 0x00, 0x0b, 0x00, - 0x0d, 0x47, 0x00, 0x0d, 0x44, 0x00, 0x08, 0xaf, - 0x30, 0x82, 0x08, 0xab, 0x30, 0x82, 0x07, 0x93, - 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x0c, 0x6d, - 0xea, 0x0b, 0xe1, 0x97, 0x27, 0x60, 0xa1, 0x59, - 0xb1, 0x85, 0x60, 0x30, 0x0d, 0x06, 0x09, 0x2a, - 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, - 0x05, 0x00, 0x30, 0x66, 0x31, 0x0b, 0x30, 0x09, - 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x42, - 0x45, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, - 0x04, 0x0a, 0x13, 0x10, 0x47, 0x6c, 0x6f, 0x62, - 0x61, 0x6c, 0x53, 0x69, 0x67, 0x6e, 0x20, 0x6e, - 0x76, 0x2d, 0x73, 0x61, 0x31, 0x3c, 0x30, 0x3a, - 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x33, 0x47, - 0x6c, 0x6f, 0x62, 0x61, 0x6c, 0x53, 0x69, 0x67, - 0x6e, 0x20, 0x4f, 0x72, 0x67, 0x61, 0x6e, 0x69, - 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x56, - 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x69, 0x6f, - 0x6e, 0x20, 0x43, 0x41, 0x20, 0x2d, 0x20, 0x53, - 0x48, 0x41, 0x32, 0x35, 0x36, 0x20, 0x2d, 0x20, - 0x47, 0x33, 0x30, 0x1e, 0x17, 0x0d, 0x32, 0x30, - 0x30, 0x38, 0x31, 0x33, 0x32, 0x33, 0x31, 0x38, - 0x34, 0x39, 0x5a, 0x17, 0x0d, 0x32, 0x32, 0x30, - 0x38, 0x31, 0x34, 0x32, 0x33, 0x31, 0x38, 0x34, - 0x39, 0x5a, 0x30, 0x6a, 0x31, 0x0b, 0x30, 0x09, - 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, - 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, - 0x04, 0x08, 0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, - 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 
0x31, 0x10, - 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, - 0x07, 0x52, 0x65, 0x64, 0x6d, 0x6f, 0x6e, 0x64, - 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, - 0x0a, 0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, - 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, - 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, - 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, - 0x03, 0x13, 0x0b, 0x6f, 0x75, 0x74, 0x6c, 0x6f, - 0x6f, 0x6b, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x82, - 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, - 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, - 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, - 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xc9, - 0x20, 0x3f, 0x57, 0xb9, 0xf9, 0x71, 0xaa, 0x3c, - 0x6a, 0x0a, 0x5d, 0x3f, 0xc9, 0x8d, 0x99, 0xa5, - 0x50, 0x26, 0x25, 0x4e, 0xdc, 0x69, 0x52, 0xb3, - 0x33, 0x70, 0xe7, 0x72, 0xa2, 0x83, 0x92, 0x54, - 0xd1, 0xd4, 0x86, 0x15, 0xf2, 0xc4, 0x65, 0xf8, - 0xbc, 0xe5, 0xd2, 0x1e, 0x12, 0x25, 0x9e, 0x75, - 0x8e, 0x77, 0xd2, 0x8e, 0x94, 0xca, 0x03, 0x4b, - 0xf4, 0xc8, 0xca, 0xe3, 0xe3, 0x9b, 0x66, 0xa3, - 0xa1, 0x37, 0x74, 0xcc, 0xfe, 0xc4, 0x1e, 0x64, - 0xdc, 0xe3, 0x18, 0xba, 0xc1, 0x7b, 0x39, 0x5b, - 0xb1, 0x47, 0xe9, 0x11, 0x92, 0xef, 0xee, 0xe6, - 0x08, 0xcd, 0x93, 0x7b, 0x09, 0xc7, 0x39, 0xfe, - 0xe5, 0xe2, 0x47, 0x3f, 0x68, 0x78, 0xa4, 0x17, - 0x78, 0x13, 0xcb, 0x12, 0x38, 0x9d, 0x89, 0x2b, - 0x1f, 0x75, 0x9b, 0x87, 0x5d, 0x53, 0xfc, 0xb0, - 0x2a, 0xaf, 0x2d, 0x86, 0x8a, 0x76, 0x3b, 0xce, - 0x5e, 0xae, 0x43, 0x74, 0x68, 0xc3, 0x28, 0xbf, - 0x10, 0x2f, 0xdd, 0xd9, 0x43, 0x4b, 0x2d, 0xa6, - 0xdc, 0x1f, 0x6d, 0x90, 0xd0, 0xce, 0x14, 0x1e, - 0x6c, 0xdc, 0x7b, 0x06, 0xe4, 0x7b, 0xa9, 0x81, - 0x40, 0xed, 0xde, 0x18, 0xb7, 0xdf, 0x53, 0x61, - 0xbc, 0x18, 0x83, 0x11, 0xc7, 0xb4, 0x1b, 0x99, - 0xef, 0x14, 0xe4, 0x63, 0x39, 0xe3, 0x5c, 0x2f, - 0xe7, 0x89, 0x58, 0x5b, 0xda, 0x03, 0x3a, 0x39, - 0x96, 0x8a, 0xca, 0x4f, 0xd8, 0xe3, 0x6c, 0x7f, - 0x6e, 0xd3, 0xe7, 0x30, 0x34, 0x9c, 0xdb, 0x8b, - 0xe8, 0x6a, 0xa6, 0x08, 0x77, 0x1d, 
0x63, 0xd6, - 0x57, 0x9d, 0xcd, 0xa7, 0x47, 0x05, 0x39, 0x96, - 0x7b, 0xfd, 0x9a, 0x09, 0x99, 0xef, 0x49, 0xb1, - 0x89, 0x02, 0xbe, 0x4f, 0xb8, 0xef, 0xa0, 0x04, - 0x29, 0x74, 0xfb, 0x9a, 0x7e, 0x9d, 0xa8, 0x10, - 0xfb, 0x7e, 0xb0, 0x6c, 0x60, 0x4f, 0x57, 0x02, - 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x05, 0x53, - 0x30, 0x82, 0x05, 0x4f, 0x30, 0x0e, 0x06, 0x03, - 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, - 0x03, 0x02, 0x05, 0xa0, 0x30, 0x81, 0x9e, 0x06, - 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01, - 0x01, 0x04, 0x81, 0x91, 0x30, 0x81, 0x8e, 0x30, - 0x4b, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, - 0x07, 0x30, 0x02, 0x86, 0x3f, 0x68, 0x74, 0x74, - 0x70, 0x3a, 0x2f, 0x2f, 0x73, 0x65, 0x63, 0x75, - 0x72, 0x65, 0x2e, 0x67, 0x6c, 0x6f, 0x62, 0x61, - 0x6c, 0x73, 0x69, 0x67, 0x6e, 0x2e, 0x63, 0x6f, - 0x6d, 0x2f, 0x63, 0x61, 0x63, 0x65, 0x72, 0x74, - 0x2f, 0x67, 0x73, 0x6f, 0x72, 0x67, 0x61, 0x6e, - 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x76, - 0x61, 0x6c, 0x73, 0x68, 0x61, 0x32, 0x67, 0x33, - 0x2e, 0x63, 0x72, 0x74, 0x30, 0x3f, 0x06, 0x08, - 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, - 0x86, 0x33, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, - 0x2f, 0x6f, 0x63, 0x73, 0x70, 0x32, 0x2e, 0x67, - 0x6c, 0x6f, 0x62, 0x61, 0x6c, 0x73, 0x69, 0x67, - 0x6e, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x73, - 0x6f, 0x72, 0x67, 0x61, 0x6e, 0x69, 0x7a, 0x61, - 0x74, 0x69, 0x6f, 0x6e, 0x76, 0x61, 0x6c, 0x73, - 0x68, 0x61, 0x32, 0x67, 0x33, 0x30, 0x56, 0x06, - 0x03, 0x55, 0x1d, 0x20, 0x04, 0x4f, 0x30, 0x4d, - 0x30, 0x41, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, - 0x01, 0xa0, 0x32, 0x01, 0x14, 0x30, 0x34, 0x30, - 0x32, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, - 0x07, 0x02, 0x01, 0x16, 0x26, 0x68, 0x74, 0x74, - 0x70, 0x73, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, - 0x2e, 0x67, 0x6c, 0x6f, 0x62, 0x61, 0x6c, 0x73, - 0x69, 0x67, 0x6e, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, - 0x72, 0x65, 0x70, 0x6f, 0x73, 0x69, 0x74, 0x6f, - 0x72, 0x79, 0x2f, 0x30, 0x08, 0x06, 0x06, 0x67, - 0x81, 0x0c, 0x01, 0x02, 0x02, 0x30, 
0x09, 0x06, - 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00, - 0x30, 0x46, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, - 0x3f, 0x30, 0x3d, 0x30, 0x3b, 0xa0, 0x39, 0xa0, - 0x37, 0x86, 0x35, 0x68, 0x74, 0x74, 0x70, 0x3a, - 0x2f, 0x2f, 0x63, 0x72, 0x6c, 0x2e, 0x67, 0x6c, - 0x6f, 0x62, 0x61, 0x6c, 0x73, 0x69, 0x67, 0x6e, - 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x73, 0x6f, - 0x72, 0x67, 0x61, 0x6e, 0x69, 0x7a, 0x61, 0x74, - 0x69, 0x6f, 0x6e, 0x76, 0x61, 0x6c, 0x73, 0x68, - 0x61, 0x32, 0x67, 0x33, 0x2e, 0x63, 0x72, 0x6c, - 0x30, 0x82, 0x02, 0x10, 0x06, 0x03, 0x55, 0x1d, - 0x11, 0x04, 0x82, 0x02, 0x07, 0x30, 0x82, 0x02, - 0x03, 0x82, 0x0b, 0x6f, 0x75, 0x74, 0x6c, 0x6f, - 0x6f, 0x6b, 0x2e, 0x63, 0x6f, 0x6d, 0x82, 0x16, - 0x2a, 0x2e, 0x63, 0x6c, 0x6f, 0x2e, 0x66, 0x6f, - 0x6f, 0x74, 0x70, 0x72, 0x69, 0x6e, 0x74, 0x64, - 0x6e, 0x73, 0x2e, 0x63, 0x6f, 0x6d, 0x82, 0x0d, - 0x2a, 0x2e, 0x68, 0x6f, 0x74, 0x6d, 0x61, 0x69, - 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x82, 0x16, 0x2a, - 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x61, - 0x6c, 0x2e, 0x6f, 0x75, 0x74, 0x6c, 0x6f, 0x6f, - 0x6b, 0x2e, 0x63, 0x6f, 0x6d, 0x82, 0x0a, 0x2a, - 0x2e, 0x6c, 0x69, 0x76, 0x65, 0x2e, 0x63, 0x6f, - 0x6d, 0x82, 0x16, 0x2a, 0x2e, 0x6e, 0x72, 0x62, - 0x2e, 0x66, 0x6f, 0x6f, 0x74, 0x70, 0x72, 0x69, - 0x6e, 0x74, 0x64, 0x6e, 0x73, 0x2e, 0x63, 0x6f, - 0x6d, 0x82, 0x0c, 0x2a, 0x2e, 0x6f, 0x66, 0x66, - 0x69, 0x63, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x82, - 0x0f, 0x2a, 0x2e, 0x6f, 0x66, 0x66, 0x69, 0x63, - 0x65, 0x33, 0x36, 0x35, 0x2e, 0x63, 0x6f, 0x6d, - 0x82, 0x0d, 0x2a, 0x2e, 0x6f, 0x75, 0x74, 0x6c, - 0x6f, 0x6f, 0x6b, 0x2e, 0x63, 0x6f, 0x6d, 0x82, - 0x17, 0x2a, 0x2e, 0x6f, 0x75, 0x74, 0x6c, 0x6f, - 0x6f, 0x6b, 0x2e, 0x6f, 0x66, 0x66, 0x69, 0x63, - 0x65, 0x33, 0x36, 0x35, 0x2e, 0x63, 0x6f, 0x6d, - 0x82, 0x1b, 0x61, 0x74, 0x74, 0x61, 0x63, 0x68, - 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x6f, 0x75, 0x74, - 0x6c, 0x6f, 0x6f, 0x6b, 0x2e, 0x6c, 0x69, 0x76, - 0x65, 0x2e, 0x6e, 0x65, 0x74, 0x82, 0x1d, 0x61, - 0x74, 0x74, 0x61, 0x63, 0x68, 0x6d, 
0x65, 0x6e, - 0x74, 0x2e, 0x6f, 0x75, 0x74, 0x6c, 0x6f, 0x6f, - 0x6b, 0x2e, 0x6f, 0x66, 0x66, 0x69, 0x63, 0x65, - 0x2e, 0x6e, 0x65, 0x74, 0x82, 0x20, 0x61, 0x74, - 0x74, 0x61, 0x63, 0x68, 0x6d, 0x65, 0x6e, 0x74, - 0x2e, 0x6f, 0x75, 0x74, 0x6c, 0x6f, 0x6f, 0x6b, - 0x2e, 0x6f, 0x66, 0x66, 0x69, 0x63, 0x65, 0x70, - 0x70, 0x65, 0x2e, 0x6e, 0x65, 0x74, 0x82, 0x16, - 0x61, 0x74, 0x74, 0x61, 0x63, 0x68, 0x6d, 0x65, - 0x6e, 0x74, 0x73, 0x2e, 0x6f, 0x66, 0x66, 0x69, - 0x63, 0x65, 0x2e, 0x6e, 0x65, 0x74, 0x82, 0x1a, - 0x61, 0x74, 0x74, 0x61, 0x63, 0x68, 0x6d, 0x65, - 0x6e, 0x74, 0x73, 0x2d, 0x73, 0x64, 0x66, 0x2e, - 0x6f, 0x66, 0x66, 0x69, 0x63, 0x65, 0x2e, 0x6e, - 0x65, 0x74, 0x82, 0x1d, 0x63, 0x63, 0x73, 0x2e, - 0x6c, 0x6f, 0x67, 0x69, 0x6e, 0x2e, 0x6d, 0x69, - 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x6f, - 0x6e, 0x6c, 0x69, 0x6e, 0x65, 0x2e, 0x63, 0x6f, - 0x6d, 0x82, 0x21, 0x63, 0x63, 0x73, 0x2d, 0x73, - 0x64, 0x66, 0x2e, 0x6c, 0x6f, 0x67, 0x69, 0x6e, - 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, - 0x66, 0x74, 0x6f, 0x6e, 0x6c, 0x69, 0x6e, 0x65, - 0x2e, 0x63, 0x6f, 0x6d, 0x82, 0x0b, 0x68, 0x6f, - 0x74, 0x6d, 0x61, 0x69, 0x6c, 0x2e, 0x63, 0x6f, - 0x6d, 0x82, 0x16, 0x6d, 0x61, 0x69, 0x6c, 0x2e, - 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x73, - 0x2e, 0x6c, 0x69, 0x76, 0x65, 0x2e, 0x63, 0x6f, - 0x6d, 0x82, 0x0d, 0x6f, 0x66, 0x66, 0x69, 0x63, - 0x65, 0x33, 0x36, 0x35, 0x2e, 0x63, 0x6f, 0x6d, - 0x82, 0x12, 0x6f, 0x75, 0x74, 0x6c, 0x6f, 0x6f, - 0x6b, 0x2e, 0x6f, 0x66, 0x66, 0x69, 0x63, 0x65, - 0x2e, 0x63, 0x6f, 0x6d, 0x82, 0x14, 0x73, 0x75, - 0x62, 0x73, 0x74, 0x72, 0x61, 0x74, 0x65, 0x2e, - 0x6f, 0x66, 0x66, 0x69, 0x63, 0x65, 0x2e, 0x63, - 0x6f, 0x6d, 0x82, 0x18, 0x73, 0x75, 0x62, 0x73, - 0x74, 0x72, 0x61, 0x74, 0x65, 0x2d, 0x73, 0x64, - 0x66, 0x2e, 0x6f, 0x66, 0x66, 0x69, 0x63, 0x65, - 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1d, 0x06, 0x03, - 0x55, 0x1d, 0x25, 0x04, 0x16, 0x30, 0x14, 0x06, - 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, - 0x01, 0x06, 0x08, 0x2b, 0x06, 0x01, 
0x05, 0x05, - 0x07, 0x03, 0x02, 0x30, 0x1f, 0x06, 0x03, 0x55, - 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, - 0x68, 0x86, 0xb8, 0x7d, 0x7a, 0xd9, 0x6d, 0x49, - 0x6b, 0x87, 0x2f, 0x18, 0x8b, 0x15, 0x34, 0x6c, - 0xd7, 0xb4, 0x7a, 0x0e, 0x30, 0x1d, 0x06, 0x03, - 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x8a, - 0x7c, 0x73, 0x44, 0x70, 0xa8, 0x4d, 0x83, 0x25, - 0x6f, 0xa6, 0x53, 0xda, 0x42, 0x52, 0x96, 0xc9, - 0x15, 0x71, 0x21, 0x30, 0x82, 0x01, 0x7c, 0x06, - 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0xd6, 0x79, - 0x02, 0x04, 0x02, 0x04, 0x82, 0x01, 0x6c, 0x04, - 0x82, 0x01, 0x68, 0x01, 0x66, 0x00, 0x76, 0x00, - 0x22, 0x45, 0x45, 0x07, 0x59, 0x55, 0x24, 0x56, - 0x96, 0x3f, 0xa1, 0x2f, 0xf1, 0xf7, 0x6d, 0x86, - 0xe0, 0x23, 0x26, 0x63, 0xad, 0xc0, 0x4b, 0x7f, - 0x5d, 0xc6, 0x83, 0x5c, 0x6e, 0xe2, 0x0f, 0x02, - 0x00, 0x00, 0x01, 0x73, 0xea, 0x1e, 0x7d, 0x2f, - 0x00, 0x00, 0x04, 0x03, 0x00, 0x47, 0x30, 0x45, - 0x02, 0x21, 0x00, 0xf4, 0x50, 0x8f, 0xe7, 0x38, - 0xc9, 0x7a, 0xd1, 0xf7, 0xf7, 0x69, 0xc5, 0x05, - 0xea, 0x8e, 0x03, 0x80, 0x2c, 0x87, 0x06, 0x03, - 0xb6, 0x9b, 0xe6, 0xa5, 0x83, 0x2f, 0xb9, 0xaf, - 0x7b, 0xb4, 0xac, 0x02, 0x20, 0x51, 0xa6, 0x8f, - 0xe8, 0xe5, 0x6c, 0xa7, 0xff, 0x16, 0x01, 0x7e, - 0x15, 0x42, 0x11, 0x31, 0xdc, 0xdc, 0xc7, 0x37, - 0x7c, 0x64, 0x2c, 0xac, 0xdd, 0x42, 0xbb, 0x3c, - 0x79, 0x31, 0x74, 0xcc, 0x9d, 0x00, 0x75, 0x00, - 0x29, 0x79, 0xbe, 0xf0, 0x9e, 0x39, 0x39, 0x21, - 0xf0, 0x56, 0x73, 0x9f, 0x63, 0xa5, 0x77, 0xe5, - 0xbe, 0x57, 0x7d, 0x9c, 0x60, 0x0a, 0xf8, 0xf9, - 0x4d, 0x5d, 0x26, 0x5c, 0x25, 0x5d, 0xc7, 0x84, - 0x00, 0x00, 0x01, 0x73, 0xea, 0x1e, 0x7a, 0xa7, - 0x00, 0x00, 0x04, 0x03, 0x00, 0x46, 0x30, 0x44, - 0x02, 0x20, 0x03, 0xf1, 0x19, 0xd7, 0x0f, 0x2f, - 0xc4, 0xa9, 0x84, 0xa0, 0x33, 0xd4, 0x76, 0xa6, - 0xee, 0xf1, 0xae, 0xe0, 0x03, 0xe7, 0xae, 0x98, - 0x43, 0x17, 0xb0, 0x0f, 0xfb, 0x12, 0xbb, 0x13, - 0xda, 0x34, 0x02, 0x20, 0x10, 0xe6, 0xa9, 0x1d, - 0x8b, 0x1c, 0x64, 0xd4, 0xc9, 0xf7, 0xc0, 0x3d, - 0x3c, 0x77, 0x49, 0xb1, 0x08, 0x3d, 
0x1d, 0x5e, - 0x34, 0xf9, 0xd9, 0x10, 0x7c, 0x74, 0x6b, 0x18, - 0xc6, 0x5e, 0x6d, 0x07, 0x00, 0x75, 0x00, 0x55, - 0x81, 0xd4, 0xc2, 0x16, 0x90, 0x36, 0x01, 0x4a, - 0xea, 0x0b, 0x9b, 0x57, 0x3c, 0x53, 0xf0, 0xc0, - 0xe4, 0x38, 0x78, 0x70, 0x25, 0x08, 0x17, 0x2f, - 0xa3, 0xaa, 0x1d, 0x07, 0x13, 0xd3, 0x0c, 0x00, - 0x00, 0x01, 0x73, 0xea, 0x1e, 0x7d, 0xae, 0x00, - 0x00, 0x04, 0x03, 0x00, 0x46, 0x30, 0x44, 0x02, - 0x20, 0x26, 0x21, 0x64, 0xdb, 0xa6, 0xe2, 0x3d, - 0x32, 0x7d, 0x9f, 0xa8, 0xae, 0xb7, 0x29, 0xb7, - 0x42, 0x9b, 0x49, 0xaa, 0xf5, 0xa5, 0xc0, 0x12, - 0x01, 0xa1, 0xb6, 0xe7, 0xf2, 0x01, 0xd4, 0x2f, - 0x45, 0x02, 0x20, 0x4e, 0x19, 0xba, 0x47, 0x75, - 0x8b, 0x49, 0xd7, 0x4b, 0xba, 0x04, 0x62, 0xdd, - 0xa2, 0xb7, 0x6b, 0x05, 0xd0, 0x01, 0x1f, 0x7c, - 0x36, 0x17, 0x27, 0x29, 0xb2, 0x17, 0x1c, 0x7f, - 0x10, 0x81, 0x8a, 0x30, 0x0d, 0x06, 0x09, 0x2a, - 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, - 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x26, - 0xf4, 0xa3, 0x77, 0x1d, 0xdc, 0x9e, 0xc4, 0x1a, - 0x88, 0x23, 0x30, 0x8c, 0xe1, 0x14, 0xf9, 0x62, - 0x0e, 0xbf, 0xad, 0x24, 0xc9, 0xab, 0xab, 0xd0, - 0x68, 0x8b, 0xbc, 0xf1, 0xec, 0x1c, 0xd0, 0x96, - 0xad, 0xf9, 0x5f, 0xdd, 0xe0, 0xee, 0xa8, 0xe0, - 0x2c, 0x3a, 0x19, 0xa5, 0x68, 0x0c, 0x6e, 0xfe, - 0xe6, 0x80, 0xce, 0xa3, 0x3b, 0x6c, 0x00, 0x88, - 0x5c, 0xbf, 0x3c, 0xd8, 0x68, 0x08, 0x36, 0xb9, - 0x9e, 0x84, 0x9b, 0x5f, 0x97, 0xfb, 0x77, 0xea, - 0x72, 0xfb, 0x73, 0x47, 0x00, 0xb0, 0xa8, 0x7c, - 0x64, 0x38, 0xf1, 0xcc, 0xc0, 0x29, 0x71, 0x67, - 0x65, 0x76, 0x4c, 0x80, 0x58, 0x97, 0xc8, 0x62, - 0x63, 0x3e, 0xf1, 0x3e, 0xc0, 0x0e, 0x48, 0x5f, - 0x55, 0x21, 0x8f, 0x96, 0x68, 0xbd, 0x41, 0x14, - 0x7a, 0x0b, 0x8c, 0x31, 0x5b, 0x39, 0xac, 0xa3, - 0xa0, 0x99, 0x58, 0x24, 0xfa, 0xd9, 0x19, 0x32, - 0x1c, 0x9f, 0x2d, 0xa9, 0xed, 0xb9, 0x97, 0xa4, - 0x66, 0x30, 0x29, 0xd8, 0x82, 0xa2, 0xf5, 0xfc, - 0x6d, 0x10, 0xf1, 0xac, 0x1d, 0x3f, 0xfb, 0xde, - 0xa1, 0x0e, 0xb6, 0x84, 0x90, 0xd4, 0x55, 0x5c, - 0x21, 0x1b, 0x1f, 0x21, 0x45, 0x92, 
0xc5, 0x9a, - 0x47, 0x05, 0x0f, 0xb8, 0x1c, 0x78, 0x6e, 0xb9, - 0x6b, 0xa3, 0xa9, 0x8d, 0xb1, 0x59, 0xff, 0xf4, - 0xe6, 0x71, 0x77, 0x38, 0x12, 0xfe, 0x41, 0x8f, - 0x04, 0x92, 0x08, 0x3f, 0x32, 0x2a, 0x92, 0x5e, - 0x0a, 0x7b, 0x7e, 0x04, 0xee, 0x24, 0x10, 0x39, - 0xf3, 0xac, 0x5e, 0x04, 0x93, 0x91, 0xa2, 0x8f, - 0x90, 0x04, 0x33, 0x5c, 0x5c, 0x94, 0xb3, 0x80, - 0x2b, 0x43, 0xbf, 0xe3, 0x74, 0x64, 0x20, 0xf4, - 0x00, 0xb2, 0x6c, 0x7b, 0xa8, 0x77, 0xfb, 0x74, - 0x35, 0xce, 0xdd, 0xb6, 0x5f, 0x83, 0x18, 0xc4, - 0xe7, 0x31, 0x1a, 0x8d, 0x30, 0x0d, 0xc4, 0x00, - 0x04, 0x8f, 0x30, 0x82, 0x04, 0x8b, 0x30, 0x82, - 0x03, 0x73, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, - 0x0e, 0x47, 0x07, 0xb1, 0x01, 0x9a, 0x0c, 0x57, - 0xad, 0x39, 0xb3, 0xe1, 0x7d, 0xa9, 0xf9, 0x30, - 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, - 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x57, - 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, - 0x06, 0x13, 0x02, 0x42, 0x45, 0x31, 0x19, 0x30, - 0x17, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x10, - 0x47, 0x6c, 0x6f, 0x62, 0x61, 0x6c, 0x53, 0x69, - 0x67, 0x6e, 0x20, 0x6e, 0x76, 0x2d, 0x73, 0x61, - 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, - 0x0b, 0x13, 0x07, 0x52, 0x6f, 0x6f, 0x74, 0x20, - 0x43, 0x41, 0x31, 0x1b, 0x30, 0x19, 0x06, 0x03, - 0x55, 0x04, 0x03, 0x13, 0x12, 0x47, 0x6c, 0x6f, - 0x62, 0x61, 0x6c, 0x53, 0x69, 0x67, 0x6e, 0x20, - 0x52, 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x41, 0x30, - 0x1e, 0x17, 0x0d, 0x31, 0x35, 0x30, 0x39, 0x30, - 0x34, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, - 0x17, 0x0d, 0x32, 0x35, 0x30, 0x39, 0x30, 0x34, - 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, - 0x66, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, - 0x04, 0x06, 0x13, 0x02, 0x42, 0x45, 0x31, 0x19, - 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, - 0x10, 0x47, 0x6c, 0x6f, 0x62, 0x61, 0x6c, 0x53, - 0x69, 0x67, 0x6e, 0x20, 0x6e, 0x76, 0x2d, 0x73, - 0x61, 0x31, 0x3c, 0x30, 0x3a, 0x06, 0x03, 0x55, - 0x04, 0x03, 0x13, 0x33, 0x47, 0x6c, 0x6f, 0x62, - 0x61, 0x6c, 0x53, 0x69, 0x67, 0x6e, 
0x20, 0x4f, - 0x72, 0x67, 0x61, 0x6e, 0x69, 0x7a, 0x61, 0x74, - 0x69, 0x6f, 0x6e, 0x20, 0x56, 0x61, 0x6c, 0x69, - 0x64, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x43, - 0x41, 0x20, 0x2d, 0x20, 0x53, 0x48, 0x41, 0x32, - 0x35, 0x36, 0x20, 0x2d, 0x20, 0x47, 0x33, 0x30, - 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, - 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, - 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, - 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, - 0xc9, 0x86, 0xa2, 0x05, 0x3e, 0xec, 0x77, 0x4d, - 0x79, 0x42, 0x81, 0xf2, 0xc5, 0x46, 0xa9, 0xc2, - 0x9b, 0xf9, 0x57, 0xa9, 0x48, 0xdd, 0x3c, 0x3b, - 0xe2, 0x16, 0x47, 0x83, 0x15, 0x0c, 0x36, 0x88, - 0x61, 0xb3, 0xc8, 0xb9, 0xd5, 0x20, 0x97, 0xb6, - 0xfe, 0x07, 0x30, 0x01, 0x9e, 0x01, 0x3a, 0xf9, - 0x50, 0x87, 0xa0, 0x4f, 0x60, 0xcc, 0x90, 0xf6, - 0xdd, 0x1f, 0xa6, 0xc7, 0x55, 0x00, 0x6c, 0x54, - 0x31, 0x5f, 0x02, 0x9a, 0xf7, 0x7f, 0x07, 0x9a, - 0xd2, 0x22, 0x53, 0x05, 0xcd, 0x9f, 0xc7, 0xbb, - 0x7b, 0x59, 0x3b, 0x8a, 0xb2, 0x93, 0x78, 0x0d, - 0x43, 0x02, 0x92, 0x76, 0xa5, 0x29, 0xf8, 0x7c, - 0x9d, 0x5c, 0x3a, 0xa2, 0xf8, 0x52, 0x72, 0x22, - 0x45, 0x91, 0xfd, 0x90, 0x12, 0x28, 0x4d, 0x75, - 0xe4, 0xdd, 0xaa, 0x79, 0x58, 0x68, 0x6f, 0x2a, - 0x7e, 0x7b, 0xef, 0xd1, 0x9e, 0x7f, 0x52, 0xdc, - 0xcb, 0x1c, 0x48, 0xe2, 0x3e, 0x4d, 0x5c, 0x47, - 0x7a, 0xb4, 0xf1, 0xce, 0xff, 0xd9, 0x60, 0x2b, - 0x77, 0xd1, 0x62, 0x22, 0x2d, 0xa9, 0x5a, 0x06, - 0x16, 0xee, 0x37, 0x6a, 0x51, 0xcf, 0x8e, 0xa5, - 0xd1, 0x6e, 0x70, 0x4a, 0xf0, 0xd8, 0x63, 0x60, - 0x6a, 0x72, 0x55, 0xd7, 0xf1, 0x99, 0x38, 0x86, - 0x44, 0x67, 0x18, 0xe0, 0x71, 0x8e, 0xc1, 0x40, - 0x6d, 0x85, 0xda, 0x4b, 0xdd, 0x31, 0x73, 0xbc, - 0x32, 0xcc, 0x6f, 0x8e, 0x7b, 0xb9, 0x8d, 0x4b, - 0x80, 0xda, 0xb9, 0xc7, 0xc6, 0x24, 0x83, 0x5e, - 0x32, 0xfb, 0x87, 0xe9, 0x8b, 0x61, 0x67, 0xa2, - 0x99, 0x76, 0xdb, 0xa5, 0xaa, 0xb4, 0xe8, 0x6c, - 0x41, 0x9f, 0x5f, 0x2a, 0xb3, 0xd5, 0x7d, 0xd7, - 0x92, 0xc8, 0x27, 0x4b, 0xec, 0x1f, 0xda, 0x05, - 0x6d, 0x88, 0x73, 0x8f, 0x06, 0xb2, 
0x38, 0x3d, - 0x03, 0xa2, 0xe1, 0x87, 0x86, 0x3c, 0xc6, 0xa1, - 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, - 0x44, 0x30, 0x82, 0x01, 0x40, 0x30, 0x0e, 0x06, - 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, - 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x1d, 0x06, - 0x03, 0x55, 0x1d, 0x25, 0x04, 0x16, 0x30, 0x14, - 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, - 0x03, 0x01, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, - 0x05, 0x07, 0x03, 0x02, 0x30, 0x12, 0x06, 0x03, - 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x08, - 0x30, 0x06, 0x01, 0x01, 0xff, 0x02, 0x01, 0x00, - 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, - 0x16, 0x04, 0x14, 0x68, 0x86, 0xb8, 0x7d, 0x7a, - 0xd9, 0x6d, 0x49, 0x6b, 0x87, 0x2f, 0x18, 0x8b, - 0x15, 0x34, 0x6c, 0xd7, 0xb4, 0x7a, 0x0e, 0x30, - 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, - 0x30, 0x16, 0x80, 0x14, 0x60, 0x7b, 0x66, 0x1a, - 0x45, 0x0d, 0x97, 0xca, 0x89, 0x50, 0x2f, 0x7d, - 0x04, 0xcd, 0x34, 0xa8, 0xff, 0xfc, 0xfd, 0x4b, - 0x30, 0x3d, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, - 0x05, 0x07, 0x01, 0x01, 0x04, 0x31, 0x30, 0x2f, - 0x30, 0x2d, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, - 0x05, 0x07, 0x30, 0x01, 0x86, 0x21, 0x68, 0x74, - 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x6f, 0x63, 0x73, - 0x70, 0x2e, 0x67, 0x6c, 0x6f, 0x62, 0x61, 0x6c, - 0x73, 0x69, 0x67, 0x6e, 0x2e, 0x63, 0x6f, 0x6d, - 0x2f, 0x72, 0x6f, 0x6f, 0x74, 0x72, 0x31, 0x30, - 0x33, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x2c, - 0x30, 0x2a, 0x30, 0x28, 0xa0, 0x26, 0xa0, 0x24, - 0x86, 0x22, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, - 0x2f, 0x63, 0x72, 0x6c, 0x2e, 0x67, 0x6c, 0x6f, - 0x62, 0x61, 0x6c, 0x73, 0x69, 0x67, 0x6e, 0x2e, - 0x63, 0x6f, 0x6d, 0x2f, 0x72, 0x6f, 0x6f, 0x74, - 0x2e, 0x63, 0x72, 0x6c, 0x30, 0x47, 0x06, 0x03, - 0x55, 0x1d, 0x20, 0x04, 0x40, 0x30, 0x3e, 0x30, - 0x3c, 0x06, 0x04, 0x55, 0x1d, 0x20, 0x00, 0x30, - 0x34, 0x30, 0x32, 0x06, 0x08, 0x2b, 0x06, 0x01, - 0x05, 0x05, 0x07, 0x02, 0x01, 0x16, 0x26, 0x68, - 0x74, 0x74, 0x70, 0x73, 0x3a, 0x2f, 0x2f, 0x77, - 0x77, 0x77, 0x2e, 0x67, 0x6c, 0x6f, 
0x62, 0x61,
- 0x6c, 0x73, 0x69, 0x67, 0x6e, 0x2e, 0x63, 0x6f,
- 0x6d, 0x2f, 0x72, 0x65, 0x70, 0x6f, 0x73, 0x69,
- 0x74, 0x6f, 0x72, 0x79, 0x2f, 0x30, 0x0d, 0x06,
- 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
- 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01,
- 0x00, 0x9a, 0xb9, 0x82, 0x1c, 0xdd, 0x83, 0x83,
- 0x8b, 0x92, 0xc0, 0xc4, 0xed, 0x01, 0xad, 0x84,
- 0xfc, 0x4e, 0xee, 0x6d, 0x9c, 0x1d, 0x01, 0xfa,
- 0x52, 0x14, 0xdb, 0xd8, 0xc2, 0x10, 0x63, 0x9f,
- 0x6b, 0x39, 0x9a, 0xc7, 0x1c, 0x3c, 0xa0, 0xaa,
- 0xe3, 0x19, 0x3a, 0xfc, 0x64, 0x46, 0x2a, 0xef,
- 0x35, 0x26, 0x03, 0xf6, 0x05, 0x67, 0xfa, 0x6e,
- 0x74, 0xe1, 0x46, 0xfb, 0x40, 0xd8, 0x6f, 0xae,
- 0x2d, 0x39, 0x21, 0x74, 0x86, 0x9f, 0x00, 0x05,
- 0x1a, 0x3f, 0x2f, 0x93, 0x5b, 0xd4, 0xa4, 0x45,
- 0xbc, 0x3d, 0x0c, 0x29, 0x17, 0x5a, 0xd3, 0xfb,
- 0x68, 0xa6, 0x0f, 0xe0, 0x00, 0x68, 0x79, 0xb0,
- 0x4c, 0xb1, 0x45, 0x8b, 0xc8, 0x85, 0x8c, 0x67,
- 0x0e, 0x8c, 0x7d, 0x54, 0xf8, 0xb0, 0x75, 0xce,
- 0x0a, 0xac, 0x1d, 0xd7, 0x6b, 0x44, 0xac, 0xfe,
- 0x1b, 0xd4, 0xa6, 0x98, 0x21, 0x09, 0x3e, 0xa2,
- 0x4b, 0x33, 0xba, 0xba, 0x4b, 0x12, 0xa8, 0x6b,
- 0x57, 0x27, 0x9d, 0xfa, 0x94, 0x80, 0xb4, 0x68,
- 0x4c, 0x77, 0x60, 0xff, 0xd7, 0x29, 0x5a, 0x38,
- 0x3d, 0xce, 0x2d, 0x4b, 0x08, 0x56, 0x9f, 0x69,
- 0xcb, 0x7b, 0xd8, 0xe2, 0x36, 0xf9, 0x37, 0x69,
- 0xc5, 0xce, 0x36, 0x97, 0x1c, 0xba, 0x0d, 0x3f,
- 0x15, 0xb3, 0x65, 0xa0, 0xec, 0x74, 0x12, 0xbd,
- 0xb3, 0xad, 0xe8, 0xde, 0x9e, 0xa1, 0xec, 0xd3,
- 0xbf, 0xa9, 0xe0, 0xa5, 0x91, 0x6d, 0x83, 0x59,
- 0x12, 0x56, 0x2f, 0x13, 0xa6, 0x7e, 0x79, 0x73,
- 0xa1, 0xa3, 0x89, 0xd5, 0xe1, 0xa5, 0x8c, 0xce,
- 0x2d, 0xac, 0x8a, 0xcf, 0x62, 0x16, 0x65, 0xcd,
- 0xd9, 0xee, 0xa8, 0xb6, 0x40, 0x08, 0xb5, 0x7c,
- 0x50, 0xf9, 0x37, 0x82, 0x7a, 0xa4, 0x0b, 0x34,
- 0x66, 0xec, 0xe9, 0x97, 0x57, 0x1f, 0x8a, 0x67,
- 0x3e, 0x81, 0xbc, 0x3b, 0x35, 0xd3, 0x2a, 0x48,
- 0x0c, 0x0c, 0x00, 0x01, 0x69, 0x03, 0x00, 0x18,
- 0x61, 0x04, 0xb7, 0xa9, 0xbd, 0x74, 0x71, 0xd5,
- 0x68, 0xbf, 0xd8, 0xa6, 0x84, 0x12, 0xaf, 0x8f,
- 0xd4, 0x2c, 0xcf, 0xf9, 0x72, 0x2b, 0x8c, 0x6c,
- 0x73, 0xa3, 0x13, 0x74, 0xdb, 0x83, 0x3e, 0xa6,
- 0xf4, 0x1b, 0xee, 0xa9, 0x34, 0xe5, 0x65, 0xa7,
- 0xaf, 0xef, 0xf2, 0xac, 0xfb, 0x87, 0xb4, 0xdb,
- 0x8b, 0x05, 0x4f, 0xe8, 0x25, 0x3d, 0x32, 0x65,
- 0xda, 0x47, 0xd8, 0xd2, 0x86, 0xad, 0x9b, 0x37,
- 0xbc, 0x45, 0xef, 0xb6, 0x91, 0xa2, 0x71, 0x2f,
- 0x13, 0x68, 0xfa, 0xa7, 0x20, 0xe4, 0x8a, 0xa8,
- 0x9b, 0xbe, 0xf6, 0x7c, 0xc8, 0x16, 0xd4, 0x50,
- 0x9d, 0x63, 0xb3, 0xf4, 0x6e, 0xd3, 0x8f, 0x32,
- 0x68, 0x66, 0x04, 0x01, 0x01, 0x00, 0xaa, 0xcb,
- 0x90, 0xbd, 0x94, 0x10, 0xab, 0xfc, 0x30, 0x1d,
- 0x68, 0x1c, 0xb4, 0x21, 0xcf, 0x73, 0xa5, 0x4b,
- 0x20, 0x94, 0xde, 0x66, 0x99, 0x54, 0x3f, 0xba,
- 0x40, 0x58, 0x50, 0xe3, 0x64, 0x53, 0x90, 0x9e,
- 0xf8, 0x67, 0xcc, 0x85, 0x4a, 0xdc, 0xd8, 0xd7,
- 0xc8, 0xb5, 0xe0, 0x92, 0x02, 0x6b, 0xa8, 0x76,
- 0x67, 0xc5, 0xae, 0x12, 0x56, 0xff, 0xd1, 0xda,
- 0xc0, 0x48, 0x17, 0x99, 0xc9, 0xbe, 0x02, 0xc6,
- 0x9e, 0x5c, 0xd9, 0x44, 0x3f, 0x06, 0xbd, 0x98,
- 0xe3, 0x4d, 0x46, 0x10, 0xe8, 0x20, 0xed, 0x7b,
- 0xcd, 0x73, 0xed, 0x03, 0x6a, 0x4c, 0x49, 0xaf,
- 0xbe, 0xa3, 0xe0, 0xab, 0x9a, 0xb8, 0xf8, 0x06,
- 0x25, 0x31, 0x8d, 0x32, 0x44, 0xfd, 0xd6, 0xb0,
- 0xd4, 0x6c, 0x9a, 0x2a, 0x0f, 0xab, 0xe2, 0x13,
- 0x10, 0x6d, 0x41, 0x0b, 0x97, 0x74, 0xa0, 0x04,
- 0x16, 0x60, 0xf1, 0x8e, 0x74, 0xf3, 0x91, 0x75,
- 0x2b, 0x92, 0x2b, 0xc7, 0x5b, 0x6f, 0x1d, 0x70,
- 0xe2, 0xc6, 0x9a, 0x7d, 0x66, 0x55, 0x98, 0x01,
- 0x71, 0xb8, 0xdd, 0xf4, 0x70, 0xc9, 0x74, 0x56,
- 0xcc, 0xa5, 0x2c, 0x51, 0x70, 0x72, 0xc2, 0x44,
- 0xb9, 0x59, 0xc3, 0xc3, 0xf8, 0x29, 0x4e, 0x79,
- 0x40, 0x9b, 0x30, 0x35, 0x66, 0xb2, 0xd8, 0x7d,
- 0xfe, 0x65, 0x6b, 0xf0, 0x17, 0xa3, 0x13, 0xc7,
- 0xc7, 0xc6, 0x48, 0xb2, 0xae, 0x4f, 0x26, 0x0b,
- 0x8a, 0x40, 0xaa, 0x06, 0x65, 0x8a, 0x95, 0x00,
- 0xc4, 0xc9, 0xfd, 0x69, 0x0a, 0xa9, 0x0a, 0x18,
- 0xff, 0x95, 0x40, 0xab, 0x84, 0x75, 0xfe, 0x11,
- 0xb1, 0x6f, 0xca, 0x5e, 0xf7, 0xe4, 0x1d, 0x8d,
- 0x08, 0x1c, 0xd3, 0x95, 0xf4, 0x9b, 0x17, 0x41,
- 0xa8, 0x8f, 0x6e, 0xfa, 0x6c, 0x43, 0x60, 0x39,
- 0x0a, 0xa2, 0x7e, 0xdf, 0x3e, 0x74, 0xc2, 0xbf,
- 0xaf, 0x96, 0x96, 0xbd, 0x21, 0x4b, 0x0d, 0x00,
- 0x00, 0x1a, 0x03, 0x01, 0x02, 0x40, 0x00, 0x12,
- 0x04, 0x01, 0x05, 0x01, 0x02, 0x01, 0x04, 0x03,
- 0x05, 0x03, 0x02, 0x03, 0x02, 0x02, 0x06, 0x01,
- 0x06, 0x03, 0x00, 0x00, 0x0e, 0x00, 0x00, 0x00,
-};
-
-struct tlslegacy_client_test {
- const unsigned char *desc;
- unsigned char *server_response;
- const size_t server_response_len;
- const SSL_METHOD *(*ssl_method)(void);
- int want_state;
-};
-
-static struct tlslegacy_client_test tlslegacy_client_tests[] = {
- {
- .desc = "TLSv1.2 legacy fallback",
- .server_response = tls12_server_response,
- .server_response_len = sizeof(tls12_server_response),
- .ssl_method = TLS_client_method,
- .want_state = SSL3_ST_CR_CERT_A,
- },
- {
- .desc = "TLSv1.2 legacy fallback with server cert",
- .server_response = tls12_server_response_with_cert,
- .server_response_len = sizeof(tls12_server_response_with_cert),
- .ssl_method = TLS_client_method,
- .want_state = SSL3_ST_CR_KEY_EXCH_B,
- },
-};
-
-#define N_TLSLEGACY_CLIENT_TESTS \
- (sizeof(tlslegacy_client_tests) / sizeof(*tlslegacy_client_tests))
-
-static int
-tlslegacy_client_test(int testno, struct tlslegacy_client_test *tct)
-{
- BIO *rbio = NULL, *wbio = NULL;
- SSL_CTX *ssl_ctx = NULL;
- SSL *ssl = NULL;
- int ret = 1;
-
- fprintf(stderr, "Test %d - %s\n", testno, tct->desc);
-
- if ((rbio = BIO_new_mem_buf(tct->server_response,
- tct->server_response_len)) == NULL) {
- fprintf(stderr, "Failed to setup rbio\n");
- goto failure;
- }
- if ((wbio = BIO_new(BIO_s_mem())) == NULL) {
- fprintf(stderr, "Failed to setup wbio\n");
- goto failure;
- }
-
- if ((ssl_ctx = SSL_CTX_new(tct->ssl_method())) == NULL) {
- fprintf(stderr, "SSL_CTX_new() returned NULL\n");
- goto failure;
- }
-
- if ((ssl = SSL_new(ssl_ctx)) == NULL) {
- fprintf(stderr, "SSL_new() returned NULL\n");
- goto failure;
- }
-
- BIO_up_ref(rbio);
- BIO_up_ref(wbio);
- SSL_set_bio(ssl, rbio, wbio);
-
- if (SSL_connect(ssl) == 1) {
- fprintf(stderr, "SSL_connect() succeeded\n");
- goto failure;
- }
-
- if (SSL_state(ssl) != tct->want_state) {
- fprintf(stderr, "FAIL: Got SSL state %x, want %x",
- SSL_state(ssl), tct->want_state);
- goto failure;
- }
-
- ret = 0;
-
- failure:
- SSL_CTX_free(ssl_ctx);
- SSL_free(ssl);
-
- BIO_free(rbio);
- BIO_free(wbio);
-
- return (ret);
-}
-
-int
-main(int argc, char **argv)
-{
- int failed = 0;
- size_t i;
-
- for (i = 0; i < N_TLSLEGACY_CLIENT_TESTS; i++)
- failed |= tlslegacy_client_test(i, &tlslegacy_client_tests[i]);
-
- return (failed);
-}
diff --git a/src/regress/lib/libssl/unit/Makefile b/src/regress/lib/libssl/unit/Makefile
deleted file mode 100644
index 6a925069ca..0000000000
--- a/src/regress/lib/libssl/unit/Makefile
+++ /dev/null
@@ -1,21 +0,0 @@
-# $OpenBSD: Makefile,v 1.16 2023/05/24 09:15:14 tb Exp $
-
-PROGS += cipher_list
-PROGS += ssl_get_shared_ciphers
-PROGS += ssl_methods
-PROGS += ssl_set_alpn_protos
-PROGS += ssl_verify_param
-PROGS += ssl_versions
-PROGS += tls_ext_alpn
-PROGS += tls_prf
-
-WARNINGS= Yes
-LDADD = ${SSL_INT} -lcrypto
-DPADD = ${LIBSSL} ${LIBCRYPTO}
-CFLAGS+= -DLIBRESSL_INTERNAL -Wall -Wundef -Werror
-CFLAGS+= -DCERTSDIR=\"${.CURDIR}/../certs\"
-CFLAGS+= -I${.CURDIR}/../../../../lib/libssl
-
-LDADD_ssl_verify_param = ${LIBSSL} ${CRYPTO_INT}
-
-.include
diff --git a/src/regress/lib/libssl/unit/cipher_list.c b/src/regress/lib/libssl/unit/cipher_list.c
deleted file mode 100644
index c715f60e0b..0000000000
--- a/src/regress/lib/libssl/unit/cipher_list.c
+++ /dev/null
@@ -1,231 +0,0 @@
-/* $OpenBSD: cipher_list.c,v 1.14 2022/12/17 16:05:28 jsing Exp $ */
-/*
- * Copyright (c) 2015 Doug Hogan
- * Copyright (c) 2015 Joel Sing
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * Test TLS ssl bytes (aka cipher suites) to cipher list and back.
- *
- * TLSv1.0 - RFC 2246 section 7.4.1.2 (ClientHello struct)
- * TLSv1.1 - RFC 4346 section 7.4.1.2 (ClientHello struct)
- * TLSv1.2 - RFC 5246 section 7.4.1.2 (ClientHello struct)
- *
- * In all of these standards, the relevant structures are:
- *
- * uint8 CipherSuite[2];
- *
- * struct {
- * ...
- * CipherSuite cipher_suites<2..2^16-2>
- * ...
- * } ClientHello;
- */
-
-#include
-
-#include
-#include
-
-#include "ssl_local.h"
-
-#include "tests.h"
-
-static uint8_t cipher_bytes[] = {
- 0xcc, 0xa8, /* ECDHE-ECDSA-CHACHA20-POLY1305 */
- 0xcc, 0xa9, /* ECDHE-RSA-CHACHA20-POLY1305 */
- 0xcc, 0xaa, /* DHE-RSA-CHACHA20-POLY1305 */
- 0x00, 0x9c, /* AES128-GCM-SHA256 */
- 0x00, 0x3d, /* AES256-SHA256 */
-};
-
-static uint8_t cipher_bytes_seclevel3[] = {
- 0xcc, 0xa8, /* ECDHE-ECDSA-CHACHA20-POLY1305 */
- 0xcc, 0xa9, /* ECDHE-RSA-CHACHA20-POLY1305 */
- 0xcc, 0xaa, /* DHE-RSA-CHACHA20-POLY1305 */
-};
-
-static uint16_t cipher_values[] = {
- 0xcca8, /* ECDHE-ECDSA-CHACHA20-POLY1305 */
- 0xcca9, /* ECDHE-RSA-CHACHA20-POLY1305 */
- 0xccaa, /* DHE-RSA-CHACHA20-POLY1305 */
- 0x009c, /* AES128-GCM-SHA256 */
- 0x003d, /* AES256-SHA256 */
-};
-
-#define N_CIPHERS (sizeof(cipher_bytes) / 2)
-
-static int
-ssl_bytes_to_list_alloc(SSL *s, STACK_OF(SSL_CIPHER) **ciphers)
-{
- SSL_CIPHER *cipher;
- uint16_t value;
- CBS cbs;
- int i;
-
- CBS_init(&cbs, cipher_bytes, sizeof(cipher_bytes));
-
- *ciphers = ssl_bytes_to_cipher_list(s, &cbs);
- CHECK(*ciphers != NULL);
- CHECK(sk_SSL_CIPHER_num(*ciphers) == N_CIPHERS);
- for (i = 0; i < sk_SSL_CIPHER_num(*ciphers); i++) {
- cipher = sk_SSL_CIPHER_value(*ciphers, i);
- CHECK(cipher != NULL);
- value = SSL_CIPHER_get_value(cipher);
- CHECK(value == cipher_values[i]);
- }
-
- return 1;
-}
-
-static int
-ssl_list_to_bytes_scsv(SSL *s, STACK_OF(SSL_CIPHER) **ciphers,
- const uint8_t *cb, size_t cb_len)
-{
- CBB cbb;
- unsigned char *buf = NULL;
- size_t buflen, outlen;
- int ret = 0;
-
- /* Space for cipher bytes, plus reneg SCSV and two spare bytes. */
- CHECK(sk_SSL_CIPHER_num(*ciphers) == N_CIPHERS);
- buflen = cb_len + 2 + 2;
- CHECK((buf = calloc(1, buflen)) != NULL);
-
- /* Clear renegotiate so it adds SCSV */
- s->renegotiate = 0;
-
- CHECK_GOTO(CBB_init_fixed(&cbb, buf, buflen));
- CHECK_GOTO(ssl_cipher_list_to_bytes(s, *ciphers, &cbb));
- CHECK_GOTO(CBB_finish(&cbb, NULL, &outlen));
-
- CHECK_GOTO(outlen > 0 && outlen == cb_len + 2);
- CHECK_GOTO(memcmp(buf, cb, cb_len) == 0);
- CHECK_GOTO(buf[buflen - 4] == 0x00 && buf[buflen - 3] == 0xff);
- CHECK_GOTO(buf[buflen - 2] == 0x00 && buf[buflen - 1] == 0x00);
-
- ret = 1;
-
- err:
- free(buf);
- return ret;
-}
-
-static int
-ssl_list_to_bytes_no_scsv(SSL *s, STACK_OF(SSL_CIPHER) **ciphers,
- const uint8_t *cb, size_t cb_len)
-{
- CBB cbb;
- unsigned char *buf = NULL;
- size_t buflen, outlen;
- int ret = 0;
-
- /* Space for cipher bytes and two spare bytes */
- CHECK(sk_SSL_CIPHER_num(*ciphers) == N_CIPHERS);
- buflen = cb_len + 2;
- CHECK((buf = calloc(1, buflen)) != NULL);
- buf[buflen - 2] = 0xfe;
- buf[buflen - 1] = 0xab;
-
- /* Set renegotiate so it doesn't add SCSV */
- s->renegotiate = 1;
-
- CHECK_GOTO(CBB_init_fixed(&cbb, buf, buflen));
- CHECK_GOTO(ssl_cipher_list_to_bytes(s, *ciphers, &cbb));
- CHECK_GOTO(CBB_finish(&cbb, NULL, &outlen));
-
- CHECK_GOTO(outlen > 0 && outlen == cb_len);
- CHECK_GOTO(memcmp(buf, cb, cb_len) == 0);
- CHECK_GOTO(buf[buflen - 2] == 0xfe && buf[buflen - 1] == 0xab);
-
- ret = 1;
-
- err:
- free(buf);
- return ret;
-}
-
-static int
-ssl_bytes_to_list_invalid(SSL *s, STACK_OF(SSL_CIPHER) **ciphers)
-{
- uint8_t empty_cipher_bytes[] = {0};
- CBS cbs;
-
- sk_SSL_CIPHER_free(*ciphers);
-
- /* Invalid length: CipherSuite is 2 bytes so it must be even */
- CBS_init(&cbs, cipher_bytes, sizeof(cipher_bytes) - 1);
- *ciphers = ssl_bytes_to_cipher_list(s, &cbs);
- CHECK(*ciphers == NULL);
-
- /* Invalid length: cipher_suites must be at least 2 */
- CBS_init(&cbs, empty_cipher_bytes, sizeof(empty_cipher_bytes));
- *ciphers = ssl_bytes_to_cipher_list(s, &cbs);
- CHECK(*ciphers == NULL);
-
- return 1;
-}
-
-int
-main(void)
-{
- STACK_OF(SSL_CIPHER) *ciphers = NULL;
- SSL_CTX *ctx = NULL;
- SSL *s = NULL;
- int rv = 1;
-
- SSL_library_init();
-
- /* Use TLSv1.2 client to get all ciphers. */
- CHECK_GOTO((ctx = SSL_CTX_new(TLSv1_2_client_method())) != NULL);
- CHECK_GOTO((s = SSL_new(ctx)) != NULL);
- SSL_set_security_level(s, 2);
-
- if (!ssl_bytes_to_list_alloc(s, &ciphers))
- goto err;
- if (!ssl_list_to_bytes_scsv(s, &ciphers, cipher_bytes,
- sizeof(cipher_bytes)))
- goto err;
- if (!ssl_list_to_bytes_no_scsv(s, &ciphers, cipher_bytes,
- sizeof(cipher_bytes)))
- goto err;
- if (!ssl_bytes_to_list_invalid(s, &ciphers))
- goto err;
-
- sk_SSL_CIPHER_free(ciphers);
- ciphers = NULL;
-
- SSL_set_security_level(s, 3);
- if (!ssl_bytes_to_list_alloc(s, &ciphers))
- goto err;
- if (!ssl_list_to_bytes_scsv(s, &ciphers, cipher_bytes_seclevel3,
- sizeof(cipher_bytes_seclevel3)))
- goto err;
- if (!ssl_list_to_bytes_no_scsv(s, &ciphers, cipher_bytes_seclevel3,
- sizeof(cipher_bytes_seclevel3)))
- goto err;
-
- rv = 0;
-
- err:
- sk_SSL_CIPHER_free(ciphers);
- SSL_CTX_free(ctx);
- SSL_free(s);
-
- if (!rv)
- printf("PASS %s\n", __FILE__);
-
- return rv;
-}
diff --git a/src/regress/lib/libssl/unit/ssl_get_shared_ciphers.c b/src/regress/lib/libssl/unit/ssl_get_shared_ciphers.c
deleted file mode 100644
index e26f614e53..0000000000
--- a/src/regress/lib/libssl/unit/ssl_get_shared_ciphers.c
+++ /dev/null
@@ -1,478 +0,0 @@
-/* $OpenBSD: ssl_get_shared_ciphers.c,v 1.13 2024/08/31 12:47:24 jsing Exp $ */
-/*
- * Copyright (c) 2021 Theo Buehler
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include
-#include
-#include
-#include
-
-#include
-#include
-#include
-#include
-
-struct peer_config {
- const char *name;
- int server;
- uint16_t max_version;
- uint16_t min_version;
- const char *ciphers;
-};
-
-struct ssl_shared_ciphers_test_data {
- const char *description;
- struct peer_config client_config;
- struct peer_config server_config;
- const char *shared_ciphers;
- const char *shared_ciphers_without_aesni;
-};
-
-char *server_cert;
-char *server_key;
-
-static const struct ssl_shared_ciphers_test_data ssl_shared_ciphers_tests[] = {
- {
- .description = "TLSv1.3 defaults",
- .client_config = {
- .name = "client",
- .server = 0,
- .max_version = TLS1_3_VERSION,
- .min_version = TLS1_3_VERSION,
- .ciphers =
- "TLS_AES_256_GCM_SHA384:"
- "TLS_CHACHA20_POLY1305_SHA256:"
- "TLS_AES_128_GCM_SHA256",
- },
- .server_config = {
- .name = "server",
- .server = 1,
- .max_version = TLS1_3_VERSION,
- .min_version = TLS1_3_VERSION,
- .ciphers =
- "TLS_AES_256_GCM_SHA384:"
- "TLS_CHACHA20_POLY1305_SHA256:"
- "TLS_AES_128_GCM_SHA256",
- },
- .shared_ciphers =
- "TLS_AES_256_GCM_SHA384:"
- "TLS_CHACHA20_POLY1305_SHA256:"
- "TLS_AES_128_GCM_SHA256",
- },
-
- {
- .description = "TLSv1.3, client without ChaCha",
- .client_config = {
- .name = "client",
- .server = 0,
- .max_version = TLS1_3_VERSION,
- .min_version = TLS1_3_VERSION,
- .ciphers =
- "TLS_AES_256_GCM_SHA384:"
- "TLS_AES_128_GCM_SHA256",
- },
- .server_config = {
- .name = "server",
- .server = 1,
- .max_version = TLS1_3_VERSION,
- .min_version = TLS1_3_VERSION,
- .ciphers =
- "TLS_AES_256_GCM_SHA384:"
- "TLS_CHACHA20_POLY1305_SHA256:"
- "TLS_AES_128_GCM_SHA256",
- },
- .shared_ciphers =
- "TLS_AES_256_GCM_SHA384:"
- "TLS_AES_128_GCM_SHA256",
- },
-
- {
- .description = "TLSv1.2",
- .client_config = {
- .name = "client",
- .server = 0,
- .max_version = TLS1_2_VERSION,
- .min_version = TLS1_2_VERSION,
- .ciphers =
- "ECDHE-RSA-AES256-GCM-SHA384:"
- "ECDHE-ECDSA-AES256-GCM-SHA384:"
- "ECDHE-RSA-AES256-SHA384:"
- "ECDHE-ECDSA-AES256-SHA384:"
- "ECDHE-RSA-AES256-SHA:"
- "ECDHE-ECDSA-AES256-SHA",
- },
- .server_config = {
- .name = "server",
- .server = 1,
- .max_version = TLS1_2_VERSION,
- .min_version = TLS1_2_VERSION,
- .ciphers =
- "ECDHE-RSA-AES256-GCM-SHA384:"
- "ECDHE-ECDSA-AES256-GCM-SHA384:"
- "ECDHE-RSA-AES256-SHA384:"
- "ECDHE-ECDSA-AES256-SHA384:"
- "ECDHE-RSA-AES256-SHA:"
- "ECDHE-ECDSA-AES256-SHA",
- },
- .shared_ciphers =
- "ECDHE-RSA-AES256-GCM-SHA384:"
- "ECDHE-ECDSA-AES256-GCM-SHA384:"
- "ECDHE-RSA-AES256-SHA384:"
- "ECDHE-ECDSA-AES256-SHA384:"
- "ECDHE-RSA-AES256-SHA:"
- "ECDHE-ECDSA-AES256-SHA",
- },
-
- {
- .description = "TLSv1.2, server without ECDSA",
- .client_config = {
- .name = "client",
- .server = 0,
- .max_version = TLS1_2_VERSION,
- .min_version = TLS1_2_VERSION,
- .ciphers =
- "ECDHE-RSA-AES256-GCM-SHA384:"
- "ECDHE-ECDSA-AES256-GCM-SHA384:"
- "ECDHE-RSA-AES256-SHA384:"
- "ECDHE-ECDSA-AES256-SHA384:"
- "ECDHE-RSA-AES256-SHA:"
- "ECDHE-ECDSA-AES256-SHA",
- },
- .server_config = {
- .name = "server",
- .server = 1,
- .max_version = TLS1_2_VERSION,
- .min_version = TLS1_2_VERSION,
- .ciphers =
- "ECDHE-RSA-AES256-GCM-SHA384:"
- "ECDHE-RSA-AES256-SHA384:"
- "ECDHE-RSA-AES256-SHA",
- },
- .shared_ciphers =
- "ECDHE-RSA-AES256-GCM-SHA384:"
- "ECDHE-RSA-AES256-SHA384:"
- "ECDHE-RSA-AES256-SHA",
- },
-
- {
- .description = "TLSv1.3 ciphers are prepended",
- .client_config = {
- .name = "client",
- .server = 0,
- .max_version = TLS1_3_VERSION,
- .min_version = TLS1_2_VERSION,
- .ciphers =
- "ECDHE-RSA-AES256-GCM-SHA384",
- },
- .server_config = {
- .name = "server",
- .server = 1,
- .max_version = TLS1_3_VERSION,
- .min_version = TLS1_2_VERSION,
- .ciphers =
- "ECDHE-RSA-AES256-GCM-SHA384",
- },
- .shared_ciphers =
- "TLS_AES_256_GCM_SHA384:"
- "TLS_CHACHA20_POLY1305_SHA256:"
- "TLS_AES_128_GCM_SHA256:"
- "ECDHE-RSA-AES256-GCM-SHA384",
- .shared_ciphers_without_aesni =
- "TLS_CHACHA20_POLY1305_SHA256:"
- "TLS_AES_256_GCM_SHA384:"
- "TLS_AES_128_GCM_SHA256:"
- "ECDHE-RSA-AES256-GCM-SHA384",
- },
-};
-
-static const size_t N_SHARED_CIPHERS_TESTS =
- sizeof(ssl_shared_ciphers_tests) / sizeof(ssl_shared_ciphers_tests[0]);
-
-static SSL_CTX *
-peer_config_to_ssl_ctx(const struct peer_config *config)
-{
- SSL_CTX *ctx;
-
- if ((ctx = SSL_CTX_new(TLS_method())) == NULL) {
- fprintf(stderr, "SSL_CTX_new(%s) failed\n", config->name);
- goto err;
- }
- if (!SSL_CTX_set_max_proto_version(ctx, config->max_version)) {
- fprintf(stderr, "max_proto_version(%s) failed\n", config->name);
- goto err;
- }
- if (!SSL_CTX_set_min_proto_version(ctx, config->min_version)) {
- fprintf(stderr, "min_proto_version(%s) failed\n", config->name);
- goto err;
- }
- if (!SSL_CTX_set_cipher_list(ctx, config->ciphers)) {
- fprintf(stderr, "set_cipher_list(%s) failed\n", config->name);
- goto err;
- }
-
- if (config->server) {
- if (!SSL_CTX_use_certificate_file(ctx, server_cert,
- SSL_FILETYPE_PEM)) {
- fprintf(stderr, "use_certificate_file(%s) failed\n",
- config->name);
- goto err;
- }
- if (!SSL_CTX_use_PrivateKey_file(ctx, server_key,
- SSL_FILETYPE_PEM)) {
- fprintf(stderr, "use_PrivateKey_file(%s) failed\n",
- config->name);
- goto err;
- }
- }
-
- return ctx;
-
- err:
- SSL_CTX_free(ctx);
- return NULL;
-}
-
-/* Connect client and server via a pair of "nonblocking" memory BIOs. */
-static int
-connect_peers(SSL *client_ssl, SSL *server_ssl, const char *description)
-{
- BIO *client_wbio = NULL, *server_wbio = NULL;
- int ret = 0;
-
- if ((client_wbio = BIO_new(BIO_s_mem())) == NULL) {
- fprintf(stderr, "%s: failed to create client BIO\n",
- description);
- goto err;
- }
- if ((server_wbio = BIO_new(BIO_s_mem())) == NULL) {
- fprintf(stderr, "%s: failed to create server BIO\n",
- description);
- goto err;
- }
- if (BIO_set_mem_eof_return(client_wbio, -1) <= 0) {
- fprintf(stderr, "%s: failed to set client eof return\n",
- description);
- goto err;
- }
- if (BIO_set_mem_eof_return(server_wbio, -1) <= 0) {
- fprintf(stderr, "%s: failed to set server eof return\n",
- description);
- goto err;
- }
-
- /* Avoid double free. SSL_set_bio() takes ownership of the BIOs. */
- BIO_up_ref(client_wbio);
- BIO_up_ref(server_wbio);
-
- SSL_set_bio(client_ssl, server_wbio, client_wbio);
- SSL_set_bio(server_ssl, client_wbio, server_wbio);
- client_wbio = NULL;
- server_wbio = NULL;
-
- ret = 1;
-
- err:
- BIO_free(client_wbio);
- BIO_free(server_wbio);
-
- return ret;
-}
-
-static int
-push_data_to_peer(SSL *ssl, int *ret, int (*func)(SSL *), const char *func_name,
- const char *description)
-{
- int ssl_err = 0;
-
- if (*ret == 1)
- return 1;
-
- /*
- * Do SSL_connect/SSL_accept/SSL_shutdown once and loop while hitting
- * WANT_WRITE. If done or on WANT_READ hand off to peer.
- */
-
- do {
- if ((*ret = func(ssl)) <= 0)
- ssl_err = SSL_get_error(ssl, *ret);
- } while (*ret <= 0 && ssl_err == SSL_ERROR_WANT_WRITE);
-
- /* Ignore erroneous error - see SSL_shutdown(3)... */
- if (func == SSL_shutdown && ssl_err == SSL_ERROR_SYSCALL)
- return 1;
-
- if (*ret <= 0 && ssl_err != SSL_ERROR_WANT_READ) {
- fprintf(stderr, "%s: %s failed\n", description, func_name);
- ERR_print_errors_fp(stderr);
- return 0;
- }
-
- return 1;
-}
-
-/*
- * Alternate between loops of SSL_connect() and SSL_accept() as long as only
- * WANT_READ and WANT_WRITE situations are encountered. A function is repeated
- * until WANT_READ is returned or it succeeds, then it's the other function's
- * turn to make progress. Succeeds if SSL_connect() and SSL_accept() return 1.
- */
-static int
-handshake(SSL *client_ssl, SSL *server_ssl, const char *description)
-{
- int loops = 0, client_ret = 0, server_ret = 0;
-
- while (loops++ < 10 && (client_ret <= 0 || server_ret <= 0)) {
- if (!push_data_to_peer(client_ssl, &client_ret, SSL_connect,
- "SSL_connect", description))
- return 0;
-
- if (!push_data_to_peer(server_ssl, &server_ret, SSL_accept,
- "SSL_accept", description))
- return 0;
- }
-
- if (client_ret != 1 || server_ret != 1) {
- fprintf(stderr, "%s: failed\n", __func__);
- return 0;
- }
-
- return 1;
-}
-
-static int
-shutdown_peers(SSL *client_ssl, SSL *server_ssl, const char *description)
-{
- int loops = 0, client_ret = 0, server_ret = 0;
-
- while (loops++ < 10 && (client_ret <= 0 || server_ret <= 0)) {
- if (!push_data_to_peer(client_ssl, &client_ret, SSL_shutdown,
- "client shutdown", description))
- return 0;
-
- if (!push_data_to_peer(server_ssl, &server_ret, SSL_shutdown,
- "server shutdown", description))
- return 0;
- }
-
- if (client_ret != 1 || server_ret != 1) {
- fprintf(stderr, "%s: failed\n", __func__);
- return 0;
- }
-
- return 1;
-}
-
-/* from ssl_ciph.c */
-static inline int
-ssl_aes_is_accelerated(void)
-{
- return (OPENSSL_cpu_caps() & CRYPTO_CPU_CAPS_ACCELERATED_AES) != 0;
-}
-
-static int
-check_shared_ciphers(const struct ssl_shared_ciphers_test_data *test,
- const char *got)
-{
- const char *want = test->shared_ciphers;
- int failed;
-
- if (!ssl_aes_is_accelerated() &&
- test->shared_ciphers_without_aesni != NULL)
- want = test->shared_ciphers_without_aesni;
-
- failed = strcmp(want, got);
-
- if (failed)
- fprintf(stderr, "%s: want \"%s\", got \"%s\"\n",
- test->description, want, got);
-
- return failed;
-}
-
-static int
-test_get_shared_ciphers(const struct ssl_shared_ciphers_test_data *test)
-{
- SSL_CTX *client_ctx = NULL, *server_ctx = NULL;
- SSL *client_ssl = NULL, *server_ssl = NULL;
- char buf[4096];
- int failed = 1;
-
- if ((client_ctx = peer_config_to_ssl_ctx(&test->client_config)) == NULL)
- goto err;
- if ((server_ctx = peer_config_to_ssl_ctx(&test->server_config)) == NULL)
- goto err;
-
- if ((client_ssl = SSL_new(client_ctx)) == NULL) {
- fprintf(stderr, "%s: failed to create client SSL\n",
- test->description);
- goto err;
- }
- if ((server_ssl = SSL_new(server_ctx)) == NULL) {
- fprintf(stderr, "%s: failed to create server SSL\n",
- test->description);
- goto err;
- }
-
- if (!connect_peers(client_ssl, server_ssl, test->description))
- goto err;
-
- if (!handshake(client_ssl, server_ssl, test->description))
- goto err;
-
- if (SSL_get_shared_ciphers(server_ssl, buf, sizeof(buf)) == NULL) {
- fprintf(stderr, "%s: failed to get shared ciphers\n",
- test->description);
- goto err;
- }
-
- if (!shutdown_peers(client_ssl, server_ssl, test->description))
- goto err;
-
- failed = check_shared_ciphers(test, buf);
-
- err:
- SSL_CTX_free(client_ctx);
- SSL_CTX_free(server_ctx);
- SSL_free(client_ssl);
- SSL_free(server_ssl);
-
- return failed;
-}
-
-int
-main(int argc, char **argv)
-{
- size_t i;
- int failed = 0;
-
- if (asprintf(&server_cert, "%s/server1-rsa.pem", CERTSDIR) == -1) {
- fprintf(stderr, "asprintf server_cert failed\n");
- failed = 1;
- goto err;
- }
- server_key = server_cert;
-
- for (i = 0; i < N_SHARED_CIPHERS_TESTS; i++)
- failed |= test_get_shared_ciphers(&ssl_shared_ciphers_tests[i]);
-
- if (failed == 0)
- printf("PASS %s\n", __FILE__);
-
- err:
- free(server_cert);
-
- return failed;
-}
diff --git a/src/regress/lib/libssl/unit/ssl_methods.c b/src/regress/lib/libssl/unit/ssl_methods.c
deleted file mode 100644
index 0fc33a406c..0000000000
--- a/src/regress/lib/libssl/unit/ssl_methods.c
+++ /dev/null
@@ -1,267 +0,0 @@
-/* $OpenBSD: ssl_methods.c,v 1.4 2021/04/04 20:21:43 tb Exp $ */
-/*
- * Copyright (c) 2020 Theo Buehler
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include
-
-#include
-
-struct ssl_method_test_data {
- const SSL_METHOD *(*method)(void);
- const char *name;
- int server;
- int dtls;
-};
-
-struct ssl_method_test_data ssl_method_tests[] = {
- {
- .method = SSLv23_method,
- .name = "SSLv23_method",
- .server = 1,
- .dtls = 0,
- },
- {
- .method = SSLv23_server_method,
- .name = "SSLv23_server_method",
- .server = 1,
- .dtls = 0,
- },
- {
- .method = SSLv23_client_method,
- .name = "SSLv23_client_method",
- .server = 0,
- .dtls = 0,
- },
-
- {
- .method = TLSv1_method,
- .name = "TLSv1_method",
- .server = 1,
- .dtls = 0,
- },
- {
- .method = TLSv1_server_method,
- .name = "TLSv1_server_method",
- .server = 1,
- .dtls = 0,
- },
- {
- .method = TLSv1_client_method,
- .name = "TLSv1_client_method",
- .server = 0,
- .dtls = 0,
- },
-
- {
- .method = TLSv1_1_method,
- .name = "TLSv1_1_method",
- .server = 1,
- .dtls = 0,
- },
- {
- .method = TLSv1_1_server_method,
- .name = "TLSv1_1_server_method",
- .server = 1,
- .dtls = 0,
- },
- {
- .method = TLSv1_1_client_method,
- .name = "TLSv1_1_client_method",
- .server = 0,
- .dtls = 0,
- },
-
- {
- .method = TLSv1_2_method,
- .name = "TLSv1_2_method",
- .server = 1,
- .dtls = 0,
- },
- {
- .method = TLSv1_2_server_method,
- .name = "TLSv1_2_server_method",
- .server = 1,
- .dtls = 0,
- },
- {
- .method = TLSv1_2_client_method,
- .name = "TLSv1_2_client_method",
- .server = 0,
- .dtls = 0,
- },
-
- {
- .method = TLS_method,
- .name = "TLS_method",
- .server = 1,
- .dtls = 0,
- },
- {
- .method = TLS_server_method,
- .name = "TLS_server_method",
- .server = 1,
- .dtls = 0,
- },
- {
- .method = TLS_client_method,
- .name = "TLS_client_method",
- .server = 0,
- .dtls = 0,
- },
-
- {
- .method = DTLSv1_method,
- .name = "DTLSv1_method",
- .server = 1,
- .dtls = 1,
- },
- {
- .method = DTLSv1_server_method,
- .name = "DTLSv1_server_method",
- .server = 1,
- .dtls = 1,
- },
- {
- .method = DTLSv1_client_method,
- .name = "DTLSv1_client_method",
- .server = 0,
- .dtls = 1,
- },
-
- {
- .method = DTLSv1_2_method,
- .name = "DTLSv1_2_method",
- .server = 1,
- .dtls = 1,
- },
- {
- .method = DTLSv1_2_server_method,
- .name = "DTLSv1_2_server_method",
- .server = 1,
- .dtls = 1,
- },
- {
- .method = DTLSv1_2_client_method,
- .name = "DTLSv1_2_client_method",
- .server = 0,
- .dtls = 1,
- },
-
- {
- .method = DTLS_method,
- .name = "DTLS_method",
- .server = 1,
- .dtls = 1,
- },
- {
- .method = DTLS_server_method,
- .name = "DTLS_server_method",
- .server = 1,
- .dtls = 1,
- },
- {
- .method = DTLS_client_method,
- .name = "DTLS_client_method",
- .server = 0,
- .dtls = 1,
- },
-};
-
-#define N_METHOD_TESTS (sizeof(ssl_method_tests) / sizeof(ssl_method_tests[0]))
-
-int test_client_or_server_method(struct ssl_method_test_data *);
-int test_dtls_method(struct ssl_method_test_data *);
-
-int
-test_client_or_server_method(struct ssl_method_test_data *testcase)
-{
- SSL_CTX *ssl_ctx;
- SSL *ssl = NULL;
- int failed = 1;
-
- if ((ssl_ctx = SSL_CTX_new(testcase->method())) == NULL) {
- fprintf(stderr, "SSL_CTX_new returned NULL\n");
- goto err;
- }
-
- if ((ssl = SSL_new(ssl_ctx)) == NULL) {
- fprintf(stderr, "SSL_new returned NULL\n");
- goto err;
- }
-
- if (SSL_is_server(ssl) != testcase->server) {
- fprintf(stderr, "%s: SSL_is_server: want %d, got %d\n",
- testcase->name, testcase->server, SSL_is_server(ssl));
- goto err;
- }
-
- failed = 0;
-
- err:
- SSL_free(ssl);
- SSL_CTX_free(ssl_ctx);
-
- return failed;
-}
-
-int
-test_dtls_method(struct ssl_method_test_data *testcase)
-{
- SSL_CTX *ssl_ctx;
- SSL *ssl = NULL;
- int failed = 1;
-
- if ((ssl_ctx = SSL_CTX_new(testcase->method())) == NULL) {
- fprintf(stderr, "SSL_CTX_new returned NULL\n");
- goto err;
- }
-
- if ((ssl = SSL_new(ssl_ctx)) == NULL) {
- fprintf(stderr, "SSL_new returned NULL\n");
- goto err;
- }
-
- if (SSL_is_dtls(ssl) != testcase->dtls) {
- fprintf(stderr, "%s: SSL_is_dtls: want %d, got %d\n",
- testcase->name, testcase->dtls, SSL_is_dtls(ssl));
- goto err;
- }
-
- failed = 0;
-
- err:
- SSL_free(ssl);
- SSL_CTX_free(ssl_ctx);
-
- return failed;
-}
-
-int
-main(int argc, char **argv)
-{
- size_t i;
- int failed = 0;
-
- for (i = 0; i < N_METHOD_TESTS; i++) {
- failed |= test_client_or_server_method(&ssl_method_tests[i]);
- failed |= test_dtls_method(&ssl_method_tests[i]);
- }
-
- if (failed == 0)
- printf("PASS %s\n", __FILE__);
-
- return failed;
-}
diff --git a/src/regress/lib/libssl/unit/ssl_set_alpn_protos.c b/src/regress/lib/libssl/unit/ssl_set_alpn_protos.c
deleted file mode 100644
index d8447c8999..0000000000
--- a/src/regress/lib/libssl/unit/ssl_set_alpn_protos.c
+++ /dev/null
@@ -1,470 +0,0 @@
-/* $OpenBSD: ssl_set_alpn_protos.c,v 1.4 2024/07/11 13:51:47 tb Exp $ */
-/*
- * Copyright (c) 2022 Theo Buehler
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include
-#include
-
-#include
-
-static void
-hexdump(const unsigned char *buf, size_t len)
-{
- size_t i;
-
- if (buf == NULL) {
- fprintf(stderr, "(null), len %zu\n", len);
- return;
- }
- for (i = 1; i <= len; i++)
- fprintf(stderr, " 0x%02hhx,%s", buf[i - 1], i % 8 ?
"" : "\n");
- if (len % 8)
- fprintf(stderr, "\n");
-}
-
-struct alpn_test {
- const char *description;
- const uint8_t protocols[24];
- size_t protocols_len;
- int ret;
-};
-
-static const struct alpn_test alpn_tests[] = {
- {
- .description = "valid protocol list",
- .protocols = {
- 6, 's', 'p', 'd', 'y', '/', '1',
- 8, 'h', 't', 't', 'p', '/', '1', '.', '1',
- },
- .protocols_len = 16,
- .ret = 0,
- },
- {
- .description = "zero length protocol",
- .protocols = {
- 0,
- },
- .protocols_len = 1,
- .ret = 1,
- },
- {
- .description = "zero length protocol at start",
- .protocols = {
- 0,
- 8, 'h', 't', 't', 'p', '/', '1', '.', '1',
- 6, 's', 'p', 'd', 'y', '/', '1',
- },
- .protocols_len = 17,
- .ret = 1,
- },
- {
- .description = "zero length protocol embedded",
- .protocols = {
- 8, 'h', 't', 't', 'p', '/', '1', '.', '1',
- 0,
- 6, 's', 'p', 'd', 'y', '/', '1',
- },
- .protocols_len = 17,
- .ret = 1,
- },
- {
- .description = "zero length protocol at end",
- .protocols = {
- 8, 'h', 't', 't', 'p', '/', '1', '.', '1',
- 6, 's', 'p', 'd', 'y', '/', '1',
- 0,
- },
- .protocols_len = 17,
- .ret = 1,
- },
- {
- .description = "protocol length too short",
- .protocols = {
- 6, 'h', 't', 't', 'p', '/', '1', '.', '1',
- },
- .protocols_len = 9,
- .ret = 1,
- },
- {
- .description = "protocol length too long",
- .protocols = {
- 8, 's', 'p', 'd', 'y', '/', '1',
- },
- .protocols_len = 7,
- .ret = 1,
- },
-};
-
-static const size_t N_ALPN_TESTS = sizeof(alpn_tests) / sizeof(alpn_tests[0]);
-
-static int
-test_ssl_set_alpn_protos(const struct alpn_test *tc)
-{
- SSL_CTX *ctx;
- SSL *ssl;
- int ret;
- int failed = 0;
-
- if ((ctx = SSL_CTX_new(TLS_client_method())) == NULL)
- errx(1, "SSL_CTX_new");
-
- ret = SSL_CTX_set_alpn_protos(ctx, tc->protocols, tc->protocols_len);
- if (ret != tc->ret) {
- warnx("%s: setting on SSL_CTX: want %d, got %d",
- tc->description, tc->ret, ret);
- failed = 1;
- }
-
- if ((ssl = SSL_new(ctx)) == NULL)
- errx(1, "SSL_new");
-
- ret =
SSL_set_alpn_protos(ssl, tc->protocols, tc->protocols_len);
- if (ret != tc->ret) {
- warnx("%s: setting on SSL: want %d, got %d",
- tc->description, tc->ret, ret);
- failed = 1;
- }
-
- SSL_CTX_free(ctx);
- SSL_free(ssl);
-
- return failed;
-}
-
-static int
-test_ssl_set_alpn_protos_edge_cases(void)
-{
- SSL_CTX *ctx;
- SSL *ssl;
- const uint8_t valid[] = {
- 6, 's', 'p', 'd', 'y', '/', '3',
- 8, 'h', 't', 't', 'p', '/', '1', '.', '1',
- };
- int failed = 0;
-
- if ((ctx = SSL_CTX_new(TLS_client_method())) == NULL)
- errx(1, "SSL_CTX_new");
-
- if (SSL_CTX_set_alpn_protos(ctx, valid, sizeof(valid)) != 0) {
- warnx("setting valid protocols on SSL_CTX failed");
- failed = 1;
- }
- if (SSL_CTX_set_alpn_protos(ctx, NULL, 0) != 0) {
- warnx("setting 'NULL, 0' on SSL_CTX failed");
- failed = 1;
- }
- if (SSL_CTX_set_alpn_protos(ctx, valid, 0) != 0) {
- warnx("setting 'valid, 0' on SSL_CTX failed");
- failed = 1;
- }
- if (SSL_CTX_set_alpn_protos(ctx, NULL, 43) != 0) {
- warnx("setting 'NULL, 43' on SSL_CTX failed");
- failed = 1;
- }
-
- if ((ssl = SSL_new(ctx)) == NULL)
- errx(1, "SSL_new");
-
- if (SSL_set_alpn_protos(ssl, valid, sizeof(valid)) != 0) {
- warnx("setting valid protocols on SSL failed");
- failed = 1;
- }
- if (SSL_set_alpn_protos(ssl, NULL, 0) != 0) {
- warnx("setting 'NULL, 0' on SSL failed");
- failed = 1;
- }
- if (SSL_set_alpn_protos(ssl, valid, 0) != 0) {
- warnx("setting 'valid, 0' on SSL failed");
- failed = 1;
- }
- if (SSL_set_alpn_protos(ssl, NULL, 43) != 0) {
- warnx("setting 'NULL, 43' on SSL failed");
- failed = 1;
- }
-
- SSL_CTX_free(ctx);
- SSL_free(ssl);
-
- return failed;
-}
-
-static const struct select_next_proto_test {
- const unsigned char *peer_list;
- size_t peer_list_len;
- const unsigned char *supported_list;
- size_t supported_list_len;
- int want_ret;
- const unsigned char *want_out;
- unsigned char want_out_len; /* yes, unsigned char */
-} select_next_proto_tests[] = {
- {
- .peer_list = "\x01" "a" "\x01" "b" "\x01" "c",
-
.peer_list_len = 6,
- .supported_list = "\x01" "a",
- .supported_list_len = 2,
- .want_ret = OPENSSL_NPN_NEGOTIATED,
- .want_out = "a",
- .want_out_len = 1,
- },
- {
- .peer_list = "\x01" "a" "\x01" "b" "\x01" "c",
- .peer_list_len = 6,
- .supported_list = "\x02" "aa" "\x01" "b" "\x01" "c",
- .supported_list_len = 7,
- .want_ret = OPENSSL_NPN_NEGOTIATED,
- .want_out = "b",
- .want_out_len = 1,
- },
- {
- /* Use peer preference. */
- .peer_list = "\x01" "a" "\x01" "b" "\x01" "c",
- .peer_list_len = 6,
- .supported_list = "\x01" "c" "\x01" "b" "\x01" "a",
- .supported_list_len = 6,
- .want_ret = OPENSSL_NPN_NEGOTIATED,
- .want_out = "a",
- .want_out_len = 1,
- },
- {
- /* Again peer preference wins. */
- .peer_list = "\x01" "a" "\x03" "bbb" "\x02" "cc",
- .peer_list_len = 9,
- .supported_list = "\x01" "z" "\x02" "cc" "\x03" "bbb",
- .supported_list_len = 9,
- .want_ret = OPENSSL_NPN_NEGOTIATED,
- .want_out = "bbb",
- .want_out_len = 3,
- },
- {
- /* No overlap fails with first supported protocol. */
- .peer_list = "\x01" "a" "\x01" "b" "\x01" "c",
- .peer_list_len = 6,
- .supported_list = "\x01" "z" "\x01" "y",
- .supported_list_len = 4,
- .want_ret = OPENSSL_NPN_NO_OVERLAP,
- .want_out = "z",
- .want_out_len = 1,
- },
- {
- /* No peer protocols fails cleanly. */
- .peer_list = "",
- .peer_list_len = 0,
- .supported_list = "\x01" "a" "\x01" "b" "\x01" "c",
- .supported_list_len = 6,
- .want_out = "a",
- .want_out_len = 1,
- .want_ret = OPENSSL_NPN_NO_OVERLAP,
- },
- {
- /* NULL peer protocols fails cleanly. */
- .peer_list = NULL,
- .peer_list_len = 0,
- .supported_list = "\x01" "a" "\x01" "b" "\x01" "c",
- .supported_list_len = 6,
- .want_out = "a",
- .want_out_len = 1,
- .want_ret = OPENSSL_NPN_NO_OVERLAP,
- },
- {
- /* Malformed peer protocols fails cleanly.
*/
- .peer_list = "\x00",
- .peer_list_len = 1,
- .supported_list = "\x01" "a" "\x01" "b" "\x01" "c",
- .supported_list_len = 6,
- .want_out = "a",
- .want_out_len = 1,
- .want_ret = OPENSSL_NPN_NO_OVERLAP,
- },
- {
- /* Malformed peer protocols fails cleanly. */
- .peer_list = "\x01" "a" "\x03" "bb",
- .peer_list_len = 5,
- .supported_list = "\x01" "a" "\x01" "b" "\x01" "c",
- .supported_list_len = 6,
- .want_out = "a",
- .want_out_len = 1,
- .want_ret = OPENSSL_NPN_NO_OVERLAP,
- },
- {
- /* Empty supported list fails cleanly. */
- .peer_list = "\x01" "a",
- .peer_list_len = 2,
- .supported_list = "",
- .supported_list_len = 0,
- .want_out = NULL,
- .want_out_len = 0,
- .want_ret = OPENSSL_NPN_NO_OVERLAP,
- },
- {
- /* NULL supported list fails cleanly. */
- .peer_list = "\x01" "a",
- .peer_list_len = 2,
- .supported_list = NULL,
- .supported_list_len = 0,
- .want_out = NULL,
- .want_out_len = 0,
- .want_ret = OPENSSL_NPN_NO_OVERLAP,
- },
- {
- /* Malformed supported list fails cleanly. */
- .peer_list = "\x01" "a",
- .peer_list_len = 2,
- .supported_list = "\x01" "a" "\x02" "bb" "\x03" "cc" "\x04" "ddd",
- .supported_list_len = 12,
- .want_out = NULL,
- .want_out_len = 0,
- .want_ret = OPENSSL_NPN_NO_OVERLAP,
- },
- {
- /* Malformed client list fails cleanly. */
- .peer_list = "\x01" "a",
- .peer_list_len = 2,
- .supported_list = "\x01" "a" "\x02" "bb" "\x00" "\x03" "ddd",
- .supported_list_len = 10,
- .want_out = NULL,
- .want_out_len = 0,
- .want_ret = OPENSSL_NPN_NO_OVERLAP,
- },
-
- /*
- * Some non-toy examples.
- */
-
- {
- .peer_list = "\x08" "http/1.1" "\x06" "spdy/1",
- .peer_list_len = 16,
- .supported_list = "\x08" "http/2.0" "\x08" "http/1.1",
- .supported_list_len = 18,
- .want_out = "http/1.1",
- .want_out_len = 8,
- .want_ret = OPENSSL_NPN_NEGOTIATED,
- },
- {
- .peer_list = "\x08" "http/2.0" "\x06" "spdy/1",
- .peer_list_len = 16,
- .supported_list = "\x08" "http/1.0" "\x08" "http/1.1",
- .supported_list_len = 18,
- .want_out = "http/1.0",
- .want_out_len = 8,
- .want_ret = OPENSSL_NPN_NO_OVERLAP,
- },
- {
- .peer_list = "\x08" "http/1.1" "\x08" "http/1.0",
- .peer_list_len = 18,
- .supported_list = "\x08" "http/1.0" "\x08" "http/1.1",
- .supported_list_len = 18,
- .want_out = "http/1.1",
- .want_out_len = 8,
- .want_ret = OPENSSL_NPN_NEGOTIATED,
- },
- {
- /* Peer list malformed. */
- .peer_list = "\x08" "http/1.1" "\x07" "http/1.0",
- .peer_list_len = 18,
- .supported_list = "\x08" "http/1.0" "\x08" "http/1.1",
- .supported_list_len = 18,
- .want_out = "http/1.0",
- .want_out_len = 8,
- .want_ret = OPENSSL_NPN_NO_OVERLAP,
- },
- {
- /* Peer list malformed. */
- .peer_list = "\x07" "http/1.1" "\x08" "http/1.0",
- .peer_list_len = 18,
- .supported_list = "\x08" "http/1.0" "\x08" "http/1.1",
- .supported_list_len = 18,
- .want_out = "http/1.0",
- .want_out_len = 8,
- .want_ret = OPENSSL_NPN_NO_OVERLAP,
- },
- {
- /* Supported list has trailing bytes.
*/
- .peer_list = "\x08" "http/1.1" "\x08" "http/1.0",
- .peer_list_len = 18,
- .supported_list = "\x08" "http/1.0" "\x07" "http/1.1",
- .supported_list_len = 18,
- .want_out = NULL,
- .want_out_len = 0,
- .want_ret = OPENSSL_NPN_NO_OVERLAP,
- },
-};
-
-#define N_SELECT_NEXT_PROTO_TESTS \
- (sizeof(select_next_proto_tests) / sizeof(select_next_proto_tests[0]))
-
-static int
-select_next_proto_testcase(const struct select_next_proto_test *test)
-{
- unsigned char *out;
- unsigned char out_len;
- int ret;
- int failed = 0;
-
- ret = SSL_select_next_proto(&out, &out_len, test->peer_list,
- test->peer_list_len, test->supported_list, test->supported_list_len);
-
- if (ret != test->want_ret || out_len != test->want_out_len ||
- (out == NULL && test->want_out != NULL) ||
- (out != NULL && test->want_out == NULL) ||
- (out != NULL && test->want_out != NULL &&
- memcmp(out, test->want_out, out_len) != 0)) {
- fprintf(stderr, "FAIL: ret: %u (want %u), out_len: %u (want %u)\n",
- ret, test->want_ret, out_len, test->want_out_len);
- fprintf(stderr, "\ngot:\n");
- hexdump(out, out_len);
- fprintf(stderr, "\nwant:\n");
- hexdump(test->want_out, test->want_out_len);
- fprintf(stderr, "\nserver:\n");
- hexdump(test->peer_list, test->peer_list_len);
- fprintf(stderr, "\nclient:\n");
- hexdump(test->supported_list, test->supported_list_len);
- fprintf(stderr, "\n");
- failed = 1;
- }
-
- return failed;
-}
-
-static int
-test_ssl_select_next_proto(void)
-{
- size_t i;
- int failed = 0;
-
- for (i = 0; i < N_SELECT_NEXT_PROTO_TESTS; i++)
- failed |= select_next_proto_testcase(&select_next_proto_tests[i]);
-
- return failed;
-}
-
-int
-main(void)
-{
- size_t i;
- int failed = 0;
-
- for (i = 0; i < N_ALPN_TESTS; i++)
- failed |= test_ssl_set_alpn_protos(&alpn_tests[i]);
-
- failed |= test_ssl_set_alpn_protos_edge_cases();
-
- failed |= test_ssl_select_next_proto();
-
- if (!failed)
- printf("PASS %s\n", __FILE__);
-
- return failed;
-}
diff --git a/src/regress/lib/libssl/unit/ssl_verify_param.c b/src/regress/lib/libssl/unit/ssl_verify_param.c
deleted file mode 100644
index cdb52c56a8..0000000000
--- a/src/regress/lib/libssl/unit/ssl_verify_param.c
+++ /dev/null
@@ -1,99 +0,0 @@
-/* $OpenBSD: ssl_verify_param.c,v 1.1 2023/05/24 08:54:59 tb Exp $ */
-
-/*
- * Copyright (c) 2023 Theo Buehler
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include
-#include
-
-#include
-#include
-
-unsigned int X509_VERIFY_PARAM_get_hostflags(X509_VERIFY_PARAM *param);
-
-static int
-ssl_verify_param_flags_inherited(void)
-{
- SSL_CTX *ssl_ctx = NULL;
- SSL *ssl = NULL;
- X509_VERIFY_PARAM *param;
- unsigned int defaultflags = 0;
- unsigned int newflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
- unsigned int flags;
- int failed = 1;
-
- if ((ssl_ctx = SSL_CTX_new(TLS_method())) == NULL)
- errx(1, "SSL_CTX_new");
-
- if ((param = SSL_CTX_get0_param(ssl_ctx)) == NULL) {
- fprintf(stderr, "FAIL: no verify param on ssl_ctx\n");
- goto failure;
- }
-
- if ((flags = X509_VERIFY_PARAM_get_hostflags(param)) != defaultflags) {
- fprintf(stderr, "FAIL: SSL_CTX default hostflags, "
- "want: %x, got: %x\n", defaultflags, flags);
- goto failure;
- }
-
- X509_VERIFY_PARAM_set_hostflags(param, newflags);
-
- if ((flags = X509_VERIFY_PARAM_get_hostflags(param)) != newflags) {
- fprintf(stderr, "FAIL: SSL_CTX new hostflags, "
- "want: %x, got: %x\n", newflags, flags);
- goto failure;
- }
-
- if ((ssl = SSL_new(ssl_ctx)) == NULL)
- errx(1, "SSL_new");
-
- if ((param =
SSL_get0_param(ssl)) == NULL) {
- fprintf(stderr, "FAIL: no verify param on ssl\n");
- goto failure;
- }
-
- if ((flags = X509_VERIFY_PARAM_get_hostflags(param)) != newflags) {
- fprintf(stderr, "FAIL: SSL inherited hostflags, "
- "want: %x, got: %x\n", newflags, flags);
- goto failure;
- }
-
- SSL_set_hostflags(ssl, defaultflags);
-
- if ((flags = X509_VERIFY_PARAM_get_hostflags(param)) != defaultflags) {
- fprintf(stderr, "FAIL: SSL set hostflags, "
- "want: %x, got: %x\n", defaultflags, flags);
- goto failure;
- }
-
- failed = 0;
-
- failure:
- SSL_CTX_free(ssl_ctx);
- SSL_free(ssl);
-
- return failed;
-}
-
-int
-main(void)
-{
- int failed = 0;
-
- failed |= ssl_verify_param_flags_inherited();
-
- return failed;
-}
diff --git a/src/regress/lib/libssl/unit/ssl_versions.c b/src/regress/lib/libssl/unit/ssl_versions.c
deleted file mode 100644
index ebfe8d2c28..0000000000
--- a/src/regress/lib/libssl/unit/ssl_versions.c
+++ /dev/null
@@ -1,922 +0,0 @@
-/* $OpenBSD: ssl_versions.c,v 1.20 2023/07/02 17:21:33 beck Exp $ */
-/*
- * Copyright (c) 2016, 2017 Joel Sing
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include
-
-#include "ssl_local.h"
-
-struct version_range_test {
- const long options;
- const uint16_t minver;
- const uint16_t maxver;
- const uint16_t want_minver;
- const uint16_t want_maxver;
-};
-
-static struct version_range_test version_range_tests[] = {
- {
- .options = 0,
- .minver = TLS1_VERSION,
- .maxver = TLS1_3_VERSION,
- .want_minver = TLS1_2_VERSION,
- .want_maxver = TLS1_3_VERSION,
- },
- {
- .options = 0,
- .minver = TLS1_VERSION,
- .maxver = TLS1_2_VERSION,
- .want_minver = TLS1_2_VERSION,
- .want_maxver = TLS1_2_VERSION,
- },
- {
- .options = SSL_OP_NO_TLSv1,
- .minver = TLS1_VERSION,
- .maxver = TLS1_2_VERSION,
- .want_minver = TLS1_2_VERSION,
- .want_maxver = TLS1_2_VERSION,
- },
- {
- .options = SSL_OP_NO_TLSv1_3,
- .minver = TLS1_VERSION,
- .maxver = TLS1_3_VERSION,
- .want_minver = TLS1_2_VERSION,
- .want_maxver = TLS1_2_VERSION,
- },
- {
- .options = SSL_OP_NO_TLSv1_2,
- .minver = TLS1_VERSION,
- .maxver = TLS1_2_VERSION,
- .want_minver = 0,
- .want_maxver = 0,
- },
- {
- .options = SSL_OP_NO_TLSv1_1,
- .minver = TLS1_VERSION,
- .maxver = TLS1_2_VERSION,
- .want_minver =
TLS1_2_VERSION,
- .want_maxver = TLS1_2_VERSION,
- },
- {
- .options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1,
- .minver = TLS1_VERSION,
- .maxver = TLS1_2_VERSION,
- .want_minver = TLS1_2_VERSION,
- .want_maxver = TLS1_2_VERSION,
- },
- {
- .options = SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2,
- .minver = TLS1_VERSION,
- .maxver = TLS1_2_VERSION,
- .want_minver = 0,
- .want_maxver = 0,
- },
- {
- .options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2,
- .minver = TLS1_VERSION,
- .maxver = TLS1_2_VERSION,
- .want_minver = 0,
- .want_maxver = 0,
- },
- {
- .options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 |
- SSL_OP_NO_TLSv1_2,
- .minver = TLS1_VERSION,
- .maxver = TLS1_2_VERSION,
- .want_minver = 0,
- .want_maxver = 0,
- },
- {
- .options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 |
- SSL_OP_NO_TLSv1_2,
- .minver = TLS1_VERSION,
- .maxver = TLS1_3_VERSION,
- .want_minver = TLS1_3_VERSION,
- .want_maxver = TLS1_3_VERSION,
- },
- {
- .options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 |
- SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_3,
- .minver = TLS1_VERSION,
- .maxver = TLS1_3_VERSION,
- .want_minver = 0,
- .want_maxver = 0,
- },
- {
- .options = 0,
- .minver = TLS1_VERSION,
- .maxver = TLS1_2_VERSION,
- .want_minver = TLS1_2_VERSION,
- .want_maxver = TLS1_2_VERSION,
- },
- {
- .options = 0,
- .minver = TLS1_1_VERSION,
- .maxver = TLS1_2_VERSION,
- .want_minver = TLS1_2_VERSION,
- .want_maxver = TLS1_2_VERSION,
- },
- {
- .options = 0,
- .minver = TLS1_2_VERSION,
- .maxver = TLS1_2_VERSION,
- .want_minver = TLS1_2_VERSION,
- .want_maxver = TLS1_2_VERSION,
- },
- {
- .options = 0,
- .minver = TLS1_VERSION,
- .maxver = TLS1_3_VERSION,
- .want_minver = TLS1_2_VERSION,
- .want_maxver = TLS1_3_VERSION,
- },
- {
- .options = 0,
- .minver = TLS1_1_VERSION,
- .maxver = TLS1_3_VERSION,
- .want_minver = TLS1_2_VERSION,
- .want_maxver = TLS1_3_VERSION,
- },
- {
- .options = 0,
- .minver = TLS1_2_VERSION,
- .maxver = TLS1_3_VERSION,
- .want_minver = TLS1_2_VERSION,
- .want_maxver = TLS1_3_VERSION,
- },
- {
-
.options = 0,
- .minver = TLS1_3_VERSION,
- .maxver = TLS1_3_VERSION,
- .want_minver = TLS1_3_VERSION,
- .want_maxver = TLS1_3_VERSION,
- },
- {
- .options = 0,
- .minver = TLS1_VERSION,
- .maxver = TLS1_1_VERSION,
- .want_minver = 0,
- .want_maxver = 0,
- },
- {
- .options = 0,
- .minver = TLS1_VERSION,
- .maxver = TLS1_VERSION,
- .want_minver = 0,
- .want_maxver = 0,
- },
-};
-
-#define N_VERSION_RANGE_TESTS \
- (sizeof(version_range_tests) / sizeof(*version_range_tests))
-
-static int
-test_ssl_enabled_version_range(void)
-{
- struct version_range_test *vrt;
- uint16_t minver, maxver;
- SSL_CTX *ssl_ctx = NULL;
- SSL *ssl = NULL;
- int failed = 1;
- size_t i;
-
- fprintf(stderr, "INFO: starting enabled version range tests...\n");
-
- if ((ssl_ctx = SSL_CTX_new(TLS_method())) == NULL) {
- fprintf(stderr, "SSL_CTX_new() returned NULL\n");
- goto failure;
- }
- if ((ssl = SSL_new(ssl_ctx)) == NULL) {
- fprintf(stderr, "SSL_new() returned NULL\n");
- goto failure;
- }
-
- failed = 0;
-
- for (i = 0; i < N_VERSION_RANGE_TESTS; i++) {
- vrt = &version_range_tests[i];
-
- SSL_clear_options(ssl, SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 |
- SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_3);
- SSL_set_options(ssl, vrt->options);
-
- minver = maxver = 0xffff;
- ssl->min_tls_version = vrt->minver;
- ssl->max_tls_version = vrt->maxver;
-
- if (ssl_enabled_tls_version_range(ssl, &minver, &maxver) != 1) {
- if (vrt->want_minver != 0 || vrt->want_maxver != 0) {
- fprintf(stderr, "FAIL: test %zu - failed but "
- "wanted non-zero versions\n", i);
- failed++;
- }
- continue;
- }
- if (minver != vrt->want_minver) {
- fprintf(stderr, "FAIL: test %zu - got minver %x, "
- "want %x\n", i, minver, vrt->want_minver);
- failed++;
- }
- if (maxver != vrt->want_maxver) {
- fprintf(stderr, "FAIL: test %zu - got maxver %x, "
- "want %x\n", i, maxver, vrt->want_maxver);
- failed++;
- }
- }
-
- failure:
- SSL_CTX_free(ssl_ctx);
- SSL_free(ssl);
-
- return (failed);
-}
-
-struct shared_version_test {
- const
SSL_METHOD *(*ssl_method)(void);
- const long options;
- const uint16_t minver;
- const uint16_t maxver;
- const uint16_t peerver;
- const uint16_t want_maxver;
-};
-
-static struct shared_version_test shared_version_tests[] = {
- {
- .ssl_method = TLS_method,
- .options = 0,
- .minver = TLS1_VERSION,
- .maxver = TLS1_2_VERSION,
- .peerver = SSL2_VERSION,
- .want_maxver = 0,
- },
- {
- .ssl_method = TLS_method,
- .options = 0,
- .minver = TLS1_VERSION,
- .maxver = TLS1_2_VERSION,
- .peerver = SSL3_VERSION,
- .want_maxver = 0,
- },
- {
- .ssl_method = TLS_method,
- .options = 0,
- .minver = TLS1_VERSION,
- .maxver = TLS1_2_VERSION,
- .peerver = TLS1_VERSION,
- .want_maxver = 0,
- },
- {
- .ssl_method = TLS_method,
- .options = 0,
- .minver = TLS1_VERSION,
- .maxver = TLS1_2_VERSION,
- .peerver = TLS1_1_VERSION,
- .want_maxver = 0,
- },
- {
- .ssl_method = TLS_method,
- .options = 0,
- .minver = TLS1_VERSION,
- .maxver = TLS1_2_VERSION,
- .peerver = TLS1_2_VERSION,
- .want_maxver = TLS1_2_VERSION,
- },
- {
- .ssl_method = TLS_method,
- .options = 0,
- .minver = TLS1_VERSION,
- .maxver = TLS1_2_VERSION,
- .peerver = TLS1_3_VERSION,
- .want_maxver = TLS1_2_VERSION,
- },
- {
- .ssl_method = TLS_method,
- .options = 0,
- .minver = TLS1_VERSION,
- .maxver = TLS1_2_VERSION,
- .peerver = 0x7f12,
- .want_maxver = TLS1_2_VERSION,
- },
- {
- .ssl_method = TLS_method,
- .options = SSL_OP_NO_TLSv1_2,
- .minver = TLS1_VERSION,
- .maxver = TLS1_2_VERSION,
- .peerver = TLS1_2_VERSION,
- .want_maxver = 0,
- },
- {
- .ssl_method = TLS_method,
- .options = SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2,
- .minver = TLS1_VERSION,
- .maxver = TLS1_2_VERSION,
- .peerver = TLS1_2_VERSION,
- .want_maxver = 0,
- },
- {
- .ssl_method = TLS_method,
- .options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2,
- .minver = TLS1_VERSION,
- .maxver = TLS1_2_VERSION,
- .peerver = TLS1_2_VERSION,
- .want_maxver = 0,
- },
- {
- .ssl_method = TLS_method,
- .options = SSL_OP_NO_TLSv1,
- .minver =
TLS1_VERSION,
- .maxver = TLS1_2_VERSION,
- .peerver = TLS1_1_VERSION,
- .want_maxver = 0,
- },
- {
- .ssl_method = TLS_method,
- .options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1,
- .minver = TLS1_VERSION,
- .maxver = TLS1_2_VERSION,
- .peerver = TLS1_1_VERSION,
- .want_maxver = 0,
- },
- {
- .ssl_method = TLS_method,
- .options = SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2,
- .minver = TLS1_VERSION,
- .maxver = TLS1_2_VERSION,
- .peerver = TLS1_1_VERSION,
- .want_maxver = 0,
- },
- {
- .ssl_method = TLS_method,
- .options = SSL_OP_NO_TLSv1,
- .minver = TLS1_VERSION,
- .maxver = TLS1_2_VERSION,
- .peerver = TLS1_VERSION,
- .want_maxver = 0,
- },
- {
- .ssl_method = TLS_method,
- .options = 0,
- .minver = TLS1_VERSION,
- .maxver = TLS1_1_VERSION,
- .peerver = TLS1_2_VERSION,
- .want_maxver = 0,
- },
- {
- .ssl_method = TLS_method,
- .options = 0,
- .minver = TLS1_VERSION,
- .maxver = TLS1_VERSION,
- .peerver = TLS1_2_VERSION,
- .want_maxver = 0,
- },
- {
- .ssl_method = TLSv1_method,
- .options = 0,
- .minver = TLS1_VERSION,
- .maxver = TLS1_2_VERSION,
- .peerver = TLS1_VERSION,
- .want_maxver = 0,
- },
- {
- .ssl_method = TLSv1_method,
- .options = 0,
- .minver = TLS1_1_VERSION,
- .maxver = TLS1_2_VERSION,
- .peerver = TLS1_VERSION,
- .want_maxver = 0,
- },
- {
- .ssl_method = TLSv1_1_method,
- .options = 0,
- .minver = TLS1_VERSION,
- .maxver = TLS1_2_VERSION,
- .peerver = TLS1_1_VERSION,
- .want_maxver = 0,
- },
- {
- .ssl_method = DTLS_method,
- .options = 0,
- .minver = TLS1_1_VERSION,
- .maxver = TLS1_2_VERSION,
- .peerver = DTLS1_VERSION,
- .want_maxver = 0,
- },
- {
- .ssl_method = DTLS_method,
- .options = 0,
- .minver = TLS1_1_VERSION,
- .maxver = TLS1_2_VERSION,
- .peerver = DTLS1_2_VERSION,
- .want_maxver = DTLS1_2_VERSION,
- },
- {
- .ssl_method = DTLS_method,
- .options = 0,
- .minver = TLS1_1_VERSION,
- .maxver = TLS1_2_VERSION,
- .peerver = 0xfefc, /* DTLSv1.3, probably.
*/
- .want_maxver = DTLS1_2_VERSION,
- },
- {
- .ssl_method = DTLSv1_method,
- .options = 0,
- .minver = TLS1_1_VERSION,
- .maxver = TLS1_1_VERSION,
- .peerver = DTLS1_2_VERSION,
- .want_maxver = 0,
- },
- {
- .ssl_method = DTLSv1_2_method,
- .options = 0,
- .minver = TLS1_2_VERSION,
- .maxver = TLS1_2_VERSION,
- .peerver = DTLS1_2_VERSION,
- .want_maxver = DTLS1_2_VERSION,
- },
- {
- .ssl_method = DTLSv1_method,
- .options = 0,
- .minver = TLS1_1_VERSION,
- .maxver = TLS1_1_VERSION,
- .peerver = TLS1_2_VERSION,
- .want_maxver = 0,
- },
- {
- .ssl_method = DTLS_method,
- .options = SSL_OP_NO_DTLSv1,
- .minver = TLS1_1_VERSION,
- .maxver = TLS1_2_VERSION,
- .peerver = DTLS1_VERSION,
- .want_maxver = 0,
- },
- {
- .ssl_method = DTLS_method,
- .options = SSL_OP_NO_DTLSv1,
- .minver = TLS1_1_VERSION,
- .maxver = TLS1_2_VERSION,
- .peerver = DTLS1_2_VERSION,
- .want_maxver = DTLS1_2_VERSION,
- },
- {
- .ssl_method = DTLS_method,
- .options = SSL_OP_NO_DTLSv1_2,
- .minver = TLS1_1_VERSION,
- .maxver = TLS1_2_VERSION,
- .peerver = DTLS1_2_VERSION,
- .want_maxver = 0,
- },
-};
-
-#define N_SHARED_VERSION_TESTS \
- (sizeof(shared_version_tests) / sizeof(*shared_version_tests))
-
-static int
-test_ssl_max_shared_version(void)
-{
- struct shared_version_test *svt;
- SSL_CTX *ssl_ctx = NULL;
- SSL *ssl = NULL;
- uint16_t maxver;
- int failed = 0;
- size_t i;
-
- failed = 0;
-
- fprintf(stderr, "INFO: starting max shared version tests...\n");
-
- for (i = 0; i < N_SHARED_VERSION_TESTS; i++) {
- svt = &shared_version_tests[i];
-
- if ((ssl_ctx = SSL_CTX_new(svt->ssl_method())) == NULL) {
- fprintf(stderr, "SSL_CTX_new() returned NULL\n");
- failed++;
- goto err;
- }
- if ((ssl = SSL_new(ssl_ctx)) == NULL) {
- fprintf(stderr, "SSL_new() returned NULL\n");
- failed++;
- goto err;
- }
-
- SSL_clear_options(ssl, SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 |
- SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_3);
- SSL_set_options(ssl, svt->options);
-
- maxver = 0;
- ssl->min_tls_version = svt->minver;
-
ssl->max_tls_version = svt->maxver;
-
- if (!ssl_max_shared_version(ssl, svt->peerver, &maxver)) {
- if (svt->want_maxver != 0) {
- fprintf(stderr, "FAIL: test %zu - failed but "
- "wanted non-zero shared version (peer %x)\n",
- i, svt->peerver);
- failed++;
- }
- SSL_CTX_free(ssl_ctx);
- SSL_free(ssl);
- ssl_ctx = NULL;
- ssl = NULL;
- continue;
- }
- if (maxver != svt->want_maxver) {
- fprintf(stderr, "FAIL: test %zu - got shared "
- "version %x, want %x\n", i, maxver,
- svt->want_maxver);
- failed++;
- }
-
- SSL_CTX_free(ssl_ctx);
- SSL_free(ssl);
- ssl_ctx = NULL;
- ssl = NULL;
- }
-
- err:
- SSL_CTX_free(ssl_ctx);
- SSL_free(ssl);
-
- return (failed);
-}
-
-struct min_max_version_test {
- const SSL_METHOD *(*ssl_method)(void);
- const uint16_t minver;
- const uint16_t maxver;
- const uint16_t want_minver;
- const uint16_t want_maxver;
- const int want_min_fail;
- const int want_max_fail;
-};
-
-static struct min_max_version_test min_max_version_tests[] = {
- {
- .ssl_method = TLS_method,
- .minver = 0,
- .maxver = 0,
- .want_minver = 0,
- .want_maxver = 0,
- },
- {
- .ssl_method = TLS_method,
- .minver = TLS1_VERSION,
- .maxver = 0,
- .want_minver = TLS1_VERSION,
- .want_maxver = 0,
- },
- {
- .ssl_method = TLS_method,
- .minver = 0,
- .maxver = TLS1_2_VERSION,
- .want_minver = 0,
- .want_maxver = TLS1_2_VERSION,
- },
- {
- .ssl_method = TLS_method,
- .minver = 0,
- .maxver = TLS1_3_VERSION,
- .want_minver = 0,
- .want_maxver = TLS1_3_VERSION,
- },
- {
- .ssl_method = TLS_method,
- .minver = TLS1_VERSION,
- .maxver = TLS1_2_VERSION,
- .want_minver = TLS1_VERSION,
- .want_maxver = TLS1_2_VERSION,
- },
- {
- .ssl_method = TLS_method,
- .minver = TLS1_1_VERSION,
- .maxver = 0,
- .want_minver = TLS1_1_VERSION,
- .want_maxver = 0,
- },
- {
- .ssl_method = TLS_method,
- .minver = TLS1_2_VERSION,
- .maxver = 0,
- .want_minver = TLS1_2_VERSION,
- .want_maxver = 0,
- },
- {
- .ssl_method = TLS_method,
- .minver = 0x0300,
- .maxver = 0,
- .want_minver = TLS1_VERSION,
-
.want_maxver = 0,
- },
- {
- .ssl_method = TLS_method,
- .minver = 0x0305,
- .maxver = 0,
- .want_min_fail = 1,
- },
- {
- .ssl_method = TLS_method,
- .minver = 0,
- .maxver = 0x0305,
- .want_minver = 0,
- .want_maxver = TLS1_3_VERSION,
- },
- {
- .ssl_method = TLS_method,
- .minver = 0,
- .maxver = TLS1_1_VERSION,
- .want_minver = 0,
- .want_maxver = TLS1_1_VERSION,
- },
- {
- .ssl_method = TLS_method,
- .minver = 0,
- .maxver = TLS1_VERSION,
- .want_minver = 0,
- .want_maxver = TLS1_VERSION,
- },
- {
- .ssl_method = TLS_method,
- .minver = 0,
- .maxver = 0x0300,
- .want_max_fail = 1,
- },
- {
- .ssl_method = TLS_method,
- .minver = TLS1_2_VERSION,
- .maxver = TLS1_1_VERSION,
- .want_minver = TLS1_2_VERSION,
- .want_maxver = 0,
- .want_max_fail = 1,
- },
- {
- .ssl_method = TLSv1_1_method,
- .minver = 0,
- .maxver = 0,
- .want_minver = 0,
- .want_maxver = 0,
- },
- {
- .ssl_method = TLSv1_1_method,
- .minver = TLS1_VERSION,
- .maxver = TLS1_2_VERSION,
- .want_minver = TLS1_1_VERSION,
- .want_maxver = TLS1_1_VERSION,
- },
- {
- .ssl_method = TLSv1_1_method,
- .minver = TLS1_2_VERSION,
- .maxver = 0,
- .want_minver = 0,
- .want_maxver = 0,
- .want_min_fail = 1,
- },
- {
- .ssl_method = TLSv1_1_method,
- .minver = 0,
- .maxver = TLS1_VERSION,
- .want_minver = 0,
- .want_maxver = 0,
- .want_max_fail = 1,
- },
- {
- .ssl_method = DTLS_method,
- .minver = 0,
- .maxver = 0,
- .want_minver = 0,
- .want_maxver = 0,
- },
- {
- .ssl_method = DTLS_method,
- .minver = 0,
- .maxver = DTLS1_VERSION,
- .want_minver = 0,
- .want_maxver = DTLS1_VERSION,
- },
- {
- .ssl_method = DTLS_method,
- .minver = DTLS1_VERSION,
- .maxver = 0,
- .want_minver = DTLS1_VERSION,
- .want_maxver = 0,
- },
- {
- .ssl_method = DTLS_method,
- .minver = DTLS1_VERSION,
- .maxver = DTLS1_2_VERSION,
- .want_minver = DTLS1_VERSION,
- .want_maxver = DTLS1_2_VERSION,
- },
- {
- .ssl_method = DTLSv1_method,
- .minver = 0,
- .maxver = 0,
- .want_minver = 0,
- .want_maxver = 0,
- },
- {
- .ssl_method =
DTLSv1_method,
- .minver = DTLS1_VERSION,
- .maxver = 0,
- .want_minver = DTLS1_VERSION,
- .want_maxver = 0,
- },
- {
- .ssl_method = DTLSv1_method,
- .minver = 0,
- .maxver = DTLS1_VERSION,
- .want_minver = 0,
- .want_maxver = DTLS1_VERSION,
- },
- {
- .ssl_method = DTLSv1_method,
- .minver = 0,
- .maxver = DTLS1_2_VERSION,
- .want_minver = 0,
- .want_maxver = DTLS1_VERSION,
- },
- {
- .ssl_method = DTLSv1_method,
- .minver = TLS1_VERSION,
- .maxver = TLS1_2_VERSION,
- .want_minver = 0,
- .want_maxver = 0,
- .want_min_fail = 1,
- .want_max_fail = 1,
- },
-};
-
-#define N_MIN_MAX_VERSION_TESTS \
- (sizeof(min_max_version_tests) / sizeof(*min_max_version_tests))
-
-static int
-test_ssl_min_max_version(void)
-{
- struct min_max_version_test *mmvt;
- SSL_CTX *ssl_ctx = NULL;
- SSL *ssl = NULL;
- int failed = 0;
- size_t i;
-
- failed = 0;
-
- fprintf(stderr, "INFO: starting min max version tests...\n");
-
- for (i = 0; i < N_MIN_MAX_VERSION_TESTS; i++) {
- mmvt = &min_max_version_tests[i];
-
- if ((ssl_ctx = SSL_CTX_new(mmvt->ssl_method())) == NULL) {
- fprintf(stderr, "SSL_CTX_new() returned NULL\n");
- return 1;
- }
-
- if (!SSL_CTX_set_min_proto_version(ssl_ctx, mmvt->minver)) {
- if (!mmvt->want_min_fail) {
- fprintf(stderr, "FAIL: test %zu - failed to set "
- "SSL_CTX min version\n", i);
- failed++;
- }
- goto next;
- }
- if (!SSL_CTX_set_max_proto_version(ssl_ctx, mmvt->maxver)) {
- if (!mmvt->want_max_fail) {
- fprintf(stderr, "FAIL: test %zu - failed to set "
- "SSL_CTX min version\n", i);
- failed++;
- }
- goto next;
- }
-
- if (mmvt->want_min_fail) {
- fprintf(stderr, "FAIL: test %zu - successfully set "
- "SSL_CTX min version, should have failed\n", i);
- failed++;
- goto next;
- }
- if (mmvt->want_max_fail) {
- fprintf(stderr, "FAIL: test %zu - successfully set "
- "SSL_CTX max version, should have failed\n", i);
- failed++;
- goto next;
- }
-
- if (SSL_CTX_get_min_proto_version(ssl_ctx) != mmvt->want_minver) {
- fprintf(stderr, "FAIL: test %zu - got
SSL_CTX min "
- "version 0x%x, want 0x%x\n", i,
- SSL_CTX_get_min_proto_version(ssl_ctx), mmvt->want_minver);
- failed++;
- goto next;
- }
- if (SSL_CTX_get_max_proto_version(ssl_ctx) != mmvt->want_maxver) {
- fprintf(stderr, "FAIL: test %zu - got SSL_CTX max "
- "version 0x%x, want 0x%x\n", i,
- SSL_CTX_get_max_proto_version(ssl_ctx), mmvt->want_maxver);
- failed++;
- goto next;
- }
-
- if ((ssl = SSL_new(ssl_ctx)) == NULL) {
- fprintf(stderr, "SSL_new() returned NULL\n");
- return 1;
- }
-
- if (SSL_get_min_proto_version(ssl) != mmvt->want_minver) {
- fprintf(stderr, "FAIL: test %zu - initial SSL min "
- "version 0x%x, want 0x%x\n", i,
- SSL_get_min_proto_version(ssl), mmvt->want_minver);
- failed++;
- goto next;
- }
- if (SSL_get_max_proto_version(ssl) != mmvt->want_maxver) {
- fprintf(stderr, "FAIL: test %zu - initial SSL max "
- "version 0x%x, want 0x%x\n", i,
- SSL_get_max_proto_version(ssl), mmvt->want_maxver);
- failed++;
- goto next;
- }
-
- if (!SSL_set_min_proto_version(ssl, mmvt->minver)) {
- if (mmvt->want_min_fail) {
- fprintf(stderr, "FAIL: test %zu - failed to set "
- "SSL min version\n", i);
- failed++;
- }
- goto next;
- }
- if (!SSL_set_max_proto_version(ssl, mmvt->maxver)) {
- if (mmvt->want_max_fail) {
- fprintf(stderr, "FAIL: test %zu - failed to set "
- "SSL min version\n", i);
- failed++;
- }
- goto next;
- }
-
- if (mmvt->want_min_fail) {
- fprintf(stderr, "FAIL: test %zu - successfully set SSL "
- "min version, should have failed\n", i);
- failed++;
- goto next;
- }
- if (mmvt->want_max_fail) {
- fprintf(stderr, "FAIL: test %zu - successfully set SSL "
- "max version, should have failed\n", i);
- failed++;
- goto next;
- }
-
- if (SSL_get_min_proto_version(ssl) != mmvt->want_minver) {
- fprintf(stderr, "FAIL: test %zu - got SSL min "
- "version 0x%x, want 0x%x\n", i,
- SSL_get_min_proto_version(ssl), mmvt->want_minver);
- failed++;
- goto next;
- }
- if (SSL_get_max_proto_version(ssl) != mmvt->want_maxver) {
- fprintf(stderr, "FAIL: test
%zu - got SSL max "
- "version 0x%x, want 0x%x\n", i,
- SSL_get_max_proto_version(ssl), mmvt->want_maxver);
- failed++;
- goto next;
- }
-
- next:
- SSL_CTX_free(ssl_ctx);
- SSL_free(ssl);
-
- ssl_ctx = NULL;
- ssl = NULL;
- }
-
- return (failed);
-}
-
-int
-main(int argc, char **argv)
-{
- int failed = 0;
-
- SSL_library_init();
-
- /* XXX - Test ssl_supported_version_range() */
-
- failed |= test_ssl_enabled_version_range();
- failed |= test_ssl_max_shared_version();
- failed |= test_ssl_min_max_version();
-
- if (failed == 0)
- printf("PASS %s\n", __FILE__);
-
- return (failed);
-}
diff --git a/src/regress/lib/libssl/unit/tests.h b/src/regress/lib/libssl/unit/tests.h
deleted file mode 100644
index 287816946a..0000000000
--- a/src/regress/lib/libssl/unit/tests.h
+++ /dev/null
@@ -1,44 +0,0 @@
-/* $OpenBSD: tests.h,v 1.1 2015/06/27 23:35:52 doug Exp $ */
-/*
- * Copyright (c) 2015 Doug Hogan
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef LIBRESSL_REGRESS_TESTS_H__
-#define LIBRESSL_REGRESS_TESTS_H__ 1
-
-/* Ugly macros that are useful for regression tests. */
-
-#define SKIP(a) do { \
- printf("Skipping test in %s [%s:%d]\n", __func__, __FILE__, \
- __LINE__); \
-} while (0)
-
-#define CHECK(a) do { \
- if (!(a)) { \
- printf("Error in %s [%s:%d]\n", __func__, __FILE__, \
- __LINE__); \
- return 0; \
- } \
-} while (0)
-
-#define CHECK_GOTO(a) do { \
- if (!(a)) { \
- printf("Error in %s [%s:%d]\n", __func__, __FILE__, \
- __LINE__); \
- goto err; \
- } \
-} while (0)
-
-#endif /* LIBRESSL_REGRESS_TESTS_H__ */
diff --git a/src/regress/lib/libssl/unit/tls_ext_alpn.c b/src/regress/lib/libssl/unit/tls_ext_alpn.c
deleted file mode 100644
index d00f3efb5f..0000000000
--- a/src/regress/lib/libssl/unit/tls_ext_alpn.c
+++ /dev/null
@@ -1,442 +0,0 @@ -/* $OpenBSD: tls_ext_alpn.c,v 1.9 2022/11/26 16:08:57 tb Exp $ */ -/* - * Copyright (c) 2015 Doug Hogan - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -/* - * Test TLS extension Application-Layer Protocol Negotiation (RFC 7301). - */ -#include -#include - -#include "ssl_local.h" -#include "ssl_tlsext.h" - -#include "tests.h" - -/* - * In the ProtocolNameList, ProtocolNames must not include empty strings and - * byte strings must not be truncated. - * - * This uses some of the IANA approved protocol names from: - * http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml - */ - -/* Valid for client and server since it only has one name. */ -static uint8_t proto_single[] = { - /* Extension extensions<0..2^16-1> -- All TLS extensions */ - 0x00, 0x0f, /* len */ - /* ExtensionType extension_type */ - 0x00, 0x10, /* ALPN */ - /* opaque extension_data<0..2^16-1> */ - 0x00, 0x0b, /* len */ - /* ProtocolName protocol_name_list<2..2^16-1> -- ALPN names */ - 0x00, 0x09, /* len of all names */ - /* opaque ProtocolName<1..2^8-1> -- 'http/1.1' */ - 0x08, /* len */ - 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31 -}; - -/* Valid for client, but NOT server. Server must have exactly one name. 
*/ -static uint8_t proto_multiple1[] = { - /* Extension extensions<0..2^16-1> -- All TLS extensions */ - 0x00, 0x19, /* len */ - /* ExtensionType extension_type */ - 0x00, 0x10, /* ALPN */ - /* opaque extension_data<0..2^16-1> */ - 0x00, 0x15, /* len */ - /* ProtocolName protocol_name_list<2..2^16-1> -- ALPN names */ - 0x00, 0x13, /* len of all names */ - /* opaque ProtocolName<1..2^8-1> -- 'http/1.1' */ - 0x08, /* len */ - 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31, - /* opaque ProtocolName<1..2^8-1> -- 'stun.nat' */ - 0x09, /* len */ - 0x73, 0x74, 0x75, 0x6e, 0x2e, 0x74, 0x75, 0x72, 0x6e -}; - -/* Valid for client, but NOT server. Server must have exactly one name. */ -static uint8_t proto_multiple2[] = { - /* Extension extensions<0..2^16-1> -- All TLS extensions */ - 0x00, 0x1c, /* len */ - /* ExtensionType extension_type */ - 0x00, 0x10, /* ALPN */ - /* opaque extension_data<0..2^16-1> */ - 0x00, 0x18, /* len */ - /* ProtocolName protocol_name_list<2..2^16-1> -- ALPN names */ - 0x00, 0x16, /* len of all names */ - /* opaque ProtocolName<1..2^8-1> -- 'http/1.1' */ - 0x08, /* len */ - 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31, - /* opaque ProtocolName<1..2^8-1> -- 'h2' */ - 0x02, /* len */ - 0x68, 0x32, - /* opaque ProtocolName<1..2^8-1> -- 'stun.nat' */ - 0x09, /* len */ - 0x73, 0x74, 0x75, 0x6e, 0x2e, 0x74, 0x75, 0x72, 0x6e -}; - -/* Valid for client, but NOT server. Server must have exactly one name. 
*/ -static uint8_t proto_multiple3[] = { - /* Extension extensions<0..2^16-1> -- All TLS extensions */ - 0x00, 0x20, /* len */ - /* ExtensionType extension_type */ - 0x00, 0x10, /* ALPN */ - /* opaque extension_data<0..2^16-1> */ - 0x00, 0x1c, /* len */ - /* ProtocolName protocol_name_list<2..2^16-1> -- ALPN names */ - 0x00, 0x1a, /* len of all names */ - /* opaque ProtocolName<1..2^8-1> -- 'http/1.1' */ - 0x08, /* len */ - 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31, - /* opaque ProtocolName<1..2^8-1> -- 'h2' */ - 0x02, /* len */ - 0x68, 0x32, - /* opaque ProtocolName<1..2^8-1> -- 'stun.nat' */ - 0x09, /* len */ - 0x73, 0x74, 0x75, 0x6e, 0x2e, 0x74, 0x75, 0x72, 0x6e, - /* opaque ProtocolName<1..2^8-1> -- 'h2c' */ - 0x03, /* len */ - 0x68, 0x32, 0x63 -}; - -static uint8_t proto_empty[] = { - /* Extension extensions<0..2^16-1> -- All TLS extensions. */ - 0x00, 0x00, /* none present. */ -}; - -/* Invalid for both client and server. Length is wrong. */ -static uint8_t proto_invalid_len1[] = { - /* Extension extensions<0..2^16-1> -- All TLS extensions */ - 0x00, 0x0a, /* len */ - /* ExtensionType extension_type */ - 0x00, 0x10, /* ALPN */ - /* opaque extension_data<0..2^16-1> */ - 0x00, 0x06, /* len */ - /* ProtocolName protocol_name_list<2..2^16-1> -- ALPN names */ - 0x00, 0x04, /* len of all names */ - /* opaque ProtocolName<1..2^8-1> -- 'h2c' */ - 0x04, /* XXX len too large */ - 0x68, 0x32, 0x63 -}; -static uint8_t proto_invalid_len2[] = { - /* Extension extensions<0..2^16-1> -- All TLS extensions */ - 0x00, 0x0a, /* len */ - /* ExtensionType extension_type */ - 0x00, 0x10, /* ALPN */ - /* opaque extension_data<0..2^16-1> */ - 0x00, 0x06, /* len */ - /* ProtocolName protocol_name_list<2..2^16-1> -- ALPN names */ - 0x00, 0x04, /* len of all names */ - /* opaque ProtocolName<1..2^8-1> -- 'h2c' */ - 0x02, /* XXX len too small */ - 0x68, 0x32, 0x63 -}; -static uint8_t proto_invalid_len3[] = { - /* Extension extensions<0..2^16-1> -- All TLS extensions */ - 0x00, 0x0a, 
/* len */ - /* ExtensionType extension_type */ - 0x00, 0x10, /* ALPN */ - /* opaque extension_data<0..2^16-1> */ - 0x00, 0x06, /* len */ - /* ProtocolName protocol_name_list<2..2^16-1> -- ALPN names */ - 0x00, 0x03, /* XXX len too small */ - /* opaque ProtocolName<1..2^8-1> -- 'h2c' */ - 0x03, /* len */ - 0x68, 0x32, 0x63 -}; -static uint8_t proto_invalid_len4[] = { - /* Extension extensions<0..2^16-1> -- All TLS extensions */ - 0x00, 0x0a, /* len */ - /* ExtensionType extension_type */ - 0x00, 0x10, /* ALPN */ - /* opaque extension_data<0..2^16-1> */ - 0x00, 0x06, /* len */ - /* ProtocolName protocol_name_list<2..2^16-1> -- ALPN names */ - 0x00, 0x06, /* XXX len too large */ - /* opaque ProtocolName<1..2^8-1> -- 'h2c' */ - 0x03, /* len */ - 0x68, 0x32, 0x63 -}; -static uint8_t proto_invalid_len5[] = { - /* Extension extensions<0..2^16-1> -- All TLS extensions */ - 0x00, 0x0a, /* len */ - /* ExtensionType extension_type */ - 0x00, 0x10, /* ALPN */ - /* opaque extension_data<0..2^16-1> */ - 0x01, 0x08, /* XXX len too large */ - /* ProtocolName protocol_name_list<2..2^16-1> -- ALPN names */ - 0x00, 0x04, /* len */ - /* opaque ProtocolName<1..2^8-1> -- 'h2c' */ - 0x03, /* len */ - 0x68, 0x32, 0x63 -}; -static uint8_t proto_invalid_len6[] = { - /* Extension extensions<0..2^16-1> -- All TLS extensions */ - 0x00, 0x0a, /* len */ - /* ExtensionType extension_type */ - 0x00, 0x10, /* ALPN */ - /* opaque extension_data<0..2^16-1> */ - 0x00, 0x05, /* XXX len too small */ - /* ProtocolName protocol_name_list<2..2^16-1> -- ALPN names */ - 0x00, 0x04, /* len */ - /* opaque ProtocolName<1..2^8-1> -- 'h2c' */ - 0x03, /* len */ - 0x68, 0x32, 0x63 -}; -static uint8_t proto_invalid_len7[] = { - /* Extension extensions<0..2^16-1> -- All TLS extensions */ - 0x00, 0x06, /* XXX len too small */ - /* ExtensionType extension_type */ - 0x00, 0x10, /* ALPN */ - /* opaque extension_data<0..2^16-1> */ - 0x00, 0x06, /* len */ - /* ProtocolName protocol_name_list<2..2^16-1> -- ALPN names */ - 
0x00, 0x04, /* len */ - /* opaque ProtocolName<1..2^8-1> -- 'h2c' */ - 0x03, /* len */ - 0x68, 0x32, 0x63 -}; -static uint8_t proto_invalid_len8[] = { - /* Extension extensions<0..2^16-1> -- All TLS extensions */ - 0x00, 0x0b, /* XXX len too large */ - /* ExtensionType extension_type */ - 0x00, 0x10, /* ALPN */ - /* opaque extension_data<0..2^16-1> */ - 0x00, 0x06, /* len */ - /* ProtocolName protocol_name_list<2..2^16-1> -- ALPN names */ - 0x00, 0x04, /* len */ - /* opaque ProtocolName<1..2^8-1> -- 'h2c' */ - 0x03, /* len */ - 0x68, 0x32, 0x63 -}; - -/* Invalid for client and server since it is missing data. */ -static uint8_t proto_invalid_missing1[] = { - /* Extension extensions<0..2^16-1> -- All TLS extensions */ - 0x00, 0x0a, /* len */ - /* ExtensionType extension_type */ - 0x00, 0x10, /* ALPN */ - /* opaque extension_data<0..2^16-1> */ - 0x00, 0x06, /* len */ - /* ProtocolName protocol_name_list<2..2^16-1> -- ALPN names */ - 0x00, 0x04, /* len of all names */ - /* opaque ProtocolName<1..2^8-1> -- 'h2c' */ - /* XXX missing */ -}; -static uint8_t proto_invalid_missing2[] = { - /* Extension extensions<0..2^16-1> -- All TLS extensions */ - 0x00, 0x0a, /* len */ - /* ExtensionType extension_type */ - 0x00, 0x10, /* ALPN */ - /* opaque extension_data<0..2^16-1> */ - 0x00, 0x00, /* XXX missing name list */ - /* ProtocolName protocol_name_list<2..2^16-1> -- ALPN names */ -}; -static uint8_t proto_invalid_missing3[] = { - /* Extension extensions<0..2^16-1> -- All TLS extensions */ - 0x00, 0x0a, /* len */ - /* ExtensionType extension_type */ - 0x00, 0x10, /* ALPN */ - /* opaque extension_data<0..2^16-1> */ - 0x00, 0x02, /* XXX size is sufficient but missing data for name list */ - /* ProtocolName protocol_name_list<2..2^16-1> -- ALPN names */ -}; -static uint8_t proto_invalid_missing4[] = { - /* Extension extensions<0..2^16-1> -- All TLS extensions */ - 0x00, 0x0a, /* len */ - /* ExtensionType extension_type */ - 0x00, 0x10, /* ALPN */ - /* opaque 
extension_data<0..2^16-1> */ - /* XXX missing */ -}; -static uint8_t proto_invalid_missing5[] = { - /* Extension extensions<0..2^16-1> -- All TLS extensions */ - 0x00, 0x1c, /* len */ - /* ExtensionType extension_type */ - 0x00, 0x10, /* ALPN */ - /* opaque extension_data<0..2^16-1> */ - 0x00, 0x18, /* len */ - /* ProtocolName protocol_name_list<2..2^16-1> -- ALPN names */ - 0x00, 0x16, /* len of all names */ - /* opaque ProtocolName<1..2^8-1> -- 'http/1.1' */ - 0x08, /* len */ - 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31, - /* opaque ProtocolName<1..2^8-1> -- 'h2' */ - 0x02, /* len */ - 0x68, 0x32, - /* XXX missing name */ -}; -static uint8_t proto_invalid_missing6[] = { - /* Extension extensions<0..2^16-1> -- All TLS extensions */ - 0x00, 0x07, /* len */ - /* ExtensionType extension_type */ - 0x00, 0x10, /* ALPN */ - /* opaque extension_data<0..2^16-1> */ - 0x00, 0x03, /* len */ - /* ProtocolName protocol_name_list<2..2^16-1> -- ALPN names */ - 0x00, 0x01, /* XXX len must be at least 2 */ - /* opaque ProtocolName<1..2^8-1> -- 'http/1.1' */ - 0x00, /* XXX len cannot be 0 */ -}; -static uint8_t proto_invalid_missing7[] = { - /* Extension extensions<0..2^16-1> -- All TLS extensions */ - 0x00, 0x07, /* len */ - /* ExtensionType extension_type */ - 0x00, 0x10, /* ALPN */ - /* opaque extension_data<0..2^16-1> */ - 0x00, 0x03, /* len */ - /* ProtocolName protocol_name_list<2..2^16-1> -- ALPN names */ - 0x00, 0x02, /* XXX len is at least 2 but not correct. 
*/ - /* opaque ProtocolName<1..2^8-1> -- 'http/1.1' */ - 0x00, /* XXX len cannot be 0 */ -}; -static uint8_t proto_invalid_missing8[] = { - /* Extension extensions<0..2^16-1> -- All TLS extensions */ - 0x00, 0x01, /* len */ - /* ExtensionType extension_type */ - 0x00, /* XXX need a 2 byte type */ -}; -static uint8_t proto_invalid_missing9[] = { - /* Extension extensions<0..2^16-1> -- All TLS extensions */ - 0x0a, /* XXX need a 2 byte len */ -}; - - -#define CHECK_BOTH(c_val, s_val, proto) do { \ - { \ - CBS cbs; \ - int al; \ - \ - CBS_init(&cbs, proto, sizeof(proto)); \ - CHECK(c_val == tlsext_server_parse(s, SSL_TLSEXT_MSG_CH, &cbs, &al)); \ - CBS_init(&cbs, proto, sizeof(proto)); \ - CHECK(s_val == tlsext_client_parse(s, SSL_TLSEXT_MSG_SH, &cbs, &al)); \ - } \ -} while (0) - -static int dummy_alpn_cb(SSL *ssl, const unsigned char **out, - unsigned char *outlen, const unsigned char *in, unsigned int inlen, - void *arg); - -static int -check_valid_alpn(SSL *s) -{ - const uint8_t str[] = { - 0x08, /* len */ - 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31 /* http/1.1 */ - }; - - /* Setup in order to test ALPN. */ - CHECK(! SSL_set_alpn_protos(s, str, 9)); - SSL_CTX_set_alpn_select_cb(s->ctx, dummy_alpn_cb, NULL); - - /* Prerequisites to test these. */ - CHECK(s->alpn_client_proto_list != NULL); - CHECK(s->ctx->alpn_select_cb != NULL); - //CHECK(s->s3->tmp.finish_md_len == 0); - - CHECK_BOTH(1, 1, proto_single); - CHECK_BOTH(1, 1, proto_empty); - - /* Multiple protocol names are only valid for client */ - CHECK_BOTH(1, 0, proto_multiple1); - CHECK_BOTH(1, 0, proto_multiple2); - CHECK_BOTH(1, 0, proto_multiple3); - - return 1; -} - -/* - * Some of the IANA approved IDs from: - * http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml - */ -static int -check_invalid_alpn(SSL *s) -{ - const uint8_t str[] = { - 0x08, /* len */ - 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31 /* http/1.1 */ - }; - - /* Setup in order to test ALPN. 
*/ - CHECK(! SSL_set_alpn_protos(s, str, 9)); - SSL_CTX_set_alpn_select_cb(s->ctx, dummy_alpn_cb, NULL); - - /* Prerequisites to test these. */ - CHECK(s->alpn_client_proto_list != NULL); - CHECK(s->ctx->alpn_select_cb != NULL); - //CHECK(s->s3->tmp.finish_md_len == 0); - - /* None of these are valid for client or server */ - CHECK_BOTH(0, 0, proto_invalid_len1); - CHECK_BOTH(0, 0, proto_invalid_len2); - CHECK_BOTH(0, 0, proto_invalid_len3); - CHECK_BOTH(0, 0, proto_invalid_len4); - CHECK_BOTH(0, 0, proto_invalid_len5); - CHECK_BOTH(0, 0, proto_invalid_len6); - CHECK_BOTH(0, 0, proto_invalid_len7); - CHECK_BOTH(0, 0, proto_invalid_len8); - CHECK_BOTH(0, 0, proto_invalid_missing1); - CHECK_BOTH(0, 0, proto_invalid_missing2); - CHECK_BOTH(0, 0, proto_invalid_missing3); - CHECK_BOTH(0, 0, proto_invalid_missing4); - CHECK_BOTH(0, 0, proto_invalid_missing5); - CHECK_BOTH(0, 0, proto_invalid_missing6); - CHECK_BOTH(0, 0, proto_invalid_missing7); - CHECK_BOTH(0, 0, proto_invalid_missing8); - CHECK_BOTH(0, 0, proto_invalid_missing9); - - return 1; -} - -int -dummy_alpn_cb(SSL *ssl __attribute__((unused)), const unsigned char **out, - unsigned char *outlen, const unsigned char *in, unsigned int inlen, - void *arg __attribute__((unused))) -{ - *out = in; - *outlen = (unsigned char)inlen; - - return 0; -} - -int -main(void) -{ - SSL_CTX *ctx = NULL; - SSL *s = NULL; - int rv = 1; - - SSL_library_init(); - - CHECK_GOTO((ctx = SSL_CTX_new(TLSv1_2_client_method())) != NULL); - CHECK_GOTO((s = SSL_new(ctx)) != NULL); - - if (!check_valid_alpn(s)) - goto err; - if (!check_invalid_alpn(s)) - goto err; - - rv = 0; - -err: - SSL_CTX_free(ctx); - SSL_free(s); - - if (!rv) - printf("PASS %s\n", __FILE__); - return rv; -} diff --git a/src/regress/lib/libssl/unit/tls_prf.c b/src/regress/lib/libssl/unit/tls_prf.c deleted file mode 100644 index 8cb17cb057..0000000000 --- a/src/regress/lib/libssl/unit/tls_prf.c +++ /dev/null 
@@ -1,182 +0,0 @@
-/* $OpenBSD: tls_prf.c,v 1.11 2024/07/16 14:38:59 jsing Exp $ */
-/*
- * Copyright (c) 2017 Joel Sing
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include
-
-#include "ssl_local.h"
-
-int tls1_PRF(SSL *s, const unsigned char *secret, size_t secret_len,
- const void *seed1, size_t seed1_len, const void *seed2, size_t seed2_len,
- const void *seed3, size_t seed3_len, const void *seed4, size_t seed4_len,
- const void *seed5, size_t seed5_len, unsigned char *out, size_t out_len);
-
-#define TLS_PRF_OUT_LEN 128
-
-struct tls_prf_test {
- const unsigned char *desc;
- const SSL_METHOD *(*ssl_method)(void);
- const uint16_t cipher_value;
- const unsigned char out[TLS_PRF_OUT_LEN];
-};
-
-static const struct tls_prf_test tls_prf_tests[] = {
- {
- .desc = "SHA256",
- .ssl_method = TLSv1_2_method,
- .cipher_value = 0x0033,
- .out = {
- 0x37, 0xa7, 0x06, 0x71, 0x6e, 0x19, 0x19, 0xda,
- 0x23, 0x8c, 0xcc, 0xb4, 0x2f, 0x31, 0x64, 0x9d,
- 0x05, 0x29, 0x1c, 0x33, 0x7e, 0x09, 0x1b, 0x0c,
- 0x0e, 0x23, 0xc1, 0xb0, 0x40, 0xcc, 0x31, 0xf7,
- 0x55, 0x66, 0x68, 0xd9, 0xa8, 0xae, 0x74, 0x75,
- 0xf3, 0x46, 0xe9, 0x3a, 0x54, 0x9d, 0xe0, 0x8b,
- 0x7e, 0x6c, 0x63, 0x1c, 0xfa, 0x2f, 0xfd, 0xc9,
- 0xd3, 0xf1, 0xd3, 0xfe, 0x7b, 0x9e, 0x14, 0x95,
- 0xb5, 0xd0, 0xad, 0x9b, 0xee, 0x78, 0x8c, 0x83,
- 0x18, 0x58, 0x7e, 0xa2, 0x23, 0xc1, 0x8b, 0x62,
- 0x94, 0x12, 0xcb, 0xb6, 0x60, 0x69, 0x32, 0xfe,
- 0x98, 0x0e, 0x93, 0xb0, 0x8e, 0x5c, 0xfb, 0x6e,
- 0xdb, 0x9a, 0xc2, 0x9f, 0x8c, 0x5c, 0x43, 0x19,
- 0xeb, 0x4a, 0x52, 0xad, 0x62, 0x2b, 0xdd, 0x9f,
- 0xa3, 0x74, 0xa6, 0x96, 0x61, 0x4d, 0x98, 0x40,
- 0x63, 0xa6, 0xd4, 0xbb, 0x17, 0x11, 0x75, 0xed,
- },
- },
- {
- .desc = "SHA384",
- .ssl_method = TLSv1_2_method,
- .cipher_value = 0x009d,
- .out = {
- 0x00, 0x93, 0xc3, 0xfd, 0xa7, 0xbb, 0xdc, 0x5b,
- 0x13, 0x3a, 0xe6, 0x8b, 0x1b, 0xac, 0xf3, 0xfb,
- 0x3c, 0x9a, 0x78, 0xf6, 0x19, 0xf0, 0x13, 0x0f,
- 0x0d, 0x01, 0x9d, 0xdf, 0x0a, 0x28, 0x38, 0xce,
- 0x1a, 0x9b, 0x43, 0xbe, 0x56, 0x12, 0xa7, 0x16,
- 0x58, 0xe1, 0x8a, 0xe4, 0xc5, 0xbb, 0x10, 0x4c,
- 0x3a, 0xf3, 0x7f, 0xd3, 0xdb, 0xe4, 0xe0, 0x3d,
- 0xcc, 0x83, 0xca, 0xf0, 0xf9, 0x69, 0xcc, 0x70,
- 0x83, 0x32, 0xf6, 0xfc, 0x81, 0x80, 0x02, 0xe8,
- 0x31, 0x1e, 0x7c, 0x3b, 0x34, 0xf7, 0x34, 0xd1,
- 0xcf, 0x2a, 0xc4, 0x36, 0x2f, 0xe9, 0xaa, 0x7f,
- 0x6d, 0x1f, 0x5e, 0x0e, 0x39, 0x05, 0x15, 0xe1,
- 0xa2, 0x9a, 0x4d, 0x97, 0x8c, 0x62, 0x46, 0xf1,
- 0x87, 0x65, 0xd8, 0xe9, 0x14, 0x11, 0xa6, 0x48,
- 0xd7, 0x0e, 0x6e, 0x70, 0xad, 0xfb, 0x3f, 0x36,
- 0x05, 0x76, 0x4b, 0xe4, 0x28, 0x50, 0x4a, 0xf2,
- },
- },
-};
-
-#define N_TLS_PRF_TESTS \
- (sizeof(tls_prf_tests) / sizeof(*tls_prf_tests))
-
-#define TLS_PRF_SEED1 "tls prf seed 1"
-#define TLS_PRF_SEED2 "tls prf seed 2"
-#define TLS_PRF_SEED3 "tls prf seed 3"
-#define TLS_PRF_SEED4 "tls prf seed 4"
-#define TLS_PRF_SEED5 "tls prf seed 5"
-#define TLS_PRF_SECRET "tls prf secretz"
-
-static void
-hexdump(const unsigned char *buf, size_t len)
-{
- size_t i;
-
- for (i = 1; i <= len; i++)
- fprintf(stderr, " 0x%02hhx,%s", buf[i - 1], i % 8 ? "" : "\n");
-
- fprintf(stderr, "\n");
-}
-
-static int
-do_tls_prf_test(int test_no, const struct tls_prf_test *tpt)
-{
- unsigned char *out = NULL;
- const SSL_CIPHER *cipher;
- SSL_CTX *ssl_ctx = NULL;
- SSL *ssl = NULL;
- int failure = 1;
- int len;
-
- fprintf(stderr, "Test %d - %s\n", test_no, tpt->desc);
-
- if ((out = malloc(TLS_PRF_OUT_LEN)) == NULL)
- errx(1, "failed to allocate out");
-
- if ((ssl_ctx = SSL_CTX_new(tpt->ssl_method())) == NULL)
- errx(1, "failed to create SSL context");
- if ((ssl = SSL_new(ssl_ctx)) == NULL)
- errx(1, "failed to create SSL context");
-
- if ((cipher = ssl3_get_cipher_by_value(tpt->cipher_value)) == NULL) {
- fprintf(stderr, "FAIL: no cipher %hx\n", tpt->cipher_value);
- goto failure;
- }
-
- ssl->s3->hs.cipher = cipher;
-
- for (len = 1; len <= TLS_PRF_OUT_LEN; len++) {
- memset(out, 'A', TLS_PRF_OUT_LEN);
-
- if (tls1_PRF(ssl, TLS_PRF_SECRET, sizeof(TLS_PRF_SECRET),
- TLS_PRF_SEED1, sizeof(TLS_PRF_SEED1), TLS_PRF_SEED2,
- sizeof(TLS_PRF_SEED2), TLS_PRF_SEED3, sizeof(TLS_PRF_SEED3),
- TLS_PRF_SEED4, sizeof(TLS_PRF_SEED4), TLS_PRF_SEED5,
- sizeof(TLS_PRF_SEED5), out, len) != 1) {
- fprintf(stderr, "FAIL: tls_PRF failed for len %d\n",
- len);
- goto failure;
- }
-
- if (memcmp(out, tpt->out, len) != 0) {
- fprintf(stderr, "FAIL: tls_PRF output differs for "
- "len %d\n", len);
- fprintf(stderr, "output:\n");
- hexdump(out, TLS_PRF_OUT_LEN);
- fprintf(stderr, "test data:\n");
- hexdump(tpt->out, TLS_PRF_OUT_LEN);
- fprintf(stderr, "\n");
- goto failure;
- }
- }
-
- failure = 0;
-
- failure:
- SSL_free(ssl);
- SSL_CTX_free(ssl_ctx);
-
- free(out);
-
- return failure;
-}
-
-int
-main(int argc, char **argv)
-{
- int failed = 0;
- size_t i;
-
- SSL_library_init();
- SSL_load_error_strings();
-
- for (i = 0; i < N_TLS_PRF_TESTS; i++)
- failed |= do_tls_prf_test(i, &tls_prf_tests[i]);
-
- return failed;
-}
diff --git a/src/regress/lib/libssl/verify/Makefile b/src/regress/lib/libssl/verify/Makefile
deleted file mode 100644
index 515b22e07a..0000000000
--- a/src/regress/lib/libssl/verify/Makefile
+++ /dev/null
@@ -1,37 +0,0 @@
-# $OpenBSD: Makefile,v 1.1.1.1 2021/08/30 17:27:45 tb Exp $
-
-.if !(make(clean) || make(cleandir) || make(obj))
-. if !exists(/usr/local/libdata/perl5/site_perl/IO/Socket/SSL.pm)
-regress:
- @echo "missing package p5-IO-Socket-SSL"
- @echo SKIPPED
-. endif
-.endif
-PROGS += verify
-
-.for p in ${PROGS}
-REGRESS_TARGETS += run-$p
-.endfor
-
-LDADD = -lcrypto -lssl
-DPADD = ${LIBCRYPTO} ${LIBSSL}
-WARNINGS = Yes
-CFLAGS += -DLIBRESSL_INTERNAL -Wundef -Werror
-
-PERL ?= perl
-
-REGRESS_SETUP_ONCE += create-libressl-test-certs
-create-libressl-test-certs: create-libressl-test-certs.pl
- ${PERL} ${.CURDIR}/$@.pl
-
-
-CLEANFILES += *.pem *.key
-
-.for p in ${PROGS}
-run-$p: $p
- ./$p
-
-.PHONY: run-$p
-.endfor
-
-.include
diff --git a/src/regress/lib/libssl/verify/create-libressl-test-certs.pl b/src/regress/lib/libssl/verify/create-libressl-test-certs.pl
deleted file mode 100644
index f38494966e..0000000000
--- a/src/regress/lib/libssl/verify/create-libressl-test-certs.pl
+++ /dev/null
@@ -1,111 +0,0 @@
-#!/usr/bin/perl
-
-# Copyright (c) 2021 Steffen Ullrich
-# Public Domain
-
-use strict;
-use warnings;
-use IO::Socket::SSL::Utils;
-
-# primitive CA - ROOT
-my @ca = cert(
- CA => 1,
- subject => { CN => 'ROOT' }
-);
-out('caR.pem', pem(crt => $ca[0]));
-out('caR.key', pem(key => $ca[1]));
-
-# server certificate where SAN contains in-label wildcards, which a
-# client MAY choose to accept as per RFC 6125 section 6.4.3.
-my @leafcert = cert(
- issuer => \@ca,
- purpose => 'server',
- subject => { CN => 'server.local' },
- subjectAltNames => [
- [ DNS => 'bar.server.local' ],
- [ DNS => 'www*.server.local'],
- [ DNS => '*.www.server.local'],
- [ DNS => 'foo.server.local' ],
- [ DNS => 'server.local' ],
- ]
-);
-out('server-unusual-wildcard.pem', pem(@leafcert));
-
-@leafcert = cert(
- issuer => \@ca,
- purpose => 'server',
- subject => { CN => 'server.local' },
- subjectAltNames => [
- [ DNS => 'bar.server.local' ],
- [ DNS => '*.www.server.local'],
- [ DNS => 'foo.server.local' ],
- [ DNS => 'server.local' ],
- ]
-);
-out('server-common-wildcard.pem', pem(@leafcert));
-
-# alternative CA - OLD_ROOT
-my @caO = cert(
- CA => 1,
- subject => { CN => 'OLD_ROOT' }
-);
-out('caO.pem', pem(crt => $caO[0]));
-out('caO.key', pem(key => $caO[1]));
-
-# alternative ROOT CA, signed by OLD_ROOT, same key as other ROOT CA
-my @caX = cert(
- issuer => \@caO,
- CA => 1,
- subject => { CN => 'ROOT' },
- key => $ca[1],
-);
-out('caX.pem', pem(crt => $caX[0]));
-out('caX.key', pem(key => $caX[1]));
-
-# subCA below ROOT
-my @subcaR = cert(
- issuer => \@ca,
- CA => 1,
- subject => { CN => 'SubCA.of.ROOT' }
-);
-out('subcaR.pem', pem(crt => $subcaR[0]));
-out('subcaR.key', pem(key => $subcaR[1]));
-out('chainSX.pem', pem($subcaR[0]), pem($caX[0]));
-
-@leafcert = cert(
- issuer => \@subcaR,
- purpose => 'server',
- subject => { CN => 'server.subca.local' },
- subjectAltNames => [
- [ DNS => 'server.subca.local' ],
- ]
-);
-out('server-subca.pem', pem(@leafcert));
-out('server-subca-chainSX.pem', pem(@leafcert, $subcaR[0], $caX[0]));
-out('server-subca-chainS.pem', pem(@leafcert, $subcaR[0]));
-
-
-sub cert { CERT_create(not_after => 10*365*86400+time(), @_) }
-sub pem {
- my @default = qw(crt key);
- my %m = (key => \&PEM_key2string, crt => \&PEM_cert2string);
- my $result = '';
- while (my $f = shift(@_)) {
- my $v;
- if ($f =~m{^(key|crt)$}) {
- $v = shift(@_);
- } else {
- $v = $f;
- $f = shift(@default) || 'crt';
- }
- $f = $m{$f} || die "wrong key $f";
- $result .= $f->($v);
- }
- return $result;
-}
-
-sub out {
- my $file = shift;
- open(my $fh,'>',"$file") or die "failed to create $file: $!";
- print $fh @_
-}
diff --git a/src/regress/lib/libssl/verify/verify.c b/src/regress/lib/libssl/verify/verify.c
deleted file mode 100644
index 8784396a79..0000000000
--- a/src/regress/lib/libssl/verify/verify.c
+++ /dev/null
@@ -1,373 +0,0 @@ -/* $OpenBSD: verify.c,v 1.1.1.1 2021/08/30 17:27:45 tb Exp $ */ -/* - * Copyright (c) 2021 Theo Buehler - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -/* Based on https://github.com/noxxi/libressl-tests */ - -#include -#include -#include -#include - -#include -#include -#include -#include -#include - -struct peer_config { - const char *name; - int server; - const char *cert; - const char *key; - const char *ca_file; -}; - -struct ssl_wildcard_test_data { - const char *description; - struct peer_config client_config; - struct peer_config server_config; - long verify_result; -}; - -static const struct ssl_wildcard_test_data ssl_wildcard_tests[] = { - { - .description = "unusual wildcard cert, no CA given to client", - .client_config = { - .name = "client", - .server = 0, - .cert = NULL, - .ca_file = NULL, - }, - .server_config = { - .name = "server", - .server = 1, - .cert = "server-unusual-wildcard.pem", - .key = "server-unusual-wildcard.pem", - }, - /* OpenSSL returns X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE */ - .verify_result = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, - }, - - { - .description = "unusual wildcard cert, CA given to client", - .client_config = { - .name = "client", - .server = 0, - .cert = NULL, - .ca_file = "caR.pem", - }, - 
.server_config = { - .name = "server", - .server = 1, - .cert = "server-unusual-wildcard.pem", - .key = "server-unusual-wildcard.pem", - }, - .verify_result = X509_V_OK, - }, - - { - .description = "common wildcard cert, no CA given to client", - .client_config = { - .name = "client", - .server = 0, - .cert = NULL, - .ca_file = NULL, - }, - .server_config = { - .name = "server", - .server = 1, - .cert = "server-common-wildcard.pem", - .key = "server-common-wildcard.pem", - }, - /* OpenSSL returns X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE */ - .verify_result = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, - }, - - { - .description = "common wildcard cert, CA given to client", - .client_config = { - .name = "client", - .server = 0, - .cert = NULL, - .ca_file = "caR.pem", - }, - .server_config = { - .name = "server", - .server = 1, - .cert = "server-common-wildcard.pem", - .key = "server-common-wildcard.pem", - }, - .verify_result = X509_V_OK, - }, - - { - .description = "server sends all chain certificates", - .client_config = { - .name = "client", - .server = 0, - .cert = NULL, - .ca_file = "caR.pem", - }, - .server_config = { - .name = "server", - .server = 1, - .cert = "server-subca-chainS.pem", - .key = "server-subca-chainS.pem", - .ca_file = "subcaR.pem" - }, - .verify_result = X509_V_OK, - }, -}; - -static const size_t N_SSL_WILDCARD_TESTS = - sizeof(ssl_wildcard_tests) / sizeof(ssl_wildcard_tests[0]); - -static SSL_CTX * -peer_config_to_ssl_ctx(const struct peer_config *config) -{ - SSL_CTX *ctx; - - if ((ctx = SSL_CTX_new(TLS_method())) == NULL) { - fprintf(stderr, "SSL_CTX_new(%s) failed\n", config->name); - goto err; - } - - if (config->server) { - if (!SSL_CTX_use_certificate_file(ctx, config->cert, - SSL_FILETYPE_PEM)) { - fprintf(stderr, "use_certificate_file(%s) failed\n", - config->name); - goto err; - } - if (config->key != NULL && !SSL_CTX_use_PrivateKey_file(ctx, - config->key, SSL_FILETYPE_PEM)) { - fprintf(stderr, "use_PrivateKey_file(%s) 
failed\n", - config->name); - goto err; - } - } - - if (config->ca_file != NULL) { - if (!SSL_CTX_load_verify_locations(ctx, config->ca_file, NULL)) { - fprintf(stderr, "load_verify_locations(%s) failed\n", - config->name); - goto err; - } - } - - return ctx; - - err: - SSL_CTX_free(ctx); - return NULL; -} - -/* Connect client and server via a pair of "nonblocking" memory BIOs. */ -static int -connect_peers(SSL *client_ssl, SSL *server_ssl, const char *description) -{ - BIO *client_wbio = NULL, *server_wbio = NULL; - int ret = 0; - - if ((client_wbio = BIO_new(BIO_s_mem())) == NULL) { - fprintf(stderr, "%s: failed to create client BIO\n", - description); - goto err; - } - if ((server_wbio = BIO_new(BIO_s_mem())) == NULL) { - fprintf(stderr, "%s: failed to create server BIO\n", - description); - goto err; - } - if (BIO_set_mem_eof_return(client_wbio, -1) <= 0) { - fprintf(stderr, "%s: failed to set client eof return\n", - description); - goto err; - } - if (BIO_set_mem_eof_return(server_wbio, -1) <= 0) { - fprintf(stderr, "%s: failed to set server eof return\n", - description); - goto err; - } - - /* Avoid double free. SSL_set_bio() takes ownership of the BIOs. */ - BIO_up_ref(client_wbio); - BIO_up_ref(server_wbio); - - SSL_set_bio(client_ssl, server_wbio, client_wbio); - SSL_set_bio(server_ssl, client_wbio, server_wbio); - client_wbio = NULL; - server_wbio = NULL; - - ret = 1; - - err: - BIO_free(client_wbio); - BIO_free(server_wbio); - - return ret; -} - -static int -push_data_to_peer(SSL *ssl, int *ret, int (*func)(SSL *), const char *func_name, - const char *description) -{ - int ssl_err = 0; - - if (*ret == 1) - return 1; - - /* - * Do SSL_connect/SSL_accept/SSL_shutdown once and loop while hitting - * WANT_WRITE. If done or on WANT_READ hand off to peer. - */ - - do { - if ((*ret = func(ssl)) <= 0) - ssl_err = SSL_get_error(ssl, *ret); - } while (*ret <= 0 && ssl_err == SSL_ERROR_WANT_WRITE); - - /* Ignore erroneous error - see SSL_shutdown(3)... 
*/ - if (func == SSL_shutdown && ssl_err == SSL_ERROR_SYSCALL) - return 1; - - if (*ret <= 0 && ssl_err != SSL_ERROR_WANT_READ) { - fprintf(stderr, "%s: %s failed\n", description, func_name); - ERR_print_errors_fp(stderr); - return 0; - } - - return 1; -} - -/* - * Alternate between loops of SSL_connect() and SSL_accept() as long as only - * WANT_READ and WANT_WRITE situations are encountered. A function is repeated - * until WANT_READ is returned or it succeeds, then it's the other function's - * turn to make progress. Succeeds if SSL_connect() and SSL_accept() return 1. - */ -static int -handshake(SSL *client_ssl, SSL *server_ssl, const char *description) -{ - int loops = 0, client_ret = 0, server_ret = 0; - - while (loops++ < 10 && (client_ret <= 0 || server_ret <= 0)) { - if (!push_data_to_peer(client_ssl, &client_ret, SSL_connect, - "SSL_connect", description)) - return 0; - - if (!push_data_to_peer(server_ssl, &server_ret, SSL_accept, - "SSL_accept", description)) - return 0; - } - - if (client_ret != 1 || server_ret != 1) { - fprintf(stderr, "%s: failed\n", __func__); - return 0; - } - - return 1; -} - -static int -shutdown_peers(SSL *client_ssl, SSL *server_ssl, const char *description) -{ - int loops = 0, client_ret = 0, server_ret = 0; - - while (loops++ < 10 && (client_ret <= 0 || server_ret <= 0)) { - if (!push_data_to_peer(client_ssl, &client_ret, SSL_shutdown, - "client shutdown", description)) - return 0; - - if (!push_data_to_peer(server_ssl, &server_ret, SSL_shutdown, - "server shutdown", description)) - return 0; - } - - if (client_ret != 1 || server_ret != 1) { - fprintf(stderr, "%s: failed\n", __func__); - return 0; - } - - return 1; -} - -static int -test_ssl_wildcards(const struct ssl_wildcard_test_data *test) -{ - SSL_CTX *client_ctx = NULL, *server_ctx = NULL; - SSL *client_ssl = NULL, *server_ssl = NULL; - long verify_result; - int failed = 1; - - if ((client_ctx = peer_config_to_ssl_ctx(&test->client_config)) == NULL) - goto err; - if 
((server_ctx = peer_config_to_ssl_ctx(&test->server_config)) == NULL) - goto err; - - if ((client_ssl = SSL_new(client_ctx)) == NULL) { - fprintf(stderr, "%s: failed to create client SSL\n", - test->description); - goto err; - } - if ((server_ssl = SSL_new(server_ctx)) == NULL) { - fprintf(stderr, "%s: failed to create server SSL\n", - test->description); - goto err; - } - - if (!connect_peers(client_ssl, server_ssl, test->description)) - goto err; - - if (!handshake(client_ssl, server_ssl, test->description)) - goto err; - - verify_result = SSL_get_verify_result(client_ssl); - - if (test->verify_result == verify_result) { - failed = 0; - fprintf(stderr, "%s: ok\n", test->description); - } else - fprintf(stderr, "%s: verify_result: want %ld, got %ld\n", - test->description, test->verify_result, verify_result); - - if (!shutdown_peers(client_ssl, server_ssl, test->description)) - goto err; - - err: - SSL_CTX_free(client_ctx); - SSL_CTX_free(server_ctx); - SSL_free(client_ssl); - SSL_free(server_ssl); - - return failed; -} - -int -main(int argc, char **argv) -{ - size_t i; - int failed = 0; - - for (i = 0; i < N_SSL_WILDCARD_TESTS; i++) - failed |= test_ssl_wildcards(&ssl_wildcard_tests[i]); - - if (failed == 0) - printf("PASS %s\n", __FILE__); - - return failed; -} -- cgit v1.2.3-55-g6feb