From: Tomas Mraz
Date: Mon, 16 May 2022 16:08:54 +0000 (+0200)
Subject: Add a test_ssl_new testcase
X-Git-Tag: openssl-3.2.0-alpha1~2566
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=08e4901298df12931b45c7115254a0e159727683;p=thirdparty%2Fopenssl.git

Add a test_ssl_new testcase

This requires some code being pulled into the empty protocol implementation so the state machinery works.

Reviewed-by: Matt Caswell
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/18307)
---
diff --git a/ssl/quic/quic_impl.c b/ssl/quic/quic_impl.c
index 1c673d23b66..5d0c861c76e 100644
--- a/ssl/quic/quic_impl.c
+++ b/ssl/quic/quic_impl.c
@@ -28,37 +28,49 @@ int ossl_quic_clear(SSL *s)
 
 int ossl_quic_accept(SSL *s)
 {
+ s->statem.in_init = 0;
 return 1;
 }
 
 int ossl_quic_connect(SSL *s)
 {
+ s->statem.in_init = 0;
 return 1;
 }
 
 int ossl_quic_read(SSL *s, void *buf, size_t len, size_t *readbytes)
 {
+ int ret;
 BIO *rbio = SSL_get_rbio(s);
 
 if (rbio == NULL)
 return 0;
 
- return BIO_read_ex(rbio, buf, len, readbytes);
+ s->rwstate = SSL_READING;
+ ret = BIO_read_ex(rbio, buf, len, readbytes);
+ if (ret > 0 || !BIO_should_retry(rbio))
+ s->rwstate = SSL_NOTHING;
+ return ret <= 0 ? -1 : ret;
 }
 
 int ossl_quic_peek(SSL *s, void *buf, size_t len, size_t *readbytes)
 {
- return 1;
+ return -1;
 }
 
 int ossl_quic_write(SSL *s, const void *buf, size_t len, size_t *written)
 {
 BIO *wbio = SSL_get_wbio(s);
+ int ret;
 
 if (wbio == NULL)
 return 0;
 
- return BIO_write_ex(wbio, buf, len, written);
+ s->rwstate = SSL_WRITING;
+ ret = BIO_write_ex(wbio, buf, len, written);
+ if (ret > 0 || !BIO_should_retry(wbio))
+ s->rwstate = SSL_NOTHING;
+ return ret;
 }
 
 int ossl_quic_shutdown(SSL *s)
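Review bot: The error convention now differs between ossl_quic_read and ossl_quic_write in this hunk: the read path maps a failed BIO_read_ex to -1 (`return ret <= 0 ? -1 : ret;`) while the write path hands BIO_write_ex's 0 back unchanged (`return ret;`), and the NULL-rbio/NULL-wbio guards return 0 in both. SSL_get_error can cope with either value, but callers of the method table presumably expect one convention, so either mirror the read mapping in ossl_quic_write, `return ret <= 0 ? -1 : ret;`, or add a comment on the write path stating why 0 is kept. ossl_quic_peek now returns -1 unconditionally without queueing an error or touching s->rwstate, so a peek failure is indistinguishable from a transport error to the caller; a `/* TODO(QUIC): peek is not implemented yet */` comment would make that intent visible.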
@@ -68,11 +80,30 @@ int ossl_quic_shutdown(SSL *s)
 
 long ossl_quic_ctrl(SSL *s, int cmd, long larg, void *parg)
 {
+ switch(cmd) {
+ case SSL_CTRL_CHAIN:
+ if (larg)
+ return ssl_cert_set1_chain(s, NULL, (STACK_OF(X509) *)parg);
+ else
+ return ssl_cert_set0_chain(s, NULL, (STACK_OF(X509) *)parg);
+ }
 return 0;
 }
 
-long ossl_quic_ctx_ctrl(SSL_CTX *s, int cmd, long larg, void *parg)
+long ossl_quic_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
 {
+ switch(cmd) {
+ case SSL_CTRL_CHAIN:
+ if (larg)
+ return ssl_cert_set1_chain(NULL, ctx, (STACK_OF(X509) *)parg);
+ else
+ return ssl_cert_set0_chain(NULL, ctx, (STACK_OF(X509) *)parg);
+
+ case SSL_CTRL_SET_TLSEXT_TICKET_KEYS:
+ case SSL_CTRL_GET_TLSEXT_TICKET_KEYS:
+ /* TODO(QUIC): these will have to be implemented properly */
+ return 1;
+ }
 return 0;
 }
 
@@ -81,7 +112,7 @@ long ossl_quic_callback_ctrl(SSL *s, int cmd, void (*fp) (void))
 return 0;
 }
 
-long ossl_quic_ctx_callback_ctrl(SSL_CTX *s, int cmd, void (*fp) (void))
+long ossl_quic_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void))
 {
 return 0;
 }
@@ -103,7 +134,28 @@ int ossl_quic_num_ciphers(void)
 const SSL_CIPHER *ossl_quic_get_cipher(unsigned int u)
 {
- static const SSL_CIPHER ciph = { 0 };
+ /*
+ * TODO(QUIC): This is needed so the SSL_CTX_set_cipher_list("DEFAULT");
+ * produces at least one valid TLS-1.2 cipher.
+ * Later we should allow that there are none with QUIC protocol as
+ * SSL_CTX_set_cipher_list should still allow setting a SECLEVEL.
+ */
+ static const SSL_CIPHER ciph = {
+ 1,
+ TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ TLS1_RFC_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ SSL_kECDHE,
+ SSL_aRSA,
+ SSL_AES256GCM,
+ SSL_AEAD,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
+ SSL_HIGH | SSL_FIPS,
+ SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
+ 256,
+ 256
+ };
 
 return &ciph;
 }
 
diff --git a/ssl/quic/quic_local.h b/ssl/quic/quic_local.h
index 3b738e541bc..8bd40cf9163 100644
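Review bot: `SSL_CTRL_GET_TLSEXT_TICKET_KEYS` in the new ossl_quic_ctx_ctrl switch returns 1 without writing anything into parg, so a caller going through the SSL_CTX_get_tlsext_ticket_keys() wrapper is told the keys were returned and then reads a buffer that was never filled. Until the QUIC implementation exists it is safer to report failure for the GET direction, `case SSL_CTRL_GET_TLSEXT_TICKET_KEYS: return 0;`, and keep the silent-success stub only for SET, or at minimum extend the TODO comment to say that parg is left untouched. As a style point for both new switches, the surrounding file writes `switch (cmd)` with a space, and a `default: break;` arm would make the fall-through to `return 0` explicit.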
--- a/ssl/quic/quic_local.h
+++ b/ssl/quic/quic_local.h
@@ -15,8 +15,8 @@
 
 # define OSSL_QUIC_ANY_VERSION 0xFFFFF
 
-# define IMPLEMENT_quic_meth_func(version, func_name, s_accept, \
- s_connect, enc_data) \
+# define IMPLEMENT_quic_meth_func(version, func_name, q_accept, \
+ q_connect, enc_data) \
 const SSL_METHOD *func_name(void) \
 { \
 static const SSL_METHOD func_name##_data= { \
@@ -26,8 +26,8 @@ const SSL_METHOD *func_name(void) \
 ossl_quic_new, \
 ossl_quic_clear, \
 ossl_quic_free, \
- s_accept, \
- s_connect, \
+ q_accept, \
+ q_connect, \
 ossl_quic_read, \
 ossl_quic_peek, \
 ossl_quic_write, \
diff --git a/test/helpers/ssl_test_ctx.c b/test/helpers/ssl_test_ctx.c
index a0e2e794c6d..2ce70405d72 100644
--- a/test/helpers/ssl_test_ctx.c
+++ b/test/helpers/ssl_test_ctx.c
@@ -328,6 +328,7 @@ const char *ssl_session_id_name(ssl_session_id_t server)
 static const test_enum ssl_test_methods[] = {
 {"TLS", SSL_TEST_METHOD_TLS},
 {"DTLS", SSL_TEST_METHOD_DTLS},
+ {"QUIC", SSL_TEST_METHOD_QUIC}
 };
 
 __owur static int parse_test_method(SSL_TEST_CTX *test_ctx, const char *value)
diff --git a/test/helpers/ssl_test_ctx.h b/test/helpers/ssl_test_ctx.h
index 7b35dcb998f..c7820d9764b 100644
--- a/test/helpers/ssl_test_ctx.h
+++ b/test/helpers/ssl_test_ctx.h
@@ -65,7 +65,8 @@ typedef enum {
 
 typedef enum {
 SSL_TEST_METHOD_TLS = 0, /* Default */
- SSL_TEST_METHOD_DTLS
+ SSL_TEST_METHOD_DTLS,
+ SSL_TEST_METHOD_QUIC
 } ssl_test_method_t;
 
 typedef enum {
diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t
index 5b2557d5a19..609f36da032 100644
--- a/test/recipes/80-test_ssl_new.t
+++ b/test/recipes/80-test_ssl_new.t
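Review bot: The new `{"QUIC", SSL_TEST_METHOD_QUIC}` entry in ssl_test_methods drops the trailing comma that the two entries above it carry; writing it as `{"QUIC", SSL_TEST_METHOD_QUIC},` keeps the table uniform and makes the next addition a one-line change. The same applies to the new `"31-quic.cnf" => $no_quic || $no_ec` entry in the `%skip` hash of 80-test_ssl_new.t. The enum addition in ssl_test_ctx.h follows that file's existing no-trailing-comma style and is fine as it is.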
@@ -38,7 +38,7 @@ if (defined $ENV{SSL_TESTS}) {
 @conf_srcs = glob(srctop_file("test", "ssl-tests", "*.cnf.in"));
 # We hard-code the number of tests to double-check that the globbing above
 # finds all files as expected.
- plan tests => 30;
+ plan tests => 31;
 }
 map { s/;.*// } @conf_srcs if $^O eq "VMS";
 my @conf_files = map { basename($_, ".in") } @conf_srcs;
@@ -60,6 +60,7 @@ if (!$no_tls && $no_tls_below1_3 && disabled("ec") && disabled("dh")) {
 }
 my $no_pre_tls1_3 = alldisabled(@all_pre_tls1_3);
 my $no_dtls = alldisabled(available_protocols("dtls"));
+my $no_quic = disabled("quic");
 my $no_npn = disabled("nextprotoneg");
 my $no_ct = disabled("ct");
 my $no_ec = disabled("ec");
@@ -122,6 +123,7 @@ my %skip = (
 "25-cipher.cnf" => disabled("ec") || disabled("tls1_2"),
 "26-tls13_client_auth.cnf" => disabled("tls1_3") || ($no_ec && $no_dh),
 "29-dtls-sctp-label-bug.cnf" => disabled("sctp") || disabled("sock"),
+ "31-quic.cnf" => $no_quic || $no_ec
 );
 
 foreach my $conf (@conf_files) {
diff --git a/test/ssl-tests/31-quic.cnf b/test/ssl-tests/31-quic.cnf
new file mode 100644
index 00000000000..0b1766ec176
--- /dev/null
+++ b/test/ssl-tests/31-quic.cnf
@@ -0,0 +1,29 @@
+# Generated with generate_ssl_tests.pl
+
+num_tests = 1
+
+test-0 = 0-certstatus-good
+# ===========================================================
+
+[0-certstatus-good]
+ssl_conf = 0-certstatus-good-ssl
+
+[0-certstatus-good-ssl]
+server = 0-certstatus-good-server
+client = 0-certstatus-good-client
+
+[0-certstatus-good-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[0-certstatus-good-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-0]
+ExpectedResult = Success
+Method = QUIC
+
+
diff --git a/test/ssl-tests/31-quic.cnf.in b/test/ssl-tests/31-quic.cnf.in
new file mode 100644
index 00000000000..9274d18fd59
--- /dev/null
+++ b/test/ssl-tests/31-quic.cnf.in
@@ -0,0 +1,28 @@
+# -*- mode: perl; -*-
+# Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+## Basic test of the QUIC protocol
+
+use strict;
+use warnings;
+
+package ssltests;
+
+
+our @tests = (
+ {
+ name => "certstatus-good",
+ server => {},
+ client => {},
+ test => {
+ "Method" => "QUIC",
+ "ExpectedResult" => "Success"
+ }
+ }
+);
diff --git a/test/ssl_test.c b/test/ssl_test.c
index 4c2553ce27c..eac86ccecf6 100644
--- a/test/ssl_test.c
+++ b/test/ssl_test.c
@@ -14,6 +14,9 @@
 #include
 #include
 #include
+#ifndef OPENSSL_NO_QUIC
+#include
+#endif
 
 #include "helpers/handshake.h"
 #include "helpers/ssl_test_ctx.h"
@@ -490,6 +493,28 @@ static int test_handshake(int idx)
 goto err;
 }
 }
+#ifndef OPENSSL_NO_QUIC
+ if (test_ctx->method == SSL_TEST_METHOD_QUIC) {
+ server_ctx = SSL_CTX_new_ex(libctx, NULL, OSSL_QUIC_server_method());
+ if (test_ctx->extra.server.servername_callback !=
+ SSL_TEST_SERVERNAME_CB_NONE) {
+ if (!TEST_ptr(server2_ctx =
+ SSL_CTX_new_ex(libctx, NULL,
+ OSSL_QUIC_server_method())))
+ goto err;
+ }
+ client_ctx = SSL_CTX_new_ex(libctx, NULL, OSSL_QUIC_client_method());
+ if (test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_RESUME) {
+ resume_server_ctx = SSL_CTX_new_ex(libctx, NULL,
+ OSSL_QUIC_server_method());
+ resume_client_ctx = SSL_CTX_new_ex(libctx, NULL,
+ OSSL_QUIC_client_method());
+ if (!TEST_ptr(resume_server_ctx)
+ || !TEST_ptr(resume_client_ctx))
+ goto err;
+ }
+ }
+#endif
 #ifdef OPENSSL_NO_AUTOLOAD_CONFIG
 if (!TEST_true(OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL)))
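Review bot: The test in 31-quic.cnf.in is named `certstatus-good` although it configures no certificate status handling at all — it is a plain QUIC handshake expecting Success — so the generated 31-quic.cnf carries `[0-certstatus-good]`, `[0-certstatus-good-server]` and similar section names that say nothing about what is exercised. The name was presumably copied from another recipe; a descriptive one such as `name => "quic-handshake",` followed by regenerating the .cnf would make test output and failure reports self-explanatory. The `## Basic test of the QUIC protocol` header is the only description; expanding it to say that, at this stage, the test only checks the QUIC method completes a handshake through the existing state machine (as the commit message describes) would help readers once the real implementation lands.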