quic.c 50 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393
  1. /* quic.c QUIC unit tests
  2. *
  3. * Copyright (C) 2006-2022 wolfSSL Inc.
  4. *
  5. * This file is part of wolfSSL.
  6. *
  7. * wolfSSL is free software; you can redistribute it and/or modify
  8. * it under the terms of the GNU General Public License as published by
  9. * the Free Software Foundation; either version 2 of the License, or
  10. * (at your option) any later version.
  11. *
  12. * wolfSSL is distributed in the hope that it will be useful,
  13. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  14. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  15. * GNU General Public License for more details.
  16. *
  17. * You should have received a copy of the GNU General Public License
  18. * along with this program; if not, write to the Free Software
  19. * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  20. */
  21. #ifdef HAVE_CONFIG_H
  22. #include <config.h>
  23. #endif
  24. #include <wolfssl/wolfcrypt/settings.h>
  25. #include <tests/unit.h>
  26. #ifdef WOLFSSL_QUIC
  27. #include <wolfssl/ssl.h>
  28. #include <wolfssl/quic.h>
  29. #ifdef NO_INLINE
  30. #include <wolfssl/wolfcrypt/misc.h>
  31. #else
  32. #define WOLFSSL_MISC_INCLUDED
  33. #include <wolfcrypt/src/misc.c>
  34. #endif
  35. #include <wolfssl/error-ssl.h>
  36. #include <wolfssl/internal.h>
  37. #define testingFmt " %s:"
  38. #define resultFmt " %s\n"
  39. static const char* passed = "passed";
  40. static const char* failed = "failed";
  41. typedef struct {
  42. const char *name;
  43. WOLFSSL_METHOD *method;
  44. int is_server;
  45. } ctx_setups;
  46. static int dummy_set_encryption_secrets(WOLFSSL *ssl, WOLFSSL_ENCRYPTION_LEVEL level,
  47. const uint8_t *read_secret,
  48. const uint8_t *write_secret, size_t secret_len)
  49. {
  50. (void)ssl;
  51. printf("QUIC_set_encryption_secrets(level=%d, length=%d, rx=%s, tx=%s)\n",
  52. level, (int)secret_len, read_secret? "yes" : "no", write_secret? "yes" : "no");
  53. return 1;
  54. }
  55. static int dummy_add_handshake_data(WOLFSSL *ssl, WOLFSSL_ENCRYPTION_LEVEL level,
  56. const uint8_t *data, size_t len)
  57. {
  58. (void)ssl;
  59. (void)data;
  60. printf("QUIC_add_handshake_data(level=%d, length=%d)\n", level, (int)len);
  61. return 1;
  62. }
  63. static int dummy_flush_flight(WOLFSSL *ssl)
  64. {
  65. (void)ssl;
  66. printf("QUIC_flush_flight()\n");
  67. return 1;
  68. }
  69. static int dummy_send_alert(WOLFSSL *ssl, WOLFSSL_ENCRYPTION_LEVEL level, uint8_t err)
  70. {
  71. (void)ssl;
  72. printf("QUIC_send_alert(level=%d, err=%d)\n", level, err);
  73. return 1;
  74. }
  75. static WOLFSSL_QUIC_METHOD dummy_method = {
  76. dummy_set_encryption_secrets,
  77. dummy_add_handshake_data,
  78. dummy_flush_flight,
  79. dummy_send_alert,
  80. };
  81. static WOLFSSL_QUIC_METHOD null_method = {
  82. NULL, NULL, NULL, NULL
  83. };
  84. static int test_set_quic_method(void) {
  85. WOLFSSL_CTX *ctx;
  86. WOLFSSL *ssl;
  87. int ret = 0, i;
  88. const uint8_t *data;
  89. size_t data_len;
  90. ctx_setups valids[] = {
  91. { "TLSv1.3 server", wolfTLSv1_3_server_method(), 1},
  92. { "TLSv1.3 client", wolfTLSv1_3_client_method(), 0},
  93. };
  94. ctx_setups invalids[] = {
  95. { "TLSv1.2 server", wolfTLSv1_2_server_method(), 1},
  96. { "TLSv1.2 client", wolfTLSv1_2_client_method(), 0},
  97. { "TLSv1.1 server", wolfTLSv1_1_server_method(), 1},
  98. { "TLSv1.1 client", wolfTLSv1_1_client_method(), 0},
  99. };
  100. for (i = 0; i < (int)(sizeof(valids)/sizeof(valids[0])); ++i) {
  101. AssertNotNull(ctx = wolfSSL_CTX_new(valids[i].method));
  102. if (valids[i].is_server) {
  103. AssertTrue(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile,
  104. WOLFSSL_FILETYPE_PEM));
  105. AssertTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile,
  106. WOLFSSL_FILETYPE_PEM));
  107. }
  108. /* ctx does not have quic enabled, so will SSL* derived from it */
  109. AssertNotNull(ssl = wolfSSL_new(ctx));
  110. AssertFalse(wolfSSL_is_quic(ssl));
  111. /* Enable quic on the SSL* */
  112. AssertFalse(wolfSSL_set_quic_method(ssl, &null_method) == WOLFSSL_SUCCESS);
  113. AssertTrue(wolfSSL_set_quic_method(ssl, &dummy_method) == WOLFSSL_SUCCESS);
  114. AssertTrue(wolfSSL_is_quic(ssl));
  115. /* Check some default, initial behaviour */
  116. AssertTrue(wolfSSL_set_quic_transport_params(ssl, NULL, 0) == WOLFSSL_SUCCESS);
  117. wolfSSL_get_peer_quic_transport_params(ssl, &data, &data_len);
  118. AssertNull(data);
  119. AssertTrue(data_len == 0);
  120. AssertTrue(wolfSSL_quic_read_level(ssl) == wolfssl_encryption_initial);
  121. AssertTrue(wolfSSL_quic_write_level(ssl) == wolfssl_encryption_initial);
  122. AssertTrue(wolfSSL_get_quic_transport_version(ssl) == 0);
  123. wolfSSL_set_quic_transport_version(ssl, TLSX_KEY_QUIC_TP_PARAMS);
  124. AssertTrue(wolfSSL_get_quic_transport_version(ssl) == TLSX_KEY_QUIC_TP_PARAMS);
  125. wolfSSL_set_quic_use_legacy_codepoint(ssl, 1);
  126. AssertTrue(wolfSSL_get_quic_transport_version(ssl) == TLSX_KEY_QUIC_TP_PARAMS_DRAFT);
  127. wolfSSL_set_quic_use_legacy_codepoint(ssl, 0);
  128. AssertTrue(wolfSSL_get_quic_transport_version(ssl) == TLSX_KEY_QUIC_TP_PARAMS);
  129. /* max flight len during stages of handhshake, we us 16k initial and on
  130. * app data, and during handshake allow larger for cert exchange. This is
  131. * more advisory for the network code. ngtcp2 has its own ideas, for example.
  132. */
  133. data_len = wolfSSL_quic_max_handshake_flight_len(ssl, wolfssl_encryption_initial);
  134. AssertTrue(data_len == 16*1024);
  135. data_len = wolfSSL_quic_max_handshake_flight_len(ssl, wolfssl_encryption_early_data);
  136. AssertTrue(data_len == 0);
  137. data_len = wolfSSL_quic_max_handshake_flight_len(ssl, wolfssl_encryption_handshake);
  138. AssertTrue(data_len >= 16*1024);
  139. data_len = wolfSSL_quic_max_handshake_flight_len(ssl, wolfssl_encryption_application);
  140. AssertTrue(data_len == 16*1024);
  141. wolfSSL_free(ssl);
  142. /* Enabled quic on the ctx */
  143. AssertTrue(wolfSSL_CTX_set_quic_method(ctx, &dummy_method) == WOLFSSL_SUCCESS);
  144. /* It will be enabled on the SSL* */
  145. AssertNotNull(ssl = wolfSSL_new(ctx));
  146. AssertTrue(wolfSSL_is_quic(ssl));
  147. wolfSSL_free(ssl);
  148. wolfSSL_CTX_free(ctx);
  149. }
  150. for (i = 0; i < (int)(sizeof(invalids)/sizeof(invalids[0])); ++i) {
  151. AssertNotNull(ctx = wolfSSL_CTX_new(invalids[i].method));
  152. AssertTrue(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile,
  153. WOLFSSL_FILETYPE_PEM));
  154. AssertTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile,
  155. WOLFSSL_FILETYPE_PEM));
  156. AssertFalse(wolfSSL_CTX_set_quic_method(ctx, &dummy_method) == WOLFSSL_SUCCESS);
  157. AssertNotNull(ssl = wolfSSL_new(ctx));
  158. AssertFalse(wolfSSL_set_quic_method(ssl, &dummy_method) == WOLFSSL_SUCCESS);
  159. AssertFalse(wolfSSL_is_quic(ssl));
  160. /* even though not quic, this is the only level we can return */
  161. AssertTrue(wolfSSL_quic_read_level(ssl) == wolfssl_encryption_initial);
  162. AssertTrue(wolfSSL_quic_write_level(ssl) == wolfssl_encryption_initial);
  163. wolfSSL_free(ssl);
  164. wolfSSL_CTX_free(ctx);
  165. }
  166. printf(" test_set_quic_method: %s\n", (ret == 0)? passed : failed);
  167. return ret;
  168. }
  169. static size_t fake_record(byte rtype, word32 rlen, uint8_t *rec)
  170. {
  171. rec[0] = (uint8_t)rtype;
  172. c32to24(rlen, rec+1);
  173. return rlen + 4;
  174. }
  175. static size_t shift_record(uint8_t *rec, size_t len, size_t written)
  176. {
  177. len -= written;
  178. XMEMMOVE(rec, rec+written, len);
  179. return len;
  180. }
  181. static void dump_buffer(const char *name, const byte *p, size_t len, int indent)
  182. {
  183. size_t i = 0;
  184. printf("%s[%d] = {", name, (int)len);
  185. while((p != NULL) && (i < len)) {
  186. if((i % 0x10) == 0) {
  187. printf("\n");
  188. printf("%*s %04X - ", indent, " ", (int)(i / 0x10));
  189. }
  190. else if((i % 0x08) == 0) {
  191. printf(" ");
  192. }
  193. printf("%02X ", p[i]);
  194. i++;
  195. }
  196. printf("\n%*s};\n", indent, " ");
  197. }
  198. static void dump_ssl_buffers(WOLFSSL *ssl, FILE *fp)
  199. {
  200. QuicRecord *qr = ssl->quic.input_head;
  201. fprintf(fp, "SSL quic data buffered: \n");
  202. while (qr) {
  203. fprintf(fp, " - %d-%d/%d (cap %d, level=%d)\n",
  204. qr->start, qr->end, qr->len, qr->capacity, qr->level);
  205. qr = qr->next;
  206. }
  207. if ((qr = ssl->quic.scratch)) {
  208. fprintf(fp, " scratch: %d-%d/%d (cap %d, level=%d)\n",
  209. qr->start, qr->end, qr->len, qr->capacity, qr->level);
  210. }
  211. else {
  212. fprintf(fp, " scratch: -\n");
  213. }
  214. }
  215. static int provide_data(WOLFSSL *ssl, WOLFSSL_ENCRYPTION_LEVEL level,
  216. const uint8_t *data, size_t len, int excpect_fail)
  217. {
  218. int ret;
  219. ret = (wolfSSL_provide_quic_data(ssl, level, data, len) == WOLFSSL_SUCCESS);
  220. if (!!ret != !excpect_fail) {
  221. dump_ssl_buffers(ssl, stdout);
  222. return 0;
  223. }
  224. return 1;
  225. }
  226. static int test_provide_quic_data(void) {
  227. WOLFSSL_CTX *ctx;
  228. WOLFSSL *ssl;
  229. uint8_t lbuffer[16*1024];
  230. size_t len;
  231. int ret = 0;
  232. AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method()));
  233. AssertTrue(wolfSSL_CTX_set_quic_method(ctx, &dummy_method) == WOLFSSL_SUCCESS);
  234. /* provide_quic_data() feeds CRYPTO packets inside a QUIC Frame into
  235. * the TLSv1.3 state machine.
  236. * The data fed is not the QUIC frame, but the TLS record inside it.
  237. * This may be called several times before SSL_do_handshake() is invoked
  238. * to process them.
  239. * During buffering this data, the code checks that:
  240. * - encryption level only ever increases for subsequent TLS records
  241. * - a TLS record is received complete before the encryption level increases
  242. */
  243. AssertNotNull(ssl = wolfSSL_new(ctx));
  244. len = fake_record(1, 100, lbuffer);
  245. AssertTrue(provide_data(ssl, wolfssl_encryption_initial, lbuffer, len, 0));
  246. len = fake_record(2, 1523, lbuffer);
  247. AssertTrue(provide_data(ssl, wolfssl_encryption_handshake, lbuffer, len, 0));
  248. len = fake_record(2, 1, lbuffer);
  249. len += fake_record(3, 190, lbuffer+len);
  250. AssertTrue(provide_data(ssl, wolfssl_encryption_handshake, lbuffer, len, 0));
  251. len = fake_record(5, 2049, lbuffer);
  252. AssertTrue(provide_data(ssl, wolfssl_encryption_application, lbuffer, len, 0));
  253. /* adding another record with decreased level must fail */
  254. len = fake_record(1, 100, lbuffer);
  255. AssertTrue(provide_data(ssl, wolfssl_encryption_initial, lbuffer, len, 1));
  256. wolfSSL_free(ssl);
  257. AssertNotNull(ssl = wolfSSL_new(ctx));
  258. len = fake_record(1, 100, lbuffer);
  259. AssertTrue(provide_data(ssl, wolfssl_encryption_initial, lbuffer, 24, 0));
  260. len = shift_record(lbuffer, len, 24);
  261. len += fake_record(2, 4000, lbuffer+len);
  262. AssertTrue(provide_data(ssl, wolfssl_encryption_initial, lbuffer, len - 99, 0));
  263. len = shift_record(lbuffer, len, len - 99);
  264. len += fake_record(5, 2049, lbuffer+len);
  265. AssertTrue(provide_data(ssl, wolfssl_encryption_initial, lbuffer, len, 0));
  266. /* should be recognized as complete and level increase needs to be accepted */
  267. len = fake_record(2, 1, lbuffer);
  268. len += fake_record(3, 190, lbuffer+len);
  269. AssertTrue(provide_data(ssl, wolfssl_encryption_handshake, lbuffer, len - 10, 0));
  270. len = shift_record(lbuffer, len, len - 10);
  271. /* Change level with incomplete record in lbuffer, needs to fail */
  272. len += fake_record(5, 8102, lbuffer+len);
  273. AssertTrue(provide_data(ssl, wolfssl_encryption_application, lbuffer, len - 10, 1));
  274. wolfSSL_free(ssl);
  275. wolfSSL_CTX_free(ctx);
  276. printf(" test_provide_quic_data: %s\n", (ret == 0)? passed : failed);
  277. return 0;
  278. }
  279. static int test_quic_crypt(void) {
  280. WOLFSSL_CTX *ctx;
  281. WOLFSSL *ssl;
  282. const WOLFSSL_EVP_CIPHER *aead_cipher;
  283. int ret = 0;
  284. AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method()));
  285. AssertTrue(wolfSSL_CTX_set_quic_method(ctx, &dummy_method) == WOLFSSL_SUCCESS);
  286. AssertNotNull(ssl = wolfSSL_new(ctx));
  287. /* don't have an AEAD cipher selected before start */
  288. AssertTrue(wolfSSL_CIPHER_get_id(wolfSSL_get_current_cipher(ssl)) == 0);
  289. AssertNotNull(aead_cipher = wolfSSL_EVP_aes_128_gcm());
  290. AssertTrue(wolfSSL_quic_aead_is_gcm(aead_cipher) != 0);
  291. AssertTrue(wolfSSL_quic_aead_is_ccm(aead_cipher) == 0);
  292. AssertTrue(wolfSSL_quic_aead_is_chacha20(aead_cipher) == 0);
  293. if (1) {
  294. /* check that our enc-/decrypt support in quic rount-trips */
  295. static const uint8_t key[16] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
  296. 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff};
  297. static const uint8_t aad[] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19};
  298. static const uint8_t iv[] = {20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31};
  299. static const uint8_t plaintext[] = "hello world\nhello world\nhello world\nhello world\nhello world\nhello world\nhello world\n";
  300. static const uint8_t expected[] = {0xd3, 0xa8, 0x1d, 0x96, 0x4c, 0x9b, 0x02, 0xd7, 0x9a, 0xb0, 0x41, 0x07, 0x4c, 0x8c, 0xe2,
  301. 0xe0, 0x2e, 0x83, 0x54, 0x52, 0x45, 0xcb, 0xd4, 0x68, 0xc8, 0x43, 0x45, 0xca, 0x91, 0xfb,
  302. 0xa3, 0x7a, 0x67, 0xed, 0xe8, 0xd7, 0x5e, 0xe2, 0x33, 0xd1, 0x3e, 0xbf, 0x50, 0xc2, 0x4b,
  303. 0x86, 0x83, 0x55, 0x11, 0xbb, 0x17, 0x4f, 0xf5, 0x78, 0xb8, 0x65, 0xeb, 0x9a, 0x2b, 0x8f,
  304. 0x77, 0x08, 0xa9, 0x60, 0x17, 0x73, 0xc5, 0x07, 0xf3, 0x04, 0xc9, 0x3f, 0x67, 0x4d, 0x12,
  305. 0xa1, 0x02, 0x93, 0xc2, 0x3c, 0xd3, 0xf8, 0x59, 0x33, 0xd5, 0x01, 0xc3, 0xbb, 0xaa, 0xe6,
  306. 0x3f, 0xbb, 0x23, 0x66, 0x94, 0x26, 0x28, 0x43, 0xa5, 0xfd, 0x2f};
  307. WOLFSSL_EVP_CIPHER_CTX *enc_ctx, *dec_ctx;
  308. uint8_t *encrypted, *decrypted;
  309. size_t tag_len, enc_len, dec_len;
  310. AssertTrue((tag_len = wolfSSL_quic_get_aead_tag_len(aead_cipher)) == 16);
  311. dec_len = sizeof(plaintext);
  312. enc_len = dec_len + tag_len;
  313. encrypted = (uint8_t*)XMALLOC(enc_len, NULL, DYNAMIC_TYPE_TMP_BUFFER);
  314. AssertNotNull(encrypted);
  315. decrypted = (uint8_t*)XMALLOC(dec_len, NULL, DYNAMIC_TYPE_TMP_BUFFER);
  316. AssertNotNull(decrypted);
  317. AssertNotNull(enc_ctx = wolfSSL_quic_crypt_new(aead_cipher, key, iv, 1));
  318. AssertTrue(wolfSSL_quic_aead_encrypt(encrypted, enc_ctx,
  319. plaintext, sizeof(plaintext),
  320. NULL, aad, sizeof(aad)) == WOLFSSL_SUCCESS);
  321. AssertTrue(memcmp(expected, encrypted, dec_len) == 0);
  322. AssertTrue(memcmp(expected+dec_len, encrypted+dec_len, tag_len) == 0);
  323. AssertNotNull(dec_ctx = wolfSSL_quic_crypt_new(aead_cipher, key, iv, 0));
  324. AssertTrue(wolfSSL_quic_aead_decrypt(decrypted, dec_ctx,
  325. encrypted, enc_len,
  326. NULL, aad, sizeof(aad)) == WOLFSSL_SUCCESS);
  327. AssertTrue(memcmp(plaintext, decrypted, dec_len) == 0);
  328. XFREE(encrypted, NULL, DYNAMIC_TYPE_TMP_BUFFER);
  329. XFREE(decrypted, NULL, DYNAMIC_TYPE_TMP_BUFFER);
  330. wolfSSL_EVP_CIPHER_CTX_free(enc_ctx);
  331. wolfSSL_EVP_CIPHER_CTX_free(dec_ctx);
  332. }
  333. wolfSSL_free(ssl);
  334. wolfSSL_CTX_free(ctx);
  335. printf(" test_quic_crypt: %s\n", (ret == 0)? passed : failed);
  336. return ret;
  337. }
  338. typedef struct OutputBuffer {
  339. byte data[64*1024];
  340. size_t len;
  341. WOLFSSL_ENCRYPTION_LEVEL level;
  342. struct OutputBuffer *next;
  343. } OutputBuffer;
  344. typedef struct {
  345. const char *name;
  346. WOLFSSL *ssl;
  347. OutputBuffer output;
  348. byte rx_secret[4][1024];
  349. size_t rx_secret_len[4];
  350. byte tx_secret[4][1024];
  351. size_t tx_secret_len[4];
  352. int handshake_done;
  353. int alert_level;
  354. int alert;
  355. int flushed;
  356. int verbose;
  357. byte ticket[16*1024];
  358. word32 ticket_len;
  359. byte session[16*1024];
  360. word32 session_len;
  361. } QuicTestContext;
  362. static int ctx_set_encryption_secrets(WOLFSSL *ssl, WOLFSSL_ENCRYPTION_LEVEL level,
  363. const uint8_t *read_secret,
  364. const uint8_t *write_secret, size_t secret_len);
  365. static int ctx_add_handshake_data(WOLFSSL *ssl, WOLFSSL_ENCRYPTION_LEVEL level,
  366. const uint8_t *data, size_t len);
  367. static int ctx_flush_flight(WOLFSSL *ssl);
  368. static int ctx_send_alert(WOLFSSL *ssl, WOLFSSL_ENCRYPTION_LEVEL level, uint8_t alert);
  369. #ifdef HAVE_SESSION_TICKET
  370. static int ctx_session_ticket_cb(WOLFSSL* ssl,
  371. const unsigned char* ticket, int ticketSz,
  372. void* cb_ctx);
  373. #endif
  374. static WOLFSSL_QUIC_METHOD ctx_method = {
  375. ctx_set_encryption_secrets,
  376. ctx_add_handshake_data,
  377. ctx_flush_flight,
  378. ctx_send_alert,
  379. };
  380. static void QuicTestContext_init(QuicTestContext *tctx, WOLFSSL_CTX *ctx,
  381. const char *name, int verbose)
  382. {
  383. static const byte tp_params_c[] = {0, 1, 2, 3, 4, 5, 6, 7};
  384. static const byte tp_params_s[] = {7, 6, 5, 4, 3, 2, 1, 0, 1};
  385. AssertNotNull(tctx);
  386. memset(tctx, 0, sizeof(*tctx));
  387. tctx->name = name;
  388. AssertNotNull((tctx->ssl = wolfSSL_new(ctx)));
  389. tctx->verbose = verbose;
  390. wolfSSL_set_app_data(tctx->ssl, tctx);
  391. AssertTrue(wolfSSL_set_quic_method(tctx->ssl, &ctx_method) == WOLFSSL_SUCCESS);
  392. wolfSSL_set_verify(tctx->ssl, SSL_VERIFY_NONE, 0);
  393. #ifdef HAVE_SESSION_TICKET
  394. wolfSSL_UseSessionTicket(tctx->ssl);
  395. wolfSSL_set_SessionTicket_cb(tctx->ssl, ctx_session_ticket_cb, NULL);
  396. #endif
  397. if (wolfSSL_is_server(tctx->ssl)) {
  398. wolfSSL_set_quic_transport_version(tctx->ssl, 0);
  399. wolfSSL_set_quic_transport_params(tctx->ssl, tp_params_s, sizeof(tp_params_s));
  400. }
  401. else {
  402. wolfSSL_set_quic_transport_version(tctx->ssl, 0);
  403. wolfSSL_set_quic_transport_params(tctx->ssl, tp_params_c, sizeof(tp_params_c));
  404. }
  405. }
  406. static void QuicTestContext_free(QuicTestContext *tctx)
  407. {
  408. OutputBuffer *out, *n;
  409. if (tctx->ssl) {
  410. wolfSSL_free(tctx->ssl);
  411. tctx->ssl = NULL;
  412. }
  413. out = tctx->output.next;
  414. while (out) {
  415. n = out->next;
  416. free(out);
  417. out = n;
  418. }
  419. }
  420. static int ctx_set_encryption_secrets(WOLFSSL *ssl, WOLFSSL_ENCRYPTION_LEVEL level,
  421. const uint8_t *read_secret,
  422. const uint8_t *write_secret, size_t secret_len)
  423. {
  424. QuicTestContext *ctx = (QuicTestContext*)wolfSSL_get_app_data(ssl);
  425. AssertNotNull(ctx);
  426. AssertTrue(secret_len <= sizeof(ctx->rx_secret[0]));
  427. if (read_secret) {
  428. memcpy(ctx->rx_secret[level], read_secret, secret_len);
  429. ctx->rx_secret_len[level] = secret_len;
  430. }
  431. if (write_secret) {
  432. memcpy(ctx->tx_secret[level], write_secret, secret_len);
  433. ctx->tx_secret_len[level] = secret_len;
  434. }
  435. AssertNotNull(ctx);
  436. return 1;
  437. }
  438. static int ctx_add_handshake_data(WOLFSSL *ssl, WOLFSSL_ENCRYPTION_LEVEL level,
  439. const uint8_t *data, size_t len)
  440. {
  441. QuicTestContext *ctx = (QuicTestContext*)wolfSSL_get_app_data(ssl);
  442. OutputBuffer *out;
  443. AssertNotNull(ctx);
  444. out = &ctx->output;
  445. while (out->next) {
  446. out = out->next;
  447. }
  448. if (out->level != level) {
  449. if (out->len > 0) {
  450. out->next = (OutputBuffer*)calloc(1, sizeof(OutputBuffer));
  451. out = out->next;
  452. AssertNotNull(out);
  453. }
  454. out->level = level;
  455. }
  456. if (ctx->verbose) {
  457. printf("[%s] add_handshake[enc_level=%d]: %d bytes\n", ctx->name, level, (int)len);
  458. /* dump_buffer("add", data, len, 0); */
  459. }
  460. if (len > 0) {
  461. AssertTrue(out->len + len < sizeof(out->data));
  462. memcpy(out->data + out->len, data, len);
  463. out->len += len;
  464. }
  465. return 1;
  466. }
  467. static int ctx_flush_flight(WOLFSSL *ssl)
  468. {
  469. QuicTestContext *ctx = (QuicTestContext*)wolfSSL_get_app_data(ssl);
  470. AssertNotNull(ctx);
  471. ctx->flushed = 1;
  472. return 1;
  473. }
  474. static int ctx_send_alert(WOLFSSL *ssl, WOLFSSL_ENCRYPTION_LEVEL level, uint8_t err)
  475. {
  476. QuicTestContext *ctx = (QuicTestContext*)wolfSSL_get_app_data(ssl);
  477. if (ctx->verbose) {
  478. printf("[%s] send_alert: level=%d, err=%d\n", ctx->name, level, err);
  479. }
  480. AssertNotNull(ctx);
  481. ctx->alert_level = level;
  482. ctx->alert = alert;
  483. return 1;
  484. }
  485. #ifdef HAVE_SESSION_TICKET
  486. static int ctx_session_ticket_cb(WOLFSSL* ssl,
  487. const unsigned char* ticket, int ticketSz,
  488. void* cb_ctx)
  489. {
  490. QuicTestContext *ctx = (QuicTestContext*)wolfSSL_get_app_data(ssl);
  491. (void)cb_ctx;
  492. if (ticketSz < 0 || (size_t)ticketSz > sizeof(ctx->ticket)) {
  493. printf("SESSION TICKET callback: ticket given is too large: %d bytes\n", ticketSz);
  494. return 1;
  495. }
  496. memset(ctx->ticket, 0, sizeof(ctx->ticket));
  497. ctx->ticket_len = (word32)ticketSz;
  498. memcpy(ctx->ticket, ticket, ticketSz);
  499. if (ctx->verbose) {
  500. printf("Session Ticket[%s]: ", ctx->name);
  501. dump_buffer("", ticket, ticketSz, 4);
  502. }
  503. return 0;
  504. }
  505. #endif
  506. static void ctx_dump_output(QuicTestContext *ctx)
  507. {
  508. dump_buffer("Output", ctx->output.data, ctx->output.len, 0);
  509. }
  510. static void check_handshake_record(const byte *data, size_t data_len, int *ptype, size_t *prlen)
  511. {
  512. word32 rlen;
  513. AssertTrue(data_len >= HANDSHAKE_HEADER_SZ);
  514. *ptype = data[0];
  515. c24to32(&data[1], &rlen);
  516. *prlen = rlen + HANDSHAKE_HEADER_SZ;
  517. }
  518. static void ext_dump(const byte *data, size_t data_len, int indent)
  519. {
  520. size_t idx = 0;
  521. word16 len16, etype, i;
  522. printf("%*sextensions:\n", indent, " ");
  523. while (idx < data_len) {
  524. ato16(&data[idx], &etype); /* extension type */
  525. ato16(&data[idx+2], &len16); /* extension length */
  526. printf(" extension: %04x [", etype);
  527. for (i = 0; i < len16; ++i) {
  528. printf("%s0x%02x", (i? ", ": ""), data[idx+4+i]);
  529. }
  530. printf("]\n");
  531. idx += 2 + 2 + len16;
  532. }
  533. }
  534. static const byte *ext_find(const byte *data, size_t data_len, int ext_type)
  535. {
  536. size_t idx = 0;
  537. word16 len16, etype;
  538. while (idx < data_len) {
  539. ato16(&data[idx], &etype); /* extension type */
  540. if (etype == ext_type) {
  541. return data + idx;
  542. }
  543. ato16(&data[idx+2], &len16); /* extension length */
  544. idx += 2 + 2 + len16;
  545. }
  546. return NULL;
  547. }
  548. static int ext_has(const byte *data, size_t data_len, int ext_type)
  549. {
  550. return ext_find(data, data_len,ext_type) != NULL;
  551. }
  552. static void ext_equals(const byte *data, size_t data_len, int ext_type,
  553. const byte *exp_data, size_t exp_len)
  554. {
  555. const byte *ext;
  556. word16 len16;
  557. AssertNotNull(ext = ext_find(data, data_len, ext_type));
  558. ato16(&ext[2], &len16);
  559. AssertTrue(len16 == exp_len);
  560. AssertTrue(memcmp(ext + 4, exp_data, exp_len) == 0);
  561. }
  562. static void check_quic_client_hello(const byte *data, size_t data_len, int verbose, int indent)
  563. {
  564. size_t idx;
  565. word16 len16;
  566. const byte *exts;
  567. size_t exts_len, rec_len;
  568. int rec_type;
  569. static byte ext_sup_version[3] = {0x02, 0x03, 0x04};
  570. check_handshake_record(data, data_len, &rec_type, &rec_len);
  571. AssertIntEQ(rec_type, client_hello);
  572. idx = HANDSHAKE_HEADER_SZ;
  573. /* the client hello arrives alone */
  574. AssertIntEQ(rec_len, data_len);
  575. AssertTrue(data[idx++] == SSLv3_MAJOR);
  576. AssertTrue(data[idx++] == TLSv1_2_MINOR);
  577. idx += 32; /* 32 bytes RANDOM */
  578. AssertIntEQ(data[idx], 0); /* session id length MUST be 0, RFC9001 ch. 8.4 */
  579. idx += 1 + data[idx];
  580. ato16(&data[idx], &len16); /* ciphers length */
  581. AssertTrue(len16 > 0);
  582. idx += 2 + len16;
  583. AssertTrue(data[idx] == 1); /* compressions */
  584. AssertTrue(data[idx+1] == 0); /* no compression */
  585. idx += 2;
  586. ato16(&data[idx], &len16); /* extensions length */
  587. AssertTrue(len16 > 0);
  588. exts_len = len16;
  589. idx += 2;
  590. exts = &data[idx];
  591. idx += exts_len;
  592. AssertTrue(idx <= rec_len); /* should fit */
  593. for (; idx < rec_len; ++idx) {
  594. AssertTrue(data[idx] == 0); /* padding */
  595. }
  596. ext_equals(exts, exts_len, TLSX_SUPPORTED_VERSIONS,
  597. ext_sup_version, sizeof(ext_sup_version));
  598. if (verbose) {
  599. ext_dump(exts, exts_len, indent);
  600. dump_buffer("", data, data_len, indent);
  601. }
  602. }
  603. static void check_quic_client_hello_tp(OutputBuffer *out, int tp_v1, int tp_draft)
  604. {
  605. size_t idx;
  606. word16 len16;
  607. const byte *exts;
  608. size_t exts_len, rec_len;
  609. int rec_type;
  610. check_handshake_record(out->data, out->len, &rec_type, &rec_len);
  611. AssertIntEQ(rec_type, client_hello);
  612. idx = HANDSHAKE_HEADER_SZ;
  613. idx += 2; /* old version */
  614. idx += 32; /* 32 bytes RANDOM */
  615. idx += 1 + out->data[idx]; /* session id */
  616. ato16(&out->data[idx], &len16); /* ciphers length */
  617. idx += 2 + len16;
  618. idx += 2; /* compression */
  619. ato16(&out->data[idx], &len16); /* extensions length */
  620. AssertTrue(len16 > 0);
  621. exts_len = len16;
  622. idx += 2;
  623. exts = &out->data[idx];
  624. AssertTrue(!ext_has(exts, exts_len, TLSX_KEY_QUIC_TP_PARAMS) == !tp_v1);
  625. AssertTrue(!ext_has(exts, exts_len, TLSX_KEY_QUIC_TP_PARAMS_DRAFT) == !tp_draft);
  626. }
  627. static void check_secrets(QuicTestContext *ctx, WOLFSSL_ENCRYPTION_LEVEL level, size_t rx_len, size_t tx_len)
  628. {
  629. int idx = (int)level;
  630. AssertTrue(idx < 4);
  631. AssertIntEQ(ctx->rx_secret_len[idx], rx_len);
  632. AssertIntEQ(ctx->tx_secret_len[idx], tx_len);
  633. }
  634. static void assert_secrets_EQ(QuicTestContext *ctx1, QuicTestContext *ctx2,
  635. WOLFSSL_ENCRYPTION_LEVEL level)
  636. {
  637. int idx = (int)level;
  638. /* rx secrets are the other ones tx secrets */
  639. AssertIntEQ(ctx1->rx_secret_len[idx], ctx2->tx_secret_len[idx]);
  640. AssertIntEQ(ctx1->tx_secret_len[idx], ctx2->rx_secret_len[idx]);
  641. AssertIntEQ(memcmp(ctx1->rx_secret[idx], ctx2->tx_secret[idx], ctx1->rx_secret_len[idx]), 0);
  642. AssertIntEQ(memcmp(ctx1->tx_secret[idx], ctx2->rx_secret[idx], ctx1->tx_secret_len[idx]), 0);
  643. }
  644. static void check_ee(const byte *data, size_t data_len, int verbose, int indent)
  645. {
  646. size_t rec_len, exts_len, idx;
  647. word16 len16;
  648. const byte *exts;
  649. int rec_type;
  650. check_handshake_record(data, data_len, &rec_type, &rec_len);
  651. AssertIntEQ(rec_type, encrypted_extensions);
  652. idx = HANDSHAKE_HEADER_SZ;
  653. ato16(&data[idx], &len16); /* extensions length */
  654. AssertTrue(len16 > 0);
  655. exts_len = len16;
  656. idx += 2;
  657. exts = &data[idx];
  658. if (verbose) {
  659. ext_dump(exts, exts_len, indent);
  660. dump_buffer("", data, data_len, indent);
  661. }
  662. }
  663. static void check_quic_server_hello(const byte *data, size_t data_len, int verbose, int indent)
  664. {
  665. size_t idx;
  666. word16 len16, cipher;
  667. const byte *exts;
  668. size_t exts_len, rec_len;
  669. static byte ext_sup_version[2] = {0x03, 0x04};
  670. int rec_type;
  671. check_handshake_record(data, data_len, &rec_type, &rec_len);
  672. AssertIntEQ(rec_type, server_hello);
  673. idx = HANDSHAKE_HEADER_SZ;
  674. AssertTrue(data[idx++] == SSLv3_MAJOR);
  675. AssertTrue(data[idx++] == TLSv1_2_MINOR);
  676. idx += 32; /* 32 bytes RANDOM */
  677. /* AssertIntEQ(data[idx], 0); session id of len 0 */
  678. idx += 1 + data[idx];
  679. ato16(&data[idx], &cipher); /* cipher selected */
  680. AssertTrue(cipher != 0);
  681. idx += 2;
  682. AssertTrue(data[idx] == 0); /* null compression */
  683. idx += 1;
  684. ato16(&data[idx], &len16); /* extensions length */
  685. AssertTrue(len16 > 0);
  686. exts_len = len16;
  687. idx += 2;
  688. exts = &data[idx];
  689. idx += exts_len;
  690. AssertTrue(idx <= rec_len); /* should fit */
  691. for (; idx < rec_len; ++idx) {
  692. AssertTrue(data[idx] == 0); /* padding */
  693. }
  694. if (verbose) {
  695. ext_dump(exts, exts_len, indent);
  696. dump_buffer("", data, rec_len, indent);
  697. }
  698. ext_equals(exts, exts_len, TLSX_SUPPORTED_VERSIONS,
  699. ext_sup_version, sizeof(ext_sup_version));
  700. }
  701. static void check_crypto_rec(const byte *data, size_t data_len, int verbose, int indent)
  702. {
  703. size_t rec_len;
  704. int rec_type;
  705. check_handshake_record(data, data_len, &rec_type, &rec_len);
  706. if (verbose) {
  707. dump_buffer("", data, rec_len, indent);
  708. }
  709. }
  710. static void check_crypto_records(QuicTestContext *from, OutputBuffer *out, int indent, char *rec_log)
  711. {
  712. const byte *data = out->data;
  713. size_t data_len = out->len;
  714. size_t rec_len;
  715. int rec_type;
  716. const char *rec_name;
  717. char lbuffer[128];
  718. void (*check_rec) (const byte *d, size_t l, int v, int indent);
  719. while (data_len > 0) {
  720. check_handshake_record(data, data_len, &rec_type, &rec_len);
  721. if (rec_len > data_len) {
  722. printf("%*sINCOMPLETE CRYPTO?: ", indent, " ");
  723. dump_buffer("", data, data_len, indent);
  724. }
  725. AssertTrue(rec_len <= data_len);
  726. check_rec = check_crypto_rec;
  727. switch (rec_type) {
  728. case client_hello:
  729. rec_name = "ClientHello";
  730. check_rec = check_quic_client_hello;
  731. break;
  732. case server_hello:
  733. rec_name = "ServerHello";
  734. check_rec = check_quic_server_hello;
  735. break;
  736. case session_ticket:
  737. rec_name = "SessionTicket";
  738. break;
  739. case encrypted_extensions:
  740. rec_name = "EncryptedExtension";
  741. check_rec = check_ee;
  742. break;
  743. case certificate:
  744. rec_name = "Certificate";
  745. break;
  746. case certificate_verify:
  747. rec_name = "CertificateVerify";
  748. break;
  749. case finished:
  750. rec_name = "Finished";
  751. break;
  752. default:
  753. sprintf(lbuffer, "%d", rec_type);
  754. rec_name = lbuffer;
  755. break;
  756. }
  757. if (rec_log) {
  758. if (*rec_log) strcat(rec_log, ":");
  759. strcat(rec_log, rec_name);
  760. }
  761. if (from->verbose) printf("%*sCRYPTO[%s]: ", indent, " ", rec_name);
  762. check_rec(data, rec_len, from->verbose, indent);
  763. if (from->verbose) printf("\n");
  764. data += rec_len;
  765. data_len -= rec_len;
  766. }
  767. }
  768. static void QuicTestContext_forward(QuicTestContext *from, QuicTestContext *to, char *rec_log)
  769. {
  770. int ret;
  771. OutputBuffer *out, *old;
  772. out = &from->output;
  773. while (out->len > 0) {
  774. if (from->verbose) {
  775. printf("[%s -> %s] forward %d bytes at level %d\n",
  776. from->name, to->name, (int)out->len, out->level);
  777. }
  778. if (out->level == wolfssl_encryption_early_data) {
  779. if (from->verbose) dump_buffer("EarlyData", out->data, out->len, 4);
  780. }
  781. else {
  782. check_crypto_records(from, out, 4, rec_log);
  783. }
  784. ret = wolfSSL_provide_quic_data(to->ssl, out->level, out->data, out->len);
  785. out->len = 0;
  786. AssertIntEQ(ret, WOLFSSL_SUCCESS);
  787. if (out->next) {
  788. old = out->next;
  789. memcpy(out, out->next, sizeof(*out));
  790. free(old);
  791. }
  792. }
  793. }
  794. typedef struct {
  795. QuicTestContext *client;
  796. QuicTestContext *server;
  797. int started;
  798. int verbose;
  799. char rec_log[16*1024];
  800. int sent_early_data;
  801. int accept_early_data;
  802. char early_data[16*1024];
  803. size_t early_data_len;
  804. } QuicConversation;
  805. static void QuicConversation_init(QuicConversation *conv,
  806. QuicTestContext *tclient, QuicTestContext *tserver)
  807. {
  808. memset(conv, 0, sizeof(*conv));
  809. conv->client = tclient;
  810. conv->server = tserver;
  811. conv->verbose = tclient->verbose && tserver->verbose;
  812. }
  813. static int QuicConversation_start(QuicConversation *conv, const byte *data,
  814. size_t data_len, size_t *pwritten)
  815. {
  816. int ret;
  817. AssertFalse(conv->started);
  818. if (conv->verbose) {
  819. printf("[%s <-> %s] starting\n", conv->client->name, conv->server->name);
  820. }
  821. if (data && data_len > 0) {
  822. #ifdef WOLFSSL_EARLY_DATA
  823. int written;
  824. ret = wolfSSL_write_early_data(conv->client->ssl, data, (int)data_len, &written);
  825. if (ret < 0) {
  826. int err = wolfSSL_get_error(conv->client->ssl, ret);
  827. char lbuffer[1024];
  828. printf("EARLY DATA ret = %d, error = %d, %s\n", ret, err, wolfSSL_ERR_error_string(err, lbuffer));
  829. AssertTrue(0);
  830. }
  831. *pwritten = (size_t)written;
  832. conv->sent_early_data = 1;
  833. #else
  834. fprintf(stderr, "Cannot send EARLY DATA without feature enabled!\n");
  835. AssertTrue(0);
  836. #endif
  837. }
  838. else {
  839. ret = wolfSSL_connect(conv->client->ssl);
  840. if (ret != WOLFSSL_SUCCESS) {
  841. AssertIntEQ(wolfSSL_get_error(conv->client->ssl, 0), SSL_ERROR_WANT_READ);
  842. }
  843. if (pwritten) *pwritten = 0;
  844. }
  845. conv->started = 1;
  846. return ret;
  847. }
  848. static int QuicConversation_step(QuicConversation *conv)
  849. {
  850. int n;
  851. if (!conv->started) {
  852. AssertTrue(wolfSSL_connect(conv->client->ssl) != WOLFSSL_SUCCESS);
  853. AssertIntEQ(SSL_ERROR_WANT_READ, wolfSSL_get_error(conv->client->ssl, 0));
  854. conv->started = 1;
  855. }
  856. if (conv->server->output.len > 0) {
  857. QuicTestContext_forward(conv->server, conv->client, conv->rec_log);
  858. n = wolfSSL_quic_read_write(conv->client->ssl);
  859. if (n != WOLFSSL_SUCCESS) {
  860. AssertIntEQ(wolfSSL_get_error(conv->client->ssl, 0), SSL_ERROR_WANT_READ);
  861. }
  862. return 1;
  863. }
  864. else if (conv->client->output.len > 0) {
  865. QuicTestContext_forward(conv->client, conv->server, conv->rec_log);
  866. #ifdef WOLFSSL_EARLY_DATA
  867. if (conv->accept_early_data) {
  868. int written;
  869. n = wolfSSL_read_early_data(conv->server->ssl,
  870. conv->early_data + conv->early_data_len,
  871. (int)(sizeof(conv->early_data) - conv->early_data_len),
  872. &written);
  873. if (n < 0) {
  874. AssertIntEQ(wolfSSL_get_error(conv->server->ssl, 0), SSL_ERROR_WANT_READ);
  875. }
  876. else if (n > 0) {
  877. conv->early_data_len += n;
  878. if (conv->verbose)
  879. printf("RECVed early data, len now=%d\n", (int)conv->early_data_len);
  880. }
  881. }
  882. else
  883. #endif /* WOLFSSL_EARLY_DATA */
  884. {
  885. n = wolfSSL_quic_read_write(conv->server->ssl);
  886. if (n != WOLFSSL_SUCCESS) {
  887. AssertIntEQ(wolfSSL_get_error(conv->server->ssl, 0), SSL_ERROR_WANT_READ);
  888. }
  889. }
  890. return 1;
  891. }
  892. return 0;
  893. }
  894. static void QuicConversation_do(QuicConversation *conv)
  895. {
  896. if (!conv->started) {
  897. QuicConversation_start(conv, NULL, 0, NULL);
  898. }
  899. while (1) {
  900. if (!QuicConversation_step(conv)) {
  901. int c_err = wolfSSL_get_error(conv->client->ssl, 0);
  902. int s_err = wolfSSL_get_error(conv->server->ssl, 0);
  903. if (c_err == 0
  904. && (s_err == 0
  905. || (conv->sent_early_data && s_err == SSL_ERROR_WANT_READ))) {
  906. /* Since QUIC does not use EndOfEarlyData messages, we may
  907. * encounter WANT_READ on the server side. QUIC protocol stacks
  908. * detect EOF here differently, so this should be fine. */
  909. break; /* handshake done */
  910. }
  911. printf("Neither tclient nor server have anything to send, "
  912. "but client_error=%d, server_error=%d\n",
  913. c_err, s_err);
  914. AssertFalse(1);
  915. }
  916. }
  917. }
  918. static int test_quic_client_hello(int verbose) {
  919. WOLFSSL_CTX *ctx;
  920. int ret = 0;
  921. QuicTestContext tctx;
  922. (void)ctx_dump_output;
  923. AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method()));
  924. QuicTestContext_init(&tctx, ctx, "client", verbose);
  925. /* Without any QUIC transport params, this needs to fail */
  926. AssertTrue(wolfSSL_set_quic_transport_params(tctx.ssl, NULL, 0) == WOLFSSL_SUCCESS);
  927. AssertTrue(wolfSSL_quic_read_write(tctx.ssl) != 0);
  928. AssertIntEQ(wolfSSL_get_error(tctx.ssl, 0), QUIC_TP_MISSING_E);
  929. QuicTestContext_free(&tctx);
  930. /* Set transport params, expect both extensions */
  931. QuicTestContext_init(&tctx, ctx, "client", verbose);
  932. #ifdef HAVE_SNI
  933. wolfSSL_UseSNI(tctx.ssl, WOLFSSL_SNI_HOST_NAME, "wolfssl.com", sizeof("wolfssl.com")-1);
  934. #endif
  935. AssertTrue(wolfSSL_connect(tctx.ssl) != 0);
  936. AssertIntEQ(wolfSSL_get_error(tctx.ssl, 0), SSL_ERROR_WANT_READ);
  937. check_quic_client_hello_tp(&tctx.output, 1, 1);
  938. QuicTestContext_free(&tctx);
  939. /* Set transport params v1, expect v1 extension */
  940. QuicTestContext_init(&tctx, ctx, "client", verbose);
  941. wolfSSL_set_quic_transport_version(tctx.ssl, TLSX_KEY_QUIC_TP_PARAMS);
  942. AssertTrue(wolfSSL_connect(tctx.ssl) != 0);
  943. check_quic_client_hello_tp(&tctx.output, 1, 0);
  944. QuicTestContext_free(&tctx);
  945. /* Set transport params draft, expect draft extension */
  946. QuicTestContext_init(&tctx, ctx, "client", verbose);
  947. wolfSSL_set_quic_transport_version(tctx.ssl, TLSX_KEY_QUIC_TP_PARAMS_DRAFT);
  948. AssertTrue(wolfSSL_connect(tctx.ssl) != 0);
  949. check_quic_client_hello_tp(&tctx.output, 0, 1);
  950. QuicTestContext_free(&tctx);
  951. /* Set transport params 0, expect both extension */
  952. QuicTestContext_init(&tctx, ctx, "client", verbose);
  953. wolfSSL_set_quic_transport_version(tctx.ssl, 0);
  954. AssertTrue(wolfSSL_connect(tctx.ssl) != 0);
  955. check_quic_client_hello_tp(&tctx.output, 1, 1);
  956. QuicTestContext_free(&tctx);
  957. wolfSSL_CTX_free(ctx);
  958. printf(" test_quic_client_hello: %s\n", (ret == 0)? passed : failed);
  959. return ret;
  960. }
  961. static int test_quic_server_hello(int verbose) {
  962. WOLFSSL_CTX *ctx_c, *ctx_s;
  963. int ret = 0;
  964. QuicTestContext tclient, tserver;
  965. QuicConversation conv;
  966. AssertNotNull(ctx_c = wolfSSL_CTX_new(wolfTLSv1_3_client_method()));
  967. AssertNotNull(ctx_s = wolfSSL_CTX_new(wolfTLSv1_3_server_method()));
  968. AssertTrue(wolfSSL_CTX_use_certificate_file(ctx_s, svrCertFile, WOLFSSL_FILETYPE_PEM));
  969. AssertTrue(wolfSSL_CTX_use_PrivateKey_file(ctx_s, svrKeyFile, WOLFSSL_FILETYPE_PEM));
  970. /* setup ssls */
  971. QuicTestContext_init(&tclient, ctx_c, "client", verbose);
  972. QuicTestContext_init(&tserver, ctx_s, "server", verbose);
  973. /* connect */
  974. QuicConversation_init(&conv, &tclient, &tserver);
  975. QuicConversation_step(&conv);
  976. /* check established/missing secrets */
  977. check_secrets(&tserver, wolfssl_encryption_initial, 0, 0);
  978. check_secrets(&tserver, wolfssl_encryption_handshake, 32, 32);
  979. check_secrets(&tserver, wolfssl_encryption_application, 32, 32);
  980. check_secrets(&tclient, wolfssl_encryption_handshake, 0, 0);
  981. /* feed the server data to the client */
  982. QuicConversation_step(&conv);
  983. /* client has generated handshake secret */
  984. check_secrets(&tclient, wolfssl_encryption_handshake, 32, 32);
  985. /* continue the handshake till done */
  986. conv.started = 1;
  987. /* run till end */
  988. QuicConversation_do(&conv);
  989. AssertIntEQ(tclient.output.len, 0);
  990. AssertIntEQ(tserver.output.len, 0);
  991. /* what have we seen? */
  992. #ifdef HAVE_SESSION_TICKET
  993. AssertStrEQ(conv.rec_log, "ClientHello:ServerHello:EncryptedExtension:Certificate:CertificateVerify:Finished:Finished:SessionTicket");
  994. #else
  995. AssertStrEQ(conv.rec_log, "ClientHello:ServerHello:EncryptedExtension:Certificate:CertificateVerify:Finished:Finished");
  996. #endif
  997. /* we are at application encryption level */
  998. AssertTrue(wolfSSL_quic_read_level(tclient.ssl) == wolfssl_encryption_application);
  999. AssertTrue(wolfSSL_quic_write_level(tclient.ssl) == wolfssl_encryption_application);
  1000. AssertTrue(wolfSSL_quic_read_level(tserver.ssl) == wolfssl_encryption_application);
  1001. AssertTrue(wolfSSL_quic_write_level(tserver.ssl) == wolfssl_encryption_application);
  1002. /* the last client write (FINISHED) was at handshake level */
  1003. AssertTrue(tclient.output.level == wolfssl_encryption_handshake);
  1004. /* we have the app secrets */
  1005. check_secrets(&tclient, wolfssl_encryption_application, 32, 32);
  1006. check_secrets(&tserver, wolfssl_encryption_application, 32, 32);
  1007. /* verify client and server have the same secrets establishd */
  1008. assert_secrets_EQ(&tclient, &tserver, wolfssl_encryption_handshake);
  1009. assert_secrets_EQ(&tclient, &tserver, wolfssl_encryption_application);
  1010. /* AEAD cipher should be known */
  1011. AssertNotNull(wolfSSL_quic_get_aead(tclient.ssl));
  1012. AssertNotNull(wolfSSL_quic_get_aead(tserver.ssl));
  1013. /* What was negiotiated and is it the same? */
  1014. AssertIntEQ(wolfSSL_get_peer_quic_transport_version(tclient.ssl),
  1015. wolfSSL_get_peer_quic_transport_version(tserver.ssl));
  1016. QuicTestContext_free(&tclient);
  1017. QuicTestContext_free(&tserver);
  1018. wolfSSL_CTX_free(ctx_c);
  1019. wolfSSL_CTX_free(ctx_s);
  1020. printf(" test_quic_server_hello: %s\n", (ret == 0)? passed : failed);
  1021. return ret;
  1022. }
  1023. #ifdef HAVE_SESSION_TICKET
  1024. static int test_quic_resumption(int verbose) {
  1025. WOLFSSL_CTX *ctx_c, *ctx_s;
  1026. WOLFSSL_SESSION *session;
  1027. int ret = 0;
  1028. QuicTestContext tclient, tserver;
  1029. QuicConversation conv;
  1030. AssertNotNull(ctx_c = wolfSSL_CTX_new(wolfTLSv1_3_client_method()));
  1031. AssertNotNull(ctx_s = wolfSSL_CTX_new(wolfTLSv1_3_server_method()));
  1032. AssertTrue(wolfSSL_CTX_use_certificate_file(ctx_s, svrCertFile, WOLFSSL_FILETYPE_PEM));
  1033. AssertTrue(wolfSSL_CTX_use_PrivateKey_file(ctx_s, svrKeyFile, WOLFSSL_FILETYPE_PEM));
  1034. /* setup ssls */
  1035. QuicTestContext_init(&tclient, ctx_c, "client", verbose);
  1036. QuicTestContext_init(&tserver, ctx_s, "server", verbose);
  1037. QuicConversation_init(&conv, &tclient, &tserver);
  1038. /* run till end */
  1039. QuicConversation_do(&conv);
  1040. /* what have we seen? */
  1041. AssertStrEQ(conv.rec_log, "ClientHello:ServerHello:EncryptedExtension:Certificate:CertificateVerify:Finished:Finished:SessionTicket");
  1042. /* Should have received a session ticket, save the session */
  1043. AssertTrue(tclient.ticket_len > 0);
  1044. AssertNotNull(session = wolfSSL_get1_session(tclient.ssl));
  1045. QuicTestContext_free(&tserver);
  1046. QuicTestContext_free(&tclient);
  1047. /* Do a Session resumption with the ticket */
  1048. QuicTestContext_init(&tserver, ctx_s, "server", verbose);
  1049. QuicTestContext_init(&tclient, ctx_c, "client_resume", verbose);
  1050. AssertIntEQ(wolfSSL_set_session(tclient.ssl, session), WOLFSSL_SUCCESS);
  1051. /* let them talk */
  1052. QuicConversation_init(&conv, &tclient, &tserver);
  1053. QuicConversation_do(&conv);
  1054. /* this is what should happen. Look Ma, no certificate! */
  1055. AssertStrEQ(conv.rec_log, "ClientHello:ServerHello:EncryptedExtension:Finished:Finished:SessionTicket");
  1056. QuicTestContext_free(&tclient);
  1057. QuicTestContext_free(&tserver);
  1058. wolfSSL_SESSION_free(session);
  1059. wolfSSL_CTX_free(ctx_c);
  1060. wolfSSL_CTX_free(ctx_s);
  1061. printf(" test_quic_resumption: %s\n", (ret == 0)? passed : failed);
  1062. return ret;
  1063. }
  1064. #ifdef WOLFSSL_EARLY_DATA
  1065. static int test_quic_early_data(int verbose) {
  1066. WOLFSSL_CTX *ctx_c, *ctx_s;
  1067. int ret = 0;
  1068. QuicTestContext tclient, tserver;
  1069. QuicConversation conv;
  1070. const byte early_data[] = "Nulla dies sine linea!";
  1071. size_t ed_written;
  1072. WOLFSSL_SESSION *session;
  1073. unsigned int max_early_sz;
  1074. AssertNotNull(ctx_c = wolfSSL_CTX_new(wolfTLSv1_3_client_method()));
  1075. wolfSSL_CTX_UseSessionTicket(ctx_c);
  1076. AssertNotNull(ctx_s = wolfSSL_CTX_new(wolfTLSv1_3_server_method()));
  1077. AssertTrue(wolfSSL_CTX_use_certificate_file(ctx_s, svrCertFile, WOLFSSL_FILETYPE_PEM));
  1078. AssertTrue(wolfSSL_CTX_use_PrivateKey_file(ctx_s, svrKeyFile, WOLFSSL_FILETYPE_PEM));
  1079. /* setup ssls */
  1080. QuicTestContext_init(&tclient, ctx_c, "client", verbose);
  1081. QuicTestContext_init(&tserver, ctx_s, "server", verbose);
  1082. wolfSSL_set_quic_early_data_enabled(tserver.ssl, 1);
  1083. /* QUIC only allows 0xffffffff or 0x0 as values */
  1084. AssertIntEQ(wolfSSL_get_max_early_data(tserver.ssl), UINT32_MAX);
  1085. QuicConversation_init(&conv, &tclient, &tserver);
  1086. /* run till end */
  1087. QuicConversation_do(&conv);
  1088. /* what have we seen? */
  1089. AssertStrEQ(conv.rec_log, "ClientHello:ServerHello:EncryptedExtension:Certificate:CertificateVerify:Finished:Finished:SessionTicket");
  1090. /* Should have received a session ticket, save the session */
  1091. AssertTrue(tclient.ticket_len > 0);
  1092. AssertNotNull(session = wolfSSL_get1_session(tclient.ssl));
  1093. QuicTestContext_free(&tclient);
  1094. QuicTestContext_free(&tserver);
  1095. /* QUIC requires 0 or 0xffffffff as only allowed values.
  1096. * Since we enabled early data in the server that created the session,
  1097. * we need to see it here. */
  1098. max_early_sz = wolfSSL_SESSION_get_max_early_data(session);
  1099. AssertIntEQ(max_early_sz, UINT32_MAX);
  1100. /* Do a Session resumption with the ticket */
  1101. QuicTestContext_init(&tserver, ctx_s, "server", verbose);
  1102. QuicTestContext_init(&tclient, ctx_c, "client", verbose);
  1103. AssertIntEQ(wolfSSL_set_session(tclient.ssl, session), WOLFSSL_SUCCESS);
  1104. /* enable early data -*/
  1105. wolfSSL_set_quic_early_data_enabled(tserver.ssl, 1);
  1106. /* client will send, but server will not receive, since
  1107. * QuicConversation_do() uses wolfSSL_accept() */
  1108. QuicConversation_init(&conv, &tclient, &tserver);
  1109. QuicConversation_start(&conv, early_data, sizeof(early_data), &ed_written);
  1110. QuicConversation_do(&conv);
  1111. AssertIntEQ(wolfSSL_get_early_data_status(tclient.ssl), WOLFSSL_EARLY_DATA_REJECTED);
  1112. QuicTestContext_free(&tclient);
  1113. QuicTestContext_free(&tserver);
  1114. QuicTestContext_init(&tserver, ctx_s, "server", verbose);
  1115. QuicTestContext_init(&tclient, ctx_c, "client", verbose);
  1116. AssertIntEQ(wolfSSL_set_session(tclient.ssl, session), WOLFSSL_SUCCESS);
  1117. /* client will send, and server will receive */
  1118. QuicConversation_init(&conv, &tclient, &tserver);
  1119. /* make QuicConversation_do() use wolfSSL_read_early_data() */
  1120. conv.accept_early_data = 1;
  1121. QuicConversation_start(&conv, early_data, sizeof(early_data), &ed_written);
  1122. QuicConversation_do(&conv);
  1123. AssertIntEQ(wolfSSL_get_early_data_status(tclient.ssl), WOLFSSL_EARLY_DATA_ACCEPTED);
  1124. AssertIntEQ(conv.early_data_len, sizeof(early_data));
  1125. AssertStrEQ(conv.early_data, (const char*)early_data);
  1126. QuicTestContext_free(&tclient);
  1127. QuicTestContext_free(&tserver);
  1128. wolfSSL_SESSION_free(session);
  1129. wolfSSL_CTX_free(ctx_c);
  1130. wolfSSL_CTX_free(ctx_s);
  1131. printf(" test_quic_early_data: %s\n", (ret == 0)? passed : failed);
  1132. return ret;
  1133. }
  1134. #endif /* WOLFSSL_EARLY_DATA */
  1135. static int new_session_cb(WOLFSSL *ssl, WOLFSSL_SESSION *session)
  1136. {
  1137. QuicTestContext *ctx = (QuicTestContext*)wolfSSL_get_app_data(ssl);
  1138. byte *data;
  1139. int ret = 0;
  1140. int sz;
  1141. sz = wolfSSL_i2d_SSL_SESSION(session, NULL);
  1142. if (sz <= 0) {
  1143. printf("[%s] session serialization error: %d <- ", ctx->name, sz);
  1144. return sz;
  1145. }
  1146. if ((size_t)sz > sizeof(ctx->session)) {
  1147. printf("[%s] session serialization too large: %d <- ", ctx->name, sz);
  1148. return -1;
  1149. }
  1150. data = ctx->session;
  1151. ctx->session_len = wolfSSL_i2d_SSL_SESSION(session, &data);
  1152. if (ctx->verbose) {
  1153. printf("[%s]", ctx->name);
  1154. dump_buffer(" new SESSION", ctx->session, ctx->session_len, 4);
  1155. }
  1156. return ret;
  1157. }
  1158. static int test_quic_session_export(int verbose)
  1159. {
  1160. WOLFSSL_CTX *ctx_c, *ctx_s;
  1161. WOLFSSL_SESSION *session = NULL;
  1162. int ret = 0;
  1163. QuicTestContext tclient, tserver;
  1164. QuicConversation conv;
  1165. byte session_data[16*1024];
  1166. const byte *bp;
  1167. word32 session_len;
  1168. AssertNotNull(ctx_c = wolfSSL_CTX_new(wolfTLSv1_3_client_method()));
  1169. AssertNotNull(ctx_s = wolfSSL_CTX_new(wolfTLSv1_3_server_method()));
  1170. AssertTrue(wolfSSL_CTX_use_certificate_file(ctx_s, svrCertFile, WOLFSSL_FILETYPE_PEM));
  1171. AssertTrue(wolfSSL_CTX_use_PrivateKey_file(ctx_s, svrKeyFile, WOLFSSL_FILETYPE_PEM));
  1172. /* Uses CTX session callback for new sessions */
  1173. wolfSSL_CTX_sess_set_new_cb(ctx_c, new_session_cb);
  1174. /* setup ssls */
  1175. QuicTestContext_init(&tclient, ctx_c, "client", verbose);
  1176. QuicTestContext_init(&tserver, ctx_s, "server", verbose);
  1177. QuicConversation_init(&conv, &tclient, &tserver);
  1178. /* run till end */
  1179. QuicConversation_do(&conv);
  1180. /* what have we seen? */
  1181. AssertStrEQ(conv.rec_log, "ClientHello:ServerHello:EncryptedExtension:Certificate:CertificateVerify:Finished:Finished:SessionTicket");
  1182. /* Should have received a session, save it */
  1183. AssertTrue(tclient.session_len > 0);
  1184. memcpy(session_data, tclient.session, tclient.session_len);
  1185. session_len = tclient.session_len;
  1186. if (verbose)
  1187. dump_buffer("copied SESSION", session_data, session_len, 0);
  1188. QuicTestContext_free(&tserver);
  1189. QuicTestContext_free(&tclient);
  1190. /* Do a Session resumption with the ticket */
  1191. QuicTestContext_init(&tserver, ctx_s, "server", verbose);
  1192. QuicTestContext_init(&tclient, ctx_c, "client_resume", verbose);
  1193. bp = session_data;
  1194. AssertNotNull(session = wolfSSL_d2i_SSL_SESSION(NULL, &bp, session_len));
  1195. AssertIntEQ(wolfSSL_set_session(tclient.ssl, session), WOLFSSL_SUCCESS);
  1196. wolfSSL_SESSION_free(session);
  1197. /* let them talk */
  1198. QuicConversation_init(&conv, &tclient, &tserver);
  1199. QuicConversation_do(&conv);
  1200. /* this is what should happen. Look Ma, no certificate! */
  1201. AssertStrEQ(conv.rec_log, "ClientHello:ServerHello:EncryptedExtension:Finished:Finished:SessionTicket");
  1202. QuicTestContext_free(&tclient);
  1203. QuicTestContext_free(&tserver);
  1204. wolfSSL_CTX_free(ctx_c);
  1205. wolfSSL_CTX_free(ctx_s);
  1206. printf(" test_quic_session_export: %s\n", (ret == 0)? passed : failed);
  1207. return ret;
  1208. }
  1209. #endif /* WOLFSSL_SESSION_EXPORT */
  1210. #endif /* WOLFSSL_QUIC */
  1211. int QuicTest(void)
  1212. {
  1213. int ret = 0;
  1214. #ifdef WOLFSSL_QUIC
  1215. int verbose = 0;
  1216. printf(" Begin QUIC Tests\n");
  1217. if ((ret = test_set_quic_method()) != 0) goto leave;
  1218. if ((ret = test_provide_quic_data()) != 0) goto leave;
  1219. if ((ret = test_quic_crypt()) != 0) goto leave;
  1220. if ((ret = test_quic_client_hello(verbose)) != 0) goto leave;
  1221. if ((ret = test_quic_server_hello(verbose)) != 0) goto leave;
  1222. #ifdef HAVE_SESSION_TICKET
  1223. if ((ret = test_quic_resumption(verbose)) != 0) goto leave;
  1224. #ifdef WOLFSSL_EARLY_DATA
  1225. if ((ret = test_quic_early_data(verbose)) != 0) goto leave;
  1226. #endif /* WOLFSSL_EARLY_DATA */
  1227. if ((ret = test_quic_session_export(verbose)) != 0) goto leave;
  1228. #endif /* HAVE_SESSION_TICKET */
  1229. leave:
  1230. if (ret != 0)
  1231. printf(" FAILED: some tests did not pass.\n");
  1232. printf(" End QUIC Tests\n");
  1233. #endif
  1234. return ret;
  1235. }