1
0

quic.c 61 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669
  1. /* quic.c QUIC unit tests
  2. *
  3. * Copyright (C) 2006-2024 wolfSSL Inc.
  4. *
  5. * This file is part of wolfSSL.
  6. *
  7. * wolfSSL is free software; you can redistribute it and/or modify
  8. * it under the terms of the GNU General Public License as published by
  9. * the Free Software Foundation; either version 2 of the License, or
  10. * (at your option) any later version.
  11. *
  12. * wolfSSL is distributed in the hope that it will be useful,
  13. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  14. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  15. * GNU General Public License for more details.
  16. *
  17. * You should have received a copy of the GNU General Public License
  18. * along with this program; if not, write to the Free Software
  19. * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  20. */
  21. #ifdef HAVE_CONFIG_H
  22. #include <config.h>
  23. #endif
  24. #ifndef WOLFSSL_USER_SETTINGS
  25. #include <wolfssl/options.h>
  26. #endif
  27. #include <wolfssl/wolfcrypt/settings.h>
  28. #include <tests/unit.h>
  29. #ifdef WOLFSSL_QUIC
  30. #include <wolfssl/ssl.h>
  31. #include <wolfssl/quic.h>
  32. #ifdef NO_INLINE
  33. #include <wolfssl/wolfcrypt/misc.h>
  34. #else
  35. #define WOLFSSL_MISC_INCLUDED
  36. #include <wolfcrypt/src/misc.c>
  37. #endif
  38. #include <wolfssl/error-ssl.h>
  39. #include <wolfssl/internal.h>
  40. #if defined(WOLFSSL_SHA384) && defined(WOLFSSL_AES_256)
  41. #define DEFAULT_TLS_DIGEST_SZ WC_SHA384_DIGEST_SIZE
  42. #else
  43. #define DEFAULT_TLS_DIGEST_SZ WC_SHA256_DIGEST_SIZE
  44. #endif
  45. #define testingFmt " %s:"
  46. #define resultFmt " %s\n"
  47. static const char* passed = "passed";
  48. static const char* failed = "failed";
  49. typedef struct {
  50. const char *name;
  51. WOLFSSL_METHOD *method;
  52. int is_server;
  53. } ctx_setups;
  54. static int dummy_set_encryption_secrets(WOLFSSL *ssl, WOLFSSL_ENCRYPTION_LEVEL level,
  55. const uint8_t *read_secret,
  56. const uint8_t *write_secret, size_t secret_len)
  57. {
  58. (void)ssl;
  59. printf("QUIC_set_encryption_secrets(level=%d, length=%d, rx=%s, tx=%s)\n",
  60. level, (int)secret_len, read_secret? "yes" : "no", write_secret? "yes" : "no");
  61. return 1;
  62. }
  63. static int dummy_add_handshake_data(WOLFSSL *ssl, WOLFSSL_ENCRYPTION_LEVEL level,
  64. const uint8_t *data, size_t len)
  65. {
  66. (void)ssl;
  67. (void)data;
  68. printf("QUIC_add_handshake_data(level=%d, length=%d)\n", level, (int)len);
  69. return 1;
  70. }
  71. static int dummy_flush_flight(WOLFSSL *ssl)
  72. {
  73. (void)ssl;
  74. printf("QUIC_flush_flight()\n");
  75. return 1;
  76. }
  77. static int dummy_send_alert(WOLFSSL *ssl, WOLFSSL_ENCRYPTION_LEVEL level, uint8_t err)
  78. {
  79. (void)ssl;
  80. printf("QUIC_send_alert(level=%d, err=%d)\n", level, err);
  81. return 1;
  82. }
  83. static WOLFSSL_QUIC_METHOD dummy_method = {
  84. dummy_set_encryption_secrets,
  85. dummy_add_handshake_data,
  86. dummy_flush_flight,
  87. dummy_send_alert,
  88. };
  89. static WOLFSSL_QUIC_METHOD null_method = {
  90. NULL, NULL, NULL, NULL
  91. };
  92. static int test_set_quic_method(void) {
  93. WOLFSSL_CTX *ctx;
  94. WOLFSSL *ssl;
  95. int ret = 0, i;
  96. const uint8_t *data;
  97. size_t data_len;
  98. ctx_setups valids[] = {
  99. #ifdef WOLFSSL_TLS13
  100. { "TLSv1.3 server", wolfTLSv1_3_server_method(), 1},
  101. { "TLSv1.3 client", wolfTLSv1_3_client_method(), 0},
  102. #endif
  103. { NULL, NULL, 0}
  104. };
  105. ctx_setups invalids[] = {
  106. #ifndef WOLFSSL_NO_TLS12
  107. { "TLSv1.2 server", wolfTLSv1_2_server_method(), 1},
  108. { "TLSv1.2 client", wolfTLSv1_2_client_method(), 0},
  109. #endif
  110. #ifndef NO_OLD_TLS
  111. { "TLSv1.1 server", wolfTLSv1_1_server_method(), 1},
  112. { "TLSv1.1 client", wolfTLSv1_1_client_method(), 0},
  113. #endif
  114. { NULL, NULL, 0}
  115. };
  116. for (i = 0; valids[i].name != NULL; ++i) {
  117. AssertNotNull(ctx = wolfSSL_CTX_new(valids[i].method));
  118. if (valids[i].is_server) {
  119. AssertTrue(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile,
  120. WOLFSSL_FILETYPE_PEM));
  121. AssertTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile,
  122. WOLFSSL_FILETYPE_PEM));
  123. }
  124. /* ctx does not have quic enabled, so will SSL* derived from it */
  125. AssertNotNull(ssl = wolfSSL_new(ctx));
  126. AssertFalse(wolfSSL_is_quic(ssl));
  127. /* Enable quic on the SSL* */
  128. AssertFalse(wolfSSL_set_quic_method(ssl, &null_method) == WOLFSSL_SUCCESS);
  129. AssertTrue(wolfSSL_set_quic_method(ssl, &dummy_method) == WOLFSSL_SUCCESS);
  130. AssertTrue(wolfSSL_is_quic(ssl));
  131. /* Check some default, initial behaviour */
  132. AssertTrue(wolfSSL_set_quic_transport_params(ssl, NULL, 0) == WOLFSSL_SUCCESS);
  133. wolfSSL_get_peer_quic_transport_params(ssl, &data, &data_len);
  134. AssertNull(data);
  135. AssertTrue(data_len == 0);
  136. AssertTrue(wolfSSL_quic_read_level(ssl) == wolfssl_encryption_initial);
  137. AssertTrue(wolfSSL_quic_write_level(ssl) == wolfssl_encryption_initial);
  138. AssertTrue(wolfSSL_get_quic_transport_version(ssl) == 0);
  139. wolfSSL_set_quic_transport_version(ssl, TLSX_KEY_QUIC_TP_PARAMS);
  140. AssertTrue(wolfSSL_get_quic_transport_version(ssl) == TLSX_KEY_QUIC_TP_PARAMS);
  141. wolfSSL_set_quic_use_legacy_codepoint(ssl, 1);
  142. AssertTrue(wolfSSL_get_quic_transport_version(ssl) == TLSX_KEY_QUIC_TP_PARAMS_DRAFT);
  143. wolfSSL_set_quic_use_legacy_codepoint(ssl, 0);
  144. AssertTrue(wolfSSL_get_quic_transport_version(ssl) == TLSX_KEY_QUIC_TP_PARAMS);
  145. /* max flight len during stages of handhshake, we us 16k initial and on
  146. * app data, and during handshake allow larger for cert exchange. This is
  147. * more advisory for the network code. ngtcp2 has its own ideas, for example.
  148. */
  149. data_len = wolfSSL_quic_max_handshake_flight_len(ssl, wolfssl_encryption_initial);
  150. AssertTrue(data_len == 16*1024);
  151. data_len = wolfSSL_quic_max_handshake_flight_len(ssl, wolfssl_encryption_early_data);
  152. AssertTrue(data_len == 0);
  153. data_len = wolfSSL_quic_max_handshake_flight_len(ssl, wolfssl_encryption_handshake);
  154. AssertTrue(data_len >= 16*1024);
  155. data_len = wolfSSL_quic_max_handshake_flight_len(ssl, wolfssl_encryption_application);
  156. AssertTrue(data_len == 16*1024);
  157. wolfSSL_free(ssl);
  158. /* Enabled quic on the ctx */
  159. AssertTrue(wolfSSL_CTX_set_quic_method(ctx, &dummy_method) == WOLFSSL_SUCCESS);
  160. /* It will be enabled on the SSL* */
  161. AssertNotNull(ssl = wolfSSL_new(ctx));
  162. AssertTrue(wolfSSL_is_quic(ssl));
  163. wolfSSL_free(ssl);
  164. wolfSSL_CTX_free(ctx);
  165. }
  166. for (i = 0; invalids[i].name != NULL; ++i) {
  167. AssertNotNull(ctx = wolfSSL_CTX_new(invalids[i].method));
  168. AssertTrue(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile,
  169. WOLFSSL_FILETYPE_PEM));
  170. AssertTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile,
  171. WOLFSSL_FILETYPE_PEM));
  172. AssertFalse(wolfSSL_CTX_set_quic_method(ctx, &dummy_method) == WOLFSSL_SUCCESS);
  173. AssertNotNull(ssl = wolfSSL_new(ctx));
  174. AssertFalse(wolfSSL_set_quic_method(ssl, &dummy_method) == WOLFSSL_SUCCESS);
  175. AssertFalse(wolfSSL_is_quic(ssl));
  176. /* even though not quic, this is the only level we can return */
  177. AssertTrue(wolfSSL_quic_read_level(ssl) == wolfssl_encryption_initial);
  178. AssertTrue(wolfSSL_quic_write_level(ssl) == wolfssl_encryption_initial);
  179. wolfSSL_free(ssl);
  180. wolfSSL_CTX_free(ctx);
  181. }
  182. printf(" test_set_quic_method: %s\n", (ret == 0)? passed : failed);
  183. return ret;
  184. }
  185. static size_t fake_record(byte rtype, word32 rlen, uint8_t *rec)
  186. {
  187. rec[0] = (uint8_t)rtype;
  188. c32to24(rlen, rec+1);
  189. return rlen + 4;
  190. }
  191. static size_t shift_record(uint8_t *rec, size_t len, size_t written)
  192. {
  193. len -= written;
  194. XMEMMOVE(rec, rec+written, len);
  195. return len;
  196. }
  197. static void dump_buffer(const char *name, const byte *p, size_t len, int indent)
  198. {
  199. size_t i = 0;
  200. printf("%s[%d] = {", name, (int)len);
  201. while((p != NULL) && (i < len)) {
  202. if((i % 0x10) == 0) {
  203. printf("\n");
  204. printf("%*s %04X - ", indent, " ", (int)i);
  205. }
  206. else if((i % 0x08) == 0) {
  207. printf(" ");
  208. }
  209. printf("%02X ", p[i]);
  210. i++;
  211. }
  212. printf("\n%*s};\n", indent, " ");
  213. }
  214. static void dump_ssl_buffers(WOLFSSL *ssl, FILE *fp)
  215. {
  216. QuicRecord *qr = ssl->quic.input_head;
  217. fprintf(fp, "SSL quic data buffered: \n");
  218. while (qr) {
  219. fprintf(fp, " - %d-%d/%d (cap %d, level=%d)\n",
  220. qr->start, qr->end, qr->len, qr->capacity, qr->level);
  221. qr = qr->next;
  222. }
  223. if ((qr = ssl->quic.scratch)) {
  224. fprintf(fp, " scratch: %d-%d/%d (cap %d, level=%d)\n",
  225. qr->start, qr->end, qr->len, qr->capacity, qr->level);
  226. }
  227. else {
  228. fprintf(fp, " scratch: -\n");
  229. }
  230. }
  231. static int provide_data(WOLFSSL *ssl, WOLFSSL_ENCRYPTION_LEVEL level,
  232. const uint8_t *data, size_t len, int excpect_fail)
  233. {
  234. int ret;
  235. ret = (wolfSSL_provide_quic_data(ssl, level, data, len) == WOLFSSL_SUCCESS);
  236. if (!!ret != !excpect_fail) {
  237. dump_ssl_buffers(ssl, stdout);
  238. return 0;
  239. }
  240. return 1;
  241. }
  242. static int test_provide_quic_data(void) {
  243. WOLFSSL_CTX *ctx;
  244. WOLFSSL *ssl;
  245. uint8_t lbuffer[16*1024];
  246. size_t len;
  247. int ret = 0;
  248. AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method()));
  249. AssertTrue(wolfSSL_CTX_set_quic_method(ctx, &dummy_method) == WOLFSSL_SUCCESS);
  250. /* provide_quic_data() feeds CRYPTO packets inside a QUIC Frame into
  251. * the TLSv1.3 state machine.
  252. * The data fed is not the QUIC frame, but the TLS record inside it.
  253. * This may be called several times before SSL_do_handshake() is invoked
  254. * to process them.
  255. * During buffering this data, the code checks that:
  256. * - encryption level only ever increases for subsequent TLS records
  257. * - a TLS record is received complete before the encryption level increases
  258. */
  259. AssertNotNull(ssl = wolfSSL_new(ctx));
  260. len = fake_record(1, 100, lbuffer);
  261. AssertTrue(provide_data(ssl, wolfssl_encryption_initial, lbuffer, len, 0));
  262. len = fake_record(2, 1523, lbuffer);
  263. AssertTrue(provide_data(ssl, wolfssl_encryption_handshake, lbuffer, len, 0));
  264. len = fake_record(2, 1, lbuffer);
  265. len += fake_record(3, 190, lbuffer+len);
  266. AssertTrue(provide_data(ssl, wolfssl_encryption_handshake, lbuffer, len, 0));
  267. len = fake_record(5, 2049, lbuffer);
  268. AssertTrue(provide_data(ssl, wolfssl_encryption_application, lbuffer, len, 0));
  269. /* adding another record with decreased level must fail */
  270. len = fake_record(1, 100, lbuffer);
  271. AssertTrue(provide_data(ssl, wolfssl_encryption_initial, lbuffer, len, 1));
  272. wolfSSL_free(ssl);
  273. AssertNotNull(ssl = wolfSSL_new(ctx));
  274. len = fake_record(1, 100, lbuffer);
  275. AssertTrue(provide_data(ssl, wolfssl_encryption_initial, lbuffer, 24, 0));
  276. len = shift_record(lbuffer, len, 24);
  277. len += fake_record(2, 4000, lbuffer+len);
  278. AssertTrue(provide_data(ssl, wolfssl_encryption_initial, lbuffer, len - 99, 0));
  279. len = shift_record(lbuffer, len, len - 99);
  280. len += fake_record(5, 2049, lbuffer+len);
  281. AssertTrue(provide_data(ssl, wolfssl_encryption_initial, lbuffer, len, 0));
  282. /* should be recognized as complete and level increase needs to be accepted */
  283. len = fake_record(2, 1, lbuffer);
  284. len += fake_record(3, 190, lbuffer+len);
  285. AssertTrue(provide_data(ssl, wolfssl_encryption_handshake, lbuffer, len - 10, 0));
  286. len = shift_record(lbuffer, len, len - 10);
  287. /* Change level with incomplete record in lbuffer, needs to fail */
  288. len += fake_record(5, 8102, lbuffer+len);
  289. AssertTrue(provide_data(ssl, wolfssl_encryption_application, lbuffer, len - 10, 1));
  290. wolfSSL_free(ssl);
  291. wolfSSL_CTX_free(ctx);
  292. printf(" test_provide_quic_data: %s\n", (ret == 0)? passed : failed);
  293. return 0;
  294. }
  295. static int test_quic_crypt(void) {
  296. WOLFSSL_CTX *ctx;
  297. WOLFSSL *ssl;
  298. const WOLFSSL_EVP_CIPHER *aead_cipher;
  299. int ret = 0;
  300. AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method()));
  301. AssertTrue(wolfSSL_CTX_set_quic_method(ctx, &dummy_method) == WOLFSSL_SUCCESS);
  302. AssertNotNull(ssl = wolfSSL_new(ctx));
  303. /* don't have an AEAD cipher selected before start */
  304. AssertTrue(wolfSSL_CIPHER_get_id(wolfSSL_get_current_cipher(ssl)) == 0);
  305. AssertNotNull(aead_cipher = wolfSSL_EVP_aes_128_gcm());
  306. AssertTrue(wolfSSL_quic_aead_is_gcm(aead_cipher) != 0);
  307. AssertTrue(wolfSSL_quic_aead_is_ccm(aead_cipher) == 0);
  308. AssertTrue(wolfSSL_quic_aead_is_chacha20(aead_cipher) == 0);
  309. if (1) {
  310. /* check that our enc-/decrypt support in quic rount-trips */
  311. static const uint8_t key[16] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
  312. 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff};
  313. static const uint8_t aad[] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19};
  314. static const uint8_t iv[] = {20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31};
  315. static const uint8_t plaintext[] = "hello world\nhello world\nhello world\nhello world\nhello world\nhello world\nhello world\n";
  316. static const uint8_t expected[] = {0xd3, 0xa8, 0x1d, 0x96, 0x4c, 0x9b, 0x02, 0xd7, 0x9a, 0xb0, 0x41, 0x07, 0x4c, 0x8c, 0xe2,
  317. 0xe0, 0x2e, 0x83, 0x54, 0x52, 0x45, 0xcb, 0xd4, 0x68, 0xc8, 0x43, 0x45, 0xca, 0x91, 0xfb,
  318. 0xa3, 0x7a, 0x67, 0xed, 0xe8, 0xd7, 0x5e, 0xe2, 0x33, 0xd1, 0x3e, 0xbf, 0x50, 0xc2, 0x4b,
  319. 0x86, 0x83, 0x55, 0x11, 0xbb, 0x17, 0x4f, 0xf5, 0x78, 0xb8, 0x65, 0xeb, 0x9a, 0x2b, 0x8f,
  320. 0x77, 0x08, 0xa9, 0x60, 0x17, 0x73, 0xc5, 0x07, 0xf3, 0x04, 0xc9, 0x3f, 0x67, 0x4d, 0x12,
  321. 0xa1, 0x02, 0x93, 0xc2, 0x3c, 0xd3, 0xf8, 0x59, 0x33, 0xd5, 0x01, 0xc3, 0xbb, 0xaa, 0xe6,
  322. 0x3f, 0xbb, 0x23, 0x66, 0x94, 0x26, 0x28, 0x43, 0xa5, 0xfd, 0x2f};
  323. WOLFSSL_EVP_CIPHER_CTX *enc_ctx, *dec_ctx;
  324. uint8_t *encrypted, *decrypted;
  325. size_t tag_len, enc_len, dec_len;
  326. AssertTrue((tag_len = wolfSSL_quic_get_aead_tag_len(aead_cipher)) == 16);
  327. dec_len = sizeof(plaintext);
  328. enc_len = dec_len + tag_len;
  329. encrypted = (uint8_t*)XMALLOC(enc_len, NULL, DYNAMIC_TYPE_TMP_BUFFER);
  330. AssertNotNull(encrypted);
  331. decrypted = (uint8_t*)XMALLOC(dec_len, NULL, DYNAMIC_TYPE_TMP_BUFFER);
  332. AssertNotNull(decrypted);
  333. AssertNotNull(enc_ctx = wolfSSL_quic_crypt_new(aead_cipher, key, iv, 1));
  334. AssertTrue(wolfSSL_quic_aead_encrypt(encrypted, enc_ctx,
  335. plaintext, sizeof(plaintext),
  336. NULL, aad, sizeof(aad)) == WOLFSSL_SUCCESS);
  337. AssertTrue(memcmp(expected, encrypted, dec_len) == 0);
  338. AssertTrue(memcmp(expected+dec_len, encrypted+dec_len, tag_len) == 0);
  339. AssertNotNull(dec_ctx = wolfSSL_quic_crypt_new(aead_cipher, key, iv, 0));
  340. AssertTrue(wolfSSL_quic_aead_decrypt(decrypted, dec_ctx,
  341. encrypted, enc_len,
  342. NULL, aad, sizeof(aad)) == WOLFSSL_SUCCESS);
  343. AssertTrue(memcmp(plaintext, decrypted, dec_len) == 0);
  344. XFREE(encrypted, NULL, DYNAMIC_TYPE_TMP_BUFFER);
  345. XFREE(decrypted, NULL, DYNAMIC_TYPE_TMP_BUFFER);
  346. wolfSSL_EVP_CIPHER_CTX_free(enc_ctx);
  347. wolfSSL_EVP_CIPHER_CTX_free(dec_ctx);
  348. }
  349. wolfSSL_free(ssl);
  350. wolfSSL_CTX_free(ctx);
  351. printf(" test_quic_crypt: %s\n", (ret == 0)? passed : failed);
  352. return ret;
  353. }
  354. typedef struct OutputBuffer {
  355. byte data[64*1024];
  356. size_t len;
  357. WOLFSSL_ENCRYPTION_LEVEL level;
  358. struct OutputBuffer *next;
  359. } OutputBuffer;
  360. typedef struct {
  361. const char *name;
  362. WOLFSSL *ssl;
  363. OutputBuffer output;
  364. byte rx_secret[4][1024];
  365. size_t rx_secret_len[4];
  366. byte tx_secret[4][1024];
  367. size_t tx_secret_len[4];
  368. int handshake_done;
  369. int alert_level;
  370. int alert;
  371. int flushed;
  372. int verbose;
  373. byte ticket[16*1024];
  374. word32 ticket_len;
  375. byte session[16*1024];
  376. word32 session_len;
  377. } QuicTestContext;
  378. static int ctx_set_encryption_secrets(WOLFSSL *ssl, WOLFSSL_ENCRYPTION_LEVEL level,
  379. const uint8_t *read_secret,
  380. const uint8_t *write_secret, size_t secret_len);
  381. static int ctx_add_handshake_data(WOLFSSL *ssl, WOLFSSL_ENCRYPTION_LEVEL level,
  382. const uint8_t *data, size_t len);
  383. static int ctx_flush_flight(WOLFSSL *ssl);
  384. static int ctx_send_alert(WOLFSSL *ssl, WOLFSSL_ENCRYPTION_LEVEL level, uint8_t err);
  385. #ifdef HAVE_SESSION_TICKET
  386. static int ctx_session_ticket_cb(WOLFSSL* ssl,
  387. const unsigned char* ticket, int ticketSz,
  388. void* cb_ctx);
  389. #endif
  390. static WOLFSSL_QUIC_METHOD ctx_method = {
  391. ctx_set_encryption_secrets,
  392. ctx_add_handshake_data,
  393. ctx_flush_flight,
  394. ctx_send_alert,
  395. };
  396. static void QuicTestContext_init(QuicTestContext *tctx, WOLFSSL_CTX *ctx,
  397. const char *name, int verbose)
  398. {
  399. static const byte tp_params_c[] = {0, 1, 2, 3, 4, 5, 6, 7};
  400. static const byte tp_params_s[] = {7, 6, 5, 4, 3, 2, 1, 0, 1};
  401. AssertNotNull(tctx);
  402. memset(tctx, 0, sizeof(*tctx));
  403. tctx->name = name;
  404. AssertNotNull((tctx->ssl = wolfSSL_new(ctx)));
  405. tctx->verbose = verbose;
  406. wolfSSL_set_app_data(tctx->ssl, tctx);
  407. AssertTrue(wolfSSL_set_quic_method(tctx->ssl, &ctx_method) == WOLFSSL_SUCCESS);
  408. wolfSSL_set_verify(tctx->ssl, SSL_VERIFY_NONE, 0);
  409. #ifdef HAVE_SESSION_TICKET
  410. wolfSSL_UseSessionTicket(tctx->ssl);
  411. wolfSSL_set_SessionTicket_cb(tctx->ssl, ctx_session_ticket_cb, NULL);
  412. #endif
  413. if (wolfSSL_is_server(tctx->ssl)) {
  414. wolfSSL_set_quic_transport_version(tctx->ssl, 0);
  415. wolfSSL_set_quic_transport_params(tctx->ssl, tp_params_s, sizeof(tp_params_s));
  416. }
  417. else {
  418. wolfSSL_set_quic_transport_version(tctx->ssl, 0);
  419. wolfSSL_set_quic_transport_params(tctx->ssl, tp_params_c, sizeof(tp_params_c));
  420. }
  421. }
  422. static void QuicTestContext_free(QuicTestContext *tctx)
  423. {
  424. OutputBuffer *out, *n;
  425. if (tctx->ssl) {
  426. wolfSSL_free(tctx->ssl);
  427. tctx->ssl = NULL;
  428. }
  429. out = tctx->output.next;
  430. while (out) {
  431. n = out->next;
  432. free(out);
  433. out = n;
  434. }
  435. }
  436. static int ctx_set_encryption_secrets(WOLFSSL *ssl, WOLFSSL_ENCRYPTION_LEVEL level,
  437. const uint8_t *read_secret,
  438. const uint8_t *write_secret, size_t secret_len)
  439. {
  440. QuicTestContext *ctx = (QuicTestContext*)wolfSSL_get_app_data(ssl);
  441. AssertNotNull(ctx);
  442. AssertTrue(secret_len <= sizeof(ctx->rx_secret[0]));
  443. if (read_secret) {
  444. memcpy(ctx->rx_secret[level], read_secret, secret_len);
  445. ctx->rx_secret_len[level] = secret_len;
  446. }
  447. if (write_secret) {
  448. memcpy(ctx->tx_secret[level], write_secret, secret_len);
  449. ctx->tx_secret_len[level] = secret_len;
  450. }
  451. AssertNotNull(ctx);
  452. return 1;
  453. }
  454. static int ctx_add_handshake_data(WOLFSSL *ssl, WOLFSSL_ENCRYPTION_LEVEL level,
  455. const uint8_t *data, size_t len)
  456. {
  457. QuicTestContext *ctx = (QuicTestContext*)wolfSSL_get_app_data(ssl);
  458. OutputBuffer *out;
  459. AssertNotNull(ctx);
  460. out = &ctx->output;
  461. while (out->next) {
  462. out = out->next;
  463. }
  464. if (out->level != level) {
  465. if (out->len > 0) {
  466. out->next = (OutputBuffer*)calloc(1, sizeof(OutputBuffer));
  467. out = out->next;
  468. AssertNotNull(out);
  469. }
  470. out->level = level;
  471. }
  472. if (ctx->verbose) {
  473. printf("[%s] add_handshake[enc_level=%d]: %d bytes\n", ctx->name, level, (int)len);
  474. /* dump_buffer("add", data, len, 0); */
  475. }
  476. if (len > 0) {
  477. AssertTrue(out->len + len < sizeof(out->data));
  478. memcpy(out->data + out->len, data, len);
  479. out->len += len;
  480. }
  481. return 1;
  482. }
  483. static int ctx_flush_flight(WOLFSSL *ssl)
  484. {
  485. QuicTestContext *ctx = (QuicTestContext*)wolfSSL_get_app_data(ssl);
  486. AssertNotNull(ctx);
  487. ctx->flushed = 1;
  488. return 1;
  489. }
  490. static int ctx_send_alert(WOLFSSL *ssl, WOLFSSL_ENCRYPTION_LEVEL level, uint8_t err)
  491. {
  492. QuicTestContext *ctx = (QuicTestContext*)wolfSSL_get_app_data(ssl);
  493. AssertNotNull(ctx);
  494. if (ctx->verbose) {
  495. printf("[%s] send_alert: level=%d, err=%d\n", ctx->name, level, err);
  496. }
  497. ctx->alert_level = level;
  498. ctx->alert = alert;
  499. return 1;
  500. }
  501. #ifdef HAVE_SESSION_TICKET
  502. static int ctx_session_ticket_cb(WOLFSSL* ssl,
  503. const unsigned char* ticket, int ticketSz,
  504. void* cb_ctx)
  505. {
  506. QuicTestContext *ctx = (QuicTestContext*)wolfSSL_get_app_data(ssl);
  507. AssertNotNull(ctx);
  508. (void)cb_ctx;
  509. if (ticketSz < 0 || (size_t)ticketSz > sizeof(ctx->ticket)) {
  510. printf("SESSION TICKET callback: ticket given is too large: %d bytes\n", ticketSz);
  511. return 1;
  512. }
  513. memset(ctx->ticket, 0, sizeof(ctx->ticket));
  514. ctx->ticket_len = (word32)ticketSz;
  515. memcpy(ctx->ticket, ticket, (size_t)ticketSz);
  516. if (ctx->verbose) {
  517. printf("Session Ticket[%s]: ", ctx->name);
  518. dump_buffer("", ticket, (size_t)ticketSz, 4);
  519. }
  520. return 0;
  521. }
  522. #endif
  523. static void ctx_dump_output(QuicTestContext *ctx)
  524. {
  525. dump_buffer("Output", ctx->output.data, ctx->output.len, 0);
  526. }
  527. static void check_handshake_record(const byte *data, size_t data_len, int *ptype, size_t *prlen)
  528. {
  529. word32 rlen;
  530. AssertTrue(data_len >= HANDSHAKE_HEADER_SZ);
  531. *ptype = data[0];
  532. c24to32(&data[1], &rlen);
  533. *prlen = rlen + HANDSHAKE_HEADER_SZ;
  534. }
  535. static void ext_dump(const byte *data, size_t data_len, int indent)
  536. {
  537. size_t idx = 0;
  538. word16 len16, etype, i;
  539. printf("%*sextensions:\n", indent, " ");
  540. while (idx < data_len) {
  541. ato16(&data[idx], &etype); /* extension type */
  542. ato16(&data[idx+2], &len16); /* extension length */
  543. printf(" extension: %04x [", etype);
  544. for (i = 0; i < len16; ++i) {
  545. printf("%s0x%02x", (i? ", ": ""), data[idx+4+i]);
  546. }
  547. printf("]\n");
  548. idx += 2 + 2 + len16;
  549. }
  550. }
  551. static const byte *ext_find(const byte *data, size_t data_len, int ext_type)
  552. {
  553. size_t idx = 0;
  554. word16 len16, etype;
  555. while (idx < data_len) {
  556. ato16(&data[idx], &etype); /* extension type */
  557. if (etype == ext_type) {
  558. return data + idx;
  559. }
  560. ato16(&data[idx+2], &len16); /* extension length */
  561. idx += 2 + 2 + len16;
  562. }
  563. return NULL;
  564. }
  565. static int ext_has(const byte *data, size_t data_len, int ext_type)
  566. {
  567. return ext_find(data, data_len,ext_type) != NULL;
  568. }
  569. static void ext_equals(const byte *data, size_t data_len, int ext_type,
  570. const byte *exp_data, size_t exp_len)
  571. {
  572. const byte *ext;
  573. word16 len16;
  574. AssertNotNull(ext = ext_find(data, data_len, ext_type));
  575. ato16(&ext[2], &len16);
  576. AssertTrue(len16 == exp_len);
  577. AssertTrue(memcmp(ext + 4, exp_data, exp_len) == 0);
  578. }
  579. static void check_quic_client_hello(const byte *data, size_t data_len, int verbose, int indent)
  580. {
  581. size_t idx;
  582. word16 len16;
  583. const byte *exts;
  584. size_t exts_len, rec_len;
  585. int rec_type;
  586. static byte ext_sup_version[3] = {0x02, 0x03, 0x04};
  587. check_handshake_record(data, data_len, &rec_type, &rec_len);
  588. AssertIntEQ(rec_type, client_hello);
  589. idx = HANDSHAKE_HEADER_SZ;
  590. /* the client hello arrives alone */
  591. AssertIntEQ(rec_len, data_len);
  592. AssertTrue(data[idx++] == SSLv3_MAJOR);
  593. AssertTrue(data[idx++] == TLSv1_2_MINOR);
  594. idx += 32; /* 32 bytes RANDOM */
  595. AssertIntEQ(data[idx], 0); /* session id length MUST be 0, RFC9001 ch. 8.4 */
  596. idx += 1 + data[idx];
  597. ato16(&data[idx], &len16); /* ciphers length */
  598. AssertTrue(len16 > 0);
  599. idx += 2 + len16;
  600. AssertTrue(data[idx] == 1); /* compressions */
  601. AssertTrue(data[idx+1] == 0); /* no compression */
  602. idx += 2;
  603. ato16(&data[idx], &len16); /* extensions length */
  604. AssertTrue(len16 > 0);
  605. exts_len = len16;
  606. idx += 2;
  607. exts = &data[idx];
  608. idx += exts_len;
  609. AssertTrue(idx <= rec_len); /* should fit */
  610. for (; idx < rec_len; ++idx) {
  611. AssertTrue(data[idx] == 0); /* padding */
  612. }
  613. ext_equals(exts, exts_len, TLSX_SUPPORTED_VERSIONS,
  614. ext_sup_version, sizeof(ext_sup_version));
  615. if (verbose) {
  616. ext_dump(exts, exts_len, indent);
  617. dump_buffer("", data, data_len, indent);
  618. }
  619. }
  620. static void check_quic_client_hello_tp(OutputBuffer *out, int tp_v1, int tp_draft)
  621. {
  622. size_t idx;
  623. word16 len16;
  624. const byte *exts;
  625. size_t exts_len, rec_len;
  626. int rec_type;
  627. check_handshake_record(out->data, out->len, &rec_type, &rec_len);
  628. AssertIntEQ(rec_type, client_hello);
  629. idx = HANDSHAKE_HEADER_SZ;
  630. idx += 2; /* old version */
  631. idx += 32; /* 32 bytes RANDOM */
  632. idx += 1 + out->data[idx]; /* session id */
  633. ato16(&out->data[idx], &len16); /* ciphers length */
  634. idx += 2 + len16;
  635. idx += 2; /* compression */
  636. ato16(&out->data[idx], &len16); /* extensions length */
  637. AssertTrue(len16 > 0);
  638. exts_len = len16;
  639. idx += 2;
  640. exts = &out->data[idx];
  641. AssertTrue(!ext_has(exts, exts_len, TLSX_KEY_QUIC_TP_PARAMS) == !tp_v1);
  642. AssertTrue(!ext_has(exts, exts_len, TLSX_KEY_QUIC_TP_PARAMS_DRAFT) == !tp_draft);
  643. }
  644. static void check_secrets(QuicTestContext *ctx, WOLFSSL_ENCRYPTION_LEVEL level, size_t rx_len, size_t tx_len)
  645. {
  646. int idx = (int)level;
  647. AssertTrue(idx < 4);
  648. AssertIntEQ(ctx->rx_secret_len[idx], rx_len);
  649. AssertIntEQ(ctx->tx_secret_len[idx], tx_len);
  650. }
  651. static void assert_secrets_EQ(QuicTestContext *ctx1, QuicTestContext *ctx2,
  652. WOLFSSL_ENCRYPTION_LEVEL level)
  653. {
  654. int idx = (int)level;
  655. /* rx secrets are the other ones tx secrets */
  656. AssertIntEQ(ctx1->rx_secret_len[idx], ctx2->tx_secret_len[idx]);
  657. AssertIntEQ(ctx1->tx_secret_len[idx], ctx2->rx_secret_len[idx]);
  658. AssertIntEQ(memcmp(ctx1->rx_secret[idx], ctx2->tx_secret[idx], ctx1->rx_secret_len[idx]), 0);
  659. AssertIntEQ(memcmp(ctx1->tx_secret[idx], ctx2->rx_secret[idx], ctx1->tx_secret_len[idx]), 0);
  660. }
  661. static void check_ee(const byte *data, size_t data_len, int verbose, int indent)
  662. {
  663. size_t rec_len, exts_len, idx;
  664. word16 len16;
  665. const byte *exts;
  666. int rec_type;
  667. check_handshake_record(data, data_len, &rec_type, &rec_len);
  668. AssertIntEQ(rec_type, encrypted_extensions);
  669. idx = HANDSHAKE_HEADER_SZ;
  670. ato16(&data[idx], &len16); /* extensions length */
  671. AssertTrue(len16 > 0);
  672. exts_len = len16;
  673. idx += 2;
  674. exts = &data[idx];
  675. if (verbose) {
  676. ext_dump(exts, exts_len, indent);
  677. dump_buffer("", data, data_len, indent);
  678. }
  679. }
  680. static void check_quic_server_hello(const byte *data, size_t data_len, int verbose, int indent)
  681. {
  682. size_t idx;
  683. word16 len16, cipher;
  684. const byte *exts;
  685. size_t exts_len, rec_len;
  686. static byte ext_sup_version[2] = {0x03, 0x04};
  687. int rec_type;
  688. check_handshake_record(data, data_len, &rec_type, &rec_len);
  689. AssertIntEQ(rec_type, server_hello);
  690. idx = HANDSHAKE_HEADER_SZ;
  691. AssertTrue(data[idx++] == SSLv3_MAJOR);
  692. AssertTrue(data[idx++] == TLSv1_2_MINOR);
  693. idx += 32; /* 32 bytes RANDOM */
  694. /* AssertIntEQ(data[idx], 0); session id of len 0 */
  695. idx += 1 + data[idx];
  696. ato16(&data[idx], &cipher); /* cipher selected */
  697. AssertTrue(cipher != 0);
  698. idx += 2;
  699. AssertTrue(data[idx] == 0); /* null compression */
  700. idx += 1;
  701. ato16(&data[idx], &len16); /* extensions length */
  702. AssertTrue(len16 > 0);
  703. exts_len = len16;
  704. idx += 2;
  705. exts = &data[idx];
  706. idx += exts_len;
  707. AssertTrue(idx <= rec_len); /* should fit */
  708. for (; idx < rec_len; ++idx) {
  709. AssertTrue(data[idx] == 0); /* padding */
  710. }
  711. if (verbose) {
  712. ext_dump(exts, exts_len, indent);
  713. dump_buffer("", data, rec_len, indent);
  714. }
  715. ext_equals(exts, exts_len, TLSX_SUPPORTED_VERSIONS,
  716. ext_sup_version, sizeof(ext_sup_version));
  717. }
  718. static void check_crypto_rec(const byte *data, size_t data_len, int verbose, int indent)
  719. {
  720. size_t rec_len;
  721. int rec_type;
  722. check_handshake_record(data, data_len, &rec_type, &rec_len);
  723. if (verbose) {
  724. dump_buffer("", data, rec_len, indent);
  725. }
  726. }
  727. static void check_crypto_records(QuicTestContext *from, OutputBuffer *out, int indent, char *rec_log, size_t rec_log_size)
  728. {
  729. const byte *data = out->data;
  730. size_t data_len = out->len;
  731. size_t rec_len;
  732. int rec_type;
  733. const char *rec_name;
  734. char lbuffer[128];
  735. void (*check_rec) (const byte *d, size_t l, int v, int indent);
  736. while (data_len > 0) {
  737. check_handshake_record(data, data_len, &rec_type, &rec_len);
  738. if (rec_len > data_len) {
  739. printf("%*sINCOMPLETE CRYPTO?: ", indent, " ");
  740. dump_buffer("", data, data_len, indent);
  741. }
  742. AssertTrue(rec_len <= data_len);
  743. check_rec = check_crypto_rec;
  744. switch (rec_type) {
  745. case client_hello:
  746. rec_name = "ClientHello";
  747. check_rec = check_quic_client_hello;
  748. break;
  749. case server_hello:
  750. rec_name = "ServerHello";
  751. check_rec = check_quic_server_hello;
  752. break;
  753. case session_ticket:
  754. rec_name = "SessionTicket";
  755. break;
  756. case encrypted_extensions:
  757. rec_name = "EncryptedExtension";
  758. check_rec = check_ee;
  759. break;
  760. case certificate:
  761. rec_name = "Certificate";
  762. break;
  763. case certificate_verify:
  764. rec_name = "CertificateVerify";
  765. break;
  766. case finished:
  767. rec_name = "Finished";
  768. break;
  769. default:
  770. (void)XSNPRINTF(lbuffer, sizeof(lbuffer), "%d", rec_type);
  771. rec_name = lbuffer;
  772. break;
  773. }
  774. if (rec_log) {
  775. if (*rec_log) XSTRLCAT(rec_log, ":", rec_log_size);
  776. XSTRLCAT(rec_log, rec_name, rec_log_size);
  777. }
  778. if (from->verbose) printf("%*sCRYPTO[%s]: ", indent, " ", rec_name);
  779. check_rec(data, rec_len, from->verbose, indent);
  780. if (from->verbose) printf("\n");
  781. data += rec_len;
  782. data_len -= rec_len;
  783. }
  784. }
  785. static void QuicTestContext_forward(QuicTestContext *from, QuicTestContext *to, char *rec_log, size_t rec_log_size)
  786. {
  787. int ret;
  788. OutputBuffer *out, *old;
  789. out = &from->output;
  790. while (out->len > 0) {
  791. if (from->verbose) {
  792. printf("[%s -> %s] forward %d bytes at level %d\n",
  793. from->name, to->name, (int)out->len, out->level);
  794. }
  795. if (out->level == wolfssl_encryption_early_data) {
  796. if (from->verbose) dump_buffer("EarlyData", out->data, out->len, 4);
  797. }
  798. else {
  799. check_crypto_records(from, out, 4, rec_log, rec_log_size);
  800. }
  801. ret = wolfSSL_provide_quic_data(to->ssl, out->level, out->data, out->len);
  802. out->len = 0;
  803. AssertIntEQ(ret, WOLFSSL_SUCCESS);
  804. if (out->next) {
  805. old = out->next;
  806. memcpy(out, out->next, sizeof(*out));
  807. free(old);
  808. }
  809. }
  810. }
  811. typedef struct {
  812. QuicTestContext *client;
  813. QuicTestContext *server;
  814. int started;
  815. int verbose;
  816. char rec_log[16*1024];
  817. int sent_early_data;
  818. int accept_early_data;
  819. char early_data[16*1024];
  820. size_t early_data_len;
  821. } QuicConversation;
  822. static void QuicConversation_init(QuicConversation *conv,
  823. QuicTestContext *tclient, QuicTestContext *tserver)
  824. {
  825. memset(conv, 0, sizeof(*conv));
  826. conv->client = tclient;
  827. conv->server = tserver;
  828. conv->verbose = tclient->verbose && tserver->verbose;
  829. }
  830. static int QuicConversation_start(QuicConversation *conv, const byte *data,
  831. size_t data_len, size_t *pwritten)
  832. {
  833. int ret;
  834. AssertFalse(conv->started);
  835. if (conv->verbose) {
  836. printf("[%s <-> %s] starting\n", conv->client->name, conv->server->name);
  837. }
  838. if (data && data_len > 0) {
  839. #ifdef WOLFSSL_EARLY_DATA
  840. int written;
  841. ret = wolfSSL_write_early_data(conv->client->ssl, data, (int)data_len, &written);
  842. if (ret < 0) {
  843. int err = wolfSSL_get_error(conv->client->ssl, ret);
  844. char lbuffer[1024];
  845. printf("EARLY DATA ret = %d, error = %d, %s\n", ret, err, wolfSSL_ERR_error_string((unsigned long)err, lbuffer));
  846. AssertTrue(0);
  847. }
  848. *pwritten = (size_t)written;
  849. conv->sent_early_data = 1;
  850. #else
  851. fprintf(stderr, "Cannot send EARLY DATA without feature enabled!\n");
  852. AssertTrue(0);
  853. #endif
  854. }
  855. else {
  856. ret = wolfSSL_connect(conv->client->ssl);
  857. if (ret != WOLFSSL_SUCCESS) {
  858. AssertIntEQ(wolfSSL_get_error(conv->client->ssl, 0), WC_NO_ERR_TRACE(SSL_ERROR_WANT_READ));
  859. }
  860. if (pwritten) *pwritten = 0;
  861. }
  862. conv->started = 1;
  863. return ret;
  864. }
  865. static int QuicConversation_step(QuicConversation *conv, int may_fail)
  866. {
  867. int n;
  868. if (!conv->started) {
  869. n = wolfSSL_connect(conv->client->ssl);
  870. if (n != WOLFSSL_SUCCESS
  871. && wolfSSL_get_error(conv->client->ssl, 0) != WC_NO_ERR_TRACE(SSL_ERROR_WANT_READ)) {
  872. if (may_fail) return 0;
  873. AssertIntEQ(WC_NO_ERR_TRACE(SSL_ERROR_WANT_READ), wolfSSL_get_error(conv->client->ssl, 0));
  874. }
  875. conv->started = 1;
  876. }
  877. if (conv->server->output.len > 0) {
  878. QuicTestContext_forward(conv->server, conv->client, conv->rec_log, sizeof(conv->rec_log));
  879. n = wolfSSL_quic_read_write(conv->client->ssl);
  880. if (n != WOLFSSL_SUCCESS
  881. && wolfSSL_get_error(conv->client->ssl, 0) != WC_NO_ERR_TRACE(SSL_ERROR_WANT_READ)) {
  882. if (may_fail) return 0;
  883. AssertIntEQ(WC_NO_ERR_TRACE(SSL_ERROR_WANT_READ), wolfSSL_get_error(conv->client->ssl, 0));
  884. }
  885. return 1;
  886. }
  887. else if (conv->client->output.len > 0) {
  888. QuicTestContext_forward(conv->client, conv->server, conv->rec_log, sizeof(conv->rec_log));
  889. #ifdef WOLFSSL_EARLY_DATA
  890. if (conv->accept_early_data) {
  891. int written;
  892. n = wolfSSL_read_early_data(conv->server->ssl,
  893. conv->early_data + conv->early_data_len,
  894. (int)(sizeof(conv->early_data) - conv->early_data_len),
  895. &written);
  896. if (n < 0) {
  897. if (wolfSSL_get_error(conv->server->ssl, 0) != WC_NO_ERR_TRACE(SSL_ERROR_WANT_READ)) {
  898. if (may_fail) return 0;
  899. AssertIntEQ(wolfSSL_get_error(conv->server->ssl, 0), WC_NO_ERR_TRACE(SSL_ERROR_WANT_READ));
  900. }
  901. }
  902. else if (n > 0) {
  903. conv->early_data_len += (size_t)n;
  904. if (conv->verbose)
  905. printf("RECVed early data, len now=%d\n", (int)conv->early_data_len);
  906. }
  907. }
  908. else
  909. #endif /* WOLFSSL_EARLY_DATA */
  910. {
  911. n = wolfSSL_quic_read_write(conv->server->ssl);
  912. if (n != WOLFSSL_SUCCESS
  913. && wolfSSL_get_error(conv->server->ssl, 0) != WC_NO_ERR_TRACE(SSL_ERROR_WANT_READ)) {
  914. if (may_fail) return 0;
  915. AssertIntEQ(wolfSSL_get_error(conv->server->ssl, 0), WC_NO_ERR_TRACE(SSL_ERROR_WANT_READ));
  916. }
  917. }
  918. return 1;
  919. }
  920. return 0;
  921. }
  922. static void QuicConversation_do(QuicConversation *conv)
  923. {
  924. if (!conv->started) {
  925. QuicConversation_start(conv, NULL, 0, NULL);
  926. }
  927. while (1) {
  928. if (!QuicConversation_step(conv, 0)) {
  929. int c_err = wolfSSL_get_error(conv->client->ssl, 0);
  930. int s_err = wolfSSL_get_error(conv->server->ssl, 0);
  931. if (c_err == 0 && s_err == 0) {
  932. break; /* handshake done */
  933. }
  934. printf("Neither tclient nor server have anything to send, "
  935. "but client_error=%d, server_error=%d\n",
  936. c_err, s_err);
  937. AssertFalse(1);
  938. }
  939. }
  940. }
  941. #ifdef HAVE_SESSION_TICKET
  942. static void QuicConversation_fail(QuicConversation *conv)
  943. {
  944. if (!conv->started) {
  945. QuicConversation_start(conv, NULL, 0, NULL);
  946. }
  947. while (1) {
  948. if (!QuicConversation_step(conv, 1)) {
  949. int c_err = wolfSSL_get_error(conv->client->ssl, 0);
  950. int s_err = wolfSSL_get_error(conv->server->ssl, 0);
  951. AssertTrue(c_err != 0 || s_err != 0);
  952. break;
  953. }
  954. }
  955. }
  956. #endif /* HAVE_SESSION_TICKET */
  957. static int test_quic_client_hello(int verbose) {
  958. WOLFSSL_CTX *ctx;
  959. int ret = 0;
  960. QuicTestContext tctx;
  961. (void)ctx_dump_output;
  962. AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method()));
  963. QuicTestContext_init(&tctx, ctx, "client", verbose);
  964. /* Without any QUIC transport params, this needs to fail */
  965. AssertTrue(wolfSSL_set_quic_transport_params(tctx.ssl, NULL, 0) == WOLFSSL_SUCCESS);
  966. AssertTrue(wolfSSL_quic_read_write(tctx.ssl) != 0);
  967. AssertIntEQ(wolfSSL_get_error(tctx.ssl, 0), WC_NO_ERR_TRACE(QUIC_TP_MISSING_E));
  968. QuicTestContext_free(&tctx);
  969. /* Set transport params, expect both extensions */
  970. QuicTestContext_init(&tctx, ctx, "client", verbose);
  971. #ifdef HAVE_SNI
  972. wolfSSL_UseSNI(tctx.ssl, WOLFSSL_SNI_HOST_NAME,
  973. "wolfssl.com", sizeof("wolfssl.com")-1);
  974. #endif
  975. AssertTrue(wolfSSL_connect(tctx.ssl) != 0);
  976. AssertIntEQ(wolfSSL_get_error(tctx.ssl, 0), WC_NO_ERR_TRACE(SSL_ERROR_WANT_READ));
  977. check_quic_client_hello_tp(&tctx.output, 1, 1);
  978. QuicTestContext_free(&tctx);
  979. /* Set transport params v1, expect v1 extension */
  980. QuicTestContext_init(&tctx, ctx, "client", verbose);
  981. wolfSSL_set_quic_transport_version(tctx.ssl, TLSX_KEY_QUIC_TP_PARAMS);
  982. AssertTrue(wolfSSL_connect(tctx.ssl) != 0);
  983. check_quic_client_hello_tp(&tctx.output, 1, 0);
  984. QuicTestContext_free(&tctx);
  985. /* Set transport params draft, expect draft extension */
  986. QuicTestContext_init(&tctx, ctx, "client", verbose);
  987. wolfSSL_set_quic_transport_version(tctx.ssl, TLSX_KEY_QUIC_TP_PARAMS_DRAFT);
  988. AssertTrue(wolfSSL_connect(tctx.ssl) != 0);
  989. check_quic_client_hello_tp(&tctx.output, 0, 1);
  990. QuicTestContext_free(&tctx);
  991. /* Set transport params 0, expect both extension */
  992. QuicTestContext_init(&tctx, ctx, "client", verbose);
  993. wolfSSL_set_quic_transport_version(tctx.ssl, 0);
  994. AssertTrue(wolfSSL_connect(tctx.ssl) != 0);
  995. check_quic_client_hello_tp(&tctx.output, 1, 1);
  996. QuicTestContext_free(&tctx);
  997. wolfSSL_CTX_free(ctx);
  998. printf(" test_quic_client_hello: %s\n", (ret == 0)? passed : failed);
  999. return ret;
  1000. }
  1001. static int test_quic_server_hello(int verbose) {
  1002. WOLFSSL_CTX *ctx_c, *ctx_s;
  1003. int ret = 0;
  1004. QuicTestContext tclient, tserver;
  1005. QuicConversation conv;
  1006. AssertNotNull(ctx_c = wolfSSL_CTX_new(wolfTLSv1_3_client_method()));
  1007. AssertNotNull(ctx_s = wolfSSL_CTX_new(wolfTLSv1_3_server_method()));
  1008. AssertTrue(wolfSSL_CTX_use_certificate_file(ctx_s, svrCertFile, WOLFSSL_FILETYPE_PEM));
  1009. AssertTrue(wolfSSL_CTX_use_PrivateKey_file(ctx_s, svrKeyFile, WOLFSSL_FILETYPE_PEM));
  1010. /* setup ssls */
  1011. QuicTestContext_init(&tclient, ctx_c, "client", verbose);
  1012. QuicTestContext_init(&tserver, ctx_s, "server", verbose);
  1013. /* connect */
  1014. QuicConversation_init(&conv, &tclient, &tserver);
  1015. QuicConversation_step(&conv, 0);
  1016. /* check established/missing secrets */
  1017. check_secrets(&tserver, wolfssl_encryption_initial, 0, 0);
  1018. check_secrets(&tserver, wolfssl_encryption_handshake,
  1019. DEFAULT_TLS_DIGEST_SZ, DEFAULT_TLS_DIGEST_SZ);
  1020. check_secrets(&tserver, wolfssl_encryption_application,
  1021. DEFAULT_TLS_DIGEST_SZ, DEFAULT_TLS_DIGEST_SZ);
  1022. check_secrets(&tclient, wolfssl_encryption_handshake, 0, 0);
  1023. /* feed the server data to the client */
  1024. QuicConversation_step(&conv, 0);
  1025. /* client has generated handshake secret */
  1026. check_secrets(&tclient, wolfssl_encryption_handshake,
  1027. DEFAULT_TLS_DIGEST_SZ, DEFAULT_TLS_DIGEST_SZ);
  1028. /* continue the handshake till done */
  1029. conv.started = 1;
  1030. /* run till end */
  1031. QuicConversation_do(&conv);
  1032. AssertIntEQ(tclient.output.len, 0);
  1033. AssertIntEQ(tserver.output.len, 0);
  1034. /* what have we seen? */
  1035. #ifdef HAVE_SESSION_TICKET
  1036. AssertStrEQ(conv.rec_log, "ClientHello:ServerHello:EncryptedExtension:"
  1037. "Certificate:CertificateVerify:Finished:Finished:SessionTicket");
  1038. #else
  1039. AssertStrEQ(conv.rec_log, "ClientHello:ServerHello:EncryptedExtension:"
  1040. "Certificate:CertificateVerify:Finished:Finished");
  1041. #endif
  1042. /* we are at application encryption level */
  1043. AssertTrue(wolfSSL_quic_read_level(tclient.ssl) == wolfssl_encryption_application);
  1044. AssertTrue(wolfSSL_quic_write_level(tclient.ssl) == wolfssl_encryption_application);
  1045. AssertTrue(wolfSSL_quic_read_level(tserver.ssl) == wolfssl_encryption_application);
  1046. AssertTrue(wolfSSL_quic_write_level(tserver.ssl) == wolfssl_encryption_application);
  1047. /* the last client write (FINISHED) was at handshake level */
  1048. AssertTrue(tclient.output.level == wolfssl_encryption_handshake);
  1049. /* we have the app secrets */
  1050. check_secrets(&tclient, wolfssl_encryption_application,
  1051. DEFAULT_TLS_DIGEST_SZ, DEFAULT_TLS_DIGEST_SZ);
  1052. check_secrets(&tserver, wolfssl_encryption_application,
  1053. DEFAULT_TLS_DIGEST_SZ, DEFAULT_TLS_DIGEST_SZ);
  1054. /* verify client and server have the same secrets established */
  1055. assert_secrets_EQ(&tclient, &tserver, wolfssl_encryption_handshake);
  1056. assert_secrets_EQ(&tclient, &tserver, wolfssl_encryption_application);
  1057. /* AEAD cipher should be known */
  1058. AssertNotNull(wolfSSL_quic_get_aead(tclient.ssl));
  1059. AssertNotNull(wolfSSL_quic_get_aead(tserver.ssl));
  1060. /* What was negiotiated and is it the same? */
  1061. AssertIntEQ(wolfSSL_get_peer_quic_transport_version(tclient.ssl),
  1062. wolfSSL_get_peer_quic_transport_version(tserver.ssl));
  1063. QuicTestContext_free(&tclient);
  1064. QuicTestContext_free(&tserver);
  1065. wolfSSL_CTX_free(ctx_c);
  1066. wolfSSL_CTX_free(ctx_s);
  1067. printf(" test_quic_server_hello: %s\n", (ret == 0)? passed : failed);
  1068. return ret;
  1069. }
  1070. /* This has gotten a bit out of hand. */
  1071. #if (defined(OPENSSL_ALL) || (defined(OPENSSL_EXTRA) && \
  1072. (defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) || \
  1073. defined(HAVE_LIGHTY) || defined(WOLFSSL_HAPROXY) || \
  1074. defined(WOLFSSL_OPENSSH) || defined(HAVE_SBLIM_SFCB)))) \
  1075. && defined(HAVE_ALPN) && defined(HAVE_SNI)
  1076. #define REALLY_HAVE_ALPN_AND_SNI
  1077. #else
  1078. #undef REALLY_HAVE_ALPN_AND_SNI
  1079. #endif
  1080. #ifdef REALLY_HAVE_ALPN_AND_SNI
  1081. struct stripe_buffer {
  1082. char stripe[256];
  1083. };
  1084. static int inspect_SNI(WOLFSSL *ssl, int *ad, void *baton)
  1085. {
  1086. struct stripe_buffer *stripe = (struct stripe_buffer *)baton;
  1087. (void)ssl;
  1088. *ad = 0;
  1089. XSTRLCAT(stripe->stripe, "S", sizeof(stripe->stripe));
  1090. return 0;
  1091. }
  1092. static int select_ALPN(WOLFSSL *ssl,
  1093. const unsigned char **out,
  1094. unsigned char *outlen,
  1095. const unsigned char *in,
  1096. unsigned int inlen,
  1097. void *baton)
  1098. {
  1099. struct stripe_buffer *stripe = (struct stripe_buffer *)baton;
  1100. (void)ssl;
  1101. (void)inlen;
  1102. /* just select the first */
  1103. *out = in + 1;
  1104. *outlen = in[0];
  1105. XSTRLCAT(stripe->stripe, "A", sizeof(stripe->stripe));
  1106. return 0;
  1107. }
  1108. static int test_quic_alpn(int verbose) {
  1109. WOLFSSL_CTX *ctx_c, *ctx_s;
  1110. int ret = 0;
  1111. QuicTestContext tclient, tserver;
  1112. QuicConversation conv;
  1113. struct stripe_buffer stripe;
  1114. unsigned char alpn_protos[256];
  1115. AssertNotNull(ctx_c = wolfSSL_CTX_new(wolfTLSv1_3_client_method()));
  1116. AssertNotNull(ctx_s = wolfSSL_CTX_new(wolfTLSv1_3_server_method()));
  1117. AssertTrue(wolfSSL_CTX_use_certificate_file(ctx_s, svrCertFile, WOLFSSL_FILETYPE_PEM));
  1118. AssertTrue(wolfSSL_CTX_use_PrivateKey_file(ctx_s, svrKeyFile, WOLFSSL_FILETYPE_PEM));
  1119. stripe.stripe[0] = '\0';
  1120. wolfSSL_CTX_set_servername_callback(ctx_s, inspect_SNI);
  1121. wolfSSL_CTX_set_servername_arg(ctx_s, &stripe);
  1122. wolfSSL_CTX_set_alpn_select_cb(ctx_s, select_ALPN, &stripe);
  1123. /* setup ssls */
  1124. QuicTestContext_init(&tclient, ctx_c, "client", verbose);
  1125. QuicTestContext_init(&tserver, ctx_s, "server", verbose);
  1126. /* set SNI and ALPN callbacks on server side,
  1127. * provide values on client side */
  1128. wolfSSL_UseSNI(tclient.ssl, WOLFSSL_SNI_HOST_NAME,
  1129. "wolfssl.com", sizeof("wolfssl.com")-1);
  1130. /* connect */
  1131. QuicConversation_init(&conv, &tclient, &tserver);
  1132. XSTRLCPY((char*)(alpn_protos + 1), "test", sizeof(alpn_protos));
  1133. alpn_protos[0] = strlen("test");
  1134. wolfSSL_set_alpn_protos(tclient.ssl, alpn_protos, 1 + strlen("test"));
  1135. QuicConversation_do(&conv);
  1136. AssertIntEQ(tclient.output.len, 0);
  1137. AssertIntEQ(tserver.output.len, 0);
  1138. /* SNI callback needs to be called before ALPN callback */
  1139. AssertStrEQ(stripe.stripe, "SA");
  1140. QuicTestContext_free(&tclient);
  1141. QuicTestContext_free(&tserver);
  1142. wolfSSL_CTX_free(ctx_c);
  1143. wolfSSL_CTX_free(ctx_s);
  1144. printf(" test_quic_alpn: %s\n", (ret == 0)? passed : failed);
  1145. return ret;
  1146. }
  1147. #endif /* REALLY_HAVE_ALPN_AND_SNI */
  1148. #ifdef HAVE_SESSION_TICKET
  1149. static int test_quic_key_share(int verbose) {
  1150. WOLFSSL_CTX *ctx_c, *ctx_s;
  1151. int ret = 0;
  1152. QuicTestContext tclient, tserver;
  1153. QuicConversation conv;
  1154. AssertNotNull(ctx_c = wolfSSL_CTX_new(wolfTLSv1_3_client_method()));
  1155. AssertNotNull(ctx_s = wolfSSL_CTX_new(wolfTLSv1_3_server_method()));
  1156. AssertTrue(wolfSSL_CTX_use_certificate_file(ctx_s, svrCertFile, WOLFSSL_FILETYPE_PEM));
  1157. AssertTrue(wolfSSL_CTX_use_PrivateKey_file(ctx_s, svrKeyFile, WOLFSSL_FILETYPE_PEM));
  1158. /* setup & handshake defaults */
  1159. QuicTestContext_init(&tclient, ctx_c, "client", verbose);
  1160. QuicTestContext_init(&tserver, ctx_s, "server", verbose);
  1161. QuicConversation_init(&conv, &tclient, &tserver);
  1162. QuicConversation_do(&conv);
  1163. AssertStrEQ(conv.rec_log, "ClientHello:ServerHello:EncryptedExtension:"
  1164. "Certificate:CertificateVerify:Finished:Finished:SessionTicket");
  1165. QuicTestContext_free(&tclient);
  1166. QuicTestContext_free(&tserver);
  1167. /* setup & handshake, restricted groups. KEY_SHARE should use
  1168. * the first configured group. */
  1169. /*If that is supported by the server, expect a smooth handshake.*/
  1170. QuicTestContext_init(&tclient, ctx_c, "client", verbose);
  1171. QuicTestContext_init(&tserver, ctx_s, "server", verbose);
  1172. AssertTrue(wolfSSL_set1_curves_list(tclient.ssl, "X25519:P-256")
  1173. == WOLFSSL_SUCCESS);
  1174. AssertTrue(wolfSSL_set1_curves_list(tserver.ssl, "X25519")
  1175. == WOLFSSL_SUCCESS);
  1176. QuicConversation_init(&conv, &tclient, &tserver);
  1177. QuicConversation_do(&conv);
  1178. AssertStrEQ(conv.rec_log,
  1179. "ClientHello:ServerHello:EncryptedExtension:"
  1180. "Certificate:CertificateVerify:Finished:Finished:SessionTicket");
  1181. QuicTestContext_free(&tclient);
  1182. QuicTestContext_free(&tserver);
  1183. printf(" test_quic_key_share: priority ok\n");
  1184. /* If group is not supported by server, expect HelloRetry */
  1185. QuicTestContext_init(&tclient, ctx_c, "client", verbose);
  1186. QuicTestContext_init(&tserver, ctx_s, "server", verbose);
  1187. AssertTrue(wolfSSL_set1_curves_list(tclient.ssl, "X25519:P-256")
  1188. == WOLFSSL_SUCCESS);
  1189. AssertTrue(wolfSSL_set1_curves_list(tserver.ssl, "P-256")
  1190. == WOLFSSL_SUCCESS);
  1191. QuicConversation_init(&conv, &tclient, &tserver);
  1192. QuicConversation_do(&conv);
  1193. AssertStrEQ(conv.rec_log,
  1194. "ClientHello:ServerHello:ClientHello:ServerHello:EncryptedExtension:"
  1195. "Certificate:CertificateVerify:Finished:Finished:SessionTicket");
  1196. QuicTestContext_free(&tclient);
  1197. QuicTestContext_free(&tserver);
  1198. printf(" test_quic_key_share: retry ok\n");
  1199. /* If no group overlap, expect failure */
  1200. QuicTestContext_init(&tclient, ctx_c, "client", verbose);
  1201. QuicTestContext_init(&tserver, ctx_s, "server", verbose);
  1202. AssertTrue(wolfSSL_set1_curves_list(tclient.ssl, "P-256")
  1203. == WOLFSSL_SUCCESS);
  1204. AssertTrue(wolfSSL_set1_curves_list(tserver.ssl, "X25519")
  1205. == WOLFSSL_SUCCESS);
  1206. QuicConversation_init(&conv, &tclient, &tserver);
  1207. QuicConversation_fail(&conv);
  1208. AssertIntEQ(wolfSSL_get_error(tserver.ssl, 0), WC_NO_ERR_TRACE(SSL_ERROR_WANT_READ));
  1209. AssertIntEQ(wolfSSL_get_error(tclient.ssl, 0), WC_NO_ERR_TRACE(BAD_KEY_SHARE_DATA));
  1210. QuicTestContext_free(&tclient);
  1211. QuicTestContext_free(&tserver);
  1212. printf(" test_quic_key_share: no match ok\n");
  1213. wolfSSL_CTX_free(ctx_c);
  1214. wolfSSL_CTX_free(ctx_s);
  1215. printf(" test_quic_key_share: %s\n", (ret == 0)? passed : failed);
  1216. return ret;
  1217. }
  1218. static int test_quic_resumption(int verbose) {
  1219. WOLFSSL_CTX *ctx_c, *ctx_s;
  1220. WOLFSSL_SESSION *session, *session_restored;
  1221. int ret = 0;
  1222. QuicTestContext tclient, tserver;
  1223. QuicConversation conv;
  1224. unsigned char session_buffer[16 * 1024], *session_data;
  1225. const unsigned char *session_data2;
  1226. unsigned int session_size;
  1227. AssertNotNull(ctx_c = wolfSSL_CTX_new(wolfTLSv1_3_client_method()));
  1228. AssertNotNull(ctx_s = wolfSSL_CTX_new(wolfTLSv1_3_server_method()));
  1229. AssertTrue(wolfSSL_CTX_use_certificate_file(ctx_s, svrCertFile, WOLFSSL_FILETYPE_PEM));
  1230. AssertTrue(wolfSSL_CTX_use_PrivateKey_file(ctx_s, svrKeyFile, WOLFSSL_FILETYPE_PEM));
  1231. /* setup ssls */
  1232. QuicTestContext_init(&tclient, ctx_c, "client", verbose);
  1233. QuicTestContext_init(&tserver, ctx_s, "server", verbose);
  1234. QuicConversation_init(&conv, &tclient, &tserver);
  1235. /* run till end */
  1236. QuicConversation_do(&conv);
  1237. /* what have we seen? */
  1238. AssertStrEQ(conv.rec_log, "ClientHello:ServerHello:EncryptedExtension:"
  1239. "Certificate:CertificateVerify:Finished:Finished:SessionTicket");
  1240. /* Should have received a session ticket, save the session
  1241. * and also make a serialized/deserialized copy to check that persisting
  1242. * a session works. */
  1243. AssertTrue(tclient.ticket_len > 0);
  1244. AssertNotNull(session = wolfSSL_get1_session(tclient.ssl));
  1245. AssertTrue((session_size = (unsigned int)wolfSSL_i2d_SSL_SESSION(session, NULL)) > 0);
  1246. AssertTrue((size_t)session_size < sizeof(session_buffer));
  1247. session_data2 = session_data = session_buffer;
  1248. session_size = (unsigned int)wolfSSL_i2d_SSL_SESSION(session, &session_data);
  1249. session_restored = wolfSSL_d2i_SSL_SESSION(NULL, &session_data2, session_size);
  1250. AssertNotNull(session_restored);
  1251. QuicTestContext_free(&tserver);
  1252. QuicTestContext_free(&tclient);
  1253. /* Do a Session resumption with the session object */
  1254. QuicTestContext_init(&tserver, ctx_s, "server", verbose);
  1255. QuicTestContext_init(&tclient, ctx_c, "client_resume", verbose);
  1256. AssertIntEQ(wolfSSL_set_session(tclient.ssl, session), WOLFSSL_SUCCESS);
  1257. /* let them talk */
  1258. QuicConversation_init(&conv, &tclient, &tserver);
  1259. QuicConversation_do(&conv);
  1260. /* this is what should happen. Look Ma, no certificate! */
  1261. AssertStrEQ(conv.rec_log, "ClientHello:ServerHello:EncryptedExtension:"
  1262. "Finished:Finished:SessionTicket");
  1263. QuicTestContext_free(&tclient);
  1264. QuicTestContext_free(&tserver);
  1265. /* Do a Session resumption with the restored session object */
  1266. QuicTestContext_init(&tserver, ctx_s, "server", verbose);
  1267. QuicTestContext_init(&tclient, ctx_c, "client_resume_restored", verbose);
  1268. AssertIntEQ(wolfSSL_set_session(tclient.ssl, session_restored), WOLFSSL_SUCCESS);
  1269. /* let them talk */
  1270. QuicConversation_init(&conv, &tclient, &tserver);
  1271. QuicConversation_do(&conv);
  1272. /* this is what should happen. Look Ma, no certificate! */
  1273. AssertStrEQ(conv.rec_log, "ClientHello:ServerHello:EncryptedExtension:"
  1274. "Finished:Finished:SessionTicket");
  1275. QuicTestContext_free(&tclient);
  1276. QuicTestContext_free(&tserver);
  1277. {
  1278. /* Do a Session resumption with a new server ctx */
  1279. WOLFSSL_CTX *ctx_s2;
  1280. AssertNotNull(ctx_s2 = wolfSSL_CTX_new(wolfTLSv1_3_server_method()));
  1281. AssertTrue(wolfSSL_CTX_use_certificate_file(ctx_s2, eccCertFile, WOLFSSL_FILETYPE_PEM));
  1282. AssertTrue(wolfSSL_CTX_use_PrivateKey_file(ctx_s2, eccKeyFile, WOLFSSL_FILETYPE_PEM));
  1283. QuicTestContext_init(&tserver, ctx_s2, "server2", verbose);
  1284. QuicTestContext_init(&tclient, ctx_c, "client_resume2", verbose);
  1285. AssertIntEQ(wolfSSL_set_session(tclient.ssl, session_restored), WOLFSSL_SUCCESS);
  1286. /* let them talk */
  1287. QuicConversation_init(&conv, &tclient, &tserver);
  1288. QuicConversation_do(&conv);
  1289. AssertStrEQ(conv.rec_log, "ClientHello:ServerHello:EncryptedExtension:"
  1290. "Certificate:CertificateVerify:Finished:Finished:SessionTicket");
  1291. QuicTestContext_free(&tclient);
  1292. QuicTestContext_free(&tserver);
  1293. wolfSSL_CTX_free(ctx_s2);
  1294. }
  1295. wolfSSL_SESSION_free(session);
  1296. wolfSSL_SESSION_free(session_restored);
  1297. wolfSSL_CTX_free(ctx_c);
  1298. wolfSSL_CTX_free(ctx_s);
  1299. printf(" test_quic_resumption: %s\n", (ret == 0)? passed : failed);
  1300. return ret;
  1301. }
  1302. #ifdef WOLFSSL_EARLY_DATA
  1303. static int test_quic_early_data(int verbose) {
  1304. WOLFSSL_CTX *ctx_c, *ctx_s;
  1305. int ret = 0;
  1306. QuicTestContext tclient, tserver;
  1307. QuicConversation conv;
  1308. const byte early_data[] = "Nulla dies sine linea!";
  1309. size_t ed_written;
  1310. WOLFSSL_SESSION *session;
  1311. unsigned int max_early_sz;
  1312. AssertNotNull(ctx_c = wolfSSL_CTX_new(wolfTLSv1_3_client_method()));
  1313. wolfSSL_CTX_UseSessionTicket(ctx_c);
  1314. AssertNotNull(ctx_s = wolfSSL_CTX_new(wolfTLSv1_3_server_method()));
  1315. AssertTrue(wolfSSL_CTX_use_certificate_file(ctx_s, svrCertFile, WOLFSSL_FILETYPE_PEM));
  1316. AssertTrue(wolfSSL_CTX_use_PrivateKey_file(ctx_s, svrKeyFile, WOLFSSL_FILETYPE_PEM));
  1317. /* setup ssls */
  1318. QuicTestContext_init(&tclient, ctx_c, "client", verbose);
  1319. QuicTestContext_init(&tserver, ctx_s, "server", verbose);
  1320. wolfSSL_set_quic_early_data_enabled(tserver.ssl, 1);
  1321. /* QUIC only allows 0xffffffff or 0x0 as values */
  1322. AssertIntEQ(wolfSSL_get_max_early_data(tserver.ssl), UINT32_MAX);
  1323. QuicConversation_init(&conv, &tclient, &tserver);
  1324. /* run till end */
  1325. QuicConversation_do(&conv);
  1326. /* what have we seen? */
  1327. AssertStrEQ(conv.rec_log, "ClientHello:ServerHello:EncryptedExtension:"
  1328. "Certificate:CertificateVerify:Finished:Finished:SessionTicket");
  1329. /* Should have received a session ticket, save the session */
  1330. AssertTrue(tclient.ticket_len > 0);
  1331. AssertNotNull(session = wolfSSL_get1_session(tclient.ssl));
  1332. QuicTestContext_free(&tclient);
  1333. QuicTestContext_free(&tserver);
  1334. /* QUIC requires 0 or 0xffffffff as only allowed values.
  1335. * Since we enabled early data in the server that created the session,
  1336. * we need to see it here. */
  1337. max_early_sz = wolfSSL_SESSION_get_max_early_data(session);
  1338. AssertIntEQ(max_early_sz, UINT32_MAX);
  1339. /* Do a Session resumption with the ticket */
  1340. QuicTestContext_init(&tserver, ctx_s, "server", verbose);
  1341. QuicTestContext_init(&tclient, ctx_c, "client", verbose);
  1342. AssertIntEQ(wolfSSL_set_session(tclient.ssl, session), WOLFSSL_SUCCESS);
  1343. /* enable early data -*/
  1344. wolfSSL_set_quic_early_data_enabled(tserver.ssl, 1);
  1345. /* client will send, and server will receive implicitly */
  1346. QuicConversation_init(&conv, &tclient, &tserver);
  1347. QuicConversation_start(&conv, early_data, sizeof(early_data), &ed_written);
  1348. QuicConversation_do(&conv);
  1349. AssertIntEQ(wolfSSL_get_early_data_status(tclient.ssl), WOLFSSL_EARLY_DATA_ACCEPTED);
  1350. QuicTestContext_free(&tclient);
  1351. QuicTestContext_free(&tserver);
  1352. QuicTestContext_init(&tserver, ctx_s, "server", verbose);
  1353. QuicTestContext_init(&tclient, ctx_c, "client", verbose);
  1354. AssertIntEQ(wolfSSL_set_session(tclient.ssl, session), WOLFSSL_SUCCESS);
  1355. /* client will send, and server will receive */
  1356. QuicConversation_init(&conv, &tclient, &tserver);
  1357. /* make QuicConversation_do() use wolfSSL_read_early_data() */
  1358. conv.accept_early_data = 1;
  1359. QuicConversation_start(&conv, early_data, sizeof(early_data), &ed_written);
  1360. QuicConversation_do(&conv);
  1361. AssertIntEQ(wolfSSL_get_early_data_status(tclient.ssl), WOLFSSL_EARLY_DATA_ACCEPTED);
  1362. AssertIntEQ(conv.early_data_len, sizeof(early_data));
  1363. AssertStrEQ(conv.early_data, (const char*)early_data);
  1364. QuicTestContext_free(&tclient);
  1365. QuicTestContext_free(&tserver);
  1366. wolfSSL_SESSION_free(session);
  1367. wolfSSL_CTX_free(ctx_c);
  1368. wolfSSL_CTX_free(ctx_s);
  1369. printf(" test_quic_early_data: %s\n", (ret == 0)? passed : failed);
  1370. return ret;
  1371. }
  1372. #endif /* WOLFSSL_EARLY_DATA */
  1373. static int new_session_cb(WOLFSSL *ssl, WOLFSSL_SESSION *session)
  1374. {
  1375. QuicTestContext *ctx = (QuicTestContext*)wolfSSL_get_app_data(ssl);
  1376. byte *data;
  1377. int ret = 0;
  1378. int sz;
  1379. AssertNotNull(ctx);
  1380. sz = wolfSSL_i2d_SSL_SESSION(session, NULL);
  1381. if (sz <= 0) {
  1382. printf("[%s] session serialization error: %d <- ", ctx->name, sz);
  1383. return sz;
  1384. }
  1385. if ((size_t)sz > sizeof(ctx->session)) {
  1386. printf("[%s] session serialization too large: %d <- ", ctx->name, sz);
  1387. return -1;
  1388. }
  1389. data = ctx->session;
  1390. ctx->session_len = (word32)wolfSSL_i2d_SSL_SESSION(session, &data);
  1391. if (ctx->verbose) {
  1392. printf("[%s]", ctx->name);
  1393. dump_buffer(" new SESSION", ctx->session, ctx->session_len, 4);
  1394. }
  1395. return ret;
  1396. }
  1397. static int test_quic_session_export(int verbose)
  1398. {
  1399. WOLFSSL_CTX *ctx_c, *ctx_s;
  1400. WOLFSSL_SESSION *session = NULL;
  1401. int ret = 0;
  1402. QuicTestContext tclient, tserver;
  1403. QuicConversation conv;
  1404. byte session_data[16*1024];
  1405. const byte *bp;
  1406. word32 session_len;
  1407. AssertNotNull(ctx_c = wolfSSL_CTX_new(wolfTLSv1_3_client_method()));
  1408. AssertNotNull(ctx_s = wolfSSL_CTX_new(wolfTLSv1_3_server_method()));
  1409. AssertTrue(wolfSSL_CTX_use_certificate_file(ctx_s, svrCertFile, WOLFSSL_FILETYPE_PEM));
  1410. AssertTrue(wolfSSL_CTX_use_PrivateKey_file(ctx_s, svrKeyFile, WOLFSSL_FILETYPE_PEM));
  1411. /* Uses CTX session callback for new sessions */
  1412. wolfSSL_CTX_sess_set_new_cb(ctx_c, new_session_cb);
  1413. /* setup ssls */
  1414. QuicTestContext_init(&tclient, ctx_c, "client", verbose);
  1415. QuicTestContext_init(&tserver, ctx_s, "server", verbose);
  1416. QuicConversation_init(&conv, &tclient, &tserver);
  1417. /* run till end */
  1418. QuicConversation_do(&conv);
  1419. /* what have we seen? */
  1420. AssertStrEQ(conv.rec_log, "ClientHello:ServerHello:EncryptedExtension:Certificate:CertificateVerify:Finished:Finished:SessionTicket");
  1421. /* Should have received a session, save it */
  1422. AssertTrue(tclient.session_len > 0);
  1423. memcpy(session_data, tclient.session, tclient.session_len);
  1424. session_len = tclient.session_len;
  1425. if (verbose)
  1426. dump_buffer("copied SESSION", session_data, session_len, 0);
  1427. QuicTestContext_free(&tserver);
  1428. QuicTestContext_free(&tclient);
  1429. /* Do a Session resumption with the ticket */
  1430. QuicTestContext_init(&tserver, ctx_s, "server", verbose);
  1431. QuicTestContext_init(&tclient, ctx_c, "client_resume", verbose);
  1432. bp = session_data;
  1433. AssertNotNull(session = wolfSSL_d2i_SSL_SESSION(NULL, &bp, session_len));
  1434. AssertIntEQ(wolfSSL_set_session(tclient.ssl, session), WOLFSSL_SUCCESS);
  1435. wolfSSL_SESSION_free(session);
  1436. /* let them talk */
  1437. QuicConversation_init(&conv, &tclient, &tserver);
  1438. QuicConversation_do(&conv);
  1439. /* this is what should happen. Look Ma, no certificate! */
  1440. AssertStrEQ(conv.rec_log, "ClientHello:ServerHello:EncryptedExtension:Finished:Finished:SessionTicket");
  1441. QuicTestContext_free(&tclient);
  1442. QuicTestContext_free(&tserver);
  1443. wolfSSL_CTX_free(ctx_c);
  1444. wolfSSL_CTX_free(ctx_s);
  1445. printf(" test_quic_session_export: %s\n", (ret == 0)? passed : failed);
  1446. return ret;
  1447. }
  1448. #endif /* WOLFSSL_SESSION_EXPORT */
  1449. #endif /* WOLFSSL_QUIC */
  1450. int QuicTest(void)
  1451. {
  1452. int ret = 0;
  1453. #ifdef WOLFSSL_QUIC
  1454. int verbose = 0;
  1455. printf(" Begin QUIC Tests\n");
  1456. if ((ret = test_set_quic_method()) != 0) goto leave;
  1457. if ((ret = test_provide_quic_data()) != 0) goto leave;
  1458. if ((ret = test_quic_crypt()) != 0) goto leave;
  1459. if ((ret = test_quic_client_hello(verbose)) != 0) goto leave;
  1460. if ((ret = test_quic_server_hello(verbose)) != 0) goto leave;
  1461. #ifdef REALLY_HAVE_ALPN_AND_SNI
  1462. if ((ret = test_quic_alpn(verbose)) != 0) goto leave;
  1463. #endif /* REALLY_HAVE_ALPN_AND_SNI */
  1464. #ifdef HAVE_SESSION_TICKET
  1465. if ((ret = test_quic_key_share(verbose)) != 0) goto leave;
  1466. if ((ret = test_quic_resumption(verbose)) != 0) goto leave;
  1467. #ifdef WOLFSSL_EARLY_DATA
  1468. if ((ret = test_quic_early_data(verbose)) != 0) goto leave;
  1469. #endif /* WOLFSSL_EARLY_DATA */
  1470. if ((ret = test_quic_session_export(verbose)) != 0) goto leave;
  1471. #endif /* HAVE_SESSION_TICKET */
  1472. leave:
  1473. if (ret != 0)
  1474. printf(" FAILED: some tests did not pass.\n");
  1475. printf(" End QUIC Tests\n");
  1476. #endif
  1477. return ret;
  1478. }