quic.c 60 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658
  1. /* quic.c QUIC unit tests
  2. *
  3. * Copyright (C) 2006-2024 wolfSSL Inc.
  4. *
  5. * This file is part of wolfSSL.
  6. *
  7. * wolfSSL is free software; you can redistribute it and/or modify
  8. * it under the terms of the GNU General Public License as published by
  9. * the Free Software Foundation; either version 2 of the License, or
  10. * (at your option) any later version.
  11. *
  12. * wolfSSL is distributed in the hope that it will be useful,
  13. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  14. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  15. * GNU General Public License for more details.
  16. *
  17. * You should have received a copy of the GNU General Public License
  18. * along with this program; if not, write to the Free Software
  19. * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  20. */
  21. #ifdef HAVE_CONFIG_H
  22. #include <config.h>
  23. #endif
  24. #include <wolfssl/wolfcrypt/settings.h>
  25. #include <tests/unit.h>
  26. #ifdef WOLFSSL_QUIC
  27. #include <wolfssl/ssl.h>
  28. #include <wolfssl/quic.h>
  29. #ifdef NO_INLINE
  30. #include <wolfssl/wolfcrypt/misc.h>
  31. #else
  32. #define WOLFSSL_MISC_INCLUDED
  33. #include <wolfcrypt/src/misc.c>
  34. #endif
  35. #include <wolfssl/error-ssl.h>
  36. #include <wolfssl/internal.h>
  37. #define testingFmt " %s:"
  38. #define resultFmt " %s\n"
  39. static const char* passed = "passed";
  40. static const char* failed = "failed";
  41. typedef struct {
  42. const char *name;
  43. WOLFSSL_METHOD *method;
  44. int is_server;
  45. } ctx_setups;
  46. static int dummy_set_encryption_secrets(WOLFSSL *ssl, WOLFSSL_ENCRYPTION_LEVEL level,
  47. const uint8_t *read_secret,
  48. const uint8_t *write_secret, size_t secret_len)
  49. {
  50. (void)ssl;
  51. printf("QUIC_set_encryption_secrets(level=%d, length=%d, rx=%s, tx=%s)\n",
  52. level, (int)secret_len, read_secret? "yes" : "no", write_secret? "yes" : "no");
  53. return 1;
  54. }
  55. static int dummy_add_handshake_data(WOLFSSL *ssl, WOLFSSL_ENCRYPTION_LEVEL level,
  56. const uint8_t *data, size_t len)
  57. {
  58. (void)ssl;
  59. (void)data;
  60. printf("QUIC_add_handshake_data(level=%d, length=%d)\n", level, (int)len);
  61. return 1;
  62. }
  63. static int dummy_flush_flight(WOLFSSL *ssl)
  64. {
  65. (void)ssl;
  66. printf("QUIC_flush_flight()\n");
  67. return 1;
  68. }
  69. static int dummy_send_alert(WOLFSSL *ssl, WOLFSSL_ENCRYPTION_LEVEL level, uint8_t err)
  70. {
  71. (void)ssl;
  72. printf("QUIC_send_alert(level=%d, err=%d)\n", level, err);
  73. return 1;
  74. }
  75. static WOLFSSL_QUIC_METHOD dummy_method = {
  76. dummy_set_encryption_secrets,
  77. dummy_add_handshake_data,
  78. dummy_flush_flight,
  79. dummy_send_alert,
  80. };
  81. static WOLFSSL_QUIC_METHOD null_method = {
  82. NULL, NULL, NULL, NULL
  83. };
  84. static int test_set_quic_method(void) {
  85. WOLFSSL_CTX *ctx;
  86. WOLFSSL *ssl;
  87. int ret = 0, i;
  88. const uint8_t *data;
  89. size_t data_len;
  90. ctx_setups valids[] = {
  91. #ifdef WOLFSSL_TLS13
  92. { "TLSv1.3 server", wolfTLSv1_3_server_method(), 1},
  93. { "TLSv1.3 client", wolfTLSv1_3_client_method(), 0},
  94. #endif
  95. { NULL, NULL, 0}
  96. };
  97. ctx_setups invalids[] = {
  98. #ifndef WOLFSSL_NO_TLS12
  99. { "TLSv1.2 server", wolfTLSv1_2_server_method(), 1},
  100. { "TLSv1.2 client", wolfTLSv1_2_client_method(), 0},
  101. #endif
  102. #ifndef NO_OLD_TLS
  103. { "TLSv1.1 server", wolfTLSv1_1_server_method(), 1},
  104. { "TLSv1.1 client", wolfTLSv1_1_client_method(), 0},
  105. #endif
  106. { NULL, NULL, 0}
  107. };
  108. for (i = 0; valids[i].name != NULL; ++i) {
  109. AssertNotNull(ctx = wolfSSL_CTX_new(valids[i].method));
  110. if (valids[i].is_server) {
  111. AssertTrue(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile,
  112. WOLFSSL_FILETYPE_PEM));
  113. AssertTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile,
  114. WOLFSSL_FILETYPE_PEM));
  115. }
  116. /* ctx does not have quic enabled, so will SSL* derived from it */
  117. AssertNotNull(ssl = wolfSSL_new(ctx));
  118. AssertFalse(wolfSSL_is_quic(ssl));
  119. /* Enable quic on the SSL* */
  120. AssertFalse(wolfSSL_set_quic_method(ssl, &null_method) == WOLFSSL_SUCCESS);
  121. AssertTrue(wolfSSL_set_quic_method(ssl, &dummy_method) == WOLFSSL_SUCCESS);
  122. AssertTrue(wolfSSL_is_quic(ssl));
  123. /* Check some default, initial behaviour */
  124. AssertTrue(wolfSSL_set_quic_transport_params(ssl, NULL, 0) == WOLFSSL_SUCCESS);
  125. wolfSSL_get_peer_quic_transport_params(ssl, &data, &data_len);
  126. AssertNull(data);
  127. AssertTrue(data_len == 0);
  128. AssertTrue(wolfSSL_quic_read_level(ssl) == wolfssl_encryption_initial);
  129. AssertTrue(wolfSSL_quic_write_level(ssl) == wolfssl_encryption_initial);
  130. AssertTrue(wolfSSL_get_quic_transport_version(ssl) == 0);
  131. wolfSSL_set_quic_transport_version(ssl, TLSX_KEY_QUIC_TP_PARAMS);
  132. AssertTrue(wolfSSL_get_quic_transport_version(ssl) == TLSX_KEY_QUIC_TP_PARAMS);
  133. wolfSSL_set_quic_use_legacy_codepoint(ssl, 1);
  134. AssertTrue(wolfSSL_get_quic_transport_version(ssl) == TLSX_KEY_QUIC_TP_PARAMS_DRAFT);
  135. wolfSSL_set_quic_use_legacy_codepoint(ssl, 0);
  136. AssertTrue(wolfSSL_get_quic_transport_version(ssl) == TLSX_KEY_QUIC_TP_PARAMS);
  137. /* max flight len during stages of handhshake, we us 16k initial and on
  138. * app data, and during handshake allow larger for cert exchange. This is
  139. * more advisory for the network code. ngtcp2 has its own ideas, for example.
  140. */
  141. data_len = wolfSSL_quic_max_handshake_flight_len(ssl, wolfssl_encryption_initial);
  142. AssertTrue(data_len == 16*1024);
  143. data_len = wolfSSL_quic_max_handshake_flight_len(ssl, wolfssl_encryption_early_data);
  144. AssertTrue(data_len == 0);
  145. data_len = wolfSSL_quic_max_handshake_flight_len(ssl, wolfssl_encryption_handshake);
  146. AssertTrue(data_len >= 16*1024);
  147. data_len = wolfSSL_quic_max_handshake_flight_len(ssl, wolfssl_encryption_application);
  148. AssertTrue(data_len == 16*1024);
  149. wolfSSL_free(ssl);
  150. /* Enabled quic on the ctx */
  151. AssertTrue(wolfSSL_CTX_set_quic_method(ctx, &dummy_method) == WOLFSSL_SUCCESS);
  152. /* It will be enabled on the SSL* */
  153. AssertNotNull(ssl = wolfSSL_new(ctx));
  154. AssertTrue(wolfSSL_is_quic(ssl));
  155. wolfSSL_free(ssl);
  156. wolfSSL_CTX_free(ctx);
  157. }
  158. for (i = 0; invalids[i].name != NULL; ++i) {
  159. AssertNotNull(ctx = wolfSSL_CTX_new(invalids[i].method));
  160. AssertTrue(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile,
  161. WOLFSSL_FILETYPE_PEM));
  162. AssertTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile,
  163. WOLFSSL_FILETYPE_PEM));
  164. AssertFalse(wolfSSL_CTX_set_quic_method(ctx, &dummy_method) == WOLFSSL_SUCCESS);
  165. AssertNotNull(ssl = wolfSSL_new(ctx));
  166. AssertFalse(wolfSSL_set_quic_method(ssl, &dummy_method) == WOLFSSL_SUCCESS);
  167. AssertFalse(wolfSSL_is_quic(ssl));
  168. /* even though not quic, this is the only level we can return */
  169. AssertTrue(wolfSSL_quic_read_level(ssl) == wolfssl_encryption_initial);
  170. AssertTrue(wolfSSL_quic_write_level(ssl) == wolfssl_encryption_initial);
  171. wolfSSL_free(ssl);
  172. wolfSSL_CTX_free(ctx);
  173. }
  174. printf(" test_set_quic_method: %s\n", (ret == 0)? passed : failed);
  175. return ret;
  176. }
  177. static size_t fake_record(byte rtype, word32 rlen, uint8_t *rec)
  178. {
  179. rec[0] = (uint8_t)rtype;
  180. c32to24(rlen, rec+1);
  181. return rlen + 4;
  182. }
  183. static size_t shift_record(uint8_t *rec, size_t len, size_t written)
  184. {
  185. len -= written;
  186. XMEMMOVE(rec, rec+written, len);
  187. return len;
  188. }
  189. static void dump_buffer(const char *name, const byte *p, size_t len, int indent)
  190. {
  191. size_t i = 0;
  192. printf("%s[%d] = {", name, (int)len);
  193. while((p != NULL) && (i < len)) {
  194. if((i % 0x10) == 0) {
  195. printf("\n");
  196. printf("%*s %04X - ", indent, " ", (int)i);
  197. }
  198. else if((i % 0x08) == 0) {
  199. printf(" ");
  200. }
  201. printf("%02X ", p[i]);
  202. i++;
  203. }
  204. printf("\n%*s};\n", indent, " ");
  205. }
  206. static void dump_ssl_buffers(WOLFSSL *ssl, FILE *fp)
  207. {
  208. QuicRecord *qr = ssl->quic.input_head;
  209. fprintf(fp, "SSL quic data buffered: \n");
  210. while (qr) {
  211. fprintf(fp, " - %d-%d/%d (cap %d, level=%d)\n",
  212. qr->start, qr->end, qr->len, qr->capacity, qr->level);
  213. qr = qr->next;
  214. }
  215. if ((qr = ssl->quic.scratch)) {
  216. fprintf(fp, " scratch: %d-%d/%d (cap %d, level=%d)\n",
  217. qr->start, qr->end, qr->len, qr->capacity, qr->level);
  218. }
  219. else {
  220. fprintf(fp, " scratch: -\n");
  221. }
  222. }
  223. static int provide_data(WOLFSSL *ssl, WOLFSSL_ENCRYPTION_LEVEL level,
  224. const uint8_t *data, size_t len, int excpect_fail)
  225. {
  226. int ret;
  227. ret = (wolfSSL_provide_quic_data(ssl, level, data, len) == WOLFSSL_SUCCESS);
  228. if (!!ret != !excpect_fail) {
  229. dump_ssl_buffers(ssl, stdout);
  230. return 0;
  231. }
  232. return 1;
  233. }
  234. static int test_provide_quic_data(void) {
  235. WOLFSSL_CTX *ctx;
  236. WOLFSSL *ssl;
  237. uint8_t lbuffer[16*1024];
  238. size_t len;
  239. int ret = 0;
  240. AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method()));
  241. AssertTrue(wolfSSL_CTX_set_quic_method(ctx, &dummy_method) == WOLFSSL_SUCCESS);
  242. /* provide_quic_data() feeds CRYPTO packets inside a QUIC Frame into
  243. * the TLSv1.3 state machine.
  244. * The data fed is not the QUIC frame, but the TLS record inside it.
  245. * This may be called several times before SSL_do_handshake() is invoked
  246. * to process them.
  247. * During buffering this data, the code checks that:
  248. * - encryption level only ever increases for subsequent TLS records
  249. * - a TLS record is received complete before the encryption level increases
  250. */
  251. AssertNotNull(ssl = wolfSSL_new(ctx));
  252. len = fake_record(1, 100, lbuffer);
  253. AssertTrue(provide_data(ssl, wolfssl_encryption_initial, lbuffer, len, 0));
  254. len = fake_record(2, 1523, lbuffer);
  255. AssertTrue(provide_data(ssl, wolfssl_encryption_handshake, lbuffer, len, 0));
  256. len = fake_record(2, 1, lbuffer);
  257. len += fake_record(3, 190, lbuffer+len);
  258. AssertTrue(provide_data(ssl, wolfssl_encryption_handshake, lbuffer, len, 0));
  259. len = fake_record(5, 2049, lbuffer);
  260. AssertTrue(provide_data(ssl, wolfssl_encryption_application, lbuffer, len, 0));
  261. /* adding another record with decreased level must fail */
  262. len = fake_record(1, 100, lbuffer);
  263. AssertTrue(provide_data(ssl, wolfssl_encryption_initial, lbuffer, len, 1));
  264. wolfSSL_free(ssl);
  265. AssertNotNull(ssl = wolfSSL_new(ctx));
  266. len = fake_record(1, 100, lbuffer);
  267. AssertTrue(provide_data(ssl, wolfssl_encryption_initial, lbuffer, 24, 0));
  268. len = shift_record(lbuffer, len, 24);
  269. len += fake_record(2, 4000, lbuffer+len);
  270. AssertTrue(provide_data(ssl, wolfssl_encryption_initial, lbuffer, len - 99, 0));
  271. len = shift_record(lbuffer, len, len - 99);
  272. len += fake_record(5, 2049, lbuffer+len);
  273. AssertTrue(provide_data(ssl, wolfssl_encryption_initial, lbuffer, len, 0));
  274. /* should be recognized as complete and level increase needs to be accepted */
  275. len = fake_record(2, 1, lbuffer);
  276. len += fake_record(3, 190, lbuffer+len);
  277. AssertTrue(provide_data(ssl, wolfssl_encryption_handshake, lbuffer, len - 10, 0));
  278. len = shift_record(lbuffer, len, len - 10);
  279. /* Change level with incomplete record in lbuffer, needs to fail */
  280. len += fake_record(5, 8102, lbuffer+len);
  281. AssertTrue(provide_data(ssl, wolfssl_encryption_application, lbuffer, len - 10, 1));
  282. wolfSSL_free(ssl);
  283. wolfSSL_CTX_free(ctx);
  284. printf(" test_provide_quic_data: %s\n", (ret == 0)? passed : failed);
  285. return 0;
  286. }
  287. static int test_quic_crypt(void) {
  288. WOLFSSL_CTX *ctx;
  289. WOLFSSL *ssl;
  290. const WOLFSSL_EVP_CIPHER *aead_cipher;
  291. int ret = 0;
  292. AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method()));
  293. AssertTrue(wolfSSL_CTX_set_quic_method(ctx, &dummy_method) == WOLFSSL_SUCCESS);
  294. AssertNotNull(ssl = wolfSSL_new(ctx));
  295. /* don't have an AEAD cipher selected before start */
  296. AssertTrue(wolfSSL_CIPHER_get_id(wolfSSL_get_current_cipher(ssl)) == 0);
  297. AssertNotNull(aead_cipher = wolfSSL_EVP_aes_128_gcm());
  298. AssertTrue(wolfSSL_quic_aead_is_gcm(aead_cipher) != 0);
  299. AssertTrue(wolfSSL_quic_aead_is_ccm(aead_cipher) == 0);
  300. AssertTrue(wolfSSL_quic_aead_is_chacha20(aead_cipher) == 0);
  301. if (1) {
  302. /* check that our enc-/decrypt support in quic rount-trips */
  303. static const uint8_t key[16] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
  304. 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff};
  305. static const uint8_t aad[] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19};
  306. static const uint8_t iv[] = {20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31};
  307. static const uint8_t plaintext[] = "hello world\nhello world\nhello world\nhello world\nhello world\nhello world\nhello world\n";
  308. static const uint8_t expected[] = {0xd3, 0xa8, 0x1d, 0x96, 0x4c, 0x9b, 0x02, 0xd7, 0x9a, 0xb0, 0x41, 0x07, 0x4c, 0x8c, 0xe2,
  309. 0xe0, 0x2e, 0x83, 0x54, 0x52, 0x45, 0xcb, 0xd4, 0x68, 0xc8, 0x43, 0x45, 0xca, 0x91, 0xfb,
  310. 0xa3, 0x7a, 0x67, 0xed, 0xe8, 0xd7, 0x5e, 0xe2, 0x33, 0xd1, 0x3e, 0xbf, 0x50, 0xc2, 0x4b,
  311. 0x86, 0x83, 0x55, 0x11, 0xbb, 0x17, 0x4f, 0xf5, 0x78, 0xb8, 0x65, 0xeb, 0x9a, 0x2b, 0x8f,
  312. 0x77, 0x08, 0xa9, 0x60, 0x17, 0x73, 0xc5, 0x07, 0xf3, 0x04, 0xc9, 0x3f, 0x67, 0x4d, 0x12,
  313. 0xa1, 0x02, 0x93, 0xc2, 0x3c, 0xd3, 0xf8, 0x59, 0x33, 0xd5, 0x01, 0xc3, 0xbb, 0xaa, 0xe6,
  314. 0x3f, 0xbb, 0x23, 0x66, 0x94, 0x26, 0x28, 0x43, 0xa5, 0xfd, 0x2f};
  315. WOLFSSL_EVP_CIPHER_CTX *enc_ctx, *dec_ctx;
  316. uint8_t *encrypted, *decrypted;
  317. size_t tag_len, enc_len, dec_len;
  318. AssertTrue((tag_len = wolfSSL_quic_get_aead_tag_len(aead_cipher)) == 16);
  319. dec_len = sizeof(plaintext);
  320. enc_len = dec_len + tag_len;
  321. encrypted = (uint8_t*)XMALLOC(enc_len, NULL, DYNAMIC_TYPE_TMP_BUFFER);
  322. AssertNotNull(encrypted);
  323. decrypted = (uint8_t*)XMALLOC(dec_len, NULL, DYNAMIC_TYPE_TMP_BUFFER);
  324. AssertNotNull(decrypted);
  325. AssertNotNull(enc_ctx = wolfSSL_quic_crypt_new(aead_cipher, key, iv, 1));
  326. AssertTrue(wolfSSL_quic_aead_encrypt(encrypted, enc_ctx,
  327. plaintext, sizeof(plaintext),
  328. NULL, aad, sizeof(aad)) == WOLFSSL_SUCCESS);
  329. AssertTrue(memcmp(expected, encrypted, dec_len) == 0);
  330. AssertTrue(memcmp(expected+dec_len, encrypted+dec_len, tag_len) == 0);
  331. AssertNotNull(dec_ctx = wolfSSL_quic_crypt_new(aead_cipher, key, iv, 0));
  332. AssertTrue(wolfSSL_quic_aead_decrypt(decrypted, dec_ctx,
  333. encrypted, enc_len,
  334. NULL, aad, sizeof(aad)) == WOLFSSL_SUCCESS);
  335. AssertTrue(memcmp(plaintext, decrypted, dec_len) == 0);
  336. XFREE(encrypted, NULL, DYNAMIC_TYPE_TMP_BUFFER);
  337. XFREE(decrypted, NULL, DYNAMIC_TYPE_TMP_BUFFER);
  338. wolfSSL_EVP_CIPHER_CTX_free(enc_ctx);
  339. wolfSSL_EVP_CIPHER_CTX_free(dec_ctx);
  340. }
  341. wolfSSL_free(ssl);
  342. wolfSSL_CTX_free(ctx);
  343. printf(" test_quic_crypt: %s\n", (ret == 0)? passed : failed);
  344. return ret;
  345. }
  346. typedef struct OutputBuffer {
  347. byte data[64*1024];
  348. size_t len;
  349. WOLFSSL_ENCRYPTION_LEVEL level;
  350. struct OutputBuffer *next;
  351. } OutputBuffer;
  352. typedef struct {
  353. const char *name;
  354. WOLFSSL *ssl;
  355. OutputBuffer output;
  356. byte rx_secret[4][1024];
  357. size_t rx_secret_len[4];
  358. byte tx_secret[4][1024];
  359. size_t tx_secret_len[4];
  360. int handshake_done;
  361. int alert_level;
  362. int alert;
  363. int flushed;
  364. int verbose;
  365. byte ticket[16*1024];
  366. word32 ticket_len;
  367. byte session[16*1024];
  368. word32 session_len;
  369. } QuicTestContext;
  370. static int ctx_set_encryption_secrets(WOLFSSL *ssl, WOLFSSL_ENCRYPTION_LEVEL level,
  371. const uint8_t *read_secret,
  372. const uint8_t *write_secret, size_t secret_len);
  373. static int ctx_add_handshake_data(WOLFSSL *ssl, WOLFSSL_ENCRYPTION_LEVEL level,
  374. const uint8_t *data, size_t len);
  375. static int ctx_flush_flight(WOLFSSL *ssl);
  376. static int ctx_send_alert(WOLFSSL *ssl, WOLFSSL_ENCRYPTION_LEVEL level, uint8_t err);
  377. #ifdef HAVE_SESSION_TICKET
  378. static int ctx_session_ticket_cb(WOLFSSL* ssl,
  379. const unsigned char* ticket, int ticketSz,
  380. void* cb_ctx);
  381. #endif
  382. static WOLFSSL_QUIC_METHOD ctx_method = {
  383. ctx_set_encryption_secrets,
  384. ctx_add_handshake_data,
  385. ctx_flush_flight,
  386. ctx_send_alert,
  387. };
  388. static void QuicTestContext_init(QuicTestContext *tctx, WOLFSSL_CTX *ctx,
  389. const char *name, int verbose)
  390. {
  391. static const byte tp_params_c[] = {0, 1, 2, 3, 4, 5, 6, 7};
  392. static const byte tp_params_s[] = {7, 6, 5, 4, 3, 2, 1, 0, 1};
  393. AssertNotNull(tctx);
  394. memset(tctx, 0, sizeof(*tctx));
  395. tctx->name = name;
  396. AssertNotNull((tctx->ssl = wolfSSL_new(ctx)));
  397. tctx->verbose = verbose;
  398. wolfSSL_set_app_data(tctx->ssl, tctx);
  399. AssertTrue(wolfSSL_set_quic_method(tctx->ssl, &ctx_method) == WOLFSSL_SUCCESS);
  400. wolfSSL_set_verify(tctx->ssl, SSL_VERIFY_NONE, 0);
  401. #ifdef HAVE_SESSION_TICKET
  402. wolfSSL_UseSessionTicket(tctx->ssl);
  403. wolfSSL_set_SessionTicket_cb(tctx->ssl, ctx_session_ticket_cb, NULL);
  404. #endif
  405. if (wolfSSL_is_server(tctx->ssl)) {
  406. wolfSSL_set_quic_transport_version(tctx->ssl, 0);
  407. wolfSSL_set_quic_transport_params(tctx->ssl, tp_params_s, sizeof(tp_params_s));
  408. }
  409. else {
  410. wolfSSL_set_quic_transport_version(tctx->ssl, 0);
  411. wolfSSL_set_quic_transport_params(tctx->ssl, tp_params_c, sizeof(tp_params_c));
  412. }
  413. }
  414. static void QuicTestContext_free(QuicTestContext *tctx)
  415. {
  416. OutputBuffer *out, *n;
  417. if (tctx->ssl) {
  418. wolfSSL_free(tctx->ssl);
  419. tctx->ssl = NULL;
  420. }
  421. out = tctx->output.next;
  422. while (out) {
  423. n = out->next;
  424. free(out);
  425. out = n;
  426. }
  427. }
  428. static int ctx_set_encryption_secrets(WOLFSSL *ssl, WOLFSSL_ENCRYPTION_LEVEL level,
  429. const uint8_t *read_secret,
  430. const uint8_t *write_secret, size_t secret_len)
  431. {
  432. QuicTestContext *ctx = (QuicTestContext*)wolfSSL_get_app_data(ssl);
  433. AssertNotNull(ctx);
  434. AssertTrue(secret_len <= sizeof(ctx->rx_secret[0]));
  435. if (read_secret) {
  436. memcpy(ctx->rx_secret[level], read_secret, secret_len);
  437. ctx->rx_secret_len[level] = secret_len;
  438. }
  439. if (write_secret) {
  440. memcpy(ctx->tx_secret[level], write_secret, secret_len);
  441. ctx->tx_secret_len[level] = secret_len;
  442. }
  443. AssertNotNull(ctx);
  444. return 1;
  445. }
  446. static int ctx_add_handshake_data(WOLFSSL *ssl, WOLFSSL_ENCRYPTION_LEVEL level,
  447. const uint8_t *data, size_t len)
  448. {
  449. QuicTestContext *ctx = (QuicTestContext*)wolfSSL_get_app_data(ssl);
  450. OutputBuffer *out;
  451. AssertNotNull(ctx);
  452. out = &ctx->output;
  453. while (out->next) {
  454. out = out->next;
  455. }
  456. if (out->level != level) {
  457. if (out->len > 0) {
  458. out->next = (OutputBuffer*)calloc(1, sizeof(OutputBuffer));
  459. out = out->next;
  460. AssertNotNull(out);
  461. }
  462. out->level = level;
  463. }
  464. if (ctx->verbose) {
  465. printf("[%s] add_handshake[enc_level=%d]: %d bytes\n", ctx->name, level, (int)len);
  466. /* dump_buffer("add", data, len, 0); */
  467. }
  468. if (len > 0) {
  469. AssertTrue(out->len + len < sizeof(out->data));
  470. memcpy(out->data + out->len, data, len);
  471. out->len += len;
  472. }
  473. return 1;
  474. }
  475. static int ctx_flush_flight(WOLFSSL *ssl)
  476. {
  477. QuicTestContext *ctx = (QuicTestContext*)wolfSSL_get_app_data(ssl);
  478. AssertNotNull(ctx);
  479. ctx->flushed = 1;
  480. return 1;
  481. }
  482. static int ctx_send_alert(WOLFSSL *ssl, WOLFSSL_ENCRYPTION_LEVEL level, uint8_t err)
  483. {
  484. QuicTestContext *ctx = (QuicTestContext*)wolfSSL_get_app_data(ssl);
  485. AssertNotNull(ctx);
  486. if (ctx->verbose) {
  487. printf("[%s] send_alert: level=%d, err=%d\n", ctx->name, level, err);
  488. }
  489. ctx->alert_level = level;
  490. ctx->alert = alert;
  491. return 1;
  492. }
  493. #ifdef HAVE_SESSION_TICKET
  494. static int ctx_session_ticket_cb(WOLFSSL* ssl,
  495. const unsigned char* ticket, int ticketSz,
  496. void* cb_ctx)
  497. {
  498. QuicTestContext *ctx = (QuicTestContext*)wolfSSL_get_app_data(ssl);
  499. AssertNotNull(ctx);
  500. (void)cb_ctx;
  501. if (ticketSz < 0 || (size_t)ticketSz > sizeof(ctx->ticket)) {
  502. printf("SESSION TICKET callback: ticket given is too large: %d bytes\n", ticketSz);
  503. return 1;
  504. }
  505. memset(ctx->ticket, 0, sizeof(ctx->ticket));
  506. ctx->ticket_len = (word32)ticketSz;
  507. memcpy(ctx->ticket, ticket, (size_t)ticketSz);
  508. if (ctx->verbose) {
  509. printf("Session Ticket[%s]: ", ctx->name);
  510. dump_buffer("", ticket, (size_t)ticketSz, 4);
  511. }
  512. return 0;
  513. }
  514. #endif
  515. static void ctx_dump_output(QuicTestContext *ctx)
  516. {
  517. dump_buffer("Output", ctx->output.data, ctx->output.len, 0);
  518. }
  519. static void check_handshake_record(const byte *data, size_t data_len, int *ptype, size_t *prlen)
  520. {
  521. word32 rlen;
  522. AssertTrue(data_len >= HANDSHAKE_HEADER_SZ);
  523. *ptype = data[0];
  524. c24to32(&data[1], &rlen);
  525. *prlen = rlen + HANDSHAKE_HEADER_SZ;
  526. }
  527. static void ext_dump(const byte *data, size_t data_len, int indent)
  528. {
  529. size_t idx = 0;
  530. word16 len16, etype, i;
  531. printf("%*sextensions:\n", indent, " ");
  532. while (idx < data_len) {
  533. ato16(&data[idx], &etype); /* extension type */
  534. ato16(&data[idx+2], &len16); /* extension length */
  535. printf(" extension: %04x [", etype);
  536. for (i = 0; i < len16; ++i) {
  537. printf("%s0x%02x", (i? ", ": ""), data[idx+4+i]);
  538. }
  539. printf("]\n");
  540. idx += 2 + 2 + len16;
  541. }
  542. }
  543. static const byte *ext_find(const byte *data, size_t data_len, int ext_type)
  544. {
  545. size_t idx = 0;
  546. word16 len16, etype;
  547. while (idx < data_len) {
  548. ato16(&data[idx], &etype); /* extension type */
  549. if (etype == ext_type) {
  550. return data + idx;
  551. }
  552. ato16(&data[idx+2], &len16); /* extension length */
  553. idx += 2 + 2 + len16;
  554. }
  555. return NULL;
  556. }
  557. static int ext_has(const byte *data, size_t data_len, int ext_type)
  558. {
  559. return ext_find(data, data_len,ext_type) != NULL;
  560. }
  561. static void ext_equals(const byte *data, size_t data_len, int ext_type,
  562. const byte *exp_data, size_t exp_len)
  563. {
  564. const byte *ext;
  565. word16 len16;
  566. AssertNotNull(ext = ext_find(data, data_len, ext_type));
  567. ato16(&ext[2], &len16);
  568. AssertTrue(len16 == exp_len);
  569. AssertTrue(memcmp(ext + 4, exp_data, exp_len) == 0);
  570. }
  571. static void check_quic_client_hello(const byte *data, size_t data_len, int verbose, int indent)
  572. {
  573. size_t idx;
  574. word16 len16;
  575. const byte *exts;
  576. size_t exts_len, rec_len;
  577. int rec_type;
  578. static byte ext_sup_version[3] = {0x02, 0x03, 0x04};
  579. check_handshake_record(data, data_len, &rec_type, &rec_len);
  580. AssertIntEQ(rec_type, client_hello);
  581. idx = HANDSHAKE_HEADER_SZ;
  582. /* the client hello arrives alone */
  583. AssertIntEQ(rec_len, data_len);
  584. AssertTrue(data[idx++] == SSLv3_MAJOR);
  585. AssertTrue(data[idx++] == TLSv1_2_MINOR);
  586. idx += 32; /* 32 bytes RANDOM */
  587. AssertIntEQ(data[idx], 0); /* session id length MUST be 0, RFC9001 ch. 8.4 */
  588. idx += 1 + data[idx];
  589. ato16(&data[idx], &len16); /* ciphers length */
  590. AssertTrue(len16 > 0);
  591. idx += 2 + len16;
  592. AssertTrue(data[idx] == 1); /* compressions */
  593. AssertTrue(data[idx+1] == 0); /* no compression */
  594. idx += 2;
  595. ato16(&data[idx], &len16); /* extensions length */
  596. AssertTrue(len16 > 0);
  597. exts_len = len16;
  598. idx += 2;
  599. exts = &data[idx];
  600. idx += exts_len;
  601. AssertTrue(idx <= rec_len); /* should fit */
  602. for (; idx < rec_len; ++idx) {
  603. AssertTrue(data[idx] == 0); /* padding */
  604. }
  605. ext_equals(exts, exts_len, TLSX_SUPPORTED_VERSIONS,
  606. ext_sup_version, sizeof(ext_sup_version));
  607. if (verbose) {
  608. ext_dump(exts, exts_len, indent);
  609. dump_buffer("", data, data_len, indent);
  610. }
  611. }
  612. static void check_quic_client_hello_tp(OutputBuffer *out, int tp_v1, int tp_draft)
  613. {
  614. size_t idx;
  615. word16 len16;
  616. const byte *exts;
  617. size_t exts_len, rec_len;
  618. int rec_type;
  619. check_handshake_record(out->data, out->len, &rec_type, &rec_len);
  620. AssertIntEQ(rec_type, client_hello);
  621. idx = HANDSHAKE_HEADER_SZ;
  622. idx += 2; /* old version */
  623. idx += 32; /* 32 bytes RANDOM */
  624. idx += 1 + out->data[idx]; /* session id */
  625. ato16(&out->data[idx], &len16); /* ciphers length */
  626. idx += 2 + len16;
  627. idx += 2; /* compression */
  628. ato16(&out->data[idx], &len16); /* extensions length */
  629. AssertTrue(len16 > 0);
  630. exts_len = len16;
  631. idx += 2;
  632. exts = &out->data[idx];
  633. AssertTrue(!ext_has(exts, exts_len, TLSX_KEY_QUIC_TP_PARAMS) == !tp_v1);
  634. AssertTrue(!ext_has(exts, exts_len, TLSX_KEY_QUIC_TP_PARAMS_DRAFT) == !tp_draft);
  635. }
  636. static void check_secrets(QuicTestContext *ctx, WOLFSSL_ENCRYPTION_LEVEL level, size_t rx_len, size_t tx_len)
  637. {
  638. int idx = (int)level;
  639. AssertTrue(idx < 4);
  640. AssertIntEQ(ctx->rx_secret_len[idx], rx_len);
  641. AssertIntEQ(ctx->tx_secret_len[idx], tx_len);
  642. }
  643. static void assert_secrets_EQ(QuicTestContext *ctx1, QuicTestContext *ctx2,
  644. WOLFSSL_ENCRYPTION_LEVEL level)
  645. {
  646. int idx = (int)level;
  647. /* rx secrets are the other ones tx secrets */
  648. AssertIntEQ(ctx1->rx_secret_len[idx], ctx2->tx_secret_len[idx]);
  649. AssertIntEQ(ctx1->tx_secret_len[idx], ctx2->rx_secret_len[idx]);
  650. AssertIntEQ(memcmp(ctx1->rx_secret[idx], ctx2->tx_secret[idx], ctx1->rx_secret_len[idx]), 0);
  651. AssertIntEQ(memcmp(ctx1->tx_secret[idx], ctx2->rx_secret[idx], ctx1->tx_secret_len[idx]), 0);
  652. }
  653. static void check_ee(const byte *data, size_t data_len, int verbose, int indent)
  654. {
  655. size_t rec_len, exts_len, idx;
  656. word16 len16;
  657. const byte *exts;
  658. int rec_type;
  659. check_handshake_record(data, data_len, &rec_type, &rec_len);
  660. AssertIntEQ(rec_type, encrypted_extensions);
  661. idx = HANDSHAKE_HEADER_SZ;
  662. ato16(&data[idx], &len16); /* extensions length */
  663. AssertTrue(len16 > 0);
  664. exts_len = len16;
  665. idx += 2;
  666. exts = &data[idx];
  667. if (verbose) {
  668. ext_dump(exts, exts_len, indent);
  669. dump_buffer("", data, data_len, indent);
  670. }
  671. }
  672. static void check_quic_server_hello(const byte *data, size_t data_len, int verbose, int indent)
  673. {
  674. size_t idx;
  675. word16 len16, cipher;
  676. const byte *exts;
  677. size_t exts_len, rec_len;
  678. static byte ext_sup_version[2] = {0x03, 0x04};
  679. int rec_type;
  680. check_handshake_record(data, data_len, &rec_type, &rec_len);
  681. AssertIntEQ(rec_type, server_hello);
  682. idx = HANDSHAKE_HEADER_SZ;
  683. AssertTrue(data[idx++] == SSLv3_MAJOR);
  684. AssertTrue(data[idx++] == TLSv1_2_MINOR);
  685. idx += 32; /* 32 bytes RANDOM */
  686. /* AssertIntEQ(data[idx], 0); session id of len 0 */
  687. idx += 1 + data[idx];
  688. ato16(&data[idx], &cipher); /* cipher selected */
  689. AssertTrue(cipher != 0);
  690. idx += 2;
  691. AssertTrue(data[idx] == 0); /* null compression */
  692. idx += 1;
  693. ato16(&data[idx], &len16); /* extensions length */
  694. AssertTrue(len16 > 0);
  695. exts_len = len16;
  696. idx += 2;
  697. exts = &data[idx];
  698. idx += exts_len;
  699. AssertTrue(idx <= rec_len); /* should fit */
  700. for (; idx < rec_len; ++idx) {
  701. AssertTrue(data[idx] == 0); /* padding */
  702. }
  703. if (verbose) {
  704. ext_dump(exts, exts_len, indent);
  705. dump_buffer("", data, rec_len, indent);
  706. }
  707. ext_equals(exts, exts_len, TLSX_SUPPORTED_VERSIONS,
  708. ext_sup_version, sizeof(ext_sup_version));
  709. }
  710. static void check_crypto_rec(const byte *data, size_t data_len, int verbose, int indent)
  711. {
  712. size_t rec_len;
  713. int rec_type;
  714. check_handshake_record(data, data_len, &rec_type, &rec_len);
  715. if (verbose) {
  716. dump_buffer("", data, rec_len, indent);
  717. }
  718. }
  719. static void check_crypto_records(QuicTestContext *from, OutputBuffer *out, int indent, char *rec_log, size_t rec_log_size)
  720. {
  721. const byte *data = out->data;
  722. size_t data_len = out->len;
  723. size_t rec_len;
  724. int rec_type;
  725. const char *rec_name;
  726. char lbuffer[128];
  727. void (*check_rec) (const byte *d, size_t l, int v, int indent);
  728. while (data_len > 0) {
  729. check_handshake_record(data, data_len, &rec_type, &rec_len);
  730. if (rec_len > data_len) {
  731. printf("%*sINCOMPLETE CRYPTO?: ", indent, " ");
  732. dump_buffer("", data, data_len, indent);
  733. }
  734. AssertTrue(rec_len <= data_len);
  735. check_rec = check_crypto_rec;
  736. switch (rec_type) {
  737. case client_hello:
  738. rec_name = "ClientHello";
  739. check_rec = check_quic_client_hello;
  740. break;
  741. case server_hello:
  742. rec_name = "ServerHello";
  743. check_rec = check_quic_server_hello;
  744. break;
  745. case session_ticket:
  746. rec_name = "SessionTicket";
  747. break;
  748. case encrypted_extensions:
  749. rec_name = "EncryptedExtension";
  750. check_rec = check_ee;
  751. break;
  752. case certificate:
  753. rec_name = "Certificate";
  754. break;
  755. case certificate_verify:
  756. rec_name = "CertificateVerify";
  757. break;
  758. case finished:
  759. rec_name = "Finished";
  760. break;
  761. default:
  762. (void)XSNPRINTF(lbuffer, sizeof(lbuffer), "%d", rec_type);
  763. rec_name = lbuffer;
  764. break;
  765. }
  766. if (rec_log) {
  767. if (*rec_log) XSTRLCAT(rec_log, ":", rec_log_size);
  768. XSTRLCAT(rec_log, rec_name, rec_log_size);
  769. }
  770. if (from->verbose) printf("%*sCRYPTO[%s]: ", indent, " ", rec_name);
  771. check_rec(data, rec_len, from->verbose, indent);
  772. if (from->verbose) printf("\n");
  773. data += rec_len;
  774. data_len -= rec_len;
  775. }
  776. }
  777. static void QuicTestContext_forward(QuicTestContext *from, QuicTestContext *to, char *rec_log, size_t rec_log_size)
  778. {
  779. int ret;
  780. OutputBuffer *out, *old;
  781. out = &from->output;
  782. while (out->len > 0) {
  783. if (from->verbose) {
  784. printf("[%s -> %s] forward %d bytes at level %d\n",
  785. from->name, to->name, (int)out->len, out->level);
  786. }
  787. if (out->level == wolfssl_encryption_early_data) {
  788. if (from->verbose) dump_buffer("EarlyData", out->data, out->len, 4);
  789. }
  790. else {
  791. check_crypto_records(from, out, 4, rec_log, rec_log_size);
  792. }
  793. ret = wolfSSL_provide_quic_data(to->ssl, out->level, out->data, out->len);
  794. out->len = 0;
  795. AssertIntEQ(ret, WOLFSSL_SUCCESS);
  796. if (out->next) {
  797. old = out->next;
  798. memcpy(out, out->next, sizeof(*out));
  799. free(old);
  800. }
  801. }
  802. }
  803. typedef struct {
  804. QuicTestContext *client;
  805. QuicTestContext *server;
  806. int started;
  807. int verbose;
  808. char rec_log[16*1024];
  809. int sent_early_data;
  810. int accept_early_data;
  811. char early_data[16*1024];
  812. size_t early_data_len;
  813. } QuicConversation;
  814. static void QuicConversation_init(QuicConversation *conv,
  815. QuicTestContext *tclient, QuicTestContext *tserver)
  816. {
  817. memset(conv, 0, sizeof(*conv));
  818. conv->client = tclient;
  819. conv->server = tserver;
  820. conv->verbose = tclient->verbose && tserver->verbose;
  821. }
  822. static int QuicConversation_start(QuicConversation *conv, const byte *data,
  823. size_t data_len, size_t *pwritten)
  824. {
  825. int ret;
  826. AssertFalse(conv->started);
  827. if (conv->verbose) {
  828. printf("[%s <-> %s] starting\n", conv->client->name, conv->server->name);
  829. }
  830. if (data && data_len > 0) {
  831. #ifdef WOLFSSL_EARLY_DATA
  832. int written;
  833. ret = wolfSSL_write_early_data(conv->client->ssl, data, (int)data_len, &written);
  834. if (ret < 0) {
  835. int err = wolfSSL_get_error(conv->client->ssl, ret);
  836. char lbuffer[1024];
  837. printf("EARLY DATA ret = %d, error = %d, %s\n", ret, err, wolfSSL_ERR_error_string((unsigned long)err, lbuffer));
  838. AssertTrue(0);
  839. }
  840. *pwritten = (size_t)written;
  841. conv->sent_early_data = 1;
  842. #else
  843. fprintf(stderr, "Cannot send EARLY DATA without feature enabled!\n");
  844. AssertTrue(0);
  845. #endif
  846. }
  847. else {
  848. ret = wolfSSL_connect(conv->client->ssl);
  849. if (ret != WOLFSSL_SUCCESS) {
  850. AssertIntEQ(wolfSSL_get_error(conv->client->ssl, 0), WC_NO_ERR_TRACE(SSL_ERROR_WANT_READ));
  851. }
  852. if (pwritten) *pwritten = 0;
  853. }
  854. conv->started = 1;
  855. return ret;
  856. }
  857. static int QuicConversation_step(QuicConversation *conv, int may_fail)
  858. {
  859. int n;
  860. if (!conv->started) {
  861. n = wolfSSL_connect(conv->client->ssl);
  862. if (n != WOLFSSL_SUCCESS
  863. && wolfSSL_get_error(conv->client->ssl, 0) != WC_NO_ERR_TRACE(SSL_ERROR_WANT_READ)) {
  864. if (may_fail) return 0;
  865. AssertIntEQ(WC_NO_ERR_TRACE(SSL_ERROR_WANT_READ), wolfSSL_get_error(conv->client->ssl, 0));
  866. }
  867. conv->started = 1;
  868. }
  869. if (conv->server->output.len > 0) {
  870. QuicTestContext_forward(conv->server, conv->client, conv->rec_log, sizeof(conv->rec_log));
  871. n = wolfSSL_quic_read_write(conv->client->ssl);
  872. if (n != WOLFSSL_SUCCESS
  873. && wolfSSL_get_error(conv->client->ssl, 0) != WC_NO_ERR_TRACE(SSL_ERROR_WANT_READ)) {
  874. if (may_fail) return 0;
  875. AssertIntEQ(WC_NO_ERR_TRACE(SSL_ERROR_WANT_READ), wolfSSL_get_error(conv->client->ssl, 0));
  876. }
  877. return 1;
  878. }
  879. else if (conv->client->output.len > 0) {
  880. QuicTestContext_forward(conv->client, conv->server, conv->rec_log, sizeof(conv->rec_log));
  881. #ifdef WOLFSSL_EARLY_DATA
  882. if (conv->accept_early_data) {
  883. int written;
  884. n = wolfSSL_read_early_data(conv->server->ssl,
  885. conv->early_data + conv->early_data_len,
  886. (int)(sizeof(conv->early_data) - conv->early_data_len),
  887. &written);
  888. if (n < 0) {
  889. if (wolfSSL_get_error(conv->server->ssl, 0) != WC_NO_ERR_TRACE(SSL_ERROR_WANT_READ)) {
  890. if (may_fail) return 0;
  891. AssertIntEQ(wolfSSL_get_error(conv->server->ssl, 0), WC_NO_ERR_TRACE(SSL_ERROR_WANT_READ));
  892. }
  893. }
  894. else if (n > 0) {
  895. conv->early_data_len += (size_t)n;
  896. if (conv->verbose)
  897. printf("RECVed early data, len now=%d\n", (int)conv->early_data_len);
  898. }
  899. }
  900. else
  901. #endif /* WOLFSSL_EARLY_DATA */
  902. {
  903. n = wolfSSL_quic_read_write(conv->server->ssl);
  904. if (n != WOLFSSL_SUCCESS
  905. && wolfSSL_get_error(conv->server->ssl, 0) != WC_NO_ERR_TRACE(SSL_ERROR_WANT_READ)) {
  906. if (may_fail) return 0;
  907. AssertIntEQ(wolfSSL_get_error(conv->server->ssl, 0), WC_NO_ERR_TRACE(SSL_ERROR_WANT_READ));
  908. }
  909. }
  910. return 1;
  911. }
  912. return 0;
  913. }
  914. static void QuicConversation_do(QuicConversation *conv)
  915. {
  916. if (!conv->started) {
  917. QuicConversation_start(conv, NULL, 0, NULL);
  918. }
  919. while (1) {
  920. if (!QuicConversation_step(conv, 0)) {
  921. int c_err = wolfSSL_get_error(conv->client->ssl, 0);
  922. int s_err = wolfSSL_get_error(conv->server->ssl, 0);
  923. if (c_err == 0 && s_err == 0) {
  924. break; /* handshake done */
  925. }
  926. printf("Neither tclient nor server have anything to send, "
  927. "but client_error=%d, server_error=%d\n",
  928. c_err, s_err);
  929. AssertFalse(1);
  930. }
  931. }
  932. }
  933. #ifdef HAVE_SESSION_TICKET
  934. static void QuicConversation_fail(QuicConversation *conv)
  935. {
  936. if (!conv->started) {
  937. QuicConversation_start(conv, NULL, 0, NULL);
  938. }
  939. while (1) {
  940. if (!QuicConversation_step(conv, 1)) {
  941. int c_err = wolfSSL_get_error(conv->client->ssl, 0);
  942. int s_err = wolfSSL_get_error(conv->server->ssl, 0);
  943. AssertTrue(c_err != 0 || s_err != 0);
  944. break;
  945. }
  946. }
  947. }
  948. #endif /* HAVE_SESSION_TICKET */
  949. static int test_quic_client_hello(int verbose) {
  950. WOLFSSL_CTX *ctx;
  951. int ret = 0;
  952. QuicTestContext tctx;
  953. (void)ctx_dump_output;
  954. AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method()));
  955. QuicTestContext_init(&tctx, ctx, "client", verbose);
  956. /* Without any QUIC transport params, this needs to fail */
  957. AssertTrue(wolfSSL_set_quic_transport_params(tctx.ssl, NULL, 0) == WOLFSSL_SUCCESS);
  958. AssertTrue(wolfSSL_quic_read_write(tctx.ssl) != 0);
  959. AssertIntEQ(wolfSSL_get_error(tctx.ssl, 0), WC_NO_ERR_TRACE(QUIC_TP_MISSING_E));
  960. QuicTestContext_free(&tctx);
  961. /* Set transport params, expect both extensions */
  962. QuicTestContext_init(&tctx, ctx, "client", verbose);
  963. #ifdef HAVE_SNI
  964. wolfSSL_UseSNI(tctx.ssl, WOLFSSL_SNI_HOST_NAME,
  965. "wolfssl.com", sizeof("wolfssl.com")-1);
  966. #endif
  967. AssertTrue(wolfSSL_connect(tctx.ssl) != 0);
  968. AssertIntEQ(wolfSSL_get_error(tctx.ssl, 0), WC_NO_ERR_TRACE(SSL_ERROR_WANT_READ));
  969. check_quic_client_hello_tp(&tctx.output, 1, 1);
  970. QuicTestContext_free(&tctx);
  971. /* Set transport params v1, expect v1 extension */
  972. QuicTestContext_init(&tctx, ctx, "client", verbose);
  973. wolfSSL_set_quic_transport_version(tctx.ssl, TLSX_KEY_QUIC_TP_PARAMS);
  974. AssertTrue(wolfSSL_connect(tctx.ssl) != 0);
  975. check_quic_client_hello_tp(&tctx.output, 1, 0);
  976. QuicTestContext_free(&tctx);
  977. /* Set transport params draft, expect draft extension */
  978. QuicTestContext_init(&tctx, ctx, "client", verbose);
  979. wolfSSL_set_quic_transport_version(tctx.ssl, TLSX_KEY_QUIC_TP_PARAMS_DRAFT);
  980. AssertTrue(wolfSSL_connect(tctx.ssl) != 0);
  981. check_quic_client_hello_tp(&tctx.output, 0, 1);
  982. QuicTestContext_free(&tctx);
  983. /* Set transport params 0, expect both extension */
  984. QuicTestContext_init(&tctx, ctx, "client", verbose);
  985. wolfSSL_set_quic_transport_version(tctx.ssl, 0);
  986. AssertTrue(wolfSSL_connect(tctx.ssl) != 0);
  987. check_quic_client_hello_tp(&tctx.output, 1, 1);
  988. QuicTestContext_free(&tctx);
  989. wolfSSL_CTX_free(ctx);
  990. printf(" test_quic_client_hello: %s\n", (ret == 0)? passed : failed);
  991. return ret;
  992. }
  993. static int test_quic_server_hello(int verbose) {
  994. WOLFSSL_CTX *ctx_c, *ctx_s;
  995. int ret = 0;
  996. QuicTestContext tclient, tserver;
  997. QuicConversation conv;
  998. AssertNotNull(ctx_c = wolfSSL_CTX_new(wolfTLSv1_3_client_method()));
  999. AssertNotNull(ctx_s = wolfSSL_CTX_new(wolfTLSv1_3_server_method()));
  1000. AssertTrue(wolfSSL_CTX_use_certificate_file(ctx_s, svrCertFile, WOLFSSL_FILETYPE_PEM));
  1001. AssertTrue(wolfSSL_CTX_use_PrivateKey_file(ctx_s, svrKeyFile, WOLFSSL_FILETYPE_PEM));
  1002. /* setup ssls */
  1003. QuicTestContext_init(&tclient, ctx_c, "client", verbose);
  1004. QuicTestContext_init(&tserver, ctx_s, "server", verbose);
  1005. /* connect */
  1006. QuicConversation_init(&conv, &tclient, &tserver);
  1007. QuicConversation_step(&conv, 0);
  1008. /* check established/missing secrets */
  1009. check_secrets(&tserver, wolfssl_encryption_initial, 0, 0);
  1010. check_secrets(&tserver, wolfssl_encryption_handshake, 32, 32);
  1011. check_secrets(&tserver, wolfssl_encryption_application, 32, 32);
  1012. check_secrets(&tclient, wolfssl_encryption_handshake, 0, 0);
  1013. /* feed the server data to the client */
  1014. QuicConversation_step(&conv, 0);
  1015. /* client has generated handshake secret */
  1016. check_secrets(&tclient, wolfssl_encryption_handshake, 32, 32);
  1017. /* continue the handshake till done */
  1018. conv.started = 1;
  1019. /* run till end */
  1020. QuicConversation_do(&conv);
  1021. AssertIntEQ(tclient.output.len, 0);
  1022. AssertIntEQ(tserver.output.len, 0);
  1023. /* what have we seen? */
  1024. #ifdef HAVE_SESSION_TICKET
  1025. AssertStrEQ(conv.rec_log, "ClientHello:ServerHello:EncryptedExtension:"
  1026. "Certificate:CertificateVerify:Finished:Finished:SessionTicket");
  1027. #else
  1028. AssertStrEQ(conv.rec_log, "ClientHello:ServerHello:EncryptedExtension:"
  1029. "Certificate:CertificateVerify:Finished:Finished");
  1030. #endif
  1031. /* we are at application encryption level */
  1032. AssertTrue(wolfSSL_quic_read_level(tclient.ssl) == wolfssl_encryption_application);
  1033. AssertTrue(wolfSSL_quic_write_level(tclient.ssl) == wolfssl_encryption_application);
  1034. AssertTrue(wolfSSL_quic_read_level(tserver.ssl) == wolfssl_encryption_application);
  1035. AssertTrue(wolfSSL_quic_write_level(tserver.ssl) == wolfssl_encryption_application);
  1036. /* the last client write (FINISHED) was at handshake level */
  1037. AssertTrue(tclient.output.level == wolfssl_encryption_handshake);
  1038. /* we have the app secrets */
  1039. check_secrets(&tclient, wolfssl_encryption_application, 32, 32);
  1040. check_secrets(&tserver, wolfssl_encryption_application, 32, 32);
  1041. /* verify client and server have the same secrets established */
  1042. assert_secrets_EQ(&tclient, &tserver, wolfssl_encryption_handshake);
  1043. assert_secrets_EQ(&tclient, &tserver, wolfssl_encryption_application);
  1044. /* AEAD cipher should be known */
  1045. AssertNotNull(wolfSSL_quic_get_aead(tclient.ssl));
  1046. AssertNotNull(wolfSSL_quic_get_aead(tserver.ssl));
  1047. /* What was negiotiated and is it the same? */
  1048. AssertIntEQ(wolfSSL_get_peer_quic_transport_version(tclient.ssl),
  1049. wolfSSL_get_peer_quic_transport_version(tserver.ssl));
  1050. QuicTestContext_free(&tclient);
  1051. QuicTestContext_free(&tserver);
  1052. wolfSSL_CTX_free(ctx_c);
  1053. wolfSSL_CTX_free(ctx_s);
  1054. printf(" test_quic_server_hello: %s\n", (ret == 0)? passed : failed);
  1055. return ret;
  1056. }
  1057. /* This has gotten a bit out of hand. */
  1058. #if (defined(OPENSSL_ALL) || (defined(OPENSSL_EXTRA) && \
  1059. (defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) || \
  1060. defined(HAVE_LIGHTY) || defined(WOLFSSL_HAPROXY) || \
  1061. defined(WOLFSSL_OPENSSH) || defined(HAVE_SBLIM_SFCB)))) \
  1062. && defined(HAVE_ALPN) && defined(HAVE_SNI)
  1063. #define REALLY_HAVE_ALPN_AND_SNI
  1064. #else
  1065. #undef REALLY_HAVE_ALPN_AND_SNI
  1066. #endif
  1067. #ifdef REALLY_HAVE_ALPN_AND_SNI
  1068. struct stripe_buffer {
  1069. char stripe[256];
  1070. };
  1071. static int inspect_SNI(WOLFSSL *ssl, int *ad, void *baton)
  1072. {
  1073. struct stripe_buffer *stripe = (struct stripe_buffer *)baton;
  1074. (void)ssl;
  1075. *ad = 0;
  1076. XSTRLCAT(stripe->stripe, "S", sizeof(stripe->stripe));
  1077. return 0;
  1078. }
  1079. static int select_ALPN(WOLFSSL *ssl,
  1080. const unsigned char **out,
  1081. unsigned char *outlen,
  1082. const unsigned char *in,
  1083. unsigned int inlen,
  1084. void *baton)
  1085. {
  1086. struct stripe_buffer *stripe = (struct stripe_buffer *)baton;
  1087. (void)ssl;
  1088. (void)inlen;
  1089. /* just select the first */
  1090. *out = in + 1;
  1091. *outlen = in[0];
  1092. XSTRLCAT(stripe->stripe, "A", sizeof(stripe->stripe));
  1093. return 0;
  1094. }
  1095. static int test_quic_alpn(int verbose) {
  1096. WOLFSSL_CTX *ctx_c, *ctx_s;
  1097. int ret = 0;
  1098. QuicTestContext tclient, tserver;
  1099. QuicConversation conv;
  1100. struct stripe_buffer stripe;
  1101. unsigned char alpn_protos[256];
  1102. AssertNotNull(ctx_c = wolfSSL_CTX_new(wolfTLSv1_3_client_method()));
  1103. AssertNotNull(ctx_s = wolfSSL_CTX_new(wolfTLSv1_3_server_method()));
  1104. AssertTrue(wolfSSL_CTX_use_certificate_file(ctx_s, svrCertFile, WOLFSSL_FILETYPE_PEM));
  1105. AssertTrue(wolfSSL_CTX_use_PrivateKey_file(ctx_s, svrKeyFile, WOLFSSL_FILETYPE_PEM));
  1106. stripe.stripe[0] = '\0';
  1107. wolfSSL_CTX_set_servername_callback(ctx_s, inspect_SNI);
  1108. wolfSSL_CTX_set_servername_arg(ctx_s, &stripe);
  1109. wolfSSL_CTX_set_alpn_select_cb(ctx_s, select_ALPN, &stripe);
  1110. /* setup ssls */
  1111. QuicTestContext_init(&tclient, ctx_c, "client", verbose);
  1112. QuicTestContext_init(&tserver, ctx_s, "server", verbose);
  1113. /* set SNI and ALPN callbacks on server side,
  1114. * provide values on client side */
  1115. wolfSSL_UseSNI(tclient.ssl, WOLFSSL_SNI_HOST_NAME,
  1116. "wolfssl.com", sizeof("wolfssl.com")-1);
  1117. /* connect */
  1118. QuicConversation_init(&conv, &tclient, &tserver);
  1119. XSTRLCPY((char*)(alpn_protos + 1), "test", sizeof(alpn_protos));
  1120. alpn_protos[0] = strlen("test");
  1121. wolfSSL_set_alpn_protos(tclient.ssl, alpn_protos, 1 + strlen("test"));
  1122. QuicConversation_do(&conv);
  1123. AssertIntEQ(tclient.output.len, 0);
  1124. AssertIntEQ(tserver.output.len, 0);
  1125. /* SNI callback needs to be called before ALPN callback */
  1126. AssertStrEQ(stripe.stripe, "SA");
  1127. QuicTestContext_free(&tclient);
  1128. QuicTestContext_free(&tserver);
  1129. wolfSSL_CTX_free(ctx_c);
  1130. wolfSSL_CTX_free(ctx_s);
  1131. printf(" test_quic_alpn: %s\n", (ret == 0)? passed : failed);
  1132. return ret;
  1133. }
  1134. #endif /* REALLY_HAVE_ALPN_AND_SNI */
  1135. #ifdef HAVE_SESSION_TICKET
  1136. static int test_quic_key_share(int verbose) {
  1137. WOLFSSL_CTX *ctx_c, *ctx_s;
  1138. int ret = 0;
  1139. QuicTestContext tclient, tserver;
  1140. QuicConversation conv;
  1141. AssertNotNull(ctx_c = wolfSSL_CTX_new(wolfTLSv1_3_client_method()));
  1142. AssertNotNull(ctx_s = wolfSSL_CTX_new(wolfTLSv1_3_server_method()));
  1143. AssertTrue(wolfSSL_CTX_use_certificate_file(ctx_s, svrCertFile, WOLFSSL_FILETYPE_PEM));
  1144. AssertTrue(wolfSSL_CTX_use_PrivateKey_file(ctx_s, svrKeyFile, WOLFSSL_FILETYPE_PEM));
  1145. /* setup & handshake defaults */
  1146. QuicTestContext_init(&tclient, ctx_c, "client", verbose);
  1147. QuicTestContext_init(&tserver, ctx_s, "server", verbose);
  1148. QuicConversation_init(&conv, &tclient, &tserver);
  1149. QuicConversation_do(&conv);
  1150. AssertStrEQ(conv.rec_log, "ClientHello:ServerHello:EncryptedExtension:"
  1151. "Certificate:CertificateVerify:Finished:Finished:SessionTicket");
  1152. QuicTestContext_free(&tclient);
  1153. QuicTestContext_free(&tserver);
  1154. /* setup & handshake, restricted groups. KEY_SHARE should use
  1155. * the first configured group. */
  1156. /*If that is supported by the server, expect a smooth handshake.*/
  1157. QuicTestContext_init(&tclient, ctx_c, "client", verbose);
  1158. QuicTestContext_init(&tserver, ctx_s, "server", verbose);
  1159. AssertTrue(wolfSSL_set1_curves_list(tclient.ssl, "X25519:P-256")
  1160. == WOLFSSL_SUCCESS);
  1161. AssertTrue(wolfSSL_set1_curves_list(tserver.ssl, "X25519")
  1162. == WOLFSSL_SUCCESS);
  1163. QuicConversation_init(&conv, &tclient, &tserver);
  1164. QuicConversation_do(&conv);
  1165. AssertStrEQ(conv.rec_log,
  1166. "ClientHello:ServerHello:EncryptedExtension:"
  1167. "Certificate:CertificateVerify:Finished:Finished:SessionTicket");
  1168. QuicTestContext_free(&tclient);
  1169. QuicTestContext_free(&tserver);
  1170. printf(" test_quic_key_share: priority ok\n");
  1171. /* If group is not supported by server, expect HelloRetry */
  1172. QuicTestContext_init(&tclient, ctx_c, "client", verbose);
  1173. QuicTestContext_init(&tserver, ctx_s, "server", verbose);
  1174. AssertTrue(wolfSSL_set1_curves_list(tclient.ssl, "X25519:P-256")
  1175. == WOLFSSL_SUCCESS);
  1176. AssertTrue(wolfSSL_set1_curves_list(tserver.ssl, "P-256")
  1177. == WOLFSSL_SUCCESS);
  1178. QuicConversation_init(&conv, &tclient, &tserver);
  1179. QuicConversation_do(&conv);
  1180. AssertStrEQ(conv.rec_log,
  1181. "ClientHello:ServerHello:ClientHello:ServerHello:EncryptedExtension:"
  1182. "Certificate:CertificateVerify:Finished:Finished:SessionTicket");
  1183. QuicTestContext_free(&tclient);
  1184. QuicTestContext_free(&tserver);
  1185. printf(" test_quic_key_share: retry ok\n");
  1186. /* If no group overlap, expect failure */
  1187. QuicTestContext_init(&tclient, ctx_c, "client", verbose);
  1188. QuicTestContext_init(&tserver, ctx_s, "server", verbose);
  1189. AssertTrue(wolfSSL_set1_curves_list(tclient.ssl, "P-256")
  1190. == WOLFSSL_SUCCESS);
  1191. AssertTrue(wolfSSL_set1_curves_list(tserver.ssl, "X25519")
  1192. == WOLFSSL_SUCCESS);
  1193. QuicConversation_init(&conv, &tclient, &tserver);
  1194. QuicConversation_fail(&conv);
  1195. AssertIntEQ(wolfSSL_get_error(tserver.ssl, 0), WC_NO_ERR_TRACE(SSL_ERROR_WANT_READ));
  1196. AssertIntEQ(wolfSSL_get_error(tclient.ssl, 0), WC_NO_ERR_TRACE(BAD_KEY_SHARE_DATA));
  1197. QuicTestContext_free(&tclient);
  1198. QuicTestContext_free(&tserver);
  1199. printf(" test_quic_key_share: no match ok\n");
  1200. wolfSSL_CTX_free(ctx_c);
  1201. wolfSSL_CTX_free(ctx_s);
  1202. printf(" test_quic_key_share: %s\n", (ret == 0)? passed : failed);
  1203. return ret;
  1204. }
  1205. static int test_quic_resumption(int verbose) {
  1206. WOLFSSL_CTX *ctx_c, *ctx_s;
  1207. WOLFSSL_SESSION *session, *session_restored;
  1208. int ret = 0;
  1209. QuicTestContext tclient, tserver;
  1210. QuicConversation conv;
  1211. unsigned char session_buffer[16 * 1024], *session_data;
  1212. const unsigned char *session_data2;
  1213. unsigned int session_size;
  1214. AssertNotNull(ctx_c = wolfSSL_CTX_new(wolfTLSv1_3_client_method()));
  1215. AssertNotNull(ctx_s = wolfSSL_CTX_new(wolfTLSv1_3_server_method()));
  1216. AssertTrue(wolfSSL_CTX_use_certificate_file(ctx_s, svrCertFile, WOLFSSL_FILETYPE_PEM));
  1217. AssertTrue(wolfSSL_CTX_use_PrivateKey_file(ctx_s, svrKeyFile, WOLFSSL_FILETYPE_PEM));
  1218. /* setup ssls */
  1219. QuicTestContext_init(&tclient, ctx_c, "client", verbose);
  1220. QuicTestContext_init(&tserver, ctx_s, "server", verbose);
  1221. QuicConversation_init(&conv, &tclient, &tserver);
  1222. /* run till end */
  1223. QuicConversation_do(&conv);
  1224. /* what have we seen? */
  1225. AssertStrEQ(conv.rec_log, "ClientHello:ServerHello:EncryptedExtension:"
  1226. "Certificate:CertificateVerify:Finished:Finished:SessionTicket");
  1227. /* Should have received a session ticket, save the session
  1228. * and also make a serialized/deserialized copy to check that persisting
  1229. * a session works. */
  1230. AssertTrue(tclient.ticket_len > 0);
  1231. AssertNotNull(session = wolfSSL_get1_session(tclient.ssl));
  1232. AssertTrue((session_size = (unsigned int)wolfSSL_i2d_SSL_SESSION(session, NULL)) > 0);
  1233. AssertTrue((size_t)session_size < sizeof(session_buffer));
  1234. session_data2 = session_data = session_buffer;
  1235. session_size = (unsigned int)wolfSSL_i2d_SSL_SESSION(session, &session_data);
  1236. session_restored = wolfSSL_d2i_SSL_SESSION(NULL, &session_data2, session_size);
  1237. AssertNotNull(session_restored);
  1238. QuicTestContext_free(&tserver);
  1239. QuicTestContext_free(&tclient);
  1240. /* Do a Session resumption with the session object */
  1241. QuicTestContext_init(&tserver, ctx_s, "server", verbose);
  1242. QuicTestContext_init(&tclient, ctx_c, "client_resume", verbose);
  1243. AssertIntEQ(wolfSSL_set_session(tclient.ssl, session), WOLFSSL_SUCCESS);
  1244. /* let them talk */
  1245. QuicConversation_init(&conv, &tclient, &tserver);
  1246. QuicConversation_do(&conv);
  1247. /* this is what should happen. Look Ma, no certificate! */
  1248. AssertStrEQ(conv.rec_log, "ClientHello:ServerHello:EncryptedExtension:"
  1249. "Finished:Finished:SessionTicket");
  1250. QuicTestContext_free(&tclient);
  1251. QuicTestContext_free(&tserver);
  1252. /* Do a Session resumption with the restored session object */
  1253. QuicTestContext_init(&tserver, ctx_s, "server", verbose);
  1254. QuicTestContext_init(&tclient, ctx_c, "client_resume_restored", verbose);
  1255. AssertIntEQ(wolfSSL_set_session(tclient.ssl, session_restored), WOLFSSL_SUCCESS);
  1256. /* let them talk */
  1257. QuicConversation_init(&conv, &tclient, &tserver);
  1258. QuicConversation_do(&conv);
  1259. /* this is what should happen. Look Ma, no certificate! */
  1260. AssertStrEQ(conv.rec_log, "ClientHello:ServerHello:EncryptedExtension:"
  1261. "Finished:Finished:SessionTicket");
  1262. QuicTestContext_free(&tclient);
  1263. QuicTestContext_free(&tserver);
  1264. {
  1265. /* Do a Session resumption with a new server ctx */
  1266. WOLFSSL_CTX *ctx_s2;
  1267. AssertNotNull(ctx_s2 = wolfSSL_CTX_new(wolfTLSv1_3_server_method()));
  1268. AssertTrue(wolfSSL_CTX_use_certificate_file(ctx_s2, eccCertFile, WOLFSSL_FILETYPE_PEM));
  1269. AssertTrue(wolfSSL_CTX_use_PrivateKey_file(ctx_s2, eccKeyFile, WOLFSSL_FILETYPE_PEM));
  1270. QuicTestContext_init(&tserver, ctx_s2, "server2", verbose);
  1271. QuicTestContext_init(&tclient, ctx_c, "client_resume2", verbose);
  1272. AssertIntEQ(wolfSSL_set_session(tclient.ssl, session_restored), WOLFSSL_SUCCESS);
  1273. /* let them talk */
  1274. QuicConversation_init(&conv, &tclient, &tserver);
  1275. QuicConversation_do(&conv);
  1276. AssertStrEQ(conv.rec_log, "ClientHello:ServerHello:EncryptedExtension:"
  1277. "Certificate:CertificateVerify:Finished:Finished:SessionTicket");
  1278. QuicTestContext_free(&tclient);
  1279. QuicTestContext_free(&tserver);
  1280. wolfSSL_CTX_free(ctx_s2);
  1281. }
  1282. wolfSSL_SESSION_free(session);
  1283. wolfSSL_SESSION_free(session_restored);
  1284. wolfSSL_CTX_free(ctx_c);
  1285. wolfSSL_CTX_free(ctx_s);
  1286. printf(" test_quic_resumption: %s\n", (ret == 0)? passed : failed);
  1287. return ret;
  1288. }
  1289. #ifdef WOLFSSL_EARLY_DATA
  1290. static int test_quic_early_data(int verbose) {
  1291. WOLFSSL_CTX *ctx_c, *ctx_s;
  1292. int ret = 0;
  1293. QuicTestContext tclient, tserver;
  1294. QuicConversation conv;
  1295. const byte early_data[] = "Nulla dies sine linea!";
  1296. size_t ed_written;
  1297. WOLFSSL_SESSION *session;
  1298. unsigned int max_early_sz;
  1299. AssertNotNull(ctx_c = wolfSSL_CTX_new(wolfTLSv1_3_client_method()));
  1300. wolfSSL_CTX_UseSessionTicket(ctx_c);
  1301. AssertNotNull(ctx_s = wolfSSL_CTX_new(wolfTLSv1_3_server_method()));
  1302. AssertTrue(wolfSSL_CTX_use_certificate_file(ctx_s, svrCertFile, WOLFSSL_FILETYPE_PEM));
  1303. AssertTrue(wolfSSL_CTX_use_PrivateKey_file(ctx_s, svrKeyFile, WOLFSSL_FILETYPE_PEM));
  1304. /* setup ssls */
  1305. QuicTestContext_init(&tclient, ctx_c, "client", verbose);
  1306. QuicTestContext_init(&tserver, ctx_s, "server", verbose);
  1307. wolfSSL_set_quic_early_data_enabled(tserver.ssl, 1);
  1308. /* QUIC only allows 0xffffffff or 0x0 as values */
  1309. AssertIntEQ(wolfSSL_get_max_early_data(tserver.ssl), UINT32_MAX);
  1310. QuicConversation_init(&conv, &tclient, &tserver);
  1311. /* run till end */
  1312. QuicConversation_do(&conv);
  1313. /* what have we seen? */
  1314. AssertStrEQ(conv.rec_log, "ClientHello:ServerHello:EncryptedExtension:"
  1315. "Certificate:CertificateVerify:Finished:Finished:SessionTicket");
  1316. /* Should have received a session ticket, save the session */
  1317. AssertTrue(tclient.ticket_len > 0);
  1318. AssertNotNull(session = wolfSSL_get1_session(tclient.ssl));
  1319. QuicTestContext_free(&tclient);
  1320. QuicTestContext_free(&tserver);
  1321. /* QUIC requires 0 or 0xffffffff as only allowed values.
  1322. * Since we enabled early data in the server that created the session,
  1323. * we need to see it here. */
  1324. max_early_sz = wolfSSL_SESSION_get_max_early_data(session);
  1325. AssertIntEQ(max_early_sz, UINT32_MAX);
  1326. /* Do a Session resumption with the ticket */
  1327. QuicTestContext_init(&tserver, ctx_s, "server", verbose);
  1328. QuicTestContext_init(&tclient, ctx_c, "client", verbose);
  1329. AssertIntEQ(wolfSSL_set_session(tclient.ssl, session), WOLFSSL_SUCCESS);
  1330. /* enable early data -*/
  1331. wolfSSL_set_quic_early_data_enabled(tserver.ssl, 1);
  1332. /* client will send, and server will receive implicitly */
  1333. QuicConversation_init(&conv, &tclient, &tserver);
  1334. QuicConversation_start(&conv, early_data, sizeof(early_data), &ed_written);
  1335. QuicConversation_do(&conv);
  1336. AssertIntEQ(wolfSSL_get_early_data_status(tclient.ssl), WOLFSSL_EARLY_DATA_ACCEPTED);
  1337. QuicTestContext_free(&tclient);
  1338. QuicTestContext_free(&tserver);
  1339. QuicTestContext_init(&tserver, ctx_s, "server", verbose);
  1340. QuicTestContext_init(&tclient, ctx_c, "client", verbose);
  1341. AssertIntEQ(wolfSSL_set_session(tclient.ssl, session), WOLFSSL_SUCCESS);
  1342. /* client will send, and server will receive */
  1343. QuicConversation_init(&conv, &tclient, &tserver);
  1344. /* make QuicConversation_do() use wolfSSL_read_early_data() */
  1345. conv.accept_early_data = 1;
  1346. QuicConversation_start(&conv, early_data, sizeof(early_data), &ed_written);
  1347. QuicConversation_do(&conv);
  1348. AssertIntEQ(wolfSSL_get_early_data_status(tclient.ssl), WOLFSSL_EARLY_DATA_ACCEPTED);
  1349. AssertIntEQ(conv.early_data_len, sizeof(early_data));
  1350. AssertStrEQ(conv.early_data, (const char*)early_data);
  1351. QuicTestContext_free(&tclient);
  1352. QuicTestContext_free(&tserver);
  1353. wolfSSL_SESSION_free(session);
  1354. wolfSSL_CTX_free(ctx_c);
  1355. wolfSSL_CTX_free(ctx_s);
  1356. printf(" test_quic_early_data: %s\n", (ret == 0)? passed : failed);
  1357. return ret;
  1358. }
  1359. #endif /* WOLFSSL_EARLY_DATA */
  1360. static int new_session_cb(WOLFSSL *ssl, WOLFSSL_SESSION *session)
  1361. {
  1362. QuicTestContext *ctx = (QuicTestContext*)wolfSSL_get_app_data(ssl);
  1363. byte *data;
  1364. int ret = 0;
  1365. int sz;
  1366. AssertNotNull(ctx);
  1367. sz = wolfSSL_i2d_SSL_SESSION(session, NULL);
  1368. if (sz <= 0) {
  1369. printf("[%s] session serialization error: %d <- ", ctx->name, sz);
  1370. return sz;
  1371. }
  1372. if ((size_t)sz > sizeof(ctx->session)) {
  1373. printf("[%s] session serialization too large: %d <- ", ctx->name, sz);
  1374. return -1;
  1375. }
  1376. data = ctx->session;
  1377. ctx->session_len = (word32)wolfSSL_i2d_SSL_SESSION(session, &data);
  1378. if (ctx->verbose) {
  1379. printf("[%s]", ctx->name);
  1380. dump_buffer(" new SESSION", ctx->session, ctx->session_len, 4);
  1381. }
  1382. return ret;
  1383. }
  1384. static int test_quic_session_export(int verbose)
  1385. {
  1386. WOLFSSL_CTX *ctx_c, *ctx_s;
  1387. WOLFSSL_SESSION *session = NULL;
  1388. int ret = 0;
  1389. QuicTestContext tclient, tserver;
  1390. QuicConversation conv;
  1391. byte session_data[16*1024];
  1392. const byte *bp;
  1393. word32 session_len;
  1394. AssertNotNull(ctx_c = wolfSSL_CTX_new(wolfTLSv1_3_client_method()));
  1395. AssertNotNull(ctx_s = wolfSSL_CTX_new(wolfTLSv1_3_server_method()));
  1396. AssertTrue(wolfSSL_CTX_use_certificate_file(ctx_s, svrCertFile, WOLFSSL_FILETYPE_PEM));
  1397. AssertTrue(wolfSSL_CTX_use_PrivateKey_file(ctx_s, svrKeyFile, WOLFSSL_FILETYPE_PEM));
  1398. /* Uses CTX session callback for new sessions */
  1399. wolfSSL_CTX_sess_set_new_cb(ctx_c, new_session_cb);
  1400. /* setup ssls */
  1401. QuicTestContext_init(&tclient, ctx_c, "client", verbose);
  1402. QuicTestContext_init(&tserver, ctx_s, "server", verbose);
  1403. QuicConversation_init(&conv, &tclient, &tserver);
  1404. /* run till end */
  1405. QuicConversation_do(&conv);
  1406. /* what have we seen? */
  1407. AssertStrEQ(conv.rec_log, "ClientHello:ServerHello:EncryptedExtension:Certificate:CertificateVerify:Finished:Finished:SessionTicket");
  1408. /* Should have received a session, save it */
  1409. AssertTrue(tclient.session_len > 0);
  1410. memcpy(session_data, tclient.session, tclient.session_len);
  1411. session_len = tclient.session_len;
  1412. if (verbose)
  1413. dump_buffer("copied SESSION", session_data, session_len, 0);
  1414. QuicTestContext_free(&tserver);
  1415. QuicTestContext_free(&tclient);
  1416. /* Do a Session resumption with the ticket */
  1417. QuicTestContext_init(&tserver, ctx_s, "server", verbose);
  1418. QuicTestContext_init(&tclient, ctx_c, "client_resume", verbose);
  1419. bp = session_data;
  1420. AssertNotNull(session = wolfSSL_d2i_SSL_SESSION(NULL, &bp, session_len));
  1421. AssertIntEQ(wolfSSL_set_session(tclient.ssl, session), WOLFSSL_SUCCESS);
  1422. wolfSSL_SESSION_free(session);
  1423. /* let them talk */
  1424. QuicConversation_init(&conv, &tclient, &tserver);
  1425. QuicConversation_do(&conv);
  1426. /* this is what should happen. Look Ma, no certificate! */
  1427. AssertStrEQ(conv.rec_log, "ClientHello:ServerHello:EncryptedExtension:Finished:Finished:SessionTicket");
  1428. QuicTestContext_free(&tclient);
  1429. QuicTestContext_free(&tserver);
  1430. wolfSSL_CTX_free(ctx_c);
  1431. wolfSSL_CTX_free(ctx_s);
  1432. printf(" test_quic_session_export: %s\n", (ret == 0)? passed : failed);
  1433. return ret;
  1434. }
  1435. #endif /* WOLFSSL_SESSION_EXPORT */
  1436. #endif /* WOLFSSL_QUIC */
  1437. int QuicTest(void)
  1438. {
  1439. int ret = 0;
  1440. #ifdef WOLFSSL_QUIC
  1441. int verbose = 0;
  1442. printf(" Begin QUIC Tests\n");
  1443. if ((ret = test_set_quic_method()) != 0) goto leave;
  1444. if ((ret = test_provide_quic_data()) != 0) goto leave;
  1445. if ((ret = test_quic_crypt()) != 0) goto leave;
  1446. if ((ret = test_quic_client_hello(verbose)) != 0) goto leave;
  1447. if ((ret = test_quic_server_hello(verbose)) != 0) goto leave;
  1448. #ifdef REALLY_HAVE_ALPN_AND_SNI
  1449. if ((ret = test_quic_alpn(verbose)) != 0) goto leave;
  1450. #endif /* REALLY_HAVE_ALPN_AND_SNI */
  1451. #ifdef HAVE_SESSION_TICKET
  1452. if ((ret = test_quic_key_share(verbose)) != 0) goto leave;
  1453. if ((ret = test_quic_resumption(verbose)) != 0) goto leave;
  1454. #ifdef WOLFSSL_EARLY_DATA
  1455. if ((ret = test_quic_early_data(verbose)) != 0) goto leave;
  1456. #endif /* WOLFSSL_EARLY_DATA */
  1457. if ((ret = test_quic_session_export(verbose)) != 0) goto leave;
  1458. #endif /* HAVE_SESSION_TICKET */
  1459. leave:
  1460. if (ret != 0)
  1461. printf(" FAILED: some tests did not pass.\n");
  1462. printf(" End QUIC Tests\n");
  1463. #endif
  1464. return ret;
  1465. }