1
0

quic.c 60 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659
  1. /* quic.c QUIC unit tests
  2. *
  3. * Copyright (C) 2006-2024 wolfSSL Inc.
  4. *
  5. * This file is part of wolfSSL.
  6. *
  7. * wolfSSL is free software; you can redistribute it and/or modify
  8. * it under the terms of the GNU General Public License as published by
  9. * the Free Software Foundation; either version 2 of the License, or
  10. * (at your option) any later version.
  11. *
  12. * wolfSSL is distributed in the hope that it will be useful,
  13. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  14. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  15. * GNU General Public License for more details.
  16. *
  17. * You should have received a copy of the GNU General Public License
  18. * along with this program; if not, write to the Free Software
  19. * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  20. */
  21. #ifdef HAVE_CONFIG_H
  22. #include <config.h>
  23. #endif
  24. #ifndef WOLFSSL_USER_SETTINGS
  25. #include <wolfssl/options.h>
  26. #endif
  27. #include <wolfssl/wolfcrypt/settings.h>
  28. #include <tests/unit.h>
  29. #ifdef WOLFSSL_QUIC
  30. #include <wolfssl/ssl.h>
  31. #include <wolfssl/quic.h>
  32. #ifdef NO_INLINE
  33. #include <wolfssl/wolfcrypt/misc.h>
  34. #else
  35. #define WOLFSSL_MISC_INCLUDED
  36. #include <wolfcrypt/src/misc.c>
  37. #endif
  38. #include <wolfssl/error-ssl.h>
  39. #include <wolfssl/internal.h>
  40. #define testingFmt " %s:"
  41. #define resultFmt " %s\n"
  42. static const char* passed = "passed";
  43. static const char* failed = "failed";
  44. typedef struct {
  45. const char *name;
  46. WOLFSSL_METHOD *method;
  47. int is_server;
  48. } ctx_setups;
  49. static int dummy_set_encryption_secrets(WOLFSSL *ssl, WOLFSSL_ENCRYPTION_LEVEL level,
  50. const uint8_t *read_secret,
  51. const uint8_t *write_secret, size_t secret_len)
  52. {
  53. (void)ssl;
  54. printf("QUIC_set_encryption_secrets(level=%d, length=%d, rx=%s, tx=%s)\n",
  55. level, (int)secret_len, read_secret? "yes" : "no", write_secret? "yes" : "no");
  56. return 1;
  57. }
  58. static int dummy_add_handshake_data(WOLFSSL *ssl, WOLFSSL_ENCRYPTION_LEVEL level,
  59. const uint8_t *data, size_t len)
  60. {
  61. (void)ssl;
  62. (void)data;
  63. printf("QUIC_add_handshake_data(level=%d, length=%d)\n", level, (int)len);
  64. return 1;
  65. }
  66. static int dummy_flush_flight(WOLFSSL *ssl)
  67. {
  68. (void)ssl;
  69. printf("QUIC_flush_flight()\n");
  70. return 1;
  71. }
  72. static int dummy_send_alert(WOLFSSL *ssl, WOLFSSL_ENCRYPTION_LEVEL level, uint8_t err)
  73. {
  74. (void)ssl;
  75. printf("QUIC_send_alert(level=%d, err=%d)\n", level, err);
  76. return 1;
  77. }
  78. static WOLFSSL_QUIC_METHOD dummy_method = {
  79. dummy_set_encryption_secrets,
  80. dummy_add_handshake_data,
  81. dummy_flush_flight,
  82. dummy_send_alert,
  83. };
  84. static WOLFSSL_QUIC_METHOD null_method = {
  85. NULL, NULL, NULL, NULL
  86. };
  87. static int test_set_quic_method(void) {
  88. WOLFSSL_CTX *ctx;
  89. WOLFSSL *ssl;
  90. int ret = 0, i;
  91. const uint8_t *data;
  92. size_t data_len;
  93. ctx_setups valids[] = {
  94. #ifdef WOLFSSL_TLS13
  95. { "TLSv1.3 server", wolfTLSv1_3_server_method(), 1},
  96. { "TLSv1.3 client", wolfTLSv1_3_client_method(), 0},
  97. #endif
  98. { NULL, NULL, 0}
  99. };
  100. ctx_setups invalids[] = {
  101. #ifndef WOLFSSL_NO_TLS12
  102. { "TLSv1.2 server", wolfTLSv1_2_server_method(), 1},
  103. { "TLSv1.2 client", wolfTLSv1_2_client_method(), 0},
  104. #endif
  105. #ifndef NO_OLD_TLS
  106. { "TLSv1.1 server", wolfTLSv1_1_server_method(), 1},
  107. { "TLSv1.1 client", wolfTLSv1_1_client_method(), 0},
  108. #endif
  109. { NULL, NULL, 0}
  110. };
  111. for (i = 0; valids[i].name != NULL; ++i) {
  112. AssertNotNull(ctx = wolfSSL_CTX_new(valids[i].method));
  113. if (valids[i].is_server) {
  114. AssertTrue(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile,
  115. WOLFSSL_FILETYPE_PEM));
  116. AssertTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile,
  117. WOLFSSL_FILETYPE_PEM));
  118. }
  119. /* ctx does not have quic enabled, so will SSL* derived from it */
  120. AssertNotNull(ssl = wolfSSL_new(ctx));
  121. AssertFalse(wolfSSL_is_quic(ssl));
  122. /* Enable quic on the SSL* */
  123. AssertFalse(wolfSSL_set_quic_method(ssl, &null_method) == WOLFSSL_SUCCESS);
  124. AssertTrue(wolfSSL_set_quic_method(ssl, &dummy_method) == WOLFSSL_SUCCESS);
  125. AssertTrue(wolfSSL_is_quic(ssl));
  126. /* Check some default, initial behaviour */
  127. AssertTrue(wolfSSL_set_quic_transport_params(ssl, NULL, 0) == WOLFSSL_SUCCESS);
  128. wolfSSL_get_peer_quic_transport_params(ssl, &data, &data_len);
  129. AssertNull(data);
  130. AssertTrue(data_len == 0);
  131. AssertTrue(wolfSSL_quic_read_level(ssl) == wolfssl_encryption_initial);
  132. AssertTrue(wolfSSL_quic_write_level(ssl) == wolfssl_encryption_initial);
  133. AssertTrue(wolfSSL_get_quic_transport_version(ssl) == 0);
  134. wolfSSL_set_quic_transport_version(ssl, TLSX_KEY_QUIC_TP_PARAMS);
  135. AssertTrue(wolfSSL_get_quic_transport_version(ssl) == TLSX_KEY_QUIC_TP_PARAMS);
  136. wolfSSL_set_quic_use_legacy_codepoint(ssl, 1);
  137. AssertTrue(wolfSSL_get_quic_transport_version(ssl) == TLSX_KEY_QUIC_TP_PARAMS_DRAFT);
  138. wolfSSL_set_quic_use_legacy_codepoint(ssl, 0);
  139. AssertTrue(wolfSSL_get_quic_transport_version(ssl) == TLSX_KEY_QUIC_TP_PARAMS);
  140. /* max flight len during stages of handhshake, we us 16k initial and on
  141. * app data, and during handshake allow larger for cert exchange. This is
  142. * more advisory for the network code. ngtcp2 has its own ideas, for example.
  143. */
  144. data_len = wolfSSL_quic_max_handshake_flight_len(ssl, wolfssl_encryption_initial);
  145. AssertTrue(data_len == 16*1024);
  146. data_len = wolfSSL_quic_max_handshake_flight_len(ssl, wolfssl_encryption_early_data);
  147. AssertTrue(data_len == 0);
  148. data_len = wolfSSL_quic_max_handshake_flight_len(ssl, wolfssl_encryption_handshake);
  149. AssertTrue(data_len >= 16*1024);
  150. data_len = wolfSSL_quic_max_handshake_flight_len(ssl, wolfssl_encryption_application);
  151. AssertTrue(data_len == 16*1024);
  152. wolfSSL_free(ssl);
  153. /* Enabled quic on the ctx */
  154. AssertTrue(wolfSSL_CTX_set_quic_method(ctx, &dummy_method) == WOLFSSL_SUCCESS);
  155. /* It will be enabled on the SSL* */
  156. AssertNotNull(ssl = wolfSSL_new(ctx));
  157. AssertTrue(wolfSSL_is_quic(ssl));
  158. wolfSSL_free(ssl);
  159. wolfSSL_CTX_free(ctx);
  160. }
  161. for (i = 0; invalids[i].name != NULL; ++i) {
  162. AssertNotNull(ctx = wolfSSL_CTX_new(invalids[i].method));
  163. AssertTrue(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile,
  164. WOLFSSL_FILETYPE_PEM));
  165. AssertTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile,
  166. WOLFSSL_FILETYPE_PEM));
  167. AssertFalse(wolfSSL_CTX_set_quic_method(ctx, &dummy_method) == WOLFSSL_SUCCESS);
  168. AssertNotNull(ssl = wolfSSL_new(ctx));
  169. AssertFalse(wolfSSL_set_quic_method(ssl, &dummy_method) == WOLFSSL_SUCCESS);
  170. AssertFalse(wolfSSL_is_quic(ssl));
  171. /* even though not quic, this is the only level we can return */
  172. AssertTrue(wolfSSL_quic_read_level(ssl) == wolfssl_encryption_initial);
  173. AssertTrue(wolfSSL_quic_write_level(ssl) == wolfssl_encryption_initial);
  174. wolfSSL_free(ssl);
  175. wolfSSL_CTX_free(ctx);
  176. }
  177. printf(" test_set_quic_method: %s\n", (ret == 0)? passed : failed);
  178. return ret;
  179. }
  180. static size_t fake_record(byte rtype, word32 rlen, uint8_t *rec)
  181. {
  182. rec[0] = (uint8_t)rtype;
  183. c32to24(rlen, rec+1);
  184. return rlen + 4;
  185. }
  186. static size_t shift_record(uint8_t *rec, size_t len, size_t written)
  187. {
  188. len -= written;
  189. XMEMMOVE(rec, rec+written, len);
  190. return len;
  191. }
  192. static void dump_buffer(const char *name, const byte *p, size_t len, int indent)
  193. {
  194. size_t i = 0;
  195. printf("%s[%d] = {", name, (int)len);
  196. while((p != NULL) && (i < len)) {
  197. if((i % 0x10) == 0) {
  198. printf("\n");
  199. printf("%*s %04X - ", indent, " ", (int)i);
  200. }
  201. else if((i % 0x08) == 0) {
  202. printf(" ");
  203. }
  204. printf("%02X ", p[i]);
  205. i++;
  206. }
  207. printf("\n%*s};\n", indent, " ");
  208. }
  209. static void dump_ssl_buffers(WOLFSSL *ssl, FILE *fp)
  210. {
  211. QuicRecord *qr = ssl->quic.input_head;
  212. fprintf(fp, "SSL quic data buffered: \n");
  213. while (qr) {
  214. fprintf(fp, " - %d-%d/%d (cap %d, level=%d)\n",
  215. qr->start, qr->end, qr->len, qr->capacity, qr->level);
  216. qr = qr->next;
  217. }
  218. if ((qr = ssl->quic.scratch)) {
  219. fprintf(fp, " scratch: %d-%d/%d (cap %d, level=%d)\n",
  220. qr->start, qr->end, qr->len, qr->capacity, qr->level);
  221. }
  222. else {
  223. fprintf(fp, " scratch: -\n");
  224. }
  225. }
  226. static int provide_data(WOLFSSL *ssl, WOLFSSL_ENCRYPTION_LEVEL level,
  227. const uint8_t *data, size_t len, int excpect_fail)
  228. {
  229. int ret;
  230. ret = (wolfSSL_provide_quic_data(ssl, level, data, len) == WOLFSSL_SUCCESS);
  231. if (!!ret != !excpect_fail) {
  232. dump_ssl_buffers(ssl, stdout);
  233. return 0;
  234. }
  235. return 1;
  236. }
  237. static int test_provide_quic_data(void) {
  238. WOLFSSL_CTX *ctx;
  239. WOLFSSL *ssl;
  240. uint8_t lbuffer[16*1024];
  241. size_t len;
  242. int ret = 0;
  243. AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method()));
  244. AssertTrue(wolfSSL_CTX_set_quic_method(ctx, &dummy_method) == WOLFSSL_SUCCESS);
  245. /* provide_quic_data() feeds CRYPTO packets inside a QUIC Frame into
  246. * the TLSv1.3 state machine.
  247. * The data fed is not the QUIC frame, but the TLS record inside it.
  248. * This may be called several times before SSL_do_handshake() is invoked
  249. * to process them.
  250. * During buffering this data, the code checks that:
  251. * - encryption level only ever increases for subsequent TLS records
  252. * - a TLS record is received complete before the encryption level increases
  253. */
  254. AssertNotNull(ssl = wolfSSL_new(ctx));
  255. len = fake_record(1, 100, lbuffer);
  256. AssertTrue(provide_data(ssl, wolfssl_encryption_initial, lbuffer, len, 0));
  257. len = fake_record(2, 1523, lbuffer);
  258. AssertTrue(provide_data(ssl, wolfssl_encryption_handshake, lbuffer, len, 0));
  259. len = fake_record(2, 1, lbuffer);
  260. len += fake_record(3, 190, lbuffer+len);
  261. AssertTrue(provide_data(ssl, wolfssl_encryption_handshake, lbuffer, len, 0));
  262. len = fake_record(5, 2049, lbuffer);
  263. AssertTrue(provide_data(ssl, wolfssl_encryption_application, lbuffer, len, 0));
  264. /* adding another record with decreased level must fail */
  265. len = fake_record(1, 100, lbuffer);
  266. AssertTrue(provide_data(ssl, wolfssl_encryption_initial, lbuffer, len, 1));
  267. wolfSSL_free(ssl);
  268. AssertNotNull(ssl = wolfSSL_new(ctx));
  269. len = fake_record(1, 100, lbuffer);
  270. AssertTrue(provide_data(ssl, wolfssl_encryption_initial, lbuffer, 24, 0));
  271. len = shift_record(lbuffer, len, 24);
  272. len += fake_record(2, 4000, lbuffer+len);
  273. AssertTrue(provide_data(ssl, wolfssl_encryption_initial, lbuffer, len - 99, 0));
  274. len = shift_record(lbuffer, len, len - 99);
  275. len += fake_record(5, 2049, lbuffer+len);
  276. AssertTrue(provide_data(ssl, wolfssl_encryption_initial, lbuffer, len, 0));
  277. /* should be recognized as complete and level increase needs to be accepted */
  278. len = fake_record(2, 1, lbuffer);
  279. len += fake_record(3, 190, lbuffer+len);
  280. AssertTrue(provide_data(ssl, wolfssl_encryption_handshake, lbuffer, len - 10, 0));
  281. len = shift_record(lbuffer, len, len - 10);
  282. /* Change level with incomplete record in lbuffer, needs to fail */
  283. len += fake_record(5, 8102, lbuffer+len);
  284. AssertTrue(provide_data(ssl, wolfssl_encryption_application, lbuffer, len - 10, 1));
  285. wolfSSL_free(ssl);
  286. wolfSSL_CTX_free(ctx);
  287. printf(" test_provide_quic_data: %s\n", (ret == 0)? passed : failed);
  288. return 0;
  289. }
  290. static int test_quic_crypt(void) {
  291. WOLFSSL_CTX *ctx;
  292. WOLFSSL *ssl;
  293. const WOLFSSL_EVP_CIPHER *aead_cipher;
  294. int ret = 0;
  295. AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method()));
  296. AssertTrue(wolfSSL_CTX_set_quic_method(ctx, &dummy_method) == WOLFSSL_SUCCESS);
  297. AssertNotNull(ssl = wolfSSL_new(ctx));
  298. /* don't have an AEAD cipher selected before start */
  299. AssertTrue(wolfSSL_CIPHER_get_id(wolfSSL_get_current_cipher(ssl)) == 0);
  300. AssertNotNull(aead_cipher = wolfSSL_EVP_aes_128_gcm());
  301. AssertTrue(wolfSSL_quic_aead_is_gcm(aead_cipher) != 0);
  302. AssertTrue(wolfSSL_quic_aead_is_ccm(aead_cipher) == 0);
  303. AssertTrue(wolfSSL_quic_aead_is_chacha20(aead_cipher) == 0);
  304. if (1) {
  305. /* check that our enc-/decrypt support in quic rount-trips */
  306. static const uint8_t key[16] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
  307. 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff};
  308. static const uint8_t aad[] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19};
  309. static const uint8_t iv[] = {20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31};
  310. static const uint8_t plaintext[] = "hello world\nhello world\nhello world\nhello world\nhello world\nhello world\nhello world\n";
  311. static const uint8_t expected[] = {0xd3, 0xa8, 0x1d, 0x96, 0x4c, 0x9b, 0x02, 0xd7, 0x9a, 0xb0, 0x41, 0x07, 0x4c, 0x8c, 0xe2,
  312. 0xe0, 0x2e, 0x83, 0x54, 0x52, 0x45, 0xcb, 0xd4, 0x68, 0xc8, 0x43, 0x45, 0xca, 0x91, 0xfb,
  313. 0xa3, 0x7a, 0x67, 0xed, 0xe8, 0xd7, 0x5e, 0xe2, 0x33, 0xd1, 0x3e, 0xbf, 0x50, 0xc2, 0x4b,
  314. 0x86, 0x83, 0x55, 0x11, 0xbb, 0x17, 0x4f, 0xf5, 0x78, 0xb8, 0x65, 0xeb, 0x9a, 0x2b, 0x8f,
  315. 0x77, 0x08, 0xa9, 0x60, 0x17, 0x73, 0xc5, 0x07, 0xf3, 0x04, 0xc9, 0x3f, 0x67, 0x4d, 0x12,
  316. 0xa1, 0x02, 0x93, 0xc2, 0x3c, 0xd3, 0xf8, 0x59, 0x33, 0xd5, 0x01, 0xc3, 0xbb, 0xaa, 0xe6,
  317. 0x3f, 0xbb, 0x23, 0x66, 0x94, 0x26, 0x28, 0x43, 0xa5, 0xfd, 0x2f};
  318. WOLFSSL_EVP_CIPHER_CTX *enc_ctx, *dec_ctx;
  319. uint8_t *encrypted, *decrypted;
  320. size_t tag_len, enc_len, dec_len;
  321. AssertTrue((tag_len = wolfSSL_quic_get_aead_tag_len(aead_cipher)) == 16);
  322. dec_len = sizeof(plaintext);
  323. enc_len = dec_len + tag_len;
  324. encrypted = (uint8_t*)XMALLOC(enc_len, NULL, DYNAMIC_TYPE_TMP_BUFFER);
  325. AssertNotNull(encrypted);
  326. decrypted = (uint8_t*)XMALLOC(dec_len, NULL, DYNAMIC_TYPE_TMP_BUFFER);
  327. AssertNotNull(decrypted);
  328. AssertNotNull(enc_ctx = wolfSSL_quic_crypt_new(aead_cipher, key, iv, 1));
  329. AssertTrue(wolfSSL_quic_aead_encrypt(encrypted, enc_ctx,
  330. plaintext, sizeof(plaintext),
  331. NULL, aad, sizeof(aad)) == WOLFSSL_SUCCESS);
  332. AssertTrue(memcmp(expected, encrypted, dec_len) == 0);
  333. AssertTrue(memcmp(expected+dec_len, encrypted+dec_len, tag_len) == 0);
  334. AssertNotNull(dec_ctx = wolfSSL_quic_crypt_new(aead_cipher, key, iv, 0));
  335. AssertTrue(wolfSSL_quic_aead_decrypt(decrypted, dec_ctx,
  336. encrypted, enc_len,
  337. NULL, aad, sizeof(aad)) == WOLFSSL_SUCCESS);
  338. AssertTrue(memcmp(plaintext, decrypted, dec_len) == 0);
  339. XFREE(encrypted, NULL, DYNAMIC_TYPE_TMP_BUFFER);
  340. XFREE(decrypted, NULL, DYNAMIC_TYPE_TMP_BUFFER);
  341. wolfSSL_EVP_CIPHER_CTX_free(enc_ctx);
  342. wolfSSL_EVP_CIPHER_CTX_free(dec_ctx);
  343. }
  344. wolfSSL_free(ssl);
  345. wolfSSL_CTX_free(ctx);
  346. printf(" test_quic_crypt: %s\n", (ret == 0)? passed : failed);
  347. return ret;
  348. }
  349. typedef struct OutputBuffer {
  350. byte data[64*1024];
  351. size_t len;
  352. WOLFSSL_ENCRYPTION_LEVEL level;
  353. struct OutputBuffer *next;
  354. } OutputBuffer;
  355. typedef struct {
  356. const char *name;
  357. WOLFSSL *ssl;
  358. OutputBuffer output;
  359. byte rx_secret[4][1024];
  360. size_t rx_secret_len[4];
  361. byte tx_secret[4][1024];
  362. size_t tx_secret_len[4];
  363. int handshake_done;
  364. int alert_level;
  365. int alert;
  366. int flushed;
  367. int verbose;
  368. byte ticket[16*1024];
  369. word32 ticket_len;
  370. byte session[16*1024];
  371. word32 session_len;
  372. } QuicTestContext;
  373. static int ctx_set_encryption_secrets(WOLFSSL *ssl, WOLFSSL_ENCRYPTION_LEVEL level,
  374. const uint8_t *read_secret,
  375. const uint8_t *write_secret, size_t secret_len);
  376. static int ctx_add_handshake_data(WOLFSSL *ssl, WOLFSSL_ENCRYPTION_LEVEL level,
  377. const uint8_t *data, size_t len);
  378. static int ctx_flush_flight(WOLFSSL *ssl);
  379. static int ctx_send_alert(WOLFSSL *ssl, WOLFSSL_ENCRYPTION_LEVEL level, uint8_t err);
  380. #ifdef HAVE_SESSION_TICKET
  381. static int ctx_session_ticket_cb(WOLFSSL* ssl,
  382. const unsigned char* ticket, int ticketSz,
  383. void* cb_ctx);
  384. #endif
  385. static WOLFSSL_QUIC_METHOD ctx_method = {
  386. ctx_set_encryption_secrets,
  387. ctx_add_handshake_data,
  388. ctx_flush_flight,
  389. ctx_send_alert,
  390. };
  391. static void QuicTestContext_init(QuicTestContext *tctx, WOLFSSL_CTX *ctx,
  392. const char *name, int verbose)
  393. {
  394. static const byte tp_params_c[] = {0, 1, 2, 3, 4, 5, 6, 7};
  395. static const byte tp_params_s[] = {7, 6, 5, 4, 3, 2, 1, 0, 1};
  396. AssertNotNull(tctx);
  397. memset(tctx, 0, sizeof(*tctx));
  398. tctx->name = name;
  399. AssertNotNull((tctx->ssl = wolfSSL_new(ctx)));
  400. tctx->verbose = verbose;
  401. wolfSSL_set_app_data(tctx->ssl, tctx);
  402. AssertTrue(wolfSSL_set_quic_method(tctx->ssl, &ctx_method) == WOLFSSL_SUCCESS);
  403. wolfSSL_set_verify(tctx->ssl, SSL_VERIFY_NONE, 0);
  404. #ifdef HAVE_SESSION_TICKET
  405. wolfSSL_UseSessionTicket(tctx->ssl);
  406. wolfSSL_set_SessionTicket_cb(tctx->ssl, ctx_session_ticket_cb, NULL);
  407. #endif
  408. if (wolfSSL_is_server(tctx->ssl)) {
  409. wolfSSL_set_quic_transport_version(tctx->ssl, 0);
  410. wolfSSL_set_quic_transport_params(tctx->ssl, tp_params_s, sizeof(tp_params_s));
  411. }
  412. else {
  413. wolfSSL_set_quic_transport_version(tctx->ssl, 0);
  414. wolfSSL_set_quic_transport_params(tctx->ssl, tp_params_c, sizeof(tp_params_c));
  415. }
  416. }
  417. static void QuicTestContext_free(QuicTestContext *tctx)
  418. {
  419. OutputBuffer *out, *n;
  420. if (tctx->ssl) {
  421. wolfSSL_free(tctx->ssl);
  422. tctx->ssl = NULL;
  423. }
  424. out = tctx->output.next;
  425. while (out) {
  426. n = out->next;
  427. free(out);
  428. out = n;
  429. }
  430. }
  431. static int ctx_set_encryption_secrets(WOLFSSL *ssl, WOLFSSL_ENCRYPTION_LEVEL level,
  432. const uint8_t *read_secret,
  433. const uint8_t *write_secret, size_t secret_len)
  434. {
  435. QuicTestContext *ctx = (QuicTestContext*)wolfSSL_get_app_data(ssl);
  436. AssertNotNull(ctx);
  437. AssertTrue(secret_len <= sizeof(ctx->rx_secret[0]));
  438. if (read_secret) {
  439. memcpy(ctx->rx_secret[level], read_secret, secret_len);
  440. ctx->rx_secret_len[level] = secret_len;
  441. }
  442. if (write_secret) {
  443. memcpy(ctx->tx_secret[level], write_secret, secret_len);
  444. ctx->tx_secret_len[level] = secret_len;
  445. }
  446. AssertNotNull(ctx);
  447. return 1;
  448. }
  449. static int ctx_add_handshake_data(WOLFSSL *ssl, WOLFSSL_ENCRYPTION_LEVEL level,
  450. const uint8_t *data, size_t len)
  451. {
  452. QuicTestContext *ctx = (QuicTestContext*)wolfSSL_get_app_data(ssl);
  453. OutputBuffer *out;
  454. AssertNotNull(ctx);
  455. out = &ctx->output;
  456. while (out->next) {
  457. out = out->next;
  458. }
  459. if (out->level != level) {
  460. if (out->len > 0) {
  461. out->next = (OutputBuffer*)calloc(1, sizeof(OutputBuffer));
  462. out = out->next;
  463. AssertNotNull(out);
  464. }
  465. out->level = level;
  466. }
  467. if (ctx->verbose) {
  468. printf("[%s] add_handshake[enc_level=%d]: %d bytes\n", ctx->name, level, (int)len);
  469. /* dump_buffer("add", data, len, 0); */
  470. }
  471. if (len > 0) {
  472. AssertTrue(out->len + len < sizeof(out->data));
  473. memcpy(out->data + out->len, data, len);
  474. out->len += len;
  475. }
  476. return 1;
  477. }
  478. static int ctx_flush_flight(WOLFSSL *ssl)
  479. {
  480. QuicTestContext *ctx = (QuicTestContext*)wolfSSL_get_app_data(ssl);
  481. AssertNotNull(ctx);
  482. ctx->flushed = 1;
  483. return 1;
  484. }
  485. static int ctx_send_alert(WOLFSSL *ssl, WOLFSSL_ENCRYPTION_LEVEL level, uint8_t err)
  486. {
  487. QuicTestContext *ctx = (QuicTestContext*)wolfSSL_get_app_data(ssl);
  488. AssertNotNull(ctx);
  489. if (ctx->verbose) {
  490. printf("[%s] send_alert: level=%d, err=%d\n", ctx->name, level, err);
  491. }
  492. ctx->alert_level = level;
  493. ctx->alert = alert;
  494. return 1;
  495. }
  496. #ifdef HAVE_SESSION_TICKET
  497. static int ctx_session_ticket_cb(WOLFSSL* ssl,
  498. const unsigned char* ticket, int ticketSz,
  499. void* cb_ctx)
  500. {
  501. QuicTestContext *ctx = (QuicTestContext*)wolfSSL_get_app_data(ssl);
  502. AssertNotNull(ctx);
  503. (void)cb_ctx;
  504. if (ticketSz < 0 || (size_t)ticketSz > sizeof(ctx->ticket)) {
  505. printf("SESSION TICKET callback: ticket given is too large: %d bytes\n", ticketSz);
  506. return 1;
  507. }
  508. memset(ctx->ticket, 0, sizeof(ctx->ticket));
  509. ctx->ticket_len = (word32)ticketSz;
  510. memcpy(ctx->ticket, ticket, (size_t)ticketSz);
  511. if (ctx->verbose) {
  512. printf("Session Ticket[%s]: ", ctx->name);
  513. dump_buffer("", ticket, (size_t)ticketSz, 4);
  514. }
  515. return 0;
  516. }
  517. #endif
  518. static void ctx_dump_output(QuicTestContext *ctx)
  519. {
  520. dump_buffer("Output", ctx->output.data, ctx->output.len, 0);
  521. }
  522. static void check_handshake_record(const byte *data, size_t data_len, int *ptype, size_t *prlen)
  523. {
  524. word32 rlen;
  525. AssertTrue(data_len >= HANDSHAKE_HEADER_SZ);
  526. *ptype = data[0];
  527. c24to32(&data[1], &rlen);
  528. *prlen = rlen + HANDSHAKE_HEADER_SZ;
  529. }
  530. static void ext_dump(const byte *data, size_t data_len, int indent)
  531. {
  532. size_t idx = 0;
  533. word16 len16, etype, i;
  534. printf("%*sextensions:\n", indent, " ");
  535. while (idx < data_len) {
  536. ato16(&data[idx], &etype); /* extension type */
  537. ato16(&data[idx+2], &len16); /* extension length */
  538. printf(" extension: %04x [", etype);
  539. for (i = 0; i < len16; ++i) {
  540. printf("%s0x%02x", (i? ", ": ""), data[idx+4+i]);
  541. }
  542. printf("]\n");
  543. idx += 2 + 2 + len16;
  544. }
  545. }
  546. static const byte *ext_find(const byte *data, size_t data_len, int ext_type)
  547. {
  548. size_t idx = 0;
  549. word16 len16, etype;
  550. while (idx < data_len) {
  551. ato16(&data[idx], &etype); /* extension type */
  552. if (etype == ext_type) {
  553. return data + idx;
  554. }
  555. ato16(&data[idx+2], &len16); /* extension length */
  556. idx += 2 + 2 + len16;
  557. }
  558. return NULL;
  559. }
  560. static int ext_has(const byte *data, size_t data_len, int ext_type)
  561. {
  562. return ext_find(data, data_len,ext_type) != NULL;
  563. }
  564. static void ext_equals(const byte *data, size_t data_len, int ext_type,
  565. const byte *exp_data, size_t exp_len)
  566. {
  567. const byte *ext;
  568. word16 len16;
  569. AssertNotNull(ext = ext_find(data, data_len, ext_type));
  570. ato16(&ext[2], &len16);
  571. AssertTrue(len16 == exp_len);
  572. AssertTrue(memcmp(ext + 4, exp_data, exp_len) == 0);
  573. }
  574. static void check_quic_client_hello(const byte *data, size_t data_len, int verbose, int indent)
  575. {
  576. size_t idx;
  577. word16 len16;
  578. const byte *exts;
  579. size_t exts_len, rec_len;
  580. int rec_type;
  581. static byte ext_sup_version[3] = {0x02, 0x03, 0x04};
  582. check_handshake_record(data, data_len, &rec_type, &rec_len);
  583. AssertIntEQ(rec_type, client_hello);
  584. idx = HANDSHAKE_HEADER_SZ;
  585. /* the client hello arrives alone */
  586. AssertIntEQ(rec_len, data_len);
  587. AssertTrue(data[idx++] == SSLv3_MAJOR);
  588. AssertTrue(data[idx++] == TLSv1_2_MINOR);
  589. idx += 32; /* 32 bytes RANDOM */
  590. AssertIntEQ(data[idx], 0); /* session id length MUST be 0, RFC9001 ch. 8.4 */
  591. idx += 1 + data[idx];
  592. ato16(&data[idx], &len16); /* ciphers length */
  593. AssertTrue(len16 > 0);
  594. idx += 2 + len16;
  595. AssertTrue(data[idx] == 1); /* compressions */
  596. AssertTrue(data[idx+1] == 0); /* no compression */
  597. idx += 2;
  598. ato16(&data[idx], &len16); /* extensions length */
  599. AssertTrue(len16 > 0);
  600. exts_len = len16;
  601. idx += 2;
  602. exts = &data[idx];
  603. idx += exts_len;
  604. AssertTrue(idx <= rec_len); /* should fit */
  605. for (; idx < rec_len; ++idx) {
  606. AssertTrue(data[idx] == 0); /* padding */
  607. }
  608. ext_equals(exts, exts_len, TLSX_SUPPORTED_VERSIONS,
  609. ext_sup_version, sizeof(ext_sup_version));
  610. if (verbose) {
  611. ext_dump(exts, exts_len, indent);
  612. dump_buffer("", data, data_len, indent);
  613. }
  614. }
  615. static void check_quic_client_hello_tp(OutputBuffer *out, int tp_v1, int tp_draft)
  616. {
  617. size_t idx;
  618. word16 len16;
  619. const byte *exts;
  620. size_t exts_len, rec_len;
  621. int rec_type;
  622. check_handshake_record(out->data, out->len, &rec_type, &rec_len);
  623. AssertIntEQ(rec_type, client_hello);
  624. idx = HANDSHAKE_HEADER_SZ;
  625. idx += 2; /* old version */
  626. idx += 32; /* 32 bytes RANDOM */
  627. idx += 1 + out->data[idx]; /* session id */
  628. ato16(&out->data[idx], &len16); /* ciphers length */
  629. idx += 2 + len16;
  630. idx += 2; /* compression */
  631. ato16(&out->data[idx], &len16); /* extensions length */
  632. AssertTrue(len16 > 0);
  633. exts_len = len16;
  634. idx += 2;
  635. exts = &out->data[idx];
  636. AssertTrue(!ext_has(exts, exts_len, TLSX_KEY_QUIC_TP_PARAMS) == !tp_v1);
  637. AssertTrue(!ext_has(exts, exts_len, TLSX_KEY_QUIC_TP_PARAMS_DRAFT) == !tp_draft);
  638. }
  639. static void check_secrets(QuicTestContext *ctx, WOLFSSL_ENCRYPTION_LEVEL level, size_t rx_len, size_t tx_len)
  640. {
  641. int idx = (int)level;
  642. AssertTrue(idx < 4);
  643. AssertIntEQ(ctx->rx_secret_len[idx], rx_len);
  644. AssertIntEQ(ctx->tx_secret_len[idx], tx_len);
  645. }
  646. static void assert_secrets_EQ(QuicTestContext *ctx1, QuicTestContext *ctx2,
  647. WOLFSSL_ENCRYPTION_LEVEL level)
  648. {
  649. int idx = (int)level;
  650. /* rx secrets are the other ones tx secrets */
  651. AssertIntEQ(ctx1->rx_secret_len[idx], ctx2->tx_secret_len[idx]);
  652. AssertIntEQ(ctx1->tx_secret_len[idx], ctx2->rx_secret_len[idx]);
  653. AssertIntEQ(memcmp(ctx1->rx_secret[idx], ctx2->tx_secret[idx], ctx1->rx_secret_len[idx]), 0);
  654. AssertIntEQ(memcmp(ctx1->tx_secret[idx], ctx2->rx_secret[idx], ctx1->tx_secret_len[idx]), 0);
  655. }
  656. static void check_ee(const byte *data, size_t data_len, int verbose, int indent)
  657. {
  658. size_t rec_len, exts_len, idx;
  659. word16 len16;
  660. const byte *exts;
  661. int rec_type;
  662. check_handshake_record(data, data_len, &rec_type, &rec_len);
  663. AssertIntEQ(rec_type, encrypted_extensions);
  664. idx = HANDSHAKE_HEADER_SZ;
  665. ato16(&data[idx], &len16); /* extensions length */
  666. AssertTrue(len16 > 0);
  667. exts_len = len16;
  668. idx += 2;
  669. exts = &data[idx];
  670. if (verbose) {
  671. ext_dump(exts, exts_len, indent);
  672. dump_buffer("", data, data_len, indent);
  673. }
  674. }
  675. static void check_quic_server_hello(const byte *data, size_t data_len, int verbose, int indent)
  676. {
  677. size_t idx;
  678. word16 len16, cipher;
  679. const byte *exts;
  680. size_t exts_len, rec_len;
  681. static byte ext_sup_version[2] = {0x03, 0x04};
  682. int rec_type;
  683. check_handshake_record(data, data_len, &rec_type, &rec_len);
  684. AssertIntEQ(rec_type, server_hello);
  685. idx = HANDSHAKE_HEADER_SZ;
  686. AssertTrue(data[idx++] == SSLv3_MAJOR);
  687. AssertTrue(data[idx++] == TLSv1_2_MINOR);
  688. idx += 32; /* 32 bytes RANDOM */
  689. /* AssertIntEQ(data[idx], 0); session id of len 0 */
  690. idx += 1 + data[idx];
  691. ato16(&data[idx], &cipher); /* cipher selected */
  692. AssertTrue(cipher != 0);
  693. idx += 2;
  694. AssertTrue(data[idx] == 0); /* null compression */
  695. idx += 1;
  696. ato16(&data[idx], &len16); /* extensions length */
  697. AssertTrue(len16 > 0);
  698. exts_len = len16;
  699. idx += 2;
  700. exts = &data[idx];
  701. idx += exts_len;
  702. AssertTrue(idx <= rec_len); /* should fit */
  703. for (; idx < rec_len; ++idx) {
  704. AssertTrue(data[idx] == 0); /* padding */
  705. }
  706. if (verbose) {
  707. ext_dump(exts, exts_len, indent);
  708. dump_buffer("", data, rec_len, indent);
  709. }
  710. ext_equals(exts, exts_len, TLSX_SUPPORTED_VERSIONS,
  711. ext_sup_version, sizeof(ext_sup_version));
  712. }
  713. static void check_crypto_rec(const byte *data, size_t data_len, int verbose, int indent)
  714. {
  715. size_t rec_len;
  716. int rec_type;
  717. check_handshake_record(data, data_len, &rec_type, &rec_len);
  718. if (verbose) {
  719. dump_buffer("", data, rec_len, indent);
  720. }
  721. }
  722. static void check_crypto_records(QuicTestContext *from, OutputBuffer *out, int indent, char *rec_log, size_t rec_log_size)
  723. {
  724. const byte *data = out->data;
  725. size_t data_len = out->len;
  726. size_t rec_len;
  727. int rec_type;
  728. const char *rec_name;
  729. char lbuffer[128];
  730. void (*check_rec) (const byte *d, size_t l, int v, int indent);
  731. while (data_len > 0) {
  732. check_handshake_record(data, data_len, &rec_type, &rec_len);
  733. if (rec_len > data_len) {
  734. printf("%*sINCOMPLETE CRYPTO?: ", indent, " ");
  735. dump_buffer("", data, data_len, indent);
  736. }
  737. AssertTrue(rec_len <= data_len);
  738. check_rec = check_crypto_rec;
  739. switch (rec_type) {
  740. case client_hello:
  741. rec_name = "ClientHello";
  742. check_rec = check_quic_client_hello;
  743. break;
  744. case server_hello:
  745. rec_name = "ServerHello";
  746. check_rec = check_quic_server_hello;
  747. break;
  748. case session_ticket:
  749. rec_name = "SessionTicket";
  750. break;
  751. case encrypted_extensions:
  752. rec_name = "EncryptedExtension";
  753. check_rec = check_ee;
  754. break;
  755. case certificate:
  756. rec_name = "Certificate";
  757. break;
  758. case certificate_verify:
  759. rec_name = "CertificateVerify";
  760. break;
  761. case finished:
  762. rec_name = "Finished";
  763. break;
  764. default:
  765. (void)XSNPRINTF(lbuffer, sizeof(lbuffer), "%d", rec_type);
  766. rec_name = lbuffer;
  767. break;
  768. }
  769. if (rec_log) {
  770. if (*rec_log) XSTRLCAT(rec_log, ":", rec_log_size);
  771. XSTRLCAT(rec_log, rec_name, rec_log_size);
  772. }
  773. if (from->verbose) printf("%*sCRYPTO[%s]: ", indent, " ", rec_name);
  774. check_rec(data, rec_len, from->verbose, indent);
  775. if (from->verbose) printf("\n");
  776. data += rec_len;
  777. data_len -= rec_len;
  778. }
  779. }
  780. static void QuicTestContext_forward(QuicTestContext *from, QuicTestContext *to, char *rec_log, size_t rec_log_size)
  781. {
  782. int ret;
  783. OutputBuffer *out, *old;
  784. out = &from->output;
  785. while (out->len > 0) {
  786. if (from->verbose) {
  787. printf("[%s -> %s] forward %d bytes at level %d\n",
  788. from->name, to->name, (int)out->len, out->level);
  789. }
  790. if (out->level == wolfssl_encryption_early_data) {
  791. if (from->verbose) dump_buffer("EarlyData", out->data, out->len, 4);
  792. }
  793. else {
  794. check_crypto_records(from, out, 4, rec_log, rec_log_size);
  795. }
  796. ret = wolfSSL_provide_quic_data(to->ssl, out->level, out->data, out->len);
  797. out->len = 0;
  798. AssertIntEQ(ret, WOLFSSL_SUCCESS);
  799. if (out->next) {
  800. old = out->next;
  801. memcpy(out, out->next, sizeof(*out));
  802. free(old);
  803. }
  804. }
  805. }
  806. typedef struct {
  807. QuicTestContext *client;
  808. QuicTestContext *server;
  809. int started;
  810. int verbose;
  811. char rec_log[16*1024];
  812. int sent_early_data;
  813. int accept_early_data;
  814. char early_data[16*1024];
  815. size_t early_data_len;
  816. } QuicConversation;
  817. static void QuicConversation_init(QuicConversation *conv,
  818. QuicTestContext *tclient, QuicTestContext *tserver)
  819. {
  820. memset(conv, 0, sizeof(*conv));
  821. conv->client = tclient;
  822. conv->server = tserver;
  823. conv->verbose = tclient->verbose && tserver->verbose;
  824. }
  825. static int QuicConversation_start(QuicConversation *conv, const byte *data,
  826. size_t data_len, size_t *pwritten)
  827. {
  828. int ret;
  829. AssertFalse(conv->started);
  830. if (conv->verbose) {
  831. printf("[%s <-> %s] starting\n", conv->client->name, conv->server->name);
  832. }
  833. if (data && data_len > 0) {
  834. #ifdef WOLFSSL_EARLY_DATA
  835. int written;
  836. ret = wolfSSL_write_early_data(conv->client->ssl, data, (int)data_len, &written);
  837. if (ret < 0) {
  838. int err = wolfSSL_get_error(conv->client->ssl, ret);
  839. char lbuffer[1024];
  840. printf("EARLY DATA ret = %d, error = %d, %s\n", ret, err, wolfSSL_ERR_error_string((unsigned long)err, lbuffer));
  841. AssertTrue(0);
  842. }
  843. *pwritten = (size_t)written;
  844. conv->sent_early_data = 1;
  845. #else
  846. fprintf(stderr, "Cannot send EARLY DATA without feature enabled!\n");
  847. AssertTrue(0);
  848. #endif
  849. }
  850. else {
  851. ret = wolfSSL_connect(conv->client->ssl);
  852. if (ret != WOLFSSL_SUCCESS) {
  853. AssertIntEQ(wolfSSL_get_error(conv->client->ssl, 0), WC_NO_ERR_TRACE(SSL_ERROR_WANT_READ));
  854. }
  855. if (pwritten) *pwritten = 0;
  856. }
  857. conv->started = 1;
  858. return ret;
  859. }
  860. static int QuicConversation_step(QuicConversation *conv, int may_fail)
  861. {
  862. int n;
  863. if (!conv->started) {
  864. n = wolfSSL_connect(conv->client->ssl);
  865. if (n != WOLFSSL_SUCCESS
  866. && wolfSSL_get_error(conv->client->ssl, 0) != WC_NO_ERR_TRACE(SSL_ERROR_WANT_READ)) {
  867. if (may_fail) return 0;
  868. AssertIntEQ(WC_NO_ERR_TRACE(SSL_ERROR_WANT_READ), wolfSSL_get_error(conv->client->ssl, 0));
  869. }
  870. conv->started = 1;
  871. }
  872. if (conv->server->output.len > 0) {
  873. QuicTestContext_forward(conv->server, conv->client, conv->rec_log, sizeof(conv->rec_log));
  874. n = wolfSSL_quic_read_write(conv->client->ssl);
  875. if (n != WOLFSSL_SUCCESS
  876. && wolfSSL_get_error(conv->client->ssl, 0) != WC_NO_ERR_TRACE(SSL_ERROR_WANT_READ)) {
  877. if (may_fail) return 0;
  878. AssertIntEQ(WC_NO_ERR_TRACE(SSL_ERROR_WANT_READ), wolfSSL_get_error(conv->client->ssl, 0));
  879. }
  880. return 1;
  881. }
  882. else if (conv->client->output.len > 0) {
  883. QuicTestContext_forward(conv->client, conv->server, conv->rec_log, sizeof(conv->rec_log));
  884. #ifdef WOLFSSL_EARLY_DATA
  885. if (conv->accept_early_data) {
  886. int written;
  887. n = wolfSSL_read_early_data(conv->server->ssl,
  888. conv->early_data + conv->early_data_len,
  889. (int)(sizeof(conv->early_data) - conv->early_data_len),
  890. &written);
  891. if (n < 0) {
  892. if (wolfSSL_get_error(conv->server->ssl, 0) != WC_NO_ERR_TRACE(SSL_ERROR_WANT_READ)) {
  893. if (may_fail) return 0;
  894. AssertIntEQ(wolfSSL_get_error(conv->server->ssl, 0), WC_NO_ERR_TRACE(SSL_ERROR_WANT_READ));
  895. }
  896. }
  897. else if (n > 0) {
  898. conv->early_data_len += (size_t)n;
  899. if (conv->verbose)
  900. printf("RECVed early data, len now=%d\n", (int)conv->early_data_len);
  901. }
  902. }
  903. else
  904. #endif /* WOLFSSL_EARLY_DATA */
  905. {
  906. n = wolfSSL_quic_read_write(conv->server->ssl);
  907. if (n != WOLFSSL_SUCCESS
  908. && wolfSSL_get_error(conv->server->ssl, 0) != WC_NO_ERR_TRACE(SSL_ERROR_WANT_READ)) {
  909. if (may_fail) return 0;
  910. AssertIntEQ(wolfSSL_get_error(conv->server->ssl, 0), WC_NO_ERR_TRACE(SSL_ERROR_WANT_READ));
  911. }
  912. }
  913. return 1;
  914. }
  915. return 0;
  916. }
  917. static void QuicConversation_do(QuicConversation *conv)
  918. {
  919. if (!conv->started) {
  920. QuicConversation_start(conv, NULL, 0, NULL);
  921. }
  922. while (1) {
  923. if (!QuicConversation_step(conv, 0)) {
  924. int c_err = wolfSSL_get_error(conv->client->ssl, 0);
  925. int s_err = wolfSSL_get_error(conv->server->ssl, 0);
  926. if (c_err == 0 && s_err == 0) {
  927. break; /* handshake done */
  928. }
  929. printf("Neither tclient nor server have anything to send, "
  930. "but client_error=%d, server_error=%d\n",
  931. c_err, s_err);
  932. AssertFalse(1);
  933. }
  934. }
  935. }
  936. #ifdef HAVE_SESSION_TICKET
  937. static void QuicConversation_fail(QuicConversation *conv)
  938. {
  939. if (!conv->started) {
  940. QuicConversation_start(conv, NULL, 0, NULL);
  941. }
  942. while (1) {
  943. if (!QuicConversation_step(conv, 1)) {
  944. int c_err = wolfSSL_get_error(conv->client->ssl, 0);
  945. int s_err = wolfSSL_get_error(conv->server->ssl, 0);
  946. AssertTrue(c_err != 0 || s_err != 0);
  947. break;
  948. }
  949. }
  950. }
  951. #endif /* HAVE_SESSION_TICKET */
  952. static int test_quic_client_hello(int verbose) {
  953. WOLFSSL_CTX *ctx;
  954. int ret = 0;
  955. QuicTestContext tctx;
  956. (void)ctx_dump_output;
  957. AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method()));
  958. QuicTestContext_init(&tctx, ctx, "client", verbose);
  959. /* Without any QUIC transport params, this needs to fail */
  960. AssertTrue(wolfSSL_set_quic_transport_params(tctx.ssl, NULL, 0) == WOLFSSL_SUCCESS);
  961. AssertTrue(wolfSSL_quic_read_write(tctx.ssl) != 0);
  962. AssertIntEQ(wolfSSL_get_error(tctx.ssl, 0), WC_NO_ERR_TRACE(QUIC_TP_MISSING_E));
  963. QuicTestContext_free(&tctx);
  964. /* Set transport params, expect both extensions */
  965. QuicTestContext_init(&tctx, ctx, "client", verbose);
  966. #ifdef HAVE_SNI
  967. wolfSSL_UseSNI(tctx.ssl, WOLFSSL_SNI_HOST_NAME,
  968. "wolfssl.com", sizeof("wolfssl.com")-1);
  969. #endif
  970. AssertTrue(wolfSSL_connect(tctx.ssl) != 0);
  971. AssertIntEQ(wolfSSL_get_error(tctx.ssl, 0), WC_NO_ERR_TRACE(SSL_ERROR_WANT_READ));
  972. check_quic_client_hello_tp(&tctx.output, 1, 1);
  973. QuicTestContext_free(&tctx);
  974. /* Set transport params v1, expect v1 extension */
  975. QuicTestContext_init(&tctx, ctx, "client", verbose);
  976. wolfSSL_set_quic_transport_version(tctx.ssl, TLSX_KEY_QUIC_TP_PARAMS);
  977. AssertTrue(wolfSSL_connect(tctx.ssl) != 0);
  978. check_quic_client_hello_tp(&tctx.output, 1, 0);
  979. QuicTestContext_free(&tctx);
  980. /* Set transport params draft, expect draft extension */
  981. QuicTestContext_init(&tctx, ctx, "client", verbose);
  982. wolfSSL_set_quic_transport_version(tctx.ssl, TLSX_KEY_QUIC_TP_PARAMS_DRAFT);
  983. AssertTrue(wolfSSL_connect(tctx.ssl) != 0);
  984. check_quic_client_hello_tp(&tctx.output, 0, 1);
  985. QuicTestContext_free(&tctx);
  986. /* Set transport params 0, expect both extension */
  987. QuicTestContext_init(&tctx, ctx, "client", verbose);
  988. wolfSSL_set_quic_transport_version(tctx.ssl, 0);
  989. AssertTrue(wolfSSL_connect(tctx.ssl) != 0);
  990. check_quic_client_hello_tp(&tctx.output, 1, 1);
  991. QuicTestContext_free(&tctx);
  992. wolfSSL_CTX_free(ctx);
  993. printf(" test_quic_client_hello: %s\n", (ret == 0)? passed : failed);
  994. return ret;
  995. }
  996. static int test_quic_server_hello(int verbose) {
  997. WOLFSSL_CTX *ctx_c, *ctx_s;
  998. int ret = 0;
  999. QuicTestContext tclient, tserver;
  1000. QuicConversation conv;
  1001. AssertNotNull(ctx_c = wolfSSL_CTX_new(wolfTLSv1_3_client_method()));
  1002. AssertNotNull(ctx_s = wolfSSL_CTX_new(wolfTLSv1_3_server_method()));
  1003. AssertTrue(wolfSSL_CTX_use_certificate_file(ctx_s, svrCertFile, WOLFSSL_FILETYPE_PEM));
  1004. AssertTrue(wolfSSL_CTX_use_PrivateKey_file(ctx_s, svrKeyFile, WOLFSSL_FILETYPE_PEM));
  1005. /* setup ssls */
  1006. QuicTestContext_init(&tclient, ctx_c, "client", verbose);
  1007. QuicTestContext_init(&tserver, ctx_s, "server", verbose);
  1008. /* connect */
  1009. QuicConversation_init(&conv, &tclient, &tserver);
  1010. QuicConversation_step(&conv, 0);
  1011. /* check established/missing secrets */
  1012. check_secrets(&tserver, wolfssl_encryption_initial, 0, 0);
  1013. check_secrets(&tserver, wolfssl_encryption_handshake, 32, 32);
  1014. check_secrets(&tserver, wolfssl_encryption_application, 32, 32);
  1015. check_secrets(&tclient, wolfssl_encryption_handshake, 0, 0);
  1016. /* feed the server data to the client */
  1017. QuicConversation_step(&conv, 0);
  1018. /* client has generated handshake secret */
  1019. check_secrets(&tclient, wolfssl_encryption_handshake, 32, 32);
  1020. /* continue the handshake till done */
  1021. conv.started = 1;
  1022. /* run till end */
  1023. QuicConversation_do(&conv);
  1024. AssertIntEQ(tclient.output.len, 0);
  1025. AssertIntEQ(tserver.output.len, 0);
  1026. /* what have we seen? */
  1027. #ifdef HAVE_SESSION_TICKET
  1028. AssertStrEQ(conv.rec_log, "ClientHello:ServerHello:EncryptedExtension:"
  1029. "Certificate:CertificateVerify:Finished:Finished:SessionTicket");
  1030. #else
  1031. AssertStrEQ(conv.rec_log, "ClientHello:ServerHello:EncryptedExtension:"
  1032. "Certificate:CertificateVerify:Finished:Finished");
  1033. #endif
  1034. /* we are at application encryption level */
  1035. AssertTrue(wolfSSL_quic_read_level(tclient.ssl) == wolfssl_encryption_application);
  1036. AssertTrue(wolfSSL_quic_write_level(tclient.ssl) == wolfssl_encryption_application);
  1037. AssertTrue(wolfSSL_quic_read_level(tserver.ssl) == wolfssl_encryption_application);
  1038. AssertTrue(wolfSSL_quic_write_level(tserver.ssl) == wolfssl_encryption_application);
  1039. /* the last client write (FINISHED) was at handshake level */
  1040. AssertTrue(tclient.output.level == wolfssl_encryption_handshake);
  1041. /* we have the app secrets */
  1042. check_secrets(&tclient, wolfssl_encryption_application, 32, 32);
  1043. check_secrets(&tserver, wolfssl_encryption_application, 32, 32);
  1044. /* verify client and server have the same secrets established */
  1045. assert_secrets_EQ(&tclient, &tserver, wolfssl_encryption_handshake);
  1046. assert_secrets_EQ(&tclient, &tserver, wolfssl_encryption_application);
  1047. /* AEAD cipher should be known */
  1048. AssertNotNull(wolfSSL_quic_get_aead(tclient.ssl));
  1049. AssertNotNull(wolfSSL_quic_get_aead(tserver.ssl));
  1050. /* What was negiotiated and is it the same? */
  1051. AssertIntEQ(wolfSSL_get_peer_quic_transport_version(tclient.ssl),
  1052. wolfSSL_get_peer_quic_transport_version(tserver.ssl));
  1053. QuicTestContext_free(&tclient);
  1054. QuicTestContext_free(&tserver);
  1055. wolfSSL_CTX_free(ctx_c);
  1056. wolfSSL_CTX_free(ctx_s);
  1057. printf(" test_quic_server_hello: %s\n", (ret == 0)? passed : failed);
  1058. return ret;
  1059. }
  1060. /* This has gotten a bit out of hand. */
  1061. #if (defined(OPENSSL_ALL) || (defined(OPENSSL_EXTRA) && \
  1062. (defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) || \
  1063. defined(HAVE_LIGHTY) || defined(WOLFSSL_HAPROXY) || \
  1064. defined(WOLFSSL_OPENSSH) || defined(HAVE_SBLIM_SFCB)))) \
  1065. && defined(HAVE_ALPN) && defined(HAVE_SNI)
  1066. #define REALLY_HAVE_ALPN_AND_SNI
  1067. #else
  1068. #undef REALLY_HAVE_ALPN_AND_SNI
  1069. #endif
  1070. #ifdef REALLY_HAVE_ALPN_AND_SNI
  1071. struct stripe_buffer {
  1072. char stripe[256];
  1073. };
  1074. static int inspect_SNI(WOLFSSL *ssl, int *ad, void *baton)
  1075. {
  1076. struct stripe_buffer *stripe = (struct stripe_buffer *)baton;
  1077. (void)ssl;
  1078. *ad = 0;
  1079. XSTRLCAT(stripe->stripe, "S", sizeof(stripe->stripe));
  1080. return 0;
  1081. }
  1082. static int select_ALPN(WOLFSSL *ssl,
  1083. const unsigned char **out,
  1084. unsigned char *outlen,
  1085. const unsigned char *in,
  1086. unsigned int inlen,
  1087. void *baton)
  1088. {
  1089. struct stripe_buffer *stripe = (struct stripe_buffer *)baton;
  1090. (void)ssl;
  1091. (void)inlen;
  1092. /* just select the first */
  1093. *out = in + 1;
  1094. *outlen = in[0];
  1095. XSTRLCAT(stripe->stripe, "A", sizeof(stripe->stripe));
  1096. return 0;
  1097. }
  1098. static int test_quic_alpn(int verbose) {
  1099. WOLFSSL_CTX *ctx_c, *ctx_s;
  1100. int ret = 0;
  1101. QuicTestContext tclient, tserver;
  1102. QuicConversation conv;
  1103. struct stripe_buffer stripe;
  1104. unsigned char alpn_protos[256];
  1105. AssertNotNull(ctx_c = wolfSSL_CTX_new(wolfTLSv1_3_client_method()));
  1106. AssertNotNull(ctx_s = wolfSSL_CTX_new(wolfTLSv1_3_server_method()));
  1107. AssertTrue(wolfSSL_CTX_use_certificate_file(ctx_s, svrCertFile, WOLFSSL_FILETYPE_PEM));
  1108. AssertTrue(wolfSSL_CTX_use_PrivateKey_file(ctx_s, svrKeyFile, WOLFSSL_FILETYPE_PEM));
  1109. stripe.stripe[0] = '\0';
  1110. wolfSSL_CTX_set_servername_callback(ctx_s, inspect_SNI);
  1111. wolfSSL_CTX_set_servername_arg(ctx_s, &stripe);
  1112. wolfSSL_CTX_set_alpn_select_cb(ctx_s, select_ALPN, &stripe);
  1113. /* setup ssls */
  1114. QuicTestContext_init(&tclient, ctx_c, "client", verbose);
  1115. QuicTestContext_init(&tserver, ctx_s, "server", verbose);
  1116. /* set SNI and ALPN callbacks on server side,
  1117. * provide values on client side */
  1118. wolfSSL_UseSNI(tclient.ssl, WOLFSSL_SNI_HOST_NAME,
  1119. "wolfssl.com", sizeof("wolfssl.com")-1);
  1120. /* connect */
  1121. QuicConversation_init(&conv, &tclient, &tserver);
  1122. XSTRLCPY((char*)(alpn_protos + 1), "test", sizeof(alpn_protos));
  1123. alpn_protos[0] = strlen("test");
  1124. wolfSSL_set_alpn_protos(tclient.ssl, alpn_protos, 1 + strlen("test"));
  1125. QuicConversation_do(&conv);
  1126. AssertIntEQ(tclient.output.len, 0);
  1127. AssertIntEQ(tserver.output.len, 0);
  1128. /* SNI callback needs to be called before ALPN callback */
  1129. AssertStrEQ(stripe.stripe, "SA");
  1130. QuicTestContext_free(&tclient);
  1131. QuicTestContext_free(&tserver);
  1132. wolfSSL_CTX_free(ctx_c);
  1133. wolfSSL_CTX_free(ctx_s);
  1134. printf(" test_quic_alpn: %s\n", (ret == 0)? passed : failed);
  1135. return ret;
  1136. }
  1137. #endif /* REALLY_HAVE_ALPN_AND_SNI */
  1138. #ifdef HAVE_SESSION_TICKET
  1139. static int test_quic_key_share(int verbose) {
  1140. WOLFSSL_CTX *ctx_c, *ctx_s;
  1141. int ret = 0;
  1142. QuicTestContext tclient, tserver;
  1143. QuicConversation conv;
  1144. AssertNotNull(ctx_c = wolfSSL_CTX_new(wolfTLSv1_3_client_method()));
  1145. AssertNotNull(ctx_s = wolfSSL_CTX_new(wolfTLSv1_3_server_method()));
  1146. AssertTrue(wolfSSL_CTX_use_certificate_file(ctx_s, svrCertFile, WOLFSSL_FILETYPE_PEM));
  1147. AssertTrue(wolfSSL_CTX_use_PrivateKey_file(ctx_s, svrKeyFile, WOLFSSL_FILETYPE_PEM));
  1148. /* setup & handshake defaults */
  1149. QuicTestContext_init(&tclient, ctx_c, "client", verbose);
  1150. QuicTestContext_init(&tserver, ctx_s, "server", verbose);
  1151. QuicConversation_init(&conv, &tclient, &tserver);
  1152. QuicConversation_do(&conv);
  1153. AssertStrEQ(conv.rec_log, "ClientHello:ServerHello:EncryptedExtension:"
  1154. "Certificate:CertificateVerify:Finished:Finished:SessionTicket");
  1155. QuicTestContext_free(&tclient);
  1156. QuicTestContext_free(&tserver);
  1157. /* setup & handshake, restricted groups. KEY_SHARE should use
  1158. * the first configured group. */
  1159. /*If that is supported by the server, expect a smooth handshake.*/
  1160. QuicTestContext_init(&tclient, ctx_c, "client", verbose);
  1161. QuicTestContext_init(&tserver, ctx_s, "server", verbose);
  1162. AssertTrue(wolfSSL_set1_curves_list(tclient.ssl, "X25519:P-256")
  1163. == WOLFSSL_SUCCESS);
  1164. AssertTrue(wolfSSL_set1_curves_list(tserver.ssl, "X25519")
  1165. == WOLFSSL_SUCCESS);
  1166. QuicConversation_init(&conv, &tclient, &tserver);
  1167. QuicConversation_do(&conv);
  1168. AssertStrEQ(conv.rec_log,
  1169. "ClientHello:ServerHello:EncryptedExtension:"
  1170. "Certificate:CertificateVerify:Finished:Finished:SessionTicket");
  1171. QuicTestContext_free(&tclient);
  1172. QuicTestContext_free(&tserver);
  1173. printf(" test_quic_key_share: priority ok\n");
  1174. /* If group is not supported by server, expect HelloRetry */
  1175. QuicTestContext_init(&tclient, ctx_c, "client", verbose);
  1176. QuicTestContext_init(&tserver, ctx_s, "server", verbose);
  1177. AssertTrue(wolfSSL_set1_curves_list(tclient.ssl, "X25519:P-256")
  1178. == WOLFSSL_SUCCESS);
  1179. AssertTrue(wolfSSL_set1_curves_list(tserver.ssl, "P-256")
  1180. == WOLFSSL_SUCCESS);
  1181. QuicConversation_init(&conv, &tclient, &tserver);
  1182. QuicConversation_do(&conv);
  1183. AssertStrEQ(conv.rec_log,
  1184. "ClientHello:ServerHello:ClientHello:ServerHello:EncryptedExtension:"
  1185. "Certificate:CertificateVerify:Finished:Finished:SessionTicket");
  1186. QuicTestContext_free(&tclient);
  1187. QuicTestContext_free(&tserver);
  1188. printf(" test_quic_key_share: retry ok\n");
  1189. /* If no group overlap, expect failure */
  1190. QuicTestContext_init(&tclient, ctx_c, "client", verbose);
  1191. QuicTestContext_init(&tserver, ctx_s, "server", verbose);
  1192. AssertTrue(wolfSSL_set1_curves_list(tclient.ssl, "P-256")
  1193. == WOLFSSL_SUCCESS);
  1194. AssertTrue(wolfSSL_set1_curves_list(tserver.ssl, "X25519")
  1195. == WOLFSSL_SUCCESS);
  1196. QuicConversation_init(&conv, &tclient, &tserver);
  1197. QuicConversation_fail(&conv);
  1198. AssertIntEQ(wolfSSL_get_error(tserver.ssl, 0), WC_NO_ERR_TRACE(SSL_ERROR_WANT_READ));
  1199. AssertIntEQ(wolfSSL_get_error(tclient.ssl, 0), WC_NO_ERR_TRACE(BAD_KEY_SHARE_DATA));
  1200. QuicTestContext_free(&tclient);
  1201. QuicTestContext_free(&tserver);
  1202. printf(" test_quic_key_share: no match ok\n");
  1203. wolfSSL_CTX_free(ctx_c);
  1204. wolfSSL_CTX_free(ctx_s);
  1205. printf(" test_quic_key_share: %s\n", (ret == 0)? passed : failed);
  1206. return ret;
  1207. }
  1208. static int test_quic_resumption(int verbose) {
  1209. WOLFSSL_CTX *ctx_c, *ctx_s;
  1210. WOLFSSL_SESSION *session, *session_restored;
  1211. int ret = 0;
  1212. QuicTestContext tclient, tserver;
  1213. QuicConversation conv;
  1214. unsigned char session_buffer[16 * 1024], *session_data;
  1215. const unsigned char *session_data2;
  1216. unsigned int session_size;
  1217. AssertNotNull(ctx_c = wolfSSL_CTX_new(wolfTLSv1_3_client_method()));
  1218. AssertNotNull(ctx_s = wolfSSL_CTX_new(wolfTLSv1_3_server_method()));
  1219. AssertTrue(wolfSSL_CTX_use_certificate_file(ctx_s, svrCertFile, WOLFSSL_FILETYPE_PEM));
  1220. AssertTrue(wolfSSL_CTX_use_PrivateKey_file(ctx_s, svrKeyFile, WOLFSSL_FILETYPE_PEM));
  1221. /* setup ssls */
  1222. QuicTestContext_init(&tclient, ctx_c, "client", verbose);
  1223. QuicTestContext_init(&tserver, ctx_s, "server", verbose);
  1224. QuicConversation_init(&conv, &tclient, &tserver);
  1225. /* run till end */
  1226. QuicConversation_do(&conv);
  1227. /* what have we seen? */
  1228. AssertStrEQ(conv.rec_log, "ClientHello:ServerHello:EncryptedExtension:"
  1229. "Certificate:CertificateVerify:Finished:Finished:SessionTicket");
  1230. /* Should have received a session ticket, save the session
  1231. * and also make a serialized/deserialized copy to check that persisting
  1232. * a session works. */
  1233. AssertTrue(tclient.ticket_len > 0);
  1234. AssertNotNull(session = wolfSSL_get1_session(tclient.ssl));
  1235. AssertTrue((session_size = (unsigned int)wolfSSL_i2d_SSL_SESSION(session, NULL)) > 0);
  1236. AssertTrue((size_t)session_size < sizeof(session_buffer));
  1237. session_data2 = session_data = session_buffer;
  1238. session_size = (unsigned int)wolfSSL_i2d_SSL_SESSION(session, &session_data);
  1239. session_restored = wolfSSL_d2i_SSL_SESSION(NULL, &session_data2, session_size);
  1240. AssertNotNull(session_restored);
  1241. QuicTestContext_free(&tserver);
  1242. QuicTestContext_free(&tclient);
  1243. /* Do a Session resumption with the session object */
  1244. QuicTestContext_init(&tserver, ctx_s, "server", verbose);
  1245. QuicTestContext_init(&tclient, ctx_c, "client_resume", verbose);
  1246. AssertIntEQ(wolfSSL_set_session(tclient.ssl, session), WOLFSSL_SUCCESS);
  1247. /* let them talk */
  1248. QuicConversation_init(&conv, &tclient, &tserver);
  1249. QuicConversation_do(&conv);
  1250. /* this is what should happen. Look Ma, no certificate! */
  1251. AssertStrEQ(conv.rec_log, "ClientHello:ServerHello:EncryptedExtension:"
  1252. "Finished:Finished:SessionTicket");
  1253. QuicTestContext_free(&tclient);
  1254. QuicTestContext_free(&tserver);
  1255. /* Do a Session resumption with the restored session object */
  1256. QuicTestContext_init(&tserver, ctx_s, "server", verbose);
  1257. QuicTestContext_init(&tclient, ctx_c, "client_resume_restored", verbose);
  1258. AssertIntEQ(wolfSSL_set_session(tclient.ssl, session_restored), WOLFSSL_SUCCESS);
  1259. /* let them talk */
  1260. QuicConversation_init(&conv, &tclient, &tserver);
  1261. QuicConversation_do(&conv);
  1262. /* this is what should happen. Look Ma, no certificate! */
  1263. AssertStrEQ(conv.rec_log, "ClientHello:ServerHello:EncryptedExtension:"
  1264. "Finished:Finished:SessionTicket");
  1265. QuicTestContext_free(&tclient);
  1266. QuicTestContext_free(&tserver);
  1267. {
  1268. /* Do a Session resumption with a new server ctx */
  1269. WOLFSSL_CTX *ctx_s2;
  1270. AssertNotNull(ctx_s2 = wolfSSL_CTX_new(wolfTLSv1_3_server_method()));
  1271. AssertTrue(wolfSSL_CTX_use_certificate_file(ctx_s2, eccCertFile, WOLFSSL_FILETYPE_PEM));
  1272. AssertTrue(wolfSSL_CTX_use_PrivateKey_file(ctx_s2, eccKeyFile, WOLFSSL_FILETYPE_PEM));
  1273. QuicTestContext_init(&tserver, ctx_s2, "server2", verbose);
  1274. QuicTestContext_init(&tclient, ctx_c, "client_resume2", verbose);
  1275. AssertIntEQ(wolfSSL_set_session(tclient.ssl, session_restored), WOLFSSL_SUCCESS);
  1276. /* let them talk */
  1277. QuicConversation_init(&conv, &tclient, &tserver);
  1278. QuicConversation_do(&conv);
  1279. AssertStrEQ(conv.rec_log, "ClientHello:ServerHello:EncryptedExtension:"
  1280. "Certificate:CertificateVerify:Finished:Finished:SessionTicket");
  1281. QuicTestContext_free(&tclient);
  1282. QuicTestContext_free(&tserver);
  1283. wolfSSL_CTX_free(ctx_s2);
  1284. }
  1285. wolfSSL_SESSION_free(session);
  1286. wolfSSL_SESSION_free(session_restored);
  1287. wolfSSL_CTX_free(ctx_c);
  1288. wolfSSL_CTX_free(ctx_s);
  1289. printf(" test_quic_resumption: %s\n", (ret == 0)? passed : failed);
  1290. return ret;
  1291. }
  1292. #ifdef WOLFSSL_EARLY_DATA
  1293. static int test_quic_early_data(int verbose) {
  1294. WOLFSSL_CTX *ctx_c, *ctx_s;
  1295. int ret = 0;
  1296. QuicTestContext tclient, tserver;
  1297. QuicConversation conv;
  1298. const byte early_data[] = "Nulla dies sine linea!";
  1299. size_t ed_written;
  1300. WOLFSSL_SESSION *session;
  1301. unsigned int max_early_sz;
  1302. AssertNotNull(ctx_c = wolfSSL_CTX_new(wolfTLSv1_3_client_method()));
  1303. wolfSSL_CTX_UseSessionTicket(ctx_c);
  1304. AssertNotNull(ctx_s = wolfSSL_CTX_new(wolfTLSv1_3_server_method()));
  1305. AssertTrue(wolfSSL_CTX_use_certificate_file(ctx_s, svrCertFile, WOLFSSL_FILETYPE_PEM));
  1306. AssertTrue(wolfSSL_CTX_use_PrivateKey_file(ctx_s, svrKeyFile, WOLFSSL_FILETYPE_PEM));
  1307. /* setup ssls */
  1308. QuicTestContext_init(&tclient, ctx_c, "client", verbose);
  1309. QuicTestContext_init(&tserver, ctx_s, "server", verbose);
  1310. wolfSSL_set_quic_early_data_enabled(tserver.ssl, 1);
  1311. /* QUIC only allows 0xffffffff or 0x0 as values */
  1312. AssertIntEQ(wolfSSL_get_max_early_data(tserver.ssl), UINT32_MAX);
  1313. QuicConversation_init(&conv, &tclient, &tserver);
  1314. /* run till end */
  1315. QuicConversation_do(&conv);
  1316. /* what have we seen? */
  1317. AssertStrEQ(conv.rec_log, "ClientHello:ServerHello:EncryptedExtension:"
  1318. "Certificate:CertificateVerify:Finished:Finished:SessionTicket");
  1319. /* Should have received a session ticket, save the session */
  1320. AssertTrue(tclient.ticket_len > 0);
  1321. AssertNotNull(session = wolfSSL_get1_session(tclient.ssl));
  1322. QuicTestContext_free(&tclient);
  1323. QuicTestContext_free(&tserver);
  1324. /* QUIC requires 0 or 0xffffffff as only allowed values.
  1325. * Since we enabled early data in the server that created the session,
  1326. * we need to see it here. */
  1327. max_early_sz = wolfSSL_SESSION_get_max_early_data(session);
  1328. AssertIntEQ(max_early_sz, UINT32_MAX);
  1329. /* Do a Session resumption with the ticket */
  1330. QuicTestContext_init(&tserver, ctx_s, "server", verbose);
  1331. QuicTestContext_init(&tclient, ctx_c, "client", verbose);
  1332. AssertIntEQ(wolfSSL_set_session(tclient.ssl, session), WOLFSSL_SUCCESS);
  1333. /* enable early data -*/
  1334. wolfSSL_set_quic_early_data_enabled(tserver.ssl, 1);
  1335. /* client will send, and server will receive implicitly */
  1336. QuicConversation_init(&conv, &tclient, &tserver);
  1337. QuicConversation_start(&conv, early_data, sizeof(early_data), &ed_written);
  1338. QuicConversation_do(&conv);
  1339. AssertIntEQ(wolfSSL_get_early_data_status(tclient.ssl), WOLFSSL_EARLY_DATA_ACCEPTED);
  1340. QuicTestContext_free(&tclient);
  1341. QuicTestContext_free(&tserver);
  1342. QuicTestContext_init(&tserver, ctx_s, "server", verbose);
  1343. QuicTestContext_init(&tclient, ctx_c, "client", verbose);
  1344. AssertIntEQ(wolfSSL_set_session(tclient.ssl, session), WOLFSSL_SUCCESS);
  1345. /* client will send, and server will receive */
  1346. QuicConversation_init(&conv, &tclient, &tserver);
  1347. /* make QuicConversation_do() use wolfSSL_read_early_data() */
  1348. conv.accept_early_data = 1;
  1349. QuicConversation_start(&conv, early_data, sizeof(early_data), &ed_written);
  1350. QuicConversation_do(&conv);
  1351. AssertIntEQ(wolfSSL_get_early_data_status(tclient.ssl), WOLFSSL_EARLY_DATA_ACCEPTED);
  1352. AssertIntEQ(conv.early_data_len, sizeof(early_data));
  1353. AssertStrEQ(conv.early_data, (const char*)early_data);
  1354. QuicTestContext_free(&tclient);
  1355. QuicTestContext_free(&tserver);
  1356. wolfSSL_SESSION_free(session);
  1357. wolfSSL_CTX_free(ctx_c);
  1358. wolfSSL_CTX_free(ctx_s);
  1359. printf(" test_quic_early_data: %s\n", (ret == 0)? passed : failed);
  1360. return ret;
  1361. }
  1362. #endif /* WOLFSSL_EARLY_DATA */
  1363. static int new_session_cb(WOLFSSL *ssl, WOLFSSL_SESSION *session)
  1364. {
  1365. QuicTestContext *ctx = (QuicTestContext*)wolfSSL_get_app_data(ssl);
  1366. byte *data;
  1367. int ret = 0;
  1368. int sz;
  1369. AssertNotNull(ctx);
  1370. sz = wolfSSL_i2d_SSL_SESSION(session, NULL);
  1371. if (sz <= 0) {
  1372. printf("[%s] session serialization error: %d <- ", ctx->name, sz);
  1373. return sz;
  1374. }
  1375. if ((size_t)sz > sizeof(ctx->session)) {
  1376. printf("[%s] session serialization too large: %d <- ", ctx->name, sz);
  1377. return -1;
  1378. }
  1379. data = ctx->session;
  1380. ctx->session_len = (word32)wolfSSL_i2d_SSL_SESSION(session, &data);
  1381. if (ctx->verbose) {
  1382. printf("[%s]", ctx->name);
  1383. dump_buffer(" new SESSION", ctx->session, ctx->session_len, 4);
  1384. }
  1385. return ret;
  1386. }
  1387. static int test_quic_session_export(int verbose)
  1388. {
  1389. WOLFSSL_CTX *ctx_c, *ctx_s;
  1390. WOLFSSL_SESSION *session = NULL;
  1391. int ret = 0;
  1392. QuicTestContext tclient, tserver;
  1393. QuicConversation conv;
  1394. byte session_data[16*1024];
  1395. const byte *bp;
  1396. word32 session_len;
  1397. AssertNotNull(ctx_c = wolfSSL_CTX_new(wolfTLSv1_3_client_method()));
  1398. AssertNotNull(ctx_s = wolfSSL_CTX_new(wolfTLSv1_3_server_method()));
  1399. AssertTrue(wolfSSL_CTX_use_certificate_file(ctx_s, svrCertFile, WOLFSSL_FILETYPE_PEM));
  1400. AssertTrue(wolfSSL_CTX_use_PrivateKey_file(ctx_s, svrKeyFile, WOLFSSL_FILETYPE_PEM));
  1401. /* Uses CTX session callback for new sessions */
  1402. wolfSSL_CTX_sess_set_new_cb(ctx_c, new_session_cb);
  1403. /* setup ssls */
  1404. QuicTestContext_init(&tclient, ctx_c, "client", verbose);
  1405. QuicTestContext_init(&tserver, ctx_s, "server", verbose);
  1406. QuicConversation_init(&conv, &tclient, &tserver);
  1407. /* run till end */
  1408. QuicConversation_do(&conv);
  1409. /* what have we seen? */
  1410. AssertStrEQ(conv.rec_log, "ClientHello:ServerHello:EncryptedExtension:Certificate:CertificateVerify:Finished:Finished:SessionTicket");
  1411. /* Should have received a session, save it */
  1412. AssertTrue(tclient.session_len > 0);
  1413. memcpy(session_data, tclient.session, tclient.session_len);
  1414. session_len = tclient.session_len;
  1415. if (verbose)
  1416. dump_buffer("copied SESSION", session_data, session_len, 0);
  1417. QuicTestContext_free(&tserver);
  1418. QuicTestContext_free(&tclient);
  1419. /* Do a Session resumption with the ticket */
  1420. QuicTestContext_init(&tserver, ctx_s, "server", verbose);
  1421. QuicTestContext_init(&tclient, ctx_c, "client_resume", verbose);
  1422. bp = session_data;
  1423. AssertNotNull(session = wolfSSL_d2i_SSL_SESSION(NULL, &bp, session_len));
  1424. AssertIntEQ(wolfSSL_set_session(tclient.ssl, session), WOLFSSL_SUCCESS);
  1425. wolfSSL_SESSION_free(session);
  1426. /* let them talk */
  1427. QuicConversation_init(&conv, &tclient, &tserver);
  1428. QuicConversation_do(&conv);
  1429. /* this is what should happen. Look Ma, no certificate! */
  1430. AssertStrEQ(conv.rec_log, "ClientHello:ServerHello:EncryptedExtension:Finished:Finished:SessionTicket");
  1431. QuicTestContext_free(&tclient);
  1432. QuicTestContext_free(&tserver);
  1433. wolfSSL_CTX_free(ctx_c);
  1434. wolfSSL_CTX_free(ctx_s);
  1435. printf(" test_quic_session_export: %s\n", (ret == 0)? passed : failed);
  1436. return ret;
  1437. }
  1438. #endif /* WOLFSSL_SESSION_EXPORT */
  1439. #endif /* WOLFSSL_QUIC */
  1440. int QuicTest(void)
  1441. {
  1442. int ret = 0;
  1443. #ifdef WOLFSSL_QUIC
  1444. int verbose = 0;
  1445. printf(" Begin QUIC Tests\n");
  1446. if ((ret = test_set_quic_method()) != 0) goto leave;
  1447. if ((ret = test_provide_quic_data()) != 0) goto leave;
  1448. if ((ret = test_quic_crypt()) != 0) goto leave;
  1449. if ((ret = test_quic_client_hello(verbose)) != 0) goto leave;
  1450. if ((ret = test_quic_server_hello(verbose)) != 0) goto leave;
  1451. #ifdef REALLY_HAVE_ALPN_AND_SNI
  1452. if ((ret = test_quic_alpn(verbose)) != 0) goto leave;
  1453. #endif /* REALLY_HAVE_ALPN_AND_SNI */
  1454. #ifdef HAVE_SESSION_TICKET
  1455. if ((ret = test_quic_key_share(verbose)) != 0) goto leave;
  1456. if ((ret = test_quic_resumption(verbose)) != 0) goto leave;
  1457. #ifdef WOLFSSL_EARLY_DATA
  1458. if ((ret = test_quic_early_data(verbose)) != 0) goto leave;
  1459. #endif /* WOLFSSL_EARLY_DATA */
  1460. if ((ret = test_quic_session_export(verbose)) != 0) goto leave;
  1461. #endif /* HAVE_SESSION_TICKET */
  1462. leave:
  1463. if (ret != 0)
  1464. printf(" FAILED: some tests did not pass.\n");
  1465. printf(" End QUIC Tests\n");
  1466. #endif
  1467. return ret;
  1468. }