Add an initial regress test that covers the server-side of libssl, by

providing SSL_accept() with fixed ClientHello messages.

3 files changed, 220 insertions, 1 deletions

diff --git a/regress/lib/libssl/Makefile b/regress/lib/libssl/Makefile
index 85e50ecb046..d6ee2f160a0 100644
--- a/regress/lib/libssl/Makefile
+++ b/regress/lib/libssl/Makefile
@@ -1,4 +1,4 @@
-#	$OpenBSD: Makefile,v 1.24 2016/11/04 19:45:12 jsing Exp $
+#	$OpenBSD: Makefile,v 1.25 2017/03/05 14:15:53 jsing Exp $
 
 SUBDIR= \
 	asn1 \
@@ -6,6 +6,7 @@ SUBDIR= \
 	ciphers \
 	client \
 	pqueue \
+	server \
 	ssl \
 	unit
 
diff --git a/regress/lib/libssl/server/Makefile b/regress/lib/libssl/server/Makefile
new file mode 100644
index 00000000000..705190d076b
--- /dev/null
+++ b/regress/lib/libssl/server/Makefile
@@ -0,0 +1,18 @@
+#	$OpenBSD: Makefile,v 1.1 2017/03/05 14:15:53 jsing Exp $
+
+PROG=	servertest
+LDADD=	-lssl -lcrypto
+DPADD=	${LIBSSL} ${LIBCRYPTO}
+WARNINGS=	Yes
+CFLAGS+=	-DLIBRESSL_INTERNAL -Werror
+
+REGRESS_TARGETS= \
+	regress-servertest
+
+regress-servertest: ${PROG}
+	./servertest \
+	    ${.CURDIR}/../../libssl/certs/server.pem \
+	    ${.CURDIR}/../../libssl/certs/server.pem \
+	    ${.CURDIR}/../../libssl/certs/ca.pem
+
+.include <bsd.regress.mk>
diff --git a/regress/lib/libssl/server/servertest.c b/regress/lib/libssl/server/servertest.c
new file mode 100644
index 00000000000..32578599e5a
--- /dev/null
+++ b/regress/lib/libssl/server/servertest.c
@@ -0,0 +1,200 @@
+/* $OpenBSD: servertest.c,v 1.1 2017/03/05 14:15:53 jsing Exp $ */
+/*
+ * Copyright (c) 2015, 2016, 2017 Joel Sing <jsing@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <openssl/ssl.h>
+
+#include <openssl/err.h>
+#include <openssl/dtls1.h>
+#include <openssl/ssl3.h>
+
+#include <err.h>
+#include <stdio.h>
+#include <string.h>
+
+char *server_ca_file;
+char *server_cert_file;
+char *server_key_file;
+
+static unsigned char sslv2_client_hello_tls10[] = {
+	0x80, 0x6a, 0x01, 0x03, 0x01, 0x00, 0x51, 0x00,
+	0x00, 0x00, 0x10, 0x00, 0x00, 0x39, 0x00, 0x00,
+	0x38, 0x00, 0x00, 0x35, 0x00, 0x00, 0x16, 0x00,
+	0x00, 0x13, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x33,
+	0x00, 0x00, 0x32, 0x00, 0x00, 0x2f, 0x00, 0x00,
+	0x07, 0x00, 0x00, 0x66, 0x00, 0x00, 0x05, 0x00,
+	0x00, 0x04, 0x00, 0x00, 0x63, 0x00, 0x00, 0x62,
+	0x00, 0x00, 0x61, 0x00, 0x00, 0x15, 0x00, 0x00,
+	0x12, 0x00, 0x00, 0x09, 0x00, 0x00, 0x65, 0x00,
+	0x00, 0x64, 0x00, 0x00, 0x60, 0x00, 0x00, 0x14,
+	0x00, 0x00, 0x11, 0x00, 0x00, 0x08, 0x00, 0x00,
+	0x06, 0x00, 0x00, 0x03, 0xdd, 0xb6, 0x59, 0x26,
+	0x46, 0xe6, 0x79, 0x77, 0xf4, 0xec, 0x42, 0x76,
+	0xc8, 0x73, 0xad, 0x9c,
+};
+
+static unsigned char sslv2_client_hello_tls12[] = {
+	0x80, 0xcb, 0x01, 0x03, 0x03, 0x00, 0xa2, 0x00,
+	0x00, 0x00, 0x20, 0x00, 0x00, 0xa5, 0x00, 0x00,
+	0xa3, 0x00, 0x00, 0xa1, 0x00, 0x00, 0x9f, 0x00,
+	0x00, 0x6b, 0x00, 0x00, 0x6a, 0x00, 0x00, 0x69,
+	0x00, 0x00, 0x68, 0x00, 0x00, 0x39, 0x00, 0x00,
+	0x38, 0x00, 0x00, 0x37, 0x00, 0x00, 0x36, 0x00,
+	0x00, 0x88, 0x00, 0x00, 0x87, 0x00, 0x00, 0x86,
+	0x00, 0x00, 0x85, 0x00, 0x00, 0x9d, 0x00, 0x00,
+	0x3d, 0x00, 0x00, 0x35, 0x00, 0x00, 0x84, 0x00,
+	0x00, 0xa4, 0x00, 0x00, 0xa2, 0x00, 0x00, 0xa0,
+	0x00, 0x00, 0x9e, 0x00, 0x00, 0x67, 0x00, 0x00,
+	0x40, 0x00, 0x00, 0x3f, 0x00, 0x00, 0x3e, 0x00,
+	0x00, 0x33, 0x00, 0x00, 0x32, 0x00, 0x00, 0x31,
+	0x00, 0x00, 0x30, 0x00, 0x00, 0x9a, 0x00, 0x00,
+	0x99, 0x00, 0x00, 0x98, 0x00, 0x00, 0x97, 0x00,
+	0x00, 0x45, 0x00, 0x00, 0x44, 0x00, 0x00, 0x43,
+	0x00, 0x00, 0x42, 0x00, 0x00, 0x9c, 0x00, 0x00,
+	0x3c, 0x00, 0x00, 0x2f, 0x00, 0x00, 0x96, 0x00,
+	0x00, 0x41, 0x00, 0x00, 0x07, 0x00, 0x00, 0x05,
+	0x00, 0x00, 0x04, 0x00, 0x00, 0x16, 0x00, 0x00,
+	0x13, 0x00, 0x00, 0x10, 0x00, 0x00, 0x0d, 0x00,
+	0x00, 0x0a, 0x00, 0x00, 0xff, 0x1d, 0xfd, 0x90,
+	0x03, 0x61, 0x3c, 0x5a, 0x22, 0x83, 0xed, 0x11,
+	0x85, 0xf4, 0xea, 0x36, 0x59, 0xd9, 0x1b, 0x27,
+	0x22, 0x01, 0x14, 0x07, 0x66, 0xb2, 0x24, 0xf5,
+	0x4e, 0x7d, 0x9d, 0x9c, 0x52,
+};
+
+struct server_hello_test {
+	const unsigned char *desc;
+	unsigned char *client_hello;
+	const size_t client_hello_len;
+	const SSL_METHOD *(*ssl_method)(void);
+	const long ssl_options;
+};
+
+static struct server_hello_test server_hello_tests[] = {
+	{
+		.desc = "TLSv1.0 in SSLv2 record",
+		.client_hello = sslv2_client_hello_tls10,
+		.client_hello_len = sizeof(sslv2_client_hello_tls10),
+		.ssl_method = TLS_server_method,
+		.ssl_options = 0,
+	},
+	{
+		.desc = "TLSv1.2 in SSLv2 record",
+		.client_hello = sslv2_client_hello_tls12,
+		.client_hello_len = sizeof(sslv2_client_hello_tls12),
+		.ssl_method = TLS_server_method,
+		.ssl_options = 0,
+	},
+};
+
+#define N_SERVER_HELLO_TESTS \
+    (sizeof(server_hello_tests) / sizeof(*server_hello_tests))
+
+static int
+server_hello_test(int testno, struct server_hello_test *sht)
+{
+	BIO *rbio = NULL, *wbio = NULL;
+	SSL_CTX *ssl_ctx = NULL;
+	SSL *ssl = NULL;
+	int ret = 1;
+
+	fprintf(stderr, "Test %i - %s\n", testno, sht->desc);
+
+	if ((rbio = BIO_new_mem_buf(sht->client_hello,
+	    sht->client_hello_len)) == NULL) {
+		fprintf(stderr, "Failed to setup rbio\n");
+		goto failure;
+	}
+	if ((wbio = BIO_new(BIO_s_mem())) == NULL) {
+		fprintf(stderr, "Failed to setup wbio\n");
+		goto failure;
+	}
+
+	if ((ssl_ctx = SSL_CTX_new(sht->ssl_method())) == NULL) {
+		fprintf(stderr, "SSL_CTX_new() returned NULL\n");
+		goto failure;
+	}
+
+	if (SSL_CTX_use_certificate_file(ssl_ctx, server_cert_file,
+	    SSL_FILETYPE_PEM) != 1) {
+		fprintf(stderr, "Failed to load server certificate");
+		goto failure;
+	}
+	if (SSL_CTX_use_PrivateKey_file(ssl_ctx, server_key_file,
+	    SSL_FILETYPE_PEM) != 1) {
+		fprintf(stderr, "Failed to load server private key");
+		goto failure;
+	}
+
+	SSL_CTX_set_dh_auto(ssl_ctx, 1);
+	SSL_CTX_set_ecdh_auto(ssl_ctx, 1);
+	SSL_CTX_set_options(ssl_ctx, sht->ssl_options);
+
+	if ((ssl = SSL_new(ssl_ctx)) == NULL) {
+		fprintf(stderr, "SSL_new() returned NULL\n");
+		goto failure;
+	}
+
+	rbio->references = 2;
+	wbio->references = 2;
+
+	SSL_set_bio(ssl, rbio, wbio);
+	
+	if (SSL_accept(ssl) != 0) {
+		fprintf(stderr, "SSL_accept() returned non-zero\n");
+		ERR_print_errors_fp(stderr);
+		goto failure;
+	}
+
+	ret = 0;
+
+ failure:
+	SSL_CTX_free(ssl_ctx);
+	SSL_free(ssl);
+
+	rbio->references = 1;
+	wbio->references = 1;
+
+	BIO_free(rbio);
+	BIO_free(wbio);
+
+	return (ret);
+}
+
+int
+main(int argc, char **argv)
+{
+	int failed = 0;
+	size_t i;
+
+	if (argc != 4) {
+		fprintf(stderr, "usage: %s keyfile certfile cafile\n",
+		    argv[0]);
+		exit(1);
+	}
+
+	server_key_file = argv[1];
+	server_cert_file = argv[2];
+	server_ca_file = argv[3];
+
+	SSL_library_init();
+	SSL_load_error_strings();
+
+	for (i = 0; i < N_SERVER_HELLO_TESTS; i++)
+		failed |= server_hello_test(i, &server_hello_tests[i]);
+
+	return (failed);
+}