summaryrefslogtreecommitdiff
path: root/regress/lib
diff options
context:
space:
mode:
authorJoel Sing <jsing@cvs.openbsd.org>2024-01-19 08:29:09 +0000
committerJoel Sing <jsing@cvs.openbsd.org>2024-01-19 08:29:09 +0000
commitae75d73baddd89799e54bebc0feea545c92ad65b (patch)
treebe795b7037faa8f515986a01bc976683bfdc5324 /regress/lib
parent659f10d521cfca77d45ab3ed7f332d60eac8345f (diff)
Add regress test coverage for SSL_shutdown().
This tests and codifies the behaviour of SSL_shutdown() with respect to SSL_quiet_shutdown() and SSL_set_shutdown(). For now, only the legacy stack (TLSv1.2) is tested, as there are currently some subtle differences with the TLSv1.3 stack.
Diffstat (limited to 'regress/lib')
-rw-r--r--regress/lib/libssl/shutdown/Makefile18
-rw-r--r--regress/lib/libssl/shutdown/shutdowntest.c528
2 files changed, 546 insertions, 0 deletions
diff --git a/regress/lib/libssl/shutdown/Makefile b/regress/lib/libssl/shutdown/Makefile
new file mode 100644
index 00000000000..51305012d6f
--- /dev/null
+++ b/regress/lib/libssl/shutdown/Makefile
@@ -0,0 +1,18 @@
+# $OpenBSD: Makefile,v 1.1 2024/01/19 08:29:08 jsing Exp $
+
+PROG= shutdowntest
+LDADD= -lssl -lcrypto
+DPADD= ${LIBSSL} ${LIBCRYPTO}
+WARNINGS= Yes
+CFLAGS+= -DLIBRESSL_INTERNAL -Werror
+
+REGRESS_TARGETS= \
+ regress-shutdowntest
+
+regress-shutdowntest: ${PROG}
+ ./shutdowntest \
+ ${.CURDIR}/../../libssl/certs/server.pem \
+ ${.CURDIR}/../../libssl/certs/server.pem \
+ ${.CURDIR}/../../libssl/certs/ca.pem
+
+.include <bsd.regress.mk>
diff --git a/regress/lib/libssl/shutdown/shutdowntest.c b/regress/lib/libssl/shutdown/shutdowntest.c
new file mode 100644
index 00000000000..7dea3a85012
--- /dev/null
+++ b/regress/lib/libssl/shutdown/shutdowntest.c
@@ -0,0 +1,528 @@
+/* $OpenBSD: shutdowntest.c,v 1.1 2024/01/19 08:29:08 jsing Exp $ */
+/*
+ * Copyright (c) 2020, 2021, 2024 Joel Sing <jsing@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <err.h>
+
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/ssl.h>
+
+const char *server_ca_file;
+const char *server_cert_file;
+const char *server_key_file;
+
+int debug = 0;
+
+static void
+hexdump(const unsigned char *buf, size_t len)
+{
+ size_t i;
+
+ for (i = 1; i <= len; i++)
+ fprintf(stderr, " 0x%02hhx,%s", buf[i - 1], i % 8 ? "" : "\n");
+
+ if (len % 8)
+ fprintf(stderr, "\n");
+}
+
+static SSL *
+tls_client(BIO *rbio, BIO *wbio)
+{
+ SSL_CTX *ssl_ctx = NULL;
+ SSL *ssl = NULL;
+
+ if ((ssl_ctx = SSL_CTX_new(TLS_method())) == NULL)
+ errx(1, "client context");
+
+ if ((ssl = SSL_new(ssl_ctx)) == NULL)
+ errx(1, "client ssl");
+
+ BIO_up_ref(rbio);
+ BIO_up_ref(wbio);
+
+ SSL_set_bio(ssl, rbio, wbio);
+
+ SSL_CTX_free(ssl_ctx);
+
+ return ssl;
+}
+
+static SSL *
+tls_server(BIO *rbio, BIO *wbio)
+{
+ SSL_CTX *ssl_ctx = NULL;
+ SSL *ssl = NULL;
+
+ if ((ssl_ctx = SSL_CTX_new(TLS_method())) == NULL)
+ errx(1, "server context");
+
+ SSL_CTX_set_dh_auto(ssl_ctx, 2);
+
+ if (SSL_CTX_use_certificate_file(ssl_ctx, server_cert_file,
+ SSL_FILETYPE_PEM) != 1) {
+ fprintf(stderr, "FAIL: Failed to load server certificate");
+ goto failure;
+ }
+ if (SSL_CTX_use_PrivateKey_file(ssl_ctx, server_key_file,
+ SSL_FILETYPE_PEM) != 1) {
+ fprintf(stderr, "FAIL: Failed to load server private key");
+ goto failure;
+ }
+
+ if ((ssl = SSL_new(ssl_ctx)) == NULL)
+ errx(1, "server ssl");
+
+ BIO_up_ref(rbio);
+ BIO_up_ref(wbio);
+
+ SSL_set_bio(ssl, rbio, wbio);
+
+ failure:
+ SSL_CTX_free(ssl_ctx);
+
+ return ssl;
+}
+
+static int
+ssl_error(SSL *ssl, const char *name, const char *desc, int ssl_ret)
+{
+ int ssl_err;
+
+ ssl_err = SSL_get_error(ssl, ssl_ret);
+
+ if (ssl_err == SSL_ERROR_WANT_READ) {
+ return 1;
+ } else if (ssl_err == SSL_ERROR_WANT_WRITE) {
+ return 1;
+ } else if (ssl_err == SSL_ERROR_SYSCALL && errno == 0) {
+ /* Yup, this is apparently a thing... */
+ return 1;
+ } else {
+ fprintf(stderr, "FAIL: %s %s failed - ssl err = %d, errno = %d\n",
+ name, desc, ssl_err, errno);
+ ERR_print_errors_fp(stderr);
+ return 0;
+ }
+}
+
+static int
+do_connect(SSL *ssl, const char *name, int *done)
+{
+ int ssl_ret;
+
+ if ((ssl_ret = SSL_connect(ssl)) == 1) {
+ fprintf(stderr, "INFO: %s connect done\n", name);
+ *done = 1;
+ return 1;
+ }
+
+ return ssl_error(ssl, name, "connect", ssl_ret);
+}
+
+static int
+do_accept(SSL *ssl, const char *name, int *done)
+{
+ int ssl_ret;
+
+ if ((ssl_ret = SSL_accept(ssl)) == 1) {
+ fprintf(stderr, "INFO: %s accept done\n", name);
+ *done = 1;
+ return 1;
+ }
+
+ return ssl_error(ssl, name, "accept", ssl_ret);
+}
+
+static int
+do_read(SSL *ssl, const char *name, int *done)
+{
+ uint8_t buf[512];
+ int ssl_ret;
+
+ if ((ssl_ret = SSL_read(ssl, buf, sizeof(buf))) > 0) {
+ fprintf(stderr, "INFO: %s read done\n", name);
+ if (debug > 1)
+ hexdump(buf, ssl_ret);
+ *done = 1;
+ return 1;
+ }
+
+ return ssl_error(ssl, name, "read", ssl_ret);
+}
+
+static int
+do_write(SSL *ssl, const char *name, int *done)
+{
+ const uint8_t buf[] = "Hello, World!\n";
+ int ssl_ret;
+
+ if ((ssl_ret = SSL_write(ssl, buf, sizeof(buf))) > 0) {
+ fprintf(stderr, "INFO: %s write done\n", name);
+ *done = 1;
+ return 1;
+ }
+
+ return ssl_error(ssl, name, "write", ssl_ret);
+}
+
+static int
+do_shutdown(SSL *ssl, const char *name, int *done)
+{
+ int ssl_ret;
+
+ ssl_ret = SSL_shutdown(ssl);
+ if (ssl_ret == 1) {
+ fprintf(stderr, "INFO: %s shutdown done\n", name);
+ *done = 1;
+ return 1;
+ }
+
+ /* The astounding EOF condition. */
+ if (ssl_ret == -1 &&
+ SSL_get_error(ssl, ssl_ret) == SSL_ERROR_SYSCALL && errno == 0) {
+ fprintf(stderr, "INFO: %s shutdown encountered EOF\n", name);
+ *done = 1;
+ return 1;
+ }
+
+ return ssl_error(ssl, name, "shutdown", ssl_ret);
+}
+
+typedef int (*ssl_func)(SSL *ssl, const char *name, int *done);
+
+static int
+do_client_server_loop(SSL *client, ssl_func client_func, SSL *server,
+ ssl_func server_func)
+{
+ int client_done = 0, server_done = 0;
+ int i = 0;
+
+ do {
+ if (!client_done) {
+ if (debug)
+ fprintf(stderr, "DEBUG: client loop\n");
+ if (!client_func(client, "client", &client_done))
+ return 0;
+ }
+ if (!server_done) {
+ if (debug)
+ fprintf(stderr, "DEBUG: server loop\n");
+ if (!server_func(server, "server", &server_done))
+ return 0;
+ }
+ } while (i++ < 100 && (!client_done || !server_done));
+
+ if (!client_done || !server_done)
+ fprintf(stderr, "FAIL: gave up\n");
+
+ return client_done && server_done;
+}
+
+static int
+do_shutdown_loop(SSL *client, SSL *server)
+{
+ int client_done = 0, server_done = 0;
+ int i = 0;
+
+ do {
+ if (!client_done) {
+ if (debug)
+ fprintf(stderr, "DEBUG: client loop\n");
+ if (!do_shutdown(client, "client", &client_done))
+ return 0;
+ if (client_done)
+ BIO_set_mem_eof_return(SSL_get_wbio(client), 0);
+ }
+ if (!server_done) {
+ if (debug)
+ fprintf(stderr, "DEBUG: server loop\n");
+ if (!do_shutdown(server, "server", &server_done))
+ return 0;
+ if (server_done)
+ BIO_set_mem_eof_return(SSL_get_wbio(server), 0);
+ }
+ } while (i++ < 100 && (!client_done || !server_done));
+
+ if (!client_done || !server_done)
+ fprintf(stderr, "FAIL: gave up\n");
+
+ return client_done && server_done;
+}
+
+static void
+ssl_msg_callback(int is_write, int version, int content_type, const void *buf,
+ size_t len, SSL *ssl, void *arg)
+{
+ const uint8_t *msg = buf;
+ int *close_notify = arg;
+
+ if (is_write || content_type != SSL3_RT_ALERT)
+ return;
+ if (len == 2 && msg[0] == SSL3_AL_WARNING && msg[1] == SSL_AD_CLOSE_NOTIFY)
+ *close_notify = 1;
+}
+
+struct shutdown_test {
+ const unsigned char *desc;
+ int client_quiet_shutdown;
+ int client_set_shutdown;
+ int want_client_shutdown;
+ int want_client_close_notify;
+ int server_quiet_shutdown;
+ int server_set_shutdown;
+ int want_server_shutdown;
+ int want_server_close_notify;
+};
+
+static const struct shutdown_test shutdown_tests[] = {
+ {
+ .desc = "bidirectional shutdown",
+ .want_client_close_notify = 1,
+ .want_client_shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN,
+ .want_server_close_notify = 1,
+ .want_server_shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN,
+ },
+ {
+ .desc = "client quiet shutdown",
+ .client_quiet_shutdown = 1,
+ .want_client_shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN,
+ .want_server_shutdown = SSL_SENT_SHUTDOWN,
+ },
+ {
+ .desc = "server quiet shutdown",
+ .server_quiet_shutdown = 1,
+ .want_client_shutdown = SSL_SENT_SHUTDOWN,
+ .want_server_shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN,
+ },
+ {
+ .desc = "both quiet shutdown",
+ .client_quiet_shutdown = 1,
+ .server_quiet_shutdown = 1,
+ .want_client_shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN,
+ .want_server_shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN,
+ },
+ {
+ .desc = "client set sent shutdown",
+ .client_set_shutdown = SSL_SENT_SHUTDOWN,
+ .want_client_close_notify = 1,
+ .want_client_shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN,
+ .want_server_shutdown = SSL_SENT_SHUTDOWN,
+ },
+ {
+ .desc = "client set received shutdown",
+ .client_set_shutdown = SSL_RECEIVED_SHUTDOWN,
+ .want_client_shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN,
+ .want_server_close_notify = 1,
+ .want_server_shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN,
+ },
+ {
+ .desc = "client set sent/received shutdown",
+ .client_set_shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN,
+ .want_client_shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN,
+ .want_server_shutdown = SSL_SENT_SHUTDOWN,
+ },
+ {
+ .desc = "server set sent shutdown",
+ .server_set_shutdown = SSL_SENT_SHUTDOWN,
+ .want_client_shutdown = SSL_SENT_SHUTDOWN,
+ .want_server_close_notify = 1,
+ .want_server_shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN,
+ },
+ {
+ .desc = "server set received shutdown",
+ .server_set_shutdown = SSL_RECEIVED_SHUTDOWN,
+ .want_client_close_notify = 1,
+ .want_client_shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN,
+ .want_server_shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN,
+ },
+ {
+ .desc = "server set sent/received shutdown",
+ .server_set_shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN,
+ .want_client_shutdown = SSL_SENT_SHUTDOWN,
+ .want_server_shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN,
+ },
+};
+
+#define N_TLS_TESTS (sizeof(shutdown_tests) / sizeof(*shutdown_tests))
+
+static int
+shutdowntest(uint16_t ssl_version, const char *ssl_version_name,
+ const struct shutdown_test *st)
+{
+ BIO *client_wbio = NULL, *server_wbio = NULL;
+ SSL *client = NULL, *server = NULL;
+ int client_close_notify = 0, server_close_notify = 0;
+ int shutdown, ssl_err;
+ int failed = 1;
+
+ fprintf(stderr, "\n== Testing %s, %s... ==\n", ssl_version_name,
+ st->desc);
+
+ if ((client_wbio = BIO_new(BIO_s_mem())) == NULL)
+ goto failure;
+ if (BIO_set_mem_eof_return(client_wbio, -1) <= 0)
+ goto failure;
+
+ if ((server_wbio = BIO_new(BIO_s_mem())) == NULL)
+ goto failure;
+ if (BIO_set_mem_eof_return(server_wbio, -1) <= 0)
+ goto failure;
+
+ if ((client = tls_client(server_wbio, client_wbio)) == NULL)
+ goto failure;
+ if (!SSL_set_min_proto_version(client, ssl_version))
+ goto failure;
+ if (!SSL_set_max_proto_version(client, ssl_version))
+ goto failure;
+
+ if ((server = tls_server(client_wbio, server_wbio)) == NULL)
+ goto failure;
+ if (!SSL_set_min_proto_version(server, ssl_version))
+ goto failure;
+ if (!SSL_set_max_proto_version(server, ssl_version))
+ goto failure;
+
+ if (!do_client_server_loop(client, do_connect, server, do_accept)) {
+ fprintf(stderr, "FAIL: client and server handshake failed\n");
+ goto failure;
+ }
+
+ if (!do_client_server_loop(client, do_write, server, do_read)) {
+ fprintf(stderr, "FAIL: client write and server read I/O failed\n");
+ goto failure;
+ }
+
+ if (!do_client_server_loop(client, do_read, server, do_write)) {
+ fprintf(stderr, "FAIL: client read and server write I/O failed\n");
+ goto failure;
+ }
+
+ /* Seemingly this is the only way to find out about alerts... */
+ SSL_set_msg_callback(client, ssl_msg_callback);
+ SSL_set_msg_callback_arg(client, &client_close_notify);
+ SSL_set_msg_callback(server, ssl_msg_callback);
+ SSL_set_msg_callback_arg(server, &server_close_notify);
+
+ SSL_set_shutdown(client, st->client_set_shutdown);
+ SSL_set_shutdown(server, st->server_set_shutdown);
+
+ SSL_set_quiet_shutdown(client, st->client_quiet_shutdown);
+ SSL_set_quiet_shutdown(server, st->server_quiet_shutdown);
+
+ if (!do_shutdown_loop(client, server)) {
+ fprintf(stderr, "FAIL: client and server shutdown failed\n");
+ goto failure;
+ }
+
+ if ((shutdown = SSL_get_shutdown(client)) != st->want_client_shutdown) {
+ fprintf(stderr, "FAIL: client shutdown flags = %x, want %x\n",
+ shutdown, st->want_client_shutdown);
+ goto failure;
+ }
+ if ((shutdown = SSL_get_shutdown(server)) != st->want_server_shutdown) {
+ fprintf(stderr, "FAIL: server shutdown flags = %x, want %x\n",
+ shutdown, st->want_server_shutdown);
+ goto failure;
+ }
+
+ if (client_close_notify != st->want_client_close_notify) {
+ fprintf(stderr, "FAIL: client close notify = %d, want %d\n",
+ client_close_notify, st->want_client_close_notify);
+ goto failure;
+ }
+ if (server_close_notify != st->want_server_close_notify) {
+ fprintf(stderr, "FAIL: server close notify = %d, want %d\n",
+ server_close_notify, st->want_server_close_notify);
+ goto failure;
+ }
+
+ if (st->want_client_close_notify) {
+ if ((ssl_err = SSL_get_error(client, 0)) != SSL_ERROR_ZERO_RETURN) {
+ fprintf(stderr, "FAIL: client ssl error = %d, want %d\n",
+ ssl_err, SSL_ERROR_ZERO_RETURN);
+ goto failure;
+ }
+ }
+ if (st->want_server_close_notify) {
+ if ((ssl_err = SSL_get_error(server, 0)) != SSL_ERROR_ZERO_RETURN) {
+ fprintf(stderr, "FAIL: server ssl error = %d, want %d\n",
+ ssl_err, SSL_ERROR_ZERO_RETURN);
+ goto failure;
+ }
+ }
+
+ fprintf(stderr, "INFO: Done!\n");
+
+ failed = 0;
+
+ failure:
+ BIO_free(client_wbio);
+ BIO_free(server_wbio);
+
+ SSL_free(client);
+ SSL_free(server);
+
+ return failed;
+}
+
+struct ssl_version {
+ uint16_t version;
+ const char *name;
+};
+
+struct ssl_version ssl_versions[] = {
+ {
+ .version = TLS1_2_VERSION,
+ .name = SSL_TXT_TLSV1_2,
+ },
+#if 0
+ {
+ .version = TLS1_3_VERSION,
+ .name = SSL_TXT_TLSV1_3,
+ },
+#endif
+};
+
+#define N_SSL_VERSIONS (sizeof(ssl_versions) / sizeof(*ssl_versions))
+
+int
+main(int argc, char **argv)
+{
+ const struct ssl_version *sv;
+ int failed = 0;
+ size_t i, j;
+
+ if (argc != 4) {
+ fprintf(stderr, "usage: %s keyfile certfile cafile\n",
+ argv[0]);
+ exit(1);
+ }
+
+ server_key_file = argv[1];
+ server_cert_file = argv[2];
+ server_ca_file = argv[3];
+
+ for (i = 0; i < N_SSL_VERSIONS; i++) {
+ sv = &ssl_versions[i];
+ for (j = 0; j < N_TLS_TESTS; j++) {
+ failed |= shutdowntest(sv->version, sv->name,
+ &shutdown_tests[j]);
+ }
+ }
+
+ return failed;
+}