|
|
|
|
/* Copyright (c) 2018, Google Inc.
|
|
|
|
|
*
|
|
|
|
|
* Permission to use, copy, modify, and/or distribute this software for any
|
|
|
|
|
* purpose with or without fee is hereby granted, provided that the above
|
|
|
|
|
* copyright notice and this permission notice appear in all copies.
|
|
|
|
|
*
|
|
|
|
|
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
|
|
|
|
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
|
|
|
|
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
|
|
|
|
|
* SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
|
|
|
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
|
|
|
|
|
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
|
|
|
|
|
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
|
|
|
|
|
|
|
|
|
|
#ifndef HEADER_TEST_STATE
|
|
|
|
|
#define HEADER_TEST_STATE
|
|
|
|
|
|
|
|
|
|
#include <openssl/base.h>
|
|
|
|
|
|
|
|
|
|
#include <functional>
|
|
|
|
|
#include <memory>
|
|
|
|
|
#include <string>
|
|
|
|
|
#include <vector>
|
|
|
|
|
|
|
|
|
|
#include "mock_quic_transport.h"
|
|
|
|
|
|
|
|
|
|
struct TestState {
|
|
|
|
|
// Serialize writes |pending_session| and |msg_callback_text| to |out|, for
|
|
|
|
|
// use in split-handshake tests. We don't try to serialize every bit of test
|
|
|
|
|
// state, but serializing |pending_session| is necessary to exercise session
|
|
|
|
|
// resumption, and |msg_callback_text| is especially useful. In the general
|
|
|
|
|
// case, checks of state updated during the handshake can be skipped when
|
|
|
|
|
// |config->handoff|.
|
|
|
|
|
bool Serialize(CBB *out) const;
|
|
|
|
|
|
|
|
|
|
// Deserialize returns a new |TestState| from data written by |Serialize|.
|
|
|
|
|
static std::unique_ptr<TestState> Deserialize(CBS *cbs, SSL_CTX *ctx);
|
|
|
|
|
|
|
|
|
|
// async_bio is async BIO which pauses reads and writes.
|
|
|
|
|
BIO *async_bio = nullptr;
|
|
|
|
|
// packeted_bio is the packeted BIO which simulates read timeouts.
|
|
|
|
|
BIO *packeted_bio = nullptr;
|
|
|
|
|
std::unique_ptr<MockQuicTransport> quic_transport;
|
|
|
|
|
bool cert_ready = false;
|
|
|
|
|
bssl::UniquePtr<SSL_SESSION> session;
|
|
|
|
|
bssl::UniquePtr<SSL_SESSION> pending_session;
|
|
|
|
|
bool early_callback_called = false;
|
|
|
|
|
bool handshake_done = false;
|
|
|
|
|
// private_key is the underlying private key used when testing custom keys.
|
|
|
|
|
bssl::UniquePtr<EVP_PKEY> private_key;
|
|
|
|
|
// When private key methods are used, whether the private key was used.
|
|
|
|
|
bool used_private_key = false;
|
|
|
|
|
std::vector<uint8_t> private_key_result;
|
|
|
|
|
// private_key_retries is the number of times an asynchronous private key
|
|
|
|
|
// operation has been retried.
|
|
|
|
|
unsigned private_key_retries = 0;
|
|
|
|
|
bool got_new_session = false;
|
|
|
|
|
bssl::UniquePtr<SSL_SESSION> new_session;
|
|
|
|
|
bool ticket_decrypt_done = false;
|
|
|
|
|
bool alpn_select_done = false;
|
|
|
|
|
bool early_callback_ready = false;
|
|
|
|
|
bool custom_verify_ready = false;
|
|
|
|
|
std::string msg_callback_text;
|
|
|
|
|
bool msg_callback_ok = true;
|
|
|
|
|
// cert_verified is true if certificate verification has been driven to
|
|
|
|
|
// completion. This tests that the callback is not called again after this.
|
|
|
|
|
bool cert_verified = false;
|
|
|
|
|
int explicit_renegotiates = 0;
|
|
|
|
|
std::function<bool(const SSL_CLIENT_HELLO*)> get_handshake_hints_cb;
|
Check hs->early_session, not ssl->session, for the early data limit.
ServerHello/EncryptedExtensions/Finished is logically one atomic flight
that exits the early data state, we have process each message
sequentially. Until we've processed Finished, we are still in the early
data state and must support writing data. Individual messages *are*
processed atomically, so the interesting points are before ServerHello
(already tested), after ServerHello, and after EncryptedExtensions.
The TLS 1.3 handshake internally clears ssl->session when processing
ServerHello, so getting the early data information from ssl->session
does not work. Instead, use hs->early_session, which is what other
codepaths use.
I've tested this with runner rather than ssl_test, so we can test both
post-SH and post-EE states. ssl_test would be more self-contained, since
we can directly control the API calls, but it cannot test the post-EE
state. To reduce record overhead, our production implementation packs EE
and Finished into the same record, which means the handshake will
process the two atomically. Instead, I've tested this in runner, with a
flag to partially drive the handshake before reading early data.
I've also tweaked the logic to hopefully be a little clearer.
Bug: chromium:1208784
Change-Id: Ia4901042419c5324054f97743bd1aac59ebf8f24
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47485
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>
4 years ago
|
|
|
int last_message_received = -1;
|
Add an SSL_CREDENTIAL API for ECDSA/RSA and delegated credentials
This adds a notion of "credentials" to BoringSSL's API, to support
certificate selection by key type (typically ECDSA vs RSA), though the
aim is for it to be generalizable to other certificate types and other
kinds of selection criteria, such as Trust Expressions, or Merkle Tree
Certificates. Since we already had some nascent delegated credentials
I've reworked that feature with SSL_CREDENTIALs as well.
The model is that you create an SSL_CREDENTIAL object containing all the
configuration for what you are authenticating as. An X.509
SSL_CREDENTIAL has a certificate chain, private key, optionally an OCSP
response and SCT list. Delegated credentials are similar. In the future,
we might use this for raw public keys, other certificate types, etc.
Once you set those up, you configure those on the SSL or SSL_CTX in
preference order, and BoringSSL will internally pick the first one that
is usable.
The current implementation ends up redundantly selecting the signature
algorithm a couple of times. This works but is a little goofy. A
follow-up change will remove this redundancy. The protocol between the
runner and shim for tests is also a little weird, but it was the easiest
way I could think of for injecting that. Long-term, I think we should
just replace that protocol with a JSON structure. (See
https://crbug.com/boringssl/704.)
As split handshakes are in the process of being replaced with handshake
hints, this won't work with split handshakes. It works with handshake
hints without any extra work.
Update-Note: The delegated credentials API has been revamped.
Previously, it worked by configuring an optional delegated credential
and key with your normal certificate chain. This has the side effect of
forcing your DC issuer and your fallback certificate to be the same. The
SSL_CREDENTIAL API lifts this restriction.
A delegated credential is now just a different kind of credential. It
may use the same certificate chain as an X.509 credential or be
completely separate. All the SSL_CREDENTIAL APIs take CRYPTO_BUFFERs,
so, if common, the buffers may be shared to reduce memory.
The SSL_delegated_credential_used API is also removed, in favor of the
more general SSL_get0_selected_credential API. Callers can use ex_data
or pointer equality to identify the credential.
Bug: 249
Change-Id: Ibc290df3b7b95f148df12625e41cf55c50566602
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/66690
Reviewed-by: Bob Beck <bbe@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
9 months ago
|
|
|
int selected_credential = -1;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
bool SetTestState(SSL *ssl, std::unique_ptr<TestState> state);
|
|
|
|
|
|
|
|
|
|
TestState *GetTestState(const SSL *ssl);
|
|
|
|
|
|
|
|
|
|
struct timeval *GetClock();
|
|
|
|
|
|
|
|
|
|
void AdvanceClock(unsigned seconds);
|
|
|
|
|
|
|
|
|
|
void CopySessions(SSL_CTX *dest, const SSL_CTX *src);
|
|
|
|
|
|
|
|
|
|
// SerializeContextState writes session material (sessions and ticket keys) from
|
|
|
|
|
// |ctx| into |cbb|.
|
|
|
|
|
bool SerializeContextState(SSL_CTX *ctx, CBB *cbb);
|
|
|
|
|
|
|
|
|
|
// DeserializeContextState updates |out| with material previously serialized by
|
|
|
|
|
// SerializeContextState.
|
|
|
|
|
bool DeserializeContextState(CBS *in, SSL_CTX *out);
|
|
|
|
|
|
|
|
|
|
#endif // HEADER_TEST_STATE
|
