From fe6fa0cbb366148c8c6bcddd7c39efb2a131a9c5 Mon Sep 17 00:00:00 2001 From: jsing Date: Sat, 27 Aug 2022 09:16:29 +0000 Subject: [PATCH] Add regress for QUIC. This exercises the libssl QUIC implementation and completes a TLS handshake using the SSL_QUIC_METHOD interface. --- regress/lib/libssl/quic/Makefile | 19 ++ regress/lib/libssl/quic/quictest.c | 339 +++++++++++++++++++++++++++++ 2 files changed, 358 insertions(+) create mode 100644 regress/lib/libssl/quic/Makefile create mode 100644 regress/lib/libssl/quic/quictest.c diff --git a/regress/lib/libssl/quic/Makefile b/regress/lib/libssl/quic/Makefile new file mode 100644 index 00000000000..72f1a048497 --- /dev/null +++ b/regress/lib/libssl/quic/Makefile @@ -0,0 +1,19 @@ +# $OpenBSD: Makefile,v 1.1 2022/08/27 09:16:29 jsing Exp $ + +PROG= quictest +LDADD= ${SSL_INT} -lcrypto +DPADD= ${LIBSSL} ${LIBCRYPTO} + +WARNINGS= Yes +CFLAGS+= -DLIBRESSL_INTERNAL -Werror + +REGRESS_TARGETS= \ + regress-quictest + +regress-quictest: ${PROG} + ./quictest \ + ${.CURDIR}/../../libssl/certs/server.pem \ + ${.CURDIR}/../../libssl/certs/server.pem \ + ${.CURDIR}/../../libssl/certs/ca.pem + +.include diff --git a/regress/lib/libssl/quic/quictest.c b/regress/lib/libssl/quic/quictest.c new file mode 100644 index 00000000000..cdd4b2387ca --- /dev/null +++ b/regress/lib/libssl/quic/quictest.c @@ -0,0 +1,339 @@ +/* $OpenBSD: quictest.c,v 1.1 2022/08/27 09:16:29 jsing Exp $ */ +/* + * Copyright (c) 2020, 2021, 2022 Joel Sing + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include + +#include +#include +#include + +const char *server_ca_file; +const char *server_cert_file; +const char *server_key_file; + +int debug = 0; + +static void +hexdump(const unsigned char *buf, size_t len) +{ + size_t i; + + for (i = 1; i <= len; i++) + fprintf(stderr, " 0x%02hhx,%s", buf[i - 1], i % 8 ? "" : "\n"); + + if (len % 8) + fprintf(stderr, "\n"); +} + +struct quic_data { + enum ssl_encryption_level_t rlevel; + enum ssl_encryption_level_t wlevel; + BIO *rbio; + BIO *wbio; +}; + +static int +quic_set_read_secret(SSL *ssl, enum ssl_encryption_level_t level, + const SSL_CIPHER *cipher, const uint8_t *secret, size_t secret_len) +{ + struct quic_data *qd = SSL_get_app_data(ssl); + + qd->rlevel = level; + + return 1; +} + +static int +quic_set_write_secret(SSL *ssl, enum ssl_encryption_level_t level, + const SSL_CIPHER *cipher, const uint8_t *secret, size_t secret_len) +{ + struct quic_data *qd = SSL_get_app_data(ssl); + + qd->wlevel = level; + + return 1; +} + +static int +quic_read_handshake_data(SSL *ssl) +{ + struct quic_data *qd = SSL_get_app_data(ssl); + uint8_t buf[2048]; + int ret; + + if ((ret = BIO_read(qd->rbio, buf, sizeof(buf))) > 0) { + if (debug > 1) { + fprintf(stderr, "== quic_read_handshake_data ==\n"); + hexdump(buf, ret); + } + if (!SSL_provide_quic_data(ssl, qd->rlevel, buf, ret)) + return -1; + } + + return 1; +} + +static int +quic_add_handshake_data(SSL *ssl, enum ssl_encryption_level_t level, + const uint8_t *data, size_t len) +{ + struct quic_data *qd = SSL_get_app_data(ssl); + int ret; + + if (debug > 1) { + fprintf(stderr, "== quic_add_handshake_data\n"); + hexdump(data, len); + } + + if ((ret = BIO_write(qd->wbio, data, len)) <= 0) + return 0; + + return (size_t)ret == len; +} + +static int +quic_flush_flight(SSL *ssl) +{ + return 1; +} + +static int +quic_send_alert(SSL *ssl, enum ssl_encryption_level_t level, uint8_t alert) +{ + return 1; +} + +const SSL_QUIC_METHOD quic_method = { + .set_read_secret = quic_set_read_secret, + .set_write_secret = quic_set_write_secret, + .add_handshake_data = quic_add_handshake_data, + .flush_flight = quic_flush_flight, + .send_alert = quic_send_alert, +}; + +static SSL * +quic_client(struct quic_data *data) +{ + SSL_CTX *ssl_ctx = NULL; + SSL *ssl = NULL; + + if ((ssl_ctx = SSL_CTX_new(TLS_method())) == NULL) + errx(1, "client context"); + + if (!SSL_CTX_set_quic_method(ssl_ctx, &quic_method)) { + fprintf(stderr, "FAIL: Failed to set QUIC method\n"); + goto failure; + } + + if ((ssl = SSL_new(ssl_ctx)) == NULL) + errx(1, "client ssl"); + + SSL_set_connect_state(ssl); + SSL_set_app_data(ssl, data); + + failure: + SSL_CTX_free(ssl_ctx); + + return ssl; +} + +static SSL * +quic_server(struct quic_data *data) +{ + SSL_CTX *ssl_ctx = NULL; + SSL *ssl = NULL; + + if ((ssl_ctx = SSL_CTX_new(TLS_method())) == NULL) + errx(1, "server context"); + + SSL_CTX_set_dh_auto(ssl_ctx, 2); + + if (SSL_CTX_use_certificate_file(ssl_ctx, server_cert_file, + SSL_FILETYPE_PEM) != 1) { + fprintf(stderr, "FAIL: Failed to load server certificate\n"); + goto failure; + } + if (SSL_CTX_use_PrivateKey_file(ssl_ctx, server_key_file, + SSL_FILETYPE_PEM) != 1) { + fprintf(stderr, "FAIL: Failed to load server private key\n"); + goto failure; + } + + if (!SSL_CTX_set_quic_method(ssl_ctx, &quic_method)) { + fprintf(stderr, "FAIL: Failed to set QUIC method\n"); + goto failure; + } + + if ((ssl = SSL_new(ssl_ctx)) == NULL) + errx(1, "server ssl"); + + SSL_set_accept_state(ssl); + SSL_set_app_data(ssl, data); + + failure: + SSL_CTX_free(ssl_ctx); + + return ssl; +} + +static int +ssl_error(SSL *ssl, const char *name, const char *desc, int ssl_ret) +{ + int ssl_err; + + ssl_err = SSL_get_error(ssl, ssl_ret); + + if (ssl_err == SSL_ERROR_WANT_READ) { + if (quic_read_handshake_data(ssl) < 0) + return 0; + return 1; + } else if (ssl_err == SSL_ERROR_WANT_WRITE) { + return 1; + } else if (ssl_err == SSL_ERROR_SYSCALL && errno == 0) { + /* Yup, this is apparently a thing... */ + } else { + fprintf(stderr, "FAIL: %s %s failed - ssl err = %d, errno = %d\n", + name, desc, ssl_err, errno); + ERR_print_errors_fp(stderr); + return 0; + } + + return 1; +} + +static int +do_handshake(SSL *ssl, const char *name, int *done) +{ + int ssl_ret; + + if ((ssl_ret = SSL_do_handshake(ssl)) == 1) { + fprintf(stderr, "INFO: %s handshake done\n", name); + *done = 1; + return 1; + } + + return ssl_error(ssl, name, "handshake", ssl_ret); +} + +typedef int (*ssl_func)(SSL *ssl, const char *name, int *done); + +static int +do_client_server_loop(SSL *client, ssl_func client_func, SSL *server, + ssl_func server_func) +{ + int client_done = 0, server_done = 0; + int i = 0; + + do { + if (!client_done) { + if (debug) + fprintf(stderr, "DEBUG: client loop\n"); + if (!client_func(client, "client", &client_done)) + return 0; + } + if (!server_done) { + if (debug) + fprintf(stderr, "DEBUG: server loop\n"); + if (!server_func(server, "server", &server_done)) + return 0; + } + } while (i++ < 100 && (!client_done || !server_done)); + + if (!client_done || !server_done) + fprintf(stderr, "FAIL: gave up\n"); + + return client_done && server_done; +} + +static int +quictest(void) +{ + struct quic_data *client_data = NULL, *server_data = NULL; + BIO *client_wbio = NULL, *server_wbio = NULL; + SSL *client = NULL, *server = NULL; + int failed = 1; + + if ((client_wbio = BIO_new(BIO_s_mem())) == NULL) + goto failure; + if (BIO_set_mem_eof_return(client_wbio, -1) <= 0) + goto failure; + + if ((server_wbio = BIO_new(BIO_s_mem())) == NULL) + goto failure; + if (BIO_set_mem_eof_return(server_wbio, -1) <= 0) + goto failure; + + if ((client_data = calloc(1, sizeof(*client_data))) == NULL) + goto failure; + + client_data->rbio = server_wbio; + client_data->wbio = client_wbio; + + if ((client = quic_client(client_data)) == NULL) + goto failure; + + if ((server_data = calloc(1, sizeof(*server_data))) == NULL) + goto failure; + + server_data->rbio = client_wbio; + server_data->wbio = server_wbio; + + if ((server = quic_server(server_data)) == NULL) + goto failure; + + if (!do_client_server_loop(client, do_handshake, server, do_handshake)) { + fprintf(stderr, "FAIL: client and server handshake failed\n"); + ERR_print_errors_fp(stderr); + goto failure; + } + + fprintf(stderr, "INFO: Done!\n"); + + failed = 0; + + failure: + BIO_free(client_wbio); + BIO_free(server_wbio); + + free(client_data); + free(server_data); + + SSL_free(client); + SSL_free(server); + + return failed; +} + +int +main(int argc, char **argv) +{ + int failed = 0; + + if (argc != 4) { + fprintf(stderr, "usage: %s keyfile certfile cafile\n", + argv[0]); + exit(1); + } + + server_key_file = argv[1]; + server_cert_file = argv[2]; + server_ca_file = argv[3]; + + failed |= quictest(); + + return failed; +} -- 2.20.1