Bugzilla – Attachment 661346 Details for
Bug 960082
Backport ALPN support to openssl-1.0.1i
[patch]
openssl-ALPN-tests.patch
openssl-ALPN-tests.patch (text/plain), 8.00 KB, created by
Marcus Meissner
on 2016-01-11 15:33:51 UTC
Description:
openssl-ALPN-tests.patch
Filename:
MIME Type:
Creator:
Marcus Meissner
Created:
2016-01-11 15:33:51 UTC
Size:
8.00 KB
patch
obsolete
>commit 0f385fed8da81b2f73a59f4abb174fbc6f35d689
>Author: Adam Langley <agl@chromium.org>
>Date: Sun Dec 20 05:01:14 2015 -0800
>
> Add tests for ALPN functionality.
>
>diff --git a/apps/s_client.c b/apps/s_client.c
>index 36a2859050a9..58296378cef8 100644
>--- a/apps/s_client.c
>+++ b/apps/s_client.c
>@@ -1181,10 +1181,11 @@ bad:
> {
> BIO_printf(bio_err, "Error parsing -alpn argument\n");
> goto end;
> }
> SSL_CTX_set_alpn_protos(ctx, alpn, alpn_len);
>+ OPENSSL_free(alpn);
> }
> #endif
>
> if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
> if (cipher != NULL)
>diff --git a/ssl/ssltest.c b/ssl/ssltest.c
>index 4f80be8ee4d8..2bad92d36049 100644
>--- a/ssl/ssltest.c
>+++ b/ssl/ssltest.c
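Review bot: `OPENSSL_free(alpn)` right after `SSL_CTX_set_alpn_protos(ctx, alpn, alpn_len)` is safe because that call copies the list into the context, but the call's return value is still ignored; unlike most OpenSSL setters it returns 0 on success and non-zero on failure, so a failed copy leaves the client with no ALPN list and no diagnostic. Suggest `if (SSL_CTX_set_alpn_protos(ctx, alpn, alpn_len) != 0) { BIO_printf(bio_err, "Error setting ALPN protocols\n"); OPENSSL_free(alpn); goto end; }`. The same unchecked call is added in the ssl/ssltest.c hunk at `@@ -1068,10 +1207,27 @@`, where a silently missing client list would surface only as a confusing verify_alpn failure later.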
>@@ -305,10 +305,131 @@ static int s_nbio=0;
> #endif
> #endif
>
> static const char rnd_seed[] = "string to make the random number generator think it has entropy";
>
>+static const char *alpn_client;
>+static const char *alpn_server;
>+static const char *alpn_expected;
>+static unsigned char *alpn_selected;
>+
>+/* next_protos_parse parses a comma separated list of strings into a string
>+ * in a format suitable for passing to SSL_CTX_set_next_protos_advertised.
>+ * outlen: (output) set to the length of the resulting buffer on success.
>+ * err: (maybe NULL) on failure, an error message line is written to this BIO.
>+ * in: a NUL termianted string like "abc,def,ghi"
>+ *
>+ * returns: a malloced buffer or NULL on failure.
>+ */
>+static unsigned char *next_protos_parse(unsigned short *outlen, const char *in)
>+ {
>+ size_t len;
>+ unsigned char *out;
>+ size_t i, start = 0;
>+
>+ len = strlen(in);
>+ if (len >= 65535)
>+ return NULL;
>+
>+ out = OPENSSL_malloc(strlen(in) + 1);
>+ if (!out)
>+ return NULL;
>+
>+ for (i = 0; i <= len; ++i)
>+ {
>+ if (i == len || in[i] == ',')
>+ {
>+ if (i - start > 255)
>+ {
>+ OPENSSL_free(out);
>+ return NULL;
>+ }
>+ out[start] = i - start;
>+ start = i + 1;
>+ }
>+ else
>+ out[i+1] = in[i];
>+ }
>+
>+ *outlen = len + 1;
>+ return out;
>+ }
>+
>+static int cb_server_alpn(SSL *s, const unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg)
>+ {
>+ unsigned char *protos;
>+ unsigned short protos_len;
>+
>+ protos = next_protos_parse(&protos_len, alpn_server);
>+ if (protos == NULL)
>+ {
>+ fprintf(stderr, "failed to parser ALPN server protocol string: %s\n", alpn_server);
>+ abort();
>+ }
>+
>+ if (SSL_select_next_proto((unsigned char**) out, outlen, protos, protos_len, in, inlen) !=
>+ OPENSSL_NPN_NEGOTIATED)
>+ {
>+ OPENSSL_free(protos);
>+ return SSL_TLSEXT_ERR_NOACK;
>+ }
>+
>+ /* Make a copy of the selected protocol which will be freed in verify_alpn. 
*/
>+ alpn_selected = OPENSSL_malloc(*outlen);
>+ memcpy(alpn_selected, *out, *outlen);
>+ *out = alpn_selected;
>+
>+ OPENSSL_free(protos);
>+ return SSL_TLSEXT_ERR_OK;
>+ }
>+
>+static int verify_alpn(SSL *client, SSL *server)
>+ {
>+ const unsigned char *client_proto, *server_proto;
>+ unsigned int client_proto_len = 0, server_proto_len = 0;
>+ SSL_get0_alpn_selected(client, &client_proto, &client_proto_len);
>+ SSL_get0_alpn_selected(server, &server_proto, &server_proto_len);
>+
>+ if (alpn_selected != NULL)
>+ {
>+ OPENSSL_free(alpn_selected);
>+ alpn_selected = NULL;
>+ }
>+
>+ if (client_proto_len != server_proto_len ||
>+ memcmp(client_proto, server_proto, client_proto_len) != 0)
>+ {
>+ BIO_printf(bio_stdout, "ALPN selected protocols differ!\n");
>+ goto err;
>+ }
>+
>+ if (client_proto_len > 0 && alpn_expected == NULL)
>+ {
>+ BIO_printf(bio_stdout, "ALPN unexpectedly negotiated\n");
>+ goto err;
>+ }
>+
>+ if (alpn_expected != NULL &&
>+ (client_proto_len != strlen(alpn_expected) ||
>+ memcmp(client_proto, alpn_expected, client_proto_len) != 0))
>+ {
>+ BIO_printf(bio_stdout, "ALPN selected protocols not equal to expected protocol: %s\n", alpn_expected);
>+ goto err;
>+ }
>+
>+ return 0;
>+
>+err:
>+ BIO_printf(bio_stdout, "ALPN results: client: '");
>+ BIO_write(bio_stdout, client_proto, client_proto_len);
>+ BIO_printf(bio_stdout, "', server: '");
>+ BIO_write(bio_stdout, server_proto, server_proto_len);
>+ BIO_printf(bio_stdout, "'\n");
>+ BIO_printf(bio_stdout, "ALPN configured: client: '%s', server: '%s'\n", alpn_client, alpn_server);
>+ return -1;
>+ }
>+
> int doit_biopair(SSL *s_ssl,SSL *c_ssl,long bytes,clock_t *s_time,clock_t *c_time);
> int doit(SSL *s_ssl,SSL *c_ssl,long bytes);
> static int do_test_cipherlist(void);
> static void sv_usage(void)
> {
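Review bot: `alpn_selected = OPENSSL_malloc(*outlen);` in cb_server_alpn is followed by `memcpy(alpn_selected, *out, *outlen);` with no NULL check, so an allocation failure dereferences NULL inside the TLS server callback. Fail the handshake instead: `if (alpn_selected == NULL) { OPENSSL_free(protos); return SSL_TLSEXT_ERR_ALERT_FATAL; }`. If the callback can run more than once on the same connection (a renegotiation, say), the previous alpn_selected buffer is also leaked, since verify_alpn frees only the last one; freeing any existing buffer before the malloc would cover that. The header comment above next_protos_parse documents an `err` BIO parameter the function does not take and misspells "terminated"; worth fixing while the function is being introduced.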
>@@ -366,11 +487,14 @@ static void sv_usage(void)
> #ifndef OPENSSL_NO_ECDH
> fprintf(stderr," -named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.\n" \
> " Use \"openssl ecparam -list_curves\" for all names\n" \
> " (default is sect163r2).\n");
> #endif
>- fprintf(stderr," -test_cipherlist - verifies the order of the ssl cipher lists\n");
>+ fprintf(stderr," -custom_ext - try various custom extension callbacks\n");
>+ fprintf(stderr," -alpn_client <string> - have client side offer ALPN\n");
>+ fprintf(stderr," -alpn_server <string> - have server side offer ALPN\n");
>+ fprintf(stderr," -alpn_expected <string> - the ALPN protocol that should be negotiated\n");
> }
>
> static void print_details(SSL *c_ssl, const char *prefix)
> {
> const SSL_CIPHER *ciph;
>@@ -763,10 +887,25 @@ int main(int argc, char *argv[])
> }
> else if (strcmp(*argv,"-test_cipherlist") == 0)
> {
> test_cipherlist = 1;
> }
>+ else if (strcmp(*argv,"-alpn_client") == 0)
>+ {
>+ if (--argc < 1) goto bad;
>+ alpn_client = *(++argv);
>+ }
>+ else if (strcmp(*argv,"-alpn_server") == 0)
>+ {
>+ if (--argc < 1) goto bad;
>+ alpn_server = *(++argv);
>+ }
>+ else if (strcmp(*argv,"-alpn_expected") == 0)
>+ {
>+ if (--argc < 1) goto bad;
>+ alpn_expected = *(++argv);
>+ }
> else
> {
> fprintf(stderr,"unknown option %s\n",*argv);
> badop=1;
> break;
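Review bot: The usage text now advertises `-custom_ext`, which this patch does not parse (the argv hunk at `@@ -763,10 +887,25 @@` adds only the three `-alpn_*` options), and it drops the `-test_cipherlist` line even though that option is still handled, as the context of that same hunk shows. This looks like a backport artifact from a tree that already carried the custom-extension tests. Keep `fprintf(stderr," -test_cipherlist - verifies the order of the ssl cipher lists\n");` and leave out the `-custom_ext` line unless that option is being backported as well.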
>@@ -1068,10 +1207,27 @@ bad:
> SSL_CTX_set_srp_cb_arg(s_ctx, &srp_server_arg);
> SSL_CTX_set_srp_username_callback(s_ctx, ssl_srp_server_param_cb);
> }
> #endif
>
>+ if (alpn_server)
>+ SSL_CTX_set_alpn_select_cb(s_ctx, cb_server_alpn, NULL);
>+
>+ if (alpn_client)
>+ {
>+ unsigned short alpn_len;
>+ unsigned char *alpn = next_protos_parse(&alpn_len, alpn_client);
>+
>+ if (alpn == NULL)
>+ {
>+ BIO_printf(bio_err, "Error parsing -alpn_client argument\n");
>+ goto end;
>+ }
>+ SSL_CTX_set_alpn_protos(c_ctx, alpn, alpn_len);
>+ OPENSSL_free(alpn);
>+ }
>+
> c_ssl=SSL_new(c_ctx);
> s_ssl=SSL_new(s_ctx);
>
> #ifndef OPENSSL_NO_KRB5
> if (c_ssl && c_ssl->kssl_ctx)
>@@ -1518,10 +1674,16 @@ int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
> }
> while (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0);
>
> if (verbose)
> print_details(c_ssl, "DONE via BIO pair: ");
>+
>+ if (verify_alpn(c_ssl, s_ssl) < 0)
>+ {
>+ ret = 1;
>+ goto err;
>+ }
> end:
> ret = 0;
>
> err:
> ERR_print_errors(bio_err);
>diff --git a/test/testssl b/test/testssl
>index a2ac27fdd585..fd94f14dc9df 100644
>--- a/test/testssl
>+++ b/test/testssl
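Review bot: verify_alpn is only wired into doit_biopair (`if (verify_alpn(c_ssl, s_ssl) < 0)`), so `-alpn_client`, `-alpn_server` and `-alpn_expected` are accepted but never checked when ssltest runs without `-bio_pair`; doit() is not touched anywhere in this diff, as far as it shows. The new testssl lines all pass `-bio_pair`, so the gap is latent today, but an ALPN mismatch in the plain-socket mode would pass silently. Either call verify_alpn at the equivalent point in doit() as well, or reject the `-alpn_*` options in main when bio_pair is not set so the test cannot report a false pass.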
>@@ -182,10 +182,22 @@ echo test tls1 with PSK
> $ssltest -tls1 -cipher PSK -psk abc123 $extra || exit 1
>
> echo test tls1 with PSK via BIO pair
> $ssltest -bio_pair -tls1 -cipher PSK -psk abc123 $extra || exit 1
>
>+#############################################################################
>+# ALPN tests
>+
>+$ssltest -bio_pair -tls1 -alpn_client foo -alpn_server bar || exit 1
>+$ssltest -bio_pair -tls1 -alpn_client foo -alpn_server foo -alpn_expected foo || exit 1
>+$ssltest -bio_pair -tls1 -alpn_client foo,bar -alpn_server foo -alpn_expected foo || exit 1
>+$ssltest -bio_pair -tls1 -alpn_client bar,foo -alpn_server foo -alpn_expected foo || exit 1
>+$ssltest -bio_pair -tls1 -alpn_client bar,foo -alpn_server foo,bar -alpn_expected foo || exit 1
>+$ssltest -bio_pair -tls1 -alpn_client bar,foo -alpn_server bar,foo -alpn_expected bar || exit 1
>+$ssltest -bio_pair -tls1 -alpn_client foo,bar -alpn_server bar,foo -alpn_expected bar || exit 1
>+$ssltest -bio_pair -tls1 -alpn_client baz -alpn_server bar,foo || exit 1
>+
> if ../util/shlib_wrap.sh ../apps/openssl no-srp; then
> echo skipping SRP tests
> else
> echo test tls1 with SRP
> $ssltest -tls1 -cipher SRP -srpuser test -srppass abc123
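Review bot: The new `$ssltest ... -alpn_*` invocations omit `$extra`, which every neighbouring `$ssltest` line in this hunk passes through, and the block has no `echo test ...` heading, so when one of the eight lines fails the log gives no indication of which ALPN case died (the PSK and SRP tests around it each announce themselves). Add `echo test tls1 with ALPN via BIO pair` before the block and append `$extra` to each line. A single comment naming the expected outcome of the two no-overlap lines (first and last, run without `-alpn_expected`) would also make the intent of those cases clear to the next reader.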