static BIO *bio_err=NULL;
static BIO *bio_stdout=NULL;
-#ifndef OPENSSL_NO_NPN
+#ifndef OPENSSL_NO_NEXTPROTONEG
/* Note that this code assumes that this is only a one element list: */
static const char NEXT_PROTO_STRING[] = "\x09testproto";
int npn_client = 0;
}
#endif
+static const char *alpn_client;
+static const char *alpn_server;
+static const char *alpn_expected;
+static unsigned char *alpn_selected;
+
+/* next_protos_parse parses a comma separated list of strings into a string
+ * in a format suitable for passing to SSL_CTX_set_next_protos_advertised.
+ * outlen: (output) set to the length of the resulting buffer on success.
+ * err: (maybe NULL) on failure, an error message line is written to this BIO.
+ * in: a NUL termianted string like "abc,def,ghi"
+ *
+ * returns: a malloced buffer or NULL on failure.
+ */
+static unsigned char *next_protos_parse(unsigned short *outlen, const char *in)
+ {
+ size_t len;
+ unsigned char *out;
+ size_t i, start = 0;
+
+ len = strlen(in);
+ if (len >= 65535)
+ return NULL;
+
+ out = OPENSSL_malloc(strlen(in) + 1);
+ if (!out)
+ return NULL;
+
+ for (i = 0; i <= len; ++i)
+ {
+ if (i == len || in[i] == ',')
+ {
+ if (i - start > 255)
+ {
+ OPENSSL_free(out);
+ return NULL;
+ }
+ out[start] = i - start;
+ start = i + 1;
+ }
+ else
+ out[i+1] = in[i];
+ }
+
+ *outlen = len + 1;
+ return out;
+ }
+
+static int cb_server_alpn(SSL *s, const unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg)
+ {
+ unsigned char *protos;
+ unsigned short protos_len;
+
+ protos = next_protos_parse(&protos_len, alpn_server);
+ if (protos == NULL)
+ {
+ fprintf(stderr, "failed to parser ALPN server protocol string: %s\n", alpn_server);
+ abort();
+ }
+
+ if (SSL_select_next_proto((unsigned char**) out, outlen, protos, protos_len, in, inlen) !=
+ OPENSSL_NPN_NEGOTIATED)
+ {
+ OPENSSL_free(protos);
+ return SSL_TLSEXT_ERR_NOACK;
+ }
+
+ /* Make a copy of the selected protocol which will be freed in verify_alpn. */
+ alpn_selected = OPENSSL_malloc(*outlen);
+ memcpy(alpn_selected, *out, *outlen);
+ *out = alpn_selected;
+
+ OPENSSL_free(protos);
+ return SSL_TLSEXT_ERR_OK;
+ }
+
+static int verify_alpn(SSL *client, SSL *server)
+ {
+ const unsigned char *client_proto, *server_proto;
+ unsigned int client_proto_len = 0, server_proto_len = 0;
+ SSL_get0_alpn_selected(client, &client_proto, &client_proto_len);
+ SSL_get0_alpn_selected(server, &server_proto, &server_proto_len);
+
+ if (alpn_selected != NULL)
+ {
+ OPENSSL_free(alpn_selected);
+ alpn_selected = NULL;
+ }
+
+ if (client_proto_len != server_proto_len ||
+ memcmp(client_proto, server_proto, client_proto_len) != 0)
+ {
+ BIO_printf(bio_stdout, "ALPN selected protocols differ!\n");
+ goto err;
+ }
+
+ if (client_proto_len > 0 && alpn_expected == NULL)
+ {
+ BIO_printf(bio_stdout, "ALPN unexpectedly negotiated\n");
+ goto err;
+ }
+
+ if (alpn_expected != NULL &&
+ (client_proto_len != strlen(alpn_expected) ||
+ memcmp(client_proto, alpn_expected, client_proto_len) != 0))
+ {
+ BIO_printf(bio_stdout, "ALPN selected protocols not equal to expected protocol: %s\n", alpn_expected);
+ goto err;
+ }
+
+ return 0;
+
+err:
+ BIO_printf(bio_stdout, "ALPN results: client: '");
+ BIO_write(bio_stdout, client_proto, client_proto_len);
+ BIO_printf(bio_stdout, "', server: '");
+ BIO_write(bio_stdout, server_proto, server_proto_len);
+ BIO_printf(bio_stdout, "'\n");
+ BIO_printf(bio_stdout, "ALPN configured: client: '%s', server: '%s'\n", alpn_client, alpn_server);
+ return -1;
+ }
+
#define SCT_EXT_TYPE 18
/* WARNING : below extension types are *NOT* IETF assigned, and
/* This set based on extension callbacks */
int custom_ext_error = 0;
+/* Not IETF assigned supplemental data types */
+#define CUSTOM_SUPP_DATA_TYPE_0 100
+#define CUSTOM_SUPP_DATA_TYPE_1 101
+#define CUSTOM_SUPP_DATA_TYPE_2 102
+
+const char supp_data_0_string[] = "00000";
+
+int suppdata = 0;
+int suppdata_error = 0;
+
static int serverinfo_cli_cb(SSL* s, unsigned short ext_type,
const unsigned char* in, unsigned short inlen,
int* al, void* arg)
static int custom_ext_0_cli_first_cb(SSL *s, unsigned short ext_type,
const unsigned char **out,
- unsigned short *outlen, void *arg)
+ unsigned short *outlen, int *al, void *arg)
{
if (ext_type != CUSTOM_EXT_TYPE_0)
custom_ext_error = 1;
unsigned short inlen, int *al,
void *arg)
{
- custom_ext_error = 1; /* Shouldn't be called */
- return 0;
+ return 1;
}
static int custom_ext_1_cli_first_cb(SSL *s, unsigned short ext_type,
const unsigned char **out,
- unsigned short *outlen, void *arg)
+ unsigned short *outlen, int *al, void *arg)
{
if (ext_type != CUSTOM_EXT_TYPE_1)
custom_ext_error = 1;
unsigned short inlen, int *al,
void *arg)
{
- custom_ext_error = 1; /* Shouldn't be called */
- return 0;
+ return 1;
}
static int custom_ext_2_cli_first_cb(SSL *s, unsigned short ext_type,
const unsigned char **out,
- unsigned short *outlen, void *arg)
+ unsigned short *outlen, int *al, void *arg)
{
if (ext_type != CUSTOM_EXT_TYPE_2)
custom_ext_error = 1;
static int custom_ext_3_cli_first_cb(SSL *s, unsigned short ext_type,
const unsigned char **out,
- unsigned short *outlen, void *arg)
+ unsigned short *outlen, int *al, void *arg)
{
if (ext_type != CUSTOM_EXT_TYPE_3)
custom_ext_error = 1;
return 1;
}
-
+/* custom_ext_0_cli_first_cb returns -1 - the server won't receive a callback for this extension */
static int custom_ext_0_srv_first_cb(SSL *s, unsigned short ext_type,
const unsigned char *in,
unsigned short inlen, int *al,
void *arg)
{
- custom_ext_error = 1;
- return 0; /* Shouldn't be called */
+ return 1;
}
+/* 'generate' callbacks are always called, even if the 'receive' callback isn't called */
static int custom_ext_0_srv_second_cb(SSL *s, unsigned short ext_type,
const unsigned char **out,
- unsigned short *outlen, void *arg)
+ unsigned short *outlen, int *al, void *arg)
{
- custom_ext_error = 1;
- return 0; /* Shouldn't be called */
+ return -1; /* Don't send an extension */
}
static int custom_ext_1_srv_first_cb(SSL *s, unsigned short ext_type,
- const unsigned char *in,
- unsigned short inlen, int *al,
- void *arg)
+ const unsigned char *in,
+ unsigned short inlen, int *al,
+ void *arg)
{
if (ext_type != CUSTOM_EXT_TYPE_1)
custom_ext_error = 1;
static int custom_ext_1_srv_second_cb(SSL *s, unsigned short ext_type,
const unsigned char **out,
- unsigned short *outlen, void *arg)
+ unsigned short *outlen, int *al, void *arg)
{
return -1; /* Don't send an extension */
}
static int custom_ext_2_srv_second_cb(SSL *s, unsigned short ext_type,
const unsigned char **out,
- unsigned short *outlen, void *arg)
+ unsigned short *outlen, int *al, void *arg)
{
*out = NULL;
*outlen = 0;
static int custom_ext_3_srv_second_cb(SSL *s, unsigned short ext_type,
const unsigned char **out,
- unsigned short *outlen, void *arg)
+ unsigned short *outlen, int *al, void *arg)
{
*out = (const unsigned char*)custom_ext_srv_string;
*outlen = strlen(custom_ext_srv_string);
return 1; /* Send "defg" */
}
+static int supp_data_0_srv_first_cb(SSL *s, unsigned short supp_data_type,
+ const unsigned char **out,
+ unsigned short *outlen, int *al, void *arg)
+ {
+ *out = (const unsigned char*)supp_data_0_string;
+ *outlen = strlen(supp_data_0_string);
+ if (arg != s)
+ suppdata_error = 1;
+ return 1;
+ }
+
+static int supp_data_0_srv_second_cb(SSL *s, unsigned short supp_data_type,
+ const unsigned char *in,
+ unsigned short inlen, int *al,
+ void *arg)
+ {
+ if (supp_data_type != CUSTOM_SUPP_DATA_TYPE_0)
+ suppdata_error = 1;
+ if (inlen != strlen(supp_data_0_string))
+ suppdata_error = 1;
+ if (memcmp(in, supp_data_0_string, inlen) != 0)
+ suppdata_error = 1;
+ if (arg != s)
+ suppdata_error = 1;
+ return 1;
+ }
+
+static int supp_data_1_srv_first_cb(SSL *s, unsigned short supp_data_type,
+ const unsigned char **out,
+ unsigned short *outlen, int *al, void *arg)
+ {
+ return -1;
+ }
+
+static int supp_data_1_srv_second_cb(SSL *s, unsigned short supp_data_type,
+ const unsigned char *in,
+ unsigned short inlen, int *al,
+ void *arg)
+ {
+ suppdata_error = 1;
+ return 1;
+ }
+
+static int supp_data_2_srv_second_cb(SSL *s, unsigned short supp_data_type,
+ const unsigned char *in,
+ unsigned short inlen, int *al,
+ void *arg)
+ {
+ suppdata_error = 1;
+ return 1;
+ }
+
+static int supp_data_0_cli_first_cb(SSL *s, unsigned short supp_data_type,
+ const unsigned char *in,
+ unsigned short inlen, int *al,
+ void *arg)
+ {
+ if (supp_data_type != CUSTOM_SUPP_DATA_TYPE_0)
+ suppdata_error = 1;
+ if (inlen != strlen(supp_data_0_string))
+ suppdata_error = 1;
+ if (memcmp(in, supp_data_0_string, inlen) != 0)
+ suppdata_error = 1;
+ if (arg != s)
+ suppdata_error = 1;
+ return 1;
+ }
+
+static int supp_data_0_cli_second_cb(SSL *s, unsigned short supp_data_type,
+ const unsigned char **out,
+ unsigned short *outlen, int *al, void *arg)
+ {
+ *out = (const unsigned char*)supp_data_0_string;
+ *outlen = strlen(supp_data_0_string);
+ if (arg != s)
+ suppdata_error = 1;
+ return 1;
+ }
+
+static int supp_data_1_cli_first_cb(SSL *s, unsigned short supp_data_type,
+ const unsigned char *in,
+ unsigned short inlen, int *al,
+ void *arg)
+ {
+ suppdata_error = 1;
+ return 1;
+ }
+
+static int supp_data_1_cli_second_cb(SSL *s, unsigned short supp_data_type,
+ const unsigned char **out,
+ unsigned short *outlen, int *al, void *arg)
+ {
+ return -1;
+ }
+
+static int supp_data_2_cli_first_cb(SSL *s, unsigned short supp_data_type,
+ const unsigned char *in,
+ unsigned short inlen, int *al,
+ void *arg)
+ {
+ suppdata_error = 1;
+ return 1;
+ }
static char *cipher=NULL;
static int verbose=0;
" (default is sect163r2).\n");
#endif
fprintf(stderr," -test_cipherlist - verifies the order of the ssl cipher lists\n");
-#ifndef OPENSSL_NO_NPN
+#ifndef OPENSSL_NO_NEXTPROTONEG
fprintf(stderr," -npn_client - have client side offer NPN\n");
fprintf(stderr," -npn_server - have server side offer NPN\n");
fprintf(stderr," -npn_server_reject - have server reject NPN\n");
fprintf(stderr," -serverinfo_sct - have client offer and expect SCT\n");
fprintf(stderr," -serverinfo_tack - have client offer and expect TACK\n");
fprintf(stderr," -custom_ext - try various custom extension callbacks\n");
+ fprintf(stderr," -alpn_client <string> - have client side offer ALPN\n");
+ fprintf(stderr," -alpn_server <string> - have server side offer ALPN\n");
+ fprintf(stderr," -alpn_expected <string> - the ALPN protocol that should be negotiated\n");
+ fprintf(stderr, "-suppdata - exercise supplemental data callbacks\n");
}
static void print_details(SSL *c_ssl, const char *prefix)
{
test_cipherlist = 1;
}
-#ifndef OPENSSL_NO_NPN
+#ifndef OPENSSL_NO_NEXTPROTONEG
else if (strcmp(*argv,"-npn_client") == 0)
{
npn_client = 1;
{
custom_ext = 1;
}
+ else if (strcmp(*argv,"-alpn_client") == 0)
+ {
+ if (--argc < 1) goto bad;
+ alpn_client = *(++argv);
+ }
+ else if (strcmp(*argv,"-alpn_server") == 0)
+ {
+ if (--argc < 1) goto bad;
+ alpn_server = *(++argv);
+ }
+ else if (strcmp(*argv,"-alpn_expected") == 0)
+ {
+ if (--argc < 1) goto bad;
+ alpn_expected = *(++argv);
+ }
+ else if (strcmp(*argv,"-suppdata") == 0)
+ {
+ suppdata = 1;
+ }
else
{
fprintf(stderr,"unknown option %s\n",*argv);
ERR_print_errors(bio_err);
goto end;
}
+ /* Since we will use low security ciphersuites and keys for
+ * testing set security level to zero.
+ */
+ SSL_CTX_set_security_level(c_ctx, 0);
+ SSL_CTX_set_security_level(s_ctx, 0);
if (cipher != NULL)
{
}
#endif
-#ifndef OPENSSL_NO_NPN
+#ifndef OPENSSL_NO_NEXTPROTONEG
if (npn_client)
{
SSL_CTX_set_next_proto_select_cb(c_ctx, cb_client_npn, NULL);
custom_ext_3_srv_second_cb, NULL);
}
+ if (alpn_server)
+ SSL_CTX_set_alpn_select_cb(s_ctx, cb_server_alpn, NULL);
+
+ if (alpn_client)
+ {
+ unsigned short alpn_len;
+ unsigned char *alpn = next_protos_parse(&alpn_len, alpn_client);
+
+ if (alpn == NULL)
+ {
+ BIO_printf(bio_err, "Error parsing -alpn_client argument\n");
+ goto end;
+ }
+ SSL_CTX_set_alpn_protos(c_ctx, alpn, alpn_len);
+ OPENSSL_free(alpn);
+ }
+
c_ssl=SSL_new(c_ctx);
s_ssl=SSL_new(s_ctx);
+ if (suppdata)
+ {
+ /* TEST CASES */
+ /* client and server both send and receive, verify
+ * additional arg passed back */
+ SSL_CTX_set_srv_supp_data(s_ctx, CUSTOM_SUPP_DATA_TYPE_0,
+ supp_data_0_srv_first_cb,
+ supp_data_0_srv_second_cb, s_ssl);
+ SSL_CTX_set_cli_supp_data(c_ctx, CUSTOM_SUPP_DATA_TYPE_0,
+ supp_data_0_cli_first_cb,
+ supp_data_0_cli_second_cb, c_ssl);
+
+ /* -1 response from sending server/client doesn't
+ * receive, -1 response from sending client/server
+ * doesn't receive */
+ SSL_CTX_set_srv_supp_data(s_ctx, CUSTOM_SUPP_DATA_TYPE_1,
+ supp_data_1_srv_first_cb,
+ supp_data_1_srv_second_cb, NULL);
+ SSL_CTX_set_cli_supp_data(c_ctx, CUSTOM_SUPP_DATA_TYPE_1,
+ supp_data_1_cli_first_cb,
+ supp_data_1_cli_second_cb, NULL);
+
+ /* null sending server/client doesn't receive, null
+ sending client/server doesn't receive */
+ SSL_CTX_set_srv_supp_data(s_ctx, CUSTOM_SUPP_DATA_TYPE_2,
+ /*supp_data_2_srv_first_cb*/NULL,
+ supp_data_2_srv_second_cb, NULL);
+ SSL_CTX_set_cli_supp_data(c_ctx, CUSTOM_SUPP_DATA_TYPE_2,
+ supp_data_2_cli_first_cb,
+ /*supp_data_2_cli_second_cb*/NULL,
+ NULL);
+
+ /* alerts set to non-zero and zero return values not tested */
+ }
#ifndef OPENSSL_NO_KRB5
if (c_ssl && c_ssl->kssl_ctx)
{
if (verbose)
print_details(c_ssl, "DONE via BIO pair: ");
-#ifndef OPENSSL_NO_NPN
+#ifndef OPENSSL_NO_NEXTPROTONEG
if (verify_npn(c_ssl, s_ssl) < 0)
{
ret = 1;
ret = 1;
goto err;
}
+ if (verify_alpn(c_ssl, s_ssl) < 0)
+ {
+ ret = 1;
+ goto err;
+ }
if (custom_ext_error)
{
if (verbose)
print_details(c_ssl, "DONE: ");
-#ifndef OPENSSL_NO_NPN
+#ifndef OPENSSL_NO_NEXTPROTONEG
if (verify_npn(c_ssl, s_ssl) < 0)
{
ret = 1;
goto err;
}
#endif
+ if (suppdata_error < 0)
+ {
+ ret = 1;
+ goto err;
+ }
if (verify_serverinfo() < 0)
{
ret = 1;