/*
 * Copyright 2018 The WebRTC Project Authors. All rights reserved.
 *
 * Use of this source code is governed by a BSD-style license
 * that can be found in the LICENSE file in the root of the source
 * tree. An additional intellectual property rights grant can be found
 * in the file PATENTS. All contributing project authors may
 * be found in the AUTHORS file in the root of the source tree.
 */
10
11#include <string>
12#include <vector>
13
14#if defined(WEBRTC_POSIX)
15#include <unistd.h>
16#endif
17
18#if defined(WEBRTC_WIN)
19// Must be included first before openssl headers.
20#include "rtc_base/win32.h" // NOLINT
21#endif // WEBRTC_WIN
22
23#include <openssl/bio.h>
24#include <openssl/crypto.h>
David Benjaminc816ffc2018-05-04 16:38:0025#include <openssl/evp.h>
26#include <openssl/ssl.h>
Taylor Brandstetter165c6182020-12-11 00:23:0327#ifdef OPENSSL_IS_BORINGSSL
28#include <openssl/pool.h>
29#else
Benjamin Wright9201d1a2018-04-05 19:12:2630#include <openssl/x509.h>
31#include <openssl/x509v3.h>
Taylor Brandstetter165c6182020-12-11 00:23:0332#endif
Benjamin Wright9201d1a2018-04-05 19:12:2633
34#include "rtc_base/arraysize.h"
David Benjaminc816ffc2018-05-04 16:38:0035#include "rtc_base/checks.h"
Benjamin Wright9201d1a2018-04-05 19:12:2636#include "rtc_base/gunit.h"
37#include "rtc_base/numerics/safe_conversions.h"
38#include "rtc_base/openssl.h"
Steve Anton10542f22019-01-11 17:11:0039#include "rtc_base/openssl_utility.h"
40#include "rtc_base/ssl_roots.h"
Benjamin Wright9201d1a2018-04-05 19:12:2641#include "test/gmock.h"
42
43namespace rtc {
44namespace {
// Fake P-256 key for use with the test certificates below.
// DER-encoded PKCS#8 PrivateKeyInfo: the AlgorithmIdentifier is
// id-ecPublicKey with named curve prime256v1, wrapping an ECPrivateKey whose
// 32-byte scalar is followed by the matching uncompressed public point.
// The scalar is published in this file, so the key is a fixture only: nothing
// signed with it carries any trust, and it must never be used outside tests.
const unsigned char kFakeSSLPrivateKey[] = {
    0x30, 0x81, 0x87, 0x02, 0x01, 0x00, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86,
    0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d,
    0x03, 0x01, 0x07, 0x04, 0x6d, 0x30, 0x6b, 0x02, 0x01, 0x01, 0x04, 0x20,
    0x07, 0x0f, 0x08, 0x72, 0x7a, 0xd4, 0xa0, 0x4a, 0x9c, 0xdd, 0x59, 0xc9,
    0x4d, 0x89, 0x68, 0x77, 0x08, 0xb5, 0x6f, 0xc9, 0x5d, 0x30, 0x77, 0x0e,
    0xe8, 0xd1, 0xc9, 0xce, 0x0a, 0x8b, 0xb4, 0x6a, 0xa1, 0x44, 0x03, 0x42,
    0x00, 0x04, 0xe6, 0x2b, 0x69, 0xe2, 0xbf, 0x65, 0x9f, 0x97, 0xbe, 0x2f,
    0x1e, 0x0d, 0x94, 0x8a, 0x4c, 0xd5, 0x97, 0x6b, 0xb7, 0xa9, 0x1e, 0x0d,
    0x46, 0xfb, 0xdd, 0xa9, 0xa9, 0x1e, 0x9d, 0xdc, 0xba, 0x5a, 0x01, 0xe7,
    0xd6, 0x97, 0xa8, 0x0a, 0x18, 0xf9, 0xc3, 0xc4, 0xa3, 0x1e, 0x56, 0xe2,
    0x7c, 0x83, 0x48, 0xdb, 0x16, 0x1a, 0x1c, 0xf5, 0x1d, 0x7e, 0xf1, 0x94,
    0x2d, 0x4b, 0xcf, 0x72, 0x22, 0xc1};
Benjamin Wright9201d1a2018-04-05 19:12:2659
// A self-signed certificate with CN *.webrtc.org and SANs foo.test, *.bar.test,
// and test.webrtc.org.
// DER X.509 v3, ecdsa-with-SHA256 over the P-256 key above. Decoding the
// Validity field gives notBefore 2018-04-03T21:54:08Z and notAfter
// 2019-04-03T21:54:08Z, so the certificate is long expired, and its
// basicConstraints extension is critical with CA:TRUE. The hostname tests
// below expect matches against it, so they evidently do not depend on the
// validity window; do not read a passing run as evidence of chain or expiry
// checking.
const unsigned char kFakeSSLCertificate[] = {
    0x30, 0x82, 0x02, 0x9e, 0x30, 0x82, 0x02, 0x42, 0xa0, 0x03, 0x02, 0x01,
    0x02, 0x02, 0x09, 0x00, 0xc8, 0x83, 0x59, 0x4d, 0x90, 0xc3, 0x5f, 0xc8,
    0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02,
    0x05, 0x00, 0x30, 0x81, 0x8d, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55,
    0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,
    0x55, 0x04, 0x08, 0x0c, 0x02, 0x57, 0x41, 0x31, 0x2c, 0x30, 0x2a, 0x06,
    0x03, 0x55, 0x04, 0x0a, 0x0c, 0x23, 0x46, 0x61, 0x6b, 0x65, 0x20, 0x57,
    0x65, 0x62, 0x52, 0x54, 0x43, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66,
    0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x46, 0x6f, 0x72, 0x20, 0x54, 0x65,
    0x73, 0x74, 0x69, 0x6e, 0x67, 0x31, 0x2c, 0x30, 0x2a, 0x06, 0x03, 0x55,
    0x04, 0x0b, 0x0c, 0x23, 0x46, 0x61, 0x6b, 0x65, 0x20, 0x57, 0x65, 0x62,
    0x52, 0x54, 0x43, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63,
    0x61, 0x74, 0x65, 0x20, 0x46, 0x6f, 0x72, 0x20, 0x54, 0x65, 0x73, 0x74,
    0x69, 0x6e, 0x67, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x03,
    0x0c, 0x0c, 0x2a, 0x2e, 0x77, 0x65, 0x62, 0x72, 0x74, 0x63, 0x2e, 0x6f,
    0x72, 0x67, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x38, 0x30, 0x34, 0x30, 0x33,
    0x32, 0x31, 0x35, 0x34, 0x30, 0x38, 0x5a, 0x17, 0x0d, 0x31, 0x39, 0x30,
    0x34, 0x30, 0x33, 0x32, 0x31, 0x35, 0x34, 0x30, 0x38, 0x5a, 0x30, 0x81,
    0x8d, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
    0x55, 0x53, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c,
    0x02, 0x57, 0x41, 0x31, 0x2c, 0x30, 0x2a, 0x06, 0x03, 0x55, 0x04, 0x0a,
    0x0c, 0x23, 0x46, 0x61, 0x6b, 0x65, 0x20, 0x57, 0x65, 0x62, 0x52, 0x54,
    0x43, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74,
    0x65, 0x20, 0x46, 0x6f, 0x72, 0x20, 0x54, 0x65, 0x73, 0x74, 0x69, 0x6e,
    0x67, 0x31, 0x2c, 0x30, 0x2a, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x23,
    0x46, 0x61, 0x6b, 0x65, 0x20, 0x57, 0x65, 0x62, 0x52, 0x54, 0x43, 0x20,
    0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20,
    0x46, 0x6f, 0x72, 0x20, 0x54, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x67, 0x31,
    0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0c, 0x2a, 0x2e,
    0x77, 0x65, 0x62, 0x72, 0x74, 0x63, 0x2e, 0x6f, 0x72, 0x67, 0x30, 0x59,
    0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06,
    0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00,
    0x04, 0xe6, 0x2b, 0x69, 0xe2, 0xbf, 0x65, 0x9f, 0x97, 0xbe, 0x2f, 0x1e,
    0x0d, 0x94, 0x8a, 0x4c, 0xd5, 0x97, 0x6b, 0xb7, 0xa9, 0x1e, 0x0d, 0x46,
    0xfb, 0xdd, 0xa9, 0xa9, 0x1e, 0x9d, 0xdc, 0xba, 0x5a, 0x01, 0xe7, 0xd6,
    0x97, 0xa8, 0x0a, 0x18, 0xf9, 0xc3, 0xc4, 0xa3, 0x1e, 0x56, 0xe2, 0x7c,
    0x83, 0x48, 0xdb, 0x16, 0x1a, 0x1c, 0xf5, 0x1d, 0x7e, 0xf1, 0x94, 0x2d,
    0x4b, 0xcf, 0x72, 0x22, 0xc1, 0xa3, 0x81, 0x86, 0x30, 0x81, 0x83, 0x30,
    0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0xb7, 0xc0,
    0x9a, 0xa7, 0x22, 0xaf, 0xf8, 0x7d, 0xff, 0x68, 0xdb, 0x80, 0xac, 0x0a,
    0xb6, 0xdc, 0x64, 0x89, 0xdb, 0xd4, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d,
    0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0xb7, 0xc0, 0x9a, 0xa7, 0x22,
    0xaf, 0xf8, 0x7d, 0xff, 0x68, 0xdb, 0x80, 0xac, 0x0a, 0xb6, 0xdc, 0x64,
    0x89, 0xdb, 0xd4, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01,
    0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x30, 0x06, 0x03,
    0x55, 0x1d, 0x11, 0x04, 0x29, 0x30, 0x27, 0x82, 0x08, 0x66, 0x6f, 0x6f,
    0x2e, 0x74, 0x65, 0x73, 0x74, 0x82, 0x0a, 0x2a, 0x2e, 0x62, 0x61, 0x72,
    0x2e, 0x74, 0x65, 0x73, 0x74, 0x82, 0x0f, 0x74, 0x65, 0x73, 0x74, 0x2e,
    0x77, 0x65, 0x62, 0x72, 0x74, 0x63, 0x2e, 0x6f, 0x72, 0x67, 0x30, 0x0c,
    0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x05, 0x00,
    0x03, 0x48, 0x00, 0x30, 0x45, 0x02, 0x21, 0x00, 0x81, 0xcb, 0xe2, 0xf9,
    0x04, 0xba, 0xf7, 0xfd, 0x3f, 0x0d, 0x56, 0x37, 0xdb, 0x65, 0x68, 0x07,
    0x28, 0x8d, 0xc5, 0xe1, 0x73, 0xb7, 0xce, 0xa5, 0x20, 0x65, 0x15, 0xb2,
    0xc6, 0x37, 0x8c, 0x5a, 0x02, 0x20, 0x24, 0x62, 0x74, 0xe8, 0xd9, 0x80,
    0x78, 0x2a, 0xbb, 0x87, 0xff, 0x49, 0x99, 0xdb, 0x94, 0xab, 0x06, 0x91,
    0xc0, 0x7a, 0xa4, 0x62, 0x61, 0x98, 0x97, 0x47, 0xb7, 0x64, 0x2b, 0x99,
    0xc3, 0x71};
120
// A self-signed SSL certificate with only the legacy CN field *.webrtc.org.
// Same subject, issuer, key, signature algorithm and validity window
// (2018-04-03T21:54:08Z to 2019-04-03T21:54:08Z) as kFakeSSLCertificate, but
// its extension block holds only subjectKeyIdentifier, authorityKeyIdentifier
// and basicConstraints (critical, CA:TRUE): there is no subjectAltName, which
// is what forces the CN fallback exercised by the Legacy test below.
const unsigned char kFakeSSLCertificateLegacy[] = {
    0x30, 0x82, 0x02, 0x6a, 0x30, 0x82, 0x02, 0x0e, 0xa0, 0x03, 0x02, 0x01,
    0x02, 0x02, 0x09, 0x00, 0xc8, 0x83, 0x59, 0x4d, 0x90, 0xc3, 0x5f, 0xc8,
    0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02,
    0x05, 0x00, 0x30, 0x81, 0x8d, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55,
    0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,
    0x55, 0x04, 0x08, 0x0c, 0x02, 0x57, 0x41, 0x31, 0x2c, 0x30, 0x2a, 0x06,
    0x03, 0x55, 0x04, 0x0a, 0x0c, 0x23, 0x46, 0x61, 0x6b, 0x65, 0x20, 0x57,
    0x65, 0x62, 0x52, 0x54, 0x43, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66,
    0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x46, 0x6f, 0x72, 0x20, 0x54, 0x65,
    0x73, 0x74, 0x69, 0x6e, 0x67, 0x31, 0x2c, 0x30, 0x2a, 0x06, 0x03, 0x55,
    0x04, 0x0b, 0x0c, 0x23, 0x46, 0x61, 0x6b, 0x65, 0x20, 0x57, 0x65, 0x62,
    0x52, 0x54, 0x43, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63,
    0x61, 0x74, 0x65, 0x20, 0x46, 0x6f, 0x72, 0x20, 0x54, 0x65, 0x73, 0x74,
    0x69, 0x6e, 0x67, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x03,
    0x0c, 0x0c, 0x2a, 0x2e, 0x77, 0x65, 0x62, 0x72, 0x74, 0x63, 0x2e, 0x6f,
    0x72, 0x67, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x38, 0x30, 0x34, 0x30, 0x33,
    0x32, 0x31, 0x35, 0x34, 0x30, 0x38, 0x5a, 0x17, 0x0d, 0x31, 0x39, 0x30,
    0x34, 0x30, 0x33, 0x32, 0x31, 0x35, 0x34, 0x30, 0x38, 0x5a, 0x30, 0x81,
    0x8d, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
    0x55, 0x53, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c,
    0x02, 0x57, 0x41, 0x31, 0x2c, 0x30, 0x2a, 0x06, 0x03, 0x55, 0x04, 0x0a,
    0x0c, 0x23, 0x46, 0x61, 0x6b, 0x65, 0x20, 0x57, 0x65, 0x62, 0x52, 0x54,
    0x43, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74,
    0x65, 0x20, 0x46, 0x6f, 0x72, 0x20, 0x54, 0x65, 0x73, 0x74, 0x69, 0x6e,
    0x67, 0x31, 0x2c, 0x30, 0x2a, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x23,
    0x46, 0x61, 0x6b, 0x65, 0x20, 0x57, 0x65, 0x62, 0x52, 0x54, 0x43, 0x20,
    0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20,
    0x46, 0x6f, 0x72, 0x20, 0x54, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x67, 0x31,
    0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0c, 0x2a, 0x2e,
    0x77, 0x65, 0x62, 0x72, 0x74, 0x63, 0x2e, 0x6f, 0x72, 0x67, 0x30, 0x59,
    0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06,
    0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00,
    0x04, 0xe6, 0x2b, 0x69, 0xe2, 0xbf, 0x65, 0x9f, 0x97, 0xbe, 0x2f, 0x1e,
    0x0d, 0x94, 0x8a, 0x4c, 0xd5, 0x97, 0x6b, 0xb7, 0xa9, 0x1e, 0x0d, 0x46,
    0xfb, 0xdd, 0xa9, 0xa9, 0x1e, 0x9d, 0xdc, 0xba, 0x5a, 0x01, 0xe7, 0xd6,
    0x97, 0xa8, 0x0a, 0x18, 0xf9, 0xc3, 0xc4, 0xa3, 0x1e, 0x56, 0xe2, 0x7c,
    0x83, 0x48, 0xdb, 0x16, 0x1a, 0x1c, 0xf5, 0x1d, 0x7e, 0xf1, 0x94, 0x2d,
    0x4b, 0xcf, 0x72, 0x22, 0xc1, 0xa3, 0x53, 0x30, 0x51, 0x30, 0x1d, 0x06,
    0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0xb7, 0xc0, 0x9a, 0xa7,
    0x22, 0xaf, 0xf8, 0x7d, 0xff, 0x68, 0xdb, 0x80, 0xac, 0x0a, 0xb6, 0xdc,
    0x64, 0x89, 0xdb, 0xd4, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04,
    0x18, 0x30, 0x16, 0x80, 0x14, 0xb7, 0xc0, 0x9a, 0xa7, 0x22, 0xaf, 0xf8,
    0x7d, 0xff, 0x68, 0xdb, 0x80, 0xac, 0x0a, 0xb6, 0xdc, 0x64, 0x89, 0xdb,
    0xd4, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04,
    0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86,
    0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x05, 0x00, 0x03, 0x48, 0x00, 0x30,
    0x45, 0x02, 0x21, 0x00, 0xae, 0x51, 0xbc, 0x0f, 0x28, 0x29, 0xd9, 0x35,
    0x95, 0xcc, 0x68, 0xf1, 0xc6, 0x3e, 0xfe, 0x56, 0xfd, 0x7f, 0xd2, 0x03,
    0x6d, 0x09, 0xc7, 0x9b, 0x83, 0x93, 0xd6, 0xd0, 0xfe, 0x45, 0x34, 0x7c,
    0x02, 0x20, 0x6b, 0xaa, 0x95, 0x8c, 0xfc, 0x29, 0x5e, 0x5e, 0xc9, 0xf5,
    0x84, 0x0b, 0xc7, 0x15, 0x86, 0xc3, 0xfc, 0x48, 0x55, 0xb5, 0x81, 0x94,
    0x73, 0xbd, 0x18, 0xcd, 0x9d, 0x92, 0x47, 0xaa, 0xfd, 0x18};
175
Taylor Brandstetter165c6182020-12-11 00:23:03176#ifdef OPENSSL_IS_BORINGSSL
// BoringSSL custom-verify callback used only by CreateSSLWithPeerCertificate.
// It accepts whatever the peer presented without looking at it, so the
// in-memory handshake can complete with no trust store configured. Neither
// parameter is consulted and *out_alert is never written; the result is a
// client that holds a peer certificate but has performed no validation of it.
enum ssl_verify_result_t DummyVerifyCallback(SSL* ssl, uint8_t* out_alert) {
  static_cast<void>(ssl);
  static_cast<void>(out_alert);
  return ssl_verify_ok;
}
180#endif
181
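// Creates a client SSL that has completed handshaking with a server that uses
// the specified certificate (which must have private key kFakeSSLPrivateKey).
// The server is deallocated. This client will have a peer certificate available
// and is thus suitable for testing VerifyPeerCertMatchesHost.
//
// `cert` is the DER encoding of the server certificate and `cert_len` its
// length in bytes. Returns a connected client SSL that the caller owns and
// must release with SSL_free(). Every library failure is fatal (RTC_CHECK)
// rather than reported, since this is a test fixture.
//
// The returned client has not verified the peer in any meaningful sense: the
// BoringSSL path installs DummyVerifyCallback, and the OpenSSL path leaves the
// default verification mode, so the self-signed certificate is accepted. Tests
// built on this helper exercise hostname matching only, never chain validation
// or expiry.
SSL* CreateSSLWithPeerCertificate(const unsigned char* cert, size_t cert_len) {
  // d2i_* advances the pointer it is given, hence the local copy of the array
  // base rather than passing the array itself.
  const unsigned char* key_ptr = kFakeSSLPrivateKey;
  EVP_PKEY* key = d2i_PrivateKey(
      EVP_PKEY_EC, nullptr, &key_ptr,
      checked_cast<long>(arraysize(kFakeSSLPrivateKey)));  // NOLINT
  RTC_CHECK(key);

#ifdef OPENSSL_IS_BORINGSSL
  SSL_CTX* ctx = SSL_CTX_new(TLS_with_buffers_method());
#else
  SSL_CTX* ctx = SSL_CTX_new(TLS_method());
#endif
  // A null context or SSL would otherwise surface as a crash in
  // SSL_set_*_state below instead of a located failure.
  RTC_CHECK(ctx);
  // SSL_new takes its own reference on `ctx`, so the SSL_CTX_free at the end
  // does not invalidate the client handed back to the caller.
  SSL* client = SSL_new(ctx);
  SSL* server = SSL_new(ctx);
  RTC_CHECK(client);
  RTC_CHECK(server);
  SSL_set_connect_state(client);
  SSL_set_accept_state(server);

#ifdef OPENSSL_IS_BORINGSSL
  bssl::UniquePtr<CRYPTO_BUFFER> cert_buffer(CRYPTO_BUFFER_new(
      static_cast<const uint8_t*>(cert), cert_len, openssl::GetBufferPool()));
  RTC_CHECK(cert_buffer);
  std::vector<CRYPTO_BUFFER*> cert_buffers;
  cert_buffers.push_back(cert_buffer.get());
  RTC_CHECK(1 == SSL_set_chain_and_key(server, cert_buffers.data(),
                                       cert_buffers.size(), key, nullptr));
  // When using crypto buffers we don't get any built-in verification, so a
  // permissive callback is installed on the client purely to let the handshake
  // finish; it performs no validation whatsoever.
  SSL_set_custom_verify(client, SSL_VERIFY_PEER, DummyVerifyCallback);
#else
  // d2i_X509 advances `cert`; it is a by-value parameter, so the caller's
  // pointer is unaffected.
  X509* x509 =
      d2i_X509(nullptr, &cert, checked_cast<long>(cert_len));  // NOLINT
  RTC_CHECK(x509);
  RTC_CHECK(SSL_use_certificate(server, x509));
  RTC_CHECK(SSL_use_PrivateKey(server, key));
#endif

  BIO* bio1 = nullptr;
  BIO* bio2 = nullptr;
  // An unchecked failure here would leave bio1/bio2 unset and hand garbage to
  // SSL_set_bio, so treat it as fatal like every other step.
  RTC_CHECK(BIO_new_bio_pair(&bio1, 0, &bio2, 0));
  // SSL_set_bio takes ownership of the BIOs.
  SSL_set_bio(client, bio1, bio1);
  SSL_set_bio(server, bio2, bio2);

  // Drive both ends until each reports a completed handshake. A TLS handshake
  // needs only a handful of flights over the in-memory pair, so a bounded loop
  // turns a stalled handshake (both sides forever WANT_READ) into a test
  // failure instead of a hang. The limit is generous; it is not a tuning knob.
  constexpr int kMaxHandshakeIterations = 64;
  bool handshake_done = false;
  for (int i = 0; i < kMaxHandshakeIterations && !handshake_done; ++i) {
    int client_ret = SSL_do_handshake(client);
    int client_err = SSL_get_error(client, client_ret);
    RTC_CHECK(client_err == SSL_ERROR_NONE ||
              client_err == SSL_ERROR_WANT_READ ||
              client_err == SSL_ERROR_WANT_WRITE);

    int server_ret = SSL_do_handshake(server);
    int server_err = SSL_get_error(server, server_ret);
    RTC_CHECK(server_err == SSL_ERROR_NONE ||
              server_err == SSL_ERROR_WANT_READ ||
              server_err == SSL_ERROR_WANT_WRITE);

    handshake_done = client_ret == 1 && server_ret == 1;
  }
  RTC_CHECK(handshake_done);

  // The client keeps the peer certificate it received; everything else that
  // was only needed to produce it is released here.
  SSL_free(server);
  SSL_CTX_free(ctx);
  EVP_PKEY_free(key);
#ifndef OPENSSL_IS_BORINGSSL
  X509_free(x509);
#endif
  return client;
}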
254} // namespace
255
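// A connection that has never handshaked carries no peer certificate; the
// hostname check must fail closed rather than treat "nothing presented" as a
// match.
TEST(OpenSSLUtilityTest, VerifyPeerCertMatchesHostFailsOnNoPeerCertificate) {
#ifdef OPENSSL_IS_BORINGSSL
  SSL_CTX* ssl_ctx = SSL_CTX_new(DTLS_with_buffers_method());
#else
  SSL_CTX* ssl_ctx = SSL_CTX_new(DTLS_method());
#endif
  // Guard the fixture itself: a null context makes SSL_new return null, which
  // would turn this case into a crash inside the function under test rather
  // than the verification failure it is meant to observe.
  ASSERT_TRUE(ssl_ctx != nullptr);
  SSL* ssl = SSL_new(ssl_ctx);
  ASSERT_TRUE(ssl != nullptr);

  EXPECT_FALSE(openssl::VerifyPeerCertMatchesHost(ssl, "webrtc.org"));

  SSL_free(ssl);
  SSL_CTX_free(ssl_ctx);
}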
269
// Hostname matching against a certificate that carries a SAN list
// (foo.test, *.bar.test, test.webrtc.org) as well as a CN of *.webrtc.org.
TEST(OpenSSLUtilityTest, VerifyPeerCertMatchesHost) {
  SSL* ssl = CreateSSLWithPeerCertificate(kFakeSSLCertificate,
                                          arraysize(kFakeSSLCertificate));

  struct HostCase {
    const char* host;
    bool matches;
  };
  const HostCase kCases[] = {
      // Each of the names in the SAN list is valid.
      {"foo.test", true},
      {"a.bar.test", true},
      {"b.bar.test", true},
      {"test.webrtc.org", true},
      // If the SAN list is present, the CN is not checked for hosts.
      {"www.webrtc.org", false},
      // Additional cases around wildcards: one label only, never the bare
      // parent domain, never a partial-label match.
      {"a.b.bar.test", false},
      {"notbar.test", false},
      {"bar.test", false},
  };
  for (const HostCase& c : kCases) {
    EXPECT_EQ(c.matches, openssl::VerifyPeerCertMatchesHost(ssl, c.host))
        << "host: " << c.host;
  }

  SSL_free(ssl);
}
290
// Hostname matching against a certificate with no SAN extension at all, which
// forces the legacy CN (*.webrtc.org) fallback.
TEST(OpenSSLUtilityTest, VerifyPeerCertMatchesHostLegacy) {
  SSL* ssl = CreateSSLWithPeerCertificate(kFakeSSLCertificateLegacy,
                                          arraysize(kFakeSSLCertificateLegacy));

  // If there is no SAN list, WebRTC still implements the legacy mechanism which
  // checks the CN, no longer supported by modern browsers.
  struct HostCase {
    const char* host;
    bool matches;
  };
  const HostCase kCases[] = {
      {"www.webrtc.org", true},
      {"alice.webrtc.org", true},
      {"bob.webrtc.org", true},
      // The wildcard covers exactly one label: not two labels, not a
      // partial-label match, and not the bare parent domain.
      {"a.b.webrtc.org", false},
      {"notwebrtc.org", false},
      {"webrtc.org", false},
  };
  for (const HostCase& c : kCases) {
    EXPECT_EQ(c.matches, openssl::VerifyPeerCertMatchesHost(ssl, c.host))
        << "host: " << c.host;
  }

  SSL_free(ssl);
}
307
308} // namespace rtc