ssl_0rtt_unittest.cc (39864B)
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ 2 /* vim: set ts=2 et sw=2 tw=80: */ 3 /* This Source Code Form is subject to the terms of the Mozilla Public 4 * License, v. 2.0. If a copy of the MPL was not distributed with this file, 5 * You can obtain one at http://mozilla.org/MPL/2.0/. */ 6 7 #include "secerr.h" 8 #include "ssl.h" 9 #include "sslerr.h" 10 #include "sslexp.h" 11 #include "sslproto.h" 12 13 extern "C" { 14 // This is not something that should make you happy. 15 #include "libssl_internals.h" 16 } 17 18 #include "cpputil.h" 19 #include "gtest_utils.h" 20 #include "nss_scoped_ptrs.h" 21 #include "tls_connect.h" 22 #include "tls_filter.h" 23 #include "tls_parser.h" 24 25 namespace nss_test { 26 27 TEST_P(TlsConnectTls13, ZeroRtt) { 28 SetupForZeroRtt(); 29 client_->Set0RttEnabled(true); 30 server_->Set0RttEnabled(true); 31 ExpectResumption(RESUME_TICKET); 32 ZeroRttSendReceive(true, true); 33 Handshake(); 34 ExpectEarlyDataAccepted(true); 35 CheckConnected(); 36 SendReceive(); 37 } 38 39 TEST_P(TlsConnectTls13, ZeroRttServerRejectByOption) { 40 SetupForZeroRtt(); 41 client_->Set0RttEnabled(true); 42 ExpectResumption(RESUME_TICKET); 43 ZeroRttSendReceive(true, false); 44 Handshake(); 45 CheckConnected(); 46 SendReceive(); 47 } 48 49 TEST_P(TlsConnectTls13, ZeroRttApplicationReject) { 50 SetupForZeroRtt(); 51 client_->Set0RttEnabled(true); 52 server_->Set0RttEnabled(true); 53 ExpectResumption(RESUME_TICKET); 54 55 auto reject_0rtt = [](PRBool firstHello, const PRUint8* clientToken, 56 unsigned int clientTokenLen, PRUint8* appToken, 57 unsigned int* appTokenLen, unsigned int appTokenMax, 58 void* arg) { 59 auto* called = reinterpret_cast<bool*>(arg); 60 *called = true; 61 62 EXPECT_TRUE(firstHello); 63 EXPECT_EQ(0U, clientTokenLen); 64 return ssl_hello_retry_reject_0rtt; 65 }; 66 67 bool cb_run = false; 68 EXPECT_EQ(SECSuccess, SSL_HelloRetryRequestCallback(server_->ssl_fd(), 69 reject_0rtt, &cb_run)); 70 ZeroRttSendReceive(true, false); 71 Handshake(); 72 EXPECT_TRUE(cb_run); 73 CheckConnected(); 74 SendReceive(); 75 } 76 77 TEST_P(TlsConnectTls13, ZeroRttApparentReplayAfterRestart) { 78 // The test fixtures enable anti-replay in SetUp(). This results in 0-RTT 79 // being rejected until at least one window passes. SetupFor0Rtt() forces a 80 // rollover of the anti-replay filters, which clears that state and allows 81 // 0-RTT to work. Make the first connection manually to avoid that rollover 82 // and cause 0-RTT to be rejected. 83 84 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 85 ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3); 86 server_->Set0RttEnabled(true); // So we signal that we allow 0-RTT. 87 Connect(); 88 SendReceive(); // Need to read so that we absorb the session ticket. 89 CheckKeys(); 90 91 Reset(); 92 StartConnect(); 93 client_->Set0RttEnabled(true); 94 server_->Set0RttEnabled(true); 95 ExpectResumption(RESUME_TICKET); 96 ZeroRttSendReceive(true, false); 97 Handshake(); 98 CheckConnected(); 99 SendReceive(); 100 } 101 102 class TlsZeroRttReplayTest : public TlsConnectTls13 { 103 private: 104 class SaveFirstPacket : public PacketFilter { 105 public: 106 PacketFilter::Action Filter(const DataBuffer& input, 107 DataBuffer* output) override { 108 if (!packet_.len() && input.len()) { 109 packet_ = input; 110 } 111 return KEEP; 112 } 113 114 const DataBuffer& packet() const { return packet_; } 115 116 private: 117 DataBuffer packet_; 118 }; 119 120 protected: 121 void RunTest(bool rollover, const ScopedPK11SymKey& epsk) { 122 // Now run a true 0-RTT handshake, but capture the first packet. 123 auto first_packet = std::make_shared<SaveFirstPacket>(); 124 client_->SetFilter(first_packet); 125 client_->Set0RttEnabled(true); 126 server_->Set0RttEnabled(true); 127 ZeroRttSendReceive(true, true); 128 Handshake(); 129 EXPECT_LT(0U, first_packet->packet().len()); 130 ExpectEarlyDataAccepted(true); 131 CheckConnected(); 132 SendReceive(); 133 134 if (rollover) { 135 RolloverAntiReplay(); 136 } 137 138 // Now replay that packet against the server. 139 Reset(); 140 server_->StartConnect(); 141 server_->Set0RttEnabled(true); 142 server_->SetAntiReplayContext(anti_replay_); 143 if (epsk) { 144 AddPsk(epsk, std::string("foo"), ssl_hash_sha256, 145 TLS_CHACHA20_POLY1305_SHA256); 146 } 147 148 // Capture the early_data extension, which should not appear. 149 auto early_data_ext = 150 MakeTlsFilter<TlsExtensionCapture>(server_, ssl_tls13_early_data_xtn); 151 152 // Finally, replay the ClientHello and force the server to consume it. Stop 153 // after the server sends its first flight; the client will not be able to 154 // complete this handshake. 155 server_->adapter()->PacketReceived(first_packet->packet()); 156 server_->Handshake(); 157 EXPECT_FALSE(early_data_ext->captured()); 158 } 159 160 void RunResPskTest(bool rollover) { 161 // Run the initial handshake 162 SetupForZeroRtt(); 163 ExpectResumption(RESUME_TICKET); 164 RunTest(rollover, ScopedPK11SymKey(nullptr)); 165 } 166 167 void RunExtPskTest(bool rollover) { 168 ScopedPK11SlotInfo slot(PK11_GetInternalSlot()); 169 ASSERT_NE(nullptr, slot); 170 171 const std::vector<uint8_t> kPskDummyVal(16, 0xFF); 172 SECItem psk_item = {siBuffer, toUcharPtr(kPskDummyVal.data()), 173 static_cast<unsigned int>(kPskDummyVal.size())}; 174 PK11SymKey* key = 175 PK11_ImportSymKey(slot.get(), CKM_HKDF_KEY_GEN, PK11_OriginUnwrap, 176 CKA_DERIVE, &psk_item, NULL); 177 ASSERT_NE(nullptr, key); 178 ScopedPK11SymKey scoped_psk(key); 179 RolloverAntiReplay(); 180 AddPsk(scoped_psk, std::string("foo"), ssl_hash_sha256, 181 TLS_CHACHA20_POLY1305_SHA256); 182 StartConnect(); 183 RunTest(rollover, scoped_psk); 184 } 185 }; 186 187 TEST_P(TlsZeroRttReplayTest, ResPskZeroRttReplay) { RunResPskTest(false); } 188 189 TEST_P(TlsZeroRttReplayTest, ExtPskZeroRttReplay) { RunExtPskTest(false); } 190 191 TEST_P(TlsZeroRttReplayTest, ZeroRttReplayAfterRollover) { 192 RunResPskTest(true); 193 } 194 195 // Test that we don't try to send 0-RTT data when the server sent 196 // us a ticket without the 0-RTT flags. 197 TEST_P(TlsConnectTls13, ZeroRttOptionsSetLate) { 198 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 199 Connect(); 200 SendReceive(); // Need to read so that we absorb the session ticket. 201 CheckKeys(); 202 Reset(); 203 StartConnect(); 204 // Now turn on 0-RTT but too late for the ticket. 205 client_->Set0RttEnabled(true); 206 server_->Set0RttEnabled(true); 207 ExpectResumption(RESUME_TICKET); 208 ZeroRttSendReceive(false, false); 209 Handshake(); 210 CheckConnected(); 211 SendReceive(); 212 } 213 214 // Make sure that a session ticket sent well after the original handshake 215 // can be used for 0-RTT. 216 // Stream because DTLS doesn't support SSL_SendSessionTicket. 217 TEST_F(TlsConnectStreamTls13, ZeroRttUsingLateTicket) { 218 // Use a small-ish anti-replay window. 219 ResetAntiReplay(100 * PR_USEC_PER_MSEC); 220 RolloverAntiReplay(); 221 222 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 223 server_->Set0RttEnabled(true); 224 Connect(); 225 CheckKeys(); 226 227 // Now move time forward 30s and send a ticket. 228 AdvanceTime(30 * PR_USEC_PER_SEC); 229 EXPECT_EQ(SECSuccess, SSL_SendSessionTicket(server_->ssl_fd(), NULL, 0)); 230 SendReceive(); 231 Reset(); 232 StartConnect(); 233 234 client_->Set0RttEnabled(true); 235 server_->Set0RttEnabled(true); 236 ExpectResumption(RESUME_TICKET); 237 ZeroRttSendReceive(true, true); 238 Handshake(); 239 ExpectEarlyDataAccepted(true); 240 CheckConnected(); 241 SendReceive(); 242 } 243 244 // Check that post-handshake authentication with a long RTT doesn't 245 // make things worse. 246 TEST_F(TlsConnectStreamTls13, ZeroRttUsingLateTicketPha) { 247 // Use a small-ish anti-replay window. 248 ResetAntiReplay(100 * PR_USEC_PER_MSEC); 249 RolloverAntiReplay(); 250 251 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 252 server_->Set0RttEnabled(true); 253 client_->SetupClientAuth(); 254 client_->SetOption(SSL_ENABLE_POST_HANDSHAKE_AUTH, PR_TRUE); 255 Connect(); 256 CheckKeys(); 257 258 // Add post-handshake authentication, with some added delays. 259 AdvanceTime(10 * PR_USEC_PER_SEC); 260 EXPECT_EQ(SECSuccess, SSL_SendCertificateRequest(server_->ssl_fd())); 261 AdvanceTime(10 * PR_USEC_PER_SEC); 262 server_->SendData(50); 263 client_->ReadBytes(50); 264 client_->SendData(50); 265 server_->ReadBytes(50); 266 267 AdvanceTime(10 * PR_USEC_PER_SEC); 268 EXPECT_EQ(SECSuccess, SSL_SendSessionTicket(server_->ssl_fd(), NULL, 0)); 269 server_->SendData(100); 270 client_->ReadBytes(100); 271 Reset(); 272 StartConnect(); 273 274 client_->Set0RttEnabled(true); 275 server_->Set0RttEnabled(true); 276 ExpectResumption(RESUME_TICKET); 277 ZeroRttSendReceive(true, true); 278 Handshake(); 279 ExpectEarlyDataAccepted(true); 280 CheckConnected(); 281 SendReceive(); 282 } 283 284 // Same, but with client authentication on the first connection. 285 TEST_F(TlsConnectStreamTls13, ZeroRttUsingLateTicketClientAuth) { 286 // Use a small-ish anti-replay window. 287 ResetAntiReplay(100 * PR_USEC_PER_MSEC); 288 RolloverAntiReplay(); 289 290 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 291 client_->SetupClientAuth(); 292 server_->RequestClientAuth(true); 293 server_->Set0RttEnabled(true); 294 Connect(); 295 CheckKeys(); 296 297 // Now move time forward 30s and send a ticket. 298 AdvanceTime(30 * PR_USEC_PER_SEC); 299 EXPECT_EQ(SECSuccess, SSL_SendSessionTicket(server_->ssl_fd(), NULL, 0)); 300 SendReceive(); 301 Reset(); 302 StartConnect(); 303 304 client_->Set0RttEnabled(true); 305 server_->Set0RttEnabled(true); 306 ExpectResumption(RESUME_TICKET); 307 ZeroRttSendReceive(true, true); 308 Handshake(); 309 ExpectEarlyDataAccepted(true); 310 CheckConnected(); 311 SendReceive(); 312 } 313 314 TEST_P(TlsConnectTls13, ZeroRttServerForgetTicket) { 315 SetupForZeroRtt(); 316 client_->Set0RttEnabled(true); 317 server_->Set0RttEnabled(true); 318 ClearServerCache(); 319 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 320 ExpectResumption(RESUME_NONE); 321 ZeroRttSendReceive(true, false); 322 Handshake(); 323 CheckConnected(); 324 SendReceive(); 325 } 326 327 TEST_P(TlsConnectTls13, ZeroRttServerOnly) { 328 ExpectResumption(RESUME_NONE); 329 server_->Set0RttEnabled(true); 330 StartConnect(); 331 332 // Client sends ordinary ClientHello. 333 client_->Handshake(); 334 335 // Verify that the server doesn't get data. 336 uint8_t buf[100]; 337 PRInt32 rv = PR_Read(server_->ssl_fd(), buf, sizeof(buf)); 338 EXPECT_EQ(SECFailure, rv); 339 EXPECT_EQ(PR_WOULD_BLOCK_ERROR, PORT_GetError()); 340 341 // Now make sure that things complete. 342 Handshake(); 343 CheckConnected(); 344 SendReceive(); 345 CheckKeys(); 346 } 347 348 // Advancing time after sending the ClientHello means that the ticket age that 349 // arrives at the server is too low. The server then rejects early data if this 350 // delay exceeds half the anti-replay window. 351 TEST_P(TlsConnectTls13, ZeroRttRejectOldTicket) { 352 static const PRTime kWindow = 10 * PR_USEC_PER_SEC; 353 ResetAntiReplay(kWindow); 354 SetupForZeroRtt(); 355 356 Reset(); 357 StartConnect(); 358 client_->Set0RttEnabled(true); 359 server_->Set0RttEnabled(true); 360 ExpectResumption(RESUME_TICKET); 361 ZeroRttSendReceive(true, false, [this]() { 362 AdvanceTime(1 + kWindow / 2); 363 return true; 364 }); 365 Handshake(); 366 ExpectEarlyDataAccepted(false); 367 CheckConnected(); 368 SendReceive(); 369 } 370 371 // In this test, we falsely inflate the estimate of the RTT by delaying the 372 // ServerHello on the first handshake. This results in the server estimating a 373 // higher value of the ticket age than the client ultimately provides. Add a 374 // small tolerance for variation in ticket age and the ticket will appear to 375 // arrive prematurely, causing the server to reject early data. 376 TEST_P(TlsConnectTls13, ZeroRttRejectPrematureTicket) { 377 static const PRTime kWindow = 10 * PR_USEC_PER_SEC; 378 ResetAntiReplay(kWindow); 379 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 380 ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3); 381 server_->Set0RttEnabled(true); 382 StartConnect(); 383 client_->Handshake(); // ClientHello 384 server_->Handshake(); // ServerHello 385 AdvanceTime(1 + kWindow / 2); 386 Handshake(); // Remainder of handshake 387 CheckConnected(); 388 SendReceive(); 389 CheckKeys(); 390 391 Reset(); 392 client_->Set0RttEnabled(true); 393 server_->Set0RttEnabled(true); 394 ExpectResumption(RESUME_TICKET); 395 ExpectEarlyDataAccepted(false); 396 StartConnect(); 397 ZeroRttSendReceive(true, false); 398 Handshake(); 399 CheckConnected(); 400 SendReceive(); 401 } 402 403 TEST_P(TlsConnectTls13, TestTls13ZeroRttAlpn) { 404 EnableAlpn(); 405 SetupForZeroRtt(); 406 EnableAlpn(); 407 client_->Set0RttEnabled(true); 408 server_->Set0RttEnabled(true); 409 ExpectResumption(RESUME_TICKET); 410 ExpectEarlyDataAccepted(true); 411 ZeroRttSendReceive(true, true, [this]() { 412 client_->CheckAlpn(SSL_NEXT_PROTO_EARLY_VALUE, "a"); 413 return true; 414 }); 415 Handshake(); 416 CheckConnected(); 417 SendReceive(); 418 CheckAlpn("a"); 419 } 420 421 // NOTE: In this test and those below, the client always sends 422 // post-ServerHello alerts with the handshake keys, even if the server 423 // has accepted 0-RTT. In some cases, as with errors in 424 // EncryptedExtensions, the client can't know the server's behavior, 425 // and in others it's just simpler. What the server is expecting 426 // depends on whether it accepted 0-RTT or not. Eventually, we may 427 // make the server trial decrypt. 428 // 429 // Have the server negotiate a different ALPN value, and therefore 430 // reject 0-RTT. 431 TEST_P(TlsConnectTls13, TestTls13ZeroRttAlpnChangeServer) { 432 EnableAlpn(); 433 SetupForZeroRtt(); 434 static const uint8_t client_alpn[] = {0x01, 0x61, 0x01, 0x62}; // "a", "b" 435 static const uint8_t server_alpn[] = {0x01, 0x62}; // "b" 436 client_->EnableAlpn(client_alpn, sizeof(client_alpn)); 437 server_->EnableAlpn(server_alpn, sizeof(server_alpn)); 438 client_->Set0RttEnabled(true); 439 server_->Set0RttEnabled(true); 440 ExpectResumption(RESUME_TICKET); 441 ZeroRttSendReceive(true, false, [this]() { 442 client_->CheckAlpn(SSL_NEXT_PROTO_EARLY_VALUE, "a"); 443 return true; 444 }); 445 Handshake(); 446 CheckConnected(); 447 SendReceive(); 448 CheckAlpn("b"); 449 } 450 451 // Check that the client validates the ALPN selection of the server. 452 // Stomp the ALPN on the client after sending the ClientHello so 453 // that the server selection appears to be incorrect. The client 454 // should then fail the connection. 455 TEST_P(TlsConnectTls13, TestTls13ZeroRttNoAlpnServer) { 456 EnableAlpn(); 457 SetupForZeroRtt(); 458 client_->Set0RttEnabled(true); 459 server_->Set0RttEnabled(true); 460 EnableAlpn(); 461 ExpectResumption(RESUME_TICKET); 462 ZeroRttSendReceive(true, true, [this]() { 463 PRUint8 b[] = {'b'}; 464 client_->CheckAlpn(SSL_NEXT_PROTO_EARLY_VALUE, "a"); 465 EXPECT_EQ(SECSuccess, SSLInt_Set0RttAlpn(client_->ssl_fd(), b, sizeof(b))); 466 client_->CheckAlpn(SSL_NEXT_PROTO_EARLY_VALUE, "b"); 467 client_->ExpectSendAlert(kTlsAlertIllegalParameter); 468 return true; 469 }); 470 if (variant_ == ssl_variant_stream) { 471 server_->ExpectSendAlert(kTlsAlertBadRecordMac); 472 Handshake(); 473 server_->CheckErrorCode(SSL_ERROR_BAD_MAC_READ); 474 } else { 475 client_->Handshake(); 476 } 477 client_->CheckErrorCode(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID); 478 } 479 480 // Set up with no ALPN and then set the client so it thinks it has ALPN. 481 // The server responds without the extension and the client returns an 482 // error. 483 TEST_P(TlsConnectTls13, TestTls13ZeroRttNoAlpnClient) { 484 SetupForZeroRtt(); 485 client_->Set0RttEnabled(true); 486 server_->Set0RttEnabled(true); 487 ExpectResumption(RESUME_TICKET); 488 ZeroRttSendReceive(true, true, [this]() { 489 PRUint8 b[] = {'b'}; 490 EXPECT_EQ(SECSuccess, SSLInt_Set0RttAlpn(client_->ssl_fd(), b, 1)); 491 client_->CheckAlpn(SSL_NEXT_PROTO_EARLY_VALUE, "b"); 492 client_->ExpectSendAlert(kTlsAlertIllegalParameter); 493 return true; 494 }); 495 if (variant_ == ssl_variant_stream) { 496 server_->ExpectSendAlert(kTlsAlertBadRecordMac); 497 Handshake(); 498 server_->CheckErrorCode(SSL_ERROR_BAD_MAC_READ); 499 } else { 500 client_->Handshake(); 501 } 502 client_->CheckErrorCode(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID); 503 } 504 505 // Remove the old ALPN value and so the client will not offer early data. 506 TEST_P(TlsConnectTls13, TestTls13ZeroRttAlpnChangeBoth) { 507 EnableAlpn(); 508 SetupForZeroRtt(); 509 static const std::vector<uint8_t> alpn({0x01, 0x62}); // "b" 510 EnableAlpn(alpn); 511 client_->Set0RttEnabled(true); 512 server_->Set0RttEnabled(true); 513 ExpectResumption(RESUME_TICKET); 514 ZeroRttSendReceive(true, false, [this]() { 515 client_->CheckAlpn(SSL_NEXT_PROTO_NO_SUPPORT); 516 return false; 517 }); 518 Handshake(); 519 CheckConnected(); 520 SendReceive(); 521 CheckAlpn("b"); 522 } 523 524 // The client should abort the connection when sending a 0-rtt handshake but 525 // the servers responds with a TLS 1.2 ServerHello. (no app data sent) 526 TEST_P(TlsConnectTls13, TestTls13ZeroRttDowngrade) { 527 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 528 server_->Set0RttEnabled(true); // set ticket_allow_early_data 529 Connect(); 530 531 SendReceive(); // Need to read so that we absorb the session tickets. 532 CheckKeys(); 533 534 Reset(); 535 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 536 client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2, 537 SSL_LIBRARY_VERSION_TLS_1_3); 538 server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2, 539 SSL_LIBRARY_VERSION_TLS_1_2); 540 StartConnect(); 541 // We will send the early data xtn without sending actual early data. Thus 542 // a 1.2 server shouldn't fail until the client sends an alert because the 543 // client sends end_of_early_data only after reading the server's flight. 544 client_->Set0RttEnabled(true); 545 546 client_->ExpectSendAlert(kTlsAlertIllegalParameter); 547 if (variant_ == ssl_variant_stream) { 548 server_->ExpectSendAlert(kTlsAlertUnexpectedMessage); 549 } 550 client_->Handshake(); 551 server_->Handshake(); 552 ASSERT_TRUE_WAIT( 553 (client_->error_code() == SSL_ERROR_DOWNGRADE_WITH_EARLY_DATA), 2000); 554 555 // DTLS will timeout as we bump the epoch when installing the early app data 556 // cipher suite. Thus the encrypted alert will be ignored. 557 if (variant_ == ssl_variant_stream) { 558 // The client sends an encrypted alert message. 559 ASSERT_TRUE_WAIT( 560 (server_->error_code() == SSL_ERROR_RX_UNEXPECTED_APPLICATION_DATA), 561 2000); 562 } 563 } 564 565 // The client should abort the connection when sending a 0-rtt handshake but 566 // the servers responds with a TLS 1.2 ServerHello. (with app data) 567 TEST_P(TlsConnectTls13, TestTls13ZeroRttDowngradeEarlyData) { 568 const char* k0RttData = "ABCDEF"; 569 const PRInt32 k0RttDataLen = static_cast<PRInt32>(strlen(k0RttData)); 570 571 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 572 server_->Set0RttEnabled(true); // set ticket_allow_early_data 573 Connect(); 574 575 SendReceive(); // Need to read so that we absorb the session tickets. 576 CheckKeys(); 577 578 Reset(); 579 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 580 client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2, 581 SSL_LIBRARY_VERSION_TLS_1_3); 582 server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2, 583 SSL_LIBRARY_VERSION_TLS_1_2); 584 StartConnect(); 585 // Send the early data xtn in the CH, followed by early app data. The server 586 // will fail right after sending its flight, when receiving the early data. 587 client_->Set0RttEnabled(true); 588 client_->Handshake(); // Send ClientHello. 589 PRInt32 rv = 590 PR_Write(client_->ssl_fd(), k0RttData, k0RttDataLen); // 0-RTT write. 591 EXPECT_EQ(k0RttDataLen, rv); 592 593 if (variant_ == ssl_variant_stream) { 594 // When the server receives the early data, it will fail. 595 server_->ExpectSendAlert(kTlsAlertUnexpectedMessage); 596 server_->Handshake(); // Consume ClientHello 597 EXPECT_EQ(TlsAgent::STATE_ERROR, server_->state()); 598 server_->CheckErrorCode(SSL_ERROR_RX_UNEXPECTED_APPLICATION_DATA); 599 } else { 600 // If it's datagram, we just discard the early data. 601 server_->Handshake(); // Consume ClientHello 602 EXPECT_EQ(TlsAgent::STATE_CONNECTING, server_->state()); 603 } 604 605 // The client now reads the ServerHello and fails. 606 ASSERT_EQ(TlsAgent::STATE_CONNECTING, client_->state()); 607 client_->ExpectSendAlert(kTlsAlertIllegalParameter); 608 client_->Handshake(); 609 client_->CheckErrorCode(SSL_ERROR_DOWNGRADE_WITH_EARLY_DATA); 610 } 611 612 TEST_P(TlsConnectTls13, SendTooMuchEarlyData) { 613 EnsureTlsSetup(); 614 const char* big_message = "0123456789abcdef"; 615 const size_t short_size = strlen(big_message) - 1; 616 const PRInt32 short_length = static_cast<PRInt32>(short_size); 617 EXPECT_EQ(SECSuccess, 618 SSL_SetMaxEarlyDataSize(server_->ssl_fd(), 619 static_cast<PRUint32>(short_size))); 620 SetupForZeroRtt(); 621 622 client_->Set0RttEnabled(true); 623 server_->Set0RttEnabled(true); 624 ExpectResumption(RESUME_TICKET); 625 626 client_->Handshake(); 627 CheckEarlyDataLimit(client_, short_size); 628 629 PRInt32 sent; 630 // Writing more than the limit will succeed in TLS, but fail in DTLS. 631 if (variant_ == ssl_variant_stream) { 632 sent = PR_Write(client_->ssl_fd(), big_message, 633 static_cast<PRInt32>(strlen(big_message))); 634 } else { 635 sent = PR_Write(client_->ssl_fd(), big_message, 636 static_cast<PRInt32>(strlen(big_message))); 637 EXPECT_GE(0, sent); 638 EXPECT_EQ(PR_WOULD_BLOCK_ERROR, PORT_GetError()); 639 640 // Try an exact-sized write now. 641 sent = PR_Write(client_->ssl_fd(), big_message, short_length); 642 } 643 EXPECT_EQ(short_length, sent); 644 645 // Even a single octet write should now fail. 646 sent = PR_Write(client_->ssl_fd(), big_message, 1); 647 EXPECT_GE(0, sent); 648 EXPECT_EQ(PR_WOULD_BLOCK_ERROR, PORT_GetError()); 649 650 // Process the ClientHello and read 0-RTT. 651 server_->Handshake(); 652 CheckEarlyDataLimit(server_, short_size); 653 654 std::vector<uint8_t> buf(short_size + 1); 655 PRInt32 read = PR_Read(server_->ssl_fd(), buf.data(), buf.capacity()); 656 EXPECT_EQ(short_length, read); 657 EXPECT_EQ(0, memcmp(big_message, buf.data(), short_size)); 658 659 // Second read fails. 660 read = PR_Read(server_->ssl_fd(), buf.data(), buf.capacity()); 661 EXPECT_EQ(SECFailure, read); 662 EXPECT_EQ(PR_WOULD_BLOCK_ERROR, PORT_GetError()); 663 664 Handshake(); 665 ExpectEarlyDataAccepted(true); 666 CheckConnected(); 667 SendReceive(); 668 } 669 670 TEST_P(TlsConnectTls13, ReceiveTooMuchEarlyData) { 671 EnsureTlsSetup(); 672 673 const size_t limit = 5; 674 EXPECT_EQ(SECSuccess, SSL_SetMaxEarlyDataSize(server_->ssl_fd(), limit)); 675 SetupForZeroRtt(); 676 677 client_->Set0RttEnabled(true); 678 server_->Set0RttEnabled(true); 679 ExpectResumption(RESUME_TICKET); 680 681 client_->Handshake(); // Send ClientHello 682 CheckEarlyDataLimit(client_, limit); 683 684 server_->Handshake(); // Process ClientHello, send server flight. 685 686 // Lift the limit on the client. 687 EXPECT_EQ(SECSuccess, 688 SSLInt_SetSocketMaxEarlyDataSize(client_->ssl_fd(), 1000)); 689 690 // Send message 691 const char* message = "0123456789abcdef"; 692 const PRInt32 message_len = static_cast<PRInt32>(strlen(message)); 693 EXPECT_EQ(message_len, PR_Write(client_->ssl_fd(), message, message_len)); 694 695 if (variant_ == ssl_variant_stream) { 696 // This error isn't fatal for DTLS. 697 ExpectAlert(server_, kTlsAlertUnexpectedMessage); 698 } 699 700 server_->Handshake(); // This reads the early data and maybe throws an error. 701 if (variant_ == ssl_variant_stream) { 702 server_->CheckErrorCode(SSL_ERROR_TOO_MUCH_EARLY_DATA); 703 } else { 704 EXPECT_EQ(TlsAgent::STATE_CONNECTING, server_->state()); 705 } 706 CheckEarlyDataLimit(server_, limit); 707 708 // Attempt to read early data. This will get an error. 709 std::vector<uint8_t> buf(strlen(message) + 1); 710 EXPECT_GT(0, PR_Read(server_->ssl_fd(), buf.data(), buf.capacity())); 711 if (variant_ == ssl_variant_stream) { 712 EXPECT_EQ(SSL_ERROR_HANDSHAKE_FAILED, PORT_GetError()); 713 } else { 714 EXPECT_EQ(PR_WOULD_BLOCK_ERROR, PORT_GetError()); 715 } 716 717 client_->Handshake(); // Process the server's first flight. 718 if (variant_ == ssl_variant_stream) { 719 client_->Handshake(); // Process the alert. 720 client_->CheckErrorCode(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT); 721 } else { 722 server_->Handshake(); // Finish connecting. 723 EXPECT_EQ(TlsAgent::STATE_CONNECTED, server_->state()); 724 } 725 } 726 727 class PacketCoalesceFilter : public PacketFilter { 728 public: 729 PacketCoalesceFilter() : packet_data_() {} 730 731 void SendCoalesced(std::shared_ptr<TlsAgent> agent) { 732 agent->SendDirect(packet_data_); 733 } 734 735 protected: 736 PacketFilter::Action Filter(const DataBuffer& input, 737 DataBuffer* output) override { 738 packet_data_.Write(packet_data_.len(), input); 739 return DROP; 740 } 741 742 private: 743 DataBuffer packet_data_; 744 }; 745 746 TEST_P(TlsConnectTls13, ZeroRttOrdering) { 747 SetupForZeroRtt(); 748 client_->Set0RttEnabled(true); 749 server_->Set0RttEnabled(true); 750 ExpectResumption(RESUME_TICKET); 751 752 // Send out the ClientHello. 753 client_->Handshake(); 754 755 // Now, coalesce the next three things from the client: early data, second 756 // flight and 1-RTT data. 757 auto coalesce = std::make_shared<PacketCoalesceFilter>(); 758 client_->SetFilter(coalesce); 759 760 // Send (and hold) early data. 761 static const std::vector<uint8_t> early_data = {3, 2, 1}; 762 EXPECT_EQ(static_cast<PRInt32>(early_data.size()), 763 PR_Write(client_->ssl_fd(), early_data.data(), early_data.size())); 764 765 // Send (and hold) the second client handshake flight. 766 // The client sends EndOfEarlyData after seeing the server Finished. 767 server_->Handshake(); 768 client_->Handshake(); 769 770 // Send (and hold) 1-RTT data. 771 static const std::vector<uint8_t> late_data = {7, 8, 9, 10}; 772 EXPECT_EQ(static_cast<PRInt32>(late_data.size()), 773 PR_Write(client_->ssl_fd(), late_data.data(), late_data.size())); 774 775 // Now release them all at once. 776 coalesce->SendCoalesced(client_); 777 778 // Now ensure that the three steps are exposed in the right order on the 779 // server: delivery of early data, handshake callback, delivery of 1-RTT. 780 size_t step = 0; 781 server_->SetHandshakeCallback([&step](TlsAgent*) { 782 EXPECT_EQ(1U, step); 783 ++step; 784 }); 785 786 std::vector<uint8_t> buf(10); 787 PRInt32 read = PR_Read(server_->ssl_fd(), buf.data(), buf.size()); 788 ASSERT_EQ(static_cast<PRInt32>(early_data.size()), read); 789 buf.resize(read); 790 EXPECT_EQ(early_data, buf); 791 EXPECT_EQ(0U, step); 792 ++step; 793 794 // The third read should be after the handshake callback and should return the 795 // data that was sent after the handshake completed. 796 buf.resize(10); 797 read = PR_Read(server_->ssl_fd(), buf.data(), buf.size()); 798 ASSERT_EQ(static_cast<PRInt32>(late_data.size()), read); 799 buf.resize(read); 800 EXPECT_EQ(late_data, buf); 801 EXPECT_EQ(2U, step); 802 } 803 804 // Early data remains available after the handshake completes for TLS. 805 TEST_F(TlsConnectStreamTls13, ZeroRttLateReadTls) { 806 SetupForZeroRtt(); 807 client_->Set0RttEnabled(true); 808 server_->Set0RttEnabled(true); 809 ExpectResumption(RESUME_TICKET); 810 client_->Handshake(); // ClientHello 811 812 // Write some early data. 813 const uint8_t data[] = {1, 2, 3, 4, 5, 6, 7, 8}; 814 PRInt32 rv = PR_Write(client_->ssl_fd(), data, sizeof(data)); 815 EXPECT_EQ(static_cast<PRInt32>(sizeof(data)), rv); 816 817 // Consume the ClientHello and generate ServerHello..Finished. 818 server_->Handshake(); 819 820 // Read some of the data. 821 std::vector<uint8_t> small_buffer(1 + sizeof(data) / 2); 822 rv = PR_Read(server_->ssl_fd(), small_buffer.data(), small_buffer.size()); 823 EXPECT_EQ(static_cast<PRInt32>(small_buffer.size()), rv); 824 EXPECT_EQ(0, memcmp(data, small_buffer.data(), small_buffer.size())); 825 826 Handshake(); // Complete the handshake. 827 ExpectEarlyDataAccepted(true); 828 CheckConnected(); 829 830 // After the handshake, it should be possible to read the remainder. 831 uint8_t big_buf[100]; 832 rv = PR_Read(server_->ssl_fd(), big_buf, sizeof(big_buf)); 833 EXPECT_EQ(static_cast<PRInt32>(sizeof(data) - small_buffer.size()), rv); 834 EXPECT_EQ(0, memcmp(&data[small_buffer.size()], big_buf, 835 sizeof(data) - small_buffer.size())); 836 837 // And that's all there is to read. 838 rv = PR_Read(server_->ssl_fd(), big_buf, sizeof(big_buf)); 839 EXPECT_GT(0, rv); 840 EXPECT_EQ(PR_WOULD_BLOCK_ERROR, PORT_GetError()); 841 } 842 843 // Early data that arrives before the handshake can be read after the handshake 844 // is complete. 845 TEST_F(TlsConnectDatagram13, ZeroRttLateReadDtls) { 846 SetupForZeroRtt(); 847 client_->Set0RttEnabled(true); 848 server_->Set0RttEnabled(true); 849 ExpectResumption(RESUME_TICKET); 850 client_->Handshake(); // ClientHello 851 852 // Write some early data. 853 const uint8_t data[] = {1, 2, 3}; 854 PRInt32 written = PR_Write(client_->ssl_fd(), data, sizeof(data)); 855 EXPECT_EQ(static_cast<PRInt32>(sizeof(data)), written); 856 857 Handshake(); // Complete the handshake. 858 ExpectEarlyDataAccepted(true); 859 CheckConnected(); 860 861 // Reading at the server should return the early data, which was buffered. 862 uint8_t buf[sizeof(data) + 1] = {0}; 863 PRInt32 read = PR_Read(server_->ssl_fd(), buf, sizeof(buf)); 864 EXPECT_EQ(static_cast<PRInt32>(sizeof(data)), read); 865 EXPECT_EQ(0, memcmp(data, buf, sizeof(data))); 866 } 867 868 class PacketHolder : public PacketFilter { 869 public: 870 PacketHolder() = default; 871 872 virtual Action Filter(const DataBuffer& input, DataBuffer* output) { 873 packet_ = input; 874 Disable(); 875 return DROP; 876 } 877 878 const DataBuffer& packet() const { return packet_; } 879 880 private: 881 DataBuffer packet_; 882 }; 883 884 // Early data that arrives late is discarded for DTLS. 885 TEST_F(TlsConnectDatagram13, ZeroRttLateArrivalDtls) { 886 SetupForZeroRtt(); 887 client_->Set0RttEnabled(true); 888 server_->Set0RttEnabled(true); 889 ExpectResumption(RESUME_TICKET); 890 client_->Handshake(); // ClientHello 891 892 // Write some early data. Twice, so that we can read bits of it. 893 const uint8_t data[] = {1, 2, 3}; 894 PRInt32 written = PR_Write(client_->ssl_fd(), data, sizeof(data)); 895 EXPECT_EQ(static_cast<PRInt32>(sizeof(data)), written); 896 897 // Block and capture the next packet. 898 auto holder = std::make_shared<PacketHolder>(); 899 client_->SetFilter(holder); 900 written = PR_Write(client_->ssl_fd(), data, sizeof(data)); 901 EXPECT_EQ(static_cast<PRInt32>(sizeof(data)), written); 902 EXPECT_FALSE(holder->enabled()) << "the filter should disable itself"; 903 904 // Consume the ClientHello and generate ServerHello..Finished. 905 server_->Handshake(); 906 907 // Read some of the data. 908 std::vector<uint8_t> small_buffer(sizeof(data)); 909 PRInt32 read = 910 PR_Read(server_->ssl_fd(), small_buffer.data(), small_buffer.size()); 911 912 EXPECT_EQ(static_cast<PRInt32>(small_buffer.size()), read); 913 EXPECT_EQ(0, memcmp(data, small_buffer.data(), small_buffer.size())); 914 915 Handshake(); // Complete the handshake. 916 ExpectEarlyDataAccepted(true); 917 CheckConnected(); 918 919 server_->SendDirect(holder->packet()); 920 921 // Reading now should return nothing, even though a valid packet was 922 // delivered. 923 read = PR_Read(server_->ssl_fd(), small_buffer.data(), small_buffer.size()); 924 EXPECT_GT(0, read); 925 EXPECT_EQ(PR_WOULD_BLOCK_ERROR, PORT_GetError()); 926 } 927 928 // Early data reads in TLS should be coalesced. 929 TEST_F(TlsConnectStreamTls13, ZeroRttCoalesceReadTls) { 930 SetupForZeroRtt(); 931 client_->Set0RttEnabled(true); 932 server_->Set0RttEnabled(true); 933 ExpectResumption(RESUME_TICKET); 934 client_->Handshake(); // ClientHello 935 936 // Write some early data. In two writes. 937 const uint8_t data[] = {1, 2, 3, 4, 5, 6}; 938 PRInt32 written = PR_Write(client_->ssl_fd(), data, 1); 939 EXPECT_EQ(1, written); 940 941 written = PR_Write(client_->ssl_fd(), data + 1, sizeof(data) - 1); 942 EXPECT_EQ(static_cast<PRInt32>(sizeof(data) - 1), written); 943 944 // Consume the ClientHello and generate ServerHello..Finished. 945 server_->Handshake(); 946 947 // Read all of the data. 948 std::vector<uint8_t> buffer(sizeof(data)); 949 PRInt32 read = PR_Read(server_->ssl_fd(), buffer.data(), buffer.size()); 950 EXPECT_EQ(static_cast<PRInt32>(sizeof(data)), read); 951 EXPECT_EQ(0, memcmp(data, buffer.data(), sizeof(data))); 952 953 Handshake(); // Complete the handshake. 954 ExpectEarlyDataAccepted(true); 955 CheckConnected(); 956 } 957 958 // Early data reads in DTLS should not be coalesced. 959 TEST_F(TlsConnectDatagram13, ZeroRttNoCoalesceReadDtls) { 960 SetupForZeroRtt(); 961 client_->Set0RttEnabled(true); 962 server_->Set0RttEnabled(true); 963 ExpectResumption(RESUME_TICKET); 964 client_->Handshake(); // ClientHello 965 966 // Write some early data. In two writes. 967 const uint8_t data[] = {1, 2, 3, 4, 5, 6}; 968 PRInt32 written = PR_Write(client_->ssl_fd(), data, 1); 969 EXPECT_EQ(1, written); 970 971 written = PR_Write(client_->ssl_fd(), data + 1, sizeof(data) - 1); 972 EXPECT_EQ(static_cast<PRInt32>(sizeof(data) - 1), written); 973 974 // Consume the ClientHello and generate ServerHello..Finished. 975 server_->Handshake(); 976 977 // Try to read all of the data. 978 std::vector<uint8_t> buffer(sizeof(data)); 979 PRInt32 read = PR_Read(server_->ssl_fd(), buffer.data(), buffer.size()); 980 EXPECT_EQ(1, read); 981 EXPECT_EQ(0, memcmp(data, buffer.data(), 1)); 982 983 // Read the remainder. 984 read = PR_Read(server_->ssl_fd(), buffer.data(), buffer.size()); 985 EXPECT_EQ(static_cast<PRInt32>(sizeof(data) - 1), read); 986 EXPECT_EQ(0, memcmp(data + 1, buffer.data(), sizeof(data) - 1)); 987 988 Handshake(); // Complete the handshake. 989 ExpectEarlyDataAccepted(true); 990 CheckConnected(); 991 } 992 993 // Early data reads in DTLS should fail if the buffer is too small. 994 TEST_F(TlsConnectDatagram13, ZeroRttShortReadDtls) { 995 SetupForZeroRtt(); 996 client_->Set0RttEnabled(true); 997 server_->Set0RttEnabled(true); 998 ExpectResumption(RESUME_TICKET); 999 client_->Handshake(); // ClientHello 1000 1001 // Write some early data. In two writes. 1002 const uint8_t data[] = {1, 2, 3, 4, 5, 6}; 1003 PRInt32 written = PR_Write(client_->ssl_fd(), data, sizeof(data)); 1004 EXPECT_EQ(static_cast<PRInt32>(sizeof(data)), written); 1005 1006 // Consume the ClientHello and generate ServerHello..Finished. 1007 server_->Handshake(); 1008 1009 // Try to read all of the data into a small buffer. 1010 std::vector<uint8_t> buffer(sizeof(data)); 1011 PRInt32 read = PR_Read(server_->ssl_fd(), buffer.data(), 1); 1012 EXPECT_GT(0, read); 1013 EXPECT_EQ(SSL_ERROR_RX_SHORT_DTLS_READ, PORT_GetError()); 1014 1015 // Read again with more space. 1016 read = PR_Read(server_->ssl_fd(), buffer.data(), buffer.size()); 1017 EXPECT_EQ(static_cast<PRInt32>(sizeof(data)), read); 1018 EXPECT_EQ(0, memcmp(data, buffer.data(), sizeof(data))); 1019 1020 Handshake(); // Complete the handshake. 1021 ExpectEarlyDataAccepted(true); 1022 CheckConnected(); 1023 } 1024 1025 // There are few ways in which TLS uses the clock and most of those operate on 1026 // timescales that would be ridiculous to wait for in a test. This is the one 1027 // test we have that uses the real clock. It tests that time passes by checking 1028 // that a small sleep results in rejection of early data. 0-RTT has a 1029 // configurable timer, which makes it ideal for this. 1030 TEST_F(TlsConnectStreamTls13, TimePassesByDefault) { 1031 // Calling EnsureTlsSetup() replaces the time function on client and server, 1032 // and sets up anti-replay, which we don't want, so initialize each directly. 1033 client_->EnsureTlsSetup(); 1034 server_->EnsureTlsSetup(); 1035 // StartConnect() calls EnsureTlsSetup(), so avoid that too. 1036 client_->StartConnect(); 1037 server_->StartConnect(); 1038 1039 // Set a tiny anti-replay window. This has to be at least 2 milliseconds to 1040 // have any chance of being relevant as that is the smallest window that we 1041 // can detect. Anything smaller rounds to zero. 1042 static const unsigned int kTinyWindowMs = 5; 1043 ResetAntiReplay(static_cast<PRTime>(kTinyWindowMs * PR_USEC_PER_MSEC)); 1044 server_->SetAntiReplayContext(anti_replay_); 1045 1046 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 1047 ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3); 1048 server_->Set0RttEnabled(true); 1049 Handshake(); 1050 CheckConnected(); 1051 SendReceive(); // Absorb a session ticket. 1052 CheckKeys(); 1053 1054 // Clear the first window. 1055 PR_Sleep(PR_MillisecondsToInterval(kTinyWindowMs)); 1056 1057 Reset(); 1058 client_->EnsureTlsSetup(); 1059 server_->EnsureTlsSetup(); 1060 client_->StartConnect(); 1061 server_->StartConnect(); 1062 1063 // Early data is rejected by the server only if time passes for it as well. 1064 client_->Set0RttEnabled(true); 1065 server_->Set0RttEnabled(true); 1066 ExpectResumption(RESUME_TICKET); 1067 ZeroRttSendReceive(true, false, []() { 1068 // Sleep long enough that we minimize the risk of our RTT estimation being 1069 // duped by stutters in test execution. This is very long to allow for 1070 // flaky and low-end hardware, especially what our CI runs on. 1071 PR_Sleep(PR_MillisecondsToInterval(1000)); 1072 return true; 1073 }); 1074 Handshake(); 1075 ExpectEarlyDataAccepted(false); 1076 CheckConnected(); 1077 } 1078 1079 // Test that SSL_CreateAntiReplayContext doesn't pass bad inputs. 1080 TEST_F(TlsConnectStreamTls13, BadAntiReplayArgs) { 1081 SSLAntiReplayContext* p; 1082 // Zero or negative window. 1083 EXPECT_EQ(SECFailure, SSL_CreateAntiReplayContext(0, -1, 1, 1, &p)); 1084 EXPECT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError()); 1085 EXPECT_EQ(SECFailure, SSL_CreateAntiReplayContext(0, 0, 1, 1, &p)); 1086 EXPECT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError()); 1087 // Zero k. 1088 EXPECT_EQ(SECFailure, SSL_CreateAntiReplayContext(0, 1, 0, 1, &p)); 1089 EXPECT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError()); 1090 // Zero bits. 1091 EXPECT_EQ(SECFailure, SSL_CreateAntiReplayContext(0, 1, 1, 0, &p)); 1092 EXPECT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError()); 1093 EXPECT_EQ(SECFailure, SSL_CreateAntiReplayContext(0, 1, 1, 1, nullptr)); 1094 EXPECT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError()); 1095 1096 // Prove that these parameters do work, even if they are useless.. 1097 EXPECT_EQ(SECSuccess, SSL_CreateAntiReplayContext(0, 1, 1, 1, &p)); 1098 ASSERT_NE(nullptr, p); 1099 ScopedSSLAntiReplayContext ctx(p); 1100 1101 // The socket isn't a client or server until later, so configuring a client 1102 // should work OK. 1103 client_->EnsureTlsSetup(); 1104 EXPECT_EQ(SECSuccess, SSL_SetAntiReplayContext(client_->ssl_fd(), ctx.get())); 1105 EXPECT_EQ(SECSuccess, SSL_SetAntiReplayContext(client_->ssl_fd(), nullptr)); 1106 } 1107 1108 // See also TlsConnectGenericResumption.ResumeServerIncompatibleCipher 1109 TEST_P(TlsConnectTls13, ZeroRttDifferentCompatibleCipher) { 1110 EnsureTlsSetup(); 1111 server_->EnableSingleCipher(TLS_AES_128_GCM_SHA256); 1112 SetupForZeroRtt(); 1113 client_->Set0RttEnabled(true); 1114 server_->Set0RttEnabled(true); 1115 // Change the ciphersuite. Resumption is OK because the hash is the same, but 1116 // early data will be rejected. 1117 server_->EnableSingleCipher(TLS_CHACHA20_POLY1305_SHA256); 1118 ExpectResumption(RESUME_TICKET); 1119 1120 StartConnect(); 1121 ZeroRttSendReceive(true, false); 1122 1123 Handshake(); 1124 ExpectEarlyDataAccepted(false); 1125 CheckConnected(); 1126 SendReceive(); 1127 } 1128 1129 // See also TlsConnectGenericResumption.ResumeServerIncompatibleCipher 1130 TEST_P(TlsConnectTls13, ZeroRttDifferentIncompatibleCipher) { 1131 EnsureTlsSetup(); 1132 server_->EnableSingleCipher(TLS_AES_256_GCM_SHA384); 1133 SetupForZeroRtt(); 1134 client_->Set0RttEnabled(true); 1135 server_->Set0RttEnabled(true); 1136 // Resumption is rejected because the hash is different. 1137 server_->EnableSingleCipher(TLS_CHACHA20_POLY1305_SHA256); 1138 ExpectResumption(RESUME_NONE); 1139 1140 StartConnect(); 1141 ZeroRttSendReceive(true, false); 1142 1143 Handshake(); 1144 ExpectEarlyDataAccepted(false); 1145 CheckConnected(); 1146 SendReceive(); 1147 } 1148 1149 // The client failing to provide EndOfEarlyData results in failure. 1150 // After 0-RTT working perfectly, things fall apart later. 1151 // The server is unable to detect the change in keys, so it fails decryption. 1152 // The client thinks everything has worked until it gets the alert. 1153 TEST_F(TlsConnectStreamTls13, SuppressEndOfEarlyDataClientOnly) { 1154 SetupForZeroRtt(); 1155 client_->Set0RttEnabled(true); 1156 server_->Set0RttEnabled(true); 1157 client_->SetOption(SSL_SUPPRESS_END_OF_EARLY_DATA, true); 1158 ExpectResumption(RESUME_TICKET); 1159 ZeroRttSendReceive(true, true); 1160 ExpectAlert(server_, kTlsAlertBadRecordMac); 1161 Handshake(); 1162 EXPECT_EQ(TlsAgent::STATE_CONNECTED, client_->state()); 1163 EXPECT_EQ(TlsAgent::STATE_ERROR, server_->state()); 1164 server_->CheckErrorCode(SSL_ERROR_BAD_MAC_READ); 1165 client_->Handshake(); 1166 EXPECT_EQ(TlsAgent::STATE_ERROR, client_->state()); 1167 client_->CheckErrorCode(SSL_ERROR_BAD_MAC_ALERT); 1168 } 1169 1170 TEST_P(TlsConnectGeneric, SuppressEndOfEarlyDataNoZeroRtt) { 1171 EnsureTlsSetup(); 1172 client_->SetOption(SSL_SUPPRESS_END_OF_EARLY_DATA, true); 1173 server_->SetOption(SSL_SUPPRESS_END_OF_EARLY_DATA, true); 1174 Connect(); 1175 SendReceive(); 1176 } 1177 1178 #ifndef NSS_DISABLE_TLS_1_3 1179 INSTANTIATE_TEST_SUITE_P(Tls13ZeroRttReplayTest, TlsZeroRttReplayTest, 1180 TlsConnectTestBase::kTlsVariantsAll); 1181 #endif 1182 1183 } // namespace nss_test