ssl_ciphersuite_unittest.cc (21947B)
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ 2 /* vim: set ts=2 et sw=2 tw=80: */ 3 /* This Source Code Form is subject to the terms of the Mozilla Public 4 * License, v. 2.0. If a copy of the MPL was not distributed with this file, 5 * You can obtain one at http://mozilla.org/MPL/2.0/. */ 6 7 #include <functional> 8 #include <memory> 9 #include "secerr.h" 10 #include "ssl.h" 11 #include "sslerr.h" 12 #include "sslproto.h" 13 14 extern "C" { 15 // This is not something that should make you happy. 16 #include "libssl_internals.h" 17 } 18 19 #include "gtest_utils.h" 20 #include "tls_connect.h" 21 #include "tls_parser.h" 22 23 namespace nss_test { 24 25 // variant, version, cipher suite 26 typedef std::tuple<SSLProtocolVariant, uint16_t, uint16_t, SSLNamedGroup, 27 SSLSignatureScheme> 28 CipherSuiteProfile; 29 30 class TlsCipherSuiteTestBase : public TlsConnectTestBase { 31 public: 32 TlsCipherSuiteTestBase(SSLProtocolVariant variant, uint16_t version, 33 uint16_t cipher_suite, SSLNamedGroup group, 34 SSLSignatureScheme sig_scheme) 35 : TlsConnectTestBase(variant, version), 36 cipher_suite_(cipher_suite), 37 group_(group), 38 sig_scheme_(sig_scheme), 39 csinfo_({0}) { 40 SECStatus rv = 41 SSL_GetCipherSuiteInfo(cipher_suite_, &csinfo_, sizeof(csinfo_)); 42 EXPECT_EQ(SECSuccess, rv); 43 if (rv == SECSuccess) { 44 std::cerr << "Cipher suite: " << csinfo_.cipherSuiteName << std::endl; 45 } 46 auth_type_ = csinfo_.authType; 47 kea_type_ = csinfo_.keaType; 48 } 49 50 protected: 51 void EnableSingleCipher() { 52 EnsureTlsSetup(); 53 // It doesn't matter which does this, but the test is better if both do it. 54 client_->EnableSingleCipher(cipher_suite_); 55 server_->EnableSingleCipher(cipher_suite_); 56 57 if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) { 58 std::vector<SSLNamedGroup> groups = {group_}; 59 if (cert_group_ != ssl_grp_none) { 60 groups.push_back(cert_group_); 61 } 62 client_->ConfigNamedGroups(groups); 63 server_->ConfigNamedGroups(groups); 64 kea_type_ = SSLInt_GetKEAType(group_); 65 66 client_->SetSignatureSchemes(&sig_scheme_, 1); 67 server_->SetSignatureSchemes(&sig_scheme_, 1); 68 } 69 } 70 71 virtual void SetupCertificate() { 72 if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) { 73 switch (sig_scheme_) { 74 case ssl_sig_rsa_pss_rsae_sha256: 75 std::cerr << "Signature scheme: rsa_pss_rsae_sha256" << std::endl; 76 Reset(TlsAgent::kServerRsaSign); 77 auth_type_ = ssl_auth_rsa_sign; 78 break; 79 case ssl_sig_rsa_pss_rsae_sha384: 80 std::cerr << "Signature scheme: rsa_pss_rsae_sha384" << std::endl; 81 Reset(TlsAgent::kServerRsaSign); 82 auth_type_ = ssl_auth_rsa_sign; 83 break; 84 case ssl_sig_rsa_pss_rsae_sha512: 85 // You can't fit SHA-512 PSS in a 1024-bit key. 86 std::cerr << "Signature scheme: rsa_pss_rsae_sha512" << std::endl; 87 Reset(TlsAgent::kRsa2048); 88 auth_type_ = ssl_auth_rsa_sign; 89 break; 90 case ssl_sig_rsa_pss_pss_sha256: 91 std::cerr << "Signature scheme: rsa_pss_pss_sha256" << std::endl; 92 Reset(TlsAgent::kServerRsaPss); 93 auth_type_ = ssl_auth_rsa_pss; 94 break; 95 case ssl_sig_rsa_pss_pss_sha384: 96 std::cerr << "Signature scheme: rsa_pss_pss_sha384" << std::endl; 97 Reset("rsa_pss384"); 98 auth_type_ = ssl_auth_rsa_pss; 99 break; 100 case ssl_sig_rsa_pss_pss_sha512: 101 std::cerr << "Signature scheme: rsa_pss_pss_sha512" << std::endl; 102 Reset("rsa_pss512"); 103 auth_type_ = ssl_auth_rsa_pss; 104 break; 105 case ssl_sig_ecdsa_secp256r1_sha256: 106 std::cerr << "Signature scheme: ecdsa_secp256r1_sha256" << std::endl; 107 Reset(TlsAgent::kServerEcdsa256); 108 auth_type_ = ssl_auth_ecdsa; 109 cert_group_ = ssl_grp_ec_secp256r1; 110 break; 111 case ssl_sig_ecdsa_secp384r1_sha384: 112 std::cerr << "Signature scheme: ecdsa_secp384r1_sha384" << std::endl; 113 Reset(TlsAgent::kServerEcdsa384); 114 auth_type_ = ssl_auth_ecdsa; 115 cert_group_ = ssl_grp_ec_secp384r1; 116 break; 117 default: 118 ADD_FAILURE() << "Unsupported signature scheme: " << sig_scheme_; 119 break; 120 } 121 } else { 122 switch (csinfo_.authType) { 123 case ssl_auth_rsa_sign: 124 Reset(TlsAgent::kServerRsaSign); 125 break; 126 case ssl_auth_rsa_decrypt: 127 Reset(TlsAgent::kServerRsaDecrypt); 128 break; 129 case ssl_auth_ecdsa: 130 Reset(TlsAgent::kServerEcdsa256); 131 cert_group_ = ssl_grp_ec_secp256r1; 132 break; 133 case ssl_auth_ecdh_ecdsa: 134 Reset(TlsAgent::kServerEcdhEcdsa); 135 cert_group_ = ssl_grp_ec_secp256r1; 136 break; 137 case ssl_auth_ecdh_rsa: 138 Reset(TlsAgent::kServerEcdhRsa); 139 break; 140 case ssl_auth_dsa: 141 Reset(TlsAgent::kServerDsa); 142 break; 143 default: 144 ASSERT_TRUE(false) << "Unsupported cipher suite: " << cipher_suite_; 145 break; 146 } 147 } 148 } 149 150 void ConnectAndCheckCipherSuite() { 151 Connect(); 152 SendReceive(); 153 154 // Check that we used the right cipher suite, auth type and kea type. 155 uint16_t actual = TLS_NULL_WITH_NULL_NULL; 156 EXPECT_TRUE(client_->cipher_suite(&actual)); 157 EXPECT_EQ(cipher_suite_, actual); 158 EXPECT_TRUE(server_->cipher_suite(&actual)); 159 EXPECT_EQ(cipher_suite_, actual); 160 SSLAuthType auth = ssl_auth_size; 161 EXPECT_TRUE(client_->auth_type(&auth)); 162 EXPECT_EQ(auth_type_, auth); 163 EXPECT_TRUE(server_->auth_type(&auth)); 164 EXPECT_EQ(auth_type_, auth); 165 SSLKEAType kea = ssl_kea_size; 166 EXPECT_TRUE(client_->kea_type(&kea)); 167 EXPECT_EQ(kea_type_, kea); 168 EXPECT_TRUE(server_->kea_type(&kea)); 169 EXPECT_EQ(kea_type_, kea); 170 } 171 172 // Get the expected limit on the number of records that can be sent for the 173 // cipher suite. 174 uint64_t record_limit() const { 175 switch (csinfo_.symCipher) { 176 case ssl_calg_rc4: 177 case ssl_calg_3des: 178 return 1ULL << 20; 179 case ssl_calg_aes: 180 case ssl_calg_aes_gcm: 181 return 0x5aULL << 28; 182 case ssl_calg_null: 183 case ssl_calg_chacha20: 184 return (1ULL << 48) - 1; 185 case ssl_calg_rc2: 186 case ssl_calg_des: 187 case ssl_calg_idea: 188 case ssl_calg_fortezza: 189 case ssl_calg_camellia: 190 case ssl_calg_seed: 191 break; 192 } 193 ADD_FAILURE() << "No limit for " << csinfo_.cipherSuiteName; 194 return 0; 195 } 196 197 uint64_t last_safe_write() const { 198 uint64_t limit = record_limit() - 1; 199 if (version_ < SSL_LIBRARY_VERSION_TLS_1_1 && 200 (csinfo_.symCipher == ssl_calg_3des || 201 csinfo_.symCipher == ssl_calg_aes)) { 202 // 1/n-1 record splitting needs space for two records. 203 limit--; 204 } 205 return limit; 206 } 207 208 protected: 209 uint16_t cipher_suite_; 210 SSLAuthType auth_type_; 211 SSLKEAType kea_type_; 212 SSLNamedGroup group_; 213 SSLNamedGroup cert_group_ = ssl_grp_none; 214 SSLSignatureScheme sig_scheme_; 215 SSLCipherSuiteInfo csinfo_; 216 }; 217 218 class TlsCipherSuiteTest 219 : public TlsCipherSuiteTestBase, 220 public ::testing::WithParamInterface<CipherSuiteProfile> { 221 public: 222 TlsCipherSuiteTest() 223 : TlsCipherSuiteTestBase(std::get<0>(GetParam()), std::get<1>(GetParam()), 224 std::get<2>(GetParam()), std::get<3>(GetParam()), 225 std::get<4>(GetParam())) {} 226 227 protected: 228 bool SkipIfCipherSuiteIsDSA() { 229 bool isDSA = csinfo_.authType == ssl_auth_dsa; 230 if (isDSA) { 231 std::cerr << "Skipping DSA suite: " << csinfo_.cipherSuiteName 232 << std::endl; 233 } 234 return isDSA; 235 } 236 }; 237 238 TEST_P(TlsCipherSuiteTest, SingleCipherSuite) { 239 SetupCertificate(); 240 EnableSingleCipher(); 241 ConnectAndCheckCipherSuite(); 242 } 243 244 TEST_P(TlsCipherSuiteTest, ResumeCipherSuite) { 245 if (SkipIfCipherSuiteIsDSA()) { 246 GTEST_SKIP() << "Tickets not supported with DSA (bug 1174677)."; 247 } 248 249 SetupCertificate(); // This is only needed once. 250 251 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 252 EnableSingleCipher(); 253 254 ConnectAndCheckCipherSuite(); 255 256 Reset(); 257 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 258 EnableSingleCipher(); 259 ExpectResumption(RESUME_TICKET); 260 ConnectAndCheckCipherSuite(); 261 } 262 263 TEST_P(TlsCipherSuiteTest, ReadLimit) { 264 SetupCertificate(); 265 EnableSingleCipher(); 266 TlsSendCipherSpecCapturer capturer(client_); 267 ConnectAndCheckCipherSuite(); 268 if (version_ < SSL_LIBRARY_VERSION_TLS_1_3) { 269 uint64_t last = last_safe_write(); 270 EXPECT_EQ(SECSuccess, SSLInt_AdvanceWriteSeqNum(client_->ssl_fd(), last)); 271 EXPECT_EQ(SECSuccess, SSLInt_AdvanceReadSeqNum(server_->ssl_fd(), last)); 272 273 client_->SendData(10, 10); 274 server_->ReadBytes(); // This should be OK. 275 server_->ReadBytes(); // Read twice to flush any 1,N-1 record splitting. 276 } else { 277 // In TLS 1.3, reading or writing triggers a KeyUpdate. That would mean 278 // that the sequence numbers would reset and we wouldn't hit the limit. So 279 // move the sequence number to the limit directly and don't test sending and 280 // receiving just before the limit. 281 uint64_t last = record_limit(); 282 EXPECT_EQ(SECSuccess, SSLInt_AdvanceReadSeqNum(server_->ssl_fd(), last)); 283 } 284 285 // The payload needs to be big enough to pass for encrypted. The code checks 286 // the limit before it tries to decrypt. 287 static const uint8_t payload[32] = {6}; 288 DataBuffer record; 289 uint64_t epoch; 290 if (variant_ == ssl_variant_datagram) { 291 if (version_ == SSL_LIBRARY_VERSION_TLS_1_3) { 292 epoch = 3; // Application traffic keys. 293 } else { 294 epoch = 1; 295 } 296 } else { 297 epoch = 0; 298 } 299 300 uint64_t seqno = (epoch << 48) | record_limit(); 301 302 // DTLS 1.3 masks the sequence number 303 if (variant_ == ssl_variant_datagram && 304 version_ >= SSL_LIBRARY_VERSION_TLS_1_3) { 305 auto spec = capturer.spec(1); 306 ASSERT_NE(nullptr, spec.get()); 307 ASSERT_EQ(3, spec->epoch()); 308 309 DataBuffer pt, ct; 310 uint8_t dtls13_ctype = kCtDtlsCiphertext | kCtDtlsCiphertext16bSeqno | 311 kCtDtlsCiphertextLengthPresent; 312 TlsRecordHeader hdr(variant_, version_, dtls13_ctype, seqno); 313 pt.Assign(payload, sizeof(payload)); 314 TlsRecordHeader out_hdr; 315 spec->Protect(hdr, pt, &ct, &out_hdr); 316 317 auto rv = out_hdr.Write(&record, 0, ct); 318 EXPECT_EQ(out_hdr.header_length() + ct.len(), rv); 319 } else { 320 TlsAgentTestBase::MakeRecord(variant_, ssl_ct_application_data, version_, 321 payload, sizeof(payload), &record, seqno); 322 } 323 324 client_->SendDirect(record); 325 server_->ExpectReadWriteError(); 326 server_->ReadBytes(); 327 EXPECT_EQ(SSL_ERROR_TOO_MANY_RECORDS, server_->error_code()); 328 } 329 330 TEST_P(TlsCipherSuiteTest, WriteLimit) { 331 // This asserts in TLS 1.3 because we expect an automatic update. 332 if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) { 333 GTEST_SKIP(); 334 } 335 SetupCertificate(); 336 EnableSingleCipher(); 337 ConnectAndCheckCipherSuite(); 338 EXPECT_EQ(SECSuccess, 339 SSLInt_AdvanceWriteSeqNum(client_->ssl_fd(), last_safe_write())); 340 client_->SendData(10, 10); 341 client_->ExpectReadWriteError(); 342 client_->SendData(10, 10); 343 EXPECT_EQ(SSL_ERROR_TOO_MANY_RECORDS, client_->error_code()); 344 } 345 346 // This awful macro makes the test instantiations easier to read. 347 #define INSTANTIATE_CIPHER_TEST_P(name, modes, versions, groups, sigalgs, ...) \ 348 static const uint16_t k##name##CiphersArr[] = {__VA_ARGS__}; \ 349 static const ::testing::internal::ParamGenerator<uint16_t> \ 350 k##name##Ciphers = ::testing::ValuesIn(k##name##CiphersArr); \ 351 INSTANTIATE_TEST_SUITE_P( \ 352 CipherSuite##name, TlsCipherSuiteTest, \ 353 ::testing::Combine(TlsConnectTestBase::kTlsVariants##modes, \ 354 TlsConnectTestBase::kTls##versions, k##name##Ciphers, \ 355 groups, sigalgs)); 356 357 static const auto kDummyNamedGroupParams = ::testing::Values(ssl_grp_none); 358 static const auto kDummySignatureSchemesParams = 359 ::testing::Values(ssl_sig_none); 360 361 static SSLSignatureScheme kSignatureSchemesParamsArr[] = { 362 ssl_sig_rsa_pkcs1_sha256, ssl_sig_rsa_pkcs1_sha384, 363 ssl_sig_rsa_pkcs1_sha512, ssl_sig_ecdsa_secp256r1_sha256, 364 ssl_sig_ecdsa_secp384r1_sha384, ssl_sig_rsa_pss_rsae_sha256, 365 ssl_sig_rsa_pss_rsae_sha384, ssl_sig_rsa_pss_rsae_sha512, 366 ssl_sig_rsa_pss_pss_sha256, ssl_sig_rsa_pss_pss_sha384, 367 ssl_sig_rsa_pss_pss_sha512}; 368 369 static SSLSignatureScheme kSignatureSchemesParamsArrTls13[] = { 370 ssl_sig_ecdsa_secp256r1_sha256, ssl_sig_ecdsa_secp384r1_sha384, 371 ssl_sig_rsa_pss_rsae_sha256, ssl_sig_rsa_pss_rsae_sha384, 372 ssl_sig_rsa_pss_rsae_sha512, ssl_sig_rsa_pss_pss_sha256, 373 ssl_sig_rsa_pss_pss_sha384, ssl_sig_rsa_pss_pss_sha512}; 374 375 INSTANTIATE_CIPHER_TEST_P(RC4, Stream, V10ToV12, kDummyNamedGroupParams, 376 kDummySignatureSchemesParams, 377 TLS_RSA_WITH_RC4_128_SHA, 378 TLS_ECDH_ECDSA_WITH_RC4_128_SHA, 379 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 380 TLS_ECDH_RSA_WITH_RC4_128_SHA, 381 TLS_ECDHE_RSA_WITH_RC4_128_SHA); 382 #ifndef NSS_DISABLE_DSA 383 /* sign windows chokes if we have 'DISABLE_DSA' insided this macro call */ 384 INSTANTIATE_CIPHER_TEST_P(AEAD12, All, V12, kDummyNamedGroupParams, 385 kDummySignatureSchemesParams, 386 TLS_RSA_WITH_AES_128_GCM_SHA256, 387 TLS_RSA_WITH_AES_256_GCM_SHA384, 388 TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, 389 TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, 390 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, 391 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384); 392 #else 393 INSTANTIATE_CIPHER_TEST_P(AEAD12, All, V12, kDummyNamedGroupParams, 394 kDummySignatureSchemesParams, 395 TLS_RSA_WITH_AES_128_GCM_SHA256, 396 TLS_RSA_WITH_AES_256_GCM_SHA384, 397 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, 398 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384); 399 #endif 400 INSTANTIATE_CIPHER_TEST_P(AEAD, All, V12, kDummyNamedGroupParams, 401 kDummySignatureSchemesParams, 402 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 403 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 404 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 405 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 406 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, 407 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, 408 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 409 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 410 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256); 411 #ifndef NSS_DISABLE_DSA 412 INSTANTIATE_CIPHER_TEST_P( 413 CBC12, All, V12, kDummyNamedGroupParams, kDummySignatureSchemesParams, 414 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, 415 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 416 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, 417 TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, 418 TLS_DHE_DSS_WITH_AES_256_CBC_SHA256); 419 #else 420 // sigh, clang wants to reformat this because some threshold has been reached 421 // but it is identical the the above line, so just tell clang to go away 422 // clang-format off 423 INSTANTIATE_CIPHER_TEST_P( 424 CBC12, All, V12, kDummyNamedGroupParams, kDummySignatureSchemesParams, 425 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, 426 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 427 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, 428 TLS_RSA_WITH_AES_128_CBC_SHA256); 429 // clang-format on 430 #endif 431 INSTANTIATE_CIPHER_TEST_P( 432 CBCStream, Stream, V10ToV12, kDummyNamedGroupParams, 433 kDummySignatureSchemesParams, TLS_ECDH_ECDSA_WITH_NULL_SHA, 434 TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, 435 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_NULL_SHA, 436 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 437 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_NULL_SHA, 438 TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, 439 TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_NULL_SHA, 440 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 441 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA); 442 INSTANTIATE_CIPHER_TEST_P( 443 CBCDatagram, Datagram, V11V12, kDummyNamedGroupParams, 444 kDummySignatureSchemesParams, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, 445 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, 446 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 447 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, 448 TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, 449 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 450 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA); 451 #ifndef NSS_DISABLE_DSA 452 INSTANTIATE_CIPHER_TEST_P( 453 TLS12SigSchemes, All, V12, ::testing::ValuesIn(kFasterDHEGroups), 454 ::testing::ValuesIn(kSignatureSchemesParamsArr), 455 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, 456 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 457 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, 458 TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, 459 TLS_DHE_DSS_WITH_AES_256_CBC_SHA256); 460 #else 461 // see comment above 462 // clang-format off 463 INSTANTIATE_CIPHER_TEST_P( 464 TLS12SigSchemes, All, V12, ::testing::ValuesIn(kFasterDHEGroups), 465 ::testing::ValuesIn(kSignatureSchemesParamsArr), 466 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, 467 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 468 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, 469 TLS_RSA_WITH_AES_128_CBC_SHA256); 470 // clang-format on 471 #endif 472 #ifndef NSS_DISABLE_TLS_1_3 473 INSTANTIATE_CIPHER_TEST_P(TLS13, All, V13, 474 ::testing::ValuesIn(kFasterDHEGroups), 475 ::testing::ValuesIn(kSignatureSchemesParamsArrTls13), 476 TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256, 477 TLS_AES_256_GCM_SHA384); 478 INSTANTIATE_CIPHER_TEST_P(TLS13AllGroups, All, V13, 479 ::testing::ValuesIn(kAllDHEGroups), 480 ::testing::Values(ssl_sig_ecdsa_secp384r1_sha384), 481 TLS_AES_256_GCM_SHA384); 482 #endif 483 484 // Fields are: version, cipher suite, bulk cipher name, secretKeySize 485 struct SecStatusParams { 486 uint16_t version; 487 uint16_t cipher_suite; 488 std::string name; 489 int keySize; 490 }; 491 492 inline std::ostream &operator<<(std::ostream &stream, 493 const SecStatusParams &vals) { 494 SSLCipherSuiteInfo csinfo; 495 SECStatus rv = 496 SSL_GetCipherSuiteInfo(vals.cipher_suite, &csinfo, sizeof(csinfo)); 497 if (rv != SECSuccess) { 498 return stream << "Error invoking SSL_GetCipherSuiteInfo()"; 499 } 500 501 return stream << "TLS " << VersionString(vals.version) << ", " 502 << csinfo.cipherSuiteName << ", name = \"" << vals.name 503 << "\", key size = " << vals.keySize; 504 } 505 506 class SecurityStatusTest 507 : public TlsCipherSuiteTestBase, 508 public ::testing::WithParamInterface<SecStatusParams> { 509 public: 510 SecurityStatusTest() 511 : TlsCipherSuiteTestBase(ssl_variant_stream, GetParam().version, 512 GetParam().cipher_suite, ssl_grp_none, 513 ssl_sig_none) {} 514 }; 515 516 // SSL_SecurityStatus produces fairly useless output when compared to 517 // SSL_GetCipherSuiteInfo and SSL_GetChannelInfo, but we can't break it, so we 518 // need to check it. 519 TEST_P(SecurityStatusTest, CheckSecurityStatus) { 520 SetupCertificate(); 521 EnableSingleCipher(); 522 ConnectAndCheckCipherSuite(); 523 524 int on; 525 char *cipher; 526 int keySize; 527 int secretKeySize; 528 char *issuer; 529 char *subject; 530 EXPECT_EQ(SECSuccess, 531 SSL_SecurityStatus(client_->ssl_fd(), &on, &cipher, &keySize, 532 &secretKeySize, &issuer, &subject)); 533 if (std::string(cipher) == "NULL") { 534 EXPECT_EQ(0, on); 535 } else { 536 EXPECT_NE(0, on); 537 } 538 EXPECT_EQ(GetParam().name, std::string(cipher)); 539 // All the ciphers we support have secret key size == key size. 540 EXPECT_EQ(GetParam().keySize, keySize); 541 EXPECT_EQ(GetParam().keySize, secretKeySize); 542 EXPECT_LT(0U, strlen(issuer)); 543 EXPECT_LT(0U, strlen(subject)); 544 545 PORT_Free(cipher); 546 PORT_Free(issuer); 547 PORT_Free(subject); 548 } 549 550 static const SecStatusParams kSecStatusTestValuesArr[] = { 551 {SSL_LIBRARY_VERSION_TLS_1_0, TLS_ECDHE_RSA_WITH_NULL_SHA, "NULL", 0}, 552 {SSL_LIBRARY_VERSION_TLS_1_0, TLS_RSA_WITH_RC4_128_SHA, "RC4", 128}, 553 {SSL_LIBRARY_VERSION_TLS_1_0, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 554 "3DES-EDE-CBC", 168}, 555 {SSL_LIBRARY_VERSION_TLS_1_0, TLS_RSA_WITH_AES_128_CBC_SHA, "AES-128", 128}, 556 {SSL_LIBRARY_VERSION_TLS_1_2, TLS_RSA_WITH_AES_256_CBC_SHA256, "AES-256", 557 256}, 558 {SSL_LIBRARY_VERSION_TLS_1_2, TLS_RSA_WITH_AES_128_GCM_SHA256, 559 "AES-128-GCM", 128}, 560 {SSL_LIBRARY_VERSION_TLS_1_2, TLS_RSA_WITH_AES_256_GCM_SHA384, 561 "AES-256-GCM", 256}, 562 {SSL_LIBRARY_VERSION_TLS_1_2, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 563 "ChaCha20-Poly1305", 256}}; 564 INSTANTIATE_TEST_SUITE_P(TestSecurityStatus, SecurityStatusTest, 565 ::testing::ValuesIn(kSecStatusTestValuesArr)); 566 567 } // namespace nss_test