ssl_hrr_unittest.cc (52721B)
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ 2 /* vim: set ts=2 et sw=2 tw=80: */ 3 /* This Source Code Form is subject to the terms of the Mozilla Public 4 * License, v. 2.0. If a copy of the MPL was not distributed with this file, 5 * You can obtain one at http://mozilla.org/MPL/2.0/. */ 6 7 #include "secerr.h" 8 #include "ssl.h" 9 #include "sslerr.h" 10 #include "sslproto.h" 11 12 #include "gtest_utils.h" 13 #include "nss_scoped_ptrs.h" 14 #include "tls_connect.h" 15 #include "tls_filter.h" 16 #include "tls_parser.h" 17 18 namespace nss_test { 19 20 // NSS doesn't support DTLS1.2 HelloVerifyRequest so we have to inject it 21 // ourselves. Inject a DTLS 1.2 HelloVerifyRequest to the client, carrying a 22 // simple cookie. 23 static void SendHelloVerifyRequest(const std::shared_ptr<TlsAgent>& server, 24 uint8_t cookie_len = 8) { 25 // struct { ProtocolVersion server_version; opaque cookie<0..2^8-1>; } HVR; 26 DataBuffer hvr_body; 27 size_t off = 0; 28 off = hvr_body.Write(off, SSL_LIBRARY_VERSION_DTLS_1_0_WIRE, 2); 29 30 DataBuffer cookie; 31 cookie.Allocate(cookie_len); 32 for (uint8_t i = 0; i < cookie_len; ++i) { 33 cookie.Write(i, 0xA0 + i, 1); 34 } 35 WriteVariable(&hvr_body, off, cookie, 1); 36 37 // Handshake header (DTLS): type, length, message_seq, frag_off, frag_len 38 DataBuffer hvr; 39 off = 0; 40 off = hvr.Write(off, ssl_hs_hello_verify_request, 1); 41 off = hvr.Write(off, hvr_body.len(), 3); 42 off = hvr.Write(off, static_cast<uint32_t>(0), 2); 43 off = hvr.Write(off, static_cast<uint32_t>(0), 3); 44 off = hvr.Write(off, hvr_body.len(), 3); 45 off = hvr.Write(off, hvr_body); 46 47 // Send as a DTLS 1.2 handshake record. 48 TlsRecordHeader rec(ssl_variant_datagram, SSL_LIBRARY_VERSION_DTLS_1_0, 49 ssl_ct_handshake, 0 /* epoch 0, seq 0 */); 50 DataBuffer record; 51 rec.Write(&record, 0, hvr); 52 server->SendDirect(record); 53 } 54 55 // After HelloVerifyRequest (DTLS 1.2), the client must not include the TLS 1.3 56 // cookie extension in the second ClientHello. The cookie only belongs in the 57 // DTLS ClientHello legacy cookie field in this case. 58 TEST_F(DtlsConnectTest, NoTls13CookieExtensionAfterHelloVerifyRequest) { 59 EnsureTlsSetup(); 60 client_->SetVersionRange(SSL_LIBRARY_VERSION_DTLS_1_0, 61 SSL_LIBRARY_VERSION_DTLS_1_3); 62 server_->SetVersionRange(SSL_LIBRARY_VERSION_DTLS_1_0, 63 SSL_LIBRARY_VERSION_DTLS_1_3); 64 65 auto cookie_xtn_capture = 66 MakeTlsFilter<TlsExtensionCapture>(client_, ssl_tls13_cookie_xtn, true); 67 68 StartConnect(); 69 client_->Handshake(); // Send initial ClientHello. 70 71 // Inject HVR from server with a dummy cookie. 72 SendHelloVerifyRequest(server_); 73 74 // Client sends second ClientHello in response to HVR. 75 client_->Handshake(); 76 77 // Ensure the TLS 1.3 cookie extension is absent in CH2. 78 EXPECT_FALSE(cookie_xtn_capture->captured()) 79 << "TLS 1.3 cookie extension must NOT be included after " 80 "HelloVerifyRequest"; 81 } 82 83 TEST_P(TlsConnectTls13, HelloRetryRequestAbortsZeroRtt) { 84 const char* k0RttData = "Such is life"; 85 const PRInt32 k0RttDataLen = static_cast<PRInt32>(strlen(k0RttData)); 86 87 SetupForZeroRtt(); // initial handshake as normal 88 89 static const std::vector<SSLNamedGroup> groups = {ssl_grp_ec_secp384r1, 90 ssl_grp_ec_secp521r1}; 91 server_->ConfigNamedGroups(groups); 92 client_->Set0RttEnabled(true); 93 server_->Set0RttEnabled(true); 94 ExpectResumption(RESUME_TICKET); 95 96 // Send first ClientHello and send 0-RTT data 97 auto capture_early_data = 98 MakeTlsFilter<TlsExtensionCapture>(client_, ssl_tls13_early_data_xtn); 99 client_->Handshake(); 100 EXPECT_EQ(k0RttDataLen, PR_Write(client_->ssl_fd(), k0RttData, 101 k0RttDataLen)); // 0-RTT write. 102 EXPECT_TRUE(capture_early_data->captured()); 103 104 // Send the HelloRetryRequest 105 auto hrr_capture = MakeTlsFilter<TlsHandshakeRecorder>( 106 server_, kTlsHandshakeHelloRetryRequest); 107 server_->Handshake(); 108 EXPECT_LT(0U, hrr_capture->buffer().len()); 109 110 // The server can't read 111 std::vector<uint8_t> buf(k0RttDataLen); 112 EXPECT_EQ(SECFailure, PR_Read(server_->ssl_fd(), buf.data(), k0RttDataLen)); 113 EXPECT_EQ(PR_WOULD_BLOCK_ERROR, PORT_GetError()); 114 115 // Make a new capture for the early data. 116 capture_early_data = 117 MakeTlsFilter<TlsExtensionCapture>(client_, ssl_tls13_early_data_xtn); 118 119 // Complete the handshake successfully 120 Handshake(); 121 ExpectEarlyDataAccepted(false); // The server should reject 0-RTT 122 CheckConnected(); 123 SendReceive(); 124 EXPECT_FALSE(capture_early_data->captured()); 125 } 126 127 // This filter only works for DTLS 1.3 where there is exactly one handshake 128 // packet. If the record is split into two packets, or there are multiple 129 // handshake packets, this will break. 130 class CorrectMessageSeqAfterHrrFilter : public TlsRecordFilter { 131 public: 132 CorrectMessageSeqAfterHrrFilter(const std::shared_ptr<TlsAgent>& a) 133 : TlsRecordFilter(a) {} 134 135 protected: 136 PacketFilter::Action FilterRecord(const TlsRecordHeader& header, 137 const DataBuffer& record, size_t* offset, 138 DataBuffer* output) { 139 if (filtered_packets() > 0 || header.content_type() != ssl_ct_handshake) { 140 return KEEP; 141 } 142 143 DataBuffer buffer(record); 144 TlsRecordHeader new_header(header.variant(), header.version(), 145 header.content_type(), 146 header.sequence_number() + 1); 147 148 // Correct message_seq. 149 buffer.Write(4, 1U, 2); 150 151 *offset = new_header.Write(output, *offset, buffer); 152 return CHANGE; 153 } 154 }; 155 156 TEST_P(TlsConnectTls13, SecondClientHelloRejectEarlyDataXtn) { 157 static const std::vector<SSLNamedGroup> groups = {ssl_grp_ec_secp384r1, 158 ssl_grp_ec_secp521r1}; 159 160 SetupForZeroRtt(); 161 ExpectResumption(RESUME_TICKET); 162 163 client_->ConfigNamedGroups(groups); 164 server_->ConfigNamedGroups(groups); 165 client_->Set0RttEnabled(true); 166 server_->Set0RttEnabled(true); 167 168 // A new client that tries to resume with 0-RTT but doesn't send the 169 // correct key share(s). The server will respond with an HRR. 170 auto orig_client = 171 std::make_shared<TlsAgent>(client_->name(), TlsAgent::CLIENT, variant_); 172 client_.swap(orig_client); 173 // filters only work with particular groups 174 client_->ConfigNamedGroups(kNonPQDHEGroups); 175 client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_1, 176 SSL_LIBRARY_VERSION_TLS_1_3); 177 client_->ConfigureSessionCache(RESUME_BOTH); 178 client_->Set0RttEnabled(true); 179 client_->StartConnect(); 180 181 // Swap in the new client. 182 client_->SetPeer(server_); 183 server_->SetPeer(client_); 184 185 // Send the ClientHello. 186 client_->Handshake(); 187 // Process the CH, send an HRR. 188 server_->Handshake(); 189 190 // Swap the client we created manually with the one that successfully 191 // received a PSK, and try to resume with 0-RTT. The client doesn't know 192 // about the HRR so it will send the early_data xtn as well as 0-RTT data. 193 client_.swap(orig_client); 194 orig_client.reset(); 195 196 // Correct the DTLS message sequence number after an HRR. 197 if (variant_ == ssl_variant_datagram) { 198 MakeTlsFilter<CorrectMessageSeqAfterHrrFilter>(client_); 199 } 200 201 server_->SetPeer(client_); 202 client_->Handshake(); 203 204 // Send 0-RTT data. 205 const char* k0RttData = "ABCDEF"; 206 const PRInt32 k0RttDataLen = static_cast<PRInt32>(strlen(k0RttData)); 207 PRInt32 rv = PR_Write(client_->ssl_fd(), k0RttData, k0RttDataLen); 208 EXPECT_EQ(k0RttDataLen, rv); 209 210 ExpectAlert(server_, kTlsAlertUnsupportedExtension); 211 Handshake(); 212 client_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_EXTENSION_ALERT); 213 } 214 215 class KeyShareReplayer : public TlsExtensionFilter { 216 public: 217 KeyShareReplayer(const std::shared_ptr<TlsAgent>& a) 218 : TlsExtensionFilter(a) {} 219 220 virtual PacketFilter::Action FilterExtension(uint16_t extension_type, 221 const DataBuffer& input, 222 DataBuffer* output) { 223 if (extension_type != ssl_tls13_key_share_xtn) { 224 return KEEP; 225 } 226 227 if (!data_.len()) { 228 data_ = input; 229 return KEEP; 230 } 231 232 *output = data_; 233 return CHANGE; 234 } 235 236 private: 237 DataBuffer data_; 238 }; 239 240 // This forces a HelloRetryRequest by disabling P-256 on the server. However, 241 // the second ClientHello is modified so that it omits the requested share. The 242 // server should reject this. 243 TEST_P(TlsConnectTls13, RetryWithSameKeyShare) { 244 EnsureTlsSetup(); 245 MakeTlsFilter<KeyShareReplayer>(client_); 246 static const std::vector<SSLNamedGroup> groups = {ssl_grp_ec_secp384r1, 247 ssl_grp_ec_secp521r1}; 248 server_->ConfigNamedGroups(groups); 249 ConnectExpectAlert(server_, kTlsAlertIllegalParameter); 250 EXPECT_EQ(SSL_ERROR_BAD_2ND_CLIENT_HELLO, server_->error_code()); 251 EXPECT_EQ(SSL_ERROR_ILLEGAL_PARAMETER_ALERT, client_->error_code()); 252 } 253 254 // Here we modify the second ClientHello so that the client retries with the 255 // same shares, even though the server wanted something else. 256 TEST_P(TlsConnectTls13, RetryWithTwoShares) { 257 EnsureTlsSetup(); 258 EXPECT_EQ(SECSuccess, SSL_SendAdditionalKeyShares(client_->ssl_fd(), 1)); 259 MakeTlsFilter<KeyShareReplayer>(client_); 260 261 static const std::vector<SSLNamedGroup> groups = {ssl_grp_ec_secp384r1, 262 ssl_grp_ec_secp521r1}; 263 server_->ConfigNamedGroups(groups); 264 ConnectExpectAlert(server_, kTlsAlertIllegalParameter); 265 EXPECT_EQ(SSL_ERROR_BAD_2ND_CLIENT_HELLO, server_->error_code()); 266 EXPECT_EQ(SSL_ERROR_ILLEGAL_PARAMETER_ALERT, client_->error_code()); 267 } 268 269 TEST_P(TlsConnectTls13, RetryCallbackAccept) { 270 EnsureTlsSetup(); 271 272 auto accept_hello = [](PRBool firstHello, const PRUint8* clientToken, 273 unsigned int clientTokenLen, PRUint8* appToken, 274 unsigned int* appTokenLen, unsigned int appTokenMax, 275 void* arg) { 276 auto* called = reinterpret_cast<bool*>(arg); 277 *called = true; 278 279 EXPECT_TRUE(firstHello); 280 EXPECT_EQ(0U, clientTokenLen); 281 return ssl_hello_retry_accept; 282 }; 283 284 bool cb_run = false; 285 EXPECT_EQ(SECSuccess, SSL_HelloRetryRequestCallback(server_->ssl_fd(), 286 accept_hello, &cb_run)); 287 Connect(); 288 EXPECT_TRUE(cb_run); 289 } 290 291 TEST_P(TlsConnectTls13, RetryCallbackAcceptGroupMismatch) { 292 EnsureTlsSetup(); 293 294 auto accept_hello_twice = [](PRBool firstHello, const PRUint8* clientToken, 295 unsigned int clientTokenLen, PRUint8* appToken, 296 unsigned int* appTokenLen, 297 unsigned int appTokenMax, void* arg) { 298 auto* called = reinterpret_cast<size_t*>(arg); 299 ++*called; 300 301 EXPECT_EQ(0U, clientTokenLen); 302 return ssl_hello_retry_accept; 303 }; 304 305 auto capture = 306 MakeTlsFilter<TlsExtensionCapture>(server_, ssl_tls13_cookie_xtn); 307 capture->SetHandshakeTypes({kTlsHandshakeHelloRetryRequest}); 308 309 static const std::vector<SSLNamedGroup> groups = {ssl_grp_ec_secp384r1}; 310 server_->ConfigNamedGroups(groups); 311 312 size_t cb_run = 0; 313 EXPECT_EQ(SECSuccess, SSL_HelloRetryRequestCallback( 314 server_->ssl_fd(), accept_hello_twice, &cb_run)); 315 Connect(); 316 EXPECT_EQ(2U, cb_run); 317 EXPECT_TRUE(capture->captured()) << "expected a cookie in HelloRetryRequest"; 318 } 319 320 TEST_P(TlsConnectTls13, RetryCallbackFail) { 321 EnsureTlsSetup(); 322 323 auto fail_hello = [](PRBool firstHello, const PRUint8* clientToken, 324 unsigned int clientTokenLen, PRUint8* appToken, 325 unsigned int* appTokenLen, unsigned int appTokenMax, 326 void* arg) { 327 auto* called = reinterpret_cast<bool*>(arg); 328 *called = true; 329 330 EXPECT_TRUE(firstHello); 331 EXPECT_EQ(0U, clientTokenLen); 332 return ssl_hello_retry_fail; 333 }; 334 335 bool cb_run = false; 336 EXPECT_EQ(SECSuccess, SSL_HelloRetryRequestCallback(server_->ssl_fd(), 337 fail_hello, &cb_run)); 338 ConnectExpectAlert(server_, kTlsAlertHandshakeFailure); 339 server_->CheckErrorCode(SSL_ERROR_APPLICATION_ABORT); 340 EXPECT_TRUE(cb_run); 341 } 342 343 // Asking for retry twice isn't allowed. 344 TEST_P(TlsConnectTls13, RetryCallbackRequestHrrTwice) { 345 EnsureTlsSetup(); 346 347 auto bad_callback = [](PRBool firstHello, const PRUint8* clientToken, 348 unsigned int clientTokenLen, PRUint8* appToken, 349 unsigned int* appTokenLen, unsigned int appTokenMax, 350 void* arg) -> SSLHelloRetryRequestAction { 351 return ssl_hello_retry_request; 352 }; 353 EXPECT_EQ(SECSuccess, SSL_HelloRetryRequestCallback(server_->ssl_fd(), 354 bad_callback, NULL)); 355 ConnectExpectAlert(server_, kTlsAlertInternalError); 356 server_->CheckErrorCode(SSL_ERROR_APP_CALLBACK_ERROR); 357 } 358 359 // Accepting the CH and modifying the token isn't allowed. 360 TEST_P(TlsConnectTls13, RetryCallbackAcceptAndSetToken) { 361 EnsureTlsSetup(); 362 363 auto bad_callback = [](PRBool firstHello, const PRUint8* clientToken, 364 unsigned int clientTokenLen, PRUint8* appToken, 365 unsigned int* appTokenLen, unsigned int appTokenMax, 366 void* arg) -> SSLHelloRetryRequestAction { 367 *appTokenLen = 1; 368 return ssl_hello_retry_accept; 369 }; 370 EXPECT_EQ(SECSuccess, SSL_HelloRetryRequestCallback(server_->ssl_fd(), 371 bad_callback, NULL)); 372 ConnectExpectAlert(server_, kTlsAlertInternalError); 373 server_->CheckErrorCode(SSL_ERROR_APP_CALLBACK_ERROR); 374 } 375 376 // As above, but with reject. 377 TEST_P(TlsConnectTls13, RetryCallbackRejectAndSetToken) { 378 EnsureTlsSetup(); 379 380 auto bad_callback = [](PRBool firstHello, const PRUint8* clientToken, 381 unsigned int clientTokenLen, PRUint8* appToken, 382 unsigned int* appTokenLen, unsigned int appTokenMax, 383 void* arg) -> SSLHelloRetryRequestAction { 384 *appTokenLen = 1; 385 return ssl_hello_retry_fail; 386 }; 387 EXPECT_EQ(SECSuccess, SSL_HelloRetryRequestCallback(server_->ssl_fd(), 388 bad_callback, NULL)); 389 ConnectExpectAlert(server_, kTlsAlertInternalError); 390 server_->CheckErrorCode(SSL_ERROR_APP_CALLBACK_ERROR); 391 } 392 393 // This is a (pretend) buffer overflow. 394 TEST_P(TlsConnectTls13, RetryCallbackSetTooLargeToken) { 395 EnsureTlsSetup(); 396 397 auto bad_callback = [](PRBool firstHello, const PRUint8* clientToken, 398 unsigned int clientTokenLen, PRUint8* appToken, 399 unsigned int* appTokenLen, unsigned int appTokenMax, 400 void* arg) -> SSLHelloRetryRequestAction { 401 *appTokenLen = appTokenMax + 1; 402 return ssl_hello_retry_accept; 403 }; 404 EXPECT_EQ(SECSuccess, SSL_HelloRetryRequestCallback(server_->ssl_fd(), 405 bad_callback, NULL)); 406 ConnectExpectAlert(server_, kTlsAlertInternalError); 407 server_->CheckErrorCode(SSL_ERROR_APP_CALLBACK_ERROR); 408 } 409 410 SSLHelloRetryRequestAction RetryHello(PRBool firstHello, 411 const PRUint8* clientToken, 412 unsigned int clientTokenLen, 413 PRUint8* appToken, 414 unsigned int* appTokenLen, 415 unsigned int appTokenMax, void* arg) { 416 auto* called = reinterpret_cast<size_t*>(arg); 417 ++*called; 418 419 EXPECT_EQ(0U, clientTokenLen); 420 return firstHello ? ssl_hello_retry_request : ssl_hello_retry_accept; 421 } 422 423 TEST_P(TlsConnectTls13, RetryCallbackRetry) { 424 EnsureTlsSetup(); 425 426 auto capture_hrr = std::make_shared<TlsHandshakeRecorder>( 427 server_, ssl_hs_hello_retry_request); 428 auto capture_key_share = 429 std::make_shared<TlsExtensionCapture>(server_, ssl_tls13_key_share_xtn); 430 capture_key_share->SetHandshakeTypes({kTlsHandshakeHelloRetryRequest}); 431 std::vector<std::shared_ptr<PacketFilter>> chain = {capture_hrr, 432 capture_key_share}; 433 server_->SetFilter(std::make_shared<ChainedPacketFilter>(chain)); 434 435 size_t cb_called = 0; 436 EXPECT_EQ(SECSuccess, SSL_HelloRetryRequestCallback(server_->ssl_fd(), 437 RetryHello, &cb_called)); 438 439 // Do the first message exchange. 440 StartConnect(); 441 client_->Handshake(); 442 server_->Handshake(); 443 444 EXPECT_EQ(1U, cb_called) << "callback should be called once here"; 445 EXPECT_LT(0U, capture_hrr->buffer().len()) << "HelloRetryRequest expected"; 446 EXPECT_FALSE(capture_key_share->captured()) 447 << "no key_share extension expected"; 448 449 auto capture_cookie = 450 MakeTlsFilter<TlsExtensionCapture>(client_, ssl_tls13_cookie_xtn); 451 452 Handshake(); 453 CheckConnected(); 454 EXPECT_EQ(2U, cb_called); 455 EXPECT_TRUE(capture_cookie->captured()) << "should have a cookie"; 456 } 457 458 static size_t CountShares(const DataBuffer& key_share) { 459 size_t count = 0; 460 uint32_t len = 0; 461 size_t offset = 2; 462 463 EXPECT_TRUE(key_share.Read(0, 2, &len)); 464 EXPECT_EQ(key_share.len() - 2, len); 465 while (offset < key_share.len()) { 466 offset += 2; // Skip KeyShareEntry.group 467 EXPECT_TRUE(key_share.Read(offset, 2, &len)); 468 offset += 2 + len; // Skip KeyShareEntry.key_exchange 469 ++count; 470 } 471 return count; 472 } 473 474 TEST_P(TlsConnectTls13, RetryCallbackRetryWithAdditionalShares) { 475 EnsureTlsSetup(); 476 EXPECT_EQ(SECSuccess, SSL_SendAdditionalKeyShares(client_->ssl_fd(), 1)); 477 478 auto capture_server = 479 MakeTlsFilter<TlsExtensionCapture>(server_, ssl_tls13_key_share_xtn); 480 capture_server->SetHandshakeTypes({kTlsHandshakeHelloRetryRequest}); 481 482 size_t cb_called = 0; 483 EXPECT_EQ(SECSuccess, SSL_HelloRetryRequestCallback(server_->ssl_fd(), 484 RetryHello, &cb_called)); 485 486 // Do the first message exchange. 487 StartConnect(); 488 client_->Handshake(); 489 server_->Handshake(); 490 491 EXPECT_EQ(1U, cb_called) << "callback should be called once here"; 492 EXPECT_FALSE(capture_server->captured()) 493 << "no key_share extension expected from server"; 494 495 auto capture_client_2nd = 496 MakeTlsFilter<TlsExtensionCapture>(client_, ssl_tls13_key_share_xtn); 497 498 Handshake(); 499 CheckConnected(); 500 EXPECT_EQ(2U, cb_called); 501 EXPECT_TRUE(capture_client_2nd->captured()) << "client should send key_share"; 502 EXPECT_EQ(2U, CountShares(capture_client_2nd->extension())) 503 << "client should still send two shares"; 504 } 505 506 // The callback should be run even if we have another reason to send 507 // HelloRetryRequest. In this case, the server sends HRR because the server 508 // wants a P-384 key share and the client didn't offer one. 509 TEST_P(TlsConnectTls13, RetryCallbackRetryWithGroupMismatch) { 510 EnsureTlsSetup(); 511 512 auto capture_cookie = 513 std::make_shared<TlsExtensionCapture>(server_, ssl_tls13_cookie_xtn); 514 capture_cookie->SetHandshakeTypes({kTlsHandshakeHelloRetryRequest}); 515 auto capture_key_share = 516 std::make_shared<TlsExtensionCapture>(server_, ssl_tls13_key_share_xtn); 517 capture_key_share->SetHandshakeTypes({kTlsHandshakeHelloRetryRequest}); 518 server_->SetFilter(std::make_shared<ChainedPacketFilter>( 519 ChainedPacketFilterInit{capture_cookie, capture_key_share})); 520 521 static const std::vector<SSLNamedGroup> groups = {ssl_grp_ec_secp384r1}; 522 server_->ConfigNamedGroups(groups); 523 524 size_t cb_called = 0; 525 EXPECT_EQ(SECSuccess, SSL_HelloRetryRequestCallback(server_->ssl_fd(), 526 RetryHello, &cb_called)); 527 Connect(); 528 EXPECT_EQ(2U, cb_called); 529 EXPECT_TRUE(capture_cookie->captured()) << "cookie expected"; 530 EXPECT_TRUE(capture_key_share->captured()) << "key_share expected"; 531 } 532 533 static const uint8_t kApplicationToken[] = {0x92, 0x44, 0x00}; 534 535 SSLHelloRetryRequestAction RetryHelloWithToken( 536 PRBool firstHello, const PRUint8* clientToken, unsigned int clientTokenLen, 537 PRUint8* appToken, unsigned int* appTokenLen, unsigned int appTokenMax, 538 void* arg) { 539 auto* called = reinterpret_cast<size_t*>(arg); 540 ++*called; 541 542 if (firstHello) { 543 memcpy(appToken, kApplicationToken, sizeof(kApplicationToken)); 544 *appTokenLen = sizeof(kApplicationToken); 545 return ssl_hello_retry_request; 546 } 547 548 EXPECT_EQ(DataBuffer(kApplicationToken, sizeof(kApplicationToken)), 549 DataBuffer(clientToken, static_cast<size_t>(clientTokenLen))); 550 return ssl_hello_retry_accept; 551 } 552 553 TEST_P(TlsConnectTls13, RetryCallbackRetryWithToken) { 554 EnsureTlsSetup(); 555 556 auto capture_key_share = 557 MakeTlsFilter<TlsExtensionCapture>(server_, ssl_tls13_key_share_xtn); 558 capture_key_share->SetHandshakeTypes({kTlsHandshakeHelloRetryRequest}); 559 560 size_t cb_called = 0; 561 EXPECT_EQ(SECSuccess, 562 SSL_HelloRetryRequestCallback(server_->ssl_fd(), 563 RetryHelloWithToken, &cb_called)); 564 Connect(); 565 EXPECT_EQ(2U, cb_called); 566 EXPECT_FALSE(capture_key_share->captured()) << "no key share expected"; 567 } 568 569 TEST_P(TlsConnectTls13, RetryCallbackRetryWithTokenAndGroupMismatch) { 570 EnsureTlsSetup(); 571 572 static const std::vector<SSLNamedGroup> groups = {ssl_grp_ec_secp384r1}; 573 server_->ConfigNamedGroups(groups); 574 575 auto capture_key_share = 576 MakeTlsFilter<TlsExtensionCapture>(server_, ssl_tls13_key_share_xtn); 577 capture_key_share->SetHandshakeTypes({kTlsHandshakeHelloRetryRequest}); 578 579 size_t cb_called = 0; 580 EXPECT_EQ(SECSuccess, 581 SSL_HelloRetryRequestCallback(server_->ssl_fd(), 582 RetryHelloWithToken, &cb_called)); 583 Connect(); 584 EXPECT_EQ(2U, cb_called); 585 EXPECT_TRUE(capture_key_share->captured()) << "key share expected"; 586 } 587 588 SSLHelloRetryRequestAction CheckTicketToken( 589 PRBool firstHello, const PRUint8* clientToken, unsigned int clientTokenLen, 590 PRUint8* appToken, unsigned int* appTokenLen, unsigned int appTokenMax, 591 void* arg) { 592 auto* called = reinterpret_cast<bool*>(arg); 593 *called = true; 594 595 EXPECT_TRUE(firstHello); 596 EXPECT_EQ(DataBuffer(kApplicationToken, sizeof(kApplicationToken)), 597 DataBuffer(clientToken, static_cast<size_t>(clientTokenLen))); 598 return ssl_hello_retry_accept; 599 } 600 601 // Stream because SSL_SendSessionTicket only supports that. 602 TEST_F(TlsConnectStreamTls13, RetryCallbackWithSessionTicketToken) { 603 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 604 Connect(); 605 EXPECT_EQ(SECSuccess, 606 SSL_SendSessionTicket(server_->ssl_fd(), kApplicationToken, 607 sizeof(kApplicationToken))); 608 SendReceive(); 609 610 Reset(); 611 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 612 ExpectResumption(RESUME_TICKET); 613 614 bool cb_run = false; 615 EXPECT_EQ(SECSuccess, SSL_HelloRetryRequestCallback( 616 server_->ssl_fd(), CheckTicketToken, &cb_run)); 617 Connect(); 618 EXPECT_TRUE(cb_run); 619 } 620 621 void TriggerHelloRetryRequest(std::shared_ptr<TlsAgent>& client, 622 std::shared_ptr<TlsAgent>& server) { 623 size_t cb_called = 0; 624 EXPECT_EQ(SECSuccess, SSL_HelloRetryRequestCallback(server->ssl_fd(), 625 RetryHello, &cb_called)); 626 627 // Start the handshake. 628 client->StartConnect(); 629 server->StartConnect(); 630 client->Handshake(); 631 server->Handshake(); 632 EXPECT_EQ(1U, cb_called); 633 // Stop the callback from being called in future handshakes. 634 EXPECT_EQ(SECSuccess, 635 SSL_HelloRetryRequestCallback(server->ssl_fd(), nullptr, nullptr)); 636 } 637 638 TEST_P(TlsConnectTls13, VersionNumbersAfterRetry) { 639 ConfigureSelfEncrypt(); 640 EnsureTlsSetup(); 641 auto r = MakeTlsFilter<TlsRecordRecorder>(client_); 642 TriggerHelloRetryRequest(client_, server_); 643 Handshake(); 644 ASSERT_GT(r->count(), 1UL); 645 auto ch1 = r->record(0); 646 if (ch1.header.is_dtls()) { 647 ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_1, ch1.header.version()); 648 } else { 649 ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, ch1.header.version()); 650 } 651 auto ch2 = r->record(1); 652 ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_2, ch2.header.version()); 653 654 CheckConnected(); 655 } 656 657 TEST_P(TlsConnectTls13, RetryStateless) { 658 ConfigureSelfEncrypt(); 659 EnsureTlsSetup(); 660 661 TriggerHelloRetryRequest(client_, server_); 662 MakeNewServer(); 663 664 Handshake(); 665 CheckConnected(); 666 SendReceive(); 667 } 668 669 TEST_P(TlsConnectTls13, RetryStatefulDropCookie) { 670 ConfigureSelfEncrypt(); 671 EnsureTlsSetup(); 672 673 TriggerHelloRetryRequest(client_, server_); 674 MakeTlsFilter<TlsExtensionDropper>(client_, ssl_tls13_cookie_xtn); 675 676 ExpectAlert(server_, kTlsAlertMissingExtension); 677 Handshake(); 678 client_->CheckErrorCode(SSL_ERROR_MISSING_EXTENSION_ALERT); 679 server_->CheckErrorCode(SSL_ERROR_MISSING_COOKIE_EXTENSION); 680 } 681 682 class TruncateHrrCookie : public TlsExtensionFilter { 683 public: 684 TruncateHrrCookie(const std::shared_ptr<TlsAgent>& a) 685 : TlsExtensionFilter(a) {} 686 virtual PacketFilter::Action FilterExtension(uint16_t extension_type, 687 const DataBuffer& input, 688 DataBuffer* output) { 689 if (extension_type != ssl_tls13_cookie_xtn) { 690 return KEEP; 691 } 692 693 // Claim a zero-length cookie. 694 output->Allocate(2); 695 output->Write(0, static_cast<uint32_t>(0), 2); 696 return CHANGE; 697 } 698 }; 699 700 TEST_P(TlsConnectTls13, RetryCookieEmpty) { 701 ConfigureSelfEncrypt(); 702 EnsureTlsSetup(); 703 704 TriggerHelloRetryRequest(client_, server_); 705 MakeTlsFilter<TruncateHrrCookie>(client_); 706 707 ExpectAlert(server_, kTlsAlertHandshakeFailure); 708 Handshake(); 709 client_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP); 710 server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO); 711 } 712 713 class AddJunkToCookie : public TlsExtensionFilter { 714 public: 715 AddJunkToCookie(const std::shared_ptr<TlsAgent>& a) : TlsExtensionFilter(a) {} 716 virtual PacketFilter::Action FilterExtension(uint16_t extension_type, 717 const DataBuffer& input, 718 DataBuffer* output) { 719 if (extension_type != ssl_tls13_cookie_xtn) { 720 return KEEP; 721 } 722 723 *output = input; 724 // Add junk after the cookie. 725 static const uint8_t junk[2] = {1, 2}; 726 output->Append(DataBuffer(junk, sizeof(junk))); 727 return CHANGE; 728 } 729 }; 730 731 TEST_P(TlsConnectTls13, RetryCookieWithExtras) { 732 ConfigureSelfEncrypt(); 733 EnsureTlsSetup(); 734 735 TriggerHelloRetryRequest(client_, server_); 736 MakeTlsFilter<AddJunkToCookie>(client_); 737 738 ExpectAlert(server_, kTlsAlertHandshakeFailure); 739 Handshake(); 740 client_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP); 741 server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO); 742 } 743 744 // Stream only because DTLS drops bad packets. 745 TEST_F(TlsConnectStreamTls13, RetryStatelessDamageFirstClientHello) { 746 ConfigureSelfEncrypt(); 747 EnsureTlsSetup(); 748 749 auto damage_ch = 750 MakeTlsFilter<TlsExtensionInjector>(client_, 0xfff3, DataBuffer()); 751 752 TriggerHelloRetryRequest(client_, server_); 753 MakeNewServer(); 754 755 // Key exchange fails when the handshake continues because client and server 756 // disagree about the transcript. 757 client_->ExpectSendAlert(kTlsAlertBadRecordMac); 758 server_->ExpectSendAlert(kTlsAlertBadRecordMac); 759 Handshake(); 760 server_->CheckErrorCode(SSL_ERROR_BAD_MAC_READ); 761 client_->CheckErrorCode(SSL_ERROR_BAD_MAC_READ); 762 } 763 764 TEST_F(TlsConnectStreamTls13, RetryStatelessDamageSecondClientHello) { 765 ConfigureSelfEncrypt(); 766 EnsureTlsSetup(); 767 768 TriggerHelloRetryRequest(client_, server_); 769 MakeNewServer(); 770 771 auto damage_ch = 772 MakeTlsFilter<TlsExtensionInjector>(client_, 0xfff3, DataBuffer()); 773 774 // Key exchange fails when the handshake continues because client and server 775 // disagree about the transcript. 776 client_->ExpectSendAlert(kTlsAlertBadRecordMac); 777 server_->ExpectSendAlert(kTlsAlertBadRecordMac); 778 Handshake(); 779 server_->CheckErrorCode(SSL_ERROR_BAD_MAC_READ); 780 client_->CheckErrorCode(SSL_ERROR_BAD_MAC_READ); 781 } 782 783 // Stream because SSL_SendSessionTicket only supports that. 784 TEST_F(TlsConnectStreamTls13, SecondClientHelloSendSameTicket) { 785 // This simulates the scenario described at: 786 // https://bugzilla.mozilla.org/show_bug.cgi?id=1481271#c7 787 // 788 // Here two connections are interleaved. Tickets are issued on one 789 // connection. A HelloRetryRequest is triggered on the second connection, 790 // meaning that there are two ClientHellos. We need to check that both 791 // ClientHellos have the same ticket, even if a new ticket is issued on the 792 // other connection in the meantime. 793 // 794 // Connection 1: <handshake> 795 // Connection 1: S->C: NST=X 796 // Connection 2: C->S: CH [PSK_ID=X] 797 // Connection 1: S->C: NST=Y 798 // Connection 2: S->C: HRR 799 // Connection 2: C->S: CH [PSK_ID=Y] 800 801 // Connection 1, send a ticket after handshake is complete. 802 ConfigureSessionCache(RESUME_TICKET, RESUME_TICKET); 803 804 Connect(); 805 806 // Set this token so that RetryHelloWithToken() will check that this 807 // is the token that it receives in the HelloRetryRequest callback. 808 EXPECT_EQ(SECSuccess, 809 SSL_SendSessionTicket(server_->ssl_fd(), kApplicationToken, 810 sizeof(kApplicationToken))); 811 SendReceive(50); 812 813 // Connection 2, trigger HRR. 814 auto client2 = 815 std::make_shared<TlsAgent>(client_->name(), TlsAgent::CLIENT, variant_); 816 auto server2 = 817 std::make_shared<TlsAgent>(server_->name(), TlsAgent::SERVER, variant_); 818 819 client2->SetPeer(server2); 820 server2->SetPeer(client2); 821 822 client_.swap(client2); 823 server_.swap(server2); 824 825 ConfigureSessionCache(RESUME_TICKET, RESUME_TICKET); 826 827 ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3); 828 829 client_->StartConnect(); 830 server_->StartConnect(); 831 832 size_t cb_called = 0; 833 EXPECT_EQ(SECSuccess, 834 SSL_HelloRetryRequestCallback(server_->ssl_fd(), 835 RetryHelloWithToken, &cb_called)); 836 client_->Handshake(); // Send ClientHello. 837 server_->Handshake(); // Process ClientHello, send HelloRetryRequest. 838 839 EXPECT_EQ(1U, cb_called) << "callback should be called once here"; 840 841 // Connection 1, send another ticket. 842 client_.swap(client2); 843 server_.swap(server2); 844 845 // If the client uses this token, RetryHelloWithToken() will fail the test. 846 const uint8_t kAnotherApplicationToken[] = {0x92, 0x44, 0x01}; 847 EXPECT_EQ(SECSuccess, 848 SSL_SendSessionTicket(server_->ssl_fd(), kAnotherApplicationToken, 849 sizeof(kAnotherApplicationToken))); 850 SendReceive(60); 851 852 // Connection 2, continue the handshake. 853 // The client should use kApplicationToken, not kAnotherApplicationToken. 854 client_.swap(client2); 855 server_.swap(server2); 856 857 client_->Handshake(); 858 server_->Handshake(); 859 860 EXPECT_EQ(2U, cb_called) << "callback should be called twice here"; 861 } 862 863 // Read the cipher suite from the HRR and disable it on the identified agent. 864 static void DisableSuiteFromHrr( 865 std::shared_ptr<TlsAgent>& agent, 866 std::shared_ptr<TlsHandshakeRecorder>& capture_hrr) { 867 uint32_t tmp; 868 size_t offset = 2 + 32; // skip version + server_random 869 ASSERT_TRUE( 870 capture_hrr->buffer().Read(offset, 1, &tmp)); // session_id length 871 EXPECT_EQ(0U, tmp); 872 offset += 1 + tmp; 873 ASSERT_TRUE(capture_hrr->buffer().Read(offset, 2, &tmp)); // suite 874 EXPECT_EQ( 875 SECSuccess, 876 SSL_CipherPrefSet(agent->ssl_fd(), static_cast<uint16_t>(tmp), PR_FALSE)); 877 } 878 879 TEST_P(TlsConnectTls13, RetryStatelessDisableSuiteClient) { 880 ConfigureSelfEncrypt(); 881 EnsureTlsSetup(); 882 883 auto capture_hrr = 884 MakeTlsFilter<TlsHandshakeRecorder>(server_, ssl_hs_hello_retry_request); 885 886 TriggerHelloRetryRequest(client_, server_); 887 MakeNewServer(); 888 889 DisableSuiteFromHrr(client_, capture_hrr); 890 891 // The client thinks that the HelloRetryRequest is bad, even though its 892 // because it changed its mind about the cipher suite. 893 ExpectAlert(client_, kTlsAlertIllegalParameter); 894 Handshake(); 895 client_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP); 896 server_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT); 897 } 898 899 TEST_P(TlsConnectTls13, RetryStatelessDisableSuiteServer) { 900 ConfigureSelfEncrypt(); 901 EnsureTlsSetup(); 902 903 auto capture_hrr = 904 MakeTlsFilter<TlsHandshakeRecorder>(server_, ssl_hs_hello_retry_request); 905 906 TriggerHelloRetryRequest(client_, server_); 907 MakeNewServer(); 908 909 DisableSuiteFromHrr(server_, capture_hrr); 910 911 ExpectAlert(server_, kTlsAlertIllegalParameter); 912 Handshake(); 913 server_->CheckErrorCode(SSL_ERROR_BAD_2ND_CLIENT_HELLO); 914 client_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT); 915 } 916 917 TEST_P(TlsConnectTls13, RetryStatelessDisableGroupClient) { 918 ConfigureSelfEncrypt(); 919 EnsureTlsSetup(); 920 921 TriggerHelloRetryRequest(client_, server_); 922 MakeNewServer(); 923 924 static const std::vector<SSLNamedGroup> groups = {ssl_grp_ec_secp384r1}; 925 client_->ConfigNamedGroups(groups); 926 927 // We're into undefined behavior on the client side, but - at the point this 928 // test was written - the client here doesn't amend its key shares because the 929 // server doesn't ask it to. The server notices that the key share (x25519) 930 // doesn't match the negotiated group (P-384) and objects. 931 ExpectAlert(server_, kTlsAlertIllegalParameter); 932 Handshake(); 933 server_->CheckErrorCode(SSL_ERROR_BAD_2ND_CLIENT_HELLO); 934 client_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT); 935 } 936 937 TEST_P(TlsConnectTls13, RetryStatelessDisableGroupServer) { 938 ConfigureSelfEncrypt(); 939 EnsureTlsSetup(); 940 941 TriggerHelloRetryRequest(client_, server_); 942 MakeNewServer(); 943 944 static const std::vector<SSLNamedGroup> groups = {ssl_grp_ec_secp384r1}; 945 server_->ConfigNamedGroups(groups); 946 947 ExpectAlert(server_, kTlsAlertIllegalParameter); 948 Handshake(); 949 server_->CheckErrorCode(SSL_ERROR_BAD_2ND_CLIENT_HELLO); 950 client_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT); 951 } 952 953 TEST_P(TlsConnectTls13, RetryStatelessBadCookie) { 954 ConfigureSelfEncrypt(); 955 EnsureTlsSetup(); 956 957 TriggerHelloRetryRequest(client_, server_); 958 959 // Now replace the self-encrypt MAC key with a garbage key. 960 static const uint8_t bad_hmac_key[32] = {0}; 961 SECItem key_item = {siBuffer, const_cast<uint8_t*>(bad_hmac_key), 962 sizeof(bad_hmac_key)}; 963 ScopedPK11SlotInfo slot(PK11_GetInternalSlot()); 964 PK11SymKey* hmac_key = 965 PK11_ImportSymKey(slot.get(), CKM_SHA256_HMAC, PK11_OriginUnwrap, 966 CKA_SIGN, &key_item, nullptr); 967 ASSERT_NE(nullptr, hmac_key); 968 SSLInt_SetSelfEncryptMacKey(hmac_key); // Passes ownership. 969 970 MakeNewServer(); 971 972 ExpectAlert(server_, kTlsAlertIllegalParameter); 973 Handshake(); 974 server_->CheckErrorCode(SSL_ERROR_BAD_2ND_CLIENT_HELLO); 975 client_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT); 976 } 977 978 // Stream because the server doesn't consume the alert and terminate. 979 TEST_F(TlsConnectStreamTls13, RetryWithDifferentCipherSuite) { 980 EnsureTlsSetup(); 981 // Force a HelloRetryRequest. 982 static const std::vector<SSLNamedGroup> groups = {ssl_grp_ec_secp384r1}; 983 server_->ConfigNamedGroups(groups); 984 // Then switch out the default suite (TLS_AES_128_GCM_SHA256). 985 MakeTlsFilter<SelectedCipherSuiteReplacer>(server_, 986 TLS_CHACHA20_POLY1305_SHA256); 987 988 client_->ExpectSendAlert(kTlsAlertIllegalParameter); 989 server_->ExpectSendAlert(kTlsAlertUnexpectedMessage); 990 ConnectExpectFail(); 991 EXPECT_EQ(SSL_ERROR_RX_MALFORMED_SERVER_HELLO, client_->error_code()); 992 EXPECT_EQ(SSL_ERROR_RX_UNEXPECTED_RECORD_TYPE, server_->error_code()); 993 } 994 995 // This tests that the second attempt at sending a ClientHello (after receiving 996 // a HelloRetryRequest) is correctly retransmitted. 997 TEST_F(TlsConnectDatagram13, DropClientSecondFlightWithHelloRetry) { 998 static const std::vector<SSLNamedGroup> groups = {ssl_grp_ec_secp384r1, 999 ssl_grp_ec_secp521r1}; 1000 server_->ConfigNamedGroups(groups); 1001 server_->SetFilter(std::make_shared<SelectiveDropFilter>(0x2)); 1002 Connect(); 1003 } 1004 1005 class TlsKeyExchange13 : public TlsKeyExchangeTest {}; 1006 1007 // This should work, with an HRR, because the server prefers x25519 and the 1008 // client generates a share for P-384 on the initial ClientHello. 1009 TEST_P(TlsKeyExchange13, ConnectEcdhePreferenceMismatchHrr) { 1010 EnsureKeyShareSetup(); 1011 static const std::vector<SSLNamedGroup> client_groups = { 1012 ssl_grp_ec_secp384r1, ssl_grp_ec_curve25519}; 1013 static const std::vector<SSLNamedGroup> server_groups = { 1014 ssl_grp_ec_curve25519, ssl_grp_ec_secp384r1}; 1015 client_->ConfigNamedGroups(client_groups); 1016 server_->ConfigNamedGroups(server_groups); 1017 Connect(); 1018 CheckKeys(ssl_kea_ecdh, ssl_grp_ec_curve25519); 1019 static const std::vector<SSLNamedGroup> expectedShares = { 1020 ssl_grp_ec_secp384r1}; 1021 CheckKEXDetails(client_groups, expectedShares, ssl_grp_ec_curve25519); 1022 } 1023 1024 TEST_P(TlsKeyExchange13, SecondClientHelloPreambleMatches) { 1025 server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_3, 1026 SSL_LIBRARY_VERSION_TLS_1_3); 1027 client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_1, 1028 SSL_LIBRARY_VERSION_TLS_1_3); 1029 1030 ConfigureSelfEncrypt(); 1031 static const std::vector<SSLNamedGroup> client_groups = { 1032 ssl_grp_ec_secp384r1, ssl_grp_ec_curve25519}; 1033 static const std::vector<SSLNamedGroup> server_groups = { 1034 ssl_grp_ec_curve25519}; 1035 client_->ConfigNamedGroups(client_groups); 1036 server_->ConfigNamedGroups(server_groups); 1037 1038 auto ch1 = MakeTlsFilter<ClientHelloPreambleCapture>(client_); 1039 StartConnect(); 1040 client_->Handshake(); 1041 server_->Handshake(); 1042 1043 MakeNewServer(); 1044 auto ch2 = MakeTlsFilter<ClientHelloPreambleCapture>(client_); 1045 Handshake(); 1046 1047 EXPECT_TRUE(ch1->captured()); 1048 EXPECT_TRUE(ch2->captured()); 1049 EXPECT_EQ(ch1->contents(), ch2->contents()); 1050 } 1051 1052 // This should work, but not use HRR because the key share for x25519 was 1053 // pre-generated by the client. 1054 TEST_P(TlsKeyExchange13, ConnectEcdhePreferenceMismatchHrrExtraShares) { 1055 EnsureKeyShareSetup(); 1056 static const std::vector<SSLNamedGroup> client_groups = { 1057 ssl_grp_ec_secp384r1, ssl_grp_ec_curve25519}; 1058 static const std::vector<SSLNamedGroup> server_groups = { 1059 ssl_grp_ec_curve25519, ssl_grp_ec_secp384r1}; 1060 client_->ConfigNamedGroups(client_groups); 1061 server_->ConfigNamedGroups(server_groups); 1062 EXPECT_EQ(SECSuccess, SSL_SendAdditionalKeyShares(client_->ssl_fd(), 1)); 1063 1064 Connect(); 1065 CheckKeys(ssl_kea_ecdh, ssl_grp_ec_curve25519); 1066 CheckKEXDetails(client_groups, client_groups); 1067 } 1068 1069 // The callback should be run even if we have another reason to send 1070 // HelloRetryRequest. In this case, the server sends HRR because the server 1071 // wants an X25519 key share and the client didn't offer one. 1072 TEST_P(TlsKeyExchange13, 1073 RetryCallbackRetryWithGroupMismatchAndAdditionalShares) { 1074 EnsureKeyShareSetup(); 1075 1076 static const std::vector<SSLNamedGroup> client_groups = { 1077 ssl_grp_ec_secp256r1, ssl_grp_ec_secp384r1, ssl_grp_ec_curve25519}; 1078 client_->ConfigNamedGroups(client_groups); 1079 static const std::vector<SSLNamedGroup> server_groups = { 1080 ssl_grp_ec_curve25519}; 1081 server_->ConfigNamedGroups(server_groups); 1082 EXPECT_EQ(SECSuccess, SSL_SendAdditionalKeyShares(client_->ssl_fd(), 1)); 1083 1084 auto capture_server = 1085 std::make_shared<TlsExtensionCapture>(server_, ssl_tls13_key_share_xtn); 1086 capture_server->SetHandshakeTypes({kTlsHandshakeHelloRetryRequest}); 1087 server_->SetFilter(std::make_shared<ChainedPacketFilter>( 1088 ChainedPacketFilterInit{capture_hrr_, capture_server})); 1089 1090 size_t cb_called = 0; 1091 EXPECT_EQ(SECSuccess, SSL_HelloRetryRequestCallback(server_->ssl_fd(), 1092 RetryHello, &cb_called)); 1093 1094 // Do the first message exchange. 1095 StartConnect(); 1096 client_->Handshake(); 1097 server_->Handshake(); 1098 1099 EXPECT_EQ(1U, cb_called) << "callback should be called once here"; 1100 EXPECT_TRUE(capture_server->captured()) << "key_share extension expected"; 1101 1102 uint32_t server_group = 0; 1103 EXPECT_TRUE(capture_server->extension().Read(0, 2, &server_group)); 1104 EXPECT_EQ(ssl_grp_ec_curve25519, static_cast<SSLNamedGroup>(server_group)); 1105 1106 Handshake(); 1107 CheckConnected(); 1108 EXPECT_EQ(2U, cb_called); 1109 EXPECT_TRUE(shares_capture2_->captured()) << "client should send shares"; 1110 1111 CheckKeys(ssl_kea_ecdh, ssl_grp_ec_curve25519); 1112 static const std::vector<SSLNamedGroup> client_shares( 1113 client_groups.begin(), client_groups.begin() + 2); 1114 CheckKEXDetails(client_groups, client_shares, server_groups[0]); 1115 } 1116 1117 TEST_F(TlsConnectTest, Select12AfterHelloRetryRequest) { 1118 EnsureTlsSetup(); 1119 client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2, 1120 SSL_LIBRARY_VERSION_TLS_1_3); 1121 server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2, 1122 SSL_LIBRARY_VERSION_TLS_1_3); 1123 static const std::vector<SSLNamedGroup> client_groups = { 1124 ssl_grp_ec_secp256r1, ssl_grp_ec_secp521r1}; 1125 client_->ConfigNamedGroups(client_groups); 1126 static const std::vector<SSLNamedGroup> server_groups = { 1127 ssl_grp_ec_secp384r1, ssl_grp_ec_secp521r1}; 1128 server_->ConfigNamedGroups(server_groups); 1129 StartConnect(); 1130 1131 client_->Handshake(); 1132 server_->Handshake(); 1133 1134 // Here we replace the TLS server with one that does TLS 1.2 only. 1135 // This will happily send the client a TLS 1.2 ServerHello. 1136 server_.reset(new TlsAgent(server_->name(), TlsAgent::SERVER, variant_)); 1137 client_->SetPeer(server_); 1138 server_->SetPeer(client_); 1139 server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2, 1140 SSL_LIBRARY_VERSION_TLS_1_2); 1141 server_->StartConnect(); 1142 ExpectAlert(client_, kTlsAlertIllegalParameter); 1143 Handshake(); 1144 EXPECT_EQ(SSL_ERROR_ILLEGAL_PARAMETER_ALERT, server_->error_code()); 1145 EXPECT_EQ(SSL_ERROR_RX_MALFORMED_SERVER_HELLO, client_->error_code()); 1146 } 1147 1148 // This class increments the low byte of the first Handshake.message_seq 1149 // field in every handshake record. 1150 class MessageSeqIncrementer : public TlsRecordFilter { 1151 public: 1152 MessageSeqIncrementer(const std::shared_ptr<TlsAgent>& a) 1153 : TlsRecordFilter(a) {} 1154 1155 protected: 1156 PacketFilter::Action FilterRecord(const TlsRecordHeader& header, 1157 const DataBuffer& data, 1158 DataBuffer* changed) override { 1159 if (header.content_type() != ssl_ct_handshake) { 1160 return KEEP; 1161 } 1162 1163 *changed = data; 1164 // struct { uint8 msg_type; uint24 length; uint16 message_seq; ... } 1165 // Handshake; 1166 changed->data()[5]++; 1167 EXPECT_NE(0, changed->data()[5]); // Check for overflow. 1168 return CHANGE; 1169 } 1170 }; 1171 1172 // A server that receives a ClientHello with message_seq == 1 1173 // assumes that this is after a stateless HelloRetryRequest. 1174 // However, it should reject the ClientHello if it lacks a cookie. 1175 TEST_F(TlsConnectDatagram13, MessageSeq1ClientHello) { 1176 EnsureTlsSetup(); 1177 MakeTlsFilter<MessageSeqIncrementer>(client_); 1178 ConnectExpectAlert(server_, kTlsAlertMissingExtension); 1179 EXPECT_EQ(SSL_ERROR_MISSING_COOKIE_EXTENSION, server_->error_code()); 1180 EXPECT_EQ(SSL_ERROR_MISSING_EXTENSION_ALERT, client_->error_code()); 1181 } 1182 1183 class HelloRetryRequestAgentTest : public TlsAgentTestClient { 1184 protected: 1185 void SetUp() override { 1186 TlsAgentTestClient::SetUp(); 1187 EnsureInit(); 1188 agent_->StartConnect(); 1189 } 1190 1191 void MakeCannedHrr(const uint8_t* body, size_t len, DataBuffer* hrr_record, 1192 uint32_t seq_num = 0) const { 1193 DataBuffer hrr_data; 1194 const uint8_t ssl_hello_retry_random[] = { 1195 0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11, 0xBE, 0x1D, 0x8C, 1196 0x02, 0x1E, 0x65, 0xB8, 0x91, 0xC2, 0xA2, 0x11, 0x16, 0x7A, 0xBB, 1197 0x8C, 0x5E, 0x07, 0x9E, 0x09, 0xE2, 0xC8, 0xA8, 0x33, 0x9C}; 1198 1199 hrr_data.Allocate(len + 6); 1200 size_t i = 0; 1201 i = hrr_data.Write(i, 1202 variant_ == ssl_variant_datagram 1203 ? SSL_LIBRARY_VERSION_DTLS_1_2_WIRE 1204 : SSL_LIBRARY_VERSION_TLS_1_2, 1205 2); 1206 i = hrr_data.Write(i, ssl_hello_retry_random, 1207 sizeof(ssl_hello_retry_random)); 1208 i = hrr_data.Write(i, static_cast<uint32_t>(0), 1); // session_id 1209 i = hrr_data.Write(i, TLS_AES_128_GCM_SHA256, 2); 1210 i = hrr_data.Write(i, ssl_compression_null, 1); 1211 // Add extensions. First a length, which includes the supported version. 1212 i = hrr_data.Write(i, static_cast<uint32_t>(len) + 6, 2); 1213 // Now the supported version. 1214 i = hrr_data.Write(i, ssl_tls13_supported_versions_xtn, 2); 1215 i = hrr_data.Write(i, 2, 2); 1216 i = hrr_data.Write(i, 1217 (variant_ == ssl_variant_datagram) 1218 ? SSL_LIBRARY_VERSION_DTLS_1_3_WIRE 1219 : SSL_LIBRARY_VERSION_TLS_1_3, 1220 2); 1221 if (len) { 1222 hrr_data.Write(i, body, len); 1223 } 1224 DataBuffer hrr; 1225 MakeHandshakeMessage(kTlsHandshakeServerHello, hrr_data.data(), 1226 hrr_data.len(), &hrr, seq_num); 1227 MakeRecord(ssl_ct_handshake, SSL_LIBRARY_VERSION_TLS_1_3, hrr.data(), 1228 hrr.len(), hrr_record, seq_num); 1229 } 1230 1231 void MakeGroupHrr(SSLNamedGroup group, DataBuffer* hrr_record, 1232 uint32_t seq_num = 0) const { 1233 const uint8_t group_hrr[] = { 1234 static_cast<uint8_t>(ssl_tls13_key_share_xtn >> 8), 1235 static_cast<uint8_t>(ssl_tls13_key_share_xtn), 1236 0, 1237 2, // length of key share extension 1238 static_cast<uint8_t>(group >> 8), 1239 static_cast<uint8_t>(group)}; 1240 MakeCannedHrr(group_hrr, sizeof(group_hrr), hrr_record, seq_num); 1241 } 1242 }; 1243 1244 // Send two HelloRetryRequest messages in response to the ClientHello. The are 1245 // constructed to appear legitimate by asking for a new share in each, so that 1246 // the client has to count to work out that the server is being unreasonable. 1247 TEST_P(HelloRetryRequestAgentTest, SendSecondHelloRetryRequest) { 1248 DataBuffer hrr; 1249 MakeGroupHrr(ssl_grp_ec_secp384r1, &hrr, 0); 1250 ProcessMessage(hrr, TlsAgent::STATE_CONNECTING); 1251 MakeGroupHrr(ssl_grp_ec_secp521r1, &hrr, 1); 1252 ExpectAlert(kTlsAlertUnexpectedMessage); 1253 ProcessMessage(hrr, TlsAgent::STATE_ERROR, 1254 SSL_ERROR_RX_UNEXPECTED_HELLO_RETRY_REQUEST); 1255 } 1256 1257 // Here the client receives a HelloRetryRequest with a group that they already 1258 // provided a share for. 1259 TEST_P(HelloRetryRequestAgentTest, HandleBogusHelloRetryRequest) { 1260 DataBuffer hrr; 1261 MakeGroupHrr(ssl_grp_ec_curve25519, &hrr); 1262 ExpectAlert(kTlsAlertIllegalParameter); 1263 ProcessMessage(hrr, TlsAgent::STATE_ERROR, 1264 SSL_ERROR_RX_MALFORMED_HELLO_RETRY_REQUEST); 1265 } 1266 1267 TEST_P(HelloRetryRequestAgentTest, HandleNoopHelloRetryRequest) { 1268 DataBuffer hrr; 1269 MakeCannedHrr(nullptr, 0U, &hrr); 1270 ExpectAlert(kTlsAlertDecodeError); 1271 ProcessMessage(hrr, TlsAgent::STATE_ERROR, 1272 SSL_ERROR_RX_MALFORMED_HELLO_RETRY_REQUEST); 1273 } 1274 1275 class ReplaceRandom : public TlsHandshakeFilter { 1276 public: 1277 ReplaceRandom(const std::shared_ptr<TlsAgent>& a, const DataBuffer& r) 1278 : TlsHandshakeFilter(a, {kTlsHandshakeServerHello}), random_(r) {} 1279 1280 PacketFilter::Action FilterHandshake(const HandshakeHeader& header, 1281 const DataBuffer& input, 1282 DataBuffer* output) override { 1283 output->Assign(input); 1284 output->Write(2, random_); 1285 return CHANGE; 1286 } 1287 1288 private: 1289 DataBuffer random_; 1290 }; 1291 1292 // Make sure that the TLS 1.3 special value for the ServerHello.random 1293 // is rejected by earlier versions. 1294 TEST_P(TlsConnectStreamPre13, HrrRandomOnTls10) { 1295 static const uint8_t hrr_random[] = { 1296 0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11, 0xBE, 0x1D, 0x8C, 1297 0x02, 0x1E, 0x65, 0xB8, 0x91, 0xC2, 0xA2, 0x11, 0x16, 0x7A, 0xBB, 1298 0x8C, 0x5E, 0x07, 0x9E, 0x09, 0xE2, 0xC8, 0xA8, 0x33, 0x9C}; 1299 1300 EnsureTlsSetup(); 1301 MakeTlsFilter<ReplaceRandom>(server_, 1302 DataBuffer(hrr_random, sizeof(hrr_random))); 1303 ConnectExpectAlert(client_, kTlsAlertIllegalParameter); 1304 client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_SERVER_HELLO); 1305 server_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT); 1306 } 1307 1308 TEST_F(TlsConnectStreamTls13, HrrThenTls12) { 1309 StartConnect(); 1310 size_t cb_called = 0; 1311 EXPECT_EQ(SECSuccess, SSL_HelloRetryRequestCallback(server_->ssl_fd(), 1312 RetryHello, &cb_called)); 1313 server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2, 1314 SSL_LIBRARY_VERSION_TLS_1_3); 1315 1316 client_->Handshake(); // Send CH (1.3) 1317 server_->Handshake(); // Send HRR. 1318 EXPECT_EQ(1U, cb_called); 1319 1320 // Replace the client with a new TLS 1.2 client. Don't call Init(), since 1321 // it will artifically limit the server's vrange. 1322 client_.reset( 1323 new TlsAgent(client_->name(), TlsAgent::CLIENT, ssl_variant_stream)); 1324 client_->SetPeer(server_); 1325 server_->SetPeer(client_); 1326 client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2, 1327 SSL_LIBRARY_VERSION_TLS_1_2); 1328 1329 client_->StartConnect(); 1330 client_->Handshake(); // Send CH (1.2) 1331 ExpectAlert(server_, kTlsAlertProtocolVersion); 1332 server_->Handshake(); 1333 server_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_VERSION); 1334 client_->Handshake(); 1335 client_->CheckErrorCode(SSL_ERROR_PROTOCOL_VERSION_ALERT); 1336 } 1337 1338 TEST_F(TlsConnectStreamTls13, ZeroRttHrrThenTls12) { 1339 SetupForZeroRtt(); 1340 1341 client_->Set0RttEnabled(true); 1342 size_t cb_called = 0; 1343 EXPECT_EQ(SECSuccess, SSL_HelloRetryRequestCallback(server_->ssl_fd(), 1344 RetryHello, &cb_called)); 1345 server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2, 1346 SSL_LIBRARY_VERSION_TLS_1_3); 1347 1348 client_->Handshake(); // Send CH (1.3) 1349 ZeroRttSendReceive(true, false); 1350 server_->Handshake(); // Send HRR. 1351 EXPECT_EQ(1U, cb_called); 1352 1353 // Replace the client with a new TLS 1.2 client. Don't call Init(), since 1354 // it will artifically limit the server's vrange. 1355 client_.reset( 1356 new TlsAgent(client_->name(), TlsAgent::CLIENT, ssl_variant_stream)); 1357 client_->SetPeer(server_); 1358 server_->SetPeer(client_); 1359 client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2, 1360 SSL_LIBRARY_VERSION_TLS_1_2); 1361 1362 client_->StartConnect(); 1363 client_->Handshake(); // Send CH (1.2) 1364 ExpectAlert(server_, kTlsAlertProtocolVersion); 1365 server_->Handshake(); 1366 server_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_VERSION); 1367 client_->Handshake(); 1368 client_->CheckErrorCode(SSL_ERROR_PROTOCOL_VERSION_ALERT); 1369 1370 // Try to write something 1371 server_->Handshake(); 1372 client_->ExpectReadWriteError(); 1373 client_->SendData(1); 1374 uint8_t buf[1]; 1375 EXPECT_EQ(-1, PR_Read(server_->ssl_fd(), buf, sizeof(buf))); 1376 EXPECT_EQ(SSL_ERROR_HANDSHAKE_FAILED, PR_GetError()); 1377 } 1378 1379 TEST_F(TlsConnectStreamTls13, HrrThenTls12SupportedVersions) { 1380 SetupForZeroRtt(); 1381 client_->Set0RttEnabled(true); 1382 size_t cb_called = 0; 1383 EXPECT_EQ(SECSuccess, SSL_HelloRetryRequestCallback(server_->ssl_fd(), 1384 RetryHello, &cb_called)); 1385 server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2, 1386 SSL_LIBRARY_VERSION_TLS_1_3); 1387 1388 client_->Handshake(); // Send CH (1.3) 1389 ZeroRttSendReceive(true, false); 1390 server_->Handshake(); // Send HRR. 1391 EXPECT_EQ(1U, cb_called); 1392 1393 // Replace the client with a new TLS 1.2 client. Don't call Init(), since 1394 // it will artifically limit the server's vrange. 1395 client_.reset( 1396 new TlsAgent(client_->name(), TlsAgent::CLIENT, ssl_variant_stream)); 1397 client_->SetPeer(server_); 1398 server_->SetPeer(client_); 1399 client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_1, 1400 SSL_LIBRARY_VERSION_TLS_1_2); 1401 // Negotiate via supported_versions 1402 static const uint8_t tls12[] = {0x02, 0x03, 0x03}; 1403 auto replacer = MakeTlsFilter<TlsExtensionInjector>( 1404 client_, ssl_tls13_supported_versions_xtn, 1405 DataBuffer(tls12, sizeof(tls12))); 1406 1407 client_->StartConnect(); 1408 client_->Handshake(); // Send CH (1.2) 1409 ExpectAlert(server_, kTlsAlertProtocolVersion); 1410 server_->Handshake(); 1411 server_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_VERSION); 1412 client_->Handshake(); 1413 client_->CheckErrorCode(SSL_ERROR_PROTOCOL_VERSION_ALERT); 1414 } 1415 1416 INSTANTIATE_TEST_SUITE_P(HelloRetryRequestAgentTests, 1417 HelloRetryRequestAgentTest, 1418 ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll, 1419 TlsConnectTestBase::kTlsV13)); 1420 #ifndef NSS_DISABLE_TLS_1_3 1421 INSTANTIATE_TEST_SUITE_P(HelloRetryRequestKeyExchangeTests, TlsKeyExchange13, 1422 ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll, 1423 TlsConnectTestBase::kTlsV13)); 1424 #endif 1425 1426 } // namespace nss_test