tor-browser

ssl_keyupdate_unittest.cc (51174B)

---

/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this file,
* You can obtain one at http://mozilla.org/MPL/2.0/. */

#include "secerr.h"
#include "ssl.h"
#include "sslerr.h"
#include "sslproto.h"

extern "C" {
// This is not something that should make you happy.
#include "libssl_internals.h"
}

#include "gtest_utils.h"
#include "nss_scoped_ptrs.h"
#include "tls_connect.h"
#include "tls_filter.h"
#include "tls_parser.h"

namespace nss_test {

TEST_F(TlsConnectTest, KeyUpdateClient) {
 ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
 Connect();
 EXPECT_EQ(SECSuccess, SSL_KeyUpdate(client_->ssl_fd(), PR_FALSE));
 SendReceive(50);
 SendReceive(60);
 CheckEpochs(4, 3);
}

TEST_F(TlsConnectStreamTls13, KeyUpdateTooEarly_Client) {
 StartConnect();
 auto filter = MakeTlsFilter<TlsEncryptedHandshakeMessageReplacer>(
     server_, kTlsHandshakeFinished, kTlsHandshakeKeyUpdate);
 filter->EnableDecryption();

 client_->Handshake();
 server_->Handshake();
 ExpectAlert(client_, kTlsAlertUnexpectedMessage);
 client_->Handshake();
 client_->CheckErrorCode(SSL_ERROR_RX_UNEXPECTED_KEY_UPDATE);
 server_->Handshake();
 server_->CheckErrorCode(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT);
}

TEST_F(TlsConnectStreamTls13, KeyUpdateTooEarly_Server) {
 StartConnect();
 auto filter = MakeTlsFilter<TlsEncryptedHandshakeMessageReplacer>(
     client_, kTlsHandshakeFinished, kTlsHandshakeKeyUpdate);
 filter->EnableDecryption();

 client_->Handshake();
 server_->Handshake();
 client_->Handshake();
 ExpectAlert(server_, kTlsAlertUnexpectedMessage);
 server_->Handshake();
 server_->CheckErrorCode(SSL_ERROR_RX_UNEXPECTED_KEY_UPDATE);
 client_->Handshake();
 client_->CheckErrorCode(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT);
}

TEST_F(TlsConnectTest, KeyUpdateClientRequestUpdate) {
 ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
 Connect();
 EXPECT_EQ(SECSuccess, SSL_KeyUpdate(client_->ssl_fd(), PR_TRUE));
 // SendReceive() only gives each peer one chance to read.  This isn't enough
 // when the read on one side generates another handshake message.  A second
 // read gives each peer an extra chance to consume the KeyUpdate.
 SendReceive(50);
 SendReceive(60);  // Cumulative count.
 CheckEpochs(4, 4);
}

TEST_F(TlsConnectTest, KeyUpdateServer) {
 ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
 Connect();
 EXPECT_EQ(SECSuccess, SSL_KeyUpdate(server_->ssl_fd(), PR_FALSE));
 SendReceive(50);
 SendReceive(60);
 CheckEpochs(3, 4);
}

TEST_F(TlsConnectTest, KeyUpdateServerRequestUpdate) {
 ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
 Connect();
 EXPECT_EQ(SECSuccess, SSL_KeyUpdate(server_->ssl_fd(), PR_TRUE));
 SendReceive(50);
 SendReceive(60);
 CheckEpochs(4, 4);
}

TEST_F(TlsConnectTest, KeyUpdateConsecutiveRequests) {
 ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
 Connect();
 EXPECT_EQ(SECSuccess, SSL_KeyUpdate(server_->ssl_fd(), PR_TRUE));
 EXPECT_EQ(SECSuccess, SSL_KeyUpdate(server_->ssl_fd(), PR_TRUE));
 SendReceive(50);
 SendReceive(60);
 // The server should have updated twice, but the client should have declined
 // to respond to the second request from the server, since it doesn't send
 // anything in between those two requests.
 CheckEpochs(4, 5);
}

// Check that a local update can be immediately followed by a remotely triggered
// update even if there is no use of the keys.
TEST_F(TlsConnectTest, KeyUpdateLocalUpdateThenConsecutiveRequests) {
 ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
 Connect();
 // This should trigger an update on the client.
 EXPECT_EQ(SECSuccess, SSL_KeyUpdate(client_->ssl_fd(), PR_FALSE));
 // The client should update for the first request.
 EXPECT_EQ(SECSuccess, SSL_KeyUpdate(server_->ssl_fd(), PR_TRUE));
 // ...but not the second.
 EXPECT_EQ(SECSuccess, SSL_KeyUpdate(server_->ssl_fd(), PR_TRUE));
 SendReceive(50);
 SendReceive(60);
 // Both should have updated twice.
 CheckEpochs(5, 5);
}

TEST_F(TlsConnectTest, KeyUpdateMultiple) {
 ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
 Connect();
 EXPECT_EQ(SECSuccess, SSL_KeyUpdate(server_->ssl_fd(), PR_FALSE));
 EXPECT_EQ(SECSuccess, SSL_KeyUpdate(server_->ssl_fd(), PR_TRUE));
 EXPECT_EQ(SECSuccess, SSL_KeyUpdate(server_->ssl_fd(), PR_FALSE));
 EXPECT_EQ(SECSuccess, SSL_KeyUpdate(client_->ssl_fd(), PR_FALSE));
 SendReceive(50);
 SendReceive(60);
 CheckEpochs(5, 6);
}

// Both ask the other for an update, and both should react.
TEST_F(TlsConnectTest, KeyUpdateBothRequest) {
 ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
 Connect();
 EXPECT_EQ(SECSuccess, SSL_KeyUpdate(client_->ssl_fd(), PR_TRUE));
 EXPECT_EQ(SECSuccess, SSL_KeyUpdate(server_->ssl_fd(), PR_TRUE));
 SendReceive(50);
 SendReceive(60);
 CheckEpochs(5, 5);
}

// If the sequence number exceeds the number of writes before an automatic
// update (currently 3/4 of the max records for the cipher suite), then the
// stack should send an update automatically (but not request one).
TEST_F(TlsConnectTest, KeyUpdateAutomaticOnWrite) {
 ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
 ConnectWithCipherSuite(TLS_AES_128_GCM_SHA256);

 // Set this to one below the write threshold.
 uint64_t threshold = (0x5aULL << 28) * 3 / 4;
 EXPECT_EQ(SECSuccess,
           SSLInt_AdvanceWriteSeqNum(client_->ssl_fd(), threshold));
 EXPECT_EQ(SECSuccess, SSLInt_AdvanceReadSeqNum(server_->ssl_fd(), threshold));

 // This should be OK.
 client_->SendData(10);
 server_->ReadBytes();

 // This should cause the client to update.
 client_->SendData(20);
 server_->ReadBytes();

 SendReceive(100);
 CheckEpochs(4, 3);
}

// If the sequence number exceeds a certain number of reads (currently 7/8 of
// the max records for the cipher suite), then the stack should send AND request
// an update automatically.  However, the sender (client) will be above its
// automatic update threshold, so the KeyUpdate - that it sends with the old
// cipher spec - will exceed the receiver (server) automatic update threshold.
// The receiver gets a packet with a sequence number over its automatic read
// update threshold.  Even though the sender has updated, the code that checks
// the sequence numbers at the receiver doesn't know this and it will request an
// update.  This causes two updates: one from the sender (without requesting a
// response) and one from the receiver (which does request a response).
TEST_F(TlsConnectTest, KeyUpdateAutomaticOnRead) {
 ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
 ConnectWithCipherSuite(TLS_AES_128_GCM_SHA256);

 // Move to right at the read threshold.  Unlike the write test, we can't send
 // packets because that would cause the client to update, which would spoil
 // the test.
 uint64_t threshold = ((0x5aULL << 28) * 7 / 8) + 1;
 EXPECT_EQ(SECSuccess,
           SSLInt_AdvanceWriteSeqNum(client_->ssl_fd(), threshold));
 EXPECT_EQ(SECSuccess, SSLInt_AdvanceReadSeqNum(server_->ssl_fd(), threshold));

 // This should cause the client to update, but not early enough to prevent the
 // server from updating also.
 client_->SendData(10);
 server_->ReadBytes();

 // Need two SendReceive() calls to ensure that the update that the server
 // requested is properly generated and consumed.
 SendReceive(70);
 SendReceive(80);
 CheckEpochs(5, 4);
}

// Filter to modify KeyUpdate message. Takes as an input which byte and what
// value to install.
class TLSKeyUpdateDamager : public TlsRecordFilter {
public:
 TLSKeyUpdateDamager(const std::shared_ptr<TlsAgent>& a, size_t byte,
                     uint8_t val)
     : TlsRecordFilter(a), offset_(byte), value_(val) {}

protected:
 PacketFilter::Action FilterRecord(const TlsRecordHeader& header,
                                   const DataBuffer& record, size_t* offset,
                                   DataBuffer* output) override {
   if (!header.is_protected()) {
     return KEEP;
   }
   uint16_t protection_epoch;
   uint8_t inner_content_type;
   DataBuffer plaintext;
   TlsRecordHeader out_header;

   if (!Unprotect(header, record, &protection_epoch, &inner_content_type,
                  &plaintext, &out_header)) {
     return KEEP;
   }

   if (inner_content_type != ssl_ct_handshake) {
     return KEEP;
   }

   if (plaintext.data()[0] != ssl_hs_key_update) {
     return KEEP;
   }

   if (offset_ >= plaintext.len()) {
     ADD_FAILURE() << "TLSKeyUpdateDamager: the input (offset_) is out "
                      "of the range (the expected len is equal to "
                   << plaintext.len() << ")." << std::endl;
     return KEEP;
   }

   plaintext.data()[offset_] = value_;
   DataBuffer ciphertext;
   bool ok = Protect(spec(protection_epoch), out_header, inner_content_type,
                     plaintext, &ciphertext, &out_header);
   if (!ok) {
     ADD_FAILURE() << "Unable to protect the plaintext using  "
                   << protection_epoch << "epoch. " << std::endl;
     return KEEP;
   }
   *offset = out_header.Write(output, *offset, ciphertext);
   return CHANGE;
 }

protected:
 size_t offset_;
 uint8_t value_;
};

// The next tests check the behaviour in case of malformed KeyUpdate.
// The first test, TLSKeyUpdateWrongValueForUpdateRequested,
// modifies the 4th byte (KeyUpdate) to have the incorrect value.
// The last tests check the incorrect values of the length.

// RFC 8446: 4.  Handshake Protocol
//    struct {
//          HandshakeType msg_type;     handshake type
//          uint24 length;              remaining bytes in message
//          select (Handshake.msg_type) {
//              case key_update:            KeyUpdate; (4th byte)
//          };
//      } Handshake;

TEST_F(TlsConnectStreamTls13, TLSKeyUpdateWrongValueForUpdateRequested) {
 EnsureTlsSetup();
 // This test is setting the update_requested to be equal to 2
 // Whereas the allowed values are [0, 1].
 auto filter = MakeTlsFilter<TLSKeyUpdateDamager>(client_, 4, 2);
 filter->EnableDecryption();
 filter->Disable();
 Connect();

 filter->Enable();
 SSL_KeyUpdate(client_->ssl_fd(), PR_FALSE);
 filter->Disable();

 ExpectAlert(server_, kTlsAlertDecodeError);
 client_->ExpectReceiveAlert(kTlsAlertDecodeError);

 server_->ExpectReadWriteError();
 client_->ExpectReadWriteError();
 server_->ReadBytes();
 client_->ReadBytes();

 server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_KEY_UPDATE);
 client_->CheckErrorCode(SSL_ERROR_DECODE_ERROR_ALERT);

 // Even if the client has updated his writing key,
 client_->CheckEpochs(3, 4);
 // the server has not.
 server_->CheckEpochs(3, 3);
}

TEST_F(TlsConnectStreamTls13, TLSKeyUpdateWrongValueForLength_MessageTooLong) {
 EnsureTlsSetup();
 // the first byte of the length was replaced with 0xff.
 // The message now is too long.
 auto filter = MakeTlsFilter<TLSKeyUpdateDamager>(client_, 1, 0xff);
 filter->EnableDecryption();
 filter->Disable();
 Connect();

 filter->Enable();
 SSL_KeyUpdate(client_->ssl_fd(), PR_FALSE);
 filter->Disable();

 ExpectAlert(server_, kTlsAlertDecodeError);
 client_->ExpectReceiveAlert(kTlsAlertDecodeError);

 server_->ExpectReadWriteError();
 client_->ExpectReadWriteError();
 server_->ReadBytes();
 client_->ReadBytes();

 server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_HANDSHAKE);
 client_->CheckErrorCode(SSL_ERROR_DECODE_ERROR_ALERT);

 // Even if the client has updated his writing key,
 client_->CheckEpochs(3, 4);
 // the server has not.
 server_->CheckEpochs(3, 3);
}

TEST_F(TlsConnectStreamTls13, TLSKeyUpdateWrongValueForLength_MessageTooShort) {
 EnsureTlsSetup();
 // Changing the value of length of the KU message to be shorter than the
 // correct one.
 auto filter = MakeTlsFilter<TLSKeyUpdateDamager>(client_, 0x3, 0x00);
 filter->EnableDecryption();
 filter->Disable();
 Connect();

 filter->Enable();
 SSL_KeyUpdate(client_->ssl_fd(), PR_FALSE);
 filter->Disable();

 ExpectAlert(server_, kTlsAlertDecodeError);
 client_->ExpectReceiveAlert(kTlsAlertCloseNotify);

 client_->SendData(10);
 server_->ReadBytes();
}

// DTLS1.3 tests

// The KeyUpdate in DTLS1.3 workflow (with the update_requested set):

// Client(P1) is asking for KeyUpdate
// Here the second parameter states whether the P1 requires update_requested
// (RFC9147, Section 8).
// EXPECT_EQ(SECSuccess, SSL_KeyUpdate(client_->ssl_fd(),
// PR_FALSE));

// The server (P2) receives the KeyUpdate request and processes it.
// server_->ReadBytes();

// P2 sends ACK.
// SSLInt_SendImmediateACK(server_->ssl_fd());

// P1 receives ACK and finished the KeyUpdate:
// client_->ReadBytes();

// This function sends and proceeds KeyUpdate explained above (assuming
// updateRequested == PR_FALSE) For the explantation of the updateRequested look
// at the test DTLSKeyUpdateClientUpdateRequestedSucceed.*/
static void SendAndProcessKU(const std::shared_ptr<TlsAgent>& sender,
                            const std::shared_ptr<TlsAgent>& receiver,
                            bool updateRequested) {
 EXPECT_EQ(SECSuccess, SSL_KeyUpdate(sender->ssl_fd(), updateRequested));
 receiver->ReadBytes();
 // It takes some time to send an ack message, so here we send it immediately
 SSLInt_SendImmediateACK(receiver->ssl_fd());
 sender->ReadBytes();
 if (updateRequested) {
   SSLInt_SendImmediateACK(sender->ssl_fd());
   receiver->ReadBytes();
 }
}

// This test checks that after the execution of KeyUpdate started by the client,
// the writing client/reading server key epoch was incremented.
// RFC 9147. Section 4.
// However, this value is set [...] of the connection epoch,
// which is an [...] counter incremented on every KeyUpdate.
TEST_F(TlsConnectDatagram13, DTLSKU_ClientKUSucceed) {
 Connect();
 CheckEpochs(3, 3);
 //  Client starts KeyUpdate
 //  The updateRequested is not requested.
 SendAndProcessKU(client_, server_, PR_FALSE);
 //  The KeyUpdate is finished, and the client writing spec/the server reading
 //  spec is incremented.
 CheckEpochs(4, 3);
 //  Check that we can send/receive data after KeyUpdate.
 SendReceive(50);
}

// This test checks that only one KeyUpdate is possible at the same time.
// RFC 9147 Section 5.8.4
// In contrast, implementations MUST NOT send KeyUpdate, NewConnectionId, or
// RequestConnectionId messages if an earlier message of the same type has not
// yet been acknowledged.
TEST_F(TlsConnectDatagram13, DTLSKU_ClientKUTwiceOnceIgnored) {
 Connect();
 CheckEpochs(3, 3);
 //  Client sends a key update message.
 EXPECT_EQ(SECSuccess, SSL_KeyUpdate(client_->ssl_fd(), PR_FALSE));
 // The second key update message will be ignored as there is KeyUpdate in
 //  progress.
 EXPECT_EQ(SECSuccess, SSL_KeyUpdate(client_->ssl_fd(), PR_FALSE));
 //  For the workflow see ssl_KeyUpdate_unittest.cc:SendAndProcessKU.
 server_->ReadBytes();
 SSLInt_SendImmediateACK(server_->ssl_fd());
 client_->ReadBytes();
 //  As only one KeyUpdate was executed, the key epoch was incremented only
 //  once.
 CheckEpochs(4, 3);
 SendReceive(50);
}

// This test checks the same as the test DTLSKeyUpdateClientKeyUpdateSucceed,
// except that the server sends KeyUpdate.
TEST_F(TlsConnectDatagram13, DTLSKU_ServerKUSucceed) {
 Connect();
 CheckEpochs(3, 3);
 SendAndProcessKU(server_, client_, PR_FALSE);
 CheckEpochs(3, 4);
 SendReceive(50);
}

// This test checks the same as the test
// DTLSKeyUpdateClientKeyUpdateTwiceOnceIgnored, except that the server sends
// KeyUpdate.
TEST_F(TlsConnectDatagram13, DTLSKU_PreviousKUNotYetACKed) {
 Connect();
 CheckEpochs(3, 3);
 EXPECT_EQ(SECSuccess, SSL_KeyUpdate(server_->ssl_fd(), PR_FALSE));
 // The second key update message will be ignored
 EXPECT_EQ(SECSuccess, SSL_KeyUpdate(server_->ssl_fd(), PR_FALSE));

 client_->ReadBytes();
 SSLInt_SendImmediateACK(client_->ssl_fd());
 server_->ReadBytes();

 CheckEpochs(3, 4);
 // Checking that we still can send/receive data.
 SendReceive(50);
}

// This test checks that if we receive two KeyUpdates, one will be ignored
TEST_F(TlsConnectDatagram13, DTLSKU_TwiceReceivedOnceIgnored) {
 Connect();
 CheckEpochs(3, 3);
 auto filter = MakeTlsFilter<TLSRecordSaveAndDropNext>(server_);
 EXPECT_EQ(SECSuccess, SSL_KeyUpdate(server_->ssl_fd(), PR_FALSE));

 // Here we check that there was no KeyUpdate happened
 client_->ReadBytes();
 SSLInt_SendImmediateACK(client_->ssl_fd());
 server_->ReadBytes();
 CheckEpochs(3, 3);

 DataBuffer d = filter->ReturnRecorded();
 // Sending the recorded KeyUpdate
 server_->SendDirect(d);
 // Sending the KeyUpdate again
 server_->SendDirect(d);

 client_->ReadBytes();
 SSLInt_SendImmediateACK(client_->ssl_fd());
 server_->ReadBytes();

 // We observe that only one KeyUpdate has happened
 CheckEpochs(3, 4);
 // Checking that we still can send/receive data.
 SendReceive(50);
}

// The KeyUpdate in DTLS1.3 workflow (with the update_requested set):

// Client(P1) is asking for KeyUpdate
// EXPECT_EQ(SECSuccess, SSL_KeyUpdate(client_->ssl_fd(), PR_TRUE));

// The server (P2) receives and processes the KeyUpdate request
// At the same time, P2 sends its own KeyUpdate request (due to update_requested
// was set)
// server_->ReadBytes();

// P1 receives the ACK and finalizes the KeyUpdate.
// SSLInt_SendImmediateACK(server_->ssl_fd());

// P1 receives the KeyUpdate request and processes it.
// client_->ReadBytes();

// P2 receives the ACK and finalizes the KeyUpdate.
// SSLInt_SendImmediateACK(client_->ssl_fd());
// server_->ReadBytes();

// This test checks that after the KeyUpdate (with update requested set)
// both client w/r and server w/r key epochs were incremented.
TEST_F(TlsConnectDatagram13, DTLSKU_UpdateRequestedSucceed) {
 Connect();
 CheckEpochs(3, 3);
 // Here the second parameter sets the update_requested to true.
 SendAndProcessKU(client_, server_, PR_TRUE);
 // As there were two KeyUpdates executed (one by a client, another one by a
 // server) Both of the keys were modified.
 CheckEpochs(4, 4);
 // Checking that we still can send/receive data.
 SendReceive(50);
}

// This test checks that after two KeyUpdates (with update requested set)
// the keys epochs were incremented twice.
TEST_F(TlsConnectDatagram13, DTLSKU_UpdateRequestedTwiceSucceed) {
 Connect();
 CheckEpochs(3, 3);
 SendAndProcessKU(client_, server_, PR_TRUE);
 // The KeyUpdate is finished, so both of the epochs got incremented.
 CheckEpochs(4, 4);
 SendAndProcessKU(client_, server_, PR_TRUE);
 // The second KeyUpdate is finished, so finally the epochs were incremented
 // twice.
 CheckEpochs(5, 5);
 // Checking that we still can send/receive data.
 SendReceive(50);
}

// This test checks the same as the test DTLSKeyUpdateUpdateRequestedSucceed,
// except that the server sends KeyUpdate.
TEST_F(TlsConnectDatagram13, DTLSKU_ServerUpdateRequestedSucceed) {
 Connect();
 CheckEpochs(3, 3);
 SendAndProcessKU(server_, client_, PR_TRUE);
 CheckEpochs(4, 4);
 SendReceive(50);
}

// This test checks that after two KeyUpdates (with update requested set)
// the keys epochs were incremented twice.
TEST_F(TlsConnectDatagram13, DTLSKU_ServerUpdateRequestedTwiceSucceed) {
 Connect();
 CheckEpochs(3, 3);
 SendAndProcessKU(server_, client_, PR_TRUE);
 // The KeyUpdate is finished, so both of the epochs got incremented.
 CheckEpochs(4, 4);

 // Server sends another KeyUpdate
 SendAndProcessKU(server_, client_, PR_TRUE);
 // The second KeyUpdate is finished, so finally the epochs were incremented
 // twice.
 CheckEpochs(5, 5);
 // Checking that we still can send/receive data.
 SendReceive(50);
}

// This test checks that both client and server can send the KeyUpdate in
// consequence.
TEST_F(TlsConnectDatagram13, DTLSKU_ClientServerConseqSucceed) {
 Connect();
 CheckEpochs(3, 3);
 SendAndProcessKU(client_, server_, PR_FALSE);
 // As the server initiated KeyUpdate and did not request an update_request,
 // Only the server writing/client reading key epoch was incremented.
 CheckEpochs(4, 3);
 SendAndProcessKU(server_, client_, PR_FALSE);
 // Now the client initiated KeyUpdate and did not request an update_request,
 // so now both of epochs got incremented.
 CheckEpochs(4, 4);
 // Checking that we still can send/receive data.
 SendReceive(50);
}

// This test checks that both client and server can send the KeyUpdate in
// consequence. Compared to the DTLSKeyUpdateClientServerConseqSucceed TV, this
// time both parties set update_requested to be true.
TEST_F(TlsConnectDatagram13, DTLSKU_ClientServerUpdateRequestedBothSucceed) {
 Connect();
 CheckEpochs(3, 3);
 SendAndProcessKU(client_, server_, PR_TRUE);
 SendAndProcessKU(server_, client_, PR_TRUE);
 // The second KeyUpdate (update_request = True) increments again the epochs
 // of both keys.
 CheckEpochs(5, 5);
 // Checking that we still can send/receive data.
 SendReceive(50);
}

// This test checks that if there is an ongoing KeyUpdate, the one started
// durint the KU is not going to be executed.
TEST_F(TlsConnectDatagram13, DTLSKU_KUInTheMiddleIsRejected) {
 Connect();
 CheckEpochs(3, 3);
 EXPECT_EQ(SECSuccess, SSL_KeyUpdate(server_->ssl_fd(), PR_TRUE));
 client_->ReadBytes();
 SSLInt_SendImmediateACK(client_->ssl_fd());
 // Here a client starts KeyUpdate at the same time as the ongoing KeyUpdate
 // This KeyUpdate will not execute
 EXPECT_EQ(SECSuccess, SSL_KeyUpdate(client_->ssl_fd(), PR_TRUE));
 server_->ReadBytes();
 SSLInt_SendImmediateACK(server_->ssl_fd());
 client_->ReadBytes();
 // As there was only one KeyUpdate executed, both keys got incremented only
 // once.
 CheckEpochs(4, 4);
 // Checking that we still can send/receive data.
 SendReceive(50);
}

// DTLS1.3 KeyUpdate - Immediate Send Tests.

// The expected behaviour of the protocol:
// P1 starts initiates KeyUpdate
// P2 receives KeyUpdate
// And this moment, P2 will update the reading key to n
// But P2 will be accepting the keys from the previous epoch until a new message
// encrypted with the epoch n arrives.

// This test checks that when a client sent KeyUpdate, but the KeyUpdate message
// was not yet received, client can still send data.
TEST_F(TlsConnectDatagram13, DTLSKU_ClientImmediateSend) {
 Connect();
 // Client has initiated KeyUpdate
 EXPECT_EQ(SECSuccess, SSL_KeyUpdate(client_->ssl_fd(), PR_FALSE));
 // Server has not yet received it, client is trying to send some additional
 // data.
 CheckEpochs(3, 3);
 client_->SendData(10);
 // Server successfully receives it.
 WAIT_(server_->received_bytes() == 10, 2000);
 ASSERT_EQ((size_t)10, server_->received_bytes());
 SendReceive(50);
}

// This test checks that when a client sent KeyUpdate, but the KeyUpdate message
// was not yet received, it can still receive data.
TEST_F(TlsConnectDatagram13, DTLSKU_ServerImmediateSend) {
 Connect();
 // Client has initiated KeyUpdate
 EXPECT_EQ(SECSuccess, SSL_KeyUpdate(client_->ssl_fd(), PR_FALSE));
 // The server can successfully send data.
 CheckEpochs(3, 3);
 server_->SendData(10);
 WAIT_(client_->received_bytes() == 10, 2000);
 ASSERT_EQ((size_t)10, client_->received_bytes());
 SendReceive(50);
}

// This test checks that when a client sent KeyUpdate,
// the server has not yet sent an ACK and the client has not yet ACKed
// KeyUpdate, both parties can exchange data.
TEST_F(TlsConnectDatagram13, DTLSKU_ClientImmediateSendAfterServerRead) {
 Connect();
 // Client has initiated KeyUpdate
 EXPECT_EQ(SECSuccess, SSL_KeyUpdate(client_->ssl_fd(), PR_FALSE));
 // Server receives KeyUpdate
 server_->ReadBytes();
 // Client can send data before the server sending ACK and client receiving
 // * ACK messages
 // Only server keys got updated.
 server_->CheckEpochs(4, 3);
 client_->CheckEpochs(3, 3);
 client_->SendData(10);
 WAIT_(server_->received_bytes() == 10, 2000);
 ASSERT_EQ((size_t)10, server_->received_bytes());
 // Server can send data
 server_->SendData(10);
 WAIT_(client_->received_bytes() == 10, 2000);
 ASSERT_EQ((size_t)10, client_->received_bytes());
 SendReceive(50);
}

// This test checks that when a client sent KeyUpdate, but has not yet ACKed it,
// both parties can exchange data.
TEST_F(TlsConnectDatagram13, DTLSKU_ClientImmediateSendAfterServerReadAndACK) {
 Connect();
 CheckEpochs(3, 3);
 // Client has initiated KeyUpdate
 EXPECT_EQ(SECSuccess, SSL_KeyUpdate(client_->ssl_fd(), PR_FALSE));
 // Server receives KeyUpdate
 server_->ReadBytes();
 // Server sends ACK
 SSLInt_SendImmediateACK(server_->ssl_fd());
 // Client can send data before he has received KeyUpdate
 // Only server keys got updated.
 server_->CheckEpochs(4, 3);
 client_->CheckEpochs(3, 3);
 client_->SendData(10);
 WAIT_(server_->received_bytes() == 10, 2000);
 ASSERT_EQ((size_t)10, server_->received_bytes());
 // Server can send data
 server_->SendData(10);
 WAIT_(client_->received_bytes() == 10, 2000);
 ASSERT_EQ((size_t)10, client_->received_bytes());
 SendReceive(50);
}

// This test checks that the client writing epoch is updated only
// when the client has received the ACK.
// RFC 9147. Section 8
// As with other handshake messages with no built-in response, KeyUpdates MUST
// be acknowledged.
TEST_F(TlsConnectDatagram13, DTLSKU_ClientWritingEpochUpdatedAfterReceivedACK) {
 Connect();
 // Previous epoch
 CheckEpochs(3, 3);
 // Client sends a KeyUpdate
 EXPECT_EQ(SECSuccess, SSL_KeyUpdate(client_->ssl_fd(), PR_FALSE));
 // Server updates his reading key
 server_->ReadBytes();
 // Now the server has a reading key = 4
 server_->CheckEpochs(4, 3);
 // But the client has a writing key = 3
 client_->CheckEpochs(3, 3);

 // Client sends a data, but using the old (3) keys
 client_->SendData(10);
 WAIT_(server_->received_bytes() == 10, 2000);
 ASSERT_EQ((size_t)10, server_->received_bytes());

 server_->CheckEpochs(4, 3);
 client_->CheckEpochs(3, 3);

 SSLInt_SendImmediateACK(server_->ssl_fd());
 client_->ReadBytes();

 CheckEpochs(4, 3);
 SendReceive(50);
}

// DTLS1.3 KeyUpdate - Testing the border conditions
// (i.e. the cases where we reached the highest epoch).

// This test checks that the maximum epoch will not be exceeded on KeyUpdate.
// RFC 9147. Section 8.
// In order to provide an extra margin of security,
// sending implementations MUST NOT allow the epoch to exceed 2^48-1.

// Here we use the maximum as 2^16,
// See bug https://bugzilla.mozilla.org/show_bug.cgi?id=1809872
// When the bug is solved, the constant is to be replaced with 2^48 as
// required by RFC.
TEST_F(TlsConnectDatagram13, DTLSKU_ClientMaxEpochReached) {
 Connect();
 CheckEpochs(3, 3);
 PRUint64 max_epoch_type = (0x1ULL << 16) - 1;

 // We assign the maximum possible epochs
 EXPECT_EQ(SECSuccess,
           SSLInt_AdvanceWriteEpochNum(client_->ssl_fd(), max_epoch_type));
 EXPECT_EQ(SECSuccess,
           SSLInt_AdvanceReadEpochNum(server_->ssl_fd(), max_epoch_type));
 CheckEpochs(max_epoch_type, 3);
 // Upon trying to execute KeyUpdate, we return a SECFailure.
 EXPECT_EQ(SECFailure, SSL_KeyUpdate(client_->ssl_fd(), PR_FALSE));
 SendReceive(50);
}

// This test checks the compliance with the RFC 9147 stating the behaviour
// reaching the max epoch: RFC 9147 Section 8. If a sending implementation
// receives a KeyUpdate with request_update set to "update_requested", it MUST
// NOT send its own KeyUpdate if that would cause it to exceed these limits and
// SHOULD instead ignore the "update_requested" flag.
TEST_F(TlsConnectDatagram13, DTLSKU_ClientMaxEpochReachedUpdateRequested) {
 Connect();
 CheckEpochs(3, 3);

 PRUint64 max_epoch_type = (0x1ULL << 16) - 1;

 // We assign the maximum possible epochs - 1.
 EXPECT_EQ(SECSuccess,
           SSLInt_AdvanceWriteEpochNum(client_->ssl_fd(), max_epoch_type));
 EXPECT_EQ(SECSuccess,
           SSLInt_AdvanceReadEpochNum(server_->ssl_fd(), max_epoch_type));

 CheckEpochs(max_epoch_type, 3);
 // Once we call KeyUpdate with update requested
 EXPECT_EQ(SECSuccess, SSL_KeyUpdate(server_->ssl_fd(), PR_TRUE));
 client_->ReadBytes();
 SSLInt_SendImmediateACK(client_->ssl_fd());
 server_->ReadBytes();
 SSLInt_SendImmediateACK(server_->ssl_fd());
 client_->ReadBytes();
 // Only one key (that has not reached the maximum epoch) was updated.
 CheckEpochs(max_epoch_type, 4);
 SendReceive(50);
}

// DTLS1.3 KeyUpdate - Automatic update tests

// RFC 9147 Section 4.5.3.
// Implementations SHOULD NOT protect more records than allowed by the limit
// specified for the negotiated AEAD.
// Implementations SHOULD initiate a key update before reaching this limit.

// These two tests check that the KeyUpdate is automatically called upon
// reaching the reading/writing limit.
TEST_F(TlsConnectDatagram13, DTLSKU_AutomaticOnWrite) {
 ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
 ConnectWithCipherSuite(TLS_AES_128_GCM_SHA256);
 CheckEpochs(3, 3);

 // Set this to one below the write threshold.
 uint64_t threshold = 0x438000000;
 EXPECT_EQ(SECSuccess,
           SSLInt_AdvanceWriteSeqNum(client_->ssl_fd(), threshold));
 EXPECT_EQ(SECSuccess, SSLInt_AdvanceReadSeqNum(server_->ssl_fd(), threshold));

 // This should be OK.
 client_->SendData(10);
 server_->ReadBytes();

 // This should cause the client to update.
 client_->SendData(15);
 server_->ReadBytes();
 SSLInt_SendImmediateACK(server_->ssl_fd());
 client_->ReadBytes();

 // The client key epoch was incremented.
 CheckEpochs(4, 3);
 // Checking that we still can send/receive data.
 SendReceive(100);
}

TEST_F(TlsConnectDatagram13, DTLSKU_AutomaticOnRead) {
 ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
 ConnectWithCipherSuite(TLS_AES_128_GCM_SHA256);
 CheckEpochs(3, 3);

 // Set this to one below the read threshold.
 uint64_t threshold = 0x4ec000000 - 1;
 EXPECT_EQ(SECSuccess,
           SSLInt_AdvanceWriteSeqNum(client_->ssl_fd(), threshold));
 EXPECT_EQ(SECSuccess, SSLInt_AdvanceReadSeqNum(server_->ssl_fd(), threshold));

 auto filter = MakeTlsFilter<TLSRecordSaveAndDropNext>(client_);
 client_->SendData(10);
 DataBuffer d = filter->ReturnRecorded();

 client_->SendDirect(d);
 // This message will cause the server to start KeyUpdate with updateRequested
 // = 1.
 server_->ReadBytes();

 SSLInt_SendImmediateACK(server_->ssl_fd());
 client_->ReadBytes();
 SSLInt_SendImmediateACK(client_->ssl_fd());
 server_->ReadBytes();

 // Both keys got updated.
 CheckEpochs(4, 4);
 // Checking that we still can send/receive data.
 SendReceive(100);
}

// The test describes the situation when there was a request
// to execute an automatic KU, but the server has not responded.
TEST_F(TlsConnectDatagram13, DTLSKU_CanSendBeforeThreshold) {
 ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
 ConnectWithCipherSuite(TLS_AES_128_GCM_SHA256);
 CheckEpochs(3, 3);

 uint64_t threshold = 0x5a0000000 - 2;
 EXPECT_EQ(SECSuccess,
           SSLInt_AdvanceWriteSeqNum(client_->ssl_fd(), threshold));
 EXPECT_EQ(SECSuccess, SSLInt_AdvanceReadSeqNum(server_->ssl_fd(), threshold));

 size_t received_bytes = server_->received_bytes();
 // We still can send a message
 client_->SendData(15);

 // We can not send a message anymore
 client_->ExpectReadWriteError();
 client_->SendData(105);

 server_->ReadBytes();
 // And it was not received.
 ASSERT_EQ((size_t)received_bytes + 15, server_->received_bytes());
}

TEST_F(TlsConnectDatagram13, DTLSKU_DiscardAfterThreshold) {
 ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
 ConnectWithCipherSuite(TLS_AES_128_GCM_SHA256);
 CheckEpochs(3, 3);

 uint64_t threshold = 0x5a0000000 - 3;
 EXPECT_EQ(SECSuccess,
           SSLInt_AdvanceWriteSeqNum(client_->ssl_fd(), threshold));
 EXPECT_EQ(SECSuccess, SSLInt_AdvanceReadSeqNum(server_->ssl_fd(), threshold));

 size_t received_bytes = server_->received_bytes();

 auto filter = MakeTlsFilter<TLSRecordSaveAndDropNext>(client_);
 client_->SendData(30);
 DataBuffer d = filter->ReturnRecorded();

 client_->SendDirect(d);
 client_->SendDirect(d);

 server_->ReadBytes();
 // Only one message was received.
 ASSERT_EQ((size_t)received_bytes + 30, server_->received_bytes());
}

// DTLS1.3 KeyUpdate - Managing previous epoch messages
// RFC 9147 Section 8.
// Due to the possibility of an ACK message for a KeyUpdate being lost
// and thereby preventing the sender of the KeyUpdate from updating its
// keying material, receivers MUST retain the pre-update keying material
// until receipt and successful decryption of a message using the new
// keys.

// This test checks that message encrypted with the key n-1 will be accepted
// after KeyUpdate is executed, but before the message n has arrived.
TEST_F(TlsConnectDatagram13, DTLSKU_PreviousEpochIsAcceptedBeforeNew) {
 size_t len = 10;

 Connect();
 // Client starts KeyUpdate
 EXPECT_EQ(SECSuccess, SSL_KeyUpdate(client_->ssl_fd(), PR_FALSE));
 // Server receives KeyUpdate and sends ACK
 server_->ReadBytes();
 SSLInt_SendImmediateACK(server_->ssl_fd());
 // Client has not yet received the ACK, so the writing key epoch has not
 // changed
 client_->CheckEpochs(3, 3);
 server_->CheckEpochs(4, 3);

 auto filter = MakeTlsFilter<TLSRecordSaveAndDropNext>(client_);

 // Here the message previousEpochMessageBuffer contains a message
 // encrypted with the client 3rd epoch key, m1 = enc(message, key_3)
 client_->SendData(len);
 DataBuffer d = filter->ReturnRecorded();

 // Client has received the ACK
 client_->ReadBytes();
 // Now he updates the writing Key to 4
 client_->CheckEpochs(3, 4);
 server_->CheckEpochs(4, 3);

 // And now we resend the message m1 and successfully receive it
 client_->SendDirect(d);
 WAIT_(server_->received_bytes() == len, 2000);
 ASSERT_EQ(len, server_->received_bytes());
 // Checking that we still can send/receive data.
 SendReceive(50);
}

// This test checks that message encrypted with the key n-2 will not be accepted
// after KeyUpdate is executed, but before the message n has arrived.
TEST_F(TlsConnectDatagram13, DTLSKU_2EpochsAgoIsRejected) {
 size_t len = 10;

 Connect();
 CheckEpochs(3, 3);
 auto filter = MakeTlsFilter<TLSRecordSaveAndDropNext>(client_);
 client_->SendData(len);
 DataBuffer d = filter->ReturnRecorded();
 client_->ResetSentBytes();

 SendAndProcessKU(client_, server_, PR_FALSE);
 SendAndProcessKU(client_, server_, PR_FALSE);

 // Executing 2 KeyUpdates, so the client writing key is equal to 5 now
 CheckEpochs(5, 3);
 // And now we resend the message m1 encrypted with the key n-2 (3)
 client_->SendDirect(d);
 server_->ReadBytes();
 // Server has still received just legal_message_len of bytes (not the
 // previousEpochLen + legal_message_len)
 ASSERT_EQ((size_t)0, server_->received_bytes());
 // Checking that we still can send/receive data.
 SendReceive(60);
}

// This test checks that that message encrypted with the key n-1 will be
// rejected after KeyUpdate is executed, and after the message n has arrived.
TEST_F(TlsConnectDatagram13, DTLSKU_PreviousEpochIsAcceptedAfterNew) {
 size_t len = 30;
 size_t legal_message_len = 20;

 Connect();
 // Client starts KeyUpdate
 EXPECT_EQ(SECSuccess, SSL_KeyUpdate(client_->ssl_fd(), PR_FALSE));
 // Server receives KeyUpdate and sends ACK
 server_->ReadBytes();
 SSLInt_SendImmediateACK(server_->ssl_fd());
 // Client has not yet received the ACK, so the writing key epoch has not
 // changed
 client_->CheckEpochs(3, 3);
 server_->CheckEpochs(4, 3);

 auto filter = MakeTlsFilter<TLSRecordSaveAndDropNext>(client_);

 // Here the message previousEpochMessageBuffer contains a message
 // encrypted with the client 3rd epoch key, m1 = enc(message, key_3)
 client_->SendData(len);
 DataBuffer d = filter->ReturnRecorded();
 client_->ResetSentBytes();

 // Client has received the ACK
 client_->ReadBytes();
 client_->CheckEpochs(3, 4);
 server_->CheckEpochs(4, 3);

 // At this moment, a client will send a message with the new key
 SendReceive(legal_message_len);
 // As soon as it's received, the server will forbid the messaged from the
 // previous epochs
 server_->ReadBytes();

 // If a message from the previous epoch arrives to the server (m1, the key_3
 // was used to encrypt it)
 client_->SendDirect(d);
 // it will be silently dropped
 server_->ReadBytes();
 //  Server has still received just legal_message_len of bytes (not the
 // previousEpochLen + legal_message_len)
 ASSERT_EQ((size_t)legal_message_len, server_->received_bytes());
 // Checking that we still can send/receive data.
 SendReceive(50);
}

// DTLS Epoch reconstruction test
// RFC 9147 Section 8. 4.2.2. Reconstructing the Sequence Number and Epoch

// This test checks that the epoch reconstruction is correct.
// The function under testing is dtlscon.c::dtls_ReadEpoch.
// We only consider the case when dtls_IsDtls13Ciphertext is true.

typedef struct sslKeyUpdateReadEpochTVStr {
 // The current epoch
 DTLSEpoch epoch;
 // Only two-bit epoch here
 PRUint8 header;
 DTLSEpoch expected_reconstructed_epoch;
} sslKeyUpdateReadEpochTV_t;

static const sslKeyUpdateReadEpochTV_t sslKeyUpdateReadEpochTV[26] = {
   {0x1, 0x1, 0x1},

   {0x2, 0x1, 0x1},
   {0x2, 0x2, 0x2},

   {0x3, 0x3, 0x3},
   {0x3, 0x2, 0x2},
   {0x3, 0x1, 0x1},

   {0x4, 0x0, 0x4},  // the difference (diff) between the reconstructed and
                     // the current epoch is equal to 0
   {0x4, 0x1, 0x1},  // diff == 3
   {0x4, 0x2, 0x2},  // diff == 2
   {0x4, 0x3, 0x3},  // diff == 1

   {0x5, 0x0, 0x4},  // diff == 1
   {0x5, 0x1, 0x5},  // diff == 0
   {0x5, 0x2, 0x2},  // diff == 3
   {0x5, 0x3, 0x3},  // diff == 2

   {0x6, 0x0, 0x4},
   {0x6, 0x1, 0x5},
   {0x6, 0x2, 0x6},
   {0x6, 0x3, 0x3},

   {0x7, 0x0, 0x4},
   {0x7, 0x1, 0x5},
   {0x7, 0x2, 0x6},
   {0x7, 0x3, 0x7},

   {0x8, 0x0, 0x8},
   {0x8, 0x1, 0x5},
   {0x8, 0x2, 0x6},
   {0x8, 0x3, 0x7},

   // Starting from here the pattern (starting from 4) repeats:
   // if a current epoch is equal to n,
   // the difference will behave as for n % 4 + 4.
   // For example, if the current epoch is equal to 9, then
   // the difference between the reconstructed epoch and the current one
   // will be the same as for the 5th epoch.
};

TEST_F(TlsConnectDatagram13, DTLS_EpochReconstruction) {
 PRUint8 header[5] = {0};
 header[0] = 0x20;
 DTLSEpoch epoch;

 for (size_t i = 0; i < 26; i++) {
   epoch = sslKeyUpdateReadEpochTV[i].epoch;
   header[0] = (header[0] & 0xfc) | (sslKeyUpdateReadEpochTV[i].header & 0x3);
   // ReadEpoch (dtlscon.c#1339) uses only spec->version and spec->epoch.
   ASSERT_EQ(sslKeyUpdateReadEpochTV[i].expected_reconstructed_epoch,
             dtls_ReadEpoch(SSL_LIBRARY_VERSION_TLS_1_3, epoch, header));
 }
}

// RFC 9147. A.2. Handshake Protocol
// struct {
//  HandshakeType msg_type;    -- handshake type
//  uint24 length;             -- bytes in message
//  uint16 message_seq;        -- DTLS-required field
//  uint24 fragment_offset;    -- DTLS-required field
//  uint24 fragment_length;    -- DTLS-required field
//  select (msg_type) {
//  ...
//  case key_update:            KeyUpdate;
//  } body;
// } Handshake;
//
// enum {
// update_not_requested(0), update_requested(1), (255)
// } KeyUpdateRequest;

// The next tests send malformed KeyUpdate messages.
// A remainder: TLSKeyUpdateDamager filter takes as an input an agent,
// a byte index and a value that the existing value of the byte with the byte
// index will be replaced with. The filter catchs only the KeyUpdate messages,
// keeping unchanged all the rest.

// The first test, DTLSKeyUpdateDamagerFilterTestingNoModification,
// checks the correctness of the filter itself. It replaces the value of 12th
// byte with 0: The 12th byte is used to specify KeyUpdateRequest. Thus, the
// modification done in the test will still result in the correct KeyUpdate
// request.

// The test DTLSKU_WrongValueForUpdateRequested is modifying
// KeyUpdateRequest byte to have an not-allowed value.

// The test DTLSKeyUpdateDamagedLength modifies the 3rd byte (one of the length
// bytes).

// The test DTLSKeyUpdateDamagedLengthLongMessage changes the length of the
// message as well.

// The test DTLSKeyUpdateDamagedFragmentLength modifies the 10th byte (one of
// the fragment_length bytes)

TEST_F(TlsConnectDatagram13, DTLSKU_WrongValueForUpdateRequested) {
 EnsureTlsSetup();
 // Filter replacing the update_requested with an unexpected value.
 auto filter = MakeTlsFilter<TLSKeyUpdateDamager>(client_, 12, 2);
 filter->EnableDecryption();
 filter->Disable();
 Connect();
 filter->Enable();
 SSL_KeyUpdate(client_->ssl_fd(), PR_FALSE);
 filter->Disable();

 ExpectAlert(server_, kTlsAlertDecodeError);
 client_->ExpectReceiveAlert(kTlsAlertDecodeError);

 server_->ExpectReadWriteError();
 client_->ExpectReadWriteError();

 server_->ReadBytes();
 client_->ReadBytes();

 server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_KEY_UPDATE);
 client_->CheckErrorCode(SSL_ERROR_DECODE_ERROR_ALERT);

 // No KeyUpdate happened.
 CheckEpochs(3, 3);
}

TEST_F(TlsConnectDatagram13, DTLSKU_DamagedLength) {
 EnsureTlsSetup();
 // Filter replacing the length value with 0.
 auto filter = MakeTlsFilter<TLSKeyUpdateDamager>(client_, 3, 0);
 filter->EnableDecryption();
 filter->Disable();
 Connect();
 filter->Enable();

 SSL_KeyUpdate(client_->ssl_fd(), PR_FALSE);
 filter->Disable();
 SSLInt_SendImmediateACK(server_->ssl_fd());
 client_->ReadBytes();
 // No KeyUpdate happened.
 CheckEpochs(3, 3);
 SendReceive(50);
}

TEST_F(TlsConnectDatagram13, DTLSKU_DamagedLengthTooLong) {
 EnsureTlsSetup();
 // Filter replacing the second byte of length with one
 // The message length is increased by 2 ^ 8
 auto filter = MakeTlsFilter<TLSKeyUpdateDamager>(client_, 2, 2);
 filter->EnableDecryption();
 filter->Disable();
 Connect();
 filter->Enable();

 SSL_KeyUpdate(client_->ssl_fd(), PR_FALSE);
 filter->Disable();
 SSLInt_SendImmediateACK(server_->ssl_fd());
 client_->ReadBytes();
 // No KeyUpdate happened.
 CheckEpochs(3, 3);
 SendReceive(50);
}

TEST_F(TlsConnectDatagram13, DTLSKU_DamagedFragmentLength) {
 EnsureTlsSetup();
 // Filter replacing the fragment length with 1.
 auto filter = MakeTlsFilter<TLSKeyUpdateDamager>(client_, 10, 1);
 filter->EnableDecryption();
 filter->Disable();
 Connect();
 filter->Enable();

 SSL_KeyUpdate(client_->ssl_fd(), PR_FALSE);
 filter->Disable();
 SSLInt_SendImmediateACK(server_->ssl_fd());
 client_->ReadBytes();
 // No KeyUpdate happened.
 CheckEpochs(3, 3);
 SendReceive(50);
}

// This filter is used in order to modify an ACK message.
// As it's possible that one record contains several ACKs,
// we fault all of them.

class TLSACKDamager : public TlsRecordFilter {
public:
 TLSACKDamager(const std::shared_ptr<TlsAgent>& a, size_t byte, uint8_t val)
     : TlsRecordFilter(a), offset_(byte), value_(val) {}

protected:
 PacketFilter::Action FilterRecord(const TlsRecordHeader& header,
                                   const DataBuffer& record, size_t* offset,
                                   DataBuffer* output) override {
   if (!header.is_protected()) {
     return KEEP;
   }

   uint16_t protection_epoch;
   uint8_t inner_content_type;
   DataBuffer plaintext;
   TlsRecordHeader out_header;

   if (!Unprotect(header, record, &protection_epoch, &inner_content_type,
                  &plaintext, &out_header)) {
     return KEEP;
   }

   if (plaintext.data() == NULL || plaintext.len() == 0) {
     return KEEP;
   }

   if (decrypting() && inner_content_type != ssl_ct_ack) {
     return KEEP;
   }

   // We compute the number of ACKS in the message
   // As we keep processing the ACK even if one message is incorrent,
   // we fault all the found ACKs.

   uint8_t ack_message_header_len = 2;
   uint8_t ack_message_len_one_ACK = 16;
   uint64_t acks = plaintext.len() - ack_message_header_len;
   EXPECT_EQ((uint64_t)0, acks % ack_message_len_one_ACK);
   acks = acks / ack_message_len_one_ACK;

   if (plaintext.len() <= ack_message_header_len + offset_ +
                              (acks - 1) * ack_message_len_one_ACK) {
     return KEEP;
   }

   for (size_t i = 0; i < acks; i++) {
     // Here we replace the offset_-th byte after the header
     // i.e. headerAck + ACK(0) + ACK(1) <-- the offset_-th byte
     // of ACK(0), ACK(1), etc
     plaintext.data()[ack_message_header_len + offset_ +
                      i * ack_message_len_one_ACK] = value_;
   }

   DataBuffer ciphertext;
   bool ok = Protect(spec(protection_epoch), out_header, inner_content_type,
                     plaintext, &ciphertext, &out_header);
   if (!ok) {
     return KEEP;
   }
   *offset = out_header.Write(output, *offset, ciphertext);
   return CHANGE;
 }

protected:
 size_t offset_;
 uint8_t value_;
};

// The next two tests are modifying the ACK message:

// First, we call KeyUpdate on the client side. The server successfully
// processes it, and it's sending an ACK message. At this moment, the filter
// modifies the content of the ACK message by changing the seqNum or epoch and
// sends it back to the client.
//
// struct {
//  uint64 epoch;
//  uint64 sequence_number;
// } RecordNumber;

// struct {
//  RecordNumber record_numbers<0..2^16-1>;
// } ACK;

TEST_F(TlsConnectDatagram13, DTLSKU_ModifACKEpoch) {
 EnsureTlsSetup();
 uint8_t byte = 3;
 uint8_t v = 1;
 // The filter will replace value-th byte of each ACK with one
 // The epoch will be more than v * 2 ^ ((byte - 1) * 8).
 // HandleACK function allows the epochs such that (epoch > RECORD_EPOCH_MAX)
 // where RECORD_EPOCH_MAX == ((0x1ULL << 16) - 1)
 auto filter = MakeTlsFilter<TLSACKDamager>(server_, byte, v);
 filter->EnableDecryption();
 filter->Disable();
 Connect();
 CheckEpochs(3, 3);
 EXPECT_EQ(SECSuccess, SSL_KeyUpdate(client_->ssl_fd(), PR_FALSE));
 server_->ReadBytes();

 filter->Enable();
 SSLInt_SendImmediateACK(server_->ssl_fd());
 filter->Disable();

 client_->ReadBytes();
 server_->CheckEpochs(4, 3);
 // The client has not received the ACK, so it will not update the key.
 client_->CheckEpochs(3, 3);

 // The communication still continues.
 SendReceive(50);
}

TEST_F(TlsConnectDatagram13, DTLSKU_ModifACKSeqNum) {
 EnsureTlsSetup();
 uint8_t byte = 7;
 uint8_t v = 1;
 // The filter will replace value byte  of each ACK with one
 // The seqNum will be more than v * 2 ^ ((byte - 1) * 8).
 // HandleACK function allows the epochs such that (seq > RECORD_SEQ_MAX)
 // where RECORD_SEQ_MAX == ((0x1ULL << 48) - 1)

 // here byte + 8 means that we modify not epoch, but sequenceNum
 auto filter = MakeTlsFilter<TLSACKDamager>(server_, byte + 8, v);
 filter->EnableDecryption();
 filter->Disable();
 Connect();

 EXPECT_EQ(SECSuccess, SSL_KeyUpdate(client_->ssl_fd(), PR_FALSE));
 server_->ReadBytes();

 filter->Enable();
 SSLInt_SendImmediateACK(server_->ssl_fd());
 filter->Disable();

 client_->ReadBytes();

 client_->ReadBytes();
 server_->CheckEpochs(4, 3);
 // The client has not received the ACK, so it will not update the key.
 client_->CheckEpochs(3, 3);

 // The communication still continues.
 SendReceive(50);
}

TEST_F(TlsConnectDatagram13, DTLSKU_TooEarly_ClientCannotSendKeyUpdate) {
 StartConnect();
 auto filter = MakeTlsFilter<TLSRecordSaveAndDropNext>(server_);
 filter->EnableDecryption();

 client_->Handshake();
 server_->Handshake();

 EXPECT_EQ(SECFailure, SSL_KeyUpdate(client_->ssl_fd(), PR_FALSE));
}

TEST_F(TlsConnectDatagram13, DTLSKeyUpdateTooEarly_ServerCannotSendKeyUpdate) {
 StartConnect();
 auto filter = MakeTlsFilter<TLSRecordSaveAndDropNext>(server_);
 filter->EnableDecryption();

 client_->Handshake();
 server_->Handshake();

 EXPECT_EQ(SECFailure, SSL_KeyUpdate(server_->ssl_fd(), PR_FALSE));
}

class DTlsEncryptedHandshakeHeaderReplacer : public TlsRecordFilter {
public:
 DTlsEncryptedHandshakeHeaderReplacer(const std::shared_ptr<TlsAgent>& a,
                                      uint8_t old_ct, uint8_t new_ct)
     : TlsRecordFilter(a),
       old_ct_(old_ct),
       new_ct_(new_ct),
       replaced_(false) {}

protected:
 PacketFilter::Action FilterRecord(const TlsRecordHeader& header,
                                   const DataBuffer& record, size_t* offset,
                                   DataBuffer* output) override {
   if (replaced_) return KEEP;

   uint8_t inner_content_type;
   DataBuffer plaintext;
   uint16_t protection_epoch = 0;
   TlsRecordHeader out_header(header);

   if (!Unprotect(header, record, &protection_epoch, &inner_content_type,
                  &plaintext, &out_header)) {
     return KEEP;
   }

   auto& protection_spec = spec(protection_epoch);
   uint32_t msg_type = 256;  // Not a real message
   if (!plaintext.Read(0, 1, &msg_type) || msg_type == old_ct_) {
     replaced_ = true;
     plaintext.Write(0, new_ct_, 1);
   }

   uint64_t seq_num = protection_spec.next_out_seqno();
   if (out_header.is_dtls()) {
     seq_num |= out_header.sequence_number() & (0xffffULL << 48);
   }
   out_header.sequence_number(seq_num);

   DataBuffer ciphertext;
   bool rv = Protect(protection_spec, out_header, inner_content_type,
                     plaintext, &ciphertext, &out_header);
   if (!rv) {
     return KEEP;
   }
   *offset = out_header.Write(output, *offset, ciphertext);
   return CHANGE;
 }

private:
 uint8_t old_ct_;
 uint8_t new_ct_;
 bool replaced_;
};

// The next tests check the behaviour of KU before the handshake is finished.
TEST_F(TlsConnectDatagram13, DTLSKU_TooEarly_Client) {
 StartConnect();
 // This filter takes the record and if it finds kTlsHandshakeFinished
 // it replaces it with kTlsHandshakeKeyUpdate
 // Then, the KeyUpdate will be started when the handshake is not yet finished
 // This handshake will be cancelled.
 auto filter = MakeTlsFilter<DTlsEncryptedHandshakeHeaderReplacer>(
     server_, kTlsHandshakeFinished, kTlsHandshakeKeyUpdate);
 filter->EnableDecryption();

 client_->Handshake();
 server_->Handshake();
 ExpectAlert(client_, kTlsAlertUnexpectedMessage);
 client_->Handshake();
 client_->CheckErrorCode(SSL_ERROR_RX_UNEXPECTED_KEY_UPDATE);
 server_->Handshake();
 server_->CheckErrorCode(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT);
}

TEST_F(TlsConnectDatagram13, DTLSKU_TooEarly_Server) {
 StartConnect();
 // This filter takes the record and if it finds kTlsHandshakeFinished
 // it replaces it with kTlsHandshakeKeyUpdate
 auto filter = MakeTlsFilter<DTlsEncryptedHandshakeHeaderReplacer>(
     client_, kTlsHandshakeFinished, kTlsHandshakeKeyUpdate);
 filter->EnableDecryption();

 client_->Handshake();
 server_->Handshake();
 client_->Handshake();
 ExpectAlert(server_, kTlsAlertUnexpectedMessage);
 server_->Handshake();
 server_->CheckErrorCode(SSL_ERROR_RX_UNEXPECTED_KEY_UPDATE);
 client_->Handshake();
 client_->CheckErrorCode(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT);
}

}  // namespace nss_test