ssl_loopback_unittest.cc (27763B)
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ 2 /* vim: set ts=2 et sw=2 tw=80: */ 3 /* This Source Code Form is subject to the terms of the Mozilla Public 4 * License, v. 2.0. If a copy of the MPL was not distributed with this file, 5 * You can obtain one at http://mozilla.org/MPL/2.0/. */ 6 7 #include <functional> 8 #include <memory> 9 #include <vector> 10 #include "secerr.h" 11 #include "ssl.h" 12 #include "sslerr.h" 13 #include "sslproto.h" 14 15 extern "C" { 16 // This is not something that should make you happy. 17 #include "libssl_internals.h" 18 } 19 20 #include "gtest_utils.h" 21 #include "nss_scoped_ptrs.h" 22 #include "tls_connect.h" 23 #include "tls_filter.h" 24 #include "tls_parser.h" 25 26 namespace nss_test { 27 28 TEST_P(TlsConnectGeneric, SetupOnly) {} 29 30 TEST_P(TlsConnectGeneric, Connect) { 31 SetExpectedVersion(std::get<1>(GetParam())); 32 Connect(); 33 CheckKeys(); 34 } 35 36 TEST_P(TlsConnectGeneric, ConnectEcdsa) { 37 SetExpectedVersion(std::get<1>(GetParam())); 38 Reset(TlsAgent::kServerEcdsa256); 39 Connect(); 40 CheckKeys(ssl_auth_ecdsa); 41 } 42 43 TEST_P(TlsConnectGeneric, CipherSuiteMismatch) { 44 EnsureTlsSetup(); 45 if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) { 46 client_->EnableSingleCipher(TLS_AES_128_GCM_SHA256); 47 server_->EnableSingleCipher(TLS_AES_256_GCM_SHA384); 48 } else { 49 client_->EnableSingleCipher(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA); 50 server_->EnableSingleCipher(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA); 51 } 52 ConnectExpectAlert(server_, kTlsAlertHandshakeFailure); 53 client_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP); 54 server_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP); 55 } 56 57 class TlsAlertRecorder : public TlsRecordFilter { 58 public: 59 TlsAlertRecorder(const std::shared_ptr<TlsAgent>& a) 60 : TlsRecordFilter(a), level_(255), description_(255) {} 61 62 PacketFilter::Action FilterRecord(const TlsRecordHeader& header, 63 const DataBuffer& input, 64 DataBuffer* output) override { 65 if (level_ != 255) { // Already captured. 66 return KEEP; 67 } 68 if (header.content_type() != ssl_ct_alert) { 69 return KEEP; 70 } 71 72 std::cerr << "Alert: " << input << std::endl; 73 74 TlsParser parser(input); 75 EXPECT_TRUE(parser.Read(&level_)); 76 EXPECT_TRUE(parser.Read(&description_)); 77 return KEEP; 78 } 79 80 uint8_t level() const { return level_; } 81 uint8_t description() const { return description_; } 82 83 private: 84 uint8_t level_; 85 uint8_t description_; 86 }; 87 88 class HelloTruncator : public TlsHandshakeFilter { 89 public: 90 HelloTruncator(const std::shared_ptr<TlsAgent>& a) 91 : TlsHandshakeFilter( 92 a, {kTlsHandshakeClientHello, kTlsHandshakeServerHello}) {} 93 PacketFilter::Action FilterHandshake(const HandshakeHeader& header, 94 const DataBuffer& input, 95 DataBuffer* output) override { 96 output->Assign(input.data(), input.len() - 1); 97 return CHANGE; 98 } 99 }; 100 101 // Verify that when NSS reports that an alert is sent, it is actually sent. 102 TEST_P(TlsConnectGeneric, CaptureAlertServer) { 103 MakeTlsFilter<HelloTruncator>(client_); 104 auto alert_recorder = MakeTlsFilter<TlsAlertRecorder>(server_); 105 106 ConnectExpectAlert(server_, kTlsAlertDecodeError); 107 EXPECT_EQ(kTlsAlertFatal, alert_recorder->level()); 108 EXPECT_EQ(kTlsAlertDecodeError, alert_recorder->description()); 109 } 110 111 TEST_P(TlsConnectGenericPre13, CaptureAlertClient) { 112 MakeTlsFilter<HelloTruncator>(server_); 113 auto alert_recorder = MakeTlsFilter<TlsAlertRecorder>(client_); 114 115 ConnectExpectAlert(client_, kTlsAlertDecodeError); 116 EXPECT_EQ(kTlsAlertFatal, alert_recorder->level()); 117 EXPECT_EQ(kTlsAlertDecodeError, alert_recorder->description()); 118 } 119 120 // In TLS 1.3, the server can't read the client alert. 121 TEST_P(TlsConnectTls13, CaptureAlertClient) { 122 MakeTlsFilter<HelloTruncator>(server_); 123 auto alert_recorder = MakeTlsFilter<TlsAlertRecorder>(client_); 124 125 StartConnect(); 126 127 client_->Handshake(); 128 client_->ExpectSendAlert(kTlsAlertDecodeError); 129 server_->Handshake(); 130 client_->Handshake(); 131 if (variant_ == ssl_variant_stream) { 132 // DTLS just drops the alert it can't decrypt. 133 server_->ExpectSendAlert(kTlsAlertUnexpectedMessage); 134 } 135 server_->Handshake(); 136 EXPECT_EQ(kTlsAlertFatal, alert_recorder->level()); 137 EXPECT_EQ(kTlsAlertDecodeError, alert_recorder->description()); 138 } 139 140 TEST_P(TlsConnectGenericPre13, ConnectFalseStart) { 141 client_->EnableFalseStart(); 142 Connect(); 143 SendReceive(); 144 } 145 146 TEST_P(TlsConnectGeneric, ConnectAlpn) { 147 EnableAlpn(); 148 Connect(); 149 CheckAlpn("a"); 150 } 151 152 TEST_P(TlsConnectGeneric, ConnectAlpnPriorityA) { 153 // "alpn" "npn" 154 // alpn is the fallback here. npn has the highest priority and should be 155 // picked. 156 const std::vector<uint8_t> alpn = {0x04, 0x61, 0x6c, 0x70, 0x6e, 157 0x03, 0x6e, 0x70, 0x6e}; 158 EnableAlpn(alpn); 159 Connect(); 160 CheckAlpn("npn"); 161 } 162 163 TEST_P(TlsConnectGeneric, ConnectAlpnPriorityB) { 164 // "alpn" "npn" "http" 165 // npn has the highest priority and should be picked. 166 const std::vector<uint8_t> alpn = {0x04, 0x61, 0x6c, 0x70, 0x6e, 0x03, 0x6e, 167 0x70, 0x6e, 0x04, 0x68, 0x74, 0x74, 0x70}; 168 EnableAlpn(alpn); 169 Connect(); 170 CheckAlpn("npn"); 171 } 172 173 TEST_P(TlsConnectGeneric, ConnectAlpnClone) { 174 EnsureModelSockets(); 175 client_model_->EnableAlpn(alpn_dummy_val_, sizeof(alpn_dummy_val_)); 176 server_model_->EnableAlpn(alpn_dummy_val_, sizeof(alpn_dummy_val_)); 177 Connect(); 178 CheckAlpn("a"); 179 } 180 181 TEST_P(TlsConnectGeneric, ConnectAlpnWithCustomCallbackA) { 182 // "ab" "alpn" 183 const std::vector<uint8_t> client_alpn = {0x02, 0x61, 0x62, 0x04, 184 0x61, 0x6c, 0x70, 0x6e}; 185 EnableAlpnWithCallback(client_alpn, "alpn"); 186 Connect(); 187 CheckAlpn("alpn"); 188 } 189 190 TEST_P(TlsConnectGeneric, ConnectAlpnWithCustomCallbackB) { 191 // "ab" "alpn" 192 const std::vector<uint8_t> client_alpn = {0x02, 0x61, 0x62, 0x04, 193 0x61, 0x6c, 0x70, 0x6e}; 194 EnableAlpnWithCallback(client_alpn, "ab"); 195 Connect(); 196 CheckAlpn("ab"); 197 } 198 199 TEST_P(TlsConnectGeneric, ConnectAlpnWithCustomCallbackC) { 200 // "cd" "npn" "alpn" 201 const std::vector<uint8_t> client_alpn = {0x02, 0x63, 0x64, 0x03, 0x6e, 0x70, 202 0x6e, 0x04, 0x61, 0x6c, 0x70, 0x6e}; 203 EnableAlpnWithCallback(client_alpn, "npn"); 204 Connect(); 205 CheckAlpn("npn"); 206 } 207 208 TEST_P(TlsConnectDatagram, ConnectSrtp) { 209 EnableSrtp(); 210 Connect(); 211 CheckSrtp(); 212 SendReceive(); 213 } 214 215 TEST_P(TlsConnectGeneric, ConnectSendReceive) { 216 Connect(); 217 SendReceive(); 218 } 219 220 class SaveTlsRecord : public TlsRecordFilter { 221 public: 222 SaveTlsRecord(const std::shared_ptr<TlsAgent>& a, size_t index) 223 : TlsRecordFilter(a), index_(index), count_(0), contents_() {} 224 225 const DataBuffer& contents() const { return contents_; } 226 227 protected: 228 PacketFilter::Action FilterRecord(const TlsRecordHeader& header, 229 const DataBuffer& data, 230 DataBuffer* changed) override { 231 if (count_++ == index_) { 232 contents_ = data; 233 } 234 return KEEP; 235 } 236 237 private: 238 const size_t index_; 239 size_t count_; 240 DataBuffer contents_; 241 }; 242 243 // Check that decrypting filters work and can read any record. 244 // This test (currently) only works in TLS 1.3 where we can decrypt. 245 TEST_F(TlsConnectStreamTls13, DecryptRecordClient) { 246 EnsureTlsSetup(); 247 // 0 = ClientHello, 1 = Finished, 2 = SendReceive, 3 = SendBuffer 248 auto saved = MakeTlsFilter<SaveTlsRecord>(client_, 3); 249 saved->EnableDecryption(); 250 Connect(); 251 SendReceive(); 252 253 static const uint8_t data[] = {0xde, 0xad, 0xdc}; 254 DataBuffer buf(data, sizeof(data)); 255 client_->SendBuffer(buf); 256 EXPECT_EQ(buf, saved->contents()); 257 } 258 259 TEST_F(TlsConnectStreamTls13, DecryptRecordServer) { 260 EnsureTlsSetup(); 261 // Disable tickets so that we are sure to not get NewSessionTicket. 262 EXPECT_EQ(SECSuccess, SSL_OptionSet(server_->ssl_fd(), 263 SSL_ENABLE_SESSION_TICKETS, PR_FALSE)); 264 // 0 = ServerHello, 1 = other handshake, 2 = SendReceive, 3 = SendBuffer 265 auto saved = MakeTlsFilter<SaveTlsRecord>(server_, 3); 266 saved->EnableDecryption(); 267 Connect(); 268 SendReceive(); 269 270 static const uint8_t data[] = {0xde, 0xad, 0xd5}; 271 DataBuffer buf(data, sizeof(data)); 272 server_->SendBuffer(buf); 273 EXPECT_EQ(buf, saved->contents()); 274 } 275 276 class DropTlsRecord : public TlsRecordFilter { 277 public: 278 DropTlsRecord(const std::shared_ptr<TlsAgent>& a, size_t index) 279 : TlsRecordFilter(a), index_(index), count_(0) {} 280 281 protected: 282 PacketFilter::Action FilterRecord(const TlsRecordHeader& header, 283 const DataBuffer& data, 284 DataBuffer* changed) override { 285 if (count_++ == index_) { 286 return DROP; 287 } 288 return KEEP; 289 } 290 291 private: 292 const size_t index_; 293 size_t count_; 294 }; 295 296 // Test that decrypting filters work correctly and are able to drop records. 297 TEST_F(TlsConnectStreamTls13, DropRecordServer) { 298 EnsureTlsSetup(); 299 // Disable session tickets so that the server doesn't send an extra record. 300 EXPECT_EQ(SECSuccess, SSL_OptionSet(server_->ssl_fd(), 301 SSL_ENABLE_SESSION_TICKETS, PR_FALSE)); 302 303 // 0 = ServerHello, 1 = other handshake, 2 = first write 304 auto filter = MakeTlsFilter<DropTlsRecord>(server_, 2); 305 filter->EnableDecryption(); 306 Connect(); 307 server_->SendData(23, 23); // This should be dropped, so it won't be counted. 308 server_->ResetSentBytes(); 309 SendReceive(); 310 } 311 312 TEST_F(TlsConnectStreamTls13, DropRecordClient) { 313 EnsureTlsSetup(); 314 // 0 = ClientHello, 1 = Finished, 2 = first write 315 auto filter = MakeTlsFilter<DropTlsRecord>(client_, 2); 316 filter->EnableDecryption(); 317 Connect(); 318 client_->SendData(26, 26); // This should be dropped, so it won't be counted. 319 client_->ResetSentBytes(); 320 SendReceive(); 321 } 322 323 // Check that a server can use 0.5 RTT if client authentication isn't enabled. 324 TEST_P(TlsConnectTls13, WriteBeforeClientFinished) { 325 EnsureTlsSetup(); 326 StartConnect(); 327 client_->Handshake(); // ClientHello 328 server_->Handshake(); // ServerHello 329 330 server_->SendData(10); 331 client_->ReadBytes(10); // Client should emit the Finished as a side-effect. 332 server_->Handshake(); // Server consumes the Finished. 333 CheckConnected(); 334 } 335 336 // We don't allow 0.5 RTT if client authentication is requested. 337 TEST_P(TlsConnectTls13, WriteBeforeClientFinishedClientAuth) { 338 client_->SetupClientAuth(); 339 server_->RequestClientAuth(false); 340 StartConnect(); 341 client_->Handshake(); // ClientHello 342 server_->Handshake(); // ServerHello 343 344 static const uint8_t data[] = {1, 2, 3}; 345 EXPECT_GT(0, PR_Write(server_->ssl_fd(), data, sizeof(data))); 346 EXPECT_EQ(PR_WOULD_BLOCK_ERROR, PORT_GetError()); 347 348 Handshake(); 349 CheckConnected(); 350 SendReceive(); 351 } 352 353 // 0.5 RTT should fail with client authentication required. 354 TEST_P(TlsConnectTls13, WriteBeforeClientFinishedClientAuthRequired) { 355 client_->SetupClientAuth(); 356 server_->RequestClientAuth(true); 357 StartConnect(); 358 client_->Handshake(); // ClientHello 359 server_->Handshake(); // ServerHello 360 361 static const uint8_t data[] = {1, 2, 3}; 362 EXPECT_GT(0, PR_Write(server_->ssl_fd(), data, sizeof(data))); 363 EXPECT_EQ(PR_WOULD_BLOCK_ERROR, PORT_GetError()); 364 365 Handshake(); 366 CheckConnected(); 367 SendReceive(); 368 } 369 370 // The next two tests takes advantage of the fact that we 371 // automatically read the first 1024 bytes, so if 372 // we provide 1200 bytes, they overrun the read buffer 373 // provided by the calling test. 374 375 // DTLS should return an error. 376 TEST_P(TlsConnectDatagram, ShortRead) { 377 Connect(); 378 client_->ExpectReadWriteError(); 379 server_->SendData(50, 50); 380 client_->ReadBytes(20); 381 EXPECT_EQ(0U, client_->received_bytes()); 382 EXPECT_EQ(SSL_ERROR_RX_SHORT_DTLS_READ, PORT_GetError()); 383 384 // Now send and receive another packet. 385 server_->ResetSentBytes(); // Reset the counter. 386 SendReceive(); 387 } 388 389 // TLS should get the write in two chunks. 390 TEST_P(TlsConnectStream, ShortRead) { 391 // This test behaves oddly with TLS 1.0 because of 1/n+1 splitting, 392 // so skip in that case. 393 if (version_ < SSL_LIBRARY_VERSION_TLS_1_1) GTEST_SKIP(); 394 395 Connect(); 396 server_->SendData(50, 50); 397 // Read the first tranche. 398 client_->ReadBytes(20); 399 ASSERT_EQ(20U, client_->received_bytes()); 400 // The second tranche should now immediately be available. 401 client_->ReadBytes(); 402 ASSERT_EQ(50U, client_->received_bytes()); 403 } 404 405 // We enable compression via the API but it's disabled internally, 406 // so we should never get it. 407 TEST_P(TlsConnectGeneric, ConnectWithCompressionEnabled) { 408 EnsureTlsSetup(); 409 client_->SetOption(SSL_ENABLE_DEFLATE, PR_TRUE); 410 server_->SetOption(SSL_ENABLE_DEFLATE, PR_TRUE); 411 Connect(); 412 EXPECT_FALSE(client_->is_compressed()); 413 SendReceive(); 414 } 415 416 class TlsHolddownTest : public TlsConnectDatagram { 417 protected: 418 // This causes all timers to run to completion. It advances the clock and 419 // handshakes on both peers until both peers have no more timers pending, 420 // which should happen at the end of a handshake. This is necessary to ensure 421 // that the relatively long holddown timer expires, but that any other timers 422 // also expire and run correctly. 423 void RunAllTimersDown() { 424 while (true) { 425 PRIntervalTime time; 426 SECStatus rv = DTLS_GetHandshakeTimeout(client_->ssl_fd(), &time); 427 if (rv != SECSuccess) { 428 rv = DTLS_GetHandshakeTimeout(server_->ssl_fd(), &time); 429 if (rv != SECSuccess) { 430 break; // Neither peer has an outstanding timer. 431 } 432 } 433 434 if (g_ssl_gtest_verbose) { 435 std::cerr << "Shifting timers" << std::endl; 436 } 437 ShiftDtlsTimers(); 438 Handshake(); 439 } 440 } 441 }; 442 443 TEST_P(TlsHolddownTest, TestDtlsHolddownExpiry) { 444 Connect(); 445 std::cerr << "Expiring holddown timer" << std::endl; 446 RunAllTimersDown(); 447 SendReceive(); 448 if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) { 449 // One for send, one for receive. 450 EXPECT_EQ(2, SSLInt_CountCipherSpecs(client_->ssl_fd())); 451 } 452 } 453 454 TEST_P(TlsHolddownTest, TestDtlsHolddownExpiryResumption) { 455 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 456 Connect(); 457 SendReceive(); 458 459 Reset(); 460 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 461 ExpectResumption(RESUME_TICKET); 462 Connect(); 463 RunAllTimersDown(); 464 SendReceive(); 465 // One for send, one for receive. 466 EXPECT_EQ(2, SSLInt_CountCipherSpecs(client_->ssl_fd())); 467 } 468 469 class TlsPreCCSHeaderInjector : public TlsRecordFilter { 470 public: 471 TlsPreCCSHeaderInjector(const std::shared_ptr<TlsAgent>& a) 472 : TlsRecordFilter(a) {} 473 virtual PacketFilter::Action FilterRecord( 474 const TlsRecordHeader& record_header, const DataBuffer& input, 475 size_t* offset, DataBuffer* output) override { 476 if (record_header.content_type() != ssl_ct_change_cipher_spec) { 477 return KEEP; 478 } 479 480 std::cerr << "Injecting Finished header before CCS\n"; 481 const uint8_t hhdr[] = {kTlsHandshakeFinished, 0x00, 0x00, 0x0c}; 482 DataBuffer hhdr_buf(hhdr, sizeof(hhdr)); 483 TlsRecordHeader nhdr(record_header.variant(), record_header.version(), 484 ssl_ct_handshake, 0); 485 *offset = nhdr.Write(output, *offset, hhdr_buf); 486 *offset = record_header.Write(output, *offset, input); 487 return CHANGE; 488 } 489 }; 490 491 TEST_P(TlsConnectStreamPre13, ClientFinishedHeaderBeforeCCS) { 492 MakeTlsFilter<TlsPreCCSHeaderInjector>(client_); 493 ConnectExpectAlert(server_, kTlsAlertUnexpectedMessage); 494 client_->CheckErrorCode(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT); 495 server_->CheckErrorCode(SSL_ERROR_RX_UNEXPECTED_CHANGE_CIPHER); 496 } 497 498 TEST_P(TlsConnectStreamPre13, ServerFinishedHeaderBeforeCCS) { 499 MakeTlsFilter<TlsPreCCSHeaderInjector>(server_); 500 StartConnect(); 501 ExpectAlert(client_, kTlsAlertUnexpectedMessage); 502 Handshake(); 503 EXPECT_EQ(TlsAgent::STATE_ERROR, client_->state()); 504 client_->CheckErrorCode(SSL_ERROR_RX_UNEXPECTED_CHANGE_CIPHER); 505 EXPECT_EQ(TlsAgent::STATE_CONNECTED, server_->state()); 506 server_->Handshake(); // Make sure alert is consumed. 507 } 508 509 TEST_P(TlsConnectTls13, UnknownAlert) { 510 Connect(); 511 server_->ExpectSendAlert(0xff, kTlsAlertWarning); 512 client_->ExpectReceiveAlert(0xff, kTlsAlertWarning); 513 SSLInt_SendAlert(server_->ssl_fd(), kTlsAlertWarning, 514 0xff); // Unknown value. 515 client_->ExpectReadWriteError(); 516 client_->WaitForErrorCode(SSL_ERROR_RX_UNKNOWN_ALERT, 2000); 517 } 518 519 TEST_P(TlsConnectTls13, AlertWrongLevel) { 520 Connect(); 521 server_->ExpectSendAlert(kTlsAlertUnexpectedMessage, kTlsAlertWarning); 522 client_->ExpectReceiveAlert(kTlsAlertUnexpectedMessage, kTlsAlertWarning); 523 SSLInt_SendAlert(server_->ssl_fd(), kTlsAlertWarning, 524 kTlsAlertUnexpectedMessage); 525 client_->ExpectReadWriteError(); 526 client_->WaitForErrorCode(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT, 2000); 527 } 528 529 TEST_P(TlsConnectTls13, UnknownRecord) { 530 static const uint8_t kUknownRecord[] = { 531 0xff, SSL_LIBRARY_VERSION_TLS_1_2 >> 8, 532 SSL_LIBRARY_VERSION_TLS_1_2 & 0xff, 0, 0}; 533 534 Connect(); 535 if (variant_ == ssl_variant_stream) { 536 // DTLS just drops the record with an invalid type. 537 server_->ExpectSendAlert(kTlsAlertUnexpectedMessage); 538 } 539 client_->SendDirect(DataBuffer(kUknownRecord, sizeof(kUknownRecord))); 540 server_->ExpectReadWriteError(); 541 server_->ReadBytes(); 542 if (variant_ == ssl_variant_stream) { 543 EXPECT_EQ(SSL_ERROR_RX_UNEXPECTED_RECORD_TYPE, server_->error_code()); 544 } else { 545 EXPECT_EQ(SSL_ERROR_RX_UNKNOWN_RECORD_TYPE, server_->error_code()); 546 } 547 } 548 549 TEST_F(TlsConnectStreamTls13, Tls13FailedWriteSecondFlight) { 550 EnsureTlsSetup(); 551 StartConnect(); 552 client_->Handshake(); 553 server_->Handshake(); // Send first flight. 554 client_->adapter()->SetWriteError(PR_IO_ERROR); 555 client_->Handshake(); // This will get an error, but shouldn't crash. 556 client_->CheckErrorCode(SSL_ERROR_SOCKET_WRITE_FAILURE); 557 } 558 559 TEST_P(TlsConnectDatagram, BlockedWrite) { 560 Connect(); 561 562 // Mark the socket as blocked. 563 client_->adapter()->SetWriteError(PR_WOULD_BLOCK_ERROR); 564 static const uint8_t data[] = {1, 2, 3}; 565 int32_t rv = PR_Write(client_->ssl_fd(), data, sizeof(data)); 566 EXPECT_GT(0, rv); 567 EXPECT_EQ(PR_WOULD_BLOCK_ERROR, PORT_GetError()); 568 569 // Remove the write error and though the previous write failed, future reads 570 // and writes should just work as if it never happened. 571 client_->adapter()->SetWriteError(0); 572 SendReceive(); 573 } 574 575 TEST_F(TlsConnectTest, ConnectSSLv3) { 576 ConfigureVersion(SSL_LIBRARY_VERSION_3_0); 577 EnableOnlyStaticRsaCiphers(); 578 Connect(); 579 CheckKeys(ssl_kea_rsa, ssl_grp_none, ssl_auth_rsa_decrypt, ssl_sig_none); 580 } 581 582 TEST_F(TlsConnectTest, ConnectSSLv3ClientAuth) { 583 ConfigureVersion(SSL_LIBRARY_VERSION_3_0); 584 EnableOnlyStaticRsaCiphers(); 585 client_->SetupClientAuth(); 586 server_->RequestClientAuth(true); 587 Connect(); 588 CheckKeys(ssl_kea_rsa, ssl_grp_none, ssl_auth_rsa_decrypt, ssl_sig_none); 589 } 590 591 static size_t ExpectedCbcLen(size_t in, size_t hmac = 20, size_t block = 16) { 592 // MAC-then-Encrypt expansion formula: 593 return ((in + hmac + (block - 1)) / block) * block; 594 } 595 596 TEST_F(TlsConnectTest, OneNRecordSplitting) { 597 ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_0); 598 EnsureTlsSetup(); 599 ConnectWithCipherSuite(TLS_RSA_WITH_AES_128_CBC_SHA); 600 auto records = MakeTlsFilter<TlsRecordRecorder>(server_); 601 // This should be split into 1, 16384 and 20. 602 DataBuffer big_buffer; 603 big_buffer.Allocate(1 + 16384 + 20); 604 server_->SendBuffer(big_buffer); 605 ASSERT_EQ(3U, records->count()); 606 EXPECT_EQ(ExpectedCbcLen(1), records->record(0).buffer.len()); 607 EXPECT_EQ(ExpectedCbcLen(16384), records->record(1).buffer.len()); 608 EXPECT_EQ(ExpectedCbcLen(20), records->record(2).buffer.len()); 609 } 610 611 // We can't test for randomness easily here, but we can test that we don't 612 // produce a zero value, or produce the same value twice. There are 5 values 613 // here: two ClientHello.random, two ServerHello.random, and one zero value. 614 // Matrix them and fail if any are the same. 615 TEST_P(TlsConnectGeneric, CheckRandoms) { 616 ConfigureSessionCache(RESUME_NONE, RESUME_NONE); 617 618 static const size_t random_len = 32; 619 uint8_t crandom1[random_len], srandom1[random_len]; 620 uint8_t z[random_len] = {0}; 621 622 auto ch = MakeTlsFilter<TlsHandshakeRecorder>(client_, ssl_hs_client_hello); 623 auto sh = MakeTlsFilter<TlsHandshakeRecorder>(server_, ssl_hs_server_hello); 624 Connect(); 625 ASSERT_TRUE(ch->buffer().len() > (random_len + 2)); 626 ASSERT_TRUE(sh->buffer().len() > (random_len + 2)); 627 memcpy(crandom1, ch->buffer().data() + 2, random_len); 628 memcpy(srandom1, sh->buffer().data() + 2, random_len); 629 EXPECT_NE(0, memcmp(crandom1, srandom1, random_len)); 630 EXPECT_NE(0, memcmp(crandom1, z, random_len)); 631 EXPECT_NE(0, memcmp(srandom1, z, random_len)); 632 633 Reset(); 634 ch = MakeTlsFilter<TlsHandshakeRecorder>(client_, ssl_hs_client_hello); 635 sh = MakeTlsFilter<TlsHandshakeRecorder>(server_, ssl_hs_server_hello); 636 Connect(); 637 ASSERT_TRUE(ch->buffer().len() > (random_len + 2)); 638 ASSERT_TRUE(sh->buffer().len() > (random_len + 2)); 639 const uint8_t* crandom2 = ch->buffer().data() + 2; 640 const uint8_t* srandom2 = sh->buffer().data() + 2; 641 642 EXPECT_NE(0, memcmp(crandom2, srandom2, random_len)); 643 EXPECT_NE(0, memcmp(crandom2, z, random_len)); 644 EXPECT_NE(0, memcmp(srandom2, z, random_len)); 645 646 EXPECT_NE(0, memcmp(crandom1, crandom2, random_len)); 647 EXPECT_NE(0, memcmp(crandom1, srandom2, random_len)); 648 EXPECT_NE(0, memcmp(srandom1, crandom2, random_len)); 649 EXPECT_NE(0, memcmp(srandom1, srandom2, random_len)); 650 } 651 652 void FailOnCloseNotify(const PRFileDesc* fd, void* arg, const SSLAlert* alert) { 653 ADD_FAILURE() << "received alert " << alert->description; 654 } 655 656 void CheckCloseNotify(const PRFileDesc* fd, void* arg, const SSLAlert* alert) { 657 *reinterpret_cast<bool*>(arg) = true; 658 EXPECT_EQ(close_notify, alert->description); 659 EXPECT_EQ(alert_warning, alert->level); 660 } 661 662 TEST_P(TlsConnectGeneric, ShutdownOneSide) { 663 Connect(); 664 665 // Setup to check alerts. 666 EXPECT_EQ(SECSuccess, SSL_AlertSentCallback(server_->ssl_fd(), 667 FailOnCloseNotify, nullptr)); 668 EXPECT_EQ(SECSuccess, SSL_AlertReceivedCallback(client_->ssl_fd(), 669 FailOnCloseNotify, nullptr)); 670 671 bool client_sent = false; 672 EXPECT_EQ(SECSuccess, SSL_AlertSentCallback(client_->ssl_fd(), 673 CheckCloseNotify, &client_sent)); 674 bool server_received = false; 675 EXPECT_EQ(SECSuccess, 676 SSL_AlertReceivedCallback(server_->ssl_fd(), CheckCloseNotify, 677 &server_received)); 678 EXPECT_EQ(PR_SUCCESS, PR_Shutdown(client_->ssl_fd(), PR_SHUTDOWN_SEND)); 679 680 // Make sure that the server reads out the close_notify. 681 uint8_t buf[10]; 682 EXPECT_EQ(0, PR_Read(server_->ssl_fd(), buf, sizeof(buf))); 683 684 // Reading and writing should still work in the one open direction. 685 EXPECT_TRUE(client_sent); 686 EXPECT_TRUE(server_received); 687 server_->SendData(10, 10); 688 client_->ReadBytes(10); 689 690 // Now close the other side and do the same checks. 691 bool server_sent = false; 692 EXPECT_EQ(SECSuccess, SSL_AlertSentCallback(server_->ssl_fd(), 693 CheckCloseNotify, &server_sent)); 694 bool client_received = false; 695 EXPECT_EQ(SECSuccess, 696 SSL_AlertReceivedCallback(client_->ssl_fd(), CheckCloseNotify, 697 &client_received)); 698 EXPECT_EQ(PR_SUCCESS, PR_Shutdown(server_->ssl_fd(), PR_SHUTDOWN_SEND)); 699 700 EXPECT_EQ(0, PR_Read(client_->ssl_fd(), buf, sizeof(buf))); 701 EXPECT_TRUE(server_sent); 702 EXPECT_TRUE(client_received); 703 } 704 705 TEST_P(TlsConnectGeneric, ShutdownOneSideThenCloseTcp) { 706 Connect(); 707 708 bool client_sent = false; 709 EXPECT_EQ(SECSuccess, SSL_AlertSentCallback(client_->ssl_fd(), 710 CheckCloseNotify, &client_sent)); 711 bool server_received = false; 712 EXPECT_EQ(SECSuccess, 713 SSL_AlertReceivedCallback(server_->ssl_fd(), CheckCloseNotify, 714 &server_received)); 715 EXPECT_EQ(PR_SUCCESS, PR_Shutdown(client_->ssl_fd(), PR_SHUTDOWN_SEND)); 716 717 // Make sure that the server reads out the close_notify. 718 uint8_t buf[10]; 719 EXPECT_EQ(0, PR_Read(server_->ssl_fd(), buf, sizeof(buf))); 720 721 // Now simulate the underlying connection closing. 722 client_->adapter()->Reset(); 723 724 // Now close the other side and see that things don't explode. 725 EXPECT_EQ(PR_SUCCESS, PR_Shutdown(server_->ssl_fd(), PR_SHUTDOWN_SEND)); 726 727 EXPECT_GT(0, PR_Read(client_->ssl_fd(), buf, sizeof(buf))); 728 EXPECT_EQ(PR_NOT_CONNECTED_ERROR, PR_GetError()); 729 } 730 731 INSTANTIATE_TEST_SUITE_P( 732 GenericStream, TlsConnectGeneric, 733 ::testing::Combine(TlsConnectTestBase::kTlsVariantsStream, 734 TlsConnectTestBase::kTlsVAll)); 735 INSTANTIATE_TEST_SUITE_P( 736 GenericDatagram, TlsConnectGeneric, 737 ::testing::Combine(TlsConnectTestBase::kTlsVariantsDatagram, 738 TlsConnectTestBase::kTlsV11Plus)); 739 740 INSTANTIATE_TEST_SUITE_P(StreamOnly, TlsConnectStream, 741 TlsConnectTestBase::kTlsVAll); 742 INSTANTIATE_TEST_SUITE_P(DatagramOnly, TlsConnectDatagram, 743 TlsConnectTestBase::kTlsV11Plus); 744 INSTANTIATE_TEST_SUITE_P(DatagramHolddown, TlsHolddownTest, 745 TlsConnectTestBase::kTlsV11Plus); 746 747 INSTANTIATE_TEST_SUITE_P( 748 Pre12Stream, TlsConnectPre12, 749 ::testing::Combine(TlsConnectTestBase::kTlsVariantsStream, 750 TlsConnectTestBase::kTlsV10V11)); 751 INSTANTIATE_TEST_SUITE_P( 752 Pre12Datagram, TlsConnectPre12, 753 ::testing::Combine(TlsConnectTestBase::kTlsVariantsDatagram, 754 TlsConnectTestBase::kTlsV11)); 755 756 INSTANTIATE_TEST_SUITE_P(Version12Only, TlsConnectTls12, 757 TlsConnectTestBase::kTlsVariantsAll); 758 #ifndef NSS_DISABLE_TLS_1_3 759 INSTANTIATE_TEST_SUITE_P(Version13Only, TlsConnectTls13, 760 TlsConnectTestBase::kTlsVariantsAll); 761 #endif 762 763 INSTANTIATE_TEST_SUITE_P( 764 Pre13Stream, TlsConnectGenericPre13, 765 ::testing::Combine(TlsConnectTestBase::kTlsVariantsStream, 766 TlsConnectTestBase::kTlsV10ToV12)); 767 INSTANTIATE_TEST_SUITE_P( 768 Pre13Datagram, TlsConnectGenericPre13, 769 ::testing::Combine(TlsConnectTestBase::kTlsVariantsDatagram, 770 TlsConnectTestBase::kTlsV11V12)); 771 INSTANTIATE_TEST_SUITE_P(Pre13StreamOnly, TlsConnectStreamPre13, 772 TlsConnectTestBase::kTlsV10ToV12); 773 774 INSTANTIATE_TEST_SUITE_P(Version12Plus, TlsConnectTls12Plus, 775 ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll, 776 TlsConnectTestBase::kTlsV12Plus)); 777 778 INSTANTIATE_TEST_SUITE_P( 779 GenericStream, TlsConnectGenericResumption, 780 ::testing::Combine(TlsConnectTestBase::kTlsVariantsStream, 781 TlsConnectTestBase::kTlsVAll, 782 ::testing::Values(true, false))); 783 INSTANTIATE_TEST_SUITE_P( 784 GenericDatagram, TlsConnectGenericResumption, 785 ::testing::Combine(TlsConnectTestBase::kTlsVariantsDatagram, 786 TlsConnectTestBase::kTlsV11Plus, 787 ::testing::Values(true, false))); 788 789 INSTANTIATE_TEST_SUITE_P( 790 GenericStream, TlsConnectGenericResumptionToken, 791 ::testing::Combine(TlsConnectTestBase::kTlsVariantsStream, 792 TlsConnectTestBase::kTlsVAll)); 793 INSTANTIATE_TEST_SUITE_P( 794 GenericDatagram, TlsConnectGenericResumptionToken, 795 ::testing::Combine(TlsConnectTestBase::kTlsVariantsDatagram, 796 TlsConnectTestBase::kTlsV11Plus)); 797 798 INSTANTIATE_TEST_SUITE_P(GenericDatagram, TlsConnectTls13ResumptionToken, 799 TlsConnectTestBase::kTlsVariantsAll); 800 801 } // namespace nss_test