tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git
Log | Files | Refs | README | LICENSE

ssl_renegotiation_unittest.cc (7764B)

      1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
      2 /* vim: set ts=2 et sw=2 tw=80: */
      3 /* This Source Code Form is subject to the terms of the Mozilla Public
      4 * License, v. 2.0. If a copy of the MPL was not distributed with this file,
      5 * You can obtain one at http://mozilla.org/MPL/2.0/. */
      6 
      7 #include <functional>
      8 #include <memory>
      9 #include "secerr.h"
     10 #include "ssl.h"
     11 #include "sslerr.h"
     12 #include "sslproto.h"
     13 
     14 extern "C" {
     15 // This is not something that should make you happy.
     16 #include "libssl_internals.h"
     17 }
     18 
     19 #include "gtest_utils.h"
     20 #include "tls_connect.h"
     21 
     22 namespace nss_test {
     23 
     24 // 1.3 is disabled in the next few tests because we don't
     25 // presently support resumption in 1.3.
     26 TEST_P(TlsConnectStreamPre13, RenegotiateClient) {
     27  Connect();
     28  server_->PrepareForRenegotiate();
     29  client_->StartRenegotiate();
     30  Handshake();
     31  CheckConnected();
     32 }
     33 
     34 TEST_P(TlsConnectStreamPre13, RenegotiateServer) {
     35  Connect();
     36  client_->PrepareForRenegotiate();
     37  server_->StartRenegotiate();
     38  Handshake();
     39  CheckConnected();
     40 }
     41 
     42 TEST_P(TlsConnectStreamPre13, RenegotiateRandoms) {
     43  SSL3Random crand1, crand2, srand1, srand2;
     44  Connect();
     45  EXPECT_EQ(SECSuccess,
     46            SSLInt_GetHandshakeRandoms(client_->ssl_fd(), crand1, srand1));
     47 
     48  // Renegotiate and check that both randoms have changed.
     49  client_->PrepareForRenegotiate();
     50  server_->StartRenegotiate();
     51  Handshake();
     52  CheckConnected();
     53  EXPECT_EQ(SECSuccess,
     54            SSLInt_GetHandshakeRandoms(client_->ssl_fd(), crand2, srand2));
     55 
     56  EXPECT_NE(0, memcmp(crand1, crand2, sizeof(SSL3Random)));
     57  EXPECT_NE(0, memcmp(srand1, srand2, sizeof(SSL3Random)));
     58 }
     59 
     60 // The renegotiation options shouldn't cause an error if TLS 1.3 is chosen.
     61 TEST_F(TlsConnectTest, RenegotiationConfigTls13) {
     62  EnsureTlsSetup();
     63  ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
     64  server_->SetOption(SSL_ENABLE_RENEGOTIATION, SSL_RENEGOTIATE_UNRESTRICTED);
     65  server_->SetOption(SSL_REQUIRE_SAFE_NEGOTIATION, PR_TRUE);
     66  Connect();
     67  SendReceive();
     68  CheckKeys();
     69 }
     70 
     71 TEST_P(TlsConnectStream, ConnectTls10AndServerRenegotiateHigher) {
     72  if (version_ == SSL_LIBRARY_VERSION_TLS_1_0) {
     73    GTEST_SKIP();
     74  }
     75  // Set the client so it will accept any version from 1.0
     76  // to |version_|.
     77  client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_0, version_);
     78  server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_0,
     79                           SSL_LIBRARY_VERSION_TLS_1_0);
     80  // Reset version so that the checks succeed.
     81  uint16_t test_version = version_;
     82  version_ = SSL_LIBRARY_VERSION_TLS_1_0;
     83  Connect();
     84 
     85  // Now renegotiate, with the server being set to do
     86  // |version_|.
     87  client_->PrepareForRenegotiate();
     88  server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_0, test_version);
     89  // Reset version and cipher suite so that the preinfo callback
     90  // doesn't fail.
     91  server_->ResetPreliminaryInfo();
     92  server_->StartRenegotiate();
     93 
     94  if (test_version >= SSL_LIBRARY_VERSION_TLS_1_3) {
     95    ExpectAlert(server_, kTlsAlertUnexpectedMessage);
     96  } else {
     97    ExpectAlert(server_, kTlsAlertProtocolVersion);
     98  }
     99 
    100  Handshake();
    101  if (test_version >= SSL_LIBRARY_VERSION_TLS_1_3) {
    102    // In TLS 1.3, the server detects this problem.
    103    client_->CheckErrorCode(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT);
    104    server_->CheckErrorCode(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED);
    105  } else {
    106    client_->CheckErrorCode(SSL_ERROR_PROTOCOL_VERSION_ALERT);
    107    server_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_VERSION);
    108  }
    109 }
    110 
    111 TEST_P(TlsConnectStream, ConnectTls10AndClientRenegotiateHigher) {
    112  if (version_ == SSL_LIBRARY_VERSION_TLS_1_0) {
    113    GTEST_SKIP();
    114  }
    115  // Set the client so it will accept any version from 1.0
    116  // to |version_|.
    117  client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_0, version_);
    118  server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_0,
    119                           SSL_LIBRARY_VERSION_TLS_1_0);
    120  // Reset version so that the checks succeed.
    121  uint16_t test_version = version_;
    122  version_ = SSL_LIBRARY_VERSION_TLS_1_0;
    123  Connect();
    124 
    125  // Now renegotiate, with the server being set to do
    126  // |version_|.
    127  server_->PrepareForRenegotiate();
    128  server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_0, test_version);
    129  // Reset version and cipher suite so that the preinfo callback
    130  // doesn't fail.
    131  server_->ResetPreliminaryInfo();
    132  client_->StartRenegotiate();
    133  if (test_version >= SSL_LIBRARY_VERSION_TLS_1_3) {
    134    ExpectAlert(server_, kTlsAlertUnexpectedMessage);
    135  } else {
    136    ExpectAlert(server_, kTlsAlertProtocolVersion);
    137  }
    138  Handshake();
    139  if (test_version >= SSL_LIBRARY_VERSION_TLS_1_3) {
    140    // In TLS 1.3, the server detects this problem.
    141    client_->CheckErrorCode(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT);
    142    server_->CheckErrorCode(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED);
    143  } else {
    144    client_->CheckErrorCode(SSL_ERROR_PROTOCOL_VERSION_ALERT);
    145    server_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_VERSION);
    146  }
    147 }
    148 
    149 TEST_P(TlsConnectStream, ConnectAndServerRenegotiateLower) {
    150  if (version_ == SSL_LIBRARY_VERSION_TLS_1_0) {
    151    GTEST_SKIP();
    152  }
    153  Connect();
    154 
    155  // Now renegotiate with the server set to TLS 1.0.
    156  client_->PrepareForRenegotiate();
    157  server_->PrepareForRenegotiate();
    158  client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_0, version_);
    159  // Reset version and cipher suite so that the preinfo callback
    160  // doesn't fail.
    161  server_->ResetPreliminaryInfo();
    162 
    163  SECStatus rv = SSL_ReHandshake(server_->ssl_fd(), PR_TRUE);
    164  if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) {
    165    EXPECT_EQ(SECFailure, rv);
    166    return;
    167  }
    168  ASSERT_EQ(SECSuccess, rv);
    169 
    170  // Now, before handshaking, tweak the server configuration.
    171  server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_0,
    172                           SSL_LIBRARY_VERSION_TLS_1_0);
    173 
    174  // The server should catch the own error.
    175  ExpectAlert(server_, kTlsAlertProtocolVersion);
    176 
    177  Handshake();
    178  client_->CheckErrorCode(SSL_ERROR_PROTOCOL_VERSION_ALERT);
    179  server_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_VERSION);
    180 }
    181 
    182 TEST_P(TlsConnectStream, ConnectAndServerWontRenegotiateLower) {
    183  if (version_ == SSL_LIBRARY_VERSION_TLS_1_0) {
    184    GTEST_SKIP();
    185  }
    186  Connect();
    187 
    188  // Now renegotiate with the server set to TLS 1.0.
    189  client_->PrepareForRenegotiate();
    190  server_->PrepareForRenegotiate();
    191  client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_0, version_);
    192  server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_0,
    193                           SSL_LIBRARY_VERSION_TLS_1_0);
    194  // Reset version and cipher suite so that the preinfo callback
    195  // doesn't fail.
    196  server_->ResetPreliminaryInfo();
    197 
    198  EXPECT_EQ(SECFailure, SSL_ReHandshake(server_->ssl_fd(), PR_TRUE));
    199 }
    200 
    201 TEST_P(TlsConnectStream, ConnectAndClientWontRenegotiateLower) {
    202  if (version_ == SSL_LIBRARY_VERSION_TLS_1_0) {
    203    GTEST_SKIP();
    204  }
    205  Connect();
    206 
    207  // Now renegotiate with the client set to TLS 1.0.
    208  client_->PrepareForRenegotiate();
    209  server_->PrepareForRenegotiate();
    210  server_->ResetPreliminaryInfo();
    211  client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_0,
    212                           SSL_LIBRARY_VERSION_TLS_1_0);
    213  // The client will refuse to renegotiate down.
    214  EXPECT_EQ(SECFailure, SSL_ReHandshake(client_->ssl_fd(), PR_TRUE));
    215 }
    216 
    217 TEST_F(TlsConnectTest, Tls13RejectsRehandshakeClient) {
    218  EnsureTlsSetup();
    219  ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
    220  Connect();
    221  SECStatus rv = SSL_ReHandshake(client_->ssl_fd(), PR_TRUE);
    222  EXPECT_EQ(SECFailure, rv);
    223  EXPECT_EQ(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED, PORT_GetError());
    224 }
    225 
    226 TEST_F(TlsConnectTest, Tls13RejectsRehandshakeServer) {
    227  EnsureTlsSetup();
    228  ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
    229  Connect();
    230  SECStatus rv = SSL_ReHandshake(server_->ssl_fd(), PR_TRUE);
    231  EXPECT_EQ(SECFailure, rv);
    232  EXPECT_EQ(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED, PORT_GetError());
    233 }
    234 
    235 }  // namespace nss_test