ssl_resumption_unittest.cc (50030B)
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ 2 /* vim: set ts=2 et sw=2 tw=80: */ 3 /* This Source Code Form is subject to the terms of the Mozilla Public 4 * License, v. 2.0. If a copy of the MPL was not distributed with this file, 5 * You can obtain one at http://mozilla.org/MPL/2.0/. */ 6 7 #include <functional> 8 #include <memory> 9 #include "secerr.h" 10 #include "ssl.h" 11 #include "sslerr.h" 12 #include "sslexp.h" 13 #include "sslproto.h" 14 15 extern "C" { 16 // This is not something that should make you happy. 17 #include "libssl_internals.h" 18 } 19 20 #include "gtest_utils.h" 21 #include "nss_scoped_ptrs.h" 22 #include "scoped_ptrs_ssl.h" 23 #include "tls_connect.h" 24 #include "tls_filter.h" 25 #include "tls_parser.h" 26 #include "tls_protect.h" 27 28 namespace nss_test { 29 30 class TlsServerKeyExchangeEcdhe { 31 public: 32 bool Parse(const DataBuffer& buffer) { 33 TlsParser parser(buffer); 34 35 uint8_t curve_type; 36 if (!parser.Read(&curve_type)) { 37 return false; 38 } 39 40 if (curve_type != 3) { // named_curve 41 return false; 42 } 43 44 uint32_t named_curve; 45 if (!parser.Read(&named_curve, 2)) { 46 return false; 47 } 48 49 return parser.ReadVariable(&public_key_, 1); 50 } 51 52 DataBuffer public_key_; 53 }; 54 55 TEST_P(TlsConnectGenericPre13, ConnectResumed) { 56 ConfigureSessionCache(RESUME_SESSIONID, RESUME_SESSIONID); 57 Connect(); 58 59 Reset(); 60 ExpectResumption(RESUME_SESSIONID); 61 Connect(); 62 } 63 64 TEST_P(TlsConnectGenericResumption, ConnectClientCacheDisabled) { 65 ConfigureSessionCache(RESUME_NONE, RESUME_SESSIONID); 66 Connect(); 67 SendReceive(); 68 69 Reset(); 70 ExpectResumption(RESUME_NONE); 71 Connect(); 72 SendReceive(); 73 } 74 75 TEST_P(TlsConnectGenericResumption, ConnectServerCacheDisabled) { 76 ConfigureSessionCache(RESUME_SESSIONID, RESUME_NONE); 77 Connect(); 78 SendReceive(); 79 80 Reset(); 81 ExpectResumption(RESUME_NONE); 82 Connect(); 83 SendReceive(); 84 } 85 86 TEST_P(TlsConnectGenericResumption, ConnectSessionCacheDisabled) { 87 ConfigureSessionCache(RESUME_NONE, RESUME_NONE); 88 Connect(); 89 SendReceive(); 90 91 Reset(); 92 ExpectResumption(RESUME_NONE); 93 Connect(); 94 SendReceive(); 95 } 96 97 TEST_P(TlsConnectGenericResumption, ConnectResumeSupportBoth) { 98 // This prefers tickets. 99 ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH); 100 Connect(); 101 SendReceive(); 102 103 Reset(); 104 ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH); 105 ExpectResumption(RESUME_TICKET); 106 Connect(); 107 SendReceive(); 108 } 109 110 TEST_P(TlsConnectGenericResumption, ConnectResumeClientTicketServerBoth) { 111 // This causes no resumption because the client needs the 112 // session cache to resume even with tickets. 113 ConfigureSessionCache(RESUME_TICKET, RESUME_BOTH); 114 Connect(); 115 SendReceive(); 116 117 Reset(); 118 ConfigureSessionCache(RESUME_TICKET, RESUME_BOTH); 119 ExpectResumption(RESUME_NONE); 120 Connect(); 121 SendReceive(); 122 } 123 124 TEST_P(TlsConnectGenericResumption, ConnectResumeClientBothTicketServerTicket) { 125 // This causes a ticket resumption. 126 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 127 Connect(); 128 SendReceive(); 129 130 Reset(); 131 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 132 ExpectResumption(RESUME_TICKET); 133 Connect(); 134 SendReceive(); 135 } 136 137 TEST_P(TlsConnectGenericResumption, ConnectResumeClientServerTicketOnly) { 138 // This causes no resumption because the client needs the 139 // session cache to resume even with tickets. 140 ConfigureSessionCache(RESUME_TICKET, RESUME_TICKET); 141 Connect(); 142 SendReceive(); 143 144 Reset(); 145 ConfigureSessionCache(RESUME_TICKET, RESUME_TICKET); 146 ExpectResumption(RESUME_NONE); 147 Connect(); 148 SendReceive(); 149 } 150 151 TEST_P(TlsConnectGenericResumption, ConnectResumeClientBothServerNone) { 152 ConfigureSessionCache(RESUME_BOTH, RESUME_NONE); 153 Connect(); 154 SendReceive(); 155 156 Reset(); 157 ConfigureSessionCache(RESUME_BOTH, RESUME_NONE); 158 ExpectResumption(RESUME_NONE); 159 Connect(); 160 SendReceive(); 161 } 162 163 TEST_P(TlsConnectGenericResumption, ConnectResumeClientNoneServerBoth) { 164 ConfigureSessionCache(RESUME_NONE, RESUME_BOTH); 165 Connect(); 166 SendReceive(); 167 168 Reset(); 169 ConfigureSessionCache(RESUME_NONE, RESUME_BOTH); 170 ExpectResumption(RESUME_NONE); 171 Connect(); 172 SendReceive(); 173 } 174 175 TEST_P(TlsConnectGenericPre13, ResumeWithHigherVersionTls13) { 176 uint16_t lower_version = version_; 177 ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH); 178 Connect(); 179 SendReceive(); 180 CheckKeys(); 181 182 Reset(); 183 ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH); 184 EnsureTlsSetup(); 185 auto psk_ext = std::make_shared<TlsExtensionCapture>( 186 client_, ssl_tls13_pre_shared_key_xtn); 187 auto ticket_ext = 188 std::make_shared<TlsExtensionCapture>(client_, ssl_session_ticket_xtn); 189 client_->SetFilter(std::make_shared<ChainedPacketFilter>( 190 ChainedPacketFilterInit({psk_ext, ticket_ext}))); 191 SetExpectedVersion(SSL_LIBRARY_VERSION_TLS_1_3); 192 client_->SetVersionRange(lower_version, SSL_LIBRARY_VERSION_TLS_1_3); 193 server_->SetVersionRange(lower_version, SSL_LIBRARY_VERSION_TLS_1_3); 194 ExpectResumption(RESUME_NONE); 195 Connect(); 196 197 // The client shouldn't have sent a PSK, though it will send a ticket. 198 EXPECT_FALSE(psk_ext->captured()); 199 EXPECT_TRUE(ticket_ext->captured()); 200 } 201 202 class CaptureSessionId : public TlsHandshakeFilter { 203 public: 204 CaptureSessionId(const std::shared_ptr<TlsAgent>& a) 205 : TlsHandshakeFilter( 206 a, {kTlsHandshakeClientHello, kTlsHandshakeServerHello}), 207 sid_() {} 208 209 const DataBuffer& sid() const { return sid_; } 210 211 protected: 212 PacketFilter::Action FilterHandshake(const HandshakeHeader& header, 213 const DataBuffer& input, 214 DataBuffer* output) override { 215 // The session_id is in the same place in both Hello messages: 216 size_t offset = 2 + 32; // Version(2) + Random(32) 217 uint32_t len = 0; 218 EXPECT_TRUE(input.Read(offset, 1, &len)); 219 offset++; 220 if (input.len() < offset + len) { 221 ADD_FAILURE() << "session_id overflows the Hello message"; 222 return KEEP; 223 } 224 sid_.Assign(input.data() + offset, len); 225 return KEEP; 226 } 227 228 private: 229 DataBuffer sid_; 230 }; 231 232 // Attempting to resume from TLS 1.2 when 1.3 is possible should not result in 233 // resumption, though it will appear to be TLS 1.3 compatibility mode if the 234 // server uses a session ID. 235 TEST_P(TlsConnectGenericPre13, ResumeWithHigherVersionTls13SessionId) { 236 uint16_t lower_version = version_; 237 ConfigureSessionCache(RESUME_SESSIONID, RESUME_SESSIONID); 238 auto original_sid = MakeTlsFilter<CaptureSessionId>(server_); 239 Connect(); 240 CheckKeys(); 241 EXPECT_EQ(32U, original_sid->sid().len()); 242 243 // The client should now attempt to resume with the session ID from the last 244 // connection. This looks like compatibility mode, we just want to ensure 245 // that we get TLS 1.3 rather than 1.2 (and no resumption). 246 Reset(); 247 auto client_sid = MakeTlsFilter<CaptureSessionId>(client_); 248 auto server_sid = MakeTlsFilter<CaptureSessionId>(server_); 249 ConfigureSessionCache(RESUME_SESSIONID, RESUME_SESSIONID); 250 SetExpectedVersion(SSL_LIBRARY_VERSION_TLS_1_3); 251 client_->SetVersionRange(lower_version, SSL_LIBRARY_VERSION_TLS_1_3); 252 server_->SetVersionRange(lower_version, SSL_LIBRARY_VERSION_TLS_1_3); 253 ExpectResumption(RESUME_NONE); 254 255 Connect(); 256 SendReceive(); 257 258 EXPECT_EQ(client_sid->sid(), original_sid->sid()); 259 if (variant_ == ssl_variant_stream) { 260 EXPECT_EQ(client_sid->sid(), server_sid->sid()); 261 } else { 262 // DTLS servers don't echo the session ID. 263 EXPECT_EQ(0U, server_sid->sid().len()); 264 } 265 } 266 267 TEST_P(TlsConnectPre12, ResumeWithHigherVersionTls12) { 268 uint16_t lower_version = version_; 269 ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH); 270 Connect(); 271 272 Reset(); 273 ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH); 274 EnsureTlsSetup(); 275 SetExpectedVersion(SSL_LIBRARY_VERSION_TLS_1_3); 276 client_->SetVersionRange(lower_version, SSL_LIBRARY_VERSION_TLS_1_3); 277 server_->SetVersionRange(lower_version, SSL_LIBRARY_VERSION_TLS_1_3); 278 ExpectResumption(RESUME_NONE); 279 Connect(); 280 } 281 282 TEST_P(TlsConnectGenericPre13, ResumeWithLowerVersionFromTls13) { 283 uint16_t original_version = version_; 284 ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH); 285 ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3); 286 Connect(); 287 SendReceive(); 288 CheckKeys(); 289 290 Reset(); 291 ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH); 292 ConfigureVersion(original_version); 293 ExpectResumption(RESUME_NONE); 294 Connect(); 295 SendReceive(); 296 } 297 298 TEST_P(TlsConnectPre12, ResumeWithLowerVersionFromTls12) { 299 uint16_t original_version = version_; 300 ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH); 301 ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_2); 302 Connect(); 303 SendReceive(); 304 CheckKeys(); 305 306 Reset(); 307 ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH); 308 ConfigureVersion(original_version); 309 ExpectResumption(RESUME_NONE); 310 Connect(); 311 SendReceive(); 312 } 313 314 TEST_P(TlsConnectGeneric, ConnectResumeClientBothTicketServerTicketForget) { 315 // This causes a ticket resumption. 316 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 317 Connect(); 318 SendReceive(); 319 320 Reset(); 321 ClearServerCache(); 322 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 323 ExpectResumption(RESUME_NONE); 324 Connect(); 325 SendReceive(); 326 } 327 328 // Tickets last two days maximum; this is a time longer than that. 329 static const PRTime kLongerThanTicketLifetime = 330 3LL * 24 * 60 * 60 * PR_USEC_PER_SEC; 331 332 TEST_P(TlsConnectGenericResumption, ConnectWithExpiredTicketAtClient) { 333 // This causes a ticket resumption. 334 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 335 Connect(); 336 SendReceive(); 337 338 AdvanceTime(kLongerThanTicketLifetime); 339 340 Reset(); 341 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 342 ExpectResumption(RESUME_NONE); 343 344 // TLS 1.3 uses the pre-shared key extension instead. 345 SSLExtensionType xtn = (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) 346 ? ssl_tls13_pre_shared_key_xtn 347 : ssl_session_ticket_xtn; 348 auto capture = MakeTlsFilter<TlsExtensionCapture>(client_, xtn); 349 Connect(); 350 351 if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) { 352 EXPECT_FALSE(capture->captured()); 353 } else { 354 EXPECT_TRUE(capture->captured()); 355 EXPECT_EQ(0U, capture->extension().len()); 356 } 357 } 358 359 TEST_P(TlsConnectGeneric, ConnectWithExpiredTicketAtServer) { 360 // This causes a ticket resumption. 361 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 362 Connect(); 363 SendReceive(); 364 365 Reset(); 366 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 367 ExpectResumption(RESUME_NONE); 368 369 SSLExtensionType xtn = (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) 370 ? ssl_tls13_pre_shared_key_xtn 371 : ssl_session_ticket_xtn; 372 auto capture = MakeTlsFilter<TlsExtensionCapture>(client_, xtn); 373 StartConnect(); 374 client_->Handshake(); 375 EXPECT_TRUE(capture->captured()); 376 EXPECT_LT(0U, capture->extension().len()); 377 378 AdvanceTime(kLongerThanTicketLifetime); 379 380 Handshake(); 381 CheckConnected(); 382 } 383 384 TEST_P(TlsConnectGeneric, ConnectResumeCorruptTicket) { 385 // This causes a ticket resumption. 386 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 387 Connect(); 388 SendReceive(); 389 390 Reset(); 391 static const uint8_t kHmacKey1Buf[32] = {0}; 392 static const DataBuffer kHmacKey1(kHmacKey1Buf, sizeof(kHmacKey1Buf)); 393 394 SECItem key_item = {siBuffer, const_cast<uint8_t*>(kHmacKey1Buf), 395 sizeof(kHmacKey1Buf)}; 396 397 ScopedPK11SlotInfo slot(PK11_GetInternalSlot()); 398 PK11SymKey* hmac_key = 399 PK11_ImportSymKey(slot.get(), CKM_SHA256_HMAC, PK11_OriginUnwrap, 400 CKA_SIGN, &key_item, nullptr); 401 ASSERT_NE(nullptr, hmac_key); 402 SSLInt_SetSelfEncryptMacKey(hmac_key); 403 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 404 if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) { 405 ExpectResumption(RESUME_NONE); 406 Connect(); 407 } else { 408 ConnectExpectAlert(server_, illegal_parameter); 409 server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO); 410 } 411 } 412 413 // This callback switches out the "server" cert used on the server with 414 // the "client" certificate, which should be the same type. 415 static int32_t SwitchCertificates(TlsAgent* agent, const SECItem* srvNameArr, 416 uint32_t srvNameArrSize) { 417 bool ok = agent->ConfigServerCert("client"); 418 if (!ok) return SSL_SNI_SEND_ALERT; 419 420 return 0; // first config 421 }; 422 423 TEST_P(TlsConnectGeneric, ServerSNICertSwitch) { 424 Connect(); 425 ScopedCERTCertificate cert1(SSL_PeerCertificate(client_->ssl_fd())); 426 ASSERT_NE(nullptr, cert1.get()); 427 428 Reset(); 429 ConfigureSessionCache(RESUME_NONE, RESUME_NONE); 430 431 server_->SetSniCallback(SwitchCertificates); 432 433 Connect(); 434 ScopedCERTCertificate cert2(SSL_PeerCertificate(client_->ssl_fd())); 435 ASSERT_NE(nullptr, cert2.get()); 436 CheckKeys(); 437 EXPECT_FALSE(SECITEM_ItemsAreEqual(&cert1->derCert, &cert2->derCert)); 438 } 439 440 TEST_P(TlsConnectGeneric, ServerSNICertTypeSwitch) { 441 Reset(TlsAgent::kServerEcdsa256); 442 Connect(); 443 ScopedCERTCertificate cert1(SSL_PeerCertificate(client_->ssl_fd())); 444 ASSERT_NE(nullptr, cert1.get()); 445 446 Reset(); 447 ConfigureSessionCache(RESUME_NONE, RESUME_NONE); 448 449 // Because we configure an RSA certificate here, it only adds a second, unused 450 // certificate, which has no effect on what the server uses. 451 server_->SetSniCallback(SwitchCertificates); 452 453 Connect(); 454 ScopedCERTCertificate cert2(SSL_PeerCertificate(client_->ssl_fd())); 455 ASSERT_NE(nullptr, cert2.get()); 456 CheckKeys(ssl_auth_ecdsa); 457 EXPECT_TRUE(SECITEM_ItemsAreEqual(&cert1->derCert, &cert2->derCert)); 458 } 459 460 TEST_P(TlsConnectGenericPre13, ConnectEcdheTwiceReuseKey) { 461 auto filter = MakeTlsFilter<TlsHandshakeRecorder>( 462 server_, kTlsHandshakeServerKeyExchange); 463 EnableECDHEServerKeyReuse(); 464 Connect(); 465 CheckKeys(); 466 TlsServerKeyExchangeEcdhe dhe1; 467 EXPECT_TRUE(dhe1.Parse(filter->buffer())); 468 469 // Restart 470 Reset(); 471 EnableECDHEServerKeyReuse(); 472 auto filter2 = MakeTlsFilter<TlsHandshakeRecorder>( 473 server_, kTlsHandshakeServerKeyExchange); 474 ConfigureSessionCache(RESUME_NONE, RESUME_NONE); 475 Connect(); 476 CheckKeys(); 477 478 TlsServerKeyExchangeEcdhe dhe2; 479 EXPECT_TRUE(dhe2.Parse(filter2->buffer())); 480 481 // Make sure they are the same. 482 EXPECT_EQ(dhe1.public_key_.len(), dhe2.public_key_.len()); 483 EXPECT_TRUE(!memcmp(dhe1.public_key_.data(), dhe2.public_key_.data(), 484 dhe1.public_key_.len())); 485 } 486 487 // This test parses the ServerKeyExchange, which isn't in 1.3 488 TEST_P(TlsConnectGenericPre13, ConnectEcdheTwiceNewKey) { 489 auto filter = MakeTlsFilter<TlsHandshakeRecorder>( 490 server_, kTlsHandshakeServerKeyExchange); 491 Connect(); 492 CheckKeys(); 493 TlsServerKeyExchangeEcdhe dhe1; 494 EXPECT_TRUE(dhe1.Parse(filter->buffer())); 495 496 // Restart 497 Reset(); 498 auto filter2 = MakeTlsFilter<TlsHandshakeRecorder>( 499 server_, kTlsHandshakeServerKeyExchange); 500 ConfigureSessionCache(RESUME_NONE, RESUME_NONE); 501 Connect(); 502 CheckKeys(); 503 504 TlsServerKeyExchangeEcdhe dhe2; 505 EXPECT_TRUE(dhe2.Parse(filter2->buffer())); 506 507 // Make sure they are different. 508 EXPECT_FALSE((dhe1.public_key_.len() == dhe2.public_key_.len()) && 509 (!memcmp(dhe1.public_key_.data(), dhe2.public_key_.data(), 510 dhe1.public_key_.len()))); 511 } 512 513 // Verify that TLS 1.3 reports an accurate group on resumption. 514 TEST_P(TlsConnectTls13, TestTls13ResumeDifferentGroup) { 515 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 516 Connect(); 517 SendReceive(); // Need to read so that we absorb the session ticket. 518 CheckKeys(); 519 520 Reset(); 521 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 522 ExpectResumption(RESUME_TICKET); 523 client_->ConfigNamedGroups(kFFDHEGroups); 524 server_->ConfigNamedGroups(kFFDHEGroups); 525 Connect(); 526 CheckKeys(ssl_kea_dh, ssl_grp_ffdhe_2048, ssl_auth_rsa_sign, 527 ssl_sig_rsa_pss_rsae_sha256); 528 } 529 530 // Verify that TLS 1.3 server doesn't request certificate in the main 531 // handshake, after resumption. 532 TEST_P(TlsConnectTls13, TestTls13ResumeNoCertificateRequest) { 533 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 534 client_->SetupClientAuth(); 535 server_->RequestClientAuth(true); 536 Connect(); 537 SendReceive(); // Need to read so that we absorb the session ticket. 538 ScopedCERTCertificate cert1(SSL_LocalCertificate(client_->ssl_fd())); 539 ASSERT_NE(nullptr, cert1.get()); 540 541 Reset(); 542 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 543 ExpectResumption(RESUME_TICKET); 544 server_->RequestClientAuth(false); 545 auto cr_capture = 546 MakeTlsFilter<TlsHandshakeRecorder>(server_, ssl_hs_certificate_request); 547 cr_capture->EnableDecryption(); 548 Connect(); 549 SendReceive(); 550 EXPECT_EQ(0U, cr_capture->buffer().len()) << "expect nothing captured yet"; 551 552 // Sanity check whether the client certificate matches the one 553 // decrypted from ticket. 554 ScopedCERTCertificate cert2(SSL_PeerCertificate(server_->ssl_fd())); 555 ASSERT_NE(nullptr, cert2.get()); 556 EXPECT_TRUE(SECITEM_ItemsAreEqual(&cert1->derCert, &cert2->derCert)); 557 } 558 559 // Here we test that 0.5 RTT is available at the server when resuming, even if 560 // configured to request a client certificate. The resumed handshake relies on 561 // the authentication from the original handshake, so no certificate is 562 // requested this time around. The server can write before the handshake 563 // completes because the PSK binder is sufficient authentication for the client. 564 TEST_P(TlsConnectTls13, WriteBeforeHandshakeCompleteOnResumption) { 565 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 566 client_->SetupClientAuth(); 567 server_->RequestClientAuth(true); 568 Connect(); 569 SendReceive(); // Absorb the session ticket. 570 ScopedCERTCertificate cert1(SSL_LocalCertificate(client_->ssl_fd())); 571 ASSERT_NE(nullptr, cert1.get()); 572 573 Reset(); 574 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 575 ExpectResumption(RESUME_TICKET); 576 server_->RequestClientAuth(false); 577 StartConnect(); 578 client_->Handshake(); // ClientHello 579 server_->Handshake(); // ServerHello 580 581 server_->SendData(10); 582 client_->ReadBytes(10); // Client should emit the Finished as a side-effect. 583 server_->Handshake(); // Server consumes the Finished. 584 CheckConnected(); 585 586 // Check whether the client certificate matches the one from the ticket. 587 ScopedCERTCertificate cert2(SSL_PeerCertificate(server_->ssl_fd())); 588 ASSERT_NE(nullptr, cert2.get()); 589 EXPECT_TRUE(SECITEM_ItemsAreEqual(&cert1->derCert, &cert2->derCert)); 590 } 591 592 // We need to enable different cipher suites at different times in the following 593 // tests. Those cipher suites need to be suited to the version. 594 static uint16_t ChooseOneCipher(uint16_t version) { 595 if (version >= SSL_LIBRARY_VERSION_TLS_1_3) { 596 return TLS_AES_128_GCM_SHA256; 597 } 598 return TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA; 599 } 600 601 static uint16_t ChooseIncompatibleCipher(uint16_t version) { 602 if (version >= SSL_LIBRARY_VERSION_TLS_1_3) { 603 return TLS_AES_256_GCM_SHA384; 604 } 605 return TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA; 606 } 607 608 // Test that we don't resume when we can't negotiate the same cipher. Note that 609 // for TLS 1.3, resumption is allowed between compatible ciphers, that is those 610 // with the same KDF hash, but we choose an incompatible one here. 611 TEST_P(TlsConnectGenericResumption, ResumeClientIncompatibleCipher) { 612 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 613 client_->EnableSingleCipher(ChooseOneCipher(version_)); 614 Connect(); 615 SendReceive(); 616 CheckKeys(); 617 618 Reset(); 619 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 620 ExpectResumption(RESUME_NONE); 621 client_->EnableSingleCipher(ChooseIncompatibleCipher(version_)); 622 uint16_t ticket_extension; 623 if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) { 624 ticket_extension = ssl_tls13_pre_shared_key_xtn; 625 } else { 626 ticket_extension = ssl_session_ticket_xtn; 627 } 628 auto ticket_capture = 629 MakeTlsFilter<TlsExtensionCapture>(client_, ticket_extension); 630 Connect(); 631 CheckKeys(); 632 EXPECT_EQ(0U, ticket_capture->extension().len()); 633 } 634 635 // Test that we don't resume when we can't negotiate the same cipher. 636 TEST_P(TlsConnectGenericResumption, ResumeServerIncompatibleCipher) { 637 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 638 server_->EnableSingleCipher(ChooseOneCipher(version_)); 639 Connect(); 640 SendReceive(); // Absorb the session ticket. 641 CheckKeys(); 642 643 Reset(); 644 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 645 ExpectResumption(RESUME_NONE); 646 server_->EnableSingleCipher(ChooseIncompatibleCipher(version_)); 647 Connect(); 648 CheckKeys(); 649 } 650 651 // Test that the client doesn't tolerate the server picking a different cipher 652 // suite for resumption. 653 TEST_P(TlsConnectStream, ResumptionOverrideCipher) { 654 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 655 server_->EnableSingleCipher(ChooseOneCipher(version_)); 656 Connect(); 657 SendReceive(); 658 CheckKeys(); 659 660 Reset(); 661 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 662 MakeTlsFilter<SelectedCipherSuiteReplacer>( 663 server_, ChooseIncompatibleCipher(version_)); 664 665 if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) { 666 client_->ExpectSendAlert(kTlsAlertIllegalParameter); 667 server_->ExpectSendAlert(kTlsAlertUnexpectedMessage); 668 } else { 669 ExpectAlert(client_, kTlsAlertHandshakeFailure); 670 } 671 ConnectExpectFail(); 672 client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_SERVER_HELLO); 673 if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) { 674 // The reason this test is stream only: the server is unable to decrypt 675 // the alert that the client sends, see bug 1304603. 676 server_->CheckErrorCode(SSL_ERROR_RX_UNEXPECTED_RECORD_TYPE); 677 } else { 678 server_->CheckErrorCode(SSL_ERROR_HANDSHAKE_FAILURE_ALERT); 679 } 680 } 681 682 // In TLS 1.3, it is possible to resume with a different cipher if it has the 683 // same hash. 684 TEST_P(TlsConnectTls13, ResumeClientCompatibleCipher) { 685 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 686 client_->EnableSingleCipher(TLS_AES_128_GCM_SHA256); 687 Connect(); 688 SendReceive(); // Absorb the session ticket. 689 CheckKeys(); 690 691 Reset(); 692 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 693 ExpectResumption(RESUME_TICKET); 694 client_->EnableSingleCipher(TLS_CHACHA20_POLY1305_SHA256); 695 Connect(); 696 CheckKeys(); 697 } 698 699 TEST_P(TlsConnectTls13, ResumeServerCompatibleCipher) { 700 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 701 server_->EnableSingleCipher(TLS_AES_128_GCM_SHA256); 702 Connect(); 703 SendReceive(); // Absorb the session ticket. 704 CheckKeys(); 705 706 Reset(); 707 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 708 ExpectResumption(RESUME_TICKET); 709 server_->EnableSingleCipher(TLS_CHACHA20_POLY1305_SHA256); 710 Connect(); 711 CheckKeys(); 712 } 713 714 class SelectedVersionReplacer : public TlsHandshakeFilter { 715 public: 716 SelectedVersionReplacer(const std::shared_ptr<TlsAgent>& a, uint16_t version) 717 : TlsHandshakeFilter(a, {kTlsHandshakeServerHello}), version_(version) {} 718 719 protected: 720 PacketFilter::Action FilterHandshake(const HandshakeHeader& header, 721 const DataBuffer& input, 722 DataBuffer* output) override { 723 *output = input; 724 output->Write(0, static_cast<uint32_t>(version_), 2); 725 return CHANGE; 726 } 727 728 private: 729 uint16_t version_; 730 }; 731 732 // Test how the client handles the case where the server picks a 733 // lower version number on resumption. 734 TEST_P(TlsConnectGenericPre13, TestResumptionOverrideVersion) { 735 uint16_t override_version = 0; 736 if (variant_ == ssl_variant_stream) { 737 switch (version_) { 738 case SSL_LIBRARY_VERSION_TLS_1_0: 739 GTEST_SKIP(); 740 case SSL_LIBRARY_VERSION_TLS_1_1: 741 override_version = SSL_LIBRARY_VERSION_TLS_1_0; 742 break; 743 case SSL_LIBRARY_VERSION_TLS_1_2: 744 override_version = SSL_LIBRARY_VERSION_TLS_1_1; 745 break; 746 default: 747 ASSERT_TRUE(false) << "unknown version"; 748 } 749 } else { 750 if (version_ == SSL_LIBRARY_VERSION_TLS_1_2) { 751 override_version = SSL_LIBRARY_VERSION_DTLS_1_0_WIRE; 752 } else { 753 ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_1, version_); 754 GTEST_SKIP(); 755 } 756 } 757 758 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 759 // Need to use a cipher that is plausible for the lower version. 760 server_->EnableSingleCipher(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA); 761 Connect(); 762 CheckKeys(); 763 764 Reset(); 765 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 766 // Enable the lower version on the client. 767 client_->SetVersionRange(version_ - 1, version_); 768 server_->EnableSingleCipher(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA); 769 MakeTlsFilter<SelectedVersionReplacer>(server_, override_version); 770 771 ConnectExpectAlert(client_, kTlsAlertHandshakeFailure); 772 client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_SERVER_HELLO); 773 server_->CheckErrorCode(SSL_ERROR_HANDSHAKE_FAILURE_ALERT); 774 } 775 776 // Test that two TLS resumptions work and produce the same ticket. 777 // This will change after bug 1257047 is fixed. 778 TEST_F(TlsConnectTest, TestTls13ResumptionTwice) { 779 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 780 ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3); 781 782 Connect(); 783 SendReceive(); // Need to read so that we absorb the session ticket. 784 CheckKeys(); 785 uint16_t original_suite; 786 EXPECT_TRUE(client_->cipher_suite(&original_suite)); 787 788 Reset(); 789 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 790 ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3); 791 ExpectResumption(RESUME_TICKET); 792 auto c1 = 793 MakeTlsFilter<TlsExtensionCapture>(client_, ssl_tls13_pre_shared_key_xtn); 794 Connect(); 795 SendReceive(); 796 CheckKeys(ssl_auth_rsa_sign, ssl_sig_rsa_pss_rsae_sha256); 797 // The filter will go away when we reset, so save the captured extension. 798 DataBuffer initialTicket(c1->extension()); 799 ASSERT_LT(0U, initialTicket.len()); 800 801 ScopedCERTCertificate cert1(SSL_PeerCertificate(client_->ssl_fd())); 802 ASSERT_NE(nullptr, cert1.get()); 803 804 Reset(); 805 ClearStats(); 806 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 807 ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3); 808 auto c2 = 809 MakeTlsFilter<TlsExtensionCapture>(client_, ssl_tls13_pre_shared_key_xtn); 810 ExpectResumption(RESUME_TICKET); 811 Connect(); 812 SendReceive(); 813 CheckKeys(ssl_auth_rsa_sign, ssl_sig_rsa_pss_rsae_sha256); 814 ASSERT_LT(0U, c2->extension().len()); 815 816 ScopedCERTCertificate cert2(SSL_PeerCertificate(client_->ssl_fd())); 817 ASSERT_NE(nullptr, cert2.get()); 818 819 // Check that the cipher suite is reported the same on both sides, though in 820 // TLS 1.3 resumption actually negotiates a different cipher suite. 821 uint16_t resumed_suite; 822 EXPECT_TRUE(server_->cipher_suite(&resumed_suite)); 823 EXPECT_EQ(original_suite, resumed_suite); 824 EXPECT_TRUE(client_->cipher_suite(&resumed_suite)); 825 EXPECT_EQ(original_suite, resumed_suite); 826 827 ASSERT_NE(initialTicket, c2->extension()); 828 } 829 830 // Check that resumption works after receiving two NST messages. 831 TEST_F(TlsConnectTest, TestTls13ResumptionDuplicateNST) { 832 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 833 ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3); 834 Connect(); 835 836 // Clear the session ticket keys to invalidate the old ticket. 837 ClearServerCache(); 838 EXPECT_EQ(SECSuccess, SSL_SendSessionTicket(server_->ssl_fd(), NULL, 0)); 839 840 SendReceive(); // Need to read so that we absorb the session tickets. 841 CheckKeys(); 842 843 // Resume the connection. 844 Reset(); 845 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 846 ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3); 847 ExpectResumption(RESUME_TICKET); 848 Connect(); 849 SendReceive(); 850 } 851 852 // Check that the value captured in a NewSessionTicket message matches the value 853 // captured from a pre_shared_key extension. 854 void NstTicketMatchesPskIdentity(const DataBuffer& nst, const DataBuffer& psk) { 855 uint32_t len; 856 857 size_t offset = 4 + 4; // Skip ticket_lifetime and ticket_age_add. 858 ASSERT_TRUE(nst.Read(offset, 1, &len)); 859 offset += 1 + len; // Skip ticket_nonce. 860 861 ASSERT_TRUE(nst.Read(offset, 2, &len)); 862 offset += 2; // Skip the ticket length. 863 ASSERT_LE(offset + len, nst.len()); 864 DataBuffer nst_ticket(nst.data() + offset, static_cast<size_t>(len)); 865 866 offset = 2; // Skip the identities length. 867 ASSERT_TRUE(psk.Read(offset, 2, &len)); 868 offset += 2; // Skip the identity length. 869 ASSERT_LE(offset + len, psk.len()); 870 DataBuffer psk_ticket(psk.data() + offset, static_cast<size_t>(len)); 871 872 EXPECT_EQ(nst_ticket, psk_ticket); 873 } 874 875 TEST_F(TlsConnectTest, TestTls13ResumptionDuplicateNSTWithToken) { 876 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 877 ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3); 878 879 auto nst_capture = 880 MakeTlsFilter<TlsHandshakeRecorder>(server_, ssl_hs_new_session_ticket); 881 nst_capture->EnableDecryption(); 882 Connect(); 883 884 // Clear the session ticket keys to invalidate the old ticket. 885 ClearServerCache(); 886 nst_capture->Reset(); 887 uint8_t token[] = {0x20, 0x20, 0xff, 0x00}; 888 EXPECT_EQ(SECSuccess, 889 SSL_SendSessionTicket(server_->ssl_fd(), token, sizeof(token))); 890 891 SendReceive(); // Need to read so that we absorb the session tickets. 892 CheckKeys(); 893 EXPECT_LT(0U, nst_capture->buffer().len()); 894 895 // Resume the connection. 896 Reset(); 897 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 898 ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3); 899 ExpectResumption(RESUME_TICKET); 900 901 auto psk_capture = 902 MakeTlsFilter<TlsExtensionCapture>(client_, ssl_tls13_pre_shared_key_xtn); 903 Connect(); 904 SendReceive(); 905 906 NstTicketMatchesPskIdentity(nst_capture->buffer(), psk_capture->extension()); 907 } 908 909 // Disable SSL_ENABLE_SESSION_TICKETS but ensure that tickets can still be sent 910 // by invoking SSL_SendSessionTicket directly (and that the ticket is usable). 911 TEST_F(TlsConnectTest, SendSessionTicketWithTicketsDisabled) { 912 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 913 ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3); 914 915 server_->SetOption(SSL_ENABLE_SESSION_TICKETS, PR_FALSE); 916 917 auto nst_capture = 918 MakeTlsFilter<TlsHandshakeRecorder>(server_, ssl_hs_new_session_ticket); 919 nst_capture->EnableDecryption(); 920 Connect(); 921 922 EXPECT_EQ(0U, nst_capture->buffer().len()) << "expect nothing captured yet"; 923 924 EXPECT_EQ(SECSuccess, SSL_SendSessionTicket(server_->ssl_fd(), NULL, 0)); 925 EXPECT_LT(0U, nst_capture->buffer().len()) << "should capture now"; 926 927 SendReceive(); // Ensure that the client reads the ticket. 928 929 // Resume the connection. 930 Reset(); 931 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 932 ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3); 933 ExpectResumption(RESUME_TICKET); 934 935 auto psk_capture = 936 MakeTlsFilter<TlsExtensionCapture>(client_, ssl_tls13_pre_shared_key_xtn); 937 Connect(); 938 SendReceive(); 939 940 NstTicketMatchesPskIdentity(nst_capture->buffer(), psk_capture->extension()); 941 } 942 943 // Successfully send a session ticket after resuming and then use it. 944 TEST_F(TlsConnectTest, SendTicketAfterResumption) { 945 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 946 ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3); 947 Connect(); 948 949 SendReceive(); // Need to read so that we absorb the session tickets. 950 CheckKeys(); 951 952 // Resume the connection. 953 Reset(); 954 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 955 ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3); 956 ExpectResumption(RESUME_TICKET); 957 958 // We need to capture just one ticket, so 959 // disable automatic sending of tickets at the server. 960 // ConfigureSessionCache enables this option, so revert that. 961 server_->SetOption(SSL_ENABLE_SESSION_TICKETS, PR_FALSE); 962 auto nst_capture = 963 MakeTlsFilter<TlsHandshakeRecorder>(server_, ssl_hs_new_session_ticket); 964 nst_capture->EnableDecryption(); 965 Connect(); 966 967 ClearServerCache(); 968 EXPECT_EQ(SECSuccess, SSL_SendSessionTicket(server_->ssl_fd(), NULL, 0)); 969 SendReceive(); 970 971 // Reset stats so that the counters for resumptions match up. 972 ClearStats(); 973 // Resume again and ensure that we get the same ticket. 974 Reset(); 975 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 976 ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3); 977 ExpectResumption(RESUME_TICKET); 978 979 auto psk_capture = 980 MakeTlsFilter<TlsExtensionCapture>(client_, ssl_tls13_pre_shared_key_xtn); 981 Connect(); 982 SendReceive(); 983 984 NstTicketMatchesPskIdentity(nst_capture->buffer(), psk_capture->extension()); 985 } 986 987 // Test calling SSL_SendSessionTicket in inappropriate conditions. 988 TEST_F(TlsConnectTest, SendSessionTicketInappropriate) { 989 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 990 ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_2); 991 992 EXPECT_EQ(SECFailure, SSL_SendSessionTicket(client_->ssl_fd(), NULL, 0)) 993 << "clients can't send tickets"; 994 EXPECT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError()); 995 996 StartConnect(); 997 998 EXPECT_EQ(SECFailure, SSL_SendSessionTicket(server_->ssl_fd(), NULL, 0)) 999 << "no ticket before the handshake has started"; 1000 EXPECT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError()); 1001 Handshake(); 1002 EXPECT_EQ(SECFailure, SSL_SendSessionTicket(server_->ssl_fd(), NULL, 0)) 1003 << "no special tickets in TLS 1.2"; 1004 EXPECT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError()); 1005 } 1006 1007 TEST_F(TlsConnectTest, SendSessionTicketMassiveToken) { 1008 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 1009 ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3); 1010 Connect(); 1011 // It should be safe to set length with a NULL token because the length should 1012 // be checked before reading token. 1013 EXPECT_EQ(SECFailure, SSL_SendSessionTicket(server_->ssl_fd(), NULL, 0x1ffff)) 1014 << "this is clearly too big"; 1015 EXPECT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError()); 1016 1017 static const uint8_t big_token[0xffff] = {1}; 1018 EXPECT_EQ(SECFailure, SSL_SendSessionTicket(server_->ssl_fd(), big_token, 1019 sizeof(big_token))) 1020 << "this is too big, but that's not immediately obvious"; 1021 EXPECT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError()); 1022 } 1023 1024 TEST_F(TlsConnectDatagram13, SendSessionTicketDtls) { 1025 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 1026 ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3); 1027 Connect(); 1028 EXPECT_EQ(SECFailure, SSL_SendSessionTicket(server_->ssl_fd(), NULL, 0)) 1029 << "no extra tickets in DTLS until we have Ack support"; 1030 EXPECT_EQ(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_VERSION, PORT_GetError()); 1031 } 1032 1033 TEST_F(TlsConnectStreamTls13, ExternalResumptionUseSecondTicket) { 1034 ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH); 1035 ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3); 1036 1037 struct ResumptionTicketState { 1038 std::vector<uint8_t> ticket; 1039 size_t invoked = 0; 1040 } ticket_state; 1041 auto cb = [](PRFileDesc* fd, const PRUint8* ticket, unsigned int ticket_len, 1042 void* arg) -> SECStatus { 1043 auto state = reinterpret_cast<ResumptionTicketState*>(arg); 1044 state->ticket.assign(ticket, ticket + ticket_len); 1045 state->invoked++; 1046 return SECSuccess; 1047 }; 1048 EXPECT_EQ(SECSuccess, SSL_SetResumptionTokenCallback(client_->ssl_fd(), cb, 1049 &ticket_state)); 1050 1051 Connect(); 1052 EXPECT_EQ(SECSuccess, SSL_SendSessionTicket(server_->ssl_fd(), nullptr, 0)); 1053 SendReceive(); 1054 EXPECT_EQ(2U, ticket_state.invoked); 1055 1056 Reset(); 1057 ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH); 1058 client_->SetResumptionToken(ticket_state.ticket); 1059 ExpectResumption(RESUME_TICKET); 1060 Connect(); 1061 SendReceive(); 1062 } 1063 1064 TEST_F(TlsConnectTest, TestTls13ResumptionDowngrade) { 1065 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 1066 ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3); 1067 Connect(); 1068 1069 SendReceive(); // Need to read so that we absorb the session tickets. 1070 CheckKeys(); 1071 1072 // Try resuming the connection. This will fail resuming the 1.3 session 1073 // from before, but will successfully establish a 1.2 connection. 1074 Reset(); 1075 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 1076 client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2, 1077 SSL_LIBRARY_VERSION_TLS_1_3); 1078 server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2, 1079 SSL_LIBRARY_VERSION_TLS_1_2); 1080 Connect(); 1081 1082 // Renegotiate to ensure we don't carryover any state 1083 // from the 1.3 resumption attempt. 1084 client_->SetExpectedVersion(SSL_LIBRARY_VERSION_TLS_1_2); 1085 client_->PrepareForRenegotiate(); 1086 server_->StartRenegotiate(); 1087 Handshake(); 1088 1089 SendReceive(); 1090 CheckKeys(ssl_kea_ecdh); 1091 } 1092 1093 TEST_F(TlsConnectTest, TestTls13ResumptionForcedDowngrade) { 1094 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 1095 ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3); 1096 Connect(); 1097 1098 SendReceive(); // Need to read so that we absorb the session tickets. 1099 CheckKeys(); 1100 1101 // Try resuming the connection. 1102 Reset(); 1103 ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3); 1104 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 1105 // Enable the lower version on the client. 1106 client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2, 1107 SSL_LIBRARY_VERSION_TLS_1_3); 1108 1109 // Add filters that set downgrade SH.version to 1.2 and the cipher suite 1110 // to one that works with 1.2, so that we don't run into early sanity checks. 1111 // We will eventually fail the (sid.version == SH.version) check. 1112 std::vector<std::shared_ptr<PacketFilter>> filters; 1113 filters.push_back(std::make_shared<SelectedCipherSuiteReplacer>( 1114 server_, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256)); 1115 filters.push_back(std::make_shared<SelectedVersionReplacer>( 1116 server_, SSL_LIBRARY_VERSION_TLS_1_2)); 1117 1118 // Drop a bunch of extensions so that we get past the SH processing. The 1119 // version extension says TLS 1.3, which is counter to our goal, the others 1120 // are not permitted in TLS 1.2 handshakes. 1121 filters.push_back(std::make_shared<TlsExtensionDropper>( 1122 server_, ssl_tls13_supported_versions_xtn)); 1123 filters.push_back( 1124 std::make_shared<TlsExtensionDropper>(server_, ssl_tls13_key_share_xtn)); 1125 filters.push_back(std::make_shared<TlsExtensionDropper>( 1126 server_, ssl_tls13_pre_shared_key_xtn)); 1127 server_->SetFilter(std::make_shared<ChainedPacketFilter>(filters)); 1128 1129 // The client here generates an unexpected_message alert when it receives an 1130 // encrypted handshake message from the server (EncryptedExtension). The 1131 // client expects to receive an unencrypted TLS 1.2 Certificate message. 1132 // The server can't decrypt the alert. 1133 client_->ExpectSendAlert(kTlsAlertUnexpectedMessage); 1134 server_->ExpectSendAlert(kTlsAlertUnexpectedMessage); // Server can't read 1135 ConnectExpectFail(); 1136 client_->CheckErrorCode(SSL_ERROR_RX_UNEXPECTED_APPLICATION_DATA); 1137 server_->CheckErrorCode(SSL_ERROR_RX_UNEXPECTED_RECORD_TYPE); 1138 } 1139 1140 TEST_P(TlsConnectGenericResumption, ReConnectTicket) { 1141 ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH); 1142 server_->EnableSingleCipher(ChooseOneCipher(version_)); 1143 Connect(); 1144 SendReceive(); 1145 CheckKeys(ssl_auth_rsa_sign, ssl_sig_rsa_pss_rsae_sha256); 1146 // Resume 1147 Reset(); 1148 ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH); 1149 ExpectResumption(RESUME_TICKET); 1150 Connect(); 1151 // Only the client knows this. 1152 CheckKeysResumption(GetDefaultKEA(), ssl_grp_none, 1153 GetDefaultGroupFromKEA(GetDefaultKEA()), 1154 ssl_auth_rsa_sign, ssl_sig_rsa_pss_rsae_sha256); 1155 } 1156 1157 TEST_P(TlsConnectGenericPre13, ReConnectCache) { 1158 ConfigureSessionCache(RESUME_SESSIONID, RESUME_SESSIONID); 1159 server_->EnableSingleCipher(ChooseOneCipher(version_)); 1160 Connect(); 1161 SendReceive(); 1162 CheckKeys(ssl_auth_rsa_sign, ssl_sig_rsa_pss_rsae_sha256); 1163 // Resume 1164 Reset(); 1165 ExpectResumption(RESUME_SESSIONID); 1166 Connect(); 1167 CheckKeysResumption(GetDefaultKEA(), ssl_grp_none, 1168 GetDefaultGroupFromKEA(GetDefaultKEA()), 1169 ssl_auth_rsa_sign, ssl_sig_rsa_pss_rsae_sha256); 1170 } 1171 1172 TEST_P(TlsConnectGenericResumption, ReConnectAgainTicket) { 1173 ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH); 1174 server_->EnableSingleCipher(ChooseOneCipher(version_)); 1175 Connect(); 1176 SendReceive(); 1177 CheckKeys(ssl_auth_rsa_sign, ssl_sig_rsa_pss_rsae_sha256); 1178 // Resume 1179 Reset(); 1180 ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH); 1181 ExpectResumption(RESUME_TICKET); 1182 Connect(); 1183 // Only the client knows this. 1184 CheckKeysResumption(GetDefaultKEA(), ssl_grp_none, 1185 GetDefaultGroupFromKEA(GetDefaultKEA()), 1186 ssl_auth_rsa_sign, ssl_sig_rsa_pss_rsae_sha256); 1187 // Resume connection again 1188 Reset(); 1189 ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH); 1190 ExpectResumption(RESUME_TICKET, 2); 1191 Connect(); 1192 // Only the client knows this. 1193 CheckKeysResumption(GetDefaultKEA(), ssl_grp_none, 1194 GetDefaultGroupFromKEA(GetDefaultKEA()), 1195 ssl_auth_rsa_sign, ssl_sig_rsa_pss_rsae_sha256); 1196 } 1197 1198 void CheckGetInfoResult(PRTime now, uint32_t alpnSize, uint32_t earlyDataSize, 1199 ScopedCERTCertificate& cert, 1200 ScopedSSLResumptionTokenInfo& token) { 1201 ASSERT_TRUE(cert); 1202 ASSERT_TRUE(token->peerCert); 1203 1204 // Check that the server cert is the correct one. 1205 ASSERT_EQ(cert->derCert.len, token->peerCert->derCert.len); 1206 EXPECT_EQ(0, memcmp(cert->derCert.data, token->peerCert->derCert.data, 1207 cert->derCert.len)); 1208 1209 ASSERT_EQ(alpnSize, token->alpnSelectionLen); 1210 EXPECT_EQ(0, memcmp("a", token->alpnSelection, token->alpnSelectionLen)); 1211 1212 ASSERT_EQ(earlyDataSize, token->maxEarlyDataSize); 1213 1214 ASSERT_LT(now, token->expirationTime); 1215 } 1216 1217 // The client should generate a new, randomized session_id 1218 // when resuming using an external token. 1219 TEST_P(TlsConnectGenericResumptionToken, CheckSessionId) { 1220 ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH); 1221 auto original_sid = MakeTlsFilter<CaptureSessionId>(client_); 1222 Connect(); 1223 SendReceive(); 1224 1225 Reset(); 1226 ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH); 1227 ExpectResumption(RESUME_TICKET); 1228 1229 StartConnect(); 1230 ASSERT_TRUE(client_->MaybeSetResumptionToken()); 1231 auto resumed_sid = MakeTlsFilter<CaptureSessionId>(client_); 1232 1233 Handshake(); 1234 CheckConnected(); 1235 SendReceive(); 1236 1237 if (version_ < SSL_LIBRARY_VERSION_TLS_1_3) { 1238 EXPECT_NE(resumed_sid->sid(), original_sid->sid()); 1239 EXPECT_EQ(32U, resumed_sid->sid().len()); 1240 } else { 1241 EXPECT_EQ(0U, resumed_sid->sid().len()); 1242 } 1243 } 1244 1245 TEST_P(TlsConnectGenericResumptionToken, ConnectResumeGetInfo) { 1246 ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH); 1247 Connect(); 1248 SendReceive(); 1249 1250 Reset(); 1251 ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH); 1252 ExpectResumption(RESUME_TICKET); 1253 1254 StartConnect(); 1255 ASSERT_TRUE(client_->MaybeSetResumptionToken()); 1256 1257 // Get resumption token infos 1258 SSLResumptionTokenInfo tokenInfo = {0}; 1259 ScopedSSLResumptionTokenInfo token(&tokenInfo); 1260 client_->GetTokenInfo(token); 1261 ScopedCERTCertificate cert( 1262 PK11_FindCertFromNickname(server_->name().c_str(), nullptr)); 1263 ASSERT_NE(nullptr, cert.get()); 1264 1265 CheckGetInfoResult(now(), 0, 0, cert, token); 1266 1267 Handshake(); 1268 CheckConnected(); 1269 1270 SendReceive(); 1271 } 1272 1273 TEST_P(TlsConnectGenericResumptionToken, RefuseExpiredTicketClient) { 1274 ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH); 1275 Connect(); 1276 SendReceive(); 1277 1278 // Move the clock to the expiration time of the ticket. 1279 SSLResumptionTokenInfo tokenInfo = {0}; 1280 ScopedSSLResumptionTokenInfo token(&tokenInfo); 1281 client_->GetTokenInfo(token); 1282 AdvanceTime(token->expirationTime - now()); 1283 1284 Reset(); 1285 ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH); 1286 ExpectResumption(RESUME_TICKET); 1287 1288 StartConnect(); 1289 ASSERT_EQ(SECFailure, 1290 SSL_SetResumptionToken(client_->ssl_fd(), 1291 client_->GetResumptionToken().data(), 1292 client_->GetResumptionToken().size())); 1293 EXPECT_EQ(SSL_ERROR_BAD_RESUMPTION_TOKEN_ERROR, PORT_GetError()); 1294 } 1295 1296 TEST_P(TlsConnectGenericResumptionToken, RefuseExpiredTicketServer) { 1297 ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH); 1298 Connect(); 1299 SendReceive(); 1300 1301 Reset(); 1302 ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH); 1303 ExpectResumption(RESUME_NONE); 1304 1305 // Start the handshake and send the ClientHello. 1306 StartConnect(); 1307 ASSERT_EQ(SECSuccess, 1308 SSL_SetResumptionToken(client_->ssl_fd(), 1309 client_->GetResumptionToken().data(), 1310 client_->GetResumptionToken().size())); 1311 client_->Handshake(); 1312 1313 // Move the clock to the expiration time of the ticket. 1314 SSLResumptionTokenInfo tokenInfo = {0}; 1315 ScopedSSLResumptionTokenInfo token(&tokenInfo); 1316 client_->GetTokenInfo(token); 1317 AdvanceTime(token->expirationTime - now()); 1318 1319 Handshake(); 1320 CheckConnected(); 1321 } 1322 1323 TEST_P(TlsConnectGenericResumptionToken, ConnectResumeGetInfoAlpn) { 1324 EnableAlpn(); 1325 ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH); 1326 Connect(); 1327 CheckAlpn("a"); 1328 SendReceive(); 1329 1330 Reset(); 1331 EnableAlpn(); 1332 ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH); 1333 ExpectResumption(RESUME_TICKET); 1334 1335 StartConnect(); 1336 ASSERT_TRUE(client_->MaybeSetResumptionToken()); 1337 1338 // Get resumption token infos 1339 SSLResumptionTokenInfo tokenInfo = {0}; 1340 ScopedSSLResumptionTokenInfo token(&tokenInfo); 1341 client_->GetTokenInfo(token); 1342 ScopedCERTCertificate cert( 1343 PK11_FindCertFromNickname(server_->name().c_str(), nullptr)); 1344 ASSERT_NE(nullptr, cert.get()); 1345 1346 CheckGetInfoResult(now(), 1, 0, cert, token); 1347 1348 Handshake(); 1349 CheckConnected(); 1350 CheckAlpn("a"); 1351 1352 SendReceive(); 1353 } 1354 1355 TEST_P(TlsConnectTls13ResumptionToken, ConnectResumeGetInfoZeroRtt) { 1356 EnableAlpn(); 1357 RolloverAntiReplay(); 1358 ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH); 1359 server_->Set0RttEnabled(true); 1360 Connect(); 1361 CheckAlpn("a"); 1362 SendReceive(); 1363 1364 Reset(); 1365 EnableAlpn(); 1366 ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH); 1367 ExpectResumption(RESUME_TICKET); 1368 1369 StartConnect(); 1370 server_->Set0RttEnabled(true); 1371 client_->Set0RttEnabled(true); 1372 ASSERT_TRUE(client_->MaybeSetResumptionToken()); 1373 1374 // Get resumption token infos 1375 SSLResumptionTokenInfo tokenInfo = {0}; 1376 ScopedSSLResumptionTokenInfo token(&tokenInfo); 1377 client_->GetTokenInfo(token); 1378 ScopedCERTCertificate cert( 1379 PK11_FindCertFromNickname(server_->name().c_str(), nullptr)); 1380 ASSERT_NE(nullptr, cert.get()); 1381 CheckGetInfoResult(now(), 1, 1024, cert, token); 1382 1383 ZeroRttSendReceive(true, true); 1384 Handshake(); 1385 ExpectEarlyDataAccepted(true); 1386 CheckConnected(); 1387 CheckAlpn("a"); 1388 1389 SendReceive(); 1390 } 1391 1392 // Resumption on sessions with client authentication only works with internal 1393 // caching. 1394 TEST_P(TlsConnectGenericResumption, ConnectResumeClientAuth) { 1395 ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH); 1396 client_->SetupClientAuth(); 1397 server_->RequestClientAuth(true); 1398 Connect(); 1399 SendReceive(); 1400 EXPECT_FALSE(client_->resumption_callback_called()); 1401 1402 Reset(); 1403 ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH); 1404 if (use_external_cache()) { 1405 ExpectResumption(RESUME_NONE); 1406 } else { 1407 ExpectResumption(RESUME_TICKET); 1408 } 1409 Connect(); 1410 SendReceive(); 1411 } 1412 1413 // Check that resumption is blocked if the server requires client auth. 1414 TEST_P(TlsConnectGenericResumption, ClientAuthRequiredOnResumption) { 1415 ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH); 1416 server_->RequestClientAuth(false); 1417 Connect(); 1418 SendReceive(); 1419 1420 Reset(); 1421 client_->SetupClientAuth(); 1422 server_->RequestClientAuth(true); 1423 ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH); 1424 ExpectResumption(RESUME_NONE); 1425 Connect(); 1426 SendReceive(); 1427 } 1428 1429 // Check that resumption is blocked if the server requires client auth and 1430 // the client fails to provide a certificate. 1431 TEST_P(TlsConnectGenericResumption, ClientAuthRequiredOnResumptionNoCert) { 1432 ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH); 1433 server_->RequestClientAuth(false); 1434 Connect(); 1435 SendReceive(); 1436 1437 Reset(); 1438 server_->RequestClientAuth(true); 1439 ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH); 1440 // Drive handshake manually because TLS 1.3 needs it. 1441 StartConnect(); 1442 client_->Handshake(); // CH 1443 server_->Handshake(); // SH.. (no resumption) 1444 client_->Handshake(); // ... 1445 if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) { 1446 // In TLS 1.3, the client thinks that everything is OK here. 1447 ASSERT_EQ(TlsAgent::STATE_CONNECTED, client_->state()); 1448 ExpectAlert(server_, kTlsAlertCertificateRequired); 1449 server_->Handshake(); // Alert 1450 client_->Handshake(); // Receive Alert 1451 client_->CheckErrorCode(SSL_ERROR_RX_CERTIFICATE_REQUIRED_ALERT); 1452 } else { 1453 ExpectAlert(server_, kTlsAlertBadCertificate); 1454 server_->Handshake(); // Alert 1455 client_->Handshake(); // Receive Alert 1456 client_->CheckErrorCode(SSL_ERROR_BAD_CERT_ALERT); 1457 } 1458 server_->CheckErrorCode(SSL_ERROR_NO_CERTIFICATE); 1459 } 1460 1461 TEST_F(TlsConnectStreamTls13, ExternalTokenAfterHrr) { 1462 ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH); 1463 Connect(); 1464 SendReceive(); 1465 1466 Reset(); 1467 ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH); 1468 ExpectResumption(RESUME_TICKET); 1469 1470 static const std::vector<SSLNamedGroup> groups = {ssl_grp_ec_secp384r1, 1471 ssl_grp_ec_secp521r1}; 1472 server_->ConfigNamedGroups(groups); 1473 1474 StartConnect(); 1475 ASSERT_TRUE(client_->MaybeSetResumptionToken()); 1476 1477 client_->Handshake(); // Send ClientHello. 1478 server_->Handshake(); // Process ClientHello, send HelloRetryRequest. 1479 1480 auto& token = client_->GetResumptionToken(); 1481 SECStatus rv = 1482 SSL_SetResumptionToken(client_->ssl_fd(), token.data(), token.size()); 1483 ASSERT_EQ(SECFailure, rv); 1484 ASSERT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError()); 1485 1486 Handshake(); 1487 CheckConnected(); 1488 SendReceive(); 1489 } 1490 1491 TEST_F(TlsConnectStreamTls13, ExternalTokenWithPeerId) { 1492 ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH); 1493 ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3); 1494 EXPECT_EQ(SECSuccess, SSL_SetSockPeerID(client_->ssl_fd(), "testPeerId")); 1495 std::vector<uint8_t> ticket_state; 1496 auto cb = [](PRFileDesc* fd, const PRUint8* ticket, unsigned int ticket_len, 1497 void* arg) -> SECStatus { 1498 EXPECT_NE(0U, ticket_len); 1499 EXPECT_NE(nullptr, ticket); 1500 auto ticket_state_ = reinterpret_cast<std::vector<uint8_t>*>(arg); 1501 ticket_state_->assign(ticket, ticket + ticket_len); 1502 return SECSuccess; 1503 }; 1504 EXPECT_EQ(SECSuccess, SSL_SetResumptionTokenCallback(client_->ssl_fd(), cb, 1505 &ticket_state)); 1506 1507 Connect(); 1508 SendReceive(); 1509 EXPECT_NE(0U, ticket_state.size()); 1510 1511 Reset(); 1512 ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH); 1513 EXPECT_EQ(SECSuccess, SSL_SetSockPeerID(client_->ssl_fd(), "testPeerId")); 1514 client_->SetResumptionToken(ticket_state); 1515 ASSERT_TRUE(client_->MaybeSetResumptionToken()); 1516 ExpectResumption(RESUME_TICKET); 1517 Connect(); 1518 SendReceive(); 1519 } 1520 1521 } // namespace nss_test