tls_ech_unittest.cc (123224B)
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ 2 /* vim: set ts=2 et sw=2 tw=80: */ 3 /* This Source Code Form is subject to the terms of the Mozilla Public 4 * License, v. 2.0. If a copy of the MPL was not distributed with this file, 5 * You can obtain one at http://mozilla.org/MPL/2.0/. */ 6 7 #include "secerr.h" 8 #include "ssl.h" 9 10 #include "gtest_utils.h" 11 #include "pk11pub.h" 12 #include "tls_agent.h" 13 #include "tls_connect.h" 14 #include "util.h" 15 #include "tls13ech.h" 16 17 namespace nss_test { 18 19 class TlsAgentEchTest : public TlsAgentStreamTestClient13 { 20 protected: 21 void InstallEchConfig(const DataBuffer& echconfig, PRErrorCode err = 0) { 22 SECStatus rv = SSL_SetClientEchConfigs(agent_->ssl_fd(), echconfig.data(), 23 echconfig.len()); 24 if (err == 0) { 25 ASSERT_EQ(SECSuccess, rv); 26 } else { 27 ASSERT_EQ(SECFailure, rv); 28 ASSERT_EQ(err, PORT_GetError()); 29 } 30 } 31 }; 32 33 #include "cpputil.h" // Unused function error if included without HPKE. 34 35 static std::string kPublicName("public.name"); 36 37 static const std::vector<HpkeSymmetricSuite> kDefaultSuites = { 38 {HpkeKdfHkdfSha256, HpkeAeadChaCha20Poly1305}, 39 {HpkeKdfHkdfSha256, HpkeAeadAes128Gcm}}; 40 static const std::vector<HpkeSymmetricSuite> kSuiteChaCha = { 41 {HpkeKdfHkdfSha256, HpkeAeadChaCha20Poly1305}}; 42 static const std::vector<HpkeSymmetricSuite> kSuiteAes = { 43 {HpkeKdfHkdfSha256, HpkeAeadAes128Gcm}}; 44 std::vector<HpkeSymmetricSuite> kBogusSuite = { 45 {static_cast<HpkeKdfId>(0xfefe), static_cast<HpkeAeadId>(0xfefe)}}; 46 static const std::vector<HpkeSymmetricSuite> kUnknownFirstSuite = { 47 {static_cast<HpkeKdfId>(0xfefe), static_cast<HpkeAeadId>(0xfefe)}, 48 {HpkeKdfHkdfSha256, HpkeAeadAes128Gcm}}; 49 50 class TlsConnectStreamTls13Ech : public TlsConnectTestBase { 51 public: 52 TlsConnectStreamTls13Ech() 53 : TlsConnectTestBase(ssl_variant_stream, SSL_LIBRARY_VERSION_TLS_1_3) {} 54 55 void ReplayChWithMalformedInner(const std::string& ch, uint8_t server_alert, 56 uint32_t server_code, uint32_t client_code) { 57 std::vector<uint8_t> ch_vec = hex_string_to_bytes(ch); 58 DataBuffer ch_buf; 59 ScopedSECKEYPublicKey pub; 60 ScopedSECKEYPrivateKey priv; 61 EnsureTlsSetup(); 62 ImportFixedEchKeypair(pub, priv); 63 SetMutualEchConfigs(pub, priv); 64 65 TlsAgentTestBase::MakeRecord(variant_, ssl_ct_handshake, 66 SSL_LIBRARY_VERSION_TLS_1_3, ch_vec.data(), 67 ch_vec.size(), &ch_buf, 0); 68 StartConnect(); 69 client_->SendDirect(ch_buf); 70 ExpectAlert(server_, server_alert); 71 server_->Handshake(); 72 server_->CheckErrorCode(server_code); 73 client_->ExpectReceiveAlert(server_alert, kTlsAlertFatal); 74 client_->Handshake(); 75 client_->CheckErrorCode(client_code); 76 } 77 78 // Setup Client/Server with mismatched AEADs 79 void SetupForEchRetry() { 80 ScopedSECKEYPublicKey server_pub; 81 ScopedSECKEYPrivateKey server_priv; 82 ScopedSECKEYPublicKey client_pub; 83 ScopedSECKEYPrivateKey client_priv; 84 DataBuffer server_rec; 85 DataBuffer client_rec; 86 TlsConnectTestBase::GenerateEchConfig(HpkeDhKemX25519Sha256, kSuiteChaCha, 87 kPublicName, 100, server_rec, 88 server_pub, server_priv); 89 ASSERT_EQ(SECSuccess, 90 SSL_SetServerEchConfigs(server_->ssl_fd(), server_pub.get(), 91 server_priv.get(), server_rec.data(), 92 server_rec.len())); 93 94 TlsConnectTestBase::GenerateEchConfig(HpkeDhKemX25519Sha256, kSuiteAes, 95 kPublicName, 100, client_rec, 96 client_pub, client_priv); 97 ASSERT_EQ(SECSuccess, 98 SSL_SetClientEchConfigs(client_->ssl_fd(), client_rec.data(), 99 client_rec.len())); 100 } 101 102 // Parse a captured SNI extension and validate the contained name. 103 void CheckSniExtension(const DataBuffer& data, 104 const std::string expected_name) { 105 TlsParser parser(data.data(), data.len()); 106 uint32_t tmp; 107 ASSERT_TRUE(parser.Read(&tmp, 2)); 108 ASSERT_EQ(parser.remaining(), tmp); 109 ASSERT_TRUE(parser.Read(&tmp, 1)); 110 ASSERT_EQ(0U, tmp); /* sni_nametype_hostname */ 111 DataBuffer name; 112 ASSERT_TRUE(parser.ReadVariable(&name, 2)); 113 ASSERT_EQ(0U, parser.remaining()); 114 std::string captured_name(reinterpret_cast<const char*>(name.data()), 115 name.len()); 116 EXPECT_EQ(expected_name, captured_name); 117 } 118 119 void DoEchRetry(const ScopedSECKEYPublicKey& server_pub, 120 const ScopedSECKEYPrivateKey& server_priv, 121 const DataBuffer& server_rec) { 122 StackSECItem retry_configs; 123 ASSERT_EQ(SECSuccess, 124 SSL_GetEchRetryConfigs(client_->ssl_fd(), &retry_configs)); 125 ASSERT_NE(0U, retry_configs.len); 126 127 // Reset expectations for the TlsAgent dtor. 128 server_->ExpectReceiveAlert(kTlsAlertCloseNotify, kTlsAlertWarning); 129 Reset(); 130 EnsureTlsSetup(); 131 ASSERT_EQ(SECSuccess, 132 SSL_SetServerEchConfigs(server_->ssl_fd(), server_pub.get(), 133 server_priv.get(), server_rec.data(), 134 server_rec.len())); 135 ASSERT_EQ(SECSuccess, 136 SSL_SetClientEchConfigs(client_->ssl_fd(), retry_configs.data, 137 retry_configs.len)); 138 client_->ExpectEch(); 139 server_->ExpectEch(); 140 Connect(); 141 } 142 143 void ImportFixedEchKeypair(ScopedSECKEYPublicKey& pub, 144 ScopedSECKEYPrivateKey& priv) { 145 ScopedPK11SlotInfo slot(PK11_GetInternalSlot()); 146 if (!slot) { 147 ADD_FAILURE() << "No slot"; 148 return; 149 } 150 std::vector<uint8_t> pkcs8_r = hex_string_to_bytes(kFixedServerKey); 151 SECItem pkcs8_r_item = {siBuffer, toUcharPtr(pkcs8_r.data()), 152 static_cast<unsigned int>(pkcs8_r.size())}; 153 154 SECKEYPrivateKey* tmp_priv = nullptr; 155 ASSERT_EQ(SECSuccess, PK11_ImportDERPrivateKeyInfoAndReturnKey( 156 slot.get(), &pkcs8_r_item, nullptr, nullptr, 157 false, false, KU_ALL, &tmp_priv, nullptr)); 158 priv.reset(tmp_priv); 159 SECKEYPublicKey* tmp_pub = SECKEY_ConvertToPublicKey(tmp_priv); 160 pub.reset(tmp_pub); 161 ASSERT_NE(nullptr, tmp_pub); 162 } 163 164 void SetMutualEchConfigs(ScopedSECKEYPublicKey& pub, 165 ScopedSECKEYPrivateKey& priv) { 166 DataBuffer echconfig; 167 TlsConnectTestBase::GenerateEchConfig(HpkeDhKemX25519Sha256, kDefaultSuites, 168 kPublicName, 100, echconfig, pub, 169 priv); 170 ASSERT_EQ(SECSuccess, 171 SSL_SetServerEchConfigs(server_->ssl_fd(), pub.get(), priv.get(), 172 echconfig.data(), echconfig.len())); 173 ASSERT_EQ(SECSuccess, 174 SSL_SetClientEchConfigs(client_->ssl_fd(), echconfig.data(), 175 echconfig.len())); 176 } 177 178 void ValidatePublicNames(const std::vector<std::string>& names, 179 SECStatus expected) { 180 static const std::vector<HpkeSymmetricSuite> kSuites = { 181 {HpkeKdfHkdfSha256, HpkeAeadAes128Gcm}}; 182 183 ScopedSECItem ecParams = MakeEcKeyParams(ssl_grp_ec_curve25519); 184 ScopedSECKEYPublicKey pub; 185 ScopedSECKEYPrivateKey priv; 186 SECKEYPublicKey* pub_p = nullptr; 187 SECKEYPrivateKey* priv_p = 188 SECKEY_CreateECPrivateKey(ecParams.get(), &pub_p, nullptr); 189 pub.reset(pub_p); 190 priv.reset(priv_p); 191 ASSERT_TRUE(!!pub); 192 ASSERT_TRUE(!!priv); 193 194 EnsureTlsSetup(); 195 196 DataBuffer cfg; 197 SECStatus rv; 198 for (auto name : names) { 199 if (g_ssl_gtest_verbose) { 200 std::cout << ((expected == SECFailure) ? "in" : "") 201 << "valid public_name: " << name << std::endl; 202 } 203 GenerateEchConfig(HpkeDhKemX25519Sha256, kSuites, name, 100, cfg, pub, 204 priv); 205 206 rv = SSL_SetServerEchConfigs(server_->ssl_fd(), pub.get(), priv.get(), 207 cfg.data(), cfg.len()); 208 EXPECT_EQ(expected, rv); 209 210 rv = SSL_SetClientEchConfigs(client_->ssl_fd(), cfg.data(), cfg.len()); 211 EXPECT_EQ(expected, rv); 212 } 213 } 214 215 private: 216 // Testing certan invalid CHInner configurations is tricky, particularly 217 // since the CHOuter forms AAD and isn't available in filters. Instead of 218 // generating these inputs on the fly, use a fixed server keypair so that 219 // the input can be generated once (e.g. via a debugger) and replayed in 220 // each invocation of the test. 221 std::string kFixedServerKey = 222 "3067020100301406072a8648ce3d020106092b06010401da470f01044c304a" 223 "02010104205a8aa0d2476b28521588e0c704b14db82cdd4970d340d293a957" 224 "6deaee9ec1c7a1230321008756e2580c07c1d2ffcb662f5fadc6d6ff13da85" 225 "abd7adfecf984aaa102c1269"; 226 }; 227 228 static void CheckCertVerifyPublicName(TlsAgent* agent) { 229 agent->UpdatePreliminaryChannelInfo(); 230 EXPECT_NE(0U, (agent->pre_info().valuesSet & ssl_preinfo_ech)); 231 EXPECT_EQ(agent->GetEchExpected(), agent->pre_info().echAccepted); 232 233 // Check that echPublicName is only exposed in the rejection 234 // case, so that the application can use it for CertVerfiy. 235 if (agent->GetEchExpected()) { 236 EXPECT_EQ(nullptr, agent->pre_info().echPublicName); 237 } else { 238 EXPECT_NE(nullptr, agent->pre_info().echPublicName); 239 if (agent->pre_info().echPublicName) { 240 EXPECT_EQ(0, 241 strcmp(kPublicName.c_str(), agent->pre_info().echPublicName)); 242 } 243 } 244 } 245 246 static SECStatus AuthCompleteFail(TlsAgent* agent, PRBool, PRBool) { 247 CheckCertVerifyPublicName(agent); 248 return SECFailure; 249 } 250 251 // Given two EchConfigList structures, e.g. from GenerateEchConfig, construct 252 // a single list containing all entries. 253 static DataBuffer MakeEchConfigList(DataBuffer config1, DataBuffer config2) { 254 DataBuffer sizedConfigListBuffer; 255 256 sizedConfigListBuffer.Write(2, config1.data() + 2, config1.len() - 2); 257 sizedConfigListBuffer.Write(sizedConfigListBuffer.len(), config2.data() + 2, 258 config2.len() - 2); 259 sizedConfigListBuffer.Write(0, sizedConfigListBuffer.len() - 2, 2); 260 261 PR_ASSERT(sizedConfigListBuffer.len() == config1.len() + config2.len() - 2); 262 return sizedConfigListBuffer; 263 } 264 265 TEST_P(TlsAgentEchTest, EchConfigsSupportedYesNo) { 266 ScopedSECKEYPublicKey pub; 267 ScopedSECKEYPrivateKey priv; 268 // ECHConfig 2 cipher_suites are unsupported. 269 DataBuffer config1; 270 TlsConnectTestBase::GenerateEchConfig(HpkeDhKemX25519Sha256, kSuiteAes, 271 kPublicName, 100, config1, pub, priv); 272 DataBuffer config2; 273 TlsConnectTestBase::GenerateEchConfig(HpkeDhKemX25519Sha256, kBogusSuite, 274 kPublicName, 100, config2, pub, priv); 275 EnsureInit(); 276 EXPECT_EQ(SECSuccess, SSL_EnableTls13GreaseEch(agent_->ssl_fd(), 277 PR_FALSE)); // Don't GREASE 278 279 DataBuffer sizedConfigListBuffer = MakeEchConfigList(config1, config2); 280 InstallEchConfig(sizedConfigListBuffer, 0); 281 auto filter = MakeTlsFilter<TlsExtensionCapture>( 282 agent_, ssl_tls13_encrypted_client_hello_xtn); 283 agent_->Handshake(); 284 ASSERT_EQ(TlsAgent::STATE_CONNECTING, agent_->state()); 285 ASSERT_TRUE(filter->captured()); 286 } 287 288 TEST_P(TlsAgentEchTest, EchConfigsSupportedNoYes) { 289 ScopedSECKEYPublicKey pub; 290 ScopedSECKEYPrivateKey priv; 291 DataBuffer config2; 292 TlsConnectTestBase::GenerateEchConfig(HpkeDhKemX25519Sha256, kSuiteAes, 293 kPublicName, 100, config2, pub, priv); 294 DataBuffer config1; 295 TlsConnectTestBase::GenerateEchConfig(HpkeDhKemX25519Sha256, kBogusSuite, 296 kPublicName, 100, config1, pub, priv); 297 // ECHConfig 1 cipher_suites are unsupported. 298 DataBuffer sizedConfigListBuffer = MakeEchConfigList(config1, config2); 299 EnsureInit(); 300 EXPECT_EQ(SECSuccess, SSL_EnableTls13GreaseEch(agent_->ssl_fd(), 301 PR_FALSE)); // Don't GREASE 302 InstallEchConfig(sizedConfigListBuffer, 0); 303 auto filter = MakeTlsFilter<TlsExtensionCapture>( 304 agent_, ssl_tls13_encrypted_client_hello_xtn); 305 agent_->Handshake(); 306 ASSERT_EQ(TlsAgent::STATE_CONNECTING, agent_->state()); 307 ASSERT_TRUE(filter->captured()); 308 } 309 310 TEST_P(TlsAgentEchTest, EchConfigsSupportedNoNo) { 311 ScopedSECKEYPublicKey pub; 312 ScopedSECKEYPrivateKey priv; 313 DataBuffer config2; 314 TlsConnectTestBase::GenerateEchConfig(HpkeDhKemX25519Sha256, kBogusSuite, 315 kPublicName, 100, config2, pub, priv); 316 DataBuffer config1; 317 TlsConnectTestBase::GenerateEchConfig(HpkeDhKemX25519Sha256, kBogusSuite, 318 kPublicName, 100, config1, pub, priv); 319 // ECHConfig 1 and 2 cipher_suites are unsupported. 320 DataBuffer sizedConfigListBuffer = MakeEchConfigList(config1, config2); 321 EnsureInit(); 322 EXPECT_EQ(SECSuccess, SSL_EnableTls13GreaseEch(agent_->ssl_fd(), 323 PR_FALSE)); // Don't GREASE 324 InstallEchConfig(sizedConfigListBuffer, SEC_ERROR_INVALID_ARGS); 325 auto filter = MakeTlsFilter<TlsExtensionCapture>( 326 agent_, ssl_tls13_encrypted_client_hello_xtn); 327 agent_->Handshake(); 328 ASSERT_EQ(TlsAgent::STATE_CONNECTING, agent_->state()); 329 ASSERT_FALSE(filter->captured()); 330 } 331 332 TEST_P(TlsAgentEchTest, ShortEchConfig) { 333 EnsureInit(); 334 ScopedSECKEYPublicKey pub; 335 ScopedSECKEYPrivateKey priv; 336 DataBuffer echconfig; 337 TlsConnectTestBase::GenerateEchConfig(HpkeDhKemX25519Sha256, kDefaultSuites, 338 kPublicName, 100, echconfig, pub, priv); 339 echconfig.Truncate(echconfig.len() - 1); 340 InstallEchConfig(echconfig, SEC_ERROR_BAD_DATA); 341 EXPECT_EQ(SECSuccess, SSL_EnableTls13GreaseEch(agent_->ssl_fd(), 342 PR_FALSE)); // Don't GREASE 343 auto filter = MakeTlsFilter<TlsExtensionCapture>( 344 agent_, ssl_tls13_encrypted_client_hello_xtn); 345 agent_->Handshake(); 346 ASSERT_EQ(TlsAgent::STATE_CONNECTING, agent_->state()); 347 ASSERT_FALSE(filter->captured()); 348 } 349 350 TEST_P(TlsAgentEchTest, LongEchConfig) { 351 EnsureInit(); 352 ScopedSECKEYPublicKey pub; 353 ScopedSECKEYPrivateKey priv; 354 DataBuffer echconfig; 355 TlsConnectTestBase::GenerateEchConfig(HpkeDhKemX25519Sha256, kDefaultSuites, 356 kPublicName, 100, echconfig, pub, priv); 357 echconfig.Write(echconfig.len(), 1, 1); // Append one byte 358 InstallEchConfig(echconfig, SEC_ERROR_BAD_DATA); 359 EXPECT_EQ(SECSuccess, SSL_EnableTls13GreaseEch(agent_->ssl_fd(), 360 PR_FALSE)); // Don't GREASE 361 auto filter = MakeTlsFilter<TlsExtensionCapture>( 362 agent_, ssl_tls13_encrypted_client_hello_xtn); 363 agent_->Handshake(); 364 ASSERT_EQ(TlsAgent::STATE_CONNECTING, agent_->state()); 365 ASSERT_FALSE(filter->captured()); 366 } 367 368 TEST_P(TlsAgentEchTest, UnsupportedEchConfigVersion) { 369 EnsureInit(); 370 ScopedSECKEYPublicKey pub; 371 ScopedSECKEYPrivateKey priv; 372 DataBuffer echconfig; 373 static const uint8_t bad_version[] = {0xff, 0xff}; 374 DataBuffer bad_ver_buf(bad_version, sizeof(bad_version)); 375 TlsConnectTestBase::GenerateEchConfig(HpkeDhKemX25519Sha256, kDefaultSuites, 376 kPublicName, 100, echconfig, pub, priv); 377 echconfig.Splice(bad_ver_buf, 2, 2); 378 InstallEchConfig(echconfig, SEC_ERROR_INVALID_ARGS); 379 EXPECT_EQ(SECSuccess, SSL_EnableTls13GreaseEch(agent_->ssl_fd(), 380 PR_FALSE)); // Don't GREASE 381 auto filter = MakeTlsFilter<TlsExtensionCapture>( 382 agent_, ssl_tls13_encrypted_client_hello_xtn); 383 agent_->Handshake(); 384 ASSERT_EQ(TlsAgent::STATE_CONNECTING, agent_->state()); 385 ASSERT_FALSE(filter->captured()); 386 } 387 388 TEST_P(TlsAgentEchTest, UnsupportedHpkeKem) { 389 EnsureInit(); 390 ScopedSECKEYPublicKey pub; 391 ScopedSECKEYPrivateKey priv; 392 DataBuffer echconfig; 393 // SSL_EncodeEchConfigId encodes without validation. 394 TlsConnectTestBase::GenerateEchConfig(static_cast<HpkeKemId>(0xff), 395 kDefaultSuites, kPublicName, 100, 396 echconfig, pub, priv); 397 InstallEchConfig(echconfig, SEC_ERROR_INVALID_ARGS); 398 EXPECT_EQ(SECSuccess, SSL_EnableTls13GreaseEch(agent_->ssl_fd(), 399 PR_FALSE)); // Don't GREASE 400 auto filter = MakeTlsFilter<TlsExtensionCapture>( 401 agent_, ssl_tls13_encrypted_client_hello_xtn); 402 agent_->Handshake(); 403 ASSERT_EQ(TlsAgent::STATE_CONNECTING, agent_->state()); 404 ASSERT_FALSE(filter->captured()); 405 } 406 407 TEST_P(TlsAgentEchTest, EchRejectIgnoreAllUnknownSuites) { 408 EnsureInit(); 409 ScopedSECKEYPublicKey pub; 410 ScopedSECKEYPrivateKey priv; 411 DataBuffer echconfig; 412 TlsConnectTestBase::GenerateEchConfig(HpkeDhKemX25519Sha256, kBogusSuite, 413 kPublicName, 100, echconfig, pub, priv); 414 InstallEchConfig(echconfig, SEC_ERROR_INVALID_ARGS); 415 EXPECT_EQ(SECSuccess, SSL_EnableTls13GreaseEch(agent_->ssl_fd(), 416 PR_FALSE)); // Don't GREASE 417 auto filter = MakeTlsFilter<TlsExtensionCapture>( 418 agent_, ssl_tls13_encrypted_client_hello_xtn); 419 agent_->Handshake(); 420 ASSERT_FALSE(filter->captured()); 421 } 422 423 TEST_P(TlsAgentEchTest, EchConfigRejectEmptyPublicName) { 424 EnsureInit(); 425 ScopedSECKEYPublicKey pub; 426 ScopedSECKEYPrivateKey priv; 427 DataBuffer echconfig; 428 TlsConnectTestBase::GenerateEchConfig(HpkeDhKemX25519Sha256, kBogusSuite, "", 429 100, echconfig, pub, priv); 430 InstallEchConfig(echconfig, SSL_ERROR_RX_MALFORMED_ECH_CONFIG); 431 EXPECT_EQ(SECSuccess, SSL_EnableTls13GreaseEch(agent_->ssl_fd(), 432 PR_FALSE)); // Don't GREASE 433 auto filter = MakeTlsFilter<TlsExtensionCapture>( 434 agent_, ssl_tls13_encrypted_client_hello_xtn); 435 agent_->Handshake(); 436 ASSERT_FALSE(filter->captured()); 437 } 438 439 TEST_F(TlsConnectStreamTls13, EchAcceptIgnoreSingleUnknownSuite) { 440 EnsureTlsSetup(); 441 DataBuffer echconfig; 442 ScopedSECKEYPublicKey pub; 443 ScopedSECKEYPrivateKey priv; 444 TlsConnectTestBase::GenerateEchConfig(HpkeDhKemX25519Sha256, 445 kUnknownFirstSuite, kPublicName, 100, 446 echconfig, pub, priv); 447 ASSERT_EQ(SECSuccess, 448 SSL_SetClientEchConfigs(client_->ssl_fd(), echconfig.data(), 449 echconfig.len())); 450 ASSERT_EQ(SECSuccess, 451 SSL_SetServerEchConfigs(server_->ssl_fd(), pub.get(), priv.get(), 452 echconfig.data(), echconfig.len())); 453 454 client_->ExpectEch(); 455 server_->ExpectEch(); 456 Connect(); 457 } 458 459 TEST_P(TlsAgentEchTest, ApiInvalidArgs) { 460 EnsureInit(); 461 // SetClient 462 EXPECT_EQ(SECFailure, SSL_SetClientEchConfigs(agent_->ssl_fd(), nullptr, 1)); 463 464 EXPECT_EQ(SECFailure, 465 SSL_SetClientEchConfigs(agent_->ssl_fd(), 466 reinterpret_cast<const uint8_t*>(1), 0)); 467 468 // SetServer 469 EXPECT_EQ(SECFailure, 470 SSL_SetServerEchConfigs(agent_->ssl_fd(), nullptr, 471 reinterpret_cast<SECKEYPrivateKey*>(1), 472 reinterpret_cast<const uint8_t*>(1), 1)); 473 EXPECT_EQ(SECFailure, 474 SSL_SetServerEchConfigs( 475 agent_->ssl_fd(), reinterpret_cast<SECKEYPublicKey*>(1), 476 nullptr, reinterpret_cast<const uint8_t*>(1), 1)); 477 EXPECT_EQ(SECFailure, 478 SSL_SetServerEchConfigs( 479 agent_->ssl_fd(), reinterpret_cast<SECKEYPublicKey*>(1), 480 reinterpret_cast<SECKEYPrivateKey*>(1), nullptr, 1)); 481 EXPECT_EQ(SECFailure, 482 SSL_SetServerEchConfigs(agent_->ssl_fd(), 483 reinterpret_cast<SECKEYPublicKey*>(1), 484 reinterpret_cast<SECKEYPrivateKey*>(1), 485 reinterpret_cast<const uint8_t*>(1), 0)); 486 487 // GetRetries 488 EXPECT_EQ(SECFailure, SSL_GetEchRetryConfigs(agent_->ssl_fd(), nullptr)); 489 490 // EncodeEchConfigId 491 EXPECT_EQ(SECFailure, 492 SSL_EncodeEchConfigId(0, nullptr, 1, static_cast<HpkeKemId>(1), 493 reinterpret_cast<SECKEYPublicKey*>(1), 494 reinterpret_cast<HpkeSymmetricSuite*>(1), 1, 495 reinterpret_cast<uint8_t*>(1), 496 reinterpret_cast<unsigned int*>(1), 1)); 497 498 EXPECT_EQ(SECFailure, 499 SSL_EncodeEchConfigId(0, "name", 1, static_cast<HpkeKemId>(1), 500 reinterpret_cast<SECKEYPublicKey*>(1), 501 nullptr, 1, reinterpret_cast<uint8_t*>(1), 502 reinterpret_cast<unsigned int*>(1), 1)); 503 EXPECT_EQ(SECFailure, 504 SSL_EncodeEchConfigId(0, "name", 1, static_cast<HpkeKemId>(1), 505 reinterpret_cast<SECKEYPublicKey*>(1), 506 reinterpret_cast<HpkeSymmetricSuite*>(1), 0, 507 reinterpret_cast<uint8_t*>(1), 508 reinterpret_cast<unsigned int*>(1), 1)); 509 510 EXPECT_EQ(SECFailure, SSL_EncodeEchConfigId( 511 0, "name", 1, static_cast<HpkeKemId>(1), nullptr, 512 reinterpret_cast<HpkeSymmetricSuite*>(1), 1, 513 reinterpret_cast<uint8_t*>(1), 514 reinterpret_cast<unsigned int*>(1), 1)); 515 516 EXPECT_EQ(SECFailure, 517 SSL_EncodeEchConfigId(0, nullptr, 0, static_cast<HpkeKemId>(1), 518 reinterpret_cast<SECKEYPublicKey*>(1), 519 reinterpret_cast<HpkeSymmetricSuite*>(1), 1, 520 reinterpret_cast<uint8_t*>(1), 521 reinterpret_cast<unsigned int*>(1), 1)); 522 523 EXPECT_EQ(SECFailure, SSL_EncodeEchConfigId( 524 0, "name", 1, static_cast<HpkeKemId>(1), 525 reinterpret_cast<SECKEYPublicKey*>(1), 526 reinterpret_cast<HpkeSymmetricSuite*>(1), 1, 527 nullptr, reinterpret_cast<unsigned int*>(1), 1)); 528 529 EXPECT_EQ(SECFailure, 530 SSL_EncodeEchConfigId(0, "name", 1, static_cast<HpkeKemId>(1), 531 reinterpret_cast<SECKEYPublicKey*>(1), 532 reinterpret_cast<HpkeSymmetricSuite*>(1), 1, 533 reinterpret_cast<uint8_t*>(1), nullptr, 1)); 534 } 535 536 TEST_P(TlsAgentEchTest, NoEarlyRetryConfigs) { 537 EnsureInit(); 538 StackSECItem retry_configs; 539 EXPECT_EQ(SECFailure, 540 SSL_GetEchRetryConfigs(agent_->ssl_fd(), &retry_configs)); 541 EXPECT_EQ(SSL_ERROR_HANDSHAKE_NOT_COMPLETED, PORT_GetError()); 542 543 ScopedSECKEYPublicKey pub; 544 ScopedSECKEYPrivateKey priv; 545 DataBuffer echconfig; 546 TlsConnectTestBase::GenerateEchConfig(HpkeDhKemX25519Sha256, kDefaultSuites, 547 kPublicName, 100, echconfig, pub, priv); 548 InstallEchConfig(echconfig, 0); 549 550 EXPECT_EQ(SECFailure, 551 SSL_GetEchRetryConfigs(agent_->ssl_fd(), &retry_configs)); 552 EXPECT_EQ(SSL_ERROR_HANDSHAKE_NOT_COMPLETED, PORT_GetError()); 553 } 554 555 TEST_P(TlsAgentEchTest, NoSniSoNoEch) { 556 EnsureInit(); 557 ScopedSECKEYPublicKey pub; 558 ScopedSECKEYPrivateKey priv; 559 DataBuffer echconfig; 560 TlsConnectTestBase::GenerateEchConfig(HpkeDhKemX25519Sha256, kDefaultSuites, 561 kPublicName, 100, echconfig, pub, priv); 562 SSL_SetURL(agent_->ssl_fd(), ""); 563 InstallEchConfig(echconfig, 0); 564 SSL_SetURL(agent_->ssl_fd(), ""); 565 EXPECT_EQ(SECSuccess, SSL_EnableTls13GreaseEch(agent_->ssl_fd(), 566 PR_FALSE)); // Don't GREASE 567 auto filter = MakeTlsFilter<TlsExtensionCapture>( 568 agent_, ssl_tls13_encrypted_client_hello_xtn); 569 agent_->Handshake(); 570 ASSERT_FALSE(filter->captured()); 571 } 572 573 TEST_P(TlsAgentEchTest, NoEchConfigSoNoEch) { 574 EnsureInit(); 575 ScopedSECKEYPublicKey pub; 576 ScopedSECKEYPrivateKey priv; 577 DataBuffer echconfig; 578 EXPECT_EQ(SECSuccess, SSL_EnableTls13GreaseEch(agent_->ssl_fd(), 579 PR_FALSE)); // Don't GREASE 580 auto filter = MakeTlsFilter<TlsExtensionCapture>( 581 agent_, ssl_tls13_encrypted_client_hello_xtn); 582 agent_->Handshake(); 583 ASSERT_FALSE(filter->captured()); 584 } 585 586 TEST_P(TlsAgentEchTest, EchConfigDuplicateExtensions) { 587 EnsureInit(); 588 ScopedSECKEYPublicKey pub; 589 ScopedSECKEYPrivateKey priv; 590 DataBuffer echconfig; 591 TlsConnectTestBase::GenerateEchConfig(HpkeDhKemX25519Sha256, kDefaultSuites, 592 kPublicName, 100, echconfig, pub, priv); 593 594 static const uint8_t duped_xtn[] = {0x00, 0x08, 0x00, 0x01, 0x00, 595 0x00, 0x00, 0x01, 0x00, 0x00}; 596 DataBuffer buf(duped_xtn, sizeof(duped_xtn)); 597 echconfig.Truncate(echconfig.len() - 2); 598 echconfig.Append(buf); 599 uint32_t len; 600 ASSERT_TRUE(echconfig.Read(0, 2, &len)); 601 len += buf.len() - 2; 602 DataBuffer new_len; 603 ASSERT_TRUE(new_len.Write(0, len, 2)); 604 echconfig.Splice(new_len, 0, 2); 605 new_len.Truncate(0); 606 607 ASSERT_TRUE(echconfig.Read(4, 2, &len)); 608 len += buf.len() - 2; 609 ASSERT_TRUE(new_len.Write(0, len, 2)); 610 echconfig.Splice(new_len, 4, 2); 611 612 InstallEchConfig(echconfig, SEC_ERROR_EXTENSION_VALUE_INVALID); 613 EXPECT_EQ(SECSuccess, SSL_EnableTls13GreaseEch(agent_->ssl_fd(), 614 PR_FALSE)); // Don't GREASE 615 auto filter = MakeTlsFilter<TlsExtensionCapture>( 616 agent_, ssl_tls13_encrypted_client_hello_xtn); 617 agent_->Handshake(); 618 ASSERT_EQ(TlsAgent::STATE_CONNECTING, agent_->state()); 619 ASSERT_FALSE(filter->captured()); 620 } 621 622 TEST_F(TlsConnectStreamTls13Ech, EchFixedConfig) { 623 ScopedSECKEYPublicKey pub; 624 ScopedSECKEYPrivateKey priv; 625 EnsureTlsSetup(); 626 ImportFixedEchKeypair(pub, priv); 627 SetMutualEchConfigs(pub, priv); 628 629 client_->ExpectEch(); 630 server_->ExpectEch(); 631 Connect(); 632 } 633 634 TEST_F(TlsConnectTest, RenegotiateClientECHGrease) { 635 EnsureTlsSetup(); 636 637 // Client speaks 1.2 or 1.3, with ECH GREASE enabled. 638 client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2, 639 SSL_LIBRARY_VERSION_TLS_1_3); 640 EXPECT_EQ(SECSuccess, SSL_EnableTls13GreaseEch(client_->ssl_fd(), PR_TRUE)); 641 642 // Server speaks 1.2 643 server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2, 644 SSL_LIBRARY_VERSION_TLS_1_2); 645 646 Connect(); 647 648 // Renegotiation 649 client_->PrepareForRenegotiate(); 650 server_->StartRenegotiate(); 651 Handshake(); 652 CheckConnected(); 653 } 654 655 // The next set of tests all use a fixed server key and a pre-built ClientHello. 656 // This ClientHelo can be constructed using the above EchFixedConfig test, 657 // modifying tls13_ConstructInnerExtensionsFromOuter as indicated. For this 658 // small number of tests, these fixed values are easier to construct than 659 // constructing ClientHello in the test that can be successfully decrypted. 660 661 // Test an encoded ClientHelloInner containing an extra extensionType 662 // in outer_extensions, for which there is no corresponding (uncompressed) 663 // extension in ClientHelloOuter. 664 TEST_F(TlsConnectStreamTls13Ech, EchOuterExtensionsReferencesMissing) { 665 // Construct this by prepending 0xabcd to ssl_tls13_outer_extensions_xtn. 666 std::string ch = 667 "010001fc030390901d039ca83262d9115a5f98f43ddb2553241a8de5c46d9f118c4c29c2" 668 "64bc000006130113031302010001cd00000010000e00000b7075626c69632e6e616d65ff" 669 "01000100000a00140012001d00170018001901000101010201030104003300260024001d" 670 "00206df5f908d1c02320e246694c765d5ec1c0f7d7aef2b1b00b17c36331623d332d002b" 671 "0003020304000d0018001604030503060302030804080508060401050106010201002d00" 672 "020101001c00024001fe0d00f900000100034d00209a4f67b0744d1fba23aa4bacfadb2a" 673 "c706562dae04d80a83ae668a6f2dd6ef2700cfab1671182341df246d66c3aca873e8c714" 674 "bc2b1c3b576653609533c486df0bdcf63ab4e4e7d0b67fadf4e3504eec96f72e6778b15d" 675 "69c9a9594a041348a7130f67a1a7cac796a0e6d6fca505438355278a9a8fd55e44218441" 676 "9927a1e084ac7d7adeb2f0c19faafba430876bf0cdf4d195b2d06428b3de13120f65748a" 677 "468f8997a2c3bf1dd7f3996a0f2c70dea6c88149df182b3c3b78a8da8bb709a9ed9d77c6" 678 "5dc09accdfeb66c90db26b99a35052a8cbaf7bb9307a1e17d90a7aa9f768f5f446559d08" 679 "69bccc83eda9d2b347a00015004200000000000000000000000000000000000000000000" 680 "000000000000000000000000000000000000000000000000000000000000000000000000" 681 "0000000000000000"; 682 ReplayChWithMalformedInner(ch, kTlsAlertIllegalParameter, 683 SSL_ERROR_RX_MALFORMED_ECH_EXTENSION, 684 SSL_ERROR_ILLEGAL_PARAMETER_ALERT); 685 } 686 687 TEST_F(TlsConnectStreamTls13Ech, EchOuterExtensionsInsideInner) { 688 // Construct this by appending ssl_tls13_outer_extensions_xtn to the 689 // references in 690 // ssl_tls13_outer_extensions_xtn. 691 std::string ch = 692 "010001fc03035e2268bc7133079cd33eb088253393e561d80c5ee6f9a238aff022e1e10d" 693 "4c82000006130113031302010001cd00000010000e00000b7075626c69632e6e616d65ff" 694 "01000100000a00140012001d00170018001901000101010201030104003300260024001d" 695 "00200e071fd982854d50236ed0e4e7981460840f03d03fd84b44c409fe486203b252002b" 696 "0003020304000d0018001604030503060302030804080508060401050106010201002d00" 697 "020101001c00024001fe0d00f900000100034d002099a032502ea4fd3c85b858ae1c59df" 698 "6a374f3698ed6bca188cf75c432c78cf5a00cf28dde32de7ade40abb16d550c1eec3dad4" 699 "a03c85efb95ec605837deae92a419285116e5cb8223ea53cff2b605e66f28e96d37e9b4e" 700 "3035fb1cfa125fa053d6770091b5731c9fb03e872a82991dfdd24ad8399fcc76db7fadba" 701 "029e064beb02c1282684a93e777bcefbca3dd143dfc225d2e65c80dbf3819ebda288e32c" 702 "3a1f8a27bb3aa9480dee2a4307073da3e15ee03dba386223d9399ad796af80c646f85406" 703 "282c34fd9406d25752087f08140e1be834e8a149f0bebfc2b3db16ccba83c37051e2e75d" 704 "e8a4e999ef385c74c96d0015004200000000000000000000000000000000000000000000" 705 "000000000000000000000000000000000000000000000000000000000000000000000000" 706 "0000000000000000"; 707 ReplayChWithMalformedInner(ch, kTlsAlertIllegalParameter, 708 SSL_ERROR_RX_MALFORMED_ECH_EXTENSION, 709 SSL_ERROR_ILLEGAL_PARAMETER_ALERT); 710 } 711 712 TEST_F(TlsConnectStreamTls13Ech, EchOuterExtensionsDuplicateReference) { 713 // Construct this by altering tls13_ConstructInnerExtensionsFromOuter to have 714 // each extension inserted in the reference list twice and running the 715 // EchFixedConfig test. 716 std::string ch = 717 "010001fc0303d8717df80286fcd8b4242ed846995c6473e290678231046bb1bfc7848460" 718 "b122000006130113031302010001cd00000010000e00000b7075626c69632e6e616d65ff" 719 "01000100000a00140012001d00170018001901000101010201030104003300260024001d" 720 "00206f21d5fdf7bf81943939a03656c1195ad347cec453bf7a16d0773ffef481d22f002b" 721 "0003020304000d0018001604030503060302030804080508060401050106010201002d00" 722 "020101001c00024001fe0d011900000100034d002027eb9b641ba8ffc3a4028d00d1f5bd" 723 "e190736b1ea5a79513dee0a551cc6fe55200efc2ed6bf501f100896eb91221ce512c20c3" 724 "c5c110e7be6a5d340854ff5ac0175312631b021fd5a5c9841549989f415c4041a4b384b1" 725 "dba1d6b4182cc48904f993a15eab6bf7787b267ca65acef51c019508e0c9b382086a71d8" 726 "517cf19644d66d396efc066a4d37916d67b0e5fe08d52dd94d068dd85b9a245aaffac4ff" 727 "66d9a5221fd5805473bb7584eb7f218357c00aff890d2f2edf1c092c648c888b5cba1ca6" 728 "26817fda7765fcedfbc418b90b1841d878ed443593cafb61fa8fb708c53977615b45f545" 729 "2a8236cab3ec121cdc91a2de6a79437cae9d09e781339fddcac005ce62fd65d50e33faa2" 730 "2366955a0374001500220000000000000000000000000000000000000000000000000000" 731 "0000000000000000"; 732 ReplayChWithMalformedInner(ch, kTlsAlertIllegalParameter, 733 SSL_ERROR_RX_MALFORMED_ECH_EXTENSION, 734 SSL_ERROR_ILLEGAL_PARAMETER_ALERT); 735 } 736 737 TEST_F(TlsConnectStreamTls13Ech, EchOuterExtensionsOutOfOrder) { 738 // Construct this by altering tls13_ConstructInnerExtensionsFromOuter to leave 739 // a gap at the start and insert a 'late' extension there. 740 std::string ch = 741 "010001fc0303fabff6caf4d8b1eb1db5945c96badefec4b33188b97121e6a206e82b74bd" 742 "a855000006130113031302010001cd00000010000e00000b7075626c69632e6e616d65ff" 743 "01000100000a00140012001d00170018001901000101010201030104003300260024001d" 744 "00208fe970fc0c908f0c51734f18467e640df1d45a6ace2948b5c4bf73ee52ab3160002b" 745 "0003020304000d0018001604030503060302030804080508060401050106010201002d00" 746 "020101001c00024001fe0d00f900000100034d00203339239f8925c3f9b89f4ced17c3b3" 747 "1c649299d7e10b3cdbc115de2a57d90d2200cf006e62866516380e8a16763bee5b2a75a8" 748 "74e8698c459f474d0e952c2fd3300bef1decd6f259b8ac2912684ef69b7a7be2520fbf15" 749 "5e0c3f88998789976ca1fbcaa40616fc513e3353540db091da76ca98007532974550d3da" 750 "aaddb799baf60adbc5800df30e187251427fe9de707d18a270352ee44f6eb37f0d8c72a1" 751 "5f9ffb5dd4bbb6045473c8d99b7a5c2c8cc59027f346cbe6ef240d5cf1919f58a998d427" 752 "0f8c882d03d22ec4df4079e15a639452ea4c24023f6bcad89566ce6a32b1dad6ddf6b436" 753 "3e6759bd48bed1b30a840015004200000000000000000000000000000000000000000000" 754 "000000000000000000000000000000000000000000000000000000000000000000000000" 755 "0000000000000000"; 756 ReplayChWithMalformedInner(ch, kTlsAlertIllegalParameter, 757 SSL_ERROR_RX_MALFORMED_ECH_EXTENSION, 758 SSL_ERROR_ILLEGAL_PARAMETER_ALERT); 759 } 760 761 // Drop supported_versions from CHInner, make sure we don't negotiate 1.2+ECH. 762 TEST_F(TlsConnectStreamTls13Ech, EchVersion12Inner) { 763 // Construct this by removing ssl_tls13_supported_versions_xtn entirely. 764 std::string ch = 765 "010001fc030338e9ebcde2b87ef779c4d9a9b9870aef3978130b254fbf168a92644c97c1" 766 "c5cb000006130113031302010001cd00000010000e00000b7075626c69632e6e616d65ff" 767 "01000100000a00140012001d00170018001901000101010201030104003300260024001d" 768 "002081b3ea444fd631f9264e01276bcc1a6771aed3b5a8a396446467d1c820e52b25002b" 769 "0003020304000d0018001604030503060302030804080508060401050106010201002d00" 770 "020101001c00024001fe0d00f900000100034d00205864042b43f4d4d544558fbcba410f" 771 "ebfb78ddfc5528672a7f7d9e70abc3eb6300cf6ff3271da628139bddc4a58ee92db26170" 772 "7310dee54d88c8a96a8d998b8608d5f10260b7e201e5dc8cafa13917a3fdfdf399082959" 773 "8adf3c291decf640f696e64c4e22bafb81565587c50dd829ccad68bd00babeaba7d8a7a5" 774 "400ad3200dbae674c549953ca6d3298ed751a9bc215a33be444fe908bf1c6f374cc139f9" 775 "98339f58b8fd3510a670e4102e3f7de21586ebd70c3fb1df8bb6b9e5dbc0db147dbac6d0" 776 "72dfc6cdf17ecee5c019c311b37ef9f5ceabb7edbdf87a4a04041c4d8b512a16517c5380" 777 "e8d4f6e3b2412b4a6c030015004200000000000000000000000000000000000000000000" 778 "000000000000000000000000000000000000000000000000000000000000000000000000" 779 "0000000000000000"; 780 ReplayChWithMalformedInner(ch, kTlsAlertIllegalParameter, 781 SSL_ERROR_UNSUPPORTED_VERSION, 782 SSL_ERROR_ILLEGAL_PARAMETER_ALERT); 783 } 784 785 // Use CHInner supported_versions to negotiate 1.2. 786 TEST_F(TlsConnectStreamTls13Ech, EchVersion12InnerSupportedVersions) { 787 // Construct this by changing ssl_tls13_supported_versions_xtn to write 788 // TLS 1.2 instead of TLS 1.3. 789 std::string ch = 790 "010001fc0303f7146bdc88c399feb49c62b796db2f8b1330e25292a889edf7c65231d0be" 791 "b95f000006130113031302010001cd00000010000e00000b7075626c69632e6e616d65ff" 792 "01000100000a00140012001d00170018001901000101010201030104003300260024001d" 793 "0020d31f8eb204efba49dbdbf40bb046b1e0b90fa3f034260d60f351d4b15e614e7f002b" 794 "0003020304000d0018001604030503060302030804080508060401050106010201002d00" 795 "020101001c00024001fe0d00f900000100034d0020eaa25e92721e65fd405577bf2fd322" 796 "857e60f8766a595929fc404c9a01ef441200cf04992c693fbc8eac87726b336a11abc411" 797 "541ceff50d533d4cf4d6e1078479acb5446675b652f22d6db04daf0c3640ec2429ba4f51" 798 "99c00daa43e9a7d85bd6733041feeca0b38ee6ca07042c7e67d40cd3e236499f3f9d92ab" 799 "e4642e483c75d77c247b0228bc773c09551d15845c35663afd1805c5b3adb136ffa6d94f" 800 "b7cbfe93d5d33c894b2a6437ad9a2278d5863ed20db652a6084c9e95a8dfaf821d0b474a" 801 "7efc2839f110edb4a73376ecab629b26b1eea63304899c49a07157fbbee67c786686cb04" 802 "a53666a74e1e003aefc70015004200000000000000000000000000000000000000000000" 803 "000000000000000000000000000000000000000000000000000000000000000000000000" 804 "0000000000000000"; 805 ReplayChWithMalformedInner(ch, kTlsAlertProtocolVersion, 806 SSL_ERROR_UNSUPPORTED_VERSION, 807 SSL_ERROR_PROTOCOL_VERSION_ALERT); 808 } 809 810 // Replay a CH for which CHInner lacks the required ech xtn of inner type 811 TEST_F(TlsConnectStreamTls13Ech, EchInnerMissing) { 812 // Construct by omitting the ech inner extension 813 std::string ch = 814 "010001fc0303fa9cd9cf5b77bb4083f69a1d169d44b356faea0d6a0aee6d50412de6fef7" 815 "8d22000006130113031302010001cd00000010000e00000b7075626c69632e6e616d65ff" 816 "01000100000a00140012001d00170018001901000101010201030104003300260024001d" 817 "0020c329f1dde4d51b50f68c21053b545290b250af527b2832d3acf2c6af9b8b8d5c002b" 818 "0003020304000d0018001604030503060302030804080508060401050106010201002d00" 819 "020101001c00024001fe0d00f900000100034d00207e2a0397b7d2776ae468057d630243" 820 "b01388cf80680b074323adf4091aba7b4c00cff4b649fb5b3a0719c1e085c7006a95eaad" 821 "32375b717a42d009c075e6246342fdc1e847c528495f90378ff5b4912da5190f7e8bfa1c" 822 "c9744b50e9e469cd7cd12bcb5f6534b7d617459d2efa4d796ad244567c49f1d22feb08a5" 823 "8e8ebdce059c28883dd69ca401e189f3ef438c3f0bf3d377e6727a1f6abf3a8a8cc149ee" 824 "60a1aa5ba4a50e99d2519216762558e9613a238bd630b5822f549575d9402f8da066aaef" 825 "2e0e6a7a04583b041925e0ef4575107c4436f9af26e561c0ab733cd88bee6a20e6414128" 826 "ea0ba1c73612bb62c1e90015004200000000000000000000000000000000000000000000" 827 "000000000000000000000000000000000000000000000000000000000000000000000000" 828 "0000000000000000"; 829 ReplayChWithMalformedInner(ch, kTlsAlertIllegalParameter, 830 SSL_ERROR_MISSING_ECH_EXTENSION, 831 SSL_ERROR_ILLEGAL_PARAMETER_ALERT); 832 } 833 834 TEST_F(TlsConnectStreamTls13Ech, EchInnerWrongSize) { 835 // Construct by including ech inner with wrong size 836 std::string ch = 837 "010001fc03035f8410dab9e49b0833d13390f3fe0b3c6321d842961c9cc46b59a0b5b8e1" 838 "4e0b000006130113031302010001cd00000010000e00000b7075626c69632e6e616d65ff" 839 "01000100000a00140012001d00170018001901000101010201030104003300260024001d" 840 "0020526a56087d685e574accb0e87d6781bc553612479e56460fe6a497fa1cd74e2e002b" 841 "0003020304000d0018001604030503060302030804080508060401050106010201002d00" 842 "020101001c00024001fe0d00f900000100034d00200d096bf6ac0c3bcb79d70677da0e0d" 843 "249b40bc5ba6b8727654619fe6567d0b0700cfd13e136d2d041e3cd993b252386d97e98d" 844 "c972d29d28e0281a210fa56156b95e4371a6610a0b3e65f1b842875fb456de9b9c0e03f8" 845 "aa4d1055057ac3e20e5fa45b837ccbb06ef3856c71f1f63e91b60bfb5f3415f26e9a0d3c" 846 "4d404d5d5aaa6dca8d57cf2e6b4aaf399fa7271b0c1eedbfdd85fbc9711b0446eb9c9535" 847 "a74f3e5a71e2e22dc8d89980f96233ec9b80fbe4f295ff7903bade407fc544c8d76df4fb" 848 "ce4b8d79cea0ff7e0b0736ecbeaf5a146a4f81a930e788ae144cf2219e90dc3594165a7e" 849 "2a0b64f6189a87a348840015004200000000000000000000000000000000000000000000" 850 "000000000000000000000000000000000000000000000000000000000000000000000000" 851 "0000000000000000"; 852 ReplayChWithMalformedInner(ch, kTlsAlertDecodeError, 853 SSL_ERROR_RX_MALFORMED_ESNI_EXTENSION, 854 SSL_ERROR_DECODE_ERROR_ALERT); 855 } 856 857 TEST_F(TlsConnectStreamTls13Ech, InnerWithEchAndEchIsInner) { 858 // Construct by appending an empty ssl_tls13_encrypted_client_hello_xtn of 859 // type outer to 860 // CHInner. 861 std::string ch = 862 "010001fc0303527df5a8dbcf390c184c5274295283fdba78d05784170d8f3cb8c7d84747" 863 "afb5000006130113031302010001cd00000010000e00000b7075626c69632e6e616d65ff" 864 "01000100000a00140012001d00170018001901000101010201030104003300260024001d" 865 "002099461dcfcdc7804a0f34bf3ca49ac39776a7ef4d8edd30fab3599ff59b09f826002b" 866 "0003020304000d0018001604030503060302030804080508060401050106010201002d00" 867 "020101001c00024001fe0d00f900000100034d00201da1341e8ba21ff90e025d2438d4e5" 868 "b4e8b376befc57cf8c9afb484e6f051b2f00cff747491b810705e5cc8d8a1302468000d9" 869 "8660d659d8382a6fc23ca1a582def728eabb363771328035565048213b1d725b20f757be" 870 "63d6956cd861aa9d33adcc913de2443695f70e130af96fd2b078dd662478a29bd17a4479" 871 "715c949b5fc118456d0243c9d1819cecd0f5fbd1c78dadd6fcd09abe41ca97a00c97efb3" 872 "894c9d4bab60dcd150b55608f6260723a08e112e39e6a43f645f85a08085054f27f269bc" 873 "1acb9ff5007b04eaef3414767666472e4e24c2a2953f5dc68aeb5207d556f1b872a810b6" 874 "686cf83a09db8b474df70015004200000000000000000000000000000000000000000000" 875 "000000000000000000000000000000000000000000000000000000000000000000000000" 876 "0000000000000000"; 877 ReplayChWithMalformedInner(ch, kTlsAlertIllegalParameter, 878 SSL_ERROR_RX_UNEXPECTED_EXTENSION, 879 SSL_ERROR_ILLEGAL_PARAMETER_ALERT); 880 } 881 882 TEST_F(TlsConnectStreamTls13, EchWithInnerExtNotSplit) { 883 static uint8_t type_val[1] = {1}; 884 DataBuffer type_buffer(type_val, sizeof(type_val)); 885 886 EnsureTlsSetup(); 887 EXPECT_EQ(SECSuccess, SSL_EnableTls13GreaseEch(client_->ssl_fd(), PR_FALSE)); 888 MakeTlsFilter<TlsExtensionAppender>(client_, kTlsHandshakeClientHello, 889 ssl_tls13_encrypted_client_hello_xtn, 890 type_buffer); 891 ConnectExpectAlert(server_, kTlsAlertIllegalParameter); 892 client_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT); 893 server_->CheckErrorCode(SSL_ERROR_RX_UNEXPECTED_EXTENSION); 894 } 895 896 /* Parameters 897 * Length of SNI for first connection 898 * Length of SNI for second connection 899 * Use GREASE for first connection? 900 * Use GREASE for second connection? 901 * For both connections, SNI length to pad to. 902 */ 903 class EchCHPaddingTest : public TlsConnectStreamTls13, 904 public testing::WithParamInterface< 905 std::tuple<int, int, bool, bool, int>> {}; 906 907 TEST_P(EchCHPaddingTest, EchChPaddingEqual) { 908 auto parameters = GetParam(); 909 std::string name_str1 = std::string(std::get<0>(parameters), 'a'); 910 std::string name_str2 = std::string(std::get<1>(parameters), 'a'); 911 const char* name1 = name_str1.c_str(); 912 const char* name2 = name_str2.c_str(); 913 bool grease_mode1 = std::get<2>(parameters); 914 bool grease_mode2 = std::get<3>(parameters); 915 uint8_t max_name_len = std::get<4>(parameters); 916 917 // Connection 1 918 EnsureTlsSetup(); 919 SSL_SetURL(client_->ssl_fd(), name1); 920 if (grease_mode1) { 921 EXPECT_EQ(SECSuccess, SSL_EnableTls13GreaseEch(client_->ssl_fd(), PR_TRUE)); 922 EXPECT_EQ(SECSuccess, 923 SSL_SetTls13GreaseEchSize(client_->ssl_fd(), max_name_len)); 924 client_->ExpectEch(false); 925 server_->ExpectEch(false); 926 } else { 927 SetupEch(client_, server_, HpkeDhKemX25519Sha256, true, true, true, 928 max_name_len); 929 } 930 auto filter1 = MakeTlsFilter<TlsExtensionCapture>( 931 client_, ssl_tls13_encrypted_client_hello_xtn); 932 Connect(); 933 size_t echXtnLen1 = filter1->extension().len(); 934 935 Reset(); 936 937 // Connection 2 938 EnsureTlsSetup(); 939 SSL_SetURL(client_->ssl_fd(), name2); 940 if (grease_mode2) { 941 EXPECT_EQ(SECSuccess, SSL_EnableTls13GreaseEch(client_->ssl_fd(), PR_TRUE)); 942 EXPECT_EQ(SECSuccess, 943 SSL_SetTls13GreaseEchSize(client_->ssl_fd(), max_name_len)); 944 client_->ExpectEch(false); 945 server_->ExpectEch(false); 946 } else { 947 SetupEch(client_, server_, HpkeDhKemX25519Sha256, true, true, true, 948 max_name_len); 949 } 950 auto filter2 = MakeTlsFilter<TlsExtensionCapture>( 951 client_, ssl_tls13_encrypted_client_hello_xtn); 952 Connect(); 953 size_t echXtnLen2 = filter2->extension().len(); 954 955 // We always expect an ECH extension. 956 ASSERT_TRUE(echXtnLen2 > 0 && echXtnLen1 > 0); 957 // We expect the ECH extension to round to the same multiple of 32. 958 // Note: It will not be 0 % 32 because we pad the Payload, but have a number 959 // of extra bytes from the rest of the ECH extension (e.g. ciphersuite) 960 ASSERT_EQ(echXtnLen1 % 32, echXtnLen2 % 32); 961 // Both connections should have the same size after padding. 962 if (name_str1.size() <= max_name_len && name_str2.size() <= max_name_len) { 963 ASSERT_EQ(echXtnLen1, echXtnLen2); 964 } 965 } 966 967 #define ECH_PADDING_TEST_INSTANTIATE(name, values) \ 968 INSTANTIATE_TEST_SUITE_P(name, EchCHPaddingTest, \ 969 testing::Combine(values, values, testing::Bool(), \ 970 testing::Bool(), values)) 971 972 const int kExtremalSNILengths[] = {1, 128, 255}; 973 const int kNormalSNILengths[] = {17, 24, 100}; 974 const int kLongSNILengths[] = {90, 167, 214}; 975 976 /* Each invocation with N lengths, results in 4N^3 test cases, so we test 977 * 3 lots of (4*3^3) rather than all permutations. */ 978 ECH_PADDING_TEST_INSTANTIATE(extremal, testing::ValuesIn(kExtremalSNILengths)); 979 ECH_PADDING_TEST_INSTANTIATE(normal, testing::ValuesIn(kNormalSNILengths)); 980 ECH_PADDING_TEST_INSTANTIATE(lengthy, testing::ValuesIn(kLongSNILengths)); 981 982 // Check the server rejects ClientHellos with bad padding 983 TEST_F(TlsConnectStreamTls13Ech, EchChPaddingChecked) { 984 // Generate this string by changing the padding in 985 // tls13_GenPaddingClientHelloInner 986 std::string ch = 987 "010001fc03037473367a6eb6773391081b403908fc0c0026aac706889c59ca694d0c1188" 988 "c4b3000006130113031302010001cd00000010000e00000b7075626c69632e6e616d65ff" 989 "01000100000a00140012001d00170018001901000101010201030104003300260024001d" 990 "0020f7d8ad5fea0165e115e984e11c43f1d8f255bd8f772b893432d8d7721e91785a002b" 991 "0003020304000d0018001604030503060302030804080508060401050106010201002d00" 992 "020101001c00024001fe0d00f900000100034d00207e0ad8e83f8a9c89e1ae4fd65b8091" 993 "01e496bbb5f29ce20b299ce58937e2563300cff471a787585e15ae5aff5e4fee7ec988ba" 994 "72f8a95db41e793568b0301d553251f0826dc0c3ff658e4e029ef840ae86fa80af4b11b5" 995 "3a33fab99887bf8df18bc87abbb1f578f7964848d91a2023cbe7609fcc31bd721865009c" 996 "ad68c09e438d677f7c56af76e62c168bdb373bb88962471dacc4ddf654e435cd903f6555" 997 "4c9a93ffd2541cd7bce520e7215d15495184b781ca8c138cedd573fbdef1d40e5de82c33" 998 "5c9c43370102ecb0b66dd27efc719a9a54589b6e6b599b1b0146e121eae0ab5b2070c12f" 999 "4f4f2b099808294a459f0015004200000000000000000000000000000000000000000000" 1000 "000000000000000000000000000000000000000000000000000000000000000000000000" 1001 "0000000000000000"; 1002 ReplayChWithMalformedInner(ch, kTlsAlertIllegalParameter, 1003 SSL_ERROR_RX_MALFORMED_ECH_EXTENSION, 1004 SSL_ERROR_ILLEGAL_PARAMETER_ALERT); 1005 } 1006 1007 TEST_F(TlsConnectStreamTls13Ech, EchConfigList) { 1008 ScopedSECKEYPublicKey pub; 1009 ScopedSECKEYPrivateKey priv; 1010 EnsureTlsSetup(); 1011 1012 DataBuffer config1; 1013 TlsConnectTestBase::GenerateEchConfig(HpkeDhKemX25519Sha256, kSuiteAes, 1014 kPublicName, 100, config1, pub, priv); 1015 DataBuffer config2; 1016 TlsConnectTestBase::GenerateEchConfig(HpkeDhKemX25519Sha256, kSuiteAes, 1017 kPublicName, 100, config2, pub, priv); 1018 DataBuffer configList = MakeEchConfigList(config1, config2); 1019 SECStatus rv = 1020 SSL_SetServerEchConfigs(server_->ssl_fd(), pub.get(), priv.get(), 1021 configList.data(), configList.len()); 1022 printf("%u", rv); 1023 ASSERT_EQ(rv, SECSuccess); 1024 } 1025 1026 TEST_F(TlsConnectStreamTls13Ech, EchConfigsTrialDecrypt) { 1027 // Apply two ECHConfigs on the server. They are identical with the exception 1028 // of the public key: the first ECHConfig contains a public key for which we 1029 // lack the private value. Use an SSLInt function to zero all the config_ids 1030 // (client and server), then confirm that trial decryption works. 1031 ScopedSECKEYPublicKey pub; 1032 ScopedSECKEYPrivateKey priv; 1033 EnsureTlsSetup(); 1034 ImportFixedEchKeypair(pub, priv); 1035 ScopedSECKEYPublicKey pub2; 1036 ScopedSECKEYPrivateKey priv2; 1037 DataBuffer config2; 1038 TlsConnectTestBase::GenerateEchConfig(HpkeDhKemX25519Sha256, kSuiteAes, 1039 kPublicName, 100, config2, pub, priv); 1040 DataBuffer config1; 1041 TlsConnectTestBase::GenerateEchConfig(HpkeDhKemX25519Sha256, kSuiteAes, 1042 kPublicName, 100, config1, pub2, priv2); 1043 // Zero the config id for both, only public key differs. 1044 config2.Write(7, (uint32_t)0, 1); 1045 config1.Write(7, (uint32_t)0, 1); 1046 // Server only knows private key for conf2 1047 DataBuffer configList = MakeEchConfigList(config1, config2); 1048 ASSERT_EQ(SECSuccess, 1049 SSL_SetServerEchConfigs(server_->ssl_fd(), pub.get(), priv.get(), 1050 configList.data(), configList.len())); 1051 ASSERT_EQ(SECSuccess, SSL_SetClientEchConfigs(client_->ssl_fd(), 1052 config2.data(), config2.len())); 1053 client_->ExpectEch(); 1054 server_->ExpectEch(); 1055 Connect(); 1056 } 1057 1058 TEST_F(TlsConnectStreamTls13Ech, EchAcceptBasic) { 1059 EnsureTlsSetup(); 1060 SetupEch(client_, server_); 1061 auto c_filter_sni = 1062 MakeTlsFilter<TlsExtensionCapture>(client_, ssl_server_name_xtn); 1063 Connect(); 1064 ASSERT_TRUE(c_filter_sni->captured()); 1065 CheckSniExtension(c_filter_sni->extension(), kPublicName); 1066 } 1067 1068 TEST_F(TlsConnectStreamTls13, EchAcceptWithResume) { 1069 EnsureTlsSetup(); 1070 SetupEch(client_, server_); 1071 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 1072 Connect(); 1073 SendReceive(); // Need to read so that we absorb the session ticket. 1074 CheckKeys(); 1075 1076 Reset(); 1077 EnsureTlsSetup(); 1078 SetupEch(client_, server_); 1079 ExpectResumption(RESUME_TICKET); 1080 auto filter = 1081 MakeTlsFilter<TlsExtensionCapture>(client_, ssl_tls13_pre_shared_key_xtn); 1082 StartConnect(); 1083 Handshake(); 1084 CheckConnected(); 1085 // Make sure that the PSK extension is only in CHInner. 1086 ASSERT_TRUE(filter->captured()); 1087 } 1088 1089 TEST_F(TlsConnectStreamTls13, EchAcceptWithExternalPsk) { 1090 static const std::string kPskId = "testing123"; 1091 EnsureTlsSetup(); 1092 SetupEch(client_, server_); 1093 1094 ScopedPK11SlotInfo slot(PK11_GetInternalSlot()); 1095 ASSERT_TRUE(!!slot); 1096 ScopedPK11SymKey key( 1097 PK11_KeyGen(slot.get(), CKM_HKDF_KEY_GEN, nullptr, 16, nullptr)); 1098 ASSERT_TRUE(!!key); 1099 AddPsk(key, kPskId, ssl_hash_sha256); 1100 1101 // Not permitted in outer. 1102 auto filter = 1103 MakeTlsFilter<TlsExtensionCapture>(client_, ssl_tls13_pre_shared_key_xtn); 1104 StartConnect(); 1105 Handshake(); 1106 CheckConnected(); 1107 SendReceive(); 1108 CheckKeys(ssl_auth_psk, ssl_sig_none); 1109 // The PSK extension is present in CHOuter. 1110 ASSERT_TRUE(filter->captured()); 1111 1112 // But the PSK in CHOuter is completely different. 1113 // (Failure/collision chance means kPskId needs to be longish.) 1114 uint32_t v = 0; 1115 ASSERT_TRUE(filter->extension().Read(0, 2, &v)); 1116 ASSERT_EQ(v, kPskId.size() + 2 + 4) << "check size of identities"; 1117 ASSERT_TRUE(filter->extension().Read(2, 2, &v)); 1118 ASSERT_EQ(v, kPskId.size()) << "check size of identity"; 1119 bool different = false; 1120 for (size_t i = 0; i < kPskId.size(); ++i) { 1121 ASSERT_TRUE(filter->extension().Read(i + 4, 1, &v)); 1122 different |= v != static_cast<uint8_t>(kPskId[i]); 1123 } 1124 ASSERT_TRUE(different); 1125 } 1126 1127 // If an earlier version is negotiated, False Start must be disabled. 1128 TEST_F(TlsConnectStreamTls13, EchDowngradeNoFalseStart) { 1129 EnsureTlsSetup(); 1130 SetupEch(client_, server_, HpkeDhKemX25519Sha256, false, true, false); 1131 MakeTlsFilter<TlsExtensionDropper>(client_, 1132 ssl_tls13_encrypted_client_hello_xtn); 1133 client_->EnableFalseStart(); 1134 client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2, 1135 SSL_LIBRARY_VERSION_TLS_1_3); 1136 server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2, 1137 SSL_LIBRARY_VERSION_TLS_1_2); 1138 1139 StartConnect(); 1140 client_->Handshake(); 1141 server_->Handshake(); 1142 client_->Handshake(); 1143 EXPECT_FALSE(client_->can_falsestart_hook_called()); 1144 1145 // Make sure the write is blocked. 1146 client_->ExpectReadWriteError(); 1147 client_->SendData(10); 1148 } 1149 1150 SSLHelloRetryRequestAction RetryEchHello(PRBool firstHello, 1151 const PRUint8* clientToken, 1152 unsigned int clientTokenLen, 1153 PRUint8* appToken, 1154 unsigned int* appTokenLen, 1155 unsigned int appTokenMax, void* arg) { 1156 auto* called = reinterpret_cast<size_t*>(arg); 1157 ++*called; 1158 1159 EXPECT_EQ(0U, clientTokenLen); 1160 return firstHello ? ssl_hello_retry_request : ssl_hello_retry_accept; 1161 } 1162 1163 // Generate HRR on CH1 Inner 1164 TEST_F(TlsConnectStreamTls13, EchAcceptWithHrr) { 1165 ScopedSECKEYPublicKey pub; 1166 ScopedSECKEYPrivateKey priv; 1167 DataBuffer echconfig; 1168 ConfigureSelfEncrypt(); 1169 EnsureTlsSetup(); 1170 TlsConnectTestBase::GenerateEchConfig(HpkeDhKemX25519Sha256, kDefaultSuites, 1171 kPublicName, 100, echconfig, pub, priv); 1172 ASSERT_EQ(SECSuccess, 1173 SSL_SetServerEchConfigs(server_->ssl_fd(), pub.get(), priv.get(), 1174 echconfig.data(), echconfig.len())); 1175 ASSERT_EQ(SECSuccess, 1176 SSL_SetClientEchConfigs(client_->ssl_fd(), echconfig.data(), 1177 echconfig.len())); 1178 client_->ExpectEch(); 1179 server_->ExpectEch(); 1180 1181 size_t cb_called = 0; 1182 EXPECT_EQ(SECSuccess, SSL_HelloRetryRequestCallback( 1183 server_->ssl_fd(), RetryEchHello, &cb_called)); 1184 1185 auto server_hrr_ech_xtn = MakeTlsFilter<TlsExtensionCapture>( 1186 server_, ssl_tls13_encrypted_client_hello_xtn); 1187 // Start the handshake. 1188 client_->StartConnect(); 1189 server_->StartConnect(); 1190 client_->Handshake(); 1191 server_->Handshake(); 1192 MakeNewServer(); 1193 ASSERT_EQ(SECSuccess, 1194 SSL_SetServerEchConfigs(server_->ssl_fd(), pub.get(), priv.get(), 1195 echconfig.data(), echconfig.len())); 1196 client_->ExpectEch(); 1197 server_->ExpectEch(); 1198 Handshake(); 1199 ASSERT_TRUE(server_hrr_ech_xtn->captured()); 1200 EXPECT_EQ(1U, cb_called); 1201 CheckConnected(); 1202 SendReceive(); 1203 } 1204 1205 TEST_F(TlsConnectStreamTls13Ech, EchGreaseSize) { 1206 EnsureTlsSetup(); 1207 EXPECT_EQ(SECSuccess, SSL_EnableTls13GreaseEch(client_->ssl_fd(), PR_TRUE)); 1208 1209 auto greased_ext = MakeTlsFilter<TlsExtensionCapture>( 1210 client_, ssl_tls13_encrypted_client_hello_xtn); 1211 Connect(); 1212 ASSERT_TRUE(greased_ext->captured()); 1213 1214 Reset(); 1215 EnsureTlsSetup(); 1216 1217 ScopedSECKEYPublicKey pub; 1218 ScopedSECKEYPrivateKey priv; 1219 ImportFixedEchKeypair(pub, priv); 1220 SetMutualEchConfigs(pub, priv); 1221 1222 auto real_ext = MakeTlsFilter<TlsExtensionCapture>( 1223 client_, ssl_tls13_encrypted_client_hello_xtn); 1224 client_->ExpectEch(); 1225 server_->ExpectEch(); 1226 Connect(); 1227 1228 ASSERT_TRUE(real_ext->captured()); 1229 ASSERT_EQ(real_ext->extension().len(), greased_ext->extension().len()); 1230 } 1231 1232 TEST_F(TlsConnectStreamTls13Ech, EchGreaseClientDisable) { 1233 ScopedSECKEYPublicKey pub; 1234 ScopedSECKEYPrivateKey priv; 1235 DataBuffer echconfig; 1236 EnsureTlsSetup(); 1237 TlsConnectTestBase::GenerateEchConfig(HpkeDhKemX25519Sha256, kDefaultSuites, 1238 kPublicName, 100, echconfig, pub, priv); 1239 ASSERT_EQ(SECSuccess, 1240 SSL_SetServerEchConfigs(server_->ssl_fd(), pub.get(), priv.get(), 1241 echconfig.data(), echconfig.len())); 1242 EXPECT_EQ(SECSuccess, SSL_EnableTls13GreaseEch(client_->ssl_fd(), PR_FALSE)); 1243 1244 auto c_filter_esni = MakeTlsFilter<TlsExtensionCapture>( 1245 client_, ssl_tls13_encrypted_client_hello_xtn); 1246 1247 Connect(); 1248 ASSERT_TRUE(!c_filter_esni->captured()); 1249 } 1250 1251 TEST_F(TlsConnectStreamTls13Ech, EchHrrGreaseServerDisable) { 1252 ScopedSECKEYPublicKey pub; 1253 ScopedSECKEYPrivateKey priv; 1254 DataBuffer echconfig; 1255 ConfigureSelfEncrypt(); 1256 EnsureTlsSetup(); 1257 EXPECT_EQ(SECSuccess, SSL_EnableTls13GreaseEch(client_->ssl_fd(), PR_TRUE)); 1258 EXPECT_EQ(SECSuccess, SSL_EnableTls13GreaseEch(server_->ssl_fd(), PR_FALSE)); 1259 size_t cb_called = 0; 1260 EXPECT_EQ(SECSuccess, SSL_HelloRetryRequestCallback( 1261 server_->ssl_fd(), RetryEchHello, &cb_called)); 1262 1263 auto server_hrr_ech_xtn = MakeTlsFilter<TlsExtensionCapture>( 1264 server_, ssl_tls13_encrypted_client_hello_xtn); 1265 // Start the handshake. 1266 client_->StartConnect(); 1267 server_->StartConnect(); 1268 client_->Handshake(); 1269 server_->Handshake(); 1270 MakeNewServer(); 1271 EXPECT_EQ(SECSuccess, SSL_EnableTls13GreaseEch(server_->ssl_fd(), PR_FALSE)); 1272 Handshake(); 1273 ASSERT_TRUE(!server_hrr_ech_xtn->captured()); 1274 EXPECT_EQ(1U, cb_called); 1275 CheckConnected(); 1276 SendReceive(); 1277 } 1278 1279 TEST_F(TlsConnectStreamTls13Ech, EchGreaseSizePsk) { 1280 // Original connection without ECH 1281 ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH); 1282 Connect(); 1283 SendReceive(); 1284 1285 // Resumption with only GREASE 1286 Reset(); 1287 ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH); 1288 ExpectResumption(RESUME_TICKET); 1289 EXPECT_EQ(SECSuccess, SSL_EnableTls13GreaseEch(client_->ssl_fd(), PR_TRUE)); 1290 1291 auto greased_ext = MakeTlsFilter<TlsExtensionCapture>( 1292 client_, ssl_tls13_encrypted_client_hello_xtn); 1293 Connect(); 1294 SendReceive(); 1295 ASSERT_TRUE(greased_ext->captured()); 1296 1297 // Finally, resume with ECH enabled 1298 // ECH state does not determine whether resumption succeeds 1299 // or is attempted, so this should work fine. 1300 Reset(); 1301 ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH); 1302 ExpectResumption(RESUME_TICKET, 2); 1303 1304 ScopedSECKEYPublicKey pub; 1305 ScopedSECKEYPrivateKey priv; 1306 ImportFixedEchKeypair(pub, priv); 1307 SetMutualEchConfigs(pub, priv); 1308 1309 auto real_ext = MakeTlsFilter<TlsExtensionCapture>( 1310 client_, ssl_tls13_encrypted_client_hello_xtn); 1311 client_->ExpectEch(); 1312 server_->ExpectEch(); 1313 Connect(); 1314 ASSERT_TRUE(real_ext->captured()); 1315 1316 ASSERT_EQ(real_ext->extension().len(), greased_ext->extension().len()); 1317 } 1318 1319 // Send GREASE ECH in CH1. CH2 must send exactly the same GREASE ECH contents. 1320 TEST_F(TlsConnectStreamTls13, GreaseEchHrrMatches) { 1321 ConfigureSelfEncrypt(); 1322 EnsureTlsSetup(); 1323 size_t cb_called = 0; 1324 EXPECT_EQ(SECSuccess, SSL_HelloRetryRequestCallback( 1325 server_->ssl_fd(), RetryEchHello, &cb_called)); 1326 1327 EXPECT_EQ(SECSuccess, SSL_EnableTls13GreaseEch(client_->ssl_fd(), 1328 PR_TRUE)); // GREASE 1329 auto capture = MakeTlsFilter<TlsExtensionCapture>( 1330 client_, ssl_tls13_encrypted_client_hello_xtn); 1331 1332 // Start the handshake. 1333 client_->StartConnect(); 1334 server_->StartConnect(); 1335 client_->Handshake(); // Send CH1 1336 EXPECT_TRUE(capture->captured()); 1337 DataBuffer ch1_grease = capture->extension(); 1338 1339 server_->Handshake(); 1340 MakeNewServer(); 1341 capture = MakeTlsFilter<TlsExtensionCapture>( 1342 client_, ssl_tls13_encrypted_client_hello_xtn); 1343 1344 EXPECT_FALSE(capture->captured()); 1345 client_->Handshake(); // Send CH2 1346 EXPECT_TRUE(capture->captured()); 1347 EXPECT_EQ(ch1_grease, capture->extension()); 1348 1349 EXPECT_EQ(1U, cb_called); 1350 server_->StartConnect(); 1351 Handshake(); 1352 CheckConnected(); 1353 } 1354 1355 TEST_F(TlsConnectStreamTls13Ech, EchRejectMisizedEchXtn) { 1356 ScopedSECKEYPublicKey pub; 1357 ScopedSECKEYPrivateKey priv; 1358 DataBuffer echconfig; 1359 ConfigureSelfEncrypt(); 1360 EnsureTlsSetup(); 1361 EXPECT_EQ(SECSuccess, SSL_EnableTls13GreaseEch(client_->ssl_fd(), PR_TRUE)); 1362 EXPECT_EQ(SECSuccess, SSL_EnableTls13GreaseEch(server_->ssl_fd(), PR_TRUE)); 1363 size_t cb_called = 0; 1364 EXPECT_EQ(SECSuccess, SSL_HelloRetryRequestCallback( 1365 server_->ssl_fd(), RetryEchHello, &cb_called)); 1366 auto server_hrr_ext_xtn_fake = MakeTlsFilter<TlsExtensionResizer>( 1367 server_, ssl_tls13_encrypted_client_hello_xtn, 34); 1368 // Start the handshake. 1369 client_->StartConnect(); 1370 server_->StartConnect(); 1371 client_->Handshake(); 1372 server_->Handshake(); 1373 // Process the hello retry. 1374 server_->ExpectReceiveAlert(kTlsAlertDecodeError, kTlsAlertFatal); 1375 client_->ExpectSendAlert(kTlsAlertDecodeError); 1376 Handshake(); 1377 client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_ECH_EXTENSION); 1378 server_->CheckErrorCode(SSL_ERROR_DECODE_ERROR_ALERT); 1379 EXPECT_EQ(1U, cb_called); 1380 } 1381 1382 TEST_F(TlsConnectStreamTls13Ech, EchRejectDroppedEchXtn) { 1383 ScopedSECKEYPublicKey pub; 1384 ScopedSECKEYPrivateKey priv; 1385 DataBuffer echconfig; 1386 ConfigureSelfEncrypt(); 1387 EnsureTlsSetup(); 1388 TlsConnectTestBase::GenerateEchConfig(HpkeDhKemX25519Sha256, kDefaultSuites, 1389 kPublicName, 100, echconfig, pub, priv); 1390 ASSERT_EQ(SECSuccess, 1391 SSL_SetServerEchConfigs(server_->ssl_fd(), pub.get(), priv.get(), 1392 echconfig.data(), echconfig.len())); 1393 ASSERT_EQ(SECSuccess, 1394 SSL_SetClientEchConfigs(client_->ssl_fd(), echconfig.data(), 1395 echconfig.len())); 1396 size_t cb_called = 0; 1397 EXPECT_EQ(SECSuccess, SSL_HelloRetryRequestCallback( 1398 server_->ssl_fd(), RetryEchHello, &cb_called)); 1399 auto server_hrr_ext_xtn_fake = MakeTlsFilter<TlsExtensionDropper>( 1400 server_, ssl_tls13_encrypted_client_hello_xtn); 1401 // Start the handshake. 1402 client_->StartConnect(); 1403 server_->StartConnect(); 1404 client_->Handshake(); 1405 server_->Handshake(); 1406 MakeNewServer(); 1407 ASSERT_EQ(SECSuccess, 1408 SSL_SetServerEchConfigs(server_->ssl_fd(), pub.get(), priv.get(), 1409 echconfig.data(), echconfig.len())); 1410 // Process the hello retry. 1411 server_->ExpectSendAlert(kTlsAlertBadRecordMac); 1412 client_->ExpectSendAlert(kTlsAlertBadRecordMac); 1413 Handshake(); 1414 client_->CheckErrorCode(SSL_ERROR_BAD_MAC_READ); 1415 server_->CheckErrorCode(SSL_ERROR_BAD_MAC_READ); 1416 EXPECT_EQ(1U, cb_called); 1417 } 1418 1419 // Generate an HRR on CHInner. Mangle the Hrr Xtn causing client to reject ECH 1420 // which then causes a MAC mismatch. 1421 TEST_F(TlsConnectStreamTls13Ech, EchRejectMangledHrrXtn) { 1422 ScopedSECKEYPublicKey pub; 1423 ScopedSECKEYPrivateKey priv; 1424 DataBuffer echconfig; 1425 ConfigureSelfEncrypt(); 1426 EnsureTlsSetup(); 1427 TlsConnectTestBase::GenerateEchConfig(HpkeDhKemX25519Sha256, kDefaultSuites, 1428 kPublicName, 100, echconfig, pub, priv); 1429 ASSERT_EQ(SECSuccess, 1430 SSL_SetServerEchConfigs(server_->ssl_fd(), pub.get(), priv.get(), 1431 echconfig.data(), echconfig.len())); 1432 ASSERT_EQ(SECSuccess, 1433 SSL_SetClientEchConfigs(client_->ssl_fd(), echconfig.data(), 1434 echconfig.len())); 1435 1436 size_t cb_called = 0; 1437 EXPECT_EQ(SECSuccess, SSL_HelloRetryRequestCallback( 1438 server_->ssl_fd(), RetryEchHello, &cb_called)); 1439 auto server_hrr_ech_xtn = MakeTlsFilter<TlsExtensionDamager>( 1440 server_, ssl_tls13_encrypted_client_hello_xtn, 4); 1441 // Start the handshake. 1442 client_->StartConnect(); 1443 server_->StartConnect(); 1444 client_->Handshake(); 1445 server_->Handshake(); 1446 MakeNewServer(); 1447 ASSERT_EQ(SECSuccess, 1448 SSL_SetServerEchConfigs(server_->ssl_fd(), pub.get(), priv.get(), 1449 echconfig.data(), echconfig.len())); 1450 client_->ExpectEch(false); 1451 server_->ExpectEch(false); 1452 server_->ExpectSendAlert(kTlsAlertBadRecordMac); 1453 client_->ExpectSendAlert(kTlsAlertBadRecordMac); 1454 Handshake(); 1455 client_->CheckErrorCode(SSL_ERROR_BAD_MAC_READ); 1456 server_->CheckErrorCode(SSL_ERROR_BAD_MAC_READ); 1457 EXPECT_EQ(1U, cb_called); 1458 } 1459 1460 // First capture an ECH CH Xtn. 1461 // Start new connection, inject ECH CH Xtn. 1462 // Server will respond with ECH HRR Xtn. 1463 // Check Client correctly panics. 1464 TEST_F(TlsConnectStreamTls13Ech, EchClientRejectSpuriousHrrXtn) { 1465 ScopedSECKEYPublicKey pub; 1466 ScopedSECKEYPrivateKey priv; 1467 DataBuffer echconfig; 1468 ConfigureSelfEncrypt(); 1469 EnsureTlsSetup(); 1470 TlsConnectTestBase::GenerateEchConfig(HpkeDhKemX25519Sha256, kDefaultSuites, 1471 kPublicName, 100, echconfig, pub, priv); 1472 ASSERT_EQ(SECSuccess, 1473 SSL_SetServerEchConfigs(server_->ssl_fd(), pub.get(), priv.get(), 1474 echconfig.data(), echconfig.len())); 1475 EXPECT_EQ(SECSuccess, SSL_EnableTls13GreaseEch(client_->ssl_fd(), PR_TRUE)); 1476 client_->ExpectEch(false); 1477 server_->ExpectEch(false); 1478 auto client_ech_xtn_capture = MakeTlsFilter<TlsExtensionCapture>( 1479 client_, ssl_tls13_encrypted_client_hello_xtn); 1480 Connect(); 1481 ASSERT_TRUE(client_ech_xtn_capture->captured()); 1482 1483 // Now configure client without ECH. Server with ECH. 1484 Reset(); 1485 EnsureTlsSetup(); 1486 EXPECT_EQ(SECSuccess, SSL_EnableTls13GreaseEch(client_->ssl_fd(), PR_FALSE)); 1487 ASSERT_EQ(SECSuccess, 1488 SSL_SetServerEchConfigs(server_->ssl_fd(), pub.get(), priv.get(), 1489 echconfig.data(), echconfig.len())); 1490 client_->ExpectEch(false); 1491 server_->ExpectEch(false); 1492 size_t cb_called = 0; 1493 EXPECT_EQ(SECSuccess, SSL_HelloRetryRequestCallback( 1494 server_->ssl_fd(), RetryEchHello, &cb_called)); 1495 1496 // Inject CH ECH Xtn into CH. 1497 DataBuffer buff = DataBuffer(client_ech_xtn_capture->extension()); 1498 auto client_ech_xtn = MakeTlsFilter<TlsExtensionAppender>( 1499 client_, kTlsHandshakeClientHello, ssl_tls13_encrypted_client_hello_xtn, 1500 buff); 1501 1502 // Connect and check we see the HRR extension and alert. 1503 auto server_hrr_ech_xtn = MakeTlsFilter<TlsExtensionCapture>( 1504 server_, ssl_tls13_encrypted_client_hello_xtn); 1505 server_hrr_ech_xtn->SetHandshakeTypes({kTlsHandshakeHelloRetryRequest}); 1506 1507 ConnectExpectAlert(client_, kTlsAlertUnsupportedExtension); 1508 1509 client_->CheckErrorCode(SSL_ERROR_RX_UNEXPECTED_EXTENSION); 1510 server_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_EXTENSION_ALERT); 1511 ASSERT_TRUE(server_hrr_ech_xtn->captured()); 1512 } 1513 1514 // Fail to decrypt CH2. Unlike CH1, this generates an alert. 1515 TEST_F(TlsConnectStreamTls13, EchFailDecryptCH2) { 1516 EnsureTlsSetup(); 1517 SetupEch(client_, server_); 1518 size_t cb_called = 0; 1519 EXPECT_EQ(SECSuccess, SSL_HelloRetryRequestCallback( 1520 server_->ssl_fd(), RetryEchHello, &cb_called)); 1521 1522 client_->StartConnect(); 1523 server_->StartConnect(); 1524 client_->Handshake(); 1525 server_->Handshake(); 1526 EXPECT_EQ(1U, cb_called); 1527 // Stop the callback from being called in future handshakes. 1528 EXPECT_EQ(SECSuccess, 1529 SSL_HelloRetryRequestCallback(server_->ssl_fd(), nullptr, nullptr)); 1530 1531 MakeTlsFilter<TlsExtensionDamager>(client_, 1532 ssl_tls13_encrypted_client_hello_xtn, 80); 1533 ExpectAlert(server_, kTlsAlertDecryptError); 1534 Handshake(); 1535 client_->CheckErrorCode(SSL_ERROR_DECRYPT_ERROR_ALERT); 1536 server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_ECH_EXTENSION); 1537 } 1538 1539 // Change the ECH advertisement between CH1 and CH2. Use GREASE for simplicity. 1540 TEST_F(TlsConnectStreamTls13, EchHrrChangeCh2OfferingYN) { 1541 ConfigureSelfEncrypt(); 1542 EnsureTlsSetup(); 1543 size_t cb_called = 0; 1544 EXPECT_EQ(SECSuccess, SSL_HelloRetryRequestCallback( 1545 server_->ssl_fd(), RetryEchHello, &cb_called)); 1546 1547 // Start the handshake, send GREASE ECH. 1548 EXPECT_EQ(SECSuccess, SSL_EnableTls13GreaseEch(client_->ssl_fd(), 1549 PR_TRUE)); // GREASE 1550 client_->StartConnect(); 1551 server_->StartConnect(); 1552 client_->Handshake(); 1553 server_->Handshake(); 1554 MakeNewServer(); 1555 EXPECT_EQ(SECSuccess, SSL_EnableTls13GreaseEch(client_->ssl_fd(), 1556 PR_FALSE)); // Don't GREASE 1557 ExpectAlert(server_, kTlsAlertMissingExtension); 1558 Handshake(); 1559 client_->CheckErrorCode(SSL_ERROR_MISSING_EXTENSION_ALERT); 1560 server_->CheckErrorCode(SSL_ERROR_BAD_2ND_CLIENT_HELLO); 1561 EXPECT_EQ(1U, cb_called); 1562 } 1563 1564 TEST_F(TlsConnectStreamTls13, EchHrrChangeCh2OfferingNY) { 1565 ConfigureSelfEncrypt(); 1566 EnsureTlsSetup(); 1567 SetupEch(client_, server_); 1568 size_t cb_called = 0; 1569 EXPECT_EQ(SECSuccess, SSL_HelloRetryRequestCallback( 1570 server_->ssl_fd(), RetryEchHello, &cb_called)); 1571 1572 MakeTlsFilter<TlsExtensionDropper>(client_, 1573 ssl_tls13_encrypted_client_hello_xtn); 1574 // Start the handshake. 1575 client_->StartConnect(); 1576 server_->StartConnect(); 1577 client_->Handshake(); 1578 server_->Handshake(); 1579 MakeNewServer(); 1580 client_->ClearFilter(); // Let the second ECH offering through. 1581 ExpectAlert(server_, kTlsAlertIllegalParameter); 1582 Handshake(); 1583 client_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT); 1584 server_->CheckErrorCode(SSL_ERROR_BAD_2ND_CLIENT_HELLO); 1585 EXPECT_EQ(1U, cb_called); 1586 } 1587 1588 // Change the ECHCipherSuite between CH1 and CH2. Expect alert. 1589 TEST_F(TlsConnectStreamTls13, EchHrrChangeCipherSuite) { 1590 ConfigureSelfEncrypt(); 1591 EnsureTlsSetup(); 1592 SetupEch(client_, server_); 1593 1594 size_t cb_called = 0; 1595 EXPECT_EQ(SECSuccess, SSL_HelloRetryRequestCallback( 1596 server_->ssl_fd(), RetryEchHello, &cb_called)); 1597 // Start the handshake and trigger HRR. 1598 client_->StartConnect(); 1599 server_->StartConnect(); 1600 client_->Handshake(); 1601 server_->Handshake(); 1602 MakeNewServer(); 1603 1604 // Damage the first byte of the ciphersuite (offset 1) 1605 MakeTlsFilter<TlsExtensionDamager>(client_, 1606 ssl_tls13_encrypted_client_hello_xtn, 1); 1607 1608 ExpectAlert(server_, kTlsAlertIllegalParameter); 1609 Handshake(); 1610 client_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT); 1611 server_->CheckErrorCode(SSL_ERROR_BAD_2ND_CLIENT_HELLO); 1612 EXPECT_EQ(1U, cb_called); 1613 } 1614 1615 // Configure an external PSK. Generate an HRR off CH1Inner (which contains 1616 // the PSK extension). Use the same PSK in CH2 and connect. 1617 TEST_F(TlsConnectStreamTls13, EchAcceptWithHrrAndPsk) { 1618 ScopedSECKEYPublicKey pub; 1619 ScopedSECKEYPrivateKey priv; 1620 DataBuffer echconfig; 1621 ConfigureSelfEncrypt(); 1622 EnsureTlsSetup(); 1623 1624 TlsConnectTestBase::GenerateEchConfig(HpkeDhKemX25519Sha256, kDefaultSuites, 1625 kPublicName, 100, echconfig, pub, priv); 1626 ASSERT_EQ(SECSuccess, 1627 SSL_SetServerEchConfigs(server_->ssl_fd(), pub.get(), priv.get(), 1628 echconfig.data(), echconfig.len())); 1629 ASSERT_EQ(SECSuccess, 1630 SSL_SetClientEchConfigs(client_->ssl_fd(), echconfig.data(), 1631 echconfig.len())); 1632 client_->ExpectEch(); 1633 server_->ExpectEch(); 1634 1635 size_t cb_called = 0; 1636 EXPECT_EQ(SECSuccess, SSL_HelloRetryRequestCallback( 1637 server_->ssl_fd(), RetryEchHello, &cb_called)); 1638 1639 static const uint8_t key_buf[16] = {0}; 1640 SECItem key_item = {siBuffer, const_cast<uint8_t*>(&key_buf[0]), 1641 sizeof(key_buf)}; 1642 const char* label = "foo"; 1643 ScopedPK11SlotInfo slot(PK11_GetInternalSlot()); 1644 ASSERT_TRUE(!!slot); 1645 ScopedPK11SymKey key(PK11_ImportSymKey(slot.get(), CKM_HKDF_KEY_GEN, 1646 PK11_OriginUnwrap, CKA_DERIVE, 1647 &key_item, nullptr)); 1648 ASSERT_TRUE(!!key); 1649 AddPsk(key, std::string(label), ssl_hash_sha256); 1650 1651 // Start the handshake. 1652 client_->StartConnect(); 1653 server_->StartConnect(); 1654 client_->Handshake(); 1655 server_->Handshake(); 1656 MakeNewServer(); 1657 ASSERT_EQ(SECSuccess, 1658 SSL_SetServerEchConfigs(server_->ssl_fd(), pub.get(), priv.get(), 1659 echconfig.data(), echconfig.len())); 1660 client_->ExpectEch(); 1661 server_->ExpectEch(); 1662 EXPECT_EQ(SECSuccess, 1663 SSL_AddExternalPsk0Rtt(server_->ssl_fd(), key.get(), 1664 reinterpret_cast<const uint8_t*>(label), 1665 strlen(label), ssl_hash_sha256, 0, 1000)); 1666 server_->ExpectPsk(); 1667 Handshake(); 1668 EXPECT_EQ(1U, cb_called); 1669 CheckConnected(); 1670 SendReceive(); 1671 } 1672 1673 // Generate an HRR on CHOuter. Reject ECH on the second CH. 1674 TEST_F(TlsConnectStreamTls13Ech, EchRejectWithHrr) { 1675 ScopedSECKEYPublicKey pub; 1676 ScopedSECKEYPrivateKey priv; 1677 DataBuffer echconfig; 1678 ConfigureSelfEncrypt(); 1679 EnsureTlsSetup(); 1680 SetupForEchRetry(); 1681 1682 size_t cb_called = 0; 1683 EXPECT_EQ(SECSuccess, SSL_HelloRetryRequestCallback( 1684 server_->ssl_fd(), RetryEchHello, &cb_called)); 1685 EXPECT_EQ(SECSuccess, SSL_EnableTls13GreaseEch(server_->ssl_fd(), PR_TRUE)); 1686 auto server_hrr_ech_xtn = MakeTlsFilter<TlsExtensionCapture>( 1687 server_, ssl_tls13_encrypted_client_hello_xtn); 1688 // Start the handshake. 1689 client_->StartConnect(); 1690 server_->StartConnect(); 1691 client_->Handshake(); 1692 server_->Handshake(); 1693 MakeNewServer(); 1694 EXPECT_EQ(SECSuccess, SSL_EnableTls13GreaseEch(server_->ssl_fd(), PR_TRUE)); 1695 client_->ExpectEch(false); 1696 server_->ExpectEch(false); 1697 ExpectAlert(client_, kTlsAlertEchRequired); 1698 Handshake(); 1699 ASSERT_TRUE(server_hrr_ech_xtn->captured()); 1700 client_->CheckErrorCode(SSL_ERROR_ECH_RETRY_WITHOUT_ECH); 1701 server_->ExpectReceiveAlert(kTlsAlertEchRequired, kTlsAlertFatal); 1702 server_->Handshake(); 1703 EXPECT_EQ(1U, cb_called); 1704 } 1705 1706 // Server can't change its mind on ECH after HRR. We change the confirmation 1707 // value and the server panics accordingly. 1708 TEST_F(TlsConnectStreamTls13Ech, EchHrrServerYN) { 1709 ScopedSECKEYPublicKey pub; 1710 ScopedSECKEYPrivateKey priv; 1711 DataBuffer echconfig; 1712 ConfigureSelfEncrypt(); 1713 EnsureTlsSetup(); 1714 TlsConnectTestBase::GenerateEchConfig(HpkeDhKemX25519Sha256, kDefaultSuites, 1715 kPublicName, 100, echconfig, pub, priv); 1716 ASSERT_EQ(SECSuccess, 1717 SSL_SetServerEchConfigs(server_->ssl_fd(), pub.get(), priv.get(), 1718 echconfig.data(), echconfig.len())); 1719 ASSERT_EQ(SECSuccess, 1720 SSL_SetClientEchConfigs(client_->ssl_fd(), echconfig.data(), 1721 echconfig.len())); 1722 client_->ExpectEch(); 1723 server_->ExpectEch(); 1724 1725 size_t cb_called = 0; 1726 EXPECT_EQ(SECSuccess, SSL_HelloRetryRequestCallback( 1727 server_->ssl_fd(), RetryEchHello, &cb_called)); 1728 1729 auto server_hrr_ech_xtn = MakeTlsFilter<TlsExtensionCapture>( 1730 server_, ssl_tls13_encrypted_client_hello_xtn); 1731 // Start the handshake. 1732 client_->StartConnect(); 1733 server_->StartConnect(); 1734 client_->Handshake(); 1735 server_->Handshake(); 1736 MakeNewServer(); 1737 ASSERT_EQ(SECSuccess, 1738 SSL_SetServerEchConfigs(server_->ssl_fd(), pub.get(), priv.get(), 1739 echconfig.data(), echconfig.len())); 1740 client_->ExpectEch(); 1741 server_->ExpectEch(); 1742 client_->ExpectSendAlert(kTlsAlertIllegalParameter); 1743 server_->ExpectSendAlert(kTlsAlertUnexpectedMessage); 1744 auto server_random_damager = MakeTlsFilter<ServerHelloRandomChanger>(server_); 1745 Handshake(); 1746 client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_SERVER_HELLO); 1747 ASSERT_TRUE(server_hrr_ech_xtn->captured()); 1748 EXPECT_EQ(1U, cb_called); 1749 } 1750 1751 // Client sends GREASE'd ECH Xtn, server reponds with HRR in GREASE mode 1752 // Check HRR responses are present and differ. 1753 TEST_F(TlsConnectStreamTls13Ech, EchHrrServerGreaseChanges) { 1754 ScopedSECKEYPublicKey pub; 1755 ScopedSECKEYPrivateKey priv; 1756 DataBuffer echconfig; 1757 ConfigureSelfEncrypt(); 1758 EnsureTlsSetup(); 1759 EXPECT_EQ(SECSuccess, SSL_EnableTls13GreaseEch(client_->ssl_fd(), PR_TRUE)); 1760 EXPECT_EQ(SECSuccess, SSL_EnableTls13GreaseEch(server_->ssl_fd(), PR_TRUE)); 1761 size_t cb_called = 0; 1762 EXPECT_EQ(SECSuccess, SSL_HelloRetryRequestCallback( 1763 server_->ssl_fd(), RetryEchHello, &cb_called)); 1764 1765 auto server_hrr_ech_xtn_1 = MakeTlsFilter<TlsExtensionCapture>( 1766 server_, ssl_tls13_encrypted_client_hello_xtn); 1767 // Start the handshake. 1768 client_->StartConnect(); 1769 server_->StartConnect(); 1770 client_->Handshake(); 1771 server_->Handshake(); 1772 ASSERT_TRUE(server_hrr_ech_xtn_1->captured()); 1773 EXPECT_EQ(1U, cb_called); 1774 1775 /* Run the connection again */ 1776 Reset(); 1777 EnsureTlsSetup(); 1778 EXPECT_EQ(SECSuccess, SSL_EnableTls13GreaseEch(server_->ssl_fd(), PR_TRUE)); 1779 EXPECT_EQ(SECSuccess, SSL_EnableTls13GreaseEch(client_->ssl_fd(), PR_TRUE)); 1780 cb_called = 0; 1781 EXPECT_EQ(SECSuccess, SSL_HelloRetryRequestCallback( 1782 server_->ssl_fd(), RetryEchHello, &cb_called)); 1783 1784 auto server_hrr_ech_xtn_2 = MakeTlsFilter<TlsExtensionCapture>( 1785 server_, ssl_tls13_encrypted_client_hello_xtn); 1786 // Start the handshake. 1787 client_->StartConnect(); 1788 server_->StartConnect(); 1789 client_->Handshake(); 1790 server_->Handshake(); 1791 ASSERT_TRUE(server_hrr_ech_xtn_2->captured()); 1792 EXPECT_EQ(1U, cb_called); 1793 1794 ASSERT_TRUE(server_hrr_ech_xtn_1->extension().len() == 1795 server_hrr_ech_xtn_2->extension().len()); 1796 ASSERT_TRUE(memcmp(server_hrr_ech_xtn_1->extension().data(), 1797 server_hrr_ech_xtn_2->extension().data(), 1798 server_hrr_ech_xtn_1->extension().len())); 1799 } 1800 1801 // Reject ECH on CH1 and CH2. PSKs are no longer allowed 1802 // in CHOuter, but we can still make sure the handshake succeeds. 1803 // This prompts an ech_required alert when the handshake completes. 1804 TEST_F(TlsConnectStreamTls13, EchRejectWithHrrAndPsk) { 1805 ScopedSECKEYPublicKey pub; 1806 ScopedSECKEYPrivateKey priv; 1807 DataBuffer echconfig; 1808 ConfigureSelfEncrypt(); 1809 EnsureTlsSetup(); 1810 TlsConnectTestBase::GenerateEchConfig(HpkeDhKemX25519Sha256, kDefaultSuites, 1811 kPublicName, 100, echconfig, pub, priv); 1812 ASSERT_EQ(SECSuccess, 1813 SSL_SetClientEchConfigs(client_->ssl_fd(), echconfig.data(), 1814 echconfig.len())); 1815 1816 size_t cb_called = 0; 1817 EXPECT_EQ(SECSuccess, SSL_HelloRetryRequestCallback( 1818 server_->ssl_fd(), RetryEchHello, &cb_called)); 1819 1820 // Add a PSK to both endpoints. 1821 static const uint8_t key_buf[16] = {0}; 1822 SECItem key_item = {siBuffer, const_cast<uint8_t*>(&key_buf[0]), 1823 sizeof(key_buf)}; 1824 const char* label = "foo"; 1825 ScopedPK11SlotInfo slot(PK11_GetInternalSlot()); 1826 ASSERT_TRUE(!!slot); 1827 ScopedPK11SymKey key(PK11_ImportSymKey(slot.get(), CKM_HKDF_KEY_GEN, 1828 PK11_OriginUnwrap, CKA_DERIVE, 1829 &key_item, nullptr)); 1830 ASSERT_TRUE(!!key); 1831 AddPsk(key, std::string(label), ssl_hash_sha256); 1832 client_->ExpectPsk(ssl_psk_none); 1833 1834 // Start the handshake. 1835 client_->StartConnect(); 1836 server_->StartConnect(); 1837 client_->Handshake(); 1838 server_->Handshake(); 1839 MakeNewServer(); 1840 client_->ExpectEch(false); 1841 server_->ExpectEch(false); 1842 EXPECT_EQ(SECSuccess, 1843 SSL_AddExternalPsk0Rtt(server_->ssl_fd(), key.get(), 1844 reinterpret_cast<const uint8_t*>(label), 1845 strlen(label), ssl_hash_sha256, 0, 1000)); 1846 // Don't call ExpectPsk 1847 ExpectAlert(client_, kTlsAlertEchRequired); 1848 Handshake(); 1849 client_->CheckErrorCode(SSL_ERROR_ECH_RETRY_WITHOUT_ECH); 1850 server_->ExpectReceiveAlert(kTlsAlertEchRequired, kTlsAlertFatal); 1851 server_->Handshake(); 1852 EXPECT_EQ(1U, cb_called); 1853 } 1854 1855 // ECH (both connections), resumption rejected. 1856 TEST_F(TlsConnectStreamTls13, EchRejectResume) { 1857 EnsureTlsSetup(); 1858 ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); 1859 SetupEch(client_, server_); 1860 Connect(); 1861 SendReceive(); 1862 1863 Reset(); 1864 ClearServerCache(); // Invalidate the ticket 1865 ConfigureSessionCache(RESUME_BOTH, RESUME_NONE); 1866 ExpectResumption(RESUME_NONE); 1867 SetupEch(client_, server_); 1868 Connect(); 1869 SendReceive(); 1870 } 1871 1872 // ECH (both connections) + 0-RTT 1873 TEST_F(TlsConnectStreamTls13, EchZeroRttBoth) { 1874 EnsureTlsSetup(); 1875 SetupEch(client_, server_); 1876 SetupForZeroRtt(); 1877 client_->Set0RttEnabled(true); 1878 server_->Set0RttEnabled(true); 1879 SetupEch(client_, server_); 1880 ExpectResumption(RESUME_TICKET); 1881 ZeroRttSendReceive(true, true); 1882 Handshake(); 1883 ExpectEarlyDataAccepted(true); 1884 CheckConnected(); 1885 SendReceive(); 1886 } 1887 1888 // ECH (first connection only) + 0-RTT 1889 TEST_F(TlsConnectStreamTls13, EchZeroRttFirst) { 1890 EnsureTlsSetup(); 1891 SetupEch(client_, server_); 1892 SetupForZeroRtt(); 1893 client_->Set0RttEnabled(true); 1894 server_->Set0RttEnabled(true); 1895 ExpectResumption(RESUME_TICKET); 1896 ZeroRttSendReceive(true, true); 1897 Handshake(); 1898 ExpectEarlyDataAccepted(true); 1899 CheckConnected(); 1900 SendReceive(); 1901 } 1902 1903 // ECH (second connection only) + 0-RTT 1904 TEST_F(TlsConnectStreamTls13, EchZeroRttSecond) { 1905 EnsureTlsSetup(); 1906 SetupForZeroRtt(); // Get a ticket 1907 client_->Set0RttEnabled(true); 1908 server_->Set0RttEnabled(true); 1909 SetupEch(client_, server_); 1910 ExpectResumption(RESUME_TICKET); 1911 ZeroRttSendReceive(true, true); 1912 Handshake(); 1913 ExpectEarlyDataAccepted(true); 1914 CheckConnected(); 1915 SendReceive(); 1916 } 1917 1918 // ECH (first connection only, reject on second) + 0-RTT 1919 TEST_F(TlsConnectStreamTls13, EchZeroRttRejectSecond) { 1920 EnsureTlsSetup(); 1921 SetupEch(client_, server_); 1922 SetupForZeroRtt(); 1923 client_->Set0RttEnabled(true); 1924 server_->Set0RttEnabled(true); 1925 1926 // Setup ECH only on the client. 1927 SetupEch(client_, server_, HpkeDhKemX25519Sha256, false, true, false); 1928 1929 ExpectResumption(RESUME_NONE); 1930 ExpectAlert(client_, kTlsAlertEchRequired); 1931 ZeroRttSendReceive(true, false); 1932 server_->Handshake(); 1933 client_->Handshake(); 1934 client_->CheckErrorCode(SSL_ERROR_ECH_RETRY_WITHOUT_ECH); 1935 1936 ExpectEarlyDataAccepted(false); 1937 server_->ExpectReceiveAlert(kTlsAlertEchRequired, kTlsAlertFatal); 1938 server_->Handshake(); 1939 // Reset expectations for the TlsAgent dtor. 1940 server_->ExpectReceiveAlert(kTlsAlertCloseNotify, kTlsAlertWarning); 1941 } 1942 1943 // Test a critical extension in ECHConfig 1944 TEST_F(TlsConnectStreamTls13, EchRejectUnknownCriticalExtension) { 1945 EnsureTlsSetup(); 1946 ScopedSECKEYPublicKey pub; 1947 ScopedSECKEYPrivateKey priv; 1948 DataBuffer echconfig; 1949 DataBuffer crit_rec; 1950 DataBuffer len_buf; 1951 uint64_t tmp; 1952 1953 static const uint8_t crit_extensions[] = {0x00, 0x04, 0xff, 0xff, 0x00, 0x00}; 1954 static const uint8_t extensions[] = {0x00, 0x04, 0x7f, 0xff, 0x00, 0x00}; 1955 DataBuffer crit_exts(crit_extensions, sizeof(crit_extensions)); 1956 DataBuffer non_crit_exts(extensions, sizeof(extensions)); 1957 1958 TlsConnectTestBase::GenerateEchConfig(HpkeDhKemX25519Sha256, kSuiteChaCha, 1959 kPublicName, 100, echconfig, pub, priv); 1960 echconfig.Truncate(echconfig.len() - 2); // Eat the empty extensions. 1961 crit_rec.Assign(echconfig); 1962 ASSERT_TRUE(crit_rec.Read(0, 2, &tmp)); 1963 len_buf.Write(0, tmp + crit_exts.len() - 2, 2); // two bytes of length 1964 crit_rec.Splice(len_buf, 0, 2); 1965 len_buf.Truncate(0); 1966 1967 ASSERT_TRUE(crit_rec.Read(4, 2, &tmp)); 1968 len_buf.Write(0, tmp + crit_exts.len() - 2, 2); // two bytes of length 1969 crit_rec.Append(crit_exts); 1970 crit_rec.Splice(len_buf, 4, 2); 1971 len_buf.Truncate(0); 1972 1973 ASSERT_TRUE(echconfig.Read(0, 2, &tmp)); 1974 len_buf.Write(0, tmp + non_crit_exts.len() - 2, 2); 1975 echconfig.Append(non_crit_exts); 1976 echconfig.Splice(len_buf, 0, 2); 1977 ASSERT_TRUE(echconfig.Read(4, 2, &tmp)); 1978 len_buf.Write(0, tmp + non_crit_exts.len() - 2, 2); 1979 echconfig.Splice(len_buf, 4, 2); 1980 1981 /* Expect that retry configs containing unsupported mandatory extensions can 1982 * not be set and lead to SEC_ERROR_INVALID_ARGS. */ 1983 EXPECT_EQ(SECFailure, 1984 SSL_SetClientEchConfigs(client_->ssl_fd(), crit_rec.data(), 1985 crit_rec.len())); 1986 EXPECT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError()); 1987 EXPECT_EQ(SECSuccess, SSL_EnableTls13GreaseEch(client_->ssl_fd(), 1988 PR_FALSE)); // Don't GREASE 1989 auto filter = MakeTlsFilter<TlsExtensionCapture>( 1990 client_, ssl_tls13_encrypted_client_hello_xtn); 1991 StartConnect(); 1992 client_->Handshake(); 1993 ASSERT_EQ(TlsAgent::STATE_CONNECTING, client_->state()); 1994 ASSERT_FALSE(filter->captured()); 1995 1996 // Now try a variant with non-critical extensions, it should work. 1997 Reset(); 1998 EnsureTlsSetup(); 1999 EXPECT_EQ(SECSuccess, 2000 SSL_SetClientEchConfigs(client_->ssl_fd(), echconfig.data(), 2001 echconfig.len())); 2002 filter = MakeTlsFilter<TlsExtensionCapture>( 2003 client_, ssl_tls13_encrypted_client_hello_xtn); 2004 StartConnect(); 2005 client_->Handshake(); 2006 ASSERT_EQ(TlsAgent::STATE_CONNECTING, client_->state()); 2007 ASSERT_TRUE(filter->captured()); 2008 } 2009 2010 // Secure disable without ECH 2011 TEST_F(TlsConnectStreamTls13, EchRejectAuthCertSuccessNoRetries) { 2012 EnsureTlsSetup(); 2013 SetupEch(client_, server_, HpkeDhKemX25519Sha256, false, true, false); 2014 ExpectAlert(client_, kTlsAlertEchRequired); 2015 ConnectExpectFailOneSide(TlsAgent::CLIENT); 2016 client_->CheckErrorCode(SSL_ERROR_ECH_RETRY_WITHOUT_ECH); 2017 server_->ExpectReceiveAlert(kTlsAlertEchRequired, kTlsAlertFatal); 2018 server_->Handshake(); 2019 // Reset expectations for the TlsAgent dtor. 2020 server_->ExpectReceiveAlert(kTlsAlertCloseNotify, kTlsAlertWarning); 2021 } 2022 2023 // When authenticating to the public name, the client MUST NOT 2024 // send a certificate in response to a certificate request. 2025 TEST_F(TlsConnectStreamTls13, EchRejectSuppressClientCert) { 2026 EnsureTlsSetup(); 2027 SetupEch(client_, server_, HpkeDhKemX25519Sha256, false, true, false); 2028 client_->SetupClientAuth(); 2029 server_->RequestClientAuth(true); 2030 auto cert_capture = 2031 MakeTlsFilter<TlsHandshakeRecorder>(client_, kTlsHandshakeCertificate); 2032 cert_capture->EnableDecryption(); 2033 2034 StartConnect(); 2035 client_->ExpectSendAlert(kTlsAlertEchRequired); 2036 server_->ExpectSendAlert(kTlsAlertCertificateRequired); 2037 ConnectExpectFail(); 2038 2039 static const uint8_t empty_cert[4] = {0}; 2040 EXPECT_EQ(DataBuffer(empty_cert, sizeof(empty_cert)), cert_capture->buffer()); 2041 } 2042 2043 // Secure disable with incompatible ECHConfig 2044 TEST_F(TlsConnectStreamTls13, EchRejectAuthCertSuccessIncompatibleRetries) { 2045 EnsureTlsSetup(); 2046 ScopedSECKEYPublicKey server_pub; 2047 ScopedSECKEYPrivateKey server_priv; 2048 ScopedSECKEYPublicKey client_pub; 2049 ScopedSECKEYPrivateKey client_priv; 2050 DataBuffer server_rec; 2051 DataBuffer client_rec; 2052 2053 TlsConnectTestBase::GenerateEchConfig(HpkeDhKemX25519Sha256, kSuiteChaCha, 2054 kPublicName, 100, server_rec, 2055 server_pub, server_priv); 2056 ASSERT_EQ(SECSuccess, 2057 SSL_SetServerEchConfigs(server_->ssl_fd(), server_pub.get(), 2058 server_priv.get(), server_rec.data(), 2059 server_rec.len())); 2060 2061 TlsConnectTestBase::GenerateEchConfig(HpkeDhKemX25519Sha256, kSuiteAes, 2062 kPublicName, 100, client_rec, 2063 client_pub, client_priv); 2064 ASSERT_EQ(SECSuccess, 2065 SSL_SetClientEchConfigs(client_->ssl_fd(), client_rec.data(), 2066 client_rec.len())); 2067 2068 // Change the first ECHConfig version to one we don't understand. 2069 server_rec.Write(2, 0xfefe, 2); 2070 // Skip the ECHConfigs length, the server sender will re-encode. 2071 ASSERT_EQ(SECSuccess, SSLInt_SetRawEchConfigForRetry(server_->ssl_fd(), 2072 &server_rec.data()[2], 2073 server_rec.len() - 2)); 2074 2075 ExpectAlert(client_, kTlsAlertEchRequired); 2076 ConnectExpectFailOneSide(TlsAgent::CLIENT); 2077 client_->CheckErrorCode(SSL_ERROR_ECH_RETRY_WITHOUT_ECH); 2078 server_->ExpectReceiveAlert(kTlsAlertEchRequired, kTlsAlertFatal); 2079 server_->Handshake(); 2080 // Reset expectations for the TlsAgent dtor. 2081 server_->ExpectReceiveAlert(kTlsAlertCloseNotify, kTlsAlertWarning); 2082 } 2083 2084 // Check that an otherwise-accepted ECH fails expectedly 2085 // with a bad certificate. 2086 TEST_F(TlsConnectStreamTls13, EchRejectAuthCertFail) { 2087 EnsureTlsSetup(); 2088 SetupEch(client_, server_); 2089 client_->SetAuthCertificateCallback(AuthCompleteFail); 2090 ConnectExpectAlert(client_, kTlsAlertBadCertificate); 2091 client_->CheckErrorCode(SSL_ERROR_BAD_CERTIFICATE); 2092 server_->CheckErrorCode(SSL_ERROR_BAD_CERT_ALERT); 2093 EXPECT_EQ(TlsAgent::STATE_ERROR, client_->state()); 2094 } 2095 2096 TEST_F(TlsConnectStreamTls13Ech, EchShortClientEncryptedCH) { 2097 EnsureTlsSetup(); 2098 SetupForEchRetry(); 2099 auto filter = MakeTlsFilter<TlsExtensionResizer>( 2100 client_, ssl_tls13_encrypted_client_hello_xtn, 1); 2101 ConnectExpectAlert(server_, kTlsAlertDecodeError); 2102 client_->CheckErrorCode(SSL_ERROR_DECODE_ERROR_ALERT); 2103 server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_ECH_EXTENSION); 2104 } 2105 2106 TEST_F(TlsConnectStreamTls13Ech, EchLongClientEncryptedCH) { 2107 EnsureTlsSetup(); 2108 SetupForEchRetry(); 2109 auto filter = MakeTlsFilter<TlsExtensionResizer>( 2110 client_, ssl_tls13_encrypted_client_hello_xtn, 1000); 2111 ConnectExpectAlert(server_, kTlsAlertDecodeError); 2112 client_->CheckErrorCode(SSL_ERROR_DECODE_ERROR_ALERT); 2113 server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_ECH_EXTENSION); 2114 } 2115 2116 TEST_F(TlsConnectStreamTls13Ech, EchShortServerEncryptedCH) { 2117 EnsureTlsSetup(); 2118 SetupForEchRetry(); 2119 auto filter = MakeTlsFilter<TlsExtensionResizer>( 2120 server_, ssl_tls13_encrypted_client_hello_xtn, 1); 2121 filter->EnableDecryption(); 2122 ConnectExpectAlert(client_, kTlsAlertDecodeError); 2123 client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_ECH_CONFIG); 2124 server_->CheckErrorCode(SSL_ERROR_DECODE_ERROR_ALERT); 2125 } 2126 2127 TEST_F(TlsConnectStreamTls13Ech, EchLongServerEncryptedCH) { 2128 EnsureTlsSetup(); 2129 SetupForEchRetry(); 2130 auto filter = MakeTlsFilter<TlsExtensionResizer>( 2131 server_, ssl_tls13_encrypted_client_hello_xtn, 1000); 2132 filter->EnableDecryption(); 2133 ConnectExpectAlert(client_, kTlsAlertDecodeError); 2134 client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_ECH_CONFIG); 2135 server_->CheckErrorCode(SSL_ERROR_DECODE_ERROR_ALERT); 2136 } 2137 2138 // Check that if authCertificate fails, retry_configs 2139 // are not available to the application. 2140 TEST_F(TlsConnectStreamTls13Ech, EchInsecureFallbackNoRetries) { 2141 EnsureTlsSetup(); 2142 StackSECItem retry_configs; 2143 SetupForEchRetry(); 2144 2145 // Use the filter to make sure retry_configs are sent. 2146 auto filter = MakeTlsFilter<TlsExtensionCapture>( 2147 server_, ssl_tls13_encrypted_client_hello_xtn); 2148 filter->EnableDecryption(); 2149 2150 client_->SetAuthCertificateCallback(AuthCompleteFail); 2151 ConnectExpectAlert(client_, kTlsAlertBadCertificate); 2152 client_->CheckErrorCode(SSL_ERROR_BAD_CERTIFICATE); 2153 server_->CheckErrorCode(SSL_ERROR_BAD_CERT_ALERT); 2154 EXPECT_EQ(TlsAgent::STATE_ERROR, client_->state()); 2155 EXPECT_EQ(SECFailure, 2156 SSL_GetEchRetryConfigs(client_->ssl_fd(), &retry_configs)); 2157 EXPECT_EQ(SSL_ERROR_HANDSHAKE_NOT_COMPLETED, PORT_GetError()); 2158 ASSERT_EQ(0U, retry_configs.len); 2159 EXPECT_TRUE(filter->captured()); 2160 } 2161 2162 // Test that mismatched ECHConfigContents triggers a retry. 2163 TEST_F(TlsConnectStreamTls13Ech, EchMismatchHpkeCiphersRetry) { 2164 EnsureTlsSetup(); 2165 ScopedSECKEYPublicKey server_pub; 2166 ScopedSECKEYPrivateKey server_priv; 2167 ScopedSECKEYPublicKey client_pub; 2168 ScopedSECKEYPrivateKey client_priv; 2169 DataBuffer server_rec; 2170 DataBuffer client_rec; 2171 2172 TlsConnectTestBase::GenerateEchConfig(HpkeDhKemX25519Sha256, kSuiteChaCha, 2173 kPublicName, 100, server_rec, 2174 server_pub, server_priv); 2175 TlsConnectTestBase::GenerateEchConfig(HpkeDhKemX25519Sha256, kSuiteAes, 2176 kPublicName, 100, client_rec, 2177 client_pub, client_priv); 2178 2179 ASSERT_EQ(SECSuccess, 2180 SSL_SetServerEchConfigs(server_->ssl_fd(), server_pub.get(), 2181 server_priv.get(), server_rec.data(), 2182 server_rec.len())); 2183 ASSERT_EQ(SECSuccess, 2184 SSL_SetClientEchConfigs(client_->ssl_fd(), client_rec.data(), 2185 client_rec.len())); 2186 2187 ExpectAlert(client_, kTlsAlertEchRequired); 2188 ConnectExpectFailOneSide(TlsAgent::CLIENT); 2189 client_->CheckErrorCode(SSL_ERROR_ECH_RETRY_WITH_ECH); 2190 server_->ExpectReceiveAlert(kTlsAlertEchRequired, kTlsAlertFatal); 2191 server_->Handshake(); 2192 DoEchRetry(server_pub, server_priv, server_rec); 2193 } 2194 2195 // Test that mismatched ECH server keypair triggers a retry. 2196 TEST_F(TlsConnectStreamTls13Ech, EchMismatchKeysRetry) { 2197 EnsureTlsSetup(); 2198 ScopedSECKEYPublicKey server_pub; 2199 ScopedSECKEYPrivateKey server_priv; 2200 ScopedSECKEYPublicKey client_pub; 2201 ScopedSECKEYPrivateKey client_priv; 2202 DataBuffer server_rec; 2203 DataBuffer client_rec; 2204 TlsConnectTestBase::GenerateEchConfig(HpkeDhKemX25519Sha256, kDefaultSuites, 2205 kPublicName, 100, server_rec, 2206 server_pub, server_priv); 2207 TlsConnectTestBase::GenerateEchConfig(HpkeDhKemX25519Sha256, kDefaultSuites, 2208 kPublicName, 100, client_rec, 2209 client_pub, client_priv); 2210 ASSERT_EQ(SECSuccess, 2211 SSL_SetServerEchConfigs(server_->ssl_fd(), server_pub.get(), 2212 server_priv.get(), server_rec.data(), 2213 server_rec.len())); 2214 ASSERT_EQ(SECSuccess, 2215 SSL_SetClientEchConfigs(client_->ssl_fd(), client_rec.data(), 2216 client_rec.len())); 2217 2218 client_->ExpectSendAlert(kTlsAlertEchRequired); 2219 ConnectExpectFailOneSide(TlsAgent::CLIENT); 2220 client_->CheckErrorCode(SSL_ERROR_ECH_RETRY_WITH_ECH); 2221 server_->ExpectReceiveAlert(kTlsAlertEchRequired, kTlsAlertFatal); 2222 server_->Handshake(); 2223 DoEchRetry(server_pub, server_priv, server_rec); 2224 } 2225 2226 // Check that the client validates any server response to GREASE ECH 2227 TEST_F(TlsConnectStreamTls13, EchValidateGreaseResponse) { 2228 EnsureTlsSetup(); 2229 ScopedSECKEYPublicKey server_pub; 2230 ScopedSECKEYPrivateKey server_priv; 2231 DataBuffer server_rec; 2232 TlsConnectTestBase::GenerateEchConfig(HpkeDhKemX25519Sha256, kDefaultSuites, 2233 kPublicName, 100, server_rec, 2234 server_pub, server_priv); 2235 ASSERT_EQ(SECSuccess, 2236 SSL_SetServerEchConfigs(server_->ssl_fd(), server_pub.get(), 2237 server_priv.get(), server_rec.data(), 2238 server_rec.len())); 2239 2240 // Damage the length and expect an alert. 2241 auto filter = MakeTlsFilter<TlsExtensionDamager>( 2242 server_, ssl_tls13_encrypted_client_hello_xtn, 0); 2243 filter->EnableDecryption(); 2244 EXPECT_EQ(SECSuccess, SSL_EnableTls13GreaseEch(client_->ssl_fd(), 2245 PR_TRUE)); // GREASE 2246 ConnectExpectAlert(client_, kTlsAlertDecodeError); 2247 client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_ECH_CONFIG); 2248 server_->CheckErrorCode(SSL_ERROR_DECODE_ERROR_ALERT); 2249 2250 // If the retry_config contains an unknown version, it should be ignored. 2251 Reset(); 2252 EnsureTlsSetup(); 2253 ASSERT_EQ(SECSuccess, 2254 SSL_SetServerEchConfigs(server_->ssl_fd(), server_pub.get(), 2255 server_priv.get(), server_rec.data(), 2256 server_rec.len())); 2257 server_rec.Write(2, 0xfefe, 2); 2258 // Skip the ECHConfigs length, the server sender will re-encode. 2259 ASSERT_EQ(SECSuccess, SSLInt_SetRawEchConfigForRetry(server_->ssl_fd(), 2260 &server_rec.data()[2], 2261 server_rec.len() - 2)); 2262 EXPECT_EQ(SECSuccess, SSL_EnableTls13GreaseEch(client_->ssl_fd(), 2263 PR_TRUE)); // GREASE 2264 Connect(); 2265 2266 // Lastly, if we DO support the retry_config, GREASE ECH should ignore it. 2267 Reset(); 2268 EnsureTlsSetup(); 2269 server_rec.Write(2, ssl_tls13_encrypted_client_hello_xtn, 2); 2270 ASSERT_EQ(SECSuccess, 2271 SSL_SetServerEchConfigs(server_->ssl_fd(), server_pub.get(), 2272 server_priv.get(), server_rec.data(), 2273 server_rec.len())); 2274 EXPECT_EQ(SECSuccess, SSL_EnableTls13GreaseEch(client_->ssl_fd(), 2275 PR_TRUE)); // GREASE 2276 Connect(); 2277 } 2278 2279 // Test a tampered CHInner (decrypt failure). 2280 // Expect negotiation on outer, which fails due to the tampered transcript. 2281 TEST_F(TlsConnectStreamTls13, EchBadCiphertext) { 2282 EnsureTlsSetup(); 2283 SetupEch(client_, server_); 2284 /* Target the payload: 2285 struct { 2286 ECHCipherSuite suite; // 4B 2287 opaque config_id<0..255>; // 32B 2288 opaque enc<1..2^16-1>; // 32B for X25519 2289 opaque payload<1..2^16-1>; 2290 } ClientEncryptedCH; 2291 */ 2292 MakeTlsFilter<TlsExtensionDamager>(client_, 2293 ssl_tls13_encrypted_client_hello_xtn, 80); 2294 client_->ExpectSendAlert(kTlsAlertBadRecordMac); 2295 server_->ExpectSendAlert(kTlsAlertBadRecordMac); 2296 ConnectExpectFail(); 2297 } 2298 2299 // Test a tampered CHOuter (decrypt failure on AAD). 2300 // Expect negotiation on outer, which fails due to the tampered transcript. 2301 TEST_F(TlsConnectStreamTls13, EchOuterBinding) { 2302 EnsureTlsSetup(); 2303 SetupEch(client_, server_); 2304 client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2, 2305 SSL_LIBRARY_VERSION_TLS_1_3); 2306 2307 static const uint8_t supported_vers_13[] = {0x02, 0x03, 0x04}; 2308 DataBuffer buf(supported_vers_13, sizeof(supported_vers_13)); 2309 MakeTlsFilter<TlsExtensionReplacer>(client_, ssl_tls13_supported_versions_xtn, 2310 buf); 2311 client_->ExpectSendAlert(kTlsAlertBadRecordMac); 2312 server_->ExpectSendAlert(kTlsAlertBadRecordMac); 2313 ConnectExpectFail(); 2314 } 2315 2316 // Altering the CH after the Ech Xtn should also cause a failure. 2317 TEST_F(TlsConnectStreamTls13, EchOuterBindingAfterXtn) { 2318 EnsureTlsSetup(); 2319 SetupEch(client_, server_); 2320 client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2, 2321 SSL_LIBRARY_VERSION_TLS_1_3); 2322 2323 static const uint8_t supported_vers_13[] = {0x02, 0x03, 0x04}; 2324 DataBuffer buf(supported_vers_13, sizeof(supported_vers_13)); 2325 MakeTlsFilter<TlsExtensionAppender>(client_, kTlsHandshakeClientHello, 5044, 2326 buf); 2327 client_->ExpectSendAlert(kTlsAlertBadRecordMac); 2328 server_->ExpectSendAlert(kTlsAlertBadRecordMac); 2329 ConnectExpectFail(); 2330 } 2331 2332 // Test a bad (unknown) ECHCipherSuite. 2333 // Expect negotiation on outer, which fails due to the tampered transcript. 2334 TEST_F(TlsConnectStreamTls13, EchBadCiphersuite) { 2335 EnsureTlsSetup(); 2336 SetupEch(client_, server_); 2337 /* Make KDF unknown */ 2338 MakeTlsFilter<TlsExtensionDamager>(client_, 2339 ssl_tls13_encrypted_client_hello_xtn, 1); 2340 client_->ExpectSendAlert(kTlsAlertBadRecordMac); 2341 server_->ExpectSendAlert(kTlsAlertBadRecordMac); 2342 ConnectExpectFail(); 2343 2344 Reset(); 2345 EnsureTlsSetup(); 2346 SetupEch(client_, server_); 2347 /* Make AEAD unknown */ 2348 MakeTlsFilter<TlsExtensionDamager>(client_, 2349 ssl_tls13_encrypted_client_hello_xtn, 4); 2350 client_->ExpectSendAlert(kTlsAlertBadRecordMac); 2351 server_->ExpectSendAlert(kTlsAlertBadRecordMac); 2352 ConnectExpectFail(); 2353 } 2354 2355 /* ECH (configured) client connects to a 1.2 server, this MUST lead to an 2356 * 'ech_required' alert being sent by the client when handling the handshake 2357 * finished messages [draft-ietf-tls-esni-14, Section 6.1.6]. */ 2358 TEST_F(TlsConnectStreamTls13, EchToTls12Server) { 2359 EnsureTlsSetup(); 2360 SetupEch(client_, server_); 2361 client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2, 2362 SSL_LIBRARY_VERSION_TLS_1_3); 2363 server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2, 2364 SSL_LIBRARY_VERSION_TLS_1_2); 2365 2366 client_->ExpectEch(false); 2367 server_->ExpectEch(false); 2368 2369 client_->ExpectSendAlert(kTlsAlertEchRequired, kTlsAlertFatal); 2370 server_->ExpectReceiveAlert(kTlsAlertEchRequired, kTlsAlertFatal); 2371 ConnectExpectFailOneSide(TlsAgent::CLIENT); 2372 client_->CheckErrorCode(SSL_ERROR_ECH_RETRY_WITHOUT_ECH); 2373 2374 /* Reset expectations for the TlsAgent deconstructor. */ 2375 server_->ExpectReceiveAlert(kTlsAlertCloseNotify, kTlsAlertWarning); 2376 } 2377 2378 TEST_F(TlsConnectStreamTls13, NoEchFromTls12Client) { 2379 EnsureTlsSetup(); 2380 SetupEch(client_, server_); 2381 client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2, 2382 SSL_LIBRARY_VERSION_TLS_1_2); 2383 server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2, 2384 SSL_LIBRARY_VERSION_TLS_1_3); 2385 auto filter = MakeTlsFilter<TlsExtensionCapture>( 2386 client_, ssl_tls13_encrypted_client_hello_xtn); 2387 client_->ExpectEch(false); 2388 server_->ExpectEch(false); 2389 SetExpectedVersion(SSL_LIBRARY_VERSION_TLS_1_2); 2390 Connect(); 2391 ASSERT_FALSE(filter->captured()); 2392 } 2393 2394 TEST_F(TlsConnectStreamTls13Ech, CorrectPreLimInfoFromTls12ClientWithEch) { 2395 EnsureTlsSetup(); 2396 SetupEch(client_, server_); 2397 client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2, 2398 SSL_LIBRARY_VERSION_TLS_1_2); 2399 server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2, 2400 SSL_LIBRARY_VERSION_TLS_1_3); 2401 client_->ExpectEch(false); 2402 server_->ExpectEch(false); 2403 SetExpectedVersion(SSL_LIBRARY_VERSION_TLS_1_2); 2404 Connect(); 2405 SSLPreliminaryChannelInfo channelPreInfo; 2406 SSL_GetPreliminaryChannelInfo(server_->ssl_fd(), &channelPreInfo, 2407 sizeof(channelPreInfo)); 2408 EXPECT_EQ(PR_FALSE, channelPreInfo.echAccepted); 2409 EXPECT_EQ(NULL, channelPreInfo.echPublicName); 2410 } 2411 2412 TEST_F(TlsConnectStreamTls13Ech, CorrectSNIFromTls12ClientWithEch) { 2413 EnsureTlsSetup(); 2414 SetupEch(client_, server_); 2415 client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2, 2416 SSL_LIBRARY_VERSION_TLS_1_2); 2417 server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2, 2418 SSL_LIBRARY_VERSION_TLS_1_3); 2419 client_->ExpectEch(false); 2420 server_->ExpectEch(false); 2421 SetExpectedVersion(SSL_LIBRARY_VERSION_TLS_1_2); 2422 auto filter = 2423 MakeTlsFilter<TlsExtensionCapture>(client_, ssl_server_name_xtn); 2424 Connect(); 2425 ASSERT_TRUE(filter->captured()); 2426 CheckSniExtension(filter->extension(), "server"); 2427 } 2428 2429 TEST_F(TlsConnectStreamTls13, EchOuterWith12Max) { 2430 EnsureTlsSetup(); 2431 SetupEch(client_, server_); 2432 client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2, 2433 SSL_LIBRARY_VERSION_TLS_1_3); 2434 server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2, 2435 SSL_LIBRARY_VERSION_TLS_1_3); 2436 2437 static const uint8_t supported_vers_12[] = {0x02, 0x03, 0x03}; 2438 DataBuffer buf(supported_vers_12, sizeof(supported_vers_12)); 2439 2440 // The server will set the downgrade sentinel. The client needs 2441 // to ignore it for this test. 2442 client_->SetOption(SSL_ENABLE_HELLO_DOWNGRADE_CHECK, PR_FALSE); 2443 2444 StartConnect(); 2445 MakeTlsFilter<TlsExtensionReplacer>(client_, ssl_tls13_supported_versions_xtn, 2446 buf); 2447 2448 // Server should ignore the extension if 1.2 is negotiated. 2449 // Here the CHInner is not modified, so if Accepted we'd connect. 2450 auto filter = MakeTlsFilter<TlsExtensionCapture>( 2451 server_, ssl_tls13_encrypted_client_hello_xtn); 2452 client_->ExpectEch(false); 2453 server_->ExpectEch(false); 2454 ConnectExpectAlert(server_, kTlsAlertDecryptError); 2455 client_->CheckErrorCode(SSL_ERROR_DECRYPT_ERROR_ALERT); 2456 server_->CheckErrorCode(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE); 2457 ASSERT_FALSE(filter->captured()); 2458 } 2459 2460 TEST_F(TlsConnectStreamTls13, EchOuterExtensionsInCHOuter) { 2461 EnsureTlsSetup(); 2462 uint8_t outer[2] = {0}; 2463 DataBuffer outer_buf(outer, sizeof(outer)); 2464 MakeTlsFilter<TlsExtensionAppender>(client_, kTlsHandshakeClientHello, 2465 ssl_tls13_outer_extensions_xtn, 2466 outer_buf); 2467 2468 ConnectExpectAlert(server_, kTlsAlertIllegalParameter); 2469 client_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT); 2470 server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO); 2471 } 2472 2473 static SECStatus NoopExtensionHandler(PRFileDesc* fd, SSLHandshakeType message, 2474 const PRUint8* data, unsigned int len, 2475 SSLAlertDescription* alert, void* arg) { 2476 return SECSuccess; 2477 } 2478 2479 static PRBool EmptyExtensionWriter(PRFileDesc* fd, SSLHandshakeType message, 2480 PRUint8* data, unsigned int* len, 2481 unsigned int maxLen, void* arg) { 2482 return true; 2483 } 2484 2485 static PRBool LargeExtensionWriter(PRFileDesc* fd, SSLHandshakeType message, 2486 PRUint8* data, unsigned int* len, 2487 unsigned int maxLen, void* arg) { 2488 unsigned int length = 1024; 2489 PR_ASSERT(length <= maxLen); 2490 memset(data, 0, length); 2491 *len = length; 2492 return true; 2493 } 2494 2495 static PRBool OuterOnlyExtensionWriter(PRFileDesc* fd, SSLHandshakeType message, 2496 PRUint8* data, unsigned int* len, 2497 unsigned int maxLen, void* arg) { 2498 if (message == ssl_hs_ech_outer_client_hello) { 2499 return LargeExtensionWriter(fd, message, data, len, maxLen, arg); 2500 } 2501 return false; 2502 } 2503 2504 static PRBool InnerOnlyExtensionWriter(PRFileDesc* fd, SSLHandshakeType message, 2505 PRUint8* data, unsigned int* len, 2506 unsigned int maxLen, void* arg) { 2507 if (message == ssl_hs_client_hello) { 2508 return LargeExtensionWriter(fd, message, data, len, maxLen, arg); 2509 } 2510 return false; 2511 } 2512 2513 static PRBool InnerOuterDiffExtensionWriter(PRFileDesc* fd, 2514 SSLHandshakeType message, 2515 PRUint8* data, unsigned int* len, 2516 unsigned int maxLen, void* arg) { 2517 unsigned int length = 1024; 2518 PR_ASSERT(length <= maxLen); 2519 memset(data, (message == ssl_hs_client_hello) ? 1 : 0, length); 2520 *len = length; 2521 return true; 2522 } 2523 2524 TEST_F(TlsConnectStreamTls13Ech, EchCustomExtensionWriter) { 2525 EnsureTlsSetup(); 2526 SetupEch(client_, server_); 2527 2528 EXPECT_EQ(SECSuccess, SSL_InstallExtensionHooks( 2529 client_->ssl_fd(), 62028, EmptyExtensionWriter, 2530 nullptr, NoopExtensionHandler, nullptr)); 2531 2532 client_->ExpectEch(); 2533 server_->ExpectEch(); 2534 Connect(); 2535 } 2536 2537 TEST_F(TlsConnectStreamTls13, EchCustomExtensionWriterZeroRtt) { 2538 EnsureTlsSetup(); 2539 SetupEch(client_, server_); 2540 SetupForZeroRtt(); 2541 2542 client_->Set0RttEnabled(true); 2543 server_->Set0RttEnabled(true); 2544 ASSERT_EQ(SECSuccess, SSL_InstallExtensionHooks( 2545 client_->ssl_fd(), 62028, EmptyExtensionWriter, 2546 nullptr, NoopExtensionHandler, nullptr)); 2547 SetupEch(client_, server_); 2548 ExpectResumption(RESUME_TICKET); 2549 2550 ZeroRttSendReceive(true, true); 2551 Handshake(); 2552 ExpectEarlyDataAccepted(true); 2553 CheckConnected(); 2554 SendReceive(); 2555 } 2556 2557 TEST_F(TlsConnectStreamTls13Ech, EchCustomExtensionWriterOuterOnly) { 2558 EnsureTlsSetup(); 2559 SetupEch(client_, server_); 2560 2561 EXPECT_EQ(SECSuccess, SSL_InstallExtensionHooks( 2562 client_->ssl_fd(), 62028, OuterOnlyExtensionWriter, 2563 nullptr, NoopExtensionHandler, nullptr)); 2564 EXPECT_EQ(SECSuccess, 2565 SSL_CallExtensionWriterOnEchInner(client_->ssl_fd(), true)); 2566 2567 client_->ExpectEch(); 2568 server_->ExpectEch(); 2569 Connect(); 2570 } 2571 2572 TEST_F(TlsConnectStreamTls13Ech, EchCustomExtensionWriterInnerOnly) { 2573 EnsureTlsSetup(); 2574 SetupEch(client_, server_); 2575 2576 EXPECT_EQ(SECSuccess, SSL_InstallExtensionHooks( 2577 client_->ssl_fd(), 62028, InnerOnlyExtensionWriter, 2578 nullptr, NoopExtensionHandler, nullptr)); 2579 EXPECT_EQ(SECSuccess, 2580 SSL_CallExtensionWriterOnEchInner(client_->ssl_fd(), true)); 2581 2582 client_->ExpectEch(); 2583 server_->ExpectEch(); 2584 Connect(); 2585 } 2586 2587 // Write different values to inner and outer CH. 2588 TEST_F(TlsConnectStreamTls13Ech, EchCustomExtensionWriterDifferent) { 2589 EnsureTlsSetup(); 2590 SetupEch(client_, server_); 2591 2592 EXPECT_EQ(SECSuccess, 2593 SSL_InstallExtensionHooks(client_->ssl_fd(), 62028, 2594 InnerOuterDiffExtensionWriter, nullptr, 2595 NoopExtensionHandler, nullptr)); 2596 EXPECT_EQ(SECSuccess, 2597 SSL_CallExtensionWriterOnEchInner(client_->ssl_fd(), true)); 2598 auto filter = MakeTlsFilter<TlsExtensionCapture>( 2599 client_, ssl_tls13_encrypted_client_hello_xtn); 2600 client_->ExpectEch(); 2601 server_->ExpectEch(); 2602 Connect(); 2603 ASSERT_TRUE(filter->extension().len() > 1024); 2604 } 2605 2606 // Test that basic compression works 2607 TEST_F(TlsConnectStreamTls13Ech, EchCustomExtensionWriterCompressionBasic) { 2608 EnsureTlsSetup(); 2609 SetupEch(client_, server_); 2610 2611 // This will be compressed. 2612 EXPECT_EQ(SECSuccess, SSL_InstallExtensionHooks( 2613 client_->ssl_fd(), 62028, LargeExtensionWriter, 2614 nullptr, NoopExtensionHandler, nullptr)); 2615 EXPECT_EQ(SECSuccess, 2616 SSL_CallExtensionWriterOnEchInner(client_->ssl_fd(), true)); 2617 auto filter = MakeTlsFilter<TlsExtensionCapture>( 2618 client_, ssl_tls13_encrypted_client_hello_xtn); 2619 client_->ExpectEch(); 2620 server_->ExpectEch(); 2621 Connect(); 2622 size_t echXtnLen = filter->extension().len(); 2623 ASSERT_TRUE(echXtnLen > 0 && echXtnLen < 1024); 2624 } 2625 2626 // Test that compression works when things change. 2627 TEST_F(TlsConnectStreamTls13Ech, 2628 EchCustomExtensionWriterCompressSomeDifferent) { 2629 EnsureTlsSetup(); 2630 SetupEch(client_, server_); 2631 2632 // This will be compressed. 2633 EXPECT_EQ(SECSuccess, SSL_InstallExtensionHooks( 2634 client_->ssl_fd(), 62028, LargeExtensionWriter, 2635 nullptr, NoopExtensionHandler, nullptr)); 2636 // This can't be. 2637 EXPECT_EQ(SECSuccess, 2638 SSL_InstallExtensionHooks(client_->ssl_fd(), 62029, 2639 InnerOuterDiffExtensionWriter, nullptr, 2640 NoopExtensionHandler, nullptr)); 2641 // This will be compressed. 2642 EXPECT_EQ(SECSuccess, SSL_InstallExtensionHooks( 2643 client_->ssl_fd(), 62030, LargeExtensionWriter, 2644 nullptr, NoopExtensionHandler, nullptr)); 2645 EXPECT_EQ(SECSuccess, 2646 SSL_CallExtensionWriterOnEchInner(client_->ssl_fd(), true)); 2647 auto filter = MakeTlsFilter<TlsExtensionCapture>( 2648 client_, ssl_tls13_encrypted_client_hello_xtn); 2649 client_->ExpectEch(); 2650 server_->ExpectEch(); 2651 Connect(); 2652 auto echXtnLen = filter->extension().len(); 2653 /* Exactly one custom xtn plus change */ 2654 ASSERT_TRUE(echXtnLen > 1024 && echXtnLen < 2048); 2655 } 2656 2657 // An outer-only extension stops compression. 2658 TEST_F(TlsConnectStreamTls13Ech, 2659 EchCustomExtensionWriterCompressSomeOuterOnly) { 2660 EnsureTlsSetup(); 2661 SetupEch(client_, server_); 2662 2663 // This will be compressed. 2664 EXPECT_EQ(SECSuccess, SSL_InstallExtensionHooks( 2665 client_->ssl_fd(), 62028, LargeExtensionWriter, 2666 nullptr, NoopExtensionHandler, nullptr)); 2667 // This can't be as it appears in the outer only. 2668 EXPECT_EQ(SECSuccess, SSL_InstallExtensionHooks( 2669 client_->ssl_fd(), 62029, OuterOnlyExtensionWriter, 2670 nullptr, NoopExtensionHandler, nullptr)); 2671 // This will be compressed 2672 EXPECT_EQ(SECSuccess, SSL_InstallExtensionHooks( 2673 client_->ssl_fd(), 62030, LargeExtensionWriter, 2674 nullptr, NoopExtensionHandler, nullptr)); 2675 EXPECT_EQ(SECSuccess, 2676 SSL_CallExtensionWriterOnEchInner(client_->ssl_fd(), true)); 2677 auto filter = MakeTlsFilter<TlsExtensionCapture>( 2678 client_, ssl_tls13_encrypted_client_hello_xtn); 2679 client_->ExpectEch(); 2680 server_->ExpectEch(); 2681 Connect(); 2682 size_t echXtnLen = filter->extension().len(); 2683 ASSERT_TRUE(echXtnLen > 0 && echXtnLen < 1024); 2684 } 2685 2686 // An inner only extension does not stop compression. 2687 TEST_F(TlsConnectStreamTls13Ech, EchCustomExtensionWriterCompressAllInnerOnly) { 2688 EnsureTlsSetup(); 2689 SetupEch(client_, server_); 2690 2691 // This will be compressed. 2692 EXPECT_EQ(SECSuccess, SSL_InstallExtensionHooks( 2693 client_->ssl_fd(), 62028, LargeExtensionWriter, 2694 nullptr, NoopExtensionHandler, nullptr)); 2695 // This can't be as it appears in the inner only. 2696 EXPECT_EQ(SECSuccess, SSL_InstallExtensionHooks( 2697 client_->ssl_fd(), 62029, InnerOnlyExtensionWriter, 2698 nullptr, NoopExtensionHandler, nullptr)); 2699 // This will be compressed. 2700 EXPECT_EQ(SECSuccess, SSL_InstallExtensionHooks( 2701 client_->ssl_fd(), 62030, LargeExtensionWriter, 2702 nullptr, NoopExtensionHandler, nullptr)); 2703 EXPECT_EQ(SECSuccess, 2704 SSL_CallExtensionWriterOnEchInner(client_->ssl_fd(), true)); 2705 auto filter = MakeTlsFilter<TlsExtensionCapture>( 2706 client_, ssl_tls13_encrypted_client_hello_xtn); 2707 client_->ExpectEch(); 2708 server_->ExpectEch(); 2709 Connect(); 2710 size_t echXtnLen = filter->extension().len(); 2711 ASSERT_TRUE(echXtnLen > 1024 && echXtnLen < 2048); 2712 } 2713 2714 TEST_F(TlsConnectStreamTls13Ech, EchAcceptCustomXtn) { 2715 EnsureTlsSetup(); 2716 SetupEch(client_, server_); 2717 2718 EXPECT_EQ(SECSuccess, SSL_InstallExtensionHooks( 2719 client_->ssl_fd(), 62028, LargeExtensionWriter, 2720 nullptr, NoopExtensionHandler, nullptr)); 2721 2722 EXPECT_EQ(SECSuccess, 2723 SSL_CallExtensionWriterOnEchInner(client_->ssl_fd(), true)); 2724 2725 EXPECT_EQ(SECSuccess, SSL_InstallExtensionHooks( 2726 server_->ssl_fd(), 62028, LargeExtensionWriter, 2727 nullptr, NoopExtensionHandler, nullptr)); 2728 auto filter = MakeTlsFilter<TlsExtensionCapture>(server_, 62028); 2729 client_->ExpectEch(); 2730 server_->ExpectEch(); 2731 Connect(); 2732 } 2733 2734 // Test that we reject Outer Xtn in SH if accepting ECH Inner 2735 TEST_F(TlsConnectStreamTls13Ech, EchRejectOuterXtnOnInner) { 2736 EnsureTlsSetup(); 2737 SetupEch(client_, server_); 2738 2739 EXPECT_EQ(SECSuccess, SSL_InstallExtensionHooks( 2740 client_->ssl_fd(), 62028, OuterOnlyExtensionWriter, 2741 nullptr, NoopExtensionHandler, nullptr)); 2742 2743 EXPECT_EQ(SECSuccess, 2744 SSL_CallExtensionWriterOnEchInner(client_->ssl_fd(), true)); 2745 2746 // Put the same extension on the Server Hello 2747 EXPECT_EQ(SECSuccess, SSL_InstallExtensionHooks( 2748 server_->ssl_fd(), 62028, LargeExtensionWriter, 2749 nullptr, NoopExtensionHandler, nullptr)); 2750 auto filter = MakeTlsFilter<TlsExtensionCapture>(server_, 62028); 2751 client_->ExpectEch(false); 2752 server_->ExpectEch(false); 2753 client_->ExpectSendAlert(kTlsAlertUnsupportedExtension); 2754 // The server will be expecting an alert encrypted under a different key. 2755 server_->ExpectSendAlert(kTlsAlertUnexpectedMessage); 2756 ConnectExpectFail(); 2757 ASSERT_TRUE(filter->captured()); 2758 client_->CheckErrorCode(SSL_ERROR_RX_UNEXPECTED_EXTENSION); 2759 } 2760 2761 // Test that we reject Inner Xtn in SH if accepting ECH Outer 2762 TEST_F(TlsConnectStreamTls13Ech, EchRejectInnerXtnOnOuter) { 2763 EnsureTlsSetup(); 2764 2765 // Setup ECH only on the client 2766 SetupEch(client_, server_, HpkeDhKemX25519Sha256, false, true, false); 2767 2768 EXPECT_EQ(SECSuccess, SSL_InstallExtensionHooks( 2769 client_->ssl_fd(), 62028, InnerOnlyExtensionWriter, 2770 nullptr, NoopExtensionHandler, nullptr)); 2771 2772 EXPECT_EQ(SECSuccess, 2773 SSL_CallExtensionWriterOnEchInner(client_->ssl_fd(), true)); 2774 2775 // Put the same extension on the Server Hello 2776 EXPECT_EQ(SECSuccess, SSL_InstallExtensionHooks( 2777 server_->ssl_fd(), 62028, LargeExtensionWriter, 2778 nullptr, NoopExtensionHandler, nullptr)); 2779 auto filter = MakeTlsFilter<TlsExtensionCapture>(server_, 62028); 2780 client_->ExpectEch(false); 2781 server_->ExpectEch(false); 2782 client_->ExpectSendAlert(kTlsAlertUnsupportedExtension); 2783 // The server will be expecting an alert encrypted under a different key. 2784 server_->ExpectSendAlert(kTlsAlertUnexpectedMessage); 2785 ConnectExpectFail(); 2786 ASSERT_TRUE(filter->captured()); 2787 client_->CheckErrorCode(SSL_ERROR_RX_UNEXPECTED_EXTENSION); 2788 } 2789 2790 // Test that we reject an Inner Xtn in SH, if accepting Ech Inner and 2791 // we didn't advertise it on SH Outer. 2792 TEST_F(TlsConnectStreamTls13Ech, EchRejectInnerXtnNotOnOuter) { 2793 EnsureTlsSetup(); 2794 2795 // Setup ECH only on the client 2796 SetupEch(client_, server_); 2797 2798 EXPECT_EQ(SECSuccess, SSL_InstallExtensionHooks( 2799 client_->ssl_fd(), 62028, InnerOnlyExtensionWriter, 2800 nullptr, NoopExtensionHandler, nullptr)); 2801 2802 EXPECT_EQ(SECSuccess, 2803 SSL_CallExtensionWriterOnEchInner(client_->ssl_fd(), true)); 2804 2805 // Put the same extension on the Server Hello 2806 EXPECT_EQ(SECSuccess, SSL_InstallExtensionHooks( 2807 server_->ssl_fd(), 62028, LargeExtensionWriter, 2808 nullptr, NoopExtensionHandler, nullptr)); 2809 auto filter = MakeTlsFilter<TlsExtensionCapture>(server_, 62028); 2810 client_->ExpectEch(false); 2811 server_->ExpectEch(false); 2812 client_->ExpectSendAlert(kTlsAlertUnsupportedExtension); 2813 // The server will be expecting an alert encrypted under a different key. 2814 server_->ExpectSendAlert(kTlsAlertUnexpectedMessage); 2815 ConnectExpectFail(); 2816 ASSERT_TRUE(filter->captured()); 2817 client_->CheckErrorCode(SSL_ERROR_RX_UNEXPECTED_EXTENSION); 2818 } 2819 2820 // At draft-09: If a CH containing the ech_is_inner extension is received, the 2821 // server acts as backend server in split-mode by responding with the ECH 2822 // acceptance signal. The signal value itself depends on the handshake secret, 2823 // which we've broken by appending ech_is_inner. For now, just check that the 2824 // server negotiates ech_is_inner (which is what triggers sending the signal). 2825 TEST_F(TlsConnectStreamTls13, EchBackendAcceptance) { 2826 DataBuffer ch_buf; 2827 static uint8_t inner_value[1] = {1}; 2828 DataBuffer inner_buffer(inner_value, sizeof(inner_value)); 2829 2830 EnsureTlsSetup(); 2831 StartConnect(); 2832 EXPECT_EQ(SECSuccess, SSL_EnableTls13GreaseEch(client_->ssl_fd(), PR_FALSE)); 2833 MakeTlsFilter<TlsExtensionAppender>(client_, kTlsHandshakeClientHello, 2834 ssl_tls13_encrypted_client_hello_xtn, 2835 inner_buffer); 2836 2837 EXPECT_EQ(SECSuccess, SSL_EnableTls13BackendEch(server_->ssl_fd(), PR_TRUE)); 2838 client_->Handshake(); 2839 server_->Handshake(); 2840 2841 ExpectAlert(client_, kTlsAlertBadRecordMac); 2842 client_->Handshake(); 2843 EXPECT_EQ(TlsAgent::STATE_ERROR, client_->state()); 2844 EXPECT_EQ(PR_TRUE, 2845 SSLInt_ExtensionNegotiated(server_->ssl_fd(), 2846 ssl_tls13_encrypted_client_hello_xtn)); 2847 server_->ExpectReceiveAlert(kTlsAlertCloseNotify, kTlsAlertWarning); 2848 } 2849 2850 // A public_name that includes an IP address has to be rejected. 2851 TEST_F(TlsConnectStreamTls13Ech, EchPublicNameIp) { 2852 static const std::vector<std::string> kIps = { 2853 "0.0.0.0", 2854 "1.1.1.1", 2855 "255.255.255.255", 2856 "255.255.65535", 2857 "255.16777215", 2858 "4294967295", 2859 "0377.0377.0377.0377", 2860 "0377.0377.0177777", 2861 "0377.077777777", 2862 "037777777777", 2863 "00377.00377.00377.00377", 2864 "00377.00377.00177777", 2865 "00377.0077777777", 2866 "0037777777777", 2867 "0xff.0xff.0xff.0xff", 2868 "0xff.0xff.0xffff", 2869 "0xff.0xffffff", 2870 "0xffffffff", 2871 "0XFF.0XFF.0XFF.0XFF", 2872 "0XFF.0XFF.0XFFFF", 2873 "0XFF.0XFFFFFF", 2874 "0XFFFFFFFF", 2875 "0x0ff.0x0ff.0x0ff.0x0ff", 2876 "0x0ff.0x0ff.0x0ffff", 2877 "0x0ff.0x0ffffff", 2878 "0x0ffffffff", 2879 "00000000000000000000000000000000000000000", 2880 "00000000000000000000000000000000000000001", 2881 "127.0.0.1", 2882 "127.0.1", 2883 "127.1", 2884 "2130706433", 2885 "017700000001", 2886 }; 2887 ValidatePublicNames(kIps, SECFailure); 2888 } 2889 2890 // These are nearly IP addresses. 2891 TEST_F(TlsConnectStreamTls13Ech, EchPublicNameNotIp) { 2892 static const std::vector<std::string> kNotIps = { 2893 "0.0.0.0.0", 2894 "1.2.3.4.5", 2895 "999999999999999999999999999999999", 2896 "07777777777777777777777777777777777777777", 2897 "111111111100000000001111111111000000000011111111110000000000123", 2898 "256.255.255.255", 2899 "255.256.255.255", 2900 "255.255.256.255", 2901 "255.255.255.256", 2902 "255.255.65536", 2903 "255.16777216", 2904 "4294967296", 2905 "0400.0377.0377.0377", 2906 "0377.0400.0377.0377", 2907 "0377.0377.0400.0377", 2908 "0377.0377.0377.0400", 2909 "0377.0377.0200000", 2910 "0377.0100000000", 2911 "040000000000", 2912 "0x100.0xff.0xff.0xff", 2913 "0xff.0x100.0xff.0xff", 2914 "0xff.0xff.0x100.0xff", 2915 "0xff.0xff.0xff.0x100", 2916 "0xff.0xff.0x10000", 2917 "0xff.0x1000000", 2918 "0x100000000", 2919 "08", 2920 "09", 2921 "a", 2922 "0xg", 2923 "0XG", 2924 "0x", 2925 "0x.1.2.3", 2926 "test-name", 2927 "test-name.test", 2928 "TEST-NAME", 2929 "under_score", 2930 "_under_score", 2931 "under_score_", 2932 }; 2933 ValidatePublicNames(kNotIps, SECSuccess); 2934 } 2935 2936 TEST_F(TlsConnectStreamTls13Ech, EchPublicNameNotLdh) { 2937 static const std::vector<std::string> kNotLdh = { 2938 ".", 2939 "name.", 2940 ".name", 2941 "test..name", 2942 "1111111111000000000011111111110000000000111111111100000000001234", 2943 "-name", 2944 "name-", 2945 "test-.name", 2946 "!", 2947 u8"\u2077", 2948 }; 2949 ValidatePublicNames(kNotLdh, SECFailure); 2950 } 2951 2952 TEST_F(TlsConnectStreamTls13, EchClientHelloExtensionPermutation) { 2953 EnsureTlsSetup(); 2954 ASSERT_TRUE(SSL_OptionSet(client_->ssl_fd(), 2955 SSL_ENABLE_CH_EXTENSION_PERMUTATION, 2956 PR_TRUE) == SECSuccess); 2957 SetupEch(client_, server_); 2958 2959 client_->ExpectEch(); 2960 server_->ExpectEch(); 2961 Connect(); 2962 } 2963 2964 TEST_F(TlsConnectStreamTls13, EchGreaseClientHelloExtensionPermutation) { 2965 EnsureTlsSetup(); 2966 ASSERT_TRUE(SSL_OptionSet(client_->ssl_fd(), 2967 SSL_ENABLE_CH_EXTENSION_PERMUTATION, 2968 PR_TRUE) == SECSuccess); 2969 ASSERT_TRUE(SSL_EnableTls13GreaseEch(client_->ssl_fd(), PR_FALSE) == 2970 SECSuccess); 2971 Connect(); 2972 } 2973 2974 TEST_F(TlsConnectDatagram13, EchNoSupportDTLS) { 2975 EnsureTlsSetup(); 2976 DataBuffer echconfig; 2977 ScopedSECKEYPublicKey pub; 2978 ScopedSECKEYPrivateKey priv; 2979 TlsConnectTestBase::GenerateEchConfig(HpkeDhKemX25519Sha256, 2980 kUnknownFirstSuite, kPublicName, 100, 2981 echconfig, pub, priv); 2982 ASSERT_EQ(SECFailure, 2983 SSL_SetClientEchConfigs(client_->ssl_fd(), echconfig.data(), 2984 echconfig.len())); 2985 ASSERT_EQ(SECFailure, 2986 SSL_SetServerEchConfigs(server_->ssl_fd(), pub.get(), priv.get(), 2987 echconfig.data(), echconfig.len())); 2988 2989 client_->ExpectEch(false); 2990 server_->ExpectEch(false); 2991 Connect(); 2992 } 2993 2994 INSTANTIATE_TEST_SUITE_P(EchAgentTest, TlsAgentEchTest, 2995 ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll, 2996 TlsConnectTestBase::kTlsV13)); 2997 2998 } // namespace nss_test