tls_grease_unittest.cc (30742B)
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ 2 /* vim: set ts=2 et sw=2 tw=80: */ 3 /* This Source Code Form is subject to the terms of the Mozilla Public 4 * License, v. 2.0. If a copy of the MPL was not distributed with this file, 5 * You can obtain one at http://mozilla.org/MPL/2.0/. */ 6 7 #include "secerr.h" 8 #include "ssl.h" 9 10 #include "gtest_utils.h" 11 #include "tls_connect.h" 12 #include "util.h" 13 14 namespace nss_test { 15 16 const uint8_t kTlsGreaseExtensionMessages[] = {kTlsHandshakeEncryptedExtensions, 17 kTlsHandshakeCertificate}; 18 19 const uint16_t kTlsGreaseValues[] = { 20 0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a, 21 0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}; 22 23 const uint8_t kTlsGreasePskValues[] = {0x0B, 0x2A, 0x49, 0x68, 24 0x87, 0xA6, 0xC5, 0xE4}; 25 26 size_t countGreaseInBuffer(const DataBuffer& list) { 27 if (!list.len()) { 28 return 0; 29 } 30 size_t occurrence = 0; 31 for (uint16_t greaseVal : kTlsGreaseValues) { 32 for (size_t i = 0; i < (list.len() - 1); i += 2) { 33 uint16_t sample = list.data()[i + 1] + (list.data()[i] << 8); 34 if (greaseVal == sample) { 35 occurrence++; 36 } 37 } 38 } 39 return occurrence; 40 } 41 42 class GreasePresenceAbsenceTestBase : public TlsConnectTestBase { 43 public: 44 GreasePresenceAbsenceTestBase(SSLProtocolVariant variant, uint16_t version, 45 bool shouldGrease) 46 : TlsConnectTestBase(variant, version), set_grease_(shouldGrease){}; 47 48 void SetupGrease() { 49 EnsureTlsSetup(); 50 ASSERT_EQ(SSL_OptionSet(client_->ssl_fd(), SSL_ENABLE_GREASE, set_grease_), 51 SECSuccess); 52 ASSERT_EQ(SSL_OptionSet(server_->ssl_fd(), SSL_ENABLE_GREASE, set_grease_), 53 SECSuccess); 54 } 55 56 bool expectGrease() { 57 return set_grease_ && version_ >= SSL_LIBRARY_VERSION_TLS_1_3; 58 } 59 60 void checkGreasePresence(const int ifEnabled, const int ifDisabled, 61 const DataBuffer& buffer) { 62 size_t expected = expectGrease() ? size_t(ifEnabled) : size_t(ifDisabled); 63 EXPECT_EQ(expected, countGreaseInBuffer(buffer)); 64 } 65 66 private: 67 bool set_grease_; 68 }; 69 70 class GreasePresenceAbsenceTestAllVersions 71 : public GreasePresenceAbsenceTestBase, 72 public ::testing::WithParamInterface< 73 std::tuple<SSLProtocolVariant, uint16_t, bool>> { 74 public: 75 GreasePresenceAbsenceTestAllVersions() 76 : GreasePresenceAbsenceTestBase(std::get<0>(GetParam()), 77 std::get<1>(GetParam()), 78 std::get<2>(GetParam())){}; 79 }; 80 81 // Varies stream/datagram, TLS Version and whether GREASE is enabled 82 INSTANTIATE_TEST_SUITE_P(GreaseTests, GreasePresenceAbsenceTestAllVersions, 83 ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll, 84 TlsConnectTestBase::kTlsV11Plus, 85 ::testing::Values(true, false))); 86 87 // Varies whether GREASE is enabled for TLS13 only 88 class GreasePresenceAbsenceTestTlsStream13 89 : public GreasePresenceAbsenceTestBase, 90 public ::testing::WithParamInterface<bool> { 91 public: 92 GreasePresenceAbsenceTestTlsStream13() 93 : GreasePresenceAbsenceTestBase( 94 ssl_variant_stream, SSL_LIBRARY_VERSION_TLS_1_3, GetParam()){}; 95 }; 96 97 INSTANTIATE_TEST_SUITE_P(GreaseTests, GreasePresenceAbsenceTestTlsStream13, 98 ::testing::Values(true, false)); 99 100 // These tests check for the presence / absence of GREASE values in the various 101 // positions that we are permitted to add them. For positions which existed in 102 // prior versions of TLS, we check that enabling GREASE is only effective when 103 // negotiating TLS1.3 or higher and that disabling GREASE results in the absence 104 // of any GREASE values. 105 // For positions that specific to TLS1.3, we only check that enabling/disabling 106 // GREASE results in the correct presence/absence of the GREASE value. 107 108 TEST_P(GreasePresenceAbsenceTestAllVersions, ClientGreaseCiphersuites) { 109 SetupGrease(); 110 111 auto ch1 = MakeTlsFilter<ClientHelloCiphersuiteCapture>(client_); 112 Connect(); 113 EXPECT_TRUE(ch1->captured()); 114 115 checkGreasePresence(1, 0, ch1->contents()); 116 } 117 118 TEST_P(GreasePresenceAbsenceTestAllVersions, ClientGreaseNamedGroups) { 119 SetupGrease(); 120 121 auto ch1 = 122 MakeTlsFilter<TlsExtensionCapture>(client_, ssl_supported_groups_xtn); 123 Connect(); 124 EXPECT_TRUE(ch1->captured()); 125 126 checkGreasePresence(1, 0, ch1->extension()); 127 } 128 129 TEST_P(GreasePresenceAbsenceTestAllVersions, ClientGreaseKeyShare) { 130 SetupGrease(); 131 132 auto ch1 = 133 MakeTlsFilter<TlsExtensionCapture>(client_, ssl_tls13_key_share_xtn); 134 // filters only work with particular groups 135 server_->ConfigNamedGroups(kNonPQDHEGroups); 136 client_->ConfigNamedGroups(kNonPQDHEGroups); 137 Connect(); 138 EXPECT_TRUE((version_ >= SSL_LIBRARY_VERSION_TLS_1_3) == ch1->captured()); 139 140 checkGreasePresence(1, 0, ch1->extension()); 141 } 142 143 TEST_P(GreasePresenceAbsenceTestAllVersions, ClientGreaseSigAlg) { 144 SetupGrease(); 145 146 auto ch1 = 147 MakeTlsFilter<TlsExtensionCapture>(client_, ssl_signature_algorithms_xtn); 148 Connect(); 149 EXPECT_TRUE((version_ >= SSL_LIBRARY_VERSION_TLS_1_2) == ch1->captured()); 150 151 checkGreasePresence(1, 0, ch1->extension()); 152 } 153 154 TEST_P(GreasePresenceAbsenceTestAllVersions, ClientGreaseSupportedVersions) { 155 SetupGrease(); 156 157 auto ch1 = MakeTlsFilter<TlsExtensionCapture>( 158 client_, ssl_tls13_supported_versions_xtn); 159 Connect(); 160 EXPECT_TRUE((version_ >= SSL_LIBRARY_VERSION_TLS_1_3) == ch1->captured()); 161 162 // Supported Versions have a 1 byte length field. 163 TlsParser extParser(ch1->extension()); 164 DataBuffer versions; 165 extParser.ReadVariable(&versions, 1); 166 167 checkGreasePresence(1, 0, versions); 168 } 169 170 TEST_P(GreasePresenceAbsenceTestTlsStream13, ClientGreasePskExchange) { 171 SetupGrease(); 172 173 auto ch1 = MakeTlsFilter<TlsExtensionCapture>( 174 client_, ssl_tls13_psk_key_exchange_modes_xtn); 175 Connect(); 176 EXPECT_TRUE(ch1->captured()); 177 178 // PSK Exchange Modes have a 1 byte length field 179 TlsParser extParser(ch1->extension()); 180 DataBuffer modes; 181 extParser.ReadVariable(&modes, 1); 182 183 // Scan for single byte GREASE PSK Values 184 size_t numGrease = 0; 185 for (uint8_t greaseVal : kTlsGreasePskValues) { 186 for (unsigned long i = 0; i < modes.len(); i++) { 187 if (greaseVal == modes.data()[i]) { 188 numGrease++; 189 } 190 } 191 } 192 193 EXPECT_EQ(expectGrease() ? size_t(1) : size_t(0), numGrease); 194 } 195 196 TEST_P(GreasePresenceAbsenceTestAllVersions, ClientGreaseAlpn) { 197 SetupGrease(); 198 EnableAlpn(); 199 200 auto ch1 = 201 MakeTlsFilter<TlsExtensionCapture>(client_, ssl_app_layer_protocol_xtn); 202 Connect(); 203 EXPECT_TRUE((version_ >= SSL_LIBRARY_VERSION_TLS_1_1) == ch1->captured()); 204 205 // ALPN Xtns have a redundant two-byte length 206 TlsParser alpnParser(ch1->extension()); 207 alpnParser.Skip(2); // Skip the length 208 DataBuffer alpnEntry; 209 210 // Each ALPN entry has a single byte length prefixed. 211 size_t greaseAlpnEntrys = 0; 212 while (alpnParser.remaining()) { 213 alpnParser.ReadVariable(&alpnEntry, 1); 214 if (alpnEntry.len() == 2) { 215 greaseAlpnEntrys += countGreaseInBuffer(alpnEntry); 216 } 217 } 218 219 EXPECT_EQ(expectGrease() ? size_t(1) : size_t(0), greaseAlpnEntrys); 220 } 221 222 TEST_P(GreasePresenceAbsenceTestAllVersions, GreaseClientHelloExtension) { 223 SetupGrease(); 224 225 auto ch1 = 226 MakeTlsFilter<TlsHandshakeRecorder>(client_, kTlsHandshakeClientHello); 227 Connect(); 228 EXPECT_TRUE(ch1->buffer().len() > 0); 229 230 TlsParser extParser(ch1->buffer()); 231 EXPECT_TRUE(extParser.Skip(2 + 32)); // Version + Random 232 EXPECT_TRUE(extParser.SkipVariable(1)); // Session ID 233 if (variant_ == ssl_variant_datagram) { 234 EXPECT_TRUE(extParser.SkipVariable(1)); // Cookie 235 } 236 EXPECT_TRUE(extParser.SkipVariable(2)); // Ciphersuites 237 EXPECT_TRUE(extParser.SkipVariable(1)); // Compression Methods 238 EXPECT_TRUE(extParser.Skip(2)); // Extension Lengths 239 240 // Scan for a 1-byte and a 0-byte extension. 241 uint32_t extType; 242 DataBuffer extBuf; 243 bool foundSmall = false; 244 bool foundLarge = false; 245 size_t numFound = 0; 246 while (extParser.remaining()) { 247 extParser.Read(&extType, 2); 248 extParser.ReadVariable(&extBuf, 2); 249 for (uint16_t greaseVal : kTlsGreaseValues) { 250 if (greaseVal == extType) { 251 numFound++; 252 foundSmall |= extBuf.len() == 0; 253 foundLarge |= extBuf.len() > 0; 254 } 255 } 256 } 257 258 EXPECT_EQ(foundSmall, expectGrease()); 259 EXPECT_EQ(foundLarge, expectGrease()); 260 EXPECT_EQ(numFound, expectGrease() ? size_t(2) : size_t(0)); 261 } 262 263 TEST_P(GreasePresenceAbsenceTestTlsStream13, GreaseCertificateRequestSigAlg) { 264 SetupGrease(); 265 client_->SetupClientAuth(); 266 server_->RequestClientAuth(true); 267 268 auto cr = 269 MakeTlsFilter<TlsExtensionCapture>(server_, ssl_signature_algorithms_xtn); 270 cr->SetHandshakeTypes({kTlsHandshakeCertificateRequest}); 271 cr->EnableDecryption(); 272 Connect(); 273 EXPECT_TRUE(cr->captured()); 274 275 checkGreasePresence(1, 0, cr->extension()); 276 } 277 278 TEST_P(GreasePresenceAbsenceTestTlsStream13, 279 GreaseCertificateRequestExtension) { 280 SetupGrease(); 281 client_->SetupClientAuth(); 282 server_->RequestClientAuth(true); 283 284 auto cr = MakeTlsFilter<TlsHandshakeRecorder>( 285 server_, kTlsHandshakeCertificateRequest); 286 cr->EnableDecryption(); 287 Connect(); 288 EXPECT_TRUE(cr->buffer().len() > 0); 289 290 TlsParser extParser(cr->buffer()); 291 EXPECT_TRUE(extParser.SkipVariable(1)); // Context 292 EXPECT_TRUE(extParser.Skip(2)); // Extension Lengths 293 294 uint32_t extType; 295 DataBuffer extBuf; 296 bool found = false; 297 // Scan for a single, empty extension 298 while (extParser.remaining()) { 299 extParser.Read(&extType, 2); 300 extParser.ReadVariable(&extBuf, 2); 301 for (uint16_t greaseVal : kTlsGreaseValues) { 302 if (greaseVal == extType) { 303 EXPECT_TRUE(!found); 304 EXPECT_EQ(extBuf.len(), size_t(0)); 305 found = true; 306 } 307 } 308 } 309 310 EXPECT_EQ(expectGrease(), found); 311 } 312 313 TEST_P(GreasePresenceAbsenceTestTlsStream13, GreaseNewSessionTicketExtension) { 314 SetupGrease(); 315 316 auto nst = MakeTlsFilter<TlsHandshakeRecorder>(server_, 317 kTlsHandshakeNewSessionTicket); 318 nst->EnableDecryption(); 319 Connect(); 320 EXPECT_EQ(SECSuccess, SSL_SendSessionTicket(server_->ssl_fd(), nullptr, 0)); 321 EXPECT_TRUE(nst->buffer().len() > 0); 322 323 TlsParser extParser(nst->buffer()); 324 EXPECT_TRUE(extParser.Skip(4)); // lifetime 325 EXPECT_TRUE(extParser.Skip(4)); // age 326 EXPECT_TRUE(extParser.SkipVariable(1)); // Nonce 327 EXPECT_TRUE(extParser.SkipVariable(2)); // Ticket 328 EXPECT_TRUE(extParser.Skip(2)); // Extension Length 329 330 uint32_t extType; 331 DataBuffer extBuf; 332 bool found = false; 333 // Scan for a single, empty extension 334 while (extParser.remaining()) { 335 extParser.Read(&extType, 2); 336 extParser.ReadVariable(&extBuf, 2); 337 for (uint16_t greaseVal : kTlsGreaseValues) { 338 if (greaseVal == extType) { 339 EXPECT_TRUE(!found); 340 EXPECT_EQ(extBuf.len(), size_t(0)); 341 found = true; 342 } 343 } 344 } 345 346 EXPECT_EQ(expectGrease(), found); 347 } 348 349 // Generic Client GREASE test 350 TEST_P(TlsConnectGeneric, ClientGrease) { 351 EnsureTlsSetup(); 352 ASSERT_EQ(SSL_OptionSet(client_->ssl_fd(), SSL_ENABLE_GREASE, PR_TRUE), 353 SECSuccess); 354 Connect(); 355 } 356 357 // Generic Server GREASE test 358 TEST_P(TlsConnectGeneric, ServerGrease) { 359 EnsureTlsSetup(); 360 ASSERT_EQ(SSL_OptionSet(server_->ssl_fd(), SSL_ENABLE_GREASE, PR_TRUE), 361 SECSuccess); 362 Connect(); 363 } 364 365 // Generic GREASE test 366 TEST_P(TlsConnectGeneric, Grease) { 367 EnsureTlsSetup(); 368 ASSERT_EQ(SSL_OptionSet(client_->ssl_fd(), SSL_ENABLE_GREASE, PR_TRUE), 369 SECSuccess); 370 ASSERT_EQ(SSL_OptionSet(server_->ssl_fd(), SSL_ENABLE_GREASE, PR_TRUE), 371 SECSuccess); 372 Connect(); 373 } 374 375 // Check that GREASE values can be correctly reconstructed after HRR. 376 TEST_P(TlsConnectGeneric, GreaseHRR) { 377 EnsureTlsSetup(); 378 const std::vector<SSLNamedGroup> client_groups = { 379 ssl_grp_ec_curve25519, ssl_grp_ec_secp256r1, ssl_grp_ec_secp384r1}; 380 const std::vector<SSLNamedGroup> server_groups = { 381 ssl_grp_ec_secp256r1, ssl_grp_ec_secp384r1, ssl_grp_ec_curve25519}; 382 client_->ConfigNamedGroups(client_groups); 383 server_->ConfigNamedGroups(server_groups); 384 ASSERT_EQ(SSL_OptionSet(client_->ssl_fd(), SSL_ENABLE_GREASE, PR_TRUE), 385 SECSuccess); 386 ASSERT_EQ(SSL_OptionSet(server_->ssl_fd(), SSL_ENABLE_GREASE, PR_TRUE), 387 SECSuccess); 388 Connect(); 389 } 390 391 // Check that GREASE additions interact correctly with psk-only handshake. 392 TEST_F(TlsConnectStreamTls13, GreasePsk) { 393 EnsureTlsSetup(); 394 ASSERT_EQ(SSL_OptionSet(client_->ssl_fd(), SSL_ENABLE_GREASE, PR_TRUE), 395 SECSuccess); 396 ASSERT_EQ(SSL_OptionSet(server_->ssl_fd(), SSL_ENABLE_GREASE, PR_TRUE), 397 SECSuccess); 398 399 ScopedPK11SlotInfo slot(PK11_GetInternalSlot()); 400 const uint8_t kPskDummyVal_[16] = {0x01, 0x02, 0x03, 0x04, 0x05, 401 0x06, 0x07, 0x08, 0x09, 0x0a, 402 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}; 403 SECItem psk_item; 404 psk_item.type = siBuffer; 405 psk_item.len = sizeof(kPskDummyVal_); 406 psk_item.data = const_cast<uint8_t*>(kPskDummyVal_); 407 PK11SymKey* key = 408 PK11_ImportSymKey(slot.get(), CKM_HKDF_KEY_GEN, PK11_OriginUnwrap, 409 CKA_DERIVE, &psk_item, NULL); 410 411 ScopedPK11SymKey scoped_psk_(key); 412 const std::string kPskDummyLabel_ = "NSS PSK GTEST label"; 413 const SSLHashType kPskHash_ = ssl_hash_sha384; 414 AddPsk(scoped_psk_, kPskDummyLabel_, kPskHash_); 415 416 Connect(); 417 SendReceive(); 418 CheckKeys(ssl_auth_psk, ssl_sig_none); 419 } 420 421 // Test that ECH and GREASE work together successfully 422 TEST_F(TlsConnectStreamTls13, GreaseAndECH) { 423 EnsureTlsSetup(); 424 SetupEch(client_, server_); 425 ASSERT_EQ(SSL_OptionSet(client_->ssl_fd(), SSL_ENABLE_GREASE, PR_TRUE), 426 SECSuccess); 427 ASSERT_EQ(SSL_OptionSet(server_->ssl_fd(), SSL_ENABLE_GREASE, PR_TRUE), 428 SECSuccess); 429 Connect(); 430 } 431 432 // Test that TLS12 Server handles Client GREASE correctly 433 TEST_F(TlsConnectTest, GreaseTLS12Server) { 434 EnsureTlsSetup(); 435 ASSERT_EQ(SSL_OptionSet(client_->ssl_fd(), SSL_ENABLE_GREASE, PR_TRUE), 436 SECSuccess); 437 server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2, 438 SSL_LIBRARY_VERSION_TLS_1_2); 439 client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2, 440 SSL_LIBRARY_VERSION_TLS_1_3); 441 Connect(); 442 } 443 444 // Test that TLS12 Client handles Server GREASE correctly 445 TEST_F(TlsConnectTest, GreaseTLS12Client) { 446 EnsureTlsSetup(); 447 ASSERT_EQ(SSL_OptionSet(server_->ssl_fd(), SSL_ENABLE_GREASE, PR_TRUE), 448 SECSuccess); 449 server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2, 450 SSL_LIBRARY_VERSION_TLS_1_3); 451 client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2, 452 SSL_LIBRARY_VERSION_TLS_1_2); 453 Connect(); 454 } 455 456 class GreaseOnlyTestStreamTls13 : public TlsConnectStreamTls13 { 457 public: 458 GreaseOnlyTestStreamTls13() : TlsConnectStreamTls13() {} 459 460 void ConnectWithCustomChExpectFail(const std::string& ch, 461 uint8_t server_alert, uint32_t server_code, 462 uint32_t client_code) { 463 std::vector<uint8_t> ch_vec = hex_string_to_bytes(ch); 464 DataBuffer ch_buf; 465 EnsureTlsSetup(); 466 467 TlsAgentTestBase::MakeRecord(variant_, ssl_ct_handshake, 468 SSL_LIBRARY_VERSION_TLS_1_3, ch_vec.data(), 469 ch_vec.size(), &ch_buf, 0); 470 StartConnect(); 471 client_->SendDirect(ch_buf); 472 ExpectAlert(server_, server_alert); 473 server_->Handshake(); 474 server_->CheckErrorCode(server_code); 475 client_->ExpectReceiveAlert(server_alert, kTlsAlertFatal); 476 client_->Handshake(); 477 client_->CheckErrorCode(client_code); 478 } 479 }; 480 481 // Client: Offer only GREASE CipherSuite value 482 TEST_F(GreaseOnlyTestStreamTls13, GreaseOnlyClientCipherSuite) { 483 // 0xdada 484 std::string ch = 485 "010000b003038afacda2963358e98f464f3ff0680ed3a9d382a8c3eac5e5604f5721add9" 486 "855c000002dada010000850000000b0009000006736572766572ff01000100000a001400" 487 "12001d00170018001901000101010201030104003300260024001d0020683668992de470" 488 "38660ee37bafc7392b05b8a94402ea1f3463ad3cfd7a694a46002b0003020304000d0018" 489 "001604030503060302030804080508060401050106010201002d00020101001c0002400" 490 "1"; 491 492 ConnectWithCustomChExpectFail(ch, kTlsAlertHandshakeFailure, 493 SSL_ERROR_NO_CYPHER_OVERLAP, 494 SSL_ERROR_NO_CYPHER_OVERLAP); 495 } 496 497 // Client: Offer only GREASE SupportedGroups value 498 TEST_F(GreaseOnlyTestStreamTls13, GreaseOnlyClientSupportedGroup) { 499 // 0x3a3a 500 std::string ch = 501 "010000a40303484a4e14f547404da6115d7f73bbb0f1c9d65e66ac073dee6c4a62f72de9" 502 "a36f000006130113031302010000750000000b0009000006736572766572ff0100010000" 503 "0a000400023a3a003300260024001d0020e75cb8e217c95176954e8b5fb95843882462ce" 504 "2cd3fcfe67cf31463a05ea3d57002b0003020304000d0018001604030503060302030804" 505 "080508060401050106010201002d00020101001c00024001"; 506 507 ConnectWithCustomChExpectFail(ch, kTlsAlertHandshakeFailure, 508 SSL_ERROR_NO_CYPHER_OVERLAP, 509 SSL_ERROR_NO_CYPHER_OVERLAP); 510 } 511 512 // Client: Offer only GREASE SigAlgs value 513 TEST_F(GreaseOnlyTestStreamTls13, GreaseOnlyClientSignatureAlgorithm) { 514 // 0x8a8a 515 std::string ch = 516 "010000a00303dfd8e2438a8d1b9f48d921dfc08959108807bd1105238bb3da2a2a8e3db0" 517 "6990000006130113031302010000710000000b0009000006736572766572ff0100010000" 518 "0a00140012001d00170018001901000101010201030104003300260024001d002074bb2c" 519 "94996d3ffc7ae5792f0c3c58676358a85ea304cd029fa3d6551013b333002b0003020304" 520 "000d000400028a8a002d00020101001c00024001"; 521 522 ConnectWithCustomChExpectFail(ch, kTlsAlertHandshakeFailure, 523 SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM, 524 SSL_ERROR_NO_CYPHER_OVERLAP); 525 } 526 527 // Client: Offer only GREASE SupportedVersions value 528 TEST_F(GreaseOnlyTestStreamTls13, GreaseOnlyClientSupportedVersion) { 529 // 0xeaea 530 std::string ch = 531 "010000b203037e3618abae0dd0b3f06a504c47354551d1d5be36e9c3e1eac9c139c246b1" 532 "66da000006130113031302010000830000000b0009000006736572766572ff0100010000" 533 "0a00140012001d00170018001901000101010201030104003300260024001d00206b1816" 534 "577ff2e69d4d2661419150eaefa0328ffd396425cf1733ec06536b4e55002b000100000d" 535 "0018001604030503060302030804080508060401050106010201002d00020101001c0002" 536 "4001"; 537 538 ConnectWithCustomChExpectFail(ch, kTlsAlertIllegalParameter, 539 SSL_ERROR_RX_MALFORMED_CLIENT_HELLO, 540 SSL_ERROR_ILLEGAL_PARAMETER_ALERT); 541 } 542 543 class GreaseTestStreamTls12 544 : public TlsConnectStreamTls12, 545 public ::testing::WithParamInterface<uint16_t /* GREASE */> { 546 public: 547 GreaseTestStreamTls12() : TlsConnectStreamTls12(), grease_(GetParam()){}; 548 549 void ConnectExpectSigAlgFail() { 550 client_->ExpectSendAlert(kTlsAlertIllegalParameter); 551 server_->ExpectReceiveAlert(kTlsAlertIllegalParameter); 552 ConnectExpectFail(); 553 client_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM); 554 server_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT); 555 } 556 557 protected: 558 uint16_t grease_; 559 }; 560 561 class TlsCertificateRequestSigAlgSetterFilter : public TlsHandshakeFilter { 562 public: 563 TlsCertificateRequestSigAlgSetterFilter(const std::shared_ptr<TlsAgent>& a, 564 uint16_t sigAlg) 565 : TlsHandshakeFilter(a, {kTlsHandshakeCertificateRequest}), 566 sigAlg_(sigAlg) {} 567 virtual PacketFilter::Action FilterHandshake( 568 const TlsHandshakeFilter::HandshakeHeader& header, 569 const DataBuffer& input, DataBuffer* output) { 570 TlsParser parser(input); 571 DataBuffer cert_types; 572 if (!parser.ReadVariable(&cert_types, 1)) { 573 ADD_FAILURE(); 574 return KEEP; 575 } 576 577 if (!parser.SkipVariable(2)) { 578 ADD_FAILURE(); 579 return KEEP; 580 } 581 582 DataBuffer cas; 583 if (!parser.ReadVariable(&cas, 2)) { 584 ADD_FAILURE(); 585 return KEEP; 586 } 587 588 size_t idx = 0; 589 590 // Write certificate types. 591 idx = output->Write(idx, cert_types.len(), 1); 592 idx = output->Write(idx, cert_types); 593 594 // Write signature algorithm. 595 idx = output->Write(idx, sizeof(sigAlg_), 2); 596 idx = output->Write(idx, sigAlg_, 2); 597 598 // Write certificate authorities. 599 idx = output->Write(idx, cas.len(), 2); 600 idx = output->Write(idx, cas); 601 602 return CHANGE; 603 } 604 605 private: 606 uint16_t sigAlg_; 607 }; 608 609 // Server: Offer only GREASE CertificateRequest SigAlg value 610 TEST_P(GreaseTestStreamTls12, GreaseOnlyServerTLS12CertificateRequestSigAlg) { 611 EnsureTlsSetup(); 612 client_->SetupClientAuth(); 613 server_->RequestClientAuth(true); 614 MakeTlsFilter<TlsCertificateRequestSigAlgSetterFilter>(server_, grease_); 615 616 client_->ExpectSendAlert(kTlsAlertHandshakeFailure); 617 server_->ExpectReceiveAlert(kTlsAlertHandshakeFailure); 618 ConnectExpectFail(); 619 server_->CheckErrorCode(SSL_ERROR_HANDSHAKE_FAILURE_ALERT); 620 client_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM); 621 } 622 623 // Illegally GREASE ServerKeyExchange ECC SignatureAlgorithm 624 TEST_P(GreaseTestStreamTls12, GreasedTLS12ServerKexEccSigAlg) { 625 MakeTlsFilter<ECCServerKEXSigAlgReplacer>(server_, grease_); 626 EnableSomeEcdhCiphers(); 627 628 client_->ExpectSendAlert(kTlsAlertIllegalParameter); 629 server_->ExpectReceiveAlert(kTlsAlertIllegalParameter); 630 ConnectExpectFail(); 631 client_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM); 632 server_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT); 633 } 634 635 // Illegally GREASE ServerKeyExchange DHE SignatureAlgorithm 636 TEST_P(GreaseTestStreamTls12, GreasedTLS12ServerKexDheSigAlg) { 637 MakeTlsFilter<DHEServerKEXSigAlgReplacer>(server_, grease_); 638 EnableOnlyDheCiphers(); 639 640 client_->ExpectSendAlert(kTlsAlertIllegalParameter); 641 server_->ExpectReceiveAlert(kTlsAlertIllegalParameter); 642 ConnectExpectFail(); 643 client_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM); 644 server_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT); 645 } 646 647 // Illegally GREASE ServerKeyExchange ECDHE NamedCurve 648 TEST_P(GreaseTestStreamTls12, GreasedTLS12ServerKexEcdheNamedCurve) { 649 MakeTlsFilter<ECCServerKEXNamedCurveReplacer>(server_, grease_); 650 EnableSomeEcdhCiphers(); 651 652 client_->ExpectSendAlert(kTlsAlertHandshakeFailure); 653 server_->ExpectReceiveAlert(kTlsAlertHandshakeFailure); 654 ConnectExpectFail(); 655 server_->CheckErrorCode(SSL_ERROR_HANDSHAKE_FAILURE_ALERT); 656 client_->CheckErrorCode(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); 657 } 658 659 // Illegally GREASE TLS12 Client CertificateVerify SignatureAlgorithm 660 TEST_P(GreaseTestStreamTls12, GreasedTLS12ClientCertificateVerifySigAlg) { 661 client_->SetupClientAuth(); 662 server_->RequestClientAuth(true); 663 MakeTlsFilter<TlsReplaceSignatureSchemeFilter>(client_, grease_); 664 665 server_->ExpectSendAlert(kTlsAlertIllegalParameter); 666 client_->ExpectReceiveAlert(kTlsAlertIllegalParameter); 667 ConnectExpectFail(); 668 client_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT); 669 server_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM); 670 } 671 672 class GreaseTestStreamTls13 673 : public TlsConnectStreamTls13, 674 public ::testing::WithParamInterface<uint16_t /* GREASE */> { 675 public: 676 GreaseTestStreamTls13() : grease_(GetParam()){}; 677 678 protected: 679 uint16_t grease_; 680 }; 681 682 // Illegally GREASE TLS13 Client CertificateVerify SignatureAlgorithm 683 TEST_P(GreaseTestStreamTls13, GreasedTLS13ClientCertificateVerifySigAlg) { 684 client_->SetupClientAuth(); 685 server_->RequestClientAuth(true); 686 auto filter = 687 MakeTlsFilter<TlsReplaceSignatureSchemeFilter>(client_, grease_); 688 filter->EnableDecryption(); 689 690 server_->ExpectSendAlert(kTlsAlertIllegalParameter); 691 client_->ExpectReceiveAlert(kTlsAlertIllegalParameter); 692 693 // Manually trigger handshake to avoid race conditions 694 StartConnect(); 695 client_->Handshake(); 696 server_->Handshake(); 697 client_->Handshake(); 698 server_->Handshake(); 699 client_->Handshake(); 700 701 server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CERT_VERIFY); 702 client_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT); 703 } 704 705 // Illegally GREASE TLS13 Server CertificateVerify SignatureAlgorithm 706 TEST_P(GreaseTestStreamTls13, GreasedTLS13ServerCertificateVerifySigAlg) { 707 EnsureTlsSetup(); 708 auto filter = 709 MakeTlsFilter<TlsReplaceSignatureSchemeFilter>(server_, grease_); 710 filter->EnableDecryption(); 711 712 client_->ExpectSendAlert(kTlsAlertIllegalParameter); 713 server_->ExpectReceiveAlert(kTlsAlertIllegalParameter); 714 ConnectExpectFail(); 715 client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CERT_VERIFY); 716 } 717 718 // Illegally GREASE HelloRetryRequest version value 719 TEST_P(GreaseTestStreamTls13, GreasedHelloRetryRequestVersion) { 720 EnsureTlsSetup(); 721 // Trigger HelloRetryRequest 722 MakeTlsFilter<TlsExtensionDropper>(client_, ssl_tls13_key_share_xtn); 723 auto filter = MakeTlsFilter<TlsMessageVersionSetter>( 724 server_, kTlsHandshakeHelloRetryRequest, grease_); 725 filter->EnableDecryption(); 726 727 client_->ExpectSendAlert(kTlsAlertIllegalParameter); 728 server_->ExpectReceiveAlert(kTlsAlertIllegalParameter); 729 ConnectExpectFail(); 730 client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_SERVER_HELLO); 731 server_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT); 732 } 733 734 class GreaseTestStreamTls123 735 : public TlsConnectTestBase, 736 public ::testing::WithParamInterface< 737 std::tuple<uint16_t /* version */, uint16_t /* GREASE */>> { 738 public: 739 GreaseTestStreamTls123() 740 : TlsConnectTestBase(ssl_variant_stream, std::get<0>(GetParam())), 741 grease_(std::get<1>(GetParam())){}; 742 743 void ConnectExpectIllegalGreaseFail() { 744 client_->ExpectSendAlert(kTlsAlertIllegalParameter); 745 if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) { 746 // Server expects handshake but receives encrypted alert. 747 server_->ExpectSendAlert(kTlsAlertUnexpectedMessage); 748 } else { 749 server_->ExpectReceiveAlert(kTlsAlertIllegalParameter); 750 } 751 ConnectExpectFail(); 752 } 753 754 protected: 755 uint16_t grease_; 756 }; 757 758 // Illegally GREASE TLS12 and TLS13 ServerHello version value 759 TEST_P(GreaseTestStreamTls123, GreasedServerHelloVersion) { 760 EnsureTlsSetup(); 761 auto filter = MakeTlsFilter<TlsMessageVersionSetter>( 762 server_, kTlsHandshakeServerHello, grease_); 763 if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) { 764 filter->EnableDecryption(); 765 } 766 ConnectExpectIllegalGreaseFail(); 767 client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_SERVER_HELLO); 768 } 769 770 // Illegally GREASE TLS12 and TLS13 selected CipherSuite value 771 TEST_P(GreaseTestStreamTls123, GreasedServerHelloCipherSuite) { 772 EnsureTlsSetup(); 773 auto filter = MakeTlsFilter<SelectedCipherSuiteReplacer>(server_, grease_); 774 if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) { 775 filter->EnableDecryption(); 776 } 777 ConnectExpectIllegalGreaseFail(); 778 client_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP); 779 } 780 781 class GreaseExtensionTestStreamTls13 782 : public TlsConnectStreamTls13, 783 public ::testing::WithParamInterface< 784 std::tuple<uint8_t /* message */, uint16_t /* GREASE */>> { 785 public: 786 GreaseExtensionTestStreamTls13() 787 : TlsConnectStreamTls13(), 788 message_(std::get<0>(GetParam())), 789 grease_(std::get<1>(GetParam())){}; 790 791 protected: 792 uint8_t message_; 793 uint16_t grease_; 794 }; 795 796 // Illegally GREASE TLS13 Server EncryptedExtensions and Certificate Extensions 797 // NSS currently allows offering unkown extensions in HelloRetryRequests! 798 TEST_P(GreaseExtensionTestStreamTls13, GreasedServerExtensions) { 799 EnsureTlsSetup(); 800 DataBuffer empty = DataBuffer(1); 801 auto filter = 802 MakeTlsFilter<TlsExtensionAppender>(server_, message_, grease_, empty); 803 filter->EnableDecryption(); 804 805 server_->ExpectReceiveAlert(kTlsAlertUnsupportedExtension); 806 client_->ExpectSendAlert(kTlsAlertUnsupportedExtension); 807 ConnectExpectFail(); 808 client_->CheckErrorCode(SSL_ERROR_RX_UNEXPECTED_EXTENSION); 809 server_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_EXTENSION_ALERT); 810 } 811 812 // Illegally GREASE TLS12 and TLS13 ServerHello Extensions 813 TEST_P(GreaseTestStreamTls123, GreasedServerHelloExtensions) { 814 EnsureTlsSetup(); 815 DataBuffer empty = DataBuffer(1); 816 auto filter = MakeTlsFilter<TlsExtensionAppender>( 817 server_, kTlsHandshakeServerHello, grease_, empty); 818 819 if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) { 820 filter->EnableDecryption(); 821 server_->ExpectSendAlert(kTlsAlertUnexpectedMessage); 822 } else { 823 server_->ExpectReceiveAlert(kTlsAlertUnsupportedExtension); 824 } 825 client_->ExpectSendAlert(kTlsAlertUnsupportedExtension); 826 ConnectExpectFail(); 827 client_->CheckErrorCode(SSL_ERROR_RX_UNEXPECTED_EXTENSION); 828 } 829 830 // Illegally GREASE TLS13 Client Certificate Extensions 831 // Server ignores injected client extensions and fails on CertificateVerify 832 TEST_P(GreaseTestStreamTls13, GreasedClientCertificateExtensions) { 833 client_->SetupClientAuth(); 834 server_->RequestClientAuth(true); 835 DataBuffer empty = DataBuffer(1); 836 auto filter = MakeTlsFilter<TlsExtensionAppender>( 837 client_, kTlsHandshakeCertificate, grease_, empty); 838 filter->EnableDecryption(); 839 840 server_->ExpectSendAlert(kTlsAlertDecryptError); 841 client_->ExpectReceiveAlert(kTlsAlertDecryptError); 842 843 // Manually trigger handshake to avoid race conditions 844 StartConnect(); 845 client_->Handshake(); 846 server_->Handshake(); 847 client_->Handshake(); 848 server_->Handshake(); 849 client_->Handshake(); 850 851 server_->CheckErrorCode(SEC_ERROR_BAD_SIGNATURE); 852 client_->CheckErrorCode(SSL_ERROR_DECRYPT_ERROR_ALERT); 853 } 854 855 TEST_F(TlsConnectStreamTls13, GreaseClientHelloExtensionPermutation) { 856 EnsureTlsSetup(); 857 ASSERT_TRUE(SSL_OptionSet(client_->ssl_fd(), 858 SSL_ENABLE_CH_EXTENSION_PERMUTATION, 859 PR_TRUE) == SECSuccess); 860 ASSERT_TRUE(SSL_OptionSet(client_->ssl_fd(), SSL_ENABLE_GREASE, PR_TRUE) == 861 SECSuccess); 862 Connect(); 863 } 864 865 INSTANTIATE_TEST_SUITE_P(GreaseTestTls12, GreaseTestStreamTls12, 866 ::testing::ValuesIn(kTlsGreaseValues)); 867 868 INSTANTIATE_TEST_SUITE_P(GreaseTestTls13, GreaseTestStreamTls13, 869 ::testing::ValuesIn(kTlsGreaseValues)); 870 871 INSTANTIATE_TEST_SUITE_P( 872 GreaseTestTls123, GreaseTestStreamTls123, 873 ::testing::Combine(TlsConnectTestBase::kTlsV12Plus, 874 ::testing::ValuesIn(kTlsGreaseValues))); 875 876 INSTANTIATE_TEST_SUITE_P( 877 GreaseExtensionTest, GreaseExtensionTestStreamTls13, 878 testing::Combine(testing::ValuesIn(kTlsGreaseExtensionMessages), 879 testing::ValuesIn(kTlsGreaseValues))); 880 881 } // namespace nss_test