/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ /* vim: set ts=2 et sw=2 tw=80: */ /* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this file, * You can obtain one at http://mozilla.org/MPL/2.0/. */ #include "ssl.h" #include "sslerr.h" #include "sslproto.h" extern "C" { // This is not something that should make you happy. #include "libssl_internals.h" } #include "gtest_utils.h" #include "nss_scoped_ptrs.h" #include "tls_connect.h" #include "tls_filter.h" #include "tls_parser.h" namespace nss_test { TEST_P(TlsKeyExchangeTest13, Mlkem768x25519Supported) { EnsureKeyShareSetup(); ConfigNamedGroups({ssl_grp_kem_mlkem768x25519}); Connect(); CheckKeys(ssl_kea_ecdh_hybrid, ssl_grp_kem_mlkem768x25519, ssl_auth_rsa_sign, ssl_sig_rsa_pss_rsae_sha256); } TEST_P(TlsKeyExchangeTest, Tls12ClientMlkem768x25519NotSupported) { EnsureKeyShareSetup(); client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2, SSL_LIBRARY_VERSION_TLS_1_2); server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2, SSL_LIBRARY_VERSION_TLS_1_3); client_->DisableAllCiphers(); client_->EnableCiphersByKeyExchange(ssl_kea_ecdh); client_->EnableCiphersByKeyExchange(ssl_kea_ecdh_hybrid); EXPECT_EQ(SECSuccess, SSL_SendAdditionalKeyShares( client_->ssl_fd(), kECDHEGroups.size() + kEcdhHybridGroups.size())); Connect(); std::vector groups = GetGroupDetails(groups_capture_); for (auto group : groups) { EXPECT_NE(group, ssl_grp_kem_mlkem768x25519); } } TEST_P(TlsKeyExchangeTest13, Tls12ServerMlkem768x25519NotSupported) { EnsureKeyShareSetup(); client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2, SSL_LIBRARY_VERSION_TLS_1_3); server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2, SSL_LIBRARY_VERSION_TLS_1_2); client_->DisableAllCiphers(); client_->EnableCiphersByKeyExchange(ssl_kea_ecdh); client_->EnableCiphersByKeyExchange(ssl_kea_ecdh_hybrid); client_->ConfigNamedGroups( {ssl_grp_kem_mlkem768x25519, ssl_grp_ec_curve25519}); EXPECT_EQ(SECSuccess, SSL_SendAdditionalKeyShares(client_->ssl_fd(), 1)); server_->EnableCiphersByKeyExchange(ssl_kea_ecdh); server_->EnableCiphersByKeyExchange(ssl_kea_ecdh_hybrid); server_->ConfigNamedGroups( {ssl_grp_kem_mlkem768x25519, ssl_grp_ec_curve25519}); Connect(); CheckKeys(ssl_kea_ecdh, ssl_grp_ec_curve25519, ssl_auth_rsa_sign, ssl_sig_rsa_pss_rsae_sha256); } TEST_P(TlsKeyExchangeTest13, Mlkem768x25519ClientDisabledByPolicy) { EnsureKeyShareSetup(); client_->SetPolicy(SEC_OID_MLKEM768X25519, 0, NSS_USE_ALG_IN_SSL_KX); ConfigNamedGroups({ssl_grp_kem_mlkem768x25519, ssl_grp_ec_secp256r1}); Connect(); CheckKEXDetails({ssl_grp_ec_secp256r1}, {ssl_grp_ec_secp256r1}); } TEST_P(TlsKeyExchangeTest13, Mlkem768x25519ServerDisabledByPolicy) { EnsureKeyShareSetup(); server_->SetPolicy(SEC_OID_MLKEM768X25519, 0, NSS_USE_ALG_IN_SSL_KX); ConfigNamedGroups({ssl_grp_kem_mlkem768x25519, ssl_grp_ec_secp256r1}); Connect(); CheckKEXDetails({ssl_grp_kem_mlkem768x25519, ssl_grp_ec_secp256r1}, {ssl_grp_kem_mlkem768x25519}, ssl_grp_ec_secp256r1); } static void CheckECDHShareReuse( const std::shared_ptr& capture) { EXPECT_TRUE(capture->captured()); const DataBuffer& ext = capture->extension(); DataBuffer hybrid_share; DataBuffer x25519_share; size_t offset = 0; uint32_t ext_len; ext.Read(0, 2, &ext_len); EXPECT_EQ(ext.len() - 2, ext_len); offset += 2; uint32_t named_group; uint32_t named_group_len; ext.Read(offset, 2, &named_group); ext.Read(offset + 2, 2, &named_group_len); while (offset < ext.len()) { if (named_group == ssl_grp_kem_mlkem768x25519) { hybrid_share = DataBuffer(ext.data() + offset + 2 + 2, named_group_len); } if (named_group == ssl_grp_ec_curve25519) { x25519_share = DataBuffer(ext.data() + offset + 2 + 2, named_group_len); } offset += 2 + 2 + named_group_len; ext.Read(offset, 2, &named_group); ext.Read(offset + 2, 2, &named_group_len); } EXPECT_EQ(offset, ext.len()); ASSERT_TRUE(hybrid_share.data()); ASSERT_TRUE(x25519_share.data()); ASSERT_GT(hybrid_share.len(), x25519_share.len()); EXPECT_EQ(0, memcmp(hybrid_share.data() + KYBER768_PUBLIC_KEY_BYTES, x25519_share.data(), x25519_share.len())); } TEST_P(TlsKeyExchangeTest13, Mlkem768x25519ShareReuseFirst) { EnsureKeyShareSetup(); ConfigNamedGroups({ssl_grp_kem_mlkem768x25519, ssl_grp_ec_curve25519}); EXPECT_EQ(SECSuccess, SSL_SendAdditionalKeyShares(client_->ssl_fd(), 1)); Connect(); CheckKEXDetails({ssl_grp_kem_mlkem768x25519, ssl_grp_ec_curve25519}, {ssl_grp_kem_mlkem768x25519, ssl_grp_ec_curve25519}); CheckECDHShareReuse(shares_capture_); } TEST_P(TlsKeyExchangeTest13, Mlkem768x25519ShareReuseSecond) { EnsureKeyShareSetup(); ConfigNamedGroups({ssl_grp_ec_curve25519, ssl_grp_kem_mlkem768x25519}); EXPECT_EQ(SECSuccess, SSL_SendAdditionalKeyShares(client_->ssl_fd(), 1)); Connect(); CheckKEXDetails({ssl_grp_ec_curve25519, ssl_grp_kem_mlkem768x25519}, {ssl_grp_ec_curve25519, ssl_grp_kem_mlkem768x25519}); CheckECDHShareReuse(shares_capture_); } class Mlkem768x25519ShareDamager : public TlsExtensionFilter { public: typedef enum { downgrade, extend, truncate, zero_ecdh, modify_ecdh, modify_mlkem, modify_mlkem_pubkey_mod_q, } damage_type; Mlkem768x25519ShareDamager(const std::shared_ptr& a, damage_type damage) : TlsExtensionFilter(a), damage_(damage) {} virtual PacketFilter::Action FilterExtension(uint16_t extension_type, const DataBuffer& input, DataBuffer* output) { if (extension_type != ssl_tls13_key_share_xtn) { return KEEP; } // Find the Mlkem768x25519 share size_t offset = 0; if (agent()->role() == TlsAgent::CLIENT) { offset += 2; // skip KeyShareClientHello length } uint32_t named_group; uint32_t named_group_len; input.Read(offset, 2, &named_group); input.Read(offset + 2, 2, &named_group_len); while (named_group != ssl_grp_kem_mlkem768x25519) { offset += 2 + 2 + named_group_len; input.Read(offset, 2, &named_group); input.Read(offset + 2, 2, &named_group_len); } EXPECT_EQ(named_group, ssl_grp_kem_mlkem768x25519); DataBuffer hybrid_key_share(input.data() + offset, 2 + 2 + named_group_len); // Damage the Mlkem768x25519 share uint32_t mlkem_component_len = hybrid_key_share.len() - 2 - 2 - X25519_PUBLIC_KEY_BYTES; unsigned char* ecdh_component = hybrid_key_share.data() + 2 + 2 + mlkem_component_len; unsigned char* mlkem_component = hybrid_key_share.data() + 2 + 2; switch (damage_) { case Mlkem768x25519ShareDamager::downgrade: // Downgrade a Mlkem768x25519 share to X25519 memcpy(mlkem_component, ecdh_component, X25519_PUBLIC_KEY_BYTES); hybrid_key_share.Truncate(2 + 2 + X25519_PUBLIC_KEY_BYTES); hybrid_key_share.Write(0, ssl_grp_ec_curve25519, 2); hybrid_key_share.Write(2, X25519_PUBLIC_KEY_BYTES, 2); break; case Mlkem768x25519ShareDamager::truncate: // Truncate a Mlkem768x25519 share before the X25519 component hybrid_key_share.Truncate(2 + 2 + mlkem_component_len); hybrid_key_share.Write(2, mlkem_component_len, 2); break; case Mlkem768x25519ShareDamager::extend: // Append 4 bytes to a Mlkem768x25519 share uint32_t current_len; hybrid_key_share.Read(2, 2, ¤t_len); hybrid_key_share.Write(hybrid_key_share.len(), current_len, 4); hybrid_key_share.Write(2, current_len + 4, 2); break; case Mlkem768x25519ShareDamager::zero_ecdh: // Replace an X25519 component with 0s memset(ecdh_component, 0, X25519_PUBLIC_KEY_BYTES); break; case Mlkem768x25519ShareDamager::modify_ecdh: // Flip a bit in the X25519 component ecdh_component[0] ^= 0x01; break; case Mlkem768x25519ShareDamager::modify_mlkem: // Flip a bit in the mlkem component mlkem_component[0] ^= 0x01; break; case Mlkem768x25519ShareDamager::modify_mlkem_pubkey_mod_q: if (agent()->role() == TlsAgent::CLIENT) { // Replace the client's public key with an sequence of 12-bit values // in the same equivalence class mod 3329. The FIPS-203 input // validation check should fail. for (size_t i = 0; i < mlkem_component_len - 32; i += 3) { // Pairs of 12-bit coefficients are packed into 3 bytes. // Unpack them, change equivalence class if possible, and repack. uint16_t coeff0 = mlkem_component[i] | ((mlkem_component[i + 1] & 0x0f) << 8); uint16_t coeff1 = (mlkem_component[i + 1] & 0xf0 >> 4) | ((mlkem_component[i + 2]) << 4); if (coeff0 < 4096 - 3329) { coeff0 += 3329; } if (coeff1 < 4096 - 3329) { coeff1 += 3329; } mlkem_component[i] = coeff0; mlkem_component[i + 1] = (coeff0 >> 8) + ((coeff1 & 0x0f) << 4); mlkem_component[i + 2] = coeff1 >> 4; } } break; } *output = input; output->Splice(hybrid_key_share, offset, 2 + 2 + named_group_len); // Fix the KeyShareClientHello length if necessary if (agent()->role() == TlsAgent::CLIENT && hybrid_key_share.len() != 2 + 2 + named_group_len) { output->Write(0, output->len() - 2, 2); } return CHANGE; } private: damage_type damage_; }; class TlsMlkem768x25519DamageTest : public TlsConnectTestBase, public ::testing::WithParamInterface< Mlkem768x25519ShareDamager::damage_type> { public: TlsMlkem768x25519DamageTest() : TlsConnectTestBase(ssl_variant_stream, SSL_LIBRARY_VERSION_TLS_1_3) {} protected: void Damage(const std::shared_ptr& agent) { EnsureTlsSetup(); client_->ConfigNamedGroups( {ssl_grp_ec_curve25519, ssl_grp_kem_mlkem768x25519}); server_->ConfigNamedGroups( {ssl_grp_kem_mlkem768x25519, ssl_grp_ec_curve25519}); EXPECT_EQ(SECSuccess, SSL_SendAdditionalKeyShares(client_->ssl_fd(), 1)); MakeTlsFilter(agent, GetParam()); } }; TEST_P(TlsMlkem768x25519DamageTest, DamageClientShare) { Damage(client_); switch (GetParam()) { case Mlkem768x25519ShareDamager::extend: case Mlkem768x25519ShareDamager::truncate: ConnectExpectAlert(server_, kTlsAlertIllegalParameter); server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_HYBRID_KEY_SHARE); break; case Mlkem768x25519ShareDamager::zero_ecdh: ConnectExpectAlert(server_, kTlsAlertIllegalParameter); server_->CheckErrorCode(SEC_ERROR_INVALID_KEY); break; case Mlkem768x25519ShareDamager::modify_mlkem_pubkey_mod_q: ConnectExpectAlert(server_, kTlsAlertIllegalParameter); server_->CheckErrorCode(SEC_ERROR_INVALID_ARGS); break; case Mlkem768x25519ShareDamager::downgrade: case Mlkem768x25519ShareDamager::modify_ecdh: case Mlkem768x25519ShareDamager::modify_mlkem: client_->ExpectSendAlert(kTlsAlertBadRecordMac); server_->ExpectSendAlert(kTlsAlertBadRecordMac); ConnectExpectFail(); client_->CheckErrorCode(SSL_ERROR_BAD_MAC_READ); server_->CheckErrorCode(SSL_ERROR_BAD_MAC_READ); break; } } TEST_P(TlsMlkem768x25519DamageTest, DamageServerShare) { Damage(server_); switch (GetParam()) { case Mlkem768x25519ShareDamager::extend: case Mlkem768x25519ShareDamager::truncate: client_->ExpectSendAlert(kTlsAlertIllegalParameter); server_->ExpectSendAlert(kTlsAlertUnexpectedMessage); ConnectExpectFail(); client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_HYBRID_KEY_SHARE); break; case Mlkem768x25519ShareDamager::zero_ecdh: client_->ExpectSendAlert(kTlsAlertIllegalParameter); server_->ExpectSendAlert(kTlsAlertUnexpectedMessage); ConnectExpectFail(); client_->CheckErrorCode(SEC_ERROR_INVALID_KEY); break; case Mlkem768x25519ShareDamager::downgrade: case Mlkem768x25519ShareDamager::modify_ecdh: case Mlkem768x25519ShareDamager::modify_mlkem: client_->ExpectSendAlert(kTlsAlertBadRecordMac); server_->ExpectSendAlert(kTlsAlertBadRecordMac); ConnectExpectFail(); client_->CheckErrorCode(SSL_ERROR_BAD_MAC_READ); server_->CheckErrorCode(SSL_ERROR_BAD_MAC_READ); break; case Mlkem768x25519ShareDamager::modify_mlkem_pubkey_mod_q: // The server doesn't send a public key, so nothing is changed. break; } } INSTANTIATE_TEST_SUITE_P( TlsMlkem768x25519DamageTest, TlsMlkem768x25519DamageTest, ::testing::Values(Mlkem768x25519ShareDamager::downgrade, Mlkem768x25519ShareDamager::extend, Mlkem768x25519ShareDamager::truncate, Mlkem768x25519ShareDamager::zero_ecdh, Mlkem768x25519ShareDamager::modify_ecdh, Mlkem768x25519ShareDamager::modify_mlkem, Mlkem768x25519ShareDamager::modify_mlkem_pubkey_mod_q)); } // namespace nss_test