1183 lines
39 KiB
C++
1183 lines
39 KiB
C++
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
|
|
/* vim: set ts=2 et sw=2 tw=80: */
|
|
/* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this file,
|
|
* You can obtain one at http://mozilla.org/MPL/2.0/. */
|
|
|
|
#include "secerr.h"
|
|
#include "ssl.h"
|
|
#include "sslerr.h"
|
|
#include "sslexp.h"
|
|
#include "sslproto.h"
|
|
|
|
extern "C" {
|
|
// This is not something that should make you happy.
|
|
#include "libssl_internals.h"
|
|
}
|
|
|
|
#include "cpputil.h"
|
|
#include "gtest_utils.h"
|
|
#include "nss_scoped_ptrs.h"
|
|
#include "tls_connect.h"
|
|
#include "tls_filter.h"
|
|
#include "tls_parser.h"
|
|
|
|
namespace nss_test {
|
|
|
|
TEST_P(TlsConnectTls13, ZeroRtt) {
|
|
SetupForZeroRtt();
|
|
client_->Set0RttEnabled(true);
|
|
server_->Set0RttEnabled(true);
|
|
ExpectResumption(RESUME_TICKET);
|
|
ZeroRttSendReceive(true, true);
|
|
Handshake();
|
|
ExpectEarlyDataAccepted(true);
|
|
CheckConnected();
|
|
SendReceive();
|
|
}
|
|
|
|
TEST_P(TlsConnectTls13, ZeroRttServerRejectByOption) {
|
|
SetupForZeroRtt();
|
|
client_->Set0RttEnabled(true);
|
|
ExpectResumption(RESUME_TICKET);
|
|
ZeroRttSendReceive(true, false);
|
|
Handshake();
|
|
CheckConnected();
|
|
SendReceive();
|
|
}
|
|
|
|
TEST_P(TlsConnectTls13, ZeroRttApplicationReject) {
|
|
SetupForZeroRtt();
|
|
client_->Set0RttEnabled(true);
|
|
server_->Set0RttEnabled(true);
|
|
ExpectResumption(RESUME_TICKET);
|
|
|
|
auto reject_0rtt = [](PRBool firstHello, const PRUint8* clientToken,
|
|
unsigned int clientTokenLen, PRUint8* appToken,
|
|
unsigned int* appTokenLen, unsigned int appTokenMax,
|
|
void* arg) {
|
|
auto* called = reinterpret_cast<bool*>(arg);
|
|
*called = true;
|
|
|
|
EXPECT_TRUE(firstHello);
|
|
EXPECT_EQ(0U, clientTokenLen);
|
|
return ssl_hello_retry_reject_0rtt;
|
|
};
|
|
|
|
bool cb_run = false;
|
|
EXPECT_EQ(SECSuccess, SSL_HelloRetryRequestCallback(server_->ssl_fd(),
|
|
reject_0rtt, &cb_run));
|
|
ZeroRttSendReceive(true, false);
|
|
Handshake();
|
|
EXPECT_TRUE(cb_run);
|
|
CheckConnected();
|
|
SendReceive();
|
|
}
|
|
|
|
TEST_P(TlsConnectTls13, ZeroRttApparentReplayAfterRestart) {
|
|
// The test fixtures enable anti-replay in SetUp(). This results in 0-RTT
|
|
// being rejected until at least one window passes. SetupFor0Rtt() forces a
|
|
// rollover of the anti-replay filters, which clears that state and allows
|
|
// 0-RTT to work. Make the first connection manually to avoid that rollover
|
|
// and cause 0-RTT to be rejected.
|
|
|
|
ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
|
|
ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
|
|
server_->Set0RttEnabled(true); // So we signal that we allow 0-RTT.
|
|
Connect();
|
|
SendReceive(); // Need to read so that we absorb the session ticket.
|
|
CheckKeys();
|
|
|
|
Reset();
|
|
StartConnect();
|
|
client_->Set0RttEnabled(true);
|
|
server_->Set0RttEnabled(true);
|
|
ExpectResumption(RESUME_TICKET);
|
|
ZeroRttSendReceive(true, false);
|
|
Handshake();
|
|
CheckConnected();
|
|
SendReceive();
|
|
}
|
|
|
|
class TlsZeroRttReplayTest : public TlsConnectTls13 {
|
|
private:
|
|
class SaveFirstPacket : public PacketFilter {
|
|
public:
|
|
PacketFilter::Action Filter(const DataBuffer& input,
|
|
DataBuffer* output) override {
|
|
if (!packet_.len() && input.len()) {
|
|
packet_ = input;
|
|
}
|
|
return KEEP;
|
|
}
|
|
|
|
const DataBuffer& packet() const { return packet_; }
|
|
|
|
private:
|
|
DataBuffer packet_;
|
|
};
|
|
|
|
protected:
|
|
void RunTest(bool rollover, const ScopedPK11SymKey& epsk) {
|
|
// Now run a true 0-RTT handshake, but capture the first packet.
|
|
auto first_packet = std::make_shared<SaveFirstPacket>();
|
|
client_->SetFilter(first_packet);
|
|
client_->Set0RttEnabled(true);
|
|
server_->Set0RttEnabled(true);
|
|
ZeroRttSendReceive(true, true);
|
|
Handshake();
|
|
EXPECT_LT(0U, first_packet->packet().len());
|
|
ExpectEarlyDataAccepted(true);
|
|
CheckConnected();
|
|
SendReceive();
|
|
|
|
if (rollover) {
|
|
RolloverAntiReplay();
|
|
}
|
|
|
|
// Now replay that packet against the server.
|
|
Reset();
|
|
server_->StartConnect();
|
|
server_->Set0RttEnabled(true);
|
|
server_->SetAntiReplayContext(anti_replay_);
|
|
if (epsk) {
|
|
AddPsk(epsk, std::string("foo"), ssl_hash_sha256,
|
|
TLS_CHACHA20_POLY1305_SHA256);
|
|
}
|
|
|
|
// Capture the early_data extension, which should not appear.
|
|
auto early_data_ext =
|
|
MakeTlsFilter<TlsExtensionCapture>(server_, ssl_tls13_early_data_xtn);
|
|
|
|
// Finally, replay the ClientHello and force the server to consume it. Stop
|
|
// after the server sends its first flight; the client will not be able to
|
|
// complete this handshake.
|
|
server_->adapter()->PacketReceived(first_packet->packet());
|
|
server_->Handshake();
|
|
EXPECT_FALSE(early_data_ext->captured());
|
|
}
|
|
|
|
void RunResPskTest(bool rollover) {
|
|
// Run the initial handshake
|
|
SetupForZeroRtt();
|
|
ExpectResumption(RESUME_TICKET);
|
|
RunTest(rollover, ScopedPK11SymKey(nullptr));
|
|
}
|
|
|
|
void RunExtPskTest(bool rollover) {
|
|
ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
|
|
ASSERT_NE(nullptr, slot);
|
|
|
|
const std::vector<uint8_t> kPskDummyVal(16, 0xFF);
|
|
SECItem psk_item = {siBuffer, toUcharPtr(kPskDummyVal.data()),
|
|
static_cast<unsigned int>(kPskDummyVal.size())};
|
|
PK11SymKey* key =
|
|
PK11_ImportSymKey(slot.get(), CKM_HKDF_KEY_GEN, PK11_OriginUnwrap,
|
|
CKA_DERIVE, &psk_item, NULL);
|
|
ASSERT_NE(nullptr, key);
|
|
ScopedPK11SymKey scoped_psk(key);
|
|
RolloverAntiReplay();
|
|
AddPsk(scoped_psk, std::string("foo"), ssl_hash_sha256,
|
|
TLS_CHACHA20_POLY1305_SHA256);
|
|
StartConnect();
|
|
RunTest(rollover, scoped_psk);
|
|
}
|
|
};
|
|
|
|
TEST_P(TlsZeroRttReplayTest, ResPskZeroRttReplay) { RunResPskTest(false); }
|
|
|
|
TEST_P(TlsZeroRttReplayTest, ExtPskZeroRttReplay) { RunExtPskTest(false); }
|
|
|
|
TEST_P(TlsZeroRttReplayTest, ZeroRttReplayAfterRollover) {
|
|
RunResPskTest(true);
|
|
}
|
|
|
|
// Test that we don't try to send 0-RTT data when the server sent
|
|
// us a ticket without the 0-RTT flags.
|
|
TEST_P(TlsConnectTls13, ZeroRttOptionsSetLate) {
|
|
ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
|
|
Connect();
|
|
SendReceive(); // Need to read so that we absorb the session ticket.
|
|
CheckKeys(ssl_kea_ecdh, ssl_auth_rsa_sign);
|
|
Reset();
|
|
StartConnect();
|
|
// Now turn on 0-RTT but too late for the ticket.
|
|
client_->Set0RttEnabled(true);
|
|
server_->Set0RttEnabled(true);
|
|
ExpectResumption(RESUME_TICKET);
|
|
ZeroRttSendReceive(false, false);
|
|
Handshake();
|
|
CheckConnected();
|
|
SendReceive();
|
|
}
|
|
|
|
// Make sure that a session ticket sent well after the original handshake
|
|
// can be used for 0-RTT.
|
|
// Stream because DTLS doesn't support SSL_SendSessionTicket.
|
|
TEST_F(TlsConnectStreamTls13, ZeroRttUsingLateTicket) {
|
|
// Use a small-ish anti-replay window.
|
|
ResetAntiReplay(100 * PR_USEC_PER_MSEC);
|
|
RolloverAntiReplay();
|
|
|
|
ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
|
|
server_->Set0RttEnabled(true);
|
|
Connect();
|
|
CheckKeys();
|
|
|
|
// Now move time forward 30s and send a ticket.
|
|
AdvanceTime(30 * PR_USEC_PER_SEC);
|
|
EXPECT_EQ(SECSuccess, SSL_SendSessionTicket(server_->ssl_fd(), NULL, 0));
|
|
SendReceive();
|
|
Reset();
|
|
StartConnect();
|
|
|
|
client_->Set0RttEnabled(true);
|
|
server_->Set0RttEnabled(true);
|
|
ExpectResumption(RESUME_TICKET);
|
|
ZeroRttSendReceive(true, true);
|
|
Handshake();
|
|
ExpectEarlyDataAccepted(true);
|
|
CheckConnected();
|
|
SendReceive();
|
|
}
|
|
|
|
// Check that post-handshake authentication with a long RTT doesn't
|
|
// make things worse.
|
|
TEST_F(TlsConnectStreamTls13, ZeroRttUsingLateTicketPha) {
|
|
// Use a small-ish anti-replay window.
|
|
ResetAntiReplay(100 * PR_USEC_PER_MSEC);
|
|
RolloverAntiReplay();
|
|
|
|
ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
|
|
server_->Set0RttEnabled(true);
|
|
client_->SetupClientAuth();
|
|
client_->SetOption(SSL_ENABLE_POST_HANDSHAKE_AUTH, PR_TRUE);
|
|
Connect();
|
|
CheckKeys();
|
|
|
|
// Add post-handshake authentication, with some added delays.
|
|
AdvanceTime(10 * PR_USEC_PER_SEC);
|
|
EXPECT_EQ(SECSuccess, SSL_SendCertificateRequest(server_->ssl_fd()));
|
|
AdvanceTime(10 * PR_USEC_PER_SEC);
|
|
server_->SendData(50);
|
|
client_->ReadBytes(50);
|
|
client_->SendData(50);
|
|
server_->ReadBytes(50);
|
|
|
|
AdvanceTime(10 * PR_USEC_PER_SEC);
|
|
EXPECT_EQ(SECSuccess, SSL_SendSessionTicket(server_->ssl_fd(), NULL, 0));
|
|
server_->SendData(100);
|
|
client_->ReadBytes(100);
|
|
Reset();
|
|
StartConnect();
|
|
|
|
client_->Set0RttEnabled(true);
|
|
server_->Set0RttEnabled(true);
|
|
ExpectResumption(RESUME_TICKET);
|
|
ZeroRttSendReceive(true, true);
|
|
Handshake();
|
|
ExpectEarlyDataAccepted(true);
|
|
CheckConnected();
|
|
SendReceive();
|
|
}
|
|
|
|
// Same, but with client authentication on the first connection.
|
|
TEST_F(TlsConnectStreamTls13, ZeroRttUsingLateTicketClientAuth) {
|
|
// Use a small-ish anti-replay window.
|
|
ResetAntiReplay(100 * PR_USEC_PER_MSEC);
|
|
RolloverAntiReplay();
|
|
|
|
ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
|
|
client_->SetupClientAuth();
|
|
server_->RequestClientAuth(true);
|
|
server_->Set0RttEnabled(true);
|
|
Connect();
|
|
CheckKeys();
|
|
|
|
// Now move time forward 30s and send a ticket.
|
|
AdvanceTime(30 * PR_USEC_PER_SEC);
|
|
EXPECT_EQ(SECSuccess, SSL_SendSessionTicket(server_->ssl_fd(), NULL, 0));
|
|
SendReceive();
|
|
Reset();
|
|
StartConnect();
|
|
|
|
client_->Set0RttEnabled(true);
|
|
server_->Set0RttEnabled(true);
|
|
ExpectResumption(RESUME_TICKET);
|
|
ZeroRttSendReceive(true, true);
|
|
Handshake();
|
|
ExpectEarlyDataAccepted(true);
|
|
CheckConnected();
|
|
SendReceive();
|
|
}
|
|
|
|
TEST_P(TlsConnectTls13, ZeroRttServerForgetTicket) {
|
|
SetupForZeroRtt();
|
|
client_->Set0RttEnabled(true);
|
|
server_->Set0RttEnabled(true);
|
|
ClearServerCache();
|
|
ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
|
|
ExpectResumption(RESUME_NONE);
|
|
ZeroRttSendReceive(true, false);
|
|
Handshake();
|
|
CheckConnected();
|
|
SendReceive();
|
|
}
|
|
|
|
TEST_P(TlsConnectTls13, ZeroRttServerOnly) {
|
|
ExpectResumption(RESUME_NONE);
|
|
server_->Set0RttEnabled(true);
|
|
StartConnect();
|
|
|
|
// Client sends ordinary ClientHello.
|
|
client_->Handshake();
|
|
|
|
// Verify that the server doesn't get data.
|
|
uint8_t buf[100];
|
|
PRInt32 rv = PR_Read(server_->ssl_fd(), buf, sizeof(buf));
|
|
EXPECT_EQ(SECFailure, rv);
|
|
EXPECT_EQ(PR_WOULD_BLOCK_ERROR, PORT_GetError());
|
|
|
|
// Now make sure that things complete.
|
|
Handshake();
|
|
CheckConnected();
|
|
SendReceive();
|
|
CheckKeys();
|
|
}
|
|
|
|
// Advancing time after sending the ClientHello means that the ticket age that
|
|
// arrives at the server is too low. The server then rejects early data if this
|
|
// delay exceeds half the anti-replay window.
|
|
TEST_P(TlsConnectTls13, ZeroRttRejectOldTicket) {
|
|
static const PRTime kWindow = 10 * PR_USEC_PER_SEC;
|
|
ResetAntiReplay(kWindow);
|
|
SetupForZeroRtt();
|
|
|
|
Reset();
|
|
StartConnect();
|
|
client_->Set0RttEnabled(true);
|
|
server_->Set0RttEnabled(true);
|
|
ExpectResumption(RESUME_TICKET);
|
|
ZeroRttSendReceive(true, false, [this]() {
|
|
AdvanceTime(1 + kWindow / 2);
|
|
return true;
|
|
});
|
|
Handshake();
|
|
ExpectEarlyDataAccepted(false);
|
|
CheckConnected();
|
|
SendReceive();
|
|
}
|
|
|
|
// In this test, we falsely inflate the estimate of the RTT by delaying the
|
|
// ServerHello on the first handshake. This results in the server estimating a
|
|
// higher value of the ticket age than the client ultimately provides. Add a
|
|
// small tolerance for variation in ticket age and the ticket will appear to
|
|
// arrive prematurely, causing the server to reject early data.
|
|
TEST_P(TlsConnectTls13, ZeroRttRejectPrematureTicket) {
|
|
static const PRTime kWindow = 10 * PR_USEC_PER_SEC;
|
|
ResetAntiReplay(kWindow);
|
|
ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
|
|
ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
|
|
server_->Set0RttEnabled(true);
|
|
StartConnect();
|
|
client_->Handshake(); // ClientHello
|
|
server_->Handshake(); // ServerHello
|
|
AdvanceTime(1 + kWindow / 2);
|
|
Handshake(); // Remainder of handshake
|
|
CheckConnected();
|
|
SendReceive();
|
|
CheckKeys();
|
|
|
|
Reset();
|
|
client_->Set0RttEnabled(true);
|
|
server_->Set0RttEnabled(true);
|
|
ExpectResumption(RESUME_TICKET);
|
|
ExpectEarlyDataAccepted(false);
|
|
StartConnect();
|
|
ZeroRttSendReceive(true, false);
|
|
Handshake();
|
|
CheckConnected();
|
|
SendReceive();
|
|
}
|
|
|
|
TEST_P(TlsConnectTls13, TestTls13ZeroRttAlpn) {
|
|
EnableAlpn();
|
|
SetupForZeroRtt();
|
|
EnableAlpn();
|
|
client_->Set0RttEnabled(true);
|
|
server_->Set0RttEnabled(true);
|
|
ExpectResumption(RESUME_TICKET);
|
|
ExpectEarlyDataAccepted(true);
|
|
ZeroRttSendReceive(true, true, [this]() {
|
|
client_->CheckAlpn(SSL_NEXT_PROTO_EARLY_VALUE, "a");
|
|
return true;
|
|
});
|
|
Handshake();
|
|
CheckConnected();
|
|
SendReceive();
|
|
CheckAlpn("a");
|
|
}
|
|
|
|
// NOTE: In this test and those below, the client always sends
|
|
// post-ServerHello alerts with the handshake keys, even if the server
|
|
// has accepted 0-RTT. In some cases, as with errors in
|
|
// EncryptedExtensions, the client can't know the server's behavior,
|
|
// and in others it's just simpler. What the server is expecting
|
|
// depends on whether it accepted 0-RTT or not. Eventually, we may
|
|
// make the server trial decrypt.
|
|
//
|
|
// Have the server negotiate a different ALPN value, and therefore
|
|
// reject 0-RTT.
|
|
TEST_P(TlsConnectTls13, TestTls13ZeroRttAlpnChangeServer) {
|
|
EnableAlpn();
|
|
SetupForZeroRtt();
|
|
static const uint8_t client_alpn[] = {0x01, 0x61, 0x01, 0x62}; // "a", "b"
|
|
static const uint8_t server_alpn[] = {0x01, 0x62}; // "b"
|
|
client_->EnableAlpn(client_alpn, sizeof(client_alpn));
|
|
server_->EnableAlpn(server_alpn, sizeof(server_alpn));
|
|
client_->Set0RttEnabled(true);
|
|
server_->Set0RttEnabled(true);
|
|
ExpectResumption(RESUME_TICKET);
|
|
ZeroRttSendReceive(true, false, [this]() {
|
|
client_->CheckAlpn(SSL_NEXT_PROTO_EARLY_VALUE, "a");
|
|
return true;
|
|
});
|
|
Handshake();
|
|
CheckConnected();
|
|
SendReceive();
|
|
CheckAlpn("b");
|
|
}
|
|
|
|
// Check that the client validates the ALPN selection of the server.
|
|
// Stomp the ALPN on the client after sending the ClientHello so
|
|
// that the server selection appears to be incorrect. The client
|
|
// should then fail the connection.
|
|
TEST_P(TlsConnectTls13, TestTls13ZeroRttNoAlpnServer) {
|
|
EnableAlpn();
|
|
SetupForZeroRtt();
|
|
client_->Set0RttEnabled(true);
|
|
server_->Set0RttEnabled(true);
|
|
EnableAlpn();
|
|
ExpectResumption(RESUME_TICKET);
|
|
ZeroRttSendReceive(true, true, [this]() {
|
|
PRUint8 b[] = {'b'};
|
|
client_->CheckAlpn(SSL_NEXT_PROTO_EARLY_VALUE, "a");
|
|
EXPECT_EQ(SECSuccess, SSLInt_Set0RttAlpn(client_->ssl_fd(), b, sizeof(b)));
|
|
client_->CheckAlpn(SSL_NEXT_PROTO_EARLY_VALUE, "b");
|
|
client_->ExpectSendAlert(kTlsAlertIllegalParameter);
|
|
return true;
|
|
});
|
|
if (variant_ == ssl_variant_stream) {
|
|
server_->ExpectSendAlert(kTlsAlertBadRecordMac);
|
|
Handshake();
|
|
server_->CheckErrorCode(SSL_ERROR_BAD_MAC_READ);
|
|
} else {
|
|
client_->Handshake();
|
|
}
|
|
client_->CheckErrorCode(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
|
|
}
|
|
|
|
// Set up with no ALPN and then set the client so it thinks it has ALPN.
|
|
// The server responds without the extension and the client returns an
|
|
// error.
|
|
TEST_P(TlsConnectTls13, TestTls13ZeroRttNoAlpnClient) {
|
|
SetupForZeroRtt();
|
|
client_->Set0RttEnabled(true);
|
|
server_->Set0RttEnabled(true);
|
|
ExpectResumption(RESUME_TICKET);
|
|
ZeroRttSendReceive(true, true, [this]() {
|
|
PRUint8 b[] = {'b'};
|
|
EXPECT_EQ(SECSuccess, SSLInt_Set0RttAlpn(client_->ssl_fd(), b, 1));
|
|
client_->CheckAlpn(SSL_NEXT_PROTO_EARLY_VALUE, "b");
|
|
client_->ExpectSendAlert(kTlsAlertIllegalParameter);
|
|
return true;
|
|
});
|
|
if (variant_ == ssl_variant_stream) {
|
|
server_->ExpectSendAlert(kTlsAlertBadRecordMac);
|
|
Handshake();
|
|
server_->CheckErrorCode(SSL_ERROR_BAD_MAC_READ);
|
|
} else {
|
|
client_->Handshake();
|
|
}
|
|
client_->CheckErrorCode(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
|
|
}
|
|
|
|
// Remove the old ALPN value and so the client will not offer early data.
|
|
TEST_P(TlsConnectTls13, TestTls13ZeroRttAlpnChangeBoth) {
|
|
EnableAlpn();
|
|
SetupForZeroRtt();
|
|
static const std::vector<uint8_t> alpn({0x01, 0x62}); // "b"
|
|
EnableAlpn(alpn);
|
|
client_->Set0RttEnabled(true);
|
|
server_->Set0RttEnabled(true);
|
|
ExpectResumption(RESUME_TICKET);
|
|
ZeroRttSendReceive(true, false, [this]() {
|
|
client_->CheckAlpn(SSL_NEXT_PROTO_NO_SUPPORT);
|
|
return false;
|
|
});
|
|
Handshake();
|
|
CheckConnected();
|
|
SendReceive();
|
|
CheckAlpn("b");
|
|
}
|
|
|
|
// The client should abort the connection when sending a 0-rtt handshake but
|
|
// the servers responds with a TLS 1.2 ServerHello. (no app data sent)
|
|
TEST_P(TlsConnectTls13, TestTls13ZeroRttDowngrade) {
|
|
ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
|
|
server_->Set0RttEnabled(true); // set ticket_allow_early_data
|
|
Connect();
|
|
|
|
SendReceive(); // Need to read so that we absorb the session tickets.
|
|
CheckKeys();
|
|
|
|
Reset();
|
|
ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
|
|
client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
|
|
SSL_LIBRARY_VERSION_TLS_1_3);
|
|
server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
|
|
SSL_LIBRARY_VERSION_TLS_1_2);
|
|
StartConnect();
|
|
// We will send the early data xtn without sending actual early data. Thus
|
|
// a 1.2 server shouldn't fail until the client sends an alert because the
|
|
// client sends end_of_early_data only after reading the server's flight.
|
|
client_->Set0RttEnabled(true);
|
|
|
|
client_->ExpectSendAlert(kTlsAlertIllegalParameter);
|
|
if (variant_ == ssl_variant_stream) {
|
|
server_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
|
|
}
|
|
client_->Handshake();
|
|
server_->Handshake();
|
|
ASSERT_TRUE_WAIT(
|
|
(client_->error_code() == SSL_ERROR_DOWNGRADE_WITH_EARLY_DATA), 2000);
|
|
|
|
// DTLS will timeout as we bump the epoch when installing the early app data
|
|
// cipher suite. Thus the encrypted alert will be ignored.
|
|
if (variant_ == ssl_variant_stream) {
|
|
// The client sends an encrypted alert message.
|
|
ASSERT_TRUE_WAIT(
|
|
(server_->error_code() == SSL_ERROR_RX_UNEXPECTED_APPLICATION_DATA),
|
|
2000);
|
|
}
|
|
}
|
|
|
|
// The client should abort the connection when sending a 0-rtt handshake but
|
|
// the servers responds with a TLS 1.2 ServerHello. (with app data)
|
|
TEST_P(TlsConnectTls13, TestTls13ZeroRttDowngradeEarlyData) {
|
|
const char* k0RttData = "ABCDEF";
|
|
const PRInt32 k0RttDataLen = static_cast<PRInt32>(strlen(k0RttData));
|
|
|
|
ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
|
|
server_->Set0RttEnabled(true); // set ticket_allow_early_data
|
|
Connect();
|
|
|
|
SendReceive(); // Need to read so that we absorb the session tickets.
|
|
CheckKeys();
|
|
|
|
Reset();
|
|
ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
|
|
client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
|
|
SSL_LIBRARY_VERSION_TLS_1_3);
|
|
server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
|
|
SSL_LIBRARY_VERSION_TLS_1_2);
|
|
StartConnect();
|
|
// Send the early data xtn in the CH, followed by early app data. The server
|
|
// will fail right after sending its flight, when receiving the early data.
|
|
client_->Set0RttEnabled(true);
|
|
client_->Handshake(); // Send ClientHello.
|
|
PRInt32 rv =
|
|
PR_Write(client_->ssl_fd(), k0RttData, k0RttDataLen); // 0-RTT write.
|
|
EXPECT_EQ(k0RttDataLen, rv);
|
|
|
|
if (variant_ == ssl_variant_stream) {
|
|
// When the server receives the early data, it will fail.
|
|
server_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
|
|
server_->Handshake(); // Consume ClientHello
|
|
EXPECT_EQ(TlsAgent::STATE_ERROR, server_->state());
|
|
server_->CheckErrorCode(SSL_ERROR_RX_UNEXPECTED_APPLICATION_DATA);
|
|
} else {
|
|
// If it's datagram, we just discard the early data.
|
|
server_->Handshake(); // Consume ClientHello
|
|
EXPECT_EQ(TlsAgent::STATE_CONNECTING, server_->state());
|
|
}
|
|
|
|
// The client now reads the ServerHello and fails.
|
|
ASSERT_EQ(TlsAgent::STATE_CONNECTING, client_->state());
|
|
client_->ExpectSendAlert(kTlsAlertIllegalParameter);
|
|
client_->Handshake();
|
|
client_->CheckErrorCode(SSL_ERROR_DOWNGRADE_WITH_EARLY_DATA);
|
|
}
|
|
|
|
TEST_P(TlsConnectTls13, SendTooMuchEarlyData) {
|
|
EnsureTlsSetup();
|
|
const char* big_message = "0123456789abcdef";
|
|
const size_t short_size = strlen(big_message) - 1;
|
|
const PRInt32 short_length = static_cast<PRInt32>(short_size);
|
|
EXPECT_EQ(SECSuccess,
|
|
SSL_SetMaxEarlyDataSize(server_->ssl_fd(),
|
|
static_cast<PRUint32>(short_size)));
|
|
SetupForZeroRtt();
|
|
|
|
client_->Set0RttEnabled(true);
|
|
server_->Set0RttEnabled(true);
|
|
ExpectResumption(RESUME_TICKET);
|
|
|
|
client_->Handshake();
|
|
CheckEarlyDataLimit(client_, short_size);
|
|
|
|
PRInt32 sent;
|
|
// Writing more than the limit will succeed in TLS, but fail in DTLS.
|
|
if (variant_ == ssl_variant_stream) {
|
|
sent = PR_Write(client_->ssl_fd(), big_message,
|
|
static_cast<PRInt32>(strlen(big_message)));
|
|
} else {
|
|
sent = PR_Write(client_->ssl_fd(), big_message,
|
|
static_cast<PRInt32>(strlen(big_message)));
|
|
EXPECT_GE(0, sent);
|
|
EXPECT_EQ(PR_WOULD_BLOCK_ERROR, PORT_GetError());
|
|
|
|
// Try an exact-sized write now.
|
|
sent = PR_Write(client_->ssl_fd(), big_message, short_length);
|
|
}
|
|
EXPECT_EQ(short_length, sent);
|
|
|
|
// Even a single octet write should now fail.
|
|
sent = PR_Write(client_->ssl_fd(), big_message, 1);
|
|
EXPECT_GE(0, sent);
|
|
EXPECT_EQ(PR_WOULD_BLOCK_ERROR, PORT_GetError());
|
|
|
|
// Process the ClientHello and read 0-RTT.
|
|
server_->Handshake();
|
|
CheckEarlyDataLimit(server_, short_size);
|
|
|
|
std::vector<uint8_t> buf(short_size + 1);
|
|
PRInt32 read = PR_Read(server_->ssl_fd(), buf.data(), buf.capacity());
|
|
EXPECT_EQ(short_length, read);
|
|
EXPECT_EQ(0, memcmp(big_message, buf.data(), short_size));
|
|
|
|
// Second read fails.
|
|
read = PR_Read(server_->ssl_fd(), buf.data(), buf.capacity());
|
|
EXPECT_EQ(SECFailure, read);
|
|
EXPECT_EQ(PR_WOULD_BLOCK_ERROR, PORT_GetError());
|
|
|
|
Handshake();
|
|
ExpectEarlyDataAccepted(true);
|
|
CheckConnected();
|
|
SendReceive();
|
|
}
|
|
|
|
TEST_P(TlsConnectTls13, ReceiveTooMuchEarlyData) {
|
|
EnsureTlsSetup();
|
|
|
|
const size_t limit = 5;
|
|
EXPECT_EQ(SECSuccess, SSL_SetMaxEarlyDataSize(server_->ssl_fd(), limit));
|
|
SetupForZeroRtt();
|
|
|
|
client_->Set0RttEnabled(true);
|
|
server_->Set0RttEnabled(true);
|
|
ExpectResumption(RESUME_TICKET);
|
|
|
|
client_->Handshake(); // Send ClientHello
|
|
CheckEarlyDataLimit(client_, limit);
|
|
|
|
server_->Handshake(); // Process ClientHello, send server flight.
|
|
|
|
// Lift the limit on the client.
|
|
EXPECT_EQ(SECSuccess,
|
|
SSLInt_SetSocketMaxEarlyDataSize(client_->ssl_fd(), 1000));
|
|
|
|
// Send message
|
|
const char* message = "0123456789abcdef";
|
|
const PRInt32 message_len = static_cast<PRInt32>(strlen(message));
|
|
EXPECT_EQ(message_len, PR_Write(client_->ssl_fd(), message, message_len));
|
|
|
|
if (variant_ == ssl_variant_stream) {
|
|
// This error isn't fatal for DTLS.
|
|
ExpectAlert(server_, kTlsAlertUnexpectedMessage);
|
|
}
|
|
|
|
server_->Handshake(); // This reads the early data and maybe throws an error.
|
|
if (variant_ == ssl_variant_stream) {
|
|
server_->CheckErrorCode(SSL_ERROR_TOO_MUCH_EARLY_DATA);
|
|
} else {
|
|
EXPECT_EQ(TlsAgent::STATE_CONNECTING, server_->state());
|
|
}
|
|
CheckEarlyDataLimit(server_, limit);
|
|
|
|
// Attempt to read early data. This will get an error.
|
|
std::vector<uint8_t> buf(strlen(message) + 1);
|
|
EXPECT_GT(0, PR_Read(server_->ssl_fd(), buf.data(), buf.capacity()));
|
|
if (variant_ == ssl_variant_stream) {
|
|
EXPECT_EQ(SSL_ERROR_HANDSHAKE_FAILED, PORT_GetError());
|
|
} else {
|
|
EXPECT_EQ(PR_WOULD_BLOCK_ERROR, PORT_GetError());
|
|
}
|
|
|
|
client_->Handshake(); // Process the server's first flight.
|
|
if (variant_ == ssl_variant_stream) {
|
|
client_->Handshake(); // Process the alert.
|
|
client_->CheckErrorCode(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT);
|
|
} else {
|
|
server_->Handshake(); // Finish connecting.
|
|
EXPECT_EQ(TlsAgent::STATE_CONNECTED, server_->state());
|
|
}
|
|
}
|
|
|
|
class PacketCoalesceFilter : public PacketFilter {
|
|
public:
|
|
PacketCoalesceFilter() : packet_data_() {}
|
|
|
|
void SendCoalesced(std::shared_ptr<TlsAgent> agent) {
|
|
agent->SendDirect(packet_data_);
|
|
}
|
|
|
|
protected:
|
|
PacketFilter::Action Filter(const DataBuffer& input,
|
|
DataBuffer* output) override {
|
|
packet_data_.Write(packet_data_.len(), input);
|
|
return DROP;
|
|
}
|
|
|
|
private:
|
|
DataBuffer packet_data_;
|
|
};
|
|
|
|
TEST_P(TlsConnectTls13, ZeroRttOrdering) {
|
|
SetupForZeroRtt();
|
|
client_->Set0RttEnabled(true);
|
|
server_->Set0RttEnabled(true);
|
|
ExpectResumption(RESUME_TICKET);
|
|
|
|
// Send out the ClientHello.
|
|
client_->Handshake();
|
|
|
|
// Now, coalesce the next three things from the client: early data, second
|
|
// flight and 1-RTT data.
|
|
auto coalesce = std::make_shared<PacketCoalesceFilter>();
|
|
client_->SetFilter(coalesce);
|
|
|
|
// Send (and hold) early data.
|
|
static const std::vector<uint8_t> early_data = {3, 2, 1};
|
|
EXPECT_EQ(static_cast<PRInt32>(early_data.size()),
|
|
PR_Write(client_->ssl_fd(), early_data.data(), early_data.size()));
|
|
|
|
// Send (and hold) the second client handshake flight.
|
|
// The client sends EndOfEarlyData after seeing the server Finished.
|
|
server_->Handshake();
|
|
client_->Handshake();
|
|
|
|
// Send (and hold) 1-RTT data.
|
|
static const std::vector<uint8_t> late_data = {7, 8, 9, 10};
|
|
EXPECT_EQ(static_cast<PRInt32>(late_data.size()),
|
|
PR_Write(client_->ssl_fd(), late_data.data(), late_data.size()));
|
|
|
|
// Now release them all at once.
|
|
coalesce->SendCoalesced(client_);
|
|
|
|
// Now ensure that the three steps are exposed in the right order on the
|
|
// server: delivery of early data, handshake callback, delivery of 1-RTT.
|
|
size_t step = 0;
|
|
server_->SetHandshakeCallback([&step](TlsAgent*) {
|
|
EXPECT_EQ(1U, step);
|
|
++step;
|
|
});
|
|
|
|
std::vector<uint8_t> buf(10);
|
|
PRInt32 read = PR_Read(server_->ssl_fd(), buf.data(), buf.size());
|
|
ASSERT_EQ(static_cast<PRInt32>(early_data.size()), read);
|
|
buf.resize(read);
|
|
EXPECT_EQ(early_data, buf);
|
|
EXPECT_EQ(0U, step);
|
|
++step;
|
|
|
|
// The third read should be after the handshake callback and should return the
|
|
// data that was sent after the handshake completed.
|
|
buf.resize(10);
|
|
read = PR_Read(server_->ssl_fd(), buf.data(), buf.size());
|
|
ASSERT_EQ(static_cast<PRInt32>(late_data.size()), read);
|
|
buf.resize(read);
|
|
EXPECT_EQ(late_data, buf);
|
|
EXPECT_EQ(2U, step);
|
|
}
|
|
|
|
// Early data remains available after the handshake completes for TLS.
|
|
TEST_F(TlsConnectStreamTls13, ZeroRttLateReadTls) {
|
|
SetupForZeroRtt();
|
|
client_->Set0RttEnabled(true);
|
|
server_->Set0RttEnabled(true);
|
|
ExpectResumption(RESUME_TICKET);
|
|
client_->Handshake(); // ClientHello
|
|
|
|
// Write some early data.
|
|
const uint8_t data[] = {1, 2, 3, 4, 5, 6, 7, 8};
|
|
PRInt32 rv = PR_Write(client_->ssl_fd(), data, sizeof(data));
|
|
EXPECT_EQ(static_cast<PRInt32>(sizeof(data)), rv);
|
|
|
|
// Consume the ClientHello and generate ServerHello..Finished.
|
|
server_->Handshake();
|
|
|
|
// Read some of the data.
|
|
std::vector<uint8_t> small_buffer(1 + sizeof(data) / 2);
|
|
rv = PR_Read(server_->ssl_fd(), small_buffer.data(), small_buffer.size());
|
|
EXPECT_EQ(static_cast<PRInt32>(small_buffer.size()), rv);
|
|
EXPECT_EQ(0, memcmp(data, small_buffer.data(), small_buffer.size()));
|
|
|
|
Handshake(); // Complete the handshake.
|
|
ExpectEarlyDataAccepted(true);
|
|
CheckConnected();
|
|
|
|
// After the handshake, it should be possible to read the remainder.
|
|
uint8_t big_buf[100];
|
|
rv = PR_Read(server_->ssl_fd(), big_buf, sizeof(big_buf));
|
|
EXPECT_EQ(static_cast<PRInt32>(sizeof(data) - small_buffer.size()), rv);
|
|
EXPECT_EQ(0, memcmp(&data[small_buffer.size()], big_buf,
|
|
sizeof(data) - small_buffer.size()));
|
|
|
|
// And that's all there is to read.
|
|
rv = PR_Read(server_->ssl_fd(), big_buf, sizeof(big_buf));
|
|
EXPECT_GT(0, rv);
|
|
EXPECT_EQ(PR_WOULD_BLOCK_ERROR, PORT_GetError());
|
|
}
|
|
|
|
// Early data that arrives before the handshake can be read after the handshake
|
|
// is complete.
|
|
TEST_F(TlsConnectDatagram13, ZeroRttLateReadDtls) {
|
|
SetupForZeroRtt();
|
|
client_->Set0RttEnabled(true);
|
|
server_->Set0RttEnabled(true);
|
|
ExpectResumption(RESUME_TICKET);
|
|
client_->Handshake(); // ClientHello
|
|
|
|
// Write some early data.
|
|
const uint8_t data[] = {1, 2, 3};
|
|
PRInt32 written = PR_Write(client_->ssl_fd(), data, sizeof(data));
|
|
EXPECT_EQ(static_cast<PRInt32>(sizeof(data)), written);
|
|
|
|
Handshake(); // Complete the handshake.
|
|
ExpectEarlyDataAccepted(true);
|
|
CheckConnected();
|
|
|
|
// Reading at the server should return the early data, which was buffered.
|
|
uint8_t buf[sizeof(data) + 1] = {0};
|
|
PRInt32 read = PR_Read(server_->ssl_fd(), buf, sizeof(buf));
|
|
EXPECT_EQ(static_cast<PRInt32>(sizeof(data)), read);
|
|
EXPECT_EQ(0, memcmp(data, buf, sizeof(data)));
|
|
}
|
|
|
|
class PacketHolder : public PacketFilter {
|
|
public:
|
|
PacketHolder() = default;
|
|
|
|
virtual Action Filter(const DataBuffer& input, DataBuffer* output) {
|
|
packet_ = input;
|
|
Disable();
|
|
return DROP;
|
|
}
|
|
|
|
const DataBuffer& packet() const { return packet_; }
|
|
|
|
private:
|
|
DataBuffer packet_;
|
|
};
|
|
|
|
// Early data that arrives late is discarded for DTLS.
|
|
TEST_F(TlsConnectDatagram13, ZeroRttLateArrivalDtls) {
|
|
SetupForZeroRtt();
|
|
client_->Set0RttEnabled(true);
|
|
server_->Set0RttEnabled(true);
|
|
ExpectResumption(RESUME_TICKET);
|
|
client_->Handshake(); // ClientHello
|
|
|
|
// Write some early data. Twice, so that we can read bits of it.
|
|
const uint8_t data[] = {1, 2, 3};
|
|
PRInt32 written = PR_Write(client_->ssl_fd(), data, sizeof(data));
|
|
EXPECT_EQ(static_cast<PRInt32>(sizeof(data)), written);
|
|
|
|
// Block and capture the next packet.
|
|
auto holder = std::make_shared<PacketHolder>();
|
|
client_->SetFilter(holder);
|
|
written = PR_Write(client_->ssl_fd(), data, sizeof(data));
|
|
EXPECT_EQ(static_cast<PRInt32>(sizeof(data)), written);
|
|
EXPECT_FALSE(holder->enabled()) << "the filter should disable itself";
|
|
|
|
// Consume the ClientHello and generate ServerHello..Finished.
|
|
server_->Handshake();
|
|
|
|
// Read some of the data.
|
|
std::vector<uint8_t> small_buffer(sizeof(data));
|
|
PRInt32 read =
|
|
PR_Read(server_->ssl_fd(), small_buffer.data(), small_buffer.size());
|
|
|
|
EXPECT_EQ(static_cast<PRInt32>(small_buffer.size()), read);
|
|
EXPECT_EQ(0, memcmp(data, small_buffer.data(), small_buffer.size()));
|
|
|
|
Handshake(); // Complete the handshake.
|
|
ExpectEarlyDataAccepted(true);
|
|
CheckConnected();
|
|
|
|
server_->SendDirect(holder->packet());
|
|
|
|
// Reading now should return nothing, even though a valid packet was
|
|
// delivered.
|
|
read = PR_Read(server_->ssl_fd(), small_buffer.data(), small_buffer.size());
|
|
EXPECT_GT(0, read);
|
|
EXPECT_EQ(PR_WOULD_BLOCK_ERROR, PORT_GetError());
|
|
}
|
|
|
|
// Early data reads in TLS should be coalesced.
|
|
TEST_F(TlsConnectStreamTls13, ZeroRttCoalesceReadTls) {
|
|
SetupForZeroRtt();
|
|
client_->Set0RttEnabled(true);
|
|
server_->Set0RttEnabled(true);
|
|
ExpectResumption(RESUME_TICKET);
|
|
client_->Handshake(); // ClientHello
|
|
|
|
// Write some early data. In two writes.
|
|
const uint8_t data[] = {1, 2, 3, 4, 5, 6};
|
|
PRInt32 written = PR_Write(client_->ssl_fd(), data, 1);
|
|
EXPECT_EQ(1, written);
|
|
|
|
written = PR_Write(client_->ssl_fd(), data + 1, sizeof(data) - 1);
|
|
EXPECT_EQ(static_cast<PRInt32>(sizeof(data) - 1), written);
|
|
|
|
// Consume the ClientHello and generate ServerHello..Finished.
|
|
server_->Handshake();
|
|
|
|
// Read all of the data.
|
|
std::vector<uint8_t> buffer(sizeof(data));
|
|
PRInt32 read = PR_Read(server_->ssl_fd(), buffer.data(), buffer.size());
|
|
EXPECT_EQ(static_cast<PRInt32>(sizeof(data)), read);
|
|
EXPECT_EQ(0, memcmp(data, buffer.data(), sizeof(data)));
|
|
|
|
Handshake(); // Complete the handshake.
|
|
ExpectEarlyDataAccepted(true);
|
|
CheckConnected();
|
|
}
|
|
|
|
// Early data reads in DTLS should not be coalesced.
|
|
TEST_F(TlsConnectDatagram13, ZeroRttNoCoalesceReadDtls) {
|
|
SetupForZeroRtt();
|
|
client_->Set0RttEnabled(true);
|
|
server_->Set0RttEnabled(true);
|
|
ExpectResumption(RESUME_TICKET);
|
|
client_->Handshake(); // ClientHello
|
|
|
|
// Write some early data. In two writes.
|
|
const uint8_t data[] = {1, 2, 3, 4, 5, 6};
|
|
PRInt32 written = PR_Write(client_->ssl_fd(), data, 1);
|
|
EXPECT_EQ(1, written);
|
|
|
|
written = PR_Write(client_->ssl_fd(), data + 1, sizeof(data) - 1);
|
|
EXPECT_EQ(static_cast<PRInt32>(sizeof(data) - 1), written);
|
|
|
|
// Consume the ClientHello and generate ServerHello..Finished.
|
|
server_->Handshake();
|
|
|
|
// Try to read all of the data.
|
|
std::vector<uint8_t> buffer(sizeof(data));
|
|
PRInt32 read = PR_Read(server_->ssl_fd(), buffer.data(), buffer.size());
|
|
EXPECT_EQ(1, read);
|
|
EXPECT_EQ(0, memcmp(data, buffer.data(), 1));
|
|
|
|
// Read the remainder.
|
|
read = PR_Read(server_->ssl_fd(), buffer.data(), buffer.size());
|
|
EXPECT_EQ(static_cast<PRInt32>(sizeof(data) - 1), read);
|
|
EXPECT_EQ(0, memcmp(data + 1, buffer.data(), sizeof(data) - 1));
|
|
|
|
Handshake(); // Complete the handshake.
|
|
ExpectEarlyDataAccepted(true);
|
|
CheckConnected();
|
|
}
|
|
|
|
// Early data reads in DTLS should fail if the buffer is too small.
|
|
TEST_F(TlsConnectDatagram13, ZeroRttShortReadDtls) {
|
|
SetupForZeroRtt();
|
|
client_->Set0RttEnabled(true);
|
|
server_->Set0RttEnabled(true);
|
|
ExpectResumption(RESUME_TICKET);
|
|
client_->Handshake(); // ClientHello
|
|
|
|
// Write some early data. In two writes.
|
|
const uint8_t data[] = {1, 2, 3, 4, 5, 6};
|
|
PRInt32 written = PR_Write(client_->ssl_fd(), data, sizeof(data));
|
|
EXPECT_EQ(static_cast<PRInt32>(sizeof(data)), written);
|
|
|
|
// Consume the ClientHello and generate ServerHello..Finished.
|
|
server_->Handshake();
|
|
|
|
// Try to read all of the data into a small buffer.
|
|
std::vector<uint8_t> buffer(sizeof(data));
|
|
PRInt32 read = PR_Read(server_->ssl_fd(), buffer.data(), 1);
|
|
EXPECT_GT(0, read);
|
|
EXPECT_EQ(SSL_ERROR_RX_SHORT_DTLS_READ, PORT_GetError());
|
|
|
|
// Read again with more space.
|
|
read = PR_Read(server_->ssl_fd(), buffer.data(), buffer.size());
|
|
EXPECT_EQ(static_cast<PRInt32>(sizeof(data)), read);
|
|
EXPECT_EQ(0, memcmp(data, buffer.data(), sizeof(data)));
|
|
|
|
Handshake(); // Complete the handshake.
|
|
ExpectEarlyDataAccepted(true);
|
|
CheckConnected();
|
|
}
|
|
|
|
// There are few ways in which TLS uses the clock and most of those operate on
|
|
// timescales that would be ridiculous to wait for in a test. This is the one
|
|
// test we have that uses the real clock. It tests that time passes by checking
|
|
// that a small sleep results in rejection of early data. 0-RTT has a
|
|
// configurable timer, which makes it ideal for this.
|
|
TEST_F(TlsConnectStreamTls13, TimePassesByDefault) {
|
|
// Calling EnsureTlsSetup() replaces the time function on client and server,
|
|
// and sets up anti-replay, which we don't want, so initialize each directly.
|
|
client_->EnsureTlsSetup();
|
|
server_->EnsureTlsSetup();
|
|
// StartConnect() calls EnsureTlsSetup(), so avoid that too.
|
|
client_->StartConnect();
|
|
server_->StartConnect();
|
|
|
|
// Set a tiny anti-replay window. This has to be at least 2 milliseconds to
|
|
// have any chance of being relevant as that is the smallest window that we
|
|
// can detect. Anything smaller rounds to zero.
|
|
static const unsigned int kTinyWindowMs = 5;
|
|
ResetAntiReplay(static_cast<PRTime>(kTinyWindowMs * PR_USEC_PER_MSEC));
|
|
server_->SetAntiReplayContext(anti_replay_);
|
|
|
|
ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
|
|
ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
|
|
server_->Set0RttEnabled(true);
|
|
Handshake();
|
|
CheckConnected();
|
|
SendReceive(); // Absorb a session ticket.
|
|
CheckKeys();
|
|
|
|
// Clear the first window.
|
|
PR_Sleep(PR_MillisecondsToInterval(kTinyWindowMs));
|
|
|
|
Reset();
|
|
client_->EnsureTlsSetup();
|
|
server_->EnsureTlsSetup();
|
|
client_->StartConnect();
|
|
server_->StartConnect();
|
|
|
|
// Early data is rejected by the server only if time passes for it as well.
|
|
client_->Set0RttEnabled(true);
|
|
server_->Set0RttEnabled(true);
|
|
ExpectResumption(RESUME_TICKET);
|
|
ZeroRttSendReceive(true, false, []() {
|
|
// Sleep long enough that we minimize the risk of our RTT estimation being
|
|
// duped by stutters in test execution. This is very long to allow for
|
|
// flaky and low-end hardware, especially what our CI runs on.
|
|
PR_Sleep(PR_MillisecondsToInterval(1000));
|
|
return true;
|
|
});
|
|
Handshake();
|
|
ExpectEarlyDataAccepted(false);
|
|
CheckConnected();
|
|
}
|
|
|
|
// Test that SSL_CreateAntiReplayContext doesn't pass bad inputs.
|
|
TEST_F(TlsConnectStreamTls13, BadAntiReplayArgs) {
|
|
SSLAntiReplayContext* p;
|
|
// Zero or negative window.
|
|
EXPECT_EQ(SECFailure, SSL_CreateAntiReplayContext(0, -1, 1, 1, &p));
|
|
EXPECT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError());
|
|
EXPECT_EQ(SECFailure, SSL_CreateAntiReplayContext(0, 0, 1, 1, &p));
|
|
EXPECT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError());
|
|
// Zero k.
|
|
EXPECT_EQ(SECFailure, SSL_CreateAntiReplayContext(0, 1, 0, 1, &p));
|
|
EXPECT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError());
|
|
// Zero bits.
|
|
EXPECT_EQ(SECFailure, SSL_CreateAntiReplayContext(0, 1, 1, 0, &p));
|
|
EXPECT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError());
|
|
EXPECT_EQ(SECFailure, SSL_CreateAntiReplayContext(0, 1, 1, 1, nullptr));
|
|
EXPECT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError());
|
|
|
|
// Prove that these parameters do work, even if they are useless..
|
|
EXPECT_EQ(SECSuccess, SSL_CreateAntiReplayContext(0, 1, 1, 1, &p));
|
|
ASSERT_NE(nullptr, p);
|
|
ScopedSSLAntiReplayContext ctx(p);
|
|
|
|
// The socket isn't a client or server until later, so configuring a client
|
|
// should work OK.
|
|
client_->EnsureTlsSetup();
|
|
EXPECT_EQ(SECSuccess, SSL_SetAntiReplayContext(client_->ssl_fd(), ctx.get()));
|
|
EXPECT_EQ(SECSuccess, SSL_SetAntiReplayContext(client_->ssl_fd(), nullptr));
|
|
}
|
|
|
|
// See also TlsConnectGenericResumption.ResumeServerIncompatibleCipher
|
|
TEST_P(TlsConnectTls13, ZeroRttDifferentCompatibleCipher) {
|
|
EnsureTlsSetup();
|
|
server_->EnableSingleCipher(TLS_AES_128_GCM_SHA256);
|
|
SetupForZeroRtt();
|
|
client_->Set0RttEnabled(true);
|
|
server_->Set0RttEnabled(true);
|
|
// Change the ciphersuite. Resumption is OK because the hash is the same, but
|
|
// early data will be rejected.
|
|
server_->EnableSingleCipher(TLS_CHACHA20_POLY1305_SHA256);
|
|
ExpectResumption(RESUME_TICKET);
|
|
|
|
StartConnect();
|
|
ZeroRttSendReceive(true, false);
|
|
|
|
Handshake();
|
|
ExpectEarlyDataAccepted(false);
|
|
CheckConnected();
|
|
SendReceive();
|
|
}
|
|
|
|
// See also TlsConnectGenericResumption.ResumeServerIncompatibleCipher
|
|
TEST_P(TlsConnectTls13, ZeroRttDifferentIncompatibleCipher) {
|
|
EnsureTlsSetup();
|
|
server_->EnableSingleCipher(TLS_AES_256_GCM_SHA384);
|
|
SetupForZeroRtt();
|
|
client_->Set0RttEnabled(true);
|
|
server_->Set0RttEnabled(true);
|
|
// Resumption is rejected because the hash is different.
|
|
server_->EnableSingleCipher(TLS_CHACHA20_POLY1305_SHA256);
|
|
ExpectResumption(RESUME_NONE);
|
|
|
|
StartConnect();
|
|
ZeroRttSendReceive(true, false);
|
|
|
|
Handshake();
|
|
ExpectEarlyDataAccepted(false);
|
|
CheckConnected();
|
|
SendReceive();
|
|
}
|
|
|
|
// The client failing to provide EndOfEarlyData results in failure.
|
|
// After 0-RTT working perfectly, things fall apart later.
|
|
// The server is unable to detect the change in keys, so it fails decryption.
|
|
// The client thinks everything has worked until it gets the alert.
|
|
TEST_F(TlsConnectStreamTls13, SuppressEndOfEarlyDataClientOnly) {
|
|
SetupForZeroRtt();
|
|
client_->Set0RttEnabled(true);
|
|
server_->Set0RttEnabled(true);
|
|
client_->SetOption(SSL_SUPPRESS_END_OF_EARLY_DATA, true);
|
|
ExpectResumption(RESUME_TICKET);
|
|
ZeroRttSendReceive(true, true);
|
|
ExpectAlert(server_, kTlsAlertBadRecordMac);
|
|
Handshake();
|
|
EXPECT_EQ(TlsAgent::STATE_CONNECTED, client_->state());
|
|
EXPECT_EQ(TlsAgent::STATE_ERROR, server_->state());
|
|
server_->CheckErrorCode(SSL_ERROR_BAD_MAC_READ);
|
|
client_->Handshake();
|
|
EXPECT_EQ(TlsAgent::STATE_ERROR, client_->state());
|
|
client_->CheckErrorCode(SSL_ERROR_BAD_MAC_ALERT);
|
|
}
|
|
|
|
TEST_P(TlsConnectGeneric, SuppressEndOfEarlyDataNoZeroRtt) {
|
|
EnsureTlsSetup();
|
|
client_->SetOption(SSL_SUPPRESS_END_OF_EARLY_DATA, true);
|
|
server_->SetOption(SSL_SUPPRESS_END_OF_EARLY_DATA, true);
|
|
Connect();
|
|
SendReceive();
|
|
}
|
|
|
|
#ifndef NSS_DISABLE_TLS_1_3
|
|
INSTANTIATE_TEST_SUITE_P(Tls13ZeroRttReplayTest, TlsZeroRttReplayTest,
|
|
TlsConnectTestBase::kTlsVariantsAll);
|
|
#endif
|
|
|
|
} // namespace nss_test
|