1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
5  * You can obtain one at http://mozilla.org/MPL/2.0/. */
6 
7 #include <functional>
8 #include <memory>
9 #include "secerr.h"
10 #include "ssl.h"
11 #include "sslerr.h"
12 #include "sslproto.h"
13 
14 extern "C" {
15 // This is not something that should make you happy.
16 #include "libssl_internals.h"
17 }
18 
19 #include "gtest_utils.h"
20 #include "tls_connect.h"
21 
22 namespace nss_test {
23 
24 // 1.3 is disabled in the next few tests because we don't
25 // presently support resumption in 1.3.
TEST_P(TlsConnectStreamPre13,RenegotiateClient)26 TEST_P(TlsConnectStreamPre13, RenegotiateClient) {
27   Connect();
28   server_->PrepareForRenegotiate();
29   client_->StartRenegotiate();
30   Handshake();
31   CheckConnected();
32 }
33 
TEST_P(TlsConnectStreamPre13,RenegotiateServer)34 TEST_P(TlsConnectStreamPre13, RenegotiateServer) {
35   Connect();
36   client_->PrepareForRenegotiate();
37   server_->StartRenegotiate();
38   Handshake();
39   CheckConnected();
40 }
41 
TEST_P(TlsConnectStreamPre13,RenegotiateRandoms)42 TEST_P(TlsConnectStreamPre13, RenegotiateRandoms) {
43   SSL3Random crand1, crand2, srand1, srand2;
44   Connect();
45   EXPECT_EQ(SECSuccess,
46             SSLInt_GetHandshakeRandoms(client_->ssl_fd(), crand1, srand1));
47 
48   // Renegotiate and check that both randoms have changed.
49   client_->PrepareForRenegotiate();
50   server_->StartRenegotiate();
51   Handshake();
52   CheckConnected();
53   EXPECT_EQ(SECSuccess,
54             SSLInt_GetHandshakeRandoms(client_->ssl_fd(), crand2, srand2));
55 
56   EXPECT_NE(0, memcmp(crand1, crand2, sizeof(SSL3Random)));
57   EXPECT_NE(0, memcmp(srand1, srand2, sizeof(SSL3Random)));
58 }
59 
60 // The renegotiation options shouldn't cause an error if TLS 1.3 is chosen.
TEST_F(TlsConnectTest,RenegotiationConfigTls13)61 TEST_F(TlsConnectTest, RenegotiationConfigTls13) {
62   EnsureTlsSetup();
63   ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
64   server_->SetOption(SSL_ENABLE_RENEGOTIATION, SSL_RENEGOTIATE_UNRESTRICTED);
65   server_->SetOption(SSL_REQUIRE_SAFE_NEGOTIATION, PR_TRUE);
66   Connect();
67   SendReceive();
68   CheckKeys();
69 }
70 
TEST_P(TlsConnectStream,ConnectTls10AndServerRenegotiateHigher)71 TEST_P(TlsConnectStream, ConnectTls10AndServerRenegotiateHigher) {
72   if (version_ == SSL_LIBRARY_VERSION_TLS_1_0) {
73     GTEST_SKIP();
74   }
75   // Set the client so it will accept any version from 1.0
76   // to |version_|.
77   client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_0, version_);
78   server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_0,
79                            SSL_LIBRARY_VERSION_TLS_1_0);
80   // Reset version so that the checks succeed.
81   uint16_t test_version = version_;
82   version_ = SSL_LIBRARY_VERSION_TLS_1_0;
83   Connect();
84 
85   // Now renegotiate, with the server being set to do
86   // |version_|.
87   client_->PrepareForRenegotiate();
88   server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_0, test_version);
89   // Reset version and cipher suite so that the preinfo callback
90   // doesn't fail.
91   server_->ResetPreliminaryInfo();
92   server_->StartRenegotiate();
93 
94   if (test_version >= SSL_LIBRARY_VERSION_TLS_1_3) {
95     ExpectAlert(server_, kTlsAlertUnexpectedMessage);
96   } else {
97     ExpectAlert(server_, kTlsAlertProtocolVersion);
98   }
99 
100   Handshake();
101   if (test_version >= SSL_LIBRARY_VERSION_TLS_1_3) {
102     // In TLS 1.3, the server detects this problem.
103     client_->CheckErrorCode(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT);
104     server_->CheckErrorCode(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED);
105   } else {
106     client_->CheckErrorCode(SSL_ERROR_PROTOCOL_VERSION_ALERT);
107     server_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_VERSION);
108   }
109 }
110 
TEST_P(TlsConnectStream,ConnectTls10AndClientRenegotiateHigher)111 TEST_P(TlsConnectStream, ConnectTls10AndClientRenegotiateHigher) {
112   if (version_ == SSL_LIBRARY_VERSION_TLS_1_0) {
113     GTEST_SKIP();
114   }
115   // Set the client so it will accept any version from 1.0
116   // to |version_|.
117   client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_0, version_);
118   server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_0,
119                            SSL_LIBRARY_VERSION_TLS_1_0);
120   // Reset version so that the checks succeed.
121   uint16_t test_version = version_;
122   version_ = SSL_LIBRARY_VERSION_TLS_1_0;
123   Connect();
124 
125   // Now renegotiate, with the server being set to do
126   // |version_|.
127   server_->PrepareForRenegotiate();
128   server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_0, test_version);
129   // Reset version and cipher suite so that the preinfo callback
130   // doesn't fail.
131   server_->ResetPreliminaryInfo();
132   client_->StartRenegotiate();
133   if (test_version >= SSL_LIBRARY_VERSION_TLS_1_3) {
134     ExpectAlert(server_, kTlsAlertUnexpectedMessage);
135   } else {
136     ExpectAlert(server_, kTlsAlertProtocolVersion);
137   }
138   Handshake();
139   if (test_version >= SSL_LIBRARY_VERSION_TLS_1_3) {
140     // In TLS 1.3, the server detects this problem.
141     client_->CheckErrorCode(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT);
142     server_->CheckErrorCode(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED);
143   } else {
144     client_->CheckErrorCode(SSL_ERROR_PROTOCOL_VERSION_ALERT);
145     server_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_VERSION);
146   }
147 }
148 
TEST_P(TlsConnectStream,ConnectAndServerRenegotiateLower)149 TEST_P(TlsConnectStream, ConnectAndServerRenegotiateLower) {
150   if (version_ == SSL_LIBRARY_VERSION_TLS_1_0) {
151     GTEST_SKIP();
152   }
153   Connect();
154 
155   // Now renegotiate with the server set to TLS 1.0.
156   client_->PrepareForRenegotiate();
157   server_->PrepareForRenegotiate();
158   client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_0, version_);
159   // Reset version and cipher suite so that the preinfo callback
160   // doesn't fail.
161   server_->ResetPreliminaryInfo();
162 
163   SECStatus rv = SSL_ReHandshake(server_->ssl_fd(), PR_TRUE);
164   if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) {
165     EXPECT_EQ(SECFailure, rv);
166     return;
167   }
168   ASSERT_EQ(SECSuccess, rv);
169 
170   // Now, before handshaking, tweak the server configuration.
171   server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_0,
172                            SSL_LIBRARY_VERSION_TLS_1_0);
173 
174   // The server should catch the own error.
175   ExpectAlert(server_, kTlsAlertProtocolVersion);
176 
177   Handshake();
178   client_->CheckErrorCode(SSL_ERROR_PROTOCOL_VERSION_ALERT);
179   server_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_VERSION);
180 }
181 
TEST_P(TlsConnectStream,ConnectAndServerWontRenegotiateLower)182 TEST_P(TlsConnectStream, ConnectAndServerWontRenegotiateLower) {
183   if (version_ == SSL_LIBRARY_VERSION_TLS_1_0) {
184     GTEST_SKIP();
185   }
186   Connect();
187 
188   // Now renegotiate with the server set to TLS 1.0.
189   client_->PrepareForRenegotiate();
190   server_->PrepareForRenegotiate();
191   client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_0, version_);
192   server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_0,
193                            SSL_LIBRARY_VERSION_TLS_1_0);
194   // Reset version and cipher suite so that the preinfo callback
195   // doesn't fail.
196   server_->ResetPreliminaryInfo();
197 
198   EXPECT_EQ(SECFailure, SSL_ReHandshake(server_->ssl_fd(), PR_TRUE));
199 }
200 
TEST_P(TlsConnectStream,ConnectAndClientWontRenegotiateLower)201 TEST_P(TlsConnectStream, ConnectAndClientWontRenegotiateLower) {
202   if (version_ == SSL_LIBRARY_VERSION_TLS_1_0) {
203     GTEST_SKIP();
204   }
205   Connect();
206 
207   // Now renegotiate with the client set to TLS 1.0.
208   client_->PrepareForRenegotiate();
209   server_->PrepareForRenegotiate();
210   server_->ResetPreliminaryInfo();
211   client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_0,
212                            SSL_LIBRARY_VERSION_TLS_1_0);
213   // The client will refuse to renegotiate down.
214   EXPECT_EQ(SECFailure, SSL_ReHandshake(client_->ssl_fd(), PR_TRUE));
215 }
216 
TEST_F(TlsConnectTest,Tls13RejectsRehandshakeClient)217 TEST_F(TlsConnectTest, Tls13RejectsRehandshakeClient) {
218   EnsureTlsSetup();
219   ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
220   Connect();
221   SECStatus rv = SSL_ReHandshake(client_->ssl_fd(), PR_TRUE);
222   EXPECT_EQ(SECFailure, rv);
223   EXPECT_EQ(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED, PORT_GetError());
224 }
225 
TEST_F(TlsConnectTest,Tls13RejectsRehandshakeServer)226 TEST_F(TlsConnectTest, Tls13RejectsRehandshakeServer) {
227   EnsureTlsSetup();
228   ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
229   Connect();
230   SECStatus rv = SSL_ReHandshake(server_->ssl_fd(), PR_TRUE);
231   EXPECT_EQ(SECFailure, rv);
232   EXPECT_EQ(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED, PORT_GetError());
233 }
234 
235 }  // namespace nss_test
236