1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this file,
5 * You can obtain one at http://mozilla.org/MPL/2.0/. */
6
7 #include "secerr.h"
8 #include "ssl.h"
9 #include "sslerr.h"
10 #include "sslproto.h"
11
12 extern "C" {
13 // This is not something that should make you happy.
14 #include "libssl_internals.h"
15 }
16
17 #include "gtest_utils.h"
18 #include "nss_scoped_ptrs.h"
19 #include "tls_connect.h"
20 #include "tls_filter.h"
21 #include "tls_parser.h"
22
23 namespace nss_test {
24
25 // All stream only tests; DTLS isn't supported yet.
26
TEST_F(TlsConnectTest,KeyUpdateClient)27 TEST_F(TlsConnectTest, KeyUpdateClient) {
28 ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
29 Connect();
30 EXPECT_EQ(SECSuccess, SSL_KeyUpdate(client_->ssl_fd(), PR_FALSE));
31 SendReceive(50);
32 SendReceive(60);
33 CheckEpochs(4, 3);
34 }
35
TEST_F(TlsConnectStreamTls13,KeyUpdateTooEarly_Client)36 TEST_F(TlsConnectStreamTls13, KeyUpdateTooEarly_Client) {
37 StartConnect();
38 auto filter = MakeTlsFilter<TlsEncryptedHandshakeMessageReplacer>(
39 server_, kTlsHandshakeFinished, kTlsHandshakeKeyUpdate);
40 filter->EnableDecryption();
41
42 client_->Handshake();
43 server_->Handshake();
44 ExpectAlert(client_, kTlsAlertUnexpectedMessage);
45 client_->Handshake();
46 client_->CheckErrorCode(SSL_ERROR_RX_UNEXPECTED_KEY_UPDATE);
47 server_->Handshake();
48 server_->CheckErrorCode(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT);
49 }
50
TEST_F(TlsConnectStreamTls13,KeyUpdateTooEarly_Server)51 TEST_F(TlsConnectStreamTls13, KeyUpdateTooEarly_Server) {
52 StartConnect();
53 auto filter = MakeTlsFilter<TlsEncryptedHandshakeMessageReplacer>(
54 client_, kTlsHandshakeFinished, kTlsHandshakeKeyUpdate);
55 filter->EnableDecryption();
56
57 client_->Handshake();
58 server_->Handshake();
59 client_->Handshake();
60 ExpectAlert(server_, kTlsAlertUnexpectedMessage);
61 server_->Handshake();
62 server_->CheckErrorCode(SSL_ERROR_RX_UNEXPECTED_KEY_UPDATE);
63 client_->Handshake();
64 client_->CheckErrorCode(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT);
65 }
66
TEST_F(TlsConnectTest,KeyUpdateClientRequestUpdate)67 TEST_F(TlsConnectTest, KeyUpdateClientRequestUpdate) {
68 ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
69 Connect();
70 EXPECT_EQ(SECSuccess, SSL_KeyUpdate(client_->ssl_fd(), PR_TRUE));
71 // SendReceive() only gives each peer one chance to read. This isn't enough
72 // when the read on one side generates another handshake message. A second
73 // read gives each peer an extra chance to consume the KeyUpdate.
74 SendReceive(50);
75 SendReceive(60); // Cumulative count.
76 CheckEpochs(4, 4);
77 }
78
TEST_F(TlsConnectTest,KeyUpdateServer)79 TEST_F(TlsConnectTest, KeyUpdateServer) {
80 ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
81 Connect();
82 EXPECT_EQ(SECSuccess, SSL_KeyUpdate(server_->ssl_fd(), PR_FALSE));
83 SendReceive(50);
84 SendReceive(60);
85 CheckEpochs(3, 4);
86 }
87
TEST_F(TlsConnectTest,KeyUpdateServerRequestUpdate)88 TEST_F(TlsConnectTest, KeyUpdateServerRequestUpdate) {
89 ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
90 Connect();
91 EXPECT_EQ(SECSuccess, SSL_KeyUpdate(server_->ssl_fd(), PR_TRUE));
92 SendReceive(50);
93 SendReceive(60);
94 CheckEpochs(4, 4);
95 }
96
TEST_F(TlsConnectTest,KeyUpdateConsecutiveRequests)97 TEST_F(TlsConnectTest, KeyUpdateConsecutiveRequests) {
98 ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
99 Connect();
100 EXPECT_EQ(SECSuccess, SSL_KeyUpdate(server_->ssl_fd(), PR_TRUE));
101 EXPECT_EQ(SECSuccess, SSL_KeyUpdate(server_->ssl_fd(), PR_TRUE));
102 SendReceive(50);
103 SendReceive(60);
104 // The server should have updated twice, but the client should have declined
105 // to respond to the second request from the server, since it doesn't send
106 // anything in between those two requests.
107 CheckEpochs(4, 5);
108 }
109
110 // Check that a local update can be immediately followed by a remotely triggered
111 // update even if there is no use of the keys.
TEST_F(TlsConnectTest,KeyUpdateLocalUpdateThenConsecutiveRequests)112 TEST_F(TlsConnectTest, KeyUpdateLocalUpdateThenConsecutiveRequests) {
113 ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
114 Connect();
115 // This should trigger an update on the client.
116 EXPECT_EQ(SECSuccess, SSL_KeyUpdate(client_->ssl_fd(), PR_FALSE));
117 // The client should update for the first request.
118 EXPECT_EQ(SECSuccess, SSL_KeyUpdate(server_->ssl_fd(), PR_TRUE));
119 // ...but not the second.
120 EXPECT_EQ(SECSuccess, SSL_KeyUpdate(server_->ssl_fd(), PR_TRUE));
121 SendReceive(50);
122 SendReceive(60);
123 // Both should have updated twice.
124 CheckEpochs(5, 5);
125 }
126
TEST_F(TlsConnectTest,KeyUpdateMultiple)127 TEST_F(TlsConnectTest, KeyUpdateMultiple) {
128 ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
129 Connect();
130 EXPECT_EQ(SECSuccess, SSL_KeyUpdate(server_->ssl_fd(), PR_FALSE));
131 EXPECT_EQ(SECSuccess, SSL_KeyUpdate(server_->ssl_fd(), PR_TRUE));
132 EXPECT_EQ(SECSuccess, SSL_KeyUpdate(server_->ssl_fd(), PR_FALSE));
133 EXPECT_EQ(SECSuccess, SSL_KeyUpdate(client_->ssl_fd(), PR_FALSE));
134 SendReceive(50);
135 SendReceive(60);
136 CheckEpochs(5, 6);
137 }
138
139 // Both ask the other for an update, and both should react.
TEST_F(TlsConnectTest,KeyUpdateBothRequest)140 TEST_F(TlsConnectTest, KeyUpdateBothRequest) {
141 ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
142 Connect();
143 EXPECT_EQ(SECSuccess, SSL_KeyUpdate(client_->ssl_fd(), PR_TRUE));
144 EXPECT_EQ(SECSuccess, SSL_KeyUpdate(server_->ssl_fd(), PR_TRUE));
145 SendReceive(50);
146 SendReceive(60);
147 CheckEpochs(5, 5);
148 }
149
150 // If the sequence number exceeds the number of writes before an automatic
151 // update (currently 3/4 of the max records for the cipher suite), then the
152 // stack should send an update automatically (but not request one).
TEST_F(TlsConnectTest,KeyUpdateAutomaticOnWrite)153 TEST_F(TlsConnectTest, KeyUpdateAutomaticOnWrite) {
154 ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
155 ConnectWithCipherSuite(TLS_AES_128_GCM_SHA256);
156
157 // Set this to one below the write threshold.
158 uint64_t threshold = (0x5aULL << 28) * 3 / 4;
159 EXPECT_EQ(SECSuccess,
160 SSLInt_AdvanceWriteSeqNum(client_->ssl_fd(), threshold));
161 EXPECT_EQ(SECSuccess, SSLInt_AdvanceReadSeqNum(server_->ssl_fd(), threshold));
162
163 // This should be OK.
164 client_->SendData(10);
165 server_->ReadBytes();
166
167 // This should cause the client to update.
168 client_->SendData(10);
169 server_->ReadBytes();
170
171 SendReceive(100);
172 CheckEpochs(4, 3);
173 }
174
175 // If the sequence number exceeds a certain number of reads (currently 7/8 of
176 // the max records for the cipher suite), then the stack should send AND request
177 // an update automatically. However, the sender (client) will be above its
178 // automatic update threshold, so the KeyUpdate - that it sends with the old
179 // cipher spec - will exceed the receiver (server) automatic update threshold.
180 // The receiver gets a packet with a sequence number over its automatic read
181 // update threshold. Even though the sender has updated, the code that checks
182 // the sequence numbers at the receiver doesn't know this and it will request an
183 // update. This causes two updates: one from the sender (without requesting a
184 // response) and one from the receiver (which does request a response).
TEST_F(TlsConnectTest,KeyUpdateAutomaticOnRead)185 TEST_F(TlsConnectTest, KeyUpdateAutomaticOnRead) {
186 ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
187 ConnectWithCipherSuite(TLS_AES_128_GCM_SHA256);
188
189 // Move to right at the read threshold. Unlike the write test, we can't send
190 // packets because that would cause the client to update, which would spoil
191 // the test.
192 uint64_t threshold = ((0x5aULL << 28) * 7 / 8) + 1;
193 EXPECT_EQ(SECSuccess,
194 SSLInt_AdvanceWriteSeqNum(client_->ssl_fd(), threshold));
195 EXPECT_EQ(SECSuccess, SSLInt_AdvanceReadSeqNum(server_->ssl_fd(), threshold));
196
197 // This should cause the client to update, but not early enough to prevent the
198 // server from updating also.
199 client_->SendData(10);
200 server_->ReadBytes();
201
202 // Need two SendReceive() calls to ensure that the update that the server
203 // requested is properly generated and consumed.
204 SendReceive(70);
205 SendReceive(80);
206 CheckEpochs(5, 4);
207 }
208
209 } // namespace nss_test
210