1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this file,
5 * You can obtain one at http://mozilla.org/MPL/2.0/. */
6
7 #include "secerr.h"
8 #include "ssl.h"
9 #include "sslerr.h"
10 #include "sslproto.h"
11
12 extern "C" {
13 // This is not something that should make you happy.
14 #include "libssl_internals.h"
15 }
16
17 #include "gtest_utils.h"
18 #include "scoped_ptrs.h"
19 #include "tls_connect.h"
20 #include "tls_filter.h"
21 #include "tls_parser.h"
22
23 namespace nss_test {
24
TEST_P(TlsConnectGeneric,ServerAuthBigRsa)25 TEST_P(TlsConnectGeneric, ServerAuthBigRsa) {
26 Reset(TlsAgent::kRsa2048);
27 Connect();
28 CheckKeys();
29 }
30
TEST_P(TlsConnectGeneric,ServerAuthRsaChain)31 TEST_P(TlsConnectGeneric, ServerAuthRsaChain) {
32 Reset(TlsAgent::kServerRsaChain);
33 Connect();
34 CheckKeys();
35 size_t chain_length;
36 EXPECT_TRUE(client_->GetPeerChainLength(&chain_length));
37 EXPECT_EQ(2UL, chain_length);
38 }
39
TEST_P(TlsConnectGeneric,ClientAuth)40 TEST_P(TlsConnectGeneric, ClientAuth) {
41 client_->SetupClientAuth();
42 server_->RequestClientAuth(true);
43 Connect();
44 CheckKeys();
45 }
46
47 // In TLS 1.3, the client sends its cert rejection on the
48 // second flight, and since it has already received the
49 // server's Finished, it transitions to complete and
50 // then gets an alert from the server. The test harness
51 // doesn't handle this right yet.
TEST_P(TlsConnectStream,DISABLED_ClientAuthRequiredRejected)52 TEST_P(TlsConnectStream, DISABLED_ClientAuthRequiredRejected) {
53 server_->RequestClientAuth(true);
54 ConnectExpectFail();
55 }
56
TEST_P(TlsConnectGeneric,ClientAuthRequestedRejected)57 TEST_P(TlsConnectGeneric, ClientAuthRequestedRejected) {
58 server_->RequestClientAuth(false);
59 Connect();
60 CheckKeys();
61 }
62
TEST_P(TlsConnectGeneric,ClientAuthEcdsa)63 TEST_P(TlsConnectGeneric, ClientAuthEcdsa) {
64 Reset(TlsAgent::kServerEcdsa256);
65 client_->SetupClientAuth();
66 server_->RequestClientAuth(true);
67 Connect();
68 CheckKeys(ssl_kea_ecdh, ssl_auth_ecdsa);
69 }
70
TEST_P(TlsConnectGeneric,ClientAuthBigRsa)71 TEST_P(TlsConnectGeneric, ClientAuthBigRsa) {
72 Reset(TlsAgent::kServerRsa, TlsAgent::kRsa2048);
73 client_->SetupClientAuth();
74 server_->RequestClientAuth(true);
75 Connect();
76 CheckKeys();
77 }
78
79 // Offset is the position in the captured buffer where the signature sits.
CheckSigScheme(TlsInspectorRecordHandshakeMessage * capture,size_t offset,TlsAgent * peer,uint16_t expected_scheme,size_t expected_size)80 static void CheckSigScheme(TlsInspectorRecordHandshakeMessage* capture,
81 size_t offset, TlsAgent* peer,
82 uint16_t expected_scheme, size_t expected_size) {
83 EXPECT_LT(offset + 2U, capture->buffer().len());
84
85 uint32_t scheme = 0;
86 capture->buffer().Read(offset, 2, &scheme);
87 EXPECT_EQ(expected_scheme, static_cast<uint16_t>(scheme));
88
89 ScopedCERTCertificate remote_cert(SSL_PeerCertificate(peer->ssl_fd()));
90 ScopedSECKEYPublicKey remote_key(CERT_ExtractPublicKey(remote_cert.get()));
91 EXPECT_EQ(expected_size, SECKEY_PublicKeyStrengthInBits(remote_key.get()));
92 }
93
94 // The server should prefer SHA-256 by default, even for the small key size used
95 // in the default certificate.
TEST_P(TlsConnectTls12,ServerAuthCheckSigAlg)96 TEST_P(TlsConnectTls12, ServerAuthCheckSigAlg) {
97 EnsureTlsSetup();
98 auto capture_ske =
99 new TlsInspectorRecordHandshakeMessage(kTlsHandshakeServerKeyExchange);
100 server_->SetPacketFilter(capture_ske);
101 Connect();
102 CheckKeys();
103
104 const DataBuffer& buffer = capture_ske->buffer();
105 EXPECT_LT(3U, buffer.len());
106 EXPECT_EQ(3U, buffer.data()[0]) << "curve_type == named_curve";
107 uint32_t tmp;
108 EXPECT_TRUE(buffer.Read(1, 2, &tmp)) << "read NamedCurve";
109 EXPECT_EQ(ssl_grp_ec_curve25519, tmp);
110 EXPECT_TRUE(buffer.Read(3, 1, &tmp)) << " read ECPoint";
111 CheckSigScheme(capture_ske, 4 + tmp, client_, ssl_sig_rsa_pss_sha256, 1024);
112 }
113
TEST_P(TlsConnectTls12,ClientAuthCheckSigAlg)114 TEST_P(TlsConnectTls12, ClientAuthCheckSigAlg) {
115 EnsureTlsSetup();
116 auto capture_cert_verify =
117 new TlsInspectorRecordHandshakeMessage(kTlsHandshakeCertificateVerify);
118 client_->SetPacketFilter(capture_cert_verify);
119 client_->SetupClientAuth();
120 server_->RequestClientAuth(true);
121 Connect();
122 CheckKeys();
123
124 CheckSigScheme(capture_cert_verify, 0, server_, ssl_sig_rsa_pkcs1_sha1, 1024);
125 }
126
TEST_P(TlsConnectTls12,ClientAuthBigRsaCheckSigAlg)127 TEST_P(TlsConnectTls12, ClientAuthBigRsaCheckSigAlg) {
128 Reset(TlsAgent::kServerRsa, TlsAgent::kRsa2048);
129 auto capture_cert_verify =
130 new TlsInspectorRecordHandshakeMessage(kTlsHandshakeCertificateVerify);
131 client_->SetPacketFilter(capture_cert_verify);
132 client_->SetupClientAuth();
133 server_->RequestClientAuth(true);
134 Connect();
135 CheckKeys();
136 CheckSigScheme(capture_cert_verify, 0, server_, ssl_sig_rsa_pss_sha256, 2048);
137 }
138
139 static const SSLSignatureScheme SignatureSchemeEcdsaSha384[] = {
140 ssl_sig_ecdsa_secp384r1_sha384};
141 static const SSLSignatureScheme SignatureSchemeEcdsaSha256[] = {
142 ssl_sig_ecdsa_secp256r1_sha256};
143 static const SSLSignatureScheme SignatureSchemeRsaSha384[] = {
144 ssl_sig_rsa_pkcs1_sha384};
145 static const SSLSignatureScheme SignatureSchemeRsaSha256[] = {
146 ssl_sig_rsa_pkcs1_sha256};
147
NamedGroupForEcdsa384(uint16_t version)148 static SSLNamedGroup NamedGroupForEcdsa384(uint16_t version) {
149 // NSS tries to match the group size to the symmetric cipher. In TLS 1.1 and
150 // 1.0, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is the highest priority suite, so
151 // we use P-384. With TLS 1.2 on we pick AES-128 GCM so use x25519.
152 if (version <= SSL_LIBRARY_VERSION_TLS_1_1) {
153 return ssl_grp_ec_secp384r1;
154 }
155 return ssl_grp_ec_curve25519;
156 }
157
158 // When signature algorithms match up, this should connect successfully; even
159 // for TLS 1.1 and 1.0, where they should be ignored.
TEST_P(TlsConnectGeneric,SignatureAlgorithmServerAuth)160 TEST_P(TlsConnectGeneric, SignatureAlgorithmServerAuth) {
161 Reset(TlsAgent::kServerEcdsa384);
162 client_->SetSignatureSchemes(SignatureSchemeEcdsaSha384,
163 PR_ARRAY_SIZE(SignatureSchemeEcdsaSha384));
164 server_->SetSignatureSchemes(SignatureSchemeEcdsaSha384,
165 PR_ARRAY_SIZE(SignatureSchemeEcdsaSha384));
166 Connect();
167 CheckKeys(ssl_kea_ecdh, NamedGroupForEcdsa384(version_), ssl_auth_ecdsa,
168 ssl_sig_ecdsa_secp384r1_sha384);
169 }
170
171 // Here the client picks a single option, which should work in all versions.
172 // Defaults on the server include the first option.
TEST_P(TlsConnectGeneric,SignatureAlgorithmClientOnly)173 TEST_P(TlsConnectGeneric, SignatureAlgorithmClientOnly) {
174 const SSLSignatureAndHashAlg clientAlgorithms[] = {
175 {ssl_hash_sha384, ssl_sign_ecdsa},
176 {ssl_hash_sha384, ssl_sign_rsa}, // supported but unusable
177 {ssl_hash_md5, ssl_sign_ecdsa} // unsupported and ignored
178 };
179 Reset(TlsAgent::kServerEcdsa384);
180 EnsureTlsSetup();
181 // Use the old API for this function.
182 EXPECT_EQ(SECSuccess,
183 SSL_SignaturePrefSet(client_->ssl_fd(), clientAlgorithms,
184 PR_ARRAY_SIZE(clientAlgorithms)));
185 Connect();
186 CheckKeys(ssl_kea_ecdh, NamedGroupForEcdsa384(version_), ssl_auth_ecdsa,
187 ssl_sig_ecdsa_secp384r1_sha384);
188 }
189
190 // Here the server picks a single option, which should work in all versions.
191 // Defaults on the client include the provided option.
TEST_P(TlsConnectGeneric,SignatureAlgorithmServerOnly)192 TEST_P(TlsConnectGeneric, SignatureAlgorithmServerOnly) {
193 Reset(TlsAgent::kServerEcdsa384);
194 server_->SetSignatureSchemes(SignatureSchemeEcdsaSha384,
195 PR_ARRAY_SIZE(SignatureSchemeEcdsaSha384));
196 Connect();
197 CheckKeys(ssl_kea_ecdh, NamedGroupForEcdsa384(version_), ssl_auth_ecdsa,
198 ssl_sig_ecdsa_secp384r1_sha384);
199 }
200
201 // In TLS 1.2, curve and hash aren't bound together.
TEST_P(TlsConnectTls12,SignatureSchemeCurveMismatch)202 TEST_P(TlsConnectTls12, SignatureSchemeCurveMismatch) {
203 Reset(TlsAgent::kServerEcdsa256);
204 client_->SetSignatureSchemes(SignatureSchemeEcdsaSha384,
205 PR_ARRAY_SIZE(SignatureSchemeEcdsaSha384));
206 Connect();
207 }
208
209 // In TLS 1.3, curve and hash are coupled.
TEST_P(TlsConnectTls13,SignatureSchemeCurveMismatch)210 TEST_P(TlsConnectTls13, SignatureSchemeCurveMismatch) {
211 Reset(TlsAgent::kServerEcdsa256);
212 client_->SetSignatureSchemes(SignatureSchemeEcdsaSha384,
213 PR_ARRAY_SIZE(SignatureSchemeEcdsaSha384));
214 ConnectExpectFail();
215 server_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM);
216 client_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP);
217 }
218
219 // Configuring a P-256 cert with only SHA-384 signatures is OK in TLS 1.2.
TEST_P(TlsConnectTls12,SignatureSchemeBadConfig)220 TEST_P(TlsConnectTls12, SignatureSchemeBadConfig) {
221 Reset(TlsAgent::kServerEcdsa256); // P-256 cert can't be used.
222 server_->SetSignatureSchemes(SignatureSchemeEcdsaSha384,
223 PR_ARRAY_SIZE(SignatureSchemeEcdsaSha384));
224 Connect();
225 }
226
227 // A P-256 certificate in TLS 1.3 needs a SHA-256 signature scheme.
TEST_P(TlsConnectTls13,SignatureSchemeBadConfig)228 TEST_P(TlsConnectTls13, SignatureSchemeBadConfig) {
229 Reset(TlsAgent::kServerEcdsa256); // P-256 cert can't be used.
230 server_->SetSignatureSchemes(SignatureSchemeEcdsaSha384,
231 PR_ARRAY_SIZE(SignatureSchemeEcdsaSha384));
232 ConnectExpectFail();
233 server_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM);
234 client_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP);
235 }
236
237 // Where there is no overlap on signature schemes, we still connect successfully
238 // if we aren't going to use a signature.
TEST_P(TlsConnectGenericPre13,SignatureAlgorithmNoOverlapStaticRsa)239 TEST_P(TlsConnectGenericPre13, SignatureAlgorithmNoOverlapStaticRsa) {
240 client_->SetSignatureSchemes(SignatureSchemeRsaSha384,
241 PR_ARRAY_SIZE(SignatureSchemeRsaSha384));
242 server_->SetSignatureSchemes(SignatureSchemeRsaSha256,
243 PR_ARRAY_SIZE(SignatureSchemeRsaSha256));
244 EnableOnlyStaticRsaCiphers();
245 Connect();
246 CheckKeys(ssl_kea_rsa, ssl_auth_rsa_decrypt);
247 }
248
TEST_P(TlsConnectTls12Plus,SignatureAlgorithmNoOverlapEcdsa)249 TEST_P(TlsConnectTls12Plus, SignatureAlgorithmNoOverlapEcdsa) {
250 Reset(TlsAgent::kServerEcdsa256);
251 client_->SetSignatureSchemes(SignatureSchemeEcdsaSha384,
252 PR_ARRAY_SIZE(SignatureSchemeEcdsaSha384));
253 server_->SetSignatureSchemes(SignatureSchemeEcdsaSha256,
254 PR_ARRAY_SIZE(SignatureSchemeEcdsaSha256));
255 ConnectExpectFail();
256 client_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP);
257 server_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM);
258 }
259
260 // Pre 1.2, a mismatch on signature algorithms shouldn't affect anything.
TEST_P(TlsConnectPre12,SignatureAlgorithmNoOverlapEcdsa)261 TEST_P(TlsConnectPre12, SignatureAlgorithmNoOverlapEcdsa) {
262 Reset(TlsAgent::kServerEcdsa256);
263 client_->SetSignatureSchemes(SignatureSchemeEcdsaSha384,
264 PR_ARRAY_SIZE(SignatureSchemeEcdsaSha384));
265 server_->SetSignatureSchemes(SignatureSchemeEcdsaSha256,
266 PR_ARRAY_SIZE(SignatureSchemeEcdsaSha256));
267 Connect();
268 }
269
270 // The signature_algorithms extension is mandatory in TLS 1.3.
TEST_P(TlsConnectTls13,SignatureAlgorithmDrop)271 TEST_P(TlsConnectTls13, SignatureAlgorithmDrop) {
272 client_->SetPacketFilter(
273 new TlsExtensionDropper(ssl_signature_algorithms_xtn));
274 ConnectExpectFail();
275 client_->CheckErrorCode(SSL_ERROR_MISSING_EXTENSION_ALERT);
276 server_->CheckErrorCode(SSL_ERROR_MISSING_SIGNATURE_ALGORITHMS_EXTENSION);
277 }
278
279 // TLS 1.2 has trouble detecting this sort of modification: it uses SHA1 and
280 // only fails when the Finished is checked.
TEST_P(TlsConnectTls12,SignatureAlgorithmDrop)281 TEST_P(TlsConnectTls12, SignatureAlgorithmDrop) {
282 client_->SetPacketFilter(
283 new TlsExtensionDropper(ssl_signature_algorithms_xtn));
284 ConnectExpectFail();
285 client_->CheckErrorCode(SSL_ERROR_DECRYPT_ERROR_ALERT);
286 server_->CheckErrorCode(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
287 }
288
TEST_P(TlsConnectTls12Plus,RequestClientAuthWithSha384)289 TEST_P(TlsConnectTls12Plus, RequestClientAuthWithSha384) {
290 server_->SetSignatureSchemes(SignatureSchemeRsaSha384,
291 PR_ARRAY_SIZE(SignatureSchemeRsaSha384));
292 server_->RequestClientAuth(false);
293 Connect();
294 }
295
296 class BeforeFinished : public TlsRecordFilter {
297 private:
298 enum HandshakeState { BEFORE_CCS, AFTER_CCS, DONE };
299
300 public:
BeforeFinished(TlsAgent * client,TlsAgent * server,VoidFunction before_ccs,VoidFunction before_finished)301 BeforeFinished(TlsAgent* client, TlsAgent* server, VoidFunction before_ccs,
302 VoidFunction before_finished)
303 : client_(client),
304 server_(server),
305 before_ccs_(before_ccs),
306 before_finished_(before_finished),
307 state_(BEFORE_CCS) {}
308
309 protected:
FilterRecord(const RecordHeader & header,const DataBuffer & body,DataBuffer * out)310 virtual PacketFilter::Action FilterRecord(const RecordHeader& header,
311 const DataBuffer& body,
312 DataBuffer* out) {
313 switch (state_) {
314 case BEFORE_CCS:
315 // Awaken when we see the CCS.
316 if (header.content_type() == kTlsChangeCipherSpecType) {
317 before_ccs_();
318
319 // Write the CCS out as a separate write, so that we can make
320 // progress. Ordinarily, libssl sends the CCS and Finished together,
321 // but that means that they both get processed together.
322 DataBuffer ccs;
323 header.Write(&ccs, 0, body);
324 server_->SendDirect(ccs);
325 client_->Handshake();
326 state_ = AFTER_CCS;
327 // Request that the original record be dropped by the filter.
328 return DROP;
329 }
330 break;
331
332 case AFTER_CCS:
333 EXPECT_EQ(kTlsHandshakeType, header.content_type());
334 // This could check that data contains a Finished message, but it's
335 // encrypted, so that's too much extra work.
336
337 before_finished_();
338 state_ = DONE;
339 break;
340
341 case DONE:
342 break;
343 }
344 return KEEP;
345 }
346
347 private:
348 TlsAgent* client_;
349 TlsAgent* server_;
350 VoidFunction before_ccs_;
351 VoidFunction before_finished_;
352 HandshakeState state_;
353 };
354
355 // Running code after the client has started processing the encrypted part of
356 // the server's first flight, but before the Finished is processed is very hard
357 // in TLS 1.3. These encrypted messages are sent in a single encrypted blob.
358 // The following test uses DTLS to make it possible to force the client to
359 // process the handshake in pieces.
360 //
361 // The first encrypted message from the server is dropped, and the MTU is
362 // reduced to just below the original message size so that the server sends two
363 // messages. The Finished message is then processed separately.
364 class BeforeFinished13 : public PacketFilter {
365 private:
366 enum HandshakeState {
367 INIT,
368 BEFORE_FIRST_FRAGMENT,
369 BEFORE_SECOND_FRAGMENT,
370 DONE
371 };
372
373 public:
BeforeFinished13(TlsAgent * client,TlsAgent * server,VoidFunction before_finished)374 BeforeFinished13(TlsAgent* client, TlsAgent* server,
375 VoidFunction before_finished)
376 : client_(client),
377 server_(server),
378 before_finished_(before_finished),
379 records_(0) {}
380
381 protected:
Filter(const DataBuffer & input,DataBuffer * output)382 virtual PacketFilter::Action Filter(const DataBuffer& input,
383 DataBuffer* output) {
384 switch (++records_) {
385 case 1:
386 // Packet 1 is the server's entire first flight. Drop it.
387 EXPECT_EQ(SECSuccess,
388 SSLInt_SetMTU(server_->ssl_fd(), input.len() - 1));
389 return DROP;
390
391 // Packet 2 is the first part of the server's retransmitted first
392 // flight. Keep that.
393
394 case 3:
395 // Packet 3 is the second part of the server's retransmitted first
396 // flight. Before passing that on, make sure that the client processes
397 // packet 2, then call the before_finished_() callback.
398 client_->Handshake();
399 before_finished_();
400 break;
401
402 default:
403 break;
404 }
405 return KEEP;
406 }
407
408 private:
409 TlsAgent* client_;
410 TlsAgent* server_;
411 VoidFunction before_finished_;
412 size_t records_;
413 };
414
AuthCompleteBlock(TlsAgent *,PRBool,PRBool)415 static SECStatus AuthCompleteBlock(TlsAgent*, PRBool, PRBool) {
416 return SECWouldBlock;
417 }
418
419 // This test uses an AuthCertificateCallback that blocks. A filter is used to
420 // split the server's first flight into two pieces. Before the second piece is
421 // processed by the client, SSL_AuthCertificateComplete() is called.
TEST_F(TlsConnectDatagram13,AuthCompleteBeforeFinished)422 TEST_F(TlsConnectDatagram13, AuthCompleteBeforeFinished) {
423 client_->SetAuthCertificateCallback(AuthCompleteBlock);
424 server_->SetPacketFilter(new BeforeFinished13(client_, server_, [this]() {
425 EXPECT_EQ(SECSuccess, SSL_AuthCertificateComplete(client_->ssl_fd(), 0));
426 }));
427 Connect();
428 }
429
TriggerAuthComplete(PollTarget * target,Event event)430 static void TriggerAuthComplete(PollTarget* target, Event event) {
431 std::cerr << "client: call SSL_AuthCertificateComplete" << std::endl;
432 EXPECT_EQ(TIMER_EVENT, event);
433 TlsAgent* client = static_cast<TlsAgent*>(target);
434 EXPECT_EQ(SECSuccess, SSL_AuthCertificateComplete(client->ssl_fd(), 0));
435 }
436
437 // This test uses a simple AuthCertificateCallback. Due to the way that the
438 // entire server flight is processed, the call to SSL_AuthCertificateComplete
439 // will trigger after the Finished message is processed.
TEST_F(TlsConnectDatagram13,AuthCompleteAfterFinished)440 TEST_F(TlsConnectDatagram13, AuthCompleteAfterFinished) {
441 client_->SetAuthCertificateCallback(
442 [this](TlsAgent*, PRBool, PRBool) -> SECStatus {
443 Poller::Timer* timer_handle;
444 // This is really just to unroll the stack.
445 Poller::Instance()->SetTimer(1U, client_, TriggerAuthComplete,
446 &timer_handle);
447 return SECWouldBlock;
448 });
449 Connect();
450 }
451
TEST_P(TlsConnectGenericPre13,ClientWriteBetweenCCSAndFinishedWithFalseStart)452 TEST_P(TlsConnectGenericPre13, ClientWriteBetweenCCSAndFinishedWithFalseStart) {
453 client_->EnableFalseStart();
454 server_->SetPacketFilter(new BeforeFinished(
455 client_, server_,
456 [this]() { EXPECT_TRUE(client_->can_falsestart_hook_called()); },
457 [this]() {
458 // Write something, which used to fail: bug 1235366.
459 client_->SendData(10);
460 }));
461
462 Connect();
463 server_->SendData(10);
464 Receive(10);
465 }
466
TEST_P(TlsConnectGenericPre13,AuthCompleteBeforeFinishedWithFalseStart)467 TEST_P(TlsConnectGenericPre13, AuthCompleteBeforeFinishedWithFalseStart) {
468 client_->EnableFalseStart();
469 client_->SetAuthCertificateCallback(AuthCompleteBlock);
470 server_->SetPacketFilter(new BeforeFinished(
471 client_, server_,
472 []() {
473 // Do nothing before CCS
474 },
475 [this]() {
476 EXPECT_FALSE(client_->can_falsestart_hook_called());
477 // AuthComplete before Finished still enables false start.
478 EXPECT_EQ(SECSuccess,
479 SSL_AuthCertificateComplete(client_->ssl_fd(), 0));
480 EXPECT_TRUE(client_->can_falsestart_hook_called());
481 client_->SendData(10);
482 }));
483
484 Connect();
485 server_->SendData(10);
486 Receive(10);
487 }
488
489 class EnforceNoActivity : public PacketFilter {
490 protected:
Filter(const DataBuffer & input,DataBuffer * output)491 PacketFilter::Action Filter(const DataBuffer& input,
492 DataBuffer* output) override {
493 std::cerr << "Unexpected packet: " << input << std::endl;
494 EXPECT_TRUE(false) << "should not send anything";
495 return KEEP;
496 }
497 };
498
499 // In this test, we want to make sure that the server completes its handshake,
500 // but the client does not. Because the AuthCertificate callback blocks and we
501 // never call SSL_AuthCertificateComplete(), the client should never report that
502 // it has completed the handshake. Manually call Handshake(), alternating sides
503 // between client and server, until the desired state is reached.
TEST_P(TlsConnectGenericPre13,AuthCompleteDelayed)504 TEST_P(TlsConnectGenericPre13, AuthCompleteDelayed) {
505 client_->SetAuthCertificateCallback(AuthCompleteBlock);
506
507 server_->StartConnect();
508 client_->StartConnect();
509 client_->Handshake(); // Send ClientHello
510 server_->Handshake(); // Send ServerHello
511 client_->Handshake(); // Send ClientKeyExchange and Finished
512 server_->Handshake(); // Send Finished
513 // The server should now report that it is connected
514 EXPECT_EQ(TlsAgent::STATE_CONNECTED, server_->state());
515
516 // The client should send nothing from here on.
517 client_->SetPacketFilter(new EnforceNoActivity());
518 client_->Handshake();
519 EXPECT_EQ(TlsAgent::STATE_CONNECTING, client_->state());
520
521 // This should allow the handshake to complete now.
522 EXPECT_EQ(SECSuccess, SSL_AuthCertificateComplete(client_->ssl_fd(), 0));
523 client_->Handshake(); // Transition to connected
524 EXPECT_EQ(TlsAgent::STATE_CONNECTED, client_->state());
525 EXPECT_EQ(TlsAgent::STATE_CONNECTED, server_->state());
526
527 // Remove this before closing or the close_notify alert will trigger it.
528 client_->SetPacketFilter(nullptr);
529 }
530
531 // TLS 1.3 handles a delayed AuthComplete callback differently since the
532 // shape of the handshake is different.
TEST_P(TlsConnectTls13,AuthCompleteDelayed)533 TEST_P(TlsConnectTls13, AuthCompleteDelayed) {
534 client_->SetAuthCertificateCallback(AuthCompleteBlock);
535
536 server_->StartConnect();
537 client_->StartConnect();
538 client_->Handshake(); // Send ClientHello
539 server_->Handshake(); // Send ServerHello
540 EXPECT_EQ(TlsAgent::STATE_CONNECTING, client_->state());
541 EXPECT_EQ(TlsAgent::STATE_CONNECTING, server_->state());
542
543 // The client will send nothing until AuthCertificateComplete is called.
544 client_->SetPacketFilter(new EnforceNoActivity());
545 client_->Handshake();
546 EXPECT_EQ(TlsAgent::STATE_CONNECTING, client_->state());
547
548 // This should allow the handshake to complete now.
549 client_->SetPacketFilter(nullptr);
550 EXPECT_EQ(SECSuccess, SSL_AuthCertificateComplete(client_->ssl_fd(), 0));
551 client_->Handshake(); // Send Finished
552 server_->Handshake(); // Transition to connected and send NewSessionTicket
553 EXPECT_EQ(TlsAgent::STATE_CONNECTED, client_->state());
554 EXPECT_EQ(TlsAgent::STATE_CONNECTED, server_->state());
555 }
556
557 static const SSLExtraServerCertData ServerCertDataRsaPkcs1Decrypt = {
558 ssl_auth_rsa_decrypt, nullptr, nullptr, nullptr};
559 static const SSLExtraServerCertData ServerCertDataRsaPkcs1Sign = {
560 ssl_auth_rsa_sign, nullptr, nullptr, nullptr};
561 static const SSLExtraServerCertData ServerCertDataRsaPss = {
562 ssl_auth_rsa_pss, nullptr, nullptr, nullptr};
563
564 // Test RSA cert with usage=[signature, encipherment].
TEST_F(TlsAgentStreamTestServer,ConfigureCertRsaPkcs1SignAndKEX)565 TEST_F(TlsAgentStreamTestServer, ConfigureCertRsaPkcs1SignAndKEX) {
566 Reset(TlsAgent::kServerRsa);
567
568 PRFileDesc* ssl_fd = agent_->ssl_fd();
569 EXPECT_TRUE(SSLInt_HasCertWithAuthType(ssl_fd, ssl_auth_rsa_decrypt));
570 EXPECT_TRUE(SSLInt_HasCertWithAuthType(ssl_fd, ssl_auth_rsa_sign));
571 EXPECT_TRUE(SSLInt_HasCertWithAuthType(ssl_fd, ssl_auth_rsa_pss));
572
573 // Configuring for only rsa_sign, rsa_pss, or rsa_decrypt should work.
574 EXPECT_TRUE(agent_->ConfigServerCert(TlsAgent::kServerRsa, false,
575 &ServerCertDataRsaPkcs1Decrypt));
576 EXPECT_TRUE(agent_->ConfigServerCert(TlsAgent::kServerRsa, false,
577 &ServerCertDataRsaPkcs1Sign));
578 EXPECT_TRUE(agent_->ConfigServerCert(TlsAgent::kServerRsa, false,
579 &ServerCertDataRsaPss));
580 }
581
582 // Test RSA cert with usage=[signature].
TEST_F(TlsAgentStreamTestServer,ConfigureCertRsaPkcs1Sign)583 TEST_F(TlsAgentStreamTestServer, ConfigureCertRsaPkcs1Sign) {
584 Reset(TlsAgent::kServerRsaSign);
585
586 PRFileDesc* ssl_fd = agent_->ssl_fd();
587 EXPECT_FALSE(SSLInt_HasCertWithAuthType(ssl_fd, ssl_auth_rsa_decrypt));
588 EXPECT_TRUE(SSLInt_HasCertWithAuthType(ssl_fd, ssl_auth_rsa_sign));
589 EXPECT_TRUE(SSLInt_HasCertWithAuthType(ssl_fd, ssl_auth_rsa_pss));
590
591 // Configuring for only rsa_decrypt should fail.
592 EXPECT_FALSE(agent_->ConfigServerCert(TlsAgent::kServerRsaSign, false,
593 &ServerCertDataRsaPkcs1Decrypt));
594
595 // Configuring for only rsa_sign or rsa_pss should work.
596 EXPECT_TRUE(agent_->ConfigServerCert(TlsAgent::kServerRsaSign, false,
597 &ServerCertDataRsaPkcs1Sign));
598 EXPECT_TRUE(agent_->ConfigServerCert(TlsAgent::kServerRsaSign, false,
599 &ServerCertDataRsaPss));
600 }
601
602 // Test RSA cert with usage=[encipherment].
TEST_F(TlsAgentStreamTestServer,ConfigureCertRsaPkcs1KEX)603 TEST_F(TlsAgentStreamTestServer, ConfigureCertRsaPkcs1KEX) {
604 Reset(TlsAgent::kServerRsaDecrypt);
605
606 PRFileDesc* ssl_fd = agent_->ssl_fd();
607 EXPECT_TRUE(SSLInt_HasCertWithAuthType(ssl_fd, ssl_auth_rsa_decrypt));
608 EXPECT_FALSE(SSLInt_HasCertWithAuthType(ssl_fd, ssl_auth_rsa_sign));
609 EXPECT_FALSE(SSLInt_HasCertWithAuthType(ssl_fd, ssl_auth_rsa_pss));
610
611 // Configuring for only rsa_sign or rsa_pss should fail.
612 EXPECT_FALSE(agent_->ConfigServerCert(TlsAgent::kServerRsaDecrypt, false,
613 &ServerCertDataRsaPkcs1Sign));
614 EXPECT_FALSE(agent_->ConfigServerCert(TlsAgent::kServerRsaDecrypt, false,
615 &ServerCertDataRsaPss));
616
617 // Configuring for only rsa_decrypt should work.
618 EXPECT_TRUE(agent_->ConfigServerCert(TlsAgent::kServerRsaDecrypt, false,
619 &ServerCertDataRsaPkcs1Decrypt));
620 }
621
622 // Test configuring an RSA-PSS cert.
TEST_F(TlsAgentStreamTestServer,ConfigureCertRsaPss)623 TEST_F(TlsAgentStreamTestServer, ConfigureCertRsaPss) {
624 Reset(TlsAgent::kServerRsaPss);
625
626 PRFileDesc* ssl_fd = agent_->ssl_fd();
627 EXPECT_FALSE(SSLInt_HasCertWithAuthType(ssl_fd, ssl_auth_rsa_decrypt));
628 EXPECT_FALSE(SSLInt_HasCertWithAuthType(ssl_fd, ssl_auth_rsa_sign));
629 EXPECT_TRUE(SSLInt_HasCertWithAuthType(ssl_fd, ssl_auth_rsa_pss));
630
631 // Configuring for only rsa_sign or rsa_decrypt should fail.
632 EXPECT_FALSE(agent_->ConfigServerCert(TlsAgent::kServerRsaPss, false,
633 &ServerCertDataRsaPkcs1Sign));
634 EXPECT_FALSE(agent_->ConfigServerCert(TlsAgent::kServerRsaPss, false,
635 &ServerCertDataRsaPkcs1Decrypt));
636
637 // Configuring for only rsa_pss should work.
638 EXPECT_TRUE(agent_->ConfigServerCert(TlsAgent::kServerRsaPss, false,
639 &ServerCertDataRsaPss));
640 }
641
642 // mode, version, certificate, auth type, signature scheme
643 typedef std::tuple<std::string, uint16_t, std::string, SSLAuthType,
644 SSLSignatureScheme>
645 SignatureSchemeProfile;
646
647 class TlsSignatureSchemeConfiguration
648 : public TlsConnectTestBase,
649 public ::testing::WithParamInterface<SignatureSchemeProfile> {
650 public:
TlsSignatureSchemeConfiguration()651 TlsSignatureSchemeConfiguration()
652 : TlsConnectTestBase(std::get<0>(GetParam()), std::get<1>(GetParam())),
653 certificate_(std::get<2>(GetParam())),
654 auth_type_(std::get<3>(GetParam())),
655 signature_scheme_(std::get<4>(GetParam())) {}
656
657 protected:
TestSignatureSchemeConfig(TlsAgent * configPeer)658 void TestSignatureSchemeConfig(TlsAgent* configPeer) {
659 EnsureTlsSetup();
660 configPeer->SetSignatureSchemes(&signature_scheme_, 1);
661 Connect();
662 CheckKeys(ssl_kea_ecdh, ssl_grp_ec_curve25519, auth_type_,
663 signature_scheme_);
664 }
665
666 std::string certificate_;
667 SSLAuthType auth_type_;
668 SSLSignatureScheme signature_scheme_;
669 };
670
TEST_P(TlsSignatureSchemeConfiguration,SignatureSchemeConfigServer)671 TEST_P(TlsSignatureSchemeConfiguration, SignatureSchemeConfigServer) {
672 Reset(certificate_);
673 TestSignatureSchemeConfig(server_);
674 }
675
TEST_P(TlsSignatureSchemeConfiguration,SignatureSchemeConfigClient)676 TEST_P(TlsSignatureSchemeConfiguration, SignatureSchemeConfigClient) {
677 Reset(certificate_);
678 TlsExtensionCapture* capture =
679 new TlsExtensionCapture(ssl_signature_algorithms_xtn);
680 client_->SetPacketFilter(capture);
681 TestSignatureSchemeConfig(client_);
682
683 const DataBuffer& ext = capture->extension();
684 ASSERT_EQ(2U + 2U, ext.len());
685 uint32_t v = 0;
686 ASSERT_TRUE(ext.Read(0, 2, &v));
687 EXPECT_EQ(2U, v);
688 ASSERT_TRUE(ext.Read(2, 2, &v));
689 EXPECT_EQ(signature_scheme_, static_cast<SSLSignatureScheme>(v));
690 }
691
TEST_P(TlsSignatureSchemeConfiguration,SignatureSchemeConfigBoth)692 TEST_P(TlsSignatureSchemeConfiguration, SignatureSchemeConfigBoth) {
693 Reset(certificate_);
694 EnsureTlsSetup();
695 client_->SetSignatureSchemes(&signature_scheme_, 1);
696 server_->SetSignatureSchemes(&signature_scheme_, 1);
697 Connect();
698 CheckKeys(ssl_kea_ecdh, ssl_grp_ec_curve25519, auth_type_, signature_scheme_);
699 }
700
701 INSTANTIATE_TEST_CASE_P(
702 SignatureSchemeRsa, TlsSignatureSchemeConfiguration,
703 ::testing::Combine(
704 TlsConnectTestBase::kTlsModesAll, TlsConnectTestBase::kTlsV12Plus,
705 ::testing::Values(TlsAgent::kServerRsaSign),
706 ::testing::Values(ssl_auth_rsa_sign),
707 ::testing::Values(ssl_sig_rsa_pkcs1_sha256, ssl_sig_rsa_pkcs1_sha384,
708 ssl_sig_rsa_pkcs1_sha512, ssl_sig_rsa_pss_sha256,
709 ssl_sig_rsa_pss_sha384)));
710 // PSS with SHA-512 needs a bigger key to work.
711 INSTANTIATE_TEST_CASE_P(
712 SignatureSchemeBigRsa, TlsSignatureSchemeConfiguration,
713 ::testing::Combine(TlsConnectTestBase::kTlsModesAll,
714 TlsConnectTestBase::kTlsV12Plus,
715 ::testing::Values(TlsAgent::kRsa2048),
716 ::testing::Values(ssl_auth_rsa_sign),
717 ::testing::Values(ssl_sig_rsa_pss_sha512)));
718 INSTANTIATE_TEST_CASE_P(
719 SignatureSchemeRsaSha1, TlsSignatureSchemeConfiguration,
720 ::testing::Combine(TlsConnectTestBase::kTlsModesAll,
721 TlsConnectTestBase::kTlsV12,
722 ::testing::Values(TlsAgent::kServerRsa),
723 ::testing::Values(ssl_auth_rsa_sign),
724 ::testing::Values(ssl_sig_rsa_pkcs1_sha1)));
725 INSTANTIATE_TEST_CASE_P(
726 SignatureSchemeEcdsaP256, TlsSignatureSchemeConfiguration,
727 ::testing::Combine(TlsConnectTestBase::kTlsModesAll,
728 TlsConnectTestBase::kTlsV12Plus,
729 ::testing::Values(TlsAgent::kServerEcdsa256),
730 ::testing::Values(ssl_auth_ecdsa),
731 ::testing::Values(ssl_sig_ecdsa_secp256r1_sha256)));
732 INSTANTIATE_TEST_CASE_P(
733 SignatureSchemeEcdsaP384, TlsSignatureSchemeConfiguration,
734 ::testing::Combine(TlsConnectTestBase::kTlsModesAll,
735 TlsConnectTestBase::kTlsV12Plus,
736 ::testing::Values(TlsAgent::kServerEcdsa384),
737 ::testing::Values(ssl_auth_ecdsa),
738 ::testing::Values(ssl_sig_ecdsa_secp384r1_sha384)));
739 INSTANTIATE_TEST_CASE_P(
740 SignatureSchemeEcdsaP521, TlsSignatureSchemeConfiguration,
741 ::testing::Combine(TlsConnectTestBase::kTlsModesAll,
742 TlsConnectTestBase::kTlsV12Plus,
743 ::testing::Values(TlsAgent::kServerEcdsa521),
744 ::testing::Values(ssl_auth_ecdsa),
745 ::testing::Values(ssl_sig_ecdsa_secp521r1_sha512)));
746 INSTANTIATE_TEST_CASE_P(
747 SignatureSchemeEcdsaSha1, TlsSignatureSchemeConfiguration,
748 ::testing::Combine(TlsConnectTestBase::kTlsModesAll,
749 TlsConnectTestBase::kTlsV12,
750 ::testing::Values(TlsAgent::kServerEcdsa256,
751 TlsAgent::kServerEcdsa384),
752 ::testing::Values(ssl_auth_ecdsa),
753 ::testing::Values(ssl_sig_ecdsa_sha1)));
754 }
755