summaryrefslogtreecommitdiffstats
path: root/security/nss/gtests/ssl_gtest/ssl_version_unittest.cc
diff options
context:
space:
mode:
Diffstat (limited to 'security/nss/gtests/ssl_gtest/ssl_version_unittest.cc')
-rw-r--r--security/nss/gtests/ssl_gtest/ssl_version_unittest.cc152
1 files changed, 23 insertions, 129 deletions
diff --git a/security/nss/gtests/ssl_gtest/ssl_version_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_version_unittest.cc
index 379a67e35..4e9099561 100644
--- a/security/nss/gtests/ssl_gtest/ssl_version_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_version_unittest.cc
@@ -56,18 +56,15 @@ TEST_P(TlsConnectGeneric, ServerNegotiateTls12) {
// two validate that we can also detect fallback using the
// SSL_SetDowngradeCheckVersion() API.
TEST_F(TlsConnectTest, TestDowngradeDetectionToTls11) {
- client_->SetPacketFilter(
- std::make_shared<TlsInspectorClientHelloVersionSetter>(
- SSL_LIBRARY_VERSION_TLS_1_1));
+ MakeTlsFilter<TlsClientHelloVersionSetter>(client_,
+ SSL_LIBRARY_VERSION_TLS_1_1);
ConnectExpectFail();
ASSERT_EQ(SSL_ERROR_RX_MALFORMED_SERVER_HELLO, client_->error_code());
}
/* Attempt to negotiate the bogus DTLS 1.1 version. */
TEST_F(DtlsConnectTest, TestDtlsVersion11) {
- client_->SetPacketFilter(
- std::make_shared<TlsInspectorClientHelloVersionSetter>(
- ((~0x0101) & 0xffff)));
+ MakeTlsFilter<TlsClientHelloVersionSetter>(client_, ((~0x0101) & 0xffff));
ConnectExpectFail();
// It's kind of surprising that SSL_ERROR_NO_CYPHER_OVERLAP is
// what is returned here, but this is deliberate in ssl3_HandleAlert().
@@ -78,9 +75,8 @@ TEST_F(DtlsConnectTest, TestDtlsVersion11) {
// Disabled as long as we have draft version.
TEST_F(TlsConnectTest, TestDowngradeDetectionToTls12) {
EnsureTlsSetup();
- client_->SetPacketFilter(
- std::make_shared<TlsInspectorClientHelloVersionSetter>(
- SSL_LIBRARY_VERSION_TLS_1_2));
+ MakeTlsFilter<TlsClientHelloVersionSetter>(client_,
+ SSL_LIBRARY_VERSION_TLS_1_2);
client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
SSL_LIBRARY_VERSION_TLS_1_3);
server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
@@ -92,9 +88,8 @@ TEST_F(TlsConnectTest, TestDowngradeDetectionToTls12) {
// TLS 1.1 clients do not check the random values, so we should
// instead get a handshake failure alert from the server.
TEST_F(TlsConnectTest, TestDowngradeDetectionToTls10) {
- client_->SetPacketFilter(
- std::make_shared<TlsInspectorClientHelloVersionSetter>(
- SSL_LIBRARY_VERSION_TLS_1_0));
+ MakeTlsFilter<TlsClientHelloVersionSetter>(client_,
+ SSL_LIBRARY_VERSION_TLS_1_0);
client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_0,
SSL_LIBRARY_VERSION_TLS_1_1);
server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_0,
@@ -128,12 +123,12 @@ TEST_F(TlsConnectTest, TestFallbackFromTls13) {
#endif
TEST_P(TlsConnectGeneric, TestFallbackSCSVVersionMatch) {
- client_->SetFallbackSCSVEnabled(true);
+ client_->SetOption(SSL_ENABLE_FALLBACK_SCSV, PR_TRUE);
Connect();
}
TEST_P(TlsConnectGenericPre13, TestFallbackSCSVVersionMismatch) {
- client_->SetFallbackSCSVEnabled(true);
+ client_->SetOption(SSL_ENABLE_FALLBACK_SCSV, PR_TRUE);
server_->SetVersionRange(version_, version_ + 1);
ConnectExpectAlert(server_, kTlsAlertInappropriateFallback);
client_->CheckErrorCode(SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT);
@@ -155,107 +150,10 @@ TEST_F(TlsConnectTest, DisallowSSLv3HelloWithTLSv13Enabled) {
EXPECT_EQ(SECFailure, rv);
}
-TEST_P(TlsConnectStream, ConnectTls10AndServerRenegotiateHigher) {
- if (version_ == SSL_LIBRARY_VERSION_TLS_1_0) {
- return;
- }
- // Set the client so it will accept any version from 1.0
- // to |version_|.
- client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_0, version_);
- server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_0,
- SSL_LIBRARY_VERSION_TLS_1_0);
- // Reset version so that the checks succeed.
- uint16_t test_version = version_;
- version_ = SSL_LIBRARY_VERSION_TLS_1_0;
- Connect();
-
- // Now renegotiate, with the server being set to do
- // |version_|.
- client_->PrepareForRenegotiate();
- server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_0, test_version);
- // Reset version and cipher suite so that the preinfo callback
- // doesn't fail.
- server_->ResetPreliminaryInfo();
- server_->StartRenegotiate();
-
- if (test_version >= SSL_LIBRARY_VERSION_TLS_1_3) {
- ExpectAlert(server_, kTlsAlertUnexpectedMessage);
- } else {
- ExpectAlert(client_, kTlsAlertIllegalParameter);
- }
-
- Handshake();
- if (test_version >= SSL_LIBRARY_VERSION_TLS_1_3) {
- // In TLS 1.3, the server detects this problem.
- client_->CheckErrorCode(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT);
- server_->CheckErrorCode(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED);
- } else {
- client_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_VERSION);
- server_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT);
- }
-}
-
-TEST_P(TlsConnectStream, ConnectTls10AndClientRenegotiateHigher) {
- if (version_ == SSL_LIBRARY_VERSION_TLS_1_0) {
- return;
- }
- // Set the client so it will accept any version from 1.0
- // to |version_|.
- client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_0, version_);
- server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_0,
- SSL_LIBRARY_VERSION_TLS_1_0);
- // Reset version so that the checks succeed.
- uint16_t test_version = version_;
- version_ = SSL_LIBRARY_VERSION_TLS_1_0;
- Connect();
-
- // Now renegotiate, with the server being set to do
- // |version_|.
- server_->PrepareForRenegotiate();
- server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_0, test_version);
- // Reset version and cipher suite so that the preinfo callback
- // doesn't fail.
- server_->ResetPreliminaryInfo();
- client_->StartRenegotiate();
- if (test_version >= SSL_LIBRARY_VERSION_TLS_1_3) {
- ExpectAlert(server_, kTlsAlertUnexpectedMessage);
- } else {
- ExpectAlert(client_, kTlsAlertIllegalParameter);
- }
- Handshake();
- if (test_version >= SSL_LIBRARY_VERSION_TLS_1_3) {
- // In TLS 1.3, the server detects this problem.
- client_->CheckErrorCode(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT);
- server_->CheckErrorCode(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED);
- } else {
- client_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_VERSION);
- server_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT);
- }
-}
-
-TEST_F(TlsConnectTest, Tls13RejectsRehandshakeClient) {
- EnsureTlsSetup();
- ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
- Connect();
- SECStatus rv = SSL_ReHandshake(client_->ssl_fd(), PR_TRUE);
- EXPECT_EQ(SECFailure, rv);
- EXPECT_EQ(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED, PORT_GetError());
-}
-
-TEST_F(TlsConnectTest, Tls13RejectsRehandshakeServer) {
- EnsureTlsSetup();
- ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
- Connect();
- SECStatus rv = SSL_ReHandshake(server_->ssl_fd(), PR_TRUE);
- EXPECT_EQ(SECFailure, rv);
- EXPECT_EQ(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED, PORT_GetError());
-}
-
TEST_P(TlsConnectGeneric, AlertBeforeServerHello) {
EnsureTlsSetup();
client_->ExpectReceiveAlert(kTlsAlertUnrecognizedName, kTlsAlertWarning);
- client_->StartConnect();
- server_->StartConnect();
+ StartConnect();
client_->Handshake(); // Send ClientHello.
static const uint8_t kWarningAlert[] = {kTlsAlertWarning,
kTlsAlertUnrecognizedName};
@@ -274,12 +172,10 @@ class Tls13NoSupportedVersions : public TlsConnectStreamTls12 {
client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
SSL_LIBRARY_VERSION_TLS_1_2);
server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2, max_server_version);
- client_->SetPacketFilter(
- std::make_shared<TlsInspectorClientHelloVersionSetter>(
- overwritten_client_version));
- auto capture = std::make_shared<TlsInspectorRecordHandshakeMessage>(
- kTlsHandshakeServerHello);
- server_->SetPacketFilter(capture);
+ MakeTlsFilter<TlsClientHelloVersionSetter>(client_,
+ overwritten_client_version);
+ auto capture =
+ MakeTlsFilter<TlsHandshakeRecorder>(server_, kTlsHandshakeServerHello);
ConnectExpectAlert(server_, kTlsAlertDecryptError);
client_->CheckErrorCode(SSL_ERROR_DECRYPT_ERROR_ALERT);
server_->CheckErrorCode(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
@@ -311,23 +207,21 @@ TEST_F(Tls13NoSupportedVersions,
// Offer 1.3 but with ClientHello.legacy_version == TLS 1.4. This
// causes a bad MAC error when we read EncryptedExtensions.
TEST_F(TlsConnectStreamTls13, Tls14ClientHelloWithSupportedVersions) {
- client_->SetPacketFilter(
- std::make_shared<TlsInspectorClientHelloVersionSetter>(
- SSL_LIBRARY_VERSION_TLS_1_3 + 1));
- auto capture = std::make_shared<TlsInspectorRecordHandshakeMessage>(
- kTlsHandshakeServerHello);
- server_->SetPacketFilter(capture);
+ MakeTlsFilter<TlsClientHelloVersionSetter>(client_,
+ SSL_LIBRARY_VERSION_TLS_1_3 + 1);
+ auto capture = MakeTlsFilter<TlsExtensionCapture>(
+ server_, ssl_tls13_supported_versions_xtn);
client_->ExpectSendAlert(kTlsAlertBadRecordMac);
server_->ExpectSendAlert(kTlsAlertBadRecordMac);
ConnectExpectFail();
client_->CheckErrorCode(SSL_ERROR_BAD_MAC_READ);
server_->CheckErrorCode(SSL_ERROR_BAD_MAC_READ);
- const DataBuffer& server_hello = capture->buffer();
- ASSERT_GT(server_hello.len(), 2U);
- uint32_t ver;
- ASSERT_TRUE(server_hello.Read(0, 2, &ver));
+
+ ASSERT_EQ(2U, capture->extension().len());
+ uint32_t version = 0;
+ ASSERT_TRUE(capture->extension().Read(0, 2, &version));
// This way we don't need to change with new draft version.
- ASSERT_LT(static_cast<uint32_t>(SSL_LIBRARY_VERSION_TLS_1_2), ver);
+ ASSERT_LT(static_cast<uint32_t>(SSL_LIBRARY_VERSION_TLS_1_2), version);
}
} // namespace nss_test
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-24 13:11:43 +0000